Comments for The CodeGuard Blog http://www.codeguard.org/blog Jim Molini's Software and Information Security Blog Fri, 27 Aug 2010 00:34:42 +0000 hourly 1 http://wordpress.org/?v=3.0.2 Comment on Human Capital Discussion – Part 2. by jmolini http://www.codeguard.org/blog/2010/08/11/human-capital-discussion-part-2/comment-page-1/#comment-61 jmolini Fri, 27 Aug 2010 00:34:42 +0000 http://www.codeguard.org/blog/?p=103#comment-61 Marc, Thanks for that update. I didn't know that these guys had already set up some kind of competing organization. However, any federal agency that wanted to hire a certification non-profit would have to open the bid to competition. Then this new firm would have to compete with organizations that have been doing certification work for decades. I'd be very interested to hear the selection board discussion when that happened. If you have a link to more info on this, please send it along. Jim. Marc,
Thanks for that update. I didn’t know that these guys had already set up some kind of competing organization. However, any federal agency that wanted to hire a certification non-profit would have to open the bid to competition. Then this new firm would have to compete with organizations that have been doing certification work for decades. I’d be very interested to hear the selection board discussion when that happened. If you have a link to more info on this, please send it along.
Jim.

]]> Comment on Human Capital Discussion – Part 2. by Marc Noble http://www.codeguard.org/blog/2010/08/11/human-capital-discussion-part-2/comment-page-1/#comment-60 Marc Noble Mon, 16 Aug 2010 16:34:45 +0000 http://www.codeguard.org/blog/?p=103#comment-60 Jim, You raise some interesting questions. To my knowledge, the authors did little reseach into the development of the ISSEP. I was the (ISC)2 representative to a meeting with the authors a week before the report publication. The ISSEP was not brought up. Also in attendance was ISACA, CompTIA, NIST and ANSI. The conversation was quite general in nature about better methods for testing information security professionals and lasted a bit more than an hour. The idea of licensing like doctors do was brought up by the authors however it was pointed out that doctors associations are managed at the State level, not the Federal level. I would also make the point that the licensing association is managed by doctors, in this case, it should be managed by information security professionals. The new association that you alude to is not led by information security professionals but by what appears to be a group from CSIS and Alan Paller. Interesting that the authors of the report are also on this new board which I believe raises questions about the report itself. Recently, one of the new board members raised an issue of a conflict of interest of current certification bodies doing training, doesn't the same rule apply for a board member releasing a report that is sharply critical of their competition? Something to ponder, Marc Noble Jim,

You raise some interesting questions. To my knowledge, the authors did little reseach into the development of the ISSEP. I was the (ISC)2 representative to a meeting with the authors a week before the report publication. The ISSEP was not brought up. Also in attendance was ISACA, CompTIA, NIST and ANSI. The conversation was quite general in nature about better methods for testing information security professionals and lasted a bit more than an hour. The idea of licensing like doctors do was brought up by the authors however it was pointed out that doctors associations are managed at the State level, not the Federal level. I would also make the point that the licensing association is managed by doctors, in this case, it should be managed by information security professionals. The new association that you alude to is not led by information security professionals but by what appears to be a group from CSIS and Alan Paller. Interesting that the authors of the report are also on this new board which I believe raises questions about the report itself. Recently, one of the new board members raised an issue of a conflict of interest of current certification bodies doing training, doesn’t the same rule apply for a board member releasing a report that is sharply critical of their competition?

