The Daily Incite - March 25, 2008
March 25, 2008 - Volume 3, #30
Good Morning:
Last week was my wife's birthday. That's right, the national holiday (at least in my house) is called "The Birthday of the Boss." We had a lot of fun, especially when I had the kids write their own B-day cards for her. It's amazing to see how each of them attacked the problem and came up with something totally independent, creative and very indicative of their unique personalities.
But then you get into the challenge of finding an appropriate present. It's not about money, but it's about the thought that goes into the present. At least that's what I'm told. So I decided it was time to upgrade her cell phone. You know, the 3 year old Nokia was a bit beaten up and the T-mobile service remains mediocre. That's a lot of thought, right? It's all for her, RIGHT? I had to make the executive decision and it was time for a new gadget, I mean cell phone.
OK, if you don't tell anyone - the real reason the Boss got a new cell phone is that I needed to have an iPhone. I NEEDED IT. So I had to move our service back to the telecom Borg and that means we both get new devices. I've been limping along with my Blackberry Pearl for about 2 years. Actually it worked fine, but once I moved my email and calendar over to Google Apps, the die was cast. It wasn't a matter of if, it was when. And when turned out to be last Friday. Since most of my mobile activity now is browsing and the Blackberry browser sucks, with a capital U-C-K-S, I had no choice. That's my story and I'm sticking to it.
When I first moved over to Gmail, I mentioned that the Gmail application on the Blackberry was pretty good. What I came to discover is that if hardly available, slow as molasses, and very limited is pretty good, then it's there. I'm not sure if the T-mobile EDGE network just blows, or if Google mobile hasn't been able to scale, but it got to a point where I could hardly use the app. And the BB's IMAP support is worse than sucky. So it was time for a new thing, and the iPhone is it.
I have to say the iPhone is all it's cracked up to be. I'm with Matt Asay, who has similar perspectives. Yes, it lives up to the hype. Email just works. When I read something on the iPhone, it looks like it should. And it's marked read in Gmail. When I move a message into a folder, it gets that tag in Gmail. It just works. I don't have to handle messages twice. And best of all, I didn't have to set up a thing. It slurped up my settings from Mail.app and it was done. Literally ZERO configuration. Calendar synced. Address Book synced. It couldn't have been easier. I didn't realize how much I'd like having a computer in my pocket until I had one.
Although not everything is perfect. AT&T's EDGE network is pretty slow. Maybe not as slow as T-mobile, but it's slow. So when I'm home, or in my favorite coffee shop(s), I use the WiFi. Much snappier. And yes, I installed a PPTP client, but I have to remember to activate the VPN access, so I'm not surfing naked on foreign WiFi. And it's pretty silly that you can't sync your iPhone and Macs using .Mac over the air. How hard could that be? Hopefully that will get fixed within a few months.
Now I was planning to wait for the 3G iPhone that will happen sometime this year. Rumors are split between June and September. I was all set on waiting, basically chewing my fingers off every time I saw someone with the device. But then I had a flash of inspiration that pushed me to pull the trigger now.
I'm pretty confident the Boss would like her very own iPhone. Though she doesn't really do anything but talk on her phone, I'm sure she needs one. She has a text monster inside of her. I know it's there, just waiting for a device with predictive text and a dead simple interface to unleash it. And I figure right about the time the 3G iPhone ships, she'll be ready - for my hand-me-down iPhone.
I love it when a plan comes together.
Have a great day.
PS: Just when you thought I was a real ass, I did actually get my wife other presents for her Birthday. I'm an unromantic fool, but I'm not an idiot...
Photo credit: Louder
Top Security News
How to do "Security First..."
So what? - Damn damn damn damn damn damn. Yet another one of my hallmark terms, Security First, now co-opted by no less than NetworkWorld. Damn copyright lawyers. I should have paid them the damn money and I'd probably own Forrester and now NetworkWorld by now. On second thought, I'd rather you tie a friggin' anchor to my neck and tell me to swim to Alcatraz. Now that I've cleansed myself of the vitriol of yet another one of my concepts being "borrowed," is there anything to the NetworkWorld article? Hmmm. It seems that the big story here is to "understand business." Really? Now that's a shocker. Duh! This is the best quote: "if security professionals speak in the language of business, they will find they get a seat at the table when new projects are beginning."
A seat at the table. If that didn't come directly from the P-CSO website. Arghhh. As opposed to sounding like a whiny beoch, I guess I should be happy. The stuff I've been espousing for two years is making its way into the common vernacular. That's a good thing, no? Of course, that doesn't help me keep my Starbucks card topped off, so what's the number for my lawyer again?!??
I'll take a disconnect roll. Don't forget the extra wasabi!
So what? - It looks like the Japanese are starting to take file sharers off their networks. They give a warning and then they cut them down. Is this a good thing? Is it a bad thing? The question Silicon Valley Insider asks is whether it could happen here? I say it should. Then we'd really get tiered and segmented Internet service. I could buy a "clean" pipe, where my neighbor the 13 year old wouldn't be able to bog it down by being a Skype supernode or a BitTorrent site. If someone wants more bandwidth, they could buy it. If they don't and want to hang out with the great Internet unwashed, they pay less. The reality is that the ISPs need to do something. Video is crushing their networks and they haven't figured out how to get anyone to pay more than $39 a month. To be clear, this isn't about copyright enforcement. It's about bandwidth. The RIAA and movie folks are easy to blame, but if this wasn't about bandwidth - there is no way the ISPs would be caught in the midst of trying to enforce what is legal and what isn't legal. This same thing applies to bot networks. Until these rogue devices start knocking down entire portions of their networks, the ISPs are going to remain blissfully unaware. They know what their customers are doing on the networks, they just don't want to do anything about it. Yet.
Rolling reviews hit patch managers, I mean "configuration software"
So what? - Network Computing is at it again, now they are focusing their latest Rolling Review on the patch manager space. First they started with Shavlik and now they are tackling PatchLink, I mean Lumension. I still think Lumension is closer to suppository than to security, but that's just me. The fact is, these tools are pretty mature and get the job done. Applying patches, even in a multi-OS environment, is no longer novel, but that doesn't mean it's not important. Making sure machines are updated and have consistent configurations is a critical aspect of ensuring that your endpoints have a fighting chance against all the crap out in the wild today. But that's not the interesting part. It's all about how these patch managers become more strategic, and that probably means getting bought by an AV company. Sort of like Symantec/Altiris. Why? Because it's all about the agent. End users want fewer agents, not more agents, and why wouldn't a company want to manage their configurations and patching policies in the same console where they manage AV updates and the like. Of course they want to. So it'll be interesting to see if Lumension uses their SecureWave stuff to look more like a next generation AV play (and I know white listing by itself isn't enough, but it's a start) than a fancy configuration management thingy. Or these folks could position themselves as policy/regulatory compliance managers, making sure something nebulous like ITIL can be deployed, whatever that means. Whatever it is, I don't think the configuration management space is long for the world, but I guess I could say that about most of security.
The Laundry List
- Does IBM have a SMash on its hands? Open sourcing this AJAX separation technology maybe web apps will get more secure. That would be nice. - Help Net Security Blog
- Spam prosecution irrelevant? Bradner thinks so and he's probably right. Cut off the head and 10 others pop up. Until it's less profitable to send spam, it'll be the same old same old. - Bradner NetworkWorld column
- Speaking of spam, Secure Computing introduces a bigger mail security box. Big deal, unless you had them ship a pallet of IronMails to deal with the last volume deluge. - Secure Computing Release
- Does that app require Admin rights? BeyondTrust gives away a free tool to assess your application base. Do you care? You should, at least understand the depth of the issue. - BeyondTrust release
Top Blog Postings
Metrics du Bejtlich
I love analogies. They make what we do a bit more real and a bit more understandable for folks that don't spend all day wondering how they are going to get killed that day. Bejtlich does a masterful job by relating some reasonable metrics to the Fire Department. When you see metrics like "number of burning houses" and "average length of time the house is burning" related to "number of compromised computers" and "length of time any computer is compromised," you start to get it. At least I do. I'm constantly on the lookout for more applicable metrics. Both operational numbers that help to improve the practice of security, but also those that can help to relate what we do to the executives that pay our freight. Of course, this is just one set of things that we have to count, and finding out how many computers are compromised and for how long isn't exactly easy - but it's certainly worth thinking about how you could gather these metrics in your shop. I'll be doing a lot of work on metrics this year, so stay tuned for more of my thinking in the near term.
http://taosecurity.blogspot.com/2008/03/how-many-burning-homes.html
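As an added illustration (not from Bejtlich's post or this newsletter), here is how the two fire-department metrics above could be computed from a shop's own incident records. The incident list, host names and timestamps are constructed sample data; the record shape (estimated compromise time, containment time or None while still open) is an assumption about how an incident tracker might store them.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incident records (not real data), one per compromised host.
# "compromised" is the estimated start of compromise; "contained" is None while
# the host is still "burning" (not yet contained).
INCIDENTS = [
    {"host": "ws-101",  "compromised": datetime(2008, 3, 10, 9, 0),   "contained": datetime(2008, 3, 12, 17, 0)},
    {"host": "ws-207",  "compromised": datetime(2008, 3, 18, 14, 30), "contained": datetime(2008, 3, 19, 8, 0)},
    {"host": "srv-db3", "compromised": datetime(2008, 3, 22, 2, 0),   "contained": None},
    {"host": "lt-044",  "compromised": datetime(2008, 3, 24, 11, 0),  "contained": None},
]

def _dt(value):
    """Accept a datetime or an ISO-8601 string such as '2008-03-25T08:00'."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)

def burning_houses(incidents, as_of):
    """Hosts compromised at as_of and not yet contained: the 'number of burning houses'."""
    as_of = _dt(as_of)
    return [i["host"] for i in incidents
            if i["compromised"] <= as_of and (i["contained"] is None or i["contained"] > as_of)]

def burn_duration(incident, as_of):
    """How long the host was (or has been) compromised; open incidents count up to as_of."""
    as_of = _dt(as_of)
    contained = incident["contained"]
    end = contained if contained is not None and contained <= as_of else as_of
    return end - incident["compromised"]

def average_burn_time(incidents, as_of, include_open=True):
    """Mean hours compromised: the 'average length of time the house is burning'.
    With include_open=False only incidents already contained by as_of are averaged,
    which understates dwell time while long-running compromises are still open."""
    as_of = _dt(as_of)
    selected = [i for i in incidents if i["compromised"] <= as_of
                and (include_open or (i["contained"] is not None and i["contained"] <= as_of))]
    if not selected:
        return 0.0
    return mean(burn_duration(i, as_of).total_seconds() for i in selected) / 3600

if __name__ == "__main__":
    print("burning now:", burning_houses(INCIDENTS, "2008-03-25T08:00"))
    print("avg hours (contained only):", average_burn_time(INCIDENTS, "2008-03-25T08:00", include_open=False))
    print("avg hours (including open):", average_burn_time(INCIDENTS, "2008-03-25T08:00"))
```

Reporting both averages side by side is the point: the contained-only figure looks better precisely when the worst compromises are still open.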
VampParanoia, they are out to get me...
LonerVamp makes a great point here about being realistic in your threat assessment. The reality is, we as security professionals need to really focus on that stuff which we can control. If our vendor is shown to ship keyboards with keyloggers or computers with back doors, then you REACT. Hopefully FASTER. But the threatscape is infinite. There are a million ways to get killed and you will make yourself crazy if you try to protect yourself against every attack vector. You need to take a more Zen-like approach. What will be, will be and we can only react to it. That is if we want any shred of sanity. I wonder if that's why Bejtlich calls his blog TaoSecurity. I'm on the ball today, eh?
http://www.terminal23.net/2008/03/security_paranoia_1_part_healt.html
Your demos suck, read this post
For the last two years, I've been a CODiE award judge. I lost a bet. So over the holiday season I'm subjected to 10 demos of products from people who really shouldn't be giving demos. Thankfully Mitchell has your answer. A foolproof approach to doing demos in his "Product Bistro" series. Seriously, if you are a vendor - read this post. It's amazing how many people lead me through demos screen by screen, like I care how you configure the LDAP integration. Show me how to set up policies (QUICKLY) and how this impacts my workflow. I really like scenario or use case based demos. Pretend I'm a security manager for a mid-sized organization. If your demo doesn't make it very clear how your product makes my life easier, then it sucks. And if you can't show me the highlights in 5-7 minutes, then your product sucks. I'm sure there is 10 days of functionality in there. But if you can't tell your story in 5 minutes and show me how it works, then you better go back to the drawing board. Start with Mitchell's process. I'm flogging this post for very selfish reasons. I hate demos and this can make them better. Though it is helpful to spend the time you are doing your demo checking my email and writing my monthly columns. So on second thought, don't read Mitchell's post.
http://www.theconvergingnetwork.com/2008/03/product-bistro.html