
Incite 9/14/2011: Mike and the Terrible, Horrible, No Good, Very Bad Day

By Mike Rothman

I have been looking forward to this day… well, since the Falcons’ season was abruptly cut short by a rampaging Pack last January. We had a little teaser with that great game Thursday, and although both teams couldn’t lose, having the Saints drop a tough one was pretty okay. I weathered a tumultuous lockout during the offseason. Even a bumpy pre-season for both my teams (NY Giants and ATL Falcons) couldn’t deter my optimism. Pro football started Sunday and I was fired up.

Yeah, this guy had a pretty bad day…

The weekend was going swimmingly. I was able to survive a weekend with the Boss away with her girlfriends. With a little help from our friends, I was able to successfully get the Boy to his football practice, XX2 to her softball game, and both girls to dance practice Saturday. I got to watch a bunch of college football (including that crazy Michigan/Notre Dame game).

The kids woke Sunday in a good mood when I got them ready for Sunday school. I got some work done and then got ready to watch the games at a friend’s house. Perfect. Until they started playing the games, that is. The Falcons got crushed. Ouch. They looked horrible, and after all the build-up and expectations it was rather crushing. It was terrible for sure.

I do this knock-out pool, where you pick one team a week and if they win, you move on. If they lose, you are out. You can’t pick the same team twice, and it’s a lot of fun. But I’ve shown my inability to get even the easiest games right – I have been knocked out in the first week 2 of the last 3 years. Of course, I picked Cleveland because Cincinnati is just terrible, with a new QB and all. Of course Cleveland lost and I’m out. Yeah, that’s horrible. Just horrible.

But things couldn’t get worse, right? The Giants were in Washington and they’ve owned the Redskins for years. Until today. The Giants have a ton of injuries, especially on defense. And it showed. They couldn’t stop a high school team. Their offense wasn’t much better. Man, tough day. Looking at the schedule, both teams dropping their games this week will hurt. Yup, that’s a no good day.

And to add insult to injury, as I’m mumbling to myself in the corner, the Boy comes downstairs with his Redskins jersey on. Just to screw with me. Seriously. I know I shouldn’t let an 8-year-old get under my skin, especially the day before his birthday, but I wasn’t happy. Maybe I’ll laugh about it by the time you read this on Wednesday, but while I’m writing this on Sunday night, not so much. I sent him upstairs with a simple choice. He can change his shirt or I could insert a few metatarsals into his posterior region. It’s very bad when I can’t even handle a little chiding from my kids.

It was a terrible, horrible, no good, very bad day. But putting everything in context, it wasn’t that bad. I’ve got my health. I do what I love. My biggest problems are about getting everything done. Those are good problems to have. An embarrassment of good fortune, and I’ll take it. Especially given how many around the world were mourning the loss of not only loved ones, but their freedom, as we remember the 9/11 attacks.

-Mike

Photo credits: “bad day” originally uploaded by BillRhodesPhoto


Incite 4 U

  1. Design for FAIL: Part of the mantra of most security folks is to think like an attacker. You need to understand your adversary’s mindset to be able to defend against their attacks. There is some truth to that. But do you wonder why more security folks and technology product vendors don’t do the same level of diligence when designing their products? Mostly because it’s expensive, and it’s hard to justify changing things (especially the user experience) based on an attack that may or may not happen. Lenny Z makes a good point in his post Design Information Security With Failure in Mind, where he advocates taking lessons from ship builders. I’d put airplane manufacturers in the same boat. They intentionally push the limits, because people die if a cascade of failures sinks a ship. Do your folks do that with IT systems? With security? If not, you probably should. It’s not about protecting against a Black Swan, but eliminating as much surprise as we can. That’s what we need to do. – MR

  2. Jackass punks: No, this isn’t a diatribe against Lulzsec. Imagine you’re sitting at home and you start getting weird emails from some self-proclaimed degenerate who starts talking about showing up at your house. And you get emails from motels this person stayed at, holding you responsible for damages. And the person was on the lam from the law. Heck, they even have their own MySpace page. MySpace? Okay, that’s probably the first clue this is a scam, or a Toyota marketing campaign gone horribly wrong. Toyota set up a site where people could enter the personal details of their friends (or… anyone), who would then be subject to a serious Ashton Kutcher-style punking. Talk about insanely stupid. As much as we bitch about security marketing, this definitely takes the cake. While I don’t think $10M in damages is reasonable, Toyota certainly earned the lawsuit. – RM

