Episode 282: Robin Lauren and Human Centered Security

Robin Laurén joins the pod this week to talk about Human Centered Security. We’ll pick up where he left off in his MacADUK talk, discuss any reactions, and get into a little of the practical applications.

Hosts:

  • Tom Bridge, Principal Product Manager, JumpCloud – @tbridge777
  • Marcus Ransom, Senior Sales Engineer, Jamf – @marcusransom
  • James Smith, Staff Engineer, x15ventures/Commonwealth Bank – @smithjw

Guest

Transcription of this episode brought to you by Meter.com

Meter is the easiest way for businesses to get internet, networking, and WiFi. Our full-stack approach combines hardware, software, and operations so that any company can seamlessly run on a reliable and modern network.

  • Streamlined installation: We take on the complexities to make designing and deployments easy, fast, and stress-free. We manage the entire installation process, and provide ongoing maintenance and support.
  • Network hardware, security & management: We design and build our own controllers, switches, and wireless access points. After the network is deployed, review your speed, usage, and security in one unified dashboard. No need to hire vendors in every location or have IT teams fiddle with manual configurations — everything is automated with our software.
  • Simple pricing: Pay one monthly rate with no up-front costs for installation, configuration, or hardware.
James Smith:
This week’s episode of the Mac Admins podcast is brought to you by Kandji. Automation in IT is a hot topic, and for good reason. Automating repetitive tasks frees you to focus your skills on more strategic projects that move the needle for your organization. Kandji, the Apple device management and security platform features over 150 pre-built automations to multiply your effectiveness and impact daily. To see how to take the repetition out of your to-do list, visit kandji.io that’s k-a-n-d-j-i.io.

Tom Bridge:
Hello, and welcome to the Mac Admins Podcast. I’m your host, Tom Bridge. And James, it’s great to see you this week. How are you?

James Smith:
Ah, pretty fantastic. It’s great to be back on the podcast. Today, just been spending a nice day relaxing. It’s Father’s Day here in Australia.

Tom Bridge:
I was going to say, Happy Father’s Day.

James Smith:
Thank you. So I actually went for a big shop at Costco, and then I’ve just been building my Lego Millennium Falcon, and playing with the kids today.

Tom Bridge:
Ooh.

James Smith:
Yeah.

Tom Bridge:
Nice. Fantastic. That sounds like a great day. Also, Happy Father’s Day, Marcus. Good to see you.

Marcus Ransom:
Well, thank you. Well, thank you. Good to see you too, Tom.

Tom Bridge:
It’s been the end of the summer here. It’s Labor Day weekend as we record this, that means a lot of quality time spent in front of either the barbecue grill or in the pool, never both at the same time. I’m told that’s a bad combination, but I feel like I want to try it at some point. I feel like there has to be some sort of science that allows for this. But speaking of science, I want to introduce our amazing guest. Robin Lauren, it is wonderful to see you. And I was going to say, we just saw each other in London, or excuse me, in Brighton, in the springtime, but welcome to the Mac Admins Podcast.

Robin Lauren:
Thank you. Thank you. It’s actually wonderful to see you people. I’ve heard you people over the years, but actually seeing you is a completely different kind of magic.

Tom Bridge:
Indeed. So it’s somehow possible that we have never had you on as a guest on the podcast. I can’t imagine why that would be. I’m so sorry that it’s taken us these many years to get you on, especially given your long history in the Apple community. So we love to start episodes with new guests, with a little bit of an origin story. So do you mind taking us through what your experience has been in the Apple systems administration world?

Robin Lauren:
Ooh. Well, since you say it’s been a long time coming, can I give you a long backstory?

Tom Bridge:
Yes.

James Smith:
That’s what we love. It’s the best kind.

Robin Lauren:
Ooh. Yeah. There’s going to be a lot of editing here. Let’s see way, way, way, way, way, way back at the dawn of time when Macs were new and it was 1984 and leases came up with stuff like that. I got this fascination that that’s a cool piece of gear. And of course, being the age I was whatever. And Macs were completely out of my price range. It was like, they’re cool, but from my perspective, I will never get to touch these things. And I was wrong. So I was in the Scouts. I was doing our Scouts newsletter. And I’m not sure how I actually made this happen, but there was this office supplier store in Helsinki. And one day I just walked in there and started to work on our magazine on that computer. I became part of the environment, part of the scenery.

Robin Lauren:
And eventually, they turned off the lights and said that, “Just make sure that you close the door behind you.” And if you think about it, these days, it could never happen. But back then people maybe trusted each other. And then a few years later, there was another shop who let people, even kids like me, borrow a Mac home for 24 hours. And again, that doesn’t happen these days, but that was a piece of magic.

James Smith:
They wouldn’t bring them back these days would they mate? You’d never see them again.

Robin Lauren:
Yeah. They trusted me and everybody else to actually… It was one of those classic bird nest Macs, a box, actually. This won’t go out to the listeners, but to the watchers, it’s one of these bobbies, right?

James Smith:
Yeah. You’ve got one buried down the bottom of your desk there.

Robin Lauren:
Yes. It hasn’t been running for a while.

James Smith:
That’s like the one I found on the side of the street, it still runs.

Robin Lauren:
Yes, it was in a dumpster. I saved it. So that was kind of cool. I heard that some of you got boot discs. So maybe if you could provide me with a boot disc, I can tell you if it actually boots. All right. So we’re back again. So back in the university days, I was a Linux guy, because with Linux you could do serious things and you could actually afford Linux because hey, it’s only worth your time. And as a student, your time is cheap. Actually, it’s free and abundant. But still somehow I found myself managing the Macs at my mother’s work. She was an architect. So I built up this very small local area network. I didn’t actually realize at the time that I was a sys administrator then, and I built this work management, whatever thingy that they had. They’re all jobs in FileMaker, no less. So I’m a DBA and a sysadmin. At times, I couldn’t spell either. And then came real life, and I was a web developer for some time. And I managed Windows machines, MSP-style. There was this product by Kaseya enabled. That’s true. Yes.

