Sunday, October 5, 2014

When patience is not a virtue

Patience is a virtue. Indiscriminate application of patience is not.

When waiting for an egg to hatch, patience is our friend. Trying to get the chicken (or the lizard) out early isn't going to avail us much. On the other hand, watching a customer service agent go through our case in slow motion is definitely not a fit case for patience.

As processes and personal risk-avoidance become dominant, poor service and undue delays have become an epidemic not only in the government but also in the private sector. References to “process poison” and “process anesthesia” are not exceptions any more. Process-designers, instead of focusing on the service quality or timely outcome, quite often seem to emphasize due diligence and checks-and-balances, much to the delight of the auditors instead of customers.

People and their attitudes are important too. Having a stake in the outcome helps. Well-motivated individuals can delight customers despite process hurdles. Those who don't care routinely take shelter in inane provisions despite well-designed processes.

That brings up two questions:

What if we teach discretion and application of thought to our children? That'll make them ask tough, uncomfortable questions. It would still be worth the trouble in the long run.

What if we reject patience as a virtue? It will need some discretion. It will be harder to do when we have something to lose; or when we need to get on with other things, but it will make a huge difference. Even the simple act of letting someone know that their behaviour is not acceptable will trigger a natural human behavioural change. Not everyone has a vested interest in tormenting us; those people will surely change for the better.

But then, can we overcome the other virtues we are taught alongside patience, such as unquestioning obedience?

Saturday, January 4, 2014

OWASP and the RSA Conference 2014

Much has happened since. After a lot of discussion, the OWASP Board voted to cancel their co-marketing agreement with RSA for RSA 2014. They also voted to deliver training and a talk at the conference, if permitted to do so.

While my disagreements with the underlying arguments remain, I must admit I am a much bigger fan of OWASP's style of functioning than I was. To put it mildly, I had grossly misunderstood OWASP's openness. In retrospect, I wouldn't use the same strong words as I did, if I were to do it now.

To preserve what was, and the nature of my misunderstanding, I'm leaving the post below as is. Instead of messing with it here, I'll write a separate post on the developments.

The OWASP Board apparently decided to participate in RSAC 2014 by way of offering a 4-hour free-of-cost AppSec training. Apparently "developers' benefit won out".

Here is a twitter conversation on this topic:

This was an opportunity for the world's most influential and inspirational AppSec organization to take a principled stand that:

  1. the industry will not stand by and watch the foundations of trust and technology be eroded by patently malicious intent (such as that of subverting crypto products and standards); and
  2. the industry will not stand for unwarranted universal surveillance using national interest and anti-terrorism as flimsy excuses.
However, the wise old men/women of the board have chosen not to take the high road. They didn't say, "what's a few developers' one lost opportunity when the whole world is reeling?". They didn't say, "this will only encourage other pillagers of infosec public trust, assuring them that OWASP and others will find glib rationalizations to look the other way while they earn a few bucks on the side".

In short, they copped out. [edit: I was under the impression that the decision was made, done, closed. However, in a welcome development, the matter has been re-opened for wider discussion within OWASP. I will update this post when the status changes.]

Update: The OWASP email discussion on this topic is available at:

Relevant blog post: Robert Graham's Why we have to boycott RSA

I've never been invited there as a speaker. My protest and opinion may neither dent RSAC nor OWASP. Yet, I believe it is important for me and other like-minded people to clearly say NO.

As a first step, I've offered (to my co-leads) to step down from the local OWASP Chapter leadership, unless the situation changes. It is a sad day for me, as I worked hard to establish this chapter only recently. We are doing a very important public service. The principles of open community and open source are as dear to me as the InfoSec profession. Yet, I don't believe I can compromise and tell RSA or OWASP that "it's okay".

At this time, I haven't considered any other possible action. I'm looking out for more though.