October 30, 2006

Security & Risk Blog

Welcome to my Computer Weekly security blog! This is the first post of many and it’s polite to begin with an answer to the who, what, and why questions.

I’m Stuart King and I work for the Reed Elsevier Group in a role that encompasses the online product and risk side of information security. Summing up my role in a few words is no easy feat. In fact, just coming up with a job title that correctly identifies my role to the rest of the world has been the subject of many hours of heated discussion. The problem is that if you tell someone you work in information security they are likely to make an assumption that you are either a) a hacker or b) the techie who configures the firewall. I’m neither of those although I do have a good knowledge of the tricks of the trade of both. My focus is very much on looking at the risks associated with putting increasingly complex products onto the Internet, then deciding how best to address those risks within an organisation that produces literally hundreds of web products as the output of development groups across five continents.

December 23, 2006

Saturday Soapbox

It's nearly Christmas so I'm going to get my soapbox out again and comment on the news that for the national ID system information "will be held on three existing, separate databases" as reported by the BBC in an article that you can read here.

Hands up all of you who are not slightly worried, a little bit cynical, or very concerned about this. I know that David Lacey is: he commented on this story yesterday.

As all of us who have ever worked on developing systems of any sort know, trying to shoe-horn new solutions into an existing product and infrastructure is nearly always an exercise in futility. It won't work, and the consultant who has suggested this as a low risk solution should go and actually sit in a development environment for a few days.

The original database and systems were developed for a specific purpose. Modifying them for the national ID card system will be a security nightmare because that is not what the systems were made for. And if a politician tells me that this is not the case then I won't believe him anyway because, let's face it, the government does not exactly have a good record when it comes to the development and execution of software systems.

Here are a couple of examples just to push home my point:

http://www.computerworld.com/governmenttopics/government/itgovernment/story/0,10801,97853,00.html

http://www.ft.com/cms/s/d8aca40c-ef49-11da-b435-0000779e2340.html

http://news.independent.co.uk/uk/politics/article271415.ece

For a system such as an ID database, security must be an integral part of the design from the outset. Jury-rigging it up so that it uses existing resources means that security services are bolted on, and, here is my message to the product managers and government in my loudest and most arrogant voice - the security will break!

As to the actual question of whether or not we should have and support a national ID scheme, well, I'm agnostic on the matter. But if we must have this new intrusion on our privacy dictated onto us (ok, maybe not quite so agnostic) then the least the government should do is spend a few quid over and above the cheapest tender on making sure that it is done properly!

Soapbox now safely away. Have a good Christmas.

January 6, 2007

Show me the evidence

I came across this gem of advertising here: http://www.cioview.com/products/ISECOM_landing.html

"According to the University of Texas School of Management, security incidents could cost your organization $2.9 million simply in the five minutes it takes to read this page and download SecurityNOW! "

This is very similar in style to another message that I received by email which stated: "A recent University of Michigan study found that 70 percent of corporate theft incidents can be traced to an insider"

Can someone please find me the references here, because I've tried locating both with little success. I don't mind vendors quoting statistics but I'm a tenacious bugger and I do like to see the sources.

Anyway, if it could cost my organisation "$2.9 million simply in the five minutes" then whilst writing this blog entry we've probably already gone out of business...so I'm off to put the kettle on.


January 8, 2007

Another unstructured blog

According to this blog, http://blog.casescontact.org/ , the following is true of a typical information security blog:

..the archetypal information security blog favors:

a) instant response over reflection,

b) commentary over research (e.g., analyzing secondary data or believing test results without checking first),

c) stream-of-consciousness over structure, and

d) group-think behavior instead of careful analysis before making a decision

I probably, and occasionally, fall into all the above categories but I'm not sure that this is such a bad thing. From my perspective, a blog is more than a professional, dry commentary on life. It's an opportunity to express opinions, often unstructured, and enable others to comment in a similarly unstructured manner. Too many rules and too much rigidity would make it more of an academic exercise and we'd all quickly lose interest. So, lighten up CyTrap! And by the way, your info on Word metadata is very interesting - I wonder how many people are aware of how much information they might be giving away when they send out Word documents, and also that such metadata can be discoverable in the event of legal action. More food for thought...

January 15, 2007

Going to America

Operational risk management today takes me to Dayton, Ohio. I'm there to give a presentation on eProduct risk management as well as to make personal acquaintance with a number of people I usually only correspond with via email.

The last couple of days have been mostly taken up with sorting out the implementation of our new online risk assessment software. The new version is up and running but as with any new custom-built solution there is going to be a "bedding-in" period. Anyway, I take my hat off to the developer at Aldex Software who has been dealing with the bulk of my many requests for change, and for the great solution that they have delivered to us.

Sitting in my in-box this morning is an interesting email thread regarding one of our data vendors who accidentally sent an email to one of my colleagues. My colleague picked up on the carelessness of this fact and has suggested we take a closer look at their security processes. We have a very in-depth and diligent process in place for assessing our vendors - I'll discuss it here sometime.

Accidental emails can sometimes cost vendors business. One well remembered incident here involved a vendor commenting by email to one of his colleagues on the lack of hair follicles of a senior manager within my organisation. Unfortunately he hit the send button a bit too hastily and before he'd realized said hairless-person's address was auto-filled in. Needless to say, the vendor wasn't considered for further consideration. It's a lesson I think we have all learnt the hard way in the past. I mitigate this particular risk by putting all my email into the outbox first and then having to manually send it. Some might say I mitigate the risk by never replying to email but I couldn't possibly comment on that....

March 15, 2007

Kids and the Internet

I've been reading an interesting article, linked from Bruce Schneier's blog, about Internet usage entitled "Kids, the Internet, and the End of Privacy: The Greatest Generation Gap Since Rock and Roll" by Emily Nussbaum. If you have kids and they have MySpace or similar accounts then you'll find this enlightening.

March 22, 2007

How to get work in Information Security

I was browsing through job listings looking for examples of advertised jobs within information security. A number of adverts had me scratching my head. Read this one then ask yourself: What is the agency really looking for?

Are you a Security Specialist? Are you CISSP qualified or have commercial experience to that level? [agency] client require a Security Specialist (CISSP) with excellent understanding and practical use of security principles (CIA, AAA etc). As the Security Specialist you will be the lead in the design and implementation of 3rd party clients Security solutions - you will be required to have extensive experience of Solaris, AIX, Cisco devices, Networks and Microsoft Windows. As the Security Specialist you will be responsible for creating and maintaining a 2-year security technology roadmap and define projects to deliver the roadmap - therefore you must possess a strong understanding of the software development life cycle and development languages including C++, Java and .NET. Apply now for immediate consideration!!!

Taking the advert listing literally, the agency is looking for a CISSP certified person who is preferably also a certified information auditor. Someone who can design AND implement solutions. Create AND maintain a security strategy AND define the projects to fit the roadmap! Crikey - sounds to me like they are looking for a very strong tail to wag the dog. It goes on: someone who can also provide hands-on technical support AND hands-on development. If such a person exists, please contact me but don't attach your 40 page CV, just turn up so that the rest of us can go home and have a nice cup of tea. Doubtless, said person can also fly a helicopter whilst writing custom NASLs with his teeth.

March 26, 2007

Moving on...

A change of employment and a relocation to warmer climes means that entries on this blog may become sporadic over the next few weeks.

Change can be positive and I'm a strong believer in the importance of not stagnating within a role. New challenges bring new experience and I'm looking forward to making a difference for a new employer.

Thanks to everyone I've worked with over the past few years for making my work such a positive experience.

Blogging business as usual shall be resumed shortly - let me know if you have any specific topics you'd like me to cover.

March 31, 2007

A Saturday Comment

I've noticed that no-one reads this blog on a Saturday which begs the question of why I'm writing anything. However, given the technology I could have actually written this last Tuesday and scheduled it to be published on Saturday. In fact, right now I'm sipping coffee in Starbucks reading this blog so that the stats will show at least one person read it today....

I have subscribed to a new, free service from an online organisation called Garlik. In fact I note that David Lacey also mentioned this service some months ago on his blog. As well as providing a view of your credit file it also looks for associations that you have based on your name, location, and Internet presence. Take a look for yourself because, like me, you might get one or two little surprises.

Enough comment already about the whole TJ Maxx credit card affair. We can all snort our indignation at how such a thing could happen over such an extended period of time, but the focus of effort must now be to learn the lessons and for everyone who manages valuable data to make sure the same thing isn't happening or about to happen to you. It would be a benefit for everyone in the industry to learn exactly how this incident happened and remained undetected for so long. Fair enough? I notice that one, obviously morally and intellectually superior, commenter on this story stated "I trust the security manager has been sacked." (http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article1536335.ece). Hmmm, maybe, maybe not. If we sacked all the good people every time something went wrong within their area of responsibility then we'd never have the chance to benefit from their experience.

September 13, 2007

Hacker proof encryption

I shared this story about the "world's first hacker proof encryption technology" with a colleague.

Quick as a flash he emailed me back: "I wonder if it is criminal and idiot proof also ;)"

Touché!

September 22, 2007

Salesforce.com - Is that the way we all go?

Salesforce.com ushers in a new era of on-demand success with the industry’s first platform as a service (PaaS). With the Force.com platform, you can build any application, any database, any logic, and run it all on demand on our trusted, secure infrastructure. Now salesforce.com allows customers to create and run any application and even any user interface imaginable—all entirely on Force.com.
(Announcement made this week on Salesforce.com)

If you do not already know, Salesforce.com is the worldwide leader in on-demand customer relationship management (CRM) services. I'm not going to go into detail here and recommend that you spend some time browsing their website.

PaaS and SaaS (Software as a Service) are exciting concepts. For an example of SaaS, look no further than Google Docs, a fully featured suite of office applications that allows you to create, edit and store your documents and spreadsheets without having to install any software packages on your own desktop. Now imagine if it was easy to build your own applications that also run on the Google platform. Potentially you could run everything you need for your business to function off of somebody else's resources. This is where Salesforce are heading, wanting to create a platform that anyone can build on, making it easy to integrate on-demand services and messaging features, create mash-ups, and develop custom applications to do just about anything.

Kendall Colins of Salesforce says "You can be anywhere in the world, log in, write code that saves on our servers, tests and runs on our servers, and share that anywhere in the world."

It's exciting stuff and I reckon it'll catch on. Face it: where's the fun in purchasing a disk-space and resource intensive operating system, only to install onto it more disk-space and memory intensive applications of which most people use only a small fraction of the functionality, when we could all be using zippy, lightweight systems that connect to online platforms where all the weight of the processing and storage requirements are taken care of?

So, what of security in the future business world where we no longer store our own data and rely totally on external service providers for availability of all our business functions? Will there ever be a time when we could move all our eggs to the PaaS basket?

September 27, 2007

Infosec Podcasts

If you're familiar with the Infosec Europe show, held annually at Olympia, then you'll know that it always attracts an impressive line-up of expert speakers over the course of the three days. It's always seemed a shame that there hasn't been anything between events to engage the interest of those who attend the show. So I'm pleased to see that the organisers are now presenting a monthly podcast that you can download from the event website at www.infosec.co.uk.

The first in the series is on the subject of Wireless Security – Top Tips to Mitigating Threats and is presented by Paul Lawrence, VP & General Manager, EMEA, AirTight Networks Inc.

LinkedIn Article

An excellent article on the perils of social networking with LinkedIn in the latest edition of [in]secure magazine.

October 1, 2007

iPhone Updates

Good read on Apple's update strategy for the iPhone here: http://www.emergentchaos.com/archives/2007/10/apples_update_strategy_is_1.html

And so what Apple is doing has an important side effect: creating a fear of their patches. That fear will last long after a reasonable resolution of this incident.

October 7, 2007

How to make a nice cup of tea

Forget BS7799 and ISO27001, the one we really need to know about is BS6008: "Tea — Preparation of liquor for use in sensory tests." This is a six page, 5000 word guide to how to make a cup of tea. Section 7.2.1 states:

Preparation without milk
Fill the pot containing the tea with freshly boiling water to within 4 to 6 mm of the brim (i.e. corresponding approximately to 285 ml in the case of the large pot and 140 ml in the case of the small pot described in the Annex) and put on the lid. Allow the tea to brew for 6 min....

The document does not identify what type of tea to use, nor the colour of the pot. I'm not sure if these are considered important. Although if they are going to go to the trouble of producing the document you'd have thought that someone would also have considered other aspects such as whether to slurp or sip...

I'm all for a nice cup of tea, so I'll be printing out this standard and putting it on display next to my latest security awareness poster.... :-)

October 8, 2007

Threat Expert

An interesting resource that I read about here: http://www.vnunet.com/vnunet/news/2199328/security-experts-launch-tool

Threat Expert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode.
See http://www.threatexpert.com/

October 11, 2007

An image - at last!

After nearly a year of on and off blogging, I have been shown how to add an image to my blog (thanks James...)! So, I wanted to share with you the following picture, which I shot whilst driving around the Texan countryside early last year:

[image: padlocks.jpg]

Someone should give a prize for the best security related caption to go with this picture...any takers?

October 13, 2007

PaaS - Amazon EC2 & Force.com

I wrote a short while ago (Sep 22) about SalesForce.com (SFDC) and their Force.com PaaS service offering. I believe that this is the way that enterprise development is heading and I wouldn't be at all surprised if, in a few short years, it's the norm rather than the exception.

SFDC are not the only players. Amazon have also entered the PaaS market with their EC2 (Elastic Compute Cloud) PaaS. The advantage of Amazon's model is that they charge per CPU time. You only pay for capacity used and there are no fixed costs. Therefore, if you have a service offering where there are spikes in traffic at key points of the year and it's relatively quiet at other times, this model would appear to serve your interests well. This allows full freedom to compete on ideas rather than resources.

EC2 appears to offer more flexibility for developers than Force.com. In the article "The Perils of Platform as a Server" Robert Warfield writes that "the beauty of Amazon’s approach is they get to tap into any ecosystem (say open source components, for example) that runs on Linux. That’s powerful!"

However, all is not perfect in paradise. If you're putting data onto the EC2 platform, what happens to it within a particular instance of a server when it is no longer required? It's true that you can get a new server allocated in minutes, but are the hard drives wiped every time the server is requested? I read a comment somewhere that said it's the equivalent of "throwing away a hard drive full of data (into a dumpster) and assuming that the data will never again see the light of day."

EC2 is also suffering some teething problems. A recent outage in the service resulted in lost data.

"We lost almost all our data due to the erroneous instance termination from Amazon, and we are in a very bad shape as a company," wrote one unhappy EC2 user, who wanted compensation from Amazon.

Certainly not good news, but then that's a risk early adopters take and I predict that the service will get over this hiccup. It's also a lesson that the old rules still apply: make backups for goodness sake!

Regardless, virtual data centers and flexible pay-per-CPU computing models make great business sense. Service providers must give assurances around data security. There's a lot of experimentation going on right now and that's not a good environment for confidential or high loss impact data. I don't, however, have any doubts that we'll all be looking at how to take advantage of this model.


October 16, 2007

LinkedIn - The first million is the hardest

Congratulations to LinkedIn who have achieved one million UK members on their social engineering...I mean, social networking site.

I think LinkedIn will persist and grow. The forthcoming API will enable other companies to tap into the service and I can see the potential for organisations such as Salesforce.com to add LinkedIn functionality or vice-versa. Businesses will also be able to integrate LinkedIn with their own CRM or business development systems. Powerful stuff.

Security and privacy will remain a concern and it would be great to see LinkedIn - or whatever the next, next best thing is - being innovative in addressing this. The opportunity is there...

October 18, 2007

Daycon

Dayton, Ohio, has a couple of things to recommend it: it is home to one of the best steak restaurants that I have ever been to (The Pine Club). Actually, that's about it. However, it is also home to the Daycon Hacking/Security Conference. This might not be the best known event in the calendar, but it certainly attracts some very talented speakers, including my good friend Angus Blitter (he and I gave a presentation together at InfoSec Europe a couple of years ago). I wasn't able to attend; however, there is some content available to download, including:

  • DNS: The Internet's Dirty Secret (PDF file)
  • Hacking Second Life (Zip file)

I particularly like this quote from Angus: "If an adversary is motivated they will develop or obtain a capability to exploit a vulnerability", going on to describe an Exposure Index:

Exposure Index = Motivation * Capability * Vulnerability

The presentation on hacking Second Life will make your eyes water. A good message for us all to remember too: "Where money is made, you also find cheaters, criminals and hackers."

  • Frank Abagnale Interview

There's an interesting interview with ex-fraudster Frank Abagnale online here. Frank's message is that it's far easier today to commit the sort of crimes that he became famous for:

"A world of too much information and the technology make it very easy to do today what I did 40 years ago."

October 26, 2007

Personality in Security

A panel session at the RSA conference has suggested that "it is just as important to recruit on the basis of personality as it is to find someone with the right technical qualifications" for information security jobs (see the article in Computer Weekly here).

Some might argue that if this were the case then I'd have ended up in marketing. Joking aside, I think that the panel is making a good point. Never has it been more important to understand and appreciate how the business works: the management, objectives, strategy, culture and financing. Having the security team working in a silo, issuing edicts, is a thing of the past - or it should be. Let's, for example, take a business that has decided on a strategy of utilising a PaaS (being my current favorite subject) for managing essential data. It's no good trying to shoe-horn existing policies based on traditional systems and processes into this. That is not being agile and it's not serving the needs of the organisation.

To get there, we need to have a good understanding of what management is trying to accomplish, ensure that appropriate risks are understood and managed, whilst also ensuring that in doing so we're not putting unnecessary barriers in the way. It's a tough trade-off and achieving success requires character and personality as well as traditional security skills and knowledge.

A similar point was made on this blog earlier in the year. Dan Morrill says that we need to:

1. Hire for technical ability, creativity, and socialization skills. I am well aware that this will cause problems in the ability to find these people; they are rare.

2. In the interview ask "how would you solve this problem" and see what their responses are: is it purely technical, is it part technical part social, does the solution make sense to the company, how well do they communicate the solution?

I found an article written about information security qualifications that puts it a slightly different way: "the real traits that determine whether or not one succeeds (regardless of their career path) are positive personality traits such as motivation, tenacity, and the burning desire for achievement."

Personality alone won't win the job. Qualifications and experience are important. In my case I worked my way through an MBA and can't recommend highly enough the value of going down that particular path. My CISSP certification was useful years ago when I was starting out but probably less so now that my career has become established. The new Institute of Information Security Professionals (IISP) is also looking to play a part in validating the professionalism of individuals within the industry.

So, bottom line: personality is important, so too is training and education.

October 27, 2007

Back to Earth

In Futurama, Fry wakes up in the year 3000 and finds himself in a strange new world where the technology is baffling, yet exciting. That's sort of how I felt wandering around the Microsoft campus today as a guest of Mark Curphey. There are gadgets galore, gaming machines, nice coffee and great meringues. If Carlsberg did work environments then this one is pretty close to how it would look.

Most impressive of all is Mark's vision for the Oxygen Security Platform. He describes this as "ERP for Information Security, the security management equivalent of what Visual Studio Team System is to software development or in more general terms an information security specific Governance Risk and Compliance platform." It's a unique and exciting venture and I for one am looking forward to seeing it come to life - so good luck to Mark on making it happen.

Anyway, I'm back off to my own third-world-in-comparison office. Boss, can we have a games room please?

October 30, 2007

$10 million supermarket scam

I've heard some words of indignation expressed at the invitation of Frank Abagnale to speak at this year's RSA conference. I understand the point of view - why should this convicted fraudster be able to make a living off the notoriety of his crimes? Mind you, there are worse ways to find fame. Mr Abagnale has yet to appear on Celebrity Big Brother, and neither has he stepped out of a limousine wearing a short skirt and no pants. Therefore he still retains some credibility in my book - at least until he declares himself a supporter of the Labour party, at which point I'd immediately demand that they stick him back in prison.

I also think that we can learn a lot from his words of wisdom because people are still falling for the old scams - just in new ways. This one's a good'un!

Red-faced accountants from one of the biggest supermarket chains in the US are frantically trying to regain control of more than $10m lost after falling victim to online fraudsters.

Evidently, no one at Minnesota-based Supervalu bothered to confirm the authenticity of emails sent in late February. Purporting to come from two of the company's suppliers, the messages instructed Supervalu to wire all future payments to new bank accounts. One email purported to come from representatives of Frito-Lay and the other from American Greetings. Both suppliers have established relationships with the grocery chain.

The emails were phony, but within two days, Supervalu began moving money into the accounts. Over the course of a week, the company transferred $10,128,941.94 in nine separate payments.

I wonder how many other organisations have fallen for similar tricks but simply never gone public about them, or even realise they've been scammed? I doubt this is a one-off. Would your processes have prevented an incident of this nature if it were targeted against your organisation?

November 2, 2007

Infosec Europe Hall of Fame

Infosecurity Europe are compiling a list of who they "consider to be the brilliant minds in the history of the information security industry." Read the details online here: https://www.infosec.co.uk/page.cfm/Action=Form/FormID=9/t=m

I think it's a compelling list and I was wondering who you would nominate and why....

November 7, 2007

Infosec Steering Committee

It was my privilege to be invited to chair this year's Infosec Europe Steering Committee meeting yesterday. The event team presented lots of plans and ideas that suggest next year's show will be the best yet.

What surprised me was the range of key information security related issues identified by the committee (which included senior representatives from financial, industrial, pharmaceutical and government sectors) as being of current importance within their own organisations. Surprising because I recall the focus of discussion at the previous years' meetings was on compliance and malware. This time around, nearly everyone brought a different subject to the table. These included identity management, content management, wireless security, risk management, social networking, compliance, outsourcing, and data classification.

Nobody mentioned malware as their number one issue. Does this indicate that we've beaten the threat or that we no longer perceive malware as being such a high priority? That's a subject I'll focus on for this blog shortly!

November 12, 2007

Bot Master Banged to Rights

“Crime pays, and it also has an excellent benefits package.”

So went the signature of John K Schiefer, the security consultant who has just "admitted to using massive botnets to illegally install software on at least 250,000 machines and steal the online banking identities of Windows users by eavesdropping on them while they made financial transactions." (See SecurityFocus at http://www.securityfocus.com/news/11495).

Apparently, most of the bot programs were spread using AOL Instant Messenger. In order to spread, the victims would have to first click on a link that would have been messaged to them. Anyone who took the bait had a Trojan program downloaded to their machine.

"I don't think anyone should feel sorry for me," Schiefer said. "What I was doing was wrong [and] stupid, and I got caught." (see http://blog.washingtonpost.com/securityfix/2007/11/security_pro_admits_to_hijacki.html?nav=rss_blog)

From the US Department of Justice:

John Schiefer, 26, of Los Angeles (90011), has agreed to plead guilty to four felony counts: accessing protected computers to conduct fraud, disclosing illegally intercepted electronic communications, wire fraud and bank fraud....Once he pleads guilty to the four counts, Schiefer will face a statutory maximum sentence of 60 years in federal prison and a fine of $1.75 million.

    November 25, 2007

    Data breach analysis

    I've been looking back at the recent history of data breaches. This resource at http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm shows that of 126 private sector incidents, 40% were the result of laptop theft, and a further 30% alluding to human incompetence or insider "Malfeasance."

    For further statistical analysis of data breaches, this web site has some good data: http://etiolated.org/. The top two incidents listed in terms of number of compromised records, CardSystems and TJX were apparently the result of vulnerabilities in systems used for hosting the data. Of the rest, five out of eight had fraud or theft as the cause.

    More detailed data can be found here: http://attrition.org/dataloss/dataloss.csv. If this is accurate then since records began being collated 7 years ago, more than 300million individual personal and private records may have been comprimised. That, incidentally is equal to the population of America. Of the 832 incidents catalogued,

    - 42 were the result of data disposal processes
    - 11 were through email
    - 53 were the result of fraud
    - 168 were the result of hacking
    - 75 were because of lost laptops, documents, or disk drives
    - 304 were because of stolen computers, stolen tapes or other media
    - 125 were because of web based attacks

    Only 2 incidents resulted from malware, affecting fewer than 3000 records. Nearly a quarter of all incidents are listed as being the result of "accidental" causes rather than being deliberate.

    This data tells us a lot. The fact that the majority of data breaches are the result of carelessness rather than malicious intent shows us that we must tighten up technical controls over access to data, management processes around handling and access, and education around what to do with data and how to dispose of it. Still, more than a quarter of breaches were the result of hacking, so web security and perimeter device security remain incredibly important.

    What about malware? We spend a fortune on anti-malware controls so is this data an indication that a) the controls are working and valid or b) we're not at as much risk of having our systems compromised through malware as we think we are? Or is there a c) the extent of malware related compromise simply isn't known?

    Back to the list of incidents: in only 37 (4%) is the data known to have been recovered with a resulting criminal prosecution. That's only 6% of the data records supposedly compromised, leaving a whopping 280 million records still at large...
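    The tallies above come from counting incidents by cause and then weighting them by records exposed, which is why 4% of incidents can account for 6% of records. The script below is an added example of that kind of analysis, not code from this post or from attrition.org; the sample rows and their column names are constructed for illustration and do not follow the real schema of dataloss.csv, which is not reproduced here.

```python
"""Tally breach incidents by cause, by incident count and by records exposed.

Added example, not part of the original post. The input rows are constructed
for illustration and do not follow the real schema of the attrition.org
dataloss.csv file, which the post does not reproduce.
"""
import csv
import io
from collections import defaultdict

# Constructed sample data (not real incidents): date, organisation, cause,
# records exposed, whether the data was recovered.
SAMPLE_CSV = """\
date,organisation,cause,records,recovered
2007-03-01,ExampleCorp,stolen laptop,45000,no
2007-04-12,ExampleBank,hack,1200000,no
2007-05-03,ExampleClinic,disposal,800,no
2007-06-20,ExampleRetail,web,250000,no
2007-07-07,ExampleUni,lost media,30000,no
2007-08-15,ExampleCo,stolen laptop,15000,yes
2007-09-02,ExampleGov,email,120,no
2007-10-11,ExampleISP,fraud,5000,yes
2007-11-30,ExampleShop,malware,2500,no
"""

# Causes that involve someone deliberately going after the data holder,
# versus losses that arise from carelessness or poor handling.
DELIBERATE = {"hack", "web", "fraud", "malware", "stolen laptop", "stolen media"}
ACCIDENTAL = {"lost media", "disposal", "email"}


def load_incidents(text):
    """Parse CSV text into a list of dicts with numeric record counts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["records"] = int(row["records"])
        row["recovered"] = row["recovered"].strip().lower() == "yes"
        rows.append(row)
    return rows


def tally_by_cause(incidents):
    """Return {cause: (incident_count, records_exposed)} for each cause."""
    totals = defaultdict(lambda: [0, 0])
    for inc in incidents:
        totals[inc["cause"]][0] += 1
        totals[inc["cause"]][1] += inc["records"]
    return {cause: tuple(v) for cause, v in totals.items()}


def shares(incidents):
    """Percentage of incidents and of records per cause, rounded to 1 dp.

    Counting by incident and by record answers different questions: one
    large hack can dwarf dozens of lost laptops once records are weighted.
    """
    n_inc = len(incidents)
    n_rec = sum(inc["records"] for inc in incidents)
    return {
        cause: (round(100.0 * c / n_inc, 1), round(100.0 * r / n_rec, 1))
        for cause, (c, r) in tally_by_cause(incidents).items()
    }


def deliberate_vs_accidental(incidents):
    """Split incidents into deliberate, accidental and unclassified counts."""
    counts = {"deliberate": 0, "accidental": 0, "unclassified": 0}
    for inc in incidents:
        if inc["cause"] in DELIBERATE:
            counts["deliberate"] += 1
        elif inc["cause"] in ACCIDENTAL:
            counts["accidental"] += 1
        else:
            counts["unclassified"] += 1
    return counts


def recovery_rate(incidents):
    """Percentage of incidents, and of records, where the data was recovered."""
    recovered = [inc for inc in incidents if inc["recovered"]]
    total_records = sum(inc["records"] for inc in incidents)
    return (
        round(100.0 * len(recovered) / len(incidents), 1),
        round(100.0 * sum(inc["records"] for inc in recovered) / total_records, 1),
    )


if __name__ == "__main__":
    data = load_incidents(SAMPLE_CSV)
    for cause, (by_inc, by_rec) in sorted(shares(data).items()):
        print(f"{cause:14s} {by_inc:5.1f}% of incidents {by_rec:5.1f}% of records")
    print(deliberate_vs_accidental(data))
    print("recovered (incidents %, records %):", recovery_rate(data))
```

    Run it against the real CSV by swapping in the file's actual column names; the point to take away is that the "most common cause" by incident count and the "most damaging cause" by records exposed are usually different causes, so both views should inform where controls are tightened.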


    November 27, 2007

    200 Today

    This is the 200th entry on this blog! I'm certainly not in any danger of running out of things to talk about. We're in a very dynamic environment where the risk equation must be continually reviewed for each of the bad outcomes that we are concerned about.

    My prediction for the next 200 blogs? Probably more of the same because the same old topics keep on cropping up. We seem to have ever more ingenious ways of relearning common mistakes. 10 years ago we talked about change control and process and moaned that we needed to tighten up. Today we still moan about both. Only now, you're far more likely to find yourself on the front pages when it all goes wrong.

    More reliance on platform based services such as Salesforce.com means that controls around data access, integrity and availability become more important than ever. Reliance on strategic web products and associated web 2.0 services raises further issues. PCI compliance is being gradually tightened up, as too are European data protection regulations.

    Anyway, as we're getting towards the end of the year, I'm going to join in the old game of trying to predict what's coming up next year. That's coming later...

    December 2, 2007

    Operation Bot Roast II

    The FBI are continuing their fight against botnets. They have announced the second phase of Operation Bot Roast, together with good news about successful indictments against a number of online criminals.

    You can read more about it at http://www.fbi.gov/pressrel/pressrel07/botroast112907.htm.

    January 5, 2008

    Politics of Security

    An interview with Lord Erroll entitled "The Politics of Security" caught my eye in the latest edition of Information Age. Erroll was behind the recent House of Lords Science and Technology Committee report on "Personal Internet Security." In this latest interview, he adds some further context to the conclusions of said report.

    It is illegitimate, says Erroll, for titanic software houses to sell a product to small businesses on the basis “that it’s a wonderful solution that will protect their business, and then when it doesn’t say, ‘Oh, I’m terribly sorry but it was your decision to buy it’”. Equally, he continues, a small provider offering downloadable freeware cannot be expected to compensate users if the product has flaws.

    Eroding Microsoft’s dominance on the desktop would help improve the dynamics of security software development and delivery, he argues. If there were a large number of competing operating systems, the user could choose between high- and low-risk options. The point, he says, is that users do not have that choice and as a result are unable – and indeed offered no incentive – to make a risk assessment for themselves. “We’re just beyond the Model T Ford stage where IT security is concerned,” he adds.

    I noticed that when the report was originally published, a security analyst from McAfee retorted with "security vendors only supply the tools, and it is up to businesses to deploy the tools effectively." Yes, that's true enough; however, you're unlikely to win many friends - or long term and repeat business - with that "the customer is in the wrong" attitude. Not only that, but why should it so often be difficult to meet the conditions of so-called "effective deployment" if the product was coded correctly or designed properly in the first place? Intellect, whose membership comprises most of the big names in the UK technology industry, made their own statement on behalf of their members:

    "We don't buy a car and then expect the manufacturer to pay up when it gets broken into."

    That statement alone shows just how little respect the industry really has for the customer. No, we don't blame the manufacturer when our cars get broken into, but then it's not really the same thing, is it? If I go to a restaurant and get food poisoning I'll certainly blame the chef. That's a much better analogy in my opinion.

    I agree with Erroll: vendors have a duty of care and I, for one, support the outcomes of the report.


    January 6, 2008

    RFID Passports

    Last week, the US "State Department approved technology that will allow passport cards, which can be used by U.S. citizens instead of a passport when traveling to other countries in the western hemisphere, to be read from up to 20 feet away."

    You can read more about it here.

    News about the likely introduction of RFID passports is nothing new, and Bruce Schneier expressed his thoughts on this subject over three years ago here.

    Unfortunately, RFID chips can be read by any reader, not just the ones at passport control. The upshot of this is that travelers carrying around RFID passports are broadcasting their identity.

    Schneier was even more critical, going on to say "this seems like a clear case of the Bush administration putting its own interests above the security and privacy of its citizens, and then lying about it."

    There is more detail on the concerns raised by the "US Center for Democracy & Technology" that you can download in pdf format here. Here are some of the best bits...

    Long-range RFID technology like that used in the GEN-2 protocol was never meant for human identification. Rather, it was designed for the tracking of things...security of the UHF RFID system, while important, was not a top priority....a technology meant to track products cannot be retrofitted with the level of security that is necessary for identifying people.

    It sounds so good that I'm surprised our own Government haven't proposed something similar yet... oh, they have?


    January 9, 2008

    Use this blog with caution

    Do you find this blog to be "seductively immediate, vividly worded and apparently candid"? If so, then according to Gartner, you should exercise "care and caution" before using it as a reference.

    Gartner have published a report entitled "Use Care and Caution to Qualify Insights From the Internet" (3 Jan 2008 by Whit Andrews and Carol Rozwell) which I think serves to highlight the fact that many people seem very willing to grab information from any and all online sources and quote it back as bona fide fact with little regard for the credentials and credibility of their sources.

    Anyone with even an infrequent experience on the Internet knows three essential truths:

    1. Having access to more information does not make that information inherently more valuable.
    2. Multiple instances of a piece of information do not vouch for its veracity.
    3. Information is made generally available often without regard for its persistence or potential impact.

    The article goes on to describe further guidelines for using online resources as reference points. If you can get access to it then it's well worth the download.


    Snack attack

    I have committed a careless act and put lives at risk. Yes, apparently it's true. The voice on the telephone that broke the news to me couldn't have been more serious. It may only have been an Alpen Snack Bar (with chocolate and orange), but its very presence in my daughter's lunch box had the headmistress at the infant school concerned, almost in a state of fury!

    You see, there are individuals at the school who suffer from a nut allergy. I do not want to in any way play down the effects of this affliction because I fully appreciate the potential consequences. So, was I, through giving the offending snack to my daughter, who for the past three months has avoided the food police removing similar items from her lunch box, putting others at risk?

    I assess risk on a daily basis, I've got equations and worksheets, knowledge of the environment, and a good degree of common sense. But what I don't have to deal with is life-threatening consequences because let's be honest, no one is going to die from a computer virus. If we were to add the potential for loss of life into the mix then you can bet that we'd suddenly become a good deal more risk averse. So I fully understand the head-teacher's point of view even though I don't concur with her assessment of the risk.

    As it stands, my daughter lost her snack bar and had to make do with a banana instead. Healthier for sure, but not really a treat.