Robin Lauren:
There was this product called Kaseya, which was a Windows management system. These days I think it’s known mostly because there was a gaping security hole in Kaseya. But back in those days, the security hole was us and not the technology. Then I did a brief stint for the United Nations Development Programme in East Timor or Timor-Leste, where my boss was José Ramos-Horta, who got the Nobel Peace Prize some years earlier, that was kind of cool. And then finally I became a Mac admin and this is like, I’ve only been a Mac admin for this job, which is 10 years ago. I got the gig as a sys admin at Reaktor. So I’m basically the new guy with the new technology. And during these soon 10 years, I did a stint at our own sort of internal tech startup, which was, well, it was for defense and security, like high security stuff. The stuff that you don’t talk about, what it is, and you only mention it in hushed tones and we call it the dark side, not because we do the nasty things, but because it was dimly lit.

Robin Lauren:
And that was kind of fun, because I got to create an infrastructure from scratch, which was good enough to be used by real people, good enough to be secure for the auditors and for the job and be both used, useful and secure at the same time. And once we got over the invention phase in five or six years, then I dropped back to regular Reaktor where I’m now a sort of regular admin doing regular admin stuff. And during the, maybe let’s see one and a half years, something like that, we’ve gone from installing stuff by hand and managing stuff by hand to implementing MDM and ACE or ACE, which is AppleCare Enterprise and a new inventory system previously used to get some text files. And that was geekish and nice. But these times we realize that there are also non-geeks and regular people using that system. So we actually also have a proper inventory stuff. And I’ve sort of floated to the magic of API coding.

Robin Lauren:
So I’ll try to make this system talk with each other. So I’m not only talking with the humans, but also machines to machines. So that’s sort of the more longer than short of it.

Marcus Ransom:
Lovely. Now, we got you onto the podcast to talk about human-centered security. So you gave a talk at MacADUK around human-centered security. So do you want to just give us, for those people who haven’t caught that on YouTube, a really brief rundown of what the basis for that talk was?

Robin Lauren:
Well, based on my previous answer, that I’m not very good at brief stuff anyway, but very briefly, security is not so much about computers and it’s not so much about networks and it’s not so much about processes. It’s actually about humans and how you interact with humans and how you consider your fellow work mate a human and not an obstacle. And that was basically it’s like how to be a human without other humans and then to do so in a perspective from security.

James Smith:
I think that’s a really great point of view around thinking about security, because at the end of the day, depending on where you work there is that requirement to have a secure device, whether it’s based on compliance, whether it’s based on regulations and depending on what industry you’re in. And oftentimes, it can be taken out of your hands as an engineer or an admin. And just say, here, you must do these things on these devices and that’s it. And then you get a brick and you can’t do any work. And I think that it’s really important. And what you’re highlighting is you have to take a step back and you have to look at it from the point of view of these people, these are humans, they’re here to do a job. How can we enable these people to do their job while also managing that security requirement there? Maybe you could go into how you kind of strike that balance between the auditing side of things and the people side?

Robin Lauren:
Let’s see. So there are a couple of things to realize. I mean, we’re geeks, many of us are geeks. Maybe you are geeks. And-

Marcus Ransom:
I think we are.

Robin Lauren:
We sort of have a love, hate fascination thing with the technology we are using. The computers are cool for their own sake. And we love to get to know more, get to understand the computers better and their quirks and stuff like that. And we also might understand security from the perspective that this is what should be done, and there’s nothing else to choose between. Now, your workmates, they’re not there because they love computers. They use computers because they need to get stuff done. Their job is not to work with computers, their job is to make code or make pictures or crunch numbers or do whatever these legal people do that I have no clue about or sell stuff to people that the people or the customer actually wants to buy, which I hope is the ethical way of selling things. Your people are using computers, because they must love the computers. So that’s one thing.

Robin Lauren:
And security exists, not because people want security, but people don’t want to say, use security. They want to get their job done despite the computers and despite the security requirements. For anyone except for security professionals, security isn’t really a thing in itself. It’s sort of the thing that enables us to do our jobs. And once you take the humility to think that security, which is close to your heart, and the computers, which are close to your heart, they’re just the enabling technology, then that helps. So you have the humility and then you start thinking that what’s the point of view from your folks, what are they trying to do? How is this security stopping them from doing it? And you flick on the empathy switch and think of it from that perspective. And I had a good point and I lost it and we’ll get back to it once I suddenly stumble over it.

Tom Bridge:
That happens to all of us.

Robin Lauren:
Not sure if that answered half of your question, but sort of think of what the folks are doing with the stuff that you’re giving them.

Tom Bridge:
This week’s episode of the Mac Admins podcast is brought to you by Black Glove. Black Glove is about to be your new favorite IT partner. They provide ongoing expert support and rapid deployment services for your current new or refreshed Apple fleets. But what they’re really providing is complete peace of mind that your technology is safe, secure, and operating at its full potential. So no more quick and expensive calls to the geek squad or Apple support, Black Glove’s strategies and fixes are from the hands and minds of former Apple engineers. So not only is the expertise of this team unmatched, but their services are affordable and easy to get started too. Fortune 500 companies and small budding businesses alike are working with Black Glove to ensure their Apple technology is doing exactly what they need it to, whether it’s helping manage your remote teams, devices, transitioning your device management system, onboarding new employees or casing tagging and tracking your devices. Black Glove can handle it all.

