The Daily Incite - May 29, 2008
May 29, 2008 - Volume 3, #52
Good Morning:
I've got a big problem and I'm not sure what to do about it. Basically,
my kids like crap TV. I am not one of these crazy parents that thinks
all TV is bad. I think there is a lot of value in some of the shows
they used to watch, like Dora and Blue's Clues. But help me understand
what they are learning from shows like SpongeBob and the Power Rangers?
My 7 (almost 8,
just ask her) year old knows how to use the DVR. So now I'm totally
screwed because she can read the guide, figure out what crappy show she
wants to watch and then she proceeds to record 5 of them. That's how I
became familiar with the Fairly Odd Parents. Arghhhh.
Why can't we just go back to the good old days? When Superheroes were
super heroes. When they had a message in each of their stories about
fighting evil and doing the right thing and supporting your community.
I guess somewhere buried under a ton of campy eye candy that message
kind of resonates from Power Rangers, but the villains are so wacky and
the stories so contrived that it's very hard for me to watch.
So I've become the parent that goes through the DVR list every couple
of days and cleans out the crap. I never wanted to be that guy, but if
my kids' brains are going to atrophy at the ripe old age of 7, then I'd
rather it be with a show at least I can tolerate. There it is, it's all
about me - for a change.
I guess there is a generation gap, as much as I'm trying to be a "cool
dad." I let the kids listen to Hannah Montana and the High School
Musical soundtracks. Some of the songs are kind of catchy and the
movies have decent messages. I wonder if my folks ever "understood"
the TV that I watched back in the early 70's. A friend reminded me of
the great, educational TV I used to watch. Like Hong Kong Phooey, H&R Pufnstuf and the Land of the Lost. I loved those
shows and I wasn't even stoned. They were classics I tell ya! Yes,
classic piles of crap. And then I got older and graduated to timeless
classics like the A Team. Right - more crap.
So the moral of the story is that the more things change, the more they
stay the same. You'll still have some shows that are decent
and others that are crap. And your kids will like the crap and it will
make you crazy. I guess like it made my folks crazy when I did a B.A. Baracus on my kid brother's
head.
Have a great weekend.
Photo: "spongebob effigy" originally uploaded by blurradial
Top Security News
Drawbacks or not, security will be embedded into the network
So what? -
Farnum totally unloads on this video interview of TPTI's Brian Smith,
which I think is pretty entertaining. I guess there is no Tejas love
between those folks. I guess I'm much more sanguine about the whole
discussion. I've seen this movie before and I know how it ends.
Regardless of what TPTI wants to believe. And that means more and more
security capability will end up in the network. Will everything be in
the network? Not for another two generations or so -
best case, but this ongoing migration is going to create a problem for
those folks that just do one aspect of network security. That's right,
TPTI and Sourcefire need to expand their product visions rather
dramatically because doing network security and not having a network
device is going to be problematic over time. FIRE is focusing on
management with their 3D stuff and that is certainly one direction to
go in. It's not clear what direction TPTI is going to go in, once they
are liberated. Fact is, the 3Com deal has likely killed their ability
to compete. When they are spun out, it's not clear what their balance
sheet is going to look like, and if they don't do some deals to broaden
their product family QUICK, they are dead meat. But hey, don't shed a
tear for those guys. $430 million a couple of years ago was a huge
(actually way too huge) number, so they already got their money. It's
3Com shareholders that are left holding the bag.
What does "safe" mean anyway?
So what? -
Prior to the ScanAlert/McAfee deal I was one of the (few) voices that
were very critical of these poor man's web site certifications. It is
nice to see a lot of other security folks piling on and bringing up a
lot of these issues. NetworkWorld does a decent job summarizing a
lot of the challenges of these offerings. But I want to (once
again) play a bit of a counter indicator to what the rest of the
business is thinking. There is clear value in the process of scanning
your network and applications every day. That's good stuff. You can get
a bit of an early warning of an issue and move quickly to remediate. Of
course there will be a lag between when an attack happens and when you
can test for it. It's called "zero day" sports fans. My issue remains
providing some kind of "cert" that indicates some level of safety. You
can post a little badge that says "I was scanned today." Kind of like
the little sticker that you get when you vote. But to claim
"HackerSafe" or "Vendor X Secure" is a load of crap. So I'd certainly
like to see more companies, especially small retailers using these
services. At the same time, I'd like a better clarification on the web
site badges to indicate that scanning <> security. Is it
too much to ask to have my cake and eat it too?
