Backpacking In Europe – Two Weeks Of Flights 2021

This is somewhat of a “stream of consciousness” diary of my EU Flight Trip – 10/25/21-11/8/21. Yes, it’s long (it sums up over 40 hours of flying), and it veers off the security/hacking/risk content typically found here. But it’s a new hobby for me, and I do find it fascinating and instructive – especially in how to approach a new topic, establish that you are always learning, and experience things from a different perspective. Some of the terms are likely aviation-specific, so I apologize in advance (GA is General Aviation, airport codes may seem cryptic but can be easily Googled, etc…).

Day 1 – Basics

Getting to know OK-MMA was easy – it’s the same type of Cessna 172 I’ve been flying so far. The engine is brand new with less than 100 hours on it since major overhaul, the aircraft is nicely trimmed (no need for a heavy right leg on the rudder), and practicing a few takeoffs and landings from a grass airfield has proven to be quite easy to handle.

We took off in very clear weather and flew VFR to a few “sightseeing” airstrips to practice some navigation, aviation, and communication. Getting through the airspace is comfortable, with clear communications from the helpful “Praha Information”, and so was getting to our rest stop at Karlovy Vary. Making sure we cleared the Prague TMA, getting clearance to land was a breeze, and the sights along the way were stunning. Fall is in full force, and the colors of the trees and grass are picturesque.

Autumn at full force

Short break at LKKV, and we headed back on a fairly “low” flight (3,300ft to keep clear of the 3,500ft max under the Prague TMA) to LKMB for the final landing before lunch break.

Lunch at the restaurant (and my hotel) and prep for the night flight lesson, which is planned to start at 18:30 once twilight is over.

Taking off from LKMB to Brno, the flight was quiet and beautiful, as most of the navigation is done while keeping the highway within gliding distance in case of an emergency. Uneventful landing at Brno with a quick coffee stop before heading off to Ostrava (Mosnov Airport). Same weather (clear and quiet), but as we got to Mosnov we hit quite some turbulence as we started practicing “techniques” for the night VFR rating. Steep turns and stalls in high turbulence were less than optimal, but provided for a great training opportunity, followed by a few traffic patterns with some of the longest finals I’ve experienced (with 15kt headwinds it feels like landing in slow-motion). We concluded the night training with almost 4 hours clocked in for the night, and a couple of beers after refueling and parking at the airport.

Approaching Mosnov Airport for night training

Day 2 – Cross Country

Headed out from Mosnov (LKMT) towards Oradea (LROD) in Romania. Longer cross-country flight (2.6 hours) with stunning views as we crossed Slovakia and Hungary through the mountains (Tatra mountains). A quick refueling there and headed off to Targu Mures in the Transylvania area of Romania (more mountains). An hour and a half flight time, and we landed, and headed out to a nice local restaurant for some local version of Goulash.

The rolling hills between the Czech Republic and Slovenia
Crossing the mountain ridges in Hungary

Back to the airport, and we started heading back west to get to our night training in time. From Targu Mures (LRTM) to a quick refueling stop (and customs – always customs/passport when crossing so many borders outside the EU Schengen area) at the Slovakian airport of Poprad-Tatry, and we departed at night towards Ostrava. 2 hours of flight time (including the night training at Ostrava), and it was time for one final flight for my solo night flights. 5 clean takeoffs and landings later, I was ready to call it a day and crash, especially as the next day called for an early takeoff to get to the airport where my validation examination would be held, which is an hour flight away.

My night solo pattern work

Day 3 – Making it official

Early wake-up at Ostrava for a 7am takeoff in marginal VFR (light mist/fog rolling over the valleys in the morning time) and a beautiful flight to Jihlava where my examiner is. Another grass field airport with cool activities in it (firefighting, gliders, and an experimental shop that bolted a crazy turbo-prop engine to a Cessna 172).

Early morning mist across the Czech plains

The examination flight went well with additional tips from the examiner on navigation in the Czech Republic, and an hour and a half later I was given the all-clear to get my European (EASA) license validation.

At that time the fog/clouds north of us were still around Mlada Boleslav so we waited it out a bit before heading back on the 1-hour trip to “home base”.

More paperwork to make sure everything is in order for the CAA to issue my validation, more paperwork on producing the night training certification, and I finally drove (what’s that?) to the Prague airport to handle the CAA paperwork before the weekend as Thursday is a national holiday so they are closed, and Friday there’s no public admittance – which means this was my last chance to get the validation if I wanted to fly through the weekend.

Back to the hotel, catching up on a little work and family facetime, and starting to plan the Friday flights…

Day 4 – Rest, and flight planning/booking.

Had a lot of fun realizing that the Zurich airport is VFR friendly and has allotted slots through the day for VFR arrivals and departures in between the massive amounts of flights they are handling. Took their online training and got certified in the way of working there. Coordinated handling and parking, and set up everything for tomorrow to go through Munich (EDMJ – Jesenwang, right outside of Munich) to Zurich (LSZH).

Day 5 – Out for an adventure

The weather conditions on the planned route weren’t optimal but showed signs of clearing up. The main issue was a low dense fog that prohibited VFR flights over it (can’t see the ground = no go). Pushed back my departure a bit to allow for the fog to dissipate a bit more and took off from LKMB westward.

A light mist was still around in patches, but overall visibility was good and the crossing of the Kbely and Prague airspaces went smoothly. Once I reached the planned cruising altitude of 6,500’, however, I saw that the fog “front” was right in front of me. Slowing down to let the front dissolve didn’t prove to be very effective, and after circling a couple of times at the front of the fog line, I started looking for an alternate field to land at. The first choice (Horovice) was out as it was also foggy, and someone on the radio heard that I was looking for a clear airfield to land at and suggested Pribram (LKPM), which had clear VFR conditions. A neat approach and smooth landing, and I was back to planning.

Right side – VFR. Left side – nope.

Filed another flight plan to EDMJ for a departure 45 minutes later and was watching the weather reports on the receding fog front line ahead of me to the west. Once things seemed to be trending positive, I took off again and climbed back to cruise altitude (funny how they call it FL65 here where the transition altitude is 5,000’).

Managed to find a way through some of the Czech portions of the fog area and was clear and cruising in German airspace through rolling hills and serene scenery. However, the fog hit again. The mountain range that runs from Passau, through Deggendorf to Regensburg, essentially leaves the plains to the west of it locked in the low and dense fog, with zero visibility even when looking straight down through it. As I was flying along the fog line north-west, looking for either an area that I could cross towards or alternate landing sites, the helpful ATC was making calls on my behalf to see which fields were open. My first attempt was towards Regensburg (EDNR) which seemed to be right along the fog line but on the clear side. I could see ½ of the town next to the airport (Regenstauf), but the other half was covered, and after descending to examine whether these were low clouds or fog, I realized that fog it is, and there’s no way I’m attempting to go in there – not even knowing the airfield is 1km away.

Riding the fog line

Turned back and headed to the clearer areas in the valley where the national park of Bayerischer Wald is (as the fog didn’t get to it – the ridges to the northeast and southwest provided protection against it…). I remembered that on the way west I had noted an airfield just to my right and decided to check it out (EDNB at Arnbruck). Flew over there (all while coordinating with the helpful German ATC and listening to Foo Fighters) and managed to contact someone on the airfield frequency, who gave some hope that they were somewhat operational. He did mention there was no activity today, so I called in blind for the landing. Turned out the other person on the radio was in another Cessna and is the head instructor for the local flying club, who also called in the person that could refuel me. I responded to his “how quickly do you need the fuel, and how long do you need to stay” with a simple “I’m easy – take your time, I am on vacation and might stay here longer”. Turned out to be a great little town. Daniel, the “money person” of the club (who is also a pilot), was extremely friendly (as luck played it – he was on his way to the field to fuel his car) and provided great tips on flying in the local weather, and where to go next. We then also met up with Rolf – the CFI, who congratulated me on the nice landing (and the go-around on my first approach, since I was extra careful with the surrounding forested hills).

Arnbruck Airport

After fueling and parking my Cessna out of the way, I finished planning my next leg towards Innsbruck, with a scenic route that goes through Passau to take advantage of the geography that’s likely to keep the foggy areas out of my path and then towards the Austrian alps which had consistently clear weather so far (as well as forecasted ahead).

At that point, I decided that I’m not going to fall to “getthereitis”, and fully embraced the flexibility and the enjoyment from being able to fly anywhere, and everywhere I could (under the weather conditions) as the scenery is absolutely stunning.

Paid the extra 10EUR for parking overnight (cheaper than a couple of hours of parking in TLV or NYC) and booked the closest hotel for the night. The plan is to eat local food, drink local beers, and head out tomorrow morning-ish (10 am) southbound and “where the wind takes us”.

Arnbruck felt like a Disney theme park, but for real

Day 6 – To the Alps!

Started the day slowly as I was waiting for the morning fog in the valley to clear up. Took a while to get the plane ready as I had to scrape off the ice from the windshield, wings, and vertical stabilizer (a first for everything!).

Safety first – took a while to get all the frost off the wings and windshield

Warmed up the engine and prepped for a short field takeoff to clear the trees and houses at the end of the runway (the best direction, as the mist was still around). The scenery was beautiful again this morning, and the patches of fog across the hill ridges made it a fantastic area to fly by. Uneventful flight southbound towards Passau, Austria – a city that lies at the confluence of three rivers, and the detour was definitely worth it. One of the rivers was still filled with fog, while everything around it was clear. Amazing views, and pictures probably don’t do justice to it.

The rivers converging around Passau

Had to maneuver around some more fog, but the way towards the Alpine passes and into the Innsbruck valley was fine, and as I was getting close to the Alps the raw beauty of the mountains really pops at the altitude I was flying at (6,500’).

Getting close to the Alps
Alpine ridges – these are the northeastern parts of it

Going through the Alps in the valley between the mountains is an amazing experience, and so was the response from Innsbruck tower when I first made contact. “We were waiting for you…” Uh, that didn’t sound too great. Apparently, as luck had it, the Foehn kicked in – a nasty wind coming in from the south and generating wind speeds in excess of 60kt at the top of the ridges. The tower reported highly turbulent winds measuring 44kt, with a crosswind component of 22kt on the runway, and asked what I’d like to do. I checked with a small airfield I had spotted earlier in the valley whether they had fuel (AVGAS) and would welcome an unannounced visitor, and of course, they were happy to host guests. Called back to Innsbruck and told them I’d like to do a pass around the airport and then head back and land at Langkampfen (LOIK). As I was getting close, I realized that the winds were pretty vicious at that altitude (6,000’) and were getting worse. I was barely making 80kt ground speed and inching forward through the valley. I only managed to get a good look at the Innsbruck airport but decided to turn back after a nasty turbulence hit me. Everything in the plane jumped up and hit the ceiling – me included. I was thankful for being a little stricter with the seatbelt than the locals in the Czech Republic (who secure the shoulder strap in the back seat so they can just wear the waist strap). I was more thankful that as I was going into the turbulence, I had tightened the shoulder strap closer – to a point where I couldn’t lean forward. The jolt threw everything around the cabin, and my headset was the only thing separating me from a nasty bump to my head. We bounced so hard that the plastic housing that connects the yoke to the instrument panel broke off…

That’s Innsbruck airport and as much as it looks serene the wind was unforgiving

I immediately turned back after making sure everything was still working and in one piece, and informed the tower that I was heading back.

Langkampfen was a short grass strip nestled in the valley between the mountains, with active glider and GA activity. A go-around first – the wind speed difference between up in the valley (around 30-40kt) and down on the ground (2kt) made my final too fast and too high – and the second circuit resulted in a smooth landing on the grass.

Another highly welcoming group of people (who don’t take credit for refueling – which meant another trip to the bank with one of the locals), and I was back and getting my bearings after the nasty jolt in the turbulence.

Langkampfen is nestled in the Alpine valley

Planning my next hop, I was aiming for north-east Austria, but after chatting with the volunteer controller he mentioned Vilshofen in Germany, which has a nice airport, a great restaurant, and a small town right across the river. I remembered that other pilots had been talking about it, and it is just an hour away from my home base in CZ, so I quickly filed a flight plan and prepped the route over.

The flight from the Alps back to Germany was beautiful, with the clearest weather yet. Coming in for a landing at Vilshofen is an experience, as I circled the small town, and lined up for final while crossing the bridge just before touching down. Closing up the day in the town after checking into a local hotel (15-minute walk from the airport), and the plan is to (again) have great local Bavarian food and beers before heading back to Mlada Boleslav tomorrow.

Vilshofen as seen from the airport
Old town center Vilshofen

Day 7 – Back to LKMB and for a few days with Dorit (alone!)

Woke up to a beautiful day at Vilshofen, and to my surprise – completely clear of fog/mist around the river. After a quick breakfast (eating a soft boiled egg “old school” is an underappreciated skill), headed back to the airport to prep the plane and amend the flight plan, which I had filed for a 12:00 noon departure. The flight over was great – cruising at 7,500’ until I got close to the Prague TMA and couldn’t get a clearance to cross the class C, as Ruzyne was using the runway that covered my path, and then at 3,000’ with more up-close scenery until getting to Mlada Boleslav. Out of all the approaches and landings over the past week, somehow this was the weirdest, as there was definitely activity in the airspace, but I never expected to execute a parallel landing on the runway (16L and 16R) with another plane. As I was in the pattern (from base to final) someone just came in straight for the final, and fortunately I spotted him as I was completing the right turn. Apparently, he was ignoring my callouts from downwind and base and was aiming at the left runway, which I was going for. I quickly sidestepped to the right runway, called it out, and fortunately was ahead of him, but still made sure to touch down a bit further down the runway just in case. Guess there’s a first for everything – even for almost parallel landings on a grass airfield ;-). I was too busy trying to keep things safe, otherwise I would have definitely taken a picture of this.

Locked down the plane and headed to Prague to check-in to the hotel and wait for Dorit.

Heading back towards Prague

Day 10 – Quick Dresden trip

The weather was looking up, so we drove to MB from Prague to take the plane for a quick trip to Dresden. The flight over was quiet and quick, with a smooth landing at the Dresden international airport. Dorit was impressed with the follow-me and handling process for our little Cessna. We spent a couple of hours walking around the old town of Dresden, shopping, and admiring the architecture and restoration of the old buildings that were partially destroyed in the fire bombings.

Heading back to make it before sundown, we hit some clouds on the way back and managed to duck quickly below them, had a nice view of the castle and a smooth landing back on the grass strip at Mlada Boleslav.

Dresden sightseeing

Day 12 – Back at it

After spending a day “grounded” as the weather wasn’t playing nicely, I was headed back towards the Austrian valleys that are fairly unaffected by the low cloud coverage sweeping through the main plains of southeast Germany. Hence – Graz. With a route that takes me through Wien, and the areas surrounding the mountains I had all-clear weather to (not) deal with. A beautiful ride there, with a few altitude changes as the Wien class C/D airspace wouldn’t accommodate VFR flights with the busy weekend schedule, showed how the Wien FIS worked relentlessly to separate and warn VFR flights in the area. Considering the volume of airplanes that were around, and the fact that these were all flying “full VFR” it’s interesting to note how the Israeli controller is so busy over the weekends with flights going through prescribed routes and altitudes…

Approaching Graz international airport

Getting to Graz was another nice experience, where VFR flights are “first-class citizens” among the IFR and airliners, and following approach’s directions it was another smooth landing and a quick stop at the crew lounge to plan the next leg. Skipped refueling (cash only? No way…) and filed a plan for Krems after finding the small asphalt field north of the ridges that lead to the Alps. The tower controllers there seemed very welcoming (and accepted credit cards for landing and fueling). It also made for a good leg to cover the commercial license XC requirement.

An hour of flight time across the Alps and its stunning valleys nestling small towns (and airstrips), and Krems was sighted. A small town next to the Danube River, with an extremely active airfield packed with gliders and GA activity. After some small talk with the locals, I realized that it’d be a shame to waste the great weather and headed out for another quick flight and a touch-n-go at St. Georgen which is located further down the river. ½ an hour back and forth for the great views of navigating with the river path, and I was ready to call it a day at Krems.

Day 13 – Slovenia and back to the Czech Republic

The morning started with filing a plan to land at Maribor in Slovenia, which seemed to have the best weather options (between Zagreb and Bratislava) and a very friendly handling crew. The flight over there was (again) postcard perfect as the Alps crossing has become a feature of these flights (yet never gets old).

Crossing the lower ridges of the Alps at 9,000ft

And just as the clouds were starting to show up, I timed my descent towards the airport to make it to a straight-in approach via the visual approach routes. As promised – the handling crew was highly friendly, fueled me up within 5 minutes of landing (and took “regular” credit, even ApplePay…), and a quick break to plan the next leg. Initially, I was considering heading straight west towards the Italian coast and landing at Trieste, but watching the weather develop over eastern Germany and Czech, I decided not to risk getting stranded outside of the home base on the last day of flying and filed for a straight shot from Maribor to Mlada Boleslav.

The Maribor Airport

After a lengthy goodbye from Boris the handler at Maribor, I started up and took off on a straight line through the Alps towards home base. With clear weather and a smooth cruise at 9,500’, I managed to bypass the low-lying fog of the Bavarian valley and cross over to the Czech Republic. Halfway through the CZ, as the cloud base started forming at lower altitudes, I switched from FL95 to FL75, then to 60, and eventually to 4,500’ while maintaining VFR conditions (with a quick pass through two layers of clouds on my left that would have been VFR over the top with a close ceiling above – cool picture!). However, as I was getting closer to the hilly area separating the northern and southern parts to the east of Prague, the clouds were getting lower, up to a point where visibility of the hills was getting beyond my personal safety limits, and I started circling for an alternate landing site, at least until the weather cleared up.

My first alternate was close, but the clouds were closing in faster, and although I was just a mile short of the field, I could not visually identify it and decided to turn around. A second alternate proved to be much more visible, however with a strong crosswind it proved to be a good reminder to my training (and ended up being on my personal top-5 landings). Grass strip, and nobody on the radio to acknowledge I was even there, I landed at LKZB – Zbraslavice.

Parked at LKZB to wait for better weather

Completely alone, and in a field that didn’t have a single soul on it, I parked alongside an old, decommissioned jet fighter to let the weather calm down a bit.

After watching the worst part of the rain and strong winds die down, I started up again and lined up for a tricky takeoff – mostly crosswind component (I’d estimate around 15-18kt), a slight tailwind, and a damp/wet grass field.

A bumpy takeoff run, with a typical grass field hump that bounces the plane up for a “faux-wheels-up”, but I let it slide back down to pick up enough speed for a proper takeoff, and easily cleared the trees and small houses that lined the field. Vicious winds welcomed my takeoff, and I banked right into them to make sure I was getting the most lift I could (compromising on groundspeed) and got to a safe altitude from which I started navigating the low ceiling, strong winds, occasional rain showers, and obviously the terrain itself. After so many hours of flying across mountains and valleys at high altitude, the bumpy ride and constant wind calculations were less than fun, but definitely good training for wind corrections and navigation. Finding a good VFR path without compromising on my personal limits probably made this leg a bit longer, but overall it was a good experience, with a safe approach back to MB and slightly calmer weather on the final. By now a short and effective landing was the norm, and I parked trusty old OK-MMA back at the hangar for the day (possibly for the trip – pending tomorrow’s weather).

Day 14 – That’s a wrap

Given the limiting weather (Overcast with a ceiling ranging from 3,500’ to 3,000’) I opted to go out for a quick round trip to the first airport that “saved” me – Pribram. Located southwest of Prague in an area that typically doesn’t get the low mist/clouds. Used the opportunity of the low flight (2,000’-3,000’) to practice accurate altitude and heading and area navigation. Total back-n-forth with a full stop landing at Pribram and another smooth landing on the Mlada Boleslav grass strip marked the end of the trip (flying-wise).

That totals 41.6 hours of flights on OK-MMA in 30 flights and 51 landings, including the night VFR training and the license validation-related flights.

Elastic Permissions

Over the past two years my colleagues and friends have heard me talk about Elastic Permissions, and at some point I started hearing other people mention the term (yay for planting the seeds through consistently using a new term…). So I figured – for the sake of clarity, let’s put this out there for posterity.

The goal of applying the Elastic Permission model is to reduce the effective attack surface for an organization.

Elastic Permissions (can you tell I am an Amazon AWS veteran? 😉 ) is a model in which granted permissions are continuously evaluated against how they are actually used, and shrunk until the grant matches observed usage. Getting there requires three phases: mapping, measuring, and elasticity.

Mapping – in order to apply Elastic Permissions effectively, we first need a system that identifies all the users, accounts, roles, and assets, as well as the relations between them. Think of a graph where you can traverse from users to their accounts to the assets (whether data or functional/compute) along the edges formed by the effective set of permissions that tie them together. Now apply that to your organization, across all systems and platforms, including across platform boundaries (for example IaaS to SaaS, etc…).

Measuring – once you have the graph, the actual use of every permission should be measured. This needs to be recorded in a way that reflects usage over time, in order to identify patterns of seasonality, volume, and misuse/under-use. In essence, this phase applies weights to the graph: the higher the weight on an edge, the more that set of permissions is used.

Elasticity – based on the measurements and the difference between granted and used permissions, the system should revoke access dynamically. This means that unused (or rarely used) permissions are revoked. Additionally, permissions that have been identified as being used seasonally should be revoked while idle and re-granted in preparation for the usage period (then revoked again). Lastly – since some friction is to be expected when a permission is revoked incorrectly, the system should offer a native way to escalate and regain the privilege (for example through an MFA challenge), and feed that outcome back into future decisions about revoking the same permission set. Systems should also consider several grades of escalation based on the confidence level of the revocation: from granting access immediately, through a challenge-response to verify the user’s intent, to an out-of-band escalation to a manager or the SOC.

The end result, as stated in the Elastic Permissions goal, is a reduction in the effective attack surface. In my personal experience working with several systems like this, organizations should expect somewhere around a 70-80% reduction in standing permissions, but these numbers will depend on the complexity of the organization (how many platforms are used, and the relationships between them). It also lets the security organization focus on real incidents, since the elasticity acts as a sort of canary/honeypot: an attempt to exercise a permission that was revoked for non-use is a high-signal event, because the legitimate owner would have gone through the escalation path rather than silently trying it.
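The three phases above, and the canary effect just described, as an added illustration in Python. This is not code from the original post or from any product; the principals, permissions, assets, the twelve-period usage window, the quarterly pattern, and the confidence thresholds are all constructed for the example.

```python
"""Elastic Permissions sketch: map grants, measure their use, shrink to fit."""
from collections import defaultdict
from dataclasses import dataclass

WINDOW = 12        # periods of usage history kept per grant (assume months)
IDLE_PERIODS = 2   # no use for this many periods -> candidate for revocation


@dataclass(frozen=True)
class Grant:
    """One edge of the permission graph: principal --permission--> asset."""
    principal: str
    permission: str
    asset: str


class ElasticPermissions:
    def __init__(self, grants):
        # Mapping: the graph, keyed by edge. Measuring: a use count per period.
        self.usage = {g: [0] * WINDOW for g in grants}
        self.revoked = {}                            # grant -> revocation confidence
        self.false_revocations = defaultdict(int)    # learning signal per grant
        self.alerts = []                             # use of a revoked grant = canary

    def record_use(self, grant, period):
        self.usage[grant][period] += 1

    def classify(self, grant, now):
        """Return (state, revocation_confidence, next_expected_period)."""
        used = [i for i, c in enumerate(self.usage[grant]) if c]
        if not used:
            return "unused", 1.0, None
        # A grant we previously revoked by mistake earns a longer idle allowance.
        idle_allowance = IDLE_PERIODS * (1 + self.false_revocations[grant])
        if now - used[-1] < idle_allowance:
            return "active", 0.0, None
        gaps = {b - a for a, b in zip(used, used[1:])}
        if len(used) >= 3 and len(gaps) == 1 and (gap := gaps.pop()) > 1:
            return "seasonal", 0.2, used[-1] + gap   # regular, spaced-out use
        return "idle", (now - used[-1]) / WINDOW, None

    def evaluate(self, now):
        """Elasticity: revoke what is not used, re-grant just ahead of a season."""
        actions = defaultdict(list)
        for grant in self.usage:
            state, confidence, nxt = self.classify(grant, now)
            if state == "active" or (state == "seasonal" and nxt == now + 1):
                self.revoked.pop(grant, None)
                actions["keep" if state == "active" else "regrant"].append(grant)
            else:
                self.revoked[grant] = confidence
                actions["revoke"].append(grant)
        return actions

    def request_access(self, grant, now):
        """Graded escalation when a principal touches a revoked grant."""
        if grant not in self.revoked:
            self.record_use(grant, now)
            return "allowed"
        confidence = self.revoked[grant]
        self.alerts.append((grant, confidence))      # every such attempt is logged
        if confidence < 0.3:
            return "granted_auto"           # we were probably wrong to revoke
        if confidence < 0.8:
            return "mfa_challenge"          # verify intent with the user
        return "escalate_out_of_band"       # never used before: manager / SOC

    def restore(self, grant, now):
        """Called once an escalation succeeds: re-grant and learn from it."""
        self.false_revocations[grant] += 1
        self.revoked.pop(grant, None)
        self.record_use(grant, now)

    def reduction(self):
        """Share of mapped grants currently revoked (the attack-surface metric)."""
        return len(self.revoked) / len(self.usage)


def build_demo():
    """Constructed sample graph and usage history (not real data)."""
    alice = Grant("alice", "s3:GetObject", "bucket/reports")
    bob = Grant("bob", "iam:CreateUser", "account/prod")
    carol = Grant("carol", "rds:CreateSnapshot", "db/finance")
    dave = Grant("dave", "s3:PutObject", "bucket/uploads")
    ep = ElasticPermissions([alice, bob, carol, dave])
    for p in range(WINDOW):            # alice: steady monthly use
        ep.record_use(alice, p)
    for p in (0, 3, 6, 9):             # carol: quarterly job, next due at 12
        ep.record_use(carol, p)
    for p in range(6):                 # dave: busy early, then went quiet
        ep.record_use(dave, p)
    return ep, (alice, bob, carol, dave)


if __name__ == "__main__":
    ep, (alice, bob, carol, dave) = build_demo()
    for action, grants in ep.evaluate(now=11).items():
        print(action, [g.principal for g in grants])
    print(ep.request_access(bob, 11), ep.request_access(dave, 11))
```

Run at the end of the window, bob's never-used grant and dave's stale grant are revoked (a 50% reduction on this toy graph), carol's quarterly grant is re-granted because the next season starts in the following period, and alice is untouched. A later attempt by bob lands in out-of-band escalation, while dave gets an MFA challenge; both attempts are recorded as alerts regardless of outcome, which is the canary behaviour. The seasonality check is deliberately strict (equal gaps only); a real system would tolerate jitter.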

Incentives and metrics

“you have to be very careful of what you incent people to do, because various incentive structures create all sorts of consequences that you can’t anticipate”

Steve Jobs

Observation 1: As more companies are enforcing a work from home (WFH) policy these days, a new trend is starting to emerge. I’ve already observed at least 3 companies that started adding a “work from home” payroll addition to their employees, and with even more amusement I’ve heard employees gloat about it.

Observation 2: People and managers tell me how they are happy to see productivity not only remain stable, but improve. People are finding their “zone” much more easily without the distraction of the office environment, less wasted time on water cooler chats, less time spent on lunch breaks, and of course huge amounts of time saved on the commute.

I think that it’s only a matter of time until people start connecting the dots.

I’ll start with the first (quite miserable) realization: if you work for a company that boasts fancy office perks, you are underpaid, and you are incentivized to spend more time in the office. The latter is pretty obvious, and I’m sure you realized that when you signed up. The former usually takes a while to sink in. Look around the office, and count the money. All the people there catering to your needs, all the food, dry cleaning, cooks, massage therapists, and whatever other ostentatious perks you see, cost a lot of money. And all this money – is taken out of your pocket.

I had the luxury of having an opportunity to decide between two jobs – one with Amazon, and another with a large company that offered said perks, and quickly realized how the Amazon frugality translates into more employee satisfaction and more take-home pay. Simple – as an Amazonian, your perks end up being a $100 discount on shopping at amazon.com. Per year (manifested as a 10% discount on the first $1000 spent). And for the same role you are getting significantly more in your total compensation than with the other “fancy perks” company.

Question 1: Is this the time when both employees and companies realize that it’s time to start treating employees like adults (you need a massage mid-day – great, you are paid like an adult, so go ahead and book one)? This realization will have some significant effects on the workforce – less human capital needed to maintain the office environment (all those service jobs basically gone), but with the obvious other side of the coin – an opportunity for small businesses to offer the same services, at actual cost (not subsidized), as all those employees who are now paid more can consume them based on actual need.

It’s also the greener, less wasteful path – again, we’re switching to a model where consumption is actual and not pre-planned based on the number of employees.

Question 2: Setting aside the office environment side, and the realization that companies need to pay more to employees who counted on getting fed and having their ass wiped at the office (maybe that’s why people are buying stupid amounts of toilet paper), the productivity boost is hard to ignore. There are already entire companies working fully remote; my question is how many of the ones that have not embraced work from home (even on a partial basis) will realize this is something they need to start planning for and embracing, rather than trying to force butts-in-seats-at-the-office based on some 80’s era productivity book?

So to get back to Steve Jobs’ quote from earlier: it’s pretty clear how creating the wrong incentives has driven a culture that’s less productive and brings less value to both the companies and the employees, all in the name of “competitiveness”. Time to check what problems you are trying to solve again, and act a bit more like the engineers and scientists we are…

Full disclosure: I’ve been a proud Amazonian and still support many of the work culture elements from there. I’ve also been working remotely for over a decade, both as an IC and managing remote teams globally (pretty successfully as well).

The Product Versus Skill Pendulum In Security And The Need For Better Solutions

This post was originally published on Forbes

Security used to be easy: a fairly binary condition over whether you are protected or not, whether you are patched or not, or whether the port is accessible to outside IP addresses or not.

And then came complexity: overlaying different aspects of vulnerabilities. Factoring in application issues, platform bugs, OS patches, network configurations and user access controls has shifted the rather binary situation to one with a combinatorial number of states, where the interaction of a few individually acceptable weaknesses is what actually gets exploited. As such, we, as security practitioners, learned to use more skills in terms of threat modeling, secure development, honeypots and honeytokens for earlier detection, data-centric decision-making and an increased focus on education and training.

We’ve reached a point where products matter less and less. Remember when the first action when getting a new PC was to install an AV on it and try to beat the clock before it got exploited? Now, PCs are pretty much secure out of the box thanks to the native malware detection and mitigation tools that are part of the operating system.

However, when looking at the security industry, we still see a lot of relics of the old-school way of operating. I’m not looking to explore who’s to blame (VCs? Startups? Consumers? Analysts? Your bet is as good as mine), but a lot of security vendors still treat the world in a binary fashion. If you look at marketing claims, for instance, it’s either you have their product, or you are not secure.

This brings me to my main point: A lot of security organizations are already through the pendulum shift. They are much more data- and customer-focused and are prioritizing their risk decisions around this rather than around the binary checklist of products. If that’s the case, where does that leave most industry vendors, especially with products that are not designed around the customer’s actual needs?

As an example, our security organization at Cimpress has been pretty adamant about practicing this customer-focused approach. We make it clear what our needs are and the features/capabilities we’d like to have based on our threat models and current capabilities. However, this leads to several problems.

First, a lot of vendors don’t know how to address that. They have a list of features and their marketing pitch, and that’s it. We’re looking for specific answers, possibly answers that include road map milestones, and are not expecting a single product to address all of our needs. Vendors, on the other hand, find it difficult to adjust their sales process (and pricing) to address customers’ specific needs, leaving them frustrated after being told that we’re not using 80% of the product capabilities but would love to pay for the 20% we actually need.

Second, few vendors truly start by identifying needs on the customer side; most still start from a novel technical problem and build a solution to address it. So, we’re left with niche products that don’t address actual needs but get snazzy marketing backing. We end up pushing the pendulum further into the skills territory, forcing security teams to rely on their own skills and in-house tooling.

To top it off, this increased reliance on skill is deepening the skills gap we already have in the industry. We have an education process that focuses on specific areas of the security field, and training and education programs that are often product-focused. Meanwhile, generalists are becoming rarer and more expensive as demand for less product-centric and more data/process-centric expertise increases.

What to do? Simple: enjoy the sound of silence for a moment, especially as a vendor. Don’t incessantly ask what a potential customer’s current challenges are while trying to calculate what part of the answer you can anchor onto and sell your product through. We need to “shift left” that question from sales back to product design and even company inception. We need more smart people listening to what customers say about their needs and, rather than identifying where existing solutions can address them, trying to identify where there are partial or no solutions.

I’ve been fortunate to work with a few VCs and startups that do just that and have the foresight to validate these needs and keep driving their solution to address them or pivot their product so that it truly addresses the core issues.

On the other hand, I get frustrated with vendors who succumb to trying to latch on to a minor detail and blow it out of proportion or, worse, resort to speaking ill of their competition. Statements like, “We see a lot of customers of vendor X come to us after two years, and now, with our product, they are happy,” should be banned from sales discussions and replaced with, “Vendor X? Yes! I hear that their product is really good and addresses a certain set of problems really well. I’d love to know what your threat model and priorities are to better understand whether it is X you should go with or maybe find a different set of solutions.”

And as much as innovative products sometimes need to educate the market (I’ve been there and am actively working with companies like that as well), most times, the reverse is what’s needed: truly understanding what the industry needs right now and providing true minimal viable products (MVPs) that solve these often basic problems. There’s money in solving seemingly simple issues, especially if they have been around for a long time and are considered “the norm” or something that people need to just accept as suboptimal.

Trust-Building For Security

This post was originally published on Forbes

Trust is a fickle thing. And, weirdly enough, the basic assumption of a lot of security practices seems to include a certain level of trust in users that is pretty hard to justify these days. This is why we see so many successful breaches that can be traced back to compromised accounts, default passwords and social engineering. One then asks, “How should I reduce or eliminate inherent trust from the equation?” Good question!

By rethinking trust in a modern environment, we can get to a stage where the starting point of any security-related decision (e.g., granting access, allowing/disallowing a certain action) is a state of no trust or zero trust. Before jumping into a marketplace where zero-trust solution providers will happily part you from a considerable chunk of your budget, let’s take a look at the core concepts of trust in our environments.

Our starting point, as I mentioned, should be that we do not trust anything: not users, networks, devices or even third parties. Building trust from this point on can be done by using elements that allow the organization to get to a place where a level of confidence is achieved. At this point, we can ensure that the decision around the action requested by the actor (user) can be backed with actual facts and in a way that’s relevant to the scenario in question.

Taking into account factors such as the user’s environment, credentials, secondary identification elements and behavioral history (to name a few) can build much better context for the decision of whether to grant the user a certain level of access, including for the specific action they are trying to perform (e.g., are they simply accessing their own files on a shared storage service, or are they trying to delete a table from a production database?). Being able to differentiate between actions also allows us to set a different threshold for the level of trust each one requires. In the traditional model, the rule is simple: if you have the right username and password, you’re in. No matter what you intend to do, if you have access to a system, you can fully utilize whatever roles and permissions you’ve been granted. In a trustless scenario, every action can be associated with a different level of trust.

Take a financial user for example. On a typical day, the user may be accessing transactional data, such as ledgers, payment processing and accounting. However, monthly or quarterly reporting (especially in public companies) requires a completely different set of activities and permissions. Why should these activities be constantly accessible to our user if they are only used once in a long period of time?

In a trustless world, our user will still have a defined relationship with said reporting functionality, but exercising it would be scrutinized both from a temporal perspective (“Is it the right time of the quarter?”) and on a trustworthiness level (“Can we accumulate enough evidence to ensure this is indeed the user in question?”). From the user’s perspective, the process is still pretty much the same. They may be required to present additional validation of their identity (responding to a multifactor authentication prompt), but the rest of the elements can be gathered and analyzed automatically (“Can we identify the device? Is it adequately patched/protected? Can we identify the environment?”).
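To make the per-action trust model above concrete, here is an added example (not code from the original post, and not Cimpress’s policy engine) of a small policy evaluator. It starts every request at zero trust, accumulates a score from the evidence the environment can gather (password, MFA, device identity and patch state, location, behavioral baseline), compares that score against a threshold that depends on the action rather than on the login, and adds a temporal check for quarterly reporting. All signal names, weights, thresholds, the reporting window and the sample requests are assumptions chosen for illustration; a real deployment would derive them from its own threat model.

```python
"""Context-aware, per-action trust evaluation (illustrative example only).

Assumptions: the signal names, weights, action thresholds, the "last two weeks
of a quarter" reporting window and the sample evidence below are all invented
for this example; they are not values from the original post or any product.
"""
from dataclasses import dataclass, field
from datetime import date

# Assumed evidence weights: how much confidence each observed signal adds.
# The total of all weights is 110, so an action with threshold 110 requires
# every signal to be present.
WEIGHTS = {
    "password_ok": 20,
    "mfa_ok": 30,
    "known_device": 20,
    "device_patched": 15,
    "known_location": 10,
    "behavior_normal": 15,
}

# Assumed per-action thresholds. Reading a ledger needs less evidence than
# filing a quarterly report, which needs less than dropping a production table.
ACTION_THRESHOLDS = {
    "read_ledger": 40,
    "process_payment": 70,
    "file_quarterly_report": 90,
    "drop_prod_table": 110,
}

# Assumed temporal constraint: quarterly reporting only makes sense in the
# last two weeks of a quarter-ending month.
QUARTER_END_MONTHS = {3, 6, 9, 12}


@dataclass
class AccessRequest:
    user: str
    action: str
    when: date
    evidence: dict  # signal name -> bool, as collected by the environment


@dataclass
class Decision:
    allowed: bool
    score: int
    threshold: int
    reasons: list = field(default_factory=list)


def trust_score(evidence: dict) -> int:
    """Accumulate trust from observed signals; unknown or absent signals add nothing."""
    return sum(w for sig, w in WEIGHTS.items() if evidence.get(sig))


def in_reporting_window(d: date) -> bool:
    """Assumed window: day 17 or later of a quarter-ending month."""
    return d.month in QUARTER_END_MONTHS and d.day >= 17


def evaluate(req: AccessRequest) -> Decision:
    """Start from zero trust; allow only when evidence clears the action's bar."""
    threshold = ACTION_THRESHOLDS.get(req.action)
    if threshold is None:
        # Unknown action: default deny rather than fall back to role membership.
        return Decision(False, 0, 0, ["unknown action: default deny"])
    score = trust_score(req.evidence)
    reasons = []
    if score < threshold:
        reasons.append(f"trust {score} below {threshold} for {req.action}")
    if req.action == "file_quarterly_report" and not in_reporting_window(req.when):
        reasons.append("outside quarterly reporting window")
    return Decision(not reasons, score, threshold, reasons)


def step_up_needed(req: AccessRequest) -> list:
    """Signals still missing that would lift the score to the action's threshold.

    Returns [] when the request already clears the bar; otherwise the
    highest-weight missing signals first (e.g. prompt for MFA before asking
    for anything else).
    """
    threshold = ACTION_THRESHOLDS.get(req.action)
    if threshold is None:
        return []
    score = trust_score(req.evidence)
    missing = sorted((s for s in WEIGHTS if not req.evidence.get(s)),
                     key=lambda s: WEIGHTS[s], reverse=True)
    needed = []
    for sig in missing:
        if score >= threshold:
            break
        needed.append(sig)
        score += WEIGHTS[sig]
    return needed


# Constructed sample: one finance user, same session evidence, different actions.
SAMPLE_EVIDENCE = {
    "password_ok": True, "mfa_ok": False, "known_device": True,
    "device_patched": True, "known_location": True, "behavior_normal": True,
}

if __name__ == "__main__":
    for action in ("read_ledger", "file_quarterly_report"):
        req = AccessRequest("finance-user", action, date(2021, 3, 20), SAMPLE_EVIDENCE)
        d = evaluate(req)
        print(action, "allowed" if d.allowed else "denied", d.score, d.threshold, d.reasons,
              "step-up:", step_up_needed(req))
```

With the sample evidence the user scores 80: enough to read the ledger, not enough to file the quarterly report, and `step_up_needed` tells the front end that a single MFA challenge closes the gap. The same user with MFA satisfied, but on a date outside the reporting window, is still denied, which is the point of tying the check to the action and its context rather than to the login.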

Through this simple process, we can significantly lower our attack surface, and even when users get compromised (and our working assumption is that every environment will get compromised), access to sensitive assets in our environment will be highly limited, and we will have better visibility into adversarial actions that cannot achieve our trust requirements.

I realize that the concept of throwing away any shred of initial trust may sound too harsh or counterproductive to some, but when you start to think about the kinds of environments we work in these days, the idea makes sense. I can tell you from personal experience that at my own company, we’ve gone through (and still make) significant changes in the way we perceive trust.

Our latest milestone in that journey has been to rid ourselves of the concept of the “enterprise network” as we all move to a guest network. The concept of providing an inherent trust value to simply be on a certain network doesn’t apply anymore to the majority of assets we access (this is, of course, in a scenario where most assets are cloud-based). This doesn’t mean that we are done with our trust journey: I keep finding myself questioning and challenging paradigms where inherent trust exists, and by going through a process of thinking on behalf of our customers, our businesses and, yes, shareholders, we keep simplifying the security approach to managing risk and keep ourselves nimble.

So here’s a quick takeaway for you: Look at the common ways in which users in your organization access assets. Now, figure out what trust assumptions are being made (implicitly and explicitly) through the process. Scrutinize each trust assumption, and ask yourself, “Should this be an explicit trust assertion that’s based on evidence relevant to this context?” Repeat periodically to make sure you are comfortable with the kinds of risks you are taking when leaving these implied trust assertions in place.