I had one of those weird moments today where I found an unrelated part of my life unexpectedly influenced by my martial arts background.
I was asked to critique a research paper by someone I haven’t worked with before. Without going into details, this particular paper had a fatal flaw.
It opened with a negative position, then attempted to justify the positive. It started defensively, and in the process lent credence to the opposing view, as opposed to strengthening the author’s position. In other words, it started with, “here’s what you say about X, and why I think Y” as opposed to, “here is position Y, and why it is correct and X is wrong”.
In advising the author, I remembered a lesson I learned when I first started teaching martial arts (traditional taekwondo). I was giving a class on unarmed restraint techniques, which adapted some experiences in physical security to martial arts. They’re similar to police restraint techniques, but adjusted for not having a firearm (police techniques involve protecting the firearm so the bad guy can’t grab it while being restrained) or handcuffs. In the class were two of my instructors, helping me learn to teach. I started by saying something like, “I’m no expert”, and one of them walked off right then and there.
At a break he came back and asked if I knew why he had left. He told me to never start a lesson or debate by disqualifying myself as an authority. I essentially told the class they shouldn’t listen to me, because I didn’t know what the frack I was talking about. Self-deprecating humor, applied appropriately, is fine – but never start from a position of weakness. I was trying to be humble, but instead destroyed any reason someone would want to learn from me.
Over time I expanded this lesson to “Never start with a negative when your goal is to prove a positive.” Essentially, that places the opposing view ahead of yours and forces you into a defensive position. If I’m writing research to show the value of DLP, I sure as heck better not start it with all the criticisms against DLP.
It’s kind of like a fight. If you allow the opponent to control the ring and dictate the pace, your odds of winning are much lower. You can never win on defense alone.
One important corollary is that you also shouldn’t expect someone to agree with your position based on your credentials alone. I get seriously annoyed by other analysts/pundits who make pronouncements, yet never back them with evidence. Start from a position of strength (assuming you are the expert), but also lead the reader, with evidence and logic, to reach your conclusions for themselves.
Most black belts are crappy martial artists and teachers… if their techniques suck, find another one. Respect still needs to be earned.
Enough with the preachy stuff…
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Adrian’s Dark Reading article on What IBM’s Acquisition of Guardium Really Means.
- Rich was quoted on Scottrade regarding Rapid7.
- Adrian was quoted by Information Security Magazine, PC Magazine, The Boston Globe, Network World, and Dark Reading on IBM’s acquisition of Guardium.
- Rich was picked up a bunch on the Bit.ly security additions, including this mention at eWeek.
- Episode 175 of The Network Security Podcast.
Favorite Securosis Posts
- Rich: Adrian on Top Questions Regarding Guardium Acquisition
- Adrian: Rich’s post on Coming Soon: Bit.ly Adding Real Time Security Scanning for All Links.
- Mort: Quick Thoughts on the Point of Sale Security Fail Lawsuit
- Meier: Quick Thoughts on the Point of Sale Security Fail Lawsuit – I’ve personally found a few PoS with card readers wide open at Mom ‘n’ Pop shops.
Other Securosis Posts
- Sign Up To Drop Comment Moderation
- Cloud Risk Thoughts: Deciding What, When, and How to Move to the Cloud
- Serious Flaw in Clientless SSL VPNs & Clientless SSL VPN Redux
- Christmas Wish
- Guardium Acquired by IBM
- We Give Thanks
- M86 Acquires Finjan
- Microsoft IE Issues Reported
- Health Net Asked to Explain Disclosure Delay
Project Quant for Databases:
- Project Quant: Database Security Planning, Part 2 (part 3)
- Project Quant: Database Security Planning (part 2)
- Project Quant: Database Security Process Framework (part 1)
Favorite Outside Posts
- Rich: What the Black Screen of Death Story Says About Journalism. Serious fail on the part of PrevX – they should be ashamed, and have just destroyed any reason for people to trust them.
- Adrian: It’s Homeric in length for a blog post, but Hoff’s post The Cloud in Context is a great overview of Cloud computing.
- Mort: Real Security Is Threat-Centric. Not seeing this change anytime soon, alas.
- Meier: Used ATM Machines for sale on Craigslist. My new weekend hobby!
- Pepper: Recommendation: Disable Invisible Flash. Flash cookies are evil.
- Rich #2: This is a must-read article on how few breaches really get reported. The winning quote: “Of the thousands of cases that we’ve investigated, the public knows about a handful,” said Shawn Henry, assistant director for the Federal Bureau of Investigation’s Cyber Division. “There are million-dollar cases that nobody knows about.”
Top News and Posts
- Researcher busts into Twitter via SSL reneg hole And they said it couldn’t be done!
- 79 million records exposed in government breaches.
- We were named one of the top analyst blogs.
- Two security tools for analyzing relationships in social networks.
- More on the Rybolov Information Security Management Model.
- Layer8: BSOFH: the roar of the packets, the smell of the cloud.
- True stupidity: woman calls in a fake bomb threat to delay a plane. From the TSA blog.
- Ray Wagner from Gartner on personal security at work.
- Hackers attempt to take $1.3M from small business account. If you are in security, and don’t understand the ACH system, it’s time to educate yourself.
- Users aren’t the weakest link if your security sucks.
- Cool password research from Microsoft.
Blog Comment of the Week
This week’s best comment comes from David in response to Quick Thoughts on the Point of Sale Security Fail Lawsuit (there were a TON of good comments in this thread, including some from Anton Chuvakin):
With the Radiant POS Lawsuit one wonders if a Micros POS suit will follow? As a QIRA forensics investigator, I saw a 10 to 1 compromise rate of Micros over Radiant systems. Micros REM had such bad stretch of PCI failures.