The Daily Incite - June 26, 2007

Submitted by Mike Rothman on Tue, 2007-06-26 09:00.

June 26, 2007 - Volume 2, #98

Good Morning:
Thank you very much (in my best Elvis voice). It's great to be back here at the Incite Cafe. After a loooooooooooong weekend, it's time to return to some normalcy. The Boss was at a family event this weekend, so she was gone from Friday afternoon and didn't return until the wee hours of the morning last night. So it was a Mr. Mom long weekend, and it was a lot of fun. But I can't say I was overly productive on the work front, which is fine by me.

Evidently drugging the kids before they go to bed is a good idea, since they slept in on both Saturday and Sunday. Lots of activities and a trip to the pool kept us busy all weekend. And getting the 3 of them ready for camp yesterday was a lot of fun (I don't envy my wife for doing that pretty much every day). Another highlight was trying to do a call with some clients yesterday afternoon, with the twins parked in front of Dora. That is, until a driving rainstorm knocked out power, so no more Dora. The good news is they didn't miss a beat and my UPS worked.

I also entered the world of virtuality. No, I didn't spend all weekend, with the Boss away, building a fiefdom in Second Life. It's hard enough for me to stay on top of my First Life, so the idea of adding a second one is just not interesting. I went virtual on my MacBook, and it's very niiiiiiice (in my best Borat brogue). I did agonize a bit between Parallels and VMware Fusion, but ended up going with VMware. It's still a bit raw (it only corrupted one virtual machine - causing me to start over - thus far) and the best feature (Unity) isn't available for Vista yet. But I'll be patient, and I figure VMware will get it right. And it's half the price until the GA release hits in August. I like that!

Basically I only need it for email and GoToMyPC, whose Universal Viewer on the Mac is pretty weak. Yes, I know there are lots of ways to interact with Exchange from the Mac, but they all pretty much suck. Until Mac Office 2008 ships (which should be soon), Outlook is still far and away the best way to interact with Exchange. So that was the main driver for me to go virtual, since it will cost me less to do that than to move my email to Zimbra.

I'm running Vista in the VM and I can confirm (or deny) that User Account Control does interfere with things. But not that much. The arrows shot by Apple are a non-factor (though great marketing) because I get almost as many requests for authentication from Mac OS X. My biggest issue is that UAC doesn't ask for a password. Maybe because I'm logged in as Administrator (Hmm. Maybe I shouldn't be doing that?) it assumes I'm trusted. That's a bad assumption IMO.

It was also weird to have to start worrying about AV again, but that's the Windows world we live in. I'm also using NAT (as opposed to connecting the VM directly to the Internet), so I can leverage the mobile VPN running in Mac space and the Mac firewall. So far, so good. Having Windows available to me while traveling may come in handy some day. Stranger things have happened.

Have a great day.



Top Security News

Do as I say, not as I do - Fed style
So what? - I tend not to be the most patient or empathetic of folks out there, but I can feel some of the pain that US Federal CSOs and other technology folks are feeling. There was a pile-on towards the end of last week because of a number of different, but related data points. First, an unclassified mail system was busted up at the Pentagon, as covered by the AFP. Then the blowhards in Congress gave the Homeland Security CIO a beatdown on just how insecure that agency is. It turns out DHS got shredded during an internal pen test. As always there are lessons to be learned here, including the complexity of trying to secure an environment comprised of over 20 different fiefdoms, with little central control, even less collaboration, suspect funding and little accountability. Is it any wonder it took 2 years to fill the cyber-czar position? The Feds have problems on the scale that no other organization on earth has to deal with. So if you don't work there, thank the heavens that you don't. If you do? Hemlock is one option. Or continuing to fight the good fight because there really isn't any other option. And just know a few years in that purgatory will position you for a good private sector job soon enough.

Unexpected gifts from that Night in Paris
So what? - First it's Harry Potter, now it's the Paris video. All of these sacred works of art being the latest technique for the hackers to compromise personal information. The Harry Potter hack seems to be yet another wily social engineering scheme. Though I can't wait for my book to show up in late July and I'll be disappearing for a few days. I don't want to take the risk of a spoiler ruining it for me. The Paris job is a little bit worse because it goes to show how a stupid commerce web site can absolutely kill you. Those jackasses have little to no security on their website. So change a URL and get access to the subscriber database. I guess I don't feel too bad for the folks that were compromised, since they probably aren't the sharpest tools in the shed. $20 for a 30-day subscription?!?!? Evidently they don't realize there is lots of free stuff available. Or so I've heard.

