The Humanity of ShmooCon

I’m missing the ShmooCon hacker conference for the second year in a row because of family activities. But it remains a favorite of mine for several reasons. One is how its not afraid to explore how the human condition affects the security profession.

Mood music:

For starters, ShmooCon has given Johnny Long a platform.

Long, one of the world’s foremost hackers, has given presentations on why he started Hackers for Charity, a nonprofit organization using the skills of technologists to solve technology challenges for various non-profits and provide food, equipment, job training and computer education to the world’s poorest citizens.

Besides the obvious good that comes of this, the organization has done much to humanize hackers and help the world see them as more than introverts in basements using technology to break into networks for nefarious purposes. More than ever, hackers are seen as agents of positive change. Long deserves our thanks for that, and ShmooCon deserves thanks for giving him valuable exposure.

I also appreciate how ShmooCon has showcased the gifts of those who are different.

A powerful example of that was a talk renowned security engineer Marsh Ray gave at ShmooCon 2011, where he used the fragile mental condition as the basis of a talk called “A paranoid schizophrenia-based model of data security.”  In that talk, he described working in a psychiatric hospital more than 20 years ago and getting to know Keith, a fellow who usually sat on the park bench strumming his guitar for spare change.

“Sometimes I would take a break from reading microprocessor manuals and listen,” Ray said at the time. “Keith had paranoid schizophrenia. He could explain how the world worked: ‘There is a great international conspiracy…’ he would say. Electromagnetic fields, government satellites, resonant dinner plates, you name it: He had it all figured out.”

Ray noted how Keith couldn’t trust the conflicting information coming from different parts of the brain. He knew he was vulnerable and spent much time and energy thinking about it.

“Does this not also describe our current relationship with data security?” Ray asked. “Our architectures have become so complex that they are inherently susceptible to internal schism, leaving us vulnerable to sudden manipulation by shadowy external forces.”

Ray noted that many of the things Keith predicted have come to pass. For example, including radio transmissions being monitored by satellite and underground markets emerging for the purpose of trading information.

There are many more examples from previous years. But those are the ones that really stand out for me.

Sorry to miss it this year, but I wish those who are there a fabulous, enlightening weekend.

 

ShmooCon logo

With Burnout Comes Wisdom (If You Survive)

I’ve devoted several posts to combatting career burnout, particularly in the information security industry. But something recently occurred to me: Burnout can be a good thing, but only if you survive.

Mood music:

The thought came to me after talking to a fellow industry veteran and work colleague. We’ve seen friends younger than us either setting themselves up for the fall or crashing to Earth after burning to a crisp.

My friend knows burnout. So do I. We’ve survived it and are better for it. You don’t often hear about how survivors of burnout become better and stronger. There’s wisdom to be had.

Personal lessons:

  • Accepting more responsibility without more pay seems OK when you’re young, but it’s not. When I was in my 20s and eager to advance my young journalism career, I didn’t think about money. I just wanted to get the job. I assumed that with good work, better pay would follow. All I did was show the bosses that they could keep throwing more weight on me and I’d take it. I nearly destroyed my health in the process.
  • Being a people pleaser is dumb. My current employers treat me well, but I’ve been in jobs where I put everything else in life aside to do more work. I wanted to be the golden boy so badly that I let precious relationships suffer along with my health. As I got older I realized the top brass didn’t put in nearly as much time as I did. I ultimately discovered two things: The best corporate leaders learn to prioritize tasks and keep their eyes on the big stuff. The worst simply ride the backs of minions who won’t say no.
  • Working 90 hours a week and loving it? I didn’t think so. Those who know the history of Apple have heard about the “90 Hours a Week and Loving It” shirts that made the rounds back in the ’80s. It was based on Steve Jobs boasting about his people working those kinds of hours. When you’re in your 20s it’s easy to fall into the trap. I certainly did. But all those extra hours left me with a whole lot of loneliness and depression.
  • Living on your knees will cripple you. As a young man, I was terrified of the punishment bosses would deliver if I ever disagreed with them. Part of the mindset was well intentioned. I knew enough complainers to know that I didn’t like them. The part I missed was that you CAN disagree. The key is to suggest alternative ideas and steer clear of empty whining that only focuses on why something is bad. Even if you don’t always hit the mark, it’s better than letting disagreements in procedure eat you alive.

