musings on security and other topics
The Catcher in the Rye
I've been haunted by a song recently. Okay, that is so cliché. But it sounds bad to say it's been bugging me.
The song, "The Catcher in the Rye," is on Bryan Steel's debut CD, Of Roots & Restlessness. (You can hear 2 minutes of the song by clicking on the "store" URL on his website.)
See, I've been playing this CD over and over again in my car, wanting to let the words sink in and stir up. And my mind hit a speed bump with this song, on the meaning of the title of Salinger's book. I think I get a feel for what Steel is saying in this song, because I read the book (I think everyone my age had to in junior high), and I remember Holden Caulfield. What I don't remember is what the title of the book referred to. So, I used the Internet.
First, I found that the book is still taught, at least in Long Island public schools. Elsewhere, I found the reference. In chapter 16, Holden hears a little boy singing, over and over again, "If a body catch a body coming through the rye." This is a kid's misquote of the Robert Burns poem "Comin Thro' the Rye," which -- no surprise, it's the Internet -- you can read and listen to here. There's even an explanation of the reference in the book.
Okay, this has been way off course. Check out Bryan's CD. It is a winner.
WINNING NOTIFICATION/FINAL AWARD!!!
You would think that notification of big winnings in an international lottery (for example, the HEMALOTERIJ NL,/INTERNATIONAL PROMOTION PROGRAMES.NL) would come in something more official than an email message.
The burning question I have is not why it took so long to get these "long awaited results." Nor do I wonder why it slipped through my spam filter (scoring a measly 3.6 -- though it did end up in my "Maybe Spam" folder). No, I wonder why not one of these lottery people knows how to correctly punctuate a sentence. I know English is a second language to the officials in the "INTERNATIONAL PROMOTIONS DEPT." But in most languages -- at least western ones -- doesn't everyone leave a space after a period or comma and between words? And doesn't everyone capitalize the first word of a sentence?
Anyway, I guess I won't care once I claim my prize of "1,000,000.00Euros (ONE MILLION EUROS.) in cash" (in cash?!?!) using my claim number and contacting "MR MARK DUFFMAN Foreign Transfer Manager."
Hmmm, I've already written too much. I would not want someone else to claim this prize! Thank you, "Mrs. Liliana Remoud!"
I wonder how much 1 million Eurodollars in cash weighs.
Secure Email Day
As I mentioned earlier, I am leading Secure Email Day at N+I in Las Vegas on Monday, May 2, 2005. Here is how the day looks:
As when it first began as the ARPAnet, the Internet's killer-app is still email. Nearly everyone has and uses it, and businesses depend on it. Because of its ubiquity and ease of use, it is also the most popular and successful threat vector for network and computer attacks: viruses, worms, spam, and protocol attacks, in addition to run-of-the-mill network eavesdropping. The good news is that techniques for taming email as "threat" while still permitting email as "tool" exist, and the tools, if used correctly, keep getting better. Secure Email Day is all about presenting the best methods and mechanisms to keep our email flowing and useful. It will also give you an opportunity to hear from and speak to some of the leading solution providers in this space.
Program Format:
Secure Email Day is a mixture of lecture, expert-led group discussion, and a vendor panel.
Prerequisite:
A basic understanding of email and cryptography terms
Program Agenda
- Introduction and problem definition
  - Why email is insecure
  - Why it should be
  - Challenges we face
  - Overview of solutions
- Cryptography
  Almost everything we talk about today will build on this and on how it is applied to email. This will be enough to bring the crypto-beginner up to speed without boring the crypto-knowledgeable.
  - Authentication, non-repudiation, integrity, and confidentiality
  - Keys, both public and secret, and related terms
- Email security solutions
  - Commercial and "home-grown"
  - What have you tried, what worked, what didn't, and why (group discussion)
- Public Key Infrastructures (PKI) and email
  PKI should be an enabler, and for some it is. For others it has been a stumbling block. Jon Callas, CTO of PGP Corporation, will discuss the pluses and minuses and present "Improving Message Security With a Self-Assembling PKI."
- Spam control, part 1: methods, mechanisms, services, and solutions
- Spam control, part 2: what have you tried, what worked, what didn't, and why (group discussion)
- Grill the experts
  Will secure email ever be ubiquitous? How do we sell the concept into our organizations? What are the hurdles to use and deployment, and when will we surmount them? This panel will answer these questions and more.
Protecting and ensuring the integrity of information is not just a good idea. For some of us, it's the law.
Security and Relationship
At the faculty-led round-table discussion at the recent Mid-Atlantic Network Security Forum, my discussion topic was "Keeping your sanity while positively influencing your enterprise security posture" (or maybe it was a bit less wordy). These are some of the things we came up with.
- Consistent, regular, targeted communication is important. "Targeted" as in speaking the executive language to the execs, and technical language to techies.
- Sometimes a grown-up with a customer-service orientation and an MBA who is also technical is an asset.
- Hold security forums aimed at the security people plus everyone else.
- Demonstrations of what can happen -- in a controlled, demo environment -- are useful.
- Build community. The security staff should know people and be known by them.
- Face-to-face, one-on-ones break down walls between countries, organizations, and levels in an organization.
- Before any changes: educate, educate, educate, and warn that they are coming.
- Keeping up with the change, maintaining a gradual improvement in the security posture, is often just fine (i.e., good enough).
- "Old school" security management -- "Because I said so" -- just does not work anymore.
- Ask "what makes sense in our environment and our corporate culture?"
- Remember, those in power -- and maybe others -- may always ask, "But, why?" Or, "Prove it to me." Or, "Which government regulation?"
- Be patient, wait for the business case, take it one step at a time. But stay the course, and stick to the plan.
- Oh, yeah. Plan.
- Sometimes the user is his/her own worst enemy. He/she doesn't need another.
- Concentrate on protecting your most important assets. Do the best you can with the rest.
In addition to these things, remember my blog entry Seven Things to Help Keep Sanity and Equilibrium.
A Security Haiku
The background: it is traditional, at the faculty-hosted "Gala Dinner" of the Institute for Applied Network Security Forum, for the faculty to be the entertainment. It is also traditional for faculty member Marcus Ranum to come up with the assignment. In the past, we've had to come up with our (individual) favorite pet peeve or rant in the area of computer and network security. (See a column based on mine at www.ianetsec.com/news/all_fc_avolio1.htm or this blog entry.)
At the recent Mid-Atlantic Network Security Forum the assignment was to come up with a haiku (at least structurally) based on a real network security story.
First the abbreviated story:
Not liking to make fun of current clients, this is something that happened back in 1993. My team and I were connecting a high-profile government site to the Internet for, they believed, the first time. We were going to install a firewall that we built specially for the occasion. We suggested a review of the existing physical network to make sure we and they knew where they were already connected. The review turned up an already-existing connection to the Internet through another organization. In fact, at the time this other organization was well-known for getting broken into.
The haiku:
Plan for firewall
Why should we even bother?
Dead ends at Goddard.