I have been rather silent on the blog front for some time. The reason has not been a happy one. I went through something very painful this summer that all of us inevitably experience: the death of a loved one. In my case, it was my best friend of 17 years – though Kerry was more than that, truly. As my sister says of him, echoing Alec Guinness in Star Wars, “there has been a disturbance in The Force.” Someone who was larger than life leaves a void in many lives, most especially mine. For a while, I was tied up in his illness, then the funeral, and then I just could not pick up my virtual pen because it is hard to live through this, much less write about it. The blog entry I really meant to write (about force multipliers) kept being crowded into the back of my mind, because I really needed to write about my friend Kerry and the meaning of legacy.

The occasion of death is a forced milestone in that it is a logical time to assess what matters in life. And what seems to matter to us during our lives is often not what matters after one’s course has run. There’s a story about a man reading that John D. Rockefeller had died and asking a companion, “How much money did he leave?” The answer was, “All of it.” All the things we think matter in terms of accomplishments, press clippings, portfolio, and so on, are dust in the wind once we are gone. Even having a building named after you is not all that permanent. The sages of Israel taught of Herod’s temple in Jerusalem: "Whoever has never seen the building constructed by Herod, has never seen a beautiful building in his life." Herod’s temple took over eighty years to build, yet the Romans utterly destroyed it in a matter of days. All we have left is a retaining wall of the temple structure and a holy day to mourn its destruction: Tisha B’Av.

No wonder that Jesus wept over Jerusalem and advised his disciples, "Do not store up for yourselves treasures on earth, where moth and rust destroy, and where thieves break in and steal. But store up for yourselves treasures in heaven, where moth and rust do not destroy, and where thieves do not break in and steal. For where your treasure is, there your heart will be also.”

Kerry did not leave a legacy in things the world values. He left no assets. No property. No portfolio. No bank account. No buildings named after him. No children. Yet he left a very rich legacy in many hearts. People who loved him. Lives he changed, mine in particular. To name two things near and dear to my heart, Kerry taught me to surf, and talked me into buying my house in Idaho. Oh, and committed me to buying a dog without asking (said dog, Thunder, is howling for a treat as I write this). How can you thank someone for giving you a life, or for helping make you who you are? I can’t really imagine what my life would have been like without him, except that it would have been so much poorer.

The number of calls, cards, emails, and so on I have gotten from people who knew him and cannot believe he is gone astonishes and humbles me. And the way they talk about him is a reminder of what really matters to people. One friend said that Kerry was the only person he could ever trust with money – after years of being burned by partners in business. Kerry not only made my friend good money, but was giving away his “trade secrets” by teaching my friend to do what he did in the markets. The financial institution he cleared paper through called up (to a person) to tell me how much Kerry had meant to them though none of them had met him personally: “We talked every day for four years and we didn’t just talk about the stock market; we talked about life.”

Particularly as we watch the recent economic meltdown caused – if I may be indulged here – by a number of people at all levels of society engaging in financial deception or delusion (such as buying a house one knows very well one cannot afford and that is bigger than one needs, or taking equity out to finance a lifestyle one cannot afford) – Kerry stood out. He always “paid cash or did without.” An old-fashioned value that the world needs more of.

He also had the most honest business model that I know of, one in which he took part of the risk that he assumed for his clients. I get lots of cold calls from money managers. I tell them if they are willing to work on the same basis as Kerry did, I will consider it. Kerry made 25% of closed out net capital gains, which means if he lost clients money, he had to make it back for them and be in the black before he made any money for himself. None of these MMLs (money management leeches) take my offer, and typically stutter that my counter-offer is not reasonable. I reply that they want to get paid regardless of whether they earn me money or lose it all. The risk, in other words, is all mine, and none of it is theirs. What, one asks, is fair about that? Kerry only did well if his clients did well. A “square deal meal” kind of guy, an increasing rarity in a world where so many are without honor or integrity, and where many are happy to take the reward on the upside but want a bailout on the downside of risk (which economists rightly call a “moral hazard”).

Back to my point, a legacy of changed lives is all that we can really leave behind us that matters. Yet for some reason, in the software industry, “legacy” as a term seems to only be uttered with a sneer. “That is a legacy system” is almost always said with disdain. Why? What’s wrong with old code? Actual users (remember them?) think “legacy” means “something that works, that meets my business needs and is paid for and I am happy with it so I want to keep using it if possible.” Software kahunas think “legacy” is a pejorative term, and that new is always better, old is always bad, and we all need to upgrade “just because.” (The last software upgrade I went through required me to install all new client software with really poor instructions – uh, is there some reason I should have to magically know to rename a file to BLAHBLAH.exe? – and I absolutely lost it. It was the weekend Kerry died and the thing that caused me to break down and “lose it” was the software upgrade, not Kerry’s death. The three most dreaded words in the English language, as all parents learn to their dismay on Christmas Eve at 3AM, are “some assembly required.”)

