20 posts categorized "rich mogull"

January 06, 2012

And The Nominees Are . . .

social security bloggers awards 12No I am not announcing the choices for the Oscars.  Something even better.  It is time to announce the nominees for the 2012 Social Security Bloggers Awards.  Voting will open today and remain open until January 30th.  Of course the winners will be announced live at the 6th annual Security Bloggers Meet up at RSA Conference!

So before we get to our nominees, a word from our sponsors:

sponsors meetup

Actually a few other things to mention first as well:

1. Our judges - The nominees for the Social Security Blogger Awards are made by our blue ribbon panel of judges.  We did not announce their names before hand this year to limit the "lobbying" that they have been subjected to in the past. But now that the nominations are public, they are open to be influenced by food, liquor, baubles or other means.  Seriously a huge thank you to our judges:

Kelly Jackson Higgins

Bill Brenner

Larry Walsh

and special guest judge:

Wendy Nather

2. Eligibility - In years past anyone associated with organizing the bloggers meet up was DQ'ed from being nominated. Frankly that was silly. The fact is that Rich, Martin, Jen and Jeanne (my organizing committee fellow members), don't have a lot to do with the awards.  So the only one not eligible for any awards is me. It isn't fair to keep good blogs and people down.  Also judges could not nominate their own work, but other judges could nominate someone who is judging.  So for instance, Wendy Nather was nominated by another judge unbeknownst to her.

3. New Category - This year we are adding a new category for Security Bloggers Hall of Fame. I will be adding this to the Security Bloggers Network Site after RSA. This category is sort of a lifetime achievement award for security bloggers.  But it doesn't mean they are on their last leg.  This first year we are going to add two bloggers to the Hall of Fame.  In future years we will add one new blogger a year.

4. Who can vote - Again, I did not want to go through the ballot box stuffing that we had a few years back. So only security bloggers and podcasters can vote. If you write on security and have a URL to prove it, you can vote. Me and my election commission members will be going through each vote by hand, so please don't even bother trying to game this. Don't ruin a fun event with bad form.

OK with that out of the way, here are the nominations for the 2012 Social Security Bloggers Awards:

Best Corporate Security Blog:

Fortinet Security Blog http://blog.fortinet.com/

Denim Group http://blog.denimgroup.com/

Trend Micro Cloud Security Blog http://cloudsecurity.trendmicro.com/

Veracode Security Blog http://www.veracode.com/blog/

Kaspersky Lab Blog https://www.securelist.com/en/

Sophos Naked Security Blog http://nakedsecurity.sophos.com/

Best Security Podcast:

Threat Post http://threatpost.com/en_us/podcast

The Network Security Podcast http://netsecpodcast.com/

Eurotrash Security Podcast http://www.eurotrashsecurity.eu/index.php/Main_Page

Pauldotcom http://pauldotcom.com/

Exotic Liability http://www.exoticliability.com/

The Southern Fried Security Podcast http://www.southernfriedsecurity.com/

The Most Educational Security Blog:

Cognitive Dissidents http://blog.cognitivedissidents.com/

Tao Security http://taosecurity.blogspot.com/

F-Secure blog http://www.f-secure.com/weblog/

The New School Security Blog http://newschoolsecurity.com/

AppSecInc Blog http://blog.appsecinc.com/

Evil Bytes/John Sawyer http://www.darkreading.com/blog/archives/evil-bytes/index.html

The Most Entertaining Security Blog:

Rational Survivability http://www.rationalsurvivability.com/blog/

Andrew Hay's Blog http://www.andrewhay.ca/

Uncommon Sense Security/Jack Daniel http://blog.uncommonsensesecurity.com/

New School Of Information Security/Adam Shostack http://newschoolsecurity.com/

Naked Security http://nakedsecurity.sophos.com/

Securosis Blog http://securosis.com/blog

The Blog That Best Represents The Security Industry:

Krebs On Security http://krebsonsecurity.com/

Uncommon Sense Security http://blog.uncommonsensesecurity.com/

SANS Internet Storm Center http://isc.sans.org/

Securosis blog https://securosis.com/blog

The Single Best Blog Post or Podcast Of The Year:

