Podcasts, Security

Security Pros Stage Podcast Takeover (Podcast #53)

14 Feb, 2008


I guess the security guys have been reading all about the Microsoft acquisition attempt of Yahoo because this week, Martin McKeay and Rich Mogull staged their own hostile takeover by hijacking the recording of our SSAATY podcast!

Seriously, Rich and Martin join Alan and me to do our first East-meets-West, Network Security Podcast -plus- SSAATY Podcast. We had a blast recording the podcast together.

Our discussions center around the impact of all the personal information disclosed on blogs, podcasts, comments, social networking sites, Twitter, etc., etc.

How do and how will employers use the information available about you on the Internet? Will all the teenager pranks and foibles poured out on social networking sites come back to bite workers later in their careers or in life? Can a presidential candidate get elected if they have an online past that can easily be dug up and used against them?

It’s an interesting topic that was spurred by an article Martin found, "Off The Clock: Should Your Personal Online Chronicles Jeopardize Your Career?".

Enjoy the podcast and please drop us any suggestions or questions at podcast@stillsecure.com.

mp3 file

Microsoft, Security

Can Contests End the OS Security Debate?

8 Feb, 2008

It looks like CanSecWest is starting a trend. After last year’s "PWN to Own" contest netted an "owned" MacBook, now the 2008 conference is pitting Windows Vista, Mac OS X Leopard and Linux against each other. Next thing you know, we’ll be having a winner-take-all cage match for the championship.

First, let me say that I love the idea of this contest. It’s the security equivalent of watching those side-impact car crash videos we see on the NBC news magazine shows. This OS hack-a-thon contest is sure to draw a crowd, and debate following the results. But I like the idea of contests like this, where devices and software are tested out in the open by real people. I think we’ll learn a lot and possibly debunk some of the OS security myths and claims along the way.

Speaking of contests, my friend Ross Carlson is cooking up a contest idea to pit similarly configured Mac, Windows and Linux systems, along with power users of the respective operating systems, against each other performing a series of common and not-so-common tasks. I don’t know if Ross will end up pulling it together or not, but if he does, I’d go to watch. More than the results, I’d like to see the reactions of the participants and audience when the results are tallied.

Cloud, Podcasts, Security

Podcast #52 – Scott Converse announces Medioh

29 Jan, 2008


Alan was in town last week for us to record episode 52 of the SSAATY podcast. After some dinner at CPK in Boulder, CO, we got together at Scott Converse’s recording studio down the street.

Not only is Scott the CEO of ClickCaster, where we host the SSAATY podcast, Scott is our podcast guest on this rollicking, in-studio edition where we have lots of fun doing our usual shtick. It’s a lot more fun doing the podcast when Alan and I are in the same city, and I think that will come across pretty clearly as you listen in to our madness.

I guess the podcast is the "in place" to announce career moves and company launches. During the interview, Scott tells us about his exciting new Internet TV venture, Medioh! I also announce my joining Absolute Performance Inc. as CTO, a rockin’ SaaS On Demand software and enablement company based in Boulder.

In addition to talking shop about Medioh and Absolute Performance, Alan and I cover the acquisition mania of Sun / MySQL, Oracle / BEA and VMware / Thinstall, Vernier’s inevitable plummet into the sun, and recent announcements of multi-gigabit IPS products.

Join me in congratulating Scott Converse on his launch of Medioh. Enjoy the podcast and feel free to drop us any suggestions or questions at podcast@stillsecure.com.

P.S. Is it just me, or does Scott have a slight resemblance, albeit younger, to one of my favorite actors, Charles Durning? Maybe next podcast we’ll have Scott announce us as the Soggy Bottom Boys (O Brother, Where Art Thou?).


mp3 file

Product Mgmt, Security

Last Breath for Vernier? or How to do a startup reset

9 Jan, 2008

It’s not easy to reposition a startup in a market. Once is tough; twice is very difficult. Vernier took their Nessus-based vulnerability scanning offering into the NAC direction in 2005/2006. Now Vernier is repositioning themselves as a user access control auditing type of solution. I take that as a pretty strong message that NAC hasn’t worked out all that well for them. We’ll learn more about their new offering with a hinted-at announcement in February.

I think what the NAC market has learned is that solving just a part of the NAC problem isn’t enough. I recall envisioning NAC as a remote access problem, but very quickly realizing it was much broader than just policy enforcement at the traditional network edge. The network edge was dissolving, and customers either saw NAC as a way to solve very specific problems (like controlling contractor security and access) in specific portions of the network (student campus networks), or they wanted a ubiquitous solution across an enterprise network. It was very clear early on that vulnerability scanner technology was an impedance mismatch with the needs of a broader-scale NAC deployment.

Tangential moves, applying existing technology to fringe or tangential problems, usually don’t pan out, at least in my experience. While some parts of the solution set apply, products aren’t architected to be highly adaptable to new domains. That’s why startup "resets" are so difficult to pull off, the same way vulnerability scanner products don’t make great NAC solutions. It often requires recapitalization, major technology refactoring, and retooling the business to operate in a different market space selling to a different set of customers.

I often wonder if it’s more luck or just sheer will power that makes a startup reset work, in the rare cases it does. I’ve only experienced one startup reset, and it was successful, but that was under pretty rare business and market conditions. Vernier’s situation caused me to ponder, reflect, and kind of think out loud about startup reset situations. I guess this blog post reflects that bit of wandering and thinking.

Resets are a pretty low-percentage play from the business playbook, but the one thing I’d say is key to success is patience. It takes time and can’t be done overnight. You can’t do a turnaround with a half-baked solution. It has to have enough substance to really validate that the product and market match are viable. You can’t shortcut this — it really is like restarting the company again. If the fundamentals aren’t there — getting a really tight match between product and customer/market — it’s sure failure all over again.

Patience is nothing that a lot of time and money can’t solve, but those resources are usually in short supply in these situations. And investors want to put their money to work on something with the potential for a return, vs. "throwing good money after bad", so the saying goes. Ultimately, the match between product, market and execution wasn’t there the first time. Have the conditions changed sufficiently within the business to increase the chance of success a second time around? Sorry to say that it’s unlikely. Those are just some of the many dynamics that go into pulling a startup reset off.


The IRS has a refund waiting for you. Not!

28 Dec, 2007

A phishing scam is circulating via email posing as the IRS claiming there’s a refund waiting. Given two seconds of thought, who would actually believe this email?

Unfortunately, many recipients of the phishing email will do just that. But think about it. When is the last time the IRS contacted you to let you know they have a refund waiting, and all you have to do is click a link and it’s yours? Also look at the email (text below) and notice the misspelling of "deparment".

After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $109.23. Please submit the tax refund request and allow us 3-9 days in order to process it.

A refund can be delayed for a variety of reasons. or example submitting  invalid records or applying after the deadline.

To access your tax refund, please click here [malicious link removed]

Best Regards,
Tax Refund Deparment
Internal Revenue Service

In addition to breaking laws about scams like phishing attacks, I’ve got to believe there’s some law against impersonating a federal agency like the IRS.

I would expect lots of refund scams as the new year approaches posing as the IRS, retailers and others.

Update: I was lax in thanking my buddy Blake Nelson (stud salesman of performance management software for SaaS businesses, btw), who turned me on to this IRS phishing scam. Thanks, Blake, for taking care of your buds.


FTC Hands Off When It Comes to Selling Your Personal Information

18 Dec, 2007

Byron Acohido and Jon Swartz of USA Today, coauthors of the Zero Day Threat book, remain on message with their quest to expose the hypocrisies of organizations that play it loose with your personal information. Their most recent article is about criticism that the FTC hasn’t upheld its responsibility to protect consumers’ information.

In June of 2005, FTC Chairman Deborah Platt Majoras testified in front of Congress: "This information is like gold … and it ought to be treated that way."

But now the credit bureaus are playing fast and loose by selling personal information of loan applicants to others, who follow up with additional loan offers to lure you away to another loan provider. That’s been a big factor in the sub-prime loan scandal leading to so many mortgage foreclosures.

Now, when questioned why credit bureaus can so freely sell this information, Platt Majoras says "We’ve not heard that the FTC simply is not doing enough with respect to the credit-reporting bureaus," she says. "If people feel that way, then I do want to hear about it."


Then the FTC has its head in the sand and isn’t listening, or is frankly ignoring the present credit crunch in an effort to avoid taking any responsibility for the mess.

It’s time the FTC took responsibility for protecting the consumer and the personal financial information we are forced to entrust to the credit bureaus.

Microsoft, Security

Better Security Doesn’t Automatically Mean A Better Product

17 Dec, 2007

I’ve been writing quite a bit about Vista (and February’s Vista SP1) and am now beginning to write about the Windows Server 2007 RC1 on my Network World blog. It’s not news to anyone that Vista has had some rough spots since its introduction in early 2007.

What’s interesting is that we all anticipated the introduction of Vista because of improvements in security. Today we hear very little about security in Vista. That could be good, and could be bad. In many ways Vista is a big leap forward from the security model in Windows XP. Though there have been many patches and fixes, we’ve not had a major vulnerability scare to date with Vista (cross our fingers, let’s hope we don’t).

But the focus on improving security in Vista caused Microsoft to take their eye off something very important: the user experience. User Account Control (UAC) forgot the lessons of so many personal firewalls and created another "barking dog" Vista users had to put down. Performance and reliability issues, something any operating system rewrite will inevitably face, became front and center because new dual-core machines and big disk drives don’t have the same zip we are accustomed to in Windows XP and Windows 2000. While adding somewhat of a "cool factor", Aero and 3D icons only updated the Windows Explorer experience; they did not make it easier or more useful to end users.

The lesson is that while intending to fix or improve an area of your product, security in the case of Windows, it cannot come at the expense of the experience to which users have grown accustomed. This is a lesson I’ve learned myself in my own product development experiences over the years. Sometimes you do take a hit and delay new features to address a more fundamental need in a product, but forcing the user to step back and accept reduced functionality or lesser performance caused a significant backlash for Vista.

Rewriting something like the Windows operating system is a massive undertaking. Frankly, I’m surprised in many ways there haven’t been bigger problems than we’ve experienced. I’ve used Vista since its introduction and not had to revert back to Windows XP. That I’m pretty surprised about. But I think it is still worth stepping back and learning from what Microsoft has experienced over the past year with Vista.


IPv6 or Vista the cause for security concern?

7 Dec, 2007

Symantec and Ericsson say Vista’s tunneling of IPv6 through IPv4, called Teredo, is a security risk. In essence, it creates a tunneled session through firewalls, routers and other NAT’d devices that would go unrecognized, since the IPv6 traffic is contained in IPv4 datagrams. Here’s the document Hoagland and Krishnan reviewed this week at the IETF IPv6 Operations Working Group.

The issue really is one of the Teredo tunneling approach, not something unique or specific to Vista. Teredo could technically be done on any platform. Vista does have Teredo tunneling turned on by default. Microsoft TechNet has instructions for disabling Teredo in Vista.
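To make the "IPv6 hidden inside IPv4 datagrams" point concrete from the defender's side, here is an added example (not code from the post, Symantec, Ericsson or Microsoft) that inspects a raw IPv4/UDP datagram and flags it when the UDP payload is an IPv6 packet carried the Teredo way. It relies on two facts from RFC 4380, the Teredo UDP port 3544 and the 2001::/32 Teredo address prefix; the sample packets are constructed inline, and the check ignores Teredo's optional origin/authentication indication headers, so it covers the plain data-packet case only.

```python
import ipaddress
import struct

TEREDO_UDP_PORT = 3544                             # Teredo service port (RFC 4380)
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")  # Teredo address prefix (RFC 4380)


def parse_ipv4_udp(packet: bytes):
    """Return (src_port, dst_port, udp_payload) for an IPv4/UDP datagram, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17 or len(packet) < ihl + 8:      # IP protocol 17 is UDP
        return None
    sport, dport, ulen = struct.unpack("!HHH", packet[ihl:ihl + 6])
    return sport, dport, packet[ihl + 8:ihl + ulen]


def looks_like_teredo(packet: bytes) -> bool:
    """True if the IPv4 datagram wraps an IPv6 packet in the Teredo style.

    A plain Teredo data packet is an IPv6 packet (version nibble 6) riding as the
    UDP payload; port 3544 or a 2001::/32 source/destination identifies it.
    Origin/authentication indication headers (RFC 4380) are not handled here.
    """
    hdr = parse_ipv4_udp(packet)
    if hdr is None:
        return False
    sport, dport, payload = hdr
    if len(payload) < 40 or payload[0] >> 4 != 6:     # not an IPv6 header
        return False
    src = ipaddress.IPv6Address(payload[8:24])
    dst = ipaddress.IPv6Address(payload[24:40])
    return TEREDO_UDP_PORT in (sport, dport) or src in TEREDO_PREFIX or dst in TEREDO_PREFIX


def build_sample(inner_src: str, inner_dst: str, dport: int = TEREDO_UDP_PORT) -> bytes:
    """Constructed sample: a minimal IPv4/UDP datagram carrying a bare IPv6 header."""
    # IPv6: version 6, flow label 0, payload length 0, next header 59 (none), hop limit 64
    ipv6 = struct.pack("!IHBB", 0x60000000, 0, 59, 64)
    ipv6 += ipaddress.IPv6Address(inner_src).packed + ipaddress.IPv6Address(inner_dst).packed
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(ipv6), 0) + ipv6   # checksum left 0
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))  # documentation IPs
    return ipv4 + udp
```

Run over captured datagrams at a firewall or sensor, the same check is what lets an IPv4-only inspection point notice that an IPv6 session is passing through it.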


Cisco TrustSec and What Cisco Learned From Cisco NAC’s failures

6 Dec, 2007

I have two blog posts up on my Network World blog about the Cisco TrustSec announcement. Rather than repeat them here, these two links will take you to my posts.

Policy, Policy… Who’s Got The Policy?

What Cisco TrustSec Learned From Cisco NAC Failures

Podcasts, Security

Podcast 50 – "The Big 50" and more

3 Dec, 2007

Welcome to our 50th podcast. Has it really been that many? Well, the links don’t lie, so I guess we’ve hit a new high-water mark.

For our 50th podcast, Alan and I kick back and just talk about what we want to discuss. No guests this time, just us ‘ums. During The Converging Minute I talk about virtualization and security, and how the two are intersecting. Alan and I then turn to topics of interest where we discuss:

  • Is security slowing down the adoption of virtualization?
  • What good is "menstrual NAC" – you know, the kind that only checks devices once a month – and my new rules on NAC
  • The new space race to put IP technology into space being led by Cisco
  • Can UTM be 50% of the network security market?

It’s nice to get back to our regular show format, and I hope you enjoy it too. Also, something that I’m very remiss in mentioning is to thank Alan for all of the additional work he does on the podcast.

Alan’s been "sound engineer" on the podcast since day one, and while we don’t edit our discussions or interviews (they are pretty much as is, just like we recorded them), there is still quite a bit of work involved. Every podcast, Alan splits and combines the channels, splices all the segments together, level-ates the file so everything is the same volume level, and then uploads the file to our ClickCaster site. So "thanks big Al" for all the extra things you do for our podcast.

Enjoy the podcast and feel free to drop us any suggestions or questions at podcast@stillsecure.com.

mp3 file