An Information Security Place

Commentary on the State of Information Security

Archive for the 'Blogging Buddies' Category...

Filed under Blogging Buddies, Movies

OK, as much as it pains me, I have to respectfully disagree with The Shimel about his review on Iron Man.  First off, I really think you have to have some knowledge of the Iron Man comic story to truly appreciate this movie.  Clearly Alan does not have that history (and he is probably going to call me a dork or something since I do) when he makes statements like this:

I didn’t understand how he got the superpower, it was just a powered suit and how it worked was pretty silly.

HOLY CRAP!!!  That is near heresy in the Marvel Universe!  Tony Stark does not have powers other than he is extremely intelligent (I believe he developed some extrasensory powers one time, but I have not collected and read comics for a while).  That is what enabled him to make the suit and the piece of technology that powered the suit.

I have to say that while I do agree with Alan that the movie is predictable, I also must say that it is thus far the best big-screen representation of a Marvel Comics character.  It stayed very true to the original story, which is always very important to me.  In contrast, the Hulk movie was horrible and boring (have more hope for the next one), Daredevil was just pure idiocy (mostly because it has Ben A Fleck in it - though the playground fight scene was almost as bad as the ice skating scene in King Kong), the Spiderman series has always been underwhelming (they have screwed that story up so bad that Spidey might as well be shooting webs out his ass), The Fantastic Four movies were just…well, I wish they weren’t (especially since they royally hosed Silver Surfer’s story and character, which really pissed me off since he is my MOST favorite Marvel character of all time), and the X-Men movies, while pretty dang good, were still off on the story lines.

I guess what this all comes down to is three categories:

1. You have no preconceived notion of what the movie was about, so you can enjoy it or dislike it without baggage

2. You thought you had some idea what the history of the characters is, so when you see something other than what you expected you don’t like it (similar to Alan’s review in this case)

3. You are intimately familiar with the story line pre-movie and either love the movie for being accurate or hate it immensely because they screwed the story up completely.

Of course, then there’s the fourth group that would not go see the movie if they were strapped to a wild team of mad donkeys (my wife falls firmly into this category - love you baby).

So anyway, now that I have blown off some steam, I think the movie was good precisely because Tony Stark did NOT have superpowers.  He didn’t in the comic, and he didn’t in the movie.  Just a really smart dude who knows how to build really cool toys that just happen to blow up crap.  Kinda like Batman (yes, I know he is DC).

Man, I know way too much stuff about comics.  Oh, here’s a picture of me with The Hulk.  It’s remarkable how close our builds are, isn’t it?

[Image: the author with The Hulk]

And here’s what I looked like after I read Alan’s post on Iron Man:

[Image]

UPDATE:  I think I will use the Hulk picture in the same way I use my Orange Juice Award picture, except it will be reserved for when someone pisses me off…

Vet

Posted by Michael Farnum on Tuesday, May 6th, 2008

Filed under Accuvant, Blogging, Blogging Buddies, Friends, Security, Security Consultation

There’s a new security blog out there, and this one is another Accuvant employee (so you know it is going to be good). 

His name is Jim Broome, and his blog is called Jim’s Bloggyness.  Jim is an Assessments Team Lead at Accuvant, and he is one smart dude.  Here’s his profile:

Jim Broome, an information security industry veteran with over a decade of experience in the field, is a Principal Consultant with Accuvant’s assessment team and also acts as the technical lead for the assessment practice area.

Accuvant is a leading national security consulting organization that designs and executes strategies to address its clients’ complex information security challenges. Jim’s role is to provide world class security consulting services to Accuvant clients while still providing technical leadership to the assessment team as a whole.

Experience

As one of Accuvant’s more seasoned assessors, Mr. Broome has performed a number of consultative engagements including enterprise security strategy planning, risk assessments, threat analysis, application assessments, network assessments and penetration testing, and wireless security assessments for a large number of Fortune 500 clients. These clients represent a variety of markets including manufacturers, telecommunications (cellular and traditional), public utilities, healthcare, financial services, and state governments.

