It’s 2016, why is rotating a video such a pain?

How many times have you quickly shot a video on your phone and not rotated it for landscape? It happens too often and we see these videos all over social media. I sometimes forget to do it as well, or portrait is more in line with what I am shooting. So, I want to quickly rotate a video 90 degrees sometimes. Should be easy, right?

I’ve asked friends and social media before, but I asked again last night and got a lot of great input. My criteria were very simple, but I did not specify platform; I want to load an MP4 video, rotate it 90 degrees, and save it. I didn’t qualify it, but my expectations are that it would not lose quality, it would keep the original MP4 format, and that the process was “one-click” (or close). While I have plenty of history using Linux, going back to CLI graphics tools to do this is not ideal for me, but I considered those options.

  • @cl suggested Windows Movie Maker – It will rotate trivially, but saves your MP4 as WMV and the quality drops noticeably.
  • @TCMBC suggested mencoder – A command line utility, part of MPlayer. So it is not trivial (download, configure, compile, figure out CLI syntax), but it does rotate. Yet, the quality drops noticeably.
  • @viss suggested ffmpeg – A command line utility and graphics library, not so trivial. It did rotate, but the quality drops noticeably.
  • @viss suggested The ‘Rotate My Video‘ web site – It is a bit slow for file upload and conversion, but very easy to use. It played the video correctly in my browser, but when I saved the video the final copy was not rotated.
  • @DeviantOllam suggested (in DM) the Rotate Video FX app for Android – I thought the UX wasn’t intuitive for starters. It did rotate the video for immediate playback, but no apparently way to save the new video back to the device. Sharing it brings up the usual Android options, but uploading the video to google drive and the video was not rotated.
  • @elkentaro suggested Apple’s QuickTime Player – Even with his reference which is outdated, there is no apparent rotation function. Even the ability to save a file is now ‘Pro’ only.
  • MegaManSec suggested ImageMagick ‘convert’ utility – this didn’t work and gave me a nice reminder of the old ‘terminal flash attacks’ from the early 90s.
  • @DeviantOllum suggested Virtual Dub but warned me that some versions handle MP4 and some don’t. Thus, I didn’t try it.
  • @Grifter801 suggested VLC but qualified it “just for viewing”.
  • @mehebner suggested Open Shot Video Player but said it is Linux only, which isn’t convenient.
  • @cl suggested iMovie but it is Mac OS X only, which isn’t convenient.
  • @cl suggested Facebook but he isn’t sure you can save after. I am fairly sure you lose quality though.

The final recommendation, and the one that worked the best for me, is Handbrake suggested by @bmirvine. The upside is I had it installed (but an old version) and am familiar with it to a degree. The best part about conversion is that the video does not lose any quality. The downside is trying to figure out the ‘Extra Option’ argument to rotate is a raging mess, as seen on this thread. I found that using “, –rotate=4” as the extra option worked for version 0.10.5.0 64-bit (latest as of this blog). The only other annoyance is that Windows won’t show a thumbnail of the newly saved video for some reason. [Update: with a newer version of the K-Lite codec pack, the thumbnails render fine.]

There are my quick testing results. I hope it helps. I’d like to give a big round of thanks to all who contributed ideas late night. Reminds me that Twitter has some value and isn’t a cesspool of insipid political tripe. =)

The Problem with Facebook…

Maybe that was a bit of a ‘clickbait’ title, since the list of problems with Facebook is epic, tragic, and depressing. So let’s go with, “tonight’s example of an ongoing problem with Facebook”.

One of my biggest gripes about the social media platform is that after all this time, they still do not give us a simple way to view posts chronologically. At some point in the past, they introduced an option to supposedly to that, but it was done via a URL argument and not a user-friendly GUI widget. I’ve used that option to view Facebook to this day, and it is still horrible. Why? Because as you think you finally get the holy grail of simplicity, it is still weighted… just less so. Meaning you are more annoyed when some crappy post pops up four times that day.

OK, so they want weighting and control to deliver the posts your friends make, as they see fit. That means you never see some posts you absolutely want to see, while seeing other posts multiple times a day. Their algorithm has nothing to do with standard weighting, and everything to do with their weird formula that no one can seem to figure out. OK, fine…

Facebook has also been on a tear about ‘honesty’ in the form of user profiles. The last few years have seen nothing but drama and turmoil as Facebook tries to enforce their ‘real name’ policy. A policy that the Chief Product Officer at Facebook apologized for, ensnared a former employee or seven, unfairly targets the LGBT community, and has caused enough headache to warrant a Wikipedia entry. Oh, of course, that the “noble and charitableMark Zuckerberg defends. So… integrity and honesty and clarity is important, right?

That sets up the easiest of questions. Why is Facebook targeting their user base, who they profit off, regardless of a real name attached? Sure, they may make a few more pennies on the dollar if a real name is attached over a pseudonym, but still profitable. For years, it let them defend their absurdly high user count on top of the obvious ploys of ignoring idle accounts and such. Now, jump to tonight, which set up a perfect example of where Facebook shows they don’t care. A rather simple example, but one that should be trivial for them to programatically notice and warn against, in a variety of methods. If a single user is posting something that may be fraudulent, contradictory, or a basic scam (e.g. how many times have you been tagged in an image for Oakley sunglasses, even in 2016), why isn’t there a warning? Even when the account isn’t compromised, the user isn’t warned. When the same image of knock-off sunglasses is posted to hundreds of ‘friends’ from a compromised account, it comes with no warning, either from the subject matter, or the break from the normal behavior (e.g. that user with 87 friends tags one photo with 87 names, when never tagging more than 2 people the last 5 years). We’re not talking AlphaGo or Microsoft Tay, we’re talking a couple decades behind them as far as computer intelligence goes. The fact that one was an amazing success while the other was an amazing failure, speaks to my point. They are cutting edge, trying to solve ‘problems’ that are are incredibly complicated. Meanwhile, Facebook can’t figure out what boils down to mid 1990’s email spam patterns, implementing the most basic of statistical filtering.

