Friday Summary: May 18, 2012
A friend told me this week they were on Pinterest. I responded, “I’m sorry! How long does your employer allow you to take off?” I was seriously thinking this was something like paternity leave or one of those approved medical absence programs. I really wondered when he got sick, and what his prognosis was. He told me, “No, I’m on Pinterest to market my new idea.” WTF? Turns out it’s not a medical sabbatical, but another social media ‘tool’ for sharing photos and stuff.
When I Googled Pinterest to find out what the heck it actually was, I found a long blog about the merits of using Pinterest for Engagement Marketing, which happened to be at the blog of an old friend’s company. Soon thereafter I fired up Skype and was chatting with him, finding out what he’d been up to, how the kids were, and what mutual friends he had seen. That led to a LinkedIn search to find those friends mentioned, and while looking I spotted a couple other people I had lost track of. Within minutes I’d emailed one and found the other on Twitter. My friend on Twitter told me to check her blog on marketing over social media, which referenced another mutual friend. I emailed him, and when I hit ‘send’, I received a LinkedIn update with a list of several friends who recently changed jobs. I messaged one and texted the other to congratulate them. The next thing I knew I was chatting on FaceTime with one of these friends, in a pub in London celebrating his new position. We talked for a while, and then he said he ran into a fraternity brother and texted me his email. I emailed the fraternity brother, who sent back a LinkedIn invite telling me he’d Skype me later in the day, and included a funny YouTube video of Darth Vader riding a unicycle while playing bagpipes. As I watched the bagpiping maniac a Skype message popped up from another friend telling me she’s changed jobs (and have you noticed all of the people in tech changing jobs recently?). She invited me to speak at an event for her new company, listed on Meetup. I declined, sending her the Gotomeeting link to a conflicting event, but told her I’ll be in town later in the week and sent her a calendar invite for lunch. She sent back a list of Yelp recommendations for where to go.
All in about an hour one morning. For an asocial person, this whole social media thing seems to have permeated my life.
It’s freakin’ everywhere. In case you hadn’t heard, Facebook’s making an Initial Public Offering right about now. But love them or hate them, each social media site seems to do one thing really well! LinkedIn is a really great way to keep in touch with people. No more shoebox full of business cards for me! And it’s totally blending work and home, and combining groups of friends from different periods of my life into one ever-present pool. Twitter is an awesome way to casually chat in real time with a group of friends while getting work done. BeeJive lets me chat on my mobile phone with the guys at Securosis. Skype offers cheap calls of reasonable quality to anyone. Some companies actually do follow Twitter with live human beings and respond to customer complaints, which is great. And Facebook offers a great way to infect your browser with malware!
That said, every social media site still sucks hard. I’m not talking about users making asses of themselves, but instead about how every site tries too hard to be more than a one-trick pony, offering stuff you don’t want. I guess they are trying to increase shareholder value or some such nonsense rather than serve their audience. Skype was trying to branch out with their ‘mood’ feature – who thought that crap was a good idea? And now Pinterest is copying that same bad idea? Facebook Social Cam? Or LinkedIn communities, which seem to be a cesspool of bad information and people “positioning themselves” for employment. Corporate Twitter spambots are bad but they’re not the worst – not by a long shot. It’s the garbage from the social media companies who feel they must inform me that my “contacts are not very active”, or remind me that I have not responded to so-and-so’s request, or promote some new ‘feature’ they have just created which will likely interfere with what they actually do well. Who decided that social media must have nagware built in?
And in spite of all the horrific missteps social media makes trying to be more than they are, these sites are great because they provide value. And most of them provide the core product – the one that’s really useful – free! Much as I hate to admit it, social media has become as important as my phone, and I use it every day.
Oh, before I forget: If you have emailed us and we have failed to respond in the last couple weeks, please resend your email. We’ve got a triple spam filter going, and every once in a while the service changes its rule enforcement and suddenly (silently) blocks a bunch of legit email. Sorry for the inconvenience.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Mike on the “Renaissance Information Security Professional”.
- Rich quoted on Adobe’s fixes on c|net.
- Mike’s Dark Reading post: Time To Deploy The FUD Weapon?
Favorite Securosis Posts
- Mike Rothman: Understanding and Selecting Data Masking: Introduction. Masking is a truly under-appreciated function. Until your production data shows up in an Internet-accessible cloud instance, that is. Hopefully Adrian’s series sheds some light on the topic.
