Archive for 2015

Fear itself: Thinking through change and turmoil

Fair warning: this is going to be a controversial post, and it might be considered a bit “off topic.”

Maybe it’s just the time of year for fear. Or maybe it’s several conversations I’ve been involved in recently. Or maybe it’s the result of following over 150 blogs on a daily basis covering everything from religion to politics to technology to philosophy. Whatever it is, there’s one thing I’ve noticed recently.

We’re really afraid.

I don’t mean “concerned about what the future might hold,” but rather — it seems, at least sometimes — sinking into a state of fear bordering on the irrational. Sometimes it feels like the entire world is one long troubleshooting session in the worst designed network I’ve ever encountered. Let me turn to a few completely different areas to illustrate my point. Some of these are going to make people mad, so hold on to your hats — and hear me out before you jump all over me or shut down.

We’re afraid of what the future might hold for us as engineers and as people. Maybe this entire software defined thing is going to destroy my entire career. Maybe I’ll end up like a buggy whip maker a few years after the first car was built. Maybe the entire world is going to sink under the oceans as they rise due to man made global warming. Maybe we’re all going to be replaced by robots, leaving none of us anything to do for a living at all. Maybe we’re all going to eat GMO foods and die. Maybe I don’t have the right certifications, or maybe I have too many certifications. Maybe cell phones are going to give us all cancer.

Or maybe, just maybe, we’ve come too close to perfecting fear as the ideal motivator for selling just about everything from things to training to politics. Maybe the noise level has gotten so high that we won’t listen until it’s an existential crisis right now. Maybe we’re rushing from crisis to crisis like a boat out in a huge storm trying to stay above water and forgetting to ask where it is we’re going — which port we actually should call home.

Maybe it’s time to reassess, to find some strategy that will help us cope with all this information and all this fear. Some thoughts to that end.

First, ask what claim is actually being made. This might be painful, but learn logical syllogisms, and make it a habit to turn enthymemes into a proper syllogistic form so you can actually evaluate the claim. We’re too fast to accept straw men, too quick to dismiss with a casual wave of the hand, an appropriate bit of snark, and a quick dose of name calling. We’re too slow to listen and spend time really trying to understand. We’ve sown a world of 140 character snippets, and we’re reaping a whirlwind of thoughtlessness.

Second, ask what supports the claim. I don’t mean who supports the claim or why they support it. Stop asking about feelings and motives. Start asking about facts.

Third, ask why you might have any reason to doubt the claim. Intentionally fight against your confirmation bias and seek out the most credible sources you can find that disagree with the claim. Read them carefully, intentionally, and as honestly as you can.

Okay, you’ve done all of this, and you believe the claim is correct. Now is the time to jump to action, right? Wrong. In fact, the hard work has just begun.

First, ask what it is you can actually do about it. Second, find the tradeoffs, including who pays and how.

The climate of fear we live in particularly shuts down our ability to think about tradeoffs. When we’re afraid, we move to “there is no tradeoff,” “we need to do something about this,” and “anyone who disagrees is a moral monster” far too quickly. Engineers should know from long experience with real world systems there are always tradeoffs. If you’ve not found them, then you’re not looking — and if you’re not looking, then you’re not really engaged in thinking.

Let me try to take a personal example here. “What happens if my job ends tomorrow, because the technology I know goes away?” Well, you could run around like a turkey the day before Thanksgiving. I don’t know how useful that’s going to be, but it’s certainly entertaining, and, in some ways, actually satisfying.

Or you could process the question, ask if it’s true (it probably is on some level all the time), think about what you can do about it, and then focus on finding the tradeoffs so you can make a rational set of decisions about what actions to take in response. Maybe you should make it a practice to learn new skills on a regular basis? “But what if I bet wrong, and learn the wrong skills?” How is that better than not betting at all? Learning is, itself, a skill that takes regular practice.

We need to use the same process across the board. Before we casually cast aside anyone’s rights (or responsibilities) in the name of creating a “safer world,” before we radically alter our entire way of life to solve the fifteenth world crisis that has a celebrity “do something now” video attached, before we all collapse in despair at the collapse of our world and our careers, we need to make certain we ask the questions — what does this really mean, what are the facts supporting it, why should I doubt it, what can I really do about it, and what are the tradeoffs?

I don’t want to get into a long, drawn out, political discussion. That’s not what this blog is about. I’m not trying to make a political point, but rather a thinking point. Fear makes us treat one another like objects when we really need to listen to one another as people. We really need to learn to get past the fear our world seems to be drowning in. There are things we should rationally be afraid of. But there is also a sense in which fear removes our capacity to react rationally, and hence makes our nightmares into reality.

Why aren’t you teaching?

There is an old saw about teaching and teachers: “Those who can, do. Those who can’t, teach.” This seems to be a widely believed thought in the engineering world (though perhaps less in the network engineering world than many other parts of engineering) — but is it true? In fact, to go farther, does this type of thinking actually discourage individual engineers teaching, or training, in a more formal way in the networking world? Let me give you my experience.

What I’ve discovered across the years is something slightly different: if you can’t explain it to someone else in a way they can understand it, then you don’t really know it. There are few ways to put this into practice in the real world better than intentionally taking on the task of teaching others what you know. In fact, I’ve probably learned much more in the process of preparing to teach than I ever have in “just doing.” There is something about spending the time in thinking through how to explain something in a number of different ways that encourages understanding. To put it in other terms, teaching makes you really think about how something works.

Don’t get me wrong here — engineers shouldn’t lose their focus on doing. But we need to learn to blend doing with understanding in a way that we’ve not done well with up until now. We’ve often been so focused on the what that we forget about the why.

Given that one excellent way to develop the thinking skills, to exercise our why skills as well as our what skills, is to teach, why aren’t you teaching?

Is it that you don’t think you have the skills to teach? Is it that you don’t think you have the opportunity? Is it that you don’t think you have the knowledge?

All of these are excuses, rather than real reasons. You can always take the time to put together a basic course in networking for the people in your company. In fact, maybe the reason they don’t really understand your job is because you never explain the technology you work on. You can always take the time to teach your peers, or even the junior engineers on your team, or another team. There are local high schools that could use your time in the classroom teaching networking technology. Where else are new network engineers coming from, after all?

I’m also not saying you shouldn’t rely on professional education — after all, I still want you to buy my books. 🙂 But there’s something about building and giving a class that teaches things you just can’t learn many other places.

So — let me ask again — why aren’t you teaching?

Innovation and the Internet

Industries mature, of course. That they do so shouldn’t be surprising to anyone who’s watched the world for very long. The question is — do they mature in a way that places a few players at the “top,” leaving the rest to innovate along the edges? Or do they leave broad swaths of open space in which many players can compete and innovate? Through most of human history, the answer has been the first: industries, in the modern age, tend to ossify into a form where a few small players control most of the market, leaving the smaller players to innovate along the edges. When the major impetus in building a new company is to “get bought,” and the most common way for larger companies to innovate is by buying smaller companies (or doing “spin ins”), then you’ve reached a general point of stability that isn’t likely to change much.

Is the networking industry entering this “innovation free zone?” Or will the networking industry always be a market with more churn, and more innovation? There are signs in both directions.

For instance, there’s the idea that once technology reaches a certain level of capability, there’s just no reason for any further forward motion. Fifty years ago, if you would have asked people what airplanes could do, and what they would look like, you would have gotten some wild feedback. Today, ask the same question, and you’ll likely get the same wild ideas. Things haven’t changed much in air travel (other than reductions in the amount of space in the cattle cars, it seems) because we’ve reached the point where new advances don’t bring much in the way of new benefits.

Another instance: there is a growing group of “old” companies with a lot of money, and they’re turning that money into political power. The one sure way to ensure stagnation is to get the government involved. A case in point here is LTE-U, which bids fair to turn the last mile upside down. It seems a number of large companies are using their lobbying mojo to make certain older carriers aren’t allowed to use unlicensed space. A lot of top flight engineers don’t seem to agree on the overall impact of allowing AT&T, for instance, to expand their wireless network on WiFi frequencies; much of the argument at the moment seems to come down to the political, rather than the engineering aspects of the problem. When lobbying takes over engineering, it’s a sure sign the industry is moving into an ossified state. Robotics are the new and exciting thing now; the Internet seems like a “given.”

On the other hand, routing is more interesting right now than it has been in a long time. Software Defined and cloud are taking over the world, it seems (though a few of us do try to inject a bit of sanity into the news stream every now and then). Over the top services, like SD-WAN, seem to be creating new value in spaces long thought completely ossified. In a somewhat virtual world (hardware still counts, but the intelligence tends to move into the overlay), there isn’t any apparent point at which you can say, “we’re done with this, let’s move to the next thing.”

It seems, to me, that we’re on a bit of a cusp, a turning point. Which way the industry goes depends, in some part, on the way the larger players go. Will they continue to turn to the government, using political muscle to solidify revenue streams? Or will they turn back to real innovation?

Let’s not lose sight of the role each of us, as individual network engineers, plays in the path from this point forward — the choice between the safe vendor bet, and innovating even on a small scale, played out over the thousands of networks in the world, can make a huge difference. We tend to divide the world into small networks with boring problems and large networks with interesting problems. This is a false dichotomy — interesting problems are interesting problems, no matter what the network size. Interested people make for interesting solutions, and in turn, interesting innovation.

We need to realize that no matter how small it seems, we’re at a point where the small decisions, en masse, will make a big difference. What decisions will you make today?

Assuming the worst is not the best assumption

It was too bad to be true, but I should have known that assuming the worst was not the best assumption. I was driving the “other” car, the Saab, on the way back from the METNAV shop around eight in the morning. Since the shop was located in the middle of the three runways, this meant I had to drive across the 18 taxiway, along the white lines painted between the C-141’s, C-130’s, KC-10’s, F-4’s, and sometimes other odds and ends, and then past the Tower, off the flightline, and onto the “surface streets.” As I was coming off a call at around three in the morning, I wasn’t in uniform. For some reason, I hadn’t driven my normal car — a white Jeep — so the folks in the Tower certainly wouldn’t recognize me.

So when the SP flipped his lights on and pulled in behind me, I was worried. Just as the lights came on, I remembered something really important: I had forgotten to put my sticker on the car. You see, to drive on the flightline, you had to have a sticker on your car. There were various colors for the different areas you could gain access to; mine was red, which meant I had access to everything on the flightline other than the red zone and hot spot. But here I was at eight in the morning, after spending five hours putting the glideslope back on the air for the morning’s landing runs, in a plain pair of jeans, a ratty T-Shirt, without a shower, electronics junk and tools strewn in the back seat of the Saab, and no sticker.

As an aside, I’d encountered the SP’s before on the flightline. Several times, in fact. I was once pushed to the ground face first because I’d accidentally crossed the red line. One night a friend and I walked out of the shelter at the localizer to find ourselves staring down the barrels of at least a dozen M16’s. It seems there was a shift change while we were inside working on something, and the outgoing duty officer had forgotten to brief in the oncoming duty officer. Not a happy memory.

Needless to say, then, I was assuming the worst.

I stopped (there is no place to “pull over” on a flightline), rolled down the window, and waited. The officer walked up to the car, took a look at the back seat, took a look at me, and said, “I just wanted you to know your lights are on. Don’t forget when you park to turn them off. I wouldn’t want you to have to call a tow truck because of a failed battery.” With that, he turned, went back to his car, and drove off.

I’m glad he didn’t give me time to go through all my excuses. On reflection, it would have only made it worse. Of course I had my military ID handy, but just having an ID doesn’t help you if you’re on the flightline without authorization. In fact, it might just make things worse.

Thinking back through my life, I can recall a lot of times that I’ve made things a lot worse by assuming the worst — by making the worst assumption my first, and best, assumption. By assuming the worst about a situation (and about people), I’ve probably made a lot of things a lot worse than they ever needed to be.

Don’t do this.

What I learned that morning, even though my head was foggy, even though I was tired, and even though I had a few hours of paperwork staring me in the face, is this: don’t assume you’re being stopped for doing something wrong. You should allow each person who enters your life at least a neutral frame of reference, if not a positive one. In a court of law, you’re guilty until proven innocent. In real life, if you treat everyone as if they’re guilty, you’re going to make them all act like they’re guilty.

Sometimes someone just wants to tell you that you left your lights on.

Personal Integrity

There is, on a daily basis, a choice you must make as a geek, as someone who is involved in technology — particularly in the world of computer networking. The choice we always face, every one of us, is whether to champion a particular product or service, or to champion solving the problem at hand. Between doing what’s best for a vendor — or even harder, what’s best for our career — or doing what’s best for our customer (whoever that customer might be). In other words, what to do with our personal integrity.

I know it’s hard, when you’re working for a vendor, not to just throw yourself into a product to the point of seeing it as the hammer that solves every problem, whether a nail or not. I know it’s hard, when you work for a smaller company, or in what feels like a “side alley” of our little industry (what Ethan calls a “mud puddle”) not to try to throw yourself at being famous, or warping the direction of the company so you can learn something new. I once worked on an account where I’d been asked to come in and help them switch from EIGRP to IS-IS. Not because there were any problems, but because they were working on their CCIE’s, and wanted to learn a second protocol. Seriously.

Once you’re seen as doing things in a self-serving way, once you’re seen as being self-centered, self focused, or just plain selfish, it’s hard to shake loose of it. In fact, it’s hard not to slide down the slope of selfishness into the pit below, into a world where personal integrity is completely lost. I know it’s a battle we all fight every day — I’m not a progressive who thinks I can perfect myself (or humanity) if I just have the right motives and techniques.

But I also know it’s a battle worth fighting for, for one simple reason —

If there’s one thing it’s really hard to get back once you’ve lost it, it’s your personal integrity.

I’ve been kicked out of accounts a number of times in my career because I wouldn’t “toe the company line.” I’ve been frozen out of projects because I refused to back down on asking hard questions I thought really needed to be asked. Often it felt like, at the time, the “end of the line.” Several times I really thought it was going to end my career. But you know what? It didn’t. And, honestly, even if keeping my personal integrity intact did end my career, would my career have been worth it? Would yours?

Remember this: we live in a connected world. To go to the post that kicked off my musings in this area —

This doesn’t look like Powerpoint anymore Toto. This is especially important as people speak. Our world is connected more than ever. Both digitally and within geographies. I work in Melbourne, Australia and the IT market is connected. Socially people are cross pollinated. If you say you can do something you better deliver otherwise people will hear about it. Your technical reputation would take a hit. This also has an impact on your career. Career is an interesting point. You’re your career. Your career is far more important than any one technology or solutions. via network inferno

Anonymity isn’t a bug

Despite the bad rap it sometimes gets, anonymity – and anonymity technology – is used all the time by everyday people. Think about it: just walking in a park without being recorded or observed or “going off the grid” are common examples of people seeking to disconnect their identity from their activities. via the Center for Democracy and Technology

The problem with anonymity and the modern Internet is we tend to think of being anonymous as either “on” or “off” all the time. The only real reason we can think of to want to be anonymous is to do something evil, to hurt someone, to steal something, or to do something else considered anti-social or wrong.

But there’s a problem with this thinking — it’s much like pitting “the rich” against “the poor,” or any other time bound classification. There are times when I want to be anonymous, and there are times when I don’t care. It’s not a matter of doing that which is nefarious. It’s more about expressing opinions you know people won’t agree with, but which the expression of could cause you material harm, or about being able to investigate something without telling anyone about the situation. For instance, suppose someone you love has a dread disease — is it right to violate their privacy by searching for information about the disease on the ‘web? And yet how can you hope to prevent anyone with access to the data about your browsing and your network of friends from drawing a conclusion based on actions taken? In some places (like college campuses in the US, for instance), it will kill your career to hold certain opinions or beliefs (conservative Christianity in general, for instance). Should people not be able to express their opinions in a way that protects them from the harm of the “twitter storm?” Or what if you move into a house only to find it’s horribly built — if you tell anyone in a way that allows you to be identified, you’ve just lost the value of the house. On the other hand, if you don’t tell anyone at all, you’re letting the builder off the hook.

While privacy can certainly be used to cover a multitude of crimes, it is also necessary to being fully human in any way that really counts.

Castle versus Cannon: It’s time to rethink security

In case you’re confused about the modern state of security, let me give you a short lesson.

Your network is pictured to the left. When I first started working on networks in the USAF we were just starting to build well designed DMZs, sort of a gate system for the modern network. “Firewalls” (a term I’m coming to dislike immensely), guard routers, VPN concentrators, and other systems were designed to keep your network from being “penetrated.” Standing at the front gate you’ll find a few folks wearing armor and carrying swords, responsible for letting only the right people inside the walls — policies, and perhaps even an IDS or two.

The world lived with castles for a long time — thousands of years, to be precise. In fact, the pride of the Roman Legion really wasn’t the short sword and battle formation, it was their ability to work in concrete. Certainly they had swords, but they could also build roads and walls, as evidenced by the Roman style fortifications dotting the entire world.

But we don’t live inside concrete walls any longer. Instead, our armies today move on small and large vehicles, defending territory through measure and countermeasure. They gather intelligence, and they fake their opponents out (ever heard of razzle dazzle paint jobs, or Operation Mincemeat?). What’s the difference between the Roman armies and ours? The cannon.

Long before they were made popular in modern pirate movies, they made castles pretty unpopular. For some time, of course, there was a competition between the wall builder and the cannon maker. Build the wall high, and the cannon would be pointed skyward, lobbing missiles over the top (in the form of a mortar). Build your walls thick, and the cannon would be built to launch a heavier ball, and more accurate to hit the same spot regularly. Right now we’re in that phase between the two, when armies battle as set pieces moved around the field, arranged like the movable human walls of the First World War.

But, in the end, walls are no defense against cannons. So what do we need to do? The defensive forces of your network need to become more like a modern army.

First, you need to enlist the average user. I know this is hard, particularly when there are so many new attacks, and so many good social engineers out there. We live in condition white, and we need to live in condition yellow.

Second, we need to start thinking in terms of gathering information and reacting in near real time, rather than in terms of gateways and portals. And we need to go beyond packet traces. We need to think in terms of the OODA loop, to think about what we can measure, where we can measure it, what normal looks like, and what an attack looks like. For instance, DNS data is a really good source of incoming attacks or infected machines. There are now products out there that perform near real time analytics of database accesses to stop injection attacks, and warn an administrator of irregular accesses. We need to stop arguing against BYOD, and start arguing for real security that doesn’t depend on building a wall between the network and the world. We need to understand the real difference between cover and concealment, and stop saying things like “security by obscurity doesn’t work.” Concealment isn’t cover, but it’s also not useless.
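One way to put “what normal looks like” into practice with DNS data, as an added example that is not from the original post: it compares each client’s current resolver queries against that client’s own baseline. The log format, addresses, names and thresholds are assumptions made for the example, and the sample lines are constructed.

```python
from collections import defaultdict

KNOWN = ["mail.example.com", "intranet.example.com", "updates.example.net"]


def _lines(client, names, rcode, start):
    # Helper that builds constructed log lines: "<epoch> <client> <qname> <rcode>".
    return [f"{start + i} {client} {n} {rcode}" for i, n in enumerate(names)]


# Constructed sample data (assumed resolver log layout, not a real product's format).
BASELINE_LOG = (_lines("10.0.0.5", KNOWN * 10, "NOERROR", 1000)
                + _lines("10.0.0.7", KNOWN * 10, "NOERROR", 1000))
CURRENT_LOG = (_lines("10.0.0.5", KNOWN * 6 + ["docs.example.org"] * 2, "NOERROR", 9000)
               + _lines("10.0.0.7", KNOWN + KNOWN[:2], "NOERROR", 9000)
               + _lines("10.0.0.7", [f"h{i:02d}x.example.invalid" for i in range(25)],
                        "NXDOMAIN", 9100)
               + ["truncated line"])


def parse(lines):
    """Turn log lines into (ts, client, qname, rcode) tuples, skipping bad lines."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # a malformed line must not abort the whole run
        ts, client, qname, rcode = parts
        records.append((int(ts), client, qname.lower().rstrip("."), rcode.upper()))
    return records


def profile(records):
    """Per-client summary: query count, NXDOMAIN count, set of names asked for."""
    stats = defaultdict(lambda: {"queries": 0, "nx": 0, "names": set()})
    for _ts, client, qname, rcode in records:
        s = stats[client]
        s["queries"] += 1
        s["nx"] += rcode == "NXDOMAIN"
        s["names"].add(qname)
    return dict(stats)


def detect(baseline, current, nx_margin=0.2, new_name_limit=0.5, min_queries=10):
    """Flag clients whose current window departs from their own baseline."""
    findings = []
    for client, cur in sorted(current.items()):
        if cur["queries"] < min_queries:
            continue  # too little data to judge either way
        base = baseline.get(client)
        if base is None:
            findings.append((client, ["no baseline for this client"]))
            continue
        reasons = []
        nx_jump = cur["nx"] / cur["queries"] - base["nx"] / base["queries"]
        if nx_jump > nx_margin:
            reasons.append(f"NXDOMAIN ratio up by {nx_jump:.2f}")
        new_frac = len(cur["names"] - base["names"]) / len(cur["names"])
        if new_frac > new_name_limit:
            reasons.append(f"{new_frac:.0%} of names never seen in baseline")
        if reasons:
            findings.append((client, reasons))
    return findings


def run():
    return detect(profile(parse(BASELINE_LOG)), profile(parse(CURRENT_LOG)))


if __name__ == "__main__":
    for client, reasons in run():
        print(client, "->", "; ".join(reasons))
```

The client that picks up one new, resolvable name stays below both thresholds; the client that suddenly asks for many never-seen names that fail to resolve is flagged on both.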

And we need to start doing these things now.

Our walls have failed. It’s time to build new security systems that are nimble, go to where the problem is, and work the way our users work.