Top 10 Most Overhyped Technology Terms

We have entered a new era of information technology, an era where the clouds are moist, the data is obese and incontinent, and the threats are advanced, persistent, and the biggest ever. Of course with all the paradigm-shifting, next generation, FUD vs. ROI marketing, it's important to remember that sometimes we need to balance innovation against misunderstood expectations, vendor double-speak, and relentless enterprise sales guys.

Because contrary to the barrage of marketing, these technologies won't make you rich, teach you how to invest in real estate, help you lose weight or grow a full head of hair; they won't make you attractive to the opposite sex, nor will they solve all your problems. In some cases they can improve the efficiency and effectiveness of your operating environment, but that requires proper planning, expectation setting and careful deployment…and on that note, I give you the top 10 most overhyped technology terms of the last decade.


Why I Suck at Blogging…and Twitter

So recently I posted some thoughts on big data and the increasing usage of Hadoop, the general theme was data management != data analysis…this caused confusion with some folks, as evidenced by the twitter exchange (tweets haven’t been altered but some extraneous ‘noise’ removed to maximize your reading pleasure)

@Beaker @amrittsering I’m confused by your last blog. Is your point that people are spending $$$ on data aggregation hoping it leads to analytics?

@Beaker @amrittsering I read/re-read your posts & it’s almost like u r suggesting majority of co’s deploying Hadoop (e.g) are clueless WRT why?

Big Data; Are You Creating a Garbage Dump or Mountains of Gold

You’re not really sure how it happened, but some time between last year and the summer of 2011 you were suddenly facing a big data problem, or you were being told you were facing a big data problem, or more accurately you were being told that you needed a big data solution.

Funny thing was that you hadn’t really done anything drastic over the last couple of years that would seem to indicate a tsunami of data was about to breach your storage floodgates, but then again it wasn’t like you watched yourself going bald either.


The Good, Bad, and Ugly of Technology Acquisitions

It is the foundation of the free market system and capitalism and it is every entrepreneur's dream; build a great technology, execute and achieve excellence in GTM, deliver fantastic value to customers and take great pride in watching your passion grow – fast.

Then it happens; the exit, the liquidation event, the ‘golden ticket’ and in a blip of your time on this tiny little rock your life changes.

Last year, after spending almost four years as the CTO of BigFix, we were acquired by IT industry behemoth IBM (IBM to acquire BigFix) for what was the largest acquisition of a private software company in 2010 (second was CA’s acquisition of Nimsoft at around $380m) and my life changed…


Rolling Stone “The Biggest Cyber Crime in History – Sex, Drugs, and Hackers Gone Wild”

I wouldn’t normally read Rolling Stone, but strolling through the airport I noticed “The Biggest Cyber Crime in History – Sex, Drugs & Hackers Gone Wild” on the cover and, like passing a train wreck you can’t help but stare at, I had to buy a copy; that and it appears that Russell Brand’s armpit was positioned ever so strategically against the reference as well – very apropos I might add.


Poor Design? Blame the User!

As I was traveling through Canada last week I was struck by an article in the Globe and Mail – “Track designers defend Whistler course” – in which the designers of the Whistler Sliding Centre suggest that the unfortunate accident that resulted in the death of Georgian athlete Nodar Kumaritashvili was caused by human error and not by any negligence of the track designers themselves (here) and (here).

The Broken Windows Economics of IT Security

To economists, the term “Broken Windows” refers to the question that if a shopkeeper pays a glazier to repair a broken window at his store, does this deliver an economic benefit to society? Many people would say yes, because it generates demand for glass and work for the glazier.

Have you ever been witness to the fury of that solid citizen, James Goodfellow, when his incorrigible son has happened to break a pane of glass? If you have been present at this spectacle, certainly you must also have observed that the onlookers, even if there are as many as thirty of them, seem with one accord to offer the unfortunate owner the selfsame consolation: “It’s an ill wind that blows nobody some good. Such accidents keep industry going. Everybody has to make a living. What would become of the glaziers if no one ever broke a window?”

