Archive for the ‘General Rants & Raves’ Category

Hey, Hoff, You’re SO Much More of An Asshole In Real Life Than On Your Blog…

March 29th, 2008 9 comments

Sometimes it’s hard being me. 

I am, admittedly, bipolar and schizophrenic.  Armed with a lack of patience, a fondness for bourbon and an expense account, I can go from hero to zero in the time it takes to read one of my mini-opus blog posts.

It takes me about 5-10 minutes to write one of my blog posts and it shows.  A lot of my thoughts are just that — thoughts.  Sometimes they’re not complete.  That’s actually your job.  Point ’em out and make us both think, but be prepared for passionate debate.

That said, I get asked all the time why I didn’t turn it up to 11 and rip someone a new one on my blog when they post marketing drivel or why I didn’t squirt a product with lighter fluid and set it ablaze instead of taking the less flammable road.

You see, my blog represents the kinder, gentler version of me (scary, I know.)  It’s me, getting in touch with my feminine side.

So I find it genuinely amusing when people are surprised that I am *more* of an asshole in real life than I am on my blog.  I feel that’s better than the other way around, honestly. 

I find it deliciously ironic that I seem to represent the minority in this characterization, so let me explain why it is that I’ve decided to be more restrained than I used to be:

  1. I’m getting older.  Maybe it’s a lack of fiber or almost 15 years of marriage, but some things I just let roll off my shoulders these days.  It could be that training 4-5 times a week in Brazilian Jiu Jitsu lets me deal with all the bottled-up rage that a rear-naked choke, armbar or cross-collar choke seems to take care of.  Some people have Calgon to take them away, but for me, I’ve got nothing to prove besides the fact that I’m not afraid to say that I have nothing to prove.
  2. You people are smart.  If I ask very specific questions and raise issues to which people respond like programmed spokesholes from the planet Marketron, you’ll see right through them and arrive at the same point as you would were I to lead you down the path.
  3. It’s a small freaking world.  I don’t want some dude I piss off now to run over my dogma with his Karma later.  It takes a ton to really get me going, and bad things will occur when you do.  One of my first blogging Tourette’s adventures ended up getting someone fired, and as hysterical as that is, unless what someone says is personally offensive, criminal or steps on the rights of others, I’ll poke a little and that person will look like an assclown all by themselves.
  4. Context is everything, permanence is scary.  It’s impossible to have a conversation via blogs.  Comment pong sucks donkey and more often than not, sentences get picked apart due to use of passive voice and arguments ensue debating the trees for the forest.  And it stays around forever.  If I have beef with someone regarding something, I’ll email them or *gasp* talk to them.  I don’t want some printout from the wayback machine being entered into evidence as People’s Exhibit #3.
  5. I’ve got 3 kids.  Besides having to act as moral compass, my three girls eat like piranha, need to learn how to be good humans, and require daily sacrifices at the Webkinz/Hannah Montana/Jonas Brothers altar.  That shit is expensive on all fronts.  I need a paycheck.  Yes, I’m a sellout to the man, er, woman.  You don’t seem to mind when I expense dinner and drinks though, huh?
  6. It’s best to pick your battles.  When something stinks, I tell you.  When I believe or don’t believe in something, I say it.  I just don’t need to pour gas on a fire for effect.  Sometimes, it’s just not worth the time, effort or exposure.  See #7.
  7. I’ve got better shit to do.  ’nuff said.

I do hope that opening the kimono and revealing my humanity  doesn’t alarm anyone.  Rest assured, however, that in person I really am a huge asshole.  I don’t have a lot of friends and that’s the way I like it.  I’m rarely wrong and given that fact, I’m loud, opinionated and don’t mind sharing. 

I think the real-life version of me is *so* much better than this one, but YMMV.

Ask anyone who’s had the misfortune of knowing me for any length of time.  If my Feedburner stats take a dump, so be it. 

/Hoff

Update: Just to be clear, I was laughing when I wrote this, so hopefully you are when you’re reading it.  This wasn’t a plea for pity nor was it because I’m being psychically marauded by a rogue band of empaths looking to bring me down.  I’m quite happy being me.  Thanks for the virtual hugs from those of you thinking I was needing one! 😉


An Interesting Role Transition For Me…

March 25th, 2008 6 comments

I don’t write a lot about what I do for my day job/paycheck.  There are lots of reasons for that, but sometimes the Universe shakes things up a bit and this is one of those times.

I came on board as the Chief Architect of Security Innovation at Unisys eight months ago.  With the intriguing title came some really interesting opportunities to branch into areas that I didn’t have a lot of direct experience with while also maintaining a role of evangelist and sometimes-spokeshole.

I’ve been involved in areas of converged security with large sensor networks, issues of (inter)national security, public sector engagements and all sorts of mind-blowing non-classified military and federal activities.  It’s a whole other world. 

Floating about global business units is entertaining and stimulating, but at times a bit overwhelming and less mission-oriented than I am used to.  It’s cool to exercise strategy muscles in tactical maneuvers but I’m technically a start-up/turnaround guy who likes focused and goal-oriented challenges.

Last week I got an opportunity to do just that — work my strategy/futurist muscles — with a really refined focus by moving over into our S&T (Systems and Technology) division as the Chief Security Architect headed up by ex-HP exec Rich Marcello who is the corporate SVP and President of the S&T division. Rich is a very cool guy — he’s a Mac nut, iPhone owner and musician.  He definitely thinks outside of the box.

I’m tasked with crafting a comprehensive security strategy across all the S&T product, solution and services portfolios and aligning that with the rest of our strategic security initiatives across the company.

So besides working for a very cool guy and with an excellent team, this is really interesting to me because S&T is focused on the delivery of Real Time Infrastructure (RTI) solutions and services which are functionally based upon virtualization technologies and all the interesting things that go along with that.

I’m excited about this because (as if you can’t tell) I am rather interested in virtualization and security so now I get to put those two things together not only here, but as my day job, too. 

So, for those of you who were confused/wondering about what I actually *do* besides blogging, now you know!

OK, back to our regularly-scheduled programming…

/Hoff


McGovern’s “Ten Mistakes That CIOs Consistently Make That Weaken Enterprise Security”

February 26th, 2008 11 comments

James McGovern over at the Enterprise Architect blog wrote a really fantastic Letterman’s Top 10 of mistakes that CIOs make regarding enterprise security.  I’ve listed his in its entirety below and added a couple mineself… 😉

  • Use process as a substitute for competence: The answer to every problem is almost always methodology, so you must focus savagely on CMMi and ITIL while not understanding the fact that hackers attack software.
  • Ostrich Principle: Since you were so busy aligning with the business, which really means that you are neither a real IT professional nor business professional, you have spent much of your time perfecting memorization of cliche phrases and nomenclature and hoping that the problem will go away if you ignore it.
  • Putting network engineers in charge of security: When will you learn that folks with a network background can’t possibly make your enterprise secure. If a hacker attacks software and steals data yet you respond with hardware, whom do you really think is going to win the battle.
  • Over rely on your vendors by relabelling them as partners: You trust your software vendors and outsourcing firms so much that you won’t even perform due diligence on their staff to understand whether they have actually received one iota of training.
  • Rely primarily on a firewall and antivirus: Here is a revelation. Firewalls are not security devices, they are more for network hygiene. Ever consider that a firewall can’t possibly stop attacks related to cross site scripting, SQL injection and so on. Network devices only protect the network and can’t do much nowadays to protect applications.
  • Stepping in your own leadership: Authorize reactive, short-term fixes so problems re-emerge rapidly.
  • Thinking that security is expensive while also thinking that CMMi isn’t: Why do you continue to fail to realize how much money their information and organizational reputations are worth.
  • The only thing you need is an insulting firm to provide you with a strategy: Fail to deal with the operational aspects of security: make a few fixes and then not allow the follow through necessary to ensure the problems stay fixed.
  • Getting it twisted to realize that Business / IT alignment is best accomplished by talking about Security and not SOA: Failing to understand the relationship of information security to the business problem — they understand physical security but do not see the consequences of poor information security. Let’s be honest, your SOA is all about integration as you aren’t smart enough to do anything else.
  • Put people in roles and give them titles, but don’t actually train them: Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.

Here are some of my favorites that I’ve added.  I’ll work on adding the expanded explanations later:

  1. Keep talking about threats and vulnerabilities and not about risk
  2. Manage your security investments like throw-away CapEx cornflakes and not as a portfolio
  3. Maintain that security is a technology issue
  4. Awareness initiatives are good for sexual harassment and copier training, not security
  5. Security is top secret, we can’t talk about what we do
  6. All we need to do is invest just enough to be compliant, we don’t need to be secure
  7. We can’t measure security effectiveness
  8. Virtualization changes nothing in the security space.
  9. We’ve built our three year security strategy and we’re aligned to the business
  10. One audit a year from a trusted third party indicates our commitment to security

Got any more?

/Hoff

(A)vailability > (C)onfidentiality + (I)ntegrity…Part Deux: Film/Video NOT At 11…

February 26th, 2008 4 comments

We had a little chat a few weeks ago at the apparent shock suffered by many a security professional in discovering that the three-legged stool of security was constructed of unequally leveraged legs of C, I and A.

Some reckon that by all practical accounts C, I and A should not be evaluated or assessed in a vacuum, but depending upon your line of business, your line of work and how you view the world, often this is how things get done — we have very siloed organizations, so it leads to siloed decision matrices.

Specifically, availability (or service delivery) in reality — despite what theory and purists espouse — often trumps "security" (the C and I functions.)  As distasteful as that sounds, this is endemic.  From operating systems focused on "usability" rather than security to routing protocols focused on rapid convergence and assumed trust as opposed to secure and authenticated mechanisms.

To wit (from the Renesys Blog):

Pakistan hijacks YouTube

Late in the (UTC) day on 24 February 2008, Pakistan Telecom (AS 17557) began advertising a small part of YouTube’s (AS 36561) assigned network. This story is almost as old as BGP. Old hands will recognize this as, fundamentally, the same problem as the infamous AS 7007 from 1997, a more recent ConEd mistake of early 2006 and even TTNet’s Christmas Eve gift 2004.

Just before 18:48 UTC, Pakistan Telecom, in response to government order to block access to YouTube (see news item) started advertising a route for 208.65.153.0/24 to its provider, PCCW (AS 3491). For those unfamiliar with BGP, this is a more specific route than the ones used by YouTube (208.65.152.0/22), and therefore most routers would choose to send traffic to Pakistan Telecom for this slice of YouTube’s network.

Yes, this is really a demonstration of unavailability, but what I’m getting at here is that fundamentally, the core routing protocol we depend upon for the backbone Internet transport is roughly governed by the same rules that we depend upon whilst driving down a road separated by nothing more than painted lines…you simply hope/trust that nobody crosses the line and crashes into you head-on.

There is very little preventing someone from re-routing traffic.  This could result in either a denial of service (as the traffic would not reach its destination) or even something akin to an interception, "storage" and eventual forwarding for nefarious means.

So, here we have a case where again we depend upon a protocol that was designed to provide (A)vailability, yet C and I are left floundering in the wings.  We’ll no doubt see another round of folks who will try and evangelize the need for secure BGP — just like secure DNS, secure SMTP, secure…

This will hit deaf ears until we see the same thing happen again…
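The two halves of the story above, as an added example that is neither Renesys’s nor Hoff’s own code: first, longest-prefix match, which is why a /24 from Pakistan Telecom beats YouTube’s /22 on any router that accepts it; second, the origin check that such a router was missing. The two-route table is constructed from the prefixes and AS numbers quoted in the post (208.65.152.0/22 originated by AS 36561; 208.65.153.0/24 originated by AS 17557 and learned via PCCW, AS 3491). The origin allowlist is an assumption of this example: it binds a prefix to the ASes allowed to originate it and to a maximum prefix length, the same binding an RPKI route origin authorization expresses, and it goes one step beyond the post by also flagging a /24 announced by the legitimate origin when the allowlist caps announcements at /22. Helper names (`best_route`, `validate_origin`, `suspicious_routes`) are mine.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """One BGP announcement as a router would hold it in its table."""
    prefix: str        # announced prefix, e.g. "208.65.153.0/24"
    origin_as: int     # AS at the end of the AS_PATH (who claims the space)
    next_hop_as: int   # neighbour the route was learned from


# Constructed table modelled on the announcements quoted from Renesys:
# YouTube (AS 36561) originates its /22; Pakistan Telecom (AS 17557) announces
# a more-specific /24 that reaches the rest of the Internet via PCCW (AS 3491).
ROUTES = [
    Route("208.65.152.0/22", origin_as=36561, next_hop_as=36561),
    Route("208.65.153.0/24", origin_as=17557, next_hop_as=3491),
]

# Assumed origin allowlist (this example's own data, not from the page):
# prefix -> (ASes allowed to originate it, longest prefix length they may announce).
# This is the binding an RPKI ROA expresses; here it is just a dict.
AUTHORIZED_ORIGINS = {
    "208.65.152.0/22": ({36561}, 22),
}


def best_route(dst, routes=ROUTES):
    """Longest-prefix match: among all routes covering dst, the most specific
    prefix wins, no matter who announced it. This is the behaviour the /24
    announcement relied on."""
    addr = ipaddress.ip_address(dst)
    covering = [r for r in routes if addr in ipaddress.ip_network(r.prefix)]
    if not covering:
        return None
    return max(covering, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)


def validate_origin(prefix, origin_as, allow=AUTHORIZED_ORIGINS):
    """Classify an announcement against the allowlist:
    'unknown' - no authorization covers the prefix (nothing to compare against)
    'valid'   - an authorization covers it, the origin matches and the prefix
                is not more specific than that authorization permits
    'invalid' - an authorization covers it but origin or length does not fit
    """
    net = ipaddress.ip_network(prefix)
    covering = [(origins, max_len) for auth, (origins, max_len) in allow.items()
                if net.subnet_of(ipaddress.ip_network(auth))]
    if not covering:
        return "unknown"
    for origins, max_len in covering:
        if origin_as in origins and net.prefixlen <= max_len:
            return "valid"
    return "invalid"


def suspicious_routes(routes=ROUTES, allow=AUTHORIZED_ORIGINS):
    """Routes an operator should alert on: announcements whose origin or
    specificity contradicts the allowlist."""
    return [r for r in routes
            if validate_origin(r.prefix, r.origin_as, allow) == "invalid"]


if __name__ == "__main__":
    chosen = best_route("208.65.153.10")
    print(f"traffic for 208.65.153.10 follows {chosen.prefix} via AS {chosen.next_hop_as}")
    for r in suspicious_routes():
        print(f"ALERT: {r.prefix} originated by AS {r.origin_as} is invalid")
```

Run as a script it reports that a host in 208.65.153.0/24 is reached through AS 3491 and that the /24 announcement is invalid. The point of keeping `best_route` and `validate_origin` separate is that plain BGP only ever runs the first one; dropping or depreferencing routes that the second one marks invalid is the operator policy that has to be added on top.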

/Hoff

It Appears I’m Giving Two Keynotes @ RSA 2008, But They Spelled My Name Wrong…

February 21st, 2008 7 comments

I was browsing through the RSA 2008 conference agenda today and noticed that two of my talks and topics I blog about constantly were being featured as RSA keynotes!

How cool is that!?

It seems besides the talk I’m already giving, the fine folks @ RSA forgot to tell me that I was to deliver these, also.

They also accidentally attributed the speaking roles to someone else:

KEY-101 The Role of Security in Business Innovation: From Villain to Hero Keynote Art Coviello, EMC/RSA

– and –

KEY-102 Information Centric Security: The Next Wave John Thompson, Symantec Corporation

I’ll be busy sorting out this correction.

In the meantime, you can just preview them here:

Security and Disruptive Innovation

Information Centricity

😉

/Hoff

On the Chatham House Rule

February 9th, 2008 5 comments

James Gardner reminded me of something that I wanted to bring up but had forgotten about for some time.  Yes, he’s Australian, but he can’t help that.

You’d understand why that was funny if you knew that I grew up in New Zealand.  Or perhaps not.

Let me first begin by suggesting that we owe many things to the empire of Great Britain.

There’s the Queen, crumpets, French jokes, that wonderful derivative affectation that causes all the women to swoon, the incessant need for either a cuppa tea or litres of beer, and some interesting cultural and business customs.

One of those customs is that of the Chatham House Rule.

If you’ve ever been to the UK and attended a business meeting discussing sensitive subject matter, there’s a good chance that someone pronounced that all those participating are cloaked under the Chatham House Rule.

If, as a gracious guest, you were not (at least by modern standards) subject to Her Majesty’s sovereign rule, you may have simply smiled and nodded politely not knowing who, what, or where this oddly-named domicile was and what it may have had to do with your meeting.

The same could be said for that guy Robert and all his suggestions, I suppose.

At any rate, for all of you who have wondered just what in Tony Blair’s closet you just agreed to when you attended one of these meetings governed by this odd architectural framework defined in the spirit of Chatham, you may now wonder no longer.

The Chatham House Rule reads as follows:

"When a meeting, or part thereof, is held under the Chatham House Rule, participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed".

The world-famous Chatham House Rule may be invoked at meetings to encourage openness and the sharing of information.

EXPLANATION of the Rule

The Chatham House Rule originated at Chatham House with the aim of providing anonymity to speakers and to encourage openness and the sharing of information. It is now used throughout the world as an aid to free discussion. Meetings do not have to take place at Chatham House to be held under the Rule.

Meetings, events and discussions held at Chatham House are normally conducted ‘on the record’ with the Rule occasionally invoked at the speaker’s request. In cases where the Rule is not considered sufficiently strict, an event may be held ‘off the record’.

If you’re interested in what the Chatham House is, besides the link to the rule (above) you can check out the following link to learn about the home of the Royal Institute of International Affairs.

Three things will likely come of this post:

1. You can confidently acknowledge your understanding of The Rule and use it in the spirit under which it was constructed
2. You’ve now realized that all that stuff you blabbed about from those prior meetings under The Rule (which you didn’t understand) is someday going to come back and punt you right in the blender
3. You can now start invoking the Chatham House Rule in random places regarding all manner of activities and confuse the hell out of people.  I quite like declaring it before ordering Chili Poppers and girlie drinks at TGI Friday’s, for example.

You can probably guess why I’m writing this.

Some people just never learn.

My work here is done.

Carry on.

/Hoff

America’s Next “Security Idol”

February 7th, 2008 1 comment

If you haven’t got enough of Nir Zuk talking, how about his gangsta rap?

I present you with "Security Idol" featuring contestants: Junne Ipper, Chuck Point and Paolo Alto.

Personally, I think Paula’s kinda hot in this video…

Ya gotta love marketing…if you don’t figure it out by the end of the video, this is a viral effort by Palo Alto Networks.  Funny.

If you’ve got scripting disabled, here’s the link to the video.

A Shout Out to My Boy Grant Bourzikas…It’s How We Roll…

January 19th, 2008 2 comments

I was reading Jeremiah Grossman’s review of Fortify’s film "The New Face of Cybercrime" (watch the trailer here) and noted this little passage in his review:

Then in a bold move, Roger Thorton (CTO of Fortify) and director Fredric Golding (with the 3 other panelists), opened things up to the audience to comment and ask questions. Right when they did that I was thinking to myself, OMG, these guys are crazy asking an infosec what they thought! To their credit they were very patient and professional in dealing with the many inane “constructive” criticisms voiced.

The stand out of the panelists was Grant Bourzikas, CISO of Scottrade, who was able to answer pointed question masterfully from “business” interest perspective. Clearly he has been around the block once or twice when it comes to web application security in the real world.

I was thrilled that Jeremiah pointed Grant out.  See, G. was one of my biggest enterprise customers at Crossbeam and I can tell you that he and the rest of the Scottrade security team know their stuff.  They have an incredible service architecture with one of the most robust security strategies you’ve seen in a business that lives and dies by the uptime SLAs they keep; availability is a function of security and Grant and his team do a phenomenal job maintaining both.

I can personally attest to the fact that he’s been around the block more than a couple of times 😉  It’s very, very cool to see someone like Jeremiah recognize someone like Grant — since I know both of them it’s a double-whammy for me because of how much respect I have for each of them.

Wow.  This got a little mushy, huh?  I guess I just miss him and his bobble-head doll (inside joke, sorry Evan.)

My only question is how did Grant manage to escape St. Louis?

/Hoff

Answering A Very Difficult Value Question Regarding Information Security

November 24th, 2007 12 comments

Earlier this week I was in Nice, France speaking on the topic of the impact that the consumerization of IT has on security and vice versa.

We had a really diverse set of speakers and customers in attendance.

When you can pool the input and output from very large financial institutions to small law firms against the presentations from business innovation experts, security folk, workforce futurists, industry analysts and practitioners, you’re bound to have some really interesting conversation.

One of the attendees really capped off the first day’s discussion for me whilst at the bar by asking a seemingly innocuous (but completely flammable) question regarding the value that Information Security brings to the table against its ability to provide service and not stifle agility, innovation and general business practice.

This really smart person leads the innovation efforts at a very large financial institution in the UK and was quite frankly fed up with the "No Department" (InfoSec group) at his company.  He was rightfully sick of the strong-arming speedbumps that simply got in the way and cost money.

The overtly simplified question he posited was this:

Why can’t you InfoSec folks quite simply come to your constituent customers — the business — and tell them that your efforts will make me x% more or less profitable?

In his organization — which is really good at making decisions based upon risk — he maintained that every business decision had assessed against it an acceptable loss figure.  Sometimes those figures totaled in the billions.

He suggested then that things like firewalls, IPS’s, AV, etc. had a near zero-sum impact when measured in cost against these acceptable losses.  Instead of the old axiom regarding not spending $100,000 to protect a $1,000 asset, he was actually arguing about not spending $100,000 to offset an acceptable loss of $1,000,000,000…

Interesting.

I smiled as I tried to rationalize why I thought for the most part, nobody I knew could easily demonstrate the answer to his question.  Right, wrong or indifferent, I agreed that this was really a fundamentally crappy topic to bring up without something stronger than wine. 😉

It turned into quite an interesting conversation, during which I often found myself putting on various hats (architecture, security, operations, risk management) in an attempt to explain — but not justify — the status quo.

I demonstrated what I thought were some interesting counter-questions but for the most part found it increasingly uncomfortable each time we ended up back at his initial question.  The more complex the answers became, the further they diverged from the concept he was focused on.

Imagine if you were the CSO and were being asked this question by your CIO/CFO/CEO as the basis for the on-going funding of your organization: "We can comfortably sustain losses in the hundreds of millions.  Why should I invest in security when you can’t demonstrate that you enable my business to achieve its business goals in a way which can make us more profitable or offset my acceptable losses?"

It’s why businesses exercise any option to swerve around the speedbumps IT/Security are perceived as being.

Pimp My Blog: TypePad Says “Rational Security Is the Schizzle, Yo!”

October 24th, 2007 12 comments

From the "Tooting Your Own Horn" Department…

The lovely folks at SixApart – purveyors of the fine SaaS/Hosting functionality "TypePad" (amongst others) have kindly named the blog of yours truly as today’s "TypePad Featured Blog."

So, out of the approximately 1.2 Million blogs claimed as being hosted by SixApart, I seem to have offended enough of you and consumed enough bandwidth to warrant attention.  I’m praying I won’t receive an email politely suggesting that I upgrade…

So, I’d like to start by thanking all the people who make this blog possible…Ummmm…

OK, so moving on, I’d like to thank all of you who read my little steaming pile of blogginess…last count has approximately 2,000 subscribers, although I believe my kids run 100 simultaneous instances of Google Reader under fake names in exchange for WebKinz and iTunes credits that I upload when they generate page views.

Seriously, though…blogging is a lot of fun.  I love blogging my ideas and interacting with the lot of you.  Even Rothman.  No, especially Rothman.  The only man I respect for wearing Crocs with socks in Vegas in 100 degree heat.  Black, of course.

I’ve learned quite a few interesting lessons since I started blogging over a year ago (thanks to Alan Shimel who encouraged me to do so) and look forward to learning a lot more.  One of the things I’m going to force myself to do is write less — fewer words, that is.  You people have the attention spans of gnats in heat, so I’m going to make it more A.D.D. friendly.  Besides, when I leave big logic holes due to fewer words, you seem to participate more.

I’ve already told my wife I need an iPhone to make sure the blog renders correctly under Safari running on a mobile.

Now that I’m Blog King for a day (and Alex Hutton has one) she couldn’t possibly turn me down, right?

/Hoff