November 2005 Archives

Anton Chuvakin

Related link: http://www.computerworld.com.au/pp.php?id=178822995&fp=16&fpid=0

I get asked sometimes about the future of security and about “what comes next” (for example, see this). And while some trends can be spotted, the correct answer should always be “we do not know.”


Why not? Because “the future of security is driven by the hacker.” There is no better way to say it than the McAfee president did in this article. All those wannabe experts who blabber about “staying ahead of a hacker” are missing this simple point.


He then continues: “The bad guy determines what next year’s threat is going to be and when you look at the hacker community, the big change over the last two years has been its move from very bright individuals who were basically seeking fame, to organized groups driven by fortune… We can’t say with certainty what the next type of attacks are going to be.”


And that is a large part of what makes security such a fun pursuit!!

Anton Chuvakin

Related link: http://www.csoonline.com/read/110105/machine.html

I did blog about the subject of “deperimeterization” as advocated by the so-called “Jericho Forum”. In his paper Simson Garfinkel points out several more problems with the approach they advocate, some of which overlap with what I mentioned in my previous blog post on the subject.


Namely, why break the classic perimeter protections and build some new “secure architecture”? It’s not like firewalls are not doing their job; it’s just that they are not doing everything you need to protect yourself. At the same time, most things in the IT realm seem to evolve slowly rather than get rebuilt “right” overnight.


So, don’t scrap the firewalls, just slowly head downstream with the rest of the world towards bigger adoption of “self-defending computers” (aka personal firewalls and client protection) and further towards adopting “self-defending documents” (aka what DRM might become)… But with every new layer of defenses, keep the old ones intact!

Anton Chuvakin

Related link: http://www.itweek.co.uk/itweek/analysis/2145504/offshoring-pushes-bs7799

Some of my blog readers have argued with me (a few did so violently) on the role of the ISO 17799 standard in security. As I mentioned before, I am still somewhat skeptical about its adoption in the near future. So, this article initially suggested that its adoption is growing: “In 2002, fewer than 200 organisations worldwide had achieved BS7799 certification, according to the Information Security Management Systems (ISMS) International User Group. Today this number has risen to 1,870.”


However, it turned out that the US is not in the top 3 standard adopters. While some orgs are using a few of the ideas from the ISO documentation, the actual certification is lagging far behind (even behind India…). Any idea why nobody cares to do it? I suspect there is no sufficient pressure or motivation to certify, but the reasons are not entirely clear to me…

Anton Chuvakin

Related link: http://www.sans.org/top20

Just like last year, I would like to remind those who are not following the security news closely to take a look at the list of “The Twenty Most Critical Internet Security Vulnerabilities”, released by SANS.


Unlike last year, the list shows an interesting trend: a major shift away from platform vulnerabilities towards cross-platform applications. Such applications, when deployed without enough thinking, equally endanger Unix and Windows systems. In addition, the absence of a glaring and commonly exploited hole in Unix/Linux is of interest (it seems like the times of FTP and RPC holes are all but forgotten…)



While some criticize the list for lack of specificity, it is still required reading for anybody involved with security.

Tom Adelstein

Related link: http://lxer.com/module/newswire/view/48802/index.html

Carla Schroder writes: The entertainment industry has put itself on the fast-track to destruction, using well-proven tactics as explained in Preventing DVD Playback on Linux Like Prohibition in the 1920’s. Are their heavy-handed tactics to lock up and control everything we touch signs of plain old human stubbornness? Stupidity? Insanity? A bit of each? How else do you explain their inexplicable actions?

You might want to read this article, if you can get on the site. Traffic is high right now. Keep trying though. It’s worth a wait.

Thomas A. Limoncelli

Various people have written to me to say that they’ve received email notification that their pre-ordered copy of Time Management for System Administrators has shipped!

I’m asking everyone with the book to mark their location on Frappr. This interesting application of the Google Maps API will show where your nearest fellow reader is.

Thanks! I hope you all enjoy the book!

Chris Josephes

Related link: http://qtparted.sourceforge.net/

When I first set up my Windows XP desktop system, I made the C: drive too small. Eight gigabytes was okay at first, but it started to fill up, even though I installed almost all of my applications and personal files on a separate partition.

I bought a second hard drive and copied over the contents of disk D: onto it. My plan was to wipe the original D: NTFS partition and re-assign the space to C:. The new disk would be re-lettered to D: so my internal application and registry settings would still be intact.

I did almost everything through Computer Management except for the actual re-sizing. For that, I used QTParted running on a Knoppix 4.02 CD. I changed the C: drive size to 30 gigs and rebooted.

Windows noticed the size change, went through a CHKDSK run, and then rebooted without any problems. No files were corrupted, and I saw a noticeable improvement in a few applications with the new size.

There’s always a risk when you change the partition table with a filesystem on it, especially if you try to make that partition smaller. But I don’t see why I have to rely on an external utility in order to do this. If Windows will let me size the partitions for the initial installation, why won’t they provide me a tool to do it once the OS is up and running?

I am amazed how we still don’t have proper technology to produce technical content. If you are just starting on a software project you can, for example, choose to use your favourite text processor. (It is what I initially did for ModSecurity.) This choice is quick to start with and allows you to write comfortably. Unfortunately it is not adequate when it comes to publishing. The text processor I used, OpenOffice, produces nice PDF documents but it fails miserably when it comes to HTML output.

One approach that looks particularly promising is DocBook; I have been looking at it for years. DocBook is an XML-based markup language designed specifically for technical content. The people behind DocBook have done tremendous work on the backend stuff. DocBook appears to be well-designed and well-documented. You will even find two complete DocBook books, containing everything you need to know, freely available online. The problematic area is authoring, because the support for DocBook in text processors is very limited. Until recently your choice was to write XML by hand or, at best, write with the help of an XML editor. But it is insane to write anything but the simplest documents this way. As if writing were not difficult enough without your tools making it harder.

Book publishers are trying to get round this problem by customising the text processors, using special templates and macros. (Publishers also have a much bigger problem, as they need to support collaboration between the people involved in writing a book too.) This approach generally works, but it is a one-way street. Toward the end of the process the manuscript is converted into something more suitable for use in production. (I don’t know what happens when you need to write the second edition; I haven’t tried that with my book yet.)

Authoring
For me, discovery of the XMLmind XML editor was a glimpse of hope. Here we have a tool that allows you to write DocBook in a way that is similar to writing with a normal text processor. Naturally, the feature set of this young tool cannot be compared with those of the mature text writing tools. Still, the XMLmind editor is quite usable in its current state. What’s even better, the Standard edition is completely free. We appear to have finally sorted the authoring part of the problem. All you now need is a little patience to learn the DocBook ways (you can start with DocBook 5.0: The Definitive Guide).

Publishing
After having written the documentation in DocBook you need to figure out how to convert it into one of the supported formats. You will need the following resources for that:

To produce PDF:

fop.sh -xsl $DOCBOOK_XSL_HOME/fo/docbook.xsl -xml input.xml -pdf output.pdf

To produce single-page HTML:

xalan.sh -xsl $DOCBOOK_XSL_HOME/html/docbook.xsl -in input.xml -out output.html

To produce multi-page HTML:

xalan.sh -xsl $DOCBOOK_XSL_HOME/html/chunked.xsl -in input.xml -param base.dir ./output/

Although it is possible to use XSL to publish DocBook to text format I did not find the option very useful. You can get much better results creating text output from a single-page HTML using Lynx:

lynx -dump input.html > output.txt

FOP does not support RTF output at this time (although there is some talk of it being supported shortly), but you can produce it with the XSL utility. From the command line:

xslutil -out rtf output.rtf input.xml $DOCBOOK_XSL_HOME/fo/docbook.xsl

Tom Adelstein

Related link: http://www.oreillynet.com/pub/wlg/8566

Two Boston Globe writers got a tip that Peter Quinn had taken trips to open source conferences. So when Bostonians opened their newspapers this morning, the story was plastered on the front page. It stinks.

While we have documents showing Microsoft’s lobbyists paying for big trips for the former House Majority Leader and his family to go to England and Scotland, Mr. Quinn made trips to boring conferences. The prices were cheap too.

To what depths will Redmond stoop to save their cash cow? They certainly don’t mind ruining a man’s career. This is another desperate attempt to discredit Massachusetts OpenDocument adoption while no one is watching on a holiday weekend. And what was Quinn attempting to do? Save taxpayers money.

Tom Adelstein

Related link: http://lxer.com/module/newswire/view/48268/index.html

Steven J. Vaughan-Nichols is one of my favorite writers. Whenever I see his stories, I give them a read and put them up on the Newswire at LXer.com, the same way I do with authors on the O’Reilly site.

Stephen wrote in today’s article, “Liar, Liar, Pants on Fire: Microsoft and Open Standards”:

Kids know that when one kid lies all the time, the next thing out of his mouth is likely to be another lie.

So what’s the IT buying public’s excuse for thinking Microsoft’s new embrace of openness is anything other than a lie?

It’s one thing for Microsoft to declare that it will open up its Office XML file formats and have them be recognized as a formal standard by Ecma. It’s another thing entirely for this so-called standard to be a real open standard.

I posted the link at Digg.com with hopes others will enjoy the metaphor and understand the issues.

We also have an article up at Lxer.com called Does Microsoft’s Monopoly Power Extend to Government and Media? and we’re asking for some activism on the OpenDocument Format issue in Massachusetts. We would like to bring this to major media’s attention.

If you want to get this story into the mainstream media’s hands, please drop by and add a comment or take us up on our offer to hit some of the media pundits with an email.

Perhaps this is the time when all good men should come to the aid of their country. (Women too!)

Anton Chuvakin

Related link: http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/11-21-200…

Here is the reliable sign to tell a fake security compliance expert: they always misspell HIPAA as (gasp!) ‘HIPPA’. This press release is one of the best examples of what not to do (unless your purpose is to look dumb, of course :-)): misspell the name of the regulation when trying to sell services helping with it.

Tom Adelstein

Related link: http://lxer.com/module/newswire/lf/view/48095/

I’m a Linux advocate. I always want Linux to win. But, I refuse to lie to myself when it comes to Apple’s potential with Mac OS X.

OS X for Intel would change the PC landscape like no other operating system has or could. Apple should open-source their operating system, port OpenOffice.org to Aqua and bundle it for Intel PCs.

Why? OS X is a stable and secure platform and offers the proprietary multi-media applications lacking in Linux. Reports of OS X for Intel indicate it performs well, has a great interface and provides a better overall experience than Windows. Some say the experience is vastly improved.

With Microsoft Vista borrowing heavily from the OS X look and feel, why wouldn’t someone want the original? Apple could do a number of things with Aqua. Keep it proprietary and sell it, if you must. Or open it up and let the open source development community give users lots of great applications.

Sell Aqua for Linux and people would buy it in droves. Make a media player for it and you will sell that too. You have nothing but revenue looking you in the eyes.

Apple could continue to bundle OS X with their hardware and they would increase their hardware sales. Continue to offer high-end hardware solutions and Apple won’t be able to keep up with demand. People will consider the value of OS X and purchase Apple hardware justifying the premium with the $300 software savings and the value of higher end hardware.

Make OEM deals that force the existing PC vendors to pay top prices for OS X. They’ll pay you simply because they cannot afford to pass up the opportunity they would lose otherwise.

Would I spend more money for a great Apple computer? I already have. I bought a Cube when OS X was in beta.

We wanted the Studio Monitor, keyboard and mouse, sound system and the designer looks. Oh, the Cube eventually died, but we kept everything else, connected it to an Intel Pentium 4 box and now run SUSE 10 on that system. Give me OS X and I’ll install that without blinking.

My next purchase? A PowerBook with OS X. I’d then keep this IBM Thinkpad for emergencies and, if I could, I’d dual boot it with OS X and Linux.

What about Linux?

I would still run Linux where I could. I’d probably run it on Apple hardware. That’s correct, I would buy an Apple Server and run Linux on it as my web service platform. If Red Hat ported their RHEL 5 to the Apple platform, that would be my solution.

Linux developers would have a chance to make some money porting 17,000 packages to OS X, servicing them and selling them. Because enterprises would move to Apple at a moment’s notice and without hesitation, Apple’s eco-system would grow and Apple would prosper like never before.

In spite of Apple’s proprietary stand, many Linux developers, including Linus, have empathy for the Mac. Given the choice between an iBook and any Intel based laptop, Apple usually wins. Given the opportunity to offer Apple, the channel would beg.

People use Windows begrudgingly. They use Microsoft products because they have to use them. Give them an alternative and they switch.

Last week’s rejection of Steve Jobs’ offer to provide China with software for the MIT Children’s Notebook should have opened some eyes. Even with the superior interface and the special applications, China chose to stay with Linux. It makes one wonder why Apple isn’t riding the horse in the direction it’s going.

In the age of commodity hardware, Apple can adapt and win big.

You can digg this article.

Thomas A. Limoncelli

Related link: http://www.EverythingSysadmin.com

We are just a few days away from the first shipment of O’Reilly’s newest book, “Time Management for System Administrators”.

When I started writing the book someone told me that time management is impossible for system administrators because we can’t define what a system administrator does.

Actually, we can.

In general, I find that everything system administrators do fits somewhere in 4 categories:

  1. Easy things, that happen rarely.
  2. Difficult things, that happen rarely.
  3. Easy things, that happen often.
  4. Difficult things, that happen often.

Category 1 (easy/rare) are things we should do manually.

Category 2 (difficult/rare) are things we should document on our internal wiki. For example, when I replace a bad disk on one of my RAID systems there is a complicated series of steps I must take. It happens rarely enough that I’ll never memorize the exact sequence. Therefore, I record it. The next time the issue comes up, I can refer to my notes, and the same goes for the time after that.

Category 3 (easy/often) are things that should be automated. Because they happen often, the time spent creating the automation will pay off quickly. I remember once recognizing that there was going to be a growth of requests to move home directories from one server to another. This is a procedure that requires care and takes a long time, but isn’t particularly difficult. By automating the process we improved our ability to move homedirs without error, and saved a lot of time.

Category 4 (difficult/often) is where you want to delegate the task. By using off-the-shelf software (commercial or open source) you get the best of both worlds. Since the code is difficult to write, that ‘cost’ is divided among all the customers. Since the task is done often, it is worthwhile to automate. For example, we use word processors constantly, and they are difficult to create (after the initial features are done). So we use vi, emacs, OpenOffice, or MS-Word. Backups are another situation. There are so many oddball combinations of hardware, and since backups must happen accurately, successfully, and very often, it doesn’t make sense to write our own backup software. That’s why we’re glad there is Bacula, Amanda, and other such packages. We still have work to do (installation, integration, testing, etc.) but certainly not as much as if we were to write these systems from scratch.

Now, as Jon Stewart says on The Daily Show, I’m gonna blow your mind.

Documenting something turns a difficult task into an easy task.

The first part of automating something is to document the steps. Documenting the steps is often the most difficult part. When we can accurately document a procedure, it becomes easy to automate. It crosses over to the easy/often category and now becomes worthwhile to automate.

Documenting a process has another big benefit. Once we document it, we can delegate it. Until I had documented the process for replacing a disk in my RAID system, I was the only person that could do the task. Once it was documented I could ask a junior engineer to do it for me. They can come to me with questions, but the task can be taken “off my plate.”

The best time management techniques result in giving the task to someone else.

And it reduces my stress-level too.

System administrators often have a difficult time taking vacations. When we do, it’s difficult to de-stress because we’re still “on call”. You can’t relax if you are staying mentally prepared to spring into action and fix a problem. You might as well be back at the office.

However, if I’ve documented all those processes that “only I know how to do”, then other people can do a better job of covering for me. I can go on vacation with confidence.

Finally, I can also feel less stressed because I feel less trapped in my job. Nothing creates more stress for me than feeling trapped. I start getting grumpy, irritable, less productive and less fun to be around.

When I document-as-I-work (particularly easy when I use a wiki), I maintain a good record of how things are done, I can delegate tasks to others more easily, and I feel less trapped. I am less grumpy and irritable, more productive and much more fun to be around.

What wiki do you use?

Tom Adelstein

Related link: http://digg.com/linux_unix/Linux_News_Questions_Microsoft_s_Need_for_a_

If you offer a superior product then why would they need a “Get the Facts” campaign? I thought it was a cardinal rule in marketing not to name your competitor. But, Redmond’s most famous computer technology firm has learned that buyers make decisions based on who else uses a product. They know decision makers will say to themselves, if Rayovac uses it, then it must be good enough.

So what do you see? Just about any time a major publication runs a story about Linux, Microsoft gets them to place a “Get the Facts” advertisement nearby, and often right in the middle of the story. That seems pretty suspect to me.

Do you ever wonder if publications run Linux stories just to get a little of Microsoft’s ad money? Great business model: a Linux developer writes an article about a great Linux feature. A magazine publishes it. Then, Microsoft buys a “Get the Facts” ad. Then the publisher pays the Linux developer. Everyone wins!

Too many studies on the total cost of ownership (TCO) of Windows versus Linux have arrived at vastly different conclusions.

People with experience in polling know that you can take a premise and form it into a question and survey on that. If you change the premise and form another question you can survey again and you will get a different answer.

For instance, one survey asks participants about a complete rollout of Linux versus Windows in existing Windows shops. I wouldn’t even make such a radical change in an organization’s infrastructure. So take that premise, form a question and survey participants and you will get a result favoring Microsoft, unless you just got raided by the BSA.

It seems like the Boyz in Redmond are all over 40 now. So, I’m wondering why they don’t just settle down and make some software instead of worrying about Linux. Personally, I hate those ads; they can mess up a nice web page.

Diggable

Tom Adelstein

Related link: http://lxer.com/module/newswire/view/47357/index.html

Carla writes: Most women, when they plan their careers, think in terms of having jobs. But why limit yourself? The computing world is a haven for the self-employed, and the FOSS world supplies tools and opportunities you won’t find anywhere else…The whole idea is to do something that you find personally rewarding, get paid for it, and do it your way.

I consider Carla one of my favorite writers. She’s an outstanding technician. Every howto she writes works. That’s sometimes a better outcome than I have come to expect.

As a colleague, I have seen her work behind the scenes and she has remarkable talent in the craft of writing and in grokking and explaining technology. I consider her gifted.

In this current article you find Carla’s heart, her dreams and aspirations. She says “control your destiny”. While that may appear as sound advice for women, it’s sound advice for everyone.

I took to the road of self-employment a couple of decades ago. So, I understand the cognitive dissonance associated with those steps. You might discover how your fears could hold you back. Carla offers sound advice on this score and also gives you some assurance when you do it the open source way.

I consider Carla a polymath because she’s really skilled in a number of disciplines with communication being one. Thanks tuxchick!

Anton Chuvakin

Related link: http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453096362

Most of you are aware of the “Sony DRM rootkit” story (I blogged about it a few days ago). When the story broke out, I started wondering whether any anti-virus vendor would step forward with courage and add a signature for it. And now one did! Great work, CA. So, now we know that Sony is officially in the malware business…

Tom Adelstein

Related link: http://www.digg.com/linux_unix

OK. I found another home and I feel quite prosperous. This reminds me of the days when I could choose my favorite part of America and go live there a while. Now, I spend so much time in Cyberspace, it’s nice to have familiar landing fields.

If you don’t know about Digg.com then you may want to take a mini-vacation and enjoy the fun. For my readers, I suggest a visit to their Linux/Unix area. If you have an article you want to post, do it there. The readers get to decide if your posting should make the main page. What a refreshing change of pace.

I have also written a little piece about the site called “Wikipedia contributors wonder if they digg our friends at Digg.com”.

Seems that our friends at Wikipedia don’t exactly know how to treat the upstart technology news website that combines social bookmarking, blogging, RSS, and non-hierarchical editorial control. You might start there to read the comments.

But if you just want to jump-in like I do when I see a natural pool down in Austin on a hot summer day, go for it. I’m sure you will really digg Digg.com.

[Ed: Take a look at the Alexa graphic showing the difference between Digg and Slashdot. It should surprise you. ]

Chris Josephes

Related link: http://news.com.com/Hotel+card-keys+edge+toward+extinction/2100-1029_3-5939429.h…

For those curious, the title I chose was just a wee bit sarcastic.

It’s an interesting read, but there’s no in-depth conclusion as to whether or not there was any real security concern in the beginning. If the hotels are changing the format of the cards, are they acknowledging that there is a risk?

If you designed a card system right, it would contain the smallest amount of data possible: a truly random 64 or 128 bit integer (or maybe more) that is shared only by the card and by the door lock it’s associated with. If the card is lost, it’s worthless to anyone who finds it, unless they’re ballsy enough to try every single door in the hotel.

But now there’s the possibility that the cards may contain personal data. No hotels have been explicitly named, so it’s hard to tell if this is a widespread issue or just a few isolated cases.

If I were to guess, I’d say that the hotels that do add the data are the ones that give you extra services. If the hotel mentions your card can do extra stuff like buy food, or enter the Magic Kingdom, then it probably contains personal information.

If the hospitality industry wants to help alleviate these fears, then it should keep its guests informed. Guests should be told that lost or stolen cards should be reported immediately, and hotels should disclose the consequences of what could happen if a card was misused.

Buying into new technology like smart-cards or proximity cards only adds a layer of obscurity by using a less common media format. And hotels would ironically drive down the cost of smart card technology, since there will be an increased demand to build readers for every one of their doors. Magnetic card readers can start at around $100 (for reading tracks 1, 2, and 3). Ironically, you can purchase smart card readers for even less than that.

So either way, you’re still stuck with the need to take proper precautions with your cards. Once you’re done with your hotel stay, the card should be cut, chopped or shredded. If you need to keep the card, it needs to be kept in a secure place. If it’s lost or stolen, the hotel should be made aware of it right away.
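The card design sketched above, as an added example that is not part of the original post and does not describe any hotel vendor’s system: the card holds only a random 128-bit token, each lock honours exactly one token, the guest-to-room mapping stays at the front desk, and a lost card is handled by rotating the lock’s token. All class and function names are hypothetical.

```python
"""Key-card scheme of the kind the post describes: the card carries nothing but
a random 128-bit token, each lock stores only the token it currently honours,
and a lost card is handled by rotating that token. Added example, not from the
post or any hotel vendor; all names are hypothetical."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TOKEN_BYTES = 16  # 128 bits of randomness, the larger size the post suggests


@dataclass(frozen=True)
class Card:
    token: bytes  # the only data on the card: no name, room number or dates


@dataclass
class DoorLock:
    room: str
    current_token: Optional[bytes] = None
    revoked: List[bytes] = field(default_factory=list)  # kept for audit only

    def admits(self, card: Card) -> bool:
        if self.current_token is None:
            return False
        # constant-time comparison so a probe cannot learn token bytes from timing
        return hmac.compare_digest(self.current_token, card.token)


class FrontDesk:
    """Issues cards and handles check-out and 'my card is lost' reports.
    The guest-to-room mapping lives here, never on the card."""

    def __init__(self, rooms: List[str]) -> None:
        self.locks: Dict[str, DoorLock] = {r: DoorLock(r) for r in rooms}
        self.assignments: Dict[str, str] = {}

    def check_in(self, guest: str, room: str) -> Card:
        lock = self.locks[room]
        if lock.current_token is not None:
            lock.revoked.append(lock.current_token)  # any earlier card stops working
        lock.current_token = secrets.token_bytes(TOKEN_BYTES)
        self.assignments[guest] = room
        return Card(lock.current_token)

    def report_lost(self, guest: str) -> Card:
        """Revoke the lost card by issuing a fresh token for the same room."""
        return self.check_in(guest, self.assignments[guest])

    def check_out(self, guest: str) -> None:
        room = self.assignments.pop(guest)
        lock = self.locks[room]
        if lock.current_token is not None:
            lock.revoked.append(lock.current_token)
        lock.current_token = None


def doors_opened_by(desk: FrontDesk, card: Card) -> List[str]:
    """All a finder of a lost card can do: try every door and see which one opens."""
    return sorted(room for room, lock in desk.locks.items() if lock.admits(card))


def scenario() -> dict:
    """Walk through issue, loss report, replacement and check-out for one guest."""
    desk = FrontDesk(["101", "102", "103"])
    card = desk.check_in("alice", "101")
    result = {
        "bytes_on_card": len(card.token),
        "opens_own": desk.locks["101"].admits(card),
        "opens_other": desk.locks["102"].admits(card),
        "doors_before_report": doors_opened_by(desk, card),
    }
    replacement = desk.report_lost("alice")  # guest reports the card lost
    result["doors_after_report"] = doors_opened_by(desk, card)
    result["replacement_works"] = desk.locks["101"].admits(replacement)
    desk.check_out("alice")
    result["after_checkout"] = desk.locks["101"].admits(replacement)
    return result


if __name__ == "__main__":
    print(scenario())
```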

Anton Chuvakin

Related link: http://www.computerworld.com/printthis/2005/0,4814,105905,00.html

This paper talks about using system logs in order to discover the “root cause” of the problem. The process discussed is “detection, identification, determination, resolution and reflection.” Great! But the article claims that you have to search logs in order to discover the real issue.

This is where I disagree.

If you are using some supposedly sophisticated application to search logs, why don’t you use that same software (or appliance, whatever) to highlight the root causes for you? I would prefer the intelligence of this software to be used for showing me what I need to know, as opposed to letting me search and then figure out what the results mean until my brain turns blue…

And, in case you are wondering, it’s not easy to do, but it sure is possible.
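One shape such “highlight the root cause for me” logic can take, as an added example that is not from the paper or from any product: parse the log, keep only error events, split them into bursts separated by quiet periods, and inside each burst report the earliest distinct message type as the root-cause candidate and the later ones as symptoms. The sample log and the burst heuristic are constructed for illustration.

```python
"""Surface root-cause candidates from logs instead of making the analyst search.
Added example, not from the paper or any product; the heuristic (earliest message
type in an error burst is the cause) and the sample log are constructed."""
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed syslog-style sample: a full disk on db01 cascading into web errors,
# then an unrelated failed backup more than an hour later.
SAMPLE_LOG = """\
2005-11-04T02:12:50 web01 app: INFO cache refresh completed
2005-11-04T02:13:05 db01 kernel: sda1: no space left on device
2005-11-04T02:13:07 db01 postgres[1234]: ERROR: could not write to file "base/16384/2601": No space left on device
2005-11-04T02:13:08 web01 app: ERROR database write failed: connection to db01 reset
2005-11-04T02:13:09 web01 httpd: 10.0.0.5 "POST /checkout" status=500
2005-11-04T02:13:09 web01 httpd: 10.0.0.6 "POST /checkout" status=500
2005-11-04T02:13:11 web01 httpd: 10.0.0.7 "POST /cart" status=500
2005-11-04T02:13:20 web01 app: ERROR database write failed: connection to db01 reset
2005-11-04T03:40:01 web02 cron[77]: backup.sh failed: Permission denied
2005-11-04T03:40:02 web02 backup: ERROR archive not written
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
ERROR_RE = re.compile(
    r"\berror\b|\bfail|no space left|permission denied|status=5\d\d", re.IGNORECASE
)


def signature(proc: str, msg: str) -> str:
    """Collapse an event to its message type: drop pids, quoted values and numbers."""
    proc = re.sub(r"\[\d+\]$", "", proc)
    msg = re.sub(r'"[^"]*"', '"..."', msg)
    msg = re.sub(r"\d+", "N", msg)
    return f"{proc}: {msg}"


def parse(text: str) -> List[Dict]:
    """Parse the log into time-ordered event dicts; lines that do not fit are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        d["sig"] = signature(d["proc"], d["msg"])
        events.append(d)
    return sorted(events, key=lambda e: e["ts"])


def error_bursts(events: List[Dict], gap: timedelta = timedelta(seconds=60)) -> List[List[Dict]]:
    """Keep error events and split them into bursts separated by gaps longer than `gap`."""
    bursts: List[List[Dict]] = []
    current: List[Dict] = []
    for e in events:
        if not ERROR_RE.search(e["msg"]):
            continue
        if current and e["ts"] - current[-1]["ts"] > gap:
            bursts.append(current)
            current = []
        current.append(e)
    if current:
        bursts.append(current)
    return bursts


def root_causes(text: str) -> List[Dict]:
    """One report per burst: the earliest message type is the root-cause candidate,
    later ones are listed as symptoms with their counts."""
    reports = []
    for burst in error_bursts(parse(text)):
        first_seen: Dict[str, Dict] = {}
        counts: Counter = Counter()
        for e in burst:
            first_seen.setdefault(e["sig"], e)
            counts[e["sig"]] += 1
        ordered = sorted(first_seen.values(), key=lambda e: e["ts"])
        reports.append({
            "start": ordered[0]["ts"].isoformat(),
            "root_cause": ordered[0]["sig"],
            "root_host": ordered[0]["host"],
            "symptoms": [e["sig"] for e in ordered[1:]],
            "counts": dict(counts),
        })
    return reports


if __name__ == "__main__":
    for r in root_causes(SAMPLE_LOG):
        print(f"{r['start']} {r['root_host']}: {r['root_cause']}")
        for s in r["symptoms"]:
            print(f"    symptom x{r['counts'][s]}: {s}")
```

On the sample above the first burst is attributed to the full disk on db01, with the database, application and HTTP 500 errors listed as symptoms, and the backup failure an hour later stays a separate report.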

Tom Adelstein

Related link: http://lxer.com/module/newswire/view/47135/

Don Parris writes: “I realize the title might mislead you to believe that I’ve been trapped in a dank, dark underground dungeon for a year. In reality, though, I have been without Microsoft Windows for over a year. On November 1 of last year I blew away my old Windows 98/SUSE Linux 8.0 Professional dual-boot installation, and loaded SUSE Linux 9.2 Professional, by itself, on my box. While I know others have been Windows-free for much longer than a year, others simply cannot imagine doing without it.”

He later writes: “I can track my personal, as well as our ministry’s finances via GnuCash. I have experienced phenomenal stability, had very little to do in terms of managing the system, and been able to lead a relatively productive life over the course of the last year. I’ve noticed, too, that I revamp my system far less frequently. It used to be something like every six months. Now, I only do so when I upgrade. What’s more, I can edit those text files in the /etc folder if and when I need to make adjustments - no mysterious Pandora’s Registry to deal with. Ironically, I rarely need to make adjustments.”

If you didn’t guess it, Don’s an ordained minister and one of the Senior Editors at LXer.com. He’s actually one of the best writers with whom I have worked.

You can read his article at LXer. It’s a great read.

Oh yes. One of our readers says he’s a true Linux evangelist.

Anton Chuvakin

Related link: http://www.nymissa.org/event_detail.html?topic=45

In this minor bit of self-promotion :-), I wanted to invite my blog readers who are in NYC to attend my presentation at ISSA this Thursday, Nov 10. To disclose, this presentation will not be entirely vendor-neutral, but it will be fun anyway (if you are into that sort of thing :-))

Here is what I will speak about: “While fighting threats such as attackers from the Internet, internal network abusers and various forms of malware occupies a large part of the daily lives of security practitioners, many organizations are well underway in looking at another critical part of the risk formula: vulnerability. Such activity is one step organizations can take to be more proactive in their security process. Thus, vulnerability scanners have become a staple at many organizations. However, many of those suffer from the same disease that hit early intrusion detection systems (IDS): they are just too noisy. In addition, they don’t tell you what you should actually do about all those reports and vulnerability notices, just as most intrusion detection systems will not tell you whether you should care about a particular alert. In addition, many of the vulnerabilities cannot be fixed by simply updating to the latest version of the affected product, but require tweaking and the configuration of various system parameters. Thus, the vulnerability management space was born out of a need to intelligently prioritize and eventually fix the discovered vulnerabilities. This talk will look at the current vulnerability management challenges and show how your existing SIM (security information management) solution can help deal with the challenge. People sometimes view SIMs as solutions to manage IDS and firewall log data, but in reality market-leading SIMs can do a lot more.”

Anton Chuvakin

Related link: http://www.securitycurve.com/blog/archives/000265.html

Lots of folks talk about the upcoming physical and information security convergence. Here is a blog entry that makes use of this fun metaphor: “physical security” and “information security” are similar only in sharing a word, specifically: ‘”Lead guitar” and “lead pipe” have similar spelling; are they the same?’

It seems a hard nut to crack: there are important similarities, and there are differences which seem to be just as important. Any opinions? Maybe I can build another poll on convergence…

Tom Adelstein

Related link: http://lxer.com/module/newswire/view/46917/index.html

Intel’s move into India, China, Brazil and Egypt has allowed it to move outside the box of Microsoft’s governance, with Linux as the linchpin of its marketing strategy. One has to wonder if such a move makes sense. In the short term it might cost Intel, but it depends on how quickly they can gear up in the gigantic and untapped markets in which they’ve established themselves.

They stated that “some expect the Microsoft Windows* market share, today well in excess of 90 percent worldwide, to erode in the coming years. Market share for Mac OS X* is expected to remain flat and demand for every other non-Microsoft desktop operating system is expected to dwindle. So Linux, already the fastest growing desktop operating system, is poised to continue making desktop inroads”.

Does that mean they see the move of Apple Computers to the Intel chip as less significant than Linux? Or was this published before the announcement by Mr. Jobs?

For an in-depth look at what no hardware manufacturer has ever done before with Linux, read Intel® Linux™ versus Microsoft® Windows and Chinese Halloween with Intel to get an idea of what Intel has done for DesktopLinux.

Tom Adelstein

Related link: http://lxer.com/module/newswire/view/46808/index.html

Today on LXer.com, two of my collaborators joined me in writing a story about Intel’s Government Assisted PC Program in rural China. Word of the program came from a source we believe came from inside Intel. Basically, the story is a leak.

As we researched and vetted the article, I came to realize that the company could single-handedly replace Microsoft as the largest supplier of desktop software globally. Their initiatives in developing nations stagger the imagination.

What did we learn?

Intel has approached the market correctly by cooperating with Governments in India, China, Brazil and other countries. They have put money to work in those places so that the countries involved become self-sufficient.

The PCs Intel makes are high-quality, low-priced units. For example, the system in rural China costs $350 and has Linux as the “user-friendly” OS. Rural China looks like it will have 4000 service centers to sell, educate and service the PCs.

The press in the United States has missed the boat. Intel has contradicted the Microsoft story and is proving Linux works.

What did we want to know?

Why Intel won’t do the same thing in the United States.

Bravo for Intel and now let’s see the poor people in our country get similar treatment to those in the rest of the world.

Anton Chuvakin

Related link: http://www.securityfocus.com/brief/34

Seeing stuff like this makes me want to say something cheesy, like: “Welcome to the 21st Century!”

So, basically, hidden software-vendor-installed malware will fight it out on poor users’ PCs. Evil will fight evil and the user will lose either way… “Trojan vs Rootkit, Part II” :-)

“Called the Warden, the anti-cheating program cannot detect any files that are hidden with Sony BMG’s content protection, which only requires that the hacker add the prefix “$sys$” to file names.”

Anton Chuvakin

Related link: http://spiresecurity.typepad.com/spire_security_viewpoint/2005/11/another_doomsd…

Can one man change the world of security? Pete Lindstrom’s quest to “eliminate” vulnerability research seems to suggest ‘no’ :-)

Here is some of the discussion that took place on his blog after he posted a challenge to describe a fictitious scenario: ‘what will happen if all whitehat vulnerability discovery stops, as if by magic?’

>Anybody want to toss out their idea about what would happen if bugfinders stopped looking for bugs? What do you think the impact would be?

In brief, I said the following:

“Well, I like SciFi, so I will play. In all likelihood I am wrong, but then again this thing will never happen anyway…

In general, I think that some version of Thomas’s scenario will get realized (obviously, circa 200X and not 1992). Let’s assume that all white-and-light-shade-of-gray-hat folks just stopped researching and, obviously, publishing vulns. What will happen?

First, everything of value will get owned (from the pool of whatever is not 0wned now :-), of course) by a few people. There will be fewer “incidents”, however, as many sites won’t even know that they just got owned. They will be made aware that their IP and money are suddenly in the wrong hands. Malware will likely drop; the only worm/virus incidents (admittedly rare) will be hugely damaging, as there will be no protections as reliable as current signature-based ones (anomaly-based stuff at this stage is generally less reliable; not that I am saying that signature-based are better - only that currently they are more reliable). Script kiddies will all but vanish, left to pick up the pieces of whatever trickles from the underground.

I suspect the list of ‘advanced blackhats’ is longer now than it was in 1992. Thus, they will be able to pretty much do whatever they want (maybe not launch ICBMs, however :-)). With time, as software security degrades even further, more folks will be able to ‘join the club’ and share the proceeds, first owning whatever the first group did not :-) Vendors will go to fewer patches (after all, why bother?), making life simpler for some people (admins!), but complicating it for others. Backup solutions will sell like crazy, though…

Overall risk? To be honest, I dunno (Celebrate, Pete! :-)). For folks running high-value targets, the risk will likely go up since they will lose all protections that rely on knowing about vulnerabilities e.g. NIDS, NIPS, scanners (and will keep the behavioral/anomaly-based ones). For others, it might decrease, as all the ‘hunters for low hanging fruits’ will go the way of the Dodo…”

Discussion still continues…

Anton Chuvakin

Related link: http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html

Nice one! According to this report, Sony DRM software uses rootkit-like technology to prevent users from doing some things on their own machines…