Prior to joining Accuvant, Jim was a Principal Security Consultant for Internet Security Systems and a member of the X-force penetration testing team. At ISS, he was responsible for providing technical leadership to the Western Region consulting practice while performing his day-to-day duties of performing network assessments and penetration testing. Prior to ISS, he was the Director of Network Operations for Cavion.com, a managed service provider exclusively for credit unions. At Cavion.com, Jim was responsible for managing the network operations staff and security organization while maintaining 99.999% uptime.

Notable Accomplishments

With a been-there-done-that attitude, Jim is a constantly sought after consultant, due to his extensive level of knowledge in most areas of security implementation and management from both a technical and managerial level. As one of the original authors of several training programs including Checkpoint Software’s CCSA/CCSE program, Jim is a well regarded security/technology instructor and mentor to many administrators and IT management organizations.

Since coming to the Accuvant organization, Jim has been responsible for establishing and standardizing many of the solutions and techniques employed by the Assessment practice. This provides our clients with a level of consistency that is unparalleled in the industry and establishes Accuvant as the premiere security services company.

Certifications and Training

Jim is a Certified Information Systems Security Professional (CISSP); Checkpoint Certified Security Engineer (CCSE); NetScreen Certified Security Associate (NCSA); ISS Certified Engineer

Professional Education

BS in Computer Information Systems from Trinity College and University

Welcome to the blogosphere Jim.

Vet

Posted by Michael Farnum on Saturday, October 20th, 2007

Filed under Blogging Buddies

Looks like my good friends over at StillSecure are doing a great job.  Read this review.  Awesome accolades go to Martin and Mitchell.

Vet

Posted by Michael Farnum on Monday, June 25th, 2007

Filed under Blogging Buddies, Security, Security Consultation, Security Products, Security Reselling

Product Hooker

OK, now that I am settled in my hotel room in Dallas, I have some time to respond to Alan’s post calling me a hooker (like I said to Alan, at least he called me high-priced).  I will also be responding to a comment left by a reader who goes by the name of Shaneo.  You can read that comment here.

The first thing that strikes me about Alan’s and Shaneo’s comments is that they seem to think that selling products is what makes a person bad.  Either that, or they think I was making that implication.  Alan says:

To me Michael sounds a bit like an expensive call girl talking down on a lowly street walker.  At the end of the day they are both working girls, who work hard for the money, but they are what they are.  As long as Michael is putting the food on the table by selling products to customers, whether they be from a line card that Accuvant offers or from a specific vendor, he is selling nevertheless.

Shaneo says it like this:

You make me laugh! A VAR is still always a VAR - a sales engine. If you were an independent consultant and didn’t sell any product, then I could support some of your statements.

…don’t put yourself so high and mighty above all the rest…When you’re a part of the food chain.

I seriously do not get why they think that because I sell products that I am a whore.  My point was never that selling a product was a bad thing.  In fact, my point in the original article wasn’t even to attack vendors, though I’ll admit I was harsh on the vendors (not apologizing, just admitting :) ).  My point was that I, as the trusted adviser to the client, need to make sure that their expectations are managed so that they can make the right decisions.  I made that point by saying that vendor marketing departments often try to make their products look like they can solve all ills and the client often buys what the marketing department says because they WANT to believe it. 

When Alan asked me in a comment what I would do if I worked for a vendor, I told him straight that I would have to look hard at the vendor before I made a decision “because of the situations I would be in that would require me to sell a product that was not a good fit”.  Do I think every vendor will try to sell something even if it is not a good fit?  No.  And I believe Alan when he says, “It is not some sort of pump and dump scheme over here.” But I also know that it is extremely hard for a salesperson (VAR or vendor) to turn down a sale, and it makes it doubly difficult when you are feeling pressure from above.  So the temptation is there to push the product whether it is a good fit or not.

