Incite 5/19/2010: Benefits of Bribery

By Mike Rothman

Don’t blink – you might miss it. No I’m not talking about my prowess in the bedroom, but the school year. It’s hard to believe, but Friday is the last day of school here in Atlanta. What the hell? It feels like a few weeks ago we put the twins’ name tags on, and put them on the bus for their first day of kindergarten.

Just take it... The end of school also means it’s summertime. Maybe not officially, but it’s starting to feel that way. I do love the summer. The kids do as well, and what’s not to love? Especially if you are my kids. There is the upcoming Disney trip, the week at the beach, the 5-6 weeks of assorted summer camp(s), and lots of fun activities with Mom. Yeah, they’ve got it rough.

Yet we still face the challenge of keeping the kids grounded when they are faced with a life of relative abundance. Don’t get me wrong, I know how fortunate I am to be able to provide my kids with such rich experiences as they grow up. But XX1 got our goats over the weekend, when one of her friends got an iPod touch for her birthday. Of course, her reaction was “Why can’t I have an iPod touch, all my friends have them?”

Thankfully the Boss was there, as I doubt I would have responded well to that line of questioning. She calmly told XX1 that with an attitude like that, she’ll be lucky if we don’t take away all her toys. And that she needs to be grateful for what she has, not focused on what she doesn’t.

To be clear, not all of her friends have iPod touches. She is prone to exaggeration, like her Dad. What she doesn’t know is our plan to give her a hand-me-down iPhone once we upgrade this summer. (Of course I’m upgrading, come on, now!) I think we need to tie it to some kind of achievement. Maybe if she works hard on her school exercises over the summer. Or is nice to her sister (yes, that is a problem). Or whatever kind of behavior we want to incent at any given time. There’s nothing like having a big anchor over her head to drag out every time she misbehaves. That’s right, it’s a bribe.

I’m sure there are better ways than bribery to get the kids to do what we want. I’m just not sure what they are, and nothing we’ve tried seems to work like putting that old carrot out there and waiting for Pavlov to work his magic.

– Mike.

Photo credits: “Unplug for safety” originally uploaded by mag3737

Incite 4 U

  1. Where is the Blog Love? – I’m going to break the rules and link to one of my own posts. On Monday I called out the decline of blogging. Basically, people have either moved to Twitter or left the community discussion completely. Twitter is great, but it can’t replace a good blog war. In response, Andy the IT Guy, DanO, and LoverVamp jumped back on the scene. These are 3 sites I used to read every day (and still do, when they are updated) and maybe we can start rebuilding the community. Why is that important? Because blogs provide a more nuanced, permanent archive of knowledge with more reasoned debate than Twitter, however wonderful, can sustain. – RM

  2. Critical Infrastructure Condition Critical – We all take uninterrupted power for granted. Yet, we security folks understand how vulnerable the critical infrastructure is to cyber-attacks. Dark Reading has an interesting interview with Joe Weiss, who has written a book about how screwed we are. A lot of the discussions sound very similar to every other industry that requires the regulatory fist of God to come crashing down before they fix anything. And NERC CIP is only a start, since it exempts the stuff that is really interesting, like networks and the actual control systems. Unfortunately it will take a massive outage caused by an attack to change anything. But we all know that because we’ve seen this movie before. – MR

  3. Desktop, The Way You Want It – I am a big fan of desktop virtualization, and I am surprised it has gotten such limited traction. I think people view it ass backwards. The label “dumb terminal” is in the back of people’s minds, and that is not a progressive model. But desktop virtualization is much, much more than a refresh of the dumb terminal model. The ability to contain the work environment in a virtual server makes things a heck of a lot easier for IT, and benefits the employee, who can access a fully functional desktop from anywhere inside – and possibly outside – the company. Citrix giving each employee $2,100 to buy their own computer for work is a very smart idea. The benefits to Citrix are numerous. Every employee gets to pick the computer they want, for better or worse, and they are now invested in their choice, rather than considering a work laptop to be a disposable loaner. The work environment is kept safe in a virtual container, and employees still get fully mobile computing. Every user becomes a tester for the company’s desktop virtualization environment, bringing diverse environments under the microscope. And it shows how they can blend work and home environments, without compromising one for the other. This is a good move and makes sense for SMB and enterprise computing environments. – AL

  4. Security 5.0 – HTML5 is coming down the pipe, and Veracode has some great advice on what to keep an eye on from a security perspective. Not to show my age, but I remember hand-coding sites in HTML v1, and how exciting it was when things like JavaScript started appearing. Any time we have one of these major transitions we see security issues crop up, and as you start leveraging all the new goodness it never hurts to start looking at security early in the process. Odds are your developers are already using bits and pieces of it anyway… especially if they are coding for the iPhone/iPad. – RM

