Disclaimer

You’ll probably see ads under and possibly incorporated into articles on this blog.

I don’t choose them and I don’t approve them: that’s the price I pay for not being able to afford to pay for all my blogs…

If lots of people suddenly start viewing this blog, I’ll find some money for this one. (I already pay for dharley.com and whealalice.com!) But I’m not expecting a sudden rush of visitors after all these years.

David Harley

Posted in Uncategorized

Most Recent Book: Pension Pensées: Confessions of a recovering dataholic

Being mostly the ravings of a former security internaut.

Book cover.

I make no claim at all to be a cartoonist (let alone any sort of real artist). However, some people seemed to like my cheesy little cartoons (mostly IT-related), idiotic photos, and cheap sarcastic commentary, so I thought that I should start putting some of these ramblings together in the same place.

That place was the Dataholics blog, and much of this book was originally based on that content. Ironically, though, many of the cartoons have now been abstracted for other projects.

I parted company with most of the security industry in 2019 (although the recent book Facebook: Sins & Insensitivities did place me back in that arena, though not as a professional). That is, I suppose, why the Dataholics site has seen less use since then, and why what content has been posted is less likely to have been related to IT security. On the other hand, much of it still has a connection to internet ephemera. Some of the content here comes from other blogs such as Parodies Regained, while some hasn’t previously been made public at all.

Posted in Uncategorized

New book: “Facebook: Sins & Insensitivities”

I’m amused to see that Amazon has excised the word ‘Facebook’ from the ordering details of the latest book. I’m not sure whether that’s because of corporate mistrust of competitors, nervousness because it isn’t complimentary about Meta, or just that I’ve breached some unwritten rule of titling. But at least the title survives on the book cover.

Available as Kindle eBook and as paperback.

“Sadly, while it would be entertaining (for me, but maybe less for you) to write a more academic book tracing the historical aspects and trends in Facebookland, that will have to wait. Here, my primary aim is to provide an overview of Facebook-related issues that will be of more use to the everyday Facebook user than to academics and security mavens. However, the links to articles in the Appendix, covering issues such as the Cambridge Analytica shambles, may be useful to researchers wanting to go deeper into those issues that I haven’t covered in an in-depth article here. (Or even that I have covered, but not in depth!)”

Posted in books, David Harley, Facebook

Antisocial Media and Critical National Infrastructure

[For some reason I posted this several months ago on my Dataholics blog, when this one might have been at least as obvious a place to put it. I haven’t anything new to say on the topic: I’m just putting it here for completeness.]

There was never much chance of my opening an account on Tik Tok (so you’ll have to look for my twerking videos elsewhere), so I don’t have strong personal feelings about it. That doesn’t mean I don’t have concerns about its data-gathering practices and its hotly-denied links with the Chinese government, of course. Are those concerns more profound than my concerns about Western social media? Not necessarily, but I’m not engaged enough with these matters nowadays to make comparisons between those concerns. In fact, if it were up to me, I’d advise anyone holding office in the government, security services, armed forces etc. to consider carefully the wisdom of engaging with any social media platform, though for most of us that genie escaped the bottle long ago. Clearly, there are risks in terms of personal data leakage, misinformation, social engineering and manipulation everywhere you look on the Internet, and many of those issues relate directly to groups in Russia and China, some with state sponsorship.

However, there have been other security concerns that date back to long before the launch of Douyin and Tik Tok. In 2011, I wrote on the ESET blog about issues relating to the buying-in of components ultimately sourced from China. Specifically, BT’s intention to buy network components from Huawei, and the US Navy’s purchase of 59,000 fake microchips ‘for use in systems “from missiles to transponders” ultimately sourced from China.’ Even further back, in 2009, I wrote:

I don’t have enough data to assess the seriousness of … an attack [on national systems via foreign-sourced components] in practical terms, but it seems unfortunate that “government departments, the intelligence services and the military” are apparently committed to the use of the new BT network if that network cedes significant potential control, even at component level, to a nation that clearly isn’t trusted at high levels of government.

I have to wonder how many elements of the UK’s Critical National Infrastructure (CNI) are labelled “made in China”. Not that I want to buy into the universal xenophobia that seems to dominate this story, but if you’re building or maintaining a CNI, don’t you try to keep it in-house, even if it costs more to buy from trusted sources?

I still don’t know the answer to the question in that second paragraph, and none of my former contacts (such as they were – my paygrade wasn’t particularly high) along the Corridors of Power are likely to have that exact information, let alone share it with me. The CNI is a wider network than you might think, incorporating not only obviously relevant sectors such as government and defence, but less obvious sectors such as health (hence my interest as a former NHS security professional), finance, food and even space. More information on the CNI Hub here.

Even worse, the Long March of technology (see what I did there?) means that components of components of components may fall under suspicion: tracking the provenance of every component on every potentially vulnerable site makes the sort of scanning for vulnerabilities some of us enjoyed at the turn of the millennium look about as daunting as going to the front door to check that it’s locked.

