The Rhetorical Style of Drama

There is a spectre haunting the internet, the spectre of drama. All the powers of the social media have banded together to not fight it, because drama increases engagement statistics like nothing else: Twitter and Facebook, Gawker and TMZ, BlackLivesMatter and GamerGate, Donald Trump and Donald Trump, the list goes on and on.

Where is the party that says we shall not sink to the crazy? Where is the party which argues for civil discourse? The clear, unarguable result is that drama is universally acknowledged to be an amazingly powerful tactic for getting people engaged on your important issue, the exquisite pain which so long you have suffered in silence, and are now compelled to speak out upon! But, reluctantly, draw back, draw breath, draw deep upon your courage before unleashing, you don’t want to, but musts be musts, and so unleashing the hounds of drama, sadly, reluctantly, but…

In this post, I’m going to stop aping the Communist Manifesto, stop aping drama lovers, and discuss some of the elements I see which make up a rhetorical “style guide” for dramatists. I hope that in so doing, I can help build an “immune system” against drama and a checklist for writing well about emotionally-laden issues, rather than a guidebook for creating more. And so I’m going to call out elements and discuss how to avoid them. Drama often includes logical falacies (see also the “informal list” on Wikipedia.) However, drama is not conditioned on such, and one can make an illogical argument without being dramatic. Drama is about the emotional perception of victim, persecutor and rescuer, and how we move from one state to another… “I was only trying to help! Why are you attacking me?!?” (More on that both later in this article, and here.)

Feedback is welcome, especially on elements of the style that I’m missing. I’m going to use a few articles I’ve seen recently, including “Search and Destroy: The Knowledge Engine and the Undoing of Lila Tretikov.” I’ll also use the recent post by Nadeem Kobeissi “A Cry for Help Against Thomas Ptacek, Serial Abuser,” and “What Happened At The Satoshi Roundtable.”

Which brings me to my next point: drama, in and of itself, is not evidence for or against the underlying claims. I have no opinion on the underlying claims of either article. I am simply commenting on their rhetorical style as having certain characteristics which I’ve noticed in drama. Maybe there is a crisis at the Wikimedia Foundation. Maybe Mr. Ptacek really is unfairly mean to Mr. Kobeissi. I’ve met Nadeem once or twice, he seems like a nice fellow, and I’ve talked with Thomas on and off over more than twenty years, but not worked closely with him. Similarly, retweets, outraged follow-on blogs, and the like do not make a set of facts.

Anyway, on to the rhetorical style of drama:

  • Big, bold claims which are not justified. Go read the opening paragraphs of the Wikimedia article, and look for evidence. To avoid this, consider the 5 paragraph essay: a summary, paragraphs focused on topics, and a conclusion.
  • The missing link. The Wikimedia piece has a number of places where links could easily bolster the argument. For example, “within just the past 48 hours, employees have begun speaking openly on the web” cries out for two or more links. (It’s really tempting to say “Citation needed” here, but I won’t, see the point on baiting, below.) Similarly, Mr. Kobeissi writes that Ptacek is a “obsessive abuser, a bully, a slanderer and an employer of public verbal sexual degradation that he defends, backs down on and does not apologize for.” To avoid this, link appropriately to original sources so people can judge your claims.
  • Mixing fact, opinion and impact. If you want to cause drama, present your opinion on the impact of some other party’s actions as a fact. If you want to avoid drama, consider the non-violent communication patterns, such as “when I hear you say X, my response is Y.” For reasons too complex to go into here, this helps break the drama triangle. (I’ll touch more on that below).
  • Length. Like this post, drama is often lengthy, and unlike this post, often beautifully written, recursively (or perhaps just repetitively) looping back over the same point, as if volume is correlated with truth. The Wikimedia article seems to go on and on, and perhaps there’s some more detail, causing you to want to keep reading.
  • Behaviors that don’t make sense If Johnny had gone straight to the police, none of this would ever had happened. If Mr. Kobeissi had contacted Usenix, they could have had Mr. Ptacek recuse himself from the paper based on evidence of two years of conflict. Mr. Kobeissi doesn’t say why this never happened. Oh, and be prepared to have your story judged.
  • Baiting and demands. After presenting a litany of wrongs, there’s a set of demands presented, often very specific ones. Much better to ask “Would you like to resolve this? If so, do you have ideas on how?” Also, “if you care about this, it must be your top priority.”
  • False dichotomies. After the facts and opinions, or perhaps mixed in with them, there’s an either/or presented. “This must be true, or he would have sued for libel.” (Perhaps someone doesn’t want to spend tens or hundreds of thousands of dollars on lawyers? Perhaps someone has heard of the Streisand effect? The President doesn’t sue everyone who claims he’s a crypto-Muslim.)
  • Unstated assumptions For example, while much of Mr. Kobeissi’s post focuses on last year’s Usenix, that was last year. There’s an unstated assumption that once someone has been on a PC for you, they can’t say mean things about you. And while it would be unprofessional to do so while you’re chairing a conference, how long does that zone extend? We don’t know when Mr. Ptacek was last mean to Mr. Kobeissi. Perhaps he waited a year after being program chair. Mr. Kobeissi probably knows, and he has not told us.
  • Failure to assume goodwill, or a mutuality of failure, or that there’s another side to the story. This is the dramatists curse, the inability to conceive or concede that the other person may have a side. Perhaps, once, Mr. Kobeissi was young, immature, and offended Mr. Ptacek in a way which is hard to “put behind us.” We all have such people in our lives. An innocent act or comment is taken the wrong way, irrecoverably.
  • With us or against us. It’s a longstanding tool of demagogues to paint the world in black and white. There’s often important shades of grey. To avoid drama, talk about them.
  • I’m being soooo reasonable here!. Much like a car salesperson telling you that you can trust them, the dramatic spend a (often a great many words) explaining how reasonable they’re being. If you’re being reasonable, show, don’t tell.

Not all drama will have all of these elements, and it may be that things with all of these elements will not be drama. You should assume goodwill on the part of the people whose words you are reading. Oftentimes, drama is accidental, where someone says something which leaves the other party feeling attacked, a rescuer comes in, and around and around the drama triangle we go.

As I wrote in that article on the drama triangle:

One of the nifty things about this triangle — and one of the things missing from most popular discussion of it — is how the participants put different labels on the roles they are playing.

For example, a vulnerability researcher may perceive themselves as a rescuer, offering valuable advice to a victim of poor coding practice. Meanwhile, the company sees the researcher as a persecutor, making unreasonable demands of their victim-like self. In their response, the company calls their lawyers and becomes a persecutor, and simultaneously allows the rescuer to shift to the role of victim.

A failure to respond to drama does not make the dramatist right. Sometimes the best move is to walk away, even when the claims are demonstrably false, even when they are hurtful. The internet can be a wretched hive of scum and drama, and it’s hard to stay clean when wrestling a pig.

Understanding the rhetorical style of drama so that you don’t get swept up in it can reduce the impact of drama on others. Which is not to say that the issues for which drama is generated do not deserve attention. But perhaps attention and urgency can be generated in a space of civilized discourse. (I’m grateful to Elissa Shevinsky for having used that phrase recently, it seems to have been far from many minds.)

“Think Like an Attacker” is an opt-in mistake

I’ve repeatedly spoken out against “think like an attacker.”

Now I’m going to argue from authority. In this long article, “The Obama Doctrine,” the President of the United States says “The degree of tribal division in Libya was greater than our analysts had expected.”

So let’s think about that statement and what it means. First, it means that the multi-billion dollar analytic apparatus of the United States made a mistake, a serious one about which the President cares, because it impacted his foreign policy. Second, that mistake was about how people think. Third, that group of people was a society, and one that has interacted with the United States since, oh, I don’t know, someone wrote words like “From the halls of Montezuma to the shores of Tripoli.” (And dig the Marines, kickin’ it old skool with that video.) Fourth, it was not a group that attempts to practice operational security in any way.

