Research

It won’t surprise any of you to learn that I don’t follow Fox News on Twitter. I know, I can see the shock in your eyes, but I’m not the biggest fan of our friends on the right. Actually, I hate all 24 hour news stations – Fox biased to the right, MSNBC to the left, and CNN to the stupid. So I missed their announcement of to the demise of our commander in chief. It seems one of their Twitter accounts was hacked, and the attackers had a little fun with some bogus tweets. If you read this blog you probably know everything I’m about to write, but it’s probably a good time to review it anyway. If you use these services for business purposes, there are a few precautions to put in place: If you use social media in your business, make sure you set up accounts (or use your personal accounts) to monitor your official account. Be very cautious in how you handle your account credentials (who you give them to, how they are secured, etc.). The list of people with access should definitely be very short. Use an OAuth-based service or application to allow employees to tweet to your account without having to give them your account password. This is how most Twitter clients work today, for example. If you are large enough, talk to your provider ahead of time to understand how to report problems, and who to report them to. The last thing you want to be doing is hanging out waiting for a help desk person to see your request in the queue. Make contact, get a name, and establish a validation process to prove you are the owner of the account in an incident. You’ll also use this process if an employee goes rogue. Simple stuff, but I suspect very few businesses follow these basics. Share:

As mentioned last week, our girls are off at sleepaway camp. They seem to be having a great time, but you can’t really know. Obviously if there was a serious issue, the camp would call us. Since we dealt with the nit-uation, we have heard from the guidance counselor that XX2 is doing great, and from the administrator that XX2 needs more stationary. Evidently she is a prolific writer, although our daily mailbox vigil has yielded nothing thus far. We’ll save a spot for her at Securosis, since by the time she’s out of school, I’ll need someone else to pick up the mantle of the Incite. The one thing that is markedly different than when I went to camp is the ability to see daily photos of the camp activities. Back when I went in the 80’s camp was a black box. We got on the bus, we’d write every so often, but my folks wouldn’t really know how we were doing until they came up for visiting day. Now we can see pictures every day, and that’s when the trouble begins. Why? Because the pictures don’t provide any context. Our crazy overactive brains fill in the details we expect to be there, even if it means making stuff up. We read between the lines and usually it’s not a positive thing. So you see XX1 in a picture she isn’t wearing her skirt. What’s the matter, doesn’t she like her clothes? Or she is smiling from ear to ear, but is that a genuine smile? Or she’s at the end of the row of kids. Why isn’t she right in the middle? Yes, we understand this line of thinking makes zero sense, but your brain goes there anyway. And even worse is when the girls aren’t in any pictures. What’s the deal with that? Are they in the infirmary? Aren’t they having fun? Why wouldn’t they be attention whores like their Dad and feel compelled to get into every picture. Don’t they know we are hanging on every shred of information we can get? How inconsiderate of them. Yes, I am painfully aware that this behavior is nonsensical. Camp is the greatest place on earth. How could they not have a great time? Grandma got a letter from XX1 and she said her bunk is awesome. We know the girls are doing great. But I also know we aren’t alone in this wackiness – when we get together with our friends we’re all fixated on the pictures. I’m pretty sure having the ability to fill in details in the absence of real information saved our gene line from a woolly mammoth or something 10,000 years ago, so it’s unlikely we’ll stop. But the least we can do is make the story a happy ending each day. -Mike Photo credits: “Reading Between The Lines” originally uploaded by Bob Jagendorf Incite 4 U Most (but not all) is lost: Good thought-provoking piece here by Dennis Fisher entitled Security May Be Broken, but All is Not Lost. His main contention is that the public perception is awful, but that’s only half the story – folks who block stuff successfully are not highlighted on CNN. It’s part of why I call security a Bizarro World of sorts. Only the bad news is highlighted and a good day is when nothing happens. But the real issue that Dennis pinpoints is the continued reticence to almost everyone about share data on what’s working and what isn’t. Whether the sharing is via formal or informal ISAC-type environments, security benchmarks, online communities (like our sekret project), or whatever, Dennis is spot on. Until we start leveraging our common experience, nothing will get better. – MR Dropped Box: It’s hard to root for a company – whose product you use and like – when they keep making boneheaded moves. If you didn’t hear, Dropbox poured gasoline on the idiocy fire when they came out with new Terms of Service that grant them wide latitude to mess with your stuff. I was hoping for an acknowledgement of the security architecture issues on the client and server side, along with a roadmap for when they will be resolved. Instead they lawyered up and gave themselves immunity to do stuff to your stuff, and when customers complained, they basically said customers misunderstood them. Yes, customers must be wrong because Dropbox is the first company to hold vast stores of customer data, so no one else could not possibly understand the nuances of their business. Who over there is not getting it? Management? Tech staff? Their PR agency? Their lawyers? All of the above? Do they not understand they must never – under any circumstances – allow a stolen configuration file to grant any client access to customer data? There is no reasonable explanation for a cascading failure on the server side which exposes accounts. It might be understandable that you need to make ‘translations’ of content (though Mike says that’s a bunch of crap); so they should specifically only need permission to do that. Don’t use overly broad legalese, like derivative works, because that opens up totally unacceptable use cases! Why is anyone satisfied with a security document that fails to explain how they handle key management or multi-tenant data security? I moved everything except 1Password’s independently encrypted password store off Dropbox yesterday, and am evaluating Spideroak. I’ll come back as an advocate and customer if they fix their mess, but they continue to pat themselves on the back for bad decisions, so it might be a long wait. – AL Second: Hopping onto Twitter at one point over the weekend I thought Dropbox had been taken over by Kim Jong-Il and all my data printed out and personally mailed to Anonymous, the NSA, and my third-grade English teacher. Hunting it down (you know, by reading 2 tweets back), I learned it was a change in the Terms of Service. Then I read the new terms and I realized some