That said, I would love to see Facebook answer how the following two posts, from the same user, within 40 minutes of each other, could be posted without a warning to them AND me. Compare them posts carefully, not that there is much to go on as far as the end-user sees. At some level, this is stupidly trivial and any half-assed program should notice. No, it isn’t trivial or worth ignoring, that such articles get posted with such discrepancy. That is how we end up with stupid rumors and lies spread around as if they are fact, and fundamentally why our political climate is like it is. When you stop ignoring the details, especially the obvious contradictions, you are buying into a system that doesn’t serve you; rather, one that only exploits you.

sf-box-2

sf-box-1

A Note on the RSA Keynote Fiasco…

In the past day or two, The RSA Conference announced a few of the keynotes for the upcoming 2016 RSAC conference. The industry is largely scoffing at some of their choices, for obvious reasons. There are so many facets to this topic, one could write a book. Hopefully I will limit myself to the key points, as applies to the chatter in our industry. If a couple paragraphs are meh to you, skip down a few, as the point will likely change quite a bit.

First, let’s put this into perspective. This is the RSA conference. The Computer Dealers’ Exhibition (COMDEX) of the InfoSec industry. This conference is a weird mix of “OMG necessary” and “OMG I hate it“, and it has been for a decade or more. It’s the party everyone shows up to, and the one you want to be at, to ‘be seen’ and ‘catch up on the gossip’, even though you hate it. In our industry, it is the embodiment of reality T.V. in many ways. On the flip side, this conference hasn’t actually been relevant to our industry for a long time, where reality T.V. is sadly relevant in the worst ways. Sure, it is THE place to do a meet-and-greet, solicit new customers, solicit new employees, and show off your stupid “advances” in security technology. Advances in quotes for a blindingly obvious reason. But, if you feel RSAC is relevant in any meaningful way to our industry, you can stop reading here. You are not my intended audience, and do not meet the “you must have this IQ to ride this ride” criteria. Sorry =( I feel this point is almost entirely lost on the 2016 RSA keynote fiasco.

On the “keynote” angle, first… what is a “keynote” talk? You can’t even Google “keynote” and get the definition in the first few results. You actually have to qualify “keynote definition” which I can’t recall ever having to do for Google to get a definition. Even for some pretty obscure animal-related searches I have done while trying to learn as much about wildlife rehabilitation as I could. That is telling.

Now, I called this bit out in my BSidesDC “keynote” presentation in 2014, where I questioned what a keynote was, in my keynote. How very “meta”, and how very appropriate given I picked on RSAC back then. Look to slide 5 where I pointed out that RSAC had as many as four keynotes a day back then, 16 in total. So again… what is a keynote? For most conferences, it is very clear, per the definition. It “sets the intended tone of the conference” in so many words. For RSAC? It is more a game of how many “big” speakers can we cram into a multi-day event to fill the seats. [Remember, many of them may be in our industry, but it doesn’t mean they bring any value to the rest of us.]

This latest fiasco is no different. So… back to the controversy. RSA stacked the keynote deck with the usual nobodies (in the context of providing real value to our industry, or if an awesome person, not in the context of a 40 minute talk). This year, they went above and beyond, and are having three people in the keynote lineup that are more than questionable. I’m sure it isn’t the first time we have seen it, but it sticks in my mind… RSAC set up a “keynote panel”. For most conferences, that would be laughable, but in 2014 they had 16 keynotes. Compare that to this year, with 20 keynotes on the schedule so far! Two minorities, and one female, if you are keeping track after the last two years of our industry pointing out the lack of diversity. Maybe RSA will say it is a good sample representation to be politically correct, given the representation in the industry!! So… the three speakers making waves, well before the conference starts?

  • Charley Koontz, Actor, CSI: Cyber Panel
  • Shad Moss, Actor, CSI: Cyber Panel
  • Anthony E. Zuiker, Creator/Executive Producer of the CSI Franchise, Technology Visionary

It is honestly difficult to figure out how to approach this, in the sense of writing this blog. This show has been lambasted from day one within the InfoSec industry. Worse, it has deviated from the CSI franchise in ways that are arguably more harmful to the public than the predecessors. The last 15 years of the other CSI shows have created the “CSI Effect“, which has been a burden on our current legal system. It took many years of the original CSI franchise to give us that modern problem, that interferes with our judicial system on a daily basis. We are all arm-chair experts on DNA, trace matter, footprints, dark crime scenes, and flashlights. That is a T.V. show born out of a 30+ year scientific discipline. And it has serious backlash in the real world.

