Editors Note: We don't know who this is.. But I like the cut of his Jib.
But here is to hoping he writes some more in the future.
Note: if you're pressed for time (and aren't we all?), just look at
the end of this article for the 'too long; didn't read'
It's that time of year where right minded folks think back of what
transpired for the past twelve months. And so I have... please dear
reader, take a few moments and listen to my ramblings.
I regret to inform you that this posting is being written in my hidden
lair (aka the room I had prepared for use as my Y2K bunker). And
while it certainly is less comfortable than my den, it's entirely
apropos. You see, there's a 'secret' that we both know -- and it's
this: The wheels have fallen off the bus that is the information
security industry -- and nobody seems to have noticed.
I'm sorry to have laid such a bombshell at your feet like that. Let's
backpedal a bit and discuss why we find ourselves in this sticky
2011 started off as a decent year, with nothing really
earth-shattering happening. If anything, it was a bit on the boring
side. And then in the spring, the reports of the hacks started
rolling in. "Never fear" some industry pundits said "it's just a slow
news cycle, remember that summer where all they talked about was
sharks?" I for one am glad that news has picked up and than we can
now put all this hacktivism this behind... oh what's that you say?
Massive breaches are still happening? Well there goes that argument!
I'll save you a rehash of what was arguably a horrid year for our
industry... but I will say this, I pity the Verizon data breach report
team. I fear this next edition will look less like a business
document, and will likely be a massive volume, perhaps as thick as the
the TCP/IP Illustrated books. (Someone do a kindness to the Verizon
data breach report group and get them a thesaurus. They're going to
need help coming up with so many different ways to say "PWNED!")
The thing that's got my kickers in such a twist though is how cavalier
the industry has been about this entire year of repeated failures.
The perfect example of this is HB Gary. No, I'm not going to recount
that train-wreck... but i will say this. If you get so completely
compromised that your name becomes a synonym with fail, at least have
the common decency to be humble, learn from the mistakes, and then
share what you've learned with the industry. But no! They were at
Black Hat Vegas this summer -- months after "The Breach" giving away
(For the record: members of the PaulDotCom team have *repeatedly*
asked to speak with HB Gary... and next time we're going to save
everyone's time and interview a Chia Pet instead. It certainly will
be more informative!)
At this point, I'm risking an aneurysm I'm so frothing mad. So I'm
going to calm down a bit...
Now we find ourselves in an interesting bind. We certainly can
continue down this path. After all, it seems that many institutions
appear happy to stay the course, doing things in the manner we've
always done in the past... specifically throw more money into the
insatiable maw of threats, adversaries, risks, and of course vendors.
And while it's unkind to be so blunt, many of the people in the
information security business will profit greatly from this. (It's
crass to discuss so base a thing as money, but it's my belief you may
find yourself making handsome returns in 2012 investing with so called
'industry leaders' -- after all there's plenty of meat on the bloated
carcass that our industry has become.)
However, I fear this "traditional" approach (a.k.a. throw money at the
problem until it goes away) is very much an analog to armies going
'over the top' into no man's land during WWI. We know the machine
guns will cut us down, why not do something unexpected? I like the
active defense/hacking back things I've heard about on this site.
I've been interested in this unconventional approach, but like you...
I've not done anything other than listen to the 'sales pitch'. My
career resolution for the next year is to actually enact some of the
active defense mechanisms that the PDC crew have mentioned on their
podcasts, videos, and conference speeches.
The game simply has to change. Us good guys are getting slaughtered.
We need to do not just a better job of what we're doing... we need to
do something altogether different. We need to all up our game.
Stay tuned for more ideas and rants on this and other topics.
May the next year treat you better than this one did! (but prepare for
If you'd like to email Ranty McRanterson, email the PaulDotCom crew --
psw at pauldotcom dot com -- and they will track him down.
TL;DR: The first half of this year was almost forgettable. That
changed this spring... in a big time way. Breaches and attacks have
gotten worse and worse... not much end in sight. The good news is
that infosec pros can actually help make things better... but it will
take hard work. Let's all start doing things differently and enact a
few of the active defense measures that the PDC crew -- and those like
them -- have been talking about. Now is the time of action!