Unsolicited Advice on Self Improvement

Some thoughts on advice about guiding others’ self-improvement.  Often, advice comes in the form of “If you do X, Y will happen.” It’s worth unpacking that. What “If you do X, Y will happen” often really means is, “For some group, which I think is large and I believe you are in, doing X will increase their favorable outcomes in the direction of Y by some small amount.” 
 
The first half of that framing can be really othering if you’re wrong. “I think this works for all humans!” might get heard as “It doesn’t work for me, do you think I’m not human?”  I think of the latter half of the framing as the 1% effect:  For some set of people, this advice might improve their expectations of good outcomes, but maybe by no more than 1 percent.   How big is “some people”?  It might be just the advocate (“I did this and it worked for me”), or it might apply to a large in-group.  But it almost certainly doesn’t apply universally, to every possible listener.  We should understand that the original framing (“Do X to get Y”) is incredibly othering to members of the outgroup.  That advice might not work at all for them.  Or a 1% improvement in their outcomes might be outweighed by the odds stacked against them. So that’s the first tip in guiding: acknowledge that you might be wrong, and your advice might not apply.  And that for some people, these topics are so sensitive and carry so much historical stress that you might hurt them more than you planned to help them. 
 
But what about the 1% effect?  Assume that any piece of guidance might help someone by 1%.  Is that a lot?  It depends!  The difference between the best NFL player and the worst is just a small collection of 1% effects.  But me?  1% isn’t getting me onto the Patriots roster.  Understand where there’s a cluster effect - maybe this advice is useful, but the biggest effect you see is for people who’ve invested in gaining a lot of advantage in a related area, and others might not see the same benefit. 
 
Consider this one: when people ask how I am, I say, “I’m fantastic!”  It helps me keep my frame focused on positives, which increases my resilience to stress.  I used to say, “Not bad,” and I noticed that I was looking for the bad.  Now for me, that “one simple trick” sits on top of a lot of mindfulness, and care, and good fortune.  Thanks to a colleague, I always remember I could have been born a nematode!  I’m really fortunate to be a human in the 21st century. I suspect that for many people, a daily remembrance of good fortune will improve their condition - but I also know that for people with a wide range of circumstances, from chemical depression to trauma to many more, that advice rings hollow. So when you’re evangelizing something that works for you, and maybe others, recognize that you are almost certainly talking at someone with a different experience.  And they might not appreciate unhelpful and/or unsolicited advice without caveats. (If you’re in the mistargeted group for whom this advice might even be harmful, recognize that this blind spot around inapplicable advice might be just a blind spot, and not explicit malice. We hope.)
 
That leads to a point about inclusion.  I think of inclusion as “reducing the energy cost of a person just to exist in a space.”  Recognize that your assumptions about what works for other people increase their existence cost when you’re wrong. 
 
So I conclude with hopefully near-universally applicable guidance, from the hallowed halls of San Dimas:  
Be excellent to each other. And, as always, thank you to a remarkable cast of humans who help me think about these ideas, and find ways to make the world better.  It’s truly a blessing to know you and have access to you.

Nine Years After: From Aurora to Zero Trust

How the first documented nation-state cyberattack is changing security today.

It's January 12, 2010. In a blog post, Google publicly discloses that it has been the victim of a targeted attack originating in China. The attack resulted in the theft of intellectual property, but the attackers didn't stop with Google — they targeted at least 20 different organizations across the globe, in an attack that would later become known as Operation Aurora.
Operation Aurora was a shock for many organizations because it made everyone face a new kind of threat, one that previously was only whispered about around the watercooler. A government-backed adversary, with near-unlimited resources and time, had struck the world's largest Internet company — and almost got away with it.
No one wanted to be the first to call Operation Aurora a nation-state attack. The possibility was certainly there, but the fear was that rushing to attribution and getting it wrong could mean the first person to speak would be viewed as Chicken Little for the rest of his or her career.
Later, leaked diplomatic cables would show this attack was "part of a coordinated campaign of computer sabotage carried out by government operatives, private security experts and Internet outlaws recruited by the Chinese government." With confirmation from several sources all reaching the same conclusion — that Aurora was in fact government sanctioned and sponsored — our beliefs about what constituted reasonable choices for the state of security within the enterprise would never be the same.

Here at Akamai, one of the companies targeted by Aurora, the attacks became a primary driver for change.
Target: Domain Admins

Akamai was affected by the Aurora attacks because a domain administrator account was compromised. From there, the attackers were able to enter any system they wanted, including the system they targeted. Fortunately, while systems were compromised, the specific data the attackers were seeking didn't exist. So, in a way, Akamai was lucky. Still, there was an incident, and the underlying hazards needed to be addressed.
All across the industry, we talk about trust, but the systems and processes used to establish trust have been broken or abused time and time again. Our journey for addressing this trust challenge began by examining how Akamai managed systems administration.
We started by replacing accounts that could log in to anything with narrow, tailored accounts that were not the principal account for the user. Doing this meant that a single error could no longer lead to the fall of the company; instead, a series of errors and failures would be required before that could happen.
When people think of the blocking and tackling of security, getting domain administration right and implementing the right tools and policies are where you start. But — while not minimizing this task and sweeping change — this was only the beginning. Over the next several years, we migrated further and further away from passwords to point authentication. This was essentially an in-house SSO, but even that was altered to focus on X.509 certificates and, later still, push-based authentication.
Lessons Learned

It's been a nine-year journey. Nine years since Aurora, and we're still not done changing. We went from a place where, if you were on the network, you had access to everything, to today, when you don't even need to be on the network. Services and applications are only available to those who need access to them. It's no longer about trusting where you are; it's about trusting that you're you. So when you're compromised, the adversary can access only the tools and services available to you, and nothing else.
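The two ideas above, narrow tailored accounts that are separate from a user's everyday account and access decided by identity rather than network location, can be seen side by side in a small policy model. The following is an added example written for this page, not Akamai's code or any product's API; the account names, roles, services and address range are all constructed, and the authorization functions are a deliberately simplified stand-in for a real SSO or zero-trust gateway.

```python
# Added illustration (not Akamai's code) of the two trust models described above:
# location-based trust, where anything on the corporate network reaches every
# service, versus identity-based trust, where each service is reachable only by
# principals holding a role that needs it, regardless of where they connect from.
# All names, roles and addresses below are constructed for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CORP_NET = ip_network("10.0.0.0/8")  # assumed corporate address range


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset          # roles granted to this specific account
    mfa_verified: bool        # whether the session completed push/second-factor auth


@dataclass(frozen=True)
class Request:
    principal: Principal
    service: str
    source_ip: str


# Which roles need which service. Services not listed here are denied by default.
SERVICE_ROLES = {
    "wiki": frozenset({"employee"}),
    "payroll": frozenset({"hr"}),
    "domain-controller-admin": frozenset({"tier0-admin"}),
}


def location_based_allow(req: Request) -> bool:
    """The pre-Aurora model: being on the network is the credential."""
    return ip_address(req.source_ip) in CORP_NET


def identity_based_allow(req: Request) -> bool:
    """Zero-trust style model: who you are, not where you are."""
    required = SERVICE_ROLES.get(req.service)
    if required is None or not req.principal.mfa_verified:
        return False
    return not required.isdisjoint(req.principal.roles)


def reachable_services(principal: Principal, source_ip: str, policy) -> set:
    """Blast radius of one compromised account under a given policy."""
    return {
        svc for svc in SERVICE_ROLES
        if policy(Request(principal, svc, source_ip))
    }


# Constructed accounts: Alice's everyday account and a separate, narrowly scoped
# admin account that is not the principal account she uses day to day.
ALICE = Principal("alice", frozenset({"employee"}), mfa_verified=True)
ALICE_ADMIN = Principal("alice-admin", frozenset({"tier0-admin"}), mfa_verified=True)

if __name__ == "__main__":
    inside = "10.1.2.3"  # a compromised corporate host, inside CORP_NET
    for policy in (location_based_allow, identity_based_allow):
        print(policy.__name__, "-> alice can reach:",
              sorted(reachable_services(ALICE, inside, policy)))
```

Under the location-based policy, a compromised everyday account on a corporate host reaches every service, including domain-controller administration, which is the failure mode Aurora exploited. Under the identity-based policy the same account reaches only the wiki, while the separate admin account reaches the domain controller even from outside the network, provided the session completed second-factor authentication.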
Over the last decade, a new concept has started to take hold in the security industry. We call it a number of things — zero trust, BeyondCorp, nano-segmentation, micro-segmentation — but the goal of this idea is to move away from location-based trust on the network. We followed a parallel path, breaking new ground along the way.
We got it right in a lot of places, but there were plenty of lessons to learn. Don't be afraid to realize that you've chased down the wrong path. 802.1x for our corporate network, in the grand scheme of things, was the wrong path. We learned a lot by doing it, and if we hadn't done that, we'd be in a worse place today. But we're going to basically throw out all of that hard work in the next few years as we move to an ISP-like model for our physical buildings, and that's OK.
Change is a constant in the security industry, and being willing to change as needed is one of the key growth factors in any business — large or small. It's taken nine years to figure out what we wanted and to get to where we are. And we've taken this journey so that others can do it more seamlessly going forward.
This post was originally published at Dark Reading.