Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - October 30, 2007

By Mike Rothman
Created 2007-10-30 06:52
Today's Daily Incite

October 30, 2007 - Volume 2, #148

Good Morning:
I had better keep working on my karma because I don't want to spend any time in purgatory when I'm done here. Purgatory scares the hell out of me (no pun intended). You see I have a package of books in Customs purgatory North of the Border (which is Canada for you non-US folks) and it's not a pleasant place to be. Especially when you are trying to take a few days off for family time.

Now I'm not one to give props easily. In fact, I hate most things. Attaboys from me should be put into a little card sleeve and stored to sell at a baseball card convention in about 15 years. It could be as valuable as a Clemens rookie card. Or at least a friggin' Hazelnut Latte (non-fat, of course). But after dealing with FedEx on this little customs issue, the US Postal Service seems like the second coming.

You see, I ship a bunch of books to international locations. The Internet truly provides unbelievable global reach. I dutifully fill out the packing slips and print out the international mailing label, which I generate from the USPS web site. I attach the mailing label to the package, drop it off at the post office and go on my merry way. I figured dealing with FedEx was similar. Not so much. I found out I needed to specifically name FedEx as my "broker" to clear customs. That means I need to fill out a form. Of course, the FedEx folks didn't tell me about that form when I dropped off the package. Evidently I'm supposed to just "know" that.

OK, no big deal. I get the form faxed to me and it seems I need a "Canadian Business Number." What is that and how do I get it? It seems no one knows. So I go around and around with FedEx and a host of Canadian agencies until finally I'm directed to the right group that can issue my business number. Of course, only after I fax them a bunch of stuff, including proof of my company's incorporation. Thankfully, I keep everything accessible on either my MacBook or my PC (which is accessible remotely). So I run down to Kinkos, print out the papers and fax the forms.

I do have to say the folks that issued my business number were great. We played phone tag a bit, but they kept trying and we finally got it done - within 4 business hours of my request. Unfortunately my experience with Customs was closer to burning hell fire than anything else. It seems that faxing the proper forms to customs TWICE wasn't enough. When I called this morning to see what the hell was going on with my package, they said they couldn't find the fax. Let's just say I was less than ecstatic, but I kept my cool because bureaucrats and $10/hr call center reps don't take to spit and venom very well.

I did get a call maybe 2 hours later saying they found my fax and now they are just waiting for Customs to approve the form, so then the package could be cleared and my package can finally be delivered.

And to think, I paid about triple the price to get the two day FedEx service last Tuesday to absolutely positively get the package there by last Friday. I could have used the trusty old USPS, gotten the package there today and not had to figure out where the random fax machines were during family time. Thankfully the Boss and the rest of my family are very understanding as I spent time on the phone and peeled off to find Kinkos in the middle of the night.

Argggh. Hopefully the package will get out of purgatory today and get back on its journey. Have a great day.


Top Security News

Trend Micro acquiring Provilla [9] and this deal makes a lot of sense. Provilla was pretty small, but had a bunch of OEM partners (including BigFix and Reconnex) that needed a desktop agent for DLP. Though I do think that Trend is still missing some of the true "endpoint" policy management capabilities (like enforcing an endpoint connection policy, etc.) that will be required as endpoint security becomes truly integrated over the next 18 months. That's right, one agent on the desktop to do everything security that you need. Interestingly enough, the DLP market has segmented into desktop stuff (like Provilla and Onigma/McAfee) and gateway/enterprise. The gateway/enterprise folks claim to have robust endpoint agents, but at the end of the day - it's more about integration with the stuff that's already on the desktop. Who the hell wants yet another agent on the desktop to manage? So seeing a Vontu or Vericept integrate with McAfee or Trend's desktop agent would be a good thing for customers. But since everyone still thinks they can "lead" this market - it probably won't happen, but it should. Finally, there aren't a lot of companies left that focus on the desktop side of DLP, if any. That means some other endpoint security vendors are going to be left out in the cold and need to build it themselves, which doesn't help time to market.

a new set of initiatives (called PABT - Payment Application Best Practices) that indicate how card holder data should be handled by the payment applications [10]. This will have a serious impact on all of the payment software vendors and all of the small merchants who utilize these shopping carts because they don't have the resources to do it themselves. Like me. If the systems cannot store card numbers AT ALL, then how do you do a recurring payment subscription service? Does that kill my one-click capability at Amazon or any other online merchant where I keep a credit card on file (which is about two)? Obviously there are things that need to be clarified relative to PABT and in general, I think defining how the data can/must be handled is a good thing. But Visa needs to be careful that they don't end up legislating the destruction of markets.

As Mich Kabay details in his NetworkWorld column - DON'T LIE [11]. Basically, you need to come clean as early as you can. Get HR involved. Get Legal involved. Make sure the liability of your organization is limited and controlled. Figure out when and if law enforcement needs to be involved. By the way, all of this needs to be documented and structured AHEAD of the breach. For those of you who haven't read the Pragmatic CSO yet, I have an entire step about incident response and damage containment. This piece provides some of the main ideas, but none of the detail. Hint, hint.

The Laundry List

  1. Shareholder activists targeting Websense. Yes, everything is a feature and web filtering is too, so Websense should be finding a bigger, more established partner. Activist shareholders have a way of making that happen. - Seeking Alpha coverage [12]
  2. SHOCKER! Tumbleweed misses Wall Street estimates (again). Light revenue and a slipping competitive position don't bode well. The good news for TMWD shareholders is that it can only go to zero. - Tumbleweed earnings release [13]
  3. More earnings weakness from Secure Computing. The release tries to paint a nice picture of a "record" quarter, but both revenues and earnings were below expectations and Q4 guidance was also light. Wall Street isn't fooled; the stock is down over 10% in after-hours trading. - Secure Computing earnings release [14]
  4. Yet another on the "miss" parade. VASCO is light on both the top and bottom lines, relative to expectations. Was trading at 40, now it's at 25. Got to love those haircuts. - VASCO earnings release [15]
  5. Finally, a smaller public security company that made their numbers. SonicWALL hits the numbers and Q4 guidance. - SonicWALL earnings release [16]

Top Blog Postings

http://blogs.zdnet.com/security/?p=618 [17]

http://jeremiahgrossman.blogspot.com/2007/10/why-crawling-matters.html [18]

http://www.cigital.com/justiceleague/2007/10/26/the-risk-of-too-much-risk-management/ [19]


Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-october-30-2007