Incite 4/14/2010: Just Think

By Mike Rothman

As numb as we are to most advertising (since we are hit with thousands of advertising exposures every day), sometimes an ad campaign is memorable and really resonates. No, seeing Danica Patrick on a massage table doesn’t qualify. But Apple’s Think Different campaign really did. At that point, Apple was positioning to the counter-culture, looking for folks who didn’t want to conform. Those who had their own opinions, but needed a way to set them loose on the world.

Now that is definitely thinking different... Of course, we all want to think we are more than just cogs in the big machine and that we do matter. So the campaign resonated.

But nowadays I’m not so worried about thinking differently, but just thinking at all. You see, we live in a world of interruption and multitasking. There is nowhere to hide any more, not even at 35,000 feet.

Flying used to be my respite. 2-5 hours of solitude. You know, put in the ear buds, crank up the iPod, and tune out. Maybe I’d catch up on some writing or reading. Or even at the risk of major guilt, I’d get some mental floss (I’m plowing through the Daniel Silva series now) and crank through some fiction on the flight. Or Lord help me, sometimes I’d just sit and think. An indulgence I don’t partake in nearly enough during my standard routine.

Yet through the wonders of onboard WiFi, you can check email, surf the Web, tweet to your friends (yo, dog, I’m at 30K feet - and you are not!) or just waste time. All for $9.95 per flight. What a bargain.

And if you absolutely, positively need to send that email somewhere over Topeka, then the $9.95 is money well spent. Yet in reality, I suspect absolutely, positively means when you get to your destination.

What you don’t see is the opportunity cost of that $9.95. Not sure you can put a value on spending 3 hours battling spies or catching up on some journaling or even revisiting your plans for world domination. On my way back from RSA, I did use the on-board WiFi and to be honest it felt like a piece of me died. I was pretty productive, but I didn’t think, and that upset me. The last bastion of solitude was gone, but certainly not forgotten.

So yes, I’m writing this from 34,701 feet somewhere above New Mexico. But my battery is about dead, and that means it’s time to indulge. There are worlds to dominate, windmills to chase, strategies to develop, and I can’t do that online. Now quiet down, I need to think…

– Mike.

PS: Good luck to AndyITGuy, who is leaving his ATL digs to head to Cincy. Hopefully he’ll keep writing and plug into the security community in Southern Ohio.

Photo credits: “think___different” originally uploaded by nilson

Incite 4 U

  1. Porky, Risk Management, Pig – Let’s all welcome Jack Jones back to bloggy land, and he restarts with a doozy – basically saying risk management tools are like putting lipstick on a pig. Being a vegetarian and thinking about actually putting lipstick on a pig, I can only think of the truism from Jules in Pulp Fiction, “we’d have to be talkin’ about one charming motherf***ing pig.” But I’ll summarize Jack’s point more succinctly. Garbage In = Garbage Out. And even worse, if the analysis and the outcomes and the quantification are lacking, then it’s worse than garbage out: it’s sewage out. But senior management wants a number when they ask about risk, and the weak security folks insist on giving it to them, even though it’s pretty much arbitrary. Off soapbox now. – MR

  2. Craponomics – Repeat after me – it’s all about the economics. (I’m starting to wish I took one of those econ classes in school). According to the New York Times, lenders sort of ignore many of the signs of ID theft because they’d rather have the business. The tighter the fraud controls, the fewer people (legitimate and criminal) they can lend to, and the lower the potential profits. It’s in their interest to tolerate a certain level of fraud, even if that hurts ID theft victims. Remember, the lenders are out to protect themselves, not you. Can you say moral hazard? – RM

  3. Partly Paranoid, with a chance of PR – From what I hear, Google is now paranoid about security. Call me a cynic, but when someone trashes your defenses, is your response to use more web-based computing products and services, like Google Chrome? I am sure they are thinking they’ll modernize their defenses with Chrome, and all those old threat vectors will be magically corrected. You know, like XSS and injection attacks. I am thinking, “Someone broke into my company, now Chrome’s source code is suspect until I can prove attackers did not gain access to the source code control system.” Give Google credit for disclosure, and odds are they will be more secure with Chrome, but that was just a stepping stone in the process. I am far more interested in the steps taken to provide redundant security measures and perhaps some employee education on anti-phishing and security. Something that helps after an employee’s browser is compromised. There will always be another browser hack, so don’t tell me the answer is Chrome. Blah. – AL

