Security Basics mailing list archives

Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."


From: Jason Muskat <Jason () TechDude Ca>
Date: Tue, 16 May 2006 22:13:56 -0400

Hello,

Security has to be correct 100% of the time. One omission can lead to an
exposure. Count yourself lucky that your vulnerabilities haven't been
exposed (that you know of -- think Ohio State's exposure
<http://www.ohio.edu/datatheft/alumni/index.cfm>). Many organizations cover
up (do not report to governmental authorities) every exposure that occurs.
This is the norm.

Consider the following: 10 persons' information is known to have been stolen.
Everything from address, SSN, account numbers, credit cards, driver lic.,
health ins. forms, employment data, etc. It goes unreported. Years later
you receive letters for failing to pay your mortgage, credit cards, taxes,
car lease, speeding tickets; you didn't show up for sentencing, and have a
warrant for your arrest.

Things like the above happen. I read how a case of mistaken identity had
some fellow jailed for a few months before it was resolved. Imagine how it
could have gone if the perpetrator had stolen his ID.

Once your information is exposed you soon realize that there is nothing you
can do to protect yourself; it's too late. For evermore you, not the
organization, have to check your credit reports and accounts and put flags up in
your accounts over and over again until you die, and all at your, not the
organization's, expense. Most organizations don't even offer help to the
people they adversely affected. At the very least an organization should set
up a department to help the customers they have harmed.


Regards,

-- 
Jason Muskat  | GCUX - de VE3TSJ
____________________________
TechDude
e. Jason () TechDude Ca
m. 416 .414 .9934

http://TechDude.Ca/


From: Saqib Ali <docbook.xml () gmail com>
Date: Fri, 12 May 2006 21:22:03 -0700
To: Bob Radvanovsky <rsradvan () unixworks net>
Cc: Jason Muskat <Jason () techdude ca>, "Sadler, Connie"
<Connie_Sadler () brown edu>, <email () securityabsurdity com>,
<security-basics () securityfocus com>
Subject: Re: Article: "Security Absurdity: The Complete, Unquestionable, And
Total Failure of Information Security."

> "Security" is a matter of perception.  If the companies don't see it as an
> issue, it (quite simply) is *not* an issue.

That is fine for the company in question. But NOT fine for the
customers / other companies interfacing with the company that does not
see INsecurity as an issue. I wouldn't want to have my credit card info
stolen from an online merchant, and neither would you.

One option is that I do not deal with companies that do not take security
seriously. But how do I know which companies do NOT take security
seriously? Maybe they should put a disclaimer on their website?

-- 
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------


