An Information Security Place

John Thompson is an ass.  There, I said it.  Whew…

So now, let me ’splain.   I did not really have an opinion of John Thompson until the 2005 RSA Conference (except for the acquisition of Veritas - it made sense to me, but it royally screwed me over at a critical time - explained below).  I just thought of him as another CEO of a pretty successful security company.  Either he had not done enough to stand out to me, or I simply had not paid attention to him up to that point.  Anyway, I was sitting in the audience at RSA 2005, and I had just finished listening to Bill Gates talking about their entry into security.  Like many people, I met this with apprehension and doubt, but I still listened with respect.  But then Mr. Thompson came up after Bill was done, and that respect factor went right out the window (for Mr. Thompson, that is).  He proceeded to rip Bill Gates up one side and down the other, and it was the single most rude and disrespectful display I have ever seen.

Now don’t get me wrong.  I am not a MSFT fanboy.  I have slammed them on many an occasion.  But what Mr. Thompson did was really beyond just trying to head off a competitor.  It was unprofessional, and it smacked of school-yard bully tactics.  And to add to it, Mr. Thompson had a crew waiting at the doors handing out review forms to see what the audience thought of his little speech.  I gave it negatives across the board, handed it back with a sneer, and then slapped the person who handed it to me (OK, that last part about smacking them was made up… but I DID sneer).

Now he is being downright condescending towards McAfee.  When asked how he felt about them since they are viewed as Symantec’s chief competitor, he said:

It’s a nice little company and they do a nice job. The industry needs competition. But we don’t see their portfolio as competing directly with ours. We help customers manage their infrastructures better.

Dude, come on.  Please get off your friggin’ crystal tower.  You can debate your quality versus their quality if you want, but pitiful statements like that are beyond ridiculousness.  Confidence is needed in a CEO.  Arrogance just looks petty.  Eric Hoffer said, "“Rudeness is the weak man’s imitation of strength."  You are looking pretty weak, Mr. Thompson. 

BTW, I am not a McAfee fanboy either.  But Mr. Thompson, I have run and managed both your AV products and McAfee AV products in ENTERPRISE settings.  McAfee has ALWAYS beat yours, hands down.  And that is in management, performance, and accuracy.  That is my experience.  And while I have limited experience in some of your other products, I can say that from the outside, your product line looks like a mismash of crap. 

And your acquisition of Veritas way back when?  I was actually one of the few people who thought that acquisition made sense.  But that also hosed me in so many ways.  Like when I was trying to perform my DR test in Arizona.  I’m a big boy, so I take responsibility for that kind of failure.   But horrible support from Veritas / Symnatec single-handedly screwed up my DR test.  Support was already bad at Veritas, and you jacked it up even worse.  Great job.

So there’s my rant.  I hope I don’t get sued for libel. :)  BTW, it looks like someone else out there feels the same way I do about Mr. Thompson (though they said it in a nicer way).

Vet

Monday was meetings.  Then spent Tuesday and Wednesday in New Orleans doing an eval install for Bluesocket (actually, the SE for Bluesocket did the install - I was there to learn).  Then I spent all day Thursday driving around one of our sales people from Dallas since she has a few clients down here in Houston (we had some good meetings, so it is worth it).  THEN Friday was spent driving roughly 6 hours (round trip) to Austin for ONE meeting (I also picked up one of our sales guys at the Austin airport - I love being a chauffeur).

That is often the life of a sales engineer.  Driving, flying, installing evals, driving, flying, talking to clients, flying, driving, driving, flying… You get the picture.  Just seems horribly inefficient sometimes.  But all part of the gig.

Vet

Man, Brian Krebs is just trying to talk about the incident over at the Obama blog where someone stuck in some code to redirect visitors to the CLinton website.  And what happens?  Just go over to Brian’s site and read the stupidity.

What is it about politics that brings the worst out in people??

Vet

Diebold Accidentally Leaks Results Of 2008 Election Early

My pastor writes a blog on our church website that I follow, and today’s message was very good.  Here’s an excerpt:

Life is a long series of “moving-up-a-level” experiences. We move from kindergarten to first grade, or from middle school to high school, or from engineer to project manager, or from club member to club president, or from team member to team captain, or from salesman to sales manager, or from second string to first string, or from busser to waiter. 

In this “moving up” process we spend a lot of time and energy desiring to move up and wanting more responsibility and more money and more control and more recognition—and we spend very little time and energy considering the struggles that are coming with that new level. At new levels there are new challenges.

 

This really struck me.  Almost everyone thinks about the next level and what it would mean for them.  Like Pastor Dave says, it means more money, more control, more power, more fame maybe.  But if we would just stop to see what bad things that new level involves, we might not be so eager to make that climb.