Now, we have CSI: Cyber, which is easily argued to be the worst of the franchise. Looking at ‘Rotten Tomatoes‘, well-known for providing real-world reviews of movies, what do they say about the entire CSI franchise?

rotten-tomatoes-csi

Wow… enough people hated CSI: Cyber to contribute their opinion, where the original CSI show that ran 15 years didn’t get enough feedback to rate. The original show was ground-breaking, in many ways. It introduced the average American household to the world of forensics, even if exaggerated and dramatized to some degree. Jump to today, and enough have spoken out against the new spinoff to give it a negative rating. That is telling.

OK OK, so jump back a bit, because this is not an easy blog to write. The entire CSI franchise is questionable; it has some serious value, but also has some serious pitfalls. So let’s try to focus on CSI: Cyber. Start by doing a Google search:

google-csi-cyber2

Woops, that is telling. It also reminds me that the series got renewed for season 2, which I bet would happen to an FBI agent I know (who refuses to watch the show, as does the entire ‘Cyber’ division in his city). If it gets renewed for season 3, I lose a dollar. OK, seriously sidetracked. Back to the latest drama..

Cliff notes: three people related to CSI: Cyber are part of the RSAC 2016 keynote clustermess this year. Two actors, and an executive producer putting himself forward as much more than that (or RSAC is), are part of a panel that is a keynote. Every bit of the InfoSec fiber is not happy with this, and they shouldn’t be. RSAC is grabbing what is popular, what is in the ‘mainstream’, and vomiting it on stage. No care, no concern, and most importantly, no consideration of what it means. Of the two actors, do either have any background in computers? Security? One is a very young rapper-turned-actor who I previously Tweeted to, because I felt his portrayal as an African American actor in the context of the Black Lives Matter movement was absolutely horrible. I’m a privileged white guy and I felt that episode was a disgrace to African Americans (do the math). The other is “sympathetic to the issues” according to Violet Blue, in an article she wrote on this topic. If Koontz is truly sympathetic, he should either back out of the talk accompanied by a public statement, or use the stage-time to go against the very reason he was invited. Embrace the fact he is a T.V. actor, that the show is lacking in technical detail or reality, and call out the technical advisors and/or producers, and let the world know why the show may be harmful. As for the producer, why? It could be argued there is value if one of the technical consultants to the show were to speak, not a producer.

It should be obvious that I do not think any of them are relevant, or should be keynoting a BSides, let alone RSAC. They are actors in a mid-ratings show, built on a 15 year-old franchise. A current iteration that isn’t really that popular or well-known… merely “what some people are watching”. RSAC is quite simply cashing in on a popular meme, in line with the profitable business.

So… let’s agree to agree, or agree to disagree! Yep, how is that for a blog plot twist, befitting that horrible T.V. show? Let’s focus on the small bit that actually got my attention in all this, that demanded all of the above as backstory and explanation. Let’s jump to the other fun bit of this mess. While most of the industry was somewhere between annoyed and outraged over these keynotes being announced, others quipped in ways that suggested the industry wouldn’t be so upset if it was “other” high-profile media-centric personalities that were keynoting.

rsac-fiasco-actors_from_hackers

I’d like to assume the ellipses were leading off to the obvious conclusion, “we would ridicule them just the same“. But I have a feeling that was not the intended argument. That movie is 20 years old, released on the fourth year of RSAC. Assuming you at least meant to compare the cast being keynotes at the 1995 RSAC… this is actually a more compelling comparison as far as a “timely” media publication being thrust upon our industry. Back then, I don’t think it would have been considered. I say that because some of us in the hacker circles back then joked about them speaking at DEFCON and how absurd it would have been.

rsac-fiasco-colbert_baldwin

This is a fascinating comment, because it puts two polar opposites as a single argument that somehow has the same merit, which is baffling to say the least (compare Colbert vs Baldwin in the context of ‘actor’ vs ‘comedian’). If your argument for comparison is “Stephen Colbert” (soft T), then I would argue you are beyond dense and completely oblivious to the genius of the persona Colbert (hard T) took on. The entire persona was designed around being a blind fanboy to an ‘industry’ (or political party in his case, which is basically an industry) in a manner that highlights how absurd the industry is in the first place. That is exactly the kind of persona that would help our industry realize how perverse it is, and show us through delicious irony how absurd and blind we are to our own problems. More importantly, Colbert did not claim any relevance to, or portray anyone in our industry in any way.

If your argument for comparison is Alec Baldwin? That is a valid argument I think! If the industry didn’t speak out against Baldwin in this context, while speaking out against CSI: Cyber actors, that seems hypocritical. I don’t recall Baldwin doing a RSAC keynote in the past, but it isn’t something I would have noticed unless there was an eruption of drama. Stick with this example for arguments against the CSI: Cyber cast.

rsac-fiasco-adam_savage

Really? This has to be the worst comparison possible. Adam Savage has made his career around breaking and building things, a cornerstone of the hacker ethos and mentality. Not only does he build and break things, he does it in the pursuit of truth and shares it with anyone willing to watch MythBusters. That embodies the hacker spirit in the minds of a significant portion of our industry. The cross-over from our largely digital world, to his largely analog world, makes complete sense. He is a rare case where the ‘reality’ in ‘Reality TV’ is actually true.

