Tuesday, February 19, 2013

Find your pebbles

I have just left one of my favorite gatherings of the year, Shmoocon, and I’m now at the Microsoft MVP Summit.  While they are very different events, and the total attendance overlap is probably fewer than five of us, there is a common thread: I’m spending time with people who have found something which interests them, and are exploring and sharing what moves them.


It is easy to dismiss the things we don’t care about personally, or ask “how could anyone get excited about [whatever]?”, but I think encouraging curiosity, exploration, and especially sharing what you know- these things are critically important, personally and professionally.  Even if others don’t agree, or you think you are just amusing yourself.

Some centuries ago a man looked back at his life’s work and said:

“I do not know what I may appear to the world, but to myself I seem to have been only like a boy playing on the sea-shore, and diverting myself in now and then finding a smoother pebble or a prettier shell than ordinary, whilst the great ocean of truth lay all undiscovered before me.”

Granted, some folks find pebbles which are more universally interesting, and shells which lead to advances for the greater good, but I think that quote should encourage you to find your pebbles to study and share.  It seems to have worked for Isaac Newton.


Monday, February 18, 2013

Virtually Absolute. Or not.

It is almost time for the RSA Conference, where those in attendance (and via the media, those not in attendance) will be bombarded with hype and hyperbole, on topics old, less old, contrary to popular belief, even new. 

The part of RSA which frustrates and demoralizes most attendees is the expo floor.  Some people avoid it entirely, which I can appreciate- but for those of us in the industry, we have to be on the floor, working for our companies, and checking out the state of the industry.  Others see it as a way to check out products and services, and talk directly to the vendors.  Whatever brings you to the expo floor, remember that it is a sales and lead generation event (which explains, poorly, the “booth babes”, fast cars, and other nonsense).

When talking to vendors, my standard advice applies: watch out for absolutes.  If anyone is claiming to have “the answer” to an InfoSec challenge, run away.  If someone claims to have “an answer”, you may want to listen if it interests you (but always keep the BS shields up, and keep an eye on the exit path). 

If you find someone who offers something shrouded in what are often derisively called “weasel words”, pay close attention.  These tend to fall into two categories:

Those overstating their product’s or service’s performance, who use weasel words to provide an escape clause for their “exaggerations”; and

Those who know the world is complex and who are unwilling to promise the impossible, but believe in what they do.

In the former case, those not-quite-absolute words are indeed weasel words; in the latter, they are honesty.  Sadly, the former far outweighs the latter.  It may not be a compelling statement, but if someone tells you “I think we may be able to help you solve part of your challenge”, pay attention.  Maybe they’re offering crap, but more likely they are being brutally honest about the challenges of InfoSec, and have probably been in the trenches themselves and didn’t appreciate vendor tall tales.

Note: this advice primarily applies to face-to-face conversations.  Banners and marketing materials have to grab your attention; admit it, you aren’t going to respond if they don’t grab you.

And yes, as implied above, I’ll be at RSA, Tuesday-Thursday, mostly in the Tenable booth (it seems like the least I can do for them, considering the regular paychecks they send me).  I’ll also be around BSides San Francisco on Sunday and Monday.  Stop by and say hello, I’m pretty easy to spot.



Saturday, February 2, 2013

Don’t be “that guy”

I was recently having a conversation with a friend who was telling me a story from a conference a few years ago.  My friend had an unpleasant interaction with an unpleasant person, and in the telling said something like

“I was talking to this guy, [really common first name] something, a real tool…”

to which I said, “oh, yeah, HIM!” and the story continued- as another friend joined us and, once caught up on the story, he knew exactly who we meant and had his own stories about [really common first name].  Keep in mind that none of us had uttered a last name, although by now one corporate affiliation had been mentioned to confirm that we were indeed all talking about the same [really common first name], who we all agreed was “a real tool”.

The active part of the InfoSec community really isn’t that big, and bad reputations tend to stick.  There are a lot of brilliant people in our industry, and more than a few successful (by a variety of definitions) people; there are also a fair number of out-of-proportion egos.  Don’t be like [really common first name]; a little humility and common decency are probably all that are needed to keep you in good standing.

Perhaps we could all use reminding of the classic Midwestern parents’ admonition “don’t think you’re special, because you’re not”, or maybe the modern equivalent, “yes honey, you are special- just like everyone else”.