Addicted to Accolades

Last year, David McCullough Jr. — longtime Wellesley High School English teacher and son of one of my favorite authors — gave a commencement speech in which he told graduates the hard truth: They’re not special.

You can see the whole speech here, but here’s a key passage for me:

In our unspoken but not so subtle Darwinian competition with one another — which springs, I think, from our fear of our own insignificance, a subset of our dread of mortality — we have of late, we Americans, to our detriment, come to love accolades more than genuine achievement. We have come to see them as the point — and we’re happy to compromise standards, or ignore reality, if we suspect that’s the quickest way, or only way, to have something to put on the mantelpiece, something to pose with, crow about, something with which to leverage ourselves into a better spot on the social totem pole.

I loved that speech, as did a lot of friends and colleagues. But an uncomfortable truth hit me: McCullough wasn’t just talking about the teenagers in caps and gowns. He was talking about us adults, too.

In this world of Twitter and Facebook, we’ve become addicted to accolades. Not every single one of us, but many of us, myself included.

I found myself thinking about it this week after watching some industry colleagues discuss the notion that our community has “too many rock stars and not enough session players,” in the words of Jack Daniel. In my opinion, Daniel is one of the biggest security rock stars out there.

There are a lot of rock stars in the security industry. Hell, every industry has ’em. I do not count myself among them. Not even close. People like Jack rose to that status by doing the hard work and having the balls to discuss difficult issues in front of crowds full of skeptics and cynics.

I know a lot of session players, too. They shun the limelight and prefer to tinker away in peace.

Though I don’t consider myself a star, I do love getting positive attention for work I’ve done. I’ll even admit I’m addicted to it.

Sure, I value negative feedback as a necessity for personal growth, but I also find it crushing sometimes. Not because it’s unfair, but because I have a big ego.

The bigger the ego, the harder the fall.

I love rock stars, in my industry and beyond. If I ever rate being one, I hope it’s because I did something important, not because I wanted such status. I trust y’all will help keep me honest.

Account Theft: The Worst That Could Happen Wasn’t Much

Because I’m a security writer by profession, one of my biggest fears is that online thieves will suck my bank account dry. I’ve seen it happen to friends and family, and I know how violated they felt. I’ve written too many articles about people I don’t know being victimized.

So when it finally happened to me, I was surprised by my muted, almost calm response.

Mood music:

http://youtu.be/iJ3aVCvM0JY

When I signed in to the family account, I was perplexed to find a few hundred dollars less than I had budgeted. The second I called up the account activity, I knew.

Six transactions in a row, all from the same morning, for $50 apiece, going to Steampowered.com, a well-known entertainment and gaming site. No one in this house uses it, so it instantly raised my suspicion. A few years ago, before learning to cope with my demons, my response would have been panic and rage. I would have visions of the family living on the streets, destitute, with nowhere to go. I would entertain the idea of hunting down the thief and plunging a knife into their chest a few hundred times, and I’d be unable to focus on anything else.

Of course, I’d never actually attack someone that way, and family and friends would keep us off the streets if it really came to that, which it wouldn’t have.

But when the obsessed mind spins beyond control, the victim views all the worst-case scenarios as reality.

Here’s what actually happened:

  1. When I saw the suspicious activity, I called the bank.
  2. The bank immediately canceled my card and arranged to send me a new one.
  3. I went to the bank and went over the last month’s transactions with them in an effort to trace the point when someone successfully penetrated the account. I signed paperwork to get my stolen funds restored.

Within 20 minutes, I had done what was needed and went on with life.

I’m not perfect, by any means. I still entertained the idea of finding the thief and turning the tables. I still cussed up a storm for being inconvenienced.

But I’m grateful for the ability not to go over the rails as my younger self would have.

In recent years, particularly in moments like this, I’ve developed a game called “What’s the worst that can happen?” I’ll picture a bad scenario and play out the absolute worst things that could happen from there. In the end, the answer is usually not much. For this incident, the worst-case scenario was that the account would run dry and all the scheduled bill payments would fail. Then I would have been running up the credit card to handle current expenses.

Those thoughts fizzled pretty quickly, though. I knew the bank would replace the missing funds and I knew I was fortunate to have the resources to keep paying for expenses.

