By Mike Rothman

I was in the car the other day with my oldest daughter. She’s 9 (going on 15, but that’s another story) and blurted out: “Dad, I don’t want to go to Georgia Tech.” Huh? Now she is the princess of non-sequiturs, but even this one was surprising to me. Not only does she have an educational plan (at 9), but she knows that GA Tech is not part of it.

Mr. Bartender, take away my pain...

So I figured I’d play along. First off, I studied to be an engineer. So I wasn’t sure if she was poking at me, or what the deal was. Second, her stance towards a state school is problematic because GA residents can go to a state school tuition-free, thanks to the magic of the Hope Scholarship, funded by people who don’t understand statistics – I mean the GA Lottery. Next I figured she was going to blurt out something about going to MIT or Harvard, and I saw my retirement fund dwindle to nothing. Looks like I’ll be eating Beef-a-Roni in my twilight years.

But it wasn’t that. She then went on to explain that one of her friends made the point that GA Tech teaches engineering and she didn’t want to be an engineer. Now things were coming more into focus for me. I then asked why she didn’t want to be an engineer. Right, it’s more about the friend’s opinions than about what she wants. Good, she is still 9.

I then proceeded to go through all the reasons that being an engineer could be an interesting career choice, especially for someone who likes math, and that GA Tech would be a great choice, even if she didn’t end up being an engineer. It wasn’t about pushing her to one school or another – it was about making sure she kept an open mind.

I take that part of parenting pretty seriously. Peer and family pressure is a funny thing. I thought I wanted to be a doctor growing up. I’m not sure whether medicine actually interested me, or whether I just knew that culturally that was expected. I did know being a lawyer was out of the question. (Yes, that was a zinger directed at all my lawyer friends.) Ultimately I studied engineering and then got into computers way back when. I haven’t looked back since.

Which is really the point. I’m not sure what any of my kids’ competencies and passions will be. Neither do they. But it’s my job (working with The Boss) to make sure they get exposed to all sorts of things, keep an open mind, and hopefully find their paths.

– Mike

Photo credit: “Open Minds” originally uploaded by gellenburg

Incite 4 U

Things are a little slow on the blog this week. Rich, Adrian, and I are sequestered plotting world domination. Actually, we are finalizing our research agendas & upcoming reports, and starting work on a new video initiative. Thus I’m handling the Incite today, so Adrian and Rich can pay attention to our clients. Toward the end of the week, we’ll also start posting a “Securosis Guide to RSAC 2010” here, to give those of you attending the conference a good idea of what’s going to be hot, and what to look for.

I also want to throw a grenade at our fellow bloggers. Candidly, most of you security bloggy types have been on an extended vacation. Yes, you are the suxor. We talked about doing the Incite twice a week, but truth be told, there just isn’t enough interesting content to link to.

Yes, we know many of you are enamored with Twitter and spend most of your days there. But it’s hard to dig into a discussion in 140 characters. And our collective ADD kicked in, so we got tired of blogging after a couple years. But keep in mind it’s the community interaction that makes all the difference. So get off your respective asses and start blogging again. We need some link fodder.

  1. Baiting the Risk Modeling Crowd – Given my general frustration with the state of security metrics and risk quantification, I couldn’t pass up the opportunity to link to a good old-fashioned beat down from Richard Bejtlich and Tim Mullen discussing risk quantification. Evidently some windbag puffed his chest out with all sorts of risk quantification buffoonery and Tim (and then Richard) jumped on. They are trying to organize a public debate in the near future, and I want a front row seat. If only to shovel some dirt on the risk quantification model. Gunnar weighed in on the topic as well. – MR

  2. Meaningful or Accurate: Pick One – I like Matthew Rosenquist’s attempts to put security advice in a fortune cookie, and this month’s is “Metrics show the Relevance of Security.” Then Matthew describes how immature metrics are at this point, and how companies face an awful decision: using meaningful or accurate metrics, but you only get to pick one. The root of the issue is “The industry has not settled on provable and reliable methodologies which scale with any confidence.” I know a lot of folks are working on this, and the hope is for progress in the near term. – MR

  3. Wither virtual network appliances? – Exhibit #1 of someone who now seems to think in 140 characters is Chris Hoff. But every so often he does blog (or record a funny song) and I want to give him some positive feedback, so maybe he blogs some more. In this post, Chris talks about the issues of network virtual appliances – clearly they are not ready for prime time, and a lot of work needs to be done to get them there, especially if the intent is to run them in the cloud. Truth be told, I still don’t ‘get’ the cloud, but that’s why I hang out with Rich. He gets it and at some point will school me. – MR

  4. Getting to the CORE of Metasploit – Normally vendor announcements aren’t interesting (so $vendor, stop asking if we are going to cover your crappy 1.8 release on the blog), but every so often you look at one, and figure “I can work with that.” In a nutshell, CORE Security is moving toward interoperability with the open source pen testing tool Metasploit (which was acquired by Rapid7 late last year). This takes a page from Microsoft’s “Embrace and Extend” playbook. CORE isn’t fighting Metasploit, although it’s competition. Instead they’re embracing the fact that a lot of folks use it to get started with pen testing tools and extending it with their commercial-grade technology. Just as I beat down crappy marketing, we need to applaud a good strategic move for CORE. – MR

  5. Who’s the dope now? – So evidently Floyd Landis doesn’t give up easily. To be a world class cyclist means he’s persistent and will work through the pain. So I guess we shouldn’t be overly surprised that he (or his peeps) hired a hacker to compromise the testing lab where his allegedly doped blood sample results were stored. If he’s willing to cheat to win in the first place, why wouldn’t he bend the rules to make test results disappear? I guess from a security professional’s standpoint, we’ve hit the big time. Folks have been using cyber-attacks for espionage purposes for years. But now it’s on the front page of the newspaper. Cool. – MR

  6. It’s not about the money… – Toward the end of last year, I was including a more career-centric link in each Incite to get you all thinking. This post on Don Dodge’s blog is a good thought generator. He asks: What do Mark Cuban, Dan Farber, Steve Ballmer, and Mary Jo Foley all have in common? Not to spoil the fun, but the answer is they love what they do. Two folks on that list are billionaires, yet they still work hard. Why? Would you even work if you had that much money? If what you did every day didn’t feel like work, you probably would. And that’s something I keep having to learn the hard way by going back into corporate jobs every couple years. – MR

If you enjoyed Don Dodge’s post, read Daniel H. Pink’s “Drive: The Surprising Truth About What Motivates Us” (Dec 2009). 20 pages in, it was already the most important book I read in the past year. Almost done with it, and it’s in my top 3 list for most important books read in the past 10 years. In a nutshell the answer is autonomy, mastery and purpose. Great insight into each one of them within the book.

By Chris Carpinello

I like that, love what you do. Not just what you do, but do something you’d do even if you didn’t need to do it (i.e. you had money).

I’m going to add this to a mental inspirational list along with the likes of, “successful people aren’t cynics, they tend to be happy, upbeat, active people.”

By LonerVamp

Interesting comments on risk modeling and quantification all around. While I agree that the equation presented is ridiculous, it doesn’t change the fact that there needs to be a basis for prioritizing and triaging security events. Perhaps within the realm of threat analysis, it becomes a joke because of all the unseens and unknowns, but I think there is value in terms of a response model, especially for all the infosec teams under duress from information overload.

I do agree that the slugfest with money on the line is absolutely hilarious. If nothing else, there’s some definite entertainment value there.

By hb

A. I’m good for a round of trading punches with risk modeling.
B. See my blog post on your SearchSecurity article

You’re welcome to respond.

Take care ...Danny

By Danny Lieberman

