The Daily Incite - October 3, 2007
October 3, 2007 - Volume 2, #138
Good Morning:
Interestingly enough, I get a number of questions about career development every month. Considering my career path, I find that nothing short of amazing. I guess folks are interested in the perspectives of an ADD-ridden (career-wise anyway) sort of technical guy, sort of marketing guy, sort of pundit guy - who's never held down a job for more than 5 years and has an opinion about everything.
I feel less than qualified to really advise people on career topics, but I'll certainly share my opinions for what they're worth. Reading Marc Andreessen's series on career development, including this fantastic second post about skills and education, I kind of get the same feel. This is a guy who has been a success since he stepped off his college campus. He was one of the founders of Netscape and he's had a lot of success since then. He's been chief technical guy, CEO, Chairman, etc. Not sure he can really empathize with the young folks out there or the folks that have gotten to a dead end in their careers.
But the fact remains that you can learn a lot by seeing other people
screw things up. The post is great and provides a lot of very
actionable advice to folks at all career levels. Clearly Marc has
picked up a lot in his travels. I especially like the idea of actually
challenging yourself, as opposed to going through the motions and being
busy because you don't know what else to do. To be clear, I've had a
few advantages (education, supportive parents, etc.), but nothing was
handed to me. One of the best days of my life was the day I didn't need
to ask my folks for money anymore. I've been very fortunate to not have
asked since then either.
I'm on board with the idea of getting a technical education. I've got a bunch of friends that went from Engineering School to business, medicine, law, even public service. Just because you study something doesn't mean that you practice it. The fact that I learned a trade in college (though I never actually practiced Operations Research) allowed me to step into a more in-demand profession (computer programming) right out of college. I hated it and left within a year, but it got me started on my path of finding what I like to do. Most importantly, my technical education taught me how to solve a problem. Since I seem to find problems wherever I go, that's a pretty good skill to have.
It's also great advice to constantly be striving to learn new things and expand your horizons. My Mom started to learn Spanish after she turned 60. It's great to see her engaged in a new pursuit and expanding her mind. It's never too late to take a class or pick up a new hobby or just read a book about a topic you know nothing about. What's the worst that can happen? You find out you can't stand Civil War history? Neither can I.
The best piece of advice I can give is to just try a bunch of stuff.
Screw up. Find out what you DON'T like. That gets you one step
closer to finding what you love. What you are passionate about. The
reality is, if you hate your job you are going to suck at it. So find
something you like and don't be afraid to change if you aren't happy.
I kind of had an unfair advantage in that department. My Dad started as a Pharmacist. One day he told us that he sold his Pharmacy and was going to law school. He was 38 at the time. Right, he made the decision to have no income for 3 years while he studied law and then he'd start building his own practice. That takes some stones. I learned that you don't have to settle if you aren't happy, no matter what the risks.
My father-in-law has a similar story. He left retail after 20 years and became a stock broker. He's never looked back and that was almost 30 years ago. He already knew what he loved to do because the Boss tells stories of him charting stocks on his days off from his store. Now he gets to do his hobby every single day. He'd do it for free; the fact that he gets paid is just icing on the cake.
That's my big advice for the day. If you don't love what you do, find
something else. If you like what you do, just not where you do it, find
someplace else. Every day is a gift, don't squander it doing something
you hate in a place that makes your skin crawl. Life is too short.
It really is.
Have a great day.
Technorati: Information Security, CSO, Security Mike, Internet Security
Top Security News
That shredder software is for what?
So what? -
It really is amazing what some folks will do with their work computers. I hear my admin friends tell stories of what they find when they check out the logs on their web filters. Or when they give someone a new machine and have to clean up all the p0rn left on the old one by the previous owner. HELLO!?!?! The machine belongs to the company. The IT guys are going to know about your wacky fetishes. And they aren't bound by HIPAA to keep it private over beers. Spend the $20 on Spectravision if you have to. Stories like the CFO of Mesa Airlines getting into trouble for destroying data (though he maintains it was just porn) just make me cringe. It's not like you don't have alternatives to be a little more "private." Buy a Mac and learn how to use private browsing in Safari. No, I wouldn't know anything about that. Actually Safari runs on Windows now, so you Windows deviants are in luck. It seems your luck is going to get better, since a UK company is introducing a new browser that leaves no trails. No cache, no cookies, no nothing. It also connects through a proxy out in the Internet, so where you connect from can't be tracked either. Best of all, it runs off a USB drive - so there really is no trace. Wonder if these guys will be bundling it through some of the finer "subscription sites" out there? Maybe they need a business development guy.
Link to this
Darwin alive and well in the channel
So what? -
Interesting article here on CRN about the
fact that some VARs are not going to be able to make the transition
from box pusher to service provider. Many are having a
problem as product margins are constantly shrinking and focusing the
business on consulting or managed services is hard. It does require a
different business model, go to market strategies, cash flow
management, and about a million other things that are different. But
you know the story - adapt or die. These kinds of eventual shake-outs
are good. The fittest will prosper in this new age, where customers
(especially small customers) just want a computing utility and they
want that utility to be secure. Some security specialists may be
going to market VIA an application or other infrastructure provider not
too long into the future. Change is good, as long as you are on the
right side of it.
Link to this
Welcome to the limb, Senor Fratto
So what? -
Finally, someone else with enough stones to project that NAC is
probably not ready for prime-time for more than a set of early
adopters. I took a lot of heat for my recent statement that NAC won't
really hit widespread deployment until 2009. Of course, that came from
a set of vendors that will have to raise a bunch more money to get
there. But Network Computing's Mike Fratto has it right.
NAC is oversold. There are features missing. No one has the whole
product yet. And inevitably when this kind of thing happens for too
long customers get disappointed. Then they wait. As products mature and
requirements become mainstream, then the technology takes off. As long
as a new exciting widget hasn't appeared to flash more shiny lights in
the eyes of security professionals.
Link to this
The Laundry List
- HP and Cenzic kiss and make up. Or one realized that the opponent spends more on toilet paper in a month than they've raised in venture capital. Either way, now everything is happy happy. - Cenzic release
- McAfee goes for the "triple play." But it's really about trying to bundle more crap in before folks realize the consumer security suite is an endangered species (if Security Mike has anything to say about it). - McAfee release
- No news is good news on Vista SP1. Maybe some drivers that work will be available, though Big AV is happy - they are getting their APIs to hook into Security Center. - ComputerWorld coverage
- More security marketing gone wild. Lumigent claims the most "comprehensive" PCI Solution. Compared to what? You can't buy PCI compliance, no matter what a press release says. - Lumigent press release
Top Blog Postings
Got an iBrick? Serves you right.
Of course, the blogosphere is up in arms about Apple's decision to brick iPhones that have been unlocked or force them to roll back to an earlier version of the firmware, thus also rolling back security fixes. Shostack takes an interesting position that Apple's policy will make some users unwilling to patch their phones and thus expose them to security mayhem. I know Adam's post is about the psychology of patching and not really about the iPhone. But I want to talk about the iPhone and since it's my party - I can do that. The iPhone is meant to work ONLY with AT&T. Sure it was a stupid decision. I think they would have sold a LOT more if they had it open. But they don't, so anyone that violates the agreement deserves what they get, including security issues because they aren't patched. Will 3rd party patches emerge that reverse engineer the Apple patches? Probably. But this becomes a band-aid on top of a band-aid on top of a bandage. It'll eventually be a mess. If you don't like AT&T, then the iPhone is not for you. What's so hard about that to understand?
http://www.emergentchaos.com/archives/2007/10/apples_update_strategy_is_1.html
Link to this
The Mogull's life cycle
I have to admit that The Lion King is one of my favorite kids movies. I wish my kids would like it as much as I do. Something about that Circle of Life thing really resonates with me. Everything is cyclical and I've made a career of finding the patterns and predicting when the cycle will repeat. Not to be outdone, the Mogull is starting to document what the data security life cycle needs to look like. Imagine that, it starts at "create" and ends in "destroy." The only thing missing is reincarnation. Maybe that happens when you get sued and the data is reborn because it's been stored by the NSA or AT&T in their secret data vaults. This is an interesting start and gets to the breadth of the data security problem. The reality is that there are very few good options to protect data even within a few of the steps, certainly not between them. So data security has a lot of maturing to do, and it better hurry up because at the pace that applications are decomposing and data is ending up in interesting places (like Romania and China), we don't have a lot of time to waste.
http://securosis.com/2007/09/24/the-data-security-lifecycle-beta-1/
Link to this
1 million XSS
When I read Jeremiah's post trying to figure out how many XSS vulnerabilities are actually out there, all I could think about was that scene in the first Austin Powers movie, where Dr. Evil asks for "$1 million dollars" in exchange for the safety of the world. The reality is that I'm not sure it matters whether there are 1 million or 1 billion XSS vulns out there. It's a lot and, more disturbingly, the folks in charge of these websites have no idea how to fix it and developers don't know how to avoid it in the first place. Big J quotes a chap named MustLive who has a three step plan to address the issue. First make browsers less XSS-sensitive. Then more security in frameworks and dev languages to provide more anti-XSS mojo. Finally hit it with education. All great ideas, but all will take time. Jeremiah wonders how long. I figure at least 5 years and that may be optimistic. IBM and HP owning web app specialists now will help with the second task. Not sure what is planned for Firefox 3, but since it's open source - there is a chance we'll see something at some point to address the browser issues. But the education stuff takes a long time. And in the meantime we'll continue to see XSS and other similar attacks compromise data with impunity.
http://jeremiahgrossman.blogspot.com/2007/10/1000000-xss-vulnerabilities-and.html
Link to this
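An added example (mine, not from Jeremiah's post or this newsletter) of what the second step in that plan, anti-XSS support in frameworks, looks like in practice: a reflected search page rendered by hand beside the same page rendered through context-aware output escaping, which is what auto-escaping template engines do for you by default. The page layout and the query string are constructed for the demonstration.

```python
import html

# Constructed input: a query that would close the attribute and inject markup
# if it were spliced into the page unencoded.
SAMPLE_QUERY = '"><script>alert(1)</script>'


def render_unsafe(query: str) -> str:
    # The classic mistake: untrusted input concatenated straight into HTML.
    return f'<input name="q" value="{query}"><p>Results for {query}</p>'


def escape_attr(value: str) -> str:
    # Attribute-value context: quotes must be encoded as well as < > &.
    return html.escape(value, quote=True)


def escape_text(value: str) -> str:
    # Element-text context: < > & are what turn text into markup.
    return html.escape(value, quote=False)


def render_safe(query: str) -> str:
    # What an auto-escaping template engine does on every substitution:
    # pick the encoder for the context the value lands in, so the payload
    # is rendered as inert text instead of being parsed as markup.
    return (f'<input name="q" value="{escape_attr(query)}">'
            f'<p>Results for {escape_text(query)}</p>')


def contains_injected_script(page: str) -> bool:
    # Crude marker check, used only to contrast the two renderers.
    return '<script>' in page.lower()
```

The same encoders are not sufficient for JavaScript or URL contexts; a framework has to pick the encoder per context, which is why "more anti-XSS mojo in frameworks" is real work rather than a one-line fix.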