The 256th day of the year (the 100th day in hexadecimal) is known as the Day of the Programmer. On most years, it’s September 13th, but on leap years — which includes this one — it’s September 12th.
The day was proposed by two Russian programmers, Valentin Balt and Michael Cherviakov, who petitioned their government to recognize this day. The recognition came on September 11, 2009 when Russian president Dmitry Medvedev signed the decree, making it official.
During the Information Security week of the UC Baseline cybersecurity program, the instructors asked us a lot of questions whose answers we had to look up. As a way to maximize participation, we were encouraged to share lots of links in the class’ Slack channel, which also functioned as a backchannel, as well as a way to chat with the students who were taking the course online.
The links that we shared in class were valuable material that I thought would be worth keeping for later reference. I’ve been spending an hour here and there, gathering them up and even organizing them a little. The end result is the list below.
Since these are all publicly-available links and don’t link to any super-secret UC Baseline instructional material, I’m posting them here on Global Nerdy. Think of this list as a useful set of security-related links, something to read if you’re bored, or a peek into what gets discussed during the InfoSec week of the UC Baseline course!
Krebs on Security: Thinking of a Cybersecurity Career? Read This. Krebs is a good regular read for security news, and this article is a good guide: “Thousands of people graduate from colleges and universities each year with cybersecurity or computer science degrees only to find employers are less than thrilled about their hands-on, foundational skills. Here’s a look at a recent survey that identified some of the bigger skills gaps, and some thoughts about how those seeking a career in these fields can better stand out from the crowd.”
Wired: The Garmin Hack Was a Warning
“Ransomware continues to affect the usual suspects; the hospitals and cities and homeowners who click on a bad link haven’t gotten any sort of reprieve. But as hacking groups add both to their coffers and tool sets, it seems likely that Garmin is hardly an outlier—and only a matter of time before the next big target takes a big fall.”
The O.MG cable
It looks, feels, and acts like an ordinary USB cable, but it also has a processor, web server, and 802.11 radio, which can help you sneak your way into a system.
GRC: Governance, Risk, and Compliance
“The acronym GRC was invented by the OCEG (originally called the ‘Open Compliance and Ethics Group’) membership as a shorthand reference to the critical capabilities that must work together to achieve Principled Performance — the capabilities that integrate the governance, management and assurance of performance, risk, and compliance activities.”
The eJPT — eLearnSecurity Junior Penetration Tester certification
“The eJPT designation stands for eLearnSecurity Junior Penetration Tester. eJPT is a 100% practical certification on penetration testing and information security essentials. By passing the challenging exam and obtaining the eJPT certificate, a penetration tester can prove their skills in the fastest growing area of information security.”
NIST Cybersecurity Framework
“The Framework is voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.”
NIST Special Publication 800-series General Information
“Publications in NIST’s Special Publication (SP) 800 series present information of interest to the computer security community. The series comprises guidelines, recommendations, technical specifications, and annual reports of NIST’s cybersecurity activities. SP 800 publications are developed to address and support the security and privacy needs of U.S. Federal Government information and information systems. NIST develops SP 800-series publications in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283.”
NIST Compliance FAQs: Federal Information Processing Standards (FIPS)
“FIPS are standards and guidelines for federal computer systems that are developed by National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA) and approved by the Secretary of Commerce. These standards and guidelines are developed when there are no acceptable industry standards or solutions for a particular government requirement. Although FIPS are developed for use by the federal government, many in the private sector voluntarily use these standards.”
VISA: PCI DSS Compliance
“Learn about Payment Card Industry Data Security Standard (PCI DSS) with Visa. Keep your cardholders safe with the latest security standards.”
“One of the most respected, non-profit standards bodies in the world, OASIS Open offers projects—including open source projects—a path to standardization and de jure approval for reference in international policy and procurement. OASIS has a broad technical agenda encompassing cybersecurity, blockchain, privacy, cryptography, cloud computing, IoT, urban mobility, emergency management, content technologies. In fact, any initiative for developing code, APIs, specifications, or reference implementations can find a home at OASIS.”
OWASP Foundation
“The Open Web Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.”
How Unix Works: Become a Better Software Engineer
“Unix is beautiful. Allow me to paint some happy little trees for you. I’m not going to explain a bunch of commands – that’s boring, and there’s a million tutorials on the web doing that already. I’m going to leave you with the ability to reason about the system. Every fancy thing you want done is one google search away.
But understanding why the solution does what you want is not the same. That’s what gives you real power, the power to not be afraid. And since it rhymes, it must be true.”
Kaspersky: What is a honeypot?
“In computer security terms, a cyber honeypot works in a similar way, baiting a trap for hackers. It’s a sacrificial computer system that’s intended to attract cyberattacks, like a decoy. It mimics a target for hackers, and uses their intrusion attempts to gain information about cybercriminals and the way they are operating or to distract them from other targets.”
DFIR — Digital Forensics and Incident Response
“Digital forensics and incident response is an important part of business and law enforcement operations. It is a philosophy supported by today’s advanced technology to offer a comprehensive solution for IT security professionals who seek to provide fully secure coverage of a corporation’s internal systems.”
Understanding RPO and RTO
“Recovery Point Objective (RPO) and Recovery Time Objective (RTO) are two of the most important parameters of a disaster recovery or data protection plan. These are objectives which can guide enterprises to choose an optimal data backup plan.”
The 3-2-1 backup rule
“For a one-computer user, the VMware backup strategy can be as simple as copying all important files to another device – or, ideally, several devices – and keeping them in a safe place. However, for multiple computer systems, things can be (and usually are) much more complicated, especially when it comes to virtual environments containing thousands of virtual machines. To protect physical machines, you would need to perform Windows Server backup or Linux Server backup, which might be difficult without effective backup tools. In these cases, a comprehensive data protection plan should include the 3-2-1 backup rule.”
How to Set Up an AI R&D Lab
“The moment a hyped-up new technology garners mainstream attention, many businesses will scramble to incorporate it into their enterprise. The majority of these trends will splutter and die out by Q4. Artificial intelligence (AI) is unlikely to be one of them. AI is a transformative series of tools that can accelerate productivity, drive insight, and open up unexplored revenue streams. It’s poised to revolutionize the way we do business and everyone in a leadership role should be thinking about it. But few organizations are set up to do AI properly.”
ZDNet: FBI and NSA expose new Linux malware Drovorub, used by Russian state hackers
“The FBI and NSA have published today a joint security alert containing details about a new strain of Linux malware that the two agencies say was developed and deployed in real-world attacks by Russia’s military hackers. The two agencies say Russian hackers used the malware, named Drovorub, to plant backdoors inside hacked networks.”
Military Cyber Professionals Association (MCPA)
“Military Cyber Professionals Association (MCPA) are a team of Soldiers, Sailors, Airmen, Marines, Veterans and others interested in the development of the American military cyber profession. Our members are interdisciplinary, as such a diverse set of perspectives is needed to develop cyberspace as an entire domain. Also included in our ranks are other government employees, contractors, academics, industry leaders, foreign allies, and private citizens.”
Why the fuck was I breached?
“Did you just lose 100m customer SSNs because your root password was ‘password’, you set an S3 bucket to public or you didn’t patch a well known vulnerability for 8 months? Is the media and government chewing you out because of it? Worry not! Our free excuse generator will help you develop an air-tight breach statement in no time!”
Evaluating Risks Using Quantitative Risk Analysis
“Project managers should be prepared to perform different types of risk analysis. For many projects, the quicker qualitative risk assessment is all you need. But there are occasions when you will benefit from a quantitative risk analysis. Let’s take a look at this type of analysis: What is it? Why should we perform it? When should it be performed? And how do we quantify risks?”
What is CMMI? A model for optimizing development processes
“The Capability Maturity Model Integration (CMMI) is a process and behavioral model that helps organizations streamline process improvement and encourage productive, efficient behaviors that decrease risks in software, product and service development.”
How Many Email Accounts Do You Need?
“With all this need for email accounts, the question obviously arises: how many email accounts should you have? In theory, you could use a single email address for everything, but that could leave you with thousands upon thousands of emails from hundreds of sources in a single account; even with an account that allows you to easily sort everything, you’ll quickly be overwhelmed. It’s all but required that you have multiple email addresses nowadays.”
NIST NVD (National Vulnerability Database) — Vulnerability Metrics
“The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics. A CVSS score is also represented as a vector string, a compressed textual representation of the values used to derive the score. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability severity scores. Two common uses of CVSS are calculating the severity of vulnerabilities discovered on one’s systems and as a factor in prioritization of vulnerability remediation activities. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities.”
