Wednesday, May 29, 2013

Confidential report lists U.S. weapons system designs compromised by Chinese cyberspies

Surprise! PLA hackers have stolen weapons plans from the military.

Why does every system have to be Internet facing? I can see commercial enterprises wanting to save money by using public networks, but government and the military? For them, money is merely a way to keep score. It's not real.

Just as two can keep a secret if one of them is dead, if you want a secure system, segregate it; take it offline. While I'm pained to think of the lost information, it's even more painful to know that it could have been prevented.

The Time Machine Investigates the First-sale Doctrine

Talk about being on the horns of a dilemma. As a publisher, I know there are far too many pirated versions of what I publish freely available to anyone who wants to spend a few seconds searching. Do I want to make it even easier to share? On the other hand, as a consumer I want to own, and lend, what I buy. The music industry seems to have resigned itself to this. If I buy music online, I download it and for all intents and purposes own it. I can burn it to a CD, or send it as an email attachment. Movies, too, are like music. Should I buy a DVD, I can lend it like a book, although I'm more likely to rent a movie online than buy and download it.

EBooks, as we know, aren't nearly as consumer friendly. Amazon keeps everyone imprisoned in its inaptly named 'walled garden.' And while there's limited sharing within the Amazon and B&N universes, it's not true sharing. And I really don't understand the limitations on library lending. It seems the controls are similar to those for print books; a library can only lend as many copies as it has rights to. Once the ebook limit is reached, I go on a waiting list, just as for print books.

Wednesday, May 22, 2013

BitTorrent traffic dropping sharply in US, as VOD wins favor

As reported by, it seems people are starting to pay for content rather than steal it. As much as I hate Apple, they did get consumers to buy music. While the focus of BitTorrent traffic is largely audio and video, I can only hope the decrease applies to books, too. I really hope people will start buying professional books.

I've had authors relate tales of 1,000s of downloads of their books from pirate sites. I suspect that most of those downloads don't really represent lost sales. Still, I'm seeing a steady decline in book purchases, in any format. That needs to change.

Monday, May 20, 2013

Drug Companies and Doctors Collaborate to Mine Patient Data

The NY Times reported this story on Friday. Sure, this is a great thing for Big Pharma, but sucks for the rest of us. The article mentions how data in so-called anonymous databases can be matched back to patients.

I saw a presentation by Purdue's Prof. Tiancheng Li on how easily this can be done. Here's an example.

The Massachusetts Group Insurance Commission (GIC), which is responsible for purchasing health insurance for state employees, published, for each employee, zip, dob, sex, diagnosis, procedure, and so on, with names removed. A researcher then purchased the Massachusetts voter registration list, which contains name, party, ..., zip, dob, sex. Joining the two lists on just three attributes--dob, sex, zip--the researcher was able to identify the medical record of then Governor William Weld.

This was a fairly benign example. But consider, for example, insurance companies using similar techniques to identify pre-existing conditions, or employers using them to dig into backgrounds of present or potential employees.
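The linkage described above is a join on the attributes the two tables share (dob, sex, zip). The following is an added example, not code from the original post or from the presentation it describes: it performs that join on constructed sample records with hypothetical people, shows the k-anonymity check that flags rows unique on those three attributes, and then applies one coarsening step (ZIP prefix, year of birth) to show the same join no longer yields confident matches. Names, ZIP codes and diagnoses are all made up.

```python
"""Re-identification by linkage, plus the k-anonymity check that flags it.
All rows are constructed sample data with hypothetical people; nothing here
is drawn from the real GIC or voter files."""
from collections import defaultdict

# The three attributes the linkage used: date of birth, sex, ZIP code.
QUASI_IDENTIFIERS = ("dob", "sex", "zip")

# Constructed "de-identified" health extract: names removed, quasi-identifiers kept.
MEDICAL = [
    {"zip": "02138", "dob": "1945-07-31", "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02139", "dob": "1945-02-14", "sex": "M", "diagnosis": "angina"},
    {"zip": "02138", "dob": "1962-03-12", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1962-03-12", "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02139", "dob": "1980-11-02", "sex": "M", "diagnosis": "fracture"},
    {"zip": "02139", "dob": "1980-11-02", "sex": "M", "diagnosis": "migraine"},
]

# Constructed public voter roll: the same quasi-identifiers, but with names attached.
VOTERS = [
    {"name": "Alice", "zip": "02138", "dob": "1945-07-31", "sex": "M"},
    {"name": "Ed",    "zip": "02139", "dob": "1945-02-14", "sex": "M"},
    {"name": "Beth",  "zip": "02138", "dob": "1962-03-12", "sex": "F"},
    {"name": "Carol", "zip": "02139", "dob": "1962-03-12", "sex": "F"},
    {"name": "Dan",   "zip": "02139", "dob": "1980-11-02", "sex": "M"},
    {"name": "Fran",  "zip": "02140", "dob": "1975-01-01", "sex": "F"},  # no medical row
]


def qi_key(record, attrs=QUASI_IDENTIFIERS):
    """The quasi-identifier tuple that both tables share."""
    return tuple(record[a] for a in attrs)


def equivalence_classes(records, attrs=QUASI_IDENTIFIERS):
    """Group records by their quasi-identifier values."""
    classes = defaultdict(list)
    for rec in records:
        classes[qi_key(rec, attrs)].append(rec)
    return classes


def k_anonymity(records, attrs=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class; k == 1 means some row is
    unique on the quasi-identifiers and can be singled out."""
    classes = equivalence_classes(records, attrs)
    return min((len(rows) for rows in classes.values()), default=0)


def link(medical, voters, attrs=QUASI_IDENTIFIERS):
    """Linkage attack: join the two tables on the quasi-identifiers and keep
    only confident matches, i.e. combinations unique in both tables.
    Returns {voter name: diagnosis}."""
    med_classes = equivalence_classes(medical, attrs)
    voter_classes = equivalence_classes(voters, attrs)
    linked = {}
    for key, med_rows in med_classes.items():
        voter_rows = voter_classes.get(key, [])
        if len(med_rows) == 1 and len(voter_rows) == 1:
            linked[voter_rows[0]["name"]] = med_rows[0]["diagnosis"]
    return linked


def generalize(record):
    """One coarsening step: keep the 3-digit ZIP prefix and the birth year only.
    Returns a new record; the input is left unchanged."""
    out = dict(record)
    out["zip"] = record["zip"][:3]
    out["dob"] = record["dob"][:4]
    return out


if __name__ == "__main__":
    print("k before generalization:", k_anonymity(MEDICAL))
    print("re-identified:", link(MEDICAL, VOTERS))
    gen_med = [generalize(r) for r in MEDICAL]
    gen_vot = [generalize(r) for r in VOTERS]   # the attacker can coarsen too
    print("k after generalization:", k_anonymity(gen_med))
    print("re-identified after:", link(gen_med, gen_vot))
```

Before generalization the medical extract has k = 1, and four of the six rows come back with a name attached; after it, every equivalence class has at least two rows and the join returns nothing. Two caveats a practitioner should keep in mind: the coarsening is applied to the attacker's copy of the voter roll as well, since nothing stops them doing the same; and k-anonymity alone is not sufficient, because if every row in a class carried the same diagnosis, the attacker would learn it without needing to pick one row.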

We know we can't trust industry to self-regulate, or to place PII above its own self-interest.

It just so happens that we have two new books that deal with this problem, should you care to solve it.

Guide to the De-Identification of Personal Health Information by Khaled El Emam and

The Complete Book of Data Anonymization: From Planning to Implementation by Balaji Raghunathan.

Click here to read An Overview of Data Anonymization.

Friday, May 3, 2013

Infosecworld 2013

Last week was Infosecworld. Not surprisingly, as in 2012 the main topics were Big Data, BYOD, mobility and cloud security, and risk. Jeff Crume had several sessions on access control and identity management, including Federated identity management and single sign-on. It’s interesting to think that the big social networking sites—Facebook, Twitter, LinkedIn, Yahoo—use Federated identity. Now, I can log into Yahoo mail using Facebook or Google, not that I want to do it. I’m not sure whether this is good or bad, but it is interesting that while this is being discussed within the enterprise, the social world went ahead and implemented it. Of course, the security and privacy concerns are vastly different between the two worlds.
I heard a lot of talk about cyber espionage, both in sessions and in keynotes. Also, that the defensive focus has changed from cyber crime to cyber espionage and warfare. Of course, APT came into the discussion, although there was some disagreement about what it was. There was even a demo session on hacking SCADA, ICS, programmable controllers, etc.
Jay LaRosa and a colleague from ADP gave an interesting presentation on ADP's next-generation security management platform. It integrated a passive data access network, SIEM, GRC tools, and a massively scalable data warehouse; added advanced threat modeling; and provided real-time analysis and reporting. I recall from an earlier presentation about SIEM that between hardware, software, and personnel requirements it was out of reach of most places. This presentation confirmed that observation, but it is a very impressive system.
BTW, I still need proposals for books on DLP, SIEM, BYOD, and APT.