27 posts categorized "Martin McKeay"

May 30, 2008

Not "who you gonna run to" but "who you gonna call"?

You could try Ghostbusters, but don't bother calling the PCI Council. So say Mike Fratto and Martin McKeay in response to my earlier article about when you have an obligation to go public. Of course I was responding to Martin's earlier post on the TJX employee getting fired. What all three of us agreed on, though, is that there is no place or person that an employee, or frankly any other person, can call to report a company that is not in compliance with PCI.

Mike Fratto says "PCI has no teeth because VISA/Mastercard doesn't want to bite the hands that feed it." Martin says the PCI Council has not established a way for people to report violations because "that'd make the Council responsible for acting on those reports. And that's something they really, really don't want." So are the PCI regs toothless? I wouldn't go quite that far. I think we have to draw a distinction between having the power to act and actually exercising that power. Mike is right that so far the PCI Council has yet to exercise the powers it was granted to impose sanctions and penalties. That doesn't mean it won't in the future, though. I think it will have to make some "examples", otherwise people are going to begin to ignore the requirements altogether.

Without some process to report violations, the credit card companies are inviting the government to step in. As Mike Fratto points out, keeping the government out is exactly the reason they imposed the PCI regs to begin with. Until they do set up such a process, I think going public and the court of public opinion may be the only recourse.

May 29, 2008

When do you have an obligation to go public?

No, not IPO public, but public about disclosing employer secrets which could pose a risk to the public. My friend Martin McKeay has written an article about the recent firing of an employee of TJX for disclosing, in a public forum, continued poor security practices by TJX. The same TJX, I might add, whose slipshod security practices caused hundreds of thousands, if not millions, of dollars in bank fraud to occur.

Many have categorized CrYpTiC_MauleR, the employee who disclosed the information on hackers.org, as a "whistleblower". Whistleblower is a term of art and in many circles will invoke some special immunity for the person who disclosed the confidential information. However, usually the disclosure is made to a person or entity with the power, or at least the willingness, to take corrective action. In this case, I think that is the missing prerequisite. Just disclosing this information on a public message board does not meet the burden of defining this as whistleblowing. I think Martin is right on there. He says CrYpTiC (if I can call him that) was not a whistleblower in the strictest sense of the word and is not due any protection. He is just another person who violated his employment terms, and his termination by TJX was perfectly justified. Let me say that I don't disagree with Martin about TJX having the right to fire CrYpTiC. They certainly do.

I have a problem with Martin when he says that CrYpTiC should have done what he has done, and that is keep your mouth shut and move on to the next opportunity. I think that depending on the level of wrongdoing, not only is that wrong, but by willfully withholding certain information from the authorities it could make you guilty as an accomplice! Think about it, Martin: if you knew your employer was committing a crime and you just quit your job rather than report that crime, you are an accomplice. When does the responsibility for the general good outweigh your obligation to your employer? Is sticking your head in the sand and moving on, while letting illegal or irresponsible behavior go on, the right posture? I say not.

I think CrYpTiC felt strongly enough that what TJX was doing was wrong that he posted it publicly. Though he did it anonymously and did not think it would be traced back to him, he felt strongly enough that what TJX was doing was wrong that he wanted the world to know. When he made that decision, he also made the decision that letting the world know the truth was more important than his job at TJX. I am sure the potential future victims of TJX fraud who will now be spared that loss would thank him for it.

Martin, there comes a time when keeping your mouth shut and moving along does not cut it. You have a duty to alert the proper authorities for the greater good of the public. The question is, when does your duty to disclose surpass your duty to keep your employer's information private? I think that is a personal question that each of us has to answer ourselves. Clearly criminal activity should be disclosed, otherwise you risk criminal exposure. Beyond that it is a judgment call. But saying not to disclose and just move on is appeasement at its worst.

The real question is why the PCI Council or the government doesn't have a forum for people like CrYpTiC to go to in the future. That is what is needed!

February 14, 2008

StillSecure, After all these years, #53 - SSAATY meets the Network Security Podcast

Someone put chocolate on our peanut butter! Mitchell and I got on a party line to record episode 53, and who else was on? None other than that dynamic duo from the Network Security Podcast, Martin McKeay and Rich Mogull! The four of us had a great time talking about one of Martin's favorite topics: privacy. Should what you put online be held against you by your employer? Do you have any expectation of privacy for all of this information you are posting on Twitter, Facebook, etc.? These topics and more come under the glare of the four of us.

