Rational Survivability

Talk about your weapons of mass distortion!  As much as I detest Rachel Ray, her proclivity for abbreviating ingredient names, and her lack of actual mad chef skillz, this is absolutely retarded.

The Chicago Tribune reports that Dunkin’ Donuts, for whom Ray is a spokesperson, has pulled an advertisement featuring her EVOO-ness because some nut job — Michelle Malkin — suggested that the scarf she was wearing in the commercial looked like a "jihadi (chic) keffiyeh" worn as traditional garb by Palestinians:

Dunkin’ Donuts has canceled an online advertisement featuring celebrity chef Rachael Ray after complaints that a scarf she wore in the ad offers symbolic support for terrorism.

Dunkin’ Donuts said Wednesday it pulled the ad over the weekend because of what it calls a "misperception" about the scarf that detracted from its original intent to promote its iced coffee.

Critics, including conservative commentator Michelle Malkin, complained that the scarf appeared to be traditional garb worn by Arab men. The ad’s critics say such scarves have come to symbolize Muslim extremism and terrorism.

Malkin decided to describe Ray’s choice of accessory as "hate couture."  Unbelievable.

Well, I guess I’ll have to go back to drinking Starbucks since consuming DD iced coffees is obviously the equivalent of state-sponsored (or at least costumed) terrorism.

Land of the free, indeed…

/Hoff

If Barracuda attempting to gobble up SourceFire today wasn’t interesting enough, check this out…

WALTHAM, Mass., May 30 /PRNewswire/ — Hyperbole, Inc., the the pioneer and leader in virtualization security solutions today announced it has emerged from stealth mode and raised $14 million in a Series A funding which it will use to expand its R&D efforts and grow its sales and distribution teams.

Hyperbole’s flagship product, HyperTension, provides a zero footprint and forensically tight paradigm-shift in the emerging virtualization security (VirtSec) market by automatically protecting all virtual infrastructure against known or unknown attacks without the need for expensive and clumsy IDS, firewall and IPS technology. 

With no agent software and no hardware requirements save for a specially-constructed tamper-proof USB device called the HyperDrive, HyperTension is able to secure any virtualization platform automatically within seconds and with no downtime required.

HyperTension provides an undetectable ring compression insertion technology that injects itself into memory space transparently and utilizes the flash memory space available in PCI cards present in the system to load, thereby not corrupting the main heap and rendering itself undetectable. 

Further, HyperTension will probe for the presence of parallelized graphics processing units (GPU) from leading graphics card providers and if found, will utilize them to provide the compute cycles necessary for operation thereby not impacting the on-board main CPU or cache, further lessening the impact of the solution running in virtualized environments. 

This allows for massive computation capabilities used to provide real-time memory-space attack detection functionality which can be manually or automatically adjusted using our patented HyperSensitivity comb filter technology.

Hyperbole’s patented HyperVentilation technology utilizes quantum cryptography and open source algorithms to create "holes" in memory to dynamically encrypt/decrypt the entire memory space of a virtualized host and upon register access, leverage commodity TPM solutions to authenticate and decrypt memory on the fly when used in conjunction with any of Hyperbole’s partner-supplied whitelisting solutions.

Once accessed, HyperTension automatically performs an ASLR operation for pointer obfuscation and then re-encrypts the memory space using a newly-generated quantum key derived from the unique properties of the hashed cache entries from the rotating cipher.

This provides unbreakable security since only authorized applications can attempt to gain access to HyperVentilated memory space which is also encrypted to prevent unauthorized access.

…

Speechless. 

/Hoff

My last couple of VirtSec posts have caused quite a stir in certain circles.

The “debate” between who “owns” VirtSec that originated as part of my response to Simon Crosby of Citrix regarding the same has been picked up and amplified on multiple fronts.

Greg Ness from BlueLane wrote a piece referencing it that was cross-posted on virtualization.com and that even made its way up to VC/investment blogs such as seekingalpha.com (Citrix vs. Chris Hoff 😉 and has had my mobile ringing/vibrating itself off my desk over the last week or so.

It’s hard to believe sometimes just how many people — and who — reads my steaming pile of blogginess.

The second post of interest was in regard to the provenance of VMware’s VMsafe and my reflection on prior art (Livewire) by VMware’s Rosenblum & Garfinkel which seems as though it could be the progenitor of the upcoming technology.

The very tail-end update of that post referenced another piece of research produced by Komoku based upon similar work focused on rootkit defense. As I pointed out, Komoku was recently acquired by Microsoft.