Set boundaries. Put family and health first. Stand up for yourself. Spend  your time on that and you just might survive the burnout periods.

90 Hours a Week and Loving It

You Call It Selfish, I Call It Survival

A friend once lamented that she tries to make everyone around her happy. She’s a self-described people pleaser, and it’s led to a world of hurt. She wanted to know how I got past it and was able to out myself. Here’s my attempt to answer the question.

Mood music:

I used to be a people pleaser. I probably still am to some extent. But nothing like how I used to be.

I wanted desperately to make every boss happy, and I did succeed for a while. But in doing so I damaged myself to the core and came within inches of an emotional breakdown.

It caused me to work 80 hours a week, waking up each morning scared to death that I would fall short or fail altogether.

No employee gets back 100 percent of what they put in to the corporate machine. Sure, you can make your direct bosses happy, but the folks many layers above them in the food chain still won’t know who you are or care that you work 80 hours a week.

I wanted to make every family member happy. It didn’t work, because you can never keep everyone happy when strong personalities clash. To this day, my relationship with some family members is on ice. Part of the problem is that I failed to keep them happy and take care of others I needed to be paying attention to. I reached a breaking point that has caused pain on all sides. I’m not happy about it, but it is what it is.

When did I reach the moment of truth? I don’t think there was one defining event. It was just a gradual realization that if I kept trying to please everyone, I wouldn’t be alive much longer. I would have had a complete breakdown and plunged into my addictions until they killed me with a heart attack or a blood clot to the brain.

It was a simple matter of survival.

If I’m trying to please every boss, friend or family member, I can’t be present for my wife and children. And I certainly can’t be present for God.

Of course, that realization doesn’t make it any easier to stop trying to please everyone. Even today, I’d much rather keep my bosses happy than piss them off. As for family, I’d still prefer we all get along.

Several things have made it easier not to try to please everyone:

  • Years of therapy have helped, because you’re forced to peel back every layer of every relationship by a trained professional who has no stake or relationship with the people in your life.
  • Prozac must have helped, because sometime in early 2007, when I first started taking the medicine, I stopped worrying about what my bosses would think of every move I made.
  • My former office mom, Anne Saita certainly taught me that it’s better to stand up to people then to live life on your knees.

I’ve found that the longer you go without being a people pleaser, the easier it gets. And then something else happens: Most of the people around you start liking you better when your nose isn’t cemented to their asses.

man's hands bound in chains

There Are Other Things Besides Hacking

During that SOURCE Boston session on security burnout last week, someone in the audience made an important observation: One of the reasons depression runs deep in the security industry is because hackers spend most of their time staring at a screen.

Mood music:

When a researcher is trying to break into system weaknesses, there’s an obsession to it. You can’t pull away. You have to keep traveling deeper and deeper down the rabbit hole in the hunt for your prize. When that’s all you do, there’s no room for the things that make for a more balanced life: hobbies, time with friends and family, simple walks in the sun.

That leads to depression, cynicism and worse.

The audience member who pointed that out said his life changed dramatically when he started letting the other activities in. I had the same experience, though not as a hacker. Which goes to show that like many of the mental health challenges we’ve been talking about in the security community, the malady strikes people from every walk of life.

Before security, I was a journalist by profession. I spent many late nights chasing fire trucks, cop cars and ambulances. I sat through way too many city council and selectmen meetings to count, and after all the chasing I had to go write about it.

If I was chasing a story, nothing was going to divert my attention. Meals weren’t getting in the way. Sleep didn’t stand a chance unless I was sick from nervous exhaustion. And aside from lying on the couch gorging on TV, I had no real hobbies.

It took years of therapy, a prescription for Prozac and a lot of soul searching before I realized how critical it is to have balance.

I learned to take my family time more seriously and even rearrange my work schedule around it. I picked the guitar back up 20 years after I put it down to dive into work obsessions. I rediscovered the importance of taking walks, especially with Erin. And I learned to build a day into business trips where I could walk around and drink up the culture of where I was.

