I’m crappy at vacations. It usually takes me a few days to unwind and relax, and then I blink and it’s time to go home and get back into the mess of daily life. But it’s worse than that – even when I’m away, I tend to check email and wade through my blog posts and basically not really disconnect. So the guilt is always there. As opposed to enjoying what I’m doing, I’m worried about what I’m not doing and how much is piling up while I’m away. This has to stop. It’s not fair to the Boss or the kids or even me. I drive pretty hard and I’ve always walked the fine line between passion and burnout. I’m happy to say I’m making progress, slowly but surely.

Hard to find the right place for this... Thanks to Rich and Adrian, you probably didn’t notice I’ve been out of the country for the past 12 days and did zero work. But I was and it was great. Leaving the US really forces me to unplug, mostly because I’m cheap. I don’t want to pay $1.50 a minute for cell service and I don’t want to pay the ridonkulous data roaming fees. So I don’t. I just unplug.

OK, not entirely. When we get to the hotel at night, I usually connect to the hotel network to clean out my email, quickly peruse the blog feeds and call the kids (Skype FTW). Although WiFi is usually $25-30 per day and locked to one device. So I probably only connected half the days we were away.

The impact on my experience was significant. When I was on the tour bus, or at dinner with my friends, or at an attraction – I didn’t have my head buried in the iWhatever. I was engaged. I was paying attention. And it was great.

I always prided myself on being able to multi-task, which really means I’m proficient at doing a lot of things poorly at the same time. When you don’t have the distractions or interruptions or other shiny objects, it’s amazing how much richer the experience is. No matter what you are doing.

Regardless of the advantages, I suspect unplugging will always remain a battle for me, even on vacation. Going out of the US makes unplugging easy. The real challenge will be later this summer, when we do a family vacation. I may just get a prepay phone and forward my numbers there, so I have emergency communications, but I don’t have the shiny objects flashing at me…

But now that I’m thinking about it, why don’t more of us unplug during the week? Not for days at a time, but hours. Why can’t I take a morning and turn off email, IM, and even the web, and just write. Or think. Or plan world domination. Right, the only obstacle is my own weakness. My own need to feel important by getting email and calls and responding quickly.

So that’s going to be my new thing. For a couple-hour period every week, I’m going to unplug. Am I crazy? Would that work for you? It’s an interesting question. Let’s see how it goes.

