How to Quickly Create New Habits in Your Life

A friend of mine mentioned that she was having trouble getting in the habit of going to the gym every morning, so I promised an explanation of how I have created so many beneficial habits in my life in the past year. I thought that the email that I sent her might actually be useful for others who are having the same type of issue. Not that anybody out there has trouble creating habits that improve their life at all. My email is below...

My reading of the latest research says that forming a habit comes down to three things (with an optional fourth):

Turning that habit in to a precise behavior (instead of "I want to get in shape", "I want to go to the gym 3x per week").
Deciding on an "anchor" for that behavior within your life. The anchor point determines the behavior that immediately precedes the new behavior: "After I brush my teeth upon waking on M/W/F I will put on my gym clothes and walk to the front door to leave")
Repeatedly be triggered to perform that behavior at the right anchor point
(Optional) To really make it stick, it helps to create (social) accountability around that behavior

There are a bunch of tools to do this. If the habit is small, start with BJ Fogg's latest research project, called "Tiny Habits" (http://tinyhabits.com/). Joining BJ's project is the easiest and best way for you to get a really solid understanding of how to form interesting habits in your own life and perform the first two steps.

Once you're good at doing the first two things for yourself, all you really need to do is the third. There are a few sites that have popped up to help with that:

Note that Habit Forge has built in to it the ability to create "teams", which provides the fourth step I mentioned earlier. 21Habit uses a financial accountability model, costing you money for every day that you don't complete your habit. Each of these strategies is more or less likely to work, depending on the individual. But neither of these are really needed as much as the first 3 steps.

So, if you want to start going to the gym, here's what you do.

Decide what the target behavior is. (I like the one I chose above, but it could be anything: "")
Decide on the anchor point in your life. An example could be: "When I get in my car to leave the office, I will drive to the gym and walk in the front door". (Notice that your goal doesn't have to be related to actually working out: if you walk in the front door, you're likely to, but you may just walk right out again. This is what BJ Fogg calls "baby steps" - we don't have to do the entire behavior, just the part of it that is cognitively easy enough to create the habit)
Set a trigger to remind you at that time where you're going. Could be one of the services above (that work by email), a calendar reminder, or a sticky note on your steering wheel. As long as you're reminded close to the time that you actually leave the office.
If you want to make it even more likely, find something to hold you accountable: it could be a workout buddy or someone else who you want to impress, it could be your entire Facebook friend list, or it could be one of the services above.

Since meeting BJ Fogg last year, I've used this same format to implement a whole pile of new habits in my life, from improving my workout routine to changing the way I eat and the way that I floss my teeth.

Matching and Mirroring (or: Cybernetic Issues in NLP)

One of the fundamental tenets of Neurolinguistic Programming (NLP) is the idea of "matching and mirroring" - the idea that we create rapport between individuals by mirroring aspects of their physiology in ourselves and, because they see someone who looks like them, they're more likely to enter in to a rapportive state with us. This effect does have some amount of basis and has been studied quite significantly - psychologists tend to call it the "chameleon effect", based on the landmark 1999 study by Chartrand and Bargh. Their definition:

"The chameleon effect refers to nonconscious mimicry of the postures, mannerisms, facial expressions, and other behaviors of one's interaction partners, such that one's behavior passively and unintentionally
changes to match that of others in one's current social environment."

The studies have shown that the effect of mirroring is present across most studies that have been performed - in particular, the Chartrand/Bargh study found significant impacts of mimicry on the rapport set of those studied. (Although, as Chartrand & Bargh note, some studies (LaFrance) have noted that the effect doesn't exist or depends on other aspects of a relationship between those being studied)

The problem comes when we consider the reason for rapport from an evolutionary perspective - we have evolved rapport and mimicry to facilitate social interaction between humans, not as a one-way process. That is, when I mirror you, I am unconsciously reproducing your state within me - this is facilitated by the "mirror neurons" (the posterior inferior frontal gyrus and adjacent ventral premotor cortex, as well as the rostral inferior parietal lobule as described by Iacoboni) - we are able to mimic another because we perceive their behavior and, in so doing it, represent it within ourselves.

Note that this is the other half of the cybernetic loop that is edited out in the studies (and much traditional teaching of NLP) - in mimicing another successfully, we unconsciously represent their state within ourselves. While the Chartrand/Bargh study talked about the target of the mirroring liking the study confederate more when mirrored, there wasn't a corresponding questionaire filled out by said confederate to determine whether they had increased liking for the person being mirrored. Obviously, this would have had some methodological concerns. (Note that Chartrand and Bargh noticed the potential issue that this half of the cybernetic loop wasn't being respected, and attempted to control for other behaviors - however, the question of the subtlety of mirroring behaviors on the behalf of the confederate is still open - I'd love to see a FACS coding of some of the samples of the confederates against those of the participants and note facial / micro-expression similarities.)

