Wednesday, March 17, 2010

Honey, can I have your SSN?

Interesting article today in the Washington Post by Sara Kehaulani Goo called "Dinner, Movie -- and a Background Check -- for Online Daters."

I'm one of the 31% of Americans that the article says personally know someone who is using online dating services, and for the single guy I know, one of these services has worked very well for years. If I were in his situation I'd use such sites. Still, there's a downside to online dating if you get hooked up with certain kinds of criminals or fall in love with a supposedly single person who's actually married.

In Sara's article we can see a microcosm of identity and privacy issues - authentication, background checks, reputation services, privacy and more. In particular, some of the sites are starting to offer

- criminal background checks
- verification of marital status
- double blind phone numbers for talking with a person anonymously

Third party sites of course also offer these and other services. For example, while I haven't heard of an online dating site that offers a reputation service yet, there is one called where "girls" can report serial cheating and other misdeeds of the miscreant, or why not just assassinate someone's character?

This is not a reputation service in the sense of ebay or amazon, of course. Probably wouldn't want to date someone with the reputation "99.6 satisfied - feedback from 964,551 users..."

Then I suppose SSN is not enough - gold diggers could pay extra to get someone's credit score.

Anyway, it was an interesting article. Check it out at

Sunday, March 7, 2010

During the International Information Integrity Institute's (I-4's) most recent meeting last year, Donn Parker gave his perspective on the organization's history and why it was founded.

Donn B. Parker is a retired (1997) senior management consultant from SRI International in Menlo Park, California who has specialized in information security and computer crime. He has written numerous books, papers, articles, and reports in his specialty based on interviews of over 200 computer criminals and reviews of the security of many large corporations. The Information Security Magazine identified him as one of the five top Infosecurity Pioneers (1998).

Perhaps his lasting achievement was to form I-4. I-4 ( is an information sharing organization whose members comprise CISOs, CSOs and other senior security managers from corporate, government and academic organizations. I-4 has been around since 1986 to keep its members aware of the most advanced information security concepts and controls.

Donn saw the need for information sharing in the security field early on. Donn does not believe in risk assessment, but recommends doing due diligence by benchmarking, which can be facilitated by information sharing in groups like I-4. While I don’t see eye to eye with Donn on risk management, I do agree on the need for information sharing, for neither risk management nor any other information security program can be conducted in a vacuum.

Information sharing requires trust. There are many things that should not be revealed in surveys or public conferences, and yet information security practitioners desperately need to hear the real score from their peers.

Close-knit law enforcement and military communities have had such trust. This trust often extended (and still extends) into industrial and other corporate physical security departments, often run by retirees from the law enforcement and military communities. But information security is still a relatively new field, at least when computers are involved, and close-knit networks of interpersonal trust are few and far between.

It was for these reasons that Donn Parker and kindred spirits founded I-4. After a long incubation in SRI, they eventually documented 82 controls, which ultimately fed into the UK's BS7799, which in turn evolved into ISO 17799 and ISO 27001. I-4 went into one of its heydays and eventually capped its membership at 75 so as to keep the sense of trust and confidentiality. There was even a waiting list for new members at that point.

Through the dotcom bubble and the downturn and intervening recessions I-4 has survived. Donn Parker and Bruce Baker retired, and eventually John Thurlow took over, and now Jim Wade is the Executive Director for the organization. Loyal administrative assistants and members have carried I-4 through a number of transitions of the supporting company that provides conference and logistics support (these companies have had colorful names such as Atomic Tangerine, RedSiren and lately GeTronics).

Fast forward to today: the good news is there's no waiting list for I-4 currently. I recommend it. There are great people there, excellent conferences with everything under NDA and no vendor marketing, and a relatively small investment required for participation. Security professionals can pretty much get out of I-4 what they put into it; that's the way information sharing works. They have a meeting on February 12-15 in Monterrey. It's not too late to plan to attend; if you are interested, you can contact their web site, or me I suppose.

At the end of Donn's speech, Jim Wade brought up Donn's wife, the "power behind the bald eagle." What a moment! We could all wish for such a rich professional legacy...

Tuesday, March 2, 2010

Security 2.0? No, Symantec 2.0? Maybe

Vendors will try anything to get attention, so I suppose one shouldn't be surprised that Symantec keeps pressing forward with a strange term like Security 2.0.

According to CIO Magazine, Symantec chairman and CEO John Thompson laid out his company's Security 2.0 vision, which he said is less about locking down the physical network perimeter and more about protecting digital collaboration and transactions.

Well, ok. But then Thompson went on to say that the problem of worms and viruses is largely solved... That's strange: there's a huge divergence between what Symantec's own threat reports say and what their executive marketing pitch now is. Perhaps Symantec is worried that another vendor will move to the "forefront" of the anti-malware market (this was a pun on Microsoft's upcoming anti-virus offering in mid 2007).

But it's dead wrong to say malware is diminishing. In fact, it's just changing. While it is true that viruses and worms have less impact than they did at their apex in the early 2000s, the breadth of spyware, Trojan horse programs, spam and web attacks (many targeted, or "low and slow") has greatly expanded to more than fill the gap; anti-malware solutions remain inadequate, and most organizations are still very worried. Also, recent attacks on MySpace and Second Life demonstrate once again that worms and viruses will resurface for each new computing environment.

It would be nice to see Symantec easing off the FUD gas pedal, if they weren't stepping on the hype pedal with the other foot.

For if Security 2.0 is a takeoff of Web 2.0, that's not much of a launching pad. Web 2.0 is an ill-defined term that means different things to different people. And as for security, we've been doing it since the dawn of human civilization. The more we invent, the more things stay the same. So it's not as if we should draw a line under everything heretofore and start over with Security 2.0.

Even if there is no Security 2.0, there may be a Symantec 2.0. They are fielding new products and services such as database audit software, data leakage detection, and message content filtering. They later plan archiving tools to categorize and index data from e-mail and instant messaging, and an analysis tool called Discovery Accelerator for administrators to mine archived messages for legal discovery or evidence gathering.

The substance of this is all very interesting, but Symantec might have named it better. It's not Security 2.0, but it is progress.