Category: respect

What’s your website’s D&D alignment?

This is the impression – often the first impression – that users of the website get of the organisation.

Cookies and Dungeons and Dragons – a hypothesis

Recent privacy legislation has led organisations to have to adopt ways of allowing their users to register their cookie preference in ways which expose the underlying motivations of the org. I have a related theory, and it goes like this: these different registration options allow you to map organisations to one of the 9 Dungeons and Dragons character alignments.

This may seem like a bit of a leap, but stick with me. First, here’s a a little bit of background for those readers who’ve never dabbled in (or got addicted to -there’s little room between the two extremes) the world of Dungeons and Dragons (or “D&D”). There are two axes used to describe a character: Lawful-Neutral-Chaotic and Good-Neutral-Evil. Each character has a position across each of these axes, so you could have someone who’s Lawful-Good, one who’s Chaotic Neutral or one who’s Neutral-Good, for instance (a “Neutral-Neutral” character is described as “True Neutral”). A Lawful character follows the law – or a strong moral code, whereas a Chaotic one just can’t be bothered. A Neutral character tends to do so when it suits them. The Good-Neutral-Evil axis should be pretty clear.

Second bit of background: I never just accept cookies on a website. I always go through the preferences registration options, and almost always remove permissions for all cookie tracking beyond the “minimum required for functionality”. I know I’m in a tiny minority in this, but I like to pretend that I can safeguard at least some of my private data, so I do it anyway (and so should you). I’ve noticed, over the past few months, that there are a variety of ways that cookie choices are presented to you, and I reckon that we can map several of these to these D&D alignments, giving us a chance to get a glimpse into the underlying motivation of the organisation whose website we’re visiting.

I’ve attempted to map the basic approaches I’ve seen into this table.

Lawful GoodNeutral GoodChaotic Good
Functional cookies only by default.No cookies, and a link to a long and confusing explanation about how the organisation doesn’t believe in them.No cookies at all, no explanation.
Lawful NeutralTrue Neutral Chaotic Neutral
Functional and tracking cookies by default, clear what tracking cookies are; all easy to turn off.Functional and tracking cookies by default, completely unclear what the cookies do.Random selection of cookies, and it’s unclear what they do, but you can at least turn them off.
Lawful EvilNeutral EvilChaotic Evil
All cookies by default: functional, tracking and legitimate uses.  Easy to remove with “reject all” or “object all”.All cookies by default.  “Legitimate uses” need to be deselected individually.All cookies by default, with 100s listed.  You have to deselect them by hand (there’s no “reject all” or “object all”), and there’s a 2 to 5 minute process to complete the registration, which finishes on 100% but never completes.
D&D alignments and website cookie preference approaches

Clearly, this is a tongue-in-cheek post, but there’s an important point here, I think: even if this glimpse isn’t a true representation of the organisation, it’s the impression – often the first impression – that users of the website get. My view of an organisation is formed partly through my interaction with its website, and while design, layout and content are all important, of course, the view that is presented about how much (if at all) the organisation cares about my experience, my data and my privacy should be something that organisations really care about. If they don’t respect me, then why should I respect them?

If I’m trying to attract someone to work for me, partner with me or buy from me, then my marketing department should be aware of the impression that visitors to my website glean from all interactions. At the moment, this seems to be missing, and while it’s not difficult to address, it seems to have escaped the notice of most organisations up to this point.

Demonising children (with help from law enforcement)

Let’s just not teach children to read: we’ll definitely be safe then.

Oh, dear: it’s happened again. Ill-informed law enforcement folks are demonising people for getting interested in security. As The Register reports, West Midlands police in the UK have put out a poster aimed at teachers, parents and guardians which advises them to get in touch if they find any of the following on a child’s computer:

  • Tor browser
  • Virtual machines
  • Kali Linux
  • Wifi Pineapple
  • Discord
  • Metasploit

“If you see any of these on their computer, or have a child you think is hacking, please let us know so we can give advice and engage them into positive diversions.”

Leaving aside the grammar of that sentence, let’s have a look at those tools. Actually, first, let’s address the use of the word “hacking”. It’s not the first time that I’ve had a go at misuse of this word, but on the whole, I think that we’ve lost the battle in popular media to allow us to keep the positive use of the term. In this context, however, if I ask a teenager or young person who’s in possession of a few of the above if they’re hacking, they answer will probably be “yes”, which is good. And not because they’re doing dodgy stuff – cracking – but because they’re got into the culture of a community where hacking is still a positive word: it means trying stuff out, messing around and coding. This is a world I – and the vast majority of my colleagues – inhabit and work in on a day-to-day basis.

So – those tools. Tor, as they point out, can be used to access the dark web. More likely, it’s being used by a savvy teenager to hide their access to embarrassing material. VMs can apparently be used to hide OSes such as Kali Linux. Well, yes, but “hide”? And there is a huge number of other, positive and creative uses to which VMs are put every day.

Oh, and Kali Linux is an OS “often used for hacking”. Let’s pull that statement apart. It could mean:

  1. many uses of Kali Linux are for illegal or unethical activities;
  2. many illegal or unethical activities use Kali Linux.

In the same way that you might say “knives are often used for violent attacks”, such phrasing is downright misleading, because you know (and any well-informed law-enforcement officer should know) that 2 is more true than 1.

Next is Wifi Pineapple: this is maybe a little more borderline. Although there are legitimate uses for one of these, I can see that they might raise some eyebrows if you starting going around your local area with one.

Metasploit: well, it’s the tool to get to know if you want to get involved in security. There are so many things you can do with it – like Kali Linux – that are positive, including improving your own security, learning how to protect your systems and adopting good coding practice. If I wanted to get an interested party knowledgeable about how computers really work, how security is so often poor, and how to design better, more secure systems, Metasploit would be the tool I’d point them at.

