The modern-day philosopher Thomas Kuhn theorized that scientific revolutions are only brought about by practitioners who are not already trained to think a certain way - or to use Kuhn's terminology, in keeping with a given paradigm. When people train themselves to believe something, they expect their observations to match their beliefs, and thus may fail to observe something truly revolutionary. And it is observation that is the "step one" of science.
So it was with the face of Thomas Kuhn looming large overhead that a panel of two security architects, a noted Gartner researcher, and two risk management professionals met at the RSA Conference in San Francisco last week. Two worlds collided here, and this was one of the focal points. One side represented the existing paradigm. The revolutionaries came in suits with calculators and adjustment formulas. And Gartner's Bob Blakley literally wore a Satan suit just to make sure the fire and brimstone kept flowing.
"I don't know how you can call something this dumb a 'smart grid.'" This from the former Assistant Secretary for Policy at the Department of Homeland Security - the man who created the job. Serving nearly three-and-one-half years at DHS, and before that, several years with its predecessor agency and with the NSA, Stewart A. Baker got a first-hand look at the present and future battlefronts of electronic terrorism. You could read his book, or you could get the gist of his impressions from its title: Skating on Stilts.
Sec. Baker was referring to the relative state of readiness and resilience of the computer equipment protecting America's energy distribution networks and industrial control systems. Presently a senior counsel at the Washington, D.C. law firm of Steptoe & Johnson, LLP, he introduced his firm's report on our present status. "I thought I would start with some obvious things," he began. "Security sucks."
One of the more embarrassing revelations from last week's RSA Security conference in San Francisco was that bigger businesses take longer to discover security breaches. The DNSChanger Trojan, which was in the wild in 2009 and whose proprietors were busted last November, is still leaving damage behind in government systems days before a scheduled deadline (now extended) for it to have been eradicated.
And yet the DNS changing malware - so deceptively simple it can't even legitimately be called a hack - may yet be undetected in targeted systems. At RSA last week, SANS Institute Faculty Fellow Ed Skoudis, a world-renowned author in the anti-malware field for over two decades, reiterated the dangers of leaving the DNS command and control channel open to outside influence.
The conventional wisdom has been that industrialized hacking organizations have become particularly successful with social engineering - coaxing employees into doing something stupid that unlocks their networks' security. Analysts at the RSA Conference in San Francisco last week spoke of increasing incidents of telephone calls - actual human beings from call centers, pretending to be "Windows Security" or some other service, offering to help employees eradicate a non-existent virus from their systems and asking for their passwords outright.
If such incidents are indeed increasing, then they were no match last year for a staggering rise in external threats directed against data center servers. This according to data pre-released last week by Verizon and given to select reporters, in advance of the carrier's annual Data Breach Investigations Report. As the report's director of research and intelligence, Wade Baker, told ReadWriteWeb, data collected from its own security investigative team's caseload with Verizon's own enterprise customers - which include the U.S. Secret Service - shows some 92% of threat agents contributing to security events were discovered outside the firewall.
Passwords are dead. Of course, passwords have been dead for over a decade, but the problem with this dead technology is that it just won't die. The successful breach of security nearly one year ago on the RSA division of EMC targeted an all-too-weak two-factor authentication system.
For a moment during the Tuesday round of keynotes at the conference that bears his company's name, RSA Executive Chairman Art Coviello, Jr. looked despondent, helpless, like an executive pleading the Fifth. But this time, Coviello didn't just blame the usual suspects. Striking a strange new theme that resounded through the entire conference, he cited employees' irrepressible desire for a new mobile device, and companies giving it to them, as the eventual culprit.
Everyone knows you can learn a lot by trawling data coming from social media services like Twitter, Facebook and Flickr. But sometimes the data will surprise you. For instance, you'd expect to be able to glean product feedback from Facebook's public feed, but did you know that shoplifters tend to brag about it in social media?
Chris Moody, COO of Gnip, talked about exploring social data and the real-world use cases for some of that data at the Strata Conference.
Last year, I was slated to attend the first O'Reilly Strata Conference, but the 2011 Snowpocalypse intervened and said "no flights for you, St. Louis." Not only did I miss the inaugural Strata Conference, but it seems like I missed out on all the hype and irrational exuberance for big data as well.
The first day of the 2012 conference was dedicated to half-day tutorials and the all-day Strata Jumpstart. The Jumpstart sessions were geared for business leaders looking to see "how information can transform the enterprise."
It's not the "Big Data" we usually talk about, which refers more to the size of the data than to the size of the company behind the management tool. It's the term Bruce Schneier uses to refer to the industry that has evolved around data as a commodity, the way the energy industry was once considered "Big Oil." Schneier - the celebrated cryptographer-turned-technologist, a CTO at BT, and easily the RSA Security Conference's biggest draw - believes "Big Data, Inc." poses as great a threat to personal security and privacy as malicious actors do.
"I mean Big Data as an industry force, like we might talk of Big Tobacco or Big Oil or Big Pharma," Schneier told an overflow crowd of attendees. "I think the rise of Big Data is as important a threat in the coming years, one we should really look at and start taking seriously."
"You can't always get what you want" is literally the theme of this year's RSA Security conference in San Francisco. "With increased speed and cunning, hackers are taking advantage of the openness of today's infrastructures," said EMC's executive vice president Art Coviello, Jr. And exacerbating the problem, he said, is the fact that despite openness and open architectures, people aren't banding together for solutions.
This at a conference that officially opened Tuesday morning to a gospel choir prophesying the coming of the age of Getting What You Need. Hopefully Aretha Franklin received a cut of the royalties when one soloist, breaking from script, sang her original lyrics instead of the ones inscribed on the big-screen closed caption: "I-N-F-O-S-E-C, find out what it means to me."
The cloud is huge. Client access devices are small, and they're everywhere. Personal computers are virtual. Access to all of these resources is continual. Control over the world's single most precious information resource - identity - has become a jump ball.
Next week, ReadWriteWeb will be covering the annual RSA security conference in San Francisco. I never attend a conference without an agenda, and no, I'm not talking about the pamphlet and the floor plan. There's an agenda all my own, and it's based on the subject matter that I've discovered you want to know more about.