- Adrian Lane: Write Third. Rich nails it – the rush to be first kills journalism/integrity/fact checking/perspective/etc. Most ‘writers’ become automated garbage relays, often with humorous results, such as one of my all-time favorite Securosis posts.
Other Securosis Posts
- [New White Paper] Vulnerability Management Evolution.
- Incite 5/16/2012: Moving up Day.
- Friday Summary: May 10, 2012.
Favorite Outside Posts
- Mike Rothman: IBM’s Cyber-Bullying Activity Kit. Having a child entering middle school has opened my eyes to the hazards of bullying, and put me on alert about cyberbullying. IBM has an activity kit to educate parents and help discuss the issues with kids. There are tons of resources out there, so this is as good as any. But it’s an important conversation to have with your kids. So do that.
- Adrian Lane: Scamworld. “Desperation never makes a good deal.” It’s hard to fathom why scams like this and ‘419’ scams succeed, but hope and desperation seem to be the main reasons people misplace their trust in scammers. Very interesting read, so grab a beer and plan on a few minutes plowing through this one.
- Rich: We are all Byron Sonne. “I can’t remember a time in my life when I didn’t poke and prod. You can’t be good at security if you think any other way.”
Project Quant Posts
- Malware Analysis Quant: Index of Posts.
- Malware Analysis Quant: Metrics – Monitor for Reinfection.
- Malware Analysis Quant: Metrics – Remediate.
- Malware Analysis Quant: Metrics – Find Infected Devices.
- Malware Analysis Quant: Metrics – Define Rules and Search Queries.
- Malware Analysis Quant: Metrics – The Malware Profile.
- Malware Analysis Quant: Metrics – Dynamic Analysis.
Research Reports and Presentations
- Vulnerability Management Evolution: From Tactical Scanner to Strategic Platform.
- Watching the Watchers: Guarding the Keys to the Kingdom.
- Network-Based Malware Detection: Filling the Gaps of AV.
- Tokenization Guidance Analysis: Jan 2012.
- Applied Network Security Analysis: Moving from Data to Information.
- Tokenization Guidance.
- Security Management 2.0: Time to Replace Your SIEM?
Top News and Posts
- Facebook and LilyJade worm.
- UTM market on the upswing, expert says. Only they have been called Next Gen Firewalls for some time, and Secure Web Gateways before that. UTM is so 2008.
- Adobe decides to patch current revisions.
- Google Chrome patches.
- Bitcoin Hack.
- SEC Guidance Is a Really Big Deal.
- No way! You can hack surveillance camera feeds? Who knew?
- Cyber Espionage & Strategic Web Compromises.
- Pre-pay card fraud results from Global Payment breach.
- Free Byron – and Byron is Free is big news this week.
Blog Comment of the Week
Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to an Anonymous commenter, in response to Understanding and Selecting a Database Security Platform: Comments and Series Index.
At first glance it seems kinda compliance heavy. Although compliance is still a key driver, we see security concerns increasing and being a greater motivator. Chalk it up to Anonymous or whoever, but this seems to be real based on our customer experience.
There seems to be a lot of focus on FAM – based on our previous conversations, you guys told us that FAM is cool, but the market isn’t ready for it and adoption is several years away. If that is still true – is FAM being overemphasized in this paper?
Where do you draw the line for products to be considered DSP, vs. just DAM or assessment?
I’d like to see more commentary on learning systems and the potential for false positives. It’s mentioned in a few places, but I’m not sure the risk associated with false positives is emphasized enough.
Network Monitoring – is it worth making any commentary on the network traffic overhead generated or its impact on the network?
Heuristic analysis section – same comment on false positives – they seem to be downplayed here. This is a very real concern and a fundamental difference in different scanning approaches.
On database discovery – I think there are differences here in how people do discovery – specifically active discovery (scanning) vs passive discovery (basically identifying via monitoring the network). It’s worth highlighting and identifying the pros and cons of each. And you might want to mention value of being able to discover on “any port” vs. just the standard assigned database ports.
Blocking – Few customers use blocking, whereas a great number of customers set monitoring policies to react, cutting off user accounts or integrating with other security tools vs. the ‘all or nothing blocking’. Blocking has more impact on the environment and false positives in this environment are more problematic.
In the Deployment section, you don’t really get into issues of scalability and ease of deployment. This is one of the key things people tell us – especially those that have made the mistake of believing vendor claims and are now throwing them out. I think it’s a key consideration in an effective deployment and definitely a “real world” consideration.