Friday, October 11, 2019

Diversity, Inclusiveness, and how to completely break them while saying the "right things" (Or how to jump the shark!)


For nearly 9 years now, I have been a moderator on various Stack Exchange sites. Initially Security Stack Exchange, which I first encountered as a useful information centre and then realised I was probably more useful moderating (as there are members of the community there much smarter on particular topics than I) and this spread out to other interests including Music, Parenting, the Outdoors, Sound and Video, as well as the ill fated Personal Productivity site.

I look after more sites than any other moderator on Stack Exchange. And I have over 10k rep on various other sites. I'm pretty personally invested in the communities that have grown up around these sites. I have helped prevent bad behaviour, bullying, trolling etc. I have helped advertise and market them, have steered and guided growth, and while I am not a mod on the big 3 SE sites, my role crosses technical and subjective sites in a way that gives me a pretty good insight into what makes them tick, what helps drive positive behaviours, and how the long standing "Be Nice" rule can be used to stop trollish behaviour in its tracks. I am generally respected as fair and patient (and willing to bring in independent voices if I feel too conflicted), so I hope a large net positive to the SE network.

Many years back, Stack Exchange the company was incredibly positive about interaction with moderators. Community Moderators (SE employees) worked with us unpaid volunteers to help get through issues with growth, or challenges along the way. The process was iterative and collaborative, and while it wasn't perfect, we all felt part of it. We spoke with staff. My wife and I were even made to feel very welcome at their head office when we visited.

But in recent years, SE has visibly gone down the route of ignoring moderators, and instead responding to public sources (e.g. Twitter) with knee-jerk actions that invariably caused more damage than the initial problem. Policy changes, wording changes, members of staff missing the point entirely and blaming moderators for things they didn't do, forcing a licencing change, and now actively misusing a proposed Code of Conduct change to suspend a moderator for something she might do in the future. To put it bluntly, SE could have helped us out in previous years, to improve the experience for persecuted minorities, but while the CMs listened, SE didn't change. Now they have decided change is required publicly (perhaps because of the new CEO, perhaps to appease Twitter) they have messed up every single step.

The proposed Code of Conduct ostensibly looks to ensure that minority groups are made to feel welcome. Sounds great, right? Only every iteration has shown that SE have nobody in a position that understands how to do this, and they don't take guidance or advice from the community. Their Head of PR, in fact, has retweeted posts indicating her intention is to rejoice in any mods who leave and blame them for being bigots. Well, after ensuring the Internet has the impression the first mod they fired is a bigot, they don't seem to understand how much personal danger they put people in by this. To be clear, SE have put at least one person in real physical danger over this, and have still not apologised. They could do the same to any one of us.

The latest debacle has led to mass resignations and self-suspensions by moderators across the network, hoping to hold SE to a timeline of improvements, but instead SE seem to double down on the dumb. Promising conversation and consultation, but continuing to ignore moderators and community alike. I have suspended all my moderation activities (overall, 90 mod roles are affected - a significant percentage of the total).

All of these are documented on meta.SE (as well as reddit, HN and others) so I won't post all the links. This one is a useful starter point though, as is this apology which was well received, but was ultimately too late, missed important points, and indicated SE was not interested in making things right...

*added some more useful links at the bottom*

When the new Code of Conduct was published, it seemed okay, right? But this faq post by SE (one of the most rapidly downvoted posts of all time) has made things worse. It now appears to suggest that we must now not treat minority groups the same as others, but instead treat them very differently, thus causing a wider divide between groups.  Rather than disallowing negative words and harassment, it forces certain word types that prevent inclusiveness and are unworkable in practice, and worse, as mentioned by a commenter on twitter:

"That sad consequence is that Sara's labeling of non-bigots as bigots HAS CREATED AN ENVIRONMENT WHERE BIGOTS FEEL SUPPORTED. People like Monica are disgusted by that, but because Sara has told them that leaders lke Monica are bigots, transphobes feel represented and embolden." (spelling mistooks in the original tweet)

As you may know, technical SE sites pride themselves on removing extraneous noise from posts in order to focus on the core question and then good answers. So we remove salutations, signatures, things that add nothing. This faq suggests we can no longer do that if the post includes a statement of the OP's preferred pronouns. Along with a number of other rules which will encourage trolling and remove moderators' ability to combat bad behaviours. The main discussion points from the moderator community were ignored, and instead the delivery of the update appears to be designed once again to create controversy, create a divide in the community and to score media discussion points. I really hope that isn't the reason for it, but I grow less surprised every time they do something new.

