Create your own job

I do a lot of thinking about work, jobs and the economy, both at the macro scale and particularly in Albuquerque. I know a lot of skilled people, of many persuasions, who have been out of work for a year or more. And I also see a barrage of demand for IT people, application developers, security pros, network techs both guru and apprentice, help desk galore, and do I know any web people? And virtualization people, and on and on and on.

What puzzles the hell out of me about all this is the disconnects, on several levels. I long ago discarded the idea that I needed someone to create a job for me. What I’m always looking for is work. There is a massive superabundance of work, more than will ever be accomplished in the history of humankind. So I take the opportunities that interest me, and refer out or turn down the rest. It works. And it’s perfectly clear why: I constantly watch the IT market, and educate myself on my own incentive and at my own expense to do the work in demand. You can do it too; just pick a skill set and start developing it.

Where is the demand? It’s easy to find. Read this Computerworld article, “9 Hot IT Skills for 2012”:

App development, project management, networking, help desk, business intelligence, data center, Web 2.0, security and telecom: there are entire worlds within each of these areas. All they require is technical curiosity and motivation.

Come on people, this is America! If you’re unemployed it’s time to cram for certifications and study new web tools. Take classes, if you can, or buy books and study, study, study. Then don’t look for a job; create your own.

Should we patch?

Obviously you all know I’m obsessive about security (which is to say I may have bored some of you to tears over the issue). So let me bore you with some psychology instead.

B.F. Skinner conducted a series of experiments (or more accurately observations) about caged pigeons fed on a simple scheduled interval. The birds apparently came to associate whatever they happened to be doing at the time food appeared, with the food appearance itself: a simple, and simply wrong, assumption of causality. I was ducking my head when the pigeon pellet popped out, so ducking my head *caused* the pellet to appear! What did Skinner call this behavior? Superstition.

There’s a degree of superstition in the practice of security, too. One superstition-candidate might be obsessing over patches, which actually introduce unknown elements into your attack surface. Would I personally cease to patch? No way. But I’m already highly selective about what I patch and how. If you’re curious why, do a quick Google on Evilgrade, among other reasons. Or see

Pete Herzog passes along a link to an Infosecisland article by Cor Rosielle below on exactly this topic. Check it out, and the theoretical underpinnings, which are quite solid. I’d also suggest that if you haven’t already, get familiar with ISECOM and the OSSTMM. Pete will change the way you think about security, I guarantee. See the very last line of this message for a URL to join this news list, if you’re interested.

Thanks everyone, and *study study study*. Especially you recent PhDs.

-------- Original Message --------
Subject:     [ISECOM-news] Do You Need to Patch?
Date:     Tue, 13 Sep 2011 12:53:29 +0200
From:     Pete Herzog <>
Reply-To:, ISECOM News <>
Organization:     ISECOM
To:     ISECOM News <>


Just to let you know that ISECOM Trainer, Cor Rosielle, translated his
recent article from Dutch to English: “Do You Always Need to Install
Software Updates?”

One of the areas we found most interesting in developing the OSSTMM
attack surface metrics is how software patching seemed to be at odds
with security. It was a wild card at best. Even though this seemed to
go against everything we have heard as part of the bigger security
picture, the numbers showed differently. Now it appears there are more
and more efforts going into investigating this.

Thanks Cor for contributing to this effort with this article! Check it


Pete Herzog – Managing Director –
ISECOM – Institute for Security and Open Methodologies – –

ISECOM-news mailing list

Are you using Huawei equipment?

If you are, did you know this:

“Information technology companies in particular, including Huawei, Datang, and Zhongxing, maintain close ties to the PLA.”

That’s the People’s Liberation Army of China, in case you don’t recognize the acronym. The NSA is concerned that Huawei equipment, which they blocked from installation in virtually every cell phone tower in America, might contain back doors feeding your information to the Chinese.

Considering the way the Chinese have been hacking the shit out of American companies, this does not seem far-fetched in the least. I for one feel suddenly very sensitive about whose equipment I’m buying or recommending. And it’s time to start monitoring the traffic emanating from them. Who exactly is that box talking to?

Thanks to the ever-alert Herbbie for another scary tip.

Some companies can afford to pay their CEO more than they can “afford” to pay in taxes

Why is the middle class in decline, losing buying power even as the “executive class” gets richer and richer? Why is the federal government’s deficit growing endlessly? Here’s one big reason why:

(Reuters) – Twenty-five of the 100 highest paid U.S. CEOs earned more last year than their companies paid in federal income tax, a pay study by a Washington think tank said on Wednesday.