One of my favorite passages in literature is when Douglas Adams proclaims the Ultimate Answer to the Ultimate Question of Life, The Universe, and Everything to be 42 in Hitchhiker’s Guide to the Galaxy. Of course, we don’t know the Ultimate Question. Details. This week I plan to discover he was right as I finish my 42nd year on the planet. That seems old. It’s a big number. But I don’t feel old. In fact, I feel like a big kid. Sometimes I look at my own kids and my house and snicker a bit. Can you believe they’ve entrusted any responsibility to me? These kids think I actually know something? Ha, that’s a laugher…
Since I’m trying not to look forward and plan, I figure I should look backward and try to appreciate the journey. As I look back, I can kind of break things up into a couple different phases. My childhood was marked by anger. Yeah, I know you are shocked. But I took everything bad that happened personally, and as a result, I was a pretty angry kid.
College was a blur. I know I drank a lot of beer. I think I studied a bit. When I graduated I entered the unbreakable phase. Right, like the Oracle database. I could do little wrong. I had a pretty quick progression through the corporate ranks. In hindsight it was too quick. I didn’t screw anything up, so I felt invincible. I also didn’t learn a hell of a lot, but thought I did. Sound familiar? Then I started a software company in 1998 to chase the Internet bubble IPO money. I learned pretty quickly that I wasn’t invincible, as I heard the sound of $30 million of someone else’s money being flushed down the toilet. Crash. Big time.
Then I entered the striving stage throughout my 30’s. Striving for more and never being satisfied. From there I proceeded to jump from job to job every 15 months, chasing some shiny object and trying to catch the brass ring. Again, that didn’t work out too well and I found myself getting angry again. Then I started Incite and was a lot happier. I managed to remember what I liked to do and then start to address some of my deeply buried issues. No, I’m not going to bare my soul like Bill Brenner, but we all have demons to face and at that point I started facing my own.
I took a detour back into the vendor world for 15 months, and then sold Rich and Adrian a bill of goods to let me hang my shingle at Securosis. 10 months in, I’m having the time of my life. I’m thinking this is the contented phase. I’ve been working hard, at everything. Physically, I’m in the best shape I’ve been in since my early 20’s. Mentally I’m making progress, working to accept what’s happening and stop looking forward at the expense of being present. I’m happy with what I do and what I have. My family loves me and I love them. What else does a guy need?
I’m still fighting demons, and I probably always will. The hope is that my epic battles will be fewer and farther between over time. I’m still screwing things up, and I’ll probably always do that too. That’s an entrepreneur’s curse. I’m also learning new things almost every day, and when that stops it’s time to move on to the Great Unknown.
As I look back, I figured out what my Ultimate Question is: “When do you realize it’s a game and you should enjoy the ride, both the ups and the downs?” Right. For me, the answer is 42.
Photo credits: “42” originally uploaded by cszar
Recent Securosis Posts
- Friday Summary: September 30, 2010
- Monitoring up the Stack:
- Understanding and Selecting a DLP Solution
- NSO Quant Posts
Incite 4 U
- Get on the (security incident) cycle – Good summary here by Lenny Zeltser covering a presentation from our hero Richard Bejtlich about how he’s built the Incident Response team at GE to deal with things like well-funded patient attackers (note I didn’t use the a(blank)t acronym). Of course there will always be failures, but the question is about organizational commitment to detecting adversaries and putting the right capabilities in place to protect your organization. And to look at security as a process and – dare I say it – a lifecycle. That means you need to focus on all aspects – before, during, and after the attack. Amazingly enough, Rich and I are starting another blog series on exactly this topic in about a week. – MR
- Save the children… with robots – The state of technology education in this country is simply embarrassing. Everyone talks about how kids use a mouse before they can read, but how many of them understand how a computer works? You’d think today’s teenagers would know a hard drive from RAM, but not if they rely on their (standard) school to teach them. However, they are pretty good at putting cats in PowerPoints. Our friend Chris Hoff is trying to change this with a hacking conference dedicated to kids… called, appropriately enough, HacKid. It’s an amazing idea, with everything from Lego robots to online safety covered, and if you have kids of the right age, or just want to support it, I highly recommend attending or getting involved. – RM
