As numb as we are to most advertising (since we are hit with thousands of advertising exposures every day), sometimes an ad campaign is memorable and really resonates. No, seeing Danica Patrick on a massage table doesn’t qualify. But Apple’s Think Different campaign really did. At that point, Apple was positioning to the counter-culture, looking for folks who didn’t want to conform. Those who had their own opinions, but needed a way to set them loose on the world.

Now that is definitely thinking different... Of course, we all want to think we are more than just cogs in the big machine and that we do matter. So the campaign resonated.

But nowadays I’m not so worried about thinking differently, but just thinking at all. You see, we live in a world of interruption and multitasking. There is nowhere to hide any more, not even at 35,000 feet.

Flying used to be my respite. 2-5 hours of solitude. You know, put in the ear buds, crank up the iPod, and tune out. Maybe I’d catch up on some writing or reading. Or even at the risk of major guilt, I’d get some mental floss (I’m plowing through the Daniel Silva series now) and crank through some fiction on the flight. Or Lord help me, sometimes I’d just sit and think. An indulgence I don’t partake in nearly enough during my standard routine.

Yet through the wonders of onboard WiFi, you can check email, surf the Web, tweet to your friends (yo, dog, I’m at 30K feet – and you are not!) or just waste time. All for $9.95 per flight. What a bargain.

And if you absolutely, positively need to send that email somewhere over Topeka, then the $9.95 is money well spent. Yet in reality, I suspect absolutely, positively means when you get to your destination.

What you don’t see is the opportunity cost of that $9.95. Not sure you can put a value on spending 3 hours battling spies or catching up on some journaling or even revisiting your plans for world domination. On my way back from RSA, I did use the on-board WiFi and to be honest it felt like a piece of me died. I was pretty productive, but I didn’t think, and that upset me. The last bastion of solitude was gone, but certainly not forgotten.

So yes, I’m writing this from 34,701 feet somewhere above New Mexico. But my battery is about dead, and that means it’s time to indulge. There are worlds to dominate, windmills to chase, strategies to develop, and I can’t do that online. Now quiet down, I need to think…

– Mike.

PS: Good luck to AndyITGuy, who is leaving his ATL digs to head to Cincy. Hopefully he’ll keep writing and plug into the security community in Southern Ohio.

