Comments for Infosec Ramblings

Comment on Interesting Information Security Bits for June 23rd, 2008 by Adam On… » Blog Archive » Asleep at the wheel

Adam On… » Blog Archive » Asleep at the wheel — Tue, 24 Jun 2008 16:04:48 +0000

[...] this forum discussion has taken off. If you found yourself interested in the posts by Dre, Allen, or Kevin, head over to the forum [...]

Comment on Interesting Information Security Bits for June 23rd, 2008 by Andre Gironda

Andre Gironda — Mon, 23 Jun 2008 21:02:37 +0000

Alan over at Security Thoughts answers Dre’s post about the CISSP is on it way out. I tend to agree with Alan more that Dre, but understand Dre’s point also. How’s that for being wishy washy. Go read both

I already sent Alan a blog comment, but it’s waiting for approval. He must have mis-interpreted what I wrote (my guess is that he simply didn’t read it).

I really dislike that you’ve included him as a retort to what I wrote, as there are lots of better comments on our own blog about it. Plus, it kind of just blows away or discounts what I’ve written. Of course, someone would have to read the posts to understand what is going on here, and it would help if Alan would approve and/or respond to my comment, which apparently he won’t do just to mislead people more. Great work, blog-world!

Comment on Interesting Information Security Bits for June 12th, 2008 by Benjamin Wright

Benjamin Wright — Thu, 12 Jun 2008 19:43:49 +0000

Kevin: Legally speaking, what is “reasonable security?” FTC punished TJX for not having it, but FTC was wrong. Verizon says 9 of 10 data breaches could have been avoided if “reasonable security” were present. That implies 9 in 10 breach victims were in violation of law. The study’s outlook is that the solution to identity theft is locking down corporate data. But a security consultant/solution provider like this Verizon unit naturally sets a high bar for what is reasonable. And when Verizon evaluates if reasonable security could have prevented a break-in, it does so with benefit of hindsight. Yet the study goes on to say that in modern systems knowing where all your data reside is “an extremely complex challenge.” In other words, the sheer problem of locating data (so you can apply security) is very expensive, and mistakes by data-holders who act in good faith are easy. The reasonable measures expected by FTC and Verizon are extravagantly hard to implement in practice. Hence, the portion of incidents preventable by FTC/Verizon’s reasonable procedures is much lower than 90%. We need to focus more attention on other solutions to identity theft. –Ben http://hack-igations.blogspot.com/2008/03/ftc-treats-tjx-unfairly.html

Comment on Link posts: Valuable or just noise…. by Kevin Riggins

Kevin Riggins — Thu, 12 Jun 2008 13:40:12 +0000

@Zach Thanks for affirming that I am accomplishing what I intended with these types of posts.

@Kees I hadn’t really thought of that facet of these posts. Glad they help.

@CG I here what you are saying. I have 211 feeds that I classify as security related. It just works out that the most prolific posters tend to be in the security bloggers network. Thanks for the feedback. To date, I have really only been pointing to things I come across on blogs. I plan to extend that soon. Maybe that will be helpful.

Kevin

Comment on Link posts: Valuable or just noise…. by CG

CG — Thu, 12 Jun 2008 01:20:04 +0000

I like them but i wish you’d pull in links outside of the Security Blogger’s Network. I think that would add more value.

-CG

Comment on Link posts: Valuable or just noise…. by Kees Leune

Kees Leune — Wed, 11 Jun 2008 20:31:36 +0000

As a blogger I like sites such as yours. When I make it to the posts, I know that I was addressing a topic you find interesting, and hopefully other readers do to.

Comment on Link posts: Valuable or just noise…. by Zach

Zach — Wed, 11 Jun 2008 18:17:48 +0000

“bits ‘o info” (including news snippets, interesting stories posted elsewhere, and even collected links) are quite useful. They give you an idea of something you may not have otherwise come across. Sure, there’s StumbleUpon, del.icio.us, and the like (for the *social* aspect), but you get a good feel for what the poster is thinking or looking for during that time period (when on a blog), especially since the posted items are typically related in some way. Moreover, comments can provide even more insight about what the poster or blog owner thinks and maybe make the reader say, “A-ha! I wouldn’t have thought of that”.

The succinct answer? Your “Interesting Information Security Bits” are valuable and interesting. I say keep ‘em.

Comment on Your stuff is safe in our hotel….fail! by Kevin Riggins

Kevin Riggins — Fri, 06 Jun 2008 16:43:20 +0000

Benjamin,

Your first point is well taken and I in no way meant to imply that I should expect a hotel to be responsible for me leaving my expensive camera or laptop in my room and it disappearing. However, I have stayed in places where, in spite of hotel agreements, the front desk has stated that I “shouldn’t have any problems” or “we’ve never had any issues with theft”, etc…

I agree that it is unlikely that any comments I made would have been welcomed by managers. Your mention of suing does bring up another issue for the hotel though, brand value. Mention of brand during the conversation might make them a little more likely to listen. Of course, they have to care about their brand first

Kevin

Comment on Your stuff is safe in our hotel….fail! by Benjamin Juang

Benjamin Juang — Fri, 06 Jun 2008 16:18:48 +0000

1) I’m preetttty sure most hotel agreements state that they aren’t responsible for stuff left in rooms - the only time they’re responsible for your stuff is if you give it to them to lock up in a safe behind the front desk. However, allowing other people to access your room unintentionally due to a lack of controls may be something they could be sued for…?

2) Very carefully? Or you could arrange a demonstration… That would probably make the strongest impression, resulting in the most amount of change. Although it’s pretty unlikely that managers would care, especially since they’re safe from any lawsuits as a result of the agreement/contract they make you sign.

Comment on Interesting Bits - April 24th, 2008 by bk

bk — Mon, 26 May 2008 20:42:07 +0000

That security4all link seems broken (or rather also refers to securosis)