Security Blog 


6.14.2002

Busy
A lot to do today, so I won't be able to post much. I have an appointment in an hour, then I'm off to Wash-U for a presentation. On top of that, my internet connection is down. I'm dialing in right now - bleh. So I couldn't do much if I wanted to. I have a deadline for an article this weekend, but will post if something catches my eye.


6.13.2002

The struggles of a CSO
Excellent article outlining the challenges facing today's CSO. The first paragraph blew me away. Why are companies cutting loose CSOs now? Just to save money?
The departure of these and other information security veterans from Fortune 500 companies reflects the beginning of turbulent times for chief security officers (CSO). Since Sept. 11, CSOs have faced new pressures to prove the value and effectiveness of their security measures, even as they struggle politically for legitimacy within their corporations and for support from the technology and business units they're trying to protect, say analysts.




Movie hype, with a point
The second half of this Drudge report turns into a shameless movie plug (the quotes from the movie exec), but I appreciate the message. It's necessary right now, as Spielberg says, but we have to keep it in check.
"Right now, people are willing to give away a lot of their freedoms in order to feel safe. They're willing to give the FBI and the CIA far-reaching powers to, as George W. Bush often says, root out those individuals who are a danger to our way of living. I am on the president's side in this instance," Spielberg will say. [DRUDGE's Dept of Prepublication] "But how much freedom are you willing to give up? That is what my movie is about."

I've been waiting to see this movie for quite some time. If done correctly, it could become a Sci-Fi classic.



Sting
The Register looks into a recent experiment by a credit card security company. They floated a bogus exploit in an IRC chatroom, then observed the results. An interesting read. They point out that the majority of "participants" were unimaginative and quick to give up.
Within 24 hours approximately 200 cyber warriors had bitten the hook, and not one figured out that they were stuffing around on a Linux box.



6.12.2002

Privacy in the UK
There are some bad things going on across the Atlantic. I had to read the list twice to believe it. Something like this can't be far from proposal in the US.
The RIP act currently allows the police, customs & secret service to read "Traffic Data" about anybody in the UK. That is, web logs, phone records, mobile phone data (including position information) and email information (including recipients). They can obtain this information without a warrant.




Assessments
A good article explaining assessments - what they are and why you need them. And when you're finished, thinking about how badly your company needs one - call us, we can do it.
What users really need to do is to understand what the specific risks are that their company or home network faces from being connected to the Internet. In the same way that you don't borrow your business strategy from e-Bay, you probably shouldn't borrow your IT security strategy from them either. You need to develop an IT security strategy to meet your unique needs. You understand your company's own unique risk profile.




Go read this
A fantastic piece of reporting by Kevin Poulsen of Security Focus. This is one of the first mainstream articles on the more serious issue behind the SNMP vulnerabilities discussed earlier this year - ASN.1. The following excerpt demonstrates just how serious this issue could be.
It was the Internet and SNMP that got the press, but some experts, including high-level government officials, were immediately concerned that the same attack method might be equally effective against other networks and protocols relying on ASN.1. It's a long list, and includes some of the most critical systems in North America. The SS7 network that controls telephone call routing uses ASN.1 coded messages. Parcel delivery companies use ASN.1 to track their packages. Some credit card verification systems use it, as do digital certificates. And electric utilities use ASN.1 to control substations and transformers remotely.




Should I do it?
I've heard about those Nigerian email scams for several years. But I've never gotten one, until this morning. It came to my business account, which is strange, since it's relatively spam free. I should delete it, BUT they claim I'll get 25% of 40.2 million dollars. If only it were that easy.



Huh?
Step 1: Read this article.
Sophisticated online "mentors" are helping unsuspecting young people cause serious damage to personal computers, says an RCMP report.

Step 2: Log in to an IRC server, visit a chatroom called hack, or 3l337 or maybe 2600.
Step 3: Ask someone to "teach" you how to hack.
Step 4: Observe vile comments and insults. Notice you are banned from the chatroom.
Step 5: Wonder what sort of research went into such a report. Fifteen minutes maybe?

Seriously though, I question the validity of such a study. I've seen the aforementioned scenario happen hundreds of times. The underground community definitely shares information, but only after you've proven yourself. I'm baffled as to how stuff like this gets released.


6.11.2002

Secure Linux
If you haven't heard of SELinux, check this Wired report out. The project, which involves the NSA, focuses on creating an extremely secure version of the Linux OS. I second the advice given in the piece: this is not for newbies. Unless you have a security consultant or administrator working for you, it might be a bit much. Very heady security stuff.



Cool. And a little scary.
Sounds like a neat idea, but nobody would be on my "buddy list".
June 11, 2002 | SAN DIEGO -- It's 11 p.m. Do you know where your boyfriend is? If he attends the University of California at San Diego, finding him may be as easy as turning on a PDA.

The university is equipping hundreds of students with personal digital assistants that allow them to track each other's location from parking lot to lecture hall to cafeteria. The technology is sophisticated enough to pinpoint where a person is in a building -- say, a dorm -- within a margin of error of one floor.




Politicians
I'll never understand them. I realize that they can't "know" everything. But surround yourself with people who can give you solid, sound advice. What has me up in arms today? This:
"How do you know - when you hire an IT security company to do a vulnerability assessment - that they know what they're doing?" Clarke asked. "Maybe there should be an outside process to certify those vendors."

Now - what's scary about this? First, this man advises the president on cybersecurity matters. Second, does he really think our nation's infrastructure problems stem from unqualified security personnel? No, our problems come from uninformed, understaffed IT departments facing a budget crunch. Third, does he not know that two very good standards already exist? CISSP, GIAC - anyone? I'm all for getting rid of the BS'ers in the security industry. Believe me, they are out there. But that should not be a concern of our government at this point. Why don't we work on plugging the massive holes first? And my favorite quote:
"Some of what we do may be a little dirty, but we're doing it," Clarke said at the Networked Economy Summit in Reston, Va.

Some have interpreted this to mean that only big consulting companies will be able to achieve the aforementioned certification. Lovely. We all know how pleased customers are when a Big 5 company rolls in, runs a prepackaged vulnerability scanner, prints out the report and charges you 50k.


6.10.2002

Isolating the internet
Simson Garfinkel has a commentary up at MIT's Tech Review. While he doesn't suggest it outright, he hints at a massive firewall, designed to protect America. It's an idea which I'm sure has been considered, but it's completely unfeasible. We are all going to have to learn to deal with security. It's a tradeoff for the multiple benefits global connectivity brings. In time, we'll get it right.
A big part of the Internet’s magic is the liberation from concern over distance and borders. Last September’s terrorist attacks were so devastating, in part, because a group of attackers from halfway around the world reached through our national borders and attacked civilian targets. The same basic thing—not costing lives, but destroying property and wreaking great economic damage—happens every day on the Internet.



6.9.2002

The payoff
Nothing like several hours of hard work paying off. I am speaking to you from my new laptop, wirelessly. 802.11 is amazing; it's about time I set it up here. See you all tomorrow.



Tech day
I'm doing some hardcore tech work today, so I won't post much. But if things go well, my productivity should increase. Makes me sound like a machine, doesn't it?