Shostack + Friends Blog Archive


Interesting Posts on HP, Sept 10

HP-board.jpgEric Rescorla ties HP’s use of traffic analysis to that of the NSA in “I told you traffic analysis was useful.” Apparently, HP didn’t just chase down directors and reporters, but also the father of at least one journalist. See “HP Leak Investigation Extended Beyond Reporters, Directors.” (I say HP rather than HP’s investigators because I believe the ultimate responsibility lies with she who gave the orders: Ms. Dunn.)

The update to the Newsweek cover story, “Scandal At HP: The Boss Who Spied on Her Board” is perhaps the most beautifully ironic thing I’ve seen:

Update: A source close to Hewlett-Packard tells Newsweek that HP’s emergency board meeting was adjourned late in the afternoon on Sunday (ET) without any decision being reached on the possible resignation of Patricia Dunn as chairman. The source, who requested anonymity because of the confidentiality of internal board proceedings, said the HP board would reconvene late Monday afternoon.

Which is to say, after all this, the board is confident it can leak with impunity.

Dan Kaminsky has an interesting analysis in “McNealy’s Law,” in which he says it’s as if all of the sudden America’s rich and powerful realize McNealy’s Law applies to them, too.

Finally, I’ll mention that I don’t think I coined the term privacy Chernobyl, but Dan may have first heard it from me. I’ve been down on the term, but think this may actually qualify. Like Chernobyl, many privacy flaws are the result of government policies and actions gone horribly wrong. (Like the creation of the SSN, or the libel exceptions for the credit agencies.) Like moving away from nuclear power, changing systems that depend on private information will be horribly expensive. Some of the benefits will be hard to get from other systems. Nevertheless, if I may overextend a metaphor, as people discover how fragile the nuclear power stations of the personal information world are, they’re gonna want to go green in a serious way.

Someone with more time than me needs to start Patricia Dunn’s Livejournal.

Photo: “Clowns&Elephants” from revraikes.

4 comments on "Interesting Posts on HP, Sept 10"

  • Dan Kaminsky says:

    McNealy’s Law, of course, being “You have no privacy. Get over it.”

  • wpn says:

    Of course, McNealy did backpedal somewhat when it came time for his OWN personal data to get lost:
    Which is to say, after all this, the board is confident it can leak with impunity.
    Oooo, that hit the nail right on the thumb. Great point.

  • David Brodbeck says:

    One thing that’s been sort of nagging at me: Isn’t “pretexting” just another word for what hackers used to call “social engineering?”

  • The term I remember hearing is a “privacy valdez” of some sort. I came across this headline from 2003: “EXXON VALDEZ OF DATA LEAKS MAY HAVE HAPPENED” (Toronto Star D1, 2/17/2003
    Valdez hasn’t had much effect on data protection, so maybe it will take the equivalent of a chernobyl. I think that would involve the widespread *abuse* of a large and sympathetic group. This would not be basic identifier fraud on a small scale, but a set of personal data that is so widely abused that the data subjects essentially lose the ability to generate new breeder documents. It would have to be a concentrated group, tracable to a specific breach.

Comments are closed.