Rich Mogull has started a fire on his Securosis blog addressing questions of value and loss. I would like to provide some feedback. Most importantly, I would like to address this point: “I consider that an implied or assumed value,…
Charlie Miller’s “Teach a Man to Fish” approach to disclosure: the happy medium?
by Pete Lindstrom • • Comments Off
Pre-eminent bugfinder Charlie Miller mentioned an interesting approach to disclosure after he compromised another Apple system – demonstrate the attack, describe how the vulnerability was found, and let the chips fall where they may. (Actually, I think his “teach a…
Rudeness, risk and vulnerability disclosure
by Pete Lindstrom • • 1 Comment
Robert Graham at Errata Security has yet another thoughtful post – this one on the “rudeness” of vulnerability disclosure. His key point: “However, vuln disclosure isn’t friendly. It is an inherently rude act.” It is an interesting post, primarily focused…
Security Budget Planning in Three Easy Steps
by Pete Lindstrom • • Comments Off
Gunnar Peterson has a great post on security budgeting. His essential point is to apply a “flat tax” to all IT spending. The value is in its simplicity. We can get a lot more complex (and often do), but this…
RSA Conference 2010 – Ghost of Conference Past
by Pete Lindstrom • • Comments Off
I was talking with my buddy Ben Rothke tonight about the security graveyard – companies that are no longer with us (he’s been a part of a number of them, but I’m not making any connections). He also challenged…
Addressing the Advanced Persistent Threat (APT)
by Pete Lindstrom • • Comments Off
In the past few weeks, the Advanced Persistent Threat (APT) has been all the rage in the infosec world. Security professionals everywhere are taking sides about whether APT is new or not, despite (or perhaps due to) the lack of…
Quick and Dirty Risk Calculations – CSI Survey Edition
by Pete Lindstrom • • Comments Off
The Computer Security Institute recently released its 2009 survey results (must register). One of the charts in the executive summary lists the frequency of occurrence in the survey population. Without any other information more pertinent or specific to your organization,…
Notes on the Heartland breach
by Pete Lindstrom • • Comments Off
The Heartland saga continues and it appears that things are going its way. Not only has the company been on a campaign to make lemons out of lemonade by selling the equipment (“end-to-end” encryption) to their customers (and, presumably others),…