Thursday, April 26, 2018

Fail of the week: Quebec Revenu Agency... but don't worry, they won an award!



I was especially unimpressed by the response to a news investigation into an event hosted by the Quebec Revenu Agency.

You see, they seem to think it is a good idea to use public group live chat sessions, hosted on Facebook, to interact with their clients.

It is understandable for them to wish to have a Facebook presence.  No issues with that.

It is understandable to want to do cool and modern things.  Almost no issues with that.

Why almost?  They are tax collectors.  I fail to see the business need to be cool.

That is like when Hydro-Québec says that their image is the most important thing.  Calm down.  You're the only source of electricity we have; no one is getting a dozen hamsters and telling you to F-Off.

As for this genius Facebook idea, I was misquoted (well... partially quoted) in the paper this morning as saying "Why?"; my statement actually had two parts and was a little bit deeper:

- "What is the actual business need being addressed?"

- "Why do they not host the actual group chat session on a private system that they control instead of Facebook?"  You see, the entire public chat session on Facebook remains available for review long after the event.  On a private system, you can clean the information or simply remove all of it.  Not so on Facebook.  You have no control, and anything anyone typed is not just accessible to the attendees at the moment of the event, but remains accessible afterwards.

So what motivated me to blog about this is the response from the Revenu Agency's PR person, who in my view should take an early retirement.

She stated at least two things that are dead wrong.

Stupid rebuttal #1: "We ensure that no private or sensitive information is disclosed."

WRONG:  The journalists that contacted you told you that the group chat session contained numerous private details such as "I'm going bankrupt.  My revenue this year is $x.  I declared $x in RRSPs.  I just had my bank account seized."

So how exactly do you ENSURE that NO PRIVATE INFORMATION IS EXPOSED?

Stupid rebuttal #2: "We even won an award for our excellent public relations."

WHO CARES:  I love any rebuttal that starts with "we even won an award".  Sensitive information is being exposed.  It is a bad idea, and I challenge you to find a security expert that says it isn't.  The fact that you won an award just pisses me off because you are using my taxes to boost your ego with bad ideas.



If a kid in school hands out free Red Bull to all his friends, he might win the award for best public relations... doesn't mean what he is doing is a good idea.  How can you say something this stupid as your rebuttal...

Baffling.

And she goes on to say "you know, we have a code of ethics and we asked our lawyers...".  Another pointless piece of bullshit.

The lawyers protect your interests first.  They told you to advise everyone participating that "we will not answer personal questions".  That certainly doesn't stop someone from asking one, as is proven in the group chat logs.  And how exactly do you prevent personal questions in a group chat designed for asking questions about the Quebec Revenu Agency?!

Are the participants only there to ask what your mailing address is?

What kind of crack cocaine are these people smoking?

Your code of ethics is a failure.  You should include a portion that talks about your duty, as a higher power, to preach good cyber security practices, you single-celled, inbred amoeba idiots.

In light of all the bad press around Facebook this month, you certainly picked the right time to continue using Facebook as a group chat system; after all, it is not like we know that Facebook uses ALL available data as its business model since the service is free.

Now here is a tip.  If you want to actually have good customer experiences, try answering the phone when someone calls and needs to talk to you.   

I know it is a lot cooler on Facebook, but I hear a lot of people bitching that they can never get any assistance when they need it.



_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches cybersecurity at l'École Polytechnique and HEC universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter: @ericparent
LinkedIn: EVA-Technologies



www.eva-technologies.com



Wednesday, April 25, 2018

GDPR is about to bite us in the ass, and it is going to hurt




Call this a fiction piece.  Or maybe even a conspiracy theory.

This way opinions are better managed and no one's overly sensitive feelings get hurt.

PCI and SOX were the last culprits to impose security for compliance within the modern digital world.

This started a terrible trend of doing security for the sake of compliance instead of for the sake of security.  Actually, nothing is wrong with the essence of PCI or SOX... in fact the rules outlined in both of these kind of make sense across all information systems.  But that is not what happens when a compliance issue comes down the pipe.  All hands on deck to figure out what can be excluded from scope, and only address the strictest minimums to get someone, anyone, to rubber stamp a compliant state.

Here comes GDPR (due May 25th, 2018, for everyone who is late to the party) (GDPR - Wikipedia).

The large auditing firms are rubbing their greedy little hands in anticipation of the hell this is about to create.

