StillSecure, After All These Years

A bloggers network to be proud of

Sat, 05 Jul 2008 06:54:00 +0000

I started blogging about 2 and half-years ago because I felt like it would be fun to add my two cents to the public debate. When Brad Feld introduced me to the Feedburner guys I was given an insiders view into the quickly developing blogging world. When Feedburner started networks, I thought it would be interesting to start a network of all the security blogs that I was reading. I also inherently knew in my gut that eventually there would be some common good that would benefit all of the members of the network by aggregating our content and buying power for ads. I also believed and still do believe that there are other ways that a network such as the Security Bloggers Network can be a force for good.

However, reading the SBN feed tonight I was just blown away! From being on the road, I had not read the SBN feed in my Newsgator reader for almost 2 days. I had over 160 articles cued up in the feed. Forget for a moment that the Security Bloggers Network now has over 160 blogs and a combined feedburner subscriber base of almost 67,000 readers! The content is king. Going through the articles I could not believe the total coverage, the ongoing commentary and give and take, but most of all it was the quality. There are so many great members of the network who are just so damn smart and are writing about such important stuff.

I am humbled and incredibly proud of the what the Security Bloggers Network has become. If you are interested in security, whether it be the technical aspects of security, the business of security or the security industry, you cannot afford to miss this SBN feed.

We are kicking around a lot of new activities and ways to publicize the member blogs of the network over the coming months. Stay tuned for details, but in the meantime keep reading, you won't be sorry!

God took me off the grid

Fri, 04 Jul 2008 19:28:24 +0000

I had every intention of blogging during the long holiday weekend. Catching up on email and work at some point was on the agenda as well. However, this morning in the middle of email my laptop froze up. I could not do anything with it and so had to power down. On start up I got a missing media notice and it looks like my hard drive went kaput. Luckily my Windows Mobile phone has everything I need to stay connected. Email, typepad blog platform, etc. Well we went to my family in Hollywood Beach for a fireworks display and BBQ tonight. I left my phone in a backpack, so I would not take it in the beach or water with me. Great it rained, the backpack got soaked and my phone is down now too!

So I think it is God telling me to go off grid this weekend. I am writing this on Bonnie's desktop machine. The kids are staying with my cousins and Bonnie and I are headed down to Key Largo for the weekend. I have her spare pink Razor with my Sim card for phone calls, but that is it. No email, no computers, no blogging! Speak to you all Sunday night or Monday, enjoy your weekend!

Hopefully, I had one article written scheduled for tomorrow morning. I hope it publishes.

A thin line between blog theft and promotion - another opinion

Thu, 03 Jul 2008 18:24:36 +0000

Rich Mogull has been writing a bit about his disagreement with a the SecurityRatty site posting his content (original posts here and here). These posts have set off a rash of comments and other articles on both sides of this issue. Finally Rich wrote his defining post on this topic here. Rich's position is that he owns his words. Ratty took them without his permission, ads nothing to the conversation or commentary at all and actually hosts the content rather than just linking to it. Now for those who don't know, SecurityRatty is a site allegedly owned and operated by some Russian CISSP dude. Basically, they claim they are an RSS aggregator and they just republish blog posts in their entirety. A couple of things to note though:

1. SecurityRatty does not usually add any content of their own or edit the posts in any way
2. They link back to the blogs or articles which are aggregated
3. They do appear to sell some advertising on the site
4. You can search their aggregated content on their site
5. At least recently they are removing content and feeds from their site if you request it.
6. They did not ask anyones permission that I know of before posting content

OK, now that the groundwork is laid, let me give my Shimel view on this. I disagree with Rich. Hey it is a big world and I think there is room for a dissenting opinion here. The reasons I disagree with Rich are:

1. Though Ratty plainly posts up others content, he does not hold it out as his own. He plainly gives credit to those who actually created the words and in fact links back to their sites.
2. Rich is publishing his data under a creative commons license, I am not sure if the meager ad on Ratty would qualify this as a commercial site.
3. Rich distinguishes what Ratty does from Google and other search engines (who clearly profit from Rich's content) by the fact that they just point to it. Not all together true. They also keep a cached copy of the content that you can go to as well.
4. The fact is that I have a tough time seeing any harm to Rich here. In fact if Ratty were not pointing back to Rich's site, if he did not make it as easy to see that it is just an aggregate feed or if Ratty were adding his own comments and not clearly delineating his from Rich's, I would feel differently. Some of this is directly in contrast to Rich who says that if Ratty did add his own views to Rich's, that would make it right by him.
5. Finally, I would go even further than Rich not being harmed by Ratty. I think Rich actually benefits from Ratty. It is yet another outlet for Rich's content and though not everyone reading it at Ratty may go back to Rich's site, they do know it is him and can go back easily. In fact if Rich did advertise at his site, I could understand him losing hits at his site. Otherwise if Ratty just pointed back, one could say the more hits Ratty generates, it could cost Rich more money. Much like people who link to graphics hosted elsewhere.

So, Rich I see that Ratty has stopped aggregating your content so that should be enough of a victory for you. In the long run though I think it is a Pyrrhic victory and you would have been better off with Ratty publicizing your words.

StubHub millionaires?

Wed, 02 Jul 2008 21:08:05 +0000

One of the cool things about the first dot com bubble was the "ebay millionaire". These were people who built businesses around selling goods at auction on ebay. There has been much written and said about the methods of these people and certainly it was a big attraction to people selling on ebay. I had an interesting plane ride home today where I met someone and discovered todays equivalent. I call it the StubHub millionaire. It is a testament to American ingenuity and shows that given the tools, people will find a way to exploit and make money.

Up until fairly recently you bought tickets to sporting events and other entertainment from a box office or ticket agent such as ticketron. The "after market" in ticket sales or scalping as it was called in NY was often times illegal. There were though some legal ticket brokers that you could buy tickets from. Now with the advent of StubHub and similar type of ticket reselling outlets on the web though, the infrastructure is in place for anyone to sell tickets on line. You would think that most of these people selling tickets were people who had either extra tickets to an event or perhaps a season ticket holder looking to unload some tickets to help defray the costs. Not the case!

There is a now a whole class of businessman who buys season tickets to multiple teams, sports and cities and than uses outlets like StubHub and others to sell these tickets. The guy I spoke to today had season tickets to 6 different NFL teams, 3 major league baseball teams and multiple basketball and hockey teams. Many of his tickets are sold months and weeks before the event. If any are left within 14 days of the event he puts them on ebay. His average mark up is about 40 to 50% of face value, but by buying season tickets he pays below face, so his actual margin is closer to 60 to 70%. He keeps a few tickets for him and his family to go to a few games a year.

This started as a hobby for him with Yankee season tickets, but he has done an analysis and compared to what he would make investing that money in the market, he has come out way, way ahead. He thinks that on a 12,500 investment, he makes about 40k! That is not bad. This year when all is said and done he will make six figure income from the resale of tickets he bought. Think about it, no office or anything. Just list your tickets and let people buy them. Take some of the money and buy more tickets.

So what the heck am I doing trying to show people why it is important that they put good security in place on their computers? There has got to be a better way.

NAC vendors loading up fuel in the tank

Wed, 02 Jul 2008 08:09:00 +0000

First it was Bradford Networks announcing they had raised another 8 million dollars in venture funding to help them break out beyond the edu market. Now comes word that Forescout has raised a like amount amount of additional capital. This was based upon a 80% growth rate for Forescout. This is well below the numbers I have seen Ray, Ken and Gordon throw about in interviews and at presentations. I guess you can spin all you want about how many customers you have or have won, but when it comes to raising cash, you can't play as fast and loose as you do in your marketing.

Also this is a series E round for Forescout and brings their total raise to 44 million dollars. That makes for a tough number to make work. They need to roll some hard ways to make that bet pay off. I was led to understand they just raised 6 million last September. That makes 14 million in a little under a year. Can you spell big B-U-R-N.

The thing about both of these raises is that in the present market, just like the gas you put in your own tank, the gas these NAC vendors are putting in their tank is I am sure quite expensive!

The many faces of NAC

Wed, 02 Jul 2008 05:55:52 +0000

For a long time I have been writing and speaking about the many ways that NAC can help with securing your endpoints and your network. Yesterday, Tim Greene lays out some good reasons for NAC and the many ways it can help. However, he couches it in terms of NAC as a personal firewall. I am not sure I agree with that one at all. Personal firewalls are usually thought of as host based security on the endpoint. While NAC certainly has an aspect of that, NAC is inherently about networks as well.

I am reminded by this article of Senforce. They had one of the best personal firewalls in the market and were often called a NAC solution. But when you spoke to Nolan Rosen and the folks at Senforce, they would tell you that they were not a NAC solution, but needed a network based NAC component to compliment their product. That was the basis of a partnership we had with them. In any event, I think we are seeing NAC used for a variety of uses and we will continue to see it evolve in the market.

Xobni and LinkedIn - perfect together

Tue, 01 Jul 2008 02:53:00 +0000

A while back I wrote about how much I liked the Xobni email add on for Outlook. A short time later I heard rumors that Microsoft was buying them, but that appears not to be true at this point, though I still think it makes a lot of sense. In the meantime, I have continued to use and be impressed with Xobni. I have come to rely on its ultra fast search and the way it organizes threads of conversations and groups of people, as well as attached files.

An interesting thing though about Xobni. As I was given invitations, I would send them out to people I know. Though many of them liked the functionality of the product, they said that it slowed their Outlook to a crawl and just did not think the performance hit was worth it. Maybe I got used to the slowness or I am just not seeing it, but I did not see what they saw. In any event, many people were not using the product.

