Securosis

Incite 11/10/2010: Hallowreck (My Diet)

I fancy myself to have significant willpower. I self-motivate to work out pretty religiously, and in the blink of an eye gave up meat two and a half years ago – cold turkey (no pun intended). But I’m no superhero – in fact over the past few weeks I’ve been abnormally human. You see I have a weakness for chips. Well, I actually have a number of food weaknesses, but chips are close to the top of the list. And it’s not like a few potato chips or tortilla chips will kill me in moderation. But that’s the rub – I don’t do ‘moderation’ very well. As I mentioned last week, for XX1’s birthday weekend we had a number of parties, which meant we had to have snacks around for all the visiting kiddies. Rut Roh. Yeah, the big bag of Kettle Chips from Costco. Untouched by the kids. Mowed through by me. Not in one sitting, so I guess I’m improving a bit. But over the course of 4-5 days I systematically dismantled the bag one bowl at a time. I guess I figured I couldn’t have a full-on binge if I did one bowl at a time, right? I’d have to get up and down to keep filling the bowl. I guess that’s how I got a portion of my exercise last week. Moderation, not so much.

And of course, hot on the heels of the parties was Halloween. So the kids came back with bags and bags of candy. Normally my sweet tooth is contained. Maybe once a week I’ll have some ice cream with chocolate syrup. But with Almond Joys and Butterfingers and Peanut M&Ms around, you might as well put a crack pipe in Lindsay Lohan’s bedroom. Even worse, the Boss (who can’t eat chocolate – food allergies) got a 56oz bag of M&Ms. My hands aren’t big, but they can grab about 30 M&Ms in one swoop. And they did. Arghhh.

So on Saturday night I put my foot down. The candy had to go. Thankfully they were collecting candy bars for the troops – and by the way, what the hell is that about? What better to send to the frackin’ desert than a couple of truckloads of chocolate bars. I heard those don’t melt on the surface of the sun, and that speaks nothing of their nutritional value (or lack thereof). But I guess they don’t want us donating produce to send to the troops, even though that makes a lot more sense. So, I put my foot down and decreed that the candy must go. The kids dutifully sorted their candy and we let them keep about 10 pieces to be doled out over the next few weeks. The Boss also stashed away some surplus for movie days, so we could use that instead of paying $10 for a box of Raisinettes at the theater.

Maybe that’s kind of a dick move, getting rid of the candy because I struggle with self-control. But I’m cool with it. You don’t stock your fridge with beer if you are an alcoholic. You don’t buy a bong for a pothead’s birthday. And you don’t leave the Halloween candy in the house for those who struggle with their weight. Yes, I’ve made progress and working out hard 5-6 days a week gives me some buffer, but having that stuff around is just stupid. So we won’t…

– Mike.

Photo credits: “That’s a lot of Halloween candy. Bartell’s Drugs, Queen Anne, Seattle, 09/01/06” originally uploaded by photophonic

Incite 4 U

  • SCADA hysteria, coming to critical infrastructure near you: As I mentioned in my Storytellers post last week, I was at SecTor, and a lot of great discussion emerged from the conference. I have to give a shout-out to our contributor James Arlen, who from all indications did a great job of deflating the hype around SCADA attacks. Yes, Stuxnet happened and showed what is possible, but the sky isn’t falling. James points out that these systems are built for fault tolerance, and that compromising one control system isn’t likely to take down the power grid. Listen, I don’t want to minimize the risk – we all know these systems are vulnerable. But we do need to be wary of overhyping the issues, and James did a good job presenting both sides. His conclusion is key: “But, he encouraged security professionals to take a deep breath and assess the situation rationally.” Look for this one when it gets posted by the SecTor folks. – MR
  • Cutting out the middle man: The Wall Street Journal highlights how major websites are limiting the number of tracking technologies they allow leech ‘partner’ sites to embed into their web pages. Why? Are they doing this for privacy concerns? Hell, no! And they’re not doing it to save the children, lower your cholesterol, reduce carbon emissions, or any other smokescreen. It’s about money and control, as always. They have lost control by allowing marketing firms to directly gather customer data, resulting in less data and money for site owners. Some firms found tracking software that they did not know about, while others found partners gathering information they did not even know was available. With many web sites desperately trying to stay in business, there will be significant investment into their own tracking software and data marts on the back ends, in order to monetize their data directly. We’ll see them code their own, and we will also see spyware “marketing software” vendors selling more plug-ins. And user privacy will be exactly the same as before, only the web sites will get a bigger slice of the financial pie. But that’s okay … it says so in the new end user (you have no) privacy agreement. – AL
  • If you can’t beat ‘em, sue ‘em: There is no doubt that Microsoft once abused their position with anti-competitive practices. I don’t mean in terms of what features they included in Windows, but all that back-room dealing and wrangling with hardware providers. That’s why I’m so amused by Trend trying to drum up antitrust

LinkedIn Password Reset FAIL

It’s never a good day when you lose control over a significant account. First, it goes to show that none of us are perfect and we can all be pwned as a matter of course, regardless of how careful we are. This story has a reasonably happy ending, but there are still important lessons.

Obviously the folks at Facebook and Twitter take head shots every week about privacy/security issues. LinkedIn has largely gone unscathed. But truth be told, LinkedIn is more important to me than Facebook, and it’s close to Twitter. I have a bunch of connections and I use it fairly frequently to get contact info and to search for a person with the skills I need to consult on a research project. So I was a bit disturbed to get an email from a former employer today letting me know they had (somewhat inadvertently) gained control of my LinkedIn account.

It all started innocently enough. Evidently I had set up this company’s LinkedIn profile, so that profile was attached to my personal LinkedIn account. The folks at the company didn’t know who set it up, so they attempted to sign in as pretty much every marketing staffer who ever worked there. They did password resets on all the email addresses they could find, and they were able to reset my password because the reset notice went to my address there. They didn’t realize it wasn’t a corporate LinkedIn account I set up – it was my personal LinkedIn account. With that access, they edited the company profile and all was well. For them.

Interestingly enough, I got no notification that the password had been reset. Yes, that’s right. My password was reset and there was zero confirmation of that. This is a major privacy fail. Thankfully the folks performing the resets notified me right away. I immediately reset the password again (using an email address I control) and then removed the old email address at that company from my profile. Now they cannot reset my password (hopefully), since that email is no longer on my profile. I double-checked to make sure I control all the email addresses listed on my profile.

To be clear, I’m to blame for this issue. I didn’t clean up the email addresses on my LinkedIn profile after I left this company. That’s on me. But learn from my mishap and check your LinkedIn profile RIGHT NOW. Make sure there are no emails listed there that you don’t control. If there is an old email address, your password can be reset without your knowledge. Right, big problem.

LinkedIn needs to change their process as well. At a minimum, LinkedIn should send a confirmation email to the primary email on the account whenever a password is reset or profile information is changed. In fact, they should send an email to all the addresses on the account, because someone might have lost control of their primary account. I’m actually shocked they don’t do this already. Fix this, LinkedIn, and fix it now.
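The reset flow above, modelled in Python as an added example (not LinkedIn code and not from the original post): a reset can be started from any address on the profile, and the weak completion changes the password silently, while the hardened completion notifies every address on the account. The account, addresses and outbox are constructed stand-ins.

```python
from dataclasses import dataclass, field
from secrets import token_urlsafe

@dataclass
class Account:
    primary_email: str
    extra_emails: set      # e.g. an old employer address never cleaned up
    password: str
    outbox: list = field(default_factory=list)  # constructed stand-in for a mailer: (recipient, subject)
    def all_emails(self):
        return {self.primary_email, *self.extra_emails}

def request_reset(account, email, pending):
    """Any address on the profile can start a reset; the link goes only to that address."""
    if email not in account.all_emails():
        return None
    token = token_urlsafe(16)
    pending[token] = email
    account.outbox.append((email, "reset-link"))
    return token

def complete_reset_weak(account, pending, token, new_password):
    """The behaviour the post describes: the password changes and nobody is told."""
    if token not in pending:
        return False
    pending.pop(token)
    account.password = new_password
    return True

def complete_reset_hardened(account, pending, token, new_password):
    """The fix the post asks for: every address on the account hears about the change."""
    if token not in pending:
        return False
    used_via = pending.pop(token)
    account.password = new_password
    for addr in sorted(account.all_emails()):
        account.outbox.append((addr, f"password-changed (reset link went to {used_via})"))
    return True

def notified_addresses(account):
    """Addresses that were told the password changed."""
    return {rcpt for rcpt, subj in account.outbox if subj.startswith("password-changed")}

def demo(hardened):
    acct = Account("mike@example.com", {"mike@old-employer.example"}, "hunter2")
    pending = {}
    token = request_reset(acct, "mike@old-employer.example", pending)
    complete = complete_reset_hardened if hardened else complete_reset_weak
    complete(acct, pending, token, "n3w-pass")
    return notified_addresses(acct)
```

With the weak flow the owner's primary address never learns of the change; with the hardened flow both addresses do, so a stale employer address can no longer be used invisibly.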

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factor into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very, very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3-day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.