Sunday, October 24, 2010

Go read this…

Thanks to Alex Hutton for pointing out a great article in the Atlantic.  It is about medical research, but it transcends that topic and really applies to many areas of research and study.  The article is called Lies, Damned Lies, and Medical Science and leads with:

“Much of what medical researchers conclude in their studies is misleading, exaggerated, or flat-out wrong. So why are doctors—to a striking extent—still drawing upon misinformation in their everyday practice? Dr. John Ioannidis has spent his career challenging his peers by exposing their bad science.”

My favorite quote from the article may be:

“Maybe sometimes it’s the questions that are biased, not the answers”

That is very close in intent to something I often say, which is “if you want to know how the illusion works, do not look where the magician points”.

It is an interesting and (hopefully) thought-provoking article.



Saturday, October 9, 2010

BSides slideshow

Here’s a little slideshow of photos from BSides events in Las Vegas (both ‘09 and ‘10), San Francisco, Austin, and Boston.


I cannot believe how far this has gone, and we’re just over a year into it.



Wednesday, October 6, 2010

Verizon’s PCI Compliance Report

A couple of days ago I pointed to the new Verizon Payment Card Industry Compliance Report (PDF available at

I have read and digested it; I have also read, and been unable to digest (or even keep down), some of the “supporting” information.

Short version- it is a first try, and it has useful data- data you will not find elsewhere.  Some of that data and accompanying analysis can help organizations battling PCI compliance, and those who audit/assess or consult organizations attempting to comply with PCI-DSS.

There is, unfortunately, some complete crap surrounding the data; some of the report was apparently written by myopic PCI cheerleaders.  A lack of overall understanding of the security landscape, and the occasional straw man, may make you want to stop reading before you get far- but don’t give up, there is much more good than bad, just keep your reality distortion shields up and you will learn from the report.  You can also learn from the mistakes of others, which is not as visceral as learning from your own mistakes but is much less painful.

Some things really jump out at you- like the 78% non-compliance rate at the initial assessment.  At the time of the initial assessment, over 50% of organizations were not compliant with 8 of the 12 requirement areas.  Requirement 11, regular testing of security systems and processes, came in dead last in initial compliance.

The report states that the 22% that were found compliant at the initial assessment were mostly experienced at PCI-DSS, but many that had been found compliant previously were deficient in the subsequent assessments included in this report.  It would be great to know how many of the formerly compliant were assessed by Verizon previously as opposed to how many were assessed by other QSA firms- and how they compared.  Not holding my breath for those stats, but they would be telling.  The lack of quality assurance in the QSA space is one of the things I have railed about in the past; this data could really help the PCI council address some of these problems (if they had any interest in doing so).

It will be interesting to see what conversations come from this report.



Monday, October 4, 2010

Another report from Verizon, this one on PCI

The good folks over at Verizon Business have cranked out another report, this one on PCI.
I urge you to read the PDF for yourself (yes, PDF, a file format we should trust just as much as EXE these days).  The blog post and podcast underwhelmed me, but you may see value in them.


The Blog post is at

and a short podcast:

I need to digest it before adding commentary.  Remember that Verizon Business has a large PCI practice.  I’m not saying there is any bias or spin- but it would be naive to overlook that fact.  Also, keep in mind that, like the DBIR, the sample organizations are self-selecting: they are companies which can afford, and use, Verizon for business services.  (That’s one of the great things about the latest DBIR, the addition of Secret Service data to normalize results).