<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2enclosuresfull.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:media="http://search.yahoo.com/mrss/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:creativeCommons="http://backend.userland.com/creativeCommonsRssModule" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>Josh More's Blog</title>
	
	<link>http://blog.starmind.org</link>
	<description>Thoughts on business, security, and IT. Feed of content on &lt;a href="http://blog.starmind.org"&gt;Josh More's Blog&lt;/a&gt;</description>
	<lastBuildDate>Tue, 24 Apr 2012 14:23:36 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/starmind-blog" /><feedburner:info uri="starmind-blog" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><media:copyright>Copyright 2007</media:copyright><media:keywords>business,technology,entrepreneurship,literature,partnership,teaming,competition,security</media:keywords><media:category scheme="http://www.itunes.com/dtds/podcast-1.0.dtd">Business</media:category><media:category scheme="http://www.itunes.com/dtds/podcast-1.0.dtd">Technology</media:category><media:category scheme="http://www.itunes.com/dtds/podcast-1.0.dtd">Arts/Literature</media:category><itunes:owner><itunes:email>jmore@starmind.org</itunes:email><itunes:name>Josh More</itunes:name></itunes:owner><itunes:author>Josh More</itunes:author><itunes:explicit>no</itunes:explicit><itunes:keywords>business,technology,entrepreneurship,literature,partnership,teaming,competition,security</itunes:keywords><itunes:subtitle>Fuzzy Business</itunes:subtitle><itunes:summary>Easy-to-understand and entertaining discussions about business themes within the context of children's literature.</itunes:summary><itunes:category text="Business" /><itunes:category text="Technology" /><itunes:category text="Arts"><itunes:category text="Literature" /></itunes:category><creativeCommons:license>http://creativecommons.org/licenses/by-nc-sa/3.0/</creativeCommons:license><image><link>http://www.starmind.org</link><url>http://www.starmind.org/star-icon.png</url><title>Josh More - The Starmind</title></image><feedburner:emailServiceId>starmind-blog</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><feedburner:feedFlare href="http://add.my.yahoo.com/rss?url=http%3A%2F%2Ffeeds.feedburner.com%2Fstarmind-blog" src="http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo4.gif">Subscribe 
with My Yahoo!</feedburner:feedFlare><feedburner:feedFlare href="http://www.newsgator.com/ngs/subscriber/subext.aspx?url=http%3A%2F%2Ffeeds.feedburner.com%2Fstarmind-blog" src="http://www.newsgator.com/images/ngsub1.gif">Subscribe with NewsGator</feedburner:feedFlare><feedburner:feedFlare href="http://www.bloglines.com/sub/http://feeds.feedburner.com/starmind-blog" src="http://www.bloglines.com/images/sub_modern11.gif">Subscribe with Bloglines</feedburner:feedFlare><feedburner:feedFlare href="http://www.netvibes.com/subscribe.php?url=http%3A%2F%2Ffeeds.feedburner.com%2Fstarmind-blog" src="http://www.netvibes.com/img/add2netvibes.gif">Subscribe with Netvibes</feedburner:feedFlare><feedburner:feedFlare href="http://fusion.google.com/add?feedurl=http%3A%2F%2Ffeeds.feedburner.com%2Fstarmind-blog" src="http://buttons.googlesyndication.com/fusion/add.gif">Subscribe with Google</feedburner:feedFlare><feedburner:feedFlare href="http://www.pageflakes.com/subscribe.aspx?url=http%3A%2F%2Ffeeds.feedburner.com%2Fstarmind-blog" src="http://www.pageflakes.com/ImageFile.ashx?instanceId=Static_4&amp;fileName=ATP_blu_91x17.gif">Subscribe with Pageflakes</feedburner:feedFlare><feedburner:feedFlare href="http://odeo.com/listen/subscribe?feed=http%3A%2F%2Ffeeds.feedburner.com%2Fstarmind-blog" src="http://odeo.com/img/badge-channel-black.gif">Subscribe with ODEO</feedburner:feedFlare><feedburner:feedFlare href="http://www.podnova.com/add.srf?url=http%3A%2F%2Ffeeds.feedburner.com%2Fstarmind-blog" src="http://www.podnova.com/img_chicklet_podnova.gif">Subscribe with Podnova</feedburner:feedFlare><item>
		<title>Policies, Procedures and Politics</title>
		<link>http://feedproxy.google.com/~r/starmind-blog/~3/9ImjzgQrQwE/</link>
		<comments>http://blog.starmind.org/2012/04/11/policies-procedures-and-politics/#comments</comments>
		<pubDate>Wed, 11 Apr 2012 16:24:48 +0000</pubDate>
		<dc:creator>jmore@starmind.org (Josh More)</dc:creator>
				<category><![CDATA[Business Security]]></category>
		<category><![CDATA[amendments]]></category>
		<category><![CDATA[bill of rights]]></category>
		<category><![CDATA[constitution]]></category>
		<category><![CDATA[policy]]></category>

		<guid isPermaLink="false">http://blog.starmind.org/?p=1128</guid>
		<description>In the United States, you might have noticed that we have an event going on. Theoretically, the purpose of this event is to decide the direction the country for the next four years. As is often the case with these discussions, many claims are being made by both sides. Of course, there are then claims [...]</description>
			<content:encoded><![CDATA[<p>In the United States, you might have noticed that we have an event going on. Theoretically, the purpose of this event is to decide the direction of the country for the next four years. As is often the case with these discussions, many claims are being made by both sides. Of course, there are then claims upon claims and discussion and action start to spiral out of control. Luckily, we have a document that we&#8217;ve created over the years to help keep things on track.</p>
<p>The <a href="http://www.archives.gov/exhibits/charters/constitution_transcript.html">Constitution of the United States</a>, the <a href="http://www.archives.gov/exhibits/charters/bill_of_rights_transcript.html">Bill of Rights</a> and associated <a href="http://www.archives.gov/exhibits/charters/constitution_amendments_11-27.html">Amendments</a> serve as a reference and a guideline for how to run the country. They break down as follows:</p>
<ul>
<li>Constitution of the United States, accepted in 1787 &#8211; 4,601 words</li>
<li>Bill of Rights, adjustments to the constitution in 1791 &#8211; 731 words</li>
<li>Amendments since 1791 &#8211; 2,615 words</li>
</ul>
<p>This means that in the two hundred and twenty five years that the United States has existed as a country, over four hundred million people, their rights, responsibilities and very lives have been guided by under <strong>8,000 words</strong>. In general, it&#8217;s worked pretty well.</p>
<p>I make this post with two reasons in mind.</p>
<p>1) If you are going to engage in political discourse within the US, please take the time to read the 8,000 words (and 7% of that is filler like headers and names). <strong>It&#8217;s only about 12 pages of text</strong> (24 double-spaced), and it will help you to uncover lies and arm you to educate the uninformed.</p>
<p>2) If we can run a country for over two centuries with a policy document that is 12 pages long&#8230; that most people don&#8217;t bother to read, <strong>how many do you think read your information security policy manual?</strong></p>
<p>&nbsp;</p>
<p>For those that don&#8217;t want to bother clicking the links above, below is the text of the US Constitution and all amendments. Please, <strong>read it over lunch</strong>. You, and the country, will be better off.</p>
<p><span id="more-1128"></span></p>
<p>What follows are the transcripts of the original documents, so spelling is a bit different from what we&#8217;re used to. If that&#8217;s too much work for you, please see the &#8220;translation&#8221; of these documents into plain English. It&#8217;s a <a href="http://www.twyman-whitney.com/constitutiontest/constitutionplainenglish.pdf">seven page PDF</a> hosted on a third-party site. You have no excuse for not reading it.</p>
<p>&nbsp;</p>
<h3><strong>Constitution of the United States</strong></h3>
<p>We the People of the United States, in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defence, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America.</p>
<p><strong>Article. I.</strong></p>
<p>Section. 1.</p>
<p>All legislative Powers herein granted shall be vested in a Congress of the United States, which shall consist of a Senate and House of Representatives.</p>
<p>Section. 2.</p>
<p>The House of Representatives shall be composed of Members chosen every second Year by the People of the several States, and the Electors in each State shall have the Qualifications requisite for Electors of the most numerous Branch of the State Legislature.</p>
<p>No Person shall be a Representative who shall not have attained to the Age of twenty five Years, and been seven Years a Citizen of the United States, and who shall not, when elected, be an Inhabitant of that State in which he shall be chosen.</p>
<p>Representatives and direct Taxes shall be apportioned among the several States which may be included within this Union, according to their respective Numbers, which shall be determined by adding to the whole Number of free Persons, including those bound to Service for a Term of Years, and excluding Indians not taxed, three fifths of all other Persons. The actual Enumeration shall be made within three Years after the first Meeting of the Congress of the United States, and within every subsequent Term of ten Years, in such Manner as they shall by Law direct. The Number of Representatives shall not exceed one for every thirty Thousand, but each State shall have at Least one Representative; and until such enumeration shall be made, the State of New Hampshire shall be entitled to chuse three, Massachusetts eight, Rhode-Island and Providence Plantations one, Connecticut five, New-York six, New Jersey four, Pennsylvania eight, Delaware one, Maryland six, Virginia ten, North Carolina five, South Carolina five, and Georgia three.</p>
<p>When vacancies happen in the Representation from any State, the Executive Authority thereof shall issue Writs of Election to fill such Vacancies.</p>
<p>The House of Representatives shall chuse their Speaker and other Officers; and shall have the sole Power of Impeachment.</p>
<p>Section. 3.</p>
<p>The Senate of the United States shall be composed of two Senators from each State, chosen by the Legislature thereof for six Years; and each Senator shall have one Vote.</p>
<p>Immediately after they shall be assembled in Consequence of the first Election, they shall be divided as equally as may be into three Classes. The Seats of the Senators of the first Class shall be vacated at the Expiration of the second Year, of the second Class at the Expiration of the fourth Year, and of the third Class at the Expiration of the sixth Year, so that one third may be chosen every second Year; and if Vacancies happen by Resignation, or otherwise, during the Recess of the Legislature of any State, the Executive thereof may make temporary Appointments until the next Meeting of the Legislature, which shall then fill such Vacancies.</p>
<p>No Person shall be a Senator who shall not have attained to the Age of thirty Years, and been nine Years a Citizen of the United States, and who shall not, when elected, be an Inhabitant of that State for which he shall be chosen.</p>
<p>The Vice President of the United States shall be President of the Senate, but shall have no Vote, unless they be equally divided.</p>
<p>The Senate shall chuse their other Officers, and also a President pro tempore, in the Absence of the Vice President, or when he shall exercise the Office of President of the United States.</p>
<p>The Senate shall have the sole Power to try all Impeachments. When sitting for that Purpose, they shall be on Oath or Affirmation. When the President of the United States is tried, the Chief Justice shall preside: And no Person shall be convicted without the Concurrence of two thirds of the Members present.</p>
<p>Judgment in Cases of Impeachment shall not extend further than to removal from Office, and disqualification to hold and enjoy any Office of honor, Trust or Profit under the United States: but the Party convicted shall nevertheless be liable and subject to Indictment, Trial, Judgment and Punishment, according to Law.</p>
<p>Section. 4.</p>
<p>The Times, Places and Manner of holding Elections for Senators and Representatives, shall be prescribed in each State by the Legislature thereof; but the Congress may at any time by Law make or alter such Regulations, except as to the Places of chusing Senators.</p>
<p>The Congress shall assemble at least once in every Year, and such Meeting shall be on the first Monday in December, unless they shall by Law appoint a different Day.</p>
<p>Section. 5.</p>
<p>Each House shall be the Judge of the Elections, Returns and Qualifications of its own Members, and a Majority of each shall constitute a Quorum to do Business; but a smaller Number may adjourn from day to day, and may be authorized to compel the Attendance of absent Members, in such Manner, and under such Penalties as each House may provide.</p>
<p>Each House may determine the Rules of its Proceedings, punish its Members for disorderly Behaviour, and, with the Concurrence of two thirds, expel a Member.</p>
<p>Each House shall keep a Journal of its Proceedings, and from time to time publish the same, excepting such Parts as may in their Judgment require Secrecy; and the Yeas and Nays of the Members of either House on any question shall, at the Desire of one fifth of those Present, be entered on the Journal.</p>
<p>Neither House, during the Session of Congress, shall, without the Consent of the other, adjourn for more than three days, nor to any other Place than that in which the two Houses shall be sitting.</p>
<p>Section. 6.</p>
<p>The Senators and Representatives shall receive a Compensation for their Services, to be ascertained by Law, and paid out of the Treasury of the United States. They shall in all Cases, except Treason, Felony and Breach of the Peace, be privileged from Arrest during their Attendance at the Session of their respective Houses, and in going to and returning from the same; and for any Speech or Debate in either House, they shall not be questioned in any other Place.</p>
<p>No Senator or Representative shall, during the Time for which he was elected, be appointed to any civil Office under the Authority of the United States, which shall have been created, or the Emoluments whereof shall have been encreased during such time; and no Person holding any Office under the United States, shall be a Member of either House during his Continuance in Office.</p>
<p>Section. 7.</p>
<p>All Bills for raising Revenue shall originate in the House of Representatives; but the Senate may propose or concur with Amendments as on other Bills.</p>
<p>Every Bill which shall have passed the House of Representatives and the Senate, shall, before it become a Law, be presented to the President of the United States: If he approve he shall sign it, but if not he shall return it, with his Objections to that House in which it shall have originated, who shall enter the Objections at large on their Journal, and proceed to reconsider it. If after such Reconsideration two thirds of that House shall agree to pass the Bill, it shall be sent, together with the Objections, to the other House, by which it shall likewise be reconsidered, and if approved by two thirds of that House, it shall become a Law. But in all such Cases the Votes of both Houses shall be determined by yeas and Nays, and the Names of the Persons voting for and against the Bill shall be entered on the Journal of each House respectively. If any Bill shall not be returned by the President within ten Days (Sundays excepted) after it shall have been presented to him, the Same shall be a Law, in like Manner as if he had signed it, unless the Congress by their Adjournment prevent its Return, in which Case it shall not be a Law.</p>
<p>Every Order, Resolution, or Vote to which the Concurrence of the Senate and House of Representatives may be necessary (except on a question of Adjournment) shall be presented to the President of the United States; and before the Same shall take Effect, shall be approved by him, or being disapproved by him, shall be repassed by two thirds of the Senate and House of Representatives, according to the Rules and Limitations prescribed in the Case of a Bill.</p>
<p>Section. 8.</p>
<p>The Congress shall have Power To lay and collect Taxes, Duties, Imposts and Excises, to pay the Debts and provide for the common Defence and general Welfare of the United States; but all Duties, Imposts and Excises shall be uniform throughout the United States;</p>
<p>To borrow Money on the credit of the United States;</p>
<p>To regulate Commerce with foreign Nations, and among the several States, and with the Indian Tribes;</p>
<p>To establish an uniform Rule of Naturalization, and uniform Laws on the subject of Bankruptcies throughout the United States;</p>
<p>To coin Money, regulate the Value thereof, and of foreign Coin, and fix the Standard of Weights and Measures;</p>
<p>To provide for the Punishment of counterfeiting the Securities and current Coin of the United States;</p>
<p>To establish Post Offices and post Roads;</p>
<p>To promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries;</p>
<p>To constitute Tribunals inferior to the supreme Court;</p>
<p>To define and punish Piracies and Felonies committed on the high Seas, and Offences against the Law of Nations;</p>
<p>To declare War, grant Letters of Marque and Reprisal, and make Rules concerning Captures on Land and Water;</p>
<p>To raise and support Armies, but no Appropriation of Money to that Use shall be for a longer Term than two Years;</p>
<p>To provide and maintain a Navy;</p>
<p>To make Rules for the Government and Regulation of the land and naval Forces;</p>
<p>To provide for calling forth the Militia to execute the Laws of the Union, suppress Insurrections and repel Invasions;</p>
<p>To provide for organizing, arming, and disciplining, the Militia, and for governing such Part of them as may be employed in the Service of the United States, reserving to the States respectively, the Appointment of the Officers, and the Authority of training the Militia according to the discipline prescribed by Congress;</p>
<p>To exercise exclusive Legislation in all Cases whatsoever, over such District (not exceeding ten Miles square) as may, by Cession of particular States, and the Acceptance of Congress, become the Seat of the Government of the United States, and to exercise like Authority over all Places purchased by the Consent of the Legislature of the State in which the Same shall be, for the Erection of Forts, Magazines, Arsenals, dock-Yards, and other needful Buildings;&#8211;And</p>
<p>To make all Laws which shall be necessary and proper for carrying into Execution the foregoing Powers, and all other Powers vested by this Constitution in the Government of the United States, or in any Department or Officer thereof.</p>
<p>Section. 9.</p>
<p>The Migration or Importation of such Persons as any of the States now existing shall think proper to admit, shall not be prohibited by the Congress prior to the Year one thousand eight hundred and eight, but a Tax or duty may be imposed on such Importation, not exceeding ten dollars for each Person.</p>
<p>The Privilege of the Writ of Habeas Corpus shall not be suspended, unless when in Cases of Rebellion or Invasion the public Safety may require it.</p>
<p>No Bill of Attainder or ex post facto Law shall be passed.</p>
<p>No Capitation, or other direct, Tax shall be laid, unless in Proportion to the Census or enumeration herein before directed to be taken.</p>
<p>No Tax or Duty shall be laid on Articles exported from any State.</p>
<p>No Preference shall be given by any Regulation of Commerce or Revenue to the Ports of one State over those of another; nor shall Vessels bound to, or from, one State, be obliged to enter, clear, or pay Duties in another.</p>
<p>No Money shall be drawn from the Treasury, but in Consequence of Appropriations made by Law; and a regular Statement and Account of the Receipts and Expenditures of all public Money shall be published from time to time.</p>
<p>No Title of Nobility shall be granted by the United States: And no Person holding any Office of Profit or Trust under them, shall, without the Consent of the Congress, accept of any present, Emolument, Office, or Title, of any kind whatever, from any King, Prince, or foreign State.</p>
<p>Section. 10.</p>
<p>No State shall enter into any Treaty, Alliance, or Confederation; grant Letters of Marque and Reprisal; coin Money; emit Bills of Credit; make any Thing but gold and silver Coin a Tender in Payment of Debts; pass any Bill of Attainder, ex post facto Law, or Law impairing the Obligation of Contracts, or grant any Title of Nobility.</p>
<p>No State shall, without the Consent of the Congress, lay any Imposts or Duties on Imports or Exports, except what may be absolutely necessary for executing it&#8217;s inspection Laws: and the net Produce of all Duties and Imposts, laid by any State on Imports or Exports, shall be for the Use of the Treasury of the United States; and all such Laws shall be subject to the Revision and Controul of the Congress.</p>
<p>No State shall, without the Consent of Congress, lay any Duty of Tonnage, keep Troops, or Ships of War in time of Peace, enter into any Agreement or Compact with another State, or with a foreign Power, or engage in War, unless actually invaded, or in such imminent Danger as will not admit of delay.</p>
<p><strong>Article. II.</strong></p>
<p>Section. 1.</p>
<p>The executive Power shall be vested in a President of the United States of America. He shall hold his Office during the Term of four Years, and, together with the Vice President, chosen for the same Term, be elected, as follows:</p>
<p>Each State shall appoint, in such Manner as the Legislature thereof may direct, a Number of Electors, equal to the whole Number of Senators and Representatives to which the State may be entitled in the Congress: but no Senator or Representative, or Person holding an Office of Trust or Profit under the United States, shall be appointed an Elector.</p>
<p>The Electors shall meet in their respective States, and vote by Ballot for two Persons, of whom one at least shall not be an Inhabitant of the same State with themselves. And they shall make a List of all the Persons voted for, and of the Number of Votes for each; which List they shall sign and certify, and transmit sealed to the Seat of the Government of the United States, directed to the President of the Senate. The President of the Senate shall, in the Presence of the Senate and House of Representatives, open all the Certificates, and the Votes shall then be counted. The Person having the greatest Number of Votes shall be the President, if such Number be a Majority of the whole Number of Electors appointed; and if there be more than one who have such Majority, and have an equal Number of Votes, then the House of Representatives shall immediately chuse by Ballot one of them for President; and if no Person have a Majority, then from the five highest on the List the said House shall in like Manner chuse the President. But in chusing the President, the Votes shall be taken by States, the Representation from each State having one Vote; A quorum for this purpose shall consist of a Member or Members from two thirds of the States, and a Majority of all the States shall be necessary to a Choice. In every Case, after the Choice of the President, the Person having the greatest Number of Votes of the Electors shall be the Vice President. But if there should remain two or more who have equal Votes, the Senate shall chuse from them by Ballot the Vice President.</p>
<p>The Congress may determine the Time of chusing the Electors, and the Day on which they shall give their Votes; which Day shall be the same throughout the United States.</p>
<p>No Person except a natural born Citizen, or a Citizen of the United States, at the time of the Adoption of this Constitution, shall be eligible to the Office of President; neither shall any Person be eligible to that Office who shall not have attained to the Age of thirty five Years, and been fourteen Years a Resident within the United States.</p>
<p>In Case of the Removal of the President from Office, or of his Death, Resignation, or Inability to discharge the Powers and Duties of the said Office, the Same shall devolve on the Vice President, and the Congress may by Law provide for the Case of Removal, Death, Resignation or Inability, both of the President and Vice President, declaring what Officer shall then act as President, and such Officer shall act accordingly, until the Disability be removed, or a President shall be elected.</p>
<p>The President shall, at stated Times, receive for his Services, a Compensation, which shall neither be increased nor diminished during the Period for which he shall have been elected, and he shall not receive within that Period any other Emolument from the United States, or any of them.</p>
<p>Before he enter on the Execution of his Office, he shall take the following Oath or Affirmation:&#8211;&#8221;I do solemnly swear (or affirm) that I will faithfully execute the Office of President of the United States, and will to the best of my Ability, preserve, protect and defend the Constitution of the United States.&#8221;</p>
<p>Section. 2.</p>
<p>The President shall be Commander in Chief of the Army and Navy of the United States, and of the Militia of the several States, when called into the actual Service of the United States; he may require the Opinion, in writing, of the principal Officer in each of the executive Departments, upon any Subject relating to the Duties of their respective Offices, and he shall have Power to grant Reprieves and Pardons for Offences against the United States, except in Cases of Impeachment.</p>
<p>He shall have Power, by and with the Advice and Consent of the Senate, to make Treaties, provided two thirds of the Senators present concur; and he shall nominate, and by and with the Advice and Consent of the Senate, shall appoint Ambassadors, other public Ministers and Consuls, Judges of the supreme Court, and all other Officers of the United States, whose Appointments are not herein otherwise provided for, and which shall be established by Law: but the Congress may by Law vest the Appointment of such inferior Officers, as they think proper, in the President alone, in the Courts of Law, or in the Heads of Departments.</p>
<p>The President shall have Power to fill up all Vacancies that may happen during the Recess of the Senate, by granting Commissions which shall expire at the End of their next Session.</p>
<p>Section. 3.</p>
<p>He shall from time to time give to the Congress Information of the State of the Union, and recommend to their Consideration such Measures as he shall judge necessary and expedient; he may, on extraordinary Occasions, convene both Houses, or either of them, and in Case of Disagreement between them, with Respect to the Time of Adjournment, he may adjourn them to such Time as he shall think proper; he shall receive Ambassadors and other public Ministers; he shall take Care that the Laws be faithfully executed, and shall Commission all the Officers of the United States.</p>
<p>Section. 4.</p>
<p>The President, Vice President and all civil Officers of the United States, shall be removed from Office on Impeachment for, and Conviction of, Treason, Bribery, or other high Crimes and Misdemeanors.</p>
<p><strong>Article III.</strong></p>
<p>Section. 1.</p>
<p>The judicial Power of the United States shall be vested in one supreme Court, and in such inferior Courts as the Congress may from time to time ordain and establish. The Judges, both of the supreme and inferior Courts, shall hold their Offices during good Behaviour, and shall, at stated Times, receive for their Services a Compensation, which shall not be diminished during their Continuance in Office.</p>
<p>Section. 2.</p>
<p>The judicial Power shall extend to all Cases, in Law and Equity, arising under this Constitution, the Laws of the United States, and Treaties made, or which shall be made, under their Authority;&#8211;to all Cases affecting Ambassadors, other public Ministers and Consuls;&#8211;to all Cases of admiralty and maritime Jurisdiction;&#8211;to Controversies to which the United States shall be a Party;&#8211;to Controversies between two or more States;&#8211; between a State and Citizens of another State,&#8211;between Citizens of different States,&#8211;between Citizens of the same State claiming Lands under Grants of different States, and between a State, or the Citizens thereof, and foreign States, Citizens or Subjects.</p>
<p>In all Cases affecting Ambassadors, other public Ministers and Consuls, and those in which a State shall be Party, the supreme Court shall have original Jurisdiction. In all the other Cases before mentioned, the supreme Court shall have appellate Jurisdiction, both as to Law and Fact, with such Exceptions, and under such Regulations as the Congress shall make.</p>
<p>The Trial of all Crimes, except in Cases of Impeachment, shall be by Jury; and such Trial shall be held in the State where the said Crimes shall have been committed; but when not committed within any State, the Trial shall be at such Place or Places as the Congress may by Law have directed.</p>
<p>Section. 3.</p>
<p>Treason against the United States, shall consist only in levying War against them, or in adhering to their Enemies, giving them Aid and Comfort. No Person shall be convicted of Treason unless on the Testimony of two Witnesses to the same overt Act, or on Confession in open Court.</p>
<p>The Congress shall have Power to declare the Punishment of Treason, but no Attainder of Treason shall work Corruption of Blood, or Forfeiture except during the Life of the Person attainted.</p>
<p><strong>Article. IV.</strong></p>
<p>Section. 1.</p>
<p>Full Faith and Credit shall be given in each State to the public Acts, Records, and judicial Proceedings of every other State. And the Congress may by general Laws prescribe the Manner in which such Acts, Records and Proceedings shall be proved, and the Effect thereof.</p>
<p>Section. 2.</p>
<p>The Citizens of each State shall be entitled to all Privileges and Immunities of Citizens in the several States.</p>
<p>A Person charged in any State with Treason, Felony, or other Crime, who shall flee from Justice, and be found in another State, shall on Demand of the executive Authority of the State from which he fled, be delivered up, to be removed to the State having Jurisdiction of the Crime.</p>
<p>No Person held to Service or Labour in one State, under the Laws thereof, escaping into another, shall, in Consequence of any Law or Regulation therein, be discharged from such Service or Labour, but shall be delivered up on Claim of the Party to whom such Service or Labour may be due.</p>
<p>Section. 3.</p>
<p>New States may be admitted by the Congress into this Union; but no new State shall be formed or erected within the Jurisdiction of any other State; nor any State be formed by the Junction of two or more States, or Parts of States, without the Consent of the Legislatures of the States concerned as well as of the Congress.</p>
<p>The Congress shall have Power to dispose of and make all needful Rules and Regulations respecting the Territory or other Property belonging to the United States; and nothing in this Constitution shall be so construed as to Prejudice any Claims of the United States, or of any particular State.</p>
<p>Section. 4.</p>
<p>The United States shall guarantee to every State in this Union a Republican Form of Government, and shall protect each of them against Invasion; and on Application of the Legislature, or of the Executive (when the Legislature cannot be convened), against domestic Violence.</p>
<p><strong>Article. V.</strong></p>
<p>The Congress, whenever two thirds of both Houses shall deem it necessary, shall propose Amendments to this Constitution, or, on the Application of the Legislatures of two thirds of the several States, shall call a Convention for proposing Amendments, which, in either Case, shall be valid to all Intents and Purposes, as Part of this Constitution, when ratified by the Legislatures of three fourths of the several States, or by Conventions in three fourths thereof, as the one or the other Mode of Ratification may be proposed by the Congress; Provided that no Amendment which may be made prior to the Year One thousand eight hundred and eight shall in any Manner affect the first and fourth Clauses in the Ninth Section of the first Article; and that no State, without its Consent, shall be deprived of its equal Suffrage in the Senate.</p>
<p><strong>Article. VI.</strong></p>
<p>All Debts contracted and Engagements entered into, before the Adoption of this Constitution, shall be as valid against the United States under this Constitution, as under the Confederation.</p>
<p>This Constitution, and the Laws of the United States which shall be made in Pursuance thereof; and all Treaties made, or which shall be made, under the Authority of the United States, shall be the supreme Law of the Land; and the Judges in every State shall be bound thereby, any Thing in the Constitution or Laws of any State to the Contrary notwithstanding.</p>
<p>The Senators and Representatives before mentioned, and the Members of the several State Legislatures, and all executive and judicial Officers, both of the United States and of the several States, shall be bound by Oath or Affirmation, to support this Constitution; but no religious Test shall ever be required as a Qualification to any Office or public Trust under the United States.</p>
<p><strong>Article. VII.</strong></p>
<p>The Ratification of the Conventions of nine States, shall be sufficient for the Establishment of this Constitution between the States so ratifying the Same.</p>
<p>The Word, &#8220;the,&#8221; being interlined between the seventh and eighth Lines of the first Page, the Word &#8220;Thirty&#8221; being partly written on an Erazure in the fifteenth Line of the first Page, The Words &#8220;is tried&#8221; being interlined between the thirty second and thirty third Lines of the first Page and the Word &#8220;the&#8221; being interlined between the forty third and forty fourth Lines of the second Page.</p>
<p>Attest William Jackson Secretary</p>
<p>done in Convention by the Unanimous Consent of the States present the Seventeenth Day of September in the Year of our Lord one thousand seven hundred and Eighty seven and of the Independance of the United States of America the Twelfth In witness whereof We have hereunto subscribed our Names,</p>
<p>G°. Washington<br />
Presidt and deputy from Virginia</p>
<p>Delaware<br />
Geo: Read<br />
Gunning Bedford jun<br />
John Dickinson<br />
Richard Bassett<br />
Jaco: Broom</p>
<p>Maryland<br />
James McHenry<br />
Dan of St Thos. Jenifer<br />
Danl. Carroll</p>
<p>Virginia<br />
John Blair<br />
James Madison Jr.</p>
<p>North Carolina<br />
Wm. Blount<br />
Richd. Dobbs Spaight<br />
Hu Williamson</p>
<p>South Carolina<br />
J. Rutledge<br />
Charles Cotesworth Pinckney<br />
Charles Pinckney<br />
Pierce Butler</p>
<p>Georgia<br />
William Few<br />
Abr Baldwin</p>
<p>New Hampshire<br />
John Langdon<br />
Nicholas Gilman</p>
<p>Massachusetts<br />
Nathaniel Gorham<br />
Rufus King</p>
<p>Connecticut<br />
Wm. Saml. Johnson<br />
Roger Sherman</p>
<p>New York<br />
Alexander Hamilton</p>
<p>New Jersey<br />
Wil: Livingston<br />
David Brearley<br />
Wm. Paterson<br />
Jona: Dayton</p>
<p>Pennsylvania<br />
B Franklin<br />
Thomas Mifflin<br />
Robt. Morris<br />
Geo. Clymer<br />
Thos. FitzSimons<br />
Jared Ingersoll<br />
James Wilson<br />
Gouv Morris</p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<h3>The Bill of Rights</h3>
<p><strong>The Preamble to The Bill of Rights</strong></p>
<p>Congress of the United States<br />
begun and held at the City of New-York, on<br />
Wednesday the fourth of March, one thousand seven hundred and eighty nine.</p>
<p>THE Conventions of a number of the States, having at the time of their adopting the Constitution, expressed a desire, in order to prevent misconstruction or abuse of its powers, that further declaratory and restrictive clauses should be added: And as extending the ground of public confidence in the Government, will best ensure the beneficent ends of its institution.</p>
<p>RESOLVED by the Senate and House of Representatives of the United States of America, in Congress assembled, two thirds of both Houses concurring, that the following Articles be proposed to the Legislatures of the several States, as amendments to the Constitution of the United States, all, or any of which Articles, when ratified by three fourths of the said Legislatures, to be valid to all intents and purposes, as part of the said Constitution; viz.</p>
<p>ARTICLES in addition to, and Amendment of the Constitution of the United States of America, proposed by Congress, and ratified by the Legislatures of the several States, pursuant to the fifth Article of the original Constitution.</p>
<p>Note: The following text is a transcription of the first ten amendments to the Constitution in their original form. These amendments were ratified December 15, 1791, and form what is known as the &#8220;Bill of Rights.&#8221;</p>
<p><strong>Amendment I</strong></p>
<p>Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.</p>
<p><strong>Amendment II</strong></p>
<p>A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.</p>
<p><strong>Amendment III</strong></p>
<p>No Soldier shall, in time of peace be quartered in any house, without the consent of the Owner, nor in time of war, but in a manner to be prescribed by law.</p>
<p><strong>Amendment IV</strong></p>
<p>The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.</p>
<p><strong>Amendment V</strong></p>
<p>No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offence to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.</p>
<p><strong>Amendment VI</strong></p>
<p>In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the Assistance of Counsel for his defence.</p>
<p><strong>Amendment VII</strong></p>
<p>In Suits at common law, where the value in controversy shall exceed twenty dollars, the right of trial by jury shall be preserved, and no fact tried by a jury, shall be otherwise re-examined in any Court of the United States, than according to the rules of the common law.</p>
<p><strong>Amendment VIII</strong></p>
<p>Excessive bail shall not be required, nor excessive fines imposed, nor cruel and unusual punishments inflicted.</p>
<p><strong>Amendment IX</strong></p>
<p>The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.</p>
<p><strong>Amendment X</strong></p>
<p>The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.</p>
<p>&nbsp;</p>
<h3>The Rest of the Amendments</h3>
<p><strong>AMENDMENT XI</strong></p>
<p>The Judicial power of the United States shall not be construed to extend to any suit in law or equity, commenced or prosecuted against one of the United States by Citizens of another State, or by Citizens or Subjects of any Foreign State.</p>
<p><strong>AMENDMENT XII</strong></p>
<p>The Electors shall meet in their respective states and vote by ballot for President and Vice-President, one of whom, at least, shall not be an inhabitant of the same state with themselves; they shall name in their ballots the person voted for as President, and in distinct ballots the person voted for as Vice-President, and they shall make distinct lists of all persons voted for as President, and of all persons voted for as Vice-President, and of the number of votes for each, which lists they shall sign and certify, and transmit sealed to the seat of the government of the United States, directed to the President of the Senate; &#8212; the President of the Senate shall, in the presence of the Senate and House of Representatives, open all the certificates and the votes shall then be counted; &#8212; The person having the greatest number of votes for President, shall be the President, if such number be a majority of the whole number of Electors appointed; and if no person have such majority, then from the persons having the highest numbers not exceeding three on the list of those voted for as President, the House of Representatives shall choose immediately, by ballot, the President. But in choosing the President, the votes shall be taken by states, the representation from each state having one vote; a quorum for this purpose shall consist of a member or members from two-thirds of the states, and a majority of all the states shall be necessary to a choice. And if the House of Representatives shall not choose a President whenever the right of choice shall devolve upon them, before the fourth day of March next following, then the Vice-President shall act as President, as in case of the death or other constitutional disability of the President. 
The person having the greatest number of votes as Vice-President, shall be the Vice-President, if such number be a majority of the whole number of Electors appointed, and if no person have a majority, then from the two highest numbers on the list, the Senate shall choose the Vice-President; a quorum for the purpose shall consist of two-thirds of the whole number of Senators, and a majority of the whole number shall be necessary to a choice. But no person constitutionally ineligible to the office of President shall be eligible to that of Vice-President of the United States.</p>
<p><strong>AMENDMENT XIII</strong></p>
<p>Section 1.<br />
Neither slavery nor involuntary servitude, except as a punishment for crime whereof the party shall have been duly convicted, shall exist within the United States, or any place subject to their jurisdiction.</p>
<p>Section 2.<br />
Congress shall have power to enforce this article by appropriate legislation.</p>
<p><strong>AMENDMENT XIV</strong></p>
<p>Section 1.<br />
All persons born or naturalized in the United States, and subject to the jurisdiction thereof, are citizens of the United States and of the State wherein they reside. No State shall make or enforce any law which shall abridge the privileges or immunities of citizens of the United States; nor shall any State deprive any person of life, liberty, or property, without due process of law; nor deny to any person within its jurisdiction the equal protection of the laws.</p>
<p>Section 2.<br />
Representatives shall be apportioned among the several States according to their respective numbers, counting the whole number of persons in each State, excluding Indians not taxed. But when the right to vote at any election for the choice of electors for President and Vice-President of the United States, Representatives in Congress, the Executive and Judicial officers of a State, or the members of the Legislature thereof, is denied to any of the male inhabitants of such State, being twenty-one years of age, and citizens of the United States, or in any way abridged, except for participation in rebellion, or other crime, the basis of representation therein shall be reduced in the proportion which the number of such male citizens shall bear to the whole number of male citizens twenty-one years of age in such State.</p>
<p>Section 3.<br />
No person shall be a Senator or Representative in Congress, or elector of President and Vice-President, or hold any office, civil or military, under the United States, or under any State, who, having previously taken an oath, as a member of Congress, or as an officer of the United States, or as a member of any State legislature, or as an executive or judicial officer of any State, to support the Constitution of the United States, shall have engaged in insurrection or rebellion against the same, or given aid or comfort to the enemies thereof. But Congress may by a vote of two-thirds of each House, remove such disability.</p>
<p>Section 4.<br />
The validity of the public debt of the United States, authorized by law, including debts incurred for payment of pensions and bounties for services in suppressing insurrection or rebellion, shall not be questioned. But neither the United States nor any State shall assume or pay any debt or obligation incurred in aid of insurrection or rebellion against the United States, or any claim for the loss or emancipation of any slave; but all such debts, obligations and claims shall be held illegal and void.</p>
<p>Section 5.<br />
The Congress shall have the power to enforce, by appropriate legislation, the provisions of this article.</p>
<p><strong>AMENDMENT XV</strong></p>
<p>Section 1.<br />
The right of citizens of the United States to vote shall not be denied or abridged by the United States or by any State on account of race, color, or previous condition of servitude&#8211;</p>
<p>Section 2.<br />
The Congress shall have the power to enforce this article by appropriate legislation.</p>
<p><strong>AMENDMENT XVI</strong></p>
<p>The Congress shall have power to lay and collect taxes on incomes, from whatever source derived, without apportionment among the several States, and without regard to any census or enumeration.</p>
<p><strong>AMENDMENT XVII</strong></p>
<p>The Senate of the United States shall be composed of two Senators from each State, elected by the people thereof, for six years; and each Senator shall have one vote. The electors in each State shall have the qualifications requisite for electors of the most numerous branch of the State legislatures.</p>
<p>When vacancies happen in the representation of any State in the Senate, the executive authority of such State shall issue writs of election to fill such vacancies: Provided, That the legislature of any State may empower the executive thereof to make temporary appointments until the people fill the vacancies by election as the legislature may direct.</p>
<p>This amendment shall not be so construed as to affect the election or term of any Senator chosen before it becomes valid as part of the Constitution.</p>
<p><strong>AMENDMENT XVIII</strong></p>
<p>Section 1.<br />
After one year from the ratification of this article the manufacture, sale, or transportation of intoxicating liquors within, the importation thereof into, or the exportation thereof from the United States and all territory subject to the jurisdiction thereof for beverage purposes is hereby prohibited.</p>
<p>Section 2.<br />
The Congress and the several States shall have concurrent power to enforce this article by appropriate legislation.</p>
<p>Section 3.<br />
This article shall be inoperative unless it shall have been ratified as an amendment to the Constitution by the legislatures of the several States, as provided in the Constitution, within seven years from the date of the submission hereof to the States by the Congress.</p>
<p><strong>AMENDMENT XIX</strong></p>
<p>The right of citizens of the United States to vote shall not be denied or abridged by the United States or by any State on account of sex.</p>
<p>Congress shall have power to enforce this article by appropriate legislation.</p>
<p><strong>AMENDMENT XX</strong></p>
<p>Section 1.<br />
The terms of the President and the Vice President shall end at noon on the 20th day of January, and the terms of Senators and Representatives at noon on the 3d day of January, of the years in which such terms would have ended if this article had not been ratified; and the terms of their successors shall then begin.</p>
<p>Section 2.<br />
The Congress shall assemble at least once in every year, and such meeting shall begin at noon on the 3d day of January, unless they shall by law appoint a different day.</p>
<p>Section 3.<br />
If, at the time fixed for the beginning of the term of the President, the President elect shall have died, the Vice President elect shall become President. If a President shall not have been chosen before the time fixed for the beginning of his term, or if the President elect shall have failed to qualify, then the Vice President elect shall act as President until a President shall have qualified; and the Congress may by law provide for the case wherein neither a President elect nor a Vice President shall have qualified, declaring who shall then act as President, or the manner in which one who is to act shall be selected, and such person shall act accordingly until a President or Vice President shall have qualified.</p>
<p>Section 4.<br />
The Congress may by law provide for the case of the death of any of the persons from whom the House of Representatives may choose a President whenever the right of choice shall have devolved upon them, and for the case of the death of any of the persons from whom the Senate may choose a Vice President whenever the right of choice shall have devolved upon them.</p>
<p>Section 5.<br />
Sections 1 and 2 shall take effect on the 15th day of October following the ratification of this article.</p>
<p>Section 6.<br />
This article shall be inoperative unless it shall have been ratified as an amendment to the Constitution by the legislatures of three-fourths of the several States within seven years from the date of its submission.</p>
<p><strong>AMENDMENT XXI</strong></p>
<p>Section 1.<br />
The eighteenth article of amendment to the Constitution of the United States is hereby repealed.</p>
<p>Section 2.<br />
The transportation or importation into any State, Territory, or Possession of the United States for delivery or use therein of intoxicating liquors, in violation of the laws thereof, is hereby prohibited.</p>
<p>Section 3.<br />
This article shall be inoperative unless it shall have been ratified as an amendment to the Constitution by conventions in the several States, as provided in the Constitution, within seven years from the date of the submission hereof to the States by the Congress.</p>
<p><strong>AMENDMENT XXII</strong></p>
<p>Section 1.<br />
No person shall be elected to the office of the President more than twice, and no person who has held the office of President, or acted as President, for more than two years of a term to which some other person was elected President shall be elected to the office of President more than once. But this Article shall not apply to any person holding the office of President when this Article was proposed by Congress, and shall not prevent any person who may be holding the office of President, or acting as President, during the term within which this Article becomes operative from holding the office of President or acting as President during the remainder of such term.</p>
<p>Section 2.<br />
This article shall be inoperative unless it shall have been ratified as an amendment to the Constitution by the legislatures of three-fourths of the several States within seven years from the date of its submission to the States by the Congress.</p>
<p><strong>AMENDMENT XXIII</strong></p>
<p>Section 1.<br />
The District constituting the seat of Government of the United States shall appoint in such manner as Congress may direct:</p>
<p>A number of electors of President and Vice President equal to the whole number of Senators and Representatives in Congress to which the District would be entitled if it were a State, but in no event more than the least populous State; they shall be in addition to those appointed by the States, but they shall be considered, for the purposes of the election of President and Vice President, to be electors appointed by a State; and they shall meet in the District and perform such duties as provided by the twelfth article of amendment.</p>
<p>Section 2.<br />
The Congress shall have power to enforce this article by appropriate legislation.</p>
<p><strong>AMENDMENT XXIV</strong></p>
<p>Section 1.<br />
The right of citizens of the United States to vote in any primary or other election for President or Vice President, for electors for President or Vice President, or for Senator or Representative in Congress, shall not be denied or abridged by the United States or any State by reason of failure to pay poll tax or other tax.</p>
<p>Section 2.<br />
The Congress shall have power to enforce this article by appropriate legislation.</p>
<p><strong>AMENDMENT XXV</strong></p>
<p>Section 1.<br />
In case of the removal of the President from office or of his death or resignation, the Vice President shall become President.</p>
<p>Section 2.<br />
Whenever there is a vacancy in the office of the Vice President, the President shall nominate a Vice President who shall take office upon confirmation by a majority vote of both Houses of Congress.</p>
<p>Section 3.<br />
Whenever the President transmits to the President pro tempore of the Senate and the Speaker of the House of Representatives his written declaration that he is unable to discharge the powers and duties of his office, and until he transmits to them a written declaration to the contrary, such powers and duties shall be discharged by the Vice President as Acting President.</p>
<p>Section 4.<br />
Whenever the Vice President and a majority of either the principal officers of the executive departments or of such other body as Congress may by law provide, transmit to the President pro tempore of the Senate and the Speaker of the House of Representatives their written declaration that the President is unable to discharge the powers and duties of his office, the Vice President shall immediately assume the powers and duties of the office as Acting President.</p>
<p>Thereafter, when the President transmits to the President pro tempore of the Senate and the Speaker of the House of Representatives his written declaration that no inability exists, he shall resume the powers and duties of his office unless the Vice President and a majority of either the principal officers of the executive department or of such other body as Congress may by law provide, transmit within four days to the President pro tempore of the Senate and the Speaker of the House of Representatives their written declaration that the President is unable to discharge the powers and duties of his office. Thereupon Congress shall decide the issue, assembling within forty-eight hours for that purpose if not in session. If the Congress, within twenty-one days after receipt of the latter written declaration, or, if Congress is not in session, within twenty-one days after Congress is required to assemble, determines by two-thirds vote of both Houses that the President is unable to discharge the powers and duties of his office, the Vice President shall continue to discharge the same as Acting President; otherwise, the President shall resume the powers and duties of his office.</p>
<p><strong>AMENDMENT XXVI</strong></p>
<p>Section 1.<br />
The right of citizens of the United States, who are eighteen years of age or older, to vote shall not be denied or abridged by the United States or by any State on account of age.</p>
<p>Section 2.<br />
The Congress shall have power to enforce this article by appropriate legislation.</p>
<p><strong>AMENDMENT XXVII</strong></p>
<p>No law, varying the compensation for the services of the Senators and Representatives, shall take effect, until an election of representatives shall have intervened.</p>
<p>&nbsp;</p>
<p>AMENDMENT XI</p>
<p>The Judicial power of the United States shall not be construed to extend to any suit in law or equity, commenced or prosecuted against one of the United States by Citizens of another State, or by Citizens or Subjects of any Foreign State.</p>
<p>AMENDMENT XII</p>
<p>The Electors shall meet in their respective states and vote by ballot for President and Vice-President, one of whom, at least, shall not be an inhabitant of the same state with themselves; they shall name in their ballots the person voted for as President, and in distinct ballots the person voted for as Vice-President, and they shall make distinct lists of all persons voted for as President, and of all persons voted for as Vice-President, and of the number of votes for each, which lists they shall sign and certify, and transmit sealed to the seat of the government of the United States, directed to the President of the Senate; &#8212; the President of the Senate shall, in the presence of the Senate and House of Representatives, open all the certificates and the votes shall then be counted; &#8212; The person having the greatest number of votes for President, shall be the President, if such number be a majority of the whole number of Electors appointed; and if no person have such majority, then from the persons having the highest numbers not exceeding three on the list of those voted for as President, the House of Representatives shall choose immediately, by ballot, the President. But in choosing the President, the votes shall be taken by states, the representation from each state having one vote; a quorum for this purpose shall consist of a member or members from two-thirds of the states, and a majority of all the states shall be necessary to a choice. And if the House of Representatives shall not choose a President whenever the right of choice shall devolve upon them, before the fourth day of March next following, then the Vice-President shall act as President, as in case of the death or other constitutional disability of the President. 
The person having the greatest number of votes as Vice-President, shall be the Vice-President, if such number be a majority of the whole number of Electors appointed, and if no person have a majority, then from the two highest numbers on the list, the Senate shall choose the Vice-President; a quorum for the purpose shall consist of two-thirds of the whole number of Senators, and a majority of the whole number shall be necessary to a choice. But no person constitutionally ineligible to the office of President shall be eligible to that of Vice-President of the United States.</p>
<p>AMENDMENT XIII</p>
<p>Section 1.<br />
Neither slavery nor involuntary servitude, except as a punishment for crime whereof the party shall have been duly convicted, shall exist within the United States, or any place subject to their jurisdiction.</p>
<p>Section 2.<br />
Congress shall have power to enforce this article by appropriate legislation.</p>
<p>AMENDMENT XIV</p>
<p>Section 1.<br />
All persons born or naturalized in the United States, and subject to the jurisdiction thereof, are citizens of the United States and of the State wherein they reside. No State shall make or enforce any law which shall abridge the privileges or immunities of citizens of the United States; nor shall any State deprive any person of life, liberty, or property, without due process of law; nor deny to any person within its jurisdiction the equal protection of the laws.</p>
<p>Section 2.<br />
Representatives shall be apportioned among the several States according to their respective numbers, counting the whole number of persons in each State, excluding Indians not taxed. But when the right to vote at any election for the choice of electors for President and Vice-President of the United States, Representatives in Congress, the Executive and Judicial officers of a State, or the members of the Legislature thereof, is denied to any of the male inhabitants of such State, being twenty-one years of age, and citizens of the United States, or in any way abridged, except for participation in rebellion, or other crime, the basis of representation therein shall be reduced in the proportion which the number of such male citizens shall bear to the whole number of male citizens twenty-one years of age in such State.</p>
<p>Section 3.<br />
No person shall be a Senator or Representative in Congress, or elector of President and Vice-President, or hold any office, civil or military, under the United States, or under any State, who, having previously taken an oath, as a member of Congress, or as an officer of the United States, or as a member of any State legislature, or as an executive or judicial officer of any State, to support the Constitution of the United States, shall have engaged in insurrection or rebellion against the same, or given aid or comfort to the enemies thereof. But Congress may by a vote of two-thirds of each House, remove such disability.</p>
<p>Section 4.<br />
The validity of the public debt of the United States, authorized by law, including debts incurred for payment of pensions and bounties for services in suppressing insurrection or rebellion, shall not be questioned. But neither the United States nor any State shall assume or pay any debt or obligation incurred in aid of insurrection or rebellion against the United States, or any claim for the loss or emancipation of any slave; but all such debts, obligations and claims shall be held illegal and void.</p>
<p>Section 5.<br />
The Congress shall have the power to enforce, by appropriate legislation, the provisions of this article.</p>
<p>AMENDMENT XV</p>
<p>Section 1.<br />
The right of citizens of the United States to vote shall not be denied or abridged by the United States or by any State on account of race, color, or previous condition of servitude&#8211;</p>
<p>Section 2.<br />
The Congress shall have the power to enforce this article by appropriate legislation.</p>
<p>AMENDMENT XVI</p>
<p>The Congress shall have power to lay and collect taxes on incomes, from whatever source derived, without apportionment among the several States, and without regard to any census or enumeration.</p>
<p>AMENDMENT XVII</p>
<p>The Senate of the United States shall be composed of two Senators from each State, elected by the people thereof, for six years; and each Senator shall have one vote. The electors in each State shall have the qualifications requisite for electors of the most numerous branch of the State legislatures.</p>
<p>When vacancies happen in the representation of any State in the Senate, the executive authority of such State shall issue writs of election to fill such vacancies: Provided, That the legislature of any State may empower the executive thereof to make temporary appointments until the people fill the vacancies by election as the legislature may direct.</p>
<p>This amendment shall not be so construed as to affect the election or term of any Senator chosen before it becomes valid as part of the Constitution.</p>
<p>AMENDMENT XVIII</p>
<p>Section 1.<br />
After one year from the ratification of this article the manufacture, sale, or transportation of intoxicating liquors within, the importation thereof into, or the exportation thereof from the United States and all territory subject to the jurisdiction thereof for beverage purposes is hereby prohibited.</p>
<p>Section 2.<br />
The Congress and the several States shall have concurrent power to enforce this article by appropriate legislation.</p>
<p>Section 3.<br />
This article shall be inoperative unless it shall have been ratified as an amendment to the Constitution by the legislatures of the several States, as provided in the Constitution, within seven years from the date of the submission hereof to the States by the Congress.</p>
<p>AMENDMENT XIX</p>
<p>The right of citizens of the United States to vote shall not be denied or abridged by the United States or by any State on account of sex.</p>
<p>Congress shall have power to enforce this article by appropriate legislation.</p>
<p>AMENDMENT XX</p>
<p>Section 1.<br />
The terms of the President and the Vice President shall end at noon on the 20th day of January, and the terms of Senators and Representatives at noon on the 3d day of January, of the years in which such terms would have ended if this article had not been ratified; and the terms of their successors shall then begin.</p>
<p>Section 2.<br />
The Congress shall assemble at least once in every year, and such meeting shall begin at noon on the 3d day of January, unless they shall by law appoint a different day.</p>
<p>Section 3.<br />
If, at the time fixed for the beginning of the term of the President, the President elect shall have died, the Vice President elect shall become President. If a President shall not have been chosen before the time fixed for the beginning of his term, or if the President elect shall have failed to qualify, then the Vice President elect shall act as President until a President shall have qualified; and the Congress may by law provide for the case wherein neither a President elect nor a Vice President shall have qualified, declaring who shall then act as President, or the manner in which one who is to act shall be selected, and such person shall act accordingly until a President or Vice President shall have qualified.</p>
<p>Section 4.<br />
The Congress may by law provide for the case of the death of any of the persons from whom the House of Representatives may choose a President whenever the right of choice shall have devolved upon them, and for the case of the death of any of the persons from whom the Senate may choose a Vice President whenever the right of choice shall have devolved upon them.</p>
<p>Section 5.<br />
Sections 1 and 2 shall take effect on the 15th day of October following the ratification of this article.</p>
<p>Section 6.<br />
This article shall be inoperative unless it shall have been ratified as an amendment to the Constitution by the legislatures of three-fourths of the several States within seven years from the date of its submission.</p>
<p>AMENDMENT XXI</p>
<p>Section 1.<br />
The eighteenth article of amendment to the Constitution of the United States is hereby repealed.</p>
<p>Section 2.<br />
The transportation or importation into any State, Territory, or Possession of the United States for delivery or use therein of intoxicating liquors, in violation of the laws thereof, is hereby prohibited.</p>
<p>Section 3.<br />
This article shall be inoperative unless it shall have been ratified as an amendment to the Constitution by conventions in the several States, as provided in the Constitution, within seven years from the date of the submission hereof to the States by the Congress.</p>
<p>AMENDMENT XXII</p>
<p>Section 1.<br />