Now where Accuvant comes into play is that we look at the product that the client is asking about, and since we are the trusted adviser in the situation, we have the leeway to tell them the truth.  If we don’t, then we can lose that status.  Not a good idea for a company that leads with services, not product.  And Alan, you asked, “if Accuvant did not have a product that was a good fit, would you send the customer to EnPointe, Cadre, Fishnet or another VAR?”  Actually, yes, I would.  And I can speak for most, if not all, of Accuvant when I say that they would as well.  That may be hard to believe, but I think you know me well enough to know that I ain’t jerking you around.  In fact, we have contracted with competitors before for stuff that we could not do because of lack of resources or whatever (and no, we did not make them wear Accuvant shirts and not tell anyone where they were from).  We have done that because we place our customers first.  If the competitor gets in and steals the business, then obviously we weren’t doing our job in the first place, and we deserve to lose the customer.

Alan also says:

Michael here is another example you cite.  The vendor who is upset with you for bringing in his competitor in a deal.  Of course he is.  You would be too.  In fact you are upset by it and you even say that your dander was up because the vendor admitted he wanted another reseller in there.  You wouldn’t mind the vendor suggesting another reseller? See the point.

Well Alan, I see the point you are TRYING to make, but you actually miss it.  Read my paragraph again:

 But what really got my dander up was that I knew that the guy had not brought me in to the client.  In fact, the client requested Accuvant (the client and I were old friends - we had worked at another reseller together).  And in the course of the conversation with me, the sales guy got so flustered that he actually admitted that he had suggested another reseller first (a big mistake on his part that essentially killed his argument, no matter what my argument had been).  This was just pure and simple dishonesty, and it irked me tremendously.

Go to the end.  I wasn’t upset because he suggested another reseller.  I was upset because the vendor was dishonest about saying that he had brought me to the deal when he had actually suggested another reseller first.  That is what makes me wary of vendors.  I have seen that kind of dishonesty time and time again, both from the reseller POV and the client POV.

Another Alan quote:

As long as you are getting paid to put products in at the customer, whether you make and sell them or just sell them, you still sell.  As long as you sell, you are as guilty or innocent, moral or immoral as anyone else in the food chain.

This goes back to my original question.  Why does selling make me guilty or innocent or immoral or moral?  That makes no sense.  It is not the act of selling that makes a person bad.  Guilt and immorality come into play when the sales person or the marketing department or whomever makes false statements to make a sale, and that applies to the VAR or the vendor.  And I know plenty of VARs who sell based on the best spiff that month.  But everything I have seen from Accuvant since before I worked here and after I have been here 9 months tells me that we don’t follow that kind of crap.  Have we had people collect on spiffs before?  Hell yes.  But it was not the driver behind the business.  And if you don’t believe we are on the up-and-up, just ask a customer (thanks again, LonerVamp).

Alan again:

First of all Michael assumes that only someone like a VAR would tell the customer that a case study or lab result are “done in pristine situations”. Why would a vendor be disqualified from saying that?

They’re not.  But do they?  It is not in their interest to do so.

Mr. Shimel again:

Then he talks about telling the customer the truth about how long it takes to install the product. Do you think a vendor is going to lie about this?  Especially if the vendor is selling install professional services along with the product.

Because it is often a bait-and-switch.  Alan, I have seen this so many times it is impossible to name them all.  In fact, one of your competitors in the NAC space does this very thing.  In all honesty, I don’t think the sales person is actually lying.  However, when he says the product installs in 30 minutes (OK, I exaggerated by saying 5 minutes), he is not telling the full truth.  Does the product physically install in place in that amount of time?  Yes.  They are specifically trying to counter Cisco NAC because they have seen the uber-pain people have gone through trying to implement CleanAccess.  But it takes time to determine the business behind the need for the product, create the policies to fit those needs, get the agent installed on all the workstations, etc.  And yes, a security manager or administrator worth his salt will know the intricacies involved and will know that is a shortsighted claim.  But the fact that he says it and uses it in every sales call creates the need for me to manage the customer’s expectations and let them know all of the other details of installing a product like this.

