Heading for some 'Rest and Realization' on Tuesday. Back soon.
Sunday, June 24, 2007
Damn straight
Creativity expert Sir Ken Robinson challenges the way we're educating our children.
Thursday, June 21, 2007
Dear Sirs..
Another bold question if I may. The topic is trust. The subjects are sheeple and computer systems. The framework is IT Security. The context is always changing. The goals are the same. Intent is irrelevant. Miscreants abound.
Excuse me arguing by analogy, but this online age verification system to access movie trailers sums up many of the major issues and ignorances in IT Security.
http://blogs.csoonline.com/dirty_trailers_cheap_tricks
As the depth, pace and breadth of technology increases, no one can be expected to be an expert in all systems and subsystems they either use, interface with or build upon. Knowing what's going on 'under the hood' is becoming increasingly abstract and esoteric, especially to the standard consumer of computing resources. The issue is compounded by depth of code, system complexity, legacy systems, and third party drivers and modules, which are either knowingly or unknowingly part of a solution. Users require protection from both themselves and others while interfacing with systems or when having their information stored or utilised.
Unfortunately global systems span geo-political boundaries: global systems which can be hijacked and used to attack more innocents. (Unfortunately systems will continue to be, or will become, vulnerable over time!) And I am talking about any node here: routers, switches, firewalls and traditional endpoints.
I am leaning towards the belief that more services should be available to end-users in their local cloud. Not necessarily mandated, but available - depending upon the environment. This is a highly complex and potentially volatile area, and arguments abound, however the question should be 'what's effective?'. DAMN -> fast, reliable and cheap. Though I like reliable!
How can you trust unmanaged systems and users (also known as information processing nodes!)? See previous post.
How can you trust managed systems and users?
How can you trust infrastructure nodes?
Expect them all to fail. Expect them to be compromised. Expect to lose trust in them.
Now where does that leave us?
Let's look at the enforcement points on a simple systems trust model again... See previous post. (I like to think of the diagram as the equivalent of a Feynman diagram for IT Security, tee hee!)
So some stuff to think about. Here's a new acronym/phrase for you akin to SOA (Service Orientated Architecture).
SOV (Service Orientated Vulnerability): can be a compound or blended vulnerability.
SS (Service Surface): interface, network, user, back-end etc.
IS (Interface Surface): a subset of the above which takes into account multiple new input vectors, as the future interface will have more than one API/endpoint/processor per endpoint, utilising new input devices and virtualisation.
Fun, fun, fun.
Every node will be a client.
Every node will be a server.
Every node will be a cache.
So now, do you trust the node, or introduce another trusted node to watch the node?
This could go on ad infinitum. At some point you hope there are enough checks and balances to watch the watchers.
Can we checksum people, anyone?
Schneier gets credit for leading me to the age verification system... http://www.schneier.com/blog/archives/2007/06/age_verificatio.html
Quoted from the CSO Online post linked above:
"This morning, the New York Times has a nice story on gateways to online movie trailers that contain adult content. Trailers online will be preceded by colored tags, just like the green one you see in theaters that indicates the preview is acceptable for anyone watching. A yellow tag indicates the trailer may include PG-13ish content and a red one indicates an R-rated trailer, as it does in theaters, though red tags are rarely used in theaters.
The trailers that appear on the studios' movie sites, the story said, also have time of day restrictions, ostensibly viewable only between 9 p.m. and 4 a.m."
Sunday, June 17, 2007
Friday, June 15, 2007
What does IT Security and a HIV/STD test have in common?
Answers on a S.A.E. (Self Addressed Email)
Thursday, June 14, 2007
Symbiosis
If one doesn't separate the human from the endpoint system (which is what client-side security is really all about), then - and only then - will we make progress in the IT security battle. The human, peripherals and machine comprise the client-side endpoint, which needs to be protected in its entirety! Now let's think about Integrity, Availability and Confidentiality again.
Aside: Lines are being blurred between the conceptual client and server roles each day. Service orientated enterprise architectures are only a minor part of the puzzle... Let us never forget the users, administrators, operators and developers as part of the overall puzzle. (Or is it a mystery?)
Dorky is right!
IT Security needs more than this Open University-style waffle.
I prefer the 'Look Around You' approach to learning ;)
Wednesday, June 13, 2007
A text from the ether
I got this message via text from a friend today:
"How many wasted thought cycles do we have each day, each month, each year, in a lifetime? How does fear rule our actions, control our thoughts, overrule our instincts, and dictate our emotions? Are we conditioned how to act and react? Are we bred to slave over data in the workplace? Have our minds been turned into computers? Have our bodies been bred to consume? Are we drugged from childhood? Are we awake and if we were, how would we know?"
And here is a nice TED talk from Tenzin Bob Thurman (Uma Thurman's dad!), who became a Tibetan monk at age 24, about a topic I would refer to as 'enlightened self-interest':
On my tech mind.
- Complexity Crunch
- Feedback Loops
- Change Management
- Reliability (Integrity)
- Loosely Coupled
- Mobile
- Everything is a client, everything is a server, everything is a cache
- Distributed content inventories
- Intelligent packets
- Metrics
- Quality of information
Sunday, June 03, 2007
The Blue Packet
This is a great post from a site I like about the mobile Telco industry. It made me laugh out loud. Things that evoke an audible response from you are special, whether good or bad!
Link (also in image): http://the.taoofmac.com/space/blog/2004/11/08