Tom Bridge:
They’re also just really great people to work with. In fact, mention this podcast when you reach out to them and the Black Glove team will sponsor the next generation of Mac Admins through our Mac Admins Foundation. You can learn more and get started at blackglove.com. That’s B-L-A-C-K-G-L-O-V-E.com. And while you’re at it, ask them why they’re called Black Glove. It’s a clever nod to how White Glove services just don’t cut it for IT. We think a lot about how people work together. And I think about this all the time in terms of what do my admins want from me, the product manager. What do the admins need to know? What do they need to be able to do on behalf of their charges, their users, their people, their coworkers really. I really enjoyed the part of your talk where you talked a lot about what people want in their jobs.

Tom Bridge:
Because I think that there is a lot of understanding that admins need to have in terms of thinking about things in different ways, because as an admin, I want my coworkers to be secure so that they don’t get hacked, because there’s something like a 20% solvency rate in, if you end up with a ransomware attack in that, this is mostly on small and medium business. And so, 20% of the companies that get hacked that way don’t come back. And I don’t want that to be me. I don’t want my job to be gone. I don’t want to be responsible for their jobs being gone, but we think about what the end user, what our colleagues want. It’s very different from what admins want. And I think that it’s really important that folks think about this and hear about it.

Robin Lauren:
Yeah, there are really two quite different ways you can tackle this question. So really on a fundamental level, people want to be happy and by happy, I don’t just mean all smiles and happy and rainbows and unicorns, but sort of the deep satisfaction, kind of happy and kind of a meaningful happiness and to be happy. I mean, those of you who have seen the Maslow charts of the hierarchies, whatever, they know that. So you need certain things to, I don’t know, just to do your thing and be happy. So you need to feel safe. And this is safe, both psychologically and physiologically. You need to feel competent that you have a clue of what you’re doing, but still you need to feel challenged, you’re not doing your expertise, but you’re doing it all over again all the time. You need to be valued for what you do.

Robin Lauren:
So yeah, sure. I’m an expert, but if nobody cares, then I’m not happy about it. And you need to feel that you are part of something, usually part of a group of some kind. So you have a belonging to that. And that what you do is somehow meaningful, valuable to something like back in the days, meaning was that I actually had a job and I got paid and that’s kind of cool. I’m happy with that. And these days, my threshold of what counts as meaningful has gone up. So now, like I said, I worked for the UN, so I was teaching their IT guys to be an IT department, but on a grander scale, it would help the department, the Ministry of Foreign Affairs and Cooperation, to actually have international cooperation with other countries. Isn’t actually sort lift them up into true independence. So suddenly my geek skills have a fundamental value to somebody and that makes me happy doing what I would do. Now from a security standpoint, you can look at this very differently, because you can look at your organization’s security maturity.

Robin Lauren:
You can look at any security, sorry, any maturity levels. So the minimum viable security level is that you are compliant to something sort of just blind compliance, just do it. Okay. I don’t care if you understand this or not, just do it.

Marcus Ransom:
There’s a spreadsheet. And it’s got some tick boxes in it and we’re happy about that.

Robin Lauren:
And it actually sucks, because it doesn’t really do… No, it does security, but it’s really totally boring, because people do security because they must. You can be informed. You’ve read somewhere on a blog post that your password needs to be this long and have this many special characters. And it sort of becomes kind of a religion that you believe that your password needs to be changed every so often, but you’re informed. Maybe it’s actually based on true information, but you have an idea what you’re fulfilling, or you can have an actual secure behavior where you understand why you’re fulfilling these security things.

Robin Lauren:
You understand why you do it. And you do the secure thing, because it’s the right thing to do. Or your organization, this is sort of the black belt. Then you could have a secure culture where you have a deep understanding, a deeper level of understanding what you’re doing, why you are doing it and what it’s for. And you’re able to actually evolve these security practices together, but you’re doing it for the, because it’s the right thing, because you understand that if you do this right, then we’re not going to end up in the headlines in a bad way. And we’re not going to be out of an employer, because the proverbial manure just hit the air vents. So very long story, slightly shorter, an understanding of why security is important. I think that that’s sort of the really base level of doing things right.

James Smith:
So just following on from that thought, I really love the idea of actually educating people around the security on their devices. And rather than looking at, like you mentioned, this magical set of compliance checklists that we have to blindly follow, I much prefer to look at it from a point of view of, let’s take a look at this and let’s actually evaluate how this will impact the people that I’m looking after. And let’s actually go through and see, what will this particular rule on this spreadsheet do? How will this impact our people and what is that productivity hit going to be? And if it’s saying you need to rotate your passwords every 60 days, how’s that going to affect our fleet of devices? So I think it’s great to be able to work in an environment where you’re able to actually take this as a base, look at this and evaluate and say which ones you’re going to adhere to and which ones you’re not.

James Smith:
But have you ever come into a situation where you’ve had to effectively run that back up the chain and justify why you’re not going to implement a particular control and try to take it the other way and bring that empathy around these humans that you’re working with and actually take it to the auditors and say, “Actually, we are not going to do this,”?

Robin Lauren:
Yeah. I mean, auditors and their set of audit criteria tend to be, or tend to look, quite non-flexible, but it turned out, at least the auditors we were talking with, they were humans as well after some bending, but they were. Yes, they came in with a shield of auditors and we are the authority, but it turns out they’re good people. They’re actually really good people and people you can talk with. And for example, often when you see these audit questions that need to be fulfilled, you start by thinking that there’s only one way to do this, and it’s sort of to forbid everything. But if you look at what you would like to have achieved, what needs to happen, despite these audit questions, you start thinking of ways around or ways of solving the problem that still fulfill the audit criteria. That sounds very abstract.

Robin Lauren:
So let’s say for example, that on a highly secure computer, it can’t be connected to the internet, because the internet is nasty and full of the text and all that stuff. But how do people code? They need Stack Overflow to code and to survive. Well, then you get them another computer, which is connected to the internet and that’s sort of their reference manual. And then you have a sufficient gap between those computers and they’re not connected, they don’t touch each other. And you can actually do the work in a secure manner and still have an internet connection, because what you need is not the internet connection to the computer with which you’re writing code, but you still need Stack Overflow to have as your reference. So sometimes again, you need to understand that what is this security requirement protecting? How are we protecting it and how can we still do our job in a way which corresponds to modern development and not the times when these requirements were written?

