lee/hpr-knowledge-base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
37e8274bffbd347c22b084a14454141cee746a76
hpr-knowledge-base/hpr_transcripts/hpr3597.txt

150 lines
9.1 KiB
Plaintext
Raw Normal View History

Initial commit: HPR Knowledge Base MCP Server - MCP server with stdio transport for local use - Search episodes, transcripts, hosts, and series - 4,511 episodes with metadata and transcripts - Data loader with in-memory JSON storage 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-26 10:54:13 +00:00
Episode: 3597
Title: HPR3597: Good Idea Fairy Hunting
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3597/hpr3597.mp3
Transcribed: 2025-10-25 01:56:20
---
This is Hacker Public Radio Episode 3597 for Tuesday, the 17th of May 2022.
Today's show is entitled, Good Idea Ferry Hunting.
It is part of the series' privacy and security.
It is hosted by Lurking Pryon and is about 10 minutes long.
It carries an explicit flag.
The summary is, tracing my security woes to the source using Good Idea Ferry Hunting.
Hello, welcome to Hacker Public Radio, this is Lurking Pryon coming at you for a second
episode.
Last time I did an episode called Password1234, kind of just using my way in here, trying
to get my feel for how everyone is doing.
A little bit about myself, I've been a cybersecurity professional for 20 plus years on the ground
doing it, on the bleeding edge of the spear, if you will.
And I've come to learn over time that security is really a state of mind.
It's not things that you do, it's not something that you put in place, either your security
minded or you're not.
And that is what I have tried to instill in people over the years.
Security is a people problem, period, 100%.
I don't care what kind of technology we have, I don't care what kind of security, I don't
care what kind of blockchain, AI, ML, it doesn't matter.
As long as a person is involved, there's going to be a problem with security, security
is a people problem.
And the biggest problem that we have is security professionals is we don't seem to know how
to go about bridging that gap between technology and people.
So I've decided that I'm going to start doing a few episodes where I share my experiences
over the past.
I'm going to call this one good idea, fairy hunting.
I was working for a healthcare organization and I've been there for a little while and
they come and they dump this thing on my plate and they're like, hey, we need to just
sign off on this, it's going live tomorrow.
And I'm looking at this project and I'm like, what the hell is this?
Where did this come from?
We're like, oh, we've been working on this for the last 15 months and I'm like, wait,
what?
I was like, you guys sit like five cubicles over from me.
No one would say anything about this, how am I supposed to sign off on this?
I don't even know what this is.
Well, your security make it happen, wait, what?
That was the last time I ever signed off on something and it was under duress, period.
So after that experience, I decided to go and look at all of the big projects that we're
going on in the company and I asked who came up with the idea for the project and what
I very quickly found out was that all of the projects in our company came from two people,
period, two people.
So I went and I found those people and I introduced myself to them and I said, hey, look, I'm
Robert, I'm your security guy and here's what I do.
And I wanted to help them understand that I'm not the person who wants to say no.
That's not my job.
I'm not here to make the company money.
You are.
You're the person who's coming up with an idea that's innovative, that's going to bring
in a revenue for the company.
My job is to facilitate that in a way that is as secure as it can be.
So after our little conversation, I asked him if he would please include me in his next
inception meeting and he did.
He had a kick off meeting where he had an idea and I was there at the very beginning and
he invited me and introduced me and everybody in the room was like excited to see me and
what I discovered was that most people actually want to do something right.
They want to do it the right way.
They either aid don't know how or they don't have the backing to do it the right way.
So being there from the beginning, they sat there, they put out their idea, they would
ask me questions, I would ask them questions and before we left the table, everybody had
an idea of where we were going and I was included in all the subsequent meetings and
anytime we came to a point where there was going to be a decision made, what we were going
to do, we would bounce things off each other, come up with, hey, can we do it this way
or what if we consider this or hey, if we do this, we're going to be violating HIPAA or
whatever the case happened to be.
By the time that project was ready to go live, the person in charge of the project knew
that security would not be a delay period and as of that day, security stopped being
a delay for his projects and from that moment forward, I was included on literally every
single project that got kicked off.
Now I didn't have to be in on all the meetings and they knew when there was a decision point
that it was easier to bring me in and have the conversation and do it right the first
time because it's much easier to do something right the first time, build it right the first
time rather than to try and go back and rebuild something that's already done.
Do it right the first time, does it take a little bit longer?
Hmm, I don't know, you could argue that, I personally think that it turned out to be
very beneficial and as of that point, projects were no longer delayed and any delays that
did come up weren't because of security which was a huge issue.
So good idea fairy hunting and I made that a part of my practice every single place that
I worked.
I would go, I would find the good idea fairies and in every organization, there's only
a few people.
Organizations are spurred forward by creative people and the creative people that have
the really good ideas that innovate the company that move it forward.
They're in the minority, there's a very few of them.
So it's those people that if you are a security person, you need to get out and go find those
people, introduce yourself and say, hey, here's who I am, here's what I do and here's how
I can help you.
Let's work together as a team instead of budding heads all the time.
That's not what we're supposed to do as security professionals.
Our job is to help the company make money in a more secure way.
Our job isn't there to stop them from making money.
So good idea fairy hunting, something that you can think about and even if you're not
a senior level security person, this is something that you can still do.
One of the things I encouraged all of my security team to do was to get out from behind
their desk and go and pick a random person in the company, go introduce yourself and sit
down with them for 30 minutes to an hour.
Just sit down with them, ask them about their job, ask them what it is they do, ask them
what kind of things they do on a daily basis, ask them what the pain points are, what are
the things that give you problems, what are the things that make your job harder?
And a lot of times what we found was that things that we were putting in place to make something
more secure was creating such an impediment to people getting their job done that somebody
in the organization figured a way to go around it.
So now we had a security control that literally everyone in the organization was bypassing.
In which case we had zero security.
Now we may be counter-intuitive, but it may actually be more secure sometimes to roll back
a security provision in order to have everyone following what it is that needs to be done.
Sometimes less is more and that goes with security as well.
So getting out, learning what people do, what their job flow is, what their function is,
what those pain points are and how everybody works together.
That is going to go a long way in helping you better understand the organization that you're
trying to protect.
Because after all, if you're the security person and you're sitting in an office and you're
trying to secure an organization that spans 70 countries, how are you really going to
know what that company does?
You're probably not really going to have that good of an idea.
Get out, meet the people, start learning what they do, and start finding ways to help
them do their job better, try and find out how it is they do their job so that you can
have a better idea of how what they do fits in with the overall structure and how that
fits in with the security program.
After all, it's kind of hard to secure something that you don't understand.
Think about it.
So that's my little spiel for today.
Just a few minutes sitting here, tickling your brain a little bit.
I'm going to call this series Admin Admin because, well, if you work in security for any
length of time, you know that that's a wonderful password combination.
And yes, it still gets me into about half of the public Wi-Fi routers that I hit.
Even today.
Admin Admin.
Wonderful.
Let's change that stuff.
So anyway, until next time, this is Lurking Pryon, thanks for listening.
And I will talk to you in another week.
Bye.
You have been listening to Hacker Public Radio.
At Hacker Public Radio does a work.
Today's show was contributed by a HBR listener like yourself.
If you ever thought of recording a podcast, click on our contribute link to find out how
easy it really is.
Hosting for HBR has been kindly provided by an honesthost.com, the Internet Archive
and our syncs.net.
On the Sadois stages, today's show is released under Creative Commons Attribution 4.0 International
License.
Reference in New Issue Copy Permalink