Okay, so that's traffic shaping and I know it's not as simple as I make it out to be, but the approach used here seems crude and a waste of man hours.
"Man hours"? Don't you mean "evil genius" hours?
Wow! Now that would make for a popular nuclear missile target I'll bet.
I went to Jesper's presentation at Auscert in 2005 where he came out with the stunning "write down your passwords" revelation. (Previously espoused by Bruce Schneier years ago.)
His talk was an hour of how to jam as many funny pictures into a talk and attempt to get "in" with the geek crowd by poking fun at the security establishment.
It was kind of pathetic.
He then went on to attend a Thor Larholm presentation and attack Thor at the end of it. It was stupid and untidy. I thought Thor handled it well. Jesper lost all respect from me at that point.
BTW the attack was basically Thor going through some old .JPG processing vulnerability in Windows and examining it. He stated at one point this can't have been reviewed as a very basic buffer overflow was missed.
Jesper then piped up and stated it was reviewed "because I reviewed it." Blah blah blah.
Jesper and another MS security manager (I think there are about 700 managers personally responsible for security at Microsoft) continued the attack, making themselves look rather silly and Thor look very balanced and well mannered.
Got a source newer than 2001?
What you talk about isn't akin to Biological diversity.
If you took the Biological diversity to the nth degree, what you are talking about is designing systems with the goal that SOME systems will survive a given threat being realised. Hence the species survives.
Biological diversity in IT security: people are stating that we should use all flavours of operating systems, application systems, etc.
The problem is we (humans) are not really interested in "some systems surviving."
We are interested in "ALL systems being secure." Whatever that means.
In this regard, I assert that the goal of biology is survival. The goal for IT or information security is stability, reliability and predictability (or CIA, if you like those terms).
This is why technologies that provide immunity (hardened, well understood builds and AV lists of known pathogens) or rapid response (AV signature updates) to threats tend to be the successful products.
It is a bit hard to update your very large fleet to defend against a known vulnerability when you don't know what the hell is in your fleet. This is why I don't like the "biology" model being pushed as an answer to security problems. (By some VERY big names in the IT security profession.)
Usually comes right before an attack on the most used operating system on the market. ;-)
The trouble is we have never had these kinds of population before. Remove the power generation and we have to return to old world techniques.
This effectively means we can no longer feed everyone.
No machines to pick the crops. No trucks to get them to us. Etc Etc...
We have an interesting energy problem because populations have never been this high.
Current financial wisdom relies on "growth". Growth is unsustainable for these reasons. We keep growing. We won't survive for too long. At least not in a meaningful way as we know it.
Oil will run out, icecaps will melt and The Sims add-on packs will stop coming out.
Not a good outlook really.
LOL! Nice 10 year old flaw.
There are better ways to pick on SecurID than that.
The reality is it changes the mix for the banks just enough to be useful. Not cheap though.
He's not but I'm the CEO of your company.
Now get back to work.
15 Naked advertisers. You?
And what do you think the crooks would do if every bank used this protection?
Trojan and Phish the hell out of all of them. There are only so many questions they can ask.
NOW the crooks have MORE private info about you.
Ooops! Great idea ING.
Except Phishing relates to more than Banking.
There is phishing on eBay, domain registrars, web hosting companies and rewards programmes.
Should they be responsible too?
Stupid idea.
Pretty in line with Schneier's borderline brilliant/mad history.
No it won't. It will give you a nice warm false sense of security though.
I hope you enjoy it. And your joke emails with dancing half naked chicks. After all, when people come after you for damaging the environment with stupid software, you can always blame IT for allowing you to see it in the first place. ;-)
I'm waiting for the cruelty to ensue.
"Place a hair into the reader."
"YOU INSENSITIVE PRICK!"
If you didn't want them or care about them you would probably shove them in front of a computer to shut them up. I'm guessing you would also fail to care what games are rated/contain.
I'm a bone arsed lazy WRT54G owner. Can you show me where to get firmware to do this? :-)
At this price I'm sticking with Star Wars Monopoly.
Amen brother. Whoever would have thought in 1994 that usenet posts would hang around forever.
*Sigh*
My logic fallacy meter is spinning off the dial!
A quote from "A Man for All Seasons" that I thought quite relevant to this comment.
More: There is no law against that.
Roper: There is! God's law!
More: Then God can arrest him.
Roper: Sophistication upon sophistication.
More: No, sheer simplicity. The law, Roper, the law. I know what's legal not what's right. And I'll stick to what's legal.
Roper: Then you set man's law above God's!
More: No, far below; but let me draw your attention to a fact - I'm not God. The currents and eddies of right and wrong, which you find such plain sailing, I can't navigate. I'm no voyager. But in the thickets of the law, oh, there I'm a forester. I doubt if there's a man alive who could follow me there, thank God....
Alice: While you talk, he's gone!
More: And go he should, if he was the Devil himself, until he broke the law!
Roper: So now you'd give the Devil benefit of law!
More: Yes. What would you do? Cut a great road through the law to get after the Devil?
Roper: I'd cut down every law in England to do that!
More: Oh? And when the last law was down, and the Devil turned round on you - where would you hide, Roper, the laws all being flat? This country's planted thick with laws from coast to coast - man's laws, not God's - and if you cut them down - and you're just the man to do it - d'you really think you could stand upright in the winds that would blow then? Yes, I'd give the Devil benefit of law, for my own safety's sake.
I would argue that the case for platform diversity is VERY difficult to make. PARTICULARLY in corporations.
The argument goes: in nature, species survival depends on diversity to maintain some portion of the population who can survive the onslaught of some new contagion. SO in computers we should mimic nature and have a heterogeneous mix of software so our computer networks can survive worm/virus contagion.
BZZZT!
Networks and corps are different to species. Computers don't multiply and diversify as a natural result of that. The only thing diversity in computers gives you is a CRAPPY understanding of your network and the risks therein. Oh and a fairly good likelihood that SOME computers in your environment are vulnerable to EVERY exploit for EVERY platform released.
Corporates or networks don't need SOME computers to survive. They need ALL to survive. Data is sacred not computers. Data is located in far flung pockets of the network. The loss of even small amounts of data can be disastrous. Telling someone "it's ok cos' some of our computers survived" will get you fired.
As far as I am concerned for corps the solution is to have a well understood build that is well protected from likely contagions and strong procedures, processes and technologies to rapidly detect and limit any outbreaks.
Computer security is about building strong immune systems and rapid inoculation against new contagions. It probably will be for a long time. Survival of the fittest does not work.
Oh, contagions in computer terms are different to the real world as well. Real world contagions are mutations. Good ones are flukes. In computing they are intelligent, in that the developer is motivated, malicious and works hard to defeat your defences. They test their software against common inoculations such as anti-virus software and ensure it is resistant to them.
Aaahhh. Rant over.
And yet like KFC, you keep coming back.
The (Like Microsoft) was the clue for me.
The Reg covers it off.
http://www.theregister.co.uk/2005/05/09/rosen_joke_jobs/
Unfortunately the prize they give away is your data.
They USED to (2 weeks ago) collect ALL data. Even SSL traffic (Internet banking passwords and all). Now they don't do that any more. They state they throw away personal information but do state they look at Credit Card numbers. Do a five minute Marketscore Google search. They've stopped doing that recently. I'm guessing because banks have started blocking their proxy servers. Now they let the users go straight there and send the info back. (Who knows what SSL info they send. They do use some SSL)
In reality phishing sites don't even bother to SSL the traffic. Most people don't check for the padlock. Especially the ones who are likely to fall for phishing attacks.