Robin Lauren:
So we need to fulfill the idea as well as the sort of the character or the text, the requirements, but we need to do it so that we can keep doing our job.

Marcus Ransom:
Often the challenge is the auditors have a requirement of having to write down a simple line item to describe what is often a very complex and moving set of requirements, and unpacking what that particular audit requirement means or is trying to achieve, or is trying to protect against. What is the behavior we’re trying to mitigate against? What is the undesirable outcome that this audit control is designed to prevent? What do we need to be doing to be seen to be adhering to this? What does success look like? What will make you happy or confident that our organization has thought this through in order to tick that and say, I’m confident that this is being adhered to? Here in Australia, we have a framework called the Essential Eight, which is what government organizations are supposed to adhere to. And it’s not like your NIST or your CIS benchmark.

Marcus Ransom:
It’s very much, it’s about the vibe of what things should be. So you must have application control in place, but what does that mean? And you can see organizations meet that criteria and tick that off with nothing more than we place these icons on the dock and assume that the users don’t know how to access the rest of the applications, which is probably not doing a great job, but other organizations may say that they’ve put controls in to restrict applications that they know are malicious, and therefore are meeting that criteria. But I really like your idea of we’ve spoken to our users and explained why we have a process that we go through to enable applications on your device. So we can make sure that your device is going to be safe and we’re not going to be triggering any audit controls.

Marcus Ransom:
So this is why you can’t just install anything you want on your machine. And this is why we have this process here. And if you’re not happy with the process, let us know, and we’ll do what we can to address that, so that these humans over here who are auditors will be happy.

Robin Lauren:
But that goes very well with the auditors as well. And you see the word confidence and that’s actually it, because the auditors are experts in understanding risks and mitigations and all that stuff. And we need to provide the confidence to the auditors that we understand what the criteria is and how we are going to address that. And it’s the same thing with teaching. You can teach only when you truly understand the subject matter. So that means we need to clarify for ourselves that, okay, is this really the way to address their requirements? And if we are able to explain that to ourselves and then to the auditors, then yeah, they will have the confidence that these guys know their stuff. And we understand that we are solving the right problem. I mean, if you can explain to the auditors what our technological solutions are and how they make stuff safe, then we’re doing the right thing.

Marcus Ransom:
Many auditors are coming up against people who aren’t looking for ways to achieve the desirable outcomes. Many times they’re coming up against people who are trying to cover up or find ways of avoiding good outcomes, because they think it’s all going to be too hard or it’s going to be bad. I think finding that common ground and explaining that we are both after the same thing, although maybe from very different directions, but how can we collaborate? And I don’t know, I’ve found that’s a much better way to enjoy dealing with humans rather than siege warfare, which is what these things can often turn into. Anyone who’s gone through SOC 2 compliance knows it can very easily devolve into that.

Robin Lauren:
But it’s a question of trust and of common goals. We can either try to get through the audits or it becomes checkbox security. We can sort of pass the audits and we can try to hide whatever’s fudged together, or we can have a trust with, well, first the auditors of course, then the customer, the clients, and we’d rather keep a happy client, because the happy client will come back and think that these guys, they still know their stuff. So we want to purchase from them and not get a nasty reputation of, well, these are the guys who take shortcuts. And in the case of the security or the secure business, you don’t want to be known as the people who are fudging it and cutting corners. I mean, when the business is trust, maybe your tools need to be trust as well.

Tom Bridge:
And that’s the whole thing. I mean, I’ve been having a lot of ethical conversations out in the community around tracking software. And there’s tracking software that’s out there. There’s a recent New York Times article about all of the different trackers that might be on your computer and what they’re used for and how they affect your performance as an employee. And I think that we like to think that as individual people, we’re not subject to that. And I strongly agree that having intrusive trackers is not a great way to build trust amongst your employee base. And there are places where you absolutely need to, as an employer, not trust anyone around anything. And I think you’re specifically a people that handle credit card information, people that handle payment information, bank codes, SWIFT transaction records, all sorts of good things like that, maybe you need to not trust those people. Is that true for Joe over in marketing? Is that true for Jane in finance as opposed to payment information? Is it true for anybody that’s out there?

Tom Bridge:
I don’t think that’s as true. So talk to us a little bit about trusting your users and getting their trust.

Robin Lauren:
Well, in a sense, people are going to behave like you behave towards them. If I have reason to trust you, then you will probably, if you’re not a psychopath, but if you’re a regular happy, jolly human being, then you’re probably going to be trustworthy as well. It’s like, there’s this scientist, Robert Cialdini who actually, I’m not sure if I could put the persuasion levers here, never mind. People just, no, that’s actually the point of it. People will act like you act to them and you are the example. And if you start hiding the fact that you have trackers, for example, then that’s not the way to go, you’re going to lose that trust, but it’s okay to say that because of this and that compliance reason or whatever, then we will need to have some tracking software on your computer. You need to be open with that.

Robin Lauren:
And if you’re open with the fact that you have some stuff on the computer, which would be nasty in a normal situation, then suddenly Joe from finance will understand the reason for this and that it’s actually common goal to have some tracking stuff. It’s not just that. I mean, Joe wouldn’t be employed, if we would suspect that Joe was a nasty person doing nasty stuff, but humans are humans. Humans make mistakes and errors. Suddenly I just typed the wrong numbers somewhere and it happens. And after a long day, it’s Thursday and it’s close to five. I’m not at my sharpest anymore, so I might make a mistake. Then it’s okay that there are some checks to see that I’m not doing a dumb thing. So these controls might be there for a good reason. And once I’m fine with that, then I can use it.

