
Fri, 29 Jan 2010

Is the writing on the wall for general purpose computing ?

The Apple iPad announcement set the interwebs alight, and there is no shortage of people blogging or tweeting about how it will or won't change their lives. I'm going to ignore those topics almost completely to make one of those predictions that serve mainly to let people laugh at me later for being so totally wrong..

Here's my vision.. It's not just the hipsters and college kids who get iPads, it's the execs and CEOs. They are happy for a short while using it just as an e-reader, movie watcher and couch-based web browser, but the app store keeps growing to support the new form factor. Apps like iWork for iPad (at only $10) mean that sooner or later they are relatively comfortable spreadsheeting or document pushing on their iPad.. It doesn't take too long for them to realize that they don't have much heavier computing requirements anyway, and besides.. the instant-on experience is what they always wanted..

Now, despite the fact that it didn't take people like taviso or Charlie Miller long to exploit the iPhone, the device's security model does present a security benefit over the traditional end-user computing model. Sandboxed applications, signed-code restrictions and a rudimentary app store check mean that the device has not been hammered with malware or exploited en masse. Now the CEO hears the CFO complaining about his latest desktop virus episode, or patch-day drama. "If only your desktop could work like my tablet..". Apple currently runs OS X on the desktop, iPhone OS on the iPad, and iPhone OS on the Touch/iPhones. Why not a version of iPhone OS that runs on its desktops?

You get the App Store and access to all the apps across all your devices.. and it's pretty, and it just works..

At this point I have to misquote Martin Niemöller: First they came for the mp3 players, and I did not speak out - because I never really had one before anyway. Then they came for the cell phones, and I did not speak out - because it was really cool. Then they came for the tablets, and I did not speak out - because it was just a tablet. Then they came for our desktops - and it made perfect sense...

Security practitioners have long lamented the fact that we seem to be losing the war. Too much runs on our machines, the surface area is too large to defend, and bad code is being written and deployed faster than we can test it.. Moving iPhone OS to the desktop allows a contained, controlled computing platform that has the potential to be pushed through the organization from the top down. I think this is an important difference. Techies and geeks can debate the pros and cons of wireless for ages, but it just takes one member of exco to need it and wireless deployments will happen. CEOs and execs with iPads will push cloud and tablet computing at a quick pace too. Despite the relatively tame initial response to the iPad, the stars seem well aligned for this to be an inflection point that leaves us with fewer computers and more consumer electronic devices.

Of course all this comes at a cost.. You trade some measure of control and surrender to the will of our Cupertino overlords..

-shrug- or maybe I'm just smoking my socks... :>

/mh

Thu, 31 Dec 2009

Happy New Year! (No predictions.. promise..)

It's the last few hours of 2009 here in South Africa, so I wanted to take the opportunity really quickly to wish the 2 readers of this blog all the best for the new year..

Most security "pundits" are currently doing their 2010 predictions. (Although in truth few of them so far have been particularly surprising or out-there.. "Adobe will be brutalized"? Really? How's that different from '08 or '09?) (One really has to question how the current whipping boy for exploit writers managed to be a key contributor to Gary McGraw's BSIMM model, but I digress.)

I'm going to skip the prognostication this time, and instead will go for a New Year's resolution... From Tim O'Reilly's 2003 advice, to "Buy where I shop" a little more.. I have previously spoken about @timoreilly's awesome and life-changing "Work on stuff that matters" talk, and this piece is kinda similar and scarily prescient considering its publish date.

Happy New Year to *

Sun, 23 Aug 2009

John Viega's "the myths of security".. Really??

I go through a ton of books. Over the past 10 years, this has been dominated by books on computer security, computer science and programming (with some sprinklings of management classics).

I generally stay away from writing reviews, but was genuinely surprised at the number of 5-star reviews Viega's new book had received and felt I had to chime in.

I picked up "The Myths of Security" (What the Computer Security Industry Doesn't Want You to Know) with hope, because O'Reilly books in general are well done and I really liked some of John's previous books. Alas! I tried hard to think of a good thing to say about the book, and the best I can come up with right now is that "at least, it won't take up space on my bookshelf".

The book is tiny (48 chapters, where each chapter is between a paragraph and 2-3 pages), which isn't a bad thing, but it reads mostly as a collection of blog posts or hurriedly written notes-to-self.

Advertising++ The foreword alone uses the word McAfee 14 times, and over the 48 chapters the word McAfee goes on to appear about 65 times. This is acceptable on a blog; in a book I just paid for it's slightly annoying.

Target Audience I agree with Bejtlich, who can't figure out the book's target audience. One chapter might give explanations in crayon (presumably for the less sophisticated user) while the next chapter might give advice on how to label the security technology you plan to sell.

