May 8, 2008 - Volume 3, #44
Good Morning:
If I've said it once, I've said it a thousand times, success in
anything that you do is based on how well you manage expectations. When
you expect little, you tend to be surprised on the upside. When you
expect a lot, well... you know. Reading Shimmy's post on the Iron Man movie [1]
made me think about why I go to movies and what I expect to get from
the time and money I spend.
Basically for me,
movies are about escaping. Not that my life is bad, quite the contrary,
but every so often taking a few hours to go into the land of someone
else's imagination is very useful for me. I do my best not to get into
the dogma of reality vs. unreality. Plot lines that don't make sense
just roll off my psyche, and I spend very little time trying to
understand the "true" meaning of any of these movies.
Why? Because they are movies. If I want reality, I'll go over to CNN
and remind myself how screwed up things are. If I want to be
overwhelmed, I'll just spend a few hours trying to keep up with my
kids. When I want to escape, I take in a movie or curl up with a
suspense, mystery or science fiction novel. Then I can shut off the
world, if only for a little while.
Personally, I thought Iron Man was a great movie. So I guess I'm with Farnum [2] on that. I don't
know a lot about the comic book lineage, so I wasn't worried about how
true they were to the Iron Man history. Robert Downey Jr. was very
believable as the main character. And the idea of a supersonic flight
suit? Why not? Again, if I want reality - I'll watch
Survivor - since that's very real.
I guess it's about mental health. All work and no play makes Mikey a
dull boy. And given the schedule I keep and the crap I consistently add
to my overflowing list of things to do, sometimes I just need to shut
down for a few hours and go into someone else's world. The Boss has
mandated that Friday nights are now movie night. No more catching up on
the crap that didn't get done during the week. No more watching some
crappy TV. Now it's about escaping from the week that was and setting
the stage for the weekend to come. I think it's a great idea.
That's my story and I'm sticking to it. Have a great weekend.
Photo: "Iron Man Suit" originally uploaded by kevitivity [3]
Top Security News
he's decided that NAC is on death row [12]
and is awaiting its three-drug cocktail into an eternity of hell fire
and disappointed VCs. Of course, Shimel takes this as validation that NAC is
for real [13], and it's not like he needs an excuse to jump on the
bully pulpit and wax poetic about all things NAC-virtuous. The reality
is that the truth is somewhere in the middle. NAC clearly has its
challenges; I was one of the (only) voices driving that point
home back in 2006, long before it became popular to beat down NAC. But
there are still legitimate use cases for all three aspects of NAC (admission control,
access control and containment). It seems Richard forgets about the
first law of security (or he's gotten the mind-meld from Matasano),
which is to layer your defenses. Of course, NAC isn't going to stop a
clean computer from entering your network, but who says that NAC is the
answer to every problem? Maybe that's where everyone is getting hung
up. Let's try this again. Repeat after me: there is no silver bullet.
There is no silver bullet. There is no silver bullet. There is no
silver bullet.
browser defenses getting better [15].
Huh? So Vista does some ASLR and DEP (XP has limited DEP capabilities
too), so what? The applications have to use those defenses, which is
slow in coming. Also, everyone has to be running these latest operating
systems with everything patched, and we certainly know that's not
the case in the real world. Larry even takes a shot at the beloved
NoScript, and now he's crossed the line. Listen, a web without
JavaScript is certainly sub-optimal, and I do spend a fair bit of time
authorizing different scripts on the various web sites I visit. But the
point is that I am making that decision, not some jackass web developer
who would rather drink Red Bull than ensure my browser can't be owned
via an XSS. NoScript gives me the power to choose which scripts I want
to run, and which I don't. To blame all the ills of browser-based
attacks on stupid users and social engineering is missing the point.
Attackers will take the path of least resistance, and right now that
path is through the user. Something like NoScript makes it a bit
harder, and that's why I tell everyone who will listen to use it.
a survey that says 77% of IT decision makers
would buy network security equipment from an "alternative" vendor [17],
meaning an "organization other than the market share leader." Hmmm.
That's interesting data. So how do Cisco (and Check Point, etc.)
maintain their huge market shares if all these customers will consider
another vendor? Thinking... Thinking... I got it. They are considering
the other vendor for leverage. You'd be an idiot not to "consider"
another vendor, because that gives you a bit of power (however small)
over the incumbent to break a bit on price. That's Negotiating 101. I'm
interested in the other 23%, who basically say they'll buy from the
market leader no matter what. Just goes to show that you can get a
survey to say anything you want; you just need to phrase the questions
correctly. Such as, "would you consider buying a technology from an
'alternative' vendor (not the market share leader) that provides more
functionality at a lower price?" Hmmm. How many folks would say no? I
guess around 23%. And that's why I'm such a big fan of these surveys.
The Laundry List
- Yahoo shrugs off the Microsoft deal and embraces McAfee's SiteAdvisor to warn search users that some sites may be bad. This is cool, but I'm still using Google. - NetworkWorld coverage [19]
- Add USB thumb drives to the 10 most wanted list. They could bring malware in and take data out. Of course, we already knew that, but sometimes it's good to be reminded - Network Computing Daily blog [20]
- It was just a matter of time. Now other application dev shops are embracing security as a feature. Parasoft talks about their new application security offerings, built into the dev tools - of course. - Parasoft release [21]
- Funny post on the NoticeBored blog about how not to do security awareness training. Idiotic questions are my favorite. - Noticebored blog [22]
Top Blog Postings
- http://gregness.wordpress.com/2008/04/25/data-center-security-five-critical-requirements/ [23]
- http://rationalsecurity.typepad.com/blog/2008/04/clouding-the-is.html [25]
- http://www.darkreading.com/blog.asp?blog_sectionid=403 [27]