SunSec Rises Tonight!

We’ve got people flying in from other states and I’m even getting a haircut! Tonight at 6pm at Furio in Scottsdale we’re reviving that most noble of institutions- security geeks hanging out, drinking, and lying about their l33t skilz. CitySec meetups are informal gatherings of anyone interested in security. We hang out, drink, and talk amongst ourselves. No presentations, no speakers; just a chance for local people to connect. You don’t need to be a full-time security geek to show up (that means you Tom, don’t make me taunt you). Happy Hour runs until 7 and that’s when they serve the normal food (gets a little Scottsdale-snobby after that). Drinks run all night, and the first round is on Securosis. Cya there, and email or IM me if you want my cell number in case you get lost… Share:

Read Post

Why You Shouldn’t Run An Open Wireless Network Like Bruce (Or Chuck Norris)

Bruce Schneier is one of the more venerated figures in the information security world, and rightfully so. But reading his article in Wired today, I think he might want to stick to encryption. (I know and like Bruce, so this isn’t a personal attack.) Bruce has long bragged that he runs a totally open home wireless network. He considers it a kind of “pay it forward” charity. I love open WiFi and don’t have a problem with free access. Someday I might even open up part of my own network, although it’s probably not worth it considering where I live. Bruce breaks the potential security risks down into two categories: Somebody abusing his network for illegal activity- spam, file sharing, attacking other systems, and so on. Connecting to his network and attacking his home systems. He evaluates these risks as acceptable: Odds are a bad guy will use one of the five open, anonymous coffee shops down the street rather than parking in front of his house for (probably) hours on end. By saying that he instantly guarantees that some prankster will park their VW van out front and spam everyone from “Bruce Schneier’s House”. Perhaps not, but he does accurately outline the potential legal risks. In his own words, “I’m also unmoved by those who say I’m putting my own data at risk, because hackers might park in front of my house, log on to my open network and eavesdrop on my internet traffic or break into my computers. This is true, but my computers are much more at risk when I use them on wireless networks in airports, coffee shops and other public places. If I configure my computer to be secure regardless of the network it’s on, then it simply doesn’t matter. And if my computer isn’t secure on a public network, securing my own network isn’t going to reduce my risk very much.” While these risks might be acceptable to Bruce, I don’t recommend them for anyone else, including myself. Depending on population density, your risk of abuse of an open network may be higher. I could open part of my network in my current location without much worry, but I’ve previously lived in places where the pedophile living below me would take advantage of an open network. That’s not an exaggeration- for most of the time I lived in a particular condo in Boulder the person below me was known for risky activity. Never convicted, but concerning enough I sure as hell wouldn’t want him on my network. The risk of the RIAA going after you might also be higher if you live someplace with enough close neighbors that it’s worth someone’s effort to use your network to mask their activity. It’s a low risk for me where I am now, but has been high in the past. Very few people have the skills to secure their home network to the same degree as Bruce. I also suspect his network wouldn’t withstand a penetration test by a determined attacker. My home network is very secure; all systems are patched, firewalls turned on, and trust relationships are minimal. That said, I know I could crack it. I don’t encrypt all traffic (wireless is all WPA2 though) and I have some open file shares. Why? Because it’s “secure enough” for my home, and anything that leaves the walls and connects through the public Internet is totally locked down. In some cases, thanks to my consumer devices, I’m limited in the amount of security I can apply. I wouldn’t make a big deal out of this, but Bruce is a role model to those interested in security. I can guarantee at least a few people will open up their networks to emulate Bruce, and be the worse for wear because of it. He also mentions the risk of violating his ISP’s terms of service: Certainly this does concern ISPs. Running an open wireless network will often violate your terms of service. But despite the occasional cease-and-desist letter and providers getting pissy at people who exceed some secret bandwidth limit, this isn’t a big risk either. The worst that will happen to you is that you’ll have to find a new ISP. To give the press quote, if Bruce is doing this himself it looks like he has appropriately evaluated his personal risks and they are within his personal tolerance. If he’s recommending this to others, that’s just plain stupid. I’ve thought about opening my own access up via a separate, segregated segment, but it’s not worth the effort since almost no one around me would need it. Don’t follow Bruce’s example- he’s an industry pundit making a point. If you want to open up your wireless network, and are comfortable violating the terms of agreement with your ISP, please use a well-segregated open access point. Don’t just let anyone wander around and see what’s on your TiVo (since all TiVos have an open web server you can’t lock down without hacking, it ain’t that unusual a risk). Oh, and the Chuck Norris thing? Share:

Read Post

Yes, I’m Giving A DLP Webcast. No, I Won’t Post The Picture

I hate it when Farnum scoops me on my own presentation. On January 22nd I’m giving a live webcast on DLP. The topic is Demystifying Data Loss Prevention, and I’ll be covering everything from defining DLP, through the top features to look for, to running the selection process. The webcast is sponsored by Websense, but is my usual objective content. You can register for it here. I believe there will be live Q&A; if not I’ll set up a side-channel chat room for questions. There is more disinformation and weirdness regarding DLP than in any other market I’ve covered. This is your chance to stop by, hear what I think, and ask questions without having to hop on an airplane or pay my ridiculously high consulting rates. Share:

Read Post

Top Five Database Resultions- Registration Open And Looking For Reviewers

Updated : Forgot to list the date, it’s January 25th. Update 2 : Fixed stupid mistake in mailto link. Bad ex-web programmer. Bad! I must be the [edited] of webcasting or something. Considering I get paid for these you could probably use another word, but this is a family friendly blog. ZDNet has opened registration for my webcast on database security. As mentioned before, this one is designed to walk the line between DBAs and security admins- taking 5 key recommendations and giving actionable advice for each audience. It’s sponsored by Oracle. Since I want to make sure this one is really on target, if you are either a DBA interested in security, or a security admin interested in databases, drop me a line and I’ll send you a draft for review. I have a couple people taking a look already, but I’d like some input from people dealing with day to day operational issues. Just email me at Here’s the full description of the event: The spotlight on database security and increasing demands for regulatory compliance require DBAs and security professionals to work more closely than ever before – both integrating and separating job duties. Security and database teams are being challenged to learn at least SOME of the skills of each other’s domains while applying these principles practically to achieve compliance and keep out the bad (and even some not-so-bad) guys. Join us for this informative eSeminar with useful information for both database and security professionals, where long-time database security industry expert Rich Mogull will highlight the top five recommendations for database security and compliance in this new year. Featured topics will include: Segregation of Duties for DBA and Security Pro alike Database Vulnerability Configuration Management Auditing and Activity Monitoring See how your resolutions for ‘08 compare with our experts – and bring your questions for the Q&A session following the presentation. Register now to ensure your spot at this important event. < p style=”text-align:right;font-size:10px;”>Technorati Tags: Database Security, Oracle, Separation of Duties, Webcast Share:

Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.