It’s easy to be cynical. If you want to look at the negative, things are bad. The economy isn’t great and in many parts of the world it is getting worse. Politics are divisive. The Earth is pushing back at 7.9 on the Richter scale, resulting in a generation of Japanese who may be glowing sooner rather than later. Why do we bother?

Security is a microcosm of that. It’s easy to descend into rage about pretty much everything. Budgets, users, senior management, auditors, regulations. I mean everything just sucks, right? I was at BSides Austin last week, and that was the undercurrent from folks at the con. I did my Happyness presentation and it went over pretty well. At least we could laugh at the folly of our situation. When I feel bad, I try to make fun of the situation. Right after I tear something into little pieces, that is. So that presentation is all about accepting our lot in life and learning to enjoy it.

They say it’s always darkest before the dawn. Despite my pessimistic view on the world, I’m trying to change – to be optimistic. We are seeing technology advance at an unprecedented pace. The world is a much smaller place with many of these new collaboration capabilities. I mean, a guy can make a living by blogging and tweeting from a coffee shop anywhere in the world. Really. I wonder what technology will look like when my kids enter the workforce in 12-15 years.

But in the end it’s about the people. It’s easy to be cynical on the other end of a Twitter client, or as a troll on a blog post. It’s easy to snipe from behind a TOR node. But when you actually spend time with people, you can get optimistic. I mean, look at the outpouring of help and gifts to Japan, and Haiti & Chile before that. And then there are the little things. This week I’m on the road and needed a quick dinner. So I stop into a Chipotle, because I’m a burrito junkie. I notice the woman ahead of me talking about not having any money with her and if they don’t take her coupon, she has to leave. I figure worst case, I’ll cover her burrito since that’s the right thing to do. But the guy at the register is way ahead of me and lets it go.

Turns out they did take her coupon and that entitled her to not just her meal, but 2 others. So she turns to me and the lady behind me and says she’s got it. Yeah, man, a free burrito. And that made me remember that one person can do an act of kindness at any time. Maybe it’s funding a Kiva loan. Maybe it’s volunteering at a local food bank or other worthy local organization. Maybe it’s tutoring/mentoring someone without the opportunities you had.

The real message of the Happyness pitch is that you have a choice. You can deal with everything either negatively or positively. Yes, it’s a struggle, because negativity is easier – at least for me, and probably for you too. But remember that every time you feel rage, you can turn that around. Do something nice instead of something mean. Novel idea, eh? Now I’ve got to practice what I preach. Talk is cheap and I’ve been talking a lot. Maybe I’ll head over to Chipotle and pay it forward. Maybe you should too.


Photo credits: “happy burrito” originally uploaded by akeg

Incite 4 U

  1. HP’s Strategy: cloudy and not so seamless: Apparently I drew the short straw and ended up attending HP’s annual analyst shindig. Being locked up in a room with 300 analysts is interesting, but let’s just say it’s good I don’t carry a weapon in CA. HP’s strategy is, amazingly enough, all about the cloud. Their tagline is “seamless, secure, and context-aware.” Hmmm. Security is perceived as important for cloud stuff, so I get that. I’ll even say that on paper HP’s security story is pretty good. But then I hit myself with the clue bat. This is a company that had very few security assets and capabilities – until a year ago they rapidly acquired TippingPoint, Fortify, and ArcSight. Now they claim to be a Top 5 security provider, which seems to involve creative accounting. I guess they sell a lot of secure PCs. As I’ve mentioned before, customers can’t implement a marketecture. They have years of integration work to do, and they need to have a larger presence on the endpoint and with network security products. An IPS is not a network security strategy. So HP will continue to buy stuff. They have to, but the issue is with making their products seamless. Right now it’s anything but. – MR
  2. Amazon drops the vBomb: As a loyal Amazon Web Services subscriber I received another morning email update. In my massively sleep-deprived state I figured it was merely another cool service like Elastic Beanstalk, but once the coffee kicked in my eyes popped wide open. AWS added a massive networking update that basically wipes out the divisions between VPC and public instances (if you want) and supports complex architectures such as a hybrid internal data center-to-VPC-to-Internet facing stack. Hoff, as usual, has a good take, and I’ll probably need to write it up for Securosis. After I rewrite significant chunks of the CCSK class. This update isn’t everything a large enterprise needs, but it’s a giant leap forward. Heck, we finally get outbound filtering! – RM
  3. Incentives: Tax incentives to promote cyber security? Apparently that’s the idea. But my question is why would voluntary participation be any better for security programs than mandatory compliance? I have two problems with opt-in programs. First, the level of effort is always less than or equal to the incentive, and half-assed, half-funded security programs don’t cut it. Second, the effort devolves into pure marketing to give the appearance of being secure. Think PCI compliance, but without the audit. Now couple that with complex stacks of software, and try figuring out who gets the incentive check, and under what circumstances. I understand that the tax carrot and the regulatory stick are the only two incentives our government has to fix a market that is otherwise uninterested in doing what is right. But in complex systems the buck has to stop with the people who own sensitive data, and that means regulation. – AL
  4. Botflation and other creative accounting gimmickry: It seems some folks are pulling botnet numbers out of their asses, which shouldn’t be surprising. It’s also another reason I’ve always scoffed at how folks count things out of their control (like sales numbers and market share), and (even better) how companies make real decisions, such as allocation of real money, based on numbers which basically flew out of some analyst’s butt. Do you care how many bots are out there? More than a million and less than a gazillion, right? Do you need more precision than that? If folks spent more time doing something productive, rather than making up numbers, imagine all the work we would get done! – MR
  5. Magic Number 9: Microsoft has officially released Internet Explorer 9. So… how many of you are still using IE6 on Windows XP? You may have noticed I seem to have a new anti-XP/ancient IE campaign. Considering the post-XP advances in OS and browser security, it astounds me when organizations don’t have a short-term migration plan in place to get up to Windows 7 and IE 8 or better. Yes, I fully understand the operational complexities of such a major migration, but if you can’t communicate to management the urgency and risk of relying on a completely impossible-to-secure platform, I suggest you consider night school. Some of you will lose the battle, but if you don’t recognize the problem you shouldn’t be in this business. – RM
  6. It only takes one: Jeremiah Grossman posted one of the key findings from his RSA presentation last week, and it’s the single slide in his deck I found most fascinating during the presentation: Most websites were exposed to at least one serious* vulnerability every day of 2010. A lot of development teams look at security metrics by what got fixed, rather than the “Window of Exposure”. Looking at how many days a web site was vulnerable to a serious issue is far more illustrative of the state of application security. If an attacker only needs a single serious vulnerability to get access to your systems, you left the door open more days than not. You guys in Retail … are you getting this? – AL
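To make the difference between the two metrics concrete, here is an added example (not from Grossman’s deck or WhiteHat’s data) that computes both for a constructed set of findings: the number of serious findings a team closed during the year, and the “Window of Exposure”, the number of days on which a site had at least one open serious finding. Site names, dates and severity labels are made up for illustration; overlapping findings are merged so a day is counted once, and a finding still open at year end counts through December 31.

```python
from datetime import date, timedelta

# Constructed sample findings, not real data:
# (site, severity, opened, closed or None if still open)
SAMPLE_VULNS = [
    ("shop.example", "serious", date(2010, 1, 5),   date(2010, 2, 20)),
    ("shop.example", "serious", date(2010, 2, 10),  date(2010, 3, 1)),    # overlaps the first one
    ("shop.example", "serious", date(2010, 11, 15), None),                # never fixed in 2010
    ("shop.example", "low",     date(2010, 1, 1),   date(2010, 12, 31)),  # not serious: ignored
    ("blog.example", "serious", date(2010, 6, 1),   date(2010, 6, 3)),
]


def exposed_days(vulns, year, serious_levels=("serious",)):
    """Days in `year` on which each site had at least one open serious finding.

    A finding is open on day d when opened <= d < closed (the fix day itself
    is not exposed). Days are collected in a set per site, so overlapping
    findings are merged and a day is counted once however many are open.
    """
    year_start, year_end = date(year, 1, 1), date(year, 12, 31)
    per_site = {}
    for site, severity, opened, closed in vulns:
        if severity not in serious_levels:
            continue
        first = max(opened, year_start)
        last = year_end if closed is None else min(closed - timedelta(days=1), year_end)
        days = per_site.setdefault(site, set())
        # range() is empty when the finding lies entirely outside the year
        for ordinal in range(first.toordinal(), last.toordinal() + 1):
            days.add(ordinal)
    return {site: len(days) for site, days in per_site.items()}


def fixes_closed(vulns, year, serious_levels=("serious",)):
    """The metric most teams report instead: serious findings closed during `year`."""
    per_site = {}
    for site, severity, opened, closed in vulns:
        if severity not in serious_levels or closed is None or closed.year != year:
            continue
        per_site[site] = per_site.get(site, 0) + 1
    return per_site


def exposure_report(vulns, year):
    """Put both views side by side: fixes, exposed days, and share of the year exposed."""
    days_in_year = (date(year, 12, 31) - date(year, 1, 1)).days + 1
    exposed = exposed_days(vulns, year)
    fixed = fixes_closed(vulns, year)
    return {
        site: {
            "fixed": fixed.get(site, 0),
            "exposed_days": days,
            "exposed_share": round(days / days_in_year, 3),
        }
        for site, days in exposed.items()
    }


if __name__ == "__main__":
    for site, row in exposure_report(SAMPLE_VULNS, 2010).items():
        print(f"{site}: fixed {row['fixed']}, exposed {row['exposed_days']} days "
              f"({row['exposed_share']:.1%} of the year)")
```

With the constructed data, shop.example closed two serious findings in 2010, which sounds fine until the exposure view shows it was open to at least one serious issue on 102 of 365 days, mostly because the third finding was never fixed. That unfixed item is invisible in a “what got fixed” count, which is exactly why the window metric is the more honest one.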
  7. Whitelisting is a niche, and that’s okay: So the Gartner Burton folks say whitelisting isn’t a replacement for AV. They are right, but for the wrong reasons. Yes, AWL is hard and can be management intensive – especially at enterprise scale. But that’s for folks who try to roll it everywhere for everything. First, until the regulations allow AWL to replace AV, it can’t happen. What the AWL companies are screwing up is trying to position themselves as a replacement for AV, since most users don’t need to be totally locked down. At least not all the time. So a typical user should have different (virtual) desktops, with different control sets, for different access needs. Something like VDI (desktop virtualization) allows you to use AV (it sucks, but it’s easy) in your general purpose v-desktop, and AWL in the v-desktop that accesses stuff that matters. And that will provide plenty of $$$ for the AWL vendors who can focus on it. – MR