I added those comments deliberately as a parenthetical — almost like a bookmark — because what I intended to do next was directly compare and contrast the technology architectures and approaches of VMware, Citrix and Microsoft as it relates to security integration.

It seems a bunch of really bright folks caught onto that because a slew of links (such as this one) followed — driven mostly by Alessandro’s (virtualization.info) post titled “Is Microsoft Working On VMsafe-like Framework”

I think that’s an excellent question 😉

It’s pretty clear where Citrix’s CTO stands on the matter — as flawed as I see his shortsighted market approach (note I didn’t say *technical approach*) — but Microsoft stands to gain an interesting foothold in regards to security should they play this game correctly.

I found it interesting that others are starting to recognize that the virtualization battle isn’t going to be won by a shoot-out and the hypervisor-version of the OK corral. It’s the effectiveness of the ecosystem and the ability for the channel to serve it up and the customers to implement it.

People are sick of sweeping up the decaying corpses of good technical solutions that suck in terms of integration, implementation, operationalization and accountable support — especially when they have to keep paying for it. Ah the “best-in-breed” versus “good-enough” debate again?

Not to further pick on Citrix (or Xen specifically) but here’s a great post from Schley Andrew Kutz from the searchservervirtualization.com blog titled “Xen: An endangered species in the virtualization ecosystem?“:

While Citrix Systems’ Xen’s ubiquity may help the technology earn a legacy as the invisible hypervisor, it may also prove the most challenging next step for IT administrators and developers who want to find or develop software that leverages, supports or extends the Xen hypervisor.

…

While ultimately it may not prove difficult to develop cutting-edge technology compatible with the Xen hypervisor, it may prove so to market it. If you are in the business of selling virtualization add-on products, you want to ensure that your product is compatible with VMware Infrastructure, because that is where the sales are.

…

As Xen’s legacy may be to become the ubiquitous, embedded hypervisor for all to use, its strength may also be its greatest detriment to Xen-based virtualization platforms. Xen’s strength is its practical application as the invisible, reused, resold, embedded hypervisor, but invisibility just hasn’t worked in Citrix’s favor. Instead, it shields partners from building ecosystems around Xen and has marginalized the brand name.

Amen to that.

Take heed, Citrix. I maintain your CTO is blinded by what can only be described as a denial of market realities and an undying (arrogant) allegiance to what some might consider to be an architecturally superior product on some fronts, but a lacking solution on many others.

Securing the hypervisor is definitely important. However, securing both the hypervisor and the assets that sit on top of it by providing the most extensible, effective and manageable means of doing so is really what’s important to customers. Sometimes, it has to be about more than where you came from. Sometimes it’s about where you’re going.

I’ll be finishing up my post on where I think Microsoft ought to go shortly.

/Hoff

One of the things I try to do when looking forward for inspiration in solving problems is to ensure that I spend enough time looking back to gain perspective.  I’ve been thinking a lot about models for virtualization security lately.

As I surveyed the options (or lack thereof) splayed about before me in terms of deployment options and available technology to solve some of the problems I’ve been researching, I was struck by what I can only describe as a ghost of future’s past. 

It shouldn’t really surprise me like it does, but I always giggle when reminded of my own favorite saying: "Security is like bellbottoms — every 20 years or so, the same funny-looking kit comes back into style."

As it is with jeans, it is with security solutions.

I dredged up some of my collected research from moon’s ago on the topic and dusted off a PDF that I had completely forgotten about as I was trying to piece together some vague semblance of something that strangely reminded me of VMware’s VMsafe.

I cracked a gigantic smile when I saw the authors — Tal Garfinkel and some guy named Mendel Rosenblum (now co-founder and chief scientist at VMware.)

The PDF in question is titled Virtual Machine Introspection ("productized" as LiveWire) and presents the following case:

In this paper we present a new architecture for building intrusion
detection systems that provides good visibility into the state of the
monitored host, while still providing strong isolation for the IDS,
thus lending significant resistance to both evasion and attack.  

Our approach leverages virtual machine monitor (VMM) technology. This mechanism allows us to pull our IDS “outside” of the host it is monitoring, into a completely
different hardware protection domain, providing a high-confidence
barrier between the IDS and an attacker’s malicious code.