We also talk about HP's boast of employing 9 of the top 11 security hackers (shades of the infamous top 59 list). There is a special message for all security bloggers and podcasters, as well as security media types who are attending RSA; if you don't know what we are talking about, contact us.

If you like the content of these shows or have any other comments or questions, please drop us a line at podcast@stillsecure.com

Thanks to ClickCaster for hosting our podcast. Tonight's music is the usual, To the Summit by Jon Schmidt. You can hear more from Jon at http://www.jonschmidt.com. Music transitions between segments are by our own Mitchell Ashley!


September 06, 2007

The new Abbot and Costello?

One of the things that has made the SSAATY podcast enjoy any degree of success (in our own minds anyway) is the fact that rather than just me talking, I was smart enough to ask Mitchell Ashley to join me as co-host. Originally Mitchell was sort of Ed McMahon to my Johnny, but over time our close personal friendship and interaction has resulted in our being equal co-hosts of the show. I know that the energy we generate from our interaction is what powers our podcast and makes our guest interviews interesting as well. The same goes for my friends Paul and Larry over at the PaulDotCom podcast (they actually have an even bigger cast, and I have their new book and am trying to find time to read it and review it). So I am very happy to see that two friends of mine have teamed up on a podcast. Martin McKeay, one of my first friends in security blogging and the host of the first podcast I ever appeared on, and Rich Mogull are teaming up, with Rich as co-host on Martin's podcast. The first episode was just posted.

I am sure that Rich will add much to Martin's already great body of work. I think they will both find that 1+1=3 when it comes to podcast co-hosts. After so long going solo, Martin will find that having someone else to bounce ideas, banter and thoughts off of is going to make the podcast much better. Rich is a guy who has opinions on security for sure, but can tell a good story as well. I wish both of them luck, and if you get a chance, check out their show for sure!

July 19, 2007

Stop the craziness

I have remained silent on the whole Apple Worm/InfoSec Sellout/LMH-Maynor thing so far. However, I have now read an article in ComputerWorld, in addition to Martin's early, erroneous CW article, Cutaway's post and finally this blog post, and Dave Maynor has finally responded on his blog, calling bullcrap on the whole thing.

My take on this is that the sellout, though he said not nice things about me, was afraid to identify himself because it would cost him his job. When he announced this Mac worm, things spun out of control; there was too much heat for him and it risked blowing his cover. From that point on the buzz spun out of control. Too many people were trying to figure out who he was, and the next thing you know the site is pulled down. He had a thing for Dave, so people start looking at motive and Dave is their man. So with the armchair Perry Masons running wild, sellout sees a perfect opportunity to capitalize and take the heat off of himself. Next, emails start showing up, allegedly from Maynor, saying that he is in fact LMH.

Guys, let's stop the madness. Dave Maynor is not LMH, and neither is sellout. All of you armchair detectives, back in the box. If there ever was in fact a Mac worm, who cares frankly at this point. It is amazing how these things spin out of control.

June 06, 2007

To each his own . . .

Martin anticipates me weighing in on an article by Chris Hoff on a new ad by Big Fix that ran in USA Today. I paste the picture of the ad here strictly for context, of course!

Do I think it is sexist? Yes. Is this the image I would want to convey for my security company? No. Let me ask this question: if it was a hot blonde in a bikini, would it be worse? Not sure. Does the big gun in her hands signify anything? Don't even want to go there. Is she a Vulcan or a Shadowrun elf? Does it really matter? Maybe there is an inside story on this that we are all missing. Ryan, Amrit, is there anything we are missing? Is this a representation of anyone who works there?

The bottom line for me is, I don't think our marketing team would want to invoke this kind of image. I am sure the Big Fix team did some extensive research and know that this type of message and image is exactly what they are "shooting for" and appeals to their intended audience.

March 15, 2007

It truly is a golden age for security bloggers

Back in September of 2006, I wrote an article about this being a "golden age" for security blogging and podcasting. I was afraid at the time that this golden age of innocence might be short-lived due to commercial pressures that would take away the special comradeship that exists among the security blogging community. I am happy to report that so far that is not the case. The folks at ITSecurity.com have put out a list of the 59 Top Influencers in IT Security. Reading the list, I was amazed at how many of these folks I have developed relationships with over the years via blogging. The community is really making a difference and leading the industry. I know Martin (number 11 on the list, congratulations!) thinks we are just talkers and the real heroes are the doers, but still I am very proud to be associated with this group of folks. I hope we can use our leadership and influence to do good things around security.

