Announcing: The Month of No Bugs (MONB)!

Wednesday, September 1, 2010

Announcing: The Month of No Bugs (MONB)!

It is with great excitement and anticipation that I announce the Month of No Bugs (MONB)! This month, I promise NOT to look for any new bugs out there, NOT to artificially elevate my bugs above all others, NOT to complain that vendors should give me the attention I deserve, NOT to pound my chest and [...]
Continue Reading...
Disclosing the Elephant in the Room of the Disclosure Debate

Friday, July 23, 2010

Disclosing the Elephant in the Room of the Disclosure Debate

There has been a lot of discussion lately about vulnerability disclosure, with Google and Microsoft respectively weighing in with their latest opinions on the topic. There is really nothing new here, as evidenced by the Google folks referencing a 9-year-old Bruce Schneier essay on the topic. I have written extensively on the topic and the related [...]
Continue Reading...
There is no such thing as *Real* Value

Wednesday, May 26, 2010

There is no such thing as *Real* Value

Rich Mogull has started a fire on his Securosis blog addressing questions of value and loss. I would like to provide some feedback. Most importantly, I would like to address this point: “I consider that an implied or assumed value, which may bear no correlation to the real value” Rich’s reference to something called a real value [...]
Continue Reading...
Charlie Miller’s “Teach a Man to Fish” approach to disclosure: the happy medium?

Thursday, April 29, 2010

Charlie Miller’s “Teach a Man to Fish” approach to disclosure: the happy medium?

Pre-eminent bugfinder Charlie Miller mentioned an interesting approach to disclosure after he compromised another Apple system - demonstrate the attack, describe how the vulnerability was found, and let the chips fall where they may. (Actually, I think his “teach a man to fish” approach might have been ancillary to the pwn2own contest…) At this stage of [...]
Continue Reading...
Rudeness, risk and vulnerability disclosure

Monday, April 26, 2010

Rudeness, risk and vulnerability disclosure

Robert Graham at Errata Security has yet another thoughtful post - this one on the “rudeness” of vulnerability disclosure. His key point: “However, vuln disclosure isn’t friendly. It is an inherently rude act.” It is an interesting post, primarily focused on the psychological relationship between bugfinders and vendors, but the thing I find the most puzzling is [...]
Continue Reading...
Security Budget Planning in Three Easy Steps

Wednesday, March 10, 2010

Security Budget Planning in Three Easy Steps

Gunnar Peterson has a great post on security budgeting. His essential point is to apply a “flat tax” to all IT spending. The value is in its simplicity. We can get a lot more complex (and often do), but this is an excellent starting point. Don’t forget the business and don’t forget we are “optimizing” our [...]
Continue Reading...
prev next
Posted on October 19 2009 Read more...

Social Networking Security

Hang on, I'll get to it after I get to the next level of Farmville...
Posted on October 18 2009 Read more...

Best Practices for creating Best Practices

Given that best practices are here to stay, I thought it important to come up with a set of best practices for creating them: Don't let the "practices" part of best practices get in the way. Best theories work just as well. Don't let the "best" part of best practices get in the way. Mildly useful practices ...
Posted on October 16 2009 Read more...

Should you swap out Windows for better security?

Brian Krebs at Security Fix does excellent research into breaches, but I cringed when I saw his advice to "business owners" about how to protect themselves from cybercriminals: "The simplest, most cost-effective answer I know of? Don't use Microsoft Windows when accessing your bank account online." In my opinion, this is horrible advice, especially to small and ...
Posted on September 17 2009 Read more...

Information Systems Security Association

I am off to the Information Systems Security Association (ISSA) annual meeting this weekend where I'll be taking over as Director of Operations, a volunteer position. I would be interested in hearing your thoughts about the organization - things it does well, where it could get better, etc.Comment here or send me an email.
Posted on September 15 2009 Read more...

The Question of Low Priced PCI Assessments

Branden Williams at Verisign (who has a great security blog, especially for its coverage of PCI issues) posts about a Bob Carr, Heartland Payment Systems, interview. The gist of the interview is don't hire the low-cost bidder. Branden's final comments: Of course, this attitude requires foresight. Which would you rather do: ask for more money today, or ...
Posted on September 14 2009 Read more...

Whenever I read a post like this…

Bruce Schneier posts on how he signs guest registers using somebody else's name:Since I read that, whenever I see a tourist attraction with a guest register, I do the same thing. I sign "Robert J. Sawyer, Toronto, ON" -- because you never know when he'll need an alibi.This type of thing goes on all the time among ...
Posted on September 10 2009 Read more...

Implied Value of Life

When I wrote a while back about implied value, I was thinking about this story I saw a while back in the New York Times. In it, economist Stan Smith used an implied value calculation to estimate the value of life experience which he calls "hedonic damages":THERE is economic damage from a wrongful death: the ...
Posted on September 9 2009 Read more...

Why won’t anyone define what “failure” and “hopeless” mean?

It is easy for security folks to get into a funk. We exhibit huge levels of confirmation bias associated with the publicity associated with "how bad things are" and ignore the often boring and yet extremely more common case of things [on the Internet] being "good". So folks end up saying the Internet is failing ...
Page 5 of 102« First...«34567»...Last »