Wednesday, March 26, 2008

"Hacker Proof" - Update 2

UPDATE March 28th, 11:00am CDT
Judy was kind enough to try and get an answer to the concrete questions I posed in my last reply (via comment). At this point, I think there is still some marketing "fluff" to cut through, so I will persist onward to try and get the answers I think you, the readers (and I), want.
UPDATE March 27th, 1:00pm CDT

I got another reply from Judy (see comments section) and she continues to address some of my concerns from the original and subsequent posts. I have replied with my own comment to hers, this time in the comment section and not in a new blog entry. Please take a read; her reply is worth the time it takes to read, and I hope mine is as well. Thanks!

After a very lengthy and rather well-written response from the folks over at Comodo (as you'll see in the comment to Update 1), I thought it through and have a response, on which I continue to welcome open debate.

My response:
I understand that the Comodo brand and "HackerProof" program is all about creating trust. I've gathered that from marketing material, and from your rather lengthy explanation of your business model. I get it. What concerns me here is that there is still a rather gaping hole where an explanation of the "security services" should be. Let me address the 3 points that you brought up:
  1. "The Hacker-Proof seal confirms the site is safe from vulnerabilities that hackers can exploit" - I have yet to have someone or some piece of marketing literature explain this to me. I understand how verifying the identity of a company, auditing its books, etc. makes them more trustworthy - yes, I understand that clearly - in fact, I wish ChoicePoint would have done that... but I digress. Please explain to me the how of this point. Enough marketing already, let's get to the meat of the product offering. Do you use scanners, ex-hackers, a combination of the two, some home-grown tools... what?
  2. b? (just picking on you now...) "The identity of the business has been authenticated and verified" - This service is very much needed, and should be a well-regarded piece of your business that I would actually pay for, as a customer. I, an avid online shopper, would actually pay a premium on goods (as much as 5% maybe?) to know for certain that some [trustworthy] 3rd party has verified that the company I'm sending my credit card information to, and buying goods/services from, is legit. I applaud this piece of your business and I think, if well executed, this is a worthy service to the Internet.
  3. "that the site is worthy of a seal issued by a brand that over 100 people associate with security" - I'm not sure where you're going with this one, so I'm just going to leave it be. I understand you sell desktop protection tools - in fact, that's how I came across your site! I've yet to find your products available or reviewed in a "well-known" publication, review, etc. (although this should not be entirely attributed to your company's lack of recognition). Again, this may just mean I've not read enough, or haven't looked hard enough.
OK, so what have we learned here from Judy's reply? I indeed did miss the point slightly in my comparison of ScanAlert to Comodo, in that while ScanAlert is merely a marketing machine, Comodo does provide a trustworthy Certification Authority as a business service. This lends credibility to the company, but does not give it a free pass on the finer points of my argument. While here and now I will concede that Comodo's "HackerProof" isn't necessarily a scam, I will still contend that it is misleading. From what I have read so far, and heard from opinions offered to me, Comodo still only offers a "trustworthy certification" and can say very little for a site's ability to be "Hacker Proof", as stated on the seal. Therefore, I offer this opinion: rather than the misleading "Hacker Proof" seal that's there now, change the shield logo to say "Certified Trustworthy by Comodo" or something of that nature. You're still misleading people into believing you're verifying the actual security of the applications/sites that affix this seal to their splash pages. I see a half-hearted effort to say that there is some "security" done here - but I have no idea how you can honestly say that "The Hacker-Proof seal confirms the site is safe from vulnerabilities that hackers can exploit".

Let's clear it up. I think you, Comodo, need to do one of 2 things here:
  • Demonstrate and make more transparent your "ability to confirm a site is safe from vulnerabilities that hackers can exploit" - how do you do this? I'm not asking for the secret sauce - just give me enough to make me sleep better.
  • Change your seal to quit misleading people.
I thank Judy for her prompt reply, and I hope I have been able to continue to make my point clear, and not sound like I'm attacking the company without due cause. I am simply disgusted by what passes as "Security" these days in the online world - and something has to be done about it. At this point, I've decided to start with those that give out these "Hacker Safe"/"Hacker Proof" seals... because I honestly believe they're misleading the public. Thanks for your reply - I welcome more dialogue.

