An Information Security Place

Commentary on the State of Information Security

Archive for October, 2008...

Filed under Podcasts, Security

Link to MP3

Show Notes:

Kirk Greene, a coworker of Jim and me, joins us today, and general hilarity ensues. Thanks for being brave enough to come on the show Kirk!

Segment 1: InfoSec News Update

Segment 2:

  • Geek Toys - 8 Gig laptops and how Apple sucks (Jim said it!) - and Kirk reminds Jim that this is an Infosec podcast AGAIN.
  • Consultants Corner - Kirk opens up the PA DSS discussion, and we talk about some possible ramifications to the POS (“point of sale” for clarification) industry
  • We say goodbye, but not before we turn this whole podcast into a political debate (not really) since the next podcast will be AFTER the election (the most important one in history according to everyone that said that about the last election)

Music Notes:

  • Intro/Outro - Digital Breaks - “Therapy”
  • Segue 1 - Jimmie Bratcher - “Bad Religion”
  • Segue 2 - Kickstart - “Theme Song”
Posted by Michael Farnum on Friday, October 31st, 2008

Filed under Security

First off, let me say that I do not like political posts on security blogs.  I cannot tell people what not to post on their own blogs.  It is their business.  But I don’t have to like it, and I will say so. 

Having said that, this is a political post - though not in the sense that I am endorsing or criticizing any candidate.  It is about a political issue that really struck a nerve with me today, and I really can’t keep these thoughts to myself.  I am probably opening myself up to a flame war, and oh well if it happens.  So here goes.

Now, I have to state for the record that I disagree with hate crime laws for the most part because they politicize a lot of actions that are already a crime in the first place.  I just don’t think we need those laws because all it does is cause racial strife when the person simply needs to be punished for the crime.  I say all of that because of the story going around about the effigy of Sarah Palin being hanged in a Halloween display in West Hollywood, California (CA is not exactly a red state, so I guess it is not a big surprise - BTW, John McCain was also being burned in the display).  When I saw that this Halloween display did not meet the criteria of a hate crime, I had to start wondering what that definition is and what would have happened if that had been Barack Obama in that display. 

Granted, that is not a hugely original thought.  Every other comment on that story asked the same question (and a lot of freaks got out of control over it in their comments).  But seriously, if Barack Obama was being hanged in effigy, I seriously doubt the cops would not be saying that it "doesn’t rise to the level of hate crime".

There would be outrage by everyone, including ME, because it would be overtly racist and motivated by hate.  But is hate inherently limited by the race of the individual it is propagated against?  For that matter, is hate drawn around racial lines only, and not by other factors?  Can’t hate be motivated by political differences, as this display is?  Can’t hate be motivated by a person who doesn’t like the color green and attacks his neighbor because he painted his house that color?  Do you see where I am going with this?

If we are going to define a crime along the lines of emotion and intent, then we HAVE to do so equally across the board, and that is where these types of laws fail.  They are defined by politics, and this country needs to get off its PC ass and start doing things from a more practical perspective.  I understand the issues around race and the problems we have had in this country.  I wasn’t around during the race riots, but I was raised in a small Southern town that still had scars from those days when I was growing up.  The racial lines are still very evident there.  But if we are going to keep bringing up this issue in this country and then ignore the fact that hate and racism (not synonymous terms) can happen in both directions, then we are never going to progress beyond seeing people as colors first.

I have a dream that my four little children will one day live in a nation where they will not be judged by the color of their skin, but by the content of their character.

Martin Luther King Jr.

Vet

Posted by Michael Farnum on Wednesday, October 29th, 2008

Filed under Security

I have some friends that have a start-up security product company looking for some developers to help out.  They are looking for anyone willing to come in and have some fun developing brand new products from the ground up with a company that has some new patents in the data protection area of security (the crown jewels, right?).   Looks like their funding is solid, even in this economy.

  • They need some people who know encryption very well and have some experience and ideas in the key management space.
  • They are also looking at some contract work for some people who know the Windows architecture VERY well.

If you fit these areas and are interested, or if you know of someone, contact me through my Contact Me Page.  I’ll get you in contact with the right people.

