"consumers hate tokens."

"Everyone wants to be the single federation platform for everyone else."

"Federation will never work. It won’t work because the single most important consumer Web applications in the world are scared of it. Banks hate the concept because it becomes a weakest link in the chain problem."

"Tokens don’t actually solve most security problems, like man-in-the-middle, phishing, and keystroke-logging malware."

"Oh yes, and finally, consumers are going to have to carry around 13 of them just to make sure they can log into whatever they need to log into since no one will federate."

"Global federation is nowhere near a solid concept in the consumer space, despite what the vendors will try to sell you."

"This is a long term problem. If you work on it and make any progress against it, you'll find yourself much smarter at the far end, than you were at the near end.

When I was in Norway about 5 years ago, I was there very close to the summer solstice. I was wandering around town at 2 o'clock in the morning and there was plenty of light out. You come to a sign that says New Minsk about 60 km and it points south.

And I ask the lady "what country is this?"

She scratched her head for a bit, and said "well I think its Norway"

I said "well who plows the roads?"

"well Norway does, but he have to pay them."

There is a triple boundary in this town that I was in between Norway, Finland and Russia.

But what I did there, was, I had a card about wallet size, I stuck it into a machine, I punched in four digits, and it gave me about 2,000 krone, whatever the hell that is.

Now there are a lot of participants in that transaction. When I put a card into that machine, punch in a pin, and it gurgles for awhile, and finally gives me, a fairly large amount of money. There are a lot of participants in that transaction. The bank that owned the machine that gave me the money, it gave some money away -- that bank wants it back. The pin is necessary to convince my own bank that I'm me. But I don't want my pin to be broadcast all over the world. My bank in the us, it hasn't really given out or taken in any money, really. But there is a lot of credits involved here. Somebody needs to charge somebody else for having more money available. Even though there was actually no cash transfer.

And the problem that I have in mind is
- who are all the participants in an ATM transaction?
- what do those participants need to satisfy their problems?
- how is that in fact done?

In a general way, does the atm system actually work in some reasonable sense? To which the answer is by the way: yes. The atm system damn well works. With extremely high reliability and accuracy. It surprises me. Its quite a bit different than voting machines.

I started blogging about 2 and half-years ago because I felt like it would be fun to add my two cents to the public debate.  When Brad Feld introduced me to the Feedburner guys I was given an insiders view into the quickly developing blogging world.  When Feedburner started networks, I thought it would be interesting to start a network of all the security blogs that I was reading.  I also inherently knew in my gut that eventually there would be some common good that would benefit all of the members of the network by aggregating our content and buying power for ads. I also believed and still do believe that there are other ways that a network such as the Security Bloggers Network can be a force for good.

However, reading the SBN feed tonight I was just blown away! From being on the road, I had not read the SBN feed in my Newsgator reader for almost 2 days.  I had over 160 articles cued up in the feed.  Forget for a moment that the Security Bloggers Network now has over 160 blogs and a combined feedburner subscriber base of almost 67,000 readers!  The content is king.  Going through the articles I could not believe the total coverage, the ongoing commentary and give and take, but most of all it was the quality.  There are so many great members of the network who are just so damn smart and are writing about such important stuff.

I am humbled and incredibly proud of the what the Security Bloggers Network has become. If you are interested in security, whether it be the technical aspects of security, the business of security or the security industry, you cannot afford to miss this SBN feed. 

We are kicking around a lot of new activities and ways to publicize the member blogs of the network over the coming months.  Stay tuned for details, but in the meantime keep reading, you won't be sorry!

I started blogging about 2 and half-years ago because I felt like it would be fun to add my two cents to the public debate.  When Brad Feld introduced me to the Feedburner guys I was given an insiders view into the quickly developing blogging world.  When Feedburner started networks, I thought it would be interesting to start a network of all the security blogs that I was reading.  I also inherently knew in my gut that eventually there would be some common good that would benefit all of the members of the network by aggregating our content and buying power for ads. I also believed and still do believe that there are other ways that a network such as the Security Bloggers Network can be a force for good.

However, reading the SBN feed tonight I was just blown away! From being on the road, I had not read the SBN feed in my Newsgator reader for almost 2 days.  I had over 160 articles cued up in the feed.  Forget for a moment that the Security Bloggers Network now has over 160 blogs and a combined feedburner subscriber base of almost 67,000 readers!  The content is king.  Going through the articles I could not believe the total coverage, the ongoing commentary and give and take, but most of all it was the quality.  There are so many great members of the network who are just so damn smart and are writing about such important stuff.

