Despite the slings and arrows that we endured originally when we came up with Patch Tuesday, it looks like this is gaining momentum.  This article from eWeek talks about other companies starting to release patches on Tuesday as well.  Of course there is always a dissenting opinion.

Now if only we could come up with a single auto-update mechanism that supported multiple vendors -- but that is a hairy legal as well as practical issue.

Just a really cool little hardware hack -- use a 9V battery to emergency charge your USB-charged devices (like my GPS, my other GPS, my smartphone, ...). 

how-to make a ‘usb battery’ - hack a day - www.hackaday.com

It's great that even the BBC understands the basic concepts behind identity management (BBC NEWS | Technology | Solutions to net security fears) and the problems associated with multiple identities.  The token approach (as promulgated by RSA, Activcard and others) is pretty good.  But of course this all comes down to trust; specifically, the ability of any issuiing body to be able to tie a real, live person to a single digital identity. 

Issuing bodies that can do that are few and far between, and in North America have yet to to step up to the challenge for more than just their own needs.  Banks have that ability.  So does the motor vehicle licensing bureau in each state/province, although I think that the level of consumer trust in the license bureau is probably lower than it is in a bank. 

But the bottom line is that this is going to be expensive, and anyone who does it is going to have to balance business goals against customer convenience.  If I get a single ID from Washington Mutual here in Seattle, are they going to willingly allow me to use the same ID to replenish my Starbucks account?  Perhaps.  What about to log on to my Schwab brokerage account.  Perhaps, but there are issues of liability as well as competition.  Now what about my Bank of America account?  And will BofA accept a WaMu identity? 

Bottom line:  This needs to happen from a central issuing authority that doesn't have these competition issues.  Only two come to mind:  the Feds, and the credit-card companies.  If Visa (I mean the whole Visa association, not any one bank) could implement this it would be a home run.  Guaranteed MasterCard and Amex would follow suit.  But if I end up with three identities instead of the 40 or 50 I have now, that would be progress. 

What would YOU pay for this?  $10 a year?  $50? 

I love how news reporting can subtly (or not so subtly) slant interpretations while professing to still be reporting facts.  CNet's reporting of the Microsoft Security Cooperation Program is a great example.  When I heard about this program I thought it was great -- a mechanism for getting governments the security info that they need for national security, but with less stringent retrictions than the existing Government Security Program.

Of course, I am probably biased as well...

Microsoft to confide security woes to governments | CNET News.com

DRM is one of those fascinating areas where we really haven't explored the implications of our decisions.  I have seen a lot of complaints about Napster's requiring you to be a mamber of their service in order to continue to listen to music that you downloaded under their subscription.  So, your license is somewhat transient, even though it feels like you're buying the music. 

This working document from the European Union is another great example of that.  This working team feels that "digital watermarking" -- the process of putting a unique identifier into a file so that you can track who downloaded it and where it came from -- could be somehow be used to obtain personally identifiable information (PII) and combine it with music listening habits to somehow use the resultant info for nefarious marketing purposes.

Quote:  "...where information is exchanged over the internet, more and more digital watermarks tags are being used to track users and their preferences - for example, when a music track is purchased online, the purchaser has to enter their account information and unique identifier. "

What isn't clear to me is how they think that this will happen, and why the existing laws aren't good enough.  Something has to read the tag and then somehow report that info (and anything else it can vacuum up) back to another agency.  What is that "something"?  Is it a media player?  The operating system?  Presumably the creator of that software is already covered by the EU's Data Protection Directive.  Perhaps it is spyware... but if there is spyware on my PC looking at the metadata within individual files it already has access to a large amount of PII about me.

Sorry, I don't buy it.  Yes, the authors are correct in saying that watermarking files is propagating PII, but any chance to read it will happen in a space that already has access to a lot (probably far too much) PII.  I really need to worry about more substantive issues, and so should they.

Digital rights management 'could threaten privacy' - silicon.com

Ouch -- 92 million screen names and email addresses stolen from AOL.  The guy netted $28k, and will have to pay $200-400k in restitution.  Not exactly a lucrative business, was it? 

Once again we see privacy compromised from the inside -- nothing that the individual account holder could have done would have prevented this.

MSNBC - Former AOL employee pleads guilty in spam case

Interesting -- According to a UK study, demograpghics are skewing for home users, with older people buying a larger percentage of home infosec products (AV, etc.) and younger people being the ones that naively assume they're OK.  Without the data it's hard to analyze further.  I hope that the shift is due to more existing home PC users taking security seriously, as opposed to merely a shift in who is buying PCs. 

BBC NEWS | Technology | More women turn to net security

A paper from Microsoft Research (MSR), first published last summer, is getting new interest after MSR's internal TechFest last week.  The idea is that hosts would analyze traffic hitting them and automatically broadcast alerts.  While false negatives can mean that many hosts will not detect the worm, doing this across a large group of machines means that some hosts will detect it and start broadcasting the self-certifying alerts.  Of course there are a ton of issues with this approach but the authors have done a good job of going through the threats and countermeasures.  It's a really interesting idea and I hope that they continue with the research.

According to the Better Business Bureau's "2005 Identity Fraud Survey Report" the most common source of identity theft is a lost wallet or check book.  Only 11.6% of identity fraud came from access to online records. 

Here's an interesting observation:  customers who regularly monitor their bank accounts online detected fraud far earlier than those who review paper statements, and their average loss was $551 versus $4,543 for paper statement.  It didn't say how "regularly" you should check but I recommend 1/week.

Paper continues to plague us.  Get a home shredder, and shred everything with an account number on it before you throw it out.  I also shred every credit card solicitation, since they contain way too much PII.  Shred all of your credit card receipts when you throw them out. If you lose your checkbook, get your account number changed and alert your bank to watch for activity.  Yeah, you'll have to let your mortgage company know but that's better than having to fix your credit rating for the next 3 years.

Online -- the usual still applies.  Buy from people you trust.  Don't save your credit card info on anyone's site.  Don't save your account numbers or credit card info anywhere on your PC, even encrypted.  It's only 16 numbers, they're not that hard to type!

My team just released a new security guide:  Server & Domain Isolation Using IPSec and Group Policy.  This soluton, aimed at enterprise IT Pros, is focused on how you can use IPSec and Group Policy to secure the data connections between systems.  One of the key threats that this can mitigate is the rogue computer, infected with a worm, that gets connected to a corporate wired network and, even without authentication, receives an IP address and attempts to find an infect other systems. 

Please let me know what you think!

Interesting -- a way to "ask" phonecams not to take your picture.  Problem is, it's probably omnidirectional and so will impact everyone trying to take a picture of anything in the vicinity.

I don't agree that this is paparazzi-proofing anyone -- how long will it take some entrepeneur to hack the controls and have a jam-free camera -- but it may well be a solution for areas that you shouldn't be using your phone cams in.  The locker room at my gym, for example, where cell phones are banned because of this.  I'd like to see this get out there commercially.

HP focuses on paparazzi-proof cameras | CNET News.com

If you're wondering how Microsoft bakes security into its software development practices, this paper (by one of the co-authors of "Writing Secure Code") takes you through the process.  This is far more than a guide for individual developers; it goes through the organization stucture and processes necessary to make this work for large software development projects. 

Link: MSDN Security Developer Center: The Trustworthy Computing Security Development Lifecycle

There is a new series of webcasts from Microsoft aimed at developers who want to know more about how to write secure code.  Here's a link.  This looks good although I haven't had a chance to preview the content. 

Digital Blackbelt Series: Defend Your Code from Attacks