“No Evidence” and Breach Notice

by adam on April 30, 2009

According to ZDNet, “Coleman donor data breached in January, but donors alerted by Wikileaks not campaign:” Donors to Minnesota Senator Norm Coleman’s campaign got a rude awakening this week, thanks to an email from Wikileaks. Coleman’s campaign was keeping donor (…)

Read the rest of this entry »

@Mortman MP3d on Threat Post

by alex on April 29, 2009

I’ll go ahead and promote David.  He’s interviewed over at Threat Post.  Pod/Talk cast it up! In this episode of the Digital Underground podcast, Dennis Fisher talks with David Mortman, CSO-in-residence at Echelon One and longtime security executive, about whether (…)

Read the rest of this entry »

Congratulations, Open Security Foundation

by adam on April 25, 2009

The Open Security Foundation, creators of OSVDB and DataLossDB have won SC Magazine’s Editor’s Choice award for 2009. It’s well deserved. In other Open Security Foundation News, about a dozen people asked me how to get a stylin’ DataLossDB t-shirt. (…)

Read the rest of this entry »

Standing Still

by Chandler on April 20, 2009

Following up on Ben’s comment to s/green/secure/g, infosec generally makes life /harder/ for people (at least in the short-term), all to keep bad things from happening. I’ll argue it’s even worse than that. Since “secure” is neither achievable nor a (…)

Read the rest of this entry »


by adam on April 19, 2009

Don’t miss this fascinating article in the New York Times, “Why Isn’t the Brain Green?” You can read it for itself, but then you hit paragraphs like this: It isn’t immediately obvious why such studies are necessary or even valuable. (…)

Read the rest of this entry »

Breach Notification Law Across the World

by adam on April 18, 2009

“Data Breach Noti?cation Law Across the World from California to Australia” by Alana Maurushat. From the abstract: The following article and table examine the specifics of data breach notification frameworks in multiple jurisdictions. Over the year of 2008, Alana Maurushat (…)

Read the rest of this entry »

Project Quant: Patch Management Metrics

by alex on April 17, 2009

Rich Mogull, Adrian Lane, (of Securosis) and Jeff Jones (of Microsoft) have started a “transparent” metrics project “to help build an independent model to measure the costs and effectiveness of patch management.”  They’re calling it (for now) Project Quant.  As (…)

Read the rest of this entry »

Evolution of Information Analysis

by alex on April 16, 2009

Real briefly, something that came to me reading Marcus Ranum over at Tenable’s Blog. Marcus writes: Usually, when I attack pseudo-science in computer security, someone replies, “Yes, but some data is better than none at all!”  Absolutely not true! Deceptive, (…)

Read the rest of this entry »

Black Swan-Proof InfoSec?

by alex on April 16, 2009

I came across an interesting take on Nassim Taleb’s “Black Swan” article for the Financial Times via JP Rangaswami‘s blog “Confused in Calcutta“.   Friends and folks who know me are probably tired of my rants about what I think of (…)

Read the rest of this entry »

A Curmudgeon is a Little Confused by the 2009 DBIR

by Brooke on April 16, 2009

I’ve given Vz’s DBIR a quick perusal.  The data are interesting indeed and the recommendations are obvious.  There is little new here in the way of recommendations – I guess nobody is listening or the controls are ineffective (or a (…)

Read the rest of this entry »