And if you don’t believe that this is a problem, let me tell you that I have had to convince customers numerous times that getting this product (and others whose salespeople make similar claims) installed is not just plugging in a couple of patch cables and letting rip.

Anyway, in the immortal words of Forrest Gump:

And that’s all I have to say about that.

I’m going to bed.

Vet

Posted by Michael Farnum on Wednesday, June 13th, 2007

Filed under Blogging, Blogging Buddies, Friends, Fun

Why do Alan and Mitchell call the Still Secure, After All These Years blog and podcast “SSATY” instead of “SSAATY”? 

Is there a conspiracy against the letter “A”? 

Do they not like the letter “A”?  I would think not since it starts Alan’s first name and also starts Mitchell’s last name. 

Does it help Alan cut costs to leave out the extra “A”?  Maybe so since he has recently announced a very successful quarter at his blog.

Did the blatant pursuit of fame and fortune drive the “A” away?

Did the “A” drive away in a cab after Alan pelted it with racist comments?

I should probably just ask Alan and Mitchell, but that would be too easy.

Vet

Posted by Michael Farnum on Wednesday, March 28th, 2007

Filed under Blogging Buddies, Catalyst, Friends, Security, Security Education

I just finished a post at my Computerworld blog about grassroots security. Basically, I am talking about securing the Internet by securing the typical user. So now, I am going to say much the same thing, but I am going to use a different metaphor. It is in the title, but I will draw it out a bit here.

Have you ever worked at an organization that takes safety seriously? Or have you ever been a firefighter? What is one of the things they teach you about putting out a fire? That’s right - you aim at the base of the fire. Spraying water at the tips of the flames don’t do jack!

So this is what the Security Catalysts group is all about. A part of that initiative (actually, a really BIG part) is teaching the regular user what is going on with security and how they can secure themselves and help secure the community. So, starting out this initiative is Michael Santarcangelo’s first production of a series of vidcasts called the Family Security Series.

This is a very important first step in a very important project. Please think about ways you can help this effort, even if it is a local and independent movement. But I would also ask you to consider joining the Security Catalyst forums so we can pool our efforts. And even think about applying to join the Trusted Security Catalysts as well. It doesn’t cost anything. All you need is a good security background and a passion for security.

We are trying to make a difference. Consider joining the team.

Vet

Posted by Michael Farnum on Monday, March 5th, 2007

Filed under Blogging, Blogging Buddies, Security

Well, my good friend and blogging compatriot Martin McKeay has finally made it to the big time by actually having a press release issued about his move to StillSecure. I can honestly say that I have never known someone personally that had his own press release. Wow. I can count the Great McKeay as a close friend! :)

In all seriousness, Martin deserves this. He is a very well known figure in the security world as a security guru, he is a great writer and security journalist, and he is an all around nice guy. I count myself lucky to have him as a friend, and this could not have happened to a better guy.

All that being said, what about the title of this post? Well, I think StillSecure also deserves congratulations. I have known Alan for about a year now, and I have known Mitchell for quite a few months. And I have to say that these guys deserve Martin just as much as Martin deserves this great move. Alan and Mitchell are great guys, no matter what everyone says about them (sorry, I can’t be nice to people without jabbing them a little - I’m sure it comes from my terrible childhood, which led to my total lack of self esteem and utter lack of respect for my fellow humans, but in retrospect helped develop my writing skills because that is all I had to do in that closet I was locked in for most of my teenage years, but I digress - **sniff**).

But seriously, Alan and Mitchell have done so much to move the security industry forward. Even if you don’t count their work at StillSecure, you still have two guys who are blogging and plugging away at trying to make the security industry a fun and exciting place to work. They deserve to have a great talent like Martin out there evangelizing.

