Community


Today I lost a good friend from the security community.

Richard James was a security technologist and one of my friends. We first worked together in the fires of what became VirginMedia. I came out of self-imposed retirement after selling SmoothWall to head up a fledgling part of NTL, the former cable TV telco and broadband provider. Richard worked for the security team at Telewest, the other UK cable incumbent, the crux being that NTL and Telewest, both owned by Barclay Knapp, would come together to form VirginMedia.

I joined NTL at a time when I didn't want or intend to be working. I had made my money and retired in 2003 and had no reason or intention of being employed, having exited SmoothWall, and I certainly had no reason to want or need to work with idiots. So imagine my surprise when I got talked into digging NTL out of the crap, going in to head up what would not even be known as cybersecurity then but as a security customer function. I went to war daily with the existing "hardware network and security guys", working alongside some great folk, many of whom I am still friends with, who actually got little credit for keeping a 7m user network alive whilst their better paid bosses did little of anything credible and took the credit.

I scared the crap out of folk at NTL. I was hired to get them out of the proverbial: to realign their MTAs and their caches, to reduce customer service calls from tens of thousands of infected customers, and to sort out a badly deployed platform that I used to root at will, which is why by the time I left I was reporting directly to the Chairman and was his personal security and go-to guy for securing his Gloucestershire mansion and his London townhouse. By the time I left I was part of the team acquiring Telewest and also involved hands-on with the merger meetings that very few people knew about at NTL, even people I had to work with every day. Richard came along as part of the acquisition and was part of a small team of security folk who had worked miracles.

Press and customers assume a telco is well organised. Telewest wasn't. It was a sinking technical ship and their mail servers in Liverpool were held together with tape and string, and they took our lead in walled-gardening customers and in understanding how I built out whitelisting and greylisting and replaced the Sieve rules and the dumb stuff that we inherited when I joined, which made little to no sense.

It was just as hard for the incumbent security staff and management, who were mostly traditional Cisco types with almost no useful skillsets, and rightly they ran scared and rallied to kick back. Anybody who knows me knows that is when I'm at my best: I genuinely am not going to back down and I don't need the hassle or the money. If I tell you something is broken and it needs fixing or it will be hacked, take it as read. If the network team don't rate it as a risk, trust them or me.

The difference is that I had already hacked it, and here is your data on a USB key. That was an exercise we used to play out in the CEO's office whenever the network team would try to ask for my head on a stick, whilst I proved them to be old school and lacking in skills useful in dealing with modern cybercriminals. One Sunday I remember rooting an entire platform remotely and copying 300k subscriber bank account details to an external drive, then walking into the CEO's office and putting it on his desk after the network team had told them the platform was secure. Richard wet himself laughing.

It must have been hell for them because, with all the CISSPs and certificates in the world, they'd never met a hacker before and it was like taking candy off the proverbial baby. Even if I did take a £100k+ pay cut to take the job, to kill time rather than sit at home, it was still hopefully a learning curve for their future careers. Richard got it; he'd back me up regularly.

Luckily NTL had some amazing management in the form of Steve Townsend, Dom Forrest and Justin Leese, who would sit back and just let me do whatever I wanted. Consistently I would prove the point that it wasn't about me being right and them being wrong, but the fact that I would regularly break into critical systems and platforms and they wouldn't see me coming. It made life fun, that and the fact I had written into my contract that I never had to wear a suit and could work from home.

There is a well-known story that during this time I got bored, went to Spain for two weeks and replaced myself with a server running Perl scripts outputting Acrobat PDF reports on a cron that created daily emailed management reports, and nobody was any the wiser. It was essentially money for old rope, and it wasn't hard to shine in a bucket of crap. Richard thought it hilarious that someone could drop off the face of the earth and replace himself with nine Perl statements, PostScript and qmail, a fact nobody knew apart from a few other folk in the security team.

Richard got it; he understood the changing face of security. We had long discussions night after night during the acquisition process and we became firm friends at a time when people were reapplying for their jobs. He made himself safe by being honest, stoic and steadfast, and by being able to translate some of the threat management and identification stuff into a platform at Telewest pre-acquisition. He even became part of Chatham House rules projects with me with the intelligence services that only senior management at NTL and Telewest had awareness of, working with the betting industry, the Post Office and major banks on DDoS issues and threat mitigation. One evening Richard and I, along with Nigel Beighton (then LastMinute.com), found ourselves sat having dinner in The Dorchester Hotel in London with MI6 and Whitehall security folks. It was hilarious; it was like being at school and being invited to sit and eat with the teachers. We felt out of place even though we were there for good reason. After the 7th July attacks on London that feeling accelerated, with us both spending time working in London with the intelligence community.

When NTL and Telewest joined forces Richard became part of the host security team. I knew I'd had enough; I was bored. I was exiting stage left, knowingly, to go do exciting stuff, first for Bell Labs in California and Lucent Technologies (pre-Alcatel) and then in San Mateo to do Zimbra.

We kept in touch, talked regularly and met up at security shows, and were supposed to have dinner this week, but my wife and I had tickets to a music concert on Tuesday night. He was down from Glasgow at Aztec West, where he was staying while working for T-Systems in Germany doing security work with their partner EE, the multiplay cellular broadband player.

On Wednesday night we talked till 1am. We talked about doing another startup sometime in the distant future to give ourselves something to do when we hit our 50s, which isn't too far off, and where, just like SmoothWall, we'd throw the rule book out the window and employ our friends.

We talked about family. He was madly in love with his partner, who had been in a massive car accident 18 months ago and was about to have to face court to get damages, and he talked about how grateful he'd been that fateful day that she had been driving his BMW, which gave her a survival chance in the impact with a commercial goods vehicle. He knew I was happy; he was happy I was finally a dad after having spent the majority of my adult life in a very unhappy relationship where I would never have been one. He told me regularly I was punching above my weight with my amazing wife. We talked and laughed till 1am. He said that he was proud that my name would crop up in conversations and he could say he was my friend. That was one of the last things he said to me, less than two days ago. It will stick with me forever.

Thirty-six hours later I am sat having lunch when I receive word that he died suddenly this morning.

World. Shattered.

He was my friend. He liked music I couldn't dance to, and he had a sense of humour that would make you laugh till you hurt. He was a talented technologist, a man who loved his family and who was honest, decent and true.

Richard James, you were part of the change from traditional bricks-and-mortar security to a time where security is more intrinsic and fluid than ever before. I will do another startup one day and I will do it knowing you'd have been part of it and made it successful. You were one of the good guys; nobody could say a bad word about you. You made a dent in people's lives and you were, I am sure, the difference in me not embedding folk in whiteboards back in the day. A constant source of fun, bright-eyed, a bundle of fun and utterly reliable to your core. A true friend.

Rest in peace buddy, I am stunned at your passing and bereft that you aren't around to tell me crap jokes and be my DJ.

I land back in Britain jetlagged and wake up from a brief sleep to find the news flooding my phone's news feed that the Linux distro LinuxMint had a bad day at the office: ISO images with backdoors, and the forum and website rooted and modified, with some user data potentially stolen.

The thing with LinuxMint is that it's a great project with high user figures, easy to run, the go-to Linux for the user fed up with Windows, and even I have a couple of Mint laptops. However, it's never been "security first and foremost" in the minds of the tiny release crew.

This post isn't going to attack the team behind Mint. Mint is a great project, and its default build does a lot of things right that other distros get wrong. The default install lets you use whole-of-disk encryption, and it also lets you wipe the target disk and encrypt the user home directory, which other distros do not by default. That's a huge win for users. It's only let down by the default build not locking itself down with UFW or basic hardening out of the box, and by weak repository awareness, so a better security patching infrastructure isn't used. Anybody installing Mint who has a clue needs to spend 45 minutes post-build tying it down; once that's done your workstation is pretty damn tight, with one exception. That exception is underlying assured trust: can you be sure the image you just booted is the one the project built?
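The practical form of that trust question is the check every downloader should run before booting an ISO: does its SHA-256 match the project's checksum list, and does the project's detached GPG signature over that list verify? The script below is an added example, not code from the original post or from the Mint project; the filenames (`sha256sum.txt`, `sha256sum.txt.gpg`), the expectation that the signing key is already in your keyring, and the sample "ISO" in the usage comment are all assumptions. Note the ordering: a compromised mirror can replace both the ISO and the checksum list, so a checksum match on its own only proves the two files agree with each other, which is why the signature is checked first and a missing signature is treated as a failure rather than skipped.

```bash
#!/usr/bin/env bash
# Added example (not from the original post or the Mint project): verify a
# downloaded ISO against a checksum list and the detached GPG signature on it.
# File names and the presence of the signing key in the keyring are assumptions.
set -u

# verify_iso ISO SUMSFILE [SIGFILE]
#   0  checksum matches (and signature verifies when SIGFILE is given)
#   1  checksum mismatch
#   2  signature on SUMSFILE failed to verify
#   3  no entry for ISO in SUMSFILE
verify_iso() {
    local iso="$1" sums="$2" sig="${3:-}"
    local name expected actual
    name=$(basename "$iso")

    # Check the signature on the checksum list before trusting any hash in it.
    if [ -n "$sig" ]; then
        if ! gpg --verify "$sig" "$sums" >/dev/null 2>&1; then
            echo "signature check failed on $sums" >&2
            return 2
        fi
    fi

    # sha256sum lists entries as "<hash>  <file>" or "<hash> *<file>" (binary mode).
    expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) {print $1; exit}' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 3
    fi

    actual=$(sha256sum "$iso" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name: expected $expected, got $actual" >&2
        return 1
    fi

    echo "ok: $name matches $sums"
    return 0
}

# Usage (assumed file names):
#   verify_iso linuxmint.iso sha256sum.txt sha256sum.txt.gpg
# Treat any non-zero return as "do not boot this image".
```

The signature check uses `gpg --verify SIGFILE DATAFILE`, the detached-signature form, so the key must already be imported and you should have confirmed its fingerprint through a channel other than the mirror you downloaded from; a key fetched from the same compromised server proves nothing.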

The packages for LinuxMint and other Ubuntu-derived projects use so much bleeding-edge, community-derived, unsanitised code that it is very much a suck-it-and-see approach; e.g. you wouldn't deploy Mint in a commercial or workplace environment, or anywhere total data security was an issue. It's a lot more secure than Windows 10, so let's set that straight before we jump into the reasons why you shouldn't be using Mint now on an ongoing basis.

Mint, like many Linux distros before it, is built on love. Its maintainer is an amazing guy who has put heart and soul into his project and worked miracles to get regular releases out the door. It's regularly hailed by my friend Stephen J Vaughn Nicholls as a great distribution. A great distribution for hobbyists. You can't compare, say, Fedora and Mint. Fedora is built on engineering, by major engineering teams in the OSS community meeting at conferences worldwide (but still on a tiny shoestring budget and goodwill). Mint relies on Ubuntu but ignores some of the basic security doctrines that Ubuntu has built in (e.g. root user hardening) and also ignores some of the upstream patching conventions. It makes zero sense, but that's where we're at, and you'd think in 2016 there would be a more common-sense approach to understanding user/sudo segregation and risk avoidance.

The issue with the rooting of the website was just daft. Reading the timeline on the website, it looks to have been "handled quickly" and in good order, but the damage to reputation may already have been done. As a community project you never utterly control community-gifted mirrors, but you should have better controls over your portal and your storage of user data.

Already the finger pointing has started. I'm not sure it helps. One thing is for sure: this is a bad day at the office for a project that has given a lot of home Linux users a first taste of Linux. Mint is not a company with infinite resources and engineers; they're trying their best and marching on goodwill. Now is not the time to tar and feather; now is the time to just nod your head and realise that it was a bad day at the office, but one that was a long time in the making.

Nothing wrong with being a hobbyist; that's where so much goodness in the community is derived.

If you want a Cinnamon-flavoured workstation, install Fedora, install Fedy post-install, then install Cinnamon from the command line. Done. Secure and ready to go to work.

One of our friends, one of our team, one wearing a red hat with pride, is in the battle of his life and faced yet another huge skirmish today. I've mentioned before that we have someone in our midst who is desperately ill with a disease that this week has claimed two famous souls and is therefore on so many radars in the most raw fashion. Except this time for us it's personal. Someone who matters to all of us at Red Hat, who has given everything he has for the cause, needs some prayers and has our admiration, respect and unconditional affection.

Tonight I would welcome you to direct any prayers towards the Northern Lights for a man mountain whose bravery is without peer in my lifetime. Someone who means so much to many people on my friends list and who is not just a peer but so much more than I can ever be as a human. A father, one of my best friends, an Open Source apostle, a traveller, a journeyman who has helped carve the Red Hat story for over a decade.

As the light faded this evening a group of us who wear the scarlet fedora sent a request, no, a demand, a fervent commanding diktat to whichever idol we individually worship for the heedful and gentle loving care of one of our own.

This will be a long night, a long weekend. This hasn't been a battle, it's been a fucking onslaught; it's not been a scrimmage, it's been a campaign, and now the guns fall silent and we hope for a quiet, uneventful and peaceful armistice that creates a silent place where things start making sense.

Five years ago this week he and I, two mad Englishmen, drove in thick driving snow from Westford, Massachusetts to JC Penny across the state border in Nashua, New Hampshire to look at new iPads and pick up a MacBook for his wife, because that's what you do: risk your life to play with tech toys. The snowdrifts were the size of trucks, we were in a front-wheel-drive rented sedan, not a 4x4 or SUV, and we needed our heads looking at. Later that evening we would drive up into the hills, without a GPS and without a clue where we were going, for a team meeting, laughing and probably farting nervously every time the car skidded out. BOTH of our wives were pregnant at home in the UK and Sweden and, with hindsight, it was probably dumb, but we survived.

Every minute I've ever spent with him has been a joy: every conversation, every piece of guidance and every laugh delivered in his own inimitable style. Breakfasting with him, whiteboarding stuff we would go on to try and invent with no resources, watching him train and shape the first steps of new starters at Red Hat, saw him in his true light: getting the best out of everyone around him.

So tonight, dear friend, my companion in all things utterly politically incorrect, wrap yourself in all our love; every single drop of it is sent to cosset you as you roll up your sleeves and, Queensberry Rules, climb into the boxing ring for another pugilistic round with the demon that is this horrid disease.

This is for you, because you would laugh like a drain. Also, he's your double!

We adore you. Ding Ding, seconds out, round 10 ....

News breaking tonight of the sad passing on Monday of Ian Murdock, founder of Debian.

It's not wise to speculate, nor should anyone start openly discussing the reasons behind his death. Right now, concentrate on his achievements. Personally I'm just gutted he never got the chance to demonstrate his brilliance at Docker after joining them so recently.

I can't imagine the personal torture he endured the last few days, nor do I want to speculate on his state of mind. More, it's the tragic loss of someone who gave so much at a formative stage of open source, when we were all finding our feet.

What he co-created has lasted and given birth to so many derived versions. His attitude to packaging and release, and his influence on others, will long be remembered.

Life is fragile. Go hug someone who needs it. You never know the difference it will make. We should right now be thinking of his family and his kids and the pride he had in being a father. Everything else is just noise.