Archive for March, 2006

Net neutrality concerns and China’s Telecommunication Act

March 30th, 2006

CNET reported a public, drastic debate on Net Neutrality, and careful consideration of a bill behind the scenes, among stakeholders. As representatives of the new voice from the internet, the giants Google, Yahoo and Microsoft criticized that the Net Neutrality bill might bring unpredicted potential damage to internet users, while leaving a loophole for the triple-play or traditional operators who own and operate the internet transmission services. A good blog post pointed out what the world would become if net neutrality were killed off:

In other words, customers might only get to run applications approved by the carriers. Not only would that result in dramatically higher costs for consumers and businesses, but many speculate it would seriously hamper innovation.

Of course, there is still a long way for Net Neutrality to go before it becomes a real bill, but this kind of argument will help improve maturity, integrity and fairness, and will eventually benefit end users.

In China, the anticipated Telecommunications Act has not been enacted yet, after more than 25 years of tough development. According to the MII, the Act, still at its draft stage, will be finalized in 2006. It was said that the reason for continuously postponing it was the uncertainty over the convergence of the three networks (telephone, video, and data). Compared to the openness and public participation reflected in the above report, we could improve our legislation process by involving more people, experts and enterprises.

Categories: -English-, Telecom

Rails releases latest version 1.1.0

March 29th, 2006

On March 28, the Ruby-based open source rapid application development framework Rails released its latest version, 1.1.0, with a bunch of new features and plugins. See the official site at: http://www.rubyonrails.org

Categories: -English-

MySpace Used as Forensics Tool

March 29th, 2006

See the post on Schneier's blog, "MySpace Used as Forensics Tool". It's a lesson for web surfers. Before you fill personal information into forms on BBS/blog/IRC/mailing-list and other MySpace-like cyber sites, you'd better be prepared to let that information be known by everybody on the planet. Or don't do it.

On the other side, this reflects the value of web data mining technology, not just web search engines like Google, Yahoo and Baidu, and not just so-called community search engines like Google Blog Search and Qihoo. The next generation of web information mining tools should cover more applications where valuable data hides. Mining technology, just like today's search engines, is a double-edged sword: you can use it to protect yourself, and others can use it to hurt you.

Categories: Security

SOC and MSS worldwide

March 27th, 2006

From its first appearance, the SOC (Security Operations Center) was created for MSS (Managed Security Services). In 2002, when I tried to dig up information on SOCs with Google for the first similar project in China, I found the top matches came from ISS and its subsidiary organizations (ISS had 6 SOCs worldwide then), such as ISSKK and its Taiwan agent ISSTW, but this was not my target.

Another significant description of a SOC is from NTT. NTT built up its SOC to provide MSS service to its customers, i.e. security can be a sort of value-added service, besides being a competitive advantage. See the following diagram on NTT's SOC:

Categories: Security, Telecom

Identity is the foundation for everything we do

March 24th, 2006

Sarbanes-Oxley is bringing blossoming business opportunities not only to the Big 4 accounting firms but also to a lot of software vendors. Among the technologies and products involved in SOX compliance programs, identity management is the focal point that many giant vendors fight for: Microsoft, IBM, CA, BMC, HP, Oracle, Novell, Sun and … I am very happy to see the following diagram:

GM Director of software

where John Jackson from GM said "Identity is the foundation for everything we do".

"Ten years ago, the prevailing assumption was that if you were on the GM network, then you were a GM employee," says Jackson, who is on the board of the Liberty Alliance, a consortium developing protocols for sharing identities.

"Today, we have dealers and suppliers [on the network] that are not a part of GM. Add the fact that we are completely outsourced, and it becomes critical to track who you are and what rights you have so we can make sure that people only get to the information they are allowed to get to. Identity is the foundation for everything we do," he adds.

So important is this that GM has a 12-person identity group within the security team. The group continues to consolidate internal directories while expanding its identity federation deployment and building out virtual directories and SSO capabilities.

Users and analysts agree that identity is seeping into corporate infrastructure.

"In five years, what we talk about today as identity and access management will just be another part of the infrastructure, and it won't be sold separately. It will be part of your security foundation," says Sally Hudson, a security research manager at IDC.

Categories: -English-, Security

Good To Great – Hedgehog Concept by Jim Collins

March 23rd, 2006

A Hedgehog Concept is a simple, crystalline concept that flows from deep understanding about the intersection of the following three circles:

  1. What you can be the best in the world at (and, equally important, what you cannot be the best in the world at)?
    This discerning standard goes far beyond core competence.  Just because you possess a core competence doesn’t necessarily mean you can be the best in the world at it.  Conversely, what you can be the best at might not even be something in which you are currently engaged.
  2. What drives your economic engine?
    All the good-to-great companies attained piercing insight into how to most effectively generate sustained and robust cash flow and profitability.  In particular, they discovered the single denominator – profit per x – that had the greatest impact on the economics.  (It would be cash flow per x in the social sector.)
  3. What you are deeply passionate about?
    The good-to-great companies focused on those activities that ignited their passion.  The idea here is not to stimulate passion but to discover what makes you passionate.

Despite its vital importance (or, rather because of its vital importance), it would be a terrible mistake to thoughtlessly attempt to jump right to a Hedgehog Concept.  You can’t just go off-site for two days, pull out a bunch of flip charts, do breakout discussions, and come up with a deep understanding.  Well, you can do that, but you probably won’t get it right.  It would be like Einstein saying, “I think it’s time to become a great scientist, so I’m going to go off to the Four Seasons this weekend, pull out the flip charts, and unlock the secrets of the universe.”  Insight just doesn’t happen that way.  It took Einstein ten years of groping through the fog to get the theory of special relativity, and he was a bright guy.

It took about four years on average for the good-to-great companies to clarify their Hedgehog Concepts.  Like scientific insight, a Hedgehog Concept simplifies a complex world and makes decisions much easier.  But while it has crystalline clarity and elegant simplicity once you have it, getting the concept can be devilishly difficult and takes time.  Recognize that getting a Hedgehog Concept is an inherently iterative process, not an event.

The essence of the process is to get the right people engaged in vigorous dialogue and debate, infused with the brutal facts and guided by questions formed by the three circles.  Do we really understand what we can be the best in the world at, as distinct from what we can just be successful at?  Do we really understand the drivers in our economic engine, including our economic denominator?  Do we really understand what best ignites our passion?

- Extracted from Good To Great by Jim Collins

Categories: Security

VoIP in China

March 22nd, 2006

There was a report on "VoIP in China" at TMCnet.com, and The Register retold it yesterday. VoIP technology is a revolution brought by the prevalence of IP. It lowers the operating costs of both carriers and consumers. See my previous post on "Skype blocked in China", where I expressed my points on the way forward in China for Skype and other web phones.

In fact, the revenue growth of the two fixed-line operators (China Telecom and China Netcom) depends on their broadband internet access and some value-added services. But the growth of these two kinds of services cannot fill the revenue hole left by the decline in voice revenue, especially when the leading mobile operator, China Mobile, claimed a few days ago that it would lower its roaming and inbound call prices by far. That's a hard time for CTG and CNC, hurt by "replacement consumption". The contribution of their PHS products is just to collect money by burning more money.

In 2007, the main four operators will get their own 3G licenses, and the consolidation and upgrade of their BSS/OSS systems will reach a milestone in supporting more multi-play products. It's a critical point for CTG and CNC, who have huge-scale local communication networks. Theoretically they will have a fair base for competition.

Currently there is a drastic argument at engadget.com, arising from a post on "China gives VoIP two year sentence". I agree with and appreciate the comments from Terence, LG and others. China has never banned Skype, and has never claimed Skype is illegal. People can use Skype just as in other parts of the world. China just doesn't want to grant a license that permits INTERCONNECTION with the PSTN. It's the right of a government to decide when and how to grant such licenses; it has nothing to do with socialism and politics.

Categories: P2P, Telecom

SOC in China

March 17th, 2006

SOC (Security Operations Center) has kept the China security market abuzz since 2003. In fact, I kicked off the first SOC project in Nov. 2002, internally, when I worked for iS-One as the Chief Strategy Officer. After the project initiation, I dug up a lot of web information related to SOC. At that time, SOCs were mainly operated by MSS (Managed Security Service) providers, e.g. ISS had six SOCs globally. I tried to transfer the concept of SOC from MSS to enterprise security operations and was lucky to win the customer's buy-in. At that point we didn't have such a product, or even a Proof of Concept (PoC) platform, at all. We negotiated with eSecurity and made the final decision to build our first SOC upon it.

The first SOC project was finished around June 2003, and thereafter SOC became a warming-up security market opportunity.

Today most of the major players in the China security market claim to have their own SOC platforms and solutions, while many enterprises are starting to plan and build their own SOCs. It should be mentioned that most of these SOC projects do not reach their initial expectations.

While SOC was becoming popular in the enterprise security management area, a few pioneer security companies in China began to try to make their fortune in the MSS market with SOC. 263.com, Unihub, Beijing Capital Information Co. and others tasted this market early, around 2002, but found it difficult to make a profit.

A major security vendor, Topsec, rolled out its SOC to provide MSS services in 2004, built on the SOC product from ArcSight, while MSS is one of the meanings by which another major security vendor, Venustech, interprets its M2S vision.

To be optimistic, SOC has been entering a new stage where it serves both enterprise internal security operations and MSS providers.

Categories: -English-, Security, Telecom

“Common Weakness Enumeration” Added to CVE Web Site

March 16th, 2006

On March 15, 2006, according to official news from mitre.org, a new effort leveraging CVE, entitled the "Common Weakness Enumeration (CWE)", was added to the GET CVE page on the CVE Web site.

CWE is a community-developed formal list of common software weaknesses, idiosyncrasies, faults, and flaws. The intention of CWE is to serve as a common language for describing software security vulnerabilities, a standard measuring stick for software security tools targeting these vulnerabilities, and as a baseline standard for vulnerability identification, mitigation, and prevention efforts. Leveraging the diverse thinking on this topic from academia, the commercial sector, and government, CWE unites the most valuable breadth and depth of content and structure to serve as a unified standard. Our objective is to help shape and mature the code security assessment industry and also dramatically accelerate the use and utility of software assurance capabilities for organizations in reviewing the software systems they acquire or develop.

Based in part on the CVE List’s 15,000 plus CVE names—but also including detail and scope from a diverse set of other industry and academic sources and examples including the McGraw/Fortify “Kingdoms” taxonomy; Howard, LeBlanc & Viega’s 19 Deadly Sins; and Secure Software’s CLASP project; among others—CWE’s definitions and descriptions support the finding of common types of software security flaws in code prior to fielding. This means both users and developers now have a mechanism for ensuring that the software products they acquire and develop are free of known types of security flaws by describing their code and assessment capabilities in terms of their coverage of the different CWEs.

The new section includes the CWE List, offered in a detailed Taxonomy view and a high-level Dictionary view; an About section describing the overall CWE effort and process in more detail; a Compatibility page; a Community Participation page; and list of Sources.

Categories: -English-, Security

SAML declares victory, closes in on a billion IDs

March 16th, 2006

Personally I think there are three trends in the security management area. The first is more regulations, best practices, frameworks, standards and laws, so organizations and enterprises must adapt themselves to comply with those restrictions and suggestions. The second is that security is penetrating deeper and deeper into core processes and business applications. As proof, we can see that security managers are paying more and more attention to data and application security. The third is integration and platforms, i.e. security information should be shared and exchanged between security devices and functions, so that an architecture similar to SOA and middleware will be introduced into security technologies.

So a war for the backend standard is going on among Microsoft, IBM, Sun, CA, Oracle and other players, or briefly between MS's Passport and SAML. OASIS

As a de facto standard related to the above three trends, SAML has been of interest to me for a long time. It's an important standard for web services and B/S-structured applications, developed and maintained by ID-FF and OASIS. It helps build up an open IAM base on which other security mechanisms and policies will run.

See the following report at techtarget.com by Rich Seeley.

Categories: -English-, Security

Entrepreneurial Proverbs By marc

March 15th, 2006

A friend led me to a wonderful article for those who are thinking of kicking off their own business. It's full of wisdom and thoughts. I strongly recommend you read it thoroughly. See below:

I gave a talk at ETech on Monday called “Entrepreneuring for Geeks.” I’ve given this general talk a few times now — how can the more technically minded among us move into making companies of our own? I really enjoy the talks because I really enjoy entrepreneurs; at least, I enjoy the ones who are really excited about making something fantastic through their efforts. “Do you want to sell sugar water for the rest of your life, or do you want to change the world?” Right.

Categories: Security

Skype Unveiled – Silver Needle in the Skype

March 14th, 2006

At the recent Black Hat Europe, Philippe Biondi and Fabrice Desclaux published their latest investigation on Skype, titled “Silver Needle in the Skype”. Previously a test by Network World studied the cryptographic algorithms underneath Skype and drew the conclusion that Skype is secure enough for end users. Another whitepaper, by Tom Berson, expressed a similar viewpoint. But, with heavy reverse engineering of Skype, Philippe and Fabrice investigated deeply how Skype operates and exchanges information. The following is their conclusion:

Good points
      Skype was made by clever people
      Good use of cryptography
Bad points
      Hard to enforce a security policy with Skype
      Jams traffic, can’t be distinguished from data exfiltration
      Incompatible with traffic monitoring, IDS
      Impossible to protect from attacks (which would be obfuscated)
      Total blackbox. Lack of transparency.
      No way to know if there is/will be a backdoor
      Fully trusts anyone who speaks Skype.

