Cyberfortress vs. low-hanging fruit

My 9/21/06 “Zeichick’s Take” about automotive security brought several letters-to-the-editor, one of which made an excellent point that applies well in the physical security world, but which in my opinion falls down in cybersecurity.

Steve Brewin wrote,

“Apparently the vast majority of crime is committed by amateurs chancing on an easy opportunity. The simple lock removes the easy opportunity; amateurs will look elsewhere. Professionals play for much higher stakes and, while they can easily bypass such simple security mechanisms, the probability of an attack from them is massively less. Most targets are not worth their time. For most, the cost of installing systems capable of thwarting their attacks is disproportionate to the risk.

The insurance assessor explained that while most viewed their offer as a marketing exercise, their statistics told them that the discount they were offering was small compared to what they expected to save in the cost of claims alone.”

That’s very true. Professionals can unlock cars, remove The Club, jimmy house doors open, even break a laptop security cable with a small bolt cutter. So can a determined amateur, who can pick up the right tools or practice simple techniques. But what about the casual amateur? The kid walking through the parking lot who sees a brand-new iPod sitting in a car? For that kid, a locked door may be sufficient to make him move on.

In other words, if someone is bound and determined to steal YOUR things, locks probably won’t help. But if they’re just looking to steal SOMETHING, they’ll pick the lowest-hanging fruit. Your security system simply ensures that your fruit isn’t the lowest-hanging target.

But that falls down when it comes to cybersecurity — because of the shotgun approach. Even the most casual script kiddies use sophisticated port scans, SQL injection, worms and other automated techniques. Those are the equivalent of trying to break into every car in the parking lot simultaneously. I’m not sure that hoping someone else’s computer is a lower-hanging target is enough. It’s unfortunate, but our networks, servers, desktops AND applications have to become fortresses. At every layer of the stack, we’re being targeted.

Z Trek Copyright (c) Alan Zeichick

2007 editorial calendars are up!

(Cue the trumpet sound effects) The 2007 editorial calendars for SD Times and Software Test & Performance are now available.

For those of you who don’t follow such things, a magazine or newspaper’s editorial calendar provides insight into some of the feature articles that the publication will cover during the next year. It’s traditional for them to come out in September or October. Edit calendars often also provide information for advertisers regarding the cutoff dates for reserving ad space and for delivering ad materials. Edit calendars are used by writers, advertisers, and corporate communications professionals.

It’s important to note that edit calendars are always subject to change without notice. While we do our best to predict the long-lead stories for our publications, software development is a fast-evolving industry. So, you might want to bookmark the editorial calendars, and check back every few months to see if they’ve changed.

There’s one 2007 edit calendar still to come, for Eclipse Review. We’ll post that in a few weeks.

Eclipse bugs resolve later…or never

One of the challenges for any software development project — whether enterprise or for-sale, open source or not — is what to do about all those pesky defects that nobody’s going to fix. Why aren’t they going to be fixed? It might be that they’re not a show-stopper, or that there are other priorities, or there’s no easy fix, or simply that nobody wants to do it.

Every non-trivial software project has bugs that won’t be fixed. Sometimes you know that it’s not going to be fixed, and at other times, everyone has the best of intentions, but it just never gets done.

One of the benefits of most open source projects is transparency. Take Eclipse, which uses a public bugzilla feed to let users and contributors report defects. When defects are reported, often they’re resolved, but sometimes they’re marked RESOLVE LATER. Does that mean that the issue truly will be resolved later, or as some people suppose, is that a polite euphemism for RESOLVE NEVER?

Let’s face reality: Not every bug is going to be fixed. Yes, it would be nice to have less ambiguity, and to know for certain that a specific bug is going to be (or not going to be) addressed. But at least with a system like Eclipse’s RESOLVE LATER, you can see whether action is being taken or not. With non-open-source projects, or OSS projects that operate with less transparency than Eclipse, bug reports go into a black hole.

By contrast, with commercial software, a bug will only be fixed if the software owner sees the business value of fixing it. While I agree that RESOLVE LATER is suboptimal, it’s easy enough to see that a bug that’s been ignored for months or years isn’t going to be addressed. And that’s valuable information.

Goodbye, Patricia

The HP spying investigation is getting stranger by the day. When the company reported that its chairwoman, Patricia Dunn, was going to step down as of January, many of us knew that wouldn’t hold — she had to go, and she had to go now. Only a few days later, after more revelations, she resigned effective immediately on Sept. 22.

But what about the new chairman, CEO Mark Hurd? He’s presided over a remarkable turnaround; HP’s fortunes and reputation have improved tremendously since he took over from the disastrous Carly Fiorina. It would be a significant blow to HP were he to be forced out due to this scandal — but that’s a real possibility, given numerous reports that Hurd was in the loop regarding Dunn’s espionage on board members and journalists.

Indeed, as reported in this Fortune story published that same day, Hurd admits to having known that HP was involved with questionable activities. Isn’t it his job to intervene? It doesn’t look good for Hurd, and it doesn’t look good for HP.