Good Bosses and Bad Bosses

August 31, 2006

In a recent podcast, Jack & Suzy Welch consider the following question:

Would you rather work for a good company with a bad boss, or a bad company with a good boss?

Their answer was to go with the first, because bad bosses will get found out eventually and the company will get rid of them, and then you’ll have a good company. Suzy made the caveat that “there are probably less good, healthy, functioning companies out there than we would hope for”.

While this probably makes some sense at a larger company, I don’t know that it makes as much sense at a smaller one – in my experience, the smaller companies I have seen have a larger tolerance for bad bosses – this is especially true at startups where the founder is still in place (it’s known as Founder’s Syndrome).

Somewhat in agreement with the Welches, I’ve always believed that people don’t leave bad companies – people leave bad managers (no, that has nothing to do with me leaving nCircle – the last two managers I had there were the two best of my career so far). That belief has made me work hard when I’ve been in charge of a team to try and ensure that I’m doing a good job and supporting my people.

I have always believed that management is a responsibility that can be measured by a single factor: staff retention. I have seen managers in terrible companies who had incredible retention because their people believed in them and knew that they were learning and growing. And I have seen the opposite – managers in relatively strong companies with huge (100% and higher) turnover in their departments because they ignored the needs of their teams.

I’d like to say that I have always been the first manager, but I know it’s not true – it’s hard work to do management and leadership well, and nobody’s perfect. But it’s something that I believe strongly in, and the successes in that area are some of the ones I’m most proud of.

48 Days…

August 30, 2006

I recently read an incredible book that I think that everyone should check out. It’s called 48 Days to the Work You Love. It’s one of the first books that I have read that really puts a different spin on job hunting – Dan looks at job hunting very much as a sales process, and uses the normal tools of sales people to help get jobs.

It’s funny – I found this after I was already in the interview process for my new job, so I didn’t get a chance to try this out (not that I was looking).

The part of the book that was most powerful was the idea of “finding a calling” rather than finding a job – the question that you can’t escape asking when you read the book: “what is my calling on this planet?”

What am I here to do? What’s my purpose in life? Am I living that purpose each day, or am I spending my time “majoring in minor things”? (to use a Tony Robbins-ism).

These are questions I ask myself each week during my weekly review process to ensure that I’m staying on track.

I have the Security Silver Bullet!!!

August 29, 2006

Well, actually, no, I don’t. But I’ve seen a lot of people claim that they do – they’re usually product salesmen.

I started thinking about this when I read Ryan’s recent blog post over at the nCircle blog. Ryan’s a smart dude, and somebody who everyone should read whenever he has a post.

Ryan posits the following scenario:

So you are an administrator within random company ‘X’. You have been happily using a certain product that has had some known vulnerabilities within it. However this isn’t a problem as you’ve patched them as the patches have come out. The vendor came out with a new version of the product a year ago and has been pushing all users to upgrade. Being a safe administrator worried about the interaction of new products and desktop installs, you’ve been testing the product in your test lab and everything seems a-ok. So you decide to push the new product out to all the desktops slowly department by department. Everything works well. All users are happy.

After a couple of weeks though, users are reporting that their boxes are acting funny. After some detective work, you’ve noticed that the boxes have been exploited with an old exploit in one of the vulnerabilities within the product you just upgraded to. Knowing that you patched already a couple of months ago when the patch came out, you believed that you were safe. Taking a look at the patch management system, the system reports all the exploited boxes as patched to this vulnerability. Management is unhappy and you are SOL.

He then goes on to rant about this being the vendor’s fault. While I agree with him that the vendor is culpable, I also think that the hypothetical administrator in question should have his/her ass handed to him/her – he/she violated a core tenet of rational thinking: he/she relied on a single source of information to make a decision. In handing that much trust to any one system (be it patch management, vulnerability management, IDS or the Oracle at Delphi) he/she has been ignorant of other information in the world that could have helped him/her make an informed decision.

In NLP terms, there is a fundamental concept called “triple description”. It suggests that, in order to conceive of a well-formed model of the world, one needs to perceive a situation from at least three perspectives. This is equally true in security – you need to take information from a bunch of different systems in order to have a complete view of the world.

So, in Ryan’s scenario, the administrator made a fundamental mistake in trusting the patch management system. He/she should have run another tool against the newly deployed systems before rolling out – a vulnerability management system, a serious protocol fuzzer. And the administrator should have had an IDS and an endpoint firewall enabled, too.

It used to be called “Defense In Depth” before that became an over-used cliche that now mostly means “buy more stuff”. It’s not about buying more – it’s about having enough descriptions in your world to help you make appropriate decisions.
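Here is what “more than one description” looks like in practice, as an added example that is not code from the original post, from Ryan, or from nCircle. It joins three independent views of one vulnerability per host: the patch-management system’s claim, the product version a network scanner actually observed, and IDS alerts for the old exploit signature. A host is only trusted as fixed when the independent evidence agrees with the claim; the case from Ryan’s scenario (patch system says “installed”, scanner sees the old version) is flagged as disputed rather than silently trusted. The product, patch id, version numbers, signature name and every record below are constructed for the example.

```python
"""Reconcile three independent views of one vulnerability.

Added example; not code from the original post or from nCircle. The patch
system's claim, a scanner's observed version, and IDS alerts are joined per
host, and a host counts as fixed only when the independent evidence agrees
with the claim. All identifiers and records below are constructed.
"""
import csv
import io
from dataclasses import dataclass

PATCH_ID = "PATCH-2006-01"     # constructed identifier
FIXED_VERSION = (2, 0, 1)      # first product version carrying the fix (assumption)
EXPLOIT_SIG = "OLD-EXPLOIT-SIG"  # constructed IDS signature name for the old exploit

# Constructed patch-management export: what the system believes it applied.
PATCH_REPORT = """\
host,patch_id,status
ws-101,PATCH-2006-01,installed
ws-102,PATCH-2006-01,installed
ws-103,PATCH-2006-01,missing
ws-104,PATCH-2006-01,installed
"""

# Constructed scanner output: the product version observed on the wire.
# ws-104 was unreachable during the scan, so it has no row.
SCAN_REPORT = """\
host,product_version
ws-101,2.0.1
ws-102,1.4.0
ws-103,1.4.0
"""

# Constructed IDS alert log: one line per alert, keyed by destination host.
IDS_ALERTS = """\
2006-08-29T02:14:07 sig=OLD-EXPLOIT-SIG dst=ws-102
2006-08-29T02:14:09 sig=OLD-EXPLOIT-SIG dst=ws-102
2006-08-29T03:01:55 sig=OLD-EXPLOIT-SIG dst=ws-101
2006-08-29T03:40:12 sig=OTHER-SIG dst=ws-103
"""


@dataclass(frozen=True)
class Finding:
    host: str
    verdict: str        # "verified", "disputed", "vulnerable" or "unverified"
    attempts_seen: int  # IDS hits for the exploit signature against this host
    detail: str


def parse_version(text):
    """'2.0.1' -> (2, 0, 1); tuples compare numerically where strings do not."""
    return tuple(int(part) for part in text.split("."))


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def count_alerts(log_text, signature):
    """Count IDS lines carrying the given signature, keyed by destination host."""
    counts = {}
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if fields.get("sig") == signature:
            counts[fields["dst"]] = counts.get(fields["dst"], 0) + 1
    return counts


def reconcile(patch_text, scan_text, ids_text, patch_id=PATCH_ID,
              fixed=FIXED_VERSION, signature=EXPLOIT_SIG):
    """Join the three sources per host and decide each host's real status."""
    claims = {r["host"]: r["status"] for r in load_csv(patch_text)
              if r["patch_id"] == patch_id}
    observed = {r["host"]: parse_version(r["product_version"])
                for r in load_csv(scan_text)}
    alerts = count_alerts(ids_text, signature)

    findings = []
    for host in sorted(set(claims) | set(observed)):
        claim = claims.get(host, "unknown")
        version = observed.get(host)
        seen = ".".join(map(str, version)) if version else "nothing"
        if version is None:
            verdict, detail = "unverified", f"patch system says {claim}; no scan data"
        elif version >= fixed:
            verdict, detail = "verified", f"scanner sees {seen}"
        elif claim == "installed":
            # The case from the post: the claim and the evidence disagree.
            verdict, detail = "disputed", f"patch system says installed, scanner sees {seen}"
        else:
            verdict, detail = "vulnerable", f"scanner sees {seen}, patch system says {claim}"
        findings.append(Finding(host, verdict, alerts.get(host, 0), detail))
    return findings


def needs_action(findings):
    """Hosts to treat as exposed, the ones already being targeted first."""
    exposed = [f for f in findings if f.verdict != "verified"]
    return sorted(exposed, key=lambda f: (-f.attempts_seen, f.host))


if __name__ == "__main__":
    for f in needs_action(reconcile(PATCH_REPORT, SCAN_REPORT, IDS_ALERTS)):
        print(f"{f.host:8} {f.verdict:11} attempts={f.attempts_seen}  {f.detail}")
```

The point of the design is that no single source can declare a host safe: the patch system can only make a claim, the scanner can only confirm or contradict it, and the IDS only tells you who is being shot at. A host with no scan data stays “unverified” rather than inheriting the patch system’s optimism, and a disputed host that is already receiving exploit attempts sorts to the top of the list.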

In short, if somebody tells you that they have the Security Silver Bullet (“you won’t need system X anymore!!”), walk away. And check that you still have your wallet.

Hacking the Mind

August 27, 2006

Recently, I did a talk at HOPE Number Six that was called “Hacking the Mind”. It got some decent reviews.

I mentioned it on the Hope Wiki (which is down as I write this), but the slides are here. As well, the HOPE website now has downloadable Audio of the talk. I had a blast with it, and the audience seemed to like it, so I thought I’d post it up here.

Bandaids are for Stupidity

August 25, 2006

So, Mary Ann Davidson has a blog. I haven’t ever met Mary Ann in person, but I have seen her speak a few times – she’s an excellent speaker, and does an amazing job of getting her message out.

But I have yet to hear her say much that I really agree with.

(Aside: I was scheduled to speak on a panel with her at the Security Standard in Boston, but with leaving nCircle, TK’s going to take that spot. I was quite looking forward to that discussion.)

Anyways, her blog has the following nugget on it:

“Think about it, why do we need all these “protection” products like anti-spam, anti-virus, specialty firewalls and so on? Yes, defense-in-depth is sound defensive security practice, but in general, if enterprise software were more robust, self-defending and didn’t have so many dumb (technical term) coding errors (DCEs), we wouldn’t need so many products that are supposed to protect against attacks engendered by DCEs.”

I completely agree with her on this point – and if cars didn’t have so many dumb mechanical errors (DMEs), we wouldn’t need auto-mechanics either. Except that people crash cars. Okay, well, if we didn’t have terrorists, we wouldn’t need airport screenings either. Except that some redneck would probably forget to take his gun out of his pants pocket.

It’s the same thing in the security community – even the most self-defending computer code can be defeated by a user with a sufficient deficit of clue. And, really, that’s what most “bandaid solutions” (as she calls them) are for. They protect enterprises from their users’ lack of clue. (“Oh, look… an email that says “I love you”… let me open that attachment!!!”)

While the security world would be better off if all of the vulnerabilities (DCEs) went away today, I’m confident that I’d still have a job if that happened. Because it’s going to take a long, long time to teach users not to open attachments in their email, or download games from untrustworthy sites.

Flashback

August 25, 2006

I was reading the Matasano blog this morning and Tom’s newest entry gave me a huge flashback:

“From the new blog of former Hiverworld researcher Marty Roesch comes this post…”

Suddenly, I was back in 2000, walking in to those offices on University Ave in Berkeley. Walking by Basia at the front door, seeing Marty talking with Jeff, Andrew and Will.

I wonder who else that sentence gave flashbacks to.

Sayonara X-Force

August 23, 2006

Consolidation in the security industry continues… ISS got bought today by IBM.

The purchase price was about $1.3bn – quite a decent number for ISS, especially since they’ve been a bit in decline over the past few years. Their scanner went into disrepair, X-Force lost most of their key talent, and others (esp. Cisco & McAfee) took share from them in the IDS/IPS world. It’s not like 2000 when RealSecure was the best IDS out there by a decent margin, and X-Force was the most bad-ass research team around.

What’s interesting is how the world has changed in terms of acquisition prices… in the early phases of consolidation, we saw huge multiples – as an example, Cisco purchased Okena at a 22:1 price/revenue ratio.

However, this one’s only at about a 3.5:1 multiple – what does that mean for the network security industry over the long run? Does it suggest that we’re less vital as a strategic part of a product portfolio? Most importantly, what does this mean for the acquisition prospects of the smaller companies that still exist out there whose VCs are looking to pull in 7-10 times multiples?

Do you have the Right Key?

August 22, 2006

So, last night, we went to Warren’s Lobster House in Kittery, Maine for dinner. Beyond being an absolutely incredible meal of lobster and a really incredible salad bar, there was a little trick that I loved.

With our dinner, the waiter dropped two small envelopes on the table – inside each envelope was a small key. And the envelope directed us to the gift shop, where we could try our key in their “Treasure Chest” to win a prize. And so, when we had finished our dinner, we walked to the gift shop to try out our keys. Of course, we didn’t win anything.

But I can guarantee that if it hadn’t been for the realization that everything in there cost three times what it would have elsewhere, we’d have come out with something. And the store was perfectly set up for kids – I know we wouldn’t have escaped without purchasing something if we had little ones in tow. (I know this because I saw it happen to another couple who were in the store.)

It seemed like a very Seth Godin thing to do. And it made me think: what little aside could I do in life to ensure that I have satisfied customers?

The One Career Mistake that you Should Never, Ever Make

August 22, 2006

I hesitated over the title of this entry, because there are a lot of dumb career mistakes that you should never, ever make. But there’s one that I can think of that is more egregious than most, and many people make it without thinking about it. I don’t remember where I learned this one, but it’s one of those things that I have learned that has always made my career a little smoother than it probably would have been otherwise:

Never, ever, ever, ever get on the bad side of human resources.

That simple.

I’ve seen people do it, and it’s almost always just about the worst thing that they can do – their life becomes more and more difficult. This is especially true as the company gets smaller – the person who runs HR almost always has the ear of someone important, and you’d be better off wearing a sign that says “I hate my career” than get in a fight with the head of HR.

It’s funny – sometimes the simplest rules are the most profound.

Hurricanes and Internet Worms

August 21, 2006

It seems that there was a bit of reaction to my recent blog entry. Specifically, Alan had a great post about hurricanes in response to what I wrote the other day.

Two things I wanted to respond back to: first, I didn’t mean to suggest that I was “taken out of context”. While I always caveat my warnings, I was quoted entirely accurately by Bill. The caveats weren’t included in the article, but I didn’t expect them to be. The point was simply that I always knew it was possible that there wouldn’t be a worm – just that the conditions were right.

As for hurricanes, I can claim to have lived through only one of them – I’m not a southerner as Alan is. But I do take a bit of an exception to his analogy – I have made this kind of warning only one other time in the last 3 years. While many other people in the security community are hawkish every month, you can see from previous news stories that I’m usually the one who is suggesting the least severity around things. I’ve had numerous Patch Tuesday discussions with reporters where my message was basically “ho, hum… another IE patch”.

The argument behind my alarmist comments was basically the same one that Tom Ptacek made over at Matasano’s blog:

What a vulnerability needs to rival the Slammer worm:

  1. A vulnerable population of more than 50,000 hosts (check!)
  2. A pre-auth vulnerability that provides remote code execution (check!)
  3. A reliable exploit (one that doesn’t need to know specific stack or code offsets in the binary, and that isn’t heavily data or timing dependent). (check!)

This is very different from a weatherman predicting a hurricane with only a tropical depression forming – this is more like seeing a tropical storm on a westerly track about 350 miles from Florida, when the water is significantly warmer than it is in average years. Sure, there’s a possibility that the storm will turn north early, or head into the gulf without making landfall. But there’s also a good chance that it’ll hit land.

And, while Alan is completely right about me knowing little about hurricanes, I know a little about internet worms. The conditions were right for a bad one – that it hasn’t hit is fantastic, and nobody is happier than I am about that (except perhaps the administrators who would have lost sleep).
