
December 2006 Archives

December 1, 2006

A little modesty never hurts - The week of Oracle database bugs

In Hebrew it is called "tzniut" (צניעות), in English it is called modesty.

Having lived here for over 30 years I can attest to how arrogant Israelis can be, yet one of the best sayings in Hebrew is "to walk in modesty", referring to how you dress, speak and conduct yourself in general.

It didn't happen, but the week of Oracle database bugs might have been one of those "let's show everyone how smart I am" plays that seem to be common in the security industry.

Arun Koshy posted a very apt quote to the Dailydave list, which I will bring here verbatim (and quote another old Hebrew saying: "Those who quote words of wisdom from others help bring deliverance to the world").


Recently, we got to listen to an old man who designed missile guidance systems and stuff in his younger days, here are a few things that he shared :

- Never consider yourself bigger or better or greater than others. In my dealings with people who considered themselves great or small, I always treat them as real people equally valuable to G-d.

- Judge people by their attitude and effort and not by their output.

- Learn to fan the flames rather than put out the fire. We naturally tend to overlook the 98% which was done well but magnify the 2% that was not.

- Pray for everyone in sight... Forgive those who hurt you unreasonably... understand that healed people heal people and hurt people hurt people.

Very simple stuff but if it works for this old gun, I have a feeling that it may work for the rest of us.

Good stuff Arun. You have my vote.

Shabbat shalom...Danny

December 10, 2006

Microsoft, Novell - Part III, yes Virginia, Microsoft does want to engulf and devour the Linux consulting market

The great ruckus over Microsoft paying Novell for Suse Linux intellectual property seems to have died down as quickly and as vehemently as it flared up 3 weeks ago.

My interpretation was that it was about business and market share, not about Intellectual Property and Free Open Source (unlike some of my more vocal colleagues in the Israel Linux community).

I explained that Microsoft will want to reduce the market for independent Linux consultants' professional services by promoting the notion that Linux-Windows integration is important and by providing products for it.

I could not have gotten better vindication of my theory than seeing the massive ad campaign by HP for Linux-Windows integration on the sourceforge.net Web site this afternoon. Apparently the HP marketing people agree with my threat analysis and are responding with a preemptive attack, so here is the ad copy (at the risk of providing HP some free publicity, not that they need it from me):

Why does HP have eight consecutive years of Linux market share leadership? How about:

* Unbiased multi-platform approach to open source and Linux
* Proven ability to independently support 99% of service requests for our best-of-breed partner-based portfolio
* Single-source accountability and solution support from over 6,500 Linux professionals across 160 countries
* Integrated and supported HP Open Source Middleware Stacks
* Long-established HP value-add in management, high availability, and virtualization available on Linux
* Cost-saving consolidated infrastructure of HP BladeSystem
* Unwavering commitment to the open source community.

December 11, 2006

Software Security with Open Source: necessary but not sufficient

A common mistake in the information security world is to use network security tools (like firewalls, IPS and extrusion prevention systems) as band-aids to fix root problems in software.

Bruce Schneier has been lobbying for software security to become a regulatory/compliance play, where a software vendor would need to comply with government software security standards and, if their bugs cause damage, would be held accountable and liable to pay a fine.

I am skeptical of government regulation of software security ever happening (although if it did, it would be great for business). However, a recent OASIS working meeting suggests there may be another way to tackle the problem from the top down: by mandating government use of vendor-neutral security standards and open source software, in order to grow public accountability through transparency.

OASIS, the Organization for the Advancement of Structured Information Standards, is a non-profit consortium focused on developing e-business standards. They recently had a session in the EU where a draft resolution was proposed linking open source, software security, and public accountability.

“The house proposes that within 10 years all European governments will have adopted systems based on open security standards for all external electronic communication. By then, governments will use open source software exclusively to implement those open standards in order to be accountable to citizens, business and other governments.”

The naive reader might conclude that OASIS is pushing an anti-Microsoft agenda. However, the converse is true. Open security standards are about being vendor-neutral and open to review in a similar way that open source encourages peer review.

There is absolutely no question that security by obscurity is worthless and that the strongest security measures (whether in encryption or in software security) are those where the algorithm is held up to public scrutiny. The accumulated effect of eyeballs results in improved quality of the software and, concomitantly, in improved security.

