Recently I was talking to someone that was telling me about how he is going to start a business that helps people find things on the internet. He went on to explain that it is very difficult for people to find what they are looking for because there is just too much information on the Internet. I couldn’t resist, so I asked if he had ever heard of Google. So he explained to me that Google sucks, as do the other online search engines. He told me that his idea was a different way of thinking about search.

He started telling me why it was a different way of thinking but I had a question that I wanted him to answer first, and that was: What would you do differently from Google? After looking at me with a very perplexed look on his face he responded with: Well I don’t really know how they do what they do, but I know it can be done better.

Unfortunately this is all too often the case. People try coming up with solutions without understanding the problem or how current solutions work. Why reinvent the wheel? Understand the problem. Understand the current solutions. Then you are in a better position to not only know what you are talking about, but prove it as well.


A few months ago I read the book Born to Run by Christopher McDougall and it motivated me to get off my ass and start running.  I was a little too motivated and ended up fracturing my foot, but this post isn’t about me being a dumbass so we’ll skip over that part.  Anyhow, so I start running around my neighborhood and all is fine except I have no idea how far I’m running and therefore don’t know if the times I am clocking are good or bad.  There are a few different ways to accomplish this but I chose to use a website called MapMyRun.com.

It doesn’t take a genius to figure out what this site does: you punch in a location and then use the map to click along your running path to calculate distance. So I mapped out a few different routes to figure out how far I had been running and then made some changes to give myself a 2 mile and a 3 mile option. It is pretty cool, and accurate to boot, but where am I going with this?

Well when you map a route you can save it.  When you save it you have the option of the map being public or private…public being the default.  You can also search these public maps saved by other users.  A quick search in my small town and there are 192 maps found!  Now where do most people start their runs from?  If you said their house, you would be correct.  So now I can see all of these runners and where they live based on their map.  This site also offers up the username of the person who submitted the map.  As with most internet services, some of the usernames are bizarre like techdulla, but some are like johnsmith22.  Now I know where you live and what your name is.  I also know that you run a particular 10 mile loop every Saturday morning. <Insert evil laugh here>

Just another example of people sharing information about themselves without realizing it.


Soon I’ll be boarding a plane to Vegas for a week of information overload.  This year I am going with a less structured plan of attack.  Usually I try to schedule out my time at the conference, committing every waking hour to something…but not this time.  I haven’t committed to any sessions, meetings, interviews, parties, nada!  I feel less stressed about the week already.

A little story for all of you about a small start up firm I am helping.  Usually I don’t share these stories because we have an investment in the company but this is not the case here.  Too many startups are so interested in getting to market that they let everything else fall through the cracks, especially security.  These folks needed to get a server that is currently in someone’s home in California shipped out to their Massachusetts office.  My involvement was very limited, pretty much just telling them where to plug it in.  I can’t help but ask questions though…..so my involvement grew.

First basic question was how did they plan on protecting this server since all they had was a public IP address. They hadn’t thought of that. THEY WERE GOING TO PLUG THE SERVER DIRECTLY ONTO THE PUBLIC NETWORK! That kicked off a quick lecture from me on why they need a firewall and general best practices. Next question was whether their internal people needed access to this server and how that was going to be accomplished. Again….they hadn’t thought about that either. They assumed the internal staff would magically have secure access to this server they were connecting only to the public network. I could continue with these basic questions and the lack of answers but you get the idea.

To make the story better, they plan to go live this weekend. The firewall is being delivered today and the server tomorrow. All they will have access to are a few wall jacks that have been preconfigured, one with a public connection and one on a private VLAN. They sublet space, so the in-house IT Staff where they work will not be around this weekend to assist in any issues that arise. What if the firewall is DOA? What if it never arrives? What if FedEx doesn’t come through with the Saturday delivery to a closed office? More stellar planning.

