Emergent Chaos

The Emergent Chaos Jazz Combo of the Blogosphere
Gary McGraw and Steve Lipner (Yesterday)
Gary McGraw has a new podcast, "Reality Check" about software security practitioners. The first episode features Steve Lipner. It's some good insight into how Microsoft is approaching software security.

I'd say more, but as Steve says two or three good things about my threat modeling tool, you might think it some form of conspiracy.

You should go listen.

Reboot the FCC? No, debug the problem (Yesterday)
Larry Lessig has a very interesting article in Newsweek, "Reboot the FCC." The essence is that the FCC is inevitably bound by regulatory capture. He proposes a new agency with three tasks:
  1. "The iEPA's first task would thus be to reverse the unrestrained growth of these monopolies."
  2. "The iEPA's second task should be to assure that the nation's basic communications infrastructure spectrum— the wires, cables and cellular towers that serve as the highways of the information economy—remain open to new innovation, no matter who owns them."
  3. "Beyond these two tasks, what's most needed from the iEPA is benign neglect."
The EPA is an interesting choice as a model. They are responsible for a couple of major laws, including the Endangered Species Act and the Clean Air Act. The Clean Air Act, from 1970 to 1990, froze in place specific emissions control technology. It was clear by the late 1980s, when I was studying environmental science, that the act was compelling businesses to spend more money than they needed to. It took another decade to revise the act. The Endangered Species Act centers around the "taking" of members of listed species. The act defines "take" as "to harass, harm, pursue, hunt, shoot, wound, kill, trap, capture, or collect" a species. I believe it was the Fish and Wildlife Service that we
No Fun (January 6)

Stooges guitarist Ron Asheton, dead at 60.

ITRC Year End Report for 2008 (January 6)
The Identity Theft Resource Center (ITRC) released their year-end breach report:

Reports of data breaches increased dramatically in 2008. The Identity Theft Resource Center’s 2008 breach report reached 656 reported breaches at the end of 2008, reflecting an increase of 47% over last year’s total of 446.

Dissent of PogoWasRight has some analysis. I'll take a look at the full report shortly.
Maine Breach Study (January 6)

The [Maine] Bureau of Financial Institutions has issued a report on the costs of data security breaches to Maine banks and credit unions. The study found that of the 75 financial institutions that responded, 71 were affected by a data breach since Jan. 1, 2007, incurring combined expenses totaling more than $2 million, according to a state press release.

Together, the breaches resulted in unauthorized or fraudulent transfers at 25 institutions, including 265 accounts and $75,000 at one institution. ("State: Data breaches tally $2M," Mainebiz)

So let's see... 71 of 75 institutions in Maine were affected, although 53 of those were the Hannaford incident (pdf page 19, printed page 13). One in three breaches resulted in fraudulent transfers. The Maine Data Breach Study can be found here. The report includes a clear summary of the state of the law in Maine, and comparisons with elsewhere. There's really interesting data analysis, along with a copy of the survey used. I'm going to have to study this more.

It also includes (pdf 24, printed 18) an interesting cost summary, with 243,000 accounts impacted b