On a trip to the Bay Area recently, I drove past the first electronic billboard I ever saw. It’s right on the 101 around Palo Alto, and has been there at least 7 or 8 years.
This specific billboard brings up a specific and painful memory – it was also the first billboard I saw advertising Barracuda’s spam firewall many moons ago. But clearly it wasn’t the last. Working for CipherTrust (a competitor) at the time, I got calls and then started getting pictures of all the billboards from our field reps, who were sporting new phones with cameras.
They wanted to know why we couldn’t have billboards. I told them we could have billboards or sales people, but not both. Amazingly enough they chose to stop calling me after that.
That’s how I knew camera phones were going to be a big deal. At that point a camera built into your phone was novel. There was a time when having music and video on the phone was novel too. Not any more. Now almost every phone has these core features, and lots of other stuff we couldn’t imagine living without today. For example, when was the last time you asked a rental car company for a paper map? Or didn’t price check something you were buying in a store to see whether you could get it cheaper online?
And fancy new capabilities are showing up every day. Yesterday the Apple fanboys were all excited about thumbprint authentication and a fancy flash. Unless you are a pretty good photographer, there really isn’t any reason to carry a separate camera around any more. I’m sure Samsung will come out with something else before long, and the feature war will continue.
But keep in mind that just 7 years ago all these capabilities were just dreams of visionaries designing the next generation of mobile devices. Then came the hard work of the engineers and designers to make those dreams a reality. And we are only getting started.
It’s a brave new mobile-enabled world. And it’s really exciting to see where we will end up next.
–Mike
Photo credit: “Brave New World #1” originally uploaded by Rodrigo Kore
Heavy Research
We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.
Firewall Management Essentials
Ecosystem Threat Intelligence
Continuous Security Monitoring
- Migrating to CSM
- The Compliance Use Case
- The Change Control Use Case
- The Attack Use Case
- Classification
- Defining CSM
- Why. Continuous. Security. Monitoring?
Database Denial of Service
API Gateways
Newly Published Papers
- Identity and Access Management for Cloud Services
- The 2014 Endpoint Security Buyer’s Guide
- The CISO’s Guide to Advanced Attackers
- Defending Cloud Data with Infrastructure Encryption
- Network-based Malware Detection 2.0: Assessing Scale, Accuracy, and Deployment
- Quick Wins with Website Protection Services
Incite 4 U
- Touch me baby: I have long been skeptical of the possibility of widespread use of biometrics among consumers. What are the odds that someone could get a large percentage of consumers to carry around a fingerprint reader all the time? Phones were always the potential sweet spot, but most of the smaller optical readers we have seen integrated into smaller devices had serious usability issues. That’s why Apple’s Touch ID is so interesting (I wrote it up at TidBITS and Macworld). It uses a snappy capacitive sensor in a device with a crypto chip, ubiquitous network access, and even short-range wireless (Bluetooth LE). Plus, it is a single phone model which will see widespread adoption. Expect others to copy the idea (potentially a good thing, but good luck finding decent sensors) and to see some very interesting applications over the next few years. 2FA for the mass market, here we go! – RM
- Pull my finger: Schneier has it right that biometric systems can ‘almost certainly’ be hacked, but shoving a fake finger in front of a fingerprint scanner isn’t it. Biometric analysis is more than just the scanner. Once you have scanned a retina or fingerprint, you send the scanned data to some other location, compare the data with a known representation of the print (probably a hash) in a database, and then send back a yea/nay to the service the user is trying to access – mobile phone, building, or whatever. That service may also perform some risk assessment before granting access. That entire ecosystem has to be secure as well. And the kicker is that the better the biometric detection piece, the more complex the system needs to be, leading to more potential methods to subvert the overall system! Biometrics should be a second factor of authentication, making fakery much more difficult. And the idea is popular because of the convenience factor for the user – biometrics can be more convenient than a password. But no one should consider them intrinsically more secure than passwords. Some people think this is a bad idea. – AL
- Wallenda CISO: Simon Wardley posted an interesting article about when it’s time to fire the CISO. You’d figure after a breach, right? Or maybe if a big compliance fine is heading your way. Those are both decent times to think about making a change. But Simon’s point is that when the CISO (or CIO, for that matter) can no longer balance the needs of business with the needs of security and make appropriate adjustments, then it is time for a change. Basically you need a tightrope walker, a Flying Wallenda, to balance all the competing interests in today’s IT environments. If the business is constantly going around IT (to become Shadow IT), then there is clearly a failure to communicate or a resourcing problem. Either way, IT and/or security isn’t getting it done and some changes are probably in order. – MR
- Protection racket: I chuckled while completing the application for a corporate insurance policy, when I hit the information security section. I had to answer pretty much every question with a negative. Antivirus? Nope, we use Macs and alternate security. On-site backups? Not a chance – we’re all cloud, baby. The questions weren’t horrible, but their ‘right’ answers surely don’t indicate any reasonable security level. I have always thought these insurance policies are incredibly limited, and expected insurers to fight to restrict damages far below client expectations. I was right – Liberty Mutual sued to only pay out for direct breach costs, but not ancillary costs resulting from the data loss (such as customer lawsuits). No surprises here – as usual insurance only covers a limited subset of losses, and certainly won’t help if you lose customer data. – RM
- The future of IPS? PSGs and more acronym soup: The folks over at Dark Reading contemplate the Future of IPS, and it seems like there is a consensus that there is value in how IPS technology has evolved to include context in the blocking decision. I actually think IPS is going away… Oh no! Is it dead? Am I pulling a Stiennon here? No. The threat detection and (possibly) prevention aspects of IPS are making their way onto a consolidated platform I call the Perimeter Security Gateway (PSG) that includes access control (firewall), threat prevention (IPS), and network-based malware detection. Crack the packet once and do lots of things, right? Yes, there are internal network use cases for this inspection technology beyond the perimeter. But I expect those to be a separate box because the requirements will be different. And yes, I will be writing this up in Q4. So then you can all tell me I’m wrong… – MR
- Not so much: Andrew Oliver does not see the need for IaaS because – wait for it – we’ve already got it with virtualization. To test whether Andrew’s theory is true, try this: Hand your credit card to your IT team and tell them you want 100 new servers to run a Hadoop cluster on. Today. This afternoon. And then have them send all the hardware back at the end of the week when the project is over. To equate IaaS with in-house virtualization simply glosses over all the work that goes into provisioning and setup of hardware, software, facilities, licensing, and other VMware stuff before the two environments even begin to look similar. Possible reasons you “don’t bother” moving to IaaS include your inability to get the compliance or information governance assurances you need. It takes just as much or more work to set up security, and even more to negotiate compliance into IaaS contracts – this is what stalls many large enterprise IaaS deployments. There are reasons you might not move to the cloud, but saying “the benefits of IaaS have already been realized through virtualization” is complete BS. – AL