Tuesday, March 25, 2008

"Hacker Proof" Update 1

I thought I'd update my readers on the progress of the invitation I've extended to the folks over at Comodo (the "HackerProof" logo people). As of tonight, I've gotten no reply.

I'm going to try and contact them directly via phone/email tomorrow, since those folks obviously don't Google themselves much. Perhaps it's arrogant to think that a company has resources that scour the web to find things being posted or written about their company (particularly on my blog) - but it's been 5 days and I figured that by now someone would have responded. I mean, heck, even the ScanAlert CEO replied relatively quickly, even if his reply didn't defend his company... at all.

Anyway - invitation's still open folks. I want to hear from you so I can report it to these fine readers! Look for emails/calls from me in the coming days.

Oh, as a sidebar, you can pop this quickie into your browser to find blog postings for these guys:

Thursday, March 20, 2008

This time, it's "HackerProof"... oh boy

Company Name: Comodo Group
Slogan: Creating Trust Online
Product: "HackerProof" logo

You have got to be kidding me! I can't believe my eyes. Someone else figured they should get in on the scam ScanAlert (aka McAfee) is running. Exploiting the Internet buying public's desperate need to trust someone or something in the online world, these companies are falling all over themselves to give people that sense of security. Of course, this sense of security is, as far as I can tell, entirely false. As my previous blog on "Hacker Safe" mentioned (and was poorly rebutted by their CEO), "ScanAlert" is exploiting people's need to have something to trust and making money out of it - but they are doing relatively nothing to earn this trust.

These people, over in the UK at Comodo Group, are pulling the same scam, it seems. I will admit - maybe I'm entirely wrong (and if so, *someone from Comodo please set me straight*), but this service has very little to do with security, and everything to do with luring and converting web hits into purchases. Look over at this page if you want evidence of that.

Comodo's range of solutions gives businesses the ability to create online trust through proprietary technology that helps e-businesses convert more customers, retain more customers and increase lifetime value.

OK then, please tell me about this proprietary technology you're using. I'd love to hear more! Does Comodo employ web scanning tools, automated scanners, both, none of the above? What's the frequency, Kenneth? I found this PDF called "FastFacts" which tells a little more about the services Comodo offers, but now I'm slightly confused. So, Comodo is a "one stop shop" for all things security... OK. It's obvious that the majority of the services are geared towards SSL certificates and creating bi-directional trust between user and site, so let's continue. Wait! There is a tiny, little blip on Page 4 of the above referenced PDF that says this:

Hacker Guardian
Vulnerability scanning solutions affording your customers
extra protection from hackers and malware threats.

Hrmm.... I don't feel all that much better about their "security offering". I still have no idea how their product/service works, besides putting a logo on my site to get people to trust it and buy from me. I'm sure there is some secret sauce here, some magic that happens. In my book, if you're going to give me a "HackerProof" logo (and let me start out by saying that anything that's Proof means it's guaranteed not to happen) you're doing the following things to ensure you can say that:

  1. Scanning the site's servers, hardware and entire environment for known defects or configuration flaws, ranging from too many open ports, default accounts, missing patches and open services

  2. Scanning the web application itself extensively; this means source code, black-box testing and extensive scanning and re-testing

  3. Verifying my company's identity, URL and DNS parameters to be legitimate 24x7x365

Are the "HackerProof"-ers doing this? I honestly can't say. Would I put a paycheck on the fact that they aren't... hrmm. I'll tell you readers one thing. This one I'm going to get to the bottom of. I'm going to get someone at Comodo to give me an interview, so I can ask the questions that need to be asked, and hopefully get straight answers. Stay tuned.

Folks at Comodo Group, please contact me - I'd be thrilled to post a follow-up piece that says I was dead wrong!

