Comments for

Comment on NLP is not Science by How Did Batseon Conclude Shoddy Epistomology!

How Did Batseon Conclude Shoddy Epistomology! — Sun, 24 Jan 2010 00:25:39 +0000

[...] you? I Googled "NLP shoddy epistemology" and got some interesting hits. Here's one: NLP is not Science | Here's a teaser passage: Where it all went to H-E-double-hockey-sticks is when [Bandler and [...]

Comment on Six Sigma and App Security by Why Information Security is the Hardest Career | Information Security Leaders

Tue, 10 Nov 2009 22:36:15 +0000

[...] changing and we’re forced to keep up constantly. The simple reason behind that change is that security is ultimately a quality issue. What’s interesting about quality is that issues in product quality are heavily front-loaded – [...]

Comment on NLP is not Science by Latest NLP news – NLP is not Science | Episteme « BrightonNLP.com

Fri, 09 Oct 2009 07:44:43 +0000

[...] NLP is not Science | Episteme [...]

Comment on Hacker Halted Redux by Great Social Engineering Presentation | The McMillen Group, LLC

Great Social Engineering Presentation | The McMillen Group, LLC — Wed, 07 Oct 2009 18:15:10 +0000

[...] in why social engineering works and not just the techniques used, there is a great presentation here. I would like to thank Mike Murray for taking the time to record his presentation in its entirety [...]

Comment on NLP is not Science by NLP for Social Engineers |

NLP for Social Engineers | — Tue, 06 Oct 2009 00:00:04 +0000

[...] state of NLP learning and its application to social engineering. It got me riled up enough to do a post on NLP and science a few months [...]

Comment on Hacker Halted Redux by Chris Carpinello

Chris Carpinello — Thu, 01 Oct 2009 00:56:03 +0000

This is the t-shirt you’re looking for:

http://www.jinx.com/men/shirts/geek/social_engineering.html

Mine is well worn.

Comment on Greed as a prime motivator by Michael

Michael — Wed, 30 Sep 2009 21:28:45 +0000

I would like to point out that there is not fear and greed, only fear; greed is fear of falling behind. A buying panic such as the one displayed by the executive in this situation is a moment of fear.

Comment on Hacker Halted Redux by Interesting Information Security Bits for 09/29/2009 | Infosec Ramblings

Interesting Information Security Bits for 09/29/2009 | Infosec Ramblings — Tue, 29 Sep 2009 23:10:00 +0000

[...] through on it. Check out this post to see the full version of the talk he gave at Hacker Halted. Hacker Halted Redux Tags: ( social-engineering video [...]

Comment on Greed as a prime motivator by Jamison

Jamison — Tue, 29 Sep 2009 11:51:34 +0000

Yep, eliciting a strong emotional response is a pretty strong motivator. I’ve found the two most commonly used: Fear & Greed. Lust is up there as well.

Comment on NLP is not Science by George Lambert

George Lambert — Tue, 22 Sep 2009 12:22:12 +0000

Yep, neurolinguistic programing is indeed as pseudoscientific as it sounds.

More recently it has been discredited by over 100 practitioners and researchers of neuroscience:

http://knol.google.com/k/joe-greenfield/neurolinguistic-programming/2j6nlcky7q5vo/2#

Its in a top ten of most discredited interventions

Now thats an amazing result! Show Paul Mckenna and watch his hair fall out altothether:)

Comment on Six Sigma and App Security by MikeN

MikeN — Mon, 22 Jun 2009 21:02:06 +0000

It sounds like you’re both in agreement that a financial wrapper is required for C level execs to even look at application security. The way I see it, there’s 2 ways to frame the conversation 1) You’re going to make X amount of money or 2) You’re going to not lose Y amount of money.

The problem with option 1 is unless you’re going to build and sell a solution to secure you’re application security, you’re not going to make money on it. It’s a cost centre.

The problem with option 2 is, financial quantification of risk is a very difficult thing to do without sounding like chicken little. Until a very tangible example of the described perceived loss is presented in the company, marketplace or media the C level exec can justify 100 other things to spend the money on.

