You See a SecBurnout Cult; I See Common Sense

Some folks are pissed over my recent posts about efforts in the security community to fight job burnout and depression. I won’t change your minds, so I’ll just clarify a few things and move along.

People have made five observations:

  1. The data is far too thin to declare a problem specific to the security community.
  2. Without data, all we have is opinion.
  3. The greater InfoSec Burnout movement and I have made it sound like this is an infosec problem or a workplace-centric problem rather than what it truly is: a mental health problem that the individual already has and brings to whatever job they have.
  4. I’m trying to superimpose my issues onto the rest of the community.
  5. I’ve gotten too caught up in the noise coming from the SecBurnout people.

That last line makes it sound like I’ve joined a cult of misguided infosec egotists who can’t see past their upraised noses. What follows is my opinion on each of the points above. I speak as an individual, not as part of any organized movement — security or otherwise.

  1. Data isn’t everything. I write from personal experience. Part of that includes discussions I have with distressed peers. It doesn’t always take a study to see a problem.
  2. Well-formed opinions based on experience are useful.
  3. I’ve said it repeatedly: A mentally ill person can be sent over the edge by their work circumstances, but in the final analysis the problem starts with them. I used to be crazy and work stress was a trigger. But the problem was always my inability to deal with stress. I had to be the change. I had to get treatment and find the coping tools. I had to create a new me. So it is with everyone.
  4. The notion that I’m superimposing my issues on the larger community is laughable. I didn’t start out on a mission specific to this community. It’s still not a security-only thing. But there are people who came to this community with mental illnesses who could use a helping hand. If I can share what I’ve learned in my own recovery with industry peers, I will. Maybe it’ll help them cope better with the stresses of the industry. Or maybe it’ll just help them cope better with life in general. Either way, it’s a win.
  5. I don’t believe I’m caught up in “noise.” I know where I’ve been and who I’ve talked to. When asked, I’ll always share what I’ve learned and who I learned it from. I’ll also be the first to admit I’m imperfect and still a work in progress.

This has never been about suggesting there’s a problem special to infosec. I don’t see a pandemic within the community. I see friends and colleagues grappling with territory I’m familiar with.

It’s as simple as that.


Three Things Jeff Bauman Teaches Us About Being Boston Strong

Jeff Bauman has gotten so much attention since the Boston Marathon bombings a year ago that I had resolved not to write about him here. I’m as inspired by his story as everyone else; I simply thought there was nothing I could say about the guy that hadn’t already been said.

Then I started reading his new book “Stronger.”


I’ve only read previews and excerpts thus far, but already I’m seeing something special.

About now you’re thinking I’m daft for only just now seeing something special. After all, the man’s durability of body and spirit has been evident since the day that bomb blew his knees off. We’ve seen picture after picture of him smiling in the hospital, throwing the first pitch at the start of a Red Sox game and appearing at the start of a Bruins playoff game.

But what I’ve read reveals raw feelings beneath the smile. In particular, he shows his discomfort as sports teams and politicians ask him to make appearances. He writes:

Did the Boston Bruins really want to do something nice for Jeff Bauman the human being? Or did they want him to be a prop? Something they could use to make a crowd of people cheer? Look at Jeff, isn’t he adorable? Look at Jeff, isn’t he brave? Look at Jeff, he’s a symbol. He’s a marketing tool.

Bauman also shares his relationship struggles before and after the bombings. He reveals the mood swings and commitment issues he thrust upon girlfriend Erin Hurley. Happily, the couple recently announced their engagement and that they are expecting a baby.

For me, there are three valuable lessons as I continue to read his story:

  • Don’t believe all the hype that surrounds you. Bauman knows he’s not the special snowflake the media and sports franchises portray him as. He’s essentially a regular guy who was in the wrong place at the wrong time and is doing the best he can with the fate he’s been handed. My experience as a writer is that people regularly put me on a pedestal for sharing my demons. I know I’m not special. Though, trust me, when people tell you you’re awesome often enough it’s easy to start believing it.
  • Smile, even when you don’t feel like it. We’ve seen all those pictures of Bauman smiling as he tries out his new prosthetic limbs. His writing reveals that on many days he didn’t feel like smiling. But he did anyway, and whether intended or not, that gives others the shot of inspiration needed to forge ahead in the face of adversity.
  • Make the best of bad situations. We all go through bad times. When we do, it’s hard to recognize the blessings hidden in them. Bauman knows his experience has made him stronger and that there are plenty of ways he can turn tragedy into something good. Reluctant as he may be some days, he has certainly made the best out of his situation.