So if we consider that the analytical capability of the US can get that wrong, do you really want to try to think like Anonymous, think like 61398, like 8200? Are you going to do this perfectly, or are there chances to make mistakes? Alternately, do you want to require everyone who threat models to know how attackers think? Understanding how other people think and prioritize requires a great deal of work. There are entire fields, like anthropology and sociology dedicated to doing it well. Should we start our defense by reading books on the motivational structures of the PLA or the IDF?

The simple fact is, you don’t need to. You can start from what people are building or deploying. (I wrote a book on how.) The second simple fact is repeating that phrase upsets people. When I first joined Microsoft, I used that phrase. One day, a developer grabbed me after a meeting, and politely told me that he didn’t understand it. Oh, wait, this was Microsoft in 2006. He told me I was a fucking idiot and I should give useful advice. After a bit more conversation, he also told me that he had no idea how the fuck an attacker thought, and if I thought he had time to read a book to learn about it, I could write the goddamned features customers pay for while he read.

Every time someone tells me to think like an attacker, I think about that conversation. I appreciate the honesty that the fellow showed, if not his manner. But (as Dave Weinstein pointed out) “A generalized form of this would be ‘Stop giving developers completely un-actionable “guidance”.’ Now, Dave and I worked together at Microsoft, so maybe there’s a similar experience in his past.

Now, this does not mean that we don’t need to pay attention to what real attackers do. It means that we don’t need to walk a mile in their shoes to defend effectively against it.

Previously, “Think Like An Attacker?,” “The Discipline of “think like an attacker”,” and “Think Like An Attacker? Flip that advice!.” [Edited, also previously, at the New School blog: “Modeling Attackers and Their Motives.”]

Open Letters to Security Vendors

John Masserini has a set of “open letters to security vendors” on Security Current.

Everyone involved in product or sales at a security startup should read them. John provides insight into what it’s like to be pitched by too many startups, and provides a level of transparency that’s sadly hard to find. Personally, I learned a great deal about what happens when you’re pitched while I was at a large company, and I can vouch for the realities he puts forth. The sooner you understand those realities and incorporate them into your thinking, the more successful we’ll all be.

After meeting with dozens of startups at Black Hat a few weeks ago, I’ve realized that the vast majority of the leaders of these new companies struggle to articulate the value their solutions bring to the enterprise.

Why does John’s advice make us all more successful? Because each organization that follows it moves towards a more efficient state, for themselves and for the folks who they’re pitching.

Getting more efficient means you waste less time per prospect. When you focus on qualified leads who care about the problem you’re working on, you get more sales per unit of time. What’s more, by not wasting the time of those who won’t buy, you free up their time for talking to those who might have something to provide them. (One banker I know said “I could hire someone full-time to reject startup pitches.” Think about what that means for your sales cycle for a moment.)

Go read “An Open Letter to Security Vendors” along with part 2 (why sales takes longer) and part 3 (the technology challenges most startups ignore).

Boyd Video: Patterns of Conflict

John Boyd’s ideas have had a deep impact on the world. He created the concept of the OODA Loop, and talked about the importance of speed (“getting inside your opponent’s loop”) and orientation, and how we determine what’s important.

A lot of people who know about the work of John Boyd also know that he rarely took the time to write. His work was constantly evolving, and for many years, the work existed as scanned photocopies of acetate presentation slides.

In 2005, Robert Coram published a book (which I reviewed here and in that review, I said:

His writings are there to support a presentation; many of them don’t stand well on their own. Other writers present his ideas better than he did. But they don’t think with the intensity, creativity, or rigor that he brought to his work.

