Archive for the 'The Grand Scheme Of Things' Category

The Great RIF..tire Pandemic

Friday, May 1st, 2009

I am joining the ranks of the premature retirees via the route of the RIF, which seems to be a common place to stand these days. Lots of people in little rooms having hushed discussions, sad faces, quiet fears, slumped shoulders. I am sure that the cure is the exit interview on the last day, but since I have the malady I do not know what the end is like. As far as the cause, well, I have theories, but will leave that to the economists of the world and the thieves.

I am told that there are multiple symptoms of the RIF..tire Pandemic and they vary in each case. There is crying, fear, hate, anger, depression, sadness, joy, relief. I am surprised that there is little violence; and hopeful that we do not progress to that.

Out of the recovery comes another wave of emotions and the need to channel yourself into something good: exercise, volunteer, hug your wife, listen to music, walk in the woods. Then plan your budget, change jobs into a job hunter/gatherer/creator.

For me a time to write grants, plan a couple of iPhone applications, take more classes towards a degree that I want. Read “What Color is Your Parachute” again. Write a new resume, hit the pavement of the internet and job search world.

After almost two decades of walking the same road, the new one is hard to see in the mist. The cure is next Friday; wish me luck.

-bob

Unintended Consequences of Human Action

Saturday, November 15th, 2008

Reading on NPR this evening:

How A-Bomb Testing Changed Our Trees

Back in the 1950s, the Americans, the British, the French and the Russians tried to impress each other by “testing” atomic weapons. This involved blowing up multi-megaton bombs in the air in remote places, but the explosions didn’t stay local.

This is an interesting tale of Carbon-14 created by our “activity”. Carbon-14 in the trees, Carbon-14 in Human DNA. This is allowing the study of cell life, etc.

I am not sure where to take this other than to tell you all about it!

The current global crisis

Sunday, October 26th, 2008

John Robb is much scarier than Halloween when he makes some observations about the global nature of the current economic crisis. It’s too short to excerpt effectively, which means it’s easy enough to just go read it.

Our first real global event will directly impact all economic activity from Botswana to Albany. It’s even more interesting since the impact of this event is occurring simultaneously in all places at once.

This is a very bad thing. Not only is the information globally dispersed, but it is likely to recast world’s economic psychology nearly overnight. Fear, uncertainty, and doubt spread at the speed of light. This has/will cause a substantial decline in demand as people and companies become cautious…

Since there isn’t any stable external environment untouched by the crisis, this may become an uncorrectable and self-reinforcing feedback loop. Also, since most economic statistics have substantial lag, we may not even know it is occurring until we reach the next big tipping point.

Hopefully, the global system isn’t as efficient as we designed it to be.

As one of the folks who spent his career toiling in data centers, conference rooms, airplane seats and, yes, even the occasional cubicle, I see both sides of his argument. Fortunately, I don’t think the system is nearly as efficient as Robb is afraid of. I also think, though, that most people are still in denial about the seriousness of the crisis.

This is a case where the constant media distraction of Britney Spears and Madonna helps out–most people are so clueless about the real state of things that they won’t stop shopping until the money is gone and the credit cards stop working. They don’t understand capital markets, credit derivatives, market and credit risk management. They’ve never heard of Iceland, much less realize that it was a First World nation whose currency just collapsed under the weight of the current crisis–kind of a problem when you import pretty much everything.

And even if the captains of industry try to take drastic action, big companies don’t turn on a dime any better than the oil tankers that our economies are so dependent on.

Do I believe that the American standard of living is going to take a big hit? Absolutely. The US, along with Britain, Russia, and most of the countries in between, have all over-spent themselves and the only way to recover from that is to spend less for a while, whether you’re an individual, a family, or even a nation.

It’s not going to be pretty, it’s not going to be fun, but it’s also not going to be the end of the world.

Rule of Law as externality

Wednesday, October 15th, 2008

Lawrence Lessig has an excellent essay, “In Defense of Piracy,” in which he argues that the current copyright regime has externalities which are damaging the very rule of law itself:

It is time we recognize that we can’t kill this creativity. We can only criminalize it. We can’t stop our kids from using these tools to create, or make them passive. We can only drive it underground, or make them “pirates.” And the question we as a society must focus on is whether this is any good. Our kids live in an age of prohibition, where more and more of what seems to them to be ordinary behavior is against the law. They recognize it as against the law. They see themselves as “criminals.” They begin to get used to the idea.

That recognition is corrosive. It is corrupting of the very idea of the rule of law. And when we reckon the cost of this corruption, any losses of the content industry pale in comparison.

