The InfoSec Blog

System Integrity: Without Integrity you don’t have Security

May 15th, 2012

If Customers Ask for More Choice, Don’t Listen

http://blogs.hbr.org/cs/2012/05/customers_arent_as_savvy_as_yo.html

Perhaps the reason that Apple is ahead with the iPod, iPhone and iPad is that the competitors are offering too much choice.

That being said, ‘competitive advantage’ can lead to paralysis.

In the auto world, each badge, each product line has an ‘advantage’.
But what many customers want is a blend.

Suppose you had

  • the hydropneumatic suspension of Citroen
  • the crash survivability of Volvo
  • the fantastic new six-speed high-efficiency automatic gearbox that Chrysler is soon to release
  • the BOSE sound system of a BMW
  • the capacity of a Dodge minivan
  • the fuel efficiency of a Prius
  • the twin-camera automatic following/crash-avoidance system of a Subaru

all rolled into one ….

The problem is that you can’t.

For a while, the IBM-style PC chassis offered that kind of ‘blend’.
As the saying went …

Be very glad that your PC is insecure – it means that after you buy it,
you can break into it and install whatever software you want. What YOU
want, not what [content providers] want.
– John Gilmore of the EFF

But the majority of consumers are the “lemmings”. In reality it’s like the stage magician fanning a pack of cards and saying “pick a card, any card you want”. You don’t really have freedom of choice; you can only pick what’s offered to you, by the stage magician or the vendor.

And sometimes the constraint of choice, as Apple is doing, says “focus, focus, focus” and plays to Big Brother Knows What’s Best For You.
Sometimes it’s nice not to be stressed by having to make decisions, decisions that might not be optimal (even if the optimization curve is flat and the risk/return ratio is close to zero).

April 5th, 2012

An OP-ED by Richard Clarke on China

http://www.nytimes.com/2012/04/03/opinion/how-china-steals-our-secrets.html

This is better written than most ‘chicken little’ pieces, but please can we have a ‘history’ of how most nations, including the USA, have engaged in ‘industrial espionage’.

I recall a presentation by CSIS that was making the point that Canada’s greatest threat on the Industrial Espionage scene was France, and that France had been practising Industrial Espionage against the “English Speaking World” for centuries. And he had evidence to back that up from at least Napoleonic times.

But then don’t forget that the “English Speaking World” stole such secrets from China as “Tea”:

For centuries, the secret of growing tea was one of China’s
most closely-guarded treasures. Along with silk, tea was an
extremely valuable agricultural commodity, prized as a luxury
item across Asia and into Europe.

In the mid-19th century, however, Briton Robert Fortune
dressed as a Chinese man (complete with queue) and set out
to discover the secret of tea-growing. He located the bushes
that produce tea, and stole seedlings that he transported to
British India. China’s tea monopoly was broken.


Fortune’s explorations are detailed in a new book, For All the Tea in China, by Sarah Rose. She frames this not simply as a tale of Victorian exploration, but as early industrial espionage – which, of course, it was.

I’m not saying this justifies anything, any more than the Opium trade or forcing products from the Industrialized West onto Asian markets, also part of our common historic context, justifies any reprisals.

I’m just saying Context is Everything and if you ignore history (especially when dealing with people for whom history is an important context) then you are setting yourself up for a sea of troubles.

March 23rd, 2012

Social Engineering and sufficiency of awareness training

Someone asked:

If you have good information security awareness amongst
the employees then it should not be a problem what kind of attempts
are made by the social engineers to glean information from
your employees.

Yes but as RSA demonstrated, it is a moving target.

You need to have it as a continuous process, educate new hires and educate on new techniques and variations that may be employed by the ‘social engineers’. Fight psychology with psychology!

March 22nd, 2012

Orwell: a quarter of a century late

http://hdguru.com/is-your-new-hdtv-watching-you/7643/

well 28 years actually …

So, the two-way tv sets of Orwell’s novel have arrived, over a quarter of a century late!


It just goes to show. Science fiction things like the Star Trek communicator (Motorola flip phones) or the tricorder (some of the enhanced versions of the Newton) or the data Pad (the real-world version has an extra ‘i’) we do pretty quickly, but if it’s a mainstream novel, the kind of thing that my old Eng Lit teacher would approve of (he snivelled at SF and cringed at its mention), then it seems there isn’t the same enthusiasm about replicating its technology.

