Monday, April 28, 2008

Your Moment of Zen

With apologies to the Daily Show, I present- your Moment of Zen:

"Your systems are vulnerable and will be compromised"

It may be shocking at first, but it is true and you know it.  You may argue about the definitions of "vulnerable" and "compromised", but that misses the point.  Our systems are vulnerable and will be compromised.  Now what do we do? 

  • Focus on the things you can actually accomplish.
  • Accept that we really do need a "Plan B" (and maybe C, D...).
    • Work on those plans.
  • Prioritize work based on real exposure.
  • Think about risk.
    • There are many "deep thinkers" in the Risk field, but start with a little "shallow thought" and work your way up.

I have been thinking about this for a while, and a panel discussion at RSA really crystallized the idea for me (and many others).  It is not a new idea: Chris Hoff has expressed it in his move from "Rational Security" to "Rational Survivability".  Mike Rothman's "Pragmatic CSO" includes elements of it.  My belief that moving forward, even incrementally, is better than trying to solve all of the big problems also touches on the idea.

Possibly more significant than the agreement of the esteemed panel (Mike Rothman, Ron Woerner, Rich Mogull, David Mortman and Martin McKeay) was the general agreement from the audience.  It has always been true, but now it is OK to accept it- and move on.



Wednesday, April 23, 2008

The Linkedin "John Smith" scam

I had my doubts, but I tend to be fairly open with LinkedIn requests and keep a mental track of those I really know and those I don't- so when a highly-linked Mr. John Smith (including links to people I *really* know) sent a connection request, I added "him". A bunch of others did, too. No big deal for most folks who think about what info they share (and how much of it is available elsewhere). Turns out Mr. John Smith was an "awareness campaign" or "publicity stunt", depending on your point of view. I received this email today:

Dear LinkedIn user: Meet Mr. John Smith!

You have a profile on and you have chosen to connect with "John Smith". This itself is not a problem, if it wasn't for the fact that John Smith doesn't really exist (in real life). The profile was invented as part of a security experiment where we try to determine and illustrate potential risks using social networks, such as LinkedIn. The presentation was just released at the Fraud Europe conference in Bruxelles today.

We decided not to release any detailed information about who and how John Smith got connected with in his network. However, we felt obligated to inform all LinkedIn accounts hooked up with John Smith about this piece of research and the release of the final edition of "Social Networking Risk - Who Do You Want to be Today?".

With the paper being released we will delete the "John Smith" profile!

If you've not already guessed it, you're receiving this e-mail because you are linked with John Smith. We hope this will be a lesson learned and nothing else ...

All data harvested during the past year will be deleted. We will also inform LinkedIn and ask them to remove the profile.

You can download the presentation given at Fraud Europe conference at the following URL:

The technical paper, used as background for this presentation and released in January 2008, can be downloaded here:

Best regards,

Dennis Rand, Security- and Malware researcher
CSIS Security Group

Oh, well. But my next question is this- what about that "Information Security" group on LinkedIn? A few friends and I questioned the legitimacy of that (after joining) at a recent event.

Bottom line, if it is on the Internet it is out there for all to see. Remember that, act accordingly, and you'll be OK.


Tuesday, April 22, 2008

The "Theme" of the Expo at RSA

I am working on a few posts on RSA, things like "Your Moment of Zen" and "Confessions of a Booth Babe", but first...

One of the oft-asked questions at RSA was "What's the theme?" There was an official Turing theme, but it didn't really take. I spent quite a bit of time in the Expo with all of the vendors, so I proposed:
"Simple solutions to complex problems"
Rich Mogull suggested this refinement:
"Meaningless, content-free answers to important questions"

From the Expo floor there was also a strong undercurrent of:
"Buy our product and you will be (fill in the blank) compliant (and thus secure)."

No surprises, really, but it is depressing how few people selling stuff (any stuff, not just security stuff) are aware of their own market. Security is hard and the odds are against "winning", so the hyperbole ("100% effective against SPAM!") and oversimplification just annoy and offend the educated customer.

Don't get me wrong, overall I had a great time at RSA, but the stupid sales weasels just amaze and appall me. Keep in mind that I have spent the past thirty years in and supporting the car business; I know stupid sales weasels when I see them.


Saturday, April 19, 2008

Hypocrisy, Patriotism, Bullshit.

No security angle here, just an incendiary rant.  (Unless we're talking economic security, but we won't go there).  You've been warned.

A few weeks ago I spent the weekend in Gettysburg, Pennsylvania.  Gettysburg is a great town, rich in history of course; but also a nice college town with a well-maintained downtown and a real sense of community.

Sure, there are the obligatory tacky tourist traps- including sacrilegiously named stores, restaurants, and hotels (winner in this category, "Gettysburg Battlefield Resort"), but not all of the tourism is bad.  The Park Service is trying to restore many areas to period-appropriate condition and has just opened a new visitor center.

The Rant:

On the edge of town, out by the highway, is Battlefield Harley-Davidson (not near the battlefields, by the way).  Battlefield Harley-Davidson is housed in a large steel building, near failed and failing auto dealers and the requisite highway off-ramp hotels and shopping centers.  Like most H-D dealers, it is a large and impressive facility, nicely landscaped and well-maintained.  When you enter the building, you are greeted by dozens of shiny new Harleys, but beyond the front line is the magic- a bewildering array of clothing, accessories (both motorcycle and "lifestyle" accessories) and trinkets.  This is the stuff anyone can afford, even if you can't swing a new 'Glide.  Unfortunately, much of it is of poor quality and almost all of it is made in China.  For a company which touts quality and wraps itself in the American flag as much as Harley-Davidson does, you might expect some true patriotism and dedication to quality American-made goods- but you won't find it.  Even the more expensive goods are almost exclusively Chinese, so it isn't just the cheap stuff they outsource.

This isn't really about Battlefield H-D (except for the BS name and proximity to sites of historic patriotism); it is about Harley-Davidson's corporate greed.  Want to sell inexpensive stuff made in China?  OK, there are some issues with that, but it is a legitimate business model.  Want to milk false patriotism for a buck?  (Note: I believe John Deere gets a dishonorable mention in this arena, too- for similar reasons.)  That's fine for spineless cowards and hypocrites.  I'll pass on that ride, thank you.



Thursday, April 17, 2008

RSA Security Bloggers Meet-up

Several people have already written about this, so I'll keep it short. I really enjoyed it; I reconnected with some people, met some Internet acquaintances and Security Twits in person for the first time, and met new people, too. I had a great time and I'm already looking forward to the next one.

Thanks again to Jennifer Leggio (Mediaphyter), Martin McKeay, Rich Mogull, Alan Shimel and everyone else who helped make it happen.

Mediaphyter's blog post has a pretty thorough list of attendees; scan it and you'll see why I am not trying to repeat the effort here.


Wednesday, April 16, 2008

New NAISG Chapter, Connecticut River Valley

NAISG recently announced our sixth chapter:

"We are pleased to announce the formation of the Connecticut River Valley chapter of NAISG. This chapter will serve the Springfield, MA and the Enfield/Hartford, CT areas. More details will be announced as they become available."

As always, information will be at the NAISG website.