What bothers me the most about this is the callous attitude that Dell had for the security, safety, and livelihood of the folks they sold to; from betanews:

Capacitors had been known to leak, and in some cases could pose a fire risk. The problems also posed a data loss risk, although the computer manufacturer made a concerted effort to play down any possible issues.

Nice. The NY Times continues the festival:

Crucially, in their complaints to Dell in the lawsuit, customers describe losing valuable information when their computers malfunctioned. Dell, by contrast, denied that that the capacitor issue had caused data loss.

So, Dell: putting us all at risk to cover their shame…  It’s just not right.

In one case, attackers were able to exert administrative control over the site, which enabled them to deliver bogus tweets pretending to originate from the accounts of a number of well-known members, including President Obama.

Hah!  It’s never any good when you let shady characters post content as the president of the US.  Semi-related, but in epic bad timing, a researcher demonstrated XSS issues in the platform… that’s not good.

Anyway, this is interesting to me in that the FTC should choose to exercise its muscle for cleaning up Twitter. I mean, they’ve gone after others in the past – but this is one of the relatively few in that there wasn’t actual cash at stake.  So… props to the FTC for taking the situation seriously.  No question that there were some serious issues and failure to uphold their security claims.  But I’m surprised at how forward thinking this is of them – most regulatory bodies are fairly slow to react.  Good job, FTC.

So, next stop: farmville?  I hear it’s a seedy underbelly of animal cruelty and lax agricultural safeguards…

All the brouhaha leads me to once again question the current certification process. Clearly there are issues, and all you have to do to see them is consider the “value” of the CISSP to the practitioner vs. the “value” of the CISSP to ISC^2. There’s a fundamental disconnect between what motivates people to get CISSP’s and what motivates ISC^2 to give it out. Look, the practitioner derives value from holding a CISSP due to its “exclusivity”; in other words, the fewer people that have the certitification, the more valuable it is to the credential holder – that’s why this issue with the college students is causing such a ruckus – it decreases the exclusivity of the cert. On the other hand, ISC^2 (as a for-profit entity) derives “value” from the CISSP due to popularity. That is, the more popular the cert is, the more people that they can get certified; the more people get certified, the more money they make – that’s why the college students thing seems like such a good idea to ISC^2. These two sets of goals, while balanced for the short-term, are at odds over the long-term.

Of course, the true malcontent would say that the value of the CISSP is neither about popularity nor exclusitivity, but is instead about utility. In which case, CISSP is already being eclipsed by yet another security certification – the most majestic of certs – the PI license. Umm… Yeah. See, since information security is (as a whole) an unlicensed discipline, practioners without CISSPs are just as free to practice as those with – CISSP may (or may not) increase your salary, but it doesn’t do bupkiss for your ability to do the work. However, a PI license is starting to be mandatory for some areas of infosec. Laughable though it may seem, some states such as Georgia are requireing infosec practitioners to have a PI license in order to provide expert testimony in a court of law. More specifically, when the case involves “acquiring evidence” (e.g. forensics and incident response), only the evidence of a licensed PI is acceptable. So Remington Steele, Magnum PI, or any other cheesy eighties dick has a better chance of getting a slot as an expert witness in a Georgia courtroom than a trained CISSP, CISM, CPA, CPR, CLAP, or any other combination of letters – unless that CISSP is really a CISSPPI (CISSP with a PI.)

So the question to ask if you want to get certified probably isn’t “how much experience do you have in security” but “do you look better in a tux or a hawaiian shirt?”

Don’t believe me? Check out the recent prosecution of Eric McCarty for pointing out a web application security flaw exposing personally identifiable information on the University of Southern California. Here’s a guy who found a flaw in a public web app, brought it to the attention of the folks over there, and got arrested for his efforts. Apparently, PII was avialable through the webapp, McCarty noted this, anonymously divulged the information through a third party (with the intention of having that get back to the University), and because he looked at that data he was arrested. Now, it seems to me that if the University of Southern California makes subscriber data available through their own incompetence, the folks who happen to come around and look at it shouldn’t get arrested for doing so.

So for a while now we’ve had NIPS (Network Intrusion Prevention System) and HIPS (Host-based Intrusion Prevention System); now apparently, somebody thinks that we need a completely new acronymn. Now, rather than staying with the anatomy motif and choosing something like LIPS (that would have been my pick), they’ve elected to use “PIPS”. I’m not entirely clear on what makes it “personal” – allthough both Panda and Gartner seem to imply that the fact that it’s integrated makes it personal… Maybe that’s it, although it seems to me that saying “PIPS” is more confusing than saying “suite”.

Anyway, given the tendency for people to slap an -IPS suffix on random letters, I wanted to use this humble forum to go on record as reserving the “CHiPs” acronymn for future use. Yep, that’s right – “Consolidated Holistic Intrusion Prevention System”. CHiPs is the natural evolution of the market, and provides a robust framework for prevention of nefarious activity. You heard it here first. Here are the features that differentiatie a true CHiPs:

- The use of two agents working in tandem
- Uses lightweight, maneuverable “mobile” agents
- Ability to locate and investiate mobile threats
- Designed “to protect and to serve” both consumer and enterprise PC’s
- Half the footprint of traditional mobile agents

This is coming, and man is it going to be awesome when it gets here.

What do you suppose would happen if I was involved in a hit and run, then I was videotaped almost running down a crowd of pedestrians, and then I told a crowd of police officers that I was drunk behind the wheel? I think it’s a safe bet that I’d spend the night downtown in the “windowless hotel”, don’t you?

Apparently, not so if you’re Paris Hilton. To illustrate the point that we’re all equal under the law – but that some of us are more equal than others – the LAPD let Paris and her friends stumble away unchallenged from a videotaped hit-and-run, obvious reckless driving, and a probable DUI. Don’t believe it? See it on video. It’s being rebroadcast by CNN to give it that air of legitimacy.

Interestingly, there’s a new trend among the hacker crowd: surreptitious injection of David Hasselhoff-laced content into otherwise “normal” messages such as websites, informational mailings, etc.

Personally, I love this. So also do folks over at “The Age” in Australia – they’ve reported several Hoff sightings or “hoffings” as it’s been called and they’ve even gone so far as to ask him about it. Surprisingly, he was pretty good natured about it and actually viewed it as a compliment; go David.

Thanks to Alan for passing this one my way.

“So when a bill came up in early April to consider allowing robotic traffic cameras at the busiest crossroads, mocking laughter from the gallery preceded the measure’s demise.”

Mocking laughter… Have I said how much I love it here recently?