Announcing: The Month of No Bugs (MONB)!

Wednesday, September 1, 2010

Announcing: The Month of No Bugs (MONB)!

It is with great excitement and anticipation that I announce the Month of No Bugs (MONB)! This month, I promise NOT to look for any new bugs out there, NOT to artificially elevate my bugs above all others, NOT to complain that vendors should give me the attention I deserve, NOT to pound my chest and [...]
Continue Reading...
Disclosing the Elephant in the Room of the Disclosure Debate

Friday, July 23, 2010

Disclosing the Elephant in the Room of the Disclosure Debate

There has been a lot of discussion lately about vulnerability disclosure, with Google and Microsoft respectively weighing in with their latest opinions on the topic. There is really nothing new here, as evidenced by the Google folks referencing a 9-year-old Bruce Schneier essay on the topic. I have written extensively on the topic and the related [...]
Continue Reading...
There is no such thing as *Real* Value

Wednesday, May 26, 2010

There is no such thing as *Real* Value

Rich Mogull has started a fire on his Securosis blog addressing questions of value and loss. I would like to provide some feedback. Most importantly, I would like to address this point: “I consider that an implied or assumed value, which may bear no correlation to the real value” Rich’s reference to something called a real value [...]
Continue Reading...
Charlie Miller’s “Teach a Man to Fish” approach to disclosure: the happy medium?

Thursday, April 29, 2010

Charlie Miller’s “Teach a Man to Fish” approach to disclosure: the happy medium?

Pre-eminent bugfinder Charlie Miller mentioned an interesting approach to disclosure after he compromised another Apple system - demonstrate the attack, describe how the vulnerability was found, and let the chips fall where they may. (Actually, I think his “teach a man to fish” approach might have been ancillary to the pwn2own contest…) At this stage of [...]
Continue Reading...
Rudeness, risk and vulnerability disclosure

Monday, April 26, 2010

Rudeness, risk and vulnerability disclosure

Robert Graham at Errata Security has yet another thoughtful post - this one on the “rudeness” of vulnerability disclosure. His key point: “However, vuln disclosure isn’t friendly. It is an inherently rude act.” It is an interesting post, primarily focused on the psychological relationship between bugfinders and vendors, but the thing I find the most puzzling is [...]
Continue Reading...
Security Budget Planning in Three Easy Steps

Wednesday, March 10, 2010

Security Budget Planning in Three Easy Steps

Gunnar Peterson has a great post on security budgeting. His essential point is to apply a “flat tax” to all IT spending. The value is in its simplicity. We can get a lot more complex (and often do), but this is an excellent starting point. Don’t forget the business and don’t forget we are “optimizing” our [...]
Continue Reading...
prev next
Posted on March 17 2010 Read more...

I’m having a zen moment

"Security Experts Warn Firms of the Higher Risk of Lower-Risk Flaws" Is it a paradox or something Confucius would say? I am going to meditate on it overnight and write something tomorrow.
Posted on March 12 2010 Read more...

Does it work? Washing your hands edition

This just in (sort of) from Slate.com (via Overcoming Bias): How to Sell Germ Warfare A Columbia University study also found no reduction in common infections among inner-city families given free antibacterial hand soap, detergent, and cleaning supplies. The same year, University of Michigan epidemiologist Allison Aiello summarized data on hand hygiene for the ...
Posted on March 12 2010 Read more...

Does it work? P.S.A. Prostate Cancer Tests Edition

This just in (sort of) from the New York Times: The Great Prostate Mistake EACH year some 30 million American men undergo testing for prostate-specific antigen, an enzyme made by the prostate. [...] The annual bill for P.S.A. screening is at least $3 billion, with much of it paid for by Medicare and the Veterans ...
Posted on March 12 2010 Read more...

Are you a “whore” or a “prude”?

I was talking to my friends Tony and Mike today at our local ISSA meeting and the subject of social networks came up. I was explaining that it makes me uncomfortable to get LinkedIn requests to get connected from people that I hardly know. My reasoning for this is that (I believe) there is an ...
Posted on March 11 2010 Read more...

Advanced Persistent Threat - a rose by any other name

It is a curious thing, watching and reading and listening to folks debate the Advanced Persistent Threat (APT). with all the brouhaha, I don't really believe there is a whole lot of difference in belief between the skeptics and the advocates. What is happening is simply the popularization of a term that has been around ...
Posted on March 10 2010 Read more...

Security Budget Planning in Three Easy Steps

Gunnar Peterson has a great post on security budgeting. His essential point is to apply a "flat tax" to all IT spending. The value is in its simplicity. We can get a lot more complex (and often do), but this is an excellent starting point. Don't forget the business and don't forget we are "optimizing" our ...
Posted on March 4 2010 Read more...

RSA Conference 2010 - Ghost of Conference Past

I was talking with my buddy Ben Rothke tonight about the security graveyard - companies that are no longer with us (he's been a part of a number of them, but I'm not making any connections ;-). He also challenged me to find an old list of companies exhibiting at RSA. Herewith is a list ...
Posted on February 2 2010 Read more...

More Breach Costs “per record”

Ponemon Institute has issued its annual report on the cost of data breaches. I wrote last year about using per record costs for data breaches. An excerpt: It is common when estimating costs of data breaches to quote costs "per record". Most recently, Ponemon Institute released a study that asserted a cost of $202 per record ...
Page 2 of 102«12345»...Last »