Updates / Checking In

I am looking at my queue and seeing five posts sitting in drafts:

  • Small Office Set-Up: A Short Series (posts 1 & 2)
  • A Sufficient Network for an Ordinary SMB
  • A Case for Quantitative Risk Management
  • DIY VPN

Frankly, it looks like they’re going to stay in that queue for a while. Inevitably, we post about what is on our minds, and often those things that are on our minds are those things which are on the minds of our clients, our families, our friends, and our peers. Today those things in the queue are not what are on my mind, and the things that are on our minds aren’t necessarily about what’s in the queue.

Yes, there are ongoing tasks including the ordinary O&M; yes, there are questions about teleworking infrastructure and security; and, yes, there are the ordinary schedules of projects in orbit. All of these and others provide a sense of normalcy in a time when ordinary life suggests otherwise. Through other media, though, is the barrage of “In these uncertain times” marketing messages from services I haven’t used in years ~ relentless.

From my personal perspective, this is a time to re-evaluate. It’s a time to fall out of habit, to reflect, to get to the heart of what the people around us really need, and to consider deeply how we might help.

We’ll see where it leads.

Roll Your Own? Why not?!

In today’s news, there are revelations, allegations, and speculations of commercial VPN compromises. In at least one case, it seems the access to the VPN server came through the cloud hosting provider’s administrative access to the hosting hardware. In that case, with root access, public certificates together with their private keys used by the service were accessible for a few months before the cert expired.

That paragraph contains enough fuel to fill an INFOSEC proponent’s life with glee ~ page one of a veritable “choose your own adventure” novel: Which thread would you like to pull? The obvious one is how wildly these commercial VPN providers promote how secure they’ll make you — often leading one to believe that security extends a bit beyond the scope of what a VPN provides — and here they are in the news. Karma… people do love that “pride before the fall” business, don’t they? Here’s a less shiny thread that should have industry scratching their heads: What if the VPN provider did everything technically right, but it was the cloud / hosting provider’s security breach that allowed the compromise? Has your organization considered that angle for cloud security? Do your contracts pass liability to the hosting provider? If so, would it really make a difference once your brand takes the black eye?

Stuff worth considering. Anyway, for me, it was something different. It was a blowhard’s Twitter thread seemingly mocking other people’s advice to roll your own VPN service. People piled on and then one person escalated with “‘stand up your own VPN service’ is the new ‘stand up your own email server.'” Naturally, anything near that fire ignited as well. Soon there was, “Why not stand up your own ISP?” “Why not create your own internet?” “How about a WISP?” “How about those mesh networks?” “Why not roll your own crypto?” Etc.

Sigh… “Celebrity shit-posting” and the anti-intellectuals hopping on the bandwagon. Who benefits from it all? Not our clients, that’s for sure.

So, for each of those “Why not?” assertions that cause actual SMEs to cringe, let’s instead ask “Yes, why not indeed?” in response:

  1. Why not stand up your own VPN? Whether your objective is to tunnel your traffic out and away from the coffee shop or the airport lounge, or if it’s to reach your files at home or your servers at the office, a private VPN is absolutely a correct answer. It is simple enough to do, it’s completely private. The up front costs are between $0 and $50 and the recurring costs are likely between $0 and $10 per month depending on the complexity and what you want to accomplish. Odds are that you’ll be using the same software components that the commercial folks are buying.
  2. Why not stand up your own email server? The code bases for the two or three major software packages have been stable just about forever and are still actively maintained. They’re proven and they’re battle hardened. You can keep your data close by and controlled.
  3. Why not create your own ISP? Internet? WISP? Mesh Network? Were you even aware it was possible? Your cheap wireless firewall router box from Walmart essentially sets up a private network in the house wherein you can set up websites, file servers, email servers, and whatever else you like and make them all accessible to anyone on that network. Everyone in the neighborhood could do the same. If they’ve got something cool they want to share, we just need to establish a network link to join them and a mechanism to route the connections back and forth. Maybe that’s a router and a wireless connection that everyone on the cul-de-sac can see. How about a few houses up the block where the signal is a bit weak? What if the house just before it could relay the signal? So far, nothing has touched the internet-proper at all. Here’s the thing: Communities are doing this. Places without internet access have travelers bringing back copies of websites on a thumb drive to be added or updated to the isolated network — how cool is that? Under-served communities are setting up their own Wireless ISPs to ensure that families and businesses can get a signal where Comcast and Verizon don’t believe it’s worth going. Cities are standing up their own public ISPs to ensure a base level of services is available to all of their citizens, much to the chagrin of the major ISPs.
  4. Why not roll our own crypto? Here’s the thing: the first iterations of anything, including crypto, were people rolling their own. And like everything else, we learn from mistakes and make improvements — a continuous process. It’s one thing to ignore the work of folks who’ve gone before, but it’s an entirely different thing to shunt people to ground and declare that they shouldn’t try and innovate.