Unfortunately, I couldn’t agree with him more. Lessig is now concerning himself with the challenge of reducing corruption. One key element of that is driving respect for the rule of law. The fact that the “content industry” would sacrifice it in a pointless attempt to maintain their profits (or even their existence) is morally corrupt and a perfect example of putting profit before the common good.

Interestingly, I just took a peek at Pete Lindstrom’s blog, where he’s pondering a similar question, asking, “Should I let my kids lie on the Internet?”:

Or even force them to?

I was at a security conference today and two folks were talking who said they never let their kids fill out any online forms with real information. It’s actually a pretty interesting protection mechanism but I am having a hard time getting past the lying part…

In this case, I believe that the negative lesson that comes from teaching small children that there are cases where it’s OK to lie is, like piracy, corrosive to the larger themes that I want my child to learn. I think that it’s more important to teach children lessons about what constitutes unsafe online behavior than that they must hide their identity at all times. We forget that the reality is that, with a little education and higher brain function, using the Internet is extremely safe. This is a much more productive model to impart to our children or elders than, “Lie about who you are on the Internet. That way they can’t find you to kidnap and kill you,” which is the implicit lesson, along with the corollary that no one is who they claim to be on the Internet (phishers, the widows of Nigerian dictators and children of over-protective parents notwithstanding).

So, Pete, to answer your question:
Don’t teach your children to lie on the Internet–or pretty much anywhere else for that matter. They’ll learn it just fine on their own when the time comes. The externality, loss of respect for the truth, is too great a cost to pay. Instead, teach them to mitigate the risk by using their brains. After all, the risk is actually quite low and in reality, when kids do dumb things with people they meet on the Internet, they’re probably going to need to lie to you about what they’re up to and you don’t want them to be too practiced at the skill.

Where do they find the time?

Wednesday, April 30th, 2008

Mike Rothman is skeptical that there will be a “security industry”, and I don’t disagree with him.

I think there will be 0 security professionals in 2012. That’s right, ZERO. I think there will be network folks that specialize in security, and also some data center folks and even more application folks that are security specialists. OK, these are word games and a bit of semantics, but I think it’s an important point. If anyone thinks their only job is going to be security in 4 years, I suspect they’ll end up as a petroleum product sooner rather than later. OK, maybe not 2012, but I’m with most of the big mouth security pundits in saying security as a business will be going away within a reasonable long term planning horizon (7-10 years).

Of course, this leads me to wonder who, exactly, they think is going to do security work. And by “security work,” I don’t mean running Anti-Virus or pleading with sysadmins to patch their boxes. That’s Console Jockey work and it will go the way of all other Run jobs–overseas and down to helpdesk pay levels. When I talk about Security Work, I mean the job of determining the appropriate level of risk for the organization, then defining the mix of controls and tools across people, process and technology to actually achieve it.

Senior Executives don’t know. They just want to know that they’re not having to explain incidents to the press and that I’m still pushing back on every task because my budget is stretched (their measure of whether or not I’m “appropriately funded”).

IT doesn’t know either. If anything, I’m seeing the competence trend running in the other direction in terms of what it’s reasonable to expect an “IT Person” to know about the technology they’re responsible for. More and more, it’s getting harder to even find anyone who actually does the work of touching the technology. I can find Project Managers, Relationship Managers, Program Managers, Application Managers, Support Managers, and every other kind of manager under the sun. What I can’t find are SysAdmins, DBA’s, Developers, or Engineers, and I find this disturbing.

For example, in a recent discussion of what should be the required fields in our application inventory tool, the question came up as to whether or not the data center where the production environment resides should be required. The answer was, “no,” because apparently that’s too much for a system owner or application support person to know–what building their app’s servers sit in. I wish this were an anomaly, but I’ve seen a steady increase in incidents like these, and not just at my current company, either.

And what tech talent I do see, I increasingly wouldn’t bring back from the phone screen if I were the hiring manager. I’ve seen Web developers who didn’t know the difference between the corporate LAN and the Internet from a network visibility/connectivity perspective. I’ve seen support leads who didn’t know how to connect to the application they supported. I’ve seen DBA’s who didn’t know what an index was! These people don’t even understand fundamental aspects of their own core competency and we think they’re going to absorb a volume of knowledge and skills that most specialists can’t even seem to master?

