Thursday, May 24, 2007

Finish The Job

I'm a big fan of Tom Clancy type spy thriller novels. I just read a book which reminds me of these, and which Clancy himself called "A spy story for the 90's -- and it's all true." The book is called The Cuckoo's Egg by Cliff Stoll. I won't give away any spoilers here, but you can read the collective summary if you want to know what happens.

This is a classic story of what happens when you see something out of place and instead of just fixing the problem you really investigate. You start digging and pretty soon you find that there are dozens of things that need to be reworked, and dozens more that need to be done and done right. With no funding for a project, it can be damn near impossible to carve the time out of your paying job to do them, so most go undone. In his book, Cliff doesn't let his main issues fall to the wayside, he sticks with them and sees that things get done as well as they can be.

While the book is nearly 20 years old, the lessons it teaches are true today. Cliff has to overcome sloppy practices, a determined and perseverant adversary, invasion of his personal life, lack of support from those he is trying to help, etc. And in the end, he is essentially unrewarded for his efforts. These are problems that security professionals -- and many others -- face every day. But Cliff won't back down or give up, he is able to look at the problem as an opportunity to learn and explore. His reward comes from the joy of discovery, from seeing the problem to its conclusion, and making connections with people in the same situation.

It's easy to respect and admire someone like this, but it's not as easy to become them ourselves. It is much easier to push things off to another day or let things drop by the wayside as we hurtle along through life. But I think that one of the things that makes me happiest is when I pursue the things that Cliff did: truth, discovery, and resolution. It also tends to make the products of my work better because we care about what I am doing, not just trying to get it done so I can move on to something else.

It's hard to be enthusiastic about every aspect of we all do for a living. In fact, if we really enjoy doing something and decide to make money from it, we will soon find that we enjoy it less. But what would it take to do every task like we enjoyed it? Probably not that much more effort than we already put into it. That could be changing the duty enough to make it more interesting, like turning it into a game. Or it could mean trying to learn all you can from theories to history to other techniques. Or it might just mean that you embrace the unembraceable and focus on being as good as you can.

But you've got to find some way to persevere through the difficult jobs to get to the end. In Information Security, it is absolutely essential to do things right and see them through to completion. It is like that in many other fields and aspects of our lives. If you give up or half-ass it at any point, it diminishes the results of your labor. But working hard through every step gives a great feeling of accomplishment and self-esteem as well as makes for a better end result.

Tuesday, May 22, 2007

Simplify, Simplify, Simplify

I am back from my recent hiatus and have finally gotten caught up enough to write a couple of lines here. While on trips, it always becomes obvious how much better a simple solution is when compared with a complicated one. For example, when trying to backup images from a camera. It was a hassle to try to get them onto the computer then to a jump drive or a flickr.com account.

A much easier solution would be to use a device to dump the pictures directly to an iPod. The Apple iPod Camera Connector is the descriptively named device made by Apple to do the job. It works pretty well, too. It will even move RAW photos, though the iPod can't display them. This helped out greatly since my friend had dozens of gigs worth of these large photos and no way to store them to make room for more. While this certainly wasn't the simplest solution, it worked well and stayed within our budget.

With simple solutions, it is easy to see their flaws and compensate. The problems which can occur in a system increase exponentially with complexity. In other words, the more things that are involved, the more likely something is to go wrong and the more difficult they will be to solve. When giving directions to my house, I usually give them a route with very few turns. Because the directions are simple, they can be more precise and are easier to follow.

Also, the more difficult and complex something is to use, the less likely people are to use it. To stay with the example above, I drive a very simple route home from work every day. I could probably shave 5-10% off my trip time by taking alternate routes depending on conditions and using back streets rather than the main ones. However, this adds stress to my drive and introduces frustrations. Using the most direct route, I can sit back and relax on my drive, focusing instead on my music or on what I'll do with my free time.

Reducing the complexity of a system usually increases its security (or decreases its likelihood of failure). If a process requires four easy steps, it is much more likely to be followed closely than a similar process which requires several times more steps. In automated systems, more steps means that there are more places to troubleshoot when a problem arises. More worrisome, the more likely a single step is to fail silently and/or catastrophically.

So KISS! That Wikipedia link can elaborate for you if you are interested, but repeating what others have written is not keeping it simple. I'd hate to multiply entities beyond necessity, so I'll quit while I'm ahead.