BastardAcademic

Agnostic Atheist Secular Liberal Humanist. InfoSec bod. Likes cheese, pate, cigars, and good booze. And knows a few things about stuff. Kind of.

The Changing of the blog

FB Page post from 25/05/2021


I know the blog hasn't really been much of a blog for the past two years - between lack of time, and life, I've just not been able to do what I really want with it.

In the past few days, I've come across 2 things that have re-inspired me to get back into this, but to do it in a very different way, so that's what I'll do.

The first thing that gave me inspiration was this piece by the internet's own Cory Doctorow, who described how his method of blogging draws inspiration from a beloved piece of computing history, a machine that no-one ever used due to its outrageous expense:

The Memex: https://doctorow.medium.com/the-memex-method-238c71f2fb46

Secondly was this video, about one of the longest-known funny images on the internet. This was surprising in so many ways: https://youtu.be/yDzAAjzbV5g

So I think I'll try doing it Doctorow and Adachi-style for now: shorter pieces to act more as an extension to my cluttered mental corkboard - after I draft someone in to help with a redesign. I might be able to write legible things, but I don't have a designer's bone in my body, as you may have guessed.

Jan 2022 note:

This is part of the changes I was talking about in my "Fresh Start" post. This format is flexible enough to allow for a longer exploration of a topic, as well as more of a short-form note-type post.

2021 Tools

As we're in a New Year, I thought I'd share some of the tools I found and explored in 2021 that really made a difference:

Chocolatey - a package manager for Windows. While MS is still doddering about trying to get "Winget" to work, Chocolatey have been at this for a few years now, and both the shell and GUI versions make finding, installing, and updating software exceptionally easy. They are also constantly adding new packages as well, making this a no-brainer choice for any IT Pro or tinkerer.

Workona - Now I'm aware I've mentioned this before, but in this past year it has been almost invaluable. Yes, I'm still paranoid enough to keep all the tabs bookmarked as well, but to be able to have multiple workspace browsers is a godsend of unimaginable proportions. I'd be lost without it at this point. Yes, you only get 5 workspaces on the free version, but that's been plenty.

https://vovsoft.com/software/compare-two-lists/ - a fun little gadget that, for anyone who writes anything from prose to code, can make your life infinitely easier if you have multiple versions of a document.

https://standardnotes.com/ - again, one I may have mentioned previously, but one I've continued to explore. I'll be making some changes to the website soon, and will be using this tool to publish with. It's clean and slick, and as we all know, I have the design instincts of a club-fisted, duck-billed platypus. The tag system makes organisation a breeze, and the functionality increases from there. This is a paid product beyond the free notepad - but I've only been using free and would still recommend it.

https://github.com/conwnet/github1s - another I have mentioned, but whose value has just increased exponentially this year. If you use GitHub a lot, this will be of use to you.

Socially-Acceptable Things that Future Generations Will See as Backwards

Originally posted: Sat, 07 Nov 2020 14:15:58

This is pretty much just a list, as things come to me. For me, questioning things that are socially acceptable started a few years ago when the vegan phenomenon really kicked off. I am not a vegan myself, but I do have serious concerns as to how we treat pets and livestock - bring on cultured meats say I!

A few years later, and I start seeing more and more posts trying to work out what future generations would find abhorrent about ours, as well as some of the things that the likes of Gen Z currently see as backwards, but still exist.

So, I decided to start keeping track of things that, in one way or another, we either shouldn't still be doing, or the things that future generations will ultimately condemn us for.

• Cruel treatment of other animals
• Consumerism
• Worth by wealth
• Economics of scarcity
• Pseudoscience
• Reckless exploitation of natural resources
• Coddling religion and tradition over the real needs of people
• Privatised Profits and Socialised Risk
• Nationalism/Exceptionalism/Nation-state insularity

Do you have anything to add to the list?

Universal Social Absolutes

Originally posted: Sat, 07 Nov 2020 13:51:09

For a truly progressive society that works for everyone, one that also envisages some of the upcoming problems faced by humanity, four basic principles should be enacted and held as the absolute minimum that can be done for the benefit of all. None of these things are new, and most are implemented to greater or lesser degrees in most democratic countries. That the following are available is proof that the task is not a logistical one, but one of philosophy and politics.

The aim, of course, is to enable as much of a level playing field for people of all backgrounds as much as is possible. Equality of opportunity is the goal, not outcome.

Equality of outcome is not the ideal that should be sought, as it is impossible and ignores science and scientific findings. This is a pernicious ideal, one that is harmful, unachievable, and undesired. It is corruption disguised as kindness.

Equality of opportunity, having everyone start on as even a keel as possible (within the limits of what the state can and should achieve), is something that can and should be implemented. Yes, it is impossible to take account of all the possible variables that affect a person's ability, but not all of those are within the power of the state to adjust. Removing the bigger barriers, like cost, is possible.

Universal Social Absolutes are the achievable expressions of the core ideals of a society, indeed of civilisation. They are the basis for growth - moral, personal, and economic - and stability. They are also pragmatic - welfare and healthcare may be something you are privileged not to have to think about now, but the future is not yet revealed, and it never hurts to have a safety net.

I appreciate that this list might not be fully exhaustive to some tastes - and to other ideologues it might go too far. However, a healthy, educated, engaged, and supported population can only be a positive, therefore these are my 4 Universal Social Absolutes:

Universal Healthcare - properly funded, administered with care not cash, measured using meaningful metrics - designed without profit consideration.

Universal Suffrage - anything less is indefensible. If you are of age to pay tax, be legally accountable, or be drafted for military service, you should be accorded the right to vote. It should only be restricted as part of a punitive measure taken against convicted criminals.

Universal Welfare - most likely in the form of a UBI or state dividend. The ultimate safety measure against the unforeseen. This is not a fix-all solution but makes for a far more equitable welfare system than the current systems - and builds in some amount of future resilience.

Universal Education - this involves formal and vocational education, up to (and inclusive of) Undergraduate Degree (or equivalent). Not restricted by age. As I'm often fond of quoting, "You are not entitled to your opinion. You are entitled to your informed opinion. No one is entitled to be ignorant." (Harlan Ellison)

What do you think?

Falling Struts: Examining Equifax’s Breach

Originally posted: Tue, 11 Feb 2020 14:54:55

N.B. This was a paper I wrote for my degree course, giving my view of the disaster that was Equifax. I've just read that the US DoJ has decided to pin the attack directly on China and is levelling charges against Chinese citizens for the breach. I also haven't clarified what Equifax have done to remedy their many, many issues: this is because as far as I can tell, they've done very little.

Abstract— In the Spring of 2017, Equifax suffered multiple breaches of security, which led to a 76-day access period to, and possible theft of, nearly 150m records of PII belonging to people in 3 different countries. This paper looks at how the breaches happened, and what could have been done to prevent them.

I. Introduction

To understand fully the breach and its ramifications, this paper will examine 4 major aspects of this incident: 1) the company, Equifax; 2) the technical nature of the breach and possible data theft; 3) how it could have been prevented; and 4) finally, the consequences of the breach and why they matter in the broader picture of security.

This analysis will consider how both technical competency and controls, and human competence (or lack thereof), played a role in both the breach and the handling of the fallout, thus highlighting the need for organisations to take a more security-focused posture to prevent further occurrences of data breaches and loss of reputation.

Despite not being the biggest breach of 2017 (Yahoo! takes that title, with 3 billion accounts compromised), this attack does have several notable features, including the speed of attack (the initial breach took place within 24 hours of the exploit being released); the length of the attack (76 days of unadulterated access); and the lengthy response time of Equifax (146 days from release to patch being applied). These factors, as well as some legally questionable actions from the management team, leave Equifax a study in InfoSec gone wrong for years to come.

II. Equifax

A. Who are Equifax?

Equifax are a US-based Consumer Reporting Agency (CRA), although they operate across the globe [1]. While Equifax also employ data analytics for consumer, government and business markets [2], the relevant capacity for this incident is the CRA. A CRA is a credit agency, meaning that as a company, they hold large amounts of Personally Identifiable Information (PII) on millions of people, for the purpose of identifying, monitoring and improving their credit ratings. These credit ratings are then sold on to, and used by, many other companies to determine the financial viability of prospective customers.

B. Why is this important?

It is important to note that this breach took place in the USA, and that PII for consumers in the UK was also affected by this breach and theft. The first is important as the US, and Equifax, were judged to “ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data” [3], under the Data Protection Act (1998)¹. The relevance of the second is to do with compliance and prosecution under UK law, the aforementioned DPA (1998). From a security perspective, good security practices should have been in place, and procedures followed, as the data being stored and processed here needed to be kept Confidential, and its Integrity was crucial. While it can be argued that the third leg of the CIA triad (see Figure 1), Availability, was also important to their operations, with either of the first 2 compromised, Availability was negligible.

Fig. 1 CIA Triad [4]

III. Incident Overview

A. Brief Breach Timeline

As alluded to in the Abstract, there were 2 breach incidents, despite only one being the focus in subsequent investigations. The first breach appears to have been a trial run, although this attack is disputed by Equifax. According to 2 sources [2, p. 8] [5], Equifax was initially breached on 10th March 2017, using an exploit [6] created only days before. This Remote Code Execution (RCE) was created to exploit a vulnerability within the Apache Struts web application framework [7] [8]. Said vulnerability is one that had been known about, and had a patch released to remedy it, since 6th March 2017.

At this stage of compromise, it does not appear that the hackers took any further action until 13th May 2017. From this date until 30th July 2017 (76 days), the hackers gained access through Equifax’s Automated Consumer Interview System (ACIS) and performed thousands of queries on multiple sensitive databases throughout Equifax’s digital estate. The breach and unauthorized accesses went unnoticed until 29th July; the vulnerability was patched a day later. It would further take until 7th September for the public to be notified of this incident [2, p. 9-11] [9].

¹ GDPR was not applicable in this case, as the legislation did not pass into active legal status until 2018.

B. Other Notable Actions

• After the announcement of the Common Vulnerabilities and Exposures (CVE) entry relevant to Apache Struts (CVE-2017-5638), Equifax’s internal InfoSec team released a notification that all systems relying on it should be patched, as per their 48-hour policy. This was forgotten by a member of the team, and not picked up on by other staff [13].
• After their first breach, Equifax did run a vulnerability scan, which found nothing (not even the unpatched vulnerability) [10].
• Security company Mandiant were brought in to investigate the breach internally, and the FBI were notified [2, p. 10].
• In the immediate aftermath, Equifax set up a website to help those possibly affected, but on their Twitter account repeatedly linked to a phoney website [12].
• Up to 145 million Americans, 19,000 Canadians [14], and 15 million Britons [15] were affected by the breach.

IV. Breach Detail

Despite the flaws in the model, namely that the first two links are difficult-to-impossible either to protect against, or to model accurately post-incident without a confession, Lockheed Martin’s Cyber Kill Chain® [16] does lend itself well as an analytical tool with which to dissect an attack.

Fig. 2 Lockheed Martin’s Cyber Kill Chain® [17]

In this case, the second phase, Weaponisation, can be understood by looking at the vulnerability and known exploits. However, any analysis of the preparation phase, Reconnaissance, will consist largely of speculation synthesised from other attacks allegedly committed by the alleged cyber-criminals responsible.

A. Alleged Hackers Responsible

Despite 2 years since the attack and exfiltration, no individual hacker, nor criminal organisation, hacktivist collective, known APT (Advanced Persistent Threat), nor nation-state have claimed responsibility for the Equifax breach.

Attribution is a common problem with any cyber-attack, particularly as any indicators can be faked or obscured. In this case, while no official body has pointed fingers directly at anyone, Bloomberg have suggested China as a likely culprit, citing similarities with other attacks of a like nature [18]. While there does seem to be at least some motivational justification for this, no further information suggesting this claim is correct (or incorrect) has been made available. Motive will be discussed later in this paper.

B. Reconnaissance

Without complete attribution, it is difficult to understand how the hackers came to target Equifax in particular. Two possibilities exist:

1) The attackers had already decided on Equifax as a target, either for their own purposes, or as part of an agreement with an external party;
Or
2) Using random IP enumeration, the hackers found Equifax vulnerable and decided to launch their attack based on the first “hit” they had.
Whichever of these options describes the motive of the bad actors, the tool used was likely to have been the vuln struts2 package [19], part of the popular exploit framework, Metasploit [20].

C. Weaponisation, Delivery, & Exploitation

This module breaks down into two parts: Reconnaissance and Attack. The reconnaissance aspect allows for a user to enter an IP address and port number, which will then be checked for the vulnerability.

The second part of the strutscodeexec_jakarta exploit module takes advantage of the flaw in the exception handling of the Content-Type value. The invalid value data that should be displayed in the error message is instead parsed and evaluated by the Object Graph Navigation Library (OGNL) [19, comment: tseller-r7] [21].

Using a properly crafted payload, OGNL’s blacklisted class method functionality can be completely bypassed, allowing an attacker to execute code to reach a system shell, and then further compromise the system. This is achieved by clearing out the exclusion list, leaving nothing to be compared against, rendering the blacklist neutered [22].

Using a specially designed Content-Type HTTP header with a specific string (in this case ‘#cmd=’, to launch command shells), it would have been easy for the hackers to take control of the server [23].

It follows that it is likely the attackers didn’t create or weaponise this exploit themselves, but used the freely available one in Metasploit. Although Equifax contest this, it is not unreasonable to propose that this part of the infiltration, the breach itself, took place on 10th March, 2 months before the attackers began their objectives run. While it may seem unlikely attackers would breach a target this early, getting a foothold inside the system allows for a certain amount of control and foresight – had Equifax realised they had been breached and patched, the criminals could have reacted better rather than having to start the process from the beginning and find another entry point.

Even if this was not the case, the hackers had still managed a successful dry run that provided proof of concept for later attempts, either on Equifax’s systems, or another, similarly security-lax network.

Content-Type: ${(#_='multipart/form data').(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear
Content-Length: 0

Fig. 3 Sample exploit payload request, with blacklist clearing in bold [22]
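The mechanism described above, an OGNL expression smuggled into a header that should only ever carry a media type, is easy to screen for on the defending side, because a legitimate Content-Type value has a very small grammar and none of the expression markers. The following Python is an added example (not code from the paper or from any of its references): it checks a raw Content-Type value against the media-type grammar of RFC 7231, flags the OGNL markers seen in Fig. 3, and runs that check over a few constructed access-log lines. The log format (`ip "request" status ct="..."`) and the addresses are assumptions made for the example.

```python
import re

# Strict allow-list for a media-type value per RFC 7231 section 3.1.1.1:
#   type "/" subtype *( OWS ";" OWS parameter )
# Token characters follow RFC 7230 tchar. Braces, parentheses and bare
# whitespace inside a token are not tchar, so an OGNL expression such as
# "${(#_=...)}" fails the grammar even before the marker check runs.
_TCHAR = r"[A-Za-z0-9!#$%&'*+\-.^_`|~]"
_TOKEN = _TCHAR + r"+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PARAM = rf"{_TOKEN}=(?:{_TOKEN}|{_QUOTED})"
MEDIA_TYPE_RE = re.compile(rf"^{_TOKEN}/{_TOKEN}(?:\s*;\s*{_PARAM})*\s*$")

# Expression markers from the Fig. 3 payload and the OGNL syntax. None of
# these ever appear in a well-formed Content-Type, so a hit is a strong signal.
OGNL_MARKERS = ("${", "%{", "#_", "#context", "@com.opensymphony",
                "ognlUtil", "getExcluded")

# Assumed access-log layout for this example: one request per line.
LOG_RE = re.compile(r'^(\S+) "([^"]*)" (\d{3}) ct="(.*)"$')


def classify_content_type(value: str):
    """Return (suspicious, reason) for a raw Content-Type header value."""
    for marker in OGNL_MARKERS:
        if marker in value:
            return True, f"OGNL marker {marker!r}"
    if not MEDIA_TYPE_RE.match(value):
        return True, "not a valid media-type"
    return False, "ok"


def scan_log(lines):
    """Return (line_number, client_ip, reason) for each flagged request."""
    flagged = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # not in the expected layout; a real pipeline would count these
        ip, _request, _status, content_type = match.groups()
        suspicious, reason = classify_content_type(content_type)
        if suspicious:
            flagged.append((number, ip, reason))
    return flagged


# Constructed sample log: two ordinary uploads, two requests carrying OGNL
# in the Content-Type header (shapes taken from Fig. 3), and a plain-text POST.
SAMPLE_LOG = """\
203.0.113.5 "POST /acis/dispute" 200 ct="multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"
203.0.113.5 "GET /acis/search?name=smith" 200 ct="application/x-www-form-urlencoded"
198.51.100.9 "POST /acis/dispute" 200 ct="${(#_='multipart/form data').(#container=#context['com.opensymphony.xwork2.ActionContext.container'])}"
198.51.100.9 "POST /acis/dispute" 200 ct="%{(#_='multipart/form-data')}"
192.0.2.77 "POST /acis/upload" 200 ct="text/plain; charset=utf-8"
"""

if __name__ == "__main__":
    for number, ip, reason in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {number}: {ip} -> {reason}")
```

The same `classify_content_type` check can sit in front of the application as a request filter, since rejecting anything that is not a syntactically valid media type removes the whole class of payload rather than a particular string, and the marker list only serves to give the analyst a readable reason.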

D. Installation & C2

During this phase of an attack, the bad actors usually install some form of malware, like a Trojan or RAT, to establish a persistent connection. The Chinese connection has been made due to the use of malware known as China Chopper, a web shell designed for persistent control of web servers, which also has several C2 features such as code obfuscation [26].

It has also become apparent that the attackers may not have had to go to such lengths to accomplish persistence.

As revealed during a class-action lawsuit against Equifax, a portal for credit disputes that stored PII was protected solely by the username/password combination “admin/admin” [24].

E. Actions on Objectives

Whether or not persistence had been maintained from the March attempt, the cyber-criminals had complete access to several databases containing over 160 million people’s records. Over 9,000 queries have been acknowledged by Equifax to have been made [1, p.9].

It is either unknown or unreported how much data, if any, was exfiltrated from the databases, but with that many searches being made, it would be naïve to ignore the possibility. What is known is that none of the data has shown up for sale on any sites, on the indexed web or the dark web.

V. Motivation

As mentioned earlier, there is no known definitive proof to reveal a culprit. However, some speculation can be made based on the events and using logic extrapolated from this information.

Current thinking contends that this was the work of a nation-state, like China, to accomplish one (or more) of several aims, including:
1) Use of financial data to identify current US intelligence workers [25];
2) To identify possible double agents through blackmail or extortion;
3) Aiding economic warfare through using the data to model consumer trends;
4) Theft of Equifax Intellectual Property;
5) Build a “data lake” to track government and intelligence workers.

Other options could include competitor action, either industrial espionage or sabotage, that went too far. It is also possible that it was a script kiddie who got in over their heads.

VI. Equifax Failures

While malicious actors are the only ones to blame for committing criminal acts, Equifax must also be held to account for their many failures and blunders in this breach.

A. Halting the Breach

It should be noted that this breach could have been halted at any time, and should never have happened (at least in this manner) at all.
The patch for vulnerability CVE-2017-5638 had been released several days before the March breach. This had even been noted by Equifax’s InfoSec team, who had sent instructions that this patch be applied, as per company policy, within 48 hours. This was missed by one employee, and wasn’t carried out. Mistakes happen all the time, however this should have been caught by other team members, management, and even the InfoSec team themselves, but it was missed.

When a vulnerability scan was conducted days after the March incident, the vulnerability was not even seen, implying that the technique used was old, or the signatures used were out-of-date. Again, at this point the missed patch should have been caught, as it should have been noticed as missing from the scan.
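A scan that relies on filenames or stale signatures will miss a Struts library that has been renamed or bundled into another archive, which is one plausible reading of a scan that "found nothing". The following Python is an added example, not code from the paper or from Equifax, of a check that reads the Maven `pom.properties` record that `struts2-core` carries inside the archive and compares the version against the affected ranges for CVE-2017-5638 (2.3.5 to 2.3.31 and 2.5 to 2.5.10 inclusive, as listed in reference [6] and the Apache S2-045 advisory; fixed in 2.3.32 and 2.5.10.1). The sample archives, their names and their contents are constructed by the example itself.

```python
import os
import tempfile
import zipfile

# Affected version ranges for CVE-2017-5638 (Apache S2-045), both inclusive.
VULNERABLE_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]

# Maven writes this file into every struts2-core jar; it survives renaming
# and bundling, which a filename-based scan does not cope with.
POM_PROPS = "META-INF/maven/org.apache.struts/struts2-core/pom.properties"


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare correctly element-wise."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(version):
    v = parse_version(version)
    return any(low <= v <= high for low, high in VULNERABLE_RANGES)


def struts_version_in_jar(path):
    """Return the struts2-core version recorded inside the archive, or None."""
    with zipfile.ZipFile(path) as archive:
        if POM_PROPS not in archive.namelist():
            return None
        for line in archive.read(POM_PROPS).decode("utf-8").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def scan_jars(directory):
    """Return (archive name, struts version, vulnerable?) for each Struts archive."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith((".jar", ".war")):
            continue
        version = struts_version_in_jar(os.path.join(directory, name))
        if version is not None:
            findings.append((name, version, is_vulnerable(version)))
    return findings


def vulnerable_names(findings):
    return [name for name, _version, flagged in findings if flagged]


def build_sample_jars(directory):
    """Write constructed archives that stand in for a deployed lib/ folder."""
    samples = {
        "struts2-core-2.3.30.jar": "2.3.30",     # vulnerable, obvious name
        "vendor-webapp-bundle.jar": "2.5.10",    # vulnerable, name gives no hint
        "struts2-core-2.5.10.1.jar": "2.5.10.1", # first patched 2.5 release
        "commons-lang3-3.5.jar": None,           # unrelated library, no Struts record
    }
    for name, version in samples.items():
        with zipfile.ZipFile(os.path.join(directory, name), "w") as archive:
            archive.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if version is not None:
                archive.writestr(
                    POM_PROPS,
                    f"groupId=org.apache.struts\nartifactId=struts2-core\nversion={version}\n",
                )
    return directory


def run_demo():
    """Build the constructed lib/ folder in a temp dir and scan it."""
    directory = build_sample_jars(tempfile.mkdtemp())
    return scan_jars(directory)


if __name__ == "__main__":
    for name, version, flagged in run_demo():
        print(f"{name}: struts2-core {version} -> {'VULNERABLE' if flagged else 'ok'}")
```

The point of reading the archive rather than its name is the second sample: a bundle with no "struts" in its filename is still caught, while the patched 2.5.10.1 build is correctly left alone because the version tuple `(2, 5, 10, 1)` sorts above `(2, 5, 10)`. A production inventory would also need to look inside `.war` and `.ear` files for nested jars, which this example leaves out.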

B. During Breach

For 76 days, no alarms were tripped, no suspicious activity was logged, while millions of records were compromised. This implies a serious lack of access controls on user accounts and databases, as well as no monitoring on systems containing sensitive information.
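Monitoring of the kind the paragraph above finds missing does not have to be sophisticated to catch "thousands of queries" from one application account. The following Python is an added example, not part of the paper and not a description of Equifax's systems: it learns, per account, the busiest hour and the set of databases seen in a training period, then raises an alert for any later hour whose query count exceeds a multiple of that baseline, and for any database the account has never touched before. The audit-log line format (`timestamp account=... db=... rows=...`), the account and database names, and the threshold factor are all assumptions made for the example, and the log itself is constructed in the code.

```python
import re
from collections import defaultdict

# Assumed audit-log layout: one database query per line.
AUDIT_RE = re.compile(r"^(\S+) account=(\S+) db=(\S+) rows=(\d+)$")


def hour_bucket(timestamp):
    """'2017-05-13T02:15:00Z' -> '2017-05-13T02' (one bucket per account-hour)."""
    return timestamp[:13]


def detect(lines, cutoff, factor=5, floor=10):
    """Return alerts as tuples. Lines before `cutoff` (ISO date prefix) are the
    baseline; lines at or after it are checked against that baseline."""
    counts = defaultdict(int)          # (account, bucket) -> queries
    training_dbs = defaultdict(set)    # account -> databases seen in baseline
    for line in lines:
        match = AUDIT_RE.match(line.strip())
        if not match:
            continue
        timestamp, account, db, _rows = match.groups()
        bucket = hour_bucket(timestamp)
        counts[(account, bucket)] += 1
        if bucket < cutoff:
            training_dbs[account].add(db)

    # Busiest baseline hour per account; the alert threshold is a multiple of it,
    # with a floor so an account with almost no history still gets a sane limit.
    baseline_max = defaultdict(int)
    for (account, bucket), n in counts.items():
        if bucket < cutoff:
            baseline_max[account] = max(baseline_max[account], n)

    alerts, reported = [], set()
    for line in lines:
        match = AUDIT_RE.match(line.strip())
        if not match:
            continue
        timestamp, account, db, _rows = match.groups()
        bucket = hour_bucket(timestamp)
        if bucket < cutoff:
            continue
        threshold = max(factor * baseline_max[account], floor)
        volume_key = ("volume", account, bucket)
        if counts[(account, bucket)] > threshold and volume_key not in reported:
            reported.add(volume_key)
            alerts.append(("volume", account, bucket, counts[(account, bucket)]))
        db_key = ("new_db", account, bucket, db)
        if db not in training_dbs[account] and db_key not in reported:
            reported.add(db_key)
            alerts.append(("new_db", account, bucket, db))
    return alerts


def build_sample_log():
    """Constructed audit log: three quiet baseline days, one quiet hour on the
    13th, then a 40-query hour mostly against a database never seen before."""
    lines = []
    for day in (10, 11, 12):
        for hour in (9, 13, 17):
            for i in range(3):
                lines.append(f"2017-05-{day}T{hour:02d}:{i * 10:02d}:00Z account=web_acis db=disputes rows=1")
    for i in range(3):
        lines.append(f"2017-05-13T01:{i * 10:02d}:00Z account=web_acis db=disputes rows=1")
    for i in range(40):
        db = "consumer_credit" if i % 4 else "disputes"
        lines.append(f"2017-05-13T02:{i:02d}:00Z account=web_acis db={db} rows=250")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log(), cutoff="2017-05-13"):
        print(alert)
```

Two lines of output for the constructed log: the 40-query hour (baseline was 3 per hour, threshold 15) and the first touch of `consumer_credit` by an account that had only ever queried `disputes`. Either alone would have been worth a ticket on day one of a 76-day window.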

Other measures that could have been applied here are canary tokens or honeypots [27] [28].

C. Post Breach

To give information to the public after the breach was announced, Equifax set up a website, equifaxsecurity2017.com. On its Twitter account, the company relayed the address as securityequifax2017 no fewer than 8 times [12].

During a class action lawsuit against Equifax, it was revealed that the company were also storing unencrypted PII on a public-facing server, which also contained the encryption keys for those data that were encrypted [24].

Conclusions

Data breaches and cyber-attacks have rapidly become a fact of existence for organisations and individuals alike in the 21st Century. Increasing legislation and regulations are being drawn up to ensure that the security of the CIA triad is embedded within the ethos of a company.

Equifax’s many failings, technical, procedural, and human, contributed to making what should have been a one-off, lucky knock on the digital door, into one of the most expensive, most publicised and publicly humiliating incidents the world had seen up to 2017.

However, the only real damage done to the firm was in the eyes of those who launched the class-action suit, and the professional security community. Somehow, despite 3 of the C-Suite retiring (with generous golden handshakes), the company still maintained governmental contracts and carried on business, almost as normal.

If there are lessons to be learned here, then they are to constantly review your security, follow a recognised framework, and it is cheaper to secure than to pay out $700+ million in damages.

References

[1] U.S. House of Representatives Committee on Oversight and Government Reform, "The Equifax Data Breach", Committee on Oversight and Government Reform, Washington, D.C., 2018.
[2] "Company Profile | About Us | Equifax UK", Equifax.co.uk, 2019. [Online]. Available: https://www.equifax.co.uk/about-equifax/company-profile/en_gb. [Accessed: 28-Nov-2019].
[3] Data Protection Act 1998, HM Government, 1998.
[4] The Informed Future Team, CIA Triad. 2019.
[5] M. Riley, A. Sharpe and J. Robertson, "Equifax Suffered a Hack Almost Five Months Earlier Than the Date It Disclosed", Bloomberg.com, 2017. [Online]. Available: https://www.bloomberg.com/news/articles/2017-09-18/equifax-is-said-to-suffer-a-hack-earlier-than-the-date-disclosed. [Accessed: 28-Nov-2019].
[6] V. Woo, "Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - Remote Code Execution", Exploit Database, 2017. [Online]. Available: https://www.exploit-db.com/exploits/41570. [Accessed: 28-Nov-2019].
[7] "CVE - CVE-2017-5638", Cve.mitre.org, 2017. [Online]. Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638. [Accessed: 28-Nov-2019].
[8] "Welcome to the Apache Struts project", Struts.apache.org, 2018. [Online]. Available: https://struts.apache.org/. [Accessed: 28-Nov-2019].
[9] "Equifax Breach Timeline — GracefulSecurity", Gracefulsecurity.com, 2017. [Online]. Available: https://www.gracefulsecurity.com/equifax-breach-timeline/. [Accessed: 28-Nov-2019].
[10] R. Chirgwin, "Equifax couldn't find or patch vulnerable Struts implementations", Theregister.co.uk, 2017. [Online]. Available: https://www.theregister.co.uk/2017/10/02/equifax_ceo_richard_smith_congressional_testimony/. [Accessed: 28-Nov-2019].
[11] I. Thompson, "Equifax execs sold shares before mega-hack reveal. All above board – Equifax probe", Theregister.co.uk, 2017. [Online]. Available: https://www.theregister.co.uk/2017/11/03/equifax_share_trade_investigation/. [Accessed: 28-Nov-2019].
[12] E. Kovacs, "Equifax Sent Breach Victims to Fake Website | SecurityWeek.Com", Securityweek.com, 2017. [Online]. Available: https://www.securityweek.com/equifax-sent-breach-victims-fake-website. [Accessed: 28-Nov-2019].
[13] A. Glenn, "Equifax: Anatomy of a Security Breach", BBA (Hons), Georgia Southern University, 2018.
[14] The Canadian Press, "Equifax doubles number of Canadians hit by breach, now more than 19,000 | CBC News", CBC, 2017. [Online]. Available: https://www.cbc.ca/news/business/equifax-canadians-affected-update-1.4424066. [Accessed: 29-Nov-2019].
[15] C. Williams, "Oi, you. Equifax. Cough up half a million quid for fumbling 15 million Brits' personal info to hackers", Theregister.co.uk, 2018. [Online]. Available: https://www.theregister.co.uk/2018/09/20/equifax_ico_fine/. [Accessed: 29-Nov-2019].
[16] "Gaining the Advantage", Lockheedmartin.com, 2015. [Online]. Available: https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Gaining_the_Advantage_Cyber_Kill_Chain.pdf. [Accessed: 29-Nov-2019].
[17] Lockheed Martin, Cyber Kill Chain. 2015.
[18] M. Riley, J. Robertson and A. Sharpe, "The Equifax Hack Has the Hallmarks of State-Sponsored Pros", Bloomberg.com, 2017. [Online]. Available: https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros. [Accessed: 29-Nov-2019].
[19] "CVE-2017-5638 - Apache Struts2 S2-045 · Issue #8064 · rapid7/metasploit-framework", GitHub, 2017. [Online]. Available: https://github.com/rapid7/metasploit-framework/issues/8064. [Accessed: 29-Nov-2019].
[20] Metasploit. Rapid7, 2017.
[21] Apache.org, "OGNL - Apache Commons OGNL - Object Graph Navigation Library", Commons.apache.org, 2013. [Online]. Available: https://commons.apache.org/proper/commons-ognl/. [Accessed: 29-Nov-2019].
[22] E. Rafaloff, "GDS - Blog - An Analysis of CVE-2017-5638", Blog.gdssecurity.com, 2017. [Online]. Available: https://blog.gdssecurity.com/labs/2017/3/27/an-analysis-of-cve-2017-5638.html. [Accessed: 29-Nov-2019].
[23] G. Duan, "Equifax Data Breach Analysis: Container Security Implications - NeuVector", NeuVector, 2017. [Online]. Available: https://neuvector.com/container-security/equifax-data-breach-analysis/. [Accessed: 29-Nov-2019].
[24] K. O'Flaherty, "Equifax Lawsuit: ‘Admin’ As Password At Time Of 2017 Breach", Forbes.com, 2019. [Online]. Available: https://www.forbes.com/sites/kateoflahertyuk/2019/10/20/equifax-lawsuit-reveals-terrible-security-practices-at-time-of-2017-breach/. [Accessed: 29-Nov-2019].
[25] K. Fazzini, "The great Equifax mystery: 17 months later, the stolen data has never been found, and experts are starting to suspect a spy scheme", CNBC, 2019. [Online]. Available: https://www.cnbc.com/2019/02/13/equifax-mystery-where-is-the-data.html. [Accessed: 29-Nov-2019].
[26] "Web Shells: China Chopper", Canadian Centre for Cyber Security, 2018. [Online]. Available: https://cyber.gc.ca/en/guidance/web-shells-china-chopper. [Accessed: 29-Nov-2019].
[27] "Canarytokens.org - Quick, Free, Detection for the Masses", Blog.thinkst.com, 2017. [Online]. Available: https://blog.thinkst.com/p/canarytokensorg-quick-free-detection.html. [Accessed: 29-Nov-2019].
[28] "What is a honeypot? How it can lure cyberattackers", Us.norton.com, 2017. [Online]. Available: https://us.norton.com/internetsecurity-iot-what-is-a-honeypot.html. [Accessed: 29-Nov-2019].

Back to the Grind

Originally posted: Mon, 26 Aug 2019 09:33:18

It's been a busy few weeks here, as I'm back on the job hunt. You'd think searching and applying for new positions would be easy - but there are some rather annoying pitfalls. Here's my short overview, in which we discover that geography should become a compulsory short course for recruiters (particularly if they live within the M25).

Getting set up

The easy bit - open your browser, find your job boards, create your accounts, upload your CV. After this, it's just a case of setting your search parameters and trawling through the results.

Now, you may not be 100% confident in your CV - and that's fine, most people aren't. Most online job boards offer a CV checking service for free. Use them all. Don't just do one, do all of them you can. You will find plenty of contradictory advice, but you should be able to compare notes and work out some good advice to fix the CV up a bit.

It's also worth pointing out that, depending on your industry, keeping your LinkedIn profile up to date (or even building one in the first place) is a good idea. Put the link on your CV, too. Recruiters and potential employers will be looking for an online presence of some kind, so it's probably best to keep at least one social profile for professional purposes. You can give them your Facebook and Twitter links if you want, but you don't really want to be judged by photos of that time you went to Magaluf with the gang now, do you?

N.B. on Twitter, you may have multiple handles, so if there is one you keep strictly for work-related things, it might be advisable to put this on your CV.

GitHub/Lab profile links can be highly beneficial to add, as it shows off your capabilities, interests, and projects to companies and recruiters before you even meet them, giving them a good idea about you and your work. Particularly for developers, this can be a boon, as it takes half the pressure off during interviews.

Daily Hunting

With your CV sorted, and your accounts created, let's have a little gander at the actual searching.

The first thing is to try and be as specific as you can - this isn't always possible, as job titles can have wide variations on a theme. But you can mitigate this by making sure you fill out the search criteria as completely as possible. This usually includes Salary (min and max; min is necessary to get the best results), Location (postcode is usually best, but town/city can work), Distance (how far you are willing to travel), and Industry (the field you work in).

The main trouble you might have (if you don't live, eat, and breathe London that is), is with the Location and Distance - the results are... interesting. I can tell you stories of results being returned telling me that I'm a perfect match for this job that's just down the road - only to find that their version of "down the road" actually translates to "200 miles away as the crow flies". Job sites and recruiters take a rather liberal interpretation of these two parameters, so be wary and read the job ad thoroughly.

You will also find yourself confronted with a filter on how to organise your results. I highly recommend sorting them by date (most recent). Job ads tend to linger a while after the position has been filled, and there are some that are blatantly fake and exist purely for CV harvesting purposes. If you sort by this method, you get to see if an older job has been re-posted and is likely to not be real.

Searching Miscellany

If you are looking to break into a new field, or area, and you think you might lack qualification or experience, don't worry. Put down on your CV what you are doing about this interest, even if it's a few free courses online - anything that shows you are being serious about it, not just after a pay rise.

While it is important to have references at the ready, you do not have to put them on your CV. This can help, particularly if yours is already running to 2-3 pages. You can also dispense with the "References on request" bit too, as this is taken for granted these days.

I'll also mention that the training industry have decided that their courses qualify as jobs (still trying to figure that one out), and so litter the boards and sites with their adverts. One dedicated company has their adverts show up for practically every village in my search radius.

All about the Benjamins

This is worth noting all on its own: don't believe the listing entirely. When you see the matching criteria at the top of the ad, don't expect it to be 100% accurate. Or even 50% for that matter.

Even though you specified your starting salary, your search will include jobs where that is the maximum. You'll also find that halfway through the vague job description, it might say something entirely different to the figure in the match. These differences aren't minor, either. I've seen £10,000 differences.

The same goes for contract jobs: always check the rate, and always calculate it to your preferred format. You should also check if this is Inside IR35 or not, and whether it is fixed term (aka you'll work for the firm directly), Umbrella, or Limited company.

Closing Notes for Recruiters

Recruiters must often wonder why they get such a bad reputation, I think (if not, then they must remain oblivious). The reason is pretty straightforward - they lie. A lot.

Should they wish to change this state of affairs, it's quite simple; just a few minor changes would make all the difference:
• Stop using imaginary mathematics to judge distances
• Learn to use a map
• Use said map when posting adverts
• Post accurate salary information, and don't contradict it within the main body of the ad
• Post accurate job descriptions
• Don't post ridiculous qualification requirements when they aren't necessary, and you don't understand how they work

I think that covers all my grievances for this week!

Yea, though I walk in the valley of the Shadow IT, I carry a big stick

Originally posted: Sat, 20 Jul 2019 08:51:54

Users are infuriating at the best of times. Then there are the ones who smuggle their own applications or devices onto your network. Welcome to the deep, dark depths of Shadow IT...

Shadow IT, if you don't know, is the concept of users running amok and installing whatever application or device they think they need without asking. Tut tut. Of course, this is also partially your fault, for ignoring the Principle of Least Privilege and letting them, so we can't be too angry at the poor end users. Or we can, but we have to admit that our oversight allowed this to happen.

This is one of those Big Problems, along with people clicking every link in sight, and those special snowflakes who plug in every USB thing in sight because SHINY!

Why is it an issue?

If you have to ask, you haven't thought about it. Software on your network from parts unknown could be anything: there could be a trojan horse buried in it, or a keylogger. It could be transmitting data of any kind to anyone. Compatibility issues could mean it has a detrimental effect on your current setup. It could also be unlicensed, which is a headache all of its own.

While there isn't always a reason to suspect the 'ware isn't safe, that doesn't mean you can take leave of your senses either: if you didn't put it there, it shouldn't be there.

The Fix

It is actually a reasonably easy problem to fix, though: first have a policy that states no unauthorised software on any of your machines (have this policy backed up by scary bouncer types. Or just the management). Next, use group policy to make sure no-one has the rights to install crap. Finally, get some decent asset management software that will monitor not just your hardware assets, but also the installed software too.
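The third step, monitoring what is actually installed, is the one that catches the users who got round the first two. The script below is an added example, not code from the original post or from any particular asset-management product: it reads the registry keys Windows uses to record installed applications (machine-wide and per-user), compares the display names against an approved list, and writes out anything that doesn't match so your asset tooling or a scheduled task can alert on it. The file paths are assumptions for illustration; point them wherever your tooling expects.

```powershell
# Added example, not from the original post: inventory installed software on a
# Windows machine and flag anything not on an approved list, so that user-smuggled
# applications show up in the asset record instead of staying in the shadows.
# Run elevated to read HKLM; run in the user's session to see their HKCU installs.

# Hypothetical paths: adjust to wherever your asset-management tooling expects them.
$ApprovedListPath = 'C:\ProgramData\SoftwareAudit\approved-software.txt'   # one DisplayName per line, '#' for comments
$ReportPath       = "C:\ProgramData\SoftwareAudit\unapproved-$env:COMPUTERNAME.csv"

# Windows records installed applications under these keys. The HKCU key is where
# per-user installers land (the usual Shadow IT route, as they need no admin rights).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledSoftware {
    # Entries without a DisplayName are hotfix/component stubs and are skipped.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate,
            @{ Name = 'Scope'; Expression = {
                if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'User' } else { 'Machine' } } }
}

function Get-ApprovedSoftware {
    param([string] $Path)
    # Blank lines and '#' comments are ignored; surrounding whitespace is trimmed.
    Get-Content -Path $Path |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') }
}

function Find-UnapprovedSoftware {
    param(
        [object[]] $Installed = @(),
        [string[]] $Approved  = @()
    )
    # -notcontains is case-insensitive in PowerShell, so 'Foo' and 'foo' both match.
    # Anything not on the list, machine-wide or per-user, is reported.
    $Installed | Where-Object { $Approved -notcontains $_.DisplayName }
}

$installed  = @(Get-InstalledSoftware)
$approved   = @(Get-ApprovedSoftware -Path $ApprovedListPath)
$unapproved = @(Find-UnapprovedSoftware -Installed $installed -Approved $approved)

if ($unapproved.Count -gt 0) {
    # Per-user installs are the most telling: they got past the install-restriction GPO.
    $unapproved | Sort-Object Scope, DisplayName | Format-Table -AutoSize
    $unapproved | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Warning "$($unapproved.Count) unapproved package(s) on $env:COMPUTERNAME; report written to $ReportPath"
    exit 1   # non-zero exit so a scheduled task or RMM job can raise an alert
}
else {
    Write-Output "All $($installed.Count) installed packages on $env:COMPUTERNAME are approved."
}
```

Matching on DisplayName is deliberately simple: it is what the asset record already holds and what users see in "Apps & features". Run it as a scheduled task and diff the CSV against the previous run, and the Scope column tells you at a glance whether the install went through your approved channel or round it.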

If you also have a policy where you are open to looking into new software that others suggest, this will help mitigate Shadow IT problems. Encourage your users to come to you with suggestions and involve them in the testing phase. Explain to them what they need to take into account and get them to argue the case for it. If it passes muster, maybe you'll have something to implement that might make life easier. More often than not, though, you'll get users who understand why you said no, and that's worth its weight in gold-pressed latinum.

Farewell, Vertigo

Originally posted: Sat, 22 Jun 2019 08:50:05

I've not really talked about my love of comic books and graphic novels here. Not that I'm an obsessive, but I do have a few titles I'm heavily attached to. Hellblazer, Lucifer, The Sandman, The Invisibles, Preacher, 100 Bullets, DMZ, to name but a few. A large portion of these have one specific thing in common: they were all released, or continued, on DC's Vertigo imprint.

History

Vertigo started in 1993 under the guidance of Karen Berger, an editor of legendary status for good reason. Its mandate was to find a home for the more adult-themed comics largely spawned by the British Invasion. This was necessitated by not wanting to draw the attention of the Comics Code Authority. DC's latest imprint became home to some of the more influential, as well as freethinking, offerings of the American format.

Another thing of note with regards to Vertigo is that, at least in its early days, a large amount of the work remained creator-owned, something that had been a challenge for writers and artists for decades, and still can be.

Impact

As someone who grew up with the Vertigo imprint, albeit coming in a little later, I can honestly say I found a home there. The titles evoked fear, horror, elation, beauty; took you on journeys wondrous and complex. You had no choice but to face up to the changing face of society and its ethics: these books took you on a quest to confront it all, whether you liked it or not.

Readers became more than passing dabblers in the occult, bore witness to the conflict at the heart of creation, and saw a conspiracy that operated across all levels of the United States bear its fruit and then collapse. We saw a world bereft of men, and a US civil war played out in Manhattan. Nothing was held back, no sacred cows here: everything was fair game.

Sunset

On the 21st of June 2019, DC announced that the Vertigo imprint would be sunsetted by the end of the year. It will move all its mature reader titles to DC Black. Just like that, 26 years of comic book history, much of it made on the imprint, gone.

I am deeply sorry to see it go, given the many hours of entertainment, intrigue, and wonder I have enjoyed in its pages.

High Moon

Originally posted: Tue, 28 May 2019 08:51:09

N.B. This is a freebie writing prompt for anyone who wants it - I got as far as I could, then couldn't see a way forward with it.

The bell struck midnight as the crowds snaked through the city streets, their shapes bathed in the blue reflected light of the moon. At least, they did heading towards the bigger temples, the gatherings heading to the smaller ones, or those of the minor cults, would barely fill a tavern. Still, they all came, greedy for prophecy: would they be chosen? Would their child's destiny be revealed and hail a new era? Could they herald an age of conquest, or lead a calamitous war? Hero, villain, warmonger, peacemaker - it was all the same to them: if prophecy called, they would answer and be immortalised in history.

Bloody fools, the lot of them. Why anyone would want the eyes of fate to glance at them and decide to hijack them "for glory", I don't know. The smart ones stay at home on High Moon, or go on hunting trips, or mountain treks. They're the ones who understand. They're also the poor sods who get a visit from me. And if I show up at your door... Well I'll put it this way: most of those I minister the future to have a higher survival rate than the temples. Physically, anyway.

Prophecy is lunacy: people will bend over backwards trying to obey it, despite it being uselessly vague and referring to events and people either centuries buried or not yet born. It has become the coin of charlatans to appease the influential. It also fucks with history, and with my plans for history. This does not make me happy.

No, I'm not actually a prophet, by the way. I'm more of what you'd call an agent of Time: I don't hop around in it at will, I cannot travel strictly through time, I just get sent instructions and have them carried out. OK, fine, I'm a fucking prophet, stop rubbing it in. What I don't do is write this shit down and peddle it for cash or influence. I don't get the same vagaries most "prophets" do, but that's because I'm not grasping at the edges of the Tapestry, stealing a small loose end of a thread. I get specifics. I get specifics, because they are basically orders. They are not visions of things to come as warnings; not a tidbit to send some prancing gallant nitwit on a quest; and they are most certainly not a way to get rich quick (although I'm far more loaded than the temples and nobles could dream of).

Anyway, back to tonight: Tonight is High Moon, a day-long festival where the moon is high, the weather is good, the temperature warm, and the people come out to beg a temple acolyte to make them famous and rich by telling them an obscure passage in an impressive-looking old book means they have a Great Task to accomplish that will Save People/Nations/Pretty Young Thing. It's my favourite night of the year, because it gets the priests off my back while they do their thing, and I can actually go get things done. Which I can usually do, provided one of their smart alecs doesn't actually find something genuine, and the right person to match it. Thankfully that doesn't happen very often, as untangling the resulting catastrophe really eats into my "me" time. The last time that happened, the priests still haven't forgiven me for it: I stole one of their people, burned down one of their hidden storehouses and embarrassed them into submission in front of the Archon. They should be glad I didn't do it publicly, given the storehouse bit was mostly their fault, sticky-fingered weasels. I digress, although the storehouse is relevant, as it is my current destination.

Now, as you may have gathered, I'm a bit of an oddball around these parts, which, on top of being a prophet (even one of an obscure cult, as they like to call my practice) allows me certain courtesies, and a lot of leeway in regards to my behaviour. Not that anyone really pays much attention to my comings and goings, but I do like to take the paths less travelled. So this High Moon had me visible to everyone, should they be looking, ambling along the city's skyline, leisurely hopping from rooftop to rooftop heading towards the docklands district for a "chance" meeting at the aforementioned husk of a storehouse.

The Fifth Domain

Originally posted: Mon, 20 May 2019 08:54:25

As I'm seemingly doing a series on Cyber Warfare, I suppose we should rewind from Hybrid War a little and define what CyberWar is. Let us enter the fifth domain of warfare, Cyberspace, and try not to get hit.

Traditional war is fought on land, at sea, or in the air. For a short while (although this notion might be having a small renaissance with Trump’s Space Marine idea), it looked as though combat might move ever upwards into space, so much so that the USA went as far as creating a Unified Command to back this idea (naturally, this concept was gravitically attracted back to solid ground. I could go into a little rant over this lunacy, so keep your eye out for that, it should be fun). Cyberspace, however, seems to have only just garnered the attention it has so desperately needed. Given the substantial amount of damage that can be done in the digital realm, it is quite worrying that it’s only within the last decade that it has been taken seriously. It’s also rather disturbing that it is still not a public conversation piece.

The What?

So, what is Cyber Warfare exactly? Is there even a standard definition, or is that, too, like IW, trapped in a weird limbo of “it’s lots of things, and we don’t want to limit our options by defining it”? (Option B. It’s always Option B when there is a choice). Apparently, not even the great Wikipedia can settle on one unifying concept. One definition found in the book ‘Introduction to Cyber Warfare’, and based on Carl von Clausewitz's famous definition of war, reads thusly:

“Cyber war is an extension of policy by actions taken in cyber space by state or nonstate actors that either constitute a serious threat to a nation’s security or are conducted in response to a perceived threat against a nation’s security.”

As it goes, I think this is a fine definition for bandying around a governmental/legislature chamber, but as something practical that actually tells us anything about the subject, it is lacking in detail a little. Richard A. Clarke offers up this definition:

“…actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption”

It’s nice, simple and describes a fight. And also feels like it misses the mark a little, providing little nuance to a rather broad category. Martin Libicki has this to say on the matter, and at least recognises there are different aspects to cyber warfare:

On Strategic Cyber Warfare: “…a campaign of cyberattacks one entity carries out on another”

On Operational Cyber Warfare: “…involves the use of cyberattacks on the other side’s military in the context of a physical war”

As you can see, these are a little more descriptive regarding at least the battlespace, but are problematic in different ways: the strategic definition can be applied to any entity, from script kiddies putting their newly discovered powers to the test; hacktivists acting in concert to deface/take down a poster website; cybercriminals using zombienets to mine and steal cryptocurrency, all the way to the Iranians planting malware to wipe a company’s worth of HDDs: it’s just too broad in scope to be workable, although it gives us a starting point. That’s not to say that in cyberspace, war can only be participated in by nation-states, far from it: the running conflict between Anonymous and the Church of Scientology can almost certainly be seen as a war, one that involved both InfoWar and CyberWar: this is just another example of where the world of the electron and the baud blurs the lines of what we thought we had a pretty good handle on up to now.

The operational definition reduces cyber war to nothing more than a background effort in support of traditional, kinetic warfare. Now, while cyberattacks and other digital efforts can be utilised in such a capacity, it does seem to limit its true capacity, not just in what can be accomplished in coordination with physical war, but also in how devastating the effects of a war fought purely in the digital ether could potentially be. Let us not forget, it is well established that a few lines of code can blow up a generator (Aurora Generator Test), destroy nuclear centrifuges (Stuxnet), or otherwise cause physical destruction directly or indirectly. And that’s ignoring all the other damage that can be caused by cyberattacks; overall, the only thing more devastatingly effective might well be nuclear weapons.

So, let’s try this definition on for size (my own contribution to the conversation):

“The continued offensive and defensive acts of aggression utilising all available digital assets against acknowledged adversarial entities in any battlespace”

I’ll leave the word aggression in there for now, but I can see how it might be superfluous. I think it covers all bases, explains that it can stand alone or in support of other conflict agencies, allows for multiple parties, including those non-nation-state actors that might want to engage, and specifies the speciality of the field. The “continuous” modifier was put in there as a scale descriptor – this is to separate from a one-off data grab or breach.

The Logic and The Bomb

Originally posted: Wed, 08 May 2019 09:05:06

Cyber Warfare has just entered a new, and dangerous reality. Is this vicious overkill, a well-measured response, an outlier, or the shape of things to come?

CLEARED FOR RELEASE: We thwarted an attempted Hamas cyber offensive against Israeli targets. Following our successful cyber defensive operation, we targeted a building where the Hamas cyber operatives work. HamasCyberHQ.exe has been removed. pic.twitter.com/AhgKjiOqS7— Israel Defense Forces (@IDF) 5 May 2019

Sunday, the IDF released the above Tweet after demolishing a building that allegedly housed Hamas' cyber operatives, during a cyber-attack. Kinetic warfare met the digital offensive with a bang.

Why is this important?

This is hybrid warfare, where online offensives and IRL retaliation meet. This is largely the first time it's ever happened, if you put aside the drone attack on an ISIL keyboard cowboy (https://www.theguardian.com/world/2015/aug/27/junaid-hussain-british-hacker-for-isis-believed-killed-in-us-airstrike), which may well have just been for his other activities for the group, rather than specifically for his online prowess. You might also point to the destruction of Ukrainian infrastructure, although that is likely more a direct result of the cyber war campaign than ground forces.

This Wired article (https://www.wired.com/story/israel-hamas-cyberattack-air-strike-cyberwar/) takes a good look at what happened, although it cautions that this incident should be viewed as more specific to the Israeli-Palestinian death game than as a wider indication of digital ether versus bombs-and-bullets battles. I disagree.

The precedent has now been set, and unlike the outlier nuclear bomb, it's out of the box now. This will not be the last time we see this hybrid warfare, and the implications of that are not good. Noted InfoSec researcher Bruce Schneier (https://www.schneier.com/blog/archives/2019/05/first_physical_.html) sees this as an opening to another form of asymmetric warfare.

To put it in terms of the ongoing conflict in Israel, it does appear at first glance to be a massive overkill reaction, especially considering that they claimed to have fended off the cyber-attack already. However, there does seem to be a claim that intelligence agents were operating out of the building as well. Very little has been said officially other than the rather tasteless Tweet. Should there be evidence that Hamas operatives other than hackers were being run out of the building, then perhaps there is a justification for such an extreme measure. As it stands, it just looks like the IDF killed support staff not active combatants.

And this is the crux of the matter as a whole: yes, hackers are waging a war, albeit on digital grounds. But that is a distinction worth considering: yes, hackers can cause immense amounts of havoc, and can physically destroy or otherwise render infrastructure useless. Yes, they can steal critical information and compromise systems, which can lead to putting people in harm’s way. But can they be classed as active combatants, or are they supporting staff?

I am by no means the one to answer that question. I'm not remotely qualified to pass judgement there. My gut instinct is to class them somewhere between support staff and non-combatant intelligence analysts, which should keep them from front-line action, but again, I'm not informed or qualified enough to decide this in the wider scheme of things. But someone needs to. Pandora's box has been opened once again, and the rules need to be clarified before we end up here again, which we most certainly will.

What's in a Singularity?

Originally posted: Thu, 02 May 2019 13:03:28

Singularities are Black Swan events: you might be able to see it coming, but beyond the event horizon, it's anyone's guess. There's been talk for years about the next one, the one where AGI supposedly emerges, and almost instantaneously becomes ASI. But what if it isn't?

Humans have almost always lived with singularity events; hell, from the point of view of all other life on earth, we are a singularity event. Some of these are obvious, like the control of fire, agriculture, the smelting of various metals, writing, the printing press, and many many more. Others have been smaller, or less obvious types; the automobile, the computer, the emergence of currency, the nuclear bomb. While you might not think these things singularities, there was no possible way to determine the far-reaching effects they would have on us as a species.

Now, the way current talk is going around the next Singularity, you could be forgiven for thinking AGI/ASI will be a conscious entity/entities. I'm of the opinion that this is a little far-fetched, and is actually beside the point for what I'm guessing will take place.

See, while these techno-prophets might be on to something, I'm reasoning that all they may have right is the timescale: the next 50 years or sooner. We don't need AGI or ASI for an event; just AI advanced enough, similar to AlphaGo, to eliminate most of the drudgery work we engage in, and for it to be widely applied.

Yes, this will basically put the economies of today into free-fall collapse, and oh no, won't that be horrible (it actually will be for a while, until we can adjust to it). Whatever will we do?

Now, I say this almost mockingly as if it's not going to be a problem. But by my thinking, by the time this happens, we will already have been mired in the economic issues for some time. As a rough number I'm pulling out of a hat (because I wouldn't begin to know where to start in calculating a proper figure (if you can, please let me know, I'd be happy to learn)), by the time automation hits 25%, it's game over anyway. If it hits that, that means 25% of the actual working population (not the working age) will be out of work, and at that point, the automation systems can only improve and start coming for the rest in an exponential fashion.

Not every job can be automated or will be, but what's left will not be accessible to everyone. But enough will be that it will change the face of society. For a while, the small handful of people who are able to keep making money will do so, but that can only carry on until fewer people have money than those who don't, and when we approach that, money will be worthless.

Thus, we hit Singularity. What will happen at this point? Huge swathes of people unable to work as there are no jobs, several hundred years of cash economics suddenly gone.

We could enter an era of untold greatness, following in the mould of the likes of Star Trek. Just as easily, we could devolve into war and set our species back centuries. We could just remain static, limiting machine labour and trap ourselves in cyberpunk hell. The so-called Great Filter could come calling and decide that this is enough.

We've turned Singularity into Utopia. It has become the Dream, the thing that will solve all our problems because technology will save us. But that is only one possibility, and for it to become a real one, we have to work for it. Even then, there are no guarantees.

Singularity is nothing more than unlocking the next level in a game, and the only way to succeed is not to just wait and hope, but plan, prepare and guide. They bring turbulence, these events, in ways we cannot predict. If we could, they wouldn't be Singularities: we can mitigate disaster if we see it coming (having the will to is a different matter), but it's all the rest of it, the unknown unknowns that are the issue.

One thing I am sure of though, is that this is the point of Singularity, not when AI has developed further. This is when it really begins.

When do we get apps for our brains?

Originally posted: Mon, 18 Mar 2019 11:06:00

This is not a post about transhumanism or integrated tech. This is about my horrible time management. And it is horrible.

I've been doing my annual email cleanout and found some dark neglected corners. A couple of years ago, I decided it might be a Good Thing to create some email rules to help keep my Inbox a bit tidier, and infinitely more readable. It turns out that this has worked, at least to make my Inbox workable. Unfortunately, it means that I have neglected some 350+ newsletters I actually enjoy reading.

Because the email rules put them directly into subfolders (and in some cases, subfolders of subfolders (because I like to be organised)), and I primarily use a mobile app, I tend to glance over these in favour of the ridiculous (100+) amounts of mail that still comes through the Inbox.

I am not pleased with myself for this. I am also grateful that my current job does afford me multiple hours of time on a Monday to be able to contend with this backlog. I will be very screwed when I have to get a Proper Job that involves actual gulp Work.

Of those newsletters I have a backlog in, for those of you with an interest, are the following:
• Daniel Miessler's Unsupervised Learning
• Warren Ellis' Orbital Operations
• Atlas Obscura
• Code Project

I have decided that I need an app for my brain which not only reminds me these things are there but can auto-schedule time for me to read them.

How I've managed to get this far with my scatter-brained chrono-control I'll never know...

Becoming Daedalus

Originally Posted: Wed, 20 Jun 2018 17:52:00

Today, I want to look at soft skills; more precisely, one soft skill in particular, namely problem solving. Yes, that old chestnut, the one everyone seems to need to put on their CV, from janitorial staff and burger flippers to IT practitioners of all flavours. But why am I writing about it now? Because it’s not a very well understood skill, and it is only half of what a CyberSec pro needs. Confused? I’ll explain.

As I’ve mentioned previously, one way for CyberSec personnel to test themselves and keep their skills sharp, while learning or while actively engaged in a position, is wargames (you can find a good list of them here). Hack boxes, CTFs (Capture the Flag) and so on are a great way to introduce you to thinking about the issue faced and the problems that need solving in context. It helps build your problem-solving skills by presenting you with common, and not so common, challenges, which you must overcome with your wits and technical know-how. Problem solving as we know it is a largely regimented process, usually an exercise in remembering a trick you learned way back when. At its best, problem solving is a melding of the creative and the scientific: an unusual solution arrived at through logical means.

But a lot of this can be either remembering a known solution, or hours spent jerry-rigging something together until you can fix it properly. It’s as if problem solving is only half the skill. And that’s because it is. Because we forgot Daedalus. Daedalus, for those of you who don’t know, was a craftsman and inventor of ancient myth, a puzzle-maker who created the Labyrinth. We have forgotten that we need to learn how to build puzzles and problem scenarios, so we can know better how to solve them. If I were to give you a map of a room, at the centre of which was a box, and marked the locations of the doors, lights, cameras, alarms etc, it would be reasonably easy to plot your infiltration route (or routes, if you pay particular attention), path to the box, and exfiltration route. But if I were to give you the box and tell you that you needed to build the room to protect it, would it be so simple? Could you build the room that avoided the problems of the room I gave you to break into?

This is an increasingly important skill to develop, with easy-to-use, readily available tools that are designed to trick and mislead investigators into believing one thing, whilst being another. If nothing else, the Vault 7 leaks of last year showed us that these tools have been in use for some time now. As Cyber Security practitioners, we must have the mindset to see these things, but also to design systems that are labyrinthine to malicious actors, make puzzles of our own systems so that they cannot be easily cracked, and so that we can find the intruders in return. We have made shifts in this direction, with honeypots and canary tokens, but as always, more can be done.

What I’m driving at here is that everyone wants to be the ace hacker, or CyberSec Architect extraordinaire, but do they really know their skill set? It’s fine learning coding and networking by rote, and Googling for the fix to that problem is all good and well, but are you actively keeping your problem-solving skills sharp by testing yourself from the other side? If you aren’t sure, give it a try. An increasing number of CTF and wargame sites are allowing and requesting new challenges, so why not give it a go?

The Ancient and Venerable Art of Google-fu

Originally published: Sat, 23 Jun 2018 07:13:00 +0000

Other titles considered for this post: How Not to Piss Off Entire Forums and Facebook Groups; Avoiding the Banhammer; Stop Being Lazy and Look it Up Yourselves.

Before you can embark on a career in, well, anything even vaguely IT related (or do practically anything), you must master one crucial skill: information searching. In the days of yore, and even rumoured to still exist despite budget cuts, there was a cult of specialists in this area, who guarded their domains jealously: the librarians. These knowledge-fanatics could divine what you were looking for from the ridiculously poor and mumbled explanation you gave them, then translated that into a secretive code which led you to a shelf in a library, and then to the book you were after. Just like magic.

These days, while librarians are still a vitally important part of cataloguing knowledge, we also have another, less mystical, tool at our fingertips: the Search Engine. Unfortunately, very few people have bothered to learn how to ask these data crawlers for the right information, leaving too much confusion and clogged-up posts asking other people for something a quick search, done properly, would have revealed. This then leads to arguments and admins swinging Banhammers around like an enraged blacksmith.

Which brings us to the point of this post: What is Google-fu? How can it help me?

Put simply, Google-fu is a slang term for being able to use a search engine and get the desired result almost every time. Or magic, for the uninitiated. It's about understanding what you want, knowing how search engines work and matching these things together to get an answer. You might think "I can already do that", but if that were true, you wouldn't keep asking inane questions on forums trying to work out the simplest query.

I'm not going to go into depth about the algorithms that power Google, Bing, DuckDuckGo or others; you can do that yourselves. The basics are quite simple: they use indexes, compiled from SEO data, tags, labels, search descriptions and site metadata, to form a list of results that match your query terms to a greater degree than others. Naturally, it gets more complex from there, but that's the gist of it.

In the good old days of the Internet, before the ideas that formed the semantic web (an idea that would bring web searching and other functions together with a form of natural language processing) were considered close to reality, Boolean logic was god. AND, OR, NOT, NOR logic functions were instrumental in finding what you wanted from a search with any reasonable degree of speed or accuracy. Now, while we do have a more responsive search algorithm being used, Boolean logic isn't necessary, although it can be helpful, not just in the search itself, but while formulating the search.

Here's the crux of this post: I'm sick of people not looking for things on their own and asking in groups and forums that are for discussions about Cyber Security or IT about simple things a quick search should tell you. I'm beginning to think that not only are these kinds of people lazy, but also ignorant of just how to search.

So, here's my quick guide to getting out of my hair and not getting banhammered:

Step the First: Figure out what you are searching for. Basically, work out what information you are after, then break the search down into terms as specific as you can be. If you are unsure, start with a look at the topic on Wikipedia; that might help narrow it down.

Next Step: Grab a thesaurus. If you are still struggling to find what you need, try to find synonyms that you can use instead of the terms you are using. Try switching the order of words around too.

Step the Third: Information Validation. This can be the trickiest bit, working out which resource is the most reliable. If the information is correct, you can usually corroborate it on another resource. Checking the URL validity is important too: a website ending in .co.uk or .gov is more likely to be reliable, over a URL that ends in .com.uk.tv or other such ridiculousness.

Recommendations from other people can be good, as are company websites. Wikipedia might have a reputation for being an unruly free-for-all, but the citations and references can point you in the right direction. It's also worth getting your head around the concept of bias, as you'll find it almost everywhere, not just in journalism or advertising.
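The URL part of that validation step can be mechanised. The following is an added example, not code from the original post: it extracts the hostname, works out which labels are the real public suffix, and flags the ".gov.uk.tv"-style pattern where a trusted-looking ending sits in the middle of the name rather than at its end. The multi-label suffix list and the trusted-suffix tuple are constructed for this example (a production check would load the full Public Suffix List instead); the function names are my own.

```python
from urllib.parse import urlsplit

# Constructed, deliberately short list of multi-label public suffixes for this
# example (assumption); a production check would load the full Public Suffix
# List from publicsuffix.org instead of hard-coding entries.
MULTI_LABEL_SUFFIXES = {"co.uk", "gov.uk", "ac.uk", "org.uk"}

# Suffixes a reader tends to trust on sight (constructed list). If one of these
# shows up inside a hostname rather than at its end, the site is not what it looks like.
TRUSTED_SUFFIXES = ("co.uk", "gov.uk", "ac.uk", "gov", "com")


def hostname_of(url: str) -> str:
    """Extract a lowercase hostname; a bare 'host/path' string is accepted too."""
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.lower().rstrip(".")


def public_suffix(host: str) -> str:
    """The part of the hostname under which a registrar hands out names."""
    labels = host.split(".")
    if len(labels) >= 2 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-2:])
    return labels[-1]


def registrable_domain(url: str) -> str:
    """The domain that was actually registered: one label plus the public suffix.
    'https://login.example.co.uk/x' -> 'example.co.uk'
    'https://hmrc.gov.uk.tv/login'  -> 'uk.tv'   (the .gov.uk is decoration)
    """
    host = hostname_of(url)
    suffix = public_suffix(host)
    labels = host.split(".")
    suffix_labels = suffix.count(".") + 1
    if len(labels) <= suffix_labels:
        return host
    return ".".join(labels[-(suffix_labels + 1):])


def looks_like_lookalike(url: str) -> bool:
    """True when a trusted-looking suffix appears inside the hostname but is not
    its real public suffix, i.e. the '.com.uk.tv' pattern from the post."""
    host = hostname_of(url)
    suffix = public_suffix(host)
    # Everything left of the real suffix, dot-padded so label matching is exact
    left_part = "." + host[: len(host) - len(suffix)]
    return any(f".{s}." in left_part for s in TRUSTED_SUFFIXES)


if __name__ == "__main__":
    # Constructed sample URLs, not real sites
    for u in ("https://hmrc.gov.uk/", "https://hmrc.gov.uk.tv/login",
              "http://example.com.uk.tv/", "https://www.example.com/"):
        print(f"{u:32} -> {registrable_domain(u):16} lookalike={looks_like_lookalike(u)}")
```

The point the code makes is the one the post makes in words: only the rightmost labels of a hostname say who really owns it, so anything trustworthy-looking to the left of the real suffix is just a label someone chose. The check is conservative and will also flag names such as gov.example.org, which is the right side to err on when you are deciding whether to trust a source.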

I hope this has helped, if it has, share it around.

Multidisciplinarianism

Originally posted: Sat, 23 Jun 2018 11:53:00 +0000

Nice, long, big word there as a title. I'll shorten it for you: polymath. A person of wide knowledge or expertise. The desired human state.

I have long been an advocate for something I call wide-spectrum literacy: competence in reading, writing, arithmetic, science, technology, politics, philosophy, economics, to say the least. I have what you could mildly call a vehement dislike of ignorance, particularly wilful ignorance: I find little to no excuse for it, especially in developed nations where access to technological marvels which act as gateways to endless learning and knowledge, most of it free, is commonplace to the point of being carried around in pockets.

You can imagine, then, my sickening disgust at the state of the world, and the horror of facing an international society in which ignorance, bigotry, and mendacity don't just roam freely, but are actively pursued as if they were the highest virtues.

Now, I'm not going to lay the blame entirely at the feet of poor education, because that simply isn't true. How can it be, when I came through the same academic system as some of my peers who struggle to recall basic biology? That isn't to say the education system isn't flawed, far from it; however, it does suggest that there must be other factors involved. Familial biases perhaps? I know it's no longer the done thing to blame the parents, but surely if they seek to take some of the glory of their offspring's achievements, then they should also shoulder some of the responsibility for their failings, too?

We must also consider social pressures, as they have just as much power in the shaping of a mind as a parent or a school. While the lunacy of religion does seem to be waning, it seems other cult-like groups are springing up like weeds, and at much the same rate: pro-diseasers (I refuse to call them by any other moniker, call them what they are), flat earthers (we've got proof the other planets are round, but all evidence that Earth follows suit is bogus, or has been tampered with, or otherwise doesn't fit my narrow bias), naturo-/homeopaths (Avocados are great for making guacamole, so why hasn't David Wolfe been squashed yet?) and a whole host of pseudo-scientific/quasi-religious/kinda-spiritual bullshit. And with these lowest common denominator groups come the wide-smiled snake-oil selling celebrities, conning more and more people (who really, really should know better) into hanging on their every word and following each instruction as if given by a god.

Perhaps it's also political and economic: I'm sure we can easily point to elements within the executive and legislature who have overtly/covertly hinted that everything is worse because of that political party/that colour skin/those from country x rather than admit to screwing you over, knowing full well that they've spent enough money on media, and removed enough funding from everywhere else, to make you believe it. And that's without accounting for the political/economic theory dedicants, those who worship at the temple of Friedman, Rand, Buchanan and Hayek. The truly insidious ones who think money is all that matters, and unless you have it, you shouldn't have anything else.

These are just the obvious, flag-waving culprits of a dumbed-down, ignorant society. These, if anything can be called such, are the enemy.

Homo Sapiens Sapiens (that's us, by the way) are natural polymaths: we are born capable of having wide knowledge across many domains. It is crucial for our own development and survival that we exploit this fact about ourselves. Not only might it help us achieve our fullest professional potential, but it could also contribute to our personal happiness. Stifling our own abilities starves us of our need to freely be who we are, but it could also starve the rest of the world of new scientific discoveries, technological marvels, artistic wonders and more.

It's also more than that: we are living healthier and longer. The implications of this are worrying, with unemployment being chief among them. There is a solution (it's not a perfect one, and perhaps not the most desirable one either): either we have a much longer one-track career, or we re-skill and have 2 full work experiences. (Not that I am advocating that work should be a necessity here, but realistically work isn't something that we can just get rid of overnight [unless we perfect AGI and robotics and nothing goes wrong].)

There is invariably more to this than I can fit in this post, but I do think that this is the future. Exploit the polymath potential and begin a whole new journey!