http://emergentchaos.com/archives/2006/12/lets-look-at-some-data.html The Emergent Chaos Jazz Combo Mon, 15 Mar 2010 15:02:09 +0000 http://wordpress.org/?v=2.9.2 hourly 1 http://emergentchaos.com/archives/2006/12/lets-look-at-some-data.html/comment-page-1#comment-3021 Adam Tue, 02 Jan 2007 14:33:54 +0000 http://emergentchaos.com/?p=2145#comment-3021 That's FUBAR all right. Can't they fix the damned problems? How are you supposed to fix your systems if they have the same problem? That’s FUBAR all right. Can’t they fix the damned problems? How are you supposed to fix your systems if they have the same problem?

]]> http://emergentchaos.com/archives/2006/12/lets-look-at-some-data.html/comment-page-1#comment-3020 fubar Tue, 02 Jan 2007 14:17:15 +0000 http://emergentchaos.com/?p=2145#comment-3020 re: | 2006-12-12 - UCLA | | I haven't seen any discussion of the operating systems | used. My spider sense tells me this was SQL injection, | but this could easily be a case of OS or application | patches not being applied, poor configuration by | sysadmins (or, to turn it around, idiotic out-of-the-box | defaults), etc. Let's say the jury is still out. I do database work involving SSNs/names/etc. for a public university in california, and have not, as of 1/2/07, been able to find any actual facts as to the specific technical vulnerability/flaw that caused the problem at ucla. This may be a good sign. Presumably no one on the IT staff at ucla that actually knows the facts about the technical details of the data breach is authorized to discuss those facts, as doing so would potentially give information to malicious hackers. on the other hand, the lack of detailed public information leaves other database developers/admins in the dark about potential problems with their own data. adeu amics! re:
| 2006-12-12 – UCLA
|
| I haven’t seen any discussion of the operating systems
| used. My spider sense tells me this was SQL injection,
| but this could easily be a case of OS or application
| patches not being applied, poor configuration by
| sysadmins (or, to turn it around, idiotic out-of-the-box
| defaults), etc. Let’s say the jury is still out.
I do database work involving SSNs/names/etc. for a public university in california, and have not, as of 1/2/07, been able to find any actual facts as to the specific technical vulnerability/flaw that caused the problem at ucla. This may be a good sign. Presumably no one on the IT staff at ucla that actually knows the facts about the technical details of the data breach is authorized to discuss those facts, as doing so would potentially give information to malicious hackers. on the other hand, the lack of detailed public information leaves other database developers/admins in the dark about potential problems with their own data.
adeu amics!

]]> http://emergentchaos.com/archives/2006/12/lets-look-at-some-data.html/comment-page-1#comment-3019 Dissent Mon, 01 Jan 2007 14:16:06 +0000 http://emergentchaos.com/?p=2145#comment-3019 Yes, I read about the FDE and mandate. It applies to mobile devices or remote access. It does not seem to apply to the huge databases themselves that are on agency or federal computers that are not intended to leave the premises, which still permits the likelihood of more hacks of govt computers and databases. Then, too, we're talking about the same govt that created a Civil Liberties and Privacy Oversight Board that didn't even have its first meeting for over a year. So maybe the FDE mandate will provide some increased security for federal laptops and mobile devices in the future, but I don't see this mandate as being anywheres near enough to deal with the potential for more massive federal data breaches. And of course, the mandate does not apply to state and local govts who may now be receiving or accessing these huge databases (I'm thinking of the OneDOJ database, for example). So the possibility remains that even with federal laptops supposedly more secured, the data could still be breached by other means. Yes, I know, I know, I'm pessimistic. But frankly, my belief in this govt tanked circa 1970, and it's only been downhill from there. I really would be more hopeful if the 110th Congress actually *did* something to mandate greater security and protection. Yes, I read about the FDE and mandate. It applies to mobile devices or remote access. It does not seem to apply to the huge databases themselves that are on agency or federal computers that are not intended to leave the premises, which still permits the likelihood of more hacks of govt computers and databases.
Then, too, we’re talking about the same govt that created a Civil Liberties and Privacy Oversight Board that didn’t even have its first meeting for over a year.
So maybe the FDE mandate will provide some increased security for federal laptops and mobile devices in the future, but I don’t see this mandate as being anywheres near enough to deal with the potential for more massive federal data breaches.
And of course, the mandate does not apply to state and local govts who may now be receiving or accessing these huge databases (I’m thinking of the OneDOJ database, for example). So the possibility remains that even with federal laptops supposedly more secured, the data could still be breached by other means.
Yes, I know, I know, I’m pessimistic. But frankly, my belief in this govt tanked circa 1970, and it’s only been downhill from there. I really would be more hopeful if the 110th Congress actually *did* something to mandate greater security and protection.

