Incite 1/25/2011: Prized Possessions
By Mike Rothman
So I was sitting in Dunkin Donuts Sunday morning, getting in a few hours of work while the kids were at Sunday school. You see the folks who come in and leave with two boxes of donuts. They are usually the skinny ones. Yeah, I hate them too. You see the families with young kids. What kid doesn’t totally love the donuts? You snicker at the rush at 11am when a local church finishes Sunday services and everyone makes a mad dash for Dunkin and coffee.
You see the married couples about 20 years in, who sit across from each other and read the paper. You see the tween kids fixated on their smartphones, while their parents converse next to them. It’s a great slice of life. A much different vibe than at a coffee shop during the week. You know – folks doing meetings, kibitzing with their friends while the kids are at school, and nomads like me who can’t get anything done at the home office.
There is an older couple who come in most Sundays. They drive up in a converted van with a wheelchair ramp. The husband is in pretty bad shape – his wife needs to direct his wheelchair, as it seems he has no use of his hands. They get their breakfast and she feeds him a donut. They chat, smile a bit, and seem to have a grand time.
I don’t know what, but something about that totally resonates with me. I guess maybe I’m getting older and starting to think about what the second half of my life will be like. The Boss is a caretaker (that’s just her personality), so should I not age particularly well, I have no doubt she’ll get a crane to load me into my wheelchair and take me for my caffeine fix.
And I’d do the same for her. She probably has doubts because I’m the antithesis of a caretaker. On the surface, it’s hard to imagine me taking care of much. But we entered a partnership as kids (we got married at 27/28) without any idea what was in store. Just the knowledge that we wanted to be together. We have ridden through the good and bad times for over 15 years. I will do what needs to be done so she’s comfortable. For as long as it takes. That’s the commitment I made and that’s what I’ll do. Even if she doesn’t believe me.
We were out last weekend with a bunch of our friends, and we played a version of the Newlywed Game. One of the questions to the wives was: “Name your husband’s most prized possession.” The answers were pretty funny, on both sides. A bunch of the guys said their wife or their kids. Last time I checked, a person isn’t a possession, but that’s just me. But it was a cute sentiment.
The Boss was pretty much at a loss because I don’t put much value on stuff, and even less value on people who are all about their stuff. I figured she’d say our artwork, because I do love our art. But that’s kind of a joint possession so maybe it didn’t occur to her. She eventually just guessed and said, “Mike’s iPad is his most prized possession.” That got a chuckle from the other couples, but she wasn’t even close. My iPad is a thing, and it will be replaced by the 3rd version of that thing when that hits in 60-90 days. I like my iPad and I use it every day, but it means nothing to me.
The answer was obvious. At least it was to me. Maybe she missed it because it’s so commonplace. It’s with me at all times. It’s easy to forget it’s even there. But for me, it’s a reminder of what’s really important. Of the thing I value the most. My most prized possession is my wedding ring. And there is no second place.
Photo credits: “Nobel-Prize” originally uploaded by Abhijit Bhaduri
We started two new series this week, so check them out and (as always) let us know what you think via comments.
- Bridging the Mobile Security Gap: Staring down Network Anarchy: This series will focus on how we need to start thinking a little more holistically about the tidal wave of mobile devices invading our networks.
- Implementing and Managing a DLP Solution: Rich is taking our DLP research to the next level by getting into the specifics of deployment and ongoing management of DLP. It’s not enough to just pick a solution – you need to make it work over time.
And remember you can get our Heavy Feed via RSS, where you can access all our content in its unabridged glory.
Incite 4 U
Cyberjanitors: Someone needs to clean up the mess: I’m not a big fan of poking someone in the eye without offering potential solutions. Jeff Bardin goes after RSA a bit, particularly their focus on response, which means they have given up on stopping attackers. Wait, what? Sorry man, there’s doing what you can to stop the bad guys before they get it, and then there’s Mr. Reality. Jeff is calling for “true innovative thought that uses cyber intelligence, counterintelligence and active defense and offensive measures…” WTF? Like what, launching DDoSes on everyone you think might attack or be attacking? I hate this puffery. Yeah, don’t wait to be attacked, go get ‘em, tiger! Well, Jeff, how do you suggest we do that? There were always those guys who gave the janitors a hard time in high school. Making a mess and generally being asses. They didn’t understand that not everyone gets to chase shiny objects. Someone has to pull out the mop and clean up the mess because there is always a mess. Do we need to innovate more? Clearly. But saying that a focus on detection and response is giving up is ridiculous. – MR
Overaggressively managing reputation: Comments are one of the truly great features of the Internet, giving people fora to voice their opinions – especially when it comes to crappy products and services. Fora are also havens for spambots, paid shills, and retarded trolls with nothing better to do than spew hatred. Thankfully most people can tell the difference and the misuse is self-defeating. But many small business owners don’t get this and hire ‘reputation management’ firms. Sometimes this is based upon their fear of bad reviews, but usually it’s because they want to bury crappy business practices. Rexxfield and Reputation Defender draw my ire, partially because I consider their business model anti-democratic – their offerings mostly consist of legal threats and Search Engine Optimization (SEO, or Google spamming). Or so I thought – but the latest accusation is that Rexxfield is illegally hacking sites to drop index tags so Google bots don’t index the unwanted material, or to prevent the comments from being displayed. Their tool – called Googlecide – allegedly injects commands to alter a site’s metadata, but I imagine there are a handful of other methods they could employ, depending on the underlying site engine. Whether Rexxfield is guilty or not, I am willing to bet someone is doing this – but it requires a shockingly poor understanding of social media and is an easily traceable hack. Like monkeys with loaded handguns, this cannot end well. – AL
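As an added illustration (not part of the original Incite item, and making no claim about how Rexxfield’s tool actually works): the defender-side check a site owner would want here is to compare the indexing directives a page actually serves against what they intended. The script below scans served HTML for robots meta tags and the X-Robots-Tag response header and flags de-indexing directives that should not be there. The sample pages and headers are constructed for this example.

```python
"""Spot unexpected de-indexing directives in a page you operate.

Added example, not code from the Securosis post. A content owner who
suspects a third party has tampered with their pages can run this over
the HTML and headers their server actually returns and compare the
result with the indexing state they intended.
"""
from html.parser import HTMLParser

# Directive tokens that stop or weaken search indexing of a page.
BLOCKING = {"noindex", "none", "nosnippet", "noarchive"}

# Meta tag names that carry crawler directives.
ROBOTS_META_NAMES = {"robots", "googlebot", "bingbot"}


class _RobotsMetaParser(HTMLParser):
    """Collect (name, content) pairs from robots-style <meta> tags."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)  # attribute names are already lowercased
        name = (a.get("name") or "").strip().lower()
        if name in ROBOTS_META_NAMES:
            self.directives.append((name, (a.get("content") or "").lower()))


def _blocking_tokens(value):
    """Yield blocking tokens from a comma-separated directive string.
    Handles the 'googlebot: noindex' form used in X-Robots-Tag headers."""
    for tok in value.split(","):
        tok = tok.strip().lower()
        if ":" in tok:
            tok = tok.split(":", 1)[1].strip()
        if tok in BLOCKING:
            yield tok


def find_deindex_directives(html, headers=None):
    """Return [(source, directive), ...] for every directive in the page
    body or HTTP headers that would keep it out of search results.
    `headers` is a dict of response headers (case-insensitive names)."""
    found = []
    parser = _RobotsMetaParser()
    parser.feed(html)
    for name, content in parser.directives:
        for tok in _blocking_tokens(content):
            found.append(("meta:" + name, tok))
    for key, value in (headers or {}).items():
        if key.lower() == "x-robots-tag":
            for tok in _blocking_tokens(value):
                found.append(("header:x-robots-tag", tok))
    return found


def audit_page(html, headers=None, expected_blocked=False):
    """True when the page's indexing state matches the owner's intent,
    False when a de-indexing directive is present that should not be
    (or absent when it should be present)."""
    blocked = bool(find_deindex_directives(html, headers))
    return blocked == expected_blocked


# Constructed sample pages (not real sites).
CLEAN_PAGE = (
    '<html><head><title>Reviews</title></head>'
    '<body><p>Terrible service, would not return.</p></body></html>'
)
TAMPERED_PAGE = (
    '<html><head><title>Reviews</title>'
    '<meta name="robots" content="noindex, nofollow"></head>'
    '<body><p>Terrible service, would not return.</p></body></html>'
)
TAMPERED_HEADERS = {"Content-Type": "text/html", "X-Robots-Tag": "googlebot: noindex"}

if __name__ == "__main__":
    for label, page, hdrs in [("clean", CLEAN_PAGE, {}),
                              ("meta-tampered", TAMPERED_PAGE, {}),
                              ("header-tampered", CLEAN_PAGE, TAMPERED_HEADERS)]:
        print(label, find_deindex_directives(page, hdrs), "ok" if audit_page(page, hdrs) else "ALERT")
```

Run it against the HTML and headers fetched from your own production host rather than a local copy, since a tampered page only shows up in what the server actually serves; a page you deliberately keep out of search engines is audited with `expected_blocked=True`.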
Thomas gets owned: Years ago I was in a foreign country talking to people. I can’t tell you the year, country, or names – for reasons that will be obvious in about a sentence. They were involved with a government agency that ran the municipal trains. Or maybe it was a private company. And perhaps they were national trains. Or not… I really shouldn’t say. We were talking about security and I started talking SCADA. The two managers in the room made eye contact as I started pointing out the issues of connecting control systems to the Internet. I paused. I asked if they had had any… issues. And maybe at some point in time a former disgruntled contractor might have remotely accessed train controls. Possibly they affected running trains. Theoretically this happened on two separate occasions. But no. Certainly. Certainly trains couldn’t have been crashed if said former contractor had been a tad angrier. Or a tad more intoxicated. In light of some unexplained hacks of a US train system this seems far less hypothetical. Then again, it was over 10 years ago that I sat in that room and listened to their stories, and for most of these years we have been told that these sorts of things can’t happen. At least, that’s what they say outside the room. – RM
An ounce of prevention… The title of Don Bailey’s Dark Reading post I Left My Data In El Segundo made me laugh – both because of the irony that “I Left My Heart In San Francisco” was playing in the background when I stumbled across the post, and because I have been to the decidedly un-San-Francisco-like city of El Segundo. (shiver) But while Don had me with the intro, I wouldn’t have steered the article onto a discussion of two-factor authentication for corporate security – instead I would have gone into individuals’ need to protect personal data. Personal VPN tunnels, Full Disk Encryption, and strong password management vaults are not only effective – they don’t interrupt my work. If your laptop falls into the wrong hands, you’re covered. Your stuff can’t be intercepted in the hotel lobby. Heck, full drive encryption on the Mac is so good I forget it’s there. NoScript is very effective for protecting my browser – although it is limited to the crappy Firefox – and only rarely interferes with accessing content. Security need not be the impediment to productivity it once was, but it does require you give a $#(%) and take a few preparatory steps. If you travel with a laptop you need to spend a few minutes to protect yourself before your next trip! No excuses – it’s simple and cheap! – AL
Do you think you’re Superman? Lenny Z brings up an interesting point, talking about the Illusion of Invulnerability. He mentions a study about how many healthcare professionals don’t wash their hands enough because they feel somewhat invulnerable to all the mess around them. They need to feel this way – we wouldn’t have many doctors or nurses to care for and treat patients, if they consciously thought about their chances of getting the bubonic plague or all the other diseases which are conveniently available in a hospital. Does this apply to security folks? Are we less cautious because it only happens to the other guys? Do we skirt our own policies because we’d never fall for that ruse? I don’t think I do – given my reliance on OpenVPN, 1Password, and single site browsers (as Adrian mentioned above), but maybe there is something here. Especially given how often I roll my eyes when Rich describes the latest (20th) hoop we have to jump through to log into our own damn website. I’m pretty sure he’s clear on our vulnerability. – MR
I will keep this very short and simple. Apple announced their earnings, and their last quarter was the second most profitable quarter of any company in history. In 3 months they signed up 85 million iCloud users. In 2011 they sold more iPhones than in every previous year combined. Apple’s profits exceeded Google’s revenue. If you do not think the cloud and mobility will change every single aspect of your security operations within the next 5-10 years you should retire. Quickly. (Thanks to John Gruber for compiling all these links.) – RM
Hacking yourself is getting easier: I should dig up the first time I used the phrase “hack yourself.” It had to be 2007 or even earlier. I have been tilting at windmills, regarding penetration testing and using live ammo on your defenses, for a long time – to minimize the surprise when real attackers do their thing. So when I see that Metasploit has an AMI so you can run a pen test tool on AWS, it’s awesome. The low bar defined by HD Moore’s Law just got lower. Now you can’t even use the excuse of not having a spare machine around to run the tool. But make sure you adhere to the service terms, which are described in that post, or Amazon will toss you out on your butt. And our man Krebs points out a Simple Phishing Toolkit that makes it really easy to phish your employees to (hopefully) teach them why they shouldn’t just click on stuff. The bad guys are using these tools to break your stuff – so shouldn’t you be using them too, if only to figure out how successful they’ve been and will be on their next pass? – MR