Securosis

Research

How Much Security Will You Tolerate?

I have found a unique way to keep anyone from using my iMac. While family & friends love the display, they do not use my machine. Many are awed that they can run Windows in parallel to the Mac OS, and the sleek appearance and minimal footprint has created many believers- but after a few seconds they step away from the keyboard. Why? Because they cannot browse the Internet. My copy of Firefox has NoScript, Flashblock, cookie acknowledgement, and a couple of other security related ad-ons. But having to click the Flash logo, or to acknowledge a cookie, is enough to make them leave the room. “I was going to read email, but I think I will wait until I fly home”. I have been doing this so long I never even notice. I never stopped to think that every web page requires a couple extra mouse clicks to use, but I always accepted that it was worth it. The advantages to me in terms of security are clear. And I always get that warm glow when I find myself on a site for the first time and see 25 Flash icons littering the screen and a dozen cookie requests for places I have never heard of. But I recognize that I am in the minority. The added work seems to so totally ruin the experience and completely turn them off to the Internet. My wife even refused to use my machine, and while I think the authors of NoScript deserve special election into the Web Security Hall of Fame (Which given the lack of funding, currently resides in Rich’s server closet), the common user thinks of NoScript as a curse. And for the first time I think I fully understand their perspective, which is the motivation for this post. I too have discovered my tolerance limit. I was reading rsnake’s post on RequestPolicy Firefox extension. This looks like a really great idea, but acts like a major work inhibitor. For those not fully aware, I will simply say most web sites make requests for content from more than just one site. In a nutshell you implicitly trust more than just the web site you are currently visiting, but whomever provides content on the page. The plugin’s approach is a good one, but it pushed me over the limit of what I am willing to accept. For every page I display I am examining cookies, Flash, and site requests. I know that web security is one of the major issues we face, but the per-page analysis is not greater than the time I spend on many pages looking for specific content. Given that I do a large percentage of research on the web, visiting 50-100 sites a day, this is over the top for me. If you are doing any form of risky browsing, I recommend you use it selectively. Hopefully we will see a streamlined version as it is a really good idea. I guess the question in my mind is how much security will we tolerate? Even security professionals are subject to the convenience factor. Share:

Share:
Read Post

Friday Summary- January 23, 2009

Warning- today’s introduction includes my political views. History Whatever your political persuasion, there’s no denying the magnitude of this week. While we are far from eliminating racism and bias in this country, or the world at large, we passed an incredibly significant milestone in civil rights. My (pregnant) wife and I were sitting on the couch, watching a replay of President Obama’s speech, when she turned to me and said, “you know, our child will never know a world where we didn’t have a black president”. Change One thing I think we here in the US forget is just how much we change with the transition to each new administration, especially when control changes hands between parties. We see it as the usual continuity of progress, but it’s very different to the outside world. In my travels to other countries I’m amazed at their amazement at just how quickly we, as a nation, flip and flop. In the matter of a day our approach to foreign policy completely changes- never mind domestic affairs. We have an ability to completely remake ourselves to the world. It’s a hell of a strategic advantage, when you really think about it. In a matter of 3 days we’re seeing some of the most material change since the days of Nixon. Our government is reopening, restoring ethical boundaries, and reintroducing itself to the world. Faith When Bush was elected in 2000 I was fairly depressed. He seemed so lacking in capacity I couldn’t understand his victory. Then, after 9/11, I felt like I was living in a different country. An angry country, that no longer respected diversity of belief or tolerance. A country where abuse of power and disdain for facts and transparency became the rule of our executive branch, if not (immediately) the rule of law. I was in Moscow during the election and was elated when Obama won, despite the almost surreal experience of being in a rival nation. When I watched the inauguration I felt, for the first time in many years, that I again lived in the country I thought I grew up in- my faith restored. Talking with my friends of all political persuasions, it’s clear that this is also a transition of values. Transparency is back; something sorely lacking from both the public and private sector for far longer than Bush was in office. Accountability and sacrifice are creeping their heads over the wall. And lurking along the edges of the dark clouds above us is self sacrifice and unity of purpose. I’m excited. I’m excited more about what this mean to our daily and professional lives than just our governance. Will my hopes be dashed by reality? Probably, but I’d rather plunge in head first than cower at home, shopping off Amazon. Oh- and there was like this really huge security breach this week, some worm is running rampant and taking over all our computers, and some idiots keep downloading pirated software with a Mac trojan. Here is the week’s security summary: Webcasts, Podcasts, Outside Writing, and Conferences: Martin and I talk a bit about all sorts of things- including Obama’s tech agenda, on The Network Security Podcast. I seem to run off on 3 separate rants. I wrote up the Heartland data breach for Dark Reading. I did a few interviews on the breach, including the MIT Technology Review, SearchSecurity, and SC Magazine. Favorite Securosis Posts: Rich: My Heartland post, because it got Slashdotted. Adrian: Perhaps it is the contrarian in me, but my favorite post is The Business Justification for Data Security. There is a lot of information here. Favorite Outside Posts: Adrian: Hoff’s ruminating on Cloud security of Core services. The series of posts has been interesting. I follow many of these blog posts made on dozens of different web sites, but only for the occasionally humorous debate. Not because I care about the nuts and bolts of how Cloud computing will work, how we define it, or where it is going. The CIO in me loves the thought of minimal risk for trying & adopting software and services. I am interested in the flexibility of adoption. I do not need to perform rigorous evaluations of hardware, software, and environmental considerations- just determine how it meets my business needs, how easy is it to use, and does the pricing model work for me. After a while if I don’t like it, I switch. Stickiness is no longer an investment issue, but a contract issue. And I am only afraid of these services not being in my core if I run out of choices in the vendor community. I know there are a lot more things I do need to consider, and I cannot assume 100% divestiture of responsibilities for compliance and whatnot, but wow, the perception of risk reduction in platform selection drops so much that I am likely to jump forward without a full understanding of other risks I may inherit because of these percieved benefits. Not that it’s ideal, but it is likely. Rich: Sharon on Wwll the Real PII Stand Up? He raises a great issue that there are a bunch of definitions of PII in different contexts, and an increasingly complex regulatory environment with multiple standards. Top News and Posts: Barack Obama’s inauguration stopped all activity at Securosis as Adrian came over to watch for a couple hours. His speech is worth a reread even if you watched it live. A lot of trusted websites are serving malware. The NSA spied on everyone. Except you, of course- you’re too boring. Conficker worm bad. I thought you Windows users figured out that patching thing? Actually, I highly suspect the infection numbers are inflated. Blog Comment of the Week: We didn’t post much, but the comments were great this week. Merchantgrl on the Heartland Breach post: They were breached a while ago and they just happened to pick that day to finally announce it? Several people have brought up the Trustwave audit of

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.