This video was put together by Donal and Wade at the recent RSA Conference in San Francisco (April 2009). For more information and/or to get involved, go to:

Dan Kaminsky, Pete Lindstrom and Marcus Ranum put forward their thoughts on Australia’s plan to censor the Internet. Dan talks about many of the issues that Securus Global’s Matthew Strahan talked about in his interview with ban.this.url. Surprising that these concerns have barely rated a mention here. Marcus certainly adds some interesting analogies and angles to the whole debate.

Related Posts on Internet Filtering. Thanks to Donal and Wade for representing BorB at the Blogger Meetup at the conference.

Okay, thanks for the responses to the last post. Yep, this does deserve its own post.

It makes a mockery of leaders in technologies (like SaaS, e.g. Qualys) that have been doing great things for years and are now classified as being in the same "cloud", lumped in with the likes of the below.

Reboot: “I think it’s too late though….critical mass of acceptance of the term [cloud] is now too great! We’re going to have to live with many failed technologies that have a new lease of life now under a “new” name. Bit like this Ferrari here.”

- Donal going all multimedia on us and taking the censorship debate to the streets of San Francisco; nocleanfeed-usa-feedback. D’s also been working on nodecity. If you are a decision maker for your business communications, this is worth a big look, and do contact Donal for more information.

- Christian (best of the west) at un-excogitate asking the question as to whether Information Security people could work fewer hours. :) Also check out his post on Sandboxing a Windows VM on Ubuntu.

- Anton analysing the Breach Report 2009. I’m so cynical and have so little time for surveys that having someone else dissect the things works for me. Thanks Anton. Seriously though, I suppose it is one of the better ones. A few things I really question in the report but don’t want to get into it. LOL.

- Great to see a Big 4 dude want to punch people re: Cloud Computing. Go Matthew…join the club. I think it’s too late though….critical mass of acceptance of the term is now too great! We’re going to have to live with many failed technologies that have a new lease of life now under a “new” name. Bit like this Ferrari here. :)

- If you’re trying to stay away from Twitter, then this link to Security Twits won’t be of interest to you. Otherwise, this is a good place to start for infosec industry people.

Posted in: Too cool

Just reading the latest thread here in the Forum. It’s a fair point raised. Something we’ve talked about for a while…..

In my opinion, it [hiring convicted hackers] demonstrates something deeper than just the face-value story of convicted hacker being hired and the ethical issues associated with that. (I’ll leave discussion on that part as it’s been done to death before).

What it really demonstrates in my opinion is seriously dumb senior management who seem to have a belief that rogue “hackers” bring to the table something special…..something they have no idea that they can already get in the scores in the mainstream professional Information Security industry. (e.g. As I have said before, I believe pound for pound NZ has some of the best IT Security researchers in the world….If I were TelstraClear, I’d have about 20 others on the list before hiring the kid they did). Look, good luck to the guys being hired. You have to make a living and if someone wants to offer you money/job etc well….


The Introduction – Living it Easy

Having worked in more heavily regulated environments such as the banking and finance sector in many Asian countries (for example, Singapore and Japan), compliance pressures through something like the PCI DSS don’t seem nearly as onerous, nor as huge an immediate and ongoing effort on the part of businesses.

Coming from that world/perspective, something like the PCI DSS is not really new and not really that impossible/difficult as it seems to many people in countries like Australia, the US and other parts of the world where regulatory impacts upon IT and IT security have been relatively minimal to negligible.

It is all relative and comes down to the business environment you work in and you are used to. Read on:

This is far from my first post on the role of the CIO. While most posts have been focused on the [CIO] failures to fully understand the role of Information Security professionals and the industry in general, many [posts] have also looked at the fundamental failures of CIOs and their roles in business. The two are interdependent.

Somewhere around the late 90s, this “CIO” title started to become the role “title” of choice for the most senior IT person in the organisation. Out went “IT Director”, “IT General Manager” and similar titles, and in came the trend of “CIOs” starting to consider themselves business people. Now at the time, most CIOs were IT people, and drawing that long bow to be viewed by their own staff as “business people” created one of the major turning points.

This has been a catalyst for leading our industry into more than 10 years of little change in regards to significant IT development, better security and, to an extent, relatively effective control of IT in a business and its potential; and most importantly, little change in understanding of and forceful commitment to the emerging Information Security industry and its rising impact on business. Is this the reason good information security adoption has lagged, and to many extents is just plainly non-existent, in many organisations?

Taking this deeper, without that critical mass of acceptance at that senior level, the representative voice of IT to the business, and its flow-on effects to society as a whole, has failed. Accountability means little to nothing in the overall scheme of things pertaining to longer term strategy; “Governance” in IT security overall would be deemed a failure. Risk Management across an enterprise from a holistic view is a failure. (In silos, there are some successes, but what overall benefit is there if the business as a whole has no business-wide understanding of itself?) Without this review, and the most basic root cause analysis and planned treatment of the root causes, we have the lack of progress (though some would call it total failure)….should we expect to be in a better position now or in the short term future?

Part II will look at a more detailed analysis of the CIO in business and their relation to IT Security. Thanks to Donal for this one:

Why aren’t CIOs’ competences being analysed from within their own departments? While I know so many good CIOs, I’ve met far more who are out of their league and you wonder what they really know. If they want to be “C-level” people, they need to be scrutinised more, in the same way as CEOs and CFOs (even though we know that is also far from ideal a lot of the time).

Stay tuned for Part II

- This is probably my favourite read in recent times: Marcus Ranum’s essay on The Anatomy of Security Disasters. I’m not going to dissect it and offer up differing views because for one, it’s a good post and secondly, I agree with most of it (Gees, see my next link). In an ideal world…maybe…..real world; Risk Management methodology “implementations” are quite sad at the best of times. More here. Scroll down to some of the older posts and Ostrich Risk Management – still the most successful Risk Management approach today in IT security.

- Had to laugh at this one from Donal’s Ockham’s Razor. Anything from Life of Brian is good. Hey, he’s not the messiah but we can still use the parables can’t we?

- My favourite PCI DSS commentator (along with Mike), Anton Chuvakin, does an exceptional job as usual – this time covering the US House of Representatives Hearing on PCI DSS, which was not so widely reported in Australia. No need to expand more on that.

- Everyone’s on the Twitter bandwagon. Thought this was pretty cool here. Still hard to explain to those not on it. Still wondering myself.

- Had a laugh during the week about industry preciousness. Always funny to see how others judge their own self-importance and what’s cool and what isn’t in our line of work. I reckon get over it. It’s not a rock star or movie star cool type of industry we’re in. So many people taking themselves so seriously in terms of their own importance, relevance and celebrity in a small and very inward-looking industry. That effort and model overall needs to be flipped on its backside, with information flowing out to broader society instead of an eternal mutual self-congratulatory environment. Those guys who are flowing that information out have my respect. Ah, flame on. :)

Have a good Easter break to all of you that celebrate it and make sure you watch Life of Brian at some stage over the weekend since it’s that time of the year.

By Declan Ingram

An interesting thing happened today. Someone asked me to find an Australian web development company who advertise themselves as developing secure code. (Editor Note: Surely that goes without saying Decman? LOL)

Simple Google search, I thought…Well guess how many web development companies I found who specify that they write secure code?

NONE. Yep! That’s right. Of course if you ask them, “Hey are the sites that you develop secure?”. You know the response is going to be “Oh Definitely!”, until they hand you the completed site, all shiny and new……you perform some security testing and BAM – the response becomes “Oh CRAP!”

So, if there are any developers out there who want a niche – learn to write good code and advertise it…..but first, let me know….there may well be a job in it for you!

PS. It is possible that all web developers write secure code, so it isn’t a differentiator worth advertising… in which case next time I go flying, I’ll take a screaming pig and not a Robin 2160!

Editor Note: This can be done but “security” costs extra on websites – or so many of our clients have been told by dev shops in the past after our testing for them has broken the sites :) To be fair as you know, we’ve spent a good deal of time with dev shops after such events to help train their developers and credit to those guys. They should be using this as a differentiator. Sad that something like this which should be standard is considered such.

As always, let me know if I am missing someone from the small local bloggers list.

- Pat’s probably been the busiest with his new site. Metl’s been stirring it up with his posts, and Securus Global’s Declan Ingram has, as always, thoughtful posts on PCI DSS approaches. Catch all the latest Risky Business podcasts now from the site.
- Christian’s been quiet since his Zombie post. I hope he’s okay. :)
- Donal, as always, is putting out thought-provoking ideas at Ockham’s Razor. His latest project is worth a look here at Nodecity.
- Jarrod’s been banging out quite a bit lately at /dev/null, covering everything from Internet Filtering, PCI and Dealing with Vendors to his OWASP presentation.
- Matthew’s Infamous Agenda has an interesting new look.
- Beast or Buddha; well probably still stirring it up and upsetting a few people. A few new jobs at Beast Hot Jobs. Worth a look!

The number of security guys on Twitter seems to grow everyday. This is a good source of who’s who and best place to start if you are new to Twitter. Whether you like it or not, Twitter is growing in popularity……wonder how long that will last.

Posted in: news