Tampa Bay UX Group
The Tampa Bay User Experience Group is one of the largest volunteer-led user experience professional organizations in south central Florida. Krissy Scoufis created the group in August, 2013 with the goal of providing a network of design practitioners, product owners, web developers and product strategists who could share UX methodologies, principles and techniques. Mike Gallers and Beth Galambos joined the leadership team shortly after the group started and together they have hosted over 73 events. The group’s foundational pillars are to provide free mentorship, education and community to evangelize the User Experience discipline. Frequently partnering with other regional technology meetups, the Tampa Bay UX Meetup group has fostered a cross-functional network of professionals dedicated to putting users at the center of product strategy and design.
The Five Steps of Incident Response
“Incident response is a process, not an isolated event. In order for incident response to be successful, teams should take a coordinated and organized approach to any incident. There are five important steps that every response program should cover in order to effectively address the wide range of security incidents that a company could experience.”
What Are Security Controls?
“At the most fundamental level, IT security is about protecting things that are of value to an organization. That generally includes people, property, and data—in other words, the organization’s assets. Security controls exist to reduce or mitigate the risk to those assets. They include any type of policy, procedure, technique, method, solution, plan, action, or device designed to help accomplish that goal. Recognizable examples include firewalls, surveillance systems, and antivirus software.”
110 Must-Know Cybersecurity Statistics for 2020
“In order to give you a better idea of the current state of overall security, we’ve compiled the 110 must-know cybersecurity statistics for 2020. Hopefully, this will help you paint a picture of how potentially dire leaving your company insecure can be as well as show the prevalence and need for cybersecurity in business. This includes data breaches, hacking stats, different types of cybercrime, industry-specific stats, spending, costs and the cybersecurity career field.”
How to Restore Deleted Files Even After Emptying the Recycle Bin
“So you’ve emptied your recycle bin and then realized that you’ve deleted a file that you still need. If you act fast enough, you may be able to recover the files before the computer overwrites them with something else. Read on below for how to restore deleted files and for recycle bin recovery steps even when emptied.”
Here are six basic human tendencies that are exploited in social engineering attacks:
Authority: An attacker may call you pretending to be an executive in order to exploit your tendency to comply with authority figures.
Liking: An attacker may try to build rapport with you by finding common interests, and then ask you for a “favor”.
Reciprocation: An attacker may try to do something for you, or convince you that he or she has, before asking you for something in return.
Consistency: An attacker might first get your verbal commitment to abide by a fake security policy, knowing that once you agree to do so, you will likely follow through with his next request in order to keep your word.
Social Validation: An attacker may try to convince you to participate in a fake survey by telling you that others in your department already have. He or she may have even gotten some of their names and use them to gain your trust.
Scarcity: An attacker may tell you that the first 10 people to complete a survey will automatically win a prize and that since some of your co-workers have already taken the survey, you might as well too.
Social Studies – A Lesson in Social Engineering Basics
As we have become more and more vigilant against clicking on malicious links in suspicious emails, some social engineers have gone back to the classic person-to-person approach. Their basic strategy is to prey on vulnerabilities in human nature.
Last night was the final night of the Intro to Python Coding course that I’ve been teaching on behalf of Computer Coach for the past five weeks — Mondays and Wednesdays, 6:00 p.m. to 10:00 p.m.
I’d like to congratulate the students! It’s not easy to spend four hours an evening twice a week learning something completely new and unknown to you, but the students did just that. If you’ve ever been in any of my Tampa iOS Meetup sessions, you’ve seen my teaching technique — you’re not passively watching slides, but coding along with me, and even experimenting, just to see what happens. That’s what I did with the Python class — we entered code and saw what happened, hopefully learning along the way.
As a farewell present to the students, I sent them a copy of So You Want to be a Wizard, a little “zine” written by Julia “b0rk” Evans for programmers who are starting out that’s full of good advice. I hope it helps them through those moments that every programmer has, when nothing seems to work and all you want to do is throw your computer out the window. I’ve posted it here as well, partly because it’s full of good advice that even experts need to remember, and partly because I want to make sure that everyone knows about Julia’s works.
Even the table of contents lets you know that you’re in for a fun read:
Julia has a whole set of zines, some of which are free…
…and some fancier ones, which come at a reasonable price, even for groups:
Once again, congratulations to the Intro to Python Coding students!
