This reality of the information age might be particularly stark for the president, but it's no less true for all of us. Conversation used to be ephemeral. Whether face-to-face or by phone, we could be reasonably sure that what we said disappeared as soon as we said it. Organized crime bosses worried about phone taps and room bugs, but that was the exception. Privacy was just assumed.

This has changed. We chat in e-mail, over SMS and IM, and on social networking websites like Facebook, MySpace, and LiveJournal. We blog and we Twitter. These conversations -- with friends, lovers, colleagues, members of our cabinet -- are not ephemeral; they leave their own electronic trails.

We know this intellectually, but we haven't truly internalized it. We type on, engrossed in conversation, forgetting we're being recorded and those recordings might come back to haunt us later.

Oliver North learned this, way back in 1987, when messages he thought he had deleted were saved by the White House PROFS system, and then subpoenaed in the Iran-Contra affair. Bill Gates learned this in 1998 when his conversational e-mails were provided to opposing counsel as part of the antitrust litigation discovery process. Mark Foley learned this in 2006 when his instant messages were saved and made public by the underage men he talked to. Paris Hilton learned this in 2005 when her cell phone account was hacked, and Sarah Palin learned it earlier this year when her Yahoo e-mail account was hacked. Someone in George W. Bush's administration learned this, and millions of e-mails went mysteriously and conveniently missing.

Ephemeral conversation is dying.

Cardinal Richelieu famously said, :If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged." When all our ephemeral conversations can be saved for later examination, different rules have to apply. Conversation is not the same thing as correspondence. Words uttered in haste over morning coffee, whether spoken in a coffee shop or thumbed on a Blackberry, are not official pronouncements. Discussions in a meeting, whether held in a boardroom or a chat room, are not the same as answers at a press conference. And privacy isn't just about having something to hide; it has enormous value to democracy, liberty, and our basic humanity.

We can't turn back technology; electronic communications are here to stay and even our voice conversations are threatened. But as technology makes our conversations less ephemeral, we need laws to step in and safeguard ephemeral conversation. We need a comprehensive data privacy law, protecting our data and communications regardless of where it is stored or how it is processed. We need laws forcing companies to keep it private and delete it as soon as it is no longer needed. Laws requiring ISPs to store e-mails and other personal communications are exactly what we don't need.

Rules pertaining to government need to be different, because of the power differential. Subjecting the president's communications to eventual public review increases liberty because it reduces the government's power with respect to the people. Subjecting our communications to government review decreases liberty because it reduces our power with respect to the government. The president, as well as other members of government, need some ability to converse ephemerally -- just as they're allowed to have unrecorded meetings and phone calls -- but more of their actions need to be subject to public scrutiny.

But laws can only go so far. Law or no law, when something is made public it's too late. And many of us like having complete records of all our e-mail at our fingertips; it's like our offline brains.

In the end, this is cultural.

The Internet is the greatest generation gap since rock and roll. We're now witnessing one aspect of that generation gap: the younger generation chats digitally, and the older generation treats those chats as written correspondence. Until our CEOs blog, our Congressmen Twitter, and our world leaders send each other LOLcats – until we have a Presidential election where both candidates have a complete history on social networking sites from before they were teenagers– we aren't fully an information age society.

When everyone leaves a public digital trail of their personal thoughts since birth, no one will think twice about it being there. Obama might be on the younger side of the generation gap, but the rules he's operating under were written by the older side. It will take another generation before society's tolerance for digital ephemera changes.

This essay previously appeared on The Wall Street Journal website (not the print newspaper), and is an update of something I wrote previously.

The analysts paired up today:
Antonio Piraino (Tier1 Research)
William Fellows (The 451 Group)

My usual disclaimers on live-blogging: doesn’t include everything covered (just what was most interesting to me) and had to paraphrase some answers because I simply cannot type that fast.

Quick definition of Cloud Computing
WF: The cloud is a continuum of grid, virtualization and utility done right. It is about provisioning services instead of servers; flexible computing instead of fixed assets. Done right, the cloud abstracts users from the complexity of grid. Cloud computing is IT as a service. Cloud computing is the Third Way – not entirely in-house or outsourced, but an optimized hybridized version of both. In light of the Goldman Sachs report out resetting IT spending forecast from up 6% to down 1%, don’t underestimate the ability for enterprises to move from capex to opex by buying cloud computing instead of building it themselves.

The 451 Group conducted a survey on cloud computing in March, and then revisited it a month ago. Some interesting results:

• 84% have no plans to develop an internal cloud. 5% had no answer to this question. And for the 10% who did answer – the uses for a private/internal cloud were the same as those for a public cloud.
• Top 6 vendors they look to help them develop an internal cloud: Microsoft, IBM, Cisco, HP, Oracle, VMware

Is it all “upside” when it comes to cloud computing?

