Shostack + Friends Blog Archive

It’s not all about "identity theft"

There’s a fascinating conversation going on between Chris and Andy Steingruebl in the comments to Data on Data Breaches. In it, Chris writes: If what we care about is reducing ID theft, then maybe all this effort about analyzing breach reports is a sideshow, since for all we know 80% of the revealed PII never […]

Data on Data Breaches

At the FIRST conference in Seville, Spain, I delivered a presentation about “Data on Data Breaches” that Adam and I put together. The slides, with the notes I made to act as “cue cards” for me, are available as a large PDF file on a slow web server. The main points I tried to make […]

Doctors want more study on overuse of books

(Adds psychiatrist interview, industry comment, paragraphs 4, 7-17) CHICAGO, June 27 (EmergentChaos)- The American Medical Association called for more research into the public health risks of books and reading on Wednesday but stopped short of declaring them addictive. The AMA, which recommended a review of the current publishing system, also said it would leave it […]

Stop Real ID, again

Apparently, the forces of evil have inserted themselves a national ID clause into the immigration bill (two bad bills, risen from the dead together?) Please go to Unreal ID’s action page to send a fax. It only takes a minute.

My Privacy Enhancing Technologies talk

At the Privacy Enhancing Technologies workshop, there is a ‘rump’ session, designed for work that’s not of sufficient quality to make it into the workshop. (And given that the workshop now has a 20% acceptance rate, there’s some pretty interesting stuff that doesn’t make it in.) I didn’t use it for that, I used it […]

Maybe things are different (maybe they're the same)

The article to which Adam linked in his post about Dark Side of the Moon mentioned derivative versions of the album as performed by other artists. That got me thinking of memorable covers, such as Senor Coconut’s classic renditions of Kraftwerk tunes (like The Robots and Autobahn). Ultimately, I just gotta throw in a quick […]

Security Tradeoffs

This is from Non Sequitur by Wiley. Since I’ve shrunk it to fit, the guard says to the other: Accept the security breach, or clean a litter box. Take your pick. Click the picture for the full-size one.

All That You Buy, Beg, Borrow or Steal

Let’s face it. There hasn’t been a better pressing of Dark Side (with the possible exception of the original vinyl, which I haven’t heard) than the Mobile Fidelity gold disk. Which doesn’t prevent EMI from releasing it over and over again. That makes perfect sense, it keeps selling like mad. As bbum points out in […]

Awareness

Last Friday, Amrit again said that no wars are won through awareness and although he repeatedly claims that he’s not against user awareness training, he doesn’t really tell us where he thinks it should fit in. Instead he shows his bias as a former product manager and Gartner analyst and focuses purely on tools by […]

Defending Metrics

Yesterday, I attacked metrics, claiming that the way they are being used today, they were useless to upper management and didn’t relate the value of the InfoSec team to the business. While I stand behind that claim, I also believe that a lot of metrics being performed today are very useful to technical management, especially those […]

Attacking Metrics

Last week I had the pleasure of having lunch with Alex Hutton from RMI, and we got to talking about metrics. Specifically, we talked about how most metrics that we security folks come up with are, well, boring and effectively useless to upper management. At best they are focused on technical management such as the […]

One Company Gets The Privacy Thing

I currently love my mortgage company. Those that know me in real life, know that I recently bought a house. Yesterday, I received a privacy notice in the mail from them. I figured it was the standard template that everyone uses saying that if I didn’t want my information shared, I should call them up/email […]

The 'Gay Marriage' of Computer Security?

Reading Dale Carpenter’s post on Volokh, “Big win for SSM in Massachusetts,” I was struck by how similar his narrative is to my thinking around breach notice. He writes (and I emphasize): What’s so striking about the vote today is how dramatically support for SSM has grown in the legislature (and in state public opinion polls) […]

On Privacy Law: HIPAA, Library

At Law.com, “Hospitals Fear Privacy Claims Over Medical Records:” The Health Insurance Portability and Accountability Act is raising new legal fears for health care providers in light of tougher government enforcement and recent court rulings that could trigger private lawsuits. Labor and employment attorneys who represent health care providers are especially concerned about the prospect […]

Flower Power Sucks

Having the unfortunate luck to be in National Public Radio’s target demographic, I occasionally wind up hearing stories that clearly are pandering to what I will with all due sarcasm refer to as “my generation”. Actually, I’m in the one after that, but I recognize the pandering. Lately, not just on NPR but on my […]

New Hampshire, North Carolina overlap

New Hampshire’s requirement to clue in the AG’s office or your primary regulator took effect 1/31/2007. I have info from NH and NC (but not NY, yet) covering the period since 1/17, so we can see how much overlap there is:

                  New Hampshire   North Carolina
  New Hampshire        40              11
  North Carolina       11              41

I am eager to […]

Disclosures where they're not required by law

It’s the new normal in the English-speaking world. See: “Hard drive stolen from Concordia” hospital in Winnipeg. The Bank of Scotland lost a DVD or CD in the mail, “Bank loses details on 62,000 customers in post.” “Personal banking info goes missing” regarding 120,000 Coastal Community Credit Union in Nanaimo, British Columbia. “Personal information […]

Emergent Downtime

We had some downtime after a failure at our hosting facility. We would like to address the power loss which occurred in our Virginia Datacenter on Wednesday, June 13th. We are still investigating the root cause, but in the interest of full disclosure, here are the facts as we know them today. A more complete […]

New Hampshire gets it

Via Lyger at Attrition.org, comes word that New Hampshire, one of a handful of U.S. states that require breaches involving personal information to be reported to the state as well as to affected individuals, has made at least some breach notices it has received available on the net. I haven’t had any time to read […]

"Whatever happened to Zero-Knowledge Systems?"

Zero-Knowledge Systems was one of the hottest startups of the internet bubble. Unlike internet companies selling pet food or delivering snacks to stoners, Zero-Knowledge was focused on bringing privacy to all internet users. We had some fantastic technology which was years ahead of its time. And people often ask me “whatever happened to them?” The […]

Global Biometrics Database, Coming Soon to You

Raiders News Network quotes an Interpol press release, “G8 Give Green Light For Global Biometric Database:” MUNICH, Germany – G8 Justice and Interior Ministers today endorsed a range of vital policing tools proposed by Interpol Secretary General Ronald K. Noble aimed at enhancing global security. Secretary General Noble exposed the global problem of prison escapes […]

Joe Strummer interview, book

There was a great interview on the local NPR station yesterday with Chris Salewicz, who has a new biography out. It’s “Redemption Song: The Ballad of Joe Strummer.” The interview was really well done; the music was well and cleverly integrated into the conversation. If you’re taking it easy, why not listen to the KUOW Weekday […]

Dear FBI: Fusion requires critical mass

The FBI runs what they call “Fusion Centers” for intelligence sharing. There’s a fascinating quote in the Washington Technology article, “Boeing to staff FBI Fusion Center:” “As a police chief of the 19th largest city in the nation, and in possession of a top secret clearance, by law I cannot set foot unescorted in the […]

Fascinating breach detail: Illinois Department of Financial and Professional Regulation

Here’s detail from an InformationWeek story, “Hackers Blamed For Data Breach That Compromised 300,000:” A hacker broke into the computer network at the Illinois Department of Financial and Professional Regulation this past January and accessed a server that held information on about 1,200,000 people who have licenses or applied for licenses with the department. Susan […]

Laurie, Cameron and Brands (Oh My!)

There’s a fascinating exchange going on between Ben Laurie, Kim Cameron, and Stefan Brands. This is utterly fascinating if you have any interest at all in online identity, but haven’t had the time to compare systems. I’d try to contribute, but I’ve been in the midst of a large project at work. Archival links: Stefan: […]

Wanted: iPod organ donor.

I’m not throwing out a whole iPod just because the headphone jack is hosed. If you have a dead mini iPod (maybe with a smashed display, say?), and you don’t want to take up precious landfill space, leave a comment or send me an email.

Federal Computer Week on SSN Purges

There’s an article in Federal Computer Week explaining that “Agencies face SSN scrubdown.” We mentioned this last week in “White House Data Breach Prevention Guidelines.” I am pleasantly surprised to learn that some data actually will be declared ‘unnecessary:’ Agencies can eliminate some SSN uses by asking employees not to write their SSNs on […]

I don't know much about art…

…but encasing a skull in millions of bucks worth of diamonds and thinking you’ve made some kind of statement strikes me as uninspired in the extreme. Of course, this matters not, because this is “the work with the highest intrinsic value in modern and contemporary art” according to a guy who works for an insurance […]

DVD Player

[Substantially more than] a week ago, I asked what DVD player I should get. I didn’t get the answer, but I did get a lot of “I’d like to know.” I wanted to share that I ended up with a Philips DVP-5140. It was cheap, there’s an easy fix for the region bug explained in […]