Obviously bad news sells. If you have any doubt about that, watch your local news. Wherever you are. The first three stories are inevitably bad news. Fires, murders, stupid political fiascos. Then maybe you’ll see a human interest story. Maybe. Then some sports and the weather and that’s it. Let’s just say I haven’t watched any newscast in a long time. But this focus on negativity has permeated every aspect of the media, and it’s nauseating.

Let’s take the Olympics, for example. What a great opportunity to tell great stories about athletes overcoming incredible odds to perform on a world stage. The broadcasts (at least NBC in the US) do go into the backstories of the athletes a bit, and those stories are inspiring. But what the hell is going on with the interviews of the athletes, especially right after competition? Could these reporters be more offensive? Asking question after question about why an athlete didn’t do this or failed to do that.

Let’s take an interview with Michael Phelps Monday night, for example. This guy will end these Olympics as the most decorated athlete in history. He lost a race on Sunday that he didn’t specifically train for, coming in fourth. After qualifying for the finals in the 200m Butterfly, the obtuse reporter asked him, “which Michael Phelps will we see at the finals?” Really? Phelps didn’t take the bait, but she kept pressing him. Finally he said, “I let my swimming do the talking.” Zing!

But every interview was like that. I know reporters want to get the raw emotion, but earning a silver medal is not a bad thing. Sure, every athlete with the drive to make the Olympics wants to win Gold. But the media should be celebrating these athletes, not poking the open wound when they don’t win or medal. Does anyone think gymnast Jordyn Wieber doesn’t feel terrible that she, the reigning world champion, didn’t qualify for the all-around?

As if these athletes’ accomplishments weren’t already impressive enough, their ability to deal with these media idiots is even more impressive. But I guess that’s the world we live in. Bad news sells, and good news ends up on the back page of those papers no one buys anymore. Folks are more interested in who Kobe Bryant is partying with than the 10,000 hours these folks spend training for a 1-minute race.

On days like this, I’m truly thankful our DVR allows us to forward through the interviews. And that the mute button enables me to muzzle the commentators.


Photo credits: STFU originally uploaded by Glenn

Heavy Research

We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can subscribe to our Heavy Feed via RSS, which carries all our content in its unabridged glory. And you can get all our research papers too.

Endpoint Security Management Buyer’s Guide

Pragmatic WAF Management

Incite 4 U

  1. Awareness of security awareness (training): You have to hand it to Dave Aitel – he knows how to stir the pot, poking at the entire security awareness training business. He basically calls it an ineffective waste of money, which would be better invested in technical controls. Every security admin tasked with wiping the machines of the same folks over and over again (really, it wasn’t pr0n) nodded in agreement. And every trainer took offense and pointed both barrels at Dave. Let me highlight one of the better responses from Rob Cheyne, who makes some good points. As usual, the truth is somewhere in the middle. I believe high-quality security training can help, but it cannot prevent everybody from clicking stuff they shouldn’t. The goal needs to be reducing the number of those folks who click unwisely. We need to balance the cost of training against the reduction in time and money spent cleaning up after the screwups. In some organizations this is a good investment. In others, not so much. But there are no absolutes here – there rarely are. – MR
  2. RESTful poop flinger: A college prof told me that, when he used to test his applications, he would take a stack of punch cards out of the trash can and feed them in as inputs. When I used to test database scalability features, I would randomly disconnect one of the databases to ensure proper failover to the other servers. But I never wrote a Chaos Monkey to randomly kick my apps over so I could continually verify application ‘survivability’. Netflix announced this concept some time back, but now the source code is available to the public. Which is awesome. Just as no battle plan survives contact with the enemy, failover systems die on contact with reality. This is a great idea for validating code – sort of like an ongoing proof of concept. When universities have coding competitions, this is how they should test. – AL
  3. Budget jitsu: Great post here by Rob Graham about the nonsensical approach most security folks take to fighting for more budget using the “coffee fund” analogy. Doing the sales/funding dance is something I tackled in the Pragmatic CSO, and Rob takes a different approach: presenting everything in terms of tradeoffs. Don’t ask for more money – ask to redistribute money to deal with different and emerging threats – which is very good advice. But Rob’s money quote, “Therefore, it must be a dishonest belief in one’s own worth. Cybersecurity have this in spades. They’ve raised their profession into some sort of quasi-religion,” shows a lot of folks need an attitude adjustment in order to sell their priorities. There is (painful) truth in that. – MR
  4. Watch me pull a rabbit from my hat: The press folks at Black Hat were frenetic. At one session I proctored, a member of the press literally walked onto stage as I was set to announce the presentation, and several more repeatedly interrupted the speakers during their sessions. When speakers did not deliver some amazing new feat of hackery, or astound the audience with some clever trickery, the press turned grim and surly. I witnessed a dozen or so running in and out of sessions, trying to find a controversial nugget to write about. I guess it’s the end result of a media business driven by pageview whores. And what was the main story we did see in the press? Hotel card key hacking? Really? How is this different from a malicious insider with a master key, or anyone with 60 seconds and a lockpick kit? To quote attrition.org – I reject your FUD. The awe-inspiring acrobatics of jailbreaking phones, and how ATMs got hacked, are fun to read about, but most of the time that stuff helps no one get their jobs done. Our own Mr. Rothman’s Dark Reading post raised some eyebrows, but he has a point. Our industry as a whole is changing. The security industry is reaching a certain level of maturity – and the realities of making security work within the constraints of time, money, and truckloads of legacy infrastructure are really just not all that exciting. In fact it’s hard work – but essential hard work. And I think the press’ inability to do ‘TMZ: The Hacker Edition’ is a good thing – the presentations were more focused on practical tools than parlor tricks. – AL
  5. My failure to communicate: As Adrian linked above, I posted a few observations of my experience at Black Hat this year, and if you can work through my attempts at humor and snark, what I was trying to say was better communicated by Shimmy. I don’t know what is establishment and counterculture, but his observations are consistent with mine. What I forgot to mention is that I don’t view the RSA Conference negatively. But it’s different than the heritage of Black Hat. As the industry matures it becomes more businesslike, and it’s entirely reasonable for more than one industry conference to prosper. As a fervent capitalist I also realize that sponsors pay for big numbers of folks who buy stuff. My poorly communicated point was that it doesn’t matter what direction Black Hat chooses (more industry-oriented or more research-oriented) – either is fine. Just be sure to make a decision. If anyone can push the conference in the right direction it’s Trey Ford, who has probably set up the Rothman dart board in his office already. Joining hundreds of others through the years. – MR
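The Chaos Monkey idea in item 2 above is simple enough to show in a few dozen lines: kill instances on a schedule and measure whether the service keeps answering. The following is an added example, not Netflix’s Chaos Monkey code and not anything from the original post. The worker pool, the client-side failover and the supervisor that restarts dead workers are all simulated in-process (an assumption made so it runs offline and deterministically); the names `Worker`, `Pool`, `chaos_kill` and `run_experiment` are invented for the illustration. The second run, with a single instance, shows the failure mode the monkey exists to catch: no replicas means every kill is an outage until the supervisor comes around.

```python
"""Chaos-monkey style survivability check, simulated in-process.

Added example, not Netflix's Chaos Monkey. The worker pool, client failover
and supervisor are simulated here (assumption) so the experiment runs offline
and deterministically; the pattern is what matters: kill instances on a
schedule and measure whether requests keep succeeding.
"""
import random


class Worker:
    """One simulated service instance; `alive` is False once the monkey kills it."""

    def __init__(self, name):
        self.name = name
        self.alive = True

    def handle(self, request):
        if not self.alive:
            raise ConnectionError(f"{self.name} is down")
        return f"{self.name} served {request}"


class Pool:
    """Client-side failover plus a supervisor that restarts dead workers."""

    def __init__(self, size):
        self.workers = [Worker(f"w{i}") for i in range(size)]
        self.restarts = 0

    def request(self, request, rng):
        # Try workers in random order and fall through dead ones, like a
        # client retrying behind a load balancer. Fail only if nothing is alive.
        for worker in rng.sample(self.workers, len(self.workers)):
            try:
                return worker.handle(request)
            except ConnectionError:
                continue
        raise RuntimeError("no live worker")

    def supervise(self):
        # Restart whatever the monkey killed. Running this only every few
        # rounds models restart latency, which is what makes replicas matter.
        for worker in self.workers:
            if not worker.alive:
                worker.alive = True
                self.restarts += 1


def chaos_kill(pool, rng):
    """Kill one randomly chosen live worker; return its name, or None if none are up."""
    live = [w for w in pool.workers if w.alive]
    if not live:
        return None
    victim = rng.choice(live)
    victim.alive = False
    return victim.name


def run_experiment(size, rounds=20, kill_every=5, heal_every=4, seed=1):
    """Serve one request per round while the monkey kills and the supervisor heals.

    Per round: heal if due, kill if due, then serve. Returns the counters a
    survivability report would be built from.
    """
    rng = random.Random(seed)
    pool = Pool(size)
    served = failed = kills = 0
    for tick in range(rounds):
        if tick % heal_every == 0:
            pool.supervise()
        if tick % kill_every == 0 and chaos_kill(pool, rng) is not None:
            kills += 1
        try:
            pool.request(f"req{tick}", rng)
            served += 1
        except RuntimeError:
            failed += 1
    return {
        "served": served,
        "failed": failed,
        "kills": kills,
        "restarts": pool.restarts,
        "availability": served / rounds,
    }


if __name__ == "__main__":
    # Three replicas ride out the monkey; a single instance does not.
    print(run_experiment(size=3))
    print(run_experiment(size=1))
```

The numbers to watch are `failed` and `availability`: with three replicas every kill is absorbed by the remaining workers and the supervisor quietly restarts the victim, so availability stays at 1.0; with one instance the same kill schedule costs half the requests. Swapping the simulated kill for a real `kill -9`, an instance termination, or a network partition is the only change needed to turn this into the real thing, and the report format stays the same.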