Securosis Blog

Network vs. Application Security

Adrian Lane · August 6, 2008

Should network and application security proceed along separate, independent tracks?

Should software security focus solely on the in-context business issues concerning security, and have network security focus on not allowing the software and infrastructure to be undermined?

Clear Database Stolen

Adrian Lane · August 5, 2008

Nice! The Clear database was on a laptop that was stolen at SFO.

What a great database breach to shed light on this implied-security-related-but-really-not revenue opportunity known as Clear. I guess I am chuckling about this, but as I don’t know what is contained in that data set, I do not know how dangerous this leak is to the members who signed up for it.

UMG Piracy Trial

Adrian Lane · August 5, 2008

The piracy trial is getting interesting. Vivendi SA’s Universal Music Group won a $222,000.00 verdict against defendant Jammie Thomas for making songs available via Kazaa. The problem is that no one downloaded the songs; they were only discovered by MediaSentry. The entire case hangs on what constitutes “making available”, and how it differs from distribution. The judge in the case actually stated he may have committed a “manifest error of law” by instructing the jury that making files available is…

Must Be DefCon Time

Rich · August 4, 2008

My kitchen table: photo.jpg

Thanks to the unorthodox release of the DNS bug, there’s been a lot of debate in the past few weeks over disclosure. I posed a question here on the blog, and reading through the responses it became obvious that all of us base our positions on gut instinct, not empirical evidence. Andrew Jaquith, in the comments, suggested we take a more scientific approach to the problem, and this inspired my latest Dark Reading article, and a poll. Here’s an excerpt:

It won’t come as a surprise to anyone, but Adrian and I will be out in Vegas for Black Hat and DefCon. I arrive Tuesday morning and Adrian arrives Tuesday night. He’s there through Saturday morning, and I’m around to the bitter end.

The Art of Dysfunction

Adrian Lane · July 29, 2008

Another off-topic post.

They say when you are frustrated, especially with someone in an email dialog, write-delete-rewrite. That means write the reply that you want to write, chock full of expletives and politically incorrect things you really want to say, and then delete it. Once you are finished with that cleansing process, start from scratch, writing the politically correct version of your reply. This has always been effective for me and kept me out of trouble.

A Question

Rich · July 24, 2008

If you can tell, with absolute certainty, that systems are vulnerable to an exploit without needing to test the mechanism, what good is served by releasing weaponized attack code immediately after patches are released, but before most enterprises can patch?

We’ve covered a lot of ground over the past few posts on endpoint DLP. Our last post finished our discussion of best practices and I’d like to close with a few short fictional use cases based on real deployments.