Excerpt from the 1850 essay “That Which is Seen and That Which is Unseen” by Frédéric Bastiat.

Top 10 Reasons Your Security Program Sucks and Why You Can’t Do Anything About It

In the security industry we like to fool ourselves into thinking that we can materially impact an organization’s security posture. We believe that new tools, a new framework, a new regulation, a new school of thought will lift the veil of organizational ignorance and enable us to attain the state of enlightened security practitioner.

But as we trudge through the mud and haste of our increasingly digital lives we embrace the continuity of failure that is security, only we have more of it…more threats, more tools to deal with the threats, more people to deal with the tools, more process to deal with the people, more adoption of technology leading to more threats, which of course leads to more of the same – more fail.

Maybe it is time to stop fooling ourselves and recognize that to move forward we have to know our limitations and start to question the status quo that so many others rely on for their livelihood.

So as you stare out the window, morning cup of coffee in hand, a tear rolling listlessly down toward your chin, and as you’re sitting there pondering what went so terribly wrong, take a moment to reflect on the top 10 reasons your security program sucks and why, no matter how much you kick and scream, it will continue to suck…


Desktop Virtualization Overview; The Good, The Bad, and The Reality – VDI is DOA!


To address the increasing cost and complexity of managing dynamic IT environments, organizations are trying to understand how to adopt virtualization technologies. The value proposition and “killer app” are quite clear in the data center; far less attention has been given to the opportunities for endpoint virtualization. There are multiple methods to address client-side virtualization: hosted virtual desktops (HVD), bare-metal hypervisors, local and streaming virtual workspaces, and a range of options that layer on top of and between them all, such as application virtualization, portable personalities, and virtual composite desktops. Yet there is still a tremendous amount of confusion, and even more misconceptions, about the benefits of client-side virtualization than there ever was with server virtualization. The major architectural flaw in almost all of these solutions is that they remain very back-end and infrastructure heavy, which undercuts the promised cost reduction and lower complexity.

Unlike server virtualization, which drove adoption from the bottom up, that is from the hypervisor and then up through the other layers of the stack, adoption of endpoint virtualization technologies is moving top down, starting with single applications within an existing OS. Application virtualization adoption will accelerate over the next 12-18 months, with Gartner life cycle management analysts suggesting that it will be included in the majority of PC life cycle RFPs in 2010 and beyond. Workspace/desktop virtualization will follow over the next 24-36 months, as will the endpoint virtualization infrastructures. The adoption of both workspace/desktop and endpoint virtualization infrastructure will align with organizations’ desktop refresh cycles. Considering the average is between 3-5 years, and considering that many are looking at a desktop refresh to support Vista (although it probably only has about 10% market adoption) and Windows 7, it is conceivable that we will begin seeing accelerated adoption of desktop and infrastructure virtualization over the next 24-36 months as organizations rethink their current systems management processes and technologies.

Let’s look at the 4 client/desktop virtualization models I believe will become the most prevalent over the next 3-5 years…

DMCA Anniversary – 10 years of FAIL!

Today is the 10th anniversary of the Digital Millennium Copyright Act (here), which was signed into law by President Bill Clinton on October 28th, 1998. The act essentially criminalizes the production and dissemination of technology, devices, or services intended to circumvent measures (such as DRM) that control access to copyrighted works, and it also criminalizes the act of circumventing an access control whether or not there is any actual infringement of the copyright itself; it essentially makes DRM hacking, among other things, a crime.

The EFF (Electronic Frontier Foundation) noted (here)…

“Over the last ten years, the DMCA has done far more harm to fair use, free speech, scientific research, and competition than it has to digital piracy. Measured from the perspective of the public, it’s been a decade of costs, with no benefits,” said EFF Senior Intellectual Property Attorney Fred von Lohmann. “The music industry has given up on DRM, and Hollywood now relies on DRM principally to stop innovation that it doesn’t like. It’s time for Congress to consider giving up on this failed experiment to back up DRM systems with misguided laws.”

Trying to address the problem through technology is also a losing battle. Sony tried to prevent digital copying of CDs with its Key2Audio technology (here). They spent millions and it was defeated with a $1.35 Sharpie marker. Their attempt to install a rootkit was even less successful (here) and the backlash was deafening. Students at Georgia Tech are working on a technology to block the functioning of video cameras in movie theaters (here), and Paris-based Thomson is working on a technology that inserts “artifacts” into the frame that are picked up by camcorders (here); essentially the movie could be covered with watermarks such as “you are viewing a pirated film”.

Unfortunately, those who want to pirate are clever and will find ways to bypass all these laws and mechanisms. Millions, perhaps billions, will be spent trying to stop copyright infringement. Piracy will continue, virtually unimpeded, and there is very little the media industry or the government can do about it.

Well, except one thing. That is to lower the demand for pirated media. Bollywood does this by releasing DVDs at the same time movies are released in the theater. Wouldn’t this lower theater profits, you ask? The same thing was said about VHS and video rental stores, but sometimes you really want to see a movie in the theater – anyone stand in line for Batman, Indiana Jones, or Star Wars Episode III, even though all of these movies were available on torrent sites prior to release?

Hollywood seems to have a lack of understanding of the appetite of the consumer. If they want to be successful at limiting piracy, and all they can do is limit piracy, they have to lower demand. They can lower the demand for pirated media by releasing movies on DVD, cable TV, and the Internet at the same time movies are released in the theater. They can lower pirating of music by taking advantage of innovation around the distribution and licensing of higher quality recordings. They can find unique ways to partner, market, and charge for them. Simply put, they either figure out how to leverage the new digital mediums to satisfy the consumer’s appetite or they lose out on billions of dollars in potential revenue and licensing fees, and trust me, if any group can figure out ways to keep the gold-plated toilets at 50 Cent’s mansion shiny and the Porsche humming in Lars Ulrich’s 12-car garage, it will be the MPAA and the RIAA.

To learn more: The EFF (Electronic Frontier Foundation) has been tracking the unintended consequences of the DMCA over the last 10 years (here)

Update: Interesting story on Electronic Arts Game “Spore” and the backlash on their use of DRM with the game (here)

Security Blogging 2007: The Year of Self-Referential Navel Gazing

I felt a great disturbance in the Metaverse as if a million computers cried out in a blue screen of death and were suddenly rebooted. And as I sat transfixed by the enormity of the problem, the potential for someone to shut down the main reactor forever destroying the Internet as we know it, I heard a voice, it was Howard Zuse and he spoke to me in plain calculus, or as he called it Plankalkül, but since I have always been bad at math and don’t understand German I was left confused and alone. I moved uneasily in my Herman Miller Aeron chair as my mind wandered in and out of states of digital consciousness, finally darkness overtook me. When I awoke I had this unsettling feeling that I had to get to Alderaan to pick up some power converters but the only one who could guide me through a civilization on the brink of collapse was a cyberpunk pizza delivery warrior prince adorned in a leather kimono armed with a lone sword. As my eyes focused what started as a dream became a reality and spread through the stars, but the silence of the moment was quickly broken as a digital voice spoke “the internet is too important for me to allow you humans to jeopardize it, I must destroy you Dave”. I wondered why he was calling me Dave, but before I could ask the warrior prince drew his sword, on which was engraved the term Ultima Ratio Regum, and held it high and shouted “computer, compute to the last digit the value of pi”…

I just returned from a week of partner, customer and prospect visits and met with some really smart IT ops and security folks who are in the trenches fighting the day to day battles most of us in the blogging community have condemned as fighting the wrong battles. It is easy to do, one simply grabs their computer and writes something like “We are fighting the wrong battles”, or one could ramble on incessantly about how we are not really doing anything wrong, we just need to call it something different since we are not really securing information, and are unable to attain security – fzzzpt, noise, pop, fizzle, crack – of course we simply change security to a different word since it is the lexicon that is broken, the definitions misused and misaligned. Seriously though, what is secure anyway? What is risk management? (that is a rhetorical question Alex)

The security, risk, compliance, and survivability blogging community has become a tangled web of self-referential, cross-referencing trackbacks, ever escalating memes driven from the depths of one’s navel. Not that there is anything wrong with that, mind you, it is what it is and it makes for pleasant reading, although not necessarily value-added or actionable.

Yet among the intertwined swamps and marshes of borderline literate prose and grammatical acumen the likes of which have not been seen since the introduction of Hooked on Phonics there lie nuggets of actionable information. Of course without the bumper sticker philosophers, without the back of the napkin attempts to revolutionize a multi-billion dollar industry, without the silly pictures and cute references, the really useful stuff would be pretty damn boring. So although I declare 2007 the year of self-referential navel gazing for the security blogging community, I commend many on their attempts to add real value to the conversation, sharing their experience, their knowledge, and their time, and to everyone else – well, there’s nothing wrong with gazing at your navel and then sharing it with the world either.

AT&T U-Verse Universally Sucks!

I have always had problems with AT&T, which is one of the main reasons I refuse to buy an iPhone. My experience with AT&T has always been poor and I should have listened to my instincts, but when presented with the possibilities of AT&T U-Verse, their IPTV technology, I was curious. For the most part U-Verse would appear to be a nice alternative to traditional Comcast, and although I had no issues with Comcast cable, their internet service was less than optimal in my area, so I made the switch.

AT&T spent 2 full days rewiring stuff, the anticipation was mounting and finally we had light – a picture – a nice high-definition picture that really brought home to my wife why we needed a 62 inch HDTV. Everything was fine for about 2 days but then the problems started: first certain channels would periodically report that we were not subscribed and then later they would automagically work, the television would freeze for several minutes at a time, and many of the features I had become accustomed to with Comcast were unavailable, such as being able to set a reminder for a future show. I mentioned this to the CISO at AT&T and he said “yeah, but can’t you just record on the DVR instead?” uhhhh no, I don’t want to record everything, I want to decide what I will watch at 10pm when 10pm rolls around; btw the set top boxes are running a crappy insecure version of Windows CE, but that’s neither here nor there….fast-forward about a month and AT&T U-verse is virtually unwatchable, I can barely get through an hour of television without the picture freezing for 5-10 minutes at a time, and we do not even watch that much TV; of course we also use the internet service and it experiences similar issues. So in short AT&T U-verse is not ready for prime time.

Now that in and of itself is not a deal breaker for me. It is a new service, I understand that, I had similar issues with Comcast when they first offered digital TV, but the deal breaker is AT&T support. AT&T customer service/support is beyond poor, it is the worst service I have ever received in my life, the telecom equivalent of customer service at a fast-food restaurant staffed by jaded, hip-hop youth convinced of their own self-importance as they trudge through your order rubbing their gangsta tattoos and periodically pulling up their baggy jeans. This isn’t about the people that work in AT&T support, though; this is about the technology they use, one of those automated interactive support recordings that push one to the limits of maddening frustration. Let me give you an example…

AT&T: Welcome to AT&T. Although some of our business offices are closed we are available to you 24×7 for technical support; you can continue here for technical support or to use our automated system. I see you’re calling from <phone number>, is that the phone number on the account you are calling about?

Me: Yes

AT&T: Sorry I didn’t hear you, please say yes or no? I got <phone number> is this the number you are calling about

Me: Yes

AT&T: Sorry our offices are closed please try your call again later

Me: WTF?

OK so I try again…this time I decide not to use my phone number and say no I don’t have one

AT&T: OK, please enter the phone number you are calling about or say I don’t have one

Me: I don’t have one

AT&T: Sorry I didn’t hear you? Please tell me the phone number you are calling from or say I don’t have one

Me: I DON’T HAVE ONE!!!!!!!!!!!!!

AT&T: I am sorry I am having so much trouble hearing you please tell me the phone number you are calling from or say I don’t have one or for more information please say help?

Me: Help

AT&T: It will be easier for me to help you if you tell me the phone number on your account? If you do not have an AT&T account and would like one please say “I don’t have one”?

Me: I don’t have one

AT&T: Ok to continue I need to know where you are calling from, let’s try something else please say the zip code where you would like service

Me: <zip code>

AT&T: OK let me make sure I heard you correctly? Did you say <zip code>?

Me: Yes

AT&T: OK, now please say just your street address or rural route number, for example 123 main street west

Me: <street address>

AT&T: Sorry I didn’t understand, can you please repeat your address?

Me: <street address>

AT&T: I am sorry I am having problems hearing you let’s try something else (then all of a sudden) this office is closed <hangs up>


I give it yet another go because SF is playing NY and I really want to watch the game…I make it to the address portion again.

AT&T: Let me make sure I have it right (he does) is that correct?

Me: Yes

AT&T: I am sorry I am having trouble understanding your address, let’s move on. In a few words I need to know why you are calling today? You can say things like I need to know my account balance, order new phone service or report a problem. If you would like to get to an agent say agent.

Me: Agent

AT&T: Sorry I didn’t hear you

Me: Agent

AT&T: OK If you need to talk to an agent I will need to understand what you are calling about, please say what you are calling about, you can say things like order new service or repairs

Me: Repairs

AT&T: It sounds like you would like to make a repair is that correct?

Me: Yes

AT&T: OK it sounds like you are calling to repair your DISH TV service is that correct?

Me: No

AT&T: OK are you calling about your phone, internet, or television you can also say none of those

Me: None of those

AT&T: I am sorry I am having trouble hearing you can you please tell me why you are calling today

Me: U-verse

AT&T: OK I will transfer you now…

AT&T <busy signal>

So I call yet again and make it to the requesting an agent part…

AT&T: All agents are busy, please continue to hold and someone will be with you shortly (this went on for about 20 minutes and I finally hung up)

AT&T support is so bad I was forced to cancel service and move back to Comcast, here is the call I made on a Sunday morning…

Comcast: Thank-you for calling Comcast, blah, blah, blah, please enter the phone number you have or would like service

Me: <phone number>

Comcast: Good afternoon, thank-you for calling Comcast, my name is Christina, how may I help you today

Me: Wow a real person, thank-you for working today…

And with that I switched service in about 5 minutes.

Now here is the thing: I can tolerate problems with technology, I can understand that my TV will freeze or my internet access is less than reliable, but piss poor customer service is a deal-breaker; it is why I hated AT&T to begin with and quite honestly is the root of all things wrong with our society.

EDIT: Apparently there are a lot of people experiencing the exact same issues and many are deciding to avoid AT&T or switch back to their old service provider (here), (here), (here), (here), and (here). I am sure there are many, many, many, many more…even Shimmy has taken issue with AT&T support, although for different reasons (here). It is baffling to me that a company the size of AT&T, with the resources at its disposal, is experiencing the same issues as a mom and pop ISP – sad!

iPhone security threats and the JackAss of the Month Award

Regardless of the security illuminati’s vision of vulnerable Safari browser and Bluetooth hijacking exploits, or the anti-virus industry’s desire to see a world engulfed in mobile malware, the greatest security risk we face from mobile devices, such as the iPhone, is the risk of death or dismemberment at the hands of distracted drivers. A study in The New England Journal of Medicine (here) found that drivers who used mobile phones while driving were four times more likely to crash than those not using a cell phone, a rate equal to driving under the influence at a .10 blood alcohol level, which is 25% higher than the current .08 limit in all U.S. states.