So I say congrats are deserved all around. God bless and good luck to all of you.

Vet

Posted by Michael Farnum on Wednesday, February 28th, 2007

Filed under Blogging, Blogging Buddies, Friends, Fun, Security

[Updated post - I added quite a bit]

I am about to leave the RSA conference. I am a little disappointed that I was not here all week. The last two years I arrived Monday and left Friday and got to go to all the sessions I could make it to. But that was when I was an Information Security Manager for a non-profit psychiatric clinic. They were used to sending doctors and their execs to conferences, so it wasn’t a foreign concept to them. Now that I am a presales SE for a security consulting firm, I have to make sure I am available for meetings and such as much as possible.

I really am grateful that I am here at all this year. I really came in just for the security blogger gathering, and I wouldn’t be here at all if it wasn’t for that. Of course, I did meet with a potential client while I was here, so I feel much more justified.

Speaking of the blogger gathering, I have to agree with Martin that it was a great event. I loved meeting everyone that I have been IM’ing and emailing and podcasting with for a year now (BTW, my blog is almost 1 year old - Feb 24, 2006 was my first post). My favorite part had to be the big bear hugs I got from Alan Shimel and Mitchell Ashley at StillSecure (the most exciting event of the evening was the cab ride from the Thai restaurant to my hotel, but I will give Alan a chance to blog about that first). Those two guys crack me up, and they are really cool guys.

I also finally got to meet the great Mike Rothman. I like that guy a lot.

I also got a thrill when I met people that said they read my blogs. I agree with Alan when he comments on how flattering it is to have someone say they read and actually value what I write.

I also enjoyed meeting Cutaway from Security Ripcord. That guy is as down-to-earth as you get. Just a good guy who doesn’t put on any airs. He’s a Marine (some would say former Marine, but once a Marine always a Marine). I was in the Army, so we inevitably end up talking military stuff. If you add Martin to the mix (ex-Army), it really gets deep.

One other person I really enjoyed meeting was Washingtonpost.com’s own Brian Krebs, who writes the Security Fix blog. Brian is a celebrity in the security world because he writes for such a distinguished publication. But he is also respected by security professionals because he writes some good stuff and knows what he is talking about. And he was a nice guy, and he was also humble. I had to thank him personally for the great job he did of exposing the scandal with the Connecticut substitute teacher that was convicted for exposing her students to pornography (here and here).

Some other big names that were there:

Bruce Schneier - It was pretty cool to actually get to introduce myself to him. I’ve met him, but only quickly at shows and at a book signing. This was more personal.

Richard Stiennon - VERY nice guy. And all we bloggers thank him and Fortinet for sponsoring the event (we thank Microsoft as well).

Rich Mogull - Gartner man himself. Another down-to-earth and very likeable guy. And he is a second dan in taekwondo.

Ron Gula - It was a pleasure to meet Ron as well. Another good guy who could easily be arrogant but was not.

There are others, and I don’t mean to leave anyone out. I just can’t remember everyone. Suffice it to say that this was a group of people who were just excited to meet a bunch of peers and talk about security (though I don’t think we talked about security as much as we just BS’ed and had a good time networking).

Vet

Posted by Michael Farnum on Thursday, February 8th, 2007

Filed under Blogging Buddies, Friends, Security

It is rare these days to meet a person with true vision. I mean a person who can just look at a topic and instinctively know what it would take to succeed in that arena. It is even more rare to find a person that is also passionate about the topic to which they are applying their vision. And the rarest find is a person who has all of the above AND the nerve and the fortitude to actually try to do something with that vision and passion, all the while inspiring others to join up and do the same.

Well, my faithful readers, I have found one of these rare people. Many of you know Michael J. Santarcangelo, II. Known affectionately as Santa to some (play on the name for you thinking he’s fat and jolly and has a white beard and rosy cheeks and… you get the idea), Michael is founder of The Security Catalyst blog and podcast. Instead of writing a bunch of stuff about him, here’s his bio from the above site:

One of the top rated and most requested speakers on security issues and certification training, Michael is a coach, consultant, professional speaker, and leader active in reshaping the future of information security. His rare approach of blending multiple disciplines together allows him to connect with audiences around the world as he invites people to think differently. He brings this passion and energy to podcasting as the Security Catalyst and works to explain and demystify security so everyone is able to protect themselves.

Michael is the catalyst behind Security 2.0. In addition, he is the founder of the Catalyst Community, The Trusted Catalysts, Security School House (announced September 2006) and was the founding President of the Tech Valley (New York) ISSA Chapter. Michael holds a Bachelor of Science Degree in Policy Analysis from Cornell University.

Now, before you people start wondering if I have some unnatural attraction to Michael, let me state that I am writing this (and will be writing more) because I believe Michael knows the sad state security is in nowadays and really wants, even needs, to do something about it. How do I know? I’ll tell you how!

Michael has brought together a group of security professionals (including yours truly) to form a group called The Trusted Catalysts and the Catalyst Community. In joining The Trusted Catalysts, I have conversed with Michael via email and chat, and I thought he had a good vision. But then I actually got to talk to Michael on the phone yesterday, and it truly struck home just what Michael is all about. The guy had so much to talk about he seemed about to burst at the seams (I don’t mean that in a bad way - I asked him to explain what all he had in mind for the Catalysts, and I got it). He is a wealth of information and experience, and he wants to give that away. He’s not a selfish person who wants to be the one guy who knows it all and people have to come to. He wants to genuinely help the security community. I guess I stand corrected. That is the rarest kind of person.

I am saying all this because I want to give you a heads up if you don’t know about Michael and the Catalyst Community. You need to watch the Catalyst Community over the next year and the years to come. I think this community will grow, and I think it will become a tremendous force in the security industry within a few years. And with Michael’s vision and inspiration, it will be a truly positive force, unlike what one security focused organization has become - I won’t name names, but it starts with “(” and ends with “2”.

Thanks to Michael for his passion, vision, energy, candor, and unselfishness. I hope I didn’t embarrass you too much. And I like the hair (or lack thereof).

Vet

Posted by Michael Farnum on Friday, January 12th, 2007

Filed under Blogging Buddies, Friends, Fun, Me, Security, podcasting

Alan and Mitchell at the StillSecure After All These Years podcast interviewed me last week for their podcast. It is up here at Alan’s site and here at Mitchell’s site.  I gave an update on my move to the channel, about honesty in selling security, the converging of the security professional and the general IT professional article I wrote at CW, and some other stuff.  It was fun.
Thanks to Alan and Mitchell for having me on again. I really enjoy talking about myself, as anyone can plainly see, and Alan and Mitchell actually seem to genuinely be interested in the people they interview. They are two great guys that I hope to meet soon at the RSA Conference security blogger gathering (not sure if Mitchell is going to be there, but I know Alan is going to show).

Thanks for the kind words, guys. You are two class acts.

And Alan, notice that I did not alter the picture in any way!  Or did I?
Vet

Posted by Michael Farnum on Tuesday, December 19th, 2006

Filed under Blogging, Blogging Buddies, Ethics

Mitchell Ashley wrote a piece on conflict of interest yesterday. It was specifically concerning analysts because of the firestorm of posts about some analysts recently jumping ship and going to manufacturers.

Mitchell’s post got me to thinking about some things specific to me (because I am my number one fan, and because the analyst soap opera just doesn’t interest me too much). What I mean is my recent job change and how it affected my blogging.

