In what reeks of payback (after iiNet pulled out of the Internet censorship trial being run by Conroy), Conroy calls iiNet’s defence in the case brought against the company by the Australian Federation Against Copyright Theft something “that belongs in a Yes Minister episode”. I tell you what Senator, if that is the case, you yourself have been sucked right out of the TV show and into our lives – so you should know!

I’ve discussed this case a number of times here. What irks me most of all is that they’ve gone after the easier target and the rest of the industry is just sitting back and leaving it to iiNet to defend on their own. That decision may haunt the other ISPs after a precedent is set (if it goes against iiNet). Short-sighted thinking!

Looking forward to seeing what decision is made on the National Broadband Network. Going on recent history, this should be interesting.

Another security appliance and we’re even more secure – everyone’s happy. Who’s measuring the effect, impacts, any benefits etc., and how are they doing it? No, please don’t answer that one. Everyone has an opinion and more than likely, whatever you deem as the best way is more than likely not being followed anyway… let’s just leave it and assume the thing is working as the vendor said it would.

Thanks David Reyne for this gem. You legend you:

Swapping David for a well-read CIO. Oh, don’t bag the CIOs again. It’s not their fault. It’s just easier if you just believe all you are told and it’s another project ticked off.

Setting the scene with recent somewhat provocative posts to generate some thinking, debate and discussion to get some interest before some context and substance in this post. Hopefully. And yes, a heap of emails, tweets, DMs and phone calls received today. (Gees, not bad for a Sunday. Do infosec dudes ever switch off and have a break?). To be honest, while most were supportive, a few were asking me what the hell I was basing my points on, and was I shooting myself in the foot with some vendors now and in the future? (Hey, big assumption that anyone actually reads this stuff I write). For the latter, I probably was/am but as most people know, I am not scared to put my opinion out there for critique, flames, but most importantly, as mentioned, to generate thoughts and discussion. It’s not a glory boy thing and it is what it is and I don’t profess it to be anything it is not. (Refer to top right corner of home page for the disclaimer).

So getting to the point of this (…finally you’re probably thinking). WAFs are an easy target to generate discussion (polarising more than most other technical topics at present), but I’m not just talking about WAFs here. They’re just the example. It could be anything from technology entrenched into our industry, through to strategic thinking and approaches that look at where our industry is, where it should be and most importantly, the steps to make valuable, and most importantly, significant steps to improve IT, business, home and society in general.

We hope any rumours are just that. Anything being announced later this week?

Interesting reference to Heartland being the “exception”. Reality? Hmm…


So far so little but a lot of hype! Some plug them big time, but let’s be real, do they cut it to a level worth the hype?

Realities are they don’t work at present to a level that warrants the hype.

Accepting small benefits versus the additional risks they introduce is a concern. If your WAF is an “appliance”… potentially good night! 0day already… didn’t your vendor/consultant warn you about these? Am I being paranoid about this?

It’s another AV? No, not that good yet. If anyone tells you otherwise, let me know. :)


From Risky.Biz, Dec’s article on PCI: “Six ways you can bork PCI”.

Makes a load of sense to me, but then we’ve been talking about this for a long time.


- Just got back from New Zealand. As always, great to get over there but wish I had more time. NZ has to be the pound-for-pound world leader in researchers and research. So many good guys there! And there’s also Kiwicon.

- Pat’s kicked off a new site at Risky.Biz. Some really cool stuff now and a heap of new things coming up. Good luck with it all Pat!

- Been following the SPSP/PCI SSC latest here at Mike’s site.

- New jobs posted at Beast Hot Jobs. Still working to get this going. Yeah, I know, wrong time but hopefully we’ll get there. Check it out.

- Internet Filtering/Censorship in Australia: Trying not to post too much on this because I keep hoping it will just die, but every time I start to think it is going away, it comes back. Example here. Things in NZ are not much better, potentially worse. All really scary stuff.

- I wonder what I could have seen if I plugged my laptop into the cable poking out at Sydney Airport where another parking payment machine should have been. Nah… probably not much. :)

I enjoy David’s writing and his analogies between insecure software and the issues we face from it today and those in other industries and other times.

He’s kicked off a series of posts titled “Cyber Security at the Crossroads” on his blog. Worth a read:

Cyber Security at the Crossroads: Introduction
Cyber Security at the Crossroads: Bad Treatment

This higher-level view vs. “otherworld” case studies, present and past, is often overlooked in our industry, but it is the way to opening up understanding, awareness and discussion on this topic to broader society. Is there a better way?

Declan had a clean t-shirt in the morning but by 10am, the image of Fatemah had appeared on it. Freaky! (Top right)

Related to this? Hmmm…
Please, no pilgrims to the Securus Global offices until we get this looked at by qualified experts (eBay).

- Centralised password management tool here. Vuln-free delusions – be fun to “test” this one. Consolidated risk. Nice!

- Data Breach Disclosure update in the US here. Fundamentals still missing to make this a fair and workable law for all. Wrote about this in Risk Management Magazine pp. 14-15 in the September 2008 edition. (May have to sign in now to read it).

- My costs to maintain PCI QSA status to top 30K in 2009. Add another 20-odd K if we decide to become an ASV again. PCI SSC doesn’t really care about my thoughts on why some of the costs are just money-making grabs on their part. Danger for all is that if eventually only the big guys can afford this, the level of QSA expertise and subsequent advice/service to merchants, service providers and the industry as a whole is going to become weaker, so who wins? Do I battle these guys again or just suck it up? No appetite at present for another battle with them.