I also knew that I wasn’t a special snowflake. People are robbed this way every day. It’s become a fact of life and banking protocols have changed in response.

The worst that could happen? Nothing really, save for the inconvenience of a trip to the bank.

Before online banking, we all had to do that anyway.

Bullied by the Word “Bully”

Walk into any school these days and you’ll see anti-bullying posters everywhere. I’m happy to see it, because kids need to learn what it is and how to stand up for themselves. Unfortunately, they’re taking cues from grownups who don’t always know what they’re talking about.

Mood music:

http://youtu.be/d2rmScLelmE

I was reminded of this after reading a blog post from Brian Martin, A.K.A. Jericho, of attrition.org.

Martin got into a protracted debate recently with Elizabeth Weidman, mother of security practitioner Georgia Weidman. I’m not even going to attempt to piece together the string of comments that led to the inevitable cry of bullying, but I’ll do my best to give you the gist: Georgia tweeted something Jericho disagreed with. Jericho responded. Georgia didn’t like the response. Then Elizabeth came to her daughter’s defense:

Is this really the InfoSec community you want? Stand up for what you want. Don’t let the bullies of InfoSec do this to people. Stand up to them. Support each other loudly. If you don’t, this is the InfoSec you get. Georgia’s gone to some pretty dark places out of inexperience, out of fear, and out of mistakes she admits were her own. She’s made it out, I hope, but what about other new people in InfoSec, other people going through a hard time? Is it going to take someone dying to make you see/care?

Which led to Jericho’s response, which focuses on misuse of the word bully.

If we can arbitrarily call it “bullying” solely based on one side’s perception, then we’re all equally guilty of bullying. If I call you a jerk, and you call me an ass in return, we are both potentially guilty of it. In reality, I think we can all agree that is a bit absurd.

I don’t always agree with Jericho, but in this case he has a point. There’s a lot of snark, sarcasm and hearty disagreement in the security community. It plays out on Twitter around the clock. And while people can be assholes at times, I don’t think they can be called bullies. Not as it’s described in multiple dictionaries at least. Jericho offers a few definitions in his post, and writes:

The words threat, force, and coercion appear more than once in the definitions above and are the crux of what bullying is about. Everyone who is now equating the term “bullying” with anything less than a malicious, sustained campaign of hatefulness with the intent of coercing/threatening is the worst sort of cowardice and dishonesty. They are doing a disservice to society and themselves.

I was bullied as a kid. I also did more than my fair share of bullying. It’s something I regret. But while people can be jerks on Twitter, I don’t think it comes close to bullying.

People disagree with me frequently, which I expect and appreciate as a blogger who throws a lot of strong opinions out there.

Recently, some friends strongly disagreed with my posts suggesting we be more civil in the security community. I disagreed back, and at times I got annoyed. But I never felt bullied. I was being disagreed with, not threatened or forced to take a certain position.

If we can’t get it straight as adults, the anti-bullying education we’re trying to give children will be for nothing.

You See a SecBurnout Cult; I See Common Sense

Some folks are pissed over my recent posts about efforts in the security community to fight job burnout and depression. I won’t change your minds, so I’ll just clarify a few things and move along.

People have made five observations:

  1. The data is far too insufficient to declare a problem specific to the security community.
  2. Without data, all we have is opinion.
  3. The greater InfoSec Burnout movement and I have made it sound like this is an infosec problem or a workplace-centric problem rather than what it truly is: a mental health problem that the individual already has and brings to whatever job they have.
  4. I’m trying to superimpose my issues onto the rest of the community.
  5. I’ve gotten too caught up in the noise coming from the SecBurnout people.

That last line makes it sound like I’ve joined a cult of misguided infosec egotists who can’t see past their upraised noses. What follows is my opinion on each of the points above. I speak as an individual, not as part of any organized movement — security or otherwise.