The state being mimiced is, in effect, dual-sided - that is, the more precisely we replicate the state of the other person, the more effectively we display the chameleon effect. It is this behavior that Chartrand & Bargh noted in their third experimental condition - that, at an unconscious level, those of us who tend to take other's perspective (which can correlate to but isn't the same as the traditional emotional definition of empathy) more often have a better developed set of strategies for adopting mirrored positions with others.

This, in my opinion, leads to a lot of the problems with the traditional NLP model for learning matching and mirroring. As Grinder said in "Whispering in the Wind", there are two criteria for the evaluation of a model:

Is it learnable?
Does it lead to the learner producing results congruent with the original source of the model?

While any six-year old can learn the NLP version of matching and mirroring (i.e. "monkey see, monkey do"), it's the second condition that is much more problematic. Many who attempt to learn to create rapport through traditional means end up with matching/mirroring processes that, rather than create rapport more often, come off with the subtlety of a bad used car salesman. The reason for this is that we aren't effectively attempting to teach the student of NLP how to mirror states, but only to broadly mirror large parts of behavior - we're not respecting that rapport is a cybernetic process with multiple sides to the loop. And anybody teaching it from the perspective of behavior/posture isn't respecting the other side of the loop (at least consciously).

In fact, in my own modeling of those who are excellent at creating rapport, it's not their ability to mirror posture or breathing pattern or eye blinks that is most effective - it's the ability to mirror and represent within themselves the state of those around them and to effectively convey that mirrored state (usually at a completely unconscious level).

Grinder also noted this in Whispering, when he stated that calibration is "the most fundamental of all NLP processes". The person who is most effective at creating rapport with others is the one who most precisely calibrates the state of the other person and, upon representing that state within themselves, unconsciously adopts whatever behaviors are appropriate, regardless of whether they precisely "mimic" the other person.

The student who attempts to learn to create matching and mirroring without understanding how to effectively calibrate (which, using NLP terminology, is akin to an unconscious shift in to second position) doesn't become (in the Chartrand/Bargh terminology) a "high perspective taker", which is one of the fundamental bases of being effective when it comes to matching and mirroring.

That is, the goal in matching and mirroring isn't to replicate behavior - replication of behavior comes naturally when we effectively can adopt and replicate the state of the other person within the interaction. To attempt to mimic the behavior generally works only in so far as that adopting a matched physiology can assist in replicating state.

My Newest Experiment - The Kindle Book

A few months ago, my friend Drawk Kwast released his first ebook on the Kindle store. And he's been having some great success (mostly because the book is awesome). Shortly after, I got my first Kindle and was fascinated by all of the low-cost and interesting self-published books on there that I wouldn't have found physical access to in the average book store. It piqued my interest around the Kindle as a publishing platform. But it wasn't until I read this story on Slashdot that I really got fascinated. From the story:

'These days the buying public looks at a $9.95 eBook and pauses. It's not an automatic sale,' says Locke. 'And the reason it's not is because the buyer knows when an eBook is priced ten times higher than it has to be. And so the buyer pauses. And it is in this pause—this golden, sweet-scented pause—that we independent authors gain the advantage, because we offer incredible value.'

It was fascinating to me that we could be seeing a sea change in the world of books.

While I've been a great consumer of books on the Kindle, I hadn't yet explored the seller's side of this new world.

So, I took the ebook I wrote a few years ago (called "Forget the Parachute, Let Me Fly the Plane") and re-formatted it for the Kindle. In the process, I updated the content and added in some new material.

And it's selling in the Kindle store for $2.99. As of this writing, it's in the Top 25 in the "Job Hunting" sales list.

My thought: would you trade a cup of coffee for some solid career advice? I hope to find out.

Maturity and Business

I wrote recently on Maturity and the way I've been trying to view my life lately. The place that I've found this thinking most interesting is in conceiving of my businesses (esp. THA). It's easiest to try to solve most of our business problems in the frame of "what's best for us right now?". Especially in technology, which is so driven by quick-return venture capital (where we expect an exit in no longer than 3-5 years), this type of thinking is endemic. We live and die by the quarterly numbers. The most forward-thinking of us try to think 9-12 months out. Sometimes, our roadmaps extend a whopping 18-24 months. But that's it.

And that's a sure way to make decisions that are bad. My experience with venture capital driven businesses has been almost universally bad - the decisions that the VCs (or their hand-picked executive teams) made were almost universally oriented toward a quick exit, and, most often, in diametric opposition to what would have been done if the company had been managed with an eye toward building a long-term sustainable and profitable business. I'm not the only one with this experience - Inc published a great article about this a few years ago on Friendster that was eye-opening to me when I first read it.

