Saturday, April 17, 2010

Security NOW

This is a shout-out to those security geeks who listen to the podcast "Security Now" on the TWIT network. I have listened to this podcast since the beginning; I'm not sure, but I might have had to review a half-dozen older ones when I first started. Last week's podcast was about a specific problem with the SSL certificate stores found in all browsers, but it was casually identified as "SSL is broken". I posted a comment on the feedback site:
I grit my teeth every time you say SSL is broken. Yet most of the time it isn't SSL that's broken, but the policies some have chosen to use to simplify our lives. So as an example, last episode, the problem with SSL server certificates, this isn't broken SSL, this is a broken policy. I recommend SSL very often to protect healthcare. I'm involved in all of that stuff going on in Washington, D.C. around healthcare IT. I often have to reverse misunderstandings. In addition, I have to point out that the recommendations that we're giving with healthcare are to use mutual-authenticated TLS to a well-controlled certificate or CA branch that is highly controlled, following a system inspection and business agreement. This isn't just server authentication to a list that some browser vendor chooses.
I received an email from a colleague in GE's Energy division mentioning that he had heard my feedback on this week's podcast, clearly someone who was able to listen to the live recording. This morning I finally got around to listening to the recording, and sure enough my comment was his 'Comment #1' at almost minute 23. I was happily vindicated that Steve Gibson, the host of Security Now, agreed with my assessment. It was discussed and clarified for a whole 6 minutes (does that count against my 15 minutes of fame?). Policy is so important: think it through, declare it in writing, inspect it for the capability to enforce it, and regularly audit that it is being executed.
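The difference between "server authentication against whatever root list a browser ships" and "mutual-authenticated TLS to a well-controlled CA branch" can be shown in code. The program below is an added example of my own, not something from the podcast, from GE, or from the healthcare IT recommendations themselves. It builds, in memory, a throwaway private CA plus an unrelated CA standing in for a public root, issues a server certificate and two client certificates (all names such as exchange-ca, ehr.example.test, enrolled-gateway and unenrolled-party are constructed for the demo), and then runs four loopback connections against a server that requires a client certificate chaining to the private CA. Only the enrolled client that also trusts the private CA gets a message through; a client with a different trust store, no certificate, or a certificate from the other CA is turned away. One wrinkle worth knowing when you audit this kind of policy: under TLS 1.3 the server's rejection of a client certificate shows up on the client's first read, not as a failure of the handshake call, so the check has to go past tls.Dial.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// issue makes an Ed25519 key and a certificate for name: a self-signed root when parent is nil, otherwise a leaf signed by parent.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey any) (*x509.Certificate, tls.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo-only serial; a real CA tracks uniqueness
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name}, // leaves are matched by SAN, not CN (harmless on the CA)
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // demo-only lifetime
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent CA is given
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// pool is a trust store holding exactly one CA: the controlled branch, not a browser's list of public roots.
func pool(ca *x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	p.AddCert(ca)
	return p
}

// Exchange runs one mutually authenticated connection over loopback. The server admits only client
// certificates chaining to serverTrust; the client admits only server certificates chaining to
// clientTrust and presents clientCerts (nil = none). nil is returned only if a message round-trips.
func Exchange(server tls.Certificate, serverTrust, clientTrust *x509.CertPool, clientCerts []tls.Certificate) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // mutual authentication is mandatory
		ClientCAs:    serverTrust,
	})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			defer c.Close()
			io.Copy(c, c) // the first Read runs the handshake and client-cert check; echo only to an authenticated peer
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: clientTrust, ServerName: "ehr.example.test", Certificates: clientCerts})
	if err != nil {
		return err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	if _, err = conn.Write([]byte("hello")); err != nil {
		return err
	}
	_, err = io.ReadFull(conn, make([]byte, 5)) // a rejected client cert surfaces here under TLS 1.3
	return err
}

// Scenarios reports, for four client set-ups, whether the server accepted the client; only the first should pass.
func Scenarios() map[string]bool {
	ca, caID := issue("exchange-ca", true, nil, nil)          // the controlled CA (constructed)
	otherCA, otherID := issue("unrelated-ca", true, nil, nil) // stands in for a public root a browser trusts (constructed)
	_, server := issue("ehr.example.test", false, ca, caID.PrivateKey)
	_, client := issue("enrolled-gateway", false, ca, caID.PrivateKey)
	_, rogue := issue("unenrolled-party", false, otherCA, otherID.PrivateKey)
	return map[string]bool{
		"enrolled client, trusts private CA":   Exchange(server, pool(ca), pool(ca), []tls.Certificate{client}) == nil,
		"client trusts only an unrelated CA":   Exchange(server, pool(ca), pool(otherCA), []tls.Certificate{client}) == nil,
		"no client certificate presented":      Exchange(server, pool(ca), pool(ca), nil) == nil,
		"client certificate from unrelated CA": Exchange(server, pool(ca), pool(ca), []tls.Certificate{rogue}) == nil,
	}
}

func main() { fmt.Println(Scenarios()) }
```

Run it with go run and you get a map with one true entry and three false ones. The policy lives in three settings that are easy to inspect and audit: the client's RootCAs holds one CA rather than a browser's bundle, the server's ClientAuth is RequireAndVerifyClientCert rather than the default of asking for nothing, and the server's ClientCAs names the same controlled branch. None of that is SSL/TLS being "broken" or "fixed"; it is the policy the protocol is told to enforce.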

I was happy to see that my blog's Google Analytics showed that my numbers had increased by 36% since the live broadcast on Wednesday and in the days since, while people listen offline. This is even though I fully expect that 99.44% of the listeners of Security Now do NOT have JavaScript enabled. So I suspect that my blog site has been visited by many more people than I will ever know about. I hope they enjoyed my blog, will feel free to leave their own feedback on my articles, and will visit often (even if I will never know they are there).