Tuesday, April 9th, 2019
Maybe now I can stop referring to myself as "paranoid" and just use the term "Security Professional" instead.
In a Wired.com essay, Bruce Schneier writes how security professionals just think differently. While engineers try to figure out how to make things work, Security Professionals think about how to break them.
For example:

SmartWater is a liquid with a unique identifier linked to a particular owner. "The idea is for me to paint this stuff on my valuables as proof of ownership," I wrote when I first learned about the idea. "I think a better idea would be for me to paint it on your valuables, and then call the police."

And it's simply thinking in this way that would prevent a lot of bad products (like SmartWater) from ever being developed in the first place.
Tags: Paranoia, Security
Sunday, April 7th, 2019
Another breach. Who'd have guessed?

The company is aware of about 1,800 cases of fraud reported so far relating to the breach.

Tags: Breaches, Hannaford Supermarket, Identity Theft
Tuesday, April 16th, 2019
Data breaches are common, but shouldn't be. Companies could easily stem the flow by putting better security in place, taking personal data offline, no longer sending employees home with laptops that have personal data on them, and, above all, no longer storing our data once they no longer have need of it (you can't lose my credit card number if you don't have it).
Anyway, class action suits don't often work, so one man decided to take a company to small claims court instead (and won!). A $700 settlement might not seem like much, but as he says:

...it was likely more than most consumers who filed class-action lawsuits ever received (after attorney fees are paid) and it would be received much more quickly.

Tags: Data Breaches, Data Brokering, Small Claims Court
Tuesday, April 16th, 2019
Another data breach, blah, blah, blah.
Remember to freeze your credit and never have to worry about this stuff again.
Tags: Data Brokering, Identity Theft
Thursday, April 18th, 2019
So not only was Diebold dumb enough to use a universal key for all their voting machines, and not only did they sell those keys off their website (though supposedly only to "authorized people" as if we could trust them to handle who's authorized or not), but they posted a picture of the keys on the Internet which allowed at least one researcher to make a perfect working copy at home with a key blank bought from the store and a file.
This story came to light a while ago, but there have been some updates such as:

In a classic Diebold bury-the-evidence move, they've now replaced the entire page in their online store featuring the mechanical, copyable key with a page featuring a "Smart Card, Security Key Card." A digital key card. Same link, different key entirely. Which can only be done, given the database they use for their online store, quite deliberately in order to try to fool folks again. Par for the course. And, of course, shameless.

Whee.
Tags: Accountability, Diebold
Saturday, April 27th, 2019
I have always said the best defense against theft is to have a lousy car. Now I might want a nice car someday, but there must be a way to make it at least look bad…. Well here's a good example: stickers that make your car look rusted.
It would be simple enough to scrape away paint and let it rust for real or bang in the metal here and there, but real damage affects resale and could end up causing need of repairs. This solution is far more elegant.
Tags: Car Security, Theft prevention
Sunday, April 28th, 2019
If you've been following this breach, the key problem here has two parts:
1) TJX is the parent company of several other companies including TJ Maxx. Each of those companies shared data with TJX creating a massive database (and a single target for the hackers).
2) TJX (and others) shouldn't have stored the credit card data in the first place and when they did, they should have used better security.
Though they'll blame "clever hackers" for the breach, the fault instead lies squarely with TJX, whose business practice of storing credit cards against people's will, along with negligent use of outdated wireless encryption (WEP), first created a giant target and then left a gaping hole for the bad guys to be able to go and get it.
Tags: Big Business, Data Brokering, Identity Theft, Negligence, TJ Maxx, TJX, WEP, Wireless Security
Monday, April 29th, 2019
Not surprisingly, a class-action lawsuit has begun against Apple and AT&T because of their firmware update that some claim was intentionally designed to break any iPhone that someone had unlocked.
The real problem here is that people really like the iPhone. As soon as it came out, busy hackers got to work unlocking it so it could be used with another cell provider's service and have 3rd party programs installed on it. Apple and AT&T didn't like that and soon issued a new update to the phone which caused many of the ones that had been "hacked" to break. There are some who think it was done intentionally.
While I can certainly imagine it, you would think that they would have anticipated the legal and customer backlash. You would think… but companies have made these kinds of mistakes before.
Tags: Scams - Ripoffs - Dirty Tricks
Monday, April 29th, 2019
No, I'm not talking about the illegal spying, but the case of the Al-Qaeda video that was discovered before it was publicly released. The problem is that the disclosure of the video alerted Al-Qaeda that their networks had been compromised. While I read about this news yesterday, what I didn't know was that it was the Bush administration who is responsible for the leak.
Tags: George Bush, Leaks