Monthly Archives: August 2008

Virginia Goose Sauce

This story is quite interesting:

A federal judge has ruled that the First Amendment protects the right of Virginia privacy activist Betty Ostergren to publish the Social Security numbers of public officials on her website. She posted the numbers to protest the Virginia government’s policy of posting public real estate records online that included people’s Social Security numbers. The decision, and the associated publicity for Ostergren’s website, may prompt Virginia politicians to hurry up and fix their own website.

For several years, Virginia has been making the real estate records available for a nominal fee from a commonwealth website. Ostergren, wanting to give public officials a taste of their own medicine, began reproducing the records of legislators and court clerks, Social Security numbers and all, on her website.

I have my own solution for the SSN mess that we have found ourselves in. Make ALL SSNs public.

Crazy? Why? Stop and think outside the box for a moment. The SSN is, at its fundamental roots, nothing more than a primary key. Your SSN is really nothing more than your position in a giant spreadsheet. It identifies you; it was never designed to prove that the person presenting it is you.

It’s the semi-private nature of SSNs themselves that has caused this problem. If they had been published openly from day one they would never have evolved into a shared-secret means of authentication.

This madness could end. All that needs to happen is for the federal government to pass a law that, starting two years from now, all SSNs will be published on a government web site. That would give businesses two years to stop using SSNs as a shared secret, which is something they should already be doing.
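To make the identifier-versus-authenticator distinction concrete, here is an added example (mine, not from the original post or any real system) in Python. The records, names and balances are constructed sample data; the SSNs use the 900 series, which is never issued. The weak check passes anyone who knows a number taken from a public list, while a separately provisioned secret, stored only as a salted PBKDF2 hash and compared in constant time, does not care whether the SSN is public:

```python
"""Identifier vs. authenticator: why a public SSN cannot also be a secret."""
import hashlib
import hmac
import os

# Constructed sample table keyed by SSN, exactly the "giant spreadsheet"
# the post describes. The 900-series SSNs below are never issued.
RECORDS = {
    "900-12-3456": {"name": "A. Example", "balance": 1200},
    "900-98-7654": {"name": "B. Example", "balance": 50},
}

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def lookup(ssn):
    """The legitimate use of an SSN: find the row. Anyone may know the key."""
    return RECORDS.get(ssn)


def authenticate_by_ssn(claimed_ssn, ssn_presented):
    """The broken 'knowledge of the SSN' check many businesses rely on.

    Once SSNs are public (or merely leaked), anyone holding the number passes.
    """
    return claimed_ssn in RECORDS and hmac.compare_digest(claimed_ssn, ssn_presented)


# A real authenticator is a secret provisioned separately from the identifier.
# It is stored only as a salted hash, keyed by the (public) SSN.
CREDENTIALS = {}  # ssn -> (salt, pbkdf2 digest)


def enroll(ssn, password):
    """Provision a secret for an existing record. The SSN stays a mere key."""
    if ssn not in RECORDS:
        raise KeyError("unknown identifier")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    CREDENTIALS[ssn] = (salt, digest)


def authenticate(ssn, password):
    """Verify the separately provisioned secret in constant time."""
    entry = CREDENTIALS.get(ssn)
    if entry is None:
        return False
    salt, expected = entry
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, expected)


def demo():
    """Simulate the post's proposal: every SSN is on a public list.

    Returns (lookup_works, weak_check_defeated, strong_check_resists).
    """
    public_ssn_list = list(RECORDS)          # the hypothetical government site
    target = public_ssn_list[0]              # attacker picks any entry
    lookup_works = lookup(target) is not None            # identifiers still work
    weak_check_defeated = authenticate_by_ssn(target, target)  # attacker passes
    enroll(target, "correct horse battery staple")       # owner's real secret
    strong_check_resists = not authenticate(target, "900-12-3456")  # SSN as guess
    return lookup_works, weak_check_defeated, strong_check_resists


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The point of the example is that publishing the key column changes nothing for the lookup and nothing for a properly designed login; it only breaks the systems that were already using the key as a password.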

Pamela’s Laws

Pamela Dingle has created her own simplification of Kim Cameron’s Laws of Identity. Both of these efforts are good sources to use if you need to educate someone outside the identity field (and some inside it).

IE 8 Porn Mode

IE 8 has an interesting new privacy option called InPrivate, which pundits have labeled ‘Porn Mode’, where the browser erases all traces of what you browsed once your session is over. This article suggests that most enterprises will disallow this option, which I think is a mistake.

First, it’s really telling that so many people believe there are no legitimate reasons to use this feature. Even the person quoted as defending it seems half-hearted in his defense:

Ziegler suggested the need for such privacy is completely on the up-and-up. “Maybe you need to buy a gift for a loved one without ruining the surprise,” he wrote. “Maybe you’re at an Internet kiosk and don’t want the next person using it to know at which Web site you bank.”

Lame. How about this: maybe you think what you are browsing, no matter how innocuous, is your business and no one else’s. Having to invent legitimate (i.e. non-pornographic) uses is equivalent to saying “If you don’t have anything to hide, why do you object to us searching your house?”

Which brings us back to the enterprise. Should enterprises disallow this feature when they deploy IE 8? I believe the answer is no, for a host of very practical reasons. First, this is nothing a knowledgeable user couldn’t do already, either manually or with the aid of third-party software. The bad guys already know how to do this.

Second, there is the matter of trust. By disallowing this feature you are basically saying you don’t trust your employees. Is that really the message you want to send to your employees? Disallowing this option is a very in-your-face action to take, for very little real benefit.

This WILL go into your permanent record

The “permanent record” bit is a long-running joke in the US. Every kid at some point figures out that there really isn’t a permanent record of childhood transgressions that will haunt them for the rest of their lives.

It turns out, according to this, that children in the UK may not be so fortunate (hat tip to

ContactPoint will include the names, ages and addresses of all 11 million under-18s in England as well as information on their parents, GPs, schools and support services such as social workers.

The £224 million computer system was announced in the wake of the death of Victoria Climbié, who was abused and then murdered after a string of missed opportunities to intervene by the authorities, as a way to connect the different services dealing with children.

It has always been portrayed as a way for professionals to find out which other agencies are working with a particular child, to make their work easier and provide a better service for young people.

However, it has now emerged that police officers, council staff, head teachers, doctors and care workers will use the records to search for evidence of criminality and wrongdoing to help them launch prosecutions against those on the database – even long after they have reached adulthood.

It is ironic that in the country that gave us George Orwell this would be tolerated. The words “search for criminality and wrongdoing” should send shudders down the spine of anyone who would think these things through. But it will probably be met with a collective shrug of indifference. After all, once you have meekly accepted so many intrusions, what’s one more?

Britain has more CCTV cameras than any other country, and its local authorities are increasingly using powers designed to prevent terrorism to spy on people suspected of petty crimes such as littering and failing to pick up dog mess. Ministers are also pressing ahead with a £20 billion scheme to issue all UK residents over the age of 16 with ID cards.

Those concerned about access control for such sensitive information will be relieved to know that a mere 330,000 people will have access to the database:

An estimated 330,000 people will have access to the data stored on ContactPoint, which is due to launch this autumn despite fears the Government’s poor record on data security will mean it puts children at risk from paedophiles.

The records will be updated until children turn 18 then kept in an archive for six years before being destroyed, meaning they can be accessed until a young person reaches 24. Those who have learning difficulties or who are in care will remain on the live system until they turn 25, so their archived records will be available into their 30s.

Another week, another high profile data loss in the UK

The bad news just keeps on coming in the UK, where there was another big data loss, this time a lost thumb drive:

The British government is to data protection as Hurricane Katrina was to New Orleans property values. In the past we have covered the loss of data, including bank details, for 25 million people, and government intelligence documents seem to repeatedly get left on trains or in bars. Now, Home Secretary Jacqui Smith has announced that a memory stick containing information on thousands of individuals in the criminal justice system has also gone walkabout.

I’d be lying if I said the UK has a good record when it comes to government IT projects. Each time a minister gets a bright idea about using technology to help streamline bureaucracy, the end result is a multibillion-pound transfer of wealth from taxpayers to management consultants, who then spend years overspending, overpromising, and under-delivering.

What’s interesting about this is that the action that preceded the loss, copying the information to the thumb drive, was not allowed under the policies governing the data’s use. But, as one would expect, policies are often ignored for expediency.

Policies without access control to enforce them are useless for preventing data loss.

Is Plaxo Malware?

The IT Skeptic thinks so:

Who else thinks Plaxo is an unethically intrusive piece of malware?

Recently I started using this thing again after ripping it out years ago as a dangerously intrusive invasion of my privacy. Plaxo apologised back then for being worms.

It is no better now. As far as I am aware I gave no permission to Plaxo to upload my email contacts, nor to email them all inviting them to Plaxo. But it did. Including my dead father.

I don’t doubt that Plaxo has successfully socially engineered me into doing this and that they would be able to point to something I clicked to make it happen.

But guess how easy it is to unravel this stuff. not. Every single one of my Outlook contacts needs to be manually deleted, one by one.

I haven’t ever used Plaxo, so it could be that these complaints are unjustified. I did find it interesting that the one time I tried to look at the service it was forbidden by the BMC firewall.

I would be curious to hear from people that have had a positive experience using this service.

That has got to hurt

Identity Theft strikes the head of HBOS (from the Register):

Identity fraudsters have claimed the prize scalp of the chief exec of HBOS bank.

Accounts belonging to Andy Hornby, 41, who earns an estimated £1m a year, were frozen after unauthorised withdrawals of at least £7,000 from his accounts. UK tabloid The Sun reports that crooks used an old bank statement from Hornby to pose as the bank chief.

So what makes this identity theft interesting? Perhaps this:

Last year HBOS and Barclays were among 11 UK banks warned by the Information Commissioners Office to stop the then widespread practice of dumping documents related to customer accounts in bins outside their stores. Each of the banks signed undertakings to discontinue the behaviour.

The ICO later audited HBOS after it emerged it may have been in breach of its promise to clean up its act. The follow-up action was triggered after BBC Watchdog discovered torn up bank statements that revealed customer names and account numbers and an untorn cheque for nearly £1,700 in a bin outside a HBOS branch weeks after the ICO’s initial warning.


How to lose 25,000 customers

There is an old joke in software:

If it wasn’t for those pesky customers, this job would be easy!

Now the UK entertainment industry plans to make that joke a reality by suing 25,000 alleged file sharers:

A government-backed deal was struck last month between Britain’s six biggest Internet service providers and the entertainment industry under which file-sharers would be sent warning letters.

Taking direct action against file-sharers will become an “important and effective” weapon to tackle online piracy, Gore added.

The number of people prosecuted by Davenport Lyons for sharing games could reach 25,000, according to a report in the Times on Wednesday. They would be offered the chance to pay 300 pounds each to settle out of court, the report added.

The first 500 who ignored the letters would face immediate legal action brought on behalf of five games developers, including Atari, Techland and Codemasters, it said.

They must be inspired by how well this strategy is working in the US. Which is to say, not very well at all.

Anytime your business strategy depends on suing your customers en masse, your business is not long for this world. I would suggest they invest that 300 pounds per customer wisely. It may have to last for a while.

When obscurity fails

Frank Pasquale has this interesting take on what happens when security through obscurity fails (hat tip to Instapundit) :

Two recent stories illustrate the web’s disruptive potential. Farhad Manjoo of Slate covers the recent uptick in lockpicking fan sites, and Jeffrey R. Young of the Chron describes a new test clearinghouse. Both raise tough questions about what happens when “security via obscurity” starts breaking down.

With the internet, when security through obscurity fails, it fails in a big, noisy way. In a way these two examples (locks and tests) are areas where obscurity failed in small ways many years ago, but is now failing in a much larger fashion because of the information amplification of the internet.

Thinking the unthinkable

I thought my latest unthinkable thought recently when reading this in an article about what the law demands on IT security:

For most IT organizations, securing corporate data against compromise is priority No. 1. Girding the enterprise against breaches is a constant, thankless task requiring foresight, vigilance, and much in the way of IT expenditures. Keep up with the latest threats, or find your company in the headlines — and your job on the line.

Such is the shift in attitude toward security in IT. In the Wild West, when Jesse James and Butch Cassidy robbed banks, we felt sorry for the banks and hunted down the outlaws. Today, when someone breaks into a company’s computer system, our response is totally different: We blame the company for failing to provide adequate security.

It does seem strange. While it’s reasonable to hold companies responsible for failing to provide adequate security, there seems to be an attitude that nothing can be done about the criminals themselves. If the attacks originate (as most seem to) from a handful of countries run by kleptocratic governments, the criminals are viewed as untouchable. It’s as if the money had been stolen by martians.

But this is nothing but a failure of will on the part of the civilized world.

So here is my unthinkable thought for the day: how much less security risk would there be worldwide if Russia were given a year to crack down on the cyber criminals there or be disconnected from the internet at large?

Kind of like a reverse firewall. The point is not to prevent the crimes themselves but to establish a penalty against the countries that provide safe harbor to the criminals.

I only point out Russia because they are one of the worst offenders and their recent behavior in Georgia calls into question their willingness to be a civil part of the global community. But there are other countries that could likewise be sanctioned with the Internet Death Penalty.

Unthinkable? Perhaps. Impossible? No. All it takes is the will to do something about it.