These Squabbles Make Us Small

Some of you asked why I don’t write as much as I used to. Partial answer: My real job and a lot of family business leave me with less time and motivation to do so.

But there’s something else, and it’s had a bigger impact.

The squabbling on social media has gotten so childish that it’s not worth commenting on anymore. This is especially true in infosec.

My job used to be writing about the security community and its research. Now I’m part of the security community, working and writing alongside researchers. Instead of hearing and writing about the challenges of incident management and compliance, I’m living it. No complaints there; it’s what I wanted.

It’s made me realize that it’s more important to keep learning and doing the work than to opine about every instance where my peers get their underwear in a twist. People once used social media to build up the security community. Now they’re using it to tear vast segments of it down. I see more bickering about tactics and positions than discussion about how we can do better. You’re either right or you suck.

For example:

  • Someone says they don’t like getting hugs at conferences. The people who do like hugs take offense.
  • Someone makes an off-color joke. The ensuing conversation revolves around people’s triggers being set off. Then people with those triggers get pissed on for having triggers in the first place.
  • Someone takes a position that’s unpopular. A cabal of naysayers question that person’s right to exist.

Now people are denouncing the whole idea of a security community. They’re suggesting the industry and community are two different things. The community, they say, is a collection of cliques — the so-called cool kids and posers — whereas the industry is where all the grownups are.

Like most things in life, it’s hardly that simple.

The problem isn’t that people pine for the idea of a community. It’s that too many people lack understanding of what a community is.

Communities are a mix of people with different beliefs. They’re places where people can come together for the greater good while still arguing about smaller things. Real communities are not offense- or trigger-free zones.

Infosec isn’t unique, either. These communities exist in many professions, and people behave in them much the way they behave in the infosec community.

I could write a post suggesting people stop being so ridiculous. I could suggest some of us stop getting so offended about everything. And before this year, I probably would have.

Right now, though, I have more important things to do.

It’s not that I’m personally offended by it all. I just don’t have time for it anymore. The challenges we face are big, and the squabbles make us small.

Stripping the Drama from DEF CON

People in my industry love the word drama. The word is tossed out like Tootsie Rolls at a holiday parade. In my opinion, the word is used a bit too much, especially in the month or two before the DEF CON hacker conference in Las Vegas.

Each year, someone suggests there’s sexism at the conference, and someone responds by yelling “Drama!” Each year, someone complains about an overabundance of drunken debauchery and someone else cries “Drama!” This year, I saw the word floating around because some spouses have a group called H(a)ck3rWives, designed to help “spouses, kids, parents, supporters in general everywhere decode their hackers and come together.” In this case, the drama appears to be that some spouses feel a support network is needed in the first place.

Personally, I don’t see these things as drama.

If some people want to network and their common bond is that their loved ones are away at hacker conferences all the time, good for them. If it helps, more power to them. If someone sees sexism or drunken disturbances and wants them dealt with, have at it.

Most people can handle their booze at these events, and most treat the opposite sex with the appropriate respect. But there are usually one or three who cause trouble. In those cases, it’s reasonable if people complain and demand action.

Good people can and certainly will disagree with me on those points. That’s not drama, either. It’s part of a healthy discussion.

To be fair, ours is a community with many colorful personalities. When strong personalities debate and disagree, it’s easy to see the situation as dramatic, even if the issues they discuss aren’t dramatic in the true sense of the word.

I’m looking forward to DEF CON next month. I’ll network, spread the good word for my company, blog and podcast about the talks and hopefully walk away smarter than when I arrived.

Those aren’t dramatic things, but they’ll do just fine.

When We Err, We Learn. When They Err, They’re Idiots

A good friend from the security industry, Eric Cowperthwaite, recently caused some debate with a blog post about security breach victims getting demonized for failing to prevent break-ins. Other industry friends disagreed.

The truth, as usual, is somewhere in between.

Let’s start with Cowperthwaite’s key point:

In the information security community there is a tendency to blame the victim first, rather than the criminal. And as soon as that starts to work, much of the community begins to pile on like sharks smelling blood in the water.

I’m not even going to name all the times this has happened and give examples. We all know about the retail company, the coffee company, the software company …. the list goes on and on …. that didn’t have perfect security, got victimized by a criminal, and we tore into them for “the thing they didn’t do.” This is so wrong, I don’t know where to start.

Boris Sverdlik and George V. Hulme see things differently. Says Sverdlik:

Most orgs aren’t in the business of security, they are in the business to make money. If you believe most companies do their darnedest to protect their customers then you are living in some other world I wish I could be a part of. The truth is most companies don’t give a shit about security until they get popped and when they do they will do the bare minimum to keep appearances up because nobody holds them liable. My job as a security professional is to reduce the risk to an organization and if I can’t 100 percent say that I’ve done my best I deserve to be blamed.

Hulme adds:

I don’t think an organization like Target that had a puke IT culture and didn’t bother to have a CISO or a point person on consumer privacy gets a pass on anything. And that company DEMANDED to scan Driver’s Licenses to buy things like Nicorette gum. As I was a customer at Target for years, that’s the only justification I need for that opinion.

The discussion went back and forth several more times on Facebook, but I think those capture the prime points.

Once again, what’s true in the security industry is true in the rest of the world. Is the way we treat people who fail right?

We have a tendency to blame the victims. It’s not a good practice in the first place, but what’s worse is that it’s hypocritical. We all make mistakes and get things wrong. When it happens to us, it’s a learning experience. When it happens to someone else, they’re idiots.

That said, Sverdlik and Hulme are right to point out that companies tend to not give a shit about security until they get hosed. To that end, ridicule is justified.

But I’ll tell you what matters to me: how honest the victim is.

When a retailer is the victim, its customers are victims too. When the retailer tries to gloss over its culpability, the pile-on is deserved. Not because it suffered a breach in the first place, but because it wasn’t honest about what it learned and what it was doing about it.

We need more compassion, but we need accountability and consequences, too.

The Changing, Frightening Face Of Plagiarism

Plagiarism used to be such a simple thing: If you stole someone else’s work and passed it off as your own, you were a liar and a thief. But in the cyber world, it has become something much grayer, though no less sinister.

In the security community I write about for a living, sites such as Attrition.org have vast sections devoted to those who plagiarize. To be called out for such an act is to be given the kiss of death. Once you’re exposed as a plagiarist, your career is pretty much over, though plenty of busted people have gone on to fool others in their new careers as “consultants.”

I was talking about all this with a friend, Dave Marcus, yesterday. Plagiarism is seen as a growing pandemic in the 21st Century, the result of everyone’s ability to post someone else’s content in their blogs without giving proper credit. In most cases, the plagiarist gets away with it because in the tidal wave of content in the digital age, it’s damn near impossible to keep track of what everyone is doing. I have a lot of respect for sites like Attrition.org for at least trying to keep watch.

But here’s the thing that scares me: These days, you can be a serial plagiarist and not even realize you’re doing it. It’s so easy to find information on sites like Wikipedia and copy and paste. Some call it research. But when you use it without sourcing it, it’s plagiarism.

I’ve been in journalism for 18-plus years and I’ve always lived in fear that at some point I might falter and forget to adequately source someone. Staying clean from that was already difficult enough before the Internet became the fast and easily-switched-on fire hose it is today.

In my day job, I write about a lot of research reports. The name of the game is to take the complex detail and break it down into language most of us can understand. In this blog, I draw from a lot of studies about mental health, addiction, etc.

I do a ton of cutting and pasting. In my security blog, I’ll use chunks straight from the horse’s mouth, first identifying who it’s from and then italicizing the borrowed passages. It’s my way of keeping it honest. I do the same thing here.

Other times I’ll copy and paste and then convert something into my own words. In those cases, I tell you where it’s coming from. But it’s also easy to see how simple the careless omissions of credit can be.

In the push to get a piece of writing finished, oversights will happen — no matter how hard the scribe tries to avoid it.

The result of all this is that plagiarism is becoming something that’s no longer black vs. white, good vs. evil. It’s becoming something more like sleepwalking. You get up in the middle of the night and walk around the house. Someone else in the house might see you and make note of it. But the next morning you wake up with no memory of it. As far as you’re concerned, you spent the entire night in bed.

It’s more forgivable when you don’t know you walked into a priceless vase in the middle of the night and sent it crashing down the stairs in a million pieces. But it’s still a sorry state of affairs.

The point of all this is that I never want to steal someone else’s work. But I’m awake to how easy it is to slip up.

If I ever do, I won’t feel evil. But I will feel terrible, all the same.

I can promise you that I’ll always do everything I can to get it right.