Saturday, July 24, 2010
New Blog location on oculislabs.com/company/blog
We've just released a major revision to our website and we are now able to host the blog there. Please go to http://www.oculislabs.com/company/blog/ for the latest.
Sunday, June 20, 2010
At SOFIC with Klas Telecom
I'm just returning from SOFIC 2010 (Special Operations Forces Industry Conference 2010) in sunny, hot Tampa, Florida. Oculis Labs was featured in Klas Telecom's booth at the show, where we demonstrated a new small version of Chameleon running on the Klas Telecom GRRIP secure mobile platform.
You can see the whole kit in this picture. You're seeing a complete computer and TS/SCI communications package that fits in a 28lb "fly-away" case. The GRRIP is sitting on its case in this picture, and the new small-form Chameleon sensor is sitting on top just under the monitor. This Klas product is quite a serious achievement. Special Operations uses them extensively in the most rugged field conditions to reach back and access SIPRNET and JWICS via the BGAN network. In civilian-speak, this means the guys in the field can access highly classified networks from the mountains in Afghanistan. Klas Telecom has been very successful in delivering thousands of these essential tools for remote computing.
The obvious extension of the platform is to put Chameleon on it to protect the display against prying eyes. There is a really great fit between Klas and Oculis Labs in this respect. The customer goes to great lengths to ensure the security of their classified networks, but until now has not had the ability to protect the display from some pretty serious risks (think: translators, local liaisons, even coalition forces).
We had great interest at the show. The first day was busy, the second a bit slower, and on the third day we got a lot of attention. As is typical with Chameleon, people who had seen it earlier started bringing over their colleagues and management to take a look. We're looking forward to working with Klas to see where this goes.
Monday, June 7, 2010
Weakness at the seam: electronic vs physical security
I noticed recently that government security blogger Bob Gourley is updating an article he originally published in 2003 titled “Cyber and Physical Security Unite”. The article clearly remains relevant today. In fact we have more to be concerned with today than before, particularly at the seam where electronic data meets the real world.
We need to be more intelligent about protecting electronic assets from physical threats, and not treat the two as separate issues. Today the practitioners in these two security spheres are usually independent. As a result, some of the most vulnerable spots are to be found along the seam where the two intersect.
Computer IT experts focus on protecting data "on the wire" with firewalls, encryption, VPNs, IPS, etc. This is all good. Physical experts tend to look at perimeters. Also good.
The under-rated risk is where that electronic information enters the real world at the computer monitor. The logical data protection control ends as the data is handed off to the physical world, where it can be viewed by anyone who happens to have physical access. The rules about who can view what in the electronic world are rarely matched with who has access in the physical world.
Think about your own work environment. You have an access card to get into the building, and a password to access the company financials you use to do your job. However, there is nothing to stop other employees from looking at your computer screen. They have physical access to get into the building, but they don't have a need to see those sensitive financials. It's a simple example of how physical and electronic protections are not working together.
We put more and more of our lives into electronic assets every day. The value of protecting our data increases constantly, but social engineering and shoulder surfing are more serious today than ever. Security practitioners need to admit the risks go beyond just electronic or just physical, and make sure they protect information at all points along the way. If you are a security manager looking to protect computer screens against eavesdroppers, I urge you to look at Oculis Labs' PrivateEye and Chameleon products.
Monday, April 26, 2010
The message is the message
I came across a great new presentation tool recently and used it to create a talk on Cybersecurity for the Greater Baltimore Council last week. The tool, called Prezi, gives you a single infinite canvas to write on, and then lets you create interesting presentations by moving around and zooming in and out of the scene. You may be surprised at how effective this is for dynamic messaging.
I've never accepted the adage by Marshall McLuhan that "the medium is the message". It seems to my engineering mind that taken literally this cliche would mean there would be only a few different messages possible, one for each different "medium". If not to be taken literally, then it falls into the broad liberal arts category of "it means what we mean it to mean when we say it, and is not subject to direct analysis".
Having done a presentation in a new medium now, I'm sticking to my original belief: the message is still the message. However, this new tool sure does help to make the telling more effective. I've made the presentation public so you can check it out too. Click here to view it in your browser.
Friday, April 9, 2010
Beware inside the Hive
The observation "People are like bees" caught my eye in a book I'm reading by Terry Pratchett and Neil Gaiman called Good Omens: The Nice and Accurate Prophecies of Agnes Nutter, Witch.
The gist of the full quote was that the security systems that people set up are similar to bee hives. Bees are very attentive about defending their hives from outsiders and will attack anything that tries to get too close. But if you can get into the hive itself, the worker bees will assume you're supposed to be there, that "management" is OK with the whole idea, and let you go about your business.
This analogy is not far off from what happens in our real offices. Social engineering hackers like Kevin Mitnick used a variety of schemes to get under the radar and into the relatively safe regions "inside the hive".
Think about it: the photocopy repairman is walking around the office, the delivery guy is in the mailroom, the guy in the suit is looking for someone down in accounting. What do you do when you see these things? 99% of the time you let them go if you're like most people.
It's a safe bet that this kind of vulnerability will persist as long as we have offices. Your IT security and office managers may be aware of it and have reminder programs in place, but chances are that unless you work in a government classified facility, a motivated thief, attacker or competitor would have little trouble getting a look around.
The conclusion: don't assume your workspace is private or secure. Think about what you're showing on your desktop and computer screen, and take steps to keep it private.
