Josh More – Starmind Blog

According to Aztec myth, after the previous inhabitants of the Earth had been turned into fish, the gods wanted to make more people.  Now, one would rationally expect that if the gods liked people so much, they wouldn't have flooded the Earth in the first place and turned all the previous people into fish, but the Mesoamerican myths don't seem to be much for rationality and forethought.

Anyway, to create the people, the gods need the magical bones where were guarded by the Lord of Death. After a fairly typical quest followed by a challenge and the reneging by the Lord of Death on the deal, the hero carrying the bag of bones fell to the bottom of a pit and the bones were broken. That, of course, is why the people come in a variety of shapes and sizes.

Of course, we are quite lucky that the Aztec hero was such a klutz. The numerous variations in humanity have rendered us resistant to various plagues. (Technically, this is only partly true as there is evidence that humans are more genetically identical than most animals (except for cheetahs), but we're ignoring that here.) The more variation there is in a genome, the greater the resistance to threats. Though similar concern has been raised about the ongoing homogenization of our food supply and how it renders us vulnerable to threats. this blog is about I.T. and business security.

For quite some time, I have been arguing against homogenization within certain businesses. The current practice of having all systems identical makes things very easy to manage. It makes it easy for auditors to verify that proper security standards are in place. It also can tie into automatic patching plans and keep everything up to date. However, it means that every person in the organization has adapt themselves to the same software and that if an attacker manages to get into one system, they can march right into every other one.

Like all things, using system images is a tradeoff. It seems that many organizations implement imaging just because it's best practice. Sure it solves some problems, but any change also creates others. Often, an imaging project identifies numerous applications to drop out of the environment. This is great for general security, as it reduces attack surface, but often many of these are there because they make the business more effective.

Given that the whole point of "the computer revolution" was that we are now able to adapt technology to our lives are very small levels. It seems like questionable logic to take devices that are capable of enhancing individual abilities and compensating for individual flaws and turn them all into identical machines and then force people to match them. Richard Bejtlich gets into this in more depth over in his post Let a Hundred Flowers Blossom.

My point isn't that imaging is bad. In some environments, it's a necessity. (Mostly regulated environments or those lacking a technically-skilled workforce who can select the appropriate applications to enhance their productivity.) It just shouldn't be a goal without consideration of the total business impact.

After all, people are all different. If the technology is all the same, it obviously won't work as well for some people than it will for others. The question to ask is whether the benefit of uniformity outweighs the cost of productivity.

Related posts

• Mythic Monday – Love and Creation (0)

There is a Persian creation story that goes much the same way as the usual creation myth. First, there was nothing, then there was a god (Ohrmazd). The god made stuff and then people. Then the people screwed up.

People screwing up is really a common theme in myth, when you think about it.  Maybe that says something about life?

In this case, though, the type of the screwup is a bit different. There's nothing here about wanting to the equal of the gods, disobeying orders or even just desiring to be more than they are.  Instead, the people wind up having children (a popular activity). Then since they can't bear to be separated from their kids, they eat them.

Ohrmazd the creator god is understandably surprised at this turn of events. What's interesting is the solution. Knowing that the people just love too greatly, he reduced their love by 99%.

(As an aside, it's worth noting that the Persians did a lot of interesting mathematical exploration and that this is the only myth I know of that uses numbers like this instead of something like "reduced their love as if love were water in the cap of an acorn, and when emptied, the moisture that remained was as the love that remained within the man the woman". Are the two related? I don't know, but it's interesting.)

With the amount of love they could feel, reduced, the people were able to have children and let them live long enough to have children of their own. Thus, did humanity prosper.

Now, in the original, this was but a small piece of the story of creation (which also involved a devil and a bull, much conflict and blood and all the fun stuff you find in creation myths). However, for our purposes, it is enough.

There is a lot of talk in the business community these days about the power of love. I have no doubt that there is something there. If you love what you do, you can do it without feeling the burden. You can more easily justify risks and you can share the load by letting your love inspire others. However, there is a dark side.

The same love that makes it easy to get started on a project is what makes it hard to stop. Love can get you through the boring 20% of the work that takes 80% of the time. However, it's not so good at allowing you to stop when you get to 100% complete. I've seen projects that fail because the quest for perfection goes too far. I've seen businesses falter and fail because the founder loves it too much to allow it to change.

That form of love is stifling, and while it's becoming more acceptable to recognize the harms of excessive love within personal relationships, it's still not well considered within the business world.

This is the sort of emotion that makes security practitioners secure things for the sake of their being secure... they've fallen in love with the idea of "security" instead of "protection". There are many ways to protect an asset. Keeping out the bad guys is but one.

It's a tough balance, I know. We have to love enough to keep us going in the face of incredibly difficult odds and constantly changing threats, but then, once a project is complete, reduce our love by 99% and allow our project to continue on without meddling with it and destroying it in the process.

While learning to let go is difficult and messy, if we're lucky, we can do it without the massive quantities of blood and death that the Persians seem to have required.

Related posts

• Mythic Monday – The Creation of the Aztec People (0)