Getting to be a busy fall/winter schedule. If you’re interested in catching up with me, learning, or just discussing security, check me out at one of these venues:

  • Sept 14 | Washington DC | EnergySec Summit
    • Giving workshop on Frameworks and the Discipline of Cybersecurity
  • Sept 28-29 | Krakow, Poland | CYBERSEC EU
    • Panelist in the State Stream
  • Oct 8-9 | Detroit, MI | SIRAcon
    • Speaking on “Risk: Yours, Anecdotally”
  • Jan | Florida
    • To Be Announced

Can’t make these? Interested in having my somewhat unusual viewpoints represented at your security, industry, coffee, hiking, or other event? Let me know so I can get it on the calendar! :)


Pulled from a posting I made to SCADASEC:

Hard to believe that only 54 percent of those surveyed knew who to call in the event of a cyber incident or attack.

Why is this hard to believe? I think it’s not only hard to believe but
also somewhat astounding that we live in a world where we legitimately
expect a substantial percentage of our control systems operators to
have to know this information.  Think about it.  We’re not asking them
to be prepared for a hurricane, we’re asking them – businesses – to
have the knowledge and capability to participate (even if, in some
cases, minimally) in what is becoming global conflict (the delineation
between crime, war, espionage, vandalism, etc. is really immaterial to
that statement).  This isn’t a series of potential incidents, it’s an
effective siege environment.  Sieges drain resources, drain morale,
and need a serious strategy to break, or those inside get overwhelmed
eventually. With or without actual (public) incidents, the effect
is the same here.

“Fifty-three percent of respondents have experienced at least one malicious cyber attack on their control system networks and/or cyber assets – **that they were aware of** – within the past 24 months.”  – WOW!

I can’t emphasize enough how…irrelevant…“incident” and “attack”
incidences are when taken individually, or even as concepts that can
be individualized and counted.  The long term damage will be in
environmental predictability, resource allocation, trust, and
increasing cost of doing business.  Maybe something really bad might
happen as an event, but whether it does or not, the foundational
environment can’t sustain this level of conflict and risk indefinitely
without cascading consequences.

Instead of concentrating on managing incidents, responding to
incidents, etc., we should be taking a serious look at what
environmental (technical, legal, social, political) changes we can
make to break the overall siege.  Anything focused on incident
management directly is a two-edged sword: It keeps us feeling like
we’re treading water at the cost of resources dedicated to fixing the
long term problems (and incident management capability for individual
organizations is *not* solving a long term problem).

All In My Late Night Humble Opinion.  Take it as you will.

I’ve mentioned here and there that I hit around 586 miles of hiking from August 6 2014 – August 6 2015. Last year was the first time I ever hiked more than 6 miles. Ever.

300 miles were in Appalachian Trail Sections and most of the other 286 were in the Pacific Northwest (and most of those were done in the Olympic Mountains).

I’m writing about the whole experience, slowly (using tons of emails during the AT hikes as the core), but I thought folks would appreciate having an idea of where I’ve been in summary form. If nothing else, putting this here helps keep the history and experiences straight in my head.

The first section of this post is a hike location/distance summary and the second section is an alphabetized list of the trails I’ve been on – including links to any pictures I have, any official information online, and brief trip notes on my part.

I also wrote up a Medium piece HERE on a recent hike and it sort of sums up how I feel about being out here in general – and has some gorgeous pictures of what is, essentially, my backyard :)


Distance Summary (miles, hike, state)

