Brisket and Salmon!

Just got married, just got honeymooned, just got back to work…  Time for some food!

17 lbs brisket, $61, 6 lbs salmon $9 per pound.  Using the same recipe as usual.

2120: Brisket went on the smoker.  4.5 Tbsp salt, 4.5 Tbsp pepper, 2.25 Tbsp garlic powder.

2200: Fish is brining.

0530: Brisket at 165 and 166.  Crutched it, and turned temperature up to 250.  Also, moved fish to drying.

0845: Brisket at 202 and 189.

0930: Took the flat off, it was done, at 208.

1130: I’ve checked the point temperature periodically this whole time, and it has slowly risen to 201.  I’ll take it off after making coffee.

1145: Point was at 201, close enough, took it off then cleaned the smoker grates and water tray, and removed and chunks.  Set it to reheat to 120.

1230: Fish is on!

1630: All done, delicious.

Next time I need to make sure I slice across the grain.  I mistook the direction of the grain in some of the brisket, I need to double check that next time.  Otherwise I think it all turned out fantastically.

Brisket Numero Quatro

Well, there’s the possibility that the brisket I did last weekend won’t be enough meat…  And there’s the fact that I can get another one done in time…  So I’m making another brisket!  We’ll just try for a repeat performance…

14.1 lbs of brisket at $3.99 a pound…

1045, 21 Jul: Brisket went on, fat cap up, 225℉.  I should check the temperature after 8 hours, at 0645.

0900, 22 Jul: The flat passed 166℉ a couple hours ago, but the point was only at 162℉.  Now, the flat is at about 175℉, while the point is at 165℉…  I wrapped it and increased the smoker temperature to 250℉.  This step took a little longer than last time, but then I was doing to finish up further ahead of the party than I wanted anyway, so the timing should be ok.  After wrapping I kept the fat cap on top.

1200 or so: Brisket got up to temperature, the lean got there first by about 30 minutes.

The party was fantastic!  We had a great time with all the friends that showed up.  We ate almost all of both briskets, leaving only a small container in the end.  I’m very glad I smoked this second one.

Brisket Numero Tres

It’s time to make the brisket for our Maryland wedding party!  I’m pumped.  Goals this time – turn up the temperature to 250℉ earlier, or put it in the oven for a long time.  I don’t want to go more than 24 hours, I can’t go for nearly that long…  Cut off less fat than last time.  Keep the fat cap on top…

The slab of meat I got was a full brisket, point and flat, 14.6 lbs and $3.99 a pound.  Brisket has gone up in price, maybe it’s the season.  When I first did this last winter, it was at about $2 a pound, now it’s double that.  I guess I can’t wait to smoke a brisket in winter again.

Truthfully, there are few times when I’m not looking forward to smoking another brisket.  There’s the point right after I pull it off and rest it, and I’m slicing it up, and eating a little bit of the fatty parts…  Usually during that time I have a little too much fat, and it’s the first thing I’m eating in the day, and my stomach gets angry at me.  That’s the only time I’m not looking forward to smoking another brisket.

I mixed up 4 Tbsp salt, 4 Tbsp pepper, and 2 Tbsp garlic powder, and sprinkled it on the meat after trimming and slicing in half.  I warmed the smoker up.  Time to cook!

2130, 13 Jul: Started the prepped meat smokin!  The smoker is set at 225℉.  I’ll let this go for about 8 hours, until it hits 165℉, then I’ll consider what I’m doing next, whether I crank up the temperature or let it ride.

0630, 14 Jul: Wrapped the brisket, it was at 165℉.  I cranked the smoker to 250℉ then to try to finish the meat more quickly.  This time I wrapped the meat very well, tightly.  If this doesn’t help, then wrapping maybe isn’t my thing.  I intended to wake up and do this step at about 0530, but for some reason I turned my alarm off in my sleep.  No worries, because this was exactly the right temperature.

1000: Lean brisket was at 210℉ and moist at 202℉ – it’s done!

After taking it off the smoker, I let it rest while cleaning the smoker and taking care of all the morning chores.  Then I sliced it into chunks for the freezer.  Before our wedding party, maybe the night before maybe the morning of, I plan to take them out, drop them into the sous vide, then warm them up to a serving temperature.  After that, we’ll crisp the outside again with the grill, then slice the chunks for serving.  I don’t know if this is going to work, but I think it offers the best chance to be right-off-the-smoker good, with minimum prep day-of.  There’s some precedent online for this, too.

I ate a little bit – it’s delicious.  This is the way I need to make brisket in the future.  I have no negative notes.

Introducing the Hitchcock

Some trucks have testicles, mine has a Hitchcock.

The Hitchcock on the truck.

The Hitchcock on the truck.

Yes, that’s supposed to be the outline of Alfred Hitchcock.  It looks a lot like Harambe though…

Hitchcock in profile

If you want to make one, check out the Thingiverse thing here.  Download all files, open the zip up, and under “files” you’ll find an “stl” file.  Hop on over to, click “start manufacturing”, and upload that “stl” file.  I used regular PLA plastic and printed in white to try to avoid any discoloration due to sunlight inevitably breaking this thing down.  If you want a recommendation for a specific hub to use over there, these guys printed this Hitchcock, and I’m sure they’ll do a great job for you too.

For the next go with this, I’ll add some definition to the print, and maybe change the way the right side and bottom are laid out.  Having something that looks like Harambe is also great, but it might be a clearer joke to everyone else in traffic if it’s clearly Alfred Hitchcock staring back at them.

