Incite 3/14/2012: My Kind of People
By Mike Rothman
Like everyone else, I have a bunch of jobs. There is the day job and then my job at home. Well, it’s not really a job, it’s more a responsibility – to be a good husband and to teach my kids to be properly functioning adults. As most of you know, I take the parenting responsibility very seriously. I am constantly stressing hard work and best effort, constantly making the point to my kids that the only thing they can truly control is their own effort.
But ultimately I am flawed, like everyone else, and I worry my flaws will be passed on to my kids. We get each kid’s schoolwork back on Thursday. Usually they do very well but sometimes they blow a test or quiz. The Boss spends a lot of time going through their mistakes to make sure they don’t make the same ones again. I peruse the papers and try to celebrate the good scores on the math quiz or the spelling test. But it’s hard. I’m on to the next thing already. What’s next on the list? No time to celebrate – too much to do. That’s how I’m wired.
But all the accomplishments and all the tasks checked off the task list pale in comparison to trying to teach the kids to be good people. To be nice and supportive and good friends. To be empathetic about other folks’ challenges, and to appreciate the charmed life they lead. Part of that process is sending them to sleepaway camp each summer. There they need to function as part of a group, without the Boss and me to tell them exactly what to do. Before we know it they’ll be out in the nasty, unforgiving world, so we hope they can learn some important lessons in a safe environment before it’s real.
Another aspect of their real-life training is to show that everyone has their own challenges, and they can choose to make every situation either better or worse. USA Network recently aired a show called NFL Characters Unite, which provided a great opportunity to teach the kids about the importance of empathy and being kind. The show takes some NFL heavy hitters (Hines Ward, Jimmy Graham, Tony Gonzalez, and Tony Dungy) and tells their stories of suffering racism, bullying, and abandonment. A 6’5” and 250 lb guy, being bullied? Amazingly enough, yes. It showed how these guys overcame those challenges, and showed them each mentoring a kid in a similar position.
The show was really awesome. Not because it humanized the players, which it did. But it (hopefully) taught my kids a few things. First the impact of being unkind. They could see how bullying and meanness impact a kid. I also hope they learned not to judge a book by its cover. You’d never think NFL stars could be bullied or suffer racism. These guys are invincible, right? Not so much. The kids shouldn’t draw conclusions, but instead get to know folks and make up their own minds. Finally, perhaps they can appreciate how lucky they are to have a supportive family. Maybe, just maybe, when they get into a situation where they can choose to be kind or unkind, they’ll choose correctly. We hope they will reject peer pressure to go for the quick laugh, and stand up for someone who may not be able to stand up for themselves.
Ultimately, in 10 years, when all our kids are loose on the world, I can only hope they’ll be kind people. The kind of people I’ll be proud to know.
Photo credits: “In the end, only kindness matters” originally uploaded by SweetOnVeg
Lazy Deal Analysis: Dell goes SuperSonic(WALL)
Dell made news a year ago shelling out big bucks for SecureWorks, and now they are at it again, spending a reported $1-1.5 billion to acquire SonicWALL from the clutches of private equity. We actually like this deal – not only because it reinforces that Mr. Market Says Security Is Winning. But additionally, SonicWALL’s traditional business in the mid-market is a good fit with Dell’s distribution engine, and dovetails nicely with the SecureWorks services offering.
But this deal is all about IBM and HP envy. Do you think it will be long before Dell formally moves all their security stuff into a separate business unit? They want to compete with the big boys, and large enterprise wants security from their major IT providers. Both SecureWorks (via the VeriSign MSS deal) and SonicWALL (with its SuperMassive NGFW) have increasingly focused on the enterprise. We expect Dell to continue investing in services folks to wrap the integration layer around the products and services.
We have been hearing speculation about Dell acquiring Fortinet, but this deal seems like a much better option. It’s much cheaper, provides functionally comparable technology, and brings on less infrastructure to worry about integrating – especially at the enterprise level. And don’t forget about the biggest winners here: Thoma Bravo, the private equity fund that took SonicWALL private about 18 months ago for $717 million. Perhaps doubling in that time period is a huge win. But as Rich said in Mr. Market: the bankers always win.
