“Sapiens” and Economic Value

To some extent, Economics is the study of how people produce more (both variation and volume) when they work together. Most of the time people have a place in the world’s economy when they provide value, which is measured by money and credit…mostly.

The book “Sapiens: A Brief History of Humankind” by Yuval Noah Harari has me thinking differently about economics. Harari takes us into critical transitions in human history; like the years just before and after the invention of “credit”. According to Harari, “credit” is anchored in the belief that the future will be better than the past. For most of human history, people assumed the reverse. The future was no match for the glory of the past.

Once credit took hold, however, both for good and ill, it allowed for a greater and more frequent transfer of value. Humanity could start to build a future together. And value could begin to be sought out in all corners of the globe. Trade and credit meant that we could do more together. And the more humans worked together to produce what they needed (or wanted) the more the economy grew. With all the benefits of economic growth, humans also witnessed exploitation and abuse of this system. Individuals and institutions figured out how to steal value from others who weren’t in a position to know better or defend themselves.

Unfortunately, trading on stolen value still happens today. But in the greater scheme of things, I find myself wondering about how we’re going to manage value and economic growth in the future. We’re moving from exploiting people to simply eliminating them from the equation all together. If people are not providing direct value to the global economy, will they be able to participate? Will there be huge swaths of people who can’t take advantage of all the value being created because they won’t have anything to offer in exchange for it?

Think of the countries or societies that are generating value and those that aren’t. Countries that don’t generate value fall victim to crime and exploitation. The further they get from full participation in the global economy, the further they get from the benefits of modern society. Disproportionately they end up on the downside of the world’s value systems.

As a result, with no value accessible to them, citizens in these countries migrate toward countries where value is accessible; where they have a chance of participating and producing value of their own. These value destinations, however, have responded by restricting their borders. Also, they attempt to control the flow of value by forcing their hand in trade deals. But these kinds of restrictions are antithetical to what actually makes a global economy work in the first place. We generate value when we work together.

Sure, there’s competition, but ultimately the real wins happen when we engage countries and societies who have been left out. And we all win when we help them generate value. The more overall participation we get, the better we’ll all be. Both because we’ll benefit from what these countries have to offer and because they won’t become feeders for crime and violence.

‘The Cloud’ is Still New

It feels like folks have been talking about ‘the cloud’ forever. But levels of cloud utilization in the form of IaaS, PaaS, etc. have really only ramped up significantly in the last couple years. The tendency is to think that there are ‘cloud’ people who were just born knowing ‘cloud’ and that the chasm between ‘cloud’ and ‘on-prem’ is so great that the ‘on-prem’ folks simply won’t understand this new realm.

Fact is, ‘the cloud’ is still new. And no one is born knowing anything, especially not best-practices around cloud utilization, security, and architecture. Herein lies both risk and opportunity. If we can all just put down our pretensions around cloud know-how and get busy learning, we might actually be able to build, configure and secure our cloud environments in a way that delivers consistent, beautiful results.

But the first step is remind ourselves about how new all of this is, and how revolutionary it is. Organizational leaders, instead of saying, “Hey what do you know about cloud? Oh, you don’t know anything? Okay, bye.” Need to say, “Hey let’s get learning! See what you can find out about the cloud that will help us meet our goals.” Because the reality is, most of us don’t know everything there is to know about the cloud. It is still new! And it is going to still be new for a long time!

If leaders don’t charge their teams with learning, these same leaders will have their business strategies singularly handled by vendors — well meaning as they may be. And the best solutions and the most remarkable features of ‘the cloud’ will never arrive. Innovation happens with a sense of ownership and dedication. This is less likely to happen when innovative work is attempted by 3rd parties who have ample room to over promise and under deliver.

The cloud is still new! Let’s respect that fact and don’t presume that the best solutions live elsewhere. Bring your teams into this new world and get ready to be blown away. Give them a chance to learn and innovate; don’t write them off. Sometimes the best innovations are right under our noses, but we can see them because we’re blinded by the glare of shinny, well-marketed solutions that can be low on substance.

