Are IT Security Professionals Less Happy?
zentanu writes "It's said that if you want to be happy, be a gardener. What about IT security professionals?
Having worked as an IT security consultant for several years, I now wonder if my job has a negative influence on my happiness, because it constantly teaches me to focus on the negative side of life: I always have to think about risks and identify all sorts of things that could go wrong.
As an auditor I search for errors that others have made and haughtily tell them. As a penetration tester I break systems that system engineers and administrators have laboriously built. I assume inside threats and have to be professionally suspicious. The security mindset surely helps me in my job, but is it good for me on the long run? What kind of influence has being an IT security professional had on your general attitude towards life? What helps you stay out of pessimism and cynicism? Is protecting existing things really as good as building new ones?"
Who watches the watchmen? Being a security wonk is going to be our version of being a member of the secret police. Check out how they went historically in terms of happiness.
I hate doing security work (why can't we just assume that all users are friendly people who would never rickroll or goatse anyone?), but I still don't like life. ;)
YES.
Real Question: WHY?
"As an auditor I search for errors that others have made and haughtily tell them."
You must be very popular.
I'm an IT consultant with over 30 years experience since I graduated. There are good times and bad times.
The good times for me were in the mid 1990's when I worked in the old Soviet Bloc. There, I could see the work I was doing making a difference.
The bad times were when the company I worked for got taken over and the whole job changed. Suddenly we were supposed to apply production line metrics to consulting assignments.
Luckily I got out and started on my own.
However in your job, it does seem that you are predominantly occupied looking at the down side of IT. Keeping those pesky hackers at bay is not a job I'd want to do.
I'm a fairly creative person. So I have concentrated in spending more time doing things outside of IT.
I've just signed a deal to get my first novel published. Not a huge amount of money. But I can concentrate on the positive for at least part of the day.
Perhaps you do really need to take a long hard look at your work life balance.
I'd rather be riding my '63 Triumph T120.
I have never *ever* used my job when considering my own self worth.
Jobs are the means to make money. Sure if you enjoy them, great, but if you don't, and you judge your self worth by them, well then you're fucked.
It's better to have other measures, other means to judge how well you are doing in life. For me it's my open source coding, and my amateur science efforts, as well as being a dad. Any job I do is only, and will only ever be, the means to provide the necessities of life, like savings, a home, money for my kid and such.
Ok, that's important, but it's not a thing upon which your self image should be based. At least that's how I feel.
A learning experience is one of those things that say, 'You know that thing you just did? Don't do that.' - D. Adams
I myself am an IT security professional, and I am deeply depressed, and have asked myself the exact same thing. I've tried all kinds of SSRIs and SNRIs, 5-HTP and herb crap.... Nothing helps besides benzos and alcohol.....
If this mindset is a general thing amongst us, is this profession chosen by sceptical depressed cynics, or does the work make us that?
I can think of a few jobs that are a lot less happiness inducing, like insurance actuary... placing bets on how long people have to live must be a downer.
OTOH, if you can learn to leave work behind when you go on vacation then IT security pays a decent salary and you should be able to afford a relaxing and distracting trip to wherever entertains you, especially in nature settings.
It's all about your attitude. Is the glass half empty or half full? Injurious suffering or ardent happiness is a choice.
I had one of the misfortunes to assist the DJJ to stop a guy who was contacting underage kids using IM. Sadly we did find him and the guy committed suicide a week later!! So yes I completely understand what you're saying.
Why do you think they call them server farms?
Seriously, being a system admin is like being a commercial-grade landscaper or farmer.
If a system admin has a good job, he'll have the authority to decide what to plant/what equipment to install, what to feed it and how often to water it/what scheduled hardware and software maintenance is necessary, etc.
He will also tend the garden/maintain the system and reap and share the rewards for his efforts/get paid and have happy customers or bosses.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Reframe it if you're unhappy or get out. Consider that you could be a Police Officer or a Pediatric Oncologist.
But at the same time, you can approach your work as challenges to overcome, and ever revel in the cleverness of the attacks, as many are quite clever -- thus the attraction for many. Yea, if a client gets hacked it sucks, but that's the game you play.
Enjoy the hunt, enjoy the chase, enjoy the race to keep them out before they get in. Otherwise, find another line of work.
Come on. Get over yourself. Cops, lawyers, doctors, nurses, paramedics, military people... these walks of life deal with human misery, pain and suffering every day. If you're so worried about offending your sunny disposition maybe you should join a convent.
Listen, in any field if you can't take enjoyment out of what you're doing then (a) you should change your profession, or (b) realize if you can't do (a) you're in the same boat with about 80% of the rest of the population.
As a member of the IT world, security-related or otherwise, you have intellectual challenges and brain-teasers to deal with on a constant basis. Testing your knowledge and skill, forcing you to re-evaluate whether you're as good as you think you are every step of the way. And yet, even in such a position you're bound to go through times when you find yourself working for some real asshole(s). They're no fun, either, but you have to keep plugging away.
Either that or apply for a job at the factory where they make those "Have A Nice Day!" bumper stickers. Oh wait ... that's in China. Never mind.
Very, very negative people. And your peers are constantly jibing you. Any differences in opinion are made fun of. People at work are 50/50. Some think you're really smart, and understand business and tech would be nowhere without computers. But then there are the others, who think you're like the CEO, and getting paid for nothing (future IT professionals). But the worst thing, as an IT pro, is that you mostly work with Windows, and that's always a bummer.
A good number of them would be checking bags on the way out of BestBuy if they didn't know how to boot a PC.
My experience lately is that security people, generally, are:
a) not intellectually curious,
b) fearful of change,
c) often suspicious of others' motives because they, themselves, have malevolent intentions, and
d) powertrippers, because they've been given power to second-guess solutions they weren't technically-savvy enough to come up with themselves.
It's fun to discuss something like IPv6 with an IA weenie. He doesn't understand it, so it must be a threat!
BTW, I work for a large federal organization, where these people are everywhere.
Just think about what a cop or a detective has to deal with.
Being a "security" expert doesn't make you special in any way. As a developer I not only have to do that, I have to tell people around me their code is shit, their setup is bad for more reasons than just security, then I have to help fix it. You're just catching what the worst of us might miss, more of a QA job by that point.
It's a job. If you can't deal with it I'd say it's a personal problem. I go home, have a beer, smoke a joint, get ready for the next day's battle.
Oh yeah, and creating is much better than destroying someone else's work :)
After all, the IT security people know what it takes to make things secure, BUT they aren't allowed to make it secure.
Why? Because that would make it too much of a hassle for the end users, or some bean counter says it'll cost too much.
I get less pay working in IT than I do working in McDonalds as a manager.
I used to be a software developer for many years and am now in IT security. For me, IT security is actually more satisfying. I'd much rather be the person responsible for finding security weaknesses and assessing risk than the person responsible for getting high quality systems built under tight deadlines.
When you present your security assessment findings to the developers/engineers, there's no need to be haughty about it. Nobody's perfect and every system is going to have some bugs and weaknesses in it. Just present the risks in a matter of fact way so that the people in charge will understand and can make informed decisions on what to fix and how quickly.
Also, when you do security assessments / pen tests, why not also include a section in your report where you tell the developers what they're doing well from a security standpoint? I always do this, which helps to balance out the negative aspects of a pen test and makes the developers feel good before I show them what they need to improve on.
Those don't sound like security professionals... I've run into people like that, they're the ones who applaud "security theatre" solutions like Vista's UAC, but I wouldn't call them "IT Security Professionals". They sound more like the mob over in QA pushing ISO9000.
The security mindset surely helps me in my job, but is it good for me on the long run?
No.
What kind of influence has being an IT security professional had on your general attitude towards life?
I beat my wife.
What helps you stay out of pessimism and cynicism?
Beer.
Is protecting existing things really as good as building new ones?
No, not really.
Sorry, am I being too negative here?
The higher the technology, the sharper that two-edged sword.
ah: number of happy IT Security Professionals
au: number of unhappy IT Security Professionals
bh: number of happy non-IT-Security Professionals
bu: number of unhappy non-IT-Security Professionals
The answer is yes if au/(au+ah) > bu/(bu+bh)
You're performing a vital function for your job that's just as important as building something from scratch. Rather than seeing yourself as someone who points out your coworkers' mistakes, see your role as one in which you make your coworkers better. Maybe you don't feel like you're part of a creative process but by investigating flaws and improving the product, you have a lot of positive influence. It sounds corny but if you're good at what you do, then there's no reason to feel bad.
Infosec is also less likely to be taken over by offshore guest workers. Or, at least, I would think so.
So, unlike every other US IT worker, you won't be training your replacement within two years. I guess that's something to be happy about.
Hasn't it been fairly well established that more intelligent people are less likely to be happy in general? Being good at IT security (and not just an appliance operator, trained to run a few tools and read the generated reports) requires a fair amount of creative thinking and intelligence. I've worked in the field in the past, and I don't think it's specifically the adversarial mindset that causes unhappiness. I actually had a lot of fun doing that stuff - at least, when my work was appreciated by those I was advising and I wasn't seen as an interloper. That depends more on people skills, both on the working level and in management.
On the other hand, for the last few years I've worked on projects that are ostensibly for the public good, ensuring safe water supplies and such, but I've been rather unhappy with it. Why? Because the company I was working for was far better at securing grants and government contracts than at building anything useful and actually putting it to use beyond carefully controlled tests and demos. I came to realize that nothing I ever did there would ever really matter.
Since then I've been self-employed, doing ten times as much work but I'm happier.
It's a thankless job.
Think about it, you have to constantly deal with user mistakes or quite often the mistakes of others and correct them. By correcting someone's mistake you are showing them their faults, not generally a good idea if you want people to be nice to you.
Therefore you end up with user aggression towards the people who provide their computer support.
And when it's the fault of faulty hardware they blame you, you can't win.
I believe the answer was posed in the question itself - that anyone in the security field should spend equal amounts of time protecting and building systems. It may not always be possible, but being able to create something beneficial to all parties involved really helped to alleviate the stigma of "the network security G-Man."
Wouldn't cops and military personnel also be extremely unhappy as well, based on this?
Wouldn't people who work in demolitions, tearing down buildings, be very unhappy?
Wouldn't this mean that anyone working in a job that had a potential negative impact on others, also be very unhappy? I mean with gas prices what they are, isn't the guy working at the gas station feeling miserable, because people hate paying as much as they are for gas, and he is the front-line representative seeing these reactions?
"I love deadlines. I love the whooshing sound they make as they fly by." -D. Adams
*sob* Can't post, sobbing. *sob*
The days of the digital watch are numbered.
Perhaps you had an inherently cynical and pessimistic nature to begin with, and that is what attracted you to your profession?
Sometimes it can be subtle. Try digging for clues earlier in your life.
If you say you're happy, then why question that?
All I know is that when I worked with mainframes there was no such job classification as "security professional" unless you count the people in charge of guarding the building.
When one mainframe needed to communicate with another we did so over leased lines, and the notion of receiving an executable from another mainframe and running it automatically I don't think would have ever occurred to anyone.
While you might conclude that having a powerful computer on everyone's desktop makes the security exposures we have today inevitable, I don't think it necessarily follows from that that enterprise computing should be as vulnerable as it has gotten. Obviously the "PC revolution" has not resulted in economies of scale, quite the opposite. How many orders of magnitude has growth in enterprise IT gone through? I guarantee you right here on Slashdot there are people who see no problem in downloading large chunks of sensitive data to a machine (even a laptop) outside the data center, for either temporary fiddling, local cache, or whatever and then (if the machine hasn't gotten lost or broken) uploading it to the corporate database overlaying intermediate transactions.
I talk to people working in these environments quite frequently who just don't have a clue. Someone in your job has to not only constantly try and stay a jump ahead of crackers (not hackers!) but also fight with people who are supposed to be on your side about how rules you impose keep them from getting their job done (or so they think). Our profession has been considerably dumbed down in my opinion by the advent of desktop computing. There is no solution in sight. That's why I would find a job like yours unappealing.
It breaks my heart when I have to tell a penetration tester that he's mistyped "penetration". ;)
We adapt our lives according to what we need to do for living. We train our brains and our bodies for the profession we have chosen. For example a mathematician will evolve his logic part of the brain and a model will evolve the muscles of his body...
Ever to excel
I've run into people like that, they're the ones who applaud "security theatre" solutions like Vista's UAC, but I wouldn't call them "IT Security Professionals".
Security Theater. Is that anything like Dinner Theater? It sounds fun!
Sometimes the 'security mindset' gets silly. I often find our security team thinks they're being paranoid for the good of the company when the truth is they're being a roadblock for the sake of being a roadblock. Or more frightening, to cover up their ignorance or to short-cut understanding the application they're trying to secure.
In this regard, they likely are miserable people but frankly, you should have people in your security department that are jazzed about IT and security. Not someone who flipped a quarter between CPA and IT professional.
you need to get a different job
Gardening is hot, sweaty, sometimes backbreaking work. If you've got any allergies, you'll be sneezing and/or blistered all the time. If you slack off a bit, your work for a season or more is wasted. And you've still got security threats, in the form of rodents, ruminants, insects, and the slower but more tenacious weeds.
IMO, the security mindset as described in that article won't hurt you. What will hurt you is trying to counter the threats that mindset helps you find. By locking everything down and distrusting everyone, you make your co-workers your enemy. You also stop them from getting work done, making management (except for whoever security's patron on the board is) your enemy too. Who wants to do a job which makes everyone hate you, and for good reason? Leave it to the less competent. Or find a place where that level of security is both appropriate and understood by all, like a bank or the IRS or developing country's nuclear weapons pro... err, skip that last
Every job involves looking at positive and negative sides, not only IT professionals.
If you look at a cop's job, the bad thing is he/she has to sometimes think like a criminal in order to catch one.
If a boxer wants, he has to look at his opponent and examine the negative points in order to capitalize on them. Same goes with other sports people and professions.
Nobody is less or more happy. Move an IT professional to a different career path and he'll be complaining about that as well (yeah, my former IT colleagues cry about their new jobs ALL THE TIME).
slashdot rocks
Part of it comes from PHBs who don't get it and force non-working software and security rules on you.
I totally concur with the poster - I often point out to people (before being rude about the security blunders in their system designs) that my input often seems negative and unconstructive, but that's because whilst everyone else in the company is thinking about how to make stuff work it's my job to figure out how it can be broken. I should add that this is outside the US and in theory I get five weeks' paid holiday a year; in practice they tend to be "catch up on the literature" study breaks. But the biggest single source of stress is being perfectly well aware that there are dozens of catastrophic security-related events that could happen which would cost us lots of customers, lots of revenue, and make me the most unpopular person in the company, but there's nothing much I can do about it, except make sure I put my warnings and concerns on the record, and keep an encrypted offsite backup.
Despite all that, though, I actually really enjoy my job - partly because virtually everything I do is making a significant difference (starting from a low base, see...) I can also pick and choose, to some extent, because there's far too much to do it all so - why not do the low-hanging fruit stuff first?
It sounds like we have very similar jobs and my mindset is also as distrusting and cynical as you describe and that causes me to get a bit down at times. It's different from a lot of other (certainly IT) jobs as you are dealing with the downside and worst-case scenarios all of the time.
The trick is to turn it around, concentrate on the benefits of what you are doing and the way it affects other people. The first thing you must do is set up a good relationship with your client so that they understand that you are not there to judge them, but to help them improve and protect themselves as much as possible. We've all struggled for hours over some problem (system design, sysadmin stuff, coding etc.) and then someone uninvolved comes along and spots the problem straight away. You are that someone else, that other perspective. Some sysadmins regard their systems as though they are their baby. You are the doctor giving the baby a checkup and spotting the early symptoms of a disease that is easily treatable.
Once you get the client in that mindset, having to point out multiple significant problems becomes easier for both parties.
Sometimes you do have to do a demolition job on something that someone has spent many hard hours on, or you accidentally bring a large portion of a network to a stand-still (etc. etc.) it's not a nice thing to do, until you realise that the client will be ecstatic in comparison to how they would be feeling if a black-hat did the same thing maliciously.
You have to deal with worst-case situations, so the client can be fully prepared for what is coming, you go through all the shit so that they don't get worse later on. It's usually a thankless task, but I can at least feel good that someone is far less likely to get hit because of the work I am doing.
And that's not even touching on the really great parts of the job, the real intellectual challenges therein and the fact that no other field requires such a breadth of knowledge and experience - absolutely everything is relevant in the security field as you don't know what risks are there until you've looked.
I work in a large IT department (5000+), and our Security area has the hardest time keeping good people of any area in the department. Most people that have transitioned to another area have told me that they were "sick of being assholes" or feeling forced to hold back opinions that differed from the tenet that most employees are intentionally trying to hack internal systems and implement non-secure code.
I have no statistical basis for this of course, and the state in my company could simply be due to overbearing pricks managing the security area. But professionals in other fields in which people have a duty to seek out others based on suspicious activity -- police officers, IRS agents, etc. -- often convey similar thoughts.
To oversimplify: focusing on the bad in everyone will slowly wear you down.
Even if I'm very underpaid. But I know that this profession is not a good future investment. Your mind gets somewhat tainted: Some ex-coworkers have been fired from programming work because they can't stop pointing at security bugs in people's work.
You would think that they will be glad that you are helping, but in fact, people get mad at you.
I know a guy in IT security. He's generally a happy person, with a good family life to keep him busy. He plays horn with a band, with practice keeping him busy several times a week. He says that's what keeps him sane.
The Spoon
Updated 6/28/2011
If you are in IT at all you tend to be less happy.
---- Booth was a patriot ----
This is Slashdot, so my comments won't be popular here:
Get a wife or a girlfriend and be *her* penetration tester. You might find a new joy in bringing your work home!
The mention of gardening brought to mind section 5 of the alt.sysadmin.recovery FAQ. Well worth a read.
"I bless every day that I continue to live, for every day is pure profit."
As an auditor I search for errors that others have made and haughtily tell them.
It's possible InfoSec is not the thing making you unhappy; maybe you're just a dick.
When I was a kid, we only had one Darth.
As a security pro, it is your job to protect existing computing assets, but the question of personal happiness is not an unreasonable thing to ask in regards to your overall career.
Computer security seems almost hopeless some days. Viruses, bots, hacks and the like... Helplessly watch as some assholes overseas rally up a monster botnet in less than a month because regular folks are too dumb not to click on the latest meme? It's like watching lemmings go off a cliff. Security researcher has to be one of the worst jobs in IT. Most people don't even know what they do, let alone why what they do is so important.
I work as a professional desktop technician so I spend a fair bit of time dealing with security problems, viruses, patches, malware, etc... I rely on security pros to do my job. Some days are trying. There are these days, after wiping off the X-badmofo.worm.32.whatever of the week you get to asking yourself, "Why do it? Why go on? It's only one computer. It will be the same next week."
So then you tell yourself that you have to, you _must_ do it, you're the front line, your skillz are great and if you don't do it, who the hell else will? A few belts of whiskey and some video games make the doubts go away in the evening.
But the next day it's still the same. Some jerk is infected with a trojan, someone else has a pop-up storm, "I'm getting so many spams!". OH NOES NOT THE SPAM!!! The deal is the same and it never gets better. You might as well be working in a factory making cars, what for all the repetition.
If that is how your IT job is making you feel, then it is time to get a new job. Not everyone is wired to endure the kind of crap that computer people have to deal with day to day.
There is no shame in wanting to be gardener. At least they don't get spam.
Bibo Ergo Sum.
The security mindset can definitely do long term harm, in my opinion, assuming you're not careful that is. In order to be really good at it you need to be thinking about new potential exploits all the time, and it's really easy to let that rub off in your ordinary life.
I started seeing trivial security holes everywhere... everything from what's wrong with security labels, and tabs, on food products, and "tamper-proof" pharmacy jars to flaws in ATM vestibule security... you name it.
Honestly I kind of started developing mini-phobias or something about things like, take the security labels on food items. Let's look at a plastic mustard dispenser. Underneath the screw on top it comes with a little tab that you rip off, and somehow this keeps it safe from tampering during the period between when the manufacturer creates the product and when you purchase it.
It's absolute nonsense, and does NOTHING to stop anyone from doing anything to the contents of the mustard dispenser. Should someone want to insert a harmful substance into the bottle it could still be done with a very thin needle. It's really there just to appease the masses into thinking the product is somehow made "safe" by the introduction of that little security tab.
So I think about that, then I start to think... oh man, even my mustard's not safe, what if someone did something to it!?!?
It's ridiculous, and completely irrational. I don't think in the history of the modern food distribution system has anything ever happened to anyone's mustard. We all hear horror stories about Halloween candy, and over the counter medicine but I think in large part that stuff is all urban legend.
I think absolutely, yes the security mindset can cause mental health problems, in minor ways for some, and for others who are more prone to thinking negative thoughts perhaps in major ways.
The key, I think, with the security profession is that in order to stay on top of the game you need to always be thinking about how the next attack could arrive. Criminals are creative, and so must be the security people as well. In training your mind to think this way I can see how people would find it easy to become unhappy in other areas of life too.
I no longer do security work, but it's not because of finding it difficult to keep that work / life balance alive (I just got another better opportunity in a different sector). Still to this day I have some lingering security thoughts about things, but all I can do is try to think logically about them.
Just because something is insecure that doesn't mean it's worth worrying about. There's a big incentive for criminals to find any way possible to gain access to a sensitive or desirable computer system, but there's very little gain in tampering with a bottle of mustard ;).
As you stated in your question, it sounds more like you're starting to see the pessimistic side of things everywhere. Everyone's a potential threat. I think no matter what it is it's a similar expression of the same issue: security people get paid to do nothing but worry.
It's not a totally correct analogy, but I think it serves well enough. Now that I'm out of the security business I am pretty thankful. I never realized how much of a burden it was until it was gone. The less time I spend thinking about potential security holes the better I feel in general :). I think it's safe to say security pro just isn't the job for me... perhaps others are made for it.
Seriously though I don't know how people do it. How DO you do that job and not immediately size up threats? How do you not instantly look for the gaping security hole in the access panel on the ATM you're using? How do policemen not become jaded and see the potential crime in every situation?
I think some people don't... they do become jaded. But others, the ones who stay happy, they just fight through it. I honestly think it's a choice. You are in control of your mind, and you choose what you le
I don't know. In many ways, "security" is never anything more than putting up deterrents to crime. The more of them you implement, the more you create inconveniences for YOURSELF, in the process. It never really ensures the PREVENTION of a crime.
In "traditional" security scenarios, I think people have found a balance they're content with in most cases. (EG. If I want to secure my house against a break-in, I can stick with the "staple items" we universally employ, such as door and window locks. We've pretty much all established that having to find the proper key for one's door to get inside is a minor hassle, vs. the level of crime deterrence it provides. Optionally, people wanting more can buy an alarm system. Much more hassle, expense and inconvenience, but an added layer of protection everyone understands and can opt for or against with a good sense of the pros and cons.)
"Computer security" is largely considered "of little real value" by the public because they (usually CORRECTLY) come to the conclusion that it creates too many impediments to being productive with the computer tools given. I.T. security nazis that demand those "tough to guess" passwords that have to be changed regularly only cause people to have too much trouble signing THEMSELVES in. So to work around this? They start writing the passwords down on things they can easily look at. Problem solved, but security measure largely bypassed.
By the same token, your business can spend thousands and thousands on firewalls and other "network appliances" that all promise to improve security from hackers and outside threats. But one employee can circumvent it ALL with a $50 wireless access point concealed someplace in a drop ceiling, and letting his buddies know they can now get on the LAN from a portable sitting in the parking lot.
I think many people in charge of spending (whether management or other I.T. workers) are realizing that the basics like merely having SOME kind of password required to log in, a basic NAT firewall in place, some anti-virus/spyware package on the workstations, and maybe a spam filtering service on their email is ALL they realistically need. MOST companies just don't have that much on their network that outside hackers even care to access. The most "sensitive" information is usually just of interest to EMPLOYEES of the company (like salary histories of different people?). So let the one dept. that has to handle that data (H.R.) put extra security measures on it, and keep them from inconveniencing everybody else.....
I am a software developer for a large defense contractor and to be honest, our IT security makes my job harder and adds more stress to my life. For instance, all URLs with the letter sequence 'mail' anywhere in them are blocked. All IM is blocked. I understand the need for security but it sucks. So - you make me less happy.
US Customs just outsourced their IT infrastructure design and maintenance to a shop where only 15% of the employees are US citizens.
I keep getting called a racist and a "jingoist" when I point this out, which is hilarious considering half my family are not US citizens, nor by the old Southern rules would I be considered white.
It seems that we are more afraid of paying a living wage than handing the keys to our house over to strangers.
I used to be constantly unhappy on my job until I found a way to vent. Typically I randomly reset someone's passwords, shut down a server for no reason, or throttle down the internet bandwidth. When asked what's going on I just blame a Microsoft patch. Trust me, this is a much better way to get the anger out than trying to horsewhip a user (I tried it, wouldn't recommend it).
More seriously, if the job is getting you down look to change the environment. If another job isn't possible look to transfer to at least another position in the company. Never do something that makes you miserable.
The world isn't run by weapons anymore, or energy, or money. It's run by little ones and zeroes, little bits of data.
I even keep doing it in my spare time.
The question, as someone else points out above, is how you can prove that IT _causes_ depression, or simply whether it _attracts_ people who are inclined to be depressed.
There's a correlation between intelligence and depression as far as I know, so you would really expect in any case a batch of IT professionals (if measured to be more intelligent) to be less happy than a group of construction workers (if measured to be less intelligent).
The only way to really measure this is find a significant group of people who _would have become IT professionals_, and were pretty much on their way to become so, but for freak reasons did not, and rather became gardeners. This is naturally incredibly difficult to find any significant number of, and so the question is also very difficult to answer.
Another way of looking at it, however, would be in terms of working conditions: It might be possible to find some form of correlation between different physical environments and varying degrees of happiness. Someone e.g. working outside, or doing physical work, may on average be happier than someone not doing it, I could suspect (but not prove).
You might also want to consider taking a considerable holiday (in US terms, a week and a half maybe). This might be time enough for your brain to switch out of "work" mode, and feel a bit what life is when you are not like that.
It is one of those professions where you're never done with your job. The industry is inherently uninterested in real security from the get go. Band-aid solutions to things the vendors don't give a crap about aren't a viable solution. It's an endless treadmill that goes nowhere. Some people can get a bit down because of that and the only thing I can think of is for you to change career. Either that or become that grumpy guy who people almost hide from or twitch when he speaks.
I would suggest a job where you can feel that by the end of the day you made some difference. Avoid service and try to get into manufacturing.
It probably isn't the mellowest career, but I think you're mistaking the effect for the cause. The mindset makes the security professional, not the other way around. You can't unlearn this stuff. You've taken a bite from the apple of security consciousness and you've been damned to recognize vulnerabilities where other people see working systems. Most other jobs require a fix-it-when-someone-breaks-it attitude. You couldn't do those jobs. You would either get fired for constantly pointing out risks which your coworkers and bosses are willing and indeed required to ignore or you would develop the familiar disdain for the sloppiness of IT system architects. Might as well get paid for it.
There is a book called Learned Optimism written by a PhD and based on experimental data that talks about how pessimism tends to lead to depression.
However, it also talks about how certain jobs require you to be a pessimist to be good at them (and your kind of IT qualifies). It just means that you need to be a pessimist in your work, but more of an optimist in your life.
It's a good read. I like it because all of the guy's conclusions come from actual experimental data and not namby-pamby new age navel gazing.
If it's something you like doing, then you're probably ok. But you asking the question implies you're not. A lot of folks have mentioned keeping a balance between work and other things to improve things. Good advice. For me, situations came up where I couldn't do that as a lowly sysad. I ended up leaving IT and have been doing completely different jobs for half to a third of the pay I could have been getting. Not a great trade off, but the money I've saved in booze, cigs and probably BP meds has been significant. I'm looking at what's needed to start my own business. Even if it's not tech related, I know I can save some money initially by handling my own IT issues.
"Common sense will be the death of us all"
...then policemen, soldiers, security guards, bodyguards - hell, even doctors - would all be sad people per definitionem, as they all protect people from negative influences.
Good IT security is not about following anybody's agenda but about securing the property. It's like being the night watchman responsible for locking the doors, closing the windows, and being on the lookout for strangers. IT security is not "policing", nor should it be. In my company our guys work hard to keep their jobs non-political. They'll provide facts but not run around snooping on people for the boss. There's a big difference between the two.
I think some folks are going to always be naturally suspicious. In addition to my full time work as a network administrator / engineer for a state agency, I've also worked in the past as a FT Police Officer and now am working as a Reserve Deputy in the county where I reside.
I have always been suspicious. I always notice everything. I enjoyed my FT time as a cop and I enjoy my time on the SO. I enjoy what I do at the state agency I work for. I don't think that my contact with the negative part of society (at the SO) or dealing with idiot users (which sometimes is more difficult than the folks I get to take to jail) spills over into my time away from work.
I think you make your own happiness. When I am away from work I can focus on the negative things I do or deal with, or I can find things that I enjoy or relax me. That doesn't mean you're not aware; we all should be aware no matter what we do. It's more that you don't let the frustrating or negative part of your job overwhelm you. I think that holds true no matter what you do, be it IT, LE, retail, customer service. Every career has negative points in it; it is a matter of what we do in our down time to unwind and blow off steam.
Having said all of that, if you're finding your job is making your personal life unhappy and decompression time / activities are not making that better, you may need to find a different area to work in (not necessarily out of IT, maybe just a different sub-set).
Just my thoughts.
Illiterate? Write for free help!
I think if you have passion for something then you're among the lucky, and certainly the lines blur between my work and my hobbies. Of course, sometimes that can have unexpected results!
No, there is quite a bit of liability involved in IT now. Not properly protecting salary and HR files can be a criminal offense for the company owners.. you have to do it. But you are correct, security is not really about "preventing" wrongdoing, because somebody that wants to get you will. On the other hand one part is to make enough noise that the honest people know you're watching and aren't led astray. The other part is logging and auditing what's going on... just like a physical security guard, to know who belongs and who doesn't, and then be able to prove that in court if you need to.
Good security also keeps people from accidentally messing up your data, and that's the most common and disastrous thing that happens. If you only give people the minimum they need, then when 2 months of TPS reports are missing you have a short list of who had access rather than entire departments, and find out the boss deleted them, not "some hacker". You also keep unqualified people from screwing things up.
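The least-privilege and audit-logging points in the comment above, as an added Python example that is not from the page or from any commenter. It constructs a hypothetical pair of ACLs for the same report share (one granting a whole department delete rights, one restricted to the people who actually produce and archive the reports), plus a few constructed audit-log lines in a made-up key=value format, and shows three things: how much shorter the "who could have done this" list is under least privilege, how the log attributes the deletion to a named account, and how comparing log entries against the ACL flags an action the policy should not have allowed. All names, paths and log lines are constructed for the example.

```python
"""Least privilege shrinks the suspect list; the audit log names the actor.

Constructed example, not from the page: ACLs, users, paths and log lines are
all hypothetical. Real deployments keep the ACL in NTFS DACLs, POSIX groups,
or a share server's own permission store, and the log in the file server's
audit trail.
"""
import re
from typing import Dict, List, Set, Tuple

Permissions = Dict[str, Set[str]]

# Constructed "everyone in the department can do everything" ACL.
BROAD_ACL: Permissions = {
    "alice": {"read", "write", "delete"},
    "bob": {"read", "write", "delete"},
    "carol": {"read", "write", "delete"},
    "dave": {"read", "write", "delete"},   # department head
    "erin": {"read", "write", "delete"},
    "frank": {"read", "write", "delete"},
}

# Constructed least-privilege ACL for the same share.
LEAST_PRIVILEGE_ACL: Permissions = {
    "alice": {"read", "write", "delete"},  # produces the TPS reports
    "bob": {"read"},
    "carol": {"read"},
    "dave": {"read", "delete"},            # department head archives old reports
    "erin": {"read"},
    "frank": {"read"},
}

# Constructed audit log, one key=value line per file operation (hypothetical format).
AUDIT_LOG = """\
2024-03-01T09:12:03Z user=alice action=write path=/reports/tps_2024-01.xlsx
2024-03-01T09:40:17Z user=bob action=read path=/reports/tps_2024-01.xlsx
2024-03-02T11:03:55Z user=alice action=write path=/reports/tps_2024-02.xlsx
2024-03-02T17:55:41Z user=dave action=delete path=/reports/tps_2024-01.xlsx
2024-03-02T17:56:02Z user=dave action=delete path=/reports/tps_2024-02.xlsx
2024-03-03T08:15:09Z user=carol action=read path=/reports/tps_2024-02.xlsx
2024-03-03T12:20:30Z user=frank action=write path=/reports/tps_2024-02.xlsx
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)$"
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the constructed log; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def shortlist(acl: Permissions, permission: str) -> List[str]:
    """Principals holding `permission`: the suspect list if no log existed."""
    return sorted(user for user, perms in acl.items() if permission in perms)


def attribute(entries: List[Dict[str, str]], action: str,
              path_prefix: str) -> List[Tuple[str, str, str]]:
    """Log entries performing `action` under `path_prefix`, as (ts, user, path)."""
    return [(e["ts"], e["user"], e["path"]) for e in entries
            if e["action"] == action and e["path"].startswith(path_prefix)]


def policy_violations(acl: Permissions,
                      entries: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Entries whose actor lacks the permission in `acl`.

    A non-empty result means the logged activity does not match the intended
    policy (the ACL was not actually enforced, or drifted from what was written
    down), which is worth investigating on its own.
    """
    return [(e["ts"], e["user"], e["action"]) for e in entries
            if e["action"] not in acl.get(e["user"], set())]


if __name__ == "__main__":
    entries = parse_log(AUDIT_LOG)
    print("could delete (broad ACL):     ", shortlist(BROAD_ACL, "delete"))
    print("could delete (least privilege):", shortlist(LEAST_PRIVILEGE_ACL, "delete"))
    print("deletions under /reports/:     ", attribute(entries, "delete", "/reports/"))
    print("actions outside least-privilege policy:",
          policy_violations(LEAST_PRIVILEGE_ACL, entries))
```

Under the broad ACL every one of the six accounts could have removed the reports; under the least-privilege ACL the list is two names, and the log settles it by naming the account that issued the deletes. The final check is the converse use of the same log: an operation the written policy does not permit showing up in the trail means the policy and the enforcement have diverged.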
Treat your IT job as gardening. Instead of thinking how to prevent the attack think of preventing all but legitimate use. The attack vectors possible for a malicious agent are far more numerable than the legitimate uses. Encourage the growth of legitimate uses, prune illegitimate uses, and weed out malicious attacks. Allow your mind to shift freely between attacker and user and do not dwell any one place too long.
Gardeners have stress too. It's just over a much longer term. They have cycles of nurturing and cycles of reaping. A gardener and a farmer know they cannot control nature; she has a mind of her own. Instead the gardener tries to coax nature in the right direction.
It's an issue of attitude in control and the illusions of control. The gardener knows better than to assume that they control the garden. The security professional should be likewise. Having plans, and backup plans. Cuttings and transplant beds. All in preparation for the inevitable blight or crop failure. I'm sure gardeners spend time "thinking" like snakes to be sure that they don't get a predator in their garden.
It's false to assume nature is understood or controlled better than the wild server room. Instead, see that server rooms and gardens are the same wild forests of emergent chaos brought under tentative control.
The gardener and the farmer do battle with aphids, ants, mole crickets and other pests just as the security professional does battle with attacks by worms and viruses. Both professions have their malicious vermin and the gardener of a public garden has to deal with users just as a security professional does. I'd say the professions are ironically similar.
I'm sure the gardener of a private garden is far less stressed than the gardener of a public garden. I'm sure an IT security professional guarding over a small server farm has less stress than the one watching over a large and heavily traveled network. The problems multiply with the size of the network or garden.
The happy gardener is probably wiser and has given up the illusion of control where appropriate, knows how to deal with failures, learns from mistakes, and focuses on the positive results of a blooming garden. It's sad that most IT professionals only get the spotlight when things go horribly wrong. There should be a change in the culture of businesses that instead celebrate the competent professional, not the one that cleverly gets out of being caught with their pants down.
Find ways for yourself to take pride in a flourishing network with more and more users having positive and safe experiences in your server garden. No snakes here. Find ways to show your manager blooming trees of files growing in beds of NAS servers. Help them to stop and smell the Rational Rose, or the Blooming Alfresco server.
If a snake got in, plug the hole, learn from it, and realize even the best gardeners occasionally get a snake or two in their garden. When that happens have a cursed apple for the blighter to bite down on... or a honey pot for them to fall into. It's all a matter of attitude. Nobody has the market cornered on bliss.
What we are beginning to understand is that high levels of concentration-learning are not what the brain is designed to do. The very reason that we see teens and others fighting learning is that it causes a certain type of brain disability. That built in limit is something that schools and others try to teach us to ignore.
The proof is in savants that are aided by modern medicine. As their disabilities are cured their extraordinary abilities start to vanish.
You can make out the loss of functions in the typical "sophomoric" young person who becomes a social basket case as they struggle to learn in college.
The funny thing about the "security mindset" common among IT people is that it doesn't even work. IT security managers are like fundamentalist Christians, dividing the world into "bad" and "good" and trying to stamp out all the "bad" stuff. What they should be doing instead is thinking about harm reduction and communications.
Yes, you are. I suggest smoking more weed and drinking less beer^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H. It helps.
You're absolutely correct sir!
You see, one of the side effects of weed is paranoia. And I can't think of anything better than increasing paranoia in a security professional.
Weed for IT security folks should be a job requirement - paid for by the company!
Part of it comes from PHBs who don't get it and force non-working software and security rules on you.
Those same PHBs have software and rules forced on them by their PHBs and they are tasked with implementing them. It's your job to help them. Either you do it with no questions asked, or you need to convince them that some alternative is better. If you can't do either, you aren't doing your job.
Let me explain it with a chart...
http://www.princeton.edu/~jchui/stuff/happiness_vs_intelligence.jpg
Or a cellphone with a USB cable. 5 minutes searching the web (from home) gives the required driver, and dial-up networking settings. Considering our IT policy forbids network access not provided by the company. They supplied the cell phone, cable, laptop, so all I needed was a driver (not the easiest thing to sneak in without admin rights, may require a boot disk, etc.)
And to the person who is taking the time to moderate this down, you are fucking loser too. Just look at yourself. You're moderating this comment on slashdot. You fucking loser. Fuck you. Nobody goes on slashdot anymore anyway.
Are doctors unhappy too, then? Since they see problems constantly? What about the fact that we're in infosec to fix problems?
It seems to me like you've already started with the wrong perspective---already focusing on the negative.
It all comes down to the people you work with. Do they listen? Do they improve their organizations based on what you tell them? If so, then finding problems is a good thing. If not, then finding problems is a bad thing because it just adds to the list of things that will never be fixed.
Make the requisite changes so that you'll be listened to. This may mean changing positions, companies, or elevating your game, or all of the above. But when you get there the whole game will change.
dmiessler.com -- grep understanding knowledge
In the beginning, I had a sense of smug superiority about my knowledge and prowess, and I used to get quite miffed when people didn't 'get it' about security, didn't spend the time to learn, staff, fund, or operate good security practices.
But over time, I came to realize that my role is to advise, assist and educate, not to adopt an adversarial role, to beat people over the head with mistakes.
You have to remember, you're no better than anyone else. Just because you have license to go through someone's dirty laundry, doesn't mean you have to throw it in their faces. If you adopt a more cooperative tone, and look to work with the client to solve their security issues, it is far more likely that your recommendations will ultimately be followed:
As an auditor I search for errors that others have made and document them, explain the impact, and provide suggested remediation.
As a penetration tester I break systems that system engineers and administrators have laboriously built, and work with them to find and integrate compensating controls.
I am watchful for inside threats and helped implement solutions that can help detect them rather than spending all my time being professionally suspicious.
There, fixed that for you.
Driving to lunch one day with a car load of people, someone asked me if I am constantly frustrated because when it comes to security, no one ever listens, or gets it. I said: not really, because (as Schneier says) humans make terrible risk decisions. For example, there is an overwhelming amount of evidence which says seat belts save lives, yet how many people fail to put on their seat belts every single day?
Shortly thereafter I heard several clicks as some very smart, very rational people surreptitiously put on their seatbelts.
...and I don't know what the answer is.
Anything that involves looking below the surface, wondering whether things are what they seem, and taking a critical attitude toward things will put you out of step with the mainstream of humankind. Most people never get beyond choosing sides and rooting for "their" team, be it sports, products, or ideologies.
It is stressful to be out of the mainstream, and to some extent it is not healthy. On the other hand, believing in things that aren't so isn't good for you, either.
I suspect happiness is mostly governed by kind of internal psychological homeostasis mechanisms, and some people are just naturally Eeyores. If you are, try to "keep an even strain" and maintain a "state of flow" and try to lean in a cheerful direction to counteract your own natural balance.
Someone at a meeting starting talking to me about "PMA" (Positive Mental Attitude) and how everyone needed to have one. I replied that pessimism had served me very well in the past, and that I had had complete faith it would do well for me in the future.
It's OK for it to bother you that other people think two and two make five. When it gets to the point that it bothers you that you think two and two make four, then it's time to take some kind of action.
"How to Do Nothing," kids activities, back in print!
...all the happiest (Or at least the 'least frustrated') IT professionals are BOFH. :3
Since you usually have to deal with clueless asshats at one time or another regardless of what you're doing...the true path to happiness involves linking someone's home directory to /dev/null
You know I'm right.
Friend: "The NIC is misconfigured..." Me: "No prob, I'll just telnet in and fix it." *Silence*
"I search for errors that others have made and haughtily tell them. As a penetraion"
that's penetration, you fool.
I now wonder if my job has a negative influence on my happiness, because it constantly teaches me to focus on the negative side of life:
As do many other professionals. Lawyers deal with criminals (or ex-wives), doctors deal with sick people, engineers deal with structural or systems failures.
You want to stay awake nights? Think of whether that widget you designed for the 787 can be installed backwards by some third-world aircraft mechanic holding the diagram sideways.
Thank goodness we sent all that engineering work to Moscow. Vodka makes the problems look more manageable.
Have gnu, will travel.
A few points:
I have come to think it is mass marketing and advertising that really makes people unhappy; the goal is to make people want some consumerish things - people go into debt and feel stressed from that; if they resist the advertising they feel stress from the fact that they are not conforming - at least from the image of conforming that modern advertising presents.
There was a study some years ago that showed the Amish were the happiest people in America. I'd bet the main reason is that they are pretty much isolated from the attacks of advertisers on their psyche.
The best security consultant I met was not a super geek able to hack my Checkpoint installation. He was a very kind, easy going guy, who started by explaining that absolute security was impossible. He asked the management what was the most important stuff to protect, and against whom. In a single meeting, less than one hour, he understood our business and our needs, and instead of freaking the management out with catastrophe scenarios, he built a security architecture in layers around our most valuable assets.
He did not try to draw suspicion on employees at large. He asked simple questions like: what if an employee in such a position is not as competent or as honest as you thought, or what if an employee in this other position starts having problems at home and this leads him to lower his standards at work? Or what if this key employee was injured and could not even communicate with his replacement for weeks?
Other good questions he asked: did you see the graffiti in the parking lot? (yes). Do you think the company or someone here was directly targeted? (No). Then why did someone make this graffiti? (Because he had a can of spray and too much time). Anybody here has a teenager at home with unsupervised access to high-speed internet? (Silence). Anybody here has a teenager at home with unsupervised access to the computer where you have your VPN client installed? (More silence).
In the end that guy provided us with an excellent audit, and a very cost-effective implementation plan for a security upgrade. I don't think he left the building feeling bad for his pessimism; instead I am pretty sure he left with a smile, knowing he helped his customers to get what they needed. Maybe the NSA or some expert hacker can find a backdoor in some obscure network appliance, but our biggest concerns, getting our product specifications stolen by the competition or our CRM database plundered by a disgruntled employee, are not gonna happen.
lucm, indeed.
Having been in the field for years, I agree that most of us are less happy than Joe Average. But correlation does not causation make. Are we unhappy because we're IT Security people, or are we IT security people because we're unhappy? Or is a third variable causing both?
My guess is on the third. As an IT security guy, you need a certain mindset, one that doesn't exactly lead to happiness. "Ignorance is bliss", remember? If you're a critical person, one that looks for flaws, one that goes around constantly wondering "what could go wrong?", for whom "good enough" isn't - that and other things like it are good pre-conditions for IT security people, and bad pre-conditions if you're looking for happiness.
Assorted stuff I do sometimes: Lemuria.org
Let me say that yes, none of the OP's reaction is new. However you're wrong when you say that you can simply "punch out", at least in policing.
The constant search for threats and hypervigilance have a psychological effect that carries over into your private life. After 10 or 12 hours on duty in this heightened state often the last thing you want to do when you get home is engage another person. It's hard on personal relationships, especially when your close relations don't understand the psychological mechanisms taking place. Children seldom understand why all mom or dad wants to do when he/she gets home is sit in front of the TV or just be alone for a while.
Now, IT security is a little different. But not that much. In policing you constantly deal with the 5% of the population (and it's usually the same people over and over again) all of whom are intent on harming you or someone else. You're conditioned to be wary and you can't trust people if you want to remain safe. This mistrust spills over into your dealings with the 95% of the population who are decent, earning you a reputation as an asshole. It's hard not to become cynical and view everyone around you as a waste of skin. All of this has an effect on your self image if you're not able to separate your "self" from the job you're hired to do. Not everyone is cut out for this sort of thing, and perhaps the OP isn't...
To the OP: Consider that while you may be good at your job your talents are also applicable to other fields and that perhaps IT security isn't for you. There's no shame in recognizing this and moving on. At the end of the day the people who care for you are more important than your job, and you're shortchanging them by bringing your work home in increased pessimism, cynicism and depression.
I hope you don't do this in person. Bad things happen when you do.
You might find a new joy in bringing your work home!
Your underlying assumption, that we here on slashdot want sex a lot, is true, but then why on earth would you use a woman as a penetration test subject? Your job is to prevent penetration!
Okay, a few things here:
1> Your happiness in general shouldn't be based on your job. Sometimes people take shitty jobs because they need to pay the bills. You think people like cleaning toilets or hauling garbage? Some might, but I suspect most don't really care for it. And yet, I know a lot of people who have shitty jobs but very happy lives. They just learn not to let their job get them down and they learn to make the most of their time outside their job.
2> That said, if you have the option, you should get a job that brings you pleasure, 'cause it's worth more than money. After all, you're probably spending most of your waking hours doing your job.
My general impression in IT (not necessarily security), is that the people who do it because they truly enjoy IT, are the ones who are going to be happiest in their jobs. On the other hand, people who go into it only for the money, tend to be the most miserable, unhappy people in IT. It's not just that they may not like it to begin with. They probably liked aspects when they got into it. But working in IT can be more trying than other jobs if you're not into it.
Most jobs (and not all, obviously), don't require you to constantly stay on top of a very quickly evolving subject matter. Let's face it, once you know accounting for example, you're done. It's not like it's a fast paced field with lots of changing ideas and innovation. The same can be said for most other fields. Obviously most technology related fields are this way. Medicine as well, but largely due to advances in technology and its effect on biology and biochemistry research.
To be good in tech, you have to stay on top of things and a lot of times, you have to do that outside your job as well as in your job. If you don't love it, or at least like it quite a bit, trying to keep pace with it can be incredibly frustrating.
Anyway, just my $0.02
I guess this could be split up into different groups -- IT professionals vs. IT security professionals.
IT professionals, unless they work in a particularly good situation, often deal with a lot of job dissatisfaction. They do a lot of behind-the-scenes work that no one ever sees, but is necessary to keep things up and running.
However, I'm friends with our security team, and they do deal with a lot more than the average IT person. First, they're constantly helping our legal department conduct investigations into whatever illegal thing one of our employees did. Second, they're always the ones right in the crosshairs when a system breach occurs. Third, they're universally hated. Whenever they enforce a requirement (no flash media devices, stronger password policies, etc.) it's always a hassle. No one ever says, "What a great job the security department is doing."
I've heard a lot of security people look at some of the crazy exploits that are out there and lament that people have way too much time on their hands. I agree with that one...
I think it's sort of like being a cop or an ER doctor. Both pay relatively well, but you're constantly dealing with the worst side of people.
until *you* are not happy.
Depends on if
- If your company allows you to do your job.
- If you are provided with the resources you need to do your job
- If you can make a difference (and feel as though you can)
I have worked in enterprises where I was a simple task monkey not having the ability to influence real change with little management buy-in and I was extremely unhappy. Now I work for an enterprise doing security and they have provided me with the tools to do my job with the ability to actually improve process/procedures including education. In my case I'm happy but it wasn't always this way.
Believe me, if I started murdering people, there would be none of you left.
YOU'RE NOT YOUR JOB. You're not how much money you have in the bank. You're not the car you drive. You're not the contents of your wallet. You're not your ****** khakis. You're the all-singing, all-dancing crap of the world.
The only thing that really matters is what you'll think about it when you're on your deathbed, about to die. Will you look back and think "I'm glad I did that with those years"? Or will you think "what a waste"?
If you've got a compelling reason to keep doing something you're not happy about, then you just have to handle it. If not, then give it the boot and do something you will be happy about.
Life's far too short to waste it doing a crap job that makes you miserable.
As the saying goes: "Damned if you do, damned if you don't."
If you don't point out the mistakes, then you're the one who gets blamed when there is (inevitably) a security breach.
If you do point out the mistakes, you've irritated and embarrassed the user -- and, possibly, forced them into doing something they don't want to.
Which means, assuming you never make a mistake, the only kind of feedback you'll ever get is negative -- that you were annoying, or that you failed -- never positive. (Compare this to, at the very least, a sysadmin -- bring up a new service, and you get to be a hero, at least for awhile. But nobody ever sees an attack that failed.)
Don't thank God, thank a doctor!
I've been working in InfoSec for around 5 years. Early on in my career I have to say that it really did get me down. When you see the same mistakes repeating themselves being the cause of numerous hacks - it's almost never some well crafted, tailored attack. It's always the same:
E.g. Retard user refused to change the passwords to something reasonable, never applied basic hardening, never configured their firewall, never patched the server, etc.
You escalate the risks to the business and the business doesn't care. You're astonished at the lack of concern. You wonder how businesses can operate. You wonder if it's like this in other businesses (most of the time it is).
That's the frustrating bit. And you just have to live with it if you're working in InfoSec.
Over time, I've come to accept that anything I do is better than nothing and that each day in the office I hopefully leave my place of employment that little bit better than when I came in. I am passionate about my work. I enjoy straddling both the business and IT sides of the fence. I always look for ways to improve myself - how to better present risk to the business (that skill really helps), how to build allies in an organisation, how to communicate better, how to stay abreast of new threats, keeping my tech skills sharp and relevant, etc. I certainly wouldn't recommend this work for someone that isn't passionate about it. It's certainly not for those that want the praise from their superiors and the respect of their peers.
The mindset of consistently looking for fault can get to you. My partner calls me paranoid about some things, whether it's leaving doors unlocked or shredding personal papers, but she understands it is more of a lifestyle for someone in our profession than it is paranoia. I can live with that.
The one thing that really shits me about the work is this: There is never any kudos for our work. Ever.
You watch as the fucking Marketing schmucks and Producers (the same people who expose the business to numerous risks for some really dodgy website or bypassing due process to get the site online) bring home awards while InfoSec gets nothing.
The best case scenario in InfoSec is this: nothing happens. God forbid an incident breaks out, you're certainly not thanked for your involvement, for responding to the after hours calls, etc. Everyone just expects you to do it.
InfoSec in many ways is like being a janitor - a dirty thankless task that someone has to do. But on a more positive note, at least the world will always need janitors.
Dude, I thought I saw a link in your sig, but then I realized that there is no spoon.
I've also worked in jobs where assuming everyone was out to get you was a requirement.
This served me in good stead years later, when a lying back-stabbing b@st@rd of a workmate sabotaged the system in an attempt to make me look bad, I had all the logs I needed to prove what he'd done.
Saved my job, and nailing the b@st@rd with the evidence in front of his boss gave me great satisfaction.
Quidquid Latine dictum sit, altum videtur (anything said in Latin sounds important)
I've worked in infosec for nearly a decade and it certainly takes a toll. The most stressful situations, by far, are internal investigations and legal proceedings. Unfortunately, I believe the inevitability of these situations is just a byproduct of human nature -- the fact that computers were used is many times incidental. I've seen eye-opening security situations over the years, even some from individuals that I never would have guessed possible. Despite the incredible stress these situations can present, having the support of senior management, legal counsel, family, friends, and good beer has helped tremendously in my long-term attitude.
You mentioned you're a consultant. Have you considered taking a role to stay with an organization on a more permanent basis? It has been very rewarding for me to look back through my strategic accomplishments over the years. Despite the ever-increasing, disproportionate workload in security I can clearly show progress and in the end that helps give me perspective.
And those freaking retarded Novell logins that so often prevent anybody from logging in... unless you call the IT department to come and fix it. Or workers not being able to install typical software on their own machines, or perform routine updates. Most corporate IT departments appear to be scams designed to ensure their own longevity and profits via meaningless busywork, not to help workers be productive.
... and then they built the supercollider.
I know a billion reasons why my company, or any company for that matter, could just collapse.
Having a big list of DR firesale events, for instance, isn't fuel for a cheery attitude.
Luckily, I'm not usually affected by stress - I'm more of a 'carrier' :-)
I've worked in IT Security for 15 years.. after doing all the scary risk assessment stuff I focus on helping my clients fix things. I see myself as a business enabler and not a prophet of doom. It also helps to take a few risks every now and again... I find riding a motorbike fits the bill... yes I have a hacker mentality and spot holes in all sorts of things, but I just laugh (often at myself for being sad enough to spot it)...life's too short to worry about everything
Programming is the same way: you have to anticipate things that can go wrong or else your app is buggy or unreliable. It thus makes one cynical in a way.
Table-ized A.I.
If you actually think it's a good idea to allow most workers to install software on their Windows boxen you have never run a serious Windows network.
You have to recognize some groups of people like developers, engineers, most of the IT department itself, and a certain range of executive types probably need to have some control and access to their own systems. If you don't they will be calling every hour. You will get tired of it and they will get tired of it. They need to do that to be productive. Then there is that other group ( most office workers ) who have no business whatsoever installing or modifying their machines beyond moving the shortcuts to their favored corner of the desktop. You lock them out so they are not calling every hour. If you have 300 customer service people you don't want them installing Magic Cursors 10, Fun E-mail Stationary 6, Son of Bonzi Buddy. Experience has taught me if you don't make it impossible to do so they will.
Some of the Google apps have been really bad as well. We have discovered snips of confidential documents in Google searches as a result. Nothing too sensitive thank goodness, and no way to access the document as a whole, but I had to blacklist all the Google Toolbar and Desktop Search stuff.
If you don't enjoy what you do. If you aren't enjoying the chase and the finding of security holes. If it makes you crazy or think it might make you crazy. If your professional "paranoia" is causing you emotional/mental issues... then you are in the wrong line of work. The best IT security professionals enjoy all of that, so it does not cause them problems outside of work.
That can really be applied to any line of work. Any job that causes those sorts of things makes you "less" happy than others in a line of work they enjoy.
I dunno about anyone else, but the love of computers that got me into this field didn't last more than a year or two into my now-20-year-career... it's gotten to the point where I hardly turn on my computer(s) at home unless I have to do something - for someone else! When you only ever see computers failing (I'm in I.T. and programming) it's hard to remember what they're like when they work properly.
In fact I sometimes border on envying those less familiar with the technical innards of our new silicon overlords. When you run across some home user who never backs up and hasn't had a problem for years, do you want to slap them over the head - or beat yourSELF up a little, and wish you lived in their world?
Perfectly Normal Industries
I'm a dba...that has influenced me to constantly put things in lists, then reference those lists, and make sure the lists are ok. Everything becomes a copy, of a copy, of a copy, until I get so wrapped up in my own brand of existentialism that I use my own life as an object within the lists. Object oriented programming is my religion now, and I pray to J2EE and PL/SQL.
From the alt.sysadmin.recovery FAQ: 5.5) Should I slit my wrists across or downward? Downward.
In computers (as in anything) there is real security and there is perceived security. Good security people worry about the fundamentals (OK, you have to use a crappy protocol due to element X of your solution, how can we make sure this does not come back and bite us) while bad security people inconvenience users so that they are forced to avoid implementing the security measures and then wash their hands (you need a 32 character password, and the only protocol you can use is our proprietary one that only works with IRIX servers with an O/S from June 1997). Inconveniencing people to make security visible doesn't work. Feuding so that you are overruled by business people does not work either.
It is the same thing with the department of homeland (homemade?) security. Oooh, you have to take off your shoes and leave your liquids behind, it's so inconvenient, it must be secure. Only it isn't.
The appearance of security is irrelevant. Real security involves backups so you don't lose data, monitoring so that you find intrusions quickly, and prioritization so that important data stays in high security networks and does not get lost. Real security requires knowledgeable security people, not drones who say "well Nessus reports a problem" that they cannot evaluate.
Of course when decisions are taken by business people with no clue, and network and sysadmins are hired by HR departments who can't spell IT much less define it, you have to expect some problems... Especially when said admins are given more work than they can cope with after their department is identified as a cost.
Outsourcing pretty much kills security as well. When you have to let semi-motivated people from countries with minimal IP laws who change jobs every 6 months or so access your network there is no way to save your data.
You got me into this! You were the ideologue! I'm only a poor assassin! - Twenty evocations, Bruce Sterling
No job has to make you unhappy. If you are unhappy, it's not necessarily circumstance. If you can't enjoy the medium, change the task, or find another profitable hobby.
I cry myself to sleep at night on my pillow that is stuffed with money.
When I wake up, I usually take the Porsche GT3 from the multiple options I have and rip up and down the highway to blow dry the tears away from the 200/hour I am making full time.
rough life!
If one is to derive personal happiness from work, then you have to do work where people are happy to see you. I tell the story of the Tech guy. One day, the big boss passes him in the hallway. Big Boss stops the tech, says: "You know, every time I see you I hear something broke. I'm beginning to think you are breaking them. Stop that or find another job." Likely not a true story.
Just last week I got verbally pummeled, berated, and chewed out because a major IT function went wonky. Never mind that they pulled the trigger on it four weeks early, never mind they cancelled testing, never mind the project wasn't fully complete. It's my fault for bringing it in four weeks early and without testing that it broke, and required three more days to fix. Never mind that not a single malfunction stopped production (only reporting and accounting - that's what took three days to fix. The numbers were there, the info was there, just the reports hadn't been given even a first pass debug run).
Computers are "magic". Management incants the PO, and *POOF*! the job MUST be done already, I mean, it's PAID for, right? We had six meetings, right? What OTHER work could POSSIBLY be required?
Just remember - there is no work so easy as that which management doesn't do. At least, to management's eyes...
You want to be happy, again, find a job where people are really glad to see you.
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
The people able to put in a $50 router/AP would be the people who more or less have access to do so in a corporate environment, in which case they are aware of the security impacts or should be. In a corp environment you normally don't have access to just put in a router anywhere, it would be noticed by the IT folks. Most of what you state would be reflective of a small business not a large corp environment. If that is the case the company has a bigger problem to deal with than just password issues. Here is the thing, coming up with a password is not a hard task. People, office people in general, don't seem to be too creative when it comes to making passwords. You're given the basic sets of security rules, etc and then you make one within those sets of rules. Reusing a password is a no no, so come up with variations of the same password, but variate them in a way that it wouldn't be guessable. What is so difficult about D1ff1cult90? That password is 10 characters, contains letters and numbers along with a capital letter. Sure, it's crackable with l0pht, but it would take time and if the time>cracked password then the attacker is more likely to move on to the next hopefully easier target. Most hackers are not going to waste their time with a hard target unless they are out to get a specific piece of info or have been paid to hack a company or have some sort of vendetta against said company. Security is more for deterrence than it is for actual security, which in and of itself creates security. As for outside hackers wanting info on a company, how about social security numbers of all employees, bank account information the company uses, products that the company purchases or sells, inside trader information for the stock market. There is a ton of information a hacker could sell on the black market or even utilize on their own. Granted doing so would send up a red flag somewhere at some point, but the point is made there is plenty of information to be had.
This goes for *every* company, unless somehow it's on an all paper system, in which case a simple break-in to the company would see their files disappear altogether unless they have backups. As far as the mental state of an IT security person...I'd have to say getting irritated and drained on having to repeat oneself and fixing the same issues over and over again. I'd think a virus outbreak would be the highlight of their day. You'd be surprised how many office folks simply forget their passwords over a weekend or use the caps lock key because they have no idea how to use the shift key. Hell, these people use computers day in, day out, own a computer at home, but still somehow don't know the basic functions of Windows and keyboard commands. I've run into people who don't know how to f'ing copy/paste! Really...at this point that is ridiculous. The issue is that many people in office positions are from a different era before computers really went mainstream. They've had to acclimate to them while in the work place while the younger folks (including me) have been brought up with them since childhood. The original PCs were so mundane and simple that a gradeschool kid would get bored with it at this point. Now we've had Windows 3.1, 95, 98, ME, 2k, XP, and now Vista. All of which in each iteration seemed to screw around with the layout of options, windows, menus, etc. This just confuses the normal user who has to basically re-learn Windows each time, whereas IT staff usually are on the forefront of the changes. Normal people could care less or give the time/inclination to learn a new version of Windows (Thanks Redmond, jerk offs, stick with the same dang interface and upgrade the mechanics of the software instead of changing the looks and implementing new damn bugs in the system.) because they have more important things to do than sit in front of a PC. It's blasphemy to us, but for the normal person it's like an IT person wanting to learn how to do the books in Accounting.
"When the people fear the government, there is tyranny. When the government fears the people, there is liberty."
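The D1ff1cult90 password discussed in the post above, worked through as an added example (this is not the commenter's code and not from any named tool): the first part enumerates a small rule-based candidate stream of the kind a dictionary cracker tries (dictionary word, optional capital, "leet" substitutions, two appended digits) and counts how many guesses reach the password; the second computes the brute-force keyspace that the "letters, numbers and a capital" accounting assumes. The wordlist is constructed for the demonstration and the guess rate is an assumed figure, not a measurement.

```python
import itertools
import string

# Constructed wordlist for the demonstration; a real cracker feeds in millions of entries.
WORDLIST = ["password", "difficult", "welcome", "summer", "monkey"]

# Typical "leet" substitutions a mangling rule tries.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}


def leet_variants(word):
    """Yield every spelling of `word` where each substitutable letter is
    either kept or replaced by its leet digit (2**k variants for k letters)."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for pos, swap in zip(positions, mask):
            if swap:
                chars[pos] = LEET[chars[pos]]
        yield "".join(chars)


def mangled_candidates(wordlist, digits=2):
    """Rule-based candidate stream: word -> optional capitalisation ->
    optional leet substitutions -> a fixed-width numeric suffix."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            for variant in leet_variants(base):
                for suffix in range(10 ** digits):
                    yield f"{variant}{suffix:0{digits}d}"


def guesses_to_find(target, wordlist):
    """Number of candidates tried until `target` is hit, or None if the
    rules never produce it."""
    for n, candidate in enumerate(mangled_candidates(wordlist), start=1):
        if candidate == target:
            return n
    return None


def brute_force_keyspace(password):
    """Keyspace a naive attacker must search if it only knows the length and
    which character classes appear (the usual 'complexity' accounting)."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in password):
        alphabet += len(string.ascii_lowercase)   # 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += len(string.ascii_uppercase)   # 26
    if any(c in string.digits for c in password):
        alphabet += len(string.digits)            # 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)       # 32
    return alphabet ** len(password)


def seconds_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time to walk the whole keyspace at a given guess rate.
    The rate is an assumption you supply; it depends on the hash and hardware."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    target = "D1ff1cult90"
    rate = 1e9  # assumed guess rate for an unsalted fast hash, not a measured figure
    print(len(target), "characters")
    print("brute-force keyspace:", brute_force_keyspace(target))
    print("hours to exhaust at assumed rate:",
          seconds_to_exhaust(brute_force_keyspace(target), rate) / 3600)
    print("rule-based guesses needed:", guesses_to_find(target, WORDLIST))
    print("keyspace of 16 lowercase letters:", brute_force_keyspace("a" * 16))
```

The two numbers are the point: the class-based keyspace for D1ff1cult90 is 62^11, which looks respectable, but the rule-based stream reaches it after a few thousand guesses because it is a dictionary word with predictable substitutions and a numeric suffix. A plain 16-letter lowercase passphrase has a larger keyspace (26^16) and, unless it is itself a dictionary phrase, no mangling rule to shortcut it. How long the brute-force figure actually takes depends on the hash and the attacker's hardware, which is why the rate is left as a parameter.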
Most companies have a lot of stuff that outside hackers would like to access - try a fast connection and several PCs that can launch whatever attack you like.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
Security nut for local network speaking. Since Security is the antithesis of Usability, you are not popular for doing your job. If you introduce a new security regime that makes things "hard" for people to do their jobs you are seen as a roadblock in the road of progress. If your security regime is not tight enough you are blamed for data leaks.
With this in mind, you need to derive your happiness from other places than people's praise. I'd say the GP's post example is of a person who has learned to derive happiness from both family life and playing in a band.
I know I get happiness not from doing the security work, but from other sources that are funded by the security work. I can definitely corroborate the correlation with more anecdotal evidence of my own experience.
Now I must get back to writing more policy.
A sig is placed here
To display how futile
English Haiku is
Why, you can write the slowest algo in the world; eventually Moore's law will take care of the problem for you. However, a poorly designed software package that can be exploited cannot be helped by Moore's Law. Better to teach kids to write secure programs than fast ones.
I find there are generally two types of IT person whether they are 'security' IT people or otherwise. There are those who think of the users as 'the enemy' and those who see the users as their reason for being employed. Obviously, I consider myself to be a member of the second set... the former set doesn't fully acknowledge the second set except that the second set "only serve to keep the problem going."
Long ago, just after the dot-com bubble burst, I began to realize what everyone else forgot during the dot-com boom. The boom occurred because people thought "IT" was some sort of magic bullet that just made money by virtue of its simply being there. Ridiculous amounts of money were spent on IT development and manpower. Anyone and everyone who was tired of their previous job, changed over to become "an IT professional" and expected enormous wages... some even got it. (There's still a lot of dot-com boomers in the biz... some deservedly so, and others have no clue or talent at all... we all know one or two don't we? You know, the 'cert chasers' and 'job hoppers' with enormous resumes who couldn't manage to set up a server for which he has a certification if his life depended on it?)
That thing I realized was that "IT" is just a support function for business. Sometimes "IT" is the production side of business, but generally speaking, whether directly or indirectly, IT is a utility function like electric and plumbing. While there are supposed to be higher skills and ability involved in the execution of IT functions, this isn't always the case. Upper management sees IT in this way as well because all of their executive clubs, newsletters and conventions tell them so. This is why they think they can outsource a lot of IT without hurting the company and generally lower the wages of the same group of people they classify as exempt from overtime pay.
But the realization that IT is an operating expense on business showed me that just being a great IT guy isn't enough -- I have to have the interests of the business at heart as well. And you can't have the interests of the business at heart when you hate your users and what you do. I do hate spam and spammers with no known limits, and crackers polluting the internet drive me a little crazy, but in the end, I recognize the range and limitations of my role in defending against those ass-clowns and focus on my users and mitigating the damage that can be done and balancing any methods I might employ against the needs of my users.
Another thing I have realized is that the same people who hate their users, probably hate their children as well... if they have any. If doing their job seems to have a negative influence on their personality, I think it's more likely that doing their job merely brings out existing negative tendencies. My point is that they probably already had personality issues to begin with and would likely respond to 'negative' stimulus in the same way whether it's IT or not. Doctors can bitch you out for eating too much. Dentists can bitch you out for not brushing regularly. Mechanics can bitch you out for not changing your oil regularly. And cops might beat you senseless for running a red light. We don't expect or desire these behaviors from people we consider "professional." If you're an IT person and you feel that your users are 'the enemy' then it's time to look at your professional attitude.
if you just keep your mind focused on one mantra: this is a computer system - not a living entity. Money is an illusion. Importance is a frame of mind not a fact of life. I like breaking things to see what happens because I really do not care if something breaks (unless it is done properly in the first place and finding out why it failed is a bitch) so why should you or anybody else? Isn't it better for you to find out that something is breakable than for some lunatic bastard? You should just not take everything so seriously. Importance is in the eye of the beholder. If you just chill out things will get better. And ... I know this is /. but seriously - have more sex (not to yourself though). ;)
CHET-NUN
A friend from the garden buzzed today to inform me that you should definitely not be so down. He threatens to sting you unless you cheer up. Maybe you could take up a little square-foot gardening in your spare time? Seriously sincerely,
JB
former IT professional
now gardener
IF I keep up the attitude of working as a partner, assuming that 'we' are managing to build against unseen forces, I am able to maintain a much more positive take-away from my job.
IF however I instead find myself saying things like 'My god, can't those idiots do anything right,' I'll manage to kill not only my job performance, but myself and the things I value (wife, kid etc.).
See yourself as a builder and you won't tear yourself apart. See yourself as a destroyer and you will be one at every level of your life.
I'm sorry, I'm too tired to be witty at the moment so this message will have to do.
I AM an IT professional turned gardener, you insensitive clod. Now get off my lawn.
WAP in a ceiling panel?
Haha, try that on the Pentagon network.
That might work in some tiny company that doesn't have any intrusion detection system or anyone monitoring network traffic but any organization with a credible security plan is well beyond that.
Newsgroups: alt.sysadmin.recovery
Subject: ADMINSPOTTING
Message-ID:
From: gkb@aber.ac.uk (Gary Barnes)
Date: 28 Jan 1997 14:49:18 -0000
Organization: Ripoffs R Us
X-No-Archive: Yes
Choose no life. Choose sysadminning. Choose no career.
Choose no family. Choose a fucking big computer, choose hard
disks the size of washing machines, old cars, CD ROM writers
and electrical coffee makers. Choose no sleep, high caffeine
and mental insurance. Choose fixed interest car loans. Choose
a rented shoebox. Choose no friends. Choose black jeans and
matching combat boots. Choose a swivel chair for your office
in a range of fucking fabrics. Choose NNTP and wondering why
the fuck you're logged on on a Sunday morning. Choose sitting
in that chair looking at mind-numbing, spirit-crushing web
sites, stuffing fucking junk food into your mouth. Choose
rotting away at the end of it all, pishing your last on some
miserable newsgroup, nothing more than an embarrassment to
the selfish, fucked up lusers Gates spawned to replace the
computer-literate.
Choose your future.
Choose sysadmining[1].
Gaz
[1] It might fuck you up a little less than heroin[2].
[2] ObFootnote.
-- /\./\ gkb@aber.ac.uk (Gary "Wolf" Barnes)
( - - ) "Do not ask any lady to take wine, until you
\ " / see she has finished her fish or soup."
~~~ - Hints on Etiquette and the Usages of Society
Yeah, I don't work in IT security or as an IT admin. But if I was, I would totally bring an ipod stacked with uptempo rock tunes to work and listen to it 9-5. But *not* EMO or "alternative rock" or anything that would impress someone in conversation, these tunes would delve such deep topics as "all-American thighs" and being born a "ramblin' man". Then of course there would be:
"You may be right, I may be crazy
But it just may be a lunatic you're looking for
Turn out the light, don't try to save me
You may be wrong for all I know, but you may be right"
You lock them out so they are not calling every hour.
But that's exactly the problem that it causes. Users are constantly calling the helpdesk because they don't have any control over their systems. They need to get something done, but then they need to wait 2 days for IT to respond to the call, because IT are so backed up with trivial requests.
Treating the user like an idiot who needs to be protected from him/herself is not the solution. Better to educate people and teach them responsible computing. Hell, if workers don't know not to install malware and randomly downloaded stuff, then what business do they have being employed in a job that uses a computer? Get rid of the idiots, instead of turning people into idiots by not allowing them to learn, or bothering to teach them.
... and then they built the supercollider.
The thing about happy gardeners: Don't promote them to head gardener. Even future predicting machines can't tell you what might happen.
Apart from that, it's a puzzle. Someone hands me a system or process, and it's my job to see if there's an unguarded way in (or out), a way to DOS the system, etc. Sometimes I don't find them before the real enemy does. It's a race, and it's a thrilling one.
Finally, I don't haughtily tell anyone anything. These are systems that (ideally) people have put their heart and soul into. You don't go up to someone and say their baby is ugly or deformed or broken. You point out that there may be a problem, and that you're a doctor - a specialist - and you're here to help.
Having a job (much of your time) that requires you to have a negative mindset is likely to affect your life in general unless you combat the negative mindset in the remainder of your time with positive hobbies and relationships with uplifting people, not to mention faith and hope in something greater than the current system that requires you to have to be so negative in the first place. I do IT Security as a part of my job and stay far away when not on the clock whenever possible.
It's all of the inbetween conversations that help me.
Yes, I also do a lot of testing where I focus on demonstrating, as systematically and comprehensively as possible, that software, infrastructure, and components thereof are flawed, expose organisations to undue risk, and are otherwise bad and evil and nasty.
A lot of this sort of testing is inevitably tied into project lifecycles and operational readiness requirements where there's no dialogue and understanding between me, a security professional, and the professionals on the other side of the fence I engage with. Sometimes they're disinterested project managers, sometimes they're technical resources associated with a project which would really rather I not prove they're not operationally ready and prefer I not make them slip their deadlines.
Sometimes, I interface directly with security staff, or technical staff in an organisation who've been pushing to have $security input for some time. I really relish these engagements - the chance to actually talk to a customer, individually, face to face, and *really* find out what they want - and what's going wrong. Sometimes the conversations I have in these situations bear little or no resemblance to what's on the piece of paper detailing why I'm there. No matter - I'll still do the job. But over coffee, standing outside datacenter gates at 2am, whilst eating noodles at lunch, I chat with these people about what they're doing and how it can be done better.
Selfishly, these conversations are invaluable to me as a tester. I pick up more information regarding flaws, particularly those hard to find architectural ones much pentesting misses, from these conversations than from weeks of poring over build documents, change requests, and the output of tools and scripts.
That's just secondary to this point, though - really, I'm a roving, peripatetic know-it-all who loves to chat - and in those watercooler conversations I have on most jobs I do, I have the opportunity to seek out and systematically eradicate boredom, stupidity, poor assumptions, and a whole range of other things. Some mine, some theirs.
That's why I really relish the job - it's just part of what makes being a consultant fun. Without that - doing the wrong kind of jobs, doing entirely remote work, just doing research.. well, there'd be other perks. But this one would be gone, and this one's been the biggest source of job satisfaction for me, recently.
Just my 2c. What's yours? :)
I've discovered it just doesn't mesh with who I am as a person. Some people just love to be assholes and make work for others, say "no" a lot, and generally piss people off. I didn't realize that a lot of what "security" comes down to is that sort of thing. From the outside, all of the research, hacking, break-ins, forensics, etc. is extremely interesting. But when it comes to the day-to-day responsibility for millions of people's PII, corporate oversight, depositions, audits, etc. Oy.
Or maybe you're drawn to the "big brother" side of things -- monitoring email, web usage, AUP violations, etc. Maybe you're a natural voyeur. But when you're instrumental in getting someone fired for minor infractions of AUP, and have to live with the knowledge that you're somehow partly to blame...
Some people become cops because they get off on having authority and like to throw their weight around. Others like to build things. If you're a builder, then don't get into security, since your job in security is to prevent, control, and destroy, in the hope of protecting your assets.
Someday you'll have an epiphany: "No matter what I do, how hard I try, something, somewhere, will get screwed up and there will be a breach or suspected breach. And when that happens, the ensuing investigation will make me and/or my department look like fools and destroy whatever is left of my career".
Then you get out of security. Maybe you'll be less lucky and almost die from a bleeding ulcer first, like me.
So if you want to do security, great. Enjoy. I'm going back to the low-stress world of system administration. I might get lots of midnight calls, but the healing needs to begin.
"But actually trying to use m4 as a general-purpose langage would be deeply perverse" --ESR
Oh, and if Windows is so fucked-up that workers can't be trusted to install things, then what the hell is the IT department doing installing Windows machines in the first place?
... and then they built the supercollider.
real life or living is not as secure as it needs to be
because of the SLOW propagation of its nature
virtual life has to be secured because it's easily spread across the whole world and propagates at a rate you can never imagine
actually you have to make humans into machines if you want to live in a secure way
but if like that......one virus kills both the real world and the virtual
A heretical thought. God invented pens, paper, handwritten records and locked file cabinets for a reason. If it's a small company, why do these records need to exist on a network?
You're fucking hysterical! I just looked at your posting history and it's a blast. It's like if Don Rickles had a really shitty day, too much to drink, and he discovered that he had some incurable disease.
I hope you don't do this in person. Bad things happen when you do.
You're a phaggot. hahahaha -cyberwave
DUH!
I mean really, who wants a job working for machines?
Be happy that you have a decent paying job and quit runin' my life !!
About 7 years ago I started working in craft, with tile laying (bathrooms etc), and I never had a bad day.
Intriguing. I work as a programmer, but on bad days I find myself reminiscing about my old days flipping burgers at Burger King. It was a humble job, but I didn't worry too much about whether or not my work was generally worthwhile (the nutritional qualities of fast food notwithstanding). I'm sorry to say that the majority of what I've done as a programmer has apparently been for naught.
I enjoy programming, but it's difficult to find programming work that actually makes people happy, I think.
"Not an actor, but he plays one on TV."
Get rid of the idiots, instead of turning people into idiots by not allowing them to learn, or bothering to teach them.
Easiest way to do that is to track who's wasting IT's time, as opposed to who's using the department wisely. When Johnny Sales calls for the tenth time in a week 'cause he just HAD to click the monkey for a better insurance deal, you or your boss should point out that Johnny blew 5 man-hours of labor that week...on a digital monkey.
Anyone that helpless needs to be replaced with someone who CAN follow policy.
Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
Is he really happy?
He says that's what keeps him sane.
Maybe he really means it.
If you delay pleasure infinitely, the pleasure will be infinite. (YM)
Really, sometimes, I think their heads are going to explode. Why? We refuse to give our SSNs to the doctor's office. They swear up, down, nine ways to Sunday that they absolutely need those 9 digits so they can bill our insurance company for the visit. Never mind the fact that they've never once gone unpaid. Why? We give them the insurance information, which includes our member id #'s, which is NOT an SSN. The last time we went through this, the girl told me, "But, if we enter anything wrong, misspell your name, get the id number wrong, or whatever, the insurance company will bounce the claim." My suggestion was simple, "Ok, no problem, just make sure you type in the correct number and information the first time, and then it will be correct in the future as well."
The unsig!
Actually, many cell phones don't require drivers ;)
For example - supposedly the Helio Ocean requires a driver. In reality, you can plug it directly into a DL585 running Windows 2003 and it is instantly recognized as a USB device (two if you have a flash card in it)
An operating system should be like a light switch... simple, effective, easy to use, and designed for everyone.
I worked for 15 years in computer security. Gave it all up at 35 for underwater photography. I am a sooooooooo much happier person now diving at Eastern islands. And frankly - nothing has really improved in computer sec in the past 3 years I have been away - the way I see it anyway. On the contrary - as far as I can tell - more and more snake oil - more and more wannabes who have no clue - more and more vaccine rather than the cure.
you are just an asshole.
have a great day.
Note that the book's author, Martin Seligman, has apparently provided assistance to the CIA in the development of their torture programs. So, that might make the book more or less relevant, depending on your point of view...
"Not an actor, but he plays one on TV."
This article hits very close to home for me. You'll forgive me for posting as anonymous coward, but the following post is quite private and I'd rather it not appear next to my name in Google searches.
I'm probably what you'd call an IT Security Professional. My job title is "network administrator", but I spend my day securing our network, reading security articles, finding new ways to protect my own data, as well as the organization I'm employed by. I tell you, when that cold-boot attack against whole-disk encryption came out, it scared me half to death. My workmates describe me as a "Security Nazi", which I think is in part why I was hired for this position.
Anyway, about 12 months ago, I was diagnosed with clinical depression. Whilst I don't think my 'IT security' based position was the consequence of it, I don't think it helped - which my psychologist and psychiatrist both seem to agree on.
To cut a long story short, my depression revolves around a fear that I'm going to lose all my friends - being left alone without anyone etc. Which would be bad.
It seems that my 'security-based paranoia' comes into play a lot here. I always look at the worst-case scenario in everything (hope for the best, plan for the worst). I always plan a response to an event. I analyse everything I say and do. That's what security professionals are supposed to do.
My problem is that mindset is being applied to my personal life. I see, plan and even expect worst-case scenarios. I have an argument with a friend. I spend hours in my head working out what this could mean. Usually it ends up with me thinking "worst-case scenario is I've just lost my best friend". It may have been a simple argument, but at least at the time, I don't see it that way.
Whilst these thoughts probably aren't that bad, being in my depressive type state, it continues down a path to which there is no end. "If I've just lost this friend, it's only a matter of time before he/she talks to my other friends and I'll lose them too". Towards the end of that road, you get to "If I've lost all my friends, is there any point in living?" You can probably guess where things go from there, it's not pretty.
I very much like learning about security, so I am reluctant to walk away from it. Hell, I'm even good at it. In a way, perhaps too good.
I believe me being an IT security professional was just a coincidence to my depression, but now I'm here, it certainly hasn't helped.
I've found that the best IT Security people were already cynical before they ever took the job. The job didn't make anyone worse off. You'll notice a pattern in the comments on this page of an increase in happiness over time: You take a job, work with crappy people, move to a better job, afford a fun hobby.
Security nut for local network speaking. Since Security is the antithesis of Usability, you are not popular for doing your job. If you introduce a new security regime that makes things "hard" for people to do their jobs you are seen as a roadblock in the road of progress.... Now I must get back to writing more policy.
The security policy folks at my organization have me doing development work on a machine so locked down that I can't even go into Admin Tools to reassign a drive letter for a USB drive that keeps colliding with the chosen drive letter mount point of the main network share. Before I was hired, the head of IT sent goons in to confiscate our department's server and put its contents on one of the centralized servers at the downtown office. Access is now consistently slow--- when it even works. To prove the size of his penis, he also took over the MS Access database built by my predecessor and changed all the passwords, including the one needed to add additional records. He now refuses to give us the password, nor have one of his people add records for us. As time goes on, this database becomes increasingly less useful to us. This is the application I'm currently "stealth coding" a replacement for.
At any rate, I think there are some IT security people who like their jobs, and some who don't. The former are probably more likely to be intelligent, know what they're doing, and don't try to make their job the validation for their life's worth. The latter are the ignoramus fucktards like the idiot little Caesar where I work.
If a job's not worth doing, it's not worth doing right.
I've been in IT security for a few years now, and just last year I came down with a severe depression, to the point where leaving the bed became near impossible. You burn away from the inside if you let the whole thing fester and rot you away.
For me it was the combination of the people you're trying to protect being completely resistant to any learning and gaining any kind of consciousness for their own security, coupled with the deep insight my job basically gave me into the plans of our governments to abuse the whole system to eliminate any kind of privacy. And NDAs that keep me from talking about it don't necessarily help there either.
I guess it all depends on why you do it. If you're in it for the money, and the money is good, no doubt, then you won't have a problem. If security is your reason, you're in for a very depressing ride.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Never mind the statistics - are you happy? Considering the vagueness with which this concept is surrounded, I wouldn't put too much in what "they" say about happiness, but there is actually a way to measure it, which strangely doesn't seem too far out:
http://www.coachingtohappiness.com/happiness_-test.html
Whatever else people say about happiness, I think a major part has to be that you feel contented. Do you go to your job every day wishing that you were somewhere else? Then you are not happy and you should possibly think of a career change. But if you feel that what you do gives you a number of things you want in life, whatever they are, then you are reasonably happy - at least with your job. Our daily life should be much more than just our job.
The key is to avoid taking your job personally. It's a game, a puzzle to be solved. You're a white hat looking to thwart black hats. In the process, you protect people and organizations and their critical assets. You're doing important work, and to the degree that you work with other professionals in your field, and cross-pollinate ideas and concepts, we'll all be happier and more secure because of it.
Your white blood cells don't get stressed over protecting you from invading germs? Right? You have a contribution to make, make it freely, then live the very best possible life you can. If you find the stress of the work begins to outweigh the pleasure of solving the puzzle, find something else that pleases you more :-)
I know it sounds simple, but we're the ones who make life so complex...
I've been chief security officer of an ISP, and now I am "only" system administrator at another ISP -- for good reason.
If you do your job right, you're constantly harassing your co-workers and customers, and with no apparent benefit. Or alternatively it looks like you're not doing anything at all.
If you don't do it right, you get broken into, so everyone notices, and you've obviously failed.
I had one break-in in several years (on a test-machine with too much software running), and guess what, I didn't get commended by the management for having no security problems in years, I got commended for the incident-response.
Nah, I really can't recommend it. Playing Cassandra, get no thanks and all the blame.
"The more prohibitions there are, The poorer the people will be" -- Lao Tse
The plants grow at a leisurely pace. You'll have much time to consider your options. Also, weeding etc. are tasks that take up only a small part of your consciousness - enabling you to plan ahead.
Contrast this to the life of a common system admin. Sure, as a gardener you will have to deal with the unexpected and the weather. In a server farm, you will have to deal with stress (the system is down!), poor choices by your superiors and/or peers (because I say so!), and a permanent demand for efficiency. Of course, all these factors do not apply if you're working in a smaller company or one of those companies with a high enough profitability that they prefer to slightly overstaff their IT department just because it's a good way of reducing risk.
Stop the brainwash
well there's like 15 answers to that, but the first two that spring to mind are:
1) the IT team at that company might not make the decision to install windows. someone less knowledgeable may have decided that.
2) finding knowledgeable CHEAP admins is far easier for windows networks than *nix networks.
Actually, I am quite serious. How about taking a popcorn & beverage attitude? IMHO reality is one big movie theatre. It is just a cognitive-emotional decision to take a different point of view and have a different emotional judgement.
It's said that if you want to be happy, be a gardener.
There, fixed that for ya.
Of course, the traditional reply to this argument is that the scope of your traditional security scenarios is locally limited. A lock picker from Elbonia won't trouble you. A script kiddie with a cracklib and a password file might.
I suppose it is inevitable that the original poster couldn't spell 'penetration'. It is Slashdot, after all ;)
Probably every skilled programmer loses his/her trust in technical devices of all sorts, because he/she is aware of the fact that even things that look simple are extremely difficult to build correctly.
The consequence is that even many of the most reliable devices and systems - like aircraft, medical devices, nuclear reactor control systems and such - have bugs that can be expected to lead to catastrophic failure from time to time.
Actually, there was this study linked on Slashdot a few years ago, where average happiness in IT was below that of, say, workers on garbage trucks. I'm too lazy to google it atm, though.
So apparently there _is_ at least some correlation.
There are plenty of personal anecdotes of people who were unhappy in IT jobs and got a lot happier when they resigned and did something else. I don't know if that's enough to "prove" a causation, but it at least makes one wonder.
Of course, it could also be that the people who are drawn to IT work are the ones who are totally unfit for that kind of a job, and who'll hate it. At least theoretically, it's a possibility.
On the other hand, it would be a first for any job.
On yet another hand, about half the people who end up in IT or programming jobs, loved working with a computer before choosing that career. In fact, that's why they chose it. A lot still love working with computers in their free time.
So whatever the cause and direction there is, at least it surely can't be that it draws people who hate computers.
At the very least, something is wrong there either way that causation goes. In the end, regardless of which way it goes, if you're unhappy with a job, you're just unhappy and that's that.
I have to wonder how much you can keep those attitudes separate.
There was a study some time ago, where merely being asked to write an apology of a position contrary to your own, fully knowing that it's just a silly exercise and it's not even supposed to be taken seriously, after a while causes your actual position to shift towards what you wrote. E.g., if you're a Democrat and have to write an essay about how right Bush is, after a while you'll actually start seeing him in a somewhat better light.
It's called cognitive dissonance. The brain basically has a model dissonance with "I'm an honest person" and "I just wrote a lie", and basically resolves it by changing the latter to "well, it wasn't really a lie. Maybe at most a bit of an exaggeration."
So a mask you wear every day, eventually becomes _you_. If you pose as a Linux/BSD/Mac/Windows fanboy to fit a certain crowd even just for a couple of hours a week, eventually you become more and more of an actual fanboy. And if you have to put on a thoroughly unhappy face every day for 8 hours, eventually you _will_ convince yourself that you _are_ unhappy with your situation.
At any rate, you can't really keep two completely opposite mental models, unless maybe if you're schizophrenic. And those attitudes are based on your model, after all: being, say, a misanthrope is based on your model having a pretty bad opinion of your fellow humans. You can't really switch between "humans are evil idiots, and they should have stayed in the trees for another million years until they're ripe" and "humans are nice and friendly, and I enjoy their company" at the drop of a hat. Your brain is wired to keep _one_ big model of everything consistent, not to have several models and switch between them as needed. If it worked with several models, it would avoid cognitive dissonance very easily. In practice, it doesn't.
So any model changes that cause a different attitude at work, _will_ still be there in your model when you're at home or at the pub with your friends. You may build an artificial "us" group (as in, "us vs them") of people who ar
A polar bear is a cartesian bear after a coordinate transform.
I never compile USB in to my server kernels, although recent ones require USB for keyboards, though I don't compile any more in. Damn you, USB keyboards.
Get your own free personal location tracker
Like many other posters from the "other side of the desk" who've had crappy experiences / perception of corporate infosec, you've got some pretty profound misapprehensions about what real infosec is all about. Security that gets in the way of people doing their jobs IS bad security, as a general rule, because as you observe they will route around it - and then you have a false sense of security, because now you don't know what insecure practices are going on, because the users are actively trying to conceal them from you. This is a Bad Thing. Seriously, I spend a lot of my time giving masses of positive reinforcement to people who do the right thing (like dropping me a mail saying "uh, it's probably nothing, but we're coding up this system which includes a secret admin backdoor, is that OK with you guys?"), and likewise making sure that users know to flag it up and complain, LOUDLY, if security does get in their way. When I get to hear about such issues I put a lot of effort into addressing concerns in a fair way, explaining the risks that e.g. rotating strong passwords is designed to protect against, providing tips and hints about how to generate memorable passwords (first letters of a line of a favourite song is one of my favourites), why it's actually OK to write them down on a slip of paper kept in your wallet and so on. I also try to make sure these efforts are highly visible - not because it's a security contest, but precisely because I want to reduce the inevitable "look out, here come those goose-stepping bastards from security again" attitude to the absolute minimum possible. That's also why I try to take the time to chat to real end-users rather than just listening to what managers tell me their people are doing.
one employee can circumvent it ALL with a $50 wireless access point concealed someplace in a drop ceiling,
That's what 802.1x is for, and why you spent all that time arguing about the wording of your AUP, and making sure that no-one can claim that they didn't know that installing a network backdoor was grounds for instant dismissal (e.g. with regular mandatory refresher training, all@... emails and the like).
I think many people in charge of spending (whether management or other I.T. workers) are realizing that the basics like merely having SOME kind of password required to log in, a basic NAT firewall in place, some anti-virus/spyware package on the workstations, and maybe a spam filtering service on their email is ALL they realistically need
Actually, the "right" level of security is as long as a piece of string. What are your assets? What are the risks to them? What (to some arm-waving approximation) is the chance of something bad actually happening? Now compare the costs and benefits. Lo, there is no "one size fits all" solution. For instance my home WLAN is configured with a really crappy WEP encryption doobry, broadcasts its SSID, etc. However only my Dad uses that connection, and the only plaintext stuff going over it is low-value general mail and web usage; on top of that we're miles out in the countryside, we know the families within wifi range personally and none of 'em have computers anyway... and I couldn't make his cheapo wifi dongle work with WPA2. Given that cat 5's impractical without cutting holes in doors (or drilling thru' 18" thick masonry walls and fitting proper conduit.) Oh and I don't run any a/v or firewall on my work machine; I use a hardened BSD and have no network services running apart from ssh on a high port. See what I mean?
Everything I needed to know about life, I learnt from Blake's Seven
Dear Sir,
I was unable to read your comment, or apply appropriate moderation, due to its total lack of readability. Please consider the use of paragraphs in the future. Thank you.
Sincerely,
AC Mod
I can see you've never done helldesk duty clearing up the malware infections and broken configs caused by users installing such work-essential s/w as online poker clients and the inevitable screensavers and browser toolbars. Guess what, we're paid more than most of our users, our time is more valuable, and we don't want it wasted rebuilding their bloody laptops for the 20th time because they went off to donkeyporn.com AGAIN after being specifically told not to the last time they and you lost a day's work whilst you rebuilt their machine....
Everything I needed to know about life, I learnt from Blake's Seven
Apart from the severe kicking you'd get from HR if we caught you doing this, it wouldn't work at my employer, because we have our laptop and desktop USB slots locked.
Everything I needed to know about life, I learnt from Blake's Seven
Dealing with their "why does it not work", "i NEED this to work" and "it works at $home, why not $here" is not always easy.
Better to educate people and teach them responsible computing.
BWAAAAAAhhH!! hahahahahahahahaha. Ever tried it? Obviously not... :D
Everything I needed to know about life, I learnt from Blake's Seven
I'm worried my boss may ask me to monitor employee /. postings.
Bark less. Wag more.
" into every reply I do just because /. fails to interpret the return character.
Seriously, *why* doesn't /. do this? Along with being able to edit posts...this is a standard feature in threaded forums. This site for all intents and purposes is a forum....
"When the people fear the government, there is tyranny. When the government fears the people, there is liberty."
Define small.
3 persons? Probably still done by cheque.
10 persons? In some businesses that's enough for an IT person. Other businesses, well, there may be someone that knows the difference between a printer and mouse, and they do that as a side line.
Centralised backup? Shared access between 2 persons needing access? Files on a RAID drive, not subject to the whim of a dodgy power supply?
Q:I was listening to a CD in Grip and it sounded horrible! What's up? A:Perhaps you are listening to country music
I work in IT security for a large financial firm. We've spent a good amount of time convincing the development community and the business that security is THEIR responsibility and have built processes to reinforce this (i.e. if folks want to do truly risky things, we can make them go get signoff from senior management). With checks in place, I feel we take the approach of "doctors" for applications/architectures.
Dev team is building a new architecture to trade with an exchange? They ask us to review their architecture before they build (sort of like a checkup before going to climb a very dangerous Mt. Everest).
User accidentally e-mails confidential information to the wrong counterparty? We help them work with legal to get things cleared up, give training on appropriate data handling and add client controls to their outlook. (I.e. tell a kid not to run with scissors, take away the scissors and put band aids on the wounds)
In this light, I feel I'm proactively helping folks and treating those who have run into trouble. Security folks are able to have a broad view of the solutions available to common problems (even outside of security) and teams get value out of this. I've even had folks say (and mean) thanks after meetings that involved them totally re-architecting their application. With the right approach, you can be more than a roadblock...
I've been working in IT security for almost 13 years now - I started back in the days when we said, "what's a firewall and why do I need it?"
I largely work as an independent consultant, and I have worked in banking, defense, fed gov't and the live-like-a-rockstar-dot-com-days.
I have to say that my overall sense of fulfillment at work has been rather low. Spending a decade telling people 'no' or 'how to do it better' - especially when they don't really understand that you're trying to help them, or they don't understand that there are actual threats - is really frustrating.
Working on endless IT projects, for clueless management, unappreciative end users only to have the project canceled (don't 80% of all IT projects fail?) leaves me with no real sense of accomplishment and meaning.
To mitigate this, I joined the local volunteer fire dept. Nothing beats a day in the cube more than rolling down the road lights and sirens or actually bringing someone back to life.
pax
"Omnis tuus capsa sunt inesse nos"
I'm one of those "IT Security Professionals". Hence the AC.
I decided a while ago that I will not take on any more "defensive" security jobs. As a general rule, I find pen-testing to be a joke-- you can almost always find a way in (especially when people are involved), and if you can't, it probably means that the pentester sucks, not that the security is great. (It's what Gary McGraw calls a badness-ometer, the dial on the one end says "security sucks" and on the other end says "don't know".)
I work for one of the last large multi-billion dollar global enterprises that are privately held. I don't even have to deal with things like SOX or HIPAA. I do deal with PCI, but we've done our homework and segmented where that affects us, so it's really not terribly bad. Since my organization has been around for the last 100 years, they have had to operate in a risk-taking mentality. Otherwise, they would have been belly-up by now. So, anything for security has to be a business case justified expense-- and rightly so.
But as the senior security analyst responsible for protecting the organization, I routinely feel like "giving in to the darkside" and becoming an "offensive" security professional, like the pentesters I willingly dismiss. Why not? They get the same or more money than I do. They don't have to stick around after the bad news is delivered to clean up and fix things. Those guys are never responsible for "building" things. (BTW, to all the other posters who say their security people don't build things-- it's because they suck, not because security people don't do that. I am constantly involved in "building security in". If you're smart, you'll quickly realize that's the most efficient way.)
Does the "security mindset" bring me down? Maybe a little. Ignorance generally is bliss. Do I like the knowledge? Absolutely. Do I think most "security professionals" have it? No way. They're in the job for the money, not for the love of the game.
So, how do I cope? It's simple. I realized that in order to be free, I need to be able to demonstrate how to build secure systems without having the day-to-day political BS to actually get that work done. In order to "build security in" (which should be any security professional's ideal), you have to teach developers who didn't learn this in college. How can I fix that problem while still keeping what's left of my hair? Become an academic. Hence, this week in fact (what timing!), I'm starting my PhD. I moved away, it's full-time residential, not some crappy overseas PhD farm. This way, I get to keep (add onto) the knowledge (yay), I get to stay defensively-minded (yay for ethics), and I get to help correct the problem as early on as possible (when the future software punks are in school, yay), without having to deal with the "that's going to cost our organization $X Million over the next Y years?" question.
Good luck. YMMV.
Empathy and positivity are wrong in IT/Security. However they might give you a bit of good time now and then, they *will* backfire.
What if your own empathy makes you feel the dissatisfaction and troublesome mood of the boss? And that of many other colleagues, one day things are not working? You 're gonna be wishing to help, get very stressed, then fry.
What if the worst case scenario happens, despite how good your consultant was. He'll soon find himself quite sued, unless he has carefully weighed all negative scenarios, lots of cynicism.
10 years in IT: it sucks to be there. I'd rather go sell newspapers if I could afford it.
You either don't work in IT security, or you work with hacks. A good IT security department monitors the 2.4GHz spectrum for rogue wifi, and hunts down and punishes those who use them.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
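The post above says a good security department monitors the 2.4GHz spectrum for rogue wifi. As an added example (not code from any poster in this thread), here is the triage logic a defender would run over a scan once it has been exported: it assumes the scan is available as CSV-like lines of bssid,ssid,channel,rssi, and the scan lines, inventory and SSID names below are all constructed placeholders.

```python
"""Rogue access-point triage over an exported Wi-Fi scan.

Added example for the rogue-wifi point above; it is not code from any
poster. Assumes the scan was exported as lines of bssid,ssid,channel,rssi_dbm.
"""
from dataclasses import dataclass

# Constructed sample scan: hypothetical BSSIDs and SSIDs, not real devices.
SCAN_CSV = """\
00:11:22:aa:bb:01,CorpNet,1,-42
00:11:22:aa:bb:02,CorpNet,6,-51
de:ad:be:ef:00:01,CorpNet,11,-48
de:ad:be:ef:00:02,Free_WiFi,6,-39
02:fa:ce:b0:0c:01,NeighbourNet,1,-81
"""

# Constructed inventory of sanctioned APs: bssid -> where it is mounted.
INVENTORY = {
    "00:11:22:aa:bb:01": "Floor 1 east",
    "00:11:22:aa:bb:02": "Floor 2 west",
}
# SSIDs the organisation actually broadcasts (constructed).
CORP_SSIDS = {"CorpNet"}


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    channel: int
    rssi: int
    locally_administered: bool  # U/L bit set: typical of software/phone hotspots
    verdict: str  # sanctioned | evil_twin | unknown_strong | neighbour


def parse_scan(text):
    """Turn exported scan lines into (bssid, ssid, channel, rssi) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, ssid, channel, rssi = line.split(",")
        rows.append((bssid.strip().lower(), ssid.strip(), int(channel), int(rssi)))
    return rows


def is_locally_administered(bssid):
    """The second-lowest bit of the first octet marks a locally assigned MAC."""
    return bool(int(bssid.split(":")[0], 16) & 0x02)


def classify(bssid, ssid, channel, rssi, inventory, corp_ssids, rssi_threshold):
    """Decide what a single beacon means for the defender.

    Priority order: known hardware first, then anything impersonating a
    corporate SSID, then strong unknown signals (likely inside the building),
    and finally weak unknowns, which are usually neighbours.
    """
    if bssid in inventory:
        verdict = "sanctioned"
    elif ssid in corp_ssids:
        verdict = "evil_twin"
    elif rssi >= rssi_threshold:
        verdict = "unknown_strong"
    else:
        verdict = "neighbour"
    return Finding(bssid, ssid, channel, rssi, is_locally_administered(bssid), verdict)


def triage(text, inventory=INVENTORY, corp_ssids=CORP_SSIDS, rssi_threshold=-60):
    """Classify every AP in the scan; stronger-than-threshold unknowns are flagged."""
    return [classify(*row, inventory, corp_ssids, rssi_threshold)
            for row in parse_scan(text)]


def rogue_findings(text, **kwargs):
    """Only the entries that need a walk-around with a directional antenna."""
    return [f for f in triage(text, **kwargs)
            if f.verdict in ("evil_twin", "unknown_strong")]


if __name__ == "__main__":
    for f in triage(SCAN_CSV):
        print(f"{f.bssid}  {f.ssid:<12} ch{f.channel:<3} {f.rssi:>4} dBm  "
              f"{'LAA' if f.locally_administered else 'OUI'}  {f.verdict}")
```

The RSSI threshold is the one knob that needs site tuning: too permissive and every neighbour becomes a ticket, too strict and a hotspot in a drop ceiling two rooms away never shows up. The locally-administered flag is a supporting signal only; some legitimate controllers also assign virtual BSSIDs that way.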
IT work killed off my soul and turned me into an anti-social hermit who doesn't like people very much. Computers are logical, predictable, efficient, and don't smell too bad. None of those can be said about people.
I was, once upon a time, an IT security administrator for a Fortune-50 company.
I made ridiculous amounts of money.
I also got ridiculous amounts of professional anxiety.
I had plenty of responsibility but no authority - a fact based on, I would later find out, the company's imminent merger/acquisition to an overseas conglomerate. My predecessor had gotten wind of it when they killed one of his projects to make the Point of Sale databases actually capable of being backed up every day in under 24 hours' time (at that point, it took 36 hours to back up 24 hours' worth of POS data) - which was necessary because our number one job was to help identify where people had committed internal fraud, credit card fraud, and had stolen identity data from our systems of our customers.
I had an FBI liaison officer on speeddial on my Batphone, and I on his.
In order to actually get ahold of the data I and the FBI needed in order to track down these criminals - as well as to actually secure our systems as problems cropped up - we needed to analyse anomalies in the sales data - and we couldn't touch it until it had been backed up.
At one point, we were three weeks behind POS data backup. Three /weeks/. Can you imagine three weeks between the commission of an exploit and even being able to learn of it?
I made quite a few official memoranda to my boss, and my boss' boss, the CIO - who spoke doublespeak at me about budgeting constraints and going through channels. My boss was sympathetic but toed the CIO's line.
The day after the merger, I was locked out of the systems and walked off the campus, and later found out that the very next week, so was the rest of my team. No references, no recommendations, and the only reason they confirmed my employment dates is because they had outsourced that function.
I missed my brother's wedding because I was on-call for a major systems-security event (the event of the millennium), sitting watching a console with the bat-phone on my desk, waiting for something to go wrong.
---
I am now a DBA. Not even the head DBA. I am an assistant DBA.
There are no letters in the universe sufficient to alliterate the "Aaaaaaaaaaaaaaaaaaaahhhhhhhhhhhhhhhhhhhhhhhh" of relief.
Not that BB doesn't hit a few targets by accident... but we're all pretty much safe from intentional action.
When those around you are losing their heads while you are keeping yours, maybe you've misunderstood the situation.
My dad is a cop. Or I should say, now that he's retired, was a cop. I think he really hated his job toward the later years, but he's never been happier since he retired at a young age a decade or more ago.
How did being a cop affect him? Not sure if it was partly his personality already, probably was, but I can tell you how he has been since I've known him and compare and contrast to my personality... being mostly a Network Admin/IT Mgr (with security on the mind but not in a huge way) the last several years. My dad is always suspicious and untrusting of others. Almost always pessimistic, self-centered, sometimes mean and ill-tempered, sometimes very social (like groups), very opinionated, and quick to judge others.
Me - very different background but my personality, I think, is probably:
Less selfish, sometimes overly trusting, fairly pessimistic, sometimes mean/spiteful/ill-tempered, sometimes very social (usually on one to one basis), not as opinionated on everything under the sun, and quick to judge others. I tend to be an overachiever (on a small/personal scale) in some areas, but I've gotten more mature/mellow with age. I consider myself to be pretty happy... especially since I have a wonderful wife and now a wonderful son. My job kicks ass as well lately, but it is a job.
So anyway, take that as you will.
The true answer is that their password _can_ be the name of their dog, for 95% of users
In a perfect world, this might be true. However, it's not. It's like saying that 70% of the people on earth can have unprotected sex because only 30% have STD's (numbers pulled at random for demonstration purposes).
However, in real life, there are plenty of other scenarios.
a) Not password, but security related (say, restricting downloads). You have Bob on the 1st floor who pretty much just writes out paperwork. However, Bob's computer gets a virus. This virus emails itself to the department in the form of an infected document or whatever, which gets opened by Jim in accounting. Now Jim's computer sends all the client-info to some public webserver where it's picked up by crackers from Russia.
What, you want a password example, OK, how about this
b) We'll use Bob as an example again, except this time, Sally from HR has gone on Maternity leave. There's nobody to replace her right away, so Bob gets somewhat of a promotion. Sally gives Bob access to her network share via her username/password, so that he can access documents there. Sally's password is fairly secure, however Bob's is still "fido." Frank from the other department decides to sniff around because he thinks he's getting stiffed on pay. He logs into Bob's computer and downloads an Excel sheet with the employee pay scales from Sally's share that's still connected on Bob's computer...
And yes, there are plenty of examples that are more simple than this. Simple situations can cause big problems.
Now, I don't agree with IT Departments that insist you have a 15-character alphanumeric password with at least 2 other characters, but having a decently secure password that's not easily dictionaried or guessed is not that hard. Even alphanumeric is easy:
slashd0t
slash_d0t
d0t_slash
sla5h_d0t
Overly difficult to remember? Not really. Super-duper-secure? Perhaps not, but better than "fido" or the name of your firstborn child.
Without researching and relearning everything about cognitive dissonance, I'd like to comment. So this is like brainwashing yourself, if I'm reading you correctly.
I can't buy into this too heavily, despite having seen people who are trying to brainwash themselves with the goofy self-made propaganda that sales jobs (especially the pyramid variety) seem to push. I don't think it's a longterm thing, and I don't think pretending to be happy all the time when you are not really makes you happier. Sure, it probably has a chance to make you feel a little better, but I don't think it is as black and white as you make it out to be.
On the other hand, you make a good point, and it probably has some effect on people who are putting on the mask of stern security person. I just don't know that it is the biggest part of the equation.
So, you know that the same guy is probably reading and sniffing your packets as you write this post to /., right?
It amazes me that IT-aware people cannot seem to understand that the minute inconvenience caused by little things like centralizing services, adding passwords, and generally making an IT department that does IT allows "your department" to focus on little things like doing business and making the company money.
Instead, the IT-aware people inevitably complain that it's security, and security impedes business. The problem is that people like you build crappy little tools to do a job, and then bitch about the power tools that would be built if your manager had the balls to get rid of your now obsolete position and pay to roll out secured enterprise-class tools for the same thing.
Good luck; remember security is useless unless the company makes money, and "free because you built it" doesn't save time or money when it can't be supported because you got hit by a bus.
Confidentiality, Integrity, Availability: without Availability the other two are assured, as is Bankruptcy.
I've been doing security work as part of my admin job for a decade or so now. I'm getting depressed enough with it that I'm ready to give up and pass it off to someone else, despite the fact that it fascinates me.
Why? Because it's a losing battle. Ten years ago (or 20, right back to RTM), if there was a security breach you could track down the source with the help of admins at other sites, and then do something about it. Nowadays, if there's a security breach your job is strictly limited to patching the hole and rebuilding the machine. "Security" has become a euphemism for building bigger walls, and hiding inside. When someone takes a swing at you, you cower even deeper.
I work for a major ISP (>$9B market cap), and am on a security planning task force. Someone is currently sending out UDP spam with the source address spoofed to be a range of IPs that we own. Victims (and in fact, other ISPs) routinely phone us and ask why we're spamming them. Now despite the fact that criminals in this country (and our neighbors) are paying organised crime to spam people, our official solution is to rewrite our canned response letter! Do we prosecute? No. Do we investigate? No. Do we get the lawyers involved? No. Why? It's because the prevailing attitude is that trying to stop spammers (and other online criminals) in any useful way is futile; and that the only solution is to buy more defenses.
The computer industry doesn't like spam or hackers, but they also know that it drives a significant part of their business, so they don't want to work _too_ hard at changing the attitude. Unfortunately, now that the Russian mafia is involved, they're probably right.
Security is a losing game. You will never get ahead. You will never make your systems secure. You may make your systems sufficiently less of a target than the next guy to prevent random attacks, but that's it. There is no security, there is no safe place, and (worst of all) there is no recourse.
Man, I've just depressed myself even further.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
One key addition (from the non-profit world):
3) Meeting system requirements dictated by the U.S. government.
I'm not tense. I'm just terribly, terribly, alert.
Maybe in a large company they do... but come on! How many smaller businesses (and by that, I mean such places as warehouses, machine shops, factories, etc. that might employ between 25 and 100 employees) are *really* going to have I.T. security people on staff doing regular wi-fi signal sweeps?
What they *usually* do is have a small I.T. dept. tasked with the job of implementing/maintaining security of the network as well as the rest of the I.T. duties.
That doesn't make them "hacks". That just makes them prioritize their work, so they're going to make judgment calls about the relative necessity of doing different security-related tasks.
If you get the feeling that most of your employees couldn't configure a wireless router if their lives depended on it, and by the same token, you have a very real concern about getting reliable backups - which one are you going to spend more time and effort on?
This is one reason I find many of the self-proclaimed "security experts" a little annoying. They assume that the "best practices" they push are good ideas for everyone - instead of realizing that they're peddling a level of system security that isn't cost-effective or practical for many.
Anyone that helpless needs to be replaced with someone who CAN follow policy.
Maybe Johnny Sales is the best salesman on the team? Then you're not gonna convince them his going to donkeyporn.com and getting a virus every other week is a "big" concern. Problem is, the only people who actually see us IT Security guys as valuable is actually our boss. The rest seem to think we're Nazis wanting to show we can restrict all they do. Thus they rebel to show us we can't, when really we're just trying to keep things moving.
Well, kudos, found that to be well stated :)
It just occurred to me that there's an even better example of what I'm talking about. Think of some of the "audiophiles". The kind that actually hears the sound difference in an MP3 played over an audiophile-grade Ethernet cable.
Pretty much, the cognitive dissonance at work is between, X="I'm one of the elite guys with a superior hearing", Y="that kind of people hear such differences", and Z="I don't hear a damn thing differently with this cable." (Sometimes with an extra jab of, X1="I'm a smart, savvy customer", Y1="Only gullible people buy snake oil" and Z1="this cable I paid $500 for is snake oil.") Something there has to give. If you really believe Y and X is too important to give up, then Z has to be false. So they actually convince themselves that they hear a much nicer and clearer sound when they use that cable.
A polar bear is a cartesian bear after a coordinate transform.
1. Each person in the company is entitled to a $100 "security bonus", payable at the end of the year.
2. If you break into somebody else's account without getting caught (and prove it), you get an additional $100 security bonus. It would be nice if the bounty was larger than the loss of the victim, but that would promote collusion.
3. If your account is compromised, you lose all security bonuses for the year.
What you describe is basically Batman's mindset, "What is the worst that could happen?" So do what he does -- be miserable.
I see three alternatives: (1) Get good at compartmentalizing. Fill your non-professional life with positive things. When not required to be paranoid, live in blissful ignorance. (2) Embrace your inner cynic. You should discuss this first with your loved ones to avoid alienating them. (3) Give it up, which is easier said than done, given your innate security mindset.
#3 is likely to get you a reservation at Arkham, so I suggest trying #2, then #1, then #0 before resorting to #3.
Empathy and positivity are wrong in IT/Security. They might give you a bit of a good time now and then, but they *will* backfire.
What if your own empathy makes you feel the dissatisfaction and troublesome mood of the boss? And that of many other colleagues, one day when things are not working? You're gonna be wishing to help, get very stressed, then fry.
What if the worst-case scenario happens, despite how good your consultant was? He'll soon find himself quite sued, unless he has carefully weighed all negative scenarios, with lots of cynicism.
10 years in IT: it sucks to be there. I'd rather go sell newspapers if I could afford it.
This is an incredibly weak argument. Empathy is just one more channel to gain information through. Saying "Empathy is bad, because what if you feel someone else's dissatisfaction?" makes about as much sense as saying "security cameras are bad, because what if you see something on them that depresses you?"
Also, what-ifs work both ways. What if your lack of empathy makes you miss social cues that someone is trying to lie to you? What if you miss noticing that a co-worker is having a rough time in their personal life, and is not at the top of their game?
So. Summary: Your argument = silly. Empathy = useful channel of information.
On a serious note, I used to work with a guy who started out being a cop before he got into IT and he said that he quit due to a similar reason. He said that police are taught that about 10% of the people commit 90% of the crime but that when you spend 90% of your time dealing with that 10%, it starts to warp your perspective of society. He also said that his training in human behavior to look for suspicious or dishonest activity started to carry over into his personal life and over analyzing everyone around him.
That same mindset isn't always good for dealing with other aspects of life. Who wants to always be focused on solving problems in their relationships, for example? In my case I had to realize the inclination to always find the "negative" aspect of a situation. Once I became able to realize it, I developed the ability to set aside my initial perception and focus on more positive ways of dealing with situations. For example, instead of focusing on what is wrong, I appreciate what is working correctly. By identifying the positive aspects of any particular situation or system I'm better able to bring individuals and departments together. People respond a lot better to a presentation that effectively says, "These systems were implemented to do X, Y and Z. They've been doing them well enough. Let's consider how adjusting A and B will make them even more effective." A few years ago, my presentation would have been more along the lines of, "X, Y and Z are completely cluster fucked. The developers fucked up A and B, and didn't even bother to think of doing C. Now, let's fix this broken pile of shit."
Maybe Johnny Sales is the best salesman on the team? Then you're not gonna convince them his going to donkeyporn.com and getting a virus every other week is a "big" concern.
To which you answer:
"You're right. Johnny brings in lots of money. In fact, he brings in enough money to offset the damage caused when someone gets our customer list and financial info from Johnny's PC. Why, Johnny will accept the legal liability for that, and pay for our overtime and for the lawyers! Who needs a secure bank account and client list when the money's rolling in?!?"
If, at that point, they all nod their heads and agree, hit the job ads....FAST.
Problem is, the only people who actually see us IT Security guys as valuable is actually our boss. The rest seem to think we're Nazis wanting to show we can restrict all they do.
...then I might submit your boss isn't doing his job. He's supposed to be able to justify each and every security measure you have in place, and he's either not explaining the "why" of things in a manner that the other managers can take to their teams, or really CAN'T justify it... in either case, he's not doing his job.
Thus they rebel to show us we can't, when really we're just trying to keep things moving.
So the employees are willfully causing damage to the systems, and the higher-ups are OK with that? If this is the case, I'd again suggest the job ads, a shrink, or both. You can't do your job with people fighting you.
Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
I agree that it helps to find happiness outside of work. In my case it is martial arts that I find real enjoyment from these days. Working in IT is a pretty unappreciated and invisible job in the grand scheme of things. A few months ago we had a yearly meeting where the entire organization (only about 200 people) came together in the auditorium. The director and some of the other bigwigs got up and proceeded to give various departments kudos for doing different things for the organization. IT didn't get any recognition and I realized we never will. People don't care that they pick up the phone and get a dial tone. They don't care that they have an email/messaging/calendaring system that helps them communicate, makes sure that they get to their meetings and are able to keep everything organized. Most people simply don't realize that there is a lot of effort that goes into providing them with the tools that they take for granted. How does the head of finance know that they made budget? They trust the accounting system. How does the director of development know who to contact for donations? They use their contact lists, email application and the phone systems. How do they know if they made their numbers? They check the fund-raising system.
I've said it before and I'll say it again, being a pessimist isn't a bad thing.
When you expect the worst, you can enjoy the good. Having a birthday? Expect crappy gifts? Well, when you get something good you can be happy, appreciative, thankful, and surprised in life. Still got crappy gifts? So what, you expected it; no surprise, no unhappiness.
Whereas being an optimist, you're expecting a new car in every box... let me know how happy you are when it isn't what you expected. You could try being optimistic about that too, and say at least it wasn't a cobra in the box.
I think most pessimists don't understand the enjoyment of being one. Sure, you may need to learn to have a care-free attitude, but optimists have one as well. If the glass is half empty, so what? That means you have GOALS in life, and you are more likely to be productive and achieve those goals. If it's half full? You are happy with life and couldn't care if you had more.
Disclaimer: I am not god.
We may not be created equal
But we can be treated equal.
What helps you stay out of pessimism and cynicism?
Now, why would I want to do that?
In times of universal deceit, telling the truth gets you modded -1 Troll
Well, see, that's just one of the many reasons why Linux (and BSD, etc) make better servers...
You only have to run what you NEED. You'd be amazed what careful and selective compilation will do for stretching older servers.
With Windows, you have a pretty big footprint, even for a simple web or file server.
An operating system should be like a light switch... simple, effective, easy to use, and designed for everyone.
Actually doing the work that one loves is a privilege for a minority - and I'm in that minority, after a career change (and a temporary dip in income that, at some point, will be overcome.) I was in IT, now I'm an academic. I view the privilege as being as much a matter of luck as anything else.
The down side is that I'm always thinking about my work, and it puts pressure on my family. When I had a job I was "meh" about, I would leave it at the office when I came home (I started my family after leaving that job, but the phenomenon still holds.) Now, save for wee bits of online-forum-posting procrastinations (cough), I come back to my computer and work when my wife and baby are asleep. I make a lot of commitments for projects and such that make me travel over weekends, or keep me out a bit late, and I chafe a little when I turn those commitments and such down to "spend more time with the family" (and I do enjoy my family - but I identify with my work.)
The people able to put in a $50 router/AP would be the people who more or less have access to do so in a corporate environment, in which case they are aware of the security impacts or should be.
In a corp environment you normally don't have access to just put in a router anywhere, it would be noticed by the IT folks.
Most of what you state would be reflective of a small business, not a large corp environment. If that is the case, the company has a bigger problem to deal with than just password issues.
Every single one of the Fortune 1000 companies I've done a security audit for this year had rogue access points. Generally they're behind someone's desk, or behind the potted plant in the bigwig's office.
I found one just this morning sitting on the person's desk, blinking like mad (someone was downloading something... hmmmm...)
Of course, in my role as a consultant, all I can do is notify the IT department and move on, but I always wonder what they do to follow up.
As far as the mental state of an IT security person... I'd have to say getting irritated and drained from having to repeat oneself and fixing the same issues over and over again. I'd think a virus outbreak would be the highlight of their day.
This is why I quit corporate security to work as a consultant doing assessments and penetration testing. I treat it like a hacking game... "capture the flag". Of course, there's the 90-page document to write at the end of it all, but it's really fun to go through and challenge myself with penetrating this multi-billion-dollar company. FYI, I'd put myself at about 75% successful at completely penetrating every aspect of any given business. Some shops (even the big ones) we own 8-ways-to-Sunday, others are pretty tough nuts, but I've never been on a job where we didn't get some pretty good access after a while.
It's blasphemy to us, but for the normal person it's like an IT person wanting to learn how to do the books in Accounting.
But... I do want to know....... :-)
"When the people fear the government, there is tyranny. When the government fears the people, there is liberty."
That's on my wall at home and is my quote of the decade. Amen.
Agreed.
Unless you have one of the cool infrastructures like Aruba's controller/scanner scheme, you can't possibly monitor the spectrum.
Most big companies I look at run distributed operations. Fifteen buildings in one metro area, a few leased offices downtown, a couple of warehouses maybe a factory or three. Not to mention satellite offices.
I'm curious what you guys use to do rogue detection? Because simply walking around with netstumbler isn't a great solution, but most shops don't have the budget or the motivation to put together a cohesive product like Aruba's to detect for rogue APs.
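Since the question of what to use for rogue detection is left open above, here is an added example (not from the thread, and not from any product it names) of the triage logic a walk-around scan can feed: observed APs are compared with the WLAN team's inventory, and unknown BSSIDs are correlated against MAC addresses learned on the access switches. The scan records, inventory and switch MAC table are constructed sample data, and the MAC-adjacency heuristic (a rogue AP's wired MAC usually sits within a few addresses of its BSSID) is an assumption that a real deployment should tune.

```python
"""Triage Wi-Fi scan results against an AP inventory (added example, not from the thread)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SeenAP:
    bssid: str        # MAC the AP advertises on the air
    ssid: str
    channel: int
    signal_dbm: int   # stronger (closer to 0) usually means on-site
    encrypted: bool


def mac_to_int(mac: str) -> int:
    """Turn 'aa:bb:cc:dd:ee:ff' (or dash-separated) into an integer for distance math."""
    return int(mac.replace(":", "").replace("-", ""), 16)


# Severity used to sort the report so the worst findings come first.
SEVERITY = {"evil-twin": 0, "rogue-on-lan": 1, "misconfigured": 2,
            "suspicious": 3, "neighbour": 4, "authorized": 5}


def classify(seen, inventory, corporate_ssids, wired_macs, mac_window=8):
    """Return (bssid, verdict, reason) tuples, worst first.

    inventory:        {bssid: ssid} for APs the WLAN team actually deployed.
    corporate_ssids:  SSIDs that only inventoried APs are allowed to advertise.
    wired_macs:       MACs learned on the access switches, for correlation.
    mac_window:       assumed max distance between an AP's BSSID and its LAN MAC.
    """
    wired_ints = [mac_to_int(m) for m in wired_macs]
    results = []
    for ap in seen:
        if ap.bssid in inventory:
            if ap.ssid == inventory[ap.bssid]:
                verdict, reason = "authorized", "BSSID and SSID match inventory"
            else:
                verdict, reason = "misconfigured", f"managed AP advertising unexpected SSID {ap.ssid!r}"
        elif ap.ssid in corporate_ssids:
            # Our SSID from a BSSID we never deployed: classic evil twin / credential harvester.
            verdict, reason = "evil-twin", "corporate SSID from unmanaged BSSID"
        else:
            near_wired = any(abs(mac_to_int(ap.bssid) - w) <= mac_window for w in wired_ints)
            if near_wired:
                verdict, reason = "rogue-on-lan", "unmanaged AP whose MAC neighbours one seen on the wired LAN"
            elif not ap.encrypted and ap.signal_dbm > -60:
                verdict, reason = "suspicious", "strong open network, probably on-site"
            else:
                verdict, reason = "neighbour", "unknown SSID, weak or encrypted, likely a nearby tenant"
        results.append((ap.bssid, verdict, reason))
    results.sort(key=lambda r: SEVERITY[r[1]])
    return results


# --- constructed sample data (not real networks) ---
INVENTORY = {"00:1a:1e:aa:01:10": "CORP-WLAN", "00:1a:1e:aa:02:10": "CORP-WLAN"}
CORPORATE_SSIDS = {"CORP-WLAN", "CORP-GUEST"}
WIRED_MACS = ["d8:5d:4c:12:34:57", "3c:52:82:aa:bb:cc", "3c:52:82:aa:bb:cd"]
SAMPLE_SCAN = [
    SeenAP("00:1a:1e:aa:01:10", "CORP-WLAN", 6, -45, True),    # deployed AP, as expected
    SeenAP("00:1a:1e:aa:02:10", "CORP-GUEST", 11, -50, True),  # deployed AP, wrong SSID
    SeenAP("0c:80:63:77:88:99", "CORP-WLAN", 1, -40, True),    # our SSID, not our hardware
    SeenAP("d8:5d:4c:12:34:56", "linksys", 6, -38, False),     # LAN MAC ...:57 is on a switch
    SeenAP("f4:f5:d8:01:02:03", "NETGEAR42", 11, -81, True),   # weak, encrypted, next door
    SeenAP("a0:b1:c2:00:00:01", "FreeWifi", 3, -50, False),    # strong and open, unknown
]


def audit_sample():
    return classify(SAMPLE_SCAN, INVENTORY, CORPORATE_SSIDS, WIRED_MACS)


if __name__ == "__main__":
    for bssid, verdict, reason in audit_sample():
        print(f"{verdict:13s} {bssid}  {reason}")
```

The "rogue-on-lan" bucket is the one worth walking to: it is the only finding that ties an unknown radio to a port on your own switches rather than to the tenant upstairs.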
"Since Security is the antithesis of Usability..."
Not necessarily true. The best example is SSH. Before SSH, you had to suffer hell to do remote X11 with rlogin: rlogin, export DISPLAY, fool around with X11 cookies, make sure that incoming port 6001 was opened, etc, etc... A real PITA.
Then comes SSH: Just use -X on your command line: everything is taken care of automatically by SSH, and you get as an additional bonus encrypted X11 traffic, RSA auth, man-in-the-middle attack protection, auth of the server, etc.
Security is not necessarily the Antithesis of Usability... but security THEATER surely is.
Well I assumed a company large enough to have an IT security department would know to either deploy wifi detection equipment, or get some of the free wifi scanning software, and stroll through campus carrying a laptop every once in a while (which is cheap and low-cost). A company too small for an IT security department probably can't afford to hire security policy writers in the first place (and is probably totally owned by some botnet operator, anyway).
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Of course focusing on the negative and the problems and all the ways things can be hacked makes you less happy than, say, um, someone who arranges flowers or tastes chocolate all day long. Of course someone needs to poke holes in all the unsecure code or insecure endpoints because if you don't know the vulnerability, how are you going to fix it? I used to be a reporter and editor and got out of it because I ended up focusing on the dregs of the world - murders, war, crime. All the ugly stuff that puts scabs on you if you have to deal with it all day long. Of course someone needs to do it. Am glad that all these people around me - in my company and elsewhere - are looking for the trouble. Keeps me safer. I like to think so, of course.
I can totally agree with timothy on this one, it's not so much that doing your work makes you an unhappy person, it's that constantly thinking in a critical way (fault finding) can mess with your life. You begin to automatically think about every possible way in which something could go wrong and lose your positive attitude towards life (which is really handy).
I'm a software tester and so I'm always finding problems with everything, and this somewhat conditions your mind into always thinking that nothing is perfect, which of course it isn't, but your increased focus on the fact is unhealthy.
Of course there are plus sides like being able to make sure that things will run smoothly whether it be organising a holiday or buying a new household appliance, but in the end your over analysing still prevents you from properly relaxing. Like someone posted above, I think it's pretty important to get away from technology in your downtime, and into a situation where things can't really go wrong - you have what you need and don't care about anything else (snowboarding and drinking with mates come to mind for me).
I think it's good to realise you've developed some useful life skills, you're never going to make stupid blind decisions in life, and you just need to learn to control your thinking by not analysing things which aren't so important and just going with the flow.
Could it ultimately be that the reason many IT security professionals are unhappy is that they've known all along that computers CAN be made secure if the code was done right in the first place?
Spending a lifetime covering up the coding "sins" of others gets old after a while. I know, I've been a career tech support guy.
While I've moved "up" to handling very expensive inside-the-carrier-never-touched-by-outsiders telecom gear, which pays a lot better than the desktop -- I still know (and try to explain to folks) that the model isn't "let's code the best possible software we can and make a great product". Instead the reality is... let's code whatever gets this thing shipped and go have a beer, the tech support guys will fix the rest or create procedures to deal with our bugs while being bitched out by customers who know better, and we'll move on to creating the NEXT product that will ship "just in time" with just as many bugs.
The cycle is slower in telecom than the desktop, in an order of magnitude measured in anywhere from 3-7 years, but it's the same merry-go-round it was in 1994 when I started this gig. I took some time "off" in the dot-bomb days building an ISP/data center company, and came back to the same old "problems" that never go away four years ago.
It's a steady paycheck and I do other things besides my work to enjoy myself. Work is utterly boring when you know all the drama of new code releases, new versions, and new products is all just a way to start over when the code gets so crufty no one can fix it anymore.
Yawn...
I think the only place this might not be true is in embedded aerospace code and systems support roles. When people DIE when your code/products suck, you pay attention. Otherwise, at some point the ADD poster-children over in Engineering enamored with some new real-time OS, DSP chip, or coding language, get bored and want to sell something new to justify their existence, and the cycle starts over again.
Fixing up the old system that's tried and true becomes either a) impossible -- too many people left/moved on to "next big thing" or b) boring -- time to build "next big thing".
It's utterly boring. But it keeps me in a job. If they actually coded something perfect, I'd be jobless since there'd be no reason to maintain a tech support contract.
So... I wonder if "security" is similar, except that you get to put out "fires" of a different variety. 80% of my job is political, 20% is actually fixing/working on technical things. That's fine with me, but I don't think it's how UPPER management envisions my role. They figure anyone with the same technical training can do it.
My customers whom I've built relationships with for 14 years (with a few years "off" but where we all still kept in touch -- telco is a small world) would certainly disagree. It's more about trust for them than it is about anything else. Downtime is evil, because when they're down they're bleeding real cold hard cash revenues and possibly future contracts, and they know I know that. They don't trust newbies unless they've been vetted by folks they trust. (It's a six month process to "introduce" a new tech, for example.)
Same thing from the security-biz friends I've asked -- their "customer" whether internal in a corporate job, or external in a consulting job, trusts them. Or they wouldn't be there.
But we all know deep-down it's all a huge waste of time, if the code were just correct to begin with...
+++OK ATH
Have you tried setting your "Comment Post Mode" to "Plain old text" instead of "HTML formatted"? Typically if you're not intending to use HTML to format your post HTML formatted is a poor option.
But 'eh, keep bitching. It only shows your ignorance.
Cheers,
ND
This statement is forty-five characters long.
So when your boss or your boss's boss comes to you asking you to do some snooping, do you just say "Sorry, I can't do that." and still keep your job?
We give requests to HR to deal with at a certain point. That makes people make better requests. We also have more mature bosses most of the time.