Cyberweekly #194 - Talking to yourself

Published on Sunday, May 08, 2022

Happy sunday on a gloriously sunny day. Some of you might have noticed that I didn't send a newsletter last week, and I'd love to have a good excuse, but in reality, it's the start of summer and the UK has a number of public holidays that make for long weekends. I write this newsletter in my spare time, often at the weekend, and when we have a long weekend, I'm far more likely to spend time with my family, so I simply didn't get around to it. Apologies if you felt you missed out, but sadly, writing this newsletter doesn't pay the bills and my day job takes up vast amounts of my time and attention in the week, so it's best effort from me, and as the summer moves on and we have more holidays, we might miss a few weeks. As always, your comments, stories and recommendations always help and I'm happy to include others links and commentary in here, so drop me a message if you'd like to contribute.

This week a number of articles have stood out to me because my team is in the middle of redefining what we do and how we work with other teams in our organisation, and how our wider organisations all work together. Weirdly, I don't think I've been in an organisation in the last 20 years that hasn't been either just coming out of organisational redesign, or just about to go into one, so it feels like the only constant is constant change.

It's really easy for us to anthropomorphise organisations, to talk about "Twitter does this", or "Meta has this strategy", but as I've said before, in reality most organisations are made up of a large number of disparate business units and teams, and many of them don't actually agree on everything.

Corporate strategy is always a bit of a misnomer, because getting an entire organisation aligned around something is truly hard, especially when there's hundreds or thousands of teams making up tens of thousands of people.

But one of the most critical things we can do in order to be effective in our organisation is come up with clear thinking on who we are, what we offer and how we want people to engage with us.

That last bit especially, is really critical, because we often have a set of implicit assumptions about where work comes from, who is making prioritisation decisions and what we are going to deliver as a team. By making those assumptions explicit and writing a "manual of me" for our team, for other teams to consume, we can make clear how to raise work with us, how to measure what we are doing and how to best work with us.

Only when we understand how all the pieces work together can we truly start to write "strategy" that can help our organisation compete with others.

    TBM 12/52: The Basics - by John Cutler - The Beautiful Mess

    I’m not a process freak, but I do believe teams should have their house in order. You can get by with very little process overhead. Too many teams are spinning in circles (or sprints). It often isn’t their fault, but still…the level of reactivity is so draining.

    Focus on The Basics.

    In my mind The Basics include:

    1. A charter and mission
    2. A strategy
    3. One or more models
    4. A roadmap filled with bets
    5. Artifacts for those bets
    6. Bet-related metrics, Input metrics, goals
    7. Great kickoffs and great learning reviews
    8. An approach to continuous improvement

    If you figure out a minimally viable version of these eight things, you will be further along than most product teams in the world. Pulling this stuff together may seem boring, but the boring bits can be so important .

    Defining what you do and how you do it is boring, but as John says, so critically important to getting a team up and running effectively.

    Of course the hard part with some of this, as I’m finding at the moment, is that writing your own view of your charter or mission is one thing, but ensuring that the rest of the organisation agrees with it is another thing entirely

    Untangling Organisational dependencies

    If you have regular need of other teams, it may make sense to consider working with them to agree on a ring-fenced amount of capacity for a period of time so that they can continue to ensure they can help you with dependencies, just be sure to focus on reducing the fixed capacity over time by having teams build self-service capabilities so that you don’t continually need to rely on them for you to deliver your outcomes.

    A more radical approach is to allow your teams to self-organize and interface with other teams regardless of the department they are in. Think of this as a value network, where each team in the network establishes a Team API for how others should interface with your team (as suggested by Team Topologies ). Give others a way to know how to interface with your team and for what purposes. Once you mature your team API, over time other teams will start to be able to interface with your systems more independently and you can start to build solutions that allow for them to interface with your system without constantly having to get your team to change and prioritize work on their behalf.

    How teams work inside your organisation is critical to the good functioning of your organisation, but often the last bit of thinking that happens. Most organisational redesigns are based more around building the size of a team or funding than working together to pull together as a coherent whole. The idea in here (and team topologies, a great book by the way) of creating Team API’s, essentially interface guides, “here’s how to engage with us” is a really good one.

    11 Strategies of a World-Class Cybersecurity Operations Center | The MITRE Corporation

    If you are getting started in cybersecurity operations, evolving your existing security operations center (SOC), or engaging with a SOC regularly, MITRE offers free downloads of 11 Strategies of a World-Class Cybersecurity Operations Center— both for the 20-page summary document and the full textbook. Fully revised, this second edition of the popular 10 Strategies of a World-Class Cybersecurity Operations Center includes new material and evolved thinking to bring a fresh approach to excelling at cybersecurity operations and leveraging up your cyber defenses.