– Mike

Photo credits: “Unplug for safety” originally uploaded by mag3737

Incite 4 U

  1. Attack of the Next Generation Firewalls… – Everyone hates the term ‘next generation’, but every vendor seems to want to convince the market they’ve got the next best widget and it represents the new new thing. Example 1 is McAfee’s announcement of the next version of Firewall Enterprise, which adds application layer protection. Not sure why that’s next generation, but whatever. It makes for good marketing. Example 2 is SonicWall’s SuperMassive project, which is a great name, but seems like an impedance mismatch, given SonicWall’s limited success in the large enterprise. And it’s the large enterprise that needs 40Gbps throughput. My point isn’t to poke at marketing folks. OK, maybe a bit. But for end users, you need to parse and purge any next generation verbiage and focus on your issues. Then deploy whatever generation addresses the problems. – MR
  2. Cry Havok and Let Slip the Lawyers – I really don’t know what to think of the patent system anymore. On one hand are the trolls who buy IP, wait for someone else to actually make a product, and then sue their behinds. On the other is the fact that patents do serve a valuable role in society to provide economic incentive for innovation, but only when managed well. I’m on the road and thus haven’t had a chance to dig into F5’s lawsuit against Imperva for patent infringement on the WAF. Thus I don’t know if this is the real deal or a play to bleed funds or sow doubt with prospects, but I do know who will win in the end… the lawyers. – RM
  3. Bait and Switch – According to The Register, researchers have successfully exercised an attack to bypass all AV protection. “It works by sending them a sample of benign code that passes their security checks and then, before it’s executed, swaps it out with a malicious payload.” and “If a product uses SSDT hooks or other kind of kernel mode hooks on similar level to implement security features it is vulnerable.” I do not know what the real chances for success are, but the methodology is legit. SSDT has been used for a while now as an exploit path, but this is the first time that I have heard of someone tricking what are essentially non-threadsafe checker utilities. A simple code change to the scheduler priorities will fix the immediate issue, but undoubtedly with side effects to application responsiveness. What most interests me about this is that it illustrates a classic problem we don’t see all that often: timing attacks. Typically this type of hack requires intimate knowledge of how the targeted code works, so it is less common. I am betting we’ll see this trick applied to other applications in the near future. – AL
  4. Just Do Something… – I get a lot of questions about how to get started in information security, like most of you. For some reason, if you are reasonably high profile in the business, folks think we know some kind of shortcut to get established. We’ve already talked about the benefits of social networking, but ultimately this post from Adam nails it. Just do something. Volunteer at your church. Help out the kid’s nursery school or your favorite charity. They have computers and Internet connectivity, so they’ve got security problems. If you are willing to trade time for experience, then you can learn and get established in this space. But certainly not if you view getting a security job as a chicken/egg problem. – MR
  5. It’s not what you know, it’s what you think you know – Hilarious post by James Iry titled “A Brief, and Mostly Wrong History of Programming Languages. I especially love the comments on COBOL. But I think the post is missing a couple important landmarks:
    1. September 1973, Lotfi Zadeh creates a paper on Fuzzy Logic. An inadvertent side effect is discovery of Zadeh’s theorem, proving it is possible to simultaneously be a supergenius and the village idiot.
    2. April 1994, Kernighan and Ritchie finally admit that Unix and C are a hoax: “We stopped when we got a clean compile on the following syntax: for(;P(“n”),R-;P(“|”))for(e=C;e-;P(“_”+(*u++/8)%2))P(“| “+(*u/4)%2);”.
    3. November 1995, James Gosling quietly released “Oak white paper” and no one notices. After scolding by marketing executives “What kind of a stupid $^@&#% name is ‘Oak’?”, the white paper was re-launched as “Java white paper” in December of that year to international acclaim.
    4. April 1974, honorable mention to Professor Stonebreaker, who launches the Ingres Relational Database with QUEL and SQL programming languages. Ingres hires dedicated programmer-monks to fulfill revolutionary vision. Resultant code is so dazzling and stupendous that they forget to hire sales team and go bankrupt. – AL
  6. More Who DAT Fail Impact – It’s been a few weeks since the McAfee DAT update fiasco; and as I was out of pocket for two weeks, I’m catching up on it, but I wonder if anyone took Rob Graham up on his offer to analyze the real number of failed machines. We also saw McAfee’s financial results suffer (earnings transcript) and you have to wonder whether customers looking at big McAfee renewals will look elsewhere. Finally, McAfee is going to help customers clean up, which seems either like a blank check (if done right) or a marketing ploy (if done wrong), but either way the old adage about it taking years to build credibility and only seconds to lose it is reality here. Set your clocks for three months from now: MFE’s next financial announcement should be interesting. – MR
  7. Happy Birthday LoveBug – Can it really be 10 years since the ILOVEYOU virus hit… hard? I still tell the story about getting the virus sent to me by the Chairman of RSA (Chuck Stuckey) and it keeps geting big laughs. But what have we learned over the past decade? We live in a dynamic world. Once we close one attack vector, the bad guys find the next. It’s an arms race, baby, and there is no end in sight. So remember LoveBug, get nostalgic for a minute, and then get back to work. Because blended threats won’t wait and zombies don’t sleep. We need more than a can of Raid to deal with today’s bugs. – MR
  8. Thoughts on Minimalism – Being out of the country always gives me perspective on the “reality” that is life in the US. Just driving around my neighborhood really brought it home. We’ve got space, we live in relatively big houses, we’ve got relative wealth, and we are still unhappy. At least most of us. So stumbling across this post on the ZenHabits blog about minimalism provided a good reminder that stuff doesn’t make us happy. The point here is to be happy with what you have and stop making yourself crazy trying to get that stuff you probably don’t need anyway. I talk about this a lot, and I don’t do particularly well in practicing what I preach, but at least I recognize where I’m trying to go, and maybe one day I’ll even get there. – MR