Read the CNN article and then think about whether you really want government this Homeland Security Initiative. [NYTimes]
I smell a class action suit against the credit agency that let the fraud occur. The Homeland Bill will take years to sort out.
In other identity news, the General Services Administration has posted the presentations from a conference on identity. Good to know someone is paying attention. Thanks to Scott Loftesness for the link.
P.S. Skied Killington today - love pre-season weekdays - no lines and great snow.
I'm not fully convinced security is in fact the #1 inhibitor to enterprise deployment of wireless LANs - I need real data to convince myself of that one. (Despite being one of the quoted data points in this article...)
What I DO find interesting is the way the wireless LAN industry has been singled out for security problems in early standards. I have said it before: the marketplace has become security aware and will no longer accept new technologies that do not address security from the ground up.
Paying for port scans? You might be if you are connecting to the net via a wireless GPRS network that bills by bandwidth usage. It's bad enough GPRS network infrastructures are full of holes - to make customers pay for traffic because the service provider has not had the decency to install a firewall between the net and the wireless infrastructure is irresponsible.
Wired attacks have already migrated to the wireless world. If a journalist can tell, shouldn't the service provider be able to tell too?
Since the senate approved Bush's homeland security bill today, I thought I would provide a guide for vendors looking to make a buck or two from this colossal merger of federal agencies.
Abner’s guide for how to make Homeland bucks with your security product:
Step 1: Attach your brand to Homeland Security by plastering flags and the words "Homeland Security" all over your marketing collateral.
Step 2: Prove a threat exists that your product mitigates.
Step 3: Convince others your threat is a bigger threat than everybody else's pet threat.
Step 4 (optional): Find a non-security business problem your product also helps solve in order to establish a clear ROI.
Rinse and repeat as necessary.
P.S. While the above might actually work, I tend to agree Senator Byrd's questions are good questions to ask. With all the hubbub around establishing the Homeland Security Department why are our priorities still out of whack with reality?
The major papers all agree - Mr. Ashcroft is going too far... and for some reason still appears to be getting what he's asking for.
Tech News - CNET.com: Secret U.S. court OKs electronic spying
NY Times: A Green Light to Spy
In other news we got up at an ungodly hour this morning to watch the Leonids. Impressive, although last year was definitely better since the peak in Boston coincided with the beginnings of sunrise. Despite the light in the sky, we still saw a couple of big streaks across the sky and the sunrise over the water made the whole exercise worth it.
This page speaks for itself.
Craig Mundie marked the first year of Microsoft's Trustworthy Computing initiative during the Silicon Valley Speaker Series. The transcript of Mundie's speech provides an interesting insight into how far Microsoft has come and some of the hurdles ahead.
The biggest question I have of Microsoft's security strategy is whether they have done enough soon enough.
Mr. Mundie says the right things when he speaks of building software that is "secure by design, secure by default and secure in deployment." He equates security and reliability and he is aware of the cost of the company's numerous privacy gaffes over the last several years.
The products receiving the most security attention either hit the market in late 2001 to 2002 or are still in development. The installed base is where the danger lies. Out of an estimated 400 million people on Windows, the vast majority are on Windows 95. I would like to see a breakdown of what the server world looks like and the speed at which the installed base adopts the XP server OS. If Microsoft cannot convince the world to upgrade to newer versions, the company will find itself in a marketing catch-22.
Best Case vs. Worst Case:
In a best-case scenario, MS products should become incrementally more secure as Microsoft's internal training adopts increasing amounts of security content, developers begin to innovate in a secure fashion, and products presently in the design stage are actually designed secure from day 1. (Products that were in the design stage two years ago and coming to market in 2002 and 2003 will probably receive security testing and design reviews.)
A worst-case scenario would be if Mr. Mundie's speech is all hot air and the organization has not found the religion Mr. Mundie professes.
The impending catch-22:
In order to actually improve the security of the electronic infrastructure, and renew trust in Microsoft products, the company needs to migrate the installed base off of old products and onto new ones in the middle of a recession. From a marketing (and perhaps liability?) point of view, Microsoft must make the case to upgrade beyond "it's more secure because the last product that we told you was secure really was not."