FYI: the company is based in Houston, TX.  They are willing to work with people elsewhere in the country, but I think this is going to be limited to US residents.

Vet

Posted by Michael Farnum on Monday, October 27th, 2008

Filed under Security

One of the reasons we don’t sell Cisco.

Vet

Posted by Michael Farnum on Wednesday, October 22nd, 2008

Filed under Security

Here’s a great blog post about forcing HTTPS with NoScript from Ty at nCircle.  My favorite little plugin just got more favory… or something…

And thanks to Security4All for retweeting it.  Didn’t know Ty was tweeting.  Now following someone new.

Vet

Posted by Michael Farnum on Monday, October 20th, 2008

Filed under Podcasts, Security

Hey everybody.  Here’s podcast episode 7.  There’s some great stuff in here, and some great interviews.  Enjoy!

BTW, iTunes is downloading episode 6 for episode 7 for some friggin’ reason.  I will look into it, but I have to finish a proposal tonight.  Sheesh.

Link to MP3

Show notes:

Segment 1 - InfoSec News Update

Interview Segment:

Geek Toys: Jasager on the FON Router - Watch Episodes 403 and 405 of Hak5 or hop over to DigiNinja’s Jasager page

Consultants Corner: Discussion on doing some due diligence on checking vendor claims. Open discussion on the recent Evil Bits Darkreading blog post

Music Notes:

  • Intro/Outro - Digital Breaks - “Therapy”
  • Segue 1 - Jimmie Bratcher - “Bad Religion”
  • Segue 2 - The Erotics - “Walk All Over You”
  • Segue 3 - Megaphone - “Not Your Enemy”
  • Segue 4 - Kickstart - “Theme Song”

Vet

Posted by Michael Farnum on Wednesday, October 15th, 2008

Filed under Cool

This is pretty damn sweet.

Pull Down Gun

Vet

Posted by Michael Farnum on Monday, October 13th, 2008

Filed under Due Diligence, Personal Development, Security

I am currently reading Michael Santarcangelo’s book Into the Breach (sorry it is taking so long Michael, just busy - I have 2 others I am supposed to be reading and reviewing as well).  This is not a review of that book (that is coming later).  I want to make some comments on a particular point he made in chapter 5, entitled "The Strategy to Protect Information".

In that chapter, Michael talks about how many people are shocked to learn where information is stored in their organization when the information discovery process is undertaken.  He states that people are so used to just copying the information wherever they need to get their job done that they didn’t even know that the data was stored in a central location.  This is very true, but this is not the point that I want to discuss.  The point I want to discuss is observation.

Michael has made an observation here.  He has studied people’s reaction to this step, and he has put it down on paper.  It may seem like a little trivial piece of information that will make you laugh when you tell your buddies over a beer - "That guy in payroll was clueless!  He copied the executive payroll data into a spreadsheet about 3 years ago onto his laptop and was paying them from the data stored there!  He was doing a lot of that work from home!  He didn’t even know that the new payroll system had been put in place a year ago!"  But in reality, that observation has huge ramifications.  That person COULD have been doing their job much more efficiently and SAFELY for the last 3 years.  The risk of him putting executive payroll data in a spreadsheet on his laptop and taking it home was huge.  But for some reason, he did not know that the new payroll system had been implemented.

But again, the point of this post is not that the payroll data was at risk.  The point is that I have seen that same reaction time and time again over the last 14 years I have been in IT.  There have been numerous times when I pointed out to a user that they were using data from the wrong source.  Maybe they had thrown together a quick Access database on their PC after they took a local community college course.  That has happened so many times.  But I typically just pointed them in the right direction (or was advised to let them keep doing what they were doing because they got their job done).  It took me so long to actually see the ramifications behind that issue happening again and again over the years.  If I had just stopped and thought about things earlier in my career in IT, I would have been able to see the forest a lot more clearly.  I would have been able to handle situations like that more efficiently and more wisely at a much earlier point in my 14 years (maybe I could have written a book about it 10 years ago :) ).

