Securosis

EFF Challenges Telecom Immunity

I missed including this in the Friday summary. The Electronic Frontier Foundation is challenging the legality of the telecoms being granted immunity for their participation in the NSA's warrantless spying on US citizens, claiming the executive branch of the government has overstepped its authority. Indirectly, this will open the entire program up for scrutiny as well. EFF Senior Staff Attorney Kevin Bankston: "In our constitutional system, it is the judiciary's role as a co-equal branch of government to determine the scope of the surveillance and rule on whether it is legal, not the executive's. The Attorney General should not be allowed to unconstitutionally play judge and jury in these cases, which affect the privacy of millions of Americans." Seems to have a point. This is going to be a very interesting and very important fight for personal privacy, as well as an interesting inspection of the close relationship between industry and sections of our government. And this case will be argued in a political climate that has less 9/11 fear and more annoyance with corporations' misbehavior, so I think the EFF will have traction and we will be seeing this in the headlines for some time.

Three Steps Forward, One Back

What did you think of the new MacBook? I think they are nice, but I don't want a new one badly enough to upgrade. I bought my MacBook last month knowing full well that they were going to release the new models on the 14th of this month, but the advancements would not be enough for me to wait. Most of the articles and analysis I read were a little harsh, with much of the focus on the price drop, or lack of a drop, whereas I was focused on usability. Maybe they are right, and with the economic slowdown the price reduction is not enough to capture larger appeal and Apple will get hammered. Still, I think this is a nice advancement. I had seen the leaked photos of the aluminum case, and it looked a lot nicer and more durable than the plastic one; when you travel as much as I do, that seems to be a very nice upgrade. And as has proven true with my aluminum desktop cases, I am sure that the heat loss through the case itself will be valuable in keeping the machine cooler with the faster processors that will be made available in the future. If you have ever over-clocked machines before, you know how much aluminum cases help dissipate heat and improve the lifespan of electronic components. The biggest problem I have with my MacBook is the mediocre video quality. It's not just that the graphics card in the current model is under-powered; the color, contrast and sharpness are just 'Blah'! The new LED backlit display should solve much of this problem. Yeah, the graphics engine is a big boost as well, but really, what hard core gamer is going to use a laptop for a first person shooter? I thought not. I am going to call the Mini DisplayPort a wash. Why? It will be awesome when attached to the new 24 inch monitor, no doubt about that. But how many MacBook owners are going to buy a $900.00 monitor? If the analysts are complaining that the $999.00 price point is too high for the MacBook, doubling the price makes this option miss the target buyer. Nice technology, perhaps not appropriate for the current generation of buyers.

Personally I am glad that the Blu-ray player was not included in the new MacBook. This, in my opinion, is the current generation of Laserdisc players. Yes, it offers better performance, but few want it. Did you see that only some 8 million Blu-ray disks have been sold this year? They have sold almost that many Blu-ray players if you take into account the current generation of PlayStations; this is a dismal adoption rate. And if you are like me, you would rather have video on demand, as it seems like a more dynamic and efficient way to get movies and television. And I am not lugging around a Blu-ray player that will probably be obsolete within months. All of which is in line with Apple's strategy (http://www.apple.com/appletv/whatson/movies.html). That takes us to my one disappointment: FireWire. This is how I hook up my Drobo. This is how I hook up my camera. This is how I update the maps on my Garmin. It's fast. It's nice to have the option. Sure, I can get adapter cables and use USB, but I would have preferred a dedicated port. Removing this was probably not such a good idea, and I wonder if we will see its return in future models. All in all, I think the MacBook made three steps forward and one back; couple that with a price drop and I say that is pretty darn good!

Your Simple Guide To Endpoint Encryption Options

On the surface endpoint encryption is pretty straightforward these days (WAY better than when I first covered it 8 years ago), but when you start matching all the options to your requirements it can be a tad confusing. I like to break things out into some simple categories/use cases when I'm helping people figure out the best approach. While this could end up as one of those huge blog posts that ends up as a whitepaper, for today I'll stick with the basics.

