Tuesday, September 15, 2020

Engineer -> Cyber -> Startup -> ... Politics?


Bloomberg photo of me looking serious in front of computers.

As I wrote in my last post, I've decided, despite spending my entire career in technology (and almost all of it in cyber security), to run for public office. It's not a typical path, and it's not one I suspect is permanent. I outlined some of the reasons I decided to run in my earlier post, so I won't outline them again here. What I did want to do is spell out some of the things I think an engineer/nerd/tech-person/hacker/etc. brings to the table from a skill set/perspective point of view, and some tech-focused goals. You can see my specific career trajectory on LinkedIn, and although I've been fortunate to have a really cool career, I honestly believe that many of the technical people I've worked with share most if not all of the aptitudes I describe below. A few of them are unique to cyber folks, and a few are also specific to hackers, but most I think apply across members of the engineering/technology fields.

Aptitudes

  • Analytical mindset
  • Ability to work with numbers/large data sets/statistics/budgets/finances
  • Ability (love?) to read specs, protocol docs, legal documents, prior art, etc.
  • Ability to focus on facts and not just the emotional component to complex issues
  • Strategic mindset looking at long term implications and not just short term
  • Understanding of computers and technology and software
    • How they're built and how to build them
    • How to use them effectively
    • How to hack/exploit them. And how to (mostly) secure them
    • How to communicate about technical topics to non technical people
    • How and when to apply technology and when to focus on people/process
  • Importance of STEM education
  • How technology drives jobs, education, economic growth, and organizational efficiency
  • Ability to deal with people who passionately take a position and focus on common ground and how to bridge the communication divide. (Linux vs. Windows, Emacs/Vim, SW or HW problem, etc.!)
  • How cyber security affects policy (voting, privacy, corporate liability, government IT spending, etc.)
  • Strong work ethic
  • Seeing new ways of doing things, inventing new ideas.
  • Love of learning, digging into complicated topics and not looking for easy answers
  • Dissatisfaction with the status quo, finding ways to improve processes.
  • Ability to multi-task (I've been told ADHD is common in hackers, I know I have it!)
  • Rational decision making, processes driven by facts/logic/data and not rhetoric/rumor/etc. 

There are plenty of things engineers ALSO need to have to be an effective politician. A love of people. Good interpersonal/writing/presenting skills. Empathy/compassion. These came from genetics (my extroverted non-engineering mother complemented my Norwegian engineering father nicely!), faith (hard to say you love God if you can't love the people in front of you!) and life (you grow in compassion and empathy as you walk with people who are suffering, experience trauma/difficulties yourself, have children, etc.!)

Tech-Oriented Goals

  • Help secure funding to increase broadband and 5G access across New Hampshire
  • Review and enhance state policies, procedures and technical posture around cyber security, computerized voting, remote education, internal and citizen-facing government software, government networks/systems
  • Ensure the state government works closely with federal agencies to receive and share cyber security threat information and develop policies/procedures for the state and support towns/county-level cyber security posture and programs
  • Pursue right-to-repair legislation that ensures that citizens and companies who purchase products are allowed to repair/maintain those products
  • Increase government transparency and electronic records access to the public
  • Increase the implementation and security around electronic medical records
  • Accelerate the digitization of legacy paper/analog based processes and procedures, such as requesting legal documents
  • Support initiatives to develop enhanced technical literacy in young people (computer science, IT, science/math curriculum) and retraining programs to provide upward/lateral mobility, particularly with under-represented/minority groups
  • Balanced, data driven approach to the increasing use of physical and online surveillance technologies and the inherent tradeoffs between increased security and decreased privacy
  • Analysis of data-ownership models and the application of privacy-preserving technologies to encrypt/anonymize citizen data wherever possible
  • Embrace of digital currency options and new technologies to enhance business/citizen experiences in the state (electronic tolling, online registration, etc.)
  • Support robust, reliable, high quality online learning options Kindergarten through adult educational levels for accredited and unaccredited programs

I'm sure there are plenty of other things that will come up, and of course my focus isn't purely on technical topics. (Low taxes is one I'm fond of!) But that's a good list of things I think about and a unique POV to bring to the capital leveraging my tech background.

