We all need some way to measure ourselves. Are we doing better? Worse? Are we winning or losing? What game are we playing again? It’s all about this mentality of needing to beat the average.

Now that’s not your average Joe, it’s much better... I hate it. What is average anyway? We took the kids in for their well checkups over the past week. XX1 is average. Hovering around 50% in height and weight. XX2 is pretty close to average as well. But the Boy is small. Relative to what? Other kids just turning 7? Why do I care again? Will the girlies not dig him if he’s not average?

We see the same crap in our jobs. Everyone loves a benchmark, so they can spin the numbers to make themselves look good. In security we have very few quantitative ways to measure ourselves, so not many know if they are, in fact, average. Personally I don’t care if I’m average. I don’t care if I’m exceptional because I don’t know what that means. I did well on standardized tests growing up, but what did that prove? That I could take a test? Am I better now because I was above the arbitrary average then? Will that help me fight a bear? Right, probably not.

I’d rather we all focus on learning what we need to. I don’t know what that means either, but it seems like a better goal than trying to beat the average. You see, I need to learn patience. So I guess I can’t be above average all the time because I’ve got to get comfortable waiting for whatever it is I’m waiting for. Which is maybe to be above average in something. Anything.

So what do you tell your kids? It’s a tough world out there and beating the average means something to most people. They’ll compete with people their entire lives. As long as they choose to play that game, that is. I tell them to do their best. Whatever that means. That goes for you too. Even if your best is below the arbitrary average, as long as you know you did your best, it’s OK. Regardless of what anyone else says.

Now a corollary to that is the scourge of delusion. You really need to do your best. Far too many folks accept mediocrity because they fool themselves into thinking they did try hard. I’m not talking about that. Only you know if you really tried or whether you mailed it in.

And learn from every experience. That will allow you to do a little more or better the next time. Sure it’s scary and squishy to stop competing and let go of the scorecard. But if you are constantly grumpy and disappointed in yourself and everyone around you, maybe give it a try. You’ve got nothing to lose, except perhaps that perforated ulcer.

Photo credits: “Not Your Average Joe’s” originally uploaded by bon_here

Incite 4 U

Rich is playing in the clouds (at the Cloud Security Summit) this week, so he’s MIA. I’m sure he’s holding bar court in Orlando, debating the merits of the uncertainty principle and whether Arrogant Bastard Ale was really named after him.

  1. Holy backwards looking indicators, Batman! – It must be that time of year, where Symantec (formerly PGP) pays Larry Ponemon lots of shekels to run a survey telling us how encryption use is skyrocketing. Ah, thanks, Captain Obvious. Evidently 84% of nearly 1,000 companies are using some form of encryption. Wonder if they counted SSL? 62% use file server crypto, 59% full disk encryption, and 57% use database encryption. The numbers are the numbers, but that seems low for FDE use and high for DBMS encryption. But most interestingly, nearly 70% said compliance was the main driver for crypto deployment. That was the first time compliance was the main driver? Really? Not sure what planet the respondents of previous surveys inhabit, but on Planet Securosis compliance has been driving crypto since, well, since Top Secret ruled the world. You think companies actually want to be secure? Come on now, that’s ridiculous. It isn’t until the audit deficiency is documented that there is any urgency for crypto. Or you lose a laptop and then your CEO has to fall on his/her disclosure sword. Wonder if that was one of the choices… – MR
  2. More secure, or passing the security buck? – Banking applications on cell phones seem to be a hit with customers. This type of service really makes sense for banks as it greatly reduces their customer service costs, and allows the bank to provide more easy-to-use services to the customer, enhancing their impression of the bank. Are you worried about security? From the customer’s standpoint, the security of their account(s) is probably better in the short term, if for no other reason than that mobile phone-based attacks are not as prevalent as web-based attacks. But from the bank’s perspective, this is a big win! All they need to do is worry about the security of their app. The cell providers and the phone platform providers inherit the rest of the burden! In the event a compromise happens, now there are three possible parties who could be responsible, any of which can accuse the other players of failing to do their job on security. In the confusion the customer will be left holding the (empty) bag. It will be interesting to see how this shakes out, as you know black hats are looking into War Driving, the cellular version. – AL
  3. We aren’t in the excuses business, Mr. Non-SSL web site – I’m not a big fan of excuses, just ask my kids. So it’s infuriating to see apologists still out there trying to rationalize why a lot of websites don’t go all SSL. Like the folks at Zscaler in their “Why the web has not switched to SSL-only yet?” post. Sorry, with the exception of one issue, that’s all crap. Server overhead? Hogwash. Gmail proved that’s a load of the brown stuff. Increased latency? Where? Crap. How SSL impacts content delivery networks (mostly in terms of certificate integrity) is a bit of a mystery to me, but I’ve got to imagine that Akamai has figured this out. Scary security warnings? What is this, 2003? More crap. Sorry, these are just excuses. If a website collects private information it should use SSL everywhere. Is it a panacea? Of course not, but it eliminates another low hanging fruit, and sorry, it’s just not that hard, even at large scale. – MR
  4. Danger, Mac Users! Danger, Danger! – New worm, same FUD. A/V vendors are once again trotting out the oldest of their dogs and ponies for display: Fear, Uncertainty, and Doubt. Despite being long in the tooth and suffering from periodontal disease, these old warhorses are always front and center whenever we see a new worm or piece of malware, as is the case with the Boonana variant of Koobface on the loose. This time it’s the whole gang, including SophosLabs, ESET, Panda, and the rest of the herd of vendors, all trying to make sure Mac users understand that we’re not ‘invulnerable’, there is risk on the horizon, and just you wait – the day hackers will come to get us is not far off. Then you’ll be sorry! Of course, that implies that some A/V product would actually detect and stop the malware. And that A/V would be the right way to stop attacks or malware, as opposed to stuff like safe browsing practices, or use of NoScript and Flashblock, or diligent OS patches, or how about simply not using Flash or JavaScript? Better yet, if you can put up with the occasional annoyance, application whitelisting and reverse firewalls like Little Snitch. Those work too! And for those of you who missed it, McAfee offers their usual provocative ad campaign: Focused, Unwavering, Dedicated. At least they’re honest about it. – AL
  5. What’s that smell? Oh crap, seems my ass is on fire… – This one is hard to believe, but it seems that this week’s Timing is Everything award goes to Trend Micro, who this week released a Stuxnet detection tool. Just in time, I might add. OK, snark aside, if any organization that runs Siemens control systems has not looked in every nook and cranny of their networks for Stuxnet, they should literally be drawn and quartered. But as a friend reminded me during a meeting today, we live in a sound bite nation. And the press loves sound bites, so this is just another way to crank the PR machine. Career-wise, the only thing I’m more thankful for than Rich returning my call when I became a free agent is that I don’t have to play the slimy, soul sucking, cringe inducing, and scrotum constricting game of security marketing. And yes, Rich, you owe me $10, because I was able to use ‘scrotum’ in an Incite – twice. – MR