Screaming in the Cloud
aws-section-divider
Audio Icon
Meanwhile in ‘Meanwhile in Security’ with Jesse Trucks
Episode Summary
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Jesse also was the director of the League of Professional System Administrators, ran his own consultancy for 14 years, and served in the U.S. Navy.

Join Corey and Jesse as they talk about what exactly Jesse does at Splunk, what it was like to provision supercomputers at D.E. Shaw Research Group, why it’s important to build security into your products from the outset instead of treating it as an afterthought, the upcoming Meanwhile in Security podcast from The Duckbill Group, its genesis, and why Jesse will be hosting it, the difference between DevSecOps and SecDevOps and the competition to cram as many words into a portmanteau as possible, how Corey weighs sponsorship opportunities for his podcasts, how you can’t regain trust after it’s lost, why you need better security in the cloud than on-prem, and more.
Episode Show Notes and Transcript
Links:
Transcript


Announcer: Hello, and welcome to Screaming in the Cloud with your host, Cloud Economist Corey Quinn. This weekly show features conversations with people doing interesting work in the world of Cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.


Corey: This episode is brought to you in part by our friends at FireHydrant where they want to help you master the mayhem. What does that mean? Well, they’re an incident management platform founded by SREs who couldn’t find the tools they wanted, so they built one. Sounds easy enough. No one’s ever tried that before. Except they’re good at it. Their platform allows teams to create consistency for the entire incident response lifecycle so that your team can focus on fighting fires faster. From alert handoff to retrospectives and everything in between, things like, you know, tracking, communicating, reporting: all the stuff no one cares about. FireHydrant will automate processes for you, so you can focus on resolution. Visit firehydrant.io to get your team started today, and tell them I sent you because I love watching people wince in pain.


Corey: This episode is sponsored by ExtraHop. ExtraHop provides threat detection and response for the Enterprise (not the starship). On-prem security doesn’t translate well to cloud or multi-cloud environments, and that’s not even counting IoT. ExtraHop automatically discovers everything inside the perimeter, including your cloud workloads and IoT devices, detects these threats up to 35 percent faster, and helps you act immediately. Ask for a free trial of detection and response for AWS today at extrahop.com/trial.


Corey: Ever notice how security tends to be one of those things that isn’t particularly welcoming to folks who don’t already have the word ‘security’ somewhere in their job title? Introducing our fix to that, Meanwhile in Security. To sign up for the newsletter or to find the podcast, visit meanwhileinsecurity.com. Coming soon from The Duckbill Group.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. I'm joined this week by Jesse Trucks who does, well, two things that we really care about. Let's start with the one that's easier to describe. Jesse, you are the Minister of Magic at Splunk. Thanks for joining me. What the hell do you do?


Jesse: Well, I'm a security specialist. But also people often ask me, “Well, what do you do?” So, I'm essentially an advisor or consultant to Splunk customers, and I help them get better return on their investment for their spend on Splunk products and services and so that they have better security.

Corey: Awesome. Better security; the sort of thing everyone claims is super important to them, usually right after it's been in the papers that security was not important to them, at least, not worth doing anything about. Security has always been a weird space, and you have a strong background in security. You were at Oak Ridge National Lab doing cybersecurity—not the physical security part around the reactors, but doing supercomputer-looking stuff, right?

Jesse: Yes. For a while, I was doing the HPC security for the National Center for Computational Sciences. Before that, I was a sysadmin for Anton supercomputers for D. E. Shaw Research. That was a lot of fun. And then I was a cybersecurity operations team lead for the entire lab’s cybersecurity team.


Corey: Again, but keep going back in time, but one other interesting thing that I'll hit on, and then I promise I'll get off this track, is that you were a D. E. Shaw Research. D. E. Shaw famously being the hedge fund that Jeff Bezos worked at before going to start Amazon. 

And you were there 10 years, 20 years later, something in that range, in the D. E. Shaw Research Group, handling provisioning of their supercomputers. And that's great and all. It's one of those things where you look at a place like D. E. Shaw and you can say an awful lot, but one thing you can't say is that they hire dumb.

Jesse: That's true. I often say that—and this is fairly true—that one of the hardest days of my career was the one-day interview back-to-back with different people at D.E. Shaw, where you knew every 55 minutes, they decide whether you go home. And they asked some of the most interesting, realistic, real-world questions. None of us, like, “How many ping-pongs in a jet” crap, but instead it was, “How would you figure out the bandwidth available on a fiber link, and where a problem might be?” Here's a whiteboard.

Corey: Oh, I like that. It's one of those things that sounds deceptively simple but is so open-ended and you're looking for the trap because, an interview, and you want to perform well and… man… that's a fun one. I will not rat-hole on that question today but, man, is that a fun one to go into.


Jesse: It was good.


Corey: Now, you do all this stuff in security and have for a long time, but the other piece of this—and why we're talking about this today here—is, you are launching a combination newsletter and podcast here at the Duckbill Group called Meanwhile in Security, and people are sometimes thinking that I'm going to be the person that writes this. And sure, I can get up there and pretend to know things that I don’t. I'm a white guy in tech; confidently making statements I don't have facts on is basically what's expected of me at that point, right? But you actually know what you're talking about. And there's a reason that we have you telling those stories instead of me, but start at the beginning: what is Meanwhile in Security and why should anyone care?

Jesse: So, as we all know, one of the problems that we see is security is important. And there's all the obvious reasons: don't want to get hacked, don't get exposed, don't want your stuff shut down, blah, blah, blah. But the real reason the security is really important, and to be integrated into how operations are built from the ground up from—not afterwards, “Scan my new application,” or things like that, but built-in from the ground up, especially in cloud-native apps these days because everything is a surface, and therefore everything is so surfaced. So, how do you get more ROI out of your spend on your cloud infrastructure or your on-premise infrastructure? Do better security and do it up front. 

And also, one of the things is, nobody knows how to talk about security except for security geeks. There's very, very few people who understand the nuances of security and the actual business impacts of what those things do, and what they are, and how they interact. There's very few people who are willing to go public and talk about having one foot in business and one foot in tech. I mean, Corey, that's how you’ve become successful: you can speak both.

Corey: Yeah, I can blend multiple areas of expertise into something forming a niche, which is great. I mean, the idea of finance and cloud computing is a small but important niche. Being able to talk to computers about security, and being able to talk to people about security is more important I would argue, and also not so much of a niche as it is a common business problem that every company needs to be able to traverse somehow.

Jesse: Yes, absolutely. And the message out there to a lot of people in their various organizations, especially in new DevOps-y kinds of operations is, “You must do better security,” but they're not security people. And security people generally aren't the DevOps-y IT people and so how do you get your SRE types to know better security? Meanwhile in Security.

Corey: I love the buried pun in there, personally, but that's neither here nor there. There are a lot of podcasts about cybersecurity, information security, what is the appropriate term these days? I don't want to deal with the community yelling at me because, honestly, I have no patience left for the InfoSec community as a whole.

Jesse: So, that really depends on who you're talking to. If you're talking to anyone vaguely associated with the federal government or works with the federal government at all, we've all given in, thrown in the towel, and we call it cyber, or cybersecurity. Cyber meant something totally different when I was coming up into computers, back when IRC was the only chat option. But these days old school InfoSec people call it InfoSec, or information security or just security but generally most people just call it cybersecurity because that's what the general layperson or the management people who don't know technology call it. So, really you can call it anything, and I'm going to say cybersecurity and cringe every time I say it.

Corey: Everyone refers to your industry a certain way. You smile and you shrug, and you put up with it. I mean, I was on the side of DevOps shouldn't be in a job title, but then I saw a lot of people paying an awful lot of money for jobs that had the word DevOps in them. And what, smile, nod, take the money. The problem I saw across the board was that there are two categories—very broadly—of folks who work with cybersecurity or InfoSecurity, we're going to call it—is InfoSec okay to call it? Or is that going to annoy people?

Jesse: InfoSec is fine. In fact, it's actually my favorite term. And I like CamelCase. So, it's capital I capital S, but that partially because it kind of irritates some people.

Corey: Oh, absolutely. Irritating people is one of my favorite things to do, especially when it's intentional. The promise—there are two worlds in InfoSec. One is people who are deep into InfoSec talking to other people who are deep into InfoSec. And then you have InfoSec-adjacent folks, where you're a DevOps person, or you're an SRE type, or you're managing a team, and you are very much on the hook for security being implemented properly—and yes, it’s a spectrum. I get it. 