I wasn’t aware that there was video of him presenting, but Jasonmbro has uploaded approximately 5 hours of Boyd presenting his Patterns of Conflict briefing. The audio is not great, but it’s not unusable. There’s an easy to read version of that slide collection here. (Those slides are a little later than the video, and so may not line up perfectly.)

Think Like An Attacker? Flip that advice!

For many years, I have been saying that “think like an attacker” is bad advice for most people. For example:

Here’s what’s wrong with think like an attacker: most people have no clue how to do it. They don’t know what matters to an attacker. They don’t know how an attacker spends their day. They don’t know how an attacker approaches a problem. Telling people to think like an attacker isn’t prescriptive or clear.

And I’ve been challenging people to think like a professional chef to help them understand why it’s not useful advice. But now, I’ve been one-upped, and, depending on audience, I have a new line to use.

Last week, on Veracode’s blog, Pete Chestna provides the perfect flip of “think like an attacker” to re-frame problems for security people. It’s “think like a developer.” If you, oh great security guru, cannot think like a developer, for heavens sake, stop asking developers to think like attackers.

Can Science Improvise?

My friend Raquell Holmes is doing some really interesting work at using improv to unlock creativity. There’s some really interesting ties between the use of games and the use of improv to get people to approach problems in a new light, and I’m bummed that I won’t be able to make this event:

Monday Dec 17th – 7:15 to 9:15pm
835 Market Street, Rm. 619, Downtown San Francisco State University Campus

Register at http://www.acteva.com//booking.cfm?bevaid=234451
In advance- $15 At the Door- $20

What happens when you combine the playfulness of improvisation with
the rigor of science? The Life Performance Coaching Center which
leads people from all walks of life in a performance-based approach to
human development is pleased to host Dr. Raquell M. Holmes founder of
improvscience. Holmes has been bringing the discoveries in human
development and performance to researchers and educators in many areas
of science including biology and computing sciences.

In this exploration for scientists and those interested in creativity
and development, participants are introduced to what the
improvisational arts bring to science. Learning to build with the
contributions of others and see opportunities for improvisational
conversation helps us to take risks and discover new ways of seeing
each other and our work.

Come and play as we break down the social barriers that can inhibit
creativity, exploration and discovery.

Helen Abel, LCSW, has worked with people to develop their lives for
over 30 years as a social worker, therapist and coach. She is on the
staff of the Life Performance Coaching Center where she leads the
popular Playground series {link if available} where people learn how
to use their capacity to create, perform and play. As a life coach she
helps people access these same skills to develop creative and new
kinds of conversations with their friends, family and colleagues.

Dr. Raquell Holmes is Director of Outreach, Recruitment and Retention
at the Center for Cell Analysis and Modeling at University of
Connecticut Health Center. She helps biologists to incorporate
computing and computational resources into their teaching and
research. Community building and improvisational theater are explicit
components of the majority of her National Science Foundation funded
projects. She founded improvscience to provide scientists with
opportunities to develop skills in leadership, collaboration and
innovation. Since its inception improvscience has worked with over a
thousand professionals in Science, Technology, Engineering and
Mathematics education and research.

Two Models of Career Planning

There’s a fascinating interview with Mark Templeton of Citrix in the New York Times. It closes with the question of advice he gives to business students:

There are two strategies for your life and career. One is paint-by-numbers and the other is connect-the-dots. I think most people remember their aunt who brought them a gift for their birthday or whatever and it was a paint-by-number set or a connect-the-dots book.

So with the paint-by-number set, you know ahead of time what it’s going to look like. Then, by contrast, with a connect-the-dots puzzle, you can only guess at what it might look like by the time you finish. And what you notice about that process is the further along you get, the more clear it becomes. It might be a beach ball, or a seal in a Sea World park or something. The speed at which you connect dots gets faster as the picture starts coming into view.

