Incite 6/2/2010: Smuggler’s Blues
By Mike Rothman
Given the craziness of my schedule, I don’t see a lot of movies in the theater anymore. Hard to justify the cost of a babysitter for a movie, when we can sit in the house and watch movies (thanks, Uncle Netflix!). But the Boss does take the kids to the movies because it’s a good activity, burns up a couple hours (especially in the purgatory period between the end of school and beginning of camp), and most of the entertainment is pretty good.
Though it does give me some angst to see two credit card receipts from every outing. The first is the tickets, and that’s OK. The movie studios pay lots to produce these fantasies, so I’m willing to pay for the content. It’s the second transaction, from the snack bar, that makes me nuts. My snack bar tab is usually as much as the tickets. Each kid needs a drink, and some kind of candy and possibly popcorn. All super-sized, of course.
And it’s not even the fact that we want to get super sizes of anything. That’s the only option. You can pay $4 for a monstrous soda, which they call small. Or $4.25 for something even bigger. If you can part with $4.50, then you get enough pop to keep a village thirst-free for a month.
And don’t get me started on the popcorn. First of all, I know it’s nutritionally terrible. They may use different oil now, but in the portions they sell, you could again feed a village. But don’t think the movie theaters aren’t looking out for you. If you get the super-duper size, you get free refills of both popcorn and soda. Of course, you’d need to be the size of an elephant to knock down more than two gallons of soda and a feedbag of popcorn, but at least they are giving something back.
So we’ve been trying something a bit different, born of necessity. The Boss can’t eat the movie popcorn due to some food allergies, so she smuggles in her own popcorn. And usually a bottle of water. You know what? It works. It’s not like the 14 year old ticket attendant is going to give me a hard time.
I know, it’s smuggling, but I don’t feel guilty at all. I’d be surprised if the monstrous soda cost the theater more than a quarter, but they charge $4. So I’m not going to feel bad about sneaking in a small bag of Raisinettes or Goobers with a Diet Coke. I’ll chalk it up to a healthy lifestyle. Reasonable portions and lighter on my wallet. Sounds like a win-win to me.
Photo credits: “Movie Night Party” originally uploaded by Kid’s Birthday Parties
Incite 4 U
Follow the dollar, not the SLA – Great post by Justin James discussing the reality of service level agreements (SLAs). I know I’ve advised many clients to dig in and get preferential SLAs to ensure they get what they contract for, but ultimately it may be cheaper for the service provider to violate the SLA (and pay the fine) than it is to meet the agreement. I remember telling the stories of HIPAA compliance, and the reality that some health care organizations faced millions of dollars of investment to get compliant. But the fines were five figures. Guess what they chose to do. Yes, Bob, the answer was roll the dice. Same goes for SLAs, so there are a couple lessons here. 1) Try to get teeth in your SLA. The service provider will follow the money, so if the fine costs them more, they’ll do the right thing. 2) Have a Plan B. Contingencies and containment plans are critical, and this is just another reason why. When considering services, you cannot make the assumption that the service provider will be acting in your best interest. Unless your best interest is aligned with their best interest. Which is the reality of ‘cloud’. – MR
It just doesn’t matter – I’m always pretty skeptical of poorly sourced articles on the Internet, which is why the Financial Times report of Google ditching Microsoft Windows should be taken with a grain of salt. While I am sometimes critical of Google, I can’t imagine they would really be this stupid. First of all, at least some of the attacks they suffered from China were against old versions of Windows – as in Internet Explorer 6, which even isolated troops of Antarctic chimpanzees know not to touch. Then, unless you are running some of the more-obscure ultra-secure Unix variants, no version of OS X or Linux can stand up to a targeted attacker with the resources of a nation state. Now, if they want some diversity, that’s a different story, but the latest versions of Windows are far more hardened than most of the alternatives – even my little Cupertino-based favorite. – RM
Hack yourself, even if it’s unpopular… – I’ve been talking about security assurance for years. Basically this is trying to break your own defenses and seeing where the exposures are, by any means necessary. That means using live exploits (with care) and/or leveraging social engineering tactics. But when I read stories like this one from Steve Stasiukonis where there are leaks, and the tests are compromised, or the employees actually initiate legal action against the company and pen tester, I can only shake my head. Just to reiterate: the bad guys don’t send messages to the chairman saying “I IZ IN YER FILEZ, READIN YER STUFFS!” They don’t worry about whether their tactics are “illegal human experiments,” they just rob you blind and pwn your systems. Yes, it may take some political fandango to get the right folks on board with the tests, but the alternative is to clean up the mess later. – MR
Walk the walk – A while back we were talking about getting started in security over at The Network Security Podcast, and one bit of consensus was that you should try and spend some time on a help desk, as a developer, or as a systems or network administrator, before jumping into security. Basically spend some time in the shoes of your eventual clients. Jack Daniels suggests going a step further and “think like a defender”. Whenever I see someone whining about how bad we are at security, or how stupid someone is for not making “X” threat their top priority, odds are they either never spent time in an operational IT position, or have since forgotten what it’s like. And for those defenders, quite a few seem to forget the practical realities of keeping users up and running on a daily basis. Hell, same goes for researchers who forget the pressures of developing on budget and target. Whatever your role in security, try to understand what it is like on the other side. – RM
Good enough needs to be good enough… – Interesting and short piece on fudsec.com this week from Duncan Hoopes addressing whether this concept of good enough permeating the web world is a good or bad thing for security. At times like these, the pragmatist in me bubbles to the surface. We have to work with our budgets and resources as they are. We could always use more, but probably aren’t going to get it. So we rely on “good enough” by necessity, not as a primary goal. But the reality is we can never really be done, right? So our constant focus on reacting faster and incident response are driven by the reality that no matter how much we do, it’s not enough. Gosh, it would be great to have HiFi security. You know, whatever you need to really solve the problem. But that never lasts, and soon enough you’d need an AM radio with a single speaker because that’s all the money left in the budget. – MR
Carry on – To my mind, David Mortman’s post on Broken Promises and Mike Rothman’s post on In Search of … Solutions are two parts of the same idea. Does a technology solve, partially or completely, the business problem it’s positioned to solve? But Mike complains that vendors trying to pass off a mallet as a mouse trap just doesn’t cut it, and customers need to ask for a better mouse trap. Mort is saying: stop bitching about the mouse trap because it isn’t perfect but at least solves much of the problem. These posts, along with Jack Daniel’s post on Time for a new mantra, are more about the frustrations of the security community’s inability to make meaningful changes. Seriously, being a security professional today is like being an anti-smoking advocate … in 1955. It’s difficult for the business community to care about unknown consequences or unknown damages, or even to believe proposed security precautions will help. But security professionals self-flagellate over our inability to get management to understand the problem, and vendors’ failure to make better products, and IT departments’ failure to efficiently implement security programs. Ultimately security teams and vendors are not the agents of change – the business has to be, and it will be a long time before businesses embrace security as a required function. – AL
tmz.com, and then some of them will tell all their friends. – MR