Debugging is a skill you must employ when writing software and yet requires a uniquely different type of mindset. Software engineering (for most code) is largely process oriented, debugging is often non-linear and looks like it’s intuition oriented. But there is process.

My #1 Rule in debugging is: Believe No One.

It’s so easy to follow a wrong assumption when you are listening to another developer who has been debugging something to no avail who is sure the “error is in how we do foobar so we just need to change it to encode correctly” or “it’s a race condition…

I have Linux on my phone right now (I’ve finally switched from Apple -> Android). My terror of malware aside, it’s a delightful experience. I see people using Linux on their desktops/laptops, and it JUST WORKS.

This continues to amaze me. In the 90s, back when I started using Linux, one did not simply ‘install’ Linux.

I ran Linux as my desktop throughout high school (dual-booted) and, along with a brief stint with NetBSD, as my primary OS in college. Thinking back, I’m not sure why, other than a) I was cheap, and b) it was what the other cool…

Earlier today, someone posted a blog about their experiences auditing an NQ Vault, an Android app that claimed to be “a safe place to store your private data.” The result was not pretty.

TLDR: basically it turns out the encryption the app was using was, how shall we say, less than effective (using a 1 byte ‘key’ XOR’d over the first 128 bytes).

As developers in this freshly security-conscious world, what lessons can we learn from this?

1. Encryption is still too hard for developers.

One of the first thoughts that came to mind was this: with all of the effort involved in constructing this custom ‘encryption’ scheme…

I’m going to to talk about two archetypes I’ve observed over my career as a developer, the Hacker (the programmer kind, not the software breaking kind) and the Engineer.

How to Spot a Hacker

Hackers get shit done, and fast. It may not be the most elegant or scalable solution, but it comes to life, and it works, and it solves a problem or is just something cool.

Hackers value source code over support or documentation. Hackers thrive in open source. This also makes them fearless. They have the attitude: if you have the source code, you can fix any problem you encounter. …

Recently, an interesting Docker exploit was posted (http://stealth.openwall.net/xSports/shocker.c) that demonstrates an information leak where a Docker container can access some privileged filesystem data where it shouldn’t. As I was just discussing the relative merits of using Docker, and how security is often quoted as one of them, I thought it would be interesting to dissect exactly how this exploit works by looking at a bit of the code.

The core problem is misconfigured permissions (CAP_DAC_READ_SEARCH) that are granted to the container process, and illustrates how container-level virtualization can be tricky to configure. …

I sent an email out to @all at Threat Stack, and I thought it would be worth cleaning up to post here…

“Noble Vision”

I heard a CEO mention this concept during a Tech Stars talk then ran into it again reading some awesome articles on Harvard Business Review (e.g. http://blogs.hbr.org/2014/05/managing-a-negative-out-of-touch-boss/).

Quote from article:

You can do this by asking about the core purpose of the organization, or even its noble vision. “What is our purpose?” Not, “how are we doing?” but “why do we exist and how do we serve our organization and society?”

Nate asked this recently in…

This article was inspired as a reaction to this WAPO article: http://www.washingtonpost.com/blogs/the-switch/wp/2014/02/27/heres-what-its-like-to-be-a-booth-babe-at-cybersecuritys-biggest-conference/?tid=pm_business_pop

You think it’s frustrating to be a booth babe? You know nothing, Washington Post.

I spent some time this past week managing my startup’s RSA Conference booth. We’re not a huge company (yet!) so many of us are pitching in, marketing, selling, and demoing.

If you ever wanted to know why booth babes are poison to diversity in this industry, let me tell you first hand.

So, I’m literally the most technical person manning our RSA booth. (look up my bio, I’m worked in development/research/etc for infosec companies…

This is likely the first in a series of thoughts I have for startup ideas. I am, in many cases, not a subject-matter-expert, and am talking out of my ass. Is the idea valuable? Maybe. But it’s all about the execution.

You know what is annoying? Watching ads or being stuck behind an annoying paywall that was me to give out yet another credit card number and fill out another sign up form for yet another website.

It’s 2014, and it’s surprising to me that no one’s solved this problem. I would gladly pay 10-50 cents to read a single New York Times article even though I have no intention of ever signing up for a subscription, or pay some change to click through a 30-second video ad I am likely muting anyway.

Let me pay…