Richard J. Bocchinfuso

Do projects go from green to red overnight? If they do, what is the likely cause?

“Projects do not go from “green” to “red” overnight.” (Kerzner, 2017, p. 46) Projects are typically on a trajectory that takes them from “green to “red”, the road to red is littered with early warning signs depicting this negative trajectory which are either not well understood or ignored. It is the role of the project manager to identify and understand the signs of a failing project and alter its trajectory before it fails.

Should a firm-fixed-price contract have been awarded from the ERP effort?

Based on the case study I think the answer to this question would be, no. I would also agree that a firm-fixed-price contract for an ERP (Enterprise Resource Planning) implementation effort is very risky given the size and scope of a typical ERP implementation. “The key to a successful fixed-price implementation is having the deliverables clearly spelled out in the agreement.” (Should You Choose A Fixed-Fee Cloud ERP Implementation, 2014) Because of the size, scope, the number of stakeholders involved, etc. in an ERP implementation the probability of cost and time overruns is high.

With this said I think that an ERP project in the modern SaaS era can be successfully scoped and delivered in a firm-fixed-price model. More and more customers are willing to go from zero to something using cloud-based ERP systems such as SAP HANA, Infor, NetSuite, etc. In these scenarios, it is possible to write and control a tight scope and deliver value to the customer.

Successful execution of a firm-fixed-price (FFP) contract relies on establishing firm requirements for new systems and developing and implementing solutions using mature technology, design, and implementation techniques. (Callaway, Hastings & Moeller, 2018) This was not the case for the engagement between Mannix Corporation and Prylon. If the ERP system was being the deployed as a SaaS solution, or a well-defined greenfield build rather than the multi-vendor, multi-application integration project that Mannix was attempting to execute on, a firm-fixed-price contract may have been appropriate.

What is the ultimate goal of a recovery project?

The ultimate goal of a recovery project is to assess, reset and restart the project with the objective of closing our the project and delivering the maximum value to the customer. To do so, the project manager (Jerry) must understand in detail what has occurred in the project to date, redefine the project scope, reset and manage stakeholder expectations, lift the project teams morale, restart and execute. The successfully execute the recovery project the project team must operate transparently, communicate, heed the warnings of past mistakes, metric progress, function as a team and stay positive.

Do stakeholders expect trade-offs during recovery?

It is the job of the project manager and the project team to ensure that the stakeholders expect tradeoffs during recovery. In the case study, Jerry does a good job of identifying trade-offs, developing a game plan and presenting these trade-offs to senior management at Prylon. Jerry presents what I will call the quadruple constraint of time, cost, value, and scope. Honestly, this is the First time I have seen these four constraints referenced like this. Typically I see either the triple constraint model (cost = f (scope,time)) or the value triple constraint model (value = f(scope,capability)) used. (Baratta, 2007) I am a huge fan of the value triple constraint because I agree that the measurement of the expected and actual business success of a project is more important than just the ability to meet a cost and budget target. Focusing on cost as a function of scope and time is a horrible starting point for setting expectations and delivering project value. We know these projects are dynamic, as is the case for so many technology implementation projects today, I believe this is why we have seen a shift from waterfall to hybrid to agile project frameworks. (Hartman, Griffiths, Rothman, Fewell, Kauffman, Matola, & Agile Alliance, 2018)

References

Baratta, A. (2007). The value triple constraint: measuring the effectiveness of the project management paradigm. Paper presented at PMI® Global Congress 2007—North America, Atlanta, GA. Newtown Square, PA: Project Management Institute.

Callaway, M., Hastings, S., & Moeller, A. (2018, March). Applicability of fixed-price contracts for successful cost control. In 2018 IEEE Aerospace Conference (pp. 1-16). IEEE.

Hartman, B., Griffiths, M., Rothman, J., Fewell, J., Kauffman, B., Matola, S., & Agile Alliance. (2018, September 18). What is Hybrid Agile, Anyway? Retrieved October 31, 2018, from https://www.agilealliance.org/what-is-hybrid-agile-anyway/

Kerzner, H. (2017). Project Management Case Studies (5th ed.). Hoboken, NJ: John Wiley & Sons, Incorporated.

Should You Choose A Fixed-Fee Cloud ERP Implementation? (2014, March 27). Retrieved October 31, 2018, from https://www.bspny.com/blog/should-you-choose-a-fixed-fee-cloud-erp-implementation

Scott, good news.  I don’t think we disagree, I think it’s more philosophical than a simple disagreement. 🙂 I believe projects go from green to red in an instant from a perception perspective, but in reality, it’s not really how it happens. The number one place I see projects go from green to red is when the SoW (Statements of Work) is signed and passed from the sales team to the delivery team. We create scopes that more often than not define workstreams and deliverables, as the author of these SoWs we make assumptions, interpretation is often subjective and often steered by someone who wants to get the deal signed, this is where the project started going awry. The warning signs could not have presented themselves any earlier in the project. In the time it took the customer to sign SoW lathered in misset expectations the project went from green to red, and it hadn’t even started. I believe all the unforeseen issues, that happen “out of the blue” were foreseeable in the scoping process.

