Incite 8/25/2010: Let Freedom Ring

By Mike Rothman
It’s funny how different folks have totally different perceptions of the same things. Obviously the idea of freedom for someone living under an oppressive regime is different than my definition. My good fortune to be born in a certain place to a certain family is not lost on me. But my wacky idea of freedom took on an interesting meaning this past weekend. The Boss was out of town with one of the kids. So I was responsible for the other two, and that meant on Saturday I started the day helping out our friends at their son’s

Backtalk Doublespeak on Encryption

By Adrian Lane
**Updated:** 8/25/2010 Storefront-Backtalk magazine had an interesting post on Too Much Encrypt = Cyberthief Gift. And when I say ‘interesting’, I mean the topics are interesting, but the author (Walter Conway) seems to have gotten most of the facts wrong in an attempt to hype the story. The basic scenario the author describes is correct: when you encrypt a very small range of numbers/values, it is possible to pre-compute (encrypt) all of those values, then match them against the encrypted values you see in the wild. The data may be encrypted, but you know the contents because the encrypted values match.

Webcasts on Endpoint Security Fundamentals

By Mike Rothman
Starting in early September, I’ll be doing a series of webcasts digging into the Endpoint Security Fundamentals paper we published over the summer. Since there is a lot of ground to cover, we’ll be doing three separate webcasts, each focused on a different aspect. The webcasts will be very little talking-head stuff (you can read the paper for that). We’ll spend most of the time doing Q&A. So check out the paper, bring your questions, and have a good time. As with the paper, Lumension Security is sponsoring the webcasts. You can sign up for

Data Encryption for PCI 101: Encryption Options

By Adrian Lane
In the introductory post of the Data Encryption for PCI series, there were a lot of good comments on the value of hashing functions. I wanted to thank the readers for participating and raising several good points. Yes, hashing is a good way to take a credit card number you currently have and determine if it matches one you have already been provided – without huge amounts of overhead. You might even call it a token. For the purpose of this series, as we have already covered tokenization, I will remain focused on use cases where I need to keep the original

FireStarter: Certifications? We don’t need no stinkin’ certifications…

By James Arlen
It’s time that the security industry stopped trying to play paramilitary games and started trying to do a good job (aka “best practices”). It would be a very pleasant change. Currently, the three major information security religions – ISACA, ISC2, and SANS – offer a total of roughly 75 different certifications. This laundry list of certifications leads to a set of fairly serious problems:
- Security professionals need fold-out business cards
- Organizations need an equivalency look-up table for resume filtering
These problems are entertaining to describe this way, but also present a real problem - how can you objectively determine whether or not

Friday Summary: August 20, 1010

By Adrian Lane
Before I get into the Summary, I want to lead with some pretty big news: the Liquidmatrix team of Dave Lewis and James Arlen has joined Securosis as Contributing Analysts! By the time you read this Rich’s announcement should already be live, but what the heck – we are happy enough to cover it here as well. Over and above what Rich mentioned, this means we will continue to expand our coverage areas. It also means that our research goes through a more rigorous shredding process before launch. Actually, it’s the egos that get peer shredding – the research just

Liquidmatrix + Securosis: Dave Lewis and James Arlen Join Securosis as Contributing Analysts

By Rich
In our ongoing quest for world domination, we are excited to announce our formal partnership with our friends over at Liquidmatrix. Beginning immediately Dave Lewis (@gattaca) and James Arlen (@myrcurial) are joining the staff as Contributing Analysts. Dave and James will be contributing to the Securosis blog and taking part in some of our research and analysis projects. If you want to ask them questions or just say “Hi,” aside from their normal emails you can now reach them at dlewis and jarlen at Within the next few days we will also start providing the Liquidmatrix Security Briefing

Data Encryption for PCI 101: Introduction

By Adrian Lane
Rich and I are kicking off a short series called “Data Encryption 101: A Pragmatic Approach for PCI Compliance”. As the name implies, our goal is to provide actionable advice for PCI compliance as it relates to encrypted data storage. We write a lot about PCI because we get plenty of end-user questions on the subject. Every PCI research project we produce talks specifically about the need to protect credit cards, but we have never before dug into the details of how. This really hit home during the tokenization series – even when you are trying to get rid of credit cards

Another Take on McAfee/Intel

By Rich
A few moments ago Mike posted his take on the McAfee/Intel acquisition, and for the most part I agree with him. “For the most part” is my nice way of saying I think Mike nailed the surface but missed some of the depths. Despite what they try to teach you in business school (not that I went to one), acquisitions, even among Very Big Companies, don’t always make sense. Often they are as much about emotion and groupthink as logic. Looking at Intel and McAfee I can see a way this deal makes sense, but I see some

McAfee: A (Secure) Chip on Intel’s Block

By Mike Rothman
Ah, the best laid plans. I had my task list all planned out for today and was diving in when my pal Adrian pinged me in our internal chat room about Intel buying McAfee for $7.68 billion. Crap, evidently my alarm didn’t go off and I’m stuck in some Hunter S. Thompson surreal situation where security and chips and clean rooms and men in bunny suits are all around me. But apparently I’m not dreaming. As the press release says, “Inside Intel, the company has elevated the priority of security to be on par with its strategic focus