Of course, I would be remiss if I did not mention that I was listed number 2 on the list behind Amrit Williams. I am humbled and grateful for the recognition. Other notables and friends on the list include Mike Rothman at 7, Mitchell at number 9, Michael Farnum, Michael Santarcangelo and just about everyone else. Congratulations to you all, you all deserve it. I was also really proud to see the Security Bloggers Network, which is now 65 blogs strong, at number 19. I feel responsible for starting the Network and hope to see it continue to grow in influence and usefulness.

March 07, 2007

StillSecure, After all these years, Podcast #33 Alan, Martin and Mitchell

No, it is not a remake of an old 60's folk song (Abraham, Martin and John), but the newest member of the StillSecure blogging/podcasting corps, Martin McKeay, joins Mitchell and me for a look at what's happening in security. It is a bit long, but we cover some good topics.

In this week's Converging Minute, Mitchell talks about open source business models and licenses and how they are changing.

In This Week in Security, the three of us talk about:

1. Open Source licenses
2. Symantec banging on Vista
3. Randal Schwartz's party for "nothing"
4. Sourcefire IPO

If you like the content of these shows or have any other comments or questions, please drop us a line at podcast@stillsecure.com

Thanks to ClickCaster for hosting our podcast. Tonight's music is the usual, To the Summit by Jon Schmidt. You can hear more from Jon at http://www.jonschmidt.com. Music transitions between segments are by our own Mitchell Ashley!

Download: http://clickcaster.com/resource/audio/stillsecure--after-all-these-years--podcast--33-alan--martin-and-mitchell.mp3

February 27, 2007

Friends who blog ... and work together

This is not a post about Mitchell. But most of you may already know what we announced and made official today. My good friend Martin McKeay has joined our company as product evangelist. Martin was one of the first people I met through blogging, and over time we have developed a close friendship. Also, over that time I have admired Martin for his ability to take his technical background and marry it to his passion for blogging, podcasting and journalism to become the person he is today.

Martin's role in our company is to evangelize our products and some of the research that Mitchell's team is working on. Over time Martin's role will become more defined, and I am sure he will be a valuable contributor. When Mitchell and I were speaking about this role, it seemed a natural fit for Martin. Everything just lined up right, in that Martin was looking to go in a new direction, and we needed his exact mix of technical and marketing skills and his web 2.0 chops. In Yiddish there is a word, beshert, which roughly translated means "it was meant to be". Actually the concepts of fate and pre-determination and all of that mystic stuff are rolled into beshert too. Bottom line is, it just feels right.

So Martin, welcome to the StillSecure team. We are proud and happy to have you on board. We are also sure that you are going to be a valuable piece of the puzzle towards our success. If nothing else, between Mitchell, you and me, we will be well represented in the blog-o-sphere. To the rest of you security bloggers/podcasters out there, not to worry, eventually we will hire you too ;-)

February 09, 2007

What happened to day 3 of our RSA podcast?

Well the answer can be summed up in 3 bullets:

1. Mitchell is lucky most of his necessary organs and appendages are attached to his body. First he lost his Motorola Q phone on the shuttle bus from the show. Luckily he had phone insurance and was able to get a replacement. Of course he lost all of the numbers and info stored on the phone. Then at the bloggers party (more on that later), after a full day of recording some great interviews (including a fantastic discussion on booth babes with Ross, Rothman, the Phantom Blogger and me), Mitchell leaves the damn brand-new portable recorder at the place and it is now gone! They don't have portable podcaster machine insurance, so Mitchell is out on that one. Frankly, I wouldn't have been quite so heartbroken if we had at least downloaded the audio files on there. I am going to start bringing a tag with Mitchell's name and phone number, as well as the hotel he is staying at, for Mitchell to wear at these events, in case he gets lost too.

2. In the immortal words of Dean Wormer in Animal House, "fat, drunk and stupid is no way to go through life". I try not to get too crazy at shows and make sure I get a good night's sleep, as my schedule at these things is usually packed. Well, I was so excited about meeting so many virtual friends in person at the bloggers party that I went to three more places drinking with the boys and stayed out until almost 3am. Even with Mitchell losing the podcasting equipment, I still could have put up an update on the day's activities. I didn't when I finally got to my room, because I was afraid of what drunken ramblings would find their way onto the blog. I guess Mitchell was not as worried about that. Instead I threw my clothes all over the room and went right to bed. Four hours later, I woke up still buzzing and headed over to the show before going back to pack and finally flying home. I think for the next show I am going to go on a diet, so I will just be drunk and stupid.

