Monthly Archives: May 2006

Normalized Crime

Interesting laundry list here of what’s wrong with IT security:
Individuals and most companies simply do not have the time, money, skill and resources required to effectively manage all of today’s risks and threats.

Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security. A long-overdue wake up call for the information security community, by Noam Eppel, Vivica Information Security Inc.

And commentary on it in a blog:
He points out the various types of malware, then proceeds to work on the SANS Institute (http://isc.sans.org), Symantec and Panda virusometer as tools that are always reassuring because they rarely if ever go above green, seemingly meaning that the very tools we use to monitor the internet threat condition have adopted a process of procedurally incurred chaos as normal. That the threat levels of all the botnets, click bots, phishing scams have been normalized in our security communities.

Security Absurdity – Is information security “Broken”, by Dan Morrill, 16 May 2006, ITtoolbox Blogs, Managing Intellectual Property & IT Security

I’d go even beyond this.

Long Island Perils

No, not a baseball team. The Long Island perils are what insurers think they are facing:

Allstate says it won’t write any new homeowners policies in New York City, Long Island or Westchester County. Although Long Island hasn’t been struck by a major hurricane since 1938, "The probability exists for New York to be hit," says Trevino. MetLife also is cutting back on new homeowners policies near the coast. New York’s legislature is considering a bill to create a permanent, state-run insurer of last resort to provide wind and fire insurance for coastal homes.

Strapped insurers flee coastal areas, by Marilyn Adams, USA TODAY, updated 4/26/2006 12:27 PM ET

The same thing is happening in Florida and along the Texas coast. Some people may find it surprising that insurers also don’t want to cover New York and Massachusetts coastal areas. Who would have thunk it?


Partly Right

I agree with much of this blog post:

More specifically, Verizon’s chief congressional lobbyist Peter Davidson was reported to have warned that the financial services industry "better not start moaning in the future about a lack of sophisticated data links they need" if Net neutrality laws were passed. In such a case, the communications industry may not invest in new networks.

Davidson’s got it half-right. Service providers should be able to charge more for better connections. It’s the only way you and I are ever going to see VoIP connections that work well all the time.

Verizon’s Half-Truths About Net Neutrality, by Dave Greenfield, networkingpipeline, May 09, 2006

As I’ve said before, I have no objection to an HOV lane, where certain classes of service would get faster access. We already have those: users and servers can buy various speeds of access, and companies such as Akamai make a business out of picking the fastest routes.

But the telcos need to provide a further guarantee, so we don’t end up back in the days of trading guns for modems.


Visible Value

A longstanding problem with anybody selling security products is that they don’t have an ROI like normal products. Does it bring in sales or increase efficiency? Or by another formulation of the old rule of thumb, does it make money or save money? Either way, if the purchasing executives take the rule of thumb too seriously, then security looks like a cost with no benefit.
“So we came up with Value Protection,” Larson says. “You spend time and capital on security so that you don’t allow the erosion of existing growth or prevent new growth from taking root. The number-one challenge for us is not the ability to deploy the next, greatest technology. That’s there. What we need to do now is quantify the value to the business of deploying those technologies.”

Value Made Visible: How American Water’s Bruce Larson uses a simple metric to build bridges with business partners and justify security spending at the same time, by Scott Berinato, CSOonline.com, April 2006

That seems like a pretty good elevator pitch to sceptical executives.

Personally, I always thought security was about protection; what else would it be? (Well, several things else, but I’ll come to that.)

Their Capers’ Fertile Fields

Here’s another variation on Their Capers’ Success:
According to the chief systems engineer of the US National Security Agency/Central Security Service, the task of protecting the country’s vital telecommunications and computer systems information is becoming more difficult. “We’re not keeping pace, we’re moving backwards. We’re taking a step back. Technology is outpacing what we can provide from an information assurance perspective,” he added.
Much of it is attributable to the fact that information management and sharing has been underemphasized or usually forgotten, with the result that a lot of networks contain vast amounts of duplicated data or even superfluous data.

Network security lacking – Experts Opine, by Steve Hagen, Network Security Journal, 2 May 2006

So not only are we not cooperating enough to catch miscreants, we’re also leaving duplicate information lying about that makes it easy for them to caper, and this problem extends to the intelligence agencies.

-jsq

Their Capers’ Success

Here’s a key point as to why crackers, miscreants, and criminals still seem to have the upper hand:
The digital underground is a meritocracy; hackers rate themselves on their technical prowess and their capers’ success. This means they must be open with information about their tools, targets and methodologies. In contrast, security professionals usually only share what most everyone already knows, not their actual experiences. But, keeping mum means missing out on useful intelligence and potential help.

Peer-to-Peer, by Erik Sherman, Information Security, Jan 2005: Two Seattle CISOs, Kirk Bailey and Ernie Hayden, are pioneering a new level of trust and cooperation to secure their enterprises.

The bad guys have to use an open source method to do what they do, while the white hats too often don’t cooperate enough to combat the black hats’ leverage. Black hats brag about their exploits, while white hats often don’t reveal that anything happened even when they’re successful at repelling an attack. While hiding inside a fortified perimeter may make some sense for problems that actually take effect inside the firewall, it makes no sense for perils outside the firewall, such as slowdowns, disconnects, congestion due to somebody else’s security failure, etc. For that, we need collective action.

-jsq

PS: The article could use some updating of its terminology. Real hackers wouldn’t be caught dead in the current criminal black hat culture.

What Telconet Could Mean

It may seem mysterious to many people why net neutrality is such a big deal. Most people on the Internet today don’t remember what it was like back in the day when telephone companies controlled communication: when you couldn’t connect a telephone to Ma Bell’s network, since only their technicians could do that; when telcos charged per minute, and on data networks often per byte.

Some people who remember dialup modem networks such as UUCP and FidoNet are half-seriously proposing that we could start those back up and make do. Maybe they forget what it was like.

Does anybody else remember that in the early days of EUnet (European UUCP) guns were illegal in one country while modems were illegal in another (because only the national telco was permitted to connect telephone equipment), so there was some trade in guns for modems?

And how EUnet actually extended to Moscow and other parts of the Soviet Union, often carrying mailing lists gated from ARPANET, long before glasnost? Everybody running EUnet knew about this, but nobody wanted to talk about it because they were all afraid of the U.S. Commerce Department.

May those days not come again.

-jsq