Sunday, October 30, 2005

Web Threats Do Keep Users Away

According to Matt Hines, reporting a study by Consumer Reports WebWatch in eWeek on October 26, "U.S. Internet users are cutting back on the hours they spend online, shunning e-commerce and refusing to give out personal information as a result of the rising tide of Web-based crimes related to identity theft... As a result of those concerns, at least 30 percent of the 1,500 people interviewed for the survey said they have reduced the amount of time they access the Internet." See Web Threats Keep Users Away.

And we are not surprised. We have predicted this for several years, and will go on predicting it until there is a major improvement in standards of conduct on the Internet. Of course, that is unlikely to happen unless there is an improvement in standards of conduct in society in general, which is unlikely to happen while so many public figures continue to act in such a shameless way (think Martha Stewart, Richard Scrushy, Bernie Ebbers, the Rigas, Dennis Kozlowski and Mark Swartz, sixteen Enron executives and counting). It's not just the crimes these people have committed, it's the way so many of them have tried to shrug off their misdeeds, or deflect punishment by professions of faith, or cheerfully gone on with their lives, with no apology to the millions of people whose lives they damaged.

Anyone who thinks this behaviour has no effect on the moral standards of today's children, who are the Internet miscreants of tomorrow, probably hasn't tried raising kids recently.


Monday, October 24, 2005

An "Activist Judge" Gets Security Right

I don't know if U.S. District Judge Royce Lamberth fits the current definition of "activist judge" but he recently acted in what I consider to be an admirable way by pro-actively preventing computer security problems. On October 20 he ordered the U.S. Interior Department "to disconnect from the Internet all computer equipment holding data related to trust accounts it manages for American Indians, a decision that could cripple large sections of the agency's computer network."

While this is only the latest in a long saga of actions and responses between Judge Lamberth and the Interior Department, it is a timely reminder of what life would be like if networks were not allowed to be connected to the Internet unless they could prove, to the satisfaction of independent experts, that they were secure. In the latest security review, "investigators testified they would give the department's computer security an 'F' grade or 'one notch lower than an F ... a G.'"

But that is not the most alarming fact in this story. The failing grade came after the department had spent $100 million on security improvements.

And for those who think government agencies are, by their nature, wasteful and incompetent, I am willing to bet there are Fortune 500 companies out there that would fail the same test.


Friday, October 07, 2005

Dataflation Column Published

Okay, I took two months off (that's why I called it a non-blog).

Finally, Information Security Magazine published my column on dataflation (in the Perspectives column in the October 2005 issue). An expanded version is also available online here.

Hopefully it will spark some debate about how we cope with the steady unravelling of our secrets and the security they provide.


Monday, August 01, 2005

Holey Internet, Michael Lynn and Cisco

I think this story will prove significant in the long run:

LAS VEGAS -- 02:00 AM Aug. 01, 2005 PT -- Security researcher Mike Lynn roiled the Black Hat conference Wednesday when he resigned from his job at Internet Security Systems to deliver a talk about a serious vulnerability in Cisco IOS, the operating system powering its routers, defying efforts by the router manufacturer and his former employer to block the presentation. Wired

Commentary on the incident in Network World is here and includes some of my opinions. More of my comments are reported here.

I have used dire words before and I stand by them. Check out our column from January, 2003.


Sunday, July 31, 2005

U2, Amsterdam, Smart Cards, and Dataflation

I blame the long gap between posts on U2. A trip to see the band in concert, in Amsterdam, was my present to my wife on her birthday this year.

(Marital Bliss Tip #39: To experience "multiple gratitude" give your partner a trip for his or her birthday and get four stages of pleasure: one, the gift giving day; two, the days between the giving of the gift and the taking of the trip; three, the trip itself; four, the after-glow of telling other people about the trip when you get back).

We thought Amsterdam was a very cool city, even though they were experiencing something of a heat wave. Talk about a civilized, tolerant place! I'm not just talking about a sensible attitude to public transportation, herbal remedies, ethnic diversity, and sexual orientation. You can take your dog most places, smoke tobacco if you feel like it, and get a good cup of coffee on just about every street. And you can use smartcards (read this if you are not sure what they are).

