Perceptions Sometimes Count and Facts May Not

“Perception is reality”

I’ve heard this quote numerous times.  The falsehood evident in those words should be obvious, but these days perhaps it is not.  Reality is reality, perception is perception. 

Often reality and perception overlap heavily – but we don’t notice those times when our perceptions are correct.  Our brains think that’s the default.  There’s also almost always some amount of perception that doesn’t overlap reality – when our brain is jumping to conclusions and we are misled.  These situations often don’t matter too much, and sometimes they even keep us safer than we’d be otherwise.  Optical illusion is one time when perception doesn’t line up with reality.

The quote is usually stated to remind us that often it’s not the reality of a situation that matters, but others’ beliefs about reality.  The quote is often cited to caution individuals away from taking actions that others might misunderstand as ethically or legally wrong.  It cautions individuals away from taking an official-use-only vehicle out to the boss’s house in any capacity.  It cautions individuals away from spending notable amounts of time in private with members of the opposite sex, for even laudable reasons.

These are important cautions!  It’s often hard or impossible to walk back mis-perceptions, and if they are simply avoided then your life will probably be much easier.

But it doesn’t change the falsehood of the statement.  Perception is not equivalent to reality. 

Perception is perception, and reality is reality.  And while thinking people understand the difference intellectually, non-thinking people probably aren’t thinking about it.  Even thinking people will often make mistakes of assumption.

In the era of the false cries of “fake news” and widespread campaigns of actual misinformation, we shouldn’t aid purveyors of this bunk.

Here’s the truth – and I didn’t make it up myself, it’s a quote from a speaker, but was said in a non-attribution environment:

Perceptions Sometimes Count and Facts May Not

That quote warns individuals without suggesting falsehood, and without implying that the situation is acceptable.

It’s not acceptable that, in so many situations, individuals give in to their perceptions and disregard facts.  It happens though, and we must be prepared for when it impacts us.  We should recognize this bias for perception over fact in ourselves too, and seek to avoid being overly influenced by it.

Don’t accept that some hold perception higher than fact, but recognize that

Perceptions Sometimes Count and Facts May Not

Know Your Why

I’m personally driven by a few ideas… Things I’m pretty passionate about. Improving cyber security in the US through education is a major one.

When I remember my goals they drive my action. Why do I want to volunteer to teach at a college? Why did I spend time building K-12 Python, cyber security, and boolean logic short courses? Why do I look for opportunities to have my knowledgeable folks teach the rest of my folks?

That passion is my why.

People that know their why are much more effective followers and leaders. It’s maybe important to work their why into their work…

Make Sure My People Know Their Why

This is the real reason why we make sure our followers know how they got into the mission, why they’re critical parts of the mission, and why the mission is critical. If they don’t already have a “why”, that gives them one.

Why should I get out of bed? Go into work? Give a shit?

Make Sure My People Know Their Why

Personality Inprocessing

One of the things every leadership course includes is some discussion of personality types. Usually everyone has to take or retake a personality test for the Myers-Briggs system.  You usually go around the room at some point and talk about, or show by example, the effects of each piece of the type.

Then, at some point, they recommend building teams with a diversity of personality.

But who actually ends up doing that?  Sure, any reasonably good builder of small teams and assigner of tasks considers personality when doing that job.  Good managers even consider diversity of personality as one input.  Who goes to their list of people and Myers-Briggs types and uses that list?*

Well, I should.

Build and Make Available a List of Personality Types for People Under My Command

When you show up to a unit there’s always a questionnaire about who you are, who your family is, birthday…  And that should include personality type.
I’ve actually seen this on one inprocessing questionnaire, I believe.  It’s easy enough to add on there…  If someone hasn’t taken a test in the last 2 years, ask them to take it again!  Things change.

A recent leadership course introduced me to the 5 voices system.  This also seems great – the predictive power of the system, and the way it got people talking, was interesting to me.

Aside from just collecting this info, it should be on SharePoint so other leaders in the unit can access it easily.  Along with birthdays and such.

The Cyber Sim

This is a fictional imagining of what could be.

Dear Journal,

I took a refreshing break from my staff job today to keep up my “mission qualification”, and it really re-centered me. Sim time is something only pilots used to talk about, but the new “cyber sim” concept has brought that idea into the info ops world. Stupid name, great concept.

I took my laptop out to the local library and sat in a back room one of the squadrons borrows regularly. I set out my coffee and turned my noise cancelling headphones on to the Swordfish soundtrack on repeat. I SSHed in to the cyber sim virtual machine and got started.

