Stomping on ALE's grave

Short post: I believe they still teach Annualized Loss Expectancy (ALE) as a way of calculating security risk in programs like CISSP. While I will write a whole post later on why CISSP is so outdated and irrelevant, ALE is one of its worst aspects. It should be killed and the grave stomped on thoroughly. Here is why....

Removable media control - lessons learned

I really should be completing my requirements doc, but I keep playing with Chrome and Ubuntu, and when I see incidents like this still happening I have to write a short post on removable media control. Starcraft 2 is also now a major distraction :)

Why do banks ask you for your password when THEY call you?

Short post: why don't companies in the UK positively identify themselves before asking for a user's password when they call you over the phone?

Cloud computing security - what is the fuss?

There are probably a number of good reasons why you shouldn't jump on the cloud computing bandwagon, but security should not be one of them, and here is why....

Preparing for Chrome, living without Windows

A bit of a different blog post starting today: a living journal. I really believe that Microsoft Windows' stranglehold on the personal and corporate OS market is under significant threat. As I have detailed before, any endpoint from anywhere, zero and thin clients, is the future and is starting now. The majority of corporate applications except SharePoint and Exchange (and who needs those with Gmail and Google Apps) run on Linux, and end users want to use Macs, Linux, and mobile OSes like iOS, Android, Palm OS and BlackBerry. Tablet PCs are great for certain use cases (presentations, video, ebooks, mind mapping) and Chrome OS will be the game changer that takes away Windows 7's massive market share. Finally, virtualization means that even if you can't live without Windows for 5% of tasks and hardware, you can run Chrome or Ubuntu and run Windows in VirtualBox / VMware, or vice versa; corporations can easily deploy these types of builds to zero client and thin client endpoints.

So in preparation for Chrome OS, I am going to run without Windows for 2 weeks and journal my progress here.

Follow along with your RSS reader so you can check updates on the train on your mobile. Please add your own experiences or advice as comments or links to your journal or blogs.

UPDATE: August 2010 - I am now continuing this as I actually experiment with Chrome OS.

Laws of Identity in Practice

If you are not familiar with Kim Cameron's identity blog or his "laws of identity", they are worth a read. I have been involved in a number of identity management (IDM) projects, so I thought I would analyse how I have found the laws applied in practice in banks in Australia and London. The laws are more applicable to designing identity systems than identity management systems, but I shall press on and consider them in an enterprise context.

The FUD that is used to sell DLP

Reasonably short post again: I just read an article titled "Why your organization needs to implement DLP", and had to write about it.

Fixing verified by Visa

Ok, short post again: what's wrong with Verified by Visa / Mastercard SecureCode and how to fix it.

Turning bankers to engineers in a generation

Ok, so I warned you that I will have some non-infosec postings on this blog, and this is one of those: how do we fix the situation where most of the talent wants to be bankers to make the money, and a much lower percentage of truly gifted people want to be engineers, scientists and entrepreneurs - you know, the people who actually contribute to advancing the world?

Here is how...

iPhone and Android securely in the enterprise

I was recently doing some investigation, thinking and evaluating on how to bring the iPhone and Android securely into the enterprise (also called Bring Your Own Device (BYOD)). I was interested in implementing not just a point solution but a strategic initiative that could still be deployed in phases.

The following diagram is a conceptual architecture of how I think this should be done:

Apple class action - ridiculous but could be costly

Ok had some long posts so time for a short one.

I think the class action against Apple and AT&T is ridiculous but could be costly

Practical lessons learned from implementing a Data Loss Prevention (DLP) program

Last year I had a chance to be involved in implementing a data loss prevention tool (Symantec Data Loss Prevention) and also to evaluate the RSA offering.

This is a post of my reflections on the experience and some lessons learned, which will hopefully benefit anyone needing to do this currently or in the future...

