I think we’ve taken this instant gratification thing a bit too far. Do you remember in the olden days, when you didn’t know what you were getting for your birthday? Now we get no surprises, pretty much as a society. The combination of a 24-hour media cycle, increasingly outsourced manufacturing, and loose lips ensures that nothing remains a secret for long.

Ask HBGary Federal about loose lips...

I remember the day IBM announced the hostile acquisition of Lotus back in 1994. I was at META at the time, and we were hosting a big conference of our clients. No one knew the deal was coming down and there was genuine surprise. We had a lot to talk about at that conference. Nowadays we hear about every big deal weeks before it hits. Every layoff. Every divestiture. It’s like these companies have their board rooms bugged. Or some folks in these shops have loose lips.

And what about our favorite consumer gadgets? We already know the iPad 2 isn’t going to be much of an evolution. It’ll have a camera. And maybe a faster processor and more memory. How do we know? Because Apple has to make millions of these things in China ahead of the launch. Of the 200,000 people who work in that factory, someone is going to talk. And they do. Probably for $20. Not to mention all the companies showing off cases they needed a head-start on. So there is no surprise about anything in consumer electronics anymore.

But this weekend I hit my limit. You see, I love the Super Bowl. It’s my favorite day of the year. I host a huge party for my friends and I like the commercials. You always get a chuckle when you see a great commercial. It’s a surprise. Remember the Bud Bowl? Or Jordan and Bird’s shooting contest? Awesome. But no more surprises. I saw a bunch of the commercials on YouTube last week. You have to love VW’s Darth Vader commercial, but the novelty had worn off by the time the game started. I know you try to create buzz by moving up your big reveal (it’s been happening at the RSA Conference for years), but enough is enough.

We try to teach the kids the importance of keeping secrets. We talk freely in our house (probably a bit too freely) and we’ve gotten bitten a few times when one of the kids spills the beans. But they are kids and we used those experiences to reinforce the need to keep what someone tells you in confidence. But they are in the middle of a world where no one can keep a secret.

Which once again forces us to hammer home the age-old refrain: “Do as we say, not as they do…” And no, I’m not telling you about our super sekret project. Unless you are from the WSJ, that is.


Photo credits: “Loose Lips” originally uploaded by fixedgear

Big Head Alert

Well, it wasn’t enough for me to offer up free refreshments to those meeting up at the Security Blogger’s Party at RSA, in exchange for a vote for most entertaining blog. But the accolades keep rolling in. Yours truly has been nominated for the Best Security Blogger award by the fine folks at SC Magazine. I’m listed with folks like Hoff (does he even blog anymore?) and Bruce Schneier, so I can’t complain. Although the Boss did call the handyman this morning – it seems we need a few doors expanded in the house for my expanding head.

Yes, I’m kidding. I’m fortunate to surround myself with people who remind me of my place on the totem pole every day. Yeah, the bottom. I’ll be the last guy to say I’m the best at anything, but I certainly do appreciate being noticed for doing what I love. You can vote. And no, I haven’t contracted with RSnake to game the vote. Not yet, anyway.