]]> http://emergentchaos.com/archives/2006/12/lets-look-at-some-data.html/comment-page-1#comment-3018 Chris Mon, 01 Jan 2007 13:06:30 +0000 http://emergentchaos.com/?p=2145#comment-3018 I hear you, Dissent. However, the turn of the year brings, if fleetingly, renewed optimism :^) At least regarding your point 2, I think the Feds are looking hard at data at rest encryption. According to <a href="http://www.xml-dev.com/pipermail/fde/2006-December/000087.html" rel="nofollow">mailing list traffic</a>, millions of seats are going to be deployed, with product selction now under way. Not sure what the scope is, since my ability to wade through bureaucratese is minimal, but I am somewhat heartened by <a href="http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf" rel="nofollow">this directive</a> [pdf] from the White House, and the ensuing <a href="http://www.fbo.gov/spg/USAF/AFMC/ESC/FA8771-07-R-0001/Attachments.html" rel="nofollow">acquisitions activity</a>. I hear you, Dissent.
However, the turn of the year brings, if fleetingly, renewed optimism :^)
At least regarding your point 2, I think the Feds are looking hard at data at rest encryption. According to mailing list traffic, millions of seats are going to be deployed, with product selction now under way. Not sure what the scope is, since my ability to wade through bureaucratese is minimal, but I am somewhat heartened by this directive [pdf] from the White House, and the ensuing acquisitions activity.

]]> http://emergentchaos.com/archives/2006/12/lets-look-at-some-data.html/comment-page-1#comment-3017 Tom Mahoney Mon, 01 Jan 2007 12:47:06 +0000 http://emergentchaos.com/?p=2145#comment-3017 I'll be the first to admit that I have no love for MS, but I'll agree that Redmond isn't to blame in most credit card fraud situations. It's the credit card industry in general that's to blame. They don't care. Until the industry tightens up their own house, we're stuck with the situation. Tom Mahoney. Director Merchant911.org Merchants united to protect themselves against fraud I’ll be the first to admit that I have no love for MS, but I’ll agree that Redmond isn’t to blame in most credit card fraud situations.
It’s the credit card industry in general that’s to blame. They don’t care. Until the industry tightens up their own house, we’re stuck with the situation.
Tom Mahoney. Director
Merchant911.org
Merchants united to protect themselves against fraud

]]> http://emergentchaos.com/archives/2006/12/lets-look-at-some-data.html/comment-page-1#comment-3016 Dissent Mon, 01 Jan 2007 12:30:43 +0000 http://emergentchaos.com/?p=2145#comment-3016 Good post, Chris. With respect to your own predictions:<br> 1. I don't think we'll see a lot of voluntary encryption unless Congress passes some tough legislation that makes it worth everyone's while to encrypt, i.e., have tougher notification requirements and penalties for breaches involving unencrypted records; and 2. I don't agree with your prediction that unnecessary information will not be stored as thoughtlessly. Indeed, as we see/hear about more huge govt databases that are being shared with localities, I think we're going to see a worsening of the situation in 2007. I hope you're right and I'm wrong, but I'm just not optimistic about this. Cheers, and HNY, /Dissent</br> Good post, Chris. With respect to your own predictions:
1. I don’t think we’ll see a lot of voluntary encryption unless Congress passes some tough legislation that makes it worth everyone’s while to encrypt, i.e., have tougher notification requirements and penalties for breaches involving unencrypted records; and
2. I don’t agree with your prediction that unnecessary information will not be stored as thoughtlessly. Indeed, as we see/hear about more huge govt databases that are being shared with localities, I think we’re going to see a worsening of the situation in 2007. I hope you’re right and I’m wrong, but I’m just not optimistic about this.
Cheers, and HNY,
/Dissent

]]>