The Daily Incite – 12/09/09 – Plunger Tales

Today's Daily Incite

December 9, 2009 – Volume 4, #37

Good Morning:
Like many of you, I’ve got some friends that are pretty hardcore geeks.
They measure not just aggregate number of computers in their house, but
also the ratio of computers to people. Some are in the 1.5-2 range, and
others have embraced personal virtualization, so their ratio is off the

But that isn’t a relevant measure for me. I’ve got my share of devices
and I’ll be building a lab over the next few months, so my ratio will
dramatically "improve," in the eyes of my geeky friends anyway. But I
was reading an interview with Tom Petty in Rolling Stone last night,
and he made a statement like "it really was better back then."

You thought your job was bad...Now, to be clear, lots of
things are better today than they were. Connectivity, computing power,
content have all improved. One place where we’ve taken a huge step back
is flushing power. That’s right, I’ve got angst this morning about the
current state of toilets. Don’t laugh, this is a serious problem.

You see, I eat a lot of roughage. Being a vegetarian, there isn’t much
else for me to eat, but it’s also good for my digestive system and
helps keep my mass in control. But there is a downside to all that
roughage. I don’t just drop the kids off at the pool, I drop a

Today’s low flow toilets are not built for guys like me, who are not
small and eat a mostly green diet. With a clog rate hovering around
75-80%, I need to have plungers. EVERYWHERE. I basically
have close to a 1.5x plunger to bathroom ratio in my house. Well, for
most clogs the mini-plunger will do and each bathroom is outfitted with
one as standard equipment. But sometimes you need specialized tools,
like the plunger with flanges. Or maybe the orange plastic one that
looks like an accordion. I’ve also got 2 different snakes for when plunging
doesn’t get it done.

Yet, sometimes even a toilet snake doesn’t work. About once a year
(usually corresponding to one of the kids trying to "hide" an entire
roll of toilet paper in the toilet) I have to get out the heavy
artillery. I have a device that uses compressed air to pretty much blow
anything stuck in my toilet clear to the treatment plant. Now that is
cool, but I have to remember to wear my Intel bunny suit to keep

Thankfully my kids haven’t figured out the meanest thing they
can do to me is to hide the plungers. And I’m counting on all of you to
keep my secret. I guess that’s kind of like my Kryptonite.

I think maybe the Europeans have this one right. They don’t worry about
low or high flow. They just figure if it can be solved with a toilet
brush, it’s not really a problem.

Have a great day, and may the force be with your alimentary canal.

Photo: "Poopy the Plunger" originally uploaded by zoomar

Incite 4 U

  1. Cloud security is overblown – Sometimes I just have to laugh at
     some of the stuff I see in the trade rags. I dug this InformationWeek
     blog post from Alexander Wolfe out of the archives because after baring
     my soul about my plunger issues, I figured I needed to take someone
     else to task for a good dose of idiocy. This guy’s position is that
     cloud security may be overblown because we already have an answer –
     encryption. That’s the answer to everything. We’ve already got the
     architecture, and if we’d just encrypt everything it doesn’t matter
     where it resides, right? Uh huh. I guess Hoff needs to find something
     else to do now, since all the thinking he’s been doing about cloud
     security isn’t relevant. Having barely survived the PKI wars in the
     late ’90s, I can’t say much besides that encryption isn’t a panacea
     for anything.
  2. Next year’s PCI emerges – Many in the security industry are looking
     for what’s next. What’s going to be the next attack, regulation,
     widget, etc. to spur sales of products that no one needs. I think I
     found it: it’s the HiTrust CSF. Neil Roiter does a bit of work to
     describe the opportunity to security resellers. Now to be clear, the
     concept of a framework to protect healthcare information is valuable.
     I’ve got no issue with that, but I’m already playing out the fiesta
     driven by the industry parasites to make whatever widget they are
     selling today a "key" part of the HiTrust CSF. Of course, healthcare
     organizations will be able to be "certified" through a HiTrust
     certification program. Which will likely mean as much as PCI compliance
     or a SAS 70 audit. But I guess I shouldn’t complain, I’m just another
     one of those parasites, feeding off the fat of the land, calling
     everyone else a parasite.
  3. Time to start looking for the BBD? – Over the past 18 months, many
     security folks have basically kept their heads low and tried to make
     sure they weren’t on the list to be downsized. But now with the economy
     (seemingly) improving, does that mean it’s time to start looking for
     the bigger, better deal (BBD)? It depends. In this CSO article, Jack
     Phillips from IANS voices the concerns of large company CISOs that are
     worried their employees might look for greener pastures elsewhere.
     If you are staff level, I think how your company treated you during the
     downturn is instructive. If you felt abused and like a piece of meat, I
     suspect it won’t get better during the upturn because that is a
     cultural issue. The words may change, but the behaviors likely won’t.
     For managers, unfortunately now is the wrong time to try to make it
     right for team members. If you treated (or were forced to treat) your
     people like crap, blaming the economy and just letting it happen, you
     will reap what you have sown. When those employees find something
     better, don’t wonder what happened. And build a culture where people
     want to work there, regardless of the economy.
  4. Quant comes to the database – I’m a fan of the work Rich and Adrian do
     in their "Project Quant" initiatives. Every security person struggles
     with understanding the relevant metrics to track both security and
     operational efficiency. So spending time to decompose the actual
     process behind a function and look to quantify those functions (by
     having folks in the community share their own data) is valuable. The
     Securosis guys started on the patch management front and are now
     focusing on database security. This post represents early work on
     establishing the process model for database security. I suspect the
     goal is to build Quant models for all the major aspects of security,
     which will be a great thing for all of us that still can’t answer the
     questions about whether we suck at security or not. At least from an
     operational perspective.
  5. How deep is the moat? – Many of us security talking heads spend a lot
     of time focusing on what’s next. So things like application security
     and database security are big issues. Unfortunately most of the world
     is still trying to figure out how an IPS works. Far too many may have
     spent some time building a moat (in terms of a perimeter security
     strategy), but really have no idea whether it works and if they are
     protected from the badness "out there." This piece by Joel Snyder on
     SearchSecurity reminds us about how and why to validate those
     perimeter defenses. Now to be clear, the cutting edge stuff represents
     real attack vectors and I’m not minimizing the importance of those
     aspects. I’m just reminding myself (and maybe all of you) that most
     organizations have no idea how to test their defenses, and they really
     need to learn.
  6. Security and Business Strategy, huh? – I’m constantly reminded that
     most security professionals still think it’s about the bad guys. They
     are our foils and provide us with innovative attacks to keep us on our
     toes, but we always need to remember security is a means to an end, in
     that ultimately we have to contribute to helping the company either
     make money or save money. Here is a link to Part 1 of an interview with
     SANS’ Stephen Northcutt talking about some of these issues. I also like
     to ask security folks whether they know their company’s mission
     statement and how often they get face time with business leaders. For
     those that don’t understand their business, they’ve got a very small
     shot at being
  7. Finding the impact of what we do – The always entertaining Shrdlu
     goes on a bit of a tirade here about the "meaning of metrics" and before
     Thanksgiving did a far better job than I have to isolate the issues
     with how we count things. The reality is we tend to focus on things we
     do, not the IMPACT of what we do. I’ve long held the belief that
     security folks have to really manage two sets of "metrics." There are
     operational metrics that indicate how well we do security. And there
     are other metrics that need to quantify the real business impact
     (either positive or negative) of what we do. Business folks don’t care
     about operational metrics, but they sure do care if they can’t take
     orders because some hacker group has poked huge holes in the e-commerce
     application. Operational metrics should be reasonably consistent
     regardless of what business or size of company you are in. Impact
     metrics will be very specific to your company and depending on culture
     may or may not be consistent even within your vertical. For better or
     worse, the success of most CISOs is directly correlated to how well
     they understand the impact metrics.

*** This is a Security Bloggers Network syndicated blog from Mike Rothman's blog authored by Mike Rothman. Read the original post at:

Mike Rothman

Mike is a 25+-year security veteran, specializing in the sexy aspects of security, such as protecting networks and endpoints, security management, compliance and helping clients navigate a secure evolution to the cloud.