Jeffreycarr
Recent Activity
Your link to Menn's article is wrong. It connects to the Arrington article instead of Menn's piece (http://www.reuters.com/article/2013/09/15/us-usa-security-snowden-tech-analysis-idUSBRE98E08S20130915). Regarding financial losses, I think that it's way too early to tell.
Hmmm...
Two straws in the wind for the Snowden flap: 1. When Silicon Valley corporate leaders are grilled over their view of NSA by an outraged Michael Arrington, he uncovers a remarkably diverse set of views and ends up complaining, “I’m not getting anyone to care so far on stage.” 2. When Joseph Menn of ...
Brilliant post, Jeff. I particularly enjoyed your "Beware of Social Media" advice. Thanks for putting your thoughts in print!
Fantasy Analytics
Sometimes it just amazes me what people think is computable given their actual observation space. At times you have to look them in the eye and tell them they are living in fantasyland. Here is an example conversation: Me: “Tell me about your company.” Customer: “...
I'd be honored to accept. Thanks, Stewart!
Rethinking cybersecurity, retribution, and the role of the private sector
In upcoming testimony before the House Homeland Security Committee, I'll be assessing the Department of Homeland Security, with particular focus on cybersecurity. Probably the most important point I'll be making is a simple one: We will never defend our way out of the current cybersecurity cri...
You do propose that offensive capabilities be given to the private sector. You may not intend for those capabilities to be used in the extreme but you believe that some latitude is possible, correct? My position is that I have yet to see any evidence that InfoSec companies can determine attribution that's any better than 50/50 guesswork. In my opinion, that's not good enough to give them any latitude in attacking someone else's computer.
We're probably too far apart in our respective positions to come to an agreement via a blog post, but thanks for providing a forum for engagement and discussion.
Rethinking cybersecurity, retribution, and the role of the private sector
Hi Stewart, private investigators aren't trained intel analysts, meaning that they don't know how to vet source material using analytic models nor do they apply negative analysis before making a pronouncement about attribution. So technically, no true analysis is being done by private investigators.
And, with respect, I've been intimately involved with incident response w/ breaches impacting Fortune 100 companies and can tell you with certainty that TTPs will not lead to "the data that we now lack". For one thing, researchers see what they are meant to see by the attacker. For another, the only groups that have been identified are aliases for 20 or so hacker crews. We have yet to concretely pin an attack on an FIS or nation state unless that state has overtly claimed responsibility for it.
Advocating for offensive actions by private companies is like putting weapons of mass destruction in the hands of children. Poor intelligence analysis leading to failures happens by trained analysts on a regular basis. In at least one case, it led us into a trillion-dollar war. Can you imagine the potential for wide-spread disruption if companies who think they know who attacked them strike back at the wrong nation state? That's a gamble that we don't need to take when a better defensive strategy will render most attacks impotent.
Rethinking cybersecurity, retribution, and the role of the private sector
While collected data on attackers has increased, it remains narrowly focused on the TTPs of low-medium level hacker crews. We don't have an equivalent level of data about acts of cyber espionage from foreign intelligence services or their agents via multiple channels that are ignored by gov't and private sector security firms (i.e., in-country ICT infrastructure, vendors, insiders, social engineering). Therefore, since we can't know sufficient data about who will attack, when, or how, companies and gov't need to treat their critical data differently and completely reject the concept that we can keep an adversary out of our network. What we can do, however, is keep critical data from leaving. Therefore, improved defensive strategies must remain part of any future cyber security framework and offensive actions must only be initiated when attribution passes certain analytic tests applied not by DHS, DOD or the private sector but by trained analysts in the IC where more rigorous analysis is conducted.
Rethinking cybersecurity, retribution, and the role of the private sector
RJ, I'm so happy to see you back. I was renovating my home office today and when I saw your book on my bookshelf I decided to look online and see what you were up to. When I saw that you re-opened your blog today, the same day that I decided to check up on you, I just had to laugh, grab a beer from the fridge, and introduce you to all of my Twitter followers. Cheers, my friend.
I'm baaaack -- The Spy Who Billed Me Comes in from the Cold
After going black a couple of years ago, I'm returning to The Spy Who Billed Me. The blog got a lot of attention, some of it good, some of it, well, you can guess. I broke several national security stories and the best ones are, unfortunately, the ones I chose not to break out of nationa...
Great work with multiple applications in and out of government. It also serves to validate the importance of its individual components for those of us working in related areas. Congratulations, Jeff!
Sensemaking on Streams – My G2 Skunk Works Project: Privacy by Design (PbD)
Over the last twenty-eight months I have been quietly running a skunk works effort that I’ve code named “G2.” To my delight, on January 28th, 2011 this system became officially viable and will be entering something akin to a “sea trial” phase through 2011. I believe this system will prove to be...
Thanks for adding "real-time audits" to your list. I've been hammering this nail every chance I get, including last week in India. Hopefully we'll see this become a key component in security architecture sooner rather than later. Keep up the good work, Jeff.
Big Data Flows vs. Wicked Leaks
I was invited to deliver a short keynote about "big data" at today's OECD roundtable focused on the economics of personal data and privacy. My presentation here. Most big data flows by design. But when big data leaks the consequences can be wicked. That said … protecting big data from wicked ...
Dec 4, 2010