Thanks for the inspiration, Jeff. And congratulations on the new book. I look forward to reading it in its entirety.


Curse You, 403: Forbidden Error!

UPDATE: We believe we have fixed the setting issues behind the problem. But if you encounter an error message, please let us know. Thanks!

For months, my OCD has been triggered by a vexing, mysterious problem: Some of my readers keep getting “403: Forbidden” errors when trying to read posts. I’ve looked high and low for the cause and solution, to no avail.

Mood music:

http://youtu.be/QD0D7IuriWQ

What probably infuriates me most is that I can access the posts just fine. If it failed for me, too, at least there’d be a little less mystery.

Instead, I’m left to wonder why the blog opens for some people and not others. I have noticed that the folks who get 403 messages are trying to open posts from an iPhone or iPad and usually get through from their desktop computers.

Also read “Depressed Web Servers and Other Amusing 404 Pages”

But there are some who get locked out from any mobile device, and some who can get through on those Apple devices.

Typically, my OCD is triggered by things I can’t control. In this case, however, it’s something that probably can be controlled. It’s pinpointing the issue that’s the problem.

In response, I’ve done what any typical OCD head would do: wasted hours and days exploring every line of code and every URL for clues.

I’ll continue to investigate the problem. If anyone wants to do some investigating of their own, I’ll gladly accept the help.

If there’s any silver lining, it’s that the error messages are killing me much more than they are killing you.


There Are Other Things Besides Hacking

During that SOURCE Boston session on security burnout last week, someone in the audience made an important observation: One of the reasons depression runs deep in the security industry is because hackers spend most of their time staring at a screen.


When a researcher is trying to break into system weaknesses, there’s an obsession to it. You can’t pull away. You have to keep traveling deeper and deeper down the rabbit hole in the hunt for your prize. When that’s all you do, there’s no room for the things that make for a more balanced life: hobbies, time with friends and family, simple walks in the sun.

That leads to depression, cynicism and worse.

The audience member who pointed that out said his life changed dramatically when he started letting the other activities in. I had the same experience, though not as a hacker. Which goes to show that like many of the mental health challenges we’ve been talking about in the security community, the malady strikes people from every walk of life.

Before security, I was a journalist by profession. I spent many late nights chasing fire trucks, cop cars and ambulances. I sat through way too many city council and selectmen meetings to count, and after all the chasing I had to go write about it.

If I was chasing a story, nothing was going to divert my attention. Meals weren’t getting in the way. Sleep didn’t stand a chance unless I was sick from nervous exhaustion. And aside from lying on the couch gorging on TV, I had no real hobbies.

It took years of therapy, a prescription for Prozac and a lot of soul searching before I realized how critical it is to have balance.

I learned to take my family time more seriously and even rearrange my work schedule around it. I picked the guitar back up 20 years after I put it down to dive into work obsessions. I rediscovered the importance of taking walks, especially with Erin. And I learned to build a day into business trips where I could walk around and drink up the culture of where I was.

Life’s a whole lot better now. I still get depressed, but I come out of it more quickly.

For those in the hacking community who are clinging to sanity by a thread, it’s an important lesson.


SecBurnout: Much Ado About Nothing?

At the SOURCE Boston security conference yesterday, I ran a session with former colleague and friend Josh Corman on the topic of security burnout. It’s an issue I’m increasingly dedicated to, given my own history with mental illness and high-profile deaths in the community.

When I think of the suicide of Aaron Swartz and the accidental overdose of Barnaby Jack, something in me screams out to act. I’m also inspired by the efforts of people like Amber Baldet and Akamai colleague Christian Ternus and want to help.

But some think this effort is a curious sideshow.


After reading about the session, one infosec practitioner took to Twitter and asked, “How many of us have lost it and started shooting up a place?”

It’s true there hasn’t been an explosion of people in the industry losing it and gunning down a bunch of co-workers. Therefore, he feels, the problem isn’t worth the efforts some of us have embarked upon. He added, “Something is wrong, alright. But let’s not make a big deal here.”

My skeptical friend isn’t the only one to make these points. Others have pointed out that the SecBurnout effort is a waste of time because antisocial, caustic behavior is a staple of the profession. Nobody will change those people, nor should anyone try to.

Those who can’t handle it simply need to grow a set of balls or go do some other kind of work.

I agree with that — to a point.

As Corman noted yesterday, this effort isn’t going to “cure cancer.” We can’t tell people how to think, and we don’t want to. We’re advocating more kindness and civility in the profession, but we know the more negative elements will always be there.

Also true is that you can’t cure things like depression, bipolar disorder and OCD. We can learn to manage these things better, however, and keep them from controlling us.