Photo credits: “think___different” originally uploaded by nilson

Incite 4 U

  1. Porky, Risk Management, Pig – Let’s all welcome Jack Jones back to bloggy land, and he restarts with a doozy – basically saying risk management tools are like putting lipstick on a pig. Being a vegetarian and thinking about actually putting lipstick on a pig, I can only think of the truism from Jules in Pulp Fiction, “we’d have to be talkin’ about one charming motherf***ing pig.” But I’ll summarize Jack’s point more succinctly. Garbage In = Garbage Out. And even worse, if the analysis and the outcomes and the quantification are lacking, then it’s worse than garbage out: it’s sewage out. But senior management wants a number when they ask about risk, and the weak security folks insist on giving it to them, even though it’s pretty much arbitrary. Off soapbox now. – MR
  2. Craponomics – Repeat after me – it’s all about the economics. (I’m starting to wish I took one of those econ classes in school). According to the New York Times, lenders sort of ignore many of the signs of ID theft because they’d rather have the business. The tighter the fraud controls, the fewer people (legitimate and criminal) they can lend to, and the lower the potential profits. It’s in their interest to tolerate a certain level of fraud, even if that hurts ID theft victims. Remember, the lenders are out to protect themselves, not you. Can you say moral hazard? – RM
  3. Partly Paranoid, with a chance of PR – From what I hear, Google is now paranoid about security. Call me a cynic, but when someone trashes your defenses, is your response to use more web-based computing products and services, like Google Chrome? I am sure they are thinking they’ll modernize their defenses with Chrome, and all those old threat vectors will be magically corrected. You know, like XSS and injection attacks. I am thinking, “Someone broke into my company, now Chrome’s source code is suspect until I can prove attackers did not gain access to the source code control system.” Give Google credit for disclosure, and odds are they will be more secure with Chrome, but that was just a stepping stone in the process. I am far more interested in the steps taken to provide redundant security measures and perhaps some employee education on anti-phishing and security. Something that helps after an employee’s browser is compromised. There will always be another browser hack, so don’t tell me the answer is Chrome. Blah. – AL
  4. Yes, you are an addict… – It was funny to read Chris Nickerson’s post on FUDSEC about being a security addict, especially since that’s the entire premise of the Pragmatic CSO. But we look at the problem from different perspectives. Chris is right in pointing out that although we security folks tend to be powerless, that doesn’t mean we are helpless. It’s an important nuance. Personally I found his 12 steps lacking, especially compared to mine. But he also was working within the context of one blog post, and I wrote a book. All kidding aside, there are things we can control and things we can’t. Security is a hard job and you have to have the right mindset to survive. Whether you subscribe to Chris’ 12-step philosophy or mine or none at all, realizing that you do what you can will make all the difference to your happiness in security. – MR
  5. Accidental Developer – Marisa Fagan of Errata Security conducted a useful survey a few months back on security and software development. When I was taking the survey, the question “What Software Development Methodology do you follow” had me thinking “I don’t”. Sure enough, “Ad-hoc” was the most popular answer. Does this surprise you? I think the popularity of that choice is a good illustration of how early we are in the evolution of software security. I have never followed anyone’s secure development cycle, as I haven’t yet seen a framework I was interested in until recently. This will change with the work coming out of Microsoft and other firms as templates for good development practices. I think that with the industry settling into the – dare I say it – “trough of disillusionment” with Agile, it’s going to take a while before Agile is sufficiently developed to embrace widely accepted principles for secure code development. What cracked me up when taking the survey was, looking for the “Ad-Hoc” check box, I saw “Securosis Secure SDL” as an option. I asked Rich if we had ever written a secure software development lifecycle, to which he responded something like “Yeah, stupid, you did.” I went back and searched the blog and, sure enough, I am stupid. Out of frustration at the lack of practical guidance I had cobbled together a rudimentary process, but not fully fleshed it out. I think it’s time to take a fresh look at the process, and come up with some applied practices for resilient code within an Agile methodology. – AL
  6. Why sell it when you can give it away? – In the endpoint fundamentals series, I talked about anti-malware and touched on free AV. In the corporate context, you get what you pay for given the non-existent advanced detection techniques and management. But from a consumer perspective, is free AV such a bad thing? Not if the advanced stuff you want is there, which makes Check Point’s one-day give-away of ZoneAlarm and an identity service from Intersections, timed to coincide with Patch Tuesday, interesting. On the other hand, this reeks of desperation from CHKP, which can’t seem to make inroads into the endpoint space. Anyhow, if you’re looking for a full endpoint suite for your mother-in-law’s computer, have at it – even if you like your mother-in-law. – MR
  7. Hardening the Cloud – Yesterday I was talking with an investment friend about how I expect to see big hardware refreshes marching hand in hand with cloud computing adoption. It turns out there are some problems related to cloud computing security that are difficult or impossible to solve in software alone. Chris Hoff discusses Trusted Execution Technology, which basically requires new hardware and software, some of which isn’t available yet. (TXT ideally allows you to only execute a VM on hardware that passes assurance checks). There are also memory protection enhancements important to cloud computing that will require hardware upgrades. As Chris says, it doesn’t look like any public cloud providers are using these boxes yet, but make sure you take them into account when planning internal deployments. – RM
  8. My Dad can beat up your Dad – I remember those childish elementary school taunts like it was yesterday. I always thought my Dad was pretty tough, but I also knew he carried heat when he was working in pharmacies in “undesirable areas”. Hard to outrun a bullet. But the rules have changed now, and the bullies (and their parents) who my kids will have to deal with are different in nature. Physical bullies I can deal with, but the email (and Facebook) gladiators are much tougher. Some tactics are discussed on the McAfee blog, as well as in NetworkWorld (featuring our buddy Martin McKeay). They have good ideas there, but I’m still a fan of monitoring – at least to provide an audit trail in case things do go south. And also education – I spend a lot of time teaching my kids wrong from right, so why wouldn’t I do the same for their Internet use? – MR