Lately, I've been trying to conceive of our businesses in a more long-term way. I've been trying to think about it the way that (I imagine) we conceived of businesses 100 years ago - not as something with a quick exit, but as something that would have to feed our family for the rest of our lives. The questions I've been asking myself are oriented toward that sort of thinking:

What would we be doing if our goal was to be most profitable 10 years from now?
What is single thing that we can do as a business to make our customers' lives better in 36 months?
How can we best reinvest profits today to triple or quadruple them down the road?

The thing is, this wasn't the type of business thinking that I've been taught how to do. Nor do I know anybody else who is. Every time I read the typical business book, they're like reading diet books: GET RICH NOW WITH NO EFFORT AND NO ENERGY! And I love that kind of business book. But nowhere are they trying to teach you how to create something sustainable that adds real value over the long term.

If anybody out there reading this one has any advice on building a company that's sustainable and profitable on a 50-year time scale, I'm all ears. Because, other than some of the old articles about how the Japanese created 100 year plans, I can't really find anything that gives good advice on this one.

What is it to be Mature?

I was having a conversation with a friend the other night about maturity and social connection. We tossed around the question of what it is to be "mature". According to Wikipedia, maturity is "how a person responds to the circumstances or environment in an appropriate and adaptive manner.... Maturity also encompasses being aware of the correct time and place to behave and knowing when to act appropriately, according to the situation". I have trouble with that definition, as I don't believe that maturity is driven by the results of one's decisions but by the cause. As I get older, I look around and I see striking differences between what drives the actions of those around me. A lot of my friends act in a way that would be considered incredibly mature - they're stable, responsible, and stoic. They pay their bills on time, they manage to raise their kids not to become sociopaths, and they go to work every day. They have faithful long-term relationships and they save for retirement and for a rainy day.

Yet I see a difference in what's creating that behavior. Some of those friends are driven to their "mature" behavior by personal insecurities and fears that aren't much more sophisticated than the six-year-old who is terrified of the monsters under his bed. They save money (for example) not because they want to be profitable and well taken care of in their old age, but because they're terrified that tomorrow, someone's going to take it all away from them. They're faithful to their wives not because they're building a relationship that will be fulfilling in the long-term, but because they're afraid of the horrors that will befall them if they cheat.

And I have a problem with the idea that maturity is all about social norms of behavior... because some of the most mature and wise people I know are ones who defy conventional definitions of "being a grown-up" at every turn.

So, I've been playing around with a different definition in my life and trying to see how that definition affects the way that I live. Maturity, in this working definition, is a sliding scale - not a state to be achieved. The scale is simple: maturity is directly proportional the timescale that we consider in making the decisions of our day-to-day lives.

If we think about the least mature among us (e.g. the above-mentioned six-year-old), it should be obvious that most of his/her decisions/thoughts are made on a short time-scale. I'm hungry now, so I eat. I'm not happy with you because you won't give me ice cream, so I hate you forever. (The psychologists call this an inability to delay gratification.)

If we look at those who we consider the most wise and the most mature, we see a different time-scale in action in their behavior. As an example, I looked up some quotes from the Dalai Lama (who I would think most would agree to be a pretty mature guy). What amazed me about that page is the number of quotes about the future - and not just his own personal future, but the future of our species. He thinks about the world not in terms only of "when I grow up", but "when I'm no longer here". As an example:

"If you must be selfish, then be wise and not narrow-minded in your selfishness. The key point lies in the sense of universal responsibility. That is the real source of strength, the real source of happiness. If we exploit everything available, such as trees, water and minerals, and if we don´t plan for our next generation, for the future, then we´re at fault, aren´t we? However, if we have a genuine sense of universal responsibility as our central motivation, then our relations with the environment, and with all our neighbours, will be well balanced."

I've been thinking about this a lot lately - how would my life be different if, in each moment, I was making decisions with an eye not toward what feels good now, but what would be the best for me in 10 years. Or 20 years. Or what would be best for those around me on the day of my death. Or 100 years after I'm dead. How would each decision I make be different?

And I've been finding that it leads to a different way of looking at my life. One that I'm beginning to quite like. (Although, I have to say, it starts to make most US political debates look pretty ridiculous, given that the time scale of their thinking is never more than about 2 years long... which probably maps pretty well to the time scale of the "average" American these days...)

As a reader, do you think about what time scale you make decisions on? How do you make decisions around your finances, your relationships, your health and your career?

A Branding MAD Lib

As a new year begins, I always spend a bunch of time pondering my past, my future, and where I'm going. A big part of that is branding and positioning - who am I, and what problem do I want the people in my life to have when they think of only of me. This year, I have a different situation - in all of my endeavours (MAD Security, The Hacker Aacademy, Information Security Leaders), I have partners. I can't just think of where I want to go all by myself - I'm reliant on other minds to co-develop and agree to the direction we're taking.

So, I came up with a rather simple way of thinking about positioning, direction and vision: a simple MAD lib:

(I / {name of entity}) am/is/are the best (name of primary activity) in the (geographic region / location / entity) . (I / {name of entity}) am/is/are also quite good at (name of secondary activity) .

You'll know that you have a real brand statement when you can have an independent third-party read the statement that you have prepared and agree that it is (or could be) true.

The key to the exercise is to resist the temptation to have more than one primary activities (or to make the activity overly broad) - a brand statement is about your unique differentiator. You may truly be good at multiple things, but you can only really be known as the best at one thing. And the more precise and specific you are about your brand statement, the more likely it is to reflect some amount of truth.

(As a note: the second "is also quite good at" is optional, but left there because lots of people have secondary skills that they are known for as well)

An example... a not-so-good brand-madlib:

Michael Vick is the best quarterback in the NFL . Michael Vick is also quite good at being contrite for his past wrongs. .

It's not so good because there's some amount of argument whether Michael Vick is the best quarterback in the NFL. At the very least, Peyton Manning and Tom Brady might have something to say about it. Now, this one, I don't think anybody could disagree with:

Michael Vick is the best dual-threat running/passing quarterback in the NFL . Michael Vick is also quite good at raising pit-bull puppies. . (Yes, that was a low blow...)

In fact, that one's so good that if you removed Michael Vick's name, most people would still know who the statement referred to.

So... what's the brand MAD lib for your company? How about your own personal MAD lib?

Suppressing Dissent

I once heard it said (and I can't find the quote) that a society's level of freedom isn't determined by how it treats its normal citizens - it's determined by how it treats those who dissent and don't adhere to society's norms. Nowhere do I find this more evident than in the Byron case.

Look, let's be blunt: from everything we know about what Byron was doing, it was kind of stupid. He was acting as an agitator to the G20 security establishment. He wasn't being particularly subtle. He was trying to stir up a response, and he did.

I think it's clear that he's guilty of mischief. He's certainly an agent provocateur (def: "a person or group that seeks to discredit or harm another by provoking them to commit a wrong or rash action.")

Joshua Errett over at NOW Toronto described it best:

"What Sonne was actually trying to do is expose security inadequacies of the G20, as is the role of the hacker. His intent was never to harm, and any crimes he allegedly committed were entirely victimless.

That the justice system can’t see the deep shades of difference between Sonne detailing security lapses and petty vandalism is an outright shame. And, in some ways, discrimination. If Sonne had been a cowardly Blac Blocker, bail would have already been set. There certainly seems a different set of rules for hacking."

With the ruling yesterday that Byron will remain in jail until his trial and be unable to have any contact with his wife during that time (unless in the presence of lawyers), there's little question that he got the "rash action".

And it's clear that Canadian society has made its statement on how it intends to deal with dissent - zero tolerance.

In contrast to Byron's crimes, those who steal $30-$50 million, dangerous offenders, those who kill while drinking and driving and crack dealers all go free on bail.

This is one of the more disturbing issues with the case - not that Byron wasn't guilty of being annoying, but that the treatment he is receiving at the hands of the justice system in Canada is far more harsh than those who commit far more significant crimes that leave people hurt, dead or destitute.

Free Byron.

Byron (and influence through the media)

If you're following the Toronto news today, one of the main stories out there is about a former team member of mine, Byron Sonne. The news coverage (CNN, Yahoo) paints Byron to be one step this side of Timothy McVeigh... explosives, threatening police, etc. And that doesn't even mention that the picture that they're using makes him look that way. (As an aside: in my 11th grade journalism class, we spent a lot of time talking about how pictures frame the news story that you're reading. Before you ever even start the Globe and Mail coverage of this story, you're greeted with a blurry, grainy picture of Byron looking like he's about to blow up a building. Regardless of whether the facts support the charge, our minds are primed with all of the times that we've seen a terrifying looking psychopath looking very similarly to this picture... and we read the story with that bent.)

Unfortunately, the reality seems a little less glamorous. If you read Byron's Twitter account, you'll find that Byron was being little more than the opinionated activist that he is. "An agent provocateur", as someone told The Star. He talked about investigating the fences and posted video of the fences. He talked about how the cameras were being set up in locations that were likely to be used by activists. And he was pointing out that the amount of money spent on "security" for this conference was a little out of range.

One of the things that Byron has been most pilloried for in the news was the talk he gave a few months back on radio surveillance (a decent account can be found here).

Amazingly, Byron even posted the slides to that supposedly "provocative" talk on his Twitter feed. (I've put the same slides here for the BitTorrent challenged). Read them... there's nothing in there that suggests anything but a security professional talking about insecure radio transmission.

Let's give a different picture of the guy that used to work for me. Byron's a very smart and well-rounded engineer. While he wasn't the top producer on the team, he was someone who I valued a great deal from a management perspective. He was vocal and would push others to come to the table with their best (even when he wasn't up to their level). He was the member of the team most willing to call out others in a meeting. It wasn't just internal... he was even willing to call out a vendor in a blog post. (Note that since I wrote this, nCircle took the orginal post down)

Above all, Byron Sonne was always an ethical person and someone who I trusted a great deal. And I agree with the assessment that Jesse Hirsh made in an interview with The Toronto Star:

“I suspect that this may just be a stunt and perhaps a stunt that got out of hand,” Hirsh said.

Regardless, it's a shock to me that this would lead to an arrest and incarceration. None of the posts made threats or suggested potential for harm. His talk is innocuous. And this all looks like a very large over-reaction from a police service that felt somewhat embarrassed that someone was publicly calling them out on their failure to encrypt their communications and poor placement of security cameras.

Influence and Failing Kindergarten

Had a great chat with my friend Drawk Kwast recently that he recorded for his list of users (which was an honor given the people he usually interviews). As expected, we rambled all over the map and talked about a million different topics around influence, living an adventurous and successful life, and always being willing to have fun and do the things that most people won't do. The thought that stuck out to both of us during the chat was the idea that we'd fail kindergarten if we were subjected to another year - that the things that has made each of us successful to this point would have caused utter failure in the current school system. We both have a nearly chronic inability to follow the rules, stay in single-file lines, refrain from asking "why?" about a million times too often and ensure that we always make the sky blue when we color.

As Drawk said: "we'd in the corner eating the paste."

I realized later that I should have corrected him... so I will now... "we'd be in the corner figuring out how to take the paste, turn it in to some crazy 5-star dish involving liquid nitrogen and debating about how to market a nationwide line of "frozen paste" shops.".

It's a trait that a lot of my friends seem to share.

The MP3 is worth a listen - Drawk had some great stories on there and I talked about random stuff that some people might find interesting.

(Aside: if you haven't picked up Drawk's "Domination Basics" ebook, you need to - it's free and one of the better reads of the last year. The last person who I convinced to read it immediately sent me the message that "OMG! Drawk Kwast is the UberMan!!!!". All I can say is that you should read it yourself and find out what all the exclamation points are all about.)

Return-to-Barry-White Human Exploitation

Spent a weekend in early October hanging out with Tom and Kim at their rapport and anchoring bootcamp. And I was talking in email with my friend Cris Neckar afterward where we were talking about the large number of pre-existing anchors that exist within someone’s already vast consciousness.

Cris’s comment was that using pre-existing material for anchors is “sort of like exploiting around DEP” – basically, the idea of a "Return-to-libc” exploit. You have pre-existing functions that perform the task that you’re hoping to do.

This reminded me of something that Tom did to me during the weekend. Tom walked up to me this weekend and said:

"So, you're a hypnotist right? You've been in trance before, you know what that feels like, don’t you?" And, as soon as I think about it (which I have to do to understand his question), he achors it.

Tom then proceeded to spend the rest of the weekend enjoying firing off the trance anchor at opportune times.

So, in our email conversation, Cris and I were talking about some good elicitations to anchor that many people would already have:

“Hey... remember that scene from Say Anything where John Cusack was standing outside with the boom-box on his head? How romantic was that? What was the most romantic movie scene you remember... one that just made your heart melt?"

Or: "As you wish" (for anyone who has seen the Princess Bride).

Or: "What’s the song that gets you most in the mood?”

In other words, the "Return-to-Barry-White" exploit.

Note: I’m well aware that this isn’t at all new. Neither’s ret2libc, really. But it’s a great example that hopefully drives some new ideas and new thinking.

NLP for Social Engineers

Anybody in the industry who has talked to me about NLP has understood my utter frustration about the state of NLP learning and its application to social engineering. It got me riled up enough to do a post on NLP and science a few months ago. And, for the past few months, I've been pondering the idea of doing a free education series for the industry on what NLP is and how to use it as a social engineer. But, as anybody who knows me knows, I've been a bit busy. Foreground is taking off, having made the INC 5000 due to the phenomenal amount of growth (and corresponding amount of work for each of us). And my own projects (Connected Career, Information Security Leaders, and the projects we do through Michael Murray and Associates) have added an even bigger load.

But I got really riled up when I read the NLP section of the new Social Engineering framework. Because, while true, it doesn't teach the reader anything useful about how to use NLP in SE. (That shouldn't be taken as a criticism - I believe strongly in the project and will be helping to edit and correct deficiencies and gaps over the coming months... the guys over there are doing the community a phenomenal service).

