Wednesday, October 12, 2005

That's a crime?!?

http://www.theregister.co.uk/2005/10/11/tsunami_hacker_followup/

It appears that a few members of the UK's legal community have spent too much time at the local pub. The above referenced article finally provides some details into the heinous, illegal actions taken by a security professional against a Tsunami relief donation site. To quote the article, "Cuthbert put ../../../ into the address line. If the site had been unprotected this would have allowed him to move up three directories".

Egads! Bloody evil old chap! If that's a crime, you'd best not click here. Actually, could I be arrested for inciting a crime by even providing that link?

Seriously, this conviction is a travesty. Given all the real crimes that are occurring, to convict a true security professional for something as trivial as a munged URL is unforgivable. It is inconceivable to me how such an action can even be considered criminal, much less inappropriate. It is no more malicious than a port scan, perhaps less so. The only person who should be out of a job in this case is the poor schmuck's lawyer.
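As an added illustration (not part of the original post or the article it quotes), here is what the quoted ../../../ request does on an unprotected server next to the root check a protected one applies, plus a scan of some log lines for the same pattern. The web root and the access-log lines are constructed for the demo.

```python
import posixpath
from urllib.parse import unquote

# Constructed sample: the document root of a hypothetical donation site.
WEB_ROOT = "/var/www/donate"

def naive_resolve(root, requested):
    """What an unprotected site does: concatenate the request path onto the
    document root and let the filesystem honour every '..' segment."""
    return posixpath.normpath(root + "/" + unquote(requested))

def safe_resolve(root, requested):
    """Resolve a request path and refuse anything that escapes the root.
    Returns the absolute path, or None if the request would leave the root."""
    root = posixpath.normpath(root)
    # Decode percent-encoding first so '%2e%2e' is seen as '..'.
    decoded = unquote(requested)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate

# Constructed access-log lines (common log format) for the demo.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Oct/2005:12:00:01 +0100] "GET /images/logo.png HTTP/1.1" 200 512
10.0.0.7 - - [11/Oct/2005:12:00:02 +0100] "GET /../../../ HTTP/1.1" 403 0
10.0.0.7 - - [11/Oct/2005:12:00:03 +0100] "GET /..%2f..%2f..%2f HTTP/1.1" 403 0
10.0.0.9 - - [11/Oct/2005:12:00:04 +0100] "GET /donate/form.html HTTP/1.1" 200 2048
"""

def traversal_attempts(log_text, root=WEB_ROOT):
    """Return (client, path) for every logged request that would escape root."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split('"')
        if len(parts) < 2:
            continue
        client = line.split(" ", 1)[0]
        request_line = parts[1].split(" ")
        if len(request_line) < 2:
            continue
        path = request_line[1]
        if safe_resolve(root, path) is None:
            hits.append((client, path))
    return hits

if __name__ == "__main__":
    print(naive_resolve(WEB_ROOT, "../../../"))   # three directories up: "/"
    print(safe_resolve(WEB_ROOT, "../../../"))    # None: refused
    print(traversal_attempts(SAMPLE_LOG))
```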

Tuesday, October 04, 2005

Steal my what?

You may have heard the story about superstitious tribesmen who think that a camera can steal their soul. Pretty silly that people could actually believe that. In fact, it's almost as silly as the current buzz around identity theft.

So, explain to me please how somebody can actually steal my identity. If they do, do I cease to exist? Do I cease to be me? Do I wander around like an undead zombie saying, "Hi, I'm nobody"? Is it like the mad scientist on Gilligan's Island swapping voices and personalities between bodies?

OK, enough sarcasm (for now). ID Theft is really just plain old fraud. Unfortunately, the big financial institutions, credit bureaus, and government are either too stupid, or too lazy to properly address the problem. Instead we get silliness like the Notification of Risk to Personal Data Act.

The proposed bill would require notification to individuals if their (ahem) personal information is somehow compromised. Great, so now I know that some 3rd party over whom I have no control has unwittingly allowed some other 3rd party over whom I have no control to obtain said personal information, and that new 3rd party could potentially use that information to fraudulently obtain credit from yet another 3rd (5th) party over whom I have no control.

Gee, I'm glad I'm being notified. Now I can take bold and decisive action like filing a fraud alert with the credit bureaus. Greeeeeeaaaaaaaat. So, if somebody obtains my super secret, super sensitive "personal" information, and if the source through which they obtained it is fortunate enough to discover it, and if they are diligent enough to notify me, and if I am concerned enough to notify the credit bureaus, THEN, people will be a bit more careful about extending credit in my name. Otherwise, it's just the same old foolishness. That makes TONS of sense.

What I can't figure out is why we don't just make it harder to commit fraud in the first place. I'm not the least bit comfortable relying on the best (er, I mean minimally compliant) efforts of multiple organizations who have access to my super secret, super sensitive, "personal" information for the security of my "identity". Why should I bother?

Let's see. There's banks, credit card companies, insurance agencies, mortgage brokers, schools, daycare providers, pharmacies, sports leagues, family members, government agencies, employers, and probably more that all have some of my super secret, super sensitive, "personal" information. Fortunately, no criminals work for any of them, so if they can just succeed in preventing, or at least notifying me of, any unauthorized access, we'll have this ID theft problem licked faster than a 1 cent lollipop. Pass the cotton candy.

-SHP