From marcin at kajtek.org Fri Oct 2 14:21:21 2009
From: marcin at kajtek.org (Marcin Antkiewicz)
Date: Fri, 2 Oct 2009 09:21:21 -0500
Subject: [psysec] Fwd: Medical Vaccines as an Analogy to Information Security
In-Reply-To: <7ed5f2120910012313n52b74c2bx84b64be6572ca8e8@mail.gmail.com>
References: <4AC222BB.5060900@linuxbox.org> <7ed5f2120910012313n52b74c2bx84b64be6572ca8e8@mail.gmail.com>
Message-ID: <7ed5f2120910020721m78976503v325d5591fd74acf0@mail.gmail.com>

> In the information security field, we often encounter an ethical dilemma.
> Should information become public, so that people can protect themselves, or
> better decide how to do so. Or should it remain secret so that larger harm
> is prevented? The world of Vaccines shows us an image of how medical
> professionals deal with the issue. They have the cost-utility analysis, etc.

Google will not turn up much data on the effectiveness, as the general public rarely wants to see study results, since those tend to be full of robust statistics (robustness as measured by news standards). Data on the efficiency of vaccines and vaccination programs is available on the CDC's site; see some random links:

Reproducibility of Serologic Assays for Influenza Virus A (H5N1)
http://www.cdc.gov/EID/content/15/8/1250.htm

Outbreak of Influenza in Highly Vaccinated Crew of U.S. Navy Ship
http://www.cdc.gov/ncidod/eid/vol7no3/earhart.htm

Interventions to Increase Influenza Vaccination of Health-Care Workers --- California and Minnesota
http://www.cdc.gov/mmwr/preview/mmwrhtml/mm5408a2.htm

> Many interesting strategic and psychological lessons can be learned by
> examining this field, when compared to information security.

Very true. At the same time, the medical/pharma areas have an amount of funding and vested interests that IT-anything will never see. Insurance, for example, is keenly interested in developing very select areas in medicine, and in funding actuarial and risk management studies. And they have been doing it for a few decades now.
On the other hand, an actuarial approach to understanding Security is nonexistent. I will take a wild guess, but today's Security is akin to the various awesome medical practices (cure-all pink liquids, etc.) of about 100 years ago. Assuming that things progress as they used to, we might start seeing signs of maturity in the Security industry in 30 years or so. It makes sense; firewalls became a commodity after 20, give or take a few. Now it's time for normalized reporting (breach and config), standardization of config and process practices, getting some form of standardized higher-education buy-in, and developing a way of determining by how much a slip in a host configuration decreased the enterprise's security, which would be accepted with a 5% confidence interval by 90% of CISSPs. I think it's very doable.

On the other hand, even with all the cyber warfare, there will not be enough money and interest in Security for anything more than a small industry and heavy regulation. I am quoting from memory, so the numbers might be quite wrong, but the network security (not software, GRC, etc.) market is somewhere around $5bn, which should be close to 1Q worth of sales at just Cisco, and about equal to the income of a large, but still regional, insurance company (American Family). US coffee sales are around $10bn, I think.

> unsubstantiated claim made that mercury (Thimerosal, used in vaccines as a
> preservative) somehow causes neurological damage leading to Autism.

The claim is that it will cause neural damage to very young kids - find a developmental toxicologist, they will be more articulate. Mercury-free vaccines are available to small kids, and I am sure that is for a good reason.
--
Marcin Antkiewicz


From ge at linuxbox.org Sat Oct 3 19:19:04 2009
From: ge at linuxbox.org (Gadi Evron)
Date: Sat, 03 Oct 2009 21:19:04 +0200
Subject: [psysec] Medical Vaccines as an Analogy to Information Security
In-Reply-To: <7ed5f2120910012313n52b74c2bx84b64be6572ca8e8@mail.gmail.com>
References: <4AC222BB.5060900@linuxbox.org> <7ed5f2120910012313n52b74c2bx84b64be6572ca8e8@mail.gmail.com>
Message-ID: <4AC7A3A8.7010209@linuxbox.org>

Marcin Antkiewicz wrote:
[snip good comments]
>> unsubstantiated claim made that mercury (Thimerosal, used in vaccines as a
>> preservative) somehow causes neurological damage leading to Autism.
>
> The claim is that it will cause neural damage to very young kids - find a
> developmental toxicologist, they will be more articulate. Mercury-free
> vaccines are available to small kids, and I am sure that is for a good reason.

Just a myth. Mercury-free vaccines became available due to the scare factor, and no change in the Autism rates was noted. Flu vaccines, as far as I read, are still built with mercury.


From larry at larryseltzer.com Sat Oct 3 19:27:07 2009
From: larry at larryseltzer.com (Larry Seltzer)
Date: Sat, 3 Oct 2009 15:27:07 -0400
Subject: [psysec] Medical Vaccines as an Analogy to Information Security
Message-ID: <9B9E7EA67E1B1342B2D25F3FD1B329300295555A@BE35.exg3.exghost.com>

Adult vaccines are still preserved with Thimerosal. They make separate batches without it for kids. I'm sure they're more expensive and probably have a short shelf life. I got my seasonal flu shot a couple of weeks ago, but none of the kid version is available around here yet.
Larry Seltzer
Contributing Editor, PC Magazine
http://blogs.pcmag.com/securitywatch/
Sent from my BlackBerry


From marcin at kajtek.org Sun Oct 4 05:55:45 2009
From: marcin at kajtek.org (Marcin Antkiewicz)
Date: Sun, 4 Oct 2009 00:55:45 -0500
Subject: [psysec] Medical Vaccines as an Analogy to Information Security
In-Reply-To: <4AC7A3A8.7010209@linuxbox.org>
References: <4AC222BB.5060900@linuxbox.org> <7ed5f2120910012313n52b74c2bx84b64be6572ca8e8@mail.gmail.com> <4AC7A3A8.7010209@linuxbox.org>
Message-ID: <7ed5f2120910032255q7689ab68j90cc1e530589f666@mail.gmail.com>

> Just a myth. Mercury-free vaccines became available due to the scare-factor
> and no change in the Autism rates was noted. Flu vaccines, as far as I read,
> are still built with mercury.

I am not against vaccinations.
Just like I have found it very hard to believe that parents would blindly trust science when it proclaimed formula to be a healthier alternative to breast milk, I do not want neurotoxins anywhere close to my younger kid. If mercury is a neurotoxin, and neurotoxins are not good, and most folks agree that basic development is not complete until about 3 years old, then why on earth would I want to put mercury into that brain?

"If the facts don't fit the theory, change the facts", supposedly said Albert Einstein. I do not care what journal has published it, I do not care who was the first author. Basic safety rules prevail until they publish another paper in which they say mercury is not that bad, or that brain development is a very robust process.

This is the same logic that makes me cringe every time I need to go into a meeting and yell at people who want to virtualize all of any infrastructure service: DNS, AAA, telco, etc. The risk of having all of a critical function pushed into a longer dependency chain is too high to be offset by the savings realized by not buying that one machine.

--
Marcin Antkiewicz


From ge at linuxbox.org Sun Oct 25 23:09:26 2009
From: ge at linuxbox.org (Gadi Evron)
Date: Mon, 26 Oct 2009 01:09:26 +0200
Subject: [psysec] Google Wave invitations
Message-ID: <4AE4DAA6.2000703@linuxbox.org>

A friend sent me a Google Wave invitation today. I still haven't received it.

Back when they launched Gmail, you could only join by receiving an invitation from a friend, or by buying one on eBay. It seems like Google added a time-wait scheme to this previous ploy.

Brilliant marketing. The bastards. :)

Gadi.
From larry at larryseltzer.com Sun Oct 25 23:50:56 2009
From: larry at larryseltzer.com (Larry Seltzer)
Date: Sun, 25 Oct 2009 19:50:56 -0400
Subject: [psysec] Google Wave invitations
In-Reply-To: <4AE4DAA6.2000703@linuxbox.org>
References: <4AE4DAA6.2000703@linuxbox.org>
Message-ID: <9B9E7EA67E1B1342B2D25F3FD1B3293002DC3C28@BE35.exg3.exghost.com>

I smell a phishing opportunity: To secure your free Google Wave invite we need a valid credit card number...

Larry Seltzer
Contributing Editor, PC Magazine
larry_seltzer at ziffdavis.com
http://blogs.pcmag.com/securitywatch/


From pgut001 at cs.auckland.ac.nz Tue Oct 27 08:02:53 2009
From: pgut001 at cs.auckland.ac.nz (Peter Gutmann)
Date: Tue, 27 Oct 2009 21:02:53 +1300
Subject: [psysec] Google Wave invitations
In-Reply-To: <4AE4DAA6.2000703@linuxbox.org>
Message-ID:

Gadi Evron writes:

>A friend sent me a Google Wave invitation today. I still haven't received it.

There have been rather lengthy delays in gmail -> gmail deliveries recently, with some email (unrelated to Google anything invites) taking 24 hours or more to arrive. It could just be a normal accident.

Peter.
From ge at linuxbox.org Tue Oct 27 08:22:40 2009
From: ge at linuxbox.org (Gadi Evron)
Date: Tue, 27 Oct 2009 10:22:40 +0200
Subject: [psysec] Google Wave invitations
In-Reply-To:
References:
Message-ID: <4AE6ADD0.5000409@linuxbox.org>

Peter Gutmann wrote:
> Gadi Evron writes:
>
>> A friend sent me a Google Wave invitation today. I still haven't received it.
>
> There have been rather lengthy delays in gmail -> gmail deliveries recently,
> with some email (unrelated to Google anything invites) taking 24 hours or more
> to arrive. It could just be a normal accident.

Nope, it has been confirmed as a planned delay. A waiting list, if you will.

> Peter.

--
Gadi Evron, ge at linuxbox.org.
Blog: http://gevron.livejournal.com/


From ge at linuxbox.org Wed Oct 28 18:37:21 2009
From: ge at linuxbox.org (Gadi Evron)
Date: Wed, 28 Oct 2009 20:37:21 +0200
Subject: [psysec] we are all lazy with passwords - survey
Message-ID: <4AE88F61.1000302@linuxbox.org>

http://arstechnica.com/business/news/2009/10/30-years-of-failure-the-user-namepassword-combination.ars

--
Gadi Evron, ge at linuxbox.org.
Blog: http://gevron.livejournal.com/


From raoul.chiesa at mediaservice.net Thu Oct 29 09:40:39 2009
From: raoul.chiesa at mediaservice.net (Raoul Chiesa)
Date: Thu, 29 Oct 2009 10:40:39 +0100
Subject: [psysec] we are all lazy with passwords - survey
In-Reply-To: <4AE88F61.1000302@linuxbox.org>
References: <4AE88F61.1000302@linuxbox.org>
Message-ID: <4AE96317.9050700@mediaservice.net>

Gadi Evron wrote:
> http://arstechnica.com/business/news/2009/10/30-years-of-failure-the-user-namepassword-combination.ars

Hi all.

Finally, I've got something to say here on PsySec :)

As Gadi knows, I was hacking throughout my childhood (1986/1995), then I jumped to professional InfoSec, meaning that I've been running pentests since 1997.
The article is totally true and the results are right: I'm not seeing that huge a difference between the "password guessing" attacks back in the 80's and 90's and those run nowadays. Especially when talking about critical infrastructures (SCADA, industrial automation, power plants, finance, telcos...), the passwords you may encounter are just the same ones used in the past. So, stepping from "cisco/cisco" to "oracle/oracle", it's full of those "passw0rd", "changeme", etc.

A few days ago the Italian Postal Service (which acts as a bank as well) was hacked. Officially, a web defacement. Unofficially, it seems that the intruders were able to dig very deep inside the network. I've seen some screenshots from the attack on the DB, and the passwords shown there were really embarrassing: easy to guess, defaults, etc...

It's sad, I know. The issue here is not only the user IMHO, but also the security infrastructure all around. Back on VAX/VMS, for example, you had the "password history", and the sysadmin was able to set a user account forcing the user not to reuse old passwords. This is a very low-level option, while nowadays it seems to have disappeared in many OS, sadly :(

Regards,

Raoul

--
---------------------------------------------------------------------
Raoul Chiesa
Founder, Chief Technical Officer
CLUSIT, ISECOM, TSTF, OWASP/IT Board of Directors Member
Osservatorio Privacy & Sicurezza - OPSI-AIP, Comitato Esecutivo
United Nations consultant on cybercrime @UNICRI (http://www.unicri.it)
@ Mediaservice.net Srl          Tel: +39-011.32.72.100
Data Security Department        Fax: +39-011-32.46.497
10141 Torino TO - ITALY         Via San Bernardino 17
Disclaimer: http://mediaservice.net/disclaimer
PGP Key: https://keys.mediaservice.net/r_chiesa.asc
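The two controls Raoul's message touches on, rejecting vendor-default and well-known passwords and enforcing a VMS-style password history, as an added example that is not part of the thread or of any product it names. The default-credential list, the weak-password list, the history depth of five, the PBKDF2 round count and the sample account are all constructed assumptions for this demonstration; a real deployment would load them from configuration.

```python
"""Password-policy check: reject vendor defaults, well-known weak passwords
and reuse of recent passwords (a "password history" in the VMS sense).

Added example for this thread, not code from any product named in it.
The credential lists, HISTORY_DEPTH, PBKDF2_ROUNDS and the sample account
are constructed assumptions; a real deployment would load them from config.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed list of (username, password) vendor defaults of the kind the thread mentions.
DEFAULT_CREDENTIALS = {
    ("cisco", "cisco"),
    ("oracle", "oracle"),
    ("admin", "admin"),
    ("root", "root"),
}

# Constructed list of passwords seen everywhere; compared after leet-folding,
# so "Passw0rd" and "Pa$$word" are both caught by "password".
WEAK_PASSWORDS = {"password", "changeme", "welcome", "letmein", "123456"}

HISTORY_DEPTH = 5          # assumption: the last 5 passwords may not be reused
PBKDF2_ROUNDS = 50_000     # assumption: tuned down so the demo runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest; the history stores only these, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def fold_leet(password: str) -> str:
    """Lower-case and undo common digit/symbol substitutions before a weak-list lookup."""
    return password.lower().translate(str.maketrans("0134$@!", "oleasai"))


@dataclass
class Account:
    username: str
    # (salt, digest) pairs, newest first; at most HISTORY_DEPTH entries.
    history: list[tuple[bytes, bytes]] = field(default_factory=list)

    def set_password(self, password: str) -> None:
        """Record a new password, evicting entries older than HISTORY_DEPTH."""
        salt = os.urandom(16)
        self.history.insert(0, (salt, hash_password(password, salt)))
        del self.history[HISTORY_DEPTH:]


def check_new_password(account: Account, candidate: str) -> list[str]:
    """Return the policy violations for `candidate`; an empty list means it is acceptable."""
    problems: list[str] = []
    user = account.username.lower()
    folded = fold_leet(candidate)

    if (user, candidate.lower()) in DEFAULT_CREDENTIALS:
        problems.append("default vendor credential")
    if folded in WEAK_PASSWORDS or folded == user:
        problems.append("well-known weak password")

    # Re-derive the candidate under each stored salt and compare in constant
    # time, so the check leaks nothing about which historical entry matched.
    for salt, digest in account.history:
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


if __name__ == "__main__":
    acct = Account("oracle")                 # constructed sample account
    acct.set_password("Tr0ub4dor&3")
    for attempt in ("oracle", "Passw0rd", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{attempt!r}: {check_new_password(acct, attempt) or 'OK'}")
```

The history keeps salted PBKDF2 digests rather than the old passwords themselves, so a leaked history table gives an attacker nothing to replay; the price is that each candidate must be re-derived under every stored salt, which is why the depth is bounded. The leet-folding step is what stops "passw0rd" from slipping past a list that only contains "password".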