Bill Brenner wrote an article titled "Take the word curmudgeon and shove it" in which he makes relatively sweeping statements about the "people in security [that] call themselves curmudgeon". As one of the long-time security curmudgeons, I took offense to his article, calling it pathetic. Brenner was intrigued by that response and others and asked for a counterpoint post, something that was already in the works.
First, it is important to get an idea of what a "curmudgeon" is. Straight definitions vary, some saying "a bad-tempered, difficult, cantankerous person", "a crusty, ill-tempered, and usually old man" or "an ill-tempered (and frequently old) person full of stubborn ideas or opinions". In my eyes, the crux of the curmudgeon is very different. While ill-tempered and full of stubborn ideas or opinions is fairly accurate, a curmudgeonly disposition is born out of years of experience in the industry and the long term frustration that builds from trying to make positive change in an industry that continually pushes back seemingly at all costs. Years of banging our heads against a brick wall and making no progress, other than a stellar headache, will drive any optimist to take on a negative view of things. At some point, a curmudgeon may be born; but only if the person still genuinely cares in some fashion.
A fundamental point of the article I disagree with is summarized in this quote:
I've been thinking about this a lot lately because I see an increasing number of security practitioners who are good people and good at their craft who choose to screw it all up by taking their disposition into the gutter.
I don't know what circles Brenner runs in, but the very few security practitioners I have encountered that take on the curmudgeon title don't fit this bill. They dole out curmudgeonly advice or comments, but don't take it to the gutter. Perhaps these other 'curmudgeons' act differently, but without any citations or examples, it is hard to judge.
When doing so, they often throw the word curmudgeon around when describing themselves.
Who is 'they' exactly? When writing an article that lumps a group of people together, the least the author could do is cite a source or three. This is something that should be a fundamental part of how any blogger or journalist operates. Blogging foul, Brenner. The second point I take issue with is his categorization of curmudgeons into 'good' and 'bad', with an inevitable shades of gray distinction coming shortly after I bet. How do I know? Because I am a 'gray curmudgeon' in his black and white world.
A good one might complain a lot on Twitter. About the weather. About clueless customers. About a whiskey bottle that has run dry. But they don't rip apart specific people by name, and they mix their crankiness with a lot of useful advice for their audience.
A bad one calls specific peers names because they disagree with a point of view. They drop one or more F-bombs per tweet and always brag about being drunk because they think that makes them cool.
Using myself as an example, I complain a lot on Twitter about everything. The price of movies, annoying tweets, our crappy self-mutilating industry and more. Err... I also rip apart specific people by name, because they deserve it. My advice, when not talking about hookers and blow, is cranky but frequently helpful. I call peers names because I disagree with their point of view, just as I called Brenner's article pathetic because I disagree with his point of view. The actual F-bomb count is rather low, but the sentiment is surely there. Long story short, I am a 'good' and a 'bad' curmudgeon by his definition. So I will beat him to the punch and call myself a 'gray curmudgeon', because I don't wear hats much, and I am not sure if I should substitute another article of clothing for the labeling.
I've complained on Twitter about the PR pitches quite a bit, so I single myself out for criticism as well. I have a cranky streak of my own, and sometimes I misuse that crankiness.
But I will never call myself a curmudgeon.
That's ok Brenner, I will do it for you. Read your article again, and you are being a curmudgeon, on the topic of curmudgeons. There are certainly bonus points for the circular reference.
After seven-plus years writing about the security industry...
Sorry Brenner, I have to take that back. You are not old enough (industrially speaking) to earn the curmudgeon title. To better demonstrate how a real curmudgeon views things, take the following example of your words and my reply.
The more our Twitter presence becomes about being drunk and tearing other people down, the less useful we become to the newbies who dip their toes in the social networking realm in search of some wisdom that may actually help them do their jobs better.
If a newbie decides to "dip their toes in the social networking realm" in search of some wisdom about security or hacking, then they get what they deserve. They are the new generation, but same breed, as the countless idiots asking us "how do I hack?!". If you feel indebted to them when they didn't owe it to themselves to Google it first, that is a character flaw on your part. If I call them out for being raging idiots, I am not the bad guy, just an honest curmudgeon giving them a tough lesson. The kind of lesson that helps distinguish if they are serious about learning our craft or a Bieber/Twilight/Matrixy obsession with something that is cool at the time. In fact, being a curmudgeon and virtually smacking them down is a strong blessing in disguise; most of them just don't realize it.
Could it be we'd rather they stay ignorant so we'll keep finding fodder to keep our curmudgeonly images alive? We'd rather the user stay stupid so we can keep saying they're stupid?
Perhaps you missed a step in the
peckingbitching order. Many curmudgeons are well past
the "blame the users" game, and enjoying the playoffs where we blame our own industry. Are any of you
so naive to think that we can get all users and idiots to stop clicking
malware.exe in so-called Advanced Persistent Threats?
Quickly reaching the logical answer of "no" should in turn lead you to determine that the security industry
should be there to help save users from themselves. When our industry wallows in its own stupidity and greed
rather than innovating and showing the same drive and intelligence as the 'bad guys' we so often mock,
we fail the users. And that should bring out the curmudgeon in all of you. If it doesn't,
I submit that you simply do not care enough and should strong consider taking up employment in another sector
such as waiting tables or a customer-facing position at the DMV.
Days after his first article, Brenner released a second article on the topic titled My final word on curmudgeons. Really Brenner? Promise?!
First, this tweet from Shalini Sehkar (@0ph3lia): "I'm going to write a blog post in response to @billbrenner70 later, but right now I'm going to wallow in my RAGE." On Facebook, she continued: "It isn't me, and I know who he's talking about...but that article just made me RAGE because he has no (expletive) clue. Can't wait to write that blog post... it seems like he was calling out a LOT of people."
