Feds raid 'extortionist' IT security biz Tiversa, CEO put on leave The CEO of a controversial cybersecurity outfit has been put on leave following an FBI raid of its headquarters. Federal agents raided Tiversa's Pittsburgh office earlier this month looking for evidence in a long-running investigation of its business practices. Soon after the raid, CEO Robert Boback was placed on leave and …
I have to wonder with all these security firms claiming they've spotted other corporate's info on the web along with some of the malware that show up. One would think that the market driven by miscreants themselves would be large enough without the FUD being added to it by some companies who have the "only" solution for a given bit of malware.
Here's one from the trenches from about 7 years back.
An announced 'audit' of some of our systems was carried out by an external IT consultancy, now, to explain what the SOP was, at that point we were operating under having something like 80% of the computers managed by two external companies, call them DHX and DHY, and the remaining 20%, in-house. We were having issues with viruses getting into the system, and they had decided that the machines run by DHX were the most probable vectors (turns out they were very wrong, amusingly so, in fact. someone who shouldn't have had admin rights on the DHY machines had demanded them, and was given them - he was doing everything as admin for months)
The audit was carried out of the machines maintained by DHX, and, Lo!, it came to pass that there was much malware installed, at least, according to their report. They recommended all sorts of fun and expensive things be installed and maintained by DHZ, a security specialist firm.
What they and our PHBs didn't know, we'd carried out our own audit both prior and post theirs (call me a suspicious and cynical bastard..ours was carried out on the Sunday, theirs on the Monday, our second one late Monday evening), so, after reading their report, I lobbed our report of the state of the machines on the day before and after their audit to the PHBs and asked them to get their consultants to explain the discrepancies.
I do so like shitstorms..fraud is such a loaded word to lob into an already heated conversation.
But then the government in its most feralfederal form (a TLA created by "Edgar Hoover, The Body Remover" that is both utterly clueless and discombobulated and evil enough to ship guns to Mexican Narcos because they can) actually pays them a visit in black "smoking man" limos.
No-one knows what's going on anymore.
Not even Fox Mulder.
When the Piranhas left school they were called up but were found by an Army Board to be too unstable even for National Service. Denied the opportunity to use their talents in the service of their country, they began to operate what they called 'The Operation'. They would select a victim and then threaten to beat him up if he paid the so-called protection money.
Four months later they started another operation which they called 'The Other Operation'. In this racket they selected another victim and threatened NOT to beat them up if they DIDN'T pay them the protection money.
One month later they hit upon 'The Other Other Operation'. In this the victim was threatened that if he didn't pay them, they would beat him up. This for the Piranha brothers was the turning point.
I'm wondering how the FBI made its selection.
I mean, the IT security industry seems mostly to be extortion. Find one of the inevitable vulnerabilities and extort money from either the vendor or the vendor's clients.
Security vulnerabilities are inevitable in complex software, witness how easy it is to find vulnerabilities to OS X, iOS, Android and Linus.
Security vulnerabilities can no more be totally avoided that someone can create a vandal proof 'main battle tank'.
Vehicles, including main battle tanks, depend on police and guard services to protect them from vandalism.
There is no way to prevent bricks though windows, keyed door, and knives through tires. Useful visual operating systems are simply too complex to be bullet proof.
It is like bank vaults. It is impossible to build a burglar proof bank fault. What insurance companies require is that your vulnerable 18" steel reinforced bank vault be connected to an alarm system that can summon police from a station no more than 15 minutes away. (Thermic lances take 15 minutes to penetrate steel reinforced concrete.)
Security lies in having police forces to interrupt criminals before they can succeed in completing their crimes.
"Find one of the inevitable vulnerabilities and extort money from either the vendor or the vendor's clients."
Maybe the FBI chose to investigate them because they did not find one of the inevitable vulnerabilities, but still chose to pressure for paid services?
Security lies in having police forces to interrupt criminals before they can succeed in completing their crimes.
Until PREVENTED crimes take political priority over SOLVED crimes, nothing will change. This is also why the whole CCTV gig is so misleading: no prevention there either, and I personally do not find any comfort in the fact that they will find my killer AFTER I've been knifed.
If he is a normal human (well, a normal mammal at least, and I suspect any motile life form). Those Pizzas and Jolt Colas don't digest themselves, do they?
(For suitable lax definition of "bug" as used by pretty much all people when talking about bacteria. Yes, even doctors when not speaking technically)
Vehicles, including main battle tanks, depend on police and guard services to protect them from vandalism. There is no way to prevent bricks though windows, keyed door, and knives through tires.
I think you might have picked a better analogy, I really doubt it's possible to chuck a brick through the window, or knife the tyres, of a main battle tank, and I'm not even sure you could successfully scratch it with a key...
Every audit I've ever seen from one of these "IT Security" firms reads like it came from a protection racket. "Nice infrastructure you have there, it'd be a shame if something happened to it..." Speaking as someone in the trenches, I have been asked to review their "reports" after they preyed on the clueless CIO and made him pay ungodly sums for their services. The truth is that security on an open set of systems is complex. Execs and standards bodies love their little checklists, but you'll never be safe from the idiot employee who clicks the link in their email for a cat video and gets malware.
I would be quite happy replacing the security snake oil salesmen (and other snake oil salesmen) with a professional licensure environment for IT. Security breaches would be punishable by something other than losing your job, then doctoring your resume and moving on. Companies who refuse to listen to security advice would face more than just a year of free "credit monitoring" for every customer. Of course, this will never happen but I can dream...
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