So who’s going to do this work? The applications aren’t going to secure themselves. This is a simple fact, and even if the application can somehow be declared “secure” (which is to say, “secure enough”) in a vacuum, as soon as it starts interacting with users and other applications, all bets are off. Once again, someone has to decide how much security is enough for those interactions, either by declaring a standard or doing a risk assessment and determining what’s acceptable and what’s not.

While there might not be “Network Security” or “IT Security” as we know it today, I firmly believe that there are still going to be Information Risk and Information Protection specialists at all levels of the organization. Just because we’re going to either evolve beyond the world of Console Jockeys or get a job with Rothman at Dairy Queen doesn’t mean that Security Professionals are going away–quite the opposite, they’re going to have to actually become professionals.

So is all hope lost? Not necessarily. Clay Shirky had some really interesting observations on social surplus which apply here as well. Social Surplus is time that a society no longer needs to spend on some activity. For example, people worked fewer hours in the second half of the 20th century, leaving time that had to be filled. In response, the United States came up with things like sitcoms and yardwork.

So if you take Wikipedia as a kind of unit, all of Wikipedia, the whole project–every page, every edit, every talk page, every line of code, in every language that Wikipedia exists in–that represents something like the cumulation of 100 million hours of human thought. I worked this out with Martin Wattenberg at IBM; it’s a back-of-the-envelope calculation, but it’s the right order of magnitude, about 100 million hours of thought.

And television watching? Two hundred billion hours, in the U.S. alone, every year. Put another way, now that we have a unit, that’s 2,000 Wikipedia projects a year spent watching television. Or put still another way, in the U.S., we spend 100 million hours every weekend, just watching the ads. This is a pretty big surplus. People asking, “Where do they find the time?” when they’re looking at things like Wikipedia don’t understand how tiny that entire project is, as a carve-out of this asset that’s finally being dragged into what Tim calls an architecture of participation.

Now, the interesting thing about a surplus like that is that society doesn’t know what to do with it at first–hence the gin, hence the sitcoms.

(if you want to know where the gin comes in, go read the essay–it’s well worth the time)

But consider that if we switch the scale & topics from “The TV Watching of the Population of the United States” to “the use & maintenance of IT,” and then swap Wikipedia with “IT Security,” then other than the scale of it, the same opportunity is out there, if we can figure out how to drive it.

But is it possible to create a Social Surplus within (Enterprise) IT that would be devoted to both improved excellence and ensuring security, rather than just chopped off as cost reduction?

Forecasting Wisdom for a Friday

Friday, December 21st, 2007

From Cory Doctorow:

Whenever someone asks you which of two futures you think is more likely, your best bet is always “none of the above.”

Missing

Monday, September 11th, 2006

[Image: 20060911072025862_1.jpg]

Don’t plan on it

Wednesday, September 14th, 2005

I was disappointed, though not at all surprised, to learn that The DHS has no Disaster Recovery Plan:

It’s disheartening. It’s incredible. But it’s not all that surprising. That’s how some business continuity experts and government officials reacted to the news that 15 out of 19 agencies under the Department of Homeland Security lack fully operational disaster recovery sites—a shortfall that could hinder DHS’s ability to carry out its mission during a service disruption or national emergency.

DHS’s ability to carry out its mission during a disruption or emergency is hindered by a lot more than their lack of a DR plan.

From what I can tell, the best way to keep a building from catching fire would be to put these clowns in charge of burning it down. They truly are The Gang That Couldn’t Shoot Straight.

Quagmire

Monday, July 25th, 2005

This picture is, in and of itself, pretty funny, so long as you’re either
1) Not one of those guys standing by the tree trying to figure out what to do about it; or
2) One of the guys standing by the tree re-telling the story in a bar at any point afterwards.

but then, I noticed the name of the tank…

You can’t make this stuff up.

Why is Department of Homeland Security worrying about file-swapping?

Thursday, June 9th, 2005

Shamelessly stolen from Dave Farber’s Interesting People mailing list

Why is Department of Homeland Security worrying about file-swapping?

Simple, Dr. F:

a) MPAA posits that filesharing will kill the movie cartel.
{Dubious assumption - look at the Sony decision’s effects, but
follow along..}

b) If the movie cartel goes away, people will have less to fill
their time.

c) With less to do, the citizens may well start reading and
thinking again, as they did in generations past.

d) They just might run into the classic line from Pogo:

We have met the enemy, and he is us

and/or the Constitution while reading.

e) Armed with that, they might move to check the power
of Fatherland Security, and maybe even the Administration
as a whole.

f) Ergo, filesharing is a threat to them.

I guess that the Homeland Security boys and girls do some Risk Management after all.