So my basic point is this.  Use your observation skills.  Stop and think.  Don’t get so caught up in your day-to-day job that you don’t stop to observe and discern.  It can seriously impact the way you do your job, and usually in positive ways.  If you don’t pause to make sense of what is going on around you, you get swept up in doing everything in a less efficient way.  If you can’t see the underlying cause of problems, then you keep treating the problem as individual little slices of time instead of a systemic problem that could be causing larger concerns in your organization and in your industry as a whole.

Vet

Posted by Michael Farnum on Thursday, October 9th, 2008

Filed under Security

Some readers / listeners had sent some comments / complaints / gripes that the feed for the podcast was only showing up to episode 4.  I tried a few things that didn’t work (pinging the feed from Feedburner, resynching, etc), so I deleted the feed and created a new one.  That STILL did not work, and that pissed me off. 

So I tried one more thing.  Basically, I created the first 4 posts by typing them all the way out in the WordPress interface.  I use a podcasting plugin that creates an enclosure for each podcast in the post.  Then I thought I was getting smart by simply copying and pasting the HTML from the old posts to make the new posts since there is really very little that changes from post to post (just the name of the podcast file, which is just an incrementing number).  I guess that caused something to break in the feed.  I had to go back and delete the posts for episodes 5 and 6, then recreate them using the old method.  Now the feed is current.  I hope it stays that way.  You may need to re-subscribe to the feed, but the URL is the same as it was, so you might be OK.

BTW, I am using a beta version of the podcasting plugin.  Let me know if you see any weirdness.

And once again, thanks for listening!!

Vet

Posted by Michael Farnum on Tuesday, October 7th, 2008

Filed under Application Security, Fun, Internet, OWASP, Security, web hacking

This post has no technical value.  Just experimenting with how much traffic I can get by putting the term “clickjacking” in a post. :)

But seriously, if you want to know anything about it, go listen to Martin’s podcast interview with Jeremiah and Rsnake.  You can also go over to Computerworld and take a look at the Q&A.

So…

clickjacking…

clickjacking…

clickjacking…

Rsnake

Robert Hansen

Jeremiah Grossman

Whitehat Security

SecTheory LLC

OWASP

Vet

Posted by Michael Farnum on Monday, October 6th, 2008

Filed under Security, Security Products, Security Reselling

To everyone reading this, take it from me that Palo Alto Networks has some excellent stuff.  I have seen this put into production networks and watched it give tremendous insight into what is getting in and out.  I wish this box had been around when I was an Information Security Manager and Network / Security Engineer.  It would have made my life a lot easier because I would have been able to block traffic according to layer 7, not just the traditional port / IP combination like in typical firewalls.  Please read below for a tease of what you will see if you are in the Houston area and come see the seminar.

====================================================

The network security space is in desperate need of innovation!  It’s no secret that the Internet generates the majority of traffic on today’s corporate networks.  The question is, how can you know exactly what that traffic is, and control it in a way that’s best for your business?

Comprehensive Internet visibility and control is now essential – not just of network ports, but of the actual applications, users, and content flowing through the firewall. Unfortunately, traditional firewalls are missing three key ingredients that prevent them from delivering the Internet security and protection your organization requires.

Please join us for a 90-minute seminar that puts a spotlight on what’s really happening in today’s enterprise networks, and provides strategic guidance on how to regain the visibility and control you need.

SEMINAR HIGHLIGHTS

  • New research on the top high-risk applications running on more than 50 enterprise networks today
  • Insights into a new generation of evasive applications and related threats capable of bypassing your firewall controls
  • A look at three new network security requirements – missing from traditional firewalls – that will restore IT’s ability to manage these and other Internet risks

In addition, you’ll hear from a CISO of a leading Midwest bank, who has experienced the pain that comes with the inability to control Internet traffic, but is now enjoying unprecedented network visibility and control.

LOCATION

Date: Wednesday, October 22nd, 2008

Time: 11:30 am to 1:00 pm (registration begins at 11:15 and lunch served)

Place:

Sullivan’s of Houston
4608 Westheimer
Houston, TX 77027  (MAP & DIRECTIONS)
Phone: (713) 961-0333
To reserve your place at this luncheon, please click HERE.

Vet

Posted by Michael Farnum on Wednesday, October 1st, 2008