Spider, spider, burning bright

Or something like that.

In the unlikely event that you were wondering where you’d seen the spider used as a feature image for an ESET blog by my friends at ESET Russia, this is it.


It was one of some cartoons we wanted to use for the AVIEN Malware Defense Guide book a few years back, but Syngress didn’t like the idea. Of course, I cropped out the text for the ESET blog.

There are also two cartoons by Paul Dickens and an idea for the cover he and I were also kicking around. None of it used, but still online here.

David Harley
Small Blue-Green World
ESET Senior Research Fellow


Cosmetic Aftercare

Dear Facebook,

I’m still seeing ads asking me whether I’m a victim of botched cosmetic surgery.

Let me assure you, if I’d had cosmetic surgery and still looked like this, I’d certainly want to sue somebody. Sadly, if there’s anyone to blame for my inability to grow old gracefully, it’s me.

David Harley
Small Blue-Green World
ESET Senior Research Felon. Er, Fellow.

System Administrator Appreciation Day

…is today, apparently.

I can’t say I remember getting much appreciation when that was my own job title, but evidently things have changed a bit. Sophos is making quite a big thing of it on its Naked Security blog.

I was reminded by the ‘Worst things to say’ blog of an article I saw many years ago in much the same context. It took a bit of finding, but it turned out that another site had the same thought a couple of years ago.

Advice to employees on the proper use of the System Administrator’s valuable time

You need to go down the page a bit to find the reprinted section about Ted the mistreated sysadmin. Most people will love it apart from sysadmins and support professionals who might worry that someone will take it seriously, and those awful people who really do regard the people they work with so inconsiderately. But I’ve worked with enough people like that myself not to worry about offending them… Not at ESET, by the way. Those days are long gone.

David Harley
Small Blue-Green World
ESET Senior Research Fellow

Writing? Well, anyone can do that…

My friend Marion Pitman drew my attention to a Guardian article by Anakana Schofield, whose novel Malarkey is about to appear in a UK edition. It makes some very good and all-too-familiar points about the writing game. While fiction is not where I do my professional writing, many of those points have analogues in the tech arena. Well, very few journalists have expressed much interest in me personally – “so what do you do when you’re not writing security books? You work in security? Oh… Never mind…” But I know a great deal about being expected to work for free.

As it happens, I’m in the privileged position of being paid to write free security articles. (What???) That is, ESET is happy for me to write for external magazines, conferences, web sites etc. because it has PR value for them. And some academics do a lot of free writing because spreading their research is one way to maintain tenure. But I’m also all too aware of the fact that there’s a great deal of abuse of that need for visibility. In my area of expertise, it includes people who expect me to write articles for them with no backlinks to the company that pays most of my invoices, or to my own research, and no IP right to content they wouldn’t dream of paying me for.

Hey, I’m a writer, I should have an unlimited supply of fresh article ideas, right? Just think of me as the goose that lays the golden eggs. Oh, another article just popped out. No wonder I have haemorrhoids.

Quite rightly (IMHO) she suggests a link with the general devaluing of labour. After all, the most prevalent business efficiency model in the West is based on the assumption that a company can do more and more each year with fewer resources and less investment. I hadn’t realized that aspiring novelists had to spend so much time writing about how to write, but I suppose it’s kind of analogous with the way security researchers are asked for security tips: usually the journalist is really asking for ways of being secure without paying for the products that keep researchers in bread and jam.

Actually, I have a theory that aspiring writers also spend a lot of time documenting the writing process as a way of drawing attention to the fact that there _is_ a writing process, that being a good writer – or even a popular writer (not always the same thing) – is not something that comes without work. A good reason for not talking about something you do well (for example writing, photography, playing an instrument, art, gardening) is avoiding all the people whose idea of polite conversation is telling you (not always subtly) that they’d do it better than you if they had time.

And I’ve lost count of the number of times where some PR/media professional has made it clear that I’m making his life difficult by saying what I think rather than what he thinks some audience wants to hear, or by not producing enough content quickly enough. Research, that’s posh copywriting, isn’t it? “Let’s get it straight who’s doing the real work here and get on printing some money. I mean, generating some content.”

As it happens, I do a lot of writing for which I don’t expect anyone to pay me, ever. That’s fine, as long as someone else isn’t stealing it and/or making money off it behind my back (yes, that has happened). I already have a job. And if it went away tomorrow, I wouldn’t necessarily have to look for another.

Some things you write because you think someone should, or you just have too much to say and you can’t help yourself. That’s probably me: I’m lucky enough to be able to make a living writing because some of my prose seems to meet a need. Some things I write for me. The fact that some other people like them is a bonus.

So yes, sometimes I’m a professional blogger, sometimes I’m just a blogger. I’m a writer when I write, whether it’s a book or a blog or a song, and irrespective of whether I’m paid for a particular piece. Context matters, but I don’t see myself as one or the other. Well, that link is to an article differentiating essentially between book authors and book reviewers, but then I wear both those hats, too. But I don’t review anything unless there’s some positive reason to. Well, I did once tear a book to pieces – it was a commissioned review, too – but that was because it was so technically uninformed it was potentially dangerous. Giving a bad review because it’s good for your ego is one thing: I see reviewing a seriously incompetent and misleading book masquerading as technical advice as positive.

While I’m unlikely ever to venture seriously into the curious world of fantasy authoring, I do have to say that another piece by Zoe Marriot makes a lot of sense to me, not least in its thoughtful consideration of book piracy. I’ve never really expected one of my books to repay the amount of time it took to write them, and I haven’t been disappointed. In fact, none of the many royalty statements I’ve received has ever heralded or been accompanied by a cheque. Given the very limited audience for malware-oriented security writing, it’s not so surprising. (Hopefully, major publishers can manage the occasional niche topic.) And I don’t suppose any of the people who pirated a copy would have bought it even if they’d been unable to get a free copy. But Marriot puts it quite succinctly.

When you pirate books or other media, you *are* taking something away from someone. At the very base level, you are depriving a creative person of the income that they are legally and morally entitled to from their work, and you are depriving them of the ability to show their publisher/record company/production company that there is a demand for their work

Well, yes. I can understand that you might not be interested in buying anything I’ve written. Just. But I don’t understand how anyone can take a ‘moral’ position that amounts to ‘Your work isn’t worth buying, but it is worth stealing.’

Don’t worry. The next blog here will almost certainly revert to sarcasm as an art form.

David Harley
Small Blue-Green World

Taken as Read

When we saw this sign in a bookshop window in Ludlow yesterday, my wife’s eyes lit up.

[Image: retirement book sale]

Obviously, she was thinking of all those author’s copies of various security books that are still cluttering up the house. Even at 100% off, I don’t think there’d be many takers. Even ESET doesn’t want any more copies of the AVIEN book.

Conversation with my daughter some years ago:

Me: So, the new book is out.
Her: Oh no. Does that mean I have to have a copy?

David Harley
Small Blue-Green World
ESET Senior Research Fellow