If I say it over and over again, it must be true …

“Keeping to your message, repeat it many times, and ignore the criticism” are key principles of success in Washington DC policy work. If you say something over and over again, it must be true. It does not matter if the message is true, based on facts, or has any empirical data to support your assertion.


New Intelligence Squared debate – The CyberWar threat has been Grossly Exaggerated

Has the Cyber-War threat been Grossly Exaggerated? Thanks to Intelligence Squared (I2) and Neustar for, first, bringing I2 outside of New York and, second, for setting up an Oxford-style debate to address the “market saturation” of the cyber-warfare threat. I’ve been a strong critic of the overhype, exaggeration, and fiction expounded by “individuals”


Conficker – the “Fortunate 500”

Conficker has been a double-edged sword for the industry. On one hand, it is a nasty “weapons grade” hijacking malware with nefarious consequences – ranging from a platform for crime to a threat to Global Telecoms, SCADA, and other critical infrastructure. On the other hand, it is an example of what cyber-civic society can do when

What do you tell the boss?

NSP-SEC Top 10 SP Security Techniques – Updated Slides

NSP-SEC Top 10 SP Security Techniques is one of the core foundation tutorials for ALL Telcos, ISPs, Cloud Operators, Mobile Companies, and other large ASNs (including Enterprises). This is the foundation for network security. You are being stupid if you are not doing these basics and are instead trusting your “firewall.” Note, though, that all the recommendations

60 Minutes

The flaws with the 60 Minute Report on “Cyberwar: Sabotaging the System”

We need to expect more out of the press, policymakers, and the pontificating “Cyberwarfare Experts” producing stacks of reports about the “Cyber-security threat.” Graham Messick, the CBS producer of this 60 Minutes episode on “Cyberwar: Sabotaging the System,” did not do his due diligence as a reporter. A standard tool for building balance in a story

TCP State Saturation Attack

DOS Trends Are Changing – More Effective Attack Classes.

Yes, DOS trends are changing. CERT-FI’s release of the “Sockstress” details yesterday has a few people confused. Outpost24 discovered a new TCP state-abuse technique that can cause a range of issues on a TCP stack (see CERT-FI’s release details). It is a serious issue. But, if it is serious, why is there not a

Internet for Policy Makers

Beware, Liability does roll down hill

In my own work, I mention to my peers how everything has changed in today’s Converged Internet/Global Telecommunications world. Liability and accountability roll downhill. If something happens where the operator is found at fault, that finding does not stop with the operator. It will ‘roll downhill’ to the vendors and now the auditors.

Internet for Policy Makers

Is the “Full Disclosure” vs “Non-Disclosure” Debate Dead? NOT

I was watching Matthew Watchinski walk through the events and activities behind our Adobe vulnerability this past Feb (see US CERT’s “Adobe Acrobat and Reader Vulnerability TA09-051A”). What struck me about Matt’s talk is a statement he made near the end: “… Full Disclosure vs Non-Disclosure debate is dead. I learned this because my E-mail