If anyone is new and doesn’t know to what I am referring, you can read about it here. But in short, I recently moved from the security management world to the consulting / reseller world. This was quite a change, and I learned soon after the change that I would have to steer clear of some subjects on my CW blog because of, you guessed it, possible conflicts of interest. What I mean is, if Accuvant (my employer) partners with a certain vendor, then it would be a conflict of interest if I wrote something negative about a competitor of that vendor. So CW said, basically, no posting about specific vendors at all.

Initially, I bristled at these restrictions and considered dropping away from Computerworld. It bothered me because I felt like I was being told that I could not speak my mind (similar to what Mike Rothman went through recently at Network World - I am not apple-to-apple comparing what Mike went through to what I was looking at, since Mike was speaking his mind on his own blog, and Network World let him go for it, which is bogus). Basically, did I want some organization telling me what I could and could not say?

Then, I got to thinking about the issue a little more closely, and I realized a few things. One, this is their sandbox (I got that analogy from Rothman), so I had to play by their rules. Second, they are a business that has to protect their objectivity (though some people will argue whether any of these technology media outlets are objective). Third, and this mattered the most to me, I could still post my personal views on my personal blog. I know this didn’t protect Mike, but so far I have had no issues with my editors at CW, and I think that will stick.

So the conflict of interest issue was settled in my mind because I still have a free voice at my personal blog. If CW was to ever let me go for something I posted there or on my personal blog, then c’est la vie. I can go on.

Vet

Posted by Michael Farnum on Thursday, November 30th, 2006

Filed under Blogging, Blogging Buddies

If you don’t follow my ComputerWorld blog, well…. you should! Presently I am a once-a-week blogger over there (though I don’t always get to it that often), but I will soon be a regular three-posts-a-week blogger. They have lost a couple of bloggers due to burn out, so the editor over there offered me a spot.

The bloggers they lost were writing a post a day, so I hope the three posts a week won’t be so hard and I can last a while. Anyway, I am excited about it.

Thanks to all of you who read my stuff and actually think I have something constructive to say.

BTW, here’s the PhotoShop job Alan Shimel did on me while disagreeing with my online shopping post at CW.

Thanks Alan for letting me have the picture. That made my day, even if you were tearing me apart!

Vet

Posted by Michael Farnum on Wednesday, November 29th, 2006

Filed under Blogging, Blogging Buddies, Government, Rant, Security

 

Before you read this post, go take a look at my “Rules” for my blog.

 

OK, now that you are back, let me piss off some people.  During this election season, I have to say that most of the security bloggers out there stayed out of the fray by sticking to what their blogs are about, namely: security.  And my blog rules state that I will do the same.  Basically, if you want to discuss a law or other political issue that pertains to security, then fine.  I will do the same.  Martin McKeay and I have had our friendly blog disagreements concerning phone tapping, phone tracing, tracking terrorists, and privacy stuff.  Alan Shimel and I have done the same to a degree.  All that is fine because that kind of stuff is relevant to security.  You can make judgements and assumptions as to our political leanings based on what we have posted (and maybe the region of the country we each live in), but that is no guarantee as to where we stand because we have made no definitive statements on the subject (I haven’t read all of Martin’s or Alan’s stuff, but I haven’t seen it in any of the stuff I have read).

I say this because I read a couple of posts from security bloggers during this last election season that, in my opinion, are just a little off.  One post was by the Great One, Mr. Schneier himself.  He says he is glad to see the Republicans get some of the brunt of the electronic polling problems.  He backs off of that kinda quickly, but it shows his bias clearly.  Another is by a blogging buddy of mine, Christian Koch (might not be a buddy after I write this, but I hope all is still well).  In his post, he doesn’t even try to hide his feelings at all (not saying that he should have to, but you will see where I am going with it below).

First of all, I want to say that I respect everyone’s views, even if I don’t agree with them or understand them.

Second, if you have a blog, then it’s your fingers doing the typing, so you have full freedom to write about anything you want.  I get that, and I would never say you can’t. 

