Poor Design? Blame the User!

As I was traveling through Canada last week I was struck by an article in the Globe and Mail – “Track designers defend Whistler course” – in which the designers of the Winter Sliding Centre suggest that the unfortunate accident that resulted in the death of Georgian athlete Nodar Kumaritashvili was caused by human error and not by any negligence on the part of the track designers themselves (here) and (here).

The Broken Windows Economics of IT Security

To economists, the term “Broken Windows” refers to the question that if a shopkeeper pays a glazier to repair a broken window at his store, does this deliver an economic benefit to society? Many people would say yes, because it generates demand for glass and work for the glazier.

Have you ever been witness to the fury of that solid citizen, James Goodfellow, when his incorrigible son has happened to break a pane of glass? If you have been present at this spectacle, certainly you must also have observed that the onlookers, even if there are as many as thirty of them, seem with one accord to offer the unfortunate owner the selfsame consolation: “It’s an ill wind that blows nobody some good. Such accidents keep industry going. Everybody has to make a living. What would become of the glaziers if no one ever broke a window?”

Excerpt from the 1850 essay “That Which is Seen and That Which is Unseen” by Frédéric Bastiat

Cyber Warfare Needs Cyber Civil Defense

Hardly a day goes by without some news article, op-ed piece, or screaming commentator on a bottom-of-the-dial cable channel proclaiming the dire prospects of cyber war. But unlike traditional kinetic wars, with identifiable enemies, overt acts of war, and some notion of what constitutes victory, we’re still at the stage where the concept of cyber war is a carnival of ambiguity, speculation, red herrings and heated debates on topics that may turn out to have no lasting importance at all.

Cyber Warfare: Should We Be On The Offensive?

The world needs a treaty to prevent cyber attacks becoming an all-out war, the head of the main UN communications and technology agency warned Saturday.

“A cyber war would be worse than a tsunami — a catastrophe,” the UN official said, highlighting examples such as attacks on Estonia last year.

Is Social Media Destroying Rational Debate?

(this post is dedicated to all those I have debated – poorly – on twitter and in blogs)

I must admit that I do enjoy the experience of a good debate: the adrenaline rush, the give and take with a qualified adversary, the thrill of victory and, hopefully, the expansion of one’s views. So often, though, many of us fall back on cheap tricks, emotional triggers, and framing points of view in extremes or black-and-white terms – all of which result in polarizing, as opposed to elevating, the discussion. This is not a new phenomenon and has been used through the years by some of the most prolific personalities in history. In some cases the result is for the betterment of all and sometimes it is to the detriment of many.

What is new is social media, such as Twitter, blogs, Facebook, etc., which provide an excellent mechanism to reach a large population of geographically dispersed people – that is good. Unfortunately, the speed at which information is disseminated, together with the lack of detail and time available to build an argument, severely impairs healthy communication in these mediums – that is bad.

I don’t know how many of you have tried to carry on a debate in 140 characters, but it is a poor forum for anything beyond where one should eat dinner, and even that can quickly border on contentious if not bounded properly.

Here is an example of a bunch of recent twitter debates (modified slightly and the names have been changed to protect the silly):

Top 10 Reasons Your Security Program Sucks and Why You Can’t Do Anything About It

In the security industry we like to fool ourselves into thinking that we can materially impact an organization’s security posture. We believe that new tools, a new framework, a new regulation, or a new school of thought will lift the veil of organizational ignorance and enable us to attain the state of enlightened security practitioner.

But as we trudge through the mud and haste of our increasingly digital lives we embrace the continuity of failure that is security, only we have more of it…more threats, more tools to deal with the threats, more people to deal with the tools, more process to deal with the people, more adoption of technology leading to more threats, which of course leads to more of the same – more fail.

Maybe it is time to stop fooling ourselves and recognize that to move forward we have to know our limitations and start to question the status quo that so many others rely on for their livelihood.

So as you stare out the window, morning cup of coffee in hand, a tear rolling listlessly down toward your chin, and as you’re sitting there pondering what went so terribly wrong, take a moment to reflect on the top 10 reasons your security program sucks and why, no matter how much you kick and scream, it will continue to suck…

White House Announces New US CyberSecurity Coordinator

After what few probably realize was a tremendous amount of political posturing, President Obama has finally appointed Howard Schmidt as US Cybersecurity Coordinator. Schmidt, who also served as a cybersecurity adviser under President Bush, will be responsible for establishing, defining and coordinating cybersecurity across public and private critical infrastructure. I have worked with Howard and know him to be a highly competent individual who will have a positive impact on this administration’s Cybersecurity efforts. Congratulations Howard and best of luck in your new role!

Climategate, TSA Leaks, A National Data Breach Notification Bill and The Law of Inevitable Disclosure

Riddle me this: When one does not know what it is, then it is something; But when one knows what it is, then it is nothing…what is it?

Recently we have witnessed a series of high-profile leaks. This in and of itself is nothing new; we have been experiencing an orgy of disclosure since the early part of the decade, but the latest “disclosures” highlight the law of inevitable disclosure, which goes something like this: if more than one person knows it, then it will at some point in time be disclosed.

AT&T Wages Holy War Against Data…

AT&T has openly admitted that their data coverage sucks (here) and has all but admitted defeat in the telecom data wars. Although they are the sole service provider of the iPhone – the world’s most pervasive handheld data device – AT&T has decided that to maintain service quality (which already blows) they will need to implement new fees to encourage folks to limit their use of the iPhone. Wow, seriously, so they suck even more than I thought when I first railed against AT&T (here).

Note to Self: 2009 Holiday Gift List

From Computer World UK (here)

Black Friday and Cyber Monday have come and gone. Now it’s time for Amrit Wednesday, or Thursday, or Friday—oh, whatever—to pay our industry back for all the dubious cheer it spread in 2009. Believe me, when it comes to this list, it’s much better to give than receive. Here goes:

Gartner Magic Quadrant Under Fire – Lawsuit Alleges Defamation and more

Gartner Magic Quadrant

A storm is brewing throughout the analyst community as one of the largest and most influential technology analyst firms comes under fire over one of its most highly prized research artifacts, the Gartner Magic Quadrant (MQ). ZL Technologies has filed a lawsuit alleging damages from Gartner’s Email and Archiving MQ and from the MQ process as a whole, in which ZL has been positioned as a Niche player since 2005.

From ZL Technologies’ website (here)…

ZL Technologies, a San Jose-based IT company specializing in cutting-edge enterprise software solutions for e-mail and file archiving, is challenging Gartner Group and the legitimacy of Gartner’s “Magic Quadrant.” In a complaint filed on May 29, 2009, ZL claims that Gartner’s use of their proprietary “Magic Quadrant” is misleading and favors large vendors with large sales and marketing budgets over smaller innovators such as ZL that have developed higher performing products.

The complaint alleges: defamation; trade libel; false advertising; unfair competition; and negligent interference with prospective economic advantage.

For those unfamiliar with analysts, Gartner and the Magic Quadrant, let me provide a quick overview:

50th “Beyond The Perimeter” Podcast Highlights

Not too long ago I embarked on creating a podcast series that would provide more regularity than the blog. Beyond the Perimeter has been a tremendous amount of fun, and as we have just posted our 50th podcast I wanted to reflect on some of the highlights and the wonderful guests we have been honored to have join us.

Beyond the Perimeter iTunes subscription

Beyond the Perimeter Direct XML Feed

Has Technology Killed Privacy?

From Computer World UK (here)

There is little doubt that advances in technology have radically changed many aspects of our lives. From healthcare to manufacturing, from supply chains to battlefields, we are experiencing an unprecedented technical revolution.

Unfortunately, technology enables the average person to leak personal information at a velocity that few understand. Take a moment and think about how much of your life intersects with technology that can be used to track your movements, record your buying patterns, log your internet usage, and identify your friends, associates, place of employment, what you had for dinner, where you ate and who you were with. It may not even be you who is disclosing this information.

The Long IT Security Industry Winter

The Great Depression

I recently had the opportunity to sit down with Peter Kuper on the latest Beyond the Perimeter podcast (here) to discuss the impact the economic crisis has had on the IT security industry. Peter Kuper, a former analyst at Morgan Stanley and SC Gowen, now associated with the IANS (Institute for Applied Network Security) organization, notes that IT security spending is down, and with it investments in security start-ups and innovation initiatives. Kuper believes that good new technologies and well-managed companies can still attract investors and customers. Furthermore, the industry supports a tier of robust, established private IT security companies that are weathering and even prospering in current conditions. While the short term remains challenging, Kuper believes that good technologies and companies can still get a foothold in the current economic environment. You can read more from Peter at the IANS blog (here); below are some recent comments from Peter (here).