Confidentiality and Integrity vs Availability

In computer security, there are three main axes for consideration – confidentiality, integrity, and availability (CIA).  These are commonly thought of as things you desire out of a secure system.  You want your communications to only be available to the intended agents, you want them to remain unchanged except when you intend them to change, and you want them to be available when you need them.  Preferably, you want your communications to have all of those properties.

Organizations make trade offs between CIA daily, and in the real world increasing one necessarily decreases another.

This fact is obvious to most network security practitioners – but only considered in theory.  In practice, organizations trade off CIA each time they make a decision about their information systems.

This fact is not obvious to an organization’s decision makers – management.

Most computer security decisions seek to increase confidentiality and integrity without considering the costs to availability.

This is visible primarily in the standard Information Technology world, as contrasted to the SCADA/ICS Operational Technology world where most recognize availability as king.

To demonstrate C&I vs A, consider the way we “improve the security” of our information systems in the traditional IT world.  Improvements generally focus on the C&I, and they do so by adding defense in depth, or defense in breadth.


Defense in depth, first.  Add a security measure to your IT system that is of a type not currently available – add a firewall, an IDS or IPS, include SSL introspection, endpoint virus scanners, host-based firewalls, host-based anomaly detection…  There are always new ways to add defense in depth.

These are methods that directly add fragility to your IT system!  This type of fragility is similar to a child’s model bridge that is supported by one popsicle stick at each end, perhaps leaning against a wall.  Popsicle sticks snap, breaking the bridge, in the same way that network infrastructure has the potential to disrupt your network.

Security infrastructure components have a non-zero probability of causing a problem with part of your organization’s mission.

When you add defense in depth, you are gluing a popsicle stick to the bottom of the bridge’s current supports.  You’re making those bridge supports longer by one popsicle stick.  Now the chances of the bridge breaking have increased – the older stick can snap, or the newer, or both.  The probability for the older stick snapping and the bridge breaking remains the same, but you’ve added in a new possibility with the new stick.

In network security a popsicle stick snap looks like a device blocking legitimate traffic (false-positives), a device providing a new attack surface area for adversaries, a device adding just enough to the packet TTL that delivery fails, or a device delaying traffic long enough to disrupt communications at higher levels in the network model.

Adding defense in depth can provide benefit to confidentiality and integrity, but increases network fragility.  An increase in network fragility necessarily reduces network availability.  The reduction in availability may be difficult to detect, and most of the time has negligible effect.  However – networks are in place for months and years, and over that time the availability reductions become noticeable.


Defense in breadth is again like gluing an additional popsicle stick to the end of the existing bridge supports!  It is not similar to taping a second popsicle stick to the existing ones, nor is it similar to adding another connection point to the bridge for a popsicle stick.

Defense in breadth is adding a second version of an existing defensive measure with the idea that, if the first didn’t catch a bad guy maybe the second will, and we’ll still have caught the bad guy.  Increasing defense in breadth by adding measures to the system has all the same negatives as increasing defense in depth, all of the same outcomes, and increases fragility of the system in the same way.

Adding network redundancies can improve availability, but stretches manpower, limiting the benefits of redundancy to availability.


In practice, manpower is limited.  This is as true in the field of network security as it is in every other field.  The limited manpower that is monitoring your networks today is having some amount of success – you are able to use your networks with some level of CI&A.  By increasing the number of defensive measures those employees must maintain, and increasing the redundancy measures they must maintain, you are requiring more of those limited manpower resources.  This is all in addition to the growing size of other parts of your enterprise and the growing network requirements of our information age.

There is, of course, a rate at which you can increase C&I defenses, and increase network redundancy, and increase manpower, and remain in front of your decreasing network availability.  However, increases in organizational size increase complexity and decrease your return on investment.

Implementing new confidentiality or integrity measures at a constant rate requires exponential increases in availability investment.

This is unsustainable!  Not to mention the fact that every organization has monetary resources and management motivation that will give out long before availability is substantially improved.

Of course – this type of problem has been common in history.  Automation technology and process improvements (defensive/operational tactics) usually save the day, and they can here too, but they are one more thing that will add complexity and fragility to your network, thus reducing availability.  The measures become self-limiting in the same way as before.

Others have discussed the trade offs in C&I vs A – however the idea that C&I trade off vs A is mostly found in discussions of availability’s more human needs.  For example, the idea that increasing C or I by implementing password restrictions makes it more likely that a bank manager will forget their password, and therefore will be unable to run the bank, decreasing availability.  Another paper discusses how confidentiality decreases as redundancy measures (availability) increases, due to increased attack surface area.  However, I have seen very little discussion of a decrease in availability of the underlying technical network consequent from implementing new confidentiality and integrity measures.  I have seen ample evidence of this, though, especially in the business networks I a most familiar with.

Managers of the networks I’m familiar with regularly mandate new security measures, nearly always designed to improve confidentiality or integrity.  Availability issues are always cropping up, and network complexity is rarely considered as a possible cause.  Network complexity is almost never fingered as a problem worth fixing, and increased manpower is always the solution.  Increased manpower is also rarely politically practical.

Lastly – this thought is related to the idea of byzantine failures causing catastrophe within a complex system.  Availability issues are simply the small catastrophes leading up to the major one.

What to do, what to do…

  • We must remember that measures designed to increase confidentiality and integrity necessarily decrease availability.
  • We must be bold enough to consider eliminating confidentiality and integrity measures.

Most of all, though,

We must always balance the risks related to confidentiality and integrity vs the risks to availability.