Tuesday, February 19, 2013

The City; It Changes You

My first day at the new job was July 9th, 2012. I moved to the city two days before that. Today is February 19th. That means it's been roughly 227 days since I arrived in New York City.

Handy tip, straight from the Unix Stack Exchange site. If you want to know the difference between two dates, ask a snake for help.
$ python
>>> from datetime import date as D
>>> print (D.today() - D(2012, 7, 7)).days
Handy tip from the sysadmin rolodex of tricks.

These 227 days have been filled with emotional ups and downs. I deal with the constant feeling of being an inadequate father, as I'm not physically with my wife and son back home. Usually at least once a month either I'm back home visiting them or they come to the city, and each time my boy seems to have grown another inch, despite not looking so different on our periodic Skype sessions.

That wears on you after awhile. I had several reasons for coming here, and there is the promise that things will improve. The time between moving and things getting better, though, that's the rocky part. It's a tough road to travel. I don't recommend it unless you're really dedicated to taking that path, and you have a strong relationship with your significant other, because without a very strong support system something will definitely give in your relationship.

Sometimes I think the only things that have kept me going are my extremely strong support system back home and my enjoyment of the new job.

But there are times when I look at my life and I see that some things have changed. Not just in circumstances, but in my general outlook on life. I suppose it comes from the horizon having been stretched a little wider, due to the fact that I lived my entire life in a small town with as many bars as there are churches, and we have a lot of churches back home. Here...it's New York City.

There was a story of someone living in the Chicago area who went home to a more country area to visit his family. The strange thing was he never came back to the city. Just quit his job...his coworkers apparently didn't have much idea of what happened.

Upon hearing this, one of my own coworkers said, "The city will make you or break you." That stuck with me. It was said as a nonchalant observation. But it rang true. You are either a city person or a country person, and some people just can't take the transition between.

I still have some of the fragments of country life in me. I know it's true; I have a stab of repulsion at my reaction to homeless people. Not repulsion at the homeless; my reaction to them. I ignore them. Like just about every other New Yorker, I ignore them. At least, I ignore them to the extent that I don't pull out my wallet, I don't donate to them, and I pretend I don't hear them if they're speaking.

I still try to glance at the cardboard signs they hold in front of them as they sit on the sidewalk. Not long ago I saw one man with a hand on a sign and the other on his dog, who lay quietly at his master's side. "Lost everything but my dog," it read.

Another time I was walking to the toy store to find something for my son who was planning to visit in a few days, and a passed a woman sitting against a light pole at a crossing not far from an Apple Store. Next to her was a large bag and a tattered sign. She was sobbing. I was in a bustling crowd that split apart as they approached her, as if grief were something that you could catch if you got too close. I didn't know what she was sobbing about. I moved with the crowd.

Why?

In part because I can't save the world. There are far far too many homeless and desperate out there, and handing out money for a short term assist will do little in the long run other than deprive me of resources that I can, admittedly in a selfish fashion, use on myself and my family.

In part because I'm afraid; afraid to engage people. Many are mentally ill. It is not difficult to find stories of people who end up being mugged because they engage with a homeless person, and once the wallet comes out...you're a target. Or they may suddenly flip out on you.

Cynicism also plays a part. How many of the people asking for money are telling sob stories that are disingenuous? Do they really have a family that's starving? Or will the money be used to feed some addiction?

And then there are the scammers. As there are stories of people being mugged for trying to help, there are stories of people who actually pretend to be homeless, or play on your emotions to get more money. Want more donations? Try sitting outside with your children, or your dog. You're a really heartless bastard for letting someone's kids suffer when you have a spare buck in your pocket.

The way I see it, the city has made me more of a heartless bastard.

I take solace in hating myself for it. It means that there's still a part of me that questions that behavior...it's just that that part is smaller than the part of me that pretends I can't hear them through my headphones.

Then there's the people. So many people! Back home a heavy crowd means having to pass within five feet of someone in the mall. I remember when that was irritating.

Here...two words. "Times. Square."

Ugh. One more word. "Tourists."

With all the flashy animated signs, you'd think someone could add a billboard that slides the words "MOVE IT" in that sardine can of a tourist trap. I don't know how many times I was bumped into, shouldered, and run over with rolling suitcases as I navigated my way around that general area.

But it wasn't limited to just Times Square; that was just where the effect was most pronounced. I would get shouldered as I crossed the street as I commuted to and from the subway station and my apartment. On the weekend I would make a trek to the ATM and from there to the comic shop; I'd have to dance around the sidewalk to keep from getting plowed by New Yorkers yacking on phones or jogging or just glowering at me.

Eventually I realized that this was like some kind of test. I was moving because they expected me to move. When you're 300 pounds...that's just ridiculous. I was being bullied by complete strangers.

See, there is this thing that happens when you're in an environment that is just filled with people in close proximity to you. Manhattan has over two million people living and working on a relatively small island. The five boroughs have, during the workday, more people total than my entire home state of Pennsylvania. This is crazy full of people.

So many people in such a small space...you begin to see other people as if they were two dimensional. You're forced into a small space, but you have an instinct to respect some semblance of personal space, while physically forced to break the personal boundaries...subways will crowd you to the point where you wonder if you've impregnated someone between two stations because you didn't have enough room to turn around, yet the whole time you and the strangers you're rubbing up against have this insane mutual understanding that you all don't actually exist. All of you refuse to acknowledge the other people are there.

Unless, of course, one of them is insane. But that's another story.

You end up with this situation where people act as if no one else exists, and you don't generally acknowledge their existence. And that kind of dehumanizes you; the infamous "don't look other New Yorkers in the eye" seems to stem in part from the unwritten rule of never acknowledging the existence of others. When you do this, you force them to acknowledge you, and it triggers something primal, like an animal being challenged for territory.

I was thinking about this one day when I realized that my moving around the streets to accommodate others was a way of signalling my submission to others. I was a target of bullying because I allowed myself to be bullied. I nearly laughed when I thought about the image of a 300 pound guy hopping out of the way of some 100 pound bastard sporting thick rimmed glasses and expensive brand name jacket; he was no better than I was, and I had every right to be where I was.

You move.

And as I crossed the street, they did.

Well, most did.

Whump!

Dude. I'm 300 pounds. Your skinny ass isn't going to stop me.

I don't think I've been a prick about it. I don't plow over old ladies or ram headlong into people just because they're there. But when I'm walking a straight line, and they clearly see I'm coming and they move into my way...I don't really move over so much to accommodate them. I've noticed that there are people who will actually move into your way, like a challenge.

Now I take that challenge.

Whump!

Times Square is worse. There are times when I've contemplated molding rubber to my shoulders to cushion the blows from passersby. Some of them almost seem shocked when I don't get out of their way.

Get used to it. You and me, when we die, we both become dirt. I've been a doormat long enough and I'm hardly invisible.

Then I get back to my apartment and I feel shock. I'm pushing people out of my way instead of dancing around, trying not to get pushed over. I'm ignoring people that sit on sidewalks painted in dried piss, begging for a buck. At times I hate myself for it. Other times I feel as if I'm seeing more of what people are really like; I see how it's possible to have little regard for other people and place yourself at the top of the priority list.

Care about yourself first; other people here don't give a damn about you.

The other night I sat on the floor of the Port Authority waiting for my wife and son to arrive on the bus. I clutched my bag, which basically held my clipboard of documents and a couple containers of lunch leftovers; my trenchcoat shielded me from whatever unpleasantness was skittering about on the floor, and my headphones played a podcast loud enough to drown out the low din of travelers trying to find their way around the terminal when it occurred to me that the best way to be ignored, even on an island with two million people crawling around it, was to put a cup in front of me and dump a couple dollars into it. That would virtually guarantee that I would become instantly invisible to people as they hustled by. Just sitting on the floor in my decade-old trenchcoat and out-of-fashion clothes seemed to be enough to keep me camouflaged from most of the travelers.

I was starting to understand how this worked. I was starting to understand how people are, when they feel anonymous in large crowds. When they are given the freedom to behave how they want without consequences. Without having to conform beyond the minimum of civility towards other people.

Basically, in some ways this was a real life version of the Internet. The city anonymizes you and gives you leave to care more about yourself, or you will be taken advantage of by others.

These emergent behaviors seem to make it hard to raise a child in the city environment. How can you teach your son to care about others when you also teach them that it's okay to ignore people sitting on the corner begging for money?

I'm not entirely sure.

I suppose the only thing I can do is look for teachable moments, where I can make some difference in his character. Not long ago we were in a Barnes and Noble, and he was looking at a large book. It's slightly above his reading level, but I still encourage him to read whatever he can, because $DEITY knows children today get more than enough flashy commercials to fill their brains with PURCHASE THIS OR YOUR PARENTS DON'T LOVE YOU messages. I hope that teaching my son to love books may foster his curiosity and help him become a bit of a critical thinker as he grows older.

As he flipped through the book I heard the sound of paper shredding. The heavy binding slipped from his grip and a page suddenly gained a four inch tear.

He was clearly embarrassed and his face reddened.

"Be more careful," I said. "Support the book with both hands."

"I will, Daddy," he said.

I sighed. "Well, it looks like you've gained a book." I closed the back cover. "Thirty bucks."

"That's a lot," he said. I could tell he was afraid I'd be docking his allowance to pay for it, which was horrible for a boy obsessed with trying to negotiate advances in his allowance to feed his BeyBlade addiction.

"Yeah, it is. Here's the deal...I'll pay for it, and you're going to read it to Mommy. You read it and if you do well we'll talk about a new Bey for Easter."

"Okay," he said.

On the surface it was a bribe. What I hoped it taught him, in some small way, was manifold lessons.
  1. If you damage something like that, you don't hide it. You make it right. In this case, we bought the book. Because really...how would you feel if you bought a new book at the store and when you read it, found a page ripped?
  2. I might get upset at something, but if we're going to work on a solution, it's okay to get upset. I won't stay mad. Cover it up, and then I'd get mad. Lie to me, and then I'd get mad. Acknowledge the problem and work on a solution, I'll get over it.
  3. Honor is the one thing only you can give away and no one can take from you. I could have had him hide the book back on the shelf. Sometimes doing the right thing is more scary...or in this case, expensive...but it's still the right thing to do.
  4. Mistakes happen, but if you learn from them, it's okay to make mistakes.
I can't help but think there's a paradox to the direction I find myself personally evolving. Becoming more impersonal, and seeing people as more generic when they hustle by me on the street. I sometimes question my own existence here. On more than one occasion I've even seen my coworkers, people I see in the office during the day, walk by me on the sidewalk without acknowledging my existence. Did they not see me? Are they ignoring me? Or am I just another empty shell, another obstacle among the many others shuffling around the streets of the city?

Then I find myself trying to teach my son to be better person, which in part is the opposite to how I see myself reacting to other people in the street.

I still haven't found a way to fully reconcile these observations and behaviors. Maybe in the next 200 days I will find a way to integrate them into a narrative that makes sense, so it will be okay to look out for your own good while still believing in the goodness of others and hoping that people aren't always, completely, selfish.

But in the meantime...don't stand in my way when I'm crossing the street. In New York City, I'm invisible. And you are too.

Monday, February 11, 2013

Hello Trello!

I was a skeptic.

When I started working at Stack Exchange, I had to adapt to a new workflow. They had certain things they did in a certain way; that's something that is to be expected. There are ways certain things are expected to work, and you are going to conform to them so things run smoothly among your team.

They used a lot of tools, largely unfamiliar to me. And as with any new job, it took time to "ramp up" and become familiar with the tools.

One of the tools, Trello, was created by our sister company, Fog Creek Software. I didn't quite get it at first. I'm not even sure I quite get it now...but over time I became a believer.

How can I describe Trello? Trello is like...lists of lists. A veritable listception. If you have a project that can be tracked or organized using cards which can in turn be organized into topics, Trello is the ultimate organizational tool for you. It's a new way of organizing just about anything using the Trello web page.

Maybe you're an author working on a book. You can create a Trello board, and on that board create a list called "Agents to query." Then create a card in that list for each agent you send your manuscript to. Suppose one of these agents is named Likable Literary Agency, Inc; you click the card and for the description you add the address of the agent.

 Create another list called "Manuscripts sent." Click the Likable Literary Agency, Inc. card again and enter as a comment the date which you sent your manuscript and the contact you sent it to. Then drag the card from Agents to Query to the Manuscripts Sent list.

After a few months, you can create a list called "Rejections", and drag the card to that list! And move on to the next card on your "Agents to query" list!

Being relatively new in the city, I am always getting a little lost. I created a board I titled "Locations." In it, I created lists by subject; banks, clothes, books, etc. Then under each list, as I found a location of interest, I would note it in my Trello. My bank has a card; in the comments, I added the address of each ATM. In another card I added an address of a Barnes and Noble to the comments along with a note telling me the nearest subway stations and what trains stop there. For a clothing store, along with notes on the address and station, I uploaded a screenshot of a Google map so I could get some reference of the nearby streets.

The Trello team released a very usable iPhone app; the only complaint I've had is that it relies on a connection to the Internet to update at the time you use it, so when I'm in the subway I can't read my notes. Once I pop above ground, though, I can open Trello, pop into my Locations board, and refer to my directions.

I also use Trello as a to-do list; I track my tasks at work, organized by what I'm currently doing, what I need to do, what I periodically needs to check, and what I've finished for the week. When it comes time to work on the weekly report, I can pull up my finished tasks and jot them down on the report. Better yet, there are times when I've needed to refer to past items I've finished and my Trello lists tell me what I completed and when, along with my notes.

What started as a single list blossomed into several. "This website looks interesting, but I don't have time to look at it right now..." Blam! New list.

"This might be an interesting blog topic..." Blam! New list.

Organization was almost addictive with Trello.

I know someone who uses Trello as a shopping list; he created a board and invited his wife as a user, so they can both add to the board and edit things as needed.

I even liked it when Taco the Dog made an appearance on the board to make announcements; I remember "feeding Taco" treats in the form of inviting new users to Trello. IT WAS JUST FUN.

I really haven't pushed Trello to the limits. You can invite multiple users and collaborate on projects; assign them cards or tasks, assign due dates, create lists on the card (wherein it will give you a kind of percentage complete as you check items off), and upload files to cards. You can track research papers or writing projects or constructions projects.

Anything that needs organization, especially if you need to collaborate, can benefit from using Trello.

Here's the kicker. It's free.

There's really no risk to trying it out. You can create a board and set the permission to be as strict as you want; invite others to collaborate, or keep it private while you experiment with it yourself. Or do what I do and create boards for yourself and others that collaborate with someone.

Seriously. If you need to organize a projects...or your life...or collaborate on a project with other people...try Trello. Click the link. It won't hurt. I promise.

...now if you'll excuse me, I have to remove the Trello card from my list of possible blog topics...

Saturday, February 2, 2013

New York Times Hack and Symantec

If you're the kind of person that monitors news relating to security in technology or have been paying attention to headlines in the mainstream media, you may have seen the news stories detailing the infiltration of the New York Times' network by the Chinese.

The details are surprisingly thorough for a mainstream story, and the Times is being rather candid in their sharing of details. Usually when a business is "hacked" they'll do anything and everything possible to hide the details from the public so they can save face.

For people in the tech industry the story is still overly simplified and light on gritty details, but for a story aimed at public consumption the details get gory. So I won't bother rehashing them. I even linked to a version of the story so you can view it there.

