Shipping anything is pretty easy nowadays. When someone buys the P-CSO, I head over to the USPS website, fill out a form, and print out a label. If it takes 5 minutes, I need more coffee. Shipping via UPS and FedEx is similarly easy. Go to the website, log in, fill out the form, print out a paper label, tape it to the package, and drop it off. I remember (quite painfully) the days of filling out airbills (in triplicate) and then waiting in line to make sure everything was in order.

As many of you know, Rich and Adrian are teaching our CCSK course today and tomorrow. It’s two days of cloud security awesomesauce, including a ton of hands-on work. I did my part (which wasn’t much) by preparing the fancy Securosis-logo USB drives with the virtual images, as well as the instructor kits. I finished that up Sunday night, intending to shippthe package out to San Jose Monday morning.

So I get onto FedEx’s site (because it absolutely positively has to be there on Tuesday) and fill out my shipping form. Normally I expect to print the label and be done with it. But now my only option is to have a mobile shipping confirmation sent to me. What the hell is a mobile shipping confirmation? Is there an app for that? I read up on it, and basically they send me a bar code via email that any FedEx location can scan to generate the label right there. Cool. New technology. Bar codes. What could go wrong?

I take my trusty iPhone with my shiny barcode email to the local FedEx Office store first thing Monday morning. The guy at the counter does manage my expectations a little bit by telling me they haven’t used the mobile confirmation yet. Oh boy. Basically, FedEx did send a notice to each location, but they clearly did not do any real training about how the service works. The barcode is a URL, not a shipping number. The folks at the store didn’t know that and it took them about 10 minutes to figure it out. It was basically a goat rodeo.

The FedEx Office people could not have been nicer, so the awkward experience of them calling a number of other stores, to see if anyone had done it successfully, wasn’t as painful as it could have been. But the real lesson here is what I’ll tactfully refer to as the elegant migration. Maybe think about supporting multiple ways of generating a shipping label next time. At least for a few weeks, while all the stores gain experience with the new service. Perhaps do a couple test runs for all the employees. Why not give folks a chance to be successful, rather than forcing them to be creative to find a solution to a poorly documented new process while a customer is standing there waiting.

When we launch something new, basically Rich, Adrian, and I get on the phone and work it out. It’s a little different when you have to train thousands of employees at hundreds of locations on a new service. Maybe FedEx did the proper training. They may have asked folks to RTFM. Maybe the service has been available for months. Maybe I just happened to stumble across the 3 folks out of thousands who hadn’t done it before. But probably not.

– Mike

Photo credits: “RTFM – Read the F***ing Manual” originally uploaded by Latente

Incite 4 U

1. Better close those aaS holes: The winner of the word play award this week is none other than Fred Pinkett of Security Innovation. In his post Application Security in the Cloud – Dealing with aaS holes, Fred does a good job detailing a lot of the issues we’ll deal with. From engineering aaS holes (who aren’t trained to build secure code), to sales aaS holes who sell beyind their cloud’s capabilities, to marketing aaS holes (who avoid good security practices to add new features or shiny objects), to management aaS holes (folks who forget about good systems management practices, figuring it’s someone else’s problem), there are lots of holes we need to address when moving applications to the cloud. Fred’s points are well taken, and to be clear this is a big issue we address a bit in the CCSK curriculum. Folks don’t know what they don’t know yet, which means we’ll be trying to plug aaS holes for the foreseeable future. – MR
2. Payment shuffle: Will interoperability and commerce finally push the adoption of smart cards in the US? Maybe, or at least the card vendors hope they will, with European travelers starting to have troubles with mag stripe cards. It’s not like this hasn’t been tried before. I remember reading about Chip and PIN (CAP) credit cards in 1997. I remember seeing the first US “Smart Card” advertised – I think by Citi – as a security advantage to consumers in 1999. That didn’t go over too well. Consumers don’t much care about security, but you already knew that. Europe adopted the technology a decade ago, but we have heard nothing in the US consumer market since. Why? Because we have PCI, which is the panacea for everything. Haven’t you heard that? Why improve security when you can pass the buck. Yup, it’s the American way. – AL
3. Closing the window: Last night RSA released a new letter to their customers about their breach, and the attack on Lockheed and other defense contractors. Lockheed confirmed in a New York Times article that information stolen from RSA was used to attack them. Fortunately Lockheed managed to stop the attack. If I wasn’t out in California to teach the CCSK class this week I’d probably write a more detailed post because it’s definitely a big deal. There is now no doubt that customer seeds were stolen. And whoever stole them (IPs linked back to China) used the seeds to attack at least three major defense contractors simultaneously, less than 3 months after the initial breach. Sorry, but this isn’t the work of “hackers”. In their letter, RSA announced that they will replace tokens for those who need to protect IP and their infrastructure, and an alternate program (leveraging risk-based authentication) for consumer deployments. Rumor is that tokens are already being replaced for defense/government clients, and it seems the attackers moved fast to get in before the window closed. This is 2011-style geopolitics in action, folks. – RM
4. The truth is somewhere in the middle: Following up on Rich’s last point on RSA issuing new tokens, let me point to a good post on the VZ Business security blog providing an alternative analysis. Subsequent to Dave Kennedy’s analysis here, Lockheed did confirm the RSA seeds were used maliciously, but as Dave pointed out Lockheed’s other defenses prevented the attack from compromising data. My point isn’t about whether Dave is right or the speculation is warranted. I just want to make very clear that we do not, and we may never know exactly what happened. Do not believe all you read. Do not take the word of unsubstantiated sources – or even substantiated sources – as gospel. And make sure you do your own risk analysis. As Dave says, unless you are in the military-industrial complex (or dealing with/against Chinese organizations), odds are you won’t be specifically targeted. Stay abreast of the situation, but take a few deep breaths and don’t overreact. Build a plan to replace your tokens on your timeframe. Continue to follow RSA’s remediation advice. Unless you see definitive proof that you are under attack using the seeds right now, settle down, Francis. – MR
5. TwitSec: I wish I could disagree with with him, but Martin McKey nailed it with New to Security? Get on Twitter. Few people read blogs anymore (take it from us – we know…). Seldom do we see the good old blog fights of yore on security topics. Now we get 140 character fragments, which are not particularly helpful for education but provide phenomenal access to the security community. The Tweeter makes it very easy for everyone (even n00bs) to bounce ideas around and get quick references on topical material. It’s almost like an index to just the right material you need, and a convenient way to get questions answered by people you trust. While you’re certainly not going to learn security kung fu through Twitter, it’s a valuable tool for quick research and reference. As well as a great way to get access to world class expertise in a very egalitarian manner. – AL
6. Mass marketing zombies: Of course, I don’t like the FUD-flinging message in McAfee’s zombie apocalypse infographic. And I wonder if these folks really believe that the 3 steps to being zombie-free are: 1) update your anti-virus, 2) run a complete scan, and 3) stop opening attachments from people you don’t know. The scariest part is that I think these folks may actually think the first two steps help. But all the same, their fun graphics-oriented approach is exactly what we need to appeal to the mass market. Remember, our biggest enemy in protecting consumers is ignorance. Folks don’t understand technology but they can grok simplicity, and can handle 2-step processes to avoid doing stupid things. So far we, the security industry, haven’t communicated with them effectively enough. This is a baby step in the right direction. – MR