Thursday, March 25, 2010
March Madness, Dilbert, and Boss Mode
Scott Adams (creator of Dilbert, blogger and generally interesting guy) wrote a blog post recently that really caught my eye.
He says CBS Sports contacted him to ask him to create a "business-looking" screen that a viewer could quickly pop up using the Boss Mode button built into CBS's video feed viewer. The idea is that if an employee is watching March Madness (the NCAA basketball tournament) on his computer during working hours, he could quickly hide the fact from his boss. Further, they wanted the content to look business-like, but to actually be funny on closer examination.
It is nice to know CBS Sports has a sense of fun. That's all this is of course. Some commenters have decried the waste of corporate bandwidth, and the poor morality of shirking work. As a CEO myself, I don't see it that way. I measure my team on what they accomplish. If they can do an excellent job and still watch the game, then they are excellent as far as I'm concerned. The corollary is that if someone is consistently only delivering excuses for why the job is not done well, then they are a problem that must be dealt with.
Anyway, what really grabbed me about Scott's blog post is that our product PrivateEye has a Boss Mode that solves this problem exactly, and in my opinion far more elegantly than with a keyboard button. There's an option in PrivateEye to turn on Boss Mode - a setting that lets you choose what you want your screen to show in an 'emergency'. When it's on and you're looking at your screen you can enjoy the game (or your work) normally, but if anyone else looks at your screen or you turn your head away PrivateEye immediately displays your chosen Boss Mode view.
The idea is more elegant than hitting a button on your keyboard because that's a dead giveaway that you were up to no good. With PrivateEye, all you do is look away and it happens automatically. If this sounds implausible to you, please suspend disbelief for a minute because the product is real. You can check out video of it working here.
Sorry for the commercial, I try not to do that in this blog. I'm just really excited that someone like CBS is, in a humorous way, acknowledging the display privacy issue too. Now what we really need is to get on their radar screens for next year. Coming in 2011: March Madness, On Demand, In the Privacy of your Cube (powered by Oculis Labs). Catchy, isn't it?
Sunday, February 28, 2010
RSA Conference 2010: Bring Back the Weird
It's the day before I travel to the annual RSA Security conference, the big security industry event where everyone gets together to promote their wares, check out the competition, and network to find that next job. I've been coming to the RSA show since 1997 and (no surprise here) it has changed over the years.
Other long-time industry folks feel free to disagree with me, but I think I've seen a dramatic decline in excitement, weirdness, and surprise at the show in the past 5 years.
In the beginning, the buzz was all about the crypto wars: new companies would come out with new "great" crypto systems every year. Some were good, some were snake oil, and most were just unnecessary. (I'm thinking, for example, of the guys who announced the unbreakable million-bit encryption system. It was super-strong, and used 'matrices and new science'. The only problem was the customer was left to figure out how to move those huge keys around. For the non-crypto folks: this is a pretty big oversight.) It was obvious something big was going to happen in security, and in this wild-west period everyone was trying to stake a claim. It was great for the crypto community players. This period was hard on customers though, as they had to make career-defining security decisions without enough solid information.
The years from 2001-2004 settled down a bit. With the collapse of the internet boom, a lot of the noise left the market. Companies settled down and sold good, well planned products that actually solved the current security issues pretty well. It was easier to select a product then. If you needed a VPN (and you knew you did, since the press was doing a reasonably good job too), you could go out and evaluate a dozen compatible VPN servers from a dozen decent companies that all contained sensible crypto. The security industry had come into its own.
Having worked out a sensible model, the next thing, naturally, was to break that model. Security is no longer a stand-alone feature that companies bolt on to their IT systems. No, security is an integral part of the network, client, OS, and storage system. The latest era has been one of integration and consolidation, as IT giants like Cisco, EMC, and Microsoft have made security a core competence and built it into the product.
I observed this shift from the inside at my previous company. Initially, we made the specialty crypto chips and sold them to Cisco and others. Then more players came into the market. To grow, we had to move upstream and started selling the protocol software that runs the security system. As the market matured, even that business was squeezed. The latest model was to license the crypto chip designs to the big chip makers so they could integrate it into their systems. All the basics a customer needs come in their network switch now. There is little room left for a pure-play security company in network security.
What is a pure RSA-conference-attending security vendor to do now? What we are seeing at the RSA show these days is a combination of industry maturation and opportunistic marketing. The main players are now IT companies (EMC/RSA, Cisco, Microsoft, CA, IBM, Novell, and Google).
But there is another trend happening: read the blurbs for many of the exhibitors and you might be forgiven for thinking you were looking at an auditor's conference. This is a very typical blurb:
[Company X] delivers enterprise governance, risk and compliance (GRC) solutions. ... [X] enables companies to manage enterprise risks, demonstrate compliance, automate business processes, and gain visibility into corporate risk and security controls.
Stuff like this will chill the heart of any security enthusiast. And there are dozens of these compliance-officer-pleasing companies in the market now. This is the opportunistic thing I was telling you about: it sells because of government regulations and fear of lawsuits. Not that the security community has anything against selling on fear (we've done it for a long time), but this seems a long way from security to me. It seems like accounting. In any event, my hat's off to the evil geniuses who figured out they could shift the market and sell this stuff under the guise of security.
So what will this year's show bring? What will be remembered and talked about later? Who knows? I'm heading out to see, with a small thrill of anticipation. But you know what I want: the resurgence of weird.