In your Toyota example, the project was red before it even started. I don’t believe in mistakes, only decisions that have poor outcomes. The stars were aligned in this example to make a quick decision, not do exhaustive due diligence, possibly to obscure some facts, everyone wanted the fast track, and they wanted the project to succeed, but hope is not a strategy.

Who knows, maybe it was an election year, maybe Toyota coming to town, the economic growth, public sector job growth prompted that late-night cell phone call where both Toyota and the politicians decided that they should obscure this little tidbit and push forward, knowing they would have to address the spring pygmy sunfish in the future. Yes, it seemingly went from green to red overnight, but did it? 🙂

Andrew, the poorly designed and constructed infrastructure dependency, I know it far to well, so often obscured during the discovery phase.

I liken the know of obscured/excluded infrastructure details to painting the street signs with different names at “Wimp Junction”. 🙂

The emergence and adoption of DevOps, cloud, etc. can be traced to the infrastructure dependancy you describe. Composable infrastructure, commodity hardware, cloud allow for infrastructure agility and elasticity which enable quickly adjusting to changing needs.

Release cycles give way to, canaries and blue-green deployments, and the focus is on iterating and automating recovery rather than rigid release cycles and testing which provides a false sense of security that a release is tested, production ready, etc.

I don’t do recovery projects.  I’ve run a sizable service delivery business for the last 18 years, and I have a simple rule, don’t rush me.  I am here to protect you from yourself, yes there are knobs we can turn and levers we can pull, but my scope will be comprehensive, and if I have dependencies like infrastructure requirements they will be called out in my scope. Measure five times cut once, and oh yeah, I am happy to walk away.

Want a fixed pice scope, probably going to be a rigid waterfall project, that I’ve executed a thousand times, in a greenfield environment where I own all the dependencies, have total trust and partnership from the stakeholders, etc… I will deliver on time and budget. If the scope is more nebulous, I will still estimate the project based on experience, defining epics and stories, assigning story points and calculating an estimated cost. We keep the sprints to a max of two weeks, holding daily standups and tracking burndown closely.

Andrew, excellent post, as usual. I agree that a project can go from red if there is an SME that somehow evaporates from the project and now the project t is FUBAR because a major dependency can’t be satisfied. But as you point out the projected started yellow, because you had a major dependency in the project which relied on a single SME, no one asked the question “What happens if Johnny gets hit by a bus?” I hear it all the time among salespeople, I talked to so and so and he knows this tech why can’t we well a project? I don’t like were in this business because we have a guy/gal who knows the tech, that’s not a business, it’s not if your gonna get burned, it’s when.

What is the critical issue with the Clark Faucet Company case?

• Clark Faucet had a consumer product line which placed manufacturing focus on artful design which drove a higher price while their marketing efforts and customer based was commercial focused where cost was the key driver. (Kerzner, 2017, p. 7)
• Clark Faucet had a noncooperative culture. Engineering and marketing did not work collaboratively and their relationship was adversarial. Any attempt to create project or program teams failed which led to a fractured organization, unilateral decision making and fiefdom building. (Kerzner, 2017, p. 7)
• Ultimately this boils down to a lack of communication, strategy, focus, and prioritization.

What can be done about it?

• Regroup, reset, and recognize that the adversarial relationship which had developed between engineering and marketing is the direct result of Clark Faucet not knowing who they are as a company. Clark Faucet needs to find their true north, focus, set priorities and execute. Designing, engineering, and manufacturing artful faucets in 25 different colors while marketing at tradeshows to commercial consumers which creates 375 projects with poor execution was not a result of marketing failing engineering or engineering failing marketing, but rather a poor corporate strategy due to an identity crisis.  Solve the identity crisis and a lot can be accomplished. (Kerzner, 2017, p. 7)

Can excellence in project management still be achieved, and, if so, how?

• Yes! Excellence in project management can be achieved it merely requires focus, realistic expectations, and execution. I have not seen Clark Faucet’s SKUs, I don’t know Clark Faucet’s customer base, and I have not seen Clark Faucent’s financials, but I have seen Clark Faucet and I would be willing to bet that the “Pareto principle” (Links to an external site.)Links to an external site. is alive and well in their business. Recalibrating and focusing is probably easier than it seems.

What steps would you recommend?

