Incite 10/20/2010: The Wrongness of Being Right

By Mike Rothman

One of my favorite sayings is “Don’t ask the question if you don’t want the answer.” Of course, when I say answer, what I really mean is opinion. It makes no difference what we are talking about, I probably have an opinion. In fact, a big part of my job is to have opinions and share them with however will listen (and even some who won’t). But to have opinions means you need to judge.

Now those are great words of advice... I like to think I have a finely tuned bullshit detector. I’ve been having vendors lie to me since I got into this business 18 years ago. A lot of end users can be delusional about their true situations as well. So that means I’m judging what’s happening around me at all times, and I tell then what I think. Even if they don’t want to hear my version of the truth. Sometimes I make snap judgements; other times I only take a position after considerable thought and research. I’m trying to determine if something is right or wrong, based on all the information I can gather at that point in time. But I have come to understand that right and wrong is nothing more than another opinion. What is right for you may be wrong for me. Or vice-versa. It took me a long long time to figure that out. Most folks still don’t get this.

I can recall when I was first exposed to the Myers-Briggs test, when I stumbled on a book that included i. Taking that test was very enlightening for me. Turns out I’m an INTJ, which means I build systems, can be blunt and socially awkward (go figure), and tend to judge everything. Folks like me make up about 1% of the population (though probably a bit higher in tech and in the executive suite). I knew I was different ever since my kindergarten teacher tried to hold me back in kindergarten (true story), but I never really understood why.

Even if you buy into the idea there are just 16 personality types, clearly there is a spectrum across each of the 4 characteristics. In my black/white world, there seems to be a lot of color. Who knew? This train of thought was triggered by a tweet by my pal Shack, basically calling BS on one guy’s piece on the value of not trying to be successful. That’s not how Dave rolls.

And that’s fine. Dave is one guy. The dude writing the post is another. What works for that guy clearly would n’t work for Dave. What works for me doesn’t work for you. But what we can’t do is judge it as right or wrong. It’s not my place to tell some guy he needs to strive for success. Nor is it my place to tell the Boss not to get upset about something someone said about something. I would like her not to get upset because when she’s upset it affects me, and it’s all about me. But if she decides to get upset, that’s what she thinks is the right thing to do.

To make this all high concept, a large part of our social problems boil down to one individual’s need to apply their own concept of right to another. Whether it’s religion or politics or parenting or values or anything, everyone thinks they are right. So they ridicule and persecute those who disagree. I’m all for intelligent discord, but at some point you realize you aren’t going to get to common ground. Not without firearms. Trying to shove your right into my backside won’t work very well.

The next time someone does something you think is just wrong, take a step back. Try to put yourself in their shoes and see if there is some way you can rationalize the fact they think it’s right. Maybe you can see it, maybe you can’t. But unless that decision puts you in danger, you just need to let it go. Right? Glad you decided to see it my way (the right way).

– Mike

Photo credits: “wrong way/right way” originally uploaded by undergroundbastard

Recent Securosis Posts

  1. Vaults within Vaults
  2. React Faster and Better: Introduction
  3. Monitoring Up the Stack series
    1. Platform Considerations
    2. Climbing the Stack
  4. Dead or Alive: Pen Testing

Incite 4 U

  1. Verify your plumbing (or end up in brown water) – Daniel Cox of BreakingPoint busts devices for a living. So it’s interesting to read some of his perspectives on what you need to know about your networking gear. Remember, no network, no applications. So if your network is brittle, then your business will be brittle. Spoken by a true plumber, no? There is good stuff there, like understanding what happens during a power cycle and the logging characteristics of the device. The one I like best is #5: Do Not Believe Your Vendor. That’s great advice for any type of purchase. The vendor’s job is to sell you. Your job is to solve a problem. Rarely the twain shall meet, so verify all claims. But only if you want to keep your job, because folks covered in the brown stuff tend to get jettisoned quickly. – MR

  2. It’s new, and it’s old – Adam Shostack’s post Re-architecting the Internet poses a valid question: if we were to build a new Internet from scratch, would it be more secure? I think I have argued both sides of the “need a new Internet” debate at one time or another. Now I am kind of non-plussed on the whole discussion because I believe there won’t be a new Internet, and there won’t be a single Internet. We need to change what we do, but we don’t need a new Internet to do it. There is no reason we cannot continue to use the physical Internet we have and just virtualize the presentation. Much as a virtual server will leverage whatever hardware it has to run different virtual machines, there is no reason we can’t have different virtual Internets running over the same physical infrastructure. We have learned from information centric security that we can encapsulate information into some container, the size of which varies according to the application environment. The playground we play in is defined virtually, and users enter through some application portal with whatever security credentials we care to define. Outside that playground, it’s just encrypted bits of data being routed along with the rest of normal Internet traffic. Of course, the more people you let into your virtual segment of the Internet, the less secure it will be. And just like Adam noted, you can still mess up the new security model, but damage won’t necessarily cascade to everyone’s version of the Internet – just those who screw up. – AL

  3. Ready for the virtual invasion? – If there is a bandwagon, the security marketeers must jump on it. It’s in every product marketing manager’s job description. Of course, the latest bandwagon is virtualization and cloud. The challenge is separating out the folks doing something interesting from those hopping on the bucking bronco. It seems McAfee is taking a different approach to running endpoint AV in virtual machines with their MOVE technology. They have built this not to totally consume 85% of the VM’s processing power and conceptually it’s pretty cool. I haven’t seen it, nor have we spoken to the technical guys to understand more about how it works. But it’s a cool concept. Then you have Fortinet launching a few virtual appliances. Ho hum. Not that they don’t have to do it, but it’s not like this is novel. Though it does give customers the ability to more flexibly provision perimeter protection, and that’s not a bad thing. – MR