No person shall be elected to the office of the President more than twice, and no person who has held the office of President, or acted as President, for more than two years of a term to which some other person was elected President shall be elected to the office of President more than once. But this Article shall not apply to any person holding the office of President when this Article was proposed by Congress, and shall not prevent any person who may be holding the office of President, or acting as President, during the term within which this Article becomes operative from holding the office of President or acting as President during the remainder of such term.</p>
<p>Section 2.<br />
This article shall be inoperative unless it shall have been ratified as an amendment to the Constitution by the legislatures of three-fourths of the several States within seven years from the date of its submission to the States by the Congress.</p>
<p>AMENDMENT XXIII</p>
<p>Section 1.<br />
The District constituting the seat of Government of the United States shall appoint in such manner as Congress may direct:</p>
<p>A number of electors of President and Vice President equal to the whole number of Senators and Representatives in Congress to which the District would be entitled if it were a State, but in no event more than the least populous State; they shall be in addition to those appointed by the States, but they shall be considered, for the purposes of the election of President and Vice President, to be electors appointed by a State; and they shall meet in the District and perform such duties as provided by the twelfth article of amendment.</p>
<p>Section 2.<br />
The Congress shall have power to enforce this article by appropriate legislation.</p>
<p>AMENDMENT XXIV</p>
<p>Section 1.<br />
The right of citizens of the United States to vote in any primary or other election for President or Vice President, for electors for President or Vice President, or for Senator or Representative in Congress, shall not be denied or abridged by the United States or any State by reason of failure to pay poll tax or other tax.</p>
<p>Section 2.<br />
The Congress shall have power to enforce this article by appropriate legislation.</p>
<p>AMENDMENT XXV</p>
<p>Section 1.<br />
In case of the removal of the President from office or of his death or resignation, the Vice President shall become President.</p>
<p>Section 2.<br />
Whenever there is a vacancy in the office of the Vice President, the President shall nominate a Vice President who shall take office upon confirmation by a majority vote of both Houses of Congress.</p>
<p>Section 3.<br />
Whenever the President transmits to the President pro tempore of the Senate and the Speaker of the House of Representatives his written declaration that he is unable to discharge the powers and duties of his office, and until he transmits to them a written declaration to the contrary, such powers and duties shall be discharged by the Vice President as Acting President.</p>
<p>Section 4.<br />
Whenever the Vice President and a majority of either the principal officers of the executive departments or of such other body as Congress may by law provide, transmit to the President pro tempore of the Senate and the Speaker of the House of Representatives their written declaration that the President is unable to discharge the powers and duties of his office, the Vice President shall immediately assume the powers and duties of the office as Acting President.</p>
<p>Thereafter, when the President transmits to the President pro tempore of the Senate and the Speaker of the House of Representatives his written declaration that no inability exists, he shall resume the powers and duties of his office unless the Vice President and a majority of either the principal officers of the executive department or of such other body as Congress may by law provide, transmit within four days to the President pro tempore of the Senate and the Speaker of the House of Representatives their written declaration that the President is unable to discharge the powers and duties of his office. Thereupon Congress shall decide the issue, assembling within forty-eight hours for that purpose if not in session. If the Congress, within twenty-one days after receipt of the latter written declaration, or, if Congress is not in session, within twenty-one days after Congress is required to assemble, determines by two-thirds vote of both Houses that the President is unable to discharge the powers and duties of his office, the Vice President shall continue to discharge the same as Acting President; otherwise, the President shall resume the powers and duties of his office.</p>
<p>AMENDMENT XXVI</p>
<p>Section 1.<br />
The right of citizens of the United States, who are eighteen years of age or older, to vote shall not be denied or abridged by the United States or by any State on account of age.</p>
<p>Section 2.<br />
The Congress shall have power to enforce this article by appropriate legislation.</p>
<p>AMENDMENT XXVII</p>
<p>No law, varying the compensation for the services of the Senators and Representatives, shall take effect, until an election of representatives shall have intervened.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://blog.starmind.org/2012/04/11/policies-procedures-and-politics/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.starmind.org/2012/04/11/policies-procedures-and-politics/</feedburner:origLink></item>
		<item>
		<title>So you want a new job… adapted from a presentation.</title>
		<link>http://feedproxy.google.com/~r/starmind-blog/~3/sxdEIj4ZJ9c/</link>
		<comments>http://blog.starmind.org/2012/04/07/so-you-want-a-new-job-adapted-from-a-presentation/#comments</comments>
		<pubDate>Sat, 07 Apr 2012 05:48:22 +0000</pubDate>
		<dc:creator>jmore@starmind.org (Josh More)</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://blog.starmind.org/?p=1121</guid>
		<description>Introduction This post details the techniques that many people, including myself, have used to find the jobs that we love. However, it is not for everybody. This process requires time&amp;#8230; time to think about who you are and what you want. This is a long game and if you&amp;#8217;re going to win it, you have [...]</description>
			<content:encoded><![CDATA[<p><strong>Introduction</strong></p>
<p>This post details the techniques that many people, including myself, have used to find the jobs that we love. However, it is not for everybody. This process requires time&#8230; time to think about who you are and what you want. This is a long game and if you&#8217;re going to win it, you have to be able to focus on the process.</p>
<p>This means that if you have a job that you can tolerate for a while and want a better one, this is for you. If, however, you are unemployed and out of savings, this is probably not the best path. If you&#8217;re in this situation, you are probably better off finding a job that is tolerable. Once you have that, this process should help you on your next search.</p>
<p>If you have just been laid off, this process might be right for you and it might not. This will only work if you can take the time to understand yourself. In Western culture, we tend to derive much of our identity from our occupation. (Just look at some of our last names.) Thus, if we lose our job, we also lose our position in society and our identity within our own minds. It would be best to deal with those issues first. If you have saved up enough resources to do the self analysis and then go through this process, go for it. However, if savings are slim, it would probably be better to get any job you can, get yourself stable and then start down this path.</p>
<p><strong>Leaving</strong></p>
<p>First of all, you must understand why you want to leave your current job. Common reasons include wanting to do more important work, to make more money, to gain more respect and to gain additional flexibility with regard to how, when and where you work. You may wish to move to a new city or find an organization with a culture that fits you better. You may also not be running to something, but running *from* something. If you are in a situation where legal, moral or abuse issues are driving you to seek another situation, what you need will be very different. Knowing this will help you evaluate new opportunities.</p>
<p>In addition to knowing what you want, it is important to know who you are. I have turned down several offers in the course of my career that would have been perfect for the person that I once was. I&#8217;ve turned down offers that involved more traveling than I want and offers that would require me to move to a city that I don&#8217;t want to live in. Knowing what is right for me has helped me know when to focus on improving what I have and when it&#8217;s time to move on. The following questions should help you determine what you really want to do with your life.</p>
<ul>
<li>What do you love?</li>
<li>What do you hate?</li>
<li>What would you do for free?</li>
<li>Do any moral issues limit your options?</li>
<li>What are your short-term goals?</li>
<li>What are your long-term goals?</li>
</ul>
<ul>
<li>What&#8217;s your primary goal in looking for something better?</li>
<ul>
<li>More money?</li>
<li>More responsibility?</li>
<li>Less responsibility?</li>
<li>Different work environment?</li>
<li>More flexibility?</li>
</ul>
</ul>
<p><strong>Visibility</strong></p>
<p>Next up is working on your visibility. This includes things like creating a personal website. Buy your own domain, it looks better that way. As you do work, try to be public about it. This means writing articles, releasing code (when you can) and being generally active on mailing lists. Tie this activity to your web site. The goal is to own the search engines. If you check out my personal site, you can see that I list some articles, some papers and some fun stuff. I also post my resumes, so they get caught up in the interest that my other posts drive. (Keep your home address, date of birth and similar identity details off the public copy; a published resume is exactly the kind of document an identity thief or social engineer starts from, so limit it to what a recruiter actually needs.) All of this improves Search Engine Optimization (SEO). You can also drive some of this traffic by posting links in social media, but remember that the goal of social media is to be social. You&#8217;re more likely to get a job from someone you know via social media than via a link you posted on social media.</p>
<p>The key here is to be as public-facing as you can. For most jobs/careers, being publicly visible is more of an advantage than it is a drawback. This post is very tech focused, as that&#8217;s where my personal experience is. However, the more visible you are in (almost) any industry, the more likely you are to be noticed by others. There&#8217;s going to be information out there about you anyway. The more of it that is created by you, the harder it is to find anything negative that someone else might put up about you. (It does, of course, help to minimize the amount of stupid stuff you do in the public eye.)</p>
<p>I have been lucky that much of what I do is in the public eye, but this has been a progression. Writing white papers, helping with marketing documents, working on open source projects and such all help get your name out there. If you do create public-facing documents for your current company, make sure that they are appropriate to be released: confirm that you actually have the right to republish them, and strip client names, internal hostnames, pricing and anything else confidential. A document that is created for a prospect may need to be cleaned up before it&#8217;s ready to be shown to someone else. This also applies to items that you may wish to adapt from a forum/mailing list post and turn into an article or blog entry. As you work on this stuff, build a portfolio of items that you can show off in an interview. Then, before the interview, hire a freelance editor to review the portfolio and make sure that there are no stupid typos or grammar issues lurking therein. This can be pricey, but a few hundred dollars spent to fix your mistakes will likely be made up in your first paycheck at the new job.</p>
<p>Lastly, line up freelance work to do in the evenings and weekends. This raises funds to help with the job search (less debt makes it easier to take greater risks) and helps you learn more quickly. I mostly do freelance work in the publishing and education industries (editing, writing questions, etc), but there are many options out there.</p>
<p>&nbsp;</p>
<p><strong>Resume</strong></p>
<p>So, about the resume&#8230; you should focus on two areas. First, each point should link to a story. These stories are what you&#8217;d tell in a job interview. They should be written to generate interest, whether in someone browsing your site or sitting in front of you. Remember, the resume is primarily a tool to get people to talk to and about you. Secondly, the resume is a tool to get you past the HR filters. This means that you need to write it to match database queries. It has to list your skills and use all the terms that HR is going to use when they search it.</p>
<p>A few SEO tips (Google &#8220;SEO&#8221; for many many more):</p>
<ul>
<li>Put the name in bold at the top. You want a search for &#8220;obscure skill&#8221; to link to your name, not &#8220;Security Resume.pdf&#8221;.</li>
<li>Similarly, name the file &#8220;&lt;Your Name&gt; &#8211; &lt;Prime Skill&gt;.&lt;whatever&gt;&#8221;.  For example: &#8220;Josh More &#8211; Security.pdf&#8221;.</li>
<ul>
<li>Recruiters &amp; HR people get lots of resumes. Make yours easy to find.</li>
</ul>
<li>Place any certifications you have at the top. This is what a lot of HR folks are going to search for.</li>
<li>Don&#8217;t use an objective, use a profile. We&#8217;re used to them on social media sites, and they support SEO-happy keywords.</li>
<li>Keep each bullet to one line. Keep your writing short and pithy.</li>
<li>If you have more than five certifications, put them all on your online resume. You&#8217;ll need them to turn up in searches.</li>
<li>Printed or emailed resumes need to be shorter and more targeted. Consider limiting certifications to just those that are directly applicable so you don&#8217;t come across as a distracted learner.</li>
</ul>
<p>&nbsp;</p>
<p><strong>Squishy Skills</strong></p>
<p>Once you get in front of someone, you have to be good at talking to them. This is social stuff and those of us in technology are usually pretty bad at it. Tough. If you know you&#8217;re bad at something and don&#8217;t fix it, you&#8217;re lazy and don&#8217;t deserve a better job. Fix your social skills by working on them. Books can help (see end of this post). After that, you need practice. Preferably, you need practice in two areas: one-to-one discussion and one-to-many.</p>
<p>For one-to-one, you&#8217;ve got to talk to people. Consider volunteering for events in your area. If you run a table with someone, you get to practice talking during the slow times. You can go to lunch or business after hours events. It&#8217;ll be uncomfortable at first, but after a few times, you&#8217;ll get a lot better at it. In my field, I&#8217;ve volunteered for events like Software Freedom Day, CCDC and for local nonprofits. Not only does this provide good practice, but it gives you the ability to get good references from people outside of your current job.</p>
<p>For one-to-many, you need presentation practice. I like BNI and Toastmasters. These groups get you out of your comfort zone, so you can improve much faster. You can also practice meeting and getting along with strangers at various groups. Look for a local Linux or programming user group. If you&#8217;re in the security field, look at Infragard, ISSA and your local CitySec group. Most of these groups are desperate for speakers and are very welcoming of people regardless of experience level.</p>
<p>Any time you build skills you run the risk of someone, like your boss, noticing. In my experience, this risk is significantly lower than most people think. Yes, you&#8217;re changing and growing as a person. However, it&#8217;s the people that like you that pay attention to you. If you were surrounded by people that liked you, you&#8217;d probably not be looking for a new job. The fear of &#8220;My boss will find out I&#8217;m looking and fire me&#8221; is almost entirely FUD (Fear, Uncertainty and Doubt) that is promoted by bad bosses because it keeps their people in line. Most people aren&#8217;t watching what you do in your off hours because it takes time and TV is more interesting.</p>
<p>If you&#8217;re really worried about this, you have to use squishy skills to play your boss. Find a way to make it their idea that you get involved. Saying things like &#8220;I was chatting with a friend about &lt;Problem&gt; and they recommended that I work up a presentation for the &lt;Topic&gt; user group, but I&#8217;m not sure. Would you mind if I talked about how you helped the team find the solution to this problem?&#8221; If you just do a little bit of ego stroking, you can usually get permission. Then, once you have permission, it&#8217;s easy to stretch it: &#8220;This other group wanted to hear my presentation too&#8221; and &#8220;The group asked me to write a blog post about it&#8221;.  Then, when you&#8217;re regularly presenting and blogging, you can slowly stop asking for permission and shift towards informing your boss about what&#8217;s going on.</p>
<p>&nbsp;</p>
<p><strong>Targeting</strong></p>
<p>Remember, you never use a resume to open a door. You use it to drive conversation. You get in through the window. No one is watching the windows. The rest of this post is on picking a window and getting through it.</p>
<p>First, you need to pick some companies/organizations to target. To do this, consider your industry experience. Even if you don&#8217;t have much experience outside of your industry, consider peripheral industry types. For example, if you work in a bank, you could look at other banks, credit unions, collection agencies and loan administration groups. If you want out of your industry entirely, look for industries with similar roles. This may mean that it will take you two steps to get your dream job&#8230; one lateral move to another industry and then a leap within that industry to where you really want to be (like a knight in chess).</p>
<p>When you&#8217;re pondering lateral moves, you should think, not about what you want to do, but what sorts of industries you can work in and how your current job would blend into that industry. For example, if you do system administration in the Finance sector, you may not be working with the same applications if you move to Health Care, but you would be using similar operating systems and doing similar operations tasks. If you&#8217;re doing programming work, you might not use the same libraries, but the languages would be similar.</p>
<p>Once you know your possible industries, pick your geographic area and make a list of all the companies in each target industry. Resources like your local metro area&#8217;s _Book of Lists_ and the annual newspaper&#8217;s list of &#8220;best places to work in &lt;City&gt;&#8221; can be helpful here. This will likely result in quite a lot of options, so you&#8217;ll need to narrow them down.</p>
<p>I like to first narrow by stability. Look at how long the organization has been in business and what you can determine of their customer base. Look at total number of customers and whether there is a single &#8220;megacustomer&#8221; that provides most of their revenue. In the latter case, the risk is higher because if that customer leaves, it&#8217;ll gut the company on the way out. Then look at the reputation. Talk to competitors, customers and search legal databases to see how often they&#8217;ve sued or been sued. You want to make sure that your dream job doesn&#8217;t vanish out from under you, so take your time here.</p>
<p>If the list is still too big, look at the technologies that you like. Identify the companies that make each technology and call the person that manages their partner program. Ask that person which other companies in your target area work with their technologies and, in their opinion, which would be the best to work for. It is surprisingly easy to get this information.</p>
<p>If you need to narrow it further, use the tools you have.  Talk to friends about the companies on your list and see what you learn. Use tools like LinkedIn, Google, Bing, Google Groups, Mailing lists, RapLeaf and Maltego to build a &#8220;profile&#8221; of notes for each company. (Several of these are data aggregators; stick to information the company or its people have published themselves, and don&#8217;t keep more personal data in your notes than you need.) Then rank them and start with your favorite.</p>
<p>&nbsp;</p>
<p><strong>Getting In</strong></p>
<p>Now for the fun part. Use LinkedIn, Maltego and eSearchy to build a list of the people who work for that organization and try to sort them by department. For the department you&#8217;re targeting, learn what you can about them (Google, Bing, Facebook, LinkedIn, etc) and see if you can map out their interests. See if you have a friend in common or a friend of a friend who can make an introduction. See if you have shared interests and if you can manage to bump into them at a user group. Keep this to passive, open-source research: use only information people have published about themselves, stay within the terms of service of the sites you query, and never probe the company&#8217;s systems, pretext its staff or otherwise do anything illegal to get information. (This is the same reconnaissance a social engineer does before an attack, so be mindful of how it looks if you reveal how much you have learned.) If the information is out there, you might as well use it. Think of this as shopping for a boss. Learn as much as you can about the person you want as a boss and about their bosses.</p>
<p>Now search their web site, and search for their name across all other websites. Look for areas of improvement in their products and services. Forums are excellent sources of information. So are press releases and newsletters. Take the time to figure out their primary competitors and figure out where they fit. Make a feature chart if you can and map out where they may be lacking when compared to the competition and where the industry as a whole is lacking. See if you can come up with ideas to fix things, open up new markets and make the company more &#8220;sticky&#8221; with respect to their customers.</p>
<p>Remember the squishy skills I said you&#8217;d need? This is where you use them. Get an introduction to your hopefully-new boss. Go with friend-of-friend if you can, but if you can&#8217;t, see if you can identify a former or current employee to introduce you. People like to be helpful, so let them. A cover letter may or may not help this process. If you are successful in getting a personal introduction, you don&#8217;t need a letter. However, if the best you can do is find out the name of the new boss and what they&#8217;re looking for, a cover letter is very important.</p>
<p>If you must write a cover letter, keep it simple. Leave your hopes and dreams out of it. Focus on how you&#8217;ll help your new boss. Talk about what you think their problems are and how you think you can help. Identify things you&#8217;ve done in the past to solve similar problems. Remember that the less you explain *how* you solved them, the more likely you are to be invited in to discuss that process. The goal of the cover letter is not to get a job or to completely explain yourself&#8230; it&#8217;s to get an appointment.</p>
<p>Once you get the appointment, be prepared to work very hard for a few weeks.</p>
<p>&nbsp;</p>
<p><strong>Personal Branding</strong></p>
<p>Review your website to make sure that it conveys what you want to the person you&#8217;ll be talking to. If you&#8217;ve been maintaining it and pruning out comment spam and informality, this should be easy. Next, you&#8217;ll need a business card. You can generate your own and have it printed at a local print shop, but if you have a friend in the industry, see if they&#8217;ll help you out. Ideally, your business card will be awesome, but if you can&#8217;t make it awesome, make it memorable. Think of titles like &#8220;Hopeful Job Candidate&#8221; or &#8220;Revenue Booster&#8221;. Think of putting other information on the card like hobbies. This makes you seem more personable and creates additional connections in the target&#8217;s brain so they&#8217;ll remember you better. Do not use one of those free services. They usually put their name on the back of the card, which splits the brand and makes you look cheap.</p>
<p>Then, update and spell check your resume. Then contact your friends and create a page of references to have ready in case the company asks for them. If time allows, create some blog entries that are written with your target&#8217;s customers in mind. Fill enough of your blog/site so that only new content exists on the first page.</p>
<p>Now, pull out your portfolio. Get some folders from your local office supply store and build everything out. You&#8217;ll want to have any public handouts, flyers, pamphlets, whitepapers etc in one pocket. Put your list of skills, references (optionally) and resume over top of them, leaving the other pocket empty.  If you get a folder with a spot for a business card, put that in the right spot.</p>