Mike Dominick, who runs The Mad Botter — which develops automation/integration software — moved to the Tampa Bay area three years ago. It’s been my experience that Tampa Bay techies don’t do things halfway, so it shouldn’t be a surprise that in addition to the day job, he also has a technology- and open source-focused podcast named The Mike Dominick Show.
I had the privilege of being the guest for Episode 25 of the Mike Dominick Show, which we recorded yesterday afternoon (that’s its player above), and it was a fun conversation that covered:
The Toronto tech scene
Taking up the accordion
How I got into developer evangelism
Learning iOS programming via raywenderlich.com and then joining them
Remote work and the pandemic
WWDC 2020 and SwiftUI, Python and Burning Man
Windows Phone and my time as a Windows Phone Champ
What I’ve been doing while looking for work
The hidden opportunities that come with having to stay inside
Mike ends each podcast with two questions — one tough and one easy. The tough question he asked me was “What question should I have asked you that I didn’t?” You’ll have to listen to hear how I answered that one.
Don’t just listen to my episode — be sure to check out previous ones, including these ones that I’ve enjoyed on my daily bike rides:
Yup, it’s the holy trinity of books for Smalltalk-80, the definitive release of original recipe Smalltalk. You probably haven’t used Smalltalk, but you probably use a programming language influenced by it: Dart, Go, Java, Kotlin, Objective-C, PHP, Python, Ruby, Swift, and Scala, to name just a few.
They were a lucky find: they were in a banker’s box in a trash pile on the east side of downtown Toronto, sometime in late 1998. It’s probably my best dumpster-dive find, beating out even that still-functional cable modem or e-Machines starter Pentium machine that I would find a few months later. (Boom times make for great dumpster diving.)
The books are historically interesting. They’re written for readers who spent all their computing time at the command line, who had probably never seen a GUI before, and who most definitely had never used an IDE. That’s why one of the books is devoted to Smalltalk’s interactive environment, and why one of the first illustrations in that book is this one:
Here’s a sample from the biggest of the books: Smalltalk-80: The Language and its Implementation. It’s the definition of a class named FinancialHistory:
To a present-day programmer, the syntax may seem a little weird (it’ll be a little less weird to Objective-C and Swift programmers; now you know where that method-calling syntax comes from!), but they’d still find it familiar. To a programmer in 1984, the year the book was published, who probably subsisted on a steady diet of structured programming, this must’ve been positively mind-blowing.
For the curious, here’s how you’d create an instance of FinancialHistory named HouseholdFinances with an initial balance of $350:
Once created, we’d record household spending like so:
HouseholdFinances spend:cost+tax for:'food'
(I just felt a disturbance in the Force, as if millions of Objective-C and Swift programmers cried out, saying “So it’s Smalltalk’s fault!”)
The smallest of the books, Smalltalk-80: Bits of History, Words of Advice, gets deep into the implementation details of Smalltalk-80. And I do mean deep: there’s a whole chapter devoted to an implementation of a Smalltalk garbage collector.
I’ll eventually return these books to their proper place on the bookshelf and replace them with a proper monitor stand, but in the meantime, they’re doing a pretty good job as the basis for my monitor, just as their content did a pretty good job as the basis for the programming languages I use.
I do try to take care of these books, as their scarcity has made them a little more expensive than your standard textbook:
To me, this isn’t just any book. I learned iOS programming from an earlier edition, and from there, became a regular reader of the site that publishes the book, raywenderlich.com. When the opportunity to write an article for them came up, I took it, and I gladly switched gears to Android, learned Google’s Face API, and the result was the highly rated Augmented Reality in Android with Google’s Face API.
From there, it led to all sorts of things, including not one, but two speaker sessions at their annual RWDevCon conference, where I did presentations on building iOS augmented reality apps — a two-hour intro session and a four-hour workshop. They were the highest-rated sessions of the entire conference. Here’s the two-hour version…
Now that I’ve finished writing the revision for the book, it’s time to look for my next gig. My last one — mobile developer at Lilypad — evaporated in the COVID-19 economic downturn. In the meantime, I’ll be keeping busy as I continue to sharpen my development skills, write this blog, and do what I can for the Tampa tech community.
Are you looking for someone with both strong development and “soft” skills? Someone who’s comfortable either being in a team of developers or leading one? Someone who can handle code, coders, and customers? Someone who can clearly communicate with both humans and technology? Someone who literally wrote the book on iPhone development? The first step in finding this person is to check out my LinkedIn profile.