For those of you who are not American Football fans, we’re in the middle of the playoffs over here. Teams work all year to get into the tournament and secure a high seeding. And of course the best-laid plans sometimes end up at the wrong end of a blowout (yes, ATL Falcons, I’m talking about you). This past week’s NFC Championship provided a lot more drama than in the past, and not because it was a competitive, exciting game.

Instead it was the reaction from all sorts of folks when Chicago’s QB, Jay Cutler, was taken out of the game with an alleged knee injury. It did seem kind of strange, with Cutler walking around on the sideline. How hurt could he be? In years past, the commentators and analysts would weigh in and focus on the game. But the game has clearly changed.

Lots of folks chimed in on Twitter and in blogs about how hurt (or not) Cutler was. Some NFL players called him a wimp. Some questioned his heart. All in real time. And even better, without any real information from which to judge. You don’t need no stinking proof. Guys in testosterone overload talked smack about needing to be taken off the field on a stretcher before they’d leave a championship game. The chatter around the news has actually become the news, which is rather weird.

The past 48 hours haven’t been about how Chicago played the game or even the Packers’ trip to the Super Bowl after sliding into the tournament as the #6 seed. It was about Cutler. Now he’s got to defend whether he should have been playing on a Grade 2 MCL sprain (which is really a partial tear). Welcome to the Real Time generation. Who needs proof? There’s tweeting to do!

We see this in security as well. You have folks live tweeting conference presentations, and half the time in meetings during their work days. I hear about stupid clients and funny jokes, in real time. This is both good and bad. I used to judge my pitches based on heads nodding and how many folks came up after the session and chatted. At least now I know where I stand. If I suck, someone in the crowd has tweeted it. Why have an off-day with 100 folks, when you can be laid bare to the entire Twitterverse? Likewise, if I’m killing it, I get that feedback right when I step off the stage.

Fortunately I haven’t gotten so wrapped up in this real time feedback that once I’m done I defer real life conversation to re-tweet flattering comments. Though Rich has been known to use Twitter for Q&A when he moderates panels. I’m still trying to calibrate the true effect of this real-time communication, but I have time. Real time isn’t going away anytime soon.


Photo credits: “Pile of Peanuts” originally uploaded by falcon1961

Last Call. Vote for Me.

Is it too late to grovel? I think you can still vote for the Social Security Blogger Awards. The Incite has been nominated in the Most Entertaining Security Blog Category. My fellow nominees are Jack Daniel’s Uncommon Sense, the Naked Sophos folks, and some Symantec bunker dwellers from the UK. All very entertaining and worthy competition.

Help a brother out with a vote. If I win, Swedish pumps for all! Yeah, baby!

Incite 4 U

  1. Trojan opens the malware umbrella: It seems the Trojan man has upped the ante in the latest round of malware punch/counter-punch. Cloud AV helps leverage reputation and a much broader library of bad stuff to detect, and dramatically improves effectiveness to still pretty crappy. So it’s not surprising that bad guys would just block calls to any external service from the AV client. It’s no different than when some malware uninstalled other rootkits. Once a machine is owned, why wouldn’t they install the software they want and disable stuff they don’t? Even worse, it’s not clear how the AV vendors can block this behavior. Any ideas? – MR
  2. A little security theater on the way out: Back in 2005 when the FFIEC told banks they had to start using two-factor authentication, the industry responded with one of the most impressive acts of security theater I’ve ever seen. Instead of giving us all tokens or linking our accounts to text messages on our phones, they used these idiotic browser/system detection technologies that are effectively worthless. But according to my former colleague Avivah Litan in this NetworkWorld article, the FFIEC might be correcting their mistake. Get ready for the screaming from both banks and consumers, but this one could tighten the window the bad guys have to drain your account once they grab your credentials. – RM
  3. Scratching Bottom: When I used to develop software, prior to release I would do a sanity check of the publicly exposed methods in my code to determine my “threat surface”. More to the point, what interfaces would attackers target, and which methods in particular could expose functions or data critical to the system? It’s a rather myopic programmer’s view of attack surface, but it addressed the parts I was most interested in and the components under my control. When Microsoft announced the Attack Surface Analyzer last week I was somewhat nonplussed, as their tool focuses on “classes of security weaknesses as applications are installed on the Windows operating system”. As a developer my responsibility was the top of the stack, not the bottom. Sure, I might be responsible for Apache `httpd` and the database, but not the platform nor other supporting applications. But security of the platform matters – even if attack surface analysis of the OS is not part of your SDL/release management process. Tools like Attack Surface Analyzer would be handy to `diff` revisions over time so you could confirm applications and OS configurations are what you expect. Most IT admins have tools that verify application sets, and others to verify configuration and patch settings, but this is a different – dare I say ‘holistic’ – view of the system. Worth checking out if you deploy web apps on Microsoft’s stack. – AL
  4. The attackers aren’t always out there: Wait, an article talking about the insider threat and not mentioning WikiLeaks? For that alone I give it some props. Of course, it uses lots of ancient FUD – flinging around examples of insider attacks like an employee running a pr0n site on a corporate server, logic bombs, and deprovisioning FAIL. But the message is the same. You can’t assume the bad guys are just *out there*. They could be in here, too. Which means you can’t trust anyone. And you have to monitor the crap out of your environment, just to make sure. React Faster and Better. Learn it. Live it. Love it. – MR
  5. IT still floats to the top: I hate to admit how many times I’ve either heard of, or worked at, companies where someone with uncanny political savvy but a complete lack of intelligence can screw things up for everyone else. Heck, I’m dealing with it in my own community association, which is seriously annoying. Like I have time to deal with the numbnuts. This is highlighted in a depressing Security Monkey post where a “new EVP” snows the board and wrecks both careers and a well-run operation. My last company had a similar serious issue until hiring a new CEO who cleaned house and got things moving in the right direction. We all hate it, but this highlights the importance of those cruddy “soft skills” that Rothman dude is always talking about. As for me? There’s a reason I work for myself. – RM
  6. Look! A shiny object: I’ve been reading the surge of coverage over Google adding opt-out capabilities to Chrome, and making opt-out capabilities available to others. Much of the discussion has been about balancing user privacy against faceless marketing organizations’ ‘right’ to serve you. As I write this, I just ran across a news site that had 17 cookies, JavaScript, iFrames, Flash cookies, 14 ghost tags, pixels, and beacons from companies I want nothing to do with. A lot of web sites treat your browser like a public toilet without your knowledge, dumping what they can on your machine, attaching to every session they can scrabble into. I really like the FCC’s position, asking for a “Do Not Track” mechanism. What bugs me is that the discussion has devolved into how to deal with cookies. Google’s response about “technical challenges with opt-outs” is all about cookies and nothing about any of the other tracking mechanisms. Sure, I know, I am not supposed to bash Google because they offer this functionality on a voluntary basis. And they won’t be evil, right? But throwing up dire concerns about ‘state’ is FUD, IMO, as very few users care about state. Most users are worried about privacy, and few are even aware of the extent to which their personal information is being used. “Do Not Track” is likely to become “No Cookies”, with marketers publicly pretending that they care about privacy while they quietly move to non-cookie tracking. – AL
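One partial answer to Mike’s question in item 1: the vendor can’t stop an attacker who already owns the box, but the host (or a response team pulling artifacts) can at least notice one of the cheapest ways malware cuts an AV client off from its cloud service, a static entry in the hosts file. The script below is an added example, not code from the post or from any AV vendor; the watched domain names and the sample hosts file are constructed for the illustration and are not any real vendor’s infrastructure. Other blocking mechanisms (firewall rules, DNS tampering, process termination) need their own checks and are not covered here.

```python
import ipaddress

# Constructed watch list: names an endpoint-protection client must reach
# (cloud reputation lookups, signature updates). Hypothetical domains.
WATCHED_SUFFIXES = (
    "cloudlookup.example-av.com",
    "updates.example-av.com",
    "reputation.example-security.net",
)


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file content.

    Handles comments, blank lines, tabs, and several names per line.
    Malformed lines are skipped rather than raising: a tampered file is
    exactly where we should expect junk."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address at all; ignore
        for name in parts[1:]:
            entries.append((ip, name.lower().rstrip(".")))
    return entries


def _watched(hostname):
    return any(hostname == s or hostname.endswith("." + s)
               for s in WATCHED_SUFFIXES)


def find_sinkholed(text):
    """Findings for watched hostnames pinned in the hosts file.

    Any pin is suspicious: a legitimate client resolves these names through
    DNS, so a static mapping means something on the box is steering the AV
    client's traffic. Loopback/0.0.0.0 blackholes it; anything else
    redirects it (possibly to an attacker-controlled host)."""
    findings = []
    for ip, name in parse_hosts(text):
        if not _watched(name):
            continue
        kind = "blackholed" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        findings.append({"host": name, "ip": str(ip), "kind": kind})
    return findings


# Constructed sample: a stock Windows hosts file with two attacker-added
# lines (the localhost entries are normal and must not be flagged).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# added by build script
10.0.0.5        intranet.corp.local
127.0.0.1       cloudlookup.example-av.com updates.example-av.com   # <- malware
0.0.0.0         telemetry.reputation.example-security.net
198.51.100.7    api.reputation.example-security.net
"""

if __name__ == "__main__":
    for f in find_sinkholed(SAMPLE_HOSTS):
        print(f"{f['kind']:<11} {f['host']} -> {f['ip']}")
```

On a live Windows box you would read `%SystemRoot%\System32\drivers\etc\hosts` instead of the embedded sample; the parser is deliberately tolerant so that an attacker padding the file with garbage does not crash the check.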
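To make item 3 concrete, here is the kind of before/after diff Adrian has in mind, written as an added example rather than anything from Microsoft’s Attack Surface Analyzer: two constructed snapshots of a host’s listeners, services and installed applications (the field names are my own, not the tool’s output format), a generic diff, and a short list of the differences an admin should read first, such as a listener that was bound to localhost and is now on all interfaces.

```python
# Constructed snapshots, taken before and after installing a hypothetical
# "Acme Agent". Keys and values are illustrative, not a real host.
BEFORE = {
    "listeners": {
        "tcp/135":  {"bind": "0.0.0.0",   "process": "svchost.exe"},
        "tcp/445":  {"bind": "0.0.0.0",   "process": "System"},
        "tcp/5432": {"bind": "127.0.0.1", "process": "postgres.exe"},
    },
    "services": {
        "W32Time":    {"start": "manual", "account": "LocalService"},
        "postgresql": {"start": "auto",   "account": "NetworkService"},
    },
    "installed": {"PostgreSQL 9.0": "9.0.2", "Python": "2.7.1"},
}

AFTER = {
    "listeners": {
        "tcp/135":  {"bind": "0.0.0.0", "process": "svchost.exe"},
        "tcp/445":  {"bind": "0.0.0.0", "process": "System"},
        "tcp/5432": {"bind": "0.0.0.0", "process": "postgres.exe"},   # widened
        "tcp/8080": {"bind": "0.0.0.0", "process": "AcmeAgent.exe"},  # new
    },
    "services": {
        "W32Time":    {"start": "manual", "account": "LocalService"},
        "postgresql": {"start": "auto",   "account": "NetworkService"},
        "AcmeAgent":  {"start": "auto",   "account": "LocalSystem"},  # new
    },
    "installed": {"PostgreSQL 9.0": "9.0.2", "Python": "2.7.1", "Acme Agent": "1.0"},
}

ALL_INTERFACES = ("0.0.0.0", "::")


def diff_snapshots(before, after):
    """Generic diff: per category, what was added, removed, or changed.

    'changed' maps a key to an (old, new) tuple so callers can see both."""
    report = {}
    for cat in sorted(set(before) | set(after)):
        b, a = before.get(cat, {}), after.get(cat, {})
        report[cat] = {
            "added":   {k: a[k] for k in a if k not in b},
            "removed": {k: b[k] for k in b if k not in a},
            "changed": {k: (b[k], a[k]) for k in a if k in b and a[k] != b[k]},
        }
    return report


def flag_risks(report):
    """Reduce the raw diff to the findings that actually widen attack surface.

    Rules encoded here: new or widened listeners on all interfaces, new
    services running as LocalSystem, services flipped to auto-start or
    moved to a different account."""
    findings = []
    lst = report.get("listeners", {"added": {}, "changed": {}})
    for port, info in lst["added"].items():
        if info["bind"] in ALL_INTERFACES:
            findings.append(f"new listener {port} ({info['process']}) bound to all interfaces")
    for port, (old, new) in lst["changed"].items():
        if old["bind"] != new["bind"] and new["bind"] in ALL_INTERFACES:
            findings.append(f"listener {port} widened from {old['bind']} to all interfaces")
    svc = report.get("services", {"added": {}, "changed": {}})
    for name, info in svc["added"].items():
        if info["account"] == "LocalSystem":
            findings.append(f"new service {name} runs as LocalSystem")
    for name, (old, new) in svc["changed"].items():
        if old["start"] != "auto" and new["start"] == "auto":
            findings.append(f"service {name} changed to auto-start")
        if old["account"] != new["account"]:
            findings.append(f"service {name} account changed {old['account']} -> {new['account']}")
    return findings


if __name__ == "__main__":
    report = diff_snapshots(BEFORE, AFTER)
    for cat, delta in report.items():
        print(cat, {k: sorted(v) for k, v in delta.items()})
    print("\n".join(flag_risks(report)))
```

The split between `diff_snapshots` and `flag_risks` is the useful part: the diff is exhaustive and boring, while the rules in `flag_risks` are where you encode what “what you expect” means for your environment, and they are the thing to tune as the tool produces noise.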