To come full circle, people still argue that RSAC has value because that is where the “trends” are announced. The problem is, RSA ‘trends’ are mostly buzzword rebrands of old technology, with a few ‘bleeding-edge’ adjectives thrown in to make them sound more sexy. I’ll leave this great Tweet as a tongue-in-cheek, but accurate, reminder of how a significant portion of our industry views the conference, regardless of keynote choices.

rsac-tic

The Charity Snail Mail Burden

If you have ever donated to a charity, you likely received something in the mail from them down the road. A thank you note (and request for more money), a new fundraising initiative where they would like you to donate again, or general information (and request for more money). What happens when you donate to a dozen or more charities over the years? The amount of snail mail you get from those charities, and many others you have never donated to, gets out of hand. At the start of 2015, I decided to keep all of the snail mail I received from charities for the entire year. How much would it be? What kind of ‘gifts’ would add up over the year?

Before the fun bits and pictures, a quick background on this. Charities have three primary categories for spending money: administrative (e.g. salaries, office supplies), fundraising, and program expenses (i.e. what their cause is). Charities are rated based on that breakdown, among other things, by the excellent CharityNavigator web site (a 501c3 not-for-profit themselves). As an example, let’s look at the breakdown for Paralyzed Veterans of America, who spends almost two thirds of the money it brings in trying to raise more money. They only spend 33% of their money on the intended cause; helping paralyzed military veterans. That is an absolutely horrible ratio and not a charity anyone should support. They are essentially in the business of raising money. All of the snail mail you get from charities falls under that ‘fundraising’ category. If a given charity sends what seems to be an obnoxious amount, that is money they could be better spent on the program expenses.

20160103_141807  20160103_141953
20160103_143928  20160103_144238

In one year, I ended up receiving 351 pieces of mail from charities, that weighed 26.6 pounds. It’s hard to say if this is truly a lot, and what led to this. I donated to 32 different charities in 2014, some in a manner that would not have led to any snail mail (e.g. “would you like to donate a dollar to..” during grocery store checkout). A few were local charities that do not maintain mail lists and would not have generated any mail. Other bigger charities though, certainly took the opportunity to solicit me for additional money. And at least one of those charities sold or shared my information with other charities that I never donated to, and in some cases would not. To offer a bit of perspective, the 26.6 pounds of charity mail can be contrasted with the 10.8 pounds of ‘commercial’ snail mail I received.

20160103_202512  20160103_203008

Back to charities! Who were the worst offenders? The top six charities by snail mail volume are as follows, with links to pictures of their offering, and what percentage of their money they spend on fundraising:

Charity Fundraising
Humane Society (31 pieces) 19.1%
World Wildlife Fund (21 pieces) 18.9%
American Red Cross (21 pieces) 6.0%
USO (16 pieces) 26.5%
JDRF (13 pieces) 12.8%
Doctors Without Borders (11 pieces) 10.3%

Note that I have donated to the top five charities on that list, but never donated to Doctors Without Borders. Considering that I received snail mail from around 75 different charities, almost three times as many as I donated to in 2014, that is certainly interesting. Also note that many charities were right on the heels of 11 pieces, but I had to pick an arbitrary amount to highlight above. Charities should note something very important! This level of snail mail is a waste of money, and does not encourage some contributors to keep donating. I understand that direct mail campaigns are a huge source of revenue, but finding a happy medium for the amount of requests versus the expected income would be appreciated. Someone donating $25 to a charity and receiving 30 pieces of mail, is watching $14.70 of that money go to postage alone (for charities that are paying full price, which some do). That money should be spent on program causes, not soliciting for more money that will likely be wasted.

Now the fun bits. Which charities sent me money? Yes… a long-standing gimmick of some charities is to send some level of money, typically under a dollar, and ask that you send them more back. They usually want 25 – 1000% more of course. This gimmick is frowned upon by many people, and for good reason. First, it is just that, a gimmick. Second, for charities that put a nickel, dime, or quarter in the envelope, they are quite literally throwing money away. Many people are tired of receiving the snail mail spam and quickly throw it away, coin or not. Even March of Dimes no longer sends a token dime in the mail. In 2015, Paralyzed Veterans of America sent $0.15 (3 nickels), FINCA sent $0.10 (2 nickels), Unicef sent $0.10 (2 nickels), Sierra Club sent $0.30 (6 nickels), National Law Enforcement Officers Memorial Fund sent $1.50 (6 quarters), Keepers of the Wild sent $0.50 (1 half dollar), Leukemia & Lymphoma Society sent $0.05 (1 nickel), and CARE.org sent $0.05 (1 nickel). All said and done, I cleared $2.75!

20160103_coins

Next, what is it about mailing address labels and charities? I mean seriously… almost every single one thinks that sending me such labels is a ‘gift’. Do these people not understand that the average adult in 2015 does not send that many written letters? Even people who send in checks to pay bills don’t generate too much snail mail. Yet, the National Wildlife Federation sent me enough address labels to mail a letter a day, every day of the year. Amnesty International sent 96 mailing labels in a single piece of snail mail… and sent three of those mails. USO sent 81 address labels in a single envelope. I didn’t have the patience to try to count them all individually, but I did take the time to count 154 sheets of address labels, weighting 558 grams, or 1.23 pounds.

20160103_labels1  20160103_labels2

Membership cards are another popular thing to send, because membership apparently has its privileges? By privileges, I mean it grants you absolutely nothing. Yet, dozens of charities want you to carry that card around… yet none of them send you a new, bigger wallet. National Wildlife Federation sent me four membership cards in a single year, and Sierra Club sent me six. I have not donated to either.

