Commentary Archives

No “real” monitoring for cloud apps – yet.


Brett Winterford at ITNews.com.au recently reported on a group of digeridoo-gooders at the University of New South Wales, who asked a question that many of us were wondering about – how do cloud apps perform under stress tests, and are they up to the tasks that modern enterprises typically throw at their in-house networks?

Testing Amazon, Google, and Microsoft’s cloud offerings, they simulated 2000 concurrent users connecting to each of the cloud services, “measuring response times and other performance networks.”

What they found was that the Web-based cloud services could scale up to meet the demand… but not reliably.  Response times varied depending on the time of day, what features were added and dropped, and… well…


"Using Google AppEngine, none of your data processing tasks can last any longer than thirty seconds, or it throws an exception back at you," [Researcher Anna Liu] said. "This is very consistent with the Google business model - they want to enable simple web applications to thrive on the Internet. AppEngine is there to enable the rapid development of simple web applications that don't include intense computing at the back end."


According to Liu, the company most poised to accept migration of in-house enterprise apps is Microsoft.  Still…


"None of the platforms have the kind of monitoring required to have a reasonable conversation about performance," she said. "They provide some level of monitoring, but what little there is caters for developers, not business users. And while Amazon provides a dashboard of how much it is costing you so far, for example, there is nothing in terms of forecasts about what it will cost you in the future.”


Cloud computing applications may eventually replace many of the traditional IT applications, but the limitations inherent to Web-based computing will mean that it is not an acceptable fit for many enterprise apps.  The opportunity to save money lies in knowing which apps will work best with cloud computing, whether moving to the cloud will save you money in the long term, and how well those applications will perform once they’ve been moved to the cloud.

Perhaps the solution that shows the most promise (and this is idle speculation here) is an application that is based in the in-house datacenter but, if it should need additional processing beyond what in-house resources can provide, dynamically requisitions additional computing power from the cloud.  Such an application would probably require cloud computing interoperability standards that are still in their nascent stages, however – and you still need to monitor performance to know when more resources are needed, and whether adding resources from the cloud actually improves the performance of the application.


Dynamically Allocating Resources on the Cloud


There’s an article on ZDNet talking about a video where Sun Microsystems CTO Lew Tucker talks about how future cloud computing applications will be able to know exactly how much demand there is for the application, and requisition the appropriate amount of computing power. During high demand, the application could grab more resources, preventing application-based slowdowns, and during low demand, the application could release resources back into the cloud, saving the company money.

Of course, ZDNet’s title for the article is “Future Cloud Apps won’t need humans” which conjures up frightening images.

If it’s any indication, dynamic allocation of the needs of information will cause anxious consternation about the continued necessitation of the IT occupation, and frantic desperation. (Of course, that’s just idle speculation.)

But it might be more accurate to suggest that “Future Cloud Apps won’t need humans to babysit them.” That is – all that Tucker talks about is the idea of taking what used to be a manual process – deciding how much processing power any particular application needs – and having the computer make that determination on the fly based on the actual processing power needs. Certainly, humans will be involved in determining how much power is “too much,” how much slowdown is “acceptable,” and – most importantly – how much performance that the end-users can actually use.

This has two main impacts on the networking side of IT. First, if an application can dynamically allocate more resources during times of excess need, application performance may still be limited by the server or by the network, but it eliminates one of the main causes of application performance problems – not assigning enough resources to the application.

Additionally, application performance becomes important independent of the network, as a poorly coded application might need more resources and therefore require more money to operate.

Secondly, when you essentially remove the limits on application performance by simply allowing it enough resources to do the job at any time of the day, you have to continue to look for other bottlenecks. If you have the capacity to do more with what you’ve got, it makes sense to do everything you can to take advantage of that capacity.

Now, before this possibility becomes a reality, cloud computing standards need to be developed, agreed upon, and used in order to have multiple applications cooperate in any dynamically scaling environment. That may be very soon, or a long way off, but it will probably happen, because there’s just too much money to be missed out on if there isn’t a cloud computing interoperability standard.
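To make the “humans set the limits, the computer acts on them” idea concrete, here is an added example (not code from the original post, nor anything Sun or ZDNet published): a toy scale-out controller whose thresholds, instance cap, per-instance capacity and demand curve are all constructed assumptions. The policy object holds the human decisions (how much utilisation is “too much,” how much idle capacity is tolerable, and the spending ceiling), and the controller applies them tick by tick. Notice that once demand outgrows the cap, the controller records overloaded ticks rather than buying its way out – that ceiling is exactly the decision the post says still belongs to a person.

```python
import math
from dataclasses import dataclass, field


@dataclass
class Policy:
    """The human-set knobs: what counts as 'too much' and 'acceptable slowdown'."""
    target_util: float = 0.60    # aim for 60% utilisation after a scale-up
    scale_up_at: float = 0.80    # add capacity when utilisation exceeds this
    scale_down_at: float = 0.30  # release capacity when it drops below this
    min_instances: int = 1
    max_instances: int = 8       # the budget ceiling; never exceeded
    cooldown: int = 2            # ticks to wait between two adjustments


@dataclass
class Controller:
    policy: Policy
    capacity_per_instance: float = 100.0   # requests/sec one instance serves (assumed)
    instances: int = 1
    ticks_since_change: int = 0
    history: list = field(default_factory=list)  # (demand, util, action, instances)

    def utilisation(self, demand: float) -> float:
        return demand / (self.instances * self.capacity_per_instance)

    def step(self, demand: float) -> int:
        """Observe one tick of demand, adjust the instance count, return it."""
        p = self.policy
        util = self.utilisation(demand)   # measured before any adjustment
        self.ticks_since_change += 1
        action = "hold"
        if self.ticks_since_change >= p.cooldown:
            if util > p.scale_up_at and self.instances < p.max_instances:
                # Size straight to the target utilisation, but never past the cap.
                wanted = math.ceil(demand / (p.target_util * self.capacity_per_instance))
                self.instances = min(p.max_instances, max(self.instances + 1, wanted))
                action = "scale_up"
                self.ticks_since_change = 0
            elif util < p.scale_down_at and self.instances > p.min_instances:
                # Release one instance at a time so a brief lull does not strand users.
                self.instances -= 1
                action = "scale_down"
                self.ticks_since_change = 0
        self.history.append((demand, round(util, 3), action, self.instances))
        return self.instances


def run(demands, policy=None) -> Controller:
    """Drive a controller over a demand series and return it for inspection."""
    ctl = Controller(policy or Policy())
    for d in demands:
        ctl.step(d)
    return ctl


def overloaded_ticks(ctl: Controller):
    """Ticks where demand exceeded the capacity the controller had at that moment."""
    return [i for i, (_, util, _, _) in enumerate(ctl.history) if util > 1.0]


# Constructed demand curve in requests/sec: a spike that outgrows the cap, then a lull.
DEMAND = [50, 120, 300, 600, 1200, 900, 400, 150, 40, 40, 40]

if __name__ == "__main__":
    ctl = run(DEMAND)
    for row in ctl.history:
        print(row)
    print("overloaded at ticks:", overloaded_ticks(ctl))
```

Running the constructed curve, the controller jumps to two instances on the first spike, hits the eight-instance ceiling on the second, stays saturated for several ticks because the cap forbids more, and then releases capacity one instance per cooldown period once demand falls away. Changing `max_instances` or `scale_up_at` is the “how much is too much” conversation the post describes; the code only executes the answer.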


A World without Word would be “L” to live in.


A Texas judge has ruled that Microsoft is not only in patent violation against a company called i4i, which, apparently, owns the ability to create custom XML documents, but must also halt sales of Microsoft Word 2003 and 2007 within 60 days.

ZDNet said that i4i’s patent “sounds a bit generic,” but the court ruled in their favor, granting them $200M in damages.

Did anyone else notice that the name of the company is a homonym with “Eye for (an) Eye?”

Anyway, Microsoft probably has workarounds and legal avenues to pursue before it stops selling Word, but if need be, Microsoft may just have to offer a “Texas Edition” of Word without the XML capabilities.

So if they’re going to do that anyway, allow me to suggest some other improvements to the Texas edition.


  • Standard Font: Calibri at 13 points, rather than 11. Everything is bigger in Texas.

  • When a program crash happens, instead of giving up, Texas Word will fight off thousands of kernel panics and memory errors to give Sam Houston time to save his documents.

  • Texas Word will come in two editions: Mild and Extra Spicy.

  • Clippy will run for Governor, and get at least 12.43% of the vote on a platform of “It looks like y’all are trying to run a state.”

  • Texas Word doesn’t worry about overheating CPUs. After a few years, you get used to the heat.

  • Finally, I was going to suggest “Y’all” should no longer trigger spell check, but it actually doesn’t. Try it out. However, a truly Texan Word would include “Ahma,” and “Dija” as in, “Ahma goin’ to the store, Dija need anything?”


When “AARGH!” leads to “ARRRR!”


Network World has an article by Eric Lai up today on “Five recession-era strategies for software vendors (and their customers).”

The first suggestion, however, is to “Crack down on piracy.”  It’s not that customers (or pseudo-customers) are malicious, it’s just that the licensing is often complex – like, for example, forgetting to renew a time-based license but continuing to use the software.  The problem isn’t that people don’t want to pay – the problem, Network World says, is that it’s difficult for vendors to figure out when and how to pay.

I can attest to that, just from a personal standpoint.  This past weekend, I reformatted my main desktop computer to the Windows 7 beta.  Reinstalling my programs worked pretty well, until I got to one particular program that I bought. 

I won’t name the program, save that it costs over $100, and all it does is convert video files taken from certain videocameras from an unprocessed form to one that can be used in various video editing applications.  A specialist tool to be sure – but until very recently, it had a monopoly on the Windows platform.  (On the Mac platform, there’s a freeware app that does the same thing, but you have to buy a Mac to use it....)

Now, this program, in order to prevent piracy, requires that you register and activate online.  This is no different from many programs nowadays; but the process for this program is particularly onerous.  You enter your name and serial number into a form on the company’s Web site.  That Web form will then give you an activation code number which you enter back into the application.  If the Web form goes down, or you can’t access the Internet, you can’t use the product past a seven-day trial.

This is actually kind of standard, as many programs require online support for registration, including Adobe products.  My problem comes with the de-activation process. 

That is, if you wanted to use this program on multiple computers, you would need to deactivate the program on one computer, and re-activate it on another.  And de-activation is just as complicated as activation – you tell the program you want to deactivate, and it gives you a deactivation code to enter into the Web form – which you can copy and paste, or write down later.  You then install the program on the other computer, and you reactivate it.  You cannot use the program simultaneously on multiple computers (like, for example, home, work, and laptop) so you have to keep juggling them.

One of the big problems is that if you delete the program BEFORE you deactivate the program – for example, your hard drive crashes, or you contract a nasty computer virus, or you simply forget to deactivate the program before reformatting your OS to the new version of Windows… you have to open a trouble ticket to get the support team to deactivate the program on their end.  Their support team, of course, only works on business hours, Monday through Friday, and they have better things to do, presumably, than babysit people’s applications.

In my case, I simply forgot to deactivate the program before reinstalling it, so it wouldn’t let me reactivate.  That was Thursday.

On Friday, I ended up getting a computer virus because I did something stupid.  (Note to self: Install antivirus program BEFORE installing e-mail program next time…)

So I needed to reformat again.  This time, I remembered that you need to deactivate the program before you can reactivate it, so I hit the deactivate button.  The client program then notified me that it was deactivated, and gave me an eight-digit code to enter into the Web form.

Of course, before I could write the eight-digit code down, the virus told the computer to reboot.  When I came back, there was no way to get that eight-digit code back.  So now I have to go back to the support team – again – and tell them to deactivate the program on their end – again.

Maybe this cuts down on piracy.  But I’d bet that this specialist tool is useful to so few people that there just isn’t enough of a critical mass of people willing to take the time to crack and pirate the program.

But it’s still problematic, especially from a network performance perspective.  That is – if something goes wrong – and it frequently does – it requires a man-hour investment for people to do a mindless, repetitive task. 

When you consider that this problem occurs frequently, you have to ask – why is human intervention necessary?  Why can’t customers just log in with the username and password they used when they bought the program and remotely deactivate the program themselves when something goes wrong?  Why do customers need to enter a code to deactivate, and then go to the Web site to enter that code – couldn’t the application just deactivate itself automatically when the “deactivate” button is pressed?

And of course, there’s the problem that there’s no guarantee that the company that makes this program – which is the only one of its type – will continue to be in business and operate the activation servers at any time in the future. 

All in all, this was a very frustrating experience; and the biggest frustration was that I paid for this application, while those who pirate software never have to deal with this. 

It doesn’t make piracy any more ethical, but the biggest advantage that software companies have over pirates is convenience – you get the software you want, when you want it, when you pay for it.  Except – I can’t use the software I bought.  I’m left more annoyed than someone else who may have pirated and cracked the software and doesn’t have to wait until the weekend is over in order to use it.  The pirated product is a superior one – and this can mean that frustrations caused by anti-piracy measures (“Aargh!”) can actually lead to piracy (“Arrrr!”).

All of this reminds me of chatty apps that were coded to work on LANs – very low latency, high bandwidth networks – by constantly sending little bits of information back and forth, and finding out that those apps don’t work well on high latency, low bandwidth WANs.  In many of those cases, application performance can only be improved by recoding the application for the WAN.

In this case, I’d suggest two main changes for the program above: First, I’d give each user five activations.  This way, they can keep the program at home, on their laptop, and their work computer without moving it around.  And, if they should happen to need to reinstall when they forgot to deactivate, they could do so, using up one of those spare activations.  And, finally, if they use all five activations, then they could either use their login and password to deactivate all five of their activations at once on the server side – or, if that isn’t secure for some reason, at least it will cut down the amount of time that the staff spends deactivating programs by hand by a factor of five. 

Now, there’s always a problem with multihost licensing, in that two or more people might decide to share a single purchase among them.  That’s fine, but I think the cost savings of fewer support man-hours would offset that – and increased customer satisfaction and positive word of mouth would lead to more sales overall.
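Here is what the five-activation, self-service scheme proposed above could look like on the server side. This is an added example, not the vendor’s code or anything the post itself contains; the account name, password, machine labels, token format and the PBKDF2 parameters are constructed assumptions. Each activation consumes one of five slots and returns a token the client keeps; losing that token (a reformat, a reboot mid-deactivation) costs a spare slot rather than a support ticket, and the account owner can release every slot at once after logging in. The password check is what keeps the “deactivate all” reset from being a way for anyone who knows a username to wipe someone else’s activations, which is the security worry the post raises in passing.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

MAX_ACTIVATIONS = 5  # the "five activations per user" proposed above (assumed value)


class LicenseError(Exception):
    pass


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    activations: dict = field(default_factory=dict)  # token -> machine label


class ActivationServer:
    """Server side of a hypothetical self-service activation scheme (not a real product)."""

    def __init__(self):
        self._accounts = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[username] = Account(salt, self._hash(password, salt))

    def _auth(self, username: str, password: str) -> Account:
        acct = self._accounts.get(username)
        if acct is None or not secrets.compare_digest(acct.pw_hash, self._hash(password, acct.salt)):
            raise LicenseError("bad username or password")
        return acct

    def activate(self, username: str, password: str, machine: str) -> str:
        """Consume one slot; the returned token is what an orderly deactivation needs."""
        acct = self._auth(username, password)
        if len(acct.activations) >= MAX_ACTIVATIONS:
            raise LicenseError(f"all {MAX_ACTIVATIONS} activations in use; deactivate one first")
        token = secrets.token_hex(8)
        acct.activations[token] = machine
        return token

    def deactivate(self, username: str, password: str, token: str) -> bool:
        """The orderly path: client still has its token and hands it back."""
        acct = self._auth(username, password)
        return acct.activations.pop(token, None) is not None

    def deactivate_all(self, username: str, password: str) -> int:
        """The self-service reset: the account owner releases every slot at once."""
        acct = self._auth(username, password)
        released = len(acct.activations)
        acct.activations.clear()
        return released

    def slots_free(self, username: str, password: str) -> int:
        return MAX_ACTIVATIONS - len(self._auth(username, password).activations)


def walkthrough() -> dict:
    """Replay the reinstall-without-deactivating story from the post against the model."""
    srv = ActivationServer()
    user, pw = "alice", "correct horse battery"   # constructed credentials
    srv.register(user, pw)
    log = {}
    srv.activate(user, pw, "home desktop")
    laptop = srv.activate(user, pw, "laptop")
    srv.activate(user, pw, "work pc")
    log["free_after_three_installs"] = srv.slots_free(user, pw)        # 2
    log["orderly_deactivate"] = srv.deactivate(user, pw, laptop)       # True
    # Three reformats at home, each without deactivating: spares absorb them.
    for i in range(1, 4):
        srv.activate(user, pw, f"home desktop (reinstall {i})")
    log["free_after_reinstalls"] = srv.slots_free(user, pw)            # 0
    try:
        srv.activate(user, pw, "home desktop (reinstall 4)")
        log["sixth_activation"] = "allowed"
    except LicenseError:
        log["sixth_activation"] = "refused"
    try:
        srv.deactivate_all(user, "wrong password")
        log["reset_with_bad_password"] = "allowed"
    except LicenseError:
        log["reset_with_bad_password"] = "refused"
    log["released_by_self_service_reset"] = srv.deactivate_all(user, pw)  # 5
    srv.activate(user, pw, "home desktop (clean)")
    log["free_after_reset"] = srv.slots_free(user, pw)                 # 4
    return log


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k}: {v}")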

The idea of a multihost licensing scheme is probably most familiar to people who use iTunes, which is one of the most successful anti-piracy programs in existence.  And it’s one of the most successful anti-piracy programs not because it limits customers but because it provides better service than piracy at a reasonable price.

Because I honestly cannot see this company lasting for long if more people need this specialized tool.  Eventually a competitor will come along and undercut them – (and one particular competitor is actually very close) or someone will finally just sit down and design a freeware application to take care of it.  Maybe even the camera companies themselves – who might even get around the problem by recoding their cameras to record directly to the type of video file that computers can use. 

So yes – cut down on piracy.  But do it in a way that’s smart, that doesn’t increase costs or turn away customers.  And keep in mind that time – both the time of the end user – and the time measured in bandwidth – is important when considering applications. 


How to (make albums) Disappear Completely


Thom Yorke, lead singer of Radiohead and vice president of the “Extra Silent Hs and Trailing Es Foundation,” said in a music magazine interview that the band plans to focus on downloadable singles and EPs instead of putting together albums. Yorke claimed that the album format was extremely difficult, creatively, to put together.

But more than that, Radiohead has typically been at the forefront of digital technology and music; pioneering the “pay what you want” model for the digital download version of “In Rainbows.”

Part of it is the fact that digital technology has made selling singles efficient. The album came about primarily as a way to reduce the costs of printing, shipping, and storing music in the days when music had to be a physical product.

So, really, the news isn’t that Radiohead is moving to singles, but that the album has survived so long in the post-Napster era. While there are some truly connected and well thought-out albums, most of the time an album is two singles and eight filler songs. Even really good albums can be thematically disconnected – Billy Joel’s “Storm Front,” for example. (What the hell does “I Go To Extremes” have to do with “The Downeaster ‘Alexa’?”)

We are also beginning to see this with other media as well – short movies have been rescued from film-festival purgatory and put on YouTube.

It’s going to sound obvious when I say it out loud, but we’ve entered the era when the analog medium is the “special case” and the digital medium the status quo. For most organizations, the next step is not taking what was once analog and making it digital (from phones to VoIP, for example) but finding a way to add new digital features to already occupied networks.

I moonlight as a documentary film field producer, and the team I work with is in the planning stages of a project – we talked about what kind of cameras we’re planning to use, and we’re looking at cameras such as the Canon 5DM2, the Panasonic Lumix GH1, and we might possibly be renting a Red One, or, if it comes out by then, a Red Scarlet. The lead producer on the project is smitten with the idea of using film stock for some of the shots, to get a “nostalgic look.”

That’s what the analog method is worth nowadays. Nostalgia.


“Your Mileage May Vary.”


In “Good Math, Bad Math,” Ph.D.-carrying, Google-employed shmartypants Mark Chu-Carroll talks about how math can be used, incorrectly, to mislead people into having expectations that do not match up to reality.

His latest post points out a particularly interesting one – the bad math used to calculate the mileage on the Chevy Volt.

The Volt, if you’re not familiar with it, is a type of vehicle called a “plug-in” hybrid. In a normal hybrid, the internal combustion engine powers a generator which charges batteries, and the car runs off of the electric juice in those batteries. This generally produces better gas mileage than standard internal combustion engines – basically because the batteries in hybrids can store energy that is normally “lost” in internal combustion engines – specifically, in braking and idling.

So anyway, the Chevy Volt simply takes the next step; it not only takes electric power from the onboard internal combustion engine, but also allows you to draw electricity in off-peak hours from the municipal grid. You literally plug this sucker into an outlet outside your house.

Now this isn’t particularly new technology either. Hobbyists and car enthusiasts have been creating “PHEVs” (Plug-in Hybrid Electric Vehicles) since 2004. This is the first car, however, that has plug-in as a default, off the factory rack, no voiding the warranty needed.

But because of the technology needed, it was always hard to figure out exactly how fuel-efficient plug-in hybrids were. Hybrid cars – those cars that get all of their electricity from the internal combustion engine – had rather simpler metrics. But plug-in hybrids use zero gallons of gas for the first few dozen miles – for the Chevy Volt, that’s about 40 miles without a need for gas. But once you get over that limit and start burning gas, the Volt is no more fuel efficient than a normal hybrid – say, 50 miles per gallon.

So depending on how far you drive between 8 kWh charge cycles, you’re looking at anywhere from slightly above 50 mpg to “infinity” mpg. So where did Chevy’s advertised 230 mpg number come from?

Well, the U.S. Environmental Protection Agency drafted some guidelines for coming up with an MPG figure – with, of course, some “guidance” from the auto industry. Of course, this is a literal case of “Your Mileage May Vary.” Chevy is claiming the 230 mpg number based on its own internal tests, however, as the EPA has not yet tested a Volt.

You may argue that a more accurate nomenclature, say “50 mpg + 40,” is confusing to consumers who are used to thinking of cars in terms of “miles per gallon” – but you know what’s going to be even more confusing? When they find out that their 230 mpg car might get as little as 50 mpg.

One of the big problems with trying to figure out something that’s “per” anything else is that, essentially, our brains aren’t wired for division. They’re wired for addition, subtraction, and multiplication. It’s counterintuitive, but true, that a Hummer that improves its mileage from 10 mpg to 15 mpg saves more gas (about 3.33 gal/100 miles) than a hybrid going from 40 mpg to 50 mpg (about 0.5 gal/100 miles). I mean, I’d still get the hybrid over the Hummer, but you see where I’m going with this.

Of course, we’re no strangers to bad math ourselves in IT. Bad math is one of the reasons that you need to independently confirm service level agreements with various bandwidth providers. They may promise something like “100ms” latency, but there’s a big difference between a maximum of 100ms latency and an average of 100ms latency. Network visibility isn’t just looking at the numbers, but knowing what the numbers mean.
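The SLA point deserves a worked check. The following is an added example, not part of the original post: one constructed minute of round-trip samples (nineteen quiet readings and a single spike), scored against a “100 ms” SLA under three different readings of that number. The sample values, the SLA figure and the nearest-rank percentile choice are all assumptions; the point is that the same measurements pass the average reading and the 95th-percentile reading while failing the maximum reading, so a provider and a customer can both be “right” about a 100 ms promise until they agree on what the number means.

```python
import math
import statistics

# Constructed one-minute sample of round-trip times in milliseconds (not real data).
SAMPLES_MS = [42, 45, 41, 48, 44, 43, 47, 46, 44, 45,
              43, 42, 46, 44, 45, 410, 44, 43, 47, 42]


def percentile(sorted_samples, pct):
    """Nearest-rank percentile on an already sorted list (no interpolation)."""
    k = max(0, math.ceil(pct / 100 * len(sorted_samples)) - 1)
    return sorted_samples[k]


def summarize(samples):
    """The numbers a dashboard would show; each one hides a different story."""
    s = sorted(samples)
    return {
        "mean": statistics.fmean(s),
        "median": statistics.median(s),
        "p95": percentile(s, 95),
        "max": s[-1],
    }


def breach_fraction(samples, limit_ms):
    """Share of samples that individually exceeded the limit."""
    return sum(1 for x in samples if x > limit_ms) / len(samples)


def sla_verdicts(samples, limit_ms=100.0):
    """Score one sample set against the same limit under three readings of 'X ms latency'."""
    stats = summarize(samples)
    return {
        "average <= limit": stats["mean"] <= limit_ms,
        "p95 <= limit": stats["p95"] <= limit_ms,
        "maximum <= limit": stats["max"] <= limit_ms,
    }


def readings_disagree(samples, limit_ms=100.0):
    """True when the contract wording, not the measurement, decides pass or fail."""
    return len(set(sla_verdicts(samples, limit_ms).values())) > 1


if __name__ == "__main__":
    for name, value in summarize(SAMPLES_MS).items():
        print(f"{name:>7}: {value:.2f} ms")
    print("breach fraction:", breach_fraction(SAMPLES_MS, 100))
    for reading, ok in sla_verdicts(SAMPLES_MS).items():
        print(f"{reading:<17} {'PASS' if ok else 'FAIL'}")
```

The same twenty readings give a mean of about 63 ms, a 95th percentile of 48 ms and a maximum of 410 ms, so the SLA passes under two readings and fails under the third while only one sample in twenty breached. Before signing or auditing a latency SLA, pin down which of these the provider is actually promising, over what window, and measured from where; the verification script is trivial once the definition is not.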


A Brief Revisionist History of Time.


The “Investors Business Daily” recently wrote an op-ed piece opposing public healthcare. I’m not going to get into the overall argument about public vs. private healthcare, but the line below (since edited out of the official version) is just too hilarious:


“People such as scientist Stephen Hawking wouldn't have a chance in the U.K., where the National Health Service would say the life of this brilliant man, because of his physical handicaps, is essentially worthless.”


Stephen Hawking? You mean the Stephen Hawking who was born in Oxford because his parents moved there during the Blitz? The Stephen Hawking who enrolled in University College at Oxford to study physics? The Stephen Hawking who works at Cambridge University as an astronomer and physicist? The Stephen Hawking who was named a Commander of the Order of the British Empire in 1982? That Stephen Hawking?

For a more famous Briton, you’d have to choose one of the members of Monty Python. For god’s sake, the guy looks like a grown-up Harry Potter.

Now, none of this is meant to indicate my, or NetQoS’s, support or opposition for public healthcare; but the mistake illustrates a basic point – without doing some basic research, you end up looking foolish.

For example, early datacenter consolidators who moved applications from branches to the home office servers didn’t do the basic research regarding latency in their applications and ended up with extremely slow applications when they were moved from the low latency LANs to the high-latency WANs.

The only real way to fix the slowdowns was to recode the applications so that they made fewer round trips between the server and the application – because no matter how good your network is, you’ll still experience latency associated with the speed of light.

If we ever pass that barrier, it’ll be because of people like, say, Stephen Hawking, doing the research and getting the information.

More generally, it never hurts to have more information before drawing your conclusions. You can’t claim that performance has improved – or degraded – unless you have a baseline to compare performance to. You can’t assure someone that the problem does not exist in the network unless you have full end-to-end visibility of the network.

Now, if you’ll excuse me, I have to go meet with the Prime Minister of Britain, Mr. Bean.


An Epiphany I Had While Playing Pac-Man


This past weekend, I downloaded “Pac-Man Championship Edition” on my roommate’s Xbox. I played the heck out of that sucker.

My other roommate invited me to learn, and perhaps play a game of Go. I told him I wasn’t interested.

And that’s when I realized something. When I play games – video or boardgame – I play games that are simple, repetitive, enjoyable, and don’t require a whole lot of mental processing. My roommate plays games that require deep thought, strategy, complexity, and practiced skill. In other words, the games I play – Pac-Man, Katamari Damacy, MegaMan, Team Fortress 2, etc. – are designed to turn my brain off. My roommate plays games like Go, Chess, Reversi, Warcraft 3, all designed to turn his brain on.

And this wasn’t always the case. When I was a kid, I used to love the Final Fantasy series, but as I entered grad school, I had significantly less patience for it. Even old games I used to love don’t seem nearly as appealing now as simpler games you can pick up and start playing – the casual stuff.

Which made me realize something. We recently made a viral-marketing game called “The Network Rockstar Challenge.” Around the same time, Cisco put out a game of their own – a sequel, in fact, called “Edge Quest 2,” to promote its ASR series of routers. And the two types of games are very dissimilar. “Rockstar Challenge” is a trivia game with some pretty hard questions in it – making you think, quickly. Cisco Edge Quest is a game where you move a spaceship on some tracks and pick up power-ups, and it’s more important to move your fingers quickly than anything else.

So when I look back on my life, and I compare the times in my life when I was playing simple games compared to the times in my life when I was playing complex ones… a pattern emerges. The more complexity and mental stimulation I was getting from other activities – usually my day job at the time – the less I needed mental stimulation in my free time. Conversely, in times in my life when I was working boring jobs, I’d be playing games that required a lot of thinking and mental gymnastics.

College was the time of Goldeneye and Mario Kart, but after graduation, working in data entry, I got into ultra-complex pen-and-paper RPGs and played through Final Fantasy 7 and 8. Grad School was the era of Katamari Damacy and discovering the joys of retro gaming through emulation.

So, anyway, right now, I work for NetQoS as the editor of this blog as well as “the video guy” in the company from time to time, and I moonlight as a field producer for an independent film company in town – and let’s not forget that I’m also 30,000 words into my non-fiction book on electoral reform in New Zealand… Pac-Man just about hits the spot.

And that’s when I realized that maybe next time, when we do a game, we might want to do something slightly simpler, because our intended audience, after all, is network engineers, system administrators, and the occasional CIO or CTO. As a group, y’all have to think quite a lot in your day jobs.

Earlier in this blog, I noted that technology geeks gravitate towards games like D&D because they give people simple boundaries to storytelling, and straightforward challenges to overcome. I wonder if this idea can be taken further – that smart people will tend to hit a balance of complexity in their lives. And if so, whether simplifying network administration and engineering through easy-to-understand tools really makes the overall life of the network engineer much easier, because the network engineer will then use the “brain cycles” they save to take on a new and more complex task than they were dealing with earlier.

In this way, you hit a paradox: Using network monitoring tools to be proactive about networking issues and working with preventative maintenance is less of a mental challenge than “putting out fires.” Now, ideally, the network engineers work proactively in order to free up time and mental energy for taking on the next big complex task. But I wonder if there’s not something about our geek minds that prefers reactive firefighting to proactive monitoring because firefighting is more challenging work than making sure nothing goes wrong in the first place. It can be annoying to be constantly busy at work, but being constantly bored is hell for smart people.

It’s not just gaming – I know more than a few people, myself included, who are actually a bit disappointed by computers and operating systems that “just work,” feeling more than a bit nostalgic for the days when you had to configure modem IRQs via jumpers on the card. These are the type of people who have no good reason to install Gentoo instead of Ubuntu, but do so anyway.

I think we’re all comfortable with a certain level of “challenge” and seek to introduce that into our daily lives. I don’t think it’s static, either; we can build up a “challenge tolerance” over time. In fact, things like military boot camp and the first year of law school are designed to do exactly this.

So I guess what I’m saying, is not to let the lack of challenge lead you – consciously or unconsciously – to make your job more complicated. Use the tools you are given to solve problems, so that you can come up with new challenges rather than repeatedly dealing with the old ones. And if you’re in a position to manage some smart people who need challenges, give them not only the tools they need to simplify their position but newer, greater challenges that they can now accomplish.

Considering that I thought of all of this while playing Pac-Man… maybe sometimes our brains work most efficiently in a “lower gear.”

Now, if you’ll excuse me, I’m going to go swallow some pills and listen to repetitive techno music in a dark room somewhere…


Cyxymu


There were outages related to denial of service attacks on three of the biggest social networking Web sites – Twitter, Facebook, and LiveJournal – yesterday.

What could be the purpose of such a thing?  Actually, it was a concentrated effort to silence a particular individual, a Georgian (the country) blogger who goes by the name of “Cyxymu,” an economics professor known for his criticisms of Russian conduct during the war in South Ossetia. 

Cyxymu himself blamed the attack on the Russian government, according to an interview he gave to the British newspaper The Guardian.


He added: "An attack on such a scale that affected three worldwide services with numerous servers could only be organised by someone with huge resources."


If it seems implausible, Max Kelly, Facebook’s chief security officer confirmed that the major DoS was targeted primarily at Cyxymu.


Max Kelly, Facebook's chief security officer, confirmed yesterday that the attack that disrupted the Twitter site and caused problems for Facebook and LiveJournal was aimed at Cyxymu. "It was a simultaneous attack across a number of properties targeting him to keep his voice from being heard," he said.


Talk about a backfire, however.  Now everyone’s talking about Cyxymu, and people who hadn’t heard of him before are talking about his blog.  He’s become the next Salam Pax.

I’m not sure what this teaches us about network performance.  Except maybe that we have always lived in a world where butterflies’ wings have brought hurricanes; it’s just that, with everything around the world connected, there are more butterflies and more hurricanes.  That’s the funny thing about globalization and the disappearance of regionalism due to the Internet: regional problems become worldwide ones.

And not to end this on a sour note, but… let’s say it’s true.  Let’s say that Russia decided to take down much of the most important bits of the Internet in order to silence one man.  Maybe it’s time we started realizing that an assault on freedom to communicate anywhere is an assault on freedom to communicate everywhere. 

Though with the human race being the way it is, I doubt it. 


Risky Business


Bruce Schneier, if you don’t know him, is one of the Web’s foremost experts on security. I don’t just mean computer security, though he focuses on that – but security overall, including anti-terrorism and crime security. I read his blog often, because even though I’m not a security geek, his writings are very insightful.

Schneier often writes about how human beings can misunderstand the ideas behind risk.

For example, there’s the oft-cited Freakonomics example that, statistically, it’s safer to have a gun in the home than a pool. (How the gun got into the pool, I’ll never know!)

That is, people are more willing to put up with pools than guns: you get more enjoyment out of a pool than a gun, a gun is designed to be dangerous (if you’re standing at the wrong end of it), and the danger of a pool is an incidental side effect of water and concrete. Yet, proportionally, more people die in homes with pools than in homes with guns. So when we evaluate risk, most people instinctively think the gun is “riskier” than the pool.

But apart from those Freakonomics-type cases, Schneier points out in his latest post that, for the most part, human beings do understand risk, that there is a certain level of risk we are comfortable with, and indeed a certain amount of risk that we crave.

So when, at a security conference, a speaker made the familiar complaint that end users at a company don’t understand security and don’t grasp its importance, Schneier suggested that perhaps the security researcher didn’t understand the importance of the end users getting their jobs done.


They know what the real risks are at work, and that they all revolve around not getting the job done. Those risks are real and tangible, and employees feel them all the time. The risks of not following security procedures are much less real. Maybe the employee will get caught, but probably not. And even if he does get caught, the penalties aren't serious.

Given this accurate risk analysis, any rational employee will regularly circumvent security to get his or her job done. That's what the company rewards, and that's what the company actually wants.


It’s the old argument about the balance between security and performance: security is there to prevent loss, and everything else in the company is designed around making necessary gains.

We’ve seen where security procedures have severely degraded application performance, and we’ve seen overreactions become worse than the problems they are designed to solve.

Schneier made this suggestion to the conference presenter:


"Fire someone who breaks security procedure, quickly and publicly," I suggested to the presenter. "That'll increase security awareness faster than any of your posters or lectures or newsletters." If the risks are real, people will get it.


So, in effect, Schneier suggests increasing the consequences of risky security behavior, in other words increasing the personal risk to employees’ livelihoods. In this case, however, I disagree with him: publicly firing the next employee who writes his password on a Post-it note because he can’t remember which combination of random lowercase, uppercase, numeric and punctuation characters is the active one this month has risks of its own.

Chief among them is the question of whether the company places as much importance on security as it does on productivity. Is it more important to be secure than to be effective?

In some industries, such as banking, the military, law firms and hospitals, it may be; but for most businesses such draconian policies make an unpleasant work environment and “degrade application performance” in the worst way possible: by degrading the employees.

What’s more, in a highly competitive company these draconian security measures can be subverted to serve malicious goals, like an autoimmune disease. If you fire someone for putting a Post-it note with the department password on their monitor, how long before professional rivals plant Post-it notes on other people’s computers in order to get competitors for promotions fired? This belongs in the world of David Mamet plays, not in the corporate workplace.

Instead, maybe it’s more important to make sure that the end user has to understand as little about security as possible, and to be proactive about stopping attacks well before they ever reach the end user.

Because if I heard that someone lost their job because they couldn’t remember “Nei#oEVwi3” and had to write it down… I’d be looking for a new job. And I wouldn’t feel too guilty about using company time to spruce up the resume.
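The complaint above is worth putting numbers on. What follows is an added example, not code from the original post or from Schneier: it computes the entropy of a policy-style password such as “Nei#oEVwi3” (10 characters drawn uniformly from the 94 printable ASCII symbols) and works out how many words from a 7776-word diceware-style list give at least the same entropy in a form a person can actually remember. The word list is an assumption: the eight sample words are a constructed stand-in for a real list, and only the assumed list size enters the arithmetic.

```python
import math
import secrets
import string

# Assumed: a diceware-style list has 7776 entries (6^5). The words below are a
# constructed stand-in so the example runs offline; the entropy arithmetic
# uses DICEWARE_LIST_SIZE, not the length of this sample.
DICEWARE_LIST_SIZE = 7776
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "orbit", "velvet", "canyon", "pixel"]

# The "complexity rule" alphabet: lowercase, uppercase, digits, punctuation (94 symbols).
COMPLEX_ALPHABET = (string.ascii_lowercase + string.ascii_uppercase
                    + string.digits + string.punctuation)


def entropy_bits(choices_per_element: int, elements: int) -> float:
    """Entropy of a secret built from `elements` independent uniform picks,
    each from `choices_per_element` possibilities."""
    return elements * math.log2(choices_per_element)


def complex_password(length: int = 10) -> str:
    """A policy-style password like the one in the text: random symbols from
    the full printable alphabet, generated with the CSPRNG-backed `secrets`."""
    return "".join(secrets.choice(COMPLEX_ALPHABET) for _ in range(length))


def passphrase(words: int, wordlist=SAMPLE_WORDS) -> str:
    """A random passphrase: `words` independent uniform picks from the list."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Fewest words from a `list_size`-word list that reach `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def compare(password_length: int = 10) -> dict:
    """Strength of the unmemorable password versus an equally strong passphrase.
    Only the two entropy figures depend on the inputs; the samples are fresh
    random draws each call."""
    bits_complex = entropy_bits(len(COMPLEX_ALPHABET), password_length)
    n_words = words_needed(bits_complex)
    bits_phrase = entropy_bits(DICEWARE_LIST_SIZE, n_words)
    return {
        "password_length": password_length,
        "password_bits": round(bits_complex, 2),
        "sample_password": complex_password(password_length),
        "words_needed": n_words,
        "passphrase_bits": round(bits_phrase, 2),
        "sample_passphrase": passphrase(n_words),
    }


if __name__ == "__main__":
    for key, value in compare(10).items():
        print(f"{key:18} {value}")
```

For a 10-character password from the 94-symbol alphabet the entropy is about 65.5 bits; six words from a 7776-word list give about 77.6 bits, more than the password, and the result is something an employee can hold in memory rather than on a Post-it. Note that the figures assume uniform random generation (hence `secrets`); a human-chosen string that merely satisfies the composition rule has far less entropy than `entropy_bits` reports.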