• Change the culture through executive leadership.  Mandates will not work, the culture is way past authoritative management, true leadership is needed.
• Executive leadership needs to focus the organization on the 20% of the business that drives 80% of the revenue.
  • Is Clark Faucet a consumer or a commercial company?
  • How many SKUs should Clark Faucet design and manufacture?
• Executive leadership needs to take ownership of the cultural problems which are largely the result of executive leaderships lack of a true north and breeding a culture of trying to do too much and doing none of it well.
• Follow Jack Welch’s advice: “Great cultures deliver great numbers. Great numbers don’t deliver great cultures.” – Jack Welch
  • “Soft culture matters as much as hard numbers. And if your company’s culture is to mean anything, you have to hang — publicly — those in your midst who would destroy it. It’s a grim image, we know. But the fact is, creating a healthy, high-integrity organizational culture is not puppies and rainbows…  An organization’s culture is not about words at all. It’s about behavior — and consequences. It’s about every single individual who manages people knowing that his or her key role is that of chief values officer…” – Jack and Suzy Welch, Fortune Magazine Op-Ed

• “Zone to Win” meaning realize that innovation and execution are different aspects of the business and you have to zone organizational resource and align objectives to win.

What obstacles exist in getting marketing and engineering to agree to a single methodology?

• The biggest obstacle is the existing culture and adversarial relationship which has developed between marketing and engineering. Executive leadership needs to own this, clearly define the mission and values of the organization and empower chief value officers throughout the organization. If the vice presidents of marketing and engineering can’t get onboard they probably need to be publicly hung. IMO none of the higher-level cultural changes required to transform Clark Faucet can occur without a clear focus and the proper organizational structure.

Lastly, did anyone else find the juice the “procurement manager” had in the case study a bit overreaching and was anyone else as aggravated by the executive management approach here?

References

Denning, S. (2012, May 16). Jack Welch, GE, and the Corporate Practice of Public Hangings. Retrieved October 24, 2018, from https://www.forbes.com/sites/stevedenning/2012/04/26/jack-welch-ge-the-corporate-practice-of-public-hangings/#6996b49e5ccb

Irvine, D. (2015, July 23). Another Lesson From Jack Welch: Culture Is as Critical as Results. Retrieved October 24, 2018, from https://www.tlnt.com/another-lesson-from-jack-welch-culture-is-as-critical-as-results/

Kerzner, H. (2017). Project Management Case Studies (5th ed.). Hoboken, NJ: John Wiley & Sons, Incorporated.

Moore, G. A. (2015). Zone to win: Organizing to compete in an age of disruption. New York: DiversionBooks.

Thanks, Scott. This one was an interesting one for a couple of reasons. I am big on culture above all else and this discussion made me think back to our organizational behavior class. Interestingly enough I read an article the other day on Gizmodo entitled “Working at Netflix Sounds Like Hell”. (Jone, 2018) It’s funny how a few years ago the Internet and Silicon Valley was celebrating the Netflix culture and today the articles have shifted to likening the Netflix culture to hell. I am sure the 50/50 opinion rule is in effect here, the rule I try to live by as a leader is to always eat last. Like Simon Sinek says “Leadership is about taking responsibility for lives and not numbers.” As someone who served our country, I am sure you can appreciate this sentiment. I think this gets lost in business. Another great Simon Sinek quote that you’ll probably appreciate is from his Ted Talk “Why good leaders make you feel safe” and it reads like this “You know, in the military, they give medals to people who are willing to sacrifice themselves so that others may gain. In business, we give bonuses to people who are willing to sacrifice others so that we may gain.” (Sinek, 2014) In our rapidly changing purpose-driven culture I expect that the Netflix-esque cultures which are void of empathy will continue to come under fire.

1. As for who should be publically hung, in order of priority:
   Executive leadership. The case study oozes authoritative executive management rather than leadership. This is apparent in the approach of mandating that the PMO solves what are obviously cultural issues. What we don’t know about Clark Faucet is if there is a board of directors or if it is a sole proprietorship with no one who can conduct the public hanging.
2. The procurement manager, just because this person annoyed me in the case study and I think they need their wings clipped. No procurement manager should have this much juice. 🙂

References

Jones, R. (2018, October 26). Working at Netflix Sounds Like Hell. Retrieved October 28, 2018, from https://gizmodo.com/working-at-netflix-sounds-like-hell-1830020977

Sinek, S. (2014). Transcript of “Why good leaders make you feel safe”. Retrieved October 28, 2018, from https://www.ted.com/talks/simon_sinek_why_good_leaders_make_you_feel_safe/transcript

Professor Knight, I think the sort of personal bonding you describe is an absolute requirement to develop high performing teams.  For the last twelve year’s I have made Presidents Club at my company, this is a boondoggle where “high performers” are taken to exotic destinations.  The first couple of years I turned down the event and in year three (2010), I was asked why I decline the invite, this prompted a Jerry Maguire style memo explaining that no one person holds this much value, that my job as a leader is to mentor others and I find the message that Presidents Club sends to be a negative one.  I went on to explain that the team is more important than rewarding any one individual, especially the leader who should be eating last.  This ended with my company taking the thousands of dollars they would spend on this trip for me and my spouse and allowing me to do a trip for my entire team, this has become something we have done for the past nine years and it’s part of our culture of inclusion, setting the expectation that we are in this together and that everyone is expected to work hard, of course, there are varying skill levels, but this has no bearing on value to the team because the expectation is that everyone is a rockstar in their give swimlane.

This year we held our annual two-day event in Atlantic City, New Jersey.  Two days of team bonding built around the idea of loving what we do.  Each attendee was required to build something using a Raspberry Pi (Links to an external site.)Links to an external site. and present why they chose the project, the development process and demo their creation to the team.  Here is a time-lapse video from the event:

Scott, I enjoyed reading your analysis.  Couldn’t agree more that there is a glaring lack of leadership at Clark Faucet.  I liked your commentary on scorched earth and the bat persuasion approach.  I was reminded of this scene from “The Untouchables”.

Maybe a company screening of “The Untouchables” is in order at Clark Faucet.

Team!

I am also reminded of one of my favorite documentary series, “The Men Who Built America” (Links to an external site.)Links to an external site. and a question I often ask myself “What would Henry Clay Frick (Links to an external site.)Links to an external site. do?”

Andrew, I can certainly relate to your travel schedule, my past few months have been brutal as well. Glad to be nearing the finish line.

I agree with you that the enemy is the human factor. Let’s face it the internet is one giant honey pot and for those with skill, des, re and malicious intent, it’s the perfect storm of riches and anonymity. If we believe that data is the new oil, we (as individuals) often leave our most valuable asset (data) unprotected. While I don’t use dictionary words or l33t passwords, I don’t use single-factor authentication, etc. the average person puts their information on the information superhighway with an easy to remember l33t password, no multifactor authentication and they use that same password everywhere. Hacks, where user information is exfiltrated, allow the creation of huge word lists which can be used for dictionary attacks. There is a multiplier affect each time user data is exfiltrated because of our individual security practices.

The Target data breach is just plain scary. Why would an HVAC contractor have access to Target’s internal systems? Assuming they needed access for whatever reason why they would be given access to systems on a network segment which can route to their payment systems is just beyond odd. In the case of Target, it seems there was a massive technology architecture fail that occurred way upstream from the IPS/IDS events and SOC response.

The human element is by far the largest vulnerability in any system, old-school espionage is alive and well, social engineering is on the upswing and FOMO is not helping our security posture.

References

Kerbs, B. (2014, February 5). Target Hackers Broke in Via HVAC Company. Retrieved October 20, 2018, from https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

Passwords. (n.d.). Retrieved October 20, 2018, from https://wiki.skullsecurity.org/Passwords

Kamelia, I agree, the biggest vulnerability being exploited by hackers is the uneducated or undereducated end user. But we have some real things to be concerned about when it comes to the human factor.

• Rule #1: We have an entire generation entering the workforce which has been labeled the “Click Generation”. (Marcia, 2015) This generation (Gen Z) will eclipse Millenials in terms of economic power by 2020. (Morris, 2018) Like their pseudonym suggests they like to “click”, and they do it fast and furiously.
• Rule #2: What’s email? Isn’t that for old people?
• Rule #3: What’s a “preview” pane? Oh, something else for old people.

The world is changing fast, but there is some good here.
My kids who are both Gen Zers have no desire to use Windows or MacOS, they are either on their iPhone or Chromebooks. This is good and bad, In theory, because they don’t use thick clients a centralized security paradigm may be easier to architect and enforce. The ransomware we’ve come to know that attacks CIFS shares is made extinct via the extinction of the CIFS/SMB protocol. The bad news is the “Click Generation” oozes FOMO so the idea of slowing down clicking seems unlikely. Centralization creates a larger honey pot with a much larger blast radius. Only time will tell.

References

Marcia. (2015, July 27). Generation Z Coming Into The Workforce | Click Generation. Retrieved October 20, 2018, from http://www.employeedevelopmentsystems.com/2015/07/whats-coming-next-generation-z/

Morris, C. (2018, May 2). Gen Z will outnumber millennials by 2020. Retrieved October 20, 2018, from https://www.tradeonlytoday.com/industry-news/gen-z-will-outnumber-millennials-by-2020

“Pen Testing” or Penetration Testing is typically conducted by white hat hackers, also known as ethical hackers. In contrast to black hat hackers who attempt to hack, penetrate, exploit, vandalize, etc. systems the white hat hacker attempts to penetrate a system to identify vulnerabilities so they can be remediated. It is important to realize that vulnerability scans and penetration tests are not synonymous. Vulnerability scans are often automated and inspect systems for known vulnerabilities, while penetration tests focus on attempting to exploit a system, this can be any combination of attack tactics including both social engineering (hacking the human factor) and technical hacking (hacking the machine). (Barnett, 2017) A penetration tester acts as an attacker, adopting the mindset of the attacker. Penetration testers need to possess the technical skills to conduct attacks, but they also need the mind of an attacker. This is why we see famous black hat hackers like Kevin Mitnick running successful cybersecurity businesses like MitnickSecurity (Links to an external site.)Links to an external site.. The move from black hat hacker to white hat hacker is no different than the story told in “Catch Me If You Can” (Links to an external site.)Links to an external site. where Frank Abagnale Jr. makes the move from a check counterfeiter to FBI counterfeiting expert. Thinking like the individual you trying to protect against is key to being a good penetration tester. (CyberVista, 2017)

