I’m very fortunate to have inherited Rothman hair, which is gray but plentiful and grows fast. Like fungus. Given my schedule, I tend to wait until things get lost in my hair before I get it cut. Like birds; or yard debris; or Nintendo DS games. A few weeks back the Boss told me to get it cut when I lost my iPhone in my hair. So I arranged a day to hit the barber I have frequented for years.

I usually go on Mondays when I can, because his partner is off. These guys have a pretty sophisticated queuing system, honed over 40+ years. Basically you wait until your guy is open. That works fine unless the partner is open and your guy is backed up. Then the partner gives me the evil eye as he listens to his country music. But I have to stay with my guy because he has a vacuum hooked up to his clipper. Yes, I wait for my guy because he uses a professional Flowbee.

But when I pulled up the shop was closed. I’ve been going there for 7 years and the shop has never been closed on Monday. Then I looked at the sign, which shows hours only for the partner – my guy’s hours aren’t listed. Rut roh, I got a bad feeling. But I was busy, so I figured I’d go back later in the week and see what happened. I went in Thursday, and my guy wasn’t there. Better yet, the partner was backed up, but I had just lost one of the kids in my hair, so I really needed a cut. I’m quick on the uptake, so I figured something was funky, but all my guy’s stuff was still there – including pictures of his grandkids. It’s like the place that time forgot. But you can’t escape time. It catches everyone.

Finally the situation was clarified when a customer came in to pay his respects to the partner. My fears were confirmed: my guy was gone, his trusty clippers silenced. The Google found his obituary. Logically I know death completes the circle of life, and no one can escape. Not even my barber. Truth be told, I was kind of sad. But I probably shouldn’t be. Barber-man lived a good life. He cut hair for decades and enjoyed it. He did real estate as well. He got a new truck every few years, so the shop must have provided OK. He’d talk about his farm, which kept him busy. I can’t say I knew him well, but I’m going to miss him.

So out of respect I wait and then sit in the partner’s chair. Interestingly enough he gave me a great cut, even though I was covered in hair without the Flowbee. I was thinking I’d have to find a new guy, but maybe I’ll stick with partner-man. Guess there is a new barber-man in town. Godspeed Richard. Enjoy the next leg of your journey.

-Mike

Photo credits: “Barber Shop” originally uploaded by David Smith

Incite 4 U

1. Can I call you Dr. Hacker?: Very interesting analysis here by Ed Moyle about whether security should be visionary. Personally I don’t know what that means, because our job is to make sure visionary business leaders can do visionary things without having critical IP or private data show up on BitTorrent. But the end of the post on whether security will be innovation-driven (like product development), standards-driven, innovation-averse (like accounting), or standard-driven, innovation-accepting (like medicine) got me thinking. I think we’d like to think we’ll be innovation-driven, but ultimately I suspect we’ll end up like medicine. Everyone still gets sick (because the viruses adapt to our defenses), costs continue to skyrocket, and the government eventually steps in to make everything better. Kill me now, Dr. Hacker. – MR
2. Learn clarity from the (PHP)Fog: One of the things that fascinates me about breaches (and most crisis events) is how the affected react. As I wrote about last week, most people do almost exactly the wrong thing. But as we face two major breaches within our industry, at RSA (“everyone pretend you don’t know what’s going on even though it’s glaringly obvious”), and Comodo (“we were the victim of a state-sponsored attack from Iran, not a teenager, we swear”); perhaps we should learn some lessons from PHPFog (“How We Got Owned by a Few Teenagers (and Why It Will Never Happen Again)”). Honesty is, by far, the best way to maintain the trust of your customers and the public. Especially when you use phrases like, “This was really naive and irresponsible of me.” Treat your customers and the public like adults, not my 2 year old. Especially when maintaining secrecy doesn’t increase their security. – RM
3. MySQL PwNaGe: For the past few days, the news that mysql.com has both a SQL injection vulnerability and a Cross Site Scripting (XSS) vulnerability has been making the rounds. The vulnerabilities are not in the MySQL database engine, but in the site itself. Detailed information from the hacked site was posted on Full Disclosure last Sunday as proof. Appearently the MySQL team was alerted to the issue in January, and this looks like a case of “timely disclosure” – they could have taken the hack further if they wanted. Not much in takeaways from this other than SQL injection is still a leading attack vector and you should have quality passwords to help survive dictionary attacks in the aftermath of a breach. Still no word from Oracle, as there is no acknowledgement of the attack on mysql.com. I wonder if they will deploy a database firewall? – AL
4. APT: The FUD goes on and on and on and on: I applaud Chris Eng’s plea for the industry to stop pushing the APT FUD at all times. He nails the fact that vendors continue to offer solutions to the APT because they don’t want to miss out when the “stop APT project” gets funded. The nebulous definition of APT helps vendors obfuscate the truth, and as Chris points out it frustrates many of us. Yes, we should call out vendors for inappropriate use of APT FUD. Yes, we should continue to work to define exactly what APT is. But at the end of the day it won’t matter. Too many security marketing folks are lazy, and APT gives them something to talk about (as opposed to figuring out real customer problems). Beat reporters are lazy as well, so they cover the APT FUD (instead of covering something that requires thinking and perhaps even reporting). And customers are also lazy, so they call vendors to ask for APT-killing widgets (as opposed to doing something productive like getting the CEO to stop surfing pr0n from his corporate laptop). Tthe beat goes on. – MR
5. Let’s bring it on! I sure do love me a good old knock-down, drag-out fight to the finish. Especially in the payment industry. It all started when VeriFone opened up by trying to kick Square (the guys who sell an iPhone card reader) in the nuts with claims their reader is insecure because it doesn’t encrypt on the device. Square responded, but that didn’t stop VeriFone from taking out… wait for it… Facebook ads! Now here’s the part most people don’t know – VeriFone is pushing the same claims in all other areas of the payment industry, including working groups with the PCI Council. Their position is that if you don’t encrypt while reading the magnetic stripe you aren’t secure. Most of this is behind closed doors, and it will be interesting to see what makes it out. I’m sure all the skimmers are working on their encryption upgrades as we speak. – RM
6. Mashdown: It isn’t talked about often, but having your cloud service cut off is a real possibility. A recent article in The Economist discussed the dangers in running a business where all your data is supplied by partners – in this case Amazon. But the problem is the same whether it’s Amazon or Google APIs, or running some other type of cloudy service such as EC2 or S3. If your provider decides you have violated their agreement, your business is offline until the lawyers figure it out or (if possible) you recreate your service on an alternative platform (assuming this is possible). In a multi-tenant environment, if one tenant is selling kiddie porn cops will shut down multiple sites and seize the servers as evidence. It’s a downside of mashups and shared resources that you’ll need to sort out with your provider. It will be a while before most IT professionals come to grips with the new realities of cloud environments, and think in terms of SLAs and new definitions of disaster recovery. – AL
7. DevilSSL: In the aftermath of FireSheep, the calls for ubiquitous session layer crypto have forced several popular websites to offer HTTPS connectivity as a option (and hopefully as a default). As Adam Ely points out, there are two edges to this sword, though I’m not sure I’d call HTTPS evil. Basically unless you plan for it on your web proxies/filters, HTTPS traffic is opaque. This is another example of being careful what you wish for. We all wanted SSL everywhere, and now that we’re getting some of it, we need to revisit our controls. And also find some other game to play besides Facebook session hijacker when hanging out at Starbucks. – MR