Stop SOPA and PIPA: We openly declare our support for the efforts to prevent the ability for governments to police the Internet.

Kudos to Wikipedia


Talkback and comments are most welcome

Related posts

Privacy Ignorance - Was Eric Schmidt thinking?

Last weekend I got into a discussion with an insurance supervisor on the topics of risk assessment. He explained the process of work of actuaries in insurance, and that there are standardized tables of probabilities for an event to occur, like sickness and death, and how it is used to calculate insurance premiums.

After digesting the explanation, my reaction was that I found the holy grail of the Information Security Risk analysis: All it takes is for enough amount of incident event be collected into a statistical table, and all possible types of information security incidents will have a standardized table of frequency and impact - no more assessments over the entire organization!

And in such a great and utopian solution, at least a quarter of the time the information security personnel will fell like they are doing actuarial jobs.

But I was quickly brought back to reality by the expert in insurance, with a good question: Actuarial tables are compiled based on information that is mandatory to be published - illness, fires, theft, even death. How will you collect accurate information from information security, when it's not mandatory to publish them?

And he was perfectly correct: Collecting information to compile an actuarial table for information security will be impossible. There are very few companies in the world that will release any information that there was an information security incident if it hasn't impacted the public in a very obvious way. Also, the value of the impact is calculated in any number of methods, and different items are included in the value, making the valuation of the incident an incomparable attribute from one incident to another.

Having a standardized method for risk assessment in information security based on hard numbers would be great. But since the factors included in any incident are very complex and varying, and also consistent incident reporting is nearly impossible, we will be sticking to the current qualitative methods.


Talkback and comments are most welocme

Related posts

Example Risk Assessment of Exchange 2007 with MS TAM
Risk Assessment with Microsoft Threat Assessment & Modeling  

Just before the sad event of Steve Jobs death, obtained a MacBook. While everyone is still immersed in reading the biography, we embarked on the journey of using a new OS for the first time. Here are the positive experiences and gripes that we found when using it in a multi-purpose multi-platform environment.

Please note that we are just starting up using the Mac, and some of our issues may have solutions that we haven't found yet.


The environment
The MacBook arrived in the very mixed environment of Shortinfosec

• Domain - an active AD Win2008 functional level domain, but used only for testing. The computers are only added to the domain to do research related to the domain.
  
• Computers - Work is done on our laptops - HPs, Lenovo and Acer running Windows 7, Vista and Ubuntu.
• Virtual environment - Virtual Box and VMWare player based virtual machines, mostly bridged network
  
• Network - 802.11 n Wifi and wired 1 Gbps Ethernet network. Cisco and Huawei network elements
  
• VPN - Cisco IPsec VPN for remote access
  
• Storage - iSCSI based storage server, built around an Openfiler storage server, on the wired LAN segment
  
• Printing - a very old HP LaseJet printer, so old that we have to use a Centronix to USB convertor, so we attach it to any laptop we need.
  

What we do on this environment:

• Testing and honing skills of attack tools
• Running test scenarios on corporate products
• Active Directory fiddling and trying to break
  
• Playing games
  
• Blog management
• A lot of article and paper writing
  
• Java development
• Odd accounting jobs
• Lots of games ;)

The positives
We like to start on a positive note, so here are the things we like about our Mac

• User experience - as Steve Jobs insisted, the user experience of working in Mac Applications on the Mac is seamless. Everything just runs. Even attaching external hardware a 20 year old printer was a breeze - much easier then doing the same on Vista.
  
• Battery life - the battery life is simply outstanding. The commercials say that the Mac can do 7 hours on battery, and that is quite true, for working in word processor, at 65% screen brightness.
• Portability - not really comparable, since all other laptops are 15'', but the Mac is very easy on the shoulders, and an excellent companion at meetings.
  
• Speed of functions - all implemented functions within the OS are implemented VERY WELL. For example, the Cisco IPSec VPN connection using the native Lion client authenticates at least 10 seconds faster than the Cisco VPN Client for 64bit Windows 7 (we actually measured)
  

The gripes
Naturally, not everything is that great, and here are the frustrations that we faced with our Mac.

• The keyboard shortcuts - putting an IT pro who worked on a PC and Unix for 20 years in front of a Mac running OSX is a special kind of hell: NONE of the keyboard shortcuts are the same, and it a significant effort to shift to OSX shortcuts. They are not illogical, only completely different, which hampers productivity for anyone used to do much of their work on a keyboard.
  
• Interoperability with other platforms - There are interoperability gripes with a lot of stuff. The Mac can join an AD domain (sort of), but we had a lot of stress getting the Mac to use cached credentials. Mostly the same happened with a Linux based LDAP service.
  
• Software is missing - A lot of productivity software that we are used to is missing for Mac - we stumbled on Visio, then on MS Project, then on Notepad++, then on 7zip... We didn't go into developing Java in Eclipse, because of the following point. Mind, there are replacements for most of the software we were missing, but productivity was hampered since we needed to find the appropriate software, buy it and learn how to use it. VMware player is nonexistent for Mac, we are limited to VirtualBox.
  
• Lacking native support for obvious items - first disaster - no support for NTFS write. We had to revert to the dreaded FAT32, which was a deal breaker for development. As if that wasn't enough, iSCSI is not natively supported, which further killed any attempt at accessing the large Java codebase on our iSCSI fileserver.
• Remote access - So far we haven't discovered an efficient native tool to access and work on our Mac remotely. The Apple Remote Desktop is a shameless highway robbery - why should any company or user need to pay any money to access and manage a single Mac remotely? We are at the moment trying out VNC, which is not a very preferred platform.
• No Native or Free Disk Encryption - (Updated, thanks to comments on reddit.com). Up to OSX 10.6 only Sophos SafeGuard provided full disk encryption for a Mac. For OSX 10.7 there is FileVault full disk encryption, but we haven't tried it.
  

Conclusions and thoughts
We are not abandoning the Mac - it is a great tool and an asset in our little lab. But in the current state of things, it takes a lot of effort and compromise to fully migrate to a Mac platform, especially since a multi-environment knowledge is required.

If today someone asks us whether a Mac is a good idea for company use, we would not be very supportive for the following reasons:

• Business Software lack of compatibility
• (Updated per the comment of Ryan Black) Incompatibility with writing to NTFS filsystem (which is everywhere) (previously stated NTFS fileservers - fileservers are accessed through SMB, which is supported)
  
• Learning Curve for efficient use

Talkback and comments are most welcome


Related posts
Information Risks when Branching Software Versions
8 Golden Rules of Change Management