Sometimes things don’t go your way. Maybe it’s a promotion you don’t get. Or a deal you don’t close. Or a part in the Nutcracker that goes to someone else. Whatever the situation, of course you’re disappointed. One of the Buddhist sayings I really appreciate is “suffering results from not getting what you want. Or from getting what you don’t want.” Substitute disappointment for suffering, and there you are. We have all been there. The real question is what you do next.

You have a choice. You can be pissy for days. You can hold onto your disappointment and make everyone else around you miserable. These people just can’t recover when something bad happens. They go into a funk for days, sometimes weeks. They fall and can’t seem to get up. They suck all the energy from a room, like a black hole. Even if you were in a good mood, these folks will put you in a bad mood. We all know folks like that.

Or you can let it go. I know, that’s a lot easier said than done. I try my best to process disappointment and move on within 24 hours. It’s something I picked up from the Falcons’ coach, Mike Smith. When they lose a game, they watch the tape, identify the issues to correct, and rue missed opportunity within 24 hours. Then they move on to the next opponent. I’m sure most teams think that way, and it makes sense.

But there are some folks who don’t seem to feel anything at all. They are made of Teflon and just let things totally roll off, without any emotion or reaction. I understand the need to have a short memory and to not get too high or too low. The extremes are hard to deal with over long periods of time. But to just flatline at all times seems joyless. There must be some middle ground.

I used to live at the extremes. I would get cranky and grumpy and basically be that guy in a funk for an extended period. I snapped at the Boss and kids. I checked my BlackBerry before bed to learn the latest thing I screwed up, just to make sure I felt bad about myself as I nodded off. That’s when I decided that I really shouldn’t work for other people any more – especially not in marketing. Of course I have a short-term memory issue, and I violated that rule once more before finally exorcising those demons once and for all.

But even in my idyllic situation at Securosis (well, most of the time) things don’t always go according to plan. But often they do – sometimes even better than planned. The good news is that I have gotten much better about rolling with it. I want to feel something, but not too much. I want to enjoy the little victories and move on from the periodic defeats. By allowing myself a fixed amount of time (24 hours) to process, I ensure I don’t go into the rat hole or take myself too seriously. And then I move on to the next thing.

I can only speak for myself, but being able to persevere through the lows, then getting back up and moving forward, allows me to appreciate all the great stuff in my life. And there is plenty of it.


Photo credits: 24 Hours Clock originally uploaded by httsan

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Building an Early Warning System

Implementing and Managing Patch and Configuration Management

New Papers

Incite 4 U

  1. Who sues the watchmen? Whenever you read about lawsuits, you need to take them with a grain of salt – especially here in the US. The courts are often used more as a negotiating tool to address wrongs, and frivolity should never be a surprise in a nation (world, actually) that actually thinks a relationship between two extremely wealthy children is newsworthy. That said, this lawsuit against Trustwave and others in South Carolina is one to watch closely. From the article it’s hard to tell whether the suit attacks the relationship between the company and lawmakers, or is more focused on negligence. Negligence in an area like security is very hard to prove, but anything can happen when the call goes to the jury. I can’t think of a case where a managed security provider was held liable for a breach, and both the nature and outcome of this case could have implications down the road. (As much as I like to pick on folks, I have no idea what occurred in this breach, and this could just be trolling for dollars or political gain). – RM
  2. What does sharing have to do with it? Congrats to our buddy Wade Baker, who was named one of Information Security’s 2012 Security 7 winners. Each winner gets to write a little ditty about something important to them, and Wade puts forth a well-reasoned pitch for more math and sharing in the practice of information security. Those aren’t foreign topics for folks familiar with our work, and we think Wade and his team at Verizon Business have done great work with the VERIS framework and the annual DBIR report. He sums up the challenges pretty effectively: “The problem with data sharing, however, is that it does not happen automatically. You hear a lot more people talking about it than actually doing it. Thus, while we may have the right prescription, it doesn’t appear that we’re consistently taking our meds.” He isolates the primary roadblocks as language, trust, and incentives. Wade is exactly right, and until we address these issues it will be hard to make progress. – MR
  3. I’m you because Skype says so: Dmitry Chestnykh has a very interesting post on Hacker News about how he discovered a flaw in the way Skype handles user identities and password resets – check out the comments for more. In a nutshell, he found that when someone else had created a new Skype account, they inadvertently used his email address. Using a newly created Skype name with the target’s email address, he is able to request a password reset token, sent by email and as a chat message to the new Skype account. He can reset other users’ passwords. If you read all the way through, the Skype Live Support agent reveals several design issues that need to be addressed at some point. Password reset procedures are difficult to get right. Here is a live example of how not to do it. – AL
  4. As opposed to “not fun stalking”: I never really understood this whole location thing. Folks check into places to save a buck? Or to have a location attached to a Tweet. I’m way too paranoid to want anyone to know where I am all the time. The best you’ll get from me is tweeting a picture from a ball game. Though it’s not like I don’t know that governments (yes, plural) are tracking all our movements through the magic of the GPS chips in our phones. And yes, I’m being fitted for my tinfoil hat at 2pm. Carnal0wnage’s geo-stalking exploits just make me happy my normal behavior is to hide. Don’t take it personally, but I’m not going to register on Find my Friends because if I wanted you to find me, I’d call. – MR
  5. If you can’t beat them: On the Android Police site, Google announced it was releasing its own payment card, which surprised me for a couple reasons. First, they seem dedicated to providing payment through their own Android platform. But merchant and customer adoption of mobile payments and digital wallets have both been slow. Second, a traditional mag-stripe payment card seems like a step backwards for security – they are already on Visa’s and MasterCard’s hit lists, and mag stripes have all but been abolished in the rest of the world. If mobile payment does not make serious progress in the next couple years, it’s a good bet that EMV will become reality in the US to help reduce fraud with payment cards. Finally, there is very little tie-in between mobile platforms and payment cards. Payment cards should probably be simply a stop-gap until virtual wallets gain some traction. The race between mobile payments and payment cards is far from over. – AL
  6. Red Cyberdawn: While Mike and Adrian have been hammering away, some of you may have noticed my blogging pace has slacked off this year, as I focused on some longer term projects. So I failed to highlight what may be the most ‘important’ breach of the year – the devastation of Saudi Aramco. The destruction of 30,000 systems in an energy provider is nothing to take lightly. I believe our intelligence agencies probably know what went on, but I don’t think the rest of us can assume we know anything close to the truth – the politics are too intense for the truth to come out unscathed. But it is plausible that Iran did this in response to Stuxnet. I believe the vast majority of what is written on cyberwarfare in public today is uninformed, hyperbolic, and unreasoned analysis. But we cannot ignore these incidents and shouldn’t downplay them. In light of the potential consequences, even glimpses of possible truth about these breaches demand our attention. – RM
  7. The slippery slope of retaliation: Krypt3ia’s post about Offensive Defense is thought-provoking, making the case that retaliation and preemptive strikes are a path to nowhere. Besides the challenges of accurate attribution, you need to deal with the murky ethics of descending to the same level as the adversary. Is the IP or customer data taken worth it? My Dad told me, “Mike, you only get one chance to compromise your integrity, so use it wisely.” He’s right. But we will see a lot more of this because we have got a lot of defense sector technology waiting to be commercialized, as a few wars wind down and the gravy train threatens to stop. These folks have offensive technologies, and they will try to convince you that it’s okay to use them. Then you get a choice about the kind of security practitioner and person you want to be. Choose wisely. – MR
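
For the password reset design problem in item 3, here is a simplified model of the weak flow beside a hardened one. It is an added example, not code from the original post or from Skype; the `ResetService` class, the account names and the `example.test` address are hypothetical, and the flow is a reading of the summary above rather than Skype's actual implementation.

```python
import secrets

class ResetService:
    """Toy account service (hypothetical; not Skype's code or API)."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.accounts = {}   # name -> {"email", "verified", "inbox"}
        self.mailbox = {}    # email address -> tokens sent by email
        self.tokens = {}     # token -> account names it may reset

    def register(self, name, email, verified=False):
        # Sign-up takes any address; "verified" means the owner clicked
        # a confirmation link that was mailed to it.
        self.accounts[name] = {"email": email, "verified": verified, "inbox": []}

    def request_reset(self, name):
        acct = self.accounts[name]
        token = secrets.token_urlsafe(16)
        if self.hardened:
            if not acct["verified"]:
                return False                      # no proof of mailbox ownership
            self.tokens[token] = {name}           # token resets this account only
        else:
            # Weak design: token is scoped to the address and also echoed
            # into the requesting account's in-app inbox.
            self.tokens[token] = {n for n, a in self.accounts.items()
                                  if a["email"] == acct["email"]}
            acct["inbox"].append(token)
        self.mailbox.setdefault(acct["email"], []).append(token)
        return True

    def can_reset(self, token, target):
        return target in self.tokens.get(token, set())


def second_account_can_reset_first(hardened):
    """True if a token shown in-app to a later account resets the original."""
    svc = ResetService(hardened)
    svc.register("alice", "alice@example.test", verified=True)   # constructed data
    svc.register("newcomer", "alice@example.test")   # same address, unverified
    svc.request_reset("newcomer")
    return any(svc.can_reset(t, "alice") for t in svc.accounts["newcomer"]["inbox"])


def owner_can_still_reset(hardened):
    svc = ResetService(hardened)
    svc.register("alice", "alice@example.test", verified=True)
    svc.request_reset("alice")
    return any(svc.can_reset(t, "alice") for t in svc.mailbox["alice@example.test"])
```

The hardened branch relies on two checks: the token is bound to one account rather than to an email address, and it is delivered only to a mailbox whose ownership was confirmed.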