And it properly can meet a lot of different things to a lot of different folks—but security is one of those things you have to do, but it's not your core focus. And all the stuff I see in the InfoSec world, there are a bunch of great newsletters and podcasts in the space that speak security to people who are already deep in the weeds on security, and it's not accessible. I don't find that it resonates with me for whatever reason. The more I looked for something that didn't have that approach and instead talked about cloud security—which let's be clear, is security these days—in an accessible way, the more I realized I can't find it. Well, if I'm looking for this, maybe other people are, too. And thus began this our Meanwhile in Security experiment.

Jesse: Yeah, and one of the reasons for the title is because what happens is, is most of us have some job, and then there’s security. So, it's like, “Oh, yeah. Meanwhile, over here in the security land…” so—and again, the pun in case anybody didn't catch it, is Meanwhile in Security. And we call things ‘insecure,’ which always cracks me up because you think of a therapist for a computer. Although the origins are actually in grammar. 

And the problem is, is that people have to figure out all the security things that are irrelevant to their job, but their job is not security. And on top of that, they're expected to wear five or six different hats, and the hardest hat is the one that they're focusing on right now. And then in 10 minutes, a different hat, it's a different hat. They're all incredibly hard jobs, and most of them have DevOps-y titles as well, even though really the biggest thing these days is SecDevOps. Have you seen that one yet?

Corey: I've seen DevSecOps, and I'm sure the ordering is important. And at some point, it's one of those how many words you're going to shove into a portmanteau?

Jesse: [laugh]. Exactly.

Corey: What about ‘QA’ as well? And oh, we got to get the word Kubernetes in there somehow because the CNCF demands it.

Jesse: [laugh]. Yes. And also, if people are searching for job titles, then they'll find what you're trying to hire for. And most people I've talked to actually have DevSecOp jobs or SecDevOps, or whatever way you're doing that. Generally what they are is they're people who have a strong programming infrastructure background who have learned some security. 

And, you know, that's not always true. Sometimes the security people have learned IT stuff, or like me, you know, I came up through the ranks doing both IT Ops and SecOps together. And the problem is, is that they can't keep up with all of their industries that they have to; there's already too much. There's already so much bifurcation. For instance, you don't have somebody who is an amazing Linux engineer and an amazing Windows engineer, and an amazing Cisco engineer because that's too much to keep track of. They can be good at all of them, but they're only going to be amazing at one of them at best, and—with rare exceptions; there are prodigies—and so in security, same thing happens.

Corey: There's also a question of how do you position something? Because on the one end of the extreme spectrum, there's room for a show that explains InfoSec concepts to the layperson: use a password manager, here's what multi-factor authentication looks like and what it means. And then on the other side of it, you have folks talking about the actual seed algorithms you use behind those MFA devices. And there's an unmet need in the middle, which is, “Okay, I want to know how to approach that AWS account MFA story. Yeah, I get why MFA is important. You don't need to belabor that to me, but I don't care about the underlying algorithm. What I want to know is how do I handle the root account’s MFA device without having to put it in a safe somewhere that burns down or we can't get to in a pandemic, versus making it available to every person who works at my company? What are strategies real companies use around stuff like that?” Because everyone wonders. That's the sort of question I want to see explored. While simultaneously rounding up, what are the interesting stories that happened last week in the wide world of InfoSec that people should pay attention to?

Jesse: Yeah, I think that there's a combination of things that you just hit on. One is just understanding fundamental concepts. And these have to be repeated quite often because even people who are in InfoSec, we often get rusty in things that we don't work on on a frequent basis. And then you have people who of course, are not full-time security people, and you have new people coming along all the time. Like, “Okay, so what is ‘buffer flow’ exactly?” “Okay, well, it's this fundamental concept.” “What's a man-in-the-middle attack? Do people even do these anymore?” 


And also, where are some resources if I wanted to deep dive and geek out on it? Where do I go? Which ones are reliable? What's the things that are most digestible? And the last thing is, how do I actually do this? Just functional things. 

I guess the other really last thing is what has happened recently? What's in the news? And Meanwhile in Security, we'll cover these concepts, as well as big things that happen in the news and links to things that are current events that are relevant to how we do security today.

