• Notebook searches at a country border

    You probably still remember the discussions a while ago when it was made public that notebooks can be searched without any suspicion when you cross the border into the US. Actually, as far as I understand it, this can happen anywhere. To be clear: I am not a lawyer, I am an engineer. However, when I discussed this with a lawyer, he explained to me that anything I carry with me when I cross a border can be searched – something we have got used to, no? The notebook is just part of the “anything” in that statement.

    So the nervousness is really about the customs officer keeping the notebook and getting access to the data. That is scary, but again: is this any different from carrying paper across the border? Except for the sheer volume, no. If you carry confidential documents across any country’s border, the customs officer can search you and have a look at your papers.

    So far so good, but it seems that some customs officers took their time when they actually wanted to search a notebook – a few months, up to a year. They simply kept it. Now a court in the US has ruled that this is illegal: Judge limits DHS laptop border searches

    So, while the search at entry still seems acceptable for the reasons I gave above, the confiscation of a computer for a longer period of time seems to be illegal. It will be interesting to see how this develops.

    Roger

  • The Growth of the Tablet Market

    As you know, we have had Tablet PCs since Windows XP, and I think I have not had many PCs at Microsoft that were not tablets. How often do I use them as a tablet? Not too often, but when I am in a customer meeting and am not using my notebook to present, I use it to take notes. That is basically the one application I use it for, and it does good service there.

    The question often is why Tablet PCs never really took off broadly – and I do not know. Now Apple has launched the iPad, and even before it was on the market, tablets were hyped – great marketing, I have to admit. And then, finally, I read this article today: Tablets to outsell netbooks by 2012, report says – wow. The interesting part of the article is this: Consumers “didn’t ask” for tablets. Apple is successfully teaching consumers to want the iPad – as I said: great marketing, great demand generation.

    Let’s see whether this really happens the way Forrester predicts.

    Roger

  • Is a Copier Your Biggest Security Risk?

    Probably not. However, it definitely is a security risk. We have been talking about this for a looooooong time, as such copiers – digital copiers that keep an image of every scanned page on an internal hard drive – have been sold since 2002. I just recently heard that criminals are looking into this heavily, and now it is even discussed publicly on CBS News: Copy Machines, a Security Risk?

    It is actually a really good video.

    Roger

  • Mature your IT and then move to the Cloud

    Today I had the opportunity to talk to a group of partners about the Cloud and security. The goal was to make them ready for the Cloud and ready to answer their customers’ questions. One block – obviously – was about security, and as I see it (and as I said), this starts with the customer’s own processes. In addition, you need a clear data classification scheme that is actually implemented. I am convinced that a Cloud provider which offers the needed transparency and a secure environment (and does not just tell you that they are as secure as, e.g., a bank) will often reduce your risk exposure – provided your overall IT organization is mature enough.

    Now I read this study: New Study Says Senior Leaders are Increasingly Distant from Security, Privacy – a study by Carnegie Mellon, and therefore not from a consulting company that wants to sell services. To look at some of the data, quoting the article:

    Westby says a comparison of the level of board participation in key areas for IT security governance shows the facts:

    • Review/Approve Annual Budgets - Sixty-one percent of 2010's respondents say they never review budgets, compared to only 40 percent from the previous survey.
    • Review/Approve Top-Level Policies - 2010's survey shows that 33 percent say they never do, compared with 23 percent previously.
    • Review/Approve Roles & Responsibilities - 43 percent of respondents say they never take part re: IT security personnel, compared with only 28 percent last time.

    And these are the customers who want to move to the Cloud? In my opinion the board is key when it comes to risk management; they have to get involved and take part in it.

    Is this the board’s fault? That would be too easy, from my point of view. It is just the way a lot of security professionals handle this problem: they complain that the board is not interested in such topics. What did we as a community do to change this? In the best case we implement a risk management process and include the board in it – and then speak techie language, not the board’s language. We rarely show how a risk might affect the business process; we show how it affects the technology. Last but not least, we never show the board how we could use security to help the business grow.

    Let’s stick with the Cloud for a second. The standard security person tells his or her board that we cannot go to the Cloud because of security (I have heard that very, very often). Why do we not approach it the other way round: we should actually move our “company internal” data to the Cloud to reduce cost and increase security. This is true in a lot of cases.

    All of a sudden security becomes an asset instead of a blocker – we have to change our attitude! It starts with us!

    Roger

  • Open Source and Hackers

    The debate is probably as old as the Open Source software development model: which one is more secure, Open Source or shared source as we run it at Microsoft? I know that we could now enter a religious debate about that, which I do not want to, as I do not really believe in the value of such a debate.

    However, it is always interesting to see who looks at this debate in which way. Does it help security if everyone can see the code, or does it help the attackers? We have a program which we call the Government Security Program, giving governments access to our source code under certain conditions (e.g. protection of intellectual property). Sometimes we have the debate with government officials whether having access to the code could give an attacking government an advantage in the area of cyberwar or cyber espionage. Looking at that debate, Open Source would be even worse, as it means access for everybody.

    Now I just read this article: Open-Source Could Mean an Open Door for Hackers. It is about a paper that looked at data from Intrusion Detection Systems; its finding is that flaws in open-source software tend to be attacked more quickly and more often than vulnerabilities in closed-source software. An interesting statement, given that we know there are more vulnerabilities in Open Source software than in shared source, and fairly often that is because no process is enforced to engineer security into the product from the beginning.

    Another thing which is important to me: “As defenders get out their patches, the attackers have more incentive to move on to a different exploit,” Ransbotham [the author of the paper] says. In other words, having a strong incident response process (besides the engineering process) is at least as important.

    This should be something the industry adopts. We have made our engineering process, the Security Development Lifecycle, public, and I think our incident response process is widely known as well and is considered a best practice. So, something people should finally come to adopt.

    Roger