I'm not passing judgement on Facebook's one-time password system. Not because I don't care about it, I just don't know enough about that technique. So what's the consensus on it? Going too far and potentially messing folks up even though it's more secure? Falling short of the mark and not providing adding any real security? Or did it hit the mark just right? Let me know at jherrington at fortify dot com.

Some interesting security news stories out in the past couple of weeks/days:

• The NSA just did a document dump. Looks like a lot of this stuff goes way, way back.
• NuCAPTCHA is going to try embedding the CAPTCHA text in a video. Certainly a novel approach.
• There is some news out that security jobs will be more in demand than ever as two out of three companies report successful hacks.

I apologize for not blogging as much in the past few weeks. Things have been pretty busy around here with the pending new release. Additionally we are doing a lot of hiring, and also looking to do that Fortify Camp sometime next year. If you have any leads or ideas in any of those areas please contact me at jherrington at fortify dot com.

We are internally involved in a project to address the default set of reports that we ship in F360. As part of that process we are looking for people who use the system who want to give us feedback on the current set of reports, what custom reports they have made, and what holes they see in the report set we currently have. If you are interested in being part of that process drop me a line at jherrington at fortify dot com.

At least for the time being it appears that comments to this blog are going into an abyss that I personally, along with the other bloggers, do not have the proper diving equipment or certification to explore. Please understand, we want your comments, they are the reason we do what we do. So while we are preparing for our dive certification exams please send your comments to jherrington at fortify dot com and I will see to them personally.

I apologize for any inconvenience this may have caused. We really, really want your feedback.

Wired has an amazing chart of the 163 security regs that military folks have to get through before they can make IT changes. Wow.

Scott Charney of Microsoft advocates a public health model for malware and botnets. I found Charney's paper worth the time to read. He offers some fine definitions of individual defence, collective defense, active defense, and offense as means to combat cyber crime, and compares these to their physical conuterparts.

That said, I'm not getting in line for a laptop health certificate. I do not find the public health model valid. It's an old saw in cyber threat modeling. I object to it as a false analogy. Measures like vaccination and quarantine are weighed carefully against civil liberties because in public health concerns, we deal with people and populations. Computers, ISPs, and the like do not have such advocates. My ISP can choke off my traffic, and no one would blink.

Furthermore Charney acknowledges that his proposal sacrifices privacy at the intent of security. Using his health model, he further blunders in his discussion on anti-smoking regulations as a comparative privacy loss for the public good. We must acknowledge that smoking in public is a willful act, unlike my computer's infection. Downloading software doesn't compare to lighting up.

It's time that security researchers shelve our copies of Outbreak and The Hot Zone. We need a model for the spread of software threats that applies to software threats.

This year HP put on an innovation camp in the Lake Tahoe area. We have been thinking about doing something similar for security in the middle of next year time frame. With a little help from HP. And maybe even in Lake Tahoe if we can swing it. ;-)

The camp would be a free-form get together of people involved in the field in security as well as people in the security research field. You can present stuff or not. Though presenting is preferable. The idea is to get some bright minds together in one place and then stir the innovation pot for a while to create some energy and excitement.

If your interested let me know at jherrington at fortify dot com. Hopefully I can get enough folks who are interested to make the event possible.

Another cool article on the Stuxnet worm, how it was designed and how it spread beyond it's intended limits.