I Think We’ve All Had Audit Interviews Like This…

by alex on March 19, 2010

Pretty much how my last NCUA 748 pre-audit went.

Why I’m Skeptical of “Due Diligence” Based Security

by alex on March 17, 2010

Some time back, a friend of mine said “Alex, I like the concept of Risk Management, but it’s a little like the United Nations – Good in concept, horrible in execution”. Recently, a couple of folks have been talking about (…)


National Broadband Plan & Data Sharing

by adam on March 17, 2010

I know that reading the new 376 page US “National Broadband Plan” is high on all your priority lists, but section 14 actually has some interestingly New School bits. In particular: Recommendation 14.9: The Executive Branch, in collaboration with relevant (…)


‘Experts’ misfire in trying to shoot down Charney’s ‘Internet Security Tax’ idea

by Russell on March 17, 2010

Industry ‘experts’ misfired when they criticized Microsoft’s Scott Charney’s “Internet Security Tax” idea. Q: How many of these ‘experts’ know anything about information economics and public policy responses to negative externalities? A: Zero. Thus, they aren’t really qualified to comment. This is just one small case in the ongoing public policy discussions regarding the economics of information security, but given the reaction of the ‘experts’, this was a step backward.

Asking the right questions

by Chandler on March 16, 2010

Schneier points me to lightbluetouchpaper, who note a paper analyzing the potential strength of name-based account security questions, even ignoring research-based attacks, and the findings are good: Analysing our data for security, though, shows that essentially all human-generated names provide (…)


Elsewhere in the New School department

by adam on March 15, 2010

Dennis Fisher wrote “Why Bob Maley’s Firing is Bad for All of Us:” The news that Pennsylvania CISO Bob Maley lost his job for publicly discussing a security incident at last week’s RSA Conference really shouldn’t come as a surprise, (…)


Data void: False Positives

by Russell on March 10, 2010

A Gartner blog post points out the lack of data reported by vendors or customers regarding the false positive rates for anti-spam solutions. This is part of a general problem in the security industry that is a major obstacle to rational analysis of effectiveness, cost-effectiveness, risk, and the rest

Everybody Should Be Doing Something about InfoSec Research

by adam on March 10, 2010

Previously, Russell wrote “Everybody complains about lack of information security research, but nobody does anything about it.” In that post, he argues for a model where Ideally, this program should be “idea capitalists”, knowing some people and ideas won’t pay off (…)


Krebs on Cyber vs Physical Crooks

by adam on March 9, 2010

In addition, while traditional bank robbers are limited to the amount of money they can physically carry from the scene of the crime, cyber thieves have a seemingly limitless supply of accomplices to help them haul the loot, by hiring (…)


Everybody complains about lack of information security research, but nobody does anything about it

by Russell on March 9, 2010

There has been a disconnect between the primary research sectors, and a lack of appropriate funding in each is leading to decreased technological progress, exposing a huge gap in security that is happily being exploited by cybercriminals. No one seems to be able to mobilize any significant research into breakthrough cyber security solutions. It’s been very frustrating to see so much talk and so little action. This post proposes one possible solution: an Information Security Pioneers Fellowship Program (ISPFP), similar to Gene Spafford’s proposal for an Information Security and Privacy Extended Grant (ISPEG) for academic researchers.