Tuesday, July 29, 2008

Let's Party Like It's 1999

I love how that phrase (and song) completely lost its meaning as soon as we had to start writing three 0's on our checks. I'm not thinking about that catchy tune by the purple one; I'm talking about Y2k and everything that surrounded the months, and in some cases years, leading up to the clock rolling over.

If you were in IT during that time, you remember what it was like. Everything had to be upgraded. Everything had to be compliant. If one thing wasn't compliant, the whole grid would go dark. Public restrooms would cease to function because a managed hub at the water treatment plant would think it was 1900 and would cease to process waste because there wasn't indoor plumbing in 1900. People hoarded water. Other people hoarded guns.

I split the difference and hoarded water guns.

Since we're 8 years past those heady days, I'll get to my point. Truth is, there was a real threat that, if unmitigated, would have caused lots of headaches in the processing of some very important things. The deeper truth is that lots of CIOs, IT managers, consultants, developers, and rank and file IT geeks used the threat of Y2k to push pet projects, pad budgets, add badly needed staff, rack up bonuses and enjoy ridiculous perks. In general, we were gettin' while the gettin' was good.

Again, I'm not saying there weren't issues that needed to be corrected. I am saying that the forklift upgrades of every piece of network gear in the company I worked for at the time didn't account for the real risk; only the risk that our Cisco rep wasn't on budget for his timeshare in Aspen.

What has me thinking about this is Dan Kaminsky's well publicized DNS hole. I respect Dan and his work highly, and like Y2k, this is a real threat. However, I agree with Richard Bejtlich of TaoSecurity: the disclosure and handling of this real threat leaves a lot of unanswered questions. Dan made the announcement that there's a bogeyman under the bed, and said he'd show everyone what it is at the upcoming Black Hat and DEF CON conferences. He notified vendors and providers and gave them the resources to evaluate and create solutions. For the past month Dan has played it close to the vest. A lot of speculation floated out through blogs and news articles. Lots of people began seeing the effects of FUD (fear, uncertainty, & doubt). In my discussions with IT managers and CIOs in the past few weeks I've begun to see the same glimmer of hope for the glory days of Y2k. "Screw R=VxTxA (Risk = Vulnerability X Threat X Asset value), I can use this to upgrade our firewalls!" Ok, not that drastic, but I'm afraid that could be the road we are headed down.

It's a threat, folks. It needs to be addressed. However, it is our responsibility as security professionals to look at the big picture. We need to be ever vigilant to avoid Chicken Little syndrome and be sure to differentiate between 'threats' and 'risks'.

Let's think back to Y2k one last time. 0:00:00 01/01/00 came and went. The lights stayed on. Everything worked. Champagne corks popped and the toilets still flushed. In the days that followed I heard managers, CEOs, CFOs and common Joes say the same thing: "Boy, that was a load of BS." Folks, we shot ourselves in the foot. We used a perceived risk to ride the wave of FUD, and lost a lot of credibility in the process. The people that understood the real risks understood that lots of vital work was done; those that didn't thought we were all giving them steaming shovelfuls.

Since this is all about "risk", let's think about the risk in this slippery slope. Every instance where we cry wolf, every time we talk over the heads of the less technical, every time we neglect to recognize business needs, we risk reducing our credibility when there really is a significant threat.

Alright, it's 1999... You say it, 1999 don't stop, don't stop, say it 1 more time.

Wednesday, July 16, 2008

Like walking in on your parents.

You know what I'm talking about. That instant when you realize not only should you have knocked, but you should have waited for a reply too... You're forever scarred. You've witnessed the 2 most iconic figures in your life do things that those 2 iconic figures should only have done to conceive you and your siblings, and only then with the lights off.

Twitter spam is like that. Sadly, I received my first today. Me being "me", I didn't automatically follow the sender, but I took a closer look, and I didn't like what I saw.

The sender is following 4,374 people. 203 were following him. I followed the link to his profile and found it was a combination of street/gangsta speak and consistent pleas to buy a stock. This was a first for me, like Russell Simmons (seriously? you don't know who he is? Def Jam? Did you ignore the 80's entirely?) had made a copy of a copy of himself.

The innocence that was Twitter is now lost. I fear a future in which the already borderline annoying "microblogging" becomes "microspamming": thousands of emails, texts and popups for crap I don't care the least bit about.

Won't someone please think of the twitterers?