
locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Fri, 29 Sep 2006 (BlogID 557)
You may have 4th amendment rights but your laptop doesn't...

A colleague forwarded me an article today entitled Laptops Content may be Subject to Inspection upon Entering the United States. The 9th Circuit Court of Appeals in California thinks it's OK for Customs Officials to seize and search travelers' laptops upon entering the U.S. without a search warrant or probable cause. The case on which the court based this decision - one involving the seizure of a laptop containing child pornography - could not have been more convenient. The defendant is engaged in activities the public considers repugnant. The recovery of the images reads like the script of the hugely popular TV series, CSI. Customs agents and the TSA already examine laptops as one of many homeland security measures.

So, really, how much of a stretch is it to allow agents to boot and surf your laptop?

IMO, a huge one. There is little difference between the information you store on your laptop hard drive and that ugly metal file cabinet that occupies the corner of your home office. Our courts have a responsibility to understand rather than fear technology. Before a court concedes what has been recognized and defended as an inalienable right since the 18th century, it ought to consider how decisions it applies to the virtual world will affect the physical world.

This and related articles (e.g., Border Insecurity) discuss the impact on corporate privacy, i.e., examination of sensitive documents and the forced disclosure of passwords. The impact is far more fundamental. Why are courts and the federal government so eager to abandon warrants and due process? Is a world free of terrorism better than a world where you and your property can be seized and searched without probable cause?

I'm skeptical we can ever achieve the former, and I'm very reluctant to concede the latter.

Archived at http://www.securityskeptic.com/arc20060901.htm#BlogID557 by Dave Piscitello  


Tue, 26 Sep 2006 (BlogID 556)
Grumpy thought for the day

During an email exchange, a colleague reminded me that "anything can be done in software".

Since the topic we were discussing involved abuse and possible misuse of protocol responses, and since I am tired to tears of this nonsense, I grumpily replied, "If we could just fix that *anything can be done in software* issue all our problems would be solved."

The good news is that education is deteriorating globally and soon only a handful of people will be creative enough to write anything novel. :-O

Archived at http://www.securityskeptic.com/arc20060901.htm#BlogID556 by Dave Piscitello  


Wed, 20 Sep 2006 (BlogID 555)
Bypassing network admission control

Ofir Arkin has published a really nice paper that lays out the spectrum of network admission control (NAC) features, explains (conceptually) how NAC operates, and analyzes the architectural flaws that can be exploited to bypass NAC and permit a rogue endpoint to connect to a "NAC protected" network. The paper describes the strengths and weaknesses of current software NAC solutions (DHCP proxy, Authenticated DHCP, Broadcast listener, and Cisco NAC) and hardware NAC solutions (inline and out of band) and how the weaknesses can lead to bypass. This is very interesting reading. Check it out.

Archived at http://www.securityskeptic.com/arc20060901.htm#BlogID555 by Dave Piscitello  


Mon, 18 Sep 2006 (BlogID 553)
Feedback on "media quoting and 'certifying' security experts"

I received dozens of comments on my BlogID 552, Media "Certified" Security Experts (Gurus), many from CISSPs. Here's a sample from the best of the lot:

"As a CISSP, I am embarrassed by the behavior so many exhibit; the pious attitude is nothing short of elitism...Unfortunately, too many are hung up on certification - which is why I completed the CISSP - to silence the masses. My apologies for the elitist CISSPs that judge by acronyms after one's name." - CS

"I think the idea that only needing a CISSP appended to your name means you are an 'expert' is ridiculous. I am glad you decided to post on your blog about this...it is alarming to me that people think having a CISSP automatically means you are an 'expert'. After all, it is a test, and to be honest, not a very hard test. I could train my fish to pass a test." - JR

and my personal favorite...

"Richard Mitchell, brilliant essayist and commentator on the education biz, two decades ago foresaw all the assorted testing people now use as 'litmus tests' of various kinds. He was commenting specifically on testing the likes of which we now have with the current administration's education reforms, but it applies elsewhere, too. 'Minimum competency testing will ensure precisely that.' Richard Mitchell, 'The Graves of Academe'" - MO

Colleague and friend Joel Snyder gave me the biggest laughs, commenting:

"I guess that whole 'look up a PhD' database doesn't seem to be linked to the 'look up someone who can pass a dorky test' database."

For the record, I also received email from Bob Johnson, in which he explained his position regarding what he calls Editorial Malpractice, and added, "At no time did I intend to impugn the authors. If you are offended I do apologize."

In my response to Bob, I took the opportunity to comment on Bob's issue with editorial malpractice, as follows:

Editors have broad license. I have worked with dozens of editors in refereed, trade, and for fee journals and publications. Most editors are diligent and investigate the credentials of authors who freelance for them. Many editors are sensitive to the fact that practitioners who have 20-30 years' tenure in networking and security do not pursue certifications and have (in my opinion) appropriately concluded that it is best to use a collegial style of byline. I am certain you worked hard for your CISSP. Joel Snyder worked considerably harder for his PhD, and he is not listed as Dr. Joel Snyder.