Security Hygiene is Boring and Critical

This has been said many times before by people many times more credentialed than me. There are sexy vulnerabilities out there that take considerable expertise to understand. Then there are vulnerabilities or configurations that are the equivalent of leaving your car door unlocked.

The calculation so often made goes like this: “it hasn’t happened before”, or “I’ll only be gone for a few minutes”.

Oddly, many who have an incredibly honed financial sense about them and who understand that ‘past performance does not equal equal future results’, have great difficulty extending this concept elsewhere. But nowhere is it more applicable than in security. Past performance does not equal future results! (Or you may have been hacked in the past and you don’t know it.)

The oversight that causes an organization to get hacked in the first place is likely something simple. Are you missing two-factor authentication? Are you still using a default login? Is your password “Spring2019” and do you use it everywhere? These are security concerns that don’t take heaps of expertise to understand; they are boring and critical.

Attackers don’t want to work hard to steal data or install ransomware, so they’re likely to look for simple vulnerabilities or poorly configured networks in order to get the job done. Don’t sweat the small stuff, sweat the simple stuff.

“The Pain Chronicles” by Melanie Thernstrom

Yesterday I finished reading “The Pain Chronicles: Cures, Myths, Mysteries, Prayers, Diaries, Brain Scans, Healing and the Science of Suffering” by Melanie Thernstrom. I’d heard about it in an episode of Radiolab titled “Loops”. (A very fascinating episode, btw.)

Thernstrom suffers from chronic pain. Her book is a journey through the history of pain; not just pain as we typically understand it, but its historical baggage. How we experience or interpret pain, for example, can change how we suffer in relation to it. And we interpret pain based on a host of contexts: religious, spiritual, through relationships, and our own understandings about ourselves, etc.

I don’t suffer from chronic pain, luckily (she discusses ‘luck’ in her book), but I do think it is important to try and understand what it might be like for people who do.

“The Pain Chronicles” reminds me of another book I read some time ago called, “The Noonday Demon: An Atlas of Depression” by Andrew Solomon. Both Solomon and Thernstrom bring the reader with them in their search for healing.

For some reason, this kind of book, where the author researches the very thing that ails them, appeals to me. These authors don’t have the luxury of distancing themselves from their subject matter, yet they have to push forward anyway and seek objective observations whenever they can. This balancing act is what creates tension and makes their work much more meaningful.

I especially enjoy Thernstrom’s look at the placebo effect and a term I’d not heard of before, its evil twin, the nocebo effect. (The nocebo effect involves psychological and psychosomatic factors that can have a detrimental effect on one’s well-being.) Admittedly, with either effect, it only lasts as long as someone believes in its efficacy. So the challenge, at least in the case of the placebo, is to trick the self into continuing to affirm its reality, which is a tall order.

Thernstrom doesn’t have the luxury of getting a consistent benefit from the placebo effect. Neither do many chronic pain sufferers, but there is hope that some day the kind of understanding that comes from this research might lead to healing for chronic pain sufferers. This particular topic is one small piece of her very thorough narrative, however.

She follows several subjects on their respective journeys and, at times, provides fairly harsh criticisms of the doctors who treat them. These are as much criticisms of the doctors themselves as they are of how the medical profession as a whole addresses chronic pain.

Consider reading this book if you want to learn more about chronic pain and the experiences of those who suffer from it.

“The Cuckoo’s Egg:” An Old Story – New to Me

Two weekends ago I finished reading “Tribe of Hackers: Cybersecurity Advice from the Best Hackers in the World”. (Please read previous blog entry to learn more.) I was amazed at how many of “Tribe of Hackers” contributors recommended an old book, “The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage,” which was written by Clifford Stoll in 1989.

The story actually begins at Lawrence Berkeley National Laboratory in 1986. I won’t go into too many details about the setting or the time. In computer years, it was ages ago. So my question: “How could such an old book about tracking down a hacker be so routinely recommended by a slew of highly knowledgeable and well-respected info sec professionals?”