Now, Pastor Dave is in no way saying we shouldn’t strive for the next level.  Look at this quote:

There is nothing wrong with desiring a new level in life—just be sure you are prepared for the new devils at those new levels.

Obviously this is written from a Christian perspective, so you will have to apply the term "devil" to whatever your belief system happens to be.    "Devils" can be a term that can be used for any issue that arises when you move on to new challenges, no matter if you are Christian, Buddhist, Jewish, Muslim, atheist, or whatever.  But the message still applies.  Moving up brings new challenges.  Those can be exciting, but you might want to make sure you are prepared for those challenges before you start the climb (or even start looking for the ladder).

From a personal perspective, I can say that I made the climb early in my career.  I started in IT during the golden age of the 90’s.  If you had a CNE or a even a MCSE, you could pretty much write your own ticket.  Everyone needed a network admin, network engineer, webmaster, etc.  Everyone was growing, and they needed more people to grow with them.  So I sought and got promotions very quickly.  I learned a lot from those experiences, and I don’t regret any of it.  However, I know now through hindsight that I was not prepared for some of those jumps.  I struggled through a lot of those new jobs and levels.  I happen to learn better through doing, so it was good for me.  But not everyone learns that way.

So basically, use caution when seeking that next level.  Be patient and honest with yourself.  Sometimes delayed gratification is better.  Always seek to better yourself, but make sure you are doing it in a smart way.

Vet

I just received a nice little USB stick from LogLogic.  It has a bunch of info on how to sell their new MX line of products.  That’s great.  Seems to be a good idea.  But guys, you DO know what these are used for, right?  They immediately become wiped (that is, if the person is not too paranoid to actually use it).  Hopefully the person copies off the material before they wipe it, but that obviously cannot be guaranteed.

So here’s my gripe.  If you are going to give me a flash drive and want me to sell your stuff, make the drive 1 Gig or more.  This 512 meg crap just don’t cut it.  Dr. Anton, speak to your marketing people, man!

BTW, eEye did the same thing last week at RSA, but their drive was 1 gig.  Kudos to the eEye marketing folks!

These branded flash drives also make great attack tools.  The random USB drive might not be trusted.  But if it is branded, why not?

Vet

I have announced a few new security blogs here at An Information Security Place over the last couple of years (yes, I have been here for over two years now - just realized that myself).  Well, this time I am not actually announcing a new blog, but a new blogger.  I am specifically talking about Sam Van Ryder, who works over at Alert Logic.

While Sam has been a prolific blog commenter for a while now, he had never taken the next step into his own blog.  I guess he still has not done that, since he is actually blogging at Alert Logic’s blog.  However, he is officially part of the club now, no matter is he has his own blog or is using another platform to do so.  WELCOME, SAM!

Now, fair warning.  Sam works for a manufacturer, so I am sure we will have to hear the party line from time to time.  However, I know those guys over at Alert Logic very well (they are based here in good ol’ Houston), and I can tell you that they have some unwaveringly honest people over there.  So yes, they are going to speak well of their company.  That is to be expected, and I am totally fine with that.  But I know Sam will also be a refreshing voice that will do a whole helluva lot more than be a cheerleader for Alert Logic.  Just go judge for yourself by reading his first post.  His writing style is very good, and he has some good insights.

Great stuff, Sam.  Welcome to the club.  Now people can be star struck by you in a couple of years. :)  And kudos to Misha for getting you on there.  Now if you can kick his ass enough so he will start writing again…

Vet

I have been getting this crap steadily for the last month.  Driving me nuts.

Vet

Since I get an RSA press badge through my Computerworld blog, it is kind of expected that I meet with a few of the vendors and others that are interested in getting their latest news out to the world via the press.  So I did my duty and set up some meetings. 

There are always the small guys trying to get their name out there.  The startups sometimes have a decent story because they are passionate about what they have to offer, especially if they are blazing new trails.  However, most are really just trying to jump on some security bandwagon a bit too late and are really just spending a bunch of venture capital to get a booth at RSA in the hopes that someone will notice them in the far corner of the exhibition hall.  Sad and maybe cynical, but it is true nonetheless.  So, needless to say, I typically avoid those small shops unless I see some good potential (I did setup a meeting with one of them, but I had to cancel because of work).

I did talk to eEye about some of their new offerings.  I have a USB key with all their info, so I will look it over and share what I think is cool.  What I do remember is that they are coming out with some appliances that seem to offer some nice features.  I give more details later.  What I did like about the eEye story is that most of their technology is their own stuff.  They don’t OEM much at all.  While I get the OEM model for companies trying to get into new markets without a lot of effort, it also drives me crazy when a company that is supposed to be a leader in the marketplace just starts OEMing everyone’s stuff.  If you are going to be taken seriously as a security player, you have to do some of your own research.  It kinda gives street cred in a way.  So kudos to eEye for maintaining that within their company.