February 10th, 2012

Please Realize That Piracy is a Service Problem.

http://www.forbes.com/sites/insertcoin/2012/02/03/you-will-never-kill-piracy-and-piracy-will-never-kill-you/


The full article is a bit wordy, and manages to avoid lecturing about how the media industry failed at “service” when it came to video tapes and DVDs, and how they objected even though those turned out to be immensely profitable. We all know that, and we all know that despite the opportunity for profits that just about everyone else in the world seems able to cash in on, the RIAA etc. seem to want to shut it down.

Well, if they did there would be outcries not from all the people who had minor copyright infringements from quoting one another, but from all the businesses that were losing customers, not just from direct action but from the word-of-mouth style propagation, reviews and snippets that had nothing to do with them but caused shut-downs and lockouts. A ripple effect. The Law of Unintended Consequences doing what it always does: biting you in the ass.

Yes, if the media industry provided the service that customers want piracy wouldn’t be an issue. As the article says, look at the economics.

It’s not a physical product that’s being taken. There’s nothing going missing, which is generally the hallmark of any good theft.

There’s a corollary to that: if the media companies were selling on the ‘Net, their cost of reproduction would be zero. They can sell the same movie hundreds of times over and it doesn’t cost them any more.

With VHS and DVD there is the cost of production, shipping and retail mark-up. There’s that for every sale. And those are costs that are going up year by year. And if there’s a mistake in estimates about volume then either there are lost sales for lack of product, or waste as it gets remaindered.

But with a ‘Net based distribution scheme there is only the cost of storage and bandwidth, and those are going down.

It’s as if the RIAA have it exactly backwards.

So it costs, what, let’s say $20 to buy a movie as a DVD.
That’s my budget. If I went to the store and found the movie I wanted was $5, then I’d be inclined to buy some more. Maybe at $5 a shot I’d spend more than $20 as I found other movies that I had marginally considered. Now suppose that I didn’t have to drive to the store? Many people I know buy more books at Amazon than they ever did in a bricks-and-mortar store. Many bricks-and-mortar bookstores are shutting down. Lower the cost of a movie to $1 and make it available on the ‘Net, mail buyers about new releases and packages the way Amazon does, and there will be more impulse buying. Sell low-res, high-res and super-high-res/HD, alternate endings, have consumers write reviews … you know how it goes, Amazon does it well.

Amazon have shifted from selling books to selling e-books. No more packaging, inventory or shipping. Instant gratification.

The RIAA are not just stupid, they are extremely stupid.

January 25th, 2012

“Cybercrime” is still Crime and “Cyberfraud” is still Fraud

http://www.techsecuritytoday.com/index.php/our-contributors/michael-vizard/entry/lifting-the-veil-on-cybercrime

This says it all:

At the end of the day, cybercriminal activity is not all that different
from more traditional forms of organized crime. Obviously, the way the
crime is perpetrated is new, but the ways in which cybercriminals
operate is not all that different from anything that has gone on before.

Heck, once upon a time there was no telegraph, no “Royal Mail” (or whatever the equivalent is in your state/nation). But when those came along they offered new opportunities for fraud. Most places have laws in place against fraud perpetrated by mail or telegraph, and telegraph includes the telephone.

And this is where I get to wonder at how our politicians work, the knee-jerk “something must be done NOW” attitude.

Here in Canada we have a criminal code. It covers fraud. We don’t need new laws to deal with cybercrime because, the way our laws are written, they are general and not reductionist. They specify the crime, not the technology used.

I get the impression that in the USA (and possibly other places) it’s the other way round. That’s why they need lots of new laws to address every fine-grained detail as the technology advances. Personally I don’t think this is a good way of working since it piles laws upon laws.

In science we saw that in astronomy before Newton. The classical “Ptolemaic” system piled epicycles upon epicycles as corrections because the underlying model, based on a geocentric approach and the idea of ‘perfect spheres’, was fundamentally flawed. Piling human laws upon human laws to deal with special cases of what is really a general situation is no less flawed in approach.


