Category Archives: Risk mitigation

The top 10 mistakes made by Linux developers

My colleague, Dr. Joel Isaacson talks about the top 10 mistakes made by Linux developers. It’s a great article and great read from one of the top embedded Linux programmers in the world.

The Little Engine That Could

Copyright 2004 Joel Isaacson. This work is licensed under the Creative Commons Attribution License.

I try to explain what I see as the top 10 mistakes made by Linux developers. I’m aware that one person’s mistake is another person’s best practice. My comments are therefore subjective.

I will use an embedded Linux device, the WRT54GS, a wireless router, as an illustration of an embedded Linux device. An interesting article about this device can be found at: http://www.pbs.org/cringely/pulpit/pulpit20040527.html.

“The Little Engine That Could” How Linux is Inadvertently Poised to Remake the Telephone and Internet Markets – By Robert X. Cringely

So what are the top 10 mistakes made by Linux developers?

10 – Pick a vendor.
9 – Then pick a platform.
8 – We are not in Kansas anymore.

Support Issues

10 – Pick a Vendor

  • In my experience picking a large foreign company for support is not the best way to go for various reasons.
  • More about this later.

Is network PVR the best direction for the big studios ?

The distribution of video over multicast-broadcast networks and content storage by users with Windows PCs and PVRs has created a huge threat surface for digital content.

Typical of flawed security countermeasures, HDCP and AACS exacerbate and enlarge the threat surface rather than enhance revenues and reduce risk.

In this article we will show that Network PVR services may be an effective strategy for studios to mitigate the risk of content piracy.

Background

NetFlix, Vudu and Universal Studios Home Entertainment are skipping over HD-DVD/Blu-ray formats in favor of what some industry observers say is inevitable – download-only distribution.

Beginning November 23 2007, Vudu started giving new buyers “The Bourne Identity” and “The Bourne Supremacy” pre-loaded on their set-top boxes in HD. Buyers can purchase a downloaded copy of “The Bourne Ultimatum”, for $25 starting December 11, 2007.

The VUDU box and services sounded pretty cool to me when I first saw it – until I realized that the price of “The Bourne Ultimatum HD” on Amazon is $27.99 with free Super Saver Shipping and I don’t need to buy the Vudu and commit to their service. It’s two bucks less with Vudu but the VUDU STB sets you back $250 (reduced from $400). The Vudu business model does not seem extremely compelling. Although you have a hard disk – you cannot go back and view a movie if you ran out of time in a single sitting. The Netflix business model of having 3-5 movies for unlimited usage still seems a winner and in comparison, Vudu just doesn’t seem to have all the movies we’d want to see.

The price of SD (standard definition) DVDs is between USD2-5, depending on where you live, and HD DVD seems to be going for about USD25-30, depending on the movie and season of the year. It’s cheaper and more convenient for a consumer to rent or buy a DVD from NetFlix or Blockbuster than to pay Vudu. If you want to see the latest episode of Dexter you can’t even get it on Vudu, and BitTorrent is more accessible, not to mention free.

While Vudu seems to have done some impressive engineering work on their STB, if they get any widespread traction, it may only be a matter of time until some irritated user cracks their box or bypasses the content protection.

What is HD (High Definition) video?

There is a good deal of confusion regarding exact definitions and consumer electronics product requirements for HD (high definition). HD refers to the quality of the picture (not to the means of digital content protection). Digital HDTV broadcast systems are defined by the number of lines in the vertical display resolution, the scanning system (progressive (p) or interlaced (i)), and the number of frames per second. The 720p60 format is 1280×720 pixels, with progressive encoding at 30 frames per second. The 1080i50 format is 1920×1080 pixels, with interlaced encoding at 25 frames per second. For commercial naming of the product, either the frame rate or the field rate is dropped, e.g. a “1080i television set” label indicates only the image resolution.

Is HD for digital TV only? (no)

If you have an older TV set with an analog RCA interface, you’re in luck – the issues of digital HDTV are eliminated by connecting your TV set to a DVD player using the analog HD signal output with RCA connectors instead of HDMI. The analog outputs of most HD devices will replicate the resolutions of the digital outputs, i.e. 720p and 1080i, so fidelity of the picture is maintained. Connectivity is via a standard VGA HD15 connector or high-resolution component video output using 3 x RCA connectors. Analog HD signals can also be distributed over standard Cat5 cable up to a few hundred meters, which is pretty convenient if you have a large house or a small hotel.

What is HDCP?

High-bandwidth Digital Content Protection (HDCP) is a proprietary DRM scheme for protecting premium HD content. HDCP was developed by Intel Corporation to control digital audio and video content transmitted on DVI (digital video) and HDMI (high definition media) interfaces in consumer electronics devices such as DVD players, STBs and TV sets. Compliance with HDCP requires a license from Digital Content Protection LLC, a subsidiary of Intel. In addition to paying fees, manufacturers agree to downgrade quality when interfacing to non-HDCP compliant devices. For example, HD video is downgraded to DVD quality on a non-HDCP compliant TV set. HDCP also incorporates a black-listing scheme for cracked devices, using key revocation where the black list is stored on the DVD media.

HD content protection – fundamentally flawed

The HDCP black-listing scheme defies the laws of physics and reason. For example, you may be a perfectly law-abiding citizen, but if someone in Timbuktu hacks your model XY500 DVD player, the device key is revoked, and you will never be able to play discs that came out after the date the device was compromised. If a hacker taps into the HDMI / HDCP signal and copies a movie en route to your model of TV set, the HDCP device key can be revoked and your 80 inch TV will never play high-definition again.

Will security turn into a B2B industry?

Information security is very much product driven and very much network perimeter security driven at that: firewalls, IPS, DLP, anti-virus, database firewalls, application firewalls, security information management systems and more.

It is convenient for a customer to buy a product and feel “secure” but, as businesses become more and more interconnected, as cloud services percolate deeper and deeper into organizations, and as government compliance regulation becomes more complex and pervasive, the security “problem” becomes more difficult to solve and even harder to sell.

I believe that there are 3 reasons why it’s hard to sell security:

The first is that it’s complex stuff, hard to explain and even harder to build a cost-justified security countermeasure plan and measure security ROI. The nonsense propagated by security vendors like Symantec and Websense does little to improve the situation and only exacerbates the low level of credibility for security product effectiveness, with pseudo-science and ROI calculations written by wet-behind-the-ears English-major marcom people who freelance for security vendors – as I’ve noted in previous posts here, here, here and here.

The second is related to prospect theory. A CEO is risk hungry for a high impact, low probability event (like an attack on his message queuing transaction processing systems, or theft of IP by a competitor) and risk averse to low impact, high probability events like malware and garden variety dictionary attacks on every ssh service on the Net.

The third is related to psychology. Why is it a good idea to cold call a CIO and tell him that the multi-million dollar application his business developed is highly vulnerable? Admitting that his software is vulnerable and going to the board to ask for big bucks to fix the problem is tantamount to admitting that he didn’t do his job and that someone else should pay the price. Very bad idea.

This is why cloud services are a hit.

Security is baked into the service. You pay for the computing/storage/messaging resource like you buy electricity. The security is “someone else’s problem” and, let’s face it, the security professionals at Rackspace or Amazon or Google App Engine are better at security than we are. It’s part of their core business.

The next step after cloud services is the security industry evolving into a B2B industry like the automotive or energy industry. You don’t buy brakes from McAfee and a car from Check Point – you buy a car from GM and brakes are part of the system.

That’s where we need to go – building the security into the product instead of bolting it on as an after-sale extra.

Offensive security

I have written several times in the past, here, here and here, about the notion of taking cyber security on the offensive.

James Anderson, president of Professional Assurance LLC, says that there is no evidence that governments can protect large firms from cyber attacks. “National security authorities may not even acknowledge that their interests align with a company that has suffered a cyber attack; therefore, companies must think about retaliation,” he says.

Should a company take retaliatory steps beyond simply increasing its own defensive perimeter? The answer depends on the seriousness of the attack and the potential threat from future attacks. Anderson says that simply turning over evidence to law enforcement may not save the company from future cyber attacks. But, if the attack had to do with a government’s critical infrastructure, authorities may take an interest; however, there are no established service levels for government response.

For example, Anderson says some activities that might be considered retaliatory are:

  • legal information gathering to identify attackers,
  • direct blocking of network traffic from specific origins,
  • use of transaction identifiers that label the traffic as suspicious,
  • placement of honeypots,
  • identifying and actively referring botnet details for blacklisting or referral to authorities or industry associations, and
  • certain types of deception gambits against suspected internal malefactors.

This is not the first time that I’ve heard the notion of retaliation using cyber space methods. There are two things wrong with this direction: a) retaliation, and b) using cyber security methods to attack the attackers.

The notion that there are two separate universes, a physical universe and a cyber universe, is wrong. There is one continuum of cyber space and physical space. Forget retaliation and go on the offensive. That means use counter terror techniques to discover hacker cells, infiltrate and disrupt them in the physical world. The problem of course is the price tag. It’s cheap to mount a cyber attack but if an attacker knew that they would lose their life if they attacked a US government installation with malware, a deterrent would be created.

Retaliation doesn’t create deterrence – at most, retaliation makes people angry. Just look at the reaction of Palestinian terrorists to Israeli retaliation raids.

Retaliation in cyber space is too late, too little. Instead – I call on the US and other governments to actively combat cyber terror with the same resolve that they attack physical world terrorists.

Practical security management for startups

We normally associate the term “small business” or SME (small to medium sized enterprise) with commercial operations that buy and sell, manufacture products or provide services – lawyers, plumbers, accountants, web developers etc…

However – there is an important class of small business operations that is often overlooked when it comes to information security, and that is the technology startup. A high tech startup is an SME by all definitions – usually fewer than 50 employees – but it doesn’t buy and sell and neither does it provide professional services. Unlike other small businesses, a high tech startup is almost purely focused on product research and development. Almost all startups have a very high percentage of software development. Even if the startup develops hardware – there is still a strong software development focus.

Intuitively – one would say that a primary concern for a startup is IP (intellectual property) protection and that starts with protecting source code.

Counter-intuitively this is not true. There are two basic reasons why source code leakage is not necessarily a major threat to a startup:

1) If the startup uses FOSS (free open source software), there is nothing to hide. This is not strictly speaking correct – since the actual application developed using FOSS has immense value to the startup and may often involve proprietary closed source code as well.

2) A more significant reason that source code leakage is of secondary importance is that a startup’s IP is invariably based on a combination of three components: domain expertise, implementation know-how and the implementation itself (the software source code). The first two factors – domain expertise and implementation know-how – are crucial to successful execution.

The question of how to protect IP still remains on the table but it is now reshaped into a more specific question of how best to prioritize security countermeasures to protect the startup’s domain expertise and implementation know-how. Prioritization is of crucial importance here, since startups by definition do not generate revenue and have little money to spend on luxuries like data loss prevention (DLP) technologies.

Software Associates works exclusively with technology and medical device developers and I’d like to suggest a few simple guidelines for getting the most security for your money:

The startup management needs to know how much their information security measures will cost and how it helps them run the business. Business Threat Modeling (TM) is a practical way for a manager to assess the operational risk for the startup in dollars and cents. The advantages of the business threat modeling methodology are:

  • Threat modeling places the focus on asset management and Value at Risk reduction before acquisition of information and security technologies.
  • Threat modeling helps select the right countermeasures, often prioritizing monitoring before active data loss prevention (for example).
  • Threat modeling, when done right, quantifies risk in dollar terms. This is particularly important when reporting back to the investors on exposure to data loss of IP.
  • Threat modeling helps justify investments in security, compliance and risk management to the management board – simply because it puts everything into financial values – the value at risk and cost of the security portfolio.

These are similar objectives to GRC (Governance, risk and compliance) systems.

The problem with most GRC (governance, risk and compliance) and ERM (enterprise risk management) systems is that they don’t calculate risk, they make you work hard and they’re not that easy to use.

I think that we can all agree that the last thing that a hi-tech startup needs is a system to manage GRC activities when they’re working to make the next investor milestone.

Startup management needs a simple security management approach that they can deploy themselves, perhaps assisted with some professional consulting to help them get started and get a good feel for their exposure to security and compliance issues.

How does a practical security management methodology like this work? Well – it works by using the common language of threat modeling.

You own assets – for example, expensive diamond jewelry stored at home. These assets have a dollar value.

Your asset has vulnerabilities – since you live on the ground floor and your friendly German Shepherd knows where the bedroom is and will happily show anyone around the house.

The key threat to the asset is that an attacker may break in through the ground floor windows.

The countermeasures are bars for the windows, an alarm system and training your dog to be a bit less friendly around strangers with ski-masks.

Using countermeasure costs, asset value, threat probability of occurrence and damage levels, we calculate Value at Risk in financial terms, and propose a prioritized, cost-effective risk mitigation plan.
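The asset / vulnerability / threat / countermeasure walkthrough above, carried into a small Value at Risk calculation as an added example. This is my own illustrative code, not the Software Associates methodology or any tool the post describes: the formula (Value at Risk = annual probability × damage fraction × asset value), the idea that a countermeasure scales down the probability of the threats it addresses, and all of the dollar figures, probabilities and names are constructed assumptions. The greedy planner keeps adding the countermeasure with the largest net benefit (risk reduction minus yearly cost) until nothing left pays for itself, and with these sample numbers it picks monitoring before a DLP suite, the prioritization the bullet list earlier recommends.

```python
"""Toy Value-at-Risk threat model for a startup (constructed sample data).

Assumed model (not from the original post):
  VaR(threat)  = probability * damage_fraction * asset_value
  a countermeasure multiplies the probability of each threat it addresses
  by (1 - mitigation) and costs a fixed amount per year.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass
class Asset:
    name: str
    value: float  # dollar value of the asset


@dataclass
class Threat:
    name: str
    asset: str          # name of the asset the threat acts on
    probability: float  # annual probability of occurrence, 0..1
    damage: float       # fraction of asset value lost if it occurs, 0..1


@dataclass
class Countermeasure:
    name: str
    cost: float                    # yearly cost in dollars
    mitigates: Dict[str, float]    # threat name -> fractional reduction in probability


def value_at_risk(assets: Sequence[Asset], threats: Sequence[Threat],
                  applied: Sequence[Countermeasure] = ()) -> float:
    """Total annual Value at Risk in dollars, after applying `applied`."""
    values = {a.name: a.value for a in assets}
    total = 0.0
    for t in threats:
        p = t.probability
        for cm in applied:
            p *= 1.0 - cm.mitigates.get(t.name, 0.0)  # residual probability
        total += p * t.damage * values[t.asset]
    return total


def prioritize(assets: Sequence[Asset], threats: Sequence[Threat],
               countermeasures: Sequence[Countermeasure]
               ) -> Tuple[List[Countermeasure], float]:
    """Greedy plan: add the countermeasure with the best net benefit
    (risk reduction minus cost) until no remaining one pays for itself.
    Returns the ordered plan and the residual Value at Risk."""
    plan: List[Countermeasure] = []
    remaining = list(countermeasures)
    while remaining:
        current = value_at_risk(assets, threats, plan)
        best = None
        for cm in remaining:
            reduction = current - value_at_risk(assets, threats, plan + [cm])
            net = reduction - cm.cost
            if net > 0 and (best is None or net > best[1]):
                best = (cm, net)
        if best is None:
            break  # nothing left is worth its cost at the current residual risk
        plan.append(best[0])
        remaining.remove(best[0])
    return plan, value_at_risk(assets, threats, plan)


def sample_model():
    """Constructed sample data: a startup whose main asset is its know-how."""
    assets = [Asset("design notes and know-how", 500_000.0),
              Asset("source code", 200_000.0)]
    threats = [Threat("laptop theft", "design notes and know-how", 0.10, 0.4),
               Threat("departing employee takes documents", "design notes and know-how", 0.20, 0.5),
               Threat("source repository leak", "source code", 0.05, 0.3)]
    countermeasures = [
        Countermeasure("Full-disk encryption", 3_000.0, {"laptop theft": 0.9}),
        Countermeasure("Access monitoring on document store", 8_000.0,
                       {"departing employee takes documents": 0.6}),
        Countermeasure("DLP suite", 40_000.0,
                       {"departing employee takes documents": 0.8, "laptop theft": 0.5}),
    ]
    return assets, threats, countermeasures


if __name__ == "__main__":
    assets, threats, cms = sample_model()
    print(f"Value at Risk before countermeasures: ${value_at_risk(assets, threats):,.0f}")
    plan, residual = prioritize(assets, threats, cms)
    for i, cm in enumerate(plan, 1):
        print(f"{i}. {cm.name} (${cm.cost:,.0f}/year)")
    print(f"Residual Value at Risk: ${residual:,.0f}")
```

With the sample figures the unmitigated Value at Risk is $73,000; the planner adds access monitoring first ($30,000 reduction for $8,000), then full-disk encryption, and rejects the DLP suite because once monitoring is in place its remaining risk reduction no longer covers its $40,000 cost, leaving $25,000 at risk.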

That’s it – adopt a language with 4 words and you’re on a good start to practical security management for your high tech startup.

The cloud concierge

The Israeli ISPs are really really bad. Just abysmal. It hurts me just to think about the level of customer service and data security incompetence that would make an Iraqi ISP running an operation in a store front beam with pride.

I assume that we are not the only business to suffer from Netvision (and Bezeq International and 012).

Perhaps there is a business opportunity for a “cloud concierge” service that would provide a VIP front end to the best of the international cloud service providers but with a local presence. The cloud concierge would help customers select and implement the right product, application and security, and provide a guaranteed SLA using unbundled services from providers like dnsmadeeasy, rackspace and peer 1.

My wife doesn’t get it. She asks: “What is the concierge angle here?” I reply – “How do you get basketball tickets, a recommendation to a good restaurant and a local metro card in a foreign country without the hotel concierge?”

Hmm, she says. “OK, now I get it. But how are you gonna make money out of it when anyone can google for cloud services?”

Got me there babe. Right to the bottom line. Then again, she already has a celebrity stylist service to buy shoes online. Why on earth would she need a cloud concierge?

The importance of data collection in a risk assessment

A risk assessment of a business always starts with data collection. The end objective is identifying and then implementing a corrective action plan that will improve data security in a cost-effective way, that is the right fit for the business.

The question in any risk assessment is how do you get from point A (current state) to point B (cost effective security that is the right fit for your business).

The key to cost-effective security is data collection. Let’s recall that compliance regulation like PCI DSS 2 and the certifiable information security management standard ISO 27001 are based on fixed control frameworks. It’s easy to turn the risk analysis exercise into a check this/check that exercise, which by definition is not guaranteed to get you to point B, since the standard was never designed for your business. This is where we see the difference between ISO 27001 and ISO 27002.

ISO/IEC 27002 is an advisory standard meant to be applied to any type and size of business according to the particular security risks they face.

ISO/IEC 27001 (Information technology – Security techniques – Information security management systems – Requirements) is a certifiable standard. ISO/IEC 27001 specifies a number of firm requirements for establishing, implementing, maintaining and improving an ISMS (information security management system), and specifies a set of 133 information security controls. These controls are derived from and aligned with ISO/IEC 27002 – this enables a business to implement the security controls that fit their business, and helps them prepare for formal certification to ISO 27001.

Let me explain the importance of data collection by telling a story.

After reading this article in the NY Times, An Annual Report on One Man’s Life, I was reminded about a story I read about Rabbi Joseph Horowitz (the “Alter from Novardok”) (1849–1919), relating his practice of writing a daily report on his life.

One of the things I learned from the musical director of the JP Big Band, Eli Benacot, is the importance of knowing where you are really holding in terms of your musical capabilities. Many musicians, it turns out, have the wrong self-perception of their capabilities. Sometimes, one sees a professional musician who is convinced of his proficiency and even within an ensemble he (or she) is incapable of really hearing how poorly they actually play.

Many times we feel secure but are not, or don’t feel secure when we really are. For example – a company may feel secure behind a well-maintained firewall but if employees are bringing smart phones and flash drives to work, this is an attack vector which may result in a high level of data loss risk. On the other hand – some people are afraid of flying and would prefer to drive, when in fact, flying is much safer than driving.

After we collect the data and organize it in a clear way, we then have the ability to understand where we are really holding. That is the first step to building the correct security portfolio.

So, let’s return to Rabbi Joseph Horowitz, who wrote a daily and annual report on his life. Here is his insight into implementing change – certainly a startling approach for information technology professionals who are used to incremental, controlled change:

“Imagine this scenario: A person decides that he wants to kasher his kitchen. But he claims, ‘Changing my dishes all at once involves throwing out an entire set and buying a brand new one. That’s quite an expense at one time. I’ll go about the kashering step by step. Today I’ll throw out one plate and replace it with a new one, tomorrow with a second and the next day with a third.’

“Of course, once a new plate is mixed with the old ones, it becomes treife like the rest. To kasher a kitchen, one must throw out all of his old dishes at once.

“The same holds true in respect to changing one’s character traits or way of life. One must change them in an instant because there is no guarantee that the anxieties and pressures that deter him on any given day will not deter him the following day, too, since anxieties and pressures are never ending.”

(Madreigat Ha’adam, Rav Yosef Yoizel Horowitz).

10 guidelines for a security audit

What exactly is the role of an information security auditor? In some cases, such as compliance by Level 1 and 2 merchants with PCI DSS 2.0, external audit is a condition to PCI DSS 2.0 compliance. In the case of ISO 27001, the audit process is a key to achieving ISO 27001 certification (unlike PCI and HIPAA, ISO regards certification, not compliance, as the goal).

There is a gap between what the public expects from an auditor and how auditors understand their role.

Auditors look at transactions and controls. They’re not the business owner and the more billable hours, the better.

The “reasonable person” assumes that the role of the security auditor is to uncover vulnerabilities, point out ways to improve security and produce a report that will enable the client to comply with relevant compliance regulation. The “reasonable person” might add an additional requirement of a “get out of jail free card”, namely that the auditor should produce a report that will stand up to legal scrutiny in times of a data security breach.

Auditors don’t give out “get out of jail” cards and audit is not generally part of the business risk management.

The “reasonable person” is a legal fiction of the common law representing an objective standard against which any individual’s conduct can be measured. As noted in the wikipedia article on the reasonable person:

This standard performs a crucial role in determining negligence in both criminal law—that is, criminal negligence—and tort law. The standard also has a presence in contract law, though its use there is substantially different.

Enron, and the resulting Sarbanes-Oxley legislation, resulted in significant changes in accounting firms’ behavior, but judging from the 2009 financial crisis, from Morgan Stanley to AIG, the regulation has done little to improve our confidence in our auditors. The numbers of data security breaches are an indication that the situation is similar in corporate information security. We can all have “get out of jail” cards but data security audits do not seem to be mitigating new risk from tablet devices and mobile apps. Neither am I aware of a PCI DSS certified auditor being detained or sued for negligence in data breaches at PCI DSS compliant organizations such as Health Net, where 9 data servers that contained sensitive health information went missing from Health Net’s data center in Rancho Cordova, California. The servers contained the personal information of 1.9 million current and former policyholders, compromising their names, addresses, health information, Social Security numbers and financial information.

The security auditor expectation gap has sometimes been depicted by auditor organizations as an issue to be addressed by educating users about the audit process. This is a response not unlike the notion that security awareness programs are effective data security countermeasures for employees who willfully steal data or bring their personal device to work.

Convenience and greed tend to trump awareness and education in corporate workplaces.

Here are 10 guidelines that I would suggest for client and auditor alike when planning and executing a data security audit engagement:

1. Use an engagement letter every time. Although the SAS 83 regulation makes it clear that an engagement letter must be used, the practical reason is that an engagement letter sets the mutual expectations, reduces risk of litigation and by putting mutual requirements on the table – improves client-auditor relationship.

2. Plan. Plan carefully who needs to be involved, what data needs to be collected, and require input from C-level executives to group leaders and the people who provide customer service and manufacture the product.

3. Make sure the auditor understands the client and the business. Aside from wasted time, most of the famous frauds happened where the auditors didn’t really understand the business. Understanding the business will lead to better quality audit engagements and enable the auditor and audit manager to be peers in the boardroom, not peons in the hallway.

4. Speak to your predecessor. Make sure the auditor talks to the people who came before him. Speak with the people in your organization who did the last data security audit. Even if they’ve left the company – it is important to understand what they did and what they thought could have been improved.

5. Don’t tread water. It’s not uncommon to spend a lot of time collecting data, auditing procedures and logs and then run out of time and billable hours, missing the big picture, which is “how badly the client organization could be damaged if they had a major data security breach”. Looking at the big picture often leads to audit directions that can prevent disasters and subsequent litigation.

6. Don’t repeat what you did last year. Renewing a 2,000 hour audit engagement that regurgitates last year’s security check list will not reduce your threat surface. The objective is not to work hard, the objective is to reduce your value at risk, comply and … get your “get out of jail card”.

7. Train the client to fish for himself. This is win-win for the auditor and client. Beyond reducing the amount of work onsite, training client staff to be more self sufficient in the data collection and risk analysis process enables the auditor to better assess client security and risk staff (one of the requirements of a security audit) and improves the quality of data collected, since client employees are closer to actual vulnerabilities and non-compliance areas than any auditor.

As I learned with security audits at telecom service providers and credit card issuers, the customer service teams know where the bodies are buried, not a wet-behind-the-ears auditor from KPMG.

8. Follow up on incomplete or unsatisfactory information. After a data security breach, there will be litigation. During litigation, you can always find expert testimony that agrees with your interpretation of information, but the problem is not interpreting the data but acting on unusual or missing data. If your ears start twitching, don’t ignore your instincts. Start unraveling the evidence.

9. Document the work you do. Plan the audit and document the process. If there is a peer review, you will have the documentation showing the procedures that were done. Documentation will help you improve the next audit.

10. Spend some time evaluating your client/auditor. At the end of the engagement, take a few minutes and interview your auditor/client and ask performance review kinds of questions like: What do you think your strengths are? What are your weaknesses? What was successful in this audit? What do you consider a failure? How would you grade yourself on a scale of 10?

Perhaps the biggest mistake we all make is not carefully evaluating the potential we have to meet our goals as audit, risk and security professionals.

A post-audit performance review will help us do it better next time.

The security of open source software

A conversation with a client this morning revolved around software development tool alternatives in an environment of Web Socket.

Why not use Flash on the client and AMF on the server side?, the client asked. I hesitated for a moment and answered – because Adobe is proprietary and closed source and the only developers looking at the code are Adobe employees. If you’ve ever gotten a white screen of death and a cryptic #1707 upload failed message – you know what I mean. Everything else – the security vulnerabilities of Flash, the cost of development, the support costs – all derive from the closed-source proprietary software.

In 2011, there seems to be more awareness that Open Source software is more secure and more reliable. In reality, the most secure systems available today are based on the open source model and peer review. There is absolutely no question that the secret to creating great software that is also secure software is by marshaling as many smart people as possible to the task.

Natalie Walker-Whitlock wrote an excellent article – The security implications of open source software almost 10 years ago and it’s still an excellent read.

Traditionally, software security was equated with secrecy. You lock up your house, your car and your valuables. In the software community, you “lock up” the programming source code as a means of securing it against hackers and competitors.

To the closed source camp, a system can’t be truly secure when its source is open for all to read. This is patently a very bad idea since with good guys and bad guys all looking at a supposedly secure system, disclosing the source discloses software defects and by remedying defects, the software becomes more reliable. More reliable software slows up intruders and reduces the attack surface and, in the event of a data breach, keeps damages due to data loss at a minimum.

Paying the price for peace

An exceptional post by Lilac Sigan, “Too bad it doesn’t pay to be a nice guy”, suggests that Israel may be better off in the long term in its relations with Turkey by demanding a quid-pro-quo (the Turks are demanding reparations and an official apology from Israel for boarding the now infamous Gaza flotilla boat, the Marmara).

There is a larger issue that Israel has with foreign policy and that is constantly being defensive. I believe that the root cause of Israel’s perennial problems with public relations is the “need to be loved and be thought a nice guy by the rest of the world”. This in itself is rooted in 2,000 years of being a minority in the Diaspora, having to keep a low profile in order to stay alive.

An interesting corollary that may be derived from the post is the notion of the price to be paid for peace and who pays the price. Conventional wisdom is that the Americans and the Israelis need to pay the Arabs for peace. The fact that this wisdom has no basis in reality or history is immaterial. But – the same conventional wisdom states that Israel is the key to peace in the Middle East. If so, then it follows that the question should be not how much Israelis should pay but how much the Arab and Palestinian nations should pay Israel for peace.

Just like being assertive is important on a personal and business level, the world will think better of Israel when Israel’s leaders stop being defensive and attempting to be the perennial “nice guy”.