When you land at Amsterdam airport you can buy a smartcard with which you can then purchase train tickets to get into the city (a very easy and inexpensive way to make the journey). Then buy soft drinks at the station store, tram tickets to travel around the city, and so on. No need for bank notes and coins. When we got to the Amsterdam Arena for the concert we found that all the vendors there took Arena smartcards. Buy one and you can get beer or ice cream or whatever else in a flash. For example, the beer vendors (who stroll through the crowd wearing a keg in a backpack) can squirt you out a glass of beer while you pay by inserting card, hitting Ja, and removing card. No hassle with change means a much more efficient liquid refreshment delivery system.

So, the coolest smartcard has to be the specially minted U2 Vertigo Tour Smartcard that we bought that evening at The Arena. It will go into the commemorative picture frame, along with the tickets and the blurry cell-phone photos of the massive stage with the tiny stick figures of Bono and Edge blown up on the giant projection screen.

But what does this have to do with dataflation? Well, the trip did not prevent me from polishing off a column on the topic that should appear in an upcoming print issue of Information Security Magazine. There may also be an expanded online version where I go further into the practical and legal implications for ID theft victims.

And the widespread use of smartcards reminded me that deploying new data infrastructures is possible. Which means that, if someone comes up with a way to rein in dataflation that requires a new data infrastructure, opponents won't be able to use that requirement as an excuse not to implement it.


Sunday, July 03, 2005

Dataflation Defined

I came up with the term dataflation to describe an emerging phenomenon, one that could have some fairly serious implications for the future of many things (e-commerce and personal security to name a few). As the inventor of this term, I reserve the right to tweak the definition at some later date, but here is my first stab at it:
  • Dataflation: the tendency of data to rapidly lose value due to factors such as large-scale unauthorized access, excessive abuse and loss of confidentiality.
I do not claim to understand all of the implications of dataflation; I don't think anyone can at this stage. But dataflation is real and it is going to cause problems. Consider the fact that, in the first six months of 2005, the media has reported the exposure of 66 million personal data records belonging to Americans. (I have listed the cases here.) According to the 2000 census there are 210 million Americans age 18 or older. Given the big security breaches that occurred in 2004, it is possible that data relating to one in three American adults is now "out there," meaning it is available to be abused.

This is personal data that cannot easily be sucked back or reflated. To paraphrase the definition of inflation, we are talking about a persistent increase in the open availability of previously confidential consumer data or a persistent decline in the value of that data, caused by an inability to adequately control unauthorized access.

You cannot change your date of birth or your mother's maiden name. Your Social Security number is hard to change. Moving to a new address is a pain. Changing banks or switching jobs is not always practical. Yet these are the pieces of information out of which an identity thief can fashion your likeness so as to incur debts and acquire goods and services in your name.

And what if that happens? The personal cost can be enormous. Even if you can avoid paying fraudulent debts, the amount of time and stress it costs you can take a heavy personal toll. So who will pay that toll? The company that exposed your data? I don't think so. For a start, how are you going to prove that an identity thief got your data from Company A versus Company B? The first company that finds itself facing negligence claims pertaining to the exposure of your data will defend itself with the very fact of dataflation, i.e. tens of millions of records were compromised by dozens of companies in the first six months of 2005 alone.

Ironically, the aggregation of industry-wide gross negligence means that for John Doe to pin the blame on the donkeys that were supposed to be protecting his data is now an all but impossible task, unless he can get a signed confession from the identity thief himself that says, "Yes, I got Mr. Doe's data from a Citigroup computer tape that I stole from a UPS truck."

Do you see what I'm saying? There is a one in three chance your data is out there already. I'd say there is a 50/50 chance that basic personal data on half of all Americans will have been exposed by the end of the year. At that rate everyone's data is going to be compromised within a frighteningly short span of time.

There are plenty of studies that show the rampant insecurity of personal data is holding back the growth of e-commerce. One indication of dataflation is that growth in electronic trust and e-commerce cannot happen without more and more personal data: more user names, more passwords, more secret questions and answers, more unique identifiers. But at the current rate of data exposure, electronic trust will continue to decline as dataflation increases. That, along with all the fraudulent charge write-offs, could hurt the economy just as much as traditional monetary inflation.


