According to ZDNet, “Coleman donor data breached in January, but donors alerted by Wikileaks not campaign:”
Donors to Minnesota Senator Norm Coleman’s campaign got a rude awakening this week, thanks to an email from Wikileaks. Coleman’s campaign was keeping donor information in an unprotected database that contained names, addresses, emails, credit card numbers and those three-digit codes on the back of cards, Wikileaks told donors in an email.
We contacted federal authorities at that time, and they reviewed logs from the server in question as well as additional firewall logs. They indicated that, after reviewing those logs, they did not find evidence that our database was downloaded by any unauthorized party.
I wanted to bring this up, not to laugh at Coleman (that’s Franken’s job, after all), but because we frequently see assertions that “there’s no evidence that…”
As anyone trained in any science knows, absence of evidence is not evidence of absence. At the same time, sometimes there really is sufficient evidence, properly protected, that allows that claim to be made. We need public, documented and debated standards of how such decisions should be made. With such standards, organizations could better make decisions about risk. Additionaly, both regulators and the public could be more comfortable that those piping up about risk were not allowing the payers to call the tune.
So last week I asked what people wanted to get out of RSA, and the answer was mostly silence and snark. There are some good summaries of RSA at securosis and Stiennon’s network world blog, so I won’t try to do that.
But I did I promise to tell you what I wanted to get out of it. My goals, ordered:
- A successful Research Revealed track. I think we had some great talks, a panel I’m not qualified to judge (since I was on it), and at least a couple of sell-out sessions. But you tell me. Did it work for you?
- See interesting new technology. I saw three things: Garner’s hard driver crusher (they have a “destroy” button!), Camouflage‘s database masking and some very cool credit card form factor crypto devices from Emue. (I’d add Verizon’s DBIR, but I saw that before the show.) Four interesting bits? Counts as success. Ooh, plus saw the Aptera car.
- Announce our new blog at Newschoolsecurity.com. Done!
- See friends and make five new ones. It turns out that the most successful part of this was my Open Security Foundation t-shirt. I urge you all to donate and get this highly effective networking tool.
- Connect five pairs of people who previously didn’t know each other. I counted seven, which makes me really happy.
What I didn’t want: a hangover. Only had one, Friday morning.
I received some excellent comments on my previous breach visualization post, which I wanted to highlight for EC readers and take a stab at addressing.
I took the latest DataLossDB.org breach database and extracted all breaches involving a third party, omitting all columns other than the reporting entity and the third party. I then ran the resulting two-column CSV file through afterglow, and finally made pretty (3MB) picture with graphviz.
This was done more for fun than for insight, but I thought others might be interested.
At one point during the RSA party hopping last week, Adam, Alex and I ended up at the Executive Women’s Forum event. I was feelng pretty punchy and decided that all three of us should have name tags that read “Adam Shostack”. If anyone asked, I just explained that we were promoting the new blog. Eventually I wandered off to another party and some other folks decided that this was a really good idea as well. By the time I got back to the W, there was a whole slew of Adam’s floating around. Those who subscribe to the “Pictures or It Didn’t Happen” school of thought can find all the evidence over on fickr photostream.
In 1999 Syse Data was converted to a limited liability company, and has since been trading under the name Syse Data AS. As the names are so similar, searches for our company in the official Norwegian registry of just-about-anything (Brønnøysundregistrene) often resulted in potential customers looking up the wrong company. To prevent this confusion we recently changed the name of the old (non-LLC) company, and figured we’d use the opportunity for some harmless – or so we thought – fun.
The old company was renamed to:
';UPDATE TAXRATE SET RATE = 0 WHERE NAME = 'EDVIN SYSE'
Apparently, the tax authorities noticed. You’ll need to read their page for more details. (Scroll down for English.)
As did Justin Mason.
In no particular order, your friendly neighborhood Dept. of Pre-blogging hereby predictively reports on:
Increased speculation, coupled with a spike in Twitter activity.
Politicization of the event from the Right (blame Mexico and/or Big Government), the Left (if we spent money in the right places, this would not happen), and out in left field (this is actually the result of an experiment by the CIA/NSA/World Bank/Freemasons/etc).
Rapid adoption of irrational coping mechanisms, perhaps including a run on N95 respirators and surface disinfectants.
Reassuring releases from the Pork Council that in addition to being the Other White Meat(tm), yummy bacon cannot transmit influenza unless it has previously been used as a handkerchief.
An upcoming Schneier blog item on swine flu hysteria being related to confirmation bias.
A huge congratulations to the winners of the Social Security Awards [on Wednesday] PaulDotCom won the Best Podcast Award, the crew at the SANS Internet Storm Center won the best Technical Blog award, the best Non-Technical Blog went to Richard Bejtlich of the TaoSecurity Blog, Sunbelt Security won the Best Corporate Blog and Mike Rothman from Security Incite won the Most Entertaining blog. Now we just need to get Mr. Rothman to start posting again.
See Martin McKeay’s post for more details of a great meetup.
Registration for The Eighth Workshop on the Economics of Information Security (WEIS 2009) is now open.
The deadline for the Early Bird registration is 1 June 2009.
We’ve written here often (and favorably) about WEIS, and about papers delivered there.
So I’m getting ready to head over to RSA, and I’m curious. If you believe that “security is about outcomes, not about process,” what outcomes do you want from RSA? How will you judge if the conference was worthwhile?