The InfoSec Blog

System Integrity: Without Integrity you don’t have Security

August 22nd, 2008

All I Need To Know About Project Management I Learnt From My Cats

  • The most interesting, creative, fun and innovative people don’t run
    with the pack.
  • You’re a leader because your team believes you are worth following,
    not because you are appointed leader.
  • You don’t lead by giving orders, you lead by motivation.
  • Don’t expect to generate consensus easily, and be very suspicious when it occurs other than spontaneously.
  • ‘Who’s to blame’ is the last question anyone should ask.
  • You can’t make cats or programmers do something they don’t want to do.
  • Avoid the dogs.
  • It’s important to have a plan, but also to have interesting things happen along the way.
  • Curiosity never killed anything except maybe a few hours.
  • Always focus on the goal and the results, not the inconsequentials.
  • Don’t shout at them all the time, only the once when it really matters.
  • One can only force someone to act against their true nature for so long.
  • No matter how hard you try, you can’t baptise cats, and trying to convert some people to The One True Faith is equally difficult.
  • You can’t trust dogs to watch your food.
  • Never hold a dustbuster and a cat at the same time. Never try to hold a debugging session with the original programmer present.
  • Cats, like programmers, pretty much do as they please.
  • Cats, like programmers, make a mistake, and by sheer luck they land on their feet. The next comment from them? “I planned it that way…”.
  • They conveniently “forget” the big rule when it suits them.
  • They are major egoists.
  • They are always sitting in the “command” seat (i.e. the seat you sit in), figuring they are real designers and architects and planners as well.
  • Don’t take it personally, they’re like that with everyone.
  • They are always pouncing on their favourite ‘toy’ and ‘killing’ it.
  • They take highly risky chances just because they can.
  • An understanding cat is better than a therapist; and cheaper too.
  • It’s important to make time to do ‘Cat things.’
  • If it’s not fun, why are we doing it?

In Memoriam, Ulla

August 22nd, 2008

Are Mission Statements High Entropy?

My friend and fellow security droid Gary Hinson asked why so many corporate mission statements end up being utter gibberish, with more meanings than bits.

Hmm.
A ‘bit’ being, according to /usr/share/units.dat, a measure of entropy.

No Gary, I think that corporate mission statements, like political party policies, are high entropy, and have a high negative correlation with observable reality.

Perhaps one of the stochastic/Markov-chaining text generators was used - what were they called? “Racter” or something like that?

As it says at http://en.wikipedia.org/wiki/Nonsense

The problem is important in cryptography and other intelligence fields,
where it is important to distinguish signal from noise. Cryptanalysts
have devised algorithms for this purpose, to determine whether a given
text is in fact nonsense or not. These algorithms typically analyse the
presence of repetitions and redundancy in a text; in meaningful texts,
certain frequently used words—for example, the, is, and and in a text in
the English language—will occur over and over again.

However the Racter-like programs, corporate PR people and political speech writers seem to know this. If you can test for it algorithmically you can generate it algorithmically, so they manage to give ‘nonsense’ the redundancy needed to pass these tests, sucker-punch our cognitive processes and perform memetic subversion.
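Here is that argument as an added example, not code from the original post: a crude redundancy test of the kind the Wikipedia passage describes (letter entropy plus the share of common function words), and an order-1 Markov word chain of the Racter/MegaHAL sort trained on a short constructed passage. The training text, the function-word list, the seed and the two thresholds are assumptions chosen for the demonstration.

```python
import math
import random
import re
from collections import Counter, defaultdict

# Very common English function words.  A meaningful English text is dominated
# by them, which is the redundancy the quoted passage says cryptanalysts count.
FUNCTION_WORDS = {"the", "of", "and", "to", "a", "in", "is", "that", "it",
                  "for", "on", "with", "as", "be", "by"}

# Constructed training text for the chain (assumption: any ordinary prose would do).
CORPUS = """The problem of telling signal from noise is an old one in
cryptanalysis. A message that has been enciphered well looks like noise, and
the test for a successful recovery of the plaintext is that the output looks
like language again. In English the letter e is the most common, and a handful
of short words such as the, of, and, to and a make up a large part of any text.
A cryptanalyst can count those letters and words in a candidate decryption and
decide whether it is text or not. The same counting is useful in a different
way to the people who write nonsense for a living. If the test is a count of
common words and common letters, then a program that copies the statistics of
real text will pass the test, and the reader is left with the job of deciding
whether there is a meaning in it at all. That is harder than it sounds, because
the habit of a reader is to assume that a text with the shape of language has a
meaning in it, and to supply one if it is not there."""

WORD_RE = re.compile(r"[a-z']+")


def words(text):
    return WORD_RE.findall(text.lower())


def letter_entropy(text):
    """Shannon entropy of the letter distribution, in bits per letter.
    Uniformly random letters give log2(26) = 4.70; English prose runs near 4.1."""
    letters = [c for c in text.lower() if c.isalpha()]
    if not letters:
        return 0.0
    n = len(letters)
    return -sum(k / n * math.log2(k / n) for k in Counter(letters).values())


def function_word_rate(text):
    ws = words(text)
    return sum(w in FUNCTION_WORDS for w in ws) / len(ws) if ws else 0.0


def looks_like_english(text, max_entropy=4.5, min_rate=0.2):
    """The redundancy test: low letter entropy and plenty of function words.
    Both thresholds are assumptions chosen for this demonstration."""
    return letter_entropy(text) < max_entropy and function_word_rate(text) >= min_rate


def train_chain(text):
    """Order-1 word chain: each word maps to the list of words that followed it.
    The corpus is treated as circular so that no word is a dead end."""
    ws = words(text)
    chain = defaultdict(list)
    for cur, nxt in zip(ws, ws[1:] + ws[:1]):
        chain[cur].append(nxt)
    return chain


def generate(chain, n_words, seed=2008):
    """Random walk over the chain: text with the statistics of prose and no intent."""
    rng = random.Random(seed)
    word = rng.choice(sorted(chain))
    out = []
    for _ in range(n_words):
        out.append(word)
        word = rng.choice(chain[word])
    return " ".join(out)


def noise(n_words, seed=2008):
    """Uniformly random letters: genuine noise, with no redundancy to count."""
    rng = random.Random(seed)
    alphabet = "abcdefghijklmnopqrstuvwxyz"
    return " ".join("".join(rng.choice(alphabet) for _ in range(rng.randint(4, 9)))
                    for _ in range(n_words))


def demo(n_words=400):
    """Run the detector over the real text, over noise and over chain output."""
    generated = generate(train_chain(CORPUS), n_words)
    return {
        "corpus": looks_like_english(CORPUS),
        "noise": looks_like_english(noise(n_words)),
        "markov": looks_like_english(generated),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:7s} passes the redundancy test: {verdict}")
```

Random letters fail the test and the real passage passes it, but so does the chain’s output, which says nothing at all. That is the point of the paragraph, and it is the usual lesson about any statistical detector, spam filters included: once the test is known, the other side trains against it.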

If reading parts of http://megahal.alioth.debian.org/Classic.html reminds you of conversations with your boss or of televised political debates or radio phone-in shows with politicians, then you’ll understand.


(As a sidebar, I’ll mention that my local talk radio, CFRB, has a show late Sunday where ‘saucerites’ and the like are given a platform. They answer phone-in questions more rationally than the politicians; in fact they actually answer the questions the callers ask instead of sounding off on their own agenda. Perhaps this is why people believe the politicians and not the saucerites.)

Perhaps, as Neal Stephenson speculated in ‘Snow Crash’, there is some Deep Language of our brains and some Politicians know fragments of it.

August 22nd, 2008

Billions and Billions.

No, not a Google, it’s a Sagan!

I’m sure that like me you get mails that read something like

From:Mr.John Lewis
Phone No: 44-702 409 9061

This is to inform you that your funds of US$15 Million
has been approved for immediate delivery to you.

For the purpose of clarification,you are advised to
reconfirm your Full Names,Direct Telephone
Numbers,Physical Address with Zip Code so that there
will be no error during the delivery of the funds to
you in your country of residence.

Your quick response will be highly appreciated.
Congratulations in advance.your mail to this email address .
johnlewis477@yahoo.com.hk
Please Try and call me now Phone No: 44-702 409 9061.
It is very Urgent.
Mr.John Lewis

The Cardsharps

It’s always struck me as illogical that these are rarely addressed to me personally; they are usually to ‘undisclosed recipients’. That’s plural.
Lots of people have been sent this offer for $15M, then.

The second thing that is illogical is that if there is this much money surely they could do the background check on me so they don’t need to ask for my name, address and all the other stuff. I’m in the phone book. And the on-line phone book.

Some of these even give physical addresses and phone numbers in other countries - ‘44’ is the UK dialling code, yet the reply address is in Hong Kong - which may look convincing but is a bit stupid in this day and age when so many people travel and have relatives and friends in other countries. I do recall reading on the net of someone who did scam one of these people by having friends in that country following up.

But that ‘lots of $15M’ raises an interesting question.
Presumably the scam artist is appealing to greed.
The trouble is that it’s unrealistic.

What would be realistic?
Would $15,000 sound more reasonable for some long lost relative?
After all what if I am the eldest son of an eldest son of an eldest son, so some collateral branch of the family we lost contact with during the war leaves a legacy part of which follows that path?

Yes, I know it’s more than most scammers would think worthwhile, but just as the ‘Net has pushed down the cost of unsolicited mail, so too has it pushed down the cost and effort of genealogical research.

Does being sucked in by the smaller but more reasonable amount make more sense than the obviously impossible millions?

Because let’s face it, pitches like

We happily announce to you the draw (#1106) of the UK
INTERNATIONAL LOTTERY,online Sweepstakes International program
held on 12th May, 2007.

Your e-mail address attached to ticket number:56475600545 188
with Serial number 5368/06 drew the lucky numbers:
04-05-16-19-21-49 (bonus no.20), which subsequently won you the
lottery in the 2nd category i.e match 5 plus bonus. You have
therefore been approved to claim a total sum of £500,000 (Five
hundred thousand pounds sterling) in cash credited to file
KTU/9023118308/03.

That went out to ‘undisclosed recipients’ as well.
But since when do these jackpots get disbursed in cash rather than by cheque, with lots of publicity? And why should the cash be credited to a file and not to the winner?
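The tells picked out above (bulk addressing, a request for details the sender should already have, an implausible sum, a phone country code that does not match the reply address, urgency, and cash ‘credited to a file’) can be written down as checks. The following is an added example, not part of the original post: it runs those checks over the two mails quoted above plus a constructed benign control. The To: header lines are reconstructed from the post’s statement that these arrive addressed to ‘undisclosed recipients’; the country tables, the 100,000 sum threshold and the three-indicator verdict are assumptions.

```python
import re

# The post says these mails arrive addressed to 'undisclosed recipients'; the
# To: lines are reconstructed on that basis (assumption).  The bodies are the
# two mails quoted in the post, minus their signature lines.
ADVANCE_FEE = """To: undisclosed-recipients:;

Phone No: 44-702 409 9061
This is to inform you that your funds of US$15 Million
has been approved for immediate delivery to you.
For the purpose of clarification,you are advised to
reconfirm your Full Names,Direct Telephone
Numbers,Physical Address with Zip Code so that there
will be no error during the delivery of the funds to
you in your country of residence.
Your quick response will be highly appreciated.
Congratulations in advance.your mail to this email address .
johnlewis477@yahoo.com.hk
Please Try and call me now Phone No: 44-702 409 9061.
It is very Urgent."""

LOTTERY = """To: undisclosed-recipients:;

We happily announce to you the draw (#1106) of the UK
INTERNATIONAL LOTTERY,online Sweepstakes International program
held on 12th May, 2007.
Your e-mail address attached to ticket number:56475600545 188
with Serial number 5368/06 drew the lucky numbers:
04-05-16-19-21-49 (bonus no.20), which subsequently won you the
lottery in the 2nd category i.e match 5 plus bonus. You have
therefore been approved to claim a total sum of £500,000 (Five
hundred thousand pounds sterling) in cash credited to file
KTU/9023118308/03."""

# Constructed control message with none of the tells.
BENIGN = """To: anton@example.com

The cheque for your $150 speaking fee was posted this morning to the
address we have for you. Let us know if it has not arrived in two weeks."""

MONEY_RE = re.compile(r"(?:US\$|\$|£)\s*(\d[\d,]*(?:\.\d+)?)\s*(million|thousand|m\b|k\b)?", re.I)
PHONE_RE = re.compile(r"\b(\d{1,3})-\d[\d ]{6,}\d")  # country code, then the number
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
PERSONAL_RE = re.compile(r"full names?|telephone|physical address|zip code", re.I)
WORDING_TELLS = {
    "urgency": re.compile(r"\b(urgent|immediate|immediately|quick response)\b", re.I),
    "cash_not_cheque": re.compile(r"\bin cash\b|credited to file", re.I),
}
# Assumed lookup tables and threshold, trimmed to what the samples need.
PHONE_COUNTRY = {"1": "us", "44": "gb", "852": "hk"}
TLD_COUNTRY = {"us": "us", "uk": "gb", "hk": "hk"}
IMPLAUSIBLE_SUM = 100_000

SCALE = {"million": 1_000_000, "m": 1_000_000, "thousand": 1_000, "k": 1_000}

def money_amounts(text):
    """Every currency amount in the text, scaled to whole units."""
    return [float(num.replace(",", "")) * SCALE.get(unit.lower(), 1)
            for num, unit in MONEY_RE.findall(text)]

def parse(raw):
    """Split a raw mail into a header dict and a body at the first blank line."""
    head, _, body = raw.strip("\n").partition("\n\n")
    headers = {}
    for line in head.splitlines():
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return headers, body

def indicators(raw):
    """The tells from the post, each as a named check over one message."""
    headers, body = parse(raw)
    fired = []
    to = headers.get("to", "")
    if not to or "undisclosed" in to.lower():
        fired.append("bulk_recipients")
    # Someone holding $15M for you would not need to ask who you are.
    if len({m.lower() for m in PERSONAL_RE.findall(body)}) >= 2:
        fired.append("asks_for_personal_details")
    if any(v >= IMPLAUSIBLE_SUM for v in money_amounts(body)):
        fired.append("implausible_sum")
    phone, mail = PHONE_RE.search(body), EMAIL_RE.search(body)
    if phone and mail:
        phone_cc = PHONE_COUNTRY.get(phone.group(1))
        mail_cc = TLD_COUNTRY.get(mail.group(1).rsplit(".", 1)[-1].lower())
        if phone_cc and mail_cc and phone_cc != mail_cc:
            fired.append("phone_country_mismatch")
    fired += [name for name, rx in WORDING_TELLS.items() if rx.search(body)]
    return fired

def assess(raw, threshold=3):
    """Verdict plus the tells that fired; the threshold is an assumption."""
    fired = indicators(raw)
    return {"scam": len(fired) >= threshold, "indicators": fired}

if __name__ == "__main__":
    for name, mail in ("advance fee", ADVANCE_FEE), ("lottery", LOTTERY), ("control", BENIGN):
        print(name, assess(mail))
```

The advance-fee mail trips five of the six checks and the lottery mail three, while the control trips none. None of the checks needs anything beyond what a sceptical reader does in their head; the value of writing them down is that a mail filter never gets dazzled by the number of zeros.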

So what it comes down to is that these scams are targeted to people who are dazzled by big numbers and don’t have a lot in the way of critical thinking and scepticism. Scott Adams, the author of the Dilbert cartoon strip, would call them “In-duh-viduals”.

I’m tempted to say that there’s a lot of that about in the western world today for a number of reasons: religious fanaticism, lack of education in statistics, believing that you have a right to gobs of money with no effort … One school of thought is that civilization needs the Marching Morons to act as consumers and keep the machinery of society working, but we don’t want them to be too smart or they might rebel. Cyril Kornbluth explored this idea in his short story “The Marching Morons”. (I recall the false speedometers in cars that gave the impression you were doing the Ton when you were only just doing a bit over 60. This too has come to pass.) It’s been explored in other utopian/dystopian novels such as Ira Levin’s “This Perfect Day”, or the sex slaves of Charles Fourier’s Utopian vision (the utopian socialist, not Joseph Fourier of the transform).
Utopia for some.

If you want to see it applied to our society: yes, Virginia, we do have sex slaves and a ‘conspiracy’ (or at least an emergent property) to dumb us down. While John Gatto has written about how our school system is rigged for this (see
http://antonaylward.com/articles/2006/12/01/dumbing-us-down)
he omits that in many ways the society we have NEEDS the Marching Morons. Large scale questioning of roles and existence would be too disruptive. Isaac Asimov touches on this in his stories, for example ‘Strikebreaker’ (someone has to do the dirty jobs like garbage collection and build and maintain the sewers…) and “Profession”.

But doesn’t that in and of itself mean that the under-educated classes must exist and must therefore be susceptible to scams like the ones I describe above?

It’s a sad, sad world.

August 22nd, 2008

A sign of the times

It seems that many people in HR don’t realise that the interview is a two-way street. Not only are they trying to find out if the candidate is suitable, but the candidate wants to know about the position, the firm, the job and the people he will be working with. The most successful interviews are when both parties realise this and work accordingly.

Thirty plus years ago the company I worked for out of university assumed that the hires were there for their career. As such they invested in them. Training for middle management and beyond began quite early.

One of the first things we got was interviewing skills, that is DOING the interviewing. You might wonder why this was so early on. I was told that part of interviewing was determining if the candidate would fit in with the team. (How different from the attitude where hiring ‘gurus’ and ‘whiz-kids’ for their individual excellence is the only criterion.) Hence the candidate needed to meet the team, and so the team had to understand how to interview.

But today? How many companies invest in training in that strategic manner?
The last couple of decades have been ones where job-hopping is the norm, so why should a company invest in training someone who will shortly be gone? Most people look to their own training, hence the rise of the training companies.

Hence also the rise of evaluating applicants by their training record, and in some cultures the attitude that training and certification are a ticket to a job. Many of us have seen on other forums people posting

“I want to get into security - which should I take first,
a CISSP, CISA or CISM?”

It’s really hard, I’ve found, to convince people with this cultural background and set of assumptions that it’s experience that counts.

I wonder if the same applies to HH/HR/screeners?

I ask because I’m one of those people who isn’t good at classroom learning. I’m better off taking things apart and experimenting. In the classroom I’m a pest: I ask questions as my mind races ahead and “off on irrelevant tangents” - which amounts to next week’s lesson! You’re never going to see a long list of courses taken and certifications earned on any of my resumes.

I’m off doing the “I wonder what if ..”. I think in terms of ‘ability’ rather than skills with specific pieces of equipment and software. I’m more like the guy in Asimov’s short story “Profession”.

Well, it takes all sorts.