Fraud is fraud is fraud. It doesn’t matter if it’s perpetrated by a hustler in person as in the scenes in “Paper Moon”, by mail, over the phone or using the Internet. Fraud is fraud is fraud.

We don’t need new laws; we just need a better understanding of how criminals use technology. Well, perhaps we security droids don’t need it, but the public, the police, the legislators and the managers of the firms and organizations impacted by such criminals need that understanding.

But that’s not what detailed, reductionist legislation is going to achieve, is it?

August 6th, 2011

Schneier on Security: Hacking Cars Through Wireless Tire-Pressure

http://www.schneier.com/blog/archives/2010/08/hacking_cars_th.html

A few alarming things here.
More nanny state:

In other words, the nanny state is forcing upon us expensive and insecure systems that aren’t as effective as a human being just doing what he’s supposed to, but we should just think of the children we’re “protecting” with this misguided effort.

Never mind the basic Orwellian aspects.

But the basic problem is the knee-jerk reaction of Congress combined with lack of understanding of science and technology and legislation that, by specifying method rather than objectives, plays, misguidedly, into the hands of one vendor.

They did this with emission control.
The Japanese could beat the original standard by engine design.
They did this with the old Honda CVCC.
GM wasn’t worried; they said it was a technique only for small-engine cars. Then Honda did it for larger engines. At the time GM had cornered the market in platinum, so they got Congress to write the law specifying the HOW in their favour. Of course that advantage no longer exists, but we still have the expense of the platinum ‘converters’.

Now we have more expense.

TPMS became mandatory because of public backlash after the Firestone/Ford Explorer debacle. The public saw cars flipping over on TV and called up Congress and demanded that they “do something!”


August 6th, 2011

Would you buy a computer from a company like this?

http://consumerist.com/2011/05/security-expert-sony-knew-its-software-was-obsolete-months-before-psn-breach.html

  • It’s not a camera, it’s a computer that takes pictures
  • It’s not a car, it’s a computer that gets you from place to place
  • It’s not a watch, it’s a computer that tells you the time
  • It’s not a radio, tv, hi-fi, phone …. it’s a computer

Would you buy a computer from a company like this?

http://news.consumerreports.org/electronics/2011/05/data-security-expert-sony-knew-it-was-using-obsolete-software-months-in-advance.html


July 21st, 2011

Economic Impact: Patent trolls chase app developers out of the U.S.

http://www.linuxfordevices.com/c/a/News/Kootol-joins-Lodsys-as-a-patent-troll/?kc=LNXDEVNL072111

The Debt ceiling crisis will pass; even if there is a crash, the USA can recover from it …

IF its core economic worth, that is its industrial productivity, is unharmed.

There are a number of ways this can be harmed, poor credit rating among them, lack of availability for investments.

July 8th, 2011

He’s not Ian Paisley


I was at a presentation yesterday.
One of the vendor’s speakers, I’m sorry to say, was a CISSP.

OK, he wasn’t Ian Paisley or any other radical religious zealot.

BUT he was hectoring us and telling us that the Devil is out there gathering sinners (aka botnets) and tempting us (with web sites and spam), and just watch what he says: we must open our hearts to Christ (aka his company’s products) and be SAVED by following the One True Faith (only buying his company’s products) and repenting for our sins (having his company come in and do all the scans, consulting and so forth).

I was inoculated against the religious hectoring meme at a young age, but it’s still fascinating to watch. But as with religion, there are always people who are susceptible, and sadly, always groups willing to give such people a platform.

To be fair, that day’s event also had some good speakers. It had some straightforward and ‘humble’ people who explained matters clearly and without drama, stated the issues and the scopes of threats and vulnerabilities, and how and why their product did what it did. All without the drama, all without the hectoring or intimidation.

April 19th, 2011

Congressman blames U.S. unemployment crisis on iPad

http://www.zdnet.com/blog/apple/congressman-blames-us-unemployment-crisis-on-ipad/9968?tag=nl.e539

In it U.S. Representative Jesse Jackson Jr (D-IL) blasts Apple and Steve
Jobs claiming that the iPad is responsible for killing thousands of
American jobs.


In the rambling manifesto Jackson claims that the iPad is to blame
because it enables anyone to easily download books and newspapers. Thus
everyone who works at bookstores (i.e. Borders) or the publishing
industry will lose their jobs to workers making iPads in China.

Over the top?

Well, he is a politician.

However, there is this:

Yet, last week, the president met with eight CEOs such as the heads of
Xerox and American Express to ask what he could do that would give them
confidence to invest in the United States. But these are precisely the
wrong people with whom to consult and the question is precisely the
wrong question. They are the wrong people because they have benefited
enormously from offshoring and from the distortions built into the
global system. Their interest is not the same as that of the United
States but rather that of their shareholders and, in some cases, of the
authoritarian governments of the countries to which they have moved much
of the production capacity. The question is wrong because rather than
trying to bribe them the president should, a la The Godfather, be making
them “offers they can’t refuse.”

In South Carolina, Governor Perry emphasized that he would make
Washington disappear from the lives of the people in his audience. That
did not strike me as the comment of a person using all his power to find
jobs.

But think about it for just a moment. There will be no more significant
fiscal stimulus for the economy. The emphasis is all on debt reduction,
cutting expenditures, and retrenching. Not only will the federal
government be cutting back, but the state and municipal governments are
already slashing and burning. All of this will result in further job
reduction, less consumer spending, and declining stimulus which in turn
will lead to reluctance on the part of business to invest. In these
circumstances, the only possible source of jobs is a reduction of the
trade deficit.

He or she who wakes up to this fact first is likely to be the next president.

That’s my emphasis in red.

These executives are responsible to the shareholders, through the board. If the economic climate and system of taxation – that is, the employment costs – make it favourable to employ foreign workers rather than American workers, then that is what these people will do. If they do otherwise then they are clearly not acting in the best interests of their corporations and will be dismissed and replaced by someone who will. This is basic corporate economics, and any politician who fails to recognise it may be popular for crowing about “America First” but is displaying woeful ignorance.

The other way to look at it is that US workers have priced themselves out of the market.


A people that values its privileges above its principles soon loses both.
Dwight D. Eisenhower, Inaugural Address, January 20, 1953

January 31st, 2011

IT AUDIT VS Risk Assessment – 2

We were discussing which should be done first and someone said:

The first has to be risk assessment as it is the foundation of information
security. You first need to know where the risk is before putting up
any controls to mitigate that risk. Putting up ad hoc controls will not
make the controls effective nor will it protect the organization
against the risk.

While I understand the intent, I think that is very prejudicial language.

Donn Parker makes a very good case that we have the cultural context – read that as sophistication and awareness of the baseline risks – to see that there should be a set of baseline controls: IAM, firewall, AV, backups and so forth. We don’t need to leave the assets exposed to threats while we wait around for a Risk Analysis to tell us that these baseline protective controls are needed.

You don’t need to know the specific risks any more than you need to know the specific risks to have a lock on the front door of your house and close your windows.

I certainly wouldn’t call this approach “ad-hoc”.

January 16th, 2011

Black Swan: “levels only experienced on average once every 500 to

http://news.discovery.com/earth/megastorm-californias-other-big-one.html

Just in the last 15 years, since microwave technology aboard satellites
produced images of water vapor in the atmosphere, scientists have come
to realize that most major winter rainstorms over California, and
virtually all flooding episodes, are the result of the unloading of
airborne streams of tropical moisture that have come to be called
“Atmospheric Rivers.” (Hence the name, ARk – Atmospheric Rivers 1,000.)
The scenario envisions nearly a month of uninterrupted rainfall over
northern and southern California.

“The hypothetical storm depicted here would strike the U.S. West Coast
and be similar to the intense California winter storms of 1861 and 1862
that left the central valley of California impassible,” the authors
said. “The storm is estimated to produce precipitation that in many
places exceeds levels only experienced on average once every 500 to
1,000 years.”

In addition to property and “business interruption” losses of anywhere
from $725 billion to $1 trillion, the team estimated that emergency
managers would be faced with the task of evacuating 1.5 million people
during the storm and its aftermath. “The numbers that have been
presented here are shocking, no doubt about it,” observed co-author
Laurie Johnson, a private planning specialist who worked on Katrina
Hurricane recovery. Such a storm could pose “a fiscal crisis that will
cascade through every level of government.”