So, I sat down and started recording the material I had been putting together over the previous months. It's going to come out to about 10 hours of audio, video and a whole pile of exercises. I even did a video to explain what you're going to get.

Check out the video and sign up here.

Recap: The Hope Symposium

This past weekend, I had the privilege of speaking at The Hope Symposium. It was a small conference put on by my friends over at NLP Canada.

I was actually lucky enough to speak twice at the conference – I was the opening speaker and the final speaker before Chris and Linda closed out the conference.

More (including video of my talks) in the coming days, but for now, just a picture of me, Chris Ron Verreggen of RapidSuccessCoach.com.

Greed as a prime motivator

I found this article the other day about the teen in Great Britain who managed to completely dupe a bunch of airline executives in believing that he was a millionaire who was looking to buy into their company and expand it. The key to the attack is that greed was the prime motivator in the attack. From the article: "When asked how he had managed to fool them, one of the airline execs in Jersey stated:

“If they were real then there would have been opportunities for us to expand our business and that’s not the sort of thing we are going to ignore.”"

That quote is the key to it all - we can all learn something from this executive. The problem is that the higher ups in this company were willing to throw caution to the wind when granted a potential for monetary gain. Of course they’d love to expand their company, but at the cost of ignoring security and inviting the con-artist into their inner sanctum?

The question is would this executive also be answering a phishing email like the one I got from Jassay Goran in the Solomon Islands that promised me I’d get $8.5 million if I followed a few simple steps? People involved in social engineering are often extremely bright, inventive and ingratiating - as I have said repeatedly in talks, social engineering is primarily a crime of the imagination. Note that in his explanation and defense of his actions, the executive used the phrase, “if they were real,” as the pretext for his action. Anytime someone does that, they’re taking a big chance with that little word “if.”

I’ll comment more on this article and overall story in a later blog. I think there’s something to be learned from a fact that’s recently been reported about this 17-year old—he has Autism. Also, this story really makes me reconsider the whole topic of user education. More thoughts after the pre-Blackhat rush settles a tad.

Constraints and The Bandwidth Problem

I got in a conversation last week about the upcoming bandwidth crisis in the core. I've managed to forget about those issues more and more over the past few months. I’ve spent a lot of time thinking about vulnerability research and social engineering lately at the expense of a lot of other security thinking. But that conversation and this article brought my thinking back to the infrastructure side of security. From the article: “The super-high-speed cable is now hidden under six feet of Cornish beach-which is just as well, because if it were discovered and damaged, the entire web in Britain could turn to treacle. Warren Pole reports on the fragile network of ocean cabling that keeps the modern world turning, the madcap economics of internet supply-and why it will run out of space by 2014 unless scientists think of something... fast.”

While we're pushing bandwidth at the final mile (I'm able to get 25Mbps down, and that's not even on FIOS), we're going to run in to significant snags at the key chokepoints - the core internet infrastructure and the transoceanic cables.

According to the article, there are nine cables joining the US and England that have a capacity over 39Tbps.

When I started in security in the 90s, we spent a lot of time talking about infrastructure and the core. Then, we "solved" a lot of the bandwidth problems in the late 90s and got ahead of the game.

And now we're deploying video across the net. I watched UFC 100 the other night through Yahoo. All of my TV is via iTunes/AppleTV.

We're not prepared for users like me. And that doesn't even consider the idea of wholesale IPTV. No question - the idea of trying to lay cable to solve this problem is going to be difficult to keep up with. These cable links, which can be seen simultaneously as being tenuous and formidable, retro and high tech and innovative and shortsighted, are a model for the often unpredicted but possibly anticipated challenges that keep us in business.

Social Networking and Security

Lately, I've been thinking more and more about social networking. I was reading a recent article by Eric Ogren on this issue at Searchsecurity.com. The article said: "According to a recent Websense Inc. survey, the decision has already been made by the business units with 86% of IT respondents reporting pressure to allow more social networking in the business. The message resonates loud and clear to security: Resistance to advances in technology is futile; find secure ways that business can move forward."

It seems obvious that the more social networking we do, the more vulnerable we make ourselves to breeches in security. Viruses can spread quickly, data can be compromised and entire systems can be severely hampered.

The fact is Facebook offers a variety of ways for those in the same company to interact and for various organizations to create networks - there's business value there. Not to mention that Twitter, LinkedIn, MySpace and other such sites, although all different, have the power to bridge a global communications gap. Both Facebook and Twitter have become popular with professionals between the ages of 25 and 35.