    These strategies outlined here are good advice, and even if you’ve got an existing SOC, going through them and asking yourself how closely you are aligned is worth doing.

    In particular, I want to call out that knowing and communicating the reason for existence for the SOC, and then both hiring but also growing your staff are absolutely critical.

    There’s a note in here that you should consider non-security entrants to your SOC, and I want to back that thoroughly. While having security expertise can be useful, your SOC will just as likely need skills that are more commonly found in IT helpdesks, in sysadmins, in statisticians and in software developers. People from those areas can probably pick up security faster than your security specialists can learn how the business actually works, how the IT systems work, or strong data analytical skills.

    Don’t reject applicants to your SOC because they don’t have the right security certificate or background.

    Dear Manager, You’re Holding Too Many Meetings

    Think about the meetings you’ve conducted or participated in recently. Which ones have been the most useful? You’re probably thinking about a new project launch or a brainstorm that required a two-way dialogue in real-time. As a general rule of thumb, we recommend holding meetings only when “absolutely” necessary. That typically includes:

    • To review work that’s occurred (what worked or didn’t and why)
    • To clarify and validate something (policies, team goals, etc.)
    • To distribute work appropriately among your team

    Even in the cases above, you should carefully edit your invite list. Is everyone really needed? Or can you make the meeting optional for some people? The less important the topic is to their work, the less engaged your team members will be.

    On that note, encourage your team to flag or cancel meetings if they aren’t the best use of their time. Make it clear that, as their manager, you encourage it and won’t judge or punish them. Being judicious about which meetings add value and which don’t will help free up people’s calendars. Doing so also forces managers to rethink the informal “ad-hoc” engagements that pepper everybody’s calendars.

    Interestingly, we found this strategy garners loyalty towards managers. Granting autonomy is allows people to job craft, which previous studies show help them find meaning in their work.

    Transition your daily status meetings to Slack or team.

    Daily huddles are the most frequently held meetings, and often, they are the most difficult to give up. As a new manager, you may feel that it’s important for your team to be aware of one another’s work in order to reach your goals as a group. These meetings may seem like the best time to do this.

    We have another suggestion: Set up a Slack or Teams channel specifically for this purpose. Every weekday, schedule a message to go out at 9:00 am: “@here What’s on your plate today”?

    Ask your team members to respond within the hour, explaining what they’re working on, any important project updates, setbacks, etc. Managers (and your team members) can then scan the responses and follow up privately on updates that may need more context.

    Our research found that 83% of employees preferred using these chat touch points over traditional one-to-one meetings because it saved them time. If your team members have a question, they can drop you a message instead of having to find a 30-minute block on your calendar.

    This is a good piece of work that shows that, especially for knowledge workers, too many meetings creates frustration and challange for team members.

    As a manager, one of the primary ways that you get an understanding of the work that others are doing is through these meetings, so they serve managers purposes far more, but as the article says, migrating most of the meetings to some other tool, such as Slack, is far better for the team and for your ability to know what is going on

    Mechanical Watch – Bartosz Ciechanowski

    In the world of modern portable devices, it may be hard to believe that merely a few decades ago the most convenient way to keep track of time was a mechanical watch. Unlike their quartz and smart siblings, mechanical watches can run without using any batteries or other electronic components. Over the course of this article I’ll explain the workings of the mechanism seen in the demonstration below. You can drag the device around to change your viewing angle, and you can use the slider to peek at what’s going on inside

    This is just beautifully illustrated and made me think about how poorly we explain how most technology works. When we document and describe things, how often do we take the sort of care and attention that this post did? The way that we describe these critical technologies that make our world work is also how we pass our knowledge on and make complex things seem understandable and simple, and yet it’s mostly a passing afterthought for many of us.

    Meta has built a massive new language AI—and it's giving it away for free | MIT Technology Review

    Meta’s AI lab has created a massive new language model that shares both the remarkable abilities and the harmful flaws of OpenAI’s pioneering neural network GPT-3 . And in an unprecedented move for Big Tech, it is giving it away to researchers—together with details about how it was built and trained.

    “We strongly believe that the ability for others to scrutinize your work is an important part of research. We really invite that collaboration,” says Joelle Pineau, a longtime advocate for transparency in the development of technology , who is now managing director at Meta AI. Meta’s move is the first time that a fully trained large language model will be made available to any researcher who wants to study it. The news has been welcomed by many concerned about the way this powerful technology is being built by small teams behind closed doors.