  4. Yes, you are an addict… – It was funny to read Chris Nickerson’s post on FUDSEC about being a security addict, especially since that’s the entire premise of the Pragmatic CSO. But we look at the problem from different perspectives. Chris is right in pointing out that although we security folks tend to be powerless, that doesn’t mean we are helpless. It’s an important nuance. Personally I found his 12 steps lacking, especially compared to mine. But he also was working within the context of one blog post, and I wrote a book. All kidding aside, there are things we can control and things we can’t. Security is a hard job and you have to have the right mindset to survive. Whether you subscribe to Chris’ 12-step philosophy or mine or none at all, realizing that you do what you can will make all the difference to your happiness in security. – MR

  5. Accidental Developer – Marisa Fagan of Errata Security conducted a useful survey a few months back on security and software development. When I was taking the survey, the question “What Software Development Methodology do you follow” had me thinking “I don’t”. Sure enough, “Ad-hoc” was the most popular answer. Does this surprise you? I think the popularity of that choice is a good illustration of how early we are in the evolution of software security. I have never followed anyone’s secure development cycle, as I haven’t yet seen a framework I was interested in until recently. This will change with the work coming out of Microsoft and other firms as templates for good development practices. I think that with the industry settling into the – dare I say it – “trough of disillusionment” with Agile, it’s going to take a while before Agile is sufficiently developed to embrace widely accepted principles for secure code development. What cracked me up when taking the survey was, looking for the “Ad-Hoc” check box, I saw “Securosis Secure SDL” as an option. I asked Rich if we had ever written a secure software development lifecycle, to which he responded something like “Yeah, stupid, you did.” I went back and searched the blog and, sure enough, I am stupid. Out of frustration at the lack of practical guidance I had cobbled together a rudimentary process, but not fully fleshed it out. I think it’s time to take a fresh look at the process, and come up with some applied practices for resilient code within an Agile methodology. – AL

  6. Why sell it when you can give it away? – In the endpoint fundamentals series, I talked about anti-malware and touched on free AV. In the corporate context, you get what you pay for given the non-existent advanced detection techniques and management. But from a consumer perspective, is free AV such a bad thing? Not if the advanced stuff you want is there, which makes Check Point’s one-day give-away of ZoneAlarm and an identity service from Intersections, timed to coincide with Patch Tuesday, interesting. On the other hand, this reeks of desperation from CHKP, which can’t seem to make inroads into the endpoint space. Anyhow, if you’re looking for a full endpoint suite for your mother-in-law’s computer, have at it – even if you like your mother-in-law. – MR

  7. Hardening the Cloud – Yesterday I was talking with an investment friend about how I expect to see big hardware refreshes marching hand in hand with cloud computing adoption. It turns out there are some problems related to cloud computing security that are difficult or impossible to solve in software alone. Chris Hoff discusses Trusted Execution Technology, which basically requires new hardware and software, some of which isn’t available yet. (TXT ideally allows you to only execute a VM on hardware that passes assurance checks). There are also memory protection enhancements important to cloud computing that will require hardware upgrades. As Chris says, it doesn’t look like any public cloud providers are using these boxes yet, but make sure you take them into account when planning internal deployments. – RM

  8. My Dad can beat up your Dad – I remember those childish elementary school taunts like it was yesterday. I always thought my Dad was pretty tough, but I also knew he carried heat when he was working in pharmacies in “undesirable areas”. Hard to outrun a bullet. But the rules have changed now, and the bullies (and their parents) who my kids will have to deal with are different in nature. Physical bullies I can deal with, but the email (and Facebook) gladiators are much tougher. Some tactics are discussed on the McAfee blog, as well as in NetworkWorld (featuring our buddy Martin McKeay). They have good ideas there, but I’m still a fan of monitoring – at least to provide an audit trail in case things do go south. And also education – I spend a lot of time teaching my kids wrong from right, so why wouldn’t I do the same for their Internet use? – MR

No Related Posts

Good point about confronting other parents!

