You can't weigh risk if you don't know what you don't know

There is an old saying we’ve all heard at some point. It’s often attributed to Donald Rumsfeld: “There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know.” If any of us have ever been in a planning meeting, a variant of this has no doubt come up at some point. It came up for me last week, and every time I hear it I think about all the things we don’t know we don’t know. If you’re not familiar with the concept, it works a bit like this. I know I don’t know how to drive a boat. But because I know I don’t know this, I could learn. If you know you lack certain knowledge, you can find a way to learn it. If you don’t know what you don’t know, there is nothing you can do about it. The future is often an unknown unknown. There is nothing we can do about the future in many instances; you just have to wait until it becomes a known, and hope it won’t be anything too horrible. There can also be blindness when you think you know something, but you really don’t. This is when people tend to stop listening to the actual experts because they think they are an expert. ...

September 6, 2016

How do we explain email to an "expert"?

This has been a pretty wild week, more wild than usual I think we can all agree. The topic I found the most interesting wasn’t about one of the countless 0day flaws; it was a story from Slate titled “In Praise of the Private Email Server”. The TL;DR says running your own email server is a great idea. Almost everyone came out proclaiming it a terrible idea. I agree it’s a terrible idea, but this also got me thinking. How do you explain this to someone who doesn’t really understand what’s going on? ...

August 29, 2016

The cost of mentoring, or why we need heroes

Earlier this week I had a chat with David A. Wheeler about mentoring. The conversation was fascinating and covered many things, but the topic of mentoring really got me thinking. David pointed out that nobody will mentor if they’re not getting paid. My first thought was that it can’t be true! But upon reflection, I’m pretty sure it is. I can’t think of anyone I mentored where a paycheck wasn’t involved. There are people in the community I’ve given advice to, sometimes for an extended period of time, but I would hesitate to claim I was a mentor. Now I think just equating this to a paycheck would be incorrect and inaccurate. There are plenty of mentors in other organizations that aren’t necessarily getting a paycheck, but I would say they’re getting paid in some sense of the word. If you’re working with at-risk youth, for example, you may not get paid money, but you do have satisfaction in knowing you’re making a difference in someone’s life. If you mentor kids as part of a sports team, you’re doing it because you’re getting value out of the relationship. If you’re not getting value, you’re going to quit. ...

August 21, 2016

Can't Trust This!

Last week saw a really interesting bug in TCP come to light. CVE-2016-5696 describes an issue in the way Linux deals with challenge ACKs defined in RFC 5961. The issue itself is really clever and interesting. It’s not exactly new, but given the research was presented at USENIX, it suddenly got more attention from the press. The researchers showed themselves injecting data into a standard HTTP connection, which is easy to understand and terrifying to most people. Generally speaking we operate in a world where TCP connections are mostly trustworthy. It’s not true if you have a “man in the middle”, but with this bug you don’t need a MiTM if you’re using a public network, which is horrifying. ...

August 15, 2016

We're figuring out the security problem (finally)

If you attended Black Hat last week, the single biggest message I kept hearing over and over again is that what we do today in the security industry isn’t working. They say the first step is admitting you have a problem (and we have a big one). Of course it’s easy to proclaim this; if you just look at the numbers it’s pretty clear. The numbers haven’t really ever been in our favor though; we’ve mostly ignored them in the past. I think we’re taking real looks at them now. ...

August 8, 2016

Everyone has been hacked

Unless you live in a cave (if you do, I’m pretty jealous) you’ve heard about all the political hacking going on. I don’t like to take sides, so let’s put aside who is right or wrong and use it as a lesson in thinking about how we have to operate in what is the new world. In the past, there were ways to communicate that one could be relatively certain were secure and/or private. Long ago you didn’t write everything down. There was a lot of verbal communication. When things were written down there was generally only one copy. Making copies of things was hard. Recording communications was hard. Even viewing or hearing many of these conversations if you weren’t supposed to was hard. None of this is true anymore, and it hasn’t been true for a long time, yet we still act like what we do is just fine. ...

August 1, 2016

Using a HooToo Nano as a magic VPN box

I’ve been getting myself ready for Blackhat. If you’re going you know this conference isn’t like most. You don’t bring your normal gear with you. You turn the tinfoil hat knob up to an 11, then keep turning it until it breaks off. I did do one thing that’s pretty clever this year though, and I have no doubt it could be useful for someone else putting together an overengineered tinfoil hat security rig. ...

July 18, 2016

Entry level AI

I was listening to the podcast Security Weekly and the topic of using AI for security work came up. This got me thinking about how most people make their way into security and what something like AI might mean for the industry. In virtually every industry you start out doing some sort of horrible job nobody else wants to do, but you have to start there because it’s the place you start to learn the skills you need for more exciting and interesting work. Nobody wants to go over yesterday’s security event log, but somebody does it. ...

July 11, 2016

But I have work to do!

There’s a news story going around that talks about how horrible computer security tends to be in hospitals. This probably doesn’t surprise anyone who works in the security industry: security is often something that gets in the way, not something that helps get work done. There are two really important lessons we should take away from this. The first is that a doctor or nurse isn’t a security expert, doesn’t want to be a security expert, and shouldn’t be a security expert. Their job is helping sick people. We want them helping sick people, especially if we’re the people who are sick. The second is that when security gets in the way, security loses. Security should lose when it gets in the way; we’ve been winning far too often and it’s critically damaged the industry. ...

July 5, 2016

The future of security

The Red Hat Summit is happening this week in San Francisco. It’s a big deal if you’re part of the Red Hat universe, which I am. I’m giving the Red Hat security roadmap talk this year. The topic has me thinking about the future of security quite a lot. It’s easy to think about this in the context of an organization like Red Hat: we have a lot of resources, and there are a lot of really interesting things happening, everything from container security, to operating system security, to middleware security. My talk will end up on YouTube at some point, and I’ll link to it, but I also keep thinking about the bigger picture. Where will security be in the next 5, 10, 15 years? ...

June 27, 2016