Cryptosmith

ARE THEY KIDDING ME? DON’T THEY HAVE ANY REMOTELY INTELLIGENT ADVISORS IN THE WHITE HOUSE THESE DAYS? I THOUGHT PRESIDENT OBAMA WAS TECH SAVVY!

Okay, I got that off my chest. [see later post]

For those who came late to the party, here’s how to think of the “Internet Kill Switch.” Substitute “Internet” for any of these:

• National highway system
• National airspace
• Nationwide broadcast system
• Starbucks

You can’t have an “Internet Kill Switch” for the same reason you can’t have a “Starbucks Kill Switch.” The things being controlled are thoroughly distributed and they operate independently.

Yes, the President can always declare a “Starbucks Emergency” and demand shutdown of all Starbucks (and Caribou and Dunn Brothers and other caffiene chains, to be fair). But there’s no real control over such things. Someone won’t get the word, or they’ll ignore it.

Continue Reading »

Posted under Security | No Comments »

Tam Harbert has posted a fairly even-handed discussion of employee monitoring in Computerworld. This is a difficult topic to address, since it treads on the fine line between employee privacy and a company’s obligation to ensure efficient use of their resources. When Secure Computing bought Webster Webtrack, a web filtering product, back in the 1990s, the developers said that they’d see drops of 70% in web traffic when users knew they were being monitored.

It’s a well known fact – people are more likely to behave if they think they’re being watched. And it’s easy to waste time surfing the web.

Continue Reading »

Posted under Security | No Comments »

Jeremy Epstein reported this terrific report to Peter Neumann’s Risks List: a school kid logged in as superintendent of schools. This was in Fairfax County, where I grew up. They use Blackboard, just like the college where I teach.

And yes, we’re talking about a nine-year-old. It turned out to be a security policy problem. A teacher can add a student to a class, and a teacher has the power to change a student’s password.

The kid found out his teacher’s Blackboard password. They don’t say how in the news, but it may have been written on a post-it, or some other piece of paper, or it may be the same as a password the kid watched the teacher use somewhere else, or it could just be an easy-to-guess choice.

Continue Reading »

Posted under Security & Tech Teaching | No Comments »

Forrester Research and RSA have published an interesting report on corporate security priorities and compliance programs. The bottom line is no real surprise: companies spend more money on compliance with external requirements like PCI-DSS or HIPAA than they do on protecting their own secrets. These compliance requirements are tied to obvious business needs – you can’t do much retail work unless you take credit cards – so it’s hard to argue against such expenses. Forrester and RSA show statistics arguing that companies lose more money through lost company secrets. Yet a lot of companies focus their security efforts exclusively on compliance and really don’t make a special effort to protect company-specific assets.

Kapersky Labs posted a reasonable summary of the report.

Slashdot’s title writers dramatically misread the report, summarizing it under the title “Compliance is Wasted Money.” I tend to think of Slashdot as being edgy in a digital native sort of way, so I’m surprised they spun it that way.

I think the report reflects two things. First, companies don’t want to spend money to assess their losses from leaked company data, unless they’re already inclined to be a secrecy-oriented company. If a company is more inclined towards openness and information sharing, then they don’t want to collect such information: bad news makes management look bad, and there’s no countervailing data to show a measurable benefit to being a more open company.

Continue Reading »

Posted under Security | No Comments »