India's culture in clash

With the IT boom in India in the past several years, many interesting laws have been tested and are now clashing directly with the country's need to continue to be competitive in the world labor market. One specific case, identified here, demonstrates exactly what happens when old law clashes head-on with the need to innovate and stay competitive.

By the looks of things, India has some very serious issues it needs to work out.

"According to state law governing Bangalore, where the Hewlett-Packard operations are based, women are not allowed to work in the evening. A special provision is made for information technology and related companies, which must ensure adequate transportation and security for female employees." --International Herald Tribune

Here we have a crisis. In order for India to stay competitive in the technical labor market (of which 50% is women) the state laws of Bangalore have to be updated. Or do they? It's a clash of capitalist interest versus age-old laws in cases like this. Perhaps the law forbidding women to work at night is outdated, and surely that point can be argued well - but what if the state refuses to change the law? Will the capitalist interest of foreign IT shops win out, or will traditional law prevail?

Analyzing this situation from a business perspective, the law on the books is simply impractical. In order for an IT company to stay competitive and continue to prop up India's economic boom, IT shops must have round-the-clock labor forces, which will inevitably include women. Further, it is arguably infeasible (from an economic standpoint) to provide security and transportation for each and every female worker who is working night hours. To expand this even further, as the article being quoted here mentions, there is a shortage of licensed and certified drivers for companies to use. So you have a dilemma.

While the outcry for social responsibility will not go silent, it will inevitably be weighed against the need to stay competitive in the world market. Using some basic logic it can be inferred that increased security costs will drive up the cost of doing business in India, or cause foreign companies to look elsewhere. While I do not advocate the "do nothing" mentality, nor do I feel like capitalism should trump tradition, I unfortunately recognize there will be some sort of "reality check" that happens in the very near future. I can only reason that India will find a way to maintain the security of its female workforce while keeping its labor costs from skyrocketing. Perhaps it's time for the state to step up and do something?

In the final analysis, the fact that an executive of a large company is being held liable for the death of an employee is unfortunate. The debate in the courtroom will no doubt be over whether it is the company's liability, or whether there is some inherent risk associated with working those hours - after all, it's not a slave camp, it's a choice, right? I'm just glad I'm not on that jury.

I welcome your comments, concerns, or debate.

Monday, March 17, 2008

Observations on airport (in)security


As I travel (and it's been a steady stream of airports in the past few weeks) I can't help but notice airports' security. Nothing stands out to me more than walking up to a cluster of flat screens trying to locate my flight, which I already know is late, and finding a big, silly Windows blue-screen staring back at me. I realize these aren't "critical" systems to the operation of the airport - but I would figure that if something like this were down, someone would notice! Apparently I'm asking too much. The same cluster of flat panels showed the Critical Windows Error for about 90 minutes, before I had to board my plane and go. No one noticed.

I wonder what else goes unnoticed? I wonder about all those service terminals at the unmanned gates. I wonder about that combination fingerprint reader, card proximity reader and pin-pad that sits there unused at the front of the security screening line. I wonder about the Ethernet jacks that are visible and pluggable in half-empty terminals late in the evening. I wonder about all the may-as-well-be-open Access Points that I am far too worried to connect to.

It's an airport, right? It's supposed to be secured like Fort Knox, no? What's happened to all that money the government has poured into making consumer flight more secure? It's sure not showing at the airports... unless you count security in flat screens and glitzy paintings.


Sunday, March 16, 2008

A disturbing trend... viral marketing in business

Working in corporate IT for the past several years, I started seeing a disturbing trend in recent years. I noticed that more and more things were marketed towards end-users and not to IT departments like in the past. Companies have started marketing their wares directly to the end-users with little care for what type of impact they would have on the IT support structures.

The perfect examples are the iPhone, and Google Apps. Both tools were marketed directly to the appeal of the end-user and made every effort to create a tool (or set of tools) which could be brought into the business environment by an end-user with as little effort as possible. This, of course, would allow things like Google Apps and the iPhone to make it into corporate environments in extremely large quantities, and without corporate IT being ready for their arrival. This is an interesting shift in strategy, and is a marked departure from the past way of doing things.

