The Daily Incite - June 10, 2008
June 10, 2008 - Volume 3, #55
Good Morning:
Since when is screwing your customer a good idea? I'm talking about the
movie industry, by the way. The Boss and I went to take in the new Adam
Sandler movie (Don't Mess with the Zohan) on Friday night, and I was
reminded there is a reason that the movie business is struggling.
Unfortunately (for them) a lot of the wounds are self-inflicted.

To their credit, the ticket buying process has become dramatically
streamlined with online ticket "windows" and the ability to pick up the
tickets via a kiosk outside the theater. But that's about the only
pleasant thing about seeing a movie nowadays.
Let's deal with the concession stand first. Besides providing TOTALLY
overpriced refreshments (like 40 oz of pop should cost $4), they
monitor the cups. That's right, if you just want a cup to split a
bottle of water (for example), they give you this kiddie cup that
wouldn't even provide enough volume for a urine test.
Now I get why they do this. It's too easy for a teenager to pilfer a
few cups and give their friends free refreshment. And of course, since
the margins on fountain cola (which tastes like crap, by the way) are
only like 1200%, they definitely need to monitor that shrinkage in such
a draconian fashion. But the reality is that shrinkage is the movie
theater's problem - NOT MINE. So if I want to split a big bottle of
water with my date - I should be able to and not use a kiddie cup. Is
that too much to ask for?
And what's the deal with the commercials? I pay $10 for the right to
sit in a theater and get just bombarded with ad impression after ad
impression. Sometimes it's a slide show of local merchants, other times
it's like an infomercial for movies I don't want to see or TV shows I
don't care about. What's next, a pitch for a Tony Robbins program or
maybe the ThighMaster?
Basically, what used to be a lot of fun - now pretty much sucks. Given
the fact that I have a decent home theater and a couple of my friends
are Torrent aficionados, I can see any movie I want - at any time. And
I think I might. I can have a bunch of friends over and get the social
aspects of going to the theater, and the popcorn is a lot cheaper and I
can have all the big ass cups of soda I can drink.
Have a great day.
Top Security News
Why don't we call it Skynet?
So what? -
One of the pieces of "insight" coming out of the G's annual security
soiree was the concept of the "adaptive security
architecture," which is basically an intelligent
infrastructure that actually communicates policies and rules in real
time to security devices, depending on the user and the policy.
Personally, I think it's a
pipe dream. The market has voted most IPS blocking off the island,
opting instead to block maybe 2-3% of the applicable rules and monitor
the rest. What makes us think that, even over a reasonable planning
horizon (5-7 years), detection will become granular and accurate
enough to actually do this kind of automated blocking? The first
precursor to this is reputation blocking of email messages. Reputation
is starting to be applied to web filtering as well, but again it's
about blocking the 2-3% of senders that we KNOW are bad. I think the
vision is compelling, but I also think it's a long long long long long
long long ways off. I like the quote from Ted Julian of AppSec at the end. The
reason none of the vendors are talking about this is that even
they know the balance between selling futures and selling THE future. It
would be like Trump starting to sell his first building on Mars.
Compelling vision, but a bit early.
Speaking of far off, how about metrics?
So what? -
Dennis Fisher uses some of his column space to talk about the evolution of security
metrics. Or lack thereof. My own personal experience with
metrics has been frustrating. At my core, I'm a quant guy - but I also
understand that we are no closer to gaining consensus on what should be
counted. I have Shostack's new book on my night table, just waiting
until I have a few cycles to get through it. I agree with the concept,
that we need to base our decisions on data, BUT what data? And where do
we get it? And how do we normalize it, so we can compare our stuff to
other folks' stuff? And how do we get practitioners to share what they
are doing, especially given the culture of keeping security quiet? I'm
not demeaning any of the work that some of the numbers folks are
pushing forward. I think it's important, and I look forward to some
breakthroughs. But this is going to be one where I will follow, as
opposed
to lead. I suspect a lot of the folks I write for (mid-market IT and
security professionals) are in a similar boat. We all want it, but
don't have the time to get it done.
What is your security elevator pitch?
So what? -
Great post by Savvis' Lenny Zeltser here on the SANS site
about elevator pitches. He uses some guidelines from
TechCrunch to put together a few sample pitches that you could use with
the executives. One of the hallmarks of the Pragmatic
way is to get
face time with the senior team and build credibility. Once you get
there, what do you say? How do you describe your security operation?
Why should they care? How do you either help them make money or save
money? How do your current projects contribute to the overall corporate
strategy? If you are having trouble answering any of those questions,
you have a lot of work to do. Remember, security is no longer a
technical discipline, it's all about the business. And if you can't
talk about business, then you aren't going to be a very effective
security professional. Read Lenny's post and then start working on your
own elevator pitches.
