Andre Yee
Andre Yee's Security Insider
An open dialogue about security and compliance for the enterprise.


April 30, 2007
Another Privacy Exposure on the Web

This is becoming old hat, but another huge privacy exposure was revealed over a week ago. Apparently, the SSNs of 63,000 individuals who received Department of Agriculture grants have been in public view since 1996. The offending website was FedSpending.org, and the problem has since been corrected. It's hard to blame FedSpending, a group created by OMB Watch to keep an eye on government spending, since it essentially publishes government contracts and legal documents in a free, searchable database.
The real problem is that private information in government-related documents like loans and grants is passed around indiscriminately. It makes one wonder whether more blatant privacy breaches are out there.

Here's how it was discovered. Marsha Bergmeier, president of Mohr Family Farms, found the breach when she googled her farm name. To her surprise, the details of her land loan, including her SSN, came up. She immediately notified the Department of Agriculture, her congressman and the website concerned, and the problem was quickly corrected. Of course, Ms. Bergmeier understands that her private information may never be private again.

"If somebody downloaded it, it's still out there in the world," she said. "That will never be a private number again."

The Agriculture Department's response?

"There is no evidence that this information has been misused...However, due to the potential that this information was downloaded prior to being removed, USDA will provide the additional monitoring service."

That's comforting, I guess.

Posted by andreyee in Privacy/Information Theft

April 27, 2007
Should the Security Industry Exist?

Security expert Bruce Schneier says no! Schneier was speaking at InfoSec Europe this week when he voiced his opinion that the very existence of the security industry is not a good thing. Here's what he said in his keynote:

"The fact this show even exists is a problem. You should not have to come to this show ever. We shouldn't have to come and find a company to secure our email. Email should already be secure. We shouldn't have to buy from somebody to secure our network or servers. Our networks and servers should already be secure."

You can read a report on what he said here.

His point actually makes sense at some level: security isn't a capability in its own right. The security industry has developed because of a really big security problem. Yet security should really be part of any operating environment or, perhaps more accurately stated, every operating environment should be inherently secure.

Of course, some may view that as a utopian viewpoint, but in fact we are moving toward that point. I'm not suggesting that security products will go away anytime soon, but the fact that security is now mainstream means that it will eventually be embedded into the fabric of the network and operating system.

Posted by andreyee in Odds and Ends

April 18, 2007
Homeland Security Improves Cyber-Security Grade

Feel any safer, at least on the cyber-security front? Well, the Department of Homeland Security scored its first-ever non-failing grade on cyber-security. Not that it's anything to write home about. The DHS, which had received an F for cyber-security, improved to a staggering D in this year's report from the U.S. House of Representatives Committee on Government Oversight.

There were overall signs of optimism, as a number of departments improved. At the head of the class were the DOJ, improving from D to A, and HUD, going from D+ the prior year to A+. Unfortunately, NASA's score went down (B- to D-), while the Department of Education received an F.

These scores are predicated on agency compliance with the federal law known as the Federal Information Security Management Act of 2002 (FISMA). FISMA established a broad framework of requirements related to establishing information security programs, security product certification and training.

In my opinion, FISMA isn't necessarily the best indicator of security compliance. I think it has become a little unwieldy and ill-defined when applied to security product certification. But it's certainly one indicator, and the fact that some agencies have declined in their security score makes you wonder if they are taking it seriously enough.

Unfortunately, there is little consequence except the public embarrassment that accompanies a low score.

Posted by andreyee in Odds and Ends

April 09, 2007
Software AG Announces Webmethods Acquisition

This has nothing to do with security, and it's hardly breaking news at this point since it happened at the end of last week, but since I have some familiarity with Software AG, I thought I'd take a couple of minutes to comment on it.

I think it's a bold move by Software AG, and it's the kind of move they need to make if they want to be a player in the SOA/BPM market. Notwithstanding Beth Gold-Bernstein's comments about SAGA (late 90s to 2001) as a prior Software AG foray into the US market, it actually was not. SAGA was a wholly independent, public company traded on the NYSE. Software AG had no notable operating interest in the company.

This is a completely different play: Webmethods is a leading player in SOA/BPM. This is Software AG staking a claim on the US SOA/BPM market by buying up one of the leaders in the space. It provides a base platform upon which they can add other complementary acquisitions. Webmethods brings some customer mass, brand recognition and a footprint in North America from which they can continue building a sizeable business. On all her other points, Beth is absolutely right: this is exciting movement in the BPM/SOA market.

Posted by andreyee in M&A

April 03, 2007
The OLPC Security Model - Why We Should Care.

The One Laptop Per Child (OLPC) project is one of the more socially redeeming initiatives from the high-tech industry. If you're not familiar with it, OLPC is a non-profit initiative to provide laptops to children in the developing world. It's not a new initiative by any means, but since 2005 it has gained significant momentum around its immediate goal of creating and delivering a $100 laptop to the children of developing nations. It has gained support from industry luminaries like AMD's CEO Hector Ruiz.

Now what does this have to do with security? As you might imagine, placing inexpensive laptops in the hands of potentially hundreds of millions of children and then protecting them from all kinds of malware poses a significant challenge. Students need to be able to download and use software as needed, but be free from the threat of viruses, worms and Trojans.

Ivan Krstić, Director of Security for OLPC, has developed a security model called Bitfrost that is very interesting and highly workable. He released the security model at the RSA Data Security Conference earlier this year. The premise of the model is that programs should execute with the minimal set of privileges they actually need rather than the default privileges of the user who runs them. As an example, this means that the built-in calculator program in Windows should not be able to access the Internet or delete files. Instead of taking the traditional security approach of "looking for the bad stuff and eliminating it", Bitfrost constrains the privileges of any application to the minimal set necessary for its basic operation, essentially creating a safe sandbox in which it operates.

This approach is by no means unique to Bitfrost, but I believe it's a key step toward safer operating environments. Let's hope this innovative approach isn't limited to students in developing countries but finds its way to laptops running Windows in corporate America as well.
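To make the calculator example concrete, here is an added illustration (example code written for this page, not Bitfrost's or OLPC's own) of a toy reference monitor: each program runs with only the privileges it declares, so the same calculator can compute but is refused when it tries to delete a file or open a network socket without having declared those privileges. The privilege names and the in-process patching of library entry points are assumptions for illustration; a real system enforces the policy in the OS kernel, outside the program.

```python
import os
import socket
import tempfile
from contextlib import contextmanager

NET, DELETE = "net", "delete"  # assumed privilege names for this example

@contextmanager
def run_with_privileges(app_name, granted):
    """Toy in-process monitor: operations not covered by `granted` are refused."""
    real_socket, real_remove = socket.socket, os.remove

    def guarded_socket(*args, **kwargs):
        if NET not in granted:
            raise PermissionError(f"{app_name}: network access not declared")
        return real_socket(*args, **kwargs)

    def guarded_remove(path, *args, **kwargs):
        if DELETE not in granted:
            raise PermissionError(f"{app_name}: file deletion not declared")
        return real_remove(path, *args, **kwargs)

    socket.socket, os.remove = guarded_socket, guarded_remove
    try:
        yield
    finally:
        socket.socket, os.remove = real_socket, real_remove  # restore the real calls

def calculator(path):
    """A 'calculator' that also tries to delete a file and reach the network."""
    result = 6 * 7
    os.remove(path)          # needs DELETE
    socket.socket().close()  # needs NET
    return result

def run_calculator(granted):
    """Run the calculator once under `granted`; return (outcome, file_kept)."""
    fd, path = tempfile.mkstemp()  # constructed scratch file for the demo
    os.close(fd)
    try:
        with run_with_privileges("calculator", granted):
            calculator(path)
        outcome = "allowed"
    except PermissionError as err:
        outcome = f"denied: {err}"
    file_kept = os.path.exists(path)
    if file_kept:
        os.remove(path)  # monitor is off here; clean up our own file
    return outcome, file_kept
```

With an empty privilege set the deletion is refused and the file survives; with only DELETE declared the file goes but the socket is refused; with both declared the program runs to completion.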

Posted by andreyee in Odds and Ends