By LonerVamp

Looking forward to seeing Agile SSDL :)

Honestly, I don’t think its the end of the world if the security community isn’t using a secure development lifecycle in their development. That security know-how is getting baked in from experience. (You’ll miss out on all the exciting efficiency benefits, but hey, you can lead a horse to water…) It’s the development community at-large that will benefit from the framework. In a perfect world, these methodologies will evolve such that a development team can use them without having to hire security experts to mediate the whole lifecycle.

By Marisa Fagan

@loner, as always, thanks for the feedback. About to board the return flight home and trying to get my writing done, so I can think a bit. ;-)

In terms of the cyber-bullying. I do plan to monitor, but I also plan to make sure my kids understand why I’m doing it. They need to understand anything they write on a social network is public, so their parents will be seeing it too. Even a private chat in Facebook can be cut and pasted, and then it’s public. That’s an important lesson to learn early.

It’s also important to be able to confront other parents with information about what their kids do, which may be inappropriate. There have been two examples recently in my social circle where the parent could not possibly believe their precious kid would do something not so precious. Nothing like a chat log file to make the point.

But ultimately kids need to learn how to deal with difficult people. Some are bullies, some are just assholes, but they (and we) will come across them almost every day of our existence. The earlier they learn to diffuse situations and take the power away from bullies, the better their life will be.

But then again, that’s my thinking, which I’m sure will change over time.

By Mike Rothman

Nice opening post, especially with the kicker at the end that you’re actually writing it on a plane! :) I definitely find myself purposely unplugging at times (even if I’m still playing with something electronic) and protecting my private time when reasonable. I wonder if this ultimately has to do with the typically American concept of super-efficiency…milking every waking moment with something productive…at the expense of the great, relaxing, leisure things in life. I could listen to a podcast during this normally quiet hour in my day! And so on…

@Porky Risk…Pig: It doesn’t help that every security professional shotguns everyone else’s measurements…and with good reason! At some point, I think we’ll have to accept that every company CEO is different, and it takes a person to distill the necessary information down for her consumption. No tool will ever be enough, just like no tool ever determines if a product will be successful.

@My dad can beat up your dad: Ugh…I have some pretty strong opinions about cyberbullying and home internet monitoring…but I tend to shut up a bit because I don’t have kids and I’ll likely rub parents wrong (not that my humor isn’t dark enough to do that anyway!). While social networking didn’t exist when I was in school, I certainly have to give a lot of caution to taking away a child’s privacy. Protection is one thing, but being overly controlling and in their business is often a recipe for a lifetime of resentment…especially in their most carefree years of life where they have hours upon hours of free time without the burden of responsibilities or death anywhere on the horizon. I think it is simply most important to keep honest communication open (both ways) and make sure actions are taken when something awry happens. If someone isn’t your friend, why are you “friends” on Facebook with them? Masochistic? Sinister plans?

With rare, very saddening exceptions, a vast majority of kids will survive despite the rigors of childhood and school and self-discovery outside protective umbrellas.

(I do make one exception. If there is monitoring and intrusion of privacy, they should never find out and you should never make them suspect it. It should be a silent angel watching over. But once you flaunt it or they find out, that is when the resentment and deeper hiding will happen…imo. Again, this is from a one-sided perspective and does not apply to all personalities. :)  )

By LonerVamp

Mike, Thanks for the well wishes. I will miss Atlanta and having lunch with you from time to time. I will keep writing and try to add what I can to the Southern Ohio Security community. I look forward to running into you at cons when I can get to them. Thanks for your friendship and sage advice over the years.

By Andy Willingham

If you like to leave comments, and aren’t a spammer, register for the site and email us at and we’ll turn off moderation for your account.