Since the iPhone OS wasn't up to the task of thwarting the haxor community, Apple is taking (being forced by AT&T?) the step of forcing customers to activate AT&T service at purchase.
Given the length of time it took to unlock the iPhone I (3 months) it appears Apple did a decent job attempting to secure the iPhone SIM. Despite that, someone at either Apple or AT&T is convinced they lost out on revenue from iPhones that were purchased and then unlocked and used on other carriers or even as wifi only devices.
Here's a good reason to stick a little piece of black tape over the IR port of your screens in trade show booths.
Funny and true. If you have the word marketing in your title, please follow the man's instructions.
NBC lawyers managed to stop a story from being aired where their own site was broken into. Smart move; at least it gives them some time to fix it before the vulnerability and exploit are made available to every teen geek in the country. (Assuming a few could find their way in anyway.)
Meanwhile, in Ohio efforts to test the integrity of the voting system were apparently blocked by Republicans who mysteriously also oversee the state's elections. Again, I lament: why are slot machines so much more secure than voting machines?
Avi Rubin comments on the "laboratory" defense employed by voting machine vendors.
And in other news of lame responses to security vulnerabilities, here are the 2007 Pwnie Award Nominees.
Of interest to marketeers: Lamest Vendor Response, Most Over-hyped Bug, and Best Song.
What do you get when you attempt to combine rock music, IT security, and corporate (Intel) sponsorship?
These guys found a vulnerability and then crafted an exploit via the wi-fi connection and Safari. If Safari is going to be the platform of Apple's choice for 3rd party app development, perhaps there is a bit more work to be done.
My favorite quote from the page describing the work:
"Does this add credence to Apple's position that 3rd party applications are not allowed on the iPhone for security reasons? We don't think so. Almost all of the security engineering effort on the iPhone seems to have been spent protecting the revenue model, rather than protecting the user (which is, of course, an entirely understandable position). For example, a constrained environment is used to prevent users from loading new ringtones onto the phone, but the applications are not run in a constrained environment to contain damage caused by hackers who exploit them."
No time for comment other than to say this was a very hard problem that has the nice side benefit of boosting demand for the book.
NPR Radio Story on Harry Potter Security and why it's good for the book.
Bruce Schneier on the scope of the problem.
Reuters Description of Barnes and Noble Security
British Tabloid on the search for a worker at the publisher who revealed book details.
Description of contracts booksellers and libraries have to sign as well as penalties suffered by those who leaked other books in the series.
Picture of security guard with the books.
The iPhone / Harry Potter virus. Designed to attract Google juice?
Additional sites to check out attempts to turn the iPhone into what users want instead of what Apple thinks users want include:
The Hackint0sh iPhone forum
Hackszine lists a couple of early efforts
There is also a wiki of people attempting to port Linux to the iPhone and other such projects. They don't want direct links to the site, but they aren't hard to find if you are looking that way. Their IRC: #iphone @ irc.osx86.hu (reverse engineers only, eh?)
Finally, the iPhoneDevCamp landed all sorts of press coverage, some of it interesting.
Incidentally, I wonder what the return rates are on these phones as customers find out that the iPhone isn't perfect for them.
(I already know of one return. While he's probably not the exact target market and my sample is abysmally small, email on a smart phone should be flawless)
You heard it here first: someone will be running unapproved apps on the iPhone by the end of July. Wired posted a call to arms and this guy is looking for help with USB drivers. Good fun. Unless of course Apple actually went out and hired some real security gurus to render the hardware tamper proof and harden the OS.
Doubtful. No tamper resistant hardware here...nice teardown.
Side note - I only saw one example of a marketing ploy by a security vendor to cash in on iPhone hype: ISS stating the obvious, that [iPhone hype] "will make the iPhone a definite target".
DRM, or Digital Rights Management, is an uphill battle that the entertainment industry will never win.
One hopes that the entertainment industry one day figures out the difference between access control and accountability.
Ever wonder why every major technology vendor has a group of people dedicated to dealing with security vulnerabilities in their products? Because a group of guys were willing to stand up and expose the problems they found. CSO just posted a "Where are they now?" feature on the L0pht.
A bunch of people claim the coolest thing about the iPhone is that it runs OS X or at least a customized version... however the agreement with Cingular locks the OS to apps of Apple and Cingular's choosing.
$50 says it takes less than 3 weeks after the iPhone goes to GA that someone hacks the OS to run whatever they want.
iPod Linux (Yes, I know it's a different beast)
Update: An in-depth look at third party apps and the iPhone.
Update 2: Let the iPhone hacking begin.
Update 3: Early iPhone Hacking Efforts
Update 5: Unlocking the iPhone Software, Hardware, and Lawyers! Yay.
Update 6: Apple finally launches an SDK and iPhone developer program. The catch: all apps must flow through Apple. Apple takes a cut and gets to assure AT&T that none of the apps will create odd network conditions. So long to the IT layer cake.
Update 7: Since technical methods of keeping the iPhone locked to AT&T failed, now you can't buy an iPhone without activating AT&T service. Score: Technology 0, Process 1 for now.
I'm playing with Google ads - mainly out of curiosity since there is little chance the entire Internet is going to come knocking on my door. In the Google Links at the top of my main page 4 sets of ads are offered: LAN, Phone, OS, and RFID security. All of these produce ads for a cornucopia of security products and services as one would expect. The Phone security ads depart from this mix by offering services to bypass mobile handset security functions designed to lock a handset to a particular mobile carrier. These ads are targeted toward subverting phone security, rather than bolstering phone security. Interestingly, a Google search for Phone Security produces the set of security products and analysis on phone security one would expect. View image (pop-up) in case the original goes away.
First they were for high security applications, then for mass consumer use, but ultimately they either get bypassed or suffer too many false negatives. Mythbusters shows what many in the security community have known for a while.
It's funny because it's true. Required reading for anyone who will ever give an analyst or press briefing.
Emblematic of much of what's wrong with security and yet comic as well. Mac pokes Vista's security in the eye in this advert.
Update: This entry is getting hit pretty hard. I suggest reading Matasano Chargen's well reasoned writings on OS X security and Apple security issues in general. For Vista security, I suggest checking out Joanna Rutkowska's recent writings. Vista is still an infant from a security review perspective, with everybody cooing about new features and architecture, but we won't really know what it will be until it grows up a bit. Securosis has a well reasoned weigh-in on this religious war as well.
Trying to market a gate that can stop a truck at 50 mph? Seeing is believing.
Data loss was a big topic of conversation at RSA this year. Reports of these incidents have become so repetitive that after a while we stop noticing... until you see them all gathered in one place.
Note to marketers: Stealth is dumb if your promo looks like a bomb.
Update: The Weekly Dig has one of the best post game write-ups on this incident.
Update 2: Some company was raffling one of these off at RSA, so I had a chance to look at it up close. It didn't look like a bomb unless you think a bomb is a few D batteries with duct tape and wires. Also, these things were up for TWO WEEKS before the Boston PD hit the panic button, which doesn't say much about being vigilant. The City of Boston should take the $1 million from Turner Broadcasting and run.
Welcome to Hackistan.
NY Times has an interesting piece today on the "market" for software vulnerabilities. Market is in quotes since there are a limited number of open market buyers and the vulnerability market is one of the few where the seller has to make a decision between selling to a good guy or bad guy. Layer in the used car effect where the vulnerability finder may have a better view of the capabilities of a new exploit than the buyer (assuming an exploit exists) and the vulnerability market is clearly an inefficient and scary place. Finally, vulnerabilities used to trade primarily in publicity currency, but now there are places where they can be sold, albeit not for enough to equal the average salary of a high end security researcher at any of the major IT or security vendors.
Coming to an airport near you: advertisements in the bins they run through the X-Ray machines.
The only messaging I've seen done well in these lines is the movie the Las Vegas airport shows with movie characters demonstrating how to keep the line moving. Right, and then the guy who sings a similar set of show tunes in San Francisco.
The company pitching these is called Securitypoint Media.
MSNBC wrote a story and IP followed up with a discussion on the availability of outage statistics for US mobile networks today. There are a couple of companies that enable enterprises to get their own data on the performance experienced by their own users, but hiding outage data influences the level of trust people have in the cell networks beyond the network's ability to deliver.
Brilliant, but unsafe marketing from what one would assume to be the mobile carriers attempting to drive fixed line replacement revenues.
This IBM ad was one of the first information security ads on TV. It is almost quaint a few years after its original use in 1999?, 2000?. I dig the speed this guy "gets in", finds what he's looking for, and then emails it to the whole company. He must know some sweet keyboard shortcuts. It's unclear if these two are insiders or outsiders, but the bit does get the point across that information is accessible, important, and moves fast. More IBM ads.
In a brilliant coup for Choicepoint, the company managed to get the NY Times to profile what went wrong and what they've done to fix their problems.
Simplify the problem with comedy. And amazingly Diebold continues to sell this stuff.
Update: Deleted Youtube link and replaced with very annoying pop-up link from the Comedy Central site.
Update 2: The original - and best - piece the Daily Show did on e-voting in Sept of 2004? found on Avi Rubin's site, full of excellent voting knowledge. Note to Viacom: your search, player, and indexing of your online video content need some serious surgery.
Here is a Sportscenter ad talking about new security measures at ESPN.
An extra "$2 million" or 2 million chips found their way into play over the course of the 2006 World Series of Poker in August. The Freakonomics Blog points to the story of two journalists who were able to track down what happened. Read the third installment of their series to learn what happened and why a transaction called a "color-up" introduces the potential for fraud in this fast growing er, activity.
Time will tell if this incident will taint tournament poker, provide incentive for new policy, or force all the players to forgo their rest breaks.
Some text from a spam that came in this morning is below. Check out the use of the word "secure" in the URL - I wonder if spammers have figured out that the notion of security increases response rates...
A unique (time sensitive) opportunity has opened the door
for people in your situation. If you still own or have
owned property, you will want to consider these options.
Simply confirm your details with our secure database here:
Remember, poor credit will not stop you from closing this deal.
Looking forward to hearing from you.
Verisign had a study many years ago that tried to show a positive correlation between security logos and ecommerce purchasing - looks like it has filtered down to the spamming community.
On a recent United flight, I noticed Bank of America running a short 2 min? infomercial on how and why they take the security precautions that they do. BofA's SiteKey is a good solution to phishing problems, but probably not something the general public understands very well. Since I was plugged into my iPod at the time I was only able to catch the last bit of the ad, but it seemed fairly clear and straightforward, as well as sending people to the online resource with similar content: bankofamerica.com/seccurity
As if the full-disclosure debate wasn't heated enough already, along comes a Lockheed Martin engineer at the end of his chain using Youtube to air his grievances. Fascinating.
In this IDC study on VoIP security we looked at the ways telephony vendors are approaching security. Let's just say it leaves a little to be desired.
I wrote years ago about how I thought it was obnoxious that broadband providers couldn't be bothered to spend a few extra dollars on memory to embed firewalls in their modems. No idea how widespread this is, but consumers yanking broadband and chucking PCs due to malware doesn't do much for the future of the networked home. Who bears the support costs for these issues? Dell? Verizon? SBC?
T-Mobile's aspirations to provide data services to large enterprises will have an interesting time recovering from news that twenty-one year-old Nicolas Jacobsen has had free rein within T-Mobile's systems. Of course Nicolas was dumb enough to get caught - and a Secret Service agent ?!? was dumb enough to use a Sidekick for emailing and reading highly classified documents.
The Mozilla organization announced it will pay out at least $10,000 for the identification of security vulnerabilities in Mozilla. Find a vulnerability, get $500. At first glance this seems like a good idea for the Mozilla organization to capitalize on the publicity generated from security problems in IE and keep a few steps ahead in the race for secure browsers.
However, there have been a few grumblings lately about a larger trend of vulnerability information for sale. Vulnerability information has long had value, but that value has traditionally traded for fame and marketing for the researcher in the best case or a privately held 0-day in the worst case. Mozilla is not the first organization to pay for vulnerability information. There are a few vulnerability alert services who have been paying for a while - but it is the first open source organization to do so and one of the first technology "vendors" to yell "we will pay you to break our product" to the internet.
A FAQ on Mozilla's bounty program.
It appears several congressional types are trying to apply policy to the technical problem of spyware. Declan covers the issue this week.
Unfortunately he didn't even mention that the OS should enable consumers to easily control and remove the software running on their toasters and refrigerators, er, computers.
How about this for a choice: Get a better browser AND make yourself safer.
Mainstream sites like Slate and others are recommending a move to Firefox off of IE. The conversation starts on security, but ends up at better functionality. Security and risk are slowly becoming an integral part of the technology acquisition process.
A CERT advisory last week makes a similar recommendation, but how many users pay attention to CERT?
I noticed I have a few posts here on all the hand wringing over voting machines. I believe the issue of voting machine reliability is a leading indicator for customer perception and analysis of the reliability and security of many devices.
One thing missing from this debate has been a clear explanation of the threat model all the computer security types are up in arms about. Simply bumbling about yelling "the security is broken" gets attention from the techie community, but leaves the rest of the market scratching their heads wondering what should be done next. (Other than send a PR person into the fray to deny everything.)
Writing down and debating the threat model is a good start. Writing a threat model and proposing to turn it into a public challenge is one of the best ideas in a while. Avi Rubin has done just that.
Additionally, (via Farber's IP list) the NY Times today has an article on Kevin Shelley, California's Secretary of State, who has effectively stalled the market for electronic voting machines by demanding paper back-ups of all California elections. The voting machine vendors need to snap out of denial and start publicly backing up their otherwise meaningless claims about the quality of their products.
The NY Times posted a fantastic comparison between the government requirements for the security, reliability, and fraud testing of voting machines vs. slot machines.
Avi Rubin's May 5th testimony on the reliability of voting machines [pdf] is an interesting read. Especially this section:
I'd like to stress one important point. Security and functionality are completely different things. Functionality is whether or not something works when it is used as planned. Functionality can be tested, and the tests can be used to make predictions about the future behavior of a system. Security, on the other hand, has to do with how a system behaves under unanticipated circumstances with an active, dynamic adversary trying to subvert it. By definition, you cannot test a system for security the way you test for functionality. It is inappropriate and incorrect to draw conclusions about the security of a system based on its past performance. The fact that this argument is consistently put forward in defense of the security of the DREs [electronic voting machines] demonstrates just how much real security expertise is needed in this process. You would not design a heart implant without feedback from cardiologists. You would not design defense systems for the physical security of this country without consulting military experts, and you should not design systems for computerized elections in this country without consulting computer security experts. I can assure you from my analysis of the Diebold machines that no such expertise was utilized.
The bottom line? After the debacle of the 2000 election in Florida our election officials spent wildly in the hope of avoiding a repeat. The problem is the election officials had no clue what they were buying, traditional tests were insufficient, and the technology vendors were happy to rush an immature product to market to chase election reform dollars.
Threat model for carriers: loss of control over client devices.
Granted the vast majority of users will never even remove the battery, but classically fraud has been the primary security focus of carriers - as opposed to trying to prevent denial of service attacks. Perhaps the real threat of unlocked phones comes in the form of increased support costs incurred when the user of an unapproved phone calls for support that customer service reps can't handle.
A few people at Microsoft recently launched a blog called Channel 9 to talk about how Microsoft is building their products. One post that will be interesting to both readers of this blog is an interview with Michael Howard discussing the concept of threat modeling and how threat modeling can influence design and functionality decisions. He needs to sharpen his story, but the concept of threat modeling is new to most of the software development world. One interesting data point - the Windows 2003 Server security review team consisted of 40 people.
Two great lines of questioning for tech customers:
1. How many people are on the security review team for this product? How many of them work directly for you and how many of them were outside consultants?
2. Could you walk me through the threat model you used to design this product?
How would your sales team do with those two questions? Scary.
Another software company's claims of quality and security have been debunked by a part-time security researcher (he's a biologist at Harvard).
Instead of dealing with the problem by fixing the vulnerability or providing a technical response to the claim (like most large and grown-up software companies), Tegam has decided to sue the offending researcher.
Observe as this incident turns into another textbook case on turning a software flaw into a bona fide PR disaster.
Note to any computing device manufacturer still not paying attention:
Sooner or later someone will mess with your machine. When that happens what do you want your product to do?
a. Fail gracefully
b. Blow up à la Mission Impossible
c. Let college students play music
Apparently it's not bad enough that Diebold's voting machines have been dragged through the press lately. Next stop: Diebold ATM machines. Should a purpose-built machine really be running a general purpose operating system?
This email from Carnegie Mellon via Dave Farber's IP list:
>From: Carla Geisser <@andrew.cmu.edu>
>Subject: For your amusement: Broken ATM
>A Diebold ATM in Baker hall just crashed, and dropped to a Windows XP
>Several intrepid students started Windows Media player, and it was playing
>a variety of music with a nice visualizer.
>So much for security...
>Movies (with audio):
Avi Rubin, of Diebold voting machine penetration testing fame, writes about his experience as an election judge. Election officials and voters love a new technology that was not designed with a decent threat model.
In other news voting machines in several towns didn't boot up this morning.
Microsoft suggests typing in URLs instead of clicking. Granted IE is broken and will take a while to fix and Microsoft can't recommend a competitive product, but for the rest of us - Mozilla 1.6 anyone?
Worms and viruses continue to propagate faster and faster - so are the companies selling anti-virus solutions helping to solve the problem or do their products add fuel to the fire?
Combine electoral machines with security vulnerabilities and what do you get? A PR disaster for Diebold. Diebold's actions in dealing with this issue and the vulnerabilities in their products - can you say mission critical for democracy? - are a case study in how not to deal with a vulnerability. Almost all software is vulnerable to attack and so few companies are capable of dealing with these problems gracefully.
Here is a good summary of the movement against Diebold.
Security products are useful when they enhance an organization's control over information flows and system reliability. Products that filter or otherwise pick out malicious behavior are only useful as alarm systems if the number of false alarms (false positives in industry-speak) is small.
Wired has just run a story written by a woman who spent some time working as a baggage screener for the TSA. Her experience demonstrates the problems with scanning in the physical world. Unfortunately, scanning network traffic often produces similar amounts of false positive alerts.
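As an added illustration (not from the article or the Wired story), with constructed numbers: the expected daily alert mix for a scanner with a fixed false positive rate, and the false positive rate it would need in order for half of its alerts to be real. The scenario values and function names are assumptions chosen for the example.

```python
def alert_breakdown(events_per_day: float, malicious_fraction: float,
                    detection_rate: float, false_positive_rate: float) -> dict:
    """Expected true and false alerts per day for a detector with the given rates.

    events_per_day      - items screened (bags, packets, connections)
    malicious_fraction  - share of those items that are actually bad (the base rate)
    detection_rate      - probability a bad item raises an alert (true positive rate)
    false_positive_rate - probability a benign item raises an alert
    """
    malicious = events_per_day * malicious_fraction
    benign = events_per_day - malicious
    true_alerts = malicious * detection_rate
    false_alerts = benign * false_positive_rate
    total = true_alerts + false_alerts
    # precision: fraction of alerts that are worth an operator's time
    precision = true_alerts / total if total else 0.0
    return {"true_alerts": true_alerts, "false_alerts": false_alerts,
            "total_alerts": total, "precision": precision}


def max_false_positive_rate(target_precision: float, events_per_day: float,
                            malicious_fraction: float, detection_rate: float) -> float:
    """Largest false positive rate at which precision still reaches target_precision.

    precision = TP / (TP + FP) >= p
      <=>  FP  <= TP * (1 - p) / p
      <=>  FPR <= TP * (1 - p) / (p * benign)
    """
    malicious = events_per_day * malicious_fraction
    benign = events_per_day - malicious
    true_alerts = malicious * detection_rate
    return true_alerts * (1 - target_precision) / (target_precision * benign)


# Constructed scenario (assumption): a million screened items per day, ten of them bad,
# and a scanner that catches 99% of the bad ones.
SCENARIO = {"events_per_day": 1_000_000,
            "malicious_fraction": 10 / 1_000_000,
            "detection_rate": 0.99}

if __name__ == "__main__":
    # A "mere" 1% false positive rate buries the ten real hits under ~10,000 false alarms.
    r = alert_breakdown(false_positive_rate=0.01, **SCENARIO)
    print(f"true alerts/day: {r['true_alerts']:.1f}, false alerts/day: {r['false_alerts']:.1f}, "
          f"precision: {r['precision']:.4%}")
    # To make half the alerts real, the scanner would need roughly a 0.001% false positive rate.
    fpr = max_false_positive_rate(0.5, **SCENARIO)
    print(f"false positive rate needed for 50% precision: {fpr:.2e}")
```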
The NYTimes had a story a few days/weeks? ago, now available in bits and pieces (or here) on how hobbyists have taken to modifying the Xbox to turn it into a PC.
While many think of this in the way car manufacturers view replacing parts of a car to improve performance, Microsoft is not pleased. Contrast the Microsoft attitude with the attitude of Lego - who has (I believe) worked to encourage people to tear their products apart. (Hmm, chances are good they might buy another one!) Good if your margin is in hardware, bad if it's in software.
Bottom Line: Unless you design and build a system to be resilient to attack, you will not get much sympathy when someone uses your technology for something you did not intend.
The digital security industry has long understood that security through obscurity is almost always a temporary solution and never a solution that can be relied on. The rest of the world has yet to figure this out. According to the Washington Post a grad student has created a map of all US businesses and the physical communications links that connect them. Federal security types are aghast - even Richard Clarke, the erstwhile counter-terrorism czar, commented that the map should be burned... Seriously, who is he kidding?
Maps are valuable. This one makes it very easy to determine where the weak points in our nation's communication systems lie - which means maybe we should be using it as a basis for building the redundancy and security that many customers thought they were buying all along. This map creates a body of information we should have had long ago - who cares if it exposes some poor decisions that were made along the way. It exposes the numerous places where communication lines are shared, mixed, and connected - leaving us with another reminder that in many cases it is impossible to tell where one entity stops and another begins. In cyberspace the perimeter is dead. We are all connected - which means the psychopath that lives on the other side of the planet might as well live next door.
Questions articles on this topic have yet to answer:
- What is the definition and severity of intrusion required to trigger an alert?
- Is this being done because most banks rely on customers to point out inconsistencies on account statements?
- How often do banks get hacked and then not say something? If the bank does not say something, how often is that a problem?
- Since when was the Software Business Alliance involved in setting security oriented government policy?
- Who are the true beneficiaries of this bill? Consumers - powerless to react? Or security software and services companies who will help banks prevent and investigate intrusions?
- Will security services firms be required to report intrusions at banks to government authorities? (and break long-standing non-disclosure and confidentiality agreements?)
- Will banks now report intrusions the same way airlines report on time arrivals and departures?
This is interesting legislation. However, I think it may be solving a problem that does not yet exist. Anyone who has read the legislation (or at least has a link to it) and can provide answers to the questions above - please comment.
The AP is reporting that a recently discovered flaw in Microsoft's Passport could (in theory) result in a fine of up to $2.2 trillion (!) based on a settlement last year with the Federal Trade Commission.
The vulnerability looks like a pretty common web application vulnerability. The write up of the vulnerability is posted here.
Rough timing given that Bill has been trotting around the globe telling developers about how a little crypto in the hardware is going to make everything better...
When you look at my Guide to Homeland Marketing - I wrote it half in jest, but the story is playing out well. The use of Homeland Security in marketing is on the rise. Today's Washington Post took a visit to a recent government supply trade show to find numerous "Homeland Security Solutions" - in other words - Homeland Security has become the latest and greatest way to justify government purchasing.
Thanks to Dave Farber's IP list for the link.
CSO Magazine has just published a good article on why FUD is bad business: nobody wants to hear it.
Product marketing types take note - if you rely on FUD to sell your product, your customers will be unable to justify the expense. I especially like the comment about how CSOs who justify investments with FUD lose credibility with other executives.
Microsoft is sponsoring secure coding classes at several universities. Developer education in computer science and software development has been conspicuously absent from the curriculum for a long time. Regardless of how you feel about Microsoft's security initiative - kick-starting the inclusion of secure engineering principles in university level computer science programs is long overdue.
I doubt Scott Charney's Trustworthy Computing group at Microsoft and the marketing exec who tried to run this advertisement spoke much before this ad went to press. Charney's group is too savvy to be the source of a message claiming MS products are so secure hackers will become extinct. If a marketing exec is able to run ads like this, it does demonstrate the extent of cultural change MS needs to instill in the organization, before everybody understands and can achieve the goals of the Trustworthy Computing initiative.
On the other hand, the conspiracy theorist might say the Trustworthy Computing initiative is simply a marketing ploy that will not change anything about MS products. Attempting to run this ad reinforces the marketing ploy argument.
For some great commentary check out the /. conversation.
This is one small part of what makes marketing security so hard - when you try to claim victory, people in the know point at you and laugh.
According to the Washington Post, Visa receipts will soon show a lot less credit card information. Receipts will no longer show expiration dates and the card number will be limited to the last 4 digits.
All this to help curtail identity theft. I'd love to see Visa's analysis of how many identity thieves use the information from receipts to obtain credit card numbers and how this effort helps.
From a marketing and PR standpoint, it's certainly a good move - I wonder if Visa's lawyers determined the card numbers and expiration dates on receipts represent a liability risk?
Many point of sale (POS) terminals will have to be updated to comply with the new policy. Verifone, Trintech, and Hypercom should see some nice bumps in spending.
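As an added example, not from the article or from any POS vendor: the receipt format before and after the policy change described above, plus a small audit check that flags receipt text still carrying a full card number. The card number is the constructed, well-known "4111..." test number, and all function names are assumptions for this example.

```python
import re

# Constructed sample values (assumption): the standard test card number and a made-up expiry.
SAMPLE_PAN = "4111 1111 1111 1111"
SAMPLE_EXPIRY = "12/09"


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used on payment card numbers; weeds out typos and random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes and reject anything that is not a plausible card number."""
    cleaned = re.sub(r"[\s-]", "", pan)
    if not cleaned.isdigit() or not 13 <= len(cleaned) <= 19 or not luhn_valid(cleaned):
        raise ValueError("not a plausible card number")
    return cleaned


def receipt_line_old(pan: str, expiry: str) -> str:
    """Pre-policy receipt line: full card number and expiry date printed."""
    return f"VISA {normalize_pan(pan)} EXP {expiry}"


def receipt_line_truncated(pan: str, expiry: str) -> str:
    """Post-policy receipt line: last four digits only, expiry omitted entirely."""
    cleaned = normalize_pan(pan)
    masked = "*" * (len(cleaned) - 4) + cleaned[-4:]
    return f"VISA {masked}"     # expiry deliberately unused


# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_exposed_pans(text: str) -> list[str]:
    """Audit helper: return every Luhn-valid card-number-shaped digit run in receipt text."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[\s-]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


if __name__ == "__main__":
    old = receipt_line_old(SAMPLE_PAN, SAMPLE_EXPIRY)
    new = receipt_line_truncated(SAMPLE_PAN, SAMPLE_EXPIRY)
    print("old:", old, "-> exposed:", find_exposed_pans(old))
    print("new:", new, "-> exposed:", find_exposed_pans(new))
```

Running the audit over a batch of receipt templates (or a day's printed receipt log) is a cheap way to confirm the terminal update actually took.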
A story on Wired claims that finding holes in software is a waste of time since as far as we can tell most vulnerabilities are rarely exploited.
As I wrote in the paper The Injustice of Insecure Software, the penetrate and patch mentality of the software industry is inherently flawed. It does not work today and can not scale to meet the demands of software that plays an ever increasing role in the safety and health of daily lives.
The audacity of the current system is not that the majority of vulnerabilities do not turn into flaming exploits like Code Red and Nimda, but that most software vendors do not examine the unintended functionality of the software they write. Quality assurance groups are so focused on making sure software does what it is supposed to do that they rarely spend time examining unintended functionality.
As software becomes an integral part of the way things work in both the virtual and physical world, software customers can not continue to accept software riddled with security vulnerabilities. Just as a development team designs for performance, reliability, ease of use, and quality they must also design for security. By designing for security you get the value of quality and the ability to sell to the likes of GE and Sprint. You also get to avoid the costly and negative investment in patching the holes your customers find in your software.
For a view into some of the latest vulnerabilities that influence our life in the physical world, check out this article on traffic control software in the latest issue of Phrack.
The New York Times today has an article describing the challenge of identifying names within a large database. In this case, the database is of known terrorists and the article does little to convince anyone that security agencies will be able to screen for terrorists based on names. This software has a long way to go before it can be used confidently to identify individuals in a multi-cultural society.
Sprint is demanding secure software. I believe this will help them increase the reliability of their services. Security in the telecom industry used to be focused on fraud - preventing people from obtaining free telco services.
With packet-based networks, the telco threat model has shifted dramatically. Security is now a quality of service issue. Data communications hardware has long had to meet stringent reliability requirements. Security standards will augment those requirements.
I am currently aware of two major corporations with security requirements for software procurement: Sprint and General Electric. If you know of others, please comment.
As a side note - check out how dumb AT&T and Qwest sound in the article for not requiring vendors to deliver secure software.
Microsoft has known this for years, but others are starting to get a clue about the value of digital identity. Carol Cove Benson has recently done a good job of describing this dynamic in this article on the marketing value of digital identity.
To be fair, this is where the PKI craze of the late '90s was attempting to demonstrate value. Web services, PKI, and the ability to derive business value from digital identity (apart from reducing fraud) may finally result in good solid authentication on the Internet. Too bad the Liberty Alliance may not pull it off.
As a side note, I predicted in 199 that PKI technology would find its first large deployments embedded deep inside other applications. The suits simply could not figure out a way to make PKI deliver the business value that Carol describes. Web services apps, SAML, the Liberty Alliance, and a few marketing types that actually have a budget, might be able to get somewhere.
Also: You have to love Carol's rant against the word federate (and its derivatives).
Here is Webster's definition of federate (Normal people are supposed to know what this means? Webster's can barely figure it out.)
Main Entry: 1fed·er·ate
Etymology: Latin foederatus, from foeder-, foedus
: united in an alliance or federation : FEDERATED
Main Entry: 2fed·er·ate
Function: transitive verb
Inflected Form(s): -at·ed; -at·ing
: to join in a federation
1 : something formed by federation: as a : a federal government b : a union of organizations
2 : the act of federating; especially : the forming of a federal union
I just came across an article by Gene Spafford on open vs. closed source security. His answer comes down to "it depends." If security is not a core component of the design goal - the end result is an insecure product.
I'm not fully convinced security is in fact the #1 inhibitor to enterprise deployment of wireless LANs - I need real data to convince myself of that one. (Despite being one of the quoted data points in this article...)
What I DO find interesting, is the way the wireless LAN industry has been singled out for security problems in early standards. I have said it before: the marketplace has become security aware and will no longer accept new technologies that do not address security from the ground up.
Paying for port scans? You might be if you are connecting to the net via a wireless GPRS network that bills by bandwidth usage. It's bad enough GPRS network infrastructures are full of holes - to make customers pay for traffic because the service provider has not had the decency to install a firewall between the net and the wireless infrastructure is irresponsible.
Wired attacks have already migrated to the wireless world. If a journalist can tell, shouldn't the service provider be able to tell too?
Since the senate approved Bush's homeland security bill today, I thought I would provide a guide for vendors looking to make a buck or two from this colossal merger of federal agencies.
Abner's guide for how to make Homeland bucks with your security product:
Step 1: Attach your brand to Homeland Security by plastering flags and the words "Homeland Security" all over your marketing collateral.
Step 2: Prove a threat exists that your product mitigates.
Step 3: Convince others your threat is a bigger threat than everybody else's pet threat.
Step 4 (optional): Find a non-security business problem your product also helps solve in order to establish a clear ROI.
Rinse and repeat as necessary.
P.S. While the above might actually work, I tend to agree that Senator Byrd's questions are good questions to ask. With all the hubbub around establishing the Homeland Security Department, why are our priorities still out of whack with reality?
Craig Mundie marked the first year of Microsoft's Trustworthy Computing initiative during the Silicon Valley Speaker Series. The transcript of Mundie's speech provides an interesting insight into how far Microsoft has come and some of the hurdles ahead.
The biggest question I have of Microsoft's security strategy is whether they have done enough soon enough.
Mr. Mundie says the right things when he speaks of building software that is "secure by design, secure by default and secure in deployment." He equates security and reliability, and he is aware of the cost of the company's numerous privacy gaffes over the last several years.
The products receiving the most security attention either hit the market in late 2001 to 2002 or are still in development. The installed base is where the danger lies. Out of an estimated 400 million people on Windows, the vast majority are on Windows 95. I would like to see a breakdown of what the server world looks like and the speed at which the installed base adopts the XP server OS. If Microsoft cannot convince the world to upgrade to newer versions, the company will find themselves in a marketing catch-22.
Best Case vs. Worst Case:
In a best-case scenario, MS products should become incrementally more secure as Microsoft's internal training adopts increasing amounts of security content, developers begin to innovate in a secure fashion, and products presently in the design stage are actually designed secure from day 1. (Products that were in the design stage two years ago and coming to market in 2002 and 2003 will probably receive security testing and design reviews.)
A worst-case scenario would be if Mr. Mundie's speech is all hot air and the organization has not found the religion Mr. Mundie professes.
The impending catch-22:
In order to actually improve the security of the electronic infrastructure, and renew trust in Microsoft products, the company needs to migrate the installed base off of old products and onto new ones in the middle of a recession. From a marketing (and perhaps a liability?) point of view, Microsoft must make the case to upgrade beyond "it's more secure because the last product we told you was secure really was not."
Or "we convinced you to buy the last product when times were good, but the quality was really bad and probably left you vulnerable to numerous attacks, so buy this new one and that won't happen again - trust us."
Even if products coming to market today have received world-class security reviews, they were designed two years ago when security was not a priority. Somehow Microsoft will have to convince the installed base to trust them again. I imagine they will get outside consulting companies to write white papers describing how much "more secure" product X is over the last version.
In the security world, if you can not prevent someone from exploiting something, you build a level of accountability into the system, so that you can track them down after the fact. Trust is for sissies.
I wonder to what extent the market will hold Microsoft accountable for the security of their products?
1. "Trust is for sissies." is an original line from Dr. Daniel Geer or Bob Blakley - I'm not sure which one of them stole it from whom.
I think security should be a core component of marketing, engineering, and training strategy for every tech vendor that sells infrastructure components and mission critical apps. Here's why.
1. Customers Are Becoming More Discerning:
Large customers are learning about the risks certain products and technologies represent to high value information - wireless LANs and web services are two current targets. Sales teams are likely to encounter questions concerning: security quality assurance, developer and customer security education, vulnerability response, and government regulations like HIPAA, Gramm-Leach-Bliley, EU Privacy Act and The Patriot Act.
2. Security Patches Are Expensive:
Large software vendors spend roughly $100,000 to produce a security patch for each platform a product supports - often driving costs to over a million dollars per vulnerability. The burden on customers is even greater as IT personnel work overtime to protect themselves from new vulnerabilities.
3. Leading Vendors Are Building Secure Reputations Haphazardly:
Microsoft, Oracle, IBM, Sun, and Cisco all use security as a message in their marketing efforts. These leaders and many others all address components of a customer's desire to manage risk, but few profit from these efforts due to a focus on functionality and not the multi-faceted and interwoven tasks of managing risk.
Note: I intend to go into detail on each of these three points in separate postings over the next couple of weeks. Stay tuned.
The latest issue of @stake's Secure Business Quarterly is on vulnerability disclosure.
If you work for a technology vendor of any stature you need to read this latest issue and last year's Q3 issue on application security.
My take: Major software vendors spend between $100,000 and a million dollars per patch - and that's just to post a patch to a web site.
The cost in customer time in testing and installing patches and the increased load on customer service departments takes the figures through the roof.
According to CERT, 2,437 vulnerabilities were reported in 2001, up from 1,090 in 2000 and 417 in 1999. At a conservative $75k per vulnerability, security patches (assuming the vendor patched the problem) cost vendors roughly $183 million last year. Never mind the pain felt by customers, the damage to a vendor's reputation, and the load on service reps responding to patches breaking applications.
Note: The cost per patch data comes from my own informal survey of several of the few vendors that are savvy enough to even track it.
1. Has invested heavily in touting the product security.
2. Still needs to make massive investments to convince the marketplace
- It's Microsoft.
Convincing the Issue Elites* that your products are secure takes far more than a couple of well placed marketing campaigns. Microsoft not only needs to examine 80 million+ lines of code, but also needs to revise training programs for internal and external developers, examine the core architecture of how the OS interacts with applications, and then convince a group of professionally paranoid engineers that progress has been made.
Selected Allchin/Forbes security bits and more in the full entry. Thanks to Scott Loftesness for bringing this chat session to my attention.
* Market research parlance for the people who are the trusted sources of information on particular issues - in this case security professionals.
EndoLast: What effect on business do you see from the drive to create uniform security standards for government IT systems?
JALLCHIN: Governments have some specific needs that businesses might not, but that depends on the government agency. The whole industry needs to improve related to security. We are committed to being a leader in this space. There is still a lot for everyone to learn in the security space. CC win for W2K is a step. CC will happen for XP shortly. Both are good steps, but much more is needed. I believe investments we are doing in things like Palladium will give businesses a lot of control and a NEW level of security not achieved before.
Interesting - "a new level of security." Palladium is a mechanism for content owners to CONTROL content. It does nothing to improve reliability. However, it could potentially help with larger authentication and authorization issues.
EndoLast: Could you elaborate on what you mean by a lot to learn in the security space?
JALLCHIN: Long answer... here it comes...
1. Can't the OS be made more secure from viruses? Technically, it would seem to me that behavior blocking is a much better technique than anti-virus approaches today. AV is after the fact. I want to find a way to stop it without loading a signature (which has to be created AFTER the outbreak).
Try separating the OS from applications that communicate with other computers - email and browser apps would be a great place to start.
2. PKI vs. private key.
3. Federation between companies with different models
Clearly one of the harder questions of the day. This forces security to be addressed in the application architecture and major standards like SOAP and XML.
4. role of biometrics, and on and on....
The role of biometrics?? Biometrics have error rates. My money says no biometric company breaks the $150 million mark in the next 5 years. (Revenues from physical access control systems don't count.)
I have few doubts the Wi-Fi News site is correct in criticizing inaccurate statements on wireless security. What I find most interesting is the amount of time and energy the wireless LAN industry is spending on security, now that a reputation for poor security has been established.
Note to developers of other technologies:
Just like oil companies and the safety of oil tankers, once you blow it, it takes a long time to regain customer confidence.
I believe the wireless industry will overcome these challenges, but I'm not convinced the market will be as accommodating for the next big technology that does not equate security with product quality.