Securosis Blog

Another PCI Suggestion

Rich · March 19, 2008

Make the list of who is compliant (and by default, not compliant) public. Allow consumers to decide if they value security enough to do something about it.

Is PCI Worthless?

Rich · March 19, 2008

Update: Yes, I know it’s the QSAs not ASVs that certify. Dumb mistake on my part.

Yesterday I posted an analysis of the Hannaford breach in which I made a contentious statement.

The conference season is upon us. This week we discuss SOURCE in Boston and RSA with our guest, Jennifer Leggio. We spend a bit of time on the Hannaford breach and my Mac antivirus article.

Do Mac Users Need Antivirus?

Rich · March 18, 2008

I just published an article on TidBITS on this very issue.

Basically, I don’t think the average Mac user needs it yet. AV comes at a performance cost that isn’t justified by the risks it addresses. It isn’t that Macs are more secure than Windows; it’s that they aren’t as big a target yet, and I’m not convinced that desktop antivirus will help much once Mac malware really starts proliferating.

There goes another one.

According to multiple sources, the Hannaford Brothers grocery chain suffered a major breach with 4.2 million credit cards exposed. Hannaford had published an FAQ for their customers. Odds are it will be months until we find out what really happened, but I’m going to speculate anyway, pick apart the press coverage and FAQ, and see if we can learn something from this now.

We Don’t Need No Education

David Mortman · March 14, 2008

David here again. Chris Hoff, in his often imitated but never duplicated way, recently reopened the massive can of worms that is security awareness training. Go ahead and read the comments on both posts — they are energizing to say the least. I’ve included a paper that I wrote for our customers below. Given the original audience, it’s on the more formal side. Let me know what you think….

I’m out in Boston for the SOURCE conference where Hoff and I just presented on Disruptive Innovation and the Future of Security. It went well, but we’re only giving ourselves a 6 out of 10. We tried to stuff in too much content and didn’t focus as much as we should have. We’ve already mapped out the next version and I wish we were giving it before June (our next scheduled show).

I was reading an article by Rsnake this morning on the problems of using a username as a primary key, and it reminded me of something I’ve been meaning to write about for a while.

I’m pretty excited about speaking at the Source conference in Boston next week, despite the expected 6 hours of agony while flying with this damn shoulder.

I thought it was a slow news week, but once we got recording there was a heck of a lot to talk about this week. Martin and I spend a little time on two hardware-based attacks: a bit of a redux on the cold boot encryption attack, and discussion of the FireWire Direct Memory Access attack. Seems like your RAM is taking a beating these days. We update the WikiLeaks coverage and Martin spends a little time on PCI.