When OASIS says open source software to implement open security standards, they are saying let's apply the peer review principle to both the algorithm (the standard) and the implementation (the software). This is a good thing, since in Europe (at the very least) transparency and the free market may be stronger than government regulation for corporate software governance. (I am skeptical of this working in Middle Eastern or Eastern European countries.)

The question still remains: are the Europeans ganging up on Microsoft or not?

I did a search on sourceforge.net today and confirmed a thesis I've held for a long time, namely that more and more Open Source projects are being developed for Microsoft Windows operating systems. Today, December 2006, out of 12,000 projects, 5100 were for Windows and 6900 were for Linux; almost half of all Open Source projects on sourceforge are on the Windows platform.

It is no wonder: if you get a new PC or notebook it will be running Windows XP, and it's dead simple to install MySQL on a Windows machine, or Ruby on Rails, or PHP, or Perl, or Postgres, you name it. And it's free. And it's open source.

Open Source applications are available for any operating system, not just Linux, which makes the OASIS proposal universal in its application.

This leaves us with a more fundamental question: is anything a government does really transparent, and does this really improve software security?

Let's say that the French Health Ministry uses SquirrelMail for its Web mail access. SquirrelMail is a well-known FOSS product that runs on either Windows or Linux under Apache. There might be an XSS vulnerability in the product, or the LDAP application they use for single sign-on might be vulnerable, or the Web server itself might have weak passwords; any number of problems might exist, regardless of how open the source is.

In other words, it's a good first step: a necessary but not sufficient condition.

December 19, 2006

Run information security like a business

There was an article this week in "Dark Reading" (apparently sponsored by McAfee) that brings us the gospel that:

"Security people should spend a little less time thinking like IT experts and a little more time thinking like insurance experts, according to a new report from the London School of Economics and McAfee. ...Imagine if security worked like insurance. You could tell your manager, 'We can spend $4,000 on this, and reduce risk by 14 percent, or we can spend $2,000 on that, and reduce risk by 7 percent,'" says Carmichael (the CSO of McAfee).


The sales people in your firm have sales quotas and are measured by gross profit margin and collections. The people who run manufacturing and distribution have quotas for manufacturing throughput and inventory cycle times.

Do your CSO, CIO, information security professionals and software developers have measurable quotas and compensation for meeting or exceeding their information security numbers? Chances are, your firm is not running information security like a business unit with a tightly focused strategy on customers, market and competitors.

Without well-defined, standard, vendor-neutral threat models and performance metrics, there cannot be improvement; and improvement is what our customers want.

A business lives on its information assets. Whether you're a contractor digging ditches for a cable provider or the cable provider's CEO, you live on information. Key company assets (such as customer records) are digital and live on a PC, a Windows server, a Linux server or a mainframe; the paper is a "hard copy", not the original.

Your firm manages fixed assets and produces 10-Q reports if publicly traded, but do you tag and valuate the digital assets that are key to the operation? Can you calculate ROI for digital asset protection technology, or prove compliance with Sarbanes-Oxley section 906, without measuring the value of your key operational digital assets?

Choose a business strategy for information security. Information security today runs on a cycle of reaction and acquisition: an incident happens, a product is bought.

Infosec needs to operate continuously and proactively within a well-defined, standards-based threat model that can be benchmarked against the best players in your industry just like companies benchmark earnings per share.

In his classic article, "What is strategy?", Michael Porter writes that "the essence of strategy is what not to choose...a strong competitive position requires clear tradeoffs and choices and a system of interlocking business activities that fit well and sustain the business". Security of your business information also requires a strategy.

Measure in order to manage, improve and comply

There are widely accepted and practiced revenue models, costing models and performance metrics that work for all kinds of business units. To cost a product or service, a distribution business uses markup margins, a manufacturing unit uses bill-of-materials costing and a professional services unit uses standard and activity-based costing. If you want to evaluate cash flow, just look at cash flow from operations, or free cash flow (FCF), which is simply cash from operations minus capital expenditures. True, FCF omits the cost of debt, but you have an objective indicator to go by that can be measured every week, every month, every quarter of the year.

A major supermarket chain recently lost $5M because its purchase prices for fresh produce were extruded to a competitor by an employee using instant messaging. The firm has locked doors and cameras, but locked doors and cameras can't help the CEO understand his total risk profile or evaluate cost-effective countermeasures for data asset protection.

