musings on security and other topics
A Short Review of PDA Defense
At a recent
Institute for Applied Network Security Forum, I handed my PDA to my friend
and colleague, Robin Roberts of Cisco, to show her some family photos.
"You don't use an encryption program?" she asked. I just looked at her sheepishly. "PDA Defense,"
she said.
So, I went and downloaded a trial version of
PDA Defense.
PDA Defense provides access control for your PDA (in my case, a Palm Computer®),
as well as strong encryption to protect its contents. You can control which files or applications are
encrypted (my calendar, contacts, and email, yes; my Bible and photos, no).
You can set which applications or databases get wiped (destroyed) after too many
wrong password attempts, and you can also have it
destroy all records after too many failed attempts at the initial "login."
("That is just a loaded gun aimed at my head," Robin said.)
It also lets you require a password on any and all application launches. So, for example,
if my company policy were to protect my corporate email records on my PDA with
a password, I'd need a password to access my PDA, and would have to provide it again
to get at my email.
It works, it is usable, and fairly painless. Does your organization have a policy
that covers the security of PDAs?
Cryptography and Criminal Intent
slashdot points to
this Computerworld story
that says, "A Minnesota appeals court has ruled that the presence of
encryption software on a computer may be viewed as
evidence of criminal intent."
Maybe we have no one to blame but ourselves. Encryption software on a PC
should be as commonplace as AV software. The technology has been around, and
"products" available for almost 20 years. But, it is still rare enough that a jury
can be convinced that only criminals have something to hide.
I've no sympathy at all for people who prey on children.
(See
A Really Ugly Side of the Internet.)
But, when will crypto be ubiquitous?
For some background on the availability and use of crypto on computers,
see:
Five Reasons I Hate Computer and Network Security
I just checked my
Vitae -- I've been doing this (computer and network security)
full-time since 1992, and part-time for a few years before that.
As may be evident from recent blog postings, such as
The Same Old Drum Beat, I've become more
curmudgeonly. As charming as that might be in me, it is in no way
a desirable attribute. So, I wondered, just what is it that bugs me about
this field in which I've (sort of) made a name and (sort of) made a living?
I came up with a list of the five reasons I hate computer and network security.
- There's no way to get to a solution. It is a moving target! There are always more
and bigger threats. Or, more precisely, there are similar threats manifested in bigger and badder
ways.
On the other hand... Ecclesiastes says (1:9-10), "What has been is what will be done, and
there is nothing new under the sun. Is there a thing of which it is said,
'See, this is new'? It has been already in the ages before us."
So, we can use variations of what has worked in the past, in new ways perhaps.
Rather than making it frustrating, that should be what makes the job interesting. No?
- With users, everyone does what he or she wants anyway.
The apostle Paul -- not specifically referring to our topic -- wrote,
"As it is written, 'none
is righteous, no not one: no one understands... all have turned aside... no one
does good, not even one.'" (Romans 3:10 ff.) Even earlier than that, the writer
of the Book of Judges wrote, "Everyone did what was right in his own eyes." (Judges 17:6.)
So, the security person is always the bad guy to the users.
On the other hand... in Matthew's gospel, we find this: "When he saw the crowds, he had compassion
for them, because they were harassed and helpless, like sheep without a shepherd."
Hmmm. Okay, they really do need a shepherd. Think of what the users would do without
some direction, some guidance, some tempering of their destructive tendencies. Yes, they are smelly, but
they sure do look cute. And they do need help.
- With upper management, it's the same old battles.
They have a short attention span when it comes to technology. Unless they are
technologists, and then they won't stop suggesting tweaks. And all they care
about is making money.
On the other hand... it really is about making money. Put another way, "security" is about
managing risk which is short-hand for "managing risk and maximizing business." So, in an
annoying way, they are just doing their jobs.
- Those darned users are never satisfied.
They just want more, more, and more. They don't listen to reason. As I said in
Seven Things...,
"We ask for requirements, they give us solutions," and their
"requirements are wants or desires in disguise."
On the other hand... as I said later in the same blog entry,
"It is the responsibility of the clueful to clue in the clueless." And, remember,
they need a shepherd.
