The Daily Incite - August 5, 2008
August 5, 2008 - Volume 3, #67
Good Morning:
I'm glad kids are so adaptable. Yesterday, the twins started at their
4th pre-school. In 4 years. And they are not even 5 yet. It's kind of
wacky. The first was exclusively an 18-month program. It was a good
program, but a 15-20 minute ride from the house, which became a drag.
The second was right around the corner and was great, but didn't offer
a full day program - which we needed when the twins turned 4. So last
year we sent them to yet another program, and they really liked it. We
figured they'd be in the same program again this year, and that was
that.

But the best laid plans... It seems the director of the school decided
(in her infinite wisdom) that it was OK to have 41 kids, split across 2
classrooms with only one teacher and two assistants. Yeah, not so much.
For what I was paying for the privilege of sending my kids to the
school, we deserve better than double the teacher:student ratio they
get in public school.
The Boss was a teacher before the kids were born, so she realized how
untenable the situation was. A lot of other parents had real
reservations as well. So much that a simple meeting turned into a 2
hour bludgeoning of the Director. After a while, she relented and said
she'd hire another teacher.
Cool, problem averted. Back to our regularly scheduled program. But I
have taught the Boss well, and she immediately went into contingency
planning. What if they don't get another teacher? What do we do then?
Well, the Boss didn't leave anything to chance. She scouted about
another (well regarded) school in the area. So when we heard the
Director had "changed her mind" and wasn't hiring another teacher - it
was right down to the other school to get our kids a spot.
We decided to vote with our wallets. We knew going back to the Director
was going to be fruitless. So we didn't even bother. We didn't complain
about it, we took action. Too many folks just accept their lot in life,
with nary a whimper. That ain't me or the Boss. If we don't like it, we
change it. It's as simple as that.
Thus, the 4th school in 4 years. The boy cried a bit today, but he'll
be fine. He's not as good with change as the others. It's a great
program and they will be super ready for kindergarten next year. This
new school has up to 36 kids in the class, but 3 REAL teachers. The
kids are broken up into 3 groups, and no more than 2 groups are ever in
the class at any one time. There is a school store (where the kids can
practice) and it's very rigorous from an academic standpoint.
We aren't those crazy parents that are trying to push the kids ahead.
Drilling them in multiplication tables before they are even in
kindergarten. Yes, there are parents that do that. We have them in a
full-day program so the Boss can work. But while they are there, they
may as well get a good education.
Have a great day.
PS: I'll be at Black Hat this week. Check out my thoughts on the show.
Photo: "Empty", originally uploaded by -Mandie-
Top Security News
Penny wise and pound foolish - laptop encryption style
So what? -
Andreas from Nemertes (run by my former colleague and all around brain
surgeon Johna Johnson) makes an impassioned plea for laptop encryption
in his recent NetworkWorld column. His main point is that there really
is no excuse not to encrypt the laptops. Given the reality that a bunch
of devices will be lost, quite a few stolen, and still others
compromised due to
the general idiocy of the owners, why not do it? Especially given the
availability of "free" open source solutions like TrueCrypt. This is
where he loses me. I'll admit to not having played around with
TrueCrypt (Apple's FileVault works fine for me), but the idea of any
mid-market or enterprise technology manager rolling out open source
technology to the masses scares the hell out of me. And not for why
you'd think. The technology is more than likely solid. It's the
manageability that I worry about. Does TrueCrypt come with a management
console to deploy the software to 100 devices, or 1,000 devices, or
10,000, or 100,000? Does it handle exceptions and provide a failsafe so
the CEO can get into his/her laptop after forgetting the password,
without requiring you to FedEx a recovery disk? Can it recover if they
lose the tip of their index finger in a freak private plane accident
and can't use the fingerprint reader? If the answer is yes, then I'm
cool. If it's no, I'd remind technology managers that whatever they
deploy, they actually have to manage.
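The "failsafe" question above is really a key-escrow question: can a central console unlock a volume when the user can't? The following is an added illustration of that mechanism, not TrueCrypt, FileVault or any vendor's code. It assumes one random data-encryption key (DEK) per laptop, wrapped twice: once under a key stretched from the user's password (PBKDF2-HMAC-SHA256, a chosen parameter), and once under a random recovery key that only the management side holds (an in-memory dict stands in for the escrow store). The wrap itself is a one-time-pad XOR of the 32-byte DEK under a derived sub-key plus an HMAC tag, which is enough to show the two unlock paths and password rotation without touching the DEK; a real product would use a standard key-wrap mode.

```python
"""Illustrative two-slot key escrow for laptop disk encryption (added example).

One DEK protects the volume. Slot 1 is unlocked by the user's password,
slot 2 by a recovery key escrowed with the management console, so a
forgotten password is an administrative recovery, not a data loss.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

KEY_LEN = 32          # 256-bit DEK / KEK (assumption)
PBKDF2_ITERS = 200_000  # password-stretching cost (assumption)


def _kek_from_password(password: str, salt: bytes) -> bytes:
    """Stretch a user password into a 32-byte key-encryption key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERS, KEY_LEN)


def _subkeys(kek: bytes):
    """Derive separate wrap and MAC keys so one KEK is never used for both."""
    return (hmac.new(kek, b"wrap", "sha256").digest(),
            hmac.new(kek, b"mac", "sha256").digest())


def _wrap(dek: bytes, kek: bytes) -> dict:
    """Wrap the DEK under a KEK: one-time-pad XOR plus an integrity tag.

    The wrap key is uniformly random and used exactly once per slot, so
    XOR is sound here; the HMAC makes a wrong KEK fail loudly rather than
    silently yield garbage."""
    wrap_key, mac_key = _subkeys(kek)
    wrapped = bytes(a ^ b for a, b in zip(dek, wrap_key))
    return {"wrapped": wrapped,
            "tag": hmac.new(mac_key, wrapped, "sha256").digest()}


def _unwrap(slot: dict, kek: bytes) -> Optional[bytes]:
    """Return the DEK, or None if the KEK is wrong or the slot was altered."""
    wrap_key, mac_key = _subkeys(kek)
    expected = hmac.new(mac_key, slot["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(slot["wrapped"], wrap_key))


def enroll_laptop(laptop_id: str, password: str,
                  escrow_store: Dict[str, bytes]):
    """Run once at deployment: build the volume header and escrow the
    recovery key centrally. Returns (header, dek); the DEK would normally
    stay on the device, it is returned here only so callers can verify
    both unlock paths."""
    dek = os.urandom(KEY_LEN)
    salt = os.urandom(16)
    recovery_key = os.urandom(KEY_LEN)   # held by the console, never the user
    header = {
        "salt": salt,
        "user_slot": _wrap(dek, _kek_from_password(password, salt)),
        "recovery_slot": _wrap(dek, recovery_key),
    }
    escrow_store[laptop_id] = recovery_key
    return header, dek


def unlock_with_password(header: dict, password: str) -> Optional[bytes]:
    """Normal boot path: the user types the password."""
    return _unwrap(header["user_slot"],
                   _kek_from_password(password, header["salt"]))


def unlock_with_recovery(header: dict, laptop_id: str,
                         escrow_store: Dict[str, bytes]) -> Optional[bytes]:
    """Help-desk path: the console releases the escrowed recovery key."""
    key = escrow_store.get(laptop_id)
    return None if key is None else _unwrap(header["recovery_slot"], key)


def rotate_password(header: dict, old_password: str,
                    new_password: str) -> bool:
    """Re-wrap the user slot under a new password. The DEK and the
    recovery slot are untouched, so escrow stays valid after rotation."""
    dek = unlock_with_password(header, old_password)
    if dek is None:
        return False
    header["salt"] = os.urandom(16)
    header["user_slot"] = _wrap(dek, _kek_from_password(new_password,
                                                        header["salt"]))
    return True


if __name__ == "__main__":
    store: Dict[str, bytes] = {}
    hdr, dek = enroll_laptop("lt-0001", "correct horse", store)
    print("password unlock ok:", unlock_with_password(hdr, "correct horse") == dek)
    print("recovery unlock ok:", unlock_with_recovery(hdr, "lt-0001", store) == dek)
```

The property a buyer should check for is the one the last function shows: the user can change the password as often as policy demands while the escrowed recovery material keeps working, and neither path requires shipping anything physical to the CEO.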
Vista is more secure than XP - uh huh!
So what? -
Since I'm looking forward to seeing Jeff Jones and some other
Microsoftians at this week's Black Hat conference, I'll just take a
moment to poke fun at this continuing myth that one operating system is
more secure than another. It's
like saying one gun is more deadly than another. The
folks that watch Microsoft continue to perpetuate this fallacy.
Of course, this is based on Microsoft's own subjective assessment of the
patches' "criticality." The reality of the situation is that it doesn't
matter which operating system is "more secure." In the hands of a stupid user,
either of the operating systems is a deadly weapon. I
understand that the Microsoft watchers have a vested interest in making
sure Microsoft sells more Microsoft stuff, so they have more actions at
Microsoft to watch and write about, but still. The fact is Microsoft
makes it hard to continue using XP. It's hard to buy. You should have
seen the hoops my father-in-law had to jump through to get XP on his
new laptop (since I couldn't in good conscience tell him to actually
use Vista). Within a few years it will be hard to get support on XP. So
Vista is the future, whether we like it or not. And whether it's secure
or not is beside the point. How many bugs each one has is also beside
the point. Everything is vulnerable (even my beloved Mac) and we need
to plan for those eventualities. But tracking this stuff is certainly
an interesting use case for Excel.
The world remains neither black nor white
So what? -
I'm not known for my love of gray. In fact I hate it. If I could reduce
every decision to a clear, black or white, left or right, up or down
analysis - I'd be a happy guy. Of course, the world isn't like that,
since without black there can be no white. Without up? That's right, no
down. OK, enough of abstract philosophy. I'm reminded of these issues
when I see the whitelisting vs. blacklisting argument
resurface. It's like when I saw Andy Jaquith go through his
provocative "AV sucks" pitch at Source Boston earlier this year. Of
course, Andy was poking fun at the AV engine that drives security, but
he only told one half of the story. His story is about the inabilities
of
the blacklist (signature-matching) techniques to scale to keep up with
the new attacks. On that point he's exactly right. That's where
whitelisting comes in and pretty much
every big AV product has some kind of whitelisting capabilities. Some
more formal than others, some that try to get you to pay extra for it.
But it's all the same. You need the black list to make sure you don't
make
the same mistake twice. You need a white list to allow the things you
know need to be allowed. And you also need some kind of "gray list,"
which more heavily scrutinizes the stuff not on either the white list
or the black list to make sure it doesn't kill you. But religion
continues to drive page views, so I
figure we'll continue having more of the same for a long time to come.
The Laundry List
- OK firefighters, you can go home now. It seems FIRE has extinguished the burning embers of their first two quarters as a public company. They should send a thank you note to the outgoing US Federal regime, who is evidently set on helping lots of security companies make their quarters. - Sourcefire earnings release
- Core introduces a pen tester "lite" version of Impact, called Impact Essential at a cheaper price point. This is good stuff, since the more folks that learn to "hack themselves," the better. - Core Security release
- Talk about weird timing. Two companies emerging from the rubble of CipherTrust attack the same market, web security in the cloud. Jay Chaudhry's is Zscaler, the other group is Purewire. Which came first, the cart or the horse? - 451 Group blog
- Everyone jumps on the PCI bandwagon. Even an application configuration management play called mValent. If it wasn't so sad, I'd actually laugh a bit. - mValent release
Top Blog Postings
More numerical idiocy
First of all, hats off to Dancho for using Count von Count's picture in
a blog post. The Count is by far my favorite Sesame Street character.
Actually, the highlight of a recent Orlando trip with the kids was
getting a picture with the Count himself, all the way in from
Transylvania. But I digress. Dancho skewers the recent one-upmanship
from the AV vendors about who has more thingys to detect other thingys.
His point is that none of this matters because today's brand of malware
is sufficiently evolved to actually morph and obscure on the fly. So
how many you have doesn't really matter, as long as you have the one
the script kiddie is using against you right now. Or have some kind of
white/black/gray list approach (as mentioned above), or better yet -
just wait in your office for someone to do something stupid, then you
clean up the mess. Which is what we normally have to do anyway, right?
http://ddanchev.blogspot.com/2008/07/counting-bullets-on-malware-front.html/
I'm too disillusioned to CAER
Actually I'm not, but it was a nice play on words based upon the latest
wisdom to emerge from the Tao Master himself. Bejtlich introduces a new
acronym (since we haven't had a new acronym in a while; sorry Rich, ADMP
doesn't cut it) that really sums up the operational roles of the
security professional pretty effectively. Collection, Analysis,
Escalation, and Resolution are what CAER represent and there is a lot
of
logic here. Especially as Richard laments the fact that most folks just
collect data and don't really do much with it. Besides maybe generate
some reports for an auditor every six months or so. They figure the
audit is the end goal, not a checkpoint on the way to figure out if
you've wandered off the reservation. Another point also rings true:
"the goal of every
mature security operation is to reduce the mean time
to resolution." Ain't that the truth! Unfortunately it's
not clear to
me what most security professionals believe the goal is. They generate
some great reports about how quickly they patch and what wonderful AV
coverage they have on the devices. Bah humbug. Maybe set about trying
to CAER a bit more for the rest of the year. Everyone will appreciate
your efforts.
http://taosecurity.blogspot.com/2008/07/security-operations-do-you-caer.html
Your demo still sucks
Doing what I do, I'm subjected to a lot of demos. Though I try my best
to get out of them. I'll use all sorts of excuses. Like the dog ate my
Internet router (I don't have a dog). Or your WebEx works like crap on
my Mac (it works good enough). Or my coffee shop blocks access to your
crummy demo (actually I could surf pr0n there if I wanted to). Despite
my best efforts the demos still suck. Why? Because most demos still
focus on what the product DOES, not what PROBLEM IT SOLVES. If you have
anything to do with demos, please read Mitchell's rants on doing demos,
and listen. Do scenarios. Help
the prospect (or analyst) understand how your tool is going to impact
their job. Make the issues real for them. What can they do better with
your stuff, saving them time or money or protecting information more
effectively? And I love the idea of
packaged demos. Even if you (or your best SE) are great at doing the
demo, I'm sure other folks in the field suck. So take the variability of
crappy Internet connections and the like out of the equation. A
recorded demo also makes sure your folks stay on point and highlight
the issues/problems/capabilities that really matter. Not what the
product manager thinks is a cool feature or a nicely colored box.
http://www.theconvergingnetwork.com/2008/08/product-bistro.html
Hi Mike,
It's been a long while since we last spoke--I think it was right after SHYM was merged with Authentica. So I read your comment about mValent's PCI announcement. FULL DISCLOSURE: I'm the VP Marketing there. Anyway, a number of our customers have taken our product out-of-the-box and, with some tweaking of their own, used it to assist them in passing PCI audits. Several more have purchased our product specifically for this purpose. You may laugh, but customers with this challenge find value in what we do. Their voices are powerful. Hope to see you sometime soon.
Jim Hickey