Incite 4 U
Leaving an Anonymous Trail of Bits: We all talk about how as a good guy you need to always be right, while the bad guys only need to be right once. It turns out that no one can be wrong, ever, as our buddies at Threatpost detail by showing how some Anons left a trail, and the FBI (and other law enforcement folks) are getting much better at following such trails. Sabu forgot to Tor a few times and got bagged. Rob G talked a bit about it. And finally Nigel Perry talks a bit about how Sabu turning turncoat was obvious, in hindsight anyway – given his attempts to get his buddies to do bad stuff. I recently saw the movie Drive, and the bad guy says to the good guy that he can walk away, but he’ll always be looking over his shoulder. I guess that’s a universal truth – we all need to be looking over our shoulders all the time. – MR
Who is the fool? This week the Jester (or ‘th3j35t3r’) reported that he carried out a seemingly elegant attack against Al Qaeda, Anonymous, LulzSec/AntiSec, and other “bad guys” (including a US congressman). If you don’t know, Jester is an online vigilante who goes after those most of us would really define as bad guys. For this attack he changed his Twitter picture into a QR code that, when scanned on a mobile phone, linked to a web page, which dropped an exploit, which then analyzed the connecting phone and was (apparently) able to determine the Twitter handle of the user. For users on his sh*t list of Twits, the attack supposedly then attacked the client with a fair degree of success. Unfortunately he provided some in-depth tech details, which are either deliberate obfuscation or based on contradictory posts and incorrect. In other words this might be BS, and if it isn’t BS it might not have been a real attack, and if it was a real attack, he’s lying about which vulnerability he exploited. So what does this have to do with your job? Nada. – RM
Apple iWallet: Apple has been granted a patent for the ‘iWallet’, which describes a method of conducting payment transactions via near-field communications with an iDevice. But that’s not the interesting aspect of the patent – the good part is the detailed explanation of configurable payment transaction rules. Apple has essentially rolled up many of the concepts we have been talking about in the payment space for mobile devices for the last 15 years: micro-payments or payment limits, primary and secondary account holders, a trust hierarchy, and payment rules from both merchants and merchant bank/payment processors. What’s not clear is where these rules are configured and stored – the diagrams suggest they are stored on the card, which means there must be a command interface for the iDevices in the iWallet, and additionally that the device must be the authority for transaction rules. That makes sense when you are trying to limit what your daughter can spend at the mall, but is not so good when an attacker compromises a device. The security story for Apple mobile payments is just beginning to unfold. – AL
Data teases: Jack Daniel (not the bourbon), perhaps the only guy I know as grumpy as I am, goes on a little rampage here, kicking the breach report gift horse in the mouth. Of course we all appreciate these folks’ work to package up their data, but it’s not enough. For the most part, the data is proprietary, which means we see exactly what they want us to see. Rich has been pushing vendors for a while to drive a neutral initiative, to package the data in a format people can use to realistically benchmark their own activity against the data set. The Verizon guys are closer, but as Bejtlich pointed out on Twitter, it’s still too complicated. And those are the two edges of this blade. We want more data and we want it to be easy. At least this gift horse is talking out of both sides of its mouth. – MR
The breach no one complained about: The pr0n site Digital Playground was breached last week, exposing some 40,000 “plain text” credit card numbers. This came just a few days after a third party service provider leaked an undisclosed number of YouPorn customer names and emails. We really don’t hear about pr0n sites being pwned very often. Why? Because most of these sites take security very seriously. Pr0n sites were some of the first hacking victims I was aware of way back when, and the site admins I have spoken with say they are regular targets, given their volume of credit card business. So to hear of a pr0n site not only getting breached, but exposing plain text credit card and CVV numbers – which they are not supposed to store, according to PCI regulations – is very surprising. The parent company, Manwin Holdings, owns huge sites which process big bucks, so it’s unlikely they will be shut down by the PCI Council, but this is likely to incur a large fine. So why are we not hearing a public outcry about how the PCI assessment must have been bogus, or from the community of users who need new credit cards? Do you think they’ll lose customers over these breaches? Yeah, not going to happen. – AL
Security does as security does: Earlier this week I wrote a post (with help from Mr. Rothman) on how Mr. Market proves security is winning. It didn’t spur as much debate as I expected, and when I mentioned that on Twitter, Chris Hoff mentioned he also expected more criticism over his covering similar ground from a different angle. My favorite part of Chris’ post is when he says, “Most importantly, it’s really, really important to recognize that the security industry is in business to accomplish one goal: make money. It’s not a charity. It’s not a cause. It’s not a club. It’s a business.” Maybe that isn’t why you got into it, but next time you’re on the show floor watching some hired actor give away a Vespa to enable sales guys to hawk firewalls, don’t be angry at the game you signed up for. There are things we can change and things we can’t, and no industry has ever survived on altruism. – RM
The changing nature of warfare: Yeah, we’ve all heard about cyberwar, whatever that means, and that the battlefields will be different moving forward. The folks at Northrop Grumman penned a report (h/t to Infosec Island) which is sure to result in all sorts of FUD and increased calls for spending on defense. As Jack D says, we shouldn’t kick the gift horse in the mouth, so I’m not going to complain, but it’s not like all the other first world countries aren’t building similar integrated cyberwar capabilities as a part of their respective war machines. Believe me, if any of this stuff was novel (or unique to the PRC) we wouldn’t be seeing it in a report. – MR