Incite 12/8/2010: The Nutcracker
By Mike Rothman
When I see the term ‘nutcracker’, I figure folks are talking about their significant others. There are times when the Boss takes on the role of my nutcracker, but usually I deserve it. At least that’s my story today because I’d rather not sleep in the doghouse for the rest of the year. But that’s not what I want to talk about. Let’s discuss the holiday show (and now movie) of the same name.
To open up the book of childhood angst, I remember Mom taking me to see a local production of the Nutcracker when I was about 8. We got all dressed up and I figured I was seeing a movie or something. Boy, was I terrified. The big mouse dude? To an 8 year old? I still have nightmares about that. But as with everything else, I’m evolving and getting over it. At least when it comes to the Nutcracker.
Both of my girls dance at a studio that puts on a big production of the Nutcracker every winter. They practice 3-4 times a week and have all the costumes and it’s quite a show. All building up to this weekend, where they’ll do 5 shows over 3 days. I’m actually looking forward to the shows this year, which I think may correlate to getting past my fear of a 14 year old with a big mouse head.
This will be XX1’s third year and XX2’s first. They start small, so XX2 will be a party girl and on stage for about 5 minutes total. XX1 gets a lot more time. I think she’s a card and a soldier during the mouse battle. Though I can’t be sure because that would require actually paying attention during the last month’s 7x24 Nutcracker preparation. They just love it and have huge smiles when they are on stage.
But it brings up the bigger idea of year-end rituals. Besides eating Chinese food and seeing a movie on Xmas Day. This year I’m not going to be revisiting my goals or anything because I’m trying to not really have goals. But there will be lots of consistency. I’ll spend some time with my family on our annual pilgrimage up North and work a lot as I try to catch up on all the stuff I didn’t get done in 2010.
I’ll also try to rest, as much as a guy like me rests. 2010 was a big year. I joined Securosis and did a lot of work to build the foundation for my coverage areas. But there is a lot more to do. A whole lot more. We are working hard on an internal project that we’ll talk more about after the New Year. And we need to start thinking about what we’ll be doing in Q1. So my holidays will be busy, but hopefully manageable.
And I’ll also leave some time to catch up on my honey-do list. Because the last thing I need is to enter 2011 with a nutcracker on the prowl.
Photo credits: “Mouse King and Nutcracker” originally uploaded by Mike Mahaffie
Incite 4 U
The (R)Snake slithers into the sunset: We need to send some props to our friend Robert Hansen, otherwise known as RSnake. I’ve learned a lot from Robert over the years and hopefully you have too. As great a researcher as he is, he’s a better guy. And his decision to stop focusing on research because it isn’t making him happy anymore is bold, but I’d expect nothing less. So who picks up the slack? The good news is that there is no lack of security researchers out there looking for issues and hopefully relaying that knowledge to make us better practitioners. And if you weren’t sure what to start poking, check out RSnake’s list. That should keep all of you RSnake wannabes busy for a while. – MR
The price of vanity: Is WikiLeaks doing what it is supposed to do? I was reading about the shakeup after the WikiLeaks incidents and how it has caused shuffling of U.S. diplomats and intelligence officers, in essence for reporting on what they saw. But I don’t have sympathy for the U.S. government on this because the leaks did what leaks do: spotlight the silliness of the games being played. I understand that comments like these reveal more than just the topics being discussed, and that who gathered the information, how, and why tells yet another story. But it seems to me that the stuff being disclosed is spotlighting two kids passing notes in high school rather than classified state secrets. Unless, of course, you really think Muammar Gaddafi seeing someone on the side is an issue of national security. Sure, it’s an embarrassment because it’s airing dirty laundry rather than exposing state secrets. There is no doubt that WikiLeaks will drive security services. People who consider themselves important are embarrassed, and in some cases their reputations will suffer, and being embarrassed will make it harder for them to maintain the status quo (if WikiLeaks is successful, at least). Care to bet on what will drive more security sales: data security requirements/regulation or political CYA? – AL