300 Appalachian Trail NA
32 Enchanted Valley 1 WA
26 Enchanted Valley 2 WA
21 7 Lake Basin/High Divide
20.4 Thunder Creek WA
19.4 Hoh River Trail WA
15 Shi Shi Beach 1 WA
14 Upper Lena Lake WA
11.5 Marmot Pass WA
9 Surprise Lake WA
8.2 Dickerman WA
8.2 Ollalie/Talapus Lakes WA
8 Shi Shi Beach 2 WA
8 Yellowstone WY
7.5 Blanca Lake WA
7.4 Beckler Peak WA
7.2 Snow Lake 1 WA
7.2 Snow Lake 2 WA
6.4 Looking Glass Rock NC
6 Huntoon Point
6 Oyster Dome WA
6 South Lost Lake WA
5.4 Mt Pilchuck (all) WA
5 Calypso Trail MT
4.6 Heather Lake WA
4 Mt Pilchuck (half) WA
4 Tiger Mountain #3 WA
4 Trillium Lake
3 Art Loeb Trail NC
2.4 Crescent Beach Trail OR


(All visible pictures and all linked pictures are mine, save “Looking Glass”. “ON” denotes “Overnight Trip”.)

7 Lake Basin/High Divide (Sol Duc Start, ON at Hoh Lake)


My Pictures:

Notes: We started out at Sol Duc, didn’t see much the first day – heavy clouds. Descended to Hoh Lake for the night – saw my first west coast bear! – then back up and around to Sol Duc. Jogged the last few miles; loved it. Would like to head back on clearer days. I’m trying to wake up early enough one day to run the whole 18 mile loop in a single day.


Appalachian Trail Sections (VA, NC, TN)


My Pictures:

Notes: Full narrative is still being edited. List of sections can be found based on album names in Flickr collection above.



Art Loeb Trail (Small Section, NC)


My Pictures:

Notes: Just a quick get-out-and-hike-hike post-AT


Beckler Peak


My Pictures: None (Surprisingly?)

Notes: Easy trail for a cool view at the top. A hike. Not sure where my pictures of this are…


Blanca Lake


My Pictures:

Notes: Seriously the coolest lake I’ve ever been to – and coldest I’ve ever swam in. Amazing place, tough hike, loved it. Go if you can!



Calypso Trail (MT)


My Pictures:

Notes: Driving from DC to Seattle. Found this middle-of-nowhere trail right off the highway. One of the loneliest feeling places I’ve ever been…in a good way. Might have been a bit dumb driving my crappy Jeep Liberty over that bridge you see in the pictures. Alone. Twice.



Crescent Beach Trail (OR)


My Pictures:

Notes: Another short hike, 90 miles west of Portland. Was my first trip to a beach you can only get to by hiking. Gorgeous beach, gorgeous day. Was held up for awhile by quite a few mountain goats taking their time munching on the trail.



Mt. Dickerman


My Pictures:

Notes: Last hike of the fitness series I was a part of. One of my favorite hikes in Washington so far, but 4000 feet-ish in 4-miles-ish makes you work for it. Still – outstanding alpine meadows, wildflowers, and amazing views.


Enchanted Valley (Twice, ON)


My Pictures (First Trip):

My Pictures (Second Trip):

Notes: Pics have multiple hikes mixed in them. I’ve Overnighted this trip twice. The first time, the Valley was closed so we stayed at Pyrites campsite then hiked most of the way to O’Neil Trail Junction before finding a bridge out. We turned around and headed back to Pyrites, then back to the TH the third day. The second trip we stayed in O’Neil Creek on night 1 then the Valley night 2, where we saw a bear fairly up close. My foot went out, so we ended up not going further again. I will get up that mountain to Anderson Glacier!


Heather Lake


My Pictures:

Notes: Cute Lake. Pretty easy lake to hike to. Recommend :)



Hoh Rain Forest River Trail (to Olympic Ranger Station, ON)


My Pictures:

Notes: Hiked through the Hoh Rainforest in a one-nighter. Stayed at the Olympic Ranger Station, but made it another ¾ mile or so – and that last ¾ mile absolutely made the whole hike worth it. Some of the prettiest, most magical scenes I’ve ever been in. A walk through an enchanted tunnel with a couple of deer was particularly surreal. As were the faeries that came out of the log.