20160103_membership_cards

If that isn’t odd enough, the support stickers that are sent out are certainly interesting! In addition to the usual “Don’t give me a speeding ticket” stickers, that you receive from supporting law enforcement organizations, I received a NRA 2015 member sticker! Despite never donating to the NRA, or contacting them. It makes me wonder if that is how the NRA claims such high membership numbers. Is it based on who is on their mail list?

20160103_stickers_blurry_oops

Moving on to stamps! Yes, postage stamps. A few charities will include a stamp in their offering, with the intent that you use it to mail them more money. While this is a variation of the ‘coin’ gimmick, the real tragedy is that some nonprofits have figured out the USPS offers special rates for charity-related mail, and others have not. The USO understands this, as their Self-addressed Stamped Envelopes (SASE) include five 1-cent stamps on them, while the Human Society of America sends a SASE with a forever stamp. Regardless, all of the stamps included, on an envelope or not, can be re-purposed since they have not been used to send mail yet! In 2015, I received two Forever stamps, one Postcard stamp, nine 10-cent stamps, one 4-cent stamp, seven 3-cent stamps, three 2-cent stamps, and 85 1-cent stamps. That is $3.39 in stamps! If they came in a sealed roll, I could return them to the post office for cash per old hacker legend. Alas, I can just tape them onto an envelope as needed, and they are still valid stamps.

20160103_stamps

To wrap this up, what else did I get? Nine calendars and 26 writing pads, apparently for the silly number of letters these charities think I write, that demand thousands of mailing address labels.

20160103_calendars  20160103_paper_pads

I also got card sets (again, maybe explains the address label flood?), magnets, random swag, calendars and paperwork, as well as X-mas specific gifts:

20160103_cards  20160103_magnets  20160103_paperwork  20160103_swag  20160103_xmas

And finally, two bits of pure amusement. First, ‘Doctors Without Borders’ seems to be fond of sending us Americans world maps. Yes, yes.. I know, Americans suck at Geography. But sending us world maps that we’re to hang up on our wall, of our first-world decorated establishments where style and the artist’s name matters more than actual living enjoyment? Please. But I get you, send the maps, rub it in that we’re a nation of stupid.

20160103_maps

Second, all of this snail mail spam… can you opt out of it? Nope. At least, none of it includes any wording or forms or telephone numbers to remove yourself from the snail mail lists. For the charities that call as often as they send snail mail? If you complain enough, and trust me, ‘enough’ is relative… they will eventually opt you out. But then? They send you a not-so-form letter. In the case of March of Dimes, they write:

“… we are writing to you because of your request not to be contacted by telephone… please donate $25 to us”

I donated $5 to them on 2014-06-04, meaning it was “target of opportunity” (e.g. grocery store, or some case where someone asked me to donate). This was not a yearly contribution I make to half a dozen or more charities that I feel are making a difference. In the span of half a year, March of Dimes called me enough that I got fed up with them and specifically asked to be removed from their spam call list. They did as I asked! But then… reverted to snail mail to ask me for more money.

In summary, U.S.-based charities are living in the 80’s. They send pads of paper and mail address labels, on the heels of you telling them “quit harassing me”. They send stamps and currency in a desperate attempt to guilt you into donations. Some send you as many as 30 pieces of snail mail in a calendar year, on the back of a $50 donation given to a specific sub-group of their organization (e.g. in my case the Prairie Dog Coalition, a part of the Humane Society). If I want to find out if the Prairie Dog Coalition printed a new token adoption certificate, I e-mail the director. And Lindsey responds to me personally every single time. That is what I want to support… both prairie dogs in jeopardy, and the director of a non-profit group who takes the time to respond to my emails, helping me to support their cause in the specific way I want to. This is a model for how charities should work in 2015/2016. Instead, most are still stuck in the early ’80s, sending me dead trees that I don’t need or want.

If the director of a non-profit can’t reply to you, or even sign that Christmas card they sent, while asking for more money? That is bad. They should task their staff to send personal replies and sign such cards. It doesn’t matter what name ends up on it; it matters that someone on the other side appreciates my contribution, and takes the 30 seconds to read and reply to me or scribble their mark. In fact, I think that might be a great criteria for charities I support in 2016. No personal contact? Then maybe the charity is too big and has plenty of money coming in. Maybe they don’t need my donation. Instead, I can give to local charities, which I have started focusing on, where I can see exactly how my money is used, and even stop by and talk to the ‘director’ or staff when I want. I put that term in quotes because it is a misleading title for small local charities, for someone who is often knee-deep in mud or animal poo, doing their best to make the charity work. With that personal connection, especially when I find myself volunteering or visiting, then I feel very comfortable telling friends, family, or social media about their cause and encourage them to donate as well.

When Reality TV Rears Its Ugly Head

I really do love the show COPS. I’ve seen 99% of the episodes over 28 seasons, and there are ~ 25+ episodes per season. The show is absolutely real, but they certainly cherry pick the scenes, and the officers they follow. Further, the TV show is built on a premise of formula of one violent takedown, 1 drug bust, 1 family domestic (if memory serves, and is based on material that is heavily criticized). So tonight, watching the latest episode… cop in the car says: “There was an anonymous caller that just uh… told us there was a warrant suspect in the back yard… he’s known to run from us, he’s alluded capture before so.. we’re going to see if we can uh… take him into custody here…”

Yep, stop there. This is where the TV show, shows its hand so to speak, and demonstrates how it is not objective at all. Nothing about that one minute intro makes any logical sense. The responding officer wouldn’t say “anonymous caller”, as 911 dispatch takes the calls and knows who they are speaking to (even if anonymous, they know the address and name registered to a line with few exceptions). How many people stop to read the most-wanted posters that the local post office? You do? Great, they don’t show local warrant suspects. Those aren’t posted anywhere that I have seen, ever. Known to run from police? The cop knows exactly who they are dealing with then, which is a positive ID. Escaped before? Why… rare case the police stop pursuit during a chase… so, moving on!

