The Daily Incite - May 6, 2008
May 6, 2008 - Volume 3, #43
Good Morning:
I was wrong. It's not the first time it's happened, and I'm pretty sure it won't be the last. I figured the Microsoft/Yahoo! deal was a slam dunk [link]. Intuitively it made sense. The premium was 62% and that was before the start of negotiations. Both Microsoft and Yahoo! have been sucking Google's exhaust for years. Neither had been executing well enough to gain market share. The market is rapidly maturing and that means the big companies need to get bigger to survive.
I could go on for days, but I'd still be wrong. My fatal flaw (once again) is to look at the situation from a logical standpoint. There were lots of reasons for the deal to go through. What logical CEO would walk away from that kind of premium, knowing how fun it is to get your teeth kicked in by Google every day? I know Microsoft is the universal enemy of these companies, but why not just box up the whole thing and make it Redmond's problem? Who knew that Yahoo! would become a blowfish once in Microsoft's clutches?
I usually get the analysis right, but I also tend to forget about the human part of the equation. In this case, it's the sin of EGO. That's right, ego killed this deal. I think buyer's remorse had a bit to do with it as well (which made it easier for MSFT to walk away), but ultimately Jerry Yang's arrogance killed this deal. They walked away because they couldn't squeeze another 10% out of the deal. Unbelievable. It will be years before Yahoo!'s stock sees $33 again. Maybe it never will. So now the Yahoo!s will get to deal with mopping up 3 months of diversion, a couple of emboldened competitors, and a couple hundred class action lawsuits.
The old adage, "be careful what you wish for," seems very appropriate now. Yahoo! is again independent, carving its own trail. Yang and his executive team made some big promises to make the case for independence. Now they'll need to deliver, notwithstanding that this is a team that has executed poorly for years. I doubt it will be any different moving forward. Personally, I used to be on Yahoo! pretty much all day. Now, if I'm there once a day, that's a lot. I'm on Google all day now. And I'm not alone.
Good luck to the Yahoo!s. They are going to need it, especially when Google's search results drive 2x the cash flow of Yahoo!'s internal systems. They may as well just burn the place to the ground. It would save us all a lot of time.
Have a great day.
PS: My "shut down day" experiment went swimmingly. I didn't touch the computer all day and my cell phone was off for an entire 24 hours. You know what happened? Life went on. I was with the Boss all day, so she had her phone in case of emergency, but the trains ran on time. The kids got up and went to sleep (with no help from us), we got to where we needed to be and even ate a few meals. Basically it was a good reminder that I can (and should) unplug more often.
Photo: "Microsoft is taking over Yahoo!" originally uploaded by gnal
Technorati: Information Security, CSO, Security Mike, Internet Security
Top Security News
A good bot is still a bot.
So what? - This SearchSecurity story brings up a pretty interesting ethical quandary. If you had the ability to neutralize compromised machines and eliminate the Trojan that is controlling them, should you? At first glance, the answer is probably no. Sony got hammered a few years ago when it came to light that they were using stealth rootkit technology to drive their DRM function. If the good guys use the same techniques as the bad guys, how do you know the difference? What if you dig a bit deeper and use a healthcare analogy? If your kids had a dormant virus that at some point would awaken and turn them into criminals, and you had a way to eliminate the virus without them ever knowing they'd been infected, would you? That seems like a no-brainer, right? Of course, in the court of public opinion it's not a no-brainer. A few vociferous individuals could create an uprising against tactics like these, even if they are good for you. And then, as opposed to focusing on doing the right thing, the company creating the vaccine is defending itself. No wonder it's usually just a lot easier to let folks blow each other up.
Should PAM stand alone?
So what? - NetworkWorld published a review of a couple of privileged account management (PAM) tools last week. These tools basically protect the account information and passwords for root and administrator accounts. Why is that an issue? Basically it's about separation of duties and accountability, mostly from a compliance standpoint. Administrators typically just use root to make whatever system-level changes are required. They share the root password amongst themselves and go about their business. But what if a machine is compromised? And it turns out it was because of a change that was made by the root account? How do you know who to investigate? How can you prove compliance, and that you are protecting user data, when you can't say which administrator made what changes? Right, you can't. So for big companies, these kinds of tools can make sense. But why isn't this a function of the server and system management hierarchies that are already in place? Right. It will be, it's just a question of when.
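As an added example (not from the article or from any of the reviewed products), the accountability gap described above shows up directly in ordinary auth-log lines: sudo and su entries name the administrator who invoked them, while a direct login to the shared root account names nobody. The log lines below are constructed, and the regexes are assumptions about a typical Linux syslog layout.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample auth-log lines (not taken from the article); syslog-style
# records as written by sudo, sshd and su on a typical Linux host.
SAMPLE_LOG = """\
May  6 08:12:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/service httpd restart
May  6 08:15:22 web01 sshd[2201]: Accepted password for root from 10.0.0.5 port 51022 ssh2
May  6 08:16:03 web01 su: (to root) bob on pts/1
May  6 08:20:44 web01 sudo:    carol : TTY=pts/2 ; PWD=/etc ; USER=root ; COMMAND=/bin/vi /etc/sudoers
"""

# Assumed log layouts; adjust to the host's actual syslog format.
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
SSH_ROOT_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for root from (?P<src>\S+)")
SU_RE = re.compile(r"su: \(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)")

@dataclass
class RootEvent:
    time: str
    kind: str    # "sudo", "su" or "direct-root"
    actor: str   # named administrator, or "UNKNOWN" when the shared account was used
    detail: str

def attribute_root_activity(log_text: str) -> list[RootEvent]:
    """Tie each root-level event to a named administrator wherever the log allows it."""
    events: list[RootEvent] = []
    for line in log_text.splitlines():
        ts = line[:15]  # syslog timestamp, e.g. "May  6 08:12:01"
        if m := SUDO_RE.search(line):
            events.append(RootEvent(ts, "sudo", m["user"], m["cmd"]))
        elif m := SU_RE.search(line):
            # su records who became root, but not the commands that follow
            events.append(RootEvent(ts, "su", m["user"], f"became {m['target']} on {m['tty']}"))
        elif m := SSH_ROOT_RE.search(line):
            # a direct root login is the shared-password case: nobody to attribute to
            events.append(RootEvent(ts, "direct-root", "UNKNOWN", f"login from {m['src']}"))
    return events

def unattributed(events: list[RootEvent]) -> list[RootEvent]:
    """Root activity that cannot be tied to an individual administrator."""
    return [e for e in events if e.actor == "UNKNOWN"]

if __name__ == "__main__":
    evs = attribute_root_activity(SAMPLE_LOG)
    for e in evs:
        print(f"{e.time} {e.kind:12} {e.actor:8} {e.detail}")
    print(f"{len(unattributed(evs))} root event(s) cannot be tied to an administrator")
```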
Everyone wants it... but no one wants to pay.
So what? - I love these little profiles of Internet luminaries that have made their money and now play. I remember Dan Lynch from the Interop days when I was just a lowly networking analyst at META Group. Networld+Interop was the networking world's RSA and it was a great show. Things were still new and shiny. Dan made some investments, I guess he made some money, and now he teaches. That's fantastic. Evidently he is still investing in some start-ups, but it seems his investment strategy is a lot less cogent than his analysis of the security market. He says: "Security isn't easy to monetize. Everyone wants it but no one is willing to pay much for it. And even if you have a security solution, getting it adopted usually means a serious change to something someone's doing." I don't think any of us argue that case. But if I were an independent investor, and I knew Dan's statement to be true, do you think I'd be investing money in the latest, shiniest security widget? Especially when I could maybe find some other things that could be more easily monetized. Ah, another quandary of the security industry. Ultimately a few start-ups will make money, but most won't. And I understand that, so even if I could invest in security start-ups (I can't), I wouldn't.
The Laundry List
- Webroot is the "first" to offer web filtering in the cloud to SMBs? Really? I suspect MessageLabs, ScanSafe, WebSense's BlackSpider and a bunch of others would differ. Could a beat reporter do a little bit of homework (and maybe not take a vendor claim at face value) before he writes something asinine, please? - NetworkWorld coverage
- But it's an excuse to poke at Microsoft? The spat about Microsoft's COFEE incident response toolkit is much ado about nothing. I guess you need to let the Captain Privacys out there run wild every so often. They don't get out much. - John Sawyer's Dark Reading blog
- Didn't hear much interesting out of Interop, but at least Barney makes an appearance. Blue Coat gets Vericept to join their partner program. Wonder if I could pick 35 PURPLE at the roulette table? - Blue Coat release
- If you are interested in CSRF attacks (and you should be), check out Jeremiah's slide deck on the topic. - Slideshare presentation
Top Blog Postings
Mirror mirror on the wall...
How many of you out there spend more time bitching than doing something? Be honest. Do you go home and kick your dog because your executives don't really care about security or what you do? It wouldn't be surprising and you certainly wouldn't be alone. It's time to take a look in the mirror. Yes, it will probably tell you that the VP of the Data Center is the fairest one of all. He/she does have the halo of virtualization over their head right now. In this post, Micki Krause talks about a self-assessment product by Billi Lee that can provide some insight for you. Amazingly enough, she even has a "12-step" program, or at least 12 questions to distill where your head is at. Personally, I never really found it useful to fill out a form to tell me what I already know. If you are grumpy, acknowledge it. If you feel marginalized in your environment, you need to accept that fact. Then you have some decisions to make. Is this the right line of work for you? Is it still your passion? Has the game beaten you down so that you now dread making the commute to work? You already know the answer(s), but fear may be clouding your objectivity. I get it, I've been it. Now I'm past it. And it's a good place. Now go do 10 hours of meditation. Your boss probably won't even miss you and maybe you'll get some clarity.
http://www.bloginfosec.com/2008/04/08/are-you-a-savvy-ciso-learn-how-to-assess-yourself/
Is Defense in Depth overrated?
Friggin' Matasano Thomas. He wakes up to write every couple of weeks and hurts my head. Fact is, I've gotten away from a lot of the knee-deep technology and it's been many years since I wrote code. So when he writes a provocative piece questioning the validity of defense in depth as a legitimate application architecture, I need to shake out a bunch of cobwebs and really think. It's much easier not to think, so that annoys me from the get-go. The first distinction I'd make is that Thomas (and his other big-brained Matasano fellows) is talking about application architecture. I'm still a fan of full-system defense in depth (you know, some layers on the network, some in the data center, some within the database and more within the application). Though you could probably make a lot of the same arguments, given that if you can compromise the application then you will likely get a free pass through a lot of the other layers. The Matasanos basically dismantle a lot of the old, tried and true security architecture ideas, like attrition, delay, deterrence, and predictability. The answer seems to be one single "well-defined" defense. Is that kind of like the "1" that Curly talks about in City Slickers? This single defense should work, but what if it doesn't? Or something changes. So it worked yesterday, but it's not going to work tomorrow. Kind of makes me want to pack it in. But I can't do that, since my mirror (see above) says I need to keep fighting. Maybe I spend less on trying to stop attacks and more on figuring out when I'm being successfully attacked and containing the damage. Hmmm... Maybe there is a way to not just react faster, but to react BETTER.
http://www.matasano.com/log/1044/defense-in-depth-reconsidered-is-information-security-anything-like-war/
The Mogull hits the doo-doo list
I always know a good piece of analysis because I get pissed that I didn't think of it. Per usual, the Mogull takes a minute to expand my own pea brain with what should be the 2nd corollary of the REACT FASTER doctrine. You need to react not just FASTER, but BETTER. Argh. So simple, so elegant, and so correct. I wonder how many hours of meditation it took Rich to spit out that insight. Probably not too many, and that's why he's on the doo-doo list. Of course Rich uses an emergency medicine metaphor to discuss his point, but don't lose the applicability to security. Rich says it a lot better than I could: "Don't just react: have a response plan with specific steps you don't jump over until they're complete. Take the most critical thing first, fix it, move to the next, and so on until you're done. Evaluation, prioritize, contain, fix, and clean."
Of course, a lot of what Rich is talking about is laid out in Step 8 of the Pragmatic CSO (Contain the Damage), and amazingly enough it works. But only if you do the work AHEAD OF TIME. The wrong time to find out your incident response plan is crap is when you are in the middle of an incident.
http://securosis.com/2008/05/02/react-faster-and-better-with-the-a-b-cs/
In the infantry, there is a saying: "A hastily-developed plan executed with violence of action will always beat a well-thought-out plan executed poorly."
In other words, sometimes quick IS right. That's why we have simple battle drills so that when somebody starts shooting at you, you react quickly and correctly: drop, return fire, call out direction and distance to the bad guys, and seek better cover.