- Security practitioners keep going over the same ground, sometimes reinventing
solutions, but under a different name. We're also enamored with analogies.
Recently, I read a reference to a post to a mailing list I usually read. The mailing list
post referred to four critical attributes of security that are likened to the four legs of
a stool. A great analogy? Well, sort of. It works perfectly as an analogy if we're talking about
a three-legged stool (which won't stand at all if one leg is missing). But, four legs minus one?
Or a five-legged stool?
I suppose it is weaker. (Though, I guess, I really mean the analogy.)
We want to make analogies between the network world and the physical
world. We draw bricks and moats, castles and draw bridges. We forget about history in our own
discipline.
On the other hand... No. No, there isn't an "other hand" for this one.
The Same Old Drum Beat
A few weeks ago at Interop, Marcus Ranum penned (okay, he 'keyed?') an editorial,
"What is 'Deep Inspection?'"
Well-written, of course, and more detailed than anything I've recently written, of course.
I commend it to your reading.
In March 2004, in less detail, I wrote about the subject of forgetting history in our discipline,
under the title
Security Redux. In it I discussed the security of firewalls coming back, but
never quite getting all the way back, to the things that Marcus and others taught in
the early 1990s. In September 2003, I wrote an Information Security Magazine column,
Debunking the Firewall Hype.
My question is... why are we still writing about this? Why is Marcus? Or, better yet,
why don't we get it? He writes,
"Customers need to understand their objectives and requirements,
so they can best select technology that facilitates their mission."
Absolutely true. But, that could have been written in the late 1980s.
Heck, it probably was -- by Marcus.
Then this afternoon I got some spam sent through my Information
Security Magazine mailbox (I guess I
keep it in case they ever want me back :-)). It was an invitation from a
PR firm to interview the president of
one of their client companies. According to this email, he is a
"'White Knight' professional hacker. A world-recognized expert in security issues..."
I'd never heard of him, but I've
only been doing this for 20 years. "The Hook" to the proposed interview --
"Security is an ongoing process, NOT just a product."
Well, stop the presses!
And another new and revolutionary idea: "Continued awareness and prevention is the mantra
that is being evangelized by"
the White Knight guy. They go on to say, in this enticement to call him for an interview,
"The Facts: Companies and individuals are too passive, even complacent,
when it comes to safeguarding their networks and PCs."
Brilliant, eh? They invite me to speak to him "to gain a 360 degree
perspective about the ongoing challenges of security breeches and fixes
faced by organizations and individuals."
I don't know whether to laugh or cry.
No, that is a lie. I laughed.
When are we going to get it? When can we move on to other things?
Phishing -- Just say "no"
This is just a friendly reminder... not to you, but to the people you know
who are not technical. According to this
article in The Register, phishers are trying harder.
Remind your aunt, your mom and dad, your grandmother -- remind anyone
who has a bank account or credit card -- that financial institutions
have phone numbers and web addresses (well, most of them). Never click on a URL
in an email message from your bank or credit card company, at least not
one you don't expect. Open a browser and retype it in yourself. "But," you say,
"I can't waste such time. Time is money!"
Exactly.
Schneier on Spam
Last week at Interop,
at Secure E-mail Day, one of the discussion topics was spam.
I've written on the subject, for example
here,
here,
and here.
Bruce Schneier writes about e-mail spam and VoIP spam in
Combating Spam.
Security Limerick
As I mentioned here, "it is traditional, at the faculty-hosted
'Gala Dinner' of
the
Institute for Applied Network Security Forum, for the faculty to be
the entertainment. It is also traditional for faculty-member Marcus Ranum
to come up with the assignment." This year it was almost
limericks. Instead it was a version of "Mad Libs." I did one, but using
a limerick.
To "get" the limerick's references, you need to read
this history of the
Firewall Toolkit.
The limerick:
There once was a manager, Fred,
who to his best programmer pled,
"Make me a SEAL,"
and so with great zeal,
"It won't be a PIG," Marcus said.
Apology
I've been preoccupied with personal things and busy-ness with work.
All good, none bad. But, I thank those of you who noticed my lack of
writing here. And thanks for hanging in.