Kim Cameron has posted seven very sensible Laws of Identity.
Numbers 2 and 3 add up to more or less Need to Know:
2. Limited Disclosure for Limited Use
The solution which discloses the least identifying information and best limits its use is the most stable, long-term solution.
3. The Law of Fewest Parties
Digital identity systems must limit disclosure of identifying information to parties having a necessary and justifiable place in a given identity relationship.
Kim Cameron’s Laws of Identity
But user identities have aspects that go beyond traditional spook security.
It’s IT vs. Big Pharma in the patent arena:
Canada-based KSR manufactures gas pedals for General Motors Corp. It made a pedal that can be adjusted for the height of the driver and uses electronic signals rather than a mechanical cable to accelerate when the pedal is pushed.
Both features were developed separately (the adjustable pedal over 25 years ago), but Teleflex, a manufacturer based in Limerick, Pa., sued KSR in 2002, claiming that KSR’s combination of the two features infringed on a patent it was issued in May 2001.
KSR argued that the patent should be invalidated because the combination of the two features is obvious.
Businesses Split on Patent Case,
By Christopher S. Rugaber,
The Associated Press,
Friday, November 24, 2006; 8:29 PM
In the patent reform corner: Microsoft, Cisco, Intel and others.
In the no-reform corner: Johnson & Johnson, GE, DuPont, etc.
This case is expected by many parties to produce some sort of landmark ruling,
probably with some sort of change to existing patent law.
PS: Thanks, Johnny.
After outsourcing call centers, rote financial work, and programming,
why not comment spam?
This reporter’s blog comment filter was working, yet:
…so far it’s stopped 10,000 spams while allowing 377 human comments. So why had this got through? The electronic trail explained: the “captcha” (Completely Automated Public Turing test to tell Computers and Humans Apart) had been filled in.
The captcha is the junk filter’s last resort. Because it’s easy and cheap
to program machines to post any sort of junk on blogs, a captcha (which
puts numbers or letters in an image, which a machine in theory can’t
read) shows whether you’ve got a real live person giving their thoughts,
or just a dumb machine trying to up some spammer’s search-engine ranking.
If the captcha was filled in, it must have been done by a person; if it
had been done by a machine, the spammers would have cracked the problem of
solving captchas and would be busily spamming every blog they could find.
The price of humans who’ll spam blogs is falling to zero,
Thursday November 23, 2006
Gunnar has a good post about
A small startup company has high business risk (easy to fail)
and low security risk (not much to steal),
while a big successful company has low business risk
and high security risk.
Pretending those different kinds of risk don’t change,
or that they change in the same direction, leads to problems:
When the business reality is dynamic and the security model is static, then errors creep in.
Paul Madsen on Evolving Risk,
Gunnar Peterson, 1 Raindrop, 20 Nov 2006
What do U.S. Treasury Secretary Henry Paulson and Barney Frank,
D-Mass., the incoming chair of the House Financial Services Committee
U.S. Treasury Secretary Henry Paulson said the implementation of
Sarbanes-Oxley corporate-governance regulations may pose a risk to
the U.S. economy, advocating changes that fall short of introducing
"While necessary," the Sarbanes-Oxley accounting rules "are being
implemented in a way that may be creating unnecessary costs and
introducing new risks to our economy," Paulson, former head of Goldman
Sachs Group Inc., said in a speech Monday to the Economic Club of
Share sales have declined since the introduction of the law in 2002,
and a "significant" amount of the time and cost taken complying with
Sarbanes-Oxley might better have been spent creating jobs and rewarding
shareholders, Paulson said.
Sarbanes-Oxley costs of compliance may threaten economy, official says
Paulson seems to be speaking in euphemisms.
About the new UK RFID passports:
Fatally, however, the ICAO suggested that the key needed to access
the data on the chips should be comprised of, in the following order,
the passport number, the holder’s date of birth and the passport expiry
date, all of which are contained on the printed page of the passport on a
“machine readable zone.”
Friday November 17, 2006
The UK Home Office says not to worry.
Kevin Hogan of Symantec says:
“If Windows CE is taken up in a big way in a large market we may see some increased malware activity,” he warned.
“There is not a lot of functionality built in that will stop attacks on that platform, so there could be a problem if it takes off. As for other operating systems there has been very little new activity.”
Windows use could boost mobile malware
Increasing use of Windows CE could leave mobile users vulnerable,
Iain Thomson, vnunet.com 15 Nov 2006
Thursday and Friday I spent at the
APWG 2006 eCrime Researchers Summit,
held at the National Center for Forensic Science, Orlando, Florida.
It was a fascinating mix of law enforcement from a local sheriff
to the National Institute of Justice,
of researchers from academic grant-funded to big-company in-house,
and of commercial from tiny startups to the biggest banks.
Phishers aren’t netting as many phish, but they’re getting five times as much from those they do,
says a Gartner report, described by Brian Krebs
And it’s become harder for victims to get their money back.
Bruce Schneier reports on a report:
Most C-level executives view security as an operational issue — kind of like facilities management — and not as a strategic review. As such, they don’t have direct responsibility for security
Why Management Doesn’t Get IT Security,
Bruce Schneier, 8 Nov 2006
Such attitudes about security have caused many organizations to distance their security teams from other parts of the business as well. “Security directors appear to be politically isolated within their companies,” Cavanagh says. Security pros often do not talk to business managers or other departments, he notes, so they don’t have many allies in getting their message across to upper management.
Kicking Some Brass,
NOVEMBER 2, 2006
Why should executives get involved with directly managing a bunch of clerks over a bunch of stuff?