This is from Sourcemedia’s
Financial IT Security Intelligencer:
During a year’s worth of bank and credit union security audits, audit firm Redspin found that 30 percent of firewall configurations evaluated violated the institution’s own security policy. Not surprisingly, Redspin offers a tool that can detect and remedy these inadvertent holes. The company pins the industry-wide problem on the fact that most IT administrators have wide-ranging responsibilities rather than network engineering focus. To highlight the issue, the vendor is offering free use of an online version of its analysis tool for the next 90 days, available at www.redspin.com/tools
I don’t have any way to verify this report, but it’s also about what I would expect.
Administrators are too busy cleaning the CEO’s laptop of its latest viruses to be ensuring their firewalls work.
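As an added example (not Redspin's tool, nor anything from the report), this is the kind of check such an audit performs: a firewall ruleset is compared against the institution's written policy and every allow-rule the policy forbids is reported. The rules, the policy clauses and all addresses below are constructed.

```python
import ipaddress

# Constructed firewall ruleset: action, source CIDR, destination CIDR, dst port ("*" = any).
RULES = [
    {"id": 10, "action": "allow", "src": "10.0.0.0/8",      "dst": "10.20.0.5/32", "port": 443},
    {"id": 20, "action": "allow", "src": "0.0.0.0/0",       "dst": "10.20.0.5/32", "port": 443},
    {"id": 30, "action": "allow", "src": "0.0.0.0/0",       "dst": "10.20.0.9/32", "port": 23},
    {"id": 40, "action": "allow", "src": "203.0.113.0/24",  "dst": "10.30.0.0/16", "port": "*"},
    {"id": 50, "action": "deny",  "src": "0.0.0.0/0",       "dst": "0.0.0.0/0",    "port": "*"},
]

# Constructed written policy. Each clause says: traffic to `dst` on `ports` may be
# allowed only from `trusted_src` (None = from nowhere at all).
POLICY = [
    {"name": "no telnet from anywhere",   "trusted_src": None,         "dst": "0.0.0.0/0",   "ports": {23}},
    {"name": "core DB only from internal", "trusted_src": "10.0.0.0/8", "dst": "10.30.0.0/16", "ports": "*"},
]


def _overlaps(a, b):
    """True if the two CIDR blocks share any address."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def _port_in_scope(rule_port, clause_ports):
    """A wildcard on either side matches; otherwise the port must be listed."""
    return clause_ports == "*" or rule_port == "*" or rule_port in clause_ports


def find_violations(rules, policy):
    """Return (rule id, clause name) pairs for allow-rules the written policy forbids."""
    violations = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        for clause in policy:
            if not _overlaps(rule["dst"], clause["dst"]):
                continue
            if not _port_in_scope(rule["port"], clause["ports"]):
                continue
            trusted = clause["trusted_src"]
            src = ipaddress.ip_network(rule["src"])
            # Only a source range lying entirely inside the trusted range is acceptable.
            if trusted is not None and src.subnet_of(ipaddress.ip_network(trusted)):
                continue
            violations.append((rule["id"], clause["name"]))
    return violations


if __name__ == "__main__":
    for rule_id, clause in find_violations(RULES, POLICY):
        print(f"rule {rule_id} violates policy clause: {clause}")
```

Note that the broad "any port" rule 40 trips two clauses at once, which is exactly the kind of hole that accumulates when rules are added without re-reading the policy.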
Gunnar Peterson compiles some realizations by several people that there is no such thing
as a unique identity, and people ought to get over that idea and think in terms of attributes.
He concludes with:
Hunter S. Thompson said “buy the ticket, take the ride.” But don’t conflate yourself the ticket and the ride.
Openly IDentify your attributes with Open ID,
15 March 2007
Don’t confuse the map for the territory; there may be multiple maps, and none of them completely describe the territory.
Don’t confuse the sign with the signifier or the signified.
Information security needs to work itself forward historically from logical positivism at least to semiotics and postmodernism.
Understanding what we don’t know and stopping pretending that there is such a thing as an absolute identifier
would be good risk management.
Spire Security Viewpoint lists some salient points about social security numbers (SSNs), among them this one:
There are over 150,000 people (my estimate) with “defendable” access to your SSN right now. They aren’t secret.
8 March 2007
And you’re ten times more likely, he says, to be victimized with identity fraud by one of these authorized people
than by somebody else.
And his main point is that the problem with SSNs is not their use as identifiers, but rather their use as authenticators.
After all, if everybody knew SSNs as readily as names, credit card companies and the like would have to stop
using them as authenticators.
Then they’d have to use something better for authentication.
That would be better risk management.
Valdis Krebs celebrates twenty years of
practical social networking analysis
and says that Degrees, Closeness, and Betweenness remain the winners among metrics.
Such metrics, and Valdis’ work in general, continue to be very useful in estimating and managing risk.
Chandler Howell writes about a fiancé who wasn’t happy about his fiancée requiring him to undergo a background check before dating:
I’ll bet he wasn’t, given that in the United States, the SSN is still the golden key to access someone’s potential lines of credit. Someone has probably already figured out that they can use a demand for this information as the source of inputs to commit full-fledged identity fraud. It’s an emotionally loaded demand, so it will probably work. Then, the scammer can break off the relationship for something that was allegedly found in the check. It’s the worst security of all: Insecurity in the name of security.
Beware the Dating Security Complex,
by Chandler Howell,
Not Bad For a Cubicle,
March 9th, 2007
I bet it’s already worked.
How long before some dating service that does background checks and reveals them to members before dating gets sued bigtime?
Bruce Schneier says he’s tired of headlines like one that says
a new autopilot will prevent any more 9/11s, and says:
Why are people so narrowly focused? The goal isn’t to protect against
another 9/11. The goal is to protect against another horrific terrorist
Making Another 9/11 Impossible,
Schneier on Security,
March 15, 2007
66-74% of the U.S. population have detail-oriented personalities,
good at seeing details, not good at seeing the big picture.
Other populations probably aren’t much different.
In the previous post I mentioned reputation systems.
The flip side of that is reputation management,
so that companies can react to reputation systems
and proactively manage their own reputations.
It turns out that Harold Burson, “the century’s most influential PR figure”,
and Jon Harmon are thinking along similar lines:
The key is in reputation management. When company leaders come to
understand that reputation is the company’s most valuable asset,
they will increasingly value those who can actively and successfully
Reputational momentum defines the art of the possible of nearly
every other goal of the business or organization – sales, profits,
retention, recruitment or fund-raising. If your reputation is on the
rise, achieving your other goals is so much easier. Conversely, a poorly
managed crisis leading to a significant drop in reputation can capsize
even the company’s most valiant efforts to achieve its other goals.
An Open Letter to Harold Burson: Reputation Management Fulfills PR’s Highest Calling,
Force for Good,
15 March 2007
Harmon’s specific suggestion has to do with a chief-level PR officer,
with potential for being on CEO track.
On the one hand, every profession seems to want this.
On the other hand, after the big reputation botches at Intel,
it’s hard to argue that corporations couldn’t use reputation advice
at the highest levels,
preferably before they shoot themselves in the foot.
So a PR consigliere sounds good to me.
Brian Krebs has used Google Maps to plot the locations of victims
of identity theft:
I based the story in part on a cache of stolen data I found online
(more on how I obtained it in a bit). The data was being compiled by a
password-stealing virus that had infected many thousands of computers
worldwide; the particular text file that I found included personal
information on 3,221 victims scattered across all 50 U.S. states.
Tracking the Password Thieves,
He didn’t have to look up the locations of the victims to map them;
the virus had already done that for him, sometimes accurately, sometimes not.
The virus cared because banks flag transactions that are from unexpected
Warren Buffett notes that neither he nor anyone else knows whether the
many big hurricanes of 2004 and 2005 were an aberration or the beginning
of a trend, but super catastrophe bonds are the likely insurance response.
Don’t think, however, that we have lost our taste for risk. We remain
prepared to lose $6 billion in a single event, if we have been paid
appropriately for assuming that risk. We are not willing, though, to
take on even very small exposures at prices that don’t reflect our
evaluation of loss probabilities. Appropriate prices don’t guarantee
profits in any given year, but inappropriate prices most certainly
guarantee eventual losses. Rates have recently fallen because a flood
of capital has entered the super-cat field. We have therefore sharply
reduced our wind exposures. Our behavior here parallels that which we
employ in financial markets: Be fearful when others are greedy, and be
greedy when others are fearful.
To the Shareholders of Berkshire Hathaway Inc,
28 Feb 2007
So the current super-cat market is unsure because a lot of capital
has entered, yet not as many events happened last year as expected.
Warren Buffett on Risk Management,
2 March 2007.
Carl Malamud has not only
started archiving and indexing Congressional committee hearings;
he’s also spent two years studying the problem of using the Internet to make Congress accessible, and has concluded:
By the end of the 110th Congress, the U.S. House of Representatives could achieve the goal
of providing broadcast-quality video of all hearings and the floor for download on the Internet.
Report to Congress,
Carl Malamud to Nancy Pelosi, Speaker of the House,
13 March 2007
Sounds doable to me.
See his report for copious details.