As I mentioned in this morning's TDI, Dark Reading put a stake in the ground by defining the "Top 10 Myths of IT Security." The link to the entire article is here. Having no pride, I figure I may as well jump on their coattails, add my two cents, and kick off some discussion on topics that I'm sure will generate passionate discourse. So without further ado, let's jump right in:
Myth #1: Epidemic Data Losses (link here)
"Let's all take a breath together: There is no data loss epidemic."
So the Dark Reading guys start off with a bang, that's for sure. They make this statement and then go on to reference the CSI/FBI survey to validate that security risks are going down. WRONG! Let me say that again: WRONG!
Attacks are more targeted, so we are seeing fewer of the massive outbreaks, but I posit that more attacks are successful. We just don't know about most of them. And let's debunk the debunking of this myth: THERE IS A DATA LOSS ISSUE. The fact that it isn't a major, catastrophic issue yet is pure luck.
Millions of customers have had enough information compromised to be potential victims of identity theft. Has it happened yet? I don't know. Lots of folks have an issue, but it's hard to point back to one lost laptop, so to speak. And the idea that we've been losing stuff for years and it's only an issue now because the Feds make us report it is just asinine. The fact that the status quo is to screw up doesn't mean we can or should accept it.
So, I give their first myth-buster a C. They are wrong, but the impact has not yet been felt or correlated back to these data losses.
Myth #2: Anything but Microsoft (link here)
"Nothing is bulletproof these days."
This one is better. Clearly Microsoft is a much bigger target, but that doesn't mean you should just buy a Mac (or use Linux) and stop worrying. You still have other devices (servers, etc.) and data that can be compromised. Yes, I use a Mac when traveling. I think it is safer and definitely easier to use. It also gives me street cred with the Gen X crowd. OK, not so much. But what it isn't is bulletproof. Everyone should think in layers and make sure their network security posture is strong.
This one is better. B+
I'll be back next week to address a couple more of the myth-busters.
This week I'm getting the pipe because NetworkWorld doesn't publish due to the July 4th holiday here in the US. 125,000 readers will be in search of their Rothman fix, but alas they'll get two weeks of Kevin Tolly instead. Can you hear the cries of despair from around the world?
I wrote a column anyway and they were kind enough to highlight it on the home page (with the wrong link, of course - but that will be fixed in an hour or two).
In this column I go after all of you, basically pointing the finger at ourselves for many of these privacy breaches. Everyone always wants a silver bullet to stop these privacy breaches and get employees to consistently do the right thing, but get over it - there is none. But there are things we can do both in the short term and longer term to help alleviate the problem. Note I said alleviate, as opposed to eliminate.
So, check it out and let me know what you think.
This week a new organization called "StopBadware.org" launched. The initiative is driven by some educational heavyweights like the Berkman Center at Harvard and Oxford's Internet Institute, with some Consumer Reports fairy dust thrown in for good measure. These folks aim to provide a Consumer Reports-like function that reports on software with bad stuff (spyware, trojans, etc.) embedded in it, so that it can be avoided.
If consumers go check out this site, they can find out whether an application is on the "bad list" and should thus be avoided. This is a very good concept, but the likelihood of success is minimal at this point.
Gosh, I'm being a party pooper again and it's not even happy hour yet (actually it's about 2:45 in ATL). That's right, I don't think a Consumer Reports type of function is the answer to stopping badware. Why? Because the people who really need to check out StopBadware.org won't. Most consumers are not educated enough to know they shouldn't download stuff. How on earth are they going to know to visit a website before they download the bad stuff?
The most likely targets for all this spyware/adware, etc. are not the folks who run anti-spyware software or AV or have a personal firewall activated (like you and me, if you are reading this blog). So this web site is not going to have much impact.
What could possibly change this? If Microsoft and Apple added a check against StopBadware.org as part of the software install process, that would help. At this point, my trusty iBook (yes, I switched over to a Mac when I left corporate life) tells me that I'm loading an application, but it doesn't tell me whether that application is known to be a festering cesspool of malware. If I knew that ahead of time, potential problems could be avoided.
Maybe StopBadware.org will also integrate some type of "reputation" capability so that users could vote on each piece of software. Not unlike spam, spyware/adware is sometimes in the eye of the beholder. The fact that someone reported an application to this web site doesn't make that application "badware." This organization needs to make sure there is a clean and quick process to dispute a rating. What you don't want is another email blacklist system that ends up penalizing good companies because some moron decides they didn't really mean to opt in to a message list.
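To make the two preceding points concrete, here is an added example (my own sketch, not code from StopBadware.org, Apple or Microsoft, none of which publish anything this reads) of what an install-time check against a badware list could look like, including a "disputed" status so a vendor contesting a rating is warned about rather than blocked outright. The installer payloads, product names, hashes and list entries are all constructed for the example. It also shows the main weakness of an exact-hash list: a trivially repacked copy of a listed installer no longer matches.

```python
import hashlib
from typing import Dict, Tuple

# Verdicts an installer could surface to the user before running a package.
BLOCK = "block"      # confirmed badware: refuse to install
WARN = "warn"        # listed, but the rating is under dispute: prompt the user
UNKNOWN = "unknown"  # not on the list; NOT the same thing as "clean"


def sha256_hex(data: bytes) -> str:
    """Hash the installer bytes; the list is keyed on this digest."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for real installer binaries (hypothetical content).
KNOWN_BAD_INSTALLER = b"MZ\x90\x00 ExampleAdwareBundle-setup.exe (constructed)"
DISPUTED_INSTALLER = b"MZ\x90\x00 ExampleToolbar-setup.exe (constructed)"
BENIGN_INSTALLER = b"MZ\x90\x00 ExampleEditor-setup.exe (constructed)"

# Constructed badware list: digest -> {name, status}. A real service would
# distribute something like this as a signed feed; here it is built inline
# so the digests are guaranteed to match the sample payloads above.
BADWARE_LIST: Dict[str, Dict[str, str]] = {
    sha256_hex(KNOWN_BAD_INSTALLER): {
        "name": "ExampleAdwareBundle",
        "status": "confirmed",
    },
    sha256_hex(DISPUTED_INSTALLER): {
        "name": "ExampleToolbar",
        "status": "disputed",  # vendor has filed a dispute; rating not final
    },
}


def check_installer(data: bytes,
                    badware_list: Dict[str, Dict[str, str]] = BADWARE_LIST
                    ) -> Tuple[str, str]:
    """Return (verdict, reason) for an installer about to be run.

    Absence from the list yields UNKNOWN, deliberately not "clean": a denylist
    only knows about what has been reported to it.
    """
    entry = badware_list.get(sha256_hex(data))
    if entry is None:
        return UNKNOWN, "not on the badware list (this is not a clean bill of health)"
    if entry["status"] == "confirmed":
        return BLOCK, "%s is listed as confirmed badware" % entry["name"]
    if entry["status"] == "disputed":
        return WARN, "%s is listed, but the rating is under dispute" % entry["name"]
    raise ValueError("unexpected list status: %r" % entry["status"])


def repack(data: bytes) -> bytes:
    """Simulate an adware vendor re-releasing the same installer with a
    cosmetic change. Any byte difference defeats an exact-hash match, which
    is why hash-only lists lag behind whoever is pushing the software."""
    return data + b"\x00"


if __name__ == "__main__":
    for label, payload in [("confirmed bad", KNOWN_BAD_INSTALLER),
                           ("disputed", DISPUTED_INSTALLER),
                           ("benign", BENIGN_INSTALLER),
                           ("repacked bad", repack(KNOWN_BAD_INSTALLER))]:
        verdict, reason = check_installer(payload)
        print("%-14s -> %-7s %s" % (label, verdict, reason))
```

The repacked case is the one to notice: the same adware with one extra byte falls through to UNKNOWN, so an OS-level hook like this catches only exact copies of what has already been reported. That is still better than no check, but it is an argument for pairing the list with publisher identity or behaviour-based signals rather than relying on it alone.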
So, I like the idea of a public service that tracks bad applications to be avoided, and maybe StopBadware.org will get there. Let me say I hope these folks get there, but they'll need to mature quickly to gain relevance.