The best security program is at the business with the happiest customers.

There's a fine line between happy customers and playing piano in a bordello.

Sees a lot
Can tell the king he has no clothes
Can tell the king he really is ugly
Does not get killed by the king
Nice to have around but…how much security improvement comes from this ?

Changes happened faster that he was able to move
Did not read the signs
Good intentions went unfulfilled
A brutal way to ending a promising career
Sad to have around but…how much security improvement comes from this ?

Obviously these models of CISOs are not solving our information security problems. Instead Dr. Garigue points us to Charlemagne as a better model

King of the Franks and Holy Roman Emperor; conqueror of the Lombards and Saxons (742-814) - reunited much of Europe after the Dark Ages.

He set up other schools, opening them to peasant boys as well as nobles. Charlemagne never stopped studying. He brought an English monk, Alcuin, and other scholars to his court - encouraging the development of a standard script.

He set up money standards to encourage commerce, tried to build a Rhine-Danube canal, and urged better farming methods. He especially worked to spread education and Christianity in every class of people.

He relied on Counts, Margraves and Missi Domini to help him.

Margraves - Guard the frontier districts of the empire. Margraves retained, within their own jurisdictions, the authority of dukes in the feudal arm of the empire.

Missi Domini - Messengers of the King.

This is the way forward! Find software security champions in the architecture and development groups,help them understand the real security issues. They will find solutions you have not thought of. Same for DBAs, same for business analysts even. Its all about beating the bushes, education, and decentralizing security services. Specifically, he points out this important mandate for IT security

Knowledge of risky things is of strategic value

How to know today tomorrow’s unknown ?
How to structure information security processes in an organization so as to identify and address the NEXT categories of risks ?

To me this is our mandate and measure of effectiveness. Empower our customers, educate, and create business value. If I am a CISO  I don't want 20 people reporting to me who do firewall ruleset changes. I want one champion in 20 different groups - development teams, architects, DBAs, business analysts.

A concrete example, infosec can continue to go along with the herd and follow the "what everyone else is doing architecture" meanwhile developers are connecting every single thing in your business to the Web. I have been doing integration and new technology projects for a long time, and let me tell you - Change does not always create happy customers in the short run. But the chart below shows that information security is maybe more concerned with not causing waves rather than adapting.

The best security program is at the business with sustainable competitive advantage.

Information Week’s new blog, Plug Into the Cloud, is already in the thick of the controversy on the emerging cloud computing trend. A recent post lists a bunch of highly opinionated comments on the topic by site visitors, running the gamut from “Cloud computing is kind of like the Emperor’s New Clothes” to “cloud software can actually be more expensive than the software I load onto my hard drive.”

Jeff Doyle writes an interesting post about resistance to IPv6 adoption (what, you think we forgot?). Instead of the usual focus on IPv6 as an application issue, he points out that it’s actually an infrastructure thing. Would you wait to upgrade routers, switches, software, or servers until you can find a way to make the newer systems profitable? Would you wait to increase bandwidth only after you have customers waiting to use it? If you’ve answered these questions “no”, then why are you waiting to upgrade to IPv6?

We posted about whether or not there were recession proof products in IT yesterday. Network World Management Maven Denise Dubie also writes about readers weighing in on IT and the economy – from having to do even more with less to seeing the economic downtown as an opportunity to highlight IT’s true value to the business.

And finally, on the lighter side: What would we do without crazy billionaires and their crazy purchases? According to a New York Times article, a company controlled by Google’s top execs just added a fighter jet to their roster. “Presumably no attacks on Microsoft are planned at this time.” (image from Wikipedia)

As they were walking around, Jeff saw some interesting looking produce and pulled out his Canon G-9 Point-and-Shoot and took a few pictures. Within a few minutes a man came up dressed in plain clothes, flashed a badge, and told him he couldn't take photos in the store. My brother said "no problem" (after all, it's a private store, right?), but then the guy demanded my brother's memory card. My brother gave him that "Are you outta your mind" look and said, "No way!" Can you guess what happened next? The guy simply shrugged his shoulders and walked away. My brother saw him in the store a little later, and the guy had a bag and was shopping. My brother made eye contact with him, and the guy turned away as though he didn't want Jeff looking at him. Jeff feels like this wasn't "official store security," but instead some guy collecting (and then reselling) memory cards from unsuspecting tourists (many of whom might have just surrendered that card immediately).

Coming from a modest background, the boy wanted to live lavishly with a fine haircut and brand-name clothes, and he found he could achieve that by committing fraud from names and credit card information purchased on international hacking forums.

“His knowledge of the codes and payment gateways is as good as that of a professional hacker,” said a senior crime branch official who has been interrogating this teenager picked up from Mulund in Mumbai, involved in an online payment scam on eBay. Three other persons who were arrested in Ahmedabad for their involvement in the scam are in police custody.

Now, when I was a kid, I learned that education was the road to making money. If I was a good student and got through college, I could get a good job, live comfortably, maybe achieve something good for the world. There’s a problem when college is seen as a “useless” alternative for this. Don’t get me wrong, I think it’s great if students take the initiative and learn how to teach themselves new skills — but not when it comes to using their knowledge for fraud and theft.

I was reading a review in the NY Times today about a new summer time show coming to CBS.  It is called Swingtown and I was originally attracted to it because it is a look back at the mid 70's.  That was the age of my adolescence, so it naturally attracted me.  Well this show is about the mid-70's OK, but the wilder side. It is set in a suburb of Chicago and is about wife swapping, partying and other hedonistic activity that is supposed to sum up the era.  And on CBS yet!  That's right, the folks who give us 60 Minutes, Murder She Wrote and Touched by an Angel, now bring us the swingers of the 70's. 

I grew up in a suburb in the 70's and while I do remember our parents hanging out drinking Harvey Wallbangers and some of them getting divorced, I don't think they were the type to pass around Quaaludes and engage in orgies, like depicted in this show.  But hey, maybe I am just naive. This certainly sounds more like an HBO series to me, but I have to admit I will watch and see it what it is about. Just the 70's clothes and hairstyles should be entertaining for me. I am You Tubing the official trailer:

If you like this trailer, here is a link to a longer video showing more highlights. Let me warn you that this one is a bit racy!

BT opens up its hotspot network, while maintaining control: Can BT, by controlling the hardware and network infrastructure, let businesses effectively become new hotspots in its OpenZone network? I discuss this and more in this mobile post.

So without my luggage I had to do something about clothes for my presentation at the Americas Growth Capital conference today. Wearing Levis jeans with a t-shirt and sneakers was just not going to cut it.  I waited until 10am (with still no word on when my luggage would show up, thanks Delta!) and than walked over to Macys, a few blocks from my hotel.  I went to the men's department and picked out a nice shirt (on the clearance rack), a matching tie (clearance too), underwear, socks and casual shoes.  I could not get pants that would fit.  Though I have lost a lot of weight, I am still one pants size to big for off the shelf at the likes of Macys. 

When I went to the cashier to pay they asked me how I would like to pay.  I explained to them that I had lost my luggage and had to make a presentation.  I told them my wife had a Macys account and I would like to use that.  I didn't have her charge card and I am not an authorized user of the card.  I than gave them Bonnie's Macys charge card number and our zip code and they charged my whole purchase!  I am sure that somewhere PCI or not, this is not kosher.  Anyone with the account number and zip code could have done this.

Now, maybe they liked my story and I have an honest face.  Frankly, I am glad they did as it helped me get my clothes.  However, it just doesn't feel right and shows you that even with PCI and everything else in place, you can still abuse credit cards.

A British company has developed a camera that can detect weapons, drugs or explosives hidden under people's clothes from up to 25 meters away in what could be a breakthrough for the security industry.

The T5000 camera, created by a company called ThruVision, uses what it calls "passive imaging technology" to identify objects by the natural electromagnetic rays -- known as Terahertz or T-rays -- that they emit.

The high-powered camera can detect hidden objects from up to 80 feet away and is effective even when people are moving. It does not reveal physical body details and the screening is harmless, the company says.

If this is real, it seems much less invasive than backscatter X ray.

This might not be everybody's idea of utopia -- and it certainly doesn't address the inherent value of privacy -- but this theory has a glossy appeal, and could easily be mistaken for a way out of the problem of technology's continuing erosion of privacy. Except it doesn't work, because it ignores the crucial dissimilarity of power.

You cannot evaluate the value of privacy and disclosure unless you account for the relative power levels of the discloser and the disclosee.

If I disclose information to you, your power with respect to me increases. One way to address this power imbalance is for you to similarly disclose information to me. We both have less privacy, but the balance of power is maintained. But this mechanism fails utterly if you and I have different power levels to begin with.

An example will make this clearer. You're stopped by a police officer, who demands to see identification. Divulging your identity will give the officer enormous power over you: He or she can search police databases using the information on your ID; he or she can create a police record attached to your name; he or she can put you on this or that secret terrorist watch list. Asking to see the officer's ID in return gives you no comparable power over him or her. The power imbalance is too great, and mutual disclosure does not make it OK.

You can think of your existing power as the exponent in an equation that determines the value, to you, of more information. The more power you have, the more additional power you derive from the new data.

Another example: When your doctor says "take off your clothes," it makes no sense for you to say, "You first, doc." The two of you are not engaging in an interaction of equals.

This is the principle that should guide decision-makers when they consider installing surveillance cameras or launching data-mining programs. It's not enough to open the efforts to public scrutiny. All aspects of government work best when the relative power between the governors and the governed remains as small as possible -- when liberty is high and control is low. Forced openness in government reduces the relative power differential between the two, and is generally good. Forced openness in laypeople increases the relative power, and is generally bad.

Seventeen-year-old Erik Crespo was arrested in 2005 in connection with a shooting in a New York City elevator. There's no question that he committed the shooting; it was captured on surveillance-camera videotape. But he claimed that while being interrogated, Detective Christopher Perino tried to talk him out of getting a lawyer, and told him that he had to sign a confession before he could see a judge.

Perino denied, under oath, that he ever questioned Crespo. But Crespo had received an MP3 player as a Christmas gift, and surreptitiously recorded the questioning. The defense brought a transcript and CD into evidence. Shortly thereafter, the prosecution offered Crespo a better deal than originally proffered (seven years rather than 15). Crespo took the deal, and Perino was separately indicted on charges of perjury.

Without that recording, it was the detective's word against Crespo's. And who would believe a murder suspect over a New York City detective? That power imbalance was reduced only because Crespo was smart enough to press the "record" button on his MP3 player. Why aren't all interrogations recorded? Why don't defendants have the right to those recordings, just as they have the right to an attorney? Police routinely record traffic stops from their squad cars for their own protection; that video record shouldn't stop once the suspect is no longer a threat.

Cameras make sense when trained on police, and in offices where lawmakers meet with lobbyists, and wherever government officials wield power over the people. Open-government laws, giving the public access to government records and meetings of governmental bodies, also make sense. These all foster liberty.

Ubiquitous surveillance programs that affect everyone without probable cause or warrant, like the National Security Agency's warrantless eavesdropping programs or various proposals to monitor everything on the internet, foster control. And no one is safer in a political system of control.

This essay originally appeared on Wired.com.