Incite 6/16/2010: Fenced in
I spent last weekend at my 20th college reunion. I dutifully flew into Ithaca, NY to see many Cornell friends and (fraternity) brothers. It was a great trip, but I did have an experience that reminded me I’m no spring chicken any more. I guess I could consider the unbelievable hangover I had on Saturday morning as the first indication that I can’t behave like a 20-year-old and expect no consequences. But it gets better. We were closing da Palms on Saturday night and an undergrad called me over because he had about 3/4 of a pitcher left and graciously asked for some help. I scurried over (because who turns down free beer?) and we started chatting. So he asked me, “When did you graduate?” I responded that I was Class of 1990. He looked at me cross-eyed and I figured he was just respecting my beer drinking prowess. Not so much. He then said, “Wow. I was born in 1989.” Uh. This kid was crapping his pants when I graduated from college. I literally have T-shirts that are older than this guy. That put everything into perspective: 20 years is a long time.

Of course the campus has changed a lot as well. Lots more buildings, but the biggest change was the ever-present fences. In the last year, there have been numerous suicides on campus. It’s actually very sad that kids today can’t deal with the pressure and have no perspective that whatever it is, and however hard it feels, it will pass. So they jump off any number of bridges overlooking Ithaca’s beautiful gorges. Splat. So the Cornell administration figured one way to stop the jumpers is to put 10-foot-high fences on all the bridges. It now looks more like a detainment camp than an Ivy League university. That’s sad too. Cornell is one of the most beautiful places I’ve ever been. Now not so much. It’s still a campus, it just feels different.

Being the engineers many of my friends are, we tried to come up with better solutions. The ideas (after a number of beers, as I recall) ranged from a big airbag on the bottom of the gorge to a high speed blower to keep the jumper suspended in air (like those Vegas rides). We also talked about nets and other ideas, of course none really feasible. I guess I’ll just have to become accustomed to the fences, and remember how things were. With the understanding that like my ability to recover quickly from a night of binge drinking, some things are destined to stay in the past.

– Mike.

Photo credits: “Fenced In” originally uploaded by Mike Rothman

Incite 4 U

Getting to know your local Hoover – No, this isn’t about vacuums, but about getting to know your local law enforcement personnel. It seems the FBI is out there educating folks about how and when to get them involved in breaches. The Bureau is also taking a more proactive stance in sharing information with the financials and other corporates. All this is good stuff, and a key part of your incident response plan needs to be interfacing with law enforcement. So defining your organization’s rules of engagement sooner rather than later is a good thing. – MR

String theory – Kelly Jackson Higgins had the most interesting post of the past week, covering Dan Kaminsky’s announcement of Interpolique. Actually, the story is mostly a pre-announcement for Dan’s Black Hat presentation in Vegas later this summer, but the teaser is intriguing. The tool that Kaminsky is describing would automatically format code – with what I assume is some type of pre-compiler – making it far more difficult to execute injected code via string variables. The only burden on the developer would be to define strings in such a way that the pre-compiler recognizes them and corrects the code prior to compilation/execution. That and remembering to run the tool. This is different from something like Arxan, which acts like a linker after compilation. Philosophically both approaches sound like good ideas. But Interpolique should be simpler to implement and deploy, especially if Recursion Ventures can embed the technology into development environments. Dan is dead right that “… string-injection flaws are endemic to the Web, cross all languages …” – the real question is whether this stops injection attacks across all languages. I guess we have to wait until Black Hat to find out. – AL

Hatfields and McCoys, my ass – Evidently there is a feud between Symantec and McAfee. I guess a VP shot another VP and now the clans have been at war for generations. Computer security changes fundamentally every couple of years. And fervent competition is always a good thing for customers. Prices go down and innovation goes up. But to say the AV market is a two-horse race seems wrong. To get back to the Coke vs. Pepsi analogy used in this story, in this market Dr. Pepper and 7Up each have a shot because some customers decide they need a fundamentally different drink. Security is about much more than just the endpoint, and if the Hatfields or McCoys take their eyes off the Microsofts and the HPs, they will end up in the annals of history, like the DECs and the Wangs. – MR

Speed may kill… – Sophos is hoping that the security industry has a short memory. They just announced a ‘Live Protection’ offering in their endpoint suite that uses a cloud service to push signature updates. Right, that’s not novel, but they are using speed as the differentiator. So you can get real-time updates. Of course that assumes you won’t have a Bad DAT(e) try to slip your devices a roofie that renders them useless. Needless to say, there is a bunch of marketing hocus-pocus going on here, since Sophos is also talking about their speed gain resulting from not pushing full signature updates, but doing some analysis in the cloud. Ah, calling Dr. Latency – this is something