Huntoon Point (Snowshoe via Artist’s Point)


My Pictures:

Notes: This was my first “real” snowshoe and it was hard! But I was with some Mountaineers and our group was the one that didn’t turn around. Good for us because I’ve never ever been in such grand, amazing surroundings. Certainly not in the snow; too much Florida in my youth. Some of the best pictures I’ve taken of the outdoors – they’re glorious.



Looking Glass Rock (NC)


My Pictures: Somewhere, still looking, so here are someone else’s:

Notes: This was a quick fun post-AT hike while I was decompressing in Asheville (go AirBnB!). Cool looking mountain-stub-rounded-cliff-face-thing.


Marmot Pass (ON)


My Pictures:

Notes: Led an overnight Meetup trip myself with a couple of guys I didn’t know. Got there earlier than expected and it was colder than expected. Not as cool as I thought it would be, although it was certainly gorgeous. On my list to return to this summer to go explore some of the connecting trails.


Ollalie/Talapus Lakes


My Pictures:

Notes: One of the fitness series hikes. Snow. :)


Oyster Dome (Most)


My Pictures: None

Notes: Didn’t quite make it to the top; it was terrible weather and nothing to see. We could’ve kept going, we just didn’t care. One of the fitness series hikes.


Mt. Pilchuck (Twice)


My Pictures:

Notes: First trip I only made it about 2/3 of the way up. It was a fitness-building hike, I had 30lbs on my back, and hadn’t slept in almost a week. The second time I came back with my sister and her boyfriend and made it to the top and it was a lot easier and more fun than the first time (note: not the lookout, I didn’t feel up to scrambling).


Shi Shi Beach (Twice)


My Pictures (first trip):

My Pictures (second trip):

Notes: First time was a meetup hike – my first in Washington State! We ended up walking back and forth along the beach several times – plus bushwhacked down a very old mining path to a lake deep into the woods (hence the trip length). TONS of coastal life everywhere. Second trip was with a friend and we spent a lot of time watching Seals.


Snow Lake (Twice: Winter Snow, Summer Dry)


My Pictures (snow trip):

My Pictures (summer trip):

Notes: Did Snow Lake twice. The first time was in the winter in snow with microspikes. It was actually pretty easy – deceptively so. Going back, I took a first time hiker (old friend) who had a pretty tough time with the trail; it was way rockier and more exposed to sun and heat than I remembered.


South Lost Lake (Not)


My Pictures: None

Notes: I actually don’t know where we ended up hiking; our hike leader couldn’t find the right trailhead. :) Lost Lake remained lost.


Surprise Lake


My Pictures: None

Notes: I’ve been told I was on this hike. I don’t remember it. Wait…I think it rained. A lot. Till we were soaked through our heaviest rain gear. Ugh. This is why I try not to remember it.


Thunder Creek (Far, ON)


My Pictures:

Notes: Not as many classically scenic viewpoints as many other hikes, but it was really enjoyable – both the scenery and company. (I led several Meetup folks on this trip.) We went past the standard WTA hike, but I can’t quite recall where we stopped, except it was about 10.2 miles in. We didn’t do 4th of July pass or whatever.


Tiger Mountain #3


My Pictures: Totally not worth it

Notes: Just a training hike alone. It was boring as sin. Got a decent distance up then just stopped and came back.


Trillium Lake Snowshoe


My Pictures:

Notes: This was a super easy snowshoe that I really screwed up and almost died during. It was flat and sunny out when I left, but I wore jeans, didn’t have a headlamp, and didn’t have a map – it was a circle after all – and it was my first snowshoe ever. It rained. Then it snowed. And it was getting dark. I was getting really cold and there were two exit options, both far, and one led to my car. I guessed and picked right.


Upper Lena Lake


My Pictures:

Notes: I almost died on this hike; really close. Fell off a ledge/stream/waterfall. Was inches from falling 40 feet; landed 4 feet down instead. Beautiful area, but still feel sketch about going back. If it’s been wet out in the area, several areas are pretty tough. Went with two friends.


