Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - July 23, 2007

By Mike Rothman
Created 2007-07-23 10:46
Today's Daily Incite

July 23, 2007 - Volume 2, #107

Good Morning:
I've got mixed feelings about religion. Yes, I'm a believer - but I neither expect nor care whether anyone else is. Unfortunately not everyone shares my laissez-faire attitude. The sad truth is that religion is behind almost every major war and lots of other catastrophes. It is something to behold (and not for good reasons) that a belief system would get folks to go to war with others that don't believe. But what do I know? I'm just a hack with a keyboard.

I bring this up because I need to confess. Not being a Catholic, what I know about the ritual of confession is largely from movies, TV, and a scant few conversations with friends. The dark room, the baring of your soul to an unseen minion. It all seems pretty cloak and dagger to me. But the idea of acknowledging your sins and asking for forgiveness is very powerful. And I need to own up to the fact that I've taken this "vacation" thing a bit too far. I let go of the healthy eating and exercise plan for the past two weeks and I've been less productive than I need to be.

It was great to be away for a week and then, with my road trip last week, I was out of sync. I like to think I thrive in an unstructured environment, but maybe not so much. Today is a new day, and after getting on the scale this AM, the damage was pretty contained. My work deliverables aren't exactly "late," but I'll crank those out over the next day or two. But I need to get back on the wagon. I'll get back into my routine, just in time to head out to Black Hat next week and have things thrown into a tizzy by travel and all sorts of other hijinks.

So what does this have to do with anything? Sometimes you get out of sync. Sometimes your routines are thrown to the wind. Fix it and move on. There's no use in beating yourself up about it. What's done is done; as long as your transgressions don't involve jail time and you make proper amends, it's all good. That's my plan. On that note, I have a routine to get back into.

Have a great day.


Top Security News

AP story on security researchers [5] makes some points that I just can't get on board with. Since when do you pay your mortgage with "appreciation"? That and $4 will get you a cup of coffee. Security research is a business like anything else. Some companies will pay for bugs to get a perceived jump on the competition. From where I sit, there is nothing wrong with that. It's not clear whether end customers will receive any value. If so, then a market will emerge. If not, then it won't. But these folks certainly have a right to try. And I'm not sure what school of economics Schneier graduated from, but his quote in this story is dumb. Good and bad guys driving the price up? Actually, competition drives prices down.
Link to this [5]

Network Computing on Fratto's experience setting up a NAC test bed [6]. I think testing in a pseudo-production environment is a critical part of the procurement process. But getting the test bed right is pretty hard, and getting it to even roughly approximate a real-world scenario is tough. That being said, it's important because you never know how something is going to perform until you try it. I know this is a shocker, but sometimes vendor sales folks stretch the capabilities of their product. Maybe it's in the "next" release or whatever - but since your credibility is on the line if you give the green light to a product, you need to make sure it does what it's supposed to.
Link to this [6]

HP is buying data center management software provider Opsware for $1.6B [7] in cash. Nice outcome, and it clearly shows that HP is being very aggressive on the software side of the house. Now Opsware wasn't really a "security" player, but they do large-scale configuration and operations management. Security is one of those functions, and when dealing with an increasingly virtualized data center, the ability to abstract security is really table stakes. This is another data point toward security being a feature of larger IT operations. I also think this has a negative effect on the exit strategies of the other configuration management players (BigFix, Configuresoft, etc.) in that HP was a logical acquirer for specialized technology in this space. It's like when Cisco bought Airespace and said security was built in - that took Cisco out of the market for a stand-alone wireless IPS company. And two years later, the wireless IPS players are still standing alone. The same thing is likely to happen to the configuration management players.
Link to this [7]

The Laundry List

  1. Another deal - Aruba buys Network Chemistry's wireless security business. Speaking of wireless IPS, Aruba gets its piece - likely for a song and a dance. There is little standalone value to wireless security. - Network Chemistry release [8]
  2. Yup, it's the marketing. Steve Gold is chagrined that SYMC chased the buzzword with their new anti-bot offering. And that's a surprise? - Security Watch blog [9]
  3. Another for the too little, too late files. AOL introduces "Internet Security Central," which is basically a get-McAfee-for-free web site. You just need an AOL email address (and those are free, sports fans). Who said AV wasn't a total commodity? - AOL release [10]

Top Blog Postings

http://andyitguy.blogspot.com/2007/07/out-of-control-network.html [11]
Link to this [11]

here [12] and here [13]) is going to jump all over me, but if you are an end user, the answer is a resounding no. In fact, I think all of these gyrations about open source vs. closed source vs. free as in beer are a waste of time. To me it's pretty simple: you either are paying for something or you aren't. If you aren't, then you can't expect support, and you can't make money off of it if you are a vendor. Parasite vendors that don't license the right to use the open source technology in their stuff are scumbags, and they should be outed as cheats and scoundrels. Any other licensing discussions equate to the Full Employment Act for Lawyers of 2003. That's why most lawyers are a pain in the ass. They split hairs and focus on words instead of getting things done. There are exceptions to the rule, but I have a low opinion of most lawyers, if you couldn't tell. And furthermore, Snort is Sourcefire's code; they can and should do whatever they want with it. You don't like it? Go buy/use something else.
http://securitysauce.blogspot.com/2007/07/what-up-with-snort-licensing.html [14]
Link to this [14]

http://ravichar.blogharbor.com/blog/_archives/2007/7/8/3079153.html [15]
Link to this [15]


Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-july-23-2007