Good point Alan...

One additional comment, as I read all of the schadenfreude laden blogs: If this breach was given a root analysis, you'd probably have to point the finger at a very basic element in risk management - "tuam cognoscere proprietas." That is, know your assets!

If you don't have a good inventory of your assets and do not apply a good configuration management practice to those assets, you can't protect them. This isn't about firewalls, and IDS, and all of the best tools and toys on the market. As you walk the floor of the upcoming RSA Conference, remember that it comes down to the most basic business processes that will provide the best bang for the buck in terms of risk management, not all of the gadgets.

While a switch to this technology is something that I encourage, it does take some serious consideration. We had to distribute the SSL certs to all of the internal clients and there were some problems with how that was handled - not a fault of the firewall, but of processes that hadn't been properly worked out. We also had some issues with a lot of our custom applications. These could not be filtered to the extent I had hoped for. Writing rules requires assistance from PA and it's a pain. NAT'ing is not as robust as I get from Cisco ASAs. Throughput was not an issue at all.

These are not install-and-forget devices, because you're dealing with application and user mappings. It takes a different mindset than an infrastructure tool that is relatively static. My recommendation to the company was to not do a complete replacement, but to phase into the technology to give people time to adjust to learn the nuances of maintaining these devices.

I always liked the best-of-breed solutions, which runs contrary to the trend. When you get a security company that offers "all the above" solutions, you can't just buy one thing. They always try to sell you a suite or a pseudo-integrated solution where the only integration point is the logo. I think the IBM purchase of ISS wasn't a good culture mix and X-Force is now a shadow of its former self. I hope HP doesn't kill Arcsight the way so many other great products have been when they get acquired. I still don't get the Intel / McAfee deal. Symantec has its own issues as it struggles to be more than just a security company with their archiving and other projects. I am not sure it is a good acquisition option unless they get split up. Looking at their revenue, and the sale price of these other companies, they won't be cheap and there are not many companies that can afford them. Dell certainly can't. Perhaps Oracle may since Ellison is looking for any way to stick it to HP.

Looks like they patched the issue:
http://www.macworld.com/article/152923/2010/07/fi...

Follow-up Post:
http://threatpost.com/en_us/blogs/researcher-show...

Researcher to Show Off GSM Intercept Attack at Defcon, Las Vegas, July 2010.

Saad, great comments! I actually agree with you to some extent and used hyperbole to make my point, which appears to be what the Italian courts did in this ruling.

I think you nailed the core issue here - the law itself - or rather, the interpretation and scope of the law. While the intention of the "consent" principle in EU privacy laws is to allow individuals to control their private information, its application is too broad. This Italian case is but one example. Avoiding sophistry, if the same standard were applied to all Internet services, such as Facebook, news media, blogs, web cams (traffic cameras, police cameras, or otherwise), search engines, behavioral marketing and other online media, nothing could be posted that might be considered private information without the explicit consent of the individual.

I believe it is the court's responsibility to interpret such laws in a pragmatic, objective manner. The crime that was committed was by those directly involved. Google did its duty to remove the content when they were informed. To expect consent from everyone who has any information about them posted online is a burden that would seriously limit what we can do on the Internet.

This is obviously a matter for debate and many more privacy issues like this will continue as our society tries to catch up to the available technologies. This is nothing new. One of the first mentions of the "Right to Privacy" can be traced back to the seminal 1890 article in the Harvard Law Review written by Samuel Warren and Louis Brandeis (http://faculty.uml.edu/sgallagher/Brandeisprivacy...

To quote one of their concerns at the time, "Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that 'what is whispered in the closet shall be proclaimed from the house-tops.' For years there has been a feeling that the law must afford some remedy for the unauthorized circulation of portraits of private persons."

This was in response to the newest technology at the time: cameras.

Thanks again for the comments!
Bobby

I am adding a comment from Saad Kadhi that he posted on another blog site where I mirror my blogs. I think his observations are valid and worthy of a response.

Saad Kadi says:
--- cut here ---
"Does every C-level executive need to sit in front of a monitor and scan the content that they host?" no but they have to comply with the law and if the Italian law says that you must seek the consent of every person on the video before making it available online, then you must. There is a similar law in France (le droit à l'image) and it has legitimate reasons for existing, mainly related to dignity.

"If the prosecutor was compelled to go after other culpable individuals, why not prosecute the parents of the kids who did this? Why not go after the phone company or ISP that carried the signal to make the connection to Google Video? They carried the content, didn’t they?". Because the parents are not guilty according the Italian privacy code you are mentioning. They didn't take the video, they didn't broadcast to million of users etc. As for the phone company and the ISP, last I heard moving bits from one place to another is not exactly broadcasting. Your argument sound fallacious to me. If someone takes a picture of you and it ends up in a tabloid, you won't be getting anywhere suing the company that makes the paper or the ink under the Italian privacy code.

"Taking this to the next level, why wouldn’t the phone company be liable for prank calls..." Nice sophist move but a bit too obvious.

"Should Google fight back and stop offering services to anyone in Italy?" Rest assured, they have good lawyers.

"I sure as hell don’t support heavy handed government intervention." Agreed but again, this doesn't seem to be the case here as infringing laws doesn't really count as a heavy handed government intervention.
--- ereh tuc ---

Saad, great comments! I actually agree with you to some extent and used hyperbole to make my point, which appears to be what the Italian courts did in this ruling.

I think you nailed the core issue here - the law itself - or rather, the interpretation and scope of the law. While the intention of the "consent" principle in EU privacy laws is to allow individuals to control their private information, its application is too broad. This Italian case is but one example. Avoiding sophistry, if the same standard were applied to all Internet services, such as Facebook, news media, blogs, web cams (traffic cameras, police cameras, or otherwise), search engines, behavioral marketing and other online media, nothing could be posted that might be considered private information without the explicit consent of the individual.

I believe it is the court's responsibility to interpret such laws in a pragmatic, objective manner. The crime that was committed was by those directly involved. Google did its duty to remove the content when they were informed. To expect consent from everyone who has any information about them posted online is a burden that would seriously limit what we can do on the Internet.

This is obviously a matter for debate and many more privacy issues like this will continue as our society tries to catch up to the available technologies. This is nothing new. One of the first mentions of the "Right to Privacy" can be traced back to the seminal 1890 article in the Harvard Law Review written by Samuel Warren and Louis Brandeis (http://faculty.uml.edu/sgallagher/Brandeisprivacy...

To quote one of their concerns at the time, "Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that 'what is whispered in the closet shall be proclaimed from the house-tops.' For years there has been a feeling that the law must afford some remedy for the unauthorized circulation of portraits of private persons."

This was in response to the newest technology at the time: cameras.

Thanks again for the comments!
Bobby