March 24, 2008 - Volume 3, #29
Good Morning:
It seems every year I remember why they call it March Madness. After I look at my brackets from the first weekend, I'm pretty mad. Make that very mad. So I have some good news for all of you Incite readers. There is no risk that I'm going to pack up, move to Vegas, and decide to make a living figuring out which teams will do well in the NCAA tournament. I've done the same 3 brackets for the last 4 years. Inevitably I come in the bottom quartile. Some years I get lucky and end up in the 2nd quartile in one of the 3, but that doesn't mean much, since my payout is the same - nada, zilch, zero, the big o-ring. Thankfully I just use beer money to play these brackets.
As annoyed as I get at my own picking prowess, the tournament is great fun. You do need to appreciate how some teams come out of nowhere and rise to the occasion. Davidson? Come on now. That's a great story. Son of a former NBA star, whom all the major schools passed on, rocks a powerhouse like G-town. That's just great drama. And next weekend, we'll probably see more. There is always a Cinderella, at least up to the Elite 8. Then reality usually sets in, but until then you've got to enjoy the fact that these unknown guys and teams get to play on a national stage.
For me, the Madness is a time to hang with my posse. I get together with a bunch of buddies for lunch on the 1st Thursday and Friday of the Madness. We drink some cocktails, watch the games, shoot the breeze and basically have a great time. Then the working stiffs go back to their offices, and me and two other buddies (who also work for themselves) tend to hang around for the next game or 3. Drinking more cocktails, shooting some more breeze and having lots more fun.
I do feel for my buddies that have a "job," but not that much. In exchange for stability, good health benefits, and a steady paycheck - they get to go back to work. They probably watched the games at their desk via streaming video (unless they got put in the waiting room, shown above) - but they certainly weren't enjoying cocktails. It's all a trade-off, since they also don't have to worry about billing, collections, cash flow, pipelines, delivery, fulfillment, new products, monthly deliverables, grumpy clients, and all the other crap that I deal with on a daily basis.
Would my buddies trade places? I suspect some of them would. Some wish they had the stones to go out on their own and stop working for the man. Others are quite happy doing what they do. Would I change places? Not a chance. I've come to realize that I'm just not cut out to work for the man. No way, no how. I'll never say never - but it's pretty much never. The last thing I want to deal with is telling a boss why I need to take half a day on the first two days of the Madness. But that's just me.
Have a great day.
Photo credit: The Shifted Librarian [1]
Top Security News
the Lockdown folks [10]. I've been there. To unceremoniously have to close your doors, leaving your customers in the lurch, is terrible. It's very frustrating to build something and have no one else see value in it. All that time and money...poof. There's been lots of coverage, though I'll tip my hat to Network Computing [11] for having the most balanced perspective. The little tidbit about how an NWC contributor's Syracuse lab [12] (oh, I mean the college) actually wanted to pay for a solution and had mediocre success is very telling. Not just for StillSecure, which got bounced out - or Lockdown - which clearly couldn't answer the call. Of course, the NACsters are spinning madly, talking about the "execution problems [13]" and how "they are different. [14]" OK, Shimel is spinning madly, but you have to expect that. Unfortunately, this isn't the last we've seen of this kind of outcome for a NAC vendor. Fact is, the big publics and privates with big bankrolls don't see any value in acquiring assets in the NAC space right now. That doesn't mean that they won't, but not right now. To be clear, I do think there is value in NAC, especially the access control part. But this is not the Messiah technology, never has been. Despite what the vendors want you to believe...
this InformationWeek article is really a dilemma [16]. Sort of. The reality is that vendors and security service providers CANNOT afford to employ black hats. Period. End of discussion. Their customers put a lot of trust in these companies, and hiring a convicted hacker would circumvent that trust. But what about end user organizations? It's not as cut and dried. For some it is, but they are wrong. The fact is security is a very resource-constrained environment. Why would a talented professional (with a clean record) go work for a 100,000-person organization in a smokestack industry, when they can see the world and make a lot better money doing consulting or going the vendor route? There is something to be said about the training that bad guys get as well. In order to really stop hackers, you need to think like one. Who is better at thinking like one than a former black hat? Ultimately it gets down to trust, as it always does. Do you trust the rehabilitation process? Can criminals reform? Do people get second chances? In any case, you should have a number of backstops to make sure that a bad actor doesn't take down your entire shop. Fact is, it's usually not the black hats that have been caught perpetrating insider fraud. If I were in that position, I probably wouldn't pull the trigger on bringing on a convicted hacker. Too much of an opportunity for others to say "I told you so." But if I had no other options? Glad I don't have to make that decision on a daily basis.
SearchSecurity does a good job of capturing the spirit of the guys [18]. Those were the wild and woolly days of security, before it was a business. When it was still fun. Now it's a business, and not as much fun. Now we see what good security researchers can do to shred a web site or application, and it's kind of commonplace. We aren't surprised by the 10,000th exploit for QuickTime or the way folks can get around pretty much any security system. But back in the mid-90's we were surprised. We had to be. That was real innovation. Something that is sorely missing from our business that has become an industry.
The Laundry List (crappy M&A edition)
- Ping Identity acquires Sxip Access. But do they get Dick Hardt's cool Identity 2.0 presentation as part of the deal? - Burton Group Blog [20]
- IBM acquires Encentuate to get more SSO technology. Unfortunately the map to find the holy grail of SSO wasn't included. - SearchSecurity coverage [21]
- Microsoft acquires Komoku for additional rootkit detection. Big AV buries their head deeper into the sand. - NetworkWorld coverage [22]
- Does anyone really think there should be 800 security companies? Expect this kind of M&A to accelerate as VCs get over their hangover and realize they should be happy to get their money back and get out.
Top Blog Postings
Bill Brenner notes that it's all about living to fight another day [23] when you have a data breach. Martin points out that thankfully HB had separated customer data from credit card data [24], so hopefully the damage will be minimized. Remember, hope is not a strategy. I (for a change) take a bit of a different perspective on the data breach. It's going to happen, so you better be ready. Right, you need to be monitoring your stuff to try to detect these issues faster and get to the bottom of them sooner. Will people stop shopping at HB stores? Of course not. Will they continue paying with credit cards? I suspect they will. But HB will now be fighting years of class action lawsuits and other fees to clean up the mess. And in a 2% margin business, it definitely will hurt.
http://securosis.com/2008/03/18/picking-apart-the-hannaford-breach-what-might-have-happened/
http://securitywatch.eweek.com/hannaford_data_breach_the_security_vendor_conundrum.html [27]
http://www.stillsecureafteralltheseyears.com/ashimmy/2008/03/sitting-on-your.html [29]