  3. Pay-nablement: It’s easy to do online payment. The trick is in doing it securely, and I am not so sure that the ‘Buyster’ payment system has done anything novel for security. Buyster links your phone number to a bank account. To use the service you need to enter your phone number and a password – what could go wrong? In return you get a payment token via a message, which you can then pass to a merchant. This model keeps the credit card number off the merchant site, but they would need to modify their systems to accept the token and link to the Buyster payment processor. Not unlike a one-time-use credit card number. Text message or email delivery of the token is not clear – nor is it clear whether they validate the phone through a SIM card, certificate, or token – it’s trivial to clone a phone. Most payment systems like this are not all that secure, as phone numbers and IMs can be faked, and passwords can be guessed or sniffed via MITM. This looks like another quasi-secure payment enablement system in the mobile payment land grab, minus the consumer protections provided by credit card liability limits. Details, details. – AL

  4. How deep is deep enough for the DoJ? At the Intel Developer Forum this week, the chip guys and their new toy McAfee announced a new integration called DeepSAFE, purported to protect computers below the OS level. Obviously rootkits are a big problem, so a method for ensuring control at the hardware level would be useful. Intel/McAfee didn’t talk necessarily about protecting a virtualized infrastructure below the hypervisor, but that’s another obvious use case (for an attack we haven’t really seen yet). So maybe the Intel/McAfee deal was about more than financial engineering – but probably not. I can imagine the folks at Symantec and Trend gnashing their teeth at all the grin-fracking Intel did about providing open access to the hardware APIs during the anti-trust investigation of that deal. I guess there are different definitions of open access. – MR

  5. HIPAA fines? Unlikely: Companies are being warned that HIPAA is to be taken seriously. Why now, all of a sudden? The Department of Health and Human Services will now get a percentage of the fines. We have been hearing how HIPAA will enforce the regulation for almost a decade with only a single major example. Look at PCI as an indicator: There were several major incidents, including Worldcom and Enron. Now, as illustrated by off balance sheet assets and collateralized debt obligations, it’s clear PCI enforcement is no longer fashionable. I expect HIPAA will follow the same path into irrelevance. Compliance remains the top motivator for the purchase of security products so if the HHS does begin to fine you should look for a considerable uptick in masking, encryption, and DLP technology sales. I expect a lot of hot air, without enforcement. Same old, same old. – AL

  6. An iTunes mystery: When I first started hearing about fraud on people’s iTunes accounts I assumed they were a result of some sort of standard hack or stupidity. But as Lex Friedman lays out at Macworld, I may have rushed to judgment. People’s prepay credits are disappearing, and it looks like accounts are being attacked in some way other than brute force password guessing. Credit cards are safe, but that might be due to the bad guys worrying about fraud or being stopped by CVV numbers. Still, it’s a fascinating mystery – one Apple clearly isn’t talking about, shockingly enough. Looking at it, I almost have to assume some sort of deep systemic flaw in their system, or some widespread hack and harvesting of credentials across multiple platforms. I’m stumped and curious, and if you have any ideas, please drop them in the comments. – RM

  7. Perimeter security re-architecture? The cat’s out of the bag: The folks at TheInfoPro (bought by 451 recently) wrote a little love note to Palo Alto recently, showing how thoroughly they have won the mindshare battle for next generation, application-aware firewalls. Many folks are looking at them, and they serve multiple purposes. If I were Websense or Blue Coat, I would probably be soiling my undergarments right now. Regardless of what the Big G says about the lack of consolidation in the large enterprise, it’s hard to envision a perimeter of 4-5 distinct devices a few years from now. Web filters are likely the first to go, and stand-alone IDS/IPS next. Why? Because moving to application-based policies (as opposed to port/protocol policies) duplicates much of the value of today’s IPS. Will this happen overnight? Nope. Will every network security vendor converge on this application-aware reality of a new type of perimeter security gateway? Yup. And the boxes are getting better, as evidenced by Joel Snyder’s recent review of the Palo Alto box. Also check out David Newman’s performance test, which shows PAN scales up pretty well, but slows down when turning on multiple things – such as SSL and IPS. Guess Nir Zuk is constrained by the laws of physics after all. – MR

Comments

Re point 1, taking this approach as an incumbent takes a lot of courage and credibility.  For years, our industry has been selling our execs that if we buy technology X and change business process Y, we’ll be secure.  Now, we know that isn’t working out well but there’s a lot of reluctance to go back and say “you know all that stuff we’ve bought, it probably isn’t going to work as well as I said it would, so I need to spend some more money to deal with the failures”.  People are too afraid of losing their jobs to make that case, I think.

Re point 7, I don’t disagree with you but I suggest IDS/IPS will go before web content filtering. If I look at my network, which isn’t particularly different from most, I have lots of firewalls (for example, for “lite” DMZs in remote offices) but my users don’t browse through them all. I don’t like having to have what is largely an ineffective device (IDS) in tandem with every firewall, so I am highly motivated to use integrated capabilities, and UTMs have offered this for years.

I have just a few places I need web content systems, so I am not overly fussed about the redundancy.

By ds