Lawyers are also right there with saliva dripping from their hungry mouths.

The latest news on the technical front for GDPR is that "whois" domain name data is in scope and must be protected.

This means that criminals can now easily register a .COM domain (or any domain name) such as National-BankOfCanada.com and have the protection of GDPR on their side to hide any information they would have provided.

This isn't a new issue, since you could always hide the publication of your domain registration information through a proxy service offered by various providers.

Investigations need every little piece of information in order to figure things out when things go bad.  

A typical example:  Your network is getting attacked and it is coming from somewhere on the internet (obviously).  More than likely the system attacking you is only a pawn in a much larger game.  It is a system that has been compromised and is now being used to attack others.

As the security actor in this scenario, you look up the IP address and domain registration information and find out that the system in question belongs to company XYZ, their technical contact is named John, his email is John@xyz.com and his phone number is 555-1212.  So you email or call John and let him know that his system is attacking yours and that he needs to take action.

This is where it gets really weird.

Talks this week are about web server logs.

According to GDPR, keeping the IP address within your system logs of a website visitor (or any network connection) is a violation.  They recommend that if you REALLY REALLY need to keep this information, it should be for just a few days.

This is absolutely batshit crazy-ass nonsense.

Average breach detection time is currently measured in months, not days.  And in fact, sometimes it is more like 6 months, not 6 weeks.

This is like saying that you can no longer have a surveillance camera protecting your jewelry store that is able to record.

Entire SIEM solutions would now be crippled and investigations almost impossible unless detected immediately and acted on immediately.  But with the lack of adjacent information, you soon won't be able to tell which country it is coming from, so why bother.

Complete horse shit.

We are once again putting in place laws that are stupid, unenforceable or go against common sense.

Like the stupid anti-spam law in Canada, which will severely punish the legitimate business owner who sent off an email to a potential client and lets the other 99% of the "enlarge your penis" spam get into my mailbox.  Or is that just me?  Unlike Donald Trump, my hands are normal sized, so no issues there.

That law did not change the level of spam I get.  In fact I get even more from services that I clearly don't want, from companies in other countries, and I get no more from potential business partners that are local to me.

Why is GDPR stupid?  Well... the basis of it is fine.  In fact it rests on several laws that are already present in most European countries; it sort of duct-tapes them all together.  What is stupid is when it extends to things that we absolutely need to continue having a functional international internet.

It is as if lawmakers always forget that criminals do not follow the law.

Making it easier for criminals to hide themselves and conceal themselves is NOT going in the right direction.  And now, we will have another wave, lasting almost 10 years, of poorly educated cybersecurity players making a ton of cash fixing your GDPR issues.  The ones you might not even have, or shouldn't even care about.  It is now going to be priority numero uno.  There is an old saying that there is some money in fixing a problem, but way more money in prolonging it.  This applies here.  Focusing on the wrong thing takes away precious resources from areas that greatly need these resources.

The criminals are going to continue getting better, and they are already way better than the majority of cybersecurity entities within enterprises for the simple reason that this is ALL THEY HAVE TO DO in their daily lives.

We have to protect ourselves against every possible attack scenario and they only have to find one way in.

So thank you GDPR for taking tools away from the good guys and making sure the bad guys get more "privacy".

I know what is going to happen over time.  Things are going to get worse.

Just like in airports when some cunning business person wanted to sell full body scanners to the tune of $800k a pop.  Each international airport should have several.  It is for National Security after all!  Let's start a new agency and call it Homeland Security.

How do we get acceptance?  Easy.  Start taking people's nail clippers away at the airport, and their water bottles, and having them take out all their food items and candies (this just happened to me in Texas a few months ago).  Because let's face it, we have all seen that video on YouTube where that dude rams a handful of candies into that innocent victim's mouth and proceeds to kill him with nail clippers.  It was a long, gruelling 5-hour video, a real nail biter.

So as things get worse, society will become more tolerant of government oversight.  Because the government can come in and save us, you see.  Clearly you must see the light.

This is why, over the course of a few decades, things are going to turn to shit and the government will gain even more "power" (read here: spying and controlling abilities).  All in the guise of protecting our privacy.


In the meantime, most companies are now going to be focusing on these "REAL" issues since we must be GDPR ready, yet they can't even manage having quality passwords used by their most senior executives.

People are eager to run to the front with a weapon without any training just because it looks good on paper.

