Earlier this week SC Magazine published my comments on mobile malware: why I believe there will not be mobile malware pandemic any time soon, and probably not ever. My reply exceeded their length limit, so some of the context was lost. Here are my comments in their entirety.

Security software vendors like to bleat about how mobile phones will be the next big target for malware writers. There’s a sense of inevitability about this, and the story goes like this: Mobile operating systems are becoming a lot like PCs. PCs have lots of malware. Therefore smartphones will have lots of malware — any day now. Security vendors are hoping this will become true so they can sell mobile security software. This idea has at least three problems:

Ambrose Bierce’s The Devil’s Dictionary is a wickedly witty piece of work (and website). It slyly redefines common words and phrases, usually with a bitter, contrarian, or comic touch. But why should Mr. Bierce (or more correctly, his estate) have all the fun? It is time for one in the information security field. Here are a few nominations. Most of these are original, but a few were gleefully filched from others:

ALE: an intoxicating liquor that gives imbibers perceived omniscience and discernment, but with one unfortunate side effect: it causes their pants to spontaneously fall down

Advanced persistent threat: a security product manager hyping new categories

Blended threat: a hemlock smoothie

Claims: a more expensive form of assertions, officially sanctioned with George Orwell’s posthumous blessing. cf “flatbread” v. “pizza”

Collective intelligence: the dawning epiphany that the cyber-villains have already won

Data leak prevention: adult undergarments for stopping electronic incontinence

Device control: using Super Glue to plug holes in the sides of laptops

Full disclosure debate: a ritualistic Kabuki performance that ends with a fist-fight amongst members of the audience

Actionable: providing information of sufficient detail and clarity to enable one party to sue another* 

Full disk encryption: spray-on auditor repellent

According to my friend Pete Lindstrom, the Information Systems Security Association (ISSA) is surveying its members for suggestions on three 2009 stories that, in retrospect, were the "most" of something. I'm not a member of the ISSA, but awards are fun, right? Here are my nominations:

Most significant breach of 2009: Heartland Payment Systems

Yes, this breach happened in 2008. But the story broke in 2009, so I'm counting it.The significance of the breach wasn't just the size (130 million credit card numbers). The story that surrounded the breach provoked some interesting debates about the role of PCI, the effectiveness of auditors, and the willingness of clients to QSA-shop, ignore advice, and blame third parties for their own failures.

Most overhyped story: "The cloud is insecure, m'kay?"

It is easy and appropriate -- today -- to discuss the risks assoociated with putting applications and data on semi-public devices you don't own. Criticizing is easy, but the fixing is more interesting. I predict that in time "the cloud" will be the best thing that has ever happened to information security, because it focuses attention on the data, not the infrastructure. Or to put it differently, it puts the "information" back into Information Security. This is exactly the discussion we need to have.

Much breathless prose has been written about the Ikee malware circulating amongst iPhone owners. Described as the first iPhone worm, Ikee does something fairly funny: it replaces the user’s lock screen with a picture of Rick Astley, of 1980s “Never Gonna Give You Up” fame. In other words, it RickRolls your phone. According to the author, the worm circulates by scanning the phone’s local IP address range for other iPhones running the SSH daemon, and if it finds any, attempts to log in using the default root password. It then copies a JPEG file of the sainted Mssr Astley to the location where the picture is stored.

After seven years, my colleague Natalie Lambert is leaving Forrester. In the year that I have been at Forrester, she has been a good team-mate, sounding board for ideas, gleeful mischief-maker, and collaborator on shared research topics. I will miss her insights and energy, and I wish her the best as she begins her next adventure.