Incite 3/31/2010: Attitude Is Everything
There are people who suck the air out of the room. You know them – they rarely have anything good to say. They are the ones always pointing out the problems. They are half-empty type folks. No matter what it is, it’s half-empty or even three-quarters empty.
The problem is that my tendency is to be one of those people.
I like to think it’s a personality thing. That I’m just wired to be cynical and that it makes me good at my job. I can point out the problems, and be somewhat constructive about how to solve them. But that’s a load of crap. For a long time I was angry and that made me cynical.
But I have nothing to be angry about. Sure I’ve gotten some bad breaks, but show me a person who hasn’t had things go south at one point or another. I’m a lucky guy. My family loves me. I have a great time at work. I have great friends. One of my crosses to bear is to just remember that – every day.
A good attitude is contagious. And so is a bad attitude. My first step is awareness. I make a conscious effort to be aware of the vibe folks are throwing. When I’m at a coffee shop, I’ll take a break and just try to figure out the tone of the room. I’ll focus on the folks in the room having fun, and try to feed off that. I also need to be aware when I need an attitude adjustment.
Another reason I’m really lucky is that I can choose who I’m around most of the time. I don’t have to sit in meetings with Mr. Wet Blanket. And if I’m doing a client engagement with someone with the wrong attitude, I just call them out on it. What do I care? I’m there to do a job and people with a bad attitude get in my way.
Most folks have to be more tactful, but that doesn’t mean you need to just take it. You are in control of your own attitude, which is contagious. Keep your attitude in a good place and those wet blankets have no choice but to dry up a little. And that’s what I’m talking about.
Photo credit: “Bad Attitude” originally uploaded by Andy Field
Incite 4 U
What’s that smell? Is it burnout? – Speaking of bad attitudes, one of the major contributors to a crappy outlook is burnout. This post by Dan Lohrmann deals with some of the causes and some tactics to deal with it. For me, the biggest issue is figuring out whether it’s a cyclical low, or it’s not going to get better. If it’s the former, appreciate that some days you feel like crap. Sometimes it’s a week, but it’ll pass. If it’s the latter start looking for another gig, since burnout can result from not being successful, and not having the opportunity to be successful. That doesn’t usually get better by sticking around. – MR
Screw the customers, save the shareholders – Despite their best attempts to prevent disclosure, it turns out that JC Penney was ‘Company A’ in the indictment against Alberto Gonzales that didn’t work for the Bush administration. Penney fought disclosure of their name tooth and nail, claiming it would cause “confusion and alarm” and “may discourage other victims of cyber-crimes to report the criminal activity or cooperate with enforcement officials for fear of the retribution and reputational damage.” In other words, forget about the customers who might have been harmed – we care about our bottom line. Didn’t they learn anything from TJX? It isn’t like disclosure will actually lose you customers, $202 per record and all be damned. – RM
Hard filters, injected – SQL injection remains a problem as the attacks are difficult to detect and can often be masked, and detection scripts can fooled by attackers gaming scanning techniques to find stealthy injection patterns. It seems like a fool’s errand, as you foil one attack and attackers just find some other syntax contortion that gets past your filter. Exploiting hard filtered SQL Injections is a great post on the difficulties of scanning SQL statements and how attackers work around defenses. It’s a little more technical, but it walks through various practical attacks, explaining the motivations behind attacks and plausible defenses. The evolution of this science is very interesting. – AL
The FTC can haz your crap seal – I ranted a few weeks ago about these web security seals, and the fact they some are bad jokes – just as a number of new vendors are rolling out their own shiny seals. Sure there seems to be a lot of money in it, but promoting a web security seal as a panacea for customer data protection could get you a visit from some nice folks at the Federal Trade Commission. Except they probably aren’t that nice, as they are shutting down those programs. Especially when the vendor didn’t even test the web site – methinks that’s a no-no. Maybe I should ask ControlScan about that – as RSnake points out, they settled with the FTC on deceptive security seals. As Barnum said, there is a sucker born every minute. – MR
