The idea buffet at RandyKolb.com » 2007 » November
With the latest trends in security vulnerabilities moving from old-school threats (e.g., email payloads) to more recent trends (phishing scams and XSS vulnerabilities), it seems we need to revise the notion of browser security “state”. Specifically, I’ve been thinking this should be tied to non-proprietary databases leveraging social network capabilities. Basically, a certain level of global security approval.
I realize there are risks that need to be mitigated in this—lots of work to be done here—but I’m hoping it will be birthed from a consortium and not one security company.
The result: one way to implement this would be a security toolbar. Of course, displaying this would be optional. This would show the relative sense of security realized from the global community. Somewhat akin to what you find in the Security Task Manager tool from Neuber GmbH, if you’ve ever used that. Essentially, STM users collectively vote on the perceived security level behind Windows processes and drivers. In this case, however, all vote on websites. A tangent to that would be setting acceptable security levels. You might only want to visit sites ranking higher than “6.4”, for example.
Secure Computing Corporation has an implementation of this model. Their “TrustedSource” (which bugs me that they used a “.org” extension when they’re every bit a for-profit entity) is what they call a “global threat correlation engine”. It’s basically an aggregated white list for global sites. Making the list is proprietary to Secure Computing’s interests; this is where I believe a non-partisan social net endorsement would be a better solution. That data needs to be protected, naturally, from external threat. It also needs to be outside the hands of any one entity to be of real value to all.
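To make the voting model concrete, here is an added illustration of how a toolbar back end might turn community votes into a per-site score and apply a user-chosen minimum such as “6.4”. This is example code written for this page; it is not code from the post, from Neuber’s Security Task Manager, or from Secure Computing’s TrustedSource. The 0-to-10 scale, the one-vote-per-voter rule, the median aggregation, the minimum vote count and the sample votes are all assumptions made for the example.

```python
"""Community site-reputation scoring with a per-user minimum threshold.

Added example; not code from the post or from any product named in it.
The vote records, the 0..10 scale, the median rule and MIN_VOTES are
assumptions chosen for this illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed sample votes: (site, voter_id, score on a 0..10 scale).
VOTES = [
    ("example-bank.test", "u1", 9.0),
    ("example-bank.test", "u2", 8.5),
    ("example-bank.test", "u3", 9.5),
    ("example-bank.test", "u3", 2.0),    # same voter again: only the latest vote counts
    ("sketchy-deals.test", "u1", 2.0),
    ("sketchy-deals.test", "u4", 1.5),
    ("sketchy-deals.test", "u5", 10.0),  # lone outlier trying to pull the score up
    ("sketchy-deals.test", "u6", 2.5),
    ("sketchy-deals.test", "u7", 1.0),
    ("new-site.test", "u2", 7.0),
]

MIN_VOTES = 3  # below this the community has no usable opinion yet (assumed)


def aggregate(votes, min_votes=MIN_VOTES):
    """Return {site: score}, counting one vote per voter and taking the median.

    The median is used instead of the mean so that a handful of stuffed or
    outlier votes cannot drag a score far in either direction. Sites with
    fewer than min_votes distinct voters get None rather than a score.
    """
    latest = {}
    for site, voter, score in votes:
        if not 0.0 <= score <= 10.0:
            raise ValueError(f"score out of range: {score}")
        latest[(site, voter)] = score  # later vote from the same voter overrides
    per_site = defaultdict(list)
    for (site, _voter), score in latest.items():
        per_site[site].append(score)
    return {
        site: (median(scores) if len(scores) >= min_votes else None)
        for site, scores in per_site.items()
    }


def allowed(site, scores, threshold):
    """Toolbar decision: visit only if the community score meets the user's bar.

    Unknown or under-voted sites are refused rather than assumed safe.
    """
    score = scores.get(site)
    return score is not None and score >= threshold


if __name__ == "__main__":
    scores = aggregate(VOTES)
    for site in sorted(scores):
        verdict = "allowed" if allowed(site, scores, 6.4) else "blocked"
        print(f"{site}: {scores[site]} -> {verdict}")
```

With the sample votes, the bank site scores 8.5 (the repeat voter’s low second vote replaces the first but cannot outweigh the others), the deals site scores 2.0 despite the single 10.0 vote, and the site with one vote gets no score and is blocked at any threshold. Voter identity and vote transport would still need protecting, as the post notes.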
Don’t know if you’ve read the Microsoft announcement this week about Windows Server 2008. The news came out from Teched in Spain and, distilled down, there will be eight different versions available. Compare that with the three currently available (Standard, Enterprise, and Datacenter) and it doesn’t sound so bad. On the surface anyway.
Can anyone guess at how many SKUs there will be? Let me make it easier. Can anyone guess how many SKUs there are today with only three versions? Answer: I don’t know. At least that will be the average answer, I’d venture, even from MSFT employees. Even going off Microsoft.com pages, you’ll get at least 12 versions for Server 2003, although not all can actually be purchased from MSFT. Where it gets more challenging is in the details. How many CALs do you need? Got virtual? Are you clustered? Oh, do you need an External Connector with that?
So, in reality, how many SKUs will there be with the advent of Hyper-V, MSFT’s latest virtualization technology? This is where I begin thinking, “Man, this is ripe for online selection/configuration!” This is partly spurred on by the seeming difficulty in getting quick, qualified sales support from Redmond (actually, this is true of most large vendors, not just MSFT). Now, I’ve had the pleasure of working with their team in the Twin Cities, and they’ve been great, but there have been other times in other places where this has been a struggle.
This fits a classic scenario where selection/configuration pays off big: product complexity and limited sales resources. I want to go in with my project’s full requirements, and pull out some relatively precise budget planning numbers. I don’t have time for a full quote at this point. Well, they’ve got one, two, actually. I have to admit, I was surprised. Unfortunately, they only work for virtualization environments.
Isn’t the whole process a little too complicated to be left to the under-initiated? If only MSFT could work with Tacton, or one of the other leaders in online sales configuration, they could make life so much simpler and easy to understand for their customers. Now, if they could only make it cheaper. Until both happen, LAMP continues to look better and better to a lot of people looking for a way out of the forest.
Let me preface this: You may already be aware of some or all of these security threats but I found the following presentation as a whole both fascinating and alarming. This afternoon Ziff Davis and MessageLabs presented “Today’s Internet Security Landscape: A Closer Look at Evolving Threats”. It’s now available streamed and if you’re at all concerned about email security it’s an hour worth your time.
Did you ever wonder why you get those crazy emails about hot stock tips for some thoroughly obscure ticker symbol? Mark Sunner, Chief Security Analyst at MessageLabs, who gave the presentation, clears that up, explaining why it’s tied to identity theft and money laundering.
Man, I wish I didn’t have to say this but the architectural caliber of the latest malware is near brilliance; they’ve really got grid computing down. The presentation also gives some context as to how these tools of crime are funded, which is also enlightening. From StormWorm and SpamThrough to Russian and Ukrainian boutique spam bots (yes, they’ll craft custom “professional-grade” malware, configured to your specs, for a price) to social engineering preying on the onslaught of social networks, this was alarming. Don’t think I’ve lost this much color during a presentation since hearing about the true value of USD’s since departing from the gold standard.
That last point, the one about social networks, really bears clarification. We all place so much personal info on sites such as MySpace and LinkedIn, it shouldn’t come as an entire surprise that targeted attacks are starting to arise from that info. Specifically, elements of crime getting at “C”-level officers of organizations, or perhaps using that info as they craft new spam attacks. If you saw a message in your inbox that was from your CEO or CTO, and the message header seemed to mimic with near perfect accuracy the name and type of message you’d expect, and then, if within the body it said something like, “click here for project details”, wouldn’t you be inclined to open the message? How about if it was from someone in the upper echelons of your support organization stating “install this upgrade asap”?
That “near” perfection is achievable through data mined from social networking sites. Makes me wonder if I’m overreacting. But it also makes me wonder what sites like LinkedIn will do to protect their users, their sites’ integrity, and their overall business model.
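The executive-impersonation scenario above is something a mail gateway can check for on the receiving side. The following is an added, defender-side example written for this page, not code from the post or from MessageLabs. It assumes a company domain of example.test, a small directory mapping executive display names to their real addresses, and a few constructed messages, two of them patterned on the “project details” and “install this upgrade” lures described above.

```python
"""Flag inbound mail whose display name impersonates a known executive.

Added example for this page; not code from the post or from MessageLabs.
COMPANY_DOMAIN, the EXECUTIVES directory and the SAMPLES messages are all
constructed for the illustration.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

COMPANY_DOMAIN = "example.test"  # assumed internal domain

# Assumed directory: normalized display name -> the executive's real address.
EXECUTIVES = {
    "jane doe": "jane.doe@example.test",
    "sam lee": "sam.lee@example.test",
}

# Constructed sample messages keyed by a label used in the usage example.
SAMPLES = {
    "spoofed_external": (
        "From: Jane Doe <jane.doe@examp1e-mail.test>\n"
        "To: staff@example.test\n"
        "Subject: project details\n\n"
        "click here for project details\n"
    ),
    "legitimate": (
        "From: Jane Doe <jane.doe@example.test>\n"
        "To: staff@example.test\n"
        "Subject: project details\n\n"
        "See the attached plan.\n"
    ),
    "reply_to_diverted": (
        "From: Sam Lee <sam.lee@example.test>\n"
        "Reply-To: sam.lee@webmail-example.test\n"
        "Subject: install this upgrade asap\n\n"
        "Please install the attached upgrade today.\n"
    ),
    "unrelated_vendor": (
        "From: Pat Vendor <pat@vendor.test>\n"
        "Subject: invoice\n\n"
        "Invoice attached.\n"
    ),
}


def _normalize(name):
    """Lower-case and collapse whitespace so 'Jane  Doe' matches 'jane doe'."""
    return " ".join(name.lower().split())


def _domain(addr):
    """Domain part of an address, lower-cased; empty string if malformed."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw):
    """Return a list of findings for one RFC 822 message; empty means no finding.

    Two checks: (1) the From display name matches a directory executive but
    the address is not that executive's real address; (2) a Reply-To header
    would divert replies to a different domain than the From address.
    """
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []

    real = EXECUTIVES.get(_normalize(name))
    if real and addr.lower() != real:
        kind = "external" if _domain(addr) != COMPANY_DOMAIN else "lookalike internal"
        findings.append(
            f"display name '{name}' matches an executive but sender is {kind} address {addr}"
        )

    for _, reply in getaddresses(msg.get_all("Reply-To", [])):
        if _domain(reply) != _domain(addr):
            findings.append(
                f"Reply-To domain {_domain(reply)} differs from From domain {_domain(addr)}"
            )
    return findings


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", check_message(raw) or "no findings")
```

Of the constructed samples, the external lookalike address and the diverted Reply-To each produce one finding, while the genuine executive mail and the unrelated vendor produce none. Display-name matching only catches the variant where the address is wrong; a message whose From address is forged outright is what SPF, DKIM and DMARC checks at the gateway are for, and the two belong together.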