<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Disqus - Latest Comments for rybolov</title><link>http://disqus.com/people/f85f6407832063837f164c56a1db1107/</link><description></description><language>en</language><lastBuildDate>Mon, 16 Mar 2009 10:00:46 -0000</lastBuildDate><item><title>Re: Two Cultures?</title><link>http://tlf.disqus.com/two_cultures/#comment-1451466</link><description>You're so right it hurts.  Although you guys don't talk about my favorite subject of information security management, I'm rapidly becoming one of your fanboys. =)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">rybolov</dc:creator><pubDate>Fri, 06 Jul 2007 12:51:31 -0000</pubDate></item><item><title>Re: The Technology Liberation Front  » Archive   » Why buy when you can regulate for free?</title><link>http://tlf.disqus.com/the_technology_liberation_front_raquo_archive_raquo_why_buy_when_you_can_regulate_for_free/#comment-1451885</link><description>It's all about what we call "switch costs".&lt;br&gt;&lt;br&gt;For a long time the tech industry has tried to avoid compatibility in order to lock users into their technology.  IBM did it (think both mainframe era and &lt;i&gt;the&lt;/i&gt; IBM PC), Microsoft sure does it (monopolistic behavior), Cisco does it sometimes (EIGRP), the "last mile" service providers do it (try running your own cable line and it gets cost-prohibitive really quick).  Sometimes, the technology is cheaper because of the tight vertical integration, other times it's more expensive because the vendor knows that you can't afford the switch costs.&lt;br&gt;&lt;br&gt;It also makes sense because as a vendor/contractor, you'll amortize the initial standup costs to average out over a period of time--say, a year.  
If your customers leave prior to that year, then you lose money on the whole deal.&lt;br&gt;&lt;br&gt;The only people who want compatibility are users who like low switch costs and vendors who sell infrastructure that has to plug into everything else.  Yes, that's the majority of the populace.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">rybolov</dc:creator><pubDate>Tue, 28 Aug 2007 10:33:26 -0000</pubDate></item><item><title>Re: Why DRM Doesn’t Work</title><link>http://tlf.disqus.com/why_drm_doesn8217t_work/#comment-1452219</link><description>Once again, it's not the technology that needs to change, it's the business model.  The more that the message gets out, the better we all are in the end.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">rybolov</dc:creator><pubDate>Wed, 10 Oct 2007 13:29:08 -0000</pubDate></item><item><title>Re: E-Gov Act reauthorization: A new hope for XML?</title><link>http://tlf.disqus.com/e_gov_act_reauthorization_a_new_hope_for_xml/#comment-1452567</link><description>Hi guys&lt;br&gt;&lt;p&gt;Check out &lt;a href="http://www.emergentchaos.com/archives/2007/11/how_government_can_improv.html" rel="nofollow"&gt; Adam Shostack's thoughts on what good the government can do&lt;/a&gt;.  You guys are very much in line with each other here.&lt;/p&gt;&lt;br&gt;&lt;p&gt;I think the trick is to have the data behind the data, and that's where xml and other importable data structures come in.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">rybolov</dc:creator><pubDate>Tue, 13 Nov 2007 20:20:08 -0000</pubDate></item><item><title>Re: Which Law Firm Practice Wins - Government Contracts or Privacy?</title><link>http://tlf.disqus.com/which_law_firm_practice_wins_government_contracts_or_privacy/#comment-1452714</link><description>It's the Donald Kerr version of privacy, not the "Dining Cryptographers" version of privacy. 
=)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">rybolov</dc:creator><pubDate>Mon, 26 Nov 2007 15:22:14 -0000</pubDate></item><item><title>Re: Sunlight is the Best Disinfectant</title><link>http://tlf.disqus.com/sunlight_is_the_best_disinfectant/#comment-1453584</link><description>Hi Jim&lt;br&gt;&lt;br&gt;Do what they do in Big-4 accounting firms:  since you cannot audit a company that you have a financial interest in, they have a database of holdings.  It can work 3 ways:  you can be notified when a conflict of interest exists, you can disqualify yourself from official business because you have financial interests, and you can remove your financial interests in order to avoid a conflict of interest.&lt;br&gt;&lt;br&gt;Unfortunately, this carries yet another overhead burden for our bureaucrats.  And then there's the practicality of it:  everybody has an interest, even when it's an indirect interest (holdings of spouse or other family members).&lt;br&gt;&lt;br&gt;Point is, there already are useable models out there in the accounting world that we can adopt.&lt;br&gt;&lt;br&gt;Interesting to note that in rejecting to hear the Microsoft/Novell appeal, Justice Roberts abstained from the vote because he is a MS shareholder.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">rybolov</dc:creator><pubDate>Mon, 17 Mar 2008 22:56:55 -0000</pubDate></item><item><title>Re: Do you have the “S.I.G.N.S.” of Net / video game addiction?</title><link>http://tlf.disqus.com/do_you_have_the_8220signs8221_of_net_video_game_addiction/#comment-1453604</link><description>I can stop anytime I want to, I just choose to be like this.  No, really.  