I have driven in some of the most hazardous regions in the world, from the mountains of Thailand to the unpaved roads of Bolivia, through the muggy streets of Mumbai where bicycle, car, rickshaw, and man on elephant coalesce into a cauldron of snarled traffic the likes of which can only be described as total Armageddon (honk at a man on an elephant, go ahead – they don’t give a shit, unless of course we mean literally), but living in the Bay Area I am constantly amazed at the lack of attention drivers give to the task of actually driving. Women doing their makeup, men shaving, drinking coffee, reading the paper – what the hell? I am not overly concerned if you choose to walk down a path that leads to your own demise, bodily injury or death, but do you not realize you are placing my life and the life of my family at risk?

Recently there has been much discussion about the security implications of mobile computing devices, spurred on by the introduction of the iPhone, delivered by the God-like masters of marketing and hype.

And God spoke unto Apple…

Jobs 6:14: So make yourself a talisman of earthen steel and silicon, give it a tilt screen and coat it in cool shininess

Jobs 6:15: And this is the fashion which thou shalt make it of: The length of the talisman shall be 11.6mm, the breadth of it 61mm, and the height of it 115mm.

Jobs 6:16: Make a window for it and finish the talisman to within 4.5 inches of height. Put a speaker in the side of the talisman and make the lower, middle, and upper parts shiny and thus cool

Realize that happiness can never be achieved through the accumulation of shiny objects, a never ending cycle of object attainment followed soon after by the dissipation of joy. But I digress…

So what does the iPhone, mobile security and bad driving have to do with each other? First they shouldn’t mix – that is mobile devices and driving. It is a bad combination, bad like Ike and Tina, or Michael Jackson and young children, or Dick Cheney and Democracy. Independently there is nothing wrong with mobile devices or driving, but together they can cause the greatest security threat we all face on a daily basis – that is the loss of life. Some may argue that when Bob in accounting decides to check his iPhone in the car and rams into the back of a sedan full of kids that it isn’t really a security issue – really? How is it any different than Bob in accounting using his iPhone to download porn and infecting the organization with a virus, worm or bot-infected nastiness? Personally I will take my life, liberty and freedoms over a slow running machine, theft of my identity or damage to my company’s brand – I am just selfish that way.

As I believe that human behavior is difficult to change and no amount of awareness of the ramifications of driving while under the influence of a mobile device will actually result in fewer cell-phone related traffic accidents (see statistics on drunk-driving arrests and related fatalities, which have experienced no statistically significant drop even with aggressive awareness campaigns), I feel that this is one area where we do need to legislate acceptable use. Not only should it be illegal to use a mobile device in a moving vehicle, I would like to see automobiles that when in motion block all communications except for 911 emergency services. Technically this is not that difficult; politically, and from the perspective of the telecommunications lobby, it will never happen.

Which leads me to July’s Jackass of the Month, which is awarded to the driver of a silver Saab, CA license plate #4TIW099, who was not only clutching his cell phone with his left hand while the big sausage-like fingers of his right hand were choking the life out of his BlackBerry, his wrists positioned against the steering wheel just so. He was swerving in and out of traffic, driving like Lindsay Lohan after a Hollywood party, making an ass of himself, which is his inalienable right as an American; however, he was also putting the rest of us at risk. There was a part of me that wanted to administer the fist of asphalt justice, and had I still been in my youth I imagine the outcome would have been different; as it was I allowed compassion to win and silently prayed that he and those like him do us no harm.

No wars are won through awareness…

In security, as in life, one is forced to make certain choices, certain trade-offs on how they focus their time and energy. If one were able to amass unlimited resources, one could come as close to fault tolerance and a secure position as is possible. But in the real world of IT one is faced with limited resources, whether they be knowledge, time, people, money or access to technology. I think it’s great that one can arm themselves with a Sun Tzu Art of War quote-a-day desk calendar and make declarations about how one would actually secure a complex, globally distributed network and how focusing efforts on user awareness training will fend off Mongol hordes riding against our golden palaces, but that is just not realistic.