Would love to see others in the tech/security community also get involved in public service, either serving in government or even better volunteering for roles such as poll workers, running for local/state office and supporting good people in your communities who do run. If anyone has questions for me about the process, the campaign, issues, etc. feel free to reach out. Easiest way is email or Twitter.

If anyone wants to volunteer or donate to my campaign, I need a ton of support! From my last post: 

"I discovered that the senator currently representing the district (who by all accounts is a very nice guy) is receiving almost $140k a year from a special interest group, lists government "lobbying" and "representation" among his official duties, doesn't recuse himself from matters related to the special interest and in fact puts out press releases bragging about the millions of dollars in benefits that flow back to the special interest. Not coincidentally, the special interest also contributed over $75k to his campaign"


Wednesday, August 26, 2020

Latest initiative


In 2016 I fulfilled my dream of starting and selling a successful high tech firm. We built a great team where we treated customers and employees with respect and a high performance culture. Siege Technologies built awesome technologies and made a difference in the world which was very rewarding.

I left the company in 2019 to focus on investing, advising startups, and philanthropy work full time. By 2020 I was the managing partner at 10X Venture Partners, GP of a small fund (both at 10X and the fund I'm investing for charitable benefit), advising a number of tech firms and serving on numerous charitable boards doing inspiring things like fighting sexual exploitation, poverty, and addiction (and volunteering/advising a few others.) It was/is rewarding work and seemed like a great place to be for a while going forward. 

But in the summer of 2020, I read a paper arguing that government policies were far more impactful to help the poor than individual philanthropic programs. Minutes after finishing it, two random strangers suggested running for state Senate, coincidentally within 5-10 minutes of each other! Like most people, I didn't have a positive view of politics or politicians and wasn't enthusiastic about the idea at first. Or after a second glance. But after further reflection and numerous discussions, I realized that:

  1. The state Senate is a place that you can make a difference. Numerous important bills came down to a single Senate vote in the last session, and each senator plays a critical role in the direction of the state. NH has over 1.36M people and a budget of over $13B, so the impact you can have is much larger than regional charities serving dozens or even hundreds of people.
  2. If all the good/moral people avoid politics, what can we say if we don't like the people who are in office? Despite the negative views of politicians, there are some good people who serve for the right reasons and not more base drivers like money, career advancement, or pride. And while some may be motivated by greed/anger/extreme ideological reasons or even boredom, there are some who run because they genuinely care and want to give back.
  3. While I've never considered myself a political type, many of the skills I've developed and my strengths and weaknesses will transfer well to a campaign. The campaign trail is much like running a startup and days are consumed with raising funds from "investors", meeting with various stakeholders, learning the regulatory framework, managing operations, building a team, planning and executing a budget, marketing, and trying to attract a large group of people who believe in what you're offering. While serving as a senator will be very different, things like people skills, textual/policy/logical/budget analysis, public speaking, integrity, work ethic, ability to focus on creating "win-win" scenarios, love of others, and conflict resolution will be valuable.
  4. I discovered that the senator currently representing the district (who by all accounts is a very nice guy) is receiving almost $140k a year from a special interest group, lists government "lobbying" and "representation" among his official duties, doesn't recuse himself from matters related to the special interest and in fact puts out press releases bragging about the millions of dollars in benefits that flow back to the special interest. Not coincidentally, the special interest also contributed over $75k to his campaign. 😒 And it's all legal in NH, since senators only make $100/year and we have very lax laws around how elected officials are compensated. When I worked at DARPA, I wasn't usually allowed to accept a free lunch (there were limited exceptions) because of the concern that that free $10 ham sandwich might unduly influence your next contract award... but in NH it's OK to accept 6 digits in personal compensation from groups that lobby for government money while serving as a senator. That's wrong and needs to be fixed.

Filing to run at the state house

As a result of these considerations I decided to run for Senate. I've really enjoyed getting to meet people from around the state and learn more about the challenges and issues facing the state (like COVID-19 and the opioid crisis) and some of the unique aspects of our state/government that make New Hampshire unique and such a great place to live.