However, don’t we, as security bloggers, owe it to our readers to stay a level above all this mud slinging and give content that is relevant to security?  It seems a tad bit like false advertising if you have a blog that is advertised as a security blog and you use it to blast a politician or a political party because you don’t like their politics.

And another reason not to show which side you are on is because it tends to taint your readers’ opinions of you from then on.  If you try to come at an argument with logical, non-biased opinions, your debate will still be tainted by your blatantly stated political beliefs.  That is no better in my mind than if you stated that you liked TippingPoint IPS better than anyone else’s, then tried to go into a debate about IPS products and tried to stay neutral.  There is nothing wrong with stating your opinion on the matter because you are free to say what you want.  But your opinion will be tainted from then on.  And you would never again be able to be neutral on the debate (at least, not for a long time) because you can’t switch to neutral once you have got in gear.

Anyway, my two cents’ worth.  You may think I am just frustrated because I did not like the outcome of the election.  But you really can’t make that statement, because I have never said which side I am on, regardless how many clues you think I have given.  So there!

And Christian, just to hopefully ease hurt feelings, I thought the cartoon in your post was pretty funny.

Vet

Posted by Michael Farnum on Monday, November 13th, 2006

Filed under Blogging Buddies, Business of Security, Friends, Security, Security Education, Security Management, podcasting

I forgot to mention that I was a guest panelist on Alan Shimel’s SSAATY podcast last night.  This was a great panel.  I had a great time, and I think we really hit some key points and offered some solutions to security admins and managers out there that need some help selling security to execs.

The panel consisted of yours truly along with Martin McKeay (Network Security Blog, ComputerWorld), Bobby Dominguez (Sykes) and Mike Rothman (SecurityIncite, NetworkWorld).  It was hosted by Alan and Mitchell, two of the best podcast hosts I know, and though I have never met either face to face, I know they are both good guys.

One person that was scheduled but ran into some emergency security management duties was Michael from mcwresearch.com.  I understand why he couldn’t be there, but I really missed his insight.  I would have loved to hear some of his horror stories.

BTW, I was VERY impressed by Bobby Dominguez.  I have never talked to Bobby, but I figured out very quickly that he has a vast amount of experience, expertise, and just plain ol’ smarts.  You REALLY need to listen to this guy.  Hopefully he will start a blog soon himself.  He has a lot to offer the community.

Martin is always good to have on a discussion like this because he has a lot of experience in this area.  He never ceases to impress.

And Mike Rothman, well…, he’s Mike.  What else need be said?  And we actually agreed on something in the podcast, if you can believe it!  Actually, Mike and I agree on a lot of things.  We just like to disagree to make it exciting.

And of course, there’s me.  ‘Nuff said! :)

Anyway, the podcast should be up soon.  Go look for it in the next few days at Alan’s blog.

Vet

Posted by Michael Farnum on Wednesday, September 20th, 2006

Filed under Blogging Buddies, podcasting

You probably don’t need me to post this since you probably read Martin’s blog if you read mine, but he landed an interview with Bruce Schneier and got it posted yesterday.

Well, to make it even better, Bruce posted the link on his blog today. Martin is seeing some increasing traffic now for the podcast, and he is as giddy as a schoolgirl.

Way to go Martin!

Vet

Posted by Michael Farnum on Thursday, August 17th, 2006

Filed under Blogging, Blogging Buddies

As I mentioned in my last post, I had the honor to virtually meet Mitchell Ashley, CTO of StillSecure, while recording Alan Shimel’s podcast last night.  Alan kiddingly calls Mitchell “Ed McMahon” because he is regularly joining Alan on his podcasts.

Mitchell has recently been inspired to start his own blog.  I started reading it when I saw the announcement at Alan’s blog, and I am impressed.  Mitchell obviously knows the business and is a smart guy, so I think you would do well in reading his stuff.  I know he will be successful in his endeavours (because I link to his blog, of course).

Vet

Posted by Michael Farnum on Wednesday, August 9th, 2006