It seems informal networks are getting a bit more credibility, as explored by Peer-to-Peer in Information Security Magazine. Not news for our CISSP study group, but hopefully it's something that will become more recognised.

News24 duped?

I noticed this yesterday, but Russell has the full story of what seems to be News24 being duped into pointing to a web site to gather credit card numbers. Seems quite possible with the generally impressionable and attention-seeking South African media. Of course, it could be scarier - maybe they just happen to be the only people to know of eBay being hacked (um, no?), and maybe the police really are running an unsecured Internet site with no obvious affiliation to the SAPS that asks people to enter their credit card details...
Karel Rode (organiser of the CISSP study group I attended) represented the Security SIG at a presentation on security for the ISOC Cape Town community forum - really good talk, look him up if you want a presentation. Marc Welz from the Western Cape Linux Users' Group followed him with how Open Source affects security - both good, bad, and utterly unchanged.

Planet Rhodes

Seems Barry has been busy and installed a Planet or two; Planet Rhodes for bloggers at my alma mater and Planet Security for his hand-picked security feeds. Russell Cloran provided some much-needed artistic direction. ;)
Well, some good has come from over two years of using and developing Open Source security solutions in a highly stressful, finger-pointing telecommunications environment: Barry Irwin is going to present a paper at Infosec South Africa 2004, currently entitled Lessons learned and Challenges facing the deployment of Open Source Security Infrastructures in the Global Telecommunications Arena, based on our work together doing security at iTouch.
It has been suggested that Microsoft can use the Windows source code leakage and the ensuing exploits as an argument for security by obscurity by keeping source closed, and thus against the security of source availability inherent to Open Source. But that's just silly...
It seems Ben Rothke's views on ``best practices'' coincide with mine. He says ``Best practices, however, are inherently problematic. They often don't work consistently for all organizations. Companies may justifiably deploy systems differently to conform to their cultures and their needs. Force-fitting one company's practices onto another doesn't work.''

Congrats bvi!

Congratulations to Barry on receiving his CISSP certification (despite dangerously relying on me to sign off his endorsement).
Dan Geer's dismissal from security firm @stake may have seemed a good idea at the time to placate Microsoft, but it showed Dan's commitment to what he had helped research to be the truth about the monoculture that Windows has created. This wasn't a personal attack, nor was it jealousy, nor indeed some open source ploy for some cheap points off Microsoft - it was a security professional with over 30 years of security research experience doing some thinking and research into the security problem of today. eWeek's Integrity at Stake discusses how this may backfire on @stake - they can be seen to be lacking integrity by having a company policy not to mention security problems their customers may have, and thus may not be providing the best service to all their customers. ``If patients suspect that a doctor is prescribing medication not because patients need it but to maintain a good relationship with a drug company, that doctor's practice would justifiably suffer. In IT security, the same principle should apply: The burden of proof is on those whose livelihood depends on the trust of others.''
Back from a marking hiatus, Barry is back with a good summary of recent Windows security problems and related news coverage entitled More Microsoft Security Woes. Great stuff.