All that says is that 1,000-year storms exist, and can occur. The only thing new here is that they understand more about the mechanisms of these 1,000-year storms when they do happen, not that one is imminent.

I’ve got some more news for you: one day, the sun will Red Giant and engulf the entire Earth. The damages will exceed a trillion dollars.  The probability of this is 1.0 …. in astronomical time-scales.

The logic of risk analysis that equates a once-in-five-billion-years event that has an impact of trillions of dollars with monthly events that cost hundreds of dollars is lunacy.
There are many inconvenient events that do occur on a monthly basis [again with probability 1.0] that cost hundreds, even thousands of dollars, and we ‘just live with them’. If you doubt that statement look at the incidence of automobile deaths and injuries and of deaths and disabilities due to pollution. I’m sure any insurance company or government statistics office will be happy to supply you with the details.

One thing is very clear: we are not good at recognizing where the real threats and risks are.

January 6th, 2011

Risk due to network administrators

Someone on a forum I subscribe to suggested that there is a major risk of network administrators misusing their privileges. Why admins rather than CFOs, CEO or other staff, I don’t know.

“Major”?
As in often?
As in large impact that stops the business operating?

If it’s that bad why not just get rid of them?
It’s probably easier to automate their job than that of the CFO.

I’ve written here and elsewhere that many people from a technical background don’t understand ‘risk’. Not only do businessmen view risk differently, but risk only occurs when you have something that may offer an advantage – else why would you be doing it?

The limiting case is gambling at a casino or playing . You bet against the odds because you might win. Businesses take business risks because they can make a profit.

But in gambling and business you can only lose as much as you bet, and you have a pretty good idea of the odds – in a casino you know them for sure. In InfoSec we don’t know the odds (except when they are a certainty, like SPAM or Viruses).

So think in business terms.
Companies employ system and network administrators.
Big deal.
They also employ accountants and CFOs.
Who do you think could cause more harm to the business?
A network admin reading other people’s mail or a CFO that defrauds the company by writing phony cheques?

So if a network admin is a “major” threat because of what he _might_ do, *if* you employ a scum-bag and *fail* to do a background check or get him pizzed off, then what grade of threat do you think a similar CFO rates?

Context, I keep telling you, is Everything.

September 15th, 2010

Career Insights from Stephen Northcutt, CEO of SANS

http://www.bankinfosecurity.com/articles.php?art_id=2914

Fascinating.

I get a lot of enquiries from wannabes who, as they put it, want to “break into security”. I presume they see it as more interesting than the work they are doing.

They come in all varieties, from high-school kids asking about what degree they should take to people with no actual work experience asking if they should take a CISSP or CISM.

The luminaries of our profession, be they CISSPs or people like Marcus Ranum and Bruce Schneier who lack such certifications, all came up the same way that Stephen Northcutt did and many of us here did – the long way. And they gained the practical experience and understanding of the issues along the way.

August 20th, 2010

Open source and commercial support

In a discussion of Open Source vs Closed Source/Commercial …

Voice 1: Maybe because they’re not customers? (in the paying for a service sense)
Voice 2: Well, I don’t understand that model. I expect to pay for code that someone writes because otherwise I cannot expect someone to stand by the stuff when it doesn’t work.

Ironically I’ve never found that to be the case.

The stuff I pay for (cable service, hosting) and the stuff I use that someone else pays for (i.e. the people I work for: commercial hardware, software and service) are the other way round to what you might think.

The support sucks!

July 29th, 2010

RIM vs. Indian government continues

http://www.zdnet.com/blog/india/rim-vs-indian-government-continues/135?tag=nl.e539

… and the UAE.

RIM is between a rock and a hard place.
They say no to this and they lose a market; and the Indian market is big. They say yes to this and the customers don’t trust them, so why should they buy RIM rather than some other insecure service?