While penetration testing tools and toolkits are varied there is a process that most testers follow. This process is (Incapsula, n.d.):

1. Planning and reconnaissance: Define the scope of the test and gather intelligence. During the planning phase, the tester would determine the testing method. Because penetration testing is an ethical hack the tester is given permission to try to gain access and exploit a system. Testing methods include:
   1. External Testing: Testing internet accessible assets from outside the internal network.
   2. Internal Testing: Testing internal assets which are not internet accessible, but that could be attacked but a malicious insider.
   3. Blind Testing: Test us, here is our company name.
   4. Double Blind Testing: Same as blind testing, but insiders and security personnel are not informed of the test.
   5. Targeted Testing: Insiders and security teams work collaboratively. This type of testing is valuable for training security personnel because the pen tester provides real-time information to the security team.
2. Scanning: Static and dynamic target inspection. There are various tools to automate scans.
3. Gaining access: Access system and exploit vulnerabilities.
4. Maintaining access: Determine if access can be persistently maintained.
5. Analysis: Compile the results of the penetration test.

Hacking has always been an important learning tool for me. Learning to exploit vulnerabilities can be a fun way to dig deeper into a particular technology and strengthen skills, it’s not always about exploiting something, the process of reverse engineering has often exposed details about a specific technology that I otherwise would not have investigated. I started hacking, cracking and phreaking the mid 1980s, back then I followed Captin Crunch (John Draper) (Links to an external site.)Links to an external site. and phone phreaked, today I am still a 2600 (Links to an external site.)Links to an external site. subscriber and I have added podcasts like Hak5 (Links to an external site.)Links to an external site. to my portfolio of edutainment. In the 80s I was really into BBSes (Bulletin Board Systems) (Links to an external site.)Links to an external site., online communities that pre-date the internet. FidoNet (Links to an external site.)Links to an external site. for life, but I digress, anyone who was BBSing in the 1980s knows that long-distance and exchange costs were painful; let’s just say the blue box (Links to an external site.)Links to an external site. was hard to resist. While I do love playing with application and OS exploits as well as WiFi hacking my current passion is RF hacking.

If you are looking for something to do with that old DirectTV mount I suggest repurposing it for for a high-gain WiFi antenna rig to supercharge your WiFi hacking. Here is a pic of my setup. 🙂

My RF hacking tool of choice is the HackRF One (Links to an external site.)Links to an external site. which I use for fun and to spread awareness of just how insecure the radio waves can be. My neighbors really love when I show them how easy it is for me to lock and unlock their car, pop their trunk, opening their garage door, and disable their alarm system; with their permission of course).

Like any good techie (hacker), my home office is filled with lots of RasperryPis (Links to an external site.)Links to an external site., multiple computers with my hacking machine running Parrot Linux (Links to an external site.)Links to an external site. as opposed to the more mainstream Kali (Backtrack) Linux (Links to an external site.)Links to an external site.. I am a fan of bWAPP (Links to an external site.)Links to an external site. aka a buggy web application to practice skills but I also use Pentester Lab (Links to an external site.)Links to an external site. and Hack This Site (Links to an external site.)Links to an external site. for learning. I have machines running in AWS and OVH, and a rack of equipment in my basement. There aren’t enough toys to keep me entertained.

With the explosion of edge technologies and the connected world, the attack surface continues to increase. Today we don’t just need to pen test the glasshouse data center but we have to worry about every edge device, many of which are manufactured with well know exploits. It’s well known that many low-cost Bluetooth can easily be hacked. @jasongorman recently posted the following tweet “Of all the responses by Facebook to some massive data breaches oh and then accidentally possibly helping to end Western democracy, ‘We want to put a webcam in every home’ seems to lack self-awareness” He is referring to the Facebook portal device (Links to an external site.)Links to an external site., and that idea that FB just gave up access to the information of 50 million users, maybe releasing a camera that people can connect to their Facebook account is a bit mistimed. I agree it seems to lack a certain sense of self-awareness or maybe Facebook realizes that the same number of people who read the terms-of-service will care about the hack and not buy the Facebook portal, maybe they are very self-aware and @jasongorman and I are just situationally unaware.

