Adrian here, and happy Friday the 13th! It’s been a week since Independence day, and it feels like it’s been a month. Mike wanted us to comment on our feelings about Independence Day and what freedom means to us. For me that was easy. As as I usually do, I worked on Independence Day. Always. It’s not a day off. To me, taking time off is anathema to independence. I celebrate independence by working, because working is what earns me the right to be free. I’m long past the age of military service to my country, so I serve it by trying to build and contribute. And at this moment I feel very lucky to have the opportunity to work and make a living, and great business partners to work with. There is always a boatload of stuff to do here at Securosis, so I have been quietly ‘celebrating’ my independence by finishing up a bunch of writing. It may sound weird, but that’s just me.

It’s also odd, given the amount of writing, that what makes the Friday Summaries fun is that I get to write about whatever captures my interest. This week it’s something that popped up in a Fast Company article, The Many Pivots of Justin.tv, a couple weeks ago. The comment that has been running through the back of my mind is “Free and easy streaming poses a particular threat to sports, whose broadcast rights are so valuable, and so perishable”. Content security was one of my first challenges in security, and has proven unsolvable. I think it’s absolutely fascinating, how technology keeps changing this debate over and over again before our eyes, and to me that quote captures the essence of the entire content security battle.

The value of sporting events is ephemeral. Most people won’t watch a game after they know the results, and vanishingly few events have a shelf life longer than a few days. But in order for companies to make money from that content, they need to get it to the consumer – and that is the problem. It’s one of the very first things I learned in security: You can protect digital media, or you can use digital media. It’s one or the other. Try to do both, and you are only as secure as your least trustworthy audience member. So when you send a sporting event to 200,000,000 people, someone will do something you don’t like. You know, record a game, or show sports at a bar.

It’s probably difficult to remember, but professional sports are broadcast free of charge. Every week, in every major US city, professional sports games are broadcast over radio and television. These are available free of charge. When cable TV and satellite providers came along, they offered a more reliable picture, and some additional channels, for a fee. They would love for you to forget that there are free broadcasts, and that you are really paying for the distribution network that moves someone else’s content – which may or may not be freely available elsewhere.

I bring that up because streaming live sporting events over the Internet is just the technology challenge du jour to closed systems such as satellite and cable TV. Tomorrow it could be iPhones. If 30 years ago rabbit ears had been 1,000 times more sensitive, there would be no cable networks today. If suddenly Sutro Tower in San Francisco was broadcasting at 200,000,000 Watts, you would likely see Bay Area sporting events everywhere in the country – free of charge. And despite over-the-air broadcasts being the de facto model 30 years ago, either technology advancement I described could be legal or illegal today – depending on the wishes of the content owner. Ultimately, if content is being used in a way its creator does not approve of, that’s copyright infringement. If they approve of it, as with Slingbox, it’s okay. If it’s Justin.tv or anyone else, they don’t. The difference is in control. While copyright laws make sense logically, when you physically broadcast media, right or wrong, you lose control. Consumable media cannot effectively be secured. It’s a losing game, but one with huge money at stake.

As a content producer myself, I totally back the rights of the people who produce television – especially sporting events. What bothers me is the deep levels of greed from the people who run the distribution channels – who all believe they are losing money to ‘pirates’, and are attempting to criminalize what’s broadcast for free over the air, because they think they are being cheated. They’re all thinking that those 27 million viewers on Justin.tv must be their audience and so they are all mentally dividing up the same pile of virtual money they should be earning. But in reality it’s a new audience, one that only exists with a combination of lower cost and higher convenience. What broadcasters should be doing is looking for a way to monetize the broadcasts before content creators go direct to consumers. You know, like local over-the-air broadcasters did with advertising? They should be thanking Justin.tv for building a market for them to take advantage of, and looking for ways to charge advertisers for the feeds going out.