WF: Watch out for the Trojan horse, the red flag. What about the software needed to manage all this stuff? Any management software needs to take a holistic approach to solve the problem.

AP: Increased management requirements and capability – this is actually a great story for managed hosters who can hold your hand while getting you up into the cloud. Hosters alleviate the pain points, and this is why we’re going to see continued growth and focus in the managed hosting sector.

WF: I would argue that they’re too expensive. Look at Amazon – 10 cents a hit adds up.

AP: It’s almost impossible to do an apples-to-apples comparison between cloud providers. One reason is that they charge differently. I’d say that when you’re talking about the big cloud providers, you are right – that they are expensive over the long-term, but for use in the short-term, they can be optimal.

WF: The cloud is setting big expectations. Can IT deliver? It’s nice to talk about “shared resources for the greater good” but in any organization, you will still run into issues of power and control! Plus it’s still early days for resolution of regulatory issues and compliance around the cloud.

Final Thoughts

AP: Think of the opportunities of using cloud computing resources in the areas of testing and pre-production – short-term use/environment (quick up/quick down), inexpensive, opex not capex. We’re already seeing the cloud fostering much innovation.

WF: “It’s okay to fall in love with the term.” It is real but keep the expectations lower and realistic.

AP: I agree with you. The reality is that the cloud is driving a very fundamental underlying platform change. This is not just a term or something that will fall out of fashion. There’s a real need to build trust in the cloud and leveraging shared resources in this way – so use the cloud computing term cautiously; don’t abuse it and make the cloud seem like IT’s new toy.

I am in Barcelona, Spain with Michael Howard and Adam Shostack at the TechEd EMEA: Developers Conference.

In addition to teaching and attending security sessions, we are in Barcelona to formally announce the launch of the SDL Optimization Model, SDL Pro Network and the Microsoft SDL Threat Modeling Tool Beta!   For those of you who are unaware of these initiatives here’s a description of each…

SDL Optimization Model: The SDL Optimization Model was created to facilitate gradual, consistent and cost-effective implementation of the SDL in development organizations outside of Microsoft. It allows development managers and IT policy-makers to assess the state of the security in development and create a vision and road map for reducing customer risk.

Specific objectives of the model include the following:

·         Enable organizations outside of Microsoft to create more secure and privacy-enhanced software by successfully implementing the SDL

·         Allow organizations to self-assess current software development security practices and create a strategy for gradual improvement

·         Provide SDL Pro Network service providers with a consistent and effective framework for providing SDL services

SDL Pro Network: The SDL Pro Network is a group of security service providers that specialize in application security and have substantial experience and expertise with the methodology and technologies of the Microsoft SDL. SDL Pro Network service providers will guide and support organizations in implementing the SDL into their environments.

The primary focus area for all members, both now and in the future, will be to deliver on the program’s commitment to make the SDL available outside Microsoft, specifically focusing on these issues:

·         Protecting the customer - Helping customers adopt the SDL or general secure coding practices.

·         Improving the SDL - Leveraging member knowledge to understand how the SDL is used by customers, what needs to be modified and what customer needs must be met in the future.

SDL Threat Modeling Tool Beta: The Microsoft SDL Threat Modeling Tool Beta allows for structured analysis, proactive mitigation and tracking of potential security and privacy issues in new and existing applications.  Microsoft developed the tool and we use it internally on many of our products. This tool offers a threat modeling methodology that any software architect can lead effectively — in contrast with other processes, which are more expert-dependent. A few quick notes about the features:

·         Automated guidance and feedback in drawing threat diagrams

·         Guided analysis of threats and mitigations based on the STRIDE taxonomy

·         Integration with bug-and issue-tracking systems like Visual Studio Team Foundation Server

To learn more about these, visit the SDL portal, http://www.microsoft.com/sdl.

By the way, if you are in Barcelona and want to stop by and chat, the session list is below:

SDL Theater Sessions:

·         Getting started with the new SDL Threat Modeling Tool                             

Adam Shostack, Theater 1, Tuesday, Nov. 11, 15:20 – 15:40

·         You could do that but it would be wrong – a discussion of pros/cons of threat mitigations

Michael Howard & Adam Shostack, Theater 1, Thursday, Nov. 13, 10:20 – 10:40

General Sessions:

·         DVP308  How I Learned to Stop Worrying and Love Threat Modeling      Nov. 12, 10:45 – 12:00

·         DVP309  How to Review Your Code and Test for Security Bugs                  Nov. 13, 3:15 – 4:30

·         DVP312  Top Ten Strategies to Security Your Code                                       Nov. 14, 10:45 – 12:00

The best security program is at the business with the happiest customers.

