
New Fox Series: When Clouds Go Bad!


Here’s the scenario: you’re a nefarious attacker and you want to compromise some boxes, install your malware and run a little (or huge) botnet. There are plenty of malware and botnet options for you to choose from, but you still need a few things. You need some internet-connected storage on which to host the payload, and you need some internet-connected server to act as command and control. You don’t want these things to be connected back to you, of course. And you need availability and features as well. So basically, you need Dropbox and WordPress.

And that’s what happened.

Some clever criminals figured that if all these sweet features were good for consumers, maybe they’d be good for crime. Dropbox became a spot to host malware, because “People trust Dropbox,” and WordPress became a command and control server for a botnet, because the commands are, after all, user generated content.

Overall, this isn’t a new threat, but a new vector for an old threat. As long as services aim to solve these challenges for consumers, they’re likely to solve them for criminals as well. It becomes a pretty interesting challenge to defend the enterprise from constantly shifting attack vectors. You almost have to monitor your environment continuously.
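One concrete form that continuous monitoring can take for this vector is a timing check on proxy logs: an implant that polls a blog for “commands” leaves a far more regular request pattern than a person reading it, and that regularity survives even when the host is one everybody trusts. The following is an added example, not code from the original post; the log format, the hosts, the paths and the threshold values are all assumptions, and the sample log lines are constructed.

```python
"""Spot command-and-control beaconing in web proxy logs (added example).

Groups proxy requests by (client, endpoint) and flags groups whose
inter-request timing is too regular to be a human browsing.  Log format,
hosts, paths and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed lines: "<ISO timestamp> <client> <method> <url>".
# 10.0.0.5 fetches a payload from a file-sharing host once, then polls a
# WordPress feed every ~60 s; 10.0.0.7 is a person reloading a news page.
SAMPLE_LOG = """\
2013-09-02T09:59:30 10.0.0.5 GET https://dl.dropboxusercontent.com/u/123/update.exe
2013-09-02T10:00:00 10.0.0.5 GET http://blog.example.org/?feed=comments-rss2
2013-09-02T10:00:05 10.0.0.7 GET http://news.example.com/
2013-09-02T10:00:09 10.0.0.7 GET http://news.example.com/
2013-09-02T10:01:01 10.0.0.5 GET http://blog.example.org/?feed=comments-rss2
2013-09-02T10:01:59 10.0.0.5 GET http://blog.example.org/?feed=comments-rss2
2013-09-02T10:03:00 10.0.0.5 GET http://blog.example.org/?feed=comments-rss2
2013-09-02T10:04:02 10.0.0.5 GET http://blog.example.org/?feed=comments-rss2
2013-09-02T10:05:00 10.0.0.5 GET http://blog.example.org/?feed=comments-rss2
2013-09-02T10:07:30 10.0.0.7 GET http://news.example.com/
2013-09-02T10:08:00 10.0.0.7 GET http://news.example.com/
2013-09-02T10:31:12 10.0.0.7 GET http://news.example.com/
2013-09-02T10:31:40 10.0.0.7 GET http://news.example.com/
"""


def parse_log(text):
    """Yield (timestamp, client, endpoint) per line; endpoint is host+path+query."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split(maxsplit=3)
        parts = urlsplit(url)
        endpoint = parts.netloc + parts.path
        if parts.query:
            endpoint += "?" + parts.query
        yield datetime.fromisoformat(ts), client, endpoint


def find_beacons(text, min_requests=5, max_cv=0.2):
    """Return (client, endpoint, count, mean_gap_s, cv) for regular pollers.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests.  Human traffic is bursty (cv well above 1); a
    timer-driven implant with a little jitter stays far below max_cv.
    Host reputation is deliberately not an input: the point of C2 over a
    blog or file-sharing service is that the host *is* trusted.
    """
    seen = defaultdict(list)
    for ts, client, endpoint in parse_log(text):
        seen[(client, endpoint)].append(ts)

    hits = []
    for (client, endpoint), stamps in seen.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((client, endpoint, len(stamps), round(avg, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("beacon: client=%s endpoint=%s n=%d every %.1fs (cv=%.3f)" % hit)
```

On the constructed log this flags only the 10.0.0.5 polls of the WordPress feed; the single Dropbox download falls under the request-count floor and the news-site reloads are far too irregular. In practice the thresholds need tuning per environment, and implants that randomise their sleep widely will push the cv above any fixed cutoff, so treat this as one signal alongside the rest of your monitoring rather than a complete detection.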

Hanlon’s Razor and Government Spying

Hanlon’s Razor says “Never attribute to malice that which is adequately explained by stupidity.”

There’s a lot of content out in the world on the NSA, government spying and Snowden. *A lot* of content. There was a sentence in this blog post that stood out to me, primarily because someone tweeted it.

“[I]f we ever found out just how insecure the Internet is, we would all take our ball and go home.”

The blog post itself is deep into the conspiracy theory that the government is just pulling the wool over our eyes and allowing us to believe we’re making progress.

“After all, if it were so easy to hack into systems to steal sensitive data, the house of cards would quickly fall. But perhaps those in power realize this and severely regulate their tools to be used only when needed. That way, the rest of us IT security professionals would naively play along, keeping busy downloading worthless security patches and updating outdated virus signatures.” But but, if they knew that we know, then they’d have to … oh wait.

I’m all for a good conspiracy, but it just doesn’t pass the Hanlon’s Razor test for me. It seems much more likely that while there’s some clear intent to collect vast amounts of data on the part of the NSA (renaming a program doesn’t really make it go away), the majority of the Government isn’t coordinated or cooperative enough to engage in that kind of a coverup for that long.

That’s not actually what I wanted to talk about, however. What’s underneath this sentiment is the incredibly damaging notion that the goal of information security is to be secure. It’s simply false, and leads to more conflict and confusion in information security than just about anything else. Except in some particular cases, information security should be about risk management, about running a business in a world full of risk. What’s really far more astounding is that businesses continue to succeed, make money and deliver services despite the fact that the Internet, and technology in general, are so “insecure.” It should make us wonder, really, how “secure” you have to be to be successful. And that should drive, in turn, an approach more focused on the business than the technology.

Personal Marketing Checklist

Seth Godin lays out some principles for media moguls here. They’re interesting, and interesting to read, but hard to apply at the moment of media interaction, i.e. just before clicking ‘publish’ or ‘post.’ I thought I’d attempt to translate them to a sort of personal marketing checklist.

  1. Is this the truth?
  2. Is this content or noise?
  3. Who will this post help?
  4. Who will this post hurt?
  5. Is this original or an echo?
  6. Am I trolling?
  7. Who is the audience?
  8. Does this post generate interaction or engagement?
  9. Will this post be interesting in 12 months?

If I mentally run through this checklist with every tweet, blog or post, will it change my output? Are there items missing from the checklist?

Understanding Intent and Control – When Defaults Attack


“A Japanese ministry is conducting an internal investigation after a Google Groups account used for international treaty negotiations was left on its default, publicly viewable settings.”

It’s tempting to say that Google should change the defaults to be more secure. Security professionals understand the default-deny stance really well, but there are other perspectives to consider.

The Intent of the Service

“An official at Japan’s Ministry of the Environment created the group to share mails and documents related to Japan’s negotiations during the Minamata Convention”

First, it’s not that the defaults are bad, it’s that they’re bad for the intent of this user. Consider that he was sharing documents on Google Groups, a system designed for sharing, not privacy. Is it surprising that the defaults are permissive? It shouldn’t be. I’m not sure what else you’d expect. He should have checked the settings.

An IT Service Failure

“[T]he ministry has its own system for creating groups and sharing documents, but it doesn’t always function well outside of Japan, sometimes leading to “poor connections” and a “bad working environment.”

Say hello to the workaround hero. I can’t help wondering if this was the first time he set this up. He must have known that Google Groups would work. There’s a rule from Pragmatic Marketing’s product management course that goes like this: “If product managers don’t do their jobs, the other departments will fill the void.” You might translate that for the cloudy new world: If IT doesn’t offer a service, the Cloud will fill the void.

What happens when the cloud providers do a better job than corporate IT (some would say that some already do)? Is there a BYOD+Cloud driven corporate IT coup coming?


Meeting Rules

The idea of rules about how to have meetings isn’t new. Here’s a somewhat novel list from a company called Urban Airship:

0. Do we really need to meet?

1. Schedule a start, not an end to your meeting – it’s over when it’s over, even if that’s just 5 minutes.

2. Be on time!

3. No multi-tasking … no device usage unless necessary for meeting

4. If you’re not getting anything out of the meeting, leave

5. Meetings are not for information sharing – that should be done before the meeting via email and/or agenda

6. Who really needs to be at this meeting?

7. Agree to action items, if any, at the conclusion of the meeting

8. Don’t feel bad about calling people out on any of the above; it’s the right thing to do.

This list sparked a few thoughts for me. The first rule is technically challenging with the existing calendaring systems. I’m sure that a small start-up can solve this, but if you’re at a company with a standard calendaring application, you pretty much have to select an end time. Of course, if you take rule 1 to heart, and combine it with rule 2, then you can only schedule one meeting a day.

Rule 5 is problematic because people consume information in different ways. In many cases, a conversation is the best way to ensure that information is received. Is that a meeting? Is it a meeting if it involves 2 people? More? I believe it’s the communicator’s responsibility to ensure their information is understood, and a meeting is often the best way to get people to focus on a topic.

Other than that, it’s not a bad list of rules to consider.

The Value of a Liberal Arts Education

I considered titling this post “Why I Work Half as Hard as You” or “Why I’m More Productive Than You,” but both make certain assumptions about the ‘you’ that are quite likely incorrect. I was reflecting this morning about why some people seem to be more productive than others. While there are lots of possible reasons, the one that bubbled up to the top for me can be traced back to my degree in Philosophy and Literature. Here I am with a decidedly Liberal Arts degree working in a business position in a very technical market. Seems like a recipe for failure, yet it’s been a distinct advantage.

Most of what I do as a Product Manager is really about communication. I have to learn things from a variety of sources, some direct and some very indirect. That’s inbound communication. I have to synthesize all of that input, process it in various ways, and ultimately produce results. Sometimes it’s a conversation, sometimes a presentation, often a document. The audiences for these products vary greatly, from developers to executives. The one skill that ties all of this activity together is the ability to communicate effectively.

As a practical matter, the ability to create an understandable, audience-specific sentence without revision results in faster time to completion and therefore more ‘work’ done in a shorter period of time. Grammar and usage might be the base skill here. There are fewer revisions required to get it right, but that’s just the surface layer. The structure of the content contributes substantially to the effectiveness of the communication artifact as well.

The end result is that effective communication with diverse audiences is a primary, if not the most important, skill for product managers.

Design Failure

This is from the Old Faithful Education Center in Yellowstone.



Now, a soap dispenser is a pretty simple device and shouldn’t really require instructions. These, however, do. They were integrated into the sink, but it was done in such a way that they’re nearly impossible to see (if you’re taller than 4′). So, aesthetically pleasing, but hard to use.

Start Ups

I was just looking at the website of a local startup and they list the top 8 reasons to work there (8?).

1. Competitive pay and benefits
2. Relaxed creative environment
3. On-site massages
4. Fantastic free coffee
5. Pool & ping-pong
6. Everyone works on a Mac
7. Thursday is Donut Day
8. Free beer on Fridays

It strikes me that 6 of the 8 are basically free stuff and absolutely none of them have anything to do with the content of the company itself. If you want to attract talent (and maybe they don’t), you have to advertise opportunity and exciting *work* more than free massages and ping-pong. Although ‘fantastic free coffee’ is always attractive, it’s a promise that so often leads to disappointment.

An Existential Theory of Interpersonal Communication

If you are trying to convey some meaning to another person, you are responsible for ensuring that you’ve communicated effectively. A failure by another to understand is really your failure to communicate.

Of course, if you’re the person attempting to understand, the reverse is true; it’s your responsibility to ensure you’ve understood correctly.

In other words, regardless of the situation, you are the responsible subject.


Decision Making is a Skill

When we think of skills, we often think about clearly defined, easily measurable capabilities. There are, of course, soft skills, people skills, etc. I’ve been thinking lately about the skill of decision making. A Product Manager’s job can be roughly divided into general tasks:

  • Talking
  • Listening
  • Writing
  • Deciding

It’s not hard to evaluate the first three. You inevitably listen to someone talk in an interview. They’re generally required to listen. You might solicit writing examples. Decision making seems to be the odd one out. How do you evaluate a person’s ability to, first, make decisions and second, to make good decisions? I’m definitely not the first person to wonder about this. Here are some things to read on the topic: