Thu, 4 Jun 2009

Open Patch Management Survey

Rich Mogull (whose stuff I really quite dig) has launched an 'Open Patch Management Survey' via the SecurityMetrics blog. It's an interesting idea, and they plan to release both their analysis *and* the raw data, which might be really insightful for our VMS stuff.

Corporations can take the SurveyMonkey survey at, and there's some nice material already available at

Here's the rest of Rich's message (please forgive the cross-post):

Our goal here is to gain an understanding of what people are really doing with regards to patch management, to better align the metrics model with real practices. We're doing something different with this survey. All the results will be made public. We don't mean the summary results, but the raw data (minus any private or identifiable information that could reveal the source person or organization). Once we hit 100 responses we will release the data in spreadsheet formats. Then, either every week or for every 100 additional responses, we will release updated data. We don't plan on closing this for quite some time, but as with most surveys we expect an initial rush of responses and want to get the data out there quickly. As with all our material, the results will be licensed under Creative Commons.

We will, of course, provide our own analysis, but we think it's important for everyone to be able to evaluate the results for themselves. All questions are optional, but the more you complete the more accurate the results will be. In two spots we ask if you are open for a direct interview, which we will start scheduling right away. Please spread the word far and wide, since the more responses we collect, the more useful the results.

If you fill out the survey as a result of reading this email please use SECURITYMETRICS as the registration code (helps us figure out what channels are working best). This won't affect the results, but we think it might be interesting to track how people found the survey, and which social media channels are more effective.


Mon, 16 Jul 2007

Adam Shostack on Biometrics..

Hmmm... I have heard this somewhere before...

" However, in cases where your finger is used to identify or authenticate you, it's much harder to change your password. "


Thu, 31 May 2007

Do you group your passwords?

This has probably been pondered before, but something occurred to me while entering my new home. The guard house grants access based on your fingerprint, and the system works pretty sweetly.

Now, because I have about a zillion accounts, I kind of group my passwords. Since I know services admins on most IRC networks can read your password, I use XXX for low-level access (this might include try-once trial software logins).

For slightly more reliable software logins (the VMware page / MS partner page) I will use YYY. I think most people do this.

What's interesting is that biometric readers deny us this luxury. So, while my complex thinks it's cute, they take my reading and store it on their Win95 machine (clearly I exaggerate), but if Internet banking ever goes biometric (which it often threatens to do) I've just given away my login. Can you tell someone "No, I don't want to auth using biometrics, because it's the only finger I've got!"? I think maybe we should.