May 22, 2008 - Volume 3, #50
Good Morning:
If we click our heels a few times, maybe we can get to Camelot. Unfortunately it seems that Camelot is on fire and mostly burned to the ground. I was sad when I heard about Senator Ted Kennedy's brain tumor. Similar to Alan [1], I've always had a fascination with the Kennedys and what kind of deal old man Kennedy must have cut with the Devil to have bestowed such angst on his family. As opposed to Alan, I spend zero time thinking about how different the world would be if Bobby didn't get shot, or if Teddy didn't drive off that bridge. That's pointless because I think the global predicament we are in has much more to do with human nature than with bad luck or an assassin's bullet.
But I do feel bad because one of the last political icons from my youth will be gone sooner rather than later. Whether it's one year or two years or whatever, Teddy can now see the light at the end of his tunnel. I wonder what he'll do in the time he has left? Will he keep fighting the fight in DC? Will he sail a lot and withdraw from the public eye? What would you do? I ask myself that question sometimes, but I can't calibrate a good answer because it's more of an intellectual exercise at this point. When you are in the middle of it, I doubt there is much intellectual at all.
I'd like to think I'd handle it like Randy Pausch. For those of you not familiar with the inspiration that is the CMU professor with terminal pancreatic cancer, you should learn about this guy. He did a famous pitch at CMU called "The Last Lecture" [2]. Millions have watched it on YouTube. I suggest you take an hour out of your day and watch it too.
You'll laugh, you'll cry, but most of all you'll be inspired. How this
guy is dealing with his own imminent demise is amazing. He's fighting,
but he also knows that is futile. Most of all, he is enjoying every day
he has. He's spending it with the people that matter to him. He's
teaching a new generation (not just his family) life skills, much like
he taught countless students computer science skills.
I also bought his book [3], which expands a bit on the Last Lecture video and codifies his thoughts a bit more cogently. Most of this stuff is common sense, but it's very hard to practice in day to day life. It's very easy to get frustrated with stupid things. Like the fact that I need to hound Leah to get her socks on in the morning to get her ready for the bus. Or that I have to badger the twins to pick up their toys after they are done with them. Every time.
None of that stuff is important. I'm sure I'll still do it because old
habits are hard to break and I guess it would be great if I could get
the kids to keep the house somewhat tidy. But it's not worth getting
bent out of shape about. It's really not.
I've been trying to change my attitude a bit along these lines and it's made a difference. Recently I found I wasn't having fun working on a fairly significant project for a client. So I walked away. It was probably stupid and arrogant to leave money on the table when I'm a one-man band, but I wasn't having fun. And if anything, I see what Randy Pausch is dealing with and what Sen. Kennedy is now dealing with and I realize that I should be having fun. Every day. Every single day.
Ask yourself whether you are having fun. Do it now! Are you? Be honest.
Ask that same question every day for a month. If you find that most
days you aren't having fun, then make a change. None of us has time to
waste. Seriously. Change is hard and it's scary. But getting a death
sentence and feeling like you've squandered a lot of time doing stuff
you hate should be a lot scarier. It was for me.
Have a great weekend.
Photo: "Camelot Fire" originally uploaded by roemerman [4]
Technorati: Information Security [5], CSO [6], Security Mike [7], Internet Security [8]
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com [10]
Get Your Special Report: 6 Easy Steps to Protect Your Identity and get access to Security Mike's Portal today www.securitymike.com [11]
Top Security News
Big Yellow is trying to evolve security to be - dare I say it - less annoying. [13] Wow. I wasn't even sure that anyone in Big Security realized there was anything wrong with the existing model. Truth be told, although the goal of "zero-impact" security is a laudable one, it's not practical. The approach of looking at deployment of software as one of the factors to determine whether it's malware is suspect. PrevX has used a similar model and that's been panned in comparative reviews. Yet I can't beat them down too much, because at least this kind of interview shows a dissatisfaction with the status quo that is comforting. But we've heard Big Yellow words before with little ability to actually innovate and execute. I'm not holding my breath, let's just say that.
NetworkWorld has a piece about a wireless security lab run at Lockheed [15]. These folks spend most of their time trying to figure out the holes in wireless and what can be done to protect not just the battlefield (where Lockheed makes most of their coin), but also the home and other places. The verdict? We're screwed. Ubiquitous wireless connectivity exponentially increases the attack surface that needs to be protected. We also need to understand that as the distinction between corporate and home networks blurs with VPNs and WiFi access, it becomes all the more important to restrict how and where sensitive data travels. Per usual, I'll tell you to start asking more questions. Why is that private data on the laptop? Should that fat client application be rearchitected to work in a remote (or virtualized desktop) type of architecture to centralize (and therefore more effectively protect) the private data? Strangely enough, we've seen this movie before, and the return to the terminal/host model does bring some data security advantages that shouldn't be minimized. Of course, the definition of the "host" is much different than it was back in the 70s, but that's another story for another day.
Thanks to Dave at LiquidMatrix [17] for pointing me towards the most recent FISMA grades [18], as reported by Brian Krebs. There is good news and bad news. The good news is that now the government gives itself a grade of "C," which is up from C- last year. Outstanding performance. I'm sure some bureaucrat is enjoying a big steak on Capitol Hill for that. 8 agencies scored an A. 9 agencies failed, including the Department of Defense and the Nuclear Regulatory Commission. Great, since neither of those agencies houses sensitive data. But ultimately, as Bejtlich points out frequently [19], these scores mean nothing. They give Congress some fodder for witch hunts after the summer break, but what is the true impact? Are these guys going to lose funding? Will heads roll? Will anything change? Does it even matter? Is the DoD any more likely to get nailed than one of the agencies that got an "A"? I think not, because your number can come up at any time, regardless of what FISMA says.
The Laundry List
- Panda jumps on the malware defense as a service bandwagon, but I'm perplexed. How is this different from any other AV service? Updates come from the cloud. So what? - NetworkWorld coverage [21]
- More green is making me see red. Now IronPort says they support "green" initiatives. This is just another way to say my box is bigger than yours (so you need fewer and thus burn less energy). It's a load of crap. - IronPort/Cisco release [22]
- Three letter acronyms aren't enough. Let's turn it to 11. Andrew Hay posits a new term for this new virtual thing - virtualized network security management (vNSM). My new term is vBB. Virtualized Barf Bag. - Andrew Hay's blog [23]
- No recession in forensics and eDiscovery. Guidance's Q1 is pretty strong. It's interesting how services and training are growth engines as the industry realizes they still have no idea how to do forensics. - Guidance earnings call transcript [24]
Top Blog Postings
ridiculous the USAF's plan to build a
proactive cyber-strike force [25] was, but then says the police
and military must "strike back" against threats. Hmmm. Do we have to
just react or do we proactively turn some cyber-deserts into glass? I'm
not sure I know the answer because it's an ethically murky area. Though
I do believe in the deterrent effect. It will stop 80% of the sane
folks from doing bad things. You'll never stop the other 20% because
they are so desperate (or just don't care) that the risk of being
annihilated is not much of a risk. Maybe it's time for Air
Coryell [26] to make a comeback.
http://taosecurity.blogspot.com/2008/05/offense-kills-pirates.html [27]
http://srmsblog.burtongroup.com/2008/05/is-microsofts-s.html [29]
http://blog.modsecurity.org/2008/05/whats-the-score.html [31]