Friday, August 22, 2014

Delaware and the Digital Dead

An article in yesterday's Wall Street Journal [Jacob Gershman, Delaware Eases Access to Digital Data of Dead] prompts us to think about what happens to all that stuff we have been saving when we die.  Delaware, which is not known for its innovation in legislation, has decided to be the first state to take this on.  The bill signed by the governor gives estate attorneys, and a few others, the authority to deal with a deceased person's e-mail, cloud accounts and data, and social media accounts.  Anyone who has gotten a birthday announcement for a relative who died a year ago knows why we need such a thing.

It is not surprising that the industry most affected would fight this law by pointing to a 1986 federal law (the Electronic Communications Privacy Act and its Stored Communications Act) that says electronic communications companies cannot disclose stored content without the owner's consent.  The fact that the owner is dead, according to this argument, is not material.   I'm wondering why they don't just comply, and stop this kind of spurious chatter that makes them look like they are simply being difficult.  Other states need to get involved and pass their own versions, or Congress can pass a similar law for the whole country.

I have a suspended account from Google that I still haven't been able to get rid of and I am still alive.  If I died, my wife would have no chance of ever getting that account closed.  There may be nothing in it of any importance, but I would never know because I haven't been able to get into it for 5 years.

When my favorite aunt died a few years ago, we wanted to get into some of her e-mail so we could stop the automated payments she had set up for some charities.  We didn't know where some of them were, and it takes time to close the accounts they were being paid from.  The executor and his attorney couldn't get much of anything.  The bank closed the accounts, but only after getting a death certificate, which itself takes time to obtain, and it never did say where all of these payments were going, or for how long after her death they continued.  By the time it gets ironed out, it isn't worth the legal fees.

So, I wonder why places like Facebook and Google want to hire a law firm to fight this, when they know that when a person dies, somebody needs to know what records that person had that are important to settling the estate and terminating those accounts.  Delaware's may not be the most innovative legislature, but they sure got this one right.

Wednesday, August 20, 2014

Hold Security

In one of Bruce Schneier's most interesting posts, he goes into detail on the discovery of hacks, done to steal passwords and accounts, reported by a company called Hold Security.  I must admit to having doubts about this whole thing, but Bruce, as usual, writes his down.  Worth the read.
https://www.schneier.com/blog/archives/2014/08/over_a_billion_.html#c6676010

Monday, August 11, 2014

China's Press Guidance

A story from the BBC today, "China detains Xinjiang man for 'online rumours'", shows what happens to you when you don't follow the guidance given by Chinese censors.  The incident is worth noting.  A group armed with knives and axes attacked a police station.  Thirty-seven civilians were killed and the police shot dead 59 of the attackers.  To anyone outside China, this sounds like a major event that would make the evening news in any country.  The attorneys general would be out in force in any country where the police shot that many people in one day.

The individual arrested in the lead to this story "circumvented censors and put his comments on websites outside the country".  One of his claims is that the riots that followed the shootings at the end of Ramadan involved 3,000 to 5,000 people.   Only in China is this a crime. He has confessed to inflating the numbers to get more attention for his articles.  Considering the authorities have themselves admitted to almost 100 people being killed, we have to wonder which numbers they are talking about.

In case you haven't noticed, the numbers of dead are increasing in Xinjiang.  The Chinese have managed to keep a lid on it by controlling the reports of casualties.  It sounds like their tactics are apt to create more martyrs than anything else.  That is going to be hard to keep quiet.

Sunday, August 10, 2014

China Clamps Audits

A story in the Wall Street Journal on Saturday [ http://online.wsj.com/articles/china-using-antimonopoly-law-to-pressure-foreign-businesses-1407154916?tesla=y&mg=reno64-wsj ] tells the tale of the arrest and conviction of people who do what hundreds of business intelligence people do all around the world: collect information for the due diligence decisions made by every business partner.  The Chinese are calling this stealing state secrets.  The fact that the information was retroactively declared a state secret does not seem to bother them.

They are hiding something.  They are hiding the ownership of some of their major businesses.  They are hiding the involvement of government leadership in business dealings that make them rich.  They are hiding from anyone outside of China the ability to audit their businesses.  They are trying to stop any company that looks at ownership closely, because they don't want it to be found out.  What makes this a state secret?   Corruption.  It runs deep in the government and military sectors.  Just how deep is something they really want to prevent others from knowing.

Thursday, August 7, 2014

USIS Hacked, OPM hacked

It is obvious now that the data in security clearance investigations is a target, but it should have been obvious before the breaches at OPM and USIS.  Putting OPM in charge of e-QIP, or anything else that requires security, was always a mistake, but this is way beyond anything we could have imagined.  Security clearance files hold employment history, Social Security numbers, telephone numbers for you and all of your employers, arrests, financial records, and investigators' notes.

I have never been happy about the security protection anyone gave to this information, but Defense did a better job over the years than OPM has done in the short time it has had responsibility.  It took our information being handed to hackers for the average employee or cleared contractor to figure this out, and it is not going to get better until somebody else is put in charge of the security clearance process.  OPM has screwed up the investigative process more than DoD ever did, and it is now almost impossible to get, and keep, a security clearance.  I'm glad I don't have to rely on them anymore for my livelihood.  They seem oblivious to the damage they do to the workforce of the Intel and Defense communities by their lack of responsiveness to adjudications and bring-up investigations.  My Congressional office says "We are aware that they have had some difficulties with the process", which does not begin to describe how bad it is.  If this doesn't get Congressional hearings started, I don't know what will.  How much more of this can we take?

Wednesday, August 6, 2014

China Whacks Microsoft when they are down

A story in Reuters today [ China anti-trust regulator conducts new raids on Microsoft and Accenture ] says some things we have all heard before about the way China does business, but one of them is interesting.

The State Administration for Industry and Commerce has been raiding U.S. companies for a variety of bogus reasons for as long as there has been trade between us.  But something else caught my attention in this article.  Microsoft has been having disruptions in its OneDrive service in China.  OneDrive is a lot like Google Drive, for those who might not have seen it.

Microsoft is down because its business in China is down.  The Obama Administration has complained many times about the amount of counterfeit software sold in China, but the Central Government's decision not to allow Windows 8 on government computers is a bigger setback.  Microsoft spent years working an arrangement in which it knew its software was being counterfeited but didn't make a fuss, because the Central Government would buy enough licenses to keep it happy.  That seems to have turned sour, and now OneDrive is being disrupted.  As anyone knows, that could happen through any one of a number of natural causes.

They should talk to Google about this kind of thing.  When Google and the trade officials in China were going toe-to-toe over what Google should censor, Google started having "power problems" in some of its data centers.  The Chinese attributed that to the kinds of trouble any growing city would have.  The Chinese have a new excuse for almost anything that can occur.

If it doesn't look like a coincidence, don't make a coincidence out of it.  The Chinese are more than willing to disrupt operations if they don't like something you are doing, dirty as that is.  Intimidation isn't the way to do international business.  It is one thing to stop buying a commercial product, but quite another to intentionally disrupt business operations.

Giganto Account Theft, 4.5 billion stolen

A number of articles today note that a company, Hold Security [ http://www.holdsecurity.com/news/cybervor-breach/ ], says it was tracking some other stolen credentials when it came upon this much larger collection, stolen mostly through SQL injection against around 420,000 web and FTP sites.  Yes, I know there are hundreds of millions of websites, but you still have to work at finding that many vulnerable to SQL injection.  The flaw has been around forever.  These people used a botnet to scan websites for the vulnerability, then came back to the ones that tested positive.

The total number of records they got away with is around 4.5 billion, of which 1.2 billion are unique username-and-password combinations.  Most of us use the same e-mail address for these external site registrations, so the haul contains a lot of duplicates.

The answer from most of the affected sites is for users to change their passwords.  This is absolutely unbelievable.  I don't know about you, but I don't even have a list of all the sites that require "registration" so they can send out ads and sell mailing lists.  We have no way of knowing who they sold those lists to.  Yes, I can change my passwords again, as I last did when Heartbleed was on the rampage, but that puts all the responsibility on users, who aren't the ones at fault here.

The obvious answer is to get the administrators of those websites to take something like the SANS 20 Critical Security Controls and run checks for those vulnerabilities.  It is more than just SQL injection. [ http://www.sans.org/critical-security-controls ]
And, while they are about it, how about all those other patches and updates that keep coming out and get ignored?  Maybe someone needs to start naming names of the places that don't have enough sense to secure our data to basic industry standards.
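For readers who have not seen the flaw the CyberVor crew was scanning for, here is an added example (mine, not code from this post, from Hold Security, or from any of the affected sites) of the kind of login query that leaks a whole user table, beside the parameterized form that does not, plus the crude single-quote probe a scanner uses to tell the two apart.  It uses Python's standard sqlite3 module against an in-memory database; the user table, the account names and the passwords are constructed for the demonstration and belong to no real site.

```python
import sqlite3

# Constructed sample accounts (not real data). A real site should also
# store only salted password hashes, not the plaintext used here.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build a throwaway in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Typical 2014-era login: attacker text is spliced into the SQL grammar."""
    sql = (f"SELECT username FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Parameterized form: the driver binds values, they never become SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Payloads of the kind an automated scanner tries. In the vulnerable query,
# the '--' turns the rest of the statement into a comment, so the AND password
# clause is never evaluated.
BYPASS_PAYLOAD = "' OR 1=1 --"
DUMP_PAYLOAD = "' UNION SELECT password FROM users --"


def probe_for_injection(conn, login_fn):
    """Error-based probe: a lone quote breaks string-spliced SQL but is
    harmless to a bound parameter. Returns True if the endpoint looks
    injectable (this is what a botnet scan checks before coming back)."""
    try:
        login_fn(conn, "'", "x")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, bypass  :", login_vulnerable(conn, BYPASS_PAYLOAD, "x"))
    print("vulnerable, dump    :", login_vulnerable(conn, DUMP_PAYLOAD, "x"))
    print("safe, bypass        :", login_safe(conn, BYPASS_PAYLOAD, "x"))
    print("safe, real login    :", login_safe(conn, "alice", "s3cret"))
    print("probe vulnerable    :", probe_for_injection(conn, login_vulnerable))
    print("probe safe          :", probe_for_injection(conn, login_safe))
```

The bypass payload logs in as every account at once and the UNION payload returns the password column in place of usernames, which is the shape of the 1.2 billion credential pairs described above.  The parameterized version treats the same strings as a literal username that matches nothing.  The probe is deliberately crude: a site that swallows database errors and returns a generic page defeats it, but that hides the symptom, not the flaw, and a scanner will simply move on to boolean or timing checks.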