Your data has a staph infection
So what? -
It's funny, I was just talking to a company earlier this week about the
healthcare vertical. I don't think that's really a good market for
security. Clearly their security performance leaves a
bit to be desired. For single sign-on and identity
management, where there is a clear ROI - sure. But security, not so
much. Why? Because once you get beyond the 5 biggest managed care
providers, you have a huge number of very small institutions. These
institutions are being squeezed by insurance and big pharma and
patients that don't pay their bills. These folks don't have a lot of
money to spend on security, not until they have to. And when would they
have to? After a data breach? Not so much. HIPAA is still an empty
suit. There have been zero public executions, even after these data
breaches. There is no healthcare TJX, and a community is a captive audience. I can
see it now: Someone is in the ambulance and tells the driver to direct
them to another facility because their local hospital has crappy data
protection policies. I suspect that isn't really an option in most
cases. So there is no incentive to really fix the problem, and we
scratch our heads and gnash our teeth that it isn't fixed.
The Laundry List
- If security is so hot, why wasn't it mentioned even once in TechTarget's earnings call? Right, it's not that hot and we'll see that later this year. That's one guy's opinion anyway. - Seeking Alpha earnings call transcript
- PCI 6.6 needs both code reviews and web app firewalls? Why not flog a Barney webcast from companies that sell both. Some days I really hate marketing. - Protegrity release
- Dan Geer a VC? He joins In-Q-Tel, but we'll see in what capacity. It would be a horrible waste to have him negotiating term sheets or looking over marketing plans. - Zero Day blog
- Passlogix jumps on the on-demand SSO bandwagon as well, but will customers trust their authentication to be carried around on a thumb drive or to live in the cloud? Probably, but I don't suspect they'll spend a lot of money on it. - NetworkWorld coverage
Top Blog Postings
Blow chunks whistle blower
RSnake is pissed, since one of his constituents got canned for talking
out of school about security (or lack thereof) at TJX. Is this a
whistle blower situation? Or is this a justified public execution for
someone with loose lips? There are lots of other opinions out there, from folks like
Lonervamp, Dan Sullivan and Stuart King and the voices are all
over the map. Personally, I'm with Stuart. This isn't a real whistle
blower case because this guy didn't follow the proper chain of command.
I don't really have definitive proof about who he talked to, but a
regional manager isn't the right place. After losing 97 million
identities, I figure TJX has someone in charge of regulatory
compliance. That person is the place to complain, not a regional
manager - who is more worried about margins and same store sales. And
he posted his thoughts on a web site. A real whistle blower would go to
the Feds or to TJX's PCI assessor or someone that has some power to
poke someone in the eye and get some action going. So if you just want
to vent, then by all means vent. But do it anonymously troll-boy. If
you want to change things, then find out who has the biggest bat and
throw them a meatball.
http://ha.ckers.org/blog/20080522/tjx-whistle-blower/
Y.O.U are still the weakest link
The folks over at Neohapsis Labs start the post with: "One web page and
one email is all you need to gain access to a major
corporation’s internal network." OK, name that tune. Then
they go on to remind us of what we should be painfully aware of (as
much as we try to forget). It's the employees, stupid. They are the path
of least resistance. Whether it's a persistent VPN or a well placed
social engineering email, if an attacker can gain access to your folks
- much of the battle is already won. So what do you do? Again, nothing
really new here, but good reminders of what to focus on. User
education, external pen tests, and stronger authentication on
Internet-facing systems. Duh. But how many folks actually do that in
practice? Maybe you because you care enough to remain current on
security stuff. But most other folks aren't as enlightened.
http://labs.neohapsis.com/2008/05/22/easiest-way-into-a-company/