
Simple Nomad's Blog



05Sep26 - Goodbye, BindView

I've decided to start blogging, since I used to do it previously. Unlike other blogs, I could give a shit about providing RSS feeds or allowing people to "reply". Boring. So I will do something even more boring -- I'll just write whatever I feel and be done with it.

This is my last week at BindView as a part of the once-elite RAZOR team. Not to knock my fellow RAZOR members, but most of the talent is gone and only a couple of hackerish technically skilled people remain. And I doubt they remain long. If they leave it will be for the same reason I left -- my skill set has been largely untapped and I am bored out of my mind. RAZOR used to report to Scott Blake, who was the VP of Information Security. When he left over a year ago, a plan was being formulated to build the team back up and even get us going on some consulting. The plan seemed to be going fine until BindView had a bad quarter. After waiting and waiting, they finally hired a new guy for me to report to, instead of my old boss' boss (reporting to the President is cool until you try and get expense reports signed by a very very busy guy). By that time we had hired two more RAZOR members and had got back two guys who had transferred departments. Imagine our surprise when we read in a fucking press release that our new boss' title is VP of Field Marketing. Lovely. I felt pretty bad since the new hires came on thinking they would be doing research stuff, and our new boss was an anal-retentive non-technical micro-manager, whose idea of research was about as far removed from our world as possible.

After laying off one of the transferred guys and moving the other transfer guy back to his old department, we got two new guys -- "security compliance" guys. That's right, BindView figured out they could sell software based off of getting companies compliant with HIPAA, SOX, FISMA, and so on. Don't get me wrong -- if the software sucked I'd tell you -- they can actually do that stuff, but it is as boring as boring can be.

I told both the President and my idiot boss that on a scale of 1 to 10 I was capable of producing an 8 or 9 (10 if it is in an area I have some real expertise in) and most of what RAZOR was being asked to do was about a 3 or 4. I also pointed out that in upper management, anything over a 3 was basically magic anyway, and that upper management could not distinguish between a 3 or a 7 or a 9. Therefore when being assigned work, management assumed we were getting our technical freak on, when in fact we were bored. Now what we were doing as of late still required some skillset, but nothing that really challenged us. And being capable of doing a 9 or 10 gave us enough experience and knowledge to do those 3's or 4's very effectively. So nothing was appreciated.

Of course you would also have management asking if we could do a 12 and have it done tomorrow, and they wouldn't understand when you said no. No, remotely detecting a version of the browser on a system without using credentials or sniffing is very hard, can't do that in a day. No, I cannot write a check for a Microsoft Patch Tuesday bulletin based upon the pre-release saying they have a "critical" check, I actually need more details. Yes there is a difference between a 3 and a 12.

It's a pity. The next version of bvControl for Internet Security will be one of the best (if not the best) security scanners on the market, with the final controls and features being added after years of hounding them. And that product is not the future of BindView -- their future is this boring security compliance thing. Oh, they'll make a shitload of money because they actually have their shit together in this area, but a haven for hacker researchers they are not.

So I'm writing this on the plane on my way to Chicago to speak at a conference called Infonex tomorrow morning. The audience is comprised of managers and auditors, IIRC. They requested me to speak and do a "hacker demo", so I'll be breaking into VMware images using the Metasploit Framework. Not as boring as telling accountants about the latest "hacker trends" or talking about "cybercrime" or the non-existent "cyber-terrorism", but there you have it. Still pretty damned boring. They will be expecting some type of super duper Hollywood hack, so I'll make sure it is all command line, because hey, that's what the real hackers do, right? sigh...