The Google smells a bit (skip)fishy – Last week Google launched Skipfish. Even though I was on vacation I found a few minutes to download and try it out. From the Google documentation: “Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes … The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.” The tool is not bad, and it was pretty fast, but I certainly did not stress test it. But the question on my mind is ‘why’? And no, not “why would I use this tool”, but why would Google build and release such a tool? What problem does it solve for them, and what value does it provide to Google or the user community at large? My guess is that Google is building out a needed component to their web application development suite so developers can test code on their Android stack. And taking a page from the Oracle playbook in educating the masses on their product, the Summer of Code 2010 virally builds out a user base while evolving their products and visibility. I have been slow to realize competing with Apple app development is ancillary, and Google’s efforts are working towards creation of a new primary web development environment. – AL
Does compliance help security? – That’s the age old question, right? Are we more secure thanks to compliance, or less secure because it becomes the lowest common denominator? Mike Dahn has a pretty interesting analysis of some drivers of compliance, and applies things like traffic analysis and other modeling techniques in an attempt to figure out the impact of regulation by looking at other industries. He also makes some suggestions about what makes for effective regulation, and those are on point. IMO unless there is an economic benefit to doing something, it won’t happen unless it’s regulated. So without a regulatory driver, security won’t happen. So although I think most regulations are horribly imperfect, without them we’d be in far worse shape. – MR
The house always wins – Brian Krebs reports on yet another case of a small business losing major bucks in bank account fraud, and the bank telling them to suck up the losses. As usual, the bad guys probably nailed one of the office computers with Zeus or a similar trojan, giving them full credentials to the online banking account. In this case, losses were $200K and the bank refuses to cover the charges. With a personal account you get a full 2 days to detect and report the fraud, but on business accounts you’re out of luck. But hey, for that $200K they got a security token in the mail that probably won’t help. Might be time to look for a bank that takes security seriously, and maybe uses something like Trusteer to protect sessions. Oh – and stop accessing your accounts on an insecure computer. – RM
Survey says BZZZT! WRONG ANSWER! – Yet another data loss story. When ECMC Group Inc. announced that the information of some 3.3 million borrowers has been compromised, Richard Boyle, president and CEO of ECMC Group, Inc. said: “We deeply regret that this incident occurred and the stress it has caused our borrowers and our partners and are doing everything we can to help protect our borrowers’ identity and personal information.” Short and professional. Cuts to the heart of the issue and says the right things without divulging too much information. Contrast that with Education Department spokesman Justin Hamilton who stated “Protecting student privacy is a top priority for the department,” and “We are working with ECMC to make sure that affected individuals are provided with resources to protect their information and to provide them with identity-theft insurance.” Individuals cannot protect the information stored at ECMC. Nor can they really protect their identities, as that really falls on the financial and government institutions who grant credit or provide services andbenefits. Nor do borrowers want “Identity Theft Insurance” – they simply do not want to deal with the problem that was created for them. The later quote reeks of someone who is unprepared and unsympathetic to the issue. Regardless of what either of these people really thinks, and the actions they are taking, planning and preparedness (and the lack thereof) show. – AL
Is there an ass personality type? – I remember how enlightening it was the first time I took a Myers-Briggs test. I read the description of my type (INTJ) and it was like looking into a mirror. How’d they know that about me? It was actually very helpful in my relationships, since The Boss can at least understand that I’m not intentionally trying to be an ass, just that I look at situations differently than she does. As Trish Smith points out on the Catalyst blog, understanding your colleagues’ personality types can help you interact with them much more productively. Now it’s probably not appropriate to force your entire team to take a personality test, but you certainly can do a lunch and learn and make it a game. You all take the test (those who agree, anyway) and then discuss how that can help the team work more cohesively and be more aware of how different folks need to be addressed. – MR