Every time I took a new job, on my first day I would tell the team that I hate surprises. What I really meant was a warning: don’t screw something up and then not tell me. That’s not really a surprise, per se. More a failure to communicate. But now that I’m a bit older I realize the importance of surprises. When you are surprised it really means you had no expectations.

For example, if I really didn’t like surprises I wouldn’t have appreciated the fact that The Boy took a hip-hop dancing elective at camp. That’s right, hip-hop dancing. That’s nothing less than shocking. He’s a pretty shy kid, and definitely doesn’t like to be the center of attention. Or so I thought. So hearing about him getting onstage to do a hip-hop routine was an awesome surprise.

The flip side of a pleasant surprise is a disappointing surprise. Of course we all feel disappointment at some point. It happens when you enter a situation and your expectations are unmet.

This all comes back to managing expectations. I know what you’re thinking – who cares? I do. I spent a long time disappointed with almost everything, because my expectations were unrealistic and usually unmet. I was constantly surprised because I expected things to happen, and I got bent out of shape when they didn’t.

One of the things I’ve been working on is having no expectations – or at least very limited expectations. For example, if I’m about to go out for the evening with friends I expect to end up back at home, and not naked in a crackhouse without any money. See how easy that was? Having realistic expectations is pretty straightforward. And if you do find yourself in that situation, there’s probably a great story to be told… once you get out of rehab.

All kidding aside, the sooner you can release most of your expectations, the sooner you will have more pleasant surprises and much less disappointment.


Photo credit: “Surprise” originally uploaded by Tom Rolfe

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and... hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Leveraging Threat Intelligence in Incident Response/Management

Endpoint Security Management Buyer’s Guide (Update)

Trends in Data Centric Security

Understanding Role-based Access Control

NoSQL Security 2.0

Newly Published Papers

Incite 4 U

  1. Penetrating words about vulnerabilities: Daniel Miessler clarifies the distinctions between a vulnerability assessment and a penetration test. This is a good discussion – some organizations don’t know what they are buying when they select one or the other. Daniel offers a clean distinction: “The only key attributes of a VA vs. PT are list-orientation vs. goal-orientation…” A vulnerability assessment should produce a comprehensive list, while a penetration test has a mission to accomplish. But in the end the definitions aren’t even that important. The key is to know what you are buying. You likely need both, but if you expect a comprehensive list of issues from penetration testers you will be disappointed. – MR
  2. iPhone as a political pawn: As discussed in this week’s Firestarter, state-run China Central Television called out Apple’s iPhone as a national security concern because of fears that iOS “frequent location” data could leak and compromise state secrets. Apple responded succinctly yesterday: “Apple does not have access to Frequent Locations or the location cache on any user’s iPhone at any time.” Obviously the iPhone uses location data, and users can share geolocation data with individual apps as desired. We assume China Central Television’s coverage is politically motivated national posturing, laying out ground rules on surveillance and data collection. After all, the iPhone is made in China, so it’s hard to imagine how much of a threat to national security it really is. The real issue is not being discussed: in response to legal demands from nations such as the USA and China for iPhone user location data, what will Apple provide (what has Apple provided), and who will be notified, if anyone? – AL
  3. Trees don’t grow to the sky: Just in case you thought any of these megacapitalized technology giants would grow to the stratosphere… forget it. It looks like the German government is looking to more heavily regulate the large web advertising businesses and treat them like utilities to make sure pricing doesn’t get out of hand. The Europeans in general are far more egalitarian than we are on our side of the pond, and that makes it hard to see how any one company could become too powerful. Remember the Microsoft anti-trust case in Brussels years ago? And how they went after Intel as well? Yup, this time it started in Germany, but it is only a matter of time before other countries and eventually the EU go after those giant targets. Though I guess there is something to be said for getting big and successful enough to have a government start chasing you. – MR
  4. Never forget: The US Selective Service made a serious snafu this week when they mailed out registration reminders to fourteen thousand dead people. Instead of sending reminders to men born between 1993 and 1997, they mailed to men born between 1893 and 1897. Frankly, when you’re over 100 a reminder is warranted, but the potential draftees were unlikely to be living at the addresses on file… or, actually, anywhere. Getting past the momentary disbelief that the Selective Service imported those records at all, one question comes to mind: do you really want to generate outbound correspondence from a database used for record keeping and/or analytics? Those databases are chock full of private information, which could just as easily have been leaked. Slate poked fun with a “Super fun, super chill addition to the Selective Service web site” graphic, which was very funny, but a simple Google search confirms that the word ‘fun’ is simply not part of the Selective Service vocabulary. – AL
  5. Subliminal OS Wars: It shouldn’t surprise anyone that Google would take steps to secure Android which they don’t take on iOS. An example of this is Softpedia’s Gmail for iOS Poses Man-in-the-Middle Attack Risk. It turns out this attack requires iOS users to install a configuration profile, which directs traffic through the attacker’s proxy for sniffing before it continues on to its destination. For the attacker to read TLS traffic, the device also has to trust the attacker’s certificate, so ordinary chain validation alone doesn’t help. An app can pin the destination certificate (hardcode the certificate or its public key), so if the certificate presented on the connection doesn’t match the pin, the connection is refused regardless of what the device trusts. Evidently Google does this in the Android version but not in the iOS version. Was this malicious? Of course not… as I put away my tinfoil hat. Though I’m sure it will get remedied soon. You just know Google wants to be the only company who can see your Gmail traffic. – MR
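The pinning check described in item 5, as an added example: this is illustrative code written for this page, not code from Securosis, Google, or Softpedia. It uses only the Python standard library; `fetch_pinned` shows where the pin check sits relative to normal TLS validation, and the `GENUINE_CERT`, `ATTACKER_CERT` and backup byte strings are constructed stand-ins for DER certificates, not real X.509 data, so the demo runs offline.

```python
"""Certificate pinning layered on top of normal TLS validation.

Added illustration (not code from Securosis, Google, or Softpedia).
Standard library only. The certificate bytes used by demo() are
constructed stand-ins, not real DER-encoded certificates.
"""
import base64
import hashlib
import hmac
import socket
import ssl


class PinMismatch(ssl.SSLError):
    """Raised when the presented certificate matches none of the pins."""


def cert_pin(der_cert: bytes) -> str:
    """SHA-256 of the DER certificate, base64 encoded.

    This pins the whole leaf certificate, which is what the item above
    describes. Pinning the SubjectPublicKeyInfo instead survives a
    certificate renewal that keeps the same key, but needs an ASN.1
    parser, so it is left out here.
    """
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode("ascii")


def pin_matches(der_cert: bytes, pins) -> bool:
    """True if the presented certificate hashes to one of the pins.

    Comparison is constant-time. Ship at least one backup pin so that a
    routine certificate rotation does not lock users out of the service.
    """
    observed = cert_pin(der_cert)
    return any(hmac.compare_digest(observed, pin) for pin in pins)


def fetch_pinned(host: str, port: int, pins, request: bytes,
                 timeout: float = 10.0) -> bytes:
    """Connect over TLS, enforce the pin, send a request, return the reply.

    The default context still performs chain and hostname validation. A
    configuration profile that installs an attacker's root CA makes that
    validation pass, so the pin check is what actually stops the
    interception described in the item.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if der is None or not pin_matches(der, pins):
                raise PinMismatch(f"certificate presented for {host} matches no pin")
            tls.sendall(request)
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
            return b"".join(chunks)


# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
GENUINE_CERT = b"\x30\x82CONSTRUCTED-genuine-mail-server-cert"
ATTACKER_CERT = b"\x30\x82CONSTRUCTED-interception-proxy-cert"
BACKUP_CERT = b"\x30\x82CONSTRUCTED-backup-cert-for-rotation"

# What the app would ship: the pin of the genuine certificate plus a backup.
PINNED = [cert_pin(GENUINE_CERT), cert_pin(BACKUP_CERT)]


def demo() -> dict:
    """Genuine certificate accepted, interception proxy certificate refused."""
    return {
        "genuine": pin_matches(GENUINE_CERT, PINNED),
        "attacker": pin_matches(ATTACKER_CERT, PINNED),
    }


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'attacker': False}
```

The point of the design is that `fetch_pinned` never weakens the default context: chain and hostname validation still run, and the pin is an extra condition the attacker's profile-installed CA cannot satisfy. The trade-off is operational: with no backup pin, a certificate rotation on the server turns every client into a hard failure.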