An Information Security Place

Commentary on the State of Information Security

Archive for February, 2007...

Filed under Blogging, Blogging Buddies, Security

Well, my good friend and blogging compatriot Martin McKeay has finally made it to the big time by actually having a press release issued about his move to StillSecure. I can honestly say that I have never known someone personally that had his own press release. Wow. I can count the Great McKeay as a close friend! :)

In all seriousness, Martin deserves this. He is a very well known figure in the security world as a security guru, he is a great writer and security journalist, and he is an all around nice guy. I count myself lucky to have him as a friend, and this could not have happened to a better guy.

All that being said, what about the title of this post? Well, I think StillSecure also deserves congratulations. I have known Alan for about a year now, and I have known Mitchell for quite a few months. And I have to say that these guys deserve Martin just as much as Martin deserves this great move. Alan and Mitchell are great guys, no matter what everyone says about them (sorry, I can’t be nice to people without jabbing them a little - I’m sure it comes from my terrible childhood, which led to my total lack of self esteem and utter lack of respect for my fellow humans, but in retrospect helped develop my writing skills because that is all I had to do in that closet I was locked in for most of my teenage years, but I digress - **sniff**).

But seriously, Alan and Mitchell have done so much to move the security industry forward. Even if you don’t count their work at StillSecure, you still have two guys who are blogging and plugging away at trying to make the security industry a fun and exciting place to work. They deserve to have a great talent like Martin out there evangelizing.

So I say congrats are deserved all around. God bless and good luck to all of you.

Vet

Posted by Michael Farnum on Wednesday, February 28th, 2007

Filed under Me, Taekwondo

Here’s another Taekwondo toe picture for you. I got this injury tonight. I think I got it while I was sparring. I’ll keep you posted on the progress of the bruise (’cause I am sure you want to know, right?)

Still having fun, though. I got to run exercises today (all the stretches and pushups and squats and crunches, etc, etc, etc), which is a big deal since the instructor has to have faith you know what you’re doing. And he has me helping with sparring practice as well, so I feel pretty good that I have fooled him into thinking I know what I am doing so far.

Anyway, I am proud of my injuries. I guess that is a guy thing, though most of the blackbelts in the class are girls or women, and they are tougher than I have ever thought about being. And they hit hard. :(

Vet

Posted by Michael Farnum on Monday, February 26th, 2007

Filed under Security

This is what kills me. You have everyone saying that posting fights and generally screwed up stuff on MySpace and YouTube is bad (I agree), but you have a major media source (well, MSNBC USED to be a major media source) posting the most graphic parts of a video of a girl getting pummelled for everyone who doesn’t know how to use MySpace or YouTube (which is still a LOT of people).

Why must the media do this? For ratings? Come on, people. How about a little class and responsibility. This girl has suffered enough. Must you splash this all over the world via the Internet and cable / satellite?

Of course, I just posted a link to it, so I guess I am a scumbag too. But I’m just reporting the news. ;)

Vet

Posted by Michael Farnum on Monday, February 26th, 2007

Filed under Security

Many of you know I am from Houston.  And it has recently made even national news that my governor, Mr. Rick Perry, mandated that the state add the controversial HPV vaccine as a mandatory vaccine for girls in the state of Texas.

He has been getting a lot of heat over this because he kinda went around the whole legislative process, and now reporters are asking for any correspondence from the Governor about the decision process for HPV between himself and his staff.  According to the governor and his staff, there is no such animal.  They say that Governor Perry does not use email from work, and he doesn’t even have a state-issued computer.  Therefore, there are no emails between himself and his staff AT ALL.

On a side note, the governor’s mansion also issued a story today that they were selling ocean front property in Arizona and had several bridges for sale….  OK, I made that up.  Anyway….

Governor Perry’s spokesman Robert Black says, “That doesn’t mean Perry doesn’t use e-mail. But his e-mail account is personal and therefore not subject to open records laws, Black said.”

However, this excerpt from the story refutes that claim:

That’s not true, said Joel White, immediate past president of the Freedom of Information Foundation of Texas, a nonprofit organization dedicated to protecting and preserving the state’s open meetings and open records laws.

“I don’t think it makes any difference what computer he writes on any more than it makes a difference whether he uses government-issued stationery,” White said. “The question is: Is he sending personal correspondence or does it relate to official business? If it’s official business, it’s an open record.”

That has been the determination of the Attorney General’s Office in several informal rulings. For example, in response to a 2003 claim by the City of Kingsville that correspondence from personal e-mail accounts of the mayor and commissioners is not public information, the Attorney General’s Office wrote that to the extent that the e-mails pertain to official city business, “such information is subject to disclosure.”

To top it all off, our local news radio station, KTRH, has a picture on their website of what APPEARS to be Governor Perry sitting at his desk with a laptop on the desk (bigger picture here).  And, I found this picture with a quick search that shows Mr. Perry when he was Lieutenant Governor.  There is a computer visible behind him (I sent the link to Scott Braddock who is covering the story - he replied with a thank you).

It is all getting kinda ludicrous.  And personally, it is cracking me up, even though the basic issue is a serious one.

Vet

Posted by Michael Farnum on Friday, February 23rd, 2007

Filed under Security

I found out a couple of days ago that I was accepted as a speaker for the TRISC 2007 show in Austin (May 15-17).  I will be speaking about using security blogs as an important resource for security research.  I am excited about doing this since it is really only my second official speaking gig, and it will be my first on security blogging.  I plan on taking this out to other shows if it goes well here.

For those of you who don’t know what TRISC is, it is the Texas Regional Infrastructure Security Conference.  It is a small, struggling show that is only in its third year and was originally conceived by some Texas InfoSec professionals as an answer to people looking for a more local security conference that answered Texas problems specifically.  But this small show can boast of some big name keynote speakers.  The first year (2005) we had Mr. Schneier himself (now officially one of my blogging buddies since I met him at the RSA bloggers’ gathering, right?), Ray Semko, and Ron Ross to name a few.  In 2006 we had Ira Winkler and Caleb Sima. 

So anyway, I am excited about doing the talk.  I will be publishing my OPML list from Blogbridge in my slides (I will be mentioning a few specifically, so I will take contributions starting next week :) ).  So maybe some of you will start seeing a little extra traffic - IF I can get some people down here who don’t use blogs much to start jumping on the blog bandwagon.

Vet

Posted by Michael Farnum on Friday, February 23rd, 2007

Filed under Security

I got this from Bruce Schneier’s site.  Looks like the guys at Symantec have developed a way to change the DNS settings on your home broadband router’s DHCP scope by drawing you into a malicious website with some bad JavaScript code.  So when your PC gets its IP address from your broadband router, it directs your home computer’s web requests to a malicious DNS server.  So now, for example, instead of going to your bank’s website, your requests are getting redirected to an address of the attacker’s choice that looks like your bank’s website.

The basic lesson is to change your broadband router’s password to something different than the default (and something difficult to guess).

Here’s the explanation.  Very cool, and pretty scary for all those people who never change the default password on their broadband routers (which is most people).

Bruce also makes this very good point:

Note that the attack does not require the user to download any malicious software; simply viewing a web page with the malicious JavaScript code is enough.
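A defender-side check for the situation described above, as an added example that is not part of the original post or of Symantec's write-up: it reads the resolver list a DHCP client wrote out and flags any DNS server the owner did not configure. The resolv.conf-style format, the LAN range, the router address and the sample data are all assumptions made for illustration.

```python
import ipaddress

# Constructed samples of resolv.conf-style text written by a DHCP client.
# Assumptions: the home LAN is 192.168.1.0/24 with the router at 192.168.1.1;
# 203.0.113.53 is a documentation-range address standing in for a resolver
# the owner never configured.
SAMPLE_CLEAN = """\
# Generated by DHCP client
nameserver 192.168.1.1
search home.example
"""
SAMPLE_TAMPERED = """\
# Generated by DHCP client
nameserver 203.0.113.53
nameserver 192.168.1.1
"""


def parse_nameservers(text):
    """Return resolver addresses from resolv.conf-style text, in file order."""
    servers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue  # other directives (search, options, ...) are ignored
        try:
            # Drop an IPv6 zone suffix such as "%eth0" before parsing.
            servers.append(ipaddress.ip_address(fields[1].split("%", 1)[0]))
        except ValueError:
            continue  # malformed address: skip the line
    return servers


def audit_resolvers(text, expected, lan):
    """List (address, reason) for every resolver the owner did not expect."""
    allowed = {ipaddress.ip_address(a) for a in expected}
    lan_net = ipaddress.ip_network(lan)
    findings = []
    for addr in parse_nameservers(text):
        if addr in allowed:
            continue
        where = "on the LAN" if addr in lan_net else "outside the LAN"
        findings.append((str(addr), f"unexpected resolver {where}"))
    return findings


if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("tampered", SAMPLE_TAMPERED)):
        result = audit_resolvers(sample, ["192.168.1.1"], "192.168.1.0/24")
        print(name, result or "resolvers match what was configured")
```

On a real host, pass in the contents of the resolver configuration file and the DNS servers you set on the router yourself; a finding means the router's DHCP settings deserve a look.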

Vet

Posted by Michael Farnum on Thursday, February 22nd, 2007

Filed under Blogging, Rant

PLEASE, PLEASE, PLEASE do not truncate your post in your RSS feed. I use Blogbridge so I can pull down my feeds and read them when I am running around and don’t have Internet access. When I get to your blog and I see something interesting, if the post is cut off in the feed, I can’t get to it. Drives me frickin’ crazy!

OK.  I’m done.

Vet

Posted by Michael Farnum on Wednesday, February 21st, 2007

Filed under Compliance, Rant, Security

Anyone heard of any action against these medical companies under HIPAA regulation? Neither have I.

This is the problem with government trying to fix a problem. While I agree with the basic attempt HIPAA is making at securing personal medical data, it just makes no sense to have anyone try to comply when nothing happens if you don’t.

And when a few CEO / CFO / COO types see this story and don’t see even any attempts at prosecution in the next few months, then they will start rethinking their investment in security.

Another thought is that these companies are HIPAA compliant and still have problems. If that is so, then it goes to show you that compliance does not equal security.

Vet

Posted by Michael Farnum on Tuesday, February 20th, 2007

Filed under Security, Security Consultation

Steve Hunt at Security Dreamer recently posted a quick test for knowing if your network is vulnerable. The test: well, there is no test. You can take for granted that your network is vulnerable. Steve’s point? You don’t need a security consultant to perform a $30,000 security assessment to tell you that.

I see Steve’s point, but let’s take a step back here. I really think Steve is too narrowly defining the term “security assessment” (he never actually uses the words “security assessment”, but it is easy to determine that is what he is talking about). The type of assessment he is talking about is designed for those that have a somewhat solid security program in place and need to find the flaws with it. If you fall into this category, then you can benefit from this type of assessment because it will be an overarching, far-reaching, and deep-digging look at your systems, policies, procedures, etc. with the express purpose of telling you where your vulnerabilities lie.

But I think Steve is assuming you don’t fall into this category and you don’t have a good security program in place. If that is so, then you need to listen to Steve. Why? Because a huge assessment is probably going to give you a bunch of stuff you already know (or should know). You really don’t need anyone to tell you that you don’t have enough policies when your policy manual only has two sheets of hand-written notes. You don’t need someone to perform password auditing when you have a universal password for everyone that is, you guessed it, “password”. Essentially, you will be no better off than you were before you spent $30,000 for a deliverable thicker than War and Peace with no remediation plan included.

What you need is a whittled down security assessment to give you more of a “tell you what you need” approach rather than a “tell you what you don’t have” approach. There’s a fine line between those two approaches, but the gist of it is the first approach is a positive type of assessment that is designed to build a security program rather than tear into one. However, it is still an assessment because there is most definitely something in place for security, so it has to be assessed to create a starting point.

So if you are in the shape that Steve thinks you are, then you don’t need a full blown assessment. What you need is someone to help you build your security program. Steve is correct that you can probably do a lot of that building yourself and not pay some firm to do it for you. In fact, I would say the building of the program will be more expensive than the testing of the program, so it might be a good idea to do it yourself if you have the time to spare or don’t have the money to get help (I find the latter is generally the issue - if you have time, then you are among the few lucky ones).

But DO NOT forsake the idea of a full blown security assessment. It is a totally legitimate course of action to have a third party assess your security program once it is in place. However, you need to be discerning in who you choose for your assessment. Have them show you sample proposals and deliverables. Have them introduce some of their team to you. Check out resumes. Don’t just throw a dart.

One more thing. You can tell me I am biased because I work for a security consulting firm. And you would be half correct. Yes, I am biased, but it is not because I work for a security consulting firm. I am biased because I believe a security assessment is a good security practice. I had an assessment performed when I was an Information Security Manager (no, my current company did not perform the assessment). Though it was not the best done assessment, it still was valuable.

Vet

Posted by Michael Farnum on Monday, February 19th, 2007

Filed under Me

As many of you know from my toe post a while back, I am taking Taekwondo. Well, I just tested for my yellow belt. I passed, so now I am officially a yellow belt (yea, it is a VERY low belt). AND, I tied for best test out of about 20 people testing for yellow belt, green tab, and green belt. That felt pretty good as well.

Go here for a video of me breaking my boards.

Vet

Posted by Michael Farnum on Monday, February 19th, 2007

Filed under Security

There’s a good point in this article over at Roger’s Information Security Blog.  DELETE YOUR WIRELESS PROFILES!!  Anytime I go out of town and use a hotel’s wireless, I make sure I delete the profile when I come home.

Vet

Posted by Michael Farnum on Monday, February 19th, 2007

Filed under Family

OK, I have some braggin’ to do, but it is not about me.  It is about my lovely bride of 10 years.  April (that’s my wife) has been decorating cakes for a couple of years now.  She does wedding cakes, birthday cakes, etc. for friends and family.  She has a natural talent for it, and people are almost always struck at how good her cakes are.

A couple of weeks ago she entered a cake in a competitive cake show in Austin, TX.  She was still in the beginner class because of the amount of experience she had and the amount of formal training she had taken.  She thought she would probably get in the top three or four this year (she placed last year at the same show, but her cake was in a different category).  Well, she did even better than she expected by winning first place with her cake.  And not only did she get first place in her category (tiered novelty cakes), she ended up winning the best in the beginner’s class overall!  That means that her cake beat every beginner’s entry, no matter what category they were in.

She won $100, a VERY nice engraved Mikasa crystal vase, two medals, and a big tub of fondant (that is a fancy cake icing that gives a cake a very smooth appearance). 

And on top of all that, she got to meet some of the top cake decorators in the world at the show.  These are people that you see on the Food Network in the cake and sugar art contests (like Bronwen Weber).  A couple of them were judging the contest (one was Norman Davis), and they absolutely loved April’s cake. 

I have never seen my wife so excited.  Needless to say (but I will say it anyway), I am VERY proud of my wife.  She is very talented, and she is a great mom and wife.  Way to go, baby!

Vet

Posted by Michael Farnum on Saturday, February 17th, 2007

Filed under Security

Since Alan and Mitchell have not blogged about this (Alan quickly mentioned it), I have to write about it.  This was by far one of the funniest and weirdest things that has happened to me in the last few years (since I don’t get out like I used to, this is not saying much - but it was still crazy).

Anyway, a bunch of us blogger people went for Thai food after the blogger gathering at RSA.  After a good time and some good food (and after looking around the restaurant and realizing we were the last group left), we decided to take off.  Alan, Mitchell, Rothman and some others decided to go out for some more fun, but I was just interested in getting some sleep.  So Mitchell, Alan, and I piled into one cab (I was in the front seat - we are all fairly big guys) and told the cab to take Alan and Mitchell to the bar and me to my hotel.

So we were all just BS’ing and talking about how fun the gathering had been.  We came to a stop light, and all of a sudden, the cabbie pulled out a huge wad of credit cards.  Seriously, there must have been at least 50 different credit cards in this stack.  This is suspicious to say the least, and Alan immediately pipes up and asks the cabbie if he had a little identity theft going on.  The cabbie immediately got upset and started hollering at Alan and accusing Alan of asking the question because the cabbie was a black man.

All of us were somewhat stunned, but Alan quickly started verbally defending himself.  The cabbie would hear none of it and became even more upset, telling Alan to think about his comment when he “laid his head on his pillow tonight” (which I think was around 3am for Alan - they partied a little bit that night).  Mitchell also joined in on the defense.  Since I was in the front seat and immediately in the range of the cabbie should he decide to get physical, I just kind of kept my peripheral eye on him and kept quiet for a bit.  But the cabbie kept getting louder and more upset, which just pushed Alan to be even louder (some of his comments made me choke with laughter, but I won’t post them here - they were not racist, BTW).

At this point, I wasn’t sure what was going to happen, and this guy basically had our life in his hands if he decided to go postal.  I tried to get the guy to calm down by telling him that we were information security professionals, and we would have asked the question if the guy was green, but he still would not leave it alone.  He told us that he had a $300 belt and basically explained that he had a lot of money.  I think he was trying to tell us that he didn’t have a need to steal, but I think it really just served to make me more suspicious.

Unfortunately, the bar that Alan and Mitchell were going to was closer than my hotel.  Alan and Mitchell piled out, and I got out so I could get in the back of the cab (I didn’t want to be up front with this guy - don’t ask me why I didn’t find another cab or just walk to the hotel).  As I said my goodbyes to Alan and Mitchell, I thanked Alan for leaving me with a pissed off cabbie.

I guess most of his ire was directed at Alan, because he was OK after he dropped them off.  He continued on his tirade, but it was just more like griping at this point.  I just listened and nodded my head for the rest of the trip (just a couple of minutes), paid the guy when we stopped (yes, I tipped him), and extricated myself from the cab quickly.  I said a prayer of thanks, then went up to my hotel room and went to bed.

So, having posted the story, here are some thoughts I have about it.  First, I really should have thought about getting the guy’s information from his cab license and calling the cops after he dropped us off, but it really never crossed my mind.  I was thinking more about just getting back to my hotel alive.  Second, I believe this guy was either totally legit and those cards were his,  or he was totally stupid.  Honestly, I believe the former is true because he just didn’t strike me as stupid.  Even though he was vociferous in his argument and wouldn’t calm down, he was still speaking intelligently.  However, it WAS stupid to pull out a bunch of credit cards in front of some guys he didn’t know.  So, I will pull out my psychologist hat and give you my take on this act.  I think that the cabbie was VERY proud of the wealth he had accumulated and liked to show it off to his passengers.  And because of that pride, he was very susceptible to defensiveness and perceived Alan’s comment as an insult.  Basically, he was so proud of his wealth and that he had accumulated it honestly that he would take any slightly negative comment as an insult to his character.

But whatever the reasoning behind his defensiveness, I have to say that it made for some fun and crazy memories and some good blogging material.  I can’t wait to get together with the bloggers next year.  But I will think twice about getting into a cab with Alan next time.

Vet

Posted by Michael Farnum on Wednesday, February 14th, 2007

Filed under Security

I think I am going to try this next time I fly.

All in all, the entire process took just over 10 minutes and got me through security significantly faster than going through the regular process.

Vet

Posted by Michael Farnum on Tuesday, February 13th, 2007

Filed under Security

WARNING: This may be a bit of a ramble.

I am a member of a Yahoo email discussion group for security professionals. One of the comments made today was about a man taking his son to an IT conference to see if he could get his son to “swear off IT as a career.” Though amusing, I am sure the gentleman was fairly serious about his statement. And though my children are too young to start thinking about a career, it made me wonder about the state of the IT industry in general and the security industry specifically and what those will look like in 20 or so years when my kids start getting out of college and enter the workforce.

Let’s look at kids today compared to when I was a kid. I regret that I did not get into technology when I was young. Honestly, I was introduced to computers at a fairly young age compared to most back then. I played with an OLD IBM (don’t remember the model number) back in fifth grade that one of my teachers owned and brought to class (she was a visionary). But it would have been great to be as deep into computers and technology as kids can get into today at a much younger age (I have a picture of my oldest son sitting in front of a computer at 2 years of age using the mouse to play a toddler game). The reason I say this is because when I was a kid, if you got into computers, you GOT INTO computers. There was no Internet. There was no plug-and-play. There was no mouse. You had to know what you were doing on a much deeper level. You knew how and why a computer worked as it did.

Most kids today take technology for granted, just like kids from my generation took TV for granted. It is there, it has always been there, and it will probably always be there. It is a part of life, and they know it like they know how to brush their teeth or put on their shoes. And taking technology for granted is the problem. A friend of mine commented recently that kids were so much more security savvy than we were back in the day. But his tone and the context showed that he was making an offhanded comment rather than stating a fact. Basically, he assumed that kids knew more because they always had computers around. I made the comment that having technology does NOT mean that kids look at things in a more secure-minded way. In fact, I argued that the opposite is more the case. They don’t always know that there is a problem with getting online and sharing information. Many kids just view it as a way to talk with their friends and play games. They probably aren’t aware that there are a bunch of bugs and security flaws in their OS, so patching is not a foregone conclusion by any means. The average kid isn’t aware of botnets and keyloggers and other types of malware beyond your basic virus or worm. Most computers come with a 90-day trial of AV software, but how many buy the new stuff and update it?

So, should kids today look at IT as a viable career path? Yes, of course. If you put a kid today who is computer-savvy against a kid of my era who was computer-savvy, the average kid of my day would almost always beat the average kid of today. But there are exceptions to that rule. I have met some “kids” online via blogging that are “on-the-ball” big time when it comes to computer and Internet security. But they don’t take the technology for granted. They are of the same breed as those kids from my day. They want to know the how and why. I hope they continue down that path, and I pray there are more of these kids out there that will help us move along in IT and security.

Now, having said all of that depressing stuff, what do I think about my kids getting into the field? The difference I see between my children and today’s children is that the IT industry will probably be a completely different field in 20 years. I see us on the verge of some crazy discoveries in technology. These are developments that may revolutionize the industry to such a point that IT will really be something completely different than today. And because this is where technology is going, kids today can get on the ground floor and be at essentially the same point that my generation was when technology started making crazy leaps and jumps. I think it will be new and refreshing and will resemble what we went through in our generation.  I am excited about my kids getting into IT in the future.

But we need our kids to want to know why and how. Every generation has its visionaries, but they just aren’t there in the numbers they used to be, and their visions are different.   The young people I see today are still every bit as smart as they were back then.  But they seem to be limited to filling gaps instead of breaking ground. Everything new is productized, packaged, and sold. There are a lot of young, smart entrepreneurs who build a company around a point product and sell it off, then start again. These types of people and products have their place in our society and economy. But they are not the old-type visionaries. We need to come alive again.

Vet

Posted by Michael Farnum on Monday, February 12th, 2007

Filed under Security

Kurt made too much sense about making my email address accessible, so I decided to go out and search for a web form plugin for Wordpress.  Now you can contact me using this form at my Contact Me page.  A link is also available on the upper right corner of my site in the “Internal Links” section.

Vet

Posted by Michael Farnum on Saturday, February 10th, 2007

Filed under Security

…because I didn’t have an email address on my blog. Well, I finally posted it. It’s on my “About” page. So there.

While you’re there, you can gaze on my handsome face as well.

Vet

Posted by Michael Farnum on Friday, February 9th, 2007

Filed under Security

As I have explained, I didn’t get to go the full week at RSA.  And while I was there, I was doing interviews or just generally screwing around, so I missed all of the keynotes.  When I heard at the conference that Larry Ellison from Oracle didn’t show, I about blew beer out my nose.  Typical crap for that egomaniac.

Then, I read this story entitled, “RSA: Symantec’s Thompson Swipes at Microsoft”, and all I could think was, “what’s new?”  This is the same crap Mr. Thompson pulled when I was at RSA in 2005.  And it was even more sadistic because he came on right after Bill Gates.  At first everyone was kinda laughing and thinking it was good.  But then it got quiet, and the air got tense in the hall.

While I don’t defend Microsoft a lot, I do not think it is very mature for a grown man who is the CEO of a major security company to play these kinds of games.  It is ridiculous and silly.  Everyone has problems with Mr. Gates and his products.  But a little decorum from Mr. Thompson would be nice.

Vet

Posted by Michael Farnum on Friday, February 9th, 2007

Filed under Blogging, Blogging Buddies, Friends, Fun, Security

[Updated post - I added quite a bit]

I am about to leave the RSA conference. I am a little disappointed that I was not here all week. The last two years I arrived Monday and left Friday and got to go to all the sessions I could make it to. But that was when I was an Information Security Manager for a non-profit psychiatric clinic. They were used to sending doctors and their execs to conferences, so it wasn’t a foreign concept to them. Now that I am a presales SE for a security consulting firm, I have to make sure I am available for meetings and such as much as possible.

I really am grateful that I am here at all this year. I really came in just for the security blogger gathering, and I wouldn’t be here at all if it wasn’t for that. Of course, I did meet with a potential client while I was here, so I feel much more justified.

Speaking of the blogger gathering, I have to agree with Martin that it was a great event. I loved meeting everyone that I have been IM’ing and emailing and podcasting with for a year now (BTW, my blog is almost 1 year old - Feb 24, 2006 was my first post). My favorite part had to be the big bear hugs I got from Alan Shimel and Mitchell Ashley at StillSecure (the most exciting event of the evening was the cab ride from the Thai restaurant to my hotel, but I will give Alan a chance to blog about that first). Those two guys crack me up, and they are really cool guys.

I also finally got to meet the great Mike Rothman. I like that guy a lot.

I also got a thrill when I met people that said they read my blogs. I agree with Alan when he comments on how flattering it is to have someone say they read and actually value what I write.

I also enjoyed meeting Cutaway from Security Ripcord. That guy is as down-to-earth as you get. Just a good guy who doesn’t put on any airs. He’s a Marine (some would say former Marine, but once a Marine always a Marine). I was in the Army, so we inevitably end up talking military stuff. If you add Martin to the mix (ex-Army), it really gets deep.

One other person I really enjoyed meeting was Washingtonpost.com’s own Brian Krebs, who writes the Security Fix blog. Brian is a celebrity in the security world because he writes for such a distinguished publication. But he is also respected by security professionals because he writes some good stuff and knows what he is talking about. And he was a nice guy, and he was also humble. I had to thank him personally for the great job he did of exposing the scandal with the Connecticut substitute teacher that was convicted for exposing her students to pornography (here and here).

Some other big names that were there:

Bruce Schneier - It was pretty cool to actually get to introduce myself to him. I’ve met him, but only quickly at shows and at a book signing. This was more personal.

Richard Stiennon - VERY nice guy. And all we bloggers thank him and Fortinet for sponsoring the event (we thank Microsoft as well).

Rich Mogull - Gartner man himself. Another down-to-earth and very likeable guy. And he is a second dan in taekwondo.

Ron Gula - It was a pleasure to meet Ron as well. Another good guy who could easily be arrogant but was not.

There are others, and I don’t mean to leave anyone out. I just can’t remember everyone. Suffice it to say that this was a group of people who were just excited to meet a bunch of peers and talk about security (though I don’t think we talked about security as much as we just BS’ed and had a good time networking).

Vet

Posted by Michael Farnum on Thursday, February 8th, 2007

Filed under Security

I’m heading out to RSA at San Francisco for a couple of days to do some interviewing and some general perusing.  However, the real reason I am going is the security blogger gathering.  I am really looking forward to meeting so many people that I have been conversing with for the last year via my blog.

I have a press badge courtesy of my CW blog, so I am going to have to check out the press area and see what kinda goodies they have back there.  I’ll wave at you from behind the glass!

Vet

Posted by Michael Farnum on Wednesday, February 7th, 2007

Filed under Security

Looks like a company responsible for editing in-flight movies accidentally edited out “God” from the movie The Queen.  I know this story isn’t really security related, but I thought it was interesting because I experienced this when flying to Accuvant’s sales kick-off a couple of weeks ago in Colorado.  I kept wondering if I was imagining that “God” was being bleeped (it was a silent bleep - basically “God” was edited out completely).  Turns out I wasn’t going crazy (or crazier anyway).  I thought about writing or calling to ask about it, but I forgot about it with family and work stuff.  I figured it was some politically correct nonsense.  I am glad I was wrong.

What is kind of amusing is this:

Klein [president of the editing company] discovered the mistake after a London-bound Air New Zealand passenger complained earlier this month and the airline apologized for showing “the incorrect version of the film.” The “Godless” version of “The Queen” was followed on the London flight by a showing of the movie “The Departed.” Obscenities in “The Departed” weren’t edited out, and the inconsistency prompted the complaint.

Sounds like these guys need to check their QA procedures.

Vet

Posted by Michael Farnum on Monday, February 5th, 2007

Filed under Security

The VA is missing a hard drive with 48,000 veterans’ records on it.  20,000 of them were NOT encrypted.  Huh?

Vet

Posted by Michael Farnum on Sunday, February 4th, 2007

Filed under Security

I picked up on this story from a post at the nCircle blog.  Looks like Skype is trying to make themselves palatable to security admins by hooking up with security companies.  The first one they are partnering with is FaceTime Communications, who produce software and appliances that help businesses monitor and secure use of instant messaging.  Also in the article:

Skype is looking to team with a number of security companies, also for consumer applications. In a recent interview, Skype Chief Security Officer Kurt Sauer said the company is in discussions with security firms to provide add-ons to its software to scan text sent through Skype’s chat feature for malicious links.

I think this is a good move for Skype and will likely help them become more “sticky”, but I still agree with Andrew at nCircle:

I’d welcome a Skype client that I could monitor, configure and centrally manage. Until then, keep it away from my networks.

Vet

Posted by Michael Farnum on Thursday, February 1st, 2007