The Daily Incite - July 31, 2008
July 31, 2008 - Volume 3, #66
Good Morning:
I have to admit, the Internet has made me nicer. Now, I wouldn't go
around saying I'm like nice or anything. But understanding how the
blogosphere works and the fact that Google never forgets (it truly has
photographic memory) makes me a nicer person.

Since most of the folks that know me well wouldn't say that "nice" is
one of the ways they'd describe me, I'll provide some context. A while
back the Mogull was complaining about those sploggers that steal
syndicated feeds and put up web sites that sell ads around someone
else's content. He even ran a pretty funny experiment to see if they
pay any attention to what shows up in the feeds. It's a
deplorable practice, but it also must be working because I see another
one of these sites (stealing my content) popping up weekly.
There are lots of different opinions about how to deal with this. I've
chosen to not allow my feed to be syndicated without permission. It's
my content and that's what I decided to do. Basically I ask (nicely I
might add) for the content thief to stop syndicating my content. Most
of the time these folks don't have an email address on the site (though
I'm sure they have a place to deliver the AdSense commissions), so I'll
leave a comment. Failing that, I lodge a complaint through FeedBurner
and within a month or so that usually takes care of it.
Though I did get a pretty nasty response back from one of the
webmasters, saying no one has ever asked to be removed from his site
before and basically implying that I'm some kind of idiot. Didn't I
know that it's very expensive to run a site that steals other people's
content? How dare I question his ability to monetize my work (which
I've chosen not to monetize).
Before the blogosphere, the "old" Mike would have ripped this guy
apart. I would have sent one of my patented nasty-grams (anyone that
has worked with me for any length of time has probably experienced it)
and that would be that. But I didn't send a nasty-gram. In fact, I sent
a very cordial response back saying it was a personal decision and
thanked him for doing such great work to aggregate so much great
content. Yes, I blew some smoke into his backside.
Huh? Have I become some kind of wimpy, sniveling lame butt? I guess if
I'm being candid, sort of. I'm just very sensitive to the "TechCrunch"
effect. Basically, I could have sent a nasty-gram and told this guy
what I really thought of him: that he's a drag on society and adds no
redeeming value, that his parents should be ashamed of him, and that if
he had any kind of original thought or brain activity he would publish
his own stuff instead of stealing mine. But I didn't, because I figured
he would turn around and post it in a high profile place. And then I'd
be the one that looked like a schmuck.
So there you have it, now I'm a nicer guy because I know when I'm not,
it'll show up on some web site and make me look like an ass. I guess
it's kind of a deterrent in that sense. To be clear, I'm not any nicer,
I just understand that venom and vitriol should be delivered in ways
that cannot be cut and pasted onto TechCrunch.
Have a great weekend.
PS: If you didn't see, the P-CSO was reviewed on Slashdot. Woo Hoo.
Photo: "Smiley face cookie" originally uploaded by devillibrarian
Top Security News
Is there a "secure enough?"
So what? -
I tend to say "good enough" at least a couple of times a day. I believe
that given the opportunity, we'd hit the point of diminishing returns
in security pretty frequently. Fact is, most of us don't get the
resources or funding that we need to hit that point, but ultimately we
need to get comfortable with the concept of "good enough." Until
someone figures out how to turn security from overhead into revenue
generation (and Ken, don't send me that friggin' white paper again
:-), we'll still be in the same boat. Jai Vijayan does a little
analysis of "secure enough" and it brings up some interesting points.
Many of which are echoed in the P-CSO methodology. You know, figure out
how secure you can/should be. Then understand "asset value," but
personally I don't care about true value - but rather RELATIVE value.
I'm trying to figure out what the most important assets are to protect.
Then I need to implement a control framework (though that is much
easier said than done). Check. Then measure and monitor. I think
monitoring is critical, measurement is a nice to have. Not that it's
not important to pull metrics, I just think there are a lot of things
that can be measured that shouldn't. And the industry hasn't gotten any
sense of agreement on what those things (to measure) should be. Overall
this is a good article because it factors in the reality that we aren't
going to get everything done and we need a structure to make sure that
good enough is really good enough.
I want to get out of that little car
So what? -
Looks like Linus Torvalds (yes, the Linux dude) is
aiming some of his angst (maybe about creating a bunch of multi-billion
dollar revenue streams and not getting dick out of it) towards the
"security circus." If this is a circus, I want to be one of
the clowns that gets out of the little car. That looks like fun. It's
easy for someone who just sits in an ivory tower and worries about
kernel issues to be very critical of how security researchers choose to
promote themselves. In fact, I do that all the time. I don't worry
about kernel issues, but certainly spend a good part of every day in my
own little ivory tower. The point Linus is trying to make is that
security is sensationalized and it's a problem. Unfortunately, he
thinks that taking a middle of the road approach of not pandering to
either the no or full disclosure ranks is the right path. Unfortunately
that doesn't work either and can be more dangerous than anything else.
Ask Dan Kaminsky about that. I'm still of the opinion that it's either
all or nothing. Either don't disclose at all, and work with the vendors
in the background - hoping that the bad guys don't have the attack. Or
disclose IT ALL and get the good guys making tools to hopefully stay
ahead of the bad guys. Both ways kind of suck, but at the end of the
day this is the bed we made (crappy code with no thought to security) -
so now we get to sleep in it.
And the benefits are great...
So what? -
The grass is always greener on the other side. Fact is, if you work in
the security business, odds are the grass looks like crap wherever it is
you squat. It seems the vendor security researchers are a little
steamed that independents get all the attention for finding the "cool"
security bugs. Just because they don't have anything better to do, the
X-Force ran some numbers to prove that it's really the vendor
researchers that find 80% of the "critical" bugs.
Talk about needing a hug. Would someone in Armonk please fly down to
Atlanta and tell the X-Force guys that you still love them. That
someone in a blue suit actually gives a
crap about what they find. Or maybe this is a recruiting technique.
Join the X-Force and find the important stuff. That's much better than
going the independent route and becoming infamous and filling up your
Black Hat talk. All kidding aside, it just seems ridiculous to me that
anyone would be spending any time to figure out who was "more right."
The bad guys are finding new stuff all day, I suggest the researchers
(whether they are independents or vendors) get back to work.
The Laundry List
- HD was not pwned, just misquoted and had the unfortunate luck of actually using AT&T for Internet connectivity. Yes, the fact that his company was impacted by his exploit code is ironic, but the mischaracterization in the media is irresponsible. - Metasploit blog
- Deal: Aladdin uses one of their wishes (and $65 million) to buy SafeWord from SCUR. Good for SCUR to focus on their gateway business. Good luck to Aladdin, I hear it's easy to compete with RSA and $5 tokens from everyone else. - Aladdin release
- Georgia boy hacks into his school. Must be taking the Mitnick approach to fame and fortune. Hack a bit, add KY and then write a book. Publishers line up, the book should be ready in about 2015. - NetworkWorld coverage
- Is Big Yellow rebounding? They announce a good FQ1. Evidently executing less than "sucky" actually works. And someone should be measuring Enrique's head for the crown. - Symantec earnings release
- Lots of other earnings news as well. SonicWall does OK. Zix also announces (why are these guys still public?), and Entrust shows that they still can't hit the top line number. All three mention the "challenging business environment." I guess that's a code word for "give me a pass, it's brutal out there."
Top Blog Postings
I'll take one defeat and despair to go...
It's fact that you have to have a certain type of personality to be a
security professional. Paranoia is critical, since they really are
trying to get us at all times. But there is a downside to being able to
focus on negative use cases all day long, every day. Basically we
become grumpy and prone to despair. Amrit tries to provide some context
around the fact that "This too shall pass" is a good way to look at
things. A mentor of mine would constantly remind me that it was a
marathon, not a sprint. We need to play for the long term, even though
many of the incentive plans (both positive and negative incentives) are
all about short term actions and thinking. Amrit believes that the good
guys have a lot going for us and that we actually have an "advantage."
Part of this is trying to make lemonade out of a bunch of crap, but he
does have some good points. Yet the net is that the world is a
resilient place. Every time you get backed up against the ropes, the
collective we finds a way out of it. Yes, it's hard to keep that
context in the
morass of daily firefighting and the like, but it's true. The sun will
rise tomorrow, just like it has for a billion years. Until it doesn't
and then we probably have bigger problems to worry about.
http://techbuddha.wordpress.com/2008/07/24/the-art-of-security-and-why-security-vendors-are-the-root-of-all-internet-evil/
If that's the wrong problem, what's the right problem?
Sir Ivan makes a great point here about the real root cause of our
security issues. "Underneath all our security issues lies our
inability to write defect-free code.
Solve that and we've solved the security issues. Focus on the security
alone and we won't solve anything." I agree with the
sentiment, but can't for the life of me figure out how we'd get there.
Food for thought over the weekend.
http://blog.ivanristic.com/2008/07/ive-come-to-rea.html
"Perfect" measurement? Give up now.
Perfect is the enemy of the good. So when I see the title of this post
on BlogInfoSec "Crossing the Metrics Rubicon: Quest for the Perfect
Measurement" I turn my nose up and figure it's yet another highly
theoretical idea about what should be counted and why. But to Patrick
Foley's credit, this isn't that post. It's really about the fact that
we have a lot more data now, but no one has figured out how to turn it
into information. Most interestingly, he points to some securities
trading and insurance models that could be instructive in what we have
to do. But there will always be problems with models, since they can't
predict what we don't know. And it seems every attack that has ever
made a big wave was NOT predicted by the people that are supposed to be
predicting. So I don't want data to help me predict what is at risk. I
want data to help me understand whether I'm working efficiently. I'm
starting to come to the conclusion that you can't necessarily come up
with a number to represent "risk," but you can count and measure
efficiency of the "right" stuff that we know needs to happen. I'm kind
of throwing some crap against the wall here, but my utter frustration
relative to almost all things metrics is forcing me to look at the
problem from a very different perspective.
http://www.bloginfosec.com/2008/07/18/crossing-the-metrics-rubicon-quest-for-the-perfect-measurement/