References

Barnett, P. (2017, December 20). Vulnerability Scanning vs. Penetration Testing. Retrieved October 12, 2018, from https://www.secureworks.com/blog/vulnerability-scanning-vs-penetration-testing

CyberVista. (2017, April 24). Penetration Tester: The Secret Agent. Retrieved October 12, 2018, from https://blog.cybervista.net/penetration-tester-cybersecurity-roles

Incapsula. (n.d.). PENETRATION TESTING. Retrieved October 12, 2018, from https://www.incapsula.com/web-application-security/penetration-testing.html

Pentester’s Guide to IoT Penetration Testing. (2018, July 02). Retrieved October 12, 2018, from https://resources.infosecinstitute.com/pentesters-guide-to-iot-penetration-testing/

Christopher, it’s interesting, we hear a lot about how machine learning, deep learning, and artificial intelligence are being used to improve security offerings, everything from SIEM (security information and event management) to antimalware to next-generation firewalls. Cisco calls the use of artificial intelligence in next-generation security products the network intuitive, where the system continuously learns and develops intuition and the ability to infer intent. (Walker, 2017)

What few people realize is that machine learning, deep learning, and artificial intelligence is also being used by hackers. A project called DeepHack where the developers weaponize a machine learning algorithm. (BishopFox, 2017) The technologies for defenders and attackers are getting far more sophisticated, in the future, much will depend on how the user can leverage these underlying complex but powerful technologies. I believe penetration testers will have to learn how to use machine learning frameworks such as TensorFlow, MXNet, and PyTorch.

References

BishopFox. (2017, July 31). Bishop Fox Introduces Hacking AI “DeepHack” at DEF CON 25. Retrieved October 14, 2018, from https://www.bishopfox.com/news/2017/07/bishop-fox-introduces-hacking-ai-deephack-def-con-25/

Walker, K. (2017, June 26). Introducing The Network. Intuitive. Retrieved October 14, 2018, from https://blogs.cisco.com/news/introducing-the-network-intuitive

Carmeshia, I enjoyed the post. The timing of your post is impeccable in the wake of the October 4th Bloomberg Businessweek article (Robertson & Riley, 2018) which stated that the Chinese government (military) was manufacturing microchips that were being placed on motherboards at Chinese factories that manufactured motherboards for Supermicro. The article went on to state that he motherboards went into servers which shipped to dozens of U.S. companies including Amazon and Apple.

Supermicro, Apple and Amazon (Schmidt, 2018) all issued statements of denial, stating that there is no evidence to support the claims made in the Bloomberg report. (Naughton, 2018)

This the truth is not clear here, what is clear is that a country (China) which is a major component manufacturer and a critical supplier to most tech companies has been linked to more than one nation-state attack with a well know cyberwarfare unit (PLA Unit 61398, 2018). Dr A. Theodore Markettos, a Cambridge University researcher, conducted an initial investigation of a key bit of the Supermicro hardware to see if the Bloomberg claim passed what he called “the sniff test” of initial plausibility. He concluded that the Bloomberg report does pass the sniff test. (Markettos, 2018)

Implanting malware on devices during the manufacturing process is nothing new, we’ve seen reports of malware being inserted during the manufacturing process on low-end Android devices (phones and tablets) for years. (Jones, 2018) I expect we haven’t heard the last on the Supermicro saga, it will be interesting to watch it unfold and see how major corporations like Apple and Amazon react.

References

Jones, R. (2018, May 24). More Than 100 Cheap Android Phones Found to Have Malware Preinstalled. Retrieved October 14, 2018, from https://gizmodo.com/a-new-reason-to-not-buy-these-cheap-android-devices-co-1826289219

Markettos, T. (2018, October 5). Making sense of the Supermicro motherboard attack. Retrieved October 14, 2018, from https://www.lightbluetouchpaper.org/2018/10/05/making-sense-of-the-supermicro-motherboard-attack/

Naughton, J. (2018, October 13). The tech giants, the US and the Chinese spy chips that never were… or were they? | John Naughton. Retrieved October 14, 2018, from https://www.theguardian.com/commentisfree/2018/oct/13/tech-giants-us-chinese-spy-chips-bloomberg-supermicro-amazon-apple

PLA Unit 61398. (2018, August 12). Retrieved October 14, 2018, from https://en.wikipedia.org/wiki/PLA_Unit_61398

Robertson, J., & Riley, M. (2018, October 4). The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies. Retrieved October 14, 2018, from https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

Schmidt, S. (2018, October 04). Setting the Record Straight on Bloomberg BusinessWeek’s Erroneous Article | Amazon Web Services. Retrieved October 14, 2018, from https://aws.amazon.com/cn/blogs/security/setting-the-record-straight-on-bloomberg-businessweeks-erroneous-article/

Dr. Perez and fellow classmates, first off I am incredibly tardy on this weeks post, my apologies. It’s Been a crazy week with my company being acquired and a number of competing priorities. Anyway, this week I did have the opportunity to spend an incredible amount of time in the air traveling around for regularly schedule QBRs (Quarterly Business Reviews) as well as delivering the acquisition news and what it means to our business. Unfortunately, United Airline’s Wifi service is in line with the rest of their service, but I suppose I should be happy none of the planes that I was on ran out of gas (Links to an external site.)Links to an external site..

While I was in flight, with no internet access I had a lot of time to think about my favorite “Infamous Attack”, after a few minutes of thought it was really an easy decision. One of my favorite books “Ghost in the Wires” (Links to an external site.)Links to an external site. which takes you on a journey with Kevin Mitnick from his perspective.

“Ghost in the Wires reads like a contemporary über-geeky thriller…. For those interested in computer history, Ghost in the Wires is a nostalgia trip to the quaint old days before hacking (and hackers) turned so malicious and financially motivated.”―J.D. Biersdorfer, New York Times Book Review

The “Infamous Attack” that I chose is one perpetrated by Mitnick and told in the book  “Takedown” (Links to an external site.)Links to an external site., the story of how Tsutomu Shimomura (Links to an external site.)Links to an external site. a security expert working at the UC San Diego Super Computer Center took down Kevin Mitnick (Links to an external site.)Links to an external site., possibly the worlds most infamous hacker. In December of 1994, Mitnick broke into Shimomura’s computer and stole software that allowed access to cellular phone frequencies. This hack triggered a game of cat and mouse between Shimomura, the FBI, and Mitnick that would last four years. (Shimomura, 2017) As someone who grew up in the 80s, addicted to computers, first the TRS-80 and an acoustic coupler (Links to an external site.)Links to an external site., then a Commodore 64 and my 1200 baud modem (Links to an external site.)Links to an external site. I am nostalgic about the hacking and phone phreaking that took place in the 80s and 90s. I have always been intrigued by the early hackers like Captain Crunch and others because they were the pioneers. In the early BBS (bulletin board systems) like Exec-PC BBS (Links to an external site.)Links to an external site., the entire community was filled with hackers, crackers, (Links to an external site.)Links to an external site. and phreakers (Links to an external site.)Links to an external site..

For those of us old enough to remember POTS (Links to an external site.)Links to an external site. lines, the squeal of a modem connection, and the feeling of connecting with a global community of people just like you.  It’s hard to not say thank you because for me, someone who had their head buried in a computer form the age of eight I am not sure where I would be today without the opportunity I was provided to feed my obsession. In the 80s and 90s hackers, crackers, and phreaks where digital explorers, unlike many of the attacks discussed by other like the Olympic Games program which gave birth to Stuxnet, the Target hack, the Equifax hack, WannaCry, and other ransomware attacks, etc. Hackers, crackers, and phreaks like Kevin Mitnick and Captain Crunch (John Draper) (Links to an external site.)Links to an external site. (Cap’n Crunch Whistle and the Secrets of the Little Blue Box, n.d.) were curious, they were not interested in monetary gain, they were not employed by a nation-state, this is why so many people like me sported “Free Kevin” t-shirts (Links to an external site.)Links to an external site..

Attacks have become far more intricate these days, the curiosity motivator in the context of the modern day attacker/hacker seems almost non-existent, this is because the curious hackers can now hack legally, bug bounty programs are everywhere, with sites like HackerOne (Links to an external site.)Links to an external site. listing pretty much every available bug bounty program. Since I started this post talking about United Airlines, I may as well end it with the story of Oliver Beg (Links to an external site.)Links to an external site.who earned a million miles via the United Airlines bug bounty program (Links to an external site.)Links to an external site..

The world has changed significantly from the days when hackers, crackers, and phreaks were people I admired as the pioneers of a digital frontier to what we see today, organized crime syndicates and nation-states exploiting a connected world.

When I think about the hackers of yesteryear I think about the pioneers of an industry I love, people like Barry Kildall (Links to an external site.)Links to an external site., Steve Wozniak (Links to an external site.)Links to an external site., Dan Bricklin (Links to an external site.)Links to an external site., Bob Frankston (Links to an external site.)Links to an external site., Richard Stallman (Links to an external site.)Links to an external site.and many others who were pioneers in many cases exploited by those with differing motivations.  The Kevin Mitnick’s and John Draper’s of the world represented those of us who didn’t like the Gary Kildall, Digital Research, CP/M and Bill Gates, Microsoft, DOS story (Links to an external site.)Links to an external site.. (How Bill Gates Outmaneuvered Gary Kildall, 2005) While may think these days are over, they are not, what is different is that most of the Gary Kildalls today are Open Sourcing their code, this makes it much harder for the Bill Gates’ of the world.  Few people have heard of Scott Hansen, but he is the third founder of Google (well maybe the number two founder, but this is debatable), a book I recently read entitled “Valley of Genius” (Links to an external site.)Links to an external site. provides some great insight on some of the unsung heroes of Silicon Valley.

