The Daily Incite - March 13, 2008 - SourceBoston Day 1

Submitted by Mike Rothman on Thu, 2008-03-13 09:08.
Today's Daily Incite

March 13, 2008 - Volume 3, #26

Good Morning:
The rise and fall of Eliot Spitzer will make a great case study at some point. Now it's just a sad statement of hypocrisy, power mongering, and the awesome power of karma - which cuts both ways. Spitzer seems to have pissed off everyone he's ever met. Even the folks that voted for him did so not because they thought he was a compelling individual, but because he'd take no crap and get things done.

They say you find out who your friends are when you hit hard times. The former Governor has certainly found out - the hard way.

Ultimately this is a story of arrogance. You wonder how a guy with almost everything going for him could engage in this kind of behavior - illicit meetings with high end hookers, and the answer is he didn't think he'd get caught. Crap, he spent a career chasing laundered money, so he knows how to hide it. He spent a career tapping phones and getting incontrovertible evidence against someone, and then ramming the blade hilt deep to extract whatever concessions he wanted.

Payback is a bitch. To Spitzer's credit, he didn't dispute the issue. He fessed up, stepped down, and will now retreat into history - with his trust fund (estimated in the hundreds of millions). You do feel bad for his wife and kids. I'm sure the kids at school and the tennis club have been very understanding...

Ultimately this is a great learning experience for us all. No one is above the law. No one is that smart. Maybe for a few years, but not forever. I'm going to make the assumption that you (yes, you Mr/Ms Reader) wouldn't engage in this kind of stuff. But at some point you may be asked to clean up after it. We're security professionals. We clean up the mess.

It gets back to business continuity. There are self-destructive people in every business. You must make sure the business survives. Do you have contingency plans if the CEO is taken on a perp walk? What about any other key exec or rainmaker? That's really the lesson to learn. You can't stop someone from self-destructing. Even if you could intervene, it would only be a matter of time before the demons return. But you CAN and MUST make sure that you and your organization can move on.

No one is indispensable. Everyone must be able to be replaced. Even the Governor of New York. It does bring up a question that's been nagging at me. Everyone knows about the NY/Boston rivalry. What are the Beantown guys going to do to top this? My depraved mind has some ideas, but I'll leave them unsaid. For once.

Below you'll find some snippets from two of the more interesting sessions at Source Boston yesterday. Tomorrow I'll cover the sessions I hit today, including Dan Geer's keynote. I'll resume the normal TDI format next week, but there have been some interesting sessions and it makes sense to cover those. Have a great weekend.




@SourceBoston

Clarke's keynote - Having your cake and eating it too...
So what? - Beltway bandit Richard Clarke started off the Source Boston show with a 30 minute keynote. His entire theme is that the US is finally awakening to the imminent cyber-threat because of two events that happened last year: Estonia being brought to its knees by a distributed denial of service attack, and the clear penetration of the Pentagon's E-Ring by the Chinese. These events were a catalyst for what will be an unprecedented amount of spending by the US Government to address cyber-crime.

Candidly, I left this keynote irate. First because I really like Chinese food and now the Patriot in me says I shouldn't support anything Chinese. Yes, I'm joking. But much more disturbing were Clarke's suggestions on how to address the problem. He first spoke of the dramatic abuses of privacy perpetrated by the current US administration. Then, on the other hand, his specific recommendations were for the Government to mandate that the ISPs do more active filtering to "protect" the citizens (basically allowing citizens to go only where the Government thinks we should go, wherever it deems safe), and also for the Government to mandate some level of software security practices.

I think we can safely say that mandates don't work. And I don't trust the ISPs to do anything right. I said that Tuesday. And it takes a rare Washingtonian talent to talk so smoothly out of both sides of his mouth. He wants to enforce personal privacy, but then figures more regulation is the only way to deal with the new wave of cyber-war. I'm not sure I have an answer, but I think more regulation sounds like a bad one. But that's just me.


Jaquith on AV futures (or the lack thereof) - Customers can't handle the truth
So what? - Andy Jaquith gave his talk on the demise of the AV business. Actually the title "Not Dead Yet: But Twitching..." is overly provocative. Andy's point is to get back to his thinking on how a more effective data gathering effort to pinpoint emerging attacks would help keep up with the severe acceleration of new malware samples. His indictment seemed to be more of the marketing side of AV, with a few great examples of the AV vendors claiming to stop "all viruses" and other ridiculous claims.

Andy wants a level of truth from the AV vendors and for them to stop setting the expectation that a desktop suite will make all the problems go away. He is right and wrong. His idea of using a "herd mentality" to share information from the clients to the cloud more effectively is fine. The anti-spam vendors have been doing that for years, with a feedback loop that is measured in seconds - not minutes. And it works. Not 100%, but nothing works 100%. He is wrong about the messaging, and believe me, a lot of AV marketing is objectionable. But the truth is that customers DON'T WANT TO KNOW. That's right, they don't want to know how dangerous it is. They want to be comfortably numb and depend on the yellow or red or green or blue box.
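To make the "herd" loop concrete, here is a worked example I've added to these notes. It is not code from Jaquith's talk or from any AV or anti-spam vendor, and the hosts, timestamps, sample bytes and thresholds in it are all constructed for illustration. Endpoints report the SHA-256 of a binary they cannot classify locally; the cloud side counts how many distinct hosts have seen it and how fast, and hands back a verdict that every later reporter gets immediately, which is exactly the seconds-scale feedback loop the anti-spam folks run.

```python
"""Minimal "herd" reputation loop: endpoints report hashes they cannot
classify, the cloud aggregates prevalence across hosts and returns a
verdict that every later reporter gets at once.

Added example; all hosts, timestamps, thresholds and sample bytes are
constructed for illustration and are not any vendor's tuning.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Observation:
    host: str                        # id of the reporting endpoint
    ts: float                        # epoch seconds when the sample was seen
    sandbox_malicious: bool = False  # set if a detonation of the sample flagged it


@dataclass
class ReputationService:
    # Assumed thresholds (not from any real product):
    outbreak_hosts: int = 5            # distinct hosts seeing a new file ...
    outbreak_window: float = 300.0     # ... within this many seconds -> quarantine
    trusted_hosts: int = 50            # seen broadly ...
    trusted_age: float = 7 * 86400.0   # ... for at least a week, never flagged -> allow
    observations: dict = field(default_factory=lambda: defaultdict(list))
    verdicts: dict = field(default_factory=dict)

    def report(self, sha256: str, obs: Observation) -> str:
        """Record one endpoint's sighting and return the verdict as of that sighting."""
        self.observations[sha256].append(obs)
        return self._evaluate(sha256, obs.ts)

    def lookup(self, sha256: str, now: float) -> str:
        """Answer a client that only wants the current verdict, without a new report."""
        return self._evaluate(sha256, now)

    def _evaluate(self, sha256: str, now: float) -> str:
        obs = self.observations.get(sha256, [])
        if not obs:
            return "unknown"
        # A sandbox hit is sticky: once any host detonated it, everyone blocks.
        if self.verdicts.get(sha256) == "block" or any(o.sandbox_malicious for o in obs):
            verdict = "block"
        else:
            hosts = {o.host for o in obs}
            recent = {o.host for o in obs if 0 <= now - o.ts <= self.outbreak_window}
            age = now - min(o.ts for o in obs)
            if len(recent) >= self.outbreak_hosts:
                verdict = "quarantine"  # new file fanning out fast: hold it pending analysis
            elif len(hosts) >= self.trusted_hosts and age >= self.trusted_age:
                verdict = "allow"       # old, widespread, never flagged
            else:
                verdict = "unknown"
        self.verdicts[sha256] = verdict
        return verdict


def sha256_of(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def outbreak_demo() -> tuple:
    """Five hosts see an unknown binary inside two minutes, then one sandbox flags it."""
    svc = ReputationService()
    h = sha256_of(b"constructed dropper payload")
    verdicts = [svc.report(h, Observation(f"host{i}", 1000.0 + 30 * i)) for i in range(5)]
    svc.report(h, Observation("host5", 1200.0, sandbox_malicious=True))
    return verdicts, svc.lookup(h, 1201.0)


def trusted_demo() -> str:
    """Fifty hosts see the same binary spread over eight days with no sandbox hit."""
    svc = ReputationService()
    h = sha256_of(b"constructed widely deployed tool")
    for i in range(50):
        svc.report(h, Observation(f"host{i}", i * (8 * 86400.0 / 49)))
    return svc.lookup(h, 8 * 86400.0)


if __name__ == "__main__":
    print(outbreak_demo())  # (['unknown', 'unknown', 'unknown', 'unknown', 'quarantine'], 'block')
    print(trusted_demo())   # allow
```

The point of the example is the feedback timing: the fifth host to see the file gets "quarantine" the instant it reports, and the moment one sandbox flags it every subsequent lookup gets "block", with no signature push in between. A real service would need to authenticate reporters and rate-limit them, since an attacker who can spoof fifty hosts could launder a malicious file into "allow" or quarantine a legitimate one.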

In that way, an analogy that makes sense to me is the TOBACCO INDUSTRY. For a long time, the tobacco companies didn't tell the truth. Most customers knew they were lying, that cigarettes were addictive and caused cancer, but they let it slide. Then the truth came out and the tobacco companies fessed up, but the customers didn't want to hear it, and so they didn't listen. If AV vendors all of a sudden acknowledged that their solutions are not comprehensive and that, in fact, they may not work at all against some new classes of attack, then customers would tune it out. You can't push on a string. Customers can't handle the truth.