Friday, July 27, 2012

Latest cyber security bill equivalent to The Maginot Line

The latest incarnation of cyber security—the bill designated S.3414.PCS (read it here)—spends hard-earned tax dollars to build a toothless bureaucracy while at the same time making it harder for businesses and individuals to protect themselves. Where licensed and bonded cyber privateers would be a positive net revenue generator to a sponsoring government, this law could best be described as, "Let's play defense only and make it really hard to let the world know who the bad guys are." Heaven forbid you should share/publish the identities of the people/organizations/governments that are attacking you.

No wonder cyber attacks are up (as the New York Times reports today). Our "best and brightest" are still trying to build the cyber equivalent of The Maginot Line.

Tuesday, July 17, 2012

Yahoo security breach "Shocks Experts?" Gimme a break!

I've been biting my tongue since July 13th when the Network World story (see here) "Yahoo security breach shocks experts" invaded my personal data exhaust analytics processor. I've been carping on Yahoo's lack of security for almost two years (type "Yahoo" in the search bar to the left and see for yourself). Two words in the ludicrous headline—"shocks experts"—are an oxymoron. Any so-called expert who is shocked is no kind of expert at all. In my opinion, Yahoo deserves every single bad thing that has happened to them because they are persistently incompetent. Selah.

Tuesday, July 10, 2012

"Incident Response" is a really stupid concept

I just got a white paper announcement from one of the major IT publications from a sponsor touting scenarios for "incident response" teams. My fellow cyber privateers, when the balloon goes up there isn't time for a group of people to sit around a table and reach a consensus. You don't have a day, an afternoon, or even an hour. Your response to intrusions should be within milliseconds, it should be unambiguous, and it should be absolutely disproportionate. Which means it should be advertised to the point that no individual or government wants to come near your site. See Principle #22 on Defense (here) of the Perfect Virus. My idea of "incident response" is a PR firm issuing a press release explaining why no one in Beijing can complete a cell phone call for the next seven days. An object lesson for the government-sponsored intrusion into company XYZ's systems, courtesy of licensed and bonded cyber privateers operating under The Cyber Privateer Code of Conduct (see here). How's THAT for incident response?