Friday Summary: July 10, 2009By Rich
We have a few Securosis news items that hopefully you will find useful. We get a lot of feedback and ideas from readers about how they want to use our site, or when and how they view the posts. It’s an amazingly diverse group of preferences, scattered like a shotgun blast across the spectrum of options. We hear you, so in our quest to deliver the blog content through every new media medium we think you might like, we have implemented a couple new ways to read the blog and the research library.
Rich has been toiling away this past week to get an iPhone compatible site up and running. You can find it at www.securosis.com/iphone. You should consider this a beta release. There are a few bugs and behavioral issues to work out, but I don’t think Rich ever touched AJAX before this week, so he has done a pretty nice job at figuring it all out on his own. If you have comments or suggestions, or if you are an expert with AJAX and Expression Engine, by all means, please send us feedback and hints on what else you want to see. But be prepared as Rich may ask you some technical questions on debugging in return!
We have also made Securosis available on the Kindle through Amazon. As you know we are not like other research firms, and we do not charge for the vast majority of our content. Rich and I had along debate on whether to do this as you have to pay for the subscription, and that’s not really our style. And heck, neither one of us even owns a Kindle, but we just plain like the idea. The Kindle is a very cool device. As far as the subscription goes, we figured you had a choice in the matter, and can visit the web site or subscribe to the RSS feed and still get all the free content.
Speaking of RSS feeds, sometime in the near future, maybe even by the time you read this, we will have a dedicated Friday only RSS feed. Many of you have requested a weekly summary rather than the daily, so those who want the just the digest version, this is for you. There is also a sign up link to the right-hand menu.
And now for the week in review:
Webcasts, Podcasts, Outside Writing, and Conferences
- Rich was interviewed on Al Jazeera about the big DDoS attack that’s totally not cyberwar.
- Rich & Martin on the Network Security Podcast #157.
- Rich over at SC Magazine on Google Chrome security.
- Rich, again, on Chrome OS, this time at Dark Reading.
- And Rich’s Dark Reading column on Cloud Computing. (And no, those aren’t really security controls, sarcasm folks).
- Rich on dumping antivirus over at PC World.
Favorite Securosis Posts
- Rich: The post on Creating a Standard for Data Breach Costs.
- Adrian: Rich’s post on how Data Labels Suck nails it for me.
Other Securosis Posts
- The Securosis and Threatpost Black Hat Disaster Recovery Breakfast
- Dark Reading Column: Cloud Security
- Social Security Number Code Cracked
- Securosis: On Holiday
- Database Security: The Other First Steps
- Three Database Roles: Programmer, DBA, Architect
- Cracking a 200 Year Old Cipher
- Database Encryption, Part 5: Key Management
- Things To Do In Encryption When You’re Dead
- The Network Security Podcast, Episode 156
Project Quant Posts
- Mid-Project Update and Trip Report
- Project Quant: Document and Update Configuration Changes
- Project Quant: Clean Up Phase
Favorite Outside Posts
- Adrian: James Urquhart on Three debates that will benefit Cloud Computing
- Rich: This isn’t just the blog post of the week, it’s the post of the year. Bow down before Shrdlu.
Top News and Posts
- Goldman loses major source code, and possibly millions in the data theft of the year (it was an insider).
- Top 10 misconceptions about PCI.
- The DDoS attack that’s totally not cyberwar, and probably has nothing to do with North Korea.
- New attack on AES, but nothing to worry about.
- Facebook changes privacy… I hope it works out well this time, instead of that Beacon garbage.
- Microsoft 0day in DirectShow being exploited. Make sure you set that killbit until you can update.
- An 0day in Cold Fusion makes Rich sad, since he used to be a total Cold Fusion geek.
- JJ has a good post on NAC policies. Don’t trust her in a karaoke bar, but her NAC skills are solid.
- SSH 0day is probably a hoax.
- Apple releases an important Safari update.
- McAfee glitch fells PCs around the globe.
- More Metasploit goodness.
- Unisys Targets Cloud Security … it’s stealthy, all right.
Blog Comment of the Week
This week’s best comment comes from Patrick Florer in response to Creating a Standard for Data Breach Costs:
I have been working on something similar. Distinguishing between those costs that make sense on a per record basis and those that make sense on a per incident basis is very important. Some breaches can be measured by records lost. Others, like IP theft, cannot be measured in that way, so it’s important to take that into consideration, too. As a guide, I am using the breakout of loss magnitude provided by FAIR - primary and secondary losses - and the various categories within each. Also, when talking about the “cost” of a data breach, it’s important to recognize that a number of parties might have costs - the breached entity, business partners, customers, individuals, law enforcement (hence the public at large), shareholders, etc. So it also becomes a question of whose costs we are talking about.