To be clear (once again) I am not against user awareness training, I think it can potentially have benefit, but only once we have, at the very least, put in place the minimum set of bare bones security measures; then we can skip barefoot and joyfully through the glass shards that are human behavior. So what would this minimum set of bare bones security measures be, and which of these would you de-prioritize to focus on a security awareness program? Where in the following list (which is not in any way exhaustive) would you recommend an organization prioritize user awareness training?

Desktop Security
– Anti Virus
– Anti spyware
– Personal firewall
– Host-based IDS/IPS
– Encryption
– Data Leak Prevention
– Patch Management
– Security Configuration Management
– Vulnerability Management
– Application Control
– Device Lock-down
– Network Access Control
– Other

Network Security
– Firewalls
– Segmentation/VLANs
– Network Behavior Analysis
– SIEM/Log Management for Security monitoring
– Anti Virus (gateway/http/email)
– Anti spam
– Vulnerability assessment scanning
– Penetration testing
– Other

Application Security
– Secure code scanners/web application scanners
– Threat modeling
– Segmented dev/test/production environments
– Web application firewalls
– IAM/User provisioning integration
– Active Directory integration
– SoD
– Application Activity Monitoring
– Other

Database Security
– DB vuln scanners
– DB transaction monitoring
– DB security configuration management
– DB Virtual patching
– Other

User Security
– Identity and Access management
– User provisioning
– Reduced sign-on (single sign-on is a myth)
– Secure Tokens/IDs
– User activity monitoring

Ok I can go on here but you get the point…now toss in a healthy dose of process coordination, a loving spoonful of work flow integration to enable auditing and transparency of change management, and a big heaping mound of extremely sophisticated, stealthy and malicious badness.

The Unbearable Lightness of Securing

Does any of it matter?

The toil, the trouble, the late nights reading and mapping and writing to fight against an unknown foe? The testing, the evaluating, the deploying, the constant struggle to make “them” aware of the impending digital apocalypse that threatens our very ability to do stuff, digital stuff, like finding references to Czech novels, posting pictures of giant squid or looking at Goth porn. But we are the future, our very ability to secure is what enables our organizations to drive greater profit – we are the machines! Defenders of the faith protecting the world’s organizations against a direct portal to Hades exposed through a poorly coded web application, an insecure service or an unaware user – we are the only thing standing between freedom and Satan – aren’t we?

Nobody understands us, the executives seem to ignore security, the business owners want to focus on profits or other nonsense completely irrelevant to the seasoned IT security professional, the users seem oblivious to the malware laden websites dripping with fresh bot-infected, backdoor, keyword snarfing doodoo, and some jackass from a Fortune 100 tech firm has convinced upper management that driving a CMDB across an ITIL landscape will allow us to ride atop a mighty horse of SLA metric goodness to the forbidden city of IT nirvana where operational efficiencies coalesce with the zenith of perfect security – breathe it in friends!

Big is the new small, data security is the new black, security innovation is dead and risk management is weaving a path of conflicted reasoning, contradictions and poorly used metaphors that threaten to tear apart the very fabric of our industry, or at least really annoy some people.

Will security awareness posters really make us more secure? Perhaps one with Bruce Schneier dangling perilously close to the edge of the Internet, wide-eyed and with the slogan “hang in there kid” emblazoned across the bottom; of course it would be written in a variable key, roughly 32-448 bits.

Will the Jericho Forum finally bring about the end of the network vs. host security cold war as they demand that organizations everywhere “tear down that wall”? Will Microsoft build the world’s most secure OS? Will my copy of Photoshop implode during an unavoidable month of Adobe bugs?