Marcus Ransom:
And credit card information is a really good example of that, where somebody may not be exfiltrating credit card details so they can do something with it. But they may have noticed there’s often a particular glitch in the software where credit card uploads may fail. So they think, “Oh, well, I’m just going to open this text document on my desktop and I’m going to keep them in there. So if it fails, I can just go and upload them all.” And next thing, there’s a text document on someone’s desktop that may also be getting backed up to a cloud backup software or something like that, that develops a breach. And so that level of control is often there, explaining to the users that this can also be about protecting you, where you may be doing something with the best intentions, but not realize that what you’re actually doing is opening up a huge amount of risk if the planets align. So this software is-

Robin Lauren:
That’s exactly true.

Marcus Ransom:
To educate you. Not “you’ve been storing a text file of credit cards on your desktop, so pack your desk up, you’re out of here,” but explaining to the user why that sort of behavior with the best intentions may actually be opening up a lot of risk or putting them in a position where someone is looking at it and going, “Why are they doing that?”

Robin Lauren:
Well, because I mean, generally people have good intentions. They want to do the right thing, but people don’t necessarily have the mental models that correspond to how the computers are actually working and they don’t have to, that’s our job. But I mean, it’s wonderful that this one person would, for example, copy the credit card numbers to be able to help his user or do the stuff to make money flow, except that he just simply doesn’t have the idea that this would be a bad thing.

Marcus Ransom:
Fortunately, the auditors came through and saw that, the whole operation maybe shut down immediately.

Robin Lauren:
Yeah, we’re all out of an employer, we don’t want that.

Tom Bridge:
Deploying, managing and protecting Apple devices at work shouldn’t be difficult or require several solutions. Mosyle is the only Apple unified platform for business. By combining enhanced device management, endpoint security, internet privacy and security, single sign-on and enhanced apps management into a single Apple-only platform, businesses can now easily and automatically deploy, manage and protect their Apple devices with one solution and at an affordable price. With a solution for every business size and the best support in the market, request your free account today and see firsthand why Mosyle is more than an Apple MDM. Mosyle is everything you need to work with Apple. To learn more, visit business.mosyle.com that’s business.M-O-S-Y-L-E.com. One of the other things that I think that sometimes we have trouble explaining to our colleagues is getting them on board with some of the tech stuff, just to make sure that they’ve got some base level of literacy around this kind of thing, because I always see, I think you called it out as, “I’m too busy for this security stuff,” because I absolutely have been guilty of that. And I know people who experience the same kind of thing.

Tom Bridge:
So when it comes to doing the right thing, since we all use different kinds of software and technology stacks, a lot of this is just about being thoughtful about that experience. So how do you do the design work as the admin to try and take away some of the ignorance, to try and take away some of the intrusion that security can represent, in order to make a better culture going forward?

Robin Lauren:
Well, I’m kind of repeating myself, I think, but the idea is, again, to understand why you’re doing this. We don’t do this to arbitrarily make your job hard. We’re here to enable you to do your job in a way that you have an employer now and in the future.

Marcus Ransom:
Or at least we shouldn’t be doing it just to make their job hard. Sometimes it feels like that might be the case.

Robin Lauren:
But as sys admins, again, we are not our users. We also don’t automatically see their point of view. So, I mean, I might be just flabbergasted that somebody has a text file with the credit card numbers, but that’s because I don’t understand their job and what they need to do. Back in the day, when I was ignorant, sort of new in the field, we talked about stupid users. It took me a while to get over that, but users aren’t stupid. They want to do their thing and do it right with the best intentions, and they know stuff that I don’t know. And the reason I think that they’re stupid, what I’m basing it on, it’s like how well a fish can ride a bicycle or climb a tree, but that’s silly. I don’t know accounting and I don’t know graphic design and I’m terrible at coding, but I’m sure that these people who are excellent at graphic design, coding and legal and everything like that, they have such skills and such knowledge in that stuff.

Robin Lauren:
And they don’t know all the security things, and they don’t know all the sys admin things. And thank heavens for that, because they would be terrible graphic designers if they all thought like sys admins. So we do this together. And from their point of view, I’m a very stupid graphics designer and I’m a horribly stupid legal person and I’m worthless at accounting. And thank goodness we have people who are experts in those fields. Now, if I could understand what those people, let’s say the graphics people, we have a division in Reaktor who do the graphics design work for other customers. And sometimes they need to have these huge video files that they need to have delivered to the customer or shared among each other. So how do people share stuff? Well, they share them through a network connection, and they wonder why their computer is so slow.

Robin Lauren:
Well, you can’t expect to have half a terabyte of video file synchronized between computers and have it snap like that. Or if you want to have that video sent to a customer, it’s good if the disc you’re transporting it on is encrypted, because, I mean, stuff gets lost in the mail or whatever, and it would be a bad thing if that stuff leaked. So my job is to understand that you need to share this video file either with your peers or your customers. And I want that to be handled in a secure and efficient manner. So then I take my technology tools and try to solve their practical problem.

James Smith:
Do you think that it’s better to try and solve these problems from that technological point of view, which is the lens that you are looking at it from, or to try and help enable more of a security-based mindset and culture? And rather than us as admins of our fleet trying to control that on the devices, actually just help people to think about what they’re doing with that security mindset. So maybe they take a pause and go, “Oh, maybe I won’t copy this file onto just this USB stick. Maybe first I’ll encrypt this stick and then hand it off.”

Robin Lauren:
It’s probably a balance of these things, because I think that the more we understand of each other’s fields, the better. If I understand the work of the graphics people, I understand what kind of challenges they have. And if I talk about security with the graphics people, they’ll have an idea of what I’m trying to do and why I’m trying to do it. And it’s really two ways. I mean, the more we understand of what we do and what the person on the other side of the company does, the better we can do stuff together. It doesn’t mean that I’m taking their job. It just means that my job of solving their problems and serving their needs is improved, and I can do that better.

