Security Pie

The ramblings of three security curmudgeons

Archive for October, 2008

Solutions, systems and products

without comments

When is a widget a solution, a system and/or a product? Is my car a product: a box with 4 doors? or is it a system consisting of liquids and gasses and salespeople and servicing dealers? or is it a solution to my problem of getting around Los Gatos, or from Los Gatos to SJC?

When I buy this car, what should be my POV? Should I be looking at it as a solution to the problem of getting around? Most cars fit that bill well, so perhaps I should buy the first car I see. Should I regard it as a system and consider after-sales support? Or should I just be looking at it as a product as measured by the torque or MPG?

Now to the point: How do I judge security solutions/systems/products?

For products, the old “feature/function/benefit” deal works. A firewall is a firewall. Perhaps easier to manage, but all that affects is the TCO which is difficult to forecast anyway.

Is it a system in that it is important that an AV company has a process to find new viruses and product features that allow them to provide upgrades? Or is it sufficient that the AV just has an upgrade feature with no discernable way to get new viruses from the field? Many security researchers will agree that it is the system behind the AV that is important. Otherwise the AV would be outdated.     

In the AV case, the system is hidden by the product. When choosing an AV, it is difficult to ascertain which AV provider has better methods, better processes, better and faster analysis and better access to virus sources. So how do we choose? Well, for most security professionals, the answer is to choose based on “out-of-bound” parameters, such as “who is my strategic vendor” or “who is faster”.

An interesting approach is taken by Benny Czarny, whose company, OPSWAT, makes an aggregator that integrates most of the virus engines into one. Called Metascan (http://www.opswat.com/metascan.shtml), this engine cleverly resolves the problem of assessing the back end of the AV provider by eliminating the need to make a choice. Just license them all, or a subset, and your risk will be reduced.

But what about other solution/systems/products out there? As a decision maker, how do you gauge the service aspect of the product?

Comments welcome.

/al

Written by assafl

October 31st, 2008 at 12:13 pm

Posted in Uncategorized

What a Bummer

with one comment

The definition’s example from answers.com explains my situation:

Bummer: Slang. One that depresses, frustrates, or disappoints: Getting stranded at the airport was a real bummer.

I was so happy to finish my meetings early. I got on the standby list for the earlier flight. The UA service representative was about to hand me my boarding pass when a red-faced person rushed all the way in. Of course he received his seat. One hour later, after unsuccessfully fighting with ORD’s wireless network, I was on the next flight, just to be deplaned a few minutes before takeoff due to a hydraulic problem. Now I’m waiting for a new, unscheduled flight that will bring me home past the arrival time of my original flight.

Yes, the weather in Chicago sucks as well.

Written by sharon

October 22nd, 2008 at 4:08 pm

Posted in Travel


101 Uses for Data Leak Prevention

with one comment

Ok – So I have a vested interest in DLP. Sue me.

But here is a real cool use of DLP to detect plagiarizing of dissertations:
http://ondlp.com/?p=9#respond

Notes:
1. Really cool use of the fingerprinting technology
2. I did not know that Dave’s wife was a professor :)

/al

Written by assafl

October 21st, 2008 at 2:45 pm

Mom – another sage of doom is upon us

without comments

So Amrit is not the first to write a doomsday prediction for the current outcome of Wall Street greed-meisters (http://techbuddha.wordpress.com/2008/10/18/technocalypse-the-economic-crisis-and-its-impact-on-innovation/). But his predictions are indeed bleak.

But then – I think about security:

Won’t security become even more necessary now that cash is king, and CFOs routinely tote a bag full of $100 bills? Won’t companies need security even more (to protect what’s left of the dreams, even if, as Amrit predicts, they are provided as a service) now that order is gone? Have we not learnt that from the doomsday films of the 70s?

Perhaps all security professionals should hear this message and make themselves visible. Buy a fur hat, large rings and a pimp suit. Or maybe not.

If you ask me – it is hooey. True: if you happen to be at retirement age, and kept all of your money in stock (geesh, what were you thinking?) then retirement is hereby postponed. Also, people who owned houses they couldn’t afford can afford even less of them now. Get out quickly. But overall, Cargill still slaughters a humongous number of cows a day; ADM still harvests many tons of corn, and Kellogg’s still bakes cereals. Overall, we are still in a country with lots of resources and brainpower. When that is about to change, I’ll be writing this blog entry from Mumbai.

/assaf

PS – The meisters who created this mess are now hiring lawyers. Perhaps justice will be served. I am still looking to when Dick Fuld gets his share.

Written by assafl

October 20th, 2008 at 5:22 pm

Posted in Uncategorized

Cisco’s Greatest Hit

without comments

Cisco is promoting Diego Rivas

Dave, a developer from Melbourne, Australia, brings an interesting story. He was installing a newly purchased VPN product. When he loaded the VPN client software, he discovered that in the place of the usual boring software was an audio disk with 12 tracks of Spanish music (see Cisco’s Hit). A lively discussion on Dave’s blog tried and successfully managed to identify the musician. You can watch the video below.

