The Daily Incite - 12/17/09 - Changing my Xmas Tune
December 17, 2009 - Volume 4, #40Good Morning:
I tend to be fairly grumpy, but no time more than during the holidays. I'm not a fan of the cold weather. And I've been a Xmas hater. That's right, I was Scrooge personified. Bah humbug was a mantra of mine from the time lights go up in my neighborhood Thanksgiving weekend to the day after New Year's when (thankfully) most folks pull them down.
You know, this classic South Park song says it all. But this year is different. I'm not sure whether it's the fact that the stress of my old job is now gone. Or whether I've just mellowed out, but all the same - I'm not as grumpy. And I can appreciate the lights and the even some of the pomp and circumstance of the holiday season. I didn't instantly hush one of the kids that spontaneously broke into a Xmas song.
Yet, I'm still human and there are the little annoyances. Like the guy whose lights burn up more power than an Eastern European village (hackers and all). I'm still not digging the constant sound of the Xmas Muzak pretty much wherever I am. A week ago I was having sushi with the Boss and the joint was playing Xmas tunes. Just can't see Santa digging on a Spicy Tuna roll, but maybe he does. Right after the big pull off the hookah.
And what's the deal with the emergence of Rudolf as a pitch reindeer? Come on now, if Santa uses AT&T's wireless network everyone is screwed. I can just imagine it, the dude is traipsing around the world at almost light speed, he calls Mrs. Claus to make sure she's got the hot coco ready when he gets home and the call drops. Maybe Steve Jobs can get Santa one of those new iPhones that runs on the Verizon network...
I'm even kind of looking forward to Xmas day this year. I'll spend it as most of my ilk do every year. I'll go see a movie (maybe Up in the Air) and eat a Chinese food feast with my family. And I'll get to do some of those tasks that always get lost in the haze that is my to-do list. Like updating my web site.
So it's all good. I don't think I'll go caroling this year,
but you never know about next year. But before you get any big ideas,
don't be sending my any of those fruit cakes. You have to draw the line
Have a great weekend.
The Pragmatic CSO:
Read the Intro and Get
"5 Tips to be a Better CSO"
me on Twitter:
I'm not sure where I'm going, but I'll get there in 140 characters - or less...
Incite 4 U
"shortcuts" to PCI compliance - Arghhh. Just as I was in a
happy mood, I see yet another "shortcut" story for compliance. NetworkWorld's Cisco blogger has a
nugget of wisdom "By now
we all know that the key to becoming PCI compliant is all about how
well you can control the number of in-scope devices." Ah,
not so much. A merchant with only 10 in-scope devices that gets pwned
because they read this kind of crap is still pwned, right? What we all
better know by now is that PCI compliance is NOT the goal. It's
protecting the private data, right? So then there are 5 tips in the
post about things like segmentation and tunneling and other stuff. Not
sure I get the one about client certificates vs. tokens, but all the
same. I kind of shut down when the first sentence shows this guy got
hit with the security no-clue bat.
- Great, now we
are all accountants - Santa takes a bit of time away from
getting his house on wheels ready for the adventure
(good luck man, I tend to like to know my house is in the same place
every day, but whatever floats your boat) to try to draw the parallel
between IT folks and finance folks. You see, evidently finance folks
understand that all of their actions will be audited and therefore they
act accordingly. Us IT Yahoos have no idea, so we do crazy stuff. He
suggests we build a "culture of compliance,"
so everyone knows their actions will be audited and they'll do the
right thing. How about building a CULTURE OF SECURITY? You know, where
we protect data first and fill out reports second. I hope that's what
Santa means, but the idea of a culture of compliance irks me. It's bad
enough compliance funds everything we do, now everyone wants to make
that the end goal. Which is just wrong.
- Attack of the
Prediction Stories 1 - Now I'm starting to remember why I
hated the holidays. All these freakin' 2010 prediction stories that say
the same damn thing. More hackers. More breaches. We're screwed. Enjoy
the Yule log and maybe OD on egg nog. It'll make the pain go away. Imperva is calling for "industrialized
hacking," as if that hasn't been the case for years. We all
know there are warehouses full of folks in 3rd world nations banging
away on netbooks hacking your stuff. And a move from "reactive to
pro-active security." Man, the bile that just rose from my gut didn't
taste too good. Come on guys. Mediocre attempt here.
- Attack of the
Prediction Stories 2 - Next up on the prediction hit list
is Russ Cooper from Verizon Business.
He's got some gems in there like the social network sites will protect
themselves. Ah, do you think Facebook wants to be a cesspool of
malware? Miraculously they'll figure it out in 2010? Looks like Russ
bypassed the egg nog and went right for the heroin. How about consumers
getting smarter? Evidently he hasn't left his lake house in rural
Canada in YEARS. If what I see in coffee shops or hear at holiday
parties is any indication, consumers are on the express train to
Dumbville. But he does pinpoint two predictions I'm digging. The first
being China will be blamed for everything (shouldn't they be) and the
other is that nothing of note happens to "non-PC's."
- Attack of the
Prediction Stories 3 - Finally, let me call out a piece in CSOOnline getting predictions from
security luminaries, including Mark Weatherford (CISO of CA)
and Dan Kaminsky. There is stuff here from Weatherford on hiring and
maintaining talent (good call) and moving some security functions into
the cloud (ho hum). Kaminsky talks about how prosecution for
cyber-crime will accelerate (that would be great) and some ineffective
security techniques will be called out (much to the chagrin of Big AV).
This one isn't bad as far as prediction stories, but the only
prediction I have is that the electricity required to power Kaminsky's
ego causes a Xmas brownout in Seattle. Put that in your stocking. Yeah,
I couldn't help it. It was right there calling to me. Like Russ
- NSS kicks
some IPS vendors in the nuggets - I tend to disregard most
reviews and "certification" programs because well, folks have this
nasty habit of not biting the hand that feeds them. Except me maybe
(remember the NetworkWorld debacle?) So kudos to
the NSS folks that call some crappy IPS products
to the carpet and actually print effectiveness results. Of
course, in the press release they don't say which vendor got 17%
effectiveness (it was Juniper) and which was 89%
(yay for SourceFire), but I'm sure the happy vendors plunked down their
$1800 to buy the report and will be happy to share it with you. The sad
vendors are well, sad and trying to figure out how to poke holes in the
methodology. Here's a hint: Kevin Tolly is waiting by the phone for
your call. For $50K, he'll run at test that shows 100% catch rate and
make the problem go away.
- Hi, I'm Mike
and I'm a... - In today's personal development selection,
let's look at a post on the 37Signals blog called "Step one is admitting you have a problem."
The point here is about work addiction and that the start-up world
tends to breed many work addicts. They ask the right questions about
time vs. effectiveness and the impact of that to your health. Is that
work done between 10 PM and 2 AM productive? Is it good work? I guess
during the holiday season the message is that we should be questioning
everything and potentially acknowledging our problems and building 2010
plans to address them. And maybe relaxing a bit for the slog that is