We achieve this through the use of a virtual machine monitor. Using this approach allows us to isolate the IDS from the monitored host but still retain excellent visibility into the host’s state. The VMM also offers us the unique ability to completely mediate interactions between the host software and the underlying hardware. We present a detailed study of our architecture, including Livewire, a prototype implementation. We demonstrate Livewire by implementing a suite of simple intrusion detection policies and using them to detect real attacks.

I got to thinking about the relevance of this approach because of some of the arguments that Simon Crosby made in our debate recently.  I wanted to spend some more time thinking about the architectural differences between VMware and Xen so I could try an appreciate the genesis of Simon’s comments in context.

This paper and the Livewire prototype was created circa 2002.  It’s six years later and we’re just now starting to see products and technology being announced as "new and fresh"  that is basically just like Livewire.

While it’s certainly not the first and only research on this topic, it’s interesting to see that sometimes the wisdom of the past just takes just a little longer to cook before it’s fully baked, ready for icing and ready to be consumed.

If VMsafe is an example of the evolution of prior art like Livewire, what else do we have to look forward to that’s buried somewhere waiting to come back to life?  Oh wait, those mainframes are coming back, aren’t they?  What’s old is new again.

/Hoff

{Update: I also found some cool related stuff from Tim Fraser called Virtual Machine Introspection for Cognitive Immunity (kernel rootkit mitigation using VM Introspection) from Komoku which was acquired about a month ago by, gasp, Microsoft…}

I’m in New York presenting as faculty at the IANS NY Metro Security Forum.

Marcus Ranum and I spent today presenting the “Network Potluck” track on Log Consolidation/Analysis/Correlation, Next-Generation Network Security and Endpoint/Mobility Security.

Further, I gave a couple of presentations on virtualization security.

For those of you unfamiliar with the Institute (IANS,) you should check it out. What an absolutely incredible gathering of faculty and partners from such a stacked and diverse set of verticals. The agenda and format is really unique and it’s unlike any other forum I’ve attended:

The Forum is a highly interactive experience. Modeled on the Harvard Business School teaching method, it emphasizes expert-led, real-world discussions that draw on the experience and expertise of participants to drive insights to new levels.

This is not a person yapping at you from behind a PowerPoint, it’s a moderated dialog between real practitioner’s from some of the most forward-thinking companies on the planet offering you real advice (and seeking it) regarding what works and doesn’t.

Tomorrow is “solutions provider” day where we put the vendors through their paces and the opportunity for real face-to-face “no bull” sessions between vendors and customers — moderated by faculty members — begins.

Look forward to seeing you at an IANS event!

/Hoff

I do these every once in a while.

Enjoy

—

The Air Force, it seems,
wants its own net of bots
how many you ask?
The good colonel says "lots!"

The best defense is offense
to defend, they’ll attack
After the DDoS
you’ll get your game console back

Seems NATO’s on board
the Baltics are chuffed
the Cybersecurity center
means attacks will be stuffed

If your cable’s from Charter
they’ll know you surf porn.
Want your privacy back?
Get Obama on the horn

Speaking of privacy,
can you say P-R-N-G?
if you’re running Ubuntu
I’ve pwned your root key

The free email archival
from NSA — quite a mess
they got knocked off the air
‘cos of bad DNS

Seems virtualization security’s
not Simon’s problem to fix
beyond hypervisors
they simply don’t mix

Troubled by compliance?
governance giving you fits?
risk management efforts
driven by auditor twits?

Fear not my good lemmings
I’ve the answer, you see
close your eyes, send a check
Behold: GRC!

Check Point launched ForceField
sandboxed browsing – how zen
I installed it, went browsing
but it broke VPN

Nessus licensing changed
not that much of a hassle
though some might have to pay
for the  coolest new NASL?

Dave & Busters suggests
that you eat, drink, and play
Three dudes from east europe
took that quite the wrong way

Yahoo’s in turmoil
Ichan wanted a "yes!"
HP spent near twelve billion
and they bought EDS

HSBC lost a server
Oh what could be finer
than your banking details
floating ’round China

Oh rootkits, we love thee
Where are you hiding them then?
In software, in firmware?
Oh, look! SMM

Don’t forget IOS,
there’s a rootkit there, too
pwnage of routers
means no sleep for you!

Intrusion tolerance solutions?
What’s that you may query?
It’s admitting that losses
are real, not theory 

New PCI — deadline’s coming,
what will you do,
to comply with the new stuff
in version 1.2?    

And finally,
I’m bullish on Google, I am
except when their mailer
starts sending me spam 

It seems I have fallen victim to a series of misunderstandings these days.