Saturday, July 02, 2005

IBM v. MSFT, Good News At Last?

We interrupt a series of postings about the abysmal state of affairs in the world of information security to bring you this heartening bulletin: Convicted monopolist Microsoft must pay IBM almost $800 million "to resolve claims it bullied the big computer maker during the 1990s."

It is good to see justice meted out in a manner that Microsoft might understand, cash leaving its bank accounts. I am particularly pleased because Microsoft has never, to my knowledge, apologized to us poor sods who lost money in the fruitless struggle to make non-Microsoft applications run on a Microsoft OS that we later learned was intentionally rigged to foil us.

But consider the words: "resolve claims it bullied the big computer maker." This is how John Boudreau of the Mercury News described the news, and he is one of the better hi-tech journalists. Yet I'm tempted to take issue with the word "claims." After all, Microsoft was found guilty. Microsoft bullied other companies. That's a fact, not a claim.

The Solid Insider Threat

I just got back from Nebraska and man are my arms tired (sorry, very old joke) but seriously, my brain did get tired. I took a very challenging creative writing course on the campus of the University of Nebraska at Lincoln. There will be more about the course, and the campus, in a later post...

Right now I'm going to have to talk about the latest round of data/ID theft/abuse. Seems like the year I decided to step back from the privacy/security/fraud beat that has been my life for the last 25 years, boom! The world has woken up to just how big a mess its data are in. Consider a couple of recent articles that awaited my return from the prairie.

First, a useful reminder from Paul Nowell of the AP that insiders at data-rich companies are a major threat to privacy. This was very timely and Paul talked to some good people, including the man who should be this nation's IT czar, Peter G. Neumann. Nowell also talked to a vice president of marketing at San Francisco-based Vontu, a firm specializing in data loss prevention. Now, I don't know Vontu or the man in question, Steve Roop, but he got it right when he said "About 70 to 80 percent of the risk is from insiders, although not all of them are malicious..."

This had been the received wisdom about risks to information security for decades until, during the last five years or so, more and more people who were surveyed ranked outsiders, notably outside attackers using the Internet, as being more serious. Big mistake! There's no way--having read and understood the history of how humans abuse trust, technology, and information--you can believe the outsider is more of a threat to the security of your information than the insider. Sure, it might seem that way when you're trying to stop a bunch of zombies from DDoS'ing your web farm into submission, or you're trying to rid your network of some particular nasty virus. But the trusted employee who turns heel and walks across the street to the competition with an SD card full of your customer data in his shoe, that's still the biggest threat, partly because it is the toughest to mitigate.

And let's not forget 'the number of people surveyed' factor. If you ask 250 people who work in computer security to name the biggest threat to that security, what you get is an opinion, not a fact. Like I say, those folks may sure as heck feel more pain from outsiders. But them thinking it is so does not make it so. Furthermore, computer security is not information security, as the award-winning Chief Security Officer of Choicepoint has hopefully learned by now. I will make that point in my next post, tackling the IRS, Choicepoint and something I call data-flation.

Thursday, June 09, 2005

Not As Reassuring As They Might Think

So now we hear CitiFinancial is dropping backup tapes after data loss. Perhaps they're thinking that this announcement, together with the repeated statement that it was UPS that lost the tapes, will somehow show they care: "CitiFinancial plans to begin encrypting data and sending it to credit bureaus electronically after data tapes containing the personal information of 3.9 million customers were lost by UPS." This report actually does three things.
  1. Confirms that the lost tapes were not encrypted.
  2. Confirms that Citi knows that the data really should have been encrypted in the first place.
  3. Suggests that sending the data electronically is somehow safer than using a courier.
Try telling #3 to U.S. spy agencies that routinely use couriers rather than networks for really sensitive data transfers. And don't forget that one of the largest holders of data about you, dear reader, has suffered several "losses" despite using electronic transfer instead of tapes:
And don't miss the really scary part of Citi's statement: "We and other lenders provide this information each month to credit bureaus...via nationally recognized couriers and require them to use enhanced security procedures to transport the tapes from our data center to the bureaus."

