Coop's Corner

April 10, 2008 4:52 PM PDT

Avoiding the Big One. It's not all that hard

by Charles Cooper

It's fashionable to dismiss trade shows as so 1998, but there's almost always something that makes it worthwhile if you look hard enough. So it was that the coolest thing I saw at the RSA 2008 conference this week was a prototype portable virtualization technology that SanDisk will begin selling in the second half of the year.

The product, developed in conjunction with Check Point, lets you copy a protected version of your apps and then plug into any client machine. When you're done, the "virtualized" version of your desktop disappears after logging out.

Howard Schmidt, R & H Security Consulting

(Credit: Charles Cooper/CNET News.com)

My hunch is that this concept is going to continue to gain popularity, especially given the ongoing advances in "cloud storage." By the way, MokaFive is already out with software that lets you fit an operating system and application stack on a USB flash device. U3 also gained attention a couple of years ago. Kate Purmal, the former president of the company, is now a VP at SanDisk. There are a few others that I can't think of right at this moment.

When I met up with Check Point Software's CEO Gil Shwed to talk about the SanDisk relationship as well as the wider security arena, he was predictably upbeat in describing another advance in safeguarding portable data. But, he added, the ultimate success depends upon guaranteeing that the information will be "secure and protected."

Secure and protected. I can't tell you how many times I heard that line walking the show floor or in meetings the last couple of days. It's a great tech cliche these days. The rub is that no matter how good the technology offered by Check Point or any other security provider, we remain creatures of habit--and when it comes to security, bad habits, mostly. Every security expert I spoke with agreed that your typical computer user inadvertently functions as the bad guys' best friend. That was the other takeaway from the conference. Security professionals are at wit's end when it comes to persuading the rank-and-file to do the right thing.

Shwed and others say it's a matter of enforcing best practices. When Department of Homeland Security Secretary Michael Chertoff spoke on Monday, he pounded away at that theme. I heard the same thing from Howard Schmidt, who previously served as vice chair of the president's Critical Infrastructure Protection Board and as the special adviser for cyberspace security for the White House.

"The (best practices) concept is good but it's gotta be in your face," said Schmidt, now heading his own consultancy, R & H Security Consulting.

Schmidt's right but we're a long way from attaching DefCon 1 importance to the topic. I could go on for another 1,000 words enumerating the whys and wherefores but suffice to say that society has been lulled into a false sense of assurance about digital security. Maybe it will take a concerted cyberattack to shake that lethargy. (Estonian government and business Web sites last year suffered denial-of-service attacks protesting the move of a World War II statue in Estonia. Meanwhile, the Arabs and the Israelis have been engaged in low-level cyber skirmishing for several years.) John Thompson of Symantec drew an analogy with the Smokey Bear campaign in the 1960s and 1970s, when the government sought to reduce forest fires through public education. Clearly, he said, it had had an impact.

"And now you have critical business and government information exposed, and people realize there's an underground economy involved in trading stolen data," Thompson told me. "Also, you have nation states (digitally) attacking each other for competitive edge in a global economy. And so the government realizes that now is the time to act. But when you talk about best practices and thinking holistically, or extending responsibility to more than just the IT heads, that's not new."

DHS has requested $192 million to spend on cyberdefense in the next fiscal year, up from the current $115 million. Given the other budgetary demands related to digital security, that doesn't leave a lot of shekels to foster public education. The implicit message is that Uncle Sam is waiting for the private sector to pick up the tab. I suppose it's just as well that individual companies fill the breach before they suffer the Big One.

April 8, 2008 3:51 PM PDT

Who trumps bin Laden as a cyberthreat? Look in the mirror

by Charles Cooper

SAN FRANCISCO--It turns out al-Qaida's leader and his cohorts aren't the biggest threat to our cybersecurity. You are.

Six years ago, Osama bin Laden represented the nightmare scenario for the computer security establishment. But more immediate cyberdangers lurk on the horizon. Experts attending the RSA conference that began here today say it's you--Mr. & Mrs. Computer User--who keep goofing up.

In fact, they contend, the future of cybersecurity hinges less on a latter-day version of spy-versus-spy against shadowy terror groups than on a more serious effort to instill best practices. Listening to their admonitions was something akin to the scene in the movie Groundhog Day, where Bill Murray repeatedly wakes up to the same morning.

Security gurus have long urged the business world to turn network security into part of the corporate DNA. The message is not fully getting through. And now we're seeing the predictable results.

After listening to Symantec's John Thompson's morning keynote, I later kidded him about purposely scaring the hell out of people. He was a good sport about my joshing but pointed out that the information security landscape is increasingly punctuated by cases of data theft. He backed that up by reciting a litany of worrisome stats from his company's latest Internet security threat report. Truth be told, it makes for grim reading.

Symantec CEO John Thompson

(Credit: Charles Cooper/CNET News.com)

Among the report's highlights:

• 65 percent of the new code being released into the market is malicious

• The U.S. was the top country of attack origin in the second half of 2007

• The education sector accounted for 24 percent of data breaches that could lead to identity theft.

• Government was the top sector for identities exposed, accounting for 60 percent of the total

• Theft or computer loss resulted in the most data breaches that could lead to identity theft

• The United States had the most bot-infected computers worldwide

If the statistics are accurate, rank-and-file computer users are far from internalizing the security mantra. What's more, the findings suggest it will be quite some time before most people treat computer security as more than an afterthought. In the meantime, of course, Thompson didn't preclude the possibility of a terror or state-based organization launching a big cyber attack. But he believes the more likely danger to the nation's infrastructure will emanate from a different quarter.