I don't plan to put the campaign stuff on this blog; I will keep it to tech/entrepreneur content. But as a result of the campaign (and hopefully winning/serving!) I suspect I won't be posting as much here for a while, as I'll be posting on the campaign site at syversen4senate.com, and on socials on FB and Twitter.

Tuesday, September 24, 2019

Sexy versus common cyber problems



Many people in the cyber security/defense/IT community are fascinated by the "sexy" work of high-end vulnerability researchers. In modern culture the word "hacker" is often conflated with someone who can break into any hardened system. The people who find so-called 0-day vulnerabilities (vulnerabilities in software that the vendor doesn't yet know about or have a fix for) and turn them into exploits are often regarded as the top of the pyramid of hackers, due to the incredibly challenging technical obstacles that must be overcome, the deep and arcane knowledge of system semantics and architectures required, and the obvious intelligence of many of the practitioners in this domain.

The Google P0 team is probably the preeminent public global team researching and publishing novel attacks against hardened systems such as Windows, Chrome, iOS and other software systems critical to the secure usage and survival of the Internet. They are impacting the gray market for vulnerabilities. Other teams conduct this research as a PR function for their product or services firms. Many high end teams are restricted to secretive government (or government funded) laboratories or government agencies to support law enforcement or national security objectives. And a small number support themselves or a larger criminal syndicate through the development and use of these capabilities. When I did a Google search for vulnerability research, I also found Brene Brown, which made me chuckle. (Different kind of vulnerability research!)

http://heartbleed.com/

Blackhat and many conferences were built around a platform to share the latest and most interesting "hacks" that these researchers have developed. News stories and books are built around the challenging accomplishments of the individuals and research teams. Vulnerabilities come with their own logos and web sites now.

Some members of the community watch admiringly and wish they could do the same. Some enjoy reading/learning about it and admire the technical accomplishments. Others leverage the research to raise awareness around theoretical or very real threats to their company/products, while others use it to spread FUD (fear, uncertainty, and doubt) to sell more product or further a political agenda. Many companies benefit from the free research and QA performed on their products by third parties, which lets them secure their products without paying for it. (To their credit, many are seeking ways to better engage these third parties and compensate them for those valuable contributions.)

https://www.f5.com/content/dam/f5/downloads/F5_Labs_Lessons_Learned_from_a_Decade_of_Data_Breaches_rev.pdf
Graphic from F5 Decade of breaches lessons learned report.
An increasing portion of the community is spending time pushing back on this so-called "sexy" part of the community. They rail that it gets too much attention, that it's pointless to try to find/fix super complex vulnerabilities because you'll never find them all, and that high end talent is wasted on this problem. Their argument is built around the (strong) empirical evidence that the vast majority of security compromises aren't done using super-fancy 0-day attacks but rather password re-use, phishing attacks, outdated code that has known exploits in Metasploit, misconfigured systems, open cloud repositories, etc. 27% of companies state that they've been breached because they didn't patch KNOWN vulnerabilities, so why spend so much time/energy finding unknown ones?

While I haven't heard the counter argument made publicly (that one should exclusively focus or at least massively increase attention on 0-day vulnerability research) there are certainly individuals and organizations who make this their exclusive focus and have no interest in addressing the human/configuration side of the problem for various reasons. And I have seen individuals in those groups who have denigrated the work of those working on social engineering attacks, auditing systems for compliance and/or rolling out patches.

The problem is that, like most complex domains, it is not a Boolean problem with a Boolean answer. It's complicated and requires a nuanced perspective which is often missing in online rants. In this post, I'll address some of these complexities and explain why we need to address the human/configuration side of the problem while not neglecting the "high end" technical security risks that remain.

Attackers target the human or misconfigured/unpatched systems for numerous reasons:
  1. It has a low barrier to entry, meaning significantly high portions of the attacker community have access to these techniques (i.e., script kiddies, criminal/nation-state teams just starting out, etc.)
  2. It does not burn valuable capabilities in the event of later compromise. Why spend your 0-day if you don't have to!?
  3. It is often more reliable. (In the modern era many 0-days rely on probabilistic techniques like heap spraying which fail a portion of the time depending on the usage/configuration of memory in the target.) 
But if these attacks don't work, or the attacker is concerned that using well-known techniques may trigger enhanced monitoring/scrutiny of their actions, they will often choose to use more complex advanced techniques such as 0-day exploits (software exploits that are built around the knowledge of an unknown (0-day) vulnerability in a piece of software; for a great read on the topic, check out this RAND report). Only a subset of attackers even have the resources to buy or build their own 0-day exploits.

