Monday, March 19, 2007

Subconscious Search Monopoly Sentiments

And hey, that's from someone who has attended the Microsoft MVP Summit for the N-th time:

"I was invited to attend the Microsoft MVP Summit last week. If you want to know what the Summit is about or what a MS MVP is, Google is your friend."

Microsoft's MVP program is a great corporate citizenship tool: empowering and crediting individuals on a wide scale, rather than benchmarking reputation internally, is an indirect application of the "act as an owner" management tactic -- so implement it. Supporting existing standards -- look up interoperability -- benefits us all, whereas reinventing the wheel with no unique vision beyond ever-increasing (projected) profit margins wouldn't even benefit the company in the long term.

If you truly want to disrupt, disrupt by first (legally) taking advantage of someone else's already developed foundations; the rest is attitude and hard-to-imitate competitive advantages. Good brainstorming questions in Anil's post, though.

Spam Comments Attack on TechCrunch Continuing

In a previous post I commented on O'Reilly.com's war on spam as told by their statistics, and thought you might find the most recent TechCrunch comment spam stats informative as well:

"On January 4 we reported that the Akismet filter had stopped a million spam comments from reaching TechCrunch. At that point we’d been using it for about nine months. The number of blocked spam comments is now two million, just ten weeks later. That works out to about 15,000 spam comments hitting TechCrunch every day. If we did not have Akismet, we couldn’t allow anonymous commenting here on TechCrunch. We used to go through all spam comments to pick out the occasional false positive and accept it. Now, there are just too many to go through. All comments marked by Akismet as spam get deleted almost immediately."

I turned blog comments off quite a while ago and, to be honest, the best comments, recommendations and tips, as well as the people I've met through this blog, came over email and backlinks. Keep 'em coming! Moreover, it's not just the inability of service providers to keep up with the aggressive generation of splogs: malicious parties are already exploiting some of the fancy features that make blogs so flexible for personalization and social networking. Next time Fortinet comes up with another advisory, this time discussing MySpace, consider it a cyclical shift from one provider to another depending on the defenses currently in place -- the usual blackhat SEO pattern.

Personal Data Security Breaches Spreadsheet

Some stats try to emphasize the number of people affected while forgetting the key points I outlined in a previous post on why we cannot measure the real cost of cybercrime, and yes, there are duplicates among the affected people in any of the statistics available. The number of people affected will continue to rise, but that's not what matters; what matters is identifying the weakest link in this process, and for the time being you're a "data hostage" in order to enjoy your modern lifestyle -- ever asked yourself what's going to happen to your digital data after you're gone?

Spreadsheet nerds, here's something worth taking the time to play around with. Most importantly, this huge dataset debunks the common myth of hackers being responsible for the majority of personal data security breaches; as you can see in the figures, on the majority of occasions -- and it's an ongoing trend -- the companies themselves should be in the spotlight:

"On average, in 2005 personal records were compromised at a rate of 5.2 million a month. On average, in 2005 personal records were compromised at a rate of 5.8 million a month. Assuming a similar rate of growth, by November or December this year we should cross the 2.0 billion mark. This is a conservative estimate because many of the news stories we archived were conservative on their own estimates of how many records were lost in particular incidents, and because a small number of incidents are reported without details of how many personal records were compromised.

View figures and tables of this paper as a *.pdf. View pre-publication draft of paper as a *.pdf. View dataset of incidents as a *.xls. View University of Washington Press office news release on this research."

Graphic presenting the risk of identity theft in the U.S. only, based on the severity of data breaches, courtesy of Danny Dougherty.

Complexity and Threats Mind Mapping

The folks at Security-Database.com -- who by the way expressed their excitement over my blog -- have just released an outstanding mind map of the most common Firefox security extensions, grouped by purpose, from information gathering all the way up to data tampering:

"FireCAT is based upon a paper we wrote some weeks before (Turning firefox to an ethical hacking platform) and downloaded more than 25 000 times. We also thank all folks that encouraged us and sent their suggestions and ideas to make this project a reality. This initial release is presented as a mindmap and we are open to all your suggestions to make it a really good framework for all the community of security auditors and ethical hackers. We will make a special page for this framework soon to let you monitor this activity."

Great idea; it reminds me of Ollie Whitehouse's excellent mind map of mobile device threats. Security semantics, presented visually, have the potential to limit the "yet another malware variant in the wild" type of news article, or hopefully help the mainstream media break out of the "echo chamber" and re-publishing myopia and cover the basics.

Anyway, which is the most useful tool you'll ever encounter? It's called experience. Which is the most important threat to keep an eye on? Not knowing what's going on at a particular moment -- a lack of situational awareness.

Wednesday, March 14, 2007

Threats of Using Outsourced Software - Part Two

Continuing the coverage of the U.S. government's overall paranoia about using outsourced software on DoD computers, and even hardware -- firmware infections are still in a spy's arsenal only -- in a recent move by the Defense CIO's office a tiger team has been officially assigned to audit the software and look for potential backdoors:

"The Pentagon is fielding a task force charged with testing software developed overseas, according to a Defense Department official. The “tiger team,” organized within the Defense CIO’s office, is ready to move to the implementation stage, said Kristen Baldwin, deputy director for software engineering and systems assurance in the Office of the Undersecretary of Defense for Acquisition, Technology, and Logistics. Baldwin spoke yesterday at the DHS-DOD Software Assurance Forum in Fairfax, Va. “Tiger team” is a software-industry term for a group that conducts penetration testing to assess software security. “Success means they understand where their focus needs to be and how to prioritize their efforts,” Baldwin said. “They understand the supply-chain impact on systems engineering, and are ready to move forward in an effort to mitigate assurance risk.”"

There's another perspective you should keep in mind. Looking only for backdoors is shortsighted, as the software may ship vulnerabilities-ready, so prioritizing between hunting for vulnerabilities and hunting for actual backdoors will prove tricky. Automated source code auditing may prove valuable as well, but looking at the big picture, if you were to track the vulnerabilities that could act as backdoors in U.S.-coded software -- take Windows, for instance -- against those in foreign software, you'd end up with rather predictable results.

The bottom line: is shipping insecure software a matter of source code vulnerabilities, or should the threat be perceived in terms of backdoor-shipped software? The true ghost in the shell, however, remains the as yet undiscovered vulnerabilities in the software acting as vectors for installing backdoors, not software shipped backdoor-ready. Meanwhile, are stories like these a violation of OPSEC in themselves? I think they are.

Monday, March 12, 2007

Timeline of Iran's Nuclear Program

Iran's a rising star these days. It's not just that the country recently launched its first missile into space despite the international community's efforts to ban its nuclear program, got caught obtaining sensitive military technology, and is currently helping the enemies (Hezbollah) of its enemies (the U.S.), but also that it has Russia enriching its uranium in between legally supplying it with technology and upgrade parts the U.S. has put an embargo on -- business as usual. Here's a very in-depth and informative timeline of Iran's entire nuclear program saga:

"The Bush Administration has almost certainly not approved the timing of military operations against Iran, and consequently any projection of the probable timing of such operations is necessarily speculative. The election of Mahmoud Ahmadi-Nejad as Iran's new president would appear to preclude a negotiated resolution of Iran's nuclear program. The success of strikes against Iran's WMD facilities requires both tactical and strategic surprise, so there will not be the sort of public rhetorical buildup in the weeks preceding hostilities, of the sort that preceded the invasion of Iraq. To the contrary, the Bush Administration will do everything within its power to deceive Iran's leaders into believing that military action is not imminent."

Here's another timeline, this time of U.S-Iran contracts from 1979 until today.