Friday Summary, March 20th, 2009
Happy Friday! Rich is off with the family today and probably sneaking in some time to play with his new Mac Pro as well. If I know him, at the first opportunity he will be in the garage, soldering iron in hand, making his own 9’ mini-DVI cable to hook up his new monitor. Family, new baby, and cool new hardware mean I have Friday blog duties. But as I just got back from the Source Boston show, there is much to talk about this week. Across the board, the presentations at Source were really excellent, and some of the finest minds in security were in attendance, so Stacy Thayer and her team get very high marks from me for putting on a great event.
Starting out with a bang, Peter Kuper gave a knockout keynote presentation on the state of financial markets and venture funding for startups. A no-nonsense, no-spin, honest look at where we are today was both a little scary and refreshing for its honesty. He has a post here if you want to read more of his work. David Mortman kicked off the morning sessions with I Can Haz Privacy, updating us on a lot of the privacy issues and legislation going on today. He highlighted the natural link between personal privacy and LOLCATS like no one else, and kept audience participation high by rewarding questions with some awesome homemade wheat bread. The always thought-provoking Adam Shostack gave a presentation on The Crisis in Information Security. I am in complete agreement that despite the hype, breached businesses will continue to function and operate as they always have, and the sky is not falling. And as always, his points are backed by solid research. Even if individual companies generally do not fall, I do still wonder about broader risk to the entire credit card system given its ease of (mis)use, its poor authentication, the millions of stolen credit card numbers floating around, and demonstrated capabilities to automate fraud.
Hoff had his best presentation yet with The Frogs Who Desired a King. While you may or may not be interested in security or cloud computing, this is a must-see presentation. Even if you have been reading his Rational Survivability blog posts on the subject, the clarity of the vision he presented regarding the various embodiments of cloud computing and the security challenges of each is more than compelling, and he has backed it up with a staggering amount of research. I’ve got to say, Chris has raised the bar for all of us in the security field for the quality of our presentations.
After almost missing the show because of a number of issues on the home front, including spending 4 days at the emergency vet clinic as someone accidentally poisoned one of my dogs, I got on the plane and I am glad I made it. I gave a presentation on Data Breaches and Encryption, examining where encryption technologies help and, just as importantly, where they don’t.
My personal “Shock and Awe” award went to Mr. James Atkinson of Granite Island Group TSCM for his presentation on “Horseless Carriage Exploits and Eavesdropping Defenses”. I had no idea that all of these devices were in full effect in most automobiles today, nor that it was this easy to do. Having now given it some thought, though, I think I may have run into some of the devices he discussed. I will be looking through my car this weekend.
It was good to see Dennis Fisher again … and he is just launching a new security news network called Threatpost. This effort is sponsored by Kaspersky and they have started off with a ton of stuff, so it’s worth checking out.
Now I am off to try and enjoy the weekend, so here it is- the week in review:
Webcasts, Podcasts, Outside Writing, and Conferences:
- Rich and Adrian presented Building a Business Justification for Data Security through SANS. We co-presented with Chris Parkerson of McAfee … and apologies to Chris as Rich and I ran a little long.
- Adrian chatted with Amrit Williams on the subject of Information Centric Security on the Beyond The Perimeter podcast this week. It should be posted soon.
- Adrian presented Data Breaches and Encryption last week during the Source Boston event.
- Rich joined Martin McKeay on the Network Security Podcast this week, talking about Google behavioral ad targeting, Comcast passwords exposed, and the new DNS trojan. They were joined by Bill Brenner of CSO Online so you’ll want to check this one out!
Favorite Securosis Posts:
- Rich: Adrian’s post on Immutable Log Files.
- Adrian: My post on Sprint Data Leak… I try not to post on breaches as there are so many, but this has been so bad for so long that I could not help myself.
Favorite Outside Posts:
- Adrian: Rafal’s post on the Fox News Fail … not for the original post, but the dialog afterwards.
- Rich: Sure, we’re suckers for a plug, but Jeremiah posts a good list of recent web security related topics.
Top News and Posts:
- Comcast usernames and passwords leaked.
- Oracle releases multiple Linux security patches.
- Wikileak exposes Blacklist
- The PCI compliance shell game …. compliant with the standard right up until the nano-second after they were breached.
Blog Comment of the Week: From Ariel at CoreSecurity …
Actually, Kelsey reinvented an idea that was previously exposed and published by Futoransky and Kargieman from Core () and implemented in the msyslog package () since 1996.
I learn something new every day! Now, if so many great security minds think this is a good idea, why does no one want this technology?