Saturday, January 17, 2015

Criminalizing Modern Security Research

My high school physics teacher quietly taught me that all locks have vulnerabilities. He was an “amateur locksmith,” and while I never learned exactly how to pick a lock from him, he explained enough about how locks work that I figured it out. I took this skill to college where, with other like-minded individuals, I became a minor part of a community of students called hackers. With our skills, we were free to roam just about anywhere. My favorite destination was the roofs of various campus buildings. It was a liberating experience.

If I had caused physical harm or damage as part of our “hacker” activities, who would be to blame? Based on the proposed updated law enforcement guidelines, you may very well hold my high school physics teacher partially responsible for helping me understand the vulnerabilities in standard locks: how I could massage the internal tumblers of a lock until I found the correct sequence that would allow me to turn the cylinder and disengage the lock. When translated to cybersecurity, that same teacher, indeed any security researcher, could face 20 years in prison for disclosing a technology vulnerability due to changes that President Obama is proposing in cybersecurity law.

Saturday, November 22, 2014

Personal Financial Health Season

As we approach Thanksgiving and get inundated with pleas to spend a lot of money for the upcoming holidays, I declare this the beginning of Personal Financial Health Season. Why? Because this is the time that fraudsters, identity thieves, and other miscreants target our wallets, hoping that we’ll be spending too much money and be too weary to be diligent about our finances. Remember the Target breach of 2013 and use it as a reminder that we as consumers are easy targets this time of year.

Monday, October 6, 2014

US: Please Come Down Hard on JPMorgan

The U.S. Government needs to come down hard on JPMorgan Chase for its woeful performance in disclosing and responding to a privacy data breach that reportedly affects 76 million customers.

Free market principles can, eventually, effect cybersecurity change. When data breaches like the 40 million record breach at Target in late 2013 and the 56 million record breach at Home Depot earlier this year occur, customers can effectively respond with their feet. That reportedly happened with Target, and anecdotally, I’ve become a much more frequent patron of both my local town hardware store and Lowes. By withholding business from organizations that suffer a breach of your personal and financial information, customers can punish the company financially. It may take a lot of customers to really have an effect on the bottom line, but when they act in unison, customers are an economic force to be reckoned with.

Monday, April 7, 2014

Microsoft, Please Open Source Windows XP

The day is now upon us. After a nearly 13 year affair, marked by manic periods of love and hate, we now face the inevitable conclusion of our relationship with Windows XP. We knew that our time together was only temporary, and many are applauding the end of an era that was probably several years past its prime. As much as I appreciated the time that Microsoft granted us, I recognize that it’s time to move on.

My acceptance aside, I believe that many others are forced to remain in denial. Consider that some reports continue to pin XP usage at anywhere from 10% to nearly 30% of all desktop systems. Combine these statistics with reports that 95% of all ATMs, many medical devices and cash registers run Windows XP. I’m not one to succumb to FUD (Fear, Uncertainty, and Doubt), but the numbers imply that we face a potentially catastrophic security condition once Microsoft ceases its support for the operating system. How many vulnerabilities are hiding out there, their hacker benefactors giddy as they wait for Microsoft to cease providing security patches for XP computers? I suspect that we’ll find out soon.

Microsoft can help by making the XP operating system core available as open source software. I think that it should.

Sunday, March 23, 2014

The Mobile Security Failure

Mobile has substantially changed the security update landscape, driven in part by evolving consumer expectations that champion frequent, minor enhancements over stability and security. I first discussed the defect acceptance trend in 2012 as a way to explain how software companies have been able to distribute flawed software while also handing responsibility for maintaining that software to the consumer. In the two years since, accelerated use of mobile, and by extension cloud, applications has worsened the trend by limiting end-user control and forcing the consumer to accept unwanted feature changes in order to receive security updates. Not only must consumers accept flawed software, they must now also trade flexibility for some semblance of protection.

I’ve recently had three operating system software updates that each provide new perspective on how software maintenance has changed over the last decade. I’ll take a look at how those changes reflect new cost to consumers.

Sunday, February 23, 2014

Identity Theft: Be Prepared for the Long Haul

Nearly a month after first detecting a potential identity theft when reviewing my credit reports, I’m frustrated by the lack of progress despite my efforts. A recent email from Experian, the credit bureau that seems to be the source of my problems, highlighted the company’s refusal to remove what I believe is the root cause record on my report. Just when I thought I was entering the final phase of cleaning up my credit report, I came to realize that I’m probably just getting through an early chapter in what will be a much longer story.

Saturday, February 15, 2014

Identity Theft: Proof that Life is not Fair

I spent a weekend fuming over the fact that my credit reports from two bureaus showed a fraudulent collection from Dish Network and several personal information entries that listed names, addresses, and phone numbers on my report that were not mine. There were several possibilities for the entries: 1) The bureaus screwed up; 2) Someone fat-fingered my social security number when providing credit for Dish Network service; 3) Someone had fraudulently used my social security number. No matter how little control I had over the initial event, if I wanted clean credit reports, I knew that no one was going to help me out.