Truth About Computer Security Hysteria
Rob gets introspective
Friday, 20 August 1999
A COLLEAGUE I admire recently chided the way I express my opinions on this website. "You call yourself a computer security expert," he noted, "yet you ridicule and slam people in our industry. You do it all the time." My colleague gives me credit for the content of my opinions, but he wants me to tone down the diatribes; he wants me to quit spotlighting the blunders. He believes my little crusade would influence more people if I worked with security personnel rather than against them. I'd reach a wider audience if I moved up to a respected publication, for example.
I struggled to give my colleague a decent rebuttal. What he said didn't feel right ... yet I couldn't find the words to express my opinion. I finally gave up and mumbled a trite remark: "I know I'm doing the right thing."
It took a few days to put my thoughts into words.
Suppose I follow my colleague's advice. Let's say I go to work for a think tank like GartnerGroup or Hurwitz Group, or I start writing for a popular rag like Information Security magazine or InfoSecurity News. If I join them, I'll need to follow some basic rules.
The first rule: "get into the pecking order." Journalists pretty much write at the whim of the editors, so my opinions could get bumped if, say, Bruce Schneier sneezes at a conference. "My God, Bruce, can we quote you on it? 'Atchoo!' " (No offense to Schneier: he can take a joke about his legendary status.) My opinions could languish for months, and they won't even show up on a website before the paper version reaches subscribers.
"Okay Genie, for my first wish, I want you to toss out the pecking order." Poof!
Now comes the problem of corruption & dilution. Editors get paid to edit. "C'mon Rob, we [plural] can't talk about Boeing like that. You [singular] need to appreciate the security issues they face as a large company. This anecdote about the Air Force needs to go, too. We can't let Saddam know our military shuts down whenever CNN announces a new virus..."
The thrust of my attitude — the sarcasm, the irony, the burlesque, the satire — would get corrupted by an editor's desire to make my opinions more diplomatic. After ripping out the soul of my opinion, it would still probably end up 400 words over target. "We'll cut that paragraph, let's drop the chart, this sentence was borderline anyway..." Slash slash slash. Editors would dilute my opinions to fit the space allotted.
"Genie, cash another wish for me. No editing allowed." Poof!
Now I've got a "point/counterpoint" problem. If someone lambastes an industry in a trade journal, it may very well appear as part of a pro-con debate. "I love your piece but it falls way outside the mainstream," an editor will say. "It needs 'balance,' otherwise readers will ignore it." A skeptic in the world of computer security? Perish the thought. Editors compensate with an opposing voice — and readers interpret it as a cue to look for the middle ground.
"Hey, blue dude! Master Yoda says we don't need balance in the Force." Poof!
Now guess what? Shallow thinking dominates the computer security industry. I don't mean shallow people, just shallow thinking. Network administrators, for instance, make some of the best security people because they already know every employee and every server. However, ex-administrators often feel an urge to absorb security knowledge faster than they can understand it. They can (and often do) get locked into shallow thought patterns as a result.
I can open the eyes of shallow thinkers in computer security if I can get them to read my opinions. No sweat, I'll just tell the floating cartoon guy to--
Hmmm, I ran out of wishes.
THIS WEBSITE GRANTS my first three boons: no pecking order, no editors, no point/counterpoint. Unfortunately, I can't make shallow thinkers read my opinions. The solution, then? I don't write for shallow thinkers in computer security. I focus instead on all the users who must put up with them. I give those people ammunition. Shallow thinking gets mugged when users ask a string of embarrassing philosophical questions.
I try to inject a lot of humor, too. Let's face it: computer security personnel take themselves way too seriously way too often. They call themselves "personnel" rather than "people" just for starters!
Sure, I make fun of stupid mistakes and I satirize dumb policies and I ridicule shallow thinking and I expose bizarre claims. Why not? It gives users a chance to snicker at an industry filled with pompous blowhards. Sarcasm? Irony? Burlesque? Satire? They provide a spoonful of sugar to help the medicine go down. People laugh at first — then they think about it a little bit. "Ya know, Rosenberger actually made a valid point there..."
"Comedians probably have more license to tell the truth than anybody. Most of them don't take it. Bill took it, and you have to admire that about him."
-- Richard Jeni, eulogizing the career of Bill Hicks
Yeah yeah, I've got some favorite whipping boys. What can I say? They keep handing me great material! Still, some of them can take it on the chin. I've bashed Network Associates for over a decade, yet SrVP Peter Watkins once called me from an aircraft. SrVP Gene Hodges impressed me greatly when I spoke to him for the first time. I bash Symantec too, yet CTO Enrique Salem lets me call his backline number. Those gentlemen continue to give me straight talk with absolute professionalism despite all the whippings. (Hodges sounded more professional on the phone than I did when we spoke. Ouch!)
I don't just make fun of experts — I whack users, too. I don't make fun of just the military; I don't make fun of just the bad stuff. I treat everything & everyone as fair game, including even myself.
I wish I could name some bigwigs who give my opinions the thumbs-up. Why can't I? The head of computer security for a Fortune 250 firm touched on it in an email yesterday: "it's obvious that there are a lot of us (computer security geeks) that still don't get it. However, trust me Rob, there are a lot of other people like me that do get it! We just have to live in obscurity for various reasons." How true, how true...
Some people in this industry actually believe they save lives while guarding the military's cyber-perimeter. Others believe their firms would instantly go bankrupt without eternal cyber-vigilance. People get branded as heretics if they question even the absurdities. "Tone it down, man! Legions of deadly über-hackers will overwhelm our defenses if they see dissent anywhere in our ranks!" Peer pressure still outguns skepticism for now.
I taste real success when my opinions flow from the lips of the heavy hitters. Bruce Schneier openly applauded one of my tirades, for instance. Hurwitz Group analyst Diana Kelly sounded a lot like me when she recently criticized precautionary disconnects. It would seem CERT and GartnerGroup changed their opinions about Melissa — right after I flogged them for shallow thinking. If I influence a few heavy hitters, they will quickly influence many shallow thinkers.
"Thirteen days after ExploreZip struck, the Xinhua news agency reported 'China's leading antivirus company ... issued new software containing an antidote to the new worm virus that swept through the Internet early this month.' [Yeah, like I should talk. I spent 15 days compiling these tidbits.]"
I ACTUALLY DO influence the computer security industry via my little website. I influence it in a highly effective manner, too. I can finally tell my colleague "I know I'm doing the right thing" without sounding trite in the process.
Oh, he may still disagree with the sarcasm, the irony, the burlesque, the satire ... but I believe he'll understand my reasons. I understand my "crusade" a little better now, too. My colleague forced me to think, and that's a big part of why I admire him.