When I'm not traveling, I like to work from home some days rather than endure the trek from Seattle to Redmond (although it's much better now that our own employee transit service has expanded into my neighborhood -- the existence of which is sad commentary on the availability and reliability of Seattle's public transit companies).

This means, of course, that I need fast and stable network connections. Comcast with their PowerBoost is working very well for me. But I just can't find a decent wireless router at all. My Lenovo T61p (with Intel 4965abgn adapter) just won't stay connected to my D-Link DIR-628 and IT'S DRIVING ME CRAZY! (Yes, I've tried various driver versions, from both Lenovo and Intel.)

My house is in an area with a lot of wireless activity -- sometimes I can see nine or ten SSIDs. I'm running draft N on 2.4GHz (which occupies two non-adjacent channels, currently 1 and 4), and I suspect the problem is collision interference. I could shift the router to 5.2GHz, which I probably would help, but then the rest of the computers in my house won't connect. Why, you ask? Well get this: the DIR-628 is part of D-Link's RangeBooster N family. So I stayed in the family and got two DWA-542 adapters for the desktop computers. Yet they only do 2.4GHz! Silly me, I assumed that being in the same family means full support of the router's capabilities.

I'm very tempted to replace my router again -- and I'm thinking that the best option is to get one with dual radios. That way I can move my T61p to 5.2GHz and replace the desktop adapters, while still having single-channel 802.11b/g on 2.4GHz for the Wii and my PlayStation Portable.

Now my request: tell me about your experience with home routers. What do you really like, and why? What should I buy?

A few folks have tried to tie “maturity” to “if the code is robust” or “if the product has certain product features.” The way we have addressed this emerging controversy over at The CEP blog is to center the discussion around the Gartner Hype Cycle, which is a pretty good model for representing the maturity, adoption and business application of specific technologies.

On CEP Maturity and the Gartner Hype Cycle

Since many folks work very closely with Gartner, I expect they are keenly aware of Gartner’s view on technology adoption maturity models and their definitions. Just for our readers who might not be as familar, I quote Gartner’s definitions below to be complete from here:

A hype cycle is a graphic representation of the maturity, adoption and business application of specific technologies. The term was coined by Gartner[citation needed], an analyst/research house, based in the United States, that provides opinions, advice and data on the global information technology industry.

Since 1995, Gartner has used hype cycles to characterize the over-enthusiasm or “hype” and subsequent disappointment that typically happens with the introduction of new technologies. Hype cycles also show how and when technologies move beyond the hype, offer practical benefits and become widely accepted. According to Gartner, hype cycles aim to separate the hype from the reality, and enable CIOs and CEOs to decide whether or not a particular technology is ready for adoption. A longer-term historical perspective on such cycles can be found in the research of the economist Carlota Perez.

A hype cycle in Gartner’s interpretation comprises 5 steps:

“Technology Trigger” — The first phase of a hype cycle is the “technology trigger” or breakthrough, product launch or other event that generates significant press and interest.

“Peak of Inflated Expectations” — In the next phase, a frenzy of publicity typically generates over-enthusiasm and unrealistic expectations. There may be some successful applications of a technology, but there are typically more failures.

“Trough of Disillusionment” — Technologies enter the “trough of disillusionment” because they fail to meet expectations and quickly become unfashionable. Consequently, the press usually abandons the topic and the technology.

“Slope of Enlightenment” — Although the press may have stopped covering the technology, some businesses continue through the “slope of enlightenment” and experiment to understand the benefits and practical application of the technology.

“Plateau of Productivity” — A technology reaches the “plateau of productivity” as the benefits of it become widely demonstrated and accepted. The technology becomes increasingly stable and evolves in second and third generations. The final height of the plateau varies according to whether the technology is broadly applicable or benefits only a niche market.

The term is now used more broadly in the marketing of new technologies.

We used the Gartner Hype Cycle in Two-Thirds of Our Readers Say CEP is Still Immature as a basis for having interested readers vote, and in a unscientific straw poll, the readers indicated that, in their view, CEP is still immature.

At the CEP Blog we ground our discussions and terminology on maturity in Gartner’s models on maturity, and we ground our discussions on event processing in the art-and-science of a long standing domain in event processing - multisensor data fusion (MSDF).

Dear network vendor,

As someone that is forced to configure and implement security on your hardware, I would greatly appreciate stable code and properly functioning features. Unfortunately, I cannot always choose the hardware my customers are using in their infrastructure. However, if you would like for me to recommend they continue purchasing and using it, then the product must demonstrate to me that it is: capable, reliable, predictable and well-documented. If your product is not meeting these requirements, I’m forced to recommend other solutions to your (current) customer.

Stable Code. If I have to spend 2-6 hours per implementation working through your product’s bugs, and then must either spend time on a support call or spend time getting packet captures to prove to you it’s not working, I am not a happy camper because you’re slowing down my progress. Your customer is not happy because they’re paying for that time and I’m not cheap.

Features. Don’t publish in technical documentation that your product, or code can do something, only for me to find out later that it cannot. On-site in the middle of an implementation is not the time to architect Plan B. Let me know before, either through technical docs, white papers, best practices or release notes. I do read those. If you want to bend the truth, do it the marketing fluff, not my technical documents.

Documentation. If your product does do what you say it does, then please do document and explain the concepts and procedures. Examples are good, but explanations are mandatory. A correct CLI reference is always lovely as well. If there are got’chas or tricks, please also document those. Again, white papers or release notes are fine. Having to track down the one security engineer from your company that holds the magic key is not practical, nor scalable. Plus, he may be on vacation during my install, which would make me irate.

Support. If your product is not functioning or performing as expected, do NOT expect your customers to have a current maintenance contract to address a known issue or bug (or an un-known issue or bug for that matter). If they found a bug for you, you should probably give them a maintenance contract for a year… or two. If you don’t let us call support, I will find one of your pre-sales engineers and we will use him or her for post-sales support, which is not what you want them to do. But that’s your problem, not mine.

I believe that sums up the major issues. Specifically, I am interested in security, RADIUS, SSH, SNMP, DHCP and 802.1X functions. Before you add another bell or tweak another whistle, please make what you have works… consistently. That should be first, so it’s my Feature Request #1.

Respectfully,

jj

# # #

The interesting thing to me is the big question of certifying companies v/s individuals.  I think the endgame will involve doing both because you certify companies for methodology and you certify people for skills.

This is the problem with certification and accreditation services as I see it today:

• Security staffing shortage means lower priority:  If you are an agency CISO and have 2 skilled people, where are you going to put them?  Odds are, architecture, engineering, or some other high-payoff activity, meaning that C&A services are candidates for entry-level security staff.
• Centralized v/s project-specific funding:  Some agencies have a “stable” of C&A staff, if it’s done wrong, you end up with standardization and complete compliance but not real risk management.  The opposite of this is where all the C&A activities are done on a per-project basis and huge repetition of effort ensues.  Basic management technique is to blend the 2 approaches.
• Crossover of personnel from “risk-avoidance” cultures:  Taking people from compliance-centric roles such as legal and accounting and putting them into a risk-based culture is a sure recipe for failure, overspending, and frustration.
• Accreditation is somewhat broken:  Not a new concept–teaching business owners about IT security risk is always hard to do, even more so when they have to sign off on the risk.
• C&A services are a commodity market:  I covered this last week.  This is pivotal, remember it for later.
• Misinformation abounds:  Because the NIST Risk Management Framework evolves so rapidly, what’s valid today is not the same that will be valid in 2 years.

So what we’re looking at with this blog post is how would a program to certify the C&A service providers look like.  NIST has 3 viable options:

• Use Existing Certs: Require basic certification levels for role descriptions.  DoD 8570.1M follows this approach.  Individual-level certification would be CAP, CISSP, CG.*, CISA, etc.  The company-level certification would be something like ITIL or CMMI.
• Second-Party Credentialing:  The industry creates a new certification program to satisfy NIST’s need without any input from NIST.  Part of this has already happened with some of the certifications like CAP.
• NIST-Sponsored Certification:  NIST becomes the “owner” of the certification and commissions organizations to test each other.

Now just like DoD 8570.1M, I’m torn on this issue.  On one hand, it means that you’ll get a higher caliber of person performing services because they have to meet some kind of minimum standard.  On the other hand, introducing scarcity means that there will be even less people available to do the job.  But the big problem that I have is that if you introduce higher requirements on commodity services, you’re squeezing the market severely:  costs as a customer go up for basic services, vendors get even less of a margin on services, more charlatans show up because you’ve tipped over into higher-priced boutique services, and mayhem ensues.

Guys, I’m not really a rocket scientist on this, but really after all this effort, it seems to me that the #1 problem that the Government has is a lack of skilled people.  Yes, certifying people is a good thing because it helps weed out the dirtballs with a very rough sieve, but I get the feeling that maybe what we should be doing instead is trying to create more people with the skills we need.  Alas, that’s a future blog post….

