Duke Humfrey

A Year of Reading Only New Things

It was March 4th, 2022. I already re-read all my comfort books over the last two years. In an effort to avoid becoming dull-witted, I’m going to only read new things for a year, between March 4th, 2022 and March 3rd, 2023.

…one year passes. I update this blog post every time I finish a new book.

Today is March 3rd, 2023. This was a great experiment and I’ll be doing it again for one more year: two years of comfort reading and two years of challenging reading. Books I tried to read (sometimes after multiple attempts) and gave up on: Ulysses. Just can’t. Don’t like it. Mrs Dalloway is a sufficient exposure to the modern novel and Proust was lovely. No need to read Ulysses for something unique.

It was worth it to finally force my way through Moby Dick; I renewed it in the library 3x. Finally to finish it I had to make sure there were no other books I had or could check out so that it was the only one available in Kindle and also had a ticking clock on it.

Fell off the new wagon; read three Pern novels 9/22-9/25. Interestingly enough coinciding with a very stressful personal situation where I didn’t want to process new things.

  1. Everyone should read all of Raymond Chandler.
  2. Get your Roman history from Mary Beard.
  3. It’s hard to screw up by emulating the Horatio Hornblower series. See: Naomi Novik, David Weber, Lois McMaster Bujold, Bernard Cornwell
  4. When Marcia Hofmann tells you to read something, do it.

Here’s the list of all the books I read. [I’m too lazy to change the Amazon Affiliate link thing which is really easy to copy so if you don’t want to use these links, you don’t have to.]

March 3rd, 2023: Cicero: The Life and Times of Rome’s Greatest Politician (Anthony Everitt) A page-turner for information purposes, but it’s no Mary Beard. Just a dash of patriarchy over what should be a more modern take.

March 1st, 2023: White Noise (Don DeLillo) Interesting and a rollercoaster.

February 21st, 2023: Hercule Poirot’s Christmas (Agatha Christie)

February 19th, 2023: Titus Groan (Mervyn Peake) Save a trip – it’s lovely, but go read the Feast of the Innocents by Colin Harker instead – this book is gruesome without the humor.

February 16th, 2023: The Ballad of the White Horse (GK Chesterton) Outstandingly beautiful.

February 10th, 2023: Poems & other Essays (TS Eliot)

February 6th, 2023: Shenanigans (Mercedes Lackey)

January 31st, 2023: Flatland (Edwin Abbott) A bit of a slog to get through so I’m glad it was short.

January 29th, 2023: Death in the Clouds (Agatha Christie)

January 25th, 2023: Work Rules (Laszlo Bock) Jen Easterly recommended this book; excellent choice. Like all good management books, stuffed to the gills with stories that help walk a reader through similar management choices and ideal outcomes.

January 17th, 2023: Desperate Undertakings (Lindsey Davis) I LOVE these procedurals written by a Roman historian. Excellent fodder, written by a lovely and learned author.

January 15th, 2023: SPQR (Mary Beard) My reaction:

January 14th, 2023: Murder at the Vicarage (Agatha Christie) The first Miss Marple – it’s cozy but also lovely and scary.

January 1st, 2023: It Can’t Happen Here (Sinclair Lewis) Yes, yes it can.

December 30th, 2022: Pathways (Mercedes Lackey)

December 26th, 2022: No True Way (Mercedes Lackey)

December 23rd, 2022: Boundaries (Mercedes Lackey)

December 20th, 2022: Into The West (Mercedes Lackey) I binge, sometimes.

December 10th, 2022: Range: Why Generalists Triumph In A Specialized World (David Epstein) (holy cow what a great affirmation of the way I approach startups, poker, and life)

December 9th, 2022: The Pale Horse (Agatha Christie) (meh, not the best of all Christie novels)

December 2nd, 2022: Moby Dick (Herman Melville) Only the forcing function of this blog post could get me all the way through it (and that killer episode of The Mentalist)

November 28th, 2022: Black Cake (Charmaine Wilkerson) Mind-blowing, killer mystery, wonderful world building. Everyone should read this.

November 25th, 2022: Women & Power (Mary Beard) (as advertised; I’m a woman in startups so I already knew all this but now I have source citations)

November 25th, 2022: League of Dragons (Naomi Novik) (what a wonderful ending, though not as page-turning as the first five installments)

November 23rd, 2022: Blood of Tyrants (Naomi Novik)

November 15th, 2022: Crucible of Gold (Naomi Novik)

November 14th, 2022: Babel, Or the Necessity of Violence: An Arcane History of the Oxford Translators’ Revolution (R. F. Kuang) Beautiful, sad, not a book to read if you’re feeling sad.

October 27th, 2022: The Three-Body Problem (Liu Cixin) Now here’s an incredible work of fiction that feels like futurism instead of a story.

October 23rd, 2022: Lord Edgware Dies (Agatha Christie)

October 23rd, 2022: On The Road (Jack Kerouac) Audiobook A better way to ride a bike.

October 22nd, 2022: Leaves of Grass (Walt Whitman) Audiobook A good way to ride a bike.

October 22nd, 2022: For Whom The Bell Tolls (Ernest Hemingway) Audiobook. Very Papa. Much Ernest. It’s just…really, really Hemingway-esque, but the ending is genuinely moving.

October 19th, 2022: I Know Why The Caged Bird Sings (Maya Angelou) Oh my god; it was mindblowing. Lovely, terrifying, inexorable.

October 18th, 2022: Tongues of Serpents (Naomi Novik)

October 15th, 2022: The Four Day Win (Martha Beck) Less pretty than French Women Don’t Get Fat but basically the same message.

October 9th, 2022: The Applied Critical Thinking Handbook (formerly the Red Team Handbook) (US Department of Defense) Excellent work; systemic, a good layout of military strategy.

October 9th, 2022: North And South (Elizabeth Gaskell) YAS in every way; you’re going to see Richard Armitage in the lead role for this no matter what you do, and it’s ok.

October 8th, 2022: Dark Lord of Derkholm (Diana Wynne Jones) This was…pardon me…darker than I’d expected. I’m not sure I am glad I read it in that moment.

October 5th, 2022: When We Were Very Young (A. A. Milne) A beautiful and cozy work.

October 1st, 2022: Victory of Eagles (Naomi Novik)

September 28th, 2022: Empire of Ivory (Naomi Novik)

September 25th, 2022: Snow Crash (Neal Stephenson) I have Feelings about this one. :/

September 20th, 2022: The Vanished Seas (Catherine Asaro) This is an INCREDIBLE series and I love it. cyberpunk badass with great worldbuilding.

September 8th, 2022: A Psalm For The Wild-Built (Becky Chambers) fast read, good world, cozy scifi

September 8th, 2022: Absolutely True Diary of a Part Time Indian (Sherman Alexie) My 15-year old nephew was right – this is a wonderful YA novel.

September 7th, 2022: Undercity (Catherine Asaro) le WOW this is good. Major Bhaajan is an excellent heroine.

September 5th, 2022: Black Powder War (Naomi Novik)

September 1, 2022: Admiral Hornblower (CS Forester)

August 30th, 2022: Lord Hornblower (CS Forester)

August 28th, 2022: Commodore Hornblower (CS Forester)

August 27th, 2022: Measure What Matters (John Doerr) I strongly recall OKRs from this and used it as a text.

August 22nd, 2022: Flying Colours (CS Forester)

August 21st, 2022: Ship of the Line (CS Forester)

August 20th, 2022: Paradise Regained (John Milton) (Audible)

August 20th, 2022: Paradise Lost (John Milton) (Audible) Yeah, that quote you thought was from the Bible? It was from here.

August 18th, 2022: The Happy Return (CS Forester)

August 17th, 2022: Ransomware (Sherri Davidoff) Got to read this one early for blurbing as well and it is an absolutely righteous read – a complete page turner for anyone in infosec.

August 16th, 2022: Hornblower and the Atropos (CS Forester)

August 15th, 2022: Hornblower During the Crisis (CS Forester)

August 14th, 2022: Hornblower and the Hotspur (CS Forester)

August 11th, 2022: Lieutenant Hornblower (CS Forester)

August 9th, 2022: Mr. Midshipman Hornblower (CS Forester) Yeah, so Hornblower by way of…Hornblower. I blew through all these and loved them.

August 5th, 2022: Obviously Awesome (April Dunford) Pretty ok; I can’t remember much about it 8 months later.

August 4th, 2022: Throne of Jade (Naomi Novik)

August 4th, 2022: Mrs. Dalloway (Virginia Woolf) And here it is – my reason to never have to read Ulysses. Woolf did the walkabout novel best and with the precise amount of fractured internalism while giving the incoherence a miss.

August 3rd, 2022: His Majesty’s Dragon (Naomi Novik) Hornblower by way of dragons – I burned through all these as fast as possible. I loved Honor Harrington (Hornblower by way of spaceships) so I figured these would do the trick and I was quite right.

July 30, 2022: The Sins Of Our Fathers (James SA Corey)

July 29th, 2022: The Big Sleep (Raymond Chandler) Never going to not re-read Chandler for the rest of my life.

July 24th, 2022: Barchester Towers (Anthony Trollope)

July 15th, 2022: The Warden (Anthony Trollope) These are wonderful! Same Middlemarch energy in half the serving size.

July 10th, 2022: Black Coffee (Agatha Christie)

July 10th, 2022: The Murder of Roger Ackroyd (Agatha Christie) THE MASTERPIECE. The whole point is the reveal; if you’re going to read this, do not look up anything about it, don’t read reviews – just go read it immediately and trust me.

July 7th, 2022: The Gilded Wolves (Roshani Chokshi) Lovely YA, but I didn’t choose to keep going with the series. It has notes of Tanith Lee but not quite the depth and universality.

July 2nd, 2022: Leviathan Falls (James SA Corey)

June 29th, 2022: Tiamat’s Wrath (James SA Corey)

June 25th, 2022: Auberon (James SA Corey)

June 25th, 2022: Gods of Risk (James SA Corey)

June 24th, 2022: Persepolis Rising (James SA Corey)

June 24th, 2022: Strange Dogs (James SA Corey)

June 22nd, 2022: The Churn (James SA Corey)

June 22nd, 2022: Babylon’s Ashes (James SA Corey)

June 20th, 2022: The Butcher of Anderson Station (James SA Corey)

June 20th, 2022: Nemesis Games (James SA Corey)

June 16th, 2022: Cibola Burn (James SA Corey) Yeah, you’re about to see me burn through every single Expanse novel as fast as I can get them into my Kindle.

June 11th, 2022: Daring Greatly (Brene Brown) I liked.

June 10th, 2022: The Island of Doctor Moreau (HG Wells) Eh. HG is best when on themes of physics, not biology.

June 8th, 2022: Don Quixote (Miguel de Cervantes) This is far more heartbreaking than I realized it would be.

June 8th, 2022: Great Expectations (Charles Dickens) I can’t remember if I ever actually read it before or just know the story so well, but I don’t think I ever read the unabridged one; holy cow the Hamlet references are so many and so strong.

June 6th, 2022: Zero To One: Notes on Startups, or How to Build the Future (Peter Thiel & Blake Masters) I mean, he’s not wrong.

June 3rd, 2022: The Snows of Kilimanjaro And Other Stories (Ernest Hemingway)

May 31st, 2022: The Secret History (Donna Tartt) Du Maurier by way of Dark Academia – another thanks to Marcia H on this one.

May 29th, 2022: Frankenstein: Annotated for Scientists, Engineers, and Creators of All Kinds-The MIT Press (Mary Shelley) (the easiest read for people who didn’t like it the first time since the annotations are brilliant)

May 2nd, 2022: Enumerations: Data and Literary Study (Andrew Piper)

May 1st, 2022: A Hacker’s Mind: How The Powerful Bend Society’s Rules, And How To Bend Them Back (Bruce Schneier) I read this in drafts to comment and it’s an incisive description of how to see the world differently enough to be usefully annoying.

April 25th, 2022: The Portrait of a Lady (Henry James) (stultifying, brilliant, the future’s dark mirror)

April 22, 2022: Through The Looking-Glass (Lewis Carroll) [it’s been so long I can’t remember if I read it or just thought I had]

April 16th, 2022: Shorefall (Robert Jackson Bennett) These novels are just lovely.

April 13th, 2022: The Feast Of The Innocents (Colin Harker) Do you like gothic mystery with a sly nod to the campy takes from film? And how!

April 13th, 2022: The Mystery On The Blue Train (Agatha Christie)

April 11th, 2022: Farewell, My Lovely (Raymond Chandler)

April 11th, 2022: Cyberinsurance Policy (Josephine Wolff) Yay! I got to read this in galleys to blurb it, and it was outstanding. Josephine writes about risk more skillfully than anyone I’ve encountered so far.

April 10th, 2022: No One Can Pronounce My Name (Rakesh Satyal) What a lovely and amazing novel; it’s weird and familiar at the same time.

April 8th, 2022: The Maltese Falcon (Dashiell Hammett) Every. Word. Is. Perfect.

April 7th, 2022: Middlemarch (George Eliot) Get 60% of the way through this and all of a sudden, it’s not slow, or quiet, or meditative, but a righteous blast of a drama with characters that should every one of them have a Netflix miniseries.

April 7th, 2022: Becoming (Michelle Obama) Beautiful, inspiring, glorious; I quote it in my head and I probably ask myself twice a week, WWMOD?

April 4th, 2022: The Crime at Black Dudley (Margery Allingham)

March 28th, 2022: The Big Four (Agatha Christie)

March 23rd, 2022: The Man Who Knew Too Much (GK Chesterton) A killer mystery.

March 21st, 2022: The Immortal Life Of Henrietta Lacks (Rebecca Skloot) Heartbreaking, lovely, not for reading by anyone who’s not in a good place emotionally.

March 20th, 2022: The Simple Art Of Murder (Raymond Chandler) More, more, more!

March 17th, 2022: Rebecca (Daphne du Maurier) Oh DAMN this one was a screaming page-turner and anyone who hasn’t read this, simply MUST.

March 16th, 2022: The Murder On The Links (Agatha Christie)

March 15th, 2022: Eat Pray Love (Elizabeth Gilbert) Not too bad. The manifesto of a woman who never gave herself permission to do what she wanted ever, and when faced with the ability to do so, took a while to get her feet under her.

March 13th, 2022: Jude The Obscure (Thomas Hardy) A righteous page-turner with such tear-jerking, especially for anyone familiar with Oxford.

March 13th, 2022: Wild (Cheryl Strayed) I loved the PCT parts, and eventually started more skimming the personal bits.

March 13th, 2022: Poirot Investigates (Agatha Christie) Another in the line.

March 11th, 2022: The Hero With A Thousand Faces (Joseph Campbell) A bit derivative but a useful collection – sort of like a literary review of classic stories to find meta-similarities.

March 10th, 2022: The Long Goodbye (Raymond Chandler) Holy WOW thank you to Marcia Hofmann for getting me into the classics of crime. This is a stunning book and the language is as beautiful as you may have been told.

March 8th, 2022: The Underworld Sewer (Josie Washburn) A fascinating read that was one of the first available autobiographical books from a sex worker, describing all the ways in which blame and consequences attached themselves to women as opposed to the men who bought sex from them.

March 7th, 2022: Gone Girl (Gillian Flynn) This suffered from the fact that it was the first in a genre, and I’d already read several in the succession from it. We all think Frankenstein is derivative now because it was the first and inspired so many takes.

March 6th, 2022: The Prince (Niccolo Machiavelli) [counts because I hadn’t read the new translation]

March 6th, 2022: Slaughterhouse Five (Kurt Vonnegut) This one’s stuck in my head.

March 5th, 2022: Death By Dumpling (Vivien Chien) Very cute.

March 4th, 2022: The Mysterious Affair at Styles (Agatha Christie) So worth it; I hadn’t ever started from the beginning of the Poirot mysteries. I’d read The ABC Murders, etc, but this one is so fascinating for all the things we think we knew about Poirot but weren’t actually true – or were missing from our collective understanding.

Troubleshooting Apple’s iCloud Advanced Data Protection

TL;DR: set your recovery key and contact, pick an iCloud device (I used my phone), log fully out of iCloud, and log back in. Try enabling ADP then.

I tried a month ago to enable ADP on my iCloud account, using the Apple instructions found here. I went to Settings > iCloud > Advanced Data Protection, and did my darnedest. It simply would not work.

I gave up after the utter lack of explanatory messages and silent fails for why ADP would not enable. I tried to add my spouse as my Recovery Contact, but he does not use iMessage or Apple devices. I have someone else I am using for that Recovery Contact, and after messaging them to tell them what I’d done, they accepted the invite and I was able to see they were a confirmed Recovery Contact. I eventually figured out that I had to have a friend with an Apple device who could receive iMessages for a Recovery Contact, but I saw this maddening screen again and again:

Even though I had clearly added and verified my Recovery Key.

If you try to enable ADP without having both a Recovery Key and Recovery Contact set, you may see a completely unhelpful message that says “Something went wrong. There was a problem turning on Advanced Data Protection. Try again later.” Here’s the Apple Support Forums thread on this topic. You may also only see a blue button that says “Review Recovery Methods” which then simply closes without telling you what next steps to take.

The legendarily good Apple user experience has fallen completely over on this one. It’s as if the rollout of this was tested only by people deeply experienced with Apple devices and logic, and full implementation was left as an exercise to the end user.

The ADP settings screen does not tell you that you must BOTH have a Recovery Key and a Recovery Contact.

So, for fixes, here are the first steps to try:

  1. Are all your devices updated to the minimum required operating level?
    • iPhone with iOS 16.2
    • iPad with iPadOS 16.2
    • Mac with macOS 13.1
    • Apple Watch with watchOS 9.2
    • Apple TV with tvOS 16.2
    • HomePod with software version 16.2
    • Windows computer with iCloud for Windows 14.1
  2. Have you considered removing any devices that are currently unneeded from your iCloud account? I removed my Apple Watch 4 because it’s trivial to restore it and fewer devices might be better.
  3. Did your Recovery Contact accept the invitation? It’ll say “Request Sent” under their name if they haven’t yet accepted. That request is sent via iMessage, with no option for any other method of sending the request.
  4. Have you set the Recovery Key, then logged out of iCloud on your device, and logged back in? When you did, did the Recovery Key show as set and On?

That’s what worked for me. If you get here, you’re probably golden. Good luck!

Jan 30, 2023 EDIT: an infosec community member who does not currently wish to be identified provided additional information for 2020 iPhone SEs which seem to be a bit fussier. Here is the workaround and a composite screenshot. Thank you so much to them!

1. Device backup (offline)
2. Device wipe
3. iCloud login, set recovery key, then enable ADP
4. Restore from backup
5. Add security keys

That’s a nice cyber you’ve got there. Shame if something were to happen to it.

It should deeply concern us that cyber insurance is becoming less available.

The CEO of Zurich Insurance (the company that denied Mondelez’s USD 100m claim after NotPetya on the grounds of it being warfare) says “What will become uninsurable is going to be cyber,” and he asks “What if someone takes control of vital parts of our infrastructure, the consequences of that?”

He’s right – and also right that ransomware payments are creating perverse incentives for insurance companies. This is something like the equivalent of submitting a claim to your home insurance for $10,000 when you had to pay that 10k to a criminal threatening to burn your house down, and telling the insurance company that they should be happy that they aren’t paying the full value of your home instead.

Now, the issue here is that there’s no law enforcement agency with the ability to save you from ransomware attacks in the same way that you can turn in a criminal threatening arson, leaving especially small and mid-sized businesses in the lurch. Ransomware is existential for them in a way it is simply not for larger organizations.

The burden will be put on organizations to save themselves from ransomware with what I think is an ever more likely push by USG to ban ransomware payments. Because this ban will not hit SMBs (existential threat) the same way it will for enterprises (closer to a cost of doing business), USG must provide more services at the state and local level for SMBs to prevent and recover from ransomware attacks. @ciaranmartin and I wrote an article on this last year which is still 100% true: attacking critical infrastructure via ransomware payments along any point in the supply chain is a national security risk, not simply a financial one.

Contempt is the most dangerous emotion

There is an entire world of small and mid-sized businesses that are absolutely helpless in front of the kinds of attacks that we call “basic” in infosec. Invoice spearphishing, BEC, credential harvesting – these are the kinds of things we think of as entry-level hacks.

Ok, I’m a little angry here. I’ve heard a dozen stories this year from professional services providers like accountants and lawyers and MSPs about the jargon, contempt, and expense from enterprise product companies and infosec consultancies.

I’d like to challenge every infosec pro: can you talk to your friends, barista, gardening service, local cafe owner, bookkeeper, day care provider, personal trainer, housekeeper (really, any person whose job is actively being replaced by the gig economy) and find out if their business has implemented 2FA? If they don’t understand what you’re talking about, can you explain it clearly and helpfully enough that they’re happy to become the internal advocate at their SMB for more security?

If you can, thanks. If you can’t, ask yourself and your company and your community: what are we doing to protect the half of American workers who don’t work at enterprises large enough to force security measures and profitable enough to pay for them?

Why am I retiring from CTFs?

I’ve talked a lot about how I no longer do “fuzzy mentorship.” (If you haven’t heard the term, it’s generally seen as mentorship that focuses mostly on vague things like good vibes and is endeavored upon mostly for reasons of publicity. I’ve got no more energy for all… that.)

I’d rather do sponsorship: targeted acts of promoting and providing opportunity that allows me to put my influence behind young and/or midcareer women of color. Writing a recommendation, referring for a job, setting up a meeting, and responding to specific questions are some of those very targeted actions that can make a difference.

Here’s how that’s currently manifesting in my life and career in a way that tries to help others.

I’m about to retire, as it were, from competitive Capture the Flag (CTF) hacking competitions. After 5 years of competing within the SANS NetWars circuit, I and my team — NullCastleException — won the international Tournament of Champions in December 2021. My teammates David (@chebuzz) Carlson, Christopher (@tcpsub13eq0x02) Miller, Szymon (@szymex73) Borecki, and fable were supportive and amazing!

The SANS Institute has made some really awesome trophies over the years!

I have been doing CTFs seriously for about ten years, and cannot think of a better way to improve your skills in information security while making great connections and adding lines to your resume than by participating in CTFs. It’s how you can gain experience, face problems that aren’t discussed in textbooks, and try exploits against real-world systems that aren’t just in your sterile sandbox or your company’s lab. I have loved doing this ever since my long-time collaborator and good friend Liz (@tanglisha) and I were on the winning team in LosT’s Mystery Challenge at DEF CON a decade ago.

Left: Tanglisha at DEF CON 20. Right: me and LosTboY at DEF CON 20.

That’s me and Liz with our team’s trophy and our black badges. Since that DEF CON, we kept going in competitions and have had a total blast.

This is us at DefendCon in 2019 where we won the OpenCTF.

We won the OpenCTF at DefendCon in 2019, too. 🙂

There are lots of CTF teams that have highly skilled members but which can also use someone who’s more junior or even differently-skilled. Someone who will simply show up, do the research, and support the team. Do not dismiss this possibility if you are considering where you might find a place in the competitive hacking arena and you’re a bit nervous about whether your skills are enough.

NOTE: It’s sadly also true that many CTF teams somehow mysteriously manage to leave the junior women off the podium or snatch the trophies back when they win something, and later “explain” that as a junior member of the team they were just there as a support, not a real or full team member. Other women and I have personally experienced that injustice and there are some horrible missing stairs in the CTF world. However, I also know several excellent CTF teams that treat people with respect and would never do that, and I would love to very specifically connect midcareer women of color to a few of those teams where you’ll get a shot to listen, learn, really participate, and eventually form additional teams. Yes, this is a lot of work, but it’s the single best way I’ve seen for women and BIPOC to be seen as “truly technical” in the field.

Besides, this kind of competition is really, really fun!

DefendCon OpenCTF, 2019

I can’t even describe how much I’ve enjoyed CTFs. The experiences I’ve had at SANS during their NetWars competitions have, on average, been the best. Event architects Tom Hessman, Jeff McJunkin, & Ed Skoudis have been amazing at running the competitions, getting new people unstuck, and challenging veteran players. Our team NetWarsAndChill had a whole holiday decor theme happening at the SANS Tournament Of Champions in DC in 2019.

SANS NetWars Tournament of Champions, December 2019
Team NetWarsAndChill at SANS NetWars Tournament of Champions, December 2019

When women and POC interview for technical roles, there is often a person advocating for them. Give that individual a weapon to use on your behalf. “We took third place in my local BSides Open CTF in 2021,” is a two-handed flaming broadsword in the hands of a recruiter trying to get you into a security research or SOC analyst job opening. It says you’re participating in the community, that you believe in teamwork, that you put the effort in, and that you’re connected with similarly enthusiastic colleagues already.

Let this be a way for you to stand out among the hundred other people who are interviewing!

I must emphasize: if you’re afraid you’ll expose your total ignorance, know that I have been on lots of CTF teams, and I — along with nearly everyone else who’s sat next to me at the competition tables — constantly struggle with that same fear. We cope with it by being open about what we don’t know and by being generous with teaching people what we do know. These are the friends and colleagues I’ve had with me through this experience and I’m grateful for each and every one of them.

Of course I love my NetWarsAndChill team, including amazing people like Mike Downing and Jacen Kohler! I had great experiences competing with other veteran and respected CTFers like Mike Dee (@mikedee_hacker), Matt (@pseudosec) Kalinowski and ants (@DarkBerryBash), and they’re welcoming to n00bs. The buddy system works, and everyone I’ve named in this post is open and willing to help, advise, and maybe even compete with you!

I’ve been doing this for a decade. It’s time to both pass the torch and move on to sponsoring the next set of amazing competitors. If this avenue of potential opportunity appeals to you, let me know. I have a private list and Signal group of resources, people, and mentors who like introducing people to CTFs. Many of these individuals and teams are explicitly interested in diverse voices and new faces, because they recognize that a team which represents multiple perspectives and backgrounds will always be stronger and more capable than a team whose players are all monolithic and identical.

If you don’t know how to reach me, go find one of my email addresses. That is your first flag to capture. 😉

Good luck!

An education-based approach to curbing CSAM production

Originally published in Brookings TechStream.

March 17, 2022 Savannah Sly and Tarah Wheeler

A bird flies past the U.S. Capitol in Washington, D.C., U.S., on Thursday, March 17, 2022. Photo by Al Drago/Pool/ABACAPRESS.COM

In recent weeks, a misguided legislative initiative to provide children with better protection online has gained momentum on Capitol Hill. In its current form, the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2022—better known as the EARN IT Act—would strip technology companies of protection from liability for child sexual abuse material (CSAM) uploaded onto their platforms by users. The bill is premised on the idea that technology companies aren’t doing enough to combat the presence of such material and need to face the prospect of greater legal penalties to do so.

The bill is deeply flawed, and a chorus of technologists and researchers argue that the bill not only won’t achieve what it aims to do (protecting children) but will also harm a much larger group of internet users in trying and failing to protect kids from being exploited online. One of EARN IT’s key provisions potentially exposes technology companies to liability if their encryption features are found to enable the spread of CSAM—a move that may lead many companies to conclude that offering encryption to users simply isn’t worth it and doing away with secure messaging tools entirely. Such a move would be disastrous for privacy, human rights, free speech, and communities at risk for surveillance.

EARN IT’s backers are motivated by a desire to help children, but in their attempt to do so, they’ve misdirected their efforts at computer security systems that enable the spread of CSAM as part of enabling all communications of any kind. Rather than focusing on preventing the production of CSAM in the first place, they are attempting to make changes to the security features of modern computing that allow it to be spread once created. The digitally enabled sexual abuse of children is a serious, horrific problem, but addressing it requires a different, more proactive approach. Instead of attacking security systems, policymakers could direct their efforts in a more useful direction: educating children how to be safe online. Investing in childhood education, primary care, adolescent education in consent, community support for ombuds and social work, and appropriate financial incentives for primary caregivers is difficult and expensive—and it works to prevent child sexual abuse. The EARN-IT Act, flatly, will not.

The EARN-IT Act takes aim at CSAM by altering the liability protections of Section 230 of the Communications Decency Act, and it isn’t the first time Congress has sought to regulate the presence of sexually explicit content online. In 2018, Congress sought to address commercial sexual exploitation by passing SESTA and FOSTA, two bills that increased liability for content hosts under Section 230. The result of SESTA and FOSTA was the immediate voluntary shutdown of dozens of websites that sex workers used to advertise and vet potential clients, the ripple effects of which inadvertently increased vulnerabilities to exploitation and violence in the sex trade. When sex trade websites close or get shut down, it is more difficult for law enforcement to identify and combat sex trafficking. Given how badly SESTA and FOSTA backfired, it’s alarming that lawmakers would entertain the EARN IT Act before passing legislation that would evaluate the full effects of these online censorship laws.

One of the most discouraging aspects of the EARN IT Act is that it does nothing to prevent child abuse from happening in the first place. EARN IT does not bolster preventative tools that can protect young people from harm, such as age-appropriate comprehensive sexuality education. Predators lurking on chat sites would have a harder time grooming and exploiting youth if young people were equipped with knowledge about boundaries, consent, and healthy/unhealthy relationships. Ironically, anti-abuse organizations such as the National Survivor Network have suggested that the EARN IT Act may prevent young people from accessing online information about sexual health, gender, and consent that could help keep them safe. Queer youth are particularly vulnerable to the unintended consequences of a bill like EARN IT, especially in light of the many anti-LGBTQ bills cropping up around the country. Given that an estimated 9-10% of youth in the US identify as LGBTQ, it would be difficult to overstate the potential harms of this bill.

It is well established that victims of child abuse are usually harmed at the hands of someone in or connected to their family, and preventing abuse at home starts with adults taking responsibility, being active in the lives of young people, and learning how to identify signs of abuse. Decreasing stress and offering pathways to treatment by ensuring families have access to stable housing and healthcare may do more to curb abuse at home than a bill like EARN IT ever could. EARN IT plays whack-a-mole with CSAM instead of actively stopping it from occurring.

EARN IT will never be able to eradicate the increasing practice of young people taking and sharing intimate photos and videos of themselves, and preventing such material from circulating online would be better done through education. This material, referred to as self-generated child sexual exploitation material (SG-CSAM), is the result of youth having increased access to media and communications technology. While EARN IT may attempt to stop SG-CSAM from being circulated, it’s more important to have realistic conversations with youth about the enduring nature of digital media and the risks of sharing intimate media of themselves. In our increasingly digital world, arming youth (and adults) with education about risks to privacy is critical. Additionally, we must collectively stop victim blaming people who have their nude photos non-consensually or illegally shared with the public, regardless of their age or occupation.

Just as SESTA and FOSTA did not stop sex trafficking (and in fact may have made things worse), EARN IT will not stop child abuse materials from coming into existence. EARN IT may in fact make it harder for law enforcement to locate CSAM files being circulated. Once it becomes known that encrypted services are no longer useful for transmitting CSAM, abusers will pivot to other tools, such as snail mail or niche platforms, to circulate offensive materials. A move toward such platforms or an embrace of ordinary mail would make CSAM investigations even more difficult than they already are. 

A lingering question yet to be addressed is exactly how CSAM materials will be identified, should EARN IT pass. EARN IT will stifle sexual expression and hinder consenting adult sex workers from making a living online but not actually solve the problem of CSAM. How would an abuse video of a 16-year-old be differentiated from a legal video created by an 18-year-old? Given the complexity of this task, it’s likely that many formerly encrypted services would bar the transmission of any erotic or explicitly sexual content. EARN IT could mark the death of sexting as we know it. Not only does this violate sexual expression freedoms, but it prevents adult sex workers from supporting themselves financially through the relative safety of online work. Sex workers who produce pornography already maintain records proving that everyone in the film is of age and consents to being filmed. Law-abiding websites that host pornographic content already require proof-of-age documentation, reducing the odds that CSAM will end up on their platforms.

For decades, cryptographers have made the case that the compromises politicians seek in encrypted computer systems—to crack down on CSAM or to listen in on the contents of terrorist communications—can’t be made without consequences for the broader computer security ecosystem crucial to businesses and citizens. This conflict—between the demands of politicians on the one hand and encryption on the other—has become a fact of modern life, and the EARN IT Act is merely its latest iteration. There are no technologists who can tell you how to safely and securely enforce this new EARN IT Act—because it’s not possible. As a recent Washington Post piece noted, the EARN IT Act has made strange bedfellows of Big Tech, free speech activists, industry groups, sex workers rights activists, the infosec community, and civil society groups, all of whom are united in their belief that this legislation is infeasible and a net negative. On the other side of the debate are law enforcement groups, moral crusaders (primarily the National Center on Sexual Exploitation, which before it rebranded was known as Morality in Media), and some well-meaning abuse victims organizations looking to crack down on CSAM. But even for the latter group, EARN IT will not do what they hope and will instead make CSAM prosecutions substantially more difficult.

If lawmakers want to curb rates of CSAM production, we must create policies that prevent CSAM upstream, rather than increase the attention and resources to downstream mitigation that can never catch everything. Washington state recently passed a measure mandating age-appropriate comprehensive sex education in schools which will help students understand consent, safety, and “choose healthy behaviors and relationships that are based on mutual respect and affection, and are free from violence, coercion, and intimidation”. Educational policies in schools such as age-appropriate sex ed will do far more to prevent the creation of CSAM than reactive measures like EARN IT ever would.

Politics, it’s often said, is the art of compromise. A life in politics teaches the art of the partial achievement. When politics bumps up against a universal constant, or a truth of math and physics, politicians often simply cannot grok that there are things they can’t change, can’t bargain against, can’t shift, can’t manipulate. Encryption is one of these things, but in this latest iteration of the three-decade long fight between technologists and politicians seeking to limit the availability of encryption technology, political leaders with a genuine interest in curbing the spread of CSAM would benefit from seeking solutions that actually address the problem. Educating children how to be safe online is the first step to reduce the prevalence of abusive material online. 

Savannah Sly is an advisor to the Woodhull Freedom Foundation and a sex worker rights advocate who resides in Seattle, WA. @SavannahSly
Tarah Wheeler is a contributing editor to TechStream, a Cyber Project Fellow at the Belfer Center for Science and International Affairs at Harvard University’s Kennedy School of Government, an International Security Fellow at New America leading a new international cybersecurity capacity building project with the Hewlett Foundation’s Cyber Initiative and a US/UK Fulbright Scholar in Cyber Security for the 2020/2021 year.

4 Truths About Cybercrime (and the research to back them up)

Original post on Medium.

I was recently asked by someone involved in policymaking for a short bulleted reading list on cybercrime and how to understand the major issues since they didn’t come from a technical background. I started writing the email and then realized I might as well post it here so I can refer back and possibly update. This is massively simplified and is my short hot take if I’m given one minute to explain a problem to someone who doesn’t have a lot of time but has to act on issues related to cybercrime.

  1. When you experience cybercrime, the police probably can’t help you. If you think the cybersecurity staffing shortage is bad in industry and government, try your local sheriff. You are often required to report a crime to secure social help after being victimized, and that experience is rarely a positive one, especially for marginalized persons. The police in general will treat a report of a $250 purse theft differently than a report that $250 was phished from your bank account, even if you know precisely who did it. If you don’t know where the cybercrime was committed or originated from, the police will tell you that you can’t report it. In general they will refer you either to social services or tell you to report an online crime to the FBI (who generally won’t lift a finger for $250). This refusal to accept reports locally by the police and lack of action from the FBI makes these crimes invisible. There’s effectively nothing anyone can do if you’re a victim of cybercrime other than report you as a statistic. (If you need to, here’s where to report to the FBI). Here, read this. Also, advocate for clear jurisdiction over internet crime and fund the people investigating it.
  2. Going dark is a myth. The complaints that the FBI and other law enforcement organizations have over the use of encryption on personal devices are about their convenience, their backlog of investigations, and in general a lack of technical people inside their organizations, not truly about responding to potential crimes. The FBI and other law enforcement organizations should consider creating an appealing workplace environment with market-rate salaries to attract some technologists rather than trying to sue their way into slowing down technological innovation so they can keep pace. LEOs can get into phones whenever it’s actually important for them to do so. Note: domestic cybercrime is a different conversation in terms of policy than in espionage, where the ability to access and read a device in another country could be important. However, note that the technology to remotely access and decrypt devices and communications is the same whether being used by a local sheriff’s deputy or the CIA — so authorize its use carefully. Here, read this. Also, fight backdoors in encryption.
  3. We have a domestic law preventing the creation and training of people who could help with the cybercrime problem. We already have the names of crimes like theft, fraud, and abuse of the public trust. Saying it’s somehow worse to do crimes with a laptop instead of a mailbox only works because prosecutors and juries are frequently able to be convinced that computers are apocalyptically mysterious wizard boxes instead of some sand and steel that we bossed around until it did what we told it to do. The 1986 Computer Fraud and Abuse Act (CFAA) is the cause of much pixel spillage, but suffice to say that it’s a terrible law that penalizes security researchers and doesn’t stop real criminals. It’s primarily used to sprinkle magic cyber dust over a stack of criminal charges against a defendant to scare juries, with a lovely secondary use of threats of prosecution for intellectual property theft against former employees of a monopolistic company afraid of competition. Smart young people have died in this country due to the CFAA. Here, read this and this and this. Also, repeal and replace the CFAA as fast as possible.
  4. Policymakers who don’t understand technology not only make bad law, but they scare others from wanting to help and enable bad actors to flourish. I try to be a reasonably tactful person, but there’s something especially blithering about the idiocy of politicians who think that because they cannot read HTML, it must be encryption (“I can’t read Spanish, so this Mexico City newspaper must be deliberately hiding its meaning from all English speakers!”). Or, that someone with the skills to notice that an entire US state has published the Social Security numbers of all their teachers and the kindness to tell someone so must be a computer criminal. Intentionally ignorant policymakers who take out their own inadequacies in understanding technology by either mocking or hurting techies or by trying to somehow declare that politics is determining the outcomes of math are dangerous. When policymakers don’t understand the fundamentals of technology or how the online world works, it makes them a figure of ridicule and unable to perform the oversight function necessary to regulate and protect the public. Here, read this and this and watch this. Also, if the policymaker you’re talking to has no intelligent technical people they’re listening to, empathetically find them some to talk to — or, if they have no interest in learning new things, back slowly away and primary the hell out of them next time.

Thanks for comments on this to @KendraSerra and to other distinguished colleagues unnamed here.

An Oeuf With Blockchain, Already

Blockchain Eggs

I created a short video and slide deck to help illustrate how a blockchain works. This is not about Bitcoin, but is intended to help people who aren’t as experienced with Merkle trees understand that the idea of a blockchain is to be able to independently verify where and when a thing happened without being able to go back and alter it to make something else have happened instead.
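As an added example (not from the post, its slides, or its video): a small Python ledger that commits each block's entries under a Merkle root, chains block headers by hash, and lets anyone holding a copy re-derive every hash. It shows that editing a past entry is caught locally, that a single entry can be checked with a short inclusion proof, and that a full rewrite of the chain is only exposed by comparing against a head hash published somewhere the rewriter does not control. The egg-ledger entries and timestamps are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List, Tuple

def h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Leaves and inner nodes get different prefixes so a leaf is never re-read as a node.
def leaf_hash(entry: str) -> str:
    return h(b"\x00" + entry.encode("utf-8"))

def node_hash(left: str, right: str) -> str:
    return h(b"\x01" + bytes.fromhex(left) + bytes.fromhex(right))

def _next_level(level: List[str]) -> List[str]:
    if len(level) % 2:
        level = level + [level[-1]]            # duplicate the last hash on odd levels
    return [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(entries) -> str:
    level = [leaf_hash(e) for e in entries] or [h(b"\x00")]   # empty block: fixed root
    while len(level) > 1:
        level = _next_level(level)
    return level[0]

def merkle_proof(entries, index: int) -> List[Tuple[str, str]]:
    # Sibling hashes from leaf to root, each tagged with the side it sits on.
    level, proof = [leaf_hash(e) for e in entries], []
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        sib = index ^ 1
        proof.append(("L", level[sib]) if sib < index else ("R", level[sib]))
        level, index = _next_level(level), index // 2
    return proof

def verify_proof(entry: str, proof: List[Tuple[str, str]], root: str) -> bool:
    cur = leaf_hash(entry)
    for side, sib in proof:
        cur = node_hash(sib, cur) if side == "L" else node_hash(cur, sib)
    return cur == root

GENESIS_PREV = "0" * 64
@dataclass(frozen=True)
class Block:
    height: int
    timestamp: int              # "when" these entries were committed
    prev_hash: str              # links this block to every block before it
    entries: Tuple[str, ...]
    root: str                   # Merkle root over entries
    def header_hash(self) -> str:
        return h(json.dumps([self.height, self.timestamp, self.prev_hash, self.root]).encode())

def append_block(chain: List[Block], entries: List[str], timestamp: int) -> Block:
    prev = chain[-1].header_hash() if chain else GENESIS_PREV
    chain.append(Block(len(chain), timestamp, prev, tuple(entries), merkle_root(entries)))
    return chain[-1]

def verify_chain(chain: List[Block], published_head: str) -> Tuple[bool, str]:
    """Recompute every hash from the raw entries, then compare the final header hash with
    one obtained independently; without that anchor a full rewrite looks self-consistent."""
    expected_prev = GENESIS_PREV
    for blk in chain:
        if blk.prev_hash != expected_prev:
            return False, f"block {blk.height}: broken link to previous block"
        if blk.root != merkle_root(blk.entries):
            return False, f"block {blk.height}: entries do not match Merkle root"
        expected_prev = blk.header_hash()
    if expected_prev != published_head:
        return False, "head hash differs from the independently published one"
    return True, "ok"

def demo() -> dict:
    """Constructed egg-ledger data (made up for this example) and two tamper attempts."""
    chain: List[Block] = []
    append_block(chain, ["Alice buys 12 eggs", "Bob buys 3 eggs", "Carol buys 6 eggs"], 1_600_000_000)
    append_block(chain, ["Alice returns 2 eggs"], 1_600_000_600)
    head = chain[-1].header_hash()           # imagine this value was published widely
    out = {"honest": verify_chain(chain, head)}
    # Bob can check his own receipt against block 0's root using only two sibling hashes
    out["bob_proof"] = verify_proof("Bob buys 3 eggs", merkle_proof(chain[0].entries, 1), chain[0].root)
    # Tamper 1: edit a past entry but leave the stored root alone. Caught locally.
    naive = [replace(chain[0], entries=("Alice buys 12 eggs", "Bob buys 30 eggs", "Carol buys 6 eggs")), chain[1]]
    out["naive_tamper"] = verify_chain(naive, head)
    # Tamper 2: rebuild the edited block and every later block so all hashes agree.
    rebuilt: List[Block] = []
    for blk in naive:
        append_block(rebuilt, list(blk.entries), blk.timestamp)
    out["rebuilt_tamper"] = verify_chain(rebuilt, head)   # only the published head exposes it
    return out
```

The second tamper attempt is the practical lesson: a hash chain alone only proves a copy is self-consistent, and the "can't go back and alter it" guarantee comes from head hashes (or whole copies) held by parties the tamperer does not control.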

That’s an oeuf for now.

PDF Slides here:

Video here:


Where are the women in cybersecurity leadership roles?

This post originally appeared on the OECD Forum’s site.

It’s easy to feel like everything has already been said about why we need more women in cybersecurity. I’ve been explaining the economic benefits of hiring women as engineers, bringing in women as senior information security leaders, and going to work for women as board members and national influencers for a long time. 

I felt so much like I didn’t know what was left to say on women in cybersecurity. Women in my field have been pointing out the efficiencies, the improved problem space, and the improved outcomes for years. 

So I went and asked my husband what to say.

Stay with me on this one. I said, “I can’t think what’s left to say on the topic. Women have been decreasing in their representation in cybersecurity C-suite roles and board memberships for years, and the entire trend of women in technology and engineering positions has been steadily decreasing, at least in the United States, since 1984. There’s been no real improvement on about 1% women in senior engineering positions holding steady for a decade”. And my lovely spouse said to me, “Well, if you’re writing a piece for the OECD, what’s happened with the European numbers over the last year? What’s happened to women in cybersecurity according to the statistics during the pandemic? Can you talk about that?” I was drying a dinner plate and I stopped, shoved the plate and the towel at him, and ran to a keyboard because I realised what the problem was.

Reader, I cannot. I can’t talk about what happened to senior women in cybersecurity during the pandemic because they’ve all disappeared. 

During the pandemic, every technical woman with children I know has stepped back from her job. Every single one. She’s already being paid 81% of what her male spouse is being paid, if she’s a married parent. Women who are primary caregivers are buried in childcare, family care, and the absolutely never-ending drudgery of cleaning the house. Their spouse makes more than they do, so it makes sense that if one spouse must pull back from the workforce, it should be the one making less money.

It’s a cruel and economically inefficient joke that during this worldwide pandemic, the women and non-gender binary people who have the most to gain from upskilling and negotiating new salaries and charging ahead in the workforce—because the difference between their realised and potential values is so much greater due to discrimination—are the ones losing the most ground. 

It will be decades before the career gaps experienced by women and primary caretakers during this pandemic are fully erased, and we’re back to the “normal” gender pay gap. 

In the early 1990s, Nobel Prize-winning economist Amartya Sen posited that there were more than 100 million missing women in the world based on sex-selective abortions, undereducation and health care provision to women, and a multitude of factors that prioritised the health and education of boys over girls. As academics, professionals of all kinds, essential workers and health care experts are again noticing that women are going missing, we have to ask ourselves: so what? Why does it matter that women are missing from cybersecurity? 

I have pointed out that the potential gains in efficiencies in salary and benefits for women being properly compensated are far higher than for men. But without the perspectives of diverse professionals in cybersecurity, gaps and problem spaces remain unidentified and, statistically speaking, are larger than they would be with the active participation of all the potential perspectives in the field. Inventions arising out of mixed teams, or women-only groups, appear to have wider technological breadth (and may therefore be more economically valuable) and higher impact from a technological viewpoint than those in which only men are involved.

What can we do to solve this situation?

  1. When vaccines for COVID-19 come out, lobby to have child care workers in as early a priority tier as possible, in order to support primary care givers for children and families (most of whom are women), which would have an outsized impact on economic gains.
  2. When hiring and creating leadership roles in the next decade, acknowledge women and primary care givers/workers as being so essential that human beings couldn’t do without them, let alone companies. 
  3. Make your protections against groupthink in your organisations robust and antifragile by ensuring that you have more than one diverse voice in each section/team/location of your organisation. Millennial men expect to spend as much time as their spouses on child and family care, so don’t be surprised if requests for family leave come from an unexpected quarter. Hire, promote and sponsor multiple people from all parts of society, education and the gender spectrum to strengthen your organisation’s impact and resilience.

Finally, none of this is fair. Stop trying to make it fair: instead, try to make your solutions just and robust. No single organisation can fix all of the horrors and unfairnesses visited upon women and families during this period of global mourning and recovery—but each person can choose to see the future as different than the track we are on now. Women belong everywhere in cybersecurity to make the world more efficient, to make problem space more known and to keep the world safer than it would be without our voices added to the chorus.

NATO, We Want To Go To War With You

Originally on Foreign Policy, December 22nd, 2020.

Wargames can provide essential cybersecurity training for soldiers. But they won’t succeed unless the players confront real, independent hackers.


A member of the hacking group Red Hacker Alliance uses a website that monitors global cyberattacks on his computer at their office in Dongguan, China.

In recent years, NATO has begun to incorporate some innovative new cyberwarfare games and exercises into its annual wargames. But there is something missing. If NATO wants to see what nation-state hacking is like in the chaotic multiactor online world, it needs to practice fending off some actual hackers.

In mid-November 2020, NATO conducted its 13th annual cybergames in Estonia, with about 1,000 participants and observers from 33 states. Through the five-day exercise, NATO simulated an attack against the fictional nation of Andvaria as well as defending against a cyberattack on a NATO member state’s critical infrastructure. NATO specifically allowed and requested participating nations to practice working together in cyberspace and, for the first time, ran the entire simulation virtually due to the pandemic.

This was a wonderful opportunity that NATO mostly seized. Moving the games online meant that every connection, every network, every target machine could be tested at realistic and differing levels of vulnerability. But in some key ways, the scenario played through by the various countries’ militaries did not reflect the actual state of the world during the pandemic. The most recent U.S. Treasury and Commerce Department hacks and the still-developing U.S. National Nuclear Security Administration hack show how in the cyber-realm, everything, including civilians and weapons of mass destruction, is a target.

Wargames have been used for centuries as a way to train and improve on military strategy. NATO tried to replicate the online nation-state world by engaging with military and national security institutions using tried-and-true wargame planning. However, retrofitting the two traditional wargaming models—either assuming perfect knowledge of the enemy or re-creating 200-year-old Napoleonic and Prussian campaigns—into cyberspace simulations just does not work. In the cyberdomain, the fog of war can be exponentially greater, cyber-capabilities can be more completely hidden, and the enemy is using brand-new tactics.

The reality of the online world is much more chaotic than the NATO simulations presume. There are independent actors, cyber-criminals, white hats, respected security firms, broken infrastructures, country-sized firewalls, a massive and messy differential in power between the largest and smallest actors, and all the chaos of artificially intelligent tools that can automate overwhelming attacks based on leaked personal data.

Unfortunately, NATO does not include nonstate actors in the annual cybergames. This creates three problems. First, there is no guarantee that an attack will come from uniformed soldiers of a hostile country. Bad actors will use whatever low-cost hacks they can find, make, buy, or steal.

Second—and crucially—defending cyberspace requires people who think differently. Even the U.S. government has reached out to hackers to staff up agencies such as the FBI and National Security Agency, realizing that traditional information technology education does not produce innovative offensive security researchers. Limiting contributions to active military and public sector employees will result in a certain amount of groupthink. It is critical for NATO to include nonstate actors, independent researchers, and respected industry experts (who aren’t solely military contractors trying to pump up weapons sales by sponsoring these wargames).

Third, we in the cybersecurity community have been aware that civilian medical facilities and research stations have not only been fair game but the primary targets of international bad actors for half a decade. After we saw vaccine research stations targeted by North Korea and others at the beginning of the pandemic, we in the industry and the cybersecurity community predicted repeatedly that vaccine production would be targeted by nation-states, and we are now seeing evidence, in recently reported successful espionage attacks on Pfizer and BioNTech facilities, that we were correct. NATO should include in its cybergames the kinds of urgent current events we are already seeing play out in the news.

In the past, NATO has been caught off guard when its cyber-exercises failed to account for real-world attackers. In October 2018, 50,000 soldiers, sailors, and pilots from 31 countries simulated war off the coast of Norway. NATO’s Operation Trident Juncture did not include cyberattacks in the wargames at all—until real-world Russia actually began jamming the real GPS systems of the conventional weapons being tested on the battlefield as part of the simulated conflict.

Everyone planning the games had previously agreed on the polite and necessary fiction that the computers embedded in their vehicles and weapons—and managing their air, water, fuel, targeting, and health—were not permissible targets in this engagement. Russia’s behavior highlighted the absurdity of NATO excluding the cyberdomain from conflict simulations. Even after this real-world mid-scenario attack, NATO has still not incorporated the randomness of actual cyberspace in its simulations.

Recent attacks on vaccine production facilities show how failing to model cyberthreats appropriately will come back to bite you, and we predict that medical facilities will be a popular target for cyberattackers in the future.

Therefore military and government cyberdefense forces should use hackers’ skills and noninstitutional creativity to help predict attacker tactics.

The organizers of future wargames need to recognize that having independent experts see and participate in wargames means the ability to model opponents other than nation-states, test the scenario and the network under use from a fresh perspective, and ultimately make for a stronger training outcome. Cyberwar is new, and soldiers who have been conditioned to see only clearly delineated battlefields will enjoy the challenge of needing to think orthogonally, strangely, and innovatively.

It is important to build NATO’s ability to monitor, manage, and conduct cyberwar because these simulations often lead to a de-escalation of conflict after capabilities become known to the players (and their potential opponents). The same quality that makes cyberwarfare so rapid and difficult to detect—its relative cheapness in terms of cost and time—also makes it much easier to simulate than naval warfare, for instance.

The international information security community is filled with smart people who are not in a military structure, many of whom would be excited to pose as independent actors in any upcoming wargames. Including them would increase the reality of the game and the skills of the soldiers building and training on these networks. Hackers and cyberwar experts would demonstrate how industrial control systems such as power supply for refrigeration and temperature monitoring in vaccine production facilities are critical infrastructure; they’re easy targets and should be among NATO’s priorities at the moment.

Diversity of thought leads to better solutions. We in the information security community strongly support the involvement of acknowledged nonmilitary experts in the development and testing of future cyberwar scenarios. We are confident that independent experts, many of whom see sharing their skills as public service, would view participation in these cybergames as a challenge and an honor.