When I discussed this openly with Waters in Muddy Waters comments they kindly replied that “customers are loath to be a reference client for a vendor,”  like this fact somehow justifies having 600 people, most who have never actually used the software in practice, vote on how great it is.  

Follow the Yellow Brick Road.

Or, as Mark Adler pointed out in his well written blog post The First Annual Fluffies for CEP , a secretive “panel of renowned judge” is going to tell us, via Jolt, who has the better solution?  Holy Cow Batman!   Let me buy a nice layout in your magazine  or web site,  please, so “my software company” will be on the short list for the “the awards”.  

Follow the Yellow Brick Road.

All this smoke-and-mirrors. share-the-love, marketing reminds me of The Matrix a bit, where the world as we observe it, is a complete artificial construction, where most people in the Matrix believe they are “real” because they do not know that they really just a computer generated program designed to keep humans happy as they sleep in some cold goop with electrodes stuck up their you-know-what, really just bio-batteries insuring the light bill is paid.

Follow the Yellow Brick Road.

Or better yet, these fluffies are similar to most of the Webinars we see where there are questions from “the audience” but we know that most of these questions did not come from the “audience” - yet we all seem to continue ”the  audience” myth just like Santa Claus and the Easter Bunny! 

Follow the Yellow Brick Road.

The Easter Bunny, Santa Claus, the Tooth Fairy and the Fluffy Awards are real, if you want them to be real.  Just close your eyes and click your heels three times….

Follow the Yellow Brick Road. Follow the Yellow Brick Road.
Follow, follow, follow, follow,
Follow the Yellow Brick Road.
Follow the Yellow Brick, Follow the Yellow Brick,
Follow the Yellow Brick Road.

We’re off to see the Wizard, The Wonderful Wizard of Oz.
You’ll find he is a whiz of a Wiz! If ever a Wiz! there was.
If ever oh ever a Wiz! there was The Wizard of Oz is one because,
Because, because, because, because, because.
Because of the wonderful things he does.
We’re off to see the Wizard. The Wonderful Wizard of Oz

Collaboration in the Cloud

Forward thinking companies use collaboration technologies to melt away the physical distance between disparate offices, remote workers and suppliers.  Investments in R&D projects to create the next generation of business collaboration technologies and starting to bear early fruits and are worth paying attention to - especially if you get paid to “do security”.  One major focus area is Virtual Worlds.

Teleporting Virgins

The big news in the Second Life research community is that avatars (”virtual people”) have successfully teleported between distinct virtual worlds.  The virgin teleporters went from a Second Life Preview Grid - an experimental grid completely disconnected from the Main Grid - to a virtual world running IBM OpenSIM.

At this stage there is intentionally no asset transfer going on at all - in other words, you can’t take your “stuff” from one world to another - but that will come in time as the Open Grid Protocol is extended.  Today just login and teleport are supported.  No stealing those trade secret “assets” yet ;-).

Linden Labs speaks to this issue:

Q: How will Linden Lab prevent property from being copied into other virtual worlds?
We’re paying extremely close attention to that question. We will be designing this with the Second Life community to ensure their needs are met. We want to stress that when it does become possible to move avatars between worlds, we will take the utmost care to protect the rights of Second Life property owners and creators. Linden Lab will not design a system that lets people openly violate the permissions of SL goods and take them to other worlds. We recognize that intellectual property is the engine that drives Second Life, and we are completely committed to preserving the qualities that make Second Life the unique, innovative and dynamic place that it is today.

With my “hacker-vision” ™ enabled I see *all kinds* of opportunities for mischief here.  I’m betting we’ll see imaginative attacks as the usual cat and mouse game of vulnerability research and vendor response plays out.  “Sorry boss, someone hijacked my avatar and now I’m stuck on this desert island for who knows how long!”.

Threat Profiling Second Life

Getting back to reality, people are already exploring Virtual World security.  Michael Thumann of ERNW in Germany is a pen-tester and security researcher and in this 10 minute video, Michael shares the result of his security research on Second Life.

He covers:

• In-game cheating
• Identity theft
• Attacking 3rd party servers using Linden Scripting Language (think about the liability issues and the providers ability to track abusers)

For those interested in more detail, the full presentation he gave at BlackHat Europe 2008 in Amsterdam is here (pdf).

Of particular note, Michael applied a formal threat model approach to the research - STRIDE from Microsoft.

In a future post I’ll talk more about threat profiling in the context of Cloud Computing vulnerability research and specific API security vulnerability classes we can expect to see exploited.

The towers are gone now, reduced to bloody rubble, along with all hopes for Peace in Our Time, in the United States or any other country. Make no mistake about it: We are At War now -- with somebody -- and we will stay At War with that mysterious Enemy for the rest of our lives. 

It will be a Religious War, a sort of Christian Jihad, fueled by religious hatred and led by merciless fanatics on both sides. It will be guerilla warfare on a global scale, with no front lines and no identifiable enemy. Osama bin Laden may be a primitive "figurehead" -- or even dead, for all we know -- but whoever put those All-American jet planes loaded with All-American fuel into the Twin Towers and the Pentagon did it with chilling precision and accuracy. The second one was a dead-on bullseye. Straight into the middle of the skyscraper. 

Nothing -- even George Bush's $350 billion "Star Wars" missile defense system -- could have prevented Tuesday's attack, and it cost next to nothing to pull off. Fewer than 20 unarmed Suicide soldiers from some apparently primitive country somewhere on the other side of the world took out the World Trade Center and half the Pentagon with three quick and costless strikes on one day. The efficiency of it was terrifying. 

We are going to punish somebody for this attack, but just who or what will be blown to smithereens for it is hard to say. Maybe Afghanistan, maybe Pakistan or Iraq, or possibly all three at once. Who knows? Not even the Generals in what remains of the Pentagon or the New York papers calling for WAR seem to know who did it or where to look for them. 

This is going to be a very expensive war, and Victory is not guaranteed -- for anyone, and certainly not for anyone as baffled as George W. Bush. All he knows is that his father started the war a long time ago, and that he, the goofy child-President, has been chosen by Fate and the global Oil industry to finish it Now. He will declare a National Security Emergency and clamp down Hard on Everybody, no matter where they live or why. If the guilty won't hold up their hands and confess, he and the Generals will ferret them out by force. 

Good luck. He is in for a profoundly difficult job -- armed as he is with no credible Military Intelligence, no witnesses and only the ghost of Bin Laden to blame for the tragedy.

One unintended lesson I take away from Hunter's life is how important patience is. Obama is a politician and may yet disappoint us all, but I gotta believe Hunter would be seriously impressed. If he had waited another couple of years, he may have seen a lot of the stuff he fought for in 1968 and 72 come to fruition. Sometimes you are just 36-40 years ahead of your time and you have to be ok with that and figure out how to deal if possible. (Note - it sure sometimes feels this way in software security). Speaking of security:

Security 

by Hunter S. Thompson (1955). 

Security ... what does this word mean in relation to life as we know it today? For the most part, it means safety and freedom from worry. It is said to be the end that all men strive for; but is security a utopian goal or is it another word for rut? 

Let us visualize the secure man; and by this term, I mean a man who has settled for financial and personal security for his goal in life. In general, he is a man who has pushed ambition and initiative aside and settled down, so to speak, in a boring, but safe and comfortable rut for the rest of his life. His future is but an extension of his present, and he accepts it as such with a complacent shrug of his shoulders. His ideas and ideals are those of society in general and he is accepted as a respectable, but average and prosaic man. But is he a man? has he any self-respect or pride in himself? How could he, when he has risked nothing and gained nothing? What does he think when he sees his youthful dreams of adventure, accomplishment, travel and romance buried under the cloak of conformity? How does he feel when he realizes that he has barely tasted the meal of life; when he sees the prison he has made for himself in pursuit of the almighty dollar? If he thinks this is all well and good, fine, but think of the tragedy of a man who has sacrificed his freedom on the altar of security, and wishes he could turn back the hands of time. A man is to be pitied who lacked the courage to accept the challenge of freedom and depart from the cushion of security and see life as it is instead of living it second-hand. Life has by-passed this man and he has watched from a secure place, afraid to seek anything better What has he done except to sit and wait for the tomorrow which never comes? 

Turn back the pages of history and see the men who have shaped the destiny of the world. Security was never theirs, but they lived rather than existed. Where would the world be if all men had sought security and not taken risks or gambled with their lives on the chance that, if they won, life would be different and richer? It is from the bystanders (who are in the vast majority) that we receive the propaganda that life is not worth living, that life is drudgery, that the ambitions of youth must he laid aside for a life which is but a painful wait for death. These are the ones who squeeze what excitement they can from life out of the imaginations and experiences of others through books and movies. These are the insignificant and forgotten men who preach conformity because it is all they know. These are the men who dream at night of what could have been, but who wake at dawn to take their places at the now-familiar rut and to merely exist through another day. For them, the romance of life is long dead and they are forced to go through the years on a treadmill, cursing their existence, yet afraid to die because of the unknown which faces them after death. They lacked the only true courage: the kind which enables men to face the unknown regardless of the consequences. 

As an afterthought, it seems hardly proper to write of life without once mentioning happiness; so we shall let the reader answer this question for himself: who is the happier man, he who has braved the storm of life and lived or he who has stayed securely on shore and merely existed?

A ship is safest at port, but thats not why we build ships.

I stumbled across a great video on a blog post from the SOURCE Boston conference.

Careers in information security are often difficult to navigate, with the industry changing more and more radically every year. This is even more true in an economy that isn’t necessarily thriving. We’re going to talk about the important skills, traits and knowledge that a security pro needs to build a long-term and successful career – not just the usual stuff (like “get certified”), but the real-world knowledge that teaches you how to have the job that keeps you challenged, growing and well-compensated.

If you are even thinking about a role in Information Security or wandering about your next step in the industry - this in-depth talk by Lee Kushner and Mike Murray is for you.

How do you keep yourself special? Share in the comments…

Today I have been authorized to share with you some of the unique facets of the Mozy Awesome Process that until now have been tightly controlled trade secrets of Mozy, Inc. It all starts with giant robots (virtually perpetual sources of raw Awesome). We attach them to special Awesome Siphons of our own design and pipe the yield directly into our engineers’ development workstations. Further, peripheral Awesome needs are farmed from old He-Man reruns, a roomful of ninjas wailing on electric guitars, and our captive Happy Fun Ball.

The crude Awesome is skillfully transformed by Mozy engineers into powerful software and hardware configurations, then carefully inspected and regulated according to a host of eldritch acronyms: SWAGs, PMQs, PRDs, and the ever-inspiring CFRRCs. Once a successful creation is stamped with the Seal of Acronymic Approval for Mozy (SAAM), it is subjected to final endorsement by the mystical, revered Mozy Leprecorn*. Finally, a highly trained team of Box Monks put the new Awesomery into place in the Mozy systems, where it becomes available to you, the user.

Our rigorous Awesome Enforcement Policies and Magical Oversight have brought us to what we believe is the most Awesome-efficient development process in the world of backup software.

Be safe,
Paul Cannon
Mozy Software Engineer

*Leprecorn (noun): a rare but phenomenal creature; half Unicorn, half Leprechaun, and all magical.

Visit Mozy now for a great reliable online backup service, I use it myself.

Vote for Mozy
Lifehacker is currently holding an online backup showdown. Show your love for Mozy. Vote now.