Incite 4/11/2012: Exchanging Problems
I figured an afternoon flight to the midwest would be reasonably peaceful. I was wrong. Things started on the wrong foot when I got an email notification from Delta that the flight was delayed, even though it wasn’t. The resulting OJ sprint through the terminal to make the flight was agitating. Then the tons of screaming kids on the flight didn’t help matters. I’m thankful for noise-isolating headphones, that’s for sure.
But seeing the parents walking their kids up and down the aisle and dealing with the pain of ascent and descent on the kids’ eardrums got me thinking about my own situation. As I mentioned, I was in Italy last week teaching our CCSK course, but the Boss took the kids up north for spring break to visit family. She flew with all of the kids by herself. 5 years ago that never would have happened. We actually didn’t fly as a family for years because it was just too hard. With infant/toddler twins and one three years older, the pain of getting all the crap through the airport and dealing with security and car seats and all the other misery just wasn’t worth it. It was much easier to drive and for anything less than 6-7 hours, it was probably faster to load up the van.
The Boss had no problems on the flight. The kids had their iOS devices and watched movies, played games, ate peanuts, enjoyed soda, and basically didn’t give her a hard time at all. They know how to equalize their ears, so the pain wasn’t an issue, and they took advantage of the endless supply of gum they can chew on a flight. So that problem isn’t really a problem any more. As long as they don’t go on walkabout through the terminal, it’s all good.
But it doesn’t mean we haven’t exchanged one problem for another. XX1 has entered the tween phase. Between the hormonally driven attitude and her general perspective that she knows everything (yeah, like every other kid), sometimes I long for the days of diapers. At least I didn’t have a kid challenging stuff I learned the hard way decades ago. And the twins have their own issues, as they deal with friend drama and the typical crap around staying focused.
When I see harried parents with multiples, sometimes I walk up and tell them it gets easier. I probably shouldn’t lie to them like that. It’s not easier, it’s just different. You constantly exchange one problem for another. Soon enough XX1 will be driving and that creates all sorts of other issues. And then they’ll be off to college and the rest of their lives. So as challenging as it is sometimes, I try to enjoy the angst and keep it all in perspective. If life was easy, what fun would it be?
Photo credits: “Problems are Opportunities” originally uploaded by Donna Grayson
We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can access all of our content in its unabridged glory.
Vulnerability Management Evolution
Watching the Watchers (Privileged User Management)
Understanding and Selecting DSP
Malware Analysis Quant
Incite 4 U
Geer on application security: no silent failures: Honestly, it’s pointless to try to summarize anything Dan Geer says. A summary misses the point. It misses the art of his words. And you’d miss priceless quotes like “There’s no government like no government,” and regarding data loss, “if I steal your data, then you still have them, unlike when I steal your underpants.” Brilliant. Just brilliant. So read this transcript of Dan’s keynote at AppSecDC and be thankful Dan is generous enough to post his public talks. Let me leave you with my main takeaway from Dan’s talk: “In a sense, our longstanding wish to be taken seriously has come; we will soon reflect on whether we really wanted that.” This is an opportunity to learn from a guy who has seen it all in security. Literally. Don’t squander it. Take the 15 minutes and read the talk. – MR
AppSec trio: Fergal Glynn of Veracode has started A CISO’s Guide to Application Security, a series on Threatpost. And it’s off to a good start, packed with a lot of good information, but the ‘components’ are all blending together. Secure software development, secure operations, and a software assurance program are three different things; and while they go hand in hand if you want a thorough program, it’s easier to think about them as three legs of the proverbial stool. Make no mistake, I have implemented secure coding techniques based purely on threat modeling because we had no metrics – or even idea of what metrics were viable – to do an assurance program. I’ve worked in finance, with little or no code development, relying purely on operational controls around pre-deployment and deployment phases on COTS software. At another firm I implemented metrics and risk analysis to inspire the CEO to allow secure code development to happen. So while these things get blurred together under the “application security” umbrella, remember they’re three different sets of techniques and processes, with three slightly different – and hopefully cooperating – audiences. – AL