Security Return On Investment (ROI)

Regardless of where I have worked both in consulting / professional services (trying to sell stuff) and as an end user / industry (trying to get funding to buy stuff) security ROI has always been a challenging topic.

Ultimately in seven years in security (not long I know to get this smart) I have only seen one effective reason for any expenditure on security.

Blizzard WoW SC2 Real-ID


Hello world!!

For my very first entry, something that has a nice intersection of my interests/passions: gaming and information security - identity management: Blizzard's decision to introduce Real-ID (a system that shows your real name when you post on forums as well as when you are playing a Blizzard game such as World of Warcraft or the upcoming Starcraft 2). This is a major change (for gamers and infosec people) from the previous behaviour, in which only your handle or character name was displayed.

Just like sex and humour, everything is in the timing. I am not going to rant about the evils of Real-ID because, interestingly enough, bowing to public / pundit opinion Blizzard has just announced that Real-ID will be scrapped. As people who know me would attest, though, that is not going to stop me from having an opinion about it, and I actually hope that it gets introduced in an improved form.

Kim Cameron, who I respect immensely and who I have followed for a while, has an excellent post on the topic where he naturally ties it to his laws of identity. I really want to elaborate on my real life experiences implementing identity management systems in enterprises and how they comply with the laws of identity, but that's for another post.

I have always been a person that loved a debate and would like to think I can see the pros and cons in most things (even killing baby kittens :). So I would like to say what I liked about this Real-ID proposal and what I didn't like about it. However, I definitely don't sit on the fence on much, so there is a thumbs up or thumbs down at the bottom.

What I liked:
  • It had about a 30-40% probability of significantly reducing trolling and silly forum posts, achieving a key project objective; not bad.
  • It is really handy to be able to know when your friend is online, regardless of the character they play and the game they play
  • As far as I am aware you could still put/change a fake name
  • From a Blizzard bottom line perspective definitely a way to leverage the massive, hugely loyal fan-base for additional monetization as a social network

What I didn't like:
  • Choice, consent and opting in: turning this on without a public/forum discussion period or a pilot and trial period, not enlisting (or not enlisting the right/motivated) IDM experts to advise, or not listening to them. Also not learning any lessons from companies that have done this before and got the t-shirt, e.g. Facebook. Basically this, and probably many other factors, resulted in a draconian system which gave users very little choice and few options to opt in/out, that violated privacy and identity principles, and that alienated their most valuable asset.
  • Potential for some very real and practical breaches of privacy and the exposure of a user's identity in a context they did not approve or want, e.g.:
  • The ability for someone to search for all posts by a person and then tie them to other identity identifiers that the person has revealed, with or without their knowledge / consent, e.g. on social networking sites such as Facebook / LinkedIn, or just via Google, which picks up things like honours and awards from schools, clubs and professional organizations
  • The potential for an in game bully to follow a target across games and characters (already a risk to a degree without real-id)
  • The ability for an employer, girlfriend/boyfriend etc. to identify and link a person they know in another context (e.g. work, interview, date) to a Blizzard game profile and behaviour. Some would see this as a good thing if you have nothing to hide, you behave properly and you are always "yourself" to everyone in every context. But I'm not, so I have an issue with it.
  • Overall: I am glad it was scrapped because it was neither designed nor implemented in a manner that respected their users or complied with privacy and identity principles. However, I would be disappointed if this is the last we hear of Real-ID; with the right requirements, design and implementation process Blizzard could achieve their monetary and gaming experience objectives while balancing the user impact.

Some simple suggestions which many people smarter than me have already made include:

  • don't re-invent the wheel,
  • align to the identity laws and privacy principles, e.g. the EU privacy directive,
  • provide users options such as opt-in/out, delete all posts, and which characters and games Real-ID applies to,
  • get user consent for use of their Blizzard identity in the contexts proposed; make this simple, transparent and easy to use and change.

Comments / contrary views / corrections welcome. If you got this far, thanks for reading.

