Is this a reaction to the monkeynet project? You have to wonder.

We had SAFECode announced last year and now comes ICASI, (Industry Consortium for Advancement of Security on the Internet). Release:

How they’re going to “enhance global IT security by proactively driving excellence and innovation in security response” is something I think we all look forward to hearing more about.

I was just thinking to myself the other day, we’re about due for another consortium! :-)

Recent update on SAFECode.

Enjoyed this post at Wade’s on How the Australian Carriers Missed It.

By YanaBanana and Drazen Drazic

Not talking about a new theory here but maybe some points worth discussion. Starting ramble:

With the increase in technology becoming more accessible and affordable to the masses, we face a good deal of unseen or unintended consequences on security in general.

E.g., insurgencies in countries such as Iraq, where homemade rockets are used, are getting more sophisticated. If anyone has ever tried to build a rocket (not the WMD type), like myself, you will find that it is surprisingly hard to get it to fly straight. With processors/microcontrollers getting cheaper and more accessible, it’s relatively easy to make extremely good guidance systems now to attach to your homemade rocket – ready to fire at any target you wish.

Now apply this kind of thinking to something less bodily harm inducing such as GSM cracking. Not long ago, it was extremely expensive to get any sort of decent RF equipment to sniff GSM traffic, and then the computing power to actually break the poorly designed encryption (A5/1 and A5/2).


This one’s had quite a bit of press time, and discussion around the blogs recently – more so as the deadline has approached. In Australia, it’s been relatively quiet in comparison to the US though. I think the fact that compliance across the board here is well behind the US has a lot to do with that, with many organisations here still either unaware of their responsibilities or far off from being compliant.

Is all the publicity and debate around PCI DSS requirement 6.6 a bit of a storm in a teacup? I think so. I’ll put the case forward also that if you are compliant with the PCI DSS now, the new requirement 6.6 is superfluous:


Trend Micro announced today that they are now protecting the consumer by going after the bad guys directly. While specific details were not released, I ascertain from the advertisement in the Sunday paper today that they have developed some technology to fight the bad guys on their own turf and are able to neutralize threats from them before they can affect you and me.

“Only Trend Micro PC-cillin Internet Security Pro gives you bulletproof protection from every trick invented to steal your identity. Its unique Web Threat protection blocks bad stuff at the source, before it gets near you and your PC. And its keystroke encryption makes it impossible for someone to get your password.”

We await more information on this. Amazed this has not made headline news in the IT media! :-)

Related post.

At Securus Global (blatant marketing plug for all readers should you need our services), when I hire specialists to join the team, “certifications” to me mean zip… nothing… zero! We get CVs all the time and we are in a proud and lucky position, based upon our reputation, that people want to work at SG! I feel honoured by that, and every CV sent to us makes me feel like SG, as an organisation, is somewhere where real industry-passionate dudes want to work!

If you’ve seen my latest stuff on Twitter, you will know that I am having a go at BS certification. (Yes, I know I do PCI DSS but you know my thoughts on that!).


Why didn’t someone remind me! Was it good?

I also missed the Over the Horizon forum, but it was for experts… but I don’t know any experts who attended. Feeling very unloved at the moment. :-) (Thanks Nick for this link)

Posted in: Risk Management

A lot of recent posts here and in the forum talk about responsible and true representation of services and products being marketed. The focus though has been on security products and vendors, but why restrict it to just them? The whole software industry thrives under a no liability market that no or few other industries enjoy. There is something wrong with that!

They’ve been in that lucky position since day 1 pretty much. Produce flaky products (but with a heap of features to sell and continue to sell) and have no liability should your product cause problems to those people that buy it! If problems occur, NO LIABILITY OR LEGAL REPERCUSSIONS FOR THE PEOPLE WHO CREATED THE PROBLEM!

The problem always sits with those who purchased and use that software!


By Big Galoot

Here we go again. Yet another example of highly questionable reporting in our local IT media. Ladies & gents, these types of ‘stories’ need to be highlighted for what they really are – paid advertising.

This time, it’s our old friend at Symantec – schmoozing big time, one expects, in the hope of favourable commentary & cheap brand exposure in the Australian IT newspaper.

What’s the ‘story’, you ask?


By Donal O Duibhir

Donal looks at “The Common Configuration Scoring System” draft from NIST:

Initial thoughts: It would be nice to see CCSS as an output metric generated by the tools here, but further investigation leads me to believe the initiative hasn’t been as well thought through as CVSSv2 or the OSSTMM Risk Assessment Values here, perhaps.