The more compelling reason to watch this show? It is reality TV that demonstrates why no unarmed person should EVER be shot by a police officer, no exception. This show actually broadcasts cases where the officer screws up, does something that is against policy, or against training. But there is a struggle, and the outcome is beneficial to the public and police, so they air it. I generally don’t blame those officers one bit. They are a half-second too quick to use mace? Fine. But those are the scenes we see… the taser incidents we see, but rarely if ever in a position of dispute. So consider that police are a bit too eager to mace a suspect, or go hands-on (the real bit we should question), on national TV. Is it so wrong to consider that a police officer would step over the ethical line when no cameras around?

There is a movement to put body cameras on police, and I believe that should happen. If we had the budget, I’d want a COPS camera crew following every unit and publishing that material w/o police oversight. I think it would be very telling. Remember… this TV series shows us the BEST that police have to offer. It is filtered and approved at multiple levels, before it goes to TV.

Now, for your “meta” discussion… it’s 2015, and we’re still seeing violent take-downs of suspects over flakes of marijuana. They are offered deals in the field to admit to their crime, or arrested for having personal-use volumes (by Colorado law), which are illegal in other states. Why is the TV show COPS still showing us these ‘dramatic’ scenes where police officers use physical force over the presence of personal-use levels of marijuana, and someone that is nervous in the face of police, especially when they are minority?

This episode? The suspect says they won’t answer questions until they get an attorney. The cop keeps asking questions… ON NATIONAL TV. Was the officer not trained on Miranda? I’d say YES, since the same cop was reading the Miranda warning from a card they kept in their pocket. If a cop pulled a card to read me my rights? Part of me would appreciate it, as they are doing it to make sure they are read correctly. Part of me would be scared, because they are a professional LEO supposedly… and haven’t memorized the relatively short Miranda warning. If they can’t remember those few sentences, why are they enforcing the law?

Again, I am a fan of the show in many ways. It reminds our society that police activity is not safe, and that law enforcement puts themselves into situations that endangers their lives every single day. But when a heavily edited TV show that has served as propaganda since seasons one, shows police clearly stepping over the lines? The producers need to consider what the fuck they are broadcasting to the world. They are either proper journalists (no..), or sloppy (yes..), and need to quit their jobs.

Shan Yu had a point.

BOOK: Have you ever read the works of Shan Yu?
SIMON: Shan Yu, the psychotic dictator?
BOOK: Yep. Fancied himself quite the warrior poet. Wrote volumes on war, torture… the limits of human endurance.
SIMON: That’s nice…
BOOK: He said “live with a man 40 years, share his house, his meals, speak on every subject. Then tie him up and hold him over the volcano’s edge. And on that day you will finally meet the man.”
SIMON: What if you don’t live near a volcano?
BOOK: I expect he was being poetical.

I am a sucker for a movie or TV show that presents a compelling scene or story, that conveys a complicated topic most humans will never experience, or likely never fully grasp with any bit of reality. I am a bigger sucker when such a scene or story starts taking on a small shred of reality, in a different context, that I can piece together.

While I can’t compare my point to being held over a volcano’s edge, I feel that slowly meeting and getting to know someone over 20 years and watching a variety of mental toils take effect, may come in a distant second. In addition to compassion fatigue, spending decades in an industry you believe in that keeps failing, no matter how hard you try to improve, wears a person down in many ways. Some of them often destructive to themselves and those around them.

We’ve reached a point in InfoSec where there are hundreds, maybe thousands of veterans that are reaching a critical mass. The number of disillusioned professionals that cannot tolerate their beloved industry is incredible. Some I know have sworn off the industry, vowing to work outside their niche market, and forsake the rest of the industry. This is great for them, bad for the industry who could desperately use their experience and knowledge, and absolutely fair to both. I won’t get into the debate of “oh but there is a next generation“, and just say that a community who loses a significant portion of their elders will suffer tremendously, even if they don’t realize it until many decades later.

if Shan Yu were on social media, I think he would be fascinated watching the story unfold, and amazed at how much he could learn about people during their industry-induced downward spirals.

Studies, articles, and social media activism are just a start.

I would imagine everyone reading this, who partakes of social media to any degree, is getting worn down with the social media activists. Like everything, there are some that are effecting change and doing great work. They use the media to spread the message while helping to enact change in other ways. Basically, doing more than just ‘awareness‘. You can Tweet and Facebook and Tumblr all day long about “help our vets”, and the sentiment is great. But until you turn that effort toward people who can effect change (e.g. politicians), it’s not likely to actually help a veteran. Oh, and you do occasionally promote charities that help the veterans and donate yourself… right?

