When I’m reading an article or an analysis about the effectiveness of a specific security tool I often get upset. The main reason is that security researchers (at least the ones I’m reading) take an “all or nothing” approach to security product analysis: it either works or it doesn’t. Even when talking about defense in depth in conjunction with information/data/network security, some people have a tendency to write in this “all or nothing” way.
When I read Rich’s post on Web Application Firewalls I thought it would be very useful if anyone could come up with a detailed analysis of the effectiveness of different products, similar to the way the National Highway Traffic Safety Administration (NHTSA) measures the effectiveness of seat belts. Even with empirical data, researchers will still argue about what the data shows:
A recently publicized claim by one analyst that seat belts reduce vehicle occupant deaths 70-80 per cent is based on studies found to contain fundamental systematic error. Deaths occur only 50 per cent less often to belted compared to nonbelted vehicle occupants in crashes, according to previously unanalyzed data from three U.S. states during recent years.
I’d like to see more information providing statistical analysis like that used in this US Roads 1997 article, showing the effectiveness of security solutions under different circumstances:
- Mode of deployment
- Attack vector
- Policy used
- Other combined security tools/methods used
This would make it possible to measure the effectiveness of security tools and provide the kind of analysis an organization needs in order to perform proper risk analysis.
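As an added illustration (not from the original post, and not a measurement of any real product), here is the seat-belt style of analysis applied to a security control: the compromise rate with and without the control, computed per stratum of the circumstances listed above (deployment mode, attack vector, policy), with a confidence interval on each rate and an explicit “no data, no claim” result when a stratum has no baseline. The trial counts are constructed; the names `Trial`, `effectiveness` and `stratified_report` are mine.

```python
"""
Stratified effectiveness of a security control, reported the way crash-data
studies report seat-belt effectiveness: relative risk of a bad outcome with
and without the control, broken out by deployment mode, attack vector and
policy. The dataset is constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class Trial:
    """One attack attempt sent against a test application."""
    control_on: bool   # was the control (e.g. a WAF) in the path?
    mode: str          # deployment mode, e.g. "inline" or "monitor"
    vector: str        # attack vector, e.g. "sqli" or "xss"
    policy: str        # policy in use, e.g. "default" or "tuned"
    compromised: bool  # did the attempt succeed?


def wilson_interval(k: int, n: int, z: float = 1.96) -> tuple[float, float]:
    """95% Wilson score interval for the proportion k/n."""
    if n == 0:
        return (0.0, 1.0)
    p = k / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def effectiveness(trials: list[Trial], **conditions) -> dict | None:
    """
    Effectiveness = 1 - RR, where RR = P(compromise | control on) /
    P(compromise | control off), over the trials matching `conditions`.
    Returns None when either arm is empty or the baseline rate is zero:
    the data then supports no claim, which beats reporting 0% or 100%.
    """
    sel = [t for t in trials
           if all(getattr(t, k) == v for k, v in conditions.items())]
    on = [t for t in sel if t.control_on]
    off = [t for t in sel if not t.control_on]
    if not on or not off:
        return None
    k_on = sum(t.compromised for t in on)
    k_off = sum(t.compromised for t in off)
    p_on, p_off = k_on / len(on), k_off / len(off)
    if p_off == 0:
        return None
    return {
        "n_on": len(on), "n_off": len(off),
        "p_on": p_on, "p_off": p_off,
        "ci_on": wilson_interval(k_on, len(on)),
        "ci_off": wilson_interval(k_off, len(off)),
        "effectiveness": 1 - p_on / p_off,
    }


def stratified_report(trials: list[Trial]) -> dict[tuple[str, str, str], dict]:
    """Effectiveness per (mode, vector, policy) stratum, skipping empty ones."""
    report = {}
    for mode, vector, policy in sorted({(t.mode, t.vector, t.policy) for t in trials}):
        r = effectiveness(trials, mode=mode, vector=vector, policy=policy)
        if r is not None:
            report[(mode, vector, policy)] = r
    return report


def expand(rows) -> list[Trial]:
    """Turn (control_on, mode, vector, policy, n, compromised) rows into Trials."""
    out = []
    for control_on, mode, vector, policy, n, compromised in rows:
        out.extend(Trial(control_on, mode, vector, policy, i < compromised)
                   for i in range(n))
    return out


# Constructed sample: 100 attempts per row, each configuration "run" with the
# control switched off (baseline) and on.
CONSTRUCTED = expand([
    (False, "inline",  "sqli", "default", 100, 80),
    (True,  "inline",  "sqli", "default", 100, 20),
    (False, "inline",  "sqli", "tuned",   100, 80),
    (True,  "inline",  "sqli", "tuned",   100, 4),
    (False, "inline",  "xss",  "default", 100, 60),
    (True,  "inline",  "xss",  "default", 100, 45),
    (False, "monitor", "sqli", "default", 100, 80),
    (True,  "monitor", "sqli", "default", 100, 80),  # monitor mode blocks nothing
])

if __name__ == "__main__":
    pooled = effectiveness(CONSTRUCTED)
    print(f"pooled: {pooled['effectiveness']:.0%} effective "
          f"(compromise {pooled['p_off']:.0%} -> {pooled['p_on']:.0%})")
    for key, r in stratified_report(CONSTRUCTED).items():
        lo, hi = r["ci_on"]
        print(f"{key}: {r['effectiveness']:.0%} effective, "
              f"compromise with control {r['p_on']:.0%} [{lo:.0%}, {hi:.0%}]")
```

The pooled figure (about 50% on this constructed data) is exactly the “all or nothing” number the post complains about: it hides a 95% result for a tuned inline SQLi policy, 25% for XSS with the default policy, and 0% in monitor mode. The per-stratum rows, with their intervals, are what a risk analysis can actually use.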
Wikileaks here, Wikileaks there, (information) leaks are everywhere. Now that the site is planning to release leaked documents from “a major US bank”, security professionals might start to think about “leak prevention” in line with “loss protection”.
It’s about time I wrote again. Forgive me father, for I have sinned. It’s been too long since I wrote anything, and Thanksgiving weekend is a perfect time to muse.
To make a long story short, the experience of buying with the iPad was so much better than using the laptop. In fact, I can say that without the iPad I wouldn’t have spent anything online this year. As much as I don’t think Mac OS is suitable for the enterprise, I think the iPad is the right tool for online shopping. IMO Mr. Jobs deserves a special award for his contribution to the economy.
Mr. Falciani is a former IT employee at the Swiss subsidiary of HSBC Private Bank (Suisse) SA who, according to the bank and French authorities, “obtained” sensitive customer information and handed it to the tax authorities in France. The data theft went undiscovered for some time, and the bank suffered for it.
This is all history now. The assets are up as HSBC Private Bank shrugs off the data theft. The bank also reported that it has spoken to almost all current clients affected by the theft.
I’m sure that now ANY bank is taking data protection and activity monitoring more seriously. Having said that, I do not think for a second that the risk management and security teams at the bank did not take such issues seriously. Having worked with different security teams for over a decade, I am sure they were trying to do the right things all along. Thanks to folks like Herve, the “risk” factor in data security risk management is clearer, and security teams can spend what they need in order to improve security.
On a second thought, I’m sure that many security vendors and consultants also thank Mr. Falciani.
We get tons of spam comments on this blog. Whatever the reason, spammers keep trying. While our cloud-based anti-spam system (Defensio) is doing well, we still get several comments that have to be examined manually.
Defensio‘s blog spam web service aggressively and intelligently prevents comment and trackback spam from hitting your blog
There IS a limit to a machine’s ability to analyze text and understand it. Humans (most of us) have similar issues when trying to analyze political lingo. Reading the Top 10 worst political speeches of all time, I thought that some of our spammers’ writers should consider a career change. Take this post for example; it’s one of the “best” I have seen in a long time. I’m announcing it STOD (Spam Of The Day):
To be honest, it seems that you completely seized the bona fide substance of the position circumferent. While many look to have escaped the important concept of it, when it was posited previous is unadulterated plus concise. I am not sounding out that I harmonise on all details; all the same, you managed to have minded me grounds to ponder numerous of the major premises that I reckoned that I guarded as unshakable opinions in that attentivenesses. said, and now for someone like myself to think a bit more on some of the major details. All together I would state it is clear that you have clearly stated what needed to be said.
A political writer must be working with those guys…
So summer is here, and that makes it a great time to write about ice cream, and particularly the sugar content in ice cream. Sugar is not merely important to ice cream. IMHO, sugar is ice cream. Without sugar, we’d be eating vanilla-scented sludge.
So how much sugar? Well, the main effect sugar has on ice cream is on texture. Yes, the texture of ice cream is determined by the sugar content. Now, since it is summer, and since I’d like to make a point I can later eat happily with a spoon, it is time to experiment by making a blueberry sorbet.
I opted for a simple sorbet to test the effect sugar concentration has on its texture. I took a Costco bag of frozen blueberries, defrosted and blended them to create the base mixture. I then made a syrup: 33% sucrose, 33% Trimoline (an invert sugar: sucrose that has been split into its two monosaccharides, glucose and fructose) and 33% water, all by weight.
I poured the base into 3 Pacojet beakers and adjusted the sugar content of each (using the syrup) to obtain the following Brix readings: 16, 20 and 25 Brix. I used an Atago Pen-Pro refractometer to measure the refractive index of the base mixture. (Note: Brix represents the exact sugar percentage ONLY for a pure sucrose-in-water solution; here, since we have other solubles, the reading is a qualitative assessment and should not be taken as an accurate percentage of sugar.)
I froze the beakers for 48 hours to a measured -24.1C and processed one portion from each beaker. Here is the result:
From left to right, the Brix levels are 16, 20 and 25. The results show a direct correlation between sugar content and the texture of the sorbet. At the low sugar level the sample had a powdery texture not unlike finely ground coffee, similar to snow or shaved ice. The 20 Brix sample had the texture of fine, moist dirt, while the 25 Brix sample had a smooth sorbet texture.
A taste test showed that the three samples gave completely different mouthfeels and taste sensations. The 16 Brix sample was a light powder, sort of like eating talc. The 20 Brix sample reconstituted into a paste (actually pretty unique and enjoyable), while the 25 Brix sample was a true sorbet experience.
Our Google ranking must be higher now. Otherwise, I can’t explain the increase in the amount of spam (via comments) that Securitypie.com is receiving. It might be Assaf’s recent rant on Google and Windows or maybe that we are now running a newer version of WordPress.
Whatever the reason is, we are getting much more spam. Some of it is lame; a few messages are more sophisticated. In the future we should publish the best spam messages….
So it is becoming an epidemic: youngsters around the world who have access to highly classified documents share them.
In Israel, we had a well-publicized case: Anat Kam, now 23, an army secretary who decided, of her own accord, to release classified documents to a reporter. http://www.nytimes.com/2010/04/09/world/middleeast/09israel.html
And, as AB loves to say, what happens in Israel will always happen elsewhere. So the US now has an information “spy” of its own, one Specialist Bradley Manning, 22, who released secret documents to Wikileaks. See http://www.theregister.co.uk/2010/06/07/wikileaks_arrest/.
Both were young; both were not “spies” in the sense that they were not “operatives” of a state, but both were still at an age where “correctness of action”, “ideology” and “duty” get mixed up. IMHO, these immature individuals were unable to grasp the severity of their actions. Sure, they intentionally released data they thought warranted public scrutiny; they wanted to promote transparency, since they were brought up on the notion that sunlight disinfects; and they believed that their democracy was strong. They thought they were “doing the right thing”.
They were unable, however, to fathom the risk their actions would create. What does a secretary know about international diplomacy and politics? What does she know about combat operations? Can she anticipate how many deaths she would directly cause by disclosing the data? Having sat through some complex classification exercises, I can safely say that she had no clue. As for Bradley Manning, the fact that he boasted of his “accomplishments” to fellow hackers and over Facebook reveals his lack of understanding of the severity of what he did.
So we expect youngsters to handle confidential data, data whose exposure they are severely ill-equipped to grasp the consequences of. We rely on their sense of duty: it worked in the past. But now these youngsters have laptops, smartphones, USB keys and other devices.
Governance controls are important. Neither of these incidents was detected by a data governance scheme; both came to light only some time after the leaks had occurred. Really, shame on our security forces!
However, even governance controls, while important, are not enough. It is now even more important for HR to step up to the plate and separate the mature, responsible adults (even at age 18) from the rest. Easy access to distribution mechanisms makes silly leaks possible, and likely. Immature individuals like Anat Kam and Bradley Manning should never have been allowed near sensitive data.
Google has decided that “due to security concerns” it will phase out Windows on its endpoints. See http://www.ft.com/cms/s/2/d2f3f04e-6ccf-11df-91c8-00144feab49a.html.
A few thoughts:
1. Understandably, Google is repositioning its own Chrome OS and Mac OS as alternatives to Windows as part of its competitive struggle with Microsoft.
2. Google’s CIO is attempting to sweep Google’s proven incompetence in securing the email accounts of Chinese activists under the rug by blaming Microsoft’s OS. The same method was used 12 months earlier by bank executives claiming “we weren’t at fault; it was those damn credit default swaps and collateralized debt obligations”. Google is incompetent. Microsoft might also be incompetent, but that is beside the point.
3. Google is implying that replacing all endpoints is a security strategy. It is not. Google should invest in understanding security: an endpoint should never be the only line of defense. I recommend developing a comprehensive security strategy based on the risks to their (and my) data and executing against that strategy. As part of that strategy, a compromised endpoint should NEVER be allowed to poke holes in their infrastructure.
4. If there was a culprit, it was Internet Explorer. Perhaps Google should use a different browser? Also, Google’s CIO should read about Windows 7. It has a much better security model.
5. The Mac is more successful in the workplace anyway. Anyone who has gone to a meeting and counted the number of Macs knows this, and it started long before Aurora came along (in fact, I think it happened when Apple moved away from silly white plastic to the me-too Sony VAIO aluminium/magnesium look).
6. Is Bing crawling under Google’s skin?
7. Google should keep at least a few Microsoft endpoints for the sake of product quality, at least to do compatibility testing and QA for Google products running on Internet Explorer and Microsoft OSes. I can foresee Google’s CIO being busy for the next few years signing waivers for Microsoft OS. I suggest e-signatures.
So email bites. Today an associate sent an email they shouldn’t have. Not to worry, it will be taken care of. Just one extra recipient to call and ameliorate.
Facebook bites. Not on privacy. CEO Zuckerberg told us all that we don’t expect privacy, and he is probably correct. Now, I don’t think that we all necessarily want to voluntarily give up our right to privacy, but we all put our status up on Facebook, pictures of spouse, kids, etc. Pretty soon we become an open book.
The recent debacle over privacy settings and the “turn Facebook off” day reminded me of the scene in Monty Python’s Life of Brian when Stan wants to have a baby, so I paraphrase:
Judith: Why do you want to be Loretta, Stan?
Stan: I want to have privacy.
Reg: You want to have privacy?!?!?!
Stan: It’s every man’s right to have privacy if he wants it.
Reg: But you can’t have privacy.
Stan: Don’t you oppress me.
Reg: I’m not oppressing you, Stan — you haven’t got a womb. Where’s the privacy going to gestate? You going to keep it in a box?
(Stan starts crying.)
Judith: Here! I’ve got an idea. Suppose you agree that he can’t actually have privacy, not having a womb, which is nobody’s fault, not even the Romans’, but that he can have the *right* to have privacy.
Francis: Good idea, Judith. We shall fight the oppressors for your right to have privacy, brother. Sister, sorry.
Reg: (pissed) What’s the *point*?
Reg: What’s the point of fighting for his right to have privacy, when he can’t have privacy?
Francis: It is symbolic of our struggle against oppression.
Reg: It’s symbolic of his struggle against reality.
So assume the right to have privacy is there, while privacy, well, is nigh dead. Nada, Kaput. Gone. To paraphrase the famous Python Dead Parrot sketch:
‘E’s not pinin’! ‘E’s passed on! This privacy is no more! He has ceased to be! ‘E’s expired and gone to meet ‘is maker! ‘E’s a stiff! Bereft of life, ‘e rests in peace! If you hadn’t nailed ‘im to the perch ‘e’d be pushing up the daisies! ‘Is metabolic processes are now ‘istory! ‘E’s off the twig! ‘E’s kicked the bucket, ‘e’s shuffled off ‘is mortal coil, run down the curtain and joined the bleedin’ choir invisible!! THIS IS AN EX-PRIVACY!!
Where Facebook should be investing is in teaching youngsters how to position themselves for the future. An elephant never forgets. But elephants do die. Databases never forget and never die (or perhaps it is their backups that live forever).
Indiscretions, pictures with a bong, proclivities, all live forever. Get used to it. Children must learn to manage their online image if they are to have a chance in their 20s.
What is Facebook doing to teach them how to manage their online presence?