We've got other positions open across the company too. Check them out here -- sales, engineering, public relations, and so on need help. Again, email me your resume.
Competitors of the new enterprise greeted Mr. Giuliani into their midst warily.
"What is he really bringing to the table as far as the security business part of it?" asked Chris Wysopal, the director of research and development for @stake, a company that also provides so-called white-hat hacking services.
"I'm not too worried," he said. "When we say, 'We talk business,' it isn't like going out to the golf course. It's showing real numbers, and having the data to back it up."
So, Mr. Giuliani, could you comment on the BIND vulnerability that was exploited to threaten the root server system?
"I could make a comment on the Cubs game tonight," he said with a laugh, speaking by phone from Chicago.
And that is as it should be, said Allan Carey, an analyst with IDC, a research company. "He's talking on a different level; he's speaking to executives."
This story on a new report by the Economist Intelligence Unit quotes the foreword Rudy wrote for the report:
"$10m spent on corporate security will hit the bottom line today and may not show its worth for many years. But when a security incident does occur, that investment will pay for itself many times over. As mayor of New York, I remember thinking that the hundreds of millions of dollars we spent preparing for Y2K might have been wasted ... On the morning of 11 September, I realised that it wasn't. Having thought our way through a complete breakdown of the city's systems, we had the backups that allowed us to get a new command centre partly operational within two hours. Similarly, all of the work we did over the previous few years in preparation for a terror attack - including the drills, the tabletop exercises, and the creation of an emergency management centre - proved invaluable."
I'd never heard of this guy, and was skeptical when the article stated "Arquilla... helped develop the offensive cyber weapons used by the U.S. military in Kosovo, in Afghanistan and in the Gulf War." Google led me to this PBS interview, where we learn Arquilla helped build the Joint Surveillance and Target Acquisition Radar System while working for Central Command during the first Gulf War. JSTARS isn't what I'd call an "offensive cyber weapon," at least as far as computers go.
Still, this article wasn't a waste of time, as I made two discoveries. First, I learned Dorothy Denning now works at the Center on Terrorism & Irregular Warfare. Second, I found this Apr 03 PBS Frontline show called Cyberwar! is available in its entirety online. The title (especially the exclamation point) is derived from this 1993 paper by John Arquilla, Cyberwar Is Coming!. The show looks interesting and I plan to watch it and read the interviews when I have time.
The Proventia A series IDS offers products like the A1204 which can monitor and make sense of redundant or load-balanced links.
ISS offers a newsletter called "Connect," with the October issue (.pdf) devoted to Proventia.
What's the competition for ISS' product? Symantec announced its Symantec Gateway Security 5400 Series last month. Cisco announced "integrated network solutions" in Feb 03, but they're not a "converged solution." You need a product finder to make sense of Enterasys's offerings. While I still believe Sourcefire has the superior detection solution, I can see the allure of these "single box" appliances.
Don't be fooled into thinking a single box can serve all of your security needs. While the ISS demos stress their products can complement firewalls, I don't trust putting prevention and detection functions into a single system. Almost by definition, the detection aspect will not detect some attacks, leaving no record of intrusion. Why? If the product could detect the attack, why didn't it prevent it? (That's what customers say they want, correct?) So, there needs to be an independent, network-audit product to evaluate how well the prevention product performs. That's network security monitoring, my friends. NSM recognizes that prevention will always fail, and that when it does defenders need a way to quickly scope the extent and impact of a compromise.
The new law places the determination solely in the hands of law enforcement and the system owner or operator. In those likely instances in which the interception does not result in prosecution, the target of the interception will never have an opportunity to challenge the activity (through a suppression proceeding). Indeed, such targets would never even have notice of the fact that their communications were subject to warrantless interception. However, the USA PATRIOT Act does include an exception prohibiting surveillance of someone who is known by the owner of the protected computer "to have an existing contractual relationship with the owner or operator of the protected computer for access to all or part of the protected computer."
