How about "Align with the business?"

I normally have a lot of respect for CIO Magazine. Their journalists cover the topics that matter to CIOs, they remain focused on how to make the technology support the business, etc. That’s why I was surprised to see this CIO’s Guide To Safe Computing, which starts:

Ellyn believes that companies should strive for a holistic approach to achieving security. The top 15 strategies for computing responsibly are highlighted in the report and are practices IT departments of any size should implement if they haven’t already done so.

1. Establish strong identity management for network access, ideally including passwords, smart cards and biometrics.

2. Strictly control password management and administration; avoid outsourcing this at all costs.

Not until #14 do we get to policies, and even there, it's not about the business.

Number 13 starts out well: “Inspect the software development practices of vendors to determine …” their ability to control backdoors? How about their ability to control the use of gets()?

To be fair, I haven’t read the report; it may contain language about business alignment that is hard to summarize into a bullet list.

0wned in 60 seconds

0:56 – A student system in Founders scanned victim on TCP port 445 (file sharing). Victim responded. Student system immediately closed connection and opened a new connection on victim port 445. Following LAN Manager protocol negotiation and MS/DCE RPC Bind, student system attacked victim with buffer overflow to exploit Microsoft LSASS vulnerability.

Less than 60 seconds from DHCP to buffer overflow. Read about it here.

"What's The Cybersecurity Czar's Job?"

But while we consider whether the position should be upgraded, we should also ask what the cybersecurity czar should be doing in the first place.

says Ed Felten, and he’s right. He suggests two main jobs: Securing the fed’s infrastructures (and in doing so, pulling for more secure product), and imposing liability rules. Ed correctly argues that neither of these require a “Czar.”

There’s a third role, which I think the government might be able to play well, and that is helping us collect information. Today, being broken into is seen as an embarrassing failure. In many ways, it is. But, given the number of cases the cops are dealing with, it’s also very common. Much more common than you’d think. The federal government, either the FBI or DHS, ought to be collecting crime statistics. They ought to be studying crime, and publishing analysis. The reporting of crime ought to be made mandatory, especially if there’s a financial impact. The analysis they do ought to pinpoint the common factors which do or don’t exist. (What the industry, without a trace of irony, calls “best practices.”)

This doesn’t require a “czar,” either, but it’s important, and it’s a role that only a government or insurer can effectively play.

Cherishing the Customer, Redmond Style

My 12-year-old at home doesn’t want to hear that he can’t put all the music that he wants in all of the places that he would like …

says Steve Ballmer. It’s good to see Microsoft, like the health care industry, catering to people other than end-users. If they were as smart collectively as they are individually, they’d build ways to let their kids put all the music they want where they want it. Doing so sells more music.

Cool Mac Utility

That said: my home directory is now encrypted which should make any further hardware maintenance a doddle (no more erase/flood before mailing) and I’ve blown-away the old UFS partition which although useful was tying up a few too many Gb. Alas the rebuild doesn’t seem to have fixed the lack-of-sleep-on-lid-closure problem. One more for Applecare.

(From Crypticide)

Reminds me that I’ve been meaning to mention Sleepwatcher, a tiny GPL daemon that allows you to script actions on sleep and wakeup.

For example, I have this in a ~/.sleep file:

#!/bin/sh
/System/Library/CoreServices/Menu Extras/

That invokes the fast user switching login screen, so when my mac goes to sleep (I close the case), I need to log in, but when I walk away, I don’t have to. Fits my security model pretty well.

PS: Doddle?
PS2: Note the passwords-stored-in-swap issue Matt Johnston discovered in June, and I complained about in August, which, as far as I know, remains unfixed. (And sorry to Matt for misspelling his name in my complaint.)

Why Is Private Health Insurance Such A Disaster?

Why cannot markets allocate this function to the least cost decider? Why does the usual solution — intermediation — appear to be working so badly?

Asks Tyler Cowen over at Marginal Revolution. I believe that a large part of the problem comes from a side effect of the employer subsidy. Because health insurers are selling to the employers, because their customers are the large employers, they are not motivated to keep happy the folks getting medical treatment. (Who may not even be employees, but their employees’ families.)

To use an analogy, what if your employer selected your phone plans? (Oh, wait, they often do, and cell phone customer service reflects that.) What if your employer chose what kind of car you drove?

More on Amit Yoran

The House will propose moving cybersecurity offices from the Department of Homeland Security to the White House as part of the intelligence reorganization, according to draft legislation obtained Wednesday by The Associated Press. The bill, expected to be introduced Thursday, would place cybersecurity into the White House budget office.

The new proposal would create a new Office of Critical Infrastructure Information Protection at the Office of Management and Budget. Its new administrator would be responsible for analyzing electronic threats from hackers and terrorists against vital networks, issuing warnings about attacks, reducing weaknesses and coordinating with private companies and organizations.

“We weren’t consulted,” said Harris Miller, head of the Information Technology Association of America, the industry’s leading trade group in Washington. “It’s not saying it’s a bad idea, but it’s out of the blue.” (All emphasis is mine.)

My read of this is that as a non-career bureaucrat, it was easy to backstab Mr. Yoran as part of other power struggles. There’s also a game theory tie here, which is that the “shadow of the future” is what ensures cooperation. Without that shadow to protect him, and without being high in the food chain, he ran into trouble.

(Quotes from a Ted Bridis AP story, relayed by John Cole, posting to Dave Farber‘s Interesting-People list.)