Research

Something didn’t add up. We got a call from the girl’s camp literally 3 days after they got there saying XX2 needed more stationery. We hoped this meant she was a prolific writer, and we’d be getting a couple updates a week. Almost 3 weeks later, we got 1 postcard. That’s it. A few of her friends got letters, but not nearly enough to have depleted her stash of letters/postcards. And the longer we went without a letter, the more ornery The Boss got. Mostly because she spent a bunch of time buying, stamping, addressing, and return labeling the additional letters. So to not get any mail was really adding insult to injury. Luckily we were going to see the girls on Visiting Day, so we’d get to the bottom of the situation. Maybe there were mail gremlins in the Post Office, getting their kicks by reading (almost) 8 year old chicken scratch. Maybe the small-town post office was just overwhelmed. Or maybe XX2 had screwed up a bunch of letters and just thrown them out, as opposed to trying to fix them. It could be anything, and we were determined to get to the bottom of it. When we got to the camp, we spent a few minutes with XX1, including meeting her counselors and seeing her bunk. It’s far from roughing it, but they still get a somewhat rustic experience. Then we made our way over the XX2’s bunk to do a similar assessment. With me as the bull in a china shop, I (of course) just blurted out what I know The Boss was thinking. “I’m so happy you are having a great time at camp, but what the hell? Who did you write to with all your stationary? It certainly wasn’t us!” XX2 looked very confused. She reiterated that she did write letters, and she wrote 3-4 to us. It looked like it might be a job for the late Columbo, who could solve this posthumously. Then we asked the key question: “When did you mail the letters?” She again looked at us quizzically. That’s when all the pieces fit together. “I need to mail one letter every three days to get into dinner. So I give them one letter.” Looks like we found the smoking gun. I then asked XX2 to show us her stationary box, and sure enough there were 6 letters and 3 postcards ready to go. I forget she is not even 8 years old yet. She took the instructions literally. She needed one letter to fulfill the requirement, and didn’t realize she could mail more than one letter at a time, or even on an off day. We got the characteristic, “oh well” shrug from her and then we all just busted out laughing. To be clear, I’m not sure we’d do anything different next time. I refuse to be one of those crazy, guilt-slinging parents who browbeat their kids about writing. If they aren’t writing, odds are they are having fun. And we may even save a few bucks in postage. That’s a win-win in my book. -Mike Photo credits: “Nobody Loves Me” originally uploaded by Robert Hruzek Incite 4 U The next wave of consumer security: Following (and participating in) the SIEM space, one of the biggest jokes was fraud detection. You know, you’d set your SIEM to look at transaction records and it would find fraud. It’s just data, right? Fraud is just another pattern, right? Not so much, but it’s still a magic chart requirement to have a solution in this space, even though the financial folks use purpose-built offerings to do it for real. But that doesn’t mean that reputation and pattern matching for fraud detection has no place in security. Actually, it does, and with a tip of the hat to Fred Wilson, I can point you to a new service called BillGuard that monitors your credit card transaction streams and can alert you to things that might be funky. Remember, consumers don’t care about security for its own sake. But they care about losing money to fraud and other nuisances, and this kind of offering should just kill it. Disclaimer: I haven’t used BillGuard, nor have I checked out their security. But the idea is right on the (proverbial) money. – MR Agile is the word: Uh-oh. The US Government is taking cyber-security lessons from businesses. Are things that bad? Actually, while the title of this post filled me with visions of Sony and other enterprises, the actual document is worth review. The government is effectively advocating an Agile process – its basic tenets read more like secure code development ideals than as network deployment. Most security experts urge building security into the products we deploy rather than bolting it on afterwards. And this encourages working with smaller (read: more innovative) security technology providers. Their guidance is a good fit with our own enterprise guidance. – AL A sign of the times: About a hundred years ago, I co-founded a company focused on driving broader adoption of PKI. We focused on application integration to add capabilities such as encryption and digital signatures. But it never took off, mostly because no one was willing to trade inconvenience for security. By the way, not much has changed. If security works, it’s behind the scenes, embedded within the user experience so users don’t need to know about it. Adobe is clearly going taking another run at digital signatures with their EchoSign buy. I’m not sure the outcome will be different this time around. EchoSign got some lift because it wasn’t about technology – it was about a seamless business process to eliminate paper from contract signing. We’ll see if Adobe learns from that, or just tries to add another option to the product – you know how the latter scenario ends. – MR Skype pwnage: It will likely be patched by the time you read this, but there is a cross site scripting vulnerability with Skype. In

As far back as I can remember, I have been a fan of testing your defenses. Some people call it pen testing, others refer to it as an assurance process, but the point is the same either way. The bad folks test your defenses every day, and if you aren’t using the same tactics to find out what they can get, you’re going to have a bad day. Maybe not today, maybe not even tomorrow. But the clock is ticking. Truly understanding your security posture gets even harder when you start thinking about the cloud and the complexities of architecting a totally new infrastructure. We have a zillion dollars worth of systems management installed to monitor and manage our data centers, although I reserve judgment on how suck-tastic that investment has been. Now that we are moving many things to the cloud (whatever that means), it’s time to revisit how we test our infrastructure. The existing systems management (and security) vendors are falling all over themselves to position their existing products as appropriate for managing cloud operations, but most of their solutions are heavy on slide decks and virtual appliances (same stuff, different wrapper), and lighter on the actual management technology. In fairness, it’s still early, so we shouldn’t totally count out the systems management incumbents, right? I mean, those are some innovative organizations, [sarcasm]no?[/sarcasm] Yet, this cloud thing will force us to totally rethink how we run operations, and thus how we test our environments. The good news is that many of the cloud services leaders are more than happy to share what they are doing, so you can learn what works and what doesn’t, avoiding the school of hard knocks. I mean, when before has a company basically shared its data center architecture? Thanks, Facebook. And now NetFlix is sharing some of their management approaches. Netflix’s concept is to use a Simian Army (not literal monkeys, but automated testing processes) to put their infrastructure through the ringer. To see where it breaks. To pinpoint performance issues. And to do it continuously, on an ongoing basis. They even have a chaos gorilla, which takes entire availability zones out of play, so they can see how their infrastructure reacts. The same discipline applies to security. You need to build a set of hacking simians to try to break your stuff. No, it won’t be easy, and you’ll need to do a lot of manual scripting and integration to build a security monkey. Although there are some offerings (like Core’s new Insight product), focused on running continuous testing processes, it’s still early in this market. So you’ll need to do a lot of the work. But the alternative is having your dirty undergarments posted on pastebin. But don’t forget my standard caveat: when you test using live ammo, be careful! Given the economics of cloudy things, you should have a test environment that looks an awful lot like your production environment. And let the monkeys loose on your test environment early and often. But some of these monkeys can/should be used on the production stuff. Although you can make the test environment look the same, it’s not. We learn that hard lesson over and over again. In the post, Netflix talks about shutting down production instances (with a lot of oversight, obviously), just to see what happens. They reminds me a bit of the kanban process in manufacturing, in that you mess with the working system to find the breaking points, to see where you can make it more efficient. The assumption that everything is working fine has never held water. The question is whether you search for what’s broken, or wait for it to find you. But most of all, I love both the metaphor and the message of Netflix’s approach. These guys test their stuff, so when half of Amazon AWS goes down they stay up. Obviously this isn’t a panacea (as their recent outage showed), but clearly there is something going on over at Netflix. So jump on the monkey bandwagon – they are taking over the world anyway. Share: