Gearing Up the Workforce: Will the “crash courses in coding” model work in Albuquerque?

I’ve been thinking a lot about this business model since long before seeing this article in the Albuquerque Journal:

The article comes out of an Atlanta paper and primarily deals with two companies in that area, Tech Talent South and The Iron Yard, both of which work on the theory that months of intensive education and mentorship works better than four years and giant debt. They both specifically address coding, which is a solid strategy because the demand for up-to-date coders is pretty much endless at this point. Take it from me: the recruiters frequently ping me for leads for hot recruits. If you want it, it’s there for the taking.

There is one such operation in town, and it looks interesting. But not cheap. None of these are cheap. Among all three schools I’ve mentioned, the class duration is 8 – 12 weeks, and the price is $7000 – 10,000. This is a heck of an investment, though it’s highly likely worthwhile for someone who wants to make a start from scratch.

Most of the hard-core developers I know, and I know a few, are entirely self-taught. But for those less-than-hard-core developers like me, a working familiarity with programming principles and specific languages came slowly. If you’re looking for a job, and you know you can code, the boot-camp school method may be a hot ticket.

I’ve considered opening a shop to do exactly this, though I’m watching the local firm to see how they do. Frankly, however, my emphasis is different. Sure, I do Unix, and coding, and networks and so forth. But I’m deeply interested in security, and I’m deeply interested in teaching. This is handy because a lot of security consists of education.

So if I were going to do this I’d take a careful look at the audience for a security school along a vaguely similar model. My local friends are familiar with the “DoD Order,” which requires local national lab and Air Force base personnel to pursue a continuing education in security. And we have another national lab up the road at Los Alamos, and two more bases and a missile test range down near Alamogordo.

It’s an interesting thought….

* * *

“So You Like Pain and Vulnerability Management?”

Executive Summary:

You will never catch up when you try to do security through patch management. The unknown vulnerabilities are, by their nature, unknown. And the zero-day vulnerabilities will always be irritatingly one day ahead of your malware detection.

Instead, understand and implement proper operational controls.

See the full article at


Substantial changes usually have to happen in the context of paradigm shifts. That’s just a fancy way of saying that we do things differently when we change the way we think about them.

Consider, for instance, the SANS list of Critical Security Controls. Find it at

It’s a long list of directly applicable areas of operation. They’re talking about controlling things like boundaries, and data protection, and inventories of systems and software. Okay, but this is the starting point of hamster-wheel madness. You will never patch your way to security, for one example. You will ALWAYS be a day behind the zero-day vulnerabilities.

Consider, in contrast, the OSSTMM controls. There’s a good outline at

This is a very different list of controls: Authentication, Indemnification, Subjugation…. Hey, wait, this is totally different stuff!

Exactly. The OSSTMM, which is described in some good detail at the link above, is about a whole different way of thinking. There is a good example of its application at

The gist is that you cannot patch Dropbox to security; and if you apply the right analytics to it, it may not look attractive for doing much more than sharing recipes. But that’s another story.

Let me simply suggest to my friends and security practitioners that it’s going to be worth your while to study this in more depth. Because the OSSTMM is about an entirely different vision of security, one that costs less, works better and doesn’t put you in the hamster wheel. Those are good things.

* * *

“Frontline” looks at how 9-11 led to today’s NSA

The problem has always been the creeping assumption of powers. From the founding days of our country, that has been our defining issue.

Today’s NSA is the prime example our country has ever seen, but we haven’t seen the worst of it. Given how quickly we grant powers, and how reluctantly they are relinquished, we have got a fight on our hands.

People were concerned about the legality of the NSA’s actions from the beginning:

And he [Michael Hayden] says to the president, “But I’m worried about the legality of this.” And the president looks at him and says, “Don’t worry about it. We’re going to go forward with this. I’ve got lawyers working on this now and you don’t have to worry about the legality of this; I think I can do this on my own authority.”

Even the legal rationale was thin or nonexistent:

All they knew was that something had been signed by the president and the attorney general that authorized them to walk across the bright white lines that had been established by Congress in the 1970s. … It was and is, I think, the darkest-kept secret that the government has had in recent times.

And security professionals are particularly at risk, especially those who work within the NSA:

We tried for several years to do it [whistle-blowing] within the system and look what they did to us. Clearly Edward Snowden saw that and said, “That’s obviously not an option.” … And just to be a little more formal, there are no whistle-blower protections for any employee of the U.S. intelligence community. There [is] a modicum of protections for other government employees, but not inside the intelligence community.

Read the whole article and watch the video at:

* * *

Can we trust TOR, or any public VPN service?

So, you want to cruise the Internet anonymously. You need a good VPN. That means no user logins, no logging of your activity, no blocking of traffic – and no cooperation with the NSA.

TOR, famously, is NOT all these things. Thinking you are safe by using TOR alone is a sad mistake with big consequences. A VPN is a good layer to add, assuming you do it right, if there is a truly right way. One saying I’ve heard is, “VPN before TOR, cops at your door.” Presumably TOR before VPN, ain’t no one coming in?

Back in 2014 I found this list of VPN providers and their answers to some very pointed questions about the security, confidentiality and privacy they provide their users.

More recently (2015), Jock at directed me to a much-updated version of this article, using the blindingly clear Infographics style.

This issue hasn’t gotten any smaller over the past year; in fact, I’ve been analyzing confidential services, and finding that you’ll largely have to go to Switzerland to get them. Read the article and see just how “private” most services really are.

#encryption #hackerhighschool

* * *

Francis Bacon’s Bilateral Cypher: How to make anything signify anything

One of the contributors to Hacker Highschool has been turning me toward some very interesting examples of early cryptography. Have you ever heard of his bilateral (not binary) cypher?

This is one any student of security should read, particularly when you realize that the accompanying photograph of WWII soldiers is itself an encoded message!

Here’s a good explanation of the cypher:

And the Wikipedia page:
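Here is the cypher worked through in code, as an added example that is not part of the original post: each letter becomes a five-symbol a/b group from Bacon’s 24-letter table, and the a/b pattern is then carried by the letter case of an innocent cover sentence, which is the “anything signifies anything” trick. The end-of-message marker and the cover text are my own assumptions, not part of Bacon’s scheme.

```python
# Added example, not from the original post: Bacon's bilateral cipher.
# Each letter becomes a group of five 'a'/'b' symbols (Bacon's 24-letter
# alphabet: J shares I's code and V shares U's), and that a/b pattern is
# then carried by something innocent, here the letter case of a cover text.

LETTERS = "ABCDEFGHIKLMNOPQRSTUWXYZ"          # Bacon's original 24 letters
BACON_TABLE = {ch: format(i, "05b").replace("0", "a").replace("1", "b")
               for i, ch in enumerate(LETTERS)}  # A=aaaaa, B=aaaab, ... Z=babbb
REVERSE = {code: ch for ch, code in BACON_TABLE.items()}
END = "bbbbb"  # assumption: an unused group marks end of message (not Bacon's)

def to_bilateral(message: str) -> str:
    """Plaintext -> string of 'a'/'b' groups; non-letters are dropped."""
    folded = message.upper().replace("J", "I").replace("V", "U")
    return "".join(BACON_TABLE[ch] for ch in folded if ch in BACON_TABLE)

def from_bilateral(symbols: str) -> str:
    """String of 'a'/'b' symbols -> plaintext; stops at END or a bad group."""
    out = []
    for i in range(0, len(symbols) - 4, 5):
        group = symbols[i:i + 5]
        if group == END or group not in REVERSE:
            break
        out.append(REVERSE[group])
    return "".join(out)

def hide(message: str, cover: str) -> str:
    """Write the a/b pattern into cover's letter case: a = lower, b = UPPER."""
    pattern = to_bilateral(message) + END
    available = sum(c.isalpha() for c in cover)
    if available < len(pattern):
        raise ValueError(f"cover has {available} letters, need {len(pattern)}")
    symbols = iter(pattern)
    out = []
    for c in cover:
        if c.isalpha():
            out.append(c.upper() if next(symbols, "a") == "b" else c.lower())
        else:
            out.append(c)        # spaces and punctuation pass through unchanged
    return "".join(out)

def reveal(stego: str) -> str:
    """Read the case pattern back out of a cover text and decode it."""
    pattern = "".join("b" if c.isupper() else "a" for c in stego if c.isalpha())
    return from_bilateral(pattern)

if __name__ == "__main__":
    COVER = "the quick brown fox jumps over the lazy dog"   # constructed cover text
    stego = hide("FLY", COVER)
    print(stego, "->", reveal(stego))
```

The same two-state pattern could equally ride on two typefaces, as in Bacon’s own printing, or on the stances of the soldiers in the photograph mentioned above; the case-switching here just makes it easy to see.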

#cryptography #hackerhighschool

* * *