In October 2022, the UK government sent a designated vendor direction to 35 telecom providers requiring them, effectively, to remove Huawei technology from UK 5G public networks by the end of 2027. The requirement to ‘remove Huawei equipment from sites significant to national security by 28 January 2023’, given that communications are also a CNI sector, tells us that Huawei did indeed have a presence in CNI technology until less than two months ago. Call me cynical (many people have…) but I don’t think that delivery of that direction means that we’re all now safe from whatever the National Cyber Security Centre has been predicting. Nearer to home, the NCSC has published a basic explanation of the thinking behind their predictions and what it means for home and business users not directly engaged with the CNI.

Information in this post is made available by the UK government under version three of the Open Government Licence for public sector information.

And if you’re wondering what happened to the normal Dataholics dollop of cheap sarcasm, all that I can say is that sometimes political reality outdoes satire. Hopefully, normal service will be resumed shortly. On the blog, that is: I’m making no promises about political reality.

David Harley

Posted in social media

Maybe I should be certified… (revisited)

…or at least put in a home for retired security pundits where someone can make sure I take my medication on time, so that I stop pontificating about security issues even though no one is paying me to any more and I have lots of other writing projects demanding my attention. Still, after writing about Robert Slade’s work on preparing CISSP candidates for the exam they have to take as part of the qualification process, I found myself needing to revisit an article I wrote when I originally abandoned my subscriptions to the two organizations that enabled me to add three extra initialisms to my signature.

The article noted the official end of an era, though it was a very minor ripple on the surface of the Sea of Security. As of the end of August 2014, I was no longer entitled to put the initialisms CISSP, FBCS, or CITP in my signature. (In fact, I hadn’t been using those manifestations of alphabetti for quite a while before, in anticipation of that day. Or, more precisely, the 31st August.)

There’s nothing sinister about this: I hadn’t been drummed out of (ISC)2 or the BCS Institute for conduct unbefitting a computer security guru: I was simply dropping my annual subscriptions to those organizations. I was and still am in sympathy with the general aims and ethics of both organizations. There are many otherwise rational people in the security business who are dismissive of any form of certification that results in an artificially lengthened signature, but I’m not one of them. These particular initialisms acknowledge many years of working to improve the security of the organizations for which I’ve worked since 1986 and the community as a whole: I’m honoured by that recognition of whatever I may have achieved in that time, and refuse to be ashamed of having been entitled to use them. So why was I letting them go?

First, let me save you anxiously searching the web for an explanation of all those initialisms:

  • CISSP = Certified Information Systems Security Professional: a certification awarded by (ISC)2 (formerly the International Information Systems Security Certification Consortium) to security professionals who meet the required criteria in terms of knowledge (as tested by a lengthy exam), relevant experience (at least 5 years), compliance with the (ISC)2 code of ethics, endorsement by a member in good standing, and maintenance of your own good standing by earning at least 20 CPE (Continuing Professional Education) credits each year and keeping up to date with the subscription fee.
  • FBCS = Fellow of the BCS Institute (formerly the British Computing Society): to quote the Institute’s own criteria, Fellows “demonstrate leadership in the profession by influencing significant numbers of professionals and/or others to achieve common goals, understanding or views within the IT profession.” So maybe all those books do count for something, even if they didn’t benefit my bank balance much.
  • CITP = Chartered IT Professional: I was actually grandfathered into this certification, also awarded by the BCS Institute, because I met the requirements for acceptance as a Fellow. I’m not sure if BCS still does that: the normal CITP process is quite stringent, and has in fact been made more demanding in recent years.

So, to answer the question “why was I dropping my subscriptions?”, I first have to make a confession. I didn’t maintain those subscriptions out of some purely altruistic desire to further the aims of (ISC)2 and the BCS, though of course I’m happy that my money went towards the attainment of goals that I’m generally in sympathy with. But – shock! horror! – my primary aim was to demonstrate that I had certifiable skills and acknowledged achievements that gave me credibility in the eyes of my peers and enhanced value in the job market. Like most people, even the good people who run (ISC)2 and the BCS (not to mention other organizations like ISACA and SANS), I had to make a living, though I’m fortunate in that I was able to do so by doing work that I enjoyed and (I like to think) for which I have – or at least had – some ability. Over the last year of my subscription, I made a cost/benefit analysis (as all CISSPs are taught to do!), and while the cost of those subscriptions wasn’t high, the benefits (to me personally) were not what they were:

  • I was already past the age where I could, if I chose, have been drawing my state pension. When either ESET – where I still held the title Senior Research Fellow – or I chose to terminate our current arrangement, it was unlikely that I’d look for another job. (I didn’t!) If I had, it probably wouldn’t have been in security. And if it had been in security, it certainly wouldn’t be the sort of managerial role where being a CISSP is often sine qua non.
  • I hadn’t been seriously engaging with BCS for some time, at any rate not at the level where being a Fellow mattered. And I didn’t see myself as a candidate for the sort of academic milieu where being FBCS might carry weight.
  • I no longer found it amusing to flaunt my alphabetti on those lists where it’s assumed that anyone with the letters CISSP after their name must be either a cheat or an idiot with delusions of grandeur and competence. Or, according to one person who commented on one of my articles for ESET, as compensation for underdeveloped genitalia. I can’t imagine how he knew. 😉
  • I actually have certifications that don’t entitle me to a string of acronyms or initialisms. Not that I was ever likely to look for work as a security auditor (for instance) at this stage, but it was time to relegate all this stuff to my c.v., which I haven’t needed for a long time now and don’t anticipate needing much in the future. And Wikipedia, maybe. 🙂

So from then on, I had to stand or fall by the quality (or lack of it) of my published work. But then, most of the time, I always did. And if I feel the need to expand my signature, I’ll have to fall back on my humble BA. (Now that’s a qualification I am proud of, having completed it under stressful circumstances: that is, as a new parent with a full-time job.)

