Network Security Blog

Happy Halloween, everyone!  There might be a better holiday, but few match Halloween for sheer fun and craziness.  Kids are great for reminding you just how exciting it can be.

Tonight’s podcast is a discussion about the convergence of physical and logical security in the enterprise and government.  I’d like to say the whole thing was my idea, but the truth is, Brian Contos approached me with this idea several weeks ago.  We discussed why the two disciplines are converging, the business drivers, what it means to both security and privacy, and what’s going to be happening in this arena over the next five years.  It’s a fascinating topic.

The guests tonight were Brian Contos, Chief Security Officer, ArcSight; William Crowell, security expert, executive business leader and former Deputy Director of the NSA; Dan Dunkel, president of New Era Associates; and Colby DeRodeff, GCIA, GCNA and Senior Security Engineer at ArcSight.

Network Security Podcast, Episode 50, October 31, 2006

Time:  1:14:39

Tonight’s music:  Halloween by the Coffin Shakers

Thanks again to Astaro for sponsoring the podcast.  Call them at 877-427-8276 to get your free demo unit.

Technorati Tags: security, McKeay, convergence, Arcsight

Mike Rothman at Security Incite sent me a link to this rant by Scott Adams this  morning.  I almost took it seriously until I got to the third or fourth paragraph.

Rich Mogull at Securosis call’s it like he see’s it: “If You Think Boarding Passes and ID’s Improve Security, You Shouldn’t Be in Security.”  Not that I disagree with him, but it’s harsh thing to say.  After all, if we were to use his logic, half of the TSA would be out on the street looking for a new career.  That’d be a bad thing, wouldn’t it?

Technorati Tags: security, McKeay, boarding pass, security theater

I guess the Security Round Table conversation on Instant Messaging was pretty timely:  IM attacks are growing at an incredible rate and shows no sign of slowing down. 

Just out of curiousity, how are your businesses handling this threat?  Are they A) installing proxies, B) Blocking it as well as they can or C) Ignoring it, hoping it will go away?  I’m not going to set up one of those fancy polling solutions, just leave me a comment.  This is, after all, a very unscientific poll.

Technorati Tags: security, McKeay, Instant Messaging

I don’t know about you, but I have two little superheroes that can’t wait for tonight!  And just in case you don’t recognize them, they’re Dash and Superman.  And me, I’m just an imp, minor creator of mischief.  Or someone who was too lazy to create a real costume.

                        

It’s wrong that businesses think that it’s okay to put this sort of measure in place:  a flyer delivery service in Australia has asked all of the teenagers working for them to strap on a GPS to be tracked while they make their rounds.  The business has even been thoughtful enough to include a letter of resignation with the GPS’s, so that their workers know exactly what’s important to the business.

Technorati Tags: security, McKeay, tracking

I finally found the time to edit the sound for the latest episode of the Security Round Table over the weekend, and asked Michael to post it for me.  Larry, Alan and I talked to Krishna Kurapati, CTO of Sipera systems about the potential and pitfalls of Instant Messenging in the enterprise.  For better or for worse, IM is here to stay and we’d better do what we can to adapt. 

Technorati Tags: security, McKeay, Instant Messaging, Security Round Table

If there’s nothing else I respect about Mike Arrington, it’s his directness and willingness to say exactly what he thinks.  So when he gives an online car purchasing service like CarsDirect a review like this, I have to think that maybe I’ll try the service next time I buy a car.  And since he was at the Disclosure Round Table last week, I know he’d be disclosing if he was involved in any way, shape or form with CarsDirect. 

The audio from the Disclosure Round Table (Why is it I seem to be drawn to any discussion calling itself a ’round table’?) is online over at the Social Media Club web site.  It’s long, at almost two hours, but I think this is the start of a conversation bloggers need to have. 

Mike Rothman didn’t quite call me naive for being a part of this and expecting it to make a difference, though I’m pretty sure he wanted to.  He makes a good point, in that the ‘unethical scumbags’ will always be unethical and no code of ethics we might write will change that.  However, I do believe that the majority of people out there would rather be ethical than not, and by writing out the ethical guidelines for bloggers, those who desire to be ethical will now what’s expected.  It’s more about giving bloggers a heads up before they step over the line, or just notification that there is a line to be crossed.

Will it work?  Heck if I know.  I’m an optomistic cynic:  I hope for the best out of people but plan for the worst.  Sometimes you’ve got to give people enough rope to hang themselves on the off chance they may find a better use for the rope.

Technorati Tags: security, McKeay, blogging, ethics, blogging+ethics

Here we have another wonderful example of our government spending more time and energy maintaining the illusion of security than actually making the country secure.   This is such an utterly ridiculous example of security theater.   And I’m sure the federal government and the FBI really appreciate every rational security professional in the country pointing out how stupid they’re being.

If you give people the ability to print their boarding passes at home, you also give them the ability to quickly and easily create fake boarding passes.  The stupidest part of this whole melodrama is that it’s not even that hard to get through the security at airports.  Heck, if you really want to get into the secure area, just go buy a cheap ticket on a local flight, which for me would be from Oakland to Las Vegas.  Who needs to go through all the trouble and possible problems of creating a fake pass when you can purchase the real thing so cheaply.  If I’m a bad guy, trying to do bad things, that’s what I’m going to do: go right through the security measures with a legitimate pass, rather than taking a chance that someone might catch on.

I think the thing that scares me the most about this is the righteous indignation our politicians are responding with.  It’s not like Christopher created the system and it’s weaknesses.  He’s not giving the terrorists a tool they didn’t have before or really even needed.  He’s pointing out a chink in the armor of our airports, somethign that never gave more than the illusion of security to begin with.   I’m not going to the point of declaring the way he’s being treated as illegal, but that s one threads I’m starting to read more often.

I like what Wil Wheaton said in a comment on BoingBoing:

I wish the government spent 1/10 the effort tracking down really bad guys as they spend going after American citizens who use their constitutional rights.

Some of the links I’ve been following:

• On Printing Boarding Passes, Christopher Soghoain-style.
• FBI Raids creator of fake boarding pass generator.
• Researcher raided by FBI for blowing whistle on Airport security
• FBI returns to “Fake Boarding Pass” guy’s home, seizes computers
• Fake Boarding Pass Generator guy and the FBI:  What about the law
• Wired: 27B Stroke 6:  I’m going to have to add this site to my RSS feeds.

Technorati Tags: security, McKeay, boarding pass, Christoper Soghoian