Ordinarily I would be all for a technology company making its products so simple to use anyone could buy and implement them - but I'm starting to see that go to an extreme. I saw more iPhones pop up, and more Google Apps pop up than my teams knew what to do with. This caused resource problems in the case of the iPhone, and serious privacy and security concerns in the case of Google Apps and so I'm left trying to find a happy middle ground between usability and corporate supportability. Allow me to comment further.

IT support infrastructures are built upon standardization and minimization of effort. Without those two components, the corporate IT support structure becomes chaotic and ineffective. To take that to an example - a large company's IT support works best when everything is standard in the case of a laptop (hardware), core-loaded applications (OS/apps) and support tools (antivirus, etc). When a user deviates from the "mold" that corporate IT sets out it becomes difficult to support and can create major security and privacy concerns for the company. It's even worse when you consider that with some of these technologies (such as Google Apps) an end-user can easily bypass corporate security policy and cause catastrophic results without intending to do so. The situation is getting worse out there.

The problems with these "virally marketed technologies/products" are as follows:
  1. Corporate IT is unprepared for the entry of new technology into the corporate environment
  2. Support issues (software/hardware conflicts, etc.) between existing and new technology cause system crashes and other issues, creating help desk havoc
  3. Security and privacy issues with untested, unvalidated, unapproved technologies

So, you ask yourself - if it causes security issues, support issues, and stability issues for everyone all around - why do companies market like this? Quite simply put - it sells product. The iPhone exploded onto the scene and infected companies before IT departments were ready to deal with it - but like it or not it was here to stay. This creates a big problem for corporate IT units.

Corporate IT is left fighting the new battle - unknown/untested/unvalidated technologies being marketed at their user base and making their way into the corporate environment. What can IT do? Nothing, as far as I can tell. Being prepared is a good start if we can figure out how to do that, but aside from that IT will always be in reactive mode unless someone, somewhere comes up with a much better idea. Can you lock out any "unknown/unapproved" technologies? Maybe - but it's often extremely expensive and it will be argued that it stifles business and innovation. Yikes.

Let's be honest with ourselves. Corporate IT has a big problem. This problem will likely get bigger, and more menacing, as more things are marketed to "get around IT bottlenecks". It all goes back to the image IT has of stifling business and imposing harsh guidelines which don't enable businesses properly. So what's the solution, really? Corporate IT must change its image, educate its users, and seriously keep an eye out for these disruptive, virally marketed technologies - because if you don't think there are any iPhones, Google Apps, or other tools in your environment... you either rule with an IT iron fist or you're in big trouble.


Where's Waldo? (A quick update)

Hello again readers, fans, and crawlers!

It's been a while since I last wrote and I wanted to take a minute to update folks and let you know what's been going on, and why I haven't written. First, I've changed day-jobs, which has stressed my time and I've been traveling almost non-stop the last few weeks. I'm going to be making a much more concerted effort to write regularly on topic going forward.

Now - for the shocker. As you hopefully read in an earlier post, I was very critical of the HP acquisition of SPIDynamics. (If you have no idea what I'm talking about, go back and read it; it's a short read.) I was critical of the acquisition, and in light of some of the other acquisitions in the security space I stand by my initial assessment. It's been almost a year, and I am thrilled to report that things have gone so well for the acquisition that I now work for HP under the Security Software portfolio (better known as the ASC). You read that right. This is one of those situations where I felt so strongly about the positive synergies between HP and SPIDynamics, and the overall milestone results so far, that I decided I wanted to work there.

There you have it. No worries - my blog won't be going away, in fact, I will likely move it over to the HP Application Security Center (ASC) website where there is also a wealth of knowledge and other blogs, articles and resources for you to check out.

I'm thrilled to be a part of the HP family, and excited to be on the cutting-edge of Application Security, on a global scale.

Cheers, thanks for reading... and as always - more soon!