It’s no secret that the major vendors use the press to sell new products, but in the last year or so, I have noticed the journos getting wise to it and questioning whether the spiel they are getting from the “security” vendors (you know who they are) is a public service announcement or marketing BS.

Here’s the tip… we know it’s mostly BS… they want the press, and they’re using you to sell their product. (Reader note: yeah… I know I am stating the obvious.) But… your editors know that, and you need to sell subscriptions… oh, and advertising. Where is the balance?

I would like to see more journos question new products.

I have seen the silver bullets for almost 15 years (in security) and never have I seen an article that says:

“Company X released Product Y. Product Y will solve all your security problems they say (DD: like they all do), but I reckon it is all bullshit. This company has been in the security field for 15 years and every new release is supposed to solve the “Enterprise” security problem, but it has not! So why would this new release be something that a (your) company would pay good dollars for?”

As an avid car, guitar, music, sports etc. fan… the mags I buy as part of my hobby(s), I expect to tell me what is good and what is not so good about new products being released. All of them do! They’ll pick every hole in the latest Ferrari, Fender, Foo Fighters or All Blacks (World Cup) release… but… in our field, every new product in the press is supported by the marketing spiel from that company… like it’s fact!

Come on, IT press… before you talk it up… have a look at it, test it, get security guys to pass opinion on it, hit it hard enough to help companies… and then write about it.

At present, you’re giving an easy ride into millions/billions of dollars for these companies whose existence relies on us never being able to secure ourselves.

Sad thing is that we security dudes play a small role in most cases (not always) in the decision-making process for costly products like this at the major companies we work for… money that could be better spent elsewhere.



From California:

http://www.theregister.co.uk/2007/10/16/schwarzenegger_vetoes_data_bill/

The discussions that we see around data security are a positive step. More than the lip service we see in Australia in most cases.



The reason for the lack of posts recently is that I am away… it’s harder looking after 2 young girls, 6 and 4, on school holidays in Noosa than it is running a business.

Pete Benson sent me this one yesterday and I have to admit, it blew me away on many levels. WTF:

http://www.computerworld.com.au/index.php/id;1057000875;fp;16;fpid;1

Being out of touch in paradise for the last 10 days, I have no idea where this went or whether there was a follow-up. I’ll add to this when I get back but if anyone has more to add now, please respond. This whole story sounds a bit suspect to me.



The rantings of Craig Chapman, Computer Forensics Geek.

As funny as it sounds, a while back I asked the serious question on Beast or Buddha?

How many white hats are actually black hats in disguise ?
http://beastorbuddha.com/2007/08/07/ethical-hackingthat-term-is-a-worry/#comments

Since then, it’s been reported that the so-called ‘white hat’ security professional Max Butler has been arrested & charged with hacking offences, including running a carder portal. Ironically, Butler also worked for a reputable organisation whose name suggested they are good guys. (I believe Christian Heinrich also spotted this report.) They probably are.
http://www.securityfocus.com/news/11487

We shouldn’t be surprised in any way. After all, it’s not unheard of for criminals to enter a certain profession in society with the motivation (and relatively easy access) for undertaking their chosen nefarious activities.

It makes a lot of sense, in a criminal way.

For instance;

- Paedophiles who become scout leaders, teachers or church leaders.
- Fraudsters & corrupt persons who become politicians or public officials.
- Arsonists who become fire fighters.

All of which leads me to ask the following:

1. Would a country planning a war also invite their enemies along to their pre-war planning meeting ?
2. Are tactics for defeating hackers, latest research etc openly discussed at IT Security conferences ?
3. Is there a strong likelihood that amongst the hundreds of IT security professionals attending a conference, some may be highly experienced black hat hackers ?
4. Is the IT security industry deluding itself about the preventative value of such conferences ?
5. Rather than helping to put the flames out, are large conferences a mechanism fuelling the fire ?

I think we know the answers to most of these questions, so do we kid ourselves that the industry is not rife with people who can easily sway to the dark side, or are already firmly entrenched there?

Food for thought.



Guys, I’ve just been asked to pass this onto any Aussies heading to Kiwicon or others who may be interested in attending:

The “Pre-Kiwicon 2K7” EurekaStockadeSEC (Sydney, Australia) Gathering.

While there is no formal agenda at CitySEC Gatherings, this will provide an opportunity for ppl to discuss plans for Kiwicon 2K7 – if they haven’t left Australia for New Zealand yet :)

The “Pre-Kiwicon 2K7” EurekaStockadeSEC Gathering
Date: Tuesday, November 13, 2007
Time: From 5:00PM
Venue: “The Establishment”, 252 George Street, Sydney, NSW, Australia

Further information on the venue can be found at
http://www.merivale.com/establishment

In addition to the announcement at www.citysec.org under “EurekaStockadeSEC (Australia)”, I have created a Google Calendar for EurekaStockadeSEC at http://tinyurl.com/28kcxk too.

Also, if you have not been to or at least heard of CitySEC, please refer to the Sticky Post “What Is A CitySec Meetup?” on www.citysec.org for further information.


