Rich here.
A funny thing happened this week.
As I wrote on Tuesday, someone hacked my Amazon Web Services account when I accidentally left my keys in code I pushed up to GitHub. The first line of my code was, "This is a bit embarrassing to write."
I take my role as a public figure in security pretty seriously. I am thankful every day that I get to do what I do (okay, maybe not the day I was in Kiev in December trying to find a menu I could understand). As an introvert it’s weird to be out there writing and speaking in public on security every day and have people actually read and listen. And to get paid for it.
It is entirely too easy to let this go to one’s head, and I’m pretty sure any of you reading this can start counting off some of the names. In my mind I need to keep earning it every day. That means actually knowing what I’m talking about, taking security seriously, and setting an example. I expect to be hacked in the course of what I do, but I strive to avoid dumb mistakes.
You know, practice what I preach.
Well, I made a series of mistakes – I suppose I am human (or at least humanoid) after all. And I got popped. I always assume something like that will get out, so I might as well break the news myself, and spill the gory details so maybe someone can avoid screwing up like I did.
I expected some criticism, but the exact opposite happened. The overwhelming support from the community was astounding. Nobody called me an idiot, and people recognized that I’m just a dude, trying my best, and making mistakes.
Contrast this to the recent communications from Target, Snapchat, or any other company that gets breached or screws up. They try their best to cover things up, release as little information as possible, and hope people forget.
It never works. Anyone with a modicum of crisis communications training knows that silence and obfuscation sow distrust and uncertainty. This isn’t rocket science.
Coming clean was scary and initially painful, but if I expect people to trust me, I need to be open about those sorts of things. In the end, I was riding high all day on the incredible support from the community. From my community.
The real lesson? I am totally going to screw some other things up on purpose and talk about it now. I mean, it has to work again next time, right?
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Adrian quoted in DBaaS article.
- Rich quoted in Dark Reading on speakers leaving the RSA conference.
- Rich quoted in Computerworld on the same issue.
- Dave Lewis (yes, our Dave Lewis) wrote up my little issue over at CSO.
- Another Dave article at CSO: Find security flaw, go to jail?
Favorite Securosis Posts
- Adrian Lane: Firestarter: The NSA and RSA. Despite looking and sounding like I am being pulled into a 4th dimension, my favorite this week is the inaugural Securosis Firestarter.
- Mike Rothman: Firestarter: The NSA and RSA. Yeah, everyone is going to pick Rich’s $500 screw-up post. But I am really excited at how our video podcast turned out. As long as we keep it short it will be a lot of fun to do in 2014.
- Mort: My $500 Cloud Security Screwup – Updated.
- James Arlen: Rich Mogull is the Most Honest Man in Infosec. Editor’s note: not really!
- Rich: Incite 1/8/2014: ReNew Year. Yep, new stuff coming – can’t wait to get it out there and see what works!
Other Securosis Posts
- Security Management 2.5: The Decision Process.
- Mikko Hypponen Still Speaking at the RSA Conference – Updated.
- Security Management 2.5: Evaluating the Incumbent.
- Security Management 2.5: Revisiting Requirements.
- Firestarter: The NSA and RSA.
Favorite Outside Posts
- Adrian Lane: So You Wanna Boycott RSA Conference 2014. Why write this post again? Bill said it better.
- Mike Rothman: Don’t Tell Me You’re Busy. Thanks to our pal Jen (@mediaphyter) for reminding me of this classic post. We are all busy. But no one is too busy to return a call or text from a friend. And if you are, your priorities are screwed up.
- Dave Lewis: The 7 best habits of effective security pros.
- Mort: On Getting Naked in Antarctica. It’s not security related, but in honor of this week being so damn cold in the Midwest & Northeast…
- James Arlen: Applied Crypto Hardening (PDF).
- Rich: How Netflix Reversed Engineered Hollywood. Some interesting big data lessons in here.
Research Reports and Presentations
- What CISOs Need to Know about Cloud Computing.
- Defending Against Application Denial of Service Attacks.
- Executive Guide to Pragmatic Network Security Management.
- Security Awareness Training Evolution.
- Firewall Management Essentials.
- A Practical Example of Software Defined Security.
- Continuous Security Monitoring.
- API Gateways: Where Security Enables Innovation.
- Identity and Access Management for Cloud Services.
- Dealing with Database Denial of Service.
- The 2014 Endpoint Security Buyer’s Guide.
Top News and Posts
- Snapchat hack results in 4.6 million accounts being posted online.
- Yahoo! Spread Bitcoin Mining Botnet Malware Via Ads.
- Video tells children it’s okay for TSA to molest them. So bad it’s awesome! TSA uses animated dogs as characters – if you own dogs, you know “Stop, Scream, & Pee” is more likely.
- Firm Bankrupted by Cyberheist Sues Bank via Krebs.
- Inside TAO.
- How Worried Should We Be About the Alleged RSA-NSA Scheming?
- Office 365 Token Vulnerability. A couple weeks old but a good read.
- Infographic: ISO 27001:2013 Changes.
- Skipfish Scanner Used In Financial Sector Attacks.
- Five Product Security Questions Nobody At CES Wants You To Ask.
Blog Comment of the Week
This week’s best comment goes to Jay, in response to Security Management 2.5: Evaluating the Incumbent.
More good stuff here and sound analysis. I think we’ve done a good job identifying where the SIEM market is or should be going. Hope you intend to provide some sort of perspective on switching costs or at least the potential payback associated with a migration to any replacement technology that incorporates all these features/requirements.