June 4th, 2010

Google Phasing out Windows

http://www.h-online.com/security/news/item/Report-Google-phasing-out-internal-use-of-Microsoft-Windows-1012679.html

“According to a report in the Financial Times, Google are phasing
out the use of Microsoft’s Windows within the company because of
security concerns. Citing several Google employees, the FT report
reports that new hires are offered the option of using Apple Mac
systems or PCs running Linux. The move is believed to be related to a
directive issued after Google’s Chinese operations were attacked in
January. In that attack, Chinese hackers took advantage of
vulnerabilities in Internet Explorer on a Windows PC used by a Google
employee and from there gained deeper access to Google’s single sign
on service.”

Security as a business decision?
Don’t make me laugh!
Look at what precedent they’ve shown!
Look at Microsoft’s attitude and approach to security (no matter how flawed the end result) and compare it with the public stance Google has taken.

No, this is about Business Politics.
Microsoft has been ‘staggering’ this last decade and now Apple is in the ascendancy, and the real battle will no longer be in the PC world but in the consumer world with embedded systems.
On the surface this will be Android vs Apple, but since embedded Linux goes so much further, embedded in TVs, GPS units, traffic light controllers, and perhaps it will even replace UNIX in telephone exchanges (ha-ha-ha!), there’s more potential.
(Freudian slip: I just wrote portential.)

Yes, Microsoft hasn’t been asleep in the embedded market, or the phone/PDA market, but compared to Linux it’s a resource hog. To top that, it’s also proprietary, so vendors rely on Microsoft for the porting to new processor/hardware and for support. Linux/Android doesn’t have that limitation. And there are plenty of ‘kiddies’ eager to play with Android (source) on a new toy.

No, this isn’t a security issue, it’s a business and political issue.
If Google is pushing its range of Android products then it doesn’t want to have people – journalists, investors, bloggers – saying “yes, but you USE Windows even though you preach Linux”.

Or perhaps you thought Google was taking the “High Moral Ground”?
No, I think they are taking the advice of Sun Tzu and applying it to business:

“For them to perceive the advantage of defeating the enemy, they must
also have their rewards.”

Betcha Google will be supplying Android phones/slates/pads to its workers.

“He who knows when he can fight and when he cannot, will be victorious.”

Look at that ZDNet article and think about the timing of Google’s announcement.

“It is essential to seek out enemy agents who have come to conduct
espionage against you and to bribe them to serve you. Give them
instructions and care for them. Thus doubled agents are recruited and used.”

Think about that one.

“Opportunities multiply as they are seized.”

And look how Android is spreading.
Ballmer said Linux was a virus – yes, a “meme”.

“Thus, what is of supreme importance in war is to attack the enemy’s strategy.”

Indeed. Microsoft has proclaimed a commitment to “security”. Bill Gates said so. That is their “strategy”. But Google is working on the fact that Microsoft products still have security flaws. Regardless of the reality, that is the “voice” of this announcement. They are saying that Microsoft’s strategy isn’t working. They are attacking it in the minds of the consumers.

May 28th, 2010

“Impact” is not a Metric

I never like to see the term ‘impact’.
It’s not a metric.

I discuss how length, temperature and weight are metrics whereas speed, acceleration and entropy are derived values. In the same sense, ‘impact’ is a derived value – “the cost of the harm to an asset”. The value of an asset can be treated as a primary metric, but how much it is “impacted” is a derived value.

This is the same kind of sloppy thinking, the same failure to identify tangible metrics, as we see when people treat ‘risk’ as if it were something tangible, never mind a metric!

March 22nd, 2010

More on how to win friends and influence management

Take a look at

Forget ROI and Risk. Consider Competitive Advantage
by Richard Bejtlich

I note the line that so many of us in the InfoSec business have encountered and complained about …

As we’ve seen during the last few years, “risk” has turned out to be a dead end too. The numbers mean nothing. Even if you could somehow measure risk, it’s easy enough for managers to accept a higher level of risk than the security manager.

Indeed.

But so many ‘authorities’ – ISO-2700x, ISACA’s COBIT, ValIT and RiskIT as well as its Professional Practices – all focus on Risk Analysis.

We’ve recently seen mention of NIST 800-30.
There on page 9 is a nine-step (why not 12-step?) program for what they call “Risk Assessment”. Actually it isn’t; it involves controls and results. It makes it look sooooo simple! But as many practitioners have pointed out, in many ways it’s not like that in reality. Many of us question if it’s doable.