An Information Security Place

I just read this story over at SC Magazine about Julie Amero’s sentencing being pushed back for a month.  I think this is a precursor to a victory, and I am psyched at the number of supporters Julie has behind her from the IT and blogger world.

While I read the article, I started thinking about this on the line of the old “stupid user” issue that some of us Catalyst Community bloggers have been fighting against (see here and here).  Now we all know Ms. Amero is not stupid, but it struck me that this is really a gigantic case of IT geeks and security folks rallying behind one of these “stupid users”.  I think this is nothing short of miraculous, and I hope this is a start to a big push towards end-user and home-user education in security.

I wonder if Ms. Amero even knows that she is quickly becoming the “poster child” for those people who think education is a better path than making fun of end users?

Vet

I am mortified at this story.  Kathy Sierra at Creating Passionate Users has been receiving very graphic death threats on her blog and other blogs.  She doesn’t know if she is going to post anymore (I am sure she will come back from this), and she has cancelled all her speaking engagements.

I have to say that there are some really screwed up people out there.  And when it comes to driving someone away from their passion and their life, then I just feel like throwing up.  I was happy to see this post and this exchange of comments as well, but I am still just completely disgusted at some of my fellow human beings.

Vet

The blog is fixed.  For those of you familair with WordPress, you can change the format of your permalinks to reflect dates or numbers or whatever.  I have mine set to dates (click on the title of a post and then look at the URL to see what I mean).  For some reason WordPress got confused, and those links weren’t working.  I looked at my personal blog to see if it was ok, and it was fine.  But I noticed that the permalink format was set to default, which is pretty much just nonsense (to humans anyway), so I changed it to the date format I love so much.  Then I got the bright idea to just change the format on this blog, then change it back to the date format to see if it would get kicked into gear.

Well, sure enough, it worked.  Not sure what happened, but I think I will change my passwords just in case. I probably need to anyway.  Now if I can find my post-it notes so I can “document” my new password. 

Vet

I having been mulling over adding another contributor to my blog. My main strength is network security, and I have some good experience in compliance and security management. However, I am very weak when it comes to application security, and I would like to have someone who has strengths in that area to add to this blog.

If you are interested, shoot me an email at m1a1vet – @ – infosecplace.com. Send me some info about your background in application security, your resume, and some samples of your writing. To applicants and my readers, I will retain control of this blog and its content. This will merely be a contributing role, and it will not be a paying gig. It is a chance to get your voice out there. Not that my blog is just filled to the gills with readers, but I do OK, and I think it is a decent start for anyone who wants to start blogging. Also, this is not JUST for those interested in getting into blogging. If you are already blogging but would like to just simply help me out in the area of app security, I will be happy to consider you as a contributer as well.

Anyway, I have to get prepared for the mass rush to my doorstep because of this invitation.

Vet

Just a link for now.

Vet

And BTW, since Cutaway and Rothman are talking about their blog birthdays, I think I will follow along.

I hit the big number 1 on Feb 24.  Here’s a link to my first post (the original post was on Blogger).  It was a post musing about where security was going (and I have to say that it was not a bad job at trying to look into the future).  It was right after RSA 2006, and right after meeting Mr. McKeay, who was my inspiriation for blogging and has since become a good friend.  Thanks, Martin, for helping me get this blog noticed.  I owe you a lot.

I also want to thank Alan Shimel and Mike Rothman for helping put my blog on the map back then.  They were also inspirations to me.

Also, all you who read my stuff, the most thanks goes to you.  Like Alan says, I am amazed that people actually give a crap about what I think, but please keep coming back.  Makes me feel all warm inside.

Vet

The recent uproar, pandemonium, mayhem, hubbub, bedlam, and other synonyms caused by “The List” has taken us security bloggers in a direction that we might just need to help us look at the security industry and ourselves in a new light.  Take a second to read Mark Curphey’s post about the issue over at SecurityBuddha.com.

Here are some excerpts from the post:

Last Friday I decided to leave the Security Bloggers network… 

…for me the Security Bloggers network had a low signal to noise ratio and some of the other members were not folks I want to be associated with. This came to a head when ITSecurity.com produced a blog baited list of the top 59 most influential security people. The list is farcical in so many ways; no Dan Geer, Mike Howard, James Gosling, Andy Jaquith, Phil Venables, Spafford and so on.

