Takeaways from Bruce Schneier’s talk: “Security and Privacy in a Hyper-connected World”

Bruce Schneier is one of my favorite speakers when it comes to the topic of all things security. His talk from IBM Interconnect 2017, “Security and Privacy in a Hyper-connected World”, covered a wide range of security concerns. There were plenty of great quotes from the talk (scroll to the end for those) and I will summarize the main takeaways in this post.

People, process, and technology

Bruce hits this topic a lot and for good reason: a weak link in any of the three could lead to a breach and a loss of data. He talked about the concept of security as a product and a process. Security is part of every product we consume. Whether it’s the safety of the food that makes it into our homes or the new internet-connected thermostat on the wall, security is part of the product. The companies that sell these products have a wide variety of strategies for managing security issues. Vulnerabilities in an internet-connected teapot are not worth much since there isn’t a lot of value there. It’s probably safe to assume that a teapot will have many more vulnerabilities than your average Apple or Android mobile device. Vulnerabilities in those devices are extremely valuable because the data we carry on those devices is valuable.

Certainty vs. uncertainty

The talk moved into incident response and how to be successful when the worst happens. Automation only works when there’s a high degree of certainty in the situation. If there are variables that can be plugged into an algorithm and a result comes out the other end, automation is fantastic. Bruce recommended using orchestration when tackling uncertain situations, such as security incident responses. Orchestration involves people following processes and using technology where it makes sense. He talked about going through TSA checkpoints where metal detectors and x-ray scanners essentially run the show. Humans are around when these pieces of technology detect a problem. If you put a weapon into your carry-on, the x-ray scanner will notify a human and that human can take an appropriate response to escalate the problem. If a regular passenger has a firearm in a carry-on bag, the police should be alerted. If an Air Marshal has one, then the situation is handled entirely differently - by a human. One other aspect he noted was around the uncertainty surrounding our data. Our control over our data, and our control over the systems that hold our data, is decreasing. Bruce remarked that he has more control over what his laptop does than his thermostat.

OODA loop

Bruce raised awareness around the OODA loop and its value when dealing with security incidents. Savvy readers will remember that the OODA loop was the crux of my “Be an inspiration, not an impostor” talk about impostor syndrome. His point was that the OODA loop is a great way to structure a response during a stressful situation. When the orchestration works well, the defenders can complete an OODA loop faster than their adversaries can. When it works really well, the defenders can find ways to disrupt the adversaries' OODA loops and thwart the attack. ...

2017-03-22 · 3 min · Major Hayden

Why should students learn to write code?

There are lots of efforts underway to get students (young and old) to learn to write code. There are far-reaching efforts, like the Hour of Code, and plenty of smaller, more focused projects, such as the Design and Technology Academy (part of Northeast ISD here in San Antonio, Texas). These are excellent programs that enrich the education of many students. I often hear a question from various people about these programs:...

2016-10-11 · 5 min · Major Hayden

Preventing critical services from deploying on the same OpenStack host

OpenStack’s compute service, nova, manages all of the virtual machines within an OpenStack cloud. When you ask nova to build an instance, or a group of instances, nova’s scheduler system determines which hypervisors should run each instance. The scheduler uses filters to figure out where each instance belongs. However, there are situations where the scheduler might put more than one of your instances on the same host, especially when resources are constrained....

2016-08-09 · 3 min · Major Hayden

Talk recap: The friendship of OpenStack and Ansible

The 2016 Red Hat Summit is underway in San Francisco this week and I delivered a talk with Robyn Bergeron earlier today. Our talk, When flexibility met simplicity: The friendship of OpenStack and Ansible, explained how Ansible can reduce the complexity of OpenStack environments without sacrificing the flexibility that private clouds offer. The talk started at the same time as lunch began and the Partner Pavilion first opened, so we had some stiff competition for attendees' attention....

2016-06-29 · 3 min · Major Hayden

Troubleshooting OpenStack network connectivity

NOTE: This post is a work in progress. If you find something that I missed, feel free to leave a comment. I’ve made plenty of silly mistakes, but I’m sure I’ll make a few more. :) Completing a deployment of an OpenStack cloud is an amazing feeling. There is so much automation and power at your fingertips as soon as you’re finished. However, the mood quickly turns sour when you create that first instance and it never responds to pings....

2016-05-17 · 6 min · Major Hayden

Lessons learned: Five years of colocation

Back in 2011, I decided to try out a new method for hosting my websites and other applications: colocation. Before that, I used shared hosting, VPS providers (“cloud” wasn’t a popular thing back then), and dedicated servers. Each had their drawbacks in different areas. Some didn’t perform well, some couldn’t recover from failure well, and some were terribly time consuming to maintain. This post will explain why I decided to try colocation and will hopefully help you avoid some of my mistakes....

2016-04-22 · 10 min · Major Hayden

Fight cynicism with curiosity

I’m always interested to talk to college students about technology and business in general. They have amazing ideas and they don’t place any limits on themselves. In particular, their curiosity is limitless.

A great question

I joined several other local employers at the University of Texas at San Antonio last week for mock interviews with computer science students. We went through plenty of sample questions and gave feedback to the students on their content and delivery during the mock interviews....

2016-02-17 · 4 min · Major Hayden

Nobody is using your software project. Now what?

Working with open source software is an amazing experience. The collaborative process around creation, refinement, and even maintenance, drives more developers to work on open source software more often. However, every developer finds themselves writing code that very few people actually use. For some developers, this can be really bothersome. You offer your code up to the world only to find that the world is much less interested than you expected....

2016-01-15 · 5 min · Major Hayden

Talking to college students about information security

I was recently asked to talk to Computer Information Systems students at the University of the Incarnate Word here in San Antonio about information security in the business world. The students are learning plenty of the technical parts of information security and the complexity that comes from dealing with complicated computer networks. As we all know, it’s the non-technical things that are often the most important in those tough situations....

2015-11-10 · 7 min · Major Hayden

Impostor syndrome talk: FAQs and follow-ups

I’ve had a great time talking to people about my “Be an inspiration, not an impostor” talk that I delivered in August. I spoke to audiences at Fedora Flock 2015, Texas Linux Fest, and at Rackspace. The biggest lesson I learned is that delivering talks is exhausting!

Frequently Asked Questions

Someone asked a good one at Fedora Flock: How do you deal with situations where you are an impostor for a reason you can’t change?...

2015-09-02 · 6 min · Major Hayden