Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - June 29, 2006

By Mike Rothman
Created 2006-06-29 07:54
Today's Daily Incite

June 29, 2006

Good Morning:
No more Spanish today, I promise. And true to my word, there wasn't a lot of activity yesterday, so I picked a fight. Actually the fight came to me in the form of Eric Ogren trying to convince me that Microsoft usually has a "big" story when they enter a commodity market. So check out my response to Eric on the blog. I think he owes me a beer. One of the great things about having been in this space for so long is that I can poke my old friends and they can poke back. But we all drink beers when the scrap is finished.

I'll also point to a blog post by Thomas at Matasano regarding some comments that Symantec's John Thompson made in the press regarding Microsoft. I have a very similar opinion to Thomas, and it seems that Symantec is hoping that Microsoft will go away. As my father-in-law says, "If you hope, you are a dope." I know Thompson is no dope, but publicly hoping Microsoft will go away is not a winning strategy.

Have a great day.

Top Security News

How encryption is used
So what? - I'm not sure how I missed this feature story in last month's SC Magazine about encryption. It's a pretty good discussion because it classifies the customer requirements as well as I've seen. Encryption is actually a number of distinct capabilities that solve distinct problems, like protecting data in motion and data at rest. Of course, there is no single rule for when you should encrypt; it depends on what you are trying to protect and from what types of attacks. The article also highlights how some users are doing encryption, and that's always interesting to read.
http://www.scmagazine.com/us/news/article/563000/cover+story+hard+decipher/

More survey mania
So what? - Without a lot of real news today, let me point to another vendor survey that doesn't really tell us anything. SC Magazine highlights a SafeNet survey that shows that 70% of users only use passwords. And? I'm surprised that 30% use stronger authentication. Passwords may be fine, it depends on what you are protecting - so these surveys are stupid. You can't generically say that passwords alone aren't strong enough. And they also confuse authentication and authorization, since stronger authentication only makes sure you know who the person is, not what they are authorized to access.
http://www.scmagazine.com/us/news/article/566416/70+percent+professionals+rely+passwords+alone/

Right back at you Entrust
So what? - It probably wasn't 5 minutes after the release announcing the VeriSign/GeoTrust deal that Entrust announced a trade-up promotion for GeoTrust customers. Now GeoTrust goes back at them, basically dropping the price of the certificates by 60%. First of all, these promotions rarely work because the only time someone is really shopping for a certificate is when theirs has expired. So trade-up programs are only applicable to a small percentage of customers every month. And all of the vendors make it pretty easy to renew, so while I don't have specifics about churn rate, it's not very high. Secondly, Entrust has a lot more to lose, given that VeriSign/GeoTrust is going to be a LOT bigger than Entrust in the certificate business. Also expect the acquisition to close in early October, because this promotion ends in September and it's smart to try to maximize damage to Entrust while GeoTrust is still independent.
http://www.geotrust.com/about/news_events/press/PR_entrust_062806s.pdf

A bunch of drunks stumbling down the street
So what? - I remember the days back in college where, after a particularly good party, a bunch of friends and I would need to provide more than moral support to make sure we got back to the house. Reading this announcement by Network Intelligence about integrating NBAD data, I get the same feeling. My disdain for SIM is well known, though of all the players Network Intelligence does have a clear path to focus on log management (which is a much more interesting and relevant problem to solve). And integrating NBAD data does provide a more complete view of what's going on, but there are a few issues. Not enough customers are using NBAD for this to move the needle, and once they get the data, what are they going to do with it? I still remain convinced that information for information's sake is useless. What's not clear is how this data helps to remediate problems more effectively. So maybe NI didn't tell their story effectively in the release, or maybe this is just more Barney stuff as NI tries to keep SIM relevant.
http://www.network-intelligence.com/news/pr/156.asp

