Incite 11/17/2010: Hitting for Average
We all need some way to measure ourselves. Are we doing better? Worse? Are we winning or losing? What game are we playing again? It’s all about this mentality of needing to beat the average. I hate it. What is average anyway? We took the kids in for their well checkups over the past week. XX1 is average. Hovering around 50% in height and weight. XX2 is pretty close to average as well. But the Boy is small. Relative to what? Other kids just turning 7? Why do I care again? Will the girlies not dig him if he’s not average? We see the same crap in our jobs. Everyone loves a benchmark, so they can spin the numbers to make themselves look good. In security we have very few quantitative ways to measure ourselves, so not many know if they are, in fact, average. Personally I don’t care if I’m average. I don’t care if I’m exceptional because I don’t know what that means. I did well on standardized tests growing up, but what did that prove? That I could take a test? Am I better now because I was above the arbitrary average then? Will that help me fight a bear? Right, probably not. I’d rather we all focus on learning what we need to. I don’t know what that means either, but it seems like a better goal than trying to beat the average. You see, I need to learn patience. So I guess I can’t be above average all the time because I’ve got to get comfortable waiting for whatever it is I’m waiting for. Which is maybe to be above average in something. Anything. So what do you tell your kids? It’s a tough world out there and beating the average means something to most people. They’ll compete with people their entire lives. As long as they choose to play that game, that is. I tell them to do their best. Whatever that means. That goes for you too. Even if your best is below the arbitrary average, as long as you know you did your best, it’s OK. Regardless of what anyone else says. Now a corollary to that is the scourge of delusion. You really need to do your best. Far too many folks accept mediocrity because they fool themselves into thinking they did try hard. I’m not talking about that. Only you know if you really tried or whether you mailed it in. And learn from every experience. That will allow you to do a little more or better the next time. Sure it’s scary and squishy to stop competing and let go over the scorecard. But if you are constantly grumpy and disappointed in yourself and everyone around you, maybe give it a try. You’ve got nothing to lose, except perhaps that perforated ulcer. Photo credits: “Not Your Average Joe’s” originally uploaded by bon_here Incite 4 U Rich is playing in the clouds (at the Cloud Security Summit) this week, he’s MIA. I’m sure he’s holding bar court in Orlando, debating the merits of the uncertainty principle and whether Arrogant Bastard Ale was really named after him. Holy backwards looking indicators, Batman! – It must be that time of year, where Symantec (formerly PGP) pays Larry Ponemon lots of shekels to run a survey telling us how encryption use is skyrocketing. Ah, thanks, Captain Obvious. Evidently 84% of nearly 1,000 companies are using some form of encryption. Wonder if they counted SSL? 62% use file server crypto, 59% full disk encryption, and 57% use database encryption. The numbers are the numbers, but that seems low for FDE use and high for DBMS encryption. But most interestingly, nearly 70% said compliance was the main driver for crypto deployment. That was the first time compliance was the main driver? Really? Not sure what planet the respondents of previous surveys inhabitat, but on Planet Securosis compliance has been driving crypto since, well, since Top Secret ruled the world. You think companies actually want to be secure? Come on now, that’s ridiculous. It isn’t until the audit deficiency is documented that there is any urgency for crypto. Or you lose a laptop and then your CEO has to fall on his/her disclosure sword. Wonder if that was one of the choices… – MR More secure, or passing the security buck? – Banking applications on cell phones seem to be a hit with customers. This type of service really makes sense for banks as it greatly reduces their customer service costs, and allows the bank to provide more easy-to-use services to the customer, enhancing their impression of the bank. Are you worried about security? From the customer’s standpoint, the security of their account(s) is probably better in the short term, if for no other reason mobile phone-based attacks are not as prevalent as web-based attacks. But from the bank’s perspective, this is a big win! All they need to do is worry about the security of their app. The cell providers and the phone platform providers inherit the rest of the burden! In the event a compromise happens, now there are three possible parties who could be responsible, any of which can accuse the other players of failing to do their job on security. In the confusion the customer will be left holding the (empty) bag. It will be interesting to see how this shakes out, as you know black hats are looking into War Driving, the cellular version. – AL We aren’t in the excuses business, Mr. Non-SSL web site – I’m not a big fan of excuses, just ask my kids. So it’s infuriating to see apologists still out there trying to rationalize why a lot of websites don’t go all SSL. Like the folks at Zscaler in their “Why the web has not switched to SSL-only yet? post. Sorry, with the exception of one issue, that’s all crap. Server overhead? Hogwash. Gmail proved that’s a load of the brown stuff. Increased latency? Where? Crap. How SSL impacts content delivery networks (mostly in terms of certificate integrity) is