That cloud/virtualization security thing is gonna be big: Early on in the virtualization security debate a lot of vendors thought all they needed to do was create a virtual appliance running their products, toss them into the virtual infrastructure, set up some layer 2 routing, and go buy a Tesla. It turns out the real world isn’t quite that simple (go grab a copy of Chris Hoff’s Four Horsemen presentation from a couple years ago). Juniper recognizes this and has announced their acquisition of Altor Networks. Altor provides compliance and security, including a hypervisor-based stateful firewall, for virtualization and private cloud. But even if the tech is total garbage (not that it is), Juniper scores a win by buying themselves a spot in the now-defunct VMsafe program. Unlike the vShield Zones approach, with VMsafe participating vendors gain more direct access to hypervisor-level APIs for security functions. The program is frozen now, but VMware is supporting it indefinitely for existing partners, of which Juniper most definitely wasn’t until they bought Altor. – RM
Password cracking as a metric/indicator for an organization’s security posture: From the SANS Handler’s Diary we learn the following: “The strength of passwords used is a good indication of the security posture of an organisation, considering the userid and password combination is in many cases the first and last line of defence. It is quite important to get it right.” Really? Passwords? As an indicator of the security posture? What year is it again? And what’s your evidence for that? Oh, none, I see. It may be a measure of compliance, but it’s not a measure of posture. The rest of this article is yet another tutorial on using John the Ripper. (eyeroll) The article ends as badly as it starts: “If you have some nice metrics that you create to measure effectiveness of controls in place in your organisation, let us know. Might be as simple as measuring the number of viruses sent out of an organisation by email (hopefully 0) to measuring the number of attacks dropped by the firewall, etc.” Talk about useless metrics. Neither tells you anything about your posture or maturity. Execs don’t care about the number of blocked attacks/dropped viruses unless you can also tell them how many weren’t dropped (succeeded). It’s meaningless and a waste of bits, like that entire post. I guess the SANS editors were off that day, based on this dreck getting through their (usually good) filter. – DM
Truth in survey fiction: I normally completely ignore any vendor-defined survey. (Yes, we sometimes perform surveys that a vendor licenses, but we develop the questions in the open so vendors never get to define them, and we release all the data). But for once I think a survey might have underestimated the problem. eEye (yes, they’re still in business) commissioned a survey asking security pros to estimate the amount of their time dedicated to compliance initiatives. The result? 1 out of every 2 spends 50% of their time on compliance. To be honest, I think the other half spends 100%. It’s funny how compliance has come to completely dominate our dialogue and effort over the past 10 years. By ‘funny’ I mean ‘suxage’. – RM
Hackers exploit everything: Or that seems to be the message of the MessageLabs blog, which released a series of posts on trends they expect to continue in 2011. “Hackers target ______”; you can pretty much fill in the blanks. Targeted attacks and diversification of attacks. Hardware and software. Stealth and in the open. Hackers are doing it all. They’re in your computer and probably in the hedgerow in front of your house. If you aren’t careful, they may hack your Xmas tree too. So look sharp, people – the hacker invasion is here. Maybe just Duck and Cover for the entire holiday season. – AL
MSFT finally killing Big AV?: Here we go again. In what seems to be a bi-annual event, someone figures the hegemony of Big AV will be done, and the cash cow will be slaughtered, right? This time it’s Microsoft Security Essentials, posited by a stock analyst to impact Symantec’s market share (and thus its stock). Yeah, not so much. Free AV clearly isn’t the answer. Why? First off you are dealing with inertia. Most consumers just pay for whatever comes on their shiny new PC. And then they renew year after year. Even though they can get these branded offerings via their ISPs and a bunch of other places for free, they don’t. Another complication is that Free AV doesn’t work. It’s not like the full packages work either, right? So this is more ado about nothing. Same old, same old. Though it’s time to blow up the whole endpoint protection thing. But that’s another topic for another day. – MR
I love it when a plan comes together!: Not security related per se, but in the news of the weird: “Explosive-laden California home to be burned down.” Burn it down. Really? This guy George has been living there for years, making explosives – probably while microwaving dinner – without incident. But it’s too dangerous to empty out, so you’re going to burn it down? Not flood it or freeze it? Yep. Burn down a house – not exactly noted for being a clean burn. What about the rest of the area, you ask? Good question! Sounds like they hired BP to figure this out. All I can picture in my head is the exploding whale fiasco. Stay tuned! – AL