You may have noticed that I left one out: Discord. Dear, oh dear, oh dear. Discord is, first and foremost, a free gaming chat server. If a child is using Discord, they’re probably playing – wait for it – a computer game.

This poster isn’t just depressing – it’s short-sighted, and misleading. It’s going to get children mislabelled and put upon by people who don’t know better, and assume that information put out by their local police service will be helpful and straightforward. It’s all very well for West Midlands police to state that “[t]he software mentioned is legal and, in the vast majority of cases is used legitimately, giving great benefit to those interested in developing their digital skills”, and that they’re trying to encourage those with parental responsibility to “start up a conversation”, but this is just crass.

I have two children, both around teenage age. I can tell you know that any conversation starting with “what’s that on your computer? It’s a hacking tool! Are you involved in something you shouldn’t be?” is not going to end well, and it’s not going to end well for a number of reasons, including:

  • it makes me look like an idiot, particularly if what I’m reacting to is something completely innocuous like Discord;
  • you’re not treating the young person with any level of respect;
  • it’s a negative starting point of engagement, which means that they’ll go into combative, denial mode;
  • it will make them feel that I suspect them of something, leading them to be more secretive from now on.

And, do you know what? I don’t blame them: if someone said something like that to me, that would be precisely my reaction, too. What’s the alternative suggested in the poster? Oh, yes: contact the police. That’s going to go well: “I saw this on your computer, and I got in touch with the police, and they suggested I have chat with you…” Young people love that sort of conversation, too. Oh, and exactly how sure are you that the police haven’t taken the details of the child and put them on a list somewhere? Yes, I’m exactly that sure, as well.

Now, don’t get me wrong: there are tools out there that are dangerous and can be misused, and some of them will be. By teenagers, children and young adults. People of this age aren’t always good at making choices, and they’re sensitive to peer pressure, and they will make mistakes. But this is not the way to go about addressing this. We need to build trust, treat young people with respect, discuss choices, while encouraging careful research and learning. Hacking – the good type – can lead to great opportunities.

Alternatively, we can start constraining these budding security professionals early, and stop them in their tracks by refusing to let them use the Internet. Or phone. Or computers. Or read books. Actually, let’s start there. Let’s just not teach children to read: we’ll definitely be safe then (and there’s no way they’ll teach themselves, resent our control and turn against us: oh, no).

On conversation and the benefits of boasting

On Monday and Tuesday this week I’m attending DevSecCon in Boston – a city which is much more pleasant when it’s not raining or snowing, which it often seems to be doing while I’m here.  There are a bunch of interesting talks[1] and workshops, and I was asked, at the last minute, to facilitate an “Open Space Discussion” at the end of the first day (as two people hadn’t arrived as expected).  Facilitating discussions is about not talking all the time, but encouraging other people to talk[2]: my approach to this is to tell a story, and then encourage them to share stories.

People enjoy listening to stories, and people enjoy telling stories, and there is a type of story that is particularly useful and important in the world of work: “war-stories”.  Within the IT industry, at least, this refers to stories about experiences – usually bad experiences – from our day-to-day working lives.  They are often used to illustrate a point or lend experiential weight to an opinion being put forward. But they are also great learning experiences.

What I learned yesterday – or re-learned – is the immense value of conversation with our peers in a neutral setting, with no formal bounds or difference in “rank”.  We had at least one participant who was only two years out of college, participants with 25-30 years of experience, a CISO of a major healthcare provider, a CEO, DevOps engineers, customer-facing people, security people, non-security people, people with Humanities[4] degrees, people with Computer Science degrees.  We were about twelve people, and everybody contributed, to greater or lesser degrees.  I hope that we managed to maintain a conversation where age and numbers of years in the industry were unimportant, but the experiences shared were.

And I learned about other people’s opinions, their viewpoints, their experiences, their tips for what works – and doesn’t work – and made, I hope, some new friends.  Certainly some new peers.  What we talked about isn’t vitally important to this article[5]: the important thing was the conversation, and the stories they told that brought their shared wisdom to the table.  I felt, by the end of the session, that we had added something to the commonwealth of knowledge within the industry

I was looking for a way to close the session as we were moving to the end, and hit upon something which seemed to work: I encouraged everybody to spend 30 seconds or so to tell the group about an incident in their career that they are proud of.  We got some great stories, and not only did we learn from them, but I think it’s really important that we get the chance to express our pride in the things that we’ve done.  We rarely get the chance to boast, or to let people outside our general circle know why we think we should be valued.  There’s nothing wrong with being proud of the things we’ve done, but we’re often – usually – discouraged from doing so.  It was great to have people share their various experiences of personal expertise, and to think about how they would use them to further their career.  I didn’t force everybody to speak – and was thanked by one of the silent participants later – and it’s important to realise that not everybody will be happy doing so.  But I think that the rapport that we’d built as a group meant that more people were happy to contribute something than would have considered it at the beginning of the session.  I left with a respect for all of the participants, and a realisation of the importance of shared experience.

 

1 – I gave a talk based on my blog article Why I love technical debtI found it interesting…

2 – based on this definition, it may surprise regular readers – and people who know me IRL[3] – that I’d even consider participating, let alone facilitating.

3 – does anybody use this term anymore?

4 – Liberal Arts/Social Sciences.

5 – but included:

  • the impact of different open source licences
  • how legal teams engage with open source questions
  • how to encourage more conversation between technical and legal folks
  • the importance of systems engineering
  • how to talk to customers and vendors
  • how to build teams through social participation[6]
  • the NIST 800 series and other models to consider security
  • risk: how to talk about it, measure it, discuss it with other functions within the organisation.

6 – the word “beer” came up.  From somebody else, on this occasion.