Friday Summary: March 23, 2012
This should not matter: The Square Register. But it does. What do I mean by that? Check out the picture: there’s something catchy and slick about the set-up of an iPad cash register and the simple Square device. It looks like something Apple would produce. It seems right at home with – almost a natural extension of – the iPad. I run into small shop owners and independent business people who are using Square everywhere. It’s at Target, right next to the Apple products, and the salesperson said they have been flying off the shelves. People say “Wow, that’s cool.” And that’s how Square is going to win this part of the burgeoning personal payment space. The new competitor, PayPal’s Here, is marketing the superiority of its device, better service, and lower costs. Much of that ‘superiority’ is in the device’s security features – such as encrypting card data inside the reader itself – which the early Square readers currently deployed do not do. That’s a significant security advantage. But it won’t matter – next to its competitor, Here looks about as modern and relevant as a Zip drive. Being in the field of security, and having designed mobile payment systems and digital wallets in the past, I care a great deal about the security of these systems. So I hate to admit that marketing the security of Here is doomed to fail. Simplicity, approachability, and ease of use are more important to winning the customers Square and PayPal are targeting. The tiny cost savings offered by PayPal do not matter to small merchants, and they’re not great enough to make a difference to many mid-sized merchants. A fast, friendly shopping experience is. I’m sure PayPal’s position in the market will do a lot to drag along sales, but they need to focus more on experience and less on technical features if they want to win in this space. While I’m sharing my stream of consciousness, there’s something else I want to share with readers that’s not security related.
As someone who writes for a living these days, I appreciate good writers more than ever. Not just skilled use of English, but styles of presentation and the ability to blend facts, quality analysis, and humor. When I ran across Bill Simmons’ post on How to Annoy Fans in 60 Easy Steps on the Grantland web site I was riveted to the story. I confess to being one of the long-suffering fans he discusses – in fact it was the Run TMC Warriors teams, circa 1992, that started my interest in sports. But even if you’re not a Warriors fan, this is a great read for anyone who likes basketball. If you’re a statistician you understand what a special kind of FAIL it is when you consistently snatch defeat from the jaws of victory – for 35 years. It’s a great piece – like a narration of a train wreck in slow motion – and highly recommended.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences
Rich quoted on the 2012 DBIR report.
Rich quoted in IT Security News.

Favorite Securosis Posts
Adrian Lane: Incite 3/21/2012: Wheel Refresh. I’ve been there. Twice. My wife was so frustrated with my waffling that she bought me a car.
Mike Rothman: Last week’s Friday Summary. Rich shows he’s human, and not just a Tweetbot automaton. Kidding aside, anyone with kids will understand exactly where Rich is coming from.
Rich: Watching the Watchers: The Privileged User Lifecycle. Mike’s new series is on Privileged User Management – which is becoming a major issue with the increasing complexity of our environments. Not that it wasn’t a big issue before.

Other Securosis Posts
How to Read and Act on the 2012 Verizon Data Breach Investigations Report (DBIR).
Understanding and Selecting DSP: Technical Architecture.
iOS Data Security: Protecting Data on Unmanaged Devices.
iOS Data Security: Secure File Apps for Unmanaged Devices.
Talkin’ Tokenization.

Favorite Outside Posts
Dave Lewis: Too many passwords? Just one does the trick.
Adrian Lane: The NSA Is Building the Country’s Biggest Spy Center (Watch What You Say). There is so much interesting stuff in this article that I don’t know where to start. Great read.
Mike Rothman: Give it five minutes. This is great advice from 37Signals’ Jason Fried. People rarely remember you because of how smart you are. But they definitely remember you if you are a know-it-all, and not in a good way.
Rich: Verizon DBIR 2012: Automated large-scale attacks taking down SMBs. Mike Mimoso’s article on the DBIR. He provides a little more context, and the report is a must-read.

Project Quant Posts
Malware Analysis Quant: Metrics – Monitor for Reinfection.
Malware Analysis Quant: Metrics – Remediate.
Malware Analysis Quant: Metrics – Find Infected Devices.
Malware Analysis Quant: Metrics – Define Rules and Search Queries.
Malware Analysis Quant: Metrics – The Malware Profile.
Malware Analysis Quant: Metrics – Dynamic Analysis.
Malware Analysis Quant: Metrics – Static Analysis.

Research Reports and Presentations
Network-Based Malware Detection: Filling the Gaps of AV.
Tokenization Guidance Analysis: Jan 2012.
Applied Network Security Analysis: Moving from Data to Information.
Tokenization Guidance.
Security Management 2.0: Time to Replace Your SIEM?
Fact-Based Network Security: Metrics and the Pursuit of Prioritization.
Tokenization vs. Encryption: Options for Compliance.

Top News and Posts
Google Hands Out $4500 in Rewards for Chrome 17.0.963.83.
Adam’s analysis of 1Password findings in the Secure Password Managers report.
Report: Hacktivists Out-Stole Cybercriminals in 2011. Three times during my career I have heard “20XX was the year of the breach.” And for 2011 that again looks like a legitimate statement.
Bredolab Botmaster ‘Birdie’ Still at Large, via Krebs.
Microsoft Donates Software To Protect Exploited Children.
NSA Chief Denies Domestic Spying But Whistleblowers Say Otherwise. Confirm nothing, deny everything, and make counter-accusations. When you see this from a government, you know you hit the nail on the head.
BBC attacked by Iran?

Blog Comment of the Week
Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Ryan, in response to iOS Data Security: Secure File Apps for Unmanaged Devices.
Great post, Rich. Another thing to note about mobile EDRM is that the better solutions will allow you to