Re: Down To Business: It's Past Time To Elevate The Infosec Conversation
Forwarded from: security curmudgeon
: http://www.informationweek.com/news/security/client/showArticle.jhtml?articleID=207100989
:
: By Rob Preston
: InformationWeek
: April 12, 2008
: (From the April 14, 2008 issue)
:
: Last year, RSA chief Art Coviello championed industry consolidation,
: arguing that as a handful of major vendors (EMC, Cisco, IBM,
: Microsoft) built security into their infrastructure platforms,
: standalone security challengers would fall by the wayside--all within
: three years. "If I'm proven wrong about the timing," Coviello said
: last year, "I won't be proven wrong in the need for this." The likes
: of Symantec and McAfee begged to differ, and the industry continues to
: debate the strengths and weaknesses of all-in-one security
: architectures.
I think Mr. Coviello should also champion "all hackers laying down their
virtual weapons" as it is probably just as likely to happen as vendors
like Cisco or IBM eliminating simple vulnerabilities (let alone the
complex ones).
IBM is still having problems with simple buffer overflows:
2008-03-11 - IBM AIX reboot Local Overflow
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1601
Cisco is still using default accounts and passwords:
2008-01-23 - Cisco Application Velocity System (AVS) System Accounts Default Password
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0029
RSA still can't properly enforce a blacklist:
2008-03-17 - RSA SecurID WebID RSA Authentication Agent (IISWebAgentIF.dll) postdata Variable Blacklist Bypass
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1470
When companies can get over the small hurdles, then perhaps we can
tackle the bigger issues and shoot for three year time frames.
: More than 80% of the IT, security, and business executives RSA
: recently surveyed with IDC "admit that their organizations have shied
: away from business innovation opportunities because of information
: security concerns," Coviello told the RSA audience. The main
: challenge: Move the internal conversation about security away from
: fear mongering and worst-case scenarios toward how security can
: augment new products and services. Or at least don't get in the way.
: It's tantamount to the security pro's Hippocratic oath: First, do no
: harm.
Move away from fear-mongering, but RSA proudly lists Ira "I can steal a
billion dollars from any company" Winkler as a blogger. Good start!