Another "ground-breaking column" in Network Magazine (do we still say "in" when it is "on" the web page?). No, I am being unduly sarcastic. As I will suggest, it is not their problem, but ours.
The column, by Art Wittmann, is "Security Is an Architecture, Not an Appliance." The premise: "The idea that security starts and ends with a prepackaged firewall is simply misguided." His column is right on target. But don't we know this already? (And I suppose we do, but many people do not.) A search for "Firewalls are not enough" turns up 649 hits, including a paper I wrote that originally appeared in the Proceedings of the 17th National Computer Security Conference... in October 1994 and another I wrote—the cover story—for Information Security Magazine, "Firewalls: Are We Asking Too Much?" That was in May, 1999.
What new information does Wittmann's column add? None, really. And to be fair, it is really just meant to be a lead-in to the magazine's current issue (not sure what month—I cannot tell from their web page) that discusses host-based IPS technologies.
This seems to me to be part of the trends I related in "History Lost" and "The Same Old Drum Beat." Yes, application-specific controls are needed. Yes, firewalls are not and never have been enough. Nevertheless, we apparently have communicated, and continue to communicate, to those with less clue than we have (see Seven Things to Help Keep Sanity and Equilibrium) that they are. I suspect, as I have for quite a few years, that the problem stems from the dilution of the network security clue-pool with those who took a course or two, got certified, and hung out a "security" shingle. As I rapidly approach a half-century of life, I am not suggesting anything radical. Just that the lack of practical experience may be part of the problem, and—as I suggest elsewhere—may be what leads us to repeatedly cover the same ground. I am not just ranting here, but I have no solutions to offer except that people do their homework. Some of our latest discoveries were already discovered many years ago.


Thanks for the pointer, Erling. I never heard of The Jericho Forums before.