Turns out cybersecurity hasn’t changed much. In “The Cuckoo’s Egg,” the hacker who is being tracked by Stoll, an astronomer, is aided by of the following: 1) default credentials, 2) processes that run as root, but shouldn’t, 3) well-known vulnerabilities, 4) the fact that folks can be fooled into entering their credentials into fake sites, 5) the desire of organizations to not share information, 6) the fact that various US agencies described this sort of attack as not their ‘bailiwick’, 7) the fact that various agencies don’t have the expertise to fully comprehend the risk to their data and network infrastructures, and 8) that organizations could not possibly imagine someone actually penetrating their ‘high security’ environments. I’m sure I’m missing a few, but you get the idea.

Besides being a great old book, published when I was a curious, modem tapping, BBS surfing adolescent, it’s an excellent primer on the foundations of modern cybersecurity. Sure, the technology has changed, but fundamentals haven’t moved an inch. Maybe all cybersecurity professionals have heard of this book except for me, but if you haven’t, consider reading it. Even if you’re not after the education, it’s wonderfully entertaining.

“Tribe of Hackers” Wins the Day

It’s weird how I found out about “Tribe of Hackers: Cybersecurity Advice from the Best Hackers in the World”. I saw a photo on Twitter of a fellow Luther Collage alum, Ben Tomhave, showing that he was featured as one of the ‘tribe’. “What’s this about?” I asked myself.

As it turned out, this was a book soon to be released by Threatcare, a firm that is an active, generous purveyor of learning and community building in cybersecurity.

I love books and learning learning, and I’m relatively new to cybersecurity. Though I would hazard to guess that a majority of people in this field feel like they are ‘relatively new’. For people like me, books like this are pure gold. (I can’t say I’ve read many books like this one, however.)

Jeshua with books.

The crowning glory of this recent publication is thought-diversity. (Yes, I just hyphenated those two words together.) You can read a chapter by one contributor who says that ‘user security awareness’ is the biggest bang-for-the-buck toward improving organizational security. The next will say ‘asset inventory’. I love this.

The bang-for-your-buck question is just one simple example. There is a WHOLE LOT more going on in this book than that. It’s loaded with practical advice on building your career, getting along with others, and learning from your mistakes. Sure there is a lot varying ideas, but they all lead to a few core truths. One of these core truths is that cybersecurity is all about PEOPLE. That is even if you like the term ‘cyber’ which one author explains ‘holds no real meaning any more’. I love this too.

This collection of industry wisdom is a rare find. Hats off to Marcus J. Carey and Jennifer Lin and all the contributors who had the fortitude to put these reflections down on paper for people like me. 🙂 “Tribe of Hackers” wins the day! Check it out: https://www.threatcare.com/tribe-of-hackers/

Postman API Learning, Testing, and Development

I’m pretty late into to the API game. Recently I was on a call with a handful of security engineers and they explained that they couldn’t afford to have their people staring at console screens any more. Instead, they rely almost entirely on API’s to automate and streamline their work. I’ve been hearing about API development forever but I’d not gotten past the first hurdle: how to start. My answer to this is Postman.

Once you have an API you want to consume, you can start doing ‘POST’ and ‘GET’ requests pronto and see results immediately. Also, one critical tipping point for me was when I watched a number of the introductory videos that Postman provides. For example, I didn’t understand what the ‘Test’ section was for. The videos demonstrated that this is where you can write JavaScript to traverse the JSON files which are the results of your requests.

Currently, I’m only using a free account. I’m in learning mode, but as I move toward doing more work with API’s in the future, I’ll absolutely be using Postman to test and verify my efforts. It’s also a great introduction in the security advantages and disadvantages of using API’s.

Anyone else who has a desire to dig into API’s and consider what they can do to add value to your work, try Postman. And don’t forget to check out a few of their tutorial videos.

Discovering “2600 Magazine: The Hacker Quarterly”

Not long ago I did one of those “Strengths Finder” assessments put out by the folks at gallupstrengthscenter.com. At the top of my “strengths” list was the designation “Learner”. It essentially confirmed what I already almost knew — that I enjoy learning or getting to a point of understanding on a variety of topics.