You probably get the parallel. This isn’t about what’s right and what’s wrong. This is about getting it right for you. Parents often want you to paint by numbers. They want it so badly because they have a perception that it’s lower risk, and that’s the encouragement they’re going to give you. They’re going to push you down this road, and faculty members will, too, because they want you to deliver on what they taught you. It doesn’t make it wrong; it’s just that there’s a bias in the system. You have to decide for yourself. The earlier you actually get it right for yourself, the faster and the better that picture is going to look.

And the more time you spend on paint by numbers when you’re a connect-the-dots person, and vice versa, the harder it’s going to be. (Mark Templeton, quoted in “Paint by Numbers or Connect the Dots“)

When I got started in information security, there were a lot fewer jobs. They were less categorized. There might have been degrees in information security, but there certainly were not “Centers of Excellence” churning out graduates. (It turns out “degree” is one of those terms, like “hotel” or “mesothelioma” that’s so heavily SEO’d that it’s a pain to search that history.) Because there was no “paint by numbers” path, people entered the field from a wide variety of backgrounds. Everyone was connecting the dots as we went.

Anyway, I like the analogy, and think it explains why a lot of career advice fails to help its intended recipients.

This is what science is for

In “The Quest for French Fry Supremacy 2: Blanching Armageddon,” Dave Arnold of the French Culinary Institute writes:

Blanching fries does a lot for you – such as:

  • killing the enzymes that make the potatoes turn purpley-brown. Blanching is always necessary if the potatoes will be air-dried before frying.
  • gelatinizing the starch. During frying, pre-cooked fries form a crust faster than raw ones, and they can be cooked at higher oil temperatures than raw fries – which is easier for workflow.
  • pre-salting the interior of the fries. We blanched two batches of fries, one in boiling 3% salt water, one in boiling plain water. The plain-water fries tasted like crap next to the salt-water ones. All subsequent tests fries were blanched in a 3% salt solution.
french-fry-science.jpg

It’s easy to think of science as just being good for building computers and the internet, extending average lifespans, giving us goretex, nylon and vulcanized rubber. Some people may worry that it’s in the weeds when worrying about string theory. But science is an approach to problems. The testing of ideas to see how well they work, rather than loving the idea.

And Dave Arnold, along with Harold McGee and others, and driving the intersection of science and cooking. And while they’re likely to skewer quite a few cows along the way, the results are worth it.

Women In Security

Today is Ada Lovelace Day, an international day of blogging to celebrate the achievements of women in technology and science.

For Lady Ada Day, I wanted to call out the inspiring work of Aleecia McDonald. In a privacy world full of platonic talk of the value of notice and consent, Aleecia did something very simple: she figured out how long it would take for consumers to do what the Direct Marketing Association recommends: read privacy policies.

She then multiplied that by an estimate of how much it would cost, and demonstrated pretty conclusively what we all intuitively knew: the current scheme is a massive wealth transfer because of transaction costs. (I’m interpreting her results here; I believe she would be more conservative in the interpretation.)

Her work also prefigures Cormac Herley‘s recent work “So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users.”

So Aleecia McDonald is my choice for a woman in science and technology who’s inspiring me to think about the economics of security and privacy in new ways.

PS: I have an another choice over at The New School blog. Hey, two blogs, two choices.

How to Make Your Dating Site Attractive

bookio.jpg

There’s a huge profusion of dating sites out there. From those focused on casual encounters to christian marriage, there’s a site for that.

So from a product management and privacy perspectives I found this article very thought provoking:

Bookioo does not give men any way to learn about or contact the female members of the site. Men can join for free, if they have been invited—and if a current Bookioo member can vouch for their information. They can then post a profile for the perusal of the female—and paying—members of the site. It’s those paying women, however, who get to call the shots.

As interesting as the approach is, what’s more interesting is how they came to it. They focused on a set of female customers, and asked what is it that they worry about, and what do they want? Co-founder David Olmos:

We think that women don’t feel comfortable with the current dating sites. The latter are too masculine: they were designed by men and they fundamentally address men’s needs. We know that many women prefer a different approach: they’re eager to socialize, to meet new people, and we propose to do that through activities. It may lead them to find a partner, of course, but they may as well enjoy an afternoon in a museum with a new girl friend whom they met Bookioo! So we propose to socialize through activities, common hobbies and common tastes.