<p>Now you get to fill the other pocket.<br />
<strong>Targeted Portfolio</strong></p>
<p>Remember that competitive review you did? Make it look all pretty, put it in the target&#8217;s colours and print it out. It goes in the empty pocket.  Remember the research you did on what the company can do to fix problems or add functionality? Write that up too, make it look pretty and put it in the empty pocket.  Consider writing a strategy paper for a new business endeavor, filming yourself presenting and putting it on DVD or coming up with a list of potential clients. Put all of this in the empty pocket. Think of what could be combined with the existing product that could increase revenue through upsells or feature enhancements.</p>
<p>The goal is to have at least five items that show that you are a smart person who is willing to work hard and help out the company. This way, one half of your portfolio is about you&#8230; what you&#8217;ve done and who you are.  The other half is about what you will do&#8230; if they hire you. The fact that if they don&#8217;t hire you, you might do the same for their competitor is one that you&#8217;re best off letting them realize themselves.</p>
<p>If time permits, search your network for someone at the same level as your hopeful new boss. See if they&#8217;ll meet with you, perhaps over lunch, and review the portfolio to give you feedback.<br />
<strong>Private Portfolio</strong></p>
<p>Finally, build a private portfolio. This would be documents that you don&#8217;t want to leave behind and ones that you wish to reference during the meeting. Have a copy of your resume in there, as well as anything that is somewhat sensitive. The most sensitive would be the total compensation calculation.</p>
<p>When the discussion turns to money, it&#8217;s tempting to just ask for 10-15% more than you&#8217;re making now, but that&#8217;s risky. If you take a 10% raise, but give up vacation days or a cell phone stipend, you might wind up with a loss. Make a spreadsheet that lists your current salary, any education and certification maintenance costs, software and hardware costs, benefits like vacation and health insurance and financial considerations like 401K matches, stipends, commissions and bonuses. Figure out how much a vacation day is worth and add that in. Finally, if you&#8217;re moving to a new city, figure out what the cost of living adjustment is and adjust your final number by that percentage.  This allows you to directly compare any offer they give you and counter with something made of real numbers.</p>
<p>Now you&#8217;re ready to climb in the window and your tools are ready.</p>
<p>&nbsp;</p>
<p><strong>Interview</strong></p>
<p>Interviews are hard. We only tend to do a few of them in the course of our lives. Naturally, we&#8217;re going to be bad at the process so we have to practice. I like to practice with audio books. Listen in the car and, after each question, pause the CD and respond. You&#8217;ll look like an idiot talking to yourself in the car, but if you&#8217;re going to look like an idiot, it&#8217;s better to do it on your own than in the interview itself. Remember not to memorize the answers. You just need to be assured that you *have* the answers and practice flowing through them and not saying &#8220;um&#8221; and &#8220;uh&#8221; too much.</p>
<p>When it is time to go to the interview, pre-drive it the day before. This prevents getting lost from being a problem. Also, allocate lots of time. Arrive in the parking lot at least half an hour early, but don&#8217;t go inside until about 10 minutes before the interview. Once there, you will be asked to sit. Don&#8217;t, it&#8217;ll make your clothes wrinkly. Stand and read the company literature. Then have the rest of the day open. If things go well and they bring more people in for you to meet, you could spend all day.  I have had seven, eight and nine hour interviews&#8230; that were originally scheduled for one hour. Basically, dedicate the day and be flexible. If they want to go to lunch, go to lunch (don&#8217;t order anything messy).</p>
<p>Then the interview(s) will start. When you&#8217;re in them, try to ask questions. The interviewer should talk at least as much as you do. Remember, if you did your research, you know more about them than they do about you, so drive the discussion to their passions. If they like programming, answer their questions in terms of programming. If they like their family, spend time talking about yours. Giving factual answers is only 10% of the interview process. The rest is building rapport. Build rapport over time and leave the interview with them more interested in you than when it started.</p>
<p>As you talk, take mental notes. Use the documents you created to illustrate your ideas, but if you guessed wrong, correct the documents in front of them. Then, when you come back for the second (or third&#8230;) interview, update the docs and give them the fixed versions. If you have to build a brand new document, do so. The goal is to show learning and improvement, the same way you would in the actual job.</p>
<p>At the end of the interview, try to either close the deal (get a job offer) or get an advance (discussion with a higher-level person or group). Get an appointment, thank them for the opportunity for further discussion, and leave. Don&#8217;t stay too long past the &#8220;next step&#8221; decision, it&#8217;s not likely to help and it could hurt. Leave things on a high note.</p>
<p>If you can&#8217;t get this, start over with the next company on your list.</p>
<p>If the interview was successful, you&#8217;ll have some TODO items. Email the interviewers back with answers to things you couldn&#8217;t answer at the time. Include links if appropriate. Send personalized hand-written thank you cards too&#8230; but spell check them first. This will give you a nice follow-up that they&#8217;ll receive just as they were starting to forget about you.</p>
<p>Loop through this process until you get and negotiate an offer.</p>
<p>&nbsp;</p>
<p><strong>Notice</strong></p>
<p>Once you have the job, consider the notice process. For some jobs, giving a two week notice is sufficient. For others, you need more so they can find a replacement and you can train them. If you are a billable resource, consider negotiating a corp-to-corp rate so your current company can pay your new company for your time in case something isn&#8217;t covered by the time you leave. This can be used as leverage to renegotiate any non-compete that might be in place. Yes, non-competes are often held unenforceable (this varies by jurisdiction)&#8230; but who wants to go to court?</p>
<p>When these preliminaries are done, write down the fact that you&#8217;re leaving, the status of any projects you have, the length of the notice and, if applicable, any corp-to-corp rates. Put this in the form of a business letter, set up an appointment with your boss, walk in and hand it to them.  They may give you a counter-offer. In almost all cases, you don&#8217;t want it. If they threaten you, get a lawyer involved. Otherwise, serve your remaining time and then escape to your shiny new job.</p>
<p>&nbsp;</p>
<p><strong>Resources</strong></p>
<p>This article is the result of years of reading, learning and thinking. The following books and people were instrumental in helping me understand this process and sharing it with you. Please consider them if you want more information:</p>
<p>Books</p>
<ul>
<li><a href="http://www.amazon.com/gp/product/B000Q6ZWBK/ref=as_li_qf_sp_asin_tl?ie=UTF8&amp;tag=starmind-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=B000Q6ZWBK">Don&#8217;t Send A Resume</a> by Jeffrey J. Fox laid out the bones for this process.</li>
<li><a href="http://www.amazon.com/gp/product/0446692786/ref=as_li_qf_sp_asin_tl?ie=UTF8&amp;tag=starmind-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0446692786">Brag &#8211; The Art of Tooting Your Own Horn Without Blowing It</a> by Peggy Klaus taught me how to talk about myself without sounding like an arrogant ass.</li>
<li><a href="http://rcm.amazon.com/e/cm?t=starmind-20&amp;o=1&amp;p=8&amp;l=as1&amp;asins=B001U0OGAY&amp;ref=qf_sp_asin_til&amp;fc1=000000&amp;IS2=1&amp;lt1=_blank&amp;m=amazon&amp;lc1=0000FF&amp;bc1=000000&amp;bg1=FFFFFF&amp;f=ifr">The Science of Fear</a> by Daniel Gardner discusses the reasons that people act the way we do and how fear is used to manipulate us.</li>
<li><a href="http://www.amazon.com/gp/product/1931836361/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;tag=starmind-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=1931836361">Google Hacking 1</a> &amp; <a href="http://www.amazon.com/gp/product/B001UFP658/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;tag=starmind-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=B001UFP658">2</a> by Johnny Long shows how to use Google (and other search engines) to uncover the information that you really care about.</li>
<li><a href="http://www.amazon.com/gp/product/0609608398/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;tag=starmind-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0609608398">What The CEO Wants You To Know</a> by Ram Charan explained the language that people use in business and why it matters.</li>
<li><a href="http://www.amazon.com/gp/product/1439167346/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;tag=starmind-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=1439167346">How To Win Friends And Influence People</a> by Dale Carnegie teaches social skills to people that didn&#8217;t bother to pick them up the first time around.</li>
<li><a href="http://www.amazon.com/gp/product/1401323251/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;tag=starmind-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=1401323251">The Last Lecture</a> by Randy Pausch helps with understanding what really matters in life.</li>
<li><a href="http://www.amazon.com/gp/product/0446672319/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;tag=starmind-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0446672319">Selling The Invisible</a> by Harry Beckwith explains marketing to non-marketers and why what&#8217;s obvious to us isn&#8217;t obvious to others.</li>
<li><a href="http://www.amazon.com/gp/product/0070511136/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;tag=starmind-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0070511136">Spin Selling</a> by Neil Rackham finally explained sales in a way that didn&#8217;t seem sleazy and full of tricks.</li>
<li><a href="http://www.amazon.com/gp/product/B001T9O6WY/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;tag=starmind-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=B001T9O6WY">Let&#8217;s Get Real Or Let&#8217;s Not Play</a> by Mahan Khalsa is about the process of identifying when you&#8217;re at the point of diminishing returns and how to get out.</li>
<li><a href="http://www.amazon.com/gp/product/0061379409/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;tag=starmind-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0061379409">Sales Bible</a> by Jeffrey Gitomer explains sales in ways that work, but does feel a bit sleazy at times.</li>
<li><a href="http://www.amazon.com/gp/product/0142000280/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;tag=starmind-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0142000280">Getting Things Done</a> by David Allen introduces a method of time management so you can do more in less time and stop playing catch-up all the time.</li>
<li><a href="http://www.amazon.com/gp/product/0143118757/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;tag=starmind-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0143118757">Getting To Yes</a> by Roger Fisher and William Ury is about negotiation in a way that matters and works, not just one upsmanship.</li>
<li><a href="http://www.amazon.com/gp/product/0066620996/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;tag=starmind-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0066620996">Good to Great</a> by Jim Collins discusses what businesses need to be successful.</li>
<li><a href="http://www.amazon.com/gp/product/1578518520/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;tag=starmind-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=1578518520">The Innovator&#8217;s Solution</a> by Clayton Christensen and Michael Raynor explains why disruption is as powerful as it is and how to take advantage of that fact.</li>
<li><a href="http://www.amazon.com/gp/product/0743261658/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;tag=starmind-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0743261658">The One Thing You Need to Know</a> by Marcus Buckingham is actually about several things&#8230; but you need to know them anyway.</li>
<li><a href="http://www.amazon.com/gp/product/0312427654/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;tag=starmind-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0312427654">Better</a> by Atul Gawande is a book on improvement. It&#8217;s by a surgeon, but the lessons apply to other fields too.</li>
<li><a href="http://www.amazon.com/gp/product/0670879835/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;tag=starmind-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0670879835">Orbiting The Giant Hairball</a> by Gordon MacKenzie is about when corporate culture goes horribly wrong and how to deal with it.</li>
<li><a href="http://www.amazon.com/gp/product/0345371984/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;tag=starmind-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0345371984">Last Chance To See</a> by Douglas Adams talks about figuring out what matters and doing it, a humorous book about a serious subject.</li>
<li><a href="http://www.amazon.com/gp/product/0961392126/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;tag=starmind-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0961392126">Visual Explanations</a> by Edward Tufte helps with conveying your message in a way that is easily and immediately graspable.</li>
<li><a href="http://www.amazon.com/gp/product/1400064287/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;tag=starmind-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=1400064287">Made to Stick</a> by Chip and Dan Heath helps with crafting your message in a way that is extremely memorable.</li>
<li><a href="http://www.amazon.com/gp/product/0321525655/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;tag=starmind-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0321525655">Presentation Zen</a> by Garr Reynolds gets beyond presentations that don&#8217;t suck and into presentations that are actually pretty great.</li>
<li><a href="http://www.amazon.com/gp/product/0393316041/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;tag=starmind-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0393316041">Surely You&#8217;re Joking, Mr. Feynman</a> by Richard Feynman is about life and learning and identifying what matters.</li>
<li><a href="http://www.amazon.com/gp/product/0743215362/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;tag=starmind-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0743215362">Tesla</a> by Margaret Cheney explains that brilliance alone isn&#8217;t enough.</li>
<li><a href="http://www.amazon.com/gp/product/0679763309/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;tag=starmind-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0679763309">An Unquiet Mind</a> by Kay Redfield Jamison talks about overcoming self limitation by identifying and accepting it.</li>
<li><a href="http://www.amazon.com/gp/product/0226307638/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;tag=starmind-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0226307638">The Complete Greek Tragedies</a> edited by David Grene and Richmond Lattimore reminds us that no matter how bad things are, others have had it much worse.</li>
<li><a href="http://www.amazon.com/gp/product/0061286052/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;tag=starmind-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0061286052">The Art of Living</a> by Epictetus shows how life hasn&#8217;t changed much since ancient Roman times and suggests that we should stop re-inventing the wheel.</li>
<li><a href="http://www.amazon.com/gp/product/1613822839/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;tag=starmind-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=1613822839">Meditations</a> by Marcus Aurelius is a business book&#8230; about running the Roman empire.</li>
<li><a href="http://www.amazon.com/gp/product/0316017930/ref=as_li_qf_sp_asin_il_tl?ie=UTF8&amp;tag=starmind-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0316017930">Outliers</a> by Malcolm Gladwell talks about why some of our problems aren&#8217;t our fault and how to deal with that.</li>
</ul>
<p>People</p>
<ul>
<li> <a href="http://www.whiterabbitgroup.com/">Mike Wagner</a> has personally helped me understand pretty much everything I know about branding and public speaking.</li>
<li> <a href="http://www.converstations.com/">Mike Sansone</a>  has personally helped me leverage the Internet to help me get where I want to go.</li>
<li> <a href="http://bizci.org/">Mike Colwell</a>  has helped me understand business by building a community of knowledgeable people to leverage.</li>
</ul>
<p>Tools</p>
<ul>
<li><a href="http://inkscape.org/">Inkscape</a> is a tool used to create powerful graphics at zero cost.</li>
<li><a href="https://www.libreoffice.org/">LibreOffice</a> is a word processing and spread sheet tool that you can use at home for free.</li>
<li><a href="http://www.paterva.com/web5/">Maltego</a> by Paterva helps you find information all over the Internet to gather data for analysis.</li>
</ul>
<p>There are, of course, many others, but I consider these my core resources.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://blog.starmind.org/2012/04/07/so-you-want-a-new-job-adapted-from-a-presentation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.starmind.org/2012/04/07/so-you-want-a-new-job-adapted-from-a-presentation/</feedburner:origLink></item>
		<item>
		<title>Horsing around at ShmooCon</title>
		<link>http://feedproxy.google.com/~r/starmind-blog/~3/RhRAP05p7rs/</link>
		<comments>http://blog.starmind.org/2012/02/08/horsing-around-at-schmoocon/#comments</comments>
		<pubDate>Wed, 08 Feb 2012 22:28:41 +0000</pubDate>
		<dc:creator>jmore@starmind.org (Josh More)</dc:creator>
				<category><![CDATA[Business Security]]></category>
		<category><![CDATA[horse]]></category>
		<category><![CDATA[race]]></category>
		<category><![CDATA[shmoo]]></category>

		<guid isPermaLink="false">http://blog.starmind.org/?p=1118</guid>
		<description>Last weekend I attended ShmooCon, a yearly security conference held in Washington D.C. Today I want to explore several common themes I noted in many of the great technical presentations at the conference. 1) Operations For many years, the community has been saying that security is facing an operations challenge, not simply one of just [...]</description>
			<content:encoded><![CDATA[<div>
<div>
<div>
<div>
<p>Last weekend I attended ShmooCon, a yearly security conference held in Washington D.C. Today I want to explore several common themes I noted in many of the great technical presentations at the conference.</p>
<p><strong>1) Operations</strong></p>
<p>For many years, the community has been saying that security is facing an operations challenge, not simply one of technology and cash flow. Simply put, most people aren’t following our advice. Administrators aren’t reviewing logs, systems are still unpatched and users are still running day-to-day with administrator privileges. Risk increases every day when people don’t do the right thing; this is the fundamental reason most people get successfully attacked.</p>
<p>In many ways, this flaw in operations is like having a horse. You build a great stable. You put in lights and a heater. You put nice locks on the doors. You build out the plumbing system so the horse can have fresh water and then finally … you buy a horse and put it in the stable.  Sadly, most companies get to this point and then, after spending tens of thousands of dollars on their horse, decide spending $100 on oats is too expensive and just toss scraps into the stable as time permits.</p>
<p>Sadly, we live in a world full of dead and starving horses.</p>
<p><strong>2) Separation of Targets</strong></p>
<p>Fortunately, not every business is as behind as most we see. There are many businesses doing security right. They are investing money to protect assets, training employees and seamlessly running operations. These companies are succeeding, and as a result, the gap between “good” and “average” is widening dramatically.</p>
<p><img src="http://www.muthstruths.com/wp-content/uploads/2011/09/a5.jpg" alt="" width="365" height="247" /></p>
<p>To get back to the horse metaphor, we no longer have a single race. Instead, we have two. In the first, people are riding their horses much as you’d expect. In the second, businesses have invested in security but not operations, dragging their dead and dying horses around the track. These races work very differently and therefore are attacked differently.</p>
<p>If your operations are failing (as in #1 above), your horse may not be worth much. However, if an attacker can get a nice pile of dead horses, they can sell them for glue. In other words, these are the low-level attacks we see every day zeroing in on credit cards, ACH transfers and customer data. Attackers focus on bulk theft and you are just a convenient target.</p>
<p>However, if you have good security AND good internal operations, you’re in a different race. A horse thief focusing on live horses is going to have more options than one who raids the graveyard. The attacker who selects a company with good operations will see greater value from a successful attack. If your company is investing in day-to-day operations, odds are you have some juicy intellectual property to protect. This is where these attackers focus.</p>
<p>In either case, if you’re behind more than half the horses in the race (i.e., below average), you’re going to lose. Remember, the attacker just has to win once… you have to deflect the attacks constantly. The attackers are targeting the easiest in each category first, so as horses vanish from the race, you have to keep improving to stay above average.</p>
<p><strong>3) Defensive Intel Sharing</strong></p>
<p>Finally, there is the true value of an event like Shmoo. The value isn’t in the sessions (though they are great), but in the discussions in hallways and over meals. This is where security people get together and share ideas as to what techniques work to defend against these attacks. We brainstorm and share intelligence. This helps us protect our own little corners of the world better.</p>
<p>To beat the horse metaphor to death, it is as though an international team of horse rustlers (hackers) specialize in stealing horses (your business). Some are great at stealing wagons and have no idea what horse they’ll be getting. Others team up and have one person good at riding horses, one at distracting jockeys and maybe a large animal vet to determine how best to use the newly-stolen horse. They share ideas with other teams as to what has worked and what hasn’t, thus they constantly improve.</p>
<p>At Shmoo, we share ideas that keep our horses from being stolen. It could be as easy as putting better locks on the stables, or as ridiculous as using velcro saddles to keep the jockeys firmly seated. In many cases, it is about small improvements … ways to feed the horses more cost-effectively, or the ability to keep an extra set of eyes on people approaching your stable.</p>
<p>In other words, going to Shmoo isn’t likely to help you, but it will certainly help me help you. Now, let’s talk about your horse.</p>
<p>&nbsp;</p>
<p>(Originally posted on <a href="http://blogs.rjssoftware.com/rjsinformer/index.php/2012/02/06/horsing-around-at-schmoocon/">RJS Informer</a>)</p>
</div>
</div>
</div>
</div>
</div>]]></content:encoded>
			<wfw:commentRss>http://blog.starmind.org/2012/02/08/horsing-around-at-schmoocon/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.starmind.org/2012/02/08/horsing-around-at-schmoocon/</feedburner:origLink></item>
		<item>
		<title>Password Security and Schools</title>
		<link>http://feedproxy.google.com/~r/starmind-blog/~3/0HSHtfG4sfI/</link>
		<comments>http://blog.starmind.org/2012/01/16/password-security-and-schools/#comments</comments>
		<pubDate>Mon, 16 Jan 2012 18:00:25 +0000</pubDate>
		<dc:creator>jmore@starmind.org (Josh More)</dc:creator>
				<category><![CDATA[Business Security]]></category>

		<guid isPermaLink="false">http://blog.starmind.org/?p=1104</guid>
		<description>For those who don’t know, when attackers successfully breach a system, they often share the information they find publicly on the internet. For those on the illegal side of Information Security, this awards them the satisfaction of adding another notch on the scoreboard and further shames those who have poor security. For people like me on the [...]</description>