Recently a colleague at work recommended that I consider taking at look at the 2600 Magazine. So I did. I read the Kindle version of the most recent edition. What I really enjoy about reading the Hacker Quarterly is that it is filled with articles written by people who love to learn and understand things, specifically related to computers and technology.

Also, as someone who works in cyber security, it is exceedingly helpful for me to understand the types of vulnerabilities that are written about in Hacker Quarterly articles. For example, I read an article by an individual who was able to ‘investigate’ a very larger number of routers in Malaysia. Initially, he had resource constraints, but discovered that by using a Spot Instance at AWS he could considerably broaden his reach at a very low cost: ten dollars. I’ll be seeking to understand these AWS Spot Instances and the impact they may have on the security of organizations in the future.

By and large the spirit of the “Hacker Quarterly” is centered around learning and understanding. And the culture of the group is such that criminal activity is frowned upon, though they do skirt the edges of legality from time to time. To have a window into this world is marvelous. I’m now reading through a whole ‘digest’ of issues from the past year. And if you’re a “Learner” like me, I suggest you do the same. Here’s their website: https://www.2600.com/

Health Care Pricing: Can big data help us here?

This morning I read an article in the Economist magazine January 12, 2019 edition titled, “Shopping for a Caesarean”. This article summarizes the challenges that we face in the US around pricing for medical procedures. The true cost of medical procedures is lost in reams of arbitrary pricing algorithms.

In an era of “big data” convoluted pricing presents a great irony. We have data that corresponds to nearly every other facet of our lives. This data helps businesses predict consumer behavior in order to market the right product to consumers at the right time.

In the health care industry, hospitals don’t have to predict consumer needs. Rather, consumers will purchase a procedure when they are sick and/or under “duress” (the word used in the Economist article). They aren’t likely to shop around. This “duress” allows hospitals to use creative pricing, make deals with insurers, and do all sorts of tricks that conceal the true cost of healthcare.

The Economist article argues that price transparency is the first step, but that it won’t solve the problem because of the “duress” faced by those in need of care. What is needed is a big picture look at pricing for all of us to see when we are not in duress. This way we can identify who exactly is benefiting from these gross inefficiencies. We need “big data” for the masses. We need “big data” that will improve the standard of living for average folks just like we have “big data” that helps businesses market products. However, as long as the medical industry profits greatly from hidden pricing algorithms, they have little incentive to share their secrets and drive more efficiency into the marketplace.

Originally, this lack of transparency was probably not intentional, but now that it generates so much profit for the healthcare industry there is very little incentive to do anything about it. We need more than transparency around pricing for each procedure; we need “big data” algorithms that will allow us to untangle our current pricing mess.

Holiday Hacking with SANS

Perpetual learning is paramount for folks in any profession, but I’ve found that for individuals who work in cyber security it is absolutely critical. A significant part of the work I do involves knowing what risks lurk both in the wild (and internally) that can stand in the way of an organization’s future success. Staying up with these risks, mitigation techniques, and controls is vital.

There are all types of learning that help new concepts find a home in my brain. One comprehensive learning experience that I recommend for anyone in cyber security is an event put out each year by SANS, which is an organization that trains cyber security professionals. The event is called the SANS Holiday Hack Challenge.

This year 9-year-old son helped me in ways that blew my mind. His little mind went after small details that I thought were insignificant that turned out to be a pretty big deal. He was very excited by what he was able to uncover…and so was I.

The SANS Holiday Hack challenge introduces cyber security professionals and pen-testers to new technologies and opens their minds to risks and mitigation techniques that they had not previously considered. I greatly enjoy their ‘terminal challenges’ which provide hints toward solving objectives. Never before had I decrypted http2 traffic using Wireshark and SSL keys. So awesome! Here’s the link for this years’ challenge which has been a wild ride for me, to say the least: https://www.holidayhackchallenge.com/2018/.

Stop in and poke around. Solve a terminal challenge or two then put it on your holiday to-do list for next year. You won’t regret it!