At this point you may want to know more about PATRIOT by reading applicable laws. Remember that PATRIOT amended existing laws. To see the amended laws, you need to know the title and sections affected. For example, the EPIC article links directly to Cornell's US Code archive, e.g., Pen Register and Trap and Trace Statute or Interception and disclosure of wire, oral, or electronic communications prohibited, aka "The Wiretap Act." Alternatively, visit the Office of the Law Revision Counsel of the House of Representatives and search to find 18USC3121 or 18USC2511. Notice these laws don't just apply to the government -- they affect everyone.
Another resource is part 3 of Slate's 4-part story on PATRIOT. The Electronic Frontier Foundation offers its views too.
Remember that state laws restrict monitoring. The Reporters Committee for Freedom of the Press offers an excellent guide to taping phone calls, with state-by-state summaries and an article on surreptitious recording. Use the state guide as a pointer to specific laws in each state, since the RCFP's focus is recording voice conversations and not electronic monitoring.
To validate the RCFP results I checked out the Code of Virginia and searched for "pen register" to get my bearings. I found Title 19.2, Criminal Procedure contains Chapter 6, Interception of Wire, Electronic or Oral Communications. 19.2-62, Interception, disclosure, etc., of wire, electronic or oral communications unlawful; penalties; exceptions is very similar to the Federal statute. The section below seems to give the only cover to perform monitoring:
"It shall not be a criminal offense under this chapter for any person... (f) Who is a provider of electronic communication service to record the fact that a wire or electronic communication was initiated or completed in order to protect such provider, another provider furnishing service toward the completion of the wire or electronic communication, or a user of that service, from fraudulent, unlawful or abusive use of such service."
Finding California's laws was a little more difficult. I visited the state's search page, and after not getting useful hits on "pen register" I tried "interception." That yielded Section 629.50-629.98, INTERCEPTION OF WIRE, ELECTRONIC DIGITAL PAGER, OR ELECTRONIC CELLULAR TELEPHONE COMMUNICATIONS of the Penal Code. Since this pertains to law enforcement actions, I used the information from the RCFP site to check Section 630-637.9, INVASION OF PRIVACY. Here I found that interception and recording is illegal, unless:
"(b) This section shall not apply (1) to any public utility engaged in the business of providing communications services and facilities, or to the officers, employees or agents thereof, where the acts otherwise prohibited herein are for the purpose of construction, maintenance, conduct or operation of the services and facilities of the public utility..."
Let's conclude this research with a check on Texas' laws. The Texas Penal Code offers CHAPTER 16. CRIMINAL INSTRUMENTS, INTERCEPTION OF WIRE OR ORAL COMMUNICATION, AND INSTALLATION OF TRACKING DEVICE. Looking at Section 16.02 we read:
"A person commits an offense if the person:
(1) intentionally intercepts, endeavors to intercept, or procures another person to intercept or endeavor to intercept a wire, oral, or electronic communication...
(c) It is an affirmative defense to prosecution under Subsection (b) that:
(1) an operator of a switchboard or an officer, employee, or agent of a communication common carrier whose facilities are used in the transmission of a wire or electronic communication intercepts a communication or discloses or uses an intercepted communication in the normal course of employment while engaged in an activity that is a necessary incident to the rendition of service or to the protection of the rights or property of the carrier of the communication, unless the interception results from the communication common carrier's use of service observing or random monitoring for purposes other than mechanical or service quality control checks..."
Again we see language that mirrors the Federal statutes. Note I have avoided citing statutes which offer consent as a defense for doing monitoring. Consent can be obtained when intruders use "bannerable" services like telnet or FTP to access a victim. If an intruder doesn't access an interactive service, there's no way to obtain the intruder's consent and thereby use consent exceptions to justify monitoring.
For more information, read Dorothy Denning's latest. The Constitution Project released a survey of state wiretap laws last month.