You need a foundation before raising your house.

Avoid complexity when you talk about security: back to basics

I just came across a really interesting piece of news about the latest IT Security Summit conference of the Gartner research center. Normally, the people who speak at these shows talk about what you need in your enterprise to upgrade your security. Normally they talk about the latest technology you need to be up to date and a foot ahead of hackers. Victor Wheatman, vice president and research area director at Gartner, said the opposite. His speech was about what enterprises don’t need in the field of computer security technology. He says that they need to go back to basics if they really care about their security infrastructure.

Wheatman also singled out “500-page security policies” and security awareness posters as things an IT manager would be better off not spending company resources on. “You do need security policies, but not ones so large that no one reads them. It is also important to have a business continuity plan. We got a lot of calls when the hurricanes came through Florida, but for the most part, that was a little too late.”

It’s the same as for physical security. If you are not the president of the United States, you don’t need 10 bodyguards, aerial surveillance and 15 hidden snipers when you walk down the street. You only need a few basic awareness principles, a basic procedure like Jeff Cooper’s color code. The more complex the procedure is, the fewer people will follow it. It’s the same principle as in self-defence. You won’t use your kung fu style if you are assaulted in a bar. You’ll use your gross motor skills, the ones that don’t need any reflection to use. You won’t look at every person and think about all possible scenarios when you walk down the street. You unconsciously check for hints that could point to a possible threat. It’s the same thing with a computer security policy: you need it to be as simple as possible for all of your employees. If your protocol is not simple and straight to the goal, your employees will not follow it. You can have a more elaborate one for your system administrators, but not for your normal employees; this is not their job, and they are a big part of your security infrastructure, so take care of them! This is a question of human nature.

Another interesting thing that I noted in this article is this passage:

Perhaps most importantly, an IT manager needs to demonstrate to the executives within the company how to take better advantage of the systems it already has through the use of security.

“We have an appalling absence of basic management metrics for our trade. If you can measure a problem accurately, you have the Holy Grail,” Smith said. “But what you also must have is a champion at the board level. Without senior-level support, nothing will ever happen and you are doomed.”

I already discussed this in this article some weeks ago. It just connects my thoughts with this fact.

Review: The Myth of Homeland Security


I just finished reading The Myth of Homeland Security. This is a good book about homeland security, mostly concentrated on United States homeland security post 9/11. It is an apolitical essay on the subject. The author bases his thoughts mostly on an analysis of the PATRIOT Act and other governmental writings. One thing that I really don’t like is that he didn’t include a bibliography; he justified this by:

“I had to write whole sections of this book based on partial information. But this book is not intended to be a history text or a reference. I’m making some inflammatory observations; I don’t want you, the reader, to ignore the substance of what I have to say by getting bogged down in the details of my research. So I didn’t quote sources.”

This is a good introductory book on the subject of homeland security. He asks the general questions of the subject and explains his point of view on them. I think this is honest writing on the part of the author. Sometimes he lacks depth on his subject, but this is excusable.

There is a good quote that sums up the general mood of the book: “Last week a friend forwarded me one of those ‘quotable quotes’ emails that circle endlessly on the internet. At the bottom, it read: ‘You read about all these terrorists – most of them came here legally, but they hung around on these expired visas, some for as long as 10 to 15 years. Now, compare that to Blockbuster; you are two days late with a video and those people are all over you. Let’s put Blockbuster in charge of immigration.’”

At times I had doubts about his research for this book. For example, on page 111 he says in a “You should know” section: “The National Security Agency (NSA) is a completely separate ‘turf’ that focuses on cryptography, communication security, and signals intelligence.” The problem is that if you read “Body of Secrets: Anatomy of the Ultra-Secret National Security Agency from the Cold War Through the Dawn of a New Century” you’ll see that the fall of the CIA was mainly caused by the NSA, which won the bureaucratic game for funds. The FBI probably didn’t help, but saying that the NSA is a completely separate turf is a world apart from that. It’s possible that he is right, but I add a caveat here.

His home page is here: Marcus J. Ranum

This is my personal little review of the book, but you can get a full and complete review of the book by reading Robert M. Slade’s

Have a good read!

A9.com search engine – The consequences on your privacy


I just found a piece of news on the Future Now blog that caught my attention. It talks about the new start-up of Amazon.com, which is a new kind of search engine. Basically it’s a sort of wrapper over other search engines, like Google, with cool new features. You can get more information about the service here. Personally, I find these features really cool and interesting. You can use your Amazon account to log in at A9.com without any problem. Wow, thanks Amazon for such cool things!

After a couple of minutes, I thought about it and realized that this cannot be done by magic. I remembered all the books that Amazon proposed to me when I logged in with my personal account; most of the time they were really interesting. Then I thought that it would probably be the same thing with the A9 search engine. Here is the result of my little research, with some tips and comments about your privacy on this search engine of a new kind. Personally, I’m a big customer at Amazon; I buy approximately 30 to 40 books a year on their website. However, I will not use the A9 search engine, because I don’t want Amazon to know not only my reading habits as a customer but also every other subject that I search for on the internet. I can deal with the fact that Amazon.com uses my customer habits to propose interesting new books to me. I can deal with this because it can point me to books that I never thought of before. However, I don’t want them to propose many other things to me. I need to control the ads that pop up in my view. That is what I do by choosing not to use this new search engine.

First, you need to know that they collect four types of information: [Source]

• Information You Give Us: We receive and store any information you enter on our Web site or give us in any other way. You can choose not to provide certain information, but then you might not be able to take advantage of many of our features. We use the information that you provide for such purposes as customizing the site for you, improving the site, responding to your requests, and communicating with you.
• Automatic Information: We receive and store certain types of information whenever you interact with us. For example, like many Web sites, we use cookies, and we obtain certain types of information when your Web browser accesses A9.com. If you would prefer not to be recognized on our site, we recommend that you use our alternate service located at generic.A9.com. On generic.A9.com, we will not recognize your A9.com or Amazon.com cookie. Information we gather on generic.A9.com will not be used in our data analysis (other than to detect abuse) and will not be used to personalize the services we offer you.
• E-mail Communications: To help us make e-mails more useful and interesting, we often receive a confirmation when you open e-mail from A9.com if your computer supports such capabilities.
• Information from Other Sources: For reasons such as improving personalization of our service, we might receive information about you from other sources and add it to our information.

What can be freaky are the definitions of “Information You Give Us” and “Automatic Information”:

• Information You Give Us: You provide most such information when you use A9.com to search or otherwise communicate with us. For example, you provide information when you enter search terms; set bookmarks; download and use our toolbar; communicate with us by phone, e-mail, or otherwise; and employ our other services. As a result of those actions, you might supply us with personally identifiable information or information about things that interest you.
• Automatic Information: Examples of the information we collect and analyze include the Internet protocol (IP) address used to connect your computer to the Internet; computer and connection information such as browser type and version, operating system, and platform; the full Uniform Resource Locators (URL) clickstream to, through, and from our Web site, including date and time; cookie number; and pages you viewed or searched for.

As you can read, they store a lot of information about you and your search habits. It can be freaky. This information is gold. They have your entire profile: your name, your address, your postal code, your buying habits and your searching habits. If this information is not gold, what is it then?
Another thing is that this information can be accessed not just by Amazon but also by some kinds of police, because “[they] release account and other personal information when [they] believe release is appropriate to comply with the law”.
You can always use the generic.A9.com server. They are not collecting any information about you there. The only problem is that you don’t have access to the cool features. Instead, use Google; it’ll be more productive, I think.
You can use the service if you can accept the possible risks. The only thing I’ll tell you is: be aware of your privacy on the internet. This is just one example among many others.

Weblogs as a knowledge management tool.


I’m writing this post because today I found this really interesting article about blogging. It first describes knowledge: what it is, how it is created, the process of knowledge, etc. Then the author lists some tools for knowledge management, like email and weblogs. It describes the usefulness of weblogs for personal purposes and how a weblog is a useful tool for knowledge management.

I think this is an important article because we need to understand how this new type of web publishing can be used in our lives and in our constant quest for knowledge.

Finally, by reading this article you’ll know how I see this weblog. You can read it as a howto for reading my blog. I also had some other motivations to write here, like trying to improve my English writing 😉

PS: The author emphasizes the fact that people can post their comments to enhance the blogger’s thoughts. That’s why I tell you to leave your comments on my posts =)

What is important? The attitude!


The university has restarted. Northern life in Canada has also restarted. Everybody is going back to their normal activities after summer. People are coming back to the Thai boxing courses. Half new, half old, the normal schedule is restarting.

In a year, you see many people coming to try the sport. Some like it, some don’t. However, what’s really interesting is to talk to them. This week a special new girl (a lawyer in women’s rights law, “droit de la femme” in French; I am attempting a literal translation here) came to try it. She came two times, and every time she said to everybody, “What’s important is The Attitude”. Why was she saying this to everybody? I think it’s because she had just restarted training and lacked cardio, and what was important for her at that moment was The Attitude.

I just thought about it. Why now? Dunno. What I do know is that she was right. She was right to say that what is important is The Attitude. The Attitude is at every level. If you want performance and results, you need attitude. In training? You need attitude. In fighting? You need attitude. You got bad news? You need attitude. In the end, she was right. What’s important is The Attitude.