Research

Last night I managed to pull a serious Munson. My car battery was dead, so I jumped it from my wife’s car. Then both batteries were dead (her car literally shut down when I tried to start mine). Then my brother in law came over, and managed to jump both cars. We left them running, then turned them off- and both were dead again. One more trip from my brother in law and we were up and running. We drove around for a bit and then stopped to run an errand. We stopped, and restarted, one car at a time so we always had one running vehicle. Both restarted, so we ran them for a minute longer and then ran our errand. Come back, and both are dead. Mall security jumped her car, drove on the highways for 20 minutes, parked it at home. Dead. Dead. Dead. Her car is a hybrid, and we think my battery is dead and something about jumping it blew something in her electrical system. Good times, my friends. Good times. At least I get some amusement this morning out of this article with some of the usual statistical dribble used to scare people into buying products. There’s no need to go into detail- it’s just a survey talking about how few companies perform email encryption, how hard and manual it is, and how employees would use it more if it were easier. This is all, of course, tied into some Nevada law and sponsored by an email encryption vendor. They forget, of course, to mention how few compromises there are of unencrypted email. No reference at all to any real cases where encryption would have prevented the loss of personal data (never mind any fraud associated with said loss). In short, nothing useful to help you make any kind of risk decision. Remember, I’m not against numbers, nor am I against email encryption (I use it occasionally for business communications), but I am against silly numbers with no bearing to anything important. We need more quality metrics and surveys, not this dribble that likely won’t fool a single security professional into buying a product. You might, likely, use email encryption anyway, but this sure won’t affect your decision. Share:

Finally took the plunge last week- I went out and bought a Mac. Actually, I bought a couple of them. That was not what I originally intended, as my plan was to get a top-of-the-line MacBook Pro and a high-end monitor to go with it. But every time I sat down in front of my wife’s iMac, I was really impressed with the quality of the display and the simplicity of the machine itself. When I learned the 24-inch version had the Core 2 Duo at 3GHz, I was sold. Given the amount of travel I do I needed a laptop, so I picked up an entry-level MacBook as well. It worked out about even money as far as hardware costs, and it will only cost me a little more for software, so I kind of feel like I got two for one. For the last week I have not been blogging all that much as I have spent every waking hour moving files, downloading software, installing, configuring, and learning a bunch of new applications. I don’t think I have bought this much personal software before. And with Rich and myself reworking the Securosis infrastructure at the same time, it has been a hectic week. For those who do not know me; I started my career with UNIX; moved to CTOS; then a mixture of Windows, UNIX, and Linux for about 5 years; but over the last 8 years it has been almost all Windows PCs. So learning a new OS is no big deal, and the UI design on the Mac is pretty darn easy, which has helped smooth the transition. But I must say I am glad that there is a UNIX-based OS sitting underneath … makes me feel a little more comfortable and made the learning process faster. I wanted to share the experience as I was wondering if some people had come to the same conclusions that I have about the Apple products. First the MacBook: The MacBook is nice-looking, but nothing all that spectacular IMO. While the 2.4GHz Intel processor is fast and I like the OS, the keyboard is decidedly ordinary and the display is really not all that great. Contrast, color saturation and accuracy are all pretty poor. Tried to calibrate as best I could without tools, but I only think I am going to get so far with this effort. My real concern at the moment has been stability. I have only been running the machine for a couple of days and Mail has hung twice, and the machine would not respond to shutdown requests. I installed all of the patches I could and hopefully that will help. I also upgraded the machine to 4gb, and when I did, I found an interesting white residue caked on the pins of the DIMMs. I am wondering if the installers are putting talc or something on the pins to make insertion easier, but there was so much I have to wonder if there were memory errors. Seems to be more stable now and I am hoping for the best. The iMac- in a word, WOW! It is the nicest machine I have ever owned. Fast. Put 4 gig of memory in it. The aluminum keyboard has a great feel to it. Keep looking for the right mouse button, but that’s OK, I am retraining myself. But the most amazing thing about this box is the monitor. 24 inches of real estate. The color, depth and detail is stunning. It’s fun just to look at the pre-supplied backgrounds. And everything has worked without a hitch. Software installed in a fraction of the time of other platforms. The one time I messed up I simply drug the application to the trash, started from scratch, and was done in two minutes. The only anomaly I found is the machine is spec’ed for DDR2 800, but came with DDR2 667. Other than that, perfect. The MacBook is nice, but the iMac is why I am beyond happy. Hard for me to imagine that this is true, given the long line that I had to wait in when I went to the Apple store. Plus I know 5-6 people who just switched to Macs, and half the people I know are saving up to get iPhones. With a product that is this solid, I don’t think that they have a lot to worry about. Share:

