beaker
This blog has permanently moved (April 2009) to http://www.rationalsurvivability.com/blog
Chief Security Strategist, Architect, CISO, Security Mechanic* and Evangelist/Prophet, Brick layer, Priest and Short Order Cook... *Used to be visionary, but the Union called & revoked my membership ;()
Interests: Small caliber firearms, power tools, interests? anything with wheels and an engine that puts me in harm's way - supercharged small blocks, motorcycles and 125cc shifter karts, especially. kentucky bourbon, tennessee whiskey and fine sipping rums. cigars -- usually the kind that curl your toes and put hair on your palms. paintball, jambalaya and bbq'ing anything that at one time had a face and was not in the same genus/species fork as i am/was.
Recent Activity
beaker is now following The Typepad Team
Mar 15, 2010
Emil: I appreciate your comments. I also appreciate the marketing efforts that went into this announcement, but I respectfully suggest that our definitions of "transparency" given the "simplexity" of the solution presented by The Spreadsheet Store example are not congruent. Clearly we agree about the hybrid nature of Cloud and its benefits, but we're going to end up with Clouds on Clouds on Clouds and while your piece of the pie may "enable" (in your words) PCI compliance, it's really just one move in a complex shell game of attempting to reassign/transfer risk. This isn't YOUR shell game, you're just playing it, but while you provide an excellent service that I happen to like very much, what exactly have you done with Cloud Sites from a service delivery and technology perspective that someone else could not by simply redirecting the credit card in-scope data from touching their resources? Is it really that you're just the first to point out the obvious or can you explain more about how this is so markedly different from everyone else? I'm NOT trying to be antagonistic, but if we're going to discuss this, I'd like to distill it down for my readers. /Hoff
1 reply
Patrick: Your comments are exceptionally kind and humbling. Thank you very much. /Hoff (The AV guy assaulting me with the microphone was pretty funny...esp. since the video is blacked out for the first 3 minutes or so ;)
1 reply
That single description of "capability, applicability and maturity" (and ultimately security/resilience) will contribute to the deflation of value of Cloud Computing and its various constructs.
1 reply
To your points, Scott:
1) My argument was that given the commoditization of "servers," and with virtualization leveling the playing field, it's really not that much of a "radically different" market for them in my estimation. It's a platform. It will be sold as a solution. I don't disagree that it's a market they haven't traditionally sold into (servers) but think of this as an APPLIANCE, which Cisco has sold for years. It shouldn't be marketed or sold as a "server." It's unfortunate that people are calling it such. Further, Cisco doesn't enter a market to be #2 or #3. I totally agree that "servers" aren't a core competency for Cisco, but appliances and platforms are, which is what "California" will be.
2) I don't really understand your point here. Can you clarify what you mean?
3) Agreed. We'll see what happens next week when Sun's strategy changes again. Who knows, perhaps they'll bring back the Nauticus Switch and say they're a security company again... ;)
-- Again, I was picking up on the issue you raised (that others have commented on) regarding the "distraction" theme. I don't think they're distracted at all. I think they're right on target. I originally predicted that we'd see apps running in the Nexus switches natively. "California" makes MUCH more sense, especially with VN-Link and the NX1Kv and what will follow.
1 reply
Awesome points/questions, Roland. The security v convenience trade-offs are getting more slippery these days. I wonder what browser engine the Kindle uses and how vulnerable it may be to web-based exploits and what that would/could mean for the device? I haven't even bothered to Google for Kindle Hacks yet...
1 reply
Chuck: Clearly I recognize VMware's market position. That's not what I am disputing. What I am annoyed with is the notion that "open" and "interoperable" and "standard" really means "if you want to be beholden to us," "if you run on our hypervisor," and "de facto by marketshare" respectively. VMware's clearly not the only company that does this, but they're starting to grate on their customers' nerves. Yes, market leaders enjoy the ability to throw their weight around, but the Cloud is fuzzy enough without polluting the definitions of these words and then hiding behind SoX/Fair Harbor statutes and not releasing details or dates on these supposed "open, interoperable standards." It's annoying.