In my opinion, it’s a lot like insurance. Everyone hates it until you or someone close to you needs it, then you’re glad you have it. It would take a very open minded C level exec to start the trend, but even if you find one, how do you have that “we saved umpteen million dollars” moment that gets shared with the world?

Comment on NLP is not Science by What can NLP do for me? | Self Help Blog

What can NLP do for me? | Self Help Blog — Thu, 07 May 2009 21:41:37 +0000

[...] NLP is not Science | Episteme [...]

Comment on Obama and Hypnosis by Dave Hull

Dave Hull — Wed, 06 May 2009 18:13:03 +0000

Yes. I am here leaving this comment on your blog. You have posted this entry and I have read it and am now commenting on it by leaving this comment.

It’s true that you have written this entry by creating it and posting it to your blog.

One day we shall meet in person. A great light will shine down upon you and a voice will speak to you and it will tell you to give me your wallet. And just as I am currently leaving this comment, by submitting this comment on your blog, you will have no choice but to give me your wallet.

Comment on NLP is not Science by grander

grander — Mon, 04 May 2009 21:01:43 +0000

Great post!
NLP is a classic pseudo-science.. with some nasty commercial,self-help features.
The “influence” part of NLP is really silly.. parts are simply taken from the classic social psychology, others are just bullshit. A true classic on influencing people behavior is Robert Cialdini’s work.

Paul Ekman’s work is great too. His work on lie detection is amazing.

Comment on NLP is not Science by Getting even better organizational results through personal development | Self Help Blog

Sun, 03 May 2009 05:08:41 +0000

[...] NLP is not Science | Episteme [...]

Comment on National Honesty Day by national honesty day

national honesty day — Thu, 30 Apr 2009 14:37:26 +0000

[...] | NowPublic News Coverage [2] Column: National Honesty Day is just the beginning | CJOnline.com [3] National Honesty Day | Episteme [4] Holiday Insights : National Honesty Day [5] JoeCartoon ” National Honesty Day [6] Founder [...]

Comment on NLP is not Science by Gadi Evron

Gadi Evron — Fri, 17 Apr 2009 02:57:44 +0000

Mike, great post! Thanks for taking the time and for your kind words.

First — much respect for mentioning Paul Ekman. He is one of the only body language researchers I respect.

I am unsure why you believe I am disappointed with NLP, I am still examining it and having quite a bit of fun doing so.

I like how you portray NLP as the original experiment and documentation rather than the pseudo-science and “Shoddy Epistemology” (as you quote Bateson describing it).

One point I didn’t like is that while you explain away NLP’s eye accessing cues as a sort of “wrong conclusion to good results”, I think your explanation, while plausible, comes across in a vague fashion as more of a rationalization than anything else.

I look at eye movements as yet another thing to baseline during an interview which indicates thinking processes and intent, for example, rather than anything NLP-like.

Unrelated note, there is a new TV show called Lie to Me which is based on Paul Ekman’s work in detecting lies. He is an advisor on the show.

While popularized, they are mostly careful about how they portray reading different signals, as they can mean quite a few different things from stress to not being honest about something else entirely which people think to themselves.

Comment on Six Sigma and App Security by dwaynedibbly

dwaynedibbly — Mon, 23 Mar 2009 10:51:17 +0000

So what we really need is a killer app that by it’s very nature must developed and deployed in the most assured way posible, that can act as a trojan horse (no pun intended) for bringing good quality practices (whatever they actually happen to be in the app-sec space) to the masses. I have a few thoughts on what that app should be (and it ain’t DLP)!

Fascinated to hear your thoughts on the translation/uses of manufacturing disciplines into security, it is rather apposite for myself at the moment. Personally I can see a lot of value in the Lean’s pull methodology for creating self evidencing compliance controls – not exactly sexy, but necessary none the less.

