The Daily Incite - August 26, 2008
August 26, 2008 - Volume 3, #72
Good Morning:
As cool as the Olympics were, I'm a bit perplexed by some of the TV and
media coverage. We got all Phelps, all the time (and with good reason),
we got lots of ladies gymnastics (for good reason too), some Kobe and
LeBron and a good amount of Bolt. All of this makes sense. But we got
very little decathlon. I notice these things because the 1976
decathlon (in Montreal) was the first time I really remember following
the Olympics.

Of course, that was the year that Bruce Jenner won and became a
national fascination. I guess every Olympics has their big stars and
unfortunately the guy that won the decathlon, Bryan
Clay, isn't on the list. That's right, did you even know an
American is the "world's greatest athlete?" I didn't.
Did you know that Bryan Clay took silver in Athens four years ago?
Yeah, me neither. What happened to the world-wide fascination we had
with the decathlon? Remember Dan and Dave, that Reebok ad campaign
before the 1992 games? Then Dan didn't make the Olympic team and Dave
sucked wind in Barcelona. Yeah, Reebok took it in the shorts on that
one. Then Dan came back four years later in the ATL and took gold.
Guess that was the first redeem team. What's Dan O'Brien doing nowadays?
I don't know why this is annoying me. There are a lot of athletes that
didn't get much air time, unless you count CNBC coverage at 3 in the
morning. But the decathlon is something else. Or at least it
used to be. Bruce Jenner's nose job and face lift (how else could the
guy still look 35?) gets more coverage than the Olympic gold medalist.
In fact, I couldn't even find a picture of Bryan Clay with his gold
medal. Not that I could use without paying a crap load to Getty Images.
That's why I pulled this Bruce Jenner mural. It's all I could find that
was sort of related to the decathlon. Bryan Clay needs to fire his
marketing reps. He may make it onto a Wheaties box because every
decathlete seems to do that, but no one will know who he is. And
that's a shame because he accomplished something spectacular in
Beijing.
Have a great day.
Photo: "bruce jenner mural" originally uploaded by MacQ
Top Security News
Criminals taking the path of least resistance (and least risk)
So what? -
We may not like to admit it, but our adversaries are business people
like everyone else. They just happen to be in the business of fraud and
crime. When you are facing that old career management decision, you
have to figure these folks are opting for online fraud because it's a
lot safer, with a lot less risk than sticking up a bank - for example.
As much as you would have liked to, you probably didn't spray bullets
at the person that sent you a phishing message. But there was always
the threat of getting caught and then doing time. But evidently that
threat isn't much of a threat either, since the US justice system can't seem to figure out
what to do with cyber-crime. Thus, it will take some time to
figure out how to properly gather evidence and prosecute these folks,
and I'm sure many will walk on technicalities and win their trials
because the prosecutors are still trying to figure out how to use
email. So that means online criminals have a bit of runway before there
is an occupational hazard of getting thrown in the slammer. What does
that mean to you and your family? You can't count on the "system" to
make things right, so you have to protect the people you care about
yourself. Train them on how to detect fraud. Configure their machines
securely. Monitor your credit cards and banking accounts frequently for
signs of something funky. At some point, they'll figure out how to
bring these folks to justice, but it will take a while.
Outsource your app testing
So what? -
Application QA (quality assurance) is hard on a good day. It's hard to
find good folks, it's hard to automate the process, it's hard to really
map what a user is going to do. And when you do this wrong, you ship
crap code and piss off your customers. Normally I don't mention
start-ups (because most of them suck), but there is a new
company called uTest that has built a community of sub-contractors to
help customers test their applications. It's a cool idea,
especially the community aspect of it. Kind of like Elance (which I use
to find designers), but applied to the application testing markets.
These contractors beat on your application from all parts of the world.
So you can get a real feel for how the user experience works in both
Topeka and Timbuktu. You are also much more likely to find
platform/browser specific issues via this method because you can assume
the testers all use different technology platforms. It's not clear what
kind of security testing they'd do, but that would be an interesting
place to specialize and be able to charge significant premiums. But
this seems to be a model with long term legs and why wouldn't it?
Finding people is very hard, managing them is even harder. If these
types of organizations have cracked the code on that, there is a lot of
value there.
VeriSign becomes your password PI(m)P
So what? -
Single sign-on remains the holy grail for many folks. I have accounts
with countless web sites and many of them have different password
requirements. Given the risk (especially on my financial accounts), I
also prefer to use very strong passwords. So 1Password has been a
life-saver for me. Now VeriSign is getting into the web SSO
business with their Personal Identity Portal, which is
described here by TechCrunch. They've got a long list of sites they
already integrate with and that will grow over time. You are trusting
VeriSign with your credential, but they are in the security business,
no? Personally, I like to have control over my data - that's why I
steer people towards either 1Password for Mac users or KeePass for
Windows (I use both). But that's just me. If the alternative is to use
your dog's name or your alma mater as your password for everything,
then let VeriSign pimp out your passwords. More security is better than
less security, even if it's not perfect.
The Laundry List
- Joel Snyder loves the Palo Alto box, since it gives more visibility into what's actually happening. This is where the technology is going, the question is whether the incumbents will get there soon enough to squeeze new players out of the PAN and into the fire. - NetworkWorld review
- And so it begins. Check Point finally ships an integrated endpoint agent along with an updated suite. Is it really integrated? We won't know until someone actually tests it out, but this is where things are going. - Check Point releases
- Hat tip to Becky, who pointed me to this article about an actual HIPAA violation. Egads! Someone going to the slammer for taking patient files. Of course this was done the good old-fashioned way (actually stealing the files), but maybe security vendors can spin this as a reason to buy that data encryption. - KTEN.com coverage
- Blue Coat announces Q1FY2009 earnings. Big revenue growth, but buying Packeteer will help with that. They aren't really a "security company" anymore, but over time there won't be many "security" companies. - Blue Coat earnings
Top Blog Postings
Yes, security is a process (and mindset), not a product
Schneier has been saying that for years, and he's still right. This
post by AndyITGuy reminds me of that, especially about how most
organizations don't protect customer data in any way, shape or form.
It's not that they don't want to, or blatantly skirt the rules. It's
that they just don't realize that actions (like leaving loan
applications on their desks or not locking their computers when they
walk away) are an invitation to have that data stolen. It's not the
people that are broken, it's the process. Now good people can overcome
a broken process, but it's hard. Andy points out that looking at log
files and having high level interviews won't give you the answers you
need to really understand the process. You've got to get out into the
field and observe how folks do things, and then you have to fix a
broken process and train folks in how to behave properly. Remember, the
most dangerous place for a security professional to spend the day is
behind their desk.
http://andyitguy.blogspot.com/2008/08/im-not-expert-in-all-things-security.html
Compliance <> Panacea
Rich rants a bit (responding to an Anton post) about the checklist
mentality to doing security. I was talking to some of the muckety-mucks
from the PCI Standards Council yesterday about the same issue. Many,
many practitioners are looking for the easy way out. They want someone
to tell them EXACTLY what to do, give them a shopping list and then
tell them everything will be alright when the auditor shows up.
Seriously. So many, many vendors try to do exactly that. They make
whatever widget they sell look like a compliance panacea. Buy my thingy
and the auditor will smile and be happy. Not so much. Rich's point is
that many of the regulations are nebulous about specific technologies,
which means the vendors are basically making up any firm correlation
between the regulation and their product. Remember Security FIRST!
Figure out the best way to protect your data, and then the compliance
will fall into place.
http://securosis.com/2008/08/18/dont-sell-compliance-if-it-isnt-a-checkbox/
Experience makes the nomad
I read Hugh Macleod's blog because I like his artwork. But every so
often he posts something that clarifies a lot of what I deal with as a
one-man band, whose office is more likely a coffee shop than anywhere
else. Digital nomads "can and do work anywhere he or she likes." And
it's true. I was at the beach for two weeks over the summer, and if I
didn't tell you - you wouldn't have known. Unless I am doing a strategy
engagement or a seminar keynote, it really doesn't matter where I am.
And that is liberating. But I also have been around long enough to
appreciate the technical advances that have made this possible. EVDO
being probably the most important, but also better laptops, blogs and
communities (to do marketing) make this kind of lifestyle possible. But
the one thing that has been most useful to my ability to be an
independent analyst is EXPERIENCE. This kind of business, job or
lifestyle wouldn't work for a kid right out of school. They don't know
anything and they need some structure to learn it before they can head
out on their own. I spent over 17 years in the school of hard knocks to
earn this privilege. And a privilege it is, I don't ever forget
that.
http://www.gapingvoid.com/Moveable_Type/archives/004651.html