I am humbled and incredibly proud of the what the Security Bloggers Network has become. If you are interested in security, whether it be the technical aspects of security, the business of security or the security industry, you cannot afford to miss this SBN feed. 

We are kicking around a lot of new activities and ways to publicize the member blogs of the network over the coming months.  Stay tuned for details, but in the meantime keep reading, you won't be sorry!

There is a great article in Business Week this week that talks about a scam that bank and credit card companies are pulling on consumers.  It has resulted in the banks winning arbitration cases against consumers to the tune of a 99.998% clip.  That is right, 99.998%.  It has turned arbitration, where an impartial judge makes determination into the biggest home field advantage this side of the NBA play offs.

It seems many of the credit card agreements that govern your use of credit cards call for arbitration to settle any disputes between you and the credit card company.  Well the credit card company gets to pick the arbitration company. Many pick the National Arbitration Forum, which markets itself to the credit card companies as a form of collection agency.  The whole system is basically stacked against the consumer, which results in the credit card companies getting their way.  Business Week does a great job of digging in here and finding out all of the dirty secrets of this scam.  I highly recommend you read the article for all of the details.

I don't think too many people disagree that over the last years there has been a big swing in the pendulum favoring business's over the consumer. Many of the laws and rules that were put in place to protect consumers over the years have either been thrown out or ignored.  Our bankruptcy laws have been totally rewritten to the disadvantage of the consumer.  Lazes-fare attitudes toward regulating business has seen oil companies raking in billions of dollars a quarter while we pay 4 dollars a gallon.  Health insurance companies raising rates higher than inflation while hospitals have to close for not making enough money.  A mortgage industry that without oversight has written loans that has our finance system to the brink of disaster. A return of inflation and recession at the same time.

Not too advertise my own political views, but do I think it is time for a change?  Your damn right I do!  I hope that the press shining the light on some of these injustices will make it easier for a new era in Washington to make right (no pun intended) some of the wrongs in our system.

There is a great article in Business Week this week that talks about a scam that bank and credit card companies are pulling on consumers.  It has resulted in the banks winning arbitration cases against consumers to the tune of a 99.998% clip.  That is right, 99.998%.  It has turned arbitration, where an impartial judge makes determination into the biggest home field advantage this side of the NBA play offs.

It seems many of the credit card agreements that govern your use of credit cards call for arbitration to settle any disputes between you and the credit card company.  Well the credit card company gets to pick the arbitration company. Many pick the National Arbitration Forum, which markets itself to the credit card companies as a form of collection agency.  The whole system is basically stacked against the consumer, which results in the credit card companies getting their way.  Business Week does a great job of digging in here and finding out all of the dirty secrets of this scam.  I highly recommend you read the article for all of the details.

I don't think too many people disagree that over the last years there has been a big swing in the pendulum favoring business's over the consumer. Many of the laws and rules that were put in place to protect consumers over the years have either been thrown out or ignored.  Our bankruptcy laws have been totally rewritten to the disadvantage of the consumer.  Lazes-fare attitudes toward regulating business has seen oil companies raking in billions of dollars a quarter while we pay 4 dollars a gallon.  Health insurance companies raising rates higher than inflation while hospitals have to close for not making enough money.  A mortgage industry that without oversight has written loans that has our finance system to the brink of disaster. A return of inflation and recession at the same time.

Not too advertise my own political views, but do I think it is time for a change?  Your damn right I do!  I hope that the press shining the light on some of these injustices will make it easier for a new era in Washington to make right (no pun intended) some of the wrongs in our system.

From the Last Hope:

For Immediate Release

THE LAST HOPE TO FEATURE HACKER RADIO

At The Last HOPE conference, hackers will broadcast their minds and their iPods.

In the center of the summer’s top hacker event will be a small isolation booth. “Radio Statler!” as the station is called, will send out a three day broadcast of all-original material. From the center of Manhattan, around the clock, discussions of the past, present, and future of technology, creativity, and humanity itself will be transmitted.

The first night of the conference, July 18th, the station will carry a program called Digital Music Night, hosted by Peter Kirn, editor of createdigitalmusic.com. The three hour live concert will feature a convergence of artists and musicians using custom, original tools for performing live in new and bizarre ways, including:

* Houseplants hooked up to live computer visuals and music
* A mutant trumpet, halfway between the digital and acoustic worlds
* Packets of data visualized as three-dimensional eye candy
* An animated digital art sketchpad controlled by Wii remote
* A set of digital gloves for gestural DJing
* A robotic drummer
* Computer-generated vocals that sing your spam folder to you
* Live digital art made from vintage game consoles and computers

The station will give additional talk and interview time to the conference’s speakers, broadcast the keynotes and other popular seminars, and offer attendees who don’t speak at the podium a chance to share their ideas. Many hackers who already do their own podcasts are being asked to contribute and do special programs for the conference.

Program and content submissions are still being taken, volunteers are being sought, and the organizers are looking for promotional sponsors to help cover the cost of broadcasting. More information can be found at http://radio.hope.net/ or by emailing projects@hope.net.

Damn, I’ll have to break out Garageband or maybe I’ll have to submit one of these tracks? HA!

Damn these infernal mornings.

Click here to subscribe to Liquidmatrix Security Digest!

And now, the news…

1. 1st Source Bank replacing debit cards after security breach | Network World
2. Microsoft Warns Of Bug In Apple’s Safari | CRN
3. Going Back to Basics To Fight Botnets | Top Tech News
4. EU security agency warns over insecure printing | The Register
5. Information at thieves’ fingertips | Times Union
6. McAfee Names The Most Dangerous Domains | Information Week
7. IBM Complimentary Security Health Scan | Bitpipe
8. ‘Hacker’ left child porn images on computer, lawyer insists | The Toronto Star

Tags: News, Daily Links, Security Blog, Information Security, Security News

Gartner IT Security Summit - June 1-3, 2008 - Washington, DC.

Alright - call this an omnibus posting.

I had planned to do a better job of intra-day postings, but the schedule here is hectic and as anyone who knows me can attest, I really do work to get maximum value out of any conference that I go to.

Highlights here - much more detail available if anyone comments/emails me to ask.

Day 1
Opening Keynote - The next 10 years in IT Security - Rated: Good.
Keynote - Google’s Security - Rated: Excellent.
Keynote - SciFi Authors’ Future View of IT Security - Rated: Excellent.

“F” Track - Gartner Analysts/Researchers speak on the topic of “The CISO” - Rated: Mediocre to Good.
Exhibition Floor - Rated: Good.
Food - Rated: Hotel Std. Bring Pepto
Product Highlight - Alcatel-Lucent OmniAccess 3500 Nonstop Laptop Guardian It’s a way to lojack your laptops - a device that stores your crypto keys, 2nd factor auth token, acts as your 3G WWAN, GPS enabled, has an on-board Linux which acts as the “IT department’ controlled/controllable machine. Main feature - remote kill the laptop you lost.

Day 2
Keynote - Security Architecture for the Next 10 years - Rated: Excellent
“F” Track - Gartner Analysts/Researchers speak on the topic of “The CISO” - Rated: Good to Better
Exhibition Floor - Rated: I don’t want to try to get that much shwag through airport security. SRSLY.
Food - Rated: I cannot wait for my kitchen. I cannot eat this much commercial grade food and stay healthy/alive. Amazing how even the fresh fruit is labelled “Hotel Froot”. It’s like an episode of the Simpsons.

Overall Review: I’ll probably come back - the issue of credibility in ensuring that I can quote someone that the business / IT folks respect rather than just my own opinion is a good thing, however, as a prominent (ha - take that Mike) security blogger, I’m a 4-5 on the CISO-CMM — and I’m surrounded by a whole lot of zeros and ones. Gartner is a good host, they take feedback seriously and are very interested in delivering some real value to people like me.

What needs to be fixed:

1. You may have noted that I’m not really chuffed by the food, and you’d be damn right. What is it with the “Conference Hotel/Venue” market that gives them such perfect 2 dimensional homogeneity of image and food? Fix the food.
2. Reorganize the environment such that I spend less time walking back and forth down this hallway.

3. Wifi… oh terrifying wifi. If there was a Wall of Sheep here, you couldn’t read it - it’d be scrolling too fast. Don’t you idiots have a freakin’ VPN?
4. BoF Sessions would be good — there’s not a whole lot of time in the schedule just to stir around and talk to people. There should be a number of areas that allow for free form communication amongst attendees. Have Gartner Analysts in and around those areas to spur conversations.
5. And lastly - Washington? WTF? Flying in to the DC area is practically a strip search. Conferencing is getting harder as the airline industry squeezes - and if I’ve got to fly, I want as little friction as possible.

It’s been a blast, but I need to pay attention and watch the countdown to my airport transfer at 1600.

Tags: Gartner, Gartner IT Security Summit, Alcatel-Lucent, OmniAccess 3500, Security Conferences