The Daily Incite - May 22, 2008
May 22, 2008 - Volume 3, #50
Good Morning:
If we click our heels a few times, maybe we can get to Camelot.
Unfortunately it seems that Camelot is on fire and mostly burned to the
ground. I was sad when I heard about Senator Ted Kennedy's brain tumor.
Similar to Alan, I've always had a fascination with the Kennedys and what kind of deal
old man Kennedy must have cut with the Devil to have bestowed such
angst on his family. As opposed to Alan, I spend zero time thinking
about how different the world would be if Bobby didn't get shot, or if
Teddy didn't drive off that bridge. That's pointless because I think
the global predicament we are in has much more to do with human nature,
than with bad luck or an assassin's bullet.
But I do feel bad because one of the last political icons from my youth will be gone
sooner rather than later. Whether it's one year or two years or
whatever, Teddy can now see the light at the end of his tunnel. I
wonder what he'll do in the time he has left? Will he keep fighting the
fight in DC? Will he sail a lot and withdraw from the public eye? What
would you do? I ask myself that question sometimes, but I can't
calibrate a good answer because it's more of an intellectual exercise
at this point. When you are in the middle of it, I doubt there is much
intellectual at all.
I'd like to think I'd handle it like Randy Pausch. For those of you not
familiar with the inspiration that is the CMU Professor that has
terminal pancreatic cancer, you should learn about this guy. He did a
famous pitch at CMU called "The Last Lecture." Millions have watched it
on YouTube. I suggest you take an hour out of your day and watch it too.
You'll laugh, you'll cry, but most of all you'll be inspired. How this
guy is dealing with his own imminent demise is amazing. He's fighting,
but he also knows that is futile. Most of all, he is enjoying every day
he has. He's spending it with the people that matter to him. He's
teaching a new generation (not just his family) life skills, much like
he taught countless students computer science skills.
I also bought his book, which expands a bit on the Last Lecture video
and codifies his thoughts
a bit more cogently. Most of this stuff is common sense, but it's
very hard to practice in day to day life. It's very easy to get
frustrated with stupid things. Like the fact that I need to hound Leah
to get her socks on in the morning to get her ready for the bus. Or
that I have to badger the twins to pick up their toys after they are
done with them. Every time.
None of that stuff is important. I'm sure I'll still do it because old
habits are hard to break and I guess it would be great if I could get
the kids to keep the house somewhat tidy. But it's not worth getting
bent out of shape about. It's really not.
I've been trying to change my attitude a bit along these lines and it's
made a difference. Recently I found I wasn't having fun working
on a fairly significant project for a client. So I walked away. It was
probably stupid and arrogant to leave money on the table when I'm a
one-man band, but I wasn't having fun. And if anything, I see what Randy
Pausch is dealing with and what Sen. Kennedy is now dealing with and I
realize that I should be having fun. Every day. Every single day.
Ask yourself whether you are having fun. Do it now! Are you? Be honest.
Ask that same question every day for a month. If you find that most
days you aren't having fun, then make a change. None of us has time to
waste. Seriously. Change is hard and it's scary. But getting a death
sentence and feeling like you've squandered a lot of time doing stuff
you hate should be a lot scarier. It was for me.
Have a great weekend.
Photo: "Camelot Fire" originally uploaded by roemerman
Technorati: Information Security, CSO, Security Mike, Internet Security
Top Security News
Security not annoying? What's the world coming to?
So what? -
Over on the WSJ blog they do a quick take on how the Big Yellow is trying to evolve security to
be - dare I say it - less annoying. Wow. I wasn't even sure
that anyone in Big Security realized there was anything wrong with the
existing model. Truth be told, although the goal of "zero-impact"
security is a laudable one - it's not practical. The approach of
looking at deployment of software as one of the factors to determine if
it's malware is suspect. PrevX has used a similar model and that's
been panned in comparative reviews. Yet, I can't beat them down too much
because at least this kind of interview shows a dissatisfaction with the
status quo that is comforting. But we've heard Big Yellow words before
with little ability to actually innovate and execute. I'm not holding
my breath, let's just say that.
Yep, wireless is swiss cheese...
So what? -
Interesting article here on NetworkWorld about a wireless security lab
run at Lockheed. These folks spend most of their time trying
to figure out the holes in wireless and what can be done to protect not
just the battlefield (where Lockheed makes most of their coin), but
also at home and in other places. The verdict? We're screwed.
Ubiquitous wireless connectivity exponentially increases the attack
surface that needs to be protected. We also need to understand that as
the distinction between corporate networks and home networks blurs with
VPNs and WiFi access, it becomes all the more important to try to
restrict how and where sensitive data travels. Per usual, I'll tell you
to start asking more questions. Why is that private data on the laptop?
Should that fat client application be rearchitected to work in a remote
(or virtualized desktop) type of architecture to centralize (and
therefore more effectively protect) the private data? Strangely enough
we've seen this movie before and the return to the terminal host model
does bring some data security advantages that shouldn't be minimized.
Of course, the definition of the "host" is much different than it was
back in the 70s, but that's another story for another day.