=)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">rybolov</dc:creator><pubDate>Thu, 20 Mar 2008 10:59:53 -0000</pubDate></item><item><title>Re: Lost Laptop Follies, Part 7:  NIH Loses Health Records</title><link>http://tlf.disqus.com/lost_laptop_follies_part_7_nih_loses_health_records/#comment-1453649</link><description>Hmmm, it seems to me that each agency was required in July 2007 by OMB to have a breach notification policy within 120 days.  &lt;a href="http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf" rel="nofollow"&gt;http://www.whitehouse.gov/omb/memoranda/fy2007/...&lt;/a&gt;&lt;br&gt;&lt;br&gt;Also, just so you know, the Government Accountability Office has nothing to do with accountability, they're just the auditors for Congress.  It sounds loftier than it really is. =)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">rybolov</dc:creator><pubDate>Mon, 24 Mar 2008 14:59:10 -0000</pubDate></item><item><title>Re: Lost Laptop Follies, Part 7:  NIH Loses Health Records</title><link>http://tlf.disqus.com/lost_laptop_follies_part_7_nih_loses_health_records/#comment-1453650</link><description>Hmmm, it seems to me that each agency was required in July 2007 by OMB to have a breach notification policy within 120 days.  &lt;a href="http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf" rel="nofollow"&gt;http://www.whitehouse.gov/omb/memoranda/fy2007/...&lt;/a&gt;&lt;br&gt;&lt;br&gt;Also, just so you know, the Government Accountability Office has nothing to do with accountability, they're just the auditors for Congress.  It sounds loftier than it really is. 
=)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">rybolov</dc:creator><pubDate>Mon, 24 Mar 2008 14:59:25 -0000</pubDate></item><item><title>Re: The Technology Liberation Front  » Archive   » Internet Habits and the Presidency</title><link>http://tlf.disqus.com/the_technology_liberation_front_raquo_archive_raquo_internet_habits_and_the_presidency/#comment-1455100</link><description>Hi Sonia&lt;br&gt;&lt;br&gt;My theory is that the upcoming election is more about generational issues than anything:  it's the political power of the Baby Boomers against Generation X and the Millennials.  If the time for a changing of the guard is not this election, it definitely will be in 2012.&lt;br&gt;&lt;br&gt;The interesting thing to me is that both candidates disguise the generational issue with words like "change" or "Internet literacy".</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">rybolov</dc:creator><pubDate>Mon, 28 Jul 2008 11:57:08 -0000</pubDate></item><item><title>Re: Promoting &amp; Upgrading the TLF</title><link>http://tlf.disqus.com/promoting_038_upgrading_the_tlf/#comment-5482131</link><description>Hey guys, your twitter stream gives me the same value as your RSS feed.  I'll follow you on twitter when you do something different on it that I can't get out of a feed reader.  =)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">rybolov</dc:creator><pubDate>Thu, 22 Jan 2009 19:13:18 -0000</pubDate></item><item><title>Re: The Key to Open Government is Through Processes, not Products</title><link>http://tlf.disqus.com/the_key_to_open_government_is_through_processes_not_products/#comment-6239188</link><description>Hi Braden&lt;br&gt;&lt;br&gt;We get too fixated on products and vendors when we don't know what the specific requirements are.  
In other words, for as much talk as there is about transparency, nobody knows what it really means so they want to get somebody else to define it for them.  The downside is that if you're selling a service or product, you can make the requirements fit exactly what it is you're trying to sell.&lt;br&gt;&lt;br&gt;Organizational Conflict of Interest.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">rybolov</dc:creator><pubDate>Fri, 13 Feb 2009 09:50:08 -0000</pubDate></item><item><title>Re: A Federal Takeover of Cyber Security?</title><link>http://tlf.disqus.com/a_federal_takeover_of_cyber_security/#comment-7253734</link><description>Hi Jim and Tim&lt;br&gt;&lt;br&gt;The key problem for security is mentioned in the Princeton podcast: there is a shortage of skilled labor and a shortage of people who are cross-trained into having some security skills.&lt;br&gt;&lt;br&gt;One thing I want to make clear: there is no return on investment for security.  Security is a cost, and only in very rare circumstances is there a return on security costs.  Instead, good security is cost reduction or loss prevention, an entirely different model.&lt;br&gt;&lt;br&gt;We do have some industry self-regulation happening.  PCI-DSS is a good example.&lt;br&gt;&lt;br&gt;I do see a disconnect in Jim's article.  Forensics do not equal liability, they equal the ability to track down the "real" evildoer, but you still might have an issue of negligence.  Negligence is a better model for us to look at when we set public policy.&lt;br&gt;&lt;br&gt;If you really want to push security in public policy, have a look at the various data breach laws that have been pushed.  S.459 comes to mind.  
&lt;a href="http://thomas.loc.gov/cgi-bin/bdquery/z?d110:S495:" rel="nofollow"&gt;http://thomas.loc.gov/cgi-bin/bdquery/z?d110:S495:&lt;/a&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">rybolov</dc:creator><pubDate>Mon, 16 Mar 2009 10:00:46 -0000</pubDate></item></channel></rss>