Decades ago this was commonly performed by individual hackers who found vulnerabilities and didn't share them but used them to poke around and "explore" the Internet. Reporting a discovered vulnerability to a vendor could result in the police being called or lawsuits and many hackers were young and didn't think they were "causing any harm" or even wrong for using what they'd found for their own entertainment.

But today many firms have vulnerability reporting programs and policies of working with third party researchers. Most of the top software companies in the world even offer some sort of compensation (cash, prizes, or recognition) to these third party researchers through the use of internal or external bug bounty programs (A great list is here.) The combination of maturing software development practices, productive pathways to reporting third party discovered vulnerabilities and anti-exploitation mitigating techniques available in modern operating systems and hardware means that finding useful 0-days and exploiting them typically requires a significant effort by an advanced individual or team of individuals.

Attacks are conducted using BOTH approaches on a daily basis around the world. While the reports and news stories that get attention focus on breaches that utilized one or more 0-day attacks, the vast majority are done using human/system mistakes. 0-day attacks tend to be utilized in the highest value or extremely targeted cases by nation states conducting intelligence operations, although in less frequent cases by law enforcement or "defense" operations. A non-negligible portion of 0-days are deployed by criminal groups (although in an era when North Korea employs large teams of hackers to raise billions to bypass national sanctions and fund weapons/missile research, or Russia explicitly refuses to shut down criminal operations out of the Russian Business Network as long as they target other countries, drawing the line between criminal group and nation state operations becomes increasingly difficult!)

Attackers will use the path of least resistance to accomplish their objective. In a perfect world humans would not be susceptible to manipulation and sharing passwords or other sensitive data. And software would be free of bugs and vulnerabilities. Systems and networks would always be properly configured. But that world is far away and I would argue theoretically unachievable. (Although I have yet to gather the methodology for a proof, I'm working on it!)

As a result, we are faced with a world with vulnerable software, systems/networks and humans. And attackers who spend the minimal amount of resources to accomplish their objectives. In that environment, defenders should focus their efforts on ways of increasing the cost to an attacker that is consistent with their threat model. If you're an individual or small/medium sized business (SMB) not in a high-risk class, you don't need to worry about targeted 0-day attacks and should focus more on phishing-style threats, reducing your threat surface and patching. If you're an elite government agency or global Internet powerhouse, you should invest in the full panoply of security measures including internal/external red teaming, vulnerability research programs, human testing, secure coding programs, multi-tiered security layers, robust secure operations centers with visibility into each layer, deception measures in the network, customized locked-down software stacks,  investments into new architectures and mitigations, etc.

Individuals and specialized research shops will continue to exist and advance the objectives of these groups. If someone is a vulnerability researcher (VR) they aren't going to suddenly start offering phishing training to individuals, even if that was the highest payoff security measure for the organization that employs them, because the role wouldn't be interesting to them and would squander their abilities. They'll just change employers or take a mundane position and do this as an evening hobby. Similarly, we shouldn't force phishing training experts to become VR experts just because there is a need, if staring at hexadecimal and decoding heap structures isn't something that fascinates them and that they have an aptitude for.

To state more succinctly, attackers will continue to exploit BOTH classes of vulnerability (software vulnerabilities and human weaknesses/system configuration) as required for their objectives, and improving the security of BOTH while properly understanding our risk is critical. Doing that in a quantitatively robust way is currently impossible since we're still grappling with how to quantify both classes of risk, but heuristics and other measures are appearing so we can at least approximate it. (Example papers on quantifying phishing, vulnerabilities) Researchers continue to publish papers looking at trying to quantify/model these actors as game theoretic problems using things like attack graphs with limited practical success. (Random example)

The larger question about the allocation of resources (People, money, etc.) needs to be addressed at the policy level. As long as companies can knowingly sell software that has known vulnerabilities in it and is insecure by default configuration, we will have massive security breaches. As long as enterprises build/buy solutions that depend on everyone in their organization never making a bad security decision and having to analyze false web sites or phone callers to detect falsehoods, we will have humans being exploited. As long as we have millions of job openings for security professionals, we will remain understaffed and dependent on untrained operators and insecure code.

