Sunday, January 29, 2017

A Venezuelan Anti-Chavista Offers Some Advice on Resisting Trump

So immediately after offering my advice on the best way to disarm Trump and his populism, I come across this article: How to Culture Jam a Populist in Four Easy Steps.

Written by an anti-chavista, it attempts to apply lessons learned in that effort to resisting Trump. They are:


Don't Forget Who The Enemy Is:  Populism can only survive amid polarization. It works through caricature, through the unending vilification of a cartoonish enemy. Pro tip: you’re the enemy. Yes, you, with the Starbucks cup. Trump needs you to be the enemy just like all religions need a demon. As a scapegoat. “But facts!”, you’ll say, missing the point entirely.

Show No Contempt:  Your organizing principle is simple: don’t feed polarization, disarm it.  This means leaving the theater of injured decency behind.  The Venezuelan Opposition struggled for years to get this. It wouldn’t stop pontificating about how stupid it all is. Not only to their international friends, but also to the Chavista electoral base itself.

Don't Try To Force Him Out:  The people on the other side, and crucially Independents, will rebel against you if you look like you’re losing your mind. Worst of all, you will have proved yourself to be the very thing you’re claiming to be fighting against: an enemy of democracy. And all the while you’re just giving the Populist and his followers enough rhetorical fuel to rightly call you a saboteur, an unpatriotic schemer, for years to come.

Find A Counter-Argument (No, Not The One You Think):  Don’t waste your time trying to prove that this ism is better than that ism. Ditch all the big words. Why? Because, again, the problem is not the message but the messenger. It’s not that Trump supporters are too stupid to see right from wrong, it’s that you’re much more valuable to them as an enemy than as a compatriot.

The problem is tribal. Your challenge is to prove that you belong in the same tribe as them: that you are American in exactly the same way they are.
I don't think this contradicts my earlier advice, but it is a lot more complete while still being succinct.

Samizdata: #GamerGate - the canary in the coal mine and my thoughts

Perry de Havilland writes:

Looking back, it’s hard to overstate the cultural significance of GamerGate: it marked when the Left suddenly and unexpectedly lost control of social media, right at the point where the influence of social media actually started to matter.
...
So certain was the Left that they had won the culture war, so confident with the established media under their effective control that ‘truth’ was theirs to declare, motivating them to give up on any pretence of objectivity.
And in his (her?) opinion this lack of introspection / misreading of the populace is what cost the British establishment the Brexit vote and America (both Right and Left) the Trump vote.

I agree.

Chris over at Carnifex.org and I have discussed this a few times at our Friday night games (I don't think I have actually convinced him). GamerGate was a warning sign that everyone missed: it was the first time in recent memory that a group wasn't cowed by the collective press. The gaming press would say "You're a bunch of racists and sexists" and GamerGate would respond with "No, we're not. Fuck you" and double down.

That is exactly what happened with Trump, and there were people (I am proud to say I was one, although I greatly underestimated Trump's chance of winning) who were pointing it out:

Anyway, she responded that London had voted against Brexit too, and then followed up with something on the order of, "Only bigoted ignorant rubes voted for leaving the EU". A couple of seconds passed and she followed up with, "The same bigoted ignorant rubes from places like the South that are voting for Donald Trump". Everyone laughed. (Those are paraphrases, not actual direct quotes, but they are pretty close.)

I looked over at the guy who was sitting next to me and he was looking kind of quizzical too, so I said, "Do you think that constantly being referred to as bigoted ignorant rubes might be one of the reasons people are voting for Trump?"
Now we have Trump and an immigration ban that people find to be the worst outrage in the history of moral outrages, and people still aren't catching on. Protest all you want; you are strengthening Trump's power in his base. Call his supporters racists, homophobes, etc. They will wear it like a badge of honor.

I'm not saying don't engage; I'm saying engage his supporters, not the policy. In the words of Alinsky (probably taken out of context, but it will work): Isolate the target. Personalize it. Then make Trump supporters live up to their ideals.

1. Ask whether they know anyone affected by the ban.
2. If they say yes, ask how it is affecting them. If they say no, introduce them to someone who is affected.
3. Make them justify the ban as applied to those individuals while linking it back to their sense of community and charity.

That's specific to this case, but in general that is how you are going to beat Trump: not with noise and disruption.
(Also, if you really want to beat Trump, get Ivanka on your side. Instead of insulting her (Joss Whedon), appeal to her.)

Saturday, January 21, 2017

A good question from Instapundit

A FORMER STUDENT, HERSELF SUCCESSFUL AND UPWARDLY MOBILE, WRITES: “When I was growing up, people my age who were enjoying the fruits of their success and focused on being even more successful were called yuppies. It’s not a thing anymore. We have millennials, hipsters, but no term for the young newly upper middle class with good jobs and nice homes. Is that because success is shameful now? Are there not enough of these people?”
source 

It's a good question, and as I have stated before, this is part of what drove Trump's (and Sanders' unsuccessful) campaign. People who know me know I am a free trade advocate, but it was supposed to be trade, which implies a two-way street.

Friday, January 20, 2017

Am I An Anti-Intellectual? And Is Obama Just Too Damned Smart?

Today I saw an article in the Washington Post,  David Gelernter, fiercely anti-intellectual computer scientist, is being eyed for Trump’s science adviser:

Gelernter is a pioneer in the field of parallel computation, a type of computing in which many calculations are carried out simultaneously. The programming language he developed in the 1980s, Linda, made it possible to link together several small computers into a supercomputer, significantly increasing the amount and complexity of data that computers can process. Since then he has written extensively about artificial intelligence, critiquing the field's slow progress and warning of AI's potential dangers.

In 1993, Gelernter was seriously injured by a letter bomb sent by Ted Kaczynski, the anti-technology terrorist known as the Unabomber.

Beyond computer science circles, Gelernter has made a name for himself as a vehement critic of modern academia. In his 2013 book, “America-Lite: How Imperial Academia Dismantled Our Culture (and Ushered in the Obamacrats),” he condemned “belligerent leftists” and blamed intellectualism for the disintegration of patriotism and traditional family values. He attributed the decline in American culture to “an increasing Jewish presence at top colleges.” (Gelernter himself is Jewish.)
That made me think, what exactly is an anti-intellectual?

The Wikipedia article states: "Anti-intellectualism is hostility towards and mistrust of intellect, intellectuals, and intellectual pursuits, usually expressed as the derision of education, philosophy, literature, art, and science, as impractical and contemptible."

I don't think that really describes me, and I question whether, given his lifelong pursuit of advances in computer science, it really applies to Dr. Gelernter either.

Thomas Sowell offers a different definition:

Economist Thomas Sowell argues for distinctions between unreasonable and reasonable wariness of intellectuals. Defining intellectuals as "people whose occupations deal primarily with ideas" as distinct from those who apply ideas practically, Sowell argues that there can be good cause for distrust of intellectuals. When working in their fields of expertise, intellectuals have increased knowledge. However, when compared to other careers, Sowell suggests intellectuals have few disincentives for speaking outside their expertise, and are less likely to face the consequences of their errors. For example, a physician is judged by effective treatment, yet might face malpractice lawsuits if he harms a patient. In contrast, a university professor with tenure is less likely to be judged by the effectiveness of his ideas and less likely to face repercussions for his errors:

By encouraging, or even requiring, students to take stands where they have neither the knowledge nor the intellectual training to seriously examine complex issues, teachers promote the expression of unsubstantiated opinions, the venting of uninformed emotions, and the habit of acting on those opinions and emotions, while ignoring or dismissing opposing views, without having either the intellectual equipment or the personal experience to weigh one view against another in any serious way.[3]
I like that definition, or opinion, or what have you. I think most ideas that come out of the purely academic realms need to be approached with a degree of mistrust (just like I think most of Silicon Valley's claims of creative disruption should be examined skeptically). I don't really think that qualifies as anti-intellectual though. I think that is healthy skepticism and is in fact something that should be taught in school.

I can't speak for Dr. Gelernter, but I'll give myself a pass on this one.


Second question - Is Obama just too damned smart?

This is legitimate. 

Yesterday I was listening to NPR and they were discussing Obama's legacy and political polarization. The host at one point asked the guest (again, I am not making this up), "Is it possible that one of President Obama's problems is that he is so intellectual, that he so thoroughly examines a problem, that after he makes up his mind he can't see how anyone can possibly disagree with him? That if they do disagree it must be malicious in intent?"

The guest of course responds, "Yes, you've hit the nail on the head" or something similar. Now this isn't the first time I have heard this argument advanced, and being widely acknowledged as a moron, I usually just accept it and move on. But this article on Gelernter got me thinking: if this were a Republican President, this wouldn't be looked at as some sort of advanced intellectual process leading the President to undoubtedly correct conclusions. No, it would be seen as a sign of intellectual rigidity unworthy of the leader of the free world.

Just sayin'...


Wednesday, January 18, 2017

Man I am happy - ITPro.tv is putting together a GSEC course

SANS GIAC is one of those organizations that is viewed as a kind of premier provider of services, in this case training and certification of information security personnel. They have a number of training courses and associated certifications, and their certs are viewed very highly.

Here is the problem: they are majorly expensive. Training is somewhere around $5600 for a 4 or 5 day course, and the exams for the cert are about $700 each. Self study is almost impossible because there aren't any materials available unless you can find someone selling theirs on eBay, and even then course books can go for $800.

These guys have a stranglehold and they wring every possible dime out of it. So imagine my joy when I signed onto ITPro.tv and found they are putting together a GSEC course. (GSEC is one of GIAC's entry-level certs that meets the DoD 8570 requirements for IAT Level II.) I have some materials from work and other sources, so with this course I am hoping to be able to put together a decent self-study program and knock out this exam.

Tuesday, January 17, 2017

Chelsea (nee Bradley) Manning's Sentence Commuted

To be released 17 May.

I have to say, even though I argued earlier this week that Manning's sentence should be commuted, instinctively this pisses me off.

Oh well, I'll live with it, and the country will survive.

Monday, January 16, 2017

8 Men As Rich As Half The World. Are Any Looking For A 52 Year Old Moron To Adopt As Their Son? - What I Am Reading 1/16/2017

Seattle Times - Stark inequality: Oxfam says 8 men as rich as half the world -
DAVOS, Switzerland (AP) — The gap between the super-rich and the poorest half of the global population is starker than previously thought, with just eight men, from Bill Gates to Michael Bloomberg, owning as much wealth as 3.6 billion people, according to an analysis by Oxfam released Monday.
I'm not sure I believe these numbers, but even if I did, I definitely don't accept Oxfam's contention that it is immoral for people to accumulate large amounts of wealth.
“It is obscene for so much wealth to be held in the hands of so few when 1 in 10 people survive on less than $2 a day,” said Winnie Byanyima, executive director of Oxfam International, who will be attending the meeting in Davos. “Inequality is trapping hundreds of millions in poverty; it is fracturing our societies and undermining democracy.”
Maybe there is such a thing as too much wealth. But what is driving inequality is not the fact that these men are successful.  It's government policies that actively loot from the population.  It's governments holding one group of people in thrall while another enjoys all the advantages of their work.  It's policies like blocking GMOs for use in feeding starving populations or blocking effective mosquito eradication programs to prevent malaria and yellow fever.  It is a host of diverse complicated issues and what is immoral is targeting people like Bill Gates as the cause.

The Register - Google reveals its servers all contain custom security silicon: Even the servers it colocates (!) says new doc detailing Alphabet sub's security secrets -

Revealed last Friday, the document outlines six layers of security and reveals some interesting factoids about the Alphabet subsidiary's operations, none more so than the disclosure that: “We also design custom chips, including a hardware security chip that is currently being deployed on both servers and peripherals. These chips allow us to securely identify and authenticate legitimate Google devices at the hardware level.”
That silicon works alongside cryptographic signatures employed “over low-level components like the BIOS, bootloader, kernel, and base operating system image.”

A quick read was pretty interesting. It looked like I could pretty easily map most of their controls to the top 5 of the SANS 20 Critical Security Controls.
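The two quotes above describe the part of Google's design a defender can actually reason about: every boot stage is checked before it runs, and the first check is anchored in a hardware chip rather than in software that could itself be replaced. The Python below is an added example written for this post, not Google's code or anything from their document. It substitutes SHA-256 digests for the signatures Google uses (so it runs on the standard library alone), and the stage names, images and "hardware" root value are constructed.

```python
import hashlib
from typing import List, Optional, Tuple

# Added example, not Google's code: a simplified chain of trust in the
# spirit of the document quoted above. Each stage carries the digest it
# expects for the stage after it; the first digest is held by a hardware
# root of trust (the "security chip"). Real systems verify signatures over
# each stage; SHA-256 digests stand in for them here.

STAGES = ["BIOS", "bootloader", "kernel", "base OS image"]
MARKER = b"\n#expect-next:"


def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def build_images(payloads: List[bytes]) -> Tuple[str, List[bytes]]:
    """Assemble the chain back to front: image = payload || digest(next image).
    Returns (root digest to burn into the hardware chip, ordered stage images)."""
    images: List[bytes] = []
    next_digest = b""  # the final stage has nothing after it
    for payload in reversed(payloads):
        image = payload + MARKER + next_digest
        images.insert(0, image)
        next_digest = digest(image).encode()
    return next_digest.decode(), images


def verify_chain(root_digest: str, images: List[bytes]) -> Optional[str]:
    """Walk the chain from the hardware-held root. Returns the name of the
    first stage whose digest does not match what the previous (already
    verified) stage expects, or None when every stage checks out."""
    expected = root_digest
    for name, image in zip(STAGES, images):
        if digest(image) != expected:
            return name
        # Only a stage that has itself been verified is trusted to say
        # what the next stage must hash to.
        expected = image.rsplit(MARKER, 1)[1].decode()
    return None


if __name__ == "__main__":
    root, images = build_images([b"bios v1", b"loader v1", b"kernel v1", b"os v1"])
    print("clean chain:", verify_chain(root, images))       # None
    images[2] = images[2].replace(b"kernel v1", b"kernel v1 patched")
    print("tampered kernel:", verify_chain(root, images))   # kernel
```

The point of walking the chain from the hardware value is that a modified stage is caught by the stage before it, and the earliest stage is caught by the chip; swapping out any image, or forging one that carries a plausible-looking expected digest, fails at exactly that link.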

Ars Technica - Apple in Trumpland: How the new administration could upend Apple’s business -

As one of America’s biggest companies, Apple will continue to find itself singled out by Trump. Apple provides a good case study for the ways in which Trump’s stated economic and trade policies could benefit and damage large, multinational tech companies. Those policies combine typical Republican orthodoxy about low corporate tax rates with Trump’s bellicose proclamations about import tariffs. Depending on the way things break, Trump’s policies are going to be a double-edged sword for Apple and any company that relies heavily on overseas manufacturing and the global economy.
The gist of the article is kind of "Trump is an idiot, but Apple has to work with him."  They are far more diplomatic of course but that's the general feel.

Sunday, January 15, 2017

What I'm reading 1/15/2017 - And just to let you know, it's 21 degrees F and sunny here, up from 13 when I got up this morning. Spring has arrived! (Global Warming my shivering ass)

SANS - Critiques of the DHS/FBI's GRIZZLY STEPPE Report -
The White House's response and combined messaging from the government agencies is well done and the technical attribution provided by private sector companies has been solid for quite some time. However, the DHS/FBI GRIZZLY STEPPE report does not meet its stated intent of helping network defenders and instead chooses to focus on a confusing assortment of attribution, non-descriptive indicators, and re-hashed tradecraft. Additionally, the bulk of the report (8 of the 13 pages) is general high level recommendations not descriptive of the RIS threats mentioned and with no linking to what activity would help with what aspect of the technical data covered. It simply serves as an advertisement of documents and programs the DHS is trying to support. One recommendation for Whitelisting Applications might as well read "whitelisting is good mm'kay?" If that recommendation would have been overlaid with what it would have stopped in this campaign specifically and how defenders could then leverage that information going forward it would at least have been descriptive and useful. Instead it reads like a copy/paste of DHS' most recent documents - at least in a vendor report you usually only get 1 page of marketing instead of 8.
We read this report at work, and while we took what action we could based on what it contained, almost everyone was confused about how the attribution portions played into the conclusions. It was not a well-put-together effort.

Ars Technica - Congress will consider proposal to raise H-1B minimum wage to $100,000 -
One major change to that system is already under discussion: making it harder for companies to use H-1B workers to replace Americans by simply giving the foreign workers a raise. The "Protect and Grow American Jobs Act," introduced last week by Rep. Darrell Issa, R-Calif. and Scott Peters, D-Calif., would significantly raise the wages of workers who get H-1B visas. If the bill becomes law, the minimum wage paid to H-1B workers would rise to at least $100,000 annually, and be adjusted for inflation. Right now, the minimum is $60,000.
The sponsors say that would go a long way toward fixing some of the abuses of the H-1B program, which critics say is currently used to simply replace American workers with cheaper, foreign workers. In 2013, the top nine companies acquiring H-1B visas were technology outsourcing firms, according to an analysis by a critic of the H-1B program. (The 10th is Microsoft.) The thinking goes that if minimum H-1B salaries are brought closer to what high-skilled tech employment really pays, the economic incentive to use it as a worker-replacement program will drop off.
This will help, but what is really needed is to a) decrease the number of slots available by 10% per year over 50 years, b) make employers certify, under penalty of perjury, that they have looked for qualified American workers, and hold the CEO personally criminally responsible, and c) require a bond on every H-1B that is returned only when the worker is replaced by an American. Also, make the visa follow the person after 2 years so companies can't hold workers hostage and deflate wages.

The Verge - AMC and the BBC are teaming up to adapt John le Carré’s Spy Who Came in From the Cold
The Spy Who Came in From the Cold is le Carré’s third novel. First published in 1963, it follows a British agent who is sent to Germany to try and undermine an East German intelligence official at the height of the Cold War. The novel was an immediate success, and was adapted as a film two years later.
I read the book and saw the movie. This is not a James Bond film. Actually, it was dense enough that a multipart TV show may be the best way to do it justice.

Backchannel - Where Weird Facebook is King: How a College Kid Does Social - not much here unless you have a teen who you want to harass on social media. In that case, so valuable.


Two for the Marines

The head of the US Marines wants to recruit about 3,000 troops skilled in online warfare and espionage to make sure the Corps is ready for 21st-century battle.
On Thursday, General Robert Neller told the Surface Navy Association's annual convention that he was looking to raise his numbers from 182,000 to 185,000 in the next Defense Appropriations Bill – and wants to use the extra heads to beef up online and electronic warfare capabilities.

The problem here is that most of the people who are interested in stuff like this are not the type of people the military wants.  This is going to be a really hard sell on both sides.

Officers at the Marine Corps Warfighting Laboratory/Futures Directorate in Quantico, Va., came up with the idea last year to host a sci-fi contest to spur creativity, as well as get uniformed Marines to conceive of threats in a different way. A total of 84 entries were narrowed down to 18 finalists, who were paired with professional sci-fi writers—including “World War Z’s” Max Brooks—during a workshop co-hosted by the Atlantic Council. After months of editing, the top three stories were collected in “Science Fiction Futures: Marine Corps Security Environment Forecast 2030-2045” and published online [PDF].
No comments - just thought you guys might enjoy this one.

Friday, January 13, 2017

On Chelsea Manning and Commutation

It's 13 degrees here in Vancouver, WA, and I am basically stuck inside because I screwed up my foot walking to the store the other day. Given that, I have been in a position to do some thinking about Chelsea (née Bradley) Manning.

When Manning was arrested I was one of those who was for a full-bore prosecution, up to and including the possibility of the death sentence. It seemed to me at the time that the damage he (now she) had potentially done was so drastic that severe measures were warranted. As time went by and details of what was released became known, I began to moderate my views a bit. Yeah, there was some damaging material, but most of it was just embarrassing. I didn't think Manning should go free, but I definitely thought that the real bad guy here was Julian Assange.

Now it's 6 years later. Manning has been in prison, much of it in solitary confinement (suicide / harm prevention). Her ability to do the US further harm is nil, and no matter what, her life is ruined. I say commute the sentence to 10 years. It's enough to serve as an appropriate punishment. It allows Manning to try and salvage something, and it allows us to move on from some of the worst feelings of the last 16 years. If Obama doesn't do it, Trump should.

Also - people, quit calling her Bradley and he. I know you think you are making some sort of point, but you just come off as bigoted and stupid. Even if you don't accept the idea of Gender Identity Disorder, it costs you nothing to call someone by the name they prefer.

Saturday, January 07, 2017

Some more NIST Thoughts (mainly revolving around the Risk Management Framework)

Earlier this week I posted about NIST SP 800-181, the Draft NICE Cybersecurity Workforce Framework. I had a few criticisms, but one of the things I didn't really discuss was the fact that NIST specifically mentions that they intend (or intended, whatever the proper tense should be) for this publication to be used by organizations to help develop certification exams that employers can directly tie to a job role.

Not a bad idea, in my opinion at least, if the Roles, Tasks, Knowledge, Skills, and Abilities can all be kept up to date and relevant.  I have my doubts about that.

Be that as it may, however, discussing that with a couple of co-workers led back to a discussion we have had a couple of times: the under-utilization of the NIST Risk Management Framework in the educational process.

NIST has a pretty extensive set of publications dealing with just about every facet of information security. The parts I am particularly interested in are Risk Management, Business Continuity, and Disaster Recovery. Not only do they have publications available on various topics in those fields, but they have built out an entire framework, aptly named the Risk Management Framework.

The issue that I have seen is that there isn't any sort of real formalized instruction on the process. I have taken a number of classes on Risk Management, Business Continuity, and Disaster Preparedness, and while individual features of the Risk Management Framework are presented, it isn't presented as a coherent whole.

Maybe this is just my experience, but talking with co-workers I don't really think so.

So, you're asking, what's my point? Well, it's actually a proposal. We have two, I think, fairly well thought out frameworks: the CSF and the RMF. They have also been mapped to each other, although I think that could be done better, and hopefully will be in upcoming revisions. What we need now is people skilled in implementing them. I think that, just like the NSA has their educational Centers of Excellence, NIST / DHS should implement similar designations for programs that really dig in on the Cybersecurity and Risk Management Frameworks. They should also help with developing curriculum materials and make them available. It would also be nice if there were a vendor-neutral risk management certification program, sort of like the Project+.

(I know it took me a long time to get here for little payoff, but I am trying to keep it simple and at least partially coherent; basically I am just spitballing an idea.)


Tuesday, January 03, 2017

Well crap. Trump is going to end up being right on Russian hacking - What I am reading 1/3/2017


Huge walkback on this story.
An employee at Burlington Electric Department was checking his Yahoo email account Friday and triggered an alert indicating that his computer had connected to a suspicious IP address associated by authorities with the Russian hacking operation that infiltrated the Democratic Party. Officials told the company that traffic with this particular address is found elsewhere in the country and is not unique to Burlington Electric, suggesting the company wasn’t being targeted by the Russians. Indeed, officials say it is possible that the traffic is benign, since this particular IP address is not always connected to malicious activity.
and the latest also contains this nugget -

Experts also expressed concerns regarding the report released by DHS and the FBI on the Russian hacking operation. The report said it was providing “technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence services” to “compromise and exploit” political, government and private computer networks. The government released the document on the same day it announced a series of measures taken to punish the Russian government for its interference in the 2016 presidential election, including the DNC hacks.
But a range of cybersecurity experts say that although the intention of the report was good, it lacked specific details that would enable firms to detect Russian government hackers.
So what the Post is now saying is that the government can't prove any Russian hacking, period. They have some general activity associated with malware, but that's it.
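The Burlington story above, and the SANS critique in the 1/15 entry, are the same lesson from two sides: an indicator list that is just addresses, with no description of what each address is, produces alerts that nobody can triage. The Python below is an added example written for this post (not from the DHS/FBI report, SANS, or Burlington Electric) showing the difference between flat IP matching and matching with the context a useful report would carry. The log lines and indicator addresses are constructed from documentation ranges and are not real GRIZZLY STEPPE indicators.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example. The log lines and indicator addresses below are
# constructed (RFC 5737 documentation ranges), not real indicators.
SAMPLE_LOG = """\
2017-01-03T09:14:02Z src=10.20.30.41 dst=203.0.113.10 dport=443 host=mail.yahoo.com
2017-01-03T09:14:05Z src=10.20.30.41 dst=203.0.113.10 dport=443 host=static.example-cdn.net
2017-01-03T09:15:11Z src=10.20.30.77 dst=198.51.100.5 dport=8443 host=-
2017-01-03T09:16:40Z src=10.20.30.90 dst=192.0.2.200 dport=80 host=www.example.com
"""

# The kind of list the critique complains about: addresses and nothing else.
BARE_INDICATORS = {"203.0.113.10", "198.51.100.5"}

# The same addresses with the context a useful report would carry.
#   "shared":    the address also serves unrelated legitimate traffic
#                (hosting/CDN/VPS), so a hit is a lead, not an incident.
#   "dedicated": observed only as attacker-controlled infrastructure.
ENRICHED_INDICATORS: Dict[str, Dict[str, str]] = {
    "203.0.113.10": {"kind": "shared", "note": "hypothetical VPS range shared with ordinary sites"},
    "198.51.100.5": {"kind": "dedicated", "note": "hypothetical C2 host, odd port, no hostname"},
}

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) host=(?P<host>\S+)")


@dataclass
class Hit:
    src: str
    dst: str
    dport: int
    host: str
    verdict: str   # "alert" or "review"
    reason: str


def parse_line(line: str) -> Optional[Tuple[str, str, int, str]]:
    """Pull (src, dst, dport, host) out of one constructed log line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport")), m.group("host")


def match_bare(log: str, indicators) -> List[Tuple[str, str]]:
    """Flat IP matching: every connection to a listed address looks the same."""
    hits = []
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] in indicators:
            hits.append((parsed[0], parsed[1]))
    return hits


def triage(log: str, indicators: Dict[str, Dict[str, str]]) -> List[Hit]:
    """Context-aware matching: a hit on shared infrastructure with a normal
    hostname on a standard port is a lead to review, not an incident."""
    hits: List[Hit] = []
    for line in log.splitlines():
        parsed = parse_line(line)
        if not parsed or parsed[1] not in indicators:
            continue
        src, dst, dport, host = parsed
        info = indicators[dst]
        if info["kind"] == "dedicated":
            verdict, reason = "alert", "dedicated attacker infrastructure"
        elif host != "-" and dport in (80, 443):
            verdict, reason = "review", "shared host, named service on a standard port"
        else:
            verdict, reason = "alert", "shared host but no hostname or unusual port"
        hits.append(Hit(src, dst, dport, host, verdict, reason))
    return hits


if __name__ == "__main__":
    print("bare matches:", match_bare(SAMPLE_LOG, BARE_INDICATORS))
    for h in triage(SAMPLE_LOG, ENRICHED_INDICATORS):
        print(h.verdict, h.src, "->", h.dst, h.host, "|", h.reason)
```

On the constructed log the bare list fires three times and gives an analyst nothing to separate a webmail session from a real command-and-control connection; the enriched list fires on the same three lines but leaves only one of them as an alert. That is the difference between the report SANS wanted and the one DHS shipped.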

Los Angeles Times - Leaving for Las Vegas: California's minimum wage law leaves businesses no choice -
When the $15 minimum wage is fully phased in, my company would be losing in excess of $200,000 a year (and far more if my workforce grows as anticipated). That may be a drop in the bucket for large corporations, but a small business cannot absorb such losses. I could try to charge more to offset that cost, but my customers — the companies that are looking for someone to produce their clothing line — wouldn’t pay it. The result would be layoffs.
When Los Angeles County’s minimum wage ordinance was approved in July, I began looking at Ventura County, Orange County and other parts of the state. Then, when California embraced a $15 wage target, I realized that my company couldn’t continue to operate in the state. After considering Texas and North Carolina, I’ve settled on moving the business to Las Vegas, where I’m looking for the right facility.  About half of our employees will make the move with us.
If only there were some science, some study of, well let's call it Economics, that could predict things like this.

Monday, January 02, 2017

NIST SP 800-181 NICE Cybersecurity Workforce Framework

Sometime around November 2, 2016, NIST, as part of the National Initiative for Cybersecurity Education (NICE), released SP 800-181 - The NICE Cybersecurity Workforce Framework (comments are open until January 6, 2017). It's an interesting document, at least what I have read of it, given that it is 130 pages of bureaucratese coupled with some sort of education-speak, designed to try to bring common role definitions to certain jobs and associate tasks, knowledge, skills and abilities with each of those roles. Or as the authors put it:

The purpose of this publication is to provide a fundamental reference resource to support a workforce capable of meeting an organization’s cybersecurity needs by:
  • Providing organizations with a common, consistent lexicon that categorizes and describes cybersecurity work;
  • Organizing cybersecurity work into seven high-level Categories and over 50 Work Roles within those seven Categories;
  • Offering a superset of Tasks for each Work Role; and  
  • Offering a superset list of Knowledge, Skills, and Abilities (KSAs) for each work role
In addition, an effort is made to tie the 7 high-level Categories back to the Cybersecurity Framework Categories:
While the CSF and the NCWF were developed separately, each complements the other by describing a hierarchical approach to achieving cybersecurity goals.

After identifying a broad Category where a particular need is present, the organization is supposed to further break the position down by Specialty Area and Work Role, then associate Tasks, Knowledge, Skills and Abilities with that role.

(Obviously there are more than 3 of each: Tasks = 928, Knowledge areas = 614, Skills = 359 and Abilities = 119.)

NIST has already identified a number of NCWF roles (approx. 50).

(And actually, as I look at this again, I am not clear on whether an organization under the NCWF is allowed to define their own Work Roles. I would assume they are, but I am not absolutely sure.)

OK, so now we know how the process is supposed to work. Here are my concerns:

1. This is too static, both in job roles (which are never going to fly. Every job I have ever worked has had an "other duties as assigned" clause, and those duties always end up being a significant part of the workload, so these roles are way too restrictive) and in the process itself. In fact, as far as the process goes, an issue has already been identified in Section 4.1:

Several work-related elements have been raised at various discussions and, while not currently integrated into the NCWF, are areas that are likely to be the subject of further research and guidance. The areas of further investigation are:
* System Security Engineering (SSE) – Many elements of systems security engineering (a specialty engineering discipline of systems engineering) contribute to a fully integrated, system-level perspective of cybersecurity. Additional research will be conducted to ensure that the Tasks and KSAs described fully support the SSE lifecycle described in Draft NIST Special Publication (SP) 800-160, Systems Security Engineering - Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems.
2. I believe that the Knowledge areas, Skills, and Abilities are tied to the wrong item. Currently they are tied to the Work Role:

I believe Tasks should be tied to the Work Role and the Knowledge, Skills and Abilities should be tied to the Task. It might seem like a small thing, but I believe in the long run it would make a program like this more manageable, and since you can't complete the task without the knowledge, skills and abilities, it makes sense there too.
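To make the manageability argument concrete, the Python below is an added example written for this post (not NIST's data or tooling) that models both arrangements side by side: the draft's Role-to-KSA lists, maintained by hand, and the proposed Role-to-Task-to-KSA derivation. All task and KSA identifiers are hypothetical stand-ins, not the draft's real numbers; the "drift" in the hand-maintained lists is constructed to show what the gap check catches.

```python
from typing import Dict, Set

# Added example, not NIST's. Every identifier below is a hypothetical
# stand-in, not a real NCWF Task or KSA number.
TASK_KSAS: Dict[str, Set[str]] = {
    "T-triage-alerts":   {"K-log-formats", "S-siem-queries"},
    "T-contain-host":    {"K-edr-tooling", "S-host-isolation", "A-communicate-status"},
    "T-write-playbook":  {"K-ir-lifecycle", "S-technical-writing"},
    "T-harden-baseline": {"K-os-hardening", "S-config-mgmt"},
}

ROLE_TASKS: Dict[str, Set[str]] = {
    "Incident Responder":    {"T-triage-alerts", "T-contain-host", "T-write-playbook"},
    "Systems Administrator": {"T-harden-baseline", "T-contain-host"},
}

# The draft's arrangement: KSAs listed directly on each Work Role and kept
# in step with the task list by hand. Both lists here have drifted
# (constructed on purpose): neither carries everything its tasks need.
ROLE_KSAS_DIRECT: Dict[str, Set[str]] = {
    "Incident Responder": {"K-log-formats", "S-siem-queries", "K-edr-tooling",
                           "S-host-isolation", "K-ir-lifecycle", "S-technical-writing"},
    "Systems Administrator": {"K-os-hardening", "S-config-mgmt", "K-edr-tooling"},
}


def derived_ksas(role: str, role_tasks=ROLE_TASKS, task_ksas=TASK_KSAS) -> Set[str]:
    """Proposed arrangement: a role's KSAs are whatever its tasks require."""
    needed: Set[str] = set()
    for task in role_tasks[role]:
        needed |= task_ksas[task]
    return needed


def missing_ksas(role: str, role_ksas=ROLE_KSAS_DIRECT,
                 role_tasks=ROLE_TASKS, task_ksas=TASK_KSAS) -> Set[str]:
    """Gap check on the draft's arrangement: KSAs a role's tasks need that
    its hand-maintained list omits. A person holding only the listed KSAs
    could not complete those tasks."""
    return derived_ksas(role, role_tasks, task_ksas) - role_ksas[role]


def roles_using_task(task: str, role_tasks=ROLE_TASKS) -> Set[str]:
    """Every role that picks up a change to this task's KSAs automatically
    under the proposed arrangement, with no per-role edit."""
    return {role for role, tasks in role_tasks.items() if task in tasks}


if __name__ == "__main__":
    for role in ROLE_TASKS:
        print(role, "missing:", sorted(missing_ksas(role)))
    print("roles touched by T-contain-host:", sorted(roles_using_task("T-contain-host")))
```

With 928 Tasks and over 1,000 KSAs across roughly 50 roles, the hand-maintained role lists are where drift like this accumulates; deriving them from the task list means a KSA is added once, on the task, and every role that performs that task is updated.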

That's my $.02 on this.  I didn't see anyone else really discussing it so I thought I would throw something out there.





Sunday, January 01, 2017

Russia Attacks The US Power Grid - Kind of, Sort of, Not Really

So late Friday or early yesterday I came across a story that claimed Russia had hacked the US power grid (I thought it was on the NY Times, but now I can't find it).  At the time it only said that Russian malware had been located on a computer at a Vermont utility.

At the time my first thought was - Business side or Transmission / Distribution / Generation side?
The article didn't say.

I know some of you (given my readership of hobos, drunkards and imaginary voices, perhaps all) are wondering why that matters.  Well, simply put, the two sides are, in theory, mostly segregated, and compromising the business side, while it could cost the company money, shouldn't bring power down or damage the grid.  It's also a lot easier to compromise business-side operations because they often have direct internet connections.  The transmission side shouldn't.  It should have levels of logical and physical separation (at BPA the network I worked on was as airgapped as we could make it).  Of course malicious code can always be brought in on a USB stick or something, but we tried to actively prevent that through monitoring and other means.

Anyway the initial article I read lacked detail.  I checked back a couple times but then got busy with other things.

This morning I had my answer starting with this article in the Washington Post "Russian operation hacked a Vermont utility, showing risk to U.S. electrical grid security, officials say" which now carries this disclaimer -
Editor’s Note: An earlier version of this story incorrectly said that Russian hackers had penetrated the U.S. electric grid. Authorities say there is no indication of that so far. The computer at Burlington Electric that was hacked was not attached to the grid.
and states:
Burlington Electric said in a statement that the company detected a malware code used in the Grizzly Steppe operation in a laptop that was not connected to the organization’s grid systems. The firm said it took immediate action to isolate the laptop and alert federal authorities.
So it appears the actual grid was never compromised.  And it's not even really certain that the Russian government was responsible, as pointed out by Mashable (not my usual go-to source, but they have the best explanation):

So did the Russians attack a laptop at a public utility, even if it wasn’t connected to the electric grid?

It’s possible, but not certain.
The malware found was certainly Russian made and related to the malware used to infiltrate the DNC. But that does not mean that it was used by Russians.
Malware, like any software, is bought and sold. It is not necessarily used by the same people who craft it.
On the plus side CBS is now reporting that a number of states are looking at their cybersecurity posture in a more critical light:
Several states around the country on Saturday asked cybersecurity experts to re-examine state and utility networks after a Vermont utility’s laptop was found to contain malware U.S. officials say is linked to Russian hackers.
The minus is that stories that are incorrectly reported, like this one was, just start to inure the public to real issues.


Books Read in 2016 - Final Tally

1.  Lord of Chaos - Wheel of Time Book Six (re-reading the series)
2.  Crown of Swords - Wheel of Time Book 7
3.  The Docker Book: Containerization is the new virtualization
4.  Chris Bryant's CCNA Study Guide Volume 1 (CCENT)
5.  Sold Out: How High Tech Billionaires & Bipartisan Beltway Crapweasels Are Screwing America's Best and Brightest
6. Neuromancer - re-read since my niece was reading it for school.
7.  The Practice of Network Security Monitoring: Understanding Network Incident Detection and Response
8.  Path of Daggers - Wheel of Time Book 8
9.  Throwing Rocks at the Google Bus
10. Disrupted
11.  Lauren Ipsum
12.  Iterating Grace
13.  Naked Money - Highly recommended
14.  NIST SP 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations.
15.  Ghost Fleet - re-read given that it tends to tie in with news stories like this, "China to increase defence spending by '7-8%' in 2016 - official", this, "The US Navy changes rules to allow sailors more tattoos", and this, "The Navy's Stealthy DDG 1000 Begins 'Acceptance Trials'"
18.  Dead Man's Debt - 3rd book in the Poor Man's Fight series, not near as good as the first two.
--------------------------------------------------------
19.  Platform Revolution: How Networked Markets Are Transforming The Economy And How To Make Them Work For You
20.  Industries of the Future
21. The Goal: A Process of Ongoing Improvement
22. Critical Chain
23.  It's Not Luck
24. The Phoenix Project: A Novel About IT, DevOps and Helping Your Business Win - Reread

A note about 21, 22, 23, and 24 - I originally read 24 as part of a suggested reading list I found through some school project.  I was in the Navy during the Total Quality Leadership fiasco of the 80s / 90s. Reading The Phoenix Project started to turn me on to just how poorly implemented that process was. They took an industrial process management technique and tried to apply it to everything, which was ridiculous.  After that my interest was piqued about The Goal, which is mentioned numerous times in The Phoenix Project.  That got me going on the other two.  I don't want to seem like a zealot, but if you are working in a business IT environment, I recommend all 4 books as at least a way to consider some alternate management paths.

25.  NIST 800-82 - Guide to Industrial Control Systems (ICS) Security
26.  Chaos Monkeys: Obscene Fortune and Random Failure in Silicon Valley
27. Practical Leadership - for school, not very worthwhile.
28. iPremier: Denial of Service Attack (Graphic Novel) - A Harvard Business Review case study about a denial of service attack.  There are three parts: A, B, C.  It's not very good, with some (I think fundamental) misunderstandings about basic technology and services.  The artwork is hilarious; everyone in the IT department looks like either a superhero or a supermodel and acts like James Bond.  If you can find a copy for free, read it; otherwise don't bother.

----------------------------------------------------------------------------------------------------------------
29.  The Mandibles: A Family 2029-2047
30.  Monster Hunter Alpha
31.  Monster Hunter Grunge
32.  Monster Hunter Sinners
33.  Infomocracy
34.  Winter's Heart - Wheel of Time Book 9
35.  Crossroads of Twilight - Wheel of Time Book 10
36.  The Rise and Fall of American Growth
37.  The Failure of Risk Management
38.  Alliance of Shadows - Dead Six Book 3
39.  The Grid  - Highly Recommended
40.  Jennifer Government
41.  Agent of the Imperium - Bleh
42.  Broken Trust
43.  Blood Father
44.  The Perfect Thing

Added two more in the last week and something

45.  Cyberpunk Trashcan - I was turned on to this book by Chris over at Carnifex.org.  It is frickin' hilarious.
46.  Scrum:  A Breathtakingly Brief and Agile Introduction - Just made me hate the people who dream these damn project management systems up all over again.  (Maybe this one shouldn't count because according to Amazon it's only 54 pages, but on my Kindle on the train it sure seemed like 500 (boring))

Fell a little short of the one book per week mark :-(

2017 started today and I have already selected my first two books: Ted Koppel's Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath (I figure it is a good way to start in light of the Vermont utility being successfully(?) compromised), and 11th Hour CISSP.