There's a fine line between happy customers and playing piano in a bordello.

Sees a lot
Can tell the king he has no clothes
Can tell the king he really is ugly
Does not get killed by the king
Nice to have around but…how much security improvement comes from this ?

Changes happened faster that he was able to move
Did not read the signs
Good intentions went unfulfilled
A brutal way to ending a promising career
Sad to have around but…how much security improvement comes from this ?

Obviously these models of CISOs are not solving our information security problems. Instead Dr. Garigue points us to Charlemagne as a better model

King of the Franks and Holy Roman Emperor; conqueror of the Lombards and Saxons (742-814) - reunited much of Europe after the Dark Ages.

He set up other schools, opening them to peasant boys as well as nobles. Charlemagne never stopped studying. He brought an English monk, Alcuin, and other scholars to his court - encouraging the development of a standard script.

He set up money standards to encourage commerce, tried to build a Rhine-Danube canal, and urged better farming methods. He especially worked to spread education and Christianity in every class of people.

He relied on Counts, Margraves and Missi Domini to help him.

Margraves - Guard the frontier districts of the empire. Margraves retained, within their own jurisdictions, the authority of dukes in the feudal arm of the empire.

Missi Domini - Messengers of the King.

This is the way forward! Find software security champions in the architecture and development groups,help them understand the real security issues. They will find solutions you have not thought of. Same for DBAs, same for business analysts even. Its all about beating the bushes, education, and decentralizing security services. Specifically, he points out this important mandate for IT security

Knowledge of risky things is of strategic value

How to know today tomorrow’s unknown ?
How to structure information security processes in an organization so as to identify and address the NEXT categories of risks ?

To me this is our mandate and measure of effectiveness. Empower our customers, educate, and create business value. If I am a CISO  I don't want 20 people reporting to me who do firewall ruleset changes. I want one champion in 20 different groups - development teams, architects, DBAs, business analysts.

A concrete example, infosec can continue to go along with the herd and follow the "what everyone else is doing architecture" meanwhile developers are connecting every single thing in your business to the Web. I have been doing integration and new technology projects for a long time, and let me tell you - Change does not always create happy customers in the short run. But the chart below shows that information security is maybe more concerned with not causing waves rather than adapting.

The best security program is at the business with sustainable competitive advantage.

On the 31st episode of The Silver Bullet Security Podcast, Gary talks with Matt Bishop, professor of Computer Science at UC Davis and author of the book Computer Security: Art and Science as well as many peer-reviewed papers. Gary and Matt discuss Matt’s plan to work security analysis and secure coding into a wider computer science cirriculum, Matt’s early work with Mike Dilger on TOCTOU, whether or not progress is being made in the field of software security, and the role of training in large-scale software security initiatives. Their chat closes with a mention of Matt’s home menagerie (which does not include any one-legged chickens at this time).

• Matt Bishop
• IEEE Security & Privacy Magazine
• Computer Security: Art and Science
• Silver Bullet Security Podcast interview with Dorothy Denning
• Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security (the “Ware Report” referred to in the podcast)
• Secure Computer Systems: Mathematical Foundations - The Bell Lapadula model [PDF]
• Secure Computer System: Unified Exposition and Multics Interpretation [PDF]
• Testing C Programs for Buffer Overflow Vulnerabilities - Eric Haugh, Matt Bishop [PDF]
• TOCTOU
• Checking for Race Conditions in File Accesses by Matt Bishop and Michael Dilger
• “The Song of the One Legged Chicken”

So, what are we hoping to gain by creating a network of security consulting and training experts to work with customers who want to implement the SDL?  Generally speaking, this question has a two-part answer:  First, Microsoft is, and always will be a partner-driven company - we rely on the skills and capabilities of our partners to provide specialized services and broad geographic coverage for Microsoft products and services.  Second, even though there are talented folks in the Microsoft Services organization, it's clear that we will need help from our partners to scale to meet the demand.  I can't tell you how many times the folks on the SDL team have been approached by people - after an executive briefing, or a session at TechEd - asking for guidance in implementing SDL in their own organizations.  When we look at the demand and pair it with the geographic diversity of our customer base, it's clear that a partner approach is the right answer.

Now a few words about the partners who will be participating in the pilot phase...

After the decision was made to work with partners on SDL delivery, we had two primary criteria that we had to address; partner quality, and manageability of the SDL Pro Network pilot. We have all seen instances where individuals or consulting organizations have represented themselves to the IT community as having security expertise when in reality the "experts for hire" were simply reading a page or two ahead of the customer in whatever security tome was "in vogue" at the time. 