I also talked with Enterasys, mostly because I used to hold some high-level certifications with those guys.  I worked with them way back in 2001, and they really had the edge as far as technology.  I believe they had the first partnership with Microsoft to get 802.1x going.  While not a true NAC play as far as malware and state-checking, it did limit access to resources at the port level.  That was revolutionary back in 2001, and if their management would have been worth a crap, they could be a major leader in the market right now.  But alas, twas not to be.

As mentioned in my previous post, I went to a blogger gathering with some marketing people over at Microsoft.  Shimmy, Martin, Dr. Anton, Mitchell, Hoff, and I all had a great time talking to the MSFT people (they let us talk ,so that is always a great time). 

I also got to have a nice little private chat with Howard Schmidt, Ed Zeitler, and Rob Ayoub about the Frost-Sullivan/(ISC)2 survey results (sorry that I can’t share them yet - it is embargoed for a couple of weeks).  It was a great conversation all around.  I had never met Mr. Schmidt, though I had attended some of his talks before.  It was nice to sit down and really get to know how he is in private conversation.  He was a really nice guy, and he was remarkably easy to talk with.  There was no hint of condescension (maybe there might have been if he had had thought I was just some journalist, but he found out I was a CISSP when I handed my card over).

Ed Zeilter is also a great guy.  Very open and had no airs about him.  Just liked to talk theory when discussing the results of the survey.  Rob Ayoub from Frost and Sullivan is someone I have met a few times (he is from San Antonio, so we cross paths at TRISC shows and other places).  He has always impressed me with his knowledge and good attitude.

On another note, I thought of something that I wanted to mention to the RSA Conference organizers for next years event.  I think it would be awesome to make a distinction between regular press and us blogger types on our badges.   I think bloggers are typically more respected than journalists because they usually have a day job that involves working in the industry, thus they tend to actually know the nuts and bolts.  Though I didn’t really experience any blatant shunning with my press badge, I did notice that people’s attitudes changed when they learned that I am a security engineer instead of some guy that just writes for a trade rag.  If they didn’t see my card before we started talking, the initial treatment I received was quite a bit different after I started asking in-depth technical questions.  The look in their eyes changes from a glazed "talking to another journalist" to a "this guy actually understands what he is asking".  We’ll see if the suggestion goes anywhere.

Vet

I was in Dallas a few weeks ago for a few sales call, and I met my sales guy in local McDonalds parking lot.  I needed to jump online real quick (still can’t get a broadband card OK’ed), and I noticed that the McDonalds had a AT&T WiFi sign on their front window.  I decided to try it since I have AT&T broadband at home, and I’ll be darned if it didn’t work.  Had a nice sign on page where I could input my broadband user name and password.  Very nice. 

Of course, there are not a whole, whole lot of Micky Dee’s that have WiFi.  So I usually find myself in a Panera Bread because, unlike Starbucks, they have free WiFi.  However, Panera’s are not near as prevalent as Starbucks, which often leaves me in a quandry (in my not-so-humble opinion, Starbucks should pay for my Internet access if I buy a coffee and a scone - believe me, I very rarely leave a Starbucks without at least having a tall non-fat no-whip mocha). 

But a few months ago I heard that AT&T was getting in on the action at Starbucks as well, and they supposedly were offering free WiFi to AT&T broadband customers.  SWEET.  So I went to few Starbucks over the last few weeks, but I never saw an AT&T WiFi sign.  Oh well.  I figured it was taking them a while to get it all in. 

Well, being the dumba&& that I sometimes am, I never just tried to see if they had it going by simply connecting to wireless and seeing if I saw an SSID out there.  So a couple of weeks ago I decided to give it a go.  And there was not an AT&T SSID anywhere.  Dang!  Oh well, I guess I’ll have to wait some more. 

But I really needed to get on the Internet (I had a proposal that was due, and I was about to be on the road for 4 hours), so I hooked up and prepared to shell out some money to T-Mobile.  And then, what did I see up in the top right-hand corner of the T-Mobile page (kinda small and inconspicuous, BTW)?  There was a AT&T Broadband image that beckoned me.  I clicked, signed on (just like McD’s), and I was on.  OH HAPPY DAY!! 

Now, I have not tried this at any other Starbucks yet, but my assumption is that it was not just this little Starbucks in Ennis, TX (25 miles south of Dallas on I-45).  So I am happy.  Now I can go to Starbucks, buy my mocha, and then surf to my heart’s content.