Consistency There are a number of times in the book where the author takes opposite sides of an argument (in different chapters). This is useful if coherently positioned as 2 sides of an argument, but if this is used on different arguments on different pages, it seems more like the author is merely choosing the position that's convenient to support his view at the time...

It's slightly odd when compared with his take on security spend to hear the author say this about the TSA and their "Security Theater": "But there's some hidden value here—it makes people feel safer. Whether it works well or poorly, it is better than nothing and it makes people feel better."

General whining (by me). The author dedicates a chapter to mobile phones titled "OK, Your Mobile Phone Is Insecure; Should You Care?". He concludes with: "Sure, there will always be the occasional virus for smartphones, but I don't see an epidemic emerging. At the end of the day, there is still lower-hanging fruit for the bad guys. It is still far easier for them to make money attacking traditional PCs and laptops than going after mobile phones. That may eventually change, but I'm not going to hold my breath."

I think the view that you only need to be worried about the ability of your device to withstand an attack "epidemic" is wrong on so many levels. I'm far less worried about my iPhone becoming part of a botnet than I am about the fact that these days huge parts of my life are on it, and can be grabbed by Charlie Miller if he is willing to pay the $0.20 to send me a few SMSes.

In his Epilogue, he writes: "But instead of preaching that the customer is hosed, I'm preaching that the security industry is hosed—I don't think customers are hosed at all." which is an interesting contrast to his chapter on PKI that ends with "That leaves the Internet fundamentally broken."..

Of course the lines that most bothered me were in the chapters on Privacy and Anonymity. Privacy gets just under 200 words but includes the classic line: "privacy is nice in theory, but if you don't have anything to hide, what's the big deal?"

Hmm.. OK.. let's see the take on anonymity before responding.

Anonymity gets 166 words (wow - 100 words more than the word McAfee!) and once more ends with the classic: "Oh, and I've got nothing to hide anyway…."

The author cites the example of Zero-Knowledge, who built a paid service to surf anonymously which "worked pretty well, but nobody cared".

Once more, I think there is so much wrong here that I'm not sure where to start. Having to convince someone that privacy is important even if you can't sell it seems like a pretty old argument to be having..

In general, I think it's safe to say that the book left me disappointed, and a little bit afraid that somewhere decision makers could be forming an opinion on an entire industry based on ~250 words dedicated to a topic that deserves much more thought..

/mh

Mon, 4 May 2009

Zappos number 1 priority

Zappos.com is one of those companies people love to write about. They make headlines for their use of new media, and their CEO (Tony Hsieh) is as .com legendary as one gets.. (He sold LinkExchange in 1998 for $265 million, and under him Zappos went from $1.6 million in sales (2000) to $840 million in sales (2007).)

He recently gave a talk at the Web 2.0 conference.

He talks about how they invest in the customer experience, free shipping bouquets, and surprise shipping upgrades to get customers' products delivered before they expect them.. This is all cool, and I'm sure people love them for it, but then he goes on to mention their number 1 priority as a company..

"It's actually not customer service. Our #1 priority as a company is company culture!"

He goes on to say "It's our belief that if we get the culture right, the rest of the stuff like great customer service will happen naturally". The remaining 10 minutes of his talk are on why company culture matters..

I have so much I want to say about this, and why I think building and maintaining the right culture makes or breaks an organization, but I don't think I can beat his simple eloquence. "Our #1 priority as a company is company culture. It's our belief that if we get the culture right, the rest of the stuff .. will happen naturally"

/mh

Thu, 12 Mar 2009

Attack Vector based Risk Management?

An interesting post by Michael Dahn at pcianswers.com discussed (again) the difference between compliance and security. Do you know the joke about the difference between a canary? Apparently, its one leg is the same. Well, according to the post, the difference between compliance and security is... there is no spoon. I'm sounding facetious, but the post is actually not bad.

But actually, there was another part of the post that caught my eye. It's the comments about 'Attack Vector based Risk Management' or 'AVRM'. Not much is said about this except:

This means simply that you cannot economically defend your home until you better understand the evolving threat landscape. For example, if you know that attackers are breaking into cars in your neighborhood and stealing the 8-track players then putting another lock on your front door will not solve the problem. You need to start parking your car in your garage or putting a better surveillance system outside your house. Sure you could build a fortress to keep all your systems inside but that’s not economically feasible (especially these days.)
And later:
Try to imagine a world where there are not QSAs making point-in-time assessments but an internal and ongoing process of review and maintenance. It is only then that you will realise the truth, which is to say that it’s not compliance you dislike but the attackers, and only by understanding their motivations and patterns can you better protect against them.
There's not much more on the topic (anywhere on the net), but it resonates quite a bit with our own thinking about 'Corporate Threat Modeling' (Slides on CTM from CSi NetSec 07). I'd be interested to see more on how this works...

/charl
