Abuse of the Canadian Do Not Call List

The Globe and Mail and the CBC each report that Canada’s Do Not Call list is being used by telemarketers both good and bad (where each term is relative).

This is a bit sad for Canada. The US’s DNC list has been very successful, and one of the very few places where the US has leadership in privacy. Before the DNC list, I used to get a dozen or so calls a day. The annoying ones would be the junk faxes coming to our main line between 3am and 6am. The nightly ritual had to include taking the phone off the hook for some time. These days, the only issue we have are the people we affectionately call “The Illegal Carpet Cleaners.”

On the other hand this is an opportunity. There’s a fine of up to $15,000 for violating the DNC list in Canada, and this could easily be a profit center for the privacy commission. If I were a legitimate firm in Canada, I’d be looking closely at my marketing plans now. No one’s going to feel sorry for the company that is found to have been calling people from a stolen DNC list.

Both articles point out that complete fraudsters are an issue, and companies such as “a Caribbean telemarketer selling fake Caribbean cruises” now have more numbers they can use. But those numbers are stolen property of a sort, and toxic. They can be a tool against foreign scammers. After all, the tourist board of said Caribbean island wouldn’t want to seem uncooperative to people trying to stop fraud and dinner interruptions. If I were a scammer, I’d also want to examine the phone numbers I have recently gotten, because those could be dangerous to have as well.

It remains to be seen how Canada will handle it, how they’ll track down the loss, how they’ll recover from it. It will be interesting to watch, because they’re good and they take privacy seriously. There’s the potential for some seriously tasty lemonade to be made from these lemons. I have my fingers crossed.

The New Openness?

This photograph was taken at 11:19 AM on January 20th. It’s very cool that we can get 1 meter resolution photographs from space. What really struck me about this photo was... well, take a look as you scroll down…

[Image: Obama inauguration from space]

What really struck me about this is the open space. What’s up with that? Reports were that people were being turned away. Why all the visible ground? Were those areas still filling in? Did security procedures keep away that many?

You can click through for a much larger version at the Boston Globe. [update: even larger version at GeoEye, purveyors of fine space imagery.]

The New Administration and Security

Quoting first from Obama’s inaugural address:

The question we ask today is not whether our government is too big or too small, but whether it works — whether it helps families find jobs at a decent wage, care they can afford, a retirement that is dignified. Where the answer is yes, we intend to move forward. Where the answer is no, programs will end. Those of us who manage the public’s dollars will be held to account — to spend wisely, reform bad habits, and do our business in the light of day — because only then can we restore the vital trust between a people and their government.

and then from the new Director of National Intelligence:

In an unusual comment from a man who will head the most secret agencies of government, [Dennis Blair] said, “There is a need for transparency and accountability in a mission where most work necessarily remains hidden from public view.” He said that if confirmed, he would “communicate frequently and candidly with the oversight committees, and as much as possible with the American people.” (“Blair Pledges New Approach to Counterterrorism,” NYTimes)

I was struck by Obama’s focus on transparency in his address, and I was struck by how easily we can substitute in ‘information security,’ “those of us who manage information security dollars will be held to account — to spend wisely, reform bad habits, and do our business in the light of day — because only then can we restore the vital trust…”

From the perspective of executives, information security spending is often wasteful. If you can see security problems, the money wasn’t spent well. We have a tendency to move with fads, and we certainly cover up our problems. For these reasons, we’re too often not trusted advisors to our businesses, but rather, we’re seen as obstacles.

The advice of Obama and Blair is something that we can all heed. Everyone knows there are security problems. It’s time, or even past time, to stop with the secrecy around most problems. We can communicate more freely. That’s change you should believe in.

Pinch me…

The Freedom of Information Act should be administered with a clear presumption: In the face of doubt, openness prevails. The Government should not keep information confidential merely because public officials might be embarrassed by disclosure, because errors and failures might be revealed, or because of speculative or abstract fears. Nondisclosure should never be based on an effort to protect the personal interests of Government officials at the expense of those they are supposed to serve. In responding to requests under the FOIA, executive branch agencies (agencies) should act promptly and in a spirit of cooperation, recognizing that such agencies are servants of the public.

All agencies should adopt a presumption in favor of disclosure, in order to renew their commitment to the principles embodied in FOIA, and to usher in a new era of open Government. The presumption of disclosure should be applied to all decisions involving FOIA.

Presidential memorandum, January 21, 2009

A few Heartland links

Well, Mordaxus got the story, but I’ll add some links I found interesting or relevant.

StoreFront BackTalk has From The Heartland Breach To Second Guessing Service Providers. Dave G at Matasano added “Heartland’s PCI certification.” The Emergent Chaos time travel team already covered that angle in “Massachusetts Analyzes its Breach Reports:”

What’s exciting about this is that we’re seeing the PCI standard being tested against empirical data about its effectiveness. Admittedly, the report jumps to conclusions from a single data point, but this is new for security. The idea that we can take a set of “best practices” and subject them to a real test is new.

Rich Mogull points out that:

This was also another case that was discovered by initially detecting fraud in the system that was traced back to the origin, rather than through their own internal security controls.

IDS users, vendors, or advocates: care to comment on why that’s happening?

Breach Misdirection

While we were all paying attention to the Inauguration and having merry debates about how many Justices can deliver the Oath of Office on a pin, what may be the biggest breach ever tried to tiptoe past.