Merriam Webster defines “legacy” as follows:

1 : a gift by will especially of money or other personal property : bequest

2 : something transmitted by or received from an ancestor or predecessor or from the past

I’ve talked about the first meaning of “legacy.” Now, to the second. Granted, not everything in the past is worth pulling forward and celebrating, but many things are. At the very least, the passage of time allows us to pan through historical dust to find nuggets of permanent value. The second meaning of legacy reminds us that not everything new is wonderful simply because it is new. In particular, the belief that “new and improved” equates to progress is almost a de facto religious belief among many technologists. Yet never has the half-life of technological progress been shorter. Who among us really remembers (or cares) who invented the FOOBAR protocol? Especially when the FOOBAR protocol will be overtaken by something else within a few short years.

Many of the things that historically matter to us now were not obvious to the citizenry of the time (does anybody remember the number one tentmaker in Jerusalem circa 30AD? Yet most of us have at least heard of an obscure carpenter/rabbi named Yeshua). Western civilization, for example, has percolated along quite happily on the strength of the ideas and writings of (if I may be forgiven) innumerable dead white males. Has anyone in the 21st century approached the stature of Rabbi Yeshua or other dead white males (Aristotle, Plato)? We may only know in hindsight. Despite the compressed lifecycle of so much we work with and work on, we should resist the temptation to engage in hagiography on the strength of anything short-lived or of recent occurrence, because we will probably be wrong about who and what really mattered.

An example of near religious ecstasy around technology is all the hoopla around cloud computing, if anyone can decide what it actually is. If by cloud computing, someone really means “software as a service,” that’s not actually a “new” idea at all. It’s been around for eons (remember Compuserve?). And many software vendors offer hosted applications and make a nice business out of it, too. Software as a service makes sense in some scenarios (is that alliterative, or what?). I personally outsource buying anything electronic to my brother-in-law, who does extensive market research and then tells me what to get. “Gizmo-buying-as-a-service” works for me.

If cloud computing is the idea that all your “stuff” will magically be “out there somewhere, in the cloud,” well, that is looney tunes for obvious reasons. Just think basics. I still have cookbooks if for no other reason than I can “fire them up” without waiting for software to load, and I would really hate to have to access recipes in the cloud. Open book, read recipe, book does not need rebooting, ever. Sometimes I do look for recipes online when I realize (in Idaho) that the cookbook I had with my pecan bar recipes is in San Francisco. So, “recipes as a service” might be useful sometimes – but I sure do not want the recipe server to be down when I am in the middle of cooking Thanksgiving dinner.

More to the point, the “it’s stored wherever, and you don’t need to know where” hype around “everything will be in the cloud” is technogobbledygook. There are many things you aren’t going to want to store “somewhere out there,” for good reasons, especially if you have no idea how secure it is and it is something you find valuable. Imagine someone saying, “Mrs. Smith, we can’t actually tell you where your daughter Janie – who you dropped off at day care this morning – will be during the day, she is out there in the daycare cloud someplace, running around, we are not really sure where. But trust us, when you stop by at 5 to pick her up, we’ll have her at the right place.” Yeah, right. Not surprisingly, security people are not buying the “somewhere, out there” model of cloud computing. Nobody should. At the very least, instead of having somewhat defensible enclaves of security, you’d have to make everything secure, which is simply not possible.

I was reminded in a frightening way recently that people worship new technology without in many cases either analyzing what problem it solves or whether the benefits are worth the risks. Specifically, I recently heard a highly placed official in the Department of Defense opine about the fact that DoD wants to embrace Web 2.0 because (to paraphrase), “We need to attract and keep all these young people and they won’t work here if we don’t let them use Facebook in the workplace.” What are people going to use Facebook for in the Defense Department, one wants to know? <“Hi, my name is Achmed and I am an Al Qaeda operative. I like long walks on the beach and IEDs. Will you be my friend?” I don’t think so.>

The official went on to say that industry really needed to secure all these Web 2.0 technologies. At that point, I could not contain myself. I asked the gentleman if the Department of Defense was planning on taking container ships and retrofitting them to be aircraft carriers, or buying Lear jets and making them into F-22 Raptors? No, he said. Then why, I offered, does DoD think that the IT industry can take technologies that were never designed with security in mind and “secure them?” Why is IT somehow different that we can, ex post facto, make things secure that were never designed for the threat environment in which they are now deployed? People don’t use a road bike to mountain bike, I don’t use my short board to surf big waves (if I surfed big waves, that is, which I don’t. But if I did I’d get a really expensive blank and get someone to shape me a Big Wave Board, aka “rhino chaser”).

Your “tools” need to be designed for the environment in which they are going to operate. If they aren’t, you are going to have trouble my friend, right here in River City (with apologies to Meredith Willson). To put it even more succinctly (more apologies to Meredith Willson): “You gotta know the territory.” Meredith Willson was not writing about security when he wrote The Music Man, but “you gotta know the territory” is as succinct a description of a security weenie’s responsibilities as ever there was.

