Posted by: shackf00 | June 8, 2008

Security Ain’t Nothin’ But a Sandwich

To have to refer back to Microsoft for a security anecdote makes me squirm a bit, but it’s worth it. I remember reading this when it first came out, and thinking it was great. In revisiting it (since it’s referenced in a book I’m reading called The Future of the Internet – And How to Stop It) I still think it’s great. What simpler way to describe the basic trust mentality needed for ALL Internet users than this:

There’s a nice analogy between running a program and eating a sandwich. If a stranger walked up to you and handed you a sandwich, would you eat it? Probably not. How about if your best friend gave you a sandwich? Maybe you would, maybe you wouldn’t—it depends on whether she made it or found it lying in the street. Apply the same critical thought to a program that you would to a sandwich, and you’ll usually be safe.

The whole article is entitled 10 Immutable Laws of Security and can be found here.

Posted by: shackf00 | April 30, 2008

The Shackleford Life Philosophy

I have a fiercely independent streak. I like raising hell, I don’t want to be quite like the other doubles-tennis yuppies of the world, and foremost, I firmly believe that I am in control of every single aspect of my life. This may give you a glimmer of insight into my religious beliefs, as well, but we won’t address that here. :)

I can be as good at something as I want to be.

I can learn anything I want to.

I will never tolerate a shitty, micromanaging job or boss. Ever.

There’s plenty of money out there – go get it.

If you are out of shape, that’s your fault, and you WILL suffer from it, most likely. Change this. Now.

Sounds simple, more or less, right? This is a much-abbreviated version of the true life philosophy I adhere to, but it’s a few of the key points. I am never satisfied with things either – and that’s OK. You can always improve, and there’s almost always someone better at something than you are.

Where the hell am I going with this? Well – here:

http://www.ganas.com/declaration_mov_flash6.swf

This lady captured a lot of the Shackleford mojo in a presentation that is worth seeing. You’ll enjoy it, promise.

Posted by: shackf00 | April 16, 2008

RSA – sigh….

This has been an unbelievably busy month, with lots of travel. I changed jobs (left CIS and went to Configuresoft), had a million projects to wrap up in the consulting realm, and finally went to the RSA show in San Francisco.

Wow, just not that exciting this year. Last year, I was totally blown away by the “widget overload”. In other words, there were a lot of features for sale, looking for a home. :) This year, the buzzword mania was sickening. “PCI Compliance in a Box!” or “Firewall/IDS/IPS/DLP/Encryption in a simple appliance!”. Everybody is jumping on the compliance bandwagon, for sure, and many of the products I saw were still firmly in the widget category.

I’d love to see security moving more into integrating with IT and operations overall, instead of fighting so damn hard to be special. Guess what? Network guys can manage firewalls and IDS, too! It’ll get there – it has to. Those that fight it will be wondering where their super-special jobs went in 5 years, guaranteed. And I’m not saying there aren’t some specialized skills, because there definitely are – setting up PKI or access management infrastructures is not trivial. However, IT Ops is still IT Ops, and security is becoming part of everyone’s job, not the other way around.

RSA is definitely a show you need to attend if you work in the industry, no two ways around it. Some good content, good speakers, and San Francisco is always fun. But people take these keynote speeches way too literally – I mean, it is *definitely* in John Thompson’s and Art Coviello’s best interest to keep a little FUD in the game – why in the world would they say things are getting better? No $$ in that. Gotta move products…

’Til next time I get 10 free minutes…

I just finished reading the book ‘Blink’ by Malcolm Gladwell, and I was really impressed with Chapter 4, entitled “Paul Van Riper’s Big Victory”. The chapter deals with the notion of “analysis paralysis” in a big way, and tells the story of the DOD’s Red and Blue Team exercises started in the early 2000-2001 timeframe, dubbed “Millennium Challenge”. Paul Van Riper, a retired Marine general, ran the Red Team, and he ran it with a very interesting personal philosophy: you can never see and/or understand the whole picture in a war or battle. Why? You can’t know what the enemy is thinking, or exactly how they’ll act.

Napoleon subscribed to this same theory, and it obviously worked well for both men. To keep it short, Van Riper took what he *did* know and leveraged it to the utmost. He behaved in unpredictable ways, launched preemptive strikes against the Blue Team, and essentially succeeded in kicking their asses every which way to Sunday. This didn’t sit so well with the acronym-laden Blue Team leaders, who promptly called “Reset!” and set all sorts of restrictions on Van Riper so that he, in essence, couldn’t win the second time around. Then, (typical government mindset here), they actually had the gall to *celebrate* when they “won” the second time. Hilarious! No wonder our govt works so well and the Chinese are enjoying the fruits of our sensitive databases.

All that aside, it really drove home a major point (as the book does in general): Trust the gut. Don’t get all caught up in meeting after meeting, trying to decide on the absolute best course of action after comparing every possible alternative known to man. Think quickly, go with what feels right, and get things done. For god’s sake, don’t come up with internal acronyms if you can help it. Do hackers have to follow rules? Not so much, so expect the unexpected and learn to react fast. Information security practitioners are tasked with preparation for, and defense against, inevitable attacks from malware and anything else that comes our way. We can learn some lessons here.
