online whoring and the beauty of the internet

…Silicon Valley once was home to scientists and engineers — people who wanted to build things. Then it became a casino. Now it is being turned into a silicon cesspool, an upside-down world filled with spammers, liars, flippers, privacy invaders, information stealers — and their grubby cadre of paid apologists and pygmy hangers-on.

Pieces like this* (Hit men, click whores, and paid apologists: Welcome to the Silicon Cesspool) remind me why I always have this inexplicable bad taste in my mouth when thinking about tech journalists, “online influencers,” and other people who don’t seem to *create* or *do* anything other than chase page views, which itself doesn’t seem like a viable long-term business strategy to me. (Evidenced by the utter lack of ads on my own site.) In a sort of subtle (maybe too subtle for the people in mind) switch, I much prefer those people who chase content; the page views just become incidental and never eclipse the content.

(To pile onto things, I also hate articles like this: Apple PR’s dirty little secret. The situation pisses me off, but I also get pissed at the tech author who thinks way too highly of himself and whines in the article itself. Get over yourself and shut up.)

This is the sort of thing that really rocked Digg, or maybe didn’t rock it directly, but it does contribute to various levels of lack of trust: transparency and conflict of interest. I don’t like having to piece together for myself a conflict of interest, since that will absolutely destroy credibility in my eyes. At the very least, be up front about it, about your processes, and if you do sell spots on the front page or otherwise artificially adjust whatever, at least say so. I know Google’s first few hits are paid placements, but they don’t hide it either (well, not ENTIRELY anyway…they certainly do try to camouflage it…)

When I read a magazine and I can’t tell if a page is an ad or not, I feel upset and distrustful of both the magazine but mostly the product on that page. I really hate having to see the words “paid advertisement” on the top in order to tell, but at least the mags do that much!

Don’t get me wrong, mags plug shit in their normal articles as favors or whatever all the time. Yeah, information security and tech magazines know this very well! Just like Congressmen introduce bills for lobbyists, just like I may gloss over a few negative traits to get a casual friend a job interview in my company, etc. This happens, but that doesn’t mean I really like it. I just tend to try not to internalize and agonize over fights that can’t be won, ya know?

Anyway, the point is I have never liked the whole “online influencers” problem. It’s a greed play for money via pageviews, rather than driven by the love of the content (or ego play to compensate for poor self-image that drove them online in the first place). And because I don’t like this sort of stuff, it’s sort of why I don’t think things like these are viable business models (or personal mental health models) in the long run, even though they are lucrative in the short run and are threatening to destroy things in their wake (traditional journalism, content-driven but under-funded ‘little guys,’ etc).

Hell, you can even chase non-monetary popularity if you want. Just don’t be a whore.

One of the absolutely beautiful underlying concepts of the Internet is the playing field where someone can share something of quality, and you and I can find it. Where we’re not just bound by physical limitations or horizon limitations where I can just look up more on it and verify information and such. It’s not just information served to my eyeballs, but interactive and, at its best, a give and take situation that enriches lives in a wholesome way.

(Oh, and I believe ripping away anonymity won’t help.)

This is strange. I’m being pessimistic and ranty about having an idealist slant on something? Anyway, End Rant! 🙂

* I already don’t recall where I got linked to this article…

a bunch of great sec lessons from tripwire

I love me lists, and Tripwire dug deep to drop out a list of 25 things:* “25 Infosec Gurus Admit to their Mistakes…and What They Learned from Them”.

(* I say things because that title sucks. It’s too long for Twitter use, so it gets shortened and passed around as various other juicier-sounding things, but is still a fun read. Likewise, you’ll get halfway through the list and forget what the point was; are these myths? truths? just anecdotes? did this just get too long?)

This is a huge list and not everything is worth reconsidering, but I wanted to highlight a few things, more than I anticipated, probably because there are good lessons through the whole list. Some of these lessons could be a whole book chapter in themselves.

1: I got no errors so I’m sure the backup is valid – Test and verify. You’re taking backups? Are you sure? And do you know for sure you can restore them when you need to? Having backups is probably the most important security *and* operations function, and verifying the process works shouldn’t be done when the emergency hits. (I really, really hate when “outages” are excuses to call them half-assed [and usually woefully incomplete] disaster recovery/business continuity tests just because someone is averse to talking to the business about the interruption/work that occurs during the real test.)

2: Do you really need everyone to wish you “Happy Birthday?” – I actually think I uttered an audible, “wow” when I read this. It just bears highlighting in itself.

4: Yes, a UFO is an unidentified flying object, but it’s probably an alien – Great point, yet strangely enough for someone with an ear to security, I’m usually the last to assume some form of strangeness is a hack attack. I guess I’ve seen way too many “strange” things turn out to be explained via completely innocent means (or unexplained, non-security events). As I like to say about law enforcement approaches: the simplest answer is usually the correct one.

5: I don’t care. I work in information security, not physical security – I simply like the reminder that, well, fucked up shit happens in the physical world, and you really can’t predict it.

7: Let’s get the bad guys…all the bad guys – I’m not sure I liked this item; I had to read it several times and still am not sure I follow it or agree with it. I think maybe the bullet title is just awful since it doesn’t match the anecdote. Still, even small things can be a problem, as I think a few other bullet points make mention of, but yes, we should prioritize, and we can’t get to everything all at once.

10: We only offer secure access to our system, unless you want to use our test machine – I have to quote Wysopal because he’s right. Read another way: least-fricken-privilege. This is one of the more common issues, imo, in business: people do and get away with whatever they *can* do or get away with.

“The lesson here is not to give your users a less secure way to get something done or they will pick it and be compromised,” said Wysopal.

11: This system was secure when I bought it – As I move further into my career, I realize the hardest long-term problem I’ll face is likely just keeping up with changing technology. I’m just one job and a few years away from being grossly behind, ya know? I’m thankful I work in a progressive organization right now where we have many advanced tools and a mature IT budget and culture, but getting behind always scares me. Hell, I’m already behind on the desktop side, as I’m nowhere near as proficient at Windows Vista/7/2008 as I am everything older.

13: We’ll make it a security policy and everyone will follow it – I love both his points in this bullet: monitor (verify) and even educate your clients. For the latter, right now I’m actually having to defend an SSL certificate on a website that passes internal credentials and sensitive data to a client who doesn’t want to spend the money to purchase one. If a client asks, the account managers and salespeople aren’t going to say no! Normally I just do this, but more and more, larger corps are keeping tighter control of domain ownership…

14: Hurry up, we need to fix this problem right now! – Slow down and do it right. In the past 6 months we’ve had it pretty rough on my team, with lots of strange outages both self-inflicted or completely out of our control. I really dislike how, during an outage, a huge rush and pressure is put on to find creative ways to get things half up again. This often brings with it new challenges, issues, orphaned changes, and risk, and sometimes causes more problems than it fixes. If you have a plan, stick to it. Don’t create new plans during an issue unless you absolutely have to. And if you do, relax, think about it, and work smarter rather than faster. (Really, this cuts both ways and gets back to value/business needs, but my more recent experiences are reflected in this opinion.)

15: Yeah sure, the USB key is secure – Just a great anecdote to drive home that bad things happen and people are ultimately a constant problem.

18: I’ll just dictate security and it’ll work – I think dictating security *does* work, but not when you’re just dictating policy or procedures; only when you’re backing it up with technological controls to enforce it.

19: People are usually very thorough when filling out survey forms – I cringe. I know Bob fills out security questionnaires from prospective clients. Bob barely knows what he’s filling out. Bob also knows prospective clients barely look at the results anyway. Ultimately, what someone claims is somewhat meaningless without verifying it. I think that rings true in several of these bullets.

20: All vulnerabilities take priority over the business – Ahh, this rings of both truth I agree with, but also some of the more intense frustrating feelings that I disagree with. I think this is where you’re on the bar of a seesaw that can’t fully dip down on one side or the other. It’s hard to read this without feeling that hot/cold duality, to both agree with Gene and disagree. Honestly, I think that’s a healthy reaction to this…

21: Eventually, when I have time, I’ll encrypt that hard drive – Just another great anecdote, especially to higher-ups, that shit sometimes just happens. And when it does, it doesn’t smell like roses like ya think…

22: No one is going to screw with my unattended computer in the office – We do this in my team, and it drives home the point quite nicely. I prefer to email their immediate manager, “I’d like a pay decrease. Thanks!”

24: Wow, a cool new untested security product! – The real point in this, to me, is that you can’t just throw something out there in the name of security and expect it to just be unattended. I agree you should test, but you could spend a year testing something like an IPS, put it in, and still have a strange problem. You need to accept that security is an ever-moving balance between blocking things and allowing things, on an ever-moving landscape. It’s like balancing on a pylon from a broken dock in the beating surf.

interviews and hiring and social interaction with strangers

Enjoyed this quick and entertaining article from Techdulla: “Hiring is hard.” I’ve (obviously) been the interviewee in the past, and I’ve done some of my own interviews as well (usually with my manager, sort of as the technical evaluator). It’s my opinion that interviewing for a job is an extremely stressful moment for most people, right up there with public speaking. I think we internalize way too much and stress way too much about how the other person (or audience) is thinking about us, and not enough on just presenting the content. While the content is admittedly ourselves, the judgement will come later on with a yea or nay on the job interview. Warning: This might be the introvert talking!

Interviewers can help with this process, and I think some care can be given to help ease the person being interviewed, at least just a little bit. Maybe try some informal ice-breakers or some directed conversation to get things flowing, ya know? Like talk about the company and position and yourself for a bit, rather than immediately putting the interviewee on the spot. It’s not like the employee-manager relationship is always going to be this tense, stressful, rigidly formal situation. Some might think this is a good idea because it may reveal personality traits (good or bad) that can be subdued when talking to a stranger and/or an authority figure.

It’s a whole other topic about dealing with the self-conscious issues when dealing with strangers or interviews. While I am quite an introvert and really suck with the small talk that extroverts excel at, I have gotten far better than I used to be; I think partly I’m comfortable with myself, but also realize deeper things like how such worry just doesn’t matter, and whether someone likes me or not is not a big deal in the whole scheme of things that entail my own life; some people I’m compatible with, others not really. Basically, carry a conversation, be knowledgeable about the topic at hand, listen respectfully, don’t put up false fronts, and try to be interested about the other person. Or at least learn to suppress those expressions and mannerisms that consciously or unconsciously signal to the other party that you don’t want to talk to them at all; encourage just enough to get more information and evaluate whether that cute blonde is still worth chatting with at length.

These are not just thoughts about interviewing, but rather interaction in general, from dating to meeting strangers, to small talk in the bar.

I thought about making one of my New Year’s Resolutions this year to make an effort at saying something to a stranger every day (beyond a general greeting) or some other nicety designed to challenge my introvertedness (practice, practice, practice) and improve my social skills, but decided I had enough stuff already lined up, and thought I could use some more planning on that one.

divulging encryption passwd could be protected testimony

The issue of forcing the accused to provide hard disk encryption passwords is a pretty interesting topic these days. I just read today over on the H about how, in certain situations, password divulgence could be protected by our Fifth Amendment (protection against self-incriminating testimony). Definitely interesting.

I’m no lawyer, but there are plenty of fun issues. For instance, what if I don’t know the password but it is kept on a keyfob? Does this fall into key-and-safe issues? What about a combination safe where the combination is in your head? (Though, granted, I bet *someone* can get into that safe…) Or coded documents? Law is a greatly interesting field, but I’m also glad I didn’t go down that road of study back in the day!

slightly challenging my distant view of rsa

RSA has never really been on even my long list of cons to attend. Too corporate; too marketing; not deep enough; too superficial; too many analysts… But Securosis has a post with advice on RSA, and I am glad for the honesty (e.g. avoid the parties, hallway track: they’re not the same beast as geekier cons) and detail. The post even mentions that there are plenty of geek things to do, such as engineers to talk to and product demos and such, which is a great point, and one that may make a trip to the RSA conference worthwhile. Someday. It’s still not in my plans!

They also have a post up with some eats recommendations, which I know I always personally appreciate when I can quickly get a thumbs up or thumbs down. It sucks to experience that craptastic fake Chinese place first hand. (I need to be careful with my wording, lest I start making it sound as if “liking” something on a “social network” is a good thing that I should be participating in all the time. I love me first-hand opinions, but the author and content and context [e.g. poor Amazon reviews because shipping sucked] still need to be considered as opposed to a raw score…)

checking out 8 lessons from the nortel hack

Via Infosecnews mailing list, I read 8 Lessons From Nortel’s 10-Year Security Breach. Let’s visit these items!

1. Don’t Treat Nortel As The Exception – This is a good item itself, but it gets smeared with the stain of having to talk about APT. As item #8 implies, don’t limit yourself to just talking about APT.

2. Keep Proving You’re Not Nortel – This follows the need to have permanent, ongoing security.

3. Create A Robust Information Security Program – A good point, but please at least mention the need for staff in addition to tools.

4. Expect Defenses To Fail – Can’t say this enough, since it never really sinks in to unwashed managerial levels.

5. Don’t Fail To Investigate Data Breaches – Fair enough, but this is also a really big cultural and political problem, not to mention an empowerment one. One thing to learn from Nortel is that even the CEO levels need to capitulate to the security team. Honestly, the IT team knows a lot about a company (and has great access), but a robust security team probably knows or could potentially know even more. Accept it and embrace it for maximum value from your staff. This is hard, though, since analysts may see lots of little things that make no sense and they have to choose which to investigate, or may spend too much time tuning things to create black holes in an effort to be more efficient, or quite simply don’t want to create more work for themselves (unethical, but that’s human nature).

6. Conduct A Thorough Forensic Analysis – The next line is better: “Likewise, don’t expect breach investigations to be cheap. But short-term savings–skimping on conducting a thorough forensic analysis after a breach, for example–can have long-term repercussions, as Nortel discovered.” Tell a CEO you’ll need his laptop for a week to do forensics on a suspected issue. His reaction will tell you everything you need to know about a company’s security culture.

7. Expect Greater Accountability – Not sure if this will create accountability or simply just be more noise that desensitizes people to insecurity. Still, look forward to more economic pressure toward accountability…

8. Defend Against More Than China – Good point, but I really wish they had mentioned US, domestic, or even hackers in your own backyard.

my bigger concerns when I hear a company has been hacked

A British student has been jailed for hacking Facebook:

Scotland Yard said in a statement that the breach had occurred “over a short period of time” in April of last year. The court was told that Mangham had obtained the information after hacking into the account of a Facebook employee while the staff member was on vacation…

“This was not just a bit of harmless experimentation,” [Judge] McCreath told Mangham. “You accessed the very heart of the system of an international business of massive size, so this was not just fiddling about in the business records of some tiny business of no great importance.”

And what exactly happens to a large, tech-friendly corporation that allowed a single hacker to access the “very heart of the system” in what sounds like a live-or-die breach to that company? Internal reviews, probably an employee with a slapped wrist (perhaps), and nothing else that I can tell. Well…at least they found the attack (presumably).

the discussion on continuous patching

First, go read Rafal Los’ post over at the HP blogs: Continuous patching – is it viable in the enterprise?, along with the comments. I really deeply dislike the commenting system on their platform (even more so on my Linux desktop, let alone the damn captcha and moderation rules…), so I’ll make reactive comments here, largely because it’s a great discussion.

(Disclaimer: I’m super sensitive to downtime discussions right now, since my company is suddenly super sensitive to it, resulting in more work by my team, more after-hours work by my team, and lots of confusion on how to satisfy “no downtime” mandates with “make progress” expectations. It’s painful in the SMB world where expectations between biz and technology [and even security!] are still in a world of upheaval this decade.)

1. Hindsight is always valuable, but in too many cases with technology risk in business, we’re just going to keep bouncing between contradictory “hindsight lessons,” which result in analysis paralysis. At some point, you just need to buck up and do it and stop playing business politics about it.

2. Patching is “simple” (even though it can be easily over-thought and subjected to analysis paralysis) and everyone can put in their 2 cents, from IT geeks to the lowest users to the highest execs. Yet we can’t even begin to agree on it. Just like so many things in security, we need to stop looking for the “right” answer to the problem. It will always be different. If there was one correct answer, it would hit us all like a truck to the face and discussion would be over. That said, this discussion is still useful.

3. “Patching” in an organization isn’t just about approving patches in WSUS, or even testing them. It might also mean getting them configured in a central management tool like Altiris, or image files and the like. For my SMB, smaller more frequent patching (presumably at on-demand intervals) really sucks and would probably result in only bothering with major upgrade releases.

4. When we’re talking the web world, sure, downtime may be minimized as systems are updated, but that doesn’t mean users feel all hunky-dory when a “patch” changes their app layout (thanks Google Reader/Gmail, Twitter, etc…). That may not be “downtime” to managers, but may as well be downtime for users. And we may not even be talking yet about developers making constant little changes to web site code, or at least more frequent changes. It’s always fun when frequent changes are made and a problem isn’t found right away to correlate to that last update. It’s also fun when users update their own shit on their systems, leaving a business in an unpredictable desktop state.

5. What is the goal of patching? To fix bugs that my users don’t see and fix security holes that aren’t currently letting in attackers, or to roll out new features that my users would like? One of those gets traction, the other does not, when management becomes sensitive to downtime.

6. I like that last comment from Chris Abramson. I dislike the part about bringing up AV signature updates (not a patch process, more of a data update), but I do like the part about baking in stability and separation so that one update doesn’t bring the host part down. And while noble, I echo the sentiments that it takes many years and many resources to even begin to do. Not something that today’s fast-moving business and technology and developers can do, or are willing to do.

why we can’t have good things

Two scenarios.

Dev: “I can either do this the more secure way which will take me 3 hours to set up and test, or I can just do it this less secure way that is already in place which will take me 5 minutes. Which would you like to pay me to do?”

And…

Dev: “Here’s a quick mock-up of what your website will look like. This is functional, but not all the protections and back-end work is done yet.”

Stakeholder: “This looks great! Perfect! Don’t touch anything, this is how it should be.”

Dev: “Wait, this isn’t done, this is just the really quick-and-dirty version.”

Stakeholder: “Nope, don’t change anything else. This looks perfect!”

Dev: “But it’s not done.”

Stakeholder: “That’s ok, I already have your time earmarked for other tasks that don’t look done yet. If we can blast through this, we’ll impress the client and they’ll be happier.”

Dev: “But…”

Stakeholder: “If the client isn’t asking for it, stop putting time into it!”

being a pest about insurance and security

I am sympathetic to those who compare info security to insurance, but there are gaping holes in such an analogy which sometimes lead people down the wrong paths. Ultimately, the real point of the comparison is to attack the idea that security enables or generates revenue or something. Unless security is something you do as a business, it’s going to be a cost.

I’m going to drastically oversimplify some things here, and I don’t have experience in the underlying nuts and bolts of insurance, but humor me for a few minutes.

1. Being covered by insurance means you’ll be compensated if something goes bad (the “risk of contingent, uncertain loss” [Wikipedia]). This would lead someone to think if they invest in security, then when an incident happens, they will get money back somewhere. While this might (arguably) work when specifically talking about actual ‘cyberinsurance,’ this doesn’t seem like a healthy way to look at your own internal security expense/duties. This then has nothing to do with prevention or detection or mitigation. Sure, those may be qualifying factors, but that’s security, not insurance. If I, as a CEO, spend money on security and I still get hacked, I better not be expecting compensation anywhere.

2. Nothing’s standard in IT. One of the biggest challenges to, well, anything in IT at all is the fact that every shop does things just a little bit differently, with lots of magic customized glue holding things together. Perhaps today’s SaaS/IaaS/Cloud will level the playing field a bit, but we’re a long, long ways away from being able to value anything properly. We have a hard enough time in specific industries. You can go to 10 companies in the same industry space and of similar sizing, and a deep dive into their security postures will probably yield 10 incompatible reports. (Note I mention a deep dive, not some piddly 2-day pen test and PCI-worthy interview process and vuln scan that harps on the same 12 things, but an actual analysis and hand-holding look beneath the covers.)

3. You don’t even need to be hacked to have your bottom line affected. Take last week’s Google Wallet disclosures. I’m not sure if anyone has actually attacked anyone with it (let alone Google), but just the presence and media attention has caused Google to take notice and even halt a line of their business while they attend to it. Try valuing that.

Anyway, I’ve exhausted my brain already on this, must be low on fuel or something, so I’ll just leave this as is.

good articles to read on a monday morning

Wendy is awesome. Her posts are awesome. I wanted to link to two must-reads. I’ll quote soundbites, but really every paragraph drips of awesome.

First, let’s skip ahead to, “In 50 gigabytes, turn left: data-driven security.”

“Yes, automation is getting better, but it’s not there yet. There are still too many alerts taking up too much time to sort through (particularly in the tuning phase). IT staff get hundreds of emails a day; they can’t handle more than two or three alerts that require real investigation. (By the way, this is why operations often can’t respond to something until it’s down — it’s the most severe and least frequent kind of alert that they receive all day, and they don’t have time to chase down anything lower-level, like a warning message that hasn’t resulted in badness yet.)”

There’s a parallel here to another piece I just read today via the PCIGuru blog: People in the Loop: Are They a Failsafe or a Liability?, by Dan Geer.

And also check out Wendy’s Insecure at any speed:

“What this indicates to me is that our IT infrastructure — from the networks to mobile — is inherently, badly insecure. And we’re so far down the road in its widespread implementation that it will be decades before the problem is substantially fixed, even assuming we started today with all software developers and manufacturers. Nobody is going to pay to replace what’s running just fine today — until someone loses a figurative eye.”

I love her explanation of telling security pros vs operations staff about business insecurity, and how their reactions are so different. You can pretty much tell someone’s background by their resigned or indignant reactions to the same ol’ news.

In the latter post, Wendy essentially talks about baking security into technology from the start. While I do agree with this, I’m not holding my breath on it. In fact, I just am not sure this will actually ever happen, even on a small scale.

The sad part is I can’t read posts like this without hearing my phone ring with 3 vendors proffering their wares as “the turnkey/plug-n-play solution” to any of the above issues before they even know what sort of business they just called.

reviewing my short list of security steps for smbs

Recent news about law firm attacks/hacks has renewed interest in the surprising unsurprising plight of small business, especially in regard to law firms, in recent articles. For instance, should a law firm employing maybe a dozen people have tight security, “just enough” security, or barely any? I think that’s hard to say. Many of these firms are going to be lucky to have a single IT-minded staffer all to themselves or to have software to do their main line of business (e.g. case management software/file storage), let alone to be secure.

So I thought it might be poignant to revisit an old post of mine where I review “5 security steps for small businesses.” Hell, even my “10 security steps for home users” is getting old.

You know you’ve been blogging a while when you can’t remember your own posts, and when you do find them, they’re way older than you thought they were!

So, how do my steps hold up? I’m not even done with this post, and I really think I need to update my list.

1. Backups. Still has to be the first suggestion. Even if you get hacked, you can still keep going if your data is backed up.

2. Network firewall on the Internet link. Gunnar calls this outdated technology (I can’t resist!), but it’s still going to be a necessary line of defense. The “pain” of the lack of this is far removed today than it used to be, though, where households had 1 computer or businesses had just a few systems and they had their balls hanging out on the Internet with public IP addresses passed right on through. In addition, so many attacks right now are coming in through the app layer (and straight on into your precious database) or through email-borne vectors. Old, but still going to be necessary.

3. Desktop Antivirus. No one really puts much weight on this, but you still don’t tell people it’s ok to not use it. If absolutely nothing else, you’re going to be considered negligent if you’re caught without it.

4. Patch Management. Yes, please. More, please.

Wow, I clearly cheated a bit on the next “one.”

5.1. Physical Security. This is usually easy for most people because it’s maybe the easiest to understand, and unless you get serious, is not really technical. If you go beyond a lock system, you won’t roll your own solution but instead talk to security professionals. Why not do the same with the systems? For a law firm, this should include secure waste disposal.

5.2. Inventory/Baselining. I’m not sure I’d keep this, but it does end up being a foundational task for any intermediate or advanced security projects.

5.3. Get Help. I think this should be a necessity on any list. It appears as the dramatic #10 on my suggestions for home users, and I think it should bookend every such list.

5.4. Wireless Security. This is still important, but not as gaudy and interesting as it was when retailers were being siphoned off from parking lots. Likewise, today’s “APT” and “organized” online hacktivists aren’t typically performing physical proximity attacks. Yet it’s hard to drop this down too far, lest an SMB leave their wireless pants around their ankles…

I think I will look into that revised list of steps for SMBs…this feels woefully inadequate today, which itself is strange, since things don’t seem to have changed *that* much, have they? I struck that last part, but wanted to preserve the thought. When you’re looking at security right in front of your nose, it’s hard to see that things really are changing. I like lists and exercises like this, because it allows one to step back and get a different perspective on things, in more than one way. Get back to the roots and fundamental problems/steps, but also empathize with the position of an SMB and their capabilities (or lack of), limitations, and pain points…
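Both the Tripwire lesson (“I got no errors so I’m sure the backup is valid”) and step 1 above come down to the same check: a clean job log is not proof of a usable backup. Here is an added example, not from the original post or from Tripwire, of what “test and verify” looks like as a script: it restores the archive into scratch space and checksums every file against the live tree. It assumes GNU tar and coreutils sha256sum; the sample data tree and the “bad” backup job are constructed for the demo.

```shell
#!/bin/sh
# Constructed example: prove a backup restores, instead of trusting "no errors".
# Assumes GNU tar and coreutils sha256sum (Linux); the data tree is made up.
set -u

# Build a throwaway data tree and print its path (constructed sample input).
make_sample_data() {
  d=$(mktemp -d)
  mkdir -p "$d/cases" "$d/db"
  printf 'notes for a sample case\n' > "$d/cases/sample.txt"
  printf 'case index rows\n' > "$d/db/index.sqlite"
  echo "$d"
}

# The nightly "backup job": archives SRC into ARCHIVE and returns tar's exit code.
# Extra tar options (e.g. a stray --exclude) are passed through; tar still exits 0
# when it silently skips a directory, so the job log looks clean.
take_backup() {
  src="$1"; archive="$2"; shift 2
  tar "$@" -czf "$archive" -C "$src" .
}

# Verification: restore ARCHIVE into scratch space and compare every file's
# sha256 against the live source tree. Returns 0 only if the restore is complete.
verify_backup() {
  src="$1"; archive="$2"
  work=$(mktemp -d) || return 2
  mkdir "$work/restore"
  # 1. What we intend to protect: relative path + checksum of each file in SRC.
  ( cd "$src" && find . -type f | sort | xargs sha256sum ) > "$work/expected.sha256"
  # 2. Test restore into the scratch dir, never over the live data.
  if ! tar -xzf "$archive" -C "$work/restore" 2>"$work/tar.err"; then
    echo "RESTORE FAILED: $(cat "$work/tar.err")"
    rm -rf "$work"; return 1
  fi
  # 3. Compare content. A missing or altered file fails the check even though
  #    both the backup and the restore commands exited 0.
  if ( cd "$work/restore" && sha256sum -c --quiet "$work/expected.sha256" ); then
    echo "OK: $(wc -l < "$work/expected.sha256") files restored with matching checksums"
    rm -rf "$work"; return 0
  fi
  echo "MISMATCH: restored tree differs from $src"
  rm -rf "$work"; return 1
}

# Demo: both backup jobs "succeed"; only the test restore tells them apart.
demo() {
  data=$(make_sample_data)
  take_backup "$data" "$data.good.tgz"
  echo "good backup job exit code: $?"
  take_backup "$data" "$data.bad.tgz" --exclude=db   # drops db/ by mistake
  echo "bad backup job exit code: $?"
  verify_backup "$data" "$data.good.tgz"   # OK
  verify_backup "$data" "$data.bad.tgz"    # MISMATCH: db/index.sqlite never made it
  rm -rf "$data" "$data.good.tgz" "$data.bad.tgz"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh verify_backup.sh demo`; in practice, point `verify_backup` at last night’s archive from a scheduled job and alert on a non-zero return.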

some thoughts on happiness and technology today

Via Securosis I read this really good article: “Happiness Takes (A Little) Magic”.
I won’t rehash his points, but I think there is still more to these stories than appears in that one. The biggest ones: to each their own happiness, and actively choose how you spend your time and work towards feeling happy with it.

(Disclaimer: This has nothing to do with information security, or even technology…and reading this is likely a waste of time for everyone, including me.)

1. To each their own, you know? It’s one thing to say, “XYZ makes *me* happy,” but another problem entirely to write a piece about happiness in a way that smacks of trying to convince the world that your view of happiness is the universal or correct one. Or just the “correcter” one. This is a failing of religion and some people in general, where there is self-doubt until such a time as other people agree with you. And if the whole entire world agrees with you, then you can relax, because clearly you’re right. If that article got 5 pagehits and 0 comments, does that make it better or worse than the one that gets 1m hits and 500 comments in a week? Or I just need to let the tone of the piece go, and move on. 🙂

2. The junk food news/information is definitely a problem. It’s why I never spent much time on Fark. It’s why I’m loath to “hang out” on IRC again. It’s why I never got into Digg or Reddit or other news sites where the news may be interesting, but just doesn’t matter to me or my life. It takes effort to stick to useful news rather than unuseful (useless!) stuff when you’re on the Internet. It takes time to cull the useless bits from a newsreader or learn to quickly scan usefulness in a Twitter feed. I’m finding value in consciously and unconsciously spending time on things that matter. And I already feel dirty browsing YouTube videos and realizing I just lost 3 hours for no real gain.

(Then again, there is a real world analog to this. If you spend 3 hours at a bar meeting 60 people, only maybe 5 are worth your time. Or maybe all the time spent driving to get to those beautiful outdoorsy places that make you feel spiritual. Or those dozen other places that you thought would be beautiful, but just gave you a rash. Or the tourist traps akin to 40m-hit YouTube videos. Great, you can say you’ve seen it, but was it *really* that good for you? Yes, to each their own…)

Honestly, I think this is an age issue for me. Even just a few years ago, I didn’t really give a shit what I spent my time doing. These days, I’m more conscious of my shortening time in this world. Hobbies are fine and distractions/entertainment are fine as well, but I’m trying hard to keep them somewhat bounded. My main weakness is really just video gaming…. As long as I’m truly enjoying the moments, I think that’s the most we can ask for.

2.5 I’m also finding a place for things that let me consume technology in a smarter or faster way. As a youngin, I used to tailor the shit out of my Windows UI with WindowBlinds or various other tweaks whose names escape me. But I quickly moved away from that because every new system or every rebuild would require all that time input again, and the time spent is just not worth it. Being able to quickly set up hotkeys to do mundane tasks that will get me done with computer work is a blessing, but eye candy is useless. I think this is one of the places the “cloud” wants to be, but is still trying to figure out how to do it and be profitable at the same time. It’s not there, but it’s a step… That may be a sub-resolution for this year or maybe the next: to more fully adopt hotkey tools and automate even more things that I do at work and play… (But not automate it in a way that saves some time, but just moves the time spent to maintaining that automation, like scripting/coding often get trapped into.)

Simplify, simplify.

3. There’s this space of people who make money and expect to make money doing very little, i.e. lounging around online, calling themselves social media experts, pursuing page hits, and writing about themselves like they’re more important than most others. I tend to feel like many of these people are one half-step away from a shattered self-image and deep depression and financial disaster. I don’t know the numbers, but it seems like so many of these people may have a few good things to say that are worth reading, but most of it is drivel and useless and a waste of my time. And certainly not worth providing some money to. Sure, play a violin beautifully in the tunnel and I’ll chip in a 20 spot. Give me good conversation in a bar and I may buy you a beer. Give me a good article, I’ll consume and move on. For so many, I think you’re better off getting a “real job” than trying to do the laziest thing you can. (Clearly, this does not apply to everyone as there are truly effective, hard-working, and highly profitable people whose sole product is online media or writing. I’m generalizing unfairly.)

4. I think there is merit in saying human beings need a little bit of adventure, but I also believe we need a little bit of ownership and production and creation of something. Basically, a tangible result of our efforts and sense of self-value. Sort of a microscopic mirror of the problem that the US is moving away from being a manufacturing country and more of an-I-don’t-know-what country. (Consuming and uselessness? Thinking? Information?) Creating a blog and other online content and chatting and comments should help support real life interactions or at least fill voids temporarily as needed, but none of that is really tangible enough to provide long-term happiness for many people. “I blog for a living” still, to me, even as technologically in-tune as I may be, seems like an awful way to make a living. Sure, there are some who are very useful on a weekly basis and earn it as a real journalist, but for every one, there are likely a thousand who need to stop lying to themselves and actually create or do something real, ya know? And in turn, stop contributing to the noise.

Then again, I may just have my panties in a bunch this week (an HQ power outage all day due to a carrier mistake will do that) and have some unfair opinions. But I think that’s increasingly my right for advancing in age.