Saturday, March 29, 2008

New Blog URL

It's encouraging to see that, according to Feedburner, we still have a few loyal subscribers out there. Sorry for being silent for so long! But we've started our own blog over at http://livebolt.com/blog/ --- so please update your bookmarks and your readers, and join us over there for what should prove to be some great discussions!

Cheers,
LiveBolt Identity

Friday, July 6, 2007

Marketplace or extortion?

I recently read about WabiSabiLabi, where exploits are for sale to the highest bidder. At the moment, you can bid on security exploits in Linux, Yahoo Messenger and a couple of web applications. Here's a link to the article on c|net.

Owners of the site insist that it ensures researchers are funded and compensated for their efforts, and liken it to funding the fire department so they know how to put out a fire.

Opponents argue that this doesn't improve the current private, back-alley transactions -- it just puts them front-and-center.

Marketplace or extortion? Your thoughts?

Monday, July 2, 2007

Stolen identity? $6... Using someone else's MasterCard for that plasma TV? Priceless...

According to a recent article, it looks like stolen identity information, from account names and passwords to Social Security numbers and full credit card numbers, is available for $6 to $18 a pop.

A few posts ago I talked about the concept of pay-to-protect. With stolen identity information being offered so cheap, is it only a matter of time before people DO start to pay-to-protect?

Some businesses offer services -- such as ID theft insurance, credit monitoring, credit restoration and credit card insurance -- but most experts agree that with careful planning and organization, you can get the same results for free.

An interesting follow-up article talks about how to better protect yourself from identity theft for free. Some very good pointers.

I followed the advice of an article in the News a few months ago to stop getting those pesky "pre-approved" financing offers and credit card applications. While the News archive has the article offline now, here's what we did to stop the mailings.

Contact the credit bureaus to opt out of receiving preapproved credit offers for two years. Just call the toll-free number 1-888-5-OPTOUT (567-8688). You'll be asked for your personal information, including your name and Social Security number. The article states, "Don't worry - it's completely confidential and safe."

You should also notify the three major credit bureaus - Equifax, Experian and TransUnion - directly. Let them know that you don't want your name or other personal information shared with others for promotional purposes.

You can also opt out of direct-mail marketing from many national companies for five years by registering with the Direct Marketing Association (DMA) at www.dmaconsumers.org/offmailinglist.html.

Taking these steps had an IMMEDIATE and DRAMATIC effect on the amount of junk mail we got at home. I have to think that it improves my odds of being a little bit safer (and maybe save a few trees in the process? ;-) )

Thursday, June 28, 2007

New Zealand Banking Law Shifts Security Responsibility to Customer

An article in Computerworld (link) notes that New Zealand has shifted the burden of security responsibility, and the burden of proof, from the bank to the customer in cases of alleged online theft or fraud.

There has been some debate on the concept. It certainly makes some sense to say that if you don't protect your access methods, then why should the bank be liable for your financial losses?
But there's also the issue of customer service. The whole point of online access is to provide additional/better customer service. Shouldn't the bank also provide adequate tools to allow their customers to operate in safety? And what about the role of NAC and endpoint security in this scenario? Doesn't it make sense to check the customer's PC before the transaction is allowed?

What other issues should be considered, before this shows up in the US Congress?

Wednesday, June 27, 2007

Privacy isn't free?

So Charles sent out a link to a few of us on an article, "Price of Privacy," from Bob Sullivan at MSNBC.com's Red Tape Chronicles site.

The article discussed individual privacy, looking at the concepts of "pay to allow" and "pay to protect."

The article proves the point that people value certain personal identity "attributes" (and their values) more than others, depicted through the divergence of the dollar-values when asked to "allow" or "protect" access.

No kidding. :-)

But from a "you-and-me" perspective, I just don't see the concept of an individual pay-to-allow or pay-to-protect becoming a part of everyday life.

As the author notes in his examples, "avoiding store loyalty cards can be very expensive." No kidding. :-)

Pay-to-allow or pay-to-protect is a fun way to look back. I sometimes have a hard time distinguishing between the two.

Using the loyalty card example at, let's say, a grocery store -- and since we love bananas, I have to buy a pound of bananas every week regardless. Let's say they cost $3. If I use my Shoppers Club card, I save $.50 and pay only $2.50 for bananas. If I don't use my loyalty card, it costs me $3 for bananas.

As the concept goes, my grocery store is paying me $.50 for giving them information on my love of bananas.

But aren't I paying them an extra $.50 if I decide that I don't want them to track my purchases?

I understand the importance of the exercise, especially from the perspective of an individual who has been harmed by a breach of privacy and, from a legal perspective, is seeking compensatory damages.

But as long as we're talking legalese -- let's think about the punitive side of the issue.

Businesses are governed, among other things, through legislation, regulation and policy, but also behave based on the risk (real or perceived) of legal action resulting in the payment of punitive damages, or bad press.

These two areas -- policy and legal -- are what will shape the face of individual privacy (not the individual themselves) in the months and years to come.

Patient information was freely shared before HIPAA.

Businesses did very little to notify individuals of data breaches until California Senate Bill 1386.

TJX's significant data loss (theft) resulted in... lawsuits. No fines that I could find. I wonder if they still qualify for VISA PCI Incentives?

The bottom line is, individuals aren't capable of managing their privacy. Not for lack of intelligence, and not for lack of trying, but for lack of the "giant centralized LDAP in the sky." The decentralized nature of all that personal data means the only practical solution is for those businesses (and individuals) using and storing the data to be responsible for proper handling and disclosure.

Reveal business or trade "secrets" --- go directly to jail.

Reveal your customers' "secrets" --- maybe get some bad press? A few civil suits?

The only way to ensure proper handling of our data is to apply a strong "visible hand" (sorry Adam Smith) to businesses -- regulations and public policy, that have stiff penalties for data breaches.

And as a side effect, that generates more need for IT Security guys like me. :-)

...in my humble opinion.......