10 things that I liked in 2018

Written on 31 December 2018, 12:50pm

On the last day of the year, it’s time to look back and highlight the things that I enjoyed in 2018. For reference, here is the list from last year.

1. Two books: Daemon and Freedom, by Daniel Suarez. Absolutely brilliant, I don’t know how I missed them for so many years. Here’s an excerpt:

The Code Book by Simon Singh was probably the runner-up – a few months ago I ordered the printed version and read it again after 5 years.

2. My new notebook: Huawei MateBook X Pro. Say what you want about Huawei, but they came up with a brilliant device. Miles ahead of the premium-priced MacBooks, it fundamentally changed my workflow. I’ve never been a tablet guy and probably never will be, so the combination of an iPhone + an ultrabook like the MateBook works best for me.

3. WorkFlowy: an exponent of the makers (*) culture, WorkFlowy is a dead-simple, cross-platform note-taking app. The hierarchical structure of the notes makes it compatible with mind-mapping and I found myself using it in a variety of ways. For instance, I drafted the outline of this post in WorkFlowy. Others wrote books with it:

(*) the maker culture: Pieter Levels https://levels.io/ https://makebook.io/
https://twitter.com/ajlkn https://carrd.co/

4. A place: the Austrian Alps in the summer time. I had the chance to spend about a week in the mountains. The combination of mountains, clean air, outdoor activities and clear blue sky is amazing. Just have a look:

5. Security. 2018 was the year I learned a lot about security. I went to a few classroom training sessions (CISM, CISSP, TLS), passed some challenging certification exams, and realized that (IT) security is a fascinating domain with a lot of brilliant people.

The IT industry rocks (as one of the security guys that I follow said today), and on top of that, the security aspects make things much more interesting to watch.

6. Simona Halep: not only for finally winning her Grand Slam, but also for having the capacity to remain competitive for a long time: she hasn’t dropped out of the top 10 in over 5 years and has been number 1 for more than a year (with a brief 4-week interruption). Well deserved and very inspirational.

Simona Halep, Roland Garros 2018, Simple Dames, Finale, Photo : Nicolas Gouhier / FFT

7. Two series: Breaking Bad and Better Call Saul. I enjoyed watching Breaking Bad when it was released on Netflix, and found Better Call Saul a very good continuation of the series. Now that Better Call Saul is over, I went back to re-watch Breaking Bad – it’s amazing how a few years and a prequel change the perspective.

https://breakingbad.fandom.com/wiki/Mike_Ehrmantraut

8. Jurgen Klopp. He joined Liverpool 3 years ago and built an amazing team around him. One can learn a lot about leadership just by listening to his interviews. Humble and determined, he’s a perfect fit for Liverpool and you can sense how everybody around the club loves him.

https://twitter.com/stuffIfc/status/1079432962062671873/photo/1

9. The iPhone X – because the dimensions are finally right, and, more importantly, because its camera allowed me to take some amazing photos throughout the year: https://www.flickr.com/photos/dorin_moise

10. Tesla Model S. Finally, I left this for the end because it left me with very mixed feelings. As I said in a recent post, the car is really amazing and it offers an experience that you will not find anywhere else. But the quality of the support services is disappointing here in Belgium. I hope that things will improve, even though I’m not holding my breath.

Here’s to a brilliant 2019 and remember, in the end it’s all about getting better.

Security exam tips

Written on 21 December 2018, 05:07pm

After successfully passing 3 IT security exams this year, here are some high level tips:

While preparing:
  • schedule your exam well in advance to avoid procrastination
  • study from at least two sources
  • use quizzes: they make a huge difference in memorizing things
  • use the learning channels compatible with your brain (e.g. I always prefer text or classroom training over audio or video)

Right before the exam:
  • get a good night’s sleep the night before
  • schedule your exam in the morning, when your brain is fresh
  • try to clear your mind in the hours before the exam
  • resist the temptation to go through your materials one more time before the exam

During the exam:
  • keep an eye on the clock
  • don’t go back to a question: make your best effort to answer it and then forget it (some exams will not even allow you to revisit a question)
  • don’t change your answer (exception: when you realize that you misread the question)

And some basic, but interesting things about security:

  • people are the most important asset
  • but humans are also the weakest link in every security program
  • security is always about protecting the CIA triad (confidentiality, integrity and availability)
  • security controls can bring the risk to an acceptable level, but there is no such thing as risk zero
  • a company exists for the sole reason of making profit. This means that it will always look at the return on investment as the primary metric when evaluating any security control
  • security is not a one-time project to fix things, but rather an ongoing program that needs to be planned and revised periodically
  • complexity is the enemy of security
  • as a security professional, you must learn to tailor your language to your audience
  • you are an adviser, not a decision-maker
  • you should act as a prudent man. Like this guy would:
https://breakingbad.fandom.com/wiki/Mike_Ehrmantraut

Secure your Tesla Model S!

Written on 26 October 2018, 10:45pm

Update 8 December 2018: Don’t buy a Tesla!

Even if it has wheels and wipers, your Model S is ultimately a computer. A very good looking one if you ask me, but, like any other computer, it can be pwned. Recent news shows an increased incidence of Model S thefts across Western Europe, and apparently the thieves are exploiting a vulnerability in the way the car communicates with the key fob:

Like most automotive keyless entry systems, Tesla Model S key fobs send an encrypted code, based on a secret cryptographic key, to a car’s radios to trigger it to unlock and disable its immobilizer, allowing the car’s engine to start. After nine months of on-and-off reverse engineering work, the KU Leuven team discovered in the summer of 2017 that the Tesla Model S keyless entry system, built by a manufacturer called Pektron, used only a weak 40-bit cipher to encrypt those key fob codes.

Wired: Hackers Can Steal a Tesla Model S in Seconds by Cloning Its Key Fob

Long story short, it takes about $600 worth of equipment, a decent computer and less than 2 seconds to crack the 40-bit cipher. According to Wired, the vulnerability was responsibly disclosed in August 2017, and after about a year Tesla reacted by addressing the root cause (upgrading the key fobs) and by adding the PIN-to-drive feature.
But this leaves a lot of room for the bad guys: there must be plenty of Model S cars manufactured before June 2018 that don’t have PIN-to-drive enabled. So what should you do to secure your Tesla Model S and avoid a situation like this?
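To make concrete why the 40-bit key is the whole problem, here is an added Python simulation of a challenge/response key fob with a deliberately small key. It is not code from this post, from Wired or from the KU Leuven team: the cipher (HMAC-SHA256 truncated to 24 bits), the 16-bit toy key size, the 5-byte challenge and all function names are assumptions chosen so that the search finishes in well under a second. An attacker who records two exchanges between car and fob recovers the key by trying every candidate, and from then on can answer any fresh challenge exactly as the real fob would. The real keyspace is 2^24 times larger than this toy, which is why the researchers needed precomputation and a few hundred dollars of hardware to get the same result in under two seconds; the principle is identical.

```python
import hmac
import hashlib
import secrets

# Toy parameters (assumptions for this example). The Model S fob discussed
# above used a 40-bit key; here the key is shrunk to 16 bits so that an
# exhaustive search runs in well under a second. The keyed function is a
# stand-in (truncated HMAC-SHA256), not the fob's actual cipher.
KEY_BITS = 16
RESPONSE_BYTES = 3   # 24-bit response, roughly what a short fob reply carries


def fob_response(key: int, challenge: bytes) -> bytes:
    """What the fob transmits: a keyed function of the car's random challenge."""
    key_bytes = key.to_bytes(5, "big")   # 40-bit key field; upper bits zero in the toy
    return hmac.new(key_bytes, challenge, hashlib.sha256).digest()[:RESPONSE_BYTES]


def car_challenge() -> bytes:
    """The car's fresh random challenge for each unlock attempt."""
    return secrets.token_bytes(5)


def eavesdrop(real_key: int, n: int = 2):
    """Record n challenge/response exchanges between car and fob.
    The attacker only needs a radio in range; the owner is never involved."""
    pairs = []
    for _ in range(n):
        challenge = car_challenge()
        pairs.append((challenge, fob_response(real_key, challenge)))
    return pairs


def recover_key(pairs):
    """Exhaustive search over the whole keyspace.
    The first recorded pair narrows the candidates; the remaining pairs rule out
    keys that match by coincidence, since a 24-bit response is shorter than the
    key and cannot identify it uniquely on its own."""
    first_challenge, first_response = pairs[0]
    for candidate in range(1 << KEY_BITS):
        if fob_response(candidate, first_challenge) != first_response:
            continue
        if all(fob_response(candidate, c) == r for c, r in pairs[1:]):
            return candidate
    return None


def clone_and_unlock(real_key: int) -> bool:
    """Attacker recovers the key from two recorded exchanges, then answers a
    challenge it has never seen before exactly as the genuine fob would."""
    cloned_key = recover_key(eavesdrop(real_key, n=2))
    if cloned_key is None:
        return False
    fresh_challenge = car_challenge()
    return fob_response(cloned_key, fresh_challenge) == fob_response(real_key, fresh_challenge)


def search_cost_ratio(real_bits: int = 40, toy_bits: int = KEY_BITS) -> int:
    """How many times more work the real 40-bit keyspace costs than this toy one."""
    return 2 ** (real_bits - toy_bits)


if __name__ == "__main__":
    owner_key = secrets.randbelow(1 << KEY_BITS)
    print("cloned fob opens the car:", clone_and_unlock(owner_key))
    print("a 40-bit search is", search_cost_ratio(), "times the work of this toy search")
```

The defence is the one Tesla shipped: a key long enough that the loop in recover_key never finishes. Raising KEY_BITS to 40 in this script turns a sub-second search into one that is 2^24 times longer, and a modern 128-bit key is out of reach for exhaustive search altogether; a random challenge alone does nothing when the key behind the response can simply be enumerated.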

1. Disable passive entry

I don’t really like this option because you trade functionality for security. The passive entry is a nice feature and Tesla should make it work securely, by upgrading the key fobs. But until then, this is a solid option to improve the existing security posture.

2. Enable PIN-to-drive

Again, an option that gets the job done, but leaves massive room for improvement. There are two major inconveniences: first, you must type your PIN on a screen that you cannot properly shield from onlookers. Second, your fingers leave smudge traces when typing, and unless you wipe the screen after every PIN entry, you are leaving a potential door open. This is simply not good enough, and I did not even mention how inconvenient it is to input your PIN every time you start your car.
Tesla can do better – how about FaceID-to-drive?

FaceID just proved that it can address most security concerns while providing a seamless user experience. With time, software and hardware updates, it will get even better, and we will see FaceID on other computing devices like tablets or laptops.
And from there it’s easy to imagine a keyless future. How long until you unlock your car by looking at it?

A post that I wrote back in November 2017: FaceID: convenience and security

3. Additional measures

  • If your car was produced before June 2018, contact Tesla to replace your key fob so that the communication between the car and the key fob is properly encrypted
  • Get a Faraday pouch if you would like to keep the Passive Entry active. Store your key inside the pouch when you’re not using the car, but make sure that you don’t leave the key inside the pouch inside the car 🙂 Oh, and get another pouch for the second key
  • Install a hidden GPS tracker on your car. This will help locate the stolen car even if the thieves destroy the embedded connectivity module. Tesla won’t be able to remotely control your car, but, if you react quickly, you should be able to tell the police where it is
  • Just use common sense when parking your car. Would you park your nice car in a shady, cheap and isolated area?
  • Think defense-in-depth: implement not one, but more security measures to protect your asset 🙂

If you plan to buy a new Tesla, here is my referral code:  https://ts.la/dorin16160