Wednesday, October 3, 2012

Are Silicon Valley "campuses" the 21st century version of coal mining company towns?

I was reading a recent article about the new Facebook "campus" that is being built in Menlo Park at the old Sun Microsystems facility. It's on 57 acres with an additional 22 adjacent acres set aside for more expansion. Later in the article, it mentions a Facebook official saying they "envisioned a long courtyard at the heart of the cluster of buildings being turned into a play on a European street scene where workers could exchange ideas in an outdoor social scene."

I have some friends and former students who are working for other Silicon Valley companies with similar "campuses". They tell me they love it because they have housing, laundry facilities, dining halls, some stores all on campus. They tell me they don't need a car because everything they need is right there. A couple of them said it was like being in college. Of course, I always ask them about salaries and they were predictably decent salaries. A few of them said they were taking salary cuts in lieu of stock options. I started to get a funny feeling about that but couldn't quite put my finger on what was bothering me.

A couple of weeks ago, I was watching one of my favorite movies, "Matewan", which tells the tale of a struggle between WV coal miners and the local coal mining company. The struggle resulted in a shootout that became known as the Matewan Massacre. Now, my reason for liking the movie is that a bunch of my musician friends are featured in the movie. Anyway, while I was watching the movie, it suddenly hit me why I felt a little uneasy when I was talking with my former students about their jobs in the Silicon Valley campuses.

If you look at the history of coal mining towns, you find that everything in the town was owned by the company. Miners were paid in scrip and a portion of their salary was deducted for living expenses. You paid for items in the company stores with scrip. Basically, you paid for everything in scrip.

The Facebook article got me thinking about the parallels between the Silicon Valley campuses and the coal mining company towns of the early 20th century. Here are some parallels that occurred to me:

  1. All "living" services - housing, food, laundry, schools, transportation, entertainment, employment - provided and owned by the company.
  2. Coal company "scrip" = 21st century stock options. Stock options can't buy me a car :-).
  3. Miners/workers aren't encouraged to leave the town/campus. Companies want them to stay on campus and work more than the traditional 40 hour week.

You could probably find more parallels, but these are just a few that came to me.
I hope this "campus" model of employment doesn't lead to abuses such as those that happened in our history.
Monday, April 9, 2012

A Cyber Security Industrial Complex?

Dwight Eisenhower is one of my heroes. Yep, I said it right here and now. His speech on the military-industrial complex is only now being appreciated. It was done 50 years ago and is still relevant today. Why am I bringing this up and what does this have to do with cybersecurity?

I did a SANS Lightning talk this past month and when I was researching material for the talk, I stumbled across some reference material from 2001 called "Top 10 Security Mistakes" (http://www.computerworld.com/s/article/61986/Top_10_Security_Mistakes). They were:

1. The not-so-subtle Post-it Note.
2. We know better than you.
3. Leaving the machine on, unattended
4. Opening e-mail attachments (remember the Love Bug virus?) from mere acquaintances or even strangers.
5. Poor password selection.
6. Loose lips sink ships.
7. Laptops have legs.
8. Poorly enforced security policies.
9. Failing to consider the staff.
10. Being slow to update security information.

Take a look at this list and tell me which of these mistakes we have eliminated in the past 10 years. If you come up with an answer of "none", then the follow-up question would be "what have we been doing these past 10 years?".

I found another slide from a 2002 presentation I did where I made the following statement:

"Viruses, trojans, rootkits will never be eliminated because we've created a multi-billion dollar industry to combat them. If we eliminate the root causes of cyber attacks, we eliminate a multi-billion dollar industry." I believe there's no economic incentive to eliminate these root causes. Or to put it another way, there is a strong economic incentive to NOT eliminate the root causes of cybersecurity attacks.

Now, mind you, I've been an active part of the Cyber Security "industry" for the past 20 years. I helped write the original SANS/FBI Top 10 Internet Threats document back in 2000. Part of my job is to measure the effectiveness of our defense strategies. If I use this 2001 list to examine our effectiveness industry wide, I think that while we've made some progress, we (the collective we) have failed miserably.

Alan Paller talked about the 4 quadrants of cybersecurity: Academic Security Researchers; Hunters/Tool Builders; Operators/testers who monitor IPS, IDS and pentest tools; and Audit/Policy/Compliance workers. The largest of these quadrants is the Audit/Policy/Compliance group, which seems a little backward to me. We're focusing on compliance instead of actually fixing the problem. We need to train and develop more people in the Hunter/Tool Builder category so that we have a chance at fixing the root causes of cyber attacks, one of which is insecure code.

And so we come back to President Eisenhower's speech. We're seeing the militarization of cyberdefense. Defense contractors who used to specialize in tanks, helicopters, jets, advanced weaponry are retooling to become cybersecurity "experts". We're seeing a lot of money being spent to defend/monitor instead of fixing the root causes.

Are there parallels between the complex of the 60's and the "complex" of the 201x's? Take a look at a recent NPR article on Eisenhower's speech and see if you can draw the parallels. It's at http://www.npr.org/2011/01/17/132942244/ikes-warning-of-military-expansion-50-years-later.

More on this later...