- No trust for you! – Despite being a big fan of monitoring technologies, I thought the Trust No One, Monitor Everything position was a bit over the top. The “monitor everything” approach fails for exactly the same reasons “encrypt everything” fails: a single technology cannot solve every problem. Monitoring is just another security tool, and before you try to saw wood with a hammer, remember attacks that bypass WAF, IDS, App Monitoring, and DAM are well documented. Don’t get me wrong – we should incorporate this approach as much as possible considering we trust far too much stuff right now. But that’s because the Internet is based on an academic model of trust everything and log nothing important. Adopting a Zero Trust model means not browsing the Internet – the web sites you visit trust people you never would, and they treat your web browser like a public restroom on the information superhighway. Zero Trust means you don’t accept email from the hot chick you met last night because she’s not on your white list. Zero Trust means Grandma is to be considered a hacker until proven otherwise. Kind of difficult to expand your horizons that way. And feel free to monitor everything, but see if you can come up with rules that differentiate good behavior from bad. – AL
- Monitor Everything (even if Adrian hates it) – So I was planning to discuss Forrester’s Zero Trust thing, but Adrian beat me to it and once again shows his disdain for monitoring everything. First off, Zero Trust is nothing new. Remember back just two years ago (I know you can), we called that the insider threat and a new category of technology emerged to try to combat this threat. Actually, it was more like trying to spin an existing product into this new category – marketers have been known to do that. I believe you should monitor as much as you can. But collecting every packet that traverses your network (even the ones from Grandma) is probably too much, so you need to consider the point of diminishing returns for monitoring. But most folks don’t monitor much at all, so I’ll keep pushing for monitoring everything, knowing that this is effectively a push for more folks to monitor something. And if that means you need to package it up as Zero Trust, I’m okay with that too. – MR
- Reputation is finally ubiquitous – The Big Yellow has been busy, evidently getting ready for their annual user conference, in Spain no less. Sounds like a boondoggle to me. First off they showed off a new logo. Which looks amazingly like the VeriSign check in a yellow circle. To call it awful is being nice. Very nice. Of course, those jokers on Twitter instantly cracked about how SYMC is putting the check in checkbox compliance. LMAO. But they also talked about their new Ubiquity technology, which is basically a fancy name for reputation. It’s good to see Symantec closing the gap with the other anti-malware vendors to what? Maybe two years? But it’s the right thing to do for now. It’s still not enough to save the blacklist approach, but might give them a few more quarters of being able to milk the (cash) cow. – MR
- Tomato, Tomaeto – Android apps caught covertly sending GPS data to advertisers. The only shock here would be software that didn’t spy on you. I mean, isn’t that why Google is creating the Android platform? To broaden their ability to monitor activity and collect data to more effectively sell advertising? Heck, most attackers are just building on top of the ‘clever’ techniques pioneered by web intelligence firms for their marketing and merchant applications over the last decade. Cookies, iFrames, scripting … ask yourself, honestly, why that stuff was created. Am I the only one who thought the name Android was a euphemism for an advanced botnet? Isn’t it a little odd to complain that Android apps are “surreptitiously transmitting the user’s phone number …”, GPS coordinates, and other sensitive information when The Google will be using those same hooks to collect the same data from Android platforms? – AL
- Oracle bets on authentication – Oracle is at it again. Buying yet another security technology mostly likely never to be heard from again. They acquired PassLogix, which does authentication/SSO stuff. The deal actually makes sense because Oracle already OEMed the technology, and it’s a logical extension of their identity management technology. PassLogix is one of the authentication companies that have been around seemingly forever (like Arcot, recently bought by CA) and now they get an exit. It does beg the question: why now? And what about the others, like Courion? But again, this is just more evidence that security is not a standalone business long-term, but will gradually get lost within some kind of middleware thing. A Fusion of sorts… – MR
- 5 problems with security SaaS. Oy. – One of the issues with new technology is overlapping and confusing vernacular. So I see this article on 5 problems with SaaS security and I’m not sure if they are talking about SaaS, PaaS, IaaS, or (blah)aaS. Things like identity is weak in the cloud. Well, let me tell you, identity management not in the cloud is weak too. Other issues include the lack of standards and security by obscurity. Blah blah blah. It’s a new technology, there aren’t going to be standards. And since when do any markets wait for standards? Right, never. Here’s the deal. The cloud (whatever that means) is going to happen. So our choice is whether we (as security folks) start working with the teams internally which are thinking cloudy thoughts and figuring out how to at least get them thinking about security, or give up. Because if we don’t engage and start figuring this stuff out (maybe even influencing it to become a bit more secure over time), we don’t have a fighting chance. – MR