1 reply
Mos def, James...that's what I was hinting about as it relates to the conversion...what happens to the original document? The Kindle (and devices like it) just highlight the impending acceleration of collisions in the enterprise between compliance/security and the consumerization of IT. The iPhone's doing it already. As these devices converge more functionality onto smaller and more portable platforms (as we've seen with "laptops") it will get more and more interesting. Take the use of Netbooks and Cloud...wheeeeeeeee!
1 reply
Bloggus ergo sum. Of course.
1 reply
I'm 5'10. Don't worry about WEIGHT. Concentrate on how much bodyfat reduction you see and muscle you gain. Remember, muscle weighs more than fat. I know people who GAIN weight on P90X -- muscle -- and lose tons of fat. P90X isn't a "weight loss" program... Are you measuring your BF%
Commented Feb 25, 2009 on Progress Pics: Day 90 at Hoff's P90Xperience
1 reply
Allen asked "What would make you trust SaaS providers?" Generally, my CEO or CFO. :( I don't "trust" third party vendors with my data. I never will. I simply exercise the maximal amount of due diligence that I am afforded given prevailing time, money, resources and transparency and assess risk from there. Even if the data is not critical/sensitive, I don't "trust" that it's not going to be mishandled. Not in today's world. I'm not trying to be elusive and lofty in my response, that's just how I roll. /Hoff
1 reply
It's pretty straightforward:
Week 11 was the last time for chest and back
Week 11 was the last time for shoulders and arms
Which means I didn't do those routines for basically 2 weeks prior to starting my second round and those are the routines that give my shoulders the worst time: I have 2 separated shoulders (one class 3 and one class 1) so if you want PAIN, I'll make you a video. When I started the second round, I didn't start with the same weight level as I left off, I upped them all. While I successfully completed the exercises, I also had very heavy BJJ training that week also. The routines in week 12 aren't the same as those in week 12, but that's hardly the point. I overdid the beginning of Round 2 and I didn't take a recovery week between the end of round 1 and starting round 2. As much as I hate the recovery weeks, I now know that was a bad idea. Also, do you have P90X+ yet? If not, you will discover that it specifically says on page 6 to take a recovery week (or 2 or 3) in between rounds and gives a specific recovery workout:
M: 30 mins. aerobic w/ X Stretch (basically what I did today)
T: Yoga X
W: Cardio X
Th: Core Syn
F: 30 mins. aerobic w/ X Stretch
S: Yoga X
S: Off
I'm not suggesting you do anything different, but that's the reason I took the rest of this week and chilled to work on stretching, light cardio and get my body back to normal before I start X+. For the same reason I take a week off BJJ every 8 weeks, it dawned on me the recovery weeks are necessary, whether you like to think they are or not. /hoff
1 reply
I think my reply to Michael (which didn't show as such) crossed the wires with your comment. Spot on and synched, Captain! /Hoff
1 reply
Indeed...which is why you better damned well understand what happens when THAT happens. Nothing particularly new there, right? Proprietary solutions without standards for portability and interoperability must be taken into account whether you're moving to the Cloud or simply outsourcing operational responsibilities of a piece of your infrastructure. Welcome to the nasty realities of vendor lock-in. It should come as no surprise to anyone that it looks the same and has many of the same consequences with Cloud as it does anywhere else. This sort of thing works up and down the SPI model, not just with PaaS, but also with IaaS and SaaS. /Hoff
1 reply
Joel: Did I understand correctly that you think the Berkeley paper gives a more precise and accepted definition of either Cloud Computing or virtualization!? I know Sun is involved as an affiliate sponsor of the RAD Lab, but I respectfully disagree that it's more "fun." ;) 'Twould appear you haven't seen my opinion on the Berkeley paper (or others if you're suggesting that their definition is "accepted") since you posted it here... http://rationalsecurity.typepad.com/blog/2009/02/berkeley-rad-lab-cloud-computing-paper-above-the-clouds-or-in-the-sand.html /Hoff
1 reply
Thanks, Tim. Yup, you were right. You said that you thought I'd get down into single digit BF and I did! Tell me I'm going to win millions in the lotto tomorrow, willya!? ;) I'm still researching CE, but I think I'll do another round of P90X and integrate P90X+ and some Total Body Solutions as well as stay to a more strict diet -- I didn't eat any junk, I just went off the tracking wagon and I think I was bonking too much. Thanks again, /Hoff
Commented Feb 16, 2009 on Progress Pics: Day 90 at Hoff's P90Xperience
1 reply
OH! That discussion about APIs and PaaS was on your blog! ;) Time to go read!