This first point about leaving the security blogger’s network was disconcerting to me at first.  I am a member of the Security Blogger’s network, and I am proud of it.  But Mark’s point came through that he just thought the bad stuff is outweighing the good stuff on the network.  I admit that I do not always read the feed coming from the network (I subscribe, but I usually pick out individual blogs), so I can’t say that I agree or disagree.  But Mark’s comment that he did not want to be associated with some of the members is hard stuff indeed (there’s nothing wrong with the statement, by the way).

But the above statements were also referring to the list, so let’s carry on with that.  Another excerpt:

The noise of self congratulation for “falling f0r for it” became deafening and very annoying. Over the last month I have also read some ridiculous blog postings about PCI from people who I honestly doubt have ever held a corporate security job in their lives and just don’t have a clue (and yes, I am happy to debate you charlatans on a public stage at a conference of your choice about that topic if you have the balls).

Some speakers and projects seem to spend more time telling you about why they are such experts and “thought leaders” than they do producing anything of value.

Well then.  That makes the first excerpts look like child’s play.  These words are harsh and hard-hitting.  And when I read them, I had to take a step back and look at my thought processes on blogging about security.  Of course, my low self esteem kicked in, and I thought I might be one of those charlatans.  I had posted a good deal about PCI in the last few months, so I had to self reflect to make sure I was on track and had not tried to misrepresent at all.  Also, it made me think that I was one of those that was happy to be on the list (I’m a sucker that way).  While I also publicly stated that it was obviously a ploy to generate traffic to IT Security’s site and was not very representative of the true influencers in IT security, I still admit that I patted myself on the back a bit.  And that leads me to my ultimate point, and I’ll start make that point by quoting myself (how’s that for conceited).  Here’s some of what I said on my comment to Mark:

That is a very bold statement, and I was going to comment to your post by saying that you need to call out the charlatans instead of just posting that statement. But by your reply to Alan [blogger's note: read the comments for context], it looks like you are going to do just that. I don’t think the security blogging world and the security industry as a whole would be hurt by some kind of shakeup, and if you feel like the one to do it, then I say more power to you.

I have stated this before on private conversations to other bloggers, but I think the security blogging family is getting somewhat incestuous, and we are possibly breeding malformed kids (everyone seems to want to jump on the security blog train). Of course, as Alan said in his comment, I also think that most of these will be weeded out eventually.

So what do I mean by “incestuous”?  Simply, I think security blogging has become a huge fad in the industry.  That’s not necessarily a bad thing, and there are a lot of people saying a lot of good things out there.  But when you have this many people blogging about so many related subjects, it gets kinda crazy.  There are only so many issues to blog about, and people start feeding off of other people, and you inevitably get those who really never say anything original or do say stuff that is original but is plain wrong.  And you get events like the blogger’s gathering at RSA (which was a great event that I vow to attend every year it is held) where we all get together and pat each other on the back and tell each other how cool we are.  I just think it all has the propensity to lead to many of us becoming legends in our own minds, and I think we all need to make sure that does not happen.

We all just need to take a step back, think about where we are in security as individuals, where we are in security as an industry, and where we are in security as a community of bloggers.  Are we making a difference?  Are we putting out good information?  Are we posting just to post so we can grow or maintain our readership and be part of a group for ego’s sake, or are we trying to help?  And notice that I am using the word “we” throughout.  I am not exempting myself from this reflection and honest appraisal of my worth to the security community. 

As for whether a blog is good or bad, honestly, I am not of the mind to start judging blogs.  As was said in the comments to Mark’s post, if bloggers write good stuff, then their readership will grow.  If not, people will unsubscribe, and eventually the bad ones will die on the vine.  But we also have a duty to call out those that misrepresent for selfish purposes or those that simply post from a faulty foundation.  The former would be the ones that need to be drummed out.  The latter need to be shown the error of their ways.

Again, please don’t think me arrogant in this posting.  I truly believe this is something any industry needs after a while.  Honest self reflection is always a good thing, and we might just bring about some honesty and good direction for the security industry.

And a last couple of points:

First, I am impressed by Mark Curphey’s blog.  He hits hard, but he calls ‘em like he sees ‘em.  LoverVamp called it when he commented on Mark’s latest post: “For being new to blogging, you have a particular clarity and honest rawness to your postings. You could have fooled me!” 

Second, his Security Bullshit cartoons are genius.  I am sure someone has already made the connection, but this guy just might be the Scott Adams of security.

Vet

Here’s a thought.  Everyone that was on the list of 59 should form a gang called ”The Listers”.  We can all get tattoos with a picture of a stylish “59″ inside of a flat panel monitor, buy black motorcycles with the same logo on the fuel, and seek out rude cab drivers to pelt with racist comments.  Then maybe we’ll get some respect. 

