Stripping the Drama from DEF CON

People in my industry love the word drama. The word is tossed out like Tootsie Rolls at a holiday parade. In my opinion, the word is used a bit too much, especially in the month or two before the DEF CON hacker conference in Las Vegas.

Each year, someone suggests there’s sexism at the conference, and someone responds by yelling “Drama!” Each year, someone complains about an overabundance of drunken debauchery and someone else cries “Drama!” This year, I saw the word floating around because some spouses have a group called H(a)ck3rWives, designed to help “spouses, kids, parents, supporters in general everywhere decode their hackers and come together.” In this case, the drama appears to be that some spouses feel a support network is needed in the first place.

Personally, I don’t see these things as drama.

If some people want to network and their common bond is that their loved ones are away at hacker conferences all the time, good for them. If it helps, more power to them. If someone sees sexism or drunken disturbances and wants them dealt with, have at it.

Most people can handle their booze at these events, and most treat the opposite sex with the appropriate respect. But there are usually one or three who cause trouble. In those cases, it’s reasonable if people complain and demand action.

Good people can and certainly will disagree with me on those points. That’s not drama, either. It’s part of a healthy discussion.

To be fair, ours is a community with many colorful personalities. When strong personalities debate and disagree, it’s easy to see the situation as dramatic, even if the issues they discuss aren’t dramatic in the true sense of the word.

I’m looking forward to DEF CON next month. I’ll network, spread the good word for my company, blog and podcast about the talks and hopefully walk away smarter than when I arrived.

Those aren’t dramatic things, but they’ll do just fine.

When We Err, We Learn. When They Err, They’re Idiots

A good friend from the security industry, Eric Cowperthwaite, recently caused some debate with a blog post about security breach victims getting demonized for failing to prevent break-ins. Other industry friends disagreed.

The truth, as usual, is somewhere in between.

Let’s start with Cowperthwaite’s key point:

In the information security community there is a tendency to blame the victim first, rather than the criminal. And as soon as that starts to work, much of the community begins to pile on like sharks smelling blood in the water.

I’m not even going to name all the times this has happened and give examples. We all know about the retail company, the coffee company, the software company … the list goes on and on … that didn’t have perfect security, got victimized by a criminal, and we tore into them for “the thing they didn’t do.” This is so wrong, I don’t know where to start.

Boris Sverdlik and George V. Hulme see things differently. Says Sverdlik:

Most orgs aren’t in the business of security, they are in the business to make money. If you believe most companies do their darnedest to protect their customers then you are living in some other world I wish I could be a part of. The truth is most companies don’t give a shit about security until they get popped and when they do they will do the bare minimum to keep appearances up because nobody holds them liable. My job as a security professional is to reduce the risk to an organization and if I can’t 100 percent say that I’ve done my best I deserve to be blamed.

Hulme adds:

I don’t think an organization like Target that had a puke IT culture and didn’t bother to have a CISO or a point person on consumer privacy gets a pass on anything. And that company DEMANDED to scan Driver’s Licenses to buy things like Nicorette gum. As I was a customer at Target for years, that’s the only justification I need for that opinion.

The discussion went back and forth several more times on Facebook, but I think those capture the prime points.

Once again, what’s true in the security industry is true in the rest of the world. Is the way we treat people who fail right?

We have a tendency to blame the victims. It’s not a good practice in the first place, but what’s worse is that it’s hypocritical. We all make mistakes and get things wrong. When it happens to us, it’s a learning experience. When it happens to someone else, they’re idiots.

That said, Sverdlik and Hulme are right to point out that companies tend to not give a shit about security until they get hosed. To that end, ridicule is justified.

But I’ll tell you what matters to me: how honest the victim is.

When a retailer is the victim, its customers are victims too. When the retailer tries to gloss over its culpability, the pile-on is deserved. Not because it suffered a breach in the first place, but because it wasn’t honest about what it learned and what it was doing about it.

We need more compassion, but we need accountability and consequences, too.

There Are Other Things Besides Hacking

During that SOURCE Boston session on security burnout last week, someone in the audience made an important observation: One of the reasons depression runs deep in the security industry is because hackers spend most of their time staring at a screen.

When a researcher is trying to break into system weaknesses, there’s an obsession to it. You can’t pull away. You have to keep traveling deeper and deeper down the rabbit hole in the hunt for your prize. When that’s all you do, there’s no room for the things that make for a more balanced life: hobbies, time with friends and family, simple walks in the sun.

That leads to depression, cynicism and worse.

The audience member who pointed that out said his life changed dramatically when he started letting the other activities in. I had the same experience, though not as a hacker. That goes to show that, like many of the mental health challenges we’ve been talking about in the security community, this malady strikes people from every walk of life.

Before security, I was a journalist by profession. I spent many late nights chasing fire trucks, cop cars and ambulances. I sat through way too many city council and selectmen meetings to count, and after all the chasing I had to go write about it.

If I was chasing a story, nothing was going to divert my attention. Meals weren’t getting in the way. Sleep didn’t stand a chance unless I was sick from nervous exhaustion. And aside from lying on the couch gorging on TV, I had no real hobbies.

It took years of therapy, a prescription for Prozac and a lot of soul searching before I realized how critical it is to have balance.

I learned to take my family time more seriously and even rearrange my work schedule around it. I picked the guitar back up 20 years after I put it down to dive into work obsessions. I rediscovered the importance of taking walks, especially with Erin. And I learned to build a day into business trips where I could walk around and drink up the culture of where I was.

Life’s a whole lot better now. I still get depressed, but I come out of it more quickly.

For those in the hacking community who are clinging to sanity by a thread, it’s an important lesson.

Tapping into Infosec’s Human Side

In my day job, I host the Akamai Security Podcast, an audio program about all things information security. On occasion, the topics of my profession bleed into the focus of this blog.

In the following podcast, I chat with colleague Christian Ternus, a member of Akamai Infosec’s Adversarial Resilience Team. He’s been the driving force behind Humanity in Security, an effort to address burnout, depression and stress in the security community.

One of his main messages is that people in the industry need to be kinder. He touched on this some months back in a post from his “Adversarial Thinking” blog. He wrote about what he sees as infosec’s jerk problem, where cynicism and negativity run so deep that it poisons the atmosphere in many a security shop, dampening spirits and causing burnout and depression across a team.

He stressed that if you practice kindness, good things will follow.

We talk about that in much more detail. Listen to the full podcast.