Marcus Ransom:
Having that open dialogue between the different areas as well leads to that hierarchy you were saying, of where you get to once you’ve got that collaboration and sharing and transformation of ideas and those conversations happening the whole time. You all of a sudden discover so many more opportunities for improving things or ways that you can do things, not just around security, but even around operations. Talking to designers, it’s like, would you design something for somebody without taking a brief? Or would you go and get the brief from the last time you did this particular job for someone, which may have been 10 years ago, and we’re just going to use that brief and that solution? But that can often be what we can find ourselves doing as technologists: well, I solved that particular problem this way, so I’m going to solve it that way again, I know how to do this, without having that discussion of, is the problem actually as I think it is, or has someone just cut and pasted something out of an auditor’s spreadsheet because they think that’s what we need?

Robin Lauren:
Not every problem is a nail and not every solution is a hammer. But it’s hard. I mean, I know these graphics people, and I know they’re always in a hurry to get their stuff to the client, and the same goes for everybody. So yeah, I understand. And I sympathize with “I’m too busy for this security stuff,” but understanding that it’s actually a fundamental building block of, I mean, it’s an existential question, really. If you don’t have security, we don’t have a company. Maybe not today, maybe not the week after, maybe it doesn’t ever happen, but there’s a risk that we don’t have this wonderful community here of people doing wonderful things in the future, because, hey, something went really, really wrong.

Marcus Ransom:
Especially when, in security these days, the main attack vector is the actual humans. It is quite fascinating that organizations often leave that bit out or don’t acknowledge that or embrace that the way they should, and getting the humans to understand why we’re preventing certain behavior, preventing certain applications, rather than just being told, here’s a long list of things you are now no longer allowed to do on your work machines, move along.

Robin Lauren:
Now we’re coming to the part where I started to think of psychology as a science and not just an art. So Robert Cialdini, he identified ways in which humans can be persuaded, and I sort of thought that psychology is some sort of not very well defined field, a field with not very well defined borders, and people are infinitely complex and will do things in an infinite number of ways. But the fact is that we do follow patterns. And the way I like to approach science is that there is a cause and an effect. So humans do have a sort of cause and effect relation to what we do, even though we seem to be perfectly irrational. We’re irrational because the way we’ve been measured is with a different kind of rationality stick. But really, Brian Brushwood said that, “We are not fooled because we’re stupid, we’re fooled because we’re human.”

Robin Lauren:
And I like to live in a world where, if I see that somebody has had a cycling accident, I stop, even though I’m in a hurry, and try to help that person who had an accident, and my first thought isn’t, “Ooh, there’s somebody behind the bush who’s going to rob me.”

Tom Bridge:
I think that as we look at those kinds of situations, we have to know what our biases are. And I think that that’s what starts to let us take down our guard a little bit and essentially understand what the risks are for a given situation. Because if we look at things like the CIS benchmark, right, the CIS benchmark is incredibly effective at closing security holes. It is also incredibly effective at making a computer that’s not very good to use, if only because, like, hey, it’s got a five-minute screensaver timeout and it’s got all sorts of other restrictions placed on it that maybe make it really hard to use effectively.

Marcus Ransom:
The keychain password and the login password might have to be different to adhere to certain CIS benchmarks.

Tom Bridge:
And so, what you have is a very secure brick that you never use, and this drives people to use their personal machines or their phone or any number of other things you have now compromised.

Marcus Ransom:
Write stuff down, because they can no longer use the automation that’s been built in to help them do their job and help them be efficient in safe ways.

Tom Bridge:
Well, exactly.

Robin Lauren:
Well, there could be two reasons then. I mean, either the ones who wrote the controls don’t understand the work, or we who try to implement the work, we look at it all too narrowly and we sort of just take the side of the demands of the CIS benchmarks, but we don’t look at how we’re going to solve this in a way that has a happy customer, not a happy customer, that has happy employers as a result. I mean, I think that if you are able to do your work, if you are able to belong, if you’re able to kick ass, then you will be a happy camper, a happy employee who stays at work and wants to do that stuff. You’re not frustrated and going somewhere else.

Tom Bridge:
Well, and I think my point out of all of this was, as admins, we have to keep the risk register. It’s our job to say, you know what? I can tolerate a 15-minute screensaver timeout, because I believe that this doesn’t pose a risk to our environment given where our employees work, given what they do, given all of those things, and be able to essentially say, this setting is highly caustic to my environment and to the participation of my users with it. So I am going to set it aside, knowing that it doesn’t make us that much more secure, or it makes us that much less productive. So I think that admins need to know that there’s a permissibility out there to run a risk register instead of just blindly complying with a specific benchmark.

Robin Lauren:
And that’s what I like to say, the world isn’t ready yet. If you take a look at the MDM protocol, you have the possibility to lock the screen now, or in a minute. Who the heck thinks that it’s secure to leave a computer which seems to have a screensaver on, but it’s not really locked, for a full minute? Or the other way around, like you said, that the screensaver shall engage in five minutes, 10 minutes, 50 minutes, 20 minutes, but people work differently, and there is no way in the MDM to say, okay, as long as your screen locks within 20 minutes, you can set it to whatever you want, whatever suits you, but it needs to be at maximum X minutes. One fine day, maybe we have the provisions for this. And I mean, I’m not losing hope just because the world isn’t ready just yet.

