Malware implicated in fatal Spanair plane crash

•September 2, 2010

http://www.msnbc.msn.com/id/38790670/ns/technology_and_science-security/?gt1=43001

Umm, wow, this is not good.

Cybersecurity and National Policy

•April 17, 2010

Dan Geer recently published the article Cybersecurity and National Policy in the Harvard Security Journal. He outlines his views of the state of cybersecurity and makes some fascinating observations. For those of you who aren’t familiar with him, just google his name for more information.

Here are some snippets:

“I currently define security as the absence of unmitigatable surprise.”

“To set the rest of what I am going to say on the bedrock of its foundation, the United States’s ability to project power depends on information technology, and, as such, cyber insecurity is the paramount national security risk.  This point bears repetition: because the United States’s ability to project power depends on information technology, cyber insecurity is the paramount national security risk.

Those with either an engineering or management background are aware that one cannot optimize everything at once — that requirements are balanced by constraints.  I am not aware of another domain where this is as true as it is in cybersecurity and the question of a policy response to cyber insecurity at the national level.  In engineering, this is said as “Fast, Cheap, Reliable: Choose Two”.  In the public policy arena, we must first remember the definition of a free country: a place where that which is not forbidden is permitted.  As we consider the pursuit of cybersecurity, we will return to that idea time and time again; I believe that we are now faced with “Freedom, Security, Convenience: Choose Two”.”

How Robber Barons hijacked the telegraph system

•December 3, 2009

Ars Technica has a great article about how people locked in control of the telegraph system and the news media via the Associated Press.

http://arstechnica.com/tech-policy/news/2009/12/how-the-robber-barons-hijacked-the-victorian-internet.ars/1

I am always amazed at how history repeats itself. This may be especially relevant given some companies are trying to merge content creators with content delivery, such as the Comcast-NBC deal that is being formulated now.

The Bedazzler

•September 30, 2009

This is so cool, I don’t even know where to begin:

http://ladyada.net/make/bedazzler/

iPhone fix

•September 7, 2009

This article helped me fix my iPhone, in case anyone else has problems with iTunes syncing: http://www.webmilhouse.com/7b/?p=150

Twitter for Botnet control

•August 17, 2009

Arbor Networks is posting that Twitter is being used for botnet control. As those of you who know me are aware, I said as soon as I read about Twitter that it could be used as a botnet C&C.

As new technologies start being adopted in the mainstream, cyber criminals will always adopt them if they are cost effective and if they allow the criminals to circumvent protections.

BlackHat 2009 Presentation

•August 3, 2009

So BlackHat and Defcon 2009 are both over. I have put up the final slides here:

http://peterguerra.files.wordpress.com/2009/08/bhturbotalk_economics_guerra.pdf

Let me know if you have any questions.

SLE, Quantitative versus Qualitative Risk, and Finance

•July 7, 2009

The CISSP and other risk management frameworks typically use a combination of Quantitative and Qualitative methods for risk analysis. Both of these methods rely on a probability calculation — i.e., how likely is something to be attacked. I would argue that with the current threat environment, if something is turned on and plugged into a network, that probability number should always be 1.0 (or 100%). In other words, any asset that is plugged into a network has a 100% chance that it will be attacked in some way over time. What does everyone else think?

BlackHat 2009

•June 6, 2009

My abstract was accepted for BlackHat 2009: http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Guerra. Yay!

BlackHat is always a good time, hope to see you there.

White House Cyber Security Review is out

•May 29, 2009

The White House just released their Cyber Security Review online: Cyber Security Review

In addition, Melissa Hathaway released a statement on her blog talking about the contents of the report.

It is interesting that this happened about the same time as the Cybersecurity Act of 2009 is moving through the Senate. Here is some commentary about that Senate Bill.

A good friend of mine has been saying for years that if we don’t get our own act together, eventually the government is going to regulate our industry and/or require some form of licensing for security professionals. Looks like he was right.

 