Thursday, March 24, 2011

Final HKS post

Morning all.

I'm back at work, but wanted to take a moment and chat about a couple of things:

1. This experience was easily the best training I've ever had.

2. On my first day back, I was asked if I wore my new lapel pin to show everyone I went to Harvard. I answered back that I wore the pin to remind me of what I'd learned.

3. I have new tools in the toolkit. I have reminders in a Harvard logo'd binder on my desk next to my monitor, so when I need a refresher, it's right there. Inside I placed a few of the most important tools I'd previously lacked, with my handwritten notes from class.

That's it. I'm posting the remainder of the pictures:

Steve Kellman's comic
During my walk back to Soldiers Field.. my last night
The gates into the dorm courtyard

My study group
Dinner at the Harvard Faculty Club
Jeff, Paul, Nat and Mike
More inside the Harvard Faculty Club
The walk from the Faculty Club.. wrapping up on St. Patty's Day. This was the start of a great night!
John Harvard - do you recognize any of the faces in the stained glass? I'll give you two of them.. Nixon, John Lennon
The RedLine -- the second St. Patty's Day event. For those who rode the bus from the Faculty Club, the bus dropped everyone off here. Some stayed, some went back to the dorms for some well needed rest. Obviously I didn't go back just yet!

Me with Simon and Ibrahim
A night of well mannered frivolity!

Melancholy moments on my final walk to the dorm. I'd just left the Friday 'reflections' class; a new graduate SEF.
When it was nice, the walk along the Charles was the best.
...including the view of the women's rowing teams!
OK all. That's it.

Harvard, out.

Thursday, March 17, 2011

Wrapping it up at the Kennedy School

It's Thursday afternoon, 3:45 and we've just wrapped up our final class.

That means roughly 120 sessions of 45 minutes crammed into four weeks. Most professors used 90 minutes and taught two. Regardless, it's been a hell of a journey. Today we wrapped up by 3:30, and don't have any readings for tomorrow, but we need to pack out and be ready to check out of the dorms by 9:00 tomorrow morning. Unfortunately we have final sessions and reflections starting at 8.

...four weeks. I'm going to tell you, this is a life changing experience. Everything about the program is first class. It's hard to explain how these guys do what they do, but the program teaches leadership, history, personal accountability, lessons from the Presidential offices (from people who advised the Presidents), and more. In addition to the coursework, they really do everything possible to immerse you in the higher level thinking and culture of Harvard. Again, hard to explain. I'll do my best in actions when I return.

Besides the coursework and culture, one of my friends suggested I bring extra bourbon for the study groups at night. We used all of mine, and more from others. During the Balcony Summits, we solved world hunger, the crisis in the Middle East, we've fixed Israel, and know how to best assist Japan. Does anyone by chance have Hillary's phone number? I'm sure she'll want to know what we've come up with!

OK all, probably one more post tomorrow with pictures from tonight... final dinner, business attire at the Harvard Faculty Club.

Jeff

Tuesday, March 15, 2011

Tuesday morning.. week 4

Well, we're in the home stretch! It's Tuesday morning and I'm wrapping up my readings for the day and getting my case study prepared for the after-SEF project I'll be working on with my group.

It's been a hell of an experience! We wrapped up last week with a trip to the JFK library, but only after a week of reading, case studies, reading, and more case studies. The schedule has been hectic. They keep us busy from 8AM to early evening most days, with study groups before class in the morning and, many times, dinner speakers.

Last night was Jeff Frankel. Jeff was an economic advisor to Clinton. While I didn't necessarily appreciate the message (he was very doom and gloom), nor the slant (he blames everything on everyone but Clinton), it was still interesting having him here, speaking to us over dinner. An interesting thought though... 1/5 of our current budget goes to pay for interest on money borrowed from the rest of the world to pay our bills. I've not confirmed the number, nor audited our budget, but if this is right, it's amazing that we can continue to operate.

We discussed the current budget mess and the continuing resolutions. He told us that even if the planned cuts went through, it accounted for only 6% of the current issue (with the implication that it wouldn't do much good). I'm a bit concerned by this. I had a woman who worked for me in a startup a few years back. She was my most junior person, an intern from a local college. When we started running out of money in the end, she requested to not take a paycheck. She told me "it takes a lot of drops of water to make an ocean, but every one counts." 6%? That seems like it'd pay interest at least, don't you think?

OK, now for more fun topics... pictures of the JFK Library and dinner. We had a great time!



Wednesday, March 09, 2011

General Odierno, HKS Forum, Cyber...

I had the privilege of getting one of the very limited tickets to see General Ray Odierno speak tonight.



Gen O is the current commander of the Joint Forces Command in Norfolk, VA. He's an impressive guy to hear speak, but more fun for me was that he speaks very passionately about Cyber!

I am a cyber guy and work by day at the DoD Cyber Crime Center, and, being the only cyber pro in my class at the Kennedy School, I found this to be incredibly good stuff.

So this guy has got to be 6'5" and as broad as a bulldozer, with a rack of ribbons that pushed his combat infantry badge WAY up on his shoulder, but he speaks of Cyber like it's the next front. He's informed, smart, well spoken, and his last word on the subject --after speaking for almost thirty minutes --was that cyber is the thing. My classmates all looked at me, knowing I was the only cyber guy in the class, and knowing that I also am not afraid to speak, and they knew --we're working hard in this area. I don't talk much about what I do in class, but many know of DCISE and read our products. It's an amazing thing. Many of my classmates have even commented about how much is going on in the area. My roommate, a former P-3 pilot and now Navy civilian, commented that every high ranking official that comes through speaks of CYBER!

It's a good time to be a geek, and Harvard is creating in me a self-aware, bigger thinker.

I hope to be in this game for a long, LONG, time!

Jeff

Tuesday, March 08, 2011

Tuesday

Wow. Long day. Two case studies in Negotiations just took it out of me. We started in our "Extended SEF" groups at 8AM with classes on building teams and negotiations all day, ending with Joe Nye. Joe spoke about his book "Soft Power", hitting on global implications of the media, policy issues (i.e.: China's censorship of the media), India, and finally, cyber.

While interesting (actually great talks) by the end of the day, after two fairly heavy interactive case studies in negotiation, and then Joe, my head is full. Thankfully we have a light reading assignment for tomorrow. I need the sleep.

That's it for now. I'm taking advantage of the light assignment and heading down!
Jeff

Sunday, March 06, 2011

Saturday class! Wuhoo!

I'm a little late in posting, but wanted to get my pictures transferred over from yesterday.

So yes, we had class on Saturday. The day started with the remaining discussions of the Federalist Papers (it was kinda dry to have them read to us, but a great topic nonetheless). The discussions were all surrounding our founding fathers' thoughts when they framed, and then tried to ratify, the Constitution. The papers were actually a marketing piece put together to try and get New York to ratify the Constitution. It worked! Before heading out for a field trip, we had another class teaching politics in the federal government. As you might imagine, everyone had thoughts on politics. The resulting conversations made the class just fly by!

Noon brought lunch, and then we caught the "Yankee" buses for guided tours of Lexington (remember the shot heard around the world?). The minute men hadn't aged well, but were VERY good.





We got a great history lesson by these *ahem* young minute men, and then jumped back in the Yankee bus for a guided trip to Concord where we were met by the local historian, and our professor, Steve Keller. Steve had the best stories, and took us to Minuteman State Park and Walden Pond. We got in a bit of hot water at Walden Pond because the snow limited the parkability of those big busses. It was actually kinda funny. When accosted by the short rotund woman in brown, who needed to know who to write the ticket to, he gave another professor's name (Pete Zimmerman). She was happy. We were allowed to leave. Concord was great. Below are two pictures of the monument. The park was covered in heavy melting snow making walking on the trails wet and muddy. Many of my classmates were wearing sneakers, so we didn't go far.







Dinner was at the Colonial Inn.. This is actually the original home of Ralph Waldo Emerson, but obviously dated before him. The Colonial Inn has been operational for over 300 years, and was one of the prime meeting places in Concord, MA. I think the waiter lived through the entire thing, but in the end, it turned out he'd only been with the Inn for 20 years. Regardless, he had the history lesson down pat and kept the wine flowing freely. After dinner several of us retired to the front porch for cigars before getting back on the Yankee Bus for our trip back to Soldiers Field.

Tomorrow brings our first day of negotiation class. I'm here to tell you folks, if you ever get the opportunity to come to SEF, DON'T turn it down. These guys know how to do it right. This is the best training I've ever had!

Jeff

Friday, March 04, 2011

Friday... one more day to go before the weekend!

Yes, we have class on Saturday. Two case studies and then a historical walking tour of Lexington and Concord. Why, you ask? We're in the modules where we're learning about the framing of the government. We spent time this afternoon in discussions of the Federalist Papers after a morning of organization building and a case study on navigating Fed politics. The lunch speaker today was Shelley Metzenbaum, the Associate Director of OPM's Performance Management program. Interesting stuff.

It was a good day. Dinner was to be in the Penthouse dining room with a guy dressed as James Madison, talking about the papers and framing of the Constitution. I bagged out. I ended up with a massive sinus headache about 2, so I figured I'd try and kick it before the walking tour and dinner out tomorrow. I held out until after the final class before dinner, then headed back.

Tomorrow should be another great day. Going to head to bed early and try and kick this headache.

Jeff

Harvard Cyber Security Symposium

Broadcast live today from 12-6:30. I'll be in class, but an interesting roundup of panelists.

http://harvardnsj.com/live/

12-1: "The future of the Internet" (lunchtime debate) Jonathan Zittrain, Stewart Baker

1:15-2:45: Privacy concerns in cyberspace: Kevin Bankston (EFF), Dr. Joel Brenner (former NCIX), David Hoffman (Intel), Susan Landau (Harvard)

3:00-4:30: Defense and Deterrence in Cybersecurity and Cyber Warfare: Steven Chabinsky (FBI), Duncan Hollis (Temple Univ), Martin Libicki (RAND), Noah Shachtman (Wired Mag), Eric Rosenbach (Harvard)

5-6:30: Keynote: Steven Bradbury (DA Atty Gen, DoJ)

Enjoy!
Jeff

Thursday, March 03, 2011

Harvard.. Thursday week 2

Almost half way through the program. Today was a little shorter, but even with the shorter day I ended up a little late this morning. We had a light reading day, so I spent the morning sitting at the kitchen table in the dorm reading forward. Coffee and case studies; the breakfast of champions! About 8:30 I realized I hadn't showered, was engrossed in a case about revamping the MTA, and it was time to go. By 9:00, I was FROZEN from the walk (14 deg F plus a heavy wind) to school (maybe just under a mile??).. headed straight for Dunkin Donuts and then in my seat by 9:10.. not bad, but still, I want every minute I can get out of these people and the program!

Today was a fun treat. I met with the Sr. Researcher for the Minerva project. Minerva is a DoD funded collaborative project between Harvard Kennedy School and MIT's computer science program. The program topics have a familiar ring, except for one very interesting piece (at least through my lens!). They're focusing on cyber in the horizontal as it relates to International Relations. What a concept! A DoD funded cyber project that actually considers international relations issues! I've been asked to present. Likely going to talk about challenges in the heterogeneous global corporate environment --all unclassified and should add value. From my perspective, it's also a two slide talk that will last about 45 minutes, so it should be perfect. One benefit here is they use very little in the way of PowerPoint. I'm finding more value in the blackboard discussions than being preached at through PowerPoint. I'll likely do the same thing.. two slides, two sets of graphics; no text.

The day, again, was AMAZING. I can easily declare Gary Orren is by far the best professor I've ever had. I can declare that without even thinking. Gary teaches persuasion. It's a baseline program before heading into negotiation next week, but just the fact that I've now been through six sessions of the mechanics behind good, persuasive communications is something I've never had. Gary gave me new tools, and believe me, I've already started practicing in some of my emails. 

Tomorrow is another lunchtime speaker. It's on the agenda as 'special guest'. Not sure what that means, but it seems to mean that HKS doesn't want to advertise the fact that high profile guests will join us at lunch. So more tomorrow. I'm looking forward to the surprise!

Ok, time for bed. I took about thirty minutes tonight to watch some mindless television and do some reading for pleasure. I took care of tomorrow's readings this morning ;)

Jeff

Wednesday, March 02, 2011

It's been a hell of a week...

It's just after 10PM. I had a bourbon and cigar on my porch with my roommate (a retired Navy P3 pilot/Commander) and we just found out a classmate was selected for AF Brig General! What a night. What a day.. all of them, just packed.

Anyway, breakfast at 7, study group from 8-9, and classes every 90 minutes until finishing with dinner and a movie that will be the subject of tomorrow's first class. Reading more case studies than I've ever read before. For tomorrow, it's a civil war case on dealing with communications/persuasion of a mutinous unit.

I've been trying hard to network as best possible with the limited free time, so tomorrow it's the Minerva project --a joint Harvard/MIT program on cyber in international relations. Additionally, I have a speech on increasing the tax on cigarettes designed to practice our new persuasive speech frameworks.

This is a great education.. a once in a lifetime experience.

Ok, off to bed. I'm exhausted and have to be up and in by 8:30 tomorrow. Getting a break.

Jeff

Sunday, February 27, 2011

Sunday night.. heading into week 2!

Just left Spangler. What a great place. It's the main building for Harvard Business School. The Kennedy School folks share the facility for food since the graduate dorms (apartments) are all on the HBS campus on Soldiers Field Road.

Anyway, tonight was preparing for a role playing exercise to take place on Thursday morning. I'd mentioned a class on persuasion last week. This is by far the best class to date.. and I've only been here a week! This is probably the class I needed most, but there are more coming. This week is three more sessions on persuasive comms, plus (as if there needed to be a plus!) we start on negotiation! I'm telling you, these guys give us nuts and bolts 'how to' lessons to actually do better communications, and anyone who knows me will tell you it's an area I could do better. I'm filling my toolkit with everything these guys will give me!

So, favorites? Gary Orren on persuasion. Ron Ferguson taught us how to tear apart ANY statistical analysis with fool proof tips to looking at stats with a critical eye. Pete Zimmerman talks of strategy and planning, and although I see myself as a pretty savvy strategist, this guy makes me look like a rank amateur. Steve Keller is on for tomorrow for our second session on building solid performance management plans. Bottom line, this place is cool as hell!

Re the forum? Last week it was Eric Cantor and William Perry. This week we're told it's a 'special guest'. I'm told they only book three days in advance, but it's well worth sitting in seats obviously engineered for college students before they experience the middle-aged spread. It's totally worth it.

Ok all. More to come. This is a once in a lifetime experience and I've got work to do to make sure I make the most of it... although tonight did include bourbon and cigars with my new friend from the UN. He's a political analyst for the Secretary, and is a terrific conversationalist. Does this mean I've been worked over? Probably. It's a good thing I only know about bourbon and cigars!

Jeff

Thursday, February 24, 2011

Harvard.. Thursday

So today was probably one of the best (BEST!!!) lectures I think I've ever heard in any course.. a day full of a 43-year professor (the one who taught Obama!) talking about communications and persuasion. Gary Orren had us for a full day, with a full framework for better targeting and framing communications to persuade others (voluntarily) to change course. WHAT A DAY.








Better? It was topped off with two speakers at the Forum (Agora -- a food market by day, speaking pulpit at night)... unfiltered Q&A. Eric Cantor (http://www.majorityleader.gov/) talking on the budget. The talk was terrific, but HIV activists protested at the end and were walked out. Regardless, an incredibly civil session! Finally topped off the night with a lecture from William Perry. What a day!

Jeff


Tuesday, February 22, 2011

My arrival at HKS...

Shirley asked me to post pictures of my immediate arrival, so here goes... This is my little room. There's a common living room as well, but nothing special. The view from the room however is really nice. The room is on the 4th floor of a dorm overlooking Soldiers Field Road, the Charles River, and the main Harvard Campus. The dorms are shared with Harvard Business School, so who knows, I may be sharing a dorm with the next Warren Buffett! Speaking of networking, it's already starting. Had lunch with two guys also here for the Senior Exec Program --the Regional Director for the Park Service from Philly, and another from the Fed Trade Commission. Great conversation over lunch.

Ok, I'm off. Need to change into a suit for opening day. We were asked to be in business attire. You know how much I hate wearing a tie, but I'll do it just this once... in case they take pictures ;)

Jeff



Monday, February 21, 2011

Another mover into the MSSP space?

Just running through my required reading. I know, it's a little late, but heck, I'm a bit of a multi-tasker, not-so-good television tonight, and I'm in between good books. Ok, not really, I'm reading "The Accidental Salesperson".. it's actually pretty good, but I've had enough for today.

Anyway, in browsing my required reading and RSS feeds, I came across an interesting post. ADP (the payroll outsourcing company) is advertising for forensic people for their 'converged security' practice. About five seconds of digging --http://www.indeed.com/q-Converged-Forensic-jobs.html --shows several postings for ADP's new outsourced practice. Funny, I know there's money attached. I saw something from a year or so ago that talked of $355b government spending for cyber security, but a payroll company? Wow. Talk about teaching old dogs new tricks! I'm impressed! The bigger question? Will they be successful? What exactly does ADP call 'converged'? I know what I call it, but the definitions seem to change.. infosec = cyber. What exactly does converged mean in the market today?

Jeff

Wednesday, February 09, 2011

On Value...


I’ve been dieting since the beginning of the year. Anyone who knows me knows I need to be on a diet, but last night, after heavy jonesing for Chinese food, I broke down and had Chinese food.
At the end of my meal I sat thinking about what I'd just eaten. The dumplings weren't hot; the sweet and sour sauce obviously from a can (bag?); and the meal as a whole just tasteless and lacking. It was going to cost me at least an hour on the treadmill and frankly, just wasn't worth the calories I'd eaten. On my way out the door I stopped at the register to pay. The owner asked (as they always do) how my meal was. I said nothing. She obviously saw the painful grimace on my face as I held back my criticism and pushed a little more. In a slow and deliberate way, I explained: my dumplings were cold, my sweet and sour pork was plain, and the meal as a whole was simply lacking. The woman explained that the dumplings should have been hot, but the sweet and sour pork is "the way we do it".
So here’s a clue. “The way we do it” means “There’s a reason you only have five people in your restaurant at the peak of the dinner hour”. “The way we do it” is directly related to the fact that you’ve got a sign on your front door announcing a price reduction on your buffet.
What’s this got to do with tech? I do consulting –not full time, but on request under the name Hammerhead Research. So this piece isn’t a plug for Hammerhead, but it reinforces a message that demonstrates exactly what I have been telling clients (and now my government bosses) for years.
1. Know your customer.
2. Know exactly what your customer considers valuable.
3. Know who your competitors are, and your value proposition in relation to them.
4. Create products that add value.
5. Don't stray. Pick your value proposition, stick to it, and deliver it consistently.
6. In the commercial world, target customers who both need the value you add, and have the ability to pay.
It’s a pretty simple formula actually. It took a startup failure, $800K in angel funding and being sued for me to learn this lesson in retrospect.
Two years or so ago I authored a plan for a Fortune-100 company who wanted to move from the physical security monitoring space (think ADT, but not ADT) into the computer security space. They wanted to become a global-scale managed security service provider, competing with ADT in the consumer market by integrating wireless unified threat management (UTM) devices into home fire and security monitoring systems. If a fire, flood, home invasion, or cyber bad guy set off an alarm, one of this company’s monitoring centers would be alerted. It would then be evaluated, and the analyst could make pre-determined decisions on how to react. 
To understand the customer, I researched consumer demand for information security devices. Not surprisingly, most consumers don’t know what they don’t know. Anti-virus was deemed by most to be enough. Consumers are already price conscious when it comes to home monitoring, with $25-$40 being the current market pricing.
To research the space, I studied current offerings, and gaps in current physical security and MSSP offered services. I called on (by phone and in person) customers who were showcased on potential competitor websites to find out what they liked and didn’t like about their current provider. I polled competitor salespersons about future company plans (those guys will tell you anything!). I performed this service across the spectrum of providers that might compete with the new business in this F-100.
In the end, the company decided not to enter the market. Consumers were highly price sensitive, didn't understand the need (yet), and the market was fragmented by a perceived lack of value in the home monitoring market and a low opinion of the companies selling services. In my opinion, this company was smart to not become just another monitoring company. While the computer monitoring service would likely differentiate them from the rest, the value proposition wasn't strong enough (in the customers' eyes) to generate long-term sales.
This is one example. I’ve researched and authored dozens of startup plans or turnaround studies for companies large and small who simply don’t understand the value proposition. I’m hoping the owners of that Chinese restaurant read this post.
Know your customer
Know your competitor
Know your value proposition
Deliver consistently
Repeat!

Saturday, January 29, 2011

On Virtual Internet Experience and Good Hygiene...

I was reminded yesterday of my tracking of Invincea. Virtualization: great strategy! I'd like to offer a few thoughts however, as with any application, remember this.. architecture counts, as does basic system hygiene. Hygiene is the process of keeping systems up to date, patches installed, antivirus up to date, etc. Realizing there are probably 400 things that need to be kept up to date to keep your networks from stinking like bad breath, and only one needs to go wrong to let in hackers, system hygiene is one of the hardest things, but one of the most important things, to do. In fact, I'd argue that ensuring the basics of system hygiene is far more important than the applications you might buy. Pay attention to how applications get deployed, especially virtualization, and you'll have better results in the end.

I've seen several schemes for virtualization of the users' internet experience. Please don't get me wrong. I'm a HUGE fan of the strategy --so long as it's implemented correctly. IPS alone wasn't the panacea; nor will virtualized internet experiences be. How does this get accomplished? Think about the kinds of things users must (or want to) do. What things do they need to do to not feel the pain of virtualization? They need to browse, share email, download. They need to move information from the virtual space (for internet use) to the corporate network. So now we've moved from the realm of a virtualized internet experience to a need to move information to and from the corporate intranet. How does this happen? Good system hygiene and architecture. The basics of defense in depth, and dedication to keeping those items clean and up to date (hygiene).

Bottom line. VCs tell startups "Sell across the street before you sell across the ocean".

I'd tell admins and CIOs, Practice good hygiene before you spend money on more advanced infosec offerings promising to stop advanced persistent threats. Ya can't get there from here.

Jeff


Saturday, October 23, 2010

Bit9 (and a bit of a rant about Infosec Pros!)

I have to tell you, every now and again I get a presentation from a product vendor that just makes me go "Wow. I wish I'd thought of that!" Bit9 was one of those.

During my travels I keep hearing the name Bit9, but hadn't really been exposed to their product. I attended a conference in January where they had a booth, but I hate those things. You can never have a serious talk. I guess they are a good way to get exposed to a lot of things and then circle back, but I always try and take notes on which to circle back on, and then either forget, or end up misplacing the literature.

Anyway, I did see Bit9 during the conference but didn't get to spend any time with them. When I returned, I forgot about them, only to be reminded a couple of months ago. So I set up a time, and offered my staff a lunch 'n learn.

Bit9 is a tool used (I'm sure they have others, but I loved this one) to identify installed malware on a system. More importantly, I was surprised to see that Bit9 is the brains behind some of my other favorite tools like Mandiant's MIR and is delivered by about a dozen others providing services. Interestingly enough (maybe I hadn't looked hard enough) I was under the impression that this space was wide open for exploitation with very little competition and a reasonable barrier to entry... meaning if I went to a VC for money to build the solution, a business case could be made, and I'd have enough of a run on my competition to be able to make a few bucks before they caught up. I still think that... the market for malware identification is still wide open and the AV vendors don't seem to have a clue.

Back to the point. Bit9 backends several malware identification tools with a database in a 'cloud' (marketing speak for two datacenters in Massachusetts). Regardless, the cloud is a massive repository of unique indicators each representing specific pieces of malware. The Bit9 tech is deployed to scan an environment using a client based system which compares files on a system to those in Bit9's database. The management console was, as you'd expect, pretty. Pretty without functional does no good, but in this case, the management console was totally functional. Running in a browser, it can be operated by any SOC or remote worker.
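To make the mechanism above concrete, here is an added example (my illustration, not Bit9's code or any vendor's) of the basic operation a host-side scanner performs: hash every executable on disk and look each digest up in a known-bad indicator set and an allowlist. The two "databases", the sample files, their contents and the file names are all constructed for this example; a real product's repository is far larger and is queried remotely rather than held in two dictionaries.

```python
"""Hash-based file classification against a known-bad set and an allowlist.

Added example; not code from Bit9 or any product. The indicator sets,
sample files and directory layout below are constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-ins for file contents the "cloud" database already knows.
KNOWN_BAD_CONTENT = b"MZ\x90\x00dropper-v1"    # pretend this is a known dropper
TRUSTED_CONTENT = b"MZ\x90\x00notepad-7.0"     # pretend this is a known-good vendor binary


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed indicator databases: digest -> label.
KNOWN_BAD = {sha256_bytes(KNOWN_BAD_CONTENT): "Dropper.Example"}
ALLOWLIST = {sha256_bytes(TRUSTED_CONTENT): "notepad.exe (trusted publisher)"}


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large binaries don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(digest: str) -> tuple[str, str]:
    """Known-bad wins over allowed: a hash collision across both lists is a red flag."""
    if digest in KNOWN_BAD:
        return "known-bad", KNOWN_BAD[digest]
    if digest in ALLOWLIST:
        return "allowed", ALLOWLIST[digest]
    return "unknown", ""


def would_block(verdict: str, mode: str) -> bool:
    """'detect' mode blocks only known malware; 'whitelist' mode blocks
    everything that is not explicitly allowed (the default-deny posture)."""
    if mode == "whitelist":
        return verdict != "allowed"
    return verdict == "known-bad"


def scan_tree(root: Path, extensions=(".exe", ".dll", ".sys")) -> dict:
    """Walk root, hash executables, and return {relative path: result}."""
    report = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        digest = sha256_file(path)
        verdict, label = classify(digest)
        report[path.relative_to(root).as_posix()] = {
            "sha256": digest, "verdict": verdict, "label": label,
        }
    return report


def summarize(report: dict) -> dict:
    counts = {"known-bad": 0, "allowed": 0, "unknown": 0}
    for entry in report.values():
        counts[entry["verdict"]] += 1
    return counts


def build_sample_tree() -> Path:
    """Constructed on-disk sample: one trusted binary, one known dropper,
    one never-seen DLL, and a text file the scanner should skip."""
    root = Path(tempfile.mkdtemp(prefix="scan-"))
    (root / "Windows" / "System32").mkdir(parents=True)
    (root / "Users" / "jeff" / "AppData").mkdir(parents=True)
    (root / "Windows" / "System32" / "notepad.exe").write_bytes(TRUSTED_CONTENT)
    (root / "Users" / "jeff" / "AppData" / "svch0st.exe").write_bytes(KNOWN_BAD_CONTENT)
    (root / "Users" / "jeff" / "AppData" / "helper.dll").write_bytes(b"MZ\x90\x00never-seen")
    (root / "Users" / "jeff" / "notes.txt").write_bytes(b"not an executable")
    return root


if __name__ == "__main__":
    results = scan_tree(build_sample_tree())
    for rel, entry in sorted(results.items()):
        blocked = would_block(entry["verdict"], "whitelist")
        print(f"{entry['verdict']:10} block={blocked!s:5} {rel}  {entry['label']}")
    print(summarize(results))
```

The interesting output is not the known-bad hit but the "unknown" DLL: in detect mode it passes, in whitelist mode it is blocked until someone approves it. That unknown bucket is where the operational cost of whitelisting lives, and it is why the console has to be usable by a SOC rather than just pretty.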

Bottom line: If you're looking for malware identification/remediation and whitelisting tools, save yourself some time. I've heard the name from some of the best companies in the world. Bit9 appears to have something real. I'd look at them first.

[rant]
In sitting with my team (and others I've worked with), it seems vendor presentations are peppered with questions like "You do X, why don't you do Y?"

This case was no different. Scope creep in vendor presentations is easy, and often takes away from the presentation. In this case, Bit9 has some really nice tech. They found their niche, filled it nicely, and are licensing the hell out of it to others who provide services in their space. Well done. What they didn't do was lose focus on their principal value proposition... finding malware on a host.

I'd love for one magic bullet solution. I'd drop it in my environment and turn it loose. It'd solve every problem I have, and those I haven't thought of yet. My users would be happy, it'd be free, and wouldn't require any maintenance... never going to happen.

Bit9 focuses on malware. Other technologies focus on other areas. Good management finds that first thing, with that first customer and puts it out of the park. Bad management finds thousands of customers and delivers mediocre solutions. I'm with Bit9.
[/rant]

Jeff

Invincea bake-off in a large company Internet isolation strategy

I had the opportunity to speak with a colleague last week. This gentleman is the CIO for a very large company and is in the middle of a bake-off between Invincea and another virtualization offering.

I'd discussed virtualization with him previously, but not in the form you're probably thinking. This is not a datacenter reduction strategy, rather an internet isolation strategy. He's trying to figure out a way to isolate his corporate network from the open internet.

My discussion started like this... "I'm interested in understanding how the Invincea test is working for you." His response? "No virtualization offering is worth anything by itself. Let me show you what we wanted, what we did, and the architecture that we had to build behind it." In the end, this CIO built one reference architecture in which he tested two virtualization strategies. Both were intended to virtualize only Internet Explorer on the desktop.

His measures of success were easy to understand and very straight forward:

1. Isolate, to the greatest extent possible, the internet from the corporate environment.
2. Do it with the least possible pain experienced in the end user experience.

I'd had a strategy discussion with him about a year ago. We discussed several options, including other virtualization applications, but also the use of simple terminal services, as well as a more simple idea.. issue everyone an iPhone. In the end, the iPhone dog didn't hunt and was dropped for discussions of the limitations of terminal services versus the implementation of an application virtualization strategy.

They've done a great job in that year, and now have about 1200 users in the pilot. Invincea had strengths and weaknesses, as did the other product. The other product has a significant price advantage, but is a tool developed for one thing, then used in another (therefore, no support for this particular use). Invincea on the other hand is a small company and therefore more willing to accept development money and allow this large company to shape its product strategy.

Bottom line: No one application (including this wonderfully promising tech) is the cure-all. Remember defense in depth? Invincea handles only one of those layers, but with the right architecture in place provides a truly viable option. There are others however. Don't be afraid to look around. One company I talked with was experimenting with QEMU! Others, VMWare, simple terminal services, etc. Do your homework. Do the architecture. And remember, in the end, nothing's cheap!

Jeff

Tuesday, September 07, 2010

Killed my SafeSocial account...

Great idea, not so good execution.

SafeSocial sent me the following:

"We have some cool news for you. Your parent, JEFFERY STUTZMAN, signed you up for something called SafeSocial.

You know how sometimes the adults in your life worry about you on the Internet because stuff can happen on sites like Facebook that isn’t safe? SafeSocial is a way for your parents to protect you and keep you safe without invading your personal space too much. It will make everybody's life easier."

I thought to myself, is this in language that my kids would respond to? Maybe. Regardless, after receiving this email telling me my parent (me) had some cool news, I decided to go back and look at the results. If I'm going to pay nine bucks a month for the service it needs to provide value. In this case, even though I have a couple of social networking accounts, SafeSocial didn't really do much for me. My five day trial period was up. I'll try it again later.

If anyone else has feedback on this service, my personal opinion? It's a great idea. I'd love to see it. I probably won't pay nine bucks a month for it, but would consider say, four or five.

Thoughts?
Jeff

Thursday, September 02, 2010

SafeSocial.com - Great idea! My thoughts...

I received an ad this morning for AOL SafeSocial. The idea is, parents can monitor their kids' Facebook, Myspace, Twitter, etc., accounts via one portal, and the thing would both check the reputation of your child's online social network friends, and report any bad sites that your child may have been exposed to.

Having one new teen and another a bit younger, both knowing they're not allowed to have sex before they're 42 (or I'm dead, whichever comes first), I had to try this.

Here's how it worked for me:

  1. I clicked the AOL link which took me to safesocial.com.
  2. The interface looked relatively sparse, but I did it anyway.
  3. I decided that since I too have social networking memberships, I'd try it on myself first to see how it went. I added my email and name to the 'who do you want to spy on' (my words not theirs) field and clicked submit.
  4. SafeSocial then sent me a link to my address telling me someone wants to monitor my social networking use. Do you really believe my 13 y/o daughter would consent to my monitoring her? (hint: not only no, but... you know the rest!)
  5. Since I was experimenting on me, I clicked 'agree'.
  6. Immediately SafeSocial squealed on me. It told me that I was on LinkedIn, which is not normally a site for kids. It then checked facebook and twitter.. both seemed ok (for now).
Couple of thoughts:
  • My daughter will never allow my monitoring, nor should she have the option. I pay for her service, she's a minor in my charge, and I should be able to monitor without her consent. Love the idea of the service, but would have preferred to see it be more seamless.
  • $9.99 isn't a bad price if the service actually delivers. I can say, I received multiple emails immediately upon signing on for the service.
Looking forward to seeing how this shakes out. My daughter is going to kill me!

Jeff

Thursday, July 29, 2010

Mobile threats?

Damn! I knew I should have attended Blackhat this year!!

------------------------------------------------------------------------------------------

"It collects your browsing history, text messages, your phone's SIM card number, subscriber identification, and even your voicemail password." - mobile.venturebeat.com

http://mobile.venturebeat.com/2010/07/28/android-wallpaper-app-that-steals-your-data-was-downloaded-by-millions/

questionable Android mobile wallpaper app that collects your personal data and sends it to a mysterious site in China, has been downloaded millions of times, according to unearthed by mobile security firm Lookout.

That means that apps that seem good but are really stealing your personal information are a big risk at a time when mobile apps are exploding on smartphones, said John Hering, chief executive, and Kevin MaHaffey, chief technology officer at Lookout, in their talk at the Black Hat security conference in Las Vegas today.

"Even good apps can be modified to turn bad after a lot of people download it," MaHaffey said. "Users absolutely have to pay attention to what they download. And developers have to be responsible about the data that they collect and how they use it."

The app in question came from Jackeey Wallpaper, and was uploaded to the Android Market, where users can download it and use it to decorate their phones that run the Google Android operating system. It includes branded wallpapers from My Little Pony and Star Wars, to name just a couple.

It collects your browsing history, text messages, your phone's SIM card number, subscriber identification, and even your voicemail password. It sends the data to a web site, www.imnet.us. That site is evidently owned by someone in Shenzhen, China. The app has been downloaded anywhere from 1.1 million to 4.6 million times. The exact number isn't known because the Android Market doesn't offer precise data. The search through the data showed that Jackeey Wallpaper and another developer known as iceskysl@1sters! (which could possibly be the same developer, as they use similar code) were collecting personal data. The wallpaper app asks for "phone info," but that isn't necessarily a clear warning.

The Lookout executives found the questionable app as part of their App Genome Project. Lookout is a mobile security firm, and it logged data from more than 100,000 free Android and iPhone apps as part of the project to analyze how apps behave. It found that the apps access your personal data quite often. On Android, each user is asked if they give their permission to access an app, but on the iPhone, where Apple approves apps, no permission is needed.

Roughly 47 percent of Android apps access some kind of third-party code, while 23 percent of iPhone apps do. The executives also found that many apps use third-party software programs to do things such as feed ads into an app. Often, developers unquestioningly use the software development kits of those third parties in their apps, even if they don't know what they do. In many cases, there is a good reason for the use of personal information. Ads, for instance, can be better targeted if the app knows a user's location.

Hering said in a press conference afterward that he believes both Google and Apple are on top of policing their app stores, particularly when there are known malware problems with apps. But it's unclear what happens when apps behave as the wallpaper apps do, where it's not clear why they are doing what they are doing.
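The article's point is that a "phone info" prompt hides what an app can actually read and send home. As an added example (not code from the article, Lookout or this blog), here is the kind of manifest check a defender can run before installing: it parses a constructed Android manifest resembling the wallpaper app and flags sensitive-data permissions that are paired with INTERNET, plus anything beyond what a wallpaper app plausibly needs.

```python
"""Flag Android permission combinations that enable the data collection the
article describes: sensitive-data permissions declared alongside INTERNET.
Added example; the manifest below is constructed, not the real app's."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# What each permission exposes. READ_PHONE_STATE is the one the install
# dialog of that era summarised as "phone info"; it covers the subscriber
# ID and SIM serial number the article mentions.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE": "subscriber ID and SIM serial number",
    "android.permission.READ_SMS": "text messages",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "browsing history",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}
NETWORK = "android.permission.INTERNET"

# Assumption: a plain wallpaper app legitimately needs only this permission;
# anything else it asks for deserves a closer look.
EXPECTED_FOR_WALLPAPER = {"android.permission.SET_WALLPAPER"}

# Constructed manifest resembling the described app: it asks for "phone info",
# SMS and browser history on top of the wallpaper permission it really needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> tags."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get("{%s}name" % ANDROID_NS, "")
        for el in root.iter("uses-permission")
    }


def exfil_capable(manifest_xml):
    """Sensitive permissions declared together with INTERNET, i.e. data the app
    can both read and send off the device. Returns a sorted list of
    (permission, data exposed); empty if the app cannot reach the network."""
    perms = declared_permissions(manifest_xml)
    if NETWORK not in perms:
        return []
    return sorted((p, SENSITIVE[p]) for p in perms if p in SENSITIVE)


def beyond_purpose(manifest_xml, expected=EXPECTED_FOR_WALLPAPER):
    """Permissions that go beyond what the app's stated purpose needs."""
    return sorted(declared_permissions(manifest_xml) - expected)


def report(manifest_xml):
    """Human-readable findings, one per line."""
    lines = []
    for perm, data in exfil_capable(manifest_xml):
        lines.append("can read and send: %s (%s)" % (data, perm.rsplit(".", 1)[-1]))
    extra = beyond_purpose(manifest_xml)
    if extra:
        lines.append("beyond a wallpaper app's needs: " + ", ".join(
            p.rsplit(".", 1)[-1] for p in extra))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_MANIFEST):
        print(line)
```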

Wednesday, July 21, 2010

More on Invincea

Last night I had dinner with an old friend. As often happens, the conversation rolled around to information security and the new threats. One tactic for protecting against these new threats appears to be, at least on the surface, virtualization. How can a company remove access to the Internet while maintaining the ability of those who require access to get it in a safe way --all without killing the user experience to the point where they'll find alternative means of gaining access?

As mentioned before, I've seen pitches from VMWare, talks on using Med-V, thin client solutions --all of whom believe they have the answer. Not sure if they do, but one thing is for sure. My friend is the Director of Information Security for a very large company and they're doing a pilot/bake-off, and this little, out-of-nowhere company called Invincea is actually one of the companies in the bake-off. Amazing. I can't wait to hear how this goes.

... More to follow on that.

A bit of advice for Invincea? Knock this one out of the park!

I'm liking what I'm hearing about this tiny company so far. I'm going to continue to track it. If anyone from the company is reading this (Dr. G did respond directly to me yesterday), I'd love to talk to a few reference companies!

JS

Monday, July 19, 2010

Anyone ever heard of Invincea?

I hadn't until just a few minutes ago. I was performing research for a consulting job for an investor who's considering making an investment in a security company. I'll sometimes do these on the side. Anyway, in this case I happened across a company called Invincea --using the words in their summary:

"Developed a patent-pending, revolutionary technology for protecting computer workstations from Internet attacks."

I love these words. Nothing thrills me more than patent-pending, revolutionary technology for protecting computers from Internet Attacks! Right now, I'm typing with sweaty palms and my heart's racing because the thought of new, patent pending, revolutionary new software to protect my computer workstation from Internet attacks makes me, well, downright giddy!

So I read on... at the website (http://www.invincea.com/), I found a white paper. All startups have them. I was hoping to also find a list of reference customers I might contact while contemplating this paper. You see, the company is headed by the standard board of venture capital execs, but also by Dr. Anup Ghosh. That name might ring a bell for many reasons -DARPA program manager, NSA? That said, he's a smart guy and at first glance the company looked interesting. Now, while I haven't taken the time yet to look at the patent application, just reading the whitepaper tells me a little about the product:

1. It's revolutionary (their words not mine.. I'll stop making fun of them now ok?)

2. It uses virtualized browsers

3. It captures everything that happens in the browser while it is in use during an attack

4. It sends everything from the virtualized session to a database somewhere (local or, as it states, in the cloud -I'm guessing Invincea is offering a managed service as well as software?)

Thoughts:

Virtualization seems to be a great buzzword for protecting from drive-by downloaded malware. I've seen a number of vendors (most of our favorites) pitch their wares on how good their product is in protecting from these threats. Some say the product can be reset at the close of each session (actually they all say that); some talk about how the virtual wall between the child and parent operating systems can't be broken (it's true, I've heard this before). Invincea however seems to be using a honeynet process in a virtualized session. I like it. If you can't beat 'em, set a smart trap for 'em. It seems to me to be the best of both worlds -protection and collection; intel gain/loss (speaking in a purely network protective context of course!).

What's next? I'm really interested in seeing some reference customers posted on the site. I've seen presentations on the technology before it became Invincea. I had doubts at the time. It looked to me to be far too much overhead to be powered on an already overburdened laptop, but what the hell. If it works, it could be good!

Back to you Dr.~!

Tuesday, March 30, 2010

I HATE COMCAST!!!

I hate Comcast!

I was paying a fee for a DVR from Comcast. Most of the time, many of the features didn't work. For example, the machine often froze, on demand NEVER worked, and on top of everything else, Comcast had to reset my system several times a month.. all for the high value, very low monthly price of $130.

So, I bought an Elgato Hybrid stick, inserted it in my trusty Mac Mini, hooked the whole thing up to my flat screen and off I went. All those ClearQAM channels plus the local stuff. LOVE IT. The story gets better, hang with me.

Comcast announced a few months ago that everything was going to digital.. and they did. My Elgato handled it nicely until... Comcast seemingly started encrypting more signals! I lost the Discovery Channel!

Finally, over the weekend, after missing Mike Rowe, I broke down and bought a TiVo --only to find out that I need a multi-streaming CableCard --a PCMCIA card that plugs into the back of the TiVo. So, on Sunday I enter into a chat session with a very nice Comcast rep who tells me "no problem! I'll ship you one.. or better yet, you have a Comcast office right around the corner from your apartment. If you go pick one up it'll save you ten dollars in shipping." I agreed.

So yesterday I took time over lunch and ran to the Comcast office. After waiting in line for twenty minutes the CSR told me that I had to schedule a service appointment. SHIT! FOILED AGAIN BY F*ING COMCAST! No appointments after 5! I have a secretary who scraps for every timeslot during my day and Comcast wants me to stay in the apartment waiting for one of their idiot flunky high school dropout (ahem) technicians? I asked if they could call so I could meet them... no. I didn't get a card. I didn't schedule a service appointment.

Today I called Comcast. I finally ended up with an appointment. The CSR on the phone put 'a note in the file' to tell them to call thirty minutes before they arrive. She couldn't promise anything. We'll see.

Poor customer service
High price
Low value programming
Three hour time slots required for delivery
Uneducated technicians (the last one sporting Appalachian goatee)

Let me say it again: I HATE COMCAST!!!

Jeff

Sunday, January 31, 2010

Is Google the new NSA?

Am I the only one worried about this?

I've been watching Hulu and keep seeing Google ads for Chrome.

Every time I turn around, I see ads for the Google Droid (cell phone).

Here's a question for you.. does anyone know how Google makes money? It's not the same as other phone manufacturers, or Apple, or netbook manufacturers. They make money by selling hardware and/or software, and take a cut from the cellular providers for every two year contract.

Google makes money by collecting and selling information. Of course they're going to make money on the device itself, and from a cut from the cellular providers, but their main source of revenue is from collecting information -YOUR information, and selling it to marketers, data miners, analysts, researchers, or anyone else who will pay.

Now we've all heard the stories of how much information NSA (and other SIGINT collection agencies in the world) collect, and how much they process, but these agencies get what can be collected over the air. Google has a better source --the handset itself. Can you think of a better way to understand individual user preferences, calling patterns, behaviors? I can't. It's the one electronic device that we use the most; we depend on it to stay connected, and Google gets to see it all. Where exactly do all of those apps connect back to? How does the phone stay in touch with Google? How much information is being collected? Who uses this information? Try Googling "Google versus NSA" and see how many results come back.

Now take this a step further.. Google, although being challenged by Microsoft's Bing, owns the search market, is moving quickly with their 'Chrome' browser, owns the blog I'm publishing this on, owns YouTube (and all of its subscribers), Google Earth, Mail, Wave, Google Voice, and endless apps that they collect information from, and now, Droid.

Silly, but I keep having visions of a movie from last summer, "Eagle Eye", and the automated actions of a supercomputer that used information collected from all of these devices and software, analyzed it, and used it to control every movement of Shia LaBeouf and a second unwitting victim. In the movie they referred to this information as 'collective intelligence'.

The difference between Google and NSA? NSA has intelligence oversight. Google does not.

Am I the only one worried about this?

Monday, July 20, 2009

The NEW Infosec is upon us! (but we're still armed with old products!)

Every day I read dozens of articles regarding cyber war, DDoS, cyber espionage, the President's cyber czar (which, as I understand, remains unfilled), a TON of pro and con opinions in the press, and dozens of analyst opinions. This doesn't include vendor pitches and the deluge of advertising aimed at the Information Security dollars that will be spent in the coming years.

I'm going to lay it on the table in the hopes that someone will get it... today is the first of a couple of blogs offering comments about where we are, why we have issues, and hopefully, what we can do about it.

Here's number one... Vendors.

Vendors -companies who sell infosec products -don't get it!

Entrepreneurs want to hype their companies, all in the hope of making their products, companies and books look better than they really are, and will say anything to make it sound like their products are the best thing since sliced bread. In fact, many just don't get it. I can't tell you how many presentations I've sat through, only to ask the hard questions --hard questions about not the 80% of the threats they've built their pitches on, but about the top 20% of the threats that come in through spam, phishing, and drive-bys --all fueled by sophisticated social engineering? Yeah? Whadya gonna do about that?? So vendors, here it is --your products are built on the old threat models. Get with the program. Hire people with recent experience and sell GOOD products rather than products that try to solve EVERY problem. Find the pain point in the market, get really good at it, and fill the hole as best you can. Do your homework! Use a competitive intelligence guru who knows your space and can tell you exactly what your competitors are doing. Please, for the love of God, please, don't come see me without having detailed competitive intelligence in your back pocket. I swear, if I hear one more entrepreneur tell me they don't have any competition I'm gonna puke.. and then kick you out of my office.

Medium sized vendors.. I've got to pick on Security Information Management for a moment. Great idea, but it's making our SOC analysts dumb. They have come to rely on the boob tube with absolutely no idea what's going on in the background. These products have turned skilled analysts into movie watchers. What's worse? The vendors have 'em hooked like crack whores. Once the licenses are bought, and the SOC works on the SIM/SEM GUI, the company never looks back and will continue to pay over and over and over and over and over. They'll keep coming back for more because the sunk costs are too high to leave behind without the CISO getting really red faced over the money already spent. Why do I have so many issues with SEM/SIM? Remember the old days when we watched a VT100 screen with IDS logs passing by? We were inundated with information but had no idea which ones were important. Today we have the same issue. How do you know what's important? OK, I'm a pretty seasoned guy, and can (sometimes) tell by looking, but most SOC analysts aren't. They need to know what's bad and what isn't. Then, they need to be able to look deeper. So, SIM guys, make it so! Bells and whistles aren't worth a damn if everything looks important. I can't tell you how many times I walked into the SOC, saw the SEM top ten list on the big screen and asked what was happening with the number one... I always got the same answer ... "It's a false alarm." Bullshit.

Larger vendors (like the Antivirus Vendors) can sit on their laurels and enjoy the fruits of ineptitude. That's right, I said ineptitude. Do we really know how (in)effective antivirus is? It's a good thing it's cheap! If it worked, why would we need so many layers in our defense in depth program? A/V should be able to kill anything landing on the computer, but, alas, they can't. Instead they have to rely on a whole slew of other technologies to do their job, and guess what? There's no way to correlate all of those things together to tell what's good and what's not! Sorry folks, I've come to the realization that A/V vendors would rather expand their market than make their product more accurate.

Bottom line. Vendors are out of touch with their market. Here are a few things that'd make things a WHOLE lot better.

1. Small and medium size companies --use Competitive Intelligence as a regular part of your marketing team. CI can help with pricing strategies (by finding out what competitors charge), product management, and long range planning. For the cost of one engineer, you can have a VERY clear idea of what you're facing and where the niche is.

2. Larger companies? Pay attention to your customers. Premium service packages are nice, but not if you're only catching 10% of the problems. The products should work first time, every time, and be right.

Next time... Magic Quadrant!

Jeff

Saturday, May 30, 2009

We Have A Cyber Czar, and He Has Spoken

I couldn't help it. I took a link from Bob Gourley's CTOVision blog where he tells the world that we ALREADY have a Cyber Czar. His name is Vladimir Putin!

http://ctovision.com/2009/05/white-house-cyber-policy-review-and-a-cyber-czar/

Bob tells it like it is, so there's no need for me to :)

Enjoy!

Jeff

Friday, May 29, 2009

eWeekNews: Discovery Features Make DLP Smarter... really?

Thursday, May 28, 2009

Study finds IT security pros cheat on audits --Is this a surprise?

In an article received on twitter yesterday, the author (Angela Moscaritolo, on May 27, 2009) discusses the fact that IT Security Pros cheat on Audits. The article may be seen at:

http://www.scmagazineus.com/Study-finds-IT-security-pros-cheat-on-audits/article/137546/

It should come as no surprise that corners get cut in audits. I wouldn't call it cheating per se, nor am I defending those who blatantly gundeck (a Navy term for cheating on assigned tasks). There are a few reasons for it, but here are two:

1. In smaller/medium sized companies, resources generally don't exist to carry out the full scope of even the most basic audit frameworks (measuring against 800-53, ISO, etc.), thereby leaving gaps in the completed audit when compared to the plan.

2. In larger companies, the audit teams report to the board of directors, not to the ISO or CFO as the Risk team or Information Security team will. Auditors get treated like every other auditor.. they get what they ask for -nothing more, nothing less. I've worked as an auditor, and worked with auditors several times in the past eight years and know the drill quite well. If an auditor is uninformed, they don't ask good questions, and as a result, get inaccurate information.

Tips for doing better audits?

1. Look for experienced IT/Security people that can be taught auditing. Certifications are good, but not perfect. CISA is common among the large consulting organizations, but again, personal experience leads me to believe that not all CISAs are created equal.

2. Create an environment of cooperation between the audit team and the infosec/risk team. If an audit is going to happen at a certain location, why not leverage the audit team to perform a risk assessment at the same time? There's an opportunity for resource sharing if you can get legal to sign off.

3. Cross train and labor share. Use infosec people as auditors, and get auditors involved in sitting in the SOC. This makes everyone smarter, and eventually, the company better.

4. Find a good framework and stick to it. Measure the results location versus location, program against program, or division against division. It's not a report card but a score card that offers baseline, and hopefully upward trending.

Most importantly, remember, auditors get treated like auditors. They're outsiders and need to know what to ask, and whom to speak with to get the right information. They get this through bonding and familiarity in the organization. Train them well, get cooperation with infosec, and you'll see markedly better, and more consistent audit results.

Happy hunting!
Jeff

Wednesday, May 27, 2009

Podcast: More Targeted, Sophisticated Attacks: Where to Pay Attention

What timing! I just blogged about this this morning.

The conversation is 20 minutes long, but the piece with Marty talking about new issues --Social Engineering and (still) bad code is about 6. It's worth a listen. I'd love comments back. Thoughts? What other issues should we be concerned with during this period of adjustment to new threats?

More Targeted, Sophisticated Attacks: Where to Pay Attention
http://www.cert.org/podcast/show/20090526lindner.html

Featuring:
Marty Lindner - CERT
Julia Allen

RSS: http://www.cert.org/podcast/exec_podcast.rss

Information Security Vendor hype?

It seems we're in an entrepreneurial dilemma... especially in the information security field.

Entrepreneurs/innovators/tech sales people create, commercialize and sell new, innovative tools, but it seems we've hit a plateau where the entrepreneurs don't understand the new market. In this down-turned economy how many infosec companies have failed? How many have been bought? I'd guess far fewer acquired than failed, but then again, that's always been the case. Now it seems harder. It seems entrepreneurs are stuck in two areas that they just can't seem to find their way clear of:

1. New attack methods are not caught by old security tools! No matter how many signatures you stick into an IPS, it's not going to be able to stop a C2 channel heading out your door when it's buried inside of FTP! Don't tell me about Data Loss Prevention or losing the perimeter. I've had all the sales garbage that I can stand from the likes of Vontu and Verdasys. While both good ideas, DLP is not a solution for identifying and stopping badness inside your enterprise. The solutions stop 'not so smart' people from doing stupid things but do not stop smart people from stealing information from you.

2. Entrepreneurs are so busy selling (hyping) their products, and so busy with their noses pointed squarely at their keyboard (or financials), they've lost touch with what infosec practitioners really need... and the worst part is, they're not getting it from the trade magazines either! SC Magazine has gone from a robust magazine with good information to an ad rag full of expensive ads and very little content that will give entrepreneurs information to help them focus their product lines and strategy. So here's a bit of advice folks (from a guy who gets pitched more times than most), stop pitching. Leave your marketing materials at the door. Do your homework and be ready to answer hard questions. If I visit your company, I don't want to talk to your business development people. I want the techies. I want to see the results of your product on your company network, and I want to see the demonstrated ROI realized by you. I want to talk down and dirty tech. Tell me why it works. Show me that it does. Tell me its current limits... then, and only then, will we have more to discuss.

3. Venture capitalists continue to push offshore development because the numbers make sense. You know what though? I won't buy it if there's no way to assure the security of the product, and EAL certification isn't it. Show me something that hits a product squarely with the newest attacks and handles it well. Base certification on that. Until then, VCs, you're limiting the ability of your portfolio companies to be able to sell to government and government contractors.

There, I said it. Want to know what the market looks like? Want to know what the market is going to look like? Want to know what kinds of threats your security tools need to be able to handle? Contact me. I'll tell you.

Jeff

Wednesday, December 31, 2008

Update to the iPhone dilemma

You may recall my post in May where I complained loudly about the issue of upgrades, AT&T, and Apple after having waited for four hours online to proudly upgrade to the iPhone. I should say, I'm a Mac user. There's not a Windows device in my home, save Office 2008.. I LOVE my Macs.

That said, I was enamored by the Blackberry Bold on the day it came out. I've been using it for about a month or so now, and after comparisons between the Bold and the iPhone, I'm a pretty happy guy for buying the Bold.

Here's why:
1. Battery life in the original iPhone wasn't so good. In the 3G model, it was worse. The Bold has the same problem. I rarely use it on WiFi, only because the 3G does the trick, so I leave it off and save the battery. Regardless, I get about 8 hours of life.

2. The Bold is fast, responsive, and the keyboard is exactly what you'd come to expect from Blackberry. It works every time, and my fat thumbs don't miss the keys. Unfortunately that wasn't the case for the iPhone. I spent much time correcting typos, and then finding creative ways to vent frustration.

3. The Bold works well with Exchange, and syncs nicely with my Mac.

4. I'm used to it! A Blackberry is nothing short of a must have technology for anyone that must remain connected. While I'm probably not that needed, I like to feel like I am, and the Blackberry keeps me connected.

OK.. much of it's personal preference, but.. that's my story and I'm sticking to it!

Jeff

Eight Analysts' IT Predictions

http://seekingalpha.com/article/112538-eight-it-analysts-predictions-for-2009?source=feed

Short, interesting read.

I have thoughts (you knew I would!)...

1. Shadow IT use will grow. Not called out by the analysts, but IMO, because of new infosec threat landscape, required controls, and the need for enterprise to take and maintain positive control over every computing asset, you'll see a TON of new shadow IT to skirt those requirements... I also think big enterprise will offer pseudo approval of this practice... "If we don't know about it, we don't have to report it when it gets whacked." Right?? Hmm...

2. Cloud computing. I know we're seeing a lot of hype around cloud computing, applications, and services.. IMO, it's coming fast. Companies are going to realize that paying for their own internal IT isn't as cost effective as having someone do it in the cloud, paying by the account and/or use. Additionally, if cloud computing is used, and there's a break-in, the owner of the data now has somebody to sue for damages! In a time when you can't help but get broken into, doesn't it make sense to have someone to point the finger at?

3. Cost reductions? No surprises there. The main role of a CIO is to apply current technologies to increase competitiveness through either top-line growth (sales), or bottom line growth (through cost avoidance and/or increases in efficiencies/effectiveness).

Anyway, good stuff...

Happy New Year!

Jeff

Tuesday, August 12, 2008

Not all that will return from China is going to be Gold!

Originally posted on HuntBI.com, Steve Hunt's business intelligence advisory site, is a posting that I placed a few days ago regarding my concern over all of those computers connecting to the Internet in China. The posting can be viewed at http://www.securitydreamer.com/, with an excerpt shown below..

NOT ALL THAT COMES HOME FROM CHINA WILL BE GOLD!
8/8/08
J.L. Stutzman, CISSP
Hammerhead Research, LLC

What happens in Vegas stays in Vegas right?

What happens in China won’t necessarily stay in China.

What do I mean by that? In the Navy there was a sea story. It went something like this…
We pulled into . When we pulled in, the Captain came over the 1MC (the general shipboard loudspeaker system) and gave us a country brief. He told us to be careful. He told us that if we got into a fight, to win, and to be careful with the women- always. Sexually transmitted diseases ran wild in many of the ‘sailor ports’. The story I remember talked about how the hospital corpsman onboard the ship would use a Sharpie to put the name of the sailor on the pair of syringes used to rid us of whatever we picked up. The syringes were then stuck into a dartboard in the Chief’s Mess. As the story goes, the dartboard was always full.
So here’s the deal….
Chinese cyber spies WILL steal your stuff!