"The threat landscape has changed," he said. "When people used to talk about the 'Big One,' they were thinking about that in the context of an attack on the infrastructure itself. That's still possible but less probable today because attackers have shifted to the information itself. They're much more stealth-like. Before, they wanted to become obnoxiously visible. Now they don't. They want to quietly penetrate defenses so they can sell what they steal in what's become a growing underground economy."

DHS Secretary Michael Chertoff

(Credit: Charles Cooper/CNET News.com)

(He's got a point. Symantec's report found that bank accounts are the most commonly advertised item for sale on underground economy servers, accounting for 22 percent of all activity tracked.)

In years past, Thompson and other computer security executives have pushed the idea of making cyber-security as familiar to most people as the fire prevention campaign underwritten by the government in the 1960s and 1970s. Considering the amount of money Uncle Sam is spending on cyber-security these days, that's a pipe dream.

Department of Homeland Security Secretary Michael Chertoff, who also presented a keynote on Tuesday, offered little indication Washington was about to ride to the rescue. In remarks during his prepared speech and subsequent press conference, Chertoff offered a dutiful recitation of what he described as the President's interest in shoring up the nation's digital security.

But despite Chertoff's repeated commitment to doing the right thing - including a call to arms inviting Silicon Valley's best and brightest technologists to come to Washington to work on cyber-security - I wonder how many industry skeptics he'll win over. Until recently, DHS couldn't get a cyber-security director to stay in what essentially was a figurehead job much longer than a year. Off-the-record interviews with people familiar with the goings-on there have described the situation to me as a bureaucratic mess.

DHS finally staffed up by putting in Greg Garcia, a former official with the Information Technology Association of America trade organization, as assistant secretary for cybersecurity and telecommunications. More recently, Rod Beckstrom, an author and entrepreneur best-known for starting business collaboration software maker Twiki.net, was put in charge of directing a national cybersecurity center that operates inside DHS.

Give Chertoff credit for being candid about where DHS has come up short. He said the government needs to reduce its (literally) thousands of network access points to around 50. At the same time, Chertoff wants his department to detect and analyze computer anomalies faster. A big part of that will involve a revamp of U.S. CERT's early warning system.

"Even giving an adversary one bite at the apple before we've figured out the meta data or (digital) signature is one bite too many," he said.

In the end, however, money talks and you-know-what walks. The feds only have a $115 million budget to work with. Chertoff's department has requested $192 million for the new fiscal year but that's still doing it on the cheap. By comparison, we spend $720 million in Iraq each day.

April 7, 2008 3:42 PM PDT

Google, other search companies won't like it--too bad

by Charles Cooper

On the eve of the RSA security conference, there's a showdown in the offing between "Old Europe" and U.S. search operators. Earlier Monday word leaked about a European regulatory plan to press search engine providers to dump personal search data after six months.

(Credit: CNET News.com)

Barring the unforeseen, it's likely the European Commission will look kindly upon the plan. This would be quite a big deal, setting the stage for a continent-wide challenge to the way big search engine companies set procedures for handling log deletion and browser cookies.

Until now, privacy advocates haven't gotten very far convincing search companies to drastically curtail the length of time they retain data. For instance, the argument made by Google is that keeping log data around can keep you safe, help prevent fraud, and improve search results (using the argument that "better data makes for better science").

That all may be true--though I've known more than a few security experts who argue otherwise--but this is less a matter of computer science than of public policy. And it's not a fight the search engine companies are going to win. Can you see some congressman campaigning back in the home district for reelection on the campaign plank, "What's good for Google is good for all the rest of us?" I don't think so.

On its public policy blog, Google sounded less than thrilled with the news, although it boiled any bitterness out of its official reaction.

We believe that data retention requirements have to take into account the need to provide quality products and services for users, like accurate search results, as well as system security and integrity concerns. We have recently discussed some of the many ways that using this data helps improve users' experience, from making our products safe, to preventing fraud, to building language models to improve search results. This perspective -- the ways in which data is used to improve consumers' experience on the web -- is unfortunately sometimes lacking in discussions about online privacy.

The Working Party's findings also stated that IP addresses should be treated as personal information, with the full weight of data protection laws. Based on our own analysis, we believe that whether or not an IP address is personal data depends on how the data is being used.

The findings are another important step in an ongoing dialogue about protecting user privacy online -- a discussion in which Google will continue to be engaged. It's also a debate in which we hope our users will participate.

Google figures that it's already met privacy advocates' demands by reducing to 18 months from 24 months the length of time it stores private data. I imagine Microsoft, which similarly retains data for 18 months, and Yahoo, which keeps data for 13 months, feel the same. They can't be thrilled with what's going on because it presents a threat to their Internet business. Unfortunately for them, there's not a really good counter-argument. (Here's a good primer News.com assembled on the companies' respective privacy policies.)

Greg Sterling of SearchEngineLand.com offered a quote to Bloomberg that was spot on:

"Today's decision may threaten "the golden goose" of the broader business of Internet advertising, which uses customers' online records to offer personally targeted ads, Greg Sterling, an analyst at Sterling Market Intelligence in San Francisco, said in a telephone interview."

That's why you can expect search engine companies to fight as hard as they can, enlisting support from political and business allies. But when it comes to privacy, most people are less concerned with the stock price of big tech powerhouses than they are in keeping their personal data safe.

About Coop's Corner

Charles Cooper has covered technology and business for more than 25 years. A graduate of Queens College and Columbia University, Cooper received the Excellence in Journalism award from the Northern California branch of the Society for Professional Journalists for column writing.