Heartland Payment Systems may have lost 100 million credit card details, surpassing the 94 million that were lost in the TJX breach.

There aren’t many details, yet. Apparently the hackers were on the network for months, having gotten in through malware.

We will of course hear many more details on this. The USA Today article has some news. AP has the best reporting I’ve read, but they are ambivalent about pixels, so you’ll have to find it on your own.

Rethinking Risk

Now it’s no secret to those of you who know me that I’m a big believer in using risk management in the security space. Iang over at Financial Cryptography thinks it is “a dead duck”:

The only business that does risk management as a core or essence is banking and insurance (and, banking is debatable these days). For all others, risk management is just an ancillary aspect, a nice-to-have, something that others say is critical to you, but you ignore because you’ve got too much to do. So we have a choice: is security like finance, or is it like “the rest of business?”

I disagree. While it’s true that financials and insurance have done a much better job than anyone else of formalizing their risk management practices, every business does risk management to some degree; it’s part of the job of the C-Suite. Arguing that we don’t have data, so trying to do it in security is pointless, is taking the lazy way out. It’s true we don’t have as much data as we’d like, but as Hubbard said (more or less), “You don’t need as much data as you think, and you have more data than you think.” Or, in other words, we have to start somewhere.

On a related note, The Economist ran an article at the beginning of this year, from which I took the title of this post, “Rethinking Risk.”

What makes the current situation so dire is the way in which so many major risks are converging all at once: a credit crisis, volatile commodity prices, soaring government debt, rising unemployment and its attendant impact on consumer spending — the list goes on.
None of those risks are lost on CFOs, of course, who now have an additional impetus to address them: more pressure from boards. Corporate directors in most industries have gotten risk religion, says Henry Ristuccia, U.S. leader of Deloitte’s governance and risk-management practice in the Northeast. “More external directors are asking senior management: What are the company’s major risk issues? What are the dimensions of governance and risk management? What levers and tools does the company have in place for risk management?”

Now, The Economist doesn’t explicitly talk about security but as several companies including Hannaford and TJ Maxx learned, just because you’re not in the finance industry doesn’t mean you don’t face significant financial or security risk. A shame neither of them had real risk management in place.

President for Ten Minutes

During a chat I had this afternoon, someone brought up an interesting situation to contemplate. The Presidency of George Bush fils ended today at noon EST, but Mr. Obama wasn’t sworn in until 12:10. Who, then, the question was, was President during those ten minutes?

One mildly unsatisfactory answer is Ms. Pelosi. If there is neither a President nor Vice President, then the duty falls to the Speaker of the House.

An even less satisfactory answer is Mr. Biden. The way that was explained, he was sworn in at 11:58. I find it unsatisfactory for two reasons. The most important to me is that after conjuring up this inter-administration gap, this closes it before it started. The second reason follows from what I think the best answer is.

The best answer to my mind is the simplest: no one. The office doesn’t magically fall to the next person in line, they actually have to be sworn in. When Mr. Kennedy was murdered, there was a short gap between his death and Mr. Johnson being sworn in and during that gap, there was no President. It’s the swearing in that makes the President. Similarly, in the event that an election gets thrown into the House and they didn’t decide until the 21st, there’d be no President for that day.

If there was indeed a gap (I could argue there was none), the person to whom the office fell was unequivocally Mr. Obama. He was at the time President-Elect. Even if Mr. Biden were somehow actually Veep, the obvious President-to-be is the President-Elect. Of course, this is also why the answer of Ms. Pelosi is unsatisfying. Even if we’re running the Executive like a Swiss railway, we know who the incumbent executives are.

Nonetheless, it’s fun to muse over. Feel free to spin your own argument for whomever.

The clever reader may also note that I said “today” despite it being past midnight server time. I have a personal rule that it’s still today until one goes to bed; it’s still night until one has breakfast; it’s still morning until one has lunch. And besides, it’s still the 20th in Hawaii, the President’s home state.

Change I Can Believe In

From (the new) Whitehouse.gov:

Except where otherwise noted, third-party content on this site is licensed under a Creative Commons Attribution 3.0 License. Visitors to this website agree to grant a non-exclusive, irrevocable, royalty-free license to the rest of the world for their submissions to Whitehouse.gov under the Creative Commons Attribution 3.0 License.

http://www.whitehouse.gov/copyright/

Three short comments on the Inauguration

The reality that a black man is about to become President of the United States is both momentous and moving. It’s hard to say anything further on the subject that hasn’t been said and re-said, but I am simply proud that the pendulum has swung to someone like Obama.

I’m excited to have an educated, articulate, urban President. When I say urban I mean he lives in a city, not on a ranch, a farm, or in a vacation town. I don’t know what fraction of Americans are urban, but I do feel that we are under-represented by our Presidents.

It’s a sad reality that threats against him are higher than against other Presidents because of his race. Some black friends of mine are stunned that he made it through the campaign, and don’t expect him to make it through his first term. Despite crap like this, I don’t think anyone in the protection business wants to be the one who fails this President. Professional pride. At the same time, I’m with Mark Thompson, who, in Time, wrote “Is a Police State Necessary?” I believe that the answer is no. We don’t need to restrict strollers or thermoses from the broad inauguration zone. If we wish to keep those things from the innermost zones, that might make sense. We can’t allow our institutions and traditions to continue to be driven by fear. It’s a matter of hope.