Pretty good post. I just stumbled upon your blog and wanted to say that I have really enjoyed reading your blog posts. Any way I’ll be subscribing to your feed and I hope you post again soon….

In self-defence, the (creative) industry should adopt 2 strategies:

1) An office for pre-emptive monitoring of patent applications, to blow
the whistle and demonstrate prior art as soon as the trolls file
applications. That will deprive them of a) the element of surprise, and b)
ammunition.

2) Defensive pre-formation of action classes to launch counter-suits.

There would be a cost associated with this, but if the big outfits pooled
what they already spend in routine legal fees and F-Off money on a single
office, they could probably administer the class rosters for the industry
and still save a portion. The only risk would be some idiot in the DoJ
trying an anti-trust suit.

If an attempt to file an extortion patent reliably and immediately
produced an expensive outbreak of counter-lawyering, the trolls might be
tempted to lurk under other bridges.

Yes ISO27k is risk-based and requires that you identify and characterise risks to your information assets, but no ISO/IEC 27001 does not say you have to assess ALL risks, or ALL threats, vulnerabilities and impacts. Whoever said so is reading more into the standard than it actually says.

The cyclical PDCA approach recommended in 27001 is like whack-a-mole: identify your assets, assess the risks, treat them, and go round again. Knowing that you will be going round again and again means there is no need to obsess about every last detail right now. The same applies to selecting treatments, and treating the risks: you can settle for ‘good enough for now’ because it’s not forever.

Rgds,
Gary

Yes, “Don’t Do That!” is a people problem, but I don’t think you can simply move people out of the InfoSec process. It is people who build and who use the technology. If Policy is an InfoSec issue, if Awareness is an InfoSec issue then so are these.

There’s more to social networking from an information security perspective than simple misuse of corporate IT resources and time. What about the leakage of sensitive corporate or private information, for example, or social media malware, or social engineering? Misuse of resources is trivial in comparison, and is really a people management or HR issue, not infosec.

Regards,
Gary

Intriguing idea, but I don’t know if I believe you one hundred percent….

Hmm. While the description matches Windows the same logic applies for Linux. If you choose to do cross-file system symlinks to the hidden file system.

Like the old joke says .. “Don’t do that, then”.

One interesting possibility for this is the Facebook system. It has been so successful because it allows an interaction system that resembles real life social interactions. One can control somewhat who gets to see what detail of one’s persona, so people are willing to share thoughts and ideas more readily.

It also has a number of tools for collaboration built in which arerather intuitive to use.

It also has an open API for add-ons that allows great flexibility for what data types it handles.

I have heard rumours that Facebook is about to open source its basic software, so it might be something one could use internally for collaboration.

Bill Royds
wgr2ca@yahoo.ca

I found your site on technorati and read a few of your other posts. Keep up the good work. I just added your RSS feed to my Google News Reader. Looking forward to reading more from you….

On my machine Mozilla Thunderbird an Mozilla Firefox are the big culprits

The Linux 2.6.21 kernel introduces the so called tickless-idle feature. This feature allows the processor to be really idle for long periods of time, rather than having to wake up every millisecond for the timer tick.

So, if you want to tune your Linux box for ultimate power efficiency, enable the tickless-idle feature in your kernel. It will help, but you also need to find out what programs are causing the machine to wake-up.

>>”Tom has a genuine understanding of cyber-safety issues being a digital native and having suffered such cyber-issues as computer addiction,” Senator Conroy said.

I think he understands about all those internet tubes.

There is something to be said for focusing on macular degeneration for an individual who is otherwise generally healthy but whose eyesight is going. But I think that is your point. One could say the same thing
about this American obsession with the death of 5000 on 9/11, when “Modifiable behavioral risk factors are leading causes of mortality in the United States.” and leads to the death of a million each year. (1238
JAMA, March 10, 2004 Vol 291, No. 10)

I think I’ve become cynical. I do what I do, because it is a requirement. I do try to improve security postures, but it is not in the way that clients expect nor is it what they requested. Such is the way of business.

I think Schneier’s (legitimate) point is that, on average, built-in security is more effective than add-on security. But it is also more expensive and less convenient. Built-in security will never be a high priority until people start dying in large numbers because of computer security breaches.

Security needs to “Become part of Everyone’s DNA”, part of the corporate culture, part of the way we do things. Our schools need to begin teaching or at least do a better job of teaching ethics and good computer security practices beginning already at kindergarten or before (by parents).

Our youth are the ones that still have the potential to learn that a difficult password to guess does not mean it has to be difficult to remember or that it does not have to be painful to change it periodically. Good security and practices can become habit and natural, part of what is done becuase it is right, not because some legislater said we shoudl do it.

Instilling good security habits and practices starting very young and reinforced throughout their schooling will make it possible for networks, applications, databases, systems, etc.. to be delivered that are secure because that is how you build them as part of the design and implementation life cycle, not needing to add the security in after they have been delivered and are in production. When you build a network it would no longer need to be built as a “secure network” because they are already one and the same thing because that is the natural way to build them. We don’t have secure network and insecure networks we have networks.

This will take time, but will need to one day get started. We will have to have a few Romper Room graduates build some networks before “Security will begin to be part of our DNA” not something you add on just enought new controls because some legislation said we have to.

Ken