I have worked for three consultant / VAR types over my career, but I have never been pure pre-sales until this job. And because of that, I am always working very close to the sales people and even our regional director of sales. So I am getting very familiar with the end-of-month / quarter / year sales dash that happens. But up to this point, I have never been close to our VP of Sales during this time. Well, today I get to be in the same room as one of our sales guys, our regional director, AND our Eastern VP of Sales. And I have never laughed so hard (internally) in my life.
Calling sales people, telling them to go smack our customers and get them to sign POs. What’s our number now? Hey, just got another one for $7000 in GP!! WOO HOO!! Bob just got a last minute deal! Add another $3500 in GP! Damn, Susie’s account just pushed to next month! That sucks!
I swear, it is like being in a cat herding contest!
Of course, it is instructive for me as well. I have never been this close to the sales side of the house, so I need to soak this up so I can use it later in whatever job I end up in. If I ever go back to the trenches, I will definitely have more ammo to get better deals.
If you have some interest in web application security and you live in or are going to be in the Houston area on Oct. 10, come on by for a great presentation. Bring your copy of Cross Site Scripting Attacks: XSS Exploits and Defense for Jeremiah to sign.
I am going to be speaking about Accuvant for a bit (we actually compete with Whitehat Security on some levels), and then Mr. Grossman will do his thing. Should be great stuff.
BTW, here’s the Houston OWASP chapter website.
Mr. Cutaway honored me with a request for an email interview yesterday (you can read it here). And though it took a bit of time to answer it, I really appreciate it because it allowed me to really focus on a subject (it was about centralized logging), and I really got into it.
But it goes farther than just the interview. I have a Google alert set up that tells me when my name is being used out on the Internet (I may be narcissistic, but I also want to know when I am being mentioned out there for personal security reasons). So I get an alert, and I figure it is from the interview getting posted (since I haven’t been writing anything earth shattering enough lately for anyone to mention me). When I open the alert, I see two mentions of my name. One from the interview, and one that seems to be referencing the interview. So I am thinking, “Someone is linking to the interview because they love me (they really love me!) and want others to know how much they should love me, too. It is only logical, right? RIGHT??!!”
Alas, I was wrong. It was nothing but a splog, and a porn splog at that. How annoying! And now when someone searches for my name (probably just me), they might get a porn splog. Great…
Kudos to Joat on this post about this article @ Darkreading. Some expert in the article is warning of insider threats (we all know they exist) and how you can detect when an employee is about to get medieval on you. Joat’s advice is to secure your environment, keep a watch on people but don’t be so aggressive that you drive people off. Get your crap together to protect against problems. Don’t MAKE people the problem.
Joat says it better here:
I’ve got news for you: If you run a totalitarian environment (AKA micro-managed, micro-monitored), every single one of your users will be evil and you’ll end up wondering why your organization has such a high turn-over rate.
Joat also says that you have to use your brain and quit trying to automate every process (this is mentioned because of some software the article points out called WarmTouch). Very good point. I have this issue on a regular basis with clients looking at SIEM. They want something that does the job for them, but this just does not exist. You have to have people on the job. Unless LucasArts builds a real C3PO, that is just the way it is.
This post at Darknet.org.uk was devastatingly hilarious. Just the title alone made me crack up: Im In Your Leenucks Box Changing Your Password.
It is all about a professor teaching a technical class. He has some young punk who thinks he is the man when it comes to hacking. The prof teaches the punk a lesson in a hilarious manner.
We had a sales person ask for a recommendation on personal password management. Of course everyone recommended Password Safe. But then the fun began:
Pen and paper?
And tape it to the bottom of your laptop.
I just use “password” for all mine. Keeps it real easy
#4 – This one is mine:
I developed my own block cipher and use it to encrypt all my passwords.
Well, I say “developed”. To be fair, it is really just a derivative work. I basically improved on the AES standard by making it a 1024 bit key size and a 256 bit block size.
Of course, with the quantum computer I just developed, it won’t take much to crack that algorithm. Oh well, back to the drawing board.
I started to do that too but it was too easy.
#6 – the last one
Don’t beat yourself up! Try something a little more challenging. I use the complex XOR operation with the following key. Works every time!
x=a e=s n=p j=w q=r p=o f=d
That was fun.
Being the IT support for the family is a fairly regular occurrence. And nowadays, a lot of that involves security issues. For instance, just last week my sister-in-law decided to get satellite Internet at her house in back woods Mississippi (they had been using dial-up at my parents’ house on their computer, but the speeds were about 26.4 baud on average, and that was getting old). So she called me up and asked what she needed to do.
The first thing I asked her was how long it had been since her computer had been on the Internet. She said about 3-4 years. I knew at that point that I would have to make sure her PC had SP2 and was fully patched and firewalled before she even connected to the Internet, or she was going to be part of a botnet before she could say “malware.”
Plus, now that she is making the connection and it is going to be fairly speedy, she will probably be making the transition over to shopping on the Internet, paying bills on the Internet, yada, yada, yada…
But one of my favorite people out there, none other than Mr. Mike Rothman, has come to the rescue. He has written something that I think just might take off some of the burden from my back and the backs of so many geeks out there. He has written a guide to Internet security for the average Joe and Jane that are not in the business of worrying about security 24 hours a day.
Now I have not read this yet (I didn’t receive an advance copy, so I guess Mike doesn’t love me anymore), but the description makes this a very promising book for the masses. Good luck with it Mike. If I can get a copy, I’ll recommend it to my family! Otherwise I’ll buy a copy and distribute it. How do you like that!
Oh, and yes, I stole the title from Alan. OK? I admit it! I couldn’t think of anything better!