December 20, 2006

Is PCI Data Security good for the Jews?

Living in Israel is like living in a Jewish shtetl (small village) in Eastern Europe.

Everybody knows who's sleeping with everybody else; people are afraid of (yet despise, and collect rent for) the local Polish landowner; the men (as Yuri Slezkine defines it) belong to a social and anthropological category known as "service nomads," an outsider group specializing in the delivery of goods and services. It is a question of survival: "Is the latest edict good for the Jews?"

It's the same in the information security industry: everybody wants to believe that regulation is good for the industry, and whenever one of the movers and shakers (like Basel II or Visa) wiggles, people start getting all shivery and excited.

A goyishe system engineer who works for one of my clients recently sent me an email about how Visa is now using financial incentives to get merchants, acquirers and card issuers to be PCI-compliant. So, big deal: now Visa is using a carrot in addition to a stick. He implied that it would be good for business for his company, which is in the extrusion prevention space.

Unfortunately for all you security technology vendors out there, merchants, acquirers and issuers can self-certify compliance by filling out a checklist. If they want a higher level of compliance they can throw some money at a GRC consultant like KPMG. If they want ongoing monitoring of their ecommerce sites, they can pay a Visa-authorized vendor $50/month to scan their web site for vulnerabilities and be PCI compliant.

See PCI Compliance Scanning of Websites

Until the card associations tell issuers, acquirers and merchants over a certain volume of transactions that a content monitoring system is mandatory, PCI's relevance to network security vendors will be tenuous and limited to prose in their marketing collateral.

For now, PCI is a checklist item for the data asset protection vendors; it is not a sales driver.

December 22, 2006

Elves

Man, it has been tough keeping up with the blog. Work keeps getting in the way, and I always try to schedule time for practicing and riding, but I'm not really succeeding.

A friend and partner in the sax section of the JP Big Band, Dr. Jeff Green, is not only a solid sideman on bari, he's also a brilliant translator. He just sent me an amazing translation of an excerpt from a Hebrew book that just came out.

Hey, I was just talking about how living in Israel is like living in a shtetl. I work in the security community and talk to clients all the time about assessing threats and vulnerabilities and providing economically effective countermeasures. Well:

"Who would have thought that the Katyusha would catch me outside? Six years I don't go out. I walk without thinking, house-market-work-house-clinic-work-house-market-house-work. Comes the Katyusha and catches Simona off her path."

I think you'll enjoy reading this: Elves


Danny

December 23, 2006

Winny

My friend Itzik Walzer is great about keeping his friends and colleagues up to speed on new tech developments in Japan. Itzik (aka Todd) has been in Japan for over 10 years; we worked together at Intel Jerusalem and he is one of the principals in iLand6, based in Tokyo.

To Americans, "winny" is the sound a horse makes in children's stories. But in Japan, Winny is the name of the dominant peer-to-peer file sharing protocol.

While eDonkey and BitTorrent are the P2P protocols used around the world for sharing music and video, in Japan over 95% of file sharing goes through the Winny protocol.

Winny was developed by Isamu Kaneko, a researcher at Tokyo University, who made the program available on his website, posting a warning against misuse. Kaneko was arrested in 2004. And last week he was found guilty of assisting copyright theft, fined $13,000, and ordered to take down the site.

The decision shocked everyone except the judge. The 2004 arrest had already scared Japan's IT industry off any activity related to P2P, legal or illegal. From executives of Fujitsu and Mitsubishi to the guy in the street, people are wondering how Japan can keep a cutting edge when it arrests a guy for creating technology that other people choose to misuse.

Similar court cases in Taiwan and Korea recently found the defendants innocent, and Kaneko's verdict will certainly be appealed.

Meanwhile, where will Japanese teenagers turn? To legal downloads? To foreign P2P sites? Or to the familiar "legal gray zone" of ripping CDs borrowed from the rental shop?

iLand6 focuses on the Japan communications market, in sales and business development. iLand6 Capital and Development Co., Ltd., Tokyo, Japan, www.iland6.com. Todd Walzer: twalzer@iland6.com

About December 2006

This page contains all entries posted to Israeli Software in December 2006. They are listed from oldest to newest.
