• Low-tech is very effective. Movie-plot threats -- terrorists with crop dusters, terrorists with biological agents, terrorists targeting our water supplies -- might be what people worry about, but a bunch of trained (we don't really know yet what sort of training they had, but it's clear that they had some) men with guns and grenades is all they needed.

• At the same time, the attacks were surprisingly ineffective. I can't find exact numbers, but it seems there were about 18 terrorists. The latest toll is 195 dead, 235 wounded. That's 11 dead, 13 wounded, per terrorist. As horrible as the reality is, that's much less than you might have thought if you imagined the movie in your head. Reality is different from the movies.

• Even so, terrorism is rare. If a bunch of men with guns and grenades is all they really need, then why isn't this sort of terrorism more common? Why not in the U.S., where it's easy to get hold of weapons? It's because terrorism is very, very rare.

• Specific countermeasures don't help against these attacks. None of the high-priced countermeasures that defend against specific tactics and specific targets made, or would have made, any difference: photo ID checks, confiscating liquids at airports, fingerprinting foreigners at the border, bag screening on public transportation, anything. Evenmetal detectors and threat warnings didn't do any good:

  "If I look at what we had, which all of us complained about, it could not have stopped what took place," he told CNN. "It's ironic that we did have such a warning, and we did have some measures."

  He said people were told to park away from the entrance and had to go through a metal detector. But he said the attackers came through a back entrance.

  "They knew what they were doing, and they did not go through the front. All of our arrangements are in the front," he said.

If there's any lesson in these attacks, it's not to focus too much on the specifics of the attacks. Of course, that's not the way we're programmed to think. We respond to stories and not analysis. I don't mean to be sympathetic; this tendency is human and these deaths are really tragic. But eighteen armed people intent on killing lots of innocents will be able to do just that, and last-line-of-defense countermeasures won't be able to stop them. Intelligence, investigation, and emergency response. We have to find and stop the terrorists before they attack, and deal with the aftermath of the attacks we don't stop. There really is no other way, and I hope that we don't let the tragedy lead us into unwise decisions about how to deal with terrorism.

So I was very interested when I heard that Opus Interactive, a customer of ours, had “joined the VMware vCloud initiative as a VMware Service Provider”. I talked to Eric Hulbert, CTO of Opus Interactive, to get some details directly from the source.

Eric shared our own caution about making “cloud-ready” announcements. There have simply been too many companies talking about cloud solutions that lack any substance – usually based on definitions of cloud computing that are hazy or just too broad. The backlash against the cloud hype is often quite justified. But in Opus’ case, there are real components that if they don’t add up to a “full” cloud computing solution just yet, are well on their way – and enabled by VMware’s program for service providers (VSPP).

Opus Interactive is serious about virtualization, which is an indispensable tool in their stated goal of creating a high-density micro-data center with the smallest footprint possible. They are 100% wind-powered and have already virtualized much of their data center, reducing the amount of hardware necessary to run the business and driving down costs to produce even more competitive advantage in a crowded marketplace.

VSPP for vCloud provides a rental model of VMware licenses – e.g., for Enterprise ESX or VDI. VMware Service Providers report on their customers’ virtual machines (vm) and pay only for what is actually used. This model lets Opus Interactive quickly spin up a vm to get a new customer up and running in about an hour and stay very cost competitive at the same time; Opus offers their vClustr entry-level virtual server for only $99.

Cost-effective, rapidly scalable computing “on-demand” based on shared resources, managed by “expert” third-parties, enabled by virtualization technology and pay-per-use vm licenses. Cloud computing? Instead of thinking about a single definition of cloud computing, perhaps it’s more relevant as the market matures to think about a continuum of cloud computing. And by that definition, Opus Interactive is providing cloud services, enabled by VMware’s VSP program. Next on the schedule, automated provisioning and perhaps in the future, API’s that make it even easier for application developers to test and deploy apps on Opus Interactive’s cloud platform – which, by the way, uses EM7 for its core management solution.

Corporate custodians of confidential medical data should be closely monitoring events connected to a nightmarish computer security breach in the St. Louis region.

Express Scripts is one of the nation’s largest pharmacy benefits managers. The company, with headquarters in St. Louis County, handles approximately 500 million prescriptions per year for 50 million workers at 1,600 American companies. Early in October, it received an extortion letter, the details of which it released on Nov. 6.

The letter included personal information on about 75 Express Scripts clients — Social Security numbers, dates of birth and, in some cases, information about prescription medications. Whoever sent the letter demanded money from the company — the amount has not been disclosed — and threatened to use the Internet to reveal personal and medical information about millions of people if the demands were not met.

...

Beyond the scale of the problem for Express Scripts — and the potential impact on the company is enormous — the issue extends well beyond the mounting concerns about identity theft, a phenomenon with which most people have become at least somewhat familiar.

The greater problem is the unique nature of personal medical records, the importance of moving to computerization of such records to improve health safety and reduce costs and the irreversibility of the damage people can suffer if confidential medical information becomes public. The stakes are so high that a federal law establishes strict standards for maintaining the privacy of medical information and stiff fines for failing to do so.

Medical records of all kinds — paper and, especially, electronic — must be protected with the most sophisticated kinds of security systems available, including backup protections and automatic alerts of security violations. Yet Express Scripts learned of this breach in the “worst way,” as InformationWeek.com security correspondent George Hulme put it in an online report: “via an extortion letter.”

The Express Scripts breach raises many questions for all elements of the health industry: hospitals, clinics and doctors’ practices, benefits management firms, insurance companies, pharmacies, employers and government agencies:
Are they using the most advanced information security technology possible? Do they minimize the amount of data they collect and keep it only as long as necessary? Do they have strict protocols governing access to personal and medical data — and systems to enforce those protocols? If criminals were to hack into their systems, how would the companies know? How soon? And are the systems capable of instantly cutting off illegal access as soon as a breach is discovered?

Confronted with a grave breach of electronic security, Express Scripts has responded by contacting law enforcement, establishing an informational website, offering a substantial reward and hiring a private consulting firm to help clients who have privacy concerns and investigate situations that “appear to be tied to identity theft” and provide “identity restoration services.” There is no question that the company is taking the situation extremely seriously.
Given the ongoing criminal situation, information about how Express Scripts’ data systems were compromised — and whether it could have been avoided — has yet to be disclosed. But the American people have the right to expect that their sensitive personal and medical information is zealously protected and kept secure — not only by Express Scripts but also by every person or company entrusted with it.

"Customers and customer relationships...have tangible measurable value to businesses, and their value is much easier to communicate to those who fund projects. So in an enterprise risk management scenartio, their vlaue informs the risk management process...[For example, consider] a farmer deciding which crop to grow. A farmer interested in short term profits may grow the same high yield crop every year, but over time this would burn the fields out. The long term focused farmer would rotate the crops and invest in things that build the value of the farm and soil over time. Investing in security on behalf of your customers is like this. The investment made in securing your customer's data build current and future value for them. Measuring the value of the customer and relationships helps to target where to allocate security resources."

He makes the argument that the Digital Theft Deterrence and Copyright Damages Improvement Act of 1999 is very much unconstitutional, in that its hefty fines for copyright infringement (misleadingly called "theft" in the title of the bill) show that the bill is effectively a criminal statute, yet for a civil crime. That's because it really focuses on punitive damages, rather than making private parties whole again. Even worse, it puts the act of enforcing the criminal statute in the hands of a private body (the RIAA) who uses it for profit motive in being able to get hefty fines.

Imagine a statute which, in the name of deterrence, provides for a $750 fine for each mile-per-hour that a driver exceeds the speed limit, with the fine escalating to $150,000 per mile over the limit if the driver knew he or she was speeding. Imagine that the fines are not publicized, and most drivers do not know they exist. Imagine that enforcement of the fines is put in the hands of a private, self-interested police force, that has no political accountability, that can pursue any defendant it chooses at its own whim, that can accept or reject payoffs in exchange for not prosecuting the tickets, and that pockets for itself all payoffs and fines. Imagine that a significant percentage of these fines were never contested, regardless of whether they had merit, because the individuals being fined have limited financial resources and little idea of whether they can prevail in front of an objective judicial body.

Another news story.

After Interop Las Vegas you may have seen our analysis of the data that we collected and delivered in our NOC view.  I thought I’d recreate the same data for NY and do a short comparison.

1) Like in Vegas, uptime for the network 100%.  This is no small feat considering that we introduced a new wrinkle in NY, taking down the primary NOC while the education portion of the show was still going on.  This was a forced failover to the backup systems, and it went flawlessly.  I’d like to give a little credit to EM7 on the 100% uptime as it caught a failover to battery power that allowed AC to be restored before a series of critical equipment would have gone down.

2) Again like Vegas, the average monitored device in the show network didn’t even hit 10% CPU utilization.  Still lots of computing overhead availabe in the show network.

3) The NY show network wasn’t nearly as busy as in Las Vegas, sustaining an average of only 27Mbps of usage (versus 56 Mbps) in Vegas.

4) Power consumption for the network and NOC in NY clocked in at 445kwh per day, about 25% less than the Las Vegas show.  This wasn’t because the equipment was any more power efficient, but instead because the show was smaller and therefore there was less network gear.

5) Finally, a stat we didn’t track too carefully in Las Vegas, but that I find interesting.  During show hours the wireless network average 1,100 users attached.  That’s a lot of people and a lot of wireless devices.

The good news is there was nothing too unexpected in the data, overall the smaller show led to a smaller number of tickets and smaller consumption of resources across the board.  We hope to have the opportunity to work with the InteropNet team again next year and take a look at this data year-over-year for each show.

So, my dear readers, imagine how amazed I was to find myself being truly inspired by my CEO,  for the first time in my working life! Philippe’s “no-B.S.” approach definitely works for me. I listened to his speech at a company meeting last week and – I am serious! – that was the most interesting, visionary AND inspiring speech that I’ve heard in a long time. It was clear what we’ve been doing, what worked, what didn’t and what we need to be doing and why it will work.

I already learned more than a few things from him just by listening to him  speak or conduct a meeting (or by watching him beat up a job candidate…). For example,  one CAN be “positive, but not marketing-ish,” even if situation is difficult. If one has an issue, one has to face it with no sugarcoating rather than ’play’ positive and pretend the issue is not there. One can have BOTH a driving vision AND be attentive to customers. One CAN release something when it is ready, not a year before :-) Etc, etc.

Finally, while some choose to lay people off, we at Qualys  ARE HIRING!  Come join us and help build the SaaS security platform that actually works! Specifically, we are looking for TAMs (kind like an SE, but better :-)), PMs and a lot of engineers.

• The transport – processing Syslog events takes up a heck of a lot less processing power than collecting from a Windows box. Same with collecting data over an ODBC connection.

First, I enjoyed DeepSec conference and I am grateful for the invitation to speak there. I love European conferences – and not only for having infinitely (with that being an under-statement of the year) superior coffee during breaks :-)  In particular, I liked the audience for my presentation (slides will be posted here soon) and I think the audience liked my material and myself too :-)

What also impressed me a lot was Ivan Ristic speech, which was the second day keynote. He started by simply stating that ‘security industry has failed’ and that ‘a desktop is lost.’ His proof was in typical numbers like “75% of corporate systems are infected with at least 1 malware piece per system”, “1 million of malware types” and “25,000 unique malware samples a day seen.”  However, he then broadened the subject and talked about how not only “a trusted desktop” is gone, but the entire world of “trust everything [on a system], all the time” is gone (his ideas were similar to what I planned to present in my HITB 2008 presentation about “the 0wned world”)

I also like how he positioned all those “security user prompts” (in Vista and even before) as a proof that security technologies have failed and now we have to rely on the user to make security decisions (which will obviously fail as well since users are now fully conditioned to “see a chunk of technical mumbo-jumbo, then click OK”)

It was also interesting how he connected a lot of security failures to his “#1 reason: all programs run with all privileges of the user that runs them.”  In fact, he illustrated it by reminding the audience that “everybody runs untrusted code every day today [web browser + Javascript, etc] while nobody did this 30 years ago.”  He also beat up blackisting as an approach to security (but then again, everybody does it today :-)) - what was interesting that he opined that “we will spend the next 10 years proving that whitelisting will fail just as we spent previous 10 years proving that blacklisting fail.” His main point was that global “onslaught” of whitelisting and code signing will kill all sorts of useful things AND provide little security.

He then called for everybody to think about solving the hard, possibly non-sexy problems. This is the part where I could have used more details :-)

So, a fun speech (even though my telling of it is a bit jumbled… check out his slides whenever they are posted) – and a fun conference overall. Worth a 12 hour flight :-)

After 26 days, and almost 350 million e-mail messages, only 28 sales resulted -- a conversion rate of well under 0.00001%. Of these, all but one were for male-enhancement products and the average purchase price was close to $100. Taken together, these conversions would have resulted in revenues of $2,731.88 -- a bit over $100 a day for the measurement period or $140 per day for periods when the campaign was active. However, our study interposed on only a small fraction of the overall Storm network -- we estimate roughly 1.5 percent based on the fraction of worker bots we proxy. Thus, the total daily revenue attributable to Storm's pharmacy campaign is likely closer to $7000 (or $9500 during periods of campaign activity). By the same logic, we estimate that Storm self-propagation campaigns can produce between 3500 and 8500 new bots per day.

Under the assumption that our measurements are representative over time (an admittedly dangerous assumption when dealing with such small samples), we can extrapolate that, were it sent continuously at the same rate, Storm-generated pharmaceutical spam would produce roughly 3.5 million dollars of revenue in a year. This number could be even higher if spam-advertised pharmacies experience repeat business. A bit less than "millions of dollars every day," but certainly a healthy enterprise.

Of course, the authors point out that it's dangerous to make these sorts of generalizations:

We would be the first to admit that these results represent a single data point and are not necessarily representative of spam as a whole. Different campaigns, using different tactics and marketing different products will undoubtedly produce different outcomes. Indeed, we caution strongly against researchers using the conversion rates we have measured for these Storm-based campaigns to justify assumptions in any other context.

Spam is all about economics. When sending junk mail costs a dollar in paper, list rental, and postage, a marketer needs a reasonable conversion rate to make the campaign worthwhile. When sending junk mail is almost free, a one in ten million conversion rate is acceptable.

News articles.