Comment on Six Sigma and App Security by mmurray

mmurray — Fri, 20 Mar 2009 20:34:53 +0000

A couple of thoughts:

First, completely agree on the application of manufacturing discipline to security processes – they are different animals. I have thoughts on the translation process between them, but that’s out of scope for this conversation.

Second, you bring up the biggest problem in the whole appsec issue – in order to drive adoption, appsec has to create a tangible business benefit (in the same way that 6S/Lean drive efficiency and profitability in the long term) before we can have the large-scale business adoption.

Is the current loss from a lack of app-sec enough of an impact on the business to make that worth doing? I have no idea. I have my thoughts, but none of them are more than wet-finger-in-the-air guesses.

All I was really saying is that, if we’re ever going to have mass-market penetration, we need those early adopters in the same way that Six Sigma needed GE & Applied Signal and Lean needed Toyota. We need to use the quality movement as a metaphor and a roadmap to organizational adoption.

I haven’t seen that yet, which isn’t going to make it something that CIOs recognize as valuable.

Comment on Six Sigma and App Security by dwaynedibbly

dwaynedibbly — Fri, 20 Mar 2009 20:23:45 +0000

This is indeed a rich topic for debate. For the sake of argument I’ll adopt a more extreme position than is strictly appropriate. The blanket application of manufacturing paradigms to information security is at best misguided and at worst completely irrelevant.
Two examples should focus things – fixing security flaws in word and building an IDS. Fixing security flaws in Word is a noble thing to do but from a manufacturing point of view it is a non-starter. Word is designed to help people create documents and communicate ideas. It should do this efficiently and effectively. That a bad guy can make word do nefarious things, whilst not good, is not part of the fundamental design brief that delivers a product to market that people will use and gain the penetration that lead to sustained profit. Lean and 6S in manufacturing are about delivering a product that consistently delivers to customer expectations within the parameters of acceptable use – fail at that and the commercial opportunity is lost. Lean delivers production efficient by eliminating waste, 6s by eliminating production defects. If ones business is delivering security software, or implementing a secured system, like an IDS or payment system, then security is a functional requirement and therefore in scope of manufacturing paradigms. A false-positive in an IDS is waste Lean should eliminate and evidence of a defective detection routine that 6S should cover. If a flaw in word can compramise a supposedly secure system, then it is not a failure of word, but in the defensive depth of the secured system. If a flaw in word can screw up or lose a document, then it is a failure of word.
Now here’s the rub. What if 6S and Lean, expressed as organization qualities, had only peripheral effect on the success of the business? Toyota’s Lean techniques haven’t made people buy cars in the current down turn. Lean is about efficiency. Name me one business for whom efficiency isn’t vitally important? 6S is about avoiding mass production mistakes. What business won’t benefit from that at some level except companies that succeed because of bespoke production for whom 6S isn’t that relevant? I don’t mean to undermine these things, they have delivered tremendous savings and efficiencies. But a vibrant market, flush with ready cash is far more important. The ecology of a business is the single biggest contributor to it’s success. If the market demands custom built then mass production won’t help. If the market don’t want what you sell, however good, then the product is a dud. Looking at the success of previous companies and divining what made them work is very difficult. It is fraught with danger and bad assumptions. The Halo Effect by Rosenzweig (http://www.amazon.co.uk/Halo-Effect-Business-Delusions-Managers/dp/0743291255) describes the problems very well and is a must read! Certainly the level of data needed to prove that these things are in-and-of-themselves recession beaters in today’s ‘noughties-are-the-new-thirties’ world is just not there.
Quality is not free. To describe it as free implies perfection is free, which is demonstrably untrue. It takes practice, honesty, integrity, dedication and energy. Every industry needs that. If you want to sell application security it to C-level executives then prove that the security you deliver is what your customers actually want. But one has to remember from TX Maxx that customers are fickle beasts who’s memory length is inversely proportionate to the depth of their pockets, and aren’t apt to behave in totally rational ways.
Am I right? I don’t know. All I know is that survival is based upon one’s reading of the world and adaptation to that information. More security is not always the right thing. Just ask the blacksmith forging a new sword with a suit of chain-mail on.