Friday Summary: August 20, 2010
By Adrian Lane
Before I get into the Summary, I want to lead with some pretty big news: the Liquidmatrix team of Dave Lewis and James Arlen has joined Securosis as Contributing Analysts! By the time you read this Rich’s announcement should already be live, but what the heck – we are happy enough to cover it here as well. Over and above what Rich mentioned, this means we will continue to expand our coverage areas. It also means that our research goes through a more rigorous shredding process before launch. Actually, it’s the egos that get peer shredding – the research just gets better. And on a personal note I am very happy about this as well, as a long-time reader of the Liquidmatrix blog, and having seen both Dave and James present at conferences over the years. They should bring great perspective and ‘Incite’ to the blog. Cheers, guys!
I love talking to digital hardware designers for computers. Data is either a one or a zero and there is nothing in between. No ambiguity. It’s like a religion that, to most of them, bits are bits. Which is true until it’s not. What I mean is that there is a lot more information than simple ones and zeros. Where the bits come from, the accuracy of the bits, and when the bits arrive are just as important to their value. If you have ever had a timer chip go bad on a circuit, you understand that sequence and timing make a huge difference to the meaning of bits. If you have ever tried to collect entropy from circuits for a pseudo-random number generator, you saw noise and spurious data from the transistors. Weird little ‘behavioral’ patterns or distortions in circuits, or bad assumptions about data, provide clues for breaking supposedly secure systems, so while the hardware designers don’t always get this, hackers do. But security is not my real topic today – actually, it’s music.
I was surprised to learn that audio engineers get this concept of digititis. In spades! I witnessed this recently with Digital to Analog Converters (DACs). I spend a lot of my free time playing music and fiddling with stereo equipment. I have been listening to computer-based audio systems, and was pleasantly surprised to learn that some of the new DACs reassemble digital audio files and actually make them sound like music. Not that hard, thin, sterile substitute. It turns out that jitter – incorrect timing skew down as low as the picosecond level – causes music to sound like, well, an Excel spreadsheet. Reassembling the bits with exactly the right timing restores much of the essence of music to digital reproduction. The human ear and brain make an amazing combination for detecting tiny amounts of jitter. Or changes in sound by substituting copper for silver cabling. Heck, we seem to be able to tell the difference between analog and digital rectifiers in stereo equipment power supplies. It’s very interesting how the resurgence of interest in analog is refining our understanding of the digital realm, and in the process making music playback a whole lot better. The convenience of digital playback was never enough to convince me to invest in a serious digital HiFi front end, but it’s getting to the point that it sounds really good and beats most vinyl playback. I am looking at DAC options to stream from a Mac Mini as my primary music system.
Finally, no news on Nugget Two, the sequel. Rich has been mum on details even to us, but we figure arrival should be about two weeks away.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Intel to acquire McAfee in $7.7 billion deal. Mike quoted as being baffled. Which is not a surprise…
- Adrian’s Dark Reading post on Database Threat Modeling And Strip Poker.
- Good interview with Mike Rothman on Infosec Resources
- Sending a Mac away. There are many things to expunge before you let a Mac (or any other computer) out of your personal possession. This list feels long but it’s short compared to taking a laptop to China…
Favorite Securosis Posts
- Mike Rothman: Acquisition Doesn’t Mean Commoditization.
- David Mortman: Tokenization: Selection Criteria.
- Adrian Lane: Since I am a contrarian I can’t go with David Mortman’s Acquisition Doesn’t Mean Commoditization, so I’ll pick Rich’s Sour Grapes Incite snippet. Not a whole post, but dead on the money!
- Rich Mogull: Acquisition Doesn’t Mean Commoditization
- Gunnar Peterson: HP (Finally) Acquires Fortify
Other Securosis Posts
- Liquidmatrix + Securosis: Dave Lewis and James Arlen Join Securosis as Contributing Analysts.
- Data Encryption for PCI 101: Introduction.
- Another Take on McAfee/Intel.
- McAfee: A (Secure) Chip on Intel’s Block.
- Acquisition Doesn’t Mean Commoditization.
- Incite 8/18/2010: Smokey and the Speed Gun.
- Tokenization: Selection Criteria.
Favorite Outside Posts
- Mike Rothman: Career Advice Tuesday = “How Did You Find Your Mentor”. Hopefully Mike and Lee didn’t find a mentor on FriendFinder. But seriously, everyone needs mentors to help them get to the next level.
- David Mortman: Cloud Computing & Polycentric Risk Tolerances.
- Adrian Lane: Quality analysis by Andy Jaquith on Horseless Carriage Vendor Buys Buggy-Whips.
- Rich Mogull: Young will have to change names to escape ‘cyber past’ warns Google’s Eric Schmidt. Honest assessment and totally untrustworthy all at once.
- Gunnar Peterson: Not a post, but consider this: $4.125B. That’s the average price of acquiring a security company this week.
Project Quant Posts
- NSO Quant: Manage IDS/IPS – Audit/Validate.
- NSO Quant: Manage IDS/IPS – Deploy.
- NSO Quant: Manage IDS/IPS – Test and Approve.
- NSO Quant: Manage IDS/IPS – Process Change Request.
- NSO Quant: Manage IDS/IPS – Signature Management.
Research Reports and Presentations
- White Paper: Endpoint Security Fundamentals.
- Understanding and Selecting a Database Encryption or Tokenization Solution.
- Low Hanging Fruit: Quick Wins with Data Loss Prevention.
- Report: Database Assessment.
Top News and Posts
- Something about some hardware company that bought some other security company. Supposedly big news.
- And some other hardware company buying another security company. Supposed to change the industry.
- Kinda cool feature for detecting Obfuscated URLs within iFrames
- Adobe Patches.
- Heartland story won’t die.
- George Hulme’s analysis of Healthcare Breach Costs.
- Well, duh! Addicted Gamer Sues Game-Maker, Says He is ‘Unable to Function’. That’s the definition of a good video game.
- Firefox on Fire.
- Not really news per se, but how often do you get a hillbilly parable about security?
Blog Comment of the Week
I think hashing might still be a viable solution. If an organization does not need access to the credit card number, but still needs to be able to show that a particular known credit card number was used in a transaction then hashing would be an acceptable solution. The key question is will a hashed card number suffice for defense against chargeback claims. If so, then organizations that do not offer one-click shopping or recurring billing may very well be able to avoid the hassles of key management and simply hash the card number.