Archive for June, 2006

You would think that, after all the problems we’ve had with security since 9/11 and the continuing abject failure of the Bush administration to even start to address our exposure to various kinds of terrorists, it would be a no-brainer to appoint somebody to DHS’s Cyber Security post who actually had experience in cyber security. But no, we get another flunky, and a grossly overpaid one at that. MIT’s Technology Review, printing an AP feed, says:

WASHINGTON (AP) — Lawmakers who oversee the Homeland Security Department have been questioning the Bush administration’s choice of acting cybersecurity chief. Donald "Andy" Purdy Jr. is being paid $577,000 (euro 459,140) under a two-year agreement with the university that employs him and also does extensive business with the federal office he manages.

He has been acting director of the Homeland Security Department’s National Cyber Security Division for 21 months. His contract, which has drawn attention from members of Congress, is paying him more than the $175,000 (euro 139,250) annual salary that Homeland Security Secretary Michael Chertoff earns.


Some lawmakers who oversee the Homeland Security Department questioned the decision to hire Purdy. They noted enduring criticism by industry experts and congressional investigators over the department’s performance on cybersecurity matters.

Purdy’s contract "raises questions about whether the American people are getting their money’s worth," Democratic Reps. Bennie Thompson of Mississippi and Loretta Sanchez and Zoe Lofgren, both of California, wrote in a letter to Republicans.

Purdy, a longtime attorney who has held a number of state and federal legal and managerial jobs, has no formal, technical background in computer security.

Hello? No actual experience in computer security? So, when the Internet backbones fail under some determined terrorist-hacker’s attack, they will say, as they did in New Orleans, “We were taken by surprise!” And they will have been, and this is why.


Our government, which is supposedly protecting us from the ravages of cyber-terrorists, can't even protect its own data on us from casual hacking (from the AP):

A hacker broke into the Agriculture Department's computer system and may have obtained names, Social Security numbers and photos of 26,000 Washington-area employees and contractors, the department said Wednesday . . . The break-in happened during the first weekend in June, the department said. Technology staff learned of the breach on June 5 and told Johanns the following day but believed personal information was protected by security software, the department said. However, on further analysis, staff concluded that data on current or former employees might have been accessed and informed Johanns on Wednesday, according to the department.

This isn't just a one-time mistake; to remind you, we have suffered the following data losses at the hands of these geniuses:

As many as 26.5 million people may have been affected by the theft of a laptop computer containing Veterans Affairs information including Social Security numbers and birth dates. The computer was taken from the home of a VA employee, and officials waited nearly three weeks before notifying veterans on May 22 of the theft.

Earlier this month, the Health and Human Services Department discovered that personal information for nearly 17,000 Medicare beneficiaries may have been compromised when an insurance company employee called up the data through a hotel computer and then failed to delete the file.

Social Security numbers and other information for nearly 1,500 people working for the National Nuclear Security Administration may have been compromised when a hacker gained entry to an Energy Department computer system last fall. Officials said June 12 they had learned only recently of the breach.

This, while our legislators are spending their time focused on the definition of marriage and passing laws to prevent flag-burning, and the Administration is spending ITS time attempting to peel away our privacy in the name of Counter-Terrorism. I don't know which is worse, incompetence or venal power-mongering. But why do we have to make that choice? Why can't we just do it right?


Will it never end? Will these fools never actually learn? Will ING, the huge insurance and financial services corporation never learn? This is, after all, their third data loss this year. In case you missed the news, click here, read it, and weep. There is less than no excuse for this.

The solution, of course, is to treat individual data as belonging to the individual who shared it with the company, and loss of control of that data should be punishable by jail time — not fines, but jail. It's not as if there are no solutions to seamlessly encrypt data; see my post below on personal encryption. It's only a matter of taking it seriously, which obviously ING and many other companies and governmental agencies just don't do yet.

So, to be ever-positive, the solution:

  • Get the software (TrueCrypt) and install it on all laptops in the company / agency;
  • Designate corporate data that contains personal information as "protected;"
  • Write procedures to govern the downloading of this data into an encrypted disk;
  • Write a procedure that requires the firing of any individual, and their manager, who carries any "protected" data off-premises unless it is so encrypted;
  • Write a procedure to "clear" the data download instance and delete the encrypted container.
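As an added illustration of steps 2, 3 and 5 of that list (example code written for this page, not code from the original post and not TrueCrypt's own tooling), the following Python script classifies records that carry a Social Security number or a date of birth as "protected," refuses to write them anywhere except under a designated encrypted-container mount point, and clears the download instance afterwards. The mount path, the field patterns and the sample records are constructed assumptions; in a real deployment the mount list would name wherever the encrypted volume is actually mounted.

```python
"""Export guard for "protected" personal data.

Added example, not part of the original post and not TrueCrypt's own
tooling.  Mount points, record patterns and sample records below are
constructed for illustration.
"""
import os
import re
import tempfile
from pathlib import Path

# Hypothetical list of mount points the organisation has designated as
# encrypted containers (e.g. where an encrypted volume is mounted).
ENCRYPTED_MOUNTS = [Path("/mnt/tc_protected")]

# Field patterns that make a record "protected" under the procedure.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DOB_RE = re.compile(r"\b(19|20)\d{2}-\d{2}-\d{2}\b")

# Constructed sample records: user id, name, SSN, date of birth.
SAMPLE_RECORDS = [
    "jdoe,John Doe,123-45-6789,1970-04-02",      # protected
    "asmith,Ann Smith,987-65-4321,1982-11-30",   # protected
    "contractor-01,Widget Corp,n/a,n/a",         # no personal identifiers
]


class ExportRefused(Exception):
    """Raised when protected data would leave an encrypted container."""


def is_protected(record: str) -> bool:
    """A record is protected if it carries an SSN or a date of birth."""
    return bool(SSN_RE.search(record) or DOB_RE.search(record))


def inside_encrypted_mount(path: Path, mounts=None) -> bool:
    """True if the absolute path lies under one of the encrypted mounts."""
    mounts = ENCRYPTED_MOUNTS if mounts is None else mounts
    target = Path(os.path.abspath(path))
    for mount in mounts:
        try:
            target.relative_to(Path(os.path.abspath(mount)))
            return True
        except ValueError:
            continue
    return False


def export_records(records, dest: Path, mounts=None) -> int:
    """Step 3: write records to dest.  If any record is protected, dest must
    lie inside an encrypted mount, otherwise the whole export is refused
    before a single byte is written.  Returns the number of records written."""
    protected = [r for r in records if is_protected(r)]
    if protected and not inside_encrypted_mount(dest, mounts):
        raise ExportRefused(
            f"{len(protected)} protected record(s); {dest} is not inside an encrypted container")
    dest.parent.mkdir(parents=True, exist_ok=True)
    with open(dest, "w", encoding="utf-8") as fh:
        for r in records:
            fh.write(r + "\n")
    return len(records)


def clear_export(dest: Path) -> bool:
    """Step 5: remove the download instance from the container.  The
    operator then dismounts and deletes the container itself.  Returns True
    if a file was removed."""
    if dest.exists():
        dest.unlink()
        return True
    return False


def run_demo() -> dict:
    """Exercise the guard with a temporary directory standing in for the
    encrypted mount; returns each outcome so it can be inspected."""
    base = Path(tempfile.mkdtemp())
    mount = base / "tc_protected"
    mount.mkdir()
    outcome = {}
    try:
        export_records(SAMPLE_RECORDS, base / "plain.csv", [mount])
        outcome["plain_export"] = "written"
    except ExportRefused:
        outcome["plain_export"] = "refused"
    outcome["encrypted_export"] = export_records(SAMPLE_RECORDS, mount / "export.csv", [mount])
    outcome["cleared"] = clear_export(mount / "export.csv")
    outcome["cleared_again"] = clear_export(mount / "export.csv")
    # Records without personal identifiers are not "protected" and may go anywhere.
    outcome["unprotected_plain"] = export_records([SAMPLE_RECORDS[2]], base / "vendors.csv", [mount])
    return outcome


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The guard is deliberately all-or-nothing: one protected record in a batch stops the whole export rather than silently dropping the sensitive rows, which is the behaviour the "fire the individual and their manager" step implies the organisation wants. Note that step 5 only removes the file inside the container; unlinking a file from plain host storage does not reliably erase it, which is exactly why step 3 writes the download into the encrypted volume in the first place and never onto the laptop's ordinary disk.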

Simple! What is the matter with these people? Is this really so hard?


Humans and our technology generally form a kind of ecosystem: we create a technology, then the technology enables different behaviors in us, we change the technology, and it changes us right back. This has been true since the stone age and it's just as true today.

Our technology du jour is the Internet and it continues to be in a state of significant change. People are starting to try to name the “next age of the Internet” which is a sign of – well – of something. One name they're using is “Web 2.0,” almost a trademark of the publishing house O’Reilly, another is “Next Web,” and there are others. But all of these names fail to grab me because so much of this is not necessarily about the World Wide Web, but more about the Internet itself.

We can characterize the current state of the Internet as marked by:

  • Pervasiveness of access – I recently found a Perkins Pancake Palace in Coeur d’Alene, Idaho, that provided its patrons with free WiFi-based Internet access, and I used it to make a motel reservation at our day’s destination. So, you can get the Internet almost anywhere;
  • Many different devices with Internet connectivity, including cell phones, cellular routers, PDAs, and desktop widgets that carry out some specific task;
  • A user expectation of utility and ease of use – that Internet will actually do things for them in their daily lives, things that they need doing, and it will be an engaging experience for them.

Two years ago, reality was dramatically different! For instance, there was a mindless push to display web pages on almost anything with a screen on it, which was nonsense – most websites won’t effectively display on a PDA or a wristwatch at all. But often you don't need the web. For example, with an Internet-enabled cell phone and camera, a person can take a picture in Times Square, tell the phone to transmit it to their Flickr account, text-message their friends, and 2 minutes later their friends can see where they are. THAT is effective device integration.

An evolutionary biologist would say that the Internet is in a state of ‘punctuated equilibrium,’ where things proceed in the direction they have been going for a while, then – poof – comes a period of dizzyingly discontinuous innovation that changes all the rules. So for the immediate future, I believe we will see:

  • Lots of interesting new services that, like the cell-phone-camera-to-Flickr example above, will be characterized by useful integration of existing services and capabilities;
  • Some very straightforward Internet-mediated applications (see 37 Signals' Basecamp, for example) that challenge the feature-bloat of current desktop applications and are provided on a subscription model;
  • Increasing engagement by ordinary people in interactive activities such as blogs, wikis, and other social functions, and an expansion of these facilities into businesses for both internal and external use;
  • A continually-expanding flood of data at our fingertips, which will further increase the perceived value of search and increase the value of authoritativeness – in other words, is this thing I’m reading true and valuable, or just somebody's rant? Print publishers used to provide some of this vetting based just on the cost of printing a work;
  • Much more involvement and especially transacting, even by people who may not even realize they are "connecting to a website" or "buying over the Internet;"
  • Major stress on some businesses and indeed whole industries, as their economic model changes; good examples include newspapers and broadcast radio.

What an exciting time to be alive and engaged in this evolution! When I think of technological change, I think of my grandparents, who were born at a time when horses were the only way to get around, and died having travelled in jets. Perhaps our children will look at our time the same way and wonder how we coped with it all!


As the Administration continues to demand more and more personal data from wiretaps, phone records, and the like, I quote from Bruce Schneier in a recent essay:

Too many wrongly characterize the debate as "security versus privacy." The real choice is liberty versus control. Tyranny, whether it arises under threat of foreign physical attack or under constant domestic authoritative scrutiny, is still tyranny. Liberty requires security without intrusion, security plus privacy. Widespread police surveillance is the very definition of a police state. And that's why we should champion privacy even when we have nothing to hide.

I'm a big fan of privacy — personal, business, and yes, even governmental privacy. I think whoever violates this privacy should be punished, for example the morons who continue to lose corporate or government data when their laptops are stolen. The most recent, of course, was the Veterans Administration, but this is only the latest; everybody's in the act. Is it too much to ask that critical data be encrypted when it goes out of the building? Man alive, what's wrong with these people?

Well, part of what's wrong is that there haven't been good tools to provide truly secure encryption to the average non-technician, but now that's changed. A relatively new open-source product called TrueCrypt allows anyone to define an encrypted container for their files, and the files in the container are read / written on the fly by any ordinary programs, e.g. Word or Excel, without any steps or fussing. And the encryption is top-of-the-line stuff: AES, Blowfish, Serpent, Twofish, etc. And it IS easy to set up and use. And it is free.

Check it out: TrueCrypt website.