  1. Data isn’t everything. I write from personal experience. Part of that includes discussions I have with distressed peers. It doesn’t always take a study to see a problem.
  2. Well-formed opinions based on experience are useful.
  3. I’ve said it repeatedly: A mentally ill person can be sent over the edge by their work circumstances, but in the final analysis the problem starts with them. I used to be crazy and work stress was a trigger. But the problem was always my inability to deal with stress. I had to be the change. I had to get treatment and find the coping tools. I had to create a new me. So it is with everyone.
  4. The notion that I’m superimposing my issues on the larger community is laughable. I didn’t start out on a mission specific to this community. It’s still not a security-only thing. But there are people who came to this community with mental illnesses who could use a helping hand. If I can share what I’ve learned in my own recovery with industry peers, I will. Maybe it’ll help them cope better with the stresses of the industry. Or maybe it’ll just help them cope better with life in general. Either way, it’s a win.
  5. I don’t believe I’m caught up in “noise.” I know where I’ve been and who I’ve talked to. When asked, I’ll always share what I’ve learned and who I learned it from. I’ll also be the first to admit I’m imperfect and still a work in progress.

This has never been about suggesting there’s a problem special to infosec. I don’t see a pandemic within the community. I see friends and colleagues grappling with territory I’m familiar with.

It’s as simple as that.

Three Things Jeff Bauman Teaches Us About Being Boston Strong

Jeff Bauman has gotten so much attention since the Boston Marathon bombings a year ago that I had resolved not to write about him here. I’m as inspired by his story as everyone else; I simply thought there was nothing I could say about the guy that hadn’t already been said.

Then I started reading his new book “Stronger.”

I’ve only read previews and excerpts thus far, but already I’m seeing something special.

About now you’re thinking I’m daft for only just now seeing something special. After all, the man’s durability of body and spirit has been evident since the day that bomb blew his knees off. We’ve seen picture after picture of him smiling in the hospital, throwing the first pitch at the start of a Red Sox game and appearing at the start of a Bruins playoff game.

But what I’ve read reveals raw feelings beneath the smile. In particular, he shows his discomfort as sports teams and politicians ask him to make appearances. He writes:

Did the Boston Bruins really want to do something nice for Jeff Bauman the human being? Or did they want him to be a prop? Something they could use to make a crowd of people cheer? Look at Jeff, isn’t he adorable? Look at Jeff, isn’t he brave? Look at Jeff, he’s a symbol. He’s a marketing tool.

Bauman also shares his relationship struggles before and after the bombings. He reveals the mood swings and commitment issues he thrust upon girlfriend Erin Hurley. Happily, the couple recently announced their engagement and that they are expecting a baby.

For me, there are three valuable lessons as I continue to read his story:

  • Don’t believe all the hype that surrounds you. Bauman knows he’s not the special snowflake the media and sports franchises portray him as. He’s essentially a regular guy who was in the wrong place at the wrong time and is doing the best he can with the fate he’s been handed. My experience as a writer is that people regularly put me on a pedestal for sharing my demons. I know I’m not special. Though, trust me, when people tell you you’re awesome often enough it’s easy to start believing it.
  • Smile, even when you don’t feel like it. We’ve seen all those pictures of Bauman smiling as he tries out his new prosthetic limbs. His writing reveals that on many days he didn’t feel like smiling. But he did anyway, and whether intended or not, that gives others the shot of inspiration needed to forge ahead in the face of adversity.
  • Make the best of bad situations. We all go through bad times. When we do, it’s hard to recognize the blessings hidden in them. Bauman knows his experience has made him stronger and that there are plenty of ways he can turn tragedy into something good. Reluctant as he may be some days, he has certainly made the best out of his situation.

Thanks for the inspiration, Jeff. And congratulations on the new book. I look forward to reading it in its entirety.

Curse You, 403: Forbidden Error!

UPDATE: We believe we have fixed the setting issues behind the problem. But if you encounter an error message, please let us know. Thanks!

For months, my OCD has been triggered by a vexing, mysterious problem: Some of my readers keep getting “403: Forbidden” errors when trying to read posts. I’ve looked high and low for the cause and solution, to no avail.

Mood music:

http://youtu.be/QD0D7IuriWQ

What probably infuriates me most is that I can access the posts just fine. If it failed for me, too, at least there’d be a little less mystery.

Instead, I’m left to wonder why the blog opens for some people and not others. I have noticed that the folks who get 403 messages are trying to open posts from an iPhone or iPad and usually get through from their desktop computers.

Also read “Depressed Web Servers and Other Amusing 404 Pages.”

But there are some who get locked out from any mobile device, and some who can get through on those Apple devices.