I mostly agree with the authors, based on my Top Ten Concerns on Skype Security. :)

Categories: P2P, Security, Telecom

OSVDB’s fight for VM against Mitre

March 13th, 2006

What is the status of the current vulnerability management market? This common question leads to drastic argument. Is CVE enough? Do you agree that MITRE helps you master vulnerability management? See the comment at http://archives.neohapsis.com/archives/dailydave/2006-q1/0152.html, which is from OSVDB (Open Source Vulnerability Database):

Vulnerability research is straight forward. There isn't a lot of black magic and secret arts when it comes to finding vulnerabilities. For the most part, 99% of vulnerabilities are very well documented (even if the 'researcher' doesn't document it), easy to understand by others in the field, and leave little to imagination. It has been years since we've seen a truly new class of vulnerability surface. If I post details of an overflow of *any kind* to this list, there are a hundred folks that can digest what I post in seconds, then go to town on me for not going into details, not looking at VectorX, FunctionY or Z.c =)

The other side of vulnerability disclosure is the human element. The sociology and mindset behind what we do, and why we do it. This is the angle that has interested me for years, and the type of book I will grab before any 'technical' (generous term usually) security/hacking book. Not only are there dozens of questions that can be asked of the researcher about his mindset and ethical views, there are countless other people involved in the process. Does the researcher have partners? Is he an employee of a security company? What vendor is he dealing with? Which vendor is it? How many people is he dealing with on the vendor side?

Categories: -English-, Security

Which type of VA/SVM do you want?

March 6th, 2006

Security Vulnerability Management (SVM) became one of the main security product categories in 2005, although scanners have in fact been used to map open ports and vulnerabilities for a long time; for example, ISS Scanner from ISS, NetRecon from Axent (acquired by Symantec in 2001), and CyberCop from NAI (currently McAfee) are the old three. After a few years of evolution, security scanners have developed into a series of SVM or vulnerability assessment products. Referring to the article at SC Magazine, there are three types of VA tools:

There are three types of VA tools. First are scanners, which give little beyond listing vulnerabilities, their relative importance and suggested remedies. These are very useful, because they can be used easily, mostly automatically, and offer a good ongoing quality assessment. The downside is their limited functionality compared to other tools we tested. These tools, however, such as Nessus/NeWT and Saint are very good value and have a definite place in your testing arsenal.

The second type of tool is the full-featured appliance, which not only performs vulnerability scans, but correlates results to regulatory compliance, patch management and a host of other reporting functions. These can be pricey, but are the right answer for many organizations – if nothing else, they address the critical issue of compliance. We were extremely impressed with these appliances.

Finally, we have the (currently unique) tool that does just what experienced pentesters do: scan and follow up with penetration attempts. This tool, Core Impact, behaves exactly as one would expect a hacker to behave. It scans for vulnerabilities and then attempts to penetrate. Saint Corporation will soon introduce a competing product.

To help decide which of these three types of tools you need, look at expected outcomes and testing methodology. Organizations with significant risks in core areas – such as banks with online banking systems – need to pull out all the big guns to ensure that they are safe and in compliance. For these organizations, a combination of a tool that maps scan results against compliance issues and outputs a clear report, and a tool that attempts penetration makes sense.

For smaller organizations with limited tester and financial resources, a scanner might be enough.

Organizations that want to simplify patch management should look at products that offer patch management tied directly to the scan results.

All in all, vulnerability assessment and its reports are not what security administrators ultimately want. What they want is to secure their information assets. So a built-in asset-based security risk model and integrated patch management are always welcomed by security administrators.

Categories: -English-, Security

McAfee Still Leads Symantec In Worldwide ISP Security ?

March 2nd, 2006

An interesting news item at Forbes.com said that McAfee still leads Symantec in worldwide ISP security. That's by far different in China, where, IMHO, Trend Micro and Symantec lead the anti-virus market in ISP security, while Symantec is competing against CA in other ISP security products.

Piper Jaffray senior research analyst Gene Munster said McAfee maintains the lead over Symantec in internet service provider security relationships.

In the U.S., McAfee’s ISP relationships cover about 33.7 million subscribers, while Symantec’s cover about 8.5 million subscribers, according to the analyst. In Europe, McAfee’s relationships cover approximately 0.6 million subscribers, while Symantec (nasdaq: SYMC) covers about 15 million subscribers.

“The trend of more ISPs offering free anti-virus, anti-spyware, and pop-up blocker software to customers has seemingly stabilized,” the analyst said in a report Tuesday.

All 16 ISPs that the analyst checked offer anti-virus or anti-spyware software or both. Recently, EarthLink (nasdaq: ELNK) began offering free Symantec antivirus protection when it terminated its $3.95 fee.

Additionally, AT&T (nyse: T) displaced Zone Labs with Webroot for anti-spyware protection and currently has no antivirus provision, according to Munster.

The research analyst maintained ratings of “outperform” on both McAfee (nyse: MFE) and Symantec.

Categories: -English-, Security