Incite 8/31/2011: The Glamorous LifeBy Mike Rothman
It was a Sunday like too many other Sundays. Get up, take the kids to Sunday school, grab lunch with friends, then take the kids to the pool. Head home, shower up, and then kiss the Boss and kids goodbye and head off to the airport. Again. Another week, another business trip. It’s a glamorous life.
I pass through security and suffer the indignity of having some (pleasant enough) guy grope me because I won’t pass through an X-ray machine because the asshats at TSA don’t understand the radiation impact. Maybe it makes other folks feel safe, but it’s just annoying to people aware of how ridiculous airport security theater really is. Man, how glamorous is that experience?
When I arrive at my destination (at 1am ET), I get on a tram with all the other East Coast drones and wait in a line to get my rental car. The pleasant 24-year-old trying to climb the corporate ladder by dealing with grumps like me reminds me why I shouldn’t depend on my AmEx premium rental car insurance. I not-so-politely decline. She doesn’t want an explanation of why she is wrong, and I don’t offer it. Glamor, baby, yeah!
I get to the hotel, which is comfortable enough. I sleep in a bit (since I’m now on the West Coast), and at 5am realize the hotel is literally right next to mass transit. Every 5 minutes, a train passes by. Awesome. I’m glad my body thinks it’s 8am or I’d probably be a bit upset. And the incredible breakfast buffet is perfect. Lukewarm hard-boiled eggs for protein. And a variety of crap cereals. At least they have a waffle maker. So much for my Primal breakfast. With this much glamor, I’m surprised I don’t see Trump at the buffet.
But then my strategy day starts, and now I remember why I do this. We have a great meeting, with candid discussions, intellectual banter, and lots of brainstorming. I like to think we made some progress on my client’s strategic priorities. Or I could be breathing my own exhaust. Either way, it’s all good. I find a great salad bar for dinner and listen to the Giants’ pre-season game on my way back to the hotel. Sirius in the rental car for the win.
When I wake up the next morning, it’s different. Thankfully the breakfast buffet isn’t open yet. I head to the airport. Again. It takes me little while to find a gas station to fill up the car. Oh well, it doesn’t matter, I’m going home. I pass through security without a grope, get an upgrade, and settle in. As we take off, I am struck by the beauty of our world. The sun poking through the clouds as we climb. The view of endless clouds that makes it look like we are in a dream. The view of mountains thousands of feet below. Gorgeous. So maybe it’s not a glamorous life, but it is beautiful. And it’s mine. For that I’m grateful.
Photo credits: “Line for security checkpoint at Hartsfield-Jackson Airport in Atlanta” originally uploaded by Rusty Tanton
Incite 4 U
Painting the Shack gray: If you know Dave Shackleford, it’s actually kind of surprising to see Dave discuss the lack of Black or White in the security world. He’s not your typical shades-of-gray type guy. Dave will go to the wall to defend what he believes, and frequently does. A lot of the time, he’s right. In this post he makes a great point, which I paraphrase as everyone has their own truth. There are very few absolutes in security or life. What is awesome for you may totally suck for me. But what separates highly functioning folks from assholes is the ability to agree to disagree. Unfortunately a lot folks fall in the asshole camp because they can’t appreciate that someone else’s opinion may be right, given their own different circumstances. I guess you need to be wrong fairly frequently (as I have throughout my career) to learn to appreciate the opinions of other folks, even if you think they are wrong. – MR
Betting on the wrong cryptohorse: I will be the first to admit that I never went to business school, although I did manage IT at one. So I probably missed all those important MBA lessons like how to properly teamify or synergistically integrate holistic accounting process management. Instead I stick to simple rules like, “Don’t make it hard for people to give you money,” and “Don’t build a business that completely relies on another company that might change its mind.” For example, there are a few companies building out encryption solutions that are mostly focused on protecting data going into Salesforce.com. Seems like the sort of thing Salesforce themselves might want to offer someday, especially since data protection is one of the bigger inhibitors of their enterprise customer acquisition process. So we shouldn’t be surprised that they bought Najavo Systems. Great for Navajo, not so much for everyone else. Sure, there are other places they can encrypt, but that was the biggest chunk of the market and it won’t be around much longer. On that note, I need to get back to coding our brand new application. Don’t worry, it only runs on the HP TouchPad – I’m sure that’s a safe bet. – RM