    This is both great and scary. Meta has rushed this out to compete with GPT-3, and the suggestions are that it does. But it’s been trained on large bodies on text you can find on the internet, such as Stackoverflow and Reddit, which means it has biases and tendencies that come from all of that source area.

    Additionally, it’s difficult to know what uses will be made of this. Of course there will be lots of exciting and interesting uses that can be made, but our adversaries and people with the worst intentions will also attempt to use it for bad ends, and there’s little to no regulation of that use.

    Previously, the capability to scour the internet, and build and train such a model was restricted to high end actors, but this provides a lot of that work for even low end actors

    GitHub - bottlerocket-os/bottlerocket: An operating system designed for hosting containers

    Welcome to Bottlerocket! Bottlerocket is a free and open-source Linux-based operating system meant for hosting containers. If you’re ready to jump right in, read one of our setup guides for running Bottlerocket in Amazon EKS , Amazon ECS , or VMware . Bottlerocket focuses on security and maintainability, providing a reliable, consistent, and safe platform for container-based workloads. This is a reflection of what we've learned building operating systems and services at Amazon. You can read more about what drives us in our charter . The base operating system has just what you need to run containers reliably, and is built with standard open-source components. Bottlerocket-specific additions focus on reliable updates and on the API. Instead of making configuration changes manually, you can change settings with an API call, and these changes are automatically migrated through updates.

    This is an interesting project that I don’t think I’ve covered. A new, minimised operating system that is actively designed for running containers, which means it’s both operationally and security optimised for running your Kubernetes or other container farm systems

    The world’s first airport for flying cars opens in the UK

    The world's first urban airport that will allow 'flying taxis' to take off and land in the busy areas of cities has opened up in the U.K., World Economic Forum (WEF) reported . While engineers and designers are working on vertical take-off and landing (VTOL) aircraft to make them feasible for rapid urban transport, the U.K.-based startup Urban-Air Port Ltd (UAP) is working to demonstrate that the infrastructure needed to make these urban aerial transport centers an operational reality is not as complicated as it may seem. Last year, we reported that an eVTOL maker was also getting involved in building these airports to solve the infrastructure hurdle. Now, UAP's first pop-up airport, dubbed Air One, was completed in 15 months, including the planning and building of the airport.

    In that “where’s my flying car of the future” argument, this is an indication that we’re a step closer to it. Drones are advancing in lift and carrying capacity, and given their remote fly by wire nature means no pilots, it doesn’t mean no passengers. Because the air is less congested than roads and far less complex for vision and remote flying, we might see commercial scale self driving air taxis before we properly see self driving ground taxis.

    Researchers Use a Decommissioned Satellite to Broadcast Hacker TV | WIRED

    Koscher and his colleagues received permission last year to access and broadcast from a Canadian satellite known as Anik F1R, launched to support Canadian broadcasters in 2005 and designed for 15 years of use. The satellite's coverage extends below the US southern border and out to Hawaii and the easternmost part of Russia. The satellite will move to its graveyard orbit soon, and nearly all other services that use it have already migrated to a new satellite. But while the researchers could still talk to the satellite using special access to an uplink license and transponder slot lease, Koscher had the opportunity to take over and broadcast to the northern hemisphere. “My favorite thing was actually seeing it work!” Koscher tells WIRED.  “It's kind of unreal to go from making a video stream to having it broadcast across all of North America.” Koscher and his colleagues from the Shadytel telecommunications and embedded device hacking group broadcast a livestream from another security conference, ToorCon San Diego, in October. At ShmooCon last week, he explained the tools they used to turn an unidentified commercial uplink facility (a station with a special powered dish to communicate with satellites) into a command center for broadcasting from the satellite. In this case, the researchers had permission to access both the uplink facility and the satellite, but the experiment highlights the interesting gray area when a defunct satellite is not being used but has not yet moved farther away from Earth to its final resting orbit.

    Satellite security is increasingly important. We continue to launch new satellites, but their security is reliant on the security of the groundstation, and that’s not where the money and interest is. As pointed out here, there’s also going to be an increasing number of legacy satellites over the next 10 years, and as people move to more modern satellites, they are going to have less funding, less attention and less monitoring.

    Troy Hunt: Partnerships

    The team at is all about revolutionising scalable models, incentivising cross-platform solutions and envisioneering value-added web services. We'd love to partner with you, and if you're on this page it's because we believe you're one of the few who can truly empower real-time experiences. To begin the partnership process, please create an account...

    Some lovely trolling from Troy Hunt here. Try creating an account and discover password rules from numbers of characters to more obscure rules like “must start with ‘cat’” and “must contain an emoji”.

    It’s completely impossible to create a password that can meet all of these rules of course