While I will happily continue to support all members of the community equally, no matter what gender, race, technical level, personality type, and continue to suspend or remove folks for breaking the basic tenet of "Be Nice" I am not going to sign up to the new Code of Conduct, unless it is reworded to actively promote inclusiveness, and I will encourage others to do the same.

If that gets me removed as a moderator, well, I guess SE will elect new moderators, and it is possible they will be brilliant, but SE will lose the passion, collaborative spirit of helpfulness, fair ethics, and mentorship I have brought. And I will use the extra time to give back to other communities.

Well done Stack Exchange - you have shot yourself in the foot

Links:

Summing up the main issues - the story so far
Are there specific issues with unwelcoming behaviour towards LGBTQ persons on Stack Exchange
An apology to our community and next steps
Define Gender-Neutral language
How should we refer to members of the SE network in a neutral way
Aza's resignation update
Why are the code of conduct changes received so negatively
We need "assume good intent" back in the CoC

Friday, August 25, 2017

Is there really a lack of Cyber Professionals?

There are a lot of conflicting articles on whether or not we have a cyber skills drought or deluge currently. Some say HR teams are setting the bar too high even for entry level roles, some say we just don't have enough people with cyber skills, and yet others bemoan the salaries offered.

But whichever way you look at it, candidates are complaining about not being able to get jobs, and companies are having trouble hiring into roles. So there is a disconnect somewhere.

I have actually seen a dramatic improvement in the way the process seems to work (at least in the UK) for experienced hires over the last 6 or 7 years. With organisations like the Institute of Information Security Professionals providing skills frameworks, the majority of experienced individuals I know have reference benchmarks, a clearly defined skill set, awareness of salaries and packages, and a strong understanding of where they fit in security departments. But few have a solid alignment with risk, with conduct, with the business - so the wider knowledge and experience needed for a CISO is still in short supply.

At the mid-tier, I honestly think we are actually oversubscribed with a large number of skilled individuals available for hire. The problem here appears to be expectations. I see people with 5 years' experience asking for £80k and over, despite only having experience in penetration testing - a fairly narrow niche compared with what many companies are looking for. From the business perspective, that can rule these individuals out completely - which leads to HR looking at less experienced individuals for these roles and being disappointed in their capabilities.


At more junior grades I am starting to see universities producing graduates with not just technical expertise, but a more broadly applicable security skill set than previously, with luminaries such as Prof Bill Buchanan OBE leading the way in this respect - look at Zonefox as an incredibly successful company spun out from Napier University by Jamie Graves. 

But conversely, I'm still seeing companies having challenges hiring graduates. In looking into this, it is obvious that some of the problems are down to how HR teams are trying to build "cyber" graduates into their existing frameworks. Some want a CISSP for an entry level role, despite CISSP requiring 5 years' experience... Some assume that the normal grad process will pick up cyber grads, despite the process not including universities with cyber degrees.

And I would like to see more graduates coming onto the market with a broader knowledge of the jobs available. They all seem to know about penetration testing, but few seem to be aware of roles in operational risk, security audit, secure architecture design, monitoring and logging, and those jobs that don't appear so much in the media. 

So can we do something about this? Of course we can, at many levels:

- Universities and industry need to continue to develop relationships for internships, development of course materials, industry days etc.
- We need to educate HR teams who may not fully understand the various aspects of Cyber.
- Individuals need to be realistic about their skill set - security is one part of a package, and if you don't have business and risk awareness you seriously reduce the opportunities that will be offered to you.
- Use frameworks such as the IISP one to define roles and skills against industry baselines.

Friday, October 09, 2015

New gaming PC build

My old PC was starting to get a wee bit clunky for games, so I needed to sort out a new box, but technology has moved on a lot in the last few years. I turned to the clever technical folks in the DMZ for assistance.

The spec I got back was rather nice:

EVGA X99-Classified motherboard
Intel i7-5930 6-core processor
EVGA GeForce GTX 980 Ti GPU
32Gb of RipJaw RAM (in shine red-chrome sticks)
256Gb M2 SSD
4 Tb spinny drives
Noctua NH-D14 cooling

All in an Antec 1200V3 case and a 1000W EVGA Power supply.

