Flat Stanley has it pretty good. If you have elementary school age kids, you probably know all about him. Flat Stanley is a cute story about a kid who gets flattened, and then spends most of the book trying to regain his natural form. Many teachers have kids do a Flat Stanley project, where they color a picture and send it to a friend or relative.

The recipient then takes pictures of Flat Stanley doing something from their daily routine and writes a letter to send back with the photo. The kids learn a bit about someone else, and they have to read the letter. Win/win. Last week, XX2 gave me her Flat Stanley to take on a trip. I started at SecTor CA up in Toronto, so Flat Stanley got to take a picture by the CN Tower.

While I’m on this topic, I need to shout out for the folks behind SecTor CA. It’s a great conference, with great speakers and a great community. If you are in or around Toronto, you need to get to SecTor CA. They even invited Stanley to get up on stage and talk about his curious life (picture below). The audience was enthralled.

1000 folks to hear me speak? Bring it on...

Evidently Stanley doesn’t make too many high-profile keynote speeches, so XX2’s teacher showed the class the picture. It was a big hit. Turns out the wonderful Arlen clan also has lots of experience with Flat Stanley. So we traded stories of what they did with Flat Stanley. They even heard tales of Flat Stanley going to London and attending the Royal Wedding. That dude gets around.

Then I took Flat Stanley on my annual golf trip with the boys. Why not? That keynote speech business is hard work, and Stanley needed a bit of R&R. I’m pretty sure I should have had Stanley hit a few drives for me, since he couldn’t have done worse. Let’s just say I should stick to writing and pontificating. I did get some good photos of Stanley in the golf cart, and putting in a birdie. Stanley is a child, so I put him to bed before the evening festivities. And that’s all I’ll say about that.

But all told, Flat Stanley has a pretty good gig. He travels around the world and experiences interesting stuff. Which, when I come to think about it, is kind of what I do. And I’m not flat either. That would be a win for me.

Photo credits: Mike Rothman on his rockin’ iPhone 4S

Incite 4 U

  1. Getting Binary on Risk Assessment: If there is one thing I can say with a high level of confidence, it’s that math guys will defend math. Alex Hutton doesn’t disappoint, as he critiques Ben Sapiro’s Binary Risk Assessment thought balloon (presented at SecTor CA). Alex is balanced but objects to calling Ben’s approach risk assessment; instead he calls it a way to assess vulnerability severity. Vernacular and semantics – the tools of lawyers and, seemingly, math guys. What I like about Ben’s approach is that it’s simple and quick. Most real risk assessment methods are neither. And given the need to prioritize actions in real time, it’s better to be quick than right to 5 decimal places. So I like Ben’s approach – read it and use it. That doesn’t mean you shouldn’t still push toward true risk quantification (if you have that kind of threshold for pain), but understand that there is a time and place for each approach. – MR
  2. NoSQL on NoCloud: I am not surprised that Oracle launched a NoSQL database at OpenWorld. NoSQL threatens the relational DB status quo with cheaper, more agile capabilities and greater data capacity. What does surprise me is their release of NoSQL on a big-ass big data appliance. So new, yet so old school. This is especially interesting in light of the news that Oracle’s acquiring RightNow while talkin’ smack about how Salesforce.com is the roach motel of cloud. I think some of this puffery is because Oracle was late to adopt the cloud, much as Microsoft was with the Internet, but they are certainly making a concerted cloudy push now. Regardless, the big appliance deployment could really work. It’s anti-cloud, but wears like a comfortable old jacket. And it’s so self-contained that it’s generic storage, like a SAN, and you’ll likely be able to outsource security and maintenance and just worry about pushing data. I think this will be very popular with small enterprises who just need to get work done without worrying too much about new technologies. – AL
  3. Security small guy syndrome: I think I have ranted about this one before, but one of my pet peeves is people in security talking about how “We have to educate the users/developers/business/whatever.” Because, more often than not, when they say ‘educate’ they really mean ‘indoctrinate’. To me it always sounds like small guy syndrome – you know, the kid who has all the answers if the stupid world would just listen! Chris Eng pokes at a recent presentation that sounds like it falls into this category. It isn’t that security shouldn’t talk to development or try to work with them, but we will never succeed if we don’t understand their priorities in the context of our own bias. Even then their priorities will never completely align with ours because we have different jobs. So my advice is try to work with developers, but don’t expect to change them – instead assume you will be adding whatever else you need to improve the end product (secure code, right?). – RM
  4. Cyber-insurance: Win or Futility? We are starting to see better analyses of whether cyber-insurance makes sense. I have been pretty negative because it wasn’t clear to me that the underwriting was based on any real loss data – which means the environment has been rife with Ouija board pricing. There is a good primer on NetworkWorld explaining how to maybe use cyber-insurance effectively, and I have seen a pitch by Jake Kouns at Metricon (sorry – I couldn’t find a link to Jake’s deck) that helped clarify things quite a bit for me. Like any other insurance product, it’s all about buyer beware. Understand what the policy protects against, and very clearly understand the exclusions. You can’t necessarily buy enough coverage (nor would it be a good business decision) to fully cover a situation like Heartland, but it still makes sense to weigh the premiums against the potential for financial loss. Oh, yeah – that sounds a bit like security. – MR
  5. Maliciously Good: As much as we all love comic books, the problem with vigilante justice is that it lacks controls and accountability. There is no better example of the slippery slope than someone on the side of ‘good’ losing perspective and abusing their ‘power’. At least so say the comic books, a large chunk of global mythology, various religious texts, and made-for-TV movies. When Anonymous first appeared I thought we might finally be seeing some important social activism, but they quickly devolved into random pranks and blatant criminal attacks which mostly damaged the innocent. But, like any network army, we see them spinning back the other way and turning their gunsights on some seriously bad guys. But as much as part of me wants to cheer this action, my pragmatist side has to wonder if they just blew a law enforcement operation or otherwise damaged society’s ability to catch these perverts. I don’t know, and Anonymous probably doesn’t either, which is the problem. – RM
  6. Cloud QA: Good pen testing, fuzzing, and dynamic web application testing are all destructive. They can seriously break an application – which is why we don’t perform rigorous testing on live sites. Not intentionally, anyway. But the security testing ideal is to mimic live sites as closely as possible – the code, the data, and the environment. And that’s one reason the cloud is perfect for QA. Cheap, on-demand resources that scale up and down as needed. Mike Vizard’s post on Narrowing the DevOps Gap touches on this, but it’s not really a visibility issue – the cloud addresses the resource management problems. Every QA organization I have ever run had huge resource bottlenecks – the archives of clean test environments, clean test data, and the resources available were usually a third of what we needed. Run a test, and the infrastructure would be idle for days while we reviewed test data and patched code, and then reset test platforms. But this dynamic use model is exactly where the cloud excels. Plus, even though Amazon and Rackspace are public cloud providers, you can carve out private areas to perform testing on real code – with real data – and still be highly secure (auditors be damned!). IaaS clouds are a boon to QA organizations! – AL
  7. Unbounded Attack Surface: Just in case you thought you could really stop a determined attacker, forget it. This Dark Reading story shows how even a low-value target like a PBX could be used to gain access to the keys to the kingdom. The pen testers at TrustWave used a PBX field technician account (why does that exist, anyway?) to compromise help desk voicemail, and then helped a user troubleshoot their VPN account to piggyback on their token authentication. And they were in! So as much as you try to close all the holes, there is an infinite number of them – which is why we still fall back on Reacting Faster and Better. The pen test guys are good, but so are the adversaries. – MR