This will be a recurring battle for the next, well, forever. Technology will advance. People will innovate. Markets will evolve to become more efficient. And people who want their sports will look for the best, cheapest, and most satisfying way to get it.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

• Rich quoted on iOS Security.
• Adrian’s Let’s Ask “Why?” at Dark Reading.
• Mike’s Dark Reading Column: Flame’s impact on Patching.
• Adrian’s 15 Ways to Get More From Log Files on Dark Reading.

Favorite Securosis Posts

• Mike Rothman: Q1 Vendor Newsletter. We launched a quarterly newsletter for our vendor retainer clients. Here’s the inaugural piece, and it kicks butt. The recently completed Q2 version is even better (hint, hint)…
• Rich: Mike’s latest on endpoint malware tradeoffs.
• Adrian Lane: Freedom.

Other Securosis Posts

• Evolving Endpoint Malware Detection (and Index of Posts).
• Friday Summary: June 29, 2012.

Favorite Outside Posts

• Mike Rothman: Louis C.K. Beats Back Scalpers. I love reading about folks who disrupt existing business models. Louis C.K. is going directly to his fans, reducing prices, increasing profits, and screwing the parasitic middlemen (promoters, scalpers, etc.) – it’s inspiring.
• Adrian Lane: Productivity API to Improve Efficiency. The article is a little abstract and laced with a bit of PR optimism, but it’s a worthwhile post that describes one approach to delivering content and apps to new (read: mobile) platforms without having to rearchitect and rebuild apps – because we know that total rebuilds of back-office infrastructure are just not feasible.
• Rich: The Top Mistakes Companies Make In Data Breaches. The opening to this article is pretty bad, but the advice itself is spot on.

Project Quant Posts

• Malware Analysis Quant: Index of Posts.
• Malware Analysis Quant: Metrics – Monitor for Reinfection.
• Malware Analysis Quant: Metrics – Remediate.
• Malware Analysis Quant: Metrics – Find Infected Devices.
• Malware Analysis Quant: Metrics – Define Rules and Search Queries.

Research Reports and Presentations

• Evolving Endpoint Malware Detection: Dealing with Advanced and Targeted Attacks.
• Implementing and Managing a Data Loss Prevention Solution.
• Defending Data on iOS.
• Malware Analysis Quant Report.
• Report: Understanding and Selecting a Database Security Platform.
• Vulnerability Management Evolution: From Tactical Scanner to Strategic Platform.
• Watching the Watchers: Guarding the Keys to the Kingdom.

Top News and Posts

• 453,000 credentials stolen from Yahoo!
• Bank’s shoddy security was to blame for robbery.
• Multi-platform backdoor malware targets Windows, Mac and Linux users.
• Megaupload’s Kim Dotcom Offers to Surrender to the FBI. With the good point that the FBI seizing your assets (before any actual conviction, assuming one does eventually happen) makes it hard to hire lawyers and wait for the wheels of justice.
• Keyless BMWs a Boon to Hacker Thieves.
• Cocaine Incorporated. A good lesson on why preventative security are worthless without detective controls.
• EU Kills ACTA.
• Canadian Gov Push for Security post Stratfor Hack. Government funding drive or real threat? Hard to tell.
• Die, Google Wallet, Die. I want it to die too, but for different reasons. The author’s problems are not unique to Google’s product.
• Microsoft Security Bulletin for July 2012.
• Chinese malware used to steal secrets from Indian Navy.
• MemSQL Launches Next-Generation Database. The MySQL engine, running against RAM.
• Online Bank Thefts on the Rise.
• US-CERT discloses security flaw in Intel chips.

Blog Comment of the Week

Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Jon, in response to June 29th Friday Summary.

Key management means something different to almost everyone so it’s great that you’re trying to bring some standard language to the topic. I think you’ve got the 4 main scenarios spot on but I tend to think of the term ‘silo’ as applying to your third scenario rather than the second – i.e. aligning it with organizational silos within an enterprise (such as storage) rather than a single product or application.