“Hi. I’m Mike. And I’m an addict.” I start every chapter of the Pragmatic CSO with those very words. There there are many things you can be addicted to. Thrills. Sex. Sugar. Booze. Drugs. Twitter. Pr0n. Caffeine. Food. Some are worse than others, though none of them really good for you. But now I have to face up to another addiction. The need for gadgets. I’m jonesing for a new MacBook Air. Big time. Like waking up in the middle of the night wanting some SSD goodness in a petite 2lb package. Jonesing, I say, and it’s not pretty.

Now there are folks with much worse gadget addiction than me. They are the ones standing in line at Best Buy for the latest Zune. Those folks have a problem. To be clear, so do I. I have a perfectly workable 15” MacBook Pro. It’s been a workhorse for two and a half years. For what I need, it’s fine. Why can’t I be happy with it? Why do I long for something new? The problem is my gear isn’t shiny anymore. I need a new trophy. Need. It. Now.

I feel inadequate with a late 2008 MBP. In the bagel shop where I was writing this morning, there was a guy with an MB Air. I felt envy. Not enough to poach his machine when he tok a leak (by the way, it’s two frickin’ pounds – you can take it to the loo), but definitely envy. But then I looked over my other shoulder and saw a guy with an old school Apple laptop. And I mean old school. Like before they had a MagSafe connector, meaning a PowerBook G4. Oh, the horrors. I don’t know how that guy gets out of bed in the morning.

And it’s worse when we have a Securosis meeting. Rich gets all the new toys. He’s got an MB Air 11”. I know he scoffs at my MBP. My laptop is older than his kids. Really. But Adrian is a different animal. He’s into high end audio equipment and dogs. My addiction is cheaper. At least I have that going for me.

Over two years with the same laptop is a lifetime for me. Some guys trade in their wives every couple years. I trade in my laptop. The Boss likes that approach much better. Normally it’s not an issue, since I tend to hold down a job for 15 months, so I get a new toy every time I get a new job. I get my fix and have no issue, right? Not so much anymore – I’m not changing jobs any time soon. At least that’s what Rich and Adrian keep telling me. But I am getting smarter. Knowing this little issue I have, I made proper provisions this year by doing a side project over the winter and expressly earmarking those fees to breathe the (MB) Air.

I’ve got motive. I’ve got opportunity. I’ve even got the funds. I know, you are wondering why I don’t just hop on the Apple web site and order it? This is why. They expect a new Air in the summer. That’s only what, 2 months away? It’ll be worth the wait. That’s what I keep telling myself. It will be smokin’ fast. And shinier. The next 2 months will be a struggle. I want it now. But I’m repressing my urges because I know how bad I’d feel when someone else got the shiny fast one, 4 days after I took delivery of my slow, dull one. I need to do some NLP to associate those bad feelings with the late 2010 MB Air. I will awaken the giant within, just you watch. That will keep me off the gadget juice.

I’ll hold out because I have a plan. Every day, I’ll do my affirmations to convince myself that I’m still a good person, even though I use a late 2008 MBP. It will work. I know it will. The power of positive thinking in action. I’ll send a DM to my sponsor every day because I’m not addicted to Twitter. Not yet anyway. That will keep me on the straight and narrow. And doggone it, people like me, right?

But we all know what happens when you repress an urge for too long. Gosh, that iPad 2 looks awfully shiny…

-Mike

Photo credits: “Apple addiction” originally uploaded by new-york-city

Since I don’t do enough writing here on the Securosis blog, I figured I’d inflict some pithy verbiage on the victims, I mean readers, of Dark Reading. I’ll be posting on their Hacked Off blog monthly, and started with a doozy on why the RSA breach disclosure was pretty good. Surprisingly enough, I took a contrarian view to all those folks who think they should know everything, even if they aren’t RSA customers. It’s not about you, folks – sorry to bruise your egos.

