Wednesday Zombie Post–Will Fix Computer for BRAINZ!

Posted November 14th, 2007 by

Ah, the witty people at jinx have a crossover from computers to zombies.


Posted in Zombies | No Comments »

The Stupid Filter as the New Zeitgeist

Posted November 13th, 2007 by

So Slashdot already covered it, so there’s not much that I can add to the thousands of monkeys banging away at keyboards trying to produce the combined works of Shakespeare, but check out the StupidFilter. Meh, it’s good but it will probably be about as effective as spam filtering.

However, the true beauty of StupidFilter is that they’ve seeded it with a corpus of bad YouTube comments and there is a page to view a random comment without any context. This is the true kernel of goodness in the project. It’s like modern performance art of the Interwebblagosphere, starring you and your misspellings, trolling, and flamebaiting. Best part is, the page title is “Concentrated Stupid”. =)


Posted in Odds-n-Sods | No Comments »


Posted November 13th, 2007 by

I have two things happening this week.

First thing is I got my 5-year award from my company on Monday. I got a plaque and a watch and somehow I’m an anomaly, a security guy in the DC area who’s been with the same company for longer than 2 years. But like I tell people, I cheated a little by taking a “one-year paid vacation” to “someplace sunny” in “exotic Asian locales”. =)

Second thing is that on Friday I’ll be “officially smart” by having a degree. Yes, it’s a BS in Liberal Studies with a focus in Russian but at least it clears me for the next couple of hurdles–GSA schedule and billable rates being the first one.

Think I’m incorrigible now, just wait. But hey, isn’t that how the Straw Man got smart? Anyway, in the spirit of the Straw Man, something about this movie makes me echo the one comment that it has: “wtf?” but something about it makes me chuckle and think that I have to put it here, junk or not:


Posted in Odds-n-Sods, The Guerilla CISO, Zombies | 4 Comments »

Guerilla CISO Tip–Avoid “Boilerplate”

Posted November 12th, 2007 by

Repeat after me: “This isn’t a legal contract, you don’t have to include boilerplate for CYA purposes.”

Actually, the boilerplate in security documents does one of the following:

  • Is a bunch of lies because it never gets updated
  • Refers to common or shared controls which are written down somewhere else and you should be referring to them instead of including them verbatim
  • Is a rehash of NIST/BS7799/PCI-DSS documents or standards that we all know anyway
  • Is marketing information or “Ra-Ra” cheerleading
  • Is an attempt at “malicious compliance”

None of these are what you really want to do.  So think about it next time you create a template for something.


Posted in The Guerilla CISO, What Doesn't Work | No Comments »

More Vendor Craziness

Posted November 9th, 2007 by

Ah yes, more vendor spam, only this time, it came in a dead-tree version.

Dear Rybolov:

It has recently come to our attention that $FooCorp is sending spam. The end is nigh, we have the solution, send us a big bag of cashola and we’ll look the other way.

Ok, so I paraphrased. Actually, I was so amused I took it home to show my wife. =)

And as “evidence”, they enclosed a printout of IP addresses that are spambots. That’s cool and all, but none of those match $FooCorp’s IP range. Hmmm… could it be that these are spambots that are sending email from compromised machines outside of anything that $FooCorp controls? I think that’s the case…
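The sanity check described above, done in code: take the vendor’s list of “spambot” addresses and see how many actually fall inside the address space you own. This is an added example, not code from the original post; the ranges and IPs are constructed sample values using documentation prefixes, not $FooCorp’s real space.

```python
import ipaddress

# Constructed sample data (not from the post): the ranges an org actually
# owns, and the "evidence" list of spambot IPs a vendor mailed in.
OWN_RANGES = ["203.0.113.0/24", "2001:db8:100::/48"]
VENDOR_IPS = ["198.51.100.7", "192.0.2.44", "203.0.113.9",
              "not-an-ip", "2001:db8:100::1"]


def classify_ips(ips, own_ranges):
    """Split a vendor's IP list into addresses inside our ranges,
    addresses outside them, and entries that are not valid addresses."""
    nets = [ipaddress.ip_network(r, strict=False) for r in own_ranges]
    inside, outside, invalid = [], [], []
    for raw in ips:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            # Printouts and OCR'd lists contain junk; keep it visible.
            invalid.append(raw)
            continue
        # ipaddress returns False for an IPv4 address in an IPv6 net (and
        # vice versa), so mixed-version ranges are safe to test together.
        if any(addr in n for n in nets):
            inside.append(str(addr))
        else:
            outside.append(str(addr))
    return inside, outside, invalid


def share_in_our_space(ips, own_ranges):
    """Fraction of the valid listed addresses that are really ours."""
    inside, outside, _ = classify_ips(ips, own_ranges)
    total = len(inside) + len(outside)
    return len(inside) / total if total else 0.0


if __name__ == "__main__":
    ins, outs, bad = classify_ips(VENDOR_IPS, OWN_RANGES)
    print("in our ranges:    ", ins)
    print("outside our space:", outs)
    print("unparseable:      ", bad)
    print(f"share in our space: {share_in_our_space(VENDOR_IPS, OWN_RANGES):.0%}")
```

If the “outside” bucket holds nearly everything, the list is evidence of other people’s compromised hosts forging your domain, not of your relay sending spam.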

But wait, they sell a “reputation guarantee service” that I can buy to be whitelisted because all these spammers using my domain for a return address have sullied my brand name. Wow, I don’t know why I didn’t think of it before. Oh yeah, it’s because it sounds like a protection racket: “You got a really nice SMTP relay there, I wonder what would happen to you if it became ‘unusable’”. =)

Maybe I should set up a business doing the following (slashdot-stylie business model):

  • Build email filter list (easy, just throw some grep and sed action at my spam box and I’ll have a good start)
  • Sell the blacklist to people who want to block spam
  • Sell the ability to be whitelisted to people who want to send email and end up on the wrong side of the list
  • ???
  • Profit

Now I know these guys, they make solid stuff and have a good reputation out there in the market. But they need to understand something: I find it offensive that they think I don’t know my own IP space, and I don’t buy products from people with a marketing department that uses scare tactics like this.


Posted in Rants, What Doesn't Work | No Comments »

Carnegie Mellon’s Guide to MSSPs

Posted November 7th, 2007 by

I had a good conversation this morning with a friend going over what to look for in picking a Managed Security Service Provider.  Since I have this wonderful relationship with our SOC (I’m both their customer and their LANLord), he wanted to know how, what, and where.

Over a year ago when I started getting involved in the managed service business,  I found Carnegie Mellon’s “Outsourcing Managed Security Services” (.pdf caveat).  I recommended that my friend go check it out, and on a lark I had a look at it.  It’s still relevant today.

And yes, Hoff, the report is from the “Networked Systems Survivability Program”.  Stuff that in your pipe and smoke it. =)

The one thing that keeps sticking in the back of my mind is MSSP service offerings.  So let me pick up the torch for Richard Bejtlich a little bit because deep down inside I like his Network Security Monitoring ideas.

Well, let’s say I’m a MSSP.  Not much of a stretch, really.  Now the problem with being a managed services provider is that I’m only as smart as my customers will let me be.  Some things sell themselves:  firewall monitoring and management; anti-virus deployment, monitoring, and management; and log monitoring and management.  Yes, it’s the same-old, tried-and-true security operations.  Some would say “tired”, and I would probably agree with that, too.

But when it comes to selling NSM (or any other new concept) as a service, it’s hard for me to sell.  The reason is that my customers don’t have an NSM problem, they have security, risk management, compliance, and auditor problems, and the way that they understand to fix those problems is to outsource them.  Yes, that’s the customer defining the solution space, but that’s the realpolitik of the market.

For an MSSP with à la carte service offerings, I have to frame NSM in a way that does the following:

  • The customer can understand what they are getting
  • The customer realizes a need for that service
  • I’m not beaten on price by my competitors
  • The customer’s auditors can understand how we are helping and that we have value

Basically, that’s just sound business, only my problem space is defined as providing a complex solution (security) on top of an already-esoteric solution (IT in general).


Posted in Outsourcing, What Works | No Comments »
