Natural Beauty

Sometimes I find nature more beautiful than any art.

This is the view down the trail from my house right now. Layla, our Springer Spaniel, is looking back at me, encouraging me to take a walk.

The snow on the branches of the birch trees and maples creates a sort of cathedral over the trail. The silence is wonderful and the air is fresh and clear.

A walk down this trail seldom fails to cheer me up. Layla ventures off to the left and the right, bouncing through snow cover, following deer tracks and turkey tracks, but looking back every fifty feet or so to get my nod to continue or return.

I now have a wider shot of this scene as the wallpaper on my laptop (1280x800). That way I can see it long after the snow melts. If you'd like to try it you can download it here (it is free, licensed under Creative Commons Share Alike 3.0, attribute: Stephen Cobb).

Data Exposure Stats Exposed

When I picked the top three privacy/security stories of 2007, the annual toll of privacy breaches was not included. My intention was not to belittle the ongoing plague of personal data exposures. However, this is a plague in progress and in that sense it is not new, thus arguably less newsworthy than some other developments.

That said, the year-on-year increase in exposures is worth noting, as Mark Jewell did recently, writing for the Associated Press. He cites Linda Foley of the San Diego-based Identity Theft Resource Center, who says "more than 79 million records" were reported compromised in the United States through Dec. 18, 2007. That is almost a fourfold increase from the nearly 20 million records reported compromised in all of 2006.

Another source is Attrition.org, which reckons more than 162 million records were compromised through Dec. 21 of 2007, but that was worldwide and not just the US. The comparable 2006 figure from Attrition was 49 million, so they are suggesting a year-on-year increase of more than 3X.

Jewell points out that the biggest difference between the record-loss counts of the two organizations is Attrition’s estimate that 94 million records were exposed in the TJX case (T.J. Maxx, Marshalls, etc.). Attrition’s figure is based on estimates from Visa and MasterCard officials who were deposed in a lawsuit banks filed against TJX whereas the Identity Theft Resource Center counts about 46 million, which is the number of records TJX acknowledged in March were potentially compromised.

Strangely, Jewell states that Attrition.org and the Identity Theft Resource Center are the only groups, government included, maintaining databases on breaches and trends each year. That's a [hopefully unintentional] slight to the Privacy Rights Clearinghouse where Beth Givens has been keeping track of numbers for several years. The PRC site documents 217,118,526 records exposed from 2005 through 2007. I think a lot of the PRC data is sourced from Attrition, but PRC reviews it and sometimes modifies it. David Shettler has developed a Web site that provides statistical analysis of security breach data, at www.etiolated.org.

When you consider this chart, based on Attrition numbers, the scale of the problem is apparent. While some of the steepness of the curve is probably due to increased reporting of incidents following disclosure laws passed in California and other states, those laws are not creating the exposures. The exposures are all real, affecting real people, for whom exposure causes real problems. Clearly, companies and governments need to do a much better job.

Firewalls 1996 to 2008

January is aptly named after the two-faced god of gates and doors. It's a good month for looking both forwards and backwards. For example, if you look back 12 years in network security you might notice FireWallCon '96, an event orchestrated by the National Computer Security Association (NCSA, which later became ICSA Labs, was bought by Cybertrust, and is now part of Verizon, so ncsa.com no longer exists; but here is the conference listing in Risks Digest).

It is fairly safe to say that this was the first full-scale, commercial conference dedicated to firewalls and Internet security. Heck, it even had t-shirts, darned good ones at that; after 12 years I'm still wearing mine, shown at left.

And it is amazing to think it was that long ago. These days a sizable percentage of the population has at least an inkling of what the term firewall means in a computer context (as opposed to a building code context). Blockbuster movies and popular TV dramas use the phrase "getting through the firewall" in the expectation that most of the audience will know what it means.

Yet 12 years ago it was not unusual for IT professionals from big companies to be asking "What is a firewall?" and "Do we need one?" The buzz about firewalls built very rapidly from 1995 through 1996 and sales were brisk. I met several people at FireWallCon '96 who had bought a firewall for their company but weren't yet sure where they should put it.

Some organizations took a long time to figure that one out. I recall my colleagues and I putting on a firewall seminar for a very secret government agency three years later, during which it became clear that many of their IT people thought a router with access control lists was the same thing as a firewall. This was somewhat worrying, and puzzling when you consider the fact that one of the best early documents on firewalls was written by two gifted federal employees, John Wack and Lisa Carnahan (NIST Special Publication 800-10: Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls, December 1994). We drew on that document to create the NCSA Firewall Policy Guide, which enjoyed extensive world-wide distribution (NIST SP800-10 does not seem to appear anywhere in its original form, partly because it was superseded by the more complete SP800-41).

We now have firewalls everywhere, even on our personal computers. They haven't made us as comfortably secure as we'd like, but when properly configured and managed they are considerably more difficult to get through than some movies would have you believe.

Blog Beats Beeb on Boeing Blooper?

Sorry about the overly alliterative headline, but I couldn't help myself: My blog post about security "issues" related to the Boeing 787's airborne network apparently appeared three days before the story was reported by BBC News. (As far as the whacky headlines go, I am still trying to beat a London Sunday Times headline from back in the sixties, over a story about Japanese zipper manufacturers beating UK rivals: Jap Zips Zap Brits.)

