questioning your job interviewer

Bopping through Lifehacker articles, I found a gem speaking to interview questions: “The Interview Question That’s Always Asked and How to Nail it.” (Ironically, Lifehacker has so much noise in its rss feed, I really feel only 1 in 100 articles is worth clicking into…)

When I first looked for a job after college, I would really have nothing to say after being asked, “Do you have any questions for us?” I usually didn’t. I didn’t know what I liked, what I wanted, what was out there, or what to even ask. I had so little experience that I didn’t know what I didn’t know!

These days I know better and use that question to my benefit. It lets me fill in gaps in my knowledge of the company, open questions on why I should work there, whether I’d like the job/people, and demonstrate a bit of interest in the position without sounding like a jerk. Truly, I’m not usually looking to get in good with the interviewer and demonstrate that I’m a critical thinker or something, but really there are always questions about the job, company, manager, people, and expectations that should be asked before making such a big decision as a job opp.

The article itself has a few suggestions, two of which I’ve used regularly in the past: “What is the immediate need on your team that you are hoping to fill with this position?” and “How would you describe a typical day on this team?”

biannual gaming habit update

I only realized/found out today that World of Warcraft’s next expansion, Mists of Pandaria (MoP), is set to be released in late September. That seems pretty quick. My gaming situation is a bit stagnant at the moment where I’m really only playing a few games, and not as much of them as even I’d like. I went from WoW casual to Skyrim when it released, and then Star Wars The Old Republic (SWTOR) when it released, and then Diablo 3 when it released. I’ve really not gone back to any of them since. I’ve only moonlighted in a few other games, and my XBox Live account has probably lapsed since I last logged in; I’m just not in front of my television at all (have not watched television in about 10 years, so it’s just movies and gaming).

Diablo 3, unfortunately, is just not the same crack it used to be. I mentioned my thoughts previously, and I think the points all still stand. The one exception is that I just don’t think the loot is quite the same for a variety of really small reasons that add up in the end. I have not had a single set piece drop. I’ve seen 3 uniques. The rares (yellows) are just random names with random stats, most of which I don’t want so it’s trash. None of the gear seems memorable enough, and it doesn’t drop quite enough to justify further grinds just for it. I think I might ultimately blame the Auction House (AH) for that. Also, after years of social FPS and MMO games, D3 just isn’t that social and the attempts it has made just aren’t that compelling. I don’t know how you fix that, since D2 really was similar. As it is, I have a few toons, my Wizard is level 60 and basically bogged down near the end of Act 2 Inferno (I don’t expect to have an easy time of it with the end boss, so I’ve just drifted away).

TL;DR: Diablo 3 isn’t really beckoning me to play it unless it’s with a few friends in coop.

SWTOR is a great game with great stories and I really like the gameplay. The problem is still twofold as I’ve mentioned from launch: underpopulated servers and lack of Looking For Group (LFG) tools. LFG is coming in the next major patch, but it’s really freakin’ late. I should get back to this game, but it would just be to achieve the bragging rights of finishing my Smuggler’s story arc and getting the last few levels to 50. The social part of SWTOR just never hooked me, though that’s hard to do when you don’t raid or care much for guild affiliations anymore.

WoW MoP will get me back to WoW, but I’m not sure if that will be lasting. The content doesn’t much excite me, but the biggest draw of WoW has always been the guild/social factor, as well as catering to both hardcore players and casual players. I’ve been in both boats, and I have exceedingly fond memories of both, but I really love the idea of just wasting time with virtual friends in a casual manner.

Skyrim. It has its faults and it’s strictly single player, but of all the games I’ve played in the last year, I think Skyrim is the one that beckons me the hardest to get back into. It’s huge, long, varied, fun, and deep. I just feel a bit lonely when I play (single player), and sometimes you hit walls that are frustrating (killing a priest/dragon combo as a thief-type is maddening). But it’s a beautiful game.

Hopefully MoP is fun and hopefully Elder Scrolls Online is Skyrim+social MMO, which would be amazing. SWTOR did most everything right, in my opinion, but two glaring issues really have held it back (and some smaller ones that were actually fixed in earlier patches).

playing devils advocate with security awareness training

Via New School of Information Security, I wandered over to a surprisingly hotly debated article on CSOOnline from Dave Aitel, “Why you shouldn’t train employees for security awareness”. Really, what the headline should be is, “Why the dollars spent on security training are better spent on something else.” Heading over to the article, I already knew there was some debate going on, but I was a bit shocked at the comments. (Truth be told, very few of the detractors had any decent point to their comments…)

Especially since Dave has a point.

No, he’s not completely correct, but he makes a point; the sort of point that requires hyperbole to make it, ya know? (Strictly speaking, I don’t actually see where Dave’s points echo exactly the sensational headline CSOOnline decided to give him, though I can see where one will take the 1/4 step to connect the dots…)

Too many people lean very heavily on security awareness activities; essentially saying we’ll be more secure if people make smarter choices. This makes sense, but the reality is rarely quite so nice. People still make mistakes. *I* still make mistakes, and *I* should know better. People may willingly make mistakes. I’d much prefer my business dollars spent in a way that I have a technological safety net under me.

Security awareness is useful when you don’t think the whole purpose is to improve your security by a palpable amount due to your training. Security training helps the rest of the business understand why you have security policies. It gives the ones who care some knowledge to make better (not correct, but at least better) decisions. It prepares them for when you have to investigate something, offer an opinion, review something, or otherwise finger the brakes of reckless progress. Among other political and soft reasons…

In the end, I agree with people who feel that you should have a mix of security awareness and technological controls, but still trust the technological controls more. I’ve probably said that for a decade now, and there’s nothing that has moved me from that stance. Awareness yes, but rely on those technological controls more.

Oh, and I do “get” the problem of expecting perfection otherwise something is useless. I think that’s an unfortunate extreme position that Dave *mostly* walked into. Because a few attacks still work, doesn’t mean awareness is worthless. But we may be able to have technological controls enough to mitigate, if not outright stop, the mistakes that happen. That’s where we talk about “defense in depth” and doing various things to help limit risk/damage…

pci guru on the issues with pci

PCI is an easy horse to beat when looking for impassioned discussions with other security professionals. Sadly, too many discussions just talk about “how-it’s-not-perfect-so-it’s-dumb” vs “I-didn’t-have-budget-before-but-I-have-it-now” points, and don’t get down in the trenches of the issues, as it were. Mr. PCI Guru has a lengthy, deeper post, “The Failure of PCI?” which hits many points I sympathize with, like this:

A lot of QSAs are great technologists, but would not know a good or bad control environment if it bit them in the posterior. Fewer QSAs and most ISAs know controls, but would not know a proper firewall or router configuration to save their lives. And finally, there are a very, very few QSAs and some ISAs that know the technology and controls. Unfortunately, the PCI SSC has not found the way to winnow out the QSAs and ISAs so that only the ones that know both technology and controls remain.

General media is a problem when it comes to security. Security is a nuanced, complicated topic to talk about, and media, even IT/security media, doesn’t usually have the patience or expertise to talk properly about it. Instead we get dumbed down and overly simplistic headlines and quotables like how PCI works if you follow it or PCI doesn’t work because a breach happened. None of it does anything except stir the pot and make those who quote the quotes (read: poor CTOs) look idiotic in front of their (maybe) talented staffs.

Or maybe better yet, the PCI Council/DSS is in a weird position of trying to defend itself while also wiping its hands clean when necessary. That’s an unfortunate position, but is a PR/positioning problem. (Actually, this *may* end up being a legal/insurance/CYA problem at the root…)

But that’s not a PCI problem, per se, rather an overall security one.

details on the complicated cloudflare ceo hack

Via Securosis, check out Krebs’ (seriously, I don’t have a bromance, he’s just the best security journalist out there…) article on CloudFlare’s CEO’s email hack from the other week. Check CloudFlare’s blog for an image of the visual timeline of the incident. Talk about involved!

Some web filters will flag that image location as bad, but the barely-readable preview was enough for me. Hopefully that link persists. If not, right-click the image and try to view it directly.

What’s fun is the CEO wasn’t the target, nor was CloudFlare. Apparently, the target was a client of CloudFlare’s, from what I gather. Bottomline, an attack can come from anywhere and try to get anywhere else. It’s not just targeted stuff that’s all about you, or APT that cares about you. Maybe you’re just peripheral to other goals, either as a company or as employees at a company. I hear a lot of talk about threat modeling and such, and that’s fine, but do threat models pick up things like this any better than general best practices, diligence, and education? Not sure, there.

my good and bad on diablo 3

Been playing Diablo 3 since it released, and I think I’m far enough to dump out some thoughts. My female Wizard hit level 60 this weekend and also finished Act IV Hell. I dipped my toes into Inferno difficulty (the highest) last night. Here’s a hopefully quick list of some good and bad things about the game. Overall, this is a great game and satisfies the action/loot RPG itch perfectly. (For background, I played D1 when it was out and D2 later. I played almost every class up to level 90+ in D2 [didn’t like the assassin], and did the requisite farming on my sorc [meph runs ftw!].)

THE GOOD

1. The Skills. Skill trees and skill points are gone, and in their place are skill assignments you can bind to 1 of 6 hotkeys, and runes which bring minor changes to those skills. I wasn’t sure how this would play out, since skill trees and spending skill points is always fun and a staple of RPGs these days, but holy damn did Blizzard nail this one. My Wizard has 23 skills with 5 runes to augment each, making for 115 skills at my disposal. That sounds like a lot of filler, but I’ve found very few of those skills are such. The ability to tailor my playstyle so much is absolutely brilliant. Which leads to…

2. Skill Balance. Blizzard made it a goal to do skills in a way that didn’t result in players heading to the web to find the one “uber class build” they should go for in the endgame. Blizzard succeeded (with some combo exceptions that have been patched). There are three subpoints for this. A) I’ve really never had a game where I can use a skill buildout where I might get pwned against a boss, then switch things around and try new stuff, which leads me to be the pwner. And it’s not because of skill imbalance, but rather changing my character build to accommodate the situation and how I play. B) Some skills do seem like filler with certain builds, but really many of them are meant to synergize with others for completely new builds. For instance, there’s no reason for me to add to my fire damage when I’m dishing out arcane damage instead. C) In the hardest difficulty level, I’ve seen vids of players using a wide variety of skills and playstyles, and it’s awesome that so much is viable. Which segues nicely into…

3. Endgame – Challenge. Diablo 2 was not really that hard, even in Hell mode. D3’s difficulty is tweaked far better. Normal mode is an easy introduction to the game, but from there things ramp up nicely. While the biggest bosses have some disappointments, finally I feel like champion packs and rare packs are given the respect they deserve in this game. In short, shit’s challenging once you get up there, and that is a welcome piece of endgame enjoyment!

4. Endgame – Replayability. If you played through normal mode in D2, you played the whole game. The only things that saved the game from being useless were the randomized dungeons and random champion/rare encounters and random loot drops. D3 still has the above, but at least this time there are quite a number of random events that you can find in the world, and the random champion/rare packs are more vicious, tougher, and fun. So, while not for everyone, it is a step up from D2. (Too bad the bosses aren’t exciting after the first time around….)

5. Feels finished. I played Torchlight and was highly annoyed that it felt unfinished. D3 feels like a solid, tight, finished game, and I’m very happy with it. It looks beautiful, sounds great, and plays like a dream for the most part (I am a twitch gamer, so sometimes when I try to stick-n-move the game doesn’t register the up-key and instead keeps me standing and firing…)

6. All the little things you didn’t know were annoyances in D2 are fixed. No more identify and town portal scrolls*; you can just do this stuff. In fact, no scrolls/tomes at all. You pick up gold by walking over it. Gems are a bit simplified. Charms are gone. No more mules, since your stash and gold are shared across characters. Every item only takes up 1-2 inventory slots (this is good and bad, as all weapons feel the same as opposed to the old school 6-slot spears, etc, but does save room!). No trapped chests/bodies, though sometimes a zombie or skellie pops out of a jar.

7. Health pot cooldowns. I was skeptical of the changes to health restoring from D2, but I think it is an integral component to the challenge and strategy of the game. Small change, big positive effect.

8. Followers have been improved. The no-name followers from D2 that were simply forgettable meat shields are replaced with actual characters who never die and have back-stories. That’s kinda cool. While I wish I could equip them with more things, they do a much better job about being an important part of the action in solo games, especially since you can slightly tailor their own special skills (choose 4 of 8 available skills as they level up).

THE BAD (or rather, the NOT-SO-GOOD)

1. Endgame – Level Grind. The level 99 grind from Diablo 2 is gone, replaced by a relatively easily reachable level cap of 60. I never did have a level 99 in D2; the grind from level 91 and up is insane, and even in my free-time-college-years I didn’t have the patience for it. But some people did. I really wish that was back, as it was pretty important to always have something to gain from time spent.

2. Some bosses are lame. The Act 2 and Act 3 bosses, at least for a Wizard, are laughably dumb. I dislike the Act 2 boss mechanics (from being cheap with constant adds to just standing in place and slamming tentacles onto the ground). And the Act 3 boss I think I am 3 for 3 against because he does all ranged stuff that is avoidable if you move. Badly underwhelming. The Act 1 and Act 4 bosses, however, are super fun, though a bit simplistic once you have a rhythm. Still, they’re better than just beating on Duriel like D2 Act2…

3. The story. Diablo games are not known for their deep, resonating, and twist-filled stories, yet they are pretty immersive and interesting. D3 attempts to be more complex with the storyline, but it’s either filler, easily predictable, or simply underwhelming. Or it simply feels like a retelling of D2 (start in Tristram, go to desert…deja vu?).

4. The voice-acting. Maybe I’m hugely spoiled by Skyrim (despite the heavy actor re-use) and Star Wars: The Old Republic (amazing voice acting), but the voice actors and the lines they use in this game. Are. Awful. A few work, like some of the bad guys, Cain, and a couple classes, but for the most part, they’re painful. For instance, my Female Wizard comes off as an arrogant bitch and I really hate hearing her voice or the things she says. (Side note: I am, however, amused by some of the background banter, which changes based on who your companions are or even what zone you’re in.)

4b. My character has a voice. I don’t recall my player talking all that much in previous Diablo games (see also the simplistic story), but it badly draws me out of the immersion when I hear my character’s voice, especially if I don’t like it and she has a terrible tone and attitude. Other classes are even worse.

5. The music. Wait, what music? The music in Diablo games is memorable and part of the immersion and experience. The D2 music is absolutely superb, and even thinking about it makes my skin tingle. My first hour of playing D3 immediately had me noticing the lack of music. The “music” in D3 is mostly just ambient stuff that you don’t really consider music. I’m greatly disappointed in the lack of a worthy soundtrack to my pwning. When music does kick in, it’s not very interesting nor does it really help the tone. It’s like they went way too ambient and then way too pomp-and-circumstance in later levels, rather than the perfect in-between of D2.

6. Very little social support (so far). There is coop play, and it’s really done well, but that’s been largely it for social support in this game. The chat rooms of D2 are replaced with an Auction House (an improvement), but there’s very little chance to meet new people in a social setting like a typical MMO RPG. We have drop-in-drop-out public games with random people, and we now have a mandatory general chat with a max of 99 other random people, and friend lists. While this is all a step up in most cases from D2, I seriously think Blizz is dropping the ball on support for better social ability. No leaderboards? No chat rooms at all? It might be cool to be able to join a game to watch. Etc.

7. Game world lack of persistence. In D2, if you left your game, but then went back into it, the game world would persist for a short period of time. So if you lagged out or wanted to trade an item to your mule, you could get back in and be ok. If you leave the game in D3 and try to get right back in, you may be back at the same spot you were at, but the layout will be new and the monsters respawned. Yes, that means you can lag out, come back, and be immediately set upon.

UNDETERMINED

1. Endgame – The Loots! Since I’m new to Inferno, I’m still not sure how well the loot grind from D2 will feel in D3. So far the items don’t feel quite so legendary or special, though I’ve only dropped 3 legendaries so far. I think it’s maybe the higher rate of drop on rares (yellows) that deadens my excitement? Not sure yet.

2. Auction House. The real-world-money AH isn’t out yet, but I’m still unsure about the current AH. It’s clunky, it’s filled to the brim with items. But it’s a huge (huge!) step up from the chat rooms and nervous in-game trading/bartering from D2. Still, there’s something social-wise to be missed about offering 10 SOJ for a top-stats Windforce.

3. No more stat points. I’m torn on this one, and ultimately probably won’t miss it. In D2 you assigned your own vitality, str, int, dex points. This game allocates them automatically as you level up. While this simplifies things and prevents me from being stupid, it does take away a small bit of tweaking you could otherwise do.

4. Will I look like a badass? I’m not sure yet whether a character’s look is the same based off gear tier, or whether I’ll look relatively unique when I find cooler things. Not that it is a huge deal, since the character is typically pretty tiny on screen….

5. Secret doors? Maybe I’ve not seen any yet, but I miss the occasional secret door you can find in dungeons.

* Of minor note, you can’t stash a town portal at the start of every level that you can race to when shit hits the fan. The town portal ability has an interruptable cast time. This means some dungeons have no way out but a game restart, if you run into a bad champion pack.

privacy and social engineering

Brian Krebs also has a neat article up titled, “Alleged Romanian Subway Hackers Were Lured to U.S.” The article has this to say:

Investigators had subpoenaed Yahoo!, GoDaddy and other communications providers to snoop on Butu’s emails. Information gleaned from those messages included quite a bit of information about where he’d traveled, bars he’d visited, his friends, etc.

Armed with this information, U.S. investigators reached out to Butu posing as an attractive female tourist he had met while he was in France approximately one year earlier.

This, friends, is a classic example of social engineering by knowing a little bit about someone. In this case, he probably thought his emails were private, but investigators (or anyone else) could find similar information about someone on relatively public sites. Essentially: privacy is important.

brian krebs and thomas ptacek on password security

Brian Krebs has a nice article/interview with Thomas Ptacek in regards to recent password theft issues (LinkedIn, etc). Definitely worth a read and does some nice teaching (I didn’t know password hash and cryptographic hash were two different things). The main point is how often developers don’t know security mechanisms. To me, though, that’s not so much a knock to them as developers, but rather our whole process of development. It’s hard to expect developers to know all this stuff and yet remain rockstars in their own arena. More knowledge, more time, more experience is really key, along with some positive encouragement and support. Oversight by the experts would help as well (and the desire for companies to ask for that help). Oh, and 2F auth….
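To make the “password hash vs. cryptographic hash” distinction concrete, here is an added example (my own code, not anything from the Krebs/Ptacek piece). An unsalted SHA-256 is a general-purpose cryptographic hash: deterministic and very fast, which is exactly what an offline guesser wants. A password hash adds a random per-user salt and a tunable work factor so every guess costs real CPU time. I use PBKDF2-HMAC-SHA256 from the standard library because it runs anywhere; bcrypt and scrypt are the same idea with a different core. The stored-string layout (`pbkdf2_sha256$iterations$salt$digest`) and the sample passwords are assumptions made up for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample credentials for the demo (not real data).
SAMPLE_PASSWORD = "correct horse battery staple"
WRONG_PASSWORD = "Tr0ub4dor&3"


def fast_hash(password: str) -> str:
    """Unsalted SHA-256: a general-purpose cryptographic hash.

    Deterministic and fast, so identical passwords collapse to identical
    digests and an attacker can test a huge number of guesses per second
    or precompute a lookup table. This is NOT a password hash.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = 200_000) -> str:
    """PBKDF2-HMAC-SHA256 with a random per-user salt and a work factor.

    The salt defeats precomputation and hides equal passwords; the
    iteration count makes each guess deliberately expensive.
    Stored format (an assumption for this example):
        pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations; compare in constant time.

    Any malformed stored value is treated as a failed login rather than
    an exception, so a corrupt row cannot crash the login path.
    """
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256",
            password.encode("utf-8"),
            bytes.fromhex(salt_hex),
            int(iterations),
        )
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except ValueError:
        return False


def guesses_per_second(hash_fn, seconds: float = 0.2) -> float:
    """Rough throughput of an offline guessing loop against hash_fn."""
    n = 0
    deadline = time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hash_fn(f"guess{n}")
        n += 1
    return n / seconds


if __name__ == "__main__":
    # Same input, same output: two users with the same password are
    # trivially linkable, and a precomputed table cracks both at once.
    print("sha256 #1:", fast_hash(SAMPLE_PASSWORD))
    print("sha256 #2:", fast_hash(SAMPLE_PASSWORD))

    # Same input, different output thanks to the salt; both still verify.
    stored_a = hash_password(SAMPLE_PASSWORD)
    stored_b = hash_password(SAMPLE_PASSWORD)
    print("pbkdf2 #1:", stored_a)
    print("pbkdf2 #2:", stored_b)
    print("verify right pw:", verify_password(SAMPLE_PASSWORD, stored_a))
    print("verify wrong pw:", verify_password(WRONG_PASSWORD, stored_a))

    # The work factor is the whole point: compare guess rates.
    print("sha256 guesses/sec: %.0f" % guesses_per_second(fast_hash))
    print("pbkdf2 guesses/sec: %.1f" % guesses_per_second(hash_password))
```

The numbers from the last two lines vary by machine, but the gap is what matters: the fast hash lets a cracker run through a wordlist in seconds, while the iterated hash turns the same wordlist into hours or days, and the salt means every stolen row has to be attacked separately.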

workplace rules and artificially knee-jerking them into place, part 2

In my previous entry, I linked to, “8 rules for creating a passionate work culture,” and I poked at one entry that I didn’t completely like. Another one rubbed me the wrong way, but it took a bit to sink in why:

3. Tend to the weeds. A culture of passion capital can be compromised by the wrong people. One of the most destructive corporate weeds is the whiner. Whiners aren’t necessarily public with their complaints. They don’t stand up in meetings and articulate everything they think is wrong with the company. Instead, they move through the organization, speaking privately, sowing doubt, strangling passion. Sometimes this is simply the nature of the beast: they whined at their last job and will whine at the next. Sometimes these people simply aren’t a good fit. Your passion isn’t theirs. Constructive criticism is healthy, but relentless complaining is toxic. Identify these people and replace them.

I absolutely get the reasoning behind this item. But I also think this item is too often misconstrued in a subtle way: “Get rid of the people who aren’t team players,” or “Get rid of the people who don’t agree with what we’re/I’m doing.”

I’m a huge Star Wars geek, but I don’t really care for the later 3 movies, much like any other Star Wars geek of my age. I firmly believe the main reason for this discrepancy is George Lucas (really, left in a vacuum his writing is childlike and his directing atrocious). In the first movie especially, I believe George Lucas and his entire team had many disagreements and had much adversity to go through to produce one of the best movies ever. Later in life, I believe George Lucas surrounded himself with “Yes Men,” or at least people who feared speaking up against the man because of his clout in the industry. This resulted in really awful later Star Wars movies with childish writing and awful directing which resulted in horrid performances by otherwise decent actors.

The point is, this item is meant to get rid of truly bad people who just whine and cannot provide anything of value themselves. It is not to surround oneself with “Yes Men,” and downplay people who may criticize or question with best intentions. In fact, doing this item wrong stabs at the heart of other items: 2. Communicate (and foster trust and safety) and 6. Celebrate differences.

(Some could bring up Steve Jobs and his causing fear amongst his employees, but I really think Jobs is an outlier in many things; essentially the right person with the right personality at the right time with brilliant ideas and input making the right decisions with a lot of luck. He shouldn’t be a model of anything except the idea that you can have success by bucking the established “rules.” That itself is not a new rule…)

workplace rules and artificially knee-jerking them into place

Checked out “8 rules for creating a passionate work culture.” I like these rules, though there needs to be some emphasis added to a few key words here and there to drive home the key items in each point. For instance: “A culture where everyone understands that long hours are sometimes required will work if this sacrifice is recognized and rewarded.”

While these “rules” are good, I find that some people/organizations try to artificially implement them without really understanding themselves or the rules. It’s like dieters looking for the diet pill or easy magic recipe, rather than putting in the real effort and lifestyle changes that healthy living requires. Whacking your employees to be more innovative or passionate without truly understanding the psychology of it all is not a road to success.

I do take slight (slight!) exception to this rule:

7. Create the space. Years ago, scientists working in laboratories were often in underground bunkers and rarely saw their colleagues; secrecy was prized. In cutting-edge research and academic buildings, architects try to promote as much interaction as possible. They design spaces where people from different disciplines will come together, whether in workspace or in common leisure space. Their reasoning is simple: it is this interaction that helps breed revolutionary ideas. Creative and engineering chat over coffee. HR and marketing bump into one another in the fitness center.

I agree with bringing people together, but too many leaders read this and think they need to tear down physical office and cube walls and that will make everything innovative and ideas flow! But that’s not going to work with every department or every person. It’s a nice idea to give people spaces to collaborate and bump into others, but you’re not going to end up celebrating those people who are introverts or who may in fact be more productive in a space they feel comfortable in. Just like “team-building” exercises and get-together social events for an entire company, not everyone is going to be comfortable or have a good time at such things. You can tell which people want some space to work rather than be distracted, because they’ll have headphones on in their “collaborative pods” and it takes several yells of their name to break them out of their trance (ie interrupt their work).

I do have a lot of sympathy for common shared areas that naturally will gather people, for instance break rooms, places to sit/lounge on a break or just a break from the desk to sit and think in maybe a space with some chairs overlooking the morning sunrise, etc. Give people places to broaden out, but keep the places where work can get done in an efficient manner without the distractions or the open space.

More importantly, I think the space should foster creativity and underline the idea of trust and being happy when you’re at work. People who are happy at work are going to do great things. Some people are happy surrounded by friends, some are happy sitting in an environment where their cube is as comfortable or decked out like their favorite room at home. One shoe doesn’t fit all, but you can’t certainly be open. Watching videos and photo montages of many of today’s prime tech companies, start-ups, and creative shops, I am constantly drawn to their non-traditional work spaces. They’re not all open, they’re not all wall-filled, but they do have character. If your office space does not have character reflecting the company (or attractive to an employee you’re asking to spend their days in), you need to fix that before diving into this rule.

will this make someone feel good?

Jeff Snyder has a post up about (Handwritten) Thank You Notes. (note: security recruiter page, in case you’re worried about web filters).

I think part of this is not about sending deserved thanks,* but the sort of human contact that really makes our day. Similar to a random (non-creepy) smile from a stranger to someone who goes just slightly out of their way to hold a door or learn your name if you’re a regular in a store or location. Or better yet, give us a conscious, sincere compliment about something. I think I remember every time someone has complimented me on my car, or whatnot. We’re all people, and it’s natural to react positively and memorably to those who poke us the right way.

The article Jeff links to has 5 business etiquette tips, and I can’t help but notice that they’re of a similar human (humane!) vein. In fact, now that I read to the end of the article, here’s the crux: “Will this make someone feel good?” You know, I actually like that as much as the common geek theme, “Don’t be a dick.” It’s a bit of a positive note rather than the absence of negativity, but also doesn’t use a word I tend not to use (if you know my full name, you know why!).

* And please don’t just send Thank You’s like firing off a form letter. Make them personal and try to actually *feel* it. It’s sort of like never saying “thanks” or “excuse me” as a rote reflex, but always with conscious sincerity. (You can observe this failure in other people when they say thanks when *they* did something for you…)

facebook privacy issues still only slowly being realized

Via Emergent Chaos, I got linked over to a nice article on Consumer Reports about FaceBook privacy. Now, being a CR subscriber, I tend to really skip their tech/security/privacy articles because, well, their treatment always makes me nervous or leaves me with more questions than answers (similar to skipping their reviews on laptops/computers, because I build and evaluate my own based on criteria far higher than their focus). But this article about Facebook actually *taught* me a few things that I probably could suspect, but never actually fully appreciated:

Facebook collects more data than you may imagine. For example, did you know that Facebook gets a report every time you visit a site with a Facebook “Like” button, even if you never click the button, are not a Facebook user, or are not logged in?

And I like this quote from Zuckerberg, which sort of illustrates that we’re often not talking about the same things when we talk about privacy:

…a blog posted last year by founder and CEO Mark Zuckerberg, who wrote, “We do privacy access checks literally tens of billions of times each day to ensure we’re enforcing that only the people you want see your content.”

That’s great to hear about users accessing other users’ information, but what about the data you use for your own purposes and keep for however long?

lessons from others: a chumby engineer

As kids, we don’t listen to the advice of other people. We’re too busy being independent thinkers, individuals, rebellious, and caught up in our own autonomous futures. We’re also unconsciously sick of being constantly told what to do and molded by parents, institutions, and school.

Part of the process of getting older is appreciating the (value of, which itself is an ‘adult’ phrase, yeah?) experiences shared by other people, and our learning from mistakes and successes of others. This is probably why adults keep trying to “advise” kids, and we adults just don’t get why kids don’t listen. I also believe this sharing of experience is one of the best things about the Internet (and maybe one of the worst if you get idiots sharing poor experiences that make no sense or are rife with, well, idiocy).

Anyway, in comes an experience-sharing interview: “MAKE’s Exclusive Interview with Andrew (bunnie) Huang – The End of Chumby, New Adventures.” I have a Chumby. While I’d known about the Chumby for years, I didn’t actually pull the trigger on purchasing one until last year. Sadly, I jumped on just in time for the wagon to reach the end of the trail: the Chumby is on the way out. While it still works, the Chumby is basically dead-thing-uhh-sitting, since its apps rely on the central server for updates and actual function. I see today the forums aren’t working, and mine may never work again for all I know… (also sadly, I do not have one of the cute, awesome, little bean-bag type plushy ones that I fell for years ago; mine is a hard upright piece of plastic…)

But Huang has plenty of advice to give in this long interview, where he talks about entrepreneurship, design, kickstarter, funding, pricing…

The hardware model is radically different from the software model. Software is innately scalable; you can acquire a hundred thousand users overnight. Monetizing the user base in software is trickier, but most software plays start with scale and then worry about money.

This sort of discussion is worth having in really any part of IT. Are you making infrastructure decisions based on what the business wants, or creating a space for the business to find uses for what you do? I’m no expert in this area, but sometimes you need to worry about how your infrastructure or solutions scale, stay agile, and fill multiple needs quickly, and let the business worry about the monetization, ya know?

In the face of ‘ship or die’, one should not be looking to ship the perfect product. It is more important to ship a product that’s good enough, than a great product that’s late.

I think we in security can relate to shipping unfinished products. But hey, that’s the name of the game.

But that does show one of the flaws of fact-based reasoning. Engineers love to make decisions based upon available data and high-confidence models of the future. But I think the real visionaries either don’t know enough, or they have the sheer conviction and courage to see past the facts, and cast a long-shot. It’s probably a bit of both. Taking risks also means there’s a bit of luck involved.

the discussion of firewalls and antivirus

Often, a 140-char Twitter post isn’t enough to convey a message. In fact, sometimes accessible blog posts don’t give enough meat to a discussion that deserves it. This can probably be said about the current discussions on firewall or AV (or more broadly: “old”) security technology effectiveness. The bullet points usually aren’t good enough to do a topic justice (which sometimes means we’re arguing two different nuances of the same position…).

(Aside: I really hate how Google Reader links tack on extra crap behind a URL; which means I have to get rid of it when linking to stuff found via it.)

Anyway, Beau is back to blogging and threw out a post, “Firewalls and Anti-Virus Aren’t Dead – Should They Be?” which itself is a response to one from Wendy Nather, “Why We Still Need Firewalls and AV.”

(Aside: It might not be proper to call them antivirus tools anymore, but I also still use the term “video” when I mean DVD/Bluray, or to “tape something” as in record it. That’s not meant as a dig, though it certainly makes me grin to think of this analogy.)

This is a necessary and healthy discussion to have, even if I am not terribly open to the direction (wet blanket comes to mind). I totally encourage any other bloggers out there to also chime in, because Wendy’s closing question is really still unanswered, and it’s the Big One, ya know? “So if you don’t agree with me, and you’ve really stopped using these products, I’d love to hear about how you’re addressing those classic threats, and what controls you replaced them with.”

(Aside: This same feeling exists in the whole Down With Patching movement…)

I really require hard proof that techX isn’t working anymore (I already agree it’s not as effective, but that’s different). And I also require an alternative (something business/management learns you pretty quick) that matches the technology one-to-one and/or improves upon it. Many vendors think this means making Super Boxes that do so many things, with covers on top of covers to shield me from the guts of the surgical tools, and I tend to disagree with that approach.

(Aside: I left a comment on Beau’s post, and I’m thrilled to say I only needed one attempt at the captcha to post “anonymously” [or at all]. This is rare, and actually reduces my commenting in outside areas, like the HP evangelist blog which pisses me off to no end each time I try… Of course, InfoSecIsland gets no comments from me because of the login req…)

I do want to bring out just one part of Wendy’s post at the end that I liked, “They [users] need to know what each security product will and won’t protect, and they need to understand this in a non-technical way…” This is partly why it sucks to talk to security vendors today. Their products are too big and bloated for an elevator pitch that doesn’t dive deep into hyperbole, and too complex to understand well enough to sell them this way. They conflate their protection (DLP is notorious. Also, I had a large endpoint security provider today use the words “100% secure” after rolling out their endpoint solution remotely…). And they latch onto compliance and media scares for attention (ok, I do the same thing, since compliance has given me more tools than I’d have without…). The vendors that do this leave a bad taste when dealing with anyone in the whole industry space, which is a shame.

(Aside: Oh, and I think Beau actually agrees with both Wendy and myself [RE: paragraph 8 from his post], it just kinda kneejerk sounds like he doesn’t.)

reactions to palo alto live-broadcast on byod

I have a post about BYOD incubating (for weeks), but did want to post my thoughts on this.

Just checked out a Palo Alto Networks sit-down talk today with Nir Zuk (Palo Alto), Rich Mogull (Securosis), and Mark Bouchard (thank you for not making this over my lunch hour!) doing a live-video discussion titled, “Coming to Grips with Consumerization.” Of course, I took some notes.

– users want to tailor their damn devices; the perception of mobile devices supports this, where users may expect customization with mobile devices while traditional computers carry less of this perception. I agree with this for the most part, especially if people are expected to carry this *and* their own personal devices at the same time. People will want fewer devices, thus just one that covers both work and personal.

– this mobile issue isn’t new. I don’t have much to say about this, but once you really sit down, the fundamental issues here really aren’t new. Protect data. Manage devices. That was true 10 years ago and is still true today. It’s just more difficult today because of how BYOD/consumerization has evolved. This is a good thing to bring up early, since many (even me) get hung up on this being a brand new issue.

– is the problem truly just lack of device management? This was a great discussion, and I think this is a huge, huge problem. If not the biggest one: we can’t manage these damn devices people want to use for business purposes. Keeping in mind installed apps, blacklisted apps, bad uses/configurations, inappropriate use, etc, as part of this topic.

– data assurance is a new key (somewhat). Again, no difference to traditional computers, only now we have fewer tools to assure this on these new mobile devices. Remote wiping is just not assurance enough.

– “make sure bad things don’t get into the device,” quote from Nir. Kinda sounds like the same problem with any computer for a long time, yeah? Sadly, corporate protections have *fewer* tools to do this, even as Android/Apple give users better tools to manage their apps and stuff (with arguable oversight). Traditionally, we have device lockdowns, least privs, and endpoint protections. With these new devices, we don’t have these tools really at all, or when we do, they’re usurped.

– some talk about network-based protection/inspection. While I love this idea because it sits squarely in the technical side of things, especially on the network/sec teams, I think it is dangerous to rely on inspection visibility for security in the future. There will continue to be pressure to encrypt and hide traffic in motion. And it’s a whole new discussion about how we want privacy but also want visibility; we can quickly talk out both sides of our mouth.