To see security postures change significantly requires measures across the entire spectrum. Changing the hardware and underlying software our platforms run on. Writing more secure code. Shipping systems securely by default. Automating testing and management. Training more users and security professionals. Buying security products that don't suck and work together to provide a complete picture. Embracing creative defensive approaches like dynamic defense (and "defending forward", whatever that means?) Quantifying everything and making rational decisions. To date we keep spending more money each year but still haven't seen a reduction in breaches... and we aren't going to by denigrating people in the community plugging different holes in the dike than we are.

Wednesday, November 28, 2018

Crowd-sourcing and bounties for defense

A little different post than I've done in the past, but I thought it would be interesting to the larger offensive/defensive cyber communities and too long form for Linkedin or Twitter. I'm an advisor to a company called 418 Intelligence, which is run by a friend of mine named Mark Jaster. They are trying to provide a platform that allows companies to move beyond bug bounties and actually crowd-source threat hunting/anomaly detection. They're just now opening up the platform to the community; I think it's worth checking out, as I think there's upside for the individuals and for companies and room to grow/expand. I'd love to hear what people think of their approach, and would incorporate any positive or negative feedback you have back to them.

Here's the invitation:

If you have skills in analyzing logs and pcap files here is an opportunity to join the first cyber professionals testing a new community platform, supported by DHS, designed to incentivize and crowdsource better defense and insights on what methods are working. If testing and shaping this vision sounds interesting, sign-up to participate as a tester of the alpha release of the FOURSight DEF3NSE cyber defense crowdsourcing platform from FOUR18 Intelligence. This release operates a three-round live simulation game of an intrusion where you analyze artifacts and bet points with other players on what is happening and how to defend against it. It then transitions into crowdsourcing countermeasures against a known attacker group executing the same attack playbook in the real world.  The sign up form can be found here: FOURSight DEF3NSE Pre-registration Form.

FOURSight DEF3NSE is the first online community and marketplace for cyber defenders and decision makers to directly connect and incentivize crowdsourcing better defense and network resilience against cyberattacks. The system uses a unique, gamified and incentivized "wisdom-of-the-crowd" betting experience to crowdsource fast and accurate assessments of cyber risks and countermeasures, and it is designed to pay-off participants by creating a market for this information, including what will be the first-ever bounties for breach hunting. If the vision of bounty-hunting for attackers, or of testing what you know and winning pay-offs by predicting how successfully a countermeasure will perform against an attack sounds interesting, please join others in testing the platform and helping the designers make it great.

Once you register you will receive orientation materials explaining the system further, and an update on the testing schedule, but if you have any questions you can contact the team at admin@def3nse.net.

Thursday, June 21, 2018

@War review

I finished Shane Harris' book on Cyber Warfare recently and felt obligated to write a review about it on GoodReads. Given I spent the time writing it up, thought it might be worth sharing here for those following my blog who share an interest in the cyber security/warfare communities.


A thorough introduction to the world of cyber warfare from the perspective of a journalist surveying published media from the mid-2005 to 2015 time frame. Some sampled private discussions and insights into behind-the-scenes discussions and classified projects. A good read for someone new to the field to catch up quickly.

Unfortunately the author spends a significant amount of time pontificating on concerns that have been excessively debated elsewhere and attempting to seem moderate while making clear his opinions on where the concerns lie... and unfortunately basing his conclusions on rumors he heard from self-proclaimed "experts". One example is the "thousands of exploits" the NSA is hoarding. This claim appears to be based on a single unquoted individual, and appears inconsistent with the other information in his book. (Pointing to a budget of $25M to acquire exploits, and price tags of $50,000-$1,000,000, would imply a catalog of 25-500 (dozens or hundreds, not thousands).) Much hand wringing is spent on NSA surveillance, defense-industrial relations, foreign government spying, and other topics that have been extensively discussed in the media over the last decade and a half.