Cutting off their oxygen: Brian Krebs’ blog remains a favorite of mine, and his recent posts on Fake AV and Pharma Wars read like old-fashioned gangsters-vs.-police movies. Fake AV is finally being slowed by very traditional law enforcement methods, as Ed Bott pointed out in his analysis of MacDefender trends. Identifying the payment processors and halting payments to the criminal organizations, as well as arresting some of the people directly responsible, actually works. Who knew? The criminals are using fake charities to funnel money to politicians in order to protect their illegal businesses. Imagine that! We know defenses and education to help secure the general public are ineffective, and clearly we need a multi-national law-enforcement component to deal with multi-national threats. Brian Krebs and others are doing great work spotlighting the problem! Keep fighting the good fight, Brian. – AL
Hiding in plain sight: Great analysis here by the F-Secure research team to find the actual email that started the EMC/RSA breach. I guess someone at EMC thought it was a good idea to upload it to Virustotal, where any researcher can find it and publish exactly what happened. While everyone was up in arms about what EMC/RSA wasn’t telling us, the actual attack was right there for everyone to see – if you only knew where and how to look. It’s not like we learned anything we didn’t know already about the attack, but it is interesting to be able to see and stage the attack. Though I differ a bit with F-Secure’s conclusion that this was an advanced attack. It wasn’t. Sure, it used a zero-day, but the tactics were not sophisticated at all. On the other hand, the attacker is clearly advanced. Big difference. – MR
Facebook declares bug victory – just ask them: Facebook considers its bug bounties a success, with a whopping $40,000 paid out so far. That’s at least 40 security bugs, and probably equal to their toilet paper bill for a month. For those of you who have run a QA organization, staffing the talent needed to find these bugs is a far more significant investment that $40k, so from that standpoint it’s a huge win. With Google’s and Amazon’s recent bug bounty successes, this model appears to have proven itself. To be clear, this is just low-hanging fruit – we can only hope these types of programs will be used as ad hoc review to supplement – but not as a substitute for – secure software development programs. They all need secure development to escape the hamster wheel of pain. – AL
Fighting bad habits: I started the Securosis blog a little over 5 years ago. That was back when I was still working at Gartner, and had no intention of starting my own analyst firm. Seriously, what kid of idiot starts an analyst firm? Anyhoo, over that time blogging has changed significantly. We don’t get nearly the number of comments we used to, and far fewer people maintain blogs or engage in community discussions (otherwise known as blog wars). Heck, my blogging has changed – in both tone and quantity – as I started to share this platform with others and build a business around it. Martin’s post on his relationship between blogging and work really hit a nerve. I ran into some of the same employer issues at Gartner (my fault, not theirs). Today I struggle with keeping the quality (and quantity) of writing up when I’m hammered with massive deadlines and a huge backlog of work to finish. Of course, adding 2 kids to the mix probably doesn’t help. It’s a lot harder to jumpstart the creative juices when so few people engage in cross-blog dialogs anymore. Sorry, folks, but Twitter doesn’t cut it for real dialogue. But in the end I hope the work and writing here speaks for itself – even when the words aren’t always mine, and even when it’s a bit sparser than back in the days when I whined about responsible disclosure for 12 hours each day. – RM
Get me some marshmallows with that PacketMotion: VMWare is at it again. Buying some technology for presumably a good price to continue fleshing out their plans for datacenter domination. Why do I think it was a fire sale? The deal didn’t even warrant a press release, as VMWare just announced it via a blog post. That must make the PacketMotion team just ecstatic. Welcome, new employees, we value your company so little we won’t pay $500 to formally welcome you. That just rocks. Kidding aside, this deal makes sense. Given that visibility remains a key issue for embracing this cloud thing, PacketMotion is a good fit for VMWare – offering the ability to derive some decent visualizations and reports. Given our preference to Monitor Everything, this give VMW more capabilities to bundle with their turnkey infrastructure. – MR