Ah, the witty people at jinx have a crossover from computers to zombies.

• Wednesday Zombie Post–The Zen of Zombie
• Wednesday Zombie Post–The Zombies
• Wednesday Zombie Post–Zombies on Uncyclopedia
• Wednesday Zombie Post–The Federal Vampire and Zombie Agency
• Wednesday Zombie Post–Ethical Zombies

So Slashdot already covered it, so there’s not much that I can add to the thousands of monkeys banging away at keyboards trying to produce the combined works of Shakespeare, but check out the StupidFilter. Meh, it’s good but it will probably about as effective as spam filtering.

However, the true beauty of StupidFilter is that they’ve seeded it with a corpus of bad YouTube comments and there is a page to view a random comment without any context. This is the true kernel of goodness in the project. It’s like modern performance art of the Interwebblagosphere, starring you and your misspellings, trolling, and flamebaiting. Best part is, the page title is “Concentrated Stupid”. =)

• Targeted Spam
• Give Me Your Free-Form Comments
• A Little Advice From Mike and Lee
• Is Myspace Satan?
• And Now for Something Completely Different…

I have two things happening this week.

First thing is I got my 5-year award from my company on Monday. I got a plaque and a watch and somehow I’m an anomaly, a security guy in the DC area who’s been with the same company for longer than 2 years. But like I tell people, I cheated a little by taking a “one-year paid vacation” to “someplace sunny” in “exotic Asian locales”. =)

Second thing is that on Friday I’ll be “officially smart” by having a degree. Yes, it’s a BS in Liberal Studies with a focus in Russian but at least it clears me for the next couple of hurdles–GSA schedule and billable rates being the first one.

Think I’m incorrigible now, just wait. But hey, isn’t that how the Straw Man got smart? Anyway, in the spirit of the Straw Man, something about this movie makes me echo the one comment that it has: “wtf?” but something about it makes me chuckle and think that I have to put it here, junk or not:

• Got Training?
• My New Fan Club
• Security Managers with PMP
• A Little Advice From Mike and Lee
• Personnel Turnover

Repeat after me: “This isn’t a legal contract, you don’t have to include boilerplate for CYA purposes.”

Actually, the boilerplate in  security documents does one of the following:

• Is a bunch of lies because it never gets updated
• Refers to common or shared controls which are written down somewhere else and you should be referring to them instead of including them verbatim
• Is a rehash of NIST/BS7799/PCI-DSS documents or standards that we all know anyway
• Is marketing information or “Ra-Ra” cheerleading
• Is an attempt at “malicious compliance“

None of these are what you really want to do.  So think about it next time you create a template for something.

• Observations on SP 800-37R1
• How to Not Let FISMA Become a Paperwork Exercise
• Response to “What is Information Assurance – The Video”
• Some Thoughts on “Malicious Compliance”
• It’s All About Common Controls!

Ah yes, more vendor spam, only this time, it came in a dead-tree version.

URGENT SECURITY NOTICE FOR $FooCorp:

IDENTIFIED AS SENDING SPAM

Dear Rybolov:

It has recently come to our attention that $FooCorp is sending spam. The end is nigh, we have the solution, send us a big bag of cashola and we’ll look the other way.

Ok, so I paraphrased. Actually, I was so amused I took it home to show my wife. =)

And as “evidence”, they enclosed a printout of IP addresses that are spambots. That’s cool and all, but none of those match $FooCorp’s IP range. Hmmm… could it be that these are spambots that are sending email from compromised machines outside of anything that $FooCorp controls? I think that’s the case…

But wait, they sell a “reputation guarantee service” that I can buy to be whitelisted because all these spammers using my domain for a return address have sullied my brand name. Wow, I don’t know why I didn’t think of it before. Oh yeah, it’s because it sounds like a protection racket: “You got a really nice SMTP relay there, I wonder what would happen to you if it became ‘unuseable'”. =)

Maybe I should set up a business doing the following (slashdot-stylie business model):

• Build email filter list (easy, just throw some grep and sed action at my spam box and I’ll have a good start)
• Sell the blacklist to people who want to block spam
• Sell the ability to be whitelisted to people who want to send email and end up on the wrong side of the list
• ???
• Profit

Now I know these guys, they make solid stuff and have a good reputation out there in the market. But they need to understand something: I find it offensive that that they think I don’t know my own IPSpace, and I don’t buy products from people with a marketing department that uses scare tactics like this.

• Targeted Spam
• My Stalking Spammers
• Some Thoughts on Comments to My Blog…
• Once Again, I’m not a Bank!
• On Why I Blog… FUD is the Reason for the Writin’

I had a good conversation this morning with a friend going over what to look for in picking a Manages Security Service Provider.  Since I have this wonderful relationship with our SOC (I’m both their customer and their LANLord), he wanted to know how, what, and where.

Over a year ago when I started getting involved in the managed service business,  I found Carnegie Mellon’s “Outsourcing Managed Security Services” (.pdf caveat).  I recommended that my friend go check it out, and on a lark I had a look at it.  It’s still relevant today.

And yes, Hoff, the report is from the “Networked Systems Survivability Program”.  Stuff that in your pipe and smoke it. =)

The one thing that keeps sticking in the back of my mind is MSSP service offerings.  So let me pick up the torch for Richard Bejtlich a little bit because deep down inside I like his Network Security Monitoring ideas.

Well, let’s say I’m a MSSP.  Not much of a stretch, really.  Now the problem with being a managed services provider is that I’m only as smart as my customers will let me be.  Some things sell themselves:  firewall monitoring and management; anti-virus deployment, monitoring, and management; and log monitoring and management.  Yes, it’s the same-old, tried-and-true security operations.  Some would say “tired”, and I would probably agree with that, too.

But when it comes to selling NSM (or any other new concept) as a service, it’s hard for me to sell.  The reason is that my customers don’t have a NSM problem, they have security, risk management, compliance, and auditor problems and the way that they understand to fix those problems is to outsource them.  Yes, that’s the the customer defining the solution space, but that’s the realpolitik of the market.

For a MSSP offering ala-carte service offerings, I have to frame NSM in a way that does the following:

• The customer can understand what they are getting
• The customer realizes a need for that service
• I’m not beaten on price by my competitors
• The customer’s auditors can understand how we are helping and that we have value

Basically, that’s just sound business, only my problem space is defined as providing an complex solution (security) on top of an already-esoteric solution (IT in general).

• Categories of Security Controls in Outsourcing
• Cloud Computing and the Government
• Lines of Business, Relationships, and Trustability
• Compensating Controls
• Security Assessment Economics