Know Your Why

I’m personally driven by a few ideas… Things I’m pretty passionate about. Improving cyber security in the US though education is a major one.

When I remember my goals they my action. Why do I want to volunteer to teach at a college? Why did I spend time building K-12 python, cyber security, and boolean logic short courses? Why do I look for opportunities to have my knowledgeable folks teach the rest of my folks?

That passion is my why.

People that know their why are much more effective followers and leaders. It’s maybe important to work their why into their work…

Make Sure My People Know Their Why

This is the real reason why we make sure our followers know how they got into the mission, why they’re critical parts of the mission, and why the mission is critical. If they don’t already have a “why”, that gives them one.

Why should I get out of bed? Go into work? Give a shit?

Make Sure My People Know Their Why

Personality Inprocessing

One of the things every leadership course includes is some discussion of personality types. Usually everyone has to take or retake a personality test for the Myers-Briggs system.  You usually go around the room at some point and talk about, or show by example, the effects of each piece of the type.

Then, at some point, they recommend building teams with a diversity of personality.

But who actually ends up doing that?  Sure, any reasonably good builder of small teams and assigner of tasks considers personality when doing that job.  Good managers even consider diversity of personality as one input.  Who goes to their list of people and Myers-Briggs types and uses that list?*

Well, I should.

Build and Make Available a List of Personality Types for People Under My Command

When you show up to a unit there’s always a questionnaire about who you are, who your family is, birthday…  And that should include personality type.
I’ve actually seen this on one inprocessing questionnaire, I believe.  It’s easy enough to add on there…  If someone hasn’t taken a test in the last 2 years, ask them to take it again!  Things change.

A recent leadership course introduced me to the 5 voices system.  This also seems great – the predictive power of the system, and the way it got people talking, was interesting to me.

Aside from just collecting this info, it should be on SharePoint so other leaders in the unit can access it easily.  Along with birthdays and such.

The Cyber Sim

This is a fictional imagining of what could be.

Dear Journal,

I took a refreshing break from my staff job today to keep up my “mission qualification”, and it really re-centered me. Sim time is something only pilots used to talk about, but the new “cyber sim” concept has brought that idea into the info ops world. Stupid name, great concept.

I took my laptop out to the local library and sat in a back room one of the squadrons borrows regularly. I set out my coffee and turned my noise cancelling headphones on to the Swordfish soundtrack on repeat. I SSHed in to the cyber sim virtual machine and got started.

This quarter the sim works like a jeopardy-style capture-the-flag. I say “this quarter”, because the sim is updated quarterly by a rotating team of nerds working out of the 49th IOS Det in San Antonio. The top contestants from the previous quarter get invited out for a two week TDY to invent new challenges, improve the scoring systems, add the occasional Easter egg, and feed their excellent skill back to the rest of the force. The interaction and teamwork those top nerds get is almost a more valuable training experience than the sim they end up producing.

Categories this quarter were several of the typical: algorithmic problems, malware reversing, embedded device hacking, Windows service exploitation… One of the special topics this time was Android exploitation, though. It’s tough to shoe-horn an odd topic like Android exploitation into an eight hour block, and even tougher to reward participants sufficiently to get them to spend time on the problem, but this quarter it was well-executed.

Just last month some researchers publicly released a simple exploit for the Chrome JavaScript engine. Well – simple once you know where it is… Their proof-of-concept (POC) didn’t work on Android though, and with the speed at which the Chrome team publishes updates nobody released a public exploit beyond the POC.

The Android exploitation challenge this quarter was to create an Android POC. The quarterly sim build-out team setup Android VMs with the correct version of Chrome, then added in some custom Chrome crash detection software. Upon causing a Chrome crash, participants got full points for two entire CTF categories.

The risk-reward calculation was critical here… My strength often lies in solving the algorithmic challenges. I can finish the entire category in about three hours, then knock out the easy half of the malware reversing and embedded device categories.

A public x86 POC was released already… How tough would it be to get a crash on ARM Android in eight hours for the same bug?

I bet on the Android vulnerability and got started.

After an hour I had fixed the obligatory POC bugs and could replicate the researchers’ attack on Chrome x86.

After two I was starting to understand the vulnerability and was thinking about the differences between the current POC’s target and the target devices.

After three I had my second target environment setup. I needed two because the first one was 32-bit, and I realized after about 45 minutes that the CTF targets were 64-bit. Oops.

Hour four I spent building a version of the POC that was written in a way I actually understood it and could debug. The researchers didn’t leave in much debugging code…
Hours five through seven I spent slamming my head against the keyboard wondering why everything was suddenly so difficult.

But in hour seven I had a breakthrough, and occasionally got Chrome crashes. Good enough for the win, I thought!

After a struggle getting my code to run on the CTF targets, and three attempts at running the code, I had success against the cyber sim target and got the full two categories worth of points.

I was instantly rocketed to the top of the scoreboards! Apparently nobody else had made my risk-reward choice.

Of course, it was only a matter of time before someone would de-throne me, but it seemed like a solid day in the cyber sim.

Finishing the quarter within the top ten would mean I would be invited TDY to San Antonio next quarter to be part of the CTF creation team. A blissful two weeks sequestered from email and the needs of the office, spending ten hours a day inventing challenges, trying them out against the rest of the team, and building scoreboard glue-code to make sure we can select the next creation team… Honestly sounds like a two week paradise to someone like me.

As an O-4, I’m not sure I’d be able to carve time out for that TDY. I’d probably pass the honor on to someone next on the scoreboard…

I’m thrilled that I have leadership that recognizes the value of this quarterly technical training time. They have no problem with me scheduling a full day for this, and being unavailable then to the normal office demands. The simplicity of this sim system, executing it on cloud infrastructure, and keeping it to open-source techniques only has meant that costs are comparatively tiny and access is simple.

Training value is huge though, because this exercise continually reinforces the flexibility our cyber force demands.

Can’t wait to see what they come up with next quarter.


Broken Windows

The broken windows theory of policing suggests that when police target small crimes like “vandalism, public drinking, and fare evasion,” and reduce visible signs of “crime, anti-social behavior, and civil disorder” they reduce the likelihood of further and worse crime.

This can certainly be taken too far, as in “stop-and-frisk” policies, if those are examples of broken windows policing, as some suggest.

When applied to a team you’re leading, broken windows policing looks like: making sure uniforms are still sharp and worn properly, office common spaces are kept tidy, individuals are shown respect in each interaction, promises are kept, report and presentation standards are being met, and people generally meet the requirements and standards of each of their duties.

Watch for Broken Windows

It’s easy to forget why the small things matter. So often, we invent, raise up, and perpetuate new small things that really don’t matter. However, there are a set of standards we are each supposed to be required to maintain, either by order, regulation, or law.

Those true requirements are the broken windows I need to watch for. The purpose, which I should not forget, is to maintain a lower probability of more serious problems in the unit.

Mission Qualified

Commanders of operational units maintain their flying qualification. Most units in the Air Force aren’t flying units, but all have some mission they’re responsible for.

Remain Qualified on your Mission System

Once a quarter I should spend a day making sure I’m up to speed on the mission my folks are doing, and if possible I should get some practice actually doing it. At the least I should sit alongside folks as they execute the mission.

It’s important to understand what your folks are doing each day, to understand what problems they face, and to ask of them only things you’d be willing to do yourself. What better way to do that then to sit beside them and work. The social benefit is also easy to realize with this technique.

Remain Qualified on your Mission System

This needs to be time set aside on the schedule, that doesn’t get pushed around by meetings, that doesn’t get interrupted… This is mission qualification time, and it needs to be a priority.