August 19, 2008 - Volume 3, #70
Good Morning:
It's really amazing how a little change in perspective can totally
change your outlook. I'm wired as a cynical pessimist. That means I
tend to look for the downside in everything, and even when it's mostly
upside - I'm still looking for the downside. No wonder I do security,
eh? But it does make for a pretty bumpy ride because you are never
really "happy." Or only happy for short bursts of time before your
internal wiring reminds you that things can (and probably will) go
wrong and you need to be prepared for that.

Obviously this is a tough way to go through the day. It's amazing that
you can put two people - one optimist and one pessimist - through
exactly the same situation and see how different their perspectives
will be. So I'm working on trying to change this about myself.
Of course, it's almost impossible to change the way you are wired.
Since a lobotomy isn't high on my list of things to do, I figure I need
to make the best of my psyche and employ some little tricks to smile
more and appreciate the great stuff that happens every day.
I call the technique "little things." In that I'm looking for the
little things that are funny and give me an opportunity to remember how
lucky I am. For example, I had a bunch of little things when I took the
boy to the Falcons game on Saturday night. But the best was when we
were on the train home and I asked him what his favorite part of the
game was. I figured it would be the two exciting long runs from Michael
Turner. Or a good tackle or a completed pass. But I forgot I'm dealing
with an almost 5 year old here. His response was "I had a bunch of
treats." Of course, cookies and Dippin' Dots are exactly what would
appeal to him. That made me smile. That was a little thing.
Or when I went to the Boston/Styx show on Sunday. Two of my favorite
bands growing up, it was great to see the old favorites live. And to
see how much they (especially Styx) still enjoyed playing the songs
they've probably played 10,000 times over the years. You wouldn't know
it by seeing their performance. It was like things were brand new.
That's a little thing too.
Or even yesterday when the barista at Starbucks made a mistake in my
favor and I ended up with the venti (that I ordered), but got charged
for a grande (the medium size). Again, I think I saved maybe a buck.
But the folks behind the counter and I had a good laugh about it. And
that was a little thing. Sure it's nothing major, but these little
events help take my focus away from the fact that it won't be too long
before I start looking over my shoulder again and assessing the risk of
sitting at the far corner table facing the door (which I usually pick
so I can see everyone that walks in and out).
I know I can't turn off those aspects of the way I think. But I
certainly can try my best to look at things a bit more positively. Have
a great day. And pick maybe three "little things" to
appreciate today. It'll totally change your outlook - for the better.
PS: I ranted a bit yesterday about password resets [0], and mentioned
Shimmy and My Little Pwnie in the same post. :-) But my email broadcast
system was temperamental, so I couldn't send it out to folks that get
the TDI via email. Sorry about that.
Photo: "Airplane 02 nano" originally uploaded by watdoenwijmetnl [1]
Top Security News
He did a masterful interview of the FBI's
head cyber dude on his blog [10] and it's fascinating, and I'm not
sure in a good way. They go through all the typical geek cred stuff
(like the FBI guy favors Linux and builds his own video cards), but
when it gets to security - that's when it gets interesting. Sure the
guy still banks online (as do I) and most folks out there have no idea
how to protect themselves, which I agree with. He also makes the point
that security will be a differentiator for some institutions (especially
banks), which I'm a bit skeptical of - but I understand the theory,
which assumes that people care. It's when Brian asks him about how the
FBI is evolving that our favorite special cyber agent becomes very testy.
He even calls Brian "unpatriotic" for even asking the question about how
the FBI is trying to catch bad guys. It's that one statement that
really undermines all the positive PR work the FBI has been trying to
do. It seems our cyber security chief forgets that there are only so
many ways to catch a thief. And it's important for us common folks to
gather the right data to actually maybe assist the FBI in their
investigations. But it's all very secret and hush hush, so we can't talk
about that kind of stuff. We wouldn't want to give the bad guys any
tips. Like they don't know how to do a forensic scan of a device. It
hearkens back to the days of Hoover's file cabinet. Clearly they
shouldn't be talking
about specific investigations, but to not talk about techniques? They
think perceived mystique is a selling point. I think it seems a bit too
close to the Wizard of Oz. Don't look behind the curtain, y'all.
InformationWeek reports did a hands-on test
drive of Microsoft's NAP [12] (this is a PDF file) and it's kind
of interesting to see how Microsoft's under the radar (for the last
year anyway) approach to proliferate NAP in most places will likely
work. If you recall, MSFT got caught up in all the hype back in 2006
and was really selling the "future" of NAP. Of course, it was mostly
vapor and APIs. But then they stopped talking about it. And with Server
2008 on the street, now they can start doing it. The reviewers tested a
bunch of different enforcement methods (DHCP, IPSec, VPN, Terminal
Services and 802.1x) and the product seems to work (if you can believe
a review, anyway). There are some gotchas (like turning on the NAP
client service on the devices), but nothing that is more than a minor
pain. To me the crux of the decision isn't about to NAP or not to NAP.
It's about how to leverage NAP to solve the real problems, be it
guest/contractor access or even specific access control. And it will be
interesting to see how the NAC vendor community looks to take a page
out of the MSFT play book and "embrace and extend" NAP, so their
products add value when NAP is there. For the NAC industry - their
window is still open to add value for heterogeneous markets and ease of
configuration/use. But those aren't long term value propositions.
That's why I keep maintaining that NAC functionality will become a
feature of the network. We'll see in 5 years if I was right.
NetworkWorld article details, not much has
changed [14]. The same old attack methods are still working well,
and the defenses aren't. We don't like to draw attention to the fact
that we aren't getting the job done, so we sweep the issue under the
rug and hope it goes away. It's not and if anything, the bad guys are
making rootkits harder to find and eradicate. So what to do? Continue
blocking, tackling and monitoring? Again, you may not be able to figure
out if/when a device gets nailed, but you can figure out it's doing
something funky. Then you investigate and remediate it, if need be.
The Laundry List
- CHKP announces a better virtual VPN-1 SPLAT. Is that the sound it makes when the cat is thrown off the 30 story building in Second Life? Hoff seems to think this is a big improvement [16] in terms of high availability. I'll take his word for it. - CHKP release [17]
- Security at Cisco is growing up? That's good, maybe one of these days they'll get out of diapers and won't have to keep cleaning up turds on the floor. Though this interview does provide a good perspective on how yummy eating your own dog food can be. - NetworkWorld interview [18]
- CoreTrace stops all the bad stuff during the Race to Zero at DEFCON. It seems there may be something to this white listing stuff. But we can't forget how strong the signature based inertia is in the security business. - CoreTrace release [19]
- Deal: Symantec buys PC Tools. Looks like there will be more crap in the Big Yellow retail box before long. - Symantec release [20]
Top Blog Postings
Adam's answer [21] is to stop sending
links to users and to train them to actually type in an address that
you know is legit and then bookmark it. It's an interesting idea, but
it's not really practical. Because these businesses are all about
making it easier for the customer to find their site and do business
with them. They'll deal with the shrinkage and fraud because that
represents a lot less financial impact in the aggregate than providing
a more difficult user experience. And these companies are willing to
shell out for the VeriSign SSL cert tax. And that seems to be the way
it is.
http://www.emergentchaos.com/archives/2008/08/certifiably_silly.html [22]
http://siblog.mcafee.com/?p=278 [24]
http://1raindrop.typepad.com/1_raindrop/2008/08/mainframe-mindset.html [26]