Security Pie

Our Google ranking must be higher now. Otherwise, I can’t explain the increase in the amount of spam (via comments) that Securitypie.com is receiving. It might be Assaf’s recent rant on Google and Windows or maybe that we are now running a newer version of WordPress.

Whatever the reason is, we are getting much more spam. Some of it is lame, other (though few) is more sophisticated. In the future we should publish the best spam messages….

So it is becoming an epidemic: Youngsters around the world, who have access to highly classified documents, share them.

In Israel, we had a well publicized case of Anat Kam, now 23, an army secretary who had decided, on her own accord, to release classified documents to a reporter. http://www.nytimes.com/2010/04/09/world/middleeast/09israel.html

And, as AB loves to say, what happens in Israel will always happens elsewhere. So the US now has an information “spy” of it’s own, one specialist Bradley Manning, 22, who released to secret documents on Wikileaks. See http://www.theregister.co.uk/2010/06/07/wikileaks_arrest/.

Both were young, both were not “spies” in the sense that they were not “operatives” of a state, but were still at an age where “correctness of action” and “ideology” and “duty” are mixed up. IMHO, these immature individuals were unable to identify the severity of their action. Sure, they intentionally released data they thought warrented public scrutiny; they wanted to promote transparency since they were brought up on the notion that sunlight disinfects; and they believed that their democracy was strong. They thought they were “doing the right thing”.

They were unable, however, to fathom the risk that their actions would create. What does a secretary know about international diplomacy and politics? What does she know about combat operations? Can she anticipate how many deaths would she directly cause by the disclosure of the data? Having sat through some complex classification exercises, I can safely say that she had no clue. As for Bradley Manning, the fact that he boasted of his “accomplishments” to fellow hackers and over Facebook reveals his lack of understanding of the severity of what he did.

So we expect youngsters to handle confidential data. Data they are severly ill equipped to fully grasp and understand the consequences of a data exposure. We assume it is their sense of duty: It worked in the past. But now these youngsters have laptops, smartphones, USB keys and other devices.

Now governance controls are important. Neither of these occurences were detected via some sort of data governance scheme, but some time after the leaks had occured. Really, shame on our security forces!

However, even governance controls, while important, are not enough. It is now even more important for HR to step up to the plate and seperate the mature, responsible adults (even at age 18) from the rest. The easy access to distribution mechanisms make silly leaks possible, and likely. Immature individuals, like mssrs Anat Kam and Bradley Manning should never have been allowed near sensitive data.

/al

Google has decided that “due to security concerns” it will phase out Windows on its endpoints. See http://www.ft.com/cms/s/2/d2f3f04e-6ccf-11df-91c8-00144feab49a.html.

A few thoughts:
1. Understandably Google is repositioning it’s own Chrome OS and Mac OS as an alternative to Windows as part of their competitive struggle with Microsoft.
2. Google’s CIO is attempting to sweep Google’s proven incompetence in securing the email accounts of Chinese activists as a byproduct of Microsoft’s OS. This method was used 12 month earlier by bank executives claiming “we weren’t at fault; it was those damn credit default swaps and collateralized debt obligations”. Google is incompetent. Microsoft might also be also be incompetant, but it is beside the point.
3. Google is implying that replacing all endpoints is a security strategy. It is not. Google should invest in understanding security: an endpoint should not be the only line of defense. I recommend developing a comprehensive security strategy based on risks to their (and my) data and executing against that strategy. As part of their security strategy, a broken endpoint should NEVER be allowed to poke holes in their infrastructure.
4. If there was a culprit, it was Explorer. Perhaps Google should use a different browser? Also, Google CIO should read about Windows 7. It has a much better security model.
5. Mac is being more successful in the workspace anyway. Anyone who has gone to a meeting and counted the number of Mac’s knows this, and it started long before Aurora came along (in fact, I think it happened when Apple moved away from silly white plastic to the me-too Sony VAIO Aluminium/Magnesium look).
6. Is Bing crawling under Google’s skin?
7. Google should keep at least a few endpoints of Microsoft for the sake of product quality. At least to do compatibility and QA for Google products running on Explorer and Microsoft OS. I can foresee Google’s CIO being busy for the next few years signing waivers for Microsoft OS. I suggest e-signatures.

/al

So email bites. Today an associate sent an email they shouldn’t. Not to worry, will be taken care of. just one extra recipient to call and ameliorate.

Facebook bites. Not in privacy. CEO Zuckerberg told us all that we don’t expect privacy and he is probably correct. Now I don’t think that we all necessarily want to voluntarily give up our right to privacy, but that we all put our status up on Facebook, pictures of spouse, kids, etc. Pretty soon we become an open book.

The recent debacle over privacy settings and the “turn Facebook off” day reminded me of the scene in Monty Python’ Life of Bryan when Stan wants to have a baby, so I paraphrase:
Judith: Why do you want to be Loretta, Stan?
Stan:I want to have privacy.
Reg: You want to have privacy?!?!?!
Stan: It’s every man’s right to have privacy if he wants them.
Reg: But you can’t have privacy.
Stan: Don’t you oppress me.
Reg: I’m not oppressing you, Stan — you haven’t got a womb. Where’s the privacy going to gestate? You going to keep it in a box?
(Stan starts crying.)
Judith: Here! I’ve got an idea. Suppose you agree that he can’t actually have privacy, not having a womb, which is nobody’s fault, not even the Romans’, but that he can have the *right* to have privacy.
Francis: Good idea, Judith. We shall fight the oppressors for your right to have privacy, brother. Sister, sorry.
Reg: (pissed) What’s the *point*?
Francis: What?
Reg: What’s the point of fighting for his right to have privacy, when he can’t have privacy?
Francis: It is symbolic of our struggle against oppression.
Reg: It’s symbolic of his struggle against reality.

So assume the right to have privacy is there, while privacy, well, is nigh dead. Nada, Kaput. Gone. To paraphrase the famous Python Dead Parrot sketch:
‘E’s not pinin’! ‘E’s passed on! This privacy is no more! He has ceased to be! ‘E’s expired and gone to meet ‘is maker! ‘E’s a stiff! Bereft of life, ‘e
rests in peace! If you hadn’t nailed ‘im to the perch ‘e’d be pushing up the daisies! ‘Is metabolic processes are now ‘istory! ‘E’s off the twig! ‘E’s kicked the
bucket, ‘e’s shuffled off ‘is mortal coil, run down the curtain and joined the bleedin’ choir invisibile!! THIS IS AN EX-PRIVACY!!

Where Facebook should be investing is teaching youngsters how to position themselves for the future. An elephant never forgets. But elephants do die. Databases never forget and never die. (or perhaps it is their backups that live forever.).

Indiscretions, pictures with a bung, proclivities, all live forever. Get used to it. Children must learn to manage their online image if they are to have a chance in their 20′s.

What is Facebook doing to teach them how to manage their online presence?