This is the Securosis Friday Summary. For those of you who don’t know, this is where Rich and I vent. When I started working with Rich I used to loathe writing this intro; now it’s therapeutic. It gives me a chance to talk about whatever is on my mind that I think people might find interesting. Sure, most Friday posts talk about security, but not always. If such things bother you – as one reader mentioned last week – search within the page for ‘Summary’ to avoid our ramblings.
Security Burnout? Breach Apathy? Repetitive task depression? Been there, done that, got the T-shirt to prove it? If you have been in security long enough, you will go through some security-industry-induced negative mental states. It happens to everyone on the security treadmill – it’s the security professionals’ version of the marathon runners’ wall. A tired, disinterested, day-to-day grind of SOSDD. I know I’ve had it – twice in fact: once as an IT admin reviewing the same log files over and over again, and once from writing about security breaches caused by the same old SQL injection attacks.
Rich, James Arlen, and I got into a conversation about this over dinner the other night. Rich and I have achieved a quiet inner peace with the ups and downs of security, mainly because our work lets us do more of what we like and less of the daily grind that folks in IT security deal with. For most of my career, with vacations frowned upon for startup executives, conferences were my source of inspiration. Actually, they still are. Presentations like Errata Security’s malicious iPhone and Jackpotting Automated Tellers can renew my interest and fascination with the profession. I go back to work with new energy and new ideas on what I can do to make things better. Somewhere down the line, though, reality always settles back in. As with life in general, I try not to get too worked up about this profession, but to find the pieces that fascinate me and delve into those technologies, leaving the rest behind.
On Monday during the RSA Security Conference, Mike, Rich, David Mortman, and I will be helping with the ‘e10+’ event. The idea of this session is to provide advanced discussions for security pros who have been in the field for over 10 years. We talk about some of the complex organizational problems security folks deal with, and share different strategies for addressing them. Of course there is no shortage of interesting problems, and there are some heavily experienced – and opinionated – people in the room, so the discussion gets lively. It’s not on the agenda, but it dawned on me that dealing with security burnout – both causes and reactions – would actually be a good topic for that event. How to put the fun back in security. I hope our talks will do just that. Rich has some great ideas on consumerization and risk (yeah, I know – who thought risk could be interesting?) that I expect to spark some lively debate. Usually during RSA I am too busy worrying about my presentation or meeting with people to see much new stuff, but this year I am looking forward to the event.
On to the Summary:
Our Research Page with every freakin’ white paper we’ve done in the last three years.
Bridging the Mobile Security Gap: Staring down Network Anarchy (new series).
Mike Rothman: Executive could learn a lot from Supernanny. Kevin hits it on the head here, just as Wendy did last week. Without even enforcement of the rules you’re lost. Unless you are Steven Seagal (and you’re not), no one is Above the Law.
Dave Lewis: How to close your Google account. Lots of blowback due to Google’s new privacy policy – here’s how you can protest.
Adrian Lane: Implementation of MITM Attack on HDCP-Secured Links. Fascinating examination of an HDMI encryption attack – in real time – for fair use. It’s a bit on the technical side but does get to the heart of why DRM and closed systems stifle innovation.
Rich: Pete Lindstrom’s take on recent SCADA vulnerability disclosures. I disagree with Pete a lot. It’s hit absurd levels in the past on a mailing list we are both on. And while I don’t agree with his characterizations of vulnerability research justifications, I do agree that for some things – especially SCADA – we need to think differently about disclosure.
David Mortman: Google+ Failed Because of Real Names.
Applied Network Security Analysis: Moving from Data to Information.
Fact-Based Network Security: Metrics and the Pursuit of Prioritization.
And in case you missed it: Our Research Page with every freakin’ white paper we’ve done in the last three years.
The spam tag cloud: Keeping you up to date on what’s important in life!
Trojan Trouble-ticket system. Say what you will about malware authors, but they’re usually highly adept at software development tools and techniques.
Defacement frenzy via our friends at LiquidMatrix.
No comments this week. We need to start writing better posts!