Agnostic Atheist Secular Liberal Humanist. InfoSec bod. Likes cheese, pate, cigars, and good booze. And knows a few things about stuff. Kind of.

How to Win the Next General Election

Tories need to be gotten rid of, for the next couple of generations ideally - but I'll settle for the next 3/4 election cycles. But first, they need to be displaced. These are, in my opinion, the manifesto promises and policies that should do it:

  1. Proportional Representation - this should be a no-brainer. And should be done without a needless, baited plebiscite. AV or STV would be my personal choices, but I'm by no means the expert. All I do know is, FPTP benefits the Tories, and only the Tories.
  2. OffMin - I've mentioned this idea before, but I think the behaviour seen by Johnson and his cabinet now virtually demand an Office of Ministerial Responsibility. An almost sister agency to the OBR, this would need to be independent of both government, parliament, and other public bodies, as its function is to be, amongst other roles, the arbiter of the Ministerial Code. It would place checks and balances on what would be considered proper behaviour from our elected officials, and be able to enact actual punitive measures against them, beyond just forcing them to resign their seats.
  3. Increased devolution - and I don't just mean to Wales, Scotland, and Northern Ireland, I mean across England, too. Far too much of UK politics is focused on London and the South-East, and has been for a long time. This isn't even a measure to save the Union, this is a measure to restore actual, meaningful democracy, opportunity, and investment across these islands.
  4. Constitutional Inquiry - another thing that has become blatantly clear over the past few years is the weakness in not having a written constitution - how easily abused it and our system of politics is when controlled by those with no clue what service or honour mean. I'm not saying that ultimately a written constitution is best - gods know the issue the US seems to have with theirs - but we do need a full review into ours, what changes need to be made, what values it should reflect etc. It should also be used to redress the balance of power across the Union as well, including what should be done if independence was demanded by any constituent country. It should also look at modernising the second chamber.
  5. EDIT: One more has really come to light since I first published this: All rights under ECHR/UNCHR preserved and restored - including the right to protest "noisily".
Bonus policy:
  1. Pathway to Europe - this isn't me demanding a complete return to the EU here, don't make that mistake. Regardless of whatever I think there, it should be abundantly clear to anyone by now that the handling of Brexit has done severe damage to the UK economy as a whole, and that will only get worse. We've also failed miserably to gain any meaningful trade deals around the world. The EU is one of the largest trading blocs in the world, and we are on the outside - we need a pathway to better trade with our neighbours.

You can promise whatever moon shot ideas you want after that, but if Labour, or a Labour-involved coalition, want to get anywhere near power again in the next GE, this is what they have to do.

A republican's Notes on a Royal Jubilee

As this very long weekend has shown, lots of you are still attached to the idea of monarchy - specifically British monarchy. The reasons are varied, but are irrelevant. All that matters, in the end, is that you like the institution, and you are unlikely to change your mind on the matter.

Equally, there are republicans like myself, who are very much in opposition to a monarchical structure in its entirety. Again, there are a few reasons for this, and again, they are largely irrelevant. Like our cousins across the aisle, we are also deeply unlikely to recant our position.

This is a long-running disagreement, one that has been discussed, argued, debated, and all other manner of conversant ways for centuries. And it is one that is essentially at the core of how to change the political structure of the UK that is failing us all.

My personal stance will come as no shock - abolish all monarchy and accompanying aristocracy. However, I'm also not that naïve nor that insanely stupid to actually propose this as a solution - that would invoke civil war as quickly as holding an investiture ceremony for another Prince of Wales. 

My proposal, then: a royal divorce. The complete and irrevocable separation of the monarchy from any power-holding position (whether that power is ever wielded or no), as has been achieved in other nations, like Sweden. Let them keep only that which they can afford (without public contribution), and they may remain as feckless figureheads - tourist attractions with only the power to bolster charitable ventures.

This method allows for a continuation of the monarchy - but also allows much-needed reforms to the Mother of Parliaments. It returns taxpayer funds previously allocated to the monarchy back to the public purse. It enshrines a dedication to full democracy. It takes away the giving of prestige and power in exchange for donations to the ever-bloating second chamber. Indeed, it forces a desperate rethink of our second chamber altogether.

I understand that a 70-year reign is quite a milestone - but when we look at almost any other country on this earth that has had leaders in place for even a fraction of that time, we see nothing but illiberal - and yet because established tradition means that, while the monarch could command more power than most other world leaders, they do not, it is still an illiberal and non-democratic notion to still be enthralled by an irreplaceable ruler.

By all means, let us wait until the throne's incumbent's reign is over to implement these changes - she has, in all fairness, been a leading figurehead, particularly during the past couple of difficult years (and I am deliberately putting aside her ability to shrug off the day-to-day worries of us unwashed masses by saying that). The image of HM sat alone during her husband's funeral is one that will always stay with me, for in that moment, she wasn't just the monarch, she was each and every one of us who chose to follow the rules to protect those around us, and she was every single one of us who had lost someone dear and precious under even more tragic circumstances than usual. But make no mistake, this is the way we must move forward - and we must begin planning now.

The Changing of the blog

FB Page post from 25/05/2021

I know the blog hasn't really been much of a blog for the past two years - between lack of time, and life, I've just not been able to do what I really want with it.

In the past few days, I've come across 2 things that have re-inspired me to get back into this, but to do it in a very different way, so that's what I'll do.

The first thing that gave me inspiration was this piece by the internet's own Cory Doctorow, who described how his method of blogging draws inspiration from a beloved piece of computing history, a machine that no-one ever used due to its outrageous expense:

The Memex:

Secondly was this video, about one of the longest-known funny images on the internet. This was surprising in so many ways:

So I think I'll try doing it Doctorow and Adachi-style for now: shorter pieces to act more as an extension to my cluttered mental corkboard. After I draft someone in to help with a redesign - I might be able to write legible things, but I don't have a designer's bone in my body. As you may have guessed

Jan 2022 note:

This is part of the changes I was talking about in my "Fresh Start" post. This format is flexible enough to allow for a longer exploration of a topic, as well as more of a short-form note-type post.

Shortly after reposting this, I came across this post: which I think might also be beneficial when considering not just meetings, but also when considering deeper topics.

I may also take elements from this Theme System journal, which while not entirely suited to me, does provide some interesting ideas: 

Another thing I am more determined to work at is a better form of record-keeping for the coffee, wine, whiskey, and cigars I partake in - partially as a review that could help interested parties make a decision, but also for my own sake: what I liked, what I didn't like, why I liked/disliked it, would I buy it again etc.

2021 Tools

As we're in a New Year, I thought I'd share some of the tools I found and explored in 2021 that really made a difference:

Chocolatey - a package manager for Windows. While MS is still doddering about trying to get "Winget" to work, Chocolatey have been at this for a few years now, and both the shell and GUI versions make finding, installing, and updating software exceptionally easy. They are also constantly adding new packages as well, making this a no-brainer choice for any IT Pro or tinkerer.

Workona - Now I'm aware I've mentioned this before, but in this past year it has been almost invaluable. Yes, I'm still paranoid enough to keep all the tabs bookmarked as well, but to be able to have multiple workspace browsers is a godsend of unimaginable proportions. I'd be lost without it at this point. Yes, you only get 5 workspaces on the free version, but that's been plenty.

- a fun little gadget that, for anyone who writes anything from prose to code, can make your life infinitely easier if you have multiple versions of a document.

- again, one I may have mentioned previously, but one I've continued to explore. I'll be making some changes to the website soon, and will be using this tool to publish with. It's clean and slick, and as we all know, I have the design instincts of a club-fisted, duck-billed platypus. The tag system makes organisation a breeze, and the functionality increases from there. This is a paid product beyond the free notepad - but I've only been using free and would still recommend it.

- another I have mentioned, but whose value has just increased exponentially this year. If you use GitHub a lot, this will be of use to you.

Socially-Acceptable Things that Future Generations Will See as Backwards

Originally posted: Sat, 07 Nov 2020 14:15:58

This is pretty much just a list, as things come to me. For me, questioning things that are socially acceptable started a few years ago when the vegan phenomenon really kicked off. I am not a vegan myself, but I do have serious concerns as to how we treat pets and livestock - bring on cultured meats say I!

A few years later, I started seeing more and more posts trying to work out what future generations would find abhorrent about ours, as well as some of the things that the likes of Gen Z currently see as backwards, but which still exist.

So, I decided to start keeping track of things that, in one way or another, we either shouldn't still be doing, or the things that future generations will ultimately condemn us for.

  • Cruel treatment of other animals
  • Consumerism
  • Worth by wealth
  • Economics of scarcity
  • Pseudoscience
  • Reckless exploitation of natural resources
  • Coddling religion and tradition over the real needs of people
  • Privatised Profits and Socialised Risk
  • Nationalism/Exceptionalism/Nation-state insularity
  • Politically disengaged public
  • Propaganda as news media/false balance

Do you have anything to add to the list?

Universal Social Absolutes

Originally posted: Sat, 07 Nov 2020 13:51:09

For a truly progressive society that works for everyone, one that also envisages some of the upcoming problems faced by humanity, four basic principles should be enacted and held as the absolute minimum that can be done for the benefit of all. None of these things are new, and most are implemented to greater or lesser degrees in most democratic countries. That the following are available is proof that the task is not a logistical one, but one of philosophy and politics.

The aim, of course, is to enable as level a playing field as possible for people of all backgrounds. Equality of opportunity is the goal, not outcome.

Equality of outcome is not the ideal that should be sought, as it is impossible and ignores science and scientific findings. This is a pernicious ideal, one that is harmful, unachievable, and undesired. It is corruption disguised as kindness.

Equality of opportunity, having everyone start on as even a keel as possible (within the limits of what the state can and should achieve), that is something that can and should be implemented. Yes, it is impossible to take account of all the possible variables that affect a person's ability, but not all of those are within the power of the state to adjust. Removing the bigger barriers, such as cost and access, however, is possible.

Universal Social Absolutes are the achievable expressions of the core ideals of a society, indeed of civilisation. They are the basis for growth - moral, personal, and economic - and stability. They are also pragmatic - welfare and healthcare may be something you are privileged not to have to think about now, but the future is not yet revealed, and it never hurts to have a safety net.

I appreciate that this list might not be fully exhaustive to some tastes - and to other ideologues it might go too far. However, a healthy, educated, engaged, and supported population can only be a positive, therefore these are my 4 Universal Social Absolutes:

  1. Universal Healthcare - properly funded, administered with care not cash, measured using meaningful metrics - designed without profit consideration 
  2. Universal Suffrage - anything less is indefensible. If you are of age to pay tax, be legally accountable, or be drafted for military service, you should be accorded the right to vote. Should only be restricted as part of a punitive measure taken against convicted criminals.
  3. Universal Welfare - most likely in the form of a UBI or state dividend. The ultimate safety measure against the unforeseen. This is not a fix-all solution but makes for a far more equitable welfare system than the current systems - and builds in some amount of future resilience.
  4. Universal Education - this involves formal and vocational education, up to (and inclusive of) Undergraduate Degree (or equivalent). Not restricted by age. As I'm often fond of quoting, "You are not entitled to your opinion. You are entitled to your informed opinion. No one is entitled to be ignorant" Harlan Ellison

What do you think?

Falling Struts: Examining Equifax’s Breach

Originally posted: Tue, 11 Feb 2020 14:54:55

N.B. This was a paper I wrote for my degree course, giving my view of the disaster that was Equifax. I've just read that the US DoJ has decided to pin the attack directly on China and is levelling charges against Chinese citizens for the breach. I also haven't clarified what Equifax have done to remedy their many, many issues: this is because as far as I can tell, they've done very little.

Abstract— In the Spring of 2017, Equifax suffered multiple breaches of security, which led to a 76-day access period to, and possible theft of, nearly 150m records of PII belonging to people in 3 different countries. This paper looks at how the breaches happened, and what could have been done to prevent them.

I. Introduction

To understand fully the breach and its ramifications, this paper will examine 4 major aspects of this incident: 1) the company, Equifax; 2) the technical nature of the breach and possible data theft; 3) how it could have been prevented; 4) and finally, the consequences of the breach and why they matter in the broader picture of security.

This analysis will consider how both technical competency and controls, and human competence (or lack, thereof) played a role in both the breach, and the handling of the fallout, thus highlighting the need for organisations to take a more security-focused posture to prevent further occurrences of data breaches, and loss of reputation.

Despite not being the biggest breach of 2017 (Yahoo! takes that title at having 3 billion accounts compromised), this attack does have several notable features, including the speed of attack (initial breach took place within 24 hours of the exploit being released); the length of the attack (76 days unadulterated access); and the lengthy response time of Equifax (146 days from release to patch being applied). These factors, as well as some legally questionable actions from the management team, leave Equifax a study in InfoSec gone wrong for years to come.

II. Equifax

A. Who are Equifax?

Equifax are a US-based Consumer Reporting Agency (CRA), although they operate across the globe [1]. While Equifax also employ data analytics for consumer, government and business markets [2], the relevant capacity for this incident is the CRA. A CRA is a credit agency, meaning that as a company, they hold large amounts of Personally Identifiable Information (PII) on millions of people, for the purpose of identifying, monitoring and improving their credit ratings. These credit ratings are then sold on to, and used by, many other companies to determine the financial viability of prospective customers.

B. Why is this important?

It is important to note that this breach took place in the USA, and that PII for consumers in the UK was also affected by this breach and theft. The first is important as the US, and Equifax, were judged to “ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data” [3], under the Data Protection Act (1998)¹. The relevance of the second is to do with compliance and prosecution under UK law, the aforementioned DPA (1998). From a security perspective, good security practices should have been in place, and procedures followed, as the data being stored and processed here needed to be kept Confidential, and its Integrity was crucial. While it can be argued that the third leg of the CIA triad (see Figure 1), Availability, was also important to their operations, with either of the first 2 compromised, Availability was negligible.

Fig. 1 CIA Triad [4]

III. Incident Overview

A. Brief Breach Timeline

As alluded to in the Abstract, there were 2 breach incidents, despite only one being the focus in subsequent investigations. The first breach appears to have been a trial run, although this attack is disputed by Equifax. According to 2 sources [2, p. 8] [5], Equifax was initially breached on 10th March 2017, using an exploit [6] created only days before. This Remote Code Execution (RCE) was created to exploit a vulnerability within the Apache Struts web application framework [7] [8]. Said vulnerability is one that had been known about, and had a patch released to remedy it, since 6th March 2017.

At this stage of compromise, it does not appear that the hackers took any further action until 13th May 2017. From this date until 30th July 2017 (76 days), the hackers gained access through Equifax’s Automated Consumer Interview System (ACIS) and performed thousands of queries on multiple sensitive databases throughout Equifax’s digital estate. The breach and unauthorized accesses went unnoticed until 29th July; the vulnerability was patched a day later. It would further take until 7th September for the public to be notified of this incident [2, p. 9-11] [9].

¹ GDPR was not applicable in this case as the legislation did not pass into active legal status until 2018.

B. Other Notable Actions

  • After the announcement of the Common Vulnerabilities and Exposures (CVE) relevant to Apache Struts (CVE-2017-5638), Equifax’s internal InfoSec team released a notification that all systems relying on it should be patched, as per their 48-hour policy. This was forgotten by a member of the team, and not picked up on by other staff [13].
  • After their first breach, Equifax did run a vulnerability scan, which found nothing (not even the unpatched vulnerability) [10].
  • Security company Mandiant was brought in to investigate the breach internally, and the FBI was notified [2, p. 10].
  • In the immediate aftermath, Equifax set up a website to help those possibly affected, but on their Twitter account repeatedly linked to a phoney website [12].
  • Up to 145 million Americans, 19,000 Canadians [14], and 15 million Britons [15] were affected by the breach.

IV. Breach Detail

Despite the flaws in the model, namely the first two links being difficult-to-impossible to either protect against, or model accurately post-incident without a confession, Lockheed Martin’s Cyber Kill Chain® [16] does lend itself well as an analytical tool with which to dissect an attack.

Fig. 2 Lockheed Martin’s Cyber Kill Chain® [17]

In this case, the second phase, Weaponisation, can be understood by looking at the vulnerability and known exploits. However, any analysis of the preparation phase, Reconnaissance, will consist largely of speculation synthesised from other attacks allegedly committed by the alleged cyber-criminals responsible.

A. Alleged Hackers Responsible

Despite 2 years since the attack and exfiltration, no individual hacker, nor criminal organisation, hacktivist collective, known APT (Advanced Persistent Threat), nor nation-state have claimed responsibility for the Equifax breach.

Attribution is a common problem with any cyber-attack, particularly as any indicators can be faked or obscured. In this case, while no official body has pointed fingers directly at anyone, Bloomberg have suggested China as a likely culprit, citing similarities with other attacks of a like nature [18]. While motive does seem to offer at least some justification for this, no further information suggesting this claim is correct (or incorrect) has been made available. Motive will be discussed later in this paper.

B. Reconnaissance

Without complete attribution, it is difficult to understand how the hackers came to target Equifax in particular. Two possibilities exist:

1) The attackers had already decided on Equifax as a target, either for their own purposes, or as part of an agreement with an external party;
2) Using random IP enumeration, the hackers found Equifax vulnerable and decided to launch their attack based on the first “hit” they had.
Whichever of these options describes the motive of the bad actors, the tool used was likely to have been the vuln struts2 package [19], part of the popular exploit framework, Metasploit [20].

C. Weaponisation, Delivery, & Exploitation

This module breaks down into two parts: Reconnaissance and Attack. The reconnaissance aspect allows for a user to enter an IP address and port number, which will then be checked for the vulnerability.

The second part of the strutscodeexec_jakarta exploit module takes advantage of the flaw in the exception handling of the Content-Type value. The invalid value data that should be displayed in the error message is instead passed to the Object Graph Navigation Library (OGNL) [19, comment: tseller-r7] [21].

Using a properly crafted payload, OGNL’s blacklisted class method functionality can be completely bypassed, allowing an attacker to execute code to reach a system shell, and then further compromise the system. This is achieved by clearing out the exception list, leaving nothing to be compared to, rendering the blacklist neutered [22].

Using a specially designed Content-Type HTTP header with a specific string (in this case ‘#cmd=’, to launch command shells), it would have been easy for the hackers to take control of the server [23].
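Because the vector described above is an OGNL expression smuggled into a header, a defender can flag it at a proxy, WAF or log pipeline without decoding the whole payload. The following is an added example (not code from the paper, Metasploit or Equifax) that parses a raw HTTP request head and reports headers that combine an expression opener with the context-manipulation tokens seen in CVE-2017-5638 payloads; the sample requests are constructed, and the suspect one mirrors the blacklist-clearing form shown in Figure 3.

```python
import re

# An OGNL expression opener ("%{" or "${") on its own is not proof of anything, so the
# detector also requires a token that manipulates the Struts/XWork context, clears the
# OGNL exclusion lists, or reaches for a process-spawning class.
OGNL_OPENER = re.compile(r"[%$]\{")
OGNL_MARKERS = re.compile(
    r"#_memberAccess|#context\b|#container\b|#ognlUtil|#cmd\b"
    r"|com\.opensymphony\.xwork2|\bognl\b|getExcludedPackageNames|getExcludedClasses"
    r"|java\.lang\.(?:Runtime|ProcessBuilder)",
    re.IGNORECASE,
)


def is_ognl_injection(value):
    """True when a header value contains an OGNL opener plus a context/class token.
    A normal upload value such as 'multipart/form-data; boundary=...' has neither."""
    return bool(OGNL_OPENER.search(value) and OGNL_MARKERS.search(value))


def parse_request_head(raw):
    """Split a raw HTTP/1.1 request head into (request line, {lower-name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def inspect_request(raw):
    """Return the names of any headers carrying a suspected OGNL injection."""
    _, headers = parse_request_head(raw)
    return [name for name, value in headers.items() if is_ognl_injection(value)]


def triage(samples):
    """Map each labelled raw request to the list of suspicious header names."""
    return {label: inspect_request(raw) for label, raw in samples.items()}


# Constructed sample traffic (not captured data): two benign requests and one
# modelled on the Content-Type vector the paper describes.
BENIGN_GET = (
    "GET /index.action HTTP/1.1\r\nHost: app.example.test\r\nAccept: */*\r\n\r\n"
)
BENIGN_UPLOAD = (
    "POST /upload.action HTTP/1.1\r\nHost: app.example.test\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk\r\n"
    "Content-Length: 138\r\n\r\n"
)
SUSPECT_UPLOAD = (
    "POST /upload.action HTTP/1.1\r\nHost: app.example.test\r\n"
    "Content-Type: %{(#_='multipart/form-data')."
    "(#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
    "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
    "(#ognlUtil.getExcludedClasses().clear())}\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    samples = {"get": BENIGN_GET, "upload": BENIGN_UPLOAD, "suspect": SUSPECT_UPLOAD}
    for label, hits in triage(samples).items():
        print(f"{label}: {'ALERT ' + ', '.join(hits) if hits else 'clean'}")
```

The same check can be pointed at Content-Disposition values, since later Struts advisories reused the pattern in other multipart headers.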

It follows that it is likely the attacker didn’t create or weaponise this exploit themselves, but used the freely available one in Metasploit. Although Equifax contest this, it is not unreasonable to propose that this part of the infiltration, the breach itself, took place on the 10th March, 2 months before beginning their objectives run. While it may seem unlikely attackers would breach a target this early, getting a foothold inside the system allows for a certain amount of control and foresight – had Equifax realised they had been breached and patched, the criminals could have reacted better rather than having to start the process from the beginning and finding another entry point.

Even if this was not the case, the hackers had still managed a successful dry run that provided proof of concept for later attempts, either on Equifax’s systems, or another, similarly security-lax network.

Content-Type: ${(#_='multipart/form data').(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear
Content-Length: 0

Figure 3: Sample exploit payload request, with blacklist clearing in bold [22]

D. Installation & C2

During this phase of an attack, the bad actors usually install some form of malware, like a Trojan or RAT, to establish a persistent connection. The Chinese connection has been made due to the use of malware known as China Chopper, a web shell designed for persistent control for webservers, as well as having several C2 features such as code obfuscation [26].

It has also become apparent that the attackers may not have had to go to such lengths to accomplish persistence.

As revealed during a class-action lawsuit against Equifax, a portal for credit disputes, that stored PII, was protected solely by the username/password combination of “admin/admin” [24].

E. Actions on Objectives

Whether or not persistence had been maintained from the March attempt, the cyber-criminals had complete access to several databases containing over 160 million people’s records. Over 9,000 queries have been acknowledged by Equifax to have been made [1, p.9].

It is either unknown or unreported how much, if any data was exfiltrated from the databases, but with that many searches being made, it would be naïve to ignore the possibility. What is known is that none of the data has shown up on any sites, on the indexed web nor the dark web, for sale.

V. Motivation

As mentioned earlier, there is no known definitive proof to reveal a culprit. However, some speculation can be made based on the events and using logic extrapolated from this information.

Current thinking contends that this was the work of a nation-state, like China, to accomplish one (or more) of several aims, including:
1) Use of financial data to identify current US intelligence workers [25];
2) To identify possible double agents through blackmail or extortion;
3) Aiding economic warfare through using the data to model consumer trends;
4) Theft of Equifax Intellectual Property;
5) Building a “data lake” to track government and intelligence workers.

Other options could include competitor action, either industrial espionage or sabotage, that went too far. It is also possible that it was a script kiddie who got in over their heads.

VI. Equifax Failures

While malicious actors are the only ones to blame for committing criminal acts, Equifax must also be held to account for their many failures and blunders in this breach.

A. Halting the Breach

It should be noted that this breach could have been halted at any time, and should never have happened (at least in this manner) at all.
The patch for vulnerability CVE-2017-5638 had been released several days before the March breach. This had even been noted by Equifax’s InfoSec team, who had sent instructions that this patch be applied, as per company policy, within 48 hours. This was missed by one employee, and wasn’t carried out. Mistakes happen all the time, however this should have been caught by other team members, management, and even the InfoSec team themselves, but it was missed.

When a vulnerability scan was conducted days after the March incident, the vulnerability was not even seen, implying that the technique used was old, or the signatures used were out-of-date. Again, at this point the missed patch should have been caught, as it should have been noticed as missing from the scan.
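A scanner that relies on stale signatures can report a clean bill of health while a vulnerable struts2-core jar sits on disk, which is why an on-host inventory is the more reliable complement to the 48-hour policy described above. The following is an added example (not code from the paper or from Equifax): it walks a deployment tree for struts2-core jars, flags versions inside the CVE-2017-5638 ranges given in [6], and measures how far a patch overran a 48-hour policy; the directory tree it scans is constructed in a temporary directory.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta

# Vulnerable ranges for CVE-2017-5638 as listed in the Exploit-DB entry cited as [6]:
# Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10 (fixed in 2.3.32 and 2.5.10.1).
# Versions are padded to four components so "2.5" and "2.5.10.1" compare as tuples.
VULNERABLE_RANGES = [
    ((2, 3, 5, 0), (2, 3, 31, 0)),
    ((2, 5, 0, 0), (2, 5, 10, 0)),
]

# Matches the artifact name Struts ships under, e.g. struts2-core-2.3.30.jar.
STRUTS_CORE_JAR = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); '2.5' -> (2, 5, 0, 0)."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])


def is_vulnerable_version(version):
    """True if this struts2-core version falls inside a CVE-2017-5638 range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)


def find_struts_jars(root):
    """Walk a deployment tree and return sorted (path, version) for each struts2-core jar.
    Looking at what is actually on disk cannot miss a deployed copy the way a
    signature-based scan with out-of-date signatures did."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = STRUTS_CORE_JAR.match(name)
            if m:
                found.append((os.path.join(dirpath, name), m.group(1)))
    return sorted(found)


def assess_tree(root):
    """Return [(path, version, vulnerable)] for every struts2-core jar under root."""
    return [(p, v, is_vulnerable_version(v)) for p, v in find_struts_jars(root)]


def hours_past_sla(advisory_date, patched_at, sla_hours=48):
    """Hours by which a patch overran the policy deadline (0 when the SLA was met)."""
    deadline = advisory_date + timedelta(hours=sla_hours)
    if patched_at <= deadline:
        return 0
    return int((patched_at - deadline).total_seconds() // 3600)


def equifax_overrun_hours():
    """Overrun for the dates the paper gives: fix released 6 March 2017, patched 30 July 2017."""
    return hours_past_sla(datetime(2017, 3, 6), datetime(2017, 7, 30))


def demo():
    """Build a constructed deployment tree (not a real estate) and assess it."""
    sample_jars = [
        "app1/WEB-INF/lib/struts2-core-2.3.30.jar",   # inside the 2.3.x range
        "app2/WEB-INF/lib/struts2-core-2.5.10.1.jar",  # fixed release
        "app3/WEB-INF/lib/struts2-core-2.3.32.jar",    # fixed release
        "app3/WEB-INF/lib/commons-lang-2.6.jar",       # unrelated jar, must be ignored
    ]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample_jars:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()  # empty placeholder; only the file name matters here
        return [(ver, vuln) for _, ver, vuln in assess_tree(root)]


if __name__ == "__main__":
    for ver, vuln in demo():
        print(f"struts2-core {ver}: {'VULNERABLE' if vuln else 'ok'}")
    late = equifax_overrun_hours()
    print(f"48-hour policy overrun by {late} hours ({late // 24} days)")
```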

B. During Breach

For 76 days, no alarms were tripped, no suspicious activity was logged, while millions of records were compromised. This implies a serious lack of access controls on user accounts and databases, as well as no monitoring on systems containing sensitive information.

Other measures that could be applied here are canary tokens or honeypots [27] [28], which would have raised an alert on the first unexpected query against a seeded record or decoy host.

C. Post Breach

To give information to the public after the breach was announced, Equifax set up a website. On its Twitter account, the company relayed the address as securityequifax2017 no less than 8 times [12].

During a class action lawsuit against Equifax, it has been revealed that the company were also storing unencrypted PII, on a public-facing server, that also contained the encryption keys for those data that were encrypted [24].


Data breaches and cyber-attacks have rapidly become a fact of existence for organisations and individuals alike in the 21st Century. Increasing legislation and regulations are being drawn up to ensure that the security of the CIA triad is embedded within the ethos of a company.

Equifax’s many failings, technical, procedural, and human, contributed to making what should have been a one-off, lucky knock on the digital door, into one of the most expensive, most publicised and publicly humiliating incidents the world had seen up to 2017.

However, the only real damage done to the firm was in the eyes of those who launched the class-action suit, and the professional security community. Somehow, despite 3 of the C-Suite retiring (with generous golden handshakes), the company still maintained governmental contracts and carried on business, almost as normal.

If there are lessons to be learned here, then they are to constantly review your security, to follow a recognised framework, and that it is cheaper to secure than to pay out $700+ million in damages.


[1]U.S. House of Representatives Committee on Oversight and Government Reform, "The Equifax Data Breach", Committee on Oversight and Government Reform, Washington, D.C., 2018.
[2]"Company Profile | About Us | Equifax UK",, 2019. [Online]. Available: [Accessed: 28- Nov- 2019].
[3]Data Protection Act 1998, vol. HM Government, 1998.
[4]The Informed Future Team, CIA Triad. 2019.
[5]M. Riley, A. Sharpe and J. Robertson, "Equifax Suffered a Hack Almost Five Months Earlier Than the Date It Disclosed",, 2017. [Online]. Available: [Accessed: 28- Nov- 2019].
[6]V. Woo, "Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - Remote Code Execution", Exploit Database, 2017. [Online]. Available: [Accessed: 28- Nov- 2019].
[7]"CVE -CVE-2017-5638",, 2017. [Online]. Available: [Accessed: 28- Nov- 2019].
[8]"Welcome to the Apache Struts project",, 2018. [Online]. Available: [Accessed: 28- Nov- 2019].
[9]"Equifax Breach Timeline — GracefulSecurity",, 2017. [Online]. Available: [Accessed: 28- Nov- 2019].
[10]R. Chirgwin, "Equifax couldn't find or patch vulnerable Struts implementations",, 2017. [Online]. Available: [Accessed: 28- Nov- 2019].
[11]I. Thompson, "Equifax execs sold shares before mega-hack reveal. All above board – Equifax probe",, 2017. [Online]. Available: [Accessed: 28- Nov- 2019].
[12]E. Kovacs, "Equifax Sent Breach Victims to Fake Website | SecurityWeek.Com",, 2017. [Online]. Available: [Accessed: 29- Nov- 2019].
[13]A. Glenn, "Equifax: Anatomy of a Security Breach", BBA(Hns), Georgia Southern University, 2018.
[14]T. Press, "Equifax doubles number of Canadians hit by breach, now more than 19,000 | CBC News", CBC, 2017. [Online]. Available: [Accessed: 29- Nov- 2019].
[15]C. Williams, "Oi, you. Equifax. Cough up half a million quid for fumbling 15 million Brits' personal info to hackers",, 2018. [Online]. Available: [Accessed: 29- Nov- 2019].
[16]"Gaining the Advantage",, 2015. [Online]. Available: [Accessed: 29- Nov- 2019].
[17]Lockheed Martin, Cyber Kill Chain. 2015.
[18]M. Riley, J. Robertson and A. Sharpe, "The Equifax Hack Has the Hallmarks of State-Sponsored Pros",, 2017. [Online]. Available: [Accessed: 29- Nov- 2019].
[19]"CVE-2017-5638 - Apache Struts2 S2-045 · Issue #8064 · rapid7/metasploit-framework", GitHub, 2017. [Online]. Available: [Accessed: 29- Nov- 2019].
[20]Metasploit. Rapid7, 2017.
[21]A. org, "OGNL - Apache Commons OGNL - Object Graph Navigation Library",, 2013. [Online]. Available: [Accessed: 29- Nov- 2019].
[22]E. Rafaloff, "GDS - Blog - An Analysis of CVE-2017-5638",, 2017. [Online]. Available: [Accessed: 29- Nov- 2019].
[23]G. Duan, "Equifax Data Breach Analysis: Container Security Implications - NeuVector", NeuVector, 2017. [Online]. Available: [Accessed: 29- Nov- 2019].
[24]K. O' Flaherty, "Equifax Lawsuit: ‘Admin’ As Password At Time Of 2017 Breach",, 2019. [Online]. Available: [Accessed: 29- Nov- 2019].
[25]K. Fazzini, "The great Equifax mystery: 17 months later, the stolen data has never been found, and experts are starting to suspect a spy scheme", CNBC, 2019. [Online]. Available: [Accessed: 29- Nov- 2019].
[26]"Web Shells: China Chopper", Canadian Centre for Cyber Security, 2018. [Online]. Available: [Accessed: 29- Nov- 2019].
[27]" - Quick, Free, Detection for the Masses",, 2017. [Online]. Available: [Accessed: 29- Nov- 2019]
.[28]"What is a honeypot? How it can lure cyberattackers",, 2017. [Online]. Available: [Accessed: 29- Nov- 2019].

Back to the Grind

Originally posted: Mon, 26 Aug 2019 09:33:18

It's been a busy few weeks here, as I'm back on the job hunt. You'd think searching and applying for new positions would be easy - but there are some rather annoying pitfalls. Here's my short overview, in which we discover that geography should become a compulsory short course for recruiters (particularly if they live within the M25).

Getting set up

The easy bit - open your browser, find your job boards, create your accounts, upload your CV. After this, it's just a case of setting your search parameters and trawling through the results.

Now, you may not be 100% confident in your CV - and that's fine, most people aren't. Most online job boards offer a CV checking service for free. Use them all. Don't just do one, do all of them you can. You will find plenty of contradictory advice, but you should be able to compare notes and work out some good advice to fix the CV up a bit.

It's also worth pointing out that, depending on your industry, keeping your LinkedIn profile up to date (or even building one in the first place) is a good idea. Put the link on your CV, too. Recruiters and potential employers will be looking for an online presence of some kind, so it's probably best to keep at least one social profile for professional purposes. You can give them your Facebook and Twitter links if you want, but you don't really want to be judged by photos of that time you went to Magaluf with the gang now, do you?

N.B. on Twitter, you may have multiple handles, so if there is one you keep strictly for work-related things, it might be advisable to put this on your CV.
GitHub/Lab profile links can be highly beneficial to add, as it shows off your capabilities, interests, and projects to companies and recruiters before you even meet them, giving them a good idea about you and your work. Particularly for developers, this can be a boon, as it takes half the pressure off during interviews.

Daily Hunting

With your CV sorted, and your accounts created, let's have a little gander at the actual searching.

The first thing is to try and be as specific as you can - this isn't always possible, as job titles can have wide variations on a theme. But you can mitigate this by making sure you fill out the search criteria as completely as possible. This usually includes Salary (min and max; min is necessary to get the best results), Location (Postcode is usually best, but town/city can work), Distance (how far you are willing to travel), and Industry (the field you work in).

The main trouble you might have (if you don't live, eat, and breathe London that is), is with the Location and Distance - the results are... interesting. I can tell you stories of results being returned telling me that I'm a perfect match for this job that's just down the road - only to find that their version of "down the road" actually translates to "200 miles away as the crow flies". Job sites and recruiters take a rather liberal interpretation of these two parameters, so be wary and read the job ad thoroughly.

You will also find yourself confronted with a filter on how to organise your results. I highly recommend sorting them by date (most recent). Job ads tend to linger a while after the position has been filled, and there are some that are blatantly fake and exist purely for CV harvesting purposes. If you sort by this method, you get to see if an older job has been re-posted and is likely to not be real.

Searching Miscellany

If you are looking to break into a new field, or area, and you think you might lack qualification or experience, don't worry. Put down on your CV what you are doing about this interest, even if it's a few free courses online - anything that shows you are being serious about it, not just after a pay rise.
While it is important to have references at the ready, you do not have to put them on your CV. This can help, particularly if yours is already running to 2-3 pages. You can also dispense with the "References on request" bit too, as this is taken for granted these days.

I'll also mention that the training industry has decided that its courses qualify as jobs (still trying to figure that one out), and so litters the boards and sites with its adverts. One dedicated company has its adverts show up for practically every village in my search radius.

All about the Benjamins

This is worth noting all on its own: don't believe the listing entirely. When you see the matching criteria at the top of the ad, don't expect it to be 100% accurate. Or even 50% for that matter.

Even though you specified your starting salary, your search will include jobs where that is the maximum. You'll also find that halfway through the vague job description, it might say something entirely different to the figure in the match. These differences aren't minor, either. I've seen £10,000 differences.

The same goes for contract jobs: always check the rate, and always calculate it to your preferred format. You should also check if this is Inside IR35 or not, and whether it is fixed term (aka you'll work for the firm directly), Umbrella, or Limited company.

Closing Notes for Recruiters

Recruiters must often wonder why they get such a bad reputation, I think (if not, then they must remain oblivious). The reason is pretty straightforward - they lie. A lot.

Should they wish to change this state of affairs, it's quite simple; just a few minor changes would make all the difference:
• Stop using imaginary mathematics to judge distances
• Learn to use a map
• Use said map when posting adverts
• Post accurate salary information, and don't contradict it within the main body of the ad
• Post accurate job descriptions
• Don't post ridiculous qualification requirements when they aren't necessary, and you don't understand how they work

I think that covers all my grievances for this week!

Yea, though I walk in the valley of the Shadow IT, I carry a big stick

Originally posted: Sat, 20 Jul 2019 08:51:54

Users are infuriating at the best of times. Then there are the ones who smuggle their own applications or devices onto your network. Welcome to the deep, dark depths of Shadow IT...

Shadow IT, if you don't know, is the concept of users running amok and installing whatever application or device they think they need without asking. Tut tut. Of course, this is also partially your fault, for ignoring the Principle of Least Privilege and letting them, so we can't be too angry at the poor end users. Or we can, but we have to admit that our oversight allowed this to happen.

This is one of those Big Problems, along with people clicking every link in sight, and those special snowflakes who plug in every USB thing in sight because SHINY!

Why is it an issue?

If you have to ask, you haven't thought about it. Software on your network from parts unknown could be anything: there could be a trojan horse buried in it, or a keylogger. It could be transmitting data of any kind to anyone. Compatibility issues could mean it has a detrimental effect on your current setup. It could also be unlicensed, which is a headache all of its own.

While there isn't always a reason to suspect the 'ware isn't safe, that doesn't mean you can take leave of your senses either: if you didn't put it there, it shouldn't be there.

The Fix

It is actually a reasonably easy problem to fix, though: first, have a policy that states no unauthorised software on any of your machines (have this policy backed up by scary bouncer types. Or just the management). Next, use group policy to make sure no-one has the access needed to install crap. Finally, get some decent asset management software that will monitor not just your hardware assets, but also the installed software too.
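To make the last two steps concrete, here is an added example of mine (not code from the original post, and not any particular asset-management product): a PowerShell audit that pulls the installed-software inventory from the standard Windows uninstall registry keys, compares it against an approved-software allowlist, and checks whether the "Turn off Windows Installer" policy has actually landed on the box. The allowlist CSV path and the report path are assumptions; the registry locations are the standard ones.

```powershell
# Added example, not the original post's code: audit installed software against an allowlist.
# Assumptions: C:\Audit\approved-software.csv exists with a "DisplayName" column (hypothetical path),
# and the script runs with local admin rights so HKLM and the policy key are readable.
$allowlistPath = 'C:\Audit\approved-software.csv'
$reportPath    = "C:\Audit\unauthorised-$env:COMPUTERNAME.csv"

# The approved list: one product display name per row.
$allowed = (Import-Csv -Path $allowlistPath).DisplayName

# Standard registry locations where installed products register themselves:
# 64-bit, 32-bit-on-64-bit, and per-user (where users who can't write to HKLM often end up).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate,
                  @{ Name = 'Hive'; Expression = { $_.PSPath -replace '^.*::', '' } }

# Anything not on the allowlist is, by the post's rule, something that shouldn't be there.
$unauthorised = $installed | Where-Object { $allowed -notcontains $_.DisplayName }

# Has the "Turn off Windows Installer" policy been applied? DisableMSI: absent/0 = installer enabled,
# 1 = disabled for non-managed apps, 2 = disabled for everyone.
$installerPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' `
    -Name DisableMSI -ErrorAction SilentlyContinue
if ($installerPolicy -and $installerPolicy.DisableMSI -ge 1) {
    Write-Host "Windows Installer policy applied (DisableMSI=$($installerPolicy.DisableMSI))."
} else {
    Write-Warning "No Windows Installer restriction policy found: users may still be able to install software."
}

Write-Host "$($installed.Count) products installed, $($unauthorised.Count) not on the allowlist."
$unauthorised | Sort-Object DisplayName | Format-Table -AutoSize
$unauthorised | Export-Csv -Path $reportPath -NoTypeInformation
```

Run it as an administrator. It only reads the registry and writes a CSV, so it is safe to push out as a scheduled task as a stop-gap until proper asset management is in place. The allowlist is the hard part: seed it from a known-clean build image, and treat every hit in the per-user hive with particular suspicion, since that is exactly where software ends up when someone has found a way round the group policy.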

If you also have a policy where you are open to looking into new software that others suggest, this will help mitigate Shadow IT problems. Encourage your users to come to you with suggestions and involve them in the testing phase. Explain to them what they need to take into account and get them to argue the case for it. If it passes muster, maybe you'll have something to implement that might make life easier. More often than not, though, you'll get users who understand why you said no, and that's worth its weight in gold-pressed latinum.

Farewell, Vertigo

Originally posted: Sat, 22 Jun 2019 08:50:05

I've not really talked about my love of comic books and graphic novels here. Not that I'm an obsessive, but I do have a few titles I'm heavily attached to. Hellblazer, Lucifer, The Sandman, The Invisibles, Preacher, 100 Bullets, DMZ, to name but a few. A large portion of these have one specific thing in common: they were all released, or continued, on DC's Vertigo imprint.


Vertigo started in 1993 under the guidance of Karen Berger, an editor of legendary status for good reason. Its mandate was to find a home for the more adult-themed comics largely spawned by the British Invasion, without drawing the attention of the Comics Code Authority. DC's latest imprint became home to some of the more influential, as well as freethinking, offerings of the American format.

Another thing of note with regards to Vertigo is that, at least in its early days, a large amount of the work remained creator-owned, something that had been a challenge for writers and artists for decades, and still can be.


As someone who grew up with the Vertigo imprint, albeit coming in a little later, I can honestly say I found a home there. The titles evoked fear, horror, elation, beauty; took you on journeys wondrous and complex. You had no choice but to face up to the changing face of society and its ethics: these books took you on a quest to confront it all, whether you liked it or not.

Readers became more than passing dabblers in the occult, bore witness to the conflict at the heart of creation, and saw a conspiracy that operated across all levels of the United States bear its fruit and then collapse. We saw a world bereft of men, and a US civil war played out in Manhattan. Nothing was held back, no sacred cows here: everything was fair game.


On the 21st of June 2019, DC announced that the Vertigo imprint would be sunsetted by the end of the year. It will move all its mature reader titles to DC Black. Just like that, 26 years of comic book history, large amounts of it being made on the imprint, gone.

I am deeply sorry to see it go, given the many hours of entertainment, intrigue, and wonder I have enjoyed in its pages.

High Moon

Originally posted: Tue, 28 May 2019 08:51:09

N.B. This is a freebie writing prompt for anyone who wants it - I got as far as I could, then couldn't see a way forward with it.

The bell struck midnight as the crowds snaked through the city streets, their shapes bathed in the blue reflected light of the moon. At least, they did heading towards the bigger temples, the gatherings heading to the smaller ones, or those of the minor cults, would barely fill a tavern. Still, they all came, greedy for prophecy: would they be chosen? Would their child's destiny be revealed and hail a new era? Could they herald an age of conquest, or lead a calamitous war? Hero, villain, warmonger, peacemaker - it was all the same to them: if prophecy called, they would answer and be immortalised in history.

Bloody fools, the lot of them. Why anyone would want the eyes of fate to glance at them and decide to hijack them "for glory", I don't know. The smart ones stay at home on High Moon, or go on hunting trips, or mountain treks. They're the ones who understand. They're also the poor sods who get a visit from me. And if I show up at your door... Well I'll put it this way: most of those I minister the future to have a higher survival rate than the temples. Physically, anyway.

Prophecy is lunacy: people will bend over backwards trying to obey it, despite it being uselessly vague and referring to events and people either centuries buried or not yet born. It has become the coin of charlatans to appease the influential. It also fucks with history, and with my plans for history. This does not make me happy.

No, I'm not actually a prophet, by the way. I'm more of what you'd call an agent of Time: I don't hop around in it at will, I cannot travel strictly through time, I just get sent instructions and have them carried out. OK, fine, I'm a fucking prophet, stop rubbing it in. What I don't do, is write this shit down and peddle it for cash or influence. I don't get the same vagaries most "prophets" do, but that's because I'm not grasping at the edges of the Tapestry, stealing a small loose end of a thread. I get specifics. I get specifics, because they are basically orders. They are not visions of things to come as warnings; not a tidbit to send some prancing gallant nitwit on a quest; and they are most certainly not a way to get rich quick (although I'm far more loaded than the temples and nobles could dream of).

Anyway, back to tonight: Tonight is High Moon, a day-long festival where the moon is high, the weather is good, the temperature warm, and the people come out to beg a temple acolyte to make them famous and rich by telling them an obscure passage in an impressive-looking old book means they have a Great Task to accomplish that will Save People/Nations/Pretty Young Thing. It's my favourite night of the year, because it gets the priests off my back while they do their thing, and I can actually go get things done. Which I can usually do, provided one of their smart alecs doesn't actually find something genuine, and the right person to match it. Thankfully that doesn't happen very often, as untangling the resulting catastrophe really eats into my "me" time. The priests still haven't forgiven me for the last time that happened: I stole one of their people, burned down one of their hidden storehouses and embarrassed them into submission in front of the Archon. They should be glad I didn't do it publicly, given the storehouse bit was mostly their fault, sticky-fingered weasels. I digress, although the storehouse is relevant, as it is my current destination.

Now, as you may have gathered, I'm a bit of an oddball around these parts, which, on top of being a prophet (even one of an obscure cult, as they like to call my practice) allows me certain courtesies, and a lot of leeway in regards to my behaviour. Not that anyone really pays much attention to my comings and goings, but I do like to take the paths less travelled. So this High Moon had me visible to everyone, should they be looking, ambling along the city's skyline, leisurely hopping from rooftop to rooftop heading towards the docklands district for a "chance" meeting at the aforementioned husk of a storehouse.

The Fifth Domain

Originally posted: Mon, 20 May 2019 08:54:25

As I'm seemingly doing a series on Cyber Warfare, I suppose we should rewind from Hybrid War a little and define what CyberWar is. Let us enter the fifth domain of warfare, Cyberspace, and try not to get hit.

Traditional war is fought on land, at sea, or in the air. For a short while (although this notion might be having a small renaissance with Trump’s Space Marine idea), it looked as though combat might move ever upwards into space, so much so that the USA went as far as creating a Unified Command to back this idea (naturally, this concept was gravitically attracted back to solid ground. I could go into a little rant over this lunacy, so keep your eye out for that, it should be fun). Cyberspace, however, seems to have only just garnered the attention it has so desperately needed. Given the substantial amount of damage that can be done in the digital realm, it is quite worrying that it’s only within the last decade that it has been taken seriously. It’s also rather disturbing that it is still not a public conversation piece.

The What?

So, what is Cyber Warfare exactly? Is there even a standard definition, or is that, too, like IW, trapped in a weird limbo of “it’s lots of things, and we don’t want to limit our options by defining it”? (Option B. It’s always Option B when there is a choice). Apparently, not even the great Wikipedia can settle on one unifying concept. One definition found in the book ‘Introduction to Cyber Warfare’, and based on Carl von Clausewitz’s famous definition of war, reads thusly:

“Cyber war is an extension of policy by actions taken in cyber space by state or nonstate actors that either constitute a serious threat to a nation’s security or are conducted in response to a perceived threat against a nation’s security.”

As it goes, I think this is a fine definition for bandying around a governmental/legislature chamber, but as something practical that actually tells us anything about the subject, it is lacking in detail a little. Richard A. Clarke offers up this definition:

“…actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption”

It’s nice, simple and describes a fight. And also feels like it misses the mark a little, providing little nuance to a rather broad category. Martin Libicki has this to say on the matter, and at least recognises there are different aspects to cyber warfare:

On Strategic Cyber Warfare: “…a campaign of cyberattacks one entity carries out on another”

On Operational Cyber Warfare: “…involves the use of cyberattacks on the other side’s military in the context of a physical war”

As you can see, these are a little more descriptive regarding at least the battlespace, but are problematic in different ways: the strategic definition can be applied to any entity, from script kiddies putting their newly discovered powers to the test; hacktivists acting in concert to deface/take down a poster website; cybercriminals using zombienets to mine and steal cryptocurrency, all the way to the Iranians planting malware to wipe a company’s worth of HDDs. It’s just too broad in scope to be workable, although it gives us a starting point. That’s not to say that in cyberspace, war can only be participated in by nation-states, far from it: the running conflict between Anonymous and the Church of Scientology can almost certainly be seen as a war, one that involved both InfoWar and CyberWar. This is just another example of where the world of the electron and the baud blurs the lines of what we thought we had a pretty good handle on up to now.

The operational definition reduces cyber war to nothing more than a background effort in support of traditional, kinetic warfare. Now, while cyberattacks and other digital efforts can be utilised in such a capacity, it does seem to limit its true capacity, not just in what can be accomplished in coordination with physical war, but also in how devastating the effects of a war fought purely in the digital ether could potentially be. Let us not forget, it is well established that a few lines of code can blow up a generator (Aurora Generator Test), destroy nuclear centrifuges (Stuxnet), or otherwise cause physical destruction directly or indirectly. And that’s ignoring all the other damage that can be caused by cyberattacks; overall, the only thing more devastatingly effective might well be nuclear weapons.

So, let’s try this definition on for size (my own contribution to the conversation):

“The continued offensive and defensive acts of aggression utilising all available digital assets against acknowledged adversarial entities in any battlespace”

I’ll leave the word aggression in there for now, but I can see how it might be superfluous. I think it covers all bases, explains that it can stand alone or in support of other conflict agencies, allows for multiple parties, including those non-nation-state actors that might want to engage, and specifies the speciality of the field. The “continued” modifier was put in there as a scale descriptor – this is to separate it from a one-off data grab or breach.

The Logic and The Bomb

Originally posted: Wed, 08 May 2019 09:05:06

Cyber Warfare has just entered a new, and dangerous reality. Is this vicious overkill, a well-measured response, an outlier, or the shape of things to come?

CLEARED FOR RELEASE: We thwarted an attempted Hamas cyber offensive against Israeli targets. Following our successful cyber defensive operation, we targeted a building where the Hamas cyber operatives work. HamasCyberHQ.exe has been removed.— Israel Defense Forces (@IDF) 5 May 2019

Sunday, the IDF released the above Tweet after demolishing a building that allegedly housed Hamas' cyber operatives, during a cyber-attack. Kinetic warfare met the digital offensive with a bang.

Why is this important?

This is hybrid warfare, where online offensives and IRL retaliation meet. This is largely the first time it's ever happened, if you put aside the drone attack on an ISIL keyboard cowboy, which may well have been for his other activities for the group rather than specifically for his online prowess. You might also point to the destruction of Ukrainian infrastructure, although that is likely more a direct result of the cyber war campaign than of ground forces.

This Wired article takes a good look at what happened, although it cautions that this incident should be viewed as more specific to the Israeli-Palestinian death game than as a wider indication of digital ether versus bombs-and-bullets battles. I disagree.

The precedent has now been set, and unlike the outlier nuclear bomb, it's out of the box now. This will not be the last time we see this hybrid warfare, and the implications of that are not good. Noted InfoSec researcher Bruce Schneier sees this as an opening to another form of asymmetric warfare.

To put it in terms of the ongoing conflict in Israel, it does appear at first glance to be a massive overkill reaction, especially considering that they claimed to have fended off the cyber-attack already. However, there does seem to be a claim that intelligence agents were operating out of the building as well. Very little has been said officially other than the rather tasteless Tweet. Should there be evidence that Hamas operatives other than hackers were being run out of the building, then perhaps there is a justification for such an extreme measure. As it stands, it just looks like the IDF killed support staff, not active combatants.

And this is the crux of the matter as a whole: yes, hackers are waging a war, albeit on digital grounds. But that is a distinction worth considering: yes, hackers can cause immense amounts of havoc, and can physically destroy or otherwise render infrastructure useless. Yes, they can steal critical information and compromise systems, which can lead to putting people in harm’s way. But can they be classed as active combatants, or are they supporting staff?

I am by no means the one to answer that question. I'm not remotely qualified to pass judgement there. My gut instinct is to class them somewhere between support staff and non-combatant intelligence analysts, which should keep them from front-line action, but again, I'm not informed or qualified enough to decide this in the wider scheme of things. But someone needs to. Pandora's box has been opened once again, and the rules need to be clarified before we end up here again, which we most certainly will.

What's in a Singularity?

Originally posted: Thu, 02 May 2019 13:03:28

Singularities are Black Swan events: you might be able to see it coming, but beyond the event horizon, it's anyone's guess. There's been talk for years about the next one, the one where AGI supposedly emerges, and almost instantaneously becomes ASI. But what if it isn't?

Humans have almost always lived with singularity events; hell, from the point of view of all other life on earth, we are a singularity event. Some of these are obvious, like the control of fire, agriculture, the smelting of various metals, writing, the printing press, and many many more. Others have been smaller, or less obvious types; the automobile, the computer, the emergence of currency, the nuclear bomb. While you might not think these things singularities, there was no possible way to determine the far-reaching effects they would have on us as a species.

Now, the way current talk is going around the next Singularity, you could be forgiven for thinking AGI/ASI will be a conscious entity/entities. I'm of the opinion that this is a little far-fetched, and is actually beside the point for what I'm guessing will take place.

See, while these techno-prophets might be on to something, I reason that all they may have right is the timescale: the next 50 years or sooner. We don't need AGI or ASI for an event; just AI advanced enough, similar to AlphaGo, to eliminate most of the drudgery work we engage in, and for it to be widely applied.

Yes, this will basically put the economies of today into free-fall collapse, and oh no, won't that be horrible (it actually will be for a while, until we can adjust to it). Whatever will we do?

Now, I say this almost mockingly as if it's not going to be a problem. But by my thinking, by the time this happens, we will already have been mired in the economic issues for some time. As a rough number I'm pulling out of a hat (because I wouldn't begin to know where to start in calculating a proper figure (if you can, please let me know, I'd be happy to learn)), by the time automation hits 25%, it's game over anyway. If it hits that, that means 25% of the actual working population (not the working age) will be out of work, and at that point, the automation systems can only improve and start coming for the rest in an exponential fashion.

Not every job can be automated or will be, but what's left will not be accessible to everyone. Enough will be, though, that it will change the face of society. For a while, the small handful of people who are able to keep making money will do so, but that can only carry on until fewer people have money than those who don't, and when we approach that, money will be worthless.

Thus, we hit Singularity. What will happen at this point? Huge swathes of people unable to work as there are no jobs, several hundred years of cash economics suddenly gone.

We could enter an era of untold greatness, following in the mould of the likes of Star Trek. Just as easily, we could devolve into war and set our species back centuries. We could just remain static, limiting machine labour and trap ourselves in cyberpunk hell. The so-called Great Filter could come calling and decide that this is enough.

We've turned Singularity into Utopia. It has become the Dream, the thing that will solve all our problems because technology will save us. But that is only one possibility, and for it to become a real one, we have to work for it. Even then, there are no guarantees.

Singularity is nothing more than unlocking the next level in a game, and the only way to succeed is not to just wait and hope, but plan, prepare and guide. They bring turbulence, these events, in ways we cannot predict. If we could, they wouldn't be Singularities: we can mitigate disaster if we see it coming (having the will to is a different matter), but it's all the rest of it, the unknown unknowns that are the issue.

One thing I am sure of though, is that this is the point of Singularity, not when AI has developed further. This is when it really begins.

When do we get apps for our brains?

Originally posted: Mon, 18 Mar 2019 11:06:00

This is not a post about transhumanism or integrated tech. This is about my horrible time management. And it is horrible.

I've been doing my annual email cleanout and found some dark neglected corners. A couple of years ago, I decided it might be a Good Thing to create some email rules to help keep my Inbox a bit tidier, and infinitely more readable. It turns out that this has worked, at least to make my Inbox workable. Unfortunately, it means that I have neglected some 350+ newsletters I actually enjoy reading.

Because the email rules put them directly into subfolders (and in some cases, subfolders of subfolders (because I like to be organised)), and I primarily use a mobile app, I tend to glance over these in favour of the ridiculous (100+) amounts of mail that still comes through the Inbox.

I am not pleased with myself for this. I am also grateful that my current job does afford me multiple hours of time on a Monday to be able to contend with this backlog. I will be very screwed when I have to get a Proper Job that involves actual gulp Work.

For those of you with an interest, the newsletters I have a backlog in are the following:
• Daniel Miessler's Unsupervised Learning
• Warren Ellis' Orbital Operations
• Atlas Obscura
• Code Project

I have decided that I need an app for my brain which not only reminds me these things are there but can auto-schedule time for me to read them.

How I've managed to get this far with my scatter-brained chrono-control I'll never know...

Becoming Daedalus

Originally posted: Wed, 20 Jun 2018 17:52:00

Today, I want to look at soft skills; more precisely, one soft skill in particular, namely problem solving. Yes, that old chestnut, the one everyone seems to need to put on their CV, from janitorial staff and burger flippers to IT practitioners of all flavours. But why am I writing about it now? Because it’s not a very well understood skill, and it is only half of what a CyberSec pro needs. Confused? I’ll explain.

As I’ve mentioned previously, one way for CyberSec personnel to test themselves and keep their skills sharp, while learning or while actively engaged in a position, is wargames (you can find a good list of them here). Hack boxes, CTFs (Capture the Flag) and so on are a great way to introduce you to thinking about the issue faced and the problems that need solving in context. They help build your problem-solving skills by presenting you with common, and not so common, challenges, which you must overcome with your wits and technical know-how. Problem solving as we know it is a largely regimented process, usually an exercise in remembering a trick you learned way back when. At its best, problem solving is a melding of the creative and the scientific: an unusual solution arrived at through logical means.

But a lot of this can be either remembering a known solution, or hours spent jerry-rigging something together until you can fix it properly. It’s as if problem solving is only half the skill. And that’s because it is. Because we forgot Daedalus. Daedalus, for those of you who don’t know, was a craftsman and inventor of ancient myth, a puzzle-maker who created the Labyrinth. We have forgotten that we need to learn how to build puzzles and problem scenarios, so we can know better how to solve them. If I were to give you a map of a room, at the centre of which was a box, and marked the locations of the doors, lights, cameras, alarms etc, it would be reasonably easy to plot your infiltration route (or routes, if you pay particular attention), path to the box, and exfiltration route. But if I were to give you the box and tell you that you needed to build the room to protect it, would it be so simple? Could you build a room that avoided the problems of the room I gave you to break into?

This is increasingly an important skill to develop, with easy-to-use tools, readily available, that are designed to trick and mislead investigators into believing one thing, whilst being another. If nothing else, the Vault 7 leaks of last year showed us that these tools have been in use for some time now. As Cyber Security practitioners, we must have the mindset to see these things, but also to design systems that are labyrinthine to malicious actors: make puzzles of our own systems so that they cannot be easily cracked, and so that we can find the intruders in return. We have made shifts in this direction, with honeypots and canary tokens, but as always, more can be done.

What I’m driving at here is that everyone wants to be the ace hacker, or CyberSec Architect extraordinaire, but do they really know their skill set? It’s fine learning coding and networking by rote, and Googling for the fix to that problem is all good and well, but are you actively keeping your problem-solving skills sharp by testing yourself from the other side? If you aren’t sure, give it a try. An increasing number of CTF and wargame sites are allowing and requesting new challenges, so why not give it a go?