Wednesday, April 21, 2021

Episode #45 Dolla Dolla Bill Y'all


Money!! It makes the world go round, we need it, we want it, and when it comes to money for our security program we fight for it, but are we spending it wisely?

  • Will it have the impact on our security program we hoped it would?
  • Did we spend too much or not enough?
  • How much money is enough?
  • What the hell should I be spending it on that will make the biggest impact?

Is it wiser to invest in your people and the fundamentals or to invest in state-of-the-art laser cats with predictive AI powers? What is the right level of budget for your organization, and how will you show improvements to the organizational security posture against the spend on the security program?

Vendors love money, and the love of money is the root of all evil.

  • How do you know if your vendor is predatory?
  • Does the product or service do what they claim?
  • Will you need to increase headcount to accommodate the tool or service?
  • Could you get a better deal on this tool or service?
  • Do I even need this tool in my portfolio or is there an existing tool that I can leverage better?

All this and more, on the Security Shit Show. Join Chris Roberts, Evan Francen and myself for what should be a very lively discussion.

Ryan Cloutier

Thursday, April 15, 2021

Episode #44 - Am I Crazy?

What the hell is going on?! It feels like the world has lost its mind. Everywhere I look (out there), it's chaos.

  • Hypocrisy running rampant.
  • Virtue signaling is a "thing", gotta score those popularity points.
  • Cancel culture? This is a thing now, maybe, maybe not?
  • Politicians preach nonsense, openly lying and manipulating.
  • Big societal problems left unsolved, with no (unbiased) solutions.
  • Black kids shot (accidental or not, the result is the same) on the streets.
  • Cities burning, and we're burning them.
  • People hurting (deeply), and we're not helping them.
  • Vaccinate! Wait, maybe not. If you do, maybe you'll die?
  • Accountability, what the hell is that?
  • On, and on.

The bath water is dirty. Who cares about the baby.

People spew shit out of their mouths that doesn't make any sense. Nobody speaks up. Worse yet, yahoos sell their souls to support bullshit, because it's better to be in the "in" crowd. Who the hell is the "in" crowd anyway?

This shit IS NOT computing. 

Not in this brain anyway. Everyone's lost their minds! Not "everyone" everyone, but everyone out there.


It clicks. Didn't my Dad say something about this once?

Son, if everyone's an asshole, you're the asshole.

So, does this mean, if everyone's crazy, I'm the one who's crazy?!

Dammit! Now, I have some reflection to do. The journey down the rabbit hole begins...

What does this have to do with information security?



The hypocrites, the virtue signalers, the cancellers, the politicians, the "illegals", the Blacks, the Whites, the Hispanics, the people who live in our cities, the people who live in our suburbs, the people who are hurting, the people who vaccinate, the people who don't vaccinate, the Liberals, the Conservatives, and everyone in between, is ALSO my co-worker, my relative, my partner, my customer, my friend, my employee, and my fellow human being.

I may run in my circles, just like you run in yours, but my job is to protect EVERYONE, regardless of who you are, where you come from, what you believe, or what you're struggling with. Knowing that information security isn't about information or security as much as it is about people, makes people my focus. Not just the people I like and agree with.

This is deep, but sometimes we have to dig deep to find out who we really are and what we're really doing here.

Looking forward to talking this shit out with my AWESOME friends, Ryan Cloutier and Chris Roberts! Catch us this week LIVE at 10pm/2200 CDT on the YouTube

(and yes, I am crazy, but a functional crazy)

Thursday, April 8, 2021

Episode #43 - Killed My Grandma (updated for primetime)...

NOTE: #ShitShow topic, NOT my Grandma in Real Life, before anyone gets worried!

Annually, there are anywhere from 22,000 to 250,000 cases of death in the medical field that really should NOT have happened.

Firstly, I'm glad the medical field has as many problems as we do in counting how many people they've harmed. InfoSec has no REAL idea as to the implications of our actions beyond "Hey, Look! More data's out there..." At least in the medical field there's bodies to count.

The question then is how do you categorize death? If they were sick before they came to the hospital, does that count as malpractice, or "accelerated natural causes"? You get the idea. It's apparently rather subjective...

These two fields are coming together in something akin to a collision course on a planet-sized scale.

Technology in/on/around the body (smart pills, nanotechnology, biotechnology, telemedicine, etc.) is making serious inroads into "us" the human. Analog humans are becoming part OF the digital realm.

We need a LOT more forethought before medical malpractice adds another tick box called "CAUSE OF DEATH... Kernel Panic".

So, join Ryan Cloutier, Evan Francen and the crew tonight on the Shit Show to discuss...

'all for now


Thursday, April 1, 2021

Episode #42 - The Joke's On You


The advertising in the InfoSec industry is laughable to say the least and may be breaking the law with the outlandish claims security vendors make.

We poke fun at those companies who have data breaches, but to the outside world our whole industry looks like a big joke.

Passwordless authentication sounds great, but wait, is the joke on you?
How about 100% secure? This also sounds great, but again, is the joke on you?