The Laundry List
- Deal: Axway puts Tumbleweed out of its misery. If you take out the costs of running a public, no growth company and milk the maintenance, the deal may pay off. - AP Coverage
- Secure Computing goes hybrid. No, it's not about saving energy, it's about treating on prem, hosted and virtual products consistently. Web is the first offering. It's about time. - Secure Computing releases
- What do you know about e-discovery? If you don't have a plan, you will because the only thing more inevitable than you being hacked is you being sued. - Kabay NetworkWorld column
- Olzak likes LinkScanner, and so do I. But it should be bundled into my AV suite, which it is if you buy from AVG. The other AV folks need to get with the program. - Tom Olzak blog
- Another downside of Web 2.0. The spammers have figured out how to leverage collaborative web sites to send more spam. Goody! - SC Magazine coverage
Top Blog Postings
My management doesn't want that level of elegance
A lot of folks have great disdain for good enough. They think it's a
cop-out and that we should be able to do better. Maybe they even think
we can win. But most likely, these folks spend very little time in the
real world. If that's you (don't worry, I won't tell anyone), then you
need to read Shrdlu's blog and you need to listen. This is someone who
clearly has the technical chops and knows what needs to get done. But
at the end of the day, she understands - as well as anyone - that it's
not about what's right. It's about what threshold for pain your
management has. This quote says it all: "They just want me to keep their
names out of the papers, do the right thing by our customers, and tell
them how much they should spend to achieve that." Remember
that every decision gets back to resource allocation. Ultimately the
job of the senior team is to make sure they are allocating resources
effectively. Maybe they overhaul their campus networks or maybe they
build a new factory in South America. You may laugh, but that's the
kind of decision that these folks need to make. So don't take it
personally if you can only achieve good enough. Spend your time making
sure good enough really is good enough.
http://layer8.itsecuritygeek.com/layer8/why-alex-keeps-me-up-at-night/
5 minute penalty to Hoff: Unnecessary Sine wave
I should know better than to do blog battle with the Hoff. Inevitably a
small brained individual like me will end up flayed like one of
Hannibal Lecter's meals. But I am a glutton for punishment and I'm
also sticking to my guns. To be clear, I'm not saying (nor did I ever
say) that ALL security ends up in the network. One of my earliest
pieces of research was the Pragmatic Security Architecture,
and that made it very clear that there is a difference between
infrastructure security and application/data security. And you need
both. Even though the FOCUS of what we are worried about will follow
Hoff's sine curve - ultimately the controls that we utilize to deal
with these emerging attacks will largely be in place already and a
feature of the infrastructure, regardless of whether that is network,
servers, virtualization, applications or databases. Our control sets
and defenses will always need to be tuned, but when we have the
capabilities baked into the infrastructure, the tuning process becomes
much easier, and that's what I mean when I talk about security being
baked into the network.
http://rationalsecurity.typepad.com/blog/2008/06/security-will-n.html
iPhone 2.0: Malware extravaganza - not so fast
Yes, Apple announced the iPhone 3G yesterday. Yes, I'm going to upgrade
towards the end of July. Yes, it's a computer. But I have to
respectfully disagree with Amrit, who believes this is the first step
towards mobile malware oblivion. OK, maybe not oblivion since he
changed his perspective of malware from an "explosion" to a "slow
trickle." I still don't buy mobile devices being a high profile attack
vector. Maybe they'll do a PWN2OWN the iPhone contest at next year's
CanSecWest and prove me wrong. Let's play it out. Someone gets me to
navigate to a compromised web site on my iPhone and it has a zero day
attack on it. And they can even root my device. Huh? What does getting
root on an iPhone mean? I guess as the SDK becomes more prevalent it
may come to mean something, but I'm a big fan of worrying about things
I KNOW will kill me (and there are plenty of those), not really the
things that may kill me at some point in the future. I guess we need to
be thinking about stuff like this. And the research guys need to focus
on these things to figure out what the bad guys will be doing, but I
think most organizations can put this in the bucket of things that
aren't really an issue now, and someone (like me) will let them know
when it is. Though Amrit's advice to maintain visibility is a good idea
because when the lion does roar, you want to know where the impalas are
to protect them.
http://techbuddha.wordpress.com/2008/06/09/iphone-creates-mobile-malware-tipping-point/
I totally agree! About 18 months ago I was at Sears watching a 47-inch Sony Bravia while waiting for delivery of my new dishwasher. Later my wife and I went to the movies, and like Mike, I paid through the nose for tickets and refreshments. I couldn't help but wonder if a big screen and purchasing movies myself wasn't a better investment. Within a month I had purchased the TV, and since then a number of movies after they hit disk. It's been a great investment! I have found the experience of leaving the kid at grandma's on date night, going to dinner and then returning home for a movie and refreshments to be much more enjoyable than going to the movies, getting ripped off and trying to get a good seat. At home you can kick off your shoes, pause when it's time to use the restroom or refill the popcorn, rewind when you miss something that happens quickly etc... And, you can now buy two resale DVDs at Blockbuster for $20! That's 2 movies for the price of two tickets.
--JF
"A lot of folks have great disdain for good enough. They think it's a cop-out and that we should be able to do better. Maybe they even think we can win. But most likely, these folks spend very little time in the real world. ....."
Mike, that whole post right there is what I feel is the root of all the "tech people need business chops..." talk from the past year or two. The ability to not just look at a security problem from a tech geek position and demand perfection at all costs (the geek way!), but to instead realize some things will just have to be accepted in the whole risk management process. It won't be perfect, deal with it and move on.
I find, personally, that to be the ultimate pain a tech/sec geek has with most organizations, and one of the things to be consciously aware of. It doesn't help that the media will have a frenzy over every failure, when in fact failure is part of the equation, not just of security but of life in general...