  5. DPI Behind the Scenes – I eyed Will Gragido’s post about deep packet inspection (DPI) as a next generation technology with bemusement. First because I hate the term next generation. But Will kind of misses the point here. Folks are resistant to new technology, but they are not resistant to solving their problems. DPI is not a product you buy, but a way to solve a number of problems – ranging from security enforcement, to network performance management, to content inspection. Who cares if anyone resists a particular name? They are not resistant to understanding what is happening on their networks, so they need some form of DPI. Just don’t call it DPI and we’ll be all good. – MR

  6. Cyber-Security and National Policy – Dan Geer does it again: Cybersecurity and National Policy. As usual from Dan, this is (to say the least) dense, and covers a broad range of topics. One favorite is: “To this extent, security becomes a subset of reliability in that an insecure system will not be reliable, but a reliable system is not necessarily secure.” Bonus: this fuels the rumor that Hoff is in fact Dan in disguise. – DMort

  7. Employees Look out for #1? Really? – The jackass survey of the week award goes to Trend Micro, who actually published the stunning fact that Employees Put Personal Security, Interests Above Company’s. And Dark Reading actually went with the story. Given the loyalty that most companies show their employees nowadays, why is this a surprise? Even better, 1 in 10 users go around corporate security to access restricted websites. Really, truly? All I can say is I hope they didn’t pay a lot for that survey. – MR

  8. Auditor School – Are you an auditor? Do you deal with auditors? How about “assessors” – you know, auditors who don’t want the title, because they think it’s not nice – or because it creates too much legal liability? If so, this post at Layer8 is mandatory reading. Shrdlu (who, as an end user, has to deal with them all the time) presents an open letter to auditors that should be part of every engagement. The audit process is bad enough without someone calling for last-minute meetings without a defined agenda, or blasting out random emails instead of structured documentation. Auditors are just as fallible as the rest of us, and setting expectations early can sure ease the process. – RM

  9. Back-Handed Compliments – Over on the CSO Online site, Bill Brenner posted an opinion piece on Rugged software. He makes a comparison between the data security features in the Oracle database, and software development principles that have yet to be fully defined. WTF? “Unbreakable” was marketing run amok, with product function falling far short of claims, giving Oracle a long lasting black eye. Bill is relating the two concepts, saying he is more comfortable with Rugged, as it implies “… a toughness that’s a lot better than what came before.” That is a little like saying Rugged doesn’t suck as much. Saying “Your new car is better than a Yugo,” is not a compliment. Of course “… rugged isn’t something you can contain in a box” is a correct statement. That’s because there is nothing to put in the box! Not yet anyway. Look, I admire what Josh Corman is doing over at 451 Group with Rugged. It’s the right idea. The real question is: What are the next steps to make Rugged more tangible? Pragmatic, actionable advice and recommended techniques are in order, as this conceptual blob tries to morph into a useful approach. Bill’s getting the word out about Rugged, but frankly, the community is still on the fence, and will remain that way until there is something of substance for us to chew on. Comparing a bad marketing idea with Rugged principles achieves little more than kicking Oracle for a decade-old mistake. If we want to do something useful, let’s talk about how MS SDL is or is not Rugged, or contrast Rugged concepts with BSIMM. Those discussions would be much more interesting! But that sends chills down developers’ spines. The problem is that many in the secure code movement have trepidations about saying anything bad about any secure code practices, as the ideas are just now gaining momentum. But we have to go there at some point to make Rugged real. – AL

  10. Do They Have a Class for Common Sense? – Raf hits the nail on the head here, giving some career advice to security folks. The reality is that security is much less of a technical discipline than any other IT function. Sure, there is some level of kung fu that you need to get things done, but ultimately it’s about people. Security folks have to convince IT peers that security is important, and employees not to do stupid things. Many of these tactics depend on a level of business savvy and understanding of how to get things done in their specific organizations. As Raf says: “There is a distinct lack of the analytical mind, business-level understanding and even worse …common sense.” Unfortunately those aren’t skills you can teach – not in a SANS class, anyway. So we’ll end up with a glut of adequate technical folks and a distinct lack of leaders. Which makes us like every other technical discipline, I guess. – MR


Haha! LoverVamp? I don’t think I’ve been called that since humiliating some folks on Quake 1 servers back in the day. I admit, though, my favorite was “LavaLamp.”

@AL I somewhat agree with the desktop virtualization thoughts. For people whose systems don’t need a lot of fancy changes constantly (i.e. non-admins), VDI is an amazing no-brainer once you get technicians to start learning how to support them. For those of us who tend to run at work as local admin for various reasons, that can be a different story. But even converting 50% of an install base can be a huge benefit!

The caveat, of course, goes back to our pendulum of change. Early on we had centralized mainframes, then discrete personal computers, and now back to centralized control? I really do expect that if VDI catches on wider, we’ll just go back to people clamoring for discrete systems in 10 years… That or it won’t matter because the “OS and all the apps are in the cloud” or other such dreams.

By LonerVamp

Interesting blog on incenting your daughter with an iPhone “bribe.” Time magazine recently published an article on the same topic. Their conclusion: sometimes it works. In any case, it’s interesting reading.,8599,1978589-1,00.html

By Thom VanHorn, Application Security, Inc.
