Writing in 1989, moral philosopher Sissela Bok tells us:

Imagine a society, no matter how ideal in other respects, where word and gesture could never be counted upon. Questions asked, answers given, information exchanged—all would be worthless. Were all statements randomly truthful or deceptive, action and choice would be undermined from the outset. There must be a minimal degree of trust in communication for language and action to be more than stabs in the dark. This is why some level of truthfulness has always been seen as essential to human society, no matter how deficient the observance of other moral principles. Even the devils themselves, as Samuel Johnson said, do not lie to one another, since the society of Hell could not subsist without truth any more than others.

When I look at my screen 30 years later, I see this effect -this collapse- all the time. And the only one I’m comfortable as a moral agent talking about is Baby Getting Cheesed.

Last Saturday I had a moment of pause, so I looked at my screen. The screen showed me an adult person taking a slice of yellow cheese and tossing it on a surprised baby’s face. It made a wet plop sound as it stuck to the startled baby’s face. The video ended.

I didn’t feel upset or outraged by the act itself. It was, in a way, cute and tugged my dad heart-strings. I remember my son at that age. I wouldn’t have tossed a cheese slice on his face, but I played little games with him, like pretending I’d eat his foot, just so I could get a laugh or smile out of him. The cheese slice on baby face schtick was odd, but it was also endearing in a way.

What bothered me most about the baby getting cheesed was that someone -or perhaps the algorithm itself- had decided to put it on my screen. To get me to consume it. To please me and get me to share it. I realized instantly why the baby getting cheesed had upset me: I was staring a moral hazard in the face.

In general, tossing cheese slices onto the faces of babies is a Bad Thing. It’s not something you or I, as moral adults, would encourage. It’s not something we’d do in our own homes. It’s not something we’d do to our friends’ children, our grandchildren, our niece or nephew. It’s not something any baby care book would recommend. You’d be hard-pressed to find a parenting or caregiver expert to tell you that throwing a cheese slice on a baby’s face was a Good Thing To Do. Yet here I was, looking at my screen, reading a piece that voiced great hilarity and mirth at the baby getting cheesed. The video had been viewed 8 million times, and dozens of copy-cat videos had been made, the writer told me. Most replicas were made by parents. Like me. The whole thing had gone viral, in the words of the privatized commons.

That horrified me. So I asked myself why baby getting cheesed had gone viral.

I’m no behavioral scientist; my credentials in science, law, and/or sociology are pitiful. What I do know a lot about is how people use technology, and what might motivate the ways they use it. And I know how to use my sense of morality in public and private spaces.

Knowing that most people, in the privacy of their homes or out in public with their child, would elect not to throw cheese on their babies’ faces, or celebrate that others had done so, I realized that the behavior I was seeing on my screen was being induced by something. Encouraged by an unseen hand. By some perverse economic logic at work there, in my screen.

It was being encouraged by the app itself. In my case, that app was Twitter. But it doesn’t really matter. All the apps encourage sharing. They live and die by what we share. And they reward us for sharing. In Twitter’s case, the reward is a value-less form of currency: a like, or a retweet, or maybe a reply. All of these things are bundled up and re-named from what they were (verbs signifying operation-actions on an item of information) into something new: engagement.

Engagement is the coin of the realm of our screens. It’s the engine celebrated by the bit-tycoons and those who write about them for a living. It’s the core economic logic in our screens. To keep us engaged. To further that engagement. To take more of our attention. To ✨razzle dazzle us with pleasing animations and unique experiences.

And also, to get us to do things we wouldn’t normally do. 

Notice the deception therein. As people, as normal moral beings in a real physical place, we’d probably not cheese the baby’s face, and, more than that, we’d also probably condemn or shun others who did so. We sure as hell would not yield to a corporation asking us to throw cheese on our baby’s face, film it, and then put it on screens all over the world.

But in the deceptive hall of mirrors that is social, -where sharing is effortless and the twin to the moral hazards it produces- we do exactly that. In the real world, we grab a slice of yellow cheese from the fridge, and toss it on the baby’s face, then upload the video. For nothing and no reason at all except to accrue a meaningless currency.

To top it all off, the original cheese video -supposedly posted by a brother of the baby- was itself a deception. It had been downloaded and stolen from Facebook. Again: why? To perform. To steal a little authenticity for the purpose of accruing likes.

I think we’re in dangerous territory here. My sense is that this un-virtuous cycle could devolve very quickly into chaos. We’re seeing more and more bad actors utilize these exploitative software systems to amplify -and indeed induce- bad behavior. The same thing happened with the Momo hoax, which is now no longer a hoax, but a very real self-harm thing frightening parents of 3rd graders at my kid’s school. These patterns seem to me similar to the ones that preceded violence in Myanmar and India. And that’s frightening.

Most importantly, we can’t depend on any of these apps to regulate or modify the inducement logic behind the behavior their users exhibit. The app makers benefit from inducing certain behaviors in us. We should have learned that lesson as far back as 2016. We should have learned it in 2017 and 2018, especially after violence took people’s lives in Myanmar. But app makers have no interest in fixing this, and there’s no reason to trust them to fix this as they’ve let us down so many times already. We’ve seen the app makers spread lies, apologize for consequences and yet engagement keeps rising. They have no incentive to fix this; in fact, engagement forces the opposite logic on these businesses. Don’t fix it. Let it spread. We’re making money, so who cares?

Bok, writing with moral clarity and force, warns us again:

A society, then, whose members were unable to distinguish truthful messages from deceptive ones, would collapse. But even before such a general collapse, individual choice and survival would be imperiled. The search for food and shelter could depend on no expectations from others. A warning that a well was poisoned or a plea for help in an accident would come to be ignored unless independent confirmation could be found. All our choices depend on our estimates of what is the case; these estimates must in turn often rely on information from others. Lies distort this information and therefore our situation as we perceive it, as well as our choices. A lie, in Hartmann’s words, “injures the deceived person in his life; it leads him astray.”


Check out this sentence. I’ll reveal who wrote it later:

…the American West had been the most fertile field for technical innovation…California engineers exported their technology to the rest of the world and improved on that which they imported from everywhere else.

Interesting sentence, right? The author is making the point that California, particularly the Bay Area in this case, is a hub of technical innovation and engineering prowess.

And indeed it is. I mean just look all around us. Silicon Valley companies dominate the world. Three of the top five technology companies (Google, Facebook, Apple) are headquartered there, and the other two, Microsoft & Amazon, have significant presence in Silicon Valley.

Consider those five companies and what they’ve done. Just as the author alleges, those five companies have found a formula for success; they’ve “imported from everywhere else” elemental technology primitives, things like standardized and open protocols built by academics and expert committees in the IETF, IEEE and other standards bodies. These companies have taken those elemental primitives and packaged them up into new exciting innovations and won dominance in the marketplace with them. How much dominance?

Look at this chart I made in Excel. $3.5+ trillion of market dominance, that’s how much dominance. And notice how few they actually employ compared to other titans of the marketplace. They’re massively efficient. That’s the whole point. That’s why capital is so excited about the Big 5.


Numbers are out of date, reflecting 2017 LTM revenue & employment numbers, but you get the idea.

All around the world, people have tried but largely failed to replicate the supposed success of this vibrant hive of technical & engineering prowess. I hear it all the time on podcasts, I read it on Twitter, I read it in blogs. Everyone wants to be Silicon Valley, to be the exciting hub of innovation. Indeed, they want to be the next Silicon Valley, as if this is a repeatable formula there for the taking, as if you could just divine it out of the ether and bam, the next Silicon Valley. 

You see the big 5 marketed endlessly by the apostles of the Disruption Gospel, by the trade press, by us, even when we just think we’re talking about a new device or service. Oh yeah, I love this new feature on my Android. Oh, Instagram is introducing end-to-end encryption & direct messaging. People love the products they’re using from these big five companies, and some study them so much they’ve launched ancillary careers just by studying how they work. I’ve mentioned before how I admire Ben Thompson, of stratechery.com, for the one-man punditry business he’s built atop what he calls Aggregation Theory.

And the founders! We construct mythologies about them too. We build them up into icons. They collectively have more money than God or the tycoons of old.

Now circle your mind back to the quoted sentence. That’s it. Now let’s zoom out:

By 1893, the renowned Canadian mining operator James Douglas could claim that the American West had been the most fertile field for technical innovation in the development of hardware, techniques, and chemistry. California engineers exported their technology to the rest of the world and improved on that which they imported from everywhere else.

The quoted passage is from Dr Gray Brechin’s masterpiece polemic, Imperial San Francisco: Urban Power, Earthly Ruin, published by University of California Press in 1999, revised in 2006.

Brechin is, in the words of people I follow on Twitter, my spirit animal. He’s a Geographic Historian who lectures at Berkeley and other universities in the Mountain West. His book -which invokes huge themes about mining, agriculture, cities vs rural areas, and what he terms the Anglo-Aryan race- is all about the conquest of the frontier, and how that conquest was directed by a cartel of mining interests in San Francisco just after the start of the Gold Rush. If you’re interested in Manifest Destiny, you can’t miss this book.

Throughout his polemic, Brechin details the ruthlessness of the early titans of gold & silver mining in and around San Francisco. How they pushed out or simply killed natives. How President Polk, on discovery of gold in California, sparked a war with Mexico and ultimately won control of the west for America. How the early miners scooped up and collected the easy gold first, then pitched a false vision of California to the rest of America and got suckers to move out west for cheap & easy gold. How the miners & miner interests leveled entire forests in the Sierra Nevada, changed the course of rivers, dynamited and blasted their way deep into the scarred earth. And how, once the great con was over, they set their eyes westward again, to spreading the Anglo-Aryan race across the Pacific Basin from the mouth of the Golden Gate.

It’s really a yarn, quite the page turner I tell you. Definitely a great purchase, especially if you’re interested in place and history. Brechin even links the mining & mineral themes almost up to the present day, with the founding of Lawrence Livermore Labs in the east Bay, and its work on developing nuclear weapons.

We see all the time in technology commentary people invoking the same themes Brechin masterfully describes. They talk of atoms versus bits, as in the mining of precious metal atoms vs the mining of non-physical bits, or elements of technology. We ourselves call the titans of bit-mining today founders, and we all listen to the founders as they pitch a vision that, like the mining cartels and newspaper barons before them, results in more wealth accruing to them, and, like the rubes we are, only marginal value for the rest of us*.

It is hardly surprising that the bronze men at the prow of the Pioneer Monument were gold panners working the Sierra placers. California artists almost always depicted the Western miners as free men working under friendly Western skies—not underground, not for others, and not in squalor of their own creation. Such hardy individuals quickly came to symbolize Western opportunity itself, for they were the first to tap untouched bonanzas amid then-unspoiled scenery, and they remain the most enduring agents in the legend of entrepreneurial independence and of he-men living close to nature’s ample bosom.

ibid, Chapter 1, A Promised Land Plundered

And just as the gold miners of the 19th century externalized costs onto society, the environment, indigenous peoples, the Chinese, so too do the mining titans of the 21st Century externalize their costs onto our society.

These founders, and the people working to sell the vision have, like the mining cartels before them, become digital prophets and invoke almost with religious intensity the themes of the frontier, the very words & phrases of Manifest Destiny. Simon Wardley, for instance, has built another business atop bits and bit mining. He calls them Wardley Maps, and they offer strategic advice and interesting mapping techniques to software engineers & technology companies. Wardley consistently uses the words pioneers, settlers, town planners and ‘uncharted’ as if there’s still more frontier left to exploit.

The founders in charge of today’s mining cartels have been using these words and phrases for more than a decade. I just don’t think we realized they actually meant what they were saying. I think we all got confused by the razzle dazzle of what we saw on our screens, and so we listened to and trusted the razzle dazzle prophets and founders. In short order, we’ve all adopted the language of this new frontier. We’ve all taken Manifest Destiny a step further, even if we’d object to the old Manifest Destiny in principle if not in our history. Because we don’t see the metaphors the founders use for what they truly are: actual frontier-speak.

The founders’ conquests are occurring in and around San Francisco, where the last frontier closed a little over a century ago. It’s a place that, on the surface, looks much different than the one Brechin details in his polemic. Yes, there is chronic homelessness and skyrocketing rents on the surface, but no one could claim San Francisco or the Bay Area is uncivilized, that it is not a world class city, that most people feel safe there.

But San Francisco -and the Bay Area- always looked beautiful. It’s a beautiful and lovely place. As beautiful as it was in 1898 to be sure, probably more so. But that’s just the surface. You’ve got to dig deeper, you’ve got to peer across whatever industry vertical you work in in 2019 to see the real costs. To see the con and misdirection. Until you do that, you’ll miss the externalized costs and exploitation of the 21st century mining cartels. You need to look at the razzle dazzle on your screen and realize the words you’re seeing are deceptive, that the metaphors have been used to misdirect you, to create a ‘smoky hall of mirrors’ effect, as I called it in an earlier essay. And then you’ve got to read the news and study it and think about it: Rohingya violence, violence in India, the amplification of bad information, anti-vaxxer ads, measles cases soaring, the flat earth, and so much more. All of it organized, spread, and amplified at lightning speed with tooling created by the founders, their cartels, and the engineering prowess of the Bay Area.

As Brechin would point out, the costs of the first mining cartels were hidden from the eyes of the wealthy urbanites in San Francisco as they extracted value out of people and the land far away. They never saw the destruction of old growth Sierra Nevada forests because they didn’t want to see it. They never saw the Chinese Coolies -practically slave labor- herded into railcars and dispatched post-haste once the mining was done and the railroads were built. They never saw the mud and floods as millions of metric tons of mud and earth flowed down the Central Valley. They never saw any of the costs because those costs were intentionally remote.

But in our age, we do see the costs. The exploitation. We see the costs all the time and every day on our screens, if we just flip the script and study a little bit. You see the costs and you even think about the costs in the privacy of your own home, with yesterday’s Momo freakout. You see the costs but you don’t conceive of them as costs on you or your loved ones. You think of them as social media problems or platform abuse.

Zoom out a bit, and the vista becomes clear. You see that the founders imported the elemental primitives of 20th Century standards bodies -things like TCP/IP, SMTP, and DNS, the WWW, and packet-switched networking- and got busy constructing and exporting Manifest Destiny 2.0 with those elements. And they’ve been telling us what they’ve been doing the whole time, we just didn’t realize it.

*I have noted in a previous essay how wonderful these technologies have been for women, People of Color and LGBTQ folks. I celebrate their agenda and the fact that they are seizing real political power long denied to them in the old, physical world. The value & benefit to them is immense, and I acknowledge that, and I want to ally with them in my politics. But this essay explores the costs side of the equation.

Ever since DJT was elected, I’ve been confused. How did this man, this charlatan, this scammer become POTUS? Why were the news stories I read as a responsible consumer & civics-obsessed citizen constantly citing his Tweets, logo & all? Why did we give power to this man? What’s broken? Some said titanic shifts in culture & society were obviously afoot and DJT got elected to burn the ancient regime down. Others said we got hacked by the Russians and the results were illegitimate. Still others said it was legitimate push-back against liberal or neoliberal advances in the Obama admin. This wild outcome followed Brexit, another unexpected & world-shaking event, which I won’t pretend to understand except to say that the west was shook.

Strangely, at work, in my now 17 year old career as an IT Pro, everything was changing, changing much faster than I had forecast when I last looked at the industry in depth. In 2014 I wrote a blog post advising IT Pros to adopt a cloud-first focus in their careers, lest they be left behind. I hadn’t anticipated social media being so important back then. I thought it was an ancillary thing, a thing you don’t really need to consider when you think of your career. But now, in the wake of DJT, it felt like something -maybe work-related, maybe not- was accelerating there in the dark winter & cold spring of 2016/2017.

It was then that I decided to return to where the people were. That was only natural. I had questions. The people had answers. And the cool thing was, they were accessible to me. Where? Where else. On Twitter. The toxic social platform everyone loves to hate. I’d already gotten wise to Facebook, you see, sensing more or less that it was a malicious platform, an AdTech Superpower disguised as a soft ‘n cuddly “We Connect the World” teddy bear. I deleted my account there in Spring 2017.

But Twitter? Twitter I had largely ignored/left behind since closing my old local news blog in 2013.

At the time, I didn’t quite know why I was going back to Twitter. I’d stopped using all social media back in like 2013 or so, save for the cursed LinkedIn, which I maintained for purposes of my career, such as it is. I just knew that the answers I was seeking to understand all the changes I was seeing around me were likely in this place, in Jack’s place. And I knew smart, observant people in multiple industry verticals were on Twitter. So I went back.

Looking back now to late 2016 -when the shock was raw & visceral- I can see the reason I came back to Twitter. I came back to Twitter to write this. I didn’t understand that at the time, but I sure as hell do now. Here’s the progression, much of it in my own Twitter feed.

Jumping back in to Twitter

First thing I did on Twitter was present myself as an IT Pro. I had figured I could make some headway in answering my questions there, if I associated with other IT Pros & Technology professionals like myself, thinking it to be a kind of fast-paced, rough ‘n tumble & less buttoned-up version of LinkedIn if you will. People on twitter felt free to talk, this thing was the free speech platform, the pundits said, and that little bit of text “Thoughts & opinions expressed here are mine and not my employer’s” was a magic talisman allowing everyone to speak freely. Perfect!

DJT Inescapable

I think my reputation as an IT Pro is decent, so I jumped back in & blindly felt my way around. I tweeted largely about Enterprise IT technology at first, I think. I got some likes & nibbles, some new followers. But then, I’d experience that perpetual complaint in Twitter: stuff appearing in my TL that I didn’t expect. And it was DJT stuff! I’d read the news as DJT took office, or squatted out a new tweet. And I’d freak. This is not normal, I thought. But this is my kinda/sorta free speech LinkedIn, better button up and not talk too much about it. Understand, the “this is not normal” was my reaction to the substance of a DJT tweet, not my reaction to Twitter showing me it.

And yet, I did…you couldn’t avoid DJT. It was impossible. I even tried filters for a while, but nothing worked well enough, or maybe I was just not skilled enough to understand how to use them. As a result my tweets back then were primitive & stupid. And predictably, I found very few of my largely IT Pro + old blog follower people were interested in talking about my questions or debating my ideas about these & other changes I was observing. Some engaged for sure…I was like, hey, why’s the new world so different than the old world? I’d get a few nibbles, pick up a few followers, lose a few more. Found some folks who had the same questions…neat! But I felt the pressure to stay on topic as an IT Pro and tweet only as that.

But I still kept seeing DJT stuff. And I can’t contain my reaction to it. I just can’t. I’m a political person, I enjoy reading & thinking about politics when I’m not at work, and sometimes when I am at work.

Speaking of work, in 2014/2015, I had started thinking more about infosec, parallel to all the news we Americans read as we saw our private data, held by the government, by retailers, by insurers, and by social, get breached & stolen. Naturally, I floated over to the infosec community, which was nice, cause I was getting more involved in security at work.

I thought I’d be welcomed there, and I was. It was really neat to experience that. People were open to me and my ideas, all because I was honest & had legitimate and authentic experiences working as an IT Pro. So I started tweeting and mixing in with that community more. I’d frequently comment that I just wanted to secure my employer’s stuff, and then I’d see a new Facebook revelation that said that enterprise didn’t have to play by the rules mine did. And it upset me, so I tweeted when I was upset, and, due to my own poor ability to read & understand the space I was in, I took their openness as a sign that they too trusted this public place, and considered it legitimate to debate politics here, or advocate for a cause I thought they’d believe in (security & privacy), like we do in the commons.

The Crazy Hall of Mirrors that is Twitter

But I learned something. It’s extremely easy to bump up against other people in Twitter, to make them angry, or to make them feel like they’re under attack. It’s not true that they are overly sensitive or I am overly aggressive (though I admit to episodes of this, and I sincerely regret it). It’s simply that we’re both in a confusing space whose mechanics & physics are easy to weaponize, and that results in the amplification of bad stuff and bad-faith stuff that appears in our timelines. Naturally, most of us are good-faith folks, and so we want to warn others of bad-faith stuff, so we share it, but that’s to the detriment of being forthright about ourselves & our intentions, as Joan Donovan, PhD at Data & Society, has observed.

All this occurs inside a space that surfaces zero trust signals about the items we see on our screens, save for the Blue Covfefe Checkmark, which we’ll return to soon.

I did lots of stupid stuff like this on twitter, the new private commons

I started to realize it’s a smoky hall of mirrors. It’s not like the old internet, where people searched for their interests on the web, then found forums or watering holes around which people of like-minded interests congregated & talked shop. It’s not like that at all. This new place was so much easier than that old place, I realized. Some were anointed in this new place with signs of power & privilege: they got the Blue Covfefe Checkmark, for instance. I saw that, and I wanted one, a fact you can see in my tweet history.

Meanwhile, behind the scenes, I didn’t realize fully how big the grin on the Cheshire Cat of Silicon Valley & capital was.

But I did realize slowly that I could never focus on just one aspect of myself here. Nevertheless, I picked up followers, many of whom remain to this day. Awesome!

Why People Use Twitter, and Why they Don’t

Next, I made the mistake, particularly in the last year, of thinking people on Twitter went to Twitter to find friends or fellow travelers. They largely don’t. They go there to associate with their communities, and if you go in ready to throw (polite, somewhat aggressive, but ultimately jarring civics) elbows, you’ll get banished quickly. People will mute, unfollow, ignore & monitor, or block you. I only got blocked once to my knowledge, but there you have it. The number of times I got muted I’ll never know, but my guess is it was very high.

Please note, I’m not claiming I’m a victim here. I’m claiming that I was sensitive to and sensed feedback from my readers, as all writers should! Anyway, I’ll never know if I was or not. That’s not for me to know.

Randomly, I’d take stock. Oh wow. That person whose tweets I liked stopped following me. That hurts. This other person who follows me & I like has stopped liking/retweeting my stuff, yet I see them tweet all the time. Did I piss them off somehow? It’s easy to bother people here, I’d say to myself. It’s easy to get on someone’s bad side here. What am I missing, I’d think. It’s kind of miserable here, I said to myself when someone I liked unfollowed me. In the old world, when blogging, I never saw these signals. I just wrote. It was wonderful. And this gave me anxiety!


Not hustling hard enough in the crazy hall of mirrors

Ok then. So what the hell are we all doing here in this awful product?

Slowly I realized I was wrong about the rules of the game. This thing, this place, it wasn’t about likes & follows as I imagined. That’s just what the people who built it wanted me to think. I realized that all the stuff I saw was evidence of people organizing. They were protesting, politically. Even when they thought they weren’t. They were getting mad as hell & not taking it anymore. They, and I alongside them, were negotiating interests loudly & aggressively in this crazy, smoky hall of mirrors with zero trust signals and lots of bad faith.

To borrow a Twitter joke/meme about Silicon Valley I was particularly fond of: they invented the commons & called it social media. Insert emoji here: 🤣🤣. Now like, retweet, share, and ignore the serious point.

Is this place the commons?

Hmmm, I thought to myself. Isn’t that what people usually do when they go to the commons? I voiced this a couple of times…but always figured the real commons isn’t a crazy smoke-filled hall of mirrors owned by a private sector company…this is Twitter…it’s not that, it’s not the commons. The public commons or town square cannot be owned by a private company. That’s crazy, Jeff!, I thought.

Hassling & Harnessing Expert Power on my Quest

Bug in brain, and not knowing or understanding why I had stumbled upon such a question, I went and started chatting up the consumer tech elite. I bugged Nilay Patel a bunch, got a few nibbles, no bites I’m afraid, even when I tried jokey, friendly tweets resistant to mutability. Same with Casey Newton, who authors an outstanding newsletter on democracy & social media, but that doesn’t scratch my itch enough.

I got a bunch of likes, no bites, few replies. I’m really bad at Twitter, I thought to myself.

Then I started tweeting at Walt Mossberg, a man I really like and admire for his towering career, his wit, his journalism, and his sign-off note at his retirement calling for regulation of tech via administrative courts. I followed Walt, then one day, hey Walt, what the hell is this place and why am I here?! Is it the commons Walt?

It’s not the commons, he shouted back, probably before muting me, because I’ve never gotten a response again.

Slowly, I got the dawning sense that Twitter wasn’t a good place to discuss weighty matters such as these. Duh! Nevertheless, he persisted (so sorry, couldn’t resist).

Next, I added Scott Galloway to the list. Same thing. Few nibbles, no bites, no real debate.


On and on I went, tracing a path through different communities of twitter, looking for answers without even realizing what the question was, or that I was asking a big question. In my mind, I felt I was doing something akin to civics, but I wasn’t woke to that because this was Twitter, a private company’s social platform. And the smart people told me it wasn’t the commons. So asking questions & advocating for my views in an aggressive way, like I learned to do growing up, wasn’t civics, it was simply tweeting. And the outcome of my tweets was simply likes, replies, or retweets. No civics here.

Tweeting the J-School Profs

On I went now to the journalist elite: Jay Rosen & Jeff Jarvis & Dan Gillmor and others, even citing one expert’s case against the other! Maybe they knew what the hell this place was and why the world was upside down. Come on folks!

And then the DC Elite

Then the DC elite, including my favorite pundit in the world, Yglesias, who I’ve read for 15 plus years because I believe in civics & making informed decisions with my vote. Yglesias gave me a few nibbles, a like here, a retweet there, but mostly, none of these kings of social media wanted to play ball and none of them liked my ideas for what I thought was happening here. I even tried to email a few of them sometimes. Believe me, I’m persistent, and a little embarrassed as I write this.

And the Business Tech people

Maybe I oughtta chat up the business tech guys. I liked Ben Thompson, studied his aggregation theory for a while, and I admired the hell out of him for building a punditry micro-business for himself & his family. Wow! I followed him, bugged him on Twitter, no bites, and one apology issued by me for being a tad too aggressive. Likely muted. Oops. DAMNIT! I was bad at this social media game.

I even got a nibble from Alex Stamos once. To his credit he gave me a good faith answer, and it was an answer I didn’t like. You can see in this thread I kinda/sorta had the secret unlocked. But no likes, no retweets, no user engagement.

After that, I regret most of what I’ve written to him. I was mad at his brush-off & it was hard for me to watch the meltdown of our society, the government, and my personal privacy while disassociating him from his job at Facebook, no matter his position in the security community. Which underlines & places a red circle around a big part of life here in the crazy hall of mirrors, where the difference between your public self & your private self is utterly dissolved & gone.

Twitter & the layperson’s Access to Expert Power

I felt that if Stamos was here, in this crazy hall of mirrors with me, then I, as someone who once had a Facebook, Yahoo and other consumer accounts that Stamos secured (in other words, a “stakeholder,” as we conceived of it in the old world), had a right to question him. I loved that access to power, but I didn’t know how to use it. I don’t think he did either, or maybe he did, as he was speaking to his interest group only.

In this, I was confused by my own role as an Enterprise IT Pro, where my users hold my decisions & actions to very high standards, and where I tell them what choices have been delegated to them, if they care to ask. I think I was aggressive with Stamos because I viewed him, in a way, like my users viewed me. I occupy a trusted position at work, and I control to a large degree, what my users at work see on their screens, and I work hard to signal symbols of trust & validation to them when they look at the screens I manage. In any case, I loved the access to powerful people, simply as a matter of my own agency in the commons, so I frequently tweeted to him or retweeted him. I feel pretty sure I got muted, which is fine. It helped me to understand what I was doing here.

Given my own experience confusing my role as IT Pro with Stamos’ role, way bigger and of wider scope than my own, I stumbled across something in one tweet. I said cloud-scale folks should treat their users -which is a derisive & politically-charged term- more like constituents. What the wha? I’m not sure I even know what that means. I’m just sure I want some rights in this weird hall of mirrors in which I, and you, increasingly find ourselves.

I went crazy on Digital ID

Oh. Also. I tweeted a lot about certificates and Digital ID too, because I felt that was a solution to this place. Full disclosure: this is like a totally top-down hierarchical solution, designed by patriarchy, by white dudes like me. Surprise! Ha. You’re not surprised, are you? Still, please read, because I reflected and I realized what it was, and I still like X.509 PKI because it’s most similar to what we’ve got in the real commons, which maybe you’re not satisfied with, but I bet the majority of the constituents in the commons are. Moreover, you’re already using this system if you use Apple to identify yourself to your phone or PC via your fingerprint or Face ID.

No one is talking about this old system, though I tried, even from a social justice angle. But we should. We should have a debate about it. You should evaluate it and challenge my views, and your friends’ views about it, like you did in the public commons on other topics, bringing your own values & beliefs to the table. I tried advocating for it, but I didn’t realize I was talking to interest groups. I was speaking as a tech guy.

But in advocating for digital ID, I did get some valuable pushback from another interest group: anonymous internet users. These people don’t feel safe online. They utilize anonymity to protect themselves & those whom they love. I didn’t really understand that before coming to the new private commons, because look at my Republican.JPG. But now I do.

Powerful Followers & Shadow Likes

But as I continued down this weird path of exploration through the commons, arriving & departing various sections in the smoky hall of mirrors we occupied, a curious thing happened. First, I got followers I never sought before. Like the former President of Estonia. In the old world, this man, whom I respect immensely for his work in Estonia on Digital ID, and I would never have crossed paths. He literally would never have read my name, because I don’t write for people such as him. But he followed. I was shocked. I also started getting messages from people -respected & smart and wonderful people, some of them names you would recognize- and they said something like this: I want to like what you Tweeted, but I can’t like it, if you know what I mean. Others said this: your tweets are on fire Jeff, I love how you’re displaying vulnerability.

A shadow like in the wilds!

hahaha, I replied, to each. Appreciate the feedback. Thanks. I know exactly what you mean.

/narrator: no, he didn’t and still doesn’t, but it might have something to do with capture of the commons or his

Privilege, MeToo, and Black Lives Matter

Meanwhile, back in other smoky, loud, and largely dark parts of the hall of mirrors commons that is Twitter, light, truth, and purity of purpose emerged. People were organizing in ways no one really understood. I liked & followed Zeynep Tufekci. Her Twitter and Tear Gas book made waves in 2011 describing the Arab Spring, the uprising in Egypt and more, and she had a solid Times column I’d read & cite on Twitter. You might say this scholar was bullish on Social Media, but we all were then, and by the time I started asking questions of her, she was no longer so bullish, calling the place I was in a ‘persuasion platform.’

Fast forward to 2014/2015, and we all watched as Missouri caught on fire and riots resulted in the streets. The Black Lives Matter movement hit social & punched through to all of our TV screens. People in the smoky hall of mirrors had found each other, they’d built a community, and that community became an interest group which topped the agenda of no less than President Obama at the time. Wow! This smoky hall of mirrors was pretty powerful. Social media was working, we all thought. None dared call it the commons though.

Shortly after that, the long darkness arrived. DJT elected. 55+ million followers of this big fish there in our smoky hall of mirrors, inside, as I would later learn, a fishbowl. DJT used this new commons as a sniper uses his rifle: with lethality and precision, to get his views & statements on all our agendas, confused as they are there deep in the hall of mirrors. Do you remember when he told DPRK his nuclear button was bigger & stronger? Surreal! A million nervous tweets followed from me, there in the noisy & now frightening hall of mirrors.

But then! Light & truth: #MeToo movement. Hundreds, maybe thousands of women sharing stories of how aggressive men had hurt them, hurt their careers, raped or sexually assaulted them. More stories from women and trans & LGB folks and the great rainbow variety of humans emerged: they too had experienced either harassment or been minimized, zeroed out & dismissed in their workplaces. Titans of industry fell, people like Harvey Weinstein. Hell, they even got O’Reilly & the dark jedi master behind Fox News, Roger Ailes. Wow!

Women and people of color were using this crazy smoky, hall of mirrors fishbowl with lethal precision too, I thought. What’s more, I realized, the people using this weird place best had been the people disenfranchised the most in the real commons. Women have only had the right to vote for 99 years; people of color have only had a de jure right to vote since 1965, but in practice, they faced & continue to face a lot of friction on their way to the polls, and that’s before we think of gerrymandering. Their voices have been squelched for so long in America, well, now they were roaring!

Interest Groups form on Twitter

They come here, I thought. They come to the crazy smoke-filled hall of mirrors, deep in the fishbowl. They organize here into communities. Those communities become interest groups. And those interest groups pursue political outcomes & political power in the crazy hall of mirrors commons, just like the old world, and they are winning because people I know are going through diversity training at work, sitting through White Privilege slide decks. Wow!

Meeting new Interest Groups

It was through this part of the commons that I learned more about myself, and more about other people. I’m really grateful I did. I never would have come across these voices in the old world, apart from my university years, which are long past me. I only would have found them in this new world. I got mildly offended & mad when someone said I was privileged, then I read up on what that was and I was like, oh yeah, you’re right. I am that way. My path was easy in this life. But my politics, my deep belief in civics, allows me to adapt, so adapt I did. Then I said to them, my path was easy in this life, and I want the same damn thing for you, my friend. I even put He/Him in my twitter profile. I never would have thought to identify my pronoun preference before I came back to the crazy smoky hall of mirrors commons. But the polity in the private commons made it clear they wanted that. So I did it. I got some great followers from many different communities & interest groups along the way. I feel very fortunate for having learned from them, for having read them. I count myself wealthier & closer to my political values for having met them. I thank them.

Left & Right in the Hall of Mirrors

I met other sincere, good-faith people in the commons too. Largely they didn’t want to engage with my crazy questioning or my civics, so I just observed them. There were Republicans in the mix, just like in the old Letters to the Editor page of the paper, which had largely functioned as a delegated & privately owned commons local to us in the towns, cities & rural areas where we live. I met old school GOP people, like Tom, who left the party dramatically last year, and whom, somehow, I got to follow me this year. Mostly, I just watched and learned from the opposition in the commons, the same as I always did growing up. They were using the commons in a similar way; there just weren’t as many of them.

The left was numerically superior in this smoky crazy hall of mirrors commons. The right was there too, but, just like in the real world, they didn’t have the numbers. Still, some good civics debates can be had in this new commons. And I like that. As a kid who was educated on Point/Counterpoint, it drives me, it really does. It’s what I seek. I thought it was dead, but it wasn’t. The commons should be a little wild & crazy. It is neither a marketplace of ideas, nor a public library, nor a Barnes & Noble as I once supposed. It’s literally the commons, or the public square, if you wish. Only now, it’s captured & owned by a private business.

And that’s not good. That’s not good for me on the left, nor you on the right. It’s benefited my side -sure- and I’m so glad it has, because dammit, I like that women & people of color are now enjoying just some of what they lacked in the old world, but private capital’s management of the commons is utterly clueless & incompetent, and the whole thing could easily become the next Rohingya genocide, only it might happen here. Or somewhere near here.

What’s more, it’s confusing that capital has captured the commons. Witness the debates about “de-platforming,” that we’ve had on twitter.

The smoky hall of mirrors inside the fishbowl is a confusing place, a place where zero trust signals are available for us to see or make use of, a place where bad actors -many of whom don’t even belong in our American public commons- face the same fast, friction-free path to organizing and advocating for political views, for good and for ill.

A Hall of Mirrors inside a Fishbowl owned by Capital

A smoky hall of mirrors. Inside a fishbowl. With capital & tech on the outside, looking in. Poking us with inputs and observing the outputs. Hmmm, that’s interesting. Let’s A/B test this change, and see how they react. Measuring the output. Maybe they realize they now own the commons, maybe they don’t. In either case, they laugh all the way to the bank, and the next mega-company looks to create a viral megahit virtue-signalling ad that will light the private commons on fire.

Mansplaining to you my view of this place

Look, I’m not anyone special. I’ve got nothing to sell, other than my ideas, which you can have for free through the amazing thing that is civics & the old fashioned internet. I’m just a dad, an IT Pro, and someone who studied and pursued my interests kind of apart from my career. I’m not academic, but let me say I think you should approach Twitter and other social media systems like this:

  • When they say “social media,” you should think the private commons, or the privatized public square
  • The owners of the privatized commons saw political expression on their commons and they didn’t know what it was, so these brilliant data scientists, programmers, and the moneyed banks & marketers -many of whom think poorly of politics or look down upon it and have no second thoughts about choosing things for you- called that phenomenon “user engagement.” But you should think of the portion of “user engagement” surrounding political discussion as regular, good old fashioned civics, as people massing & organizing in commons, negotiating their shared interests with one another, and shouting from a soap box to you, to try to sell you on their ideas
  • You may call yourself and your allies on Twitter a community, or a movement. Keep doing that. But add interest group to your vocabulary too, for that is what you are, left or right, and it’s been amazing to watch you all work, particularly #BLM & #MeToo. You’ve dominated the public agenda, and that means what you do works and it has an impact, and that’s kind of incredible for leaderless civics orgs.
  • When you agree to Terms of Service, End User License Agreements, or Privacy Agreements, you’re agreeing to the law of the digital private commons. There is no appeal, except to voice your complaint in the semi-free speech commons that is owned by the private company
  • You should think of the C-Suite of these social companies as akin to unelected leadership in a private, wholly-owned kingdom that opens the commons to anyone with an email address or phone number and dispenses various signals of virtue & enlightenment upon princes & princesses of that kingdom (Blue Covfefe checkmark). The process for getting these virtuous signals that the commons understands is entirely opaque and is, like everything else, left up to the kings to decide
  • When Zuckerberg and other Kings of these privatized commons address you as “community,” you should get mad, make lots of ‘user engagement’ noise that the data scientists back at the castle will interpret as civics, eventually. Whether they ignore it or not, is beyond our control. They probably will for as long as possible, or maybe they figured out a way to sell your civics to adtech, which is most likely. Anyway, none of this is transparent & they will throw lots of sand & dust in the air to tell you how they are responsible stewards of private commons. But they’re not. They’re clueless.
  • Political memes in the digital commons are the political pamphlets & posters in the old commons
  • Because there are no trust signals inside Twitter & Facebook, the new private commons, users in that space have invented their own. If you want to be trusted in the new commons, you’ve got to screenshot & tell your followers  you deleted a tweet. That’s because there’s no unbiased mechanism in place, like a public log or what not, that allows you to signal to your followers you deleted a tweet. And as we all know, the Kings haven’t given us the power to edit tweets yet.
  • Muting a follower is a compassionate act one person performs in the commons on another person in order to shape & understand the commons better. Filter bubbles got it all wrong. People who mute for politics talk in the private commons are just walking away from your noisy talking, from you on the soapbox, just like we do when we walk down the street and ignore a protest movement on the way to join our own interest group
  • It didn’t break our politics. Our politics, which are practiced in the commons where the people gather by definition, simply moved to the private, captured commons, because friction was minimized so effectively by capital, and celebrated by tech journalists who don’t understand politics or the commons, industry observers, and powerful tech-elite, who even use the language of the commons (pioneers, settlers, town planners)
  • When you hear that people -diverse, wonderful, free, sovereign human beings like you and like me- are stupid and susceptible to the filter bubble, or don’t know how to distinguish light from dark in a hall of mirrors with zero trust signals, you should get pissed & angry. How dare they? Remember, they built it this way.
  • The Republicans realized this first. That’s why they’re so active in trying to influence the new kings of the private commons. As well, they’ve got financial interests that bias them to not admit it
  • But so too do the Democrats, some of whom have realized this truth, but the base doesn’t appear to grok it, nor does the Republican base
  • The two American political figures who understood it first: Donald Trump & Alexandria Ocasio-Cortez. Both of them realize they are competing in the new private commons, that you and I float between & see interest groups in this space, and they both are racing ahead from their respective soapboxes in the public square of our private commons.

What do we do from here? Where do we go? Governments broken and not moving. It’s closed right now. Academia still there, and I learned so much by following smart & open academics on twitter, but the money from Silicon Valley, as Zuboff has noted, is so good that the brain drain is on in higher edu. The free press is still kicking, but I think the owners of the new commons have them right where they want them: in the hall of mirrors, sorting light from darkness, signal from noise, and chasing illusions, like I did for a long time. To help you parse this new reality, I’ve got a list, if you want to study it.

Beyond that, it is wholly & completely inappropriate and indeed terrifying for a private company to own the commons. Why? People come out of their homes. They meet each other in the commons, when they are of age. They begin negotiating their interests. Then they form interest groups & they build an agenda based on their mutual interests. This worked fairly well, even when the commons was owned by private companies -like the dozens of once vibrant metro newspapers- but those are largely not the commons anymore. Twitter is. And Facebook. That’s what they’ve captured in the last 20 years, as Zuboff notes so well. I’m utterly convinced of it.

Walt, sorry buddy, I love you, but you were wrong.

I see the same thing in the old commons that I do in the new digital private one, only I see & hear from new forces, and dark forces too. Vlad realizes it’s the new commons. That’s why he’s attacked it to mixed success. Corporate America realizes it’s the new privatized commons; when Nike & Gillette buy & share ads on Twitter, even ads that have positive political messages I agree with, let’s be honest: they’re erecting billboards in the privatized commons, billboards whose political message appeals to the majority of the commons, folks who are on the left, and oh, also, wanna buy a razor?

I don’t think mid-level technologists in Silicon Valley or Washington yet realize that the commons has been captured & privatized and that BLM & MeToo aren’t community movements, but interest groups agitating for political power in a shared space their companies own.

Is there a fix?

There are a couple of things we could do. We could inject our real world legal identities into this privatized commons by virtue of an optional gov-issued Digital ID, in effect becoming citizens in this space rather than mere users, but have a look at my tweets over the last two years to see how popular that idea is. We could repeal and blow up Section 230 of the 1996 Communications Decency Act -the act that created all this, and is, by my reckoning, the father of all unintended consequences because it enabled both the discovery of surveillance capitalism + the capture of the commons (I use father because I want a man to own it). We could kill that thing, and all would go back to the way it was. We’d have our clunky old internet back, which was built to resemble our clunky old democracy (another thing I tweeted about often), but we’d lose all those new voices that have taught me so much, and for which I’m grateful.

Actually check that. We wouldn’t technically *lose* them. But they’d face more friction in making their voices heard. But so too would the right. Which seems fair. Right/Left should face equal friction, and that friction should not be zero for the interests & integrity of the commons, whether owned by a company or the public. Then again, the non-privileged people are enjoying their first tastes of political power, so I’m inclined to think this is a bad option.

But, it would end the abuses of our new private commons -the hall of mirrors would be gone- and maybe we’d have normal, slower civics without as much foreign or bad actor interference.

But the owners of the private commons are going to fight like hell to ensure that never happens. Because they are getting *ungodly* wealthy off of this change we’ve all been blind to.

Anyway, now that I’ve realized this -thanks in large part to exploring the private commons that is Twitter over the last two years- I don’t think I want to hang out in it much anymore. I want the old commons we had, but with the new voices I read and the new people I met in the privatized commons. I want to see them and advocate for them & their interests in my big-tent party, the Democratic party, and I want their voices to be heard. So should you. Even if you are a right winger I would never vote for, you should want what I want. We all should want good faith, a plain & easy to understand commons so we can debate, negotiate and sell each other on our ideas without the adtech people watching & occasionally manipulating us, not to mention the bad faith actors & foreign intelligence agencies.

I’ll pop in from time to time on Twitter, maybe lend my voice to an interest group’s cause, even though I see what it is now. I’m happy I figured this out to my own satisfaction because now I feel like I can write with confidence again. I’ve found my muse fam, and I’ve got the confidence to argue for it in the public sphere, on my website!

Managing Enterprise Secrets & Privileged accounts has to be one of the most difficult jobs in Information Technology today, and one of the least transparent to the business. Bad guys have painted a target on admins’ backs, regulators are chomping at the bit as more consumer data is lost online, and Compliance officers are scrambling to understand the landscape and adapt to new rules from overseas. And yet the business may not even realize that unsung heroes in IT are still managing a stack of hardware & software designed to fulfill 1990s-era security models.

Take it from me: I know this pain well. Even if you do have an internal identity system, say Active Directory, it can be difficult to get all the bits from your Storage, Network, Compute & cloud systems to run a proper AAA model against your AD Forest. Even more difficult: figuring out how to audit the records of Active Directory (or NPS/RADIUS or ADFS or OAuth2/SAML glues) to present to your Compliance officers.

Yet in the background, a constant churn of news only raises the pessimism bar higher: Target. Anthem. Maersk. Equifax. Facebook. Marriott. The goddamned CIA and the f****** National Security Agency. I made a Visio Timeline because I was having difficulty tracking all the breaches, and I’ve run out of room! And let’s not forget the business and your user colleagues’ need for secrets too, as consumer technology continues to eat away at the Enterprise and as more of the economy is digitized. By 5pm most days, IT admins are just hoping to make it to retirement in 10 years without their orgs getting popped by a black hat.

Enter CyberArk. This Silicon Valley company was founded in 1999, which is impressive to me. It’s not often you’ll find a company that’s been selling a product that handles Enterprise secrets + PAM for 20 years, at least a decade longer by my count than the popular consumer password management companies that are now sashaying their way into your Enterprise, as if they understand the challenge you’re facing. At Security Field Day 1 (#XFD1), CyberArk’s maturity & comprehension of the challenge of securing the enterprise really showed.

CyberArk’s Privileged Access Security Suite is a mature & fully-featured secrets + PAM tool. I was super-impressed with the demo their Global Director of Systems Engineering, Brandon Traffanstedt, gave us back in December 2018 in sunny San Jose. I came prepared to endure a boring password management demo; I left impressed at what I had seen, with only a single caveat.

Not only was CyberArk’s product comprehensive, it was bad-ass, with one exception. I saw:

  • An SSH session opened to a network device’s command line, with a second factor prompt before access was granted
  • Full auditing + screen recordings of a Privileged Account accessing a protected server, just the kind of thing that reassures the business that you, as an admin, have nothing to hide, are not an ‘insider threat’ and are 100% transparent in your work.
  • Deep integration into Windows’ Win32 API, hooking into parts of the OS I’d not seen before outside of Microsoft products, including Credential Management
  • Full integration & support for MacOS
  • OAUTH2/SAML support and full support for your ADFS infrastructure
  • Cloud secrets & PAM management across AWS (and soon) Azure
  • Full support for your RADIUS infrastructure & 802.1X, whether via Microsoft’s NPS or some other solution
  • Automated credential rotation so that you don’t have to scramble when a fellow admin changes jobs, is fired for negligence, or joins Edward Snowden in Moscow
  • Secure sharing of secrets among your privileged IT colleagues
  • An offline, secured, and high-entropy password in a sealed envelope you can hand to the business for peace of mind

I’ve been working in IT for about as long as CyberArk’s been pounding the pavement and trying to convince IT Teams to invest in Enterprise Secrets & PAM software. I was impressed, particularly because CyberArk scratches an itch that many IT Teams don’t know they have: the security costs & technical debt that a legacy of tactical, rather than strategic, investments tends to leave an org with, putting it in arrears in 2019’s security landscape.

Por ejemplo: say you’re a mid-market SMB IT shop in the healthcare sector that’s experienced a lot of turnover among its IT admin staff through the years. If you’re the business, you’ve watched as IT Admins come and go, and listened as they’ve pitched tactical solutions to various challenges facing the business. You’ve invested in a few, and most work well enough, but gluing them all together into a comprehensive, strategic, and business-enabling solution has been a challenge.

While your solutions are working, you’re paying a cost whether you know it or not, because more than likely, the technical legwork needed to glue those solutions together into a comprehensive & auditable security framework hasn’t been done. Meanwhile, the regulators are knocking at your door, the pace of breaches quickens, and Brian Krebs’ pen is waiting to write about your company.

CyberArk is a good fit there. No, check that. It’s a *great* fit in that scenario. The product addresses threats to your business from both the inside and the outside. It protects Enterprise secrets -the very thing your admins are targeted for- while shining a bright light on your employees’ Privileged Accounts and how they are used.

It’s a product that’s far beyond anything the consumer password management companies are offering… trust me, I’ve looked at them all. It’s a true Enterprise solution. However…

I will say that one area where CyberArk felt a bit less than polished was in how they’ve architected the sharing & use of secrets with non-admin users working in the business. If we return to the healthcare example, think of a person in your business who needs the credentials to log in to a state Medicaid site in order to bill the payor of a medical product.

In fairness, this is a complicated problem…while it’s in the business’ interests to control/maintain/audit all secrets, including to third party sites & services that are outside of IT’s domain, the mix of devices/browser here is a difficult puzzle to solve. Yet it’s here that CyberArk’s product left me perplexed. They propose intercepting TLS traffic on your user’s endpoints & injecting credentials into your business user’s browsers, whatever they may be.

This seemed to me -at the ass-end of 2018- to be a poor solution. For starters, we’ll soon see TLS 1.3 across more and more websites. TLS 1.3, as my fellow Delegate Jerry Gamblin pointed out, is not something you can intercept, decrypt, and inject credentials into. Indeed, other vendors in the security space seem to be steering Enterprise customers away from the expectation that we’ll be able to intercept/inspect/fiddle with TLS 1.3 connections. At best, we’ll be able to refuse TLS 1.3 connections in favor of the more Enterprise-friendly TLS 1.2 connections, but even here, the Enterprise’s political power & ability to influence the market & standards bodies is lacking, and Google, for better & worse, rules the roost. Even Microsoft is playing second fiddle here and announced in late 2018 that it would ditch its new Edge browser’s Trident engine in favor of Chromium open source.

Secondly, CyberArk’s solution even here feels archaic. They propose that you put a middlebox in front of your users to accomplish this. This is definitely old-school, calling to mind the many nights/weekends I spent configuring & troubleshooting BlueCoat devices in server rooms across many Southern California businesses. If you’re going to tackle a problem like TLS intercept, you need to think 21st century and go with a cloud interception service, that will follow your users around on the internet. Middleboxes often make your security posture worse, not better.
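To make the version-negotiation problem above concrete, here is an added Go example of my own; it is not CyberArk’s code and is not anything shown at #XFD1. It runs a TLS server and client in-process over an in-memory pipe. The server stands in for a third-party site such as the payor portal, using a constructed hostname (payor.example) and a throwaway self-signed certificate that the client is told to trust; the client’s MaxVersion stands in for the ceiling an intercepting middlebox imposes when it downgrades traffic to TLS 1.2 so it can inspect or modify it. Three outcomes are exercised: an uncapped client negotiates TLS 1.3, a capped client negotiates TLS 1.2, and a capped client against a site that requires TLS 1.3 fails the handshake outright. That last case is the breakage to test for before relying on a downgrade-and-inject design.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert mints a throwaway certificate for the stand-in site.
// "payor.example" is a constructed hostname, not a real service.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return tls.Certificate{}, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "payor.example"},
		DNSNames:              []string{"payor.example"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return tls.Certificate{}, nil, err }
	leaf, err := x509.ParseCertificate(der)
	if err != nil { return tls.Certificate{}, nil, err }
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client trusts exactly this one certificate
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// Negotiate runs one handshake between a server that accepts serverMin..TLS 1.3
// and a client whose ceiling is clientMax. A client capped at TLS 1.2 models the
// policy an intercepting middlebox imposes when it downgrades traffic to inspect
// it. It returns the negotiated version or the handshake error.
func Negotiate(serverMin, clientMax uint16) (uint16, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	srvConn, cliConn := net.Pipe() // in-memory transport, no OS networking
	srvDone := make(chan error, 1)
	go func() {
		defer srvConn.Close()
		srv := tls.Server(srvConn, &tls.Config{
			Certificates:           []tls.Certificate{cert},
			MinVersion:             serverMin,
			MaxVersion:             tls.VersionTLS13,
			SessionTicketsDisabled: true, // unbuffered pipe: skip the post-handshake ticket write
		})
		srvDone <- srv.Handshake()
	}()

	cli := tls.Client(cliConn, &tls.Config{
		RootCAs:    pool,
		ServerName: "payor.example",
		MinVersion: tls.VersionTLS12,
		MaxVersion: clientMax,
	})
	defer cli.Close()
	if err := cli.Handshake(); err != nil {
		<-srvDone
		return 0, err
	}
	if err := <-srvDone; err != nil {
		return 0, err
	}
	return cli.ConnectionState().Version, nil
}

func main() {
	names := map[uint16]string{tls.VersionTLS12: "TLS 1.2", tls.VersionTLS13: "TLS 1.3"}
	cases := []struct {
		name           string
		srvMin, cliMax uint16
	}{
		{"site offers 1.2+, client uncapped", tls.VersionTLS12, tls.VersionTLS13},
		{"site offers 1.2+, middlebox caps at 1.2", tls.VersionTLS12, tls.VersionTLS12},
		{"site requires 1.3, middlebox caps at 1.2", tls.VersionTLS13, tls.VersionTLS12},
	}
	for _, c := range cases {
		v, err := Negotiate(c.srvMin, c.cliMax)
		if err != nil {
			fmt.Printf("%-42s -> handshake failed: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%-42s -> negotiated %s\n", c.name, names[v])
	}
}
```

Run it as a program to see all three cases printed; Negotiate is the reusable piece, returning the negotiated version constant so the outcome can be asserted rather than eyeballed. SessionTicketsDisabled is set only because net.Pipe is unbuffered and a real server would issue tickets; the policy it illustrates is unchanged. Against real sites, the same check amounts to confirming what happens to your users when the interception layer offers only TLS 1.2 to a site that has stopped accepting it.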

In my day job, I intercept/inspect TLS connections across several continents and on several thousand endpoints; it’s a tricky science and one that’s filled with compliance & policy questions above my paygrade. Microsoft’s move in the browser arena fills me with questions, and that’s before we consider mobile devices; so too should it fill you with questions if you are looking at CyberArk with an eye towards sharing secrets with non-admin users.

So, caveat emptor on this narrow point friends: a significant selling point of CyberArk’s featured product (injecting secrets into an HTTPS session) may not work a year or two from now. We raised this issue at #XFD1 and CyberArk says they have a plan for it, but eyes open!

Other than that though, I was really impressed. CyberArk gets the challenge facing Enterprise IT in this Wild West era. It intuitively understands the complexities of Enterprise secrets, PAM, insider vs outsider threats, and auditing/compliance requirements. The only place it seems to fall short is in sharing credentials from the ‘Vault’ to non-privileged users.

Check it out if:

  • You’ve got a heterogeneous stack of best-of-breed IT hardware & software and you’ve neglected integrating AAA security across that stack
  • You’re in an environment requiring heavy compliance & auditable proof across your stack against both insider & outsider threats
  • You want 2FA/MFA on old network switches, Macs, and Windows Servers
  • You want screen captures of your admin’s work on devices, servers, and services that you consider privileged
  • You’ve got cloud/SaaS management challenges even as you’ve centralized identity in on-prem Active Directory or other system

Ignore it if:

  • You’ve only ever bought Microsoft, only have Windows PCs & servers and Microsoft applications, and you have an MCSE on staff who understands Kerberos, Active Directory, NPS, RADIUS, ADFS, OAuth2/SAML, and has configured your AD environment to comply with various regulatory statutes and compliance regimes

This blog post was written by me, Jeff Wilson, for publication on my blog, wilson.tech. I was not compensated by CyberArk to compose this blog post, and CyberArk did not see it prior to its publication. I learned about the CyberArk products during Security Field Day 1 (#XFD1), an event for IT, Security, and Enterprise influencers that was held in December 2018 in & around Silicon Valley, California. The Gestalt IT group paid for my airfare, accommodations, and meals during the time I was in the greater San Jose, CA area. CyberArk and other sponsors paid Gestalt IT to bring Delegate influencers like me to #XFD1. I received no monetary compensation otherwise, save for the swag listed below.

CyberArk swag I took home:

  • A ballpoint pen

About Me: My name is Jeff Wilson. I am a 20 year IT Professional with a security focus. I hold a GSEC from the SANS Institute, as well as a Bachelor’s Degree in History & a Master’s in Public Administration, both of which are from CalState. I live & work in Southern California. You can reach me on twitter @jeffwilsontech or via email at blog@wilson.tech

Morpheus Data was our first sponsor at #CFD3 and, as is my custom before Tech Field Day events, I had done zero prep work on Morpheus. I had never heard of the firm, and as first-at-bat sponsors for #CFD3, they were facing 12 delegates full of energy and with decades of Information Technology experience between them. So how’d they do? I came away impressed. Let me tell you why: they have a heart for operations, and I’m an operations guy.

Morpheus Data – Background

I found Morpheus Data’s story pretty compelling when I read up on it later. The company started off more or less as an internal product inside a cost center of Bertram Capital, a private equity firm in the Bay Area. Now every company has a founding mythology, but Morpheus’s rings true to me. Here, I’ll quote from their site:

Bertram Labs is a world-class team of software developers and ops professionals whose sole purpose is to rapidly implement IT solutions to fuel the growth of the Bertram portfolio. In 2010, that team needed a 100% infrastructure agnostic cloud management platform which would integrate with the DevOps tools they were using to develop and deploy applications for a range of customers on an unpredictable mix of heterogeneous infrastructure. Such a tool didn’t exist so Bertram Labs created their own solution…

Just that phrase right there -an unpredictable mix of heterogeneous infrastructure- comprises the je ne sais quoi of my success as an 18 year IT Pro. Using ratified standards sent to us from on high by the greyhairs at the IETF & IEEE ivory towers, a competent IT Pro like myself can string together disparate hardware systems into something rational because most vendors sometimes follow those standards.

But it’s very hard work.  It’s not cheap either. And that act -that integration of a Cisco PoE switch with an Aruba access point or an iSCSI storage array with a bunch of Dell servers- isn’t bringing much value to the business. Perhaps it would be different if IT Shops could just start over with a rational greenfield infrastructure design, but that’s rare in my experience because the needs of IT aren’t necessarily aligned with the needs of the business.

Morpheus Data says they grew out of that exact scenario, which is immediately familiar to me as an ops guy. I find that story pretty encouraging; an internal DevOps team working for a private equity firm was able to productize their in-house scripts & techniques and are now a separate company. Damn near inspiring!

So what are they selling?

It’s Glue, basically. But well-articulated & rational glue.

Morpheus’ pitch is that their suite of products can take the pain out of managing & provisioning services from your stack of heterogeneous stuff, whether it’s on-premises, in one cloud, or several clouds. And by taking the pain out, you can move faster and bring more value to the business.

I’m not going to get into each product because frankly, I think they’re poorly named and not very exciting (Sharepoint-esque in a way: Analytics, Governance, Automation, Evolution, Integrations). But don’t let the naming confuse or dissuade you; it’s an exciting product and the pricing model is simple to understand.

Instead, let me describe to you what I saw during Morpheus’ Demo at #CFD3:

  • Performance data from on-premises virtualization servers running Hyper-V, VMware, and even Citrix’s XenServer, all in one part of the Morpheus web-based portal
  • You can drill down from each host to look at VM performance data too. Morpheus says they’re able to hook into both Hyper-V performance counters and VMware’s performance counters. That’s pretty awesome for a heterogeneous shop
  • Performance & controls over IaaS & PaaS instances in both Azure & AWS, again in the same screen
  • Menu-driven wizards that let you instantly provision a new virtual machine pre-configured for whatever service you want to run on it. Again -this could be done in the same tool and you can pick where you want it to go
  • Cost data from each public cloud
  • Rich RBAC controls, which is very important to me from a security & integrity standpoint
  • A composable role-based interface. For example, you can let your dev team log in to Morpheus and not worry about them offlining a .vhdx on a Hyper-V server

This chart from their website sums up their offering nicely in comparison with other vendors in this space.


Concluding Thoughts

I’ve worked in IT environments where purchasing has been less than rational. Indeed, I’ve worked at places where we had the very best equipment from multiple vendors, but nobody had the time or talent to integrate it all into a smooth & functional machine in service to the business.

Stepping back, the very nature of the integration puzzle has changed. I mentioned above that a competent IT Pro could stitch together infrastructure that used IETF, IEEE, w3c and other standards-based technologies. Indeed that’s been the story of my career.

But in 2018, the world’s moved on from that, for better and worse. The world’s moved on to proprietary Application Programming Interfaces (APIs), and so I’ve moved with it, creating my own PowerShell functions and Python scripts to interact with cloud-based APIs. You can do this too, given enough time & study.

But let’s be honest: it’s hard enough to manage & integrate a heterogeneous stack of best-of-breed stuff on-premises. Now your boss comes to you and wants you to add some Azure services & Office 365. And then someone on the business side orders up some Lambdas in AWS, surprise! Or perhaps a distant IT group at your company just went and bought Cloudflare or Rackspace. If you’re still trying to solve standards-based puzzles of yesteryear, while learning how to develop scripts & tools for use in a world of proprietary APIs, you’re probably not bringing much value to the business.

And that’s where Morpheus sees itself slotting in nicely…they’ve done the hard work of integrating with both your legacy on-premises standards-based systems and the API-driven cloud ones, and they release new integrations ‘every two or three weeks.’ They even take requests, so if you’ve got a bespoke stack of stuff that doesn’t surface SNMP properly, you can propose Morpheus build an integration for it.

Sidenote: One of the more dev-focused delegates at #CFD3 criticized the product as too ops-friendly (nobody cares to see all that stuff! he said), but I had to push back on him because details are important for ops teams, and Morpheus can surface an interface that’s safe for devs to use. And that’s why I say they’ve got a heart for operations teams.

On pricing: the products which again, have somewhat confusing names, at least offer simplified pricing. To get workload & ‘core features’ running on a VM in your datacenter, you’ll need to spend $25k to start. That seems high to me, but you’re essentially buying a DevOps integrator & engineer who can work 24/7 and doesn’t need health insurance or take vacation, which is pretty cool, and which helps you bring value to the business.

This blog post was written by me, Jeff Wilson, for publication on my blog, wilson.tech. I was not compensated by Morpheus Data to compose this blog post, and Morpheus did not see it prior to its publication. I learned about the Morpheus Data products during Cloud Field Day 3, an event for IT & Enterprise influencers that was held in April 2018 in Santa Clara, California. The Gestalt IT group paid for my airfare, accommodations, and meals during the time I was in Santa Clara. Morpheus and other sponsors paid Gestalt IT to bring Delegate influencers like me to #CFD3.

Morpheus Data swag I took home:

  • Cool stickers
  • A t-shirt

While scanning my kid’s birth certificate this AM, my mind wandered to Digital ID, x509 pki, and Facebook. Am I guilty of overthinking things a bit? Sure. But this time, I wrote a post about it.

Anyway, here is the child partition’s birth certificate with all the important bits obfuscated:

Just look at that thing. It’s beautiful…everything about my kid is right there on a single beautiful, crisp, official document:

  • Full Legal name
  • Home address
  • Birthday
  • The hospital he was born at
  • Various unique identifier numbers
  • Physical Description and birth weight
  • The physician who helped bring him into the world
  • Mom & Dad’s details, including where and when they were born

Embedded within the birth certificate is data about the authorities that issued it. Across the top blue banner is the highest authority: the State of California. Immediately below that (one might say almost chained to it) is, in effect, the issuing or intermediate authority: the County of Los Angeles’ Registrar-Recorder’s office. The Seal of the County is visible in the background near the middle of the document and in the lower right corner. And of course the Great Seal of the State of California is in the lower left. Near the bottom of the document is a signature by the County Registrar-Recorder/County Clerk (an elected office) that testifies to the document’s authenticity. And you can’t really see it here, but there’s a physical stamp on the document you can feel if you run your fingers over it that serves as, in effect, the fingerprint of the issuing authority. In fact, the whole document feels more like a crisp & clean $20 banknote than it does a piece of paper. There are ridges and subtle impressions all over this beautiful document signifying when my son came into the world!

With this single document, my child is entitled to the following:

  • He is automatically an American citizen
  • He is automatically a resident of the State of California
  • He can apply for and receive a United States Passport
  • He is entitled to attend public school at no cost
  • He is entitled, when of age, to legally work in this country, to vote, to marry, to serve in its armed forces, and  to contribute to and receive various social benefits

The United Nations’ Convention on the Rights of the Child says that registering every child born is so important it is a human right. To borrow a term from my 80s self, this is pretty heavy stuff.

x509 PKI

How my son’s identity chains up to a trusted source

Now if you’re a technologist, like I am, some of the words above might have tickled your spidey senses. Certificate. Issuing or Intermediate Authority. Seals. Signatures. Chained. Stamps. Authenticity. Identity. Authority. We practitioners of technology are quite familiar with these terms and how they work in the digital world thanks to the Elders of the Internet who developed, over time, the standards we all depend on today for security & identity on the internet: x509 Public Key Infrastructure.

I think x509 PKI is one of the least appreciated yet most important systems ever designed by humans, more important even than the plumbing technologies on which the internet depends today. x509 PKI is an incredibly elegant system that provides encryption over untrusted networks (the how), identifies with cryptographic certainty the parties involved in digital transactions (the who) and bundles it all up into a neat digital organization chart that anyone can inspect and look at any time (the what).

But x509 PKI is much more than just an elegant set of tech standards. It functions as a digital overlay of our existing, stable and analog identity system, which begins with the Birth Certificate issued to you when you are born and ends with a Death Certificate issued to your family when you die. In this way, x509 PKI is a profoundly democratic and empowering system that takes our real world identity system and makes it available to us over the world’s largest untrusted network, also known as the internet.

The problem is nobody knows that, nobody cares and even those who do aren’t entirely comfortable with extending it past the way it’s currently used.

Digital ID

We have a big problem on the internet today: all of us operating on the internet lack any sort of Digital ID that mirrors the real world identities that have been issued to us by our nation-states. Much of the angst and concern and outright abuse on the internet could be solved if we the people had a Digital ID that, built upon x509 PKI, cryptographically proved our identity during certain important transactions on the internet.

How would that work and what would my Digital ID look like? That’s the beauty of x509 PKI: part of this has already been solved. A Digital ID would overlay the way in which you are identified by government & legal systems in the real world. As to the form it would take? It could and should be as simple as a credit-card sized device issued to you by local authorities, which you own and care for, and which identifies you and chains up from the local issuing authority to your state/province or nation, just like the Birth Certificate my son was issued.
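The chain-of-trust mechanics from the x509 PKI section above and the “chains up from the local issuing authority to your state” idea here, as an added example that is not part of the original post: this Go program (standard library only) builds a constructed three-level hierarchy, a “State” root CA signing a “County Registrar” intermediate that in turn issues a child’s “Digital ID”, verifies the ID back to the root, and then shows that an ID bearing the same name but signed by a self-appointed authority is rejected. Every name and key here is constructed for the example; none is a real CA or a real ID.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed authority names mirroring the birth certificate's hierarchy:
// State (root) -> County Registrar (intermediate) -> the child's ID (leaf). None is a real CA.
const (
	rootName   = "State of California Root CA (constructed)"
	countyName = "LA County Registrar-Recorder Issuing CA (constructed)"
	childName  = "Digital ID: child (constructed)"
)

// check panics on error; key and certificate generation only fail on programming errors here.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// template builds a minimal certificate body; only CAs are allowed to sign other certificates.
func template(cn string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl with the parent's private key (self-signed when parent is tmpl
// itself): the digital counterpart of the Registrar's signature and embossed seal.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// VerifyID checks that id chains through a trusted intermediate to a trusted root
// and returns the verified chain, leaf first (the paper trail from child up to State).
func VerifyID(id, intermediate, root *x509.Certificate) ([]*x509.Certificate, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	chains, err := id.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	if err != nil {
		return nil, err
	}
	return chains[0], nil
}

// Demo builds and verifies the State -> County -> child chain, then shows that an ID
// signed by a self-appointed authority (no path to the State root) is rejected.
func Demo() (chain []*x509.Certificate, untrustedErr error, err error) {
	newKey := func() *ecdsa.PrivateKey {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		check(err)
		return k
	}
	rootKey, countyKey, childKey, rogueKey := newKey(), newKey(), newKey(), newKey()
	rootTmpl := template(rootName, true, 1)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	county := issue(template(countyName, true, 2), root, &countyKey.PublicKey, rootKey)
	child := issue(template(childName, false, 3), county, &childKey.PublicKey, countyKey)
	if chain, err = VerifyID(child, county, root); err != nil {
		return nil, nil, err
	}
	rogueTmpl := template("Self-Appointed Authority (constructed)", true, 4)
	rogue := issue(rogueTmpl, rogueTmpl, &rogueKey.PublicKey, rogueKey)
	forged := issue(template(childName, false, 5), rogue, &childKey.PublicKey, rogueKey)
	_, untrustedErr = VerifyID(forged, county, root) // same name on the ID, no path to the root
	return chain, untrustedErr, nil
}

func main() {
	chain, untrustedErr, err := Demo()
	check(err)
	for _, c := range chain {
		fmt.Println("trusted:", c.Subject.CommonName)
	}
	fmt.Println("untrusted ID rejected:", untrustedErr)
}
```

The relying party only needs the State root in its trust store; the County intermediate travels with the ID, exactly as the county seal travels on the paper certificate.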

Having been issued a Digital ID along with a Birth Certificate, my son, once he was of age, would ideally have the choice of where and when to use his Digital ID on the internet. I say ideally because implementation of Digital ID is the fuzzy grey area problem that really needs to be solved in the public square. In my view, a Digital ID should not be required to use the internet (say to search it or read from it), but may be required by companies or institutions that provide services on the internet (such as posting information in a public forum in social media that requires real user names).

For instance, maybe a social media provider that requires users to post as themselves would require you to submit your Digital ID for verification. Public clouds might require your Digital ID whenever you make an assertion that you are who you say you are (such as when you ‘sign’ a digital PDF). You could use your Digital ID when you apply for a job online, or to digitally sign documents you own or any scripts or code you write**. It could be used for a lot of things, but it should be your choice when to use it, and ideally you’d have the right to revoke your Digital ID from any service you wish to part ways with.

Are there serious privacy and security concerns about Digital ID, even in my vision of it? Yes of course. I can’t present a solution for everything here, nor is it my job to. And I’m certain anarchist-techno-libertarians would fight to keep the internet fully anonymous, but I and a growing number of people aren’t happy with how those values have shaped the digital public commons we now collectively inhabit.

I am convinced existing democratic systems, with expert advice & counsel, could legislate a decent Digital ID system that maps most of the things I do online to my real-world identity and is owned by me and me alone. Moreover, I feel that there has been an incidental and favorable ‘split’ in how society uses the internet that suggests Digital ID could work to solve many of the problems. For instance, many people hardly use a browser or a PC at all anymore; their primary compute device is a mobile phone, and their only interface to the internet is the Facebook app. Many others are still using the internet as we’ve used it for the last 30 years: to search, find, and view information. Requiring a Digital ID to be used before posting information to the former would not necessarily mean it’s required while using the latter.

The problem is no one is having this conversation. Digital ID is not on the agenda anywhere in the west, and only India has embraced it at scale. That’s not only frustrating, it’s really dangerous because the only alternative to Digital ID is going to be something like China’s Firewall or outsourcing identity to a private corporation like…


Facebook is in the crosshairs on multiple fronts, and rightly so in my view. The sheer scale of Facebook is incredible.

Let’s do a little thought experiment so we can appreciate the scale of this thing: imagine Facebook as an online society rather than a multinational corporation. This society is populated with 2 billion humans and overseen by about 17,000. At the top of this online nation-state is a C-suite, just like other corporations. The Chief Executive of this online society is Mark Zuckerberg. With him at the top are boards of directors, but Zuckerberg calls the shots in the Kingdom of Facebook.

Credit: mrscainsclass.com

The two billion residents of this online society labor without compensation for Facebook, creating and then giving data to the giant for free. Every photograph and video, along with data on all the things the residents like and dislike and talk about, is given by the residents to the people who own the kingdom. No compensation is given back to the residents of this nation-state for their work, which means Facebook is historically somewhere between a mercantilist nation-state and a kingdom that extracts wealth from its residents/subjects.

In return, the Facebook nation-state publishes news, information, and photos/videos/posts from other friends and family who are resident in Facebook. Lately, Facebook is under fire because it does zero to authenticate whether the information its residents consume is genuine. More than that though, it freely makes available to anyone anywhere at any time tools that allow bad actors to reach out and influence any group or sub-group of its residents for pennies.

The other important thing about the Facebook kingdom is this: unlike the stodgy old democracies of the real world, the residents of the kingdom of Facebook have no vote or say in how this mercantilist society is run. In the kingdom that Facebook runs, people do not have rights and there is no rule of law. There is only rule by fiat, so the rules tend to follow that which is good for shareholders.

Government issued Digital ID would solve much of this problem. Facebook knows it and the US Government knows it. But there’s more than enough hubris and conceit in Facebook & Silicon Valley in general that you can bet in the next six to 12 months, someone in Silicon Valley will propose the outsourcing of Vital Records to private tech industry players. And because of our dysfunction in Washington, we’ll likely let them.

I don’t like that future and we should be having a conversation about Digital ID to forestall it from happening.

It’s been a hell of a few days here in the trenches of Information Technology in 2017. Where to begin?

Between explaining how this all works to concerned friends & family, answering my employer’s questions about our patching posture & status, and reading the news & analysis, I think it’s safe to say that WCry has been in my thoughts for every one of the last 72 hours, including the 24 hours of Mother’s Day and all the hours I spent in restless slumber.

Yes, that’s right. WCry was on my mind even as I celebrated Mother’s day for the three women I’m close to in my life who are mothers. Wow. Just wow.

Having had the chance to catch my breath, I’ve got some informed observations about this global incident from my perspective as an IT Pro. Why is WCry as interesting & novel as it is potent and effective in 2017? And is there any defense of an IT team one might make if their organization got pwned by WCry?

I contemplate both questions below.

WCry successfully chains a social engineering attack with a technical exploit resulting in automated organization pwnage
WCry begins as a social engineering/phishing attack on users in the place they love and hate in equal measure: their Inbox. Using Subject lines that draw the eye, the messages include malicious attachments. This facet of WCry is not new of course… it’s routine and has been in IT for at least two decades.

How WannaCry works

Once the attachment is clicked, WCry pivots, unleashing an NSA-built cyberweapon upon the enterprise by scanning port 445 across the local /24, cycling through cached RDP accounts and calling special attention to SQL & Exchange services, presumably to price the ransom accordingly.

Then it encrypts. Nearly everything.

All of this from a single email opened by a gullible user.

This behavior -socially engineered attack on human meatbag + scan + pivot to the rest of the network- is also not novel, new or remarkable. In fact, security Pros call this behavior “moving laterally” through an enterprise and they usually talk about it being done from a “jump box” or “beachhead” that’s been compromised via social engineering. Typically, security pros will reserve those terms to describe the behavior of a skilled & hostile hacker meatbag intent on pwning a targeted organization.

Where WCry is novel is that it in effect automates the hacker out of the picture, making the whole org pwnage process way more efficient. This is Organization-crippling, self-replicating malware at scale. Think Sony Pictures 2014, applied everywhere automatically minus the North Korean hacker units at the keyboard.


The red Wcry “Ooops” message is both informative and visually impressive, which multiplies its influence beyond its victims
As these things go, I couldn’t help but be impressed with Wcry’s incredibly detailed and anxiety-inducing UI announcing a host’s Wcry infection:

This image, or some variant thereof, has appeared on everything from train station arrival/departure boards to manufacturing floor PCs to hospital MRIs to good old-fashioned desktop PCs in Russia’s Interior Ministry. The psychological effects of seeing this image on infected hardware, then seeing it again on popular social media sites, the evening news, and newspapers around the world over the last few days are hard to determine, but I know this: this had an effect on normal consumers and users of technology across the globe. Sitting on my lap Saturday, my four-year-old saw the image in my personal OneNote pastebin and asked me, “Daddy, is that an alarm? Why does it show a lock? Do you have key?”

What’s interesting is that while computer users saw this or a screensaver version of this image, in reality you could click past it or minimize it in some way. Yet images of this application have proliferated on Twitter, FaceTube and elsewhere. Ransomware used to just announce itself in the root of your file share or your c:\user\username\documents folder: now it poses for screen caps and cell phone pics which multiplies its effectiveness as a PsyOps weapon. By Saturday I was reading multiple articles in my iPad’s Apple News about how regular people could protect themselves from the ‘global cyberattack.’

Its function is not just about encrypting file shares like earlier ransomware campaigns, but about owning Enterprises
If my organization or any organization I was advising got hit by WCry, my gut feeling is that I wouldn’t feel secure about my Forest/Domain integrity until I burned it down and started over. Why? Well, big IT security organizations like Verizon’s Enterprise Security group typically don’t classify ransomware as a ‘data breach’ event. Yet, as we know, Wcry installs a Pulsar backdoor that enables persistent access in the future. This feels like a very effective escalation of what it means to be ransomed in modern IT organizations, so yeah, I wouldn’t feel secure until our forest/domain was burned to the ground.

It is the manifestation of a Snoverism: Today’s nation-state cyberweapon is tomorrow’s script-kiddie attack
I was listening to the father of PowerShell, Jeff Snover, once, and he implanted yet another Snoverism in my brain. He said, paraphrasing here, that today’s nation-state attack is tomorrow’s script-kiddie attack. What the what?

Jeff Snover, speaker of wisdom

Let’s unpack: the democratization of technology, the shift to agile, DevOps, and other development disciplines along with infrastructure automation has led to a lot of great things being developed, released and consumed by users very quickly. In the consumer world this has been great -Alexa is always improving with new skills…Apple can release security patches rapidly, and FaceTube can instantly perform A/B testing on billions of people simultaneously. But not well understood by many is the fact that Enterprises and even individuals can harness these tools and techniques to instantly build and operate data systems globally, to get their product, whatever it may be, to market faster. The classic example of this is Shadow IT, wherein someone in your finance team purchases a few seats on Salesforce to get around the slow & plodding IT team.

I think Snover was observing that bad guys get the same benefits from modern technology techniques & the cloud as consumers and business users do.

And as I write this on Monday, what are we seeing? WCry is posted on GitHub and new variants are being created without the kill-switch/sandbox detection domain. EternalBlue, the component of WCry that exploits SMB1, was literally just a few months ago a specialized tool in the NSA’s cyber weapons arsenal. By tomorrow it will be available to any kid who wants it, or, even worse, as a push-button turn-key service anybody can employ against anybody else.

The democratization of technology means that no elite or special knowledge, techniques or tools are required to harness technology to some end. All you need is motive and motivation to do things at scale. This week, we learned that the democratization of technology is a huge double-edged sword.

It was blunted by a clever researcher for about $11
Again on the democratization of technology front, I find it fascinating that MalwareTech was able to blunt this attack by spending $11 of his own money to purchase the domain he found encoded in the output of his decompile. He’s the best example of what a can-do technologist can do, given the right amount of tools and freedom to pursue his craft.

It has laid bare the heavy costs of technical debt for which there is no obvious solution
Technical debt is a term used in software engineering circles and computer science curricula, but I also think it can and should apply to infrastructure thinking. What’s technical debt? Take it away Wikipedia:

Technical Debt is a metaphor referring to the eventual consequences of poor system design, software architecture, or software development within a codebase. The debt can be thought of as work that needs to be done before a particular job can be considered proper or complete. If the debt is not repaid, then it will keep on accumulating interest, making it hard to implement changes later on.

I can’t tell you how many times and at how many organizations I’ve seen this play out. Technical Debt, from an IT Pro’s perspective, can be the refusal to correct a misconfiguration of an important device upon which many services are dependent, or it can be a poorly-designed security regime that takes bad practice and cements it into formal process & habit, or it can be a refusal to give IT the necessary political cover & power to change bad practices or bad design into something durable and agile, or it can be refusing to patch your systems out of fear or a desire to kick the can down the road a bit.

Over time, efforts will be made to pay that technical debt down, but unless a conscious effort is made consistently to keep it low, technical debt eventually -inevitably- becomes just as crippling to an organization as credit card debt becomes to a consumer. Changes to IT systems that in other organizations are routine & easy become hard and difficult; and hard changes in other companies are close to impossible in yours.

This is a really bad place to be for an IT Pro, and now WCry made it even worse by exploiting organizations that have high technical debt, particularly as it relates to patching. Indeed, it’s almost as if the author of this malware understood at a basic fundamental level how much technical debt organizations in the real world carry.

There is no obvious solution to this. We can’t force people to use technology a certain way, or even to think of technology in a certain way. The point of going into business is to make money, not to build durable & secure and flexible technology systems, unless that is your business. Cloud services are the obvious answer, but they can’t do things like run MRI machines or interface with robots on the Nissan assembly line. At least not yet. And nobody wants regulation, but that’s a topic for another post.

It has shown how hard it is to maintain & patch systems that are in-use for more than a typical workday
If we ignore the way WCry rampaged through Russia, China and other places where properly licensing your software is considered optional, something else interesting emerges: the organizations that were hardest hit by Wcry were ones in which technology is likely in use beyond the standard 8 hour workday, which likely makes patching those technology systems all the more difficult.

While reporting on the NHS fiasco has zoomed in on the fact that the UK’s healthcare system had Windows XP widely deployed, I don’t think that tells the whole story; even if it were true that 100% of NHS systems ran XP, it still wouldn’t. I can easily see how patching in such environments could be difficult based on how much those systems are used. Hospitals and even out-patient facilities typically operate more than 8 hours a day; finding a slot of time in a given 24 hour period in which you can, with the consent of the hospital, offline healthcare devices like MRI machines to update & reboot them is probably more difficult than it is in a company where systems are only required to be up between 7am and 6pm, for instance.

On and on down the list of WCry’s corporate victims this pattern continues:

  • Nissan: factory control machines were infected with WCry. How easy is it to patch these systems amid what is surely a fast-paced, multi-shift, high-volume operating tempo?
  • German train system: Literally the computers that make the trains run on time have been hit by WCry. Trains and planes operate more than 8 hours a day, making them difficult to patch
  • Telefonica & Portugal Telecom: more infrastructure companies that operate beyond a standard 8 hour day and got hit by WCry

I know banks & universities were hit as well, but they’re the exception that points at the rule emerging: Security is hard enough in an 8 hour a day organization. But it’s extra, extra hard when half of a 24 hour day, or even 2/3rds of a 24 hour day is off-limits for patching. Without well-understood processes, buy-in and support from management, discipline and focus on the part of a talented IT team, such high tempo operating environments will inevitably fall behind the security curve and be preyed upon by WCry and its successors.

It has demonstrated dramatically the perpetual tension between uptime, security and the incentives thereof for IT
This is similar to the patching-is-hard-in-high-tempo-organizations claim, but focuses on IT incentives. For the first 20 or 30 years of Information Technology, our collective goal and mission in life was to create, build and maintain business systems that have as much uptime as possible. We call this ‘9s’ as in, “how many ya got?!?”, and it’s about the only useful objective measure by which management continues to sign our check.

Here, I’ll show you how it works:

IT Pro # 1: I got five 9s of uptime this month, that’s less than 26 seconds of unplanned downtime!

IT Pro #2: Still doesn’t touch my record in March of 2015, where I had six 9s (2.59 seconds of downtime) for this service!
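The arithmetic behind that exchange, as an added example that is not code from the original post: it turns a count of nines into a downtime budget for a period, turns measured downtime back into nines, and shows how many reboots of a given length fit inside the budget. It assumes a 30-day month and a 365-day year; the post's figures (26 seconds for five 9s, 2.59 seconds for six 9s) come out of the same arithmetic for a 30-day month.

```python
"""Availability ("nines") arithmetic behind the IT Pro exchange.

Added example, not code from the original post. Assumes a 30-day month
(2,592,000 seconds) and a 365-day year.
"""

SECONDS_PER_DAY = 24 * 3600
MONTH_SECONDS = 30 * SECONDS_PER_DAY   # assumption: 30-day month
YEAR_SECONDS = 365 * SECONDS_PER_DAY   # assumption: non-leap year


def availability_from_nines(nines: int) -> float:
    """Availability fraction for N nines, e.g. 5 -> 0.99999."""
    if nines < 1:
        raise ValueError("nines must be >= 1")
    return 1.0 - 10.0 ** (-nines)


def downtime_budget_seconds(nines: int, period_seconds: int = MONTH_SECONDS) -> float:
    """Seconds of downtime allowed in the period while still meeting N nines."""
    return (1.0 - availability_from_nines(nines)) * period_seconds


def nines_achieved(downtime_seconds: float,
                   period_seconds: int = MONTH_SECONDS,
                   max_nines: int = 9) -> int:
    """Whole number of nines delivered, given measured downtime in the period.

    Walks down from max_nines and returns the first level whose budget
    covers the measured downtime; zero downtime therefore reports max_nines.
    Comparing against the budget instead of taking a logarithm avoids
    floating-point edge effects at exact multiples of ten.
    """
    if downtime_seconds < 0:
        raise ValueError("downtime cannot be negative")
    for n in range(max_nines, 0, -1):
        if downtime_seconds <= downtime_budget_seconds(n, period_seconds) + 1e-9:
            return n
    return 0


def reboots_within_budget(nines: int, reboot_seconds: float,
                          period_seconds: int = MONTH_SECONDS) -> int:
    """How many reboots of reboot_seconds each fit in the N-nines budget.

    This is the uptime-versus-patching tension in one number: a five 9s
    monthly target does not leave room for even one five-minute reboot.
    """
    if reboot_seconds <= 0:
        raise ValueError("reboot duration must be positive")
    return int(downtime_budget_seconds(nines, period_seconds) // reboot_seconds)


if __name__ == "__main__":
    for n in (3, 4, 5, 6):
        print(f"{n} nines: {downtime_budget_seconds(n):8.3f} s/month, "
              f"{downtime_budget_seconds(n, YEAR_SECONDS):9.3f} s/year, "
              f"{reboots_within_budget(n, 300)} five-minute reboots/month")
    print("26 s of downtime this month is", nines_achieved(26), "nines")
```

Run it and the five 9s row prints 25.920 seconds per month, matching the "less than 26 seconds" in the exchange; note that a single 26-second outage already drops the month to four 9s, which is why a reboot for a patch is such an expensive thing to ask for in this model.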

Uptime is our raison d’être, the thing we get paid to deliver the most. We do not get paid, in general, to practice our craft the right way, or the best-practice way, per se. We certainly do not get paid to guard against science-fiction tales of security threats involving cyber-weapon worms that encrypt all our data.

We are paid to keep things up and running because, at the end of the day, we’re a cost center in the business. It takes a rare and unique and charismatic manager with support from the business to change that mindset, to get an organization beyond a place where it merely views IT as a cost-center and a place to call when things that are supposed to be up are down.

And that’s part of the reason why Wcry was so effective around the globe.

It has spawned a bunch of ignorant commentary from non-technical people who are outraged at Microsoft

Zeynep Tufekci, an outstanding scholar of good reputation studying the impact of technology on society, wrote a piece in the NYT this weekend that had my blood boiling. Effectively, she blames Microsoft and incompetent IT teams for this mess:

First, companies like Microsoft should discard the idea that they can abandon people using older software. The money they made from these customers hasn’t expired; neither has their responsibility to fix defects. Besides, Microsoft is sitting on a cash hoard estimated at more than $100 billion (the result of how little tax modern corporations pay and how profitable it is to sell a dominant operating system under monopolistic dynamics with no liability for defects).

This is absurd on its face. She’s essentially arguing that software manufacturers extend warranties on software forever. She continues:

For example, Chromebooks and Apple’s iOS are structurally much more secure because they were designed from the ground up with security in mind, unlike Microsoft’s operating systems.

Tufekci, whom I really like and enjoy reading, is trolling us. 93% of Google’s handsets don’t run the latest Google OS, which means many people -close to a billion by my count- are, through no fault of their own, carrying around devices that aren’t up to date. Should they be supported forever too? And Apple’s iPhone, as much as I love it, can’t run an assembly line that manufactures cars, never mind coordinate an MRI machine.

Rubbish. Disappointed she wrote this.

For all the reasons above, Wcry is not the fault of Microsoft any more than it’s the fault of the element Copper. If anything, the fault for this lies in the way we think about and use technology as businesses and as individuals. Certainly, IT shares some of the blame in these organizations, but there are mitigating factors as I spoke about above.

Mostly, I lay the blame at the NSA for losing these damned things in the first place. If they can’t keep things secure, what hope do most IT shops have?

It has inspired at least one headline writer to say your data is safer with FaceTube than with your hospital
Again, more rubbish and uninformed nonsense from the normals. Sure, my data might be safer from third party hackers if I were to house it inside FaceTube, but then again, adtech companies might just buy that same dataset, anonymized, connect dots from that set to my online behavior dataset, and figure out who I really am. That’s FaceTube’s business, after all!