It’s the economy, stupid: One of the weirdest things I’ve realized over years in the security industry is how much security is about economics and psychology, not about technology. No, I’m not flying off the deep end and ignoring the tech (I’m still a geek, after all), but if you want to make big changes you need to focus on things that affect the economics, not how many times a user clicks on links in email. One great example is the new database the government and cell phone providers are setting up to track stolen phones. Not only will they keep track of the stolen phones, they will make sure they can’t be activated in the US. Bad guys will still steal them, foreign providers will still activate them after they’ve been shipped overseas, and some real jerks will figure out how to falsely register legitimate phones to get them cut off. But that still increases costs for the bad guys and reduces their profits, which should make a nice little dent in the market, and thus theft rates. – RM
Checklists don’t replace professional judgement: Great post here by Adam on applying the Checklist Manifesto to information security. It seems (as usual) that you can break security folks into two camps. The folks who want the checklist because they don’t want to think. And those who hate checklists because they become the de facto method of doing anything. Obviously that’s an oversimplification, but the point is that we security folks live in a complicated world with an infinite number of permutations. “So it’s important to understand that checklists don’t replace professional judgement, they supplement it and help people remember complex steps under stress.” Adam works back to the fact that we don’t have enough data to even know what the right steps on the checklist should be. He’s not wrong, but it will be years before we get that data. What we have now are decent ideas of the right steps to take in almost any security-related process. That doesn’t mean you should follow the checklist to the letter, but you shouldn’t dismiss these practices out of hand either. – MR
In need of a tune-up: Ed Bott over at ZDNet asks whether, given the recent security problems, we can stop using Java. The answer is an unequivocal ‘yes,’ if you don’t mind a bunch of your stuff not working. I’ve been asking this same question for years about Adobe products – specifically Flash – which treat my machine like a public toilet. But that’s the problem with pervasive software, be it Flash, Java, or old versions of Internet Explorer. They all have security bugs and they’re heavily targeted because they are all embedded just about everywhere. Go ahead, try turning off Shockwave, Java, Silverlight, WebEx, and all those other browser plug-ins and making it through a day without needing one of them. You won’t, so you’ll turn it on, and then forget to turn it off again. If it’s not Java, it’s going to be some other product everyone uses that gets targeted, so this is a circular argument. The real answer is that the specific technology doesn’t matter. Drive your car recklessly or stop doing maintenance, and sooner or later you’re going to be spending some time on the side of the road. Computer software is not so different. – AL
Pwnaccino: Yes, Apple really screwed up by not patching Java on OS X sooner and releasing the Hounds of Botnets on the Mac community. But Java? In my informal surveys at conferences and in client meetings, most security professionals cite it as their top patching concern, even over Flash these days. Java’s a mess from a security standpoint, and is now controlled by a vendor who doesn’t have the best reputation on these matters. And it runs… on everything. Roel Schouwenberg covers the issues nicely over at Threatpost. I really try to avoid having Java on any machines, but I’m stuck with it more often than not. Those of you in enterprises are probably even more worried and frustrated than I am. To be honest, I don’t think there are good answers. At best I think the OS vendors will need to look at sandboxing Java on their platforms, which may be impossible since they don’t control the code. Any way you look at it, it’s ugly. – RM
Popping the security bubbly: Congrats to our friends at Palo Alto Networks, who filed their S-1 this week, which is the first step to an IPO. What we see is a company showing tremendous growth and playing into a huge market. It looks like Splunk will likely get their IPO done soon at a valuation approaching $1 billion. And speaking of other things you can buy for $1B, how about a photo sharing site? Facebook bought Instagram, all 13 employees and no revenue, for $1B. You know Dr. Evil is cackling somewhere. But the difference between the security deals and the Internet deals? Right, the security companies have real businesses, selling hundreds of millions of dollars worth of gear every year. The Internet companies? Well they have a lot of downloads. This kind of deal does feel kind of bubble-like, as many folks commented after the announcement. Is that a bad thing? Not if you get your money out. It’s the folks holding the bag in the trough who get screwed. – MR