Checks on Checks, or Shipping and Shipping Software

Paul Graham points out that big company checks on purchasing usually have costs, such as purchasing checks increase the costs of purchased items because the vendors have to factor in their costs of passing the checks.

Such things happen constantly to the biggest organizations of all, governments. But checks instituted by governments can cause much worse problems than merely overpaying. Checks instituted by governments can cripple a country's whole economy. Up till about 1400, China was richer and more technologically advanced than Europe. One reason Europe pulled ahead was that the Chinese government restricted long trading voyages. So it was left to the Europeans to explore and eventually to dominate the rest of the world, including China.

— The Other Half of "Artists Ship", by Paul Graham, November 2008

I would say western governments (especially the U.S.) subsidizing petroleum production and not renewable energy is one of the biggest source of current world economic, political, and military problems. Of course, lack of checks can also have adverse effects as we've just seen with the fancy derivatives the shadow banking system sold in a pyramid scheme throughout the world. It's like there should be a balance on checks. Which I suppose is Graham's point: without taking into account the costs of checks (and I would argue also the risks of not having checks), how can you strike such a balance?

He doesn't neglect to apply his hypothesis to SOX:

Loopholes Closed by FTC in CAN-SPAM Act Rules

The U.S. FTC has updated its regulations regarding the CAN-SPAM Act (PDF) to require:

(1) an e-mail recipient cannot be required to pay a fee, provide information other than his or her e-mail address and opt-out preferences, or take any steps other than sending a reply e-mail message or visiting a single Internet Web page to opt out of receiving future e-mail from a sender;

(2) the definition of “sender” was modified to make it easier to determine which of multiple parties advertising in a single e-mail message is responsible for complying with the Act’s opt-out requirements;

(3) a “sender” of commercial e-mail can include an accurately-registered post office box or private mailbox established under United States Postal Service regulations to satisfy the Act’s requirement that a commercial e-mail display a “valid physical postal address”; and

(4) a definition of the term “person” was added to clarify that CAN-SPAM’s obligations are not limited to natural persons.

— FTC Approves New Rule Provision Under The CAN-SPAM Act, Press Release, FTC, May 12, 2008

These changes appear to tighten up what is required of marketers; they have to say who they are and they can't weasel out by claiming a corporation is not a person.

However, it's not clear to me why it's opt-out that's required; why not opt-in? I never trust a spammer to process an opt-out; I assume they're just collecting more addresses. Plus the spammer still has ten days to process opt-out requests.

-jsq

Auditing Georgia Government Security

Georgia's governor wants to standardize information security reporting across the entire state government:

The Executive Order calls for a single set of information security reporting standards for all agencies to follow. Currently, state agencies use a variety of reporting standards, making it difficult to measure information security across state government or to track progress from year to year.

Governor Perdue has directed the Georgia Technology Authority (GTA) to work with the Georgia Department of Audits and Accounts and the Governor's Office of Planning and Budget to develop a reporting format and required content for agency information security reports. Each agency will be responsible for reporting to GTA at the end of the fiscal year. GTA will compile agency reports into a single Enterprise Information Security Report, available by October 31 of each year.

— Gov. Perdue Signs Executive Order Strengthening Georgia's Information Technology Security, News Report, Government Technology, Mar 20, 2008

I think this is a good move. Now how about monthly reporting in a publicly visible web page.

-jsq

Phishing Verified

Or is it really phishing when the victim first broadcasts his bank account details?

BTop Gear presenter Jeremy Clarkson has admitted he was wrong to brand the scandal of lost CDs containing the personal data of millions of Britons a "storm in a teacup" after falling victim to an internet scam.

The outspoken star printed his bank details in a newspaper to try and make the point that his money would be safe and that the spectre of identity theft was a sham.

He also gave instructions on how to find his address on the electoral roll and details about the car he drives.

However, in a rare moment of humility Clarkson has now revealed the stunt backfired and his details were used to set up a £500 direct debit payable from his account to the British Diabetic Association.

The charity is one of many organisations that do not need a signature to set up a direct debit.

— Clarkson stung by fraud stunt, Guardian Unlimited, Monday January 7 2008

He admits he was wrong, but nonetheless tries to pin the blame partly on a privacy law:

"The bank cannot find out who did this because of the Data Protection Act and they cannot stop it from happening again," he said. "I was wrong and I have been punished for my mistake."

At least he doesn't call for revoking that Act; he does call for going after the perpetrators.

-jsq

PS: Seen on BoingBoing.

Hammers to be Outlawed in UK

What can you expect when public, press, and government think "hacker" means criminal?

The UK government has published guidelines for the application of a law that makes it illegal to create or distribute so-called "hacking tools".

...