Here are the major endpoint encryption options and the most common use cases for them:

  • Full Drive Encryption (FDE): To protect data when you lose a laptop/desktop (but usually a laptop). Your system boots up to a mini-operating system where you authenticate, then the rest of the drive is decrypted/encrypted on the fly as you use it. There are a ton of options, including McAfee, CheckPoint, WinMagic, Utimaco, GuardianEdge, PGP, BitArmor, BitLocker, TrueCrypt, and SafeNet.
  • Partial Drive Encryption: To protect data when you lose a laptop/desktop. Similar to whole drive encryption, with some differences for dealing with system updates and such. There's only one vendor doing this today (Credant), and the effect is equivalent to FDE except in limited circumstances.
  • Volume/Home Directory Encryption: For protecting all of a user's or group's data on a shared system. Either the user's home directory or a specific volume is encrypted. Offers some of the protection of FDE, but there is a greater chance data may end up in shared spaces outside the encrypted area and potentially be recovered. FileVault and TrueCrypt are examples.
  • Media Encryption: For encrypting an entire CD, memory stick, etc. Most of the FDE vendors support this.
  • File/Folder Encryption: To protect data on a shared system, including protecting sensitive data from administrators. FDE and file/folder encryption are not mutually exclusive: FDE protects against physical loss, while file/folder encryption protects against other individuals with access to a system. Imagine the CEO with an encrypted laptop who still wants to protect the financials from a system administrator. Also useful for encrypting a folder on a shared drive. Again, a ton of options, including PGP (and the free GPG), WinMagic, Utimaco, PKWare, SafeNet, McAfee, WinZip, and many of the other FDE vendors (I just listed the ones I know for sure).
  • Distributed Encryption: This is a special form of file/folder encryption where keys are centrally managed while the encryption engine is distributed. It's used to encrypt files/folders for groups or individuals that move around between different systems. There are a bunch of different technical approaches, but basically as long as the product is on the system you are using, and has access to the central server, you don't need to manually manage keys. Ideally, to encrypt you can right-click the file and select the group/key you'd like to use (or this is handled transparently). Options include Vormetric, BitArmor, PGP, Utimaco, and WinMagic (I think some others are adding it).
  • Email Encryption: To encrypt email messages and attachments. A ton of vendors, which are fodder for another post.
  • Hardware Encrypted Drives: Keys are managed by software, and the drive is encrypted using special hardware built in. The equivalent of FDE with slightly better performance (unless you are using it in a high-activity environment) and better security. The downside is cost, and I only recommend it for high security situations until prices (including the software) drop to what you'd pay for software. Seagate is first out of the gate, with laptop, portable, and full size options.

Here's how I break out my advice:

  • If you have a laptop, use FDE.
  • If you want to protect files locally from admins or other users, add file/folder encryption. Ideally you want to use the same vendor for both, although there are free/open source options depending on your platform (for those of you on a budget).
  • If you exchange stuff using portable media, encrypt it, preferably using the same tool as the two above.
  • If you are in an enterprise and exchange a lot of sensitive data, especially on things like group projects, use distributed encryption over regular file/folder encryption. It will save a ton of headaches. There aren't free options, so this is really an enterprise-only thing.
  • Email encryption is a separate beast; odds are you won't link it to your other encryption efforts (yet), but this will likely change in the next couple of years. Enterprise options are linked up on the email server vs. handling it all on the client, which is why you may manage it separately.

I generally recommend keeping it simple: FDE is pretty much mandatory, but many of you don't quite need file/folder encryption yet. Email encryption is really nice to have, but for a single user you are often better off with a free option, since the commercial advantages mostly come into play on the server.

Personally I used to use FileVault on my Mac for home directory encryption, and GPG for email. I then temporarily switched to a beta of PGP for whole drive encryption (and everything else; as a single user the Mail.app plugin worked better than the service option). My license expired and my drive decrypted, so I'm starting to look at other options (PGP worked very well, but I prefer a perpetual license; odds are I will end up back on it, since there aren't many Mac options for FDE: just them, CheckPoint, and WinMagic if you have a Seagate encrypting drive). FileVault worked well for a while, but I did encounter some problems during a system migration, and we still get problem reports on our earlier blog entry about it.

Oh, and don't forget about the Three Laws. And if there are products I missed, please drop them in the comments.

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment, Securosis is free to distribute the whitepaper without branding or with alternate licensees, and Securosis will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis retains all rights to the content, including the right to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.