Martin McKeay, Curing the Credit Card Cancer http://www.mckeay.net/2011/11/28/curing-the-credit-card-cancer/

Veracode Blog http://www.veracode.com/blog/2011/08/musings-on-custers-last-stand/

Moxie Marlinspike's ThoughtCrime Labs http://blog.thoughtcrime.org/authenticity-is-broken-in-ssl-but-your-app-ha

Idoneous Security http://idoneous-security.blogspot.com/2011/12/what-your-analyst-wishes-you-knew.html

The First Two Members Of The Security Bloggers Hall Of Fame: (please pick 2)

Adam Shostack (Emergent Chaos, New School of Security)

Brian Krebs (Washington Post, Krebs on Security)

Rich Bejtlich, Tao Security

Chris Hoff, Rational Survivability

Graham Cluley, Naked Security

Bruce Schneier, Schneier On Security

OK, there you have it. Your 2012 Nominees for the Social Security Blogger Awards. You can vote if you like, right now by clicking here

Posted at 10:18 AM in awards and PR, Martin McKeay, rich mogull, security bloggers network, the security industry, tradeshows | | TrackBack (0)

December 13, 2011

The Death of Product Reviews

English: This is a logo owned by Google Inc. f...

Image via Wikipedia

My friend Bill Brenner has a post up on his Salted Hash blog today about a recent browser security study done by Accuvant LABS. The study shows that Google Chrome was the safest browser tested. Like Bill, I use Chrome too and agree with the Accuvant study.

The problem for Bill is that the study was sponsored by Google, the makers of Chrome. The fact that they paid for this study in Bill’s mind and in many other people’s minds calls the legitimacy of the entire study into question. Even if it is correct, it just doesn’t sit well with Bill.

Frankly I have the same problems with most product reviews, bake offs, analysis reports, etc. I have written about this before as well. In my mind it is a big reason why no one seems to pay attention to product reviews anymore.

It doesn’t make a difference if it is an “independent lab” doing the testing, a magazine’s testing department, industry awards or an analyst firm analyzing the market, the first thing I look at is who is paying for it. Sometimes finding out who is paying for it is not so easy or transparent either.

To be fair, some firms like Securosis for instance will say upfront that some research they are doing is being financed by a paying customer. Such was the case when Mike, Rich and Adrian did a dive on “fact based security security metrics”. The boys said upfront and at the bottom of the page that they thanked Red Seal for sponsoring the research.

Now does that mean that everything they wrote was for the benefit of Red Seal? I know Rich, Mike and Adrian too well to believe that. But it does give me pause when I read the report to remember that fact.

But I will say that over time I have come to soften my attitude on this issue (I must be getting old). For me it is a case of forewarned is forearmed and I take that disclosure in terms of evaluating how much weight to give the research. The same way a juror has to weigh the testimony of a witness depending on their believability.

In the case of Bill’s browser study, same thing. The chances that Google had a heavy hand in the study by Accuvant is pretty low, but it is something to consider. That is just the way it is.

But for Bill and the other doubting Thomas’s out there, what is the alternative?

One alternative is what Rick Moy and the guys at NSS Labs are doing. They have turned this equation on its head. They make their money from the end user, so the vendors being tested have little to no influence.

As Bill says just because Google paid for it doesn’t mean the study is wrong, but it does give you something else to consider. But since no one wants to do these tests or studies for free, someone has to pay and that is the truth of it.

Related articles
Enhanced by Zemanta

Posted at 03:57 PM in awards and PR, General Background, General Security, marketing, rich mogull, Security Incite | | TrackBack (0)

December 12, 2011

Blogging is a Conversation

For those of you who may be wondering, yes there will be a killer Security Bloggers Meet up at RSA this year. There will also be another Social Security Blogger Awards with some new categories as well. More on those in another blog. But the reason I write today is something Rich Mogull said on our blogger meet up organizing committee call.

