Seeking Knowledge and Willful Ignorance

I had a great time recording a fun episode of Seeking Truth in Networking, an awesome podcast with my friends Derick Winkworth and Brandon Heller. We talked a lot about a variety of different topics, but the one I want to spend a few more minutes on here came in the first five minutes. Brandon asked me what question I liked to be asked and I mentioned that I love to be asked about learning. My explanation included the following line:

I feel like the gap between people that don’t understand something and the willfully ignorant is that ability to take a step out and say “I don’t know the answer to this but I’m going to find out.”

I’ve always said that true learners are the ones that don’t accept the unknown. They want to find the answer. They want to be able to understand something as completely as they can. Those that I consider to be willfully ignorant choose not to do that.

Note that there is a difference between incidentally ignorant and willfully ignorant. People who are incidentally ignorant are unaware they don’t know something. They haven’t had the opportunity to learn or change their thought process on something. It would be like going to a random person and asking them about how to launch a rocket to another planet. They’re ignorant of the steps because they’ve never had the opportunity to learn them. They’ve never been exposed to the info or had a need to know it. People who are willfully ignorant choose to not learn something even after they’re exposed to it.

Where There’s a Will

We deal with people who choose not to learn things all the time. Even I choose not to learn everything. I don’t have all the Pokemon memorized. I don’t have the registration number of every Starfleet vessel in my mental Rolodex. There are a variety of other more technical topics that escape me. However, my reasoning for choosing not to learn those things is not because of malice. It’s because of self preservation.

If you’re exposed to something that you are curious about and choose to learn more, you will often find yourself consumed by it. I am always on the lookout for a new laptop bag or hiking backpack. When I search for them I will find myself watching videos and reading reviews that are full of terminology that I don’t understand. I educate myself to the best of my ability but I don’t consider myself to be an expert on messenger bags or ultralight hiking packs. And after a while that knowledge is filed away for another day and I have to relearn it all over again when I’m on the hunt for a new bag.

Let’s contrast the acknowledgment of not being able to know everything with the phenomenon of choosing not to learn something out of spite or malice. This is like a networking engineer saying something along the lines of, “I’m not going to learn OSPF because it sucks and I’ll never use it.” A statement like that should immediately raise flags. In this specific case a working knowledge of OSPF is important for anyone building and maintaining networks. You may not need to know the details for every LSA in the database but you at least need to know how OSPF is different from RIP.

This kind of willful ignorance of information makes IT difficult. Why? Because actively choosing not to learn or understand something creates two hurdles to overcome. The first hurdle is showing people where to learn more about it. That is hard enough in and of itself. Every bookshelf in every office everywhere has the kinds of books that people refer to when they need to teach someone something important about networking or wireless or any other enterprise IT technology. Thanks to the power of search engines today it’s even more accessible to get people on the track to learning something new.

The second huge hurdle with those that are willfully ignorant isn’t access to knowledge. It’s getting past their objections to learning it. People have biases that need to be challenged and overcome. I’m not going to speak on anything aside from technology, but we all know that everyone has their viewpoint and their understanding, and changing their mind about something has varying degrees of difficulty. If someone is convinced, for example, that SHA-1 is an unbreakable hash function and nothing you can show them to the contrary convinces them, that is willful ignorance. Evidence that is contrary to your understanding isn’t invalid evidence. The quality of the evidence is always important to understand, but choosing to dismiss it entirely out of hand solely because it doesn’t fit your understanding is not the kind of position someone in IT needs to take.

A Changing Landscape

Think about some of the following statements:

  • Switching is cheap, routing is expensive
  • 640K is more than enough memory
  • Unbreakable encryption

These are all statements that have been said in the past. They’ve all been proven over time to be wrong. Could you imagine if there was someone out there today that thought programs needed to run in less than 640K of RAM? Or that believed that routing packets was too expensive and everything needs to run at layer 2? Those people would get laughed out of the data center.

Those statements are no longer true, but the attitudes behind them are the real problem. It’s not that something is taken for granted but that we choose not to accept anything other than that fact as the truth. Even today we could have positions like virtual reality will never take off or that quantum computers are too noisy to ever be commercially viable. In five years or a decade those statements may prove to be totally wrong. But if I’m still saying them and purposely choose not to learn why they are incorrect then I’m in the camp of being willfully ignorant of the truth.


Tom’s Take

The point of this post wasn’t to call out anyone specific for anything. Instead, I wanted to highlight that we all believe what we believe and we resist learning things that don’t square with that. How we choose to overcome that friction defines us, both to ourselves and to our peers. If you want to spend your career believing that a protocol is better and you won’t learn anything else, then I hope your career is successful and long. I say “hope” because in the world of IT those that clap their hands over their ears and refuse to update their knowledge and understanding are running on that kind of hope. They hope their level of knowledge never needs to change. They hope their skills will be enough for years and years of employment. And, in almost every case, they hope they can learn something new fast enough to get a new job when they realize that the attitude of willful ignorance will leave them high and dry.

What’s Your Work From Home DR Plan?

It’s almost December and the signs are pointing to a continuation of the current state of working from home for a lot of people out there. Whether it’s a surge in cases that is causing businesses to close again or a change in the way your company looks at offices and remote work, you’re likely going to ring in the new year at your home keyboard in your pajamas with a cup of something steaming next to your desk.

We have all spent a lot of time and money investing in better conditions for ourselves at home. Perhaps it was a fancy new mesh chair or a more ergonomic keyboard. It could have been a bigger monitor with a resolution increase or a better webcam for the dozen or so Zoom meetings that have replaced the water cooler. There may even be more equipment in store, such as a better home wireless setup or even a corporate SD-WAN solution to help with network latency. However, have you considered what might happen if it all goes wrong and you need to be online?

In and Outage

Outages happen more often than we realize. That’s never been more evident than the situation we find ourselves in now. There are providers that do maintenance during the day because most of their customers are at work. When that work happened in a building covered on a different grid or service line it was fine to reboot things in the afternoon. When everyone is at home working on video calls or remote classrooms it’s no longer ideal. And those are just the planned outages. What about the ones that happen without warning?

Between the extra usage at home and the increased stress on the system, I’m finding that my Internet connection is becoming much less stable than it has been in the past. When you’re on a consumer-grade line, you pay for the privilege of getting online when it works. When it doesn’t you get lumped in with the same group of people in your neighborhood or on your local loop. The provider response is usually a shrug and a “we’re working on it” response. Business lines cost twice as much for less speed but gain the ability to call and at least file a complaint or a ticket. If you’re lucky enough to have one with a good SLA you might even get a truck roll to your location within a few hours. Otherwise, you need to plan for the worst.

This is nothing new to the enterprise. The best SLA in the world is only a piece of paper with a specific promise. It doesn’t protect you from the North American Fiber Seeking Backhoe or an ice storm that knocks out power to a few square miles of your town. We need to have plans in place to deal with the potential for not having what we need when we need it. In the enterprise that was part of the job. We bought firewalls in pairs and had expensive power equipment run into the data center to protect our services. The cloud is armored against outages, so long as the engineers keep their fingers off of things. But our house is neither the enterprise nor the cloud. How can we ensure we’re able to work when nothing else looks like it’s going to get the job done?

Planning To Recover

In order to keep working from home in the event of an outage, you need to consider three important situations: Connectivity Outage, Power Outage, and a Location Outage.

Connectivity outages are the most basic situation we’re going to find ourselves in. The Internet is down or severely degraded. We need to get online and figure out how to keep working. That means we need a traffic plan: which applications and calls are critical enough to fail over, and which can wait. And we need to figure out how to get that plan working. The first step is going to require you to figure out how you’re going to get back online. Do you want to use your cell phone as a tethering device? Do you want to “borrow” the neighbor’s wireless (with permission, of course)? Do you want to try and work completely from your mobile device? You need to figure this out ahead of time. You also need to test it.

If you’re going to rely on your phone for tethering, make sure you have that option enabled ahead of time. Find out how much data you have available and what happens if you go over. Do you get throttled to a slower speed? Do you need to pay more? You don’t want to find out what happens in the middle of a critical call. You also need to test the speed of the tethering at your house. For example, my LTE coverage at home is pretty terrible, so I need to fail back to 3G in order to have a stable signal. That means no video calls for me until my broadband connection comes back online.

If your plan is to use a neighboring connection as a backup, please get permission first. You never want to find out someone is borrowing your network, and you don’t want to do that to someone else. You also should verify that the neighboring connection is a diverse circuit. It won’t do you much good to hop on their connection only to find out they’re on the same provider and everything is offline for the entire block. Test it ahead of time and make sure their data plan works for you. And remember that you’re doubling the amount of traffic pouring through their circuit. You’re going to have to decide, as above, what traffic is critical to fail over. And give your neighbor a heads up so they don’t panic when everything gets slower.

Limited Power

Electricity is a bigger issue because it affects everything at a lower level of the stack. You can have bad connectivity and just work offline with your devices. But a power outage changes the game because half your devices may be out of commission. If my power goes out, my 4K monitor goes with it. That means I need to work from my laptop until I can get everything under control again. My time is limited to how long my laptop battery can hold out.

If you want to solve the power outage problem, you need to solve your power issues. The easiest way is a backup battery system, like a personal uninterruptible power supply (UPS) under your desk. Remember that a UPS isn’t designed to keep you running for days. It’s something that is designed to keep you going just long enough to put a plan in place or shut things down gracefully. Those batteries last for 5-7 minutes at best. And the more devices you have connected to them, the less time they can stay up.

What other devices, you might ask? Keeping your computer on a UPS is smart. What about your WAN connectivity device, like your DSL or cable modem? Have to have that if you want to stay online, right? What about your wireless access points? Are they plugged into the wall? Or are you using PoE? Did you plug the PoE switch into the UPS too? That is going to reduce the UPS runtime. Unlike a data center, your house likely doesn’t have the infrastructure to run a huge UPS with enough battery to go for half an hour. You need something that is going to fit under your desk and has a fan small enough to not create a white noise generator.

Speaking of generators, if you have regular power issues or you live in a part of the country that is prone to storms that knock out power for days on end, you need to consider a home generator. These are larger, more expensive, and require some kind of fuel source. The upside is you can run your entire house off the generated electricity until the power is restored. No need to hook things up to batteries. The down side is that your house uses a lot of power for appliances and other things and you still need to prioritize what is going to get first crack at the leftover juice. You also need to have a plan to keep the generator going. If it runs off of combustible fuel, like diesel, you need to have a supply ready to go. You also need to test it regularly to ensure it’s going to work when you need it. Just like in the enterprise data center you need to know things work before everything goes sideways.

Getting Out of Dodge

The last situation can be a combination of the above factors or something totally unrelated. What happens if your workspace isn’t usable? Maybe your power is out and your heat is gone too. Maybe your Internet is down and you need to go somewhere with a better signal in order to have that big call with the CEO. Maybe you have a tree trimming service that has set up camp outside your office window for the rest of the day and the chainsaw symphony is driving you insane. If you need to move, you need to have a plan.

Where are you going to go? A friend’s house works great, provided they are home and there isn’t a quarantine order. You could try a coffee shop, provided they aren’t closed for some reason. Maybe you’re alone in a distant city and you need to get some work done. You need to figure out what’s available and have at least two backup plans in place. Maybe you want to use a local coffee shop. Make sure they’re open and make sure you aren’t violating local laws. If they’re closed, consider somewhere more local to you. Perhaps the parking lot of a store or other place that offers wireless connectivity. There are times when those wireless setups extend a bit outside the store proper and you can borrow it there. Not everyone has a vehicle, so make sure wherever you are going is easy to reach through your preferred transit method. Oh, and if it’s a restaurant or coffee shop, make sure you tip well on your purchases as a form of “rent” for the table.


Tom’s Take

Enterprises have DR plans in place for everything. Natural disasters, security incidents, and even good old fashioned human error all have a place in the Big Binder of Getting Back to Work. Homes don’t have that, even though they should. You need to know what has to happen to get you back to working if something goes wrong. You need to write it all down, test it thoroughly, and keep updating it as you go. Your boss may understand the first time you can’t work because your power went out or they’re doing circuit maintenance in your neighborhood. But, as an IT professional, you need to have a plan in place in case it becomes a regular occurrence. And when you do get everything ready to go for your home DR plan, make sure you update your enterprise DR plans too.

A Different Viewpoint of Lock-In

First things first: Go watch this great video on lock-in from Ethan Banks (@ECBanks). We’ll reference it.

Welcome back. Still carrying that pitchfork around screaming about how you want to avoid vendor lock-in? Ready to build the most perfect automation system in history that does multi-cloud, multi-vendor, multi-protocol networking in a seamless manner with full documentation? Nice. How hard was it to build that unicorn farm?

I get it. No one wants to be beholden to a specific vendor. No one likes being forced into buying things. Everyone hates the life of the engineer forced to work on something they don’t like or had to use because someone needed a new boat. Or do they?

Ford and Chevys and Dodge, Oh My!

What kind of car do you drive? Odds are good you’re either ready to get a new one or you’re proud of what you’re driving. I find that the more flashy a car is the more likely people are to talk about how amazing it is. And when there are two dominant manufacturers in a market for cars, you tend to see people dividing into camps to sing the praises of their favorite brands. Ford people love their trucks and won’t hesitate to decorate their bumpers with stickers about the uselessness of a Chevy pickup. Chevy owners will remind you that Ford is an acronym for Found On (the) Road Dead. Ferrari versus Lamborghini. Toyota versus Honda. Tesla versus everyone else. Tell me that car people don’t root for their team.

That’s how it’s always been. However, when you buy a car you are locked in. You have to buy the parts for that car to fix it. Ford starters don’t work in Chevy vehicles. You can’t just pull a motor out of Corvette and drop it into a Mustang. Wanna try to put Lambo tires on your Testarossa? Good luck! You’re locked into a system that has parts for your car. There’s even a specific term for the parts division of Chrysler, which you use when you tell people you drive a MOPAR car.

Why is it that no one cares about lock in when they buy their car? How is it that when making choices between Cisco and Juniper or AWS and Azure that we rail against the need to pick a horse and run with it? How is it that people in IT will go to amazing lengths to over-engineer something to use the most obscure open source routing protocols invented for the sake of making their configs portable only to walk into the parking lot and crawl into a vehicle that has parts that can only be found at the dealer with a 1000% markup on price? How does that compute?

I Take It Back

IT pros see lock-in as a by-product of choices that were made without their input. No one complains about lock-in when they were the ones that got to make the call about which gear to install or which cloud to pick. Lock-in usually becomes a sticking point when the IT contributors were cut out of the decision loop or they didn’t get to voice their opinion for their favorite hobby project on GitHub. The disappointment festers into a feeling that the real problem here is that the evil vendor is just trying to keep us from moving to the solution path that I would have suggested if only they had asked me!

Why do we build networks using standard protocols? Is it so we can rip out huge sections of the network every three years when the incumbent vendor has pissed us off for the last time? Or is it because we want the opportunity to plug in a cheaper device when one fails? Why do we build multi-cloud capable networks? Is it because we hate Bezos or Nadella and we want to stick it to them by moving our workloads whenever we feel like they’ve made a poor strategic decision? Or is it really because some workloads work better in some places and we are trying to keep the rest mobile so we can move them to take advantage of cheaper spot prices like a game of instance whack-a-mole?

Lock-in isn’t a huge problem. It’s the boogeyman we use to cover our real problems: Not feeling heard and valued. We fight back against this by creating more work for ourselves. Instead of paying for the solution with money, we create a solution with an investment of complexity and time spent creating it. You wanna save $10,000 by switching out the gear I suggested for this other model? Fine, I’m going to make it completely open and hard for anyone other than me to use!

Ask yourself honestly: When was the last time you had to completely change your entire setup to a new system or new hardware in less than three months? Pandemic craziness aside, most IT departments can’t even figure out which printers to buy in three months, let alone scrap an entire network or cloud deployment for the competitor. And that’s just the technical challenge. Let’s say you’ve used OSPF and open standards and avoided anything proprietary because you’re ready to pull the plug the next time that sales drone comes sniffing for a new motorcycle payment. How is your non-locked-in network going to compete with the power of spiffs? Sure, we could rip this whole $VendorA network out right now and replace it with $VendorB and there’s nothing you can do about it! Until Sales Drone mentions they’ll give you 20% off the next license renewal and throw in four new top-of-the-line switches to “test”. All your hard work sunk because Sales Drone and Executive Team speak the same language: money.

I know this sounds dark and ominous. I realize there are some very valid concerns about vendor lock in, like licensing features behind paywalls that are unreasonable or creating dependence on specific features that can be revoked at any time. But that’s not usually where the lock-in discussions go for IT pros. No, they usually go back to “$VendorA made me mad once and I will never use $ProtocolA again just to spite them!” Lock-in discussions are almost always really about the staff not getting exactly what they want and using their skillsets to create complexity as a panacea for what they perceive as the chance to move away when the executives want to listen to them again. What generally follows is a network that is difficult to maintain and doesn’t hit performance metrics. That means the executives’ decisions are punished. Not through sabotage. Not through malice. But through the decisions by their staff to try and create a system that make things portable when they don’t need to be just in case someone changes their mind sometime in the future.


Tom’s Take

I expect the comments section to light up on this one. Yes, lock-in is a thing. Yes, there are some very specific cases where it’s a Bad Thing (TM). I’m just pointing out that, like the car discussion above, most of the time the average person couldn’t care less about lock-in as long as it was their decision. The same people that will put a sticker of Calvin peeing on a Ford logo on their car chafe at the idea of having to use Cisco’s flavor of OSPF because one area they will never configure isn’t 100% standard. Lock-in is an issue. It’s not the world-ending problem we make it out to be. And it’s certainly not the boogeyman that scares us into making things needlessly complicated to the point of absurdity just to prove a point.

Looking For a Mentor? Don’t Forget This Important Step!

With the insanity of the pandemic and the knowledge drain that we’re seeing across IT in general, there’s never been a more important time than right now to help out those that are getting started on this ride. The calls for mentors across the community are heartwarming. I’ve been excited personally to see many recognizable names and faces in the Security, Networking, and Wireless communities reaching out to let people know they are available to mentor others or connect them with potential mentors. It’s a way to give back and provide servant leadership to those that need it.

If you’re someone that’s reading this blog right now and looking for a mentor you’re in luck. There are dozens of people out there that are willing to help you out. The kindness of the community is without bounds and there are those that know what it was like to wander through the wilderness for a while before getting on the right track. They are the ones that will be of the most help to you. However, before you slide into someone’s DMs looking for help, you need to keep a few things in mind.

Make Me One With Everything

The single most important step you can take to increase your chances of being mentored or being set up with someone to help you out is simple in theory but hard in practice:

You NEED to do your homework.

Sounds trite, right? You don’t know what you don’t know. You need to figure out what you have to have, right? Why not ask someone that has been there and have them tell you everything?

Let me give you the perspective of someone who mentors and teaches in all aspects of my life. The scouts, professionals, and students that come to me and say, “Tell me everything I need to know” are usually the ones that listen the least and forget the most. They are the people that haven’t done their homework. They haven’t looked up what interests them or tried to figure out what knowledge they’re missing. They want answers but don’t have questions. Without questions, answers are meaningless.

Moreover, telling someone “everything” is a recipe for disaster. How does a mentor know what to focus on? What areas interest you? In security, are you offensive or defensive? Do you enjoy writing reports or using tools? Do you want to be a per-work consultant or have a steady, if not smaller, paycheck from a single organization? How can a mentor know where to point you if you haven’t done this basic homework?

Let me give you an example that happened to me in the last week. I got a DM from someone I’ve never talked to before. They politely asked if I could answer a couple of questions for them. I said sure with some hesitation. Usually this means they’re looking for some very broad advice or they need help with their homework. When the questions appeared in my inbox, I asked for some clarification. In this instance, it was someone that needed to understand queuing mechanisms. Once I determined I wasn’t doing someone’s CS homework for them, I read up on the topic and explained what I thought was the case. I was pleasantly surprised to get a response that they had read the same paper and it sounded right but they wanted to understand deeper. We talked for a bit and I feel like the person walked away from the exchange with a greater understanding.

What made me happy in this situation is that the person did the work ahead of time instead of just saying, “teach me how this works”. They wanted to understand, not just get the answer to a multiple choice question. They were curious and wanted to learn the right way. These are the kind of people that benefit from mentors. They are self-motivated and willing to do the work to get ahead.

Help Is Always Given To Those Who Ask

You may have heard the phrase, “Help will come to those that help themselves”. It’s another bit of cliche that means you need to be as active in the process as the person you are seeking knowledge from. If you just show up and say, “I need to know everything starting from scratch”, you’re sending the message that you aren’t invested. Mentors don’t want to help those that aren’t invested.

On the other hand, if someone comes to me and says, “I tried this and it failed and I got this message. I looked it up and the response didn’t make sense. Can you tell me why that is?” I rejoice. That person has done the legwork and narrowed the question down to the key piece they need to know. They don’t need to “boil the ocean” so to speak. They have a specific need that can be met.

Mentors are people too. Maybe they enjoy teaching and guiding more than others but they have limits on their energy just like you would. If a mentor spends more time exerting themselves trying to teach someone everything starting from zero, they’re going to burn out. However, teaching someone that just needs a little extra push to get over the hump of a hard problem is a much better use of everyone’s time. The mentor gets the reward of seeing their student understand and the mentee gets the satisfaction of getting it right and doing the work before they ask for help.

Asking someone for help is never easy. It’s an admission that you don’t have all the answers and you need to rely on others. In a profession where being smart and knowing everything is seen as a sign of success it can be humbling to admit you need something from someone. However, I find that those that need the least amount of help from having exhausted their capabilities are usually the ones that learn the most over time and rely on their peers and mentors the least. They know what to do and where to start. They just need a helping hand to get over the line.


Tom’s Take

I am always willing to be a mentor for anyone that needs help. I can help you understand protocols, tie tripod lashings, and teach you more than you ever wanted to know about building space probes or speaking in public. That’s the life I’ve chosen for myself. However, I ask that all those that seek my mentoring help also commit to learning. Do the extra work ahead of time. Narrow your focus to what is essential to get over the hump. Realize that the more you do for yourself the more meaningful it is for you. And remember that those that mentor you are also on the learning journey themselves. Just as they help you, so too do others help them. And one day you will find yourself in the position to mentor others. Showing the investment and determination to go the extra mile for yourself is the example that you will set for those that come later.

Securing Your Work From Home


Wanna make your security team’s blood run cold? Remind them that all that time and effort they put in to securing the enterprise from attackers and data exfiltration is currently sitting unused while we all work from home. You might have even heard them screaming at the sky just now.

Enterprise security isn’t easy, nor should it be. We constantly have to be on the offensive to find new attack vectors and hunt down threats and exploits. We have spent years and careers building defense-in-depth to an artform not unlike making buttery croissants. It’s all great when that apparatus is protecting our enterprise data center and cloud presence like a Scottish castle repelling invaders. Right now we’re in the wilderness with nothing but a tired sentry to protect us from the marauders.

During Security Field Day 4, I led a discussion panel with the delegates about the challenges of working from home securely. Here’s a link to our discussion that I wanted to spend some time elaborating on:

Home Is Where the Exploits Are

BYOD was a huge watershed moment for the enterprise because we realized for the first time that we had to learn to secure other people’s devices. We couldn’t rely on locked-down laptops and company-issued phones to keep us safe. Security exploded when we no longer had control of the devices we were trying to protect. We all learned hard lessons about segmenting networks and stopping lateral attacks from potentially compromised machines. It’s all for naught now because we’re staring at those protections gathering dust in an empty office. With the way that commercial real estate agents are pronouncing a downturn in their market, we may not see them again soon.

Now, we have to figure out how to protect devices we don’t own on networks we don’t control. For all the talk of VPNs for company devices and SD-WAN devices at the edge to set up on-demand protection, we’re still in the dark when it comes to the environment around our corporate assets. Sure, the company Thinkpad is safe and sound and isolated at the CEO’s house. But what about his wife’s laptop? Or the kids and their Android tablets? Or even the smart speakers and home IoT devices around it? How can we be sure those are all safe?

Worse still, how do you convince the executives of a company that their networks aren’t up to par? How can you tell someone that controls your livelihood they need to install more firewalls or segment their network for security? If the PlayStation suddenly needs to authenticate to the wireless and is firewalled away from the TV to play movies over AirPlay, you’re going to get a lot of panicked phone calls.

Security As A Starting Point

If we’re going to make Build Your Own Office (BYOO) security work for our enterprise employees, we need to reset our goals. Are we really trying to keep everyone 100% safe and secure 100% of the time? Are we trying for total control over all assets? Or is there a level of insecurity we are willing to accept to make things work more smoothly?

On-demand VPNs are a good example. It’s fine to require them to access company resources behind a firewall in the enterprise data center. But does it need to be enabled to access things in the public cloud? Should the employee have to have it enabled if they decide to work on the report at 8:00pm when they haven’t ever needed it on before? These challenges are more about policy than technology.

Policy is the heart of how we need to rebuild BYOO security. We need to examine which policies are in place now and determine if they make sense for people that may never come back into the office. Don’t want to use the VPN for connectivity? Fine. However, you will need to enable two-factor authentication (2FA) on your accounts and use a software token on your phone to access our systems. Don’t want to install the apps on your laptop to access cloud resources? We’re going to lock you out until we’ve evaluated everything remotely for security purposes.

Policy has an important role to play. It is the reason for our technology and the driver for our work. Policy is why I have 2FA enabled on all my corporate accounts. Policy is why I don’t have superuser rights to certain devices but instead authenticate changes as needed with suitable logging. Policy is why I can’t log in to a corporate email server from a vacation home in the middle of nowhere because I’m not using a secured connection. It’s all relevant to the way we do business.
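To make the policy stance above concrete, here is an added example (not code from the original post) of a small conditional-access evaluator that encodes the rules the post describes: a VPN tunnel is mandatory for resources behind the data-center firewall, an employee who skips the VPN for public cloud resources must present a software-token 2FA factor instead, a laptop without the required endpoint app is locked out of cloud resources, and an executive flag is deliberately ignored so there are no workarounds. The resource names, field names and the exact rule set are constructed assumptions for illustration.

```python
"""Toy conditional-access policy engine (illustrative, not a product API)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from enum import Enum
from typing import Iterable


class Location(Enum):
    DATACENTER = "datacenter"   # behind the enterprise firewall
    PUBLIC_CLOUD = "cloud"      # SaaS / public cloud tenant


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    location: Location
    on_vpn: bool               # on-demand VPN tunnel is up for this session
    mfa_token: bool            # software-token 2FA satisfied this session
    agent_installed: bool      # required endpoint app present on the laptop
    is_executive: bool = False  # intentionally has no influence on the decision


def evaluate(req: Request) -> tuple[str, str]:
    """Return (decision, reason); decision is 'allow' or 'deny'.

    Rules are evaluated in order and the first failing rule wins, so the
    reason string always names the single policy the request tripped over.
    Note that req.is_executive is never consulted: no executive exemptions.
    """
    # Rule 1: data-center resources sit behind the firewall; the tunnel is mandatory.
    if req.location is Location.DATACENTER and not req.on_vpn:
        return "deny", "datacenter resource requires VPN"
    # Rule 2: cloud resources may be reached without the VPN, but then 2FA is required.
    if req.location is Location.PUBLIC_CLOUD and not req.on_vpn and not req.mfa_token:
        return "deny", "no VPN: software-token 2FA required"
    # Rule 3: cloud access from a laptop missing the endpoint app is locked out.
    if req.location is Location.PUBLIC_CLOUD and not req.agent_installed:
        return "deny", "endpoint agent missing; locked out pending remote evaluation"
    return "allow", "policy satisfied"


def audit(requests: Iterable[Request]) -> dict[str, int]:
    """Count decisions by reason, the raw material for a policy audit.

    A reason that never fires over a realistic sample is a rule nobody can
    justify any more; a reason that fires constantly is a rule that needs
    either enforcement tooling or a rewrite.
    """
    return dict(Counter(evaluate(r)[1] for r in requests))


if __name__ == "__main__":
    # Constructed sample sessions, not real users.
    sample = [
        Request("alice", "hr-db", Location.DATACENTER, on_vpn=False, mfa_token=True, agent_installed=True),
        Request("alice", "hr-db", Location.DATACENTER, on_vpn=True, mfa_token=True, agent_installed=True),
        Request("bob", "crm", Location.PUBLIC_CLOUD, on_vpn=False, mfa_token=False, agent_installed=True),
        Request("bob", "crm", Location.PUBLIC_CLOUD, on_vpn=False, mfa_token=True, agent_installed=True),
        Request("ceo", "crm", Location.PUBLIC_CLOUD, on_vpn=False, mfa_token=False,
                agent_installed=True, is_executive=True),
    ]
    for req in sample:
        print(req.user, req.resource, *evaluate(req))
    print(audit(sample))
```

The point of `audit()` is the post's "policy audit" exercise: run the evaluator over a representative sample of sessions and look at which reasons actually fire. Any rule that never fires, or that everyone trips over, is one you now have to justify or rewrite rather than keep because "this is how we've always done it".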

Pushing Policy Buttons

You, as a security professional, need to spend the rest of 2020 doing policy audits. You’re going to get cross-eyed. You’re going to hate it. So will anyone you contact about it. Trust me, they hate it just like you do. But you have to make it happen. You have to justify why you’re doing things the way you’re doing them. “This is how we’ve always done it” is no longer justification for a policy. We’re still trying to pull through a global pandemic that has cost thousands their jobs and displaced thousands more to a home they never thought was going to support actual work. Now is not the time to get squeamish.

It’s time to scrub your policies down to the baseboards and get to cleaning and building them back up. Figure out what you need and what is required. Implement changes you’ve always needed to make, like software updates or applications that enhance security. If you want to make it stick in this new world of working from home you need to put it in place at the deepest levels now. And it needs to stick for everyone. No executive workarounds. No grace extensions for them to keep their favorite insecure apps or allowing them to not have 2FA enabled on everything. They need to lead by example from the front, not lag in the back being insecure.


Tom’s Take

I loved the talk at Security Field Day about security at home. We weighed a lot of things that people aren’t really thinking about right now because we haven’t had a major breach in “at home” security. Yet. We know it’s coming and if it happens the current state of network segmentation isn’t going to be kind to whomever is under the gun. Definitely watch the video above and tell me your thoughts, either on the video comments or here. We can keep things safe and secure no matter where we are. We just need to think about what that looks like at the lowest policy level and build up from there.

Learning To Listen For Learning

Can you hear me? Are you listening to me? Those two statements are used frequently to see if someone is paying attention to what you’re saying. Their connotation is very different though. One asks a question about whether you can tell if there are words coming out of someone’s mouth. Is the language something you can process? The other question is all about understanding.

Taking Turns Speaking

“Seek first to understand, then to be understood.” – Stephen Covey

Listening is hard. Like super hard. How often do you find yourself on a conference call with your mind wandering to other things you need to take care of? How many times have we seen someone shopping online for shoes or camping gear instead of taking notes on the call they should be paying attention to? The answer is more often than we should.

Attention spans are hard for everyone, whether you’re affected by attention disorders or have normal brain chemistry. Our minds hate being bored. They’re always looking for a way to escape to something more exciting and stimulating. You know you can feel it when there’s a topic that seriously interests you and pulls you in versus the same old staff meeting each week when we just run down a list of notes that haven’t changed in weeks.

The second reason why listening is harder for us is because we’re often waiting for our turn to talk. Be honest with yourself on this one. During your last five conversations with people, were you really listening to what they were saying? Or were you just waiting for an opportunity to jump in with a statement or opinion? And, in all honesty, was that statement just something you were going to say to prove that you were paying attention the whole time?

I admit I have huge issues with attention and listening myself. My brain is always racing a thousand miles an hour with the statements people make. If it’s a briefing I’m usually thinking about use cases or applications of technology or where the next steps will go. If it’s a discussion about a topic with opinions I’m listening for their position and formulating my response by taking their arguments and finding counter arguments. If it’s a boring meeting or status update session I’m usually working on my own list or trying to cross tasks off to get ahead with my time.

Whatever your reason for not paying attention, you have to realize that doing it means you’re not focused on the message. In classic communications training, the lesson is that there are three components to a message:

  1. The sender
  2. The receiver
  3. The message

People focus on the first and the third a lot. They optimize how to deliver a speech or how to craft the perfect message. The second part of the list is the one that gets neglected. How does the receiver act in the communication? Do they pay attention actively and summarize the content? Do they ask questions to seek better understanding? Or are they bored? Are they looking for their opportunity to turn things around and make themselves the primary sender?

Seeking Understanding

It’s been a long hard road for me at Tech Field Day and Gestalt IT to learn how to listen and understand and not just hear and hope for a chance to speak or tell a story. Stephen Foskett (@SFoskett) has helped me a lot by making me sit back and listen and get people talking instead of dominating the conversation. My time with the BSA Wood Badge program has also given me a lot of tools to help.

Here are a few ways that I work on listening with the intention to understand:

  • Taking Notes – This is something that I work hard on because with every conversation I tell myself I have a great memory and then I remember that I’ve forgotten I don’t. I’m a voracious note-taker. If a piece of paper has a square inch of space and there is a pen in reach I will write on it. Sadly, this means there are notes all over the place with zero context that have been lost to time. My note-taking strategy has evolved to embrace things like pre-notes, where I start the notes for a briefing or conversation ahead of time to capture important questions or thoughts to ask, written electronic notes with my iPad and Notability where I can write things down on the fly without having to stop to think about typing, and consolidation of notes, where I go back and add those notes to a program like Agenda. Yes, it’s extra work but that extra work helps me summarize, categorize, and draw conclusions during the consolidation process. It’s like reading your study notes back a second time or rewatching a sports play to catch the nuance of the action.
  • Comprehension Questions – When you’re in a briefing, it’s easy to fall into the trap of just repeating back the thing you heard a minute ago to prove you’re paying attention. When I’m teaching my Scouts something and I ask them if they’re paying attention, some of the time they’ll do this to me. I fight back by asking them what that last thing they told me means to them in their own words. I want them to be thinking the whole time and not just listening for their name. Critical thinking is a skill we have to develop just like a fastball or juggling. The way to increase it is to be able to ask a summarizing question in a briefing. Speakers will pause frequently to ask, “Are there any questions? Is this making sense?” This is your chance to jump in with a summary and a question. Quickly summarize the important point – “You said BGP is broken” followed by a question, “Can we fix it with identity validation or something like PKI?” A word of warning on this one: remember to ask a question seeking knowledge. Don’t just state an opinion trying to prove you’re smarter than the speaker and then ask them what they think about your opinion.
  • Take The Lead – This one is especially important for people that interview others or podcasters that deal with shy guests. There are times when you realize the person you’re talking to is smart and capable but doesn’t communicate well. If you see that, you’re going to need to jump in and take an active role in the conversation, but from the perspective of teasing out their knowledge. Leading them to where they need to be to be comfortable or expressive. My good friend Ethan Banks (@ECBanks) does an amazing job of this on his podcasts. He asks questions in a way that gives the speaker a clear opening to seize on his words to tell their story. It’s like watching an episode of Perry Mason where the star lawyer asks a question in the right way to make the witness tell the story they’re afraid of telling. When you do it right, it seems like you’re just very curious and the speaker does the job of telling the story. If you do it wrong, you’re dominating the conversation and putting words in someone’s mouth. If you really want to practice this part, ask your kids (or someone close to you) how their day went. Don’t let them stop at “fine” or “good”. Encourage them to expand on that by asking very leading questions about specific parts of the day or topics of interest. You’ll be a pro in no time.

Tom’s Take

Did all of that make sense to you? Did you hear me? Did you listen? Video content creation and blog posts are hard tools for communication because we’re cutting out the second part of the communication process. I don’t get to see your understanding or ask questions that allow you to consolidate your knowledge. I have to hope that the topics here are things that you enjoy and understand, even if you have to go back and read them a couple more times. I promise that if you work on the things above in the coming months you’re going to find yourself a better, more active listener with a lot of knowledge gained. And that’s a learning lesson worth listening to.

Do You Do What You’ve Always Done?

When I was an intern at IBM twenty something years ago, my job was deploying new laptops to people. The job was easy enough. Transfer their few hundred megabytes of data to the new machine and ensure their email was all set up correctly. There was a checklist that needed to be followed in order to ensure that it was done correctly.

When I arrived for my internship, one of my friends was there finishing his. He was supposed to train me in how to do the job before he went back to school. He helped me through the first day of deploying laptops following the procedure. The next day he handed me a different sheet with some of the same information but in a different order. He said, “I realized we had too many reboots in the process and this way cuts about twenty minutes off the deployment time.” I’m all about saving time so I jumped at the chance.

Everything went smashingly for the next month or so. My friend was back at school and I used his modified procedure to be as productive as possible. One day, my mentor wanted to shadow my deployment day to see how I was doing things. I invited him along and we did the first one. I pulled out my deployment docs and made sure to follow the procedure so I got a good grade. When we were done, my mentor pulled me aside and said, “I noticed you went pretty fast and did some things out of order. Why?” I mentioned that my friend and I had modified the deployment procedure a bit to make it easier and faster. That’s when my mentor hit me with a phrase that I’ve spent a lot of my career deconstructing:

“But this is the way we’ve always done it.”

You Do What You’ve Always Done

Process isn’t a bad thing. It makes jobs easy to break down into steps to assess timelines as well as being able to make a job repeatable. There’s nothing worse than a process that only lives inside the head of one person. If you can’t replicate your job you can’t ever stop doing it. Sure, it may be hard to write things down sometimes but you have to have a way to capture that data.

However, process all needs to make sense. If the process for starting my computer involves pushing the buttons in a certain order, there should be a reason for it. If the process for starting my computer also includes extra steps, such as getting a cup of coffee or banging on the monitor twice, there needs to be a reason for those too. Maybe the employee really likes coffee? Or maybe the startup process for the computer takes long enough that you can get a cup of coffee by the time the login is complete and if you try to do it earlier you’re going to run into slowness or indexing issues.

Documenting the steps is important. You also have to document the reasons behind the steps. Why must we tackle the project in this specific order? If you are doing Task A and then Task B why can’t you do the second task first? If you have no good justification then you should be able to do them in any order. But if Task B requires something from Task A to be able to be completed you need to document that. Otherwise people are going to do them out of order and miss steps.

Going back to our IBM deployment guide, why did there need to be so many reboots in the original document? Well, some of them were necessary. We needed to change the machine name before we joined it to the domain. We needed to log in with the username locally to create the profile before we logged in with the domain account so everything was created properly (this was NT4 domain days). Now, the instructions had us rebooting after every change, which added 3-4 minutes to every step along the way. My friend and I knew we could cut that down and do multiple changes for each reboot as long as they didn’t depend on the others being done first. But the original process was the “way it had always been done” and we had to prove it was better this way.
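The ordering rule in the two paragraphs above (Task B may share a reboot with Task A only when it does not depend on Task A having finished) generalizes to any checklist once the dependencies are written down. Here is an added example, not the original IBM procedure or any code from the post, that turns a documented dependency list into reboot batches and refuses to produce a plan when a dependency is undocumented or circular. The step names and their dependencies are a constructed stand-in for the deployment checklist.

```python
"""Group deployment steps into reboot batches from documented dependencies."""
from typing import Dict, List, Set

# Constructed checklist: step -> set of steps that must have completed
# (and been followed by a reboot) before this step may run.
STEPS: Dict[str, Set[str]] = {
    "rename machine": set(),
    "join domain": {"rename machine"},              # name must be final before joining
    "create local profile": set(),
    "log in with domain account": {"join domain", "create local profile"},
    "copy user data": {"log in with domain account"},
    "configure email": {"copy user data"},
    "install printer drivers": set(),               # independent of everything else
}


def reboot_batches(steps: Dict[str, Set[str]]) -> List[List[str]]:
    """Return batches of steps; each batch is followed by exactly one reboot.

    A step joins the earliest batch whose predecessors have all been rebooted
    already, so independent steps share a reboot. An undocumented dependency
    or a dependency cycle raises ValueError: that is the "why can't Task B
    come first?" question the checklist has to be able to answer.
    """
    known = set(steps)
    for name, deps in steps.items():
        unknown = deps - known
        if unknown:
            raise ValueError(f"{name!r} depends on undocumented step(s): {sorted(unknown)}")

    done: Set[str] = set()
    batches: List[List[str]] = []
    remaining = dict(steps)
    while remaining:
        # Every step whose dependencies are all satisfied can run before the next reboot.
        ready = sorted(n for n, deps in remaining.items() if deps <= done)
        if not ready:
            raise ValueError(f"dependency cycle among: {sorted(remaining)}")
        batches.append(ready)
        done.update(ready)
        for n in ready:
            del remaining[n]
    return batches


def reboot_count(steps: Dict[str, Set[str]]) -> int:
    """Reboots needed when independent changes share a reboot."""
    return len(reboot_batches(steps))


def naive_reboot_count(steps: Dict[str, Set[str]]) -> int:
    """Reboots needed under the 'reboot after every change' procedure."""
    return len(steps)


if __name__ == "__main__":
    for i, batch in enumerate(reboot_batches(STEPS), start=1):
        print(f"batch {i}: {', '.join(batch)}  -> reboot")
    print("naive reboots:", naive_reboot_count(STEPS), "batched reboots:", reboot_count(STEPS))
```

Run as a script, the constructed checklist collapses from seven reboots to five; the saving is exactly the set of steps with no unsatisfied dependency at each point. The more useful property is the failure mode: if someone adds a step that depends on something nobody wrote down, the planner refuses rather than quietly producing an order that will break in the field.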

You’ll Always Get What You’ve Always Got

It’s not enough to challenge the process for no reason. Maybe your way is better. Or faster. Or just easier. But you have to prove it. You have to be willing to examine the process and ensure that what you’re doing is objectively better. It’s like taking a shortcut to work. It may feel faster for you. However if it takes 2 minutes longer on your drive is it really worth it? Or are you doing it because you don’t like driving or walking the other way?

Back to IBM and the laptop deployments. In order to get the revised process approved, I had to prove it was faster and provided the same output. I had to go into the lab and deploy using the old method and capture all the settings and data. Then erase the machine and deploy using the new settings and repeat the data capture process again to make sure the results were the same. Once I could prove that the new process resulted in the same output, we could move on to the second step.

Step Two involved timing the deployment. Now, in order to make sure I wasn’t juicing the numbers in either direction, we had our oldest, slowest laptop deployer use the new instructions. He would regularly take over an hour to set up a new machine with the old directions. We handed him the new page and told him to use this instead. Same steps, just in a different order. He went through them all cold twice and managed to average around 45 minutes for his deployment. He even remarked that our process was better.


Tom’s Take

Once we had it proven that it was faster and easier to do the things the new way we updated the deployment procedures before the next group of interns arrived. I had left my mark on things and proven that “this is what we’ve always done” isn’t always the best justification for things. But you do have to justify why your way is better. Facts beat opinion every day of the week. And if you aren’t willing to do the work to prove why you can make things better, you’ll always be where you are right now.

Imposters Among Us

Have you been playing Among Us? If you haven’t, your kids definitely have. I found out about it a few weeks ago because my children suddenly became Batman-level detectives and knew how to ask the kinds of interview questions that would make the FBI proud. In short, the game is all about finding the imposters in your midst based on their behavior and voting them out of the group to win. Sometimes you get it right. Other times you get it wrong and vote out someone who was doing legitimate tasks. It’s all a matter of perception.

Now, let’s look at another situation where we see this kind of behavior in a different light. You probably guessed where this is going already. We’re going to talk about Imposter Syndrome in our non-gaming lives and how it affects us. We may even make reference to pop culture along the way.

Where You Need To Be

I was thinking about this because something I said a few years ago at Security Field Day 1 popped back up in my feed. I was giving a speech at the beginning of the first day to the delegates and I wanted them to know that I understood that they may feel like they didn’t deserve to be there. I wanted to reassure them that they were where they needed to be. So I said something along the lines of the following:

You are here in this position because you earned it and deserve to be here. It would be an insult to those above and around you to think otherwise. If you have doubt in yourself, trust in those around you that they know who is best for your role.

Thanks to Kori Younger for recalling that specific part of the speech. Imposter Syndrome is hard to overcome because we really do feel like everyone else around us knows what they’re doing and we’re the odd ones out. We feel like we don’t know how to proceed or what to do. And that feeling can be crippling at times.

The idea that we don’t know what we’re doing is really called “learning”. It’s something that we do all the time. We apply lessons and intuition to find new solutions to problems, even ones we don’t feel qualified to do. We feel more comfortable doing this in areas where we have more knowledge or feel more confident, but rest assured we apply it all over the place, especially when confronted with situations we don’t completely understand or feel comfortable working on.

Earlier this year I took a Wilderness First Aid course for an upcoming Scout high adventure trip. Now, I must admit that I’m a terrible doctor or medical professional. I don’t like the sight of blood and I tend to focus on things without having a big picture. WFA is all about what happens when you find yourself in the back country far away from a hospital and what to do to handle situations. After a while, the solutions all kind of started sounding the same. You need to assess, stabilize, and almost always evacuate when critical. Now, that whole process sounds fairly simple when boiled down. But considering the crazy amount of things they want us to know about, like Acute Altitude Sickness, Hypoglycemia, and even things like concussions that cause cerebrospinal fluid leakage, you can see how easy it is to quickly be overwhelmed. However, the training up to that point helps you understand what to do: assess, stabilize, and evacuate if needed.

Applying A Process

Training and baselines help us overcome imposter syndrome in real life. We do similar things in IT or in other lines of work. When we encounter something we don’t understand or we feel overwhelmed by, we repeat the same process.

  • Assess – What is going on? Does this look like something I’ve seen before? The more it looks like a previous experience the more knowledge I can apply. Trust what you know. Being wrong because you applied an incorrect lesson is better than being wrong because you did nothing. Your experience will always serve you well. Trust those instincts.
  • Stabilize – This is where we spend a lot of our time. How can I fix this problem? Or stop it from getting worse? How can I get back to a point where things work well enough to be able to reassess or make a different decision? Stabilization is the work that goes on in a process. A problem that is 100% stable is fixed. A problem that is 25% stable is better than it was with room for improvement. We need to apply lessons and things from our experience here too. Seen OSPF fall over before? Let’s try some things to get the routing table stabilized. Seen someone slice open their finger with a pocket knife before? We know how to fix this so it won’t reopen.
  • Evacuate – This one is a little more tricky. Sometimes we can’t fix something. Or we don’t know what’s wrong. So what do we do? Sit there wringing our hands? Scream at the sky? No, we get help. In WFA, evacuation is all about getting better help, whether it’s a first responder at base camp or a doctor in a hospital. In a professional setting, evacuation is more about finding the right help to get past an issue. Asking a mentor or senior person about the issue. Calling the support line. Asking someone on Twitter if they’ve ever seen this before. These are all great examples of evacuation from a situation. There’s no harm in asking for help. But there is harm in not asking for help when you need it.

Remember that everyone else around you is doing the same things you’re doing above when you find yourself in a situation you don’t completely understand. Some look more expert because they have better knowledge to relate to the problem. It doesn’t mean they’re smarter than you or better than you. It means they’re more adept at this problem for this time. Some people are more suited for things than others.

To quote Einstein, “Everyone is a genius. But if you judge a fish by its ability to climb a tree, it will spend its whole life believing it’s stupid.” If we only judge people harshly by their ability to adapt to unknown situations with a minimum of information and then spend hours in post-mortem meetings laying out why they didn’t do everything right, we’re going to make them feel like imposters. Instead, let’s cut them some slack and remind ourselves that we probably couldn’t do as well as they did in the same situation. And if we could have done better than they did, this is a time to step up to the plate and mentor them to make them better. Apply your knowledge to theirs and they will succeed next time. Hoard your knowledge and you will forever believe that they are the imposter.


Tom’s Take

Among Us is all about finding imposters in our midst based on their behavior and what tasks they’re doing. Real life is all about proving we aren’t imposters by doing things and showing our worth. As much fun as the game might be trying to figure out who the imposter is, our reality should be spent more on encouraging people to feel better and mentor them through the process of believing in themselves and applying their knowledge to a problem to have a successful outcome. We should be focusing on making everyone better and more confident. There’s nothing suspect about that.

When Will You Need Wi-Fi 6E at Home?

The pandemic has really done a number on most of our office environments. For some, we went from being in a corporate enterprise with desks and coffee makers to being at home with a slightly different desk and perhaps a slightly better coffee maker. However, one thing that didn’t improve was our home network.

For the most part, the home network has been operating on a scale radically different from those of the average corporate environment. Taking away the discrepancies in Internet speed for a moment you would have a hard time arguing that most home wireless gear is as good or better than the equivalent enterprise solution. Most of us end up buying our equipment from the local big box store and are likely shopping as much on price as we are on features. As long as it supports our phones, gaming consoles, and the streaming box we picked up we’re happy. We don’t need QoS or rogue detection.

However, we now live in a world where the enterprise is our home. We live at work as much as we work where we live. Extended hours mean we typically work past 5:00 pm or start earlier than 8:00 or 9:00. It means that we’re usually sending emails into the night or picking up that project to crack a hard problem when we can’t sleep. Why is that important? Well, one of the arguments for having separate enterprise and home networks for years was the usage cycle.

To your typical manager type in an organization, work is work and home is home and n’er the twain shall meet, unless they need you to work late. Need someone to jump on a Zoom call during dinner to solve an issue? Want someone to upload a video before bed? Those are reasonable requests. Mind if my home wireless network also supports the kids watching Netflix or playing Call of Duty? That’s a step too far!

The problem with enterprise networking gear is that it is focused on supporting the enterprise role. And having that gear available to serve a consumer role, even when our consumer office is also our enterprise office, makes management types break out in hives.

Technology Marches In Place

Okay, so we know that no one wants to shell out money for good gear. I don’t want to pay for it out of my pocket. The company doesn’t want to pay for something that might accidentally be used to do something fun. So where does that leave the people that make enterprise wireless access points?

I’ll admit I’m a horrible reference to my friends when they ask me what kind of stuff to buy. I tend to get way too deep into things like coverage patterns and device types when I start asking what they want their network to look like. The answer they’re usually looking for is easy, cheap, and simple. I get way too involved in figuring out their needs as if they were an enterprise customer. So I know that most people don’t need band steering or MIMO support in the house. But I still ask the questions as if it were a warehouse or campus building.

Which is why I’m really starting to question how the planned rollout of technologies like Wi-Fi 6E is going to happen in the current environment. I’ll buy that Wi-Fi 6, also known as 802.11ax, is going to happen as soon as it’s supported by a mainstream consumer device or three. But elevating to the 6 GHz range is an entirely different solution looking for a problem. Right now, the costs of 6 GHz radios combined with the operating environment are going to slow adoption of Wi-Fi 6E drastically.

Home Is Where the Wi-Fi Connects

How hostile is the wireless environment in your house? Aside from the odd microwave, probably not too bad. Some of the smart utility services may be operating on a separate network for things like smart electric meters or whole-home DVR setups. Odds are much better that you’re probably in a nice clean radio island. You don’t have to worry about neighboring businesses monopolizing the air space. You don’t have to contend with an old scanner that has to operate on 802.11g speeds in an entirely separate network to prevent everything from slowing down drastically.

If your home is running just fine on a combination of 2.4 GHz for older devices or IoT setups and 5 GHz for modern devices like phones and laptops, what is the advantage of upgrading to 6 GHz? Let’s toss out the hardware argument right now. If you’re running on 802.11ac (Wi-Fi 5) Wave 2 hardware, you’re not upgrading any time soon. Your APs are new enough to not need a refresh. If you’re on something older, like Wi-Fi 5 Wave 1 or even 802.11n (Wi-Fi 4), you are going to look at upgrading soon to get some new features or better speeds now that everyone in your house is online and gobbling up bandwidth. Let’s say that you’ve even persuaded the boss to shell out some cash to help with your upgrade. Which AP will you pick?

Will you pick the current technology that has all the features you need in Wi-Fi 6? Or will you pay more for an AP with a feature set that you can’t even use yet? It’s a silly question that will probably answer itself. You pay for what you can use and you don’t try and break the boss’s bank. That means the likelihood of Wi-Fi 6E adoption is going to go down quickly if the new remote office has no need of the technology.

Does it mean that Wi-Fi 6E is dead in the water? Not really. What it does mean is that Wi-Fi 6E needs to find a compelling use case to drive adoption. This is a lesson that needs to be learned from other protocols like IPv6. If you can’t convince people to move to the new thing, they’re going to stay on the old thing as long as they can because it’s cheaper and more familiar. So you need to create a new device that is 6 GHz only. Or make 6 GHz super fast for things like media transfers. Or maybe even require it for certain content types. That’s how you’re going to drive adoption everywhere. And if you don’t you’re likely going to be relegated to the same junk pile as WiMAX and ATM LANE.


Tom’s Take

Wi-Fi 6E is the great solution for a problem that is around the corner. It has lots of available bandwidth and spectrum and is relatively free from interference. It’s also free from the need to adopt it right away. As we’re trying to drive people toward Wi-Fi 6 11ax infrastructure, we’re not going to be able to make them jump to both at once without a killer app or corner case requirement. Wi-Fi 6E is always going to be more expensive because of hardware and R&D costs. And given the chance, people will always vote with their wallet provided their basic needs are met.

Thoughts From Networking Field Day 23

I know I’m a little late getting this post out but Networking Field Day 23 was a jam-packed event with lots of things to digest. I wanted to share some quick thoughts about it here that should create some discussion amongst the community, hopefully.

  • If you don’t believe that wireless is the new access edge, go look at Juniper. Their campus networking division is basically EX switching and Mist. That’s it. Remember how HPE called Aruba a “reverse acquisition” years ago? And how Aruba essentially took over the networking portion of HPE? Don’t be surprised to see Juniper getting more misty sooner rather than later. And that’s a good thing for everything that isn’t a carrier or service provider router.
  • Network monitoring became telemetry and is now transforming into digital experience. What is the difference to me? Monitoring devices tells you point-in-time information. Telemetry gives you the story of those point-in-time measurements over the course of days or weeks and can help you find issues. Experience is all about how that looks to your users. Problems don’t always affect users the way they appear on a dashboard. Likewise, things you don’t see in your alerts can affect users in unforeseen ways. Honestly, you’re going to have to have all three going forward if you want your employees and your customers to be happy.
  • SD-WAN is moving away from being connectivity only. It’s starting to be focused on application experience and enablement. Sure, that means there’s some connectivity pieces under the hood. But, just like your mobile phone, you don’t care how your favorite app is communicating with the cloud as long as you can get there. Likewise, we are soon going to care less about our connectivity (as long as it works) and more about how quickly we can get our users to their favorite locations. Simplification indeed.
  • Whether we realize it or not, enterprise networking as we know it is going to change. Forget about the home network being just a connection. The network inside the home router is going to have to look more like an enterprise than a home. You need switches and enterprise APs to ensure your employees have the best connectivity. Yes, this means you’re going to have to spend more money on your remote workers. And yes, this also means there’s a good chance the equipment is going to be used for non-business-related traffic. But the alternative is to hamper your workers with substandard connectivity, because not everyone can afford 802.11ax APs and gigabit switches on a remote-worker budget.
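The monitoring / telemetry / experience distinction in the second bullet is easier to see on one set of numbers than in the abstract. The following is an added example, not code from the original post or from any vendor at the event: it takes a constructed series of per-minute latency samples for an application path and evaluates it three ways. The point-in-time check looks only at the latest sample, the telemetry view fits a trend across the window, and the experience view takes a high percentile, which is what the users who hit the slow requests actually feel. The threshold and the p95 objective are assumed values chosen for illustration.

```python
# Added example (not from the original post): the same latency samples
# viewed as point-in-time monitoring, telemetry trend, and user experience.
from math import ceil
from statistics import mean

# Constructed sample data: one round-trip latency reading (ms) per minute.
# The second half drifts upward and contains two spikes, but the very
# last reading looks healthy on its own.
SAMPLES_MS = [22, 24, 23, 25, 24, 26, 23, 25, 24, 26,
              28, 31, 30, 34, 90, 33, 36, 120, 38, 27]

THRESHOLD_MS = 50   # assumed alert threshold for the point-in-time check
SLO_P95_MS = 40     # assumed user-facing objective on p95 latency


def point_in_time_ok(samples, threshold=THRESHOLD_MS):
    """Monitoring: does the latest reading sit under the alert threshold?"""
    return samples[-1] < threshold


def trend_slope(samples):
    """Telemetry: least-squares slope in ms per sample across the window.

    A positive slope says the path is degrading even if no single reading
    has crossed the alert threshold yet.
    """
    n = len(samples)
    xs = range(n)
    x_mean = mean(xs)
    y_mean = mean(samples)
    num = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, samples))
    den = sum((x - x_mean) ** 2 for x in xs)
    return num / den


def percentile(samples, pct):
    """Experience: nearest-rank percentile (pct is an integer 1..100)."""
    ordered = sorted(samples)
    rank = ceil(pct * len(ordered) / 100)   # 1-based rank
    return ordered[rank - 1]


def experience_ok(samples, slo_p95=SLO_P95_MS):
    """Experience: are the slowest 5% of requests still inside the objective?"""
    return percentile(samples, 95) <= slo_p95


def assess(samples):
    """Return all three verdicts so they can be compared side by side."""
    return {
        "monitoring_ok": point_in_time_ok(samples),
        "trend_ms_per_sample": round(trend_slope(samples), 2),
        "p95_ms": percentile(samples, 95),
        "experience_ok": experience_ok(samples),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLES_MS).items():
        print(f"{key}: {value}")
```

On this data the point-in-time check passes (the last reading is 27 ms), the trend is clearly positive, and the p95 is 90 ms against a 40 ms objective, so the dashboard is green while the users who drew the spikes are already unhappy. That is the gap the bullet describes, and it is why a monitoring-only alert is a poor proxy for experience.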

Tom’s Take

Stay tuned for more coverage from Networking Field Day as well as some more networking thoughts!