Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - October 9, 2007

By Mike Rothman
Created 2007-10-09 08:44
Today's Daily Incite

October 9, 2007 - Volume 2, #140

Good Morning:
Ah, to be rested and refreshed and ready to jump back into the fray. OK, well, refreshed anyway. Having a few days to think has gotten me good and fired up and ready to rant. So here goes. Check out Thursday's [1] and Friday's [2] editions of Non Sequitur. My Dad turned me onto this comic a few years ago and I get it via RSS, so it couldn't be easier. There is some decent commentary most days, but it just doesn't resonate as often as Dilbert.

Given where the state of the security industry is, and how it seems that most of the business is more about marketing now than actually solving customer problems, these two comics had me in stitches. The idea of just issuing a press release with "some geek-speak mixed in to make it sound sciency" is really relevant to a lot of the crap that makes its way into my inbox every day. Even better, when the friend (Jeffrey) asks "when does ethics ever come into the picture?" and our hero (Danae) responds, "when the client's check doesn't clear," it makes me remember back to my days in the coal mine of security marketing.

Friday's version has Danae and her Dad discussing ethics. He protests for a minute, but when he realizes that the "client" has covered the mortgage for an entire year, he pretty much shuts his trap. Man, that hurts, because it will hit close to home for a lot of folks reading this newsletter. It seems the security business isn't the only one where the truth has gotten lost in a web of acquisitions, potential IPOs, competitive deals, and ego. Companies routinely bend reality to fit into a nice press release, which may result in the perception of leadership and in some unsuspecting big company coming shopping for your warez. So the game goes on and on. Vendors announce and sell months ahead of their capabilities and typically have moved on to the next deal before what goes around comes around.

And a lot of folks have become fantastically wealthy playing this game time and time again.

I was on that path, but I seem to have missed the fantastically wealthy part. I said things that were not necessarily LIES, but not necessarily the truth either. I positioned, I spun, I did what I had to do to compete. What I didn't do was really focus on solving the customer problem. There wasn't any time for that. It was too hard when I spent as much time fending off internal salvos ("why don't we have billboards in the airport like the other guys?", "just say our box is really fast") as I did trying to keep up with the competition.

After a while, it stopped being fun. So, thankfully, I was given an opportunity to get off the train. Now I find myself basically making fun of the game and calling it a living: calling folks out for what I think are disingenuous and ill-advised statements that don't help customers solve their problems. Many of you seem to get value out of my rantings, and I couldn't be happier. It would be refreshing for some "good guys" that have built companies ethically and truthfully, without a lot of the marketing hype and false pretenses, to get a good outcome.

That truly would be Bizarro world.

My ranting doesn't mean that I don't like folks that do security marketing. Many are very close friends and they seem to love what they do. If you understand the game and can operate according to your own ethical compass, then it's all good. I couldn't, so I don't. But I do owe a debt of gratitude to all of the folks that slog away trying to differentiate me-too products in boring market spaces. You keep me very busy and allow me to do what I love to do. Sometimes I feel bad having fun at your expense, but not that bad.

Have a great day.



Top Security News

McAfee has acquired SafeBoot for a cool $350 big in cash [11]. That's millions to you accountants out there. On what should be between $55 and $60 million in revenue this year, it's a good multiple. Less than CHKP paid for Pointsec, but not too shabby. The funny thing is that McAfee owned PGP a few years ago and spun them out because it wasn't core to the business. And what business was that anyway? I think this is a pretty good deal for McAfee. A lot better fit than CHKP/Pointsec. It's all about maintaining desktop agent real estate and continuing to add more features to make it painful for customers to switch. Clearly laptop encryption is a critical piece of desktop defense and should be wrapped into the endpoint suite. The deal gives McAfee a bunch of bundling options and provides yet another capability to be managed by ePO. It also means that SYMC has to do something sooner rather than later on this front. Maybe they should buy PGP, which would just be hilarious. Maybe PGP would have better luck as part of the Big Yellow.

With eBay and PayPal deciding to send all of their outbound mail signed with Yahoo's DomainKeys technology [12], users will now be able to tell whether messages are actually from eBay. Presumably, anyway. But this isn't a no-brainer, because users will need to be conditioned to actually look for the little key in their mailer. And Yahoo! Mail isn't the only service out there, so you still need to get everyone on board (especially Microsoft, for use with Outlook Express and Vista Mail). Finally, even if users are used to looking for the key, it's just a matter of time before the fraudsters figure out how to work around the signature. Everyone thought having an SPF record to validate a sender was going to be the silver bullet. WRONG! It turns out the bad guys can publish SPF records as well. And bad guys will be able to sign mail via DomainKeys too. It'll just cost them more money, which is good. Although this is a great development, it doesn't signal the beginning of the end of spam, not by a long shot.
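The point above is that a valid DomainKeys/DKIM signature only proves which domain signed the message, not that the domain is the one the user expects; anyone can sign mail for a domain they control, just as anyone can publish an SPF record. The added example below (not code from the newsletter, eBay, PayPal or Yahoo) shows the policy step that has to follow cryptographic verification: pull the `d=` signing domain out of the signature header, compare it with the From: domain, and only treat the message as authenticated when the signing domain is both aligned and on a local list of expected senders. It assumes the signature itself has already been verified (the real verifier would fetch the selector's DNS TXT record and check the hash; no DNS or crypto is performed here), and the message samples, the `EXPECTED_SENDERS` list and the `promo-mailer.example` third-party domain are constructed for illustration.

```python
"""Decide what a verified DomainKeys/DKIM signature actually proves about a
message: which domain signed it, and whether that is the domain the user
expects.  Added example; no DNS lookup or signature verification is done."""
import email
import email.utils
from email import policy

# Assumption: a local allow-list of domains whose mail we expect to be signed.
EXPECTED_SENDERS = {"ebay.com", "paypal.com"}
# Both the original Yahoo DomainKeys header and the DKIM header carry a d= tag.
SIGNATURE_HEADERS = ("DKIM-Signature", "DomainKey-Signature")


def parse_tags(header_value):
    """Turn 'v=1; a=rsa-sha256; d=ebay.com; s=sel; b=...' into a dict of tags.
    Splitting on the first '=' keeps base64 padding in b= intact."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def signing_domains(msg):
    """Return the set of d= domains from every signature header present."""
    domains = set()
    for name in SIGNATURE_HEADERS:
        for value in msg.get_all(name, []):
            domain = parse_tags(str(value)).get("d")
            if domain:
                domains.add(domain.lower())
    return domains


def from_domain(msg):
    """Domain part of the visible From: address, which is what a user sees."""
    _, addr = email.utils.parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def classify(raw_message, expected=EXPECTED_SENDERS):
    """Classify a message whose signature (if any) is assumed to have verified.
    Returns one of: unsigned, aligned-expected, aligned-unknown, misaligned."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = from_domain(msg)
    signers = signing_domains(msg)
    if not signers:
        return "unsigned"
    if sender in signers and sender in expected:
        return "aligned-expected"  # signed by the From: domain, and one we trust
    if sender in signers:
        return "aligned-unknown"   # a real signature, but not from a domain we care about
    return "misaligned"            # signed by someone other than the From: domain


# Constructed sample messages (the bh= and b= values are placeholders).
SIGNED_BY_EBAY = """From: eBay <noreply@ebay.com>
To: user@example.net
Subject: Your item sold
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ebay.com; s=s1024; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER=

Body.
"""

SIGNED_BY_THIRD_PARTY = """From: Deals <news@promo-mailer.example>
To: user@example.net
Subject: Great deals
DomainKey-Signature: a=rsa-sha1; q=dns; d=promo-mailer.example; s=mail; b=PLACEHOLDER=

Body.
"""

UNSIGNED = """From: eBay <noreply@ebay.com>
To: user@example.net
Subject: Please verify your account

Body.
"""

MISALIGNED = """From: eBay <noreply@ebay.com>
To: user@example.net
Subject: Please verify your account
DKIM-Signature: v=1; a=rsa-sha256; d=promo-mailer.example; s=mail; h=from; bh=PLACEHOLDER; b=PLACEHOLDER=

Body.
"""

if __name__ == "__main__":
    for label, raw in (("ebay", SIGNED_BY_EBAY), ("third-party", SIGNED_BY_THIRD_PARTY),
                       ("unsigned", UNSIGNED), ("misaligned", MISALIGNED)):
        print(f"{label:12s} -> {classify(raw)}")
```

Only `aligned-expected` is worth showing the user a key icon for; `aligned-unknown` is the case the column warns about, a perfectly valid signature that says nothing about whether the mail is from eBay, and `misaligned` or `unsigned` mail claiming an expected sender is what a filter should treat as suspect.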

It's time to force some good behavior by severely punishing the bad behavior that results in security breaches [13]. Maybe it's time not only for the CISO to be the fall guy (or gal) when something goes south, but also to put the head of the CIO on a stick at the same time. Parade both of their corpses around the lobby to make sure everyone gets the picture. How about that for a pièce de résistance? I actually think Bob is on the right track here. We started to get activity on cleaning up financial reporting shenanigans once we had a few perp walks and high-profile CEO trials. Maybe we shouldn't stop at the CIO; why not take the CEO out as well? Ultimately, how an organization cares for customer data is the CEO's responsibility. So he/she should be accountable for that as well. But as long as there seems to be a never-ending stream of CISOs to be the fall guy, I doubt it will happen.

The Laundry List

  1. Kerberos back from the dead also. MIT forms the Kerberos Consortium, for those too young to die but too old to actually be relevant. And no, Kerberos is not going to be "as ubiquitous as TCP/IP." - ESJ Newswire [14]
  2. The Top 10 reasons web sites get hacked, which is a misnomer. The article is about OWASP's new Top 10 list, which is pretty much the same as the old Top 10 list. - NetworkWorld coverage [15]
  3. Blue Coat gets with the reputation program. They just call it "real-time protection." - Blue Coat release [16]
  4. Just what we need, another "improved" anti-virus test. Yet another test to be gamed, but really more of a way to break ICSA's hegemony on testing AV products. - InfoWorld coverage [17]

Top Blog Postings

http://www.nevis-blog.com/2007/10/is-your-nac-gla.html [18]

http://mycsosolutions.net/2007/10/04/loose-lips-sinks-ships/ [19]

http://blog.tenablesecurity.com/2007/09/why-arent-any-n.html [20]


Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-october-9-2007