Speculation is rampant in the book regarding what's happening behind closed doors and allegations are made without the editorial self-control that a reputable paper would employ. As someone with two decades of experience in this community, this reviewer recalls numerous relevant events that were not included and significant portions of the book devoted to commonly discussed events from various media sources (with a few interesting exceptions). In fact, the acknowledgements section credits many of the content writers of those stories from the news sources covering cybersecurity/cyber warfare (Michael Riley, Nicole Perlroth, Kim Zetter, etc.)  who actually interviewed the original sources and wrote about the events as they happened (or as they were uncovered!)

Books such as "Countdown to Zero-Day" by Kim Zetter provide a much deeper look that is more technically accurate and better sourced and represent a good alternative for a reader looking to gain insight into the technical and political aspects of the cyber warfare complex through a single (large) operational lens. 

@War is a good option if one has no prior exposure and views it as a breathless description of the events of the last 10-15 years in the US cyber warfare community from a non-technical observer doing his best to share what he's read about and been told as an outsider.

Friday, January 19, 2018

2017-2018 Update

Nehemiah Security Siege Technologies

As readers of this blog (or former readers!) have noticed I have been updating the blog less and less over the years. We successfully sold Siege Technologies to Nehemiah Security back in 2016 and have been working on the integration between the firms.
Pretty exciting to see technology we've been developing for years (now known as AtomicEye RQ) make its way into the broader commercial market and get traction with some big (Fortune 500) customers in addition to mid size and various government groups.
AtomicEye
It wouldn't have happened without an experienced team like the group that Nehemiah brings to the table. Hopefully once that stabilizes I'll be able to get back to blogging more often, either this year (2018) or next (2019). Hoping to get back to some technical/cyber topics but will probably also include more diverse content as well. Stay tuned!

Wednesday, April 19, 2017

Leadership lessons

I normally use this blog for longer form discussions about public news in the "cyber" field, but since I don't have another blogging forum I'm going to post this writeup here.

Getting tweens/teens to do chores can provide some lessons on leadership. I've assembled ten of them below for your enjoyment. 😀

1) Questions are OK. Sure, they're doing it to try to delay/distract/disrupt your objective as long as humanly possible. But it's OK to want to know what the objective is and buy into the overall mission.
2) Be specific. If you don't know where you're going it's unlikely you'll get there. Describe what you're looking for and there's a small (OK, tiny) possibility it will happen the first time around.
3) Explain what triggers task completion and try to avoid time based metrics. If it's time, the human response is to conserve energy (see: USSR as an example of how well that works out). But if it's goal based, people will often choose to work harder to accomplish the objective quickly and do other things they value more. Like watch Netflix.
4) Positive and negative outcomes are useful and must be tailored to the individual. Some people love chocolate, others don't. Some would consider reading a punishment, others a pleasure. Personally I find beatings are consistently unpopular but you might find something else works well. 😏
5) Music and humor are great ways to make tasks more enjoyable and lighten the mood. Unless you're listening to NF's rap song about Mom dying and leaving him, in which case you want to start crying and console each other.
6) Yelling doesn't produce anything positive IMHO. Except fear/anger. Which, if you're trying to train a Sith could be useful I suppose.
7) Showing/training is important for things more complicated than "carry this from here to there". Although sometimes even that requires instructions.
8) Have reasonable expectations and don't accept poor work. The DMV is a great reminder that even adult humans are perfectly willing to work in a way that yields a terrible product/experience. Don't be United Airlines and accept that just because it's the way things are or you might end up with kicking, screaming and blood everywhere.
9) Positive feedback provided promptly to people doing great work or with a great attitude is helpful. Kind of like participation trophies, but actually earned. 🏆
10) Lead by example. Returning to my Sith Lord example, Darth Vader doesn't make his troops do all the enemy soldier killing, he's at the front of the line doing it himself (even at a distance). Showing everyone you're willing to work just as hard slaughtering enemy troops means they have someone that they can and should follow. Or get force choked.