Marcus Ransom:
IBM did a great job of defining the risk register when they did the Mac at Work, Mac at IBM program, where so many people were shocked by their approach of, we don’t run antivirus on our Macs. And they were very clear about the fact that it was not that they were saying there were no viruses. Their approach was that they’d looked at what was available at the time and done a risk analysis and said, the tools that are available at the moment are not protecting our devices enough for us to accept the performance hit that we are going to get. So we’ve done a risk analysis, we’ve worked out what our approach is, and we’ve decided not to deploy any anti-malware. Now in this day and age, where there are better tools out there approaching it from a very different direction, organizations are having different conversations. But we’re also seeing there are plenty of organizations out there that are having a look at legacy tools designed to mitigate risks that maybe they aren’t actually mitigating, and taking that same approach and going,

Marcus Ransom:
Well, the net gain of having this software installed on our fleet is actually not enough. There’s no tangible benefit. So we will accept the risk that maybe there is this thing that may never happen, but if it does happen it only has a minor impact. And we are good with that, but we’ve identified it. The auditors know about it. It’s documented, it’s in a folder somewhere on a shelf, that we’ve acknowledged that this is happening. And if it does come to pass-

Robin Lauren:
But this was a very brave move. It was a very brave move, because I suppose back in the days when this was written, especially for auditors coming from the Windows world, if you didn’t have antivirus, you were really asking for trouble. I mean, you’d-

Marcus Ransom:
Last about five minutes before it was game over.

Robin Lauren:
Yes, exactly. Now what IBM did was a move against security theater, which is what Bruce Schneier likes to call stuff that looks like security but doesn’t really make anything any more secure. And at worst it hinders secure operations. It might give you a sense of security, which means that you will act in a less secure manner, and you will in the end be less secure. Like the polar opposite to that, I read about this one sys admin, a Linux gray beard, sorry, Unix gray beard, who only did stuff as root. Only as root, not sudo root. It made him think more clearly. Before he pressed the Enter key, he would think twice. So I can certainly see that point. And it just goes to say that people are very different in the way they work. Somebody needs to run with that memory stick with the new video to the clients and just get stuff done.

Robin Lauren:
Somebody has the time to think, before I press this one, will this do the rm -rf / trick, even though the slash was at the end, but suddenly the variable wasn’t initialized, and we’re ending up with a very, very, very blank computer.

Tom Bridge:
I always enjoy the XKCD comic that says, all right, you can stop nuclear war if you can type a valid [inaudible 00:55:36] on the first try. And of course, the result of that comic is, I’m really sorry. But that sounds like that one sys admin was the guy who probably could have saved the world in that case.

Robin Lauren:
Yeah, but people are different. Again, it’s really hard for us to apply the same controls to everybody when people are different.

Marcus Ransom:
And embracing those differences is a bit like the discussion around whether a user is an idiot or not. In the old days, somebody who didn’t do well at school would be considered an idiot. Whereas now we understand that there are different kinds of intelligence. And I can’t remember who it was, I think it was one of the British footballers, that said that nobody ever gives Stephen Hawking a hard time that he’s a bad shot on goal. Yet footballers are all told that they’re stupid, when in fact there can be an awful lot of spatial intelligence, strategy, things like that going on. So why do we make people’s computing environment exactly the same?

Robin Lauren:
Oh, because people are ignorant. And if you are at the top, you have a very narrow mind, because you think you know everything, but that’s not the case. Just seeing things from-

Marcus Ransom:
And these Macs are just a toy and they don’t belong in the enterprise. So therefore our whole organization will not have them.

Tom Bridge:
Here at the Mac Admins Podcast, we want to say a special thank you to all of our Patreon backers. The following people are to be recognized for their incredible generosity. Stu Barker, thank you. Adam Selby, thank you. Nate Walck, thank you. Michael Sye, thank you. Rick Goody, thank you. Mike Boylan, you know it, thank you. Melvin Vives, thank you. Bill Stites, thank you. Anoush d’Orville, thank you. Jeffrey Compton, M. Marsh, Stu McDonald, Hamlin Krewson, Adam Burg, thank you. A.J. Potrebka, thank you. James Stracey, Tim Perfitt of Twocanoes, thank you. Nate Cinal, Will O’Neal, Seb Nash, the folks at Command Control Power, Stephen Weinstein, Chad Swarthout, Daniel MacLaughlin, Justin Holt, Bill Smith and Welden Dodd, thank you all so much. And remember that you can back us if you just head on out to patreon.com/macadmpodcast. Thanks, everybody. So I think that leads us nicely into our bonus question.

Robin Lauren:
Ooh, it’s a hard one.

Tom Bridge:
We’d originally phrased this as who’s your favorite villain? But I think we have to change that ever so slightly now. And that is who’s your favorite security theater villain.

Robin Lauren:
Ooh. “I’m not going to let you do that, Dave.”

Tom Bridge:
Open the pod bay doors, Robin.

Robin Lauren:
“I’m not going to let you do that, Dave.” That would probably be it, yeah. Coming sort of from behind a bush. That would probably be it.

Tom Bridge:
The HAL 9000 kind of approach.

Robin Lauren:
Correct. Yeah, because you have people coming from completely different stances and somebody who is being just, oh, I’m lost for words again. If you have two opposing views and nobody has any intention of trying to understand the other one, then you will have clashes. And that goes for security, and that goes for theater villains as well.

Tom Bridge:
All right.

Marcus Ransom:
RoboCop’s ED-209. Yeah, this was supposed to save, it was about efficiency and control, but all of these things that were all about efficiency and control, they really weren’t. It was actually about the wrong people being in control, and ultimately led to the failure of the whole system.

Tom Bridge:
I think that’s a great way to put it.

Robin Lauren:
Good answer. It’s almost like Skynet. I like it.

Marcus Ransom:
Yes.

Tom Bridge:
Yeah. I mean, because my answer goes right to the same thing, the same kind of thing. My favorite security theater villain is, of course, Ben Kingsley from the Sneakers movie, where he is playing the mobster who wants access to all of the cryptography. And he’s trying to break everything with this, and the intention is to say, oh, the codes don’t matter, except the codes have never mattered. And that’s not really how this works at all. I love that movie. I love that intensely. We’ve talked a little bit about it over the last couple of episodes and I’m probably going to go watch it later today, because it’s an amazing piece of work.