What I did find interesting, though, was the small storm that erupted because of the malware software the Times used being directly named in the article and the publicity that it generated, most of it negative. I have had dealings with Symantec, along with several other security/malware/antivirus solutions, and upon reading that there were 40-plus pieces of malware created to infiltrate the Times in one way or another and their Symantec software caught approximately, oh, one of them wasn't much of a surprise to me.

But apparently this is still news.

In terms of dealing with this, I found the fluffy public relations face rather amusing. The article recounting events mentioned Symantec in passing; not a directly attack on the company. But merely mentioning the name put a face upon which to plant a black eye. While probably accidental, it was nice of them to be candid about it while accidentally making the company look rather incompetent.

Symantec wouldn't, at first, comment, and I thought their initial reaction on Twitter was rather...strange. Didn't they realize how they looked in the news story? A company using their Enterprise solution (I'm assuming, given their size) with not-so-cheap licensing associated with said product (no solution with the word "enterprise" is cheap) had over 40 malware applications get into their network and your product caught one of them. And yet, Symantec said this:

There's some irony to the order of these tweets.
That tweet was rather...bland, don't you think? Perhaps the press release was more interesting. A fiery defense of the company? Acknowledgement of weak points in their software? From the article:

"Advanced attacks like the ones the New York Times described in the following article, (http://nyti.ms/TZtr5z), underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions. The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behavior-based blocking, specifically target sophisticated attacks. Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough."

...So the problem was that the Symantec software would have been effective, but the Times didn't use all the software features to detect the malware. In other words, our customer was too stupid to fully use our product.


It didn't take long for others to notice this response and criticize Symantec. Somehow Symantec was still trying to spin this in a positive light for themselves.



I'm not a marketing person, but I'm not sure implying "Our customers are morons" is a good public defense.
I can understand what Symantec is saying, even if I'm not sure I'd have framed the reply this way.  I would think blaming the customer, even though they may legitimately feel this way and there is probably more the customer could have done to try to protect themselves, is usually not going to make you look good. The fact their last tweet I quoted above is a link to their entire software suite just conveys the message (to me) that if you don't want what happened to the Times to happen to you, you just need to buy more of our stuff!...doesn't seem effective.

On the other hand, protecting your network and your users is hard.

In the old days, viruses tended to be written by clever malcontents eager to show their technical prowess. Viruses were a way to display their programming ability while at the same time showing their hatred for non-technical people who dared to bring their non-geekhood to a domain ruled by geeks. The basic idea was that if you were stupid enough to get a virus, it was your own fault for not knowing how computers worked so you deserved what you got. Their software carried an implicit message with every infection:

Non-geeks are not welcome here.

But computers were becoming more mainstream and non-geeks weren't going away.

Somewhere along the way viruses went from becoming a nuisance to becoming something more sinister. Black hats learned that stupid people had money! The behavior of viruses evolved until they were no longer technically viruses, but rather "malware;" they relied on social engineering and software flaws to spread rather than self-replicating code, and the target was less the computer and more the person using the computer. If you knew the computer was "infected", that was an accident, whereas in the golden age of viruses the programs often announced their presence with pride.

Much of the malware out there now is backed by organized crime and State-sponsored campaigns. These groups will pay individuals or groups to orchestrate attacks to farm naive or ignorant users into running programs that will then target a user for spammy and intrusive ads, redirecting your web browsing to ad-ridden websites that may contain more malware, tracking your keystrokes to intercept passwords to banking websites,...all sorts of fun things.

 As you can probably guess, the antivirus industry is quite lucrative, and have created a kind of arms race with malware authors. In the beginning the cycle of war was pretty simple; virus author created a new virus and released it into the wild. Antivirus vendors got a sample, reverse engineered it, found a "signature" sequence of code in the executable that was unique to the virus, then they updated their product for clients. The Antivirus product then scanned every program you ran on your computer and if anything matched that unique string of code, it flagged it as a virus and sometimes would try to clean your computer.

