As have been overly reported over the past week, Steve Jobs is gone. As Rich so adroitly pointed out, “His death hit me harder than I expected. Because not only do we not have a Steve Jobs in security, we no longer have one at all.” You know, someone who seems to be the master of the universe. Perfection personified. Of course, the reality is never perfection. But what’s perfect is imperfection.

Jobs failed. Jobs started over. He took chances and ultimately triumphed. Jobs had the perspective you wished you could have. This is clearly demonstrated by what I believe to be the best speech written in my lifetime (at least so far), Steve Jobs’ Stanford Commencement speech. Why? Because if you pay attention, really pay attention to the words, it’s about the human struggle. Do what you love. Follow your own path. Don’t settle for mediocrity. Live each day to the fullest. Realize we are here for a short time, and act accordingly. It’s not trite. You can and should strive for this.

You see impact and legacy works itself out, depending on the actions you take every day. Probably none of us will have an impact like Steve Jobs. Nor should we. You don’t need to be Steve Jobs. Just be you. You don’t have to change the world. Just make it a little better. Be a giver, not a taker. Believe in some kind of karma. Pay it forward. Do the right thing. Lead by example, and hopefully people around you will do the right thing ti. If that happens, we all win, collectively.

I’m not going to say don’t change the world. Or don’t try. We need folks who want to change things on a massive scale, and will do the work to make it happen. My point is that it doesn’t have to be you. As Steve Jobs said,

“Your time is limited, so don’t waste it living someone else’s life. Don’t be trapped by dogma – which is living with the results of other people’s thinking. Don’t let the noise of others’ opinions drown out your own inner voice. And most important, have the courage to follow your heart and intuition. They somehow already know what you truly want to become. Everything else is secondary.”

Change happens in many forms. We all want to leave the world better than when we got here. That’s what I’m working for. It’s not my place to strive for a legacy or to worry about my impact. All I can do is get up every day and do something positive. Some days will go better than others. And eventually (hopefully many years from now), I’ll be gone. Then it will be up to others to figure out my impact and legacy.

Since I don’t know when my time will be up, I had better get back to work.

–Mike

Photo credits: “Legacy Parkway shield” originally uploaded by CountyLemonade

Incite 4 U

1. Take my cards, give me back my wallet: It’s always interesting to see the market value of anything. Not just what you think something is worth. But what someone is actually willing to pay. So thanks to Imperva for mining some bad sites and posting the Current Value of Credit Cards on the Black Market. If you take a look at what’s in my wallet, you’ll see about $15 bucks worth of cards (2 AmEx, a MasterCard, and a bank card). My wallet is worth at least $30, since it’s nice Corinthian leather (said in my best Ricardo Montalban voice). So take my cards, but I’ll fight you for my wallet. – MR
2. Free malware scans: Google announced a Free Safe Browsing Alert for Network Administrators this week, alerting IT when malware is discovered by Google on their machines. The service leverages their malware detection capability announced last year, which discovers malware through a combination of user generated Safe Browsing data and Google’s site indexing crawlers. IT admins can register for alerts when Google discovers malware on the public servers within their control. This free tool will be disruptive to all the security vendors positioning malware detection as a ‘must-have’ feature – so long as it works. Hard to see how folks can continue charging a premium for this ‘differentiating’ service. – AL
3. How about a tour of Alaska? We all know that no matter what you do, bad stuff still happens. As we always say around here, you will be breached at some point. The true test of your security mettle isn’t if you keep the bad guys out, but how you respond when they get in. A lot of that is in the heart of our paper on advanced incident response. One of the main things we talk about in that paper is knowing when, and how, to escalate your incident response process and bring in the next level of experts. While we didn’t explicitly mention it, having your command and control center for air combat drones infected with a virus would be pretty high on the list. It seems the folks on the ground failed to escalate and let the cybersecurity experts get involved. The cybersecurity command learned about it by reading Wired. If a four star general is learning that your control center for those buzzing things sometimes armed with missiles might be a staging depot for the latest warez, it might be time to break out your cold weather gear. -RM
4. Maybe actually do something: OK, time for some snark. I just had to see what pearls of wisdom were in the article 8 ways to become a cloud security expert. Basically it’s a list of conferences and a few blogs. So let me get this straight. Go to RSA or the CSA Congress and you are all of a sudden an expert. C’mon, man! I have a different idea. Why don’t you actually do something in the cloud and protect it. Yeah, maybe build an instance, harden it, configure some security groups, set up an application and database, and then try to break it to see how you screwed up. And with the accessibility and low cost of cloud services, it couldn’t be easier to play around. Yes, Hoff’s blog is awesome (when he decides to write), but reading Hoff (the blog) will not make you Hoff (the cloud security expert). You need more than a few trips to the tattoo parlor and BJJ studio for that. – MR
5. Value-added malware: Folks claim that malware is increasingly interdependent, with researchers claiming that most infections are not isolated events, but instead chains of malware leveraging one event into another. Given the data we see, I liken it more to the use of frameworks, or how developers can use LAMP stacks to quickly deploy new code while leveraging the work of others. Only in this case the malware stack is distributed. Think of it as value-added malware, with an open API allowing different contributors to mix and match code to put their own spins on infecting platforms. Once again, virus, malware, and worm authors demonstrate good programming practices – much in the same way we have witnessed the bad guys’ clever uses of encryption, obfuscation, and updating code – in the architecture of their malware. – AL
6. Spoil the Botnet, Spare the Pron: For a long time know most of us have known that one of the best ways to stop botnets and worms is to isolate infected systems at the ISP level. The ISP is the point of contact to the user, and their gateway to the Internet. Much of this traffic can be detected (for now), and between terms of service and regular old customer service the ISP can play a major role. While I honestly thought we’d have this problem wrapped up by now, it turns out to be a thorny issue. ISPs don’t want to be regulated, and they also don’t want to be responsible for the headaches of telling customers they might be infected and the cleanup after the fact. Besides, that would take away from all the resources dedicated to shutting down P2P traffic and sucking up to Hollywood every time someone hits BitTorrent because they can’t find a legitimate way to pay for and download that movie they fell asleep in because they kids were sick and keeping them up all week. -RM
7. It’s hard to repeat: It’s an unbelievable accomplishment to win a pro sports title for a couple years in a row. Evidently it’s just as hard to maintain PCI compliance from year to year. Our trusty data gatherers at Verizon did their annual analysis of PCI data (summary by Dark Reading), and the news isn’t good. It seems PCI isn’t so shiny anymore, and merchants are a successful as the Steelers after a Super Bowl appearance. The issue is that any assessment represents a point in time, and without continued focus that compliance thing is fleeting. Remember folks, security is never done – and that means you are likely out of compliance before you get your PCI RoC (report of compliance). I’m not a big fan of the PCI Council’s stance that any breached organization cannot be compliant, but this kind of data shows there may be truth to that sentiment. – MR