Securosis

Research

Seen at the Library

Working from the library today and they have this on every door. Boulder was pretty liberal, but even they didn’t have a gun check at the library. I love living in the Southwest. Of course I know a bunch of people with concealed carry permits, just not here in Phoenix/Scottsdale. (yes, I know it also means knives and such, so stop spoiling everyone’s fun) Share:

Share:
Read Post

Stomp the Trolls: The Troll Eradication Project

troll 1 |trōl| noun: 1. A cowardly creature that hides behind anonymity to demean, harass, or threaten others (sometimes illegally) because they lack the intelligence to engage in real dialog or debate. 2. A pathetic, almost-life form that leaches off society without contributing anything of value. Trolls are the lowest form of life. Ugly, pathetic creatures of absolutely no worth, they strive to destroy the good work of others through intimidation. Trolls may lack intelligence, but they can be persistent pests, and in large numbers they can destroy a community. Some trolls are more aggressive and represent a physical danger, and must be dealt with harshly only by trained professionals, typically law enforcement. Trolls have been tolerated in our society for too long- these… things… must be confronted and destroyed. While full eradication is impossible, concrete steps can be taken to limit their impact on the world. Trolls can be marginalized through persistent effort, but only when a community acts together to condemn their behavior. You can participate in the Troll Eradication Project by taking a few simple steps: Reduce their habitat: Trolls live anonymously; very few have the intestinal fortitude to carry out their activities when they can be identified. Should trolls appear, forcing them to identify themselves will often scare them away. In some cases, more radical action needs to be taken and their ability to communicate restricted. Confront them: Trolls are cowardly, and will often flee confrontation when a community bands together. Some trolls may attack individuals, but few are willing to confront entire communities openly. Eliminate their food: Trolls feed off the negative energy they create. In some cases, persistently ignoring them may cause them to seek food elsewhere. Call in a professional: Some trolls are dangerous and violate the law. In these cases, law enforcement should be notified promptly. Outright threats and harassment are clearly illegal and should only be dealt with by professionals. Remember- only YOU can prevent trolls. We must control the troll threat before our communities are overrun. < p style=”text-align:center;”> Seriously folks- after yesterday’s events, we just can’t put up with this anymore. Share:

Share:
Read Post

We Cannot Tolerate This

I read a few posts today on the deplorable harassment of Kathy Sierra (read Scoble, Feld, Kathy’s Site). Basically, Kathy is giving up on blogging and public speaking out of fear due to a series of death threats and online sexual harassment. It’s absolutely disgusting. And as someone who has been a member of online culture since the BBSs of the 1980’s, I’m simply embarrassed. There is one way to describe those who perpetuate this- fucking cowards. I know these people. They are everywhere on the Internet- hiding behind semi-anonymous IP addresses and spewing their garbage on every forum, IRC channel, or blog they can slap their pathetic personality on. I know them in the real world; too cowardly to face authority, but more than willing to make anyone they perceive as weaker miserable for no more reason than to inflate their pathetic egos. I’ve helped more than a few of them learn just exactly how “special” they are as we kicked them out or took them to jail. I’m probably violating my policy of not blogging about technology, but this is a cultural issue, not an industry issue. Except that it highlights the need for those of us in security and law enforcement to provide the same protections online that we do in the physical world. We can’t do this just by hiding behind our own walls; we need to band together as a community and figure out ways to improve online safety without violating online privacy (the usual mistake). Our society has very very few limits on freedom of speech, but threats and harassment to create fear are clearly unacceptable. Reading Kathy’s blog it looks like she is already working with law enforcement, and I sincerely hope they catch and prosecute those involved. There is no excuse for this. We cannot tolerate it. And those of us in security have the same responsibilities online as we do in the physical world to do our part. Share:

Share:
Read Post

If You Have HDTV Check This Out

I watched Planet Earth on the HD version of the Discovery Channel last night. It’s friggen awesome- the best use of my HDTV since the World Cup. I mean, where else can you watch a 20 foot Great White shark launch itself out of the water in slow motion in high definition as it munches on a sea lion fur seal? Only thing better would be sharks with freaking lasers on their heads. There are a lot of security tie ins- ranging from situational awareness to… aww, who am I kidding, it’s just really cool. Like IMAX at home. I highly suspect animals were harmed during the filming of this particular production.* *not that I like to see things getting killed, been around too much death for that, but this is a seriously amazing documentary. Updated: it was a fur seal, not a sea lion. You’d think I’d know that. Thanks Alan… Share:

Share:
Read Post

BeanSec with the Hoff

Nope, not the lifeguard dude. Someone a bit more interesting. I bet that Night Rider dude never climbed Kilimanjaro despite some serious leg injuries. Chris Hoff wins the official award for “Best Host for Security Geeks in Boston”. I rolled in Tueday night and after an excellent dinner we won a secondary award for “Worst Dressed in the Hotel Bar at Midnight”. He followed this up by letting me tag along to BeanSec over in Cambridge, where I also got to catch up with Mike Murray. The life of a road warrior can get a bit lonely at times; it was great to spend two nights hanging with my peers in casual environments rather than catching up on Dancing with the Stars or Armed and Famous. BeanSec was pretty cool, and I’m thinking we need something similar in Phoenix. PHXSec? Thanks Chris- hopefully I’ll get the chance to return the favor someday… Share:

Share:
Read Post

Worthless Security Theater at the Empire State Building

Last week was one of those crazy travel ones. I headed to NYC for some client work, and since my wife had never done the tourist route there she came along and I took some time off to show her around. I’m not from NYC, but I’m from the part of Jersey that likes to think we are (technically, I lived closer to Manhattan than some of the other boroughs). After a few days in the city we headed down to Richmond, VA to catch up with my family. It was a ton of fun- we caught up with a bunch of friends and spent a couple nights staying with Chris Pepper and his wife Amy- who it turns out are pretty exceptional hosts, even when their daughter’s a little sick. It’s weird going back to post-9/11 New York. Aside from the skyline of my childhood being forever altered, there’s a different vibe in parts of the city. (And why the f* don’t we have any real progress on a new WTC?!? Are politics so bad in this country we can’t get anything done anymore?). One of those vibes is security- I hadn’t been in the Empire State Building for about 10 years, but the day was clear so we decided to give it a shot. Aside from the dramatically inflated prices and lines (carefully hidden so you can’t see them where you buy your ticket) there was the ever-present x-rays and magnetometers. Magnetometers de-tuned to such a level that I walked through with my jacket, belt, and watch on- and cellphone and camera in my pocket. Maybe that thing would have stopped a rifle, but I had more than enough metal for all sorts of badness on me. Then again, I suppose if it’s all just for show, there’s no reason to actually inconvenience people. No wonder ticket prices are up. Stupid. Stupid. Stupid. Share:

Share:
Read Post

Heading to the Boston Area

Not the city, but just outside. Drop me a line if you are in the area- I’m out there for 2 days so actually have a free evening. Share:

Share:
Read Post

If You Want to Kill All Humans, This is a Good Start

From /. No, not some discussion on something controversial like global warming. Just the FDA approving use of a potent antibiotic in cattle against warnings by the AMA and other medical and scientific studies. You know, one of those drugs that the nasty bugs are becoming resistant to. There are enough articles out there on antibiotic resistant bacterial infections that you don’t need me to rant on it. It’s bad. I know 2 people that have died because of these things personally (both contracted in a hospital). Share:

Share:
Read Post

Black Belt Brain + White Belt Body = Pain

I’m really hurting today. And it’s not a hangover. As I think I’ve mentioned before I’m back into martial arts after a 2 year gap (the result of moving across state lines and getting married). It’s pretty amazing how much you can forget when you take a 2 year break from anything. What’s worse is that your body forgets more than your brain. All those synaptic connections go dormant, if they haven’t withered and died. The weird thing is it’s a strange mix of what’s left at the end. Timing, focus, and distancing are gone. Some physical techniques are still there, or maybe half there. Yet my brain still thinks I’m a black belt. It still charges in expecting to emerge victorious. Yeah, right. If anything, I’m more dangerous. I still have some skills, but that bit of rust and amorphic muscular response makes me feel like that bug dude in Men in Black. I’m more scared about accidentally hurting someone than anything else. I figure it will take me at least a year or more of training to feel normal again. I’m sure there’s some general lesson on life hidden in here, but I’m in too much pain to really think about it. *Farnum- never take a break. Trust me. Share:

Share:
Read Post

Alarm Ads That Lie- Is a False Sense of Security Dangerous?

I was catching up on some old TiVo and saw an ADT commercial that really tweaked me. You know the one, it has a woman alone in the kitchen when the bad guy smashes the window to pop the door and do all sorts of nastiness. Her alarm starts blaring, scares off the bad guy, and it’s ADT to the rescue. There are two things that bother me about this: The average default alarm installation doesn’t include glass break detection. Those free-with-service ADT (or anyone) systems just include contact sensors for someone opening doors or windows, and usually one motion detector. Glass breaks can cost over $100 more each, only cover about a 30’ radius, and are prone to false alarms. Sure, maybe the alarm would go off when the bad guy opened the door, but only if… How many of you set your alarm when you’re home during the day? Nope, maybe only those of you in a real nasty part of town. Definitely not in the nice suburbs like our luckless victim. I really don’t like deceptive advertising- especially when it imparts a false sense of security. I wonder how many people think those sensors on their windows will go off if someone smashes them? How about all those people that lose bikes out of their garages every year because garage doors aren’t normally sensored? I realize I’m exaggerating a bit to make a point. Just having an alarm can really reduce your risk of any kind of break in, and if you’re in a higher risk area I recommend alarms (and have one myself in Phoenix). But if advertising is going to play on FUD, it’s irresponsible to create a false sense of security. Having dealt with multiple alarm installers over the years, very few of the sales guys (as opposed to the installers) educate customers on the gaps in the system, or additional high-cost options.* *which is a little surprising, although I suspect they worry about sticker shock to the average consumer. Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.