August 21, 2008 - Volume 3, #71
Good Morning:
Now that the Olympics are winding down, in the US the presidential
election is heading into full swing. With about 10 weeks before the
election, soon enough it's going to be all election - all the time. It
starts next week with the Democratic National Convention and then the
Republicans get their turn. On one hand I'm excited because it's a
historic election and we clearly need some change. On the other hand,
I'm sickened by the negative ads surfacing even before the conventions.
They've let out the attack dogs, and once they are on the loose - you
can't pull them back in.

Seth Godin has a great post here about why negativity sells in politics [1]. It's
within the context of the "stories" each candidate manufactures about
the other, but he's annoyed by it as well. I can tell you, this is
going to be a nasty election. There is a lot at stake, and even if you
have something good to say - that isn't interesting. Not to the media
anyway.
I don't want to totally blame the media, but they have a lot to do with
why most folks in the world are cynical, pessimistic, and downright
grumpy. All we see on TV are sensationalistic images of everyone else's
pain. Maybe 20% of the news is sort of positive and "feel good"
stories. And it usually is the last 5 minutes of the broadcast, after
the Lotto numbers.
In the US, it seems we've become a have-not society. We think a lot
more about what we DON'T have, rather than what we DO have. People make
more money than ever before, yet we are less happy. The stress is
enough to break most people on most days. So why would our politics be
any different? Our politicians sell us on what the other guy DOESN'T
have, not on what the candidate does have.
It's all disgusting. But it's not going to change because negativity
sells. That's right, being positive is a crappy marketing strategy.
It's sad, but true. Obama did try this different message in the
primaries and it was new and novel and different. And then the
negativity broke him down. It had to. He would have lost if he didn't
strike back.
And now the presidential election will be more of the same. I'm going
to try to tune out most of the crap. But it will be in the news, on the
TV, all over the Internet. Maybe I'll just hibernate until
mid-November. Clearly that's not an option, but it sure would be nice.
It's hard to try to stay positive, when everything around you
is negative.
I guess it is what it is. In hindsight, 2004 was the historic
election. That was when the entire US was "swift boated." And it's hard
to see how that is going to change in the foreseeable future. That's
the thing about the US. We do stuff and don't really think about the
long term impact and cost. I guess that's the American Way.
Have a great weekend. I'll need to spend the next 45 minutes doing
positive affirmations.
Photo: "Can I please walk my dogs in peace?" originally uploaded by hand-nor-glove [2]
Top Security News
the PCI grand poobahs are starting to talk
about what's new and different [11]. Not a lot, but they are
moving to address some of the weaknesses in 1.1 that resulted in
breaches and/or confused the hell out of us. Things like wireless
security. Evidently they figure 802.1x is a good thing. Not clear if
that will be mandated, but perhaps "recommended." This is great for
everyone that sells networking and security services. Why? Because
802.1x is hard to do and most companies don't have the technical chops
to do it right. And we all know what happens when you configure things
incorrectly. There is also some more clarification about anti-virus,
evidently it needs to run on all operating systems. I'm sure the folks
that sell Linux AV are tickled pink by that prospect. Of course, those
nasty Linux worms are definitely creating a problem out there. Like
signatures are going to stop a root-kit. It just seems to me that PCI
is becoming like the TSA. Every time a new attack vector shows up, there
is a new rule to stop it. A lot of it seems like security theater. Or
even better, kind of like the signature AV business. At what point does
PCI become so long (since it needs to have a new rule or clarification
for every attack ever attempted), that it can't keep up? For the time
being, PCI has been a good thing. I hope it stays that way.
in NetworkWorld about how the CIA truly
trusts no one [13], not even the insiders. The watchers are
constantly watching the watchers and there are definitely lessons that
we can take out of this. The first is about the fact that a background
check on employees is a point in time. Kind of like an audit. But
tomorrow something can change and that could impact the insider. So
maybe doing ongoing investigations on people that have access to truly
sensitive data is a good thing. The CIA also audits everything and
looks for anomalies. REACT FASTER baby. That's what it's all about.
They know they can't possibly protect every flank of the tens of
thousands that work there. But they can make sure everyone knows they
are going to be monitored and that "they'll" be watching. Is it a
deterrent for everyone? Of course not. But it works for most. And when
people's lives are at stake, every little bit of help is a good thing.
up in arms because once again Consumer
Reports has issued another anti-virus test [15]. It uses the old
software. Wah. It's not a fair testing methodology. Wah Wah. They spend
the entire front part of the article trying to scare everyone. Wah wah
wah. Larry is right that it's hard to explain security to lay people.
Me? I'm less concerned about right or wrong or how this is going to
affect the Big Yellow's market share. I'm happy that at least SOMEONE
is talking about security. No review is perfect. Every review can be
gamed. But the worst thing in our space is to not talk about it. If no
one is talking about it to the consumers, then they are certainly not
doing anything about it. And the fact is, there is very little
difference between any of the top tier offerings. That box is green.
One is yellow, the other is red. Big deal. They all work good enough.
But not talking about it is much worse. Personally, I don't know why
anyone pays for this stuff with all the free options out there, but
that's just me.
The Laundry List
- Thanks to the Emergent Chaos guys for pointing out the classic XKCD voting machine AV comic. Anytime you can use condom and voting machine in the same sentence, it's cool by me. - Emergent Chaos blog [17]
- Who has time for that? TippingPoint announces a new portal with real time threat info. I'm sure it's great eye candy, but how many administrators can just sit and look at the portal to figure out which new policies need to be deployed to their boxes? Anyone, anyone. Bueller, Bueller. - TippingPoint release [18]
Top Blog Postings
http://taosecurity.blogspot.com/2008/08/getting-job-done.html [19]
https://forums.symantec.com/syment/blog/article?message.uid=343671 [21]
http://www.veracode.com/blog/2008/08/mbta-hack-is-it-really-this-easy/ [23]