I know so many people have asked this question before in security, but just what is it we are trying to do? Are we trying to make a difference in security, or are we just trying to make a buck? Of course, you can ask the question, “Why can’t it be both?” But really, are we trying to do something about the state of security? In fact, why don’t I ask the real question: do we even care about the state of security? Or do we simply want things to keep rolling like they are?
Let’s look at it this way. I liken security to the medical field. I have run into doctors and nurses before who would like to be out of a job, meaning they would love it if modern science would find a cure for the disease in which they specialize (a lot of those people work right here in Houston at the MD Anderson Cancer Center). If their area of specialty was no longer needed, they would rejoice, and they would move on to another disease to fight.
But at the same time, you have some of those same medical professionals who make you wonder if they are just there because their momma wanted them to be doctors or because nurses make pretty good money. They do their job without much interest and bed-side manner, and then they go home.
The same is true about security. There are some security professionals who want to fix security ills. They want their family and friends to be safe from harm when they go online. They want everyone’s data to be locked safely away from criminal snooping. They care that the Internet is a dangerous place, and they want to do something about it.
Then there are others who heard in high school or college that information security seemed cool, and it also tended to pay big paychecks (not always true, BTW). They show up and maybe write a couple of policies or sell a couple of firewalls. But they are not there to make things better.
Now before we slam these people, we have to ask ourselves if they are really evil or bad. I think that most are not. They simply choose their profession based on misguided principles. The medical field is just too important a choice to make based on the fact that the men in your family have been doctors for three generations (ever see Gross Anatomy?). The same is true for security. It is not a field you go into just because you thought WarGames was cool (I guess I am also saying something about watching movies – I’m not exactly sure).
So I guess what I am asking is for all of us to be honest. Take a close look at what you are trying to accomplish. Security is a field that MATTERS. If all you want to do is make a buck, then do something that won’t get anyone hurt or ruin someone’s life (not sure what that is right now, but it dang sure ain’t security or the medical field). If you are trying to help others and you have a talent for security in some way (there is a lot of room for different talents in security), then let’s make security a goal we can all pursue together.
And hey, if we make a buck or two in the process, then we have proved that capitalism works.
Looks like Simple Nomad is going to be talking some more about IDS/IPS evasion and fingerprinting at IT Security World in San Francisco. I wrote about this earlier this year when Simple Nomad presented some of his findings at TRISC. It looked like some very cool stuff, and it presented an interesting dilemma if it can be done reliably.
OK, I have officially set a date, time, and location for BayouSec. It will be on Oct 4, 7pm, at the Dave and Buster’s at:
Richmond at Fountainview
6010 Richmond Avenue
Houston, TX 77057
If you are currently or are aspiring to be a security professional and live in or around the Houston area (or just happen to be in Houston at that time), come by and have some fun. This is strictly informal. No vendors, no security speech, no sponsors, nothing like that. Just plain fun.
See you there.
I recently found out about the Department of Homeland Security’s Daily Open Source Infrastructure Report through a mailing list to which I subscribe. I decided to subscribe to the report even though it is not centered only around infosec, and I have found that it has some great information in it, even if just to help my information addiction. Check it out.
First off, I have always thought my wife is smarter than I am. She is a serious science and math person, where I am more about philosophy and literature (basically comes down to me not wanting to work hard enough to come up with a real answer for a question). But just like most people, including me, she had to learn to be security aware. It really comes down to the fact that most people are basically trusting. So when someone calls you and says, “I am so-and-so from such-and-such company”, we tend to say “OK, I believe you.”
Here’s what I am talking about. A while back, we signed up for a service that would send us a new water filter every 6 months for our refrigerator. It was very convenient, and it reminded us not to wait until the water turns a funny color before we changed filters. But when we started moving into our new house, we got a new fridge which has a different water filter which the company we were using doesn’t sell. So, we canceled the old service.
Well, the cancellation didn’t go through for some reason, and they shipped a water filter and charged our credit card. The filter got lost in the mail since the post office didn’t forward it to our new address (probably better since we didn’t have to worry about shipping it back). So we called and told them what was going on. They said they would now cancel the service, and they would credit us for the lost filter. Great, thanks.
Well, this morning, my wife got a call from the same company. The lady said that for some reason they couldn’t find our credit card information in their system, so they could not credit our card. So, she asked my wife for our credit card number. My wife told her that she was not comfortable giving that information out to someone who called us.
OK, I love my wife so much. How many people would have just said, “OK…here it is.” More than likely everything is kosher with the call, especially since the story the lady gave fit so well with the situation. But that is not the point. If someone calls and asks for this kind of information, I don’t care if the caller ID says it is coming from the right number (it didn’t), the story fits well (it did), and you recognize the person’s voice (she didn’t because I made the original call). You still have to be cautious. And that company really needs to make themselves aware of this.
Awesome job, April. Have I told you I love you lately?
FYI, if you are in the market for a solution to help manage configurations on many disparate servers and network devices, nSolutions might be what you need. We are doing a couple of events with them in Houston (Sept 20) and Dallas (Sept 20). If you are familiar with Tripwire or nCircle, then you will know basically what nSolutions does. But they have some benefits over those two tools. I would tell you what those benefits are, but then you wouldn’t need to come to the event.
Shoot me an email at email@example.com if you are interested, and I will get you signed up.
Sorry everyone. I just got Internet at my new house (AT&T needs an ass-whoopin’ – I may talk about it in my personal blog), so I have only been able to get online during work hours. And though I sometimes blog when at work (I hope none of the Accuvant big bosses see this post), I have been pretty swamped while I have been at work. So, no posting.
I am just glad to be back and having things settle down. I ain’t moving again for 20 years. I swear it!