Corey: I've also said it before on the show, I'm going to be very transparent about this, I find the InfoSec community is largely a trash fire. And they haven't quite had the same experiences that a lot of the sysadmin community did as the DevOps movement was emerging, built around empathy. I found it so abhorrent in many cases that I got largely out of those spaces. There are good people in that community working for change. I get that, but it still has a weird lingering vibe of that, for me anyway. 

And I can expect that some people are going to read Meanwhile in Security and say, “Oh, this is way too basic for my big brain exploration of how security works.” Great. That's not for you. It's also not for someone who is sitting at home and trying to make sure that someone doesn't break into their Facebook account, necessarily. It's not really for them either. 

It's for folks who are operating in the world of Cloud slash modern computing—hybrid, of course, is a very real deal, too—and even in data centers, a lot of this stuff all is cohesive and needs a reasonable approach. But everything that even begins to speak to those people, it seems, is vendor-captured. It's by folks who have something to sell them, and magically, everything that they talk about, all roads lead to, “Buy my enterprise software.”

Jesse: Yeah. And that's one of the problems, too, is that, which vendors do you trust? Which vendors have a good account team for you to talk to? Who’s going to be frank with you today? And that changes and evolves. 

And most of your main vendors out there, they're going to tell you for perfectly true things, but we're all biased in our experiences, and where we work, and what we're trying to sell. And what I want to do with Meanwhile in Security is to show people what happens when there is no bias. Because this is about what is good security, what is good methodology, and most importantly, one of the things that I've always done is teach somebody how to understand the basics because you know if the basics, you can derive an answer. You can re-derive if you can go back; if the how and the why, you understand where it comes from, then you can make your own decisions, your own informed decisions. Even if you're not an expert in something you know what kinds of questions to ask, you know what kinds of things to look for, whether you're asking that question of your systems, or of your vendors, or your coworkers or yourself.

Corey: I do want to talk a little bit about our sponsorship policy on Meanwhile in Security. We have something very similar here on this show, but with you, it's been much more explicit and drawn out. You don't know who's sponsoring any given episode or issue until you see it come out. We are building a hard firewall between you and anything sponsorship-oriented, which means you have no idea what vendor is going to appear above or below whatever it is you have to say that week, which absolutely could lead to really interesting stories. Theoretically, if I don't know, ‘vulnerability scanners are bad’ is your entire thesis one week, and ‘this episode is sponsored by a vulnerability scanner,’ that's going to be an interesting juxtaposition and we may have to make some apologies, but it's the way to do it because you aren't shifting your coverage based upon who's paying us. I never have either, but in your case, we're making it far more explicit.

Jesse: Yes, absolutely. And one of the things that it's very important to me, which is one of the reasons why I like working with you and your CEO, Mike Julian, is because it's a strong code of ethics, a personal code of ethics. And part of that is that I also come from sort of a tangential to a journalistic background, I worked at a newspaper; it's where I met my wife when she was a reporter and an editor there. And it's important to have the firewall between the journalistic content and the advertising content. I don't want to know who's advertising; it's not relevant to me. 

What's relevant to me is me producing the best possible content I can to deliver the message to educate, train. I had so much incredible amounts of help in my career so far to give me the success that I have found, and it's my turn to pay it forward just like I pay it forward in other community things that I do with nonprofits. And that separation is extremely, extremely important to me, and I thank you for that.

Corey: Of course. I want to just be very clear, as well, that there is a vetting process that we put sponsors through. We don't usually talk about it directly with them because we politely decline to pursue anything further if they don't pass through it. But fundamentally, I take a look at their site in the abstract. And, okay, let me understand what this product does, and I dig into it a bit. 

And it's a relatively low bar, but there has to be a problem that I can imagine or conceive of where, yeah, this is the right answer for that problem. If I think about that problem, and oh, this would be a terrible solution for that and I don't like anything about what they're doing, I mean, I can always make more money by talking to different sponsors. I can't recover credibility that I've lost by recommending garbage. And while a sponsorship is not an explicit recommendation, it appears next to my name. People are going to associate us on some level. So, I make it a point to not do business with companies I feel the need to apologize for on a consistent ongoing basis. With the possible exception of whoever names AWS services.

