Has anyone else read this article on "safecount.org" wanting to encourage people to not delete cookies? While I understand that the advertisers have a difficult task, it makes me crazy that sites such as TechWeb just take press releases and post them without providing any context or value-add. In fact, they become a value-subtract, since some less discriminating readers will look to TechWeb for factual news articles and perhaps actually believe what they're reading.
I don't mean to pick on TechWeb; it's just that I read this piece this morning and it just pissed me off. If you want to get your news from the 'net, you have very few places to choose from. Most sites do the same thing -- get a flurry of press releases, have someone reword them into a semblance of an objective article, and publish. This particular article is great -- the position of safecount.org is that you shouldn't delete your cookies because it makes life harder on their advertiser members. The writer makes no comment regarding privacy, and quotes "analysts" (which ones, I wonder) to make the story more believable.
Please take everything you read with a grain of salt, particularly if it comes from a news source that you didn't pay for. Remember, somebody has to cover their expenses...
Sorry, I just can't get behind this: Battle brews over unlocking PC secrets. The PC industry has suffered for not having trusted mechanisms for identifying computers and locking down digital rights. I read the article and I still don't see Stallman's point. Then I read his manifesto and I really don't get it. GNU has come up with some good stuff in the past, and in a previous life I used to use and contribute to that effort. But this seems to be ideology taken to the extreme. Since the typical modern mobo allows users to flash their BIOS rather than remove and replace the chip, suddenly it should be treated differently? Presumably this includes video cards as well, that have extensive (and flash-able) code on the card.
It's not really a battle, more of a tempest in a teapot.
Ahh, the wonderful world of information security in the United States, where the threat of litigation can keep holes open and spyware active. eWeek has had a couple of articles this week on this topic. In The Chaotic World of Defining Spyware they discuss issues that CA has with companies that are fighting being labeled as spyware. In Big Security Guns Should Aim Carefully at Adware, Spyware there's a discussion of Symantec's scoring system versus Microsoft's behavior-based approach documented in a recent white paper.
There is money to be made in spyware and the bottom-feeders that are using spyware and "adware" are going to be very aggressive at resisting being labeled as such. You can see this in the Microsoft white paper, where the targets are labeled "potentially unwanted software" rather than spyware.
It's all just semantics. When you install something on my PC that I don't explicitly want and ask for, you're a bad person and need to be dealt with harshly.
If you're wondering how Microsoft bakes security into its software development practices, this paper (by one of the co-authors of "Writing Secure Code") takes you through the process. This is far more than a guide for individual developers; it goes through the organizational structure and processes necessary to make this work for large software development projects.
Link: MSDN Security Developer Center: The Trustworthy Computing Security Development Lifecycle
My team just released a new security guide: Server & Domain Isolation Using IPSec and Group Policy. This solution, aimed at enterprise IT Pros, is focused on how you can use IPSec and Group Policy to secure the data connections between systems. One of the key threats that this can mitigate is the rogue computer, infected with a worm, that gets connected to a corporate wired network and, even without authentication, receives an IP address and attempts to find and infect other systems.
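As an added illustration of the mechanism the guide is about (this is not code from the guide or from the page, and it uses the NetSecurity PowerShell cmdlets that shipped with later Windows releases rather than whatever tooling the guide itself uses), here is the core of a domain-isolation policy: Kerberos machine-credential authentication in phase 1, an authentication exemption for infrastructure, and a connection security rule that requires IPsec on inbound traffic and requests it on outbound. The GPO name, rule names and the exempted subnet are placeholders I assumed, not values from the guide.

```powershell
# Added example: domain-isolation connection security rules expressed with the
# NetSecurity module (Windows Server 2012 / Windows 8 and later).
# Not from the guide or the page; GPO name, rule names and addresses are assumptions.

# Policy store. Writing into a GPO is what lets Group Policy distribute the rules;
# 'contoso.com\Domain Isolation' is a placeholder domain\GPO-name pair.
$store = 'contoso.com\Domain Isolation'

# Phase 1 (main mode) authentication: Kerberos with the computer account.
# Only a domain-joined machine holds that credential, so a rogue host that merely
# obtained a DHCP lease cannot complete the negotiation.
$machineKerberos = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'Domain Isolation - Machine Kerberos' `
    -Proposal $machineKerberos -PolicyStore $store

# Authentication exemption for infrastructure a client must reach before it can
# authenticate (DHCP, DNS, domain controllers). Placeholder subnet.
New-NetIPsecRule -DisplayName 'Domain Isolation - Exempt infrastructure' `
    -RemoteAddress '10.0.0.0/24' `
    -InboundSecurity None -OutboundSecurity None `
    -PolicyStore $store

# Isolation rule: inbound traffic must be IPsec-protected and authenticated, so
# unauthenticated packets from the rogue host are discarded; outbound only requests
# protection and falls back to clear text so members can still reach printers or the Internet.
New-NetIPsecRule -DisplayName 'Domain Isolation - Require inbound, request outbound' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name `
    -Profile Domain `
    -PolicyStore $store

# Check on a member after the policy applies (gpupdate /force): an established
# main mode SA shows which peers negotiated successfully; a rogue host never appears.
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint, LocalFirstId, RemoteFirstId
```

The exemption rule is the part people forget: without it a freshly booted member cannot reach DNS or a domain controller to obtain the Kerberos ticket the phase 1 set demands, and the isolation policy locks the good machines out along with the bad one.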
Please let me know what you think!
It's great that even the BBC understands the basic concepts behind identity management (BBC NEWS | Technology | Solutions to net security fears) and the problems associated with multiple identities. The token approach (as promulgated by RSA, Activcard and others) is pretty good. But of course this all comes down to trust; specifically, the ability of any issuing body to tie a real, live person to a single digital identity.
Issuing bodies that can do that are few and far between, and in North America have yet to step up to the challenge for more than just their own needs. Banks have that ability. So does the motor vehicle licensing bureau in each state/province, although I think that the level of consumer trust in the license bureau is probably lower than it is in a bank.
But the bottom line is that this is going to be expensive, and anyone who does it is going to have to balance business goals against customer convenience. If I get a single ID from Washington Mutual here in Seattle, are they going to willingly allow me to use the same ID to replenish my Starbucks account? Perhaps. What about to log on to my Schwab brokerage account? Perhaps, but there are issues of liability as well as competition. Now what about my Bank of America account? And will BofA accept a WaMu identity?
Bottom line: This needs to happen from a central issuing authority that doesn't have these competition issues. Only two come to mind: the Feds, and the credit-card companies. If Visa (I mean the whole Visa association, not any one bank) could implement this it would be a home run. Guaranteed MasterCard and Amex would follow suit. But if I end up with three identities instead of the 40 or 50 I have now, that would be progress.
What would YOU pay for this? $10 a year? $50?
I love how news reporting can subtly (or not so subtly) slant interpretations while professing to still be reporting facts. CNet's reporting of the Microsoft Security Cooperation Program is a great example. When I heard about this program I thought it was great -- a mechanism for getting governments the security info that they need for national security, but with less stringent restrictions than the existing Government Security Program.
Of course, I am probably biased as well...
Microsoft to confide security woes to governments | CNET News.com
Ouch -- 92 million screen names and email addresses stolen from AOL. The guy netted $28k, and will have to pay $200-400k in restitution. Not exactly a lucrative business, was it?
Once again we see privacy compromised from the inside -- nothing that the individual account holder could have done would have prevented this.
MSNBC - Former AOL employee pleads guilty in spam case
Interesting -- according to a UK study, demographics are skewing for home users, with older people buying a larger percentage of home infosec products (AV, etc.) and younger people being the ones that naively assume they're OK. Without the data it's hard to analyze further. I hope that the shift is due to more existing home PC users taking security seriously, as opposed to merely a shift in who is buying PCs.
"It is thought that 40% of those buying home net security programs are retired. For the last three years, that has gone up by an average of 13.2%. But more retired women (53%) were buying security software than retired men."
BBC NEWS | Technology | More women turn to net security
DRM is one of those fascinating areas where we really haven't explored the implications of our decisions. I have seen a lot of complaints about Napster's requiring you to be a member of their service in order to continue to listen to music that you downloaded under their subscription. So, your license is somewhat transient, even though it feels like you're buying the music.
This working document from the European Union is another great example of that. This working team feels that "digital watermarking" -- the process of putting a unique identifier into a file so that you can track who downloaded it and where it came from -- could somehow be used to obtain personally identifiable information (PII) and combine it with music listening habits, with the resulting info then used for nefarious marketing purposes.
Quote: "...where information is exchanged over the internet, more and more digital watermarks tags are being used to track users and their preferences - for example, when a music track is purchased online, the purchaser has to enter their account information and unique identifier."
What isn't clear to me is how they think that this will happen, and why the existing laws aren't good enough. Something has to read the tag and then somehow report that info (and anything else it can vacuum up) back to another agency. What is that "something"? Is it a media player? The operating system? Presumably the creator of that software is already covered by the EU's Data Protection Directive. Perhaps it is spyware... but if there is spyware on my PC looking at the metadata within individual files it already has access to a large amount of PII about me.
Sorry, I don't buy it. Yes, the authors are correct in saying that watermarking files is propagating PII, but any chance to read it will happen in a space that already has access to a lot (probably far too much) PII. I really need to worry about more substantive issues, and so should they.
Digital rights management 'could threaten privacy' - silicon.com
Interesting -- a way to "ask" phonecams not to take your picture. Problem is, it's probably omnidirectional and so will impact everyone trying to take a picture of anything in the vicinity.
I don't agree that this is paparazzi-proofing anyone -- how long will it take some entrepreneur to hack the controls and have a jam-free camera -- but it may well be a solution for areas that you shouldn't be using your phone cams in. The locker room at my gym, for example, where cell phones are banned because of this. I'd like to see this get out there commercially.
HP focuses on paparazzi-proof cameras | CNET News.com
Never thought about this before -- the many people that publish online genealogies, and that collaborate on building family trees, are making it very easy for identity thieves to get very specific and personal information about you (far more than your mother's maiden name, although that alone is very useful).
But the basic rules still hold. Publishing info to a large, unsecured population is always dangerous and requires a very close examination of the threats. The web brings us far closer than we would like to the bad guys of the world.
TownOnline.com - Scituate Mariner - Opinion & Letters
There is a new series of webcasts from Microsoft aimed at developers who want to know more about how to write secure code. Here's a link. This looks good although I haven't had a chance to preview the content.
Digital Blackbelt Series: Defend Your Code from Attacks