Good artists copy, great artists steal
February 28, 2007
I was a bit surprised today when I saw a comment on my earlier post about using 37Signals as a template for the redesign of the website for the ebook Forget The Parachute, Let Me Fly the Plane. The copy was from Jason Fried, over at 37Signals:
“Thanks for the kind words about our book, but you can’t steal the design of our site for your own purposes.
Our designs, like the words in our book (or the words in your book) are protected by copyright. Stealing someone’s design is like stealing someone’s words: It’s plagiarism and it’s illegal.
Please change the design of the site within 72 hours to your own original design.”
I’m actually a little surprised – “plagiarist” is a word that isn’t thrown around lightly, and I’m more than a little disturbed by it. As long as I’ve been in technology, the ethic has been to look at what other designers do and learn from it, copy the good ideas, and move toward something even better.
I intentionally gave 37Signals credit for the inspiration here because I respect their work, their ethic, and their thoughts on design. And I believe in giving credit where credit is due. One of my readers accused me of being “a little too honest” in my previous post. But, at the same time as I’m trying to sell the book, I’m also using the experience of doing something completely online as a learning experience.
Using their work as a basis for my own future improvements wasn’t meant to be construed as “plagiarism”. Never did I consider that a site that doesn’t walk on their trade-dress or their trademarks would be something that they’d jump on. Call it a learning experience.
In an email discussion, Jason said: “Our designs aren’t templates for the public domain.” I can understand that, of course, and my goal wasn’t to take their templates directly – only to move from where I was to the beginning of something new.
To that end, I have replaced the site with the old version until I can make further edits and improvements that can’t be construed as copyright infringement.
Reflection before Changes
February 28, 2007
Over at his blog, Alan has some great thoughts on reflection. From the post:
“But there comes moments in all of our lives where we stop and want to bookmark where we are and reflect on who, what and why we do what we do. I am having a weekend like that this weekend.”
I, too, have been reflecting a lot lately. For me, it happens most often when I sense impending changes in my life. With the new book project and a few other things percolating (but not yet finished), I have found myself reflecting a lot lately on my life and where I’m going.
I can relate to much of what Alan said – I am lucky to have a wife (of almost a year) and great friends and supporters around me. (Some of whom I email far too infrequently… you know who you are, and I promise to write soon).
What I find most interesting is that I’m “eating my own dog food”, so to speak – many of my reflections have come by working through the games in my own book. And they have been incredibly helpful in answering the question: “where do I want to go in my life? Who do I want to be? And who do I want to be surrounded by?”
Those answers have been somewhat interesting, and some of them haven’t been what I expected.
The time for firing vendors is here….
February 27, 2007
Not sure whether it’s the ever changing weather, the change in Daylight Saving Time in the US, or the fact that spring is now just around the corner, but it seems that this is the season for firing vendors. Michael over at MCWResearch is going through a divorce with a vendor. He lays out a whole pile of issues and things that vendors should never do.
And, while I agree with most of his points, he really is sounding like a jilted lover laying out all of the faults of his soon-to-be ex. It makes an interesting read from the “People magazine” type perspective.
Just as interesting is the saga of Jim and the Sony Vaio laptop that he had some trouble with. He has certainly had his share of mishaps with this one, and I can’t imagine a company handling a customer service situation much worse than they handled his.
Maybe it’s not the weather – maybe customer service is much like security in its investment patterns: “just good enough” is really the key to success. And it sounds like Michael and Jim both ran into situations where vendors strayed too far afield of the “good enough” line.
I Paid $50 to Drink Concentrated Sulfuric Acid
February 27, 2007
No, that title isn’t a typo. I didn’t win $50 for the privilege, but actually paid for it.
As anyone who reads the blog often knows, I’m always looking for ways to be better. Whether it’s mental, emotional, spiritual or physical, I’m always looking for some “new thing” that will help me out. And I often go in cycles where I focus on different things at different times. (In that way, I suppose I’m a bit like Steve Levitt, who talks about his “twice a year” health kick). Right now, my focus has been on improving my health and fitness.
Which leads me to the real story here. I was at the health food store on Sunday, picking up some great food, and, as I walked up to the checkout, they had a display for CellFood. Well, I had never heard of it, so I asked the store manager about it. She said that her customers love it, everyone raves about how great it is, how amazing they feel, etc.
So, I picked up 2 bottles, at a cost of $25 each. I figure I’ll try anything at least once.
When I got home, I started reading the literature associated with the products, and my b.s. detector started going off when I was reading pseudo-chemistry marketese like this:
“Cellfood continuously releases oxygen into the body using a secret proprietary process that catalytically reacts over and over for up to three days, continually dissociating just a little bit (one five hundred thousandth) of your body’s water every moment the reaction continues. Cellfood weakens the molecular water bonds, continually dissociating the precise amount of water molecules into free hydrogen and oxygen. This process generates body building hydrogen ions and life giving oxygen right from your internal water, and carries them via its ionic mineral solution right into all the cells.”
Well, with my knowledge of basic chemistry, it got me curious. Because a substance that releases “hydrogen ions” (i.e. H+) is an acid. So, I started researching, and found this pseudo-study which calls cellfood by a different name: deuterium sulfate, or D2SO4.
Deuterium is a heavy isotope of hydrogen, and requires a heavy water plant to produce. So, unless I’m seriously misunderestimating the capabilities of the NuScience Corporation, I’m guessing that they’re calling this “deuterium sulfate” based on the natural fraction of deuterium in water (about one part in 3200, according to Wikipedia).
Which means that cellfood is actually just H2SO4. Which is sulfuric acid.
And it’s not dilute sulfuric acid, either. When I tested it with the handy pH paper that I had at home, it came up with a pH of ZERO.
Of course, I tested all of this after I actually drank it (diluted in water, of course).
Suffice it to say, I don’t much see the health benefits of drinking sulfuric acid, so I tossed the bottles I had bought. But, all told, I have an amusing story to show for my $50 investment in the most amazing health quackery I’ve ever seen.
Technological Condemnation
February 26, 2007
One of the worst periods in judicial ignorance in American history was the Salem Witch trials. In this case, hundreds of people were imprisoned and some were executed due to little other than the ignorance (and sometimes maliciousness) of the people around them.
I was reminded of those trials today when I heard about the case of Julie Amero. I hadn’t heard the story before, but I read about it first on Amrit’s blog. Amrit pointed the reader at Ryan Russell’s comprehensive article on the story. And I found myself with my jaw hanging open. From Ryan’s story:
“There’s a good chance that you’ve already heard something about Julie. She’s perhaps better known as the Connecticut substitute schoolteacher who’s been convicted of “child endangerment.” She now faces a sentence of up to 40 years in prison because porn pop-ups appeared on a school computer.”
Actually, Ryan, I hadn’t heard anything about Julie. But I have now. And, even more importantly, I now know about this website with much of the information on the case. And, more importantly, the ability to donate to her defense, which I’ll be doing shortly.
I can’t stand seeing people buttonholed because of nothing more than ignorance. It’s one of the reasons that the Maher Arar case got me so riled up and continues to to this day.
The Trouble with Internet Marketing
February 26, 2007
So, as anyone who reads this blog knows, I released an e-book recently entitled Forget the Parachute, Let Me Fly the Plane. And with the publication of the e-book, I threw myself into learning how to sell products on the internet. Reading the popular books and blogs, listening to podcasts, and even purchasing a couple of products from the gurus out there like Perry Marshall and Derek Gehl.
And, after looking at what some others (including fellow security blogger Mike Rothman) had done, the site went live looking like this.
And, while the sales have been fair (and I really want to thank all the people who have purchased the book), the site simply didn’t convert traffic in the way that I would have hoped. And then I realized that the approach wasn’t necessarily what I had hoped: my wife called it “ugly and over the top”. Someone else compared the site to Steve Gibson’s site. And I realized that there had to be a better way.
And I went back to the gurus and tried to see what I was doing wrong. And then I realized that all of the gurus are selling their expertise. But I couldn’t find any examples of their expertise beyond what they were telling me. And beyond what they were selling themselves. So, they’re experts because they’re selling products.
So, I went on a bit of a search for someone who had just done it. And I found exactly one example: 37Signals’ book Getting Real. They sold a huge number of copies of the book. And their site looks absolutely nothing like the sites that are touted as the paragon of internet marketing virtue by the gurus: John Carlton, Perry Marshall, and Derek Gehl.
And, believing that imitation is the sincerest form of flattery, I re-designed the Forget The Parachute website based on the design that 37Signals used for Getting Real. (I admit it: I’m a terrible web designer, so this first iteration borrowed a lot more from 37Signals than I’d like. But, if it works, I’ll continue to refine.)
I’d like to ask for some feedback from my readers: please leave a comment or send me email: which site makes you most likely to actually buy the book? The original long-sales-copy site? Or the new site based on 37Signals?
SLA Madness
February 22, 2007
There has been some recent discussion of nCircle’s vulnerability SLA – eEye’s Ross Brown fired the first salvo, Alan Shimel jumped in, and then TK from nCircle answered back. (Update: TK’s post was from a different time period – he wasn’t part of this debate.)
Before I start this, I want to say that I respect these guys immensely and I’m not writing to throw stones – the real issues of the discussion are being ignored because, while these guys are all great executives and marketers, I would argue that there are nuances that they’re missing.
And, since vulnerability assessment is what I’ve spent most of my life doing, I can help shed some light. Especially since (even though I don’t work there anymore and haven’t in a long time) I was involved in writing the SLA.
Before I jump in on the discussion, let me stop short here and get remedial for a second so we’re on the same page. I need to explain the difference between unauthenticated and authenticated checks. Authenticated checks use things like SSH, SNMP and SMB and other protocols to log in to the device and check as though the scanner was checking from the keyboard. These are incredibly easy checks to write, and take no time at all. Unauthenticated checks work only for some vulnerabilities (the ones hackers can get at remotely on servers, not things like web-browsers and mail clients). And, in most cases, they are incredibly hard to write.
All vendors are able to put out authenticated checks in under an hour. Heck, there are teams of monkeys in the deepest parts of the jungle that are putting out authenticated checks in under an hour. As well as a few pre-school classes that I’m aware of.
The SLAs are interesting only in the case of unauthenticated checks.
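To make the distinction above concrete, here is an added example (my own illustration, not code from the original post or from any nCircle or eEye product) of the two kinds of check side by side. The service name “ExampleService”, the fixed version 2.10.1, the banner format and the host inventory are all constructed placeholders, not a real product or advisory. The authenticated check has the host’s own package inventory to work from and can answer yes or no; the unauthenticated check only has what the service said on the wire, so it needs a third outcome, “unknown”, for the cases where the banner is missing or hidden, which is a large part of why those checks are harder to get right.

```python
"""Authenticated vs. unauthenticated vulnerability checks, side by side.

Added example, not from the original post or any scanner vendor.
All data is constructed: 'ExampleService', version 2.10.1 and the banner
format are placeholders, not a real product or advisory.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    VULNERABLE = "vulnerable"
    NOT_VULNERABLE = "not_vulnerable"
    UNKNOWN = "unknown"  # not enough evidence to decide either way


# Constructed advisory: ExampleService versions before 2.10.1 are affected.
FIXED_VERSION = (2, 10, 1)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.9.14' into (2, 9, 14) so comparison is numeric, not lexical.

    A string comparison would rank '2.9' above '2.10'; that is a classic
    source of false negatives in scanner checks.
    """
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in parts)


def is_fixed(version: tuple[int, ...]) -> bool:
    return version >= FIXED_VERSION


# --- Authenticated check: the scanner logged in (SSH/SMB/SNMP) and read the
# --- package inventory, so it knows exactly what is installed.
@dataclass
class InstalledPackage:
    name: str
    version: str


def authenticated_check(inventory: list[InstalledPackage]) -> Result:
    """Authoritative: the host tells us what is installed and at which version."""
    for pkg in inventory:
        if pkg.name == "exampleservice":
            fixed = is_fixed(parse_version(pkg.version))
            return Result.NOT_VULNERABLE if fixed else Result.VULNERABLE
    return Result.NOT_VULNERABLE  # package not installed, so not affected


# --- Unauthenticated check: all the scanner has is the service banner.
BANNER_RE = re.compile(r"^ExampleService/(?P<ver>\d+(?:\.\d+)*)")


def unauthenticated_check(banner: str | None) -> Result:
    """Best effort: infer the state from a banner. Three outcomes, not two."""
    if banner is None:
        # Port closed, filtered, or silent: report UNKNOWN rather than assuming safe.
        return Result.UNKNOWN
    match = BANNER_RE.match(banner)
    if not match:
        # Banner suppressed or rewritten: no version to reason about.
        return Result.UNKNOWN
    fixed = is_fixed(parse_version(match.group("ver")))
    return Result.NOT_VULNERABLE if fixed else Result.VULNERABLE


def demo() -> dict[str, Result]:
    """Run both checks over constructed sample data for one host."""
    inventory = [  # constructed package list
        InstalledPackage("openssh", "7.4"),
        InstalledPackage("exampleservice", "2.9.14"),
    ]
    return {
        "auth": authenticated_check(inventory),
        "unauth_banner": unauthenticated_check("ExampleService/2.9.14 ready"),
        "unauth_no_banner": unauthenticated_check(None),
        "unauth_hidden": unauthenticated_check("Welcome"),
        "unauth_fixed": unauthenticated_check("ExampleService/2.10.1"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result.value}")
```

The same host yields “vulnerable” from the authenticated check but “unknown” from the unauthenticated one as soon as the banner is hidden, which is the asymmetry the post is pointing at: the remote check has to be written against the protocol itself to do better than that, and that is where the engineering time goes.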
The first thing that I have to say: in some ways, Ross is right. Today, with advanced tools like BinDiff (and, actually, everything Halvar makes), Ollydbg, and innumerable others, vulnerability reverse engineering is a lot easier than it used to be. Most companies can release remote checks in less than 24 hours pretty reliably.
But most vendors still don’t. And even fewer have gone back and written the unauthenticated checks for the ones they missed. Because it’s resource intensive and, for any given less-than-CNN-worthy vulnerability, the ROI on doing it just isn’t there.
In fact, I know of vulnerabilities that nCircle wrote unauthenticated checks for under their SLA that are still only covered by authenticated checks in most competitive products.
I’m not here to advocate for either side – the business decision clearly favors not doing it because of the resources involved, though there are customers out there who definitely appreciate it – when I was at nCircle, I talked with them daily.
Beyond that, as Ross and Alan point out, the SLA itself is mostly useful as a marketing tool, not as a statement either of quality or actual service given to customers.
But, Ross, you should have asked your R&D team this question before you posted:
“For every vulnerability since 2004 in a Microsoft remotely available service, do we have a check that doesn’t require authentication?”
Knowing your product, I’m 99.9% sure that the answer is no. nCircle’s SLA requires theirs to be yes. That’s the only real value that the SLA provides, beyond the marketing b.s.
The newest security blogger…
February 22, 2007
And the award for quietest entry into the blogosphere in 2007 goes to my old friend Ryan. You may know Ryan from his posts over at nCircle.
Ryan happens to be one of the smartest and most diverse people I know – from baseball to graph theory to security, I don’t know many people who can expound intelligently on so many different topics. I’m incredibly excited to see what he does with his blog. Already, he has baseball blogs linked on his blogroll, so we can expect some interesting topics. And his first few posts are as good as I’d expect from a guy I had to pursue for over a year to get him on staff at nCircle.
(Thanks to Tyler for the link to Ryan’s new blog.)
Slides: Building a Sustainable Security Career
February 21, 2007
I spoke yesterday at the New Hampshire Chapter of ISSA on the topic of Building a Sustainable Security Career. The talk went quite well, and the audience had fun debating how the world of work is changing.
I promised that I would post the slides for the talk – even if you weren’t there, you may find the slides interesting. And they give a good (security-focused) preview of Forget the Parachute, Let Me Fly the Plane.
Some Debunking of “The Secret”
February 18, 2007
All the big hype lately in the “self-help” world has been about The Secret. This is a movie produced in the UK with many of the big names on the “B List” of the self-help world. And the movie has very quickly made them into “A List” people – the cast of the movie made Oprah last week, which is about the pinnacle of the universe for self-help authors.
Linda had a post recently that talked about some of the content in the book (which is based on the movie). From the post:
“This morning, I was reading a book that is currently the subject of lots of buzz (yes – it made it to Oprah). It contained a statement that it has been ‘scientifically’ proven that an affirmative thought is hundreds of times more powerful than a negative thought. No reference was given to the study or studies that “proved” this hypothesis.”
Having read much of the work that underpins the premises in the movie, I can reference the study. The “scientific proof” is based on the work of David Hawkins and his book Power vs. Force. In the book, Hawkins “scientifically” proves the energy level behind certain thoughts, concepts, emotions and figures in history. This one is done using Applied Kinesiology (AK) or “muscle testing” because, in Hawkins words, “the human body is the ultimate measure of truth or falsehood”.
Do a bit of reading about AK and you’ll find very quickly that it’s as much a phenomenon of social proof and hypnotic suggestion as it is of any response with the body’s energy field. And, unfortunately, Hawkins’ experiments have been unable to be reproduced by anyone other than him.
All told, it’s far from “scientifically proven”.
All of that said, I enjoyed watching The Secret – the movie was entertaining and in a very similar vein as What the Bleep Do We Know. It has some interesting concepts around putting intention out into the world.
At its heart, though, it’s not much more than a spiritualized, new-agey version of the best book on the subject of creating wealth: Napoleon Hill’s classic “Think and Grow Rich”. You’re far better off reading that first.