June 26, 2008 - Volume 3, #60
Good Morning:
I know the exact moment that I lost my taste for math. It was sophomore
year of engineering school in my 4th semester of calculus. The lesson for
the day was to figure out some wacky theorem on how to calculate the
area on the inside of a sphere. WHAT? Right, I would much rather have
been drinking beer, but I decided I wanted to study engineering - so I
persevered.

Now I have a lot of respect for the folks that are actually interested
in counting things in Angstroms and calculating the resistance of a
nanotube. These folks have come up with some of the great innovations
of our time. But I've also come to appreciate the fact that high level
math isn't that interesting to me.
Yet, my disdain for math can be a bit of a challenge at times. Last
week I was ranting about how expensive gas is, and many of you sent me
comments and even pictures showing how crazy prices are where you live.
I appreciate that.
So earlier this week, I decided to do my part and search around for a
cheaper tank. Not a cheaper ride, like a Prius or something. As much as
I like the new car smell, the idea of dropping $30K on a new ride right
now is distinctly uninteresting - if only to save a few bucks at the
pump.
So I figured I would drive over to my local Costco and fill the tank.
Everyone knows Costco has the cheapest gas around, no? So I diligently
left Starbucks, checked out the price of premium at the gas station
that I passed on the way ($4.29) and then drove about 10 minutes to
Costco.
Drum roll please... The price at Costco was $4.24. That's right, I
saved a nickel a gallon - which for the 14 gallons I needed, added up
to a whopping 70 CENTS. Yes, I should pay more attention to the math.
Between the 30 minutes of wasted time driving out of my way and the
extra gas I burned to hike over to Costco - I probably lost money on the
deal.
And that is one of the problems we all suffer. It's context. We (OK, I
won't speak for you), I mean I get fired up about something and then
engage in a Pyrrhic victory that ended up having the exact opposite
effect. Maybe the law of unintended consequences is rearing its wily
head or something like that. But I'm going to try to take a deep breath
before I go on my next wild goose chase to save less than a buck.
Have a great weekend.
Photo: "NooNoo studying calculus" originally uploaded by __dino__ [1]
Top Security News
I don't see a near term revenue opportunity [9] for all the vendors
that are trying to focus (and push on the string) on it, doesn't mean
it's not an issue or that we should be thinking about how to architect
our environment to make it secure virtualization-friendly. TechTarget
figured out a way to get Matasano Thomas to put pen to paper and bang
out a tip on building security into a virtualized server environment [10].
Read it and think about it. The idea of
not running financial applications on virtualized shared hosting is a
bit of heresy, but it's certainly something to think about. It also
seems that virtualization is front and center at Burton's annual
soiree [11]. They are beating the drum for solving
the operational issues of virtualization, as opposed to throwing the
latest security widget at it. At least many of the talking heads are in
agreement about that. Which means it's probably wrong, but we'll play
it out for a little while anyway.
a new mandate that will require a security certification for workers in
civilian agencies [13]. This actually could have far ranging
impacts on the security education market, in that these certifications
would have to be accredited by the Feds to be accepted. Then you'd have
a huge demand for all the security professionals out there to get their
papers, so they can continue to work. We all know there is very little
correlation between certifications and competency, right? So is this
about improving security or putting a bunch more bureaucrats to work to
administer these kinds of ridiculous programs? I guess when the current
administration decided to throw billions after security, they didn't
specify between products, services or education. Arghhh. Not to be a
conspiracy theorist, but it seems that SANS is pretty well connected in
the halls of the Beltway and they would be probably the biggest
beneficiary of this kind of mandate - no? Too bad I don't eat meat
anymore because this is going to be quite a pork barrel.
the "newest" capability of DLP is encryption [15].
You mean you'd actually want to protect data at rest, and that you'd
maybe think about encrypting a mail message or file with confidential
information in it BEFORE it hits the big, bad Internet? Of course you
would, but I don't get what's new about this. The email security
gateways have done outbound filtering for years. They've also had
partnerships with the encryption vendors to actually remediate on the
policy violations detected by the filters. I've called the outbound
email (and web) filtering stuff "poor-man's DLP" and they've been doing
encryption, so is it a surprise - or even novel - that the DLP vendors
are jumping on that bandwagon? And is this new even for them? It's not.
Through the wonders of a 10-second search on Google, I found a partnership release from PGP and Vontu [16].
Right, it's dated May of 2005. That's pretty new.
The Laundry List
- Barracuda tries to keep the FIRE alive by raising its offer. The response is a cold bucket of Burris. - Sourcefire release [18]
- Deal: Proofpoint buys Fortiva to get access to the email archiving market. Guess they are doing more than just hiring all the old Postini and CipherTrust folks with all that money they raised. - Proofpoint release [19]
- Why do they have to keep reminding us how big they are? Jaquith ponders the issue. I think it's about self-esteem. Real winners don't have to tell you they are winning. - Yankee Group blog [20]
- Wait, an integrated endpoint agent that does systems management, security and backup? Took you long enough Big Yella. Or maybe Old Yeller is a better moniker. - Symantec release [21]
Top Blog Postings
http://www.networkworld.com/columnists/2008/061908-backspin.html [22]
http://www.rsa.com/blog/blog_entry.aspx?id=1295 [24]
http://blogs.msdn.com/sdl/archive/2008/06/17/sdl-threat-modeling-past-present-and-future.aspx [26]