A few more thoughts on the curmudgeons

May 25, 2011
3 mins
Data and Information Security

I got some excellent feedback from yesterday’s “Take the word curmudgeon and shove it” post. Allow me to share some of it, along with additional thoughts.

First, a clarification: I wasn’t ranting about people who complain about their lot in the industry per se. Venting about the stupid things people do with computers is healthy. Getting it off your chest on Twitter sure beats going postal about it. Most people vent and move on.

Three people come to mind. One is Astaro’s Jack Daniel (@jack_daniel), another is Dave Lewis (@gattaca), and the third is James Arlen (@myrcurial). They are known for their sometimes salty disposition, and I even took a collection of Jack and Dave’s tweets and made a column from it last year. A lot of people didn’t like that one, but it was meant as a light-hearted, albeit warped, “day in the life” of two security guys.

These guys do their fair share of complaining. But they always follow it up by bringing something to the table. All three have played important roles in organizing some of your favorite security events, like B-Sides. When they speak at an event you always walk away smarter.

In other words, they take their crankiness and do something positive with it.

If the word curmudgeon is here to stay, then it’s safe to use them as examples of the useful sort.

The people I was talking about are the ones who whine about everything and offer nothing constructive: those who do little more than get drunk and tweet about how dumb everyone is, simply because they can.

That doesn’t mean it’s never useful to lament about the “dumb” ones.

One security practitioner, Peter Hillier, offered some reasonable points in his post:

Bill: great observation, but your 7+ years of observing the human condition in the security industry doesn’t include putting your ass in the seat of the average IT Security practitioner, let alone executive.

As you’ve no doubt written about in the past, IT Security tenets have consistently been at the bottom of the proverbial food chain with regard to funding, project prioritization, or even interest for a long time. IT Security practitioners have become poster boys (and girls) for the development of unfunded business cases for improvement.

We continue to live and work in an age where negative events have been our business case (re: Sony)!

So, if I, or any of my colleagues want to opine in a negative, curmudgeon-like way, we have every right to do so. Not that I make much of a habit of it myself, but I have my moments.

Another person who responded anonymously suggested we put the “cur” back in “curmudgeon” —

It is not the users who raise my ire — it is the organizations [SONY is the poster child here] who persist in making the same mistakes over and over again, or who scant security, and think they will get away with it.

A man named Noam Eppel wrote a paper about 5 years ago, which he called “Security Absurdity” — alas, as near as I can see, no longer available online. The point is that both the types of attacks in use then and the organizational vulnerabilities they exploited have hardly changed at all over the following years.

Which makes me wonder: can we learn? Will we learn? And this does, in fact, make me a bit of a curmudgeon.

Also a fair point.

Thanks for the feedback, folks. Keep it coming.

–Bill Brenner