Yesterday, “Spouse-gate” happened at the ASIS / ISC2 Congress event. In a nutshell, a female InfoSec professional is a speaker at the conference, and her InfoSec professional husband joined her as a regular attendee, but via her “plus one” that the conference provides for. Each “plus one” in the eyes of ISC2 is the spouse, which by definition is the husband or wife. So imagine his surprise when he goes to the registration desk and finds the staff “utterly confused how [he] could be a spouse and asks [him] four times how [he’s] a spouse“. Did the meaning of spouse change sufficiently in the past years, that it is only applied to females? He explains several times that his wife is speaking, and he is her “plus one”, and they finally understand. Next, they give him a con swag bag and information regarding ‘spouse events’ which include shopping trips. The bag included two bottles of hand lotion, an empty photo album, shopping coupons, a magazine, and the business card for Jay Claxton, the Director of Loss Prevention at Marriott Vacation Club International.

I think it safe to say that the conference bag for spouses is a clear case of misogyny. Now, why am I posting about this? Peruse the bag contents and scroll down…

isc2-bag

I have been an outspoken critic of ISC2 for many years. In the last couple of years, I have toned down that criticism considerably, for various reasons. The biggest reason is that one of the board members, Wim Remes reached out to me and prompted many discussions over a year. He made an effort to get my feedback on how ISC2 could improve in their process, public perception, and get back on track (my words) with their intended purpose of making the security industry better. When someone in a position to effect change reaches out and demonstrates they want to make things better, it is time to help them rather than continue to criticize the organization. In that time, Wim has done an incredible job working to change the organization from the inside. Sorry for the diversion, but I feel it is important to give credit to those working very hard toward bettering our industry.

At some point in the last year or two, ISC2 has taken on a very public “pro-woman” stance (scroll through their Twitter feed). They have collectively called for more equality in the workforce in our industry. In fact, within one hour of ‘Spouse-gate’ starting, ISC2 was Tweeting about women remaining underrepresented in InfoSec. It’s hard to understand how an organization can promote a great cause while also devolving to the base levels of misogyny that are a root cause of the inequality.

isc2-tweet

Social media activism can do great things. But many of the great things that can be done get lost in the noise of people blindly re-posting feel-good messages that ultimately do very little to do actual good, and concretely support the cause. If organizations like ISC2 want to help effect real change, they need to “be the change that [they] wish to see in the world.” In short, more doing and less grandstanding.

Compassion Fatigue in an industry largely devoid of compassion.

A few days ago, Bruce Schneier actually wrote a slightly interesting piece for Fusion. I say that with surprise because most of his articles are engaging and well-written, but he rarely shares new ideas or concepts. Most of my professional circle is already very familiar with a given topic, and Schneier largely enjoys a reputation for his insight because he has a considerable following and they read about it there first. In this case, it wasn’t so much that Schneier’s piece was new information (he did quote and cite a 1989 reference on the topic that was new to me), it was that he flirted with a much more interesting topic that is somewhat aligned with his point.

In ‘Living in Code Yellow’, Schneier quotes a handgun expert who described a specific mind-set. From his article:

In 1989, handgun expert Jeff Cooper invented something called the Color Code to describe what he called the “combat mind-set.” Here is his summary:
[..]
In Yellow you bring yourself to the understanding that your life may be in danger and that you may have to do something about it.

Reading on, Schneier brings up the psychological toll that such a mindset can have, and that concept should not be new to anyone that has been in InfoSec for a few years.

Cooper talked about remaining in Code Yellow over time, but he didn’t write about its psychological toll. It’s significant. Our brains can’t be on that alert level constantly. We need downtime.

While not new a concept, this one flirts with another type of psychological toll that some in the industry are not familiar with, based on my conversations over the last year. It only took a few minutes of Twitter discussion for others to recognize the same thing. While the point I want to bring up is similar to a degree, I want to stress that is also significantly different based on profession. I am not comparing InfoSec people to the people that typically face this condition. That said, quoting Wikipedia’s entry on ‘Compassion Fatigue‘:

Compassion fatigue, also known as secondary traumatic stress (STS), is a condition characterized by a gradual lessening of compassion over time. It is common among individuals that work directly with trauma victims such as, therapists (paid and unpaid) nurses, psychologists, first responders, health unit coordinators and anyone who helps out others.

This is another important aspect for some InfoSec professionals, but clearly not all (or most?) of them. Personally, I feel this is a condition that can manifest in people who truly care about their work, and as the article says, people who “help out others”. Many in our industry technically help, to some degree, but are driven by profit and fame. I do not think they suffer from, or will ever suffer from such a condition. On the other hand, there are certainly many InfoSec professionals who strive to help their clients, the public, and anyone they can. Money is a nice perk, but they are likely the ones that would do it even if it meant a paltry salary. Unfortunately, I think that many of them are newer to the industry as it speaks directly to compassion fatigue and the effects it can have on an individual. From Wikipedia again:

Sufferers can exhibit several symptoms including hopelessness, a decrease in experiences of pleasure, constant stress and anxiety, sleeplessness or nightmares, and a pervasive negative attitude. This can have detrimental effects on individuals, both professionally and personally, including a decrease in productivity, the inability to focus, and the development of new feelings of incompetency and self-doubt.

First, I don’t think our industry suffers from the last detrimental effect. It is brimming with egotistical idiots that never have those feelings, even if they should. Second, while I doubt anyone in our industry will suffer nightmares, the rest can and likely hold true to varying degrees. More specifically, hopelessness and a negative attitude. I will be the first to admit that I fall into this category when it comes to InfoSec. I have a serious level of apathy and disillusionment with the effectiveness of our industry. I have several draft blog posts on this topic and may finish one some day. All of the evidence is right there, showing we fail over and over in the bigger picture. Those who argue otherwise are idealists or new to the industry. Either they haven’t seen the evidence, or they refuse to believe it. It is easy to miss when you live the life. But there is a steady level of ‘systematic desensitization’ as @VRHax calls it, and that is spot on. For anecdotal comparison, think back to the frog in boiling water story, even if not true. It happens to us all, even if we aren’t fully cognizant of it.

