Michael Howard's Web Log : Privacy

Kim Cameron on GOOGs single sign on design vulnerability

michael_HOWARD — Mon, 15 Sep 2008 16:25:00 GMT

I spoke with Kim Cameron a few days ago about Google's single sign-on (SSO) design bug. I wanted his take on the bug because he's one of the best in the area of identity, single sign-on etc etc... his response can only be described as scathing.

Reminder: Microsoft Security Intelligence Report - Webcast on Wed 7 Nov

michael_HOWARD — Wed, 07 Nov 2007 02:41:00 GMT

Wednesday, November 07, 2007 10:00 AM Pacific Time

Support WebCast: Microsoft Security Intelligence Report: Latest trends in vulnerabilities, malware, and potentially unwanted software

Privacy Tip o' the Day

michael_HOWARD — Wed, 08 Aug 2007 18:34:00 GMT

I'm stunned at how much private data the average citizen will divulge. I was buying some stuff yesterday, and the clerk at the checkout asked the customer in front of me for her phone #, which she was quite happy to give. Next, I was signing up for gym membership, and the guy in front of me wrote his social security number on the membership form! Why on earth does a gym need your sosh?

So here's what I do.

Check-out clerk: "Can I please have your phone number?"
Me: "It's unlisted"

I have never had a single issue with this line, and it's not as argumentative as, "no, drop dead."

As for SSN.

Gym Membership guy: "You didn't complete the form, I need your SSN."
Me: "How will my SSN be used?"
Gym Membership guy: "I don't know."
Me: "I bet it's not needed."
Gym Membership guy: "You're probably right"
Me: "Ok, let's leave it blank for the time being."

End of story. Again I'm being civil, and leaving it open ended, even though I have no intention of supplying my National Identity Number, oops, I mean social security number.

In the rare case where someone thinks they REALLY need my sosh and I don't think they do, I'll enter my SSN but flip a bunch of numbers around, I take advantage of the fact there's no checksum digit in a SSN! :)

A Chronology of Data Breaches

michael_HOWARD — Fri, 22 Sep 2006 23:14:49 GMT

A fascinating read http://www.privacyrights.org/ar/ChronDataBreaches.htm.

SDL book is shipping!

michael_HOWARD — Fri, 02 Jun 2006 20:28:00 GMT

I have in my paws a copy of the Security Development Lifecycle book... :) And I am told boxes of books are on the way to warehouses right now! It's always great to see the physical bits!

Privacy Breach Impact Calculator

michael_HOWARD — Mon, 08 May 2006 08:17:00 GMT

Cute!

http://searchsecurity.techtarget.com/general/0,295582,sid14_gci1182844,00.html?track=NL-430&ad=551180

MSN Phishing and Scams site

michael_HOWARD — Mon, 20 Dec 2004 21:36:00 GMT

Just gone live, you should point friends and family to this: http://safety.msn.com/phishing/

Finally, a book on Privacy for Developers

michael_HOWARD — Wed, 13 Oct 2004 18:55:00 GMT

My good friend J.C. Cannon has written the book on Privacy aimed squarely at developers, as well as IT folks. While I, and many others, focus on security, J.C. and his team address privacy issues. I think most people consider the two disciplines kinda the same, they are quite different, and I would urge you to get a copy of the book if your application deals in any way with private data.

http://www.amazon.com/exec/obidos/tg/detail/-/0321224094

BTW, J.C.bought me a very nice bottle of Cloudy Bay 2003 Sauvignon Blanc recently. I'll open it in nine months. Yum, yum! And no, I'm not gonna share it with anyone but my wife. So don't ask!

Windows XP SP2 Privacy Statements Released

michael_HOWARD — Mon, 16 Aug 2004 20:01:00 GMT

The Windows Privacy Statement highlights 27 components that have historically been of interest to privacy advocates and customers, and the 6 page IE Privacy Statement highlights some of the new IE features including “Pop up Blocker”, “Untrusted Publishers”, and “Managed Add-ons”.

The statements, along with new Group Policy privacy controls are available at the links below.