December 18, 2007 - Volume 2, #164
Good Morning:
I talk frequently about how I treasure the innocence of kids. They
haven't come face to face with what is (in some cases anyway) a cold
hard world, and they actually believe in whatever is the flavor of the
day. With the holidays, the Boss and I always have to be careful,
especially when discussing good old Santa. This is a pretty confusing
time of the year for my kids. How do you explain to a 4 year old (and
even my 7 year old is not clear on how all this stuff works) that Santa
doesn't come to our house, even though they got tons of stuff for
Hanukkah? Their memories are pretty short. They are hammered with
images of Xmas and it's confusing.
Personally, I'd just as
soon tell the kids the truth about Santa. But after many discussions
with the Boss, we've decided to smile and play along and make up some
nonsense that pacifies the kids for a couple of minutes anyway. Why?
Because it wouldn't be fair to all their 4 year old friends that
actually believe. I'd feel pretty bad if it was our kids that
delivered the cold hard truth that it's the parents, friends and other
family that provide all those great presents under the tree every year
and not old St. Nick.
But it's not just an Xmas thing. Like most parents, our kids worship at
the Disney temple multiple times per day. We've made the pilgrimage to
Disney World, but do you tell the kids that the Princesses are out back
smoking a butt during their breaks? Actually, I don't think they are
allowed to smoke in the costume, but all the same. Half of them
probably leave their dancing jobs during the High School Musical 2 show
at MGM and climb some pole at one of the clubs in town. A dancer is a
dancer, no? Or that the guy in the Frozone suit is an 18-year old
pimply faced teen?
It's a tough call. But actually not that tough. As long as my kids want
to believe that a dude in a red suit can traverse the entire world on a
sleigh in a night, more power to them. If they think that Cinderella
lives to take
a few pictures with them and then retreats to Prince Charming and the
Castle, I'm cool with that. They've got a lifetime of dealing with
reality ahead of them, there is no point in bursting their bubbles too
soon.
But it would be nice to suspend disbelief for a little while and just
dream a bit. That maybe with the upcoming US election we can get to a
happier, less partisan place, regardless of the side of the fence you
call home. That maybe we can make some progress in closing down those
gaping exposures that keep the bad guys flush with stolen private data.
That maybe our bosses will take what we do seriously, or at least a
little more seriously.
I know, I'm being optimistic again. It doesn't happen too often, so I'm
going to enjoy it for as long as it lasts. I spend most of the year
worrying about the things that I'm not getting done, as opposed to
celebrating all things that I have gotten done. It's just my nature. As
we close out the year, I suggest you take a look back and feel good
about all the stuff you've done. I'm sure it's more than you expected,
though less than you wanted. January 2 will be here before you
know it and then it'll be time to focus again on that to-do list.
Have a great day.
last breath image originally uploaded by niddufias.afatsum@sbcglobal.net [1]
Technorati: Information Security [2], CSO [3], Security Mike [4], Internet Security [5]
[6]The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com [7] |
Get Your Special Report: 6 Easy Steps to Protect Your Identity and get access to Security Mike's Portal today www.securitymike.com [8] [9] |
Top Security News
XSSed.com [10] (as covered by Dark Reading [11]): I think
it's pretty cool. These folks act as an archive of all the publicly
disclosed XSS bugs, and will let you know if something you are in
control of shows up. It'll be even better if they do execute on the
idea of giving webmasters a day's notice of an issue, so they can get it
fixed before it shows up in the archive. The online web scanning folks
are starting to play around with XSS tests as well, although it's not
easy to automate the process yet, but it'll get there. If you've got a
site that is frequently targeted by the bad guys, this is a service you
may want to check out.
Link to this [11]
Phishers
are defeating CAPTCHA challenges [12] when signing up for bulk
email addresses and now these folks are coming up with interesting ways
to basically screen scrape a typical user interaction
with a banking web site [13]. If it wasn't so dastardly it would
actually be cool. Remember low and slow is the name of the game for
these folks. They don't want to be detected or caught until the money
is gone from the account. Another innovative attack was perpetrated on
the US National Labs. This one was a phishing attack that provided
access to the bad guys and they used that access to compromise a couple
of databases. The good news is that the bad guys only got to the
"unclassified Yellow network." Great, now I'll sleep better. As that
guy in the Guinness commercials says, "BRILLIANT!" Unfortunately we are
going to see a lot more "innovation" like this in 2008. So we'll need
to bring our A game, or it will be a mess.
Link to this [13]
In this NetworkWorld op-ed, Paul Simmonds works
to make Jericho relevant [14] by recasting its message around
"endpoint security," especially many of the new portable devices that
can drive us nuts. Conceptually, the message that Jericho is bringing,
which is really about securing inside-out, as opposed to outside-in,
continues to be mired in overly complex characterizations that are next
to impossible to follow. Take this for example:
That is simple to say? What a
mouthful. Devices, transactions, criteria, trust? Arghhh. I seriously
think the old Jerichonians need to invest in some real marketing. Not a
PR flack that is trying to get the muddled messages heard. There is a
pony somewhere in there, but it seems to continue to be buried under 2
or 3 tons of elephant dung.
Link to this [14]
The Laundry List
- My firewall is bigger than your firewall. As if it matters, but NetworkWorld does a speed test and amazingly enough, most are pretty fast. Though some (ahem, Fortinet, ahem) get caught with their thruput stats in the cookie jar, I mean UDP at max packet size. - NetworkWorld review [15]
- Symantec weighs in with 2007 trends and 2008 predictions. The verdict, 2008 will be more of the same. At least there is some consensus on that suckitude. - Symantec release [16]
- Spell check much. Fratto seems to have forgotten the l in Alcatel. No matter, he points out that ALU will get into bed with all the NAC folks, except Shimel [17] I guess. - NAC Immersion Center [18]
- The end of an era. NetManage is acquired by Rocket Software. Remember when IP stacks used to be cool and valuable? Those were the good old days. - NetManage release [19]
Top Blog Postings
http://taosecurity.blogspot.com/2007/12/feds-plan-to-reduce-then-monitor.html [20]
Link to this [20]
Hoff makes many of these points in his
comment to the post [21], and I'll just sum it up by saying, every
firewall vendor is a UTM vendor now. You can't draw this artificial
distinction anymore.
http://www.cutawaysecurity.com/blog/archives/218 [22]
Link to this [22]
http://mitchellashley.typepad.com/the_converging_network/2007/12/product-bistro.html [23]
Link to this [23]
http://sm-blog.securitymike.com [24]
Check out the latest on the Security Incite blog: http://blog.securityincite.com/ [25]
Read the most recent Daily Incite: http://securityincite.com/security-incite-rants/daily-incite [25]