Some Stuff You Might Find Interesting 9-8-2009
IT’S A TAB DUMP
Hey, because of the holiday, I missed posting some stuff for you all about security & visualization last week. So I thought I’d make it up to you today (plus, I’m about to declare Firefox tab bankruptcy, as I tend to find things to mention on the blog here and then leave the tabs open indefinitely. I have about 47 tabs open right now).
VISUALIZATION FUN
All about a cool gov’t dashboard from Down Under:
http://infosthetics.com/archives/2009/09/about_new_south_wales_putting_open_data_online_the_australian_way.html
[link no longer works]
Flowing Data has a visualization tool discussion:
http://flowingdata.com/2009/09/03/what-visualization-toolsoftware-should-you-use-getting-started/
At The Intersection of Security & Visualization?
VizSec 2009 in Atlantic City, NJ (USA) http://vizsec.org/vizsec2009/#key
Not to denigrate the choice of Bill Cheswick too much, because I’d jump at the chance to see him speak, but if I can get on my soapbox – why is this conference so myopically focused on InfoSec practitioners? With all apologies to Raffy, we (as an industry) have no freaking *CLUE* how to go about creating useful information visualization. Look at our SIEMs. Look at our so-called GRC dashboards. How many CISSPs do you know that have read Stephen Few? Is Ben Fry in your RSS reader?
At the risk of repeating myself, our (InfoSec) problems are just not that unique. But we, as a community, continue to exhibit this bias that we’re this amazingly special discipline that nobody understands and the rest of the world has nothing to offer us. It’s like we’re IT’s version of emo teenagers.
Visualization Folks on Twitter in case you’re interested:
http://twitter.com/ia/
http://twitter.com/craigmod/
http://twitter.com/flowingdata
AND NOW – SOME LINKS
Does Minimalism Contribute to Security?
http://minima.al3x.net/post/27523216/By-avoiding-complexity-when-possible-and-containing
[link no longer works]
Wonderful quote there from Colin Percival. The problem with striving for a minimal code base (esp. in web apps) is balancing the simple with the desire for a relatively rich user experience (Seriously? Cool AJAX effects do not lend themselves to “minimalism”). It’s not trivial, but by using a Total Quality Management “Kansei” process (understanding how the user actually uses the software), one can create a great application that also reduces the cost of maintenance.
Cyber-Government
http://www.govtrack.us/congress/billtext.xpd?bill=s111-773&version=is&nid=t0%3Ais%3A286
Hey, it’s the Senate-introduced Cybersecurity Act of 2009 (S. 773). Read it and weep!
The Cloud
http://cloudsecurity.org/2009/08/31/cloud-cartography-side-channel-attacks/
[link no longer works]
Craig Balding writes up his views on a cloud security research paper (link to paper – http://people.csail.mit.edu/tromer/papers/cloudsec.pdf ). It’s a great read if you’re interested in applied threat models.
Cool Post from Bejtlich
Extreme Asymmetry in Network Attack & Defense:
http://taosecurity.blogspot.com/2009/09/extreme-asymmetry-in-network-attack-and.html
Gunnar on an OWASP Podcast
http://www.owasp.org/download/jmanico/owasp_podcast_39.mp3
[link no longer works]
Recorded or in person, I’ve never found a conversation with Gunnar to not be insightful.
Innovation in Search and Artificial Intelligence:
http://machine-learning.blogspot.com/2009/09/innovation-in-search-and-artificial.html
You want the future of InfoSec? It’s buried somewhere in there. And here ( http://entrepreneur.venturebeat.com/2009/08/14/probability-management-the-new-arithmetic-for-risk/ ). [link no longer works] Plus game theory.
Another Twitter feed for security: @secviz