May 20, 2008 - Volume 3, #49
Good Morning:
Darwin was not wrong. He may not have been right about everything, but
when it comes to natural selection - he was right on the money. It's
all about adapt or die. We see it every day. In your business, in your
life - if you can't see what's happening and act accordingly, it
doesn't work out too well for you. Yet, if you can embrace the changes
and you get pretty lucky - then you can prosper in the new world order.
I bring this up because this is my summer of concerts. The Boss and I do see a lot of live music. We live pretty modestly, but we do enjoy seeing great bands play great music.
Tonight I'm going to see the Eagles, and later on this summer I'll see Chicago and the Doobies, Steely Dan, Rush, Boston/Styx, R.E.M., and probably a bunch of others. If I wasn't travelling a bit over the summer, Dave Matthews and Tom Petty would be on the list as well. Let's just say TicketMaster loves me.
We do see some contemporary acts as well, but there is nothing like
seeing a skeleton with a guitar get up there and play songs I
know every word to. And for that I pay a princely sum.
These artists from the 70s and 80s have adapted. Most haven't had a
"hit" on the charts for years. But they sell out concert halls at $150
a ticket. Guess where the money is in music nowadays. You have bands
giving away their music, if only to stimulate demand for their shows. I
know, I know. None of this is new. Bands like the Dead, Phish, and
Widespread Panic have used this model for years. And it's worked for
them.
And the record companies sit there and haven't adapted. They've sued
the crap out of housewives in Wichita and college students in
Bakersfield. Even high schoolers as well. Their business has been
upended and they haven't adapted. Right, it's ugly and it's going to
get even uglier.
The Eagles distributed their last album exclusively through Wal-Mart. That was a pain, since I like to get my music from Amazon, but evidently WMT is paying the band 4 TIMES the royalty payout on each unit. So they can sell a quarter as many albums as their Greatest Hits packages and make just as much. And by the way, Wal-Mart also makes more per unit because they don't have to cut the record company in on the deal. That's called a win-win, unless you are the record company.
But some companies are adapting and bringing new models to the music
business. Folks like LiveNation, who have no issue making 9-figure
commitments to lock in touring revenue from artists (like Madonna and
Jay-Z) that will put asses in seats. Will it pay off for LiveNation?
Time will tell. I can only say I'd rather be on the concert side of the
business rather than the recorded music business. I personally will
spend 20x the amount on concerts this summer as I will on recorded
music.
How does that apply to security? I'm not sure. I don't study these other industries and markets because I think everything is directly related to my day job. But there have been a number of times when I've been able to relate a problem in the security business to something I've seen in another industry. If you are one-dimensional (all security, all the time), then you can't have that perspective. So fire up iTunes, renew your subscription to Fortune, expand your brain a bit and have a great day.
Photo: "Phil and Justice love to play Califone" originally uploaded by benprks [1]
Top Security News
some interesting perspectives on Web 2.0 disclosure [10]. He uses an example of a bug in Zoho Writer to illustrate the need (or maybe the lack of need) to disclose when personal information may have been exposed.
First of all, how is Zoho going to know when someone has private information in a specific document? Second, if you store your personal information in the cloud, and it doesn't have like 15 layers of security (like the my1password service), then you are an idiot. These online word processors are wonderful for collaboration, but if I'm doing something really sensitive, then I use friggin' Word and I password protect the document. But back to disclosure, given that a lot of stuff is going to be in the cloud over time. I have mixed feelings, because I know many of us are already numb to the constant flow of data breaches. If you start sending out alerts every time you fix a bug (without confirmation that it's been exploited), then we are going to start ignoring them. Yet, on the other hand (there is always another hand, isn't there?), people have a right to know. So basically, we are right back where we started: a murky vulnerability disclosure discussion. And I suspect we'll have a similar outcome. These issues will be disclosed in the press and on blogs, and the service providers will respond.
Link to this [11]
This NetworkWorld piece starts to bring up some of the discussion points [12]. Of course, security is always the after-thought, but you, being the forward-thinking TDI reader that I know you are, can get out ahead of it. Basically, you can't be sure anything is secure in the cloud, so that means you have to secure it yourself. That means building your applications with some semblance of data protection: encrypting and integrity-protecting the data before it leaves your hands, with keys you hold rather than the provider. Yes, it's hard to do and yes, it's a bit more expensive than just doing nothing. But ultimately, if you can't prove your data hasn't been tampered with and isn't open for anyone to steal, then I suspect your auditor may have a bit of an issue with that. Over time, I do believe the storage service providers will get this done (since it's certainly in their best interest to take this objection off the table), but in the meantime, if your app folks are looking at storing data in the cloud, you probably need to have a clear conversation about how that will impact the data security plans.
Link to this [13]
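What "secure it yourself" looks like in practice, as an added example that is not code from the newsletter or from any storage provider: the application seals each object with AES-256-GCM under a key it holds, and the provider only ever sees the nonce, ciphertext and tag. The object names, the in-memory map standing in for the provider, and the sample record are all made up for the demonstration; what carries over is the check itself, which refuses to return any plaintext if a byte was changed, the blob was truncated, or the blob was served back under a different object name.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newAEAD builds an AES-256-GCM cipher; the 32-byte key stays on your side
// and is never handed to the storage provider.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealObject encrypts and authenticates plaintext before it leaves your
// control. The object name is bound as associated data, so a blob that the
// provider (or anyone with provider access) copies under a different name
// will not open either.
func sealObject(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Blob layout handed to the provider: nonce || ciphertext || 16-byte GCM tag.
	return aead.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// openObject checks the GCM tag and decrypts. A modified byte, a truncated
// blob or a renamed object yields an error and no plaintext at all.
func openObject(key []byte, objectName string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to be a sealed object")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(objectName))
}

func main() {
	// Constructed demo data; the map stands in for the provider's object store.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	const name = "customers/2008-05.csv"
	blob, err := sealObject(key, name, []byte("alice,order 1042,paid"))
	if err != nil {
		panic(err)
	}
	store := map[string][]byte{name: blob}

	pt, err := openObject(key, name, store[name])
	fmt.Printf("untouched object: %q, err=%v\n", pt, err)

	// The provider flips one ciphertext byte: detected, nothing decrypted.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)/2] ^= 0x01
	_, err = openObject(key, name, tampered)
	fmt.Println("tampered object:", err)

	// The blob is served back under another object's name: also rejected.
	_, err = openObject(key, "customers/2007-05.csv", blob)
	fmt.Println("renamed object:", err)
}
```

The design choice worth noting is that integrity and confidentiality come from the same tag: GCM will not hand back a single decrypted byte unless the tag verifies, so "prove it hasn't been tampered with" and "prove nobody could read it" are one check rather than two. Key management (where the 32 bytes live, how they rotate) is the part this example deliberately leaves to you, because that is exactly the part the provider cannot do for you.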
Rich loved my reminding everyone that pretty much everything is vulnerable [14]. And yes Rich, I get that rootkits are different. As if we needed one, here is another reminder that we really can't trust anything. It seems PayPal was open to an XSS attack [15], but given PayPal's adoption of extended validation SSL certs (to turn your address bar that wonderful shade of green), your little XSS attack gets the benefit of the green bar: the certificate vouches for the server, and script injected into a page that server legitimately sent runs in PayPal's origin, green bar and all. Once again, the point is that you need to focus as much effort on containment as on anything else that you do. XSS and CSRF are going to happen, and even the most savvy of people are going to fall for it. Thus, you better have your act together to respond, contain the damage and ensure it doesn't happen again, even though it will. No, what we do isn't futile, but if we expect to be successful all the time, I figure that would be pretty delusional.
Link to this [16]
The Laundry List
- I've stayed out of the US Air Force bot army discussion, and a good thing I did. All you need to know is written by the Tao Master himself, who slices this idea into bite sized pieces. - TaoSecurity blog [17]
- Brand protection must be a real business, since the Big Yellow is getting into it. How long before someone snaps up Cyveillance and the other dwarfs in the space? - Symantec release [18]
- That HackerSafe deal just keeps paying dividends for McAfee. Now the guy in charge of ScanAlert's security services is under indictment for securities fraud. Maybe HackerSafe doesn't scan for that either. - NetworkWorld coverage [19]
- 10 more universities qualify for the NSA's information assurance designation. I wonder how much the big pipe from the universities servers to NSA's servers cost? Kidding, I think. - NetworkWorld coverage [20]
Top Blog Postings
- http://riskmanagementinsight.com/riskanalysis/?p=351 [21] - Link to this [22]
- http://shavlik.typepad.com/mark_shavliks_blog/2008/05/garnter-note-on.html [23] - Link to this [24]
- http://rationalsecurity.typepad.com/blog/2008/05/virtualizing-se.html [25] - Link to this [26]