Philippe Courtot is more than just Chairman and CEO of Qualys, Inc. He’s one of the pioneers of the IT industry. Philippe has repeatedly turned innovative companies into industry leaders while creating significant customer and investor value. Prior to Qualys, Philippe was the Chairman and CEO of Signio (acquired by VeriSign in 2000 for more than $1 billion); President and CEO of Verity (a company he took public in November 1995); and CEO of cc:Mail (acquired by Lotus in 1991).

I had a chance recently to chat with Philippe and thought I might share that here:



It does feel like the calm before the storm. You can see the direction things are taking now and there seems to be no turning back. The banks are going to start pushing back hard on who is ultimately liable for customer information security breaches. Westpac did so most recently, in “Westpac accepts no blame in security breach”.

Related Categories that cover this in BorB:

PCI: http://beastorbuddha.com/category/pci/
Disclosure Laws: http://beastorbuddha.com/category/disclosure-laws/

It’s only a matter of time in Australia, you would think, but who knows?



Kiwicon 07 is a new conference being set up by IT security guys for the IT security community in NZ, and beyond. Awesome guys!

Posted in: Research, news


I feel sick and angry every time the Australian Government takes a position and promotes how great they are at keeping Australia a leader in IT and technology. What a load of crap!

Let’s have a look at some facts:
- In the early 90s Australian companies were doing some amazing things with IT. The old saying, “we did so much more, with so much less”, was so true. So many Oz companies were showing their global colleagues how to do things. That doesn’t seem to happen as much now from what I see.
- We had great early take-up of the Internet, technology in general and mobile. I remember in the mid-nineties doing a lot of work in Asia: Singapore, HK, Thailand and even Japan and thinking, gees, Australia is so far ahead of you guys……not anymore….not even close.
- Most emerging IT companies out of the US were basing their Asia Pacific HQs in Sydney, Australia in the early to mid-nineties……not anymore…..any left at all?
- IT guys saw a big future in our industry here at home.

Since then:

- How many great Oz and NZ IT people are doing amazing things overseas because they realised they had no opportunities to do these things at home?
- How far behind the world are we in technology deployment? (And don’t quote me Internet use stats – cool, but on slow speeds…who cares?)
- How many big companies call Australia home as their Asia Pacific base?
- How many IT geniuses believe they can achieve their best by staying at home?
- We’ve become a follower!

Australia has moved forward, but we’ve moved forward at a far slower rate than most of our major trading partners and regional neighbours. We’re not the force in IT which I believe we once were, but we produce great people who go on to become a force around the world. Please Howard, don’t bullshit us anymore on how great your technology policies and initiatives have been. We don’t have much to show for it from a Government perspective.

My thoughts on the security side of things are well documented in here. Enough said for now…..



Okay, the SMH reports: Turkish hackers bring down insurer’s site. This is a funny story, in a weird/bad sort of way, but hopefully another company learns its lessons before being hit really badly:

- “Hackers” or kids having some fun?
- “Spokesman Robert Whelan said despite customer fears that their account information may have been compromised, no customer details were accessed.” - Probably not in this case, given the type of attack and who did it, but seriously guys, do you really know that is the case?
- “Customer information for AAMI is all kept on a very separate infrastructure on our website.” - Hmmmm…..if this was so easy, gees…..
- “Earlier today, AAMI, which offers general insurance, was scrambling to find out how a group calling itself the “Ay Yildiz Team” hijacked its website, replacing it with an anti-Israel message.” - Ain’t rocket science generally in cases like this!
- “When contacted at around 10.15am this morning, an AAMI spokesman said he did not know what had happened. “We only found out 15 minutes ago and I’m now trying to find out what is going on in the way of whether this was just a hack into the front part of the site or it went deeper,” he said. Philip Olsen, an AAMI customer who discovered the hack around 9.30am, said he was concerned that his account information may have been compromised. “I called them and they had no idea it was a problem, so their claims that my account information, including credit card info, was safe seemed hollow at best,” said Olsen. “If they [the hackers] can get on their main web page and deface it like that, what else can they get access to,” he said.” - Philip Olsen: AAMI Security Monitoring Manager?! Hire that dude!

What am I doing even writing this? Must be a Friday thing. Off to Zone-H with you all!



Risk Management evolved essentially from the insurance industry. Most pundits agree that it started to gain momentum as a broader business practice in the 1970s and 80s. Around the time AS/NZS 4360 (the Australian and New Zealand Standard for Risk Management) was first published in late 1995 was the first time I was hearing and seeing “Risk Management” discussed as a practice within IT (and IT Security). Since then, the term “Risk Management” has been widely bandied about in meetings, boardrooms and between IT professionals when discussing their approaches to managing IT security risks in their organisations. But is business really managing IT security risks? My blunt assessment of the Australian IT industry – we’re not even close!



If you don’t already subscribe to Patrick Gray’s Risky Business Security News Podcast, it’s well worth a look. Paul Craig from SA is on this week’s show talking about the .NET vulnerabilities.

Since the advisory, quite a few people have asked our opinion on whether we thought Microsoft was slack in getting the patch out, given we first reported the vulnerability last year. We stick by our position that in this circumstance we would have been surprised and worried if something had come out quickly, given the amount and complexity of work required. See the SMH story also.

Paul sums up our position on some vendors in his interview on Risky Business. MS does okay!



We recently polled a sample of senior security managers and specialists to get their thoughts on what they perceived were the 10 most important security tools/systems for their organisations.

Why? For no other reason than we were interested to see what industry people were thinking, using and planning for.

The following is a summary of the findings: (more…)

Posted in: Research


The rantings of Craig Chapman, Computer Forensics Geek.

Lest Big Galoot be accused of sounding too flippant about the undeniable benefits of “Standards” in our lives, let’s not forget an often overlooked human side of the increasing “Standardisation” of our world and those who feel the irrepressible urge to write them.

Standards make many people happy, warm and comfortable, as does a nice pair of fluffy slippers and a cup of warm cocoa. This is not necessarily a bad thing. I like my cocoa and slippers as much as the next bloke. But make no mistake, standards are sometimes touted by those who feel an overwhelming need to compartmentalise their own and other people’s lives by standardising the way in which everyone does things.

For those mother hens of the world who seem to take pleasure in writing procedures and processes for everything we do – from walking our dog off its leash in the park, to spitting on a footpath – is it more a case of process at the expense of performance?

A recent article at CIO mag (http://www.cio.com.au/index.php/id;1626336618;fp;4;fpid;51238) proposes that new network forensics standards are “crucial to the speed and fairness of the US judicial system.”

What a complete load of puffed-up, breast-beating, piffle!



My thoughts on this are pretty clear, and most people who have followed Beast or Buddha would know I take a pretty cynical position on the Australian Government’s approach to IT Security. But hey, the gov guys did create about 6 awesome whitepapers in the last 12 months or so to ensure Australian business security continues to match it with the best in the world. A must read for every CEO and CIO – telling you everything you need to know about Wireless, VoIP, SCADA and a few others. Shame you’ll never find them or even think to look for them – even greater shame, you’ll probably have no interest anyway as you’re too busy doing other things.

It is good to see I am not the only one being critical of government’s lack of effective understanding of real-world business security concerns and issues. A recent story from SC Magazine, “Australia failing on e-security”, is worth a look. Bill Caelli also puts it out there that government needs to get serious in terms of developing some legislation “to enforce a more security-conscious approach”.

Ain’t gonna happen, I am told, Bill….but we do have some nice whitepapers to read.


