Mixed emotions

On July 29, 2006, in news, Security, by

Mixed emotions.

There’s no other way to describe the feelings about this.

And even more after reading these links….



I’m just reminded of the mixed emotions I felt when hearing that the Sysinternals guys were bought out by Microsoft….

As far as Dr. J leaving… good for him; like Michael says, his schedule was brutal… but the mixed emotions are totally and purely selfish ones… there was always a feeling that here was someone behind the wall that was “MVP” like and spoke with an independent voice… one who spoke for the customer.  Oh, there are still more behind the wall that are like him… but it still means I have mixed emotions nonetheless.

… several years back as a naive geek I went in search of the Security answers.  I wanted to harden my server and I figured those folks who did this in big server land had all the answers.  So I joined this online group that was going through hardening guides to come up with a consensus.  The Center for Internet Security.  And I’d get up to call in at 7 a.m…. which if you know me means I have to be up, showered, dressed, and as soon as the call is over I’m off to work… so that means I’m getting up way earlier to get ready… and I’m not a morning person.  I was a several-year SBS MVP by that time, into watching Patch Management, not sure if I had gotten my GSEC from the SANS org by that time… but nonetheless I was this padawan looking for guidance from those that had all the answers.

I mean someone must know all the answers about … like if I disable that service exactly what programs need that and would complain, right?  I mean someone has figured all this stuff out right?

uh… well… no.

I soon figured out that given the complexity of software, and the fact that my vendors never tried to code securely in the first place, no one really knew if I turned that THING off whether something would blow up on me.  And in those phone conversations, I could tell that the folks on the call really respected the folks from Microsoft.  They knew they were going to get honest answers and no fluff or spin.  I still remember one person in the group commenting on how they felt Microsoft had made great movement towards Security… and a great deal of that belief was due to interactions with the folks from Microsoft who gave the “face” to the corporation.

So as I listened… and piped in timidly when I felt worthy (yeah I know… you are probably going TIMID?  Susan?  Ms. 2×4?  Has she ever been timid?  But this was before the blog era, and going into an impressive venue means you lurk for a while before you make a fool of yourself)… and as I realized more and more that I had to harden myself… and learn myself… and there wasn’t any silver bullet or easy button to help me.

I was extremely honored to be a reviewer of his and Steve Riley’s book, Protect Your Windows Network.  It was a blast to get chapters and then make comments (hopefully they felt the same about my comments)… it was like standing in front of Leonardo da Vinci and Michelangelo and giving a critique.

My extreme best wishes in your new position… Amazon.com is fortunate to have you on their team.

… uh… this now means I need to log in and change that password, because my Amazon.com online book buying password is soooooo old and sooooooo sucky it’s really and truly embarrassing.  And while many of us don’t have a unique password for every online site (let’s be honest, shall we?  We typically have a base password that we then make a derivative of for other sites)… this one on Amazon… he’d truly be severely disappointed in me if he saw how truly and utterly sucky it was.

There’s no other excuse other than laziness for not changing it.

Oh yeah… he’s needed there… there’s no password complexity recommendation page, nor guidelines for setting a good password… in fact they needed to force me to change my password a long time ago… I’m not sure if that will be his job… but if not… I think I figured out what he needs to do on day one.

In the meantime… one really really sucky password has now been changed:

You have successfully modified your account!


One Response to Mixed emotions

  1. alunj says:

    Your password should be as strong as is required to protect the assets behind it.
    Any time you create a password for a site that stores your credit card, and can be used to buy valuable stuff and send it to a random destination (as opposed to buying a limited range that gets sent only to your home address), you should think about increased strength.
    Your password should be renewed as often as is required to protect against someone guessing, deducing, or being told, the password.
    If your password is derived from a password you use at other sites, then the administrator of any of those sites may be able to guess how to get into your account at any of the others. A unique password does not suffer from that problem; a unique, strong, random password is so unlikely to be guessed at that you may not need to change it during the lifetime of the account.
    Password changes – this is a dirty little secret – are mandated mostly to protect against the subtle spread of damage caused by people sharing their passwords with one another.
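The two points in the comment above (a per-site password derived from one base is guessable by anyone who sees the base, while a unique random one is not and barely needs rotation) can be made concrete. The script below is an added example, not code from the post, the commenter, or Amazon.com: it generates a per-site password from the OS CSPRNG, puts a number on its entropy, and flags a "derivative" password by checking how long a run of characters it shares with one already known to an attacker. The sample passwords, the 6-character threshold and the guessing rate are constructed for illustration.

```python
"""Per-site random passwords versus a shared "base" password.

Added example (not from the original post or the comment). The sample
passwords, threshold and guessing rate below are constructed values.
"""
import math
import secrets
import string

# Printable ASCII without whitespace: 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG (secrets, not random)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(|alphabet|)."""
    return length * math.log2(alphabet_size)


def expected_guess_years(bits: float, guesses_per_second: float) -> float:
    """Average time to hit a uniformly random secret: half the keyspace."""
    return (2 ** (bits - 1)) / guesses_per_second / (365 * 24 * 3600)


def longest_common_substring(a: str, b: str) -> int:
    """Length of the longest substring shared by a and b (DP, O(len(a)*len(b)))."""
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def is_derivative(candidate: str, known: str, min_shared: int = 6) -> bool:
    """True if `candidate` reuses a run of `min_shared` or more characters from
    a password an attacker already holds (leaked, or visible to a site admin).
    Case is folded because "Summer" vs "summer" is a trivial variation."""
    return longest_common_substring(candidate.lower(), known.lower()) >= min_shared


if __name__ == "__main__":
    # Constructed sample: one base password varied per site, as the post describes.
    leaked_on_site_a = "Summer2006!ebay"
    used_on_site_b = "Summer2006!amazon"
    print("derived password detectable:", is_derivative(used_on_site_b, leaked_on_site_a))

    unique = generate_password(20)
    print("random per-site password:", unique)
    print("derived from the leaked one:", is_derivative(unique, leaked_on_site_a))
    bits = entropy_bits(20)
    # 1e10 guesses/s is an assumed offline-cracking rate, not a measured one.
    print(f"entropy: {bits:.1f} bits; mean years to guess at 1e10/s: "
          f"{expected_guess_years(bits, 1e10):.2e}")
```

The `is_derivative` check is the attacker's view of the "base password plus site name" habit: once one site's password is known, every other site's is a short edit away, which is exactly why the comment says uniqueness removes the problem that rotation only papers over. The entropy figure is only meaningful for a uniformly random password; a human-chosen one of the same length is far weaker than `entropy_bits` reports.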