But all that is beside the point of SecBurnout and similar efforts.

We don’t expect to change the world. We do believe it’s worth trying to suggest a better approach. If we can inspire just a few security shops to adopt a more humane environment that inspires people instead of crushing them — and if that leads to fewer cases of depression and suicide — it will be worth it.

Maybe this isn’t a big deal to you. If that’s the case, congratulations for staying above it all. But if you or your friends and colleagues are casualties of burnout, it’s a big deal.

I do see progress. When I was stuck in the deepest depths earlier in my career, you simply didn’t talk about this stuff. It was a sign of weakness and could get you fired.

That’s not as true today. I and many others are talking openly about our demons, and it’s making a difference. As a community we’ve recognized there’s a problem. Amber Baldet took it a step further by sharing suicide intervention techniques.

The next step is to attack the conditions that fuel depression in the first place, to tear at the roots of the problem so fewer people reach the point where they need an intervention.

And so we press on.


A Hacker Walks Into a Vape Shop…

A while back, I wrote about my use of electronic cigarettes as a way to avoid tobacco products.

Since then, the phenomenon known as “vaping” has taken off. It’s especially popular in the security industry I work in. There’s some symbolism in that, as I’ll explain shortly. But first, a self-assessment.

Mood music:

http://youtu.be/53iekfJg4IY

E-cigs have gotten me over smoking. True, vaping looks like smoking, and even feels like it to an extent. But I’m using nicotine-free water vapor and have absolutely no interest in returning to the old-fashioned cigarettes. I now detest the smell of real cigarette smoke and how it hangs in the air like a bad dream. I don’t miss getting ashes all over my clothes, either.

I like how the vapor vanishes almost immediately after the exhale and how it makes no mess. My breathing is also ten times better since nixing the cigarettes. (OK, that last one isn’t a scientific measure, but you get the idea.)

I admit that I’m also using vapor to satisfy the need to have something in my hand and in my mouth. I’ve done far worse, though. I can live with this.

There is something else I enjoy about vaping: the creativity it brings out in my security peers.

Which brings me to the symbolism I mentioned earlier.

Hackers are thought of as people who break things, and that’s partly true. The good guys break things to uncover weaknesses in technology that can then be fixed. That work is potentially lifesaving, if you look at the late Barnaby Jack’s focus on finding and fixing security holes in medical devices.

But the thing that gets lost is that hackers are also master builders. In the process of breaking things, they help build stronger technology. And, in the case of some friends, they love to build devices that dispense vapor. Hell, there’s even a Facebook group dedicated to the craft.

There, folks show off the different liquid flavors they’re trying the same way foodies take pictures of all their meals. They also show off the myriad vaping devices they’ve concocted, many of which look like lightsabers. The pieces that are assembled into a pipe are like the paints an artist puts on canvas.

Some of us get carried away. Take my friend Boris, who started collecting and concocting devices some time ago and can’t stop. Look at the guy’s bathroom:

Boris's collection of vapor pipes and liquids

While some like to build their own, there are also folks who just like to collect different pipes the way kids collect baseball cards. Martin Bos has an impressive collection:

Martin Bos's vapor pipes

While the creativity that Boris and Martin demonstrate tickles me, I’ve mostly used the e-cigs you can find in most gas stations. I only recently upgraded to an eGo pipe, which so far has great battery life.

I don’t plan to maintain a vaping habit forever. But compared to some of my past habits, which caused plenty of physical and mental destruction, this is good clean fun.

For now.

Success vs. Failure: Not as Simple as This Image Suggests

LinkedIn and other social media sites are publishing a lot of articles and graphics lately about things successful people do and don’t do. There are many good points in all of them, and they at least give us things to strive for. This graphic in particular caught and held my attention:

What Successful People Do and What Unsuccessful People Do

For the most part, I agree with this one.

Before I started to bring my demons to heel, many of my traits fell into the yellow. I hoped for certain people to fail. I held too many grudges to count. I criticized everyone and everything, and I was terrified of change. Over the years, I’ve learned to do a lot of what’s in the green column. And I’m much happier and more successful for it.

But the advice in the image isn’t as simple as the creators would have us believe.

Back when my demons were in control, I read every day, kept detailed to-do lists and accepted responsibility for my failures. Some colleagues used to tell me I beat myself up too much when things didn’t go well. Those traits are in the “successful” column.

In recent years I’ve enjoyed a lot of success. But I still do some of the things in this graphic’s “unsuccessful” column. I hoard information and data. I fly by the seat of my pants much more than I used to — and I enjoy it. I find it hard not to pat myself on the back for jobs well done.

