I still go see a lot of live music. Yes, it’s a luxury, but I’d rather give something else up than my handful (OK, maybe two handfuls) of shows every year. On Monday night we saw Sting with his big orchestra. It was definitely a more mellow show than when we saw him a few years ago with his band (right, The Police), but it was a good show nonetheless.

We are all individuals -- to a point. I usually go to shows with the Boss and we each have different things that we like and don’t like about live music. Over the past few years we’ve learned to accept each other’s show angst. She likes to sit close and sometimes when the budget and availability work out, we get decent seats.

In the event we don’t get close, she’s usually looking for an opportunity to move up. That gives me angst. Bordering on paranoia. When I’m in someone else’s seat I’m figuring each person who walks by wants their seats back and will probably hit me with a bat. I know, it’s not logical, but it causes me angst. It kills my proverbial show buzz.

The Boss has no irrational seat squatting fear, so she just waits to be ejected and is cool with that. But she’s got show issues too. It makes her nuts when someone around us is talking. I mean nuts. I should call her Ms. Shush, since she’ll usually just tell them to, uh, quiet down. She does have a point in that these people pay a hundred bucks to go to a show and then talk about their goiters or sports teams or some asshat at work. Go figure. But the extraneous noise doesn’t bother me. I focus on the performer and tune everything else out.

I could get annoyed that she’ll disappear for most of a show and meet me later if she gets a better seat. And she could get annoyed that the chatter doesn’t bother me. But that’s not productive. Now we know each other’s angsts and we accommodate. I let her go walkabout and if she does stay in our seats, I’ve become a burgeoning Mr. Shush because I know her experience is better if everyone shuts their traps.

And it works for us. But only if you embrace your partner’s individuality and learn to roll with it. Maybe I have learned something after 13+ years of marriage.

– Mike.

Photo credits: “Individuality Redux” originally uploaded by spaceamoeba

Recent Securosis Posts

  1. Friday Summary: June 25, 2010
  2. Understanding and Selecting a Tokenization Solution: Introduction
  3. Are Secure Web Apps Possible?
  4. NSO Quant: Manage Firewall Process Map
  5. NSO Quant: Manage IDS/IPS Process Map
  6. Adrian and Rich are wrapping up DB Quant

Incite 4 U

  1. Toothless FTC ‘Settles’ with Twitter – So it seems Twitter got a slap on the wrist recently from the Federal Trade Commission for misleading consumers about protecting their privacy. The Twitter folks settled to make the problem go away, which was the right thing to do. Twitter is now barred for 20 years “from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information.” That’s a relief. And they need to be subjected to a security program review every other year for 10 years. Again, what major service provider doesn’t do this? In the article it does talk about some stuff that Twitter was (or wasn’t) doing, which are good practices. Like requiring strong admin passwords and not allowing administrators to store those passwords in their personal email. Duh. Anyhow, the FTC getting involved is fine, but if they want organizations to be more serious about privacy, they need more impactful consequences. – MR
  2. Assured Integrity on Bogus Data – Richard Bejtlich’s post on Dealing with Security Instrumentation Failures, along with the referenced articles on Si(EM)lent Witness, hits on a trifecta of weaknesses in security monitoring devices at large: dropped or missing events, capturing only one side of a conversation, and touting the integrity of an already suspect data stream. In everything from IDS to DAM, dropped transactions are a real problem. Network monitoring that captures a request but fails to capture the response is a real problem. Both receive hand-waves from vendors and surprisingly from security practitioners as well, who assume the other 98% of events are enough. But have they quantified the loss, or the percentage of records that are missing? The percentage that are missing a portion of the data? Examine carefully the claims of SIEM, DAM, and other event storage vendors that the data is totally secure – privacy and integrity are typically 100% assured. But the stream before it arrives at its destination? Suspect! I used to play the injection game, throwing garbage statements on the wire that were completely ignored by the application, but picked up by the monitor because it had the right IP and port. Since they failed to collect response codes, this counted as legit traffic. I am not saying that you can necessarily do anything about it, but give it some thought, and have some test cases to verify how your tools handle them, or what the packet loss expectancy really is. – AL
  3. A Different Kind of Disclosure – We all know the disclosure debate will never end. It’s basically religion on all sides; with few willing to change their positions and little more than anecdotal evidence available, you can spin it however you want. But I think we can all agree that no one wants to find out about a vulnerability like WellPoint did. A customer figured out she could see others’ records by manipulating the URL (yes, about the most basic vulnerability a web application can have). Instead of reporting it to WellPoint she called her lawyer. WellPoint found out they were vulnerable when she sued them for breach of privacy. Then again, it seems the exposure may have mostly been limited to her and her lawyers poking around. WellPoint fixed the problem in 12 hours, and I’ll be curious to see whether they counter-sue or pursue criminal charges. Or whether the FBI busts in and arrests her on drug charges. – RM
  4. The Location Middle Ground – Although I have embraced some social networking stuff, I still consider myself a Luddite, and I’m OK with that. When I was recently at my college reunion, a friend was all into FourSquare, broadcasting his whereabouts to the Interwebs. I don’t get it. First off, I don’t want anyone to know where I am at any given time – it’s my business if I want to work at a Starbuck’s or a park or my home office. But for some aspects of location, I’m not sure how we lived before mobile phones and GPS. I mean, how else would you figure out where the closest Baja Fresh is in a new city? But privacy is still a major exposure, as pointed out in a recent NetworkWorld post. How are these companies using that data? And what’s to stop someone from extracting a crapload of stuff from FourSquare or Google or anywhere else, which could be used for who knows what? So as opposed to most 20-somethings today, who don’t seem to care about privacy, I’ll keep my location to myself, thank you very much. – MR
  5. A Small Exhaust Port, Just above the Main Port – A few years ago I gave a presentation on Web 2.0 (whatever that means) security. One of the issues I highlighted was inclusion of third party code/functionality. You may not realize it, but I’d say 99.999% of you have some sort of external code running through your site; anything from Google Analytics to advanced JavaScript libraries hosted elsewhere. I know this because I block a heck of a lot of it using various browser plugins. This inclusion is a very common practice, but means you are funneling someone else’s programming right to your customers via your site. One thing I hadn’t thought about for that presentation is that when you perform a vulnerability assessment against your own site, the odds are you can’t really scan the embedded code, since it’s running someplace else that might consider your scan an attack. WhiteHat Security ran into this problem even though they are vulnerability assessment experts. Jeremiah does an amazing job of disclosing their (minor) security foible, why it happened, and the limits of assessing external code. For the record, that’s one reason we try and host everything on our site, mirroring the code locally. – RM
  6. Dealing with the New Workforce – Our job as security professionals is to make sure the sensitive data within our organizations remains safe without adversely impacting how business operates (too much). But we can certainly get to the point of being a bit aggressive in our recommendations. I’m with the Imperva folks, as they point out some good recommendations from SecureWorks about protecting financial transactions against attacks like the Zeus Trojan, but I agree that others – like using a dedicated machine/VM for online banking – just won’t happen much because they’re too much of a hassle. But that’s not my point here – it’s that our workforce is changing and that means our protection strategies must change too. As a recent survey from Cisco shows, our new recruits are likely to work around our security controls, and will leave if we don’t let them do what they want. It’s not good or bad, it just is. So the idea of traditional command and control is out the window. Instead we focus on reacting faster/better and containing the damage, and grumble about how those crazy kids are screwing everything up. – MR
  7. Killing Innovation, One Startup at a Time – I spent a weekend earlier in the year ripping most of my CDs into iTunes. With Apple Lossless encoding it took about 170 GB of space. I realized then that when I buy a Mac mini to become a music server, I will need to move all that content over. I was thinking about how cool it would be if I could just put the library in Dropbox and share it to any device. It appears that someone else had the idea, as mSpot is offering a service to do half of it. For me that would mean some $28.00 a month(!!!) just to store my own music. Plus it only supports one device, and I have 3 computers and four devices I want to use. I started thinking about the security aspects when I read the bottom of their press release: “The Recording Industry Association of America calls cloud-based music servers ‘an exciting development in the market place’”. Yeah, provided they can make money and not worry about security. What happens when people XSS their site and start grabbing other libraries? How exciting will it be when not just a single CD is stolen, but a huge music library? Odds are that if mSpot’s pricing and service model don’t kill them, the RIAA will, as soon as they get hacked. – AL
  8. As Things Move Faster, Standards Slow Down – Last week, the PCI Security Standards Council announced they were changing the standards timeline (PDF), basically lengthening the time between updates to the PCI-DSS from two years to three years. That’s a relief, since we all know the rate of technology adoption and emergence of new attack vectors is slowing down accordingly. Not. The logical part of my brain understands that many retailers have lots of stores and it’s hard to change things quickly enough to even keep up with the current two year cycle. Then the pragmatic part remembers that my credit card number has been compromised at least 3 times that I know about (involving new card issuance), and I lose my empathy for the ‘poor’ retailers. Actually the truth is somewhere in the middle – the DSS is pretty stable at this point and shops adhering to the 12 requirements are in decent shape. Yes, they can get pwned, but that goes for anyone. And this gives us another opportunity to stress the fact that any standard/guidance/regulation is going to be the lowest common denominator for your security posture. If you think you are done once you get the stamp, you are sorely mistaken. – MR
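Adrian’s item on monitoring failures (“Assured Integrity on Bogus Data”) asks for test cases that quantify dropped events and one-sided captures. The following is an added example, not code from Securosis or from any of the vendors mentioned: it runs two checks over a constructed event feed. Sequence gaps in the sensor’s counter reveal dropped events; requests with no paired response are reported as unverified rather than counted as legitimate traffic, which is exactly where injected garbage that the application ignored would land. The event fields (`seq`, `txn`, `dir`) are assumptions about what a monitor exports.

```python
"""Feed sanity checks: dropped events and one-sided captures (added example)."""

# Constructed sample feed. "seq" is the sensor's monotonically increasing
# counter; "txn" pairs a request with its response. seq 4 is deliberately
# absent (a dropped event) and txn a4 never gets a response captured.
SAMPLE_EVENTS = [
    {"seq": 1, "txn": "a1", "dir": "req",  "client": "10.0.0.5", "server": "10.0.0.20:5432",
     "payload": "SELECT * FROM accounts WHERE id = 7"},
    {"seq": 2, "txn": "a1", "dir": "resp", "client": "10.0.0.5", "server": "10.0.0.20:5432",
     "status": "ok"},
    # Right IP and port, but not a statement the application would accept;
    # with no response captured the monitor cannot tell it was ignored.
    {"seq": 3, "txn": "a2", "dir": "req",  "client": "10.0.0.6", "server": "10.0.0.20:5432",
     "payload": "not really sql at all"},
    {"seq": 5, "txn": "a3", "dir": "req",  "client": "10.0.0.5", "server": "10.0.0.20:5432",
     "payload": "UPDATE accounts SET limit = 1 WHERE id = 7"},
    {"seq": 6, "txn": "a3", "dir": "resp", "client": "10.0.0.5", "server": "10.0.0.20:5432",
     "status": "error"},
    {"seq": 7, "txn": "a4", "dir": "req",  "client": "10.0.0.7", "server": "10.0.0.20:5432",
     "payload": "SELECT 1"},
]


def find_sequence_gaps(events):
    """Return inclusive (first_missing, last_missing) ranges where the sensor
    counter skipped, i.e. events the feed never delivered."""
    seqs = sorted(e["seq"] for e in events)
    gaps = []
    for prev, cur in zip(seqs, seqs[1:]):
        if cur != prev + 1:
            gaps.append((prev + 1, cur - 1))
    return gaps


def pair_transactions(events):
    """Group events by transaction id and classify each transaction as
    verified (request and response seen), unverified (request only) or
    orphan (response only, the request was lost)."""
    by_txn = {}
    for e in events:
        by_txn.setdefault(e["txn"], {})[e["dir"]] = e
    verified, unverified, orphans = [], [], []
    for txn, sides in by_txn.items():
        if "req" in sides and "resp" in sides:
            verified.append(txn)
        elif "req" in sides:
            unverified.append(txn)
        else:
            orphans.append(txn)
    return sorted(verified), sorted(unverified), sorted(orphans)


def feed_report(events):
    """Quantify the loss instead of hand-waving it: how many events were
    dropped, and what fraction of requests cannot be confirmed by a response."""
    gaps = find_sequence_gaps(events)
    dropped = sum(hi - lo + 1 for lo, hi in gaps)
    verified, unverified, orphans = pair_transactions(events)
    requests = sum(1 for e in events if e["dir"] == "req")
    return {
        "events_seen": len(events),
        "events_dropped": dropped,
        "drop_pct": round(100.0 * dropped / (len(events) + dropped), 1),
        "requests": requests,
        "unverified_requests": len(unverified),
        "unverified_pct": round(100.0 * len(unverified) / requests, 1),
        "unverified_txns": unverified,
        "orphan_responses": orphans,
    }


if __name__ == "__main__":
    for key, value in feed_report(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

Run the same report against a replay where you know the true event count and the true number of responses; the difference between what the sensor reports and what you sent is the packet loss expectancy Adrian is asking about, and the unverified list is what should never be summarised as “legit traffic”.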
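Rich’s WellPoint item (“A Different Kind of Disclosure”) describes the bug in one sentence: change the identifier in the URL and see someone else’s record. The following is an added example, not WellPoint’s code or anything Securosis published: a record lookup written the vulnerable way next to the fixed way, plus the regression check a defender would keep in the test suite so the bug cannot come back. The record store, user names and function names are constructed for the illustration.

```python
"""Insecure direct object reference: vulnerable handler, fixed handler,
and a regression check (added example)."""
from dataclasses import dataclass


@dataclass
class Record:
    record_id: int
    owner: str          # the account that is allowed to read this record
    body: str


# Constructed data store standing in for the member-records table.
RECORDS = {
    101: Record(101, "alice", "alice's claim history"),
    102: Record(102, "bob", "bob's claim history"),
}


class NotFound(Exception):
    """Raised when the caller may not see a record (missing or not theirs)."""


def get_record_vulnerable(session_user, record_id):
    """Trusts the id taken from the URL. Any logged-in user who edits the
    number reads any record: the check only asks whether the row exists."""
    if record_id not in RECORDS:
        raise NotFound(record_id)
    return RECORDS[record_id].body


def get_record_fixed(session_user, record_id):
    """Authorises the record against the server-side session identity.
    A missing id and someone else's id both raise NotFound, so the response
    does not confirm which ids exist."""
    rec = RECORDS.get(record_id)
    if rec is None or rec.owner != session_user:
        raise NotFound(record_id)
    return rec.body


def readable_pairs(handler, users=("alice", "bob"), ids=(101, 102, 999)):
    """Regression check: every (user, record_id) combination the handler
    serves. For a correct handler this must equal the ownership map."""
    served = set()
    for user in users:
        for rid in ids:
            try:
                handler(user, rid)
                served.add((user, rid))
            except NotFound:
                pass
    return served


EXPECTED = {(r.owner, r.record_id) for r in RECORDS.values()}


def handler_is_safe(handler):
    """True only if the handler serves exactly the records each user owns."""
    return readable_pairs(handler) == EXPECTED


if __name__ == "__main__":
    print("vulnerable:", sorted(readable_pairs(get_record_vulnerable)))
    print("fixed:     ", sorted(readable_pairs(get_record_fixed)))
```

The fix is the ownership comparison, not the lookup; a handler that first checks the URL id against the caller’s session is the whole difference between the two functions. The `readable_pairs` check generalises beyond this one case: run it over every object type a URL can name and it fails the moment any handler serves a row to a non-owner.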
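Rich’s third-party code item (“A Small Exhaust Port”) makes the point that code loaded from someone else’s host runs in your visitors’ browsers but sits outside anything your own vulnerability scan can touch. The first step toward the local-mirroring approach Securosis describes is knowing what you include, so the following added example (not code from Securosis or WhiteHat) walks a page’s HTML and lists every script, frame, stylesheet or plugin source served from a host other than your own. The sample page, the site host `example.org` and the CDN host names are constructed; only the Google Analytics host comes from the item itself.

```python
"""Inventory of third-party includes in a page (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for a site served from SITE_HOST. The CDN and ad
# network hosts are placeholders; google-analytics.com is the one real host
# the Incite item names.
SITE_HOST = "example.org"
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://www.google-analytics.com/ga.js"></script>
<script src="//ajax.example-cdn.net/jquery.min.js"></script>
<link rel="stylesheet" href="https://fonts.example-cdn.net/style.css">
</head><body>
<iframe src="https://ads.example-adnetwork.com/frame.html"></iframe>
<img src="https://img.example.org/logo.png">
</body></html>"""


class IncludeCollector(HTMLParser):
    """Collects (tag, url) for elements whose remote source executes or
    renders inside the visitor's browser."""

    WATCHED = {"script": "src", "iframe": "src", "link": "href",
               "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.includes = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.WATCHED.get(tag)
        if attr_name is None:
            return
        value = dict(attrs).get(attr_name)
        if value:
            self.includes.append((tag, value))


def third_party_includes(html, site_host):
    """Return (tag, host, url) for every include whose host is neither the
    site itself nor one of its subdomains. Relative paths have no host and are
    treated as local; scheme-relative "//cdn/..." URLs resolve to the CDN."""
    parser = IncludeCollector()
    parser.feed(html)
    foreign = []
    for tag, url in parser.includes:
        host = urlparse(url).netloc.lower()
        if host and host != site_host and not host.endswith("." + site_host):
            foreign.append((tag, host, url))
    return foreign


def hosts_by_tag(html, site_host):
    """Summary view: which external hosts contribute which kinds of content."""
    summary = {}
    for tag, host, _ in third_party_includes(html, site_host):
        summary.setdefault(tag, set()).add(host)
    return summary


if __name__ == "__main__":
    for tag, host, url in third_party_includes(SAMPLE_HTML, SITE_HOST):
        print(f"{tag:7} {host:32} {url}")
```

Each host in the output is code you ship to customers but cannot assess yourself; the list is what you decide to mirror locally, pin, or drop. Inline scripts and includes added dynamically at runtime are not in the static HTML, so treat this as the floor of your exposure, not the ceiling.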