Rich said “lets face it, the security blogger’s community isn’t what it used to be”. While I don’t disagree with Rich, I went back and looked at some of the numbers and some of the security blogs. While Rich is right, we don’t see as many as blog posts from the community as we used to, I think we all agree that Twitter probably plays a significant role in that. In fact the Tripwire 25 most influential people in security list seems pretty skewed towards twittter users. But that being said, there are still plenty of security blog posts being posted. The SBN feed is still fresh with lots of new posts every day.

One thing I do see is many of the posts come from corporate security blogs rather than individuals. Many of the corporate blogs don’t develop the personality that a good personal blog does. More importantly what has changed is another thing Rich brought up. We don’t comment anymore. We don’t blog back anymore.

People are blogging and putting their 2 cents into the conversation, but no one is repsonding. Oh, maybe they respond on twitter, on but it doesn’t make it into the blog. Blogging has always been and will always be a two way street. A blog should be a multi-party conversation with the blogger putting forth his ideas and others responding. They can agree, disagree, or concur, but they put their thoughts into the conversation.

One of the great things about reading a hot blog post was following the thread of comments, that was where the real action took place. Whether it was a Rothman post on Security Incite/Securosis or Tom Pcatek on Matasano, a good threat with 50 comments kept you reading for more.

Now maybe Twitter is where blog comments have gone and some of the discussion. Can we have a plug in that captures the real time of twitter comments and discussions back to the original blog post? Doesn’t sound too hard.

How about writing a blog post in response to another blog post? That is part of carrying on the conversation as well. Need something good to blog about? Go look at what your community is writing and join in.

Adam Shostack over on Emergent Chaos has a post up about Threat Modeling as a result of a conversation he had with Wendy Nather, who has her own good blog post about “what your analyst wishes you knew” (and she is not talking about your psychoanalyst either).

I am going over to both of those blogs and adding my voice to the conversation. I already tweeted Wendy’s post, but I realize that is not enough. If we are going to keep the Security blogging community strong and vibrant we have to add our voice on blogs.

What about you? Are you ready to rejoin the conversation?  If so, head over to your favorite security blog and join in.  Or better yet, write a blog in response to someone else’s blog.  It starts with you and you and you.

Related articles
Enhanced by Zemanta

Posted at 11:47 AM in General Background, rich mogull, security bloggers network, Weblogs | | TrackBack (0)

July 27, 2011

Palisades DLP Webinar with Rich Mogull of Securosis

As some of you may know I have been doing a series of webinars on DLP with the good folks over at Palisades Systems. They are aimed at DLP for the SMB and mid-enterprise level, but anyone interested in DLP will find them interesting and useful.

Rich_MogullThe next and perhaps best in the series is scheduled for August 2nd from 2pm to 3pm eastern time.  The special guest star for this webinar is none other than my friend Rich Mogull of Securosis.  Of course Rich is one of the foremost experts in the market on DLP.  He covered the space for Gartner before founding Securosis. 

We will be conducting the webinar in a conversationalist format with lots of time available for questions.  It should be a great event.  If you register and tune in live you can ask questions too. If you can’t make it live, you can still listen to the recorded version later.

So if you are interested in DLP don’t miss this one.  The Palisade Systems solution has really evolved over the last few years and has garnered lots of attention, be sure to tune in!

Related articles
Enhanced by Zemanta

Posted at 08:48 AM in links and appearances, rich mogull | | TrackBack (0)

January 18, 2011

Don’t Forget To Vote

Just wanted to put out a reminder that there are less than two weeks left for voting in this years Social Security Blogger Awards. You can vote here:http://www.zoomerang.com/Survey/WEB22BQFS9A3BN/.

Remember you must leave a verifiable email address and blog address in order for your vote to count. From what I am told, our votes this year have already exceed the total number of votes last year. But make your choices known.

Here are the finalists:

Best Corporate Security Blog

Best Security podcast

Most educational security blog

Most entertaining security blog

Security Blog that best represents the industry

The single best security blog post of the year

This may be our strongest slate of finalists ever. Every single nominee is a strong contender. I am sure the races will be close, so every vote counts.  Don’t wait vote now!

Related articles
Enhanced by Zemanta

Posted at 10:24 AM in awards and PR, Chris Hoff, General Background, Martin McKeay, rich mogull, security bloggers network, the security industry, tradeshows, Weblogs | | TrackBack (0)

January 11, 2011

Mike Rothman and Ashimmy on Dell-Secureworks and more

rothmanMike Rothman has been appearing as a guest on my podcast for 5 years or so now. It is always a pleasure to have him on.  To kick off the new year Mike weighs in on the Dell-Secureworks deal.  Who would have though Mike would have something to say about it?  Of course Mike has something to say on just about everything, but it is always fun and interesting.

Besides the Dell deal, Mike and I talk about security incidents and brand damage in reply to an article George Hulme had in Infoweek yesterday. We also touch on RSA Conference coming up in about a month and what Mike and the rest of the Securosis team will be doing there.

One place they will be is at the Security Blogger Meet up where the Social Security Blogger Awards will be handed out. Mike is a nominee for most entertaining security blog for his weekly incites. If you haven’t already voted, head over to this link and vote!

In the meantime enjoy the podcast!

Related articles
Enhanced by Zemanta

Posted at 12:42 PM in awards and PR, links and appearances, MandA, podcasting, rich mogull, Security Incite | | TrackBack (0)

May 19, 2010

3 Newest Members of the SBN

sbn-logo As I suspected there is fresh blood out there in the security blogosphere.  As a result of Rich’s post and my follow up this morning, I am proud to welcome the 3 newest bloggers in the Security Bloggers Network:

1. The Security Ninja Blog at: http://www.securityninja.co.uk/feed

2. The Harmony Guy at: http://theharmonyguy.com/

3. The Security Braindump Blog at: http://securitybraindump.blogspot.com/

Who by the way got into blogging on security as a result of subscribing to the SBN blog.  Great!

Of course you can get all of the great content of these bloggers and 250+ more by subscribing to the SBN feed here.

Related articles by Zemanta

 

Reblog this post [with Zemanta]

Posted at 03:50 PM in rich mogull, security bloggers network | | TrackBack (0)

January 26, 2010

Its a mad, mad, mad world

madworld Regardless of whether you think the  Aurora/Google/China incident was a simple hack or the most sophisticated thing since the cotton gin, I think it is going to mark a historical demarcation line. From this point forward the PA (post-aurora) era will have governments, corporations and individuals the world over recognizing that the new battleground is a cyber zone.  This is a lesson that the folks in the US Department of Defense have recognized for a long time. While we were busy every year yelling about FISMA and so forth, the people on the front lines of this cyber cold war have been trying to stay afloat against a sustained assault on our networks that has been going on for years. They are not perfect, but the fact that a genuine disaster has not occurred as a result is no small testament to their diligence, hard work and intelligence.

Whether you take the position that Rich Mogull has laid out in his firestarter post on APT, namely that this is espionage and not warfare and we just need to deal with it or the NY Times approach that the Google/Aurora incident was part of the ongoing digital warfare that is underway, is I think irrelevant. When I boil it down, it is only a matter of degree. Espionage is an act of war, punishable by death. You can have cold wars and hot wars and then there are simmering wars. This new war is of a different type of war, but the stakes are no less dear. It is for control of the world. 

We are in the 2nd decade of a new century. There are many countries who think that it is their manifest destiny to become the "America" of the 21st century. This war, like many before it is for economic dominance. This makes private corporations that are economic powerhouses targets. Don't think for a second that we here in the US are not gearing up for this type of war either.

For me the real issue is that the game and the rules have changed here. We have not yet come to terms with how this game should be played or even what the rules should be. We are still a cold war generation. Our rulers learned the game during the cold war rule set. We yearn for a deterrent that will put the brakes on an adversary going beyond what we deem to be the line.

In the good old cold war we had MAD. Mutually assured destruction was what we could bank on. The Soviet Union  didn’t want to end the world anymore than we did. We and they knew that if we allowed things to go to far, there was no turning back. So we could have our little “hot wars” in Korea, Vietnam, Afghanistan without pushing either side too far. Only the Cuban missile crises really brought us to the brink.