The lesson? The path to success or failure is much more complicated than an image can show us. And no matter how successful we are, there will always be room for improvement.

Eleanor Roosevelt Was a Badass

I’ve always admired Eleanor Roosevelt. She defied the society of her day and forged a new path for women. She was a tireless fighter for the disadvantaged. During WWII, she traveled to the front to visit the troops, despite the danger. She was an early fighter for civil rights. One of her most famous quotes was to do something every day that scares you.

The older she got, the more badass she became.

Mood music:

http://youtu.be/ede2_tuZJp8

In the 1950s, when she was in her late 60s and early 70s, she insisted on driving around the country to promote her various causes. The Secret Service freaked. A former First Lady was a tempting target, especially given her support of civil rights. That made driving around the South particularly perilous.

As a compromise, she agreed to pack a pistol.

I remember learning about that during a visit to the Franklin D. Roosevelt Presidential Library and Museum in Hyde Park, N.Y. But I had forgotten about it until Slate published a picture of her firearms license.

She didn’t let danger stop her, and she certainly didn’t let her age or sex stop her.

Have a look, and be inspired.

Eleanor Roosevelt's pistol license

The Misguided Coping Tool of My Teenage Rage

The first car I ever owned as a kid was a beat-to-shit 1983 Ford LTD wagon. It had a catalytic converter that always flooded and stalled the car. The power steering was gone. And it was the misguided coping tool of my teenage rage.

Mood music:

http://youtu.be/biXnwOMznkg

The LTD’s exterior was a toxic green, covered over in patches with stickers promoting whatever anarchist political causes I espoused at the time. In one inspired move, I took a “No Sludge” bumper sticker that had been proliferated by groups opposed to a sludge burning plant at the Rowe Quarry, cut off the no part and stuck sludge to the rear hatch. (The no-sludge people ultimately won. A massive condo complex sits where Rowe used to be on the Revere-Saugus border in Massachusetts.)

Some days I loved that car. Some days I hated it.

I hated the constant stalling and the smell of gas and oil that always seemed to make its way into the passenger compartment. The steering wheel was thin, which wasn’t masculine enough for my liking. Loose metal around the rear passenger-side wheel well constantly sliced the tires, though that at least gave me plenty of tire-changing practice.

But I loved its battered exterior and the sound system. The speakers were actually blown out, but I liked how it made the bass rattle the car whenever I put an Ozzy cassette in. I loved how I could pack a bunch of friends in the back for trips to the Worcester Centrum, the main place to see the big rock acts before we had the TD Garden and Verizon Center.

I was always told the back was perfect for sex, though I never attempted it. At least two friends did. If I wasn’t in the car at the time, I didn’t care, as long as they cleaned up after themselves.

Despite the engine’s shortcomings, I broke a lot of speed limits with that car. I had a vicious temper and often drove too fast to feel better. I used to blast up and down the causeway between Lynn and Nahant. You had to slow down before reaching Nahant, though, because the police loved to bust kids like me. They often did.

I would drive within an inch of the car in front of me and bang the horn. I would flip off anyone who slowed me down. And I punched the ceiling over the driver’s seat so much the fabric started to sag.

Looking back, I could have killed someone. There were many opportunities to do so. I could have killed myself and my friends in those moments of road rage. By the grace of God, that never happened.

The coping tools I have today — music, my guitars, walks with my wife, the elliptical machine in the garage, my faith, my mindfulness exercises — are far more effective. Nobody gets hurt. Everyone wins, because I’m easier to deal with.

Still, there are occasions, however infrequent, when I miss that wreck on four wheels.


Knowing You’re a Punk is the First Step in the Cure

I was an absolute punk this morning. I was incensed over tech problems, dropping F-bombs and punching the desk with my fist.


It’s a typical problem for someone with clinical OCD. You want to control everything, though you know it’s impossible.

In mid-rage, I learned a friend had just lost a sibling.

Rage turned to guilt.

I’m no special case. We all lose our patience from time to time and act like spoiled brats. More often than not, it’s over little things, like missing a favorite TV show or getting stuck in traffic. It’s much easier to blow up than to be stoic when things don’t go our way.

The news I received this morning in the middle of my tantrum just goes to show that someone else always has it worse. I know what it’s like to lose a sibling, and I truly feel for my friend and pray for his family. I needed a hard slap of perspective this morning, but I wish the lesson came from someplace else.

Appreciate what you have. Hug those around you, and don’t sweat the little things. If you fail at any of these, just try again.

I’ll work at following my own advice.
