Security Pie

The ramblings of three security curmudgeons

Start a Company. Control Your Destiny

with one comment

A friend forwarded me the following article from the Consumerist, with links to a YouTube video of Zynga’s CEO Mark Pincus. So here’s what he said on the video (I guess that he did not know that someone was recording):

I knew that I wanted to control my destiny, so I knew I needed revenues, right, fucking, now. Like I needed revenues now. So I funded the company myself but I did every horrible thing in the book to, just to get revenues right away. I mean we gave our users poker chips if they downloaded this Zwinky toolbar which was like, I don’t know, I downloaded it once and couldn’t get rid of it. *laughs* We did anything possible to just get revenues so that we could grow and be a real business… So control your destiny. So that was a big lesson, controlling your business. So by the time we raised money we were profitable.

Personally, I do not see ANY problem with that. In fact, despite the somewhat graphic language and maybe some over-bragging, I think that Mark Pincus was/is doing the right thing. All we have to do is wait and see how it goes…

control your destiny

Written by sharon

November 10th, 2009 at 4:25 pm

End Of An Era: Geocities Going Down

without comments

So Yahoo! is taking down Geocities.

Still among the top 200 networks, Geocities, which was up for more than a decade and was the first example of an open, simple-to-use, free personal Internet, is now being closed. 2,000,000+ sites hosted on Geocities will be gone forever.

Geocities statistics

There are many morals to this story, but I’d like to point you to just one. Only 10 years ago Yahoo! acquired Geocities for ~$4,000,000,000 (in stock…) to get this site.

The agreement, which combines two of the World Wide Web’s most popular destinations, would be the largest acquisition involving a Southern California Internet start-up. It also would solidify Santa Clara, Calif.-based Yahoo’s position at the head of the portal pack.

Can it happen again? Can one of today’s web-based leaders be taken down and its content lost forever?

Will anyone pay such amount today?

11.22.2009 Update:

Almost a month later and the site is still pretty high on Alexa…..

Change log

11.22.2009 12:35 am Changed So Yahoo! is taking down Geocities today to So Yahoo! is taking down Geocities..

Written by sharon

October 26th, 2009 at 5:39 am

Posted in sales


Tower Defense

without comments

Recently, I have been enjoying a tower defense (TD) genre game on my iPhone. In the game, I try to prevent little animated monsters from arriving at my castle and doing malicious deeds like devouring the cute, helpless inhabitants of the castle.

tower-defense

Now I am not aware of any monsters that are actually scary, so to get into the mood I imagine that the monsters are packets carrying malware. Scary.

Also, since I have little experience with bows, arrows, cannons, ballistae and other primitive weapons, I imagine a sequence of firewalls, clusters of network IPS/IDS, proxies and host security apps.

After setting up the defenses, I then watch helplessly as those sinister packets slowly (but determinedly) make their way towards the castle, eventually devouring the residents. In the world of TD you mostly fail. Success means you move on to the next level to spend time yet again watching malicious packets devouring your residents. And once the residents are eaten, nothing further happens. This is where my metaphor for security as a TD game collapses:

1. In TD, you have many failed attempts and one success. As a security expert, you’d better succeed more often!
2. In TD, the story ends when the monsters eat the residents. In security, the malicious packets must still create value for the hacker: either sabotage or data theft.

In a data theft scenario, the malicious packets have to walk back out past the defenses, carrying the data. That gives us a whole new opportunity to find and disable the attack: the escape path.

In security, we are usually told that building the anticipated attack trees and ensuring all branches are covered makes for a safer network. Anticipating attack paths is hard. Anticipating intent is easier (steal or damage). Adding the escape path as a branch to the list of monitored points just makes sense, even if in TD it doesn’t.
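As an added example of what "watching the escape path" looks like in practice (this is editor's code, not part of the original post), the script below runs a simple egress check over a handful of constructed flow records: traffic is summed per (internal host, external destination) and a pair is flagged when a lot of data leaves and almost nothing comes back. The internal address range, the log format, the thresholds and the sample flows are all assumptions made for the demonstration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not from the original post). Fields:
# timestamp, internal/src host, dst host, dst port, bytes received, bytes sent.
SAMPLE_FLOWS = """\
2009-10-16T14:01:02 10.0.0.5 192.0.2.10 443 in=520000 out=21000
2009-10-16T14:01:09 10.0.0.5 192.0.2.22 80 in=310000 out=12000
2009-10-16T14:02:31 10.0.0.7 198.51.100.77 443 in=4800 out=38000000
2009-10-16T14:05:44 10.0.0.7 198.51.100.77 443 in=5100 out=41000000
2009-10-16T14:06:10 10.0.0.9 10.0.1.3 445 in=9000 out=900000000
2009-10-16T14:07:00 10.0.0.5 203.0.113.9 25 in=2000 out=4000
"""

# Assumption: the "castle" is a single RFC 1918 range.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_flows(text):
    """Parse the constructed space-separated flow format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, in_field, out_field = line.split()
        flows.append({
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "in": int(in_field.split("=", 1)[1]),
            "out": int(out_field.split("=", 1)[1]),
        })
    return flows


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def egress_suspects(flows, min_out_bytes=10_000_000, min_ratio=10.0):
    """Aggregate traffic per (internal source, external destination) and flag
    pairs where a lot of data leaves and almost nothing comes back.

    A workstation browsing the web downloads far more than it uploads; a host
    pushing tens of megabytes to one external address with only a trickle of
    acknowledgements in return is the escape path the post argues for
    watching. Internal-to-internal traffic (backups, file shares) is ignored.
    """
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            key = (str(f["src"]), str(f["dst"]))
            totals[key]["in"] += f["in"]
            totals[key]["out"] += f["out"]

    suspects = []
    for (src, dst), t in sorted(totals.items()):
        ratio = t["out"] / max(t["in"], 1)
        if t["out"] >= min_out_bytes and ratio >= min_ratio:
            suspects.append({"src": src, "dst": dst,
                             "out_bytes": t["out"], "ratio": round(ratio, 1)})
    return suspects


if __name__ == "__main__":
    for s in egress_suspects(parse_flows(SAMPLE_FLOWS)):
        print("possible exfiltration: %(src)s -> %(dst)s, "
              "%(out_bytes)d bytes out, out/in ratio %(ratio)s" % s)
```

On the sample data only 10.0.0.7 is flagged: the 900 MB from 10.0.0.9 goes to another internal host and the browsing from 10.0.0.5 is download-heavy. The point of the direction check is that TLS on port 443 hides the content of the upload but not its volume or direction, which is exactly what the escape-path branch of the attack tree can see. Real thresholds have to be baselined per host role rather than fixed as they are here.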

/al

Written by assafl

October 16th, 2009 at 4:35 pm

Posted in Uncategorized

No Recovery Without Entrepreneurs’ Help?

with 2 comments

According to HBP statistics, quoting the Kauffman Foundation, entrepreneurs have been key drivers of economic recovery in past recessions. In fact, since 1980, companies less than five years old have accounted for virtually all net new-job creation in the U.S.

Considering myself an entrepreneur, I read “Entrepreneurs’ Gloom Contradicts Wall Street Optimism”.

The following statistic tidbit got my attention:

The Foundation’s September 2009 study of more than 400 entrepreneurs and would-be entrepreneurs shows that 75% think the United States cannot have a sustained economic recovery without another burst of entrepreneurial activity.

Duh. Isn’t that clear? Elementary…

Reading the survey summary  (pdf) the following slide was not surprising:

The US is not doing enough

I found out that many successful, talented entrepreneurs who are currently in the US on an H1 visa are unable to start a business in the US, even if they are willing to go through this difficult process.

The vast majority of entrepreneurs think it should be easier to start a business:

Starting a business in the US

For many entrepreneurs, starting a business in THE US is NOT an option. You don’t need a Nobel Prize in economics to understand why the US needs to make it easier for H1 visa holders to start a business in the US and help boost the economy.

Written by sharon

October 14th, 2009 at 10:18 pm

Posted in Security Business


The (WTF) Launch Party

without comments

Finally, a bold contender for the “big bucks spent for nothing on a marketing movie”, “what were they thinking” and “you are so cool. NOT” categories.

Someone on the Windows 7 marketing team thought that the following movie would be funny and interesting. Well, it is not. Personally I feel so stupid for spending 6:14 minutes trying to understand if there is a hidden message. I even tried to run it backwards and looked at other movies on this channel, trying to determine if this is indeed an original / legal Microsoft publication (it looks legit).

They got the cast right: a young and an older woman, the stereotypical geek and a black person (hmm, is it a real black person?), but what about the plot?

WTF?

Written by sharon

September 25th, 2009 at 11:45 am

Posted in marketing


Spam Bot Should Be More Sophisticated

without comments

(4:46:13 PM) ashleybishop8327: Hey
(9:31:58 PM) Sharon: BOT
(9:32:13 PM) AshleyBishop8327: whats a bot? im 100% all real and natural, from tits to ass!
(9:32:27 PM) Sharon: so you are not a bot
(9:32:40 PM) AshleyBishop8327: whats a bot? im 100% all real and natural, from tits to ass!
(9:32:59 PM) Sharon: now I’m confused. Are you a bot or not?
(9:33:11 PM) AshleyBishop8327: whats a bot? im 100% all real and natural, from tits to ass!
(9:33:28 PM) Sharon:
(9:33:42 PM) AshleyBishop8327: hello?
(9:35:27 PM) Sharon: bot
(9:35:42 PM) AshleyBishop8327: whats a bot? im 100% all real and natural, from tits to ass!

Written by sharon

September 20th, 2009 at 8:43 pm

Posted in Security Policy


Rebranding the Postmodern Iconography of Security

without comments

Last week Greg Shipley wrote a nice epilogue in InformationWeek on the lessons learnt from the Albert Gonzalez data heist (http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=219501227). He observed that while we are all cavorting merrily at the prospect of the imminent “hanging” of this thief of “modern data horses”, we did little to address the concern of data security. From my perspective, the CEOs of the companies involved seemed happier to participate in this modern “burning of the witch” than to address the lack of security for what I sincerely hope is not my data.

Similarly, Sharon’s last post discussed the lugubrious habit of equating encryption with security, with complete disregard for processes, systems and people.

Well, security is getting to be pretty complex, and we humans, in complex situations, tend to flock to iconography.

The original icons are of the deity sort. But postmodern icons can be anything: espresso crema, evil high-fructose corn syrup, local produce, Ken Lewis lying to investors, reduction of carbon footprint.

Encryption can be an icon.
DLP can be an icon (in fact, DLP is fast appearing as an icon, albeit a useless one, on many a security and network product).

Since data security is a need, it can be addressed via a methodical evaluation of risk, rigorously balancing the business value against the risk of loss; technology then becomes a facilitator of process and methods, a requisite part, but nonetheless just a part, of the solution.

Alternatively, it can also be addressed by installing a system of icons: a statue of Ganesh, a road prayer, a hamsa, a statue of the Virgin Mother, a DLP solution or an encryption solution will all achieve the same, and wanting, results.

For the security practitioner, icons are comforting: they own the latest, the highest performing, the best rated, etc. But unlike board members, who really account for nothing but their quarterly signatures, the practitioner’s comfort does not alleviate the need to deliver. Owning the CD of a multi-million dollar high-quality application is useless if you can’t afford the 10 servers it needs to run, the abundance of professional services needed to set it up and the 100 administrators needed to keep it running. All this while the board is waiting to decide if a sacrificial goat is needed.

This has occurred in the past. The roads of security are littered with the carcasses of “ex security experts” who expired when the icon of the firewall became a technology that had to be configured properly and maintained. Similarly, PKI took its pound of flesh on the security altar and was raised to the status of an icon god.

Data security is already setting up to be the Kali of the security world. On one hand, effective, business-centric data security makes VPs: I know many system operators and administrators who became security and compliance VPs. On the other hand, I know many who have been badly burnt by the data security goddess. Those are better off seeking different employment (barista, perhaps?).

As for me? I am getting to taste the vice of pride, being involved in a market that is fast becoming the chopping block of mediocrity. Bring it on, icon peddlers!

Written by assafl

September 19th, 2009 at 5:56 pm

Posted in Uncategorized

Secure Cloud Storage

without comments

Encryption != Security

I was reading the “Enabling Cloud Storage for the Enterprise” white paper from Emulex. First, I’d like to compliment the unknown author. I’ve read (and written) many white papers. This document is among the best.

As always, I have some reservations about the data security arguments that were made.

First, the unknown authors claim that “When moving data outside of the data center, as is the case with public cloud storage, security concerns become a top priority”, since “When data is kept within the confines of a data center, there are recognized methods for ensuring that it is kept safe”. While I totally agree that there are recognized methods to protect data inside the data center, I do not agree that placing data in the cloud automatically makes security a top concern. In most cases the end user, or even the organization placing the data in the cloud, is unaware of its location, and even when it is, security (unfortunately) is not a top priority. What I am saying is that when we discuss security in the context of “the cloud”, one should demand security. In the same way that business users demand secure systems today, they should demand them when “the cloud” is involved.

But there is a bigger problem with the security section of this document. A big problem. There is a logical flaw in the main security assumption made in that section: the document assumes that IDA (Information Dispersal Algorithm) is good (“enough”?) to be used as the method to secure the data.

IDA deserves a word of its own here. Rabin’s algorithm splits a file into n slices such that any m of them reconstruct it, and it was designed for fault tolerance and load balancing, not secrecy. Each slice is a fixed linear combination of the data blocks, so an attacker holding fewer than m slices still learns linear relations about the original; that is what separates it from Shamir’s secret sharing, where random coefficients guarantee that fewer than the threshold reveal nothing. Systems that use dispersal for confidentiality encrypt first and disperse the ciphertext, which brings us right back to encryption and its limits.

I have an issue here since the white paper sets an agenda that dispersed (or encrypted) data should be considered secure, since “To make use of the data in the cloud, a hacker or SSP employee would have to also gain access to a quorum of the data slices stored elsewhere”. But we know, by way of living, that no encryption method is secure enough on its own, because the weak point is not the cipher but the application that will get hacked.

Indeed, if the risk that Emulex writes about is an employee stealing drives with data, then encryption might be good enough (depending upon key management and so many other factors). But as we know, security issues are mostly related to the way the application accesses the data, and at that point the data is not encrypted, since the application is required to read it… Just think about SQL injection and why it happens: the application holds the key (or the quorum of slices) and will happily decrypt whatever rows an injected query returns.
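To make the SQL injection point concrete, here is an added example (editor’s code, not from the white paper or the original post). A table stores a sensitive column encrypted; a thief of the disk sees only ciphertext, which is the case the white paper’s argument covers. The application, however, holds the key and decrypts every row the database hands back, so an injection through the vulnerable lookup yields all the plaintext, while the parameterized version of the same lookup does not. The fixed key, the toy cipher (HMAC-SHA256 in counter mode, unauthenticated, standing in for whatever the storage layer really uses) and the sample rows are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumption (not from the white paper or the post): the application holds a
# single fixed data-encryption key. A real deployment keeps it in a KMS, but
# the injection below works the same way wherever the key lives.
KEY = b"demo-data-encryption-key"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode. The cipher choice is
    irrelevant to the point; any correct cipher gives the same outcome."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, stream))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:16], blob[16:]
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def build_db() -> sqlite3.Connection:
    """Constructed sample data: the SSN column is encrypted before it hits the table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, ssn_enc BLOB NOT NULL)")
    for user, ssn in [("alice", "111-22-3333"), ("bob", "444-55-6666"), ("carol", "777-88-9999")]:
        db.execute("INSERT INTO accounts VALUES (?, ?)", (user, encrypt(KEY, ssn.encode())))
    db.commit()
    return db


def stolen_disk_view(db):
    """What a thief of the drive (or a storage-provider employee) sees: ciphertext only."""
    return [(user, blob) for user, blob in db.execute("SELECT username, ssn_enc FROM accounts")]


def lookup_vulnerable(db, username: str):
    """The query is built by string formatting, so the WHERE clause is
    attacker-controlled. Whatever rows come back, the application dutifully
    decrypts them: encryption at rest does nothing against this."""
    sql = "SELECT username, ssn_enc FROM accounts WHERE username = '%s'" % username
    return [(user, decrypt(KEY, blob).decode()) for user, blob in db.execute(sql)]


def lookup_safe(db, username: str):
    """Same decryption, but the username is bound as a parameter; the payload
    is compared as a literal string and matches nothing."""
    sql = "SELECT username, ssn_enc FROM accounts WHERE username = ?"
    return [(user, decrypt(KEY, blob).decode()) for user, blob in db.execute(sql, (username,))]


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print("disk view:", stolen_disk_view(db))
    print("vulnerable lookup with payload:", lookup_vulnerable(db, payload))
    print("parameterized lookup with payload:", lookup_safe(db, payload))
```

The disk view is what dispersal or encryption protects; the vulnerable lookup with the payload `' OR '1'='1` returns all three decrypted SSNs because the application, not the storage layer, is the trust boundary that failed. Slicing the ciphertext across several cloud providers changes nothing about that path.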


Bruce Schneier begins his book Secrets and Lies by saying “I have written this book partly to correct a mistake”, the mistake being the utopian vision in his earlier Applied Cryptography of cryptography and algorithms keeping “your deepest secret safe”. I will allow myself to paraphrase him when it comes to secure cloud storage: “Cryptography can’t do any of that.” I suggest that anyone who thinks that security = (only) cryptography should think again.

” … Cryptography is a branch of mathematics. And like all mathematics, it involves numbers, equations, and logic. Security, palpable security that you or I might find useful in our lives, involves people: things people know, relationships between people, people and how they relate to machines. Digital security involves computers: complex, unstable, buggy computers.”

BTW, IDA was developed by Michael Rabin, who won the Turing Award in 1976 and the Israel Prize (in computer sciences) in 1995.

Image source: http://ulcercity.blogspot.com/

Written by sharon

September 16th, 2009 at 2:29 pm

Kudos Of the Year

without comments

The Heroes

So Marvel is getting acquired by Disney ($4 billion and some change). Personally, I like the idea. It will make life easier as now I do not have to think who owns a specific comic character. If Marvel shareholders approve the deal, they would receive $30 per share in cash and 0.745 shares of Disney for each share of Marvel that they hold. The deal is valued at $50 per Marvel share, more than a 29% premium, based on Friday’s closing price. Shares of Marvel (MVL) soared 26% in morning trading.

But the story is even better. Marvel, once a bankrupt company and the subject of a how-to-mess-up-a-company book, was bought for $82 m (and change) and is now being sold.

“When Ron Perelman bought Marvel in 1989, he described the company, home to heroes like Captain America and the Fantastic Four, as “a mini-Disney in terms of intellectual property.” His junk bonds and grandiose expansion plans swiftly raised Marvel’s market value to over $3 billion, but also brought its debt past $600 million, at which point corporate raider Carl Icahn smelled blood. He managed to wrest control of the company from Perelman, but the takeover process dragged Marvel through bankruptcy court for years. “

As a person interested in business strategy, I can only admire the level of thought, planning and execution my colleagues delivered. (I’m also jealous of the amount of fun and satisfaction they had during this fun ride.)

Raviv, coauthor of several books on Israeli politics (Every Spy a Prince; Behind the Uprising), turns to high-stakes finance for his first solo effort, a feisty account of Marvel Comics’ meltdown in the 1990s (and slow resurrection, thanks to the success of the movie X-Men and the buzz over this summer’s Spider-Man flick). When Ron Perelman bought Marvel in 1989, he described the company, home to heroes like Captain America and the Fantastic Four, as “a mini-Disney in terms of intellectual property.” His junk bonds and grandiose expansion plans swiftly raised Marvel’s market value to over $3 billion, but also brought its debt past $600 million, at which point corporate raider Carl Icahn smelled blood. He managed to wrest control of the company from Perelman, but the takeover process dragged Marvel through bankruptcy court for years. Raviv’s depiction of this clash of the titans is rooted in the perspective of Marvel investors Ike Perlmutter and Avi Arad, whose other company, Toy Biz, made action figures based on Marvel heroes. Their underdog efforts to rescue the company from the Perelman-Icahn conflict, then get movies made to sell comics and action figures, are viewed with sympathy perhaps, in fact, too much sympathy; outlandish claims like Spider-Man is “maybe the best known intellectual property character, on a worldwide basis” routinely pass unchallenged. Fans of the cutthroat finance genre will find much to enjoy in the boardroom confrontations, but those unfamiliar with Marvel may wonder what all the fuss is about, as Raviv’s overview of the comics and the characters tends to treat their popularity as a given without exploring the nuances of their success.
Copyright 2002 Cahners Business Information, Inc.
http://www.amazon.com/Comic-Wars-Tycoons-Battled-Empire/dp/0767908309

Written by sharon

September 4th, 2009 at 11:49 am

Posted in First Class,Strategy


Recovery (Yay!)

without comments

Security pie was the first to alert you to “The unprecedented use of the term unprecedented in the current crisis is terrifying” back in September 08. Hopefully you used that warning wisely and moved all your money and houses to a safe place like Iceland.

Well, here we are again with another scoop.

“We have hit the bottom”, “prices are stabilizing”, “leading indicators show us that a recovery is imminent” are all positive leading signs that we have had enough of the emotional rollercoaster that is the side effect of investing our collective psyche in hysteria, and would now like to displace that hysteria with a well-earned sense of complacency.

But English is beautiful, just like the American customers who remind me of non-confrontational adolescents: the word imminent is boundless. It can be now, and it can be a year from now (i.e. nascent).

I for one will start a political movement called “Recovery Now”. That is, if I were a non-confrontational adolescent.

/al

Written by assafl

August 24th, 2009 at 7:52 am

Posted in Uncategorized