First there was Joanna-Gate and now Simon Crosby, Citrix’s CTO, suggests in a blog entry titled "Chris Hoff & The Mother Of All Misunderstandings" that I’m puffing on the wrong end of my cigars for disagreeing with his position.

I’m a little concerned that Simon’s response to me was issued on what is listed as the "beta" version of Citrix’s official blog.  Perhaps the virtualized version hasn’t made it out of QA yet? 😉

Simon’s response was extremely well crafted to avoid responding to most of my actual points, was contextually oblique at points, and was a fantastic marketing piece for Xen Citrix, but I wish he’d paid more attention to the actual points within my post. 

Further his little quips/comments on his hyperlinks "Who is this guy, anyway?  Think before you type dude, we’re not idiots," etc. didn’t go unnoticed – cute but juvenile)

I am, however, honored that Simon would accord me the high-status of being "…normally fairly clued-in:"

I
reckon that Hoff, who is normally fairly clued-in,  has put the smoking
end of the cigar in his mouth before thinking through this argument.
He’s horribly confused, but as smug as always, so let me clarify what I
said, and what it means.

…but I can assure you that I’ve only ever done that with a cigar once,
and it was for a much better reason than blogging.  If you must know,
it was Kentucky’s finest bourbon.  That is all I’m going to say about
that. 

I’m glad he’s "clarifying" what he said, since I will also.  I seem to have that effect on people.  Must be the accent thing…

The reason for my allergic reaction to Simon’s comments stem from my opinion that it is the responsibility of virtualization platform providers to ensure that their "[virtualized] data center operating system platforms of the future" don’t become the next generation of insecure infrastructure.

Simon sums up his opinion:

In summary an assertion that the virtualization platform vendor has
to fix the sad state of the OS/App world by making it secure is
demanding too much.  It would mean that we have to be experts in every
piece of system software including all of the vulnerabilities of all
OSes and their apps.  In my view the reason the state of security is
poor now is because of the monolithic approaches of traditional OS and
app vendors. 

We will focus manically on our layer, make it
secure, tiny and bulletproof to attack in its own right.  And we will
work closely with experts in security of OSes and Apps to give them an
opportunity to implement guest-level security outside the guest,
through privileged interfaces that themselves are secure.

After 15 years of dealing with this crap, I respectfully suggest that it is not too much to ask and it’s about time we stood up and did.  First  you criticize OS/App. vendors and blame them for the state of security because of their "monolithic approach" and then you go on to propose the exact same thing!

Focusing only on your little patch of grass is short-sighted and it won’t work.  Just like it hasn’t worked in the past.  It’s a disaster waiting to happen, and you’re enabling it. 

I shudder at the potential tunnel vision of virtualization platform providers only focusing on the security of the hypervisor without taking the bigger picture into consideration and expect a piecemeal approach to securing the expanse of the virtualized environment to suffice.

It’s clear you’re making arguments about security from an engineering and code-base perspective that is simply disconnected from the realities of what it means to actually deploy these solutions. 

Virtualization is more than just the hypervisor.  You should know that by now, Simon.  The company that acquired your company knows all about that.  The hypervisor will shortly become a commodity, so in the long term the value brought to bear has to be more than just an ultra-thin layer of code:

…and furthermore, we’re going to deploy many of them:

I wish to make it clear that I hold all virtualization platform vendors to the same level of scrutiny and criticism, not just Citrix. 

I happen to like Xen very much.  I like VMware, also.  I think the latter is more realistic and measured when it comes to addressing the need and approach in recognizing that as a major layer in the infrastructure, there’s more required than to just secure the hypervisor and leave the remaining mess to someone else to solve.

I think Simon’s blog title is apropos, but I think the misunderstanding is his.

It’s important to understand that I’m not suggesting that virtualization platform providers should secure the actual guest operating systems
but they should enable an easier and more effective way of doing so when virtualized.

I mean that the virtualization platform providers should ensure the security of the instantiation of those
guests as "hosted" by the virtualization platform.  In some cases this means leveraging technology present in the virtualization platform to do things that non-virtualized instances cannot. That’s more than just securing the hypervisor.

Securing the hypervisor whilst closing your eyes to the likelihood
that the majority of attacks against it and other guests will come from "guests" within the same system is planting your head in the sand.  That means that there will be a need to ensure that certain behaviors specific to the hosted guests are mitigated to ensure that bad things don’t happen — to the guest or the hypervisor.

