Posted: 05 Sep 2008 11:42 PM CDT
Over the last 5 years or so with the pronounced emergence of inexpensive multi-core COTS compute platforms and the rabid evangelism of virtualization, I have debated many times with folks who continue to suggest that "big iron" -- high performance equipment in the compute, network, security and storage domains -- is now "extinct" and that nobody buys bespoke equipment any more.
Many of them argued "All you need is a COTS PC, package up OS/Applications and voila! Instant appliance! Ready for the edge, ready for the core."
Not surprisingly, many of the networking/security/application delivery companies that these folks worked for ultimately introduced custom-engineered hardware solutions, melding their software with custom hardware and COTS elements to produce a piece of big iron of their own...
About a year ago, I wrote a blog on this topic highlighted by a post titled "All your COTS multicore CPU's with non-optimized security software are belong to us," in which I extrapolated some very interesting points regarding Moore's law and the hubris surrounding the gluttony of compute power offered by higher density chipsets without the corresponding software architecture to take advantage of it.
This is a little tickler to that post.
I come from the land of servicing large enterprises, service providers, municipalities and nation states and not the SME.
While there are certainly exceptions to the "rule," and it's reasonable to suggest that my perspective is skewed, I've always been careful to ensure I framed my discussions this way, so debating/contrasting the architectural slants of an SME with a Fortune 10 doesn't really move the discussion along any.
So, sticking with the large enterprise theme, there are two interesting divergent themes emerging: the centralization of compute and storage with the distributed nature of connectivity and information.
Without muddying the water too much about how these scenarios are not all that mutually exclusive, let's stick with the "centralization" theme for a moment.
The mainstream adoption of virtualization as an enabler brings us full-circle back around to the centralized mainframe model* of compute, networking and storage. Now that reasonably reliable, high-speed and low-latency connectivity is available, centralization of resources makes sense, since people can generally get access to the assets they require and the performance to get from point A to point B is for the most part acceptable (and getting more so).
Once again, the natural consolidation of functionality and platform architecture follows suit -- we're back to using big iron to deliver the balance of cost, resilience, performance and simplified management that goes along with squeezing more from less.
To wit, let's examine some recent virtualization-inspired, big iron plays:
These are just a few examples.
Each of these solutions delivers the benefits of hefty amounts of virtualized service, but what you'll notice is that they do so in massive scale, offering consolidated services in high-density "big iron" configurations for scale, resilience, manageability and performance.
In this period of the technology maturity cycle, we'll see this trend continue until we hit a plateau or an inflection point -- whether it is triggered by throughput, power, heat, latency, density or whatnot. Then we'll start anew and squeeze the balloon once more, perhaps given what I hinted at above with clusters of clouds that define an amorphous hive of virtualized big iron.
But for now, until service levels, reliability, coherence and governance are sorted, I reckon we'll see more big iron flexing its muscle in the data center.
What about you? Are you seeing the return of big iron in your large enterprise? Perhaps it never left?
I for one welcome my new blinking dark overlord...
* There's even a resurgence of the mainframe itself lately. See IBM's z/10 and Unisys' ClearPath for example.
Posted: 05 Sep 2008 10:28 PM CDT
Well, the good news about our economy just keeps right on rolling in. First came word that unemployment rose to a 5-year high today at 6.1% (and for the first time I know security and IT people in that group who are finding it hard to find a job). At the end of the day word came out that the Federal Government will announce a bailout/takeover of the two mortgage giants, Fannie Mae and Freddie Mac. This will result in just about all shareholders of these companies being wiped out and, more importantly, you, me and the rest of US citizens are now guaranteeing and on the hook for all of those trillions of dollars of mortgages out there!
Fred Wilson says that this is the new MO of the fed. Wait until after the markets close on Fridays to announce the really bad news. Ever the optimist, Fred thinks that this could be the beginning of the end for the bad news and may represent the bottom. I say, things will get worse before they get better.
Brad Feld wrote today about cycles in the business world. Certainly the pendulum swings and what goes up, must come down. But Brad says he is 42 and thinks he has seen it all when it comes to cycles. I am 47 and realize that is not true either. Yes, there are cycles but each one is different enough. Yes things will get better some time, but the pain and damage being done is going to take a long, long time to recover from.
Try owning a house in Florida, Michigan or some parts of California. Politicians talk of change, but I am not sure what is fundamentally going to happen that will change our present predicament. The sheer numbers are just scary.
I, along with many others I am sure, will be looking for signs that we are starting to pull out of this mess. But as in cycles past, by the time it is obvious that we are, the smart money will already be betting on the next cycle.
Posted: 05 Sep 2008 04:39 PM CDT
My Xcon 2006 pass
Jumper sent me an e-mail about the upcoming Xcon 2008 Conference that will take place in Beijing from 18-19 October:
More details on the conference here at Security Focus.
For those of you who are unfamiliar with Xcon, I’ll give you a little background. The yearly host of the Xcon conference series is a group going by the name Xfocus. One of their 2007 conference attendees, XYZreg (Zhang Yi), a regular member of their security group, claimed to have broken Kaspersky Anti-Virus Technology. When I went to the conference in 2006, two of the major sponsors were Microsoft and NSfocus. NSfocus was one of the very first hacker sites in China, originally called the Green Army. The organization has a very confusing history.
If anyone is planning on attending the conference, please drop me a line.
Posted: 05 Sep 2008 02:50 PM CDT
After long and arduous work on behalf of the SPSP and many others, and after several private classes of the CPISM, the very first public bootcamp and exam proctoring occurred in Salt Lake City, UT last week. Even a short while later I see people updating their LinkedIn profiles with this designation. There were some stumbling blocks involving printing issues, but I think it went off as a great success.
It was so successful that the SPSP immediately booked another class in Dallas in November for not only the CPISM, but also the new CPISA. People have already been signing up and I expect these classes to sell out as well. In fact David Bergert, author of Payment Systems Blog, has already blogged about his registration.
Every place I go people are asking how they can become a QSA. The problem is, you cannot hold the designation of QSA unless you work for a QSA company, which requires a formal application and attestation to the PCI SSC. And, if you ever leave the QSA company you work for, you lose any right to call yourself a QSA. This is why the SPSP has created the CPISA/CPISM for those “across the table from” the QSA, so you can hold your own in conversations and discussions regarding the payments industry and compliance.
Posted: 05 Sep 2008 02:22 PM CDT
Posted: 05 Sep 2008 01:19 PM CDT
Posted: 05 Sep 2008 09:45 AM CDT
The following information is an official statement from DIRECTI. In an email response from Sandeep Ramchandani, the company’s Strategic Partner Manager, DIRECTI requested its publication to clarify the company's position regarding the KnuJon and HostExploit reports and investigations.
(Editors Note: It is our blog’s policy to accommodate all requests to publish explanatory information related to information security matters, verbatim and without modification, as requested by the author(s) of the material, when that material provides information of interest to our readers and when the submitted material meets our editorial standards.)
So, without further ado, here is DIRECTI's official statement:
Posted: 05 Sep 2008 09:38 AM CDT
Posted: 05 Sep 2008 09:08 AM CDT
This morning customers that use the Sophos products weren’t able to get updates for a short spell. This was thanks to a “whoops” by one of the company’s ISPs.
From The Register:
I can well imagine that people were speculating about the possibility of a DNS attack. But, sometimes the correct answer really is the simplest one.
Posted: 05 Sep 2008 09:06 AM CDT
Of course, in order to nominate you need to join the ACM…
Awards with November 30, 2008 nomination deadlines
Posted: 05 Sep 2008 08:28 AM CDT
Create and Remember Secure Multiple Passwords
I was asked by a co-worker how I keep track of so many passwords for so many accounts, all of which have to change annually. I told her I use a custom formula in my head that allows me to determine what a password is on a given account. I don't have to remember 100 passwords, only the formula.
Passwords are the oldest and most widely used form of authentication, but also the weakest. To get the biggest bang for your buck, you must choose a password that incorporates as many character variations and the longest length possible. That means numbers, letters (both uppercase and lower), punctuation marks, any symbols allowed by the system, and at least 8 characters in length. If you are logging into multiple systems or websites, varying your password is also recommended. If a password is compromised, you don't want the attacker to gain access to every account you own on a single password. Each account a user holds should have its own unique password.
You will want to develop a personal method of managing multiple passwords. That way you will only need to remember the method, not each individual password. To develop your personal technique, open your mind and create something easy to remember but hard to guess.
Create a Multiple Password Formula
This is an example. Design your own using any number of things. Take characteristics of your life that are static and some that are dynamic. Let's create a 10 character password that is different for each system or website, and will be changed every year. We'll need to create a formula that is simple to remember.
A fictitious password for a Fidelity account.
1st and 2nd characters
4th and 5th characters
9th and 10th characters
Now when John Smith logs into Fidelity he types in "fy.NH_0K08" which is much better than him using a birthday "04121972." Instead of just 10 to the 8th power in possibilities, this technique has given him much more security against password crackers due to the incorporation of so many character types.
Once you have a method of your own constructed, it will only be a short time until you have the formula memorized and it becomes just as simple as typing in a birthday. For John Smith all he has to remember is first and last letter of website, period, capitalized reverse initials, underscore, last number of DOB + year, capitalized K (note the ones that are capitalized are initials which is an easy association), and the current year.
You could get as extreme as you want with your own technique. Maybe take the first letter of the site, "F", find its place in the alphabet, "6", and use that to determine which letter in your name to use. John Smith – 6th letter – "m". You see? This could get as difficult as you wish. Just make sure you're not using the same password for each account and that it changes at least yearly.
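The post's claim is that "fy.NH_0K08" gives a password cracker far more to search than the 10 to the 8th power of an 8-digit birthday, because it is longer and draws on every character class. The following Python is an added example (not from the original post) that checks a candidate against the composition rules stated above (8 or more characters; digits, both letter cases, and punctuation/symbols) and estimates the brute-force search space. The estimate assumes every position is drawn uniformly from the union of the classes actually used, which is an upper bound; an attacker who has learned the underlying formula from one exposed password faces a much smaller space, so the comparison measures composition, not the secrecy of the method.

```python
import math
import string

# Character classes named in the post: digits, lowercase, uppercase, and
# punctuation/symbols. string.punctuation holds the 32 printable ASCII symbols.
CLASSES = {
    "digit": set(string.digits),
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "symbol": set(string.punctuation),
}


def classes_used(password):
    """Return the set of class names that appear at least once in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def meets_policy(password, min_length=8):
    """True when the password is at least min_length long and uses all four classes."""
    return len(password) >= min_length and classes_used(password) == set(CLASSES)


def search_space(password):
    """Brute-force space under a uniform model: (size of the classes used) ** length.

    A digits-only 8-character password yields 10 ** 8; a 10-character password
    using all four classes yields (10 + 26 + 26 + 32) ** 10 == 94 ** 10.
    """
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def search_space_bits(password):
    """The same search space expressed as bits, for easier comparison."""
    return math.log2(search_space(password))


def report(password):
    """Summarise policy compliance and search space for one password."""
    return {
        "password": password,
        "length": len(password),
        "classes": sorted(classes_used(password)),
        "meets_policy": meets_policy(password),
        "bits": round(search_space_bits(password), 2),
    }


if __name__ == "__main__":
    # The two example passwords from the post: a birthday and the formula output.
    for pw in ("04121972", "fy.NH_0K08"):
        print(report(pw))
```

Running the block prints the birthday as a single-class, non-compliant password at about 26.6 bits, and the formula output as a four-class, compliant password at about 65.5 bits.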
Password Reset Concerns
If you had a password formula such as this, you would rarely need to have your password reset. The questions often asked for password reset authorization are, in reality, a second password. A fellow security blogger wrote an article titled, "A Different Approach to Password Reset" that effectively outlines such concerns. Below is an excerpt.
Do yourself a favor and create your multiple password formula now.
Posted: 05 Sep 2008 07:53 AM CDT
Saw a great commercial today while watching CNN. It showed people sitting in front of piles of cash and saying how much was in the pile. Frankly, with the kind of commercials you hear on CNN, I thought it was going to be about how these people saved paying the IRS by hiring some tax service (aren't those commercials tiresome already?).
Instead it turns out that it is a commercial for Nortel touting how much money you will save on energy by using more efficient Nortel switches over Cisco equipment. This is part of a whole series on the Cisco energy tax and I think pretty effective. You can see the commercial here.
Posted: 04 Sep 2008 03:32 PM CDT
The PaulDotCom Security Weekly Monthly Summaries are the recordings from the monthly Late-Breaking Computer Attack Vectors webcast. This month I will discuss some of the latest attacks, including:
You can download the slides to this presentation here:
Posted: 04 Sep 2008 02:40 PM CDT
Microsoft (NasdaqGS: MSFT) has released its Security Bulletin Advance Notification for September 2008 with minor updates. Virtually every mainstream Microsoft OS, media and Office product will be patched. Most issues revolve around the now nearly ubiquitous remote code execution vulnerability caused by flaws in VBScript, JScript, etc.
The full text appears after the jump.
Posted: 04 Sep 2008 12:11 PM CDT
Well, I was on a bit of a roll this week. Didn’t quite wake up early enough this morning to post the news on time. On the upside we have the lion’s share of the speakers picked for Sector.ca this year. If you haven’t signed up yet please do so while there are spots available!
Click here to subscribe to Liquidmatrix Security Digest!
And now, the news…
Posted: 04 Sep 2008 11:24 AM CDT
Posted: 04 Sep 2008 10:14 AM CDT
One thing that has been starting to get more press is wireless medical implants. Researchers in China have devised a way to encrypt signals in these biometric devices using the patient's heartbeat.
An interesting thought. But, could this also provide the key to break the crypto? Using a high powered parabolic microphone one could feasibly record the heartbeat of a target while they’re sitting at a sidewalk cafe.
Now imagine that the biometric device that you are looking to control is a heart monitor or insulin dispenser. This could potentially have horrific consequences. Sure the researchers say that it would be “impossible for attackers to use recorded data as a key at a later date”. Never say never. Of course this falls into the FUD category but, makes for an interesting movie plot line.
Posted: 04 Sep 2008 09:45 AM CDT
Today we venture together into new territory. I am eager to conduct our first “Talkcast” - to explore the way we make recommendations to our users about how they should be protecting their home computers.
The idea of a talkcast is to be more like a talk radio program. We are going to use: http://www.talkshoe.com to host our effort.
The specific program starts here: http://www.talkshoe.com/tc/25233
The program starts at noon. After a brief introduction, I’ll introduce our guest - Dave Cole from Symantec - and then we’ll get down to an interactive conversation.
Posted: 04 Sep 2008 09:25 AM CDT
Also of interest is a fascinating report of cyber-criminal activities from INFOSEC researchers at HostExploit.com, Jart Armin, James McQuaid and Matt Jonkman, in which they focus on the evidence of direct connections between a source of malware, illegal internet-based pharmacies, and one of ICANN’s sponsors (apparently not vetted adequately at the ICANN offices in either Marina Del Rey, CA or Brussels, Belgium)!
The entity is named LogicBoxes, which ICANN has apparently listed as a sponsor for various meetings that occurred in both India and the United States (Los Angeles, California and Delhi, India, to be specific).
Posted: 04 Sep 2008 08:50 AM CDT
In the ongoing saga (also related to previously published demands made by DIRECTI to ‘take down’ blog posts here at Infosecurity.US) triggered by research undertaken by anti-spam watchdog KNUJON, Garth Bruen of KNUJON fires back a response to Directi, after the jump.
(Editors Note: Garth Bruen’s comments are published with his consent.)
from Garth Bruen at KnujOn
Hello Mr. Ramchandani,
Let's address the points you bring up.
1. (EstDomains) We did not say that Directi owns EstDomains. We know you
2. ("Phantom Registrars") There are a few issues here. First, we
3. (Atrivo) We did not state that Directi was linked with Atrivo, we
4. (PrivacyProtect) If you are no longer using PrivacyProtect.org we
5. (unsuspended domains) If you say it was a technical error, we will
6. (ISPs) If you claim you are cleaning up the Registry, I want to
7. (PrivacyProtect, again) I received all of your attempts to explain
8. (illicit domains) Once again, I want to believe you. However, when
9. (ICANN RAA) You said: "the job of policing the internet cannot be
And, we are of course ready to discuss any of these further and glad you
> —– Original Message —–
Collect, analyze, enforce, repeat…
Info Security Summit 10.31.08
Posted: 03 Sep 2008 09:16 PM CDT
When it comes to protecting home computers, “Is freeware free?”
This is not a question aimed at the enterprise. Instead, this is a question that cuts to the heart of the advice that security professionals offer to those who depend on that experience and insight to guide them, be they parents, siblings, friends, co-workers or even people we meet in passing. Professionals are often called upon to make quick decisions based on experience and training (we can argue later whether this is good or bad). While this may be an accepted business practice, does it work as well when it comes to advising families on how to protect their computers?
I think we need to step back and consider. If someone asks you if they should spend money for a paid software solution to protect their home computer or simply use “freeware” solutions - what is the best answer? What do you recommend today? Why?
To aid in the process, I offer for consideration a report that details my experience evaluating freeware through the lens of a consumer. The report is short. It is designed to be an opportunity to stop, think and engage in the conversation.
Based on a challenge, I stepped back and examined the situation in a manner different than normal for me. I worked to experience the process of finding, downloading, installing, configuring and using freeware solutions. I considered the time spent and took an effort to measure pop-ups, messages and potential frustrations. Taking the time to step back literally changed what I thought and what I recommend. It forced me to examine the “truths” I believed in favor of real experience.
Come join the discussion in the Security Catalyst Community here: http://www.securitycatalyst.org/forums/index.php?topic=960.0
(and join me for a live Talkcast on Thursday — Noon Eastern — to discuss this with special guest Dave Cole)
Posted: 03 Sep 2008 03:23 PM CDT
The New Orleans, Louisiana Field Office of the United States Federal Bureau of Investigation (FBI) has announced the availability of a Disaster Fraud Hotline to report Hurricane Gustav related fraudulent activity.