Life’s a whole lot better now. I still get depressed, but I come out of it more quickly.

For those in the hacking community who are clinging to sanity by a thread, it’s an important lesson.

Red Eye

Wherein I Run Afoul Of The U.S. Secret Service

My resolve against the inner demons is tested regularly.

Some are little tests, like being put in a room with all the food and alcohol I once binged on daily to see if I can resist the temptation.

Some are bigger tests, like getting lost en route to Washington D.C a few years ago with my wife and kids in the car. Getting lost in a car used to be the stuff my anxiety attacks were made of.

Then there are the huge tests, like the time I got an unexpected grilling from two U.S. Secret Service officers — incidentally, the day after getting lost on the interstate somewhere in New Jersey.

Mood music: 

[spotify:track:3ckQ5LMB0ORA45X0ozu9eR]

I wrote a full account of the encounter for CSOonline.com in “What it’s like to be grilled by the Secret Service,” so I won’t repeat it all here. That column captures it from a security perspective.

Here I’ll focus on the emotional part.

First, the gist of what happened: I was taking photos from my BlackBerry of Marine One (with President Obama aboard) taking off from the White House South Lawn. I guess I lingered there for too long, because the Secret Service thought I was taking surveillance photos. Two Android smartphones later, I’m amused they found BlackBerry-quality photos threatening.

One of them was pretty tough and didn’t believe my honest protests that I was just taking pictures and walking around there because I’m a White House history buff. One officer played bad cop, grilling me as if I were just caught red-handed robbing a bank. The other guy played the reassuring role. “We’re just going to get one of these for our records,” he cooed as he snapped a picture of my unshaven face.

Apparently nobody ever showed them the picture of the Brenners visiting the West Wing three months earlier. They did note that I was texting a lot as I walked, and they wanted to know who I was texting. When I told them it was Howard Schmidt, President Obama’s then-cybersecurity advisor, it knocked them off stride. I told them I was making dinner plans with Howard, that I was buying him dinner to thank him for giving me, the wife and kids the West Wing tour.

“Why didn’t you tell us that in the first place?” the meaner of the two cops asked.

As I told Howard what happened over burgers that evening, he had a good laugh.

I didn’t fault the Secret Service cops at the time. It’s not their job to know these things. It’s their job to nail terrorist activity when they see it. Could he have been a bit nicer to me, given that I was doing nothing wrong and all? Sure. But I try not to hold grudges.

It does say something about how much of a police state we’ve become in the decade-plus since 9-11, though. I also admit that if I could do it again, I’d be more belligerent. Government’s excessive reach into our lives has been laid bare since then. If I knew then what I know now, I would have been far more outraged.

Truth be told, the experience did freak me out. My back went into spasms and my hands shook for hours after. As they were in my face accusing me of running a terrorist surveillance mission, I was thinking to myself, “If these assholes haul me in, it’s really going to screw up the work I had planned for this afternoon.” I’m a typical OCD case, worrying that getting arrested will screw up the work day.

But it’s all good.

I didn’t go back to my hotel room and order $80 worth of food and a bottle of wine to comfort myself. A few years ago, a friendly encounter with Secret Service would have made me do that.

My mind wasn’t paralyzed, either. I got a lot of work done back at the hotel, even with the headache.

And hell, I got a pretty good column out of the experience.

Secret-Service-agents-death-investigated

Work-Life Balance in the 21st Century

A friend noted the other day that he actually gets annoyed about holidays and mandatory paid time off because he simply loves his work and would rather keep at it each day. He’s not an all-work-no-play kind of guy, either. He’s a dedicated weight lifter, traveler, music lover and bee keeper, all things that require time away from the computer.

I see some of myself in his outlook on life. I too love what I do, and I don’t mind a bit when I find myself thinking about work stuff on weekends and days off.

Mood music:

True, we’re lucky because we have great jobs that come with a lot of freedom. If we worked in retail or drove trucks, we might feel quite differently. But to me, what we’re experiencing reflects a change in the way technology has allowed us to live our lives.