Something to ponder,

Marc Noble

]]> Comment on Right to Privacy? Not if u txt… by Scott Barman http://www.codeguard.org/blog/2010/06/24/right-to-privacy-not-if-u-txt/comment-page-1/#comment-55 Scott Barman Mon, 28 Jun 2010 20:34:48 +0000 http://www.codeguard.org/blog/?p=98#comment-55 Employers have the right to read your emails and voice mails. Three court rulings are cited for this: 1. Bourke v. Nissan (http://www.loundy.com/CASES/Bourke_v_Nissan.html) 2. Smyth v. Pillsbury (http://www.loundy.com/CASES/Smyth_v_Pillsbury.html) 3. Shoars v. Epsion (http://fac-staff.seattleu.edu/mchon/web/Cases/shoars.html) All three cases say the same thing: the company owns the computers, software, and manages the services (either itself or hires someone to do it), then the company can do whatever it wants with the service it owns. So it could be said that the above cases have moved to text messaging. Employers have the right to read your emails and voice mails. Three court rulings are cited for this:
1. Bourke v. Nissan (http://www.loundy.com/CASES/Bourke_v_Nissan.html)
2. Smyth v. Pillsbury (http://www.loundy.com/CASES/Smyth_v_Pillsbury.html)
3. Shoars v. Epsion (http://fac-staff.seattleu.edu/mchon/web/Cases/shoars.html)

All three cases say the same thing: the company owns the computers, software, and manages the services (either itself or hires someone to do it), then the company can do whatever it wants with the service it owns. So it could be said that the above cases have moved to text messaging.

]]> Comment on Digital Borders: Maybe It’s Time. by Sunny Molini http://www.codeguard.org/blog/2010/06/01/digital-borders-maybe-its-time/comment-page-1/#comment-52 Sunny Molini Wed, 23 Jun 2010 15:45:21 +0000 http://www.codeguard.org/blog/?p=95#comment-52 I just realized that I never addressed the arms regulation bit. If government were to establish itself as the governor of information, they might begin to regulate private mechanism that hide traffic from their supervision. Government restrictions on gun control and government restrictions on data traffic control should both be lumped into the same category of undue restrictions of freedom. I just realized that I never addressed the arms regulation bit. If government were to establish itself as the governor of information, they might begin to regulate private mechanism that hide traffic from their supervision. Government restrictions on gun control and government restrictions on data traffic control should both be lumped into the same category of undue restrictions of freedom.

]]> Comment on Digital Borders: Maybe It’s Time. by Sunny Molini http://www.codeguard.org/blog/2010/06/01/digital-borders-maybe-its-time/comment-page-1/#comment-51 Sunny Molini Wed, 23 Jun 2010 15:42:31 +0000 http://www.codeguard.org/blog/?p=95#comment-51 Once that kind of power is assumed by the government, how do you propose that it is constrained to non 'massive and intrusive' purposes. Different points of view could define 'known malware' differently. I'd like to draw some similarities from this to arms regulation. The technology currently exists for users to secure their home systems relatively well for low cost, the most secure of which are difficult to use. The private market has recently release significant improvements to user systems that protect against almost all malware fairly well. I'm thinking of the default Windows firewall and Microsoft Security Essentials. Both of which, while maybe not the best, are very good programs that will leave users substantially better protected than without them. Also, with the prevalence of wireless networking, most users are behind a NAT firewall from their home routers even if the password on that router is still 'admin.' The Internet is the home of information flow for now and the foreseeable future. Please forgive my reticence to yield control to the government to govern the flow of information. Once that kind of power is assumed by the government, how do you propose that it is constrained to non ‘massive and intrusive’ purposes. Different points of view could define ‘known malware’ differently.

I’d like to draw some similarities from this to arms regulation. The technology currently exists for users to secure their home systems relatively well for low cost, the most secure of which are difficult to use. The private market has recently release significant improvements to user systems that protect against almost all malware fairly well. I’m thinking of the default Windows firewall and Microsoft Security Essentials. Both of which, while maybe not the best, are very good programs that will leave users substantially better protected than without them.

Also, with the prevalence of wireless networking, most users are behind a NAT firewall from their home routers even if the password on that router is still ‘admin.’

The Internet is the home of information flow for now and the foreseeable future. Please forgive my reticence to yield control to the government to govern the flow of information.

]]> Comment on Eating Crow – Google Goes For Broke in China by Ron Ploof http://www.codeguard.org/blog/2010/03/23/eating-crow-google-goes-for-broke-in-china/comment-page-1/#comment-47 Ron Ploof Wed, 24 Mar 2010 22:16:57 +0000 http://www.codeguard.org/blog/?p=85#comment-47 Oh, Jim. I know exactly how you feel. Just a tip...I've found that Tabasco sauce masks the gameyness:-) Keep up the great work! Oh, Jim. I know exactly how you feel. Just a tip…I’ve found that Tabasco sauce masks the gameyness:-)

Keep up the great work!

]]> Comment on Google Leaving China – Part II by The CodeGuard Blog » Eating Crow – Google Goes For Broke in China http://www.codeguard.org/blog/2010/02/10/google-leaving-china-part-ii/comment-page-1/#comment-46 The CodeGuard Blog » Eating Crow – Google Goes For Broke in China Tue, 23 Mar 2010 17:22:53 +0000 http://www.codeguard.org/blog/?p=81#comment-46 [...] as the issue itself had strong cultural overtones, (see my earlier post) anyone reading the post from outside the USA may wonder about the title. We [...] [...] as the issue itself had strong cultural overtones, (see my earlier post) anyone reading the post from outside the USA may wonder about the title. We [...]

]]> Comment on Google Leaving China? If you believe that… by The CodeGuard Blog » Eating Crow – Google Goes For Broke in China http://www.codeguard.org/blog/2010/02/05/google-leaving-china-if-you-believe-that/comment-page-1/#comment-45 The CodeGuard Blog » Eating Crow – Google Goes For Broke in China Tue, 23 Mar 2010 16:41:03 +0000 http://www.codeguard.org/blog/?p=78#comment-45 [...] me start by saying that I was wrong.  Yep.  That’s the best way to begin this post.  This morning I read on Wired.com that Google [...] [...] me start by saying that I was wrong.  Yep.  That’s the best way to begin this post.  This morning I read on Wired.com that Google [...]

]]> Comment on Google Leaving China – Part II by jmolini http://www.codeguard.org/blog/2010/02/10/google-leaving-china-part-ii/comment-page-1/#comment-44 jmolini Tue, 23 Mar 2010 16:37:16 +0000 http://www.codeguard.org/blog/?p=81#comment-44 Thanks Paul, I was looking at the news on this and preparing my next post. They've surprised a lot of people. Haven't they? Even though they've just moved to Hong Kong, it's a clear break with the policy. The next few weeks will be interesting, won't they? Thanks Paul,

I was looking at the news on this and preparing my next post. They’ve surprised a lot of people. Haven’t they? Even though they’ve just moved to Hong Kong, it’s a clear break with the policy. The next few weeks will be interesting, won’t they?

]]> Comment on Google Leaving China – Part II by Paul Johnston http://www.codeguard.org/blog/2010/02/10/google-leaving-china-part-ii/comment-page-1/#comment-43 Paul Johnston Tue, 23 Mar 2010 15:00:58 +0000 http://www.codeguard.org/blog/?p=81#comment-43 Now they have the date of April 10th that everyone thinks they will finally make the move to leave china. Even some of the security sites are reporting this: http://www.enigmasoftware.com/google-leaving-china-april-10th/ and now even CNN is trying to figure out what will happen http://news.blogs.cnn.com/2010/03/23/google-and-china-parting-ways-what-does-it-mean/?hpt=T2 now that google is redirecting traffic from the Chinese Google. This will be very interesting to see what pans out. Now they have the date of April 10th that everyone thinks they will finally make the move to leave china. Even some of the security sites are reporting this: http://www.enigmasoftware.com/google-leaving-china-april-10th/ and now even CNN is trying to figure out what will happen http://news.blogs.cnn.com/2010/03/23/google-and-china-parting-ways-what-does-it-mean/?hpt=T2 now that google is redirecting traffic from the Chinese Google. This will be very interesting to see what pans out.

]]>