Securosis

Menu

Research

Friday Summary – December 11, 2009

Adrian Lane December 10, 2009 1 Comment

I have had friends and family in town over the last eight days. Some of them wanted the ‘Arizona Experience’, so we did the usual: Sedona, Pinnacle Peak Steak House, Cave Creek, a Cardinals game, and a few other local attractions. Part of the tour was the big Crossroads Gun Show out at the fairgrounds. It was the first time I had been to such a show in 9 or 10 years. Speaking with merchants, listening to their sales pitches, and overhearing discussions around the fairgrounds, everything was centered on security. Personal security. Family security. Home security. Security when they travel. They talk about preparedness and they are planning for many possibilities: everything from burglars to Armageddon. Some events they plan for have small statistical probability, while others border on the fantastic. Still, the attendees were there to do more than just speculate and engage in idle talk – they train, plan, meet with peers, and prepare for they threats they perceive. I don’t want this to devolve into a whole gun control discussion, and I am not labeling any group – that is not my point. What you view as a threat, and to what lengths you are willing to go, provides an illuminating contrast between data security and physical security. Each discussion I engaged in had a very personal aspect to it. I don’t know any data security professionals that honestly sit up at night thinking about how to prepare for new threats or what might happen. For them, it’s a job. Some research late into the night and hack to learn, but it’s not the same thing. As data security professionals, short of a handful of people in capture the flag tournaments at Black Hat, the same level of dedication is not there. Then again, generally no one dies if your firewall fails. For each of the dozen or so individuals I spoke with, their actions were an odd blend of intellect and paranoia. How much planning was a product of their imagination and resources. Are they any more secure than other segments of the population? Do their cars get stolen any less, or are their homes any safer? I have no idea. But on one level I admired them for their sharing of knowledge amongst peers. For thinking about how they might be vulnerable, planning how to address the vulnerabilities, and training for a response. On the other hand I just could not get out of my head that the risk model is out of whack. The ultimate risk may be greater, but you just cannot throw probability out the window. Perhaps with personal safety it is easier to get excited about security, as opposed to the more abstract concepts of personal privacy or security of electronic funds. Regardless, the experience was eye opening. On a totally different subject, we notice we have been getting some great comments from readers lately. We really appreciate this! The comments are diverse and enlightening, and often contribute just as much to the community as the original posts. We make a point of listing those who contribute to white paper development and highlighting interesting comments from week to week, but we have been looking for a more concrete way of acknowledging these external contributors for a while know. To show our appreciation, Rich, myself and the rest of the Securosis team have decided that we are giving a $25 donation to Hackers for Charity (HFC) in the name of whoever drops the best comment each week. Make sure you check out the “Blog Comment of the Week”! On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Chris explains What is Google Voice? over at Macworld. David Mortman on Data Not Assertions over at the New School. Rich was part of the Black Hat Virtual Event. Rich was quoted on Bit.ly in The Tech Herald. Rich on the Network Security Podcast. Adrian in Information Security Magazine’s December issue on Basic Database Security. While not directly Securosis related, the RSA Security Blogger’s Meetup is on. Favorite Securosis Posts Rich: David Mortman’s Changing the Game? post is now up to 37 comments. I’m voting for the entire thread, not just the original post. Adrian: Meier’s DNS Resolvers and You post. Mort: Rich’s post on Possibility is not Probability. Meier: In Violent Agreement. Other Securosis Posts Verizon 2009 DBIR Supplement Security Controls vs. Outcomes Class Action Against Express Scripts Dismissed Project Quant for Databases: Project Quant: Database Security Planning, Part 2 (part 4 overall) Project Quant: Database Security Planning (part 3 overall) Favorite Outside Posts Rich: This isn’t my “favorite” post, but it’s probably the single most important thing you need to read on the Internet this week. Eric Schmidt, Google’s CEO, says you only need to worry about privacy if you’re doing something bad. I guess when they say, “Do no evil” they’re talking to us… with an “or else!” at the end. Adrian: Spire Security: Should we change passwords every 90 days? Chris: WPA Cracker: $17 or $34 to check a sniffed WPA(2) password against Moxie’s list. It’s a steal! Top News and Posts Hackers in the cloud! And not the ones on planes. Facebook Changes Privacy UI (and maybe reduces privacy). The Totally Awesome Frequent Flier/US Mint Loophole Put this in the category of “things I wish I had thought of”. Ending the PCI Blame Game Mike Bailey puts XSS into perspective. Amrit’s totally snarky (yet amusing) holiday gift guide Blog Comment of the Week We are going to do something a little different this week … both because we had so many excellent comments, and because we are launching the Hackers for Charity contributions. This week we have three winners! Chris Hayes in response to Mortman asking for a FAIR analysis in comments on Changing The Game ? @Mortman. Interesting request. A FAIR analysis can be used to demonstrate variance in resistance strength (formerly referred to as “control strength”). A FAIR analysis is usually done for a unique scenario. For example, password frequency change for an Internet facing app – where access to a small amount of confidential information is possible. A system password policy that requires complexity,

Share:
Read Post
dinosaur-sidebar

Research

view all

Sign Up for Our Newsletter

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.