			<content:encoded><![CDATA[<p>For those who don’t know, when attackers successfully breach a system, they often share the information they find publicly on the internet. For those on the illegal side of Information Security, this awards them the satisfaction of adding another notch on the scoreboard and further shames those who have poor security. For people like me on the legal side, we receive the ability to gather passwords used in the real world and analyze commonalities, variations and patterns. For this reason, I have several automatic searches that notify me when certain information gets leaked.</p>
<p>Recently, I was alerted to a situation that occurred at the George Washington Middle School in Ridgewood, New Jersey. I won’t link to the actual leaked data, but suffice it to say it contains enough administrative information to access their systems. I did not verify this to the point of logging in (doing so would be unauthorized access, regardless of how the credentials were obtained), but it certainly looks correct, and the leak has already been plugged, which itself illustrates the sensitivity of the information revealed. Besides the data mentioned above, the leak also contained usernames and passwords, in plain text, for 246 sixth graders.</p>
<p>You’d think with 246 young students, you’d see 200, perhaps even 225 unique passwords, right? And if default passwords were created for them by a network administrator, you’d hope all 246 were unique. When analyzing the data, however, <em>there were only 34 unique passwords</em>.<strong> <em>34!</em></strong></p>
<p>Here they are:</p>
<table>
<tbody>
<tr>
<td>
<ul>
<li>glasses = 13 (5.28%)</li>
<li>finish = 12 (4.88%)</li>
<li>button = 12 (4.88%)</li>
<li>dinner = 12 (4.88%)</li>
<li>oranges = 12 (4.88%)</li>
<li>apples = 12 (4.88%)</li>
<li>letter = 12 (4.88%)</li>
<li>stormy = 12 (4.88%)</li>
<li>gentle = 11 (4.47%)</li>
<li>cupcake = 11 (4.47%)</li>
<li>winter = 11 (4.47%)</li>
<li>butter = 11 (4.47%)</li>
<li>carpet = 11 (4.47%)</li>
<li>joyful = 11 (4.47%)</li>
<li>summer = 10 (4.07%)</li>
<li>middle = 10 (4.07%)</li>
<li>friday = 10 (4.07%)</li>
<li>person = 10 (4.07%)</li>
<li>football = 10 (4.07%)</li>
<li>people = 10 (4.07%)</li>
<li>soccer = 10 (4.07%)</li>
</ul>
</td>
<td>
<ul>
<li>butter32 = 1 (0.41%)</li>
<li>butter27 = 1 (0.41%)</li>
<li>dinner20 = 1 (0.41%)</li>
<li>letter38 = 1 (0.41%)</li>
<li>summer17 = 1 (0.41%)</li>
<li>summer83 = 1 (0.41%)</li>
<li>winter34 = 1 (0.41%)</li>
<li>apples74 = 1 (0.41%)</li>
<li>letter28 = 1 (0.41%)</li>
<li>Password = 1 (0.41%)</li>
<li>summer22 = 1 (0.41%)</li>
<li>letter48 = 1 (0.41%)</li>
<li>winter64 = 1 (0.41%)</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>Note the right hand column. Those are the passwords that are truly unique. This means that of 246 passwords, <strong>only 13</strong> of them are not like the others. Of those 13, only one wasn’t based on the shared list. And even that one was the always original “Password.”</p>
<p>In all the analyses I’ve done, this is by far the worst.  There are a handful of possible scenarios here. Ignoring the possibility this is completely fabricated (the usernames of the children make that seem somewhat unlikely), this is either a set of passwords that were generated for children or by children. Given how evenly matched the passwords are in distribution, it seems more likely there was a list of 21 “default” passwords that were generated and then the students were asked to change them. Given the passwords on the right hand column, it seems as though the instructions were “add two numbers to the end of your password to make it secure.”  The password of “Password” matches a username of “Username,” so it’s probably a header or a default value and can be ignored.</p>
<p>So, what’s wrong here?</p>
<p>First, selecting passwords in this way means if someone knew their own password and wanted to try to get into other accounts, they’d be able to get into at least 9 other accounts and possibly as many as 14 … and that’s with doing no work at all. If you look at word pairs you get summer/winter, apples/oranges and soccer/football. This raises the number of breached accounts with inside knowledge to 25. Now, even without the leak, if you decided to attack this system with a standard dictionary word list, it would take about a day to get hits on most of these (assuming the system doesn’t lock accounts or throttle failed logins). If you had a list of usernames, you could easily gain access to every account on this list in a day.  In some systems, it would take as little as a minute to crack each account.</p>
<p>So no one expects sixth graders to be security geniuses, but sad to say, habits get set early. Assuming the right hand column contains passwords that people changed, only 12 students changed their passwords as instructed. If we assume they were given instructions, this means we can expect 4.88% of people to follow directions. If personal experience indicates anything, sixth graders are even more likely to follow directions than adults, so in an average organization, we can assume less than 5% of people will follow best practices … and they’ll probably do the bare minimum required of them.</p>
<p>Now take a minute and think what this would have looked like if the following changes were made to the system:</p>
<ul>
<li>Users are assigned completely random passwords</li>
<li>The system required passwords to be at least 12 characters long.</li>
<li>The system required passwords to have a mix of upper case, lower case, numbers and punctuation</li>
</ul>
<p>What would happen?  First, the student would probably write his or her password down somewhere. Now that code is as safe as a locker and/or the student’s resistance to bullying.  Maybe there’s a better way.</p>
<p>What if the system were set up to allow users to register themselves and had a password complexity rule? Suppose it had to hit a specific score of something like 100, where the scoring worked this way:</p>
<ul>
<li><em>base</em> starts at 0</li>
<li>Upper case character = <em>base</em>+10</li>
<li>Lower case character = <em>base</em>+10</li>
<li>Number = <em>base</em>+10</li>
<li>Punctuation = <em>base</em>+10</li>
<li>Space character = <em>base</em>+10</li>
<li>Score = <em>base</em> * length of the password</li>
</ul>
<p>If someone wanted to use a basic word like “winter,” the system wouldn’t accept the password. “Zoologists,” on the other hand, would be accepted. If you wanted something shorter, you could go with “like2” to obtain your required score of 100 (a base of 20 * 5). This is the basic idea of password scoring. You could decide for yourself what metrics to use, but by raising the threshold score and weighting various characters differently, people are driven to select their own passwords.</p>
<p>Using the rules above, suppose you wanted a specific score of 1000. “Jooxiepa8da X1Zaode!” would work, but so would “Ask not what you can do for your country.”  Which is easier to remember?</p>
<p>This is how you generate passwords to meet an arbitrary security threshold that are easy to remember and hard to crack. Since people don’t follow directions (5% change rate) and write down hard things to remember, this is one of the best systems you can implement. Sure, multifactor systems are better, but I don’t think sixth graders would be very good at keeping track of their magic “log me on” device. So instead of teaching them horrible password security from an early age, maybe we should implement a system that understands that humans, of whatever age, are human.</p>
<p>In fact, maybe we should do this in business too.</p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p>(This article was originally posted at the <a href="http://blogs.rjssoftware.com/rjsinformer/index.php/2012/01/03/password-security-and-schools/">RJS Insider</a>)</p>
<div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/starmind-blog?a=0HSHtfG4sfI:2cKcftxaDRw:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/starmind-blog?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=0HSHtfG4sfI:2cKcftxaDRw:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/starmind-blog?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=0HSHtfG4sfI:2cKcftxaDRw:D7DqB2pKExk"><img src="http://feeds.feedburner.com/~ff/starmind-blog?i=0HSHtfG4sfI:2cKcftxaDRw:D7DqB2pKExk" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=0HSHtfG4sfI:2cKcftxaDRw:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/starmind-blog?i=0HSHtfG4sfI:2cKcftxaDRw:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=0HSHtfG4sfI:2cKcftxaDRw:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/starmind-blog?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=0HSHtfG4sfI:2cKcftxaDRw:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/starmind-blog?i=0HSHtfG4sfI:2cKcftxaDRw:gIN9vFwOqvQ" border="0"></img></a>
</div>]]></content:encoded>
			<wfw:commentRss>http://blog.starmind.org/2012/01/16/password-security-and-schools/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.starmind.org/2012/01/16/password-security-and-schools/</feedburner:origLink></item>
		<item>
		<title>Security Certification 3/3 – Doing and Teaching</title>
		<link>http://feedproxy.google.com/~r/starmind-blog/~3/1pO7-dQ1EAw/</link>
		<comments>http://blog.starmind.org/2012/01/13/security-certification-33-doing-and-teaching/#comments</comments>
		<pubDate>Fri, 13 Jan 2012 22:00:16 +0000</pubDate>
		<dc:creator>jmore@starmind.org (Josh More)</dc:creator>
				<category><![CDATA[Business Security]]></category>
		<category><![CDATA[certification]]></category>

		<guid isPermaLink="false">http://blog.starmind.org/?p=1093</guid>
		<description>This post is part 3 of a series.  Please see posts 1 and 2. So you&amp;#8217;ve learned something. Congratulations. Knowing is half the battle. Sadly, the other half involves actual fighting. This post is on how to fight&amp;#8230; or, in this case, demonstrate that you know stuff. (Which is a lot like fighting if you [...]</description>
			<content:encoded><![CDATA[<p>This post is part 3 of a series.  Please see posts <a href="http://www.starmind.org/2012/01/12/security-certification-13-certifications-in-general/">1</a> and <a href="http://www.starmind.org/2012/01/13/security-certification-23-learning/">2</a>.</p>
<p>So you&#8217;ve learned something. Congratulations. Knowing is half the battle. Sadly, the other half involves actual fighting. This post is on how to fight&#8230; or, in this case, demonstrate that you know stuff. (Which is a lot like fighting if you leave all that tedious stuff about hitting people.)</p>
<p>I like to follow the old cliche &#8220;Learn One, Do One, Teach One&#8221;. So you&#8217;ve learned something. The next step is how do you do something with it? Since we&#8217;re talking about security, the best option would probably be to stop a bad guy. Sadly, that&#8217;s not always feasible. Fortunately, you have some options.</p>
<p><strong>Doing</strong></p>
<p>One thing I strongly suggest is joining an open source project. I used to suggest starting one, but it seems that whenever I said that, someone would run off and make a new network scanner. We have enough of those.</p>
<p>Join a project that uses modules. Metasploit is good. So are SET and NMap. If you&#8217;re webby, take a crack at extending w3af. This will force you to understand a system, improve a system and work with others to get your change accepted. In short, it demonstrates everything that a prospective employer wants.</p>
<p>Suppose you&#8217;re not a programmer. That&#8217;s OK. You can use the tools above to run assessments. Assess your home network to learn how everything works, then start calling local non-profit groups. Offer them a scan in return for the ability to post a summary of the results online (after they approve the anonymization of the data). Now, there is a bit of risk here, so you might want to investigate errors and omissions insurance beforehand. At the very least, consider one of the &#8220;approval&#8221; forms so that you&#8217;re protected. Learning the ins and outs of these sorts of assessments demonstrates that you not only have the technical skills, but that you can also use them in a meaningful way.</p>
<p>(Note: Never give anything away for free. This is a scan in exchange for publicly-viewable experience. If you offer to work for free, all you&#8217;ll do is get a lot of clients&#8230; who also want you to work for free.)</p>
<p>Now, those two paths are all well and good if you&#8217;re technical. However, we have some people in this field that aren&#8217;t technical at all. There&#8217;s nothing wrong with that&#8230; but be aware that to be truly successful you have to understand both technology and people. Try to branch out.</p>
<p>If you&#8217;re not going to branch out, you can still help an open source project. Documentation on many projects is&#8230; well to call it &#8220;lacking&#8221; would be like calling the Titanic &#8220;a boat that encountered a spot of bother&#8221;. There&#8217;s a lot of need there and a lot of wikis that are fully editable, so get cracking. You might also be able to help with project management, with resolving disputes on mailing lists, or by prioritizing bugs based on user impact. You know, basically doing all the tasks that stereotypical geeks aren&#8217;t very good at.</p>
<p>The next step is to promote the fact that you&#8217;ve done something. The best way to do this is teaching, and the Internet makes this easy.</p>
<p><strong>Teaching</strong></p>
<p>Teaching is all about sharing knowledge. While the traditional teaching option of holding a class is still viable, it doesn&#8217;t give you the same range of exposure as techniques like blogging and vidding. You certainly get a more personal connection by teaching a class and the people consuming your content might absorb it better, but if you&#8217;re wanting to build a brand and try to jump into a better job, you have to cast wide. Here are some options:</p>
<p><em>Basic blogging</em> is much like you&#8217;re reading now. Just grab yourself a domain, link it to WordPress and go. The difficulty with blogging is the tendency to lose time to &#8220;research&#8221;. If you&#8217;re new to blogging, give yourself two days (20 hours) of research time on how to blog. A good place to start are the <a href="http://www.converstations.com/archives">Converstation Archives</a>. Once you&#8217;ve done that, build a list of topics and give yourself one hour for each topic. Give yourself 20 minutes to write the content, 20 minutes to edit the content (after waiting a day or so), and 20 minutes to publish the content on WordPress (this includes adding links and images). You can spend more time than that on posts that matter strongly to you (as I did on this series), but be careful not to spend too much time. If you keep trying to make it &#8220;perfetc&#8221;, it&#8217;ll never get published.</p>
<p><em>Micro-blogging</em> is a lot like blogging, but you say more with less. In the US, Twitter is the most popular micro-blogging platform, but Facebook and Google+ are challenging it. Personally, I find this a very difficult medium. What works for me is to write a blog and then excerpt key phrases from it for micro-blogging purposes. If you&#8217;re gifted in this medium, feel free to start here. However, if you use it for professional purposes, please try to avoid the shorthand that&#8217;s common in the medium. U wont get jobz talking lik this.</p>
<p><em>Vidding and podcasting</em> are other techniques that I&#8217;m not personally comfortable with, but which work for a whole lot of people. This is as simple as sitting in front of a web camera and talking to an audience that you hope will emerge over time. My attempts at podcasting were all aborted because the editing took too much time. Perfectionism and linear editing do not mix well. I hope to give this a shot again later this year, but we&#8217;ll see. It&#8217;s very hard for me.</p>
<p>One friend suggests that these techniques are made easier if you have a script.  Granted, you have to practice to make sure it doesn&#8217;t sound scripted, but this is very good advice.  I&#8217;ll have to try it the next time I give this technique a whirl.</p>
<p><em>Graphically-intensive content</em> such as infographics and comics is another way to get the message out. I&#8217;ve done tons of infographics (few are public) and a fairly large graphic novel that has been &#8220;in progress&#8221; for the last five years. The trick here is not biting off more than you can chew. If you are skilled graphically, take a shot at illustrating what you&#8217;ve done and sharing it with others. This can be a very powerful technique.</p>
<p>There are tons of other methods. If you think I&#8217;ve missed something important, please let me know in the comments.</p>
<p><strong>Conclusion</strong></p>
<p>This has been a lot of text&#8230; but hopefully this has answered your certification questions at a very high level <strong>and</strong> explained how to extend your learning. If you do this, you should gain something more directly useful to you than tacking a few letters to your name. Of course, it&#8217;s a bit more complex than this in &#8220;real life&#8221;.</p>
<p>In addition to what I described here, each certification comes with its own community which may or may not mesh with your needs. Personally, I mesh well with the SANS community and not very well with the ISC(2) community&#8230; but this is extremely personal. There&#8217;s no way to know where you&#8217;ll mesh without giving it a try, so pick the certification based on what you need to learn and figure out the social aspects once your certification grants you access to a community.</p>
<p>Similarly, the &#8220;doing&#8221; and &#8220;teaching&#8221; phases only work if you dedicate enough time to them. Your journey doesn&#8217;t end when you get the certification, so if you can&#8217;t devote the time from your life to complete the process, you should seriously reconsider whether to even get a certification in the first place.</p>
<p>However, if you can afford the time to learn, do and teach, you should see your professional life advance extremely quickly.</p>
<div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/starmind-blog?a=1pO7-dQ1EAw:mfrIH_lXmHo:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/starmind-blog?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=1pO7-dQ1EAw:mfrIH_lXmHo:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/starmind-blog?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=1pO7-dQ1EAw:mfrIH_lXmHo:D7DqB2pKExk"><img src="http://feeds.feedburner.com/~ff/starmind-blog?i=1pO7-dQ1EAw:mfrIH_lXmHo:D7DqB2pKExk" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=1pO7-dQ1EAw:mfrIH_lXmHo:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/starmind-blog?i=1pO7-dQ1EAw:mfrIH_lXmHo:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=1pO7-dQ1EAw:mfrIH_lXmHo:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/starmind-blog?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=1pO7-dQ1EAw:mfrIH_lXmHo:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/starmind-blog?i=1pO7-dQ1EAw:mfrIH_lXmHo:gIN9vFwOqvQ" border="0"></img></a>
</div>]]></content:encoded>
			<wfw:commentRss>http://blog.starmind.org/2012/01/13/security-certification-33-doing-and-teaching/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.starmind.org/2012/01/13/security-certification-33-doing-and-teaching/</feedburner:origLink></item>
		<item>
		<title>Security Certification 2/3 – Learning</title>
		<link>http://feedproxy.google.com/~r/starmind-blog/~3/l5vVkevjNr8/</link>
		<comments>http://blog.starmind.org/2012/01/13/security-certification-23-learning/#comments</comments>
		<pubDate>Fri, 13 Jan 2012 18:00:20 +0000</pubDate>
		<dc:creator>jmore@starmind.org (Josh More)</dc:creator>
				<category><![CDATA[Business Security]]></category>
		<category><![CDATA[certification]]></category>

		<guid isPermaLink="false">http://blog.starmind.org/?p=1091</guid>
		<description>If you&amp;#8217;re reading this post, it is assumed that you&amp;#8217;ve already read my post on what certifications are for. If not, go there and check it out. This post details my method for comparing certifications. First, go to each certification&amp;#8217;s website and review each certification&amp;#8217;s pre-requisites. If you don&amp;#8217;t have any of them, it&amp;#8217;s probably [...]</description>
			<content:encoded><![CDATA[<p>If you&#8217;re reading this post, it is assumed that you&#8217;ve already read my post on what certifications are for. If not, go <a href="http://www.starmind.org/2012/01/12/security-certification-13-certifications-in-general/">there</a> and check it out. This post details my method for comparing certifications.</p>
<p>First, go to each certification&#8217;s website and review each certification&#8217;s pre-requisites. If you don&#8217;t have any of them, it&#8217;s probably not wise to do the next step with that one. While I recommend challenging yourself and pursuing a certification for which you do not have <strong>all</strong> of the pre-requisites, if you have absolutely none of them, you&#8217;ve identified what you need to learn and that the certification you are considering will not teach you that.</p>
<p>Second, consider your career trajectory&#8230; then throw it away. Some certifications have specific paths that are laid out for you.  If you go into the CISSP world, you&#8217;re &#8220;supposed&#8221; to be a manager.  If you use Offensive Security, you&#8217;re &#8220;supposed&#8221; to be a penetration tester.  While it&#8217;s true that these certifications have somewhat high value in these areas, increasingly, security practitioners are expected to know a bit of everything and be good at what they&#8217;re good at. It&#8217;s about the learning process. Unless you have no interest in learning (in which case, go away, this post is not for you), you&#8217;ll be better off picking a certification based on what you&#8217;ll learn from the process. If you pick a career path laid out for you by someone else, you&#8217;re not only trusting your life to guesswork&#8230; but to someone else&#8217;s guesswork.  For example, my grandfather gave me my first computer because it was the wave of the future&#8230; but also gave me a slide rule&#8230; &#8220;because you&#8217;ll need to be able to take something into the field with you&#8221;.  If you&#8217;re going to screw up your career path, at least do yourself the favor of doing it to yourself so you can analyze why you wound up where you did and can correct from there.</p>
<p>Third, review what the different certifications cover. For each topic covered, give yourself a rating based on how well you know the topic.</p>
<ul>
<li>0 = No idea what the topic means</li>
<li>1 = Have a bit of clue about the topic, maybe played with it in a lab</li>
<li>2 = Have done this professionally or played with it a lot in a lab environment. Still have room to learn.</li>
<li>3 = Have done this enough to consider yourself something of an expert</li>
<li>4 = Understand this topic inside and out. Comfortable teaching it to others.</li>
</ul>
<p>Now, take an average of all your ratings and divide it by four. This will give you a percent of what you already know from what the certification will teach you. <strong>Subtract this from 100% to get the amount you will learn from the certification.</strong></p>
<p>Fourth, you have to factor in your time. Most of us have a loaded rate for work that includes salary and benefits. If you know this number, use it. If not, take your hourly rate (convert if you&#8217;re salaried) and multiply it by 1.5. If you&#8217;re unemployed, figure out what you&#8217;d charge doing freelance work. You can quibble over this all you like. Really, you&#8217;re just measuring the cost of the time it takes to gain a certification, as that time could be used to boost your skills by working overtime at your day job or doing freelance work in the evenings.</p>
<p>Finally, estimate the time you&#8217;ll spend on the certification, multiply it by your rate, add the certification costs and you&#8217;ll have a dollar estimate. Take your learning percentage and divide it by the dollar estimate and you&#8217;ll get a number that you can use to compare how valuable that particular certification will be for you.</p>
<p>In other words, <em>Value = (Learning Percentage) / ((Time Spent * Hourly Rate) + (Cost of Certification))</em>. When comparing certifications, the highest value wins.</p>
<p>Here are two examples. Since a lot of the information about tests is hidden behind registration links, I won&#8217;t do a complete analysis&#8230; just enough to give you an idea of what I&#8217;m talking about. In this, we&#8217;ll assume that my time value is $50/hr. Basically, I am choosing this number because it makes the math easier and should be in line with a mid-level career person that loves learning enough to drop the &#8220;personal cost&#8221; a bit. If you&#8217;re entry level, it&#8217;ll be lower. If you&#8217;re well seasoned and have other hobbies, it&#8217;ll be higher.</p>
