Archive for December, 2009

Small Business Attack – Backhoe

December 9th, 2009 Josh

Yes, you read the headline correctly.

Several years ago, I was working as a web developer and security admin for a small development house.  We were located at one end of a nondescript building in the middle of a tiny little town.  One day I'm working and suddenly everything goes dark.

And by "everything", I mean everything. My office was the same as the server room, it was lit by a single overhead fluorescent and the glow of a few monitors and lots of little blinky lights. When the backhoe doing sewer work hit the main line, everything went dark and I was suddenly sitting in a tiny little pitch black room rapidly rediscovering my latent claustrophobia.

Luckily for me, I had a cell phone that could double as a flashlight in such a situation. I found my way to the door and met the rest of my coworkers to find out that the entire building was without power, Internet and phone. Business was at a complete standstill.

We were dead on the Internet. No one could reach us. And all of our clients were running that day's production.

What could we do?


Categories: Business Security

Security Lessons from Nature – Natalids and Stargate Universe

December 8th, 2009 Josh

So, I'm reading a book on the mammals of Costa Rica. (Why? Because it's more interesting than watching Stargate Universe, that's why. (Which says a lot about the quality of storytelling these days.)) In the chapter on bats, I ran across a mention of a natalid organ.

"That's funny...", I thought. "I've never heard of that!"

So off to the Google I go, to google about and, as it turns out, waste a good hour reading about bat taxonomy. (Which is still better than watching Stargate Universe!) Here's what I learned:

There are these bats, see, that have an organ. It's more than one species, it's in a lot of them... but no one knows what it does!

  • Discover Life reports that the cells may be sensory or secretory.
  • Novel Guide tells us that it's bell shaped and can cover the entire muzzle (though Answers.com suggests that that's not always the case).
  • Brain Museum implies that the presence of the organ may be linked to the lack of a nose leaf. (What's a nose leaf, you ask? Go research it yourself, I'm busy with natalids.)
  • Bob's Bat Cave, despite having perhaps one of the coolest names on the Internet, indicates that the organ is below the skin on the forehead, though other sites place it at the back of the muzzle. (This seems like a conflict to me, but perhaps I don't know my way around a bat's head very well.)
  • Lastly, Animal Diversity gives us the useful information that only Natalids have natalid organs. Of course, the group of bats known as natalids are defined as those bats that have natalid organs, so that information is less useful than it may initially appear.

I might have learned more, had I given J STOR $19 for the full article, but let's face it, I'm just a Stargate fan who is oddly distracted by bats, and it would be unwise to give my bad research habits free rein.

So what is all of this doing on an I.T. security blog? I haven't the faintest clue... and that's the important thing. The number one biggest threat out there isn't the mysterious Chinese hacker or the organized criminals writing malware. The most dangerous threat is that of poorly-documented legacy systems. These systems exist on every business network I've seen. They lurk in the dark corners, staring at admins and, well, doing something... I think... maybe. These systems are dangerous because:

  1. We have to keep them running.
  2. We don't know what they do.

Most people therefore, set them on the network and proceed to ignore them until they break. Maybe all they do is serve a few static web pages. Maybe, though, they process proprietary data. However, since we don't know, we can't pick an appropriate method of securing them.

We can't turn them off, because it might harm the business, just like we can't go up to random bats and remove the natalid organ. If we don't know what it does, we often can't take the risk of killing the business (or bat) by removing it to find out. (Just like we can't take the risk of not trying the new Stargate series, as they might be as awesome as SG1 (though, admittedly, history has not borne this out)).

We can look deeper into the systems and possibly get an insight ("hmm, it's kinda slimy, but it also looks like it might be a detector"). We can ask those that use it what they use it for (which might be more effective on your coworkers than it is on bats). Or, we can just name it and leave it alone ("well, it's gotta be there for a reason, right?")...

Which works until someone like me comes along and thinks "what the heck is a natalid organ?", and starts digging into the problem. Because at that point, you have to justify one of two likely scenarios:

  1. Why you kept a legacy system running and consuming resources when it serves no valid purpose to the business.
  2. Why you failed to adequately secure and plan migration paths for a business-critical system.

Really, it's probably better to find out what it does and document the thing.  Luckily, we have technologies now that allow us to record inputs and outputs and clone systems, so the process should be a lot less messy than dissecting the muzzle of a bat or figuring what on Earth the producers of Stargate Universe are thinking.
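One way to start "finding out what it does" without touching the box is to profile who talks to it, on which ports, and when. The following is an added example, not code from the original post: it reads a small constructed connection log (the one-line-per-flow format and the host 10.0.5.20 are assumptions), summarises each service the legacy host is actually serving, and compares that against a hypothetical asset register of what the business believes the host does. A port that shows up in traffic but not in the register is exactly the "natalid organ" the post is talking about.

```python
"""Profile an undocumented legacy host from connection-log lines.

Added example (not from the original post). The log format, the host
address and the asset register are all constructed assumptions. Each log
line is assumed to describe one accepted flow in the shape:
    <ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>/<proto>
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)/(?P<proto>tcp|udp)$"
)

# Constructed sample: a few days of flows to the legacy host 10.0.5.20,
# including one malformed line a real log would also contain.
SAMPLE_LOG = """\
2009-12-01T08:02:11 10.0.1.15 -> 10.0.5.20:80/tcp
2009-12-01T08:02:13 10.0.1.16 -> 10.0.5.20:80/tcp
2009-12-01T23:00:02 10.0.9.3 -> 10.0.5.20:1433/tcp
2009-12-02T23:00:01 10.0.9.3 -> 10.0.5.20:1433/tcp
2009-12-03T09:15:44 10.0.1.15 -> 10.0.5.20:80/tcp
2009-12-03T23:00:05 10.0.9.3 -> 10.0.5.20:1433/tcp
2009-12-04T12:30:00 10.0.2.7 -> 10.0.5.20:21/tcp
not a log line at all
2009-12-05T08:10:19 10.0.1.17 -> 10.0.5.20:80/tcp
"""

# Hypothetical asset register: what the business *believes* the host serves.
DOCUMENTED_SERVICES = {"10.0.5.20": {80}}


@dataclass
class ServiceProfile:
    port: int
    proto: str
    connections: int = 0
    clients: set = field(default_factory=set)      # distinct source IPs
    hours: set = field(default_factory=set)        # hours of day seen
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None


def parse_line(line):
    """Return a dict for a well-formed flow line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"], "dst": m["dst"],
        "port": int(m["port"]), "proto": m["proto"],
    }


def profile_host(log_text, host):
    """Return {(port, proto): ServiceProfile} for flows whose destination is host."""
    profiles = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] != host:
            continue  # skip malformed lines and traffic to other hosts
        key = (rec["port"], rec["proto"])
        p = profiles.setdefault(key, ServiceProfile(rec["port"], rec["proto"]))
        p.connections += 1
        p.clients.add(rec["src"])
        p.hours.add(rec["ts"].hour)
        p.first_seen = rec["ts"] if p.first_seen is None else min(p.first_seen, rec["ts"])
        p.last_seen = rec["ts"] if p.last_seen is None else max(p.last_seen, rec["ts"])
    return profiles


def classify(p):
    """Rough usage pattern, to guide who to ask about the service."""
    if p.connections >= 3 and len(p.hours) == 1 and len(p.clients) == 1:
        return "recurring from one client (batch job?)"
    if len(p.clients) > 1:
        return "multiple clients (shared service)"
    return "sporadic"


def undocumented_services(profiles, host, register):
    """Ports observed in traffic but absent from the asset register."""
    known = register.get(host, set())
    return sorted(port for (port, _) in profiles if port not in known)


def describe(profiles):
    return [
        f"{port}/{proto}: {p.connections} flows from {len(p.clients)} client(s), "
        f"{p.first_seen:%Y-%m-%d} to {p.last_seen:%Y-%m-%d}, {classify(p)}"
        for (port, proto), p in sorted(profiles.items())
    ]


if __name__ == "__main__":
    prof = profile_host(SAMPLE_LOG, "10.0.5.20")
    print("\n".join(describe(prof)))
    print("undocumented:", undocumented_services(prof, "10.0.5.20", DOCUMENTED_SERVICES))
```

Run against the constructed sample, the host turns out to serve three things, not one: the documented web service, a database port hit nightly at 23:00 by a single client (which smells like a scheduled job someone should be asked about), and a lone FTP connection. The last two are the ones that need an owner and a line in the register before anyone decides whether the box can be hardened, migrated or switched off.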


Categories: Natural History

Mythic Monday – Love and Creation

December 7th, 2009 Josh

There is a Persian creation story that goes much the same way as the usual creation myth. First, there was nothing, then there was a god (Ohrmazd). The god made stuff and then people. Then the people screwed up.

People screwing up is really a common theme in myth, when you think about it.  Maybe that says something about life?

In this case, though, the type of the screwup is a bit different. There's nothing here about wanting to be the equal of the gods, disobeying orders or even just desiring to be more than they are. Instead, the people wind up having children (a popular activity). Then, since they can't bear to be separated from their kids, they eat them.

Ohrmazd the creator god is understandably surprised at this turn of events. What's interesting is the solution. Knowing that the people just love too greatly, he reduced their love by 99%.

(As an aside, it's worth noting that the Persians did a lot of interesting mathematical exploration and that this is the only myth I know of that uses numbers like this instead of something like "reduced their love as if love were water in the cap of an acorn, and when emptied, the moisture that remained was as the love that remained within the man and the woman". Are the two related? I don't know, but it's interesting.)

With the amount of love they could feel reduced, the people were able to have children and let them live long enough to have children of their own. Thus did humanity prosper.

Now, in the original, this was but a small piece of the story of creation (which also involved a devil and a bull, much conflict and blood and all the fun stuff you find in creation myths). However, for our purposes, it is enough.

There is a lot of talk in the business community these days about the power of love. I have no doubt that there is something there. If you love what you do, you can do it without feeling the burden. You can more easily justify risks and you can share the load by letting your love inspire others. However, there is a dark side.

The same love that makes it easy to get started on a project is what makes it hard to stop. Love can get you through the boring 20% of the work that takes 80% of the time. However, it's not so good at allowing you to stop when you get to 100% complete. I've seen projects that fail because the quest for perfection goes too far. I've seen businesses falter and fail because the founder loves it too much to allow it to change.

That form of love is stifling, and while it's becoming more acceptable to recognize the harms of excessive love within personal relationships, it's still not well considered within the business world.

This is the sort of emotion that makes security practitioners secure things for the sake of their being secure... they've fallen in love with the idea of "security" instead of "protection". There are many ways to protect an asset. Keeping out the bad guys is but one.

It's a tough balance, I know. We have to love enough to keep us going in the face of incredibly difficult odds and constantly changing threats, but then, once a project is complete, reduce our love by 99% and allow our project to continue on without meddling with it and destroying it in the process.

While learning to let go is difficult and messy, if we're lucky, we can do it without the massive quantities of blood and death that the Persians seem to have required.


Categories: Mythology