It’s evident to me that it’s virtually impossible to stop this trend towards incorporating and integrating social networking sites into the IT networks of companies. With pressure on businesses to allow the use of such sites comes the need for controls, common sense and regulations. While I'm a huge fan of incorporating social networking in to business, there's definitely an important control issue here. Here are a few questions I encourage anyone to consider before using a social networking site in tandem with his/her business.

Why are you deciding to incorporate a social networking site? There’s no doubt that such sites make communication easier. That’s a given. But you have to determine the reason for this expanded communication and how much control is needed. You’ll need to develop protocols for using the site within your company and other protocols in utilizing the site when dealing with vendors, clients and the general public.

Which features will your employees be able to access and which will your business utilize in its public profile? Each social networking site offers a range of choices to its users. As an example, if you elect to go with Facebook, a range of choices await you as to how much information is public, which tools are made available and how participants can interact. Are Wall postings appropriate, should Status updates be allowed and which groups, if any, will be established? These questions and others are appropriate for the manner in which the network is used within the company and amongst the general public, clients and vendors.

What controls will you put around the use of the technology? Once you decide to incorporate a social networking site, you’ll need to develop a sound security plan and a method for checking on how individuals are using the site. Opening your business up to a site such as Facebook makes it more vulnerable to hackers, phising schemes and other security concerns. Once you open up your organization to an outside entity greater security precautions and more vigilance will be needed. Beyond just technical controls, also consider the need for policies and procedures - develop written policies, specific guidelines and a clear vision of the exact reasons for using such a site to guard against misuse, miscommunication and compromises in security. It’s the first step in helping to ensure a smooth transition by your company into the world of social networking.

Anybody who knows me knows that I'm a huge fan of social networking (evidence Twitter, LinkedIn, Facebook) - as such, I welcome the fact that social networking sites are not only here to stay, but that they will continue to expand and evolve. That means that the security and business communities as a whole must also evolve and develop.

Obama and Hypnosis

I was on the Altered Egos radio program from Nanaimo, BC this morning, and we were talking about hypnosis, NLP and influence as it relates to political speech, advertising, etc. I mentioned an awesome paper about Obama's use of hypnotic language and patterning - the paper can be found here. In most of its moral conclusions, the paper is far right and ridiculous (e.g. "Obama's actions are far more than simply lying").

However, in its analysis of Obama's use of language, the paper is worth a read. It's an excellent description of many hypnotic language patterns and how they can be used artfully to influence a large audience.

NLP is not Science

One of the people whose work I have enjoyed of late is Gadi Evron. I find that he and I approach problems and random things very similarly (although he blogs his results far, far more frequently than I do... mine just get saved up for classes, webinars and articles). So, Gadi posted recently about his disappointment with NLP. It's not the first time I've heard these arguments, and they all come down to a single, fundamental misunderstanding:

What we commonly call "NLP" is not science. Nor is it even scientific.

Most of this confusion comes out of the distinct issue that John Grinder called out in his book Whispering In the Wind. The thing that was originally "NLP" was a project that attempted to model successful people, notice the patterns of language and behavior, and replicate them. (This, Grinder refers to as "NLP_modelling").

NLP_modelling was not scientific, but at least its principles were sound. Grinder and Bandler went and sat in the room with three strong therapists and learned to "act like" those therapists. They kept doing so until they were able to replicate the behavior. And then they continued to do so until they gained conscious ability to explain how they replicated the behavior.

While none of this was science, at least there was a principle behind it.

Where it all went to H-E-double-hockey-sticks is when they wrote down what they did and tried to explain how they replicated that behavior. This was a fool's errand in some ways... there are grave epistemological concerns here - it's beyond difficult to take your own behavior, translate it into conscious understanding and then try to convey it to others in language. It's the same reason that great baseball players aren't often good coaches - when you're really good at something, it can often be difficult to teach others. Grinder once noted that when Bateson reviewed their work, his comment was: "Shoddy Epistemology." Bateson was accurate, and this is where things started to get wonky.

This is because NLP_modelling is not what most people call "NLP". When referring to NLP, most people are referring to the things that were written down - the hypothesis explanations that were posed by Grinder , Bandler and their colleagues/followers (e.g. Dilts, the Andreas', etc.) to explain how they replicated behavior. These are what Grinder calls "NLP_application").

Unfortunately, because of the epistemological concerns, NLP_application is about as scientific as me trying to predict the weather by sticking a wet finger in the air. Because we can hypothesize just about anything. I can observe how certain people act, and then make up any random example of why it must be true. For example, I could tell you that people are a certain way because of the position of the moon and the stars when they were born. How crazy would that be?

So, if NLP isn't science, what are we to do?

Most people want to throw the baby out with the bath water. I'm a big fan of the original project - let's look at people who get a particular result, and figure out how they do it.

But if you want to make it science, then turn around and figure out how it works.