Vet

OK, I have to officially applaud Microsoft and their catering to bloggers.  What I am talking about is the lunch that Microsoft sponsored for security bloggers today at the RSA convention.  They invited a few of us bloggers to attend a lunch to talk about blogging, how we all came to be bloggers, and what they see as the They are very interested in our thoughts about blogging, where we see the evolution going in the future, etc. 

They also seems to be very interested in making sure they use blogs in a genuine fashion.  What I mean about that is this: they want the people that blog for them to present the issues in a real and honest fashion.  They recognize that someone who speaks the truth about what is going on with a product and gives people the feel of having an insider’s knowledge lends credence to their opinion and ultimately lends credence to the company itself.

Of course, the main issue they are trying to grasp is how they can use viral marketing to grow their business.  And guess what… that doesn’t bother me in the least.  They recognize the power of blogs in getting the word out.  And that is a good thing.

Good job, MSFT.

Vet

A quick post here.  In case you are interested, I am having fun at RSA.  Although I stayed out a little too late last night because Martin was dragging me to a bunch of parties (OK, I went willingly, but my feet still hurt this morning).  I got to see  a lot of my fellow bloggers before tonight’s get together, so that was cool.

I have to say that McAfee’s party was the coolest I have seen.  They really did it right.  The music was excellent, and even the weird stretchy lady outside was cool.  The lady in the weird makeup freaked me out, however.

And a quick shout out to Mr. Shimel and Mr. Rothman, who have both lost a lot of weight and are looking good.  Congrats on that guys.  Now give me your secrets.  I have a triglyceride problem I need to work on!

Vet

I just wrote a post about the Olympic Torch going through San Francisco on Wednesday and the security concerns for those of use that are going to be at the RSA Conference.  The first comment was helpful and gave a link to the map of the procession through San Francisco.  The second comment said this:

China’s human right record is no worse than the US. China does NOT torture prisoner at Guantanomo.

This is much ado about nothing.

The Tibetan minorities enjoy special right in China. They don’t lost tax credit for having more than 1 kid.

If anything, the Chinese police need to receive some training from the CIA and go after these Tibetan terrorists and thugs who are bent on murdering the Han and Hui people of China.

Wow, how nice that the Tibetan monks don’t lose tax credit for making a CHOICE to have more than one kid.  Man, that’s friggin’ freedom right there!!!  What a freakin’ idiot.

Notice the dropping of the "s" in a few spots, which indicates to me that it is written by someone from China that supports the evil regime in China.  Maybe a member of their pinko commie PR team.

Vet

Anyone else seeing these?

Vet

I have been reading the political-thriller novels of David Baldacci lately.  His novels are very good and very intriguing, and they are also generally very accurate.  Having said that, I want to point out that I am not writing this post to point out any mistake he made from a technical level (I have found a couple of small errors, but nothing really big at all). 

What I wanted to point out actually exists in many modern-day thriller novels.  Most (if not all) of these novels have a small character in them that I like to call the "Ubergeek" (I didn’t make up the term - it just fits).  One of Baldacci’s first novels is called Total Control, and it is no exception to this rule.  One of the main characters receives a disk (this was 1997, so no USB), and she needs to read the information on it.  She doesn’t want to use her computer at home since she is fairly sure someone has put some kind of spyware / keylogger software on it (the author never used those terms - not even sure those terms existed then).  She was a lawyer working for a large law firm, so she naturally called up the law firm’s computer expert (Ubergeek). 

Believe me when I say that this guy was a bona fide Ubergeek!  He knew every answer to every question this lady could ask.  And when he plugged in the disk she was trying to access and found that it is was encrypted, this guys had the tools to launch a brute force attack on it as well as the experience to ask her a bunch of personal questions and try variations of that information as passwords.  The when he couldn’t break it, he figured the guy had used a randomized password with over 14 characters.  This guy rocked!  At least Baldacci was honest enough (or it just fit his plot line better) not to have this guy capable of anything, including breaking the encryption with his willpower alone.  Too many novels do that.

I love this Ubergeek character in novels for a few reasons:

1. It signifies how much technology is needed in today’s world when someone has to create such a character to give realism to a novel set in today’s times
2. The character usually shines in one of the chapters (in a scene such as mentioned above), so that gives a geek like me a convenient place to break down how thorough the author’s technical research was and how much (s)he actually understands it (Baldacci generally does a pretty good job)
3. I love to see general terms like "firewall" thrown about to impress the average reader
4. I love to laugh when the "expert" gets it wrong because it gives me a wonderful feeling of superiority

I do have a couple of problems with the Ubergeek in Total Control.  I questioned his expertise when I found out the guy used AOL.  No true geek would do that, even in 1997.  And he was using a phone line??  A true geek would have had ISDN at least!

Vet