Of course we let our surrogates fight the fight the world over. We supported them with weapons, money and training. So did the other side. There were lots of little skirmishes that did not directly have our troops involved, but were part of the game nonetheless. The bottom line is that there was an understanding of what would be tolerated and what would not be tolerated. The prodding and probing was as ritualistic as anything from the feudal societies of the middle ages.

In cyber warfare (sorry Rich it qualifies as warfare. The stakes are as high in terms of human life and resources as any other war. Especially when we are talking about critical infrastructure) there needs to be a tacit understanding of what will be tolerated and defended versus what goes to far. We need to decide what are the repercussions for going to far.

Having Google pull out of China is one remedy, but if one nation or faction or entity violates the rules of the game, the consequences need more bite. They should be ostracized by all the others. It should be made clear that the cost of undertaking such action, far outweigh the benefits. Whether the Aurora incident was with the knowledge of the Chinese government or not, the message has to be to “take care of your own”. They are responsible.

I don’t have the hard and fast answers as to what those consequences should be. But we need to set the rules now. Right now it truly is a Mad, Mad, Mad World. The game has changed. The players are making up new rules as they go. You can’t play a game without rules. That become anarchy. But the balance will be restored, it always does. We just need to make sure the rules are understood by all parties and that it is better to play by the rules than outside of them.

Related articles by Zemanta

Reblog this post [with Zemanta]

Posted at 11:13 PM in Current Affairs, General Security, rich mogull | | TrackBack (0)

December 08, 2009

No harm, no foul

Rich Mogull had a good post up recently called “Possibility is not Probability”. In it Rich lays out his frustration with the tendency in the security industry (and elsewhere) to assume that everything possible will probably happen. That is why they call it risk management.  The job is managing the risk. Part of the job is weighing what are the odds of an event happening versus what is the cost of preventing it and  as importantly, what would the cost of it happening be. If the cure is more harmful then the disease, you have a problem.  Also when you try to prevent too many things that may be possible, but are not probable you, lose creditability with business stakeholders. So the security guy becomes the guy (or girl) who says no, because anything could possibly turn out wrong.

Now Rich with his paramedic background always likes to analogize to medical scenarios. Let me point to a legal one.  In law there is the doctrine of “no harm, no foul”. This was the logic a Federal Court in Missouri recently used in throwing out a law suit by a class of individuals whose personal information had been disclosed in a data breach case.  Though the data was in fact breached, none of the plaintiffs could show any actual damages. The judge in this case wrote:

"Abstract injury is not enough to demonstrate injury-infact," Judge Buckles wrote. "The injury or threat of injury must be concrete and particularized, actual and imminent; not conjectural or hypothetical."

This is exactly the point. No harm, no foul. It may be possible that some harm may come of this breach, but a remote possibility is just not going to cut it. The same analysis has to apply to security strategy. What is the likelihood of success? What are the potential damages? What is the cost of prevention?  Our security hairs may stand on end knowing that we could stop a potential security incident from happening given unlimited resources, but real world acumen has to be applied because we live in a world of limited resources.

Posted at 08:44 PM in rich mogull, the security industry | | TrackBack (0)

May 07, 2009

Social Security Blogger awards video

As I wrote about earlier this was the first year of the Social Security Blogger Awards. Rich Mogull did a great job lining up a blue-ribbon panel of judges and I think the winners of the awards were very deserving.  You can see the complete list of winners and the full video on the RSA conference blog here.  But here is just part 1 of the video with Rich, Martin and then me:

This first years awards were a learning experience in many ways. I hope that we can take the lessons learned and improve for next year!

Posted at 12:12 AM in awards and PR, Martin McKeay, rich mogull, security bloggers network | | TrackBack (0)

Next »
My Photo

Subscribe to my blog

Enter your email address:

Delivered by FeedBurner

Lijit Search

Blog Networks

Creative Commons License
This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.

Search

Lijit Search

Attend a Computer Forensics Boot Camp to better your skills and become a better worker

Categories

Track my blog stats

Blog powered by TypePad
Member since 10/2005

About