Mind you, I understand that the idea of collaboration is a powerful one and, if it is appropriately secure, can be a powerful construct. We read, for example, that the intelligence community has created an internal Web 2.0 construct called Intellipedia (along the same lines as Wikipedia). It makes sense that, instead of having one expert on, say, Syrian antiaircraft defense, that that person’s knowledge can be written down and accessed by others. In a way, that kind of collaboration facilitates “legacy” because someone who knows something valuable can share it with others far more easily than through one-on-one oral transmission. But there is a big difference between “let’s embrace collaborative constructs” and “let’s allow insecure and unsecurable Web 2.0 technologies into a classified environment.”

The key to the new is remembering the universal truths of old – legacies. This is particularly true in security in that, while the attack vectors may change as the technology does, there are principles of security that do not change (“trust, but verify” works just as well for IT security as for arms control). Remembering and applying “legacy truths” will help us to avoid getting wrapped up in the latest technical fads as something “new and different” when really, it is just the same security issues wrapped in shiny new code.

There’s a great story from Jewish lore about King Solomon challenging a servant to find a magic ring for him, magic in that a happy man wearing it would become sad, and a sad man would become happy. After a long search, the servant brought to King Solomon a ring engraved, “This, too shall pass.” Technologists would do well to remember that story.

I admit to being more backward looking than forward looking. But this much I know: the “old legacy” values that Kerry lived by are still timeless ones. “Honor thy father and mother.” “I am the Lord thy God, you will have no other gods before me.” “For where your treasure is, there your heart will be also.” Kerry died penniless, but richer than anybody else I know. That he gave of himself to so many people is the legacy he leaves us, and I for one feel so blessed to have known him and to have been cherished by him. As for grief, “this too, shall pass,” and someday I will only remember the happy memories.

The only accolade – the only legacy - that matters at the end of your life is the one that I know Kerry heard from his Creator in the early hours of August 17: “Well done, thou good and faithful servant.”

E Keli, ‘o ku’u pu’uwai ‘oe, mau loa.

Remembering Kerry:


Ua lawa.

Book of the Month: Tried By War: Abraham Lincoln as Commander in Chief by James M. McPherson

A really fascinating look at how Abraham Lincoln influenced the military course of the Civil War, devising strategies that (once he could find generals who would adopt them) made a critical difference, such as attacking the Confederate lines at two different places at the same point in time. You also have a new appreciation (and frustration) of what Lincoln went through to find generals who understood how to win. And lastly, I have a new appreciation for the element of moral courage Lincoln displayed in prevailing against long odds. In 1862, the Democratic controlled Congress was whining that the war was taking too long, costing too many lives, and the North should sue for peace at any price, including taking the issue of slavery off the table. Had it not been for Lincoln’s moral courage in staying the course, the world would look very different indeed. Leadership is, among other things, taking the long moral view and not merely the expedient political one.

McPherson also wrote the Pulitzer Prize-winning Battle Cry of Freedom.


It’s that time of the year again. A really lovely album of Christmas music (not all of which is in Hawaiian) is:


Herod’s temple:


About Meredith Willson:


This, too, shall pass:



"While I enjoy a good pray as much as the next guy, I try to stay away from methodologies which depend on same. There was a project I worked on that put a cloud up for the network piece. When someone asked why there was a cloud there, the PM responded that "that's where miracles come from". Mmmm-hmmm... ;) " - Bambi Bellows, on oracle-l

Perhaps you left something out, but your money manager wouldn't make money unless his customers did - and he died penniless?

Regarding using insecure technology: Couldn't you say the same thing about the problem of non-repudiability on the Internet (that is, you can't say for sure who has sent what)? Haven't the Chinese had their way with the Pentagon? And on usenet, I laugh at people who say things like "We're on and we don't have any backups and..."

Still wondering if you even read these comments.

Posted by joel garry on December 09, 2008 at 09:32 AM PST #

Hi Mary Ann, I just wanted to say how sorry I was to read today the reason why you have been absent from your blog for so long. Your friend Kerry sounds like a wonderful person and, as ever, you have written about your experiences in a compelling, thought provoking and, on this occasion, heartfelt manner. I hope your pain has begun to lessen and that you can start to recover. I have always really enjoyed reading your blogs as I always learn something and your approach to challenges often makes me think of how I tackle issues in my role as an enterprise architect. I look forward to reading more in the future, Kind regards Rhona MacLennan

Posted by Rhona on December 18, 2008 at 02:00 AM PST #

Mary, thank you for the open heartfelt words. I was touched. I did not know Kerry, but could feel his legacy and spirit through you. There is a great need to remember and apply “legacy truths” in our security practice. The fundamental truth is that information security is a means, not an end. Where there is appropriate security, there can be trust and confidence. Without this systems and data are of limited or value. Just as in life, without trust, information and relationships are largely worthless. Apparently, Kerry personified this truth, a true legacy, and it is a reminder of what really matters most. Thank you for sharing with us.

Posted by Michael Carter on January 05, 2009 at 11:43 AM PST #
