Jeff's InfoSec Blog : Privacy

The Trustworthy Computing Security Development Lifecycle

jeffnew — Mon, 28 Mar 2005 18:31:00 GMT

If you're wondering how Microsoft bakes security into its software development practices, this paper (by one of the co-authors of "Writing Secure Code") takes you through the process. This is far more than a guide for individual developers; it goes through the organization stucture and processes necessary to make this work for large software development projects.

Link: MSDN Security Developer Center: The Trustworthy Computing Security Development Lifecycle

DRM is anti-privacy???

jeffnew — Thu, 10 Feb 2005 00:38:00 GMT

DRM is one of those fascinating areas where we really haven't explored the implications of our decisions. I have seen a lot of complaints about Napster's requiring you to be a mamber of their service in order to continue to listen to music that you downloaded under their subscription. So, your license is somewhat transient, even though it feels like you're buying the music.

This working document from the European Union is another great example of that. This working team feels that "digital watermarking" -- the process of putting a unique identifier into a file so that you can track who downloaded it and where it came from -- could be somehow be used to obtain personally identifiable information (PII) and combine it with music listening habits to somehow use the resultant info for nefarious marketing purposes.

Quote: "...where information is exchanged over the internet, more and more digital watermarks tags are being used to track users and their preferences - for example, when a music track is purchased online, the purchaser has to enter their account information and unique identifier. "

What isn't clear to me is how they think that this will happen, and why the existing laws aren't good enough. Something has to read the tag and then somehow report that info (and anything else it can vacuum up) back to another agency. What is that "something"? Is it a media player? The operating system? Presumably the creator of that software is already covered by the EU's Data Protection Directive. Perhaps it is spyware... but if there is spyware on my PC looking at the metadata within individual files it already has access to a large amount of PII about me.

Sorry, I don't buy it. Yes, the authors are correct in saying that watermarking files is propagating PII, but any chance to read it will happen in a space that already has access to a lot (probably far too much) PII. I really need to worry about more substantive issues, and so should they.

Digital rights management 'could threaten privacy' - silicon.com

Former AOL employee pleads guilty in spam case

jeffnew — Mon, 07 Feb 2005 19:00:00 GMT

Ouch -- 92 million screen names and email addresses stolen from AOL. The guy netted $28k, and will have to pay $200-400k in restitution. Not exactly a lucrative business, was it?

Once again we see privacy compromised from the inside -- nothing that the individual account holder could have done would have prevented this.

MSNBC - Former AOL employee pleads guilty in spam case

Identity theft -- keep buying online, but shred your receipts!

jeffnew — Wed, 26 Jan 2005 19:25:00 GMT

According to the Better Business Bureau's "2005 Identity Fraud Survey Report" the most common source of identity theft is a lost wallet or check book. Only 11.6% of identity fraud came from access to online records.

Here's an interesting observation: customers who regularly monitor their bank accounts online detected fraud far earlier than those who review paper statements, and their average loss was $551 versus $4,543 for paper statement. It didn't say how "regularly" you should check but I recommend 1/week.

Paper continues to plague us. Get a home shredder, and shred everything with an account number on it before you throw it out. I also shred every credit card solicitation, since they contain way too much PII. Shred all of your credit card receipts when you throw them out. If you lose your checkbook, get your account number changed and alert your bank to watch for activity. Yeah, you'll have to let your mortgage company know but that's better than having to fix your credit rating for the next 3 years.

Online -- the usual still applies. Buy from people you trust. Don't save your credit card info on anyone's site. Don't save your account numbers or credit card info anywhere on your PC, even encrypted. It's only 16 numbers, they're not that hard to type!

Paparazzi-proof cameras

jeffnew — Wed, 26 Jan 2005 19:14:00 GMT

Interesting -- a way to "ask" phonecams not to take your picture. Problem is, it's probably omnidirectional and so will impact everyone trying to take a picture of anything in the vicinity.

I don't agree that this is paparazzi-proofing anyone -- how long will it take some entrepeneur to hack the controls and have a jam-free camera -- but it may well be a solution for areas that you shouldn't be using your phone cams in. The locker room at my gym, for example, where cell phones are banned because of this. I'd like to see this get out there commercially.

HP focuses on paparazzi-proof cameras | CNET News.com