Transferring the responsibility to secure the environment to third party security ISV’s in order
to secure the VM’s
and preventing them from compromising one another or the hypervisor is
difficult for me to comprehend, especially when they are playing catch up of what virtualization means within the context of security.

Fundamentally, attempting to mate static and topology-dependent policies to incredibly dynamic and transitive technology delivered by virtualization will simply fail.  Third party security ISV’s will simply require a complete re-tool to even get close to delivering this and will need to provide intimate hooks to allow for this policy/guest affinity to occur in the first place.

I consider the virtualization infrastructure layer as that of an operating system and as such, I would expect that the underpinning mechanicals are as sound and secure as possible while also ensuring that anything running on top of it is as secure as possible, also.

Let’s take Microsoft (with or without Hyper-V) as an example:

Microsoft is fundamentally concerned now with making the OS as
resilient and secure as possible whilst preventing the applications and
interaction with elements riding on top of the OS from doing bad things
to the system as a whole; this isn’t just to protect the OS, but the
assets on it. 

This is really what I’m getting at.  Yes, Microsoft is an OS provider.  Shortly, that OS provider will integrate virtualization directly into the operating system.  That means more, not less, direct integration and security embedded as a function of the virtualization platform.  Citrix, VMware, etc. are all just operating system vendors of a different shape and size.

It’s unclear to me, Simon, whether your arguments are meant to justify a business model, a lack of planning, a crafty plan to perpetuate the security hamster wheel of pain, or all of the above.  It’s clear to me, however, that you’ve not felt the pain of actually having to use the products you suggest should be deployed in order to secure this mess.

I promised myself I wouldn’t turn this into one of those cut/paste blog pong entries, but the following really confused me:

But we are not in the business of specifically securing guests or their
applications, other than through offering a secure virtualization
platform.  Even VMware with VMsafe simply exposes APIs to third party
security vendors, so that customers can choose their preferred security
partner to secure guests.  I think that the VMware Determina
acquisition was very smart, and that hints to me that VMware sees
itself having a greater role in the security of guest OSes, since it
could choose to be in the vulnerability checking business without 3rd
party security vendors, but thus far they are working very openly with
the ecosystem.

So which is it?  You’ve established that Citrix is not in the business of securing guests or applications (you must mean Xen specifically, because somebody at Citrix spent quite a bit of money on this stuff with their other acquisitions) and that you believe it to be a lousy idea, but you think that VMware’s approach through their Determina acquisition as well as the capabilities of VMsafe is "…very smart?"

Simon, you’re the CTO and I’m the security wonk.  If we didn’t disagree, I’d be alarmed.  However, I think you might want to rethink your approach to how you market the security of your platform.

I’ve got a cigar for you anytime you want one.  I’ll let you light it.

/Hoff

In July of last year, I prognosticated that Google with it’s various acquisitions was entering the security space with the intent to not just include it as a browser feature for search and the odd GoogleApp, but a revenue-generating service delivery differentiator using SaaS via applications and clean pipes delivery transit in the cloud for Enterprises.

My position even got picked up by thestreet.com.  By now it probably sounds like old news, but…

Specifically, in my post titled "Tell Me Again How Google Isn’t Entering the Security Market? GooglePOPs will Bring Clean Pipes…" I argued (and was ultimately argued with) that Google’s $625M purchase of Postini was just the beginning:

This morning’s news that Google is acquiring Postini for $625 Million dollars doesn’t surprise me at all and I believe it proves the point.

In fact, I reckon that in the long term we’ll see the evolution of the Google Toolbar morph into a much more intelligent and rich client-side security application proxy service whereby Google actually utilizes client-side security of the Toolbar paired with the GreenBorder browsing environment and tunnel/proxy all outgoing requests to GooglePOPs.

What’s a GooglePOP?

These GooglePOPs (Google Point of Presence) will house large search and caching repositories that will — in conjunction with services such as those from Postini — provide a "clean pipes service to the consumer.  Don’t forget utility services that recent acquisitions such as GrandCentral and FeedBurner provide…it’s too bad that eBay snatched up Skype…

Google will, in fact, become a monster ASP.  Note that I said ASP and not ISP.  ISP is a commoditized function.  Serving applications and content as close to the user as possible is fantastic.  So pair all the client side goodness with security functions AND add GoogleApps and you’ve got what amounts to a thin client version of the Internet.