While compassion fatigue can have a much more serious toll on some of the professions listed above, I believe that it likely has an interesting way to manifest for our industry. Rather than lose the desire to help, or feel it is hopeless, I think that it slowly wears down an individual in a different way. They lose that desire to help out of a truly noble cause, and inch toward doing it only for the salary and lifestyle that many of us enjoy. As such, they become hopeless as far as original intent, don’t enjoy their work as much, develop a base level of stress, and grow an increasingly negative attitude, yet do it because it pays well.

Unfortunately, when you join the industry, you aren’t warned about this to any degree.

If you volunteer at an animal rescue / rehabilitation shop, you are likely to be warned of this during your orientation on day one. And for good reason! When you spend your time trying to help a sick or wounded animal, do everything in your power to help it, and it doesn’t make it… it is devastating. That warning is what prompted me to read more on the topic originally, and it took Schneier’s blog to make me realize just how true it was in our industry, one that largely helps out of selfish gain rather than altruistic desire. So I am grateful for his blog missing the mark as usual, but doing so in a way that prompted this blog and discussion. Is there a solution to this, for InfoSec professionals? Not that I can figure out. Many that see the problem still operate under this assumption that we can magically fix things, if only we could figure out! They rarely give merit to the possibility we are in an untenable position and there is no way to win. Perhaps they should watch Star Trek again and consider the value of the Kabayashi Maru challenge. In the mean time, I will offer you a simple but slightly twisted way to help deal with compassion fatigue in our industry; by going outside of it. Dare to face it in another world while you help others unrelated to technology. I’ve found great reward in doing it every week, even if I may ultimately face the same problem.

2015-06-07-151123-Chip20150712_154604

Smile! And your favorite charity benefits.

Recently, Amazon implemented a program called ‘Smile’ that allows you to select a charity who will get a small portion (0.5%) of your purchases. The beauty of this program is that you select your charity one time. Every visit to Amazon after that, they donate. Even better, if you forget to go to the ‘smile’ sub-domain, Amazon will usually remind you and give you a chance to one-click over.

When you consider that Amazon made $74.45 billion in revenue in 2013, this could potentially add up to serious money being donated to charities around the world. If 0.5% of all of their revenue in 2013 was donated, that would be $372,250,000. Yes, $372 million dollars. That is almost 2% of the estimated cost to end homelessness in the U.S. Not bad, that a single company has that capability and puts that power in the hands of their customers.

So click on smile.amazon.com once, choose your charity, and help contribute to your cause. Finally, spread the word. The more that opt in to this program, the more charities benefit.

BSidesLV, two boxes-of-shit up for charity auction…

For those not familiar, last year I created a new-and-improved Box-of-Shit that was put for charity auction at BSidesLV 2014. Wow, lot of dashes there, go Engrish! For those not familiar with the absolutely legendary attrition.org boxes-of-shit, take a minute to familiarize yourself with it. The box last year was the center of a heated bidding war, with a BSidesLV security staff member proxying bids from another room, as a bidder was also teaching a class or robbing a casino or something like that. Anyway, Nate the Hero (official title) donated $1,000 to the charities selected by BSides (EFF, Securing Change, and HFC). Outstanding!

This year, I doubled down. There are TWO boxes of shit up for auction…

First, the important part. I humbly ask that you read and focus on this bit, because it is the entire point of my effort and goal in doing this. BSidesLV 2015 auctions will raise money for OWASP, Electronic Frontier Foundation (EFF), Hackers for Charity (HFC), and Hak4Kidz. Supporting charity is always a good thing, right?

Remember, InfoSec is considered a “zero unemployment” industry, and our average salaries are ridiculous. While we are quick to do the Facebook “like-activism” to support minimum wage increases, many of us spend $6 on a coffee every morning. If you make solid money in our field, and you cannot go out of pocket for 1% of your salary, you should probably skip the next version of “h4ck1ng f0r l33t kidz” and read a book on personal finances. Live a little… give up a shred of luxury, and donate to the greater good. If you win, you will get to read some personal thoughts I have on the matter, and receive a challenge of sorts.

So… there are two boxes this year! You can troll my Twitter feed for a few random pictures that barely tease what are in each. Even better, you can use this blog to see the teaser page that is accompanied with each box! I’ve been told that there will be remote bidding this year, which is very cool. For the next two days, I will also answer questions about each box, in a manner that does not reveal how awesome, or how lame a box is. Rest assured, more time and energy was spent on these two boxes than all other boxes/envelopes I have ever sent out, combined. Each box comes with a ~ 4 page personal letter for the winner, among other things. That has to be worth a postage stamp at the least.

box-bad

box-good

Here you go! You get what the in-person bidders get, the same teaser PDF. If you are at keys, you can play 20 questions via Twitter, while they are throwing back a bud light and telling their new friends about how they found an unpatched WordPress CMS last week.

p.s. These are likely to be the last ever boxes I brew, for many reasons.
p.p.s. In the interest of exposure, I will spam this link several times the next couple of days. DEAL WITH IT