References

Cap’n Crunch Whistle and the Secrets of the Little Blue Box. (n.d.). Retrieved October 4, 2018, from http://telephone-museum.org/telephone-collections/capn-crunch-bosun-whistle/

Great Rivalries in Cybersecurity: Tsutomu Shimomura vs. Kevin Mitnick. (n.d.). Retrieved October 4, 2018, from https://www.cybersecuritymastersdegree.org/tsutomu-shimomura-vs-kevin-mitnick/

How Bill Gates Outmaneuvered Gary Kildall. (2005, August 18). Retrieved October 4, 2018, from http://arnosoftwaredev.blogspot.com/2005/08/how-bill-gates-outmaneuvered-gary.html

Shimomura, T. (2017, June 04). Catching Kevin. Retrieved October 4, 2018, from https://www.wired.com/1996/02/catching/

Tung, L. (2016, August 09). This Dutch hacker can fly a million miles on his United Airlines bug bounty. Retrieved October 4, 2018, from https://www.zdnet.com/article/this-dutch-hacker-can-fly-a-million-miles-on-his-united-airlines-bug-bounty/

Jonathan, interesting read, I had never heard of WANK, and I always enjoy learning something new. In the mid-90s I worked in big pharma as a Unix Sys Admin, I was a recent college grad, with this being my second job out of school, I used a Sun Microsystems IPC all-in-one workstation in college and Slackware Linux on my desktop, I spent all my time in Emacs and wrote all my paper with LaTeX. When I was hired by a pharmaceutical company with ~120K employees, I was given the reigns of the new Unix systems ranging from Sun Solaris, to DEC Tru64, to IBM AIX, to HP-UX, to SGI IRIX. It was amazing how many DEC and Mainframe people worked in IT in this massive company and how few Unix capable engineers there were, especially given that the plan was to replace a large DEC VMS footprint running on both DEC VAX and DEC Alpha machines. The organization (and the pharma industry back then) was so DEC centric they were deploying Windows NT 3.51 on DEC Alpha, it made total sense to everyone because of course, the developers of Windows NT were also the developers of VMS, the story was that WNT being the letters following VMS was not a coincidence. (Russinovich, 2018)

I remember DECnet, CIQBA, FDDI, and our DEC email system (I think it was called Teamworks) all too well, I don’t miss these days. 🙂 Ken Olsen could have owned the world, if he had just embraced the PC era and open computing, DEC tried to correct late in the game with the acquisition of Compaq, OpenVMS, and Digital Unix, but it was too late. I will say that the industry never really successful delivered something like VMS clustering, which just worked.

BTW – I would argue that the term hacking originated in the 1990s. Gordon French held the first Homebrew Computer Club meeting in his garage in 1975; the attendees were all hackers (Love, 2013). John Draper (aka Captain Crunch) was hacking (phreaking) Ma Bell in the 60s and 70s, Ron Rosenbaum published an article in Esquire Magazin in October 1971 entitled “Secrets of the Little Blue Box” (Rosenbaum, 2011) where he talks about hacking the phone system and the hacker subculture.

References

Love, D. (2013, March 05). An Incredibly Important Tech Event Happened 38 Years Ago Today. Retrieved October 7, 2018, from https://www.businessinsider.com/homebrew-computer-club-2013-3

Rosenbaum, R. (2011, October 07). The Article That Inspired Steve Jobs: “Secrets of the Little Blue Box”. Retrieved October 7, 2018, from http://www.slate.com/articles/technology/the_spectator/2011/10/the_article_that_inspired_steve_jobs_secrets_of_the_little_blue_.html

Russinovich, M. (2018, September 19). Windows NT and VMS: The Rest of the Story. Retrieved October 7, 2018, from https://www.itprotoday.com/compute-engines/windows-nt-and-vms-rest-story

Sergio, like most things in life, attacks or I should say successful exploitation can often be traced to human error. I think this is what makes social engineering so interesting, look around at the amount of data we, as a society are willing to volunteer online. Modern day culture and the rise of FOMO (Fear Of Missing Out) (Rivera, 2018) has created a fertile social engineering hunting ground for hackers, as our society moves closer to “The Truman Show”, we have the actors, those volunteering information, and the voyeurs, those who just watch, wait and manipulate. Our digital footprint makes us more vulnerable to attack; it can make us more or less likely to be hired, it can impact our creditworthiness, etc. I believe that we have no idea of the psychological impact of the experiment we are currently conducting, only time will tell, but as a Gen-Xer, a technologist and a parent I would be willing to take the bet that we will need to achieve better equilibrium because the trajectory we are currently on seems dangerous. (Walton, 2017) I guess my question here is, are we more afraid of the nation-state or the organized hacktivists like Anonymous or are we more afraid of the truly dangerous social engineers like Facebook who are trying to spread “emotional contagion”? (Kramer, Guillory, & Hancock, 2014)

References

Kramer, A. D., Guillory, J. E., & Hancock, J. T. (2014). Experimental evidence of massive-scale emotional contagion through social networks. Proceedings of the National Academy of Sciences, 201320040.

Rivera, J. (2018, August 04). The Rise of Fomo – Julia Rivera – Medium. Retrieved October 7, 2018, from https://medium.com/@riverajulia0/the-rise-of-fomo-4e9c2419b791

Walton, A. G. (2017, October 03). 6 Ways Social Media Affects Our Mental Health. Retrieved October 7, 2018, from https://www.forbes.com/sites/alicegwalton/2017/06/30/a-run-down-of-social-medias-effects-on-our-mental-health/#4367e3592e5a