Securosis

Friday Summary: July 22, 2011

I imagine with this heat wave covering most of the country you’re likely on your way to the beach – or at least some place better than work. So with me traveling, Mike suffering through physical therapy, and Rich spending time with the family, this week’s summary will be a short one.

A friend sent me this video earlier in the week – I don’t know if you have seen these before, but if not take some time to look at this video on 3-D printer technology. It’s just one of the coolest things I have seen in years. I originally got interested in this a year or so ago when learning about some of the interesting stuff you can do with Arduino, and I remain fascinated. Feed in a CAD design – even with non-connected moving parts – and it will literally print a physical object. If you notice, the printer in the video uses HP bubblejet printer cartridges – but filled with the resin hardener rather than ink. The technology is simple enough that you could literally build one at home, and pretty much anyone with basic CAD capability can design something and have it created instantly. As 3D printers evolve to support other materials beyond plastic, these designs can be shared – just like open source software – only in this case it’s open source hardware.

What I find just as interesting is that people keep sending me links to the video, expressing their hopes and visions of the future. When teachers send me the link they talk about using these types of technologies to encourage student interest in technology. When I talk to car enthusiasts, they talk about sharing CAD models of hard-to-find car parts and simply re-fabricating door handles for a 1932 Buick. Star Trek fans talk about the realization of the replicator. When I talk to friends with a political bent who are frustrated that everything is made in China, I hear that this is a disruptive technology that could make America a manufacturing center again. That is more or less the take behind the Forbes video on 3-D printers. Whatever – check out the video. On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

  • Rich quoted by The Register in: Major overhaul makes OS X Lion king of security

Favorite Securosis Posts

  • David Mortman: Donate Your Bone Marrow. You could save a life. Do it now.
  • Mike Rothman: Friction and Security. Wouldn’t it be great if we had KY Jelly for making everyone in IT work better together?
  • Adrian Lane: Rise of the Security Monkeys. Only because I have a Monkey Shrine. Seriously. It’s a long story.

Other Securosis Posts

  • Incite 7/19/2011: The Case of the Disappearing Letters.
  • Mitigating Software Vulnerabilities.
  • Friday Summary: July 14, 2011.

Favorite Outside Posts

  • Mike Rothman: Howard Stern questions Citrix marketing strategy. You have no idea what my first thought was when I saw this headline. Though Stern knows a bit about marketing on the radio. Just goes to show how marketing technology has changed over the years.
  • David Mortman: Phone hacking, technology and policy.
  • Adrian Lane: Security Tips for Non-Techies. Dealing with non-techies on security issues more than I like, I feel your pain.

Project Quant Posts

  • DB Quant: Index.
  • NSO Quant: Index of Posts.
  • NSO Quant: Health Metrics–Device Health.
  • NSO Quant: Manage Metrics–Monitor Issues/Tune IDS/IPS.
  • NSO Quant: Manage Metrics–Deploy and Audit/Validate.
  • NSO Quant: Manage Metrics–Process Change Request and Test/Approve.
  • NSO Quant: Manage Metrics–Signature Management.
  • NSO Quant: Manage Metrics–Document Policies & Rules.
  • NSO Quant: Manage Metrics–Define/Update Policies and Rules.
  • NSO Quant: Manage Metrics–Policy Review.

Research Reports and Presentations

  • Security Benchmarking: Going Beyond Metrics.
  • Understanding and Selecting a File Activity Monitoring Solution.
  • Database Activity Monitoring: Software vs. Appliance.
  • React Faster and Better: New Approaches for Advanced Incident Response.
  • Measuring and Optimizing Database Security Operations (DBQuant).
  • Network Security in the Age of Any Computing.
  • The Securosis 2010 Data Security Survey.
  • Monitoring up the Stack: Adding Value to SIEM.

Top News and Posts

  • Using data to protect people from malware
  • Comcast Hijacks Firefox Homepage: “We’ll Fix”
  • Feds Arrest 14 ‘Anonymous’ Suspects Over PayPal Attack, Raid Dozens More
  • Microsoft Finds Vulnerabilities in Picasa and Facebook
  • How a State Dept. contractor funneled $52 million to secret family
  • Anti-Sec is not a cause, it’s an excuse.
  • Azeri Banks Corner Fake AV, Pharma Market via Krebs.

Blog Comment of the Week

Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Betsy, in response to Donate Your Bone Marrow.

As a recent transplant recipient with three close friends also recipients plus a best friend recently diagnosed with leukemia, your post is spot on. Signing up to be a donor is trivially simple and, as you say, a direct path to saving or vastly improving lives. Visit organdonor.gov for a good source of information on how to donate. Thanks for your post.

Hacking Spikes and the Real Time Media

The Freakonomics blog assembled an interesting quorum on security. Industry heavyweights like Schneier weighed in on the following question: Why has there been such a spike in hacking recently? Or is it merely a function of us paying closer attention and of institutions being more open about reporting security breaches? Aside from Bruce there were opinions from folks at Imperva, IronKey, Aite Group, and BAE Systems – most of it decent. Some contradictory points, but get a bunch of folks to weigh in and that’s bound to happen. In something targeted to a mass market readership, some of these folks threw in the APT and PCI terminology. Seriously. Which really underscored to me how most security folks have no fracking clue how to talk to a non-security audience. But that’s a story for another day.

Since I wasn’t invited into the quorum (sad panda), I figured I’d rant a bit on the question. So if the kind folks at Freakonomics invited me to participate (hint, hint), here’s what I’d say.

In general I have to agree with Bruce Schneier. There hasn’t been a huge spike in hacking. Sure, the number of data breaches is up, but the number of stolen identities is way down. The real change is the increased reporting on hacking. That’s right – security has finally come into your living room. And it’s a scary place for most folks. For instance, a few months back the Anonymous hacker collective broke into the website of Westboro Baptist Church – on live TV. Unless you’ve been to the Black Hat conference or a similar technical forum, you probably haven’t seen a lot of computer attacks happen live. That was cool. It was newsworthy. So the media picked up on this hacking stuff. Combined with the disclosure of previously off-limits information on sites like WikiLeaks and Pastebin, now you have real news. When the contact information of undercover Arizona police officers is posted on the Internet, or the tactics of The News of the World come to light, it’s going to make news. And it has.

We do have more visible attacks as well. When hackers take down Sony’s PlayStation Network for weeks, that’s newsworthy. Steal some plans for the Joint Strike Fighter, which happened a few years ago, and it barely makes news. Take down a multi-player game and all hell breaks loose. This is the world we live in. We can talk about the increasing sophistication of the hackers (as a number of them did), but that’s crap. Most of these attacks have not been sophisticated at all. We can also talk about the laws requiring data breach disclosure, but that’s also crap. Disclosures have been happening for years, and this mainstreaming of hacking is much more recent.

Compounding the issue is the real-time media cycle. Add anyone with a computer tweeting whatever they want, plus dimwit media outlets running with it without proper fact checking (or, often, even understanding what they’re saying), and you have a perfect way to game the system. We see it every day with the NFL labor negotiations. Some player – perhaps clued in but just as likely not – tweets something, and everyone thinks it’s gospel. Within seconds it’s broadcast on ESPN and NFL Network. It’s on TV so it must be right, right? It’s not gospel. It’s not anything besides what’s always been happening. Now it’s in plain sight, and that’s uncomfortable for most folks. Especially the ones who find their corporate and personal secrets on public web sites.

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.