Typically, my OCD is triggered by things I can’t control. In this case, however, it’s something that probably can be controlled. It’s pinpointing the issue that’s the problem.

In response, I’ve done what any typical OCD head would do: waste hours and days exploring every line of code and every URL for clues.

I’ll continue to investigate the problem. If anyone wants to do some investigating of their own, I’ll gladly accept the help.

If there’s any silver lining, it’s that the error messages are killing me much more than they are killing you.

There Are Other Things Besides Hacking

During that SOURCE Boston session on security burnout last week, someone in the audience made an important observation: One of the reasons depression runs deep in the security industry is because hackers spend most of their time staring at a screen.

When a researcher is trying to break into system weaknesses, there’s an obsession to it. You can’t pull away. You have to keep traveling deeper and deeper down the rabbit hole in the hunt for your prize. When that’s all you do, there’s no room for the things that make for a more balanced life: hobbies, time with friends and family, simple walks in the sun.

That leads to depression, cynicism and worse.

The audience member who pointed that out said his life changed dramatically when he started letting the other activities in. I had the same experience, though not as a hacker. Which goes to show that like many of the mental health challenges we’ve been talking about in the security community, the malady strikes people from every walk of life.

Before security, I was a journalist by profession. I spent many late nights chasing fire trucks, cop cars and ambulances. I sat through way too many city council and selectmen meetings to count, and after all the chasing I had to go write about it.

If I was chasing a story, nothing was going to divert my attention. Meals weren’t getting in the way. Sleep didn’t stand a chance unless I was sick from nervous exhaustion. And aside from lying on the couch gorging on TV, I had no real hobbies.

It took years of therapy, a prescription for Prozac and a lot of soul searching before I realized how critical it is to have balance.

I learned to take my family time more seriously and even rearrange my work schedule around it. I picked the guitar back up 20 years after I put it down to dive into work obsessions. I rediscovered the importance of taking walks, especially with Erin. And I learned to build a day into business trips where I could walk around and drink up the culture of where I was.

Life’s a whole lot better now. I still get depressed, but I come out of it more quickly.

For those in the hacking community who are clinging to sanity by a thread, it’s an important lesson.

SecBurnout: Much Ado About Nothing?

At the SOURCE Boston security conference yesterday, I ran a session with former colleague and friend Josh Corman on the topic of security burnout. It’s an issue I’m increasingly dedicated to, given my own history with mental illness and high-profile deaths in the community.

When I think of the suicide of Aaron Swartz and the accidental overdose of Barnaby Jack, something in me screams out to act. I’m also inspired by the efforts of people like Amber Baldet and Akamai colleague Christian Ternus and want to help.

But some think this effort is a curious sideshow.

After reading about the session, one infosec practitioner took to Twitter and asked, “How many of us have lost it and started shooting up a place?”

It’s true there hasn’t been an explosion of people in the industry losing it and gunning down a bunch of co-workers. Therefore, he feels, the problem isn’t worth the efforts some of us have embarked upon. He added, “Something is wrong, alright. But let’s not make a big deal here.”

My skeptical friend isn’t the only one to make these points. Others have pointed out that the SecBurnout effort is a waste of time because antisocial, caustic behavior is a staple of the profession. Nobody will change those people, nor should anyone try to.

Those who can’t handle it simply need to grow a set of balls or go do some other kind of work.

I agree with that — to a point.

As Corman noted yesterday, this effort isn’t going to “cure cancer.” We can’t tell people how to think, and we don’t want to. We’re advocating more kindness and civility in the profession, but we know the more negative elements will always be there.

Also true is that you can’t cure things like depression, bipolar disorder and OCD. We can learn to manage these things better, however, and keep them from controlling us.

But all that is beside the point of SecBurnout and similar efforts.

We don’t expect to change the world. We do believe it’s worth trying to suggest a better approach. If we can inspire just a few security shops to adopt a more humane environment that inspires people instead of crushing them — and if that leads to fewer cases of depression and suicide — it will be worth it.

Maybe this isn’t a big deal to you. If that’s the case, congratulations for staying above it all. But if you or your friends and colleagues are casualties of burnout, it’s a big deal.