Or "we convinced you to buy the last product when times were good, but the quality was really bad and probably left you vulnerable to numerous attacks, so buy this new one and that won't happen again - trust us."
Even if products coming to market today have received world-class security reviews, they were designed two years ago when security was not a priority. Somehow Microsoft will have to convince the installed base to trust them again. I imagine they will get outside consulting companies to write white papers describing how much "more secure" product X is over the last version.
In the security world, if you can not prevent someone from exploiting something, you build a level of accountability into the system, so that you can track them down after the fact. Trust is for sissies.
I wonder to what extent the market will hold Microsoft accountable for the security of their products?
1. "Trust is for sissies." is an original line from Dr. Daniel Geer or Bob Blakley - I'm not sure which one of them stole it from whom.
I think security should be a core component of marketing, engineering, and training strategy for every tech vendor that sells infrastructure components and mission critical apps. Here's why.
1. Customers Are Becoming More Discerning:
Large customers are learning about the risks certain products and technologies represent to high value information - wireless LANs and web services are two current targets. Sales teams are likely to encounter questions concerning: security quality assurance, developer and customer security education, vulnerability response, and government regulations like HIPAA, Gramm-Leach-Bliley, EU Privacy Act and The Patriot Act.
2. Security Patches Are Expensive:
Large software vendors spend roughly $100,000 to produce a security patch for each platform a product supports – often driving costs to over a million dollars per vulnerability. The burden on customers is even greater as IT personnel work overtime to protect themselves from new vulnerabilities.
3. Leading Vendors Are Building Secure Reputations Haphazardly:
Microsoft, Oracle, IBM, Sun, and Cisco all use security as a message in their marketing efforts. These leaders and many others all address components of a customer’s desire to manage risk, but few profit from these efforts due to a focus on functionality and not the multi-faceted and interwoven tasks of managing risk.
Note: I intend to go into detail on each of these three points in separate postings over the next couple of weeks. Stay tuned.
The latest issue of @stake's Secure Business Quarterly is on vulnerability disclosure.
If you work for a technology vendor of any stature you need to read this latest issue and last year's Q3 issue on application security.
My take: Major software vendors spend between $100,000 and a million dollars per patch - and that's just to post a patch to a web site.
The cost in customer time in testing and installing patches and the increased load on customer service departments takes the figures through the roof.
According to CERT, 2,437 vulnerabilities were reported in 2001, up from 1,090 in 2000 and 417 in 1999. At a conservative $75k per vulnerability, security patches (assuming the vendor patched the problem) cost vendors roughly $183 million last year. Never mind the pain felt by customers, the damage to a vendor's reputation, and the load on service reps responding to patches breaking applications.
Note: The cost per patch data comes from my own informal survey of several of the few vendors that are savvy enough to even track it.
1. Has invested heavily in touting the product security.
2. Still needs to make massive investments to convince the marketplace
- It's Microsoft.
Convincing the Issue Elites* that your products are secure takes far more than a couple of well placed marketing campaigns. Microsoft not only needs to examine 80 million+ lines of code, but also needs to revise training programs for internal and external developers, examine the core architecture of how the OS interacts with applications, and then convince a group of professionally paranoid engineers that progress has been made.
Selected Allchin/Forbes security bits and more in the full entry. Thanks to Scott Loftesness for bringing this chat session to my attention.
* Market research parlance for the people who are the trusted sources of information on particular issues - in this case security professionals.
EndoLast: What effect on business do you see from the drive to create uniform security standards for government IT systems?
JALLCHIN: Governments have some specific needs that businesses might not, but that depends on the government agency. The whole industry needs to improve related to security. We are committed to be a leader in this space. There is still a lot for everyone to learn in the security space. CC win for W2K is a step. CC will happen for XP shortly. Both are good steps, but much more is needed. I believe investments we are doing in things like Palladium will give businesses a lot of control and a NEW level of security not achieved before.
Interesting - "a new level of security." Palladium is a mechanism for content owners to CONTROL content. It does nothing to improve reliability. However, it could potentially help with larger authentication and authorization issues.
EndoLast: Could you elaborate on what you mean by a lot to learn in the security space?
JALLCHIN: Long answer... here it comes...
1. Can't the OS be made more secure from viruses? Technically, it would seem to me that behavior blocking is a much better technique than Anti-virus approaches today. AV is after the fact. I want to find a way to stop it without loading a signature (which has to be created AFTER the outbreak).
Try separating the OS from applications that communicate with other computers - email and browser apps would be a great place to start.
2. PKI vs. private key.
3. Federation between companies with different models
Clearly one of the harder questions of the day. This forces security to be addressed in the application architecture and major standards like SOAP and XML.
4. role of biometrics, and on and on....
The role of biometrics?? Biometrics have error rates. My money says no biometric company breaks the $150 million mark in the next 5 years. (Revenues from physical access control systems don't count.)
There is nothing more powerful than technology adopted from the ground up. If you consider yourself even mildly web savvy and you don't know what backlinking is - read the title article.
I have few doubts the Wi-Fi News site is correct in criticizing inaccurate statements on wireless security. What I find most interesting is the amount of time and energy the wireless LAN industry is spending on security, now that a reputation for poor security has been established.
Note to developers of other technologies:
Just like oil companies and the safety of oil tankers, once you blow it, it takes a long time to regain customer confidence.
I believe the wireless industry will overcome these challenges, but I'm not convinced the market will be as accommodating for the next big technology that does not equate security with product quality.
At least 10 surveys over the last five years have asked executives how important certain qualities are to their business. Security consistently appears in the top five. However, when queried on budgets and spending, security falls dramatically.
An article in Slate today examines a similar problem with our President's priorities. Talk is cheap.
Defending a perimeter or boundary of any type is expensive and often a poor allocation of resources. In the physical world it occasionally makes sense to defend a perimeter; in the digital world perimeter defense is a tough place to get a return on investment. Here are several examples and relevant bits of data...
1. The first goal of an external attacker is to obtain the privileges of an insider. Check out Honeynet.org for more.
2. Depending on which survey you examine (FBI/CSI, IDC, Gartner, Meta, etc…) roughly 70% of all major intrusions are committed by an insider. (See Computer Associate’s “Rose in Benefits” campaign.)
3. Lumeta, the network mapping company, estimates their average customer (think BIG corporations) knows where 70% of their network goes. If you don’t know where that other 30% is – how can you possibly defend it?
4. The big technology news in Panama this week comes from an attempt to block telephone calls that travel over the Internet instead of the traditional voice network (VoIP vs. POTS at C&W Panama; the Slashdot bookies have 2:1 odds on VoIP) – check out the Politech post from Cisco.
5. As for #4 - digital music, IM chat over port 80, and wireless LANs everywhere simply prove that technology beats law in almost every case.
The Microsoft anti-trust saga continues. Read about it everywhere. (Media Unspun – second story)
1. Judge Colleen Kollar-Kotelly will be retaining jurisdiction over MS’s compliance with the original agreement.
2. The 9 states gunning for more got rejected in asking for more.
What this means for the security world...
A few months ago, Jim Allchin of MS testified that MS was unable to release details of an API for “security reasons.” My recommendation to Judge Kollar-Kotelly: Anytime Microsoft asks you to support them in holding back due to “security concerns” ask for the following:
- A review from an independent party able to conduct a thorough analysis*
- A detailed plan on how they plan on fixing the problem in order to comply with the settlement.
* Actually finding a truly independent party may be difficult as all security-engineering firms of significance either already do work or are trying to do work for Microsoft. Perhaps places like the NSA - that already serve as security advocates for government customers - can help. (Or maybe not, I'm guessing there is a fair amount of red tape between the judiciary and the NSA.)
One other interesting analysis not included in the Media Unspun list comes from today's issue of the laissez faire think tank CEI's C:\Spin newsletter. James V. DeLong, the author of that newsletter, believes enforcing the original agreement will heighten the current middleware guerrilla war. I believe Microsoft will use security as a primary weapon in the war and it will come back to bite them in the end.