Incite 2/9/2011: Loose Lips Sink Ships
I think we’ve taken this instant gratification thing a bit too far. Do you remember in the olden days, when you didn’t know what you were getting for your birthday? Now we get no surprises, pretty much as a society. The combination of a 24-hour media cycle, increasingly outsourced manufacturing, and loose lips ensures that nothing remains a secret for long. I remember the day IBM announced the hostile acquisition of Lotus back in 1994. I was at META at the time, and we were hosting a big conference of our clients. No one knew the deal was coming down and there was genuine surprise. We had a lot to talk about at that conference. Nowadays we hear about every big deal weeks before it hits. Every layoff. Every divestiture. It’s like these companies have their board rooms bugged. Or some folks in these shops have loose lips. And what about our favorite consumer gadgets? We already know the iPad 2 isn’t going to be much of an evolution. It’ll have a camera. And maybe a faster processor and more memory. How do we know? Because Apple has to make millions of these things in China ahead of the launch. Of the 200,000 people who work in that factory, someone is going to talk. And they do. Probably for $20. Not to mention all the companies showing off cases they needed a head-start on. So there is no surprise about anything in consumer electronics anymore. But this weekend I hit my limit. You see, I love the Super Bowl. It’s my favorite day of the year. I host a huge party for my friends and I like the commercials. You always get a chuckle when you see a great commercial. It’s a surprise. Remember the Bud Bowl? Or Jordan and Bird’s shooting contest? Awesome. But no more surprises. I saw a bunch of the commercials on YouTube last week. You have to love VW’s Darth Vader commercial, but the novelty had worn off by the time the game started. I know you try to create buzz by moving up your big reveal (it’s been happening at the RSA Conference for years), but enough is enough. We try to teach the kids the importance of keeping secrets. We talk freely in our house (probably a bit too freely) and we’ve gotten bitten a few times when one of the kids spill the beans. But they are kids and we used those experiences to reinforce the need to keep what someone tells you in confidence. But they are in the middle of a world where no one can keep a secret. Which once again forces us to hammer home the age-old refrain: “Do as we say, not as they do…” And no, I’m not telling you about our super sekret project. Unless you are from the WSJ, that is. -Mike Photo credits: “Loose Lips” originally uploaded by fixedgear Big Head Alert Well, it wasn’t enough for me to offer up free refreshments to those meeting up at the Security Blogger’s Party at RSA, in exchange for a vote for most entertaining blog. But the accolades keep rolling in. Yours truly has been nominated for the Best Security Blogger award by the fine folks at SC Magazine. I’m listed with folks like Hoff (does he even blog anymore?) and Bruce Schneier, so I can’t complain. Although the Boss did call the handyman this morning – it seems we need a few doors expanded in the house for my expanding head. Yes, I’m kidding. I’m fortunate to surround myself with people who remind me of my place on the totem pole every day. Yeah, the bottom. I’ll be the last guy to say I’m the best at anything, but I certainly do appreciate being noticed for doing what I love. You can vote. And no, I haven’t contracted with RSnake to game the vote. Not yet, anyway. Incite 4 U PR writing a check your defenses can’t cash: That title came from a Twitter exchange I had earlier this week about the HBGary Federal hack. Basically the CEO of this company talked smack about penetrating and exposing a hacker group and… wait for it… lo and behold they eviscerated him. As Krebs describes, it was a good hack. These Anonymous guys don’t screw around. And that’s the point. Just like our friend the World’s #1 Hacker, if you talk smack you will get hurt. The folks from HBGary are very smart. And even if they could detonate malware (using their own damn device), a determined attacker will find your weak spot. And more often than not it’s the human capital who drinks your coffee, uses your toilet paper, and maybe even gets something done, sometimes. So basically here is a message to everyone out there: STFU. These stupid PR games and testosterone-laden boasts of hacking this or hacking that show you as nothing more than a “big hat, no cattle” hacker. The folks who really can don’t have to talk about it. And odds are they’ll stay anonymous. – MR The Endpoint Is the Network: One of the wacky things about cloud computing is that it royally screws up so many of the existing security controls. Network monitors, firewalls, vulnerability assessment, and even endpoint agent management all sort of go nuts when you start moving machines around randomly in the fluff of the cloud. To work consistently your security controls need to track the virtual machines, no matter where they pop up. I’m just getting caught up, but CloudPassage looks interesting. It uses an agent and security management plane to consistently apply controls as machine instances move around, even in hybrid models. Yes, we now have to dump everything back into the endpoint we built all that ASIC-based hardware for. Sorry. – RM Looking in the Mirror: Rocky DeStefano posted a nice table of common SIEM evaluation criteria on the visiblerisk blog. This is a handy set of RFI questions that companies looking to