One step forward for virus authors matched by one step forward by AV vendors.

Virus authors fancied themselves clever, so they needed to find clever ways to beat AV vendors.

That's when we started seeing viruses that incorporated encryption as well as adapting in memory to alter themselves so you couldn't find a single simple signature. AV vendors had to react and find new techniques for deconstructing these polymorphic viruses.

Second step from virus authors...second step from AV vendors.

The point: clever people with time on their hands are obsessed with the challenge of finding new and creative ways to be destructive and/or profit from people.

This little lockstep war continues today. It's reached a point where the possible attack surface (the places where unauthorized users or code can be run) against a potential target is huge, and as our society continues to become more connected through the Internet the surface continues to get worse (or better, depending on which side of the fence you're on.) Computers, cellphones, our cars, printers, security cameras, televisions, disc and media players, even home appliances like refrigerators, air conditioners and thermostats are accessible over networks.

That baby monitor you installed to watch the crib from your computer? Did you forget to use a long, secure password? I bet the wireless connection was a lot more convenient than having to run a wire. But you did securely encrypt it, right? Since your wireless signal could be intercepted a house away...or from the street...or farther, if someone used a directional antenna?

It's really neat that you can connect your phone to your car. Handy, especially in states where it's illegal to use your phone without a hands-free connection and $DEITY knows you HAVE to take that call from your boyfriend the moment he calls. But did you change the default connection sequence to marry the bluetooth in the car to the phone? Are you even able to change it? Because someone did write a program for clever techs to use a laptop for connecting to nearby bluetooth systems. It's fun to stream porn audio into unsuspecting schlub's cars on the freeway. Or listen in through the car audio system.

The point: there are ways for malware to get into your systems that you may not even be aware of.

Secondary point: The things that make our lives more convenient can be used against you.

The security industry now relies on a variety of techniques to try closing the holes in the potential attack surface.
Vendors rely on signatures, heuristics, behavior analysis, probabilistic analysis of email and web pages via proxy scans, along with good practices in firewalling connections and locking users down to accessing only the things they actually need to use on their computers (keeping users from being able to install updates to Word or new programs also means they can't accidentally install malware.)

Users, of course, tend to hate this because security measures come at a cost. Malware scanners use CPU and memory while they check every program being accessed, slowing down the computer. Proxies intercepting your web browsing and email to analyze the content for spam or embedded malware sometimes go wonky and end up messing up your email or creating web browsing quirks. Locking down the computer access privileges means you end up waiting hours or days for software updates or programs to be installed that would have taken a few minutes if you could do it on your own.

Users hate this. They just want to get their work done and just want their systems to work. This stuff gets in the way. And when security people do what they're supposed to do, they make the lives of their users more miserable; thus users being to hate their system administrators even more. It's a cycle of antagonism.

Point: security is a balancing act. You can have it really secure or really usable for users.

Most of the malware out there is kind of generic. These crime syndicates trying to steal your money or browsing habits (or control of your computer) cast a wide net and are pretty content with the replies they get; this is why you normally get laughably horrible emails filled with generic messages offering you tons of cash in exchange for contact and banking information. Malware often comes in the form of code on hacked websites that waits for you to find the webpage and asks you to install a plugin that isn't really what it reports it is. The weak point is the social engineering of the user; we tend to be trusting of things we don't want to think about beyond the immediate future.

If I want to see boobies I need to install this plugin? Okay! <click>

<dialog box pops up> words...words...words...whatever. <click>

<email comes up asking you to run an attachment.> Blah blah. Okay, whatever. <click!>

People aren't just trusting, but we do things that are blatantly dangerous or stupid if it means getting some kind of payoff. When a company does put in generally good security policies it still falls down when users are willing to give away their passwords to anyone who says they're from IT and need your password to test something.