So, like I said in my last posting, large numbers of unencrypted tapes full of your financial details have been flying around the country for years. Untold numbers have likely gone missing; after all, if this was an isolated incident, Citi would be the first to defend their practice of using UPS by saying "This is the first time this has ever happened." It is only the new notification laws that are finally shedding light on this sad state of affairs.


Tuesday, June 07, 2005

3 Things (The Cool and The Crap)

Middle Aged White Guys have a reputation for complaining about things and I'm no exception. Ask me to name 3 things that suck and I would have no problem naming 9:
  1. Credit scores
  2. The Dish Network 921 DVR
  3. The AC system on 1996 Jeep Grand Cherokees
  4. The Windows OS
  5. Prescription drug prices
  6. Prescription drug advertisements
  7. Prescription drug profits
  8. Ratio of drug company research dollars to advertising dollars
  9. Banks
I hope to complain at length about these subjects, and more, in future posts. However, by the time one gets to Middle Age it is clear that doing nothing but complain is not healthy, so here are 3 products that I have found to be very cool, meaning, in this case, they manage to work very well while breaking new ground:
  1. Treo 600 and 650 (the photo in the upper right of this page was taken with a Treo 600)
  2. Apple iPod (the real ones--not the Shuffles--make CD players seem so limited)
  3. Firefox web browser (tabbed browsing's now the only way for me to work the web)
Note: I am not employed by any of the makers of the above products. Come to think of it, I'm not employed by anyone but myself.


Reasons to Believe

This week we 'welcome' a division of Citigroup to the ranks of major companies that have fessed up this year to 'losing' customer data (i.e. allowing copies of data about people--such as their names, addresses, phone numbers, Social Security numbers and other information that could be used to rip them off--to go missing).

This particular data, covering 3.9 million people, was on tapes being shipped via UPS. Citigroup said the tapes were lost by UPS Inc. "in transit to a credit bureau." So, three things to note:
  1. Misplacing data is nothing new--it's been happening for years--but the public has rarely heard about it before now. The fact that they are hearing about it now is mainly due to California's groundbreaking SB1386 notification law.
  2. Misplacing data tapes should not be a problem. All data tapes that leave the secure environment of the data center should be encrypted by default. That so many big companies are apparently shipping unencrypted tapes via ordinary shipping services is a disgrace, and definitely a failure to meet a reasonable standard of due care.
  3. Until one of these companies gets sued big time, this needless exposure of consumers to the risk of identity theft will continue.
Of course, in this case, as in others, the company was quick to say, "We have no reason to believe that this information has been used inappropriately." This sort of statement never fails to make me smile. Why? Think about it. A company that is so clueless about the value of customer data it hands millions of unencrypted records to a random delivery person is now claiming to be able to detect inappropriate use of said data. Yeah right.

The reality is that IT has delivered massive gains in productivity and profits over the last ten years. The nature of businesses and humans is that the true cost of achieving these gains lags behind the gain curve. It is time for corporate America to accept that data about customers requires way more protection than it has so far been afforded. Smart companies will maintain their edge by increasing security in smart ways. It doesn't have to cost the earth, but it does cost, therefore some will cut corners and lose customers (if I had a Citi account right now I'd be closing it).


Thursday, June 02, 2005

Obligatory First Posting

Herewith, the obligatory first posting to Scobb's Non-Blog. So let me explain the title of this blog, which arises from three factors:
  1. Non-Blog? I don't plan on writing regularly.
    1. My schedule is unpredictable.
    2. Some days I don't have much to say.
    3. Some days I have a lot to say but lack the energy to say it.
  2. Non-Blog? I'm not writing in order to spark dialogue.
    1. I'm happy to hear what you have to say about what you see here.
    2. I'm not promising to respond to comments.
    3. If in doubt, see points 1.1, 1.2, and 1.3.
  3. Scobb?
    1. First name = Stephen.
    2. Last name = Cobb.
    3. Default email name at last three companies = scobb.
Now I am going to test the "Publish Post" button. If you can read this, it worked. Next time I post I will see if I can get the spell check to work.


p.s. Some free advice: Whenever you are asked to explain something--by the press, your boss, your partner--it is safe to assume there are three reasons, so start with that.