It has been a very trying week, between all our current projects- both Rich and I have had untimely home repair work, Rich is recovering from the flu, and we are both scrambling to get work done before deadlines. We have been focused on a series for security spending justification, which we will be mostly posting in blog entries. This is one of the tougher projects I have ever worked on, especially when your goal is to provide pragmatic advice that does not require dusting off calculus. While I was never particularly comfortable with many of the economic models that have been bastardized adapted for security spending justification, I had never spent this much time examining them closely. Having now done so, wow, what a crock of s^&! ROI, NPV, IRR, ALE, ROSI: these things are worthless in terms of security justification. They just completely miss the concept of the value of information, and the careful balancing act between risk and security. Many concepts treated as orthogonal are not, and some of the loss calculations are non-linear. Typically half the relevant data cannot be quantified, and some is simply unavailable. I am happy to say that both Rich and I have had a few ‘ah ha!’ moments, and a few areas where we have disposed of some BS, and I look forward to posting and getting some comments on the subject.
Most of the other stuff going on here at the Lane household is related to ergonomics and comfort. Since I returned from San Jose, it has felt like one long moving project. With more fu iture than could fit into two houses, let alone one, there was a lot of packing and organizing. Yes, it has been 6 months since I got back to Phoenix full time, and the move project is just now winding down. We packed the closets and third garage space with stuff, and gave away a lot as well. Slowly and surely we have rearranged the fu iture to make things comfortable. New desk, new computers, new chairs. And four years of back-logged home repair projects: “fix this, paint that, move everything around. No, move it back”. I can now say I feel like I am done, and I am finally concentrating on having a little fun. That is what got me started on the Music rant (see link below) about FM radio. I was trying to get music into the kitchen, the office and the car, which is when I was confronted with the hideous reality that is FM radio. So it is time to get a music server in the house, and transfer 500 or so CDs into Apple Lossless format. And then start the search for new music to fill it up, and find some online stations worth listening to.
There was a LOT of interesting stuff in the news this week and we compiled a lot of links.
Here is the week’s security summary:
Webcasts, Podcasts, Outside Writing, and Conferences:
- In the Network Security Podcast this week, Martin & Rich discuss phishing, compliance costs, programming errors, and “How to suck at security”.
- Adrian quoted in eWeek article on DAM and SIEM integration.
- Rich’s TidBITS article on protecting yourself in Safari
Favorite Securosis Posts:
- Rich: There are no Trusted Sites: Paris Hilton Edition.
- Adrian: So it has nothing to do with security, but this is still my favorite post this week. Time to shop for a music server.
Favorite Outside Posts:
- Adrian: Martin’s PCI related blog list.
- Rich: This is a VERY impressive workflow for managing potentially controversial blog posts, and understanding the different categories of bloggers. I’m shocked this came out of the Air Force, not because they aren’t capable, but because it looks more attuned to the business world than the military. If you are a blogger, or work with bloggers, or read blogs, take the 2 minutes to read this. If you don’t fit any of those categories, what the hell are you doing on our blog? Get off our lawn!
Top News and Posts:
- Very sneaky approach to capturing ATM pin numbers.
- Trolls suck; just because you wrote down an idea, filed some paperwork, then completely failed to actually do anything with it doesn’t mean you get to sue the world. Oh wait, I guess it does.
- Microsoft patches Windows.
- TJX Hackers gets 30 years in prison. How many of you, in your best ‘Spicoli’ voice, said “Awesome! Totally awesome!”. Just me? No, wait, Rothman did as well.
- Oracle Critical Patch Update for January 2009. Our comments here.
- You would never know it from looking at the Sana site, but AVG has acquired Sana Security.
- This is crazy: Countrywide execs mock their own ads. In court, no less.
- BitArmor’s latest PR bit. I admire their moxy, but they’re taking a serious gamble, both in PR and liability.
- Maltego 2 tutorial: Maltego is an information collection tool that absolutely rocks. If you ever want to track down the connections between people, systems, documents, and whatever: Maltego is your friend.
- PCI hits POS– It’s about freakin’ time.
- Gunnar’s 2009 to do list.
- Steve Jobs taking a leave of absence from Apple. This does not look good.
Blog Comment of the Week:
We did not get any security related comments this week, but we did get several good observations on music. Rob’s comment on Phil Collins is the Mel Torme of my generation:
Radio? Are there still radio stations? I’m never out of internet range when I’m working, and if I’m not listening to my music I’m on Pandora (free subscription with my Squeezebox) or Radio Paradise. No commercials. Pandora does a good job of giving me the music I pick, and Radio Paradise has lots of good, new music. FM radio is so last century. 🙂
Now, time for a beer and a a few hours of frantic editing.