Renown erudite internet security expert, Eric Breece, recently posted a short dissertation on a new metric for characterizing security problems and solutions, “MTBHD“.
Mean Time Between Horrifying Discovery (a.k.a., Horrific Discoveries).
Mr. Breece’s description of MTBHD is set forth in the context of an employee’s insightful revelations during the initial inside introduction to the working environment—the first day on the job!
I offer my limited experience from my first job as a Dialogue between New Geek employee and Old Geek employee (CTO) giving the ‘Welcome Aboard‘ site tour:
NG (trying to sound knowledgable): “What’s your Patch Management Level?”
NG: Wow! That’s great! Anything above 90% is considered excellent. But it’s not a metric that is very precise — is the “.5” an aberration or simply an artifact of dividing by two?
OG: Neither, it’s a rounded-off measured value. We watch the level very closely and at 2400 UTC yesterday it was precisely 98.48327, hence, “98.5%”.
NG: Impressive. What is your Patch Level?
OG: We’re at Version 1.81372.
NG: Wow, again! You been operating for over ten years and have had only 8 major patches!?
OG: Oh no, we have had over 60 major patches – we’ve averaged one every two months.
NG: I don’t understand … Version 1.8 means you have 8 major patches since you started with Version 1.0
OG: Not in our system, the “.81” means that 81 % of our current total lines of code is from original corrective patch coding updates.
[[ >>> HD#1: OMG! Their system is running on patches! ]]
NG: Uh, “original“?
OG: Yes. We don’t count the individual patch-on-patches lines of code; but we do track the summary sub-patches at the Version 0.00001 increment level.
NG: Uh, … how do you control the patches?
OG: Easy. Each of the four five-man Patch Teams is limited to a block of 0.00025 version revision designations per week.
NG: How do you track the sub-patches?
OG: Easy. Our 334 man QA department assigns a three-man QA Team to each 0.00001 patch designation.
[[ >>> HD#2: OMG!! They probably don’t even know where the original lines of code are located! ]]
NG: Do you have any idea how many lines of sub-patch code you don’t include in your total lines of code used to calculate the PML?
OG: Who cares. The system is running fine and the QA department head says he’s on top of it.
NG: Why did you hire me?
OG: We like fresh ideas, new viewpoints … besides, we never promote from within (too much latent repressed revisionism).
[[ >>> HD#3: What am I doing here? ]]
NG: What’s your Team turnover rate?
OG: 0.3 persons/year
NG: You had only three people out of more than 1,000 leave in 10 years?
OG: No IT member has ever left (3 have passed in 10 years, 2 to automobile accidents and 1 from cancer).
NG: You mean no one has ever gotten a better offer or wanted to move for personal reasons?
OG: That has happened many times I’m sure, but no one has ever left.
NG: Why not?
OG: We pay well, have great benefits, loyalty, and of course the fine print in the employment contract, the same one you read and signed this morning.
NG: Uh, fine print?
OG: When hired an employee agrees to not go to work for a competitor, do any software programming, development or maintenance related work, provide any kind of computer hardware or cloud related service, even as an independent consultant, for twelve years after leaving us; furthermore, any proffered employment contract requires our written approval before signing during the probationary release period.
[[ >>> HD#4: Where’s the train I came in on(#5972?)! ]]
Time to Initial HD, 43 minutes.
MTBHD: 19 seconds