Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - May 1, 2008

By Mike Rothman
Created 2008-04-30 15:24
Today's Daily Incite

May 1, 2008 - Volume 3, #42

Good Morning:
I tend to be one of those hyper-connected guys. I don't do Twitter, but besides that I don't really have email too far away and I can be found in my RSS reader a couple of times a day. I like to think I'm "in the loop." A lot of the time I'm not sure how healthy it is. At night, there are times when I have to specifically repress the need (dare I say addiction) to hit the iPhone slider and see what has accumulated in my inbox.

Believe me, there isn't that much interesting stuff in my email. But I like to see it anyway. And it's a constant battle. I suspect many of you fall into that category as well, battling those same demons.

Thus, when I saw this post on Web Worker Daily [1] about "Shut Down Day," I was intrigued. The picture to the left is called "Unplug for safety," but this concept is more about unplugging for SANITY. Can I actually shut down my machine(s) and not be connected? Yes, even my iPhone. For a full 24 hours? Is it possible?

The honest truth is that I don't know. But I'm going to try. It'll be easier for me for a couple of reasons. First, it's not like I'm trying to do this during the week. Saturdays are somewhat manageable and although I've been known to work a bit over the weekends, it's definitely possible for me to skip it.

Second, the Boss and I will be tied up all day at an event. And I mean all day. So now I have a fighting chance, since it would be a lot harder to unplug if I was in the house watching some crappy baseball game.

So we'll see how it goes. I'm kind of excited by the possibility of becoming the master of my domain again. I don't expect to need to unplug very often, but it will be nice to know that I can.

Have a great weekend.

Photo: "Unplug for safety" originally uploaded by mag3737 [2]


Top Security News

the new contest to come up with interesting ways around malware detection suites [11], I could only laugh. Of course, Cyndi Lauper's "Girls just want to have fun" was also thundering in my eardrums because that's what this is about. In the immortal words of Sgt. Hulka, the AV vendors need to "Settle down, Francis." It's like the Pwn2Own contest at CanSec. Some folks will find some interesting holes and the vendors will patch them. Same deal here. Maybe the AV vendors are worried that the crazy kids at DEFCON will pierce the veil of their marketing hype. Maybe the big world of all those stupid lemmings will finally realize that any machine can be owned at any time by some rather mediocre hacking talents. We wouldn't want them to learn that now, would we? And I'll also punch a hole in the idea that there are already enough samples to keep researchers busy. Who knows, maybe with a minor financial incentive, the DEFCONs will find something interesting. Something (oh the horrors) that we may not already know about. I'm good with this contest and I think these are valuable endeavors. First, you get kind-of smart folks trying to break things in a semi-controlled environment. Second, you are teaching these folks how to think like hackers, which is one of the first things that security professionals need to master.

imminent death of the NAC client at the hands of the bundled NAP client [13]. With Windows XP SP3 being deployed over the next few months (it takes a few months for these things to be widely deployed), the NAP client will be within most of the Windows devices out there. That means this idea of client vs. client-less is largely done. Of course, it's been a moot argument for quite a while since the answer has always been both. For some managed devices, a client makes sense. For other devices you don't control, you need a client-less option, and pretty much all the NAC vendors can do both. We could split hairs about dissolvable vs. Nessus-based plug-ins vs. ActiveX, but it's all the same to me. If I put on my Stiennon suit, does that mean I'll trust the endpoints any more than I did before? Of course not. I still need to verify who they are, and more importantly monitor what they are doing. Just in case. But having the client out there can't really hurt NAC adoption. But I'm not sure it's going to help either. Hold that thought for a few seconds...

Jim Rapoza gets it mostly right in this eWeek slideshow [15]. My classic "Farce of Market Sizing [16]" post back from 2006 hits the same topic, but from a different angle. And NAC as a market has certainly gone through a bunch of phases. This latest NWC reader survey about NAC doesn't bring good news on the surface [17]. Fewer customers are interested in NAC this year than last year. Isn't that bad? Maybe not. Given the macro-economic backdrop, I suspect most users are focusing on those projects they absolutely need to get done, and the ones that are a bit less critical get put on the back burner. At least it seems the users are being honest with themselves about where NAC falls on the priority list. But this isn't really bad, it's natural. There is no question that the concept of LAN Security (bigger than just NAC, more about campus network evolution) will take root. The question is when. I think if the hype around NAC deflates a bit, then folks can think a bit more rationally about how best to move towards a secure LAN environment. Which is really what they should have been thinking about all along.

The Laundry List

  1. Learn about Stiennon's new gig. Ask him to bring back a koala when he goes to visit the mother ship. - NetworkWorld coverage [19]
  2. NetworkWorld jumps into the time machine and goes back to when Voltage first introduced IBE. A PKI without keys? How novel! And how irrelevant how it actually works. Slow news week, I guess. - NetworkWorld coverage [20]
  3. Prevent online theft? Authentium claims their SafeCentral "prevents" malware. Big claims for sure, and seems too good to be true. - Authentium release [21]
  4. Secure Computing also asks us to jump into the time machine and forget that pretty much every other security vendor runs their stuff in a VM image now as well. The good news is that I don't forget. - SCUR release [22]

Top Blog Postings

recent [23] ranting [24], but I've hardly talked to anyone in the space over the past two weeks that hasn't wholeheartedly agreed with my contentions that Easy PCI marketing is a sham. Yet, if everyone is agreeing with me, why do I expect to continue seeing these ridiculous positions and claims for years to come? Basically because I've seen the movie before and as long as there are customers that want to believe, the vendors will be there to feed them a plate of crap.
http://robnewby.blogspot.com/2008/04/captains-blog-supplemental-pci-is-dead.html [25]

http://www.computerweekly.com/blogs/stuart_king/2008/04/on-trial-role-of-the-ciso.html [27]

http://fraudwar.blogspot.com/2008/04/nowadays-all-you-need-to-do-is-visit.html [29]


Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-may-1-2008