QOTD - Pescatore on Google Wi-Fi Snafu

In business models that depend on getting people to expose information in order to sell advertising around it, it seems like mistakes always seem to fall on the accidentally collecting too much information, versus mistakenly ever collecting too little. -- John Pescatore, VP at Gartner, Inc.
Src: SANS NewsBites Vol 12 Num 41

QOTD - Ranum on Online Privacy

If you don't want to make something public don't blog, facebook, tweet, or otherwise publicly announce it! Three people can keep a secret if two of them are dead and nobody has published it on the Internet for all their 'friends' to see. -- Marcus Ranum, CSO of Tenable Network Security
Src: SANS NewsBites Vol 12 Num 42

QOTD - Pescatore on Facebook & Privacy

There is a big difference between making user privacy controls "simpler" and making user privacy a core feature in all Facebook software development. Especially in a business model in which all revenue depends on getting people to expose information so you can sell advertising around it. -- John Pescatore, VP at Gartner, Inc.
Src: SANS NewsBites Vol 12 Num 41

QOTD - Baker on Risk Models

Wade Baker, of Verizon Risk Intelligence, replying to a post on the Security Metrics mailing list about whether risk models are useful for non-tangible assets (human life or infosec assets that can't easily be quantified):
Having an impact that is extremely high (ie, human life) doesn’t invalidate the use of a risk model. If the probable impact is so high as to be intolerable, that simply means that risk level is intolerable regardless of threat frequency (which means keep spending money). Of course, the question is whether the impact of something (even human life) is truly intolerably high. The government enters wars knowing that life will be lost. I drive my family around in a car knowing there’s a chance of a fatal accident.

As to [whether] the financial models don’t work because governments don’t have profit – governments spend the money of the people. I’d be quite happy if the government spent my money as though they had to be mindful of operating in the black.
Reprinted with permission of the author.

QOTD - Online privacy is like a Tattoo

Posting something online is almost as bad as getting a tattoo. The act of pulling it off or making it disappear ultimately is expensive, and it's never complete. No matter what you do about it, it leaves a little scar. -- Paco Underhill, author of "What Women Want" and "Why We Buy."
Src: In shoppers' online networks, privacy has no price tag

QOTD - Shostack on Infosec & Oil Platform Engineering

Replying to a series of posts on the Security Metrics mailing list about whether information security is (or can aspire to become) an art, a science, or an engineering discipline, Adam Shostack, author of The New School of Information Security, wrote:
I think we're more like oil platform engineers than bridge engineers. Our mistakes are hidden, hard to estimate, and residue is turning up in unexpected places.
Note: posted with author's permission

QOTD on Home Users

Home users remain the most susceptible to infected malware and socially engineered threats, such as advertisements and personal assistance sites. -- Official Microsoft Blog
Src: The Official Microsoft Blog – News and Perspectives from Microsoft : Microsoft’s SIR v8 Offers Insight and Guidance on Cyber Defense

QOTD on PowerPoint

"PowerPoint makes us stupid," said Gen. James N. Mattis of the Marine Corps.

Brig. Gen. H. R. McMaster, in a telephone interview, said about PowerPoint: "It’s dangerous because it can create the illusion of understanding and the illusion of control. Some problems in the world are not bullet-izable."

One slide in particular, packed with minute details, made the news recently when General McChrystal was reported as saying: "When we understand that slide, we’ll have won the war."

Src: Enemy Lurks in Briefings on Afghan War - PowerPoint - NYTimes.com

QOTD on Malware Kits

Malware kits are developed, released, and updated just like legitimate products – complete with advanced features and minor releases to improve kit effectiveness. -- Official Microsoft Blog
Src: The Official Microsoft Blog – News and Perspectives from Microsoft : Microsoft’s SIR v8 Offers Insight and Guidance on Cyber Defense

QOTD on ATM fraud

Crooks can steal every dime you own in seconds, and you won't even know it. -- Jody Barr, for WIStv.com
Src: ATM skimmers steal your info in seconds, becoming more popular - WIS News 10 - Columbia, South Carolina

QOTD on Malware Kits

People can launch attacks without even knowing a line of code, and the infrastructure now exists to pay the attacker per exploit achieved.
With an attack kit there is literally 'an app for that' and it is driving the explosive growth in internet-borne threats such as spam and zero-day attacks with new kits popping up every day. -- Bradley Anstis, VP of Technology Strategy at M86 Security.
Src: Russia dominating automated malware kit market - V3.co.uk - formerly vnunet.com