We are going to hell in a handbasket.

This is a certitude.

Another interesting event this week.  The US SEC fines Altaba (formerly Yahoo) $35 million in penalties for not disclosing the breach they had in 2014.  If you are paying attention, you should know that the senior executives don't get a penalty.  It's the shareholders' money, who cares, move on.

https://www.sec.gov/news/press-release/2018-71

The ones with the power never get penalties... not REAL penalties, so don't bother writing me telling me some immature sob story about how one senior executive lost his job, because we all know they get a sweet-ass golden package and just move on to the next place to screw them up while being paid a shit ton of money to do their thing.

When it comes to power, once you have it, you want to keep it.  And the best way to keep it is to follow these basic rules with your sheep... I mean citizens:

1) Keep 'em misinformed / uneducated / stupid

2) Keep 'em under watch (so you can tune your strategy or adopt the right attitude / new laws)

3) Keep 'em frightened.  Remember, lots more money in FUD and over-complicating the problem.

4) Fine the shit out of the small guys because we don't want any more people sitting at the big boy table.  People in power do not like competition.

And boy oh boy are we on track.

Kim Jong-un, like I said before, is a smart nut job.  He managed to get invited to the big boy table.  But he had to pull some crazy ass shit to get there.

Good luck pulling off anything that will get you to the big boy table.  As a regular (yet smart) citizen, you're only entitled to pay taxes and fines and licenses to do things that you should be able to do as a basic right.

Hell in a handbasket, but carried across the finish line painfully slowly.

So, for all the enterprises freaking out over GDPR: take a deep breath and remember that someone will be ready to take your money and "help you" with all your GDPR compliance issues.

And a long series of commercial products are being very well marketed to remind you of how all your compliance issues can be resolved by buying this fine, high quality piece of software or cloud based service.

Yet in reality no such thing exists.  GDPR, like all compliance initiatives, will be long, boring and painful, and yield a very limited true gain on the cyber security front.

Hell, we could write a novel on the conflicts between GDPR and SOX alone.  Doesn't Sarbanes-Oxley kind of want you to keep everything for 7 years, while GDPR doesn't want us to keep IP addresses?

I'm getting my popcorn out and am going to sit back and enjoy the show.

And since I get to play psychologist / coach to senior executives, I will certainly get to hear my fair share of horror stories to blog about.



_______________________________________________





Monday, April 23, 2018

Naive, stupid or maliciously negligent... you decide.

The last few weeks have been a roller coaster ride for security with all the discussions about Facebook being evil and Mark Zuckerberg being the reincarnation of Stalin.



People in general are way too loose on their data sharing and when a FREE service like Facebook makes the news because they are making money on your data..... the surprise that people feel is mind boggling.

I'm not debating that there are abuses.  I'm stunned that people are this stupid and actually thought that Facebook was "free".

How many of your friends have taken one of those silly surveys that pop up, and then you get to see the survey results of 'how' they scored an 87% on the hotness scale if you too take the survey!  What exactly do you think happens to all the personal information you are handing out like it's free...

What is of great frustration to me as a security specialist isn't really Facebook.  It is the sigh of relief that Equifax let out when the Facebook news broke out.

Just like the American president, who keeps jiggling his left hand with a shiny object of meaningless bullshit to occupy the weak cerebral cortex of the masses while the other hand is firmly jammed into big business and big dollars.

The Equifax story shouldn't be dead.

In fact, if there is a real story of an entire system gone bad, this is it.

The bad partnerships


So the banks give all your information to a third party, who then sells you access to your information online, so you can check your credit and make sure the data collected on you is accurate.

I'm no genius, but I can tell when I'm getting screwed.

The lack of a quality security audit by your banks towards their "partners" is an insult.

There are so many things that surfaced that are wrong with the lack of maturity at Equifax that it is clear a quality audit was never performed by their business partners.  Now isn't that alarming, thinking that the banks just hand off your data to a third party without actually checking the state of their security!?

Now I know for a fact that they sent off security questionnaires and that someone at Equifax provided very formal and valid sounding answers.   So the banks feel like they have done their best.  This is complete crap.   Just because you put in place a contract with security requirements does not automatically wash your hands of the responsibility of handing over sensitive data to an incompetent partner.  How respectful is that of our data?  It isn't.


The lack of follow-up and penalties (reward instead)

Why hasn't a formal plan been produced and made known to the public about how the banks are going to address this with Equifax (and TransUnion, the other very similar third party)?

