Thursday, April 26, 2007

When Will They Ever Learn?

Well, folks, don't say I didn't warn you. In July of 2006, when the Fedabobble Gummint started work on anti-spyware legislation, I expressed my usual curmudgeonly cynicism over the likely results. Among other things, I noted that the FTC had already told Congress it didn't need any additional legislation (a fact reinforced by recent successful actions against spyware offenders) and that at least one major spyware vendor was backing the effort, making it all of questionable value at best.

Comes now blogger Ed Foster at InfoWorld with evidence that my crystal ball was, at least in this case, in good working order. H.R. 964, the so-called Spy Act, carves out major exceptions for ISPs, software vendors, and pretty much anybody else who can claim you're doing business with them. Worse yet, the bill preempts stricter state laws and states that "no person other than the Attorney General of a State may bring a civil action" in such cases.

Had this bill been law when Sony installed its infamous rootkit on the PCs of unsuspecting consumers, there would have been no legal remedy available to individuals. Only a state AG could have taken action, and s/he wouldn't have in any case because the law would have made that rootkit legal.

Time to notify your Congresscritters that they should be spending more time cleaning up Bush Jr.'s mess in Iraq and less time pushing special interest legislation for their corporate cronies.

Wednesday, April 18, 2007

Chinese Rock

When it comes to technology issues, does this country's right hand know what the left hand is doing? Reading the on-line IT trade journals, the only possible answer I can come up with is a resounding “no”.

The latest example: a U.S. House of Representatives probe into hack attacks on government servers that appear to have originated in China.

To anyone following computer security issues, this is about as surprising as the discovery that the sun appeared to rise in the East this morning.

In America's corporate board rooms, however, the sun must be rising somewhere else, because, by an amazing coincidence, the hot new place to which corporate America is shipping IT jobs and company data as fast as it can is - China.

Maybe I'm just old-fashioned, but it strikes me as just a wee bit suicidal to be cheerfully sending confidential data to a country which:

  • Is run by an autocracy that hasn't changed its hostility toward human rights since the Tiananmen Square massacre
  • Has an attitude towards intellectual property protection that is (to say the least) indifferent, and
  • Now appears to be hosting criminal attacks against our infrastructure.

But, hey: why let a little thing like homeland security stand in the way of a quick boost in corporate profits and the resulting hike in executive bonuses? We need to keep our priorities straight, after all!

Of course, the fact that attacks have originated from servers that appear to be in China doesn't necessarily mean that those attacks are orchestrated or condoned by the Chinese government. Indeed, why bother to attack American assets at all when American corporations are giving them away in return for cheap, obedient labor and a political system that makes independent trade unions impossible?

Monday, April 09, 2007

Spies in the Night

In my last post, I went on at some length about the alarming tools available to criminal hackers, as revealed at the March 2007 Black Hat Conference.

Shortly after that, I came across something even more alarming, if that's possible: a pre-publication draft of a study by Phil Howard and Kris Erickson of the University of Washington entitled A Case of Mistaken Identity? News Accounts of Hacker and Organizational Responsibility for Compromised Digital Records, 1980–2006. The paper reviews major media reports of 550 security breaches that took place during the period in question and it seems that 60% of them were the result of corporate incompetence. To quote from their abstract: "in terms of incidents, 9 percent were an unspecified type of breach, 31 percent of the incidents involved hackers, and 60 percent of the incidents involved organizational mismanagement: personally identifiable information accidentally placed online, missing equipment, lost backup tapes, or other administrative errors."

So it turns out that, even if you do implement my 10-point security check, your personal information could still end up in the hands of the Russian Mafia because corporations simply don't adequately safeguard their customers' data.

That's no reason to give up the security fight, but it's a darned good reason to insist on more accountability by the companies that hold our personal information. So far, most legislation and public policy has been driven by the companies themselves, and we can see where that has gotten us.

"I think", said Howard in an interview for Computerworld, "it is easier when your company loses a lot of client data to put an immediate spin on it and blame it on a hacker or some external guy using some ingenious hacking technique."

Besides, that money you saved by not investing in proper safeguards in the first place has been earning you some nice interest in the meantime. It's always easier to shell out for PR and spin afterwards.