Back before Jerry Garcia moved on to the big pot cloud in the sky, I managed security at a couple of Dead shows in Boulder/Denver. In those days I was the assistant director for event security at the University of Colorado (before a short stint as director), and the Dead thought it would be better to bring us Boulder guys into Denver to manage the show there since we’d be less ‘aggressive’. Of course we all also worked as regular staff or supervisors for the company running the shows in Denver, but they never really asked about that.
I used to sort of like the Dead until I started working Dead shows. While it might have seemed all “free love and mellowness” from the outside, if you’ve ever gone to a Dead show sober you’ve never met a more selfish group of people. By “free” they meant “I shouldn’t have to pay no matter what because everything in the world should be free, especially if I want it”, and by mellow they meant, “I’m mellow as long as I get to do whatever I want and you are a fascist pig if you tell me what to do, especially if you’re telling me to be considerate of other people”. We had more serious injuries and deaths at Dead shows (and other Dead-style bands) than anywhere else. People tripping out and falling off balconies, landing on other people and paralyzing them, then wandering off to ‘spin’ in a fire aisle. Once we had something like a few hundred counterfeit tickets sold for the same dozen or so seats, leading to all sorts of physical altercations. (The amusing part of that was hearing what happened to the counterfeiter in the parking lot after we kicked out the first hundred or so).
Running security at a Dead show is like eating an elephant, or
running a marathon. When the unwashed masses (literally – we’re
talking Boulder in the 90s) fill the fire aisles, all you can do is walk
slowly up and down the aisle, politely moving everyone back near
their seats, before starting all over again. Yes, my staff were fascist pigs, but it was that or let the fire marshal shut the entire thing down (for real – they were watching). I’d tell my team to keep moving slowly, don’t take it personally, and don’t get frustrated when you have to start all over again. The alternative was giving up, which wasn’t really an option. Because then I wouldn’t pay them.
It’s really no different in IT security. Most of what we do is best approached like trying to eat an elephant (you know, one bite at a time, for the 2 of you who haven’t heard that one before). Start small, polish off that spleen, then move on to the liver.
Weirdly enough in many of my end user conversations lately, people seem to be vapor locking on tough problems. Rather than taking them on a little bit at a time as part of an iterative process, they freak out at the scale or complexity, write a bunch of analytical reports, and complain to vendors and analysts that there should be a black box to solve it for them. But if you’ve ever done any mountaineering, or worked a Dead show, you know that all big jobs are really a series of small jobs. And once you hit the top, it’s time to turn around and do it all over again.
Yes, you all know that, but it’s something we all need to remind ourselves of on a regular basis. For me, it’s about once a quarter when I get caught up on our financials.
One additional reminder: Project Quant Survey is up. Yeah, I know it’s SurveyMonkey, and yeah, I know everyone bombards you with surveys, but this is pretty short and the results will be open to everyone.
(Picture courtesy of me on safari a few years ago).
And now for the week in review:
Webcasts, Podcasts, Outside Writing, and Conferences
- A ton of articles referenced my TidBITS piece on Apple security, but most of them were based on a Register article that took bits out of context, so I’m not linking to them directly.
- I spoke at the TechTarget Financial Information Security Decisions conference on Pragmatic Data Security.
Favorite Securosis Posts
- Rich: I flash back to my paramedic days in The Laws of Emergency Medicine—Security Style.
- Adrian: How Market Forces will Affect Payment Processing.
Other Securosis Posts
- Application vs. Database Encryption
- Database Encryption, Part 2: Selection Process Overview
- iPhone Security Updates
- Facebook Monetary System
Project Quant Posts
Favorite Outside Posts
- Adrian: Rsnake’s RFC1918 Caching Problems post.
- Rich: Rothman crawls out from under the rock, and is now updating the Daily Incite on a more-regular basis again. Keep it up Mike!
Top News and Posts
- Microsoft Office Security Updates.
- iPhone 3G S. I smell another Securosis Holiday coming up.
- T-Mobile Confirms data theft.
- Snow Leopard is coming!
- No penalty apparently, but the Sears data leak fiasco is settled.
- Black Hat founder appointed to DHS council. Congrats Jeff, well done.
- VM’s busting out.
- Symantec and McAfee fined over automatic renewals.
- China mandating a bot on everyone’s computer. Maybe that isn’t how they see it, but that’s what’s going to happen with the first vulnerability.
- Security spending is taking a hit.
- Critical Adobe patches out.
- Mike Andrews points us to a Firefox web app testing plugin set
- Bad guys automating Twitter phishing via trending topics.
Blog Comment of the Week
This week’s best comment comes from Allen in response to the State of Web Application and Data Security post:
…
I bet (a case of beers) that if there was no PCI DSS in place that every vendor would keep credit card details for all transactions for every customer forever, just in case. It is only now that they are forced to apply “pretty-good” security restrictions on the data that the price is no longer negligible so they are fighting to get rid of the information. Its like Moses on Mount Sinai when G-d presented the ten commandments to him –
“I have this tablet with 5 commandments on it. Do you want it?”
“How much is it?”
“Its free”
“I’ll take two.”
Getting business to understand that protecting information costs money and getting rid of some information is a quick win is half the battle won. I think PCI has done that for some companies and the only issue that I have with PCI is that it is not applied to all information.
Comments