Bill To Provide Presidential Authority to Turn Off the Internets

The Constitution

CNET’s Declan McCullagh recently posted an article on aspects of the Cybersecurity Act of 2009, “Bill would give President emergency control of the Internet”:

The new version would allow the president to “declare a cybersecurity emergency” relating to “non-governmental” computer networks and do what’s necessary to respond to the threat. Other sections of the proposal include a federal certification program for “cybersecurity professionals,” and a requirement that certain computer systems and networks in the private sector be managed by people who have been awarded that license.

There has been a lot of discussion and debate about how the new administration would address cybersecurity. With a string of disillusioned Cyber Czars, advisers, and a dizzying array of federal agencies vying to lead the efforts, President Obama has certainly been in the unenviable position of setting the future direction to secure critical infrastructure and to ensure our prosperity.

This is a massive logistical problem, growing even more so as technology advances and becomes adopted as part of our digital fabric. Unfortunately there will be mistakes, errors in judgment, and poorly written policies that may very well lead to significant self-inflicted damage. The concept that the President, under an emergency situation, can take control of aspects of the Internet is very troubling.

Conceptually, and given the events of 9/11, it would seem logical that under a massive sustained attack on our critical infrastructure and our digital assets – both public and private – it would be warranted for the administration to do whatever is required to regain control and eliminate the threat. The reality is that this is extremely difficult to do and, more importantly, enables a malicious actor to create a situation that forces the administration to respond and, in doing so, create more havoc than the malicious actors could have created on their own.

This is a recipe for disaster and provides a very real vector for attacking the entire United States in a way that would not normally be afforded to those who wish to do us harm.

Sysadmin of the Year – Rock on!

Is there a rock star in your midst?

We’re talking about sysadmins here—the unsung rock stars of IT. The kind of sysadmin that plays the network blindfolded and upside down like Stevie Ray Vaughan, makes ch, ch, changes faster than David Bowie, smashes hackers like Pete Townshend does with guitars, keeps the show going like Bill Graham, and does it all with Ringo’s good humor.

Sysadmins can really rock your world. Now it’s time to rock it back.

The US Cyber Challenge Wants You

As part of the administration’s continuing efforts to actually do something tangible to improve the security posture of US critical infrastructure, and to better deal with a severe lack of technical talent, the CSIS (Center for Strategic and International Studies) announced the US Cyber Challenge (here) to identify and develop 10,000 cyber security specialists.

One of the fundamental deficiencies of the current US critical infrastructure protection programs (there are many of them) is the astonishing lack of qualified technical security specialists. This program aims to develop the next generation of technically advanced cyber warriors and security specialists.

The United States Cyber Challenge

The US Cyber Challenge is a national talent search and skills development program. Its purpose is to find 10,000 young Americans with the interest and skills to fill the ranks of cyber security practitioners, researchers and warriors. Some will, we hope, become the top guns in cyber security. The program will nurture and develop their skills, and enable them to get access to advanced education and exercises, and where appropriate, enable them to be recognized by employers where their skills can be of the greatest value to their nation.

Improving our private and public sector security posture will be an ongoing process as we adopt new technology innovations and as the dynamic global environment shifts between hostile and friendly actors. Recruiting the next generation of technically advanced security specialists, and developing today the skills to deal with tomorrow’s threats, is key to ensuring we have a population of talent to enable the continued growth and prosperity of the United States and its citizens. Like so many times in our history, the hopes of an aging nation rest on the shoulders of America’s youth.

North Korea Cyber Scapegoat of the World

North Korean Cyber War

Never before have so many misrepresented so much about so little…

In all my years in the security industry I do not believe I have read more misinformation than the nonsense surrounding the recent DDoS attacks. Apparently North Korea is waging cyber warfare, or if not an actual all-out cyberwar, they are behind a targeted “cyber attack”.

Let’s look at what we know…

  • Multiple US and South Korean websites fell victim to sustained distributed denial of service attacks (happens all the time)
  • The DDoS attack used tens of thousands of compromised hosts (I have seen bigger)
  • The compromised hosts appear to have been infected using well-known malware that is easily defended against (What else is new?)
  • The organizations that were impacted and had taken proper measures to defend against a DDoS were not materially affected (At least someone was thinking ahead)

This is just business as usual on the Internet – nothing to see here folks – these DDoS attacks could just as easily have been launched by an awkward prepubescent child with about 2 years of computer experience as by a coordinated, state-sponsored North Korean attempt to test our defenses.

Just so we are clear, this is no more cyber warfare than me running to the Mexican border and throwing 10,000 apple pies at the Mexican Federales is a coordinated US invasion of Mexico.