Yellowstone (Somewhere?)


My Pictures:

Notes: A random hike in Yellowstone. Was pretty, but the PNW has this particular hike beat on all accounts, even if the threat of grizzlies does add an edge. We did see tens of prairie dogs in one area and some geese being hysterical. Oh… and a lone wolf! Was with my sister and her boyfriend.


So the results of the Mozilla Delphi project are out. I was one of the panelists – alongside some pretty well known names like Jane Hall Lute, Bruce Schneier, and some other big etc.’s.   You can find it here:

And some background here:

“Mozilla’s Cybersecurity Delphi 1.0 is a step to address this gap, by identifying and prioritizing concrete threats and solutions. Through the iterative structure of the Delphi method, we will build expert consensus about the priorities for improving the security of the Internet—infrastructure to protect public safety, sustain economic growth, and foster innovation. The Delphi method offers unique benefits in this context because it aggregates the input of a diverse, broad set of voices, using a discrete and defined process with a clear, fixed end point and a mechanism for non-attribution to encourage open and thorough engagement.”

I’m still processing the results, many of which I adamantly disagree with, but what I think the report mainly shows is that “cybersecurity” isn’t a thing that exists outside of specific sets of contexts and perspectives and goals. It just goes…poof…and disappears as a concept if it’s not bracketed by material constraints. The all-over-the-board nature of the responses seems to demonstrate that (even though Mozilla did a good job creating a narrative around them).

That said, I think there are some interesting points in the document and that it’s worth a read – at the very least you’ll get to see some of the filter biases of some very smart people (obviously including my own).  And those are worth knowing, because very often our human fears and backgrounds and perceptions are not reflective of actual risks and needs.


Today I saw an announcement for another cybersecurity leadership council filled with the usual suspects:

“When it comes to the cybersecurity of our networks, the private sector has the capabilities and the market has produced good solutions. Now we need to focus on mitigation of cyber risks through cross-sector information sharing efforts, public and private partnerships, and the improvement of cyber hygiene of businesses of all sizes,” said Howard Schmidt, a partner at Ridge-Schmidt Cyber, and chairman of the council.

Sigh. Let me give this to you all straight:

First, our cybersecurity exposure is fundamentally created by how businesses go about making money. It’s about corporate discipline, perception, culture, value chains, investment strategies, procurement, marketing, communication, trust, operational quality, etc. Cybersecurity state is NOT primarily a function of anything that happens in a CISO’s office; it has very little to do with Information Sharing (as typically defined in this conversation), and Public Private Partnership success depends on having some sort of comprehensive problem space model which precedes conclusions (and the language provided starts with conclusions without a consensus problem space model anywhere).

CISOs’ activities are done as a result of a business’s actual exposure – created OUTSIDE of the CISO’s office – business perception of its risk – created by its culture – and actual threat actors – which neither the business nor the CISO’s office directly controls. Therefore any conversation or effort centered on how to do “Cybersecurity” better will, almost by definition, fail. “Cybersecurity”, if defined as “activities centered around the CISO’s office and levers to enable the CISO’s office”, has little to no influence or control over the business risk level created by ICT (Internet Connected Technology) use because it neither controls nor influences ANY of the primary environmental factors.

The problem is, since coordinating solutions on the non-CISO’s office problem space (exposure creation) requires dealing directly with how businesses make money, it’s a really tough nut to crack (legally, politically, financially, culturally, etc.) and few are willing to do it. It’s MUCH easier to focus on the CISO’s office – even at the expense of success. And, besides, we have a whole security industry telling us that another box or service will solve the problem. (For those not following along, what they mean by “solve the problem” is “hold the line until you slowly drown in the cascading consequences of rising complex conflict interactions online”.)

