The Daily Incite - August 21, 2008

Submitted by Mike Rothman on Thu, 2008-08-21 06:17.
Today's Daily Incite

August 21, 2008 - Volume 3, #71

Good Morning:
Now that the Olympics are winding down, in the US the presidential election is heading into full swing. With about 10 weeks before the election, soon enough it's going to be all election - all the time. It starts next week with the Democratic National Convention and then the Republicans get their turn. On one hand I'm excited because it's a historic election and we clearly need some change. On the other hand, I'm sickened by the negative ads surfacing even before the conventions. They've let out the attack dogs, and once they are on the loose - you can't pull them back in.
Don't mess with these dogs!
Seth Godin has a great post here about why negativity sells in politics. It's within the context of the "stories" each candidate manufactures about the other, but he's annoyed by it as well. I can tell you, this is going to be a nasty election. There is a lot at stake, and even if you have something good to say - that isn't interesting. Not to the media anyway.

I don't want to totally blame the media, but they have a lot to do with why most folks in the world are cynical, pessimistic, and downright grumpy. All we see on TV are sensationalistic images of everyone else's pain. Maybe 20% of the news is sort of positive and "feel good" stories. And it usually is the last 5 minutes of the broadcast, after the Lotto numbers.

In the US, it seems we've become a have-not society. We think a lot more about what we DON'T have, rather than what we DO have. People make more money than ever before, yet we are less happy. The stress is enough to break most people on most days. So why would our politics be any different? Our politicians sell us on what the other guy DOESN'T have, not on what the candidate does have.

It's all disgusting. But it's not going to change because negativity sells. That's right, being positive is a crappy marketing strategy. It's sad, but true. Obama did try this different message in the primaries and it was new and novel and different. And then the negativity broke him down. It had to. He would have lost if he didn't strike back. 

And now the presidential election will be more of the same. I'm going to try to tune out most of the crap. But it will be in the news, on the TV, all over the Internet. Maybe I'll just hibernate until mid-November. Clearly that's not an option, but it sure would be nice. It's hard to try to stay positive, when everything around you is negative.

I guess it is what it is. In hindsight, 2004 was the historic election. That was when the entire US was "swift boated." And it's hard to see how that is going to change in the foreseeable future. That's the thing about the US. We do stuff and don't really think about the long term impact and cost. I guess that's the American Way.

Have a great weekend. I'll need to spend the next 45 minutes doing positive affirmations.

Photo: "Can I please walk my dogs in peace?" originally uploaded by hand-nor-glove



Top Security News

Taking the wraps off PCI 1.2
So what? - PCI is the gift that keeps on giving. With PCI 1.2 imminent, the PCI grand poobahs are starting to talk about what's new and different. Not a lot, but they are moving to address some of the weaknesses in 1.1 that resulted in breaches and/or confused the hell out of us. Things like wireless security. Evidently they figure 802.1X is a good thing. Not clear if that will be mandated, but perhaps "recommended." This is great for everyone who sells networking and security services. Why? Because 802.1X is hard to do and most companies don't have the technical chops to do it right. And we all know what happens when you configure things incorrectly: a deployment that quietly drops unauthenticated devices onto an open guest VLAN, for example, gives you the checkbox without the control. There is also some more clarification about anti-virus; evidently it needs to run on all operating systems. I'm sure the folks that sell Linux AV are tickled pink by that prospect. Of course, those nasty Linux worms are definitely creating a problem out there. Like signatures are going to stop a rootkit. It just seems to me that PCI is becoming like the TSA. Every time a new attack vector shows up, there is a new rule to stop it. A lot of it seems like security theater. Or even better, kind of like the signature AV business. At what point does PCI become so long (since it needs a new rule or clarification for every attack ever attempted) that it can't keep up? For the time being, PCI has been a good thing. I hope it stays that way.

Now this is an "insider threat"
So what? - What most of us do is low risk. You know, if one of your devices gets compromised, it's sad - but no one is going to die. With the CIA, it's a totally different story. Fascinating article here in NetworkWorld about how the CIA truly trusts no one, not even the insiders. The watchers are constantly watching the watchers, and there are definitely lessons that we can take out of this. The first is that a background check on an employee is a point in time. Kind of like an audit. But tomorrow something can change, and that could turn the insider into a threat. So maybe doing ongoing investigations of people who have access to truly sensitive data is a good thing. The CIA also audits everything and looks for anomalies: access that doesn't match what a person normally touches, when they normally touch it, or how much of it they normally pull. REACT FASTER baby. That's what it's all about. They know they can't possibly protect every flank of the tens of thousands who work there. But they can make sure everyone knows they are going to be monitored and that "they'll" be watching. Is it a deterrent for everyone? Of course not. But it works for most. And when people's lives are at stake, every little bit of help is a good thing.
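To make the "audit everything and look for anomalies" idea concrete, here is an added example (mine, not anything from the NetworkWorld article or the CIA) of the simplest version of that check: build a per-user baseline from past access logs, then flag accesses in a review window that touch a resource the user never touched before, fall outside their usual hours, or exceed their usual daily volume. The log format, the user names, the resource paths and the thresholds are all constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample records (not real logs): "ISO-8601 timestamp  user  resource".
BASELINE_LOGS = """\
2008-08-11T09:12:00 alice /reports/q2
2008-08-12T10:40:00 alice /reports/q3
2008-08-13T14:00:00 alice /reports/q2
2008-08-11T09:00:00 bob /hr/payroll
2008-08-12T09:30:00 bob /hr/payroll
2008-08-13T10:00:00 bob /hr/benefits
"""

REVIEW_LOGS = """\
2008-08-20T09:10:00 alice /reports/q2
2008-08-20T23:45:00 alice /hr/payroll
2008-08-20T23:46:00 alice /hr/benefits
2008-08-20T09:00:00 bob /hr/payroll
"""

Event = Tuple[datetime, str, str]


def parse(log_text: str) -> List[Event]:
    """Turn the constructed log format into (timestamp, user, resource) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, resource = line.split()
        events.append((datetime.fromisoformat(ts), user, resource))
    return events


def build_baseline(events: List[Event]) -> Dict[str, dict]:
    """Per user: resources seen, hours of day seen, and the busiest single day."""
    baseline: Dict[str, dict] = {}
    per_day = defaultdict(int)
    for ts, user, resource in events:
        b = baseline.setdefault(user, {"resources": set(), "hours": set(), "max_daily": 0})
        b["resources"].add(resource)
        b["hours"].add(ts.hour)
        per_day[(user, ts.date())] += 1
    for (user, _day), n in per_day.items():
        baseline[user]["max_daily"] = max(baseline[user]["max_daily"], n)
    return baseline


def find_anomalies(baseline: Dict[str, dict], events: List[Event],
                   hour_slack: int = 1, volume_factor: int = 2) -> List[Tuple[str, str, str, str]]:
    """Return (user, timestamp, resource, reason) for each access that breaks the baseline.

    Thresholds (hour_slack, volume_factor) are arbitrary demo values, not tuned figures.
    """
    alerts = []
    per_day = defaultdict(int)
    volume_flagged = set()
    for ts, user, resource in events:
        b = baseline.get(user)
        when = ts.isoformat()
        if b is None:
            alerts.append((user, when, resource, "unknown_user"))
            continue
        if resource not in b["resources"]:
            alerts.append((user, when, resource, "new_resource"))
        lo, hi = min(b["hours"]) - hour_slack, max(b["hours"]) + hour_slack
        if not lo <= ts.hour <= hi:
            alerts.append((user, when, resource, "off_hours"))
        key = (user, ts.date())
        per_day[key] += 1
        if per_day[key] > volume_factor * b["max_daily"] and key not in volume_flagged:
            volume_flagged.add(key)
            alerts.append((user, when, resource, "volume_spike"))
    return alerts


def run_example() -> List[Tuple[str, str, str, str]]:
    return find_anomalies(build_baseline(parse(BASELINE_LOGS)), parse(REVIEW_LOGS))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

On the constructed data, alice's late-night reads of two HR resources she never touched before produce "new_resource" and "off_hours" alerts and, on the third access of the day, a "volume_spike"; bob's usual payroll access produces nothing. The point is not the thresholds, which a real program would tune against its own traffic, but that the baseline is rebuilt continuously rather than fixed at hire time.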

Missing the point of security software reviews
So what? - Seltzer is all up in arms because once again Consumer Reports has issued another anti-virus test. It uses the old software. Wah. It's not a fair testing methodology. Wah wah. They spend the entire front part of the article trying to scare everyone. Wah wah wah. Larry is right that it's hard to explain security to lay people. Me? I'm less concerned about right or wrong or how this is going to affect the Big Yellow's market share. I'm happy that at least SOMEONE is talking about security. No review is perfect. Every review can be gamed. But the worst thing in our space is to not talk about it. If no one is talking about it to the consumers, then they are certainly not doing anything about it. And the fact is, there is very little difference between any of the top-tier offerings. This box is green, that one is yellow, the other is red. Big deal. They all work well enough. But not talking about it is much worse. Personally, I don't know why anyone pays for this stuff with all the free options out there, but that's just me.


The Laundry List

  1. Thanks to the Emergent Chaos guys for pointing out the classic XKCD voting machine AV comic. Anytime you can use "condom" and "voting machine" in the same sentence, it's cool by me. - Emergent Chaos blog
  2. Who has time for that? TippingPoint announces a new portal with real-time threat info. I'm sure it's great eye candy, but how many administrators can just sit and look at the portal to figure out which new policies need to be deployed to their boxes? Anyone, anyone. Bueller, Bueller. - TippingPoint release

Top Blog Postings

What do Will, Skill, Bill and Nil have in common?
They are impediments that we security folks have to contend with that make it hard to complete a job. Bejtlich comes up with a great way to discuss each of our issues. A "will" problem is about motivation. Skill is self-explanatory. Bill is about not having money, and Nil is about not having the "mojo" or credibility to push something through. When you think about it, pretty much all the problems do fall into one of these categories. So how do you fix it? I wish there was a simple answer, but it's really about focusing on the intersection of the problems where your four impediments are minimal and whatever you are trying to protect is sufficiently valuable. You don't want to just focus on the things you can get done if there is little organizational benefit. But you also don't want to spend all your time tilting at windmills because you don't have the money or skill (or motivation or mojo) to get something important done. That's why security is more art than science. And prioritizing effectively is the most important part of the job.
http://taosecurity.blogspot.com/2008/08/getting-job-done.html

How do security folks use social networks?
No, this isn't another rant about Facebook or Twitter (sorry Jen). This is about an interesting survey done by the Big Yellow that tries to get at how security professionals use social networks. The data is kind of cool. Basically, we are suspicious of the value, but can't really block it. We don't want to "friend" everyone because that may be an implicit endorsement of someone we hardly even know. We know there is malware out there, but aren't really sure how to stop it. Hard to dispute anything in here. The fact remains that social networks are just something we have to deal with. Yes, they are infested with bad stuff and yes, it means we are going to have to clean things up time and time and time again. But just as you couldn't really stop IM back in the day, you can't stop the social network. So we need to make the best of it. Try to educate your users on what to do and not to do. Have provisions in place to REACT FASTER when something goes down. Right, this is nothing really new; it's just happening faster than ever before.
https://forums.symantec.com/syment/blog/article?message.uid=343671

No one said it had to be hard
It was pretty funny to watch the MBTA dispute over the DEFCON presentation. It seems that every year there is one organization that is caught with their pants down (thankfully it wasn't Eliot Spitzer again) and they react badly. The folks at Veracode wonder if the hack could really be that easy. Of course it can. Because a lot of these organizations are blissfully unaware that bad people will do bad things when given the opportunity. So they are surprised when someone points out that maybe storing value ON THE CARD is a bad thing. That not protecting that value is a REALLY bad thing. If the card is the only record of the balance and nothing binds that balance to an issuer secret, whoever can write to the card sets their own fare. And the MBTA was pissed because their entire strategy of security by obscurity had been blown out of the water. Fact is, by trying to muzzle the MIT kids, they shone such a spotlight on themselves that they instantly became a target. And once you are a target, it doesn't take long for the bad guys to figure it out. Whether the kids discuss it at DEFCON or not. Maybe I should write an eBook on "how not to respond to security researchers" or something like that. But most folks wouldn't read it until it was too late. Anyway, it's way too much fun to see these organizations falling all over themselves.
http://www.veracode.com/blog/2008/08/mbta-hack-is-it-really-this-easy/
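An added example (my own, not the Veracode post's code and not the MBTA's actual card format, which I am not reproducing here) showing why "value on the card" and "unprotected value on the card" are two different levels of bad. The card layout, the field sizes, the issuer key and the balances are all assumptions for the illustration. The unprotected version accepts a rewritten balance field without complaint; the MAC'd version rejects the same edit; and a backend ledger with a per-card counter is what catches the remaining trick a MAC alone misses, which is copying a still-valid older image back onto the card after spending.

```python
import hashlib
import hmac
import struct

# Assumed layout (illustrative only, not a real transit card):
#   card_id (4 bytes) | balance_cents (4 bytes) | counter (4 bytes) [| HMAC-SHA256 (32 bytes)]
BODY = struct.Struct(">III")
MAC_LEN = hashlib.sha256().digest_size


# --- Unprotected design: the card is the only record of its own value. ---
def write_plain(card_id: int, balance_cents: int, counter: int = 0) -> bytes:
    return BODY.pack(card_id, balance_cents, counter)


def read_plain(data: bytes):
    """Reader trusts whatever the card says."""
    return BODY.unpack(data[:BODY.size])


# --- Protected design: issuer key MACs the body; backend ledger tracks counters. ---
def write_protected(key: bytes, card_id: int, balance_cents: int, counter: int) -> bytes:
    body = BODY.pack(card_id, balance_cents, counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def read_protected(key: bytes, data: bytes):
    """Reject any image whose body does not verify under the issuer key."""
    body, mac = data[:BODY.size], data[BODY.size:BODY.size + MAC_LEN]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad MAC: card data was altered or forged")
    return BODY.unpack(body)


class Ledger:
    """Backend record of the highest counter seen per card (assumed online check)."""

    def __init__(self):
        self.last_counter = {}

    def accept(self, key: bytes, data: bytes) -> int:
        card_id, balance, counter = read_protected(key, data)
        if counter <= self.last_counter.get(card_id, -1):
            raise ValueError("replayed card image: counter already used")
        self.last_counter[card_id] = counter
        return balance


def set_balance_field(data: bytes, new_balance: int) -> bytes:
    """What an attacker with write access does: overwrite only the balance field."""
    return data[:4] + struct.pack(">I", new_balance) + data[8:]


def demo(key: bytes = b"issuer-key-demo-only") -> dict:
    """Run the three scenarios and return what each reader/backend decided."""
    results = {}

    # 1. Unprotected card: the rewritten balance is read back as genuine.
    card = write_plain(0x1234, 500)
    results["plain_tampered_balance"] = read_plain(set_balance_field(card, 100_000))[1]

    # 2. MAC'd card: the same rewrite fails verification.
    card = write_protected(key, 0x1234, 500, counter=1)
    try:
        read_protected(key, set_balance_field(card, 100_000))
        results["protected_tamper"] = "accepted"
    except ValueError:
        results["protected_tamper"] = "rejected"

    # 3. A MAC does not stop replaying an older valid image; the counter ledger does.
    ledger = Ledger()
    old_image = card                                   # counter 1, 500 cents
    results["first_use"] = ledger.accept(key, old_image)
    new_image = write_protected(key, 0x1234, 300, counter=2)   # after a fare is deducted
    results["after_spend"] = ledger.accept(key, new_image)
    try:
        ledger.accept(key, old_image)                  # attacker restores the 500-cent image
        results["replay"] = "accepted"
    except ValueError:
        results["replay"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two design notes: the key belongs to the issuer, so a reader that verifies offline has to hold it (or a derived per-reader key), which is its own risk to think through; and the ledger only works if readers can reach it, which is why systems that must work offline usually keep the authoritative balance on the backend and treat the card as a token rather than a wallet.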
