The large, spectacularly colored American burying beetle has disappeared from more than 90 percent of its former range due to disruption of its food chain by humans, including the human-caused decline of top predators like wolves and bears and carrion species such as passenger pigeons. The beetle was put on the endangered species list in 1989.
Whether you agree or not with the essence of the campaign, their rhymes and images are truly excellent. It only takes a minute to memorize the entire list. Great inspiration for information security slogans. I have written before about the effectiveness of rhymes like “ctrl-alt-delete when you leave your seat”.
* An end-user will not be able to tell the difference between these counterfeits and authentic Petzl products (see below for more information)
* They have serious quality, performance and safety problems.
For these reasons, Petzl decided to alert its end-users and begin legal action against the counterfeiters.
This has many potential uses for both good and bad. It basically takes the old concept of secret tracking devices and tries to make them into security commodities for everyone to enjoy.
In an ACM SenSys 2010 paper, we present AutoWitness, a system to deter, detect, and track personal property theft, improve historically dismal stolen property recovery rates, and disrupt stolen property distribution networks. A property owner embeds a small tag inside the asset to be protected, where the tag lies dormant until it detects vehicular movement.
More to the point, from a market perspective, if we accept the commodity of electronics as a general argument then an encryption and backup/restore strategy is far simpler and less costly than tracking, capturing and recovering stolen electronics.
When someone grabs your iPhone and makes a run for it you will probably have better peace of mind with encryption and recent backups than with trying to chase and detain the attacker. As someone at the RSA Conference said after he accidentally left his phone in a taxi, “even if I could get it back it would probably be bricked”.
Information is not really that much safer with the AutoWitness control option. It adds marginal value versus other controls and can actually introduce new risks. As an inexpensive device to monitor someone, on the other hand, it provides a *new* source of information and can add significant value at a lower cost than other controls.
Nonetheless, just like a lot of the other forensics and investigation tools, I bet this will continue to be marketed as a disaster recovery solution.
For some teams, especially teams that are not building out-of-the-box simple web apps, and Agile teams that are following Continuous Delivery with frequent deployments to production, or Continuous Deployment updating production several times a day, that’s a lot of work.
And WAFs add to operational cost and complexity, and there is a performance cost as well. And like a lot of the other appsec “solutions” available today, WAFs only protect you from some problems and leave others open.
I do not disagree in principle, but this is just another way of saying we want something more effective for less cost.
As long as we’re posting our wishes why not push the onus back onto developers? Can’t they just develop more useful and secure code for less cost?
It has to be simpler. It’s too hard to write secure software, too easy for even smart programmers to make bad mistakes – it’s like having a picnic in a minefield. The tools that we have today cost too much and find too little. Building secure software is expensive, inefficient, and there is no way to know when you have done enough.
There aren’t any easy answers, simple solutions. But I’m still going to look for them.
Can’t hurt to look, right? There has to be an easy assembly-line way to make coding more like making a picnic basket from McDonalds instead of all the complicated and messy work of cooking in a kitchen…even for a day in the minefields. Good analogy, Jim. That security problem was easy to solve in the real world, right?
Clearing minefields is a long, slow, time-consuming process, and there is no room for error.
Oh well, move along. Nothing to see here. Don’t look at Jim’s poor analogy blown to bits.
The Environmental Protection Agency says they have settled with the manufacturer of Crocs over a case of unproven health claims.
Perhaps Henry Ford put it best, when he famously said the cost of practicing security was never justified:
Security is bunk. If you are safe, you don’t need it: if you are breached it is too late.
Ok, I confess I adapted that. He actually was speaking about the cost of exercise to stay healthy…
Exercise is bunk. If you are healthy, you don’t need it: if you are sick you should not take it.
On the contrary, the low cost of exercise (while you don’t “need” it) may in fact be part of the benefit. You invest while you are healthy as a preventative measure because if you try to use shortcuts or put it in later you will not achieve the same return on investment.
Back to the WAF, Jim might find that “a lot of work” spent on security for the firewall might actually be worth it in terms of understanding security of his apps better, improving them overall, as well as preventing breaches and known attacks. I wager he will find the cheap and easy cure for application security around the same time that he finds the cheap and easy cure for health.
Even if you find it, it might not go where you want today (Photo by me)
a blog about the poetry of information security, since 1995