31 posts categorized "Martin McKeay"

May 07, 2009

Social Security Blogger awards video

As I wrote about earlier, this was the first year of the Social Security Blogger Awards. Rich Mogull did a great job lining up a blue-ribbon panel of judges, and I think the winners of the awards were very deserving. You can see the complete list of winners and the full video on the RSA conference blog here. But here is just part 1 of the video with Rich, Martin and then me:

This first year's awards were a learning experience in many ways. I hope that we can take the lessons learned and improve for next year!

March 27, 2009

Thanking the sponsors

As most of you know, this year's Security Bloggers Meet up at the RSA conference is going to be quite a party. In addition to the usual food, drink, podcasting and mingling among the who's who of security blogging and media, this year we also have the Social Security Awards. The Social Security Awards are the security blogging awards, and we have over 1500 blogs nominated in the 5 categories! At the end of this month the finalists will be handed over to our all-star panel of judges, and the winners will be announced at the awards ceremony at the meet up.

Yours truly is the MC for the awards. I had invited Beyonce to come down and do a musical number with me à la Hugh Jackman at the Oscars, but she was busy and I don't think she will be at the meet up. But you never know. If not, perhaps Martin McKeay, Rich Mogull and I could do an "If I Were a Boy" musical number ;-)

Anyway, what I wanted to say before going off on that tangent is that none of this would be possible without the very generous sponsors who have donated money, equipment and services. In these tough times, putting on an event this size is not cheap. Also, though not listed, a special thanks to the RSA conference folks themselves, who have given so much to make this event a reality. Thanks to all of them!

Our latest sponsor, Seagate, is donating prizes for the Social Security Award winners and now has given us a NAS as a door prize as well! How cool! Now if we could just get a nice package of prizes and gifts for the event organizers!


December 15, 2008

Repost: The Social Security Blogger Awards

I posted this a few weeks ago, but we are getting near the end of nominations. If you have not done so yet, please be sure to nominate your favorite security blogs for the Social Security Awards!

Another dream of mine becomes a reality. One of the things I have long thought of doing was starting a security bloggers awards program. With over 200 blogs in the Security Bloggers Network, some recognition for the best of the best would be great. There are so many great security blogs out there, with so much great content, that in my mind it was only natural that we have some sort of recognition for the very best. How to do these awards without making it a popularity contest, though? Where and when to hold an awards ceremony? Logistics, statistics and such.

It all came together this year. Working with my fellow Security Blogger Meet up committee members, Jennifer Leggio, Martin McKeay, Rich Mogull and Jeanne Friedman, we have made the Security Bloggers Awards a reality! I am proud to give you the "Social Security Blogger Awards". Pretty cool, huh?

This initial year of the Social Security Awards will feature awards in 5 categories:

* Best Security Podcast
Who is the voice you listen to week after week?
* Best Technical Security Blog
Who is digging deeper than anyone else?
* Best Corporate Security Blog
Which vendor's contributing the most to the blogosphere?
* Best Non-Technical Security Blog
Who's got the best 30,000-foot view?
* Most Entertaining Security Blog
Who keeps you riveted? Or who makes you laugh?

We will allow readers to nominate specific blogs, come up with finalists and then have a combination of reader votes and a blue-ribbon panel of judges. The judges we have lined up are:

* Brian Krebs, Washington Post
* Bill Brenner, CSO Magazine
* Kelly Jackson-Higgins, Dark Reading
* Dennis Fisher, TechTarget
* Jeremiah Owyang, Forrester Research

There will be awards and surprises at the awards ceremony, which will take place at the Security Blogger Meet up at RSA this year. You don't have to be a member of the SBN to be nominated, but like the old man says, "it couldn't hurt". If you would like to nominate your blog, or have someone else nominate you, you can use this picture and link to http://www.socialsecurityawards.com

For those of you wondering, I and the rest of the committee and judges are not eligible to be nominated or to win any awards. Also, in case you are wondering, these awards are not for sale and you can't buy your own category ;-)

Anyway, I am really proud to see this idea becoming a reality. I hope that it will be a great program that will grow better year after year. For now though, what are you waiting for? Go nominate your favorite security blogs!

Author's note: Martin posted some good articles on this at the RSA Bloggers meet up site and his own blog, even if he did steal my graphic.


November 03, 2008

Came across this press release today

RENOWNED SECURITY BLOGGER MIA SINCE TAKING JOB

The Pragmatic, Inciteful Mike Rothman Has Gone Missing From His Blogging Since Taking a "Real Job"

(Alpharetta, GA. – November 2, 2008) – The mouth of the south, renowned security blogger Mike Rothman, has turned up missing in action shortly after announcing his acceptance of a full-time position as a vendor puke with eIQ. Several inquiries have been made, but even "the boss" has been mum on his whereabouts. Several prominent security experts are already suspecting foul play, and some even whisper of some sort of left-wing conspiracy.

Rothman originally sounded optimistic about continuing his blogging workload and not abandoning his legion of fans in the RSS feed world. However, it appears that a "real job" has proven more than he had bargained for. Could it be that, after so long making fun of others who blogged in addition to their full-time jobs, the task is more daunting than Mike could handle? Could the Security Twits have kidnapped him? Where is Mike Rothman?

Other rumors flying around the blogosphere have reports of Rothman sightings. One report had him canvassing door-to-door on behalf of Ron Paul in Montana. Still others say that Rothman has been in an "undisclosed location" (the same undisclosed location Dick Cheney uses) working on Barack Obama's cybersecurity plans. Rothman's name has been floated as a possible Czar in an Obama administration. Some are saying Mike was holding out to be the Sheik of cybersecurity, not the Czar. Others say Mike was far too pragmatic to get mixed up in politics.

Several other well-known security bloggers were asked to comment on Rothman's whereabouts:

Chris Hoff of Rational Survivability said, “I hope and pray for the best for Mike. Unfortunately my suspicion is that he has been virtualized and sucked up into the cloud. We all know how insecure that can be.”

Martin McKeay of Network Security Blog said, "You know, Mike always made fun of my privacy views, but for once I wish we had a way to get past privacy laws and find out what really happened to Mike. I may have to don my purple tights and Captain Privacy suit to lead the search for Mike."

Rich Mogull of Securosis had this to say: "Mike did ask me for a hazmat suit that I used for the Democratic convention. I hope something did not go terribly wrong and Mike winds up as a green, muscular super hero."

Amrit Williams of Techbuddha had nothing to say at all about Mike. In fact he said he never really liked Mike anyway.

JJ of Security Uncorked said, "I think Mike is just holed up somewhere in the Deep South working on the next set of 802.1x standards. But if I don't start blogging more, they may be putting out MIA releases on me next."

Richard Stiennon (sorry Rich, couldn't find your blog URL) said, "Though I am sorry to see Mike's disappearance, it does leave a real vacuum for blogging security analysts, and Stiennon's first law is 'blogging abhors a vacuum'."

Alan Shimel of StillSecure, After all these years, put perhaps the finishing touch on the Rothman situation, saying, "You know, Mike was a fast-talking NY guy who always spoke his mind. His up-front, in-your-face style might have just rubbed someone the wrong way. He could very well be the security industry's Jimmy Hoffa. But you know, being the huge Giants fan he is, I am sure he would not mind being buried in the end zone of the new Giants Stadium."

In the meantime, a Ten ($10.00) Dollar reward has been offered by the Security Bloggers Network for any information leading to the whereabouts of Rothman. Anyone with information regarding this mystery can email podcast@stillsecure.com. All information will be kept confidential, as well as HIPAA and PCI compliant.

**All names and quotes are purely fictitious. Who knows where Rothman really is?**

May 31, 2008

Not "who you gonna run to" but "who you gonna call"?

You could try Ghostbusters, but don't bother calling the PCI council. So say Mike Fratto and Martin McKeay in response to my earlier article about when you have an obligation to go public. Of course, I was responding to Martin's earlier post on the TJX employee getting fired. What all three of us agreed on, though, is that there is no place or person that an employee, or frankly anyone else, can call to report a company that is not in compliance with PCI.

Mike Fratto says "PCI has no teeth because VISA/Mastercard doesn't want to bite the hands that feed it." Martin says the PCI council has not established a way for people to report violations because "that'd make the Council responsible for acting on those reports. And that's something they really, really don't want." So are the PCI regs toothless? I wouldn't exactly go that far. I think we have to draw a distinction between having the power to act and actually exercising that power. Mike is right: so far the PCI council has yet to exercise the powers it was granted to impose sanctions and penalties. That doesn't mean it won't in the future, though. I think it will have to make some "examples", otherwise people are going to begin to ignore the requirements altogether.

Without some process to report violations, the credit card companies are inviting the government to step in. This is exactly the reason, as Mike Fratto points out, that they imposed the PCI regs to begin with: to keep the government out. Until they do, though, I think going public and the court of public opinion may be the only recourse.

May 30, 2008

When do you have an obligation to go public?

No, not IPO public, but public about disclosing employer secrets which could pose a risk to the public. My friend Martin McKeay has written an article on the recent firing of an employee of TJX for disclosing, in a public forum, continued poor security practices by TJX. The same TJX, I might add, that as a result of slipshod security practices caused hundreds of thousands of dollars, if not millions of dollars, in bank fraud to occur.

Many have categorized CrYpTiC_MauleR, the employee who disclosed the information on hackers.org, as a "whistleblower". The term whistleblower is a term of art and in many circles will invoke some special immunity for the person who disclosed the confidential information. However, usually the disclosure of this information is made to a person or entity with the power, or at least the willingness, to take corrective action. In this case, I think that is the missing prerequisite. Just disclosing this information on a public message board does not meet the burden of defining this as whistleblowing. I think Martin is right on there. He says CrYpTiC (if I can call him that) was not a whistleblower in the strictest sense of the word and is not due any protection. He is just another person who violated his employment terms, and his termination by TJX was perfectly justified. Let me say that I don't disagree with Martin about TJX having the right to fire CrYpTiC. They certainly do.

I have a problem with Martin when he says that CrYpTiC should have done what he has done, and that is keep your mouth shut and move on to the next opportunity. I think, depending on the level of wrongdoing, not only is that wrong, but by willfully withholding certain information from the authorities it could make you guilty as an accomplice! Think about it, Martin: if you knew your employer was committing a crime and you just quit your job rather than report that crime, you are an accomplice. When does the responsibility for the general good outweigh your obligation to your employer? Is sticking your head in the sand and moving on, while letting illegal or irresponsible behavior go on, the right posture? I say not.

I think CrYpTiC felt strongly enough that what TJX was doing was wrong that he posted it publicly. Though he did it anonymously and did not think it would be traced back to him, he felt strongly enough that what TJX was doing was wrong that he wanted the world to know. When he made that decision, he also made the decision that letting the world know the truth was more important than his job at TJX. I am sure the potential future victims of TJX fraud who will now be spared that loss would thank him for it.

Martin, there comes a time where keeping your mouth shut and moving along does not cut it. You have a duty to alert the proper authorities for the greater good of the public. The question is, when does your duty to disclose surpass your duty to keep your employer's information private? I think that is a personal question that all of us have to answer ourselves. Clearly criminal activity should be disclosed, otherwise you risk criminal exposure. Beyond that it is a judgment call. But saying not to disclose and just move on is appeasement at its worst.

The real question is why the PCI council or the government doesn't have a forum for people like CrYpTiC to go to in the future. That is what is needed!

February 14, 2008

StillSecure, After all these years, #53 - SSAATY meets the Network Security Podcast

September 06, 2007

The new Abbot and Costello?

One of the things that has made the SSAATY podcast enjoy any degree of success (in our own minds, anyway) is the fact that rather than just me talking, I was smart enough to ask Mitchell Ashley to join me as co-host. Originally Mitchell was sort of Ed McMahon to my Johnny, but over time our close personal friendship and interaction has resulted in our being equal co-hosts of the show. I know that the energy we generate from our interaction is what powers our podcast and makes our guest interviews interesting as well. The same goes for my friends Paul and Larry over at the PaulDotCom podcast (they actually have an even bigger cast, and I have their new book, trying to find time to read it and review it). So I am very happy to see that two friends of mine have teamed up on a podcast. Martin McKeay, one of my first friends in security blogging and whose podcast I first appeared on, and Rich Mogull are teaming up, with Rich as co-host on the podcast. The first episode was just posted.

I am sure that Rich will add much to Martin's already great body of work. I think they will both find that 1+1=3 when it comes to podcast co-hosts. After going solo for so long, Martin will find that having someone else to bang ideas, banter and thoughts off of is going to make the podcast much better. Rich is a guy who has opinions on security for sure, but can tell a good story as well. I wish both of them luck, and if you get a chance, check out their show for sure!

July 19, 2007

Stop the craziness

I have remained silent on the whole Apple Worm/InfoSec Sellout/LMH-Maynor thing so far. However, I have now read an article in ComputerWorld, in addition to Martin's early, erroneous CW article, Cutaway's post and finally this blog post, and Dave Maynor has finally responded on his blog, calling bullcrap on the whole thing.

My take on this is that the sellout, though he said not-nice things about me, was afraid to identify himself because it would cost him his job. When he announced this Mac worm, things spun out of control; there was too much heat for him and it risked blowing his cover. From that point on the buzz spun out of control. Too many people were trying to figure out who he was, and the next thing you know the site is pulled down. He had a thing for Dave, so people start looking at motive and Dave is their man. So with the armchair Perry Masons running wild, sellout sees a perfect opportunity to capitalize and take the heat off of himself. Next, emails start showing up, allegedly from Maynor, that he is in fact LMH.

Guys, let's stop the madness. Dave Maynor is not LMH, and neither is sellout. All of you armchair detectives, back in the box. If there ever was in fact a Mac worm, who cares frankly at this point. It is amazing how these things spin out of control.

June 06, 2007

To each his own . . .

Martin anticipates me weighing in on an article by Chris Hoff on a new ad by Big Fix that ran in USA Today. I paste the picture of the ad here strictly for context, of course!

Do I think it is sexist? Yes. Is this the image I would want to convey for my security company? No. Let me ask this question: if it was a hot blonde in a bikini, would it be worse? Not sure. Does the big gun in her hands signify anything? Don't even want to go there. Is she a Vulcan or a Shadowrun Elf? Does it really matter? Maybe there is an inside story on this that we are all missing. Ryan, Amrit, is there anything we are missing? Is this a representation of anyone who works there?

The bottom line for me is, I don't think our marketing team would want to invoke this kind of image. I am sure the Big Fix team did some extensive research and know that this type of message and image is exactly what they are "shooting for" and appeals to their intended audience.