Time to move on. After a few email exchanges, I'm comfortable that Bob and I can agree to disagree. I also think he's probably a decent guy and I'll look forward to meeting and chatting with him some day.

Archived at http://www.securityskeptic.com/arc20060901.htm#BlogID553 by Dave Piscitello  


Fri, 15 Sep 2006 (BlogID 554)
Domain traffic monetization

Who ever imagined that registering a domain name could provide a means of deriving recurring revenue? Domain traffic monetization does just that. Register a domain name and host a web page. On the page, place advertisements for third parties that provide referring links to the advertising party. In the referring link, embed an identifier that identifies you to the advertiser, and the advertiser will pay you a fee for each referral. Earn an income while you sip tea on your porch.

You may know domain traffic monetization by another, less opaque, name: pay-per-click. Pay-per-click is easy to remember because each time the visitor clicks on a link on your web page, you are paid for the "click" or referral. Domain traffic monetization is one of many reasons why virtually every domain name that has ever been registered has some value to someone.

I can't help but wonder how the PPC business model can sustain millions of independent PPC sites, where the budget domainers use Google AdSense and Yahoo! Publisher Network. There are only so many web users, and the number of clicks, while not constant, will not grow exponentially. It may not grow at all. In fact, one could argue that interest and *trust* in referral sites will diminish over time. What happens when the number of clicks per minute hits the knee in the curve, and the referral trajectory flattens out? I think the answer is that there's more intense competition to retain and increase clicks at sites. If this is indeed the answer, then won't revenue per site wane? Isn't consolidation the only way to maintain market share and grow revenue?

I see evidence of these phenomena on my site. At its peak, my AdSense revenue was paying for my broadband access, my static IP addresses, and replacement/upgrade hardware. In a year's time, with increased visits and the same content refreshment rate, I'm making about 1/10th of my peak income. From this and similar anecdotal evidence from colleagues, I'm willing to speculate that (a) large monetizers are already gaming search engines and drawing traffic to their consolidated PPC landing pages, and (b) there's far too little revenue in PPC for the small site operator to bother.

This post marks the beginning of the end of AdSense on my site. My blog pages will no longer carry ads. My static pages will be updated as I find time. It was a nice run while it lasted :-)

Archived at http://www.securityskeptic.com/arc20060901.htm#BlogID554 by Dave Piscitello  


Wed, 06 Sep 2006 (BlogID 552)
An Open Invitation to Bob Johnston, CISSP...

Bob Johnston, CISSP, questioned my qualifications as well as the qualifications of several colleagues in a recent post to Yahoo's CISSP mailing list. In a post with the subject line: Media "Certified" Security Experts (Gurus), Bob says,

"I do not know about the rest of you, but I am quite tired of the media quoting and 'certifying' security experts that do not possess a credible certification.

I made this statement based on the fact that the publications do not cite their certifications and when I attempt to identify them few if any possess any of the major certifications worthy of mention."

Bob claims that he cannot locate anything of substance to have us declared as gurus. His attempts to identify me and my colleagues appear to have been limited to a search argument against a database that returns a result of "No match on last name for CISSP/SSCP."

I truly wish Bob had made a more concerted effort to determine our qualifications before impugning our reputations. For example, a basic Google search on my full name returns over 76,000 hits. The top five include citations for books and RFCs I've published, my company home page, and my resume. Amusingly, a search on Joel M. Snyder will return over 2 million hits, and the result with highest relevance is indeed my colleague and close friend, who will have forgotten more about networking and security by noon today than most professionals might hope to learn in a lifetime.

Neither I nor my colleagues control how an editor chooses to brand or promote us or our works. I've made a pointed effort to explain my personal belief regarding the differences between Security Expert, Professional, or Practitioner. In the linked post I say, "Only a handful of people in the world are qualified and have accomplished enough in the short span where Internet Security has proved meaningful to be labeled experts." I truly believe this and do not place myself in this category. Moreover, I do not believe that satisfying the criteria for any security certification alone puts one in this category.

Later in his post, Bob asks,

"Before I make an a$$ of myself and write a challenging letter to the editor, can any of you say anything great about the others?"

For the record, I have worked with Joel Snyder and Brad Johnson, I respect both enormously, and it's relatively simple to search and conclude both are amply qualified security practitioners. Dan Minoli was a colleague at Bellcore. I had the opportunity to serve as consulting editor to several of the dozens of books on telecommunications and enterprise network management he published with Artech House. BTW, Dan describes himself as a network practitioner, not expert. Mandy Andress is blessed by a positive result from the CISSP/SSP search; by Bob's measure, this alone indicates that her qualifications are beyond reproach and need not be amplified here.

I sincerely wish Bob had judged me and my colleagues based on what we wrote for Network World and have published elsewhere rather than worrying over the presence or absence of a CISSP/SSP appended to our bylines. The email in our bylines is there for a reason. If Bob or others disagree with what I or my colleagues write, contact any of us by email. I suspect such an email exchange will prove to be more positive and enlightening than one that begins by carping at an NWW editor.

Archived at http://www.securityskeptic.com/arc20060901.htm#BlogID552 by Dave Piscitello