It goes on. We can handle our own email and data. We can create our own telephone and chat services. We can make our information available to each other in any number of forms. We can do it all privately, and we can actually do that without touching the internet itself — the same equipment that lets us connect to Comcast and Verizon let us connect to each other without them. Is it worth it? Well, that depends on us our risk tolerance and our operational needs.

With the explosion in commercial networked technology over the last 30 or so years, you’d think we’d all be able to stand up a website or similar before graduating middle school. Instead, as a society we’ve largely become device operators, ignorant of how the pieces fit together. There, there — leave it to the professionals… We’ve created a new form of illiteracy, and it’s left us ungrounded — unable to distinguish when we’re being hoodwinked or bamboozled by businesses, governments, or anyone else.

Before you know it, we have celebrity shit-posting SMEs on Twitter making technical recommendations to major corporations putting us all at risk.

So, if you find yourself around the water cooler with the kibitzers slamming that commercial VPN for their breach, why not pull the other thread instead and ask them how they mitigate the risks of putting their own corporate services in the cloud where they could be compromised by the host? It could be an interesting chat.

Find your trusted advisers and ask questions. Never stop asking questions.

Take Time to Reflect

“We have always been at war with Eurasia.”

While a lot of nerds are enjoying “Palindrome Week” — at least in those places where we’re satisfied to write today’s date as 9-11-19 — many are telling their “Where were you when…” stories for the more notable 9/11.

Yes, I’ve got my own story… but today I have a slightly different reflection I’d like you to consider: It’s been 18 years. That means that, starting today, there will be people enlisting in the U.S. Armed Services who were not yet born when the towers crumbled, the Pentagon was hit, and the field in Pennsylvania was scarred. Soon enough, many of them will be far from home in support of missions that had their origins in that day.

For better or worse, 9/11 was a tremendous catalyst for breaking the political, the policy, and the budgetary status quo. Where I was, people were suddenly willing to take risks, to reevaluate safeguards & protections, and to use phrases such as “for the greater good” as weapons; and there would be few if any willing to stand against that internal wildfire. How many reports and whistle-blowers later would it take to realize that perhaps this “New Normal” should have been a collection of temporary measures at best.

Of course, we all know that there are no “temporary” measures… Once justified, approved, and in the budget, an effort has seemingly infinite momentum. It would almost take another 9/11 to change direction. 18 years later, our next wave of war-fighters, beginning today, will only have ever known the current status quo, and they will learn the lore on the job and accept how “We have always been at war with Eurasia.”

So, how is it in your organization? How long have you been at war with Oceana?

It doesn’t take long for an organization to lock-in to standard operating procedures. It doesn’t take long for an infrastructure configuration to take root and quietly disappear into forgotten history. It’s often a fresh set of eyes asking “Why?” that either triggers our memories and war stories (if we were part of events 18 years ago) or shoulder shrugs from the generation that followed. If the fresh eyes belong to a green new hire, that may be the end of the discussion. On the other hand, if the eyes belong to a consultant or an auditor, you may have to dig deeper.

But what about you? How often do you pause to ask “Why?” Maybe with your annual audits? Maybe with your annual review of corporate documents? Maybe when something comes up in a tabletop exercise and makes it into the record? Who is charged with keeping the lore, and who is in charge of challenging it from time to time?

Or is it “I don’t know; it’s always been this way”?

Open your calendar. Pick a day or two that means something to you or your organization. Use that reminder and that energy to bring your status quo into your conscious attention and ask “Why?” Ask if it still makes sense. If it does, good — you’ve kept the reason alive — never forget. If on the other hand your circumstances have changed, now is the time to right your course.

As always, if you would like the assistance of that fresh pair of eyes to challenge your assumptions, contact us.