<p>Note: I am also assuming a &#8220;zero&#8221; time cost to taking in-person classes. There is actually a time cost here, but for most people, it&#8217;ll be incurred by your organization, not you. If this isn&#8217;t the case, add the time cost back in.</p>
<p><strong>Example: CISSP-ISSAP</strong></p>
<p>This certification would extend my existing CISSP to focus on architecture. Reviewing the <a href="https://www.isc2.org/CIBForm.aspx">Candidate Information Bulletin</a>, there&#8217;s a lot of information covered. Here are the first two domains. My score for each point is in brackets at the end. (The typo for &#8220;Methodology&#8221; is theirs&#8230; sorry.)</p>
<p>1) ACCESS CONTROL SYSTEMS AND METHODOLGY<br />
A. Apply Access Control Concepts Methodologies, and Techniques<br />
A.1 Application of control concepts and principles (e.g., discretionary/mandatory, segregation/separation of duties, rule of least privilege) [4]<br />
A.2 Access control administration [4]<br />
A.3 Identification, authentication, authorization, and accounting methods [3]<br />
A.4 Identify and access management architecture [3]<br />
B. Determine access control protocols and technologies (e.g., RADIUS, Kerberos, EAP) [3]</p>
<p>2) COMMUNICATIONS &amp; NETWORK SECURITY<br />
A. Determine Communications Architecture<br />
A.1 Unified communication (e.g., convergence, collaboration, messaging) [2]<br />
A.2 Transportation mechanisms (e.g., voice, facsimile) [4]<br />
B. Determine Network Architecture<br />
B.1 Network types [3]<br />
B.2 Protocols [3]<br />
B.3 Securing common services (e.g., wireless, email, VoIP) [4]<br />
C. Protect Communications and Networks<br />
C.1 Firewalls [4]<br />
C.2 Gateways, routers, and switches architecture (e.g., access control, segmentation, out-of-band management) [4]<br />
C.3 Detection and response [4]<br />
C.4 Content filtering [4]<br />
C.5 Device control [4]<br />
D. Identify Security Design Considerations and Associated Risks<br />
D.1 Interoperability [2]<br />
D.2 Audit requirements (e.g., regulatory, legislative) [3]<br />
D.3 Security configuration (e.g., baseline) [4]<br />
D.4 Remote access [4]<br />
D.5 Monitoring (e.g., sensor placement) [4]<br />
D.6 Network configuration (e.g., physical, logical, high availability) [4]<br />
D.7 Operating environment (e.g., virtualization, cloud computing) [4]</p>
<p>So, for the first two domains of the CISSP-ISSAP, we get (4+4+3+3+3+2+4+3+3+4+4+4+4+4+4+2+3+4+4+4+4+4) / (22 * 4) = .886 for a &#8220;known&#8221; ratio. This means that the percentage that I have to learn is 11%.</p>
<p>Now let&#8217;s look at costs. The <a href="http://isc2education.org/shop/featured-products/official-isc-2r-guide-to-the-issapr-cbk.html">official textbook</a> runs $80. The <a href="www.isc2.org/uploadedFiles/Education/Review_Seminars/2010%20Seminar%20Pricing%20Matrix.pdf">review class</a> runs $2,195. The <a href="http://www.isc2.org/uploadedFiles/Certification_Programs/exam_pricing.pdf">test</a> costs $449. And the <a href="http://isc2education.org/shop/featured-products/mounted-certificate-3-5-weeks-delivery.html">certification</a> costs $82.50. (Not required, but included because the GIAC cert comes with passing the test and we want to be as fair as possible.)</p>
<p>So, we have two options.</p>
<p>* Take the full in person class (assuming the course book is included with the class) $2,195 + $449 + $82.50 = $2,726.50. Add to this, study time of 20 hours at $50/hr and you get $3,726.50<br />
* Wing it with the textbook $80 + $449 + $82.50 = $611.50. Add to this study time of 40 hours, and you get $2,611.50</p>
<p>So, if I were to take the in person class, I&#8217;d get a learning value of 11/3,726.50, or 0.295%. If I were to wing it, my learning value would be 0.42%&#8230; but the burden of the work would be on me.</p>
<p><strong>Example: SANS/GIAC GXPN</strong></p>
<p>Let&#8217;s compare this to the SANS/GIAC Advanced Penetration Testing Essentials / GXPN option. Looking at <a href="https://www.sans.org/security-training/advanced-penetration-testing-essentials-day-1-15197-cid">Day 1</a>, we have the following list of learning objectives:</p>
<p>Low profile enumeration of large Windows environments without heavy scanning [1]<br />
Strategic target selection [2]<br />
Remote Desktop Protocol (RDP) [1] and man-in-the-middle attacks [1]<br />
Windows network authentication attacks (e.g., MS-Kerberos, NTLMv2, NTLMv1, LM) [2]<br />
Windows network authentication downgrade [0]<br />
Discovering [3] and leveraging MS-SQL for domain compromise without knowing the sa password [1]<br />
Metasploit tricks to attack fully patched systems [1]<br />
Utilize LSA Secrets and service accounts to dominate Windows targets [1]<br />
Dealing with unguessable/uncrackable passwords [2]<br />
Leveraging password histories [1]<br />
Gaining graphical access [2]<br />
Expanding influence to non-Windows systems [3]<br />
Exploiting single sign-on systems [1]<br />
Escaping restricted desktops [1]</p>
<p>So, for the first day of this class, we get (1+2+1+1+2+0+1+1+1+2+1+2+3+1+1) / (15*4) = .333 for a &#8220;known&#8221; ratio, or a learning percentage of 67%.</p>
<p>Looking at costs, it&#8217;s a tad more complex, with more options, but fewer parts. The <a href="https://www.sans.org/virtual-training/">vLive</a> version of the course costs $4,370. The <a href="http://www.sans.org/selfstudy/tuition.php">Self Study</a> option costs $3,916. The <a href="https://www.sans.org/registration/register.php?conferenceid=24449">Conference version</a> costs $4,595. For all options, the test costs $549.</p>
<p>So we have three learning ratios to calculate:</p>
<p>* Self Study: 67 / ($3,916 + $549 + 60*$50) = 0.89%<br />
* vLive: 67 / ($4,370 + $549 + 40*$50) = 0.97%<br />
* Conference: 67 / ($4,595 + $549 + 20*$50) = 1.09%</p>
<p><strong>Example: CISSP-ISSAP vs SANS/GIAC GXPN</strong></p>
<p>So, as you see, even though it&#8217;s the most expensive option, you maximize learning when compared to time and dollar costs with the GXPN Conference option.</p>
<table>
<tbody>
<tr>
<th>Certification</th>
<th>Option</th>
<th>Cost</th>
<th>Learning Value</th>
</tr>
<tr>
<td>CISSP-ISSAP</td>
<td>Class</td>
<td>$3,726.50</td>
<td>0.295%</td>
</tr>
<tr>
<td>CISSP-ISSAP</td>
<td>Self Study</td>
<td>$2,611.50</td>
<td>0.42%</td>
</tr>
<tr>
<td>GXPN</td>
<td>Self Study</td>
<td>$7,465</td>
<td>0.89%</td>
</tr>
<tr>
<td>GXPN</td>
<td>vLive</td>
<td>$6,919</td>
<td>0.97%</td>
</tr>
<tr>
<td>GXPN</td>
<td>Conference</td>
<td>$6,144</td>
<td>1.09%</td>
</tr>
</tbody>
</table>
<p>Now, there are a LOT of variables at play here. If you mis-estimate the time you&#8217;ll spend or the amount of money your time is worth, you&#8217;ll get drastically different values. So think about these numbers carefully before you decide for certain which certification to pursue.</p>
<p>Once you&#8217;ve followed this process, you&#8217;ll have an idea as to which certification to pursue. If you are in this solely for the learning, stop now. The <a href="http://www.starmind.org/2012/01/13/security-certification-33-doing-and-teaching/">next post</a> is not about certification but focuses on extending your learning in a way that is visible and gets you both known in the community (building the Who You Know) and in gaining and demonstrating experience.</p>
<div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/starmind-blog?a=l5vVkevjNr8:BBtGBOyldo4:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/starmind-blog?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=l5vVkevjNr8:BBtGBOyldo4:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/starmind-blog?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=l5vVkevjNr8:BBtGBOyldo4:D7DqB2pKExk"><img src="http://feeds.feedburner.com/~ff/starmind-blog?i=l5vVkevjNr8:BBtGBOyldo4:D7DqB2pKExk" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=l5vVkevjNr8:BBtGBOyldo4:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/starmind-blog?i=l5vVkevjNr8:BBtGBOyldo4:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=l5vVkevjNr8:BBtGBOyldo4:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/starmind-blog?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=l5vVkevjNr8:BBtGBOyldo4:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/starmind-blog?i=l5vVkevjNr8:BBtGBOyldo4:gIN9vFwOqvQ" border="0"></img></a>
</div>]]></content:encoded>
			<wfw:commentRss>http://blog.starmind.org/2012/01/13/security-certification-23-learning/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.starmind.org/2012/01/13/security-certification-23-learning/</feedburner:origLink></item>
		<item>
		<title>Security Certification 1/3 – Certifications in General</title>
		<link>http://feedproxy.google.com/~r/starmind-blog/~3/NYX4WTwJ1lg/</link>
		<comments>http://blog.starmind.org/2012/01/12/security-certification-13-certifications-in-general/#comments</comments>
		<pubDate>Fri, 13 Jan 2012 01:48:34 +0000</pubDate>
		<dc:creator>jmore@starmind.org (Josh More)</dc:creator>
				<category><![CDATA[Business Security]]></category>
		<category><![CDATA[certification]]></category>

		<guid isPermaLink="false">http://blog.starmind.org/?p=1089</guid>
		<description>It seems that, about once a week, someone asks me about security certification. A lot of people seem to believe that a security certification can get you over the &amp;#8220;need experience to get experience&amp;#8221; hurdle. The point of this post is not to tell you which certification to get (though it does do this), but [...]</description>
			<content:encoded><![CDATA[<p>It seems that, about once a week, someone asks me about security certification. A lot of people seem to believe that a security certification can get you over the &#8220;need experience to get experience&#8221; hurdle. The point of this post is not to tell you which certification to get (though it does do this), but to explain why this common line of thinking is wrong.</p>
<p>At the entry level of the job market, the &#8220;you don&#8217;t have enough experience to get experience&#8221; problem is particularly troublesome. This is especially true in the current economy where fewer jobs means that many more experienced workers are competing for the entry level ones. These are the people that typically come to me and ask &#8220;CISSP, Security+ or GSEC?&#8221;.</p>
<p>However, if you show someone an experience-less resume that lists a security certification, all that is communicated is that that particular certification can be attained without experience. This weakens the certification and does nothing to make you look better.</p>
<p>In fact, most hiring managers I&#8217;ve spoken to will take the stack of resumes and filter it as follows:</p>
<ol>
<li>Throw out everyone lacking a college degree.</li>
<li>If the stack is still too tall, throw out everyone that doesn&#8217;t have a four year degree.</li>
<li>Then they look at experience and get rid of everyone that lacks the requirements.</li>
<li>If the stack is still too big, throw out everyone that has experience but isn&#8217;t certified.</li>
<li>Take any resumes that come with a personal recommendation and add them back in to the pool.</li>
</ol>
<p>It may not be fair, but when any job opening solicits hundreds of resumes, it <strong>is</strong> a fast way to get through them. It also means that if you have no experience, possessing a certification gains you absolutely nothing. In fact, the best thing you can do to be considered is to know someone in the organization. After that, the most helpful is a degree, then experience, then certification&#8230; but only as a tie breaker.</p>
<p>(Note, in some job areas, like the US Federal Government, certain certifications are required for specific job levels. Assume I&#8217;m not talking about these job areas. After all, if you&#8217;re going for one of those, you already know which certification you need.)</p>
<p>It seems, from this, that I&#8217;m saying that certifications are useless. Nothing could be further from the truth. Certifications are great&#8230; just not for getting a job. Let&#8217;s look at what employers find to be the most useful: who you know, college degrees and experience.</p>
<p><em>Who you know</em></p>
<p>If you are recommended by someone that the hiring manager knows, the manager has already vetted you far more thoroughly than is possible in a series of interviews. They know that you are likely a good person to work with, as you can clearly be friends with the sort of people that work at the organization. They know some of your strengths and weaknesses. In short, they know that you can probably do the job and that you are likely to grow with the business.</p>
<p>A lot of people are disdainful of the &#8220;good old boys&#8221; network, but if you&#8217;re not in it, there is always the question of &#8220;why&#8221;. Without an answer to that question, people create their own answers&#8230; and they are seldom complimentary of you as a candidate.</p>
<p><em>College degree</em></p>
<p>The industry also has a lot of disdain for college degrees. Do you need a college degree to work in security? Of course not. There are tons of people in the industry without them. (Of course, they got in because of who they knew.) Like many people state, a college degree is just a piece of paper that says that you spent four years putting up with crap&#8230; which is a really good measurement of what many organizations want.</p>
<p>If you can get through a university program for two or four years, toe the line and do what you&#8217;re told, a hiring manager will know that you&#8217;ll be unlikely to make waves. You might not know all you need to do the job, but you&#8217;ll likely be able to deal with stupid corporate rules for long enough to learn what you need.</p>
<p>In short, a standard degree is not a measure that you&#8217;ll be an awesome employee. It&#8217;s a measure that you won&#8217;t be horrible and cost the organization more money than you bring in.</p>
<p>(Note: liberal arts degrees are something different entirely&#8230; but from a hiring perspective, they are only useful if the hiring manager is aware of the school and what the degree means. Without that knowledge, they look the same as a regular degree, so it comes back to &#8220;who you know&#8221;)</p>
<p><em>Experience</em></p>
<p>Experience is, of course, the gold standard of getting hired. If you&#8217;ve done the job before, the manager knows that you can do it again. However, there&#8217;s a trap. If you have experience you&#8217;re somewhat stuck in that area of expertise, and if that area goes away, you could be in trouble. A lot of COBOL programmers discovered this in recent years. If you&#8217;re in this situation, you&#8217;re really back to who you know.</p>
<p>Of course, it&#8217;s better to avoid getting into this situation by constantly taking on new projects and expanding your skill set. However, this series of posts is about certification, so I won&#8217;t delve into that topic.</p>
<p><strong>Learning</strong></p>
<p>So if that&#8217;s the situation, what do you do about it? The key, I think, is learning.</p>
<p>When you get right down to it, what a hiring manager wants to know is:</p>
<ul>
<li>What do you know?</li>
<li>What are you capable of learning?</li>
<li>Can you convert that knowledge into something useful to the organization?</li>
<li>Can you do so without causing problems in other areas of the organization?</li>
</ul>
<p>That&#8217;s it. Based on how well you do at those four points, your career will skyrocket or stagnate.</p>
<p>So, the keys are learning, translation and communication. Let&#8217;s look at certifications with that in mind.</p>
<p>Most people looking at security certifications look in four areas: ISC(2)&#8217;s CISSP line, SANS/GIAC&#8217;s G* line, CompTIA&#8217;s Security+ line and Offensive Security&#8217;s OS* line. The key criterion for you to consider is which line is going to maximize your learning for your dollar. Generally, SANS/GIAC is considered the most expensive, but in my experience also has the greatest opportunity for learning. Second to that, in my opinion, is the Offensive Security line. They&#8217;re more focused and hands-on than a lot of SANS/GIAC offerings, but also start a bit higher in the experience level.</p>
<p>So what you need is a way to compare not certifications, but what you learn from the certification process. If you can maximize the amount you learn per dollar you spend, you can both select the best certification for you and the best experience you can get from pursuing that certification.</p>
<p>Check in <a href="http://www.starmind.org/2012/01/13/security-certification-23-learning/">tomorrow</a> for the method I use to compare certifications.</p>
<p>(See parts <a href="http://www.starmind.org/2012/01/13/security-certification-23-learning/">2</a> and <a href="http://www.starmind.org/2012/01/13/security-certification-33-doing-and-teaching/">3</a>)</p>
<div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/starmind-blog?a=NYX4WTwJ1lg:udyy8lcY5rQ:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/starmind-blog?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=NYX4WTwJ1lg:udyy8lcY5rQ:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/starmind-blog?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=NYX4WTwJ1lg:udyy8lcY5rQ:D7DqB2pKExk"><img src="http://feeds.feedburner.com/~ff/starmind-blog?i=NYX4WTwJ1lg:udyy8lcY5rQ:D7DqB2pKExk" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=NYX4WTwJ1lg:udyy8lcY5rQ:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/starmind-blog?i=NYX4WTwJ1lg:udyy8lcY5rQ:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=NYX4WTwJ1lg:udyy8lcY5rQ:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/starmind-blog?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=NYX4WTwJ1lg:udyy8lcY5rQ:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/starmind-blog?i=NYX4WTwJ1lg:udyy8lcY5rQ:gIN9vFwOqvQ" border="0"></img></a>
</div>]]></content:encoded>
			<wfw:commentRss>http://blog.starmind.org/2012/01/12/security-certification-13-certifications-in-general/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.starmind.org/2012/01/12/security-certification-13-certifications-in-general/</feedburner:origLink></item>
		<item>
		<title>Angry Birds and Security</title>
		<link>http://feedproxy.google.com/~r/starmind-blog/~3/v9_MFiYY_JY/</link>
		<comments>http://blog.starmind.org/2011/12/14/angry-birds-and-security/#comments</comments>
		<pubDate>Wed, 14 Dec 2011 16:53:04 +0000</pubDate>
		<dc:creator>jmore@starmind.org (Josh More)</dc:creator>
				<category><![CDATA[Business Security]]></category>

		<guid isPermaLink="false">http://blog.starmind.org/?p=1087</guid>
		<description>There are many exciting projects going on at my new company, so when I started this post I thought I might talk about the new security website we’re building or how we’re expanding our security offerings in 2012. But then I realized it’s December and December blog reading should be fun… so you get a [...]</description>
			<content:encoded><![CDATA[<p>There are many exciting projects going on at my new company, so when I started this post I thought I might talk about the new security website we’re building or how we’re expanding our security offerings in 2012. But then I realized it’s December and December blog reading should be fun… so you get a post about improving your security with strategy lessons taken from <a href="http://www.rovio.com/en/our-work/games/view/1/angry-birds">Angry Birds</a>!</p>
<p>In the world of Angry Birds, we have a small group of birds that are serially preyed upon by a kleptocratic monarchy of green pigs. In this world, the pigs steal the birds’ eggs and hide them in poorly-constructed shelters while the birds fling themselves at the pigs in efforts of destruction. Despite this vicious onslaught perpetrated by the birds, the pigs continue in their egg thievery, thereby allowing for a continuing series of episodes.</p>
<p>Clearly, there is room for improvement in terms of both offense and defense.</p>
<p><strong>The Pigs</strong></p>
<p>Let’s start by analyzing the Pig Empire. Their goal is to obtain eggs. It is implied they are for eating, raising the uncomfortable question as to where the pigs get their bacon. However, they are inefficient. If they were to take a lesson or two from real-life attackers, they would change their operations in the following ways:</p>
<p><em>1) Preparation</em></p>
<p>The root of their constant downfall is they expend insufficient effort on shelter construction. Even a cursory inspection of history would indicate a high likelihood of retaliatory avian attack, so it would be wise to prepare. The average shelter is shabbily built and falls to a mere handful of birds. If the pigs focused on quality over quantity, they could invest in sturdier materials and protect far more pigs. Building defenses prior to egg theft would result in a much more successful attack as well.</p>
<p><em>2) Planning</em></p>
<p>Another problem facing the pigs is that the birds attack using a massive slingshot. I presume this provides additional impact force, but it does introduce a point of weakness. Modern attackers often focus on crippling their target’s ability to retaliate. In other words, if the pigs simply stole the slingshots when they stole the eggs, the birds would be seriously hampered in their efforts to counter-attack.</p>
<p><em>3) Sacrificial Hierarchy</em></p>
<p>It appears as though the pigs exist within a hierarchy consisting of a large king pig, a handful of mature leader pigs, some adult pigs and a large number of little pigs (that presumably cry “wee wee wee” all the way home). Malware teams have similar hierarchies, with the people funding development at the top, developers and project leaders below them, marketers below that and finally, those responsible for smuggling the money from your bank account overseas. If the pigs were to learn from this, they would hide their king and leaders in the best shelters possible, well out of reach of the birds, and draw their fire with an array of poorly defended little pigs. This structure allows for organizational continuity favoring the pigs and causes the birds to burn their resources inefficiently.</p>
<table>
<tbody>
<tr>
<td>
<div id="attachment_2723"><a href="http://blogs.rjssoftware.com/rjsinformer/wp-content/uploads/2011/12/Design-Failure.png"><img src="http://blogs.rjssoftware.com/rjsinformer/wp-content/uploads/2011/12/Design-Failure-300x201.png" alt="" width="300" height="201" /></a><em>Common flaw of pig-based construction</em>
</div>
</td>
<td>
<div id="attachment_2722"><a href="http://blogs.rjssoftware.com/rjsinformer/wp-content/uploads/2011/12/Pigs-Better.png"><img src="http://blogs.rjssoftware.com/rjsinformer/wp-content/uploads/2011/12/Pigs-Better-300x218.png" alt="" width="300" height="218" /></a><em>A more secure design</em>
</div>
</td>
</tr>
</tbody>
</table>
<p><strong>The Birds</strong></p>
<p>The birds seem to be structured as a loose confederation. Much in the way business owners band together to discuss and develop shared defenses, birds of more than one feather collaborate to combat the pigs’ designs. Just as there is room for improvement on the part of the pigs, there are areas where the birds could learn from the advice we give our clients as well.</p>
<p><em>1) Reduce Scope</em></p>
<p>First of all, the birds face the fundamental problem of constantly losing their eggs. The easiest way to protect against fundamental issues is to narrow the scope. If you’re protecting credit cards or health records, this means identifying the data and centralizing it for better protection. Now, in the case of eggs, there is clearly some risk from putting all one’s eggs in the same basket, but there is no rule that scope has to be limited that far. It could be limited to two or even three baskets. The key is to limit the scope as far as you can and then to boost the defenses around that area.</p>
<p><em>2) Improved Retaliation</em></p>
<p>Surprisingly, while the world of Angry Birds has a great many birds, none of them seem to be able to fly. This, as noted earlier, places them at significant risk from the loss of their slingshot. It also means their attacks must all originate from a single point. In the business world, we have several areas from which we can detect and respond to attacks. We detect attacks with technology, forward issues to security teams and law enforcement and, where needed, involve a judicial system. Similarly, an avian attack should be mounted from numerous locations. It should not require a specific bird attack from the East. Any flight-capable bird should be able to respond to attack.</p>
<p><em>3) Agility</em></p>
<p>Agile security involves being aware of your environment, your capabilities and your attackers’ capabilities. You can then make defense plans and execute quickly in the case of attack. There are times when the appropriate response is to tighten security, others when one should involve law enforcement and still others where it makes sense to allow the attack and learn as much from it as you can.</p>