As citizens impacted by these issues, we should be demanding that a formal plan be made, be publicly published, and be reviewed by a qualified and independent security entity (not one of those business friends scratching each other's backs).

No real penalties here... in fact, Equifax shares went up!  They are, after all, selling a lot of those "identity theft" protection packages, so the breach actually helped them make more money.

This is purely criminal behaviour.  Just because our laws don't spell it out, and our elected officials don't care (because they are all friends....), does not make it legal.  This is criminally wrong.

Let's take a moment to look up the word CRIME in a dictionary; this is a worthy mission...

crime

http://www.dictionary.com/browse/crime

noun

1. an action or an instance of negligence that is deemed injurious to the public welfare or morals or to the interests of the state and that is legally prohibited.

4. any offense, serious wrongdoing, or sin.

5. a foolish, senseless, or shameful act.

Now item #1 sounds good until the last words, which stipulate "is legally prohibited", but #4 and #5 remain very clear.

What is going on with our personal data within banks and companies like Equifax is a CRIME.

Our privacy commissioner is asleep

I continue to be amazed that we, as a society, agree to be spoon-fed bullshit about privacy being important by significant entities like the privacy commissioner (constantly bitching about Facebook), but when it comes to fixing a real problem, involving a real failure across the entire system, nothing gets done.

There will be some bitching at Equifax, yet no one mentions the banks' role in criminally mishandling our information, and then life goes on.  Nothing really changes.

So to all the journalists awaiting that next big breach..... how about you finish up on the really important ones instead of hunting for the next mostly insignificant one.   As much as it is fun to watch Facebook get slapped around, we all gave up that data willingly.   What the banks and Equifax are doing is NOT THE SAME THING.  New enterprises get breached every day, but not all of them have the impact that Equifax has. 

It is always easy to blame someone else for your stupidity.  This week, journalists pointed out that an anonymous jury was being identified by Facebook.  NO!  The jury is being identified by completely lax and incompetent security around an anonymous jury.  Who is running these juries?

No one instructed the jury to leave their cell phones off (or turn data off) prior to arriving at the courthouse?

No one instructed the jury to NOT post selfies at the courthouse?

Big surprise that Facebook is suggesting "New friends" at the courthouse!

That is what happens when no one cares enough about security.  Don't blame Facebook, blame human ignorance.

Oh my, we can't ask people to turn off "data" on their phones while they are here, it is "their right" to communicate electronically.   

Ok, then it is their decision to expose themselves and potentially no longer be an anonymous jury.

You can't have it both ways.

As a society we are a whiny-ass bunch of losers always saying it is someone's "right" to do something stupid, and it's always OK to blame someone else for our lack of common sense.

And in doing so, we forget that we have the "right" to impose common sense into certain processes like this case of an anonymous jury.

But hey... let's just blame Facebook because Mark Zuckerberg has that smug rich look.  It's all his fault.

Now, just to be clear.  We cannot expect normal users to understand that they are being very foolish when posting too much information to Facebook, Instagram, etc.   

Facebook is indeed "Evil" because their position has changed into a global information processing demon.

Doesn't change that we continue to act foolishly.

Doesn't change that Equifax is a major issue that will not get the attention it should because it is protected by big business and we, as a society, get really distracted easily by shiny objects.

Doesn't change that banks are not handling us like "clients"; we are simply their products and they do not actually care.

Doesn't change that our privacy commissioner isn't living up to expectations.


And, until senior executives are held personally accountable, nothing will change.

Big fines that are paid by the corporation are just the cost of doing business.


_______________________________________________




Monday, December 18, 2017

The positive blog entry - Launching 2018 on the right foot.

One of my security guru friends (Robert) challenged me to make a positive blog post, as many (most... well... all) of my posts involve some level of aggressiveness towards human stupidity.

I committed to producing a light-hearted, positive post before the end of the year.

Here goes.



Many years ago, I stated that just when you feel you have hit the bottom of the human stupidity barrel, you find a false bottom and the rabbit hole goes even deeper.



It took a 30-year career to finally cross an entire ecosystem that did not follow the same negative progression of downhill motion that I observed in so many enterprises.

