
April 2008

April 30, 2008

Its a trade show in Vegas, you know the booth babes are out

I know it is Vegas, but overall the booth babes were not out in force at Interop.  The biggest offender was Blue Cat Networks, who once again had a frat boy set up with girls dressed in very skimpy skirts and leggings inviting giddy geeks in to play some virtual golf.  Of course this follows past years where Blue Cat had girls dressed in skin-tight jump suits putting you in flight simulators.  Of course the girls scanned your information while they strapped you in.  This sort of exploitive behavior from Blue Cat has become expected.  If I were a woman, I don't know if I would want to work at that company.  For the most part, the booth babes are employed by companies looking to put fannies in seats at presentations.  These women are usually good looking but not dressed too crazy and try to get you to sit down, listen to a presentation and maybe win a prize. I don't have a problem with this, depending on how they are dressed.

In the "you never know" category though is my experience with this potential booth babe from D-Link.  A quick look at the picture to the right would indicate, yes, a booth babe for sure. However, I had a chance to speak with this young lady and was surprised to find out that she was an expert on 802.1x.  She knew all of the potential RADIUS attributes supported by every single Cisco switch.  She also was able to set up the DHCP server on the D-Link routers and, to top it off, explained to me exactly how D-Link was using the data stored in a MAP server to provide greater security utilizing the new TCG IF-MAP standard. Of course you believe all this, right, and know she was not just a booth babe.  What do you think?

Is IF-MAP the spark that will ignite the TCG/TNC and the security industry?

The big news at Interop yesterday was the new IF-MAP specification and standard announced by the Trusted Computing Group/TNC group. Some may call it TCG NAC 2.0, but it actually goes way beyond just NAC. IF-MAP represents a method that allows disparate security technologies to talk to each other and leverage the information gathered from multiple sources to make better and more secure decisions about network devices, users and traffic. It has huge implications not only for NAC, but for IDS/IPS, vulnerability management, SIMs, etc. Also, it represents a real opportunity for the TCG/TNC to move out beyond the shadow of NAP and really become a dominant standard for the network and security industry to rally around.

The idea behind IF-MAP is that data is stored in a central container called a MAP, or metadata access point. This data can be called upon or supplemented with more data from a wide variety of sources. You can publish, search or subscribe to the data. The format is XML. The diagram (which you can click on for a bigger version) on the left shows a sample multi-vendor configuration, but the combinations are endless. To get a better flavor for what you can do, you can click here to see a PDF presentation by the TCG on IF-MAP.

I had a chance to speak about IF-MAP with Steve Hanna and Mike Fratto. If it does indeed become widely adopted, this can have a profound impact on our industry. Also, Steve and the TNC are very much looking to diversify and distribute the administration of the MAP among many vendors so that it does not become a single-vendor-steered standard. I applaud Steve and the rest of the group for working so hard on MAP. I challenge the rest of the industry to take a look at it and work towards adopting it. It truly can be a win for all security vendors, but most of all a win for security administrators, who would finally be able to use best-of-breed products from different vendors and have them talk to and work with each other.
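To make the publish/search/subscribe model concrete, here is a toy in-memory MAP server, an added example and not TCG or vendor code. It assumes IF-MAP's graph of identifiers joined by links carrying metadata, but uses plain Python structures instead of the spec's XML, and the identifiers, metadata and vendors in the demo are constructed.

```python
"""Toy MAP (metadata access point): identifiers linked into a graph, each
carrying metadata; clients publish, search, and subscribe to changes.
Added example, not TCG code; the XML encoding of the real spec is omitted."""
from collections import defaultdict


class MapServer:
    """Central container shared by security products from different vendors."""

    def __init__(self):
        self.meta = defaultdict(list)   # identifier -> list of metadata dicts
        self.links = defaultdict(set)   # identifier -> linked identifiers
        self.subs = []                  # (search root, callback) pairs

    def publish(self, ident, metadata, link_to=None):
        """Attach metadata to an identifier, optionally linking it to another,
        then notify every subscriber whose search from its root reaches it."""
        self.meta[ident].append(metadata)
        if link_to is not None:
            self.links[ident].add(link_to)
            self.links[link_to].add(ident)
        for root, callback in self.subs:
            if ident in self.search(root):
                callback(ident, metadata)

    def search(self, root, max_depth=3):
        """Return root plus all identifiers within max_depth links of it."""
        seen, frontier = {root}, {root}
        for _ in range(max_depth):
            frontier = {n for f in frontier for n in self.links[f]} - seen
            seen |= frontier
        return seen

    def subscribe(self, root, callback):
        """Register interest in the subgraph around root."""
        self.subs.append((root, callback))


def demo():
    """Multi-vendor flow (constructed): a NAC publishes who holds which address,
    an unrelated IDS publishes an event on the address, NAC reacts via MAP."""
    mapsrv, quarantined = MapServer(), []
    mapsrv.publish("identity:alice", {"type": "access-request", "result": "allow"},
                   link_to="ip-address:10.0.0.5")
    mapsrv.subscribe("identity:alice",
                     lambda ident, m: quarantined.append(ident)
                     if m.get("type") == "event" else None)
    # The IDS knows nothing about alice, only the offending address.
    mapsrv.publish("ip-address:10.0.0.5", {"type": "event", "name": "port scan"})
    return quarantined
```

The NAC never talks to the IDS directly; the link it published between the user and the address is what lets the IDS alert reach it.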

April 29, 2008

"The Kite Runner" will change how you think about Afghanistan

My wife Bonnie and I don't get out to the movies as much as we used to. When we do it is often with the kids, so we miss out on many of the adult (no, I don't mean those kind of adult) themed movies that come out. We wait for the DVD, but even then I miss many. I compensate by watching movies on planes a lot. Recently I caught The Kingdom with Jamie Foxx and We Own the Night with Mark Wahlberg and Joaquin Phoenix. Both good, powerful movies. However, last night on my way out to Vegas for Interop I watched a movie that will change my life. It is The Kite Runner, based on the book of the same title by Khaled Hosseini.

The movie tells the story of two boys growing up in pre-Soviet-invasion Kabul, Afghanistan, all the way up to the year 2000, with a pre-9/11 Taliban regime in charge. You can read the Wikipedia article I linked to or, better yet, go rent the movie or read the book (I am going to read it next) for all of the dramatic details. However, let me talk a bit about my takeaway from this film. First of all, like many Americans I had a preconceived notion of Afghanistan as a poor, backwater, backwards place that welcomed a repressive regime like the Taliban to power and was part of the Muslim world that runs from the Med through to Pakistan. Nothing distinctive and, in fact, let's face it, I am not sure we humanize the people who live in that part of the world as we do Europeans or our fellow Americans. I knew little to nothing of Afghan history or lifestyle. Our American view of the world makes it hard for us to remember that children are children the world over and their lives are special. Whether it be something as simple as flying a kite or aspiring to be a writer, all children share the same dreams, hopes and challenges. Yes, in a place like Afghanistan with its ethnic tensions, there is room for a level of violence we don't often see here (but even that is BS; me living in Boca doesn't see it, but live in an inner-city bad neighborhood in the US and is life any better for a child?). But parents are parents the world over and they love their children and have hopes for their children the same way you and I do. People have values they believe in and may not be the most religious, but are nevertheless good people.

The movie made me think about my role as a father, husband and American. The whole American immigration experience is such a great influence on the world. We have the ability to take people from anywhere and they become Americans. The father in the movie goes from being a man of power and wealth in Kabul, to working in a gas station here. The father-in-law was a general in Afghanistan, but just a lower middle class worker here. But they don't lose their identity or the pride and sense of who they are and most of all their values. They don't lose their identity into the melting pot, but we add their identities to our tapestry of life here in this country. That is the real special sauce in what makes America

That part of the world is not just full of religious extremists. There are real live human beings there who think and feel very much like we do. Yes, there are incredible challenges with religious extremism to overcome, but there is a core of real people who are worthy of our efforts. At the end of the day, that is what the movie has succeeded in doing for me. It has made the Afghan people real.

April 28, 2008

Watching CNN can ruin your day!

When I work from my home office I usually keep CNN on in the background to keep up on the world. However, I have to say that it is just too damn depressing. A sample of today's news:

  1. Gas prices continue to go up about a penny or two a day, over 30 cents in last few weeks!
  2. Oil hit new highs
  3. Credit card companies are raising interest rates and fees drastically
  4. Food staples like wheat, rice, etc. are up from 10% and up
  5. Some crazy nut in Austria locked his daughter in a dungeon for 24 years and fathered 7 children with her, one who died and he disposed of the body (This is just a disgusting story)
  6. Home prices remain depressed and foreclosures remain high
  7. Airlines either have to merge or go out of business

Geez, what this country needs is a good fantasy for us to lose ourselves in. A new Star Wars or something to take our mind off of dealing with reality. It has got to get better, doesn't it?

April 27, 2008

Heading to Interop

Getting ready to head out to Interop tomorrow. I have a bunch of interviews and meetings scheduled, but if you are going to be at the show, stop by the StillSecure booth and say hello or drop me a note or twitter to get together. Interop is always a blast and I am looking forward to see what is new this year.

April 26, 2008

Holier than marketing people - not!

So here is one of my pet peeves about the IT world. Too many "technical" people consider themselves (pick one:) superior, smarter, more ethical, better than, their marketing counterparts. Hey people, everybody is selling something all of the time, even if it is themselves. Case in point, a recent "spat" between my bud Mike Rothman and another friend, Misha Govshteyn. Now Rothman and I go back a bit and have had our share of blog bad blood, but all in good spirit. Misha is a good guy too. Anyone who knows where to find a schmaltz herring in Houston after all can't be too bad. And my friend Farnum, who serves as the peanut gallery in this story, is solid as well. OK, now that we have the players, let's lay out the story.

It seems that Alert Logic had a webinar titled "Simple & Affordable PCI Compliance w/ Alert Logic." Mike thought that this was very misleading marketing from the slimy, no-ethics, don't-understand-the-real-pain marketing folks at Alert. They are preying on the simpletons who are responsible for security and PCI compliance in the world, and Mike delivers his full venomous wrath (according to Misha anyway; I bet Mike could be worse) on Alert Logic and their marketing team. Misha then responds with his own venomous wrath, that Rothman is literally full of baloney, a shameless self-promoter on par with Michael Savage. To add fuel to this fire comes Michael Farnum, who tells Misha in his comments that while he likes Alert Logic, "many manufacturers use their marketing as fly traps."

OK, here is my take. To Mike Rothman: come on Mike, you never did anything like that when you were a marketing guy? What are you, some kind of reformed smoker? What would you have them name the webinar: "PCI is hard and our stuff can only help a little"? Give it a rest. Also, a little respect for the people they are marketing to. I think they realize what is what and can separate the bull from the cream. To Misha: hey, at least Mike gave you some PR. I understand your frustration, but instead of pointing at everyone else, say we stand by the name and that does it. Most of all to my buddy Farnum: dude, we know what you do, it is just a question of price. If those Venus Fly Trap marketing people weren't drawing people in, you would have to have a second job to feed the family and may not have the leisure time for blogging.

But seriously folks, marketing people have a hard job too. It is not that they are not technical or don't understand what is involved in PCI compliance or the like. It is their job to make these webinars appealing. I don't think most marketing people think of what they are doing as being misleading. They try to make these webinars deliver as advertised, the same way engineers try to make a product work as intended. Let's understand that it "takes a village" to develop, market, sell and support a product. Everyone has their job to do and for the most part do it the best they can and, again for the most part, with the highest of professional standards. Thinking that marketing people are slimy fly traps does a disservice to them and to the people they market to, and frankly comes across as self-serving arrogance.

April 25, 2008

IT Hot Topics Conference, May 15th and 16th Greensboro, NC

Just a quick note on some recent events I will be attending. I am really psyched to be moderating a panel on NAC (does that mean I can give all of the panel a hard time?) at the IT Hot Topics Conference 2008 at Grandover Resorts & Conference Center, in Greensboro, NC. I also get a chance to play golf on a great course, the afternoon of the 16th! You can read more about the conference and some of the other guests and tracks on Jennifer (JJ) Jabbusch's blog here.

Also, I am at the Intrusion World Conference & Expo May 14th at the Baltimore Convention Center. I am speaking on a number of topics. You can check out the site for details.

If you are attending either of these, stop by and say hello!

Spear Phishing with Better Business Bureau complaints

I received the following email yesterday purporting to be from the BBB. It looked phishy to me, so of course I did not click the link and did a little investigating. However, I could see how someone would be fooled on this one, thinking someone filed a bogus complaint against them. Almost as good as the subpoena story I heard from a customer last week. Beware of stuff like this!

BBB CASE #841246605

Complaint filed by: Brian Williams
Complaint filed against:
Business Name: StillSecure
Contact: Alan Shimel
BBB Member: YES
Complaint status: -
Category: Contract Issues
Case opened date: 4/20/2008
Case closed date: -

Download a copy of this complaint so you can print it for your records (DON'T CLICK THIS)
On February 23 2008, the consumer provided the following information: (The consumer indicated he/she DID NOT received any response from the business.)
The form you used to register this complaint is designed to improve public access to the Better Business Bureau of Consumer Protection Consumer Response Center, and is voluntary. Through this form, consumers may electronically register a complaint with the BBB.Under the Paperwork Reduction Act, as amended, an agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number. That number is 246-967.
© 2008 US.BBB.org, All Rights Reserved.

April 24, 2008

SC Magazine article on clarification of PCI requirements

Martin and a bunch of others have written about the recent clarifications around section 6.6 and 11.3 of the PCI DSS. Jim Carr over at SC Magazine ran an article on it today that he interviewed me for. While I am not the PCI expert Martin is, I was happy to contribute my 2 cents (ain't I always).

Anyway, sounds to me like these new clarifications are going to wind up with a lot of web application firewalls being sold.  Here at StillSecure we are thinking about some ways to take those to the next level as well. Hopefully we can announce something soon on this.  Overall, just another indication that right or wrong, compliance is driving a lot of the spending in security today.

April 23, 2008

An old/new kind of cybercrime/cybercriminal

I was reading Ellen Messmer's report today about the security incident over at Lending Tree. Yeah, I know another information breach by insiders case, BFD.  But I think there is something different about this one.  From what I am reading this is more a case of corporate espionage than the usual hackers for fraud and financial gain type of deal.  For a long time now we have been hearing from people like Bruce Schneier in this article talk about the front in security moving from dealing with script kiddies working for kicks to organized cybercriminal gangs that are in it for financial gain. Mostly the gain is about identity theft and gaining access to funds fraudulently.

In the Lending Tree case though there was evidently not a motive to use the ill-gotten information for identity theft or fraud.  Rather, they represented Glengarry Glen Ross leads: the names, contacts and qualifications of people looking for mortgages.  A mortgage company would consider these leads more valuable than gold, more valuable even than gasoline!  So to my mind this is more a case of corporate espionage, where a company competing with Lending Tree infiltrated their networks through people rather than technology to gain access to their corporate crown jewels.

This sort of stealing your competitors' information has been going on for decades, well before computers and cybercrime were around.  However, this is a great example of some things not going out of style.  Obtaining your competitors' information is a great motive; computers are just the container where the information is kept.  Sort of like cracking a safe.  It is always easier getting into a safe if you are given the combination than if you have to crack it yourself.

Yet another front in the cybercrime war that security folks need to be on guard for!
