Anytime a company sides with making money than doing what is right, well let’s face it you can trust them to make a buck. What about saying you’ll do something, and not doing it? That is the position Google may find themselves. Remember when a handshake clenched the deal. Or when it was important to keep a good name?  Sign a contract to suppress free speech? Google, what were you thinking?

Let’s see, we buy cheaper until we find lead in the products destined for our kids.  We are now finding Cadmium in the products destined for our kids from the same source. We trusted the Consumer Product Safety Council. Who knew they didn’t perform tests on all products. (Fool me once) But wait, we still buy from the same source? When I heard about drywall used in Louisiana homes with toxic levels of sulfuric compounds, how surprised was I? Consumer Product Safety Council PLEASE test ALL products from China that either I or my children will use! I know it will cost more, but both my children and I will live longer to use them!

Let’s see if we can figure this out. If an organization that sells toothpicks, advertises “we sell only fake toothpicks”. An anti-wood organization is protesting the business. Instead of opening up their books and allowing independent auditing, they target the protestors, hacking their websites, putting them in jail, forcing companies that want to do business with them to block all anti-wood lovers from being able to browse to anti-wood websites. What could be happening? Who would you trust?

There is one difference; we are talking about life and death. Not toothpicks and wood. Human rights mean Human life.  Part of the preamble from United Nations states:

Whereas disregard and contempt for human rights have resulted in barbarous acts which have outraged the conscience of mankind, and the advent of a world in which human beings shall enjoy freedom of speech and belief and freedom from fear and want has been proclaimed as the highest aspiration of the common people,

Whereas it is essential, if man is not to be compelled to have recourse, as a last resort, to rebellion against tyranny and oppression, that human rights should be protected by the rule of law, ..

http://www.un.org/en/documents/udhr/

Google pulling out of China will be a gong heard around the world. We are sick of becoming sick from your products. We are sick of your hardball to coerce contracts. We are sick of you not just allowing the hacking of our companies, but organizing and funding them. Call it what you will, I’ll pay more. I’ll choose companies by their ethics, not what they publish, but what they practice.

Google, it’s time to teach the master some yin yang. Yahoo blew it;

http://www.charlescorcoran.com/post/2008/07/30/Information-Highway-A-privilege-or-right.aspx

Who will you trust?  Proverbs 3:5

An interesting but annoying twist has Bloggers targeted for Spam. People found Google is indexing Blog posts. Posting your positive comment almost guarantees it will be included in the Blog (moderated) comments. The result is the links that are imbedded receive another inclusion in the URL indexer rating system. I have listed a post example below:

Notice when I highlight KIM above, notice what the URL is below "her" name.

This is another annoyance that moderators have to deal with. I will be implementing the CAPTCHA, or some other logic based system to make moderating a little easier. Some simple rules to get your negative post to show on my Blog you wonder?

1. Don't link to other sites to increase your Google rating or sell your wares.
2. Don't use profane language.
3. Expound on a compelling argument, don’t dis the Blogger for Blogging the issue.
4. No automated responses.

I would consider it a blessing to receive constructive criticism that is well thought out. I welcome all opinions.

We’re upset every time we hear about a security breach involving thousands of names and social security numbers or credit cards. In many cases we have no choice to give the information to doctors, etc. I was recently at a medical clinic (ERLANGER PEDIATRICS OF DALTON) on January 22nd, and saw a young lady surfing her MySpace account on the same computer my information was entered. I had a sick feeling in my stomach. In short order I expect my personal information to be on the Internet for sale to the highest bidder. It might fetch up to $50.

Part of the problem is there isn't an understanding of WHAT needs to be done to protect data and fight cyber crime. Law enforcement is helping there, but they can go overboard, case in point the new federal laws being presented that would require all Internet providers and operators of millions of Wi-Fi access points to keep logs for two years. That means you, the homeowner, the businessman, the coffee shop, hotels, etc etc. http://www.cnn.com/2009/TECH/02/20/internet.records.bill/index.html?eref=rss_tech

Most of you have never seen a log, now you will have to preserve them. When that guy pulls up to your neighbor's house and surfs YOUR unprotected access point he/she may be downloading child porn, and it will be up to you to assist law enforcement to catch them.

So yes, YOU will be responsible for maintaining logs if this law is passed. It's not that it is a bad law, there are many good components. But like I said, there isn't an understanding of WHAT needs to be done, let's start there.

First, secure your access point. Force manufacturers to enforce encryption and authentication on their products. Second, know who you're giving access to. Third, place the burden on the ISP to maintain the logs for you as part of their service (Another law). THEY should know WHO is on their network at all times. I can hear the shouting now, rights issues. But let's face it, it's out of control. Who needs to hide when there are open access points all over the world. Fourth, let's get real, these things will stop an amateur, but it's the pro's committing the big crimes. Let’s give government the flexibility they need to catch these "pro's". Fifth - ask the government to create real standards and hold business AND government agencies accountable, punishable by law. (Please don't let people surf the Internet on the same network as my SSN)

There is no magic bullet. But it will be up to us, WE THE PEOPLE, not business, not government, but a collaboration, starting with us requiring our government and business to work toward a common goal: Securing our networks. 