However, the last thing that I want to see happen is a meta-game of what’s going on with certifications right now–who certifies those who certify?  I think it’s a vicious cycle of cross-certification that will end up with the entire Government security industry becoming one huge self-licking ice cream cone.  =)

Bookmark to:

In development for more than 30 years, the research is beginning to bear fruit, and may soon spawn more powerful bombs, warheads that tear apart stone and concrete, mines that can be set to stun or kill, and grenades that can swat rockets or mortar rounds out of the sky like flies.

"You can get effects that are more precisely tailored to a particular target," says John Pike, director of Washington military research group GlobalSecurity.org. "And you're able to get a greater effect out of a smaller munition."

Reactive materials are combinations of materials that are normally stable, but, when subjected to sudden shock -- such as striking a target -- release a large amount of energy. Depending on the composition and warhead design, the energy can be released as heat, a blast or a combination of the two. Unlike conventional explosives, RMs cannot be set off by fuses. Technically, they are classified as flammable solids, and they are less hazardous to transport and store than explosives.

While they're more energetic than explosives, RMs are not intended to be a substitute. Instead, they will replace warhead components normally made of metal.

An analysis of U.S. military procurement papers and defense contractor presentations, as well as interviews with companies working on the technology, suggests that a wave of munitions using reactive materials may be headed for a battlefield near you.

The material can dramatically magnify the yield of conventional bombs, and do away with the waste embodied by a bomb's inert metal skin. The U.S. Air Force's 5,000 BLU-122 bunker buster, for example, contains just 780 pounds of explosives; the other 80 percent is the bomb's thick steel casing. DARPA's Reactive Munition program (.doc) aims to replace that steel with RMs, to create a bomb with a blast four times as powerful. Alternatively, a new bomb could be half the size of existing weapons but twice as powerful.

Conventional warheads could also benefit from an RM makeover. For centuries, shells have blasted out steel shrapnel, small pieces of metal that cause damage with their high speed. Defense contractor Alliant Techsystems is developing a warhead called BattleAxe for the Air Force that uses fragments made of RM instead of metal. Those fragments will explode on impact, making the warhead far more effective against soft targets like trucks.

RM shrapnel is also being touted as the ideal way of shooting down incoming rockets and mortar bombs (.pdf).

A radar-guided defense pod can automatically engage incoming rockets or other threats using RM-based grenades. Weapons designers suggest that RMs can be five to ten times as effective as the existing inert shrapnel for this task. Moreover, RM shrapnel can be engineered to burn out at a set distance, so there is no hazard to nearby friendly forces.

Bullets can even be made of RM. The Navy's new electromagnetic railgun has been criticized because it can only fire solid slugs, not the usual explosive shells. However, documents reveal that tungsten-based RM rounds are being developed for the weapon. These will explode on impact, making the railgun effective against buildings, ships and vehicles.

Shaped charges are another application where RMs can increase the effectiveness of existing designs. In a shaped charge, a hollow metal cone is surrounded by explosive material, which is then detonated, forcing the blast through the small end of the cone.

"The action is analogous to stamping on an open toothpaste tube, ejecting the liquid contents," says Douglas Millard of British defense contractors QinetiQ.

Replace the metal liner with RM, and the explosive power of that jet will increase dramatically.

"Such reactions are highly exothermic and therefore lead to the release of large amounts of energy, which is in addition to the kinetic energy within the jet," Millard says. "An increase in the energy coupled into the target occurs and this results in the creation of greater damage to the target."

QinetiQ is marketing an RM-based shaped charge called Connex for oil-well perforation in the civil market. Meanwhile, the U.S. Army is developing a demolition charge called Bam Bam that blasts a jet of RM deep into stone or concrete, producing massive damage

One version of the Bam Bam charge is intended for demolishing bridges and other structures. An alternative version blasts broader, shallower craters in roads or runways, making them useless.

RMs will also transform another mutation called the Explosively Formed Penetrator, a modified version of the shaped charge. Instead of producing a narrow, short-range jet, the Penetrator fires an aerodynamic slug of metal over a long distance. It's best known as a favored weapon of insurgents in Iraq. Again, replacing the metal with RM makes a much deadlier weapon -- after punching through armor, the slug releases energy like a grenade going off.

If you're a weapons designer, RMs also offer amazing flexibility. Alliant Techsystems is building a variable landmine (.pps) -- a so-called "dial-a-yield" weapon that can produce a range of different effects.

At the lowest setting, most of the output would be light -- a dazzling warning that would be impossible to miss. A higher setting would produce intense heat, creating a "discomfort zone" to drive off intruders. The third setting produces a nonlethal blast, like the concussion stun grenades used by Special Forces. If lethal force is called for, the mine could be set to produce either inert shrapnel or reactive shrapnel that explodes on impact.

RM munitions may face legal challenges. Under the St. Petersburg Declaration of 1868, the use of explosive projectiles with a weight of less than 400 grams is forbidden, as is using incendiary ammunition, like napalm, against personnel. But RMs are not technically explosive or incendiary, and although the effect on human targets might cause protests from some groups, they are likely to be accepted, human rights experts say.

"Like any weapon, it would have to go through a lengthy effectiveness and then legal review, " says Marc Garlasco, senior military analyst at Human Rights Watch. "If used in the open against military targets, it does not seem to have any obvious problems at first blush."

However, there may be technology issues too. Although the developers sound very upbeat in all their descriptions of RM munitions, producing material that will reliably release energy only when required is extremely challenging.

"The fact that they've been working on it so long and don't seem to have fielded anything yet suggests that there may be a problem with the technology," GlobalSecurity's Pike says.

Normally new weapons are fielded rapidly if there is a military demand -- assuming they work. So far, RMs have not made it into the field, and the technology may not be as mature as developers suggest.

But Pike also notes that there has been an unprecedented surge in munitions development over the last few years, with "all kinds of weird stuff" being developed.

So after decades of being kept very quiet, reactive materials may soon be making a lot of noise.

---

Check out Danger Room for more on reactive materials.

• Student Loan Borrower
• Parent Loan Borrower
• Consolidation Loan Borrower
  

• Direct Portfolio College Savings - Account Owner, Beneficiary
• Stable Value Plus College Savings - Account Owner, Beneficiary & Account Successor
• Prepaid Tuition Fund - Account Owner, Beneficiary & Account Successor
  

• Early Achievers Scholarship Program - All Participants
• College In Colorado Scholarship Program - All Participants
• College Opportunity Fund (COF) Participants - Paper Applications Mailed In Only
  

“Security in the cloud” just got more complicated with the introduction of “Cloud Mashups”.

What Do You Get When You Cross Salesforce.com and Amazon S3?

The answer we are told is Appirio Cloud Storage - a fully integrated Salesforce.com add-on that uses Amazon’s Simple Storage Service (S3) to store larger files. Previously, Salesforce.com users were limited to 5MB file uploads.

Read this quote from Appirio and think about it from a security perspective:

We’re excited not only about the service itself, but also what it represents. It shows where the industry as a whole can head - as the platforms mature, there is a substantial opportunity for ISVs to tie together the different clouds and provide offerings that extend and fill in the platforms themselves. In traditional enterprise application integration (EAI), packaged integrations were difficult to commercialize. The permutation of versions and customizations created and “n times n” problem, making it too expensive to create something “packaged” that appealed to more than a very small number of customers. But in the cloud, because SaaS providers commit to stable interfaces - Salesforce has maintained backwards compatability for more than a dozen revisions of its API - “integrating the cloud” can become a new class of solution.

From a security risk assessment perspective, you now need to factor in 3rd parties that hook into your “primary” cloud providers API.

If your company goes with Appirio, company data is now stored in Amazon S3 buckets paid for by Appirio, instead of storage paid for by Salesforce.com. This means your data is actually split across both providers (!) - old attachments and CRM data with Salesforce.com and new attachments with Appirio (if someone from Appirio is reading this and can say differently, please do).

As it happens, Salesforce.com already uses Amazon for computing and storage so its the same back-end storage. But what happens when another cloud storage provider pops up that offers a better deal? Lets say salesforce.com stays with Amazon S3 but Appirio migrates to the new player to attract more customers.  [Just to be clear, not picking on Appirio here - this applies to *any* ISV - particularly those that store data somewhere else in the Cloud].

Multiple cloud storage providers for a single app, raises some issues.

• Is ISV obligated to tell you they are migrating to a cheaper cloud storage provider? (think cross border data transfer issues).
• What security ‘certification’ will take place of the new provider and what visibility will you have of that?
• How much notification do you get before the switchover?
• If you don’t want to go with the new provider, but that is the only supported option, what happens to all your data? Even if we *assume* an export function is provided you still need to find an alternate ISV that has coded a compatibility layer to access your existing data. If you can’t, where do you export the data too? Will we have ‘frozen clouds‘?
• What integrity checks take place to ensure data was properly migrated over?
• When the migration happens, what clean-up happens at the source? (can anyone say forensic wiping?). What about any backup tapes or off-line copies? Who is responsible for making sure those are wiped/destroyed?

Suddenly your cloud storage arrangements have gotten more complex and thus, less secure. Security issues aside, how does an agile business cope with this? With multiple providers, data portability becomes a real issue.

And we haven’t even dug into the API level security issues yet! (yeah, you get to assess that too!).

As an Information Security community, we have to start figuring out some of these issues before we find our options severely limited…

What do you think?