As a security professional, I spend most of my time explaining risks to some level of management and watching the message die at that level.  Rarely are the board members advised of serious issues, and senior management usually stays in the dark.  This is mostly based on people's Egos, with a capital E.  So I spend a lot of time trying to get the message to the right people.  In fact that is why at the start of 2010 I decided to move to senior management coaching almost exclusively.

Enter a new client, circa 2014.

I'm brought in by a friend and told very little about the client, aside from the type of business and their yearly revenue.  The numbers being large, I first refuse the client, as I do not want another "traded" company in my client portfolio.  Traded companies are synonymous with cover-ups, lies and messages that do not get to the top.

Robert.... wait for it.... this is really positive!

My friend explains that this is a privately owned company, and that the CIO is a really nice guy.

Strike two.  Security reporting to the CIO is a nightmare scenario.  A daily conflict of interest.  The security initiatives essentially critiquing the CIO.  Who wants to live through that?

For some strange reason, I still went to the meeting.  After all, I am an optimist.

Thus started a long-term relationship that I qualify as one of the best of my career.

It had to happen at some point, statistically these ingredients had to exist somewhere.

I started working with the CIO and the staff that comprised the IT team, and started seeing the light that was missing for so long in so many places.  The staff is overworked and understaffed, same as in all enterprises; however, they are professional, knowledgeable and usually pretty reasonable.

You see, this client is fundamentally different.  No one is lying.  If it's blue, it's blue; if it's orange with green dots... so be it.

That's right, people just say what they think, and you don't get shot in the face, fired, pushed aside or asked to leave the tribe.

When highlighting some security issues, management wants them fixed.  All of them.  I found myself in a new situation.  One that reversed my role of 30 years.  You see, at this client, you have to do two very important things:

1) Prioritize security issues based on risk 
2) Push back and refuse to address all of them based on the identified risks

Number 2 isn't new, it's the basis of risk management, but REFUSING to allow them to fix something is.  In other words, I actively participate in saying NO we are not going to fix that.

Like many large enterprises, external audits happen.  At one point we get a bunch of enlightened auditors who find some really important findings (sarcasm is positive...).

Here are two examples (classics for auditors who might not have a strong technical background):

a) SNMP using public community strings for hardware that isn't important and isn't manageable through SNMP (only statistics can be accessed).

b) Outdated network hardware managed through HTTP.

So what do you think happened?  It was a priority to fix all issues, including these two lame ducks.  The security team's role was to say NO, we are not wasting (sorry... positive terms... investing) valuable time in addressing these findings.

The reasoning is simple: (A) cannot be used to reap any benefits, and (B) uses a unique password, over a switched internal network, used less than once a year, on outdated hardware, with no value once compromised.

So we wrote up a derogation stating why we weren't going to fix it, and the CEO signed off on it.    That's right, the CEO wants to see everything and wants to keep informed of our security posture.  And he doesn't just want to sign off on it, he wants to understand it.

This still makes my eyes tear up.  A series of senior managers who accept their current condition, want to be aware and take the best decisions, AND decide to take actions as required and as identified by the experts they have in their teams.

Holy shit.

In fact, perhaps I shouldn't write this part down....

A few weeks ago, I stumbled on something security related, and I immediately (like a high school freshman) fired off an email to inform the CIO that I was investigating XYZ.

Well, that genius went and told the CEO immediately!

My phone rings; it's the CIO.  He says "hey, about that thing, the CEO would like an update this afternoon".

Son of a bitch!  An update!  I don't even know what is going on yet and I'm the one who saw it first!

I've never had this issue to manage!

For the first time in my life, the entire ecosystem is transparent and I have to take a pause and figure it all out (mostly) before sending a memo if I don't want to be questioned about how we are going to fix it before I know what it is!

This being all said, the security admin and myself now have an agreement that we should hold off for at least an hour and figure things out before we tell anyone.

A long way from the usual attitude of telling senior management years later that most companies seem to have.



Note for my client:  Don't worry.... wink wink...  we will tell you immediately if it seems grave.  But like all emergencies, we will gather a reasonable amount of information to better communicate the actual situation to you before plugging you into a cerebellum.  





So in this holiday season, I count my blessings to have had the chance to cross an enterprise with good family values across all layers.

Are there things that can be improved?  Of course.  From a security point of view, this is the healthiest attitude I have seen in any enterprise.

Perhaps as far as attitude is concerned, this company should write a book.

This by far is the most positive experience I have had as acting CSO in any enterprise.