Jesse: Yeah, that was a good one. Yeah, one of the things I find really important is to always remember—and I'm glad you mentioned indirectly—at the end of every day, if your entire house burned down, your company went bankrupt, and there's nothing left whatsoever, all you're left with is yourself, your family, your friends, your reputation. That's it. All this other stuff can go. It can be replaced. And so standing on a code of ethics and putting your best face out there, and standing behind everything that you say and do is extremely important.

Corey: Some people need dozens of tools to visualize their stack. But not you. You’ve got New Relic Navigator.All your hosts, services, containers, and anything else you can monitor are in one dense hex view, so you can check system-wide health at a glance.And you can sort by platform, service, app, or any other tag, which makes it easy to navigate yourentire system and see what needs your attention.Go to NewRelic.com and get started for free

Corey: It's one of those areas where you can't regain trust after it's been lost. It's one of the things that's true in business; it's true in security. And people will forgive implementation challenges, but they won't forgive you attempting to rip them off, or you making trade-offs about their security so that you can do something you need to do faster. It comes down to messaging, and I think that that's something that gets very much lost. I mean, take two of the security sponsors that I've had on my existing shows, namely ExtraHop, and Lacework. 

They're both solid companies that do really interesting things. In both cases, I've used demos of their products in my own AWS accounts, and I see the value of it. Oh, this is actually extraordinarily helpful. But I wanted to look at those things before I accepted it. Just because—especially in the security space, it feels like the RSA expo hall, is a never-ending sea of primarily the same company with different logos and different marketing phrases, selling what for all the world appears to be the exact same thing.

Jesse: Oh, and the security in any industry is bad, but—in terms of trying to figure out what's what, and who's the right vendor, and what things are available, but cloud security, it's a murky morass of unknowns because it's something that's not actually been explored enough, and there's a lot of great vendors doing really great work in SaaS offerings, as well as observability and security related to that, but you got to figure that out. Going into RSA or black hat showrooms, you just look at a sea of what do they all do, and why are they different? And that's the problem. You walk in there, if you don't know who they are, you don't know those vendors—it’s hard enough to figure out when you're somebody who does this all day long. So, I'm hoping to demystify some of that in terms of understanding the technology. 

Then you can go ask all the vendors, all the questions you need to, to be able to find out what they're doing and why they're doing it. And especially moving into the cloud infrastructures, you know, companies who are doing the lift and shift, and going hybrid, and before they go cloud-native, it's really important.

Corey: We talked about people being on one side or the other of the security divide, but one thing I see, what makes that the most clear for me, is I look at various security vendors websites, and some of them explain in reasonable terms, what it is they do. And that's great. No argument here. I might, I don't know, argue about a word choice or something, or maybe there's a better story. Fine. 

The others are incomprehensible to me. It is very clear, they're written with the CSO in mind who speaks in specific phrases around very specific compliance requirements, or very specific terms of art in the InfoSec field. It feels almost like a CISSP is a prerequisite for an awful lot of the marketing material to even begin to make sense. When I look at something and I don't understand it, I feel like I am not the target market, which on some level, I cheat and just take a shortcut to, “And therefore it's probably crap,” which is unfair. But it's very hard for me to see how those offerings are being articulated to the people who could actually benefit from them, assuming they're good.

Jesse: Well, in a sense it’s the same problem that you solve is, I look at an AWS bill and it just baffles me. It's like, “Well… do I start drinking now or later?” [laugh]. And instead, there's somebody who's an expert in that, that can help somebody get through that path, and I hope to be a little bit of that guiding light. And one of the things I think is important for people to—and you mentioned it earlier: people need to remember security and cloud security are one and the same, but there's an added layer. 

In a data center, you can lock the door, and you can put really, really, really fancy good locks on it. It will really raise the bar up high to barrier to entry. So, somebody has to be able to understand physical security, get through, get into your data center, or they can go through the network. So, now you can secure the network; all of your normal security things apply. In the infrastructure you have on the cloud, there's all the cloud infrastructure that is remotely accessible, so your entire data center, effectively for you as the cloud consumer, you have all that extra layers of security. So, security all is the same, plus you have to deal with the cloud security. It's really, really important, and in fact, it's more important to have cloud security infrastructures have better traditional security mechanisms than it is for traditional on-prem solutions.

Corey: I argue on some level, there's a bit of alignment there where you can save an awful lot of money by turning off things you're not using with the simultaneous argument that it's really hard to exploit something that's been turned off. Not impossible I’m told, but still harder to do than most. And there is a spiritual alignment of worshipping at the altar of the Church of Turn that Shit Off that I feel security and cost [laugh] folks can align on.

Jesse: [laugh]. Absolutely, and especially when you're starting looking at containerizing things and cloud-native apps, you don't have to secure something if you never write it.

Corey: Oh, yeah. And another approach that I find that is very similar from the security world and the billing and governance world is you talk to companies across a wide variety of industries, levels of sophistication, et cetera, and no one believes that they've gotten their cost attribution right, or they're billing exactly where it should be, or their security posture where it needs to be. Everyone believes that they really have a lot of work to do to catch up. No one looks at this and says, “Oh, I've nailed this. I'm doing great,” except for people who are painfully naive.

Jesse: Yes, absolutely. And one of the things that it comes up often, is compliance. Compliance, compliance, compliance. Is it PCI? Is it ISO this? ISO that? Is it NIST this? NIST that? Is it FERPA? FISMA? HIPAA? Or things like in Europe: GDPR, which is actually affecting all of us—in the US and everywhere else in the world because we all have European citizens looking at our things or using our products and services, or we have people who are working and living there.

Corey: Yeah, that is a weird law that is, frankly, a little, I want to say overbroad in some respects. I care deeply about privacy and security. This stuff is important. I built a custom link tracker for my newsletter, for example, that will tell me the number of unique newsletters that were sent out, that have been opened, and which links within them have been clicked without ever telling me what you have opened, or you have clicked on because I've got to be honest, I do not care and I struggle to find a way to care less. Because I want to know of all the links I sent out last quarter, which were the ones that were the most appealing to the point where people clicked on them and dove into them. 

That helps me build things like ‘best of’ issues. It lets me look in the aggregate and say, “Okay. I don't care about IoT, but the rest of the world seems to so I'm going to have to continue to cover it.” Versus, “I don't care about Windows stuff, and it looks like the readership doesn't either. Thank God. I don't have to talk about it much.” 

It helps me inform opinions around what I should write about because I do have an audience; I want to appeal to them. But being able to run a little bit of analysis on that in a privacy-preserving way is super important to me. But all of the tools that you can look at for sending out newsletters stuff is deep in the weeds of oh, and then we can track them across the internet if you want. No. I want you to not do explicitly that. 

A lot of stuff that Basecamp with DHH and their hey.com stuff appeals to me at a deep level. I feel like every time we have any form of tracking, it should have above it in bright letters, “We are going to be watching what happens with these links,” because that is fundamentally what it means. And most of the time, we don't need that, so why do we do it?

Jesse: Oh, absolutely. And privacy is one of the things that is near and dear to me, too. I'm also the principal of a small nonprofit school that I founded with my wife and another woman, and I want to make sure that the things that we use and the services we use at that school have no school information. I'm okay with somebody knowing that this customer did XYZ as long as it doesn't tie back to individual information. Otherwise, we have FERPA violations, et cetera. 

And so, compliance has always been important to me. I've worked in support of just about any kind of compliance you can imagine—including in classified spaces—before. And I think that that's one of the morasses that's really, really confusing is, how do you do really good data-driven business, but yet maintain privacy of both your employees and your customers?

Corey: That's really what it comes down to is you need to be able to have a functional business. We do a best effort job on our side to comply with it, but to dot the i's and cross the T's on this would effectively require a full-time person whose job is nothing other than maintaining a lot of these compliance systems. And I mean, again, we have a list of what information we have about individuals who subscribe to the newsletter, for example, what IP address did they sign up from? We capture that because I believe that's a requirement. And, “What PII do we have on them?” Well, in our case, we have their email address. “Well, why do we need the email address?” Needs to be a valid reason. “Because it's hard to send you an email if I don't have your email address.”

Jesse: Yes.


Corey: Okay, and did they click the ‘Confirm’ option on the email that we send out to validate that this really is their email address? Yeah, without it, they never show up at all. And great, then we have a record of what was sent to them at various times, and when they unsubscribe that shows up, too. There, we have now disclosed everything we know about what you do, tied to you.