Since we can't stop it, let's study it
So what? - Maybe I'm being a bit harsh because a lot of cool technology does come from academia and the world-renowned research institutions, but putting in place an "ID theft research center" seems like a smokescreen to me. Yes, we need to study the nature of the problem, and since lack of education is the single biggest contributor to ID theft, maybe these folks can build a curriculum for mass market education. So, am I happy that secondary education is going to be training more people about information security? Yes. But we as an industry don't have the time for academics to work through the process to find actionable solutions.
http://www.securityfocus.com/brief/240

Top Blog Postings

Thompson continues to play the ostrich game
Thomas over at Matasano didn't let some idiotic statements made by John Thompson fly past, and we should thank him for that. I couldn't agree more with his assessment about what seems to be a continuing trend of Symantec hoping that Microsoft will go away if they just keep their head in the sand long enough. These kinds of public statements make the Big Yellow seem more and more like Netscape. And we all know what happened to those folks as they disregarded the threat that Microsoft posed to their business.
http://www.matasano.com/log/343/thompson-vs-msft-dog-not-hunting/

Shostack joins Microsoft
Normally I wouldn't mention a pretty high-profile security person joining Microsoft because customers don't care. But given John Thompson's clear disregard for them and the contention that Microsoft has no credibility in security circles, I couldn't resist pointing to the recent announcement that Adam Shostack is joining Microsoft. Though I've never met Adam personally, I know a lot of people that think very highly of him, and if you read his Emergent Chaos blog, you can see he is a passionate security practitioner. To be clear, I think Microsoft still has a lot of work to do, but this post provides some insight into why a small-company, start-up guy like Adam would join the biggest software company in the world.
http://www.emergentchaos.com/archives/2006/06/im_joining_microsoft.html

Is an ASP safer?
Data security is all the rage and in this post from a few weeks ago, Alan Shimel challenges the idea of how a 3rd party can secure data more effectively than he can. He is right. In a data security battle, I take Shimel over salesboom.com every day. But not too many customers have a Shimel in their corner, so that line of thinking is moot. Fact is, customers are responsible for their own data. They need to do adequate diligence on data protection whether they are running their own apps or whether a 3rd party does it for them. The Wall Street Journal doesn't care if it was an ASP that lost YOUR data, you're still the one with the black eye and the huge bill to pay for the disclosures.
http://ashimmy.typepad.com/ashimmy/2006/06/is_your_data_sa.html

YOU are the weakest link
Yes, I repeat themes over and over again. No, I don't think you are stupid and can't get the message the first time. It's just that when I continue to see validation points of important concepts, I feel compelled to share. In this post, Ken Camp reminds us that it is the people that are the weakest link, and social engineering is still the most effective way to compromise a network. It's no wonder that compromising the physical boundaries of an organization is the first place that most penetration testers start.
http://ipadventures.com/?p=1020

Recently on the Security Incite Rants Blog

Hey Ogren - I'll take a Heineken Light!
Eric Ogren over at ESG poked me back regarding the lack of any "big" idea from Microsoft's ForeFront announcement. Seems that Eric has forgotten that I've been in the business for as long as him and that I know where just as many bodies are buried, especially relative to Microsoft. So I stake my claim to collect on the beers the next time we are together. You tell me if I'm collecting or paying.
http://securityincite.com/Ogren-Heineken-Light

Read yesterday's Daily Incite

http://securityincite.com/blog/mike-rothman/the-daily-incite-june-28-2006

Read Incites Redux
Check out my 6-month report card on the Incites I published back in January. What was right, what was wrong, and what was I thinking for some of those statements?
Incites on UTM, Identity Management and NAC

http://securityincite.com/blog/mike-rothman/incites-redux-june-19-2006

Incites on Compliance, Threat Management and Endpoint Security

http://securityincite.com/blog/mike-rothman/incites-redux-june-20-2006

Incites on Content Security, Security Management and Security Services

http://securityincite.com/blog/mike-rothman/incites-redux-june-21-2006

Incites on Application Security, Security Education, and Cisco vs. Microsoft

http://securityincite.com/blog/mike-rothman/incites-redux-june-22-2006

Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-june-29-2006