As you can see, we actually want to revamp the “dating” concept, taking the perspective of women. The key issue for us is to make sure that women enjoy the level of privacy they wish and that the males’ profiles are fully validated. (“Bookioo: dating and social networking site gives women full control.”)

It’s also a very different approach to “creep management,” which we’ve covered in past posts like “Emerging dating paranoia,” “Dating and Background Checks in the UK” or “Dating & Background Checks in China

Pay for your own dog food

At Microsoft, there’s a very long history of ‘eating your own dogfood’ or using the latest and greatest daily builds. Although today, people seem to use the term “self-host,” which seems evidence that they don’t do either.

Eating your own dogfood gives you a decent idea of when it starts to taste ok, which is to say, ready for customers to see in some preview form.

Apropos of which, there’s a really interesting post at the Inkling blog, “Pay for your own dog food:”

Using your own product comes with a ton of benefits, because you become your own customer. The quality of your product likely increases because you can’t ignore it’s problems. They aren’t just your customers problems. They are your problems.

We’ve gotten in the habit of actually taking out our own credit card and using it on our own account sign up page. Yes, it’s a bit silly when the credit card processing takes some money off the top. But it makes the feeling very real that you are paying for this, and now it’s an expense just like it’s going to be an expense for your clients.

Non Commercial

If you haven’t listened to Larry Lessig’s 23C3 talk, it’s worthwhile to listen to the argument he makes. As I was listening to it, I was struck by the term non-commercial, and, having given it some thought, think that we need a better word to describe the goals Creative Commons is pursuing.

The term non-commercial reminded me deeply of the invention of non-secret encryption by James Ellis, Clifford Cocks, and Malcolm Williamson at the British GCHQ. Despite having invented what the world now calls public key encryption, the idea languished under both classification and a failure to make the critical jump from ‘non-secret’ to ‘public.’ Even when something isn’t a secret, you might not want to shout it from the rooftops, unless you’re Whit Diffie. In which case you might think that it would be great to have a phone book full of keys. Whit probably wouldn’t have thought of that with ‘non-secret’ keys, but he certainly did think of a directory of public keys.

Defining your movement by what you are not isn’t the best way to rally people to the cause. No one claims to be on either the anti-life or anti-choice side of the abortion debate. Beyond that, I’m going to say that non-commercial as a descriptor may be essential in the legal licenses associated with the Creative Commons licenses. Non-commercial may even be almost the right word but, as Mark Twain pointed out, the difference between the almost right word and the right word is really a large matter–it’s the difference between the lightning bug and the lightning.

So in seeking the right word, it may help to think about what we mean by non-commercial? We mean almost every word we say to our families, children, or lovers. We mean pillow talk, explaining to kids why the sky is blue, and that I would prefer not to live as a vegitable. We mean our scientific papers, our poems and our fair use of the song Happy Birthday. We mean blogging (others may see their blogs as commercial), asking a stranger directions, talking to our elected representatives, water cooler chatter, graffiti, and even all the unneeded words we say to a cashier in a checkout line.

It’s honest speech. It’s human speech. Let’s not demean it by asserting that commercial speech is the norm.

Identity is Mashed Up

I posted last month about Bob Blakely’s podcast with Phil Windley.

Now (by which I really mean last month, wow I’m running behind!) Bob posts that the “Relationship Paper Now Freely Available,” and I’m embarrassed to say I stole Bob’s opening sentence.

Now that I’ve actually read the paper, I’d like to remix the ideas with some web 2.0 Zero Knowledge Infomediation craziness and having thus altered it, send it back out, its identity changed.


One of the core ideas in the paper is that of intermediaries who will represent for you. These intermediaries, who Bob says have a ‘custodial relationship with your data,’ rather than a transactional one, will know lots about you, and gossip as you let them. It’s like letters of introduction or recommendation–you select who you think can represent you well, and if they have a relationship with the person you want to talk to, then things are great.

This is a useful model because a business can perform due diligence on a few of these infomediaries, rather than on each customer. I’m using the phrase infomediary, which some of you may remember from the book Net Worth. The idea was you’d have someone representing you to the net, who would help you get good deals. It was a very consumer-centric idea in some ways, advertising-centric in others.

The difference with the 1990s infomediary concept is that Bob has a great angle on why a business would want to engage with the infomediary, rather than engage in surveillance itself.

It’s a compelling vision, but I’m not sure I buy it as a complete view of identity. As a citizen, I don’t want to work with a single identity provider. The lock in risk seems very high.


But worse, I don’t have one identity. My identity is created through a set of relationships: with family and friends, with employers, but also with colleagues who I’ve never worked with directly (like Mordaxus and Chris) and with former co-workers who aren’t exactly friends. For example, I had a great three hour lunch and walk around Rock Ridge with a fellow who I’d worked with at Zero-Knowledge, and seen maybe once since. I feel a little like Comic Book Guy, caught in a new situation, and forced to say “There’s no emoticon for what I’m feeling!”

Some of our business relationships lead to personal ones, of friendship or romance. The bright lines which once existed are gone. A business which tries to help us with all of these may end up creepy like Facebook. One which only sees one aspect of our lives may well get and give a one dimensional view of us.

I’m thinking of two folks reading this. One is saying “what’s the point?” Another is identifying this as “Adam brain spew.” Which is another way of saying that this is all over the place.

And perhaps, in a world in which we present different selves at different times, that is exactly my response to Bob.

Joseph Ratzinger and Information Security

Joseph Ratzinger (a/k/a Benedict XVI) made some comments recently made some comments that got some press. In particular, as Reuters reports: “Pope in Africa reaffirms ‘no condoms’ against AIDS.” Quoting the story, “The Church teaches that fidelity within heterosexual marriage, chastity and abstinence are the best ways to stop AIDS.”

Many of you are likely outraged. Saying, “sure, if only people would do that, then we wouldn’t need condoms. But people don’t behave that way.”

I’d like to explain what this has to do with information security. Some of you may be saying “sure, but we’re not that bad.”

In information security, we often keep saying the same thing over and over again, because we know it’s right. We tell people to never write down their passwords, to always validate their input, and to run IDS systems. Deep in our hearts, we know they don’t, and yet we keep saying those things. We tell them they “have to” fix all the security problems all the time.

It’s my hope that we in information security will be less religious than the Pope, but there’s plenty of evidence that, like him, we offer advice that makes people shake their heads in disgust.


Wherever you work, whatever you do, it’s worth asking yourself: am I being dogmatic in what I’m asking of people?

Me, I’m being dogmatic about asking you all to keep it civil in the comments.

Public Perception of Security

So the US Consulate in Jerusalem sold a file cabinet full of secret documents. What I found interesting about the story is the perception of the finder:

Hundreds of files — with social security numbers, bank account numbers and other sensitive U.S. government information — were found in a filing cabinet purchased from the U.S. consulate in Jerusalem through a local auction.

“We couldn’t believe what we found,” said Paula, who purchased the cabinets and asked that her last name not be published. “We thought of calling the American consulate right away, and then we thought, you know they’ll just hide it and say, ‘Oh, we made a mistake.'” (“U.S. Consulate Mistakenly sells secret files in Jerusalem,” Fox News)

Transparency is a powerful idea. There’s little risk in disclosing this incident, except to the career of the person who sold the cabinet. Security professionals on both side know that these things happen. If we talked about the incidents we could assess their frequency and see if there are cost effective ways to prevent these things. I expect that there are, but no one wants to add a layer of bureaucracy for a threat that they can’t really assess. There are too many threats and too many ways to address them.