Further, technically, even if we did move the conversation to “how we do business in general and how that creates exposure” – which NONE of the language around the new group even smells like it might be saying – the way we build IT and OT infrastructure is not securable to the level we desire it to be for the cost we wish to pay. Full stop.  This is not a “security” problem, this is a mathematical complexity problem that has to do with error rate and organizational competency across time and disciplines.  Moving further on “cybersecurity” without changing the surrounding technical environment – transformationally, not evolutionarily – is an abject waste of time.

Anyone telling you different is selling you something, ignorant, or has unfortunate perspective blinders on.

I wrote the following up in response to a mailing list thread on some sort of anti-OPM petition campaign. I think the original email and a subsequent follow-up from me to a bunch of replies deserve repeating here:

Part 1:

I’m calling shenanigans. Why are we picking on OPM???

We’re seeing numbers like “76% of organizations breached in past 12
months”.  Or “97% of networks have been breached” etc (the numbers are
coming from all over – and back up anecdotal evidence – so whichever
source you do or don’t believe, it’s still “a whole damn lot”).

Many of these organizations do have sucky security. Many … do not.
Many are, actually, pretty good at it.

What does this mean? It means that, in today’s world, keeping your
network clean, over time, is next to impossible.  It requires a level
of competency and diligence that few organizations have in any other
respect than their core business competencies.  It also means that
bemoaning the state of government cybersecurity over that of private
industry cybersecurity is just…talk.  *Everyone* is getting owned,
at some point or another.

Publicly flaying OPM does absolutely nothing good and it harms our
collective ability to get better in the future.


Because one of the major roadblocks to real improvement is the infrequency of organizations willingly
admitting – publicly or even, often, to themselves – that they’re having a
really tough time with security…..mainly because exactly this
type of villagers-with-torches response occurs when they do.

Being unable to admit difficulty/failure, they’re unable to work publicly together
or with other institutions and organizations to collectively figure out a way

I’m sure OPM committed all sorts of infosec sins. I’m sure they acted
with classic government idiocy in some respects.

But they would have been compromised anyway by the people who
compromised them in order to get the data that was gotten. Just like
everyone else.

If we can stop making things so damn adversarial, maybe we’ll be able
to get together and stop….losing….so badly.

Part 2 (Response to a lot of dialogue):

Thanks for all the thoughtful responses so far. FWIW, I suggest
taking my points in total, as they were meant to be:

1. L* and A* are right, you can protect “the crown jewels” if you
try hard enough. But, that’s really not enough to reduce the
environmental conflict level, so it really is only an intense holding

2. While this is possible, everyone is making mistakes anyway – it’s
just a matter of degree of mistakes. In fact, that’s the deep nature
of the problem: It’s too hard to not screw up eventually (even
protecting crown jewels).

3. Some companies make “better” mistakes than others
(Kaspersky/LastPass’s post exploitation activities being a good
example of “better mistakes”), but it’s a matter of degree of mistake
vs a matter of “not doing some  that we
know sustainably works with a sufficiently low error rate”

4. Although the government (or any organization with important data)
should, from a “fairness” perspective, be held to a higher level of
accountability, from a practical standpoint, that’s actually not
*helpful* at this stage – which was the central point of my original
post.  This is because:

5. …even if we hold everyone who needs to be held accountable to
make the “best mistakes” possible, it doesn’t get us where we need to
be ***and*** has the side effect of creating an environment which is
hostile to admission of failure.

6. Without candid admission that “we need a whole new re-think of this
problem space”, we’re going to keep doing the insane – more of the
same and expecting different results. Further investing in infosec as
we know it, or limiting protection to crown jewels, simply delays the

7. The “inevitable” without change is a level of constant hostility
and conflict that will escalate until even protecting the crown jewels
will not be sufficient for people to be able to do business
economically online (or until the profitability/value curve for the
adversaries flattens).

8. So instead of beating up OPM, we should be taking a long hard look
at the very long list of crappy companies and excellent companies who
have been breached and ask ourselves “What’s missing”

9. Because, right now, a list of “InfoSec Best Practices” is a list of
activities that aren’t sustainably working.