Well the Xobni folks just released a new version of the product that promises improved performance. I hope that helps those people who were complaining about this. It also offers several other new features, the biggest being LinkedIn integration. I really like this LinkedIn integration as it gives you yet another layer of information on the people writing to you. All in all, I think this just makes the product more indispensable than it is already. It is now available to the public, so I would encourage you to check it out for yourself!

SC Magazine World Congress 2008

Sun, 29 Jun 2008 19:30:22 +0000

For a while over the past few years it seemed like there was a security show a month. It got so watered down that it was hard finding any value in some of these shows. Over the last few years though in a case of natural selection I guess, many of these shows began falling by the way side. This past year I have attended a few good shows and over all I would say the shows have been better attended. I think shows that have great content and not just a trade and exhibit floor provide the value that people want to see.

In any event, the folks at SC Magazine first approached me about show they were planning in the NY area, around the time of RSA. I think a good security show in the Northeast would be great. I also have a lot of respect and admiration for the Haymarket Media group who run SC Magazine. So I am really happy to write about the first SC Magazine World Congress taking place December 9and 10th at the Javits Center in NYC. I will be there for sure and hopefully you will be too! Mark your calendars.

Some firms don't admit security breaches - Geez, ya really think so?

Sun, 29 Jun 2008 12:51:24 +0000

It's not often that security issues make mainstream media outlets. So when I saw this article on cbsnews.com I wanted to see what kind of "investigative journalism" the same folks who do 60 minutes would bring to the story. The story takes the particular case of Direct Marketing Services, Inc, the parent company of Montgomery Ward. It does a good job documenting the breach, the discovery of the breach and how the company complied with credit card company rules by notifying Visa, Mastercard, Discover, etc. but did not notify the 51,000 potentially affected customers. It also does a nice job of giving credit to Affinion Group Inc.'s CardCops for spotting and discovering this theft.

The article than goes on to say that 44 states have passed statues making disclosure and notification of security and confidential breaches to affected consumers mandatory. The article does caution though that based upon the volume of data being sold in "online black markets", there are many more breaches than we are being told about. I think it good that CBS bangs the drums on this, but frankly that "evidence" is a bit flimsy. I also found it gratifying that the article blames the credit card companies themselves for not doing more to publicize these breaches, so that they don't have to issue new cards. Just goes to prove what has been written before, that in the bigger picture the cost of doing business may include the risk of compromised data and big business has determined that that is a risk worth taking.

Maybe the NAC used car salesman can claim them as a customer too? In NAC quality counts!

Fri, 27 Jun 2008 19:36:27 +0000

Dark Reading had a good article today talking about GuideWorks, the TV Guide/Comcast joint venture's 2 year odyssey with NAC, which finds them finally starting to see some good results. I immediately went to the website of the NAC used car salesman to see if they claimed them as a NAC customer too, but didn't see anything yet. But with those guys you never know.

Seriously though folks, this story is a classic NAC story. GuideWorks had guests and unmanaged users visiting their offices all the time. When they would ask to plug in they were told sorry, wait till you get back to your hotel. Over time this answer became unacceptable and they realized they needed a way to give these people a way to get on the net and get their email while keeping their network secure. This very same need drives many initial NAC deployments.

Like many other NAC customers they wanted something easy, not add major overhead or network changes and easy to administer. Again straight out of the NAC playbook. In the Summer of '06 they began a pilot of the Tipping Point NAC product which is based on the old Roving Planet technology. Now Roving Planet was more of a wireless security company, but near the end they rebranded themselves as NAC and Tipping Point uses that with their IPS devices to enforce. Best of all for GuideWorks the price was sub 10k.

Here is where the other side of NAC comes in. This is what the article says:

While NAC tools are often advertised as plug-and-play, GuideWorks found that the NAC setup required a high level of networking expertise. Fortunately, the Inglewood site had plenty of technical expertise because that’s where many of the company’s developers are stationed. In addition, GuideWorks put one of its front-desk employees in charge of setting up new accounts. But because her technical background was limited, the company had to walk her through a learning curve.

Now the company is planning to deploy the system at its Radnor office, which will be a bit more challenging since there’s less technical expertise there, and that office gets a greater number of visitors. So GuideWorks has been on the search for employees to support the NAC system there. The company expects to have NAC up and running there by the end of the summer.

So 2 years after trial they are rolled out in one office and have to hire employees to support the NAC system at the next office. This was a problem with many of the failed NAC companies over the last few years and I think the problem with this Tipping Point solution. Just providing guest access should not be that hard! Yes the StillSecure Safe Access solution would have been much easier and faster to implement, but to be fair, any of the leading NAC solutions would have been up and running easier as well.

While this article was supposed to serve as reference and case study for the Tipping Point NAC solution, it is far from inspiring. If I were a customer looking into NAC, I don't think this would make run out and look at the Tipping Point solution. Moral of the story is, just because you made a good IPS doesn't mean you have a very good NAC product. When it comes to something like NAC, quality counts and buying a 2nd tier solution can cost you in time to implementation and total cost of ownership.