Here’s where we are almost a year later.  From the Ars Technica post titled "Google turns Postini into Google Web Security for Enterprise:"

The company’s latest endeavor, Google Web Security for Enterprise, is now available, and promises to provide a consistent level of system security whether an end-user is surfing from the office or working at home halfway across town.

The new service is branded under Google’s "Powered by Postini" product line and, according to the company, "provides real-time malware protection and URL filtering with policy enforcement and reporting. An additional feature extends the same protections to users working remotely on laptops in hotels, cafes, and even guest networks." The service is presumably activated by signing in directly to a Google service, as Google explicitly states that workers do not need access to a corporate network.

The race for cloud and secure utility computing continues with a focus on encapsulated browsing and application delivery environments, regardless of transport/ISP, starting to take shape.   

Just think about the traditional model of our enterprise and how we access our resources today turned inside out as a natural progression of re-perimeterization.  It starts to play out on the other end of the information centricity spectrum.

What with the many new companies entering this space and the likes of Google, Microsoft and IBM banging the drum, it’s going to be one interesting ride.

/Hoff

In an article over at SearchSecurity.com, Simon Crosby, the CTO of Citrix, suggests that "Virtualization vendors [are] not in the security business." 

Besides summarizing what is plainly an obvious statement of fact regarding the general omission of integrated security (outside of securing the hypervisor) from most virtualization platforms, Crosby’s statement simply underscores the woeful state we’re in:

While virtualization vendors will do their role in protecting the hypervisor, they are not in the business of catching bad guys or discovering vulnerabilities, said Simon Crosby, chief technology officer of Citrix Systems.

Independent security vendors will play a critical role in protecting virtual environments, he said. "The industry has already decided a long time ago that third party vendors are required to secure any platform," Crosby said. In this interview, Crosby agrees that using virtual technology introduces new complexities and security issues.

He said the uncertainties will be addressed once the industry matures.

I’m sure it’s reasonable to suggest that nobody expects virtualization platform providers to "…catch
bad guys," but I do expect that they employ a significant amount of
resources and follow an SDLC to discover vulnerabilities — at least in
their software.

Further, I don’t expect that the hypervisor should be the place in which all security functionality is delivered, but simply transferring the lack of design and architecture forethought from the hypervisor provider to the consumer by expecting someone else to clean up the mess is just, well, typical.

I love the last line.  What a crock of shit.  We’ve seen how well
this approach had worked with operating system vendors in the past, so why
shouldn’t the "next generation" of OS vendors — virtualization
platform providers — follow suit and not provide for a secure operating environment?

Let’s see, Microsoft is investing hugely in security.  Cisco is too.  Why would the other tip of the trident want to?  VMware’s at least taking steps to deliver a secure hypervisor as well as API’s to help secure the  VM’s that run atop of it.   Where’s Citrix in this…I mean besides late and complaining they weren’t first?

So, in trade for the "open framework for security ecosystem partnership" cop-out, we get to wait for the self-perpetuating security industry hamster wheel of pain to come back full circle. 

The fact that the "industry" has "decided" that "third party vendors are required to secure any platform" simply points to the ignorance, arrogance and manifest destiny we endure at the hands of those who are responsible for the computing infrastructure we’re all held hostage with. 

Just so I understand the premise, the security industry (or is it the virtualization industry?) has decided that the security industry instead of the OS/infrastructure (virtualization) vendors are the one’s responsible to secure the infrastructure — and thus our businesses!?  What a shocker.  Way to push for change, Simon.

I can’t even describe how utterly pissed off these statements make me.

/Hoff

I don’t know what the the hell Ptacek and crew are on about.  Of course defense-in-depth defense-in-breadth is effective.  It’s heresy to suggest otherwise.  Myopic, short-sighted, and heretical, I say!

In support, I submit into evidence People’s Exhibit #1, from here your honor:

…and I quoteth:

We use layers of security to ensure the security of the traveling public and the Nation’s transportation system.

Each one of these layers alone is capable of stopping a terrorist attack. In combination their security value is multiplied, creating a much stronger, formidable system.  A terrorist who has to overcome multiple security layers in order to carry out an attack is more likely to be pre-empted, deterred, or to fail during the attempt.

Yeah!  Get some! It’s just like firewalls, IPS, and AV, bitches!  Mo’ is betta!

It’s patently clear that Ptacek simply doesn’t layer enough, is all.  See, Rothman, you don’t need to give up!

"Twenty is the number and the number shall be twenty!"

How’s that for a metric?

That is all.

/Hoff