Incite 4/6/2011: Do WorkBy Mike Rothman
We spent last weekend up north visiting friends and family while the kids are on Spring Break. We decided to surprise them on Sunday by going to a baseball game. It was opening weekend and our home team was in town. We got cheap seats in the upper deck, but throughout the game we kept moving downwards, and by the 9th inning we were literally in the front row on the dugout. The Boss turned to me and asked if the kids had any idea how lucky they are. Yeah, right.
And that’s a huge problem for me. Given a lot of luck and a little talent, I make a pretty good living, which means my kids can do things that weren’t possible for me growing up. But where do you draw the line? You want the kids to have great experiences, but you also want them to understand the work involved to provide those experiences.
The best answer I have right now is to do work. I think I saw Chris Nickerson say that on Twitter one day and it resonated with me. It’s basically leading by example. I get up every morning and do work. Even though most of the time what I do all day doesn’t feel like work. The kids know that I work hard and I’m good about reminding them when they get a little uppity.
One of the best parts of the weekend was seeing our twin nephews. They are 3 months old and a lot of fun. But each time I got my hands on one of them, I’d start working them out. You know, getting them to start supporting their weight – both sitting and standing. I also had them doing some tummy time, which brought back plenty of memories from when my kids were babies. Just like I remembered, newborns don’t like to do work. They like to eat and sleep and crap their pants. And when they would bark at me I’d just look them in the eye and say “stop bitching and do work!” Though maybe it is a bit early to push them out of their comfort zone. Although they do have to get into that fancy pre-school, after all…
Yes, I know kids need to be kids too. They need to play and have fun because lord knows once they get out of school it’s not as much fun. But they can work at having fun. They can work on their ball skills, being a good friend, or even Angry Birds. If you want to be good, you need to work at it. That’s right. Do work!
Working at home creates some challenges because every so often one of the kids will want to play during the work day. I politely (or sometimes not so politely) decline and remind them that Dad is doing work. Then I make sure they did work before letting them go do their own thing. You see, working hard is a habit and I know that sometimes I can be a bit relentless with them, but if they don’t learn a good work ethic now life will be pretty tough.
So I’ll assume that reading my drivel is work for you, so you can feel good about spending 10 minutes with us each day. And no, I won’t reimburse you for those 10 minutes you’ll never get back. Now get back to work! That’s what I’m going to do.
Photo credits: “Do work, son!” originally uploaded by Lee Huynh
Incite 4 U
Bully? I’m good with that: We haven’t spoken about Stuxnet recently, so let me point to an interesting post from VC David Cowan (the first money into VeriSign among others), who talks about how the guy that decomposed and published all the gory details of Stuxnet is misguided in calling the US a cyber-bully. You see, whether Ralph Langner wants to admit it or not, a nuclear-capable Iran isn’t in anyone’s best interests. Regardless of your politics, it’s hard to make a case otherwise. So presumably the US (and other partners) came up with a way to avoid bombing the crap out of somewhere while meeting their requirements. That’s innovation, folks. And innovation can’t be stopped. Remember the Manhattan Project? How long was it before the USSR had their own nuclear weapons? Once Pandora’s box is open, it’s open. And I’m glad the US got to open this one. – MR
Advanced Persistent Service Providers: Ever hear of Epsilon? Not the Greek letter – the email marketing company. Me neither, until the breach notifications started rolling in. I bet the Secret Service never heard of them either. Evidently they are a pretty successful company, and that made them a target. As our emails and names start circulating the botnets, one interesting point is emerging. If you read one email sent to the DataBreaches.net folks you realize that the lost data included not only folks who opted out, but leftover data from prior corporate customers. That’s right, they kept everything. Forever. This provides a new perspective on the idea of persistence, eh? Perhaps it’s time to check your contracts with your service providers, so you aren’t exposed by their mistakes, after you switch to their competitor. – RM
Consumerization FTW: ZDNet discussed an interesting use case for Pano Logic virtual client terminals at public libraries. I am a big fan of desktop virtualization, both for security because it’s easier to patch and implement policy centrally, and also because this makes your virtual session available regardless of your location or device. This is not an endorsement of any product – just of this type of technology in general. The use case makes sense, and particularly for schools which need controlled environments. At the same time I realize this will probably never catch on – for the same reason phone booths are gone – cell phones made them obsolete. The organizations with the most to gain from this service model are least likely to be able to afford it. In the long run schools and public libraries will likely require people to bring their own devices, and just provide content. – AL
Criticism or critique depends on where you sit: One of the big issues I have with many security folks is their acrimonious relationship with their auditors. They seem to forget we are all supposed to be on the same team. Lenny Zeltser makes a great point about how an assessor should write a report as a critique, not a criticism of your security program. Let me take the other position: regardless of the tone of the report, security folks can deal with things differently. Nobody is 100% secure, so clearly there are areas to improve. Always. Why not leverage an auditor’s knowledge and experience to learn and improve? I know that involves swallowing a little pride, but how’s the old approach working for you? You know, sitting in a room with an auditor and yelling at each other for days. Then talking over, with your boss, how and why their report tore you a new hind section. There are multiple ways to deal with every situation – you can choose a positive or a negative path. Deal with the report either defensively or constructively. The choice is yours. – MR
Your users aren’t special: During my career I have had the privilege of working in the three environments with the worst imaginable egos (not even analysts are as bad): healthcare, higher education, and government. Healthcare was filled with doctors who thought their medical degrees were proper supersets of an MBA. The MBA professors thought their Ph.D.s encompassed all the world’s combined knowledge, and government folks… that was more resistance to change than anything else. Now we hear that NASA left the shuttle, Space Station, and everything else open to hackers because security would interfere with ‘science’. You know what else interferes with science? Some doofus of a kid stealing the source code for the International Space Station. Now all he needs is a few billion in funding and he’ll have a kick-ass science fair project. – RM
Outsourcing is here (and breaches happen): Outsourcing email: Do the benefits outweigh the risks asks the wrong question. Taking responsibility for one’s own data is a nice thought, but the fact is that outsourced service relationships are a normal and healthy business model. Architecturally there is little difference between Epsilon and Google/Postini – or even Salesforce.com. The services are different but they all store and process someone else’s data. This model makes sense and it’s not going away. Quite the contrary, it’s growing rapidly (Amazon AWS, Google Apps). And it requires the service provider to actually satisfy its custodial duties for data, and it requires that businesses verify adherence. Hoping someone else will “take care of” security won’t cut it, so get used to reading those Service Level Agreements and performing on-site audits. Also be prepared for periodic failures and plan accordingly – AL
Earth to Gartner. No one has a crystal ball: Obviously everyone remains all wrapped in with the details (or lack thereof) of the RSA breach. The RSA folks started talking a bit about the attack and their response. Then Gartner’s Avivah Litan said RSA should have known better. What? Analyst mediocrity makes me sad. There is a clear disconnect between the attack that happened and the technology she believes RSA should have used to stop it. How could algorithms for risk-based authentication and consumer fraud detection in web-based applications have stopped an employee from opening a spreadsheet and subsequently getting pwned by malware? Yes, in hindsight, RSA should have had full packet capture everywhere, and I suspect they will now that they own NetWitness. Yes, their low-level finance administrators should have been trained to not click on things. But there is no technical control to prevent user stupidity. I guess there’s no way to prevent analyst stupidity, either. Now that is something I should have known better. – MR