Blog

“We accept the risk.”

“A lot of smaller communities are resource-constrained.  If you have a million dollars, are you going to fix the potholes constituents have been calling about, open parks and swimming pools for the summer? Or buy new servers and do all the things that are going to make you more secure?”

When Ransomware Cripples a City, Who’s to Blame? This I.T. Chief Is Fighting Back
New York Times, August 22, 2019

Yes. The answer is yes.

Municipal leadership, like the leaders of any organization, are tasked with balancing the seemingly endless number of competing priorities. That’s why they get paid the big bucks.

Crumbling physical infrastructure or reductions in municipal service offerings are always sure to elicit strong reactions from residents and constituencies. Technology assets and infrastructure are not as visible to their end customers. As a result, software updates and hardware refresh cycles often take a back seat because “well it still works” or “but we only bought that server 5 years ago and it’s not broken.”

But in today’s operating environment, proper maintenance and risk management of a municipality’s technology infrastructure, endpoints, and systems are as just as critical as the maintenance and risk management of its roads and bridges.

When faced with audit findings and risk assessments, far too often management takes what is viewed as the “easy” way out: just accept the risk. I mean, it’s just a checkbox or your initials, as opposed to thousands of dollars and person hours that could be used for other things, right? Quick election cycles and the tendency to kick the can down the road for the next administration makes accepting the risk even easier…let the “next guy” deal with it in the “next budget.”

But the crucial caveat that management is failing to remember in these situations is that when you accept the risk, you accept the risk.

In the case of Lake City’s ransomware attack, I look forward to seeing what comes out through public records requests and the legal process. It should be relatively easy to determine what decisions were documented and what actions were or were not taken.

It is crucial that this incident be a lesson to better understand that day-to-day actions and decisions do have consequences:

  • For management and “the Business,” ensure that you have an appropriate level of understanding about your environment. Understand its functions, life cycle and risks; look to your technical leaders and individual contributors to help educate you so that you can make informed decisions. Don’t just check a box and move on…the ass you save might just be your own.
  • For technical leaders and individual contributors, as the subject matter experts for your environment, you need to ensure your management chain, auditors, and Boards / Committees have the right information make good decisions.

Regardless of how management chooses to act, remember this invaluable advice from SANS NewsBites Editorial Board Member William Hugh Murray in reference to the Lake City incident:

Any such risk acceptance, and its acknowledgement by the leadership, must be documented. If that was done in this instance, Hawkins will have a good case. In the absence of such documentation, his case may turn upon the honest recollection of that leadership of a decision made months ago. The three rules of risk management are document, document, document.

Living the “Dream”

It was never my dream to turn on the TV and hear entitled assholes speculating about my health, my injuries, and devoting segments on their shows to discussing my medical file, guffawing their way through segment after segment about the hell I have endured. But that’s what life becomes for NFL players: reciting tired sound bites through gritted teeth and long, sleepless nights, handfuls of pills, and early-morning rehab sessions, sideways looks from coaches who want you on that field, who need you on that field, or else your ass is gone.

Nate Jackson, “Andrew Luck Got Out. I Couldn’t.” (Deadspin)

A statistic that blew my mind this week

Since launching in 2002, Amazon Web Services has grown to dominate the public cloud in quite the same way that Amazon has dominated online commerce overall. Many of the services people use every day like Netflix run on AWS, although nobody really thinks about it much until there’s an outage.

In her series of articles earlier this year where she attempted to cut out various Big Tech(tm) players from her life, Kashmir Hill described avoiding Amazon as “nearly impossible.”

Amazon has embedded itself so thoroughly into the infrastructure of modern life, and into the business models of so many companies, including its competitors, that it’s nearly impossible to avoid it.

Kashmir Hill, “I Tried to Block Amazon From My Life. It Was Impossible

So it’s not surprising that the infrastructure that backs the world’s largest and most dominant public cloud platform is massive. But the statistic that stood out the most for me was this:

Each day, AWS adds as much infrastructure as they used to run in total 7 years back.

Jeff Desjardins, “The Impressive Stats Behind Amazon’s Dominance of the Cloud

You read that correctly: Amazon deployed as much infrastructure into their environment today as they ran in total in August of 2012.

Enjoy additional mind blowing stats from RapidValue Solutions’ recent infographic after the jump.

Continue reading “A statistic that blew my mind this week”

Windows 10 time format and the Welcome screen

If you’re like me, you live on a twenty four hour clock for work. And while Windows 10 is easily adjusted to display the time in my preferred format within my user account, one of my pet peeves is how the Welcome screen continues displaying the “wrong” time when I’m not signed in.

So I was delighted to learn of one more step that is available to easily update the time format on the welcome screen that I’d not seen before. Shawn Brink provides all the nitty gritty details over at Windows 10 Forums, but for the tl;dr inclined:

  1. In region settings, change your short and long time formats.
  2. Click Apply.
  3. Click on the Administrative tab.
  4. Click the Copy Settings button.
  5. Check the Welcome screen and system accounts button.
  6. Click OK.

Voilà! Now my eyes don’t twitch every time I wake my laptop and log in. Thanks Shawn!

Sharing is caring and Google is a geek’s best friend, y’all. If you’re working a problem, don’t suffer in silence. And if you learn something new, share it somewhere so that others can learn and build on your experience.

It’s the right thing to do, y’all. And I’m going to start doing more of it here.

Happy Friday!

Apollo astronaut Charlie Duke says he almost died jumping on moon – Business Insider

The Apollo program is full of incredible anecdotes about the challenges and experiences of spaceflight. And like every other NASA program, it’s also had its fair share of shenanigans.

So it’s not surprising to read about Charlie Duke was horsing around on the towards the end of his time on the moon during Apollo 16. But when he landed hard on the lunar surface:

“I learned a lesson: Never do anything in space that you haven’t practiced. And we had not practiced the high jump.

Charlie Duke

Source: Apollo astronaut Charlie Duke says he almost died jumping on moon – Business Insider

Head Starts are Overrated

Never decide you are too old or too late to the game to try something new. “The tidy specialization narrative cannot easily fit even [the] relatively kind domains that have most successfully marketed it,” Epstein concludes. “So, about that, one sentence of advice: Don’t feel behind…research in myriad areas suggests that mental meandering and personal experimentation are sources of power, and head starts are overrated.”

 Ephrat Livni, “To thrive in a “wicked” world, you need range

The Human Factor

Horrible news today out of Ethiopia, with the loss of a second Boeing 737 MAX 8 resulting in the deaths of all aboard. I’m grateful to learn that the recorders have been recovered, though one was severely damaged. Hopeful Boeing and the authorities can piece things together quickly.

Reading the initial reporting on today’s incident, this amateur plane nerd’s first reaction was a single word: Prius.

Remember when shortly after the Prius hit the mainstream there was a series of unfortunate events involving vehicles and their occupants sailing through hedge bushes and shopping mall storefronts? Toyota did eventually issue software updates to help prevent crashes, but over time the platform also became familiar to the public. Now, we see more and more models with push button starts and unconventional shift levers and transmissions.

This is the Prius, at scale. Boeing is already working with the FAA to deploy software updates to improve safety, and I’m sure they will help prevent future events. But training and familiarity with an aircraft and, now more than ever, it’s software, will always win the day. Like when you hit birds and determine your best bet is to go for a swim.

Further Reading