It’s a disappointing day for the security information professionals. When a man elected by the people sides with business concerns, we all lose. According to http://idtheftcenter.org/workplace_facts.html claims “One study said that identity theft cost U.S. businesses and consumers $56.6 billion in 2005” and “According to the U.S.  Department of Justice Statistics, identity theft is now passing up drug trafficking as the number one crime in the nation”.

On October 5^th, 2008 I read a report from SANS that detailed how California Governor Arnold Schwarzenegger vetoed the Consumer Data Protection Act again on October the 2^nd. His comments regarding his reasoning included "by requiring notification even where no information was obtained improperly, this bill would likely result in significant costs to businesses and to the state."

Identity theft is life changing. Imagine for a moment, opening your credit card bills one month and seeing that all the interest rates raised to 24%, and the payments doubling. If you are trying to finance a home, forget about it because your ratio will change significantly, and your credit rating will be in the toilet. After you pull a credit report, you realize someone has opened a credit card account in your name, charged $20K, and to boot, they are late on the payment! Correction, YOU are late on the payment! That is why all of your credit card companies have revised their terms with you. Even if you get the card company convinced it wasn’t you and the charges are removed from your credit file, you are responsible for the increased payments on all the other cards, and getting the terms revised, well, ask anyone who is in that position, you can pretty much forget it.

Three months later, you’re considering bankruptcy, you’re savings account depleted, and you are considering cashing out your 401K to pay off the credit cards. You have no budget because you can’t meet the payments as they are. Now all it takes is a car repair, an increase in gas price, well, you get the picture. The most the “company” responsible is going to offer you is a free credit report.

According to http://ag.ca.gov/idtheft/ there were 45,175 victims reported from California in 2005. This will increase. As a security specialist I have a few observations. Businesses as a rule are lazy, doing only what they have to. (This is not a reflection of any company I have worked for who hired me to improve their security.) If only the businesses treated the personal information like how they HAVE to treat VISA credit card information (That still doesn’t mean they will, case in point TJX), we would be much better off. The credit card industry has come together and produced a simple list of requirements; (https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml), the first of which is “Build and Maintain a Secure Network”. Wait, you mean this is a requirement? Wouldn’t you think that is a given? Don’t fool yourself. If you have ever found a company that took credit cards but doesn’t take VISA credit, think again about doing business with them because most likely they can’t (or won’t ) meet these simple standards.

Unless business HAS to meet certain standards (AND IS AUDITED BY A THIRD PARTY), your data is in jeopardy. You would be very surprised what I have seen as a security professional.

So back to Arnold. He is in a position to make change to affect people’s lives, not only in California, but possibly worldwide. Many states follow California, and let’s face it, many countries follow the US. I have always seen Arnold as the underdog, man against the bad world. My favorite movie of all time is Total Recall, where he saves the planet Mars. If I could speak to him, I would only say I wished you could see the blatant disregard of personal data I have seen, not with the companies I was/am with, but the companies they do business with, and shared information from other security professionals.

Laws don’t fix everything, but they do cause change. It would be a shame to think that every company would have to make the headlines before they made the changes required to secure personal information. Without laws, this is what will happen. Meanwhile, your information is not only in your state, but in every home office of every company you do business with. A little multiplication, and the 45K people for just one state for one year, now think of the odds of your information being exposed. If you do business on the Internet, use a credit card in a restaurant or retailer, your odds are not good. Someone will use that card, your information, or otherwise get at the data because of the fact there are weak controls, or for the smaller companies, no controls in place since they won’t fall under any of the other control standards such as SOX, HIPPA, or PCI. That's where a law comes in to play. It gives security professionals like myself the grease to make internal changes.

Arnold, you have shown us that the sword is mightier than the pen.

I get excited when I see my 2 year old daughter smile. When I come home from work, when I tell her I want to take a hike with her, when I tell her I want to read a story to her. Even if it's the same old book she wants me to read, I'll do it with enthusiasm. This past weekend while we were hiking in our yard, she asked me if she could hug a tree. I thought if that tree only knew how lucky it was to get an unsolicited hug from such a beautiful little girl.

I say that because although she isn't the most generous hugger, she will give you one if you ask. Every once in a while she will walk up to me and hug my leg. I'll get down on the floor and give her a hug back, and I'll ask what the hug was for. There doesn't seem to be any reason, and that's a good thing. I wrote this to remind me when she might get on my nerves, or I’m too busy to spend time with her, or she gets mad because she doesn’t want to go to bed. Nurture that love, it’s more important than me. Just ask a tree.