So there you have it, Robert: one positive post, with a dab of sarcasm, a little bit of realism and a lot of hope for other enterprises.


_______________________________________________


'Tis the season... to fall victim to scams

Friendly reminder that during the holiday period, an increase in scams of all kinds takes place.


I just received this very legitimate looking email from the Canada Revenue Agency.

Everything looks good except the fact that they do not love me (or any of you) enough to send you a document.

Testing out the document, only 5 of 59 antivirus engines actually detect this document as malicious (based on file signatures).

So over the holiday season, please do not believe emails asking you to do anything, or SMS messages asking you to visit a site, or a phone call, or even traditional mail (yes... I got a real envelope with a real stamp that was a full blown scam).

Essentially, anyone who loves you shouldn't be sending you anything you click on unless you talked beforehand and are expecting the link or file.

Trust no one.

When in doubt, contact the sender directly using the phone number you already know or the number from their actual website.






_______________________________________________



Wednesday, December 13, 2017

Is Tenable pulling an Equifax / Ashley Madison?


One of the founders tried to appeal to the security crowd with a posting about how these new FEATURES are better for the end user, and in my opinion it is the biggest pile of crap since the last US election (slight exaggeration for effect, but still a pile of dung).

https://www.tenable.com/blog/a-clarification-about-nessus-professional

He started by explaining how he created the product for consultants and penetration testers, etc.

Then he goes on to explain that supporting multiple users is complicated and, since the users cannot share reports, it wasn't worth the effort.

Hey genius, if we migrate our version 6 to 7, any users we have created get ported over and, according to Tenable support, they will always be there; you just can't create NEW ones, and if you install from scratch you are limited to just one.

So who is full of shit here?  If the system can continue to support multiple users, then limiting the addition of NEW users is a marketing game, not a technical one.  Aside from the fact that limiting to a single user and forcing enterprise users to share passwords is absurdly nuts.

And this is how he explains it:  "We evaluated this feature and realized it adds confusion".  Really... confusion... each human has their own user account and this is confusing.

Second issue, the API.

It's complicated to have a secure API, and maintaining it is also complicated.
And people used it too aggressively and it could impact the performance of the product.

So we left it there but killed the features that allow you to launch a scan.

WHAT!!

So if I use my MacBook too aggressively (like a baseball bat) Apple will start making laptops with no mouse pad.

And all the features still work if you buy the bigger solution and it talks to the scan engines just fine.


  • The reason you removed multi users is marketing.
  • The reason you are crippling the API is marketing.
  • You want people to buy your TENABLE.IO solution and your Cloud based solution.


For the love of all gods please do not try to shovel shit down the throats of the hardcore technical folks who have supported you from the start and made you what you are today.

It's disgusting, insulting and revolting.

Actually, it's disrespectful, but it sure as hell is "Doing Business the American way".

And while we are on that note, please remove from the NEW FEATURES & IMPROVEMENTS section both items which for everyone who reads English, are NOT IMPROVEMENTS OR FEATURES.

I prefer being told the truth and not being filled with bull and then having someone add to it trying to tell us it is for our own good.   If I overload my Nessus scanner through the API, that's my problem, not yours.

And Renaud, as a founder, you have failed.  You've made a lot of money, and built an empire, but you have failed the "community" who supported you for the last 13 years since the fork of 2005.

So why the clickbait title mentioning Equifax and Ashley Madison?  Simple: to some extent, they all treat their customers below what I deem acceptable, and the truth is we are not their customer, we become their product (think about that), and one thing is for sure, they all lie about their true motives.

Shareholders care about increasing recurring revenue and growing a large enterprise user base.  That's how you make your Wall Street value go up.

In this case we have not only a shareholder, but a founder making up numbers.

He states, and I quote: "Less than 2% of users use the remote scan API, and there are only a handful of scanners out there with multiple users."  These are numbers he has no way of knowing.  A "handful"... every scanner I have ever worked with had multiple users.  Must be a Canadian thing.  So the bull sounds just like Equifax and Ashley Madison to me: just write up a press release and make stuff up.

Speaking of Canadians, and almost every other country: we have data residency laws and the US has brilliant laws like the US Patriot Act.  What this means is that you can't push us to use a cloud based solution unless it is hosted in our own country.  And Tenable doesn't offer cloud services in every country.  So we simply can't use your cloud products.  Not that I would want to.

Sad day in my mind.  And I'm an optimist!


_______________________________________________