Glad it isn’t my server…


Well not really.  I disappeared for the past few months, no blog, no twitter, not much of anything except work and golf.  The project I was spending most of my time on after RSA was one I couldn’t really talk about without breaching agreements and getting in trouble so going dark for a bit seemed like a good idea.  A bit turned into much longer than I anticipated…think of it like a reboot, except interrupted by a BSOD that took me a while to recover from.  I did manage to shave 10 strokes off my golf game though so it wasn’t all bad.

Enough of that and onto a story that should make you shake your head.  About a month ago I had a meeting with the IT Leaders of various firms.  We covered some good topics and offered advice on how people could solve specific problems they were facing.  Most of these folks are intelligent, hardworking, and always willing to learn as well as teach when the opportunity arises.  Some however, well, not so much.  One conversation stood out and made me think WTF!  A particular firm is building a portal to allow their partners/customers to share information with them.  Contractors were implementing at the time of the meeting.  There were a slew of questions around implementation, maintenance, and security….none of which could be answered by the IT Director of the firm.

What ever happened to understanding your environment?  How can you be in charge of IT for an organization but not have the ability to explain how the pieces all go together?  I don’t know about you, but if I don’t fully understand how it works, how I will manage it, and the security implications of implementation it sure as hell is not going into production. Ugh!


A few months back Chris Hoff, then Chief Security Architect at Unisys, challenged Simon Crosby, CTO at Citrix Systems, to a sumo match. My oh my that would have been fun to watch, but alas it never came to fruition. I figured the next best thing would be to attend the Virtualization Security panel where the two of them could duel it out. On the panel with them were Michael Berman, CTO at Catbird, and Steve Herrod, CTO and VP of R&D at VMWare; the moderator was Andreas Antonopoulos, Sr. Vice President at Nemertes Research. A good lineup for sure, but would it live up to the hype?

It was very good, but it could have been even better.  Andreas did an excellent job keeping everyone in line so props to him for that.  Hoff was his usual self – poking, prodding and making his points as only he can.  Crosby was trying hard to push buttons and seemed to succeed but there were points he tried to make without any legit information.  Berman was very quiet and looked like he just wanted to stay out of the fray, probably a good choice.  Herrod had many opportunities to bitch slap Crosby and in turn Citrix but unfortunately he didn’t.  It was as if VMWare had put a gag order on him and gave him a script with a few phrases he was able to use.  If Herrod had been more open and direct this panel would have been UNBELIEVABLE!

Crosby is fun to listen to but sometimes taking him seriously is difficult.  For those who don’t know, he is of the belief that a virtualization platform company should secure the hypervisor but the remaining security in the virtual environment is someone else’s problem.  His justification for this statement is that they are not security companies and should leave that to the professionals.  He bashed VMSafe calling it weak, without ever seeing it mind you.  He actually called Herrod incompetent at implementing security and when Hoff spoke up mentioning that Steve is not actually implementing the security Crosby then said that all of VMWare is incompetent.  If he was on the street pitching this shit I would give him a few bucks thinking this poor crazy homeless guy needs something to eat before losing his mind.  If the CTO gig doesn’t pan out for him at least he has a fall back.  Seriously though, he is obviously a smart guy but seemed to just be tossing out the most absurd statements to get Herrod fired up hoping he would snap.

Herrod didn’t appear to be fired up but he should have been.  I wanted to hear the VMWare representative flex some muscle and teach Crosby a thing or two about why it is important for VMWare to roll security into the product.  There are so many examples he could have thrown out to prove his point, but he didn’t.  Instead VMWare got slapped around without any real defensive action, or worse, without any offensive action.  Luckily for Herrod and VMWare, The Hoff was on the panel.  Hoff had no problem calling Crosby out on his outlandish remarks and mostly played the role Herrod should have.  When he gets on a roll it is fun to watch, and he was rolling.  VMWare should pay him some serious cash for protecting them against the bully.  ;)

Look, I don’t care that VMWare is not a security company.  I don’t care that their expertise isn’t on all things security.  As far as I am concerned they are taking steps toward helping their customers implement more secure virtualized environments than they have today and that is the right thing to do.  They will not get it 100% right out of the box, but something is better than nothing.

–DanO