
The Relativity of Wrong…

The Relativity of Wrong… in the security industry.

Randy Raw, my professional mentor (not that I pay him, but I look to him for guidance in my profession… although he probably deserves to be paid for putting up with me) sent me a link to an article by Isaac Asimov on the relativity of wrong.

Reading it got me thinking about how security people see the security industry and Asimov hits it out of the park with this quote:

The basic trouble, you see, is that people think that “right” and “wrong” are absolute; that everything that isn’t perfectly and completely right is totally and equally wrong.

We do this all the time. If someone doesn’t have perfect security they have no security. Next time a major company is breached, watch the articles and tweets flow about how lax their security is. No matter how they were attacked, someone will put out the boilerplate article about how their security sucked.

Asimov closes with a line that I think is awesome:

What actually happens is that once scientists get hold of a good concept they gradually refine and extend it with greater and greater subtlety as their instruments of measurement improve. Theories are not so much wrong as incomplete.

I love a paraphrase of this quote and need to get it on a shirt…

Security is not so much wrong as it is incomplete.

In security we are always gradually refining all of our security theories and policies. If you look back at your company’s security policies from 2 years ago, they weren’t wrong, they were just incomplete.

Status Quo becomes Status: NO

What do you do when the Status Quo becomes the Status: NO?

Recently I have noticed a disturbing trend in my professional and personal life.  It has become way easier for me to say “Sorry, I can’t help with that.  I do (this) at (that time) already” or “no, it works ok now let’s not change it.” or worst of all “If we do that these people might complain”.

My Three Keys to “Status: No”-ing are: 

  • Highlighting the pain a few vocal critics might inflict instead of the benefits for the many.
  • Exaggerating how good things are now in order to make change look unnecessary.
  • Acting like my schedule is completely booked and taking on any additional responsibilities would be impossible.

I have become comfortable in my routine so I lie to myself about areas that need improvement and growth.  I have become a creature of habit. I have lived, worked and worshiped at the same place for the last 8 years of my life.

Basically it boils down to:  

I am not the new kid anymore.

I am part of the establishment now and when you become part of the establishment you do what the establishment does, you fight change. I defend the way things are because they are ingrained in my routine.  I am like the lady who cut off the end of the ham because that’s the way her mom did it.

So I guess my challenge is going to be: Figure out how to see what the new kid would see without actually being the new kid.

The older I get, the more I value the investment of time. It’s often a deciding factor of success or failure.

Why your password sucks…

Here is my slide deck from last night’s Ignite COMO event.

Ignite talks are five minute lightning talks with auto advancing slides every 15 seconds. It is honestly one of the hardest talks I have ever given.

This picture of me dunking at a pool party is too embarrassing to not share.

This XKCD comic hits it out of the park on password complexity vs a passphrase.
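To put numbers behind the comic’s point, here is an added example (my own model, not from the talk or the comic) that compares what a complexity policy thinks it bought against what a guesser who knows the usual mangling tricks actually faces, and against a plain multi-word passphrase. The word-list sizes, the 1-bit-per-substitution estimate and the 32-symbol keyboard are constructed assumptions.

```python
import math

# Constructed model (an added example, not from the post): the "complex"
# password is a common word with predictable mangling; the passphrase is
# several words chosen uniformly at random from a fixed word list.

def naive_bits(length, alphabet_size=95):
    """What a 'must contain upper/lower/digit/symbol' policy believes it bought:
    every position treated as a uniform pick from all printable ASCII."""
    return length * math.log2(alphabet_size)

def mangled_word_bits(word_list_size=65536, capitalised=True,
                      leet_substitutions=3, digits=1, symbols=1):
    """Entropy of a dictionary word plus the usual tricks, as a guesser models it.
    Each trick adds only the bits needed to pick among its few variants."""
    bits = math.log2(word_list_size)          # which word (assumed 2**16 common words)
    if capitalised:
        bits += 1                             # first letter capitalised, or not
    bits += leet_substitutions                # ~1 bit per o->0 / a->4 style swap
    bits += digits * math.log2(10)            # one appended digit
    bits += symbols * math.log2(32)           # one of ~32 keyboard symbols (assumed)
    return bits

def passphrase_bits(word_list_size, words):
    """Entropy of `words` words drawn uniformly from a list of `word_list_size`."""
    return words * math.log2(word_list_size)

def years_to_crack(bits, guesses_per_second):
    """Expected time to hit the secret: on average half the space is searched."""
    seconds = (2 ** (bits - 1)) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)

if __name__ == "__main__":
    rate = 1000  # online guesses per second against a throttled login (assumed)
    print(f"policy's view of an 11-char mangled word : {naive_bits(11):5.1f} bits")
    print(f"guesser's view of the same password      : {mangled_word_bits():5.1f} bits")
    print(f"4 words from a 2048-word list            : {passphrase_bits(2048, 4):5.1f} bits")
    for bits in (mangled_word_bits(), passphrase_bits(2048, 4)):
        print(f"  {bits:5.1f} bits at {rate}/s -> {years_to_crack(bits, rate):12.3f} years")
```

The same policy that scores the mangled word at over 70 bits is beaten by four lower-case words the user can actually remember.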

TNID.US

For a long time it was nearly impossible to tell who owned a cell phone because it didn’t provide a name on the caller ID.

Recently tnid.us has come to the attention of the security community and is giving out that information for free. I am not exactly sure how they do it, but out of 10 numbers I checked, 9 gave me the real name of the owner and one gave me “wireless customer”.

Good news is that there is a way to get off their list. They have a delete option that I would recommend you use if you value what little privacy your cell phone number carries.

Wait… is that QR code malicious?

QR codes are pretty awesome right?  They are the new cool thing to stick on websites, menus, billboards, real estate signs, shirts, etc.

I mean you hold your phone up to them and they can give you a secret message, they can send txt messages from your phone, or give you a URL to visit.  Pretty stinking cool right?

Scan these on your phone and see what they do.

The only thing is that there is no way to tell a malicious QR Code from a good QR Code. So if your QR code app doesn’t tell you explicitly what it is going to do before it does it, you should obviously look for a new app.
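This is what that "tell me first" step looks like in code. The example below is added here (not from the post or SANS) and assumes the QR code has already been decoded into a string; it classifies the common payload types the post mentions (a URL, a text message, plain text, plus phone and Wi-Fi) into a plain-language preview and flags the things a user should notice before confirming. The sample payloads are constructed.

```python
from urllib.parse import urlsplit

# Constructed decoded payloads (not real codes) covering the common QR actions.
SAMPLE_PAYLOADS = [
    "https://example.com/menu",
    "HTTP://login.example.com@203.0.113.5/",   # user-info trick: real host is the IP
    "SMSTO:+15551234567:Join now",
    "tel:+15557654321",
    "WIFI:T:WPA;S:CoffeeShop;P:hunter2;;",
    "Table 12 - ask your server",
]

def describe_qr_payload(payload):
    """Return (action, detail, warnings) describing what acting on the
    decoded payload would do, so the user can confirm or refuse."""
    p = payload.strip()
    lower = p.lower()
    warnings = []
    if lower.startswith(("http://", "https://")):
        parts = urlsplit(p)                    # scheme is lower-cased by urlsplit
        if parts.scheme == "http":
            warnings.append("plain HTTP: the page can be read or altered in transit")
        if parts.username is not None:
            warnings.append(f"URL has a user-info part; the real host is {parts.hostname}")
        return "open URL", p, warnings
    if lower.startswith(("smsto:", "sms:")):
        _, _, rest = p.partition(":")
        number, _, body = rest.partition(":")  # SMSTO:<number>:<message body>
        warnings.append("sends a text message from your phone; it may cost money")
        detail = f"to {number}" + (f" saying {body!r}" if body else "")
        return "send SMS", detail, warnings
    if lower.startswith("tel:"):
        warnings.append("places a phone call from your phone")
        return "dial number", p[4:], warnings
    if lower.startswith("wifi:"):
        fields = dict(f.split(":", 1) for f in p[5:].split(";") if ":" in f)
        detail = f"network {fields.get('S', '?')} ({fields.get('T', 'open')})"
        return "join Wi-Fi", detail, warnings
    return "show text", p, warnings            # nothing to act on, just display it

if __name__ == "__main__":
    for raw in SAMPLE_PAYLOADS:
        action, detail, warns = describe_qr_payload(raw)
        print(f"{action:12s} {detail}")
        for w in warns:
            print(f"             ! {w}")
```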

Hat Tip: SANS

The best meat in Missouri…

One Saturday a month I get up and drive nearly 100 miles round trip to go and purchase some of the best meat in Missouri.

About 5 miles south of Freeburg Missouri is The Butcher Shop LLC

Even with gas at $3.60 a gallon it is worth the gas money and the time investment.

What we buy most of is their frozen beef in 1 pound tubes for ~$3.25 a pound. It is not marked, but the beef has to be 90% lean. I hardly ever have to drain it after browning. The same thing in the supermarket in town here costs me $4.00 a pound.

They also have a wide variety of sausages they make in the store. Their breakfast sausage varieties are awesome (we love the maple), but they make some of the best Italian sausage I have had.

One of the best things they sell is their hotwings that they make in house.

They are literally some of the best hot wings I eat. They are nearly as good as my favorite hot wings ever.