Having built a few hundred PCs in my time, I commenced the build perfectly confident that I'd do it in an afternoon.

Hmmmmm...

The case itself is rather easy to work on - lots of space, handy pop-outs etc, but it does have a couple of sharp edges. It didn't take me long to have the CPU, along with the Noctua, happily installed on the motherboard in the case, with RAM and GPU fitting in quite easily:

But at this point I opened up the SSD package and found it looked like this. Nothing like any SATA SSD I had used in the past:


So I hunted around for ages and couldn't figure out where it should go. Eventually I admitted defeat and went back to the DMZ - they diagnosed this as a dumb PEBCAK and advised me to remove the GPU. Lo and behold, I found a slot for the SSD:


Yep - it's that one that says M2. So, time to install that, pop the graphics card back in and connect up cables again:

Fan power - loads of these round the edge of the board make it very easy. Most are controllable on board, and the 3 front fans also have manual knobs so you can crank 'em up before a gaming session...




Cable routing is very straightforward in this case:




And the PSU has ample spare slots:


 Fan units on the front allow for simple removal or addition of drives, with space for 3 external drives at the top:

 Finally, after about 3 hours I had it all together, but nothing would boot. Interesting BIOS beep codes didn't really help me diagnose it. The usual tactic is to unplug everything and reinstall one device at a time, so my friends advised me to remove the GeForce and just use onboard graphics until I'd figured out the problem. Unfortunately, this board has no onboard graphics...

WTF??

Anyway - after tearing my hair out a lot, I found that the M2 slot was not automatically detected, and I had to select Legacy for SATA to make it work. And the machine booted, so I hooked it up to an ASUS 28" 4K DisplayPort monitor and began to install Windows 7 Home Premium.


As it happens, I did need that hammer. The case comes with a side fan port, but the Noctua heatsink is so huge it wouldn't fit - so:


Shiny LEDs in all the fans - grand:


Job done, right - ahh, well, no...

I did manage to install W7. In fact I installed it 4 times over the next couple of days, but it never worked fully. Most USB devices came up as unidentified, the monitors would only run at 1950x1080, I was having memory errors everywhere and it ran like a pig.

So I took it all to pieces again, and ordered Windows 10.

Some days later (after an aborted delivery attempt, refund and reorder because DHL couldn't find my house that day) I had Windows 10 on a nice shiny USB stick.

And start again.

Windows 10 installed pretty easily - although as mentioned by everyone, you have to uncheck all the defaults if you want any semblance of privacy. There is some odd stuff in there.

Also picked up my dual monitor mount at the same time (Of course I'm going to have multiple 4K monitors - this card can handle 3 at once) and got a Razer Death Adder Chroma and Razer Black Widow Chroma; added all my external storage (no, it's not organised as a proper NAS yet - another project. Maybe next year) and started to configure the usual stuff: Plex server, Surround sound, network config etc

And once again - major USB challenges. I'm thinking something is just jinxed here, but first...I went back to the DMZ and described the install to the guys, and how I'd used the driver disks that came with the components.

That apparently was a mistake...

Don't use the EVGA driver disk with that GTX! Go to NVIDIA and download the proper drivers - that made all the difference. Similarly, I got a range of updated drivers which sorted most of the USB issues.

Ongoing niggles:


  • I can't let the monitors go to sleep - DisplayPort doesn't behave sensibly, so once they go to sleep, Windows decides on next wake that only one exists. So I need to make the PC sleep before the screens sleep.
  • I have 10 USB sockets on the back and 3 on the front of the case - but it doesn't seem to be possible to have more than 2 of the front ones working. Perhaps I can buy a USB card to sort that - but until then, I have USB hubs.
  • My WACOM tablet sort of works, but sometimes doesn't appear as a device


But aside from that, this machine rocks! I do like having a desktop 7680 pixels wide :-)


Sunday, September 06, 2015

Scottish Airshows 2015

After not blogging on here for a while (just doing the Security Stack Exchange Blog), seeing the last flying Vulcan (XK-558, the Spirit of Great Britain) make her final flight in Scotland today inspired me to pop up some pics from the two air shows I went to in Scotland this Summer, the East Fortune Air Show in July and the Scottish Air Show in August.

From East Fortune:























And from The Scottish Air Show in Ayrshire: