Test post

Over the summer, Adam and I were talking and I said that I’d like a place to do some personal blogging as opposed to things I normally do, which are targeted at one place or another.

I’d like to be able to blither about security, but also about whatever. Photography, cooking, you know, things that most people who blog blog about.

We set this up and I have finally gotten around to making a test post.

So thank you, Adam and the rest of the jazz combo. I’m Jon Callas, and I’m on bari sax and English horn.

New breach blog


Evan Francen is maintaining a breach blog with more structure and commentary than either PogoWasRight or Attrition.

As I looked at it, I had a couple of thoughts.

  1. The first is that he doesn’t reference Attrition DLDOS numbers. (Then again, Pogo doesn’t either.) I think this is a mistake. When we founded CVE, it was because there were lots of independently maintained data sets like this, and correlation had become a problem. It feels like this is the same sort of data, and so getting coordination around cross-referencing would be great.
  2. My second thought is that in posts like his “The Breach Blog Month in Review November, 2007,” he attempts to derive cost information by taking the Ponemon Institute’s $197 per-record number and multiplying it by the number of people affected. I think it’s possible to do better in several ways:

    • The numbers are broken out in the reports, and some of them are per-individual, and others are per breach. People deriving numbers should use the detailed information that the Institute offers.
    • There’s also the cost of lost business. Of the 5 organizations reporting a second (or later) breach, 4 were governments or government agencies: HMRC, Montana State University, the US Department of Veterans Affairs, and the Commonwealth of Massachusetts. It’s quite difficult for someone to stop interacting with HMRC or Massachusetts. It’s not possible to lose veteran status. It may be possible to get Montana State to destroy all personal data about you, but I doubt it. The fifth, Capital Health, is likely the only one, or one of a very few, health care options available to its customers. Given that the 2007 Ponemon report states:

      The cost of lost business continued to increase at more than 30 percent, averaging $4.1 million or $128 per record compromised. Lost business now accounts for 65 percent of data breach cost.

      For those organizations, the cost of a breach could justifiably be counted as no more than $69. ($197-$128=$69)

Anyway, it’s great for a wide spectrum of breach analysis to emerge. That chaos and competition will lead to better analysis and better security for us all.

Image: “The Breaking Dam,” by ReubenInStt

“Security Vulnerability Research & Defense”

My co-workers in SWI have a new blog up, “Security Vulnerability Research & Defense.” They’re planning to…well, I’ll let them speak for themselves:

…share more in-depth technical information about vulnerabilities serviced by MSRC security updates and ways you can protect your organization from security vulnerabilities…

The two posts below are examples of the type of information we’ll be posting. We expect to post every “patch Tuesday” with technical information about the vulnerabilities being fixed. During our vulnerability research, we discover a lot of interesting technical information. We’re going to share as much of that information as possible here because we believe that helping you understand vulnerabilities, workarounds, and mitigations will help you more effectively secure your organization.

I’m excited. I see the good work that the team does in understanding vulnerabilities, and I’m glad that we’re sharing more of it.

How to Treat Customers

My friend Austin Hill has a new blog, Billions With Zero Knowledge. He’s got a really good post up “Crowdsourcing or Community Production – An Interview with Hugh McGuire from Librivox.”

What’s most interesting to me is how new companies are trying to tap into customer enthusiasm to build not only value for their customers, but a community. The companies that really succeed at building a community will find it a double-edged sword: their communities will be their biggest asset, and the hardest thing to change. At the same time, it’s done great things for companies like Flickr, and it’s a welcome change to be treated as a person, rather than as a monetizable eyeball.

In every dream home, a heartache

Barry Ritholtz, an NYC hedge fund manager, blogs about a WSJ story. The gist:

On Sept. 21, 2001, rescuers dug through the smoldering remains of the World Trade Center. Across town, families buried two firefighters found a week earlier. At Fort Drum, on the edge of New York’s Adirondacks, soldiers readied for deployment halfway across the world.
Boards of directors of scores of American companies were also busy that day. They handed out millions of bargain-priced stock options to their top executives.
[…]
A review of Standard & Poor’s ExecuComp data for 1,800 leading companies indicates that from Sept. 17, 2001, through the end of the month, 511 top executives at 186 of these companies got stock-option grants. The number who received grants was 2.6 times as many as in the same stretch of September in 2000, and more than twice as many as in the like period in any other year between 1999 and 2003.

WSJ, 7/15/2006

I find myself surprised at the instinctive greed this story reveals to us. As Mr. Ritholtz says:

What makes this so pathetic is that corporate executives could have stepped up AND BOUGHT STOCKS IN THE OPEN MARKET if they believed they were so cheap. It would have been reassuring to a nation to see the leaders of industry voting with their own dollars.
[…]
In 1929, when the stock market crashed, JP Morgan (and others) stepped in. They bought stock with their own dollars, they saved Wall Street. Oh, and they were rewarded for it — both monetarily, and in the history books.

Amen.

As an aside, Ritholtz’s two blogs are worth a few minutes.

“Security To The Core”

In a post with the self-evidently wrong title “Blog Posts Do Not Include The Words ‘dizzying array of talent,’” Tom Ptacek points out that Arbor Networks has a blog. Jose Nazario’s “The Market-Driven (Vulnerability) Economy” post is pretty good.

However, I think we need video of Dug Song reading this text, which in “News Flash: Arbor Networks Joins the Security “Blogosphere,”” is attributed to him:

Our holistic approach to network security reflects the dizzying array of talent represented here, with backgrounds ranging from biochemistry to Internet infrastructure research, network processing hardware to mission-critical network operations. In the coming months, we hope you will be entertained, pleasantly surprised and maybe even enlightened by what we have to share. It is just another way for us to give a little back to the community.

In fact, I want video of Dug walking into a room, sitting down, and then reading that text, because I don’t think he could do it without giggling. I know I couldn’t.