As individual datasets appear on the public Internet, they add to the ability of interested parties to identify individuals by correlating them with other datasets. As more and more information becomes accessible, anonymity quickly degrades and actionable intelligence about an individual increases. Correlating this information is a major challenge, however, and one that data brokers are quickly stepping in to solve for their customers. As our culture dives deeper into social media and how it can enrich user experiences, the value of this correlation effort increases.
Can the law keep up with the personal information that is aggregated at sites like Spokeo.com? This is one glaring side effect of the ability to extract intelligence from such a dataset. Technology has outpaced existing laws and failure to balance legal protection with technological advancement could do harm to both consumers and those who seek to use this information to make better decisions.
Read More »
DNS Security Extensions, or DNSSEC for short, is something most people working with DNS have heard about. The first working documents in the IETF were posted in September 1994, and now, almost 16 years later, the root zone has finally been signed. In fact, the root zone is being signed today, July 15, 2010. This marks the end of a process that started on the 27th of January, 2010, when the first key material was made available in the root zone.
But what does “signing the root zone” imply? And what is this DNSSEC anyway? Most people have heard about PKI, or Public Key Infrastructure. It is a special kind of system using asymmetric keys — asymmetric because one party encrypts with one key and another party decrypts with the other key of the pair. What is special is that the public keys (or rather, a hash of them) are all signed with the key of a parent node in a strict hierarchy, except for the key in the root node. That key is where all trust is bootstrapped from, and that root key is known and trusted by everyone. Because of the strict hierarchy of signatures on the keys, it is possible, starting from the trusted root key, to derive trust in any other key in the hierarchy.
Many PKIs have been deployed in the world, and the most well known are the keys used for SSL or TLS, specifically when using it for web access, or to be more specific, when using it to secure the HTTP protocol. But all of the initiatives so far have had the problem that people have not really been able to select one root, but instead have had to choose from a list of many root keys. If you look at the list of trusted CAs in a web browser, for example, you will see that it is a very long list. In order to secure one’s website it is necessary to use a certificate issued by one of the CAs in this list.
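To make the “hash of a public key, signed by the parent” idea concrete, here is an added example (not part of the original post) of how a parent zone’s DS record is derived from a child zone’s DNSKEY and how a validating resolver checks that the two match. The key material is a constructed toy value, not any real zone’s key.

```python
# Added example: DNSSEC delegation check. The parent zone publishes a DS record
# containing a hash of the child's DNSKEY; a resolver recomputes the hash from
# the DNSKEY it receives and compares. Key bytes below are constructed, not real.
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Encode a DNS owner name in canonical wire format (lowercase labels)."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Build DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (a checksum used to pick among keys)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner name (wire format) + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def ds_matches(owner: str, rdata: bytes, ds_tag: int, ds_alg: int, ds_digest_hex: str) -> bool:
    """What a validating resolver checks: does the parent's DS cover this DNSKEY?"""
    algorithm = rdata[3]
    return (key_tag(rdata) == ds_tag
            and algorithm == ds_alg
            and ds_digest_sha256(owner, rdata) == ds_digest_hex.lower())

# Constructed example: a fake key-signing key for "example." (flags 257 = zone key + SEP,
# protocol 3, algorithm 8) with a four-byte placeholder public key.
EXAMPLE_KEY = dnskey_rdata(257, 3, 8, bytes.fromhex("01020304"))
EXAMPLE_DS = (key_tag(EXAMPLE_KEY), 8, ds_digest_sha256("example.", EXAMPLE_KEY))

if __name__ == "__main__":
    tag, alg, digest = EXAMPLE_DS
    print(f"example. IN DS {tag} {alg} 2 {digest}")
    print("DNSKEY covered by DS:", ds_matches("example.", EXAMPLE_KEY, tag, alg, digest))
```

A single changed byte in the child’s key, or a DS pointing at a different algorithm, makes the check fail, which is what stops a forged DNSKEY from inheriting the parent’s trust.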
Read More »
As discussed in this week’s Cyber Risk Report, Blizzard Entertainment, developer of the popular Warcraft, StarCraft, and World of Warcraft video game franchises, proposed a plan for certain areas of its Battle.Net bulletin board forums. Under the plan, user posts in the selected areas would have been accompanied by the real name of the owner of the online profile. The scheme would have been part of the newly available Real ID service offered by Blizzard, which ties real names to online accounts. According to Blizzard, the reason behind the proposed change was to remove the veil of anonymity on the boards that allows some forum posters to hide their identity and post hateful, racist, or deliberately inflammatory comments. Since the announcement, however, many users within the community have voiced their concerns, and Blizzard has canceled the proposed changes. Even though the plan will not go into effect, it is worth examining the potential dangers of associating real names with online profiles.
Read More »
On June 25, the US Government released the National Strategy for Trusted Identities in Cyberspace (NSTIC, pronounced “N-stick”) for public review and comment. NSTIC is a recognition of the need for a secure identity infrastructure to address the current fraud on the Internet, and the need to support additional applications that are not well supported by current identity systems.
While in many countries it is natural to think of the Government as the manager for one’s online identity, this makes many Americans, and indeed the US Government, very uncomfortable. NSTIC addresses this concern through an Identity Ecosystem, an accredited community of Identity Providers supporting authentication and Attribute Providers providing trustable information about users. The concept is to provide users with freedom of choice on what identity provider(s) to trust with their authentication credentials, and what attribute providers should be trusted to provide reliable information about the user.
The NSTIC comments website currently has about 300 feedback and idea items about the draft, with votes and comments on many of these ideas. It appears from many of the comments and from some press coverage that there are some misconceptions about NSTIC and what it is trying to do. Here are a few of them:
Read More »
One of the first lessons I learned about business came from my first boss, Bill, the sole proprietor of a small retail shop where I worked a few days a week after high school: the customer is always right. Bill always told me that word-of-mouth advertising was much more valuable than paying for print or radio ads, because when a satisfied customer tells a friend about a good experience it makes a lasting impression. Even more so for a negative impression — if a customer goes away unsatisfied, they’ll tell even more people than if they were pleased with their shopping experience. So it was very important to smile (even when answering the phone), be courteous and helpful, and always look for an opportunity to make a bad experience a good one, or at least a neutral one, before the customer left.
Bill’s shop was a small-town business, and he knew that word travels fast in a small town, for better or worse. With social media, online customer reviews, and ubiquitous smartphones, shoppers are lured instantly to the best deals and away from the worst experiences. Now, even for the largest businesses, much of that small-town atmosphere applies to a global customer base, and handling this hyper-connected community can require great care. As we saw with one local contractor, an indelicate response to a customer’s bad experience can sometimes mean even greater negative publicity than before.
Customer service, public relations, and brand protection are disciplines in their own right, and I don’t presume to cover their concerns here. But each overlaps organizational security in key areas, including protecting the organization, ensuring adherence to defined policies, and communicating the customer’s or end user’s hardship back to the organization.
Read More »