<p>In the case of the birds, while they seem to be masters of resource utilization (expending minimum force to achieve their goals), there is still room for improvement. Their technique works because they face an enemy that fails to adapt. If this ever changes though, it would be impossible to regain the eggs and the birds’ continued existence would be at risk. Simply reviewing the Pig Empire defenses and dynamically selecting the number, species and order of attack would allow a significant increase in agility.</p>
<div id="attachment_2725"><a href="http://blogs.rjssoftware.com/rjsinformer/wp-content/uploads/2011/12/Massive-Attack.png"><img src="http://blogs.rjssoftware.com/rjsinformer/wp-content/uploads/2011/12/Massive-Attack-300x218.png" alt="" width="300" height="218" /></a><em>Improved Attack Method Adapted To Environment</em>
</div>
<p><strong>Conclusion</strong></p>
<p>Perfect security is impossible so there are inevitable flaws on both the part of the birds and the pigs. While today’s birds are able to achieve their goals, if the enemy boosts their capabilities, the birds’ limited structure puts them at serious risk. The problem is that eggs keep getting stolen. If the birds improve their defensive strategy to such a point that egg theft drops significantly, the pigs might find it substantially easier to obtain sustenance from another source… Falldown 3D, perhaps.</p>
<p>Launching attacks is easier than defending against them. An attacker must only succeed once, but a good defender has to be vigilant all the time. A small improvement on the part of the pigs’ attack would place the birds themselves at risk of extinction. So it is essential that the birds improve their defenses and capabilities. With luck, they’ll manage to do this before things reach a point of criticality.</p>
<p>&nbsp;</p>
<p>(This post originally published at the <a href="http://blogs.rjssoftware.com/rjsinformer/index.php/2011/12/13/angry-birds-and-security/">RJS Informer</a>)</p>
<div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/starmind-blog?a=v9_MFiYY_JY:Lsl7vrVV_Jg:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/starmind-blog?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=v9_MFiYY_JY:Lsl7vrVV_Jg:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/starmind-blog?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=v9_MFiYY_JY:Lsl7vrVV_Jg:D7DqB2pKExk"><img src="http://feeds.feedburner.com/~ff/starmind-blog?i=v9_MFiYY_JY:Lsl7vrVV_Jg:D7DqB2pKExk" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=v9_MFiYY_JY:Lsl7vrVV_Jg:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/starmind-blog?i=v9_MFiYY_JY:Lsl7vrVV_Jg:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=v9_MFiYY_JY:Lsl7vrVV_Jg:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/starmind-blog?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=v9_MFiYY_JY:Lsl7vrVV_Jg:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/starmind-blog?i=v9_MFiYY_JY:Lsl7vrVV_Jg:gIN9vFwOqvQ" border="0"></img></a>
</div>]]></content:encoded>
			<wfw:commentRss>http://blog.starmind.org/2011/12/14/angry-birds-and-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.starmind.org/2011/12/14/angry-birds-and-security/</feedburner:origLink></item>
		<item>
		<title>It’s a matter of trust</title>
		<link>http://feedproxy.google.com/~r/starmind-blog/~3/DvTfN7y-LdI/</link>
		<comments>http://blog.starmind.org/2011/12/09/it%e2%80%99s-a-matter-of-trust/#comments</comments>
		<pubDate>Fri, 09 Dec 2011 13:52:35 +0000</pubDate>
		<dc:creator>jmore@starmind.org (Josh More)</dc:creator>
				<category><![CDATA[Business Security]]></category>

		<guid isPermaLink="false">http://blog.starmind.org/?p=1079</guid>
		<description>Warning: this blog entry covers sensitive current events and some of the links may use strong language. When a big news story hits, do you ever notice a pattern or significant fact, that despite 24/7 coverage, everyone appears to be missing? The world has had three events in recent weeks get considerable attention throughout television, [...]</description>
			<content:encoded><![CDATA[<p><em>Warning: this blog entry covers sensitive current events and some of the links may use strong language.</em></p>
<p>When a big news story hits, do you ever notice a pattern or significant fact, that despite 24/7 coverage, everyone appears to be missing? The world has had three events in recent weeks get considerable attention throughout television, newspapers, radio and social media; and each of these events are catastrophes that occurred because of poor policy choice and unplanned reactions. Let’s briefly explore them.</p>
<p><strong><br />
PayPal v. Regretsy</strong></p>
<p>Paypal is known to “freeze” the assets of somewhat questionable groups. However, many are saying they crossed the line by pulling the plug on a fundraising effort to get Christmas gifts for 200 children in need. Yep, you read that right. Paypal followed their policy and <a href="http://www.regretsy.com/2011/12/04/fuck-you-paypal/">basically profited three times</a> off of preventing children from receiving gifts. Is it surprising that this blew up in their face?</p>
<p>April Winchell, of the popular website Regretsy.com, wrote up <a href="http://www.regretsy.com/2011/12/04/fuck-you-paypal/">her story</a> and published it online <a href="http://www.regretsy.com/2011/12/05/cats-1-kids-0/">with a follow-up</a>. Not only did she get a massive movement behind her, but due to the fame of regretsy.com and the nature of what Paypal’s employee said, the story went viral and is being spread throughout Facebook, Twitter and other social networks. The story has been reported so widely that there are now over 20,000 hits on Google with titles like:</p>
<p>- <a href="http://www.geek.com/articles/geek-cetera/paypal-ruins-christmas-for-over-200-kids-2011126/">PayPal ruins Christmas for over 200 kids</a></p>
<p>- <a href="http://geekasms.us/2011/12/06/paypal-getting-flamed-over-regretsy-fiasco/">Paypal has no problem ruining Christmas for Children</a></p>
<p>- <a href="http://ireport.cnn.com/docs/DOC-713002">Paypal – The Christmas Grinch</a></p>
<p>There are posts claiming “Paypal is evil” and people should “stop doing business with them immediately.” On top of that, there is a <a href="http://consumerist.com/2008/06/all-the-secret-paypalebay-email-addresses-and-phone-numbers-you-could-ever-want.html">public list</a> of Paypal and Ebay employee phone numbers and email addresses being spread along with this story.</p>
<p><strong><br />
Carrier IQ</strong><br />
As we have <a href="http://blogs.rjssoftware.com/rjsinformer/index.php/2011/10/04/htc-we-have-a-problem-and-want-answers/">covered</a> <a href="http://blogs.rjssoftware.com/rjsinformer/index.php/2011/12/05/carrier-iq-part-2-it-gets-worse/">previously</a>, Carrier IQ is the company that writes activity-monitoring software for cell phone providers. Some call it <a href="http://www.xda-developers.com/android/the-rootkit-of-all-evil-ciq/">the rootkit of all evil</a> but others say <a href="http://vulnfactory.org/blog/2011/12/05/carrieriq-the-real-story/">it’s not so bad</a>. The news started within a rather small technical community, but rapidly expanded throughout the internet and has resulted in <a href="http://www.forbes.com/sites/andygreenberg/2011/12/02/and-now-the-lawsuits-class-actions-hit-carrier-iq-htc-and-samsung/">a class action lawsuit</a> and <a href="http://news.cnet.com/8301-31921_3-57336878-281/senator-presses-wireless-providers-for-carrier-iq-answers/">a Senate inquiry</a>. Carrier IQ’s customers <a href="http://www.businessweek.com/news/2011-12-05/at-t-sprint-sued-by-customers-over-carrier-iq-tracking-software.html">are also being sued</a>.</p>
<p><strong><br />
Pepper Spraying Cop</strong></p>
<p>Most everyone today knows the <a href="http://www.youtube.com/watch?v=6AdDLhPwpp4">story</a> about the cop that sprayed pepper spray in the faces of protesters at the University of California-Davis. While such events happen often, the fact it was captured with cameras and posted all over the internet made it famous. The incident has started <a href="http://www.thenation.com/article/164501/paramilitary-policing-seattle-occupy-wall-street/">a national discussion</a> about militaristic police forces, a <a href="http://www.cbsnews.com/8301-201_162-57329900/uc-davis-pepper-spray-cop-once-lauded/">personal investigation</a> into Lt. John Pike and <a href="http://peppersprayingcop.tumblr.com/">endless</a> <a href="http://knowyourmeme.com/memes/casually-pepper-spray-everything-cop">parodies</a>.</p>
<p><strong><br />
What does this mean?</strong></p>
<p>In each case, someone did something no rational person would do if presented with the given scenario. The various parties all defended themselves by citing law and policy, yet each instance caused a catastrophic public relations nightmare they may never be able to fix.</p>
<p>If you asked John Pike, weeks before the incident, if he would ever walk past a line of passive college students and cover them with pepper spray, I’m sure he would have said no. If you asked the CEOs of ATT or Sprint a month ago if they ever thought about tracking every single action their customers took on the internet, they would have dismissed the idea as ridiculous. If you asked the leadership of Paypal if they planned to steal money from impoverished children for Christmas, they’d have called you insane.</p>
<p>Yet, each of these events happened. Why? It comes down to policy. Policy’s role is to guide behavior. It sets expectations and makes individuals accountable. Sadly, the latter is often phrased in a negative manner so employees do the bare minimum to protect the organization and, in the process, open up the potential for these types of unfortunate events.</p>
<p><strong><br />
A better way?</strong></p>
<p>Think about what would have happened if the Paypal representative had taken the call and responded with “That sounds like a good cause to me. I’m not authorized to allow it, but let me get my boss on the phone.” Maybe their officers wouldn’t have gotten inundated with spam and phone calls. Maybe their name wouldn’t be equated with thievery and evil. Maybe working with the offended party would be a better approach than <a href="https://www.thepaypalblog.com/2011/12/regretsy-issue-resolution/">a half-hearted apology</a>.</p>
<p>Similarly, what if Carrier IQ had entered into discussions with TrevE about his findings and then worked with ATT and Sprint to resolve the issue instead of immediately going to the legal system (and getting trounced)? Maybe the whole issue could have been avoided.</p>
<p>Lastly, what if Norm Stamper’s reforms of the police system gained traction? Maybe Occupy UC-Davis would have looked a lot more like <a href="http://thegazette.com/2011/11/02/iowa-city-modifies-occupy-iowa-city-permit/">Occupy Iowa City</a>.</p>
<p><strong><br />
It’s a matter of trust</strong></p>
<p>When I write policy for a client, the goal is to protect the business from mistakes made by employees. The goal is never to restrict employees to the point their only answer is always what the rule book states regardless of gray area. If you need something done exactly the same way every time, use a computer. They’re actually pretty good at repeatable tasks. People, in contrast, are really good at facing unique situations and resolving them in creative ways. As soon as a policy prevents an employee from making improvements, there is no longer any use for the employee. Just automate that job and be done with it. If that’s not your goal, your policy is broken. You can fix it by looking for scenarios which can be read literally and, as a result, cause catastrophes like the ones mentioned above.</p>
<p>There are many ways to fix these problems, once they’re found. Some businesses give their employees discretionary budgets. What if Paypal had said “Sorry for the mix up, and since it’s a good cause, here’s $100 to buy a kid a present.” Some businesses have an official PR escalation team. What if TrevE’s report hadn’t been met with hostility, but instead they said “Huh, good point. If we give you $1,000 can you give us some consulting on doing this better?” Some organizations create an expectation of personal responsibility, where it is illegal to obey an illegal order. Might that not have helped things at UC-Davis?</p>
<p>If you’re going to have people working for you, you have to let them be people. Let the policy be the guideline and trust them to follow the guidelines. If you do not trust your policy to guide, and not prescribe, action, you need a new policy. If you do not trust your people to be guided by a good policy, you need new people.</p>
<p>&nbsp;</p>
<p><em>This blog entry was originally posted over at the <a href="http://blogs.rjssoftware.com/rjsinformer/index.php/2011/12/07/its-a-matter-of-trust/">RJS informer</a>.</em></p>
<div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/starmind-blog?a=DvTfN7y-LdI:oHP2zkQrrUw:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/starmind-blog?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=DvTfN7y-LdI:oHP2zkQrrUw:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/starmind-blog?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=DvTfN7y-LdI:oHP2zkQrrUw:D7DqB2pKExk"><img src="http://feeds.feedburner.com/~ff/starmind-blog?i=DvTfN7y-LdI:oHP2zkQrrUw:D7DqB2pKExk" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=DvTfN7y-LdI:oHP2zkQrrUw:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/starmind-blog?i=DvTfN7y-LdI:oHP2zkQrrUw:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=DvTfN7y-LdI:oHP2zkQrrUw:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/starmind-blog?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=DvTfN7y-LdI:oHP2zkQrrUw:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/starmind-blog?i=DvTfN7y-LdI:oHP2zkQrrUw:gIN9vFwOqvQ" border="0"></img></a>
</div>]]></content:encoded>
			<wfw:commentRss>http://blog.starmind.org/2011/12/09/it%e2%80%99s-a-matter-of-trust/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.starmind.org/2011/12/09/it%e2%80%99s-a-matter-of-trust/</feedburner:origLink></item>
		<item>
		<title>Leaked Password Analysis – 2011-06 Edition</title>
		<link>http://feedproxy.google.com/~r/starmind-blog/~3/pL4tSt8Hym8/</link>
		<comments>http://blog.starmind.org/2011/06/29/leaked-password-analysis-2011-06-edition/#comments</comments>
		<pubDate>Thu, 30 Jun 2011 03:09:23 +0000</pubDate>
		<dc:creator>jmore@starmind.org (Josh More)</dc:creator>
				<category><![CDATA[Business Security]]></category>

		<guid isPermaLink="false">http://blog.starmind.org/?p=1069</guid>
		<description>As most of you likely know, several months ago saw a shift in how a certain type of attack was being done on the Internet. Instead of breaking into a website and simply stealing information, people began breaking into sites to steal information and then release it publicly on the Internet. It is not my [...]</description>
			<content:encoded><![CDATA[<p>As most of you likely know, several months ago saw a shift in how a certain type of attack was being done on the Internet. Instead of breaking into a website and simply stealing information, people began breaking into sites to steal information and then release it publicly on the Internet. It is not my intent to discuss the choice of targets or the motivations of these groups. Others have written plenty on this topic and really, if you&#8217;re not working for a target or one of the attackers, anything you can say about their motivations is likely to be guesswork at best.</p>
<p>Instead, I want to talk about the passwords. I&#8217;ve been following these leaks and collecting password information. My goal is not to break into people&#8217;s accounts or to discuss whether or not the leaked data supports the claims of either side. I only have one goal in doing this. I want to find out what I can about people and passwords so I can help everyone choose better ones. So here is my initial analysis. If time permits, I hope to come back to this and do the analysis with more rigor and dive more deeply. However, since my initial rough analysis is done, I wanted to share my preliminary findings. I think they&#8217;re interesting, so I hope that you will as well.</p>
<p>&nbsp;</p>
<p><strong>Data Set</strong></p>
<p>I&#8217;ve combed leaked data for all the cleartext passwords I could find. Realistically, this means that the passwords I&#8217;ve analyzed here fall into two categories. The first category is passwords that were stored unencrypted or very weakly. The second is passwords that were weak to begin with and were easily cracked by those who released the data sets or analyzed them later. So, the important takeaway here is that this is <strong>not</strong> an analysis of typical passwords used on the Internet. This is an analysis of <strong>bad</strong> passwords used on the Internet combined with passwords that were stored poorly. Still, since I want to learn what not to do, this seems like a worthy use of my time.</p>
<p>The data set exceeded half a million passwords&#8230; but likely involved some duplicate records. I hope to tighten up the analysis in my next go-around.</p>
<p>&nbsp;</p>
<p><strong>Common Passwords</strong></p>
<p>Everyone starts these analyses with a list of the most common passwords. I do not wish to disappoint, so here is what I found.<strong> </strong></p>
<p><img class="alignnone" title="Common Passwords" src="/images/password-2011-06/CommonPasswords.png" alt="" /></p>
<p>So what can we learn from this? First of all, note the number of passwords that are just numbers. <em>123456, 12345678, 12345, 111111, 1234, 1234567, </em>and<em> 123456789</em> were seven of the top 20 bad passwords. This is ridiculous. Who on earth thinks this is a good idea? A lot of people, apparently.</p>
<p>Second, notice the surprisingly large number of people who thought that <em>trustno1</em>, <em>baseball</em> and <em>superman</em> were good choices. Perhaps choosing passwords based on popular culture is unwise.</p>
<p>&nbsp;</p>
<p><strong>Password Lengths</strong></p>
<p>I then looked at the average password length. There&#8217;s not <strong>much</strong> of a surprise here, but here&#8217;s the graph if you&#8217;re interested:</p>
<p><img class="alignnone" title="Common Password Lengths" src="/images/password-2011-06/CommonPasswordLengths.png" alt="" /></p>
<p>What I found most interesting was how relatively few passwords were seven characters long. I expected six and eight to be large, but not for seven to be so small. Also, note how quickly it drops off after 8. Nine characters and up are ridiculously rare.</p>
<p>&nbsp;</p>
<p><strong>Keyspaces</strong></p>
<p>This is where things get interesting. We have been talking for years about how people should use a mix of lower case, upper case, numbers and symbols in their passwords. I don&#8217;t want to bore you with math, but the reason is that the more characters you have to pick from, the longer it&#8217;s going to take to guess the password. If, for example, your password is one character long and you use a lowercase letter, and the attacker tries those first, it will only take 26 tries to get it. If you use a character from any of these sets, it will take 26 (lower case) + 26 (upper case) + 10 (numbers) + 32 (symbols) = 94 tries. If your password is longer, then it becomes increasingly harder.</p>
<p>Let&#8217;s use a few pictures to make this easier to talk about.</p>
<p><img class="alignnone" title="What We'd Like To Think" src="/images/password-2011-06/password_space1.png" alt="" width="533" height="573" /></p>
<p>&nbsp;</p>
<p>This is what we&#8217;d like to think people are doing. We know that not everyone is following our advice, but at a guess, we&#8217;d expect there to be a reasonable mix of people doing it the right way and some overlaps within the other spaces.</p>
<p>&nbsp;</p>
<p><img class="alignnone" title="This Is Where We'd Like People To Be" src="/images/password-2011-06/password_space2.png" alt="" width="495" height="489" /></p>
<p>Our ideal, of course, would be to widen the overlapping space. This way, more people are using more complex passwords and would be safer.</p>
<p>&nbsp;</p>
<p><img class="alignnone" title="And This Is Where They Are" src="/images/password-2011-06/password_space3.png" alt="" width="697" height="575" /></p>
<p>&#8230; and this is where we actually are today. The spaces aren&#8217;t the same size, which isn&#8217;t terribly surprising I guess. However, not only did I not expect the special-character space to be so small, I also didn&#8217;t expect the overlap to be so tiny. In fact, of the 519,229 I analyzed, only 315 had a mix of lower case letters, upper case letters, numbers and special characters. No wonder they got hacked. This means that only <strong>0.06%</strong> of all the passwords could be considered minimally secure.</p>
<p>Really&#8230; is it <strong>so</strong> hard to add an exclamation point or question mark in there somewhere?  Here, I&#8217;ll even give you some you can use.  I mean, really!?!?!?!?!?!?</p>
<p>&nbsp;</p>
<p><strong>Other Metrics of Interest</strong></p>
<p>When I compared the list of passwords to itself and weeded out the duplicates, I found that <strong>65.71%</strong> of the passwords overlapped. I must say, folks are just not as creative as I had hoped.</p>
<p>For those that follow math, the average entropy score of the password set was 29.63. I hope to make a neat graph comparing entropy to things like length and commonality, but will apparently have to get more proficient with better graphing tools first. My existing tools found graphing 500,000+ data points somewhat challenging.  :)</p>
<p>When I ran the list of passwords against the standard Linux word list, I got 85,196 hits out of 178,049 unique passwords. That&#8217;s a 47.85% rate of people that aren&#8217;t even trying. Again, we&#8217;re talking about the easily-cracked passwords, so this number is inflated&#8230; but it&#8217;s still <strong>much</strong> too high.</p>
<p>Surprisingly, I did not see many passwords that were just dates. Those stories of people using their kids&#8217; birthdays as passwords seem to have been exaggerated&#8230; or perhaps people today don&#8217;t care about their kids very much.  :)</p>
<p><strong>So What Do We Do?</strong></p>
<p>Given that this was a set of easily broken passwords, the key thing to do to prevent your password from being broken is to make sure it does not fit these patterns. This means:</p>
<ol>
<li>Use a mix of lower case letters, upper case letters, numbers and special characters. Use at least one of each.</li>
<li>Make your passwords longer than eight characters. To lie outside of this data set, 10 would be fine. Personally, I&#8217;m going up to 16. After all, if you can remember an eight character password, you should be able to remember two of them stuck together.</li>
<li>Avoid basing your password on popular culture, sequences of numbers (or keys on the keyboard) or sports. Those passwords are much more common than you&#8217;d think.</li>
</ol>
<p>That&#8217;s it. If you do these three steps, you&#8217;ll be <strong>well</strong> outside of this data set and therefore, much less likely to get your password stolen. Of course, the one thing I couldn&#8217;t measure was how much these passwords are shared between accounts of the same person. The 65.71% overlap rate suggests that there is a lot of this going on, but I can&#8217;t prove it. Still, it&#8217;d be a good idea not to do that.</p>
<p>Do these suggestions sound familiar? They should. If you&#8217;re still not following them, maybe you should. We don&#8217;t suggest them to be annoying or to help protect against some amorphous threat in the future. <strong>We suggest it because if you don&#8217;t follow these rules, you will be hacked. </strong></p>
<p>We&#8217;ve just seen it happen.</p>
<p>Over half a million times in the last six months.</p>
<div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/starmind-blog?a=pL4tSt8Hym8:IL2eTDQ7S78:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/starmind-blog?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=pL4tSt8Hym8:IL2eTDQ7S78:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/starmind-blog?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=pL4tSt8Hym8:IL2eTDQ7S78:D7DqB2pKExk"><img src="http://feeds.feedburner.com/~ff/starmind-blog?i=pL4tSt8Hym8:IL2eTDQ7S78:D7DqB2pKExk" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=pL4tSt8Hym8:IL2eTDQ7S78:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/starmind-blog?i=pL4tSt8Hym8:IL2eTDQ7S78:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=pL4tSt8Hym8:IL2eTDQ7S78:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/starmind-blog?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/starmind-blog?a=pL4tSt8Hym8:IL2eTDQ7S78:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/starmind-blog?i=pL4tSt8Hym8:IL2eTDQ7S78:gIN9vFwOqvQ" border="0"></img></a>
</div>]]></content:encoded>
			<wfw:commentRss>http://blog.starmind.org/2011/06/29/leaked-password-analysis-2011-06-edition/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		<feedburner:origLink>http://blog.starmind.org/2011/06/29/leaked-password-analysis-2011-06-edition/</feedburner:origLink></item>
	<copyright>Copyright 2007</copyright><media:credit role="author">Josh More</media:credit><media:rating>nonadult</media:rating><media:description type="plain">Fuzzy Business</media:description></channel>
</rss>

