Best of Breed, or Best of Mediocrity?

Posted on July 28, 2006 by jared

Having worked for some time as a software engineer in the enterprise security software world, I know that customers (enterprises) look for "best of breed" software. For a large company customer, this usually means that a software solution distinguishes itself in some way that makes it work well in their environment. Often, this translates to reliability, cross-platform support, person-to-person support and the ability to function beyond what is advertised.

As many are aware, there is "consolidation" going on in the security market. Big fish are swallowing smaller fish, and it's lucrative, in the short term, for everyone except customers. Supposedly, the consolidation means that two separate products can be "integrated", or unified. Never mind the previous competitive relationship that may have existed between the product teams and their management. For some reason, people seem to think that competition evaporates and that the two product teams will happily work together to build the next generation "Best of Breed" software solution.

Not so.

In any big corporation or software company, there are constant power plays being made. You could call this "decision making", and if you have uncommonly good leaders, you might even say good decisions are being made. Unfortunately, it is human nature for most people to misuse and abuse positions of power. Instead of making product decisions that are best for their merged customer base, they make decisions that keep themselves in a position of power.

So, we have two best of breed products: Overdog and Underdog. Underdog is easier to manage, but isn't as complete in its offerings. Overdog is more complete, but is more expensive to deploy and manage. Overdog has the advantage of being used in Fortune 500 companies. Underdog, on the other hand, is trying to break into that market space.

Enter Big Fish -- a.k.a. Consolidator. Consolidator buys Overdog, and a few years later, buys Underdog. We take two products, both "Best of Breed" in different ways, and expect to see them merged together to make something "next generation" -- better, faster, stronger, and easier to use.

Whenever there is a consolidation, talented people get fired, and their creative ideas and abilities are lost. Product integration never happens as easily as anyone would like to believe (if it happens at all). And in the end, customers end up with a product that we can best label as "Best of Mediocrity". Consolidation means that customers lose their "Best of Breed" solutions.

What can you expect from Software Consolidators? Mediocre solutions. Look elsewhere for excellence.

The purpose of security…

Posted on July 27, 2006 by jared

A coworker made these assertions about security. I think they're worth repeating:

The purpose of security is to establish accountability of an individual.
The purpose of auditing is to verify the trust that has been placed in an individual.

Is Data Mining Fools Gold?

Posted on July 27, 2006 by jared

Here's a thought provoking article about the problems of large-scale data mining by governments. It's written by a person living in the UK.

"Data-mining is complicated, and the more data you are mining, the more false positives your software will throw up. If you act upon a false positive for a motoring offence, it's an inconvenience for the motorist, but for an alleged case of child abuse, it can rip the family apart and ruin the child's life."

"Furthermore, gathering large amounts of data is inherently dangerous. Whatever information governments find interesting will also draw the attention of criminals. Databases can be hard to keep secure, and it's not necessarily hackers that we should be worried about, but unauthorised access by employees of the agencies that use these databases. Equally, the more data you have, the more difficult it is to maintain accuracy. In 2000, an audit of the Police National Computer found that 86% of records contained errors, 85% of those errors were serious, and some were libellous."

"Technology can be a very powerful tool, but what it can't do is replace real human beings or traditional investigative work. Designed badly or used poorly, databases are the technological equivalent of fools gold."

Mongrel web server

Posted on June 5, 2006 by jared

Here's an interview with Zed Shaw, the author of the Mongrel web server -- a web server for the Ruby programming language that is good for use in combination with Ruby on Rails and other Ruby-based web-app frameworks. It's interesting in that it's fast, secure, cross-platform, and it's not a heavyweight solution (compared to Apache). Why is it more secure than Apache at the HTTP protocol level? Mongrel utilizes the Ragel State Machine Compiler to generate the protocol parser, "and that is very strict and seems to block a huge number of attack attempts simply because it is so exacting."

How to recover from identity theft

Posted on June 5, 2006 by jared

"Identity Theft" is societies catchy phrase for impersonation and fraud. Recently, my bank and other financial insututions have mailed advice on how to help prevent fraud, but they don't ofen explain how to recover from it. This link has useful, step-by-step advice: HOW TO: Get through having your identity stolen.

Hard Drive Encryption: PGP Disk, LUKS, BitLocker

Posted on May 16, 2006 by jared

Why encrypt a hard drive? It makes it safer to dispose of an old hard disk... your data won't fall into the wrong hands. This only matters if you want data to remain confidential. Laptop owners should consider using hard disk encryption.

When is it a bad idea to encrypt a hard drive? First, if you have a dual-boot computer (Linux and Windows), and you want Linux to be able to access all of the data on the Windows drive. Second, when the data confidentiality is of low concern and the data availability is of high importance.

Bruce Schneier writes about Microsoft BitLocker, which will be available in Windows Vista:

BitLocker Drive Encryption is a new security feature in Windows Vista, designed to work with the Trusted Platform Module (TPM). Basically, it encrypts the C drive with a computer-generated key. In its basic mode, an attacker can still access the data on the drive by guessing the user's password, but would not be able to get at the drive by booting the disk up using another operating system, or removing the drive and attaching it to another computer.

PGP Disk is a current solution -- no need to wait for Vista. On Linux, there are many solutions. The most current is LUKS and dm-crypt:

Apparently, HAL in Fedora recognizes LUKS volumes. It's also possible to encrypt only your home directory with LUKS.

Update 5 June 2006

See also http://www.truecrypt.org/ and Wikipedia's guide to disk encryption software.

Security Myths and Passwords

Posted on May 16, 2006 by jared

Professor Eugene Spafford “is one of the most senior and recognized leaders in the field of computing.” Here’s what he has to say about password security.

http://www.cerias.purdue.edu/weblogs/spaf/general/post-30

In the practice of security we have accumulated a number of “rules of thumb” that many people accept without careful consideration. Some of these get included in policies, and thus may get propagated to environments they were not meant to address. It is also the case that as technology changes, the underlying (and unstated) assumptions underlying these bits of conventional wisdom also change. The result is a stale policy that may no longer be effective…or possibly even dangerous.
Policies requiring regular password changes (e.g., monthly) are an example of exactly this form of infosec folk wisdom.

Read the article for more details.

jaredrobinson.com

Category Archives: Security