This quarter the sim works like a jeopardy-style capture-the-flag. I say “this quarter”, because the sim is updated quarterly by a rotating team of nerds working out of the 49th IOS Det in San Antonio. The top contestants from the previous quarter get invited out for a two week TDY to invent new challenges, improve the scoring systems, add the occasional Easter egg, and feed their excellent skill back to the rest of the force. The interaction and teamwork those top nerds get is almost a more valuable training experience than the sim they end up producing.

Categories this quarter were several of the typical: algorithmic problems, malware reversing, embedded device hacking, Windows service exploitation… One of the special topics this time was Android exploitation, though. It’s tough to shoe-horn an odd topic like Android exploitation into an eight hour block, and even tougher to reward participants sufficiently to get them to spend time on the problem, but this quarter it was well-executed.

Just last month some researchers publicly released a simple exploit for the Chrome JavaScript engine. Well – simple once you know where it is… Their proof-of-concept (POC) didn’t work on Android though, and with the speed at which the Chrome team publishes updates nobody released a public exploit beyond the POC.

The Android exploitation challenge this quarter was to create an Android POC. The quarterly sim build-out team set up Android VMs with the correct version of Chrome, then added in some custom Chrome crash detection software. Upon causing a Chrome crash, participants got full points for two entire CTF categories.

The risk-reward calculation was critical here… My strength often lies in solving the algorithmic challenges. I can finish the entire category in about three hours, then knock out the easy half of the malware reversing and embedded device categories.

A public x86 POC was released already… How tough would it be to get a crash on ARM Android in eight hours for the same bug?

I bet on the Android vulnerability and got started.

After an hour I had fixed the obligatory POC bugs and could replicate the researchers’ attack on Chrome x86.

After two I was starting to understand the vulnerability and was thinking about the differences between the current POC’s target and the target devices.

After three I had my second target environment set up. I needed two because the first one was 32-bit, and I realized after about 45 minutes that the CTF targets were 64-bit. Oops.

Hour four I spent building a version of the POC that was written in a way I actually understood and could debug. The researchers didn’t leave in much debugging code…

Hours five through seven I spent slamming my head against the keyboard wondering why everything was suddenly so difficult.

But in hour seven I had a breakthrough, and occasionally got Chrome crashes. Good enough for the win, I thought!

After a struggle getting my code to run on the CTF targets, and three attempts at running the code, I had success against the cyber sim target and got the full two categories’ worth of points.

I was instantly rocketed to the top of the scoreboards! Apparently nobody else had made my risk-reward choice.

Of course, it was only a matter of time before someone would de-throne me, but it seemed like a solid day in the cyber sim.

Finishing the quarter within the top ten would mean I would be invited TDY to San Antonio next quarter to be part of the CTF creation team. A blissful two weeks sequestered from email and the needs of the office, spending ten hours a day inventing challenges, trying them out against the rest of the team, and building scoreboard glue-code to make sure we can select the next creation team… Honestly sounds like a two week paradise to someone like me.

As an O-4, I’m not sure I’d be able to carve time out for that TDY. I’d probably pass the honor on to someone next on the scoreboard…

I’m thrilled that I have leadership that recognizes the value of this quarterly technical training time. They have no problem with me scheduling a full day for this, and being unavailable then to the normal office demands. The simplicity of this sim system, executing it on cloud infrastructure, and keeping it to open-source techniques only has meant that costs are comparatively tiny and access is simple.

Training value is huge though, because this exercise continually reinforces the flexibility our cyber force demands.

Can’t wait to see what they come up with next quarter.


Broken Windows

The broken windows theory of policing suggests that when police target small crimes like “vandalism, public drinking, and fare evasion,” and reduce visible signs of “crime, anti-social behavior, and civil disorder” they reduce the likelihood of further and worse crime.

This can certainly be taken too far, as in “stop-and-frisk” policies, if those are examples of broken windows policing, as some suggest.

When applied to a team you’re leading, broken windows policing looks like: making sure uniforms are still sharp and worn properly, office common spaces are kept tidy, individuals are shown respect in each interaction, promises are kept, report and presentation standards are being met, and people generally meet the requirements and standards of each of their duties.

Watch for Broken Windows

It’s easy to forget why the small things matter. So often, we invent, raise up, and perpetuate new small things that really don’t matter. However, there is a set of standards we are each supposed to be required to maintain, either by order, regulation, or law.

Those true requirements are the broken windows I need to watch for. The purpose, which I should not forget, is to maintain a lower probability of more serious problems in the unit.