Blogging and twittering

Hi All,

Although it may seem like I've been gone a while, I have actually been blogging elsewhere. I have been contributing regularly to blog.astaro.com. I haven't been posting here, well, because I simply don't have time for both ;o) I will see if I can repost to my blog here. Most of the articles are written as general commentary and tips for tech generalists who don't focus on security all day, but who need to be mindful of basic security issues.

Also, I am now on Twitter. Follow me @tccroninv.

On a personal note, Ben is growing up way too fast. He is talking up a storm, potty training, getting really really tall and just simply being the average 20-month-old. He is the best thing ever. In the history of ever.
Posted on 1:10 PM by Tim Cronin | 3 Comments

Going Around In Circles

Let's not start that again...

As of late there has been a heated debate in the community about whether various forms of standards and compliance are effective at actually securing systems and networks. Just a quick note:

The first post I read today is from Ascension Risk Management. It laid out a detailed point/counterpoint that, suffice to say, leaned towards the conclusion that standards and compliance are not effective: for something resembling a standard to be effective, it must be made either too narrow or not actionable. This is a good argument, but it doesn't tell the whole story.

The next blog post I read is from Emergent Chaos. It was about the fact that, after former/embattled/kind-of/not Senator Norm Coleman's campaign infrastructure was broken into, and there may possibly have been a breach, donors found out via Wikileaks rather than from the campaign. One quote sticks out:

"We need public, documented and debated standards of how such decisions should be made. With such standards, organizations could better make decisions about risk. Additionally, both regulators and the public could be more comfortable that those piping up about risk were not allowing the payers to call the tune."

So within the same day, there is one school saying that standards are ineffective and another stating that we need more standards in order to sort through the varied methods people use for security-related tasks. What a vicious circle.

I am on the fence. I think that without standards, a good number of small and medium-sized businesses would have no security or extremely lax security. Standards do help to push these organizations into doing more to protect data. On the other hand, for a competent security practitioner, these standards are simply "fill in the box" tests to adhere to. That security practitioner is likely doing more to secure the infrastructure than the standard accounts for.

I think standards are simply not scalable. If there must be policy, it should reflect the end result, not the means. It is better to say "you are liable for any breach that occurs" than "you are not allowed to have SSLv2 on your hosts". In this way, it should create an incentive to have network owners and operators think about how to go about security. If there's a breach, they are liable, after all.
Posted on 5:09 PM by Tim Cronin | 1 Comment

Thoughts on Conficker

well, if you can call them thoughts

Long time since my last post. There has been a lot going on in the personal aspects of my life. One of the things that I am happy about, though, is that Red Sox baseball is now in full swing. Today is the first of the infamous Red Sox/Yankees games.

So, speaking of Conficker...

Today's game is turning out to be as hyped up, with as few results, as Conficker. Even the blogosphere has been less active about Conficker since April 1st. Admittedly, this worm is the first really widely spread worm since my intro to the technology industry. I was expecting to hear of or see infections first- or second-hand, but I have not. While I'm happy that Conficker was contained in my part of the planet, it was hyped up quite a lot.

Today's game is not going so well for the hype either. Joba Chamberlain's outing was uneventful. This is similar to the April Fools' Day event: lots of hype, but no substance. In fact, Youk was walked twice, not beaned.

All of that being said, today's game will have a winner, and there will be some events worth cheering or booing. This is like Conficker: there is substance, but it does not come in an exciting, ratings-grabbing manner. Daily followers of either will find something interesting, and there will be something new to learn.

Edit: This game (and the series as a whole) was actually quite exciting. Maybe the best is yet to come from Conficker...
Posted on 9:11 PM by Tim Cronin | 0 Comments

Happy April Fools' day!

Quick update: Conficker did not display "Happy Birthday Vovo!" like I had hoped. (Nor did it do much at all, but that doesn't mean it is any less troublesome.)

My favorite April Fool, the funny RFC, actually makes a little bit of sense this year. In past years it has ranged from telling you how to send IP in the most efficient manner to how to monitor your network properly. This year it is a way to teach IPv6 and get more IP addresses out there. It is a joke, because these addresses are not "real", but it's an interesting thought. I think I will use the analogy to explain IPv6 from now on... (I'll always give credit to RFC 5514.) They actually made a Facebook app :o)

Google introduced an automated you for Gmail, but I liked the printed and mailed emails idea better (from a previous year).

And in case you want squeeze bacon, see ThinkGeek.
Posted on 10:46 PM by Tim Cronin | 0 Comments

My Conficker Note

Sorry for not posting for a bit; my personal life has been busy lately (we moved, hopefully for the last time in a long, long time).

There has been a lot said about Conficker (Downadup, Kido, the April Fools' Day worm, etc.). I can't really add anything new that hasn't already been said on the Security Bloggers Network. What I would like to say is that I hope what it does is simply make all the infected computers say "Happy Birthday, Vovo!", because the now-infamous April 1st target is my Vovo's birthday and I always forget to call. (If it does do this, I swear, I didn't make it happen...)

(Yes, this is my sense of humor, and if you like it then I am your friend for life. Nobody gets me :o)
Posted on 12:34 PM by Tim Cronin | 0 Comments

"Google Hacking" made easy

sort of...

A lot of people use Google to find information on a "target" or "mark". A lot of the time this is a person, an organization or a machine. If your mark is a person, there is now a web service that does this easily, www.pipl.com. The New York Times outlines it in the article "When Googling a Person (or Yourself) Isn't Enough".

Okay, so these services have been around for a while and the end of the world didn't show up. This is the typical kind of piece that is important to know about, but not to lose sleep over. The information that Pipl finds is not generated by searching databases that are normally off-limits. It does dig a bit deeper than Google does by default, but all the information is still public. The bigger question, when you find something about yourself that you didn't expect, is: how did the original recipient of this information make it public, and why did I not know?

I think Pipl is a good thing because it allows average people to find information that nefarious people may have found anyway. Thoughts?
Posted on 2:37 PM by Tim Cronin | 0 Comments

Really Quickly

I was typing an email to my wife and noticed that MS Outlook knows that Comcast should be capitalized. I wonder what other conglomerates are large enough to have their names known to Outlook.
Posted on 7:18 PM by Tim Cronin | 0 Comments