Incite 4 U

  1. PR writing a check your defenses can’t cash: That title came from a Twitter exchange I had earlier this week about the HBGary Federal hack. Basically the CEO of this company talked smack about penetrating and exposing a hacker group and… wait for it… lo and behold they eviscerated him. As Krebs describes, it was a good hack. These Anonymous guys don’t screw around. And that’s the point. Just like our friend the World’s #1 Hacker, if you talk smack you will get hurt. The folks from HBGary are very smart. And even if they could detonate malware (using their own damn device), a determined attacker will find your weak spot. And more often than not it’s the human capital who drinks your coffee, uses your toilet paper, and maybe even gets something done, sometimes. So basically here is a message to everyone out there: STFU. These stupid PR games and testosterone-laden boasts of hacking this or hacking that show you as nothing more than a “big hat, no cattle” hacker. The folks who really can don’t have to talk about it. And odds are they’ll stay anonymous. – MR
  2. The Endpoint Is the Network: One of the wacky things about cloud computing is that it royally screws up so many of the existing security controls. Network monitors, firewalls, vulnerability assessment, and even endpoint agent management all sort of go nuts when you start moving machines around randomly in the fluff of the cloud. To work consistently your security controls need to track the virtual machines, no matter where they pop up. I’m just getting caught up, but CloudPassage looks interesting. It uses an agent and security management plane to consistently apply controls as machine instances move around, even in hybrid models. Yes, we now have to dump everything back into the endpoint we built all that ASIC-based hardware for. Sorry. – RM
  3. Looking in the Mirror: Rocky DeStefano posted a nice table of common SIEM evaluation criteria on the visiblerisk blog. This is a handy set of RFI questions that companies looking to evaluate SIEM providers should ask, to get a better understanding of product differences. I have also found that review of a list like this is a good tool for would-be customers to get their own house in order – so to speak – regarding priorities, requirements, and identifying the appropriate stakeholders prior to starting the process. The whole evaluation process goes much more smoothly when you select the right vendors to evaluate, but it’s even better when you have cleared all the internal political and budgetary problems prior to starting the project. Having been on both the vendor and customer sides of this process, I find customer-side problems are more likely with complex projects such as SIEM. – AL
  4. Heading off to the great PDP in the sky: RIP, Ken Olsen, who founded Digital Equipment Corp. He died over the weekend, and no it wasn’t because the VAX in his bedroom sucked all the oxygen out of the room. He was 84 and was one of the real pioneers of the computer business. Even if he did wonder what anyone would need with a computer in their home. I know some of you kids have never heard of DEC, but suffice it to say it was an important computer company when your parents were in diapers. In fact a lot of the upper echelon talent running today’s computer giants cut their teeth selling, installing, building, or programming DEC machines. – MR
  5. Hack to Learn: A $25 toolkit called TinieApp helps you author Facebook malware. I thought this was a really cool tool for educational purposes. Schools teaching computer science should look into kits such as this, as an awareness program when teaching kids about data security. It’s hard to understand the threat unless you have seen it first hand, and having kids learn basic attacks is a way to teach them about threats to code and how to protect themselves in a social media environment. I even thought about buying a copy, but apparently they only accept stolen credit cards for payment and I am fresh out. – AL
  6. Don’t touch it: Mike and I are hard at work on our React Faster and Better Series on advanced incident response, but the reality is that approach/process only works for large organizations with dedicated response resources. Most of the rest of you will rely more on outside help if something gets bad enough. Mandiant is one of those companies, especially if you are dealing with APT, and they posted some guidance for first steps when the worst happens. Their key point? Try not to touch too much and ruin the evidence. If you don’t know what you’re doing, you can make the situation a lot worse by reacting too quickly without the right knowledge. Kind of like jumping into a flood to save someone (and drowning) instead of waiting for someone with a rope. – RM
  7. Chasing the elusive security benchmark: There are plenty of folks in the industry (spearheaded by the New School dudes) who have been calling for more quantitative analysis of our practices. And their calls have been falling on deaf ears for years. I have also been somewhat vocal about the need to quantify important stuff, and the idea of benchmarking your performance versus others is a key aspect of the Pragmatic CSO. In fact, one of my hare-brained ideas was to try establishing a benchmark. I got nowhere on my own. Then I worked with the CIS folks on their metrics initiative, which eventually would have resulted in a publicly available benchmark. Yeah, slow going there. But now the folks at nCircle seem to have something interesting, their new Benchmark offering. And they even silently bought a struggling metrics player (ClearPoint Metrics) to bolster their quant quals (h/t to 451 Group for digging up that nugget). Fact is, the benchmark will only be as good as the data, so here’s to hoping nCircle can gather some data and will be willing to community source it in some fashion so the quant can quantify. – MR
  8. Privacy is Job #1: My wife opened a new business account at the local big bank. Once she finished, the staff member filled my wife’s new account folder with all sorts of data sheets for services and products we don’t want. Two things caught my eye: one was a set of identity and security ‘products’ to help big bank customers prevent having their identities stolen. The second item in the pack was someone else’s home equity loan details – including account numbers, routing numbers, name, balance, and some other personal data. I’ve seen sales people stoop in this manner, but the person checked out on the tax records. On second thought perhaps my wife should reconsider those security services.