Reputation hits the network
So what? - Cisco finally closed the IronPort deal yesterday and with it took the opportunity to relaunch their Self-Defending Network story. Personally, I think the closest we'll ever get to a self-defending network is watching the Terminator or maybe Battlestar Galactica, where the machines gain consciousness. Interestingly enough, and counter to some of my public statements, Cisco plans to add reputation to their routers and switches. Hmmm. I still don't get it, despite NetworkWorld's attempts to explain it. I understand how reputation can certainly make content security more effective, but network security? I'm still not getting how reputation does much on a UTM device or even a switch. But Cisco has now taken that potential differentiator off the table from everyone else with a reputation system. Not sure if you noticed but this whole SDN 3.0 thing is about both infrastructure and information/data security, as Cisco pokes its head into the content layer. Having lived through the early email security wars, I can tell you network security and content security are TOTALLY different animals. We'll see if Cisco figures that out. On a related topic, IronPort resellers are worried about margins, and they should be. Margins will go down, but resistance is futile.

The Laundry List

  1. Mirror mirror on the wall, who is the most secure of all? Vista? You have to be kidding me, but the answer really doesn't matter because they are all distinctly insecure in the hands of the common user - eWeek article
  2. Speaking of eWeek, private equity takes out ZD's Enterprise Group. Good luck with that. Publishing is a hard business. - ZD Release
  3. Your firewall sucks, so buy a new one. OK, Palo Alto isn't saying that, but they really are. The question is whether users understand that UTM isn't a new kind of firewall. - NetworkWorld coverage
  4. Why buy it once, when you can buy it twice for twice the price? eIQ and Mazu combine SIEM and NBA, which is a good idea, but they seemed to miss the part where customers said they want INTEGRATED solutions. - Mazu release

Top Blog Postings

If he told you, he'd have to kill you
It's not surprising that lots of folks are asking Jeremiah when his company is going to be next on the acquisition hit list. And no, he won't tell you because he can't. But he also shouldn't. You never build a company trying to sell it from the get-go. Solve customer problems, do it well, and everything else works itself out. And oh yeah, as Andreessen says, pick a good market. That is the #1 reason for company success or failure. The good news for Jeremiah and the other handful of players focusing on application security is that it's a fantastic market. It's early, but it's big. Jeremiah's point of the post is to rationalize (at least from his perspective) the reasoning for the SPI and Watchfire deals. I've covered that already and I largely agree with JG's viewpoints. I also believe that web application security is a real segment and I'm surprised there isn't more start-up activity.
http://jeremiahgrossman.blogspot.com/2007/06/web-application-security-market-is-hot.html

Clausewitz was a wise MoFo
You definitely can learn a new thing every day. I had no idea who Clausewitz was, but MCW does and uses some of his Prussian military teachings to discuss security. This is good stuff and very apropos. I'm a big fan of thinking different, given that most attackers are unsophisticated and expect you to act in a certain way. If you don't, you cease to be the path of least resistance and the vast majority of bad guys will move on. You need layers, since a single point of failure will make for a bad day. Finally you need to do an incident post-mortem. It's OK if you screw up, but don't make the same mistake twice. Not sure the Clausewitz guy is Sun Tzu, but I think we can learn a lot from military strategy. Too bad most of the folks that write history are so dry that my eyes start to bleed.
http://mcwresearch.com/archives/496

Colleges no longer the low hanging fruit?
I don't quite believe it, but Cutaway is on the ground in this space every day. The job of protecting a secondary education environment in the US is maybe the hardest security job out there. The customers (I mean students) don't like to be told what to do. They haven't learned that they don't know it all, and the research mindset in academia is about openness. None of which make this space conducive to a tight security posture. But starting at the data and working out is exactly the right way to tackle the problem. They can't build a moat, so they need to ensure the treasure troves are adequately protected. I hope some folks get on board with this and actually execute, since I'm a bit tired of hearing about yet another college data breach.
http://www.cutawaysecurity.com/blog/archives/156
