Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security." Here is an issue #3, dated May 22, 2008.
So, here is my next iteration of fun reading on security, logging and other topics.
- Security and fraud: different worlds, same people? To me this story was pretty shocking; now I guess I should accept that for some people security business is just another scam.
- ROI Again? The paper goes like "Darn the terms and definitions, it is a good thing." But what is "it"? If you never define it, how can one claim that it is a good thing? Amrit then comes and drop-kicks it. Thanks buddy, what "a paradigm shit"!
- A really good read (and I mean it!) about security evolution comes from Gunnar. Check the table he has and weep, really weep.
- "Fifty years of DARPA: Hits, misses and ones to watch" (past history) and "Fifty years of DARPA: Hits, misses and ones to watch, part II" (current project to watch) - extreme fun!
- An [ex-] TJX employee explains that TJX security is still horribly broken, yes, even after the breach and all the hoopla.
- Finally, one intelligent comment about Google "Indiagate" (warning: Slashdot link). This story reminds us that Internet + different countries, culture, laws = big problem that will only grow bigger.
- Third Annual Movie-Plot Threat Contest ends (winner, finalists, all entries)
- Read "State of Affairs" from RSnake, then "the nature of things" from Jeremiah, then "grossman and rsnake lay eggs" from LonerVamp. Welcome to the world where everybody is 0wned and nobody is talking! Think a little. Stop when you get to "... so it sounds like a good idea to be a blackhat today. should I switch sides?"
- Along the same line, Emergent Chaos on Blackhat Tax. Will it finally make security "a cost of doing business"? When I read stuff like this, I pray that a set of useful security metrics will be sent to us by the gods.
- Can security be "built-in" and "transparent to users"? Sorry, but no; read this, this and this. Security is about humans, not bad OSs and weak network protocols.
- Interesting discussion on ISO2700x and ISO17799, sparked by my blog post. So, why not ISO? People seem to insist on doing compliance regulation by regulation despite all the known inefficiencies of it...
- Finally, Richard Bejtlich's gem - no, GEM: "Security: Whose Responsibility?" Read it NOW! BTW, C-I-A is dead.
Enough for now!