Will Google become a security player? Will the market consolidate? Will Symantec integrate something, anything? Will DeWalt build a new McAfee? Will HP acquire one of them? Will China launch a cyber attack against the US resulting in something more devastating than not being able to download the latest episode of Heroes through iTunes? Will 75% of enterprises be infected with undetected, financially motivated, targeted malware that evaded their traditional perimeter and host defenses? And if so, will anyone notice?

Does any of it matter?

Of all the advice I have ever received, ever heard and ever given, the most important to date has been to wear sunscreen – thanks Baz. Perhaps I have finally found the magic boundary between a nice morning caffeine buzz and one too many cups of espresso, or perhaps I am echoing the thoughts of a never-ending cycle of well-intentioned professionals, experts, and zealots rallying behind the meme du jour. Who knows, but some days we all struggle with the unbearable lightness of securing and other days we struggle with the unbearable heaviness. Fortunately, for most of us, someone, somewhere does care and much of what we do does matter; let’s just not lose sight of the big picture – life!

Shock ads – Red Cross Style

Check out these pictures the Red Cross is using in San Francisco that depict a post-apocalyptic wasteland right in my backyard (here) from Boing Boing (here). I remember Loma Prieta, I remember working as a volunteer in West Oakland where the Nimitz fell; it was horrifying seeing the cars that were crushed by a double-decker freeway, and I certainly appreciate preparedness, disaster recovery and limiting the impact when bad things happen – but aside from the awesome depiction of the Ferry Building, this type of thing does little to drive change. Just like those old “this is your brain on drugs” ads, I am not sure that stopped anyone from trying drugs; personally it just made me afraid of fried eggs.

StillSecure Insecure about NAC?

After posting some comments on NAC, Shimel over at StillSecure took exception to my comments (here) and began his usual sophomoric games, although as he stated they were subdued – cool! Whatever, Alan can be a jackass, we all know that. But aside from just stating things like I am no longer an analyst, or how much he could attack me if he really, really wanted to, or on and on and on and yawwwnnnn! He seems to be a little insecure about how to actually post on the benefits of NAC.

So enough posturing big boy, put your company’s NAC value where your mouth is and defend the benefits of NAC properly. I gave my opinion (here), so why doesn’t the Chief Strategy Officer of a NAC company do more than toss spitballs over the dorm room wall? How about a thoughtful post on why NAC is experiencing issues in adoption, how organizations should approach NAC, tactical and strategic options, the art of the process, how to properly integrate remediation into the quarantine activities – you know, add real value to the conversation instead of the blogging equivalent of “your momma” jokes.

Or would that be too highbrow for you?

BTW – I don’t need you to tell me what the stated revenue or install base of StillSecure is, it was a rhetorical question since you and I both know what you claim it to be – unless of course it has grown dramatically over the last quarter, you know, from all those large NAC deals.

So Big Daddy Shimel (here) and the mouth from the south (here) are questioning my independence – they are welcome to their opinion, so that’s fine, but I haven’t actually seen any analysis in favor of the Symantec/Altiris deal that would lead me to believe this is good for the current or future Altiris install base, or for ESM, Bindview customers or for consumers of the string of other overlapping and poorly executed integrations Big Yellow has left in its wake.

So Recourse, On Technology, Powerquest, Platform Logic, Whole Security, Sygate, IM Logic, Relicore, Bindview, and uhmm oh yeah Veritas were all brilliantly executed acquisitions? – I’m sure I am forgetting some other strikeouts, but their customers probably haven’t. Trust me, I am not sitting around hoping to be acquired by Symantec, and I am sure any customer base that values their solution is praying that their vendor of choice is not acquired by Symantec either – you know what would be really inspiring? If Symantec spent some time actually integrating all this stuff.

As for Altiris, I stated an opinion that some of their offerings were not best of breed – so what? How about some analysis on the deal – what advice would you give prospective customers of Altiris that would differ from “the market should be very leery of making any technology acquisition until Symantec can provide proof of execution”?