As while back, I spent some time categorizing tactics vendors use to create Fear, Uncertainty, and Doubt (FUD) as a buying catalyst for their products. We followed up with a survey trying to understand what kinds of security marketing content is useful at different stages of the sales cycle. I’m parsing and doing some lightweight analysis of the survey results as we build our inaugural vendor newsletter. Given space restrictions I couldn’t analyze all the data, but I do want to focus on one of my pet peeves: competitive attacks. When I was on the vendor side, one of the things that got my goat was the insistence on focusing (almost exclusively) on the competition. Everyone – both sales reps and customers – expected us to provide information sales reps could use to beat the competition. The dirtier and nastier the better. Some folks spread rumors about competitors’ finances, or bogus reports that competitive products fell over at customer sites, or that competitors were kicked out of Account X or Y. It all made me sick. Mostly because I thought it didn’t work. I figured prospects would appreciate information about how our products solved their problems. Unfortunately I had no data to prove that, beyond anecdotal reports of pissed-off prospects not appreciating hit pieces sent directly to their CIOs (two levels above where the decision got made). So we asked questions to provide a sense of if and where competitive attacks are useful, and to compare them against less-aggressive competitive analyses. To be clear, we aren’t dealing with a lot of data here. Only 32 responses, but enough to build my soapbox and support me urging vendors to stop worrying about competitors and start worrying about customers. Let’s take a look at the data on specific competitive attacks. The question was phrased: “Competitive Attacks”: This is down and dirty hand to hand combat tactics, where the vendor attempts to make the competition look bad. There are seemingly no boundaries here, where vendors will question financial viability, spread rumors about staff defections, gossip about investors pulling money out, or anything else to make the competition look bad. Click the image for a full-size view. Almost half of respondents believe this behavior negatively impacts their perception of the vendor. A lot less responded that it negatively impacts their view of the competitor. Very few said these tactics actually improved their perception of the attacker. And few used this information to guide vendor selection or justify selection of specific vendors. When we looked less aggressive competitive analyses, the results were a bit more favorable – but not much. “Competitive Analysis”: Some vendors will provide information (usually informally) about why its product/service is better than the competition. They may question the product’s technical capabilities, and/or talk about how they replaced the competitor in an account. They may also provide some reference accounts to discuss why they are better than the competitor. Click the image for a full-size view. About a quarter of respondents use this information in the selection process. As a client, I’m a fan of getting as many reference accounts as I can. Then I call them up and spend very little time on the vendor they chose. I ask why they didn’t choose the other vendors. They are usually pretty forthcoming about companies that didn’t make the cut. I put little stock in what they say about the vendor who gave me their name. Why? Because I know more than I should about the back-room arrangements that take place to get very busy practitioners to spend some of their days doing favors for sales reps. But those are stories better told over frosty beverages. Listen, I’m not naive here. I understand how the game works. Direct sales is like a street fight. You use whatever advantage you can. I can only tell you that the most successful reps I’ve worked with spent a lot more time focused on customer problems, and much less on the competition. Smart customers buy products based on who solves their business problems best, and do their homework on what products really work in the field. If a product falls over, they know about it from their own research, not the sniping of a competitor. But at the end of the day, it gets back to people. I’ve always done business with folks I like, and I’m not a big fan of dirty tactics. So if you badmouth your competition I’ll generally send you on your way. But that’s me. Share: