Everybody wants in on ‘Cybersecurity”

Intel Sets McAfee Free …


… becoming what Intel bills as one of the world’s biggest “pure-play cybersecurity companies.”

When I graduated the hot topic was then chemistry, mostly organic but anything to do with chemistry was IN. Engineering was considered ho-hum, aviation was in the doldrums especially in Europe, and electronics & computing — nobody blathered on about ‘cybernetics’ or ‘cybersecurity’ in public back then — held no potential. The future was chemistry. Continue reading Everybody wants in on ‘Cybersecurity”

Purpose unclear. Why are the FBI *really* trying to subvert encryption?

Tim cook says Apple will fight a federal order to help the FBI hack an iPhone.  

An earlier version of this page has a paragraph which seems to have been deleted later;

It was not immediately clear what investigators believed they might find on Farook’s work phone or why the information would not be available from third-party service providers, such as Google or Facebook, though investigators think the device may hold clues about whom the couple communicated with and where they might have travelled.

Is that “Whom” grammatically correct?

This does raise a ‘why’ in my mind.
Cant the other service providers (who would it be, AT&T, Verizon?) supply the ‘traffic analysis of who they communicated with? Isn’t this the sort of “metadata” that the government spies are supposed to be collecting?

Opening the phone won’t give the content of the messages past, they are gone like the snows of yesteryear[1]. Dead as the author of that famous quote.

So what are the FBI looking for? The address book? I’m not sure how helpful that will be and its likely to cast suspicion on innocent parties. Continue reading Purpose unclear. Why are the FBI *really* trying to subvert encryption?

Why Silicon Valley Will Continue to Rule


The historical, cultural and economic context described here sums up why
efforts to replicate ‘the valley’ in other countries, other places,
according to governmental whims, never happens, never works, never will.

People around the world have tried to reproduce Silicon Valley. No one
has succeeded.

And no one will succeed because no place else — including Silicon Valley
itself in its 2015 incarnation — could ever reproduce the unique
concoction of academic research, technology, countercultural ideals and
a California-specific type of Gold Rush reputation that attracts people
with a high tolerance for risk and very little to lose. Partially
through the passage of time, partially through deliberate effort by some
entrepreneurs who tried to “give back” and others who tried to make a
buck, this culture has become self-perpetuating.

See also





U.S. Defense Secretary Carter emphasizes culture change needed to


Yes the government needs a culture change if it is to address its own and the national issues pertaining to security, technological, in general, internet related and more. But not like this.

A real culture change would involve hiring the likes of people such as Marcus Ranum, Gene Spafford, Becky Herrold., and more significantly the very vocal Bruce Schneier AND PAYING ATTENTION TO WHAT THEY SAY AND CARRYING OUT THEIR RECOMMENDATIONS.  And please note: none of this is new or radical.

But a read of Bruce’s articles blog and published articles will make it clear to any intelligent reader, even those outside the InfoSec community, that they won’t. The culture change it would require would impact too many vested interests and long held beliefs, even though Bruce — and others — have long since shown them to be in the same class as The Emperor’s New Clothes.

When the government talks of cyber-security experts it really doesn’t want people who think in terms of policy and strategy. The fact that most government agencies could do better if they carried out the recommendations that have been made to them — but consistently don’t[1] — tells you something about their innate culture. Just adopting the GAO recommendations would take a culture change. Adopting ‘uber 133z h4x0r’-wannabes for job roles that are written as what amounts to jumped-up netadmin and sysadmin positions doesn’t make for good security[2].

Yes, a culture change is needed. But the kind of changes that the ‘insiders’ — and that goes for the media too — envision don’t really amount to a meaningful change.

[1] http://www.gao.gov/key_issues/cybersecurity/issue_summary#t=1



[2] The idiom “rearrange the deckchairs on the Titanic” comes to mind
Or perhaps the Hindenburg.


Marketing Is Dead – Harvard Business Review


Of course you have to have a catchy title, but what this really says is

… in today’s increasingly social media-infused environment,
traditional marketing and sales not only doesn’t work so well, it
doesn’t make sense. Think about it: an organization hires people —
employees, agencies, consultants, partners — who don’t come from the
buyer’s world and whose interests aren’t necessarily aligned with his,
and expects them to persuade the buyer to spend his hard-earned money on
something. Huh? When you try to extend traditional marketing logic into
the world of social media, it simply doesn’t work.

Yes but there are assumptions there.
Marketing WHAT to WHOM?

As opposed to just selling.

See also:


Which makes the point that book publishers have come adrift as far as
marketing in the Internet world goes.

English: Infographic on how Social Media are b...
Enhanced by Zemanta

An OP-ED by Richard Clarke on China


This is better written than most ‘chicken little’ pieces, but please can we have ‘history’ of how most nations, including the USA, have engages in ‘industrial espionage‘.

I recall a presentation by CSIS that was making the point that Canada’s greatest threat on the Industrial Espionage scene was France, and France had been practising Industrial Espionage against the “English Speaking World” for centuries. And he had evidence to back that up from at lest Napoleonic times.

But then don’t forget that the “English Speaking World” stole such secrets from China as “Tea“:

For centuries, the secret of growing tea was one of China’s
most closely-guarded treasures. Along with silk, tea was an
extremely valuable agricultural commodity, prized as a luxury
item across Asia and into Europe.

In the mid-19th century, however, Briton Robert Fortune
dressed as a Chinese man (complete with queue) and set out
to discover the secret of tea-growing. He located the bushes
that produce tea, and stole seedlings that he transported to
British India. China’s tea monopoly was broken.

Robert Fortune (1812-1880)
Robert Fortune (1812-1880) (Photo credit: Wikipedia)

Fortune’s explorations are detailed in a new book, For All
the Tea in China
, by Sarah Rose. She frames this not
simply as a tale of Victorian exploration, but as early
industrial espionage – which, of course, it was.

I’m not saying this justifies anything, any more that the Opium trade or forcing products from the Industrialized West onto Asian markets, also part of or common historic context, justifies any reprisals.

I’m just saying Context is Everything and if you ignore history (especially when dealing with people for whom history is an important context) then you are setting yourself up for a sea of troubles.

Enhanced by Zemanta

Naval War College uses Russian software for iPad course material



The Navy’s premier institution for developing senior strategic and
operational leaders started issuing students Apple iPad tablet
computers equipped with GoodReader software in August 2010,
unaware that the mobile app was developed and maintained by
a Russian company, Good.iWare, until Nextgov reported it in February.

OK so its not news and OK I’ve posted about this before, but …

Last week I was reading another report about malware and it stated that most malware yamma yamma yamma had it origins in the USA. No doubt you’ve seen reports to that effect with different slants.

So the question here is: Why should software produced in the country where there are more evil-minded programmers be superior to software produced in Russia? Continue reading Naval War College uses Russian software for iPad course material

Please Realize That Piracy is a Service Problem.


NEW YORK, NY - JANUARY 18:  Protesters demonst...
NEW YORK, NY - JANUARY 18: Protesters demonstrate against the proposed Stop Online Piracy Act (SOPA) and Protect IP Act (PIPA) on January 18, 2012 in New York City. The controversial legislation is aimed at preventing piracy of media but those opposed believe it will support censorship. (Image credit: Getty Images via @daylife)

The full article is a bit wordy, and manages to avoid lecturing about how the media industry failed at “service” when it came to view tapes and DVDs, how they objected even those turned out to be immensely profitable. We all know that and we all know that despite the opportunity for profits that just about everyone else in the world seems able to cash in on, the RIAA etc seem to want to shut it down.

Well if they did there would be outcries not from all the people who had minor copyright infringements from quoting one another, but from all the businesses that were loosing customers, not just from direct action but from the word-of-mouth style propagation, reviews, snippets that had nothing to do with them but caused shut-downs and lockouts. A ripple effect. The Laws of Unintended Consequences doing what it always does, biting in the ass.

Yes, if the media industry provided the service that customers want piracy wouldn’t be an issue. As the article says, look at the economics.

It’s not a physical product that’s being taken. There’s nothing going missing, which is generally the hallmark of any good theft.

There’s a corollary to that: if the media companies were selling on the net their cost of reproduction is zero. They can sell the same movie hundreds of times over and it doesn’t cost them any more.

With VHS and DVD there is the cost of production, shipping and retail mark-up. There’s that for every sale. And those are costs that are going up year by year. And if there’s a mistake in estimates about volume then either there are lost sales for lack of product, or waste as it gets remaindered.

But with a ‘Net based distribution scheme there is only the cost of storage and bandwidth, and those are going down.

Its as if the RIAA have it exactly backwards.

So it costs, what, lets say $20 to buy a movie as a DVD.
That’s my budget. If I got to the store and found the movie I wanted was $5, then I’d be inclined to buy some more. Maybe at $5 a shot I’d spend more than $20 as I found other movies that I marginally considered. Now suppose that I didn’t have to drive to the store? Many people I know buy more books at Amazon than they ever did in a bricks-and-mortar store. many bricks-and-mortar bookstores are shutting down. Lower the cost of a movie to $1 and make it available on the ‘Net, mail buyers about new releases and packages the way Amazon does and there will be more impulse buying. See low-res, high-res and super-high res/HD, alternate endings, have consumers write reviews … you know how it goes, Amazon does it well.

Amazon have shifted from selling books to selling e-books. No more packaging, inventory or shipping. Instant gratification.

The RIAA are not just stupid, they are extremely stupid.

A stereotypical caricature of a pirate.
A stereotypical caricature of a pirate. (Photo credit: Wikipedia)


Enhanced by Zemanta

Upside and downside: How I hate Journalists


And this doesn’t actually stop them form making use of ‘insider information’ they just have to declare it within 30 days.

No, wait, sorry … you mean that the legislators are saying that legislators shouldn’t do something that is illegal anyway? Or that, if they do something that is already illegal, it is OK as long as they declare it within 30 days? …

It gets worse:


I’d like to claim the system is rigged so ‘the rich get richer’ but if I did that some people who claim they are right wing would accuse me of being left wing. Indeed, this tells me that their political outlook has not progressed since 20 June 1789. This one-dimensional view fails to describe the rich variety of political attitudes in the Washington, never mind the rest of the USA and points elsewhere on the physical compass.


Just those two show we need more that 4 axes to describe a political stance. But as I mentioned in a previous post, journalists are simple-minded and expect the rest of the world to be as limited in outlook and understanding.


Try this test:

How does this all relate to InfoSec, you ask.
Well part of that Political Compass is a view of ‘how authoritarian’.
And that gets back to issues we have to deal with such as Policy and Enforcement, Do We Let Employees have Access to the Internet, and the like.

Hans Eysenk pointed out that the right wing (e.g. Fascism and Nazism) had a lot in common with the left wing (communism). Both are repressive, undemocratic and anti-Semitic. So on these issues, at least, the left-right distinction is meaningless.

How many more such simplistic distinctions such as those foisted on us by journalists are equally meaningless.

Some while ago my Australian fellow ex-pat Les Bell, who apart from being a CISSP is also a pilot, pointed out to me that the method of ‘root cause analysis‘ is no longer used in analysing plane crashes. The reality is that “its not just one thing”, its many factors. We all know that applies in most areas of life.

I suspect most people know that too; its not restricted to the digerati.
There is the old ditty that explains how because of a nail an empire was lost, but no-one is proposing that we fix the failing of the “American Empire” by manufacturing more nails.

Except possibly Journalists.


Enhanced by Zemanta

“Cybercrime” is still Crime and “Cyberfraud” is still Fraud


This says it all:

At the end of the day, cybercriminal activity is not all that different
from more traditional forms of organized crime. Obviously, the way the
crime is perpetrated is new, but the ways in which cybercriminals
operate is not all that different from anything that has gone on before.

Heck, once upon a time there was no telegraph, no “Royal Mail” (or whatever the equivalent in your state/nation). But when those came along they offered new opportunities for fraud. Most places have laws in place again fraud perpetrated by mail or telegraph and telegraph
includes the telephone.

And this is where I get to wonder at how our politicians work, the knee-jerk “something must be done NOW” attitude.

Here in Canada we have a criminal code. It covers fraud. We don’t need new laws to deal with cybercrime because the ways our laws are written they are general and not reductionist. They specify the crime, not the technology used.

I get the impression that in the USA (and possibly other places) its the other way round. That’s why they need lots of new laws to address every fine-grained detail as the technology advances. Personally I don’t think this is a good way of working since it piles laws upon laws.

In science we was that in astronomy before Newton. The classical “Ptolemaic” system piled epicycles upon epicycles as corrections because the underlying model based on a geocentric approach and the idea of ‘perfect spheres’ was fundamentally flawed. Piling human laws upon human laws to deal with special cases of what is really a general
situation is no less flawed in approach.

Cover of "Paper Moon"

Fraud is fraud is fraud. It doesn’t matter if its perpetrated by a hustler in person as in the scenes in “Paper Moon“, by mail, over the phone or using the Internet. Fraud is fraud is fraud.

We don’t need new laws; we just need a better understanding of how criminals use technology. We perhaps we security droids don’t, perhaps the public, the police, the legislators and the managers of the firms and organizations impacted by such criminals need that understanding.

But that’s not what detailed, reductionist legislation is going to achieve, is it?


Enhanced by Zemanta

The Decline of the Physical Desktop


What’s interesting here is that this isn’t preaching “The Cloud” and only mentions VDI in one paragraph (2 in the one-line expanded version).

Also interesting is the real message: “Microsoft has lost it”.

Peter Drucker, the management guru, pointed out that the very last buggy-whip manufacturer in the age of automobiles was very efficient in its processes – it *HAD* to be to have survived that long. (One could say the same about sharks!)

“Keeping desktop systems in good working order is still a labour of Sysiphus ..”

Indeed. But LinuxDesktop and Mac/OSX seem to be avoiding most of the problems that plague Microsoft.

A prediction, however.
The problem with DOS/Windows was that the end user was the admin and  could fiddle with everything, including download and install new code. We are moving that self-same problem onto smart-phones and tablets. Android may be based on Linux, but its the same ‘end user in control’ model that we had with Windows. Its going to be a malware circus.

Enhanced by Zemanta

Economic Impact: Patent trolls chase app developers out of the U.S


The Debt ceiling crisis will pass; even if there is a crash, the USA can recover from it …

IF its core economic worth, that is its industrial productivity, is unharmed.

There are a number of ways this can be harmed, poor credit rating among them, lack of availability for investments. Continue reading Economic Impact: Patent trolls chase app developers out of the U.S

Sony backs U.S. ineffective cybersecurity legislation

Magic Link
Image via Wikipedia


“If nothing else, perhaps the frequency, audacity and harmfulness of
these attacks will help encourage Congress to enact new legislation to
make the Internet a safer place for everyone,” the Sony executive said.

“By working together to enact meaningful cybersecurity legislation we
can limit the threat posed to U.S. all,” he said.

To people like us, IT Audit and InfoSec types, ‘control‘ come in 3 forms

  • preventative
  • detective
  • compensatory

It seems that this legislation focuses on the 3rd and not the first.
It might even be seen to discourage the second.

Enhanced by Zemanta

Congressman blames U.S. unemployment crisis on iPad


In it U.S. Representative Jesse Jackson Jr (D-IL) blasts Apple and Steve
Jobs claiming that the iPad is responsible for killing thousands of
American jobs.

Jesse Jackson i Almedalen 2011
Image by Socialdemokrater via Flickr

In the rambling manifesto Jackson claims that the iPad is to blame
because it enables anyone to easily download books and newspapers. Thus
everyone who works at bookstores (i.e. Borders) or the publishing
industry will lose their jobs to workers making iPads in China.

Over the top?

Well, he is a politician.

However, there is this:

Yet, last week, the president met with eight CEOs such as the heads of
Xerox and American Express to ask what he could do that would give them
confidence to invest in the United States. But these are precisely the
wrong people with whom to consult and the question is precisely the
wrong question. They are the wrong people because they have benefited
enormously from offshoring and from the distortions built into the
global system. Their interest is not the same as that of the United
States but rather that of their shareholders and, in some cases, of the
authoritarian governments of the countries to which they have moved much
of the production capacity. The question is wrong because rather than
trying to bribe them the president should, a la The Godfather, be making
them “offers they can’t refuse.”

In South Carolina, Governor Perry emphasized that he would make
Washington disappear from the lives of the people in his audience. That
did not strike me as the comment of a person using all his power to find

But think about it for just a moment. There will be no more significant
fiscal stimulus for the economy. The emphasis is all on debt reduction,
cutting expenditures, and retrenching. Not only will the federal
government be cutting back, but the state and municipal governments are
already slashing and burning. All of this will result in further job
reduction, less consumer spending, and declining stimulus which in turn
will lead to reluctance on the part of business to invest. In these
circumstances, the only possible source of jobs is a reduction of the
trade deficit.

He or she who wakes up to this fact first is likely to be the next president.

That’s my emphasis in red.

These executives are responsible to the shareholders, though the board.  If the economic climate and system of taxation – that is the employment costs, make it favourable to employ foreign workers rather than American workers than that is what these people will do.  If they do otherwise then they are clearly not acting in the best interests of their corporations and will be dismissed and replaced by someone who will.   This is basic corporate economics, and any politician who fails to recognise it may popular for crowing about “America First” but is displaying woeful ignorance.

The other way to look at it is that US workers have priced themselves out of the market.

Dwight D. Eisenhower photo portrait.
Image via Wikipedia

A people that values its privileges above its principles soon loses both.
Dwight D. Eisenhower, Inaugural Address, January 20, 1953

Enhanced by Zemanta

IT AUDIT VS Risk Assessment – 2

We were discussing which should be done first and someone said:

The first has to be risk assessment as it is foundation of information
security. You first need to know where is the risk before putting up
any controls to mitigate that risk. Putting up adhoc controls will not
make the controls effective nor will it protect the organizations
against the risk.

While I understand the intent, I think that is very prejudicial language.

Donn Parker makes a very good case that we have the cultural context – read that sophistication and awareness of the baseline risks – to see that there should be a set of baseline controls. IAM, firewall, AV, backups and so forth. We don’t need to leave the assets exposed to threats while we we wait around for a Risk Analysis to tell us that these baseline protective controls are needed.

Risk Analysis

You don’t need to know the specific risks any more than you need to know the specific risks to have a lock on the front door of your house and close your windows.

I certainly wouldn’t call this approach “ad-hoc”. Continue reading IT AUDIT VS Risk Assessment – 2

Career Insights from Stephen Northcutt, CEO of SANS



I get a lot of enquiries from wannabes who, as they put it, want to “break into security“. I presume they see it as more interesting than the work they are doing.

They come in all varieties, from high-school kids asking about what degree they should take to people with no actual work experience asking if they should take a CISSP or CISM.

The luminaries of our profession, be they CISSPs or people like Marcus Ranum and Bruce Schneier who lack such certifications, all came up the same way that Stephen Northcut did and many of us here did – the long way. And gained the practical experience and understanding of the issues along the way. Continue reading Career Insights from Stephen Northcutt, CEO of SANS

RIM vs. Indian government continues


… and the UAE.

RIM is between a rock and a hard place.
They say no to this and they loose a market; and the Indian market is big. They say yes to this and the customers don’t trust them, so why should they buy RIM rather than some other insecure service? Continue reading RIM vs. Indian government continues

When organizations put a lot of eggs in one basket – desktop side


This is a chicken-little story.

We’ve been putting many computer eggs in one hardware basket for a long, long time.
What do you think mainframes running MVS and VM/CMS were?
What were things like air traffic control?

The ‘desktop’ is a fuzz concept that gets confused with a GUI.
Those mainframes – think airline ticket and reservation – could handle many hundreds of remote terminals, keeping them updated.

What’s a dumb terminal if not the ultimate in ‘thin clients’? Continue reading When organizations put a lot of eggs in one basket – desktop side

Google Phasing out Windows


“According to a report in the Financial Times, Google are phasing
out the use of Microsoft‘s Windows within the company because of
security concerns. Citing several Google employees, the FT report
reports that new hires are offered the option of using Apple Mac
systems or PCs running Linux. The move is believed to be related to a
directive issued after Google’s Chinese operations were attacked in
January. In that attack, Chinese hackers took advantage of
vulnerabilities in Internet Explorer on a Windows PC used by a Google
employee and from there gained deeper access to Google’s single sign
on service.

Security as a business decision?
Don’t make me laugh!
Look at what precedence they’ve shown!
Look at Microsoft’s attitude and approach to security (no matter how flawed the end result) and compare it with the public stance Google has taken.

No, this is about Business Politics.
Microsoft has been ‘staggering’ this last decade and now Apple is on the ascendency and the real battle will no longer be in the PC world but in the consumer world with embedded systems.
On the surface this will be Android vs Apple, but since embedded Linux goes so much further, embedded in TVs, GPS units, traffic light controllers, and perhaps it will even replace UNIX in telephone
exchanges (ha-ha-ha!) there’s more potential.
(Freudian slip: I just wrote portential.)

Yes, Microsoft hasn’t been asleep in the embedded market, or the phone/PDA market, but compared to Linux its a resource hog. To top that, its also proprietary, so vendors rely on Microsoft for the porting to new processor/hardware and for support. Linux/Android doesn’t have that limitation. And there are plenty of ‘kiddies’ eager to play with Android (source) on a new toy.

No, this isn’t a security issue, its a business and political issue.
If Google is pushing its range of Android products then it doesn’t want to have people – journalists, investors, bloggers – saying “yes, but you USE Windows even though you preach Linux”.

Or perhaps you though Google was taking the “High Moral Ground”?
No, I think they are taking the advice of Sun T’Zu and applying it to business

“For them to perceive the advantage of defeating the enemy, they must
also have their rewards.”

Betcha Google will be supplying Android phones/slates/pads to its workers.

“He who knows when he can fight and when he cannot, will be victorious.”

Look at that ZDNet article and think about the timing of Google’s announcement.

“It is essential to seek out enemy agents who have come to conduct
espionage against you and to bribe them to serve you. Give them
instructions and care for them. Thus doubled agents are recruited and used.”

Think about that one.

“Opportunities multiply as they are seized.”

And look how Android is spreading.
Balmer said Linux was a virus – yes a “meme”.

“Thus, what is of supreme importance in war is to attack the enemy’s strategy.”

Indeed. Microsoft has proclaimed a commitment to “security”. Bill Gates said so. That is their “strategy”. But Google is working on the fact that Microsoft products still have security flaws. Regardless of the reality, that is “voice” of this announcement. They are saying that Microsoft’s strategy isn’t working. They are attacking it in the minds of the consumers.

Reblog this post [with Zemanta]

“Impact” is not a Metric

I never like to see the term ‘impact’.
Its not a metric.

I discuss how length, temperature, weight, are metrics whereas speed, acceleration, entropy are derived values. In the same sense, ‘impact’ is a derived value – “the cost of the harm to an asset”. The value of an asset can be treated as a primary metric, but how much it is “impacted” is a derived value.

This is the same kind of sloppy thinking, the same failure to identify tangible metrics as we see when people treating ‘risk’ as if it were something tangible, never mind a metric! Continue reading “Impact” is not a Metric