Incite 4 U

1. Mea culpa roll with a side of SQLi: Do you ever wonder what a Barracuda roll tastes like? You can ask the folks in Hong Kong who used an automated SQLi attack to feast on Barracuda’s customer list over the weekend. The good news is that not much data was lost. Some customer and partner names and emails. The bad news is the breach happened because of an operational FAIL to put WAF back into blocking mode. As usual, people are the weakest link. But this disclosure is a great example of how to own it, explain it, and help everyone learn from it. A side of SQLi is not quite as tasty as miso soup, but news of the attack goes down a lot easier with a large serving of mea culpa. – MR
2. Trust No One: I keep stealing a slide Gunnar did a while back (from Chris Hoff, who showed it to me first). It’s a table showing all the big advances in the web and web applications, and then the security tools we use to secure them. In every case, it’s firewalls and SSL. But between the Comodo breach and the EFF’s SSL Observatory project we now know that not only do Certificate Authorities get hacked, some of them issue certs for things like localhost (me want). CAs are like any other commodity market – price and convenience quickly trump security every time. But is SSL broken? Or is it merely the best of the worst options? Moxie Marlinspike suggests that our problem isn’t trust, but trust agility. It’s a great concept, and we need to wait until his next post for proposed solutions, but this is a must-read for security folks. – RM
3. Security is 2 legit, 2 legit 2 quit: Found myself humming Wookin’ pa (Cyber) nub when I read Andrew Hay’s post because – sadly – I remember the “Buh-Weet Sings” SNL skit. While that reference is funny, a more accurate example is The Last Starfighter. No? Have you not seen recent ads for the Sub Hunt game? Or looking at Xbox jockey learning to be drone pilots, or using Gears of War as a US Army recruitment and assessment technique? Have you noticed that several schools are opening major programs in Information Security? Yep, it’s finally happening: cybersecurity is a legitimate career. What makes me happy about this is the US government finally noticing it has a serious deficit in computer security skills, and are trying to do something about it. Recognizing that many of the good hackers are non-conformists looking to bust stuff is a step in the right direction. – AL
4. Breach data: the other white meat We share information, we learn. Still wonder why we suck at security? So when I see my pals at Verizon post some analysis on the data gathered via their VERIS application, I’m excited. Then I see it’s based on 62 data points. Not happy that’s all the data they have so far. To be clear, any data is better than what we have now, but institutionally we need to get more comfortable sharing data. That’s the key to getting better. I’m doing a series now on benchmarking, hopefully laying out a case for better sharing and how to leverage the data we collect. Unlike eating large quantities of bacon, sharing poses no risk of heart disease – I promise. So go and upload your data. Now. – MR
5. Old skool clouds: My kids aren’t the only ones in my house who have comfort items. I may not drag a binky with me on the road, but I have my favorite comfort foods, t-shirts, books, and desk toys (a wind up Bender, for the record). These things make me happy, just like many IT administrators and executives are comforted by working with big vendors vs. startups. No one ever got fired for buying IBM, right? So when the big boys like IBM and HP start offering cloud services, do you really think they need to play the same game as Amazon? The Loose Couple blog amusingly deconstructs IBM’s new cloud (hint – it involves a postal truck, written contracts, and 4-figure signup fees), but we shouldn’t be surprised. These offerings don’t target developers with credit cards – they’re for CIOs who spend more time golfing with their IBM rep than attending employee birthday lunches. – RM
6. I drop (your) box wherever I want: For those of us worried about being HBGaried, the idea of pivoting from one security weakness into the motherlode of data breaches looms large. So Derek Newton’s post Dropbox authentication: insecure by design hit a nerve. Grab the config file, and you get a copy of the victim’s entire dropbox, neatly unencrypted by the client software without authentication. The attacker does not get the password, but it’s likely the real owner won’t be able to detect pwnage because nobody monitors the website’s logs to determine how many copies of their folder exist. Reading threads on the Dropbox site sent shivers down my spine, as Dropbox ‘members’ exhibit shocking security naivete – advising key revocation for unwittingly shared accounts misses the point, and it’s just a matter of time until reality crushes the support team’s untested theories. Dropbox should, at the very least, have a client password option that requires authentication prior to launching. They should also provide an option for admin authorization processing for new clients. They’ll also need a more sophisticated account recovery mechanism. Dropbox is an awesome tool, but they need to address these obvious security gaps before one of their clients gets hosed – small companies seldom survive that kind of black eye. – AL
7. And control is a bad thing?: Apple’s App Store is routinely vilified by the anarchists for being ‘closed’ and requiring approval for every app that goes out to the zillions of iDevices. Then you read a nice analysis by TippingPoint’s DVlabs about an owned AMI posted to Amazon EC2 and wonder how much carnage we’d see on iOS if Apple didn’t check every app. Methinks a lot. Obviously it’s buyer beware when spinning up instances in AWS, and folks doing that need to be more sophisticated than a 10-year-old with an iPod touch, but there is still a raft of opportunity to do some real damage with tainted AMIs. The social Darwinist in me says idiots who download untrusted apps (or spin up and use untrusted AMIs) get what they deserve. But in reality, for mass-market applications, we really do need someone to save us. From ourselves. – MR