And it was not really my blog post over the weekend that "beat" today's BBC News web site coverage of the Boeing 787, it was the Wired web site, which picked up the story very quickly, namely Kim Zetter on 01.04.08 stamped 7:30 PM. I blogged that story on 01.06.08 so I was a little slow. However, the BBC says the story was first reported by trade magazine Flight International (which is not one of those magazines that publishes its stories on the web, so I am not sure about that claim, although it could well be true; my father-in-law, a battle-tested Navy pilot from the days of prop planes, used to read FI religiously).

As to the blooper, I just got an email from a fellow CISSP containing just the kind of comment I predicted. He saw the story and said, with some sadness: "not surprised." He added: "If aerospace is integrating everything, then rational thought and consideration is failing even in that industry."

Not Surprising? Boeing 787 flight controls vulnerable to hacking (FAA)

You don't have to be a computer security expert to see the problem presented in this revelation, reported by Wired. Heck, your average Internet-using consumer can see the flaw in this:
"The computer network in the Dreamliner's passenger compartment, designed to give passengers in-flight internet access, is connected to the plane's control, navigation and communication systems, an FAA report reveals."

Shot of Boeing 787 via Wikipedia

Let us all take a moment to digest the staggering clue-less-ness of such a design.

But while this design flaw may come as a shock to consumers who know--from their own home networking and web surfing--that putting actual flight controls for a real airplane on, or anywhere near, the Internet is a really BAD idea, Boeing's decision to do so will not surprise seasoned security professionals. Why? Because we have learned that large organizations have a peculiar way of keeping their collective intelligence from being collective.

Consider the two very nice Boeing people I met in Paris in 2004...

Recommended Reading for Mark Zuckerberg: A free privacy primer

In yesterday's post about 2007 I made a somewhat light-hearted reference to the need for a 'back-to-basics' education in privacy. I also suggested that the Facebook Beacon privacy snafu might be something other than an indicator of privacy ignorance, namely a calculated attempt to push the limits of user acceptance of commercial use of private data.

Well, the more I read about Facebook Ads, like the use of personal images by commercial advertisers, the more I wonder whether some people really did skip Privacy for Business Owners 101. On the face of it, pun intended, Facebook Ads comes close to violating several of these fundamental data privacy principles:

  1. There must be no personal data record keeping systems whose existence is secret.

  2. There must be a way for an individual to find out what information about him is in a record and how it is used.

  3. There must be a way for an individual to prevent information about him that was obtained for one purpose being used or made available for other purposes without his consent.

  4. There must be a way for an individual to correct or amend a record of identifiable information about him.

  5. Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuse of the data.


And where did these principles come from? Some avant-garde, privacy-obsessed Scandinavian country? No, these are the basic privacy principles that were laid out by the U.S. government ten years before Mr. Zuckerberg was born.


And if Mr. Zuckerberg had taken Privacy 101 he would already know that the first U.S. legislation to consider privacy in the context of computers appeared after Elliot Richardson, who was Richard Nixon’s Secretary for Health, Education and Welfare, commissioned a study of record-keeping practices in the computer age. The resulting report, commonly known as the “HEW Report,” recommended the enactment of a federal “Code of Fair Information Practice” for all automated personal data systems. The code envisioned by HEW contained the above five principles, which would be given legal effect as “safeguard requirements” for automated personal data systems. The Privacy Act of 1974 embodied the HEW principles in law, establishing protections for personal data held by the federal government.


Fortunately, both Mr. Zuckerberg, and you, dear reader, can learn these and other fascinating facts about privacy for free. Just download the free electronic version of Privacy for Business available at www.privacyforbusiness.com. Who knows, they might just keep the FTC off your back and the feds out of your IT department.

So Long 2007! Reflections on computer security and data privacy

Well, it’s January 2008 and I’m a little late with my end-of-the-year reflections on information security and data privacy in 2007. Nevertheless, here’s my take on what I think were the three top trends/stories/developments. I think 2007 was the year:

  • of the criminal hack

  • of a new shift in privacy concern

  • of important new tools for data security


Happy New Year!

I'm phoning this in from the snow-covered hills of mid-state New York, where the joys [and necessity] of snow-plowing with an ATV are being discovered. I hope everyone out there has a great oh eight!

(With a special thanks to Dana and Clem at the Rose & Kettle for crafting another great New Year's Eve event.)

Huckabee Versus Budweiser: Where's the media when you need them?

How many journalists are covering the Republican presidential candidates right now? Probably thousands. But how many have read what front-runner Mike Huckabee hath written? Apparently very few. For example I can't find anyone looking into his attack on Budweiser.

No, I'm not talking about dredging the distant past for lost sermons but a text he published last year: Character Makes a Difference: Where I'm From, Where I've Been, and What I Believe (Paperback, June, 2007).

The problem that Huckabee has with Budweiser is the way the company's advertisements play to the selfish nature of man, for according to Huckabee, "We are not basically good; rather, we are basically self-centered, look to ourselves first, and preserve ourselves first at all costs."

Amazing Audio Assistant: Free content in convenient format, no fees required

A lot of the Christmas shopping buzz this year has been about digital this and i-that. Unfortunately, a lot of these digital gizmos cost at least $100. Consider iPhone and PSP and Wii and digital cameras, PDAs, smart phones, and various MP3 players. Not much in this category for the under-$50 crowd. But wait, what is that cool silhouette in the corner?

This is a very cool palm-size, hand-held gizmo that I found for under $30. It delivers a non-stop music stream or current news, for weeks on just 2 AA batteries, with no subscription fees. It has a built-in clock and an alarm and operates in multiple languages. It comes with cool ear buds plus a speaker that is actually built into the device, no external pieces or cables required. And the whole thing is totally wireless.