I probably won’t return to the topic of certifications, though I addressed it at some length in a chapter in the AVIEN Guide.

David Harley

Posted in Uncategorized

Robert Slade – help with studying for CISSP

I dropped my subscriptions to (ISC)2 and the BCS Institute some years before I retired from the security industry. Not because I have the traditional hacker’s hatred of formal qualifications, but because I knew that when ESET and I parted company I wouldn’t be looking for work in security again, and if I did, I wouldn’t be interested in the sort of administrative role where certifications like CISSP (Certified Information Systems Security Professional) are often sine qua non.

Nonetheless, I still feel that (ISC)2 does a darn good job of giving IT security professionals the opportunity to demonstrate their competence by meeting the strict criteria necessary to put the letters CISSP (among others) after their name, and I haven’t forgotten how demanding the exam was!

I actually went that route for two main reasons: one was the fact that when I was in the later stages of my security work for the UK’s National Health Service, I was given the opportunity to be sponsored for CISSP certification*, and I knew that it was likely to help me find another job in the same area. (As it happens, I eventually found myself working in the much more specialized antimalware industry as a consultant for ESET, but I certainly don’t regret taking the opportunity to refresh and extend my knowledge far beyond the borders of malware, which had already become one of my specialities. I don’t think that it did ESET any harm that I was able to write on their behalf with some pretence of authority about a wide range of issues, either.)

The other factor was that I was already well acquainted with the work of Robert Slade, my longtime friend and sometime co-author on Viruses Revealed, who has done a great deal of work for (ISC)2 and had certainly made me aware of the advantages of qualifying as a CISSP.

While Rob is, as he puts it, “ostensibly retired” (after nearly four years, I too still find myself unable to stop writing about security altogether!), he’s in the process of making available some vital information that any CISSP candidate will surely appreciate in the form of bitesize videos. As well as providing links for all that information (and other sources), he’s also summarized the reasons why a security professional should consider CISSP certification in a hugely useful blog article here: CISSP seminar (free!)

Highly recommended.

David Harley

*As it happens, I also got the opportunity to qualify as a BS7799 auditor, but I never actually made use of that qualification. Still, I used to be able to sound as if I knew something about it. 🙂

Posted in (ISC)2, BCS Institute

Article for AV-Comparatives

While I stopped working with ESET at the end of 2018, I didn’t entirely abandon the security industry: I’ve responded to the occasional request for an interview, including this one on Who owns social media?, and I did quite a lot of work on the English translation of this book by Eddy Willems (I might still be tempted by other authoring/reviewing/editing projects). And I’m still playing with the idea of a book on anti-malware product testing.

Meanwhile, here’s an article I wrote recently for the AV-Comparatives blog. Spotlight on security: The Curse of the False Positive. Well, product testing was part of my job description long before I joined the antivirus industry (as we still often called it at that time), so it’s not quite a case of crossing over to the Dark Side. As a matter of fact, I’ve always had a good relationship with the guys at AV-Comparatives. And I have one or two other articles in process.

David Harley

Posted in articles

Book by Eddy Willems

This is Cyberdanger, an updated edition of a book previously published in Dutch and German. I contributed some material, did some general/technical editing, and also did some of the translation. You can find out more on Springer’s site here. That’s actually the UK page, but you can change the page to suit whichever part of the world you live in. I have no idea why it’s apparently more expensive to buy a single chapter than it is to buy the whole book as eBook or hardback, but I’ll see if I can find out. 🙂 Interesting sales strategy.

I’m not sure if this is the last security book I’ll work on, though. I still have the urge to write something about product testing.

David Harley

Posted in David Harley

Who owns social media?

In spite of the fact that I have very little connection with the security business at this point, I was asked for my opinion regarding the topic of deleting your content on social media.

I tend to think that the safest way of looking after sensitive data is to avoid posting it in the first place, and that’s pretty much what I said, though at greater length and in more detail. However, the final article, now published, is actually pretty good, and while it does include my comments, it also covers a wider range of opinion.

Worth reading…

David Harley

Posted in articles, David Harley

End of an era

As of 1st January 2018, I’m no longer working with ESET, so my connection with the information security business is now stretched pretty thin: in fact, I’ve reverted to a previous life as a musician, though there are a few security-related jobs still to be completed, and at least one of those will be flagged here when it’s publicly available.

On the other hand, I can still be tempted by further one-off authoring/editing/reviewing jobs, especially if related to security. 🙂

There’s a contact form here if you feel like tempting me. 😉

David Harley

Posted in Uncategorized