Last week I was invited to speak at Kennesaw State University’s annual cybersecurity awareness day. They didn’t really give me much direction on the topic, so I decided to give my Happyness presentation. I figured there would be students and other employees who could benefit from my journey from total grump to fairly infrequent grump, and a lot of the stuff I’ve learned along the way.
One of my key lessons is to accept the way I am and stop trying to be someone else. Despite my public persona I like (some) people. Just not many, and in limited doses. I value and need my solitary time and I have designed a lifestyle to embrace that. I say what I think, and know I can be blunt. Don’t ask me a question if you don’t want the answer. Sure, I have mellowed over the years, but ultimately I am who I am, and my core personality traits are unlikely to change.
The other thing I have realized is the importance of managing expectations. For example, I was at SecTor CA a few weeks back, and at the beginning of my presentation on Cloud Security (WMV file), I mentioned the Internet with a snarky, “You know, the place where pr0n is.” (h/t to Rich – it’s his deck). There was a woman sitting literally in the front row who blurted out, “That’s totally inappropriate.” I immediately stopped my pitch, because this was a curious comment.
I asked the woman what she meant. She responded that she didn’t think it was appropriate to mention pr0n on a slide in a conference presentation. Yeah, I guess she doesn’t get to many conferences. But it wasn’t something I was going to gloss over. So I responded: “Oh you think so, then this may not be the session for you.” Yes, I really said that, much to the enjoyment of everyone else in the room. I figured given the rest of the content and my presentation style that this wasn’t going to end well. There was no reason for her to spend an hour and be disappointed. To her credit, she got up and found another session, which was the best outcome for both of us.
Earlier in my career, I would have let it go. I would probably have adapted my style a bit to be less, uh, offensive. I would have gotten the session done, but it wouldn’t have been my best effort. Now I just don’t worry about it. If you don’t like my style, leave. If you don’t think I know what I’m talking about, leave. If you don’t like my blog posts, don’t read them. It’s all good. I’m not going to feel bad about who I am.
That philosophy comes directly from Steve Jobs: “Your time is limited, so don’t waste it living someone else’s life.” I have got lots of problems, but trying to be someone else isn’t one of them. For that I’m grateful. So just be yourself, not who they want you to be. That’s the only path to make those fleeting moments of happiness less fleeting.
Photo credits: “Just be Yourself” originally uploaded by Akami
Incite 4 U
- Keeping tabs on theNurse: I know Brad “theNurse” Smith isn’t familiar to most of you, but if you have been to a major security conference, odds are you have seen him and perhaps met him. I first met Brad 5+ years ago when we worked as Black Hat room proctors together, and have since seen him all over the place. Last week Brad suffered a serious stroke while delivering a presentation at the Hacker Halted conference in Miami, and he still hasn’t regained consciousness. You can get updates on Brad over at the social-engineer.org site, and can leave donations if you want. Maybe I’m identifying a bit too much after my recent health scare on the road, but we feel terrible for Brad and his wife and all of us at Securosis wish them the best. We are also putting our money where our mouths are, and directing (and increasing) our Friday Summary donation his way this week. – RM
- The weakest link? Your people… I just love stories of social engineering. Yes, there are some very elegant technical attacks, but they seem so much harder than just asking for access to the stuff you need. Like a wiring closet or conference room. Why pick the lock on the door when they’ll just open it when you knock? Kai Axford had a great video (WMV) of actually putting his own box into a pen test client’s wiring closet – with help from the network admin – in his SecTor CA presentation. And NetworkWorld has a good story on social engineering, including elegant use of a tape measure. But it’s not like we haven’t seen this stuff before. On my golf trip, we stumbled across Beverly Hills Cop on a movie channel and Axel Foley is one of the best social engineers out there. – MR
- Token gesture: 403 Labs QSA and PCI columnist Walt Conway noted a major change to the PCI Special Interest Groups (SIGs) this year. The “participating organizations” – a group comprised mostly of the merchants who are part of the PCI Council – will get the deciding vote on which SIGs get to provide the PCI Council advice. Yes, they get a vote on what topics get the option of community guidance. The SIGs do a lot of the discovery and planning work that goes into the guidance ultimately published by the PCI Council – end-to-end encryption is one example. Unless, of course, someone like Visa objects to the SIG’s guidance, in which case the PCI Council squashes it like a bug – as they did with tokenization. This olive branch is nice, but it’s a token, minuscule gesture. – AL
- Job #1: Keep head attached to body: I joke a lot during presentations about the importance of a public execution when an employee violates Internet usage policies. It sends a very clear message about what behavior is acceptable and its consequences. Many organized crime factions have a similar approach, with slightly more permanent consequences. So when the Anonymous folks target a drug cartel, I’m pretty sure it won’t end well. I get that pimply-faced kids and other malcontents looking to occupy pretty much anything feel invincible in a large group or behind a Tor node, but let’s keep in mind that law enforcement finds these folks. And then they have to work through the justice system (with poor results thus far). Let’s just say the cartels have a different idea of due process. But hey, Darwin was right. And it may take a beheading or two for this generation to adapt. – MR
- On the next episode of CSI: Miami… Anything that does anything contains a microprocessor. Looking around my office, I can’t see a single mechanical object (other than my chair) that doesn’t have some level of processing capacity. Heck, the last time I had my refrigerator repaired it was due to a faulty motherboard. I’m not complaining – I love technology – but think about the situation for a moment. Web sites are one of the single most attacked assets out there, yet we still struggle to have web programmers prioritize security. Do you think all the engineers and hardware designers have even the slightest idea how hackers will muck with their products? Take insulin pumps – some of which use radio frequencies for management. And, as Barnaby Jack just demonstrated, they are subject to remote hacking that could lead to fatality. This is just the beginning, folks… now excuse me while I go lobotomize my children’s toys. – RM
- Security Spotlights: Trash: Mike’s post on conspiracy theories and security research and Rich’s on how regular folks see security offer two perspectives on the ongoing over-sensationalistic coverage of breaches by media outlets. The non-journalists desperate to gain attention with news items of little substance dominate the news, which is a key point Rich & Mike both make. One security-related event was Google’s announcement that they paid $26k to external researchers for finding 15 bugs. That’s positive news on a relatively new approach to making code more secure, but it got stuffed into the eReader trash bin while people wondered about Duqu and Mac malware. Reading about breaches and fake anti-virus is a little like eating Cheetos and watching cartoons all day – it was easy and you easily killed several hours, but you are no wiser for it. – AL
- Facebook (in)security? See for yourself: It’s easy to beat up on Facebook and Google and pretty much every other social application because privacy is contrary to their mission. There is a direct negative correlation between privacy and prosperity for these companies. The more information you share, the better it is for them (and their main revenue source, advertisers). Besides some highly publicized screwups, you have to give Facebook some props for their incremental march to better security. All their controls have been listed in this infographic (h/t to the ZDNet Friending Facebook blog). There are security controls for every aspect of your interaction with the site, from login to logout, and even when you are offline. From geographic anomaly detection, to tracking spammy behavior, to clickjacking protection, and link analysis. Is it perfect? Of course not – nothing is. But this is a great example of a company patting themselves on the back and marketing security – they know nobody else is going to thank Facebook for the attacks they successfully prevent. – MR