1 reply
Joe: I'd have to add "security" to each layer if I did with the physical; that's why it's currently in the uber-bubble to the left. However, I built this into a slide for a preso. I did and called out/aligned each of the layers with a corresponding security function and physical security (including stanchions, guards, CCTV, keypads, etc.) were listed. Make sense?
1 reply
I believe I addressed all of those elements/issues, Lori. Thanks!
1 reply
JP: There's been a couple of discussions around that very point I've seen fly by over the last couple of days, so I'm going to go catch up on those to gain some more background. I see applications (such as those with web apps & web servers, etc.) that also have APIs, so that's why I added the API layer in the SaaS grouping also. I think that's what the recent discussions were pointing out, also. It may not be a direct "cloud" function to provide this capability, but many of those same apps are moving to the cloud. How would you handle/diagram this notion? /Hoff
1 reply
In regards to BlueLane, the answer is yes, I do think something will come of it. I am intrigued as to what those "practical piece(s) of evidence" are. Care to share? Have you used either the virtual or the Patch Proxy products? I was one of their first customers, so I'd love to hear your practical experience with the technology. I believe, just like with Determina, that the technology will essentially bolster the underlying functionality exposed by VMsafe in the long term. It will help harden the VMM and the rest of the ecosystem can participate in a complementary fashion. Speaking of which, do you think Determina was a "back room VC deal also?" That's where Nand M. and Alex Sotirov (both of whom have left VMware at this point) came from... Besides that, guess who heads up VMware's security efforts now that Nand has moved on? Allwyn from Blue Lane. ;) Not every acquisition has to be revolutionary in terms of how or what it contributes to. If they had BL for a song, then the value they get could pay off in spades. I guess we'll have to wait and see. /Hoff
1 reply
Just so we're clear, despite the current performance, scale and distributed management problem with virtual appliances (of all sorts, not just security,) we're certainly going to see more and more deployed given that the VM/VA *is* the de facto atomic unit of our new infrastructure, even at limited/lower performance. The thing I'm reacting to in Neil's post is the suggestion that security vendors are simply sitting around twiddling their thumbs *rejecting* virtualization. They're not. They may be having difficulty placing those bets and dealing with the problems at hand, but as we both point out visibility and management *are* security problems...and depending upon one's perspective may be more attractive, more lucrative or more easily solved than the "security" problem. In the interim (until VMsafe arrives) we're basically forced into unnatural acts to replicate functionality, but at the same time, with affinity between VMs and *some* policies thanks to the hooks into the VI management piece, we've actually already made progress. ...and there'll be more to come. Fighting it? Just like there are many styles of martial arts, not all of them require a punch in the face to be effective...and so it is with VirtSec. This is very much a time where getting offline and redirecting force makes a lot more sense if you're a vendor. /Hoff
1 reply
@Mark A. Thanks. As frightening as it is to post those, I'm also proud of going from tubby to not so tubby, so I'll take what comes with putting myself out there as a necessary tax ;) @Critter Yes. I am going to integrate P90X+ as well as the 1-on-1 stuff which is great. I'm also going to include some of the Total Body Solution rehab routines for my injuries. I may ALSO try the ChaLEAN Extreme stuff...a different style... We'll see!
Commented Feb 14, 2009 on Progress Pics: Day 90 at Hoff's P90Xperience
1 reply
That's an absolutely valid point, Rafal. Security has sort of gone by the wayside as the megatrends of disruptive innovation have eclipsed some of the more mundane and difficult problems (like security.) I think we're going to see a renewed effort in this area. We have to. As the enterprise flips (quite literally) inside to out in a more pronounced fashion, all the "metastructure" that goes with it will, too. This means we are going to have to really adapt our models and solutions for securing this. It's a long haul, big picture venture, too. This is NOT (as you state) going to happen overnight, but it *will* happen. /Hoff
1 reply