Archive for June, 2006...
Filed under Pre-Categories
I know many of you were waiting with bated breath for my installment 2 of 2 of data classification, but I have decided to delay that for a while. I want to look into some other things to write about, and since the announcement of the EMC acquisition of RSA yesterday, I am looking closely at that and the impact (if any) it may have on the data classification status.
What I am seeing so far from this is EMC basically leaving RSA alone so they can keep doing their thing. Joe Tucci calls it EMC’s “string of pearls” approach. Mike Rothman basically says the same thing in today’s Daily Incite:
“But historically, EMC leaves their big acquisitions alone - integrating technology where it makes sense, but letting them operate in the way they need to for their respective markets.”
This does position EMC perfectly for the wackos to come out of the wood work to start accusing them of trying to take over the world. Just watch and see.
Vet
Posted by Michael Farnum on Friday, June 30th, 2006
Filed under Pre-Categories
OK, I just have to think about this one for a while. I’ll get back to you…
Posted by Michael Farnum on Thursday, June 29th, 2006
Filed under Me
I’m not sure anybody wants to see a full picture of me, but a friend (David Nester) sent me a blogging t-shirt, and I thought this was too cool. My 5 year old took the picture, so excuse the weird angle. Click on it to get the big picture (if you dare).
Vet
Posted by Michael Farnum on Thursday, June 29th, 2006
Filed under Pre-Categories
Looks like they found the missing VA laptop and hard drive. They also said that the “initial FBI forensics tests indicate the data on the laptop and disk has not been improperly accessed.”
OK, everything is better. I am not at all worried now. Vets, you can quit worrying.
Uh huh…
Vet
Posted by Michael Farnum on Thursday, June 29th, 2006
Filed under Pre-Categories
I have been seeing articles and blog posts about HIPAA having no teeth. I posted something about it last week. Mike Rothman mentioned my post in today’s Daily Incite (welcome back, Mike), and he correctly interpreted my post as stating that HIPAA is basically useless when it comes to enforcement (at least, so far). But Mike went a step farther by saying this:
“…healthcare organization[s] continue to invest in security, but it’s to protect private information (to avoid the negative brand impact of a breach) and also to improve patient care (identity management and SSO stuff), but it ain’t because of HIPAA.”
Here’s the question: Will healthcare execs actually continue to invest in security if they see that HIPAA is not a real threat to them or their organization, even with the concerns that Mike states?
I know from personal experience that IT is typically not a healthcare executive’s favorite place to spend money. They would (somewhat justifiably so) rather spend it in the clinical areas, where they see the money being made. With HIPAA not being enforced and non-government compliance agencies like JCAHO not really looking at the IT side of things (unless you have an EMR (Electronic Medical Records) system), what is the incentive? I know many state (and likely federal soon) governments are forcing companies to notify when they have a breach, and that is a serious consequence, but I am not convinced that it is enough.
So have healthcare security pros ridden the HIPAA train as far as it will go?
Vet
Posted by Michael Farnum on Tuesday, June 27th, 2006
Filed under Pre-Categories
This is absolutely hilarious. The Onion cracks me up.
Posted by Michael Farnum on Monday, June 26th, 2006
Filed under Pre-Categories
Articles like this frankly scare the hell out of me.
Is centralized IT killing innovation? Are we working against our employees by keeping them in boxes and limiting their maneuverability? Are we inhibiting productivity by not allowing our employees to have access to tools that could help them get their job done faster?
What this reminds me of is the days when Microsoft gave not a crap about security and included every single little whiz-bang gadget in Microsoft Office and Internet Explorer without any real way of locking down what the users could do. So what happened? A flurry of activity by users who wanted to play with every tool available, an absolute nightmare for IT trying to support all these tools and the questions from every user trying to use them, and a mess of security holes and attacks caused by these same toys that we are still living with today.
I’m sorry if I want my network to be secure and not have to scramble to help my users figure out every little doohickey available in Office.
Ray Ozzie says, “IT’s requirements needn’t be inconsistent with end users’ desires.” Well Mr. Ozzie (you just have to love that name), I have a question for you:
Why do we want to meet the user’s desires? We must meet their needs! Now, if they NEED to have a tool to get their job done and we can make it reasonably secure, then so be it. If they want to download Weatherbug, then NO!
Mr. Ozzie (*chortle*), if you come out with a new toy that all my users want (PLEASE don’t bring back Clippy), then you better make it secure. And even if it is secure, I am not going to just run out and get it on everyone’s desktop. I have a job to do that does not include making all my users’ wildest dreams come true. Pedro I ain’t!
Vet
Posted by Michael Farnum on Monday, June 26th, 2006
Filed under Pre-Categories
I received my digital version of InfoSecurity magazine this morning, and it got me thinking (it hurt because I usually don’t start thinking until the afternoon). The article was about Australian computer crime statistics and how their computer crime was more and more about money and less and less about bragging rights. They made this statement in the article:
Attacks that use trojans and rootkits rose to 21% of all attacks, says the report. Many are able to switch off computer defences and evade detection. In addition, 60% were undetected by current defensive software until discovered “in the wild”. This means actual infection rates may be much higher.
You would think that my mind would move in the direction of computer crime and how the rate of mass-mailing worms has gone down so much since last year and the year before, and blah blah blah. However, if you have read my blog for any length of time, you know my mind works in strange and distorted ways. So it actually made me start thinking about compliance of all things!
So, after making you read all that (and I am assuming someone out there is still reading my post at this point), I’ll let you in on where my warped brain went.
The quote above said that 60% of the malware was not detected by current defensive software until they were discovered in the wild. Here is my scenario:
- You are a security manager in healthcare (just like me)
- Some PC’s on your network become infected by a trojan and information is stolen
- ID theft occurs due to the breach
- You do some investigation and find the trojan, but it turns out it was unknown (not found in the wild) and was targeted specifically at your organization
- You report the incident and follow incident-handling procedures and clean the trojan and any other malware found
- You report the trojan to your anti-malware vendor, who disseminates the info and writes signatures along with everyone else
- Because of the breach and the subsequent ID theft, your hospital has a HIPAA complaint filed against it
- The HIPAA police come out (not likely to happen, but you never know) and find out that you have some problems with your HIPAA compliance, but nothing that is directly related to this incident
My question is: do they still prosecute, slap fines, etc? In other words, during the course of the investigation, they find problems in another area of your HIPAA compliance that is not directly related to the incident. They conclude that you had proper policies, procedures, and safeguards in place for this incident (your safeguards simply couldn’t pick this up because it was not known in the wild). Can they still hold you liable for the problem they did find?
Maybe that is spelled out in the rule, but I haven’t seen it in my research. And since HIPAA has not really been tested in court (and who knows when it will be tested), I don’t know if / when we will get an answer to this or any other hypothetical question regarding this legislation.
Vet
Posted by Michael Farnum on Thursday, June 22nd, 2006
Filed under Pre-Categories
I really liked this article (PDF) by Marc Prensky. It talks about how kids today (D-Gen) are fundamentally different in their thinking and learning styles because of growing up in the digital age. Good stuff, whether or not you believe it.
Vet
Posted by Michael Farnum on Thursday, June 22nd, 2006
Filed under Pre-Categories
Posted by Michael Farnum on Wednesday, June 21st, 2006
Filed under Pre-Categories
What are you protecting? What is on your file server? What is on your database server? What is on your web server (hopefully nothing much)? What is on your SAN / NAS / DAS? What is on your tapes? What is on your individual PC hard drives? What is on your PDAs? What is on your thumb drives? What is on your CDs, DVDs, floppies, etc?
Those are some scary questions. How did you answer them? Do you REALLY know where your data resides, and do you REALLY know how your data should be classified? Do you even have a classification scheme for your data? Do you know what data can be open to everyone, what data should be closed to only those who definitely need to see it, and all the data in between?
If you don’t, then get prepared for one hell of a project. Controlling your data by knowing where it resides is not easy. Users copy data everywhere they can. Laptops, hard drives on their PC, CD, thumb drives, floppies, etc. It is going to take time to pore through Word docs, Excel spreadsheets, and Access databases to find out what is where, then find out what is what. This is a task that will likely take months and months of steady work, and could take even more time depending on how big you are.
But no matter how much time it will take, it is a must-do project. There is no alternative. And believe me, I am not preaching. This is a struggle for me as well. I work and struggle with this every day. I was talking to a coworker yesterday about this, and our eyes started crossing and our brains started smoking just thinking of the sheer amount of work that this was going to take. Nevertheless, we know it must be done.
So here is some advice:
First, if you have the budget, consider outsourcing this, at least in part. So many of us work for small IT shops in SMB’s, so we simply don’t have the bandwidth for this.
Second, come up with a data classification scheme (here is one that you can adapt to your organization). That way you can classify data while you are looking at it rather than coming back after the fact. Some data will not be obvious as to what classification you should give it, so you will inevitably have to backtrack. But you cut that time down if you get the scheme in place first.
Third, after you get a scheme together, get executive management buy-in. This helps in two ways: 1) they see your efforts and know what they are paying you for, and 2) you lessen your chances of them coming back and changing things later. That doesn’t mean it won’t happen, but a thorough explanation of what you are trying to accomplish and how you are going about it will really help. Actually, you should probably get them in the loop before you even start the first step, and then come back to them on this step.
Fourth, get some tools, even if you outsource. They will help cut your project time and cost down considerably. Arkivio is an information lifecycle management company, and they are supposed to have some good tools to help with the initial classification. I don’t have any experience with their stuff, but I have heard good things. You can also script searches to find obvious stuff (patient ID numbers, social security numbers, etc) and throw the data into certain buckets in a report.
And while you are looking, don’t forget about the places where data can hide. Namely, recycle bins and email (mailboxes and .pst files). These are places that many administrators and managers don’t think about when they start down the classification project path, but these are often repositories for very sensitive data.
Now that you have your data located and classified, what do you do with it? I’ll talk about that in my next installment.
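As an added example (not the author's script and not any vendor's tool), here is a Python sketch of the "script searches and throw the data into buckets" step: it walks a directory tree, validates SSN-shaped strings against SSA issuance rules to cut false positives, looks for a hypothetical patient-ID format (MRN-1234567, an assumption), buckets each file under an assumed three-tier scheme, and flags recycle-bin and .pst paths for manual review. It reads only plain text; Word, Excel and Access files would need their own parsers, and the sample tree it builds is constructed, not real data.

```python
"""Data-discovery helper: walk a tree, flag files holding obvious sensitive
identifiers, and bucket them into classification tiers for a report."""
import os
import re
import tempfile
from collections import Counter

# Assumed three-tier scheme; adapt to your own classification policy.
RESTRICTED, INTERNAL, PUBLIC = "Restricted", "Internal", "Public"

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Hypothetical patient-ID format (assumption); real systems vary widely.
PATIENT_ID_RE = re.compile(r"\bMRN-\d{7}\b")
# Markers that make a document internal-only even without identifiers.
INTERNAL_WORDS = ("confidential", "internal use only", "do not distribute")
# Places sensitive data hides: recycle bins and Outlook mail stores.
HIDING_PLACE_RE = re.compile(r"(recycle|\.pst$)", re.IGNORECASE)


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues (area 000/666/900+, group 00, serial 0000)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def scan_text(text: str) -> Counter:
    """Count sensitive-identifier hits in one document's text."""
    hits = Counter()
    for m in SSN_RE.finditer(text):
        if is_valid_ssn(*m.groups()):
            hits["ssn"] += 1
    hits["patient_id"] += len(PATIENT_ID_RE.findall(text))
    lowered = text.lower()
    hits["internal_marker"] += sum(lowered.count(w) for w in INTERNAL_WORDS)
    return hits


def classify(hits: Counter) -> str:
    """Map hit counts to a tier: any identifier wins, then internal markers."""
    if hits["ssn"] or hits["patient_id"]:
        return RESTRICTED
    if hits["internal_marker"]:
        return INTERNAL
    return PUBLIC


def scan_tree(root: str) -> list:
    """Scan every readable file under root; return one record per file."""
    records = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip, a real run would log it
            records.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "bucket": classify(hits),
                "hits": dict(hits),
                # Recycle bins and .pst stores get a review flag regardless of content.
                "review": bool(HIDING_PLACE_RE.search(path)),
            })
    return records


def build_report(records: list) -> dict:
    """Group paths by tier; 'Review' lists hiding places that need a manual look."""
    report = {RESTRICTED: [], INTERNAL: [], PUBLIC: [], "Review": []}
    for r in sorted(records, key=lambda rec: rec["path"]):
        report[r["bucket"]].append(r["path"])
        if r["review"]:
            report["Review"].append(r["path"])
    return report


def build_sample_tree() -> str:
    """Constructed sample files (fake values, not real data) for a stand-alone run."""
    root = tempfile.mkdtemp(prefix="classify-")
    samples = {
        "hr/payroll.csv": "name,ssn\nJane Doe,123-45-6789\n",
        "clinic/notes.txt": "Patient MRN-0012345 seen for follow-up.\n",
        "clinic/fake.txt": "Test record 000-12-3456 and 987-65-4321\n",  # both invalid SSNs
        "it/policy.txt": "INTERNAL USE ONLY: password rotation schedule\n",
        "www/index.html": "<h1>Welcome to our hospital</h1>\n",
        "RECYCLER/old_roster.txt": "Former staff 234-56-7890\n",
        "users/bob/archive.pst": "Fwd: MRN-7654321 lab results\n",
    }
    for rel, text in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    for bucket, paths in build_report(scan_tree(build_sample_tree())).items():
        print(f"{bucket}: {paths}")
```

Note that clinic/fake.txt lands in Public because both SSN-shaped strings fail the issuance check, while the recycle-bin roster and the .pst file land in Restricted and are also listed for review.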
Vet
Posted by Michael Farnum on Wednesday, June 21st, 2006
Filed under Pre-Categories
Here is episode 4 of my podcast. Just as fair warning, I tried adding some music to the podcast in the beginning and the end. I think it is a bit loud in the beginning, but I was having trouble getting the volumes right. Basically, turn down your speakers, headphones, whatever in the beginning and the end of the podcast, and adjust as necessary. Also, let me know if the volume of my voice is still too low.
The subjects I talked about tonight were somewhat varied. I did a self-plug about my Computerworld blog. I am really excited about it, so I had to say something about it.
I talked about Martin McKeay’s post about server room security and the implications of not properly building and securing your server room.
I tackled Microsoft’s foray into the security world and how they are committed to the course.
Another subject I commented on was a CNN article with an irresponsible tagline and opening paragraph about the VA laptop theft.
Go listen and let me know what you think.
Vet
Posted by Michael Farnum on Tuesday, June 20th, 2006
Filed under Pre-Categories
Here is a great server room security post by Martin McKeay at his Computerworld blog. Martin points out the issues with thieves starting to target servers. But are they stealing the servers for the hardware or the data on the server?
If it is for the hardware, then there are many measures to lock down a server room. Locks, cameras, racks with locks, etc. Martin gives a good rundown of the security measures and points out that taking design of a server room seriously is crucial.
If it is for the data, then the thief has to have considerable intelligence on what servers have the data they want. And that means that security by obscurity is also a valid concept in physical security.
As I have said before, thieves go for the weaknesses. We have to look at security holistically. All areas need to be secured, not just the attack vector de jour.
Vet
Posted by Michael Farnum on Tuesday, June 20th, 2006
Filed under Pre-Categories
I recently accepted an offer at Computerworld to be a weekly security blogger. I am not leaving my personal blog. In fact, Computerworld is very receptive to me having a personal blog and linking between the two to create more traffic. That will allow me to keep my personal brand and still have a more widely known venue to get my opinions out there. So basically, I am happy to be working with Computerworld, and I appreciate them bringing me on board.
My first post is here. Take a look, and look for my posts every week. I am still forming what I want to do at Computerworld. Since it will be weekly, I am thinking of making it a multi-issue post where I comment on multiple newsworthy security issues from the week. Let me know what you think.
Vet
Posted by Michael Farnum on Tuesday, June 20th, 2006
Filed under Pre-Categories
I haven’t had a chance to look at this as far as the depth and detail, but it may be a good resource.
Vet
Posted by Michael Farnum on Tuesday, June 20th, 2006
Filed under Pre-Categories
“Bill Gates’ drawdown of daily influence at Microsoft, the company he co-founded more than 25 years ago, won’t alter its course on security, analysts said Friday.”
This is from this story at Searchsecurity.com. Ummmm, ok. Did anyone think it would? Microsoft is actually being taken halfway seriously on security for the first time ever. Why would they think about changing that strategy? They have the power and the money to back up their security initiatives. They are going to be a major player in this market, no matter what anyone says.
The juggernaut has started forward momentum, people. Get used to it.
Another quote says:
It isn’t like Gates got hit by a bus. He’s still very much there for the next several years; he’s just signaling that the day will come when he won’t be, and planning an orderly succession.
This came from Jonathan Eunice, founder and principal IT advisor at Nashua, N.H.-based consultancy Illuminata Inc. Exactly! And he will still be plucking the strings of MSFT for years after he “steps down”.
Vet
Posted by Michael Farnum on Monday, June 19th, 2006
Filed under Pre-Categories
This is exactly what I was talking about when I admonished Pete at Spire Security on his post about the VA data theft not being a big deal and that we should not worry.
First, you have the VA Secretary James Nicholson telling Congress that the hard drive on the stolen laptop was most likely erased because it fits the modus operandi of laptop thefts that had occurred in the area.
So the VA Secretary wants to ease the minds of the people by telling them that the data was likely erased. Well, I guess that is his job, and it very well may be true. It still does not ease my mind.
But the bigger point is the title and first paragraph CNN used for the story:
Agency chief: Data on stolen VA laptop may have been erased
Thieves may have erased personal data on millions of veterans that was on a laptop they stole, the secretary of veterans affairs said Thursday.
“Man, that’s a relief! I’m glad I don’t have to worry about that anymore!” That was what the busy veteran said who did not have the time to read the entire story. But if he had read just one more paragraph, he would have read this:
At least, that’s the burglars’ modus operandi, Secretary James Nicholson said at a hearing before the House Government Reform Committee.
Not so reassuring now, is it? The beginning of this article is very deceiving. I am not saying it was done maliciously. It was simply designed to grab attention. Everyone was writing stories about the theft. People were getting bored with it. But write a quick blurb about the fact that the data may have been erased, and you get people to go to your page and maybe click your ads. Nothing wrong with catchy taglines, but this really can cause problems by making people stop putting pressure on the VA.
Not to mention the fact that the “At least” paragraph is bogus, since Secretary Nicholson also says the thieves “may have been the same ones who committed similar burglaries in the area.”
Do not relax, people! Do not relax, VA! Fix this problem. Don’t give me a bunch of political crap. I want visible results!
Vet
Posted by Michael Farnum on Sunday, June 18th, 2006
Filed under Pre-Categories
Since I love the USA Network show “The 4400“, I keep wanting to make a joke here. But I won’t, since everything I can think of sounds pretty weak.
Anyway, Oregon had a government worker surfing porn and got a trojan. Now you have up to 2,200 Oregon taxpayers’ information compromised. Seems like typical stuff. But what I want to know is this: how did this worker get to porn in the first place? Why wasn’t this being blocked? What was the website this trojan came from? Has this website been reported to the authorities and the major security companies and whoever is hosting the site? Was it actually a website, or were they getting porn from an IRC channel? Have they checked for further infections? Was this a known trojan that should have been stopped by anti-malware on the desktop or the server? Was it an unknown trojan that has been reported to the major anti-malware companies? Where are the big details here?
There is too much left out of this story to make me comfortable. I am not an Oregon resident, and I have only been there once, so I am fairly certain I am not in trouble here. But some details need to come out to make sure this is not a new threat out in the wild. And more people than the employee need to be held accountable. Some government IT managers and execs need to be held to task for not blocking this type of traffic.
Vet
Posted by Michael Farnum on Friday, June 16th, 2006
Filed under Pre-Categories
Microsoft and SANS are reporting a zero-day exploit (here and here) in Excel.
Posted by Michael Farnum on Friday, June 16th, 2006
Filed under Pre-Categories
Martin McKeay has posted that phone tapping is not as effective as human intelligence, and I have agreed. But I also pointed out how difficult it is to get intelligence from traditional tactics with this type of enemy. It is not the same as gathering intelligence from communist governments, etc. I talked about this some more in my podcast.
Now Martin has replied to my previous post, and I have to say that his post is daunting. He is definitely passionate about this debate, and I agree with him on a number of points. I agree that phone-tapping is not a replacement for HUMINT.
But I have to take this debate a little farther. The NSA is not limiting itself to phone tapping. Bruce Schneier posted a link to this article this morning. It looks like the NSA is gathering information from MySpace and other social networking sites. Like Bruce, I don’t find this surprising. And to boot, it is not illegal. Anybody can grab this stuff from these sites. The NSA just happens to have more technology than most small countries, so they can be more effective at it. If people are crazy enough to let so much of their private lives hang out in public view, then they are going to have to deal with the consequences.
So what does the NSA hope to get from this data? Is it really effective as an intelligence tool? When you consider the sheer amount of data out there, the Internet would seem to be an ideal hiding place. And these social networking sites have added so much clutter to the Internet, it would appear to be impossible to gather any real, usable intel.
But I would say that it is effective, even with the high volume of data. Canada’s latest terror bust proves that website and Internet monitoring is effective at catching terrorists. This NY Times article (registration required) points out that the Canadian Security Intelligence Service “began monitoring Internet exchanges, some of which were encrypted” in 2004. The Canadian Broadcasting Corporation also reported that “the investigation began as security officials monitored traffic to extremist-related websites.”
And here is another point. Martin, have you considered that gathering data from social networking sites really is HUMINT? Many of these social networking sites have replaced coffee houses and the like. By using the Internet, a terrorist cell does not have to risk all its members or multiple members being captured by meeting at the same place. They can gather in relative anonymity in many places. It provides some safety. But it is still HUMINT to monitor these sites because they serve the same purpose: collusion to perform heinous tasks.
And on the subject of gathering intelligence on our citizens: if we limit intelligence gathering to non-citizens, aren’t we leaving out a huge number of potential suspects? Many of the terrorists have been citizens of the countries they have attacked. The CBC article mentioned above says, “All of the suspects were either born in Canada or were long-time residents. Luc Portelance, the assistant director of operations for the Canadian Security Intelligence Service (CSIS) called it a case of ‘home-grown terrorism.’”
Martin has said that I have come over to his side, and I agree that I have moved my thinking to a huge degree. Between Martin, Ira Winkler, Alan Shimel, and Bruce Schneier, I have received a healthy dose of reality. Couple that with the sheer amount of data being gathered, and I have almost totally changed my mind on this issue. I agree that this amount of intelligence gathering can lead to abuse. I hesitate to say a police state is in our near future, but I can follow the tracks into the future far enough to agree that it can happen. I don’t like it. It scares me. The capturing of so much info on so many people really makes my hackles rise. This has changed our country considerably, and in a short time.
I also agree that our intelligence gathering agencies have been hamstrung in many ways, and I think they should be built back up to a high level of effectiveness. That is and always will be our most effective tool at fighting these baddies. But Martin, the terrorist threat is immediate. What do we do until then? There is where I have problems. I just don’t know how to effectively deal with the threat until then. I am not disagreeing. I just haven’t heard an alternative from anyone. And I am not saying I have one either. This is the ONLY reason I have not completely condemned these methods.
Sheesh…
Vet
[In case you see a couple of versions of this post (my RSS reader shows updated versions as separate posts), I must tell you that I have updated this post a couple of times due to some poor wording and garbled sentences. The message has not changed, just the wording. Thanks to Martin for pointing it out.]
Posted by Michael Farnum on Thursday, June 15th, 2006
Filed under Pre-Categories
I just discovered the Security Curve Weblog. Looks like some good commentary. The most recent post is about McAfee and their announcement of getting back into vulnerability discovery. I liked the thoughts that were given, and the writing style is good.
And since I just posted a question about using my comments on other blogs for my own blog postings, I am going to go ahead and post my comments from the above post:
This issue has been looked at for some time now, with the conspiracy theorists saying McAfee and Symantec hire hackers to create viruses to generate business. I never believed those allegations, but this is in the same vein. However, now it is explicit, so it brings it out even more into the public eye.
The concepts of ethical hacking and hiring greyhats to find vulnerabilities have always been lightning rods for security pros.
Will a hacker always be ethical? Who’s to say a greyhat won’t sell McAfee a vulnerability then turn around and sell it to someone else for malicious purposes?
I also find it somewhat interesting that people tend to explicitly trust the motivations of those who find vulnerabilities on their own and report them to the proper organizations. But that is another conversation.
Vet
Posted by Michael Farnum on Wednesday, June 14th, 2006
Filed under Pre-Categories
I often find that my best blogging is done as comments to other blogs. Is it wrong to take your own comments from other blogs and post them on your blog? They are my words, and I get most of my inspiration from other people’s writings (yes, I do have original thoughts – sometimes I just need grease to lube the gears).
I don’t think there is anything wrong with it, but I don’t want to cross any blogging lines that I am not aware of.
Vet
Posted by Michael Farnum on Wednesday, June 14th, 2006
Filed under Pre-Categories
I just finished recording the third episode of An Information Security Place Podcast. It is considerably longer than the previous podcasts, mainly because I talk about multiple subjects rather than just one of my posts, and I expound a little more than usual. If you have comments, suggestions, gripes, complaints (if I make your ears bleed with my incessant droning), please let me know.
In this episode, I talk about a few things. The first thing I talk about is the ongoing discussion Martin McKeay and I are having on the NSA spying. My previous post goes into Martin’s argument about how HUMINT is more effective than phone tapping. As he points out in his announcement of episode 31 of his podcast, the ball is in his court.
I also go into virtualized appliances and some of the discussion Alan Shimel and Chris Hoff are having (go read Chris Hoff’s “smackdown” posts - quite the read!).
I talk about my practical advice post and what it takes to sell security to execs. Thanks to Mike Rothman for linking to that article, BTW.
And finally I talk quickly about my general annoyance of why people can’t spell “HIPAA” correctly.
So take a listen and let me know what you think. I need some feedback on quality of content and quality of sound. I don’t have a hookup like Martin has, so I need to know how this sounds, or if I need to start investing in some gear.
Also, I have created a podcast archive area on my right toolbar (I only have one, but it IS on the right) for easy access.
Vet
Link to podcast
Martin McKeay’s Network Security Blog
Alan Shimel’s Blog
Chris Hoff’s Rational Security Blog
Mike Rothman’s Security Incite Blog
Posted by Michael Farnum on Tuesday, June 13th, 2006
Filed under Pre-Categories
Martin McKeay posted an interesting take on the NSA stuff. He argues that HUMINT (human intelligence) is a much more effective tool for stopping terrorists. I agree with Martin on this point, but I think the premise is a tad bit naïve. I have to ask if he has considered how difficult it is to infiltrate these types of organizations. The US intelligence services have a very hard time getting moles in those places. The culture differences alone are vast, and we are not talking about a political difference similar to the Soviet Union where people became disillusioned with what their government was doing to them. We are talking about seriously ingrained, whacked out religious ideas that have been drilled into these people since childhood. They just don’t tend to switch sides.
Another point is that the sheer amount of time it would take to get people up the ranks in organizations like Al Qaeda would be substantial. Organized terrorism has really only been around in this type of force since the late 60’s and early 70’s. Even if we could get someone in there, they would just be getting up in the ranks, even if they had managed to stay alive this long.
A third point is what type of person would switch sides to give intelligence. Typically, moles in many organizations and governments we wanted to infiltrate were in it for the money and the thrill it gave them. Your typical terrorist doesn’t crave these things (well, maybe the thrill). They are doing it for their god. The type of person who is going to switch sides would have to experience a fundamental shift in their life view. The atrocities they would have to commit to not give themselves away would be staggering. How do you convince someone like this to keep beheading people and planning major attacks that will kill innocents just to gather intelligence?
So I agree that the typical HUMINT gathering is a better tool than gathering phone numbers. But you have to look at how it could be done, and I just don’t think it is possible with this type of enemy, at least not to any large degree.
Vet
Posted by Michael Farnum on Tuesday, June 13th, 2006
Filed under Pre-Categories
Nothing is inspiring me greatly in the security world today. I just don’t want to talk about what everyone else is talking about. So, I decided that I would throw down some practical advice from a security practitioner. Here goes:
Be SOCIAL!
Here is a clue. Many executives and board members think you are throwing money down an ever-growing hole that never shows return. DO NOT let your pride get in the way of making yourself visible to that CEO, CFO, COO, etc. Let them know what you are doing. How do you do that?
First, hire a hacker buddy. Next, open a hole in your firewall. Third,…wait, that’s not right.
Sorry about that. OK, here we go:
DO…
- …make personal appearances at company functions.
- …make eye contact
- …say hello to people in the hallway.
- …eat lunch with your coworkers.
- …talk to people at the water cooler.
- …put up pictures of your kids.
- …talk to people about your kids.
DON’T…
- …sit in your cubicle lined with Wargames memorabilia and mumble to yourself that you are doing a good job and that you don’t have to justify your existence while thinking of how Picard is a better Enterprise captain than Kirk (here come the flames).
Let ‘em know you are a person. Then, and only then, can you expect to start giving them some info on what you actually do in your job. Think about it.
Vet
Posted by Michael Farnum on Monday, June 12th, 2006
Filed under Pre-Categories
Alan Shimel posted about my short blurb on the FCC getting a positive ruling on the issue of requiring broadband providers and IP telephone service providers to comply with US wiretap laws. Since he took issue with my post (dang him!), I felt the need to clarify. Here is my response to his post:
Alan,
I feel the need to clarify this blog post, and I was actually going to do so on my blog later today. I guess I will just copy this comment into my blog since you have forced me into action.
I really meant this to be tongue-in-cheek, but I wrote it a little early, so I might not have been fully awake, so it obviously was not very effective.
If the government is going about this legally, if the courts uphold their position, and if the tap is justified, then I support it. I have posted that I have concerns that the government was not using warrants before (this is a change in my earlier position), and Martin McKeay and I had a discussion about that (should be in his podcast tomorrow).
Of course, many would argue that it is still not right to do it and civil disobedience is justified, but I don’t believe that in this case. Hope that clarifies my position.
I agree with Alan on this one. If the government goes about the tap legally and in full compliance with the law (warrants, the whole bit), then I have no issue with this ruling and the use of the law to catch the baddies.
I must point out that the InformationWeek article had a negative tone to it.
Vet
Posted by Michael Farnum on Monday, June 12th, 2006
Filed under Pre-Categories
Go see this story at Information Week. Looks like your Skype calls are fair game. Break out the encryption!
Vet
Posted by Michael Farnum on Monday, June 12th, 2006
Filed under Pre-Categories
Here are some definite steps in the right direction. I see some inkling that they are taking this beyond just the laptop issue, so that is a sign that they may be taking this as a lesson to be applied to their whole infrastructure. We’ll see how they handle it.
Vet
Posted by Michael Farnum on Monday, June 12th, 2006
Filed under Pre-Categories
I recently discovered Christofer Hoff’s Rational Security blog while reading Alan Shimel’s feed. I have to say that I am very impressed with Christofer’s writings and knowledge. I plan on reading his blog, and I suggest you do the same.
However, be prepared for real opinions that don’t pull punches. Christofer lets you know what he thinks. In this PC age, you might be shocked. But it really wakes you up, and I enjoy that.
Keep up the good work, Christofer.
Vet
Posted by Michael Farnum on Saturday, June 10th, 2006
Filed under Pre-Categories
I finally got around to listening to episode 30 of Martin McKeay’s Network Security Podcast where he and I discussed numerous things. I am pleased with the results, and I look forward to hearing next week’s podcast as well.
But I didn’t post this to talk about my melodious voice (yea, right – more like my rambling, hick-accented voice). I am posting to correct a mistake. One topic we discussed was the post at Spire Security about the VA data theft not being as big a deal as everyone thinks because of the high number of records that were on the laptop. If you have listened to the podcast, I said that it upset me that Ira Winkler agreed with the post. It wasn’t Ira Winkler who agreed with the post. It was Mike Rothman. He posted about it here. I wanted to clear that up.
Now, I know Mike reads my blog, and I am sure he understands that everyone is going to disagree, so I am posting this with confidence that he will continue to read my blog after this post. If he stops reading my blog, I will dig up even older pictures of him from the Internet.
Vet
Posted by Michael Farnum on Friday, June 9th, 2006