3. The Blogger/Podcaster party - As Martin, Michael Farnum, Rothman, Mitchell and I don't know how many others have mentioned, the party even exceeded our expectations. I have not had this much fun in a long time. I was really looking forward to this event for a long time. I really felt like I knew most of these folks already. Some of them, like Farnum, Martin, Rothman and even Ross, I count as my blogger family (maybe posse is a better word). I can't wait for next year's show and have some ideas I will be blogging and discussing later. One fact that was really heartening to me was that most of the folks there were also part of the Security Bloggers Network. The network has really picked up, and if any security blogger/podcaster wants to join, drop me a line at podcast@stillsecure.com. Also, Rich Mogull is someone I was really looking forward to meeting. I think we will continue to keep in touch and become fast friends. The good will and free drinks (thanks Microsoft and Fortinet) resulted in me continuing on a binge for the rest of the night. As Michael mentioned, I did have an altercation with a cab driver, but it was all in a night's work. I am not going to rehash it here; Mitchell and Michael can if they want. Just another moment with Shimel, as far as I am concerned.

So, I have no update for day 3, the dog did not eat my homework and now you know why.  If I can ever get around to it, I will try to

November 28, 2006

Right or wrong - you have no right to privacy in your email

My friend Martin McKeay is back up and writing over at ComputerWorld. Martin was under the weather for a while, and I am glad to see him feeling better and blogging. Martin writes today about the fact that under the Stored Communications Act (SCA), the government has had the ability to view email for nearly 20 years. Having been in the ISP/Web Host business, I can tell you that generally, if a government official asked us for access to records, we complied rather than risk the wrath of the government. I agree with Martin that the ability of the government to read my mail anytime they want does make me a bit uncomfortable. However, right or wrong, that is the way it is.

In fact, whether it be the government or your employer or someone else, you have to assume that any email you write can be read and used by someone else. It is just a fact of electronic/digital life that we do not have the same expectations of privacy in our digital communications as we do in the analog world. I don't agree with it. I also am uncomfortable with the ease of access to private information on any one of us on the web, but these are consequences of living in this digital information age. Sure, there are ways to shield your communications. You can send mail not through your ISP's server but through some anonymous service, you can encrypt your messages in transit, you can wipe your hard disks. The question is how many hoops you want to jump through and whether it is worth it. I would bet most of us just don't care enough to jump through these hoops. So, right or wrong, agree or disagree, our privacy being violated regarding our email is just something we have to live with, I think.

November 02, 2006

Follow up from some comments

Sometimes people send me comments via email that don't make it to the comments section on the blog. Some of these are important enough that I think you all should be made aware of them. In that vein, Kim Markle over at Juniper informs me the acceleration technology for the Juniper BOBs comes from their acquisition of Peribit, not Redline. Also, on the Juniper BOB article, Michael Farnum corrects me in that it seems the Juniper secure gateways do have some partners' AV and content filtering options available. Thanks to Kim and Michael for the updates and education!

As to my post yesterday on Zillow, I committed a blogging faux pas by not linking to Martin McKeay when I called him out yesterday as Captain Privacy and asked him to comment. Martin actually formally responded to my post and you can read it here. Both he and Andy ITGuy pointed out that the Zillow information was always available at the local tax records center, so what Zillow is doing is less invasive. While I was aware of this, much of the information that Choicepoint keeps, or that search engine where you can look up people's facts (I forget its name now), is also culled from publicly available information. However, it is the ease of availability and distribution that makes it too easy for the casual seeker that I think bothers me. Anyway, thanks for commenting, guys.

October 03, 2006

Security Roundtable Podcast #5

The Security Roundtable, that crazy bunch of security/podcasting guys that I am lucky enough to be part of, has just posted episode #5. For this one, our special guest was Dan York of VOIPSA and the Blue Box podcast. We all got a good lesson on VOIP security. Definitely take a listen. You can get it here.

Besides Dan, the Round Table members on the panel for this one were:

Paul Asadorian | Pauldotcom Security Weekly

Martin McKeay | Network Security Podcast

Larry Pesce | Pauldotcom Security Weekly

Michael Santarcangelo | The Security Catalyst

Alan Shimel | SSAATY (Still Secure After All These Years)

I love doing these round tables and hope you have as much fun listening to them.

September 22, 2006

StillSecure, After all these years, Podcast #15

An All Star Cast brings you "Selling Security up the Ladder". In what may go down as a classic, tonight's episode of SSAATY is proud to give you:

Martin McKeay of Network Security blog and podcast and ComputerWorld

Michael Farnum of An Information Security Place and ComputerWorld

Bobby Dominguez of Sykes, Inc. and

Special Guest Star: Mike Rothman of Security Incite

They discuss how to make your executive team take security seriously and approve the budget and resources you need to secure the enterprise. Don't miss this one!

We will return to our regular format next week.  Enjoy the show.

As usual, thanks to ClickCaster for hosting my podcast. Tonight's music is again from Jon Schmidt, To the Summit. You can hear more from Jon at http://www.jonschmidt.com.


Download: http://clickcaster.com/resource/audio/stillsecure-after-all-these-years-episode-15.mp3

September 18, 2006

Is this the "Golden Age" of blogging and podcasting?

I was putting the final touches on the agenda for tonight's SSAATY podcast. I think this is going to be our best podcast yet. We have an All Star cast with a virtual who's who of security bloggers and podcasters on the panel. The topic is selling security up the ladder. The panel is made up of Martin McKeay of Network Security blog and podcast, Michael Farnum of Information Security Place, Michael Rothman of Security Incite, Michael Wright of MCWresearch and Bobby Dominguez of Sykes. To think that we could assemble such a distinguished panel on rather short notice speaks volumes about how powerful the blogging/podcast medium has become. I also think that because we have not yet reached the point where blogging and podcasting have become too commercial (at least in regards to security), it is still possible to call on members of the community to do worthwhile shows like this.

My thoughts are that as the medium continues to grow and commercial pressure increases, we are going to leave behind this golden age of innocence where people are doing their blogs and podcasts as much for the passion as for the money and fame. I saw it happen to the web and to many other things. I guess it is inevitable. Until then, let's all enjoy it while we can.

In case you are interested, we will be recording tonight and I will be posting the podcast as soon as possible, within a few days for sure. Be on the lookout, as it should be a good one! BTW, if this is the golden age of blogging and podcasting, does that make Rothman Uncle Milty?

September 07, 2006

Martin McKeay's heart is in the right place but he misses the point

My friend Martin McKeay has his heart in the right place in defending Eric McCarty, who "poked around" the USC web site, found a vulnerability and is now being prosecuted for his poking around. I agree with Martin that he is probably pressured into taking a plea on this case because he does not have the resources to fight it. However, what Martin is overlooking is that McCarty (who is not some USC student innocently on the site, but a security professional) was illegally on this site and used the flaw to access 7 records. I am not claiming that he did anything wrong with those 7 records, but he knew the law and broke it. There is a right way and a wrong way to do this, and McCarty clearly did this the wrong way.

If someone broke into your house and discovered something illegal you had in the house (drugs or illegal immigrants, take your pick), and that person went and told the government, should that be admissible? No, it was obtained illegally. But forget the legal machinations here; let me tell you what I think the real issue is. Vulnerability "researchers", in their never-ending quest for glory and acclaim, go too far in going onto entities' web sites where they have no business going! If USC wanted a penetration test of their site, they could have hired Mr. McCarty or someone else. When people like McCarty do this for free, I don't buy it. I question their motives and put them only slightly ahead of paparazzi on the slime scale. I am sorry he has to pay up, but I hope it sends a message to the vulnerability vigilantes out there.

Editor's Note: further reporting revealed that McCarty had actually been turned down for admission to USC. Email discovered on his computer showed that he had bragged to a friend that he was getting back at them for not admitting him. Again, his motives speak louder than anything else here.

September 02, 2006

Disclosure - open, responsible, new, old - have we heard enough?

Thomas over at Matasano blogs on two recent articles by Pete Lindstrom and Rich Mogull around the constantly swirling disclosure debate. Mike Rothman and Martin McKeay have joined in here, and of course I have already been down this road with Ross Brown. Thomas actually lays out some good points that he has made in previous posts. However, at this point I think everyone has taken a shot at this, and it is safe to say reasonable folks are going to disagree reasonably. The shame, I think, is that at the less extreme ends of the views there is enough common ground to come to a consensus. I guess we will have to let the emotions calm down a bit and then revisit.

August 22, 2006

What is "responsible disclosure"?

Yesterday's XSS-eEye articles got me thinking more about responsible disclosure last night. I think to most of us, responsible disclosure means that someone who finds a vulnerability, before making their findings public, contacts the vendor of the vulnerable product and gives them a reasonable time to correct and fix the problem. OK, I don't think anyone would argue with that. The developer gets a chance to fix the problem before everyone knows about it, and the public using the product gets a patch or fix before the bad guys supposedly find out about the hole. Sounds easy and good. But then other issues pop up. Among them are:

  • What do you do if the vendor does not fix the problem? Easy: you announce the vulnerability and make your findings public. This raises yet other questions.
  • How long do you give the vendor to fix the problem? What is a reasonable time? Is it measured in weeks, days or months? I have never seen a good answer to this one. In my mind it is a two-step process. First, I think the vendor has to acknowledge the vulnerability fairly quickly (within 10 days). Once acknowledged, I think a fix should be done within 45 days (this way they can fit it into a monthly patch cycle like Microsoft's). Of course the downside of this is that the bad guys could find the hole in this time and exploit it.
  • What if the vendor does not acknowledge or fix? Some people will tell you that does not happen anymore. In this new age of vulnerability kumbaya (a Rothman word), vendors are only too happy to find out about holes in their products and are grateful to the researchers for finding them (NOT). Others say that with companies like Tipping Point and others ready to "buy" these vulnerabilities and with the resources to publicize them, vendors have a gun to their head and have no choice but to acknowledge and fix them. Still others (like Martin McKeay) think there are researchers finding bugs every day who cannot get the time of day from the vendors. I think that this is out-of-date material, frankly, but if you can show me real-world examples of recent experience like this, I would perhaps change my view.
  • The next thing is, if the vendor fixes the hole and announces it, what is the motive of the person or company that found the hole in announcing they were the ones who found it? Do they want a medal or a chest to pin it on? It just seems like that is all about the personal glory. Sure, you can make your product better by protecting your customers with this information, and you should. But announcing to the world that you found it, and therefore somehow that makes you a macho security company? Just a little too much for me. I have to question this type of behavior and think it then makes you a target.

As you can see, responsible disclosure is easy to say and sounds good. However, in practice it is not always that easy. There is a lot of confusion over what responsible is, over how vendors respond and over what a person who finds a vulnerability should do. I for one would like to see a well-accepted guideline from a group like SANS, or someone similar, to help guide people on this.

August 21, 2006

... but if it doesn't break my bones, so what

So it didn't take long for Ross Brown, CEO of eEye, to respond to the latest XSS claim by Valery Marchuk, which I wrote about here. You heard it here first: Ross acknowledges that this time Valery is correct. The XSS flaw does work! However, in Ross's words, so what? Ross actually finds this objectionable on a few fronts. Let me summarize them:

  1. So What - So is it a Pyrrhic victory? I don't pretend to know enough about this type of stuff to say for sure. But if you can use this for phishing, is there some way to get people thinking they are on the eEye site when they are really somewhere else, giving their information out?

  2. Responsible disclosure - I think this is a good point. As I have stated in the past, I am a big believer in responsible disclosure and giving a vendor a chance to respond.

  3. What is the motive here in disclosing a "harmless" flaw? - Could be, Ross; no doubt eEye is a high-profile target to find a vulnerability in. Then again, so are Symantec, McAfee and ISS, companies in whose products eEye has found flaws.

Anyway, Ross agrees that it is an interesting topic, and I am hard at work trying to arrange a podcast on this with an independent source (Martin McKeay). I will also give Valery a chance to respond as well. When and if Ross posts to his blog on this, I will track back. Will keep you posted!

Sticks and stones (or as eEye turns)

Well, in the continuing saga of the on again/off again XSS vulnerability on the eEye site, I received an email today from Valery Marchuk, the Russian security researcher who originally found and published the vulnerability.  Valery takes issue with Ross Brown and the eEye folks' claim that they have not been able to recreate this vulnerability and think it may not exist.  Valery says, "Well, what else we can expect from the security company, which cannot protect its own web site?"  He has put up another example of the XSS here and has posted the same message he sent me to the full disclosure list here.  In my role as a journalist here (just the facts, ma'am, nothing but the facts), I have asked Ross Brown, eEye CEO, to comment on this.  Have not heard anything yet, but will be sure to report back if and when I do.  I am thinking of having a podcast with Martin McKeay and inviting Ross and maybe Valery to discuss this further.  Martin has different views than I on responsible disclosure, so it could be fun.  Anyway, stay tuned for continuing developments on this one.

August 13, 2006

The Knock on NAC

As those who read my blog regularly know, I have been involved in a bit of a debate with Mike Rothman, Richard Stiennon and Chris Hoff over NAC and Secure Network Fabric.  The back and forth led Martin McKeay to put together a podcast with all of us to discuss this matter civilly (for the most part).  We all agreed to post this under the Security Roundtable as a neutral site.  It has now been posted and you can listen for yourselves here.  Though we all got our shots in, I am not sure if we drew any conclusions or if there were any knockouts.  We did surprisingly agree on some things though, which shows there is hope yet for peace in the world.  Please have a listen and let me know your thoughts.  I also have a one-question poll on NAC on the right sidebar of my blog.  Please take the time to answer!  If we get enough response, we may have a part 2 to this discussion.

August 09, 2006

The great equalizer

As I have mentioned earlier, tomorrow night I am taking part in a skypecast with Richard Stiennon, Mike Rothman, Martin McKeay and Chris Hoff on the merits of NAC and something Richard calls Secure Network Fabric.  Martin is playing referee and we will be hosting it through the Security Roundtable.  If you are interested in chiming in, I think you can by joining our Skypecast.  It is scheduled at 8:30 PM East Coast time.  If not, I am sure we will post it via the Security Roundtable within a few days for you to listen to.  It should be really fun.

As I was telling Mitchell Ashley yesterday, the fact that we are even having this podcast and discussion is really a testament to the power of the Internet, blogging, etc.  Mike Rothman has an article today about how research is different today than it was 8 or 10 years ago.  Mike talks about the availability and depth of information available via the net and blogs.  He is dead on; however, there is another angle to this.  Eight or ten years ago, as a vendor, I would hire a PR agency to help my firm deal with the analyst community.  We would pay money and try to curry favor with them, trying to keep them current and briefed on what we are doing (actually that is pretty much what we do with some of the analyst dinosaurs now).  However, thanks to the power of the written and spoken word via blogs, podcasts and the net, I have the ability on equal footing to put my views out there side-by-side with respected and experienced analysts like Richard and Mike.  I interact with folks like Mike and Richard, as well as with countless other security folks, on an almost daily basis.  Instead of privately briefing them and then hoping they at least can see my point of view, if not agree with it, I have the chance to sit side by side with them and bring my case to you.  This would have been unimaginable a short time ago.  The power of it is, I think, turning the analyst game on its ear.  A new breed of analyst like Mike and Richard is filling this vacuum.  It is also changing how users, customers and the media get their information and spin on security strategy and technology.  I am honored and lucky to be part of it and am glad I am using it to my advantage, I hope.  See you all tomorrow night!

August 08, 2006

Let's get ready to RRRRuummmble!

So my little diatribe regarding Richard Stiennon seems to have taken on a life of its own.  I guess when I wrote it, I did not realize that I was being so hard on Richard's views (I just disagree with them).  Of course I can always count on my meek, mild-mannered buddy, Mike Rothman, to keep things in perspective.  His comment on Shimel KO's Stiennon got the ball rolling.  Then Chris Hoff chimed in with his blow-by-blow recount that calls it a draw and interjects himself into a three-way donnybrook (personally, I thought reading Hoff's recap, I easily won this one on points).  Rothman, not to be outdone, fires back with his retort here, which is actually very well reasoned.  Richard then says enough and comments back to our remarks here.  He wisely thought it better to comment on Rothman's, a fellow analyst's blog, than venture into the lion's den of the vendor's lair ;-)  Of course Rothman, showing no mercy, then picks apart Richard's arguments, yet again, showing no love for his fellow analyst.

Well now, none other than Martin McKeay has joined in with an offer to be a special guest referee in a battle royal between the 4 of us.  I think we are going to try and record a podcast Thursday night; when it will be posted I am not sure.  I am sure that all of us will point to it off of our blogs.  It should be quite a brouhaha, but we all promise to keep it civil (yeah right).  I invite you all to listen, with all proceeds going to the security analysts' retirement home (where all security analysts go when they make too many wrong predictions (and you thought they were just sentenced to start-up hell)).  Feel free to send in your comments and best wishes.  For now, I am going into training, to make sure I am at my best with these dangerous fellows ;-)  Mitchell Ashley, who was an innocent non-combatant until Hoff took a swipe, has volunteered to be my second and cut man in helping me get ready.  Wish me luck!

PS- I hope you all realize this is all in jest with no hard feelings among any of the parties.   But it will be a good chance to talk security!

July 28, 2006

StillSecure, After all these years, Podcast #8

I give you episode 8 of StillSecure, After all these years.  This week I was very lucky to have as my special guest none other than Martin McKeay.  Martin is one of the most popular bloggers and podcasters in security today.  I turned the tables on Martin a bit and had a chance to interview him about who he is and what makes him tick.  If you are interested in knowing more about Martin, or are thinking of starting to blog or podcast yourself, you should listen to this interview.

Besides the interview, I also spoke about the upcoming Black Hat conference in Las Vegas next week, Symantec's recent earnings announcement, Watchguard's acquisition, and something I really want to create awareness of, NAC mashups.

Tonight's music is from Martin Rodruguez and is called Ulysess.  I did not play the whole song at the end to keep the time down.  Enjoy!


Podcast audio (MP3): http://clickcaster.com/resource/audio/stillsecure-after-all-these-years-podcast-8.mp3

July 22, 2006

65 in 1

I missed this one a few days ago, but thought it ludicrous enough to mention anyway.  Oracle just released their quarterly update patch.  Looks like a lucky thing they did; seems it takes care of 65 discovered vulnerabilities, some 23 or so critical.  I wonder what Martin McKeay and my friends on the Security Roundtable would say about this.  Funny, I don't see anybody jumping up and down like they do when Microsoft puts out a patch.  Take 3 months' worth of Patch Tuesdays, and you have just about the same amount of patches here.  Anybody want to tell me that Microsoft's record on these is worse than the rest of the industry?  Here is another thing I don't understand: with all of the critical data kept in Oracle databases, why aren't their customers demanding better-written software and more frequent updates?  Quarterly updates are just not responsible or reasonable in today's atmosphere.  This type of response, I think, screams for more public disclosure by people finding these holes.

July 21, 2006

More on rapid versus responsible disclosure

I wrote an article the other day called Fire! that was in response to a post by Martin McKeay calling for instant disclosure of vulnerabilities.  Martin's premise was that vendors are not responding quickly enough to responsible disclosure and the bad guys know about these vulnerabilities anyway.  Therefore, what was the use?  I responded that I think responsible disclosure is still the best alternative, but if the vendor does not respond in a timely manner, then it is OK to go public.  Michael Farnum commented that he agreed with this view.  No less an authority (I say that only partially tongue-in-cheek) than Mike Rothman also picked up on this and also agreed that responsible disclosure is the preferred way to handle this.  Now Martin uses the recent example of PayPal taking two years to respond to a found vulnerability to justify the instant disclosure argument.  I commented on Martin's post, but wanted to fully respond here.

In my mind the person who discovered this vulnerability and sat on it for two years because PayPal did not acknowledge it is guilty of irresponsible disclosure.  The whole point of responsible disclosure is to give the vendor a reasonable time to respond.  Two years is way beyond that.  However, I think that this example is the exception, rather than the rule.  I think for every PayPal example there are tens, if not hundreds, of others where the vendor does respond in a reasonable time.

Another point Martin makes is that responsible disclosure doesn't help against the bad guys, as they know about the vulnerabilities anyway. I think that is propaganda and without proof, I don't buy it.  In fact I think instant disclosure helps the bad guy.  Michael over at MCWresearch.com (who is a frequent reader of my blog it appears), has written a very well reasoned article on this that shows some real concrete examples of why instant disclosure helps the bad guys more than it helps anyone else.  No need for me to repeat what Michael wrote, but read it for yourself. It is very persuasive.

I think the vote is in on this one and responsible disclosure is the right way to go!

July 19, 2006

Fire!

One of my favorite blogging/podcasting people, Martin McKeay, posted on his Computerworld blog yesterday an article about the debate over instant versus responsible disclosure.  This was in addition to a conversation on the Security Roundtable Podcast that we had the other night, which will be posted hopefully soon.  Martin and I are on opposite ends on this one.  I think that instant disclosure in many cases amounts to yelling fire! in a crowded movie theater.  What good does it do?  Do you think consumers are going to do something with the information?  Most only know that when Microsoft issues a patch, if they are using WSUS or Windows Update they get a patch.  Using a third-party patch is, I think, playing Russian roulette.  The only good I can see it doing is maybe putting some pressure on the software vendor to get something out because the public knows about the vulnerability.  However, the other side of that coin is, force them to rush out a patch and quality suffers.

Now don't get me wrong: in my view of responsible disclosure, after a vendor has been made aware of a vulnerability, they should put out a fix in a reasonable time; otherwise it is perfectly OK to announce the hole publicly.  But overall, I think we are all better off if the vendor is given some time to patch or fix the vulnerability before it is made public knowledge.  I don't believe all hackers know of every vulnerability out there.
