The InfoSec Blog

UN privacy head slams ‘worse than scary’ UK surveillance bill

Posted by antonaylward

http://www.theregister.co.uk/2015/11/10/un_privacy_head_slams_uk_surveillance_bill/

Two points in this caught my attention.

Cannataci also argued forcefully that mass surveillance was not the way to
handle the threat from terrorism and pointed to a report by the Dutch
intelligence services that argues that point. "To get real terrorists, you have
to go for good old-fashioned infiltration," he argued, wishing that the security
services would spend less money on computers and more on real people who go out
and get real, actionable intelligence on what people are up to. "It's time to be
realistic and actually examine what evidence shows."

Where have I heard that before?
Oh, wait:

If you think technology can solve your security problems, then you don't
understand the problems and you don't understand the technology
-- Bruce Schneier

Essentially what he's saying is summed up by another Schneier quote:

People often represent the weakest link in the security chain and are
chronically responsible for the failure of security systems
-- Bruce Schneier, Secrets and Lies

Some thoughts on the performance of SSD RAID 0 arrays

Posted by Anton Aylward

My friend Alan Rocker and I often discuss ideas about technology and tradeoffs. Alan asked about SSDs for Linux:

> I haven't been following hardware developments very closely for a while, so I
> find it hard to judge the arguments. What's important?

Ultimately what's important is the management software, the layer above the drivers, off to one side. That applies regardless of the media and means that the view the applications take of storage is preserved regardless of changes in the physical media.

> The first question is, what areas are currently the bottlenecks and
> constraints, at what orders of magnitude?

The simple answer is 'channels'.

Everything old is new again

Posted by Anton Aylward

http://www.databreachtoday.com/whitepapers/seven-reasons-micro-segmentation-powerful-to-have-painless-to-add-w-2704

What's the saying "Those who forget history are doomed to repeat it over again"?

Weren't we doing this with routers and ... well if not firewalls as such then certainly filtering rules in the routers, way back in the 1980s?

Jon Postel, c. 1994 (Photo credit: Wikipedia)

I recall attending a luncheon put on by Dell about "Software Defined networking". Basically it was having routers that were 'agile' enough to change routing and implement tactical policy by load, demand and new devices or devices making processing demands.

Again, we were doing that in the 1980s, working with ANS as they cut over the academic internet to the commercial internet with their "CO+RE" pseudo-product. Basically, they had been supporting the academic internet and were now selling commercial services using the same backbones, trunks and "outlets" (sometimes known as 'points of presence'). This 'policy based routing' was carried out by custom-built routers; they were IBM AIX desktop boxes -- the kind I'd used a few years earlier to implement an Oracle-based time management/billing system at Public Works Ottawa -- along with some custom-built T3 interface cards.

Everybody wants in on 'Cybersecurity'

Posted by Anton Aylward

Intel Sets McAfee Free ...

http://www.databreachtoday.com/blogs/intel-sets-mcafee-free-p-2244?

... becoming what Intel bills as one of the world's biggest "pure-play cybersecurity companies."

When I graduated the hot topic was then chemistry, mostly organic but anything to do with chemistry was IN. Engineering was considered ho-hum, aviation was in the doldrums especially in Europe, and electronics & computing -- nobody blathered on about 'cybernetics' or 'cybersecurity' in public back then -- held no potential. The future was chemistry.

The Hidden Curriculum of Work

Posted by Anton Aylward

http://www.strategy-business.com/blog/The-Hidden-Curriculum-of-Work

I think part of the problem I have in dealing with the current generation of head-hunters and corporate recruiters is that they focus on the job description, the check-list. They focus on it in two ways: the first is demanding it of the hiring managers, who are often ill-equipped to write one. Many jobs are not circumscribed, especially in a field like IT, which is dynamic and about continuous learning and adaptation to changing circumstances. All too often the most valuable question I've been able to ask of a manager in a hiring situation amounts to "what do you need done?".
Their description of the work - the WORK, not the JOB - only makes sense in context, a context that another practitioner understands but someone in HR would hear as the gobbledygook of technology-talk. How can you base a bullet-list Job Description on that? Trying to translate it into a vernacular that allows the HR-droid to ask appraisal questions of candidates that the HR-droid can make sense of removes it from what the work is about.

Which leads to the second point.