Archive for March, 2006


Monday, March 6th, 2006

Young men have gone to war ever since there have been young men. They leave their mother and father, brother and sister, girlfriend, fiancee, and wife in order to serve and protect something greater than themselves. Sometimes these brave young men do not return home or if they do they are covered in an American flag and an Honor Guard.

These fallen Americans are usually honored in places like Arlington National Cemetery


and the Vietnam Memorial in DC:

Families come from far and wide to reflect on the sacrifices of these men and women. For some, a simple piece of paper bearing the name of their fallen soldier, sailor, pilot, or Marine is all they have.

As they rub the paper over the name I have to wonder what is going on on the “Other Side”.

Sad picture. Strong picture. It took us a long time to get the Vietnam Memorial built. Arlington was once a cruel joke on Robert E Lee who called the place his home before he accepted a Commission from the CSA.

A memorial for the unknown or the missing and killed in action where there is nothing left to bury is unspeakably sad. What is sadder still is the grave of a soldier with no marking whatsoever.

Could it be that he was the last of the line? No mother or father? No siblings? No one to pay the small fee to have a free Government stone placed? No. Not in this case. Specialist Casey Sheehan has a mother, father, and siblings. So where are they? Why aren’t they placing the stone themselves? I don’t know about Specialist Sheehan’s father and siblings but I think we all know where Mother Sheehan is.

I need a new Cluebat…mine just broke…

Monday, March 6th, 2006

An article from Thursday’s Computerworld talked about the Breach Notification Laws and when companies need to …well…notify.

“Paul Rubin, a former director at the Federal Trade Commission and a professor of economics and law at Emory University in Atlanta, argued that a more targeted notification standard is required because only about 2% of breach victims actually become victims of fraud and ID theft. In the vast majority of cases, there’s no evidence to show that breached information is being misused, he said.”

Ummm…so the fact the information was BREACHED and most probably GATHERED…it wasn’t MISUSED??? Can someone explain to me how that works exactly? If I BREACH the bank’s vault, the money that I find in there would probably be considered MISUSED whether or not I GATHERED it.

Also, what time frame is this guy talking about? Is there a threshold for when that information becomes stale? Let’s take a mythical online learning organization whose global.asa was “breached”, exposing the database’s READONLY password. This mythical organization has no idea if the data was gathered or not. So…how long does it take for the student records held in the database to become “unfit for victimization”? I’m left to wonder if Dr. Rubin’s comment was taken a bit out of context or maybe he is just this clueless. Dr. Rubin, here’s your daily whack from my well-worn Cluebat. When someone’s private information is exposed, the “life” of that information is determined by the body temperature of the individual who owns it. As long as said body temp is in the high 90’s and beyond, that information is still viable. I don’t care if it’s 2% of what was breached or 100% of what was breached. For the good Professor to claim that “2% of breach victims actually become victims” implies that the “victims’” data has since become stale…and that’s hogwash as long as the “victim” is still breathing.

Security Podcasts

Thursday, March 2nd, 2006

One of the most difficult parts of my professional life is staying current with all the various aspects of the Security world. It seems that in the past 5 years or so the industry has gone a little nuts. When things really got rolling you had a few “Security Consultants” and they were supposed to know everything there was to know…or something. Now there are specialists in Forensics, Incident Handling, Malware Analysis, Intrusion Detection\Analysis, and Penetration Testing among others. Thankfully the difference between PRIVACY and SECURITY has also taken hold everywhere so we have HIPAA, FERPA, and Identity Theft specialists with their own shingles as well. Still, with all these specialties, all of us should have at least a finger in everyone else’s “specialty” pie. It’s been a wild ride and can be impossible to keep track of at times.

So the question becomes, what part of the day can you devote to keeping up with the Security Joneses? How about early in the morning? Yeah, like I can stay awake while reading at 4-friggin-AM. Well, there is lunch right? Sure…let’s see…the last time I actually took a full hour for lunch was….well…there was the time my senior year in College between finals. Surely you could just stay an hour late at the office. It is job related right? Sure it is. I’m sure your wife/husband/significant other is going to be happy to lose another hour of your time…and that is assuming some bonehead doesn’t wander into your office.

Let’s face it, time is tight and what “free” time we come up with has a long list of tasks predestined for it. Except for the time we spend in the car driving to and from the Salt Mine Inc. How many of us have iPods? Most everyone but Bryce. What if you could listen to some other security geeks discuss the news of the day? Paul Asadoorian has a podcast that is just fabulous but tonight he has posted a full list of OTHER security related podcasts that has my mouth watering. Can’t wait to get to a decent network connection to check these guys out.

Thanks Paul for looking out for the rest of us!