I do see progress. When I was stuck in the deepest depths earlier in my career, you simply didn’t talk about this stuff. It was a sign of weakness and could get you fired.

That’s not as true today. I and many others are talking openly about our demons, and it’s making a difference. As a community we’ve recognized there’s a problem. Amber Baldet took it a step further by sharing suicide intervention techniques.

The next step is to attack the conditions that fuel depression in the first place, to tear at the roots of the problem so fewer people reach the point where they need an intervention.

And so we press on.

A Hacker Walks Into a Vape Shop…

A while back, I wrote about my use of electronic cigarettes as a way to avoid tobacco products.

Since then, the phenomenon known as “vaping” has taken off. It’s especially popular in the security industry I work in. There’s some symbolism in that, as I’ll explain shortly. But first, a self-assessment.

Mood music:

http://youtu.be/53iekfJg4IY

E-cigs have gotten me over smoking. True, vaping looks like smoking, and even feels like it to an extent. But I’m using nicotine-free water vapor and have absolutely no interest in returning to the old-fashioned cigarettes. I now detest the smell of real cigarette smoke and how it hangs in the air like a bad dream. I don’t miss getting ashes all over my clothes, either.

I like how the vapor vanishes almost immediately after the exhale and how it makes no mess. My breathing is also ten times better since nixing the cigarettes. (OK, that last one isn’t a scientific measure, but you get the idea.)

I admit that I’m also using vapor to satisfy the need to have something in my hand and in my mouth. I’ve done far worse, though. I can live with this.

There is something else I enjoy about vaping: the creativity it brings out in my security peers.

Which brings me to the symbolism I mentioned earlier.

Hackers are thought of as people who break things, and that’s partly true. The good guys break things to uncover weaknesses in technology that can then be fixed. That work is potentially lifesaving, if you look at the late Barnaby Jack’s focus on finding and fixing security holes in medical devices.

But the thing that gets lost is that hackers are also master builders. In the process of breaking things, they help build stronger technology. And, in the case of some friends, they love to build devices that dispense vapor. Hell, there’s even a Facebook group dedicated to the craft.

There, folks show off the different liquid flavors they’re trying the same way foodies take pictures of all their meals. They also show off the myriad vaping devices they’ve concocted, many of which look like lightsabers. The pieces that are assembled into a pipe are like the paints an artist puts on canvas.

Some of us get carried away. Take my friend Boris, who started collecting and concocting devices some time ago and can’t stop. Look at the guy’s bathroom:

Boris's collection of vapor pipes and liquids

While some like to build their own, there are also folks who just like to collect different pipes the way kids collect baseball cards. Martin Bos has an impressive collection:

Martin Bos's vapor pipes

While the creativity that Boris and Martin demonstrate tickles me, I’ve mostly used the e-cigs you can find in most gas stations. I only recently upgraded to an eGo pipe, which so far has great battery life.

I don’t plan to maintain a vaping habit forever. But compared to some of my past habits, which caused plenty of physical and mental destruction, this is good clean fun.

For now.

Success vs. Failure: Not as Simple as This Image Suggests

LinkedIn and other social media sites are publishing a lot of articles and graphics lately about things successful people do and don’t do. There are many good points in all of them, and they at least give us things to strive for. This graphic in particular caught and held my attention:

What Successful People Do and What Unsuccessful People Do

For the most part, I agree with this one.

Before I started to bring my demons to heel, many of my traits fell into the yellow. I hoped for certain people to fail. I held too many grudges to count. I criticized everyone and everything, and I was terrified of change. Over the years, I’ve learned to do a lot of what’s in the green column. And I’m much happier and more successful for it.

But the advice in the image isn’t as simple as the creators would have us believe.

Back when my demons were in control, I read every day, kept detailed to-do lists and accepted responsibility for my failures. Some colleagues used to tell me I beat myself up too much when things didn’t go well. Those traits are in the “successful” column.

In recent years I’ve enjoyed a lot of success. But I still do some of the things in this graphic’s “unsuccessful” column. I hoard information and data. I fly by the seat of my pants much more than I used to — and I enjoy it. I find it hard not to pat myself on the back for jobs well done.

The lesson? The path to success or failure is much more complicated than an image can show us. And no matter how successful we are, there will always be room for improvement.