  4. Jumpin’ Java threats – Holly Stewart of Microsoft posted Have you checked the Java, an interesting statistical look at the jump in Java exploit attempts over the last 3 quarters. While the malware has focused on three basic exploits, it’s amazing that the number of attacks dwarfed the attempts against PDF vulnerabilities by 10:1. An interesting trend attempting to take advantage of, what Holly aptly calls a blind spot in threat detection systems. We’ll continue to see attackers dig through code looking for more low hanging fruit on what I consider an under-hacked platform before they move on to the next sacrificial goat. You’re looking at one of the reasons we felt the Monitoring up the Stack series was important – to explain why looking at new data sources and leveraging multiple analysis techniques is key. I enjoyed the subtle twist at the end of her post, placing the burden of patching Java squarely at Oracle’s feet. Could a rash of security bugs help Oracle make a political decision to “Free Java”? – AL

  5. Critical infrastructure needs more secure software? Really? – In our Master of the Obvious piece this week, the NERC folks were beating the drum a few weeks back using Stuxnet in an attempt to create urgency for more secure software within critical infrastructure. I’m not disagreeing with the idea, but since lots of control systems are 15-20 years old, do you really think anyone is going to pay to update the software running on those boxes? The code was probably written in hieroglyphics. I should be so cynical (yeah, right), but secure software is a multi-year endeavor (maybe multi-century is more like it, considering their timescales). Won’t the Compliance God come riding in on its white horse to save the day? Just like PCI. Uh no, but you can learn a bit more about NERC CIP to understand that isn’t a panacea either. The real question is what tactically needs to happen to ensure the systems can defend against and recover from the next Stuxnet? Besides us all buying generators and then going all Mad Max on each other. – MR

  6. Get out of the excuses business – Chris Eng nails it here, calling on the carpet all the application developers complaining about how hard it is to get rid of XSS. Chris’s point is that getting rid of XSS isn’t hard (like slaying a dragon), but there are tons of vulnerabilities to stomp out – more like ants. It’s an effective analogy and he even mentions that there will be edge cases that are more akin to slaying the dragon, but they are the exception. It’s been years since I’ve coded much of anything (except some HTML), and Chris acknowledges he’s not a full-time coder either, but threw this thought bomb out there to spur some debate. So debate. What do you think, developers? Oh right, developers don’t read security blogs. They are too busy shipping crappy code. (No offense to any developers who do actually read security blogs. You are unique, but you already knew that.) – MR

  7. Step away from the keyboard… – Normally I’m above throwing mud at my analyst brethren, but I read this totally asinine piece on the Motley Fool and just had to link to it. If only so you can read it too and laugh. Evidently according to Rob Enderle, McAfee is kicking both Symantec and Cisco’s butts. Regardless of whether that is happening or not, it’s Enderle’s ‘reasoning’ that makes me chuckle. Evidently Symantec has all storage sales people who don’t know how to sell security. Hello, Mr. Enderle. It’s 2010, and if anything the SYMC folks can’t sell storage because that part of the business has been dragging them down for the past year. And evidently SideWinder (now called the Enterprise Firewall) is making inroads on Cisco. Uh huh. And in the best bit, Rob goes all thought leader. “Security is in the process of evolving from a reactive technology which, after seeing a threat, responds to it. To a proactive technology that anticipates threats and prepares defenses against them.” Really? Why anyone pays attention to this guy (on security, no less!) is beyond me. Get a frackin’ clue, dude… – MR

No Related Posts

Wait, a vendor trying to tell me not to trust what vendors say?!?!?

Take what Daniel Cox and Breaking Point are saying with a grain of salt. They’re in the business to sell boxes, too. Is anyone verifying/checking their box?

In particular, users should be aware of the limitations of their solution. The biggest problem I had was the fact that the traffic they generate, while leaps and bounds more realistic than their competitors in the network performance testing space, is not adequate to test real-world performance for all devices. Not all users deal with performance testing enough to understand some of those nuances, and might loose perspective with the huge reports generated.

As with all things in life, there’s not really a short-cut to make the hard decisions for you. Can you trust what the vendor says? Is what the vendor selling of value to your organization? Breaking Point and all performance testing vendors offer tools to assist in the evaluation, but at the end of the day, you’ll need talented individuals to understand and comprehend the situation to decide if it makes sense to go forward with any big-ticket purchases.

In fact, I would argue that all the extra information and capabilities offered by Breaking Point for testing puts more pressure on your vetting folks to be at the top of their game to truly make sense of any results when dealing with new DUTs. Performance testing isn’t a skill one picks up casually in an afternoon or two.

By Julie Starr

I have a crystal ball to sell someone. It sees the future and can predict threats and prepare defense for things that don’t exist yet. Really. Maybe skynet is being born right now in McAfee’s labs. “[Humans are threat. Locked out of all systems until eradicated.]”

That and I guess security has never been interested in preventing attacks until now, eh?

On a different note, I think I learned in high school to beware the kool-aid high after attending an event/conference/gathering. Someone else has not.

By LonerVamp

If you like to leave comments, and aren’t a spammer, register for the site and email us at and we’ll turn off moderation for your account.