March 1, 2007 - Volume 2, #37
Good Morning:
Let's talk about vindication today. My friend Dave Maynor sort of got his yesterday at Black Hat DC. Dave was front and center in the Apple WiFi driver exploit fiasco at last year's Vegas Black Hat, and he's finally gotten to tell his side of the story (here [1]). Lots of press coverage (here [2], here [3], here [4]) ensued. But does it matter?
The answer to that question is yes and no. First, Dave needs to clarify his role. There is still lots of confusion about who did what, but there can be no shred of a doubt that Dave (and Jon Ellch) sent Apple stuff and they used it in some capacity. But on the other hand, Apple has not and will not fess up to Dave's role in helping them find the bugs. The Apple fanboys still think Dave is a direct descendant of the Devil (even though he has as much Mac gear as anyone I know), and telling his story at Black Hat isn't going to change that. I imagine he's not doing this to regain the love of the Apple fanboys.
But ultimately, it was a story that had to be told, if only to get some free marketing for Dave's new shop, Errata Security. Given my background in marketing, I can tell you that figuring out a way to get into all the major security pubs is a big PR coup. Even with the HID/IOActive issue, Errata has gotten a lot of press. So Dave hit a double with this one: he told his side of the story and got lots of PR. It's all good.
And for any of you that think I shy away from criticism and only like to poke at other folks - think again. Cutaway blasts me for only providing a piece of the puzzle of training the next generation of CSOs (here [5]) and a self-serving piece as well. I'll have more to say in tomorrow's P-CSO weekly (you can get that either through the RSS feed or via email - sign up at www.pragmaticcso.com [6]), and he's made some good points. Points I need to think long and hard about.
As if I didn't have enough to do today....
Have a great day.
Top Security News
here [11]). The numbers you can take with a grain of salt, but the point is important. "IT employees will need to speak the same language as business stakeholders." Now if that isn't Pragmatic, I don't know what is. The second has to do with applying Six Sigma to security operations (here [12]). Huh? Well, it doesn't get any more business-focused than Six Sigma. This quote says a lot as well: "This has been the key for success: talking about business value provided, supported by the 'metrics' we developed using Six Sigma tools." I know Andy Jaquith's new book on metrics hits at the end of this month (here [13]), so it will be interesting to see whether this kind of dialog and Andy's thoughts are able to push the metrics discussion forward, after a long time moving backwards.
here [14]). It starts with a spam attack, but then proliferates by adding links to other Internet applications (like blogs, for instance). Folks that go to the bad website are then compromised (assuming they don't have adequate protection) and the cycle starts again. Devilishly innovative. But it continues to highlight some of the problems we keep seeing with browsers. Mozilla security head Window Snyder comments on what the Firefox team is doing to fix some of the issues (here [15]). Suffice it to say, the browsers will always be playing catch-up, and that's why a layered defense is critical. You need to have protections at the gateway and on the endpoints, because you can't depend on the application folks to get it right soon enough.
here [16]) and it's interesting. If you look at it from a security perspective, I'm not sure "interesting" is the word I'd use. HID has managed to paint a big target on their head. I agree. Steve Hunt suggests folks upgrade to a more "secure" platform (here [17]), and I'll leave that to him, since I don't know a hell of a lot about RFID security. Dark Reading's Terry Sweeney also weighs in (here [18]) with a great title (Lawyers, Guns and Money). Clearly this is a big faux pas by HID, and my guess is that they will pay a severe price for their "sue first, think second" approach. But if anything, this really highlights some of the RFID problems that need to be discussed. So I guess maybe we should be thanking HID as well, in a smack-them-upside-the-head way.
The Laundry List
Whit Diffie hits the PR circuit, and he has some interesting stuff to say. - here [19]
Top Blog Postings
here [20]), Chris adds some depth to the virtualization discussion. Of course, he can't resist poking Cisco in the eye when the "data center" and associated network functions may be in the confines of a single box. Obviously the nature of what we consider the "network" changes in this new world and he's right in saying the old way of just putting a bump in the wire to protect things won't really work. It'll be interesting to watch. Then Chris jumps on that poor sap that figured that SOA will make his life easier (here [21]) without really factoring in the seismic shift of decomposing applications. And this is a classic quote: "Paying for sins of the past with currency of the future and confusion in the present isn't exactly showing alignment to the business as an enabler." Brilliant. But you need to read it about 10 times to let the depth of that sentence really sink in. How does he come up with this stuff?
http://riskmanagementinsight.com/riskanalysis/?p=114
http://andyitguy.blogspot.com/2007/02/business-or-security-experience.html