Incite 5/11/2011: Generalists and Specialists
By Mike Rothman
Looking back over 30+ years, I realize my athletic career peaked at 10. I played First Base on the Monsey Orioles (“Minor League”). Our team was stacked, and we won the championship. I kept playing baseball for a few more years but my teams never made it to the championship, and when the bases moved out to 90 feet my lead feet became the beginning of the end. But it’s okay – I was pretty good with computers and in chess club too. Yep, I was fitted for my tool belt pretty early.
When I grew up, you played baseball in the spring. Maybe soccer or football in the fall (and yes, I know they are the same thing outside the US). Some kids also played basketball or hockey over the winter. But now the choices are endless. The new new thing is lacrosse. It seems very cool and is clearly competing with baseball for today’s kids. But the variety is endless.
I live in the South, where you can play tennis 10 months a year, and many kids do. My girls dance. There are martial arts and gymnastics. Some kids pick up golf early too. The Boss and I have tough decisions to make every year, because the kids literally don’t have time to do even a fraction of what is available.
But this begs the question: generalist or specialist. Some kids play travel baseball. They don’t have time to do much else, so they (or their parents) decide to specialize on one sport. The twins are 7, so we don’t have to push them one way or the other quite yet, but our 10-year-old seems to love dance. She had better, because two days a week and showcases cost a fortune, and don’t leave much time for her to do anything else (while still doing well in school). At some point the kids have to choose, don’t they?
Maybe yes, maybe no. The genetic reality is that none of my offspring are likely to play professional sports. I can’t categorically rule it out, nor will I do anything to discourage their dreams. It’s cute to see the boy talk about being a football player when he’s big. But the realist in me says the odds are long. Aren’t they better off becoming well-rounded athletes, able to compete in multiple endeavors, rather than just focusing on one skill? To me it all comes down to passion.
If the kids are so passionate about one activity that they have no interest in anything else, I’m good with that. On the other hand, if they can’t make up their minds, they can dabble. They are young. It’s fine. They’ll need to understand that dabbling won’t make them exceptional in any one activity – at least according to Malcolm ‘Outliers’ Gladwell – but that’s okay. As long as they learn the game(s), understand how to contribute to a team, be good sports, and grok the importance of practice, it’s all good. We don’t choose their paths. We just expose them to lots of different options, and see which appeal to them.
Do you see where I’m going with this? Many folks feel they need to choose between being a generalist or a specialist in their careers. For us security folks, it means being a jack of all trades, or a master of one. Odds are, given the complexity of today’s IT environment, you can’t be both. There is no right or wrong answer. Sure it’s a generalization, but specialists tend to work in big companies or consulting firms. Generalists are more common in smaller companies, where everyone needs to wear many hats.
The worst thing you can do (for your career and your happiness) is not choose. Don’t hate the job you just fell into, with no idea why you’re there or what’s wrong. If some of your tasks make you nuts, you should at least a) know why and b) have chosen that role and those tasks. But the only way to find the role for you is to try both ways. Like we’re doing with the kids – they can try lots of things and eventually they may choose one. Or not. Either way, they’ll each choose their own path, which is the point.
Photo credits: “Blocway Paving Specialist Van” originally uploaded by Ruddington Photos
Incite 4 U
How many SkypeOut minutes can you buy for $8.5 billion? That’s right, sports fans, Microsoft is buying Skype for $8.5B (yes, billion). For a long time we security folks didn’t quite get Skype, so we tried to block it. Then it showed up on mobile devices, and that basically went out the window. The simple fact is that many companies harness cheap telecom to communicate more effectively throughout their far-flung empires. Given Skype’s inevitable integration into all things Microsoft, for those of you who haven’t figured out this VoIP thing, the time is now. Like anything else, it’s about doing the work. You know: model the threats of letting certain folks use Skype. Understand the risk, and then make a decision. With a couple hundred million users, you’d think Skype was already mass market. But I suspect you ain’t seen nothing yet. So dust off that policy manual and figure out whether you want/need/can afford to enforce/constrain Skype, and how. – MR
Ask me nice: George Hulme’s recent post on Making An Application Security Program Succeed raised a couple of good points, but reminded me of another angle as well. Rafal Los points out that secure code development is not part of the everyday development job, and developers trail IT management in preparedness and understanding. Gunnar reminds us that we need to keep expectations in check – a secure SDLC is new to development organizations, and your best bet is to pick one or two simple goals to get things started. My point is that if you’re not a developer, you’re an outsider. An outsider telling developers how to do their job is doomed – they’ll find a dozen ways to ignore your invalid input. My teams never had the luxury of having dedicated security staff – instead we had consultants. The consultants who met with us face to face, and told developers how they would attack the system before it was coded, had success. The ones who emailed security “to do” lists and checked in libraries of code for selected operations, but were not on site, failed. Success was tied to how they worked with the development team and made coders aware of the challenges. It’s an educational opportunity, and lets developers figure out how to fix the code rather than receiving orders on what to do. – AL
Arms dealers or blackmailers? A French security firm has discovered a two-step process for bypassing Google Chrome’s sandbox and Windows 7 anti-exploitation protections (ASLR). Okay, we get it, research happens and it’s important for flaws like this to be discovered and fixed. Except these folks (VUPEN Security) are only releasing the details to their government customers for “offensive and defensive security”. In other words, these profiteering assholes would rather make a buck and feed the rest of us to the dogs. I have a hell of a lot of respect for security researchers, and although I don’t always agree with their disclosure tactics, at least most of the folks I know try to put the good of the community first. I have no respect for anyone who puts their own ego or wallet ahead of our safety. And let’s be honest – if they were real government contractors they wouldn’t be bragging about their exploits. These dudes just want some work and the bucks, and are happy to run us over in the process. Asshats. – RM
Hoffa’s body found in the cloud: Okay, not really. But when I saw the headline, Did cloud computing help catch Osama Bin Laden? I ROFLed. The article goes on to describe how the US intelligence communities are using cloud computing (whatever that means), to collaborate better, which may have resulted in helping to pinpoint the whereabouts of our now-dead Public Enemy #1. But that’s the funny thing – the cloud didn’t do jack. It’s not like the three-letter agencies didn’t have technology to collaborate before, they just didn’t do it. Is the cloud facilitating this? Hardly. But in the brazen search for page views, the tech media will continue to find ways to ascribe pretty much everything to the wonders of the cloud. I hear Sasquatch is spinning up AMIs as we speak. And Nessie has found Loch Ness cold and clammy, so she is migrating to the cloud as well. Seriously… – MR
Furniture weasels: Atlanta-based PC rental firm Aaron’s Inc. is being sued for spying on their customers through rented computers. Turns out they’re apparently installing spyware on their computers before renting them out and using it to secretly take photos of customers. Similar to last year’s case of a Philadelphia school district conducting surveillance on its students, at least a handful of Aaron’s computers have been used to photograph customers – apparently to verify the computers were still in the customers’ possession when payments were missed. Am I bothered by the invasion of privacy? Absolutely. But those weasels have the FBI on them now. My question is: why do people blindly trust computers? You drag home an infected computer and you don’t wipe the hard drive? Even adopted kittens get shots and a flea bath. Maybe we need a public awareness campaign – something like “This is your computer. This is your computer on meth, with STDs and fleas”. – AL
Use it or lose it: Here’s a basic principle of both economics and psychology: all things being equal, we tend to take the path of least resistance. If something is hard to do and we don’t see the benefits, we normally look for an easier way. This is directly relevant to usability – the more usable something is (easier to navigate/operate), the greater the chance we’ll use it. The harder it is, the more likely we’ll look for alternatives. It’s about as basic as you get. But all too often in security we think users will find our arcane processes so valuable that they’ll take the harder path. Yeah, right. Adam Shostack has a great post on the SDL blog about NEAT (Necessary, Explained, Actionable, Tested) ways to build secure user interfaces. Aside from making sure what you’re doing is necessary, explained, and actionable, it’s also important to test the UI itself for both benign and malicious scenarios. I think these efforts will have far more impact in the long term than any technical security controls. Build it in and make it easy. – RM
Vertical is a misnomer: Forrester’s John Kindervag put forth a very interesting thought balloon, trying to figure out what vertical markets mean nowadays. I’m a bit pissed off that I didn’t think of this – he is spot on. We used to think about markets based on industries and maybe sizes of companies. At least thinking about security, and the fact that compliance funds pretty much everything we do, we need to start with regulatory mandates. That is more of a “digital vertical”, and the place to start defining requirements and priorities. That would make PCI the biggest ‘industry’ the security market targets. It’s pretty rare to come across a company that doesn’t have at least some PCI exposure. HIPAA has similarly broad applicability. Which is kind of the way markets should be defined. Not by what your company does, but by the problems you have. Yes, they are intertwined, but given that checking the compliance box is Job #1 for many of us for the foreseeable future (regardless of our chagrin), markets really are segmented differently. – MR