Telecom Security

Telecom and security are the main focus of this blog, where I hope to share my experience, findings and ideas with you. Welcome.

Thursday, March 30, 2006

Net neutrality concerns and China's Telecommunication Act

Here we saw the public, heated debate over Net Neutrality, and the careful consideration of a bill behind the scenes, among stakeholders. As representatives of the new voice from the internet, the giants Google, Yahoo and Microsoft criticized that the Net Neutrality bill might bring unpredictable potential damage to internet users, while leaving a loophole for those triple-play or traditional operators who own and operate the internet transmission services. Of course, there is a long way to go before Net Neutrality becomes a real bill, but this kind of argument will help improve its maturity, integrity and fairness, and will eventually benefit end users.

In China, the Telecommunications Act has not been enacted yet, after more than 25 years of tough development. According to the MII, the Act, still at its draft stage, will be finalized in 2006. It was said that the reason for the continual postponement was the uncertainty of the convergence of the three networks (telephone, video and data). Compared to the openness and public participation reflected by the above report, we might improve our legislation process by getting more people, experts and enterprises involved. See more telecom, security and p2p related comments.


Wednesday, March 29, 2006

Rails releases version 1.1.0

On March 28, the Ruby-based open source rapid application development framework Rails released its latest version, 1.1.0, with a bunch of new features and plugins. See the official site at: http://www.rubyonrails.org


Friday, March 24, 2006

Good To Great - The Flywheel and The Doom Loop

The following is extracted from Good To Great by Jim Collins:

Key Points

- Good-to-great transformations often look like dramatic, revolutionary events to those observing from the outside, but they feel like organic, cumulative processes to people on the inside. The confusion of end outcomes (dramatic results) with process (organic and cumulative) skews our perception of what really works over the long haul.

- No matter how dramatic the end result, the good-to-great transformation never happened in one fell swoop. There was no single defining action, no grand program, no one killer innovation, no solitary lucky break, and no miracle moment.

- Sustainable transformations follow a predictable pattern of buildup and breakthrough. Like pushing on a giant, heavy flywheel, it takes a lot of effort to get the thing moving at all, but with persistent pushing in a consistent direction over a long period of time, the flywheel builds momentum, eventually hitting a point of breakthrough.

- The comparison companies followed a different pattern, the doom loop. Rather than accumulating momentum, turn by turn of the flywheel, they tried to skip buildup and jump immediately to breakthrough. Then, with disappointing results, they'd lurch back and forth, failing to maintain a consistent direction.

- The comparison companies frequently tried to create a breakthrough with large, misguided acquisitions. The good-to-great companies, in contrast, principally used large acquisitions after breakthrough, to accelerate momentum in an already fast-spinning flywheel.

Unexpected Results

- Those inside the good-to-great companies were often unaware of the magnitude of their transformation at the time; only later, in retrospect, did it become clear. They had no name, tag line, launch event, or program to signify what they were doing at the time.

- The good-to-great leaders spent essentially no energy trying to "create alignment," "motivate the troops," or "manage change." Under the right conditions, the problems of commitment, alignment, motivation, and change largely take care of themselves. Alignment principally follows from results and momentum, not the other way around.

- The short-term pressures of Wall Street were not inconsistent with following this model. The flywheel effect is not in conflict with those pressures. Indeed, it is the key to managing them.

- Spending time and energy trying to "motivate" people is a waste of effort. The real question is not, "How do we motivate our people?" If you have the right people, they will be self-motivated. The key is to not de-motivate them. One of the primary ways to de-motivate people is to ignore the brutal facts of reality.

Monday, March 20, 2006

SOC in China

After 2003 in China, SOC (Security Operations Center) has kept the security market abuzz. Luckily, I got the opportunity to manage the first SOC project in China. In Nov. 2002 I kicked off the first SOC project internally, when I worked for iS-One as the Chief Strategy Officer. After the project initiation, I dug through a lot of web information related to SOC.

At that period of time, SOCs were mainly built and operated by MSS (Managed Security Service) providers, e.g. ISS had six SOCs globally. I tried to transfer the concept of SOC from MSS to enterprise security operations and was lucky to win the customer's buy-in. At that time we did not have such a product or even a Proof of Concept (PoC) platform at all. We negotiated with eSecurity and made the final decision to build our first SOC upon it.

The first SOC project was finished around June 2003, and thereafter SOC became a warming-up security market opportunity. Today most of the major players in the China security market claim to have their own SOC platforms and solutions, while many enterprises are starting to plan and build their own SOCs. It should be mentioned that most of these SOC projects do not reach their initial expectations. While SOC was becoming popular in the enterprise security management area, a few pioneer security companies in China began to make their fortune in the MSS market with SOC. 263.com, Unihub, Beijing Capital Information Co. etc. tasted this market early, around 2002, but they found it difficult to make a profit. A major security vendor, Topsec, rolled out their SOC to provide MSS services in 2004, built on the SOC product from ArcSight, while MSS is one of the meanings by which another major security vendor, Venustech, interprets its M2S vision. To be optimistic, SOC has been entering a new stage where it serves both enterprise internal security operations and MSS providers.

Thursday, March 16, 2006

"Common Weakness Enumeration" Added to CVE Web Site

On March 15, 2006, according to the official news from mitre.org, a new effort leveraging CVE entitled the "Common Weakness Enumeration (CWE)" was added to the GET CVE page on the CVE Web site.

CWE is a community-developed formal list of common software weaknesses, idiosyncrasies, faults, and flaws. The intention of CWE is to serve as a common language for describing software security vulnerabilities, a standard measuring stick for software security tools targeting these vulnerabilities, and as a baseline standard for vulnerability identification, mitigation, and prevention efforts. Leveraging the diverse thinking on this topic from academia, the commercial sector, and government, CWE unites the most valuable breadth and depth of content and structure to serve as a unified standard. Our objective is to help shape and mature the code security assessment industry and also dramatically accelerate the use and utility of software assurance capabilities for organizations in reviewing the software systems they acquire or develop.

Based in part on the CVE List's 15,000 plus CVE names—but also including detail and scope from a diverse set of other industry and academic sources and examples including the McGraw/Fortify "Kingdoms" taxonomy; Howard, LeBlanc and Viega's 19 Deadly Sins; and Secure Software's CLASP project; among others—CWE's definitions and descriptions support the finding of common types of software security flaws in code prior to fielding. This means both users and developers now have a mechanism for ensuring that the software products they acquire and develop are free of known types of security flaws by describing their code and assessment capabilities in terms of their coverage of the different CWEs.

The new section includes the CWE List, offered in a detailed Taxonomy view and a high-level Dictionary view; an About section describing the overall CWE effort and process in more detail; a Compatibility page; a Community Participation page; and list of Sources.
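To make concrete what "a common language" and "a standard measuring stick" mean for tool users, here is an added example written for this page (not MITRE's code and not from the original post). It assumes two hypothetical scanners, scannerA and scannerB, each with its own vocabulary for flaw types, a constructed mapping from those labels to CWE IDs, a handful of constructed findings, and a constructed acquisition policy that names the CWEs a tool must be able to report. The CWE IDs used (CWE-22, CWE-79, CWE-89, CWE-120) are real entries from the CWE list; everything else is illustrative.

```python
"""Using CWE as a common language for scanner findings and tool coverage.

Added example for this page, not MITRE's or the original post's code.
Tool names, native labels, the mapping, the findings and the required
set are all constructed; only the CWE IDs are real CWE entries.
"""
from collections import defaultdict

# Constructed: two hypothetical scanners with their own vocabulary for
# flaw types. In practice a tool ships such a mapping or emits CWE IDs.
TOOL_TO_CWE = {
    "scannerA": {
        "xss": "CWE-79",
        "sqli": "CWE-89",
        "strcpy_overflow": "CWE-120",
    },
    "scannerB": {
        "Cross-Site Scripting": "CWE-79",
        "Directory Traversal": "CWE-22",
    },
}

# Constructed sample findings: (tool, native label, file, line).
FINDINGS = [
    ("scannerA", "xss", "web/search.php", 42),
    ("scannerA", "sqli", "web/login.php", 88),
    ("scannerA", "strcpy_overflow", "daemon/parse.c", 17),
    ("scannerA", "unknown_thing", "daemon/parse.c", 99),
    ("scannerB", "Cross-Site Scripting", "web/search.php", 42),
    ("scannerB", "Directory Traversal", "web/download.php", 12),
]

# Constructed: CWEs a hypothetical acquisition policy requires a tool to
# be able to report before the assessed product is accepted.
REQUIRED_CWES = {"CWE-22", "CWE-79", "CWE-89", "CWE-120"}


def normalize(findings, mapping=TOOL_TO_CWE):
    """Translate each tool's native label into a CWE ID.

    Returns (normalized, unmapped): normalized holds
    (cwe, file, line, tool) tuples; unmapped lists (tool, label) pairs
    the mapping does not know, so gaps are surfaced rather than lost.
    """
    normalized, unmapped = [], []
    for tool, label, path, line in findings:
        cwe = mapping.get(tool, {}).get(label)
        if cwe is None:
            unmapped.append((tool, label))
        else:
            normalized.append((cwe, path, line, tool))
    return normalized, unmapped


def coverage_by_tool(mapping=TOOL_TO_CWE, required=REQUIRED_CWES):
    """Which of the required CWEs can each tool report at all?

    Coverage is a property of the tool's vocabulary, not of one scan:
    a tool that cannot express CWE-89 will never report SQL injection,
    however many times it is run. Returns sorted lists for stable output.
    """
    result = {}
    for tool, labels in mapping.items():
        covered = set(labels.values()) & required
        result[tool] = {
            "covered": sorted(covered),
            "missing": sorted(required - covered),
        }
    return result


def dedupe_across_tools(normalized):
    """Merge findings that different tools report for the same CWE at the
    same location, so one flaw is counted once and tool agreement shows.
    Returns {(cwe, file, line): [tools...]}."""
    merged = defaultdict(set)
    for cwe, path, line, tool in normalized:
        merged[(cwe, path, line)].add(tool)
    return {key: sorted(tools) for key, tools in merged.items()}


if __name__ == "__main__":
    normalized, unmapped = normalize(FINDINGS)
    for tool, report in coverage_by_tool().items():
        print(tool, "covers", report["covered"], "missing", report["missing"])
    for (cwe, path, line), tools in sorted(dedupe_across_tools(normalized).items()):
        print(f"{cwe} {path}:{line} reported by {', '.join(tools)}")
    print("unmapped labels:", unmapped)
```

The useful output is not the list of findings but the "missing" column per tool: it is the coverage statement the announcement describes, expressed in CWE terms rather than in each vendor's own names, and the unmapped list shows where a vendor's vocabulary has not yet been reconciled with the CWE list.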


Monday, March 13, 2006

OSVDB says no to Mitre

What is the status of the current vulnerability management market? Is CVE enough? Do you agree that Mitre controls your vulnerabilities? OSVDB says no to Mitre. See the comment from OSVDB (Open Source Vulnerability Database):

Vulnerability research is straightforward. There isn't a lot of black magic and secret arts when it comes to finding vulnerabilities. For the most part, 99% of vulnerabilities are very well documented (even if the 'researcher' doesn't document it), easy to understand by others in the field, and leave little to the imagination. It has been years since we've seen a truly new class of vulnerability surface. If I post details of an overflow of *any kind* to this list, there are a hundred folks that can digest what I post in seconds, then go to town on me for not going into details, not looking at VectorX, FunctionY or Z.c =) The other side of vulnerability disclosure is the human element. The sociology and mindset behind what we do, and why we do it. This is the angle that has interested me for years, and the type of book I will grab before any 'technical' (generous term usually) security/hacking book. Not only are there dozens of questions that can be asked of the researcher about his mindset and ethical views, there are countless other people involved in the process. Does the researcher have partners? Is he an employee of a security company? What vendor is he dealing with? Which vendor is it? How many people is he dealing with on the vendor side?

Click to see the original post.