For my part, I treasure and protect my personal time. I rearrange work schedules to accommodate family, whether it’s to drive the kids back and forth to appointments and scouting activities or simply to keep an eye on the kids so my wife can hole up in her office and meet deadlines. On weekends I rarely do work activities these days, though my brain will often spin some ideas around that I need to jot down so I won’t forget come Monday.

I manage to get my work done despite a busy personal life that includes guitar lessons, church activities and chores. I’ve actually found that on my work-at-home days, I can participate in call-in work meetings while folding laundry and emptying trash, activities that require little thought and allow me to focus my mind on the work being discussed.

In the bigger picture, I think my generation is pretty fortunate. Our parents had to be out of the house to do their jobs and often would have to be gone early in the morning and not be back until late in the evening. Some jobs are still like that, but if you work with technology and your company’s brands all reside on the Internet, you can work pretty much anywhere where there’s an Internet connection. And you can find the Internet almost anywhere.

I have my office days and my work-at-home days, but I also get work done while sitting in waiting rooms when the kids have dental appointments or in the Jiffy Lube during an oil change.

Some say these things aren’t necessarily changes for the better. Indeed, it’s harder now to completely separate work from personal time because with smart phones, iPads and the like, work can always find you. For me, the trick, one I admittedly haven’t mastered yet, is to not pick up the phone every time it rings or answer emails the second they hit the inbox.

There’s plenty of room for a workaholic to get lost and get sucked away from home life. But my life is better for having these things. It’s up to us to put the technology in its proper place and balance the work with everything else.

Work-life balance

Farewell, CSO and IDG. Hello, Akamai!

Today is my last day as managing editor of CSO Magazine and CSOonline. Monday, my new job at Akamai begins. I’m excited about the new challenges that await me. But I’m going to miss the place where I spent the last five years of my professional life.

Mood music:

[spotify:track:1JFQyGHeNDAqUAubIAMiXI]

It’s been an excellent ride. I worked with some of the best talent and sweetest human beings on Earth. I got to burrow deeper into the information security community and made many new friends along the way. And I’m a better man for it.

Just a few of the folks I’ve loved working with:

Derek Slater: A gentle soul with a mighty laugh, Derek gave me a ton of creative freedom. My only regret about this relationship is that I never succeeded in getting him to drop some F-bombs. Trust me, I tried. The dirtiest thing this man will say in a moment of crisis is pickles. One night at a dinner we hosted for CSOs attending one of our events, he introduced himself this way: “Hi, I’m Derek. I ‘manage’ Bill Brenner.” The room erupted in laughter, and Andy Ellis — my new boss come Monday — raised his glass and congratulated Derek for managing a guy like me without losing his grip on sanity. I’d like to think Derek’s rational ways have rubbed off on me.

Joan Goodchild: Joan is a powerhouse whose videos, slideshows and articles have been key to CSOonline‘s rise  in monthly traffic. I worked with her at TechTarget and was thrilled when she joined CSO a few months after me. She’s been a good friend through some turbulent times, and I’m forever grateful for that.

John Gallant: John runs IDG Enterprise with good humor and grace, and he’s gone to the mat for CSO on countless occasions. We bonded over an interest in WWII history, our common geographical roots, cigars and movies. I’ll miss his always-entertaining editorial offsites.

Steve Traynor: Steverino designs all CSO‘s pages and helped us make CSOonline more visually compelling. He put up with a lot from me, and we had a ridiculous amount of fun concocting illustrations and layouts.

Bob Bragdon: Bob is CSO‘s publisher, a Marblehead Yankee and an all-around great guy. He took a lot of ribbing from me and gave it back in kind. One time, after I returned from a Washington, DC, trip that included a grilling from the Secret Service, I discovered that Bob had plastered my workspace with signs welcoming me to Gitmo. I got him back a million times over and had a hell of a lot of fun doing it.

Per Melker: CSO’s top sales guy for most of my time there, Per was my traveling partner in crime. He did the driving as we journeyed to Hoover Dam for a security tour and, more recently, a side trip to Amityville, NY, so I could take pictures of the famous house for a slideshow.