Look, I know this dang list was a bunch of crap.  I know that it was a machine created to drive traffic to the IT Security website (dang it, I linked to it again).  I know me being one of the top influencers in IT Security is about as real as me being an influencer in Britney’s decision to shave her head (of course, she did go to high school in my hometown, so maybe I did influence her decision – **GASP**).  But really, is it such a bad thing?  Like LonerVamp says, “No matter what, that list is still a great resource to plunk all those sites and blogs into your favorite RSS tool and keep up with our industry.”  Of course, he was really dissing “The Listers”, even though he said for us not to take offense.  You’re on our list, LV!! (pun intended)

So I am going to be honest and say, “I like being on the list,” even if it was thrown together and has about 50 typos.

And to all you “non-listers”, don’t get on our bad side.  We don’t want to have to use our influence to squash you.

Vet (A.K.A. Lister 16)

I made the list of “The 59 Top Influencers in IT Security”.  Me?   I am humbled and honored to be in the list, but I have NEVER thought of myself as having this much influence.  I think maybe my connections with Martin, Mike, Alan, and others on the list got me noticed, and I think my opinions and ideas are decent, but I don’t think I am one of the 59 Top Influencers.

That being said, don’t take me off the list!  Maybe the extra traffic will make my blog uber-profitable like Alan’s, and I can get bought out!  Get the contracts ready, Chris!  Man, I’m seeing dollar signs already!

Vet

Mike throws out some good advice for VARs here.  Basically, do what is right for your customer, and you will have a loyal customer.

Some more advice: VAR’s have bad reps.  Don’t be a VAR.  Sell stuff, but be the advisor that Mike talks about.  If all you do is show up every year when maintenance is due, you are  not a partner.  And remember, customers don’t have to buy maintenance through the same company where they bought the product. 

You want to keep selling?  Get to know your customer.  Be their friend.  Be their advisor.  They will remember it.

Vet

I guess I am a corporate whore now, but this webinar looked very interesting to me.  I’m sure there will be some of the usual  vendor stuff, but our PCI compliance manager will be on the talk, and I guarantee you this guy knows PCI very well and will not BS you.  Anyway, if you are interested, click the link at the bottom of the announcement and sign up.

Special Webinar:

Demystifying PCI Compliance: Simplifying The Path To Protect Your Brand And Your Network

        

Recent reports on the sharp rise in credit-card theft and large-scale security breaches have increased security concerns among consumers, banks and government agencies alike. As a result, every retailer needs to reconcile the urgent need for PCI-compliant security with the equally essential need to increase sales and reduce costs through mobile applications. Now, see how you can achieve just that with this special online event that brings together experts from every essential domain, including a leading security researcher, a PCI auditor and a retail mobility authority. During this event, you will:

-     Discover how PCI compliance does not have to be complicated or costly.  
-     Learn about the recently revised PCI v1.1 data-security standard and specifically what you need to do to comply.
-     Hear real-world examples of a step-by-step migration path to PCI compliance across wired and wireless retail networks.
-     See best-practice examples of what security experts consider a PCI-compliant retail store network.
-     Learn about these essential security considerations before deploying new in-store applications designed to boost productivity and enhance the in-store experience.

Date: March 22, 2007
Time: 2pm ET/11am PT
For more information and to attend, go to www.chainstoreage.com/arubawebinar

Vet

I am not going to post about DST.

I am not going to post about DST.

I am not going to post about DST.

I am not going to post about DST.

I am not going to post about DST.

I am not going to post about DST.

I am not going to post about DST.

I am not going to post about DST.

I am not going to post about DST.

I am not going to post about DST.

I am not going to post about DST.

I am not going to post about DST.

I am not going to post about DST.

I am not going to post about DST.

Vet

OK, I just about blew orange juice out my nose when I read this.  And the comments are almost as funny.  The combination of comments 9 and 10 is hilarious.

Vet

Doing some JUNOS training today and tomorrow.  We haven’t dug into it yet, but I can tell you one definite strength right now.  JUNOS is one code train versus Cisco’s 8000 versions.  Cisco used to make my head spin trying to figure out what code rev I needed.  JUNOS doesn’t have all that.

The first router Juniper came out with was the M40 many years ago.  You can take their latest code level and put it on that old M40, and it runs with no problems.  Try that with Cisco.

Vet