Anyone who has looked at NLP has seen the following chart:

(Borrowed from http://completelymental.net/ )

The thing is, anybody who has tried to study whether it works finds that it doesn't. Yet, many NLP people swear that there's some efficacy in watching people's eye patterns and using them to discern how people are thinking.

I was lucky enough to study NLP with Linda Ferguson and Chris Keeler at NLP Canada, and they get it. Linda was the first to point out to me that what Grinder & Bandler probably noticed (unconsciously) was the same set of patterns that Paul Ekman has noticed - we express many feelings and emotions in very small and quick ways with the musculature around our eyes.

So, while eye accessing cues don't work, we find that paying close attention to that region of the face leads us to a detailed understanding of someone's emotional state.

This is what happens when you approach a project without solid epistemology - you end up with many of the right behaviors, but the wrong reasons behind them.

And, sometimes, you end up with a whole pile of dogma and "true believers". But that's the subject of a different rant.

Until then, realize: NLP is not science. There is some useful background to take the tools and attempt to use them, and, even better, combine them with other, more useful science to figure out how to tie it together.

(As a shameless plug, I'm the one taking the lead on much of the "NLP-like" content at the SE Master Class. I say "NLP-like", because it won't be based on either NLP_application or NLP_modelling. But anyone with an NLP background will find similarities on the things that really work in the real world, without much of the NLP and hypnosis dogma that goes around.)

Six Sigma and App Security

From a note that Hoff tweeted, I ended up reading Jeremiah's awesome new post in which he asked the following question: "How do you achieve quick wins in Web Application Security, rooted in software, with measurable results that CIOs would appreciate? "

I started a thread on twitter with my answer, but that's not the format for reasoned discourse and detailed thinking. So, I decided to write about my thoughts a little more in detail here.

The answer is simple: You don't.

Jeremiah laid out most of the reasons in his post, but it comes down to one thing: an SDL improvement effort is a multi-faceted, process-based set of changes that lead to a long-term process that creates security through up-front consideration, not through solving one-off tactical issues.

In that way, the effort that Jeremiah lays out is exactly the same as that faced by the Quality proponents and Deming followers in the 80s. Everyone "knew" that quality was important, but nobody could ever justify the up-front costs of redesigning an entire process to create that kind of quality.

In short, there were no short-term wins.

Yet, today, almost every large corporation has implemented some form of Six Sigma/Lean/TQM program at some point.

The point I was making on twitter was that, if there's a model to follow to find the way to make application security palatable to the C-suite, it's the adoption model of Six Sigma.

I see three key points to the adoption of quality as a movement.

Business Pain without a forseeable end The main driver behind the quality movements of the late 80s and early 90s was the pain that most organizations were feeling. The economic recovery of the 80s lead to a strong competitive environment, with extra pain coming from overseas competition. In the case of the auto industry, it was Japan. For other orgs, the pain came from other offshore and domestic competitors. And as the economy slowed in the late 80s/early 90s recession, many of these organizations looked for a sustainable competitive advantage to give them an opportunity to survive when others in their space couldn't.

The economy is leading us to a similar state today. Businesses are looking for an advantage as the economy turns down. (Note that I don't believe that application security leads to a sustainable competitive advantage in the same way that Lean and 6S do. I'm just making a parallel between the conditions).

Examples of Success The most important factor in the adoption of quality processes was the very public example of success put forward by Honeywell, Motorola and GE. From Wikipedia:

"Other early adopters of Six Sigma who achieved well-publicized success include Honeywell (previously known as AlliedSignal) and General Electric, where the method was introduced by Jack Welch.[8] By the late 1990s, about two-thirds of the Fortune 500 organizations had begun Six Sigma initiatives with the aim of reducing costs and improving quality."

Because these organizations put forward incredibly public accounts of their success, it was easy for other C-level executives to embrace the potential of the initiatives. While every leader wants to believe that they're an individual, the top levels of business are very much a CYA culture - only the success of one's peers allows one to take the risk.

This lead to...

Quality is Free As these successes built, documentation started to build the belief in this type of program. This eventually lead to the mantra that "Quality is Free" - the idea that a successfully implemented quality program pays for itself in the long-term, regardless of the short-term cost/pain associated with the implementation.

My point to Jeremiah is that the Application Security community is living without the latter two of these points - we have no examples (save perhaps Microsoft) that show that a consistent focus on process-oriented security is successful. And we have no data that backs up the long-term cost benefit of the initiative.

In a situation where the task requires long-term process reorientation, short term wins aren't possible. We need to follow the model of the adoption of Six Sigma: We need to court those forward-thinking, Jack Welch-type CIOs who are willing to make this happen, and then have them make their successes public.

Only then will we see a widespread adoption of security-focused SDL reengineering initiatives.