‘This is a very interesting article by Robert Westervelt over at Tech Target, and I wanted to make a couple of follow-on comments. Way back when, as a DBA, my morning ritual was to get into the office, grab a cup of coffee, and review the database and web app logs. Just wanted to make sure that the databases were running smoothly and there was nothing unusual going on I had a single web app and 5 or so databases. Took about 30 minutes. But that was pre-tech collapse, where DBA’s only had 10 or so databases to manage. If you are managing 100 or more database, you are not reviewing logs on a regular basis without automation. Whether it be security, systems management or configuration management, you have to have help. And today, you are buying a tool for each, and of those, 2 of the 3 are not typically supplied by the database vendor or the tools vendor. We talk a lot about security products for databases here at Securosis, but few of them operate the way that DBAs and IT operations personal want them to work. Yes, I understand separation of duties and I understand that the DBA is not the best person to provide security analysis, but still, a single platform to provide all these operational aspects would make sense. I used to love to go to the IOUG events around the country. I used to give presentations at some, but I wanted to go because I always learned something from the lectures or presentations. There was such a wealth of knowledge, and when you have hundreds of DBA’s with unique problems and willing to experiment, they often run across very cool solutions. I ran across some Perl scripts once for data discovery that were really amazing, and I borrowed from this source as much as I could. It dawned on me that Oracle has an amazing resource here and does not leverage this for either their, or their users, benefit. The model I am thinking of is Firefox and the community plug-ins. It would be nice to have the ability to browse and download utilities from the community at large and try them out. OEM could really use that kind of lightweight option. And, yes, this means I have my doubts that Fusion Middleware is going to be leveraged by the people that manage Oracle platforms and databases. Share:

What do you think our new financial law will be? What piece of legislation will be enacted by our government to protect us from the greed that caused this current financial crisis? Last time it was Sarbanes-Oxley. Who will be the poster child for our current financial crisis? Who will be the “Keating 5” this time around? You know it is coming. It has every other time greed has torpedoed our economy. And it is an easy target for any politician when there is only one side to an issue. I mean, how many voters are pro-financial crisis? I am actually asking this as a serious question. I am really at a loss for a plan of action that would be effective in stopping financial institutions from making bad loans, or how the government could effectively regulate and enforce. The typical downside to bad business practices (falling stock value, bankruptcy) have been nullified with mergers and government funding. In this case the greed seemed to be evident from top to bottom, and not just within a company or region, but the entire industry. Financial institutions to the buyer and most of the parties in between. Yes, lenders skirted process and sanity checks to be competitive, but it took more than one party to create this mess. Buyers wanted more than they could afford, and eagerly took loans that led to financial ruin. Real estate agents writing the deals as fast as they could. Mortgage brokers looking for any angle to get a loan or re-fi done. Underwriters in absentia. Appraisers ‘making value’ to keep business flowing their way. You name it, everyone was bending the rules. So that is really is the question on my mind: what will comprise the new regulation? How do you keep businesses from saying ‘no’ to new business? How do you keep competitive forces at bay to reduce this type of activity from happening again? My guess about this (and why I am blogging about it) is that enforcement of this yet-to-be-named law will become an IT issue. Like Sarbanes-Oxley, much of the enforcement, controls and systems, along with separation of duties necessary to help with fraud deterrence and detection, will be automated. Auditors will play a part, but the document control and workflow systems that are in place today will be augmented to accommodate. Let’s play a game of ‘trifecta’ with this … put down the name of the company who you think will who will be the poster child for this debacle, the name of the politician who will sponsor the bill, and the law that will be proposed. I’ll go first: Poster Child: CountryWide Politician: John McCain Law: 3rd party creditworthiness verifications and audit of buyers If you win I will get you a Starbuck’s gift card or drinks at RSA 2010, but something. Share:

We had a killer episode of the Network Security Podcast this week as Jeremiah Grossman and Robert “Rsnake” Hansen joined us to talk a bit about their new clickjacking exploit. I definitely had some fun on this one, even though Jeremiah and Robert couldn’t dig too deeply into the details. We also managed to sneak in a bit on open source voting, and the top 10 ways to know you’ve been exploited. But mostly, you want to hear is making fun of each other. This was also one of our first episodes we streamed live. Although we record at irregular times, we plan on live streaming as much as we can. Just keep an eye on us on twitter (rmogull or netsecpodcast) for a few hours warning if you want to listen in and harass us over IM. You can download the episode here, and full show notes are at NetSecPodcast.com. Share: