In the wake of my last post, over the past year I’ve found myself reflecting on how often I crash up against incompatibilities in existing cybersecurity frameworks when working with small businesses. The current status quo has not only persisted in the face of criticism for at least a decade, if anything it has gotten worse with the increased pressure from cyber insurers, big business customers, and governments - who have only grown more forceful in their insistence that their small business counterparts adopt the same bloated and resource-intensive enterprise standards and best practices as they use.
Well, eventually I came to the conclusion that “someone” needed to create a new framework especially for small business, but the fact that it hasn’t happened yet meant that “someone” was evidently going to have to be me. So it was that I decided to create
OpenCASE - the Open Cybersecurity Architecture for Small Enterprise.
XKCD comic be damned.
It’s 2024. In the past 10 years we’ve seen the explosion of cloud computing and the transformation of business IT. We’ve been through a global pandemic that rapidly accelerated the adoption of remote work technologies and distributed workforces. The majority of businesses I work with these days have no servers, no internal network, and in some cases, not even an office. These changes have completely re-written the rule book (well OK, not completely) on the practicalities of cybersecurity for such businesses, upending long-held base assumptions and decades of “best practice”.
For the most part, unfortunately, cybersecurity standards and frameworks have failed to keep up, remaining firmly rooted in the past and wedded to legacy concepts like “the network”, “trusted locations”, and “teleworking” like it’s still 2004. To be honest, most of the well known standards have barely evolved since the concept of “computer security” was invented, just a few tweaks around the edges to account for new jargon and incremental advances on tools and techniques. It seems very much like no one has ever bothered (dared?) to question whether some of these concepts are still relevant, or whether the radical shifts towards cloud and decentralisation might require a ground-up rethink.
Welcome back, gentle reader. When I last left you, we were just heading into round 2 of CFP for this year’s Australian Cyber Conference. I had hoped that my words might spur a jump in the quality of submissions we received for round 2. To be fair, I’d say overall there were fewer submissions which were obviously lazy and/or half arsed, but in general there was still a lot of room for improvement. So, here I am again, venting my frustration, er, offering some constructive advice about how to write a CFP submission that has the best chance of being accepted…
I made this post on Linkedin earlier this year, when the blog was still collecting ether-dust. I decided to publish it here because it was very well received, mostly by people who are on other conference committees and review boards. It’s not my intention to discourage anyone from submitting a talk to a conference, quite the opposite in fact. Conference organisers want lots of submissions, but they need them to be good. Hopefully this will help some of you who are thinking about it hit the mark.
TL;DR: Be clear, be concise, be qualified.
So yeah, it’s been a while since I last posted to this blog. Quite a while in fact. What happened? How did the thing with speed cameras go? If you’re hoping for some sort of fantastic story about how I was rendered to some nameless island in Indonesia by the government for exposing their evil plans, I’m afraid this time there isn’t one. The truth is I just got bored. As the court case receded further into the past it became less interesting to think about, and I just didn’t feel like writing the rest down. With the series unfinished however, I also didn’t feel like I could move onto new topics, so I just let the thing rot…
If you’ve been waiting all these years to hear the thrilling conclusion, the short version is that I lost. The laws are written in a way that makes them almost impossible to challenge, and the real lawyer I was up against dismantled all my arguments (though it at least took him longer than he was expecting). I avoided having to pay their costs on a technicality, but they made it pretty clear that if I tried a similar thing again I probably wouldn’t be so lucky.
Anyway, I finally feel like enough time has passed that I can revive this blog. I also really like this domain and I feel bad leaving it to rot. So, expect some new content. I can’t make any promises about how long it’ll be until I get bored again, but until then, buckle up and get ready for some rants.
In the process of making my application to force disclosure under the Criminal Procedure Act, I did a lot of reading to try and get my head around the legal technicalities of what I was trying to do. It was during this research that I first began to get a feel for how draconian a piece of legislation the Road Safety Act is. As I read through the various sections which were relevant to my charge, it became increasingly clear that the Act had been written very deliberately to place motorists at a distinct disadvantage when legally contesting any charges against them, with the obvious but unstated intention of discouraging people from even bothering.
My education on the ins and outs of the Victorian criminal justice system began with the Criminal Procedure Act. Included with my charge sheet were some instructions on how I could get more information from the informant about the charge, in my case a police officer from the Traffic Camera Office. Following these instructions, I sent the officer in question an email with my list of things I wanted him to provide.
So I decided to challenge an infringement notice for speeding, what now? In my previous post I briefly described the grounds on which I intended to challenge my infringement notice; in this post I’ll talk through the beginning of what turned out to be a long and drawn out process.
Firstly, I’d like to make one thing absolutely clear - you should ALWAYS challenge an infringement notice. The economic viability of the entire system is predicated on the assumption that most people will just pay.
We’ve all heard the old adage “Never bring a knife to a gunfight”. It can be adapted to all sorts of situations. Recently I learned that you shouldn’t bring cybersecurity to a legal fight either. Over my next few posts I’m going to tell you a story about how I tried to use my expertise in cybersecurity to challenge a speeding fine, and failed horribly. It was however a very educational and interesting experience, and unless you happen to be a real lawyer (like I wasn’t) you will probably learn a few things that surprise you if you follow along.
One of the biggest issues in cybersecurity this year has been third party assurance, particularly when it comes to big businesses working with smaller ones. The Accepted Wisdom among cybersecurity professionals for a few years now has been that the easiest way to hack a big company is usually by hacking a smaller service provider or contractor first. To deal with this threat, enterprise organisations did what they do best: come up with a complicated and inflexible assessment and compliance framework and then try to apply it equally to every third party they have any kind of relationship with.