In fact, a study found that users were willing to give up passwords for a chocolate bar (although it's a valid point to say that there wasn't any indication whether these passwords were tested for validity.) There are also cases where USB drives left in parking lots were taken and plugged into systems with little thought of whether there was malware on them.

Point: Users are the weakest point of any security policy, and social engineering can be a powerful attack vector.

Unfortunately with technology we still have to trust someone at some point.We end up needing to trust that someone more skilled or knowledgeable is doing the right thing for us, or acting in our interests, in areas in which we lack skill or knowledge.

Of course in many, if not most cases, we abdicate responsibility for these domain-specific areas of knowledge; we don't want to deal with it. This is understandable when you look at the complexity of our society today, I suppose...

If you read this far...

 ...this is where things tie together a bit. See, I sort of understand the difficulty the Times IT crew faced because they made themselves a target.

Usually malware is sort of out there, like a poisonous jellyfish in the ocean waiting for prey to happen into it. But the Times was running a story on someone that was a big name in China. And China is known for sponsoring targeted "cyber-attacks" (to be fair, this has been long rumored for the US and its allies as well. I'm just focusing on China because it is alleged they were behind the New York Times attack.)

When you get into becoming a named target, things get worse. Much worse. Because you are targeted for a custom attack. You're no longer a target of opportunity; you are a target that is researched, and a breach means tendrils of back doors being installed and user activity being actively monitored.

The network gets scanned and probed. Your employees are researched, and emails come in specifically addressed to specific employees with malicious code embedded (or more likely, links to malicious code.) Maybe they had a meeting with someone who was set up to hand over a drive with malicious code. Or maybe someone got a device sent to them for testing that contained trojan-horse type code that went to work as soon as it was connected to the company network.

Once there is some kind of hook into a computer, software can be installed and run that will scan the network from the inside. A military sponsored attack means that when they find something connected with a vulnerability, custom code can be created to create a back door into that system again; for example, installing malware on a particular brand of printer.

Yes, it's possible for a printer to have custom code embedded into it for attacks.

Emails get monitored, maybe forwarded or copied without your knowledge, leading to more information being leaked and another user that can be targeted with possibly better access privileges.

Malware monitoring relying on signatures would be useless if there's software being custom-crafted to attack you. If there is a device running on your network that isn't monitored directly, the only way to detect it is to have intrusion detection at the border of your network, or devices watching for suspicious network behavior to alert administrators, and if the attackers are aware of what you're using for defense (which they'd know, for example, that you're running Symantec the moment they pull a list of running programs from an infiltrated system) they can create software specifically meant to bypass the malware scanners in use.

Worse, once a system is infected, it's nearly impossible to know with 100% certainty that you've completely eradicated the intruders. Clean a workstation with a complete reformat and reinstall only to discover that the intruders managed to reinfect it because you didn't realize that laser printer was also allowing remote access to your network...very frustrating, to say the least.

People tend to think that they install antivirus software and they're safe. They're not. Security is a process with several layers, and there are many factors to consider in the great set of tradeoffs between security and usability. So the fact that Symantec detect one piece of malware out of over 40 programs used to attack the New York Times isn't really surprising to me. Symantec's response, to blame the customer for not having more monitoring and alerting mechanisms in place, is valid in that it may have helped to some degree but I doubt it would have stopped this attack.

On the other hand having a completely secure environment would likely have been a management headache as well as a miserable environment for the users to try to actually get a product out the door. Sometimes I think software vendors in a certain industry develop a myopia to this aspect of their product in the real world.

In the end Symantec took a bit of a black eye for being named. I have my gripes with their security products...several several gripes...but part of the problem is just the environment in which security software must co-exist and operate and blame can't be entirely laid at their feet.

Security is complicated. End users misunderstand it. And vendors, in their zeal to sell products, misrepresent the issues involved. If you're a company that may draw a giant target on your back, it's worth your trouble to hire people focused on computer and network security to work in your IT team, lest you, too, end up making the news for the wrong reasons...