What’s really set me off this morning is the back and forth on the flight time. I know that there are many things that can cause a flight delay, but to move the departure time, in both directions, four times within one hour, how is that possible? I can only imagine the reaction of ScienceLogic customers if we announced the release date for the next version of the product and then proceeded to change it four times that week. There really isn’t another business in the world, other than the airlines, that could get away with this.

Assuming I eventually get to Interop NY, I will be on the look out for vendors that are working on ways to send me to my next meeting over Gigabit Ethernet!

The New York Times rounds up using cell phones as hotspots: Though the reporter, Bob Tedeschi, mentions the issue of having to have an unlimited data plan to avoid unpleasant charges, and worries about bad drains and malicious users, he doesn't note that many carriers don't allow this kind of sharing or routing without a separate "tethering" plan, that can run $20 or more per month. Also, U.S. carriers have now all imposed a 5 GB per month reasonable use cap; some will cut you off, some charge you more, some cancel your service based on exceeding this use.

Gigabit Wi-Fi? Someday: TechWorld considers the IEEE's Very High Throughput (VHT) study group, which wants to start work on 1 Gbps or faster Wi-Fi standard for completion in 2012. With 802.11n offering raw symbol rates up to 600 Mbps--even though no devices have shipped with the radios and antennas to offer that optional high speed yet--there's interest in other frequencies that would allow faster encodings, as well as aggregating multiple links to achieve high speed rates. My experience in testing and using 2.4 GHz with Draft N would show that wide or aggregated channels doesn't work very well. The article's writer, Peter Judge, notes that ultrawideband had potential (over short distances) to approach the gigabit mark, but that UWB hasn't really reached the market in any substantive way years after it was promised to be a big technology.

Flight attendants express concerns about in-flight broadband porn: When I've spoken to airlines, industry experts, and service providers, I find that they all have stories about how porn is viewed on computers, through DVD players, and in convenient magazine form on planes today. Adding the Internet may provide new salacious imagery, but the problem predates Internet access, and filtering Internet service is never as good a solution as a social one. Someone idiotic enough to view porn on a plane over the Internet is also stupid enough to bring along inappropriate DVDs they watch while seated next to children. Flight attendants already have the power vested in them to take care of this. The flight attendants for American might be expressing this concern as part of a bargaining issue, where their responsibilities but not commensurate pay have increased.

Spokane ends free Wi-Fi: Remember Vivato? Boy, I sure do. A company with a reach far exceeding its grasp, Vivato initially powered Spokane's downtown network. The network has continued to run on some basis--I'm not sure using what equipment--and now will move from free to fee. OneEighty Networks will charge about $10 per month to cover the costs of the network, for which local businesses at one point chipped in.

Brazilian TAM airline signs up for in-flight calling, messaging: OnAir has signed up the Brazilian carrier TAM, which will deploy the service on its Airbus A320 craft. Brazil hasn't yet provided regulatory approval, so no launch date is noted. TAM is the largest domestic and international carrier for Brazil.

“PCI Risk Management”

Now usually when I see a term like this, I can only imagine that such things are the byproduct of rapidly decaying brain cells.  In my mind I imagine there’s a conference room somewhere with some marketing types all hopped up on the vapors from industrial solvents spewing terms like “protectivity” or “advanced adaptive deep packet inspection” into the ether with all the acumen of an intoxicated long-horned bovine.

BUT

I thought about this, and it’s really not a bad idea - depending on how you define it.  Now I just couldn’t make the effort to read how the author used the term (I have a short pain threshold), but here’s my thoughts on what PCI Risk Management should be.  If we define Risk as the probable frequency and probable magnitude of future loss.

Then managing the risk inherent in PCI DSS compliance could mean:

1.)  The expected frequency of being out of compliance and how much that will cost us.

Because let’s face it - being in or out of PCI compliance is still a subjective judgment.  First, we have what our ever-qualified assessor says.  But in the case of an incident, it’s really someone else who has the final say in whether or not we were “compliant” at the time of incident.  So we can only know for certain if we’re in compliance after the fact - i.e. after there’s an incident.  So if we cannot really “know” if we’re compliant - we have a probability problem to solve!  Sounds like “risk” or “secure” doesn’t it?

So we could view the PCI as a threat community to deal with.  This gives us the first angle of what we could call PCIRM (this sort of term begs to be it’s own acronym, doesn’t it?) - the simple creation of a probability statement that says there is some belief that we could be found out of compliance - regardless of our efforts - and the calculation of what the impact would be to our organization (like defending frivolous 90 bajillion $ law suits from tiny financial institutions whose lawyers smell blood in the water).  Note that you may or may not want to add the value of the money and time spent on PCI compliance into your loss magnitude calculations.  It’s a sunk cost at that point.

However, there’s another side of the coin.  We can find out the risk of being out of compliance, but is there risk in being *in* compliance?  I think there is.  So our second aspect of PCI Risk Management might be:

2.)  The expected frequency of being in compliance and how much that will cost us.

An alternate view of how we could view the Payment Card Industry as a threat community would involve trying to figure out the probable frequency with which they will make onerous demands of our security budget, and the impact of those demands.

Now note that we would have a “secondary risk” to measure here.  I’m thinking that it’s not improbable that our PCI efforts may not be the most efficient use of or time and money.  So if we’re spending money on what PCI says we must, and neglecting areas of our IRM landscape that would actually reduce organizational risk more than those PCI efforts - then PCI compliance is costing us some real value by reducing our capability to manage real risk.  However,  and it’s quite a long tail event but, imagine that we’re unlucky and an incident happens!  This incident may become, in no small probability, the byproduct of PCI requirements.  Being diligent in risk management, we might want to study this likelihood, too.

So there you have it.  In both cases PCI Risk Management involves looking at the Payment Card Industry as a threat community, and determining the probable impact of having to deal with PCI DSS.

Now if you’ll excuse me, I have a white paper to write and I’m fresh out of acetone-based paint remover.

POST SCRIPT

I should make it clear that Risk Management should (and is) obviously being performed by those with PCI concerns.  PCI, if you will, is simply a sort of ISMS.  And the development of an ISMS can assist IT management with the process of developing metrics and analysis concerning the organizations capability to manage risk.  There’s nothing wrong with PCI in this regard.

But I figured I should make the effort to read what the author was advocating, and the document this “PCI Risk Management” term was drawn from was really a set of “best practices” for PCI and “best practices” above and beyond what PCI requires.  This is not risk management (and no, adding “risk assessment” - in quotes because the author is really referring to vulnerability management - to the list of best practices doesn’t make it risk management, either).  It is more witch-doctory.

From Cisco:

Cisco Intrusion Prevention System (IPS) platforms that have gigabit network interfaces installed and are deployed in inline mode contain a denial of service vulnerability in the handling of jumbo Ethernet frames. This vulnerability may lead to a kernel panic that requires a power cycle to recover platform operation. Platforms deployed in promiscuous mode only or that do not contain gigabit network interfaces are not vulnerable.

Cisco has released free software updates that address this vulnerability. There is a workaround for this vulnerability.

Update or workaround? Which is it then? At the very least get your patch on.

Article Link

Wi-Fi over Ethernet combines electromagnetic resonance--the ability of a EMF to excite signals in wires--with excess wired capacity in a manner similar to how broadband over powerline works. Where properly equipped 802.11af Ethernet switches and adapters are available, coupled with WOE-capable Wi-Fi systems, the Wi-Fi signals will simply be picked up and carried by the Ethernet network. Switching and transmission then become limited to the extent of the wired network--which will improve throughput and range. (A future standard might allow passive powering of lightweight devices from Ethernet, which is a neat reversal.)

This is in the same category of new convergent standards such as Bluetooth over 802.11 and FireWire (IEEE 1394) over IEEE 741-2007: ways to provide better specs on one standard by combining it with another that has a complementary purpose.

Now, of course, modern computing systems tend to include gigabit Ethernet and Wi-Fi, so why do we need a third modality that combines the two? Partly because of new devices like the MacBook Air and smartphones like BlackBerrys with Wi-Fi built in. Without an Ethernet adapter, the range of these devices can be limited, and throughput restricted.

You were waiting for the magic number: How fast is WoE? Nearly 1600 Mbps raw speed, and about 30 Mbps of raw throughput. Before you scoff, remember that you might be able to use WoE over hundreds of meters across a switched Ethernet network, where a Wi-Fi signal might stretch just a hundred or two hundred feet. If Wi-Fi beats WoE, a computer will use Wi-F.

The Wi-Fi Alliance hasn't set the date of their certification yet, but I'm told it will happen any day. The mark will be added to the list of A, B, G, Draft N, WMM Power Save, and other symbols, as AF. The industry is considering a campaign around the phrase, "WoE is me(tm)!" trying to capture the excitement of the new synergy. Again, unfortunate acronym.

The IEEE has finalized and approved a draft, but final ratification isn't expected until 1 April 2009.