Hard to believe it’s September already. As we steam through yet another year, I like to step back and reflect on the technical achievements that have literally changed our life experience. Things like the remote control and pay at the pump. How about the cell phone, which is giving way to a mini-computer that I carry in my pocket? Thankfully it’s much lighter than a PDP-11. And networks, yeah man, always on baby! No matter where you are, you can be connected. But let’s not forget the wonders of silicone and injection molding, which has enabled the phenomena known as Silly Bandz.

It's silly, until you are overrun by the bandz...Ugh. My house has been taken over by these God-forsaken things. My kids are obsessed with collecting and trading the Bandz and it’s spread to all their friends. When I would drive car pool to camp, the kids would be trading one peace monkey for a tie-dye SpongeBob. Bandz are available for most popular brands (Marvel, Disney, even Justin Bieber – really), as well as sports teams, and pretty much anything else. Best of all, the Silly Bandz are relatively cheap. You get like 24 for $5. Not like stupid Jibbitz. Of which, you could only put maybe 5 or 6 Jibbitz on a Croc. The kids can wear hundreds of these Bandz. My son is trying to be like Mr. T with all the Bandz on his arm at any given time.

I know this silliness will pass and then it will be time for another fad. But we’ve got a ways to go. It got a bit crazy a week ago, when we were preparing for the Boy’s upcoming birthday party. Of course he’s having a Silly Bandz party. So I’ll have a dozen 7-year-olds in my basement trading these damn things for 2 hours. And to add insult to injury, the Boss scheduled the party on top of NFL opening weekend. Yeah, kill me now. Thank heavens for my DVR.

Evidently monkey bandz are very scarce, so when the family found a distributor and could buy a couple of boxes on eBay, we had to move fast. That should have been my first warning sign. But I played along a bit. I even found some humor as the Boy got into my wife’s grill and told her to focus because she wasn’t moving fast enough. There were only 30 minutes left in the eBay auction. Of course, I control the eBay/PayPal account, so they sent me the link that has an allegedly well-regarded seller and the monkey bandz. I dutifully took care of the transaction and hit submit. Then the Boy came running downstairs to tell me to stop.

Uh, too late. Transaction already submitted. It seems the Boss was deceived: the seller had a lot of positive feedback, but only as a buyer. Right, this person bought a lot of crap (and evidently paid in a timely fashion), but hadn’t sold anything yet. Oh crap. So they found another seller, but I put my foot down. If we got screwed on the transaction, it was too bad. They got crazy about getting the monkey bandz right then and now they will live with the decision. Even if it means we get screwed on the transaction.

So the kids were on pins and needles for 5 days. Running to the mailbox. Wondering if the Postman would bring the treasure trove of monkey bandz. On the 6th day, the bandz showed up. And there was happiness and rejoicing. But I didn’t lose the opportunity to teach the kids about seller reputation on sites like eBay, and also to discuss how some of the scams happen and why it’s important not to get crazy over fads like Silly Bandz.

And I could literally see my words going in one ear and out the other. They were too smitten with monkey bandz to think about transaction security and seller reputation. Oh joy. I wonder what the next fad will be? I’m sure I’ll hate it, and yes, now I’m the guy telling everyone to get off my lawn.

– Mike.

  • Note: Congrats to Rich and Sharon Mogull upon welcoming a new baby girl to the world yesterday (Aug 31). Everyone is healthy and it’s great to expand the Securosis farm team a bit more. We’ll have the new one writing the FireStarter next week, so stay tuned for that.

Photo credits: “Silly Bandz” originally uploaded by smilla4

Recent Securosis Posts

This week we opened up the NSO Quant survey. Please take a few minutes to give us a feel for how you monitor and manage your network security devices. And you can even win an iPad…

Also note that we’ve started posting the LiquidMatrix Security Digest whenever our pals Dave, James, and team get it done. I know you folks will appreciate being kept up on the latest security links. We are aware there were some issues of multiple postings. Please bear with us as we work out the kinks.

  1. Home Security Alarm Tips
  2. Have DLP Questions or Feedback? Want Free Answers?
  3. Friday Summary: August 27, 2010
  4. White Paper Released: Understanding and Selecting SIEM/Log Management
  5. Data Encryption for PCI 101 posts:
  6. Understanding and Selecting an Enterprise Firewall:
  7. LiquidMatrix Security Briefing:

Incite 4 U

  1. PCI-Compliant clouds? Really? – The Hoff got into fighting mode before his trip out to VMWorld by poking a bit at a Verizon press release talking about their PCI Compliant Cloud Computing Solution. Despite attending the inaugural meeting of the ATL chapter of the Cloud Security Alliance yesterday, I’m still a bit foggy about this whole cloud thing. I’m sure Rich will explain it to me in between diapers. Hoff points out the real issue, which is defining what is in scope for the PCI assessment. That makes all the difference. To be clear, this won’t be the last service provider claiming cloud PCI compliance, so it’s important to understand what that means and to ask the right questions, before your assessor does it for you. – MR
  2. Bar stool philosophy – Paul Asadoorian’s post on The Three Legged Stool Of Vulnerability Management is an accurate representation of the way vendors view assessment tradeoffs. The metaphor works as each leg of the stool shares the load, and there is a degree of tension between the three that leads to a centering effect. But the heart of the issue is what this means to users of Nessus and similar products. Users only care about the appropriateness of the scan: did it get the job done? Fast or slow, comprehensive or not, this discussion is only relevant to users for ways they can tune an assessment platform to their environments. Can security and compliance groups clear the detritus out of their reports? Does the operations staff have the option of using a less invasive data collection option? Can we actually enforce policy with the collected data? Customers don’t judge the stool by the legs, only whether it supports their weight. – AL
  3. Starting your IDS/IPS engine – A lot of folks ask us how to get started in the security business. My usual response is to just do something. And with the availability of good open source technology, setting up a few computers and playing around with the technology provides some early hands-on experience and competence. This post on Security Advancements at the Monastery goes into gory detail on setting up three open source IDS/IPS engines: Bro, Suricata and Snort. Lots of good detail here and even a bit of a discussion about the mudslinging between the projects now. And you know how I love mudslinging. Nice job, John. – MR
  4. New worst job: Technology Architect – CSOAndy (otherwise known as Andy Ellis of Akamai) references an interesting analogy from F5’s Lori MacVittie about how to think about load balancing and the cloud. Between homes, garages, separate buildings and now Andy’s valets, it’s all very confusing. Suffice it to say, this kind of discussion underlies my ideas about the nature of our applications decomposing sooner rather than later. Data can be anywhere. So can application logic, as well as presentation. This discussion makes it clear you have a lot of flexibility in how you provision traffic flow as well. Seems to me the job of the technology architect becomes a lot more complicated, since there are seemingly infinite permutations and combinations for how you build an application moving forward. And that means there are infinite ways to compromise it. Yeah, it just keeps getting better for us security folk. I’d probably still rather be a technology architect than an elephant dung mover, but it’s a close call. – MR
  5. Vendors don’t die. They go to sleep and then sell for $200 million or not… – In the shocker of the week, CA once again flexes their wallet and buys a cloud-related play. This time it was Arcot Systems, ostensibly because this authentication thing for the cloud may be big. You see, Arcot has been around forever. Maybe longer. They raised a lot of money, and then you didn’t hear from them. Ever. Evidently they’ve been selling something, and that’s why it’s important for end users to understand the business profile of any vendors you are considering. Clearly Arcot was running profitably and that allowed them to find another potential market (cloud) and a sucker, I mean buyer, who will buy anything cloud-related for big bucks. So congrats to the Arcot guys. You win this week’s War of Attrition award. In late news from VMWorld, TriCipher met a less happy ending, being acquired by VMware for three shekels and two cups of coffee. Actually the deal size wasn’t specified, but we suspect it’s in fire sale territory. – MR
  6. Takin’ care of business – Good post on A List Apart regarding Apps vs. The Web, looking at the success of apps and the different technologies that foster innovation. It’s an insightful look at how app developers look at technology tradeoffs. But looking over the author’s shoulder from a security vantage, it’s clear why we still are – and perhaps always will be – riding the Security Hamster Sine Wave of Pain. Look at the motivation section: business drivers and programmer focus are clearly identified, along with how cool new technologies simply catch fire. Security and privacy are certainly not mentioned, and why should they be? We’re riding that happy roller-coaster of host-centric security up the slope, so everything’s fine! Just keep coding mobile applications! – AL
  7. Practice makes winners – (Not security related.) I have to admit I’m a Scott Adams fanboy. I think Dilbert nails the reality of life inside a tech company in a lot of ways, and the commentary on the Dilbert blog is thought provoking almost every day. Yesterday’s post was about practice and its correlation to winning. Adams uses pool as a metaphor to make the point that the winners are usually the ones who practice the most. Maybe not at a high level athletic event, but in most everything else. This is a very hard topic to get across to kids. We’ve become a society looking for quick fixes, short cuts, and the easy way to everything, and there is always a marketeer promising those things at the other end of the Google. I’ve found (like many of you) that the harder I work, the luckier I get and the more I win. Not that winning is the end-all be-all, but the lesson is there. If you (or your kids) want to be good at something, get off your respective asses and get to work. – MR