Robin Lauren:
But it resonates very well with human thinking. You don’t recognize something is off if it’s just slightly off, and somebody else waves a little piece of persuasion in front of your eyes and suddenly you think, ooh, let’s ignore all the signals.

Tom Bridge:
Yes, absolutely. And so, I think a lot about that movie in terms of how it works and how they gain access to things, and kind of that social engineering that we don’t think about so much that maybe we ought to. Robin Lauren, it is wonderful to have you with us this week. Thank you so much for talking about this. We’ve got a bunch of links in the show notes to your talk and to a bunch of the materials from your talk. This is such a phenomenally interesting area of discussion. Thank you so much for bringing it to us today.

Robin Lauren:
Thank you. It’s been excellent being here.

Tom Bridge:
And if folks want to find you on the internet, where should they go look?

Robin Lauren:
Well, everybody’s on Mac Admins Slack and so am I. My handle there, as in many other places, is llauren, which you can’t hear how it’s spelled, but it’s L-L-A-U-R-E-N. It comes from a typo, but it’s stuck. My blog is at first name dot last name dot FI, which is robin.lauren.fi, that’s .fi for Finland, and I tweet at Robert Lauren. And because, again, for the Anglo-Saxon world the pronunciation doesn’t make any sense, they’ll just have to check the show notes. If all goes well, I’ve either just appeared or will just appear at a taped set about humans and security at the Gothenburg Conference [inaudible 01:02:23], we’ll see. And apart from that, maybe we’ll meet somewhere real. For example, in Brighton, next time.

Tom Bridge:
I was going to say, I am very hopeful to be going back to MacADUK in Brighton in May. And again, really hoping to get to Gothenburg hopefully next fall, knock on wood, right? I feel like that’s all we’re doing at this point is knock on wood. Let’s get some real conferences on the books and go to places.

Robin Lauren:
I mean, last time I did get the Corona, but heck it was worth it.

Tom Bridge:
I will say-

Robin Lauren:
It wasn’t fun, but it was still worth meeting actual people.

Tom Bridge:
I didn’t love getting coronavirus in London, but I definitely enjoyed seeing all of my colleagues over there. It was very humanizing and I appreciated that immensely.

Robin Lauren:
Get your shots. The coronavirus will hurt a lot less.

Tom Bridge:
Yes. Well, I was going to say, and of course here in the States, they’ve just approved the new bivalent vaccine, which is the new Omicron booster. So you can go out, if you’ve had your shot, if you’ve had your first two doses, if it has been more than two months since your last dose and you are over the age of 12, you are free to go get your next shot. I get mine on Wednesday. I’m really excited about it. Well, I’m not really excited about it, because I’m not big into needles, but I’m big into not being laid out for a couple of weeks with coronavirus. So that is what I’m doing.

Robin Lauren:
Go out to get shots in the best sense. I mean, yes. It’s just yeah.

Tom Bridge:
I live in America. So I have to be very careful about how I say that, because-

Robin Lauren:
Go out and get a shot… I’m so sorry.

Tom Bridge:
A shot, not shot.

Robin Lauren:
In Finland, English is not my first language.

Tom Bridge:
Thanks, everybody, for joining us for another amazing episode of the Mac Admins Podcast. Thanks so much to our sponsors, Kandji, Black Glove, Mosyle and our transcript sponsor Meter, who are awesome. And of course, Robin, thank you so much for joining us. Thanks so much to our wonderful Patreon backers, and thanks, everybody. We’ll see you next time.

Marcus Ransom:
See you later.

Robin Lauren:
See you later.

James Smith:
Hey, cheers.

Tom Bridge:
Mac Admins Podcast is a production of Mac Admins Podcast, LLC. Our producer is Tom Bridge. Our sound editor and mixing engineer is James Smith. Our theme music was produced by Adam Codega the first time he opened GarageBand. Sponsorship for the Mac Admins Podcast is provided by the macadmins.org Slack, where you can join thousands of Mac Admins in a free Slack instance. Visit macadmins.org, and also by Technolutionary, LLC. Technically, we can help. For more information about this podcast and other broadcasts like it, please visit podcast.macadmins.org. Since we’ve converted this podcast to APFS, the funny metadata joke is at the end.

Patreon Sponsors:

The Mac Admins Podcast has launched a Patreon Campaign! Our named patrons this month include:

Rick Goody, Mike Boylan, Melvin Vives, William (Bill) Stites, Anoush d’Orville, Jeffrey Compton, M.Marsh, Hamlin Krewson, Adam Burg, A.J. Potrebka, James Stracey, Timothy Perfitt, Nate Cinal, William O’Neal, Sebastian Nash, Command Control Power, Stephen Weinstein, Chad Swarthout, Daniel MacLaughlin, Justin Holt, William Smith, and Weldon Dodd

Mac Admins Podcast Community Calendar, Sponsored by Watchman Monitoring

Conferences
Event Name | Location | Dates | Format | Cost
XWorld | Melbourne, AUS | 30-31 March 2023 | TBA | TBA

Upcoming Meetups
Event Name | Location | Dates | Cost
Houston Apple Admins | Saint Arnold Brewing Company | 5:30pm, 4th March 2024 | Free

Recurring Meetups
Event Name | Location | Dates | Cost
London Apple Admins Pub | Online weekly (see #laa-pub in MacAdmins Slack for connection details), sometimes in-person | Most Thursdays at 17:00 BST (UTC+1), 19:00 BST when in-person | Free
#ANZMac Channel Happy Hour | Online (see #anzmac in MacAdmins Slack for connection details) | Thursdays 5 p.m. AEST | Free
#cascadia Channel Happy Hour | Online (see #cascadia channel in Mac Admins Slack) | Thursdays 4 p.m. PT (US) | Free

If you’re interested in sponsoring the Mac Admins Podcast, please email podcast@macadmins.org for more information.

Social Media:

Get the latest about the Mac Admins Podcast, follow us on Twitter! We’re @MacAdmPodcast!

