Emergent Bits of Security
(Updated shortly after posting with Eric Rescorla’s evidence presentation.)
- Nick Owen has a post about Net Present Value and Annual Average Loss Expectancy. If you think security is all about vulns and 0day, you probably don’t need to read this post, and your boss is going to keep rejecting your spending proposals.
- Carrie Kirby argues in the San Francisco Chronicle that “Security breaches not on rise:”
Yet consumer-privacy watchdogs say that contrary to appearances, there has probably not been an increase in security breaches.
Instead, there has been more disclosure, precipitated by the same California law that forced ChoicePoint to come clean, they said. The law requires data-holding organizations — from universities to banks to data aggregators like ChoicePoint — to notify Californians if anyone gains unauthorized access to unencrypted data, such as driver’s license, Social Security and account numbers.
- This Is London reports on the British Military network being brought to its knees…by people emailing a video.
So many officers downloaded the four-minute 52 megabyte file that the system – designed to withstand attacks by hackers, came to a halt under the strain. Computer screens controlling British air defences and warplanes around the world are reported to have gone blank for five hours.
- Another jet was diverted to Bangor because of the name of a passenger. At ScaredMonkeys, Red asks, “Why can’t this be done when the plane is on the ground?” It’s a great question; my guess is that there are multiple lists, and they’re not properly synchronized. (Actually, we know that to be true, given the troubles that Johnnie Thomas and Don Young have had getting off the list. We don’t know if that’s causing these diversions.)
- Eric Rescorla has posted slides (pdf) about “What can the evidence tell us about information security?” from the Information Security Decision Conference.
- Finally, Caffinated Security brings us “Security Carnival #1.” Carnivals are regular/semi-regular roundups of posts in a theme. I’m glad to see there’s one for security, and hope it takes an open-tent approach.