And there you have it, exactly my point earlier. If you are considering someone like Sehkar / 0ph3lia as a 'curmudgeon' of any sorts, you have effectively destroyed your own argument. Repeatedly citing 'rage' issues on Twitter while being in the industry for a couple of years does not qualify a person to take on such a title. You go on to say "I expect she will shred me as only she can, and that's her right." No, it isn't. You have been writing about security for 2 - 3x as long as she has been in this industry, embrace the curmudgeon you started to show in your first article and take a stand. You even say it yourself in a roundabout manner; "Am I clueless...? I don't think so, but I also know that I'm presenting this from my perspective as a journalist who has observed the security scene for a long time." Newbies don't have the right to "shred" you for stating your opinion. They certainly have the right to disagree with you, and even muster up some form of half-intelligent booze-fueled rebuttal (i.e., this page), but they don't have the right to grandstand and media whore on Twitter as if they are relevant or experienced in this industry. That isn't productive or helpful to anyone, and certainly not the curmudgeonly way.
The folks behind attrition.org (@attritionorg) weighed in, calling what I said "pathetic." That got my attention, because I love attrition.org. They express themselves in cranky fashion, but back it up with loads of great content.
We thank you for that observation and would like to point out that it goes back to our view of what a curmudgeon is. Stubborn, difficult, ill-tempered and old, we can agree. But that goes hand-in-hand with having been around the block a few times and trying to use our cloudy disposition to point out the shortcomings in our industry. When we single people out, an action on your 'bad' curmudgeon list, we go out of our way to back anything we say, sometimes through painstaking research and investigation. Lumping us in with the likes of Sehkar or other 'curmudgeons' is pathetic, thus my quick curmudgeonly reply.
Riding the wave of Brenner's article, I am going to branch off and address a broader topic that is related. Some security practitioners have a poor view of curmudgeonly (or any negative feedback) comments, suggesting they are 'bad'. This is patently absurd.
The business of penetration testing is fundamentally based on the negative. The art of code auditing is fundamentally based on the negative. The reports we write are a laundry list of negative traits of a system, program or organization. Thousands of professionals in the security industry spend 40 hours or more a week looking for the bad in things. Vulnerabilities in products, misconfigurations of servers and weaknesses in security posture are our bread and butter. Good auditors do not walk into a building thinking "I'll only highlight the good at $company!"
Despite the daily mode of operation for many professionals, the second they hit social media or conventions they immediately shelve their auditor brain. What would be cause for alarm during their day job, they gleefully ignore at night in the name of "s/he's a good person!" or "we're friends!" More insulting, when these very same people make six figures tearing down customers paying them ridiculous amounts of money are afraid to speak out against companies that sell the very same customers shoddy software based on FUD-fueled marketing that guarantee them job security in the first place. The curmudgeon's cry of "name names already!" falls on willfully deaf ears.
Like it or not, our industry needs curmudgeons. I'd agree with Brenner, that we need the 'good' curmudgeons, except his distinction between the good and bad was weak. By 'good', I mean the curmudgeons that want honesty and simplicity. The ones who refuse to buy into absurd buzzwords, FUD and companies that will say anything to make a buck. The ones who don't care about maintaining some bullshit perception of a stellar reputation at the cost of selling out their integrity.
In the past, Jayson Street directed a quote from the Dark Knight toward me; "... Some men just want to watch the world burn." An amusing and almost accurate reference, but missing a very key point. It isn't the world we want to see burn, it is the security industry, and more to the point, the cretins that plague it. Yesterday, Martin McKeay was caught up in a small scuffle with Ben Tomhave and said "... your post seemed very curmudgeonly" in a negative connotation. I took great offense to that remark too, because such a disposition of observations is one reason I particularly like McKeay and Tomhave both. Being a curmudgeon is not some mark of shame, rather it should be a badge of honor.
Without sharp criticism and singling a person or company out, this mess of warm fuzzy huggles and perceived social pressure to not speak out will continue to obscure the fundamental problems gripping our industry. The last thirty years have fully demonstrated that our current course of action isn't improving the state of security. The bad guys are getting farther and farther ahead, and the good guys are wallowing in their own circle-jerks and six figure salaries, at the expense of the very users we claim to protect. Like it or not, we need more curmudgeons. Like it or not, the few of us continually speaking out, are here to stay.
Perhaps we could channel Colonel Jessep and coin the curmudgeon's
We live in a world that has straw walls, and those straw walls have to be knocked over by curmudgeons with gutter disposition. Who's gonna do it? You? I have a greater responsibility than you could possibly fathom. You weep for Twitter drama, and you curse the curmudgeons. You have that luxury. You have the luxury of not knowing what I know. That those flames, while mean-spirited, probably educated many. And my existence, while grotesque and incomprehensible to you, educates people. You don't want the truth because deep down in places you don't talk about at con parties, you want me on Twitter, you need me on Twitter. We use words like honor, code, integrity. We use those words as the backbone of a life spent educating others. You use them as a punchline and resume fodder. I have neither the time nor the inclination to explain myself to a man who rises and sleeps under the blanket of brutal truth that I provide, and then questions the manner in which I provide it. I would rather you just said thank you, and went on your way. Otherwise, I suggest you pick up a shred of integrity, and start speaking out against those who would sully our industry. Either way, I don't give a damn what you think you are entitled to.
jericho (a.k.a. security curmudgeon)
Copyright 2011 by Brian Martin. Permission to redistribute granted for non-profit uses. Blogs or web sites
hosting content with banner ads receiving income, and therefore are profit-based ventures, do not
have permission to re-print this article in full.
This article was re-printed at http://blogs.csoonline.com/1529/an_excellent_response_from_attrition_org by Bill Brenner with permission.