You just got rickrolled... OK, well, that's just funny, but seriously, we seem to be living in a bad joke when it comes to how we address information/cyber security.

Then we have the end users who just treat the whole idea of security as a joke. But wait! This is no laughing matter. We must start our journey of transparency and accountability before we laugh ourselves off a cliff.

Let’s talk about what we can do to avoid being the butt of the joke, and have a few laughs along the way.

Join us tonight, LIVE at 2200 CDT.

Thursday, March 25, 2021

Episode #41 - Security Shit Show Jeopardy!

You think you know your shit?

Want to prove it? Now's your chance.

We're doing our first episode of Security Shit Show Jeopardy!

Here's what tonight's episode looks like:

  • I'm (Evan) going to be the Security Shit Show version of Alex Trebek, meaning I'll be the game show host. Nobody can do Alex Trebek justice because he was a truly unique, one of a kind, human being.
  • We're going to choose three contestants from our audience. We'll choose contestants by posting a question in the Security Shit Show chat. The first three people to answer correctly will become our contestants.
  • We'll invite the contestants to join us in our private web conference (where Chris, Ryan, and I do our shit) and ask them to tell us a little about themselves.
  • Then we'll play the first game of Security Shit Show Jeopardy (you know, the way they play it on the television).
  • While I'm playing host, Chris and Ryan will heckle. We might talk some smack about the clue and/or answer too.
  • The winner of the first game becomes our champion. The champion plays on, the losers sit.
  • Then we'll do it all over again, game number two.

Champions get a Security Shit Show shirt and their name listed on the Security Shit Show Jeopardy Cham Peons Board.

Why are we doing this?

Because it's Thursday fucking night, and I want to have fun. This WILL BE FUN dammit! If it's not fun, it's because YOU'RE not fun. Blame yourself.

If there are technical issues related to the game...

WTF am I talking about? There won't be any issues! 

Let's get on with it...

Join us tonight, LIVE at 2200 CDT. Bring your thinking cap if you intend to play. Bring your drink(s) if you plan to be entertained (or to play I guess). See you there!

Thursday, March 18, 2021

Episode #40 - Simplify, then add lightness…

The late Colin Chapman, founder of Lotus, eschewed the pursuit of horsepower in favor of lightness combined with better handling across his road and race vehicles.

That courage to buck the trend resulted in numerous accolades on both sides of the Atlantic.

It is that ethos our industry should once again embrace.

The interfaces, the barriers to entry, the integration, deployment and overall management of the plethora of technology we eagerly buy, deploy, and then complain about.

Adding power is great if you are going in a straight line, however, leave the power alone, remove the complexity, and unnecessary features (the rule of 90%) and reduce the amount of time you have to fettle over the technology.

  • How well do your tools integrate?
  • How much unnecessary overlap do you have?
  • How much of that tool do you REALLY use?
  • How many hands does it take to run?
  • Do you maintain it?
  • Etc.

Start measuring vendors, technologies and PEOPLE by how well they help you simplify; then that should add some lightness across the board.

Join Evan Francen, Ryan Cloutier, Rachel Arnold and me as we unpack this tonight on the Shit Show.

‘all for now

Thursday, March 4, 2021

Episode #38 - The Tool Fool

A fool is a person who acts unwisely or imprudently. A Tool Fool is someone who unwisely or imprudently loves tools. They don’t necessarily love the tools they have; they just love tools. The more tools, the better. 

Don’t be offended. We’re all fools from time to time. When it comes to our information security, we do the best we know how. We don’t intentionally act the fool, but when it comes to our tools, too many of us are the fool. 

Don’t be the Tool Fool!

Here’s the top 10 things about the Tool Fool:

  1. Brags about their tools, but they don’t know how to use them.
  2. Brags about a big budget, but they can’t justify it.
  3. Thinks “tool first” instead of a “needs first”.
  4. Thinks tools fix process.
  5. Thinks tools makes problems easier to solve.
  6. Likes easy but confuses “easy” with “simple”.
  7. Has tools they don’t know they have.
  8. Advocates for tools because fools like company.
  9. Oblivious to their most significant risks.
  10. Knows how to use some of their tools but won’t use them well*.

The Tool Fool costs the organization more than they know. Tool Fools waste money on tools they don’t need, don’t understand, and/or can’t use. The Tool Fool can convince themselves that their tools will keep them secure when the opposite is true. Worst yet, the Tool Fool’s work has convinced management of the same.

The Tool Fool has a false sense of security. The Tool Fool makes security worse.

The Tool Fool will be the topic for this Thursday’s Security Shit Show with Chris, Evan, and Ryan. Be sure to catch the show LIVE on YouTube at 10pm/2200 CST!

*This is relevant to a dialog between Senator Wyden (D-OR) and witnesses (Kevin Mandia, Sudhakar Ramakrishna, Brad Smith, and George Kurtz) in the recent open hearing, “Hearing on the Hack of U.S. Networks by a Foreign Adversary” before the U.S. Senate Intelligence Committee (2/23). This particular exchange happens at 1:22:08 in the recording here, and has been transcribed here.