Jesse: And I think it's important to point out that that is actually harder to do than you just listed out because—

Corey: Well, what I just talked about is the ideal. What we actually have—because ESPs don't really offer a way to disable this—I can look at what newsletters you've opened, I can look in their systems at what links you have clicked on. And that is a problem, and there's no good way to disable that with our current ESP. But the saving grace is that their interface is so terrible for looking at these things that no one ever does. And we restrict access to this, obviously. It's not useful for us, and it definitely goes to show that okay, well, what's the value of all this surveillance? The answer here is, not much.

Jesse: Also, I think there's a different aspect of it, too, is what is actually legislated compared to what has been tried in court and proven realistic. I remember when I worked at AT&T—it was SBC at the time, pre-merger—and my team was part of the first SOX audit—Sarbanes Oxley act. We had no idea how bad things would be, we didn't know if we're going to get in trouble, so we did all this work internally. And then when we finally got to the official external audit, turns out, things were just fine because we were paranoid about it for nine months.

Corey: Yeah, it turns out that it's super easy to wind up inadvertently setting a foot wrong. And I looked at all of this when it was first coming out and on—again, we did a best-effort attempt to do all of these things, and we didn't do the dumb things, like assuming that an IP address is indicative of whether someone is considered an EU citizen. Great. Yeah, that doesn't actually work. Who knew? 

And again, we weren't tracking all this stuff to begin with, but it's just one of those areas where, yeah, I want Facebook and Google and large companies that are doing tens of millions of dollars a year in ad business—or more—to absolutely have to do these things. But this stuff also applies to rando hobbyist newsletters with a Patreon donation link in them. And where do you start, and where do you stop?

Jesse: Yeah, and a good example, there are, too, is school regulations. I have an actual school in the state of Tennessee. And it's a legal school. We have a full-time teacher and we're subject to all the same regulations, and laws, and inspections, and data privacy for the FERPA act, and things like that. And it doesn't matter that we have eight students in one classroom. 

Doesn't matter. We have the exact same burden as a large-scale district with 10,000 students. And so, how do you implement that in a way that's reasonable? Same thing with HIPAA. If you're a single doctor, and you do all your own bookings and you have one room you use, you know, like a therapist, for instance, you're still subject to the exact same requirements, as Kaiser Health. 

So, how do you navigate that? I'm hoping that we can help solve some of those things in—if you think about it in Meanwhile in Security, we’ll take you to the side and have a little fireside chat about how you can figure that out by knowing the requirements and how they are in both at a legal and spirit of that law. And that's how you learn.

Corey: That's really what it all comes down to is learning; learning as we go. And that's the goal of this podcast. Some weeks, we do a better job of teaching folks things than others. At least if the takeaway here this week is sign up for Meanwhile in Security at meanwhileinsecurity.com, but also the newsletter. 

It's about educating people about what's going on in the world. AWS says that re:Invent is a conference primarily about education, and I get that. I can see an angle from which that is true. The problem with re:Invent is it has no idea what it wants to be, and thus no sense of itself, so it tries to be all things to all people at all times. And it turns out, that's a really hard list of boxes to check.

Jesse: Absolutely. That's why you should pick a narrow focus, and go for it, and do it right.

Corey: Exactly. And in our case, we're doing that with explaining security to practitioners who have other work to do.

Jesse: And we're going to have a little fun.

Corey: We certainly are. Where can people sign up, once again?

Jesse: meanwhileinsecurity.com.

Corey: And of course, the Meanwhile in Security podcast is also available wherever you get your podcasts from. If it's not there quite yet, let us know. By the time this airs, it should be everywhere, but it seems like there's a new podcast platform every week and it is increasingly difficult to catch them all. Let us know. Jesse, thank you for taking the time to speak with me. As always, it is appreciated.

Jesse: Thank you very much, Corey. I love talking to you. It's always a good time and I look forward to Meanwhile in Security helping others learn better about security.

Corey: Jesse Trucks the new author slash editor of Meanwhile in Security. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an angry and insulting comment about why I truly don't understand the true meaning of InfoSec, if you can manage to get the comment posted through the filters against racial slurs.

Announcer: This has been this week’s episode of Screaming in the Cloud. You can also find more Corey at screaminginthecloud.com, or wherever fine snark is sold.

This has been a HumblePod production. Stay humble.


View Full TranscriptHide Full Transcript