The Bucket List
By user701213 on Apr 08, 2011
The title of this blog comes from a recent movie starring Morgan Freeman and Jack Nicholson. I confess I have only seen part of the movie - edited, on a plane, with the headphones off for half the movie - but I still "get" the premise, involving two guys in pursuit of accomplishing the list of things they want to do before their lives are over (i.e., before they "kick the bucket"). I have various personal bucket lists that are really more like "short term wanna-do lists." Mine are nothing grandiose like "climb Mt. Everest,"* but they are personal goals which include places I want to visit and in some cases things I want to do when I get there (e.g., hike the Kalalau Trail on one of my trips to Kaua´i, perform Hawaiian music at an "open mic" night without rotten vegetables being thrown in my direction, and so on). It's good to have goals and some of those can certainly include life experiences.
In the context of this blog, "bucket" means something other than "things to do before you kick the ..." For example, we use buckets for things like a) swill, b) mopping floors and c) for the inevitable output of drinking far, far, too much with too little food accompaniment. "Buckets" are receptacles for unsavory things we plan on throwing out, and the sooner, the better.
After multiple years in the work force and in technology specifically, I have amassed a list of concepts, phrases and behaviors I believe should be thrown out with prejudice (meaning, that they never darken our door again). I'm including everything from trite business phrases to entire bodies of obfuscation like "governmentese."
At the end of the day
As one of my professors at Wharton said, "in the long run, we are all dead." I might add, "at the end of the day, the sun goes down." So what? There is nothing wrong with using phrases like "the end result is," which has the twin advantages of clarity and being useful advice for more than a single day.
At the net/net, we lob/lob. Why can't people just say, "the result of FOO is BAR?"
Security is only as good as the weakest link
...and the second weakest link and the third weakest link and so on, because we call them "determined adversaries" and not "lazy pesterers." If you strengthen the weakest link, then the adversary goes for the second weakest link and so on. In short, there will always be stronger and weaker aspects of security and there will always be - depending on what is being secured - people who try to circumvent those security measures. It is certainly good practice to acknowledge weak points of security and monitor those, but if someone can break through security at the second weakest link, the weakest link didn't really matter, did it?
As long as we do not have perfect security, there will always be one point that is arguably weaker than others. There is nothing stunning in this pronouncement unless it's the banality of it.
Zero false positives
Every security vendor in the world whose product detects bad stuff claims they do so with zero false positives. I can do that, too. Just return (hard code) "no problem" to any scan/test/benchmark that your tool checks. An added plus - the performance is excellent since you don't actually have to do anything, woo hoo!
Most people will tolerate a reasonable rate of false positives because very few alert/alarm mechanisms are 100% accurate. To misquote Dickens, "If I could work my will, every idiot who goes about with 'zero false positives' on his lips should be boiled in his own pudding and buried with a stake of holly through his heart."
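The trade-off in this section, as an added example that is not part of the original post: the two scanners, the signature list and the labelled samples below are all constructed for illustration. It scores the hard-coded "no problem" scanner against a naive substring matcher on both false positive rate and detection rate.

```python
from dataclasses import dataclass

# Constructed, labelled sample corpus: (request line, is_actually_malicious).
SAMPLES = [
    ("GET /index.html", False),
    ("GET /search?q=union+station+hours", False),  # benign, but contains "union"
    ("GET /item?id=1 UNION SELECT password FROM users", True),
    ("GET /item?id=1;DROP TABLE orders", True),
    ("POST /login user=alice", False),
    ("GET /view?file=../../etc/passwd", True),
]

# Hypothetical signature list for the naive scanner.
SIGNATURES = ("union", "drop table", "../")


def always_clean(_text):
    """The scanner described in the post: hard-coded 'no problem'."""
    return False


def signature_scanner(text):
    """Naive case-insensitive substring matcher; imperfect on purpose."""
    lowered = text.lower()
    return any(sig in lowered for sig in SIGNATURES)


@dataclass
class Score:
    tp: int = 0
    fp: int = 0
    tn: int = 0
    fn: int = 0

    @property
    def false_positive_rate(self):
        # Share of benign samples that were flagged.
        benign = self.fp + self.tn
        return self.fp / benign if benign else 0.0

    @property
    def detection_rate(self):
        # Share of malicious samples that were flagged.
        malicious = self.tp + self.fn
        return self.tp / malicious if malicious else 0.0


def evaluate(scanner, samples):
    """Build the confusion matrix for one scanner over labelled samples."""
    score = Score()
    for text, malicious in samples:
        flagged = scanner(text)
        if flagged and malicious:
            score.tp += 1
        elif flagged:
            score.fp += 1
        elif malicious:
            score.fn += 1
        else:
            score.tn += 1
    return score
```

A false positive figure only means something when it is quoted next to the detection rate measured on the same labelled set.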
There are no silver bullets
Sure there are. After all, how many vampires and werewolves do you see out there? Not many. So, clearly there are silver bullets and they work pretty well.
Glibness aside, there are, occasionally, silver bullets that are (cliché alert) game changers because they work against problems that were previously considered unsolvable. For example, before there was a vaccine for polio, it was a scourge upon youth - too many kids were left crippled or in an iron lung for life. Thanks to the Salk and Sabin vaccines, polio is almost nonexistent. It's pretty darn close to a silver bullet. Vaccines in general are almost silver bullets when you consider the horrible diseases that they protect against which (rant on) makes parents' reluctance to vaccinate particularly heinous.
Digital Pearl Harbor
You could argue that, perversely, Pearl Harbor did the US a favor by galvanizing public fervor. Prior to Pearl Harbor, there was a strong isolationist movement in the US; afterwards, not. "Remember the Arizona and remember Pearl Harbor" were rallying cries throughout the Pacific war. The attack on Pearl Harbor paradoxically put the US in a stronger position in the long run because they had to rely upon aircraft carriers instead of battleships (the Japanese having done significant damage to battleships at anchor in O´ahu) and, as any student of naval history knows, aircraft carriers were the key to success in the Pacific. (While the lack of carriers spelled the end of the British Empire's rule of the seas, notably as the Prince of Wales and Repulse were sunk in the early stages of the war due in no small part to No Air Cover, duh.)
Admiral Yamamoto - who meticulously planned the attack on Pearl Harbor - nonetheless actually opposed doing so since, as he noted, it would buy him at most 6 months to roam around the Pacific. It was almost 6 months to the day between the attack on Pearl Harbor (December 7, 1941) and the battle of Midway (June 3-5, 1942), at which Japan lost the war. Japan also erred in not destroying the POL (petroleum, oil and lubrication) facilities on O´ahu that would have rendered Pearl Harbor effectively useless as a port.
In short, while nobody wants to have a digital (or other) event that amounts to a) a sneak attack with b) a significant loss of life, Pearl Harbor is a poor metaphor to use because, in the long run, it was an attack that ultimately backfired on the attackers.
Unique means "one-of-a-kind" and requires no other modifier. Unique is thus binary: something is or is not unique, but cannot be "sort of" or "exceedingly" unique.
It's a hard problem
When does anybody ever have an easy problem? If it's easy, it's not a problem for very long! "Hard problem" is the mother of all redundancies.
I have a better phrase: "it's an unsolvable problem." Some problems are not solvable; you merely, if you are lucky, whack away at them until they are less intractable. Or, a problem may be unsolvable as stated and thus you must change the way you think about it to devise better strategies for addressing it.
One of my favorite "it's an unsolvable problem" discussions involves trying to find deliberately introduced malware in code. It's not possible to prevent someone putting something bad in code in a way that is undetectable. Instead of expensive boogeyman hunts (like requiring background checks on all employees of a company whether or not they touch code), other strategies may be more effective, such as having multiple suppliers of a component instead of a sole source (thus reducing the chances that a corrupted core component gives someone the keys to the digital kingdom). Creating more isolation for network elements (e.g., so their interactions with other elements are more constrained and through known paths) is another potential strategy. If I cannot get to a back door to open it, does it matter that it is there? Many things in life do not lend themselves to "solutions" as much as "management." We are better off acknowledging that than holding out false hope of perfect solutions.
A technoid favorite, and entirely too cutesy. Most of us do not care if a solution is elegant or not, as long as it works. To me, elegance involves black tie and classical music. However, I do not need most problem solutions to be accompanied by Chopin and presented by a white-gloved waiter. "Ugly gets you there."
Awesome and Cool
If ever there were words that were overused, they are "awesome" and "cool." It's as if surfer-dude speak has permeated our national consciousness. As much as I love surfing, and "speak the lingo" when I am out in the water, I dislike hearing non-surfers try to use "gnarly" correctly and pepper their lexicon with "awesome" and "cool." These are the same loons who wear "No Fear" T-shirts when they wouldn't even set a toe in the ocean on a flat day, most likely. Only God is awesome: everything else is, at best, spectacular.
Who admits to core incompetencies? I think it is fair for individuals and entities to think about what they should do themselves, which is likely a subset of "things that I am actually good at." If something is a core competency, it's probably not a good candidate for being outsourced to a third party. More to the point, if something is a core mission - it absolutely should not be outsourced, or why are you in business?
For example, I have been concerned about the US National Institute for Standards and Technology (NIST) recently outsourcing some standards development. I restate that I have immense respect for the mission of NIST and the people I know who work there. But they should not, IMHO, be hiring contractors to develop standards for them, particularly not when by definition paying a contractor to develop a standard means it is not a standard, but a "contractor-developed, closed way of doing something that has not been developed with others, with industry, or sanity checked by a broad group of actual experts." If it is proprietary, it's not a standard unless you are handed a monopoly. Which is what happens when the government pays to develop something that they then mandate through procurement - you get a government-proprietary way of doing something instead of an open standards way of doing something. None of which is conducive to use of core competencies.
Think outside of the box
Thinking inside the box is perfectly acceptable for 98% of daily living. For example, if I look in the backyard and see that Thunder is not there, which is more likely to be true:
- I let him in and forgot about it?
- He was attacked by a mountain lion (without my hearing it)?
- He was beamed up by aliens looking for a very noisy and hairy addition to their alien zoo?
My mantra is: by all means, think inside the box, because there is a lot of amassed wisdom as to how you do things well that is just ripe for the picking - far preferable to an expensive experiment to "think creatively" for a problem best solved using current approaches. And let's face it, the majority of tasks that the majority of us do are problems someone else, somewhere, has already dealt with.
Reinvent the wheel
Presumably, once something has been invented it cannot be reinvented, and it certainly cannot be reinvented if someone has a patent on it. Maybe people who are reinventing the wheel were told once too often to think outside the box?
Boil the ocean
The global warming alarmists are convinced that we are boiling the ocean by degrees, so people who say, "we shouldn't try to boil the ocean" are apparently mistaken. Of course, nobody is presumably actually trying to warm the ocean, except - perhaps - surfers like me who would be happy to wear less neoprene in northern climes.
Aside: I am endlessly amused by watching surfers in the water who wear far, far, too much "bundle up gear" in not-all-that-cold water. Such as a surfer I saw in San Diego wearing a) a full suit b) a hood c) booties d) and had some oxygen apparatus on his back - all on a 3 foot day in 57 degree water, which is warm for winter surfing in SoCal. I wanted to ask him, "what are you going to wear when it gets really big and really cold?"
Frameworks are the "F" words of technology. A framework is something that is never actually implemented. It's kind of the scaffolding of technology, actually, because scaffolding can go anywhere and you never really know what the building it rises beside is going to look like.
This is not a verbal cliché but it is a cliché nonetheless. I like tasteful tribal tattoos on Hawaiians and other Pacific islanders: it's a cultural thing ("tattoo" comes from the Polynesian word "tatau" - or "kākau" in Hawaiian, which means "to write"). I even like a tasteful globe-and-anchor on members of the US Marine Corps (which also represents a tribal affiliation of sorts). I really, really hate tattoos on pasty haoles for two reasons. One is the general lack of "truth in advertising;" e.g., a guy I saw who must have weighed 350 pounds, very little of it muscle, with "buff" tattooed on the back of his neck. He was anything but buff, but I guess nobody wants to get a tattoo that says, "out-of-shape pudgewad."
Second, given so many people are getting or have tattoos now, how "individual," and "cutting edge" is it to get one? It's mainstream and crowd following. More to the point, when you get old, tattoos fade, sag, and generally look even more awful than they do now, if that is possible. As the French say, "à chacun son goût" - each to his own taste. But in my opinion, except for Marines and Pacific islanders, I think most people look dumb with a tattoo.
According to one waggish definition, an expert is "someone who knows more and more about less and less until finally (s)he knows everything about nothing." I am, alas, beginning to think that a similar definition can be extended to the way in which some employees and "deputies" of the government express themselves: "governmentese is the language by which one says more and more less and less comprehensibly until finally one says nothing that can be understood." (To be fair, the same can be said about academia, particularly in areas of study that have been strip-mined more than Appalachia, and technologists who insist upon speaking in acronyms - without spelling out first use - such as SOA, CRSF, and EIEIO.)
I am particularly frustrated by government documents that
a) do not clearly define a problem
b) are written in passive voice, so that the actual actors (and direct objects of the acts) are unclear, and that thus obfuscate who has actual responsibility, if anybody does**
c) make heavy use of acronyms and jargon that is not spelled out (e.g., VBBWAR, which stands for Very Big Bureaucracy Without Actual Responsibility)
People who are proposing legislation that's going to cost somebody something - probably a lot - or are proposing building something - that will cost a lot - have a responsibility to articulate clearly what they mean, who does what, and with what proposed effect.
Information sharing is a mantra for every problem in cybersecurity: if only we shared more information with more people, we'd all be more secure. This is postulated as a Universal Truth.*** My response to this is that I am happy to share information: I don't like any opera written after Puccini died, I think post-modern anything is by definition dreary, devoid of moral values and second rate, my weight and age are...OK, I am not going there. I could "overshare" a lot of information that might be of interest to somebody but to the larger security populace, oversharing of information is:
a) not relevant
b) does not help anybody mitigate risk better
c) is a tactic and not a strategy
d) risks "hardening of the digital arteries" to the extent more and more information is shared and drowns out or crowds out the really useful information in our technical and neural pathways.
Finding the useful nuggets in a sea of overshared information is like looking for a platinum needle in a haystack of silver needles: "good luck with that." The next time someone proposes "information sharing" as a solution, let us ask them "to what problem? And what information, precisely, and to whom?"
I would agree that selected information sharing may help us improve the security of the commons if it enables collective situational awareness that we do not have now. Unfortunately, most people who opine on information sharing want to feed at the public trough as they create frameworks, repositories, standards and so forth as to how to do it, and offer information sharing as the cure for all digital ills. Presuming, of course, that all that shared information only got to the right people, and wasn't shared with or leaked to the wrong people. As we've been so recently reminded, sharing more information with more people carries its own set of risks. Thus, the problem with looking for the platinum needle in a haystack of silver needles is that you may prick yourself and lose a lot of blood before you find what you are looking for.
* Mostly because, while I like reading about mountaineering, I have no interest in doing technical climbing. And anyway, being hauled up Mt. Everest by a guide when you have no actual technical climbing skill in my book does not count as "climbing Mt. Everest."
** "Mistakes were made" is the poster child for responsibility avoidance masked in passive voice.
*** "It is a truth universally acknowledged, that a single man in possession of a good fortune must be in want of a wife." This, the opening line of Pride and Prejudice, is one of the catchiest and most-quoted first lines of a book, the other two being "it was a dark and stormy night" (the opening of Paul Clifford by Bulwer-Lytton), and "In the beginning, the world was formless and void," the opening of the book of Genesis, whose authorship is a matter of faith.
Book of the Month
The Twilight Warriors by Robert Gandt
This is a wonderful read about the air battle for Okinawa, which was the most expensive naval battle in American history. It is very well researched but also reads well: you have a strong sense of the players, the terror caused by the kamikaze attacks, the valor of the defending pilots and ship crews, and the human cost of the carnage. Well worth the read.
I picked this up because my local Sun Valley bookstore had it on their staff picks list. About three pages into it, I was hooked. If you think, "why would I want to read a book about ranching in South Dakota," you are missing a treat. It's a poignant book encompassing natural history, hopes, dreams, and the unique ecology of the buffalo. The Great Plains evolved around the buffalo and has - devolved, for lack of a better word - under cattle. A beautifully written book that will sweep you up in the life of a buffalo rancher.
Killer Summer, Killer View, Killer Weekend by Ridley Pearson
These are just fun "thriller" reads, set in Sun Valley and starring a protagonist - Walt Fleming - whose name is a whisker away from the real-life sheriff, Walt Femling. (As of this writing, Sheriff Femling has just retired after a 24-year career of public service to Blaine County. Happy retirement, Walt.) As the book notes, the sheriff of Blaine County looks after a county bigger than the state of New Jersey. They are great reads and I enjoy them as much for the celebration of Sun Valley - gorgeous views, and outdoor living punctuated by "got-bucks" living - as for the fact they are great page turners "I betcha can't read just one."
Unbroken: A World War II Story of Survival, Resilience, and Redemption by Laura Hillenbrand
This is the "amazing but true" story of Louis Zamperini, a former Olympian and "survivor" par excellence. He survived his plane being shot down over the Pacific, 47 days in a raft, and years in Japanese captivity where he was the target of a particularly sadistic guard. Meticulously researched, brilliantly written, it is a book that will lift the spirit of all who read it. Sometimes truth is not only stranger than, but more transcendent than fiction.