The babies are born!

Long time has passed since the last post in our blog. Were we sleeping?
Not really.
We were just busy in cooperating with OneShield UTM manufacturer and we were thinking that facts are better than words.
As previously announced online and through conferences, WabiSabiLabi was selected by Delemont Technology as a 0day signatures contributor for a new generation of UTM (Universal Threat Management) appliances.
You'll be able to find all the technical details here.

There are already four different models of OneShield UTM appliances, they are all ready to be deployed to defend your network and a fifth one is on its way. As you can see from the pictures below, the appliances are now a reality, thanks to the effort of Delemont Technology (located in the Venice Gateway for Science and Technology) which is the owner of the OneShield brand, the Eurotech Group, which is the hardware provider and WabiSabiLabi backed up by the private security researchers community, which will contribute to the applaince 0day signatures packs.

More details about the appliances and the security researchers rewarding scheme behind them will be disclosed at the HITB security conference (Oct. 27th - 30th - Kuala Lumpur - Malaysia), where curious people, journalists, prospect clients and distributors will be able to touch them.

Meanwhile, enjoy them in a live test installation.

For more information about the OneShield UTM appliances you are welcome to contact OneShield's Development Manager Mr. Alberto Boratto: a.boratto [at] delemont.com


SecurityFocus: we can't believe our eyes

Recently on SecurityFocus (read: Symantec) appeared an article written by Jamie Reid, a privacy, security and risk consultant to healthcare agencies in Toronto.

While reading the article, we could not believe our eyes. In a nutshell, the article is brilliantly demonstrating why the current level of money offered by traditional security vendors to security researchers (yes, somobedy finally used the proper term) for their 0day findings is not representing the real value of them. No need to report here SecurityFocus columnist's ideas backing up such statement, we totally agree with them, especially with the final part which is stating that perhaps, the proper model should be a model including a sort of revenue sharing scheme. Just go and read the article.

But... there is a but. To demonstrate that the traditional security vendors' model is not providing a proper value to the researcher's efforts, the columnist wrote:
"Competitors in the bug-buying space like WabiSabiLabi's auction scheme, and iDefense's VCP offer lower rewards, but provide different structured incentive packages for disclosing 0-day exploits to them."

Initially, we didn't pay much attention to it, but then... questions started to pop up in our mind.
As everybody knows, stating something like "Competitors in the bug-buying space like WabiSabiLabi's auction scheme(...) offer lower rewards" is actually not representing the reality. In fact, WabiSabiLabi doesn't offer ANY sort of reward at all. We just provide a marketplace, where the reward level is the natural result of the interaction of offer and demand. Why the need to say that WSL itself is providing low reward to researchers? It puzzled us.

Then we paid attention to the fact that the columnist is wishing for security researchers a sort of revenue sharing model, deliberately (?) forgetting to mention that WabiSabiLabi announced such scheme since the time of its very foundation. Go and read our almost-one-year-old post.

At that point, we mailed to Jamie Reid, pointing out the fact that we were not providing "low rewards scheme" and that we were already promoting since a year our revenue sharing scheme, hoping that he would have corrected his article.
Guess what? We received a polite mail in which he answered "Thank you. That's an interesting model. I will be interested in following up in a year or so about how it is working". But no amendments on his article.

A distracted columnist? Or perhaps an anticipation of a future Symantec's move toward a different approach in the security research industry?

As you know, we are working hard since one year in the realization of such rewarding scheme, having initially half of the world against us. Our efforts are concretizing in the recently announced partnership for the production of the UTM OneShield Security, which will integrate a revenue sharing model, for those security researchers who are contributing with their findings.

We took all of the risk and heat, we faced the shadiness of the current laws, we took all the insults from that part of the researcher's community which didn't agree with us, we standed strong hits from some lobbied press.
Nevertheless, we are still alive so it might be the right time from the big industry to take advantage of the results of our work?

We'll see. It will be interesting for us, to see how our competitors (who much criticized our model, defining it unethical) will find excuses to adopt it.

Our forecast? Perhaps they will adopt only part of it. They won't adopt the auction part but they will eventually adopt the revenue-sharing scheme.

With a problem: it will be the demonstration that they abused of the work of the security researchers, paying them peanuts, up to the moment somebody popped out of the blue and forced them to adopt new business models, in which security researchers are not anymore considered as freebies or peanuts workers.

Please remember... that somebody, was us.


Are South Africans aliens from another planet?

They must be, at least this is what we think after being invited to hold a keynote speech at the ITWeb Security Summary 2008, (Johannesburg - South Africa), and after having checked the reaction of the attendees at the end of it.

Let us get it straight: the speech was about WabiSabiLabi's marketplace project and it was held in front of a crowd of 400 attendees.
At the end of the speech, the conference host fired up a question to the crowd:"Who think that WSL is doing the right thing in providing a marketplace for security research, raise the hand".
We panicked waiting for the response but then ... 399 hands attached to security professionals' bodies were raised.
To counter-check, the host asked then: "Who is against such initiative?". Only one hand up.

Are we THAT good in selling ideas? Or maybe it's just the marketplace idea itself that, when supported by proper motivations, doesn't find any difficulties in being adopted or even supported by security professionals?

Or is it that South Africans are aliens from another planet? We are still wondering...

Meanwhile, a few words about the ITWeb conference. We are always bragging how good the Swiss are in organizing things. Well, they have indeed some good competitors in South Africa. The ITWeb conference is a top international event, period.

Pros, Cons and Kudos

Symantec's "free of charge" espresso coffee machine at their booth. Finally, some good hardware.
Thanks a lot, from the deep bottom of an Italian heart.

ITWeb's catering service. We have the proof that aliens don't know how to properly cook pasta.
Yes, boiling it for less than two and a half hours will also help to spare Africa's energy resources and will contribute to lessen the power outages.

Johnny Long for his fabulous speech and his charity initiative. People, vendors...what are you waiting for to support it?
Johnny Cache, for being so... smurky. He knows what we mean ;)
Dino Covotsos, for being a good friend and for sponsoring through his company Johnny Long's charity initiative.
Kudos also to the Serbian community, Paul, Janine, Alissa, Mariette, Ilva and all the new and old friends we found over there.

Final round of kudos to South Africa, for giving us such dramatic sunsets.

From Earth, over.