ANECDOTES AND OBSERVATIONS FROM A FUN LIFE
This article is crossposted to LinkedIn here for comments and discussions.
Ever since I started OWASP and it suddenly took off, I have been fascinated by what makes some things rise up. In recent years, as OWASP lost its shine, I have also become fascinated by why things fall from grace and how you can make them rise again. It happens all the time. Things are trendy, and then they are not. Things are industry standards, and then they are not. Things are household names, and then they are not.
This phenomenon happens to security products, security companies and security communities all the time, but they are obviously not unique. You see it all the time across loads and loads of things.
Reflecting on my education and working life, from my teenage years right through to today, I think there are common patterns that create these situations, and by being conscious about them, you can avoid them or address them. I like to think I have had a colorful life. It’s been at least funny and rewarding, so here is my life and my observations about what makes things come and what makes things go.
In my teens, I had a 14.4 modem and a Sinclair ZX Spectrum. People got their tech news and messages via CompuServe. The Internet existed but access to it was not common. There was no Xbox Live, people played Chuckie Egg. There was no Netflix, people rented VHS tapes from a video store. There was certainly no Pornhub, young men in the UK got their teenage kicks from a sneaky peek at a pair of boobs printed on page three of the Sun, usually fish and chips wrapping. It was a very different time, technologically and culturally.
I used to copy computer games using simple cassette recorders chained together with an audio cable and two jack plugs. I used to ‘war dial’ using the home phone when my mum was out. Of course she saw the bills and turned a blind eye. It was relatively hard to learn how things worked, and my social network was as far as I could ride my bike. The next village if you are interested. Basic information was just not readily available and collaboration was hard, but I could learn at my own pace, work for as long as I wanted, whenever I wanted, and use anything that was available to me. There were no long nights with pizza and soda, maybe some evenings eating fish and chips in my room, but I honestly can’t remember, and wouldn't admit to it even if I did. What I do know is that they were fun and very rewarding times, and I felt I accomplished a lot. My personal productivity was off the scale and I was highly motivated to do more.
What this taught me was that one determined person can and will find a way to do something, if they have some grit and determination, and if it is something they enjoy. You see this time and time again in security startups.
In the sixth form doing A levels, I was at a boarding school called Sexeys. Yes Sexeys, I kid you not. Sexeys was steeped in history, in tradition, and in silly fucking rules. Boys slide down banisters and that doesn't deserve detention. No one is going to kill themselves doing it. I had the fastest time in the school at one point. I am still here. I fell off loads of times. Boys raid the tuck shop, get over it. Boys will sort it out for themselves, they don’t need micromanaging. It's part of growing up and becoming an adult.
The head of house ran a computer club. They had BBC Micros and some other computer that I can't remember the name of. He was a useless old fart that made the twenty or so members do the same boring exercises, at the pace of the slowest person in the class. I hated it and learned nothing. Almost everyone joined the computer club because they were interested in computers, but then left the computer club because it was boring.
What I learned from Sexeys was that micromanaging people and loads of pathetic rules is wrong. I learned that dull leaders not only fail to inspire people, but actually put them off, and I learned that if you force people to work at the pace of others you do nothing but handicap and disillusion bright and motivated people.
I was eventually expelled from Sexeys, for some questionable behavior. I only share the details when I am plied with good beer or wine. It involved a girl and a cricket field.
During my undergraduate degree in mechanical engineering, I hacked hardware dongles and copy protected software. Most of it was expensive garbage software anyway, and should have been free. Copy a field from one byte sector on a floppy disk to another, and away you go. Route the input of a dongle directly to the output and bypass the protection of three thousand pounds worth of computational fluid dynamics software. I just rewired some printer connectors and away you went. I had a few close calls from lab assistants that suspected what I was doing. People were turning in assignments without having checked out the lab's dongles, but I learned to deny things. If they couldn’t prove it, then it never happened.
The next term I figured out how to bypass AutoCAD and ran the same playbook. I made even more money and was a cool kid. It didn't immediately help with girls, but I did have money to pay for drinks at pubs and clubs so it did in the end.
In the final term I was unable to bypass some electrical engineering simulation software. Some other bloke did, and he got all the attention. He earned all the pocket money. My little business came to an abrupt halt and people moved on, forgetting about me.
What this taught me is that if you solve a useful problem then people are interested. It also taught me that when you solve a problem with an immediate need, people will buy whatever you are selling. It's the ‘gunshot to the chest’ versus the papercut analogy for startups. It also taught me that you have to keep up and you are only as good as your last big thing.
These lessons are of course true for security companies and security communities. You see it all the time. A new technology comes out like cloud infrastructure, and network security companies that were once red hot, like Symantec and McAfee, fall from grace. OWASP started focusing solely on the web and has failed to adapt to things like the cloud and web3.
I was eventually hauled in front of the dean of students, who threatened I would not be allowed to graduate. Some twat had grassed me up because he refused to pay me for my fake dongle. I of course denied it because there was no evidence. He didn’t buy one, and I knew no one else would grass because they would incriminate themselves. I think he went on to be a train driver and probably, to this day, packs his own lunch in a sandwich tin to take to work each day. Total and utter twat. Probably a train spotter as well.
After my undergraduate degree and igniting my own passion in computer security, I did a masters degree in information security at Royal Holloway, University of London. We used to hack the PDP, hack the Linux labs and hack the campus network for fun. Outside of the math department that housed the information security group, and its computer systems, it was cannon fodder. The information security group knew what we were doing and turned a blind eye, just like my mum had. I spent many nights in the labs, often after the student union kicked us out of the bar, and when we were completely bladdered. I learned from, and was inspired by, fellow like-minded people on the course. Bob Tinsley seemed to be able to hack almost anything. He rewrote Alec Muffett's Crack one night to be 10x faster, and even rewrote the Linux mouse drivers because he was left handed and somehow they pissed him off. We were sat right on JANET, and an easy route to the UK internet backbone. Go figure. You learned your academic material like cryptography from paper books, but were taught by the people that wrote them, like Fred Piper. It was a lot of fun. We even had a stash of hash. “Can you hash the hash?” was a common joke, only funny when you are stoned.
What I learned at Royal Holloway, apart from all of the academic security knowledge that I still have today, was that when like-minded people self-assemble in teams, have very few rules and almost no oversight, then they can do really great things. The informal computer club we created at night in that lab was the polar opposite of the one at Sexeys.
After graduating, I spent several years doing dull PKI work, Novell NetWare migrations and Microsoft Windows security projects at investment banks in the City of London. It was boring work, although I lived the high life as part of the excessive financial services culture in the City at the time. I have stories, trust me, I have stories. Despite the gregarious trading floors, front-of-house at places like Barings Bank, the back of house was almost always the opposite. Everyone in IT looked and talked the same. Walking zombies. Everyone complained about Lotus Notes, Novell NetWare printing and unusable Windows PCs, but no one did anything about it. People were apathetic. If it's not broken, don't fix it. “We can’t change our things too fast or people will be upset”. Barings was almost bankrupted by Nick Leeson, a story brought to life in the book and the Hollywood movie Rogue Trader. If you understand the situation, everyone knew something wasn’t right but people were apathetic and nobody wanted to call it out. That was until it collapsed and everyone said “you could see that coming”. That was the culture.
What I learned at Barings and other banks was that big old conservative companies attract old, conservative people who want the status quo. People don't want to upset the apple cart, even if they know bad things might happen. They are lazy. These types of companies are uninspiring and dull.
This has been true in the UK with retail banks, where the big old stuffy brands like HSBC, Lloyds and NatWest are being replaced by challenger banks like Starling and Monzo. It happened in the airline industry too, where companies like BA were replaced by companies like EasyJet.
I moved to America in 2000 to work for Internet Security Systems (ISS), which couldn't have been more different than Barings. I was recruited to ISS by Steve Gant (former Navy SEAL, all around badass and lovely human), having deployed some of their software while working for a progressive investment bank in London, Dresdner Kleinwort Benson. ISS was known for having revolutionized the network scanning and intrusion detection markets with their Internet Scanner and RealSecure products. It was also famed for its team of crack security researchers, the ISS X-Force, who published a constant stream of highly credible vulnerability reports, especially in Windows. It was certainly a ‘hot’ security company and it went public when I was there.
ISS was also a ‘party city’, full of young passionate security people and an exciting place for a twenty-year-old. There was beer on tap. Someone had used a WAD editor and re-built the entire office in Doom. You could wander into Tom Noonan the CEO’s office and blow his head off. When the company had kick-off meetings it was crazy. Noonan and the founder Chris Klaus would enter the stage of the kickoff meetings on motorbikes and things. While I was there, we had a company-wide party with a vodka luge, carved from ice in the shape of a giant penis. You had to get on your knees and take your shot of vodka when you entered the venue. In the office people drank champagne from the shoe of a hooker. Yes, a real shoe, and it was a company tradition. Actually it was a company honor to be able to do it. Yes, it was absolutely terrible and inappropriate behavior looking back, but not at the time. It was fun. They were different times.
What I learned at ISS and what was so special about ISS, beyond market timing which it undoubtedly had, was how the company culture attracted so many talented security people and it had kept that culture from the very start right up until the company went public. It was a culture that made the company cool both on the inside and cool on the outside and that made the army of highly technical people that were all absolutely passionate about security, feel at home. It was a loyal army of people that built amazing products and a loyal army of researchers that did such amazing work. Everyone felt they belonged.
That culture at ISS, and its permission to exist (despite looking back with horror), was the result of a brilliant leader, Tom Noonan. Noonan was respected. Noonan was at the coalface. Noonan had a plan. Noonan inspired. Noonan never micromanaged. More than anything else, what I learned at ISS was that leaders make or break security companies and communities.
ISS was later sold to Cisco and then to IBM. You rarely hear about it now and it is certainly not a hot or innovative company anymore. Cisco and then IBM sucked the culture dry and all of those talented young people left. The products have died as far as I am aware.
When I left ISS, I went to work at Charles Schwab. When I arrived, I was shocked to find out Schwab was still running a mainframe and the online brokerage system was largely a single, monolithic, C-CGI application. When I got there, the security leadership team was old and conservative, writing policies and telling people they couldn't do things. Later I learned they were widely referred to as the thought police behind their backs.
During my tenure, the security leadership was replaced by a young maverick called Dr. Douglas Merrill, or Dr Dougie as we used to call him. Doug gave me and others direction and left us to do good things. He encouraged us to build personal relationships with people that mattered, and to choose wisely what we spent our time on. I did, and I even moved my desk from the security team to the development team. When I left Schwab, we had migrated the entire electronic brokerage system to Java, united hundreds of systems servicing millions of users using SAML, and I was best friends with the development team.
The biggest lesson I learned from Doug was when he not only let me start OWASP, but encouraged me to do it. From within an old school company that never participated in open-source and had no culture of sharing internal documents, he told me to be unconventional because it would be worth it. It was. I took intellectual property, turned it into a public document, the first OWASP Guide, and launched a community. It was done behind the scenes and in an unconventional way but it happened.
Looking back fondly at that time, I realize now that it's OK to be unconventional and operate behind the scenes, if you believe what you are doing is worth it.
What I applied to those early days of OWASP was what I had learned from previous experiences, although I didn’t know that at the time.
You have to have a plan, an informal plan is fine, and you need one person that the people that matter can get behind and work with. Without a person that can lead and inspire the people that matter, you will get analysis paralysis, apathy and dissolution. You have to set a lofty but achievable goal. The movement you are asking them to join, has to be meaningful and people have to have a sense of purpose. You have to only have high performing motivated people. You have to have as little friction as possible in getting things done. You have to have as few rules as possible.
After Charles Schwab I joined Foundstone, famed for writing the Hacking Exposed books. My mum loved her Christmas present that year. Not really, but it was signed by George and Stu so she thought it was cool. At Foundstone, we used to build a lot of free and innovative tools, like the first tools to do Google dorks and really fast multi-threaded port scanners. At Foundstone we sold a lot of training and service by writing a note on the proposals: ‘Do you want to learn from people who read the books and use the tools, or the people that write the books and write the tools?’ We used to win a very high proportion of proposals.
What I learned while I was at Foundstone was that credibility matters. People trust people that have actually done things, and not people that just talk about doing things. Action over ideas. Your track record matters.
Foundstone was acquired by McAfee, where I stayed for four years reporting to the president of the company. He was a great guy, and I was very well looked after, but it was boring as hell. McAfee had had its day. It was full of old people. There was nothing inspiring about it. The software was old and had hardly changed for years. It was a sales driven culture with shit offices and shit snacks. Apart from executive offsites in places like Monaco and Portugal, the company had no party culture. People weren’t passionate. People weren’t aspirational. People didn’t work hard. The leadership team was checked out and so was the rest of the company.
The end result of course was that George went on and formed CrowdStrike, eating McAfee's lunch. Market timing was right, he had a clear mission and he surrounded himself with talented and driven people. Today CrowdStrike's market cap is $25 billion, five times that of McAfee. Today you talk about McAfee in the past tense, including the nut job that gave the company its name. McAfee as a company is all but irrelevant today.
Yet again I learned that culture, credibility and leadership matters.
I left McAfee to join MSFT, first running the security tools team and later as the Principal Product Unit Manager running the MSDN Subscriptions team, where we had a million subscribers, 40 million pageviews a month and approaching $1 billion in annual revenue. When I first arrived, what we didn't have was downloads, because at the time everything was shipped on CDs, or shiny coffee mats as people used to call them. I spent two years with a large team to build a global software distribution system that was capable of sustaining 11% of the world's Internet traffic the day when the new version of Windows was first released digitally.
What was frustrating about that time was when I realized that the MSDN subscription service was responsible for one third of the Azure consumption due to the 100 free hours I would give away with each subscription. More interesting was that we had only activated 0.3% of the subscriber base. After a quick user study, it turned out that the reason for low adoption was that we asked for a credit card with an unlimited charge cap upfront, intended to cover overages. An easy fix right? Just remove the credit card charge and ask for a card when the free hours are up right? After three months of meeting after meeting, I was told that I would have to use another team who owned the payment systems to do the work. It would cost almost $1 million from my budget, and it would take nine months to implement after the next fiscal year. Yeah, 18 months to remove a credit card form from a web site, that could have driven the most capacity for one of Microsoft’s most strategic projects ever. We took it to Ballmer who banged heads, but Microsoft was not for me and I left. Bureaucracy and red tape gone mad.
Azure of course has been a runaway success, and it's largely thanks to Scott Guthrie. Not only is he a really nice guy, he motivates teams, surrounds himself with talent and just gets shit done. Sound familiar? When he used to own ASP.NET, the Visual Studio team couldn't keep up with his needs so he built his own IDE. He doesn't take dependencies on other teams, which is one of his patterns of success. He is a beast. He just gets shit done. Microsoft could have easily gone the way of IBM, but thanks to a strong leader, with a vision and a get shit done attitude, he reinvented the company and kept it relevant.
Microsoft taught me that sometimes, in big old organizations, things that appear to be no-brainers, just get blocked by red-tape and unless you are the king-makers there is little you can do about it. Microsoft also taught me that old organizations, even ones in decline, and ones on a path to irrelevance, can change with the right leaders. That's an important lesson.
After MSFT I have done three startups. The first, SourceClear, was sold to Veracode in 2018, and the second, Open Raven, is now five years old. I am still a major shareholder in Open Raven but no longer involved. I have previously written about my experience from those companies in my article Security Startup Tips and Tricks from the Field, so I am not going to repeat it here.
My latest company, Crash Override, is on fire. We are a crack team of ten, the most technical team I have ever worked with. We all trust each other. We have the least red tape of any company or organization I have ever been a part of. We are just getting on with it, and building shit fast. Talk is cheap. We are getting shit done.
John and I have watched a lot of security companies come and go over the years. We are coming for you, old school tools that generate loads of noise and provide no value. We are coming for you, appsec tools that are missing critical features to properly operationalize. And we are coming for you, companies that are not looking after their engineering and security talent.
So Checkpoint vs PANW? PANW vs Wiz? RSA vs Okta? OSSF vs OWASP? Splunk vs Panther? Veracode vs CodeQL? SlashDot vs Reddit? The RSA Conference vs B-Sides?