There are many more people who made my time at CSO richer, and I thank them all. CSO and its parent company, IDG, will always hold a special place in my heart.

Now it’s time to start a new adventure and kick some ass at Akamai.

CSO Cube

Leaving CSO, Heading to Akamai

After five excellent years as senior editor and managing editor of CSOonline.com and CSO Magazine, I’m moving on. Starting June 3, I’ll be a senior program manager at Akamai Technologies in Cambridge, Mass. I’m stoked about this new challenge.

Mood music:

[spotify:track:4xaEeuXlXyc3lzYoLYEsAV]

I’m announcing my new adventure here because it’s the best way to reach the most people, since this blog is read by friends, family and many in the information security community.

Let’s address some questions:

Why leave?

The news will surprise some folks because I’ve always done this job with child-like glee. It’s been the best job I’ve had up to this point, and I didn’t start 2013 with plans to go anywhere. But along the way this and other opportunities arose, and the process of talking to people made me realize I needed to take the next step in my career. I’ve gotten too comfortable, which puts me at risk of becoming complacent. Complacency is never acceptable to me.

Will you still be in the security industry? Will you still be writing for a living?

Yes and yes. In fact, this change takes me deeper into the security community. That’s one of the things I wanted: to become less of a journalist and more of an advocate for this industry because I find the work done here so vital to the peace and prosperity of the world.

In the new job, I’ll be blogging, podcasting and creating in-depth reports and multimedia packages about the state of global security through the Akamai prism. It’s huge prism: At last check, the company was handling tens of billions of daily Web interactions for 90 of the top 100 online U.S. retailers, 29 of the top 30 global media and entertainment companies, nine of the top 10 world banks, and all branches of the U.S. military.

I’ll still write about what’s going on in the larger world of infosec (information security, for the uninitiated), and my job will involve a lot of community outreach. But now I’ll have Akamai’s data to compare with what other companies are seeing.

Above all, I’ll be telling the story of Akamai’s security program, which is powerful but not as universally understood as it could be.

When do you start?

I can’t wait to get started, but I will wait June 3. My remaining time at CSO will be for finishing up my current project load and ensuring that the group is in good shape when I leave. I owe them that and more. They’ve been truly fabulous to me, and I’ve made many friends for life. CSO and IDG will always hold a special place in my heart.

Will you still write THE OCD Diaries?

Absolutely. I wouldn’t have taken this or any other job if it required me to stop writing this blog. CSO and IDG supported my personal blogging from the beginning and in all of the discussions about different career opportunities these last few months, no one has asked me to kill this to join them. In fact, the support and enthusiasm have continued.

It goes to show how much progress the business world has made in recognizing and accepting those whose brains tick a little differently from the mainstream.

It makes me more optimistic than ever about the future.

Akamai

How To Avoid Becoming #RSAC Roadkill

Last year was a first: I had a stay-at-home vacation a week before flying out to a big conference. We took the kids to the Museum of Fine Arts in Boston and did a lot of relaxing. It worked so well I’m doing it again.

Mood music:

The kids are on their February school vacation, which was my main reason for choosing this week. That it fell the week before RSA — one of the biggest security conferences of the year — was pure luck. That it’s happening two years in a row is even luckier.

I always run myself ragged the week before a conference. A couple years ago it caught up with me. This time I have a chance to soak up some quality family time and rest my brain before getting on the plane.

That should allow me to be at the top of my game in San Francisco next week. It certainly did the trick last year.

Conferences have always brought out the the good and bad sides of my OCD. On a professional level it gives me the extra push to write more, network more, stay awake later for said networking, and get up and at ’em early. It also takes over the parts of my brain that manage my pacing and ability to stop and breath.

Not helping is that usually, the week before, I work in overdrive mode to get as much business out of the way as possible. In doing that, I’m already half burned before my plane takes off.

I won’t always get to vacation right before RSA like this. So I’ll be making the most of this week.

I’m especially going to need it this year, because a couple hours after the plane lands Sunday, I’ll be darting back and forth between BSidesSF, the hotel, the Moscone Center registration area and quite a few evening events.