A revamp of the UK's outdated computer crime laws is long overdue. However, provisions to ban the development, ownership and distribution of so-called "hacker tools" draw sharp criticism from industry. Critics point out that many of these tools are used by system administrators and security consultants quite legitimately to probe for vulnerabilities in corporate systems.

The distinctions between, for example, a password cracker and a password recovery tool, or a utility designed to run denial of service attacks and one designed to stress-test a network, are subtle. The problem is that anything from nmap through wireshark to perl can be used for both legitimate and illicit purposes, in much the same way that a hammer can be used for putting up shelving or breaking into a car.

— UK gov sets rules for hacker tool ban, Consultants in frame? Definitely Maybe By John Leyden, The Guardian, Published Wednesday 2nd January 2008 15:54 GMT

How long will it be before a simple traceroute gets you not only disconnected from your ISP but also clapped in jail for "hacking"?

It gets better:

Better Products Bootstrap

Gunnnar notes the formation of a software vendor security best practices consortium and asks:

Why not bootstrap a Fortune 500 Secure Coding Initiative to drive better products, services and share best practices in the software security space?

— Secure Coding Advocacy Group, Gunnar Peterson, 1 Raindrop, 23 October 2007

Yes, if the customers demanded it, that might make some difference, and the vendors do pay the most attention to the biggest customers. Of course the biggest customer is the U.S. government, and they seem more interested in CYA than in actual security. And I'm a bit jaded on "best practices" due to reading Black Swans. But regardless of the specific form of better such a group demanded, demanding better security might make some difference.

Maybe they could also demand risk management, which would including having watchers watching ipsos custodes. Not just in the circular never-ending hamster wheel of death style, but for actual improvemment.

-jsq

Web Panopticons: China and U.S.

Fergie points out a university project investigating censorship:

The "Great Firewall of China," used by the government of the People's Republic of China to block users from reaching content it finds objectionable, is actually a "panopticon" that encourages self-censorship through the perception that users are being watched, rather than a true firewall, according to researchers at UC Davis and the University of New Mexico.

The researchers are developing an automated tool, called ConceptDoppler, to act as a weather report on changes in Internet censorship in China. ConceptDoppler uses mathematical techniques to cluster words by meaning and identify keywords that are likely to be blacklisted.

— University Researchers Analyze China's Internet Censorship System, News Report, Government Technology News, Sep 11, 2007

So the Great Firewall of China watches what users are doing by actively intercepting their traffic. Meanwhile, back in the U.S. of A., how about a passive web panopticon?

FISMA Failing

Shades of SOX complaints: the U.S. GAO reports that the Federal Information Security Management Act (FISMA) is failing:

When we go out and conduct our security control reviews at federal agencies, we often find serious and significant vulnerabilities in systems that have been certified and accredited. Part of it, I think, is just that agencies may be focusing on just trying to get the systems certified and accredited but not effectively implementing the processes that the certification and accreditation is supposed to reflect.

— Q&A: Federal info security isn't just about FISMA compliance, auditor says, Most agencies still have security gaps, according to Gregory Wilshusen, by Jaikumar Vijayan Computerworld, June 14, 2007

Sounds like they haven't implemented numerous simple security measures that were known before FISMA, they don't have processes to do so, and they don't adequately report what they're doing, even with FISMA. What to do?

Real ID? No, Say DHS's Advisors

The U.S. Government is proposing to implement a national identification scheme, yet the department that is supposed to implement it can't get its own advisors to agree:

The Department of Homeland Security's outside privacy advisors explicitly refused to bless proposed federal rules to standardize states' driver's licenses Monday, saying the Department's proposed rules for standardized driver's licenses -- known as Real IDs -- do not adequately address concerns about privacy, price, information security, redress, "mission creep", and national security protections.

— Homeland Security's Own Privacy Panel Declines to Endorse License Rules, Ryan Singel, Threat Level, Wired Blog Network, 7 May 2007

The committee says REAL ID is not "workable" or "appropriate".

This doesn't mean DHS won't implement REAL ID, however, with is approx. $21 billion cost to taxpayers and greatly increased paperwork required of all citizens, increased likelihood of identity theft, not to mention the obvious surveillance state implications.

Today, 8 May 2007, until 5PM EST, is the last chance to comment to DHS about REAL ID.

-jsq

Should a Breach be Unreported if It Wasn't Really Lost?

Adam has some ruminations on what should happen when a data loss has been reported, and it turns out the data wasn't really lost (the tape was found, the laptop was in the closet, etc.). While I can understand the temptation to strike out that entry in wherever it was logged, I think it's important to keep both the original report and a new report of the data being found. Why don't we see statistics on data that wasn't really lost, anyway? Is it because lost data is almost never found? Or just nobody thought to compile such statistics?

-jsq