Failing Information Security Means Absolutely (Nothing)
So what? -
Hat tip over to Dave at LiquidMatrix for pointing me towards the most recent FISMA grades, as
reported by Brian Krebs. There is good news and bad news. The good news
is that now the government gives themselves a grade of "C," which is up
from C- last year. Outstanding performance. I'm sure some bureaucrat is
enjoying a big steak on Capitol Hill for that. 8 agencies scored an A.
9 agencies failed, including the Department of Defense and the Nuclear
Regulatory Commission. Great, since neither of those agencies house
sensitive data. But ultimately, as Bejtlich points out frequently,
these scores mean nothing. It gives Congress some fodder for witch
hunts after the summer break, but what is the true impact? Are these
guys going to lose funding? Will heads roll? Will anything change? Does
it even matter? Is the DoD any more likely to get nailed than one of
the agencies that got an "A?" I think not because your number can come
up at any time, regardless of what FISMA says.
The Laundry List
- Panda jumps on the malware defense as a service bandwagon, but I'm perplexed. How is this different than any other AV service? Updates come from the cloud. So what? - NetworkWorld coverage
- More green is making me see red. Now IronPort says they support "green" initiatives. This is just another way to say my box is bigger than yours (so you need fewer and thus burn less energy). It's a load of crap. - IronPort/Cisco release
- Three letter acronyms aren't enough. Let's turn it to 11. Andrew Hay posits a new term for this new virtual thing - virtualized network security management (vNSM). My new term is vBB. Virtualized Barf Bag. - Andrew Hay's blog
- No recession in forensics and eDiscovery. Guidance's Q1 is pretty strong. It's interesting how services and training are growth engines as the industry realizes they still have no idea how to do forensics. - Guidance earnings call transcript
Top Blog Postings
The best defense is a good offense
Sometimes I wish I had an interest in history. When Bejtlich mentions
cool (or seemingly cool) shows like True Caribbean Pirates, that would
seem to be fun to watch. Yet, it can't compete with American Idol, now
can it? But the message definitely resonates. Remember, there
is very little that is truly new, so let's look back to see how other
folks have dealt with some of the similar challenges to what we face
today. It's good to see that bringing the might of the military to find
and hang pirates did work back in the day. Unfortunately now, public
hangings are few and far between and with it being a global world -
enforcing the rules our specific countries have on the books takes a
bit of cooperation from other countries. Yet, I do see a bit of schizo
from our Tao-ist. He ranted recently about how ridiculous the USAF's plan to build a
proactive cyber-strike force was, but then says the police
and military must "strike back" against threats. Hmmm. Do we have to
just react or do we proactively turn some cyber-deserts into glass? I'm
not sure I know the answer because it's an ethically murky area. Though
I do believe in the deterrent effect. It will stop 80% of the sane
folks from doing bad things. You'll never stop the other 20% because
they are so desperate (or just don't care) that the risk of being
annihilated is not much of a risk. Maybe it's time for Air
Coryell to make a comeback.
http://taosecurity.blogspot.com/2008/05/offense-kills-pirates.html
Check out the double feature at the SDL theater
Grumpy Pete asks the question that a lot of us are thinking. Is
Microsoft's SDL working? I guess that all depends on how you define
work. Microsoft's numbers say vulnerabilities are down. Other numbers
say they haven't changed. Though it's hard for me to admit it, I think
Pete is right in questioning the value. But this is only scratching the
surface of the real question, which is why should we even bother?
Seriously. Microsoft spends big coin on the SDL and has it really
helped? What about all those other folks that spend a boatload on
application security scanners, testing services, security tools and the
like? Are they just dumping money into a hole? Does any of this even
matter? My inner Buddhist says nothing really matters, but ultimately
this is as much about security theater as it is about anything else.
Isn't it? If Microsoft kept taking haymakers from the bad guys without
any response, what would that say to their customers and to their
employees? The skeptic says this is as much about branding as it is
about fixing things. So the question shouldn't be how to definitively
prove whether an SDL is working or not, but rather whether CUSTOMERS
think it's working. Now that would be an interesting survey. Do
customers think Vista is more secure? And not customers like you or
me, who have opinions. But run of the mill folks that don't practice
security. What do they say? Do they care? Is the theater working?
http://srmsblog.burtongroup.com/2008/05/is-microsofts-s.html
The impact of the BETA mindset
Ryan Barnett on the ModSecurity blog expands on the web application
security topic a bit more by trying to get a feel for how we should be
keeping score on the security of applications. Ryan uses some great
football analogies to make the point that ultimately a lot of the stuff
we are doing to secure our applications is really just practice. Even a
blank slate pen test is only a pre-season game in his parlance. And the
important point is that we are not testing on the real McCoy (or at
least a good approximation of the production environment) nearly
enough. That's a significant distinction and important point. Then he
paints a picture of blue skies and apple pies relative to code reviews,
vuln scans and pen tests and a WAF. Of course in perfect world we want
to do all this stuff on a production-like environment and share the
results and make our apps more field tested before we let them loose on
the world. But there's a little issue with that. It's called "BETA."
That's right, most applications are let loose on the world today with
the BETA moniker and that gets the company off the hook relative to
almost anything bad that can happen. It's only BETA, so they take no
responsibility. We've got to evolve our application security practices
to factor in this BETA mindset because it's not going away.
http://blog.modsecurity.org/2008/05/whats-the-score.html