Beyond the anecdotal story there are a few things that we can learn from this incident. I’m not picking on Cisco specifically: In the past, one of the products that I was managing was built by a very large OEM partner that was responsible for building the appliance, packaging, forwarding etc. Though it was very rare, we had a few incidents when customer X received parts of a printer with his order (inside the appliance package), while another customer received the wrong CDs etc. Errors do occur and I believe that Cisco will do everything it can to learn from this manufacturing snafu and improve its quality assurance process. However, from a security risk management point of view, this incident is a reminder to trust no one:

Every CD should be considered suspicious, even if it arrived inside a box that has the Cisco logo. Due to the popularity of Cisco’s gear there’s a second-hand market and also some fake devices. Softpedia reports that even the United States government is reportedly using some 3500 fake Cisco-branded network devices, including routers, network switches and hubs. “According to the investigation results, the fake devices are worth up to $3.5 million.”

 

Trust no one is the moral of this story. On a side note, this story also explains why the DOD is investing so much money looking for the kill switch.

Enjoy the music!

(Arik, what’s going on down there in Australia? We’re getting a steady stream of weird reports recently :-)

Written by sharon

October 17th, 2008 at 9:40 am

What is all this about lie and other detectors?

with one comment

In his latest posting (http://securitypie.com/workers-more-prone-to-lie-in-email-so-what/), Sharon refers to a hypothetical detector for lying over email. Now such things exist, and have existed for quite some time. Plotters connected to sensors have been used as lie detectors since their evolutionary invention, which spanned some 40 years and multiple devices during the turn of the last century. Every so often a handheld lie detector would appear in the classified ads of some local newspaper or one of the inflight magazines or SkyMall.

Now everyone knows (or should know) that the jury is out about the accuracy of lie detectors. Now why is that significant?

There are 4 possible outcomes of a lie detector test:

|            | Did not lie                   | Lied                      |
|------------|-------------------------------|---------------------------|
| Not caught | Not lied and not caught (0,0) | Lied and not caught (1,0) |
| Caught     | Not lied but caught (0,1)     | Lied and caught (1,1)     |

Read the rest of this entry »

Written by assafl

October 14th, 2008 at 6:38 pm

Unfortunately, I Can’t Use an iPhone

with 2 comments

Similar to my phone


Trying to look trendier, I decided that it’s about time to upgrade my not-so-new Blackberry. I just need to get ‘em to stare at my device, I thought to myself. My standards are not too high. I don’t need a camera, movies, mp3, sliders, voices or anything like it. It just needs to be cool, trendy, light and above all, attuned to my email habits. The first device that I tested was the iPhone 3G. I asked the doctor to lend me his phone and after installing active sync server and protecting it with the SE, I was ready to go.

The good things:

The device is sexy and cool. The UI is simple to use (I do not read manuals) and intuitive. The app store is amazing. I will not be the first nor the last person to say that Apple changed the world with this application. Two big thumbs up for the idea and execution. Web surfing is great: it works fine in multiple languages, handles dynamic content well. Attachment management works well as well.

But sadly I report that the iPhone is almost unusable when it comes to handling my emails. Here’s why:
Read the rest of this entry »

Written by sharon

October 12th, 2008 at 11:52 pm

Posted in review,thoughts,usability


Workers More Prone to Lie In Email, So What?

with one comment

in the internet nobody knows you are a dog


New research finds workers more prone to lie in email. I did not read the entire research yet but it does look like an interesting topic with a lot of potential. Over the years email (security) evolved from server protection (do you remember swatch) to content protection. From a security research standpoint, content detection methods were mostly static, focusing on white listing, black listing or even behavior. Data Fingerprinting changed our (mine for sure) approach to content protection. It was possible to identify and classify even small chunks of information. New profiling technologies will also allow us to understand normal behavior and in a way, create a way to distinguish between good and bad.

According to the research, people feel justified when lying using email. Liuba Belkin, co-author of the studies and an assistant professor of management at Lehigh University, said that “There is a growing concern in the workplace over email communications, and it comes down to trust, … in an organizational context, that leaves a lot of room for misinterpretation and, as we saw in our study, intentional deception.”

Read the rest of this entry »

Written by sharon

October 7th, 2008 at 9:12 pm

What Makes Me an Expert

with one comment

Failure is the mother of success


Assaf just published his expert opinion on the nature of experts. Since I DO consider myself an expert in a few areas, I feel that I have to explain what makes me an expert. It’s not the amount of reading (there’s always one more book) or opinions I’ve heard (where I’m coming from everyone is highly opinionated and has more than one opinion). It’s not the amount of studies I had (it took my wife less time to complete her DVM than it took me to get my B.Sc.). What makes me, as well as many others, an expert is the fact that I made many good mistakes and learned a lot along the process. Thomas Edison once said, “I make more mistakes than anyone I know. And eventually I patent them.”

Read the rest of this entry »

Written by sharon

October 3rd, 2008 at 1:56 pm

Posted in thoughts


My expert opinion on the nature of experts

with 4 comments

I have recently completed a book called “The Billionaire’s Vinegar: … “. In this book Benjamin Wallace spins a fascinating tale of how a group of very rich Americans spent hundreds of thousands of dollars on a select cache of wine bottles that were allegedly linked to Thomas Jefferson and were found in a non-disclosed location in Paris. Very soon questions of provenance started to emerge, culminating in a very expensive lawsuit waged by Bill Koch against the purveyor of the wines, a German collector named Hardy Rodenstock. The book is well written and is a highly recommended read.

Thomas Jefferson’s bottle or a really expensive counterfeit?
 

If we can't ask Mr. Jefferson, perhaps we can hire an expert?

If we can't ask Mr. Jefferson, perhaps we can find an expert?

Read the rest of this entry »

Written by assafl

October 3rd, 2008 at 12:45 pm