Based on those observations, it was clear that partner "quality" was a critical criterion.  Fortunately for us, we didn't have to look far to satisfy our quality bar - many of the companies in the SDL Pro Network pilot have direct experience with executing portions of the SDL on our products, or have delivered services to Microsoft in a security context. Design reviews, code reviews, penetration testing, training and other tasks critical to SDL implementation were (and are) common fare for these folks.

Despite the customer demand for SDL that I alluded to above, starting with a small pilot was the right thing to do; a small group of trusted consultancies supports our imperative for quality and it allows us to pragmatically grow the SDL Pro Network as the market matures.  As we continue to evolve and innovate with the SDL, we'll have a strong core of partners to help drive the software security message.

Will we grow the SDL Pro Network?  The qualified answer is: "When the market demands it..." - there are a number of talented potential partners who meet the quality bar - and clearly, the need for security in software development will grow to demand additional talented specialists. However, it's our plan to begin with a small set of partners of known expertise, and then respond to growing demand as it materializes.

So there you have it - the nuanced beginning and bright future of the SDL Pro Network...  I invite your comments, and encourage you to check in at the SDL Portal as we continue to build out the program

In a presentation late last week at the Director of National Intelligence Open Source Conference in Washington, Dr. Dwight Toavs, a professor at the Pentagon-funded National Defense University, gave a bit of a primer on virtual worlds to an audience largely ignorant about what happens in these online spaces. Then he launched into a scenario, to demonstrate how a meatspace plot might be hidden by in-game chatter.

In it, two World of Warcraft players discuss a raid on the "White Keep" inside the "Stonetalon Mountains." The major objective is to set off a "Dragon Fire spell" inside, and make off with "110 Gold and 234 Silver" in treasure. "No one will dance there for a hundred years after this spell is cast," one player, "war_monger," crows.

Except, in this case, the White Keep is at 1600 Pennsylvania Avenue. "Dragon Fire" is an unconventional weapon. And "110 Gold and 234 Silver" tells the plotters how to align the game's map with one of Washington, D.C.

I don't know why he thinks that the terrorists will use World of Warcraft and not some other online world. Or Facebook. Or Usenet. Or a chat room. Or e-mail. Or the telephone. I don't even know why the particular form of communication is in any way important.

The article ends with this nice paragraph:

Steven Aftergood, the Federation of the American Scientists analyst who's been following the intelligence community for years, wonders how realistic these sorts of scenarios are, really. "This concern is out there. But it has to be viewed in context. It's the job of intelligence agencies to anticipate threats and counter them. With that orientation, they're always going to give more weight to a particular scenario than an objective analysis would allow," he tells Danger Room. "Could terrorists use Second Life? Sure, they can use anything. But is it a significant augmentation? That's not obvious. It's a scenario that an intelligence officer is duty-bound to consider. That's all."

My guess is still that some clever Pentagon researchers have figured out how to play World of Warcraft on the job, and they're not giving that perk up anytime soon.

Interop NY

• East Coast version of this major networking show. ScienceLogic is the official provider for network monitoring and help desk for InteropNet, the world’s largest temporary network. See us in action in the NOC. Stop by the booth, #1045, to chat, pick up your own deck of EM7 cards, or fill out a survey for a free t-shirt.
• When: Conference runs from Mon 9/15 – Friday 9/19. Expo days are Wed 9/17 – Thurs 9/18.
• Where: The Javits Center, NYC.

VMworld 2008

• The largest virtualization show put on by VMware, the leader in the space. VMworld is only a couple of years old but growing like gangbusters. This year’s show should be an interesting one in light of all the turmoil surrounding VMware and Microsoft’s putsch, oops I meant push, into the space with Hyper-V.
• When: Mon 9/15 is Partner Day. Conference runs from Tues 9/16 – Thurs 9/18
• Where: The Venetian Hotel, Las Vegas.

Hosting Transformation Summit

• Executive-level hosting/service provider show run by The 451 Group (and Tier 1). The analysts at The 451 Group and Tier 1 discuss state of the industry and trends.
• When: Mon 9/15 – Wed 9/17
• Where: The Mirage, Las Vegas

ICE Summit

• Also run by The 451 Group, the ICE (Infrastructure Computing for the Enterprise) Summit will focus on “virtualization in context”. This overlaps the last day of VMworld (personally making my life a little harder).
• When: Thurs 9/18
• Where: The Mirage, Las Vegas

Inc 500 / Inc 5000 Conference & Awards Ceremony

• Since we made it on the list (#350!), we thought we should show the flag at the Inc 500 conference, culminating in an awards gala on Saturday night.
• When: Thurs 9/18 – Sat 9/20
• Where: Gaylord National Resort & Convention Center at the National Harbor (DC)

Stay tuned for live blogging and video from the various events with always lively commentary from the ScienceLogicians.