Bruce Schneier hits the nail on the head:
If privacy and security really were a zero-sum game, we would have seen mass immigration into the former East Germany and modern-day China. While it’s true that police states like those have less street crime, no one argues that their citizens are fundamentally more secure.
We’ve been told we have to trade off security and privacy so often — in debates on security versus privacy, writing contests, polls, reasoned essays and political rhetoric — that most of us don’t even question the fundamental dichotomy. But it’s a false one.
Security and privacy are not opposite ends of a seesaw; you don’t have to accept less of one to get more of the other. Think of a door lock, a burglar alarm and a tall fence.
What Our Top Spy Doesn’t Get: Security and Privacy Aren’t Opposites,
Bruce Schneier, Wired, 01.24.08 | 12:00 PM
There’s more, all well worth reading.
Here’s the gist:
The debate isn’t security versus privacy. It’s liberty versus control.
You can see it in comments by government officials: “Privacy no longer can mean anonymity,” says Donald Kerr, principal deputy director of national intelligence. “Instead, it should mean that government and businesses properly safeguard people’s private communications and financial information.” Did you catch that?
You’re expected to give up control of your privacy to others, who — presumably — get to decide how much of it you deserve. That’s what loss of liberty look
Haven’t we lost enough already?
HMRC lost data on 25 million taxpayers last year, and now:
HM Revenue and Customs (HMRC) admitted “high profile” individuals must submit forms by post because they are judged to require extra protection.
But critics said equal treatment should apply to all 3m self-assessment users.
‘Double standard’ on data safety,
Saturday, 26 January 2008, 17:35 GMT
I wonder if what the high profile individuals get actually is any more secure?
For some time I’ve been noting Dan Geer’s point that Microsoft
faces a dilemma: stick to backward compatibility including
many security vulnerabilities, or fix the holes and lose
Looks like they’ve done the latter with Office:
Most of the whining comes because Office 2008 does not include Visual
Basic. In some respects, this is welcome change because Office
never should have had Visual Basic. VBA is what enabled the Macro
Virus. Furthermore, Office 2009 (for Windows) is not going to have VBA,
However, not shipping VBA in Office 2008 means that people who want to
have cross-platform documents that are pseudo-applications have to deal
with it in 2008, not 2009. That’s worth complaining about.
Microsoft Has Trouble Programming the Intel Architecture,
16 Jan 2008
The poster immediately goes on to sneer at OpenOffice for allegedly not
being able to do things Office can do (without ever mentioning specifics)
and at Keynote because everybody uses PowerPoint (while acknowledging that
“Keynote rocks — it got Al Gore both an Oscar and the Nobel Prize”).
When Microsoft can manage to annoy even slavish users like that
by breaking backwards compatibility, MSFT has a problem.
No doubt no VBA in Office isn’t the last straw, but it isn’t the first, either.
I’d wondered when the feds would think of this:
"Google has records that could help in a cyber-investigation, he said,"
Wright adds. "Giorgio warned me, ‘We have a saying in this business:
‘Privacy and security are a zero-sum game.’"
A New Internet Wiretapping Plan?
15 January 2008
Their saying is wrong, as Bellovin points out:
The risks are quite similar to those posed by CALEA: this is an
intentional vulnerability which can be exploited by the wrong
people. (That’s what happened to the Greek cellphone network.)
But some people believe the saying anyway, and will act on it,
unless they are stopped.
Adam is rightly
pleased as punch
are trying to estimate breach trends
that’s really hard to do when you just don’t have reliable breach reports.
The bottom line is that if we want to make any sense out of data, we
need more transparency and mandatory disclosure so that we can get ALL
of the numbers on ALL of the incidents.
Congress, are you listening yet?
Second look: What kind of year was 2007 in terms of data breaches?
Chronicles of Dissent,
3 Jan 2008
EU, are you listening?
Each thing we are trying to push for in secure coding these days
requires mastery. Cardspace, static analysis, threat modeling, web
service security, and friends are very deep individual domains, and when
applied to an enterprise they get wide as well. Let me underline that –
to deploy any of the current cutting edge stuff in software security at
scale, requires technical depth and deployment width. This automatically
limits your resource pool of who can deliver this stuff.
So what I have seen work well is using a decentralized, specialist team
approach with a very specific agenda and goals. Note the team can be
very small, 2 or 3 people even if they are empowered.
Go Wide and Deep, Incrementally,
10 Jan 2008
Not only can’t you make a late project on time by throwing people at it,
you can’t really make a project secure by throwing people at it.
Michael Geist’s top tech law issue for Canada for 2008 is:
Breach Reporting Rules Are Introduced.
Scarcely a week went by last year without a report of a security
breach that placed the personal data of thousands of Canadians at risk.
Last spring, a House of Commons committee acknowledged that the country
needs mandatory security breach disclosure legislation that would require
organizations to advise Canadians when they have been victimized by
a breach. A public consultation on the issue concludes next week and
new regulations will be introduced before the summer.
Eight Tech Law Issues To Watch in 2008,
Tuesday January 08, 2008
That would be a good thing.
Or is it really phishing when the victim first broadcasts his bank
Top Gear presenter Jeremy Clarkson has admitted he was wrong to brand the
scandal of lost CDs containing the personal data of millions of Britons a
“storm in a teacup” after falling victim to an internet scam.
The outspoken star printed his bank details in a newspaper to try and
make the point that his money would be safe and that the spectre of
identity theft was a sham.
He also gave instructions on how to find his address on the electoral
roll and details about the car he drives.
However, in a rare moment of humility Clarkson has now revealed the
stunt backfired and his details were used to set up a £500 direct debit
payable from his account to the British Diabetic Association.
The charity is one of many organisations that do not need a signature to set up a direct debit.
Clarkson stung by fraud stunt,
Monday January 7 2008
He admits he was wrong, but nonetheless tries to pin the blame partly
on a privacy law:
“The bank cannot find out who did this because of the Data Protection
Act and they cannot stop it from happening again,” he said. “I was wrong
and I have been punished for my mistake.”
At least he doesn’t call for revoking that Act; he does call for
going after the perpetrators.
PS: Seen on
What can you expect when public, press, and government think “hacker”
The UK government has published guidelines for the application of a law
that makes it illegal to create or distribute so-called “hacking tools”.
A revamp of the UK’s outdated computer crime laws is long
overdue. However, provisions to ban the development, ownership and
distribution of so-called “hacker tools” draw sharp criticism from
industry. Critics point out that many of these tools are used by system
administrators and security consultants quite legitimately to probe for
vulnerabilities in corporate systems.
The distinctions between, for example, a password cracker and a password
recovery tool, or a utility designed to run denial of service attacks
and one designed to stress-test a network, are subtle. The problem is
that anything from nmap through wireshark to perl can be used for both
legitimate and illicit purposes, in much the same way that a hammer can
be used for putting up shelving or breaking into a car.
UK gov sets rules for hacker tool ban,
Consultants in frame? Definitely Maybe
By John Leyden, The Guardian,
Published Wednesday 2nd January 2008 15:54 GMT
How long will it be before a simple traceroute gets you not only
disconnected from your ISP but also clapped in jail for “hacking”?
It gets better: