When my consulting team did security stuff (note technical terminology) at Lotus, we found that the biggest risk from passwords is the Post-It note: users write down their passwords because security policies mandate ones that aren’t readily remembered. Try wandering around your office environment and see how many of these you can find 1) attached to monitors, 2) under keyboards, or 3) on office desk calendars / blotters. Far too much security protocol relies on conventional wisdom and accepted practice rather than empirical data.

Google uses industry-standard Hypertext Transfer Protocol Secure (HTTPS) encryption technology to protect customers’ login information. However, encryption is not enabled by default to protect other information transmitted by users of Google Mail, Docs or Calendar. As a result, Google customers who compose email, documents, spreadsheets, presentations and calendar plans from a public connection (such as open wireless networks in coffee shops, libraries, and schools) face a very real risk of data theft and snooping, even by unsophisticated attackers. Tools to steal information are widely available on the Internet.

Thanks to Chris Soghoian for his leadership on this one!

Not too well, according to Wired magazine.   Wired gives the new administration a “D” on copyright policy, a “C” on cyber security, and a “D minus” on privacy.  Speaking just to the copyright question, the Administration has done a lot to justify Wired’s unfavorable assessment thus far.  The Administration has courted controversy by appointing a large number of content-industry lawyers to key law enforcement posts, a practice that the Vice President has promised to continue as the Administration prepares to appoint the first-ever IP czar.  You don’t need to look any further than the listing of amicus curiae briefs filed in MGM v. Grokster to see the conflict between strengthening copyright and strengthening innovation: as participants on both sides of that case well understood, more of one means less of the other.

According to Wired, EFF’s Fred von Lohmann thinks it’s still too early to give the administration a grade on innovation.  The new President has had a great deal on his plate, to be sure, from war to a variety of economic crises to a new public-health scare.  But as I suggested during the campaign, those things don’t displace technology policy, they just crowd it out of the headlines and push it into the back rooms.  The new administration has a technology policy that is revealed by its actions to date, and it’s neither unfair nor premature to evaluate those actions according to their likely effects on innovation.

We will soon have a new data point to add to the mix.  In January, the Supreme Court invited the Solicitor General to file a brief expressing the views of the United States concerning the pending cert petition in CNN, Inc. v. CSC Holdings, no. 08-448 (better known as the Cablevision case).  The Court’s rules don’t oblige the SG to file by any particular date, but it’s highly likely that they will do so before the end of the current Term of the Court this summer.  The SG’s recommendations have historically carried a great deal of weight with the Court, and Dean Kagan’s decision may reveal a great deal about which way the wind is blowing in Washington.  As they used to say, stay tuned!

UPDATE: In a very nicely done brief, the SG has recommended against cert in Cablevision.

Heartland does not know how long the malicious software was in place, how it got there or how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates.

“The transactional data crossing our platform, in terms of magnitude… is about 100 million transactions a month,” [the company's president] said. “At this point, though, we don’t know the magnitude of what was grabbed.”

Wow. (The company hastens to add that, because the bad guys didn’t get addresses, they would need to make counterfeit cards to exploit this data. Small comfort if you’ve read stories like this one.)

This disclosure reminded me of a speech I attended recently: an important DC lawyer who represents companies in privacy disputes was complaining about data breach notification laws. He pointed out, correctly I think, that the expense of disclosing a breach often dwarfs the real risk of harms like identity theft. But then he said the better response would be regulatory rules that set the requirements for data security. Not so sure about that.

I am skeptical about the effectiveness of some federal agency (the FTC?) supposedly auditing data security compliance at big firms across the country. It has not worked very well for health care privacy under HIPAA. One thing that moves data security up a company’s priority list is the reality that mistakes will be made public. But for states’ data breach notification requirements, we might never have found out about the Heartland breach (never mind the many, many others revealed through these laws). True, there could be some better standards as to when a breach creates enough risk that the costs of notification are worthwhile. But the basic technique of using the disclosure of errors as deterrence to force better precautions seems sound to me in this setting. How far would we be toward improving data security if these breaches had remained secret?

Spam’s basic problem is the same: our social norms of trust are at odds with the insecure foundations of e-mail. Put another way, both we and our e-mail systems are too trusting, and thus easily duped. Spam exploits the credulous (”If my friend forwarded this link, it must be OK!”) and the opportunistic (”Hey, free Anna Kournikova pictures!).

I still think we should do three things. First, e-mail just doesn’t work for communications that need security and the ability to authenticate senders. I proposed “safe mail” a few years back, and as with most academic ideas, it’s garnered almost as many supporters as Blagojevich for President. But it’s still a good approach. Second, ISPs need to think about rather paternalistic approaches (=URL blocking) in some cases, with opt-out for those willing to take informed risks. Think of this as mandatory StopBadware – when you try to connect to a spoofed or phishing site, you can’t. Finally, we need better defenses on our computers. Microsoft Vista tried for this, but its constant security warnings annoyed everyone without increasing security, leading to defensive ad campaigns rather than defensive computing.

Spam will always be around. It worries me, though, that our perception of its threat seems to be inversely proportional to the harm its payload carries…

The New York Times reports on some terrific research done by my former ONI colleague Nart Villeneuve – he found that the TOM-Skype text messaging service in China not only scans messages for sensitive keywords, it also stores copies of offending messages along with information identifying the sender and receiver. This raises a host of scary issues. First, these messages are clearly stored for a purpose. It might be to help TOM-Skype kick people who send sensitive messages off the service; more sinister (and more likely) is that it might help the Chinese government keep tabs on those users (and, probably, analyze traffic data for trends in what’s discussed or to detect new keywords to block). Second, the surveillance is insecure: Nart’s hax0r skills are rare, but there are other skilled folks out there, too, who might find (or have found) uses for this information. Third, Skype has consistently denied doing this sort of thing. Oops. Finally, eBay (which has thus far eluded the scrutiny that Microsoft, Google, and others have faced over operations in China) has responded by saying they’ll have TOM-Skype fix the “security breach.” No, not the one that stores all these messages – the one that let Nart access them. This is like spotting a sewage leak like by the flies above it, and vowing to do something about those flies.

This research also elucidates the link between censorship and surveillance: the former can enable the latter to be better-targeted. Indeed, Nart’s work suggests that TOM-Skype messages were stored not simply because of content, but because the service identified certain users as more likely to send texts with sensitive keywords. That’s scary. And it moves (or should move) the debate about corporate complicity with authoritarian states’ actions up a notch: this is more like Yahoo! selling out Shi Tao than Google censoring search results. We’ll see what, if anything, eBay does in response.

I remain a huge Lotus Notes fan – primarily for its security and reliability. Of course, I use Notes at a school with an Exchange infrastructure, and root for the Red Sox in a city split between the Yankees and Mets. Up next: I endorse Ralph Nader for the iconoclast trifecta.