The report was written by a committee whose members include William Perry, a professor at Stanford University; Charles Vest, the former president of MIT; W. Earl Boebert, a retired senior scientist at Sandia National Laboratories; Cynthia Dwork of Microsoft Research; R. Gil Kerlikowske, Seattle's police chief; and Daryl Pregibon, a research scientist at Google.

They admit that far more Americans live their lives online, using everything from VoIP phones to Facebook to RFID tags in automobiles, than a decade ago, and the databases created by those activities are tempting targets for federal agencies. And they draw a distinction between subject-based data mining (starting with one individual and looking for connections) compared with pattern-based data mining (looking for anomalous activities that could show illegal activities).

But the authors conclude the type of data mining that government bureaucrats would like to do--perhaps inspired by watching too many episodes of the Fox series 24--can't work. "If it were possible to automatically find the digital tracks of terrorists and automatically monitor only the communications of terrorists, public policy choices in this domain would be much simpler. But it is not possible to do so."

A summary of the recommendations:

• U.S. government agencies should be required to follow a systematic process to evaluate the effectiveness, lawfulness, and consistency with U.S. values of every information-based program, whether classified or unclassified, for detecting and countering terrorists before it can be deployed, and periodically thereafter.

• Periodically after a program has been operationally deployed, and in particular before a program enters a new phase in its life cycle, policy makers should (carefully review) the program before allowing it to continue operations or to proceed to the next phase.

• To protect the privacy of innocent people, the research and development of any information-based counterterrorism program should be conducted with synthetic population data... At all stages of a phased deployment, data about individuals should be rigorously subjected to the full safeguards of the framework.

• Any information-based counterterrorism program of the U.S. government should be subjected to robust, independent oversight of the operations of that program, a part of which would entail a practice of using the same data mining technologies to "mine the miners and track the trackers."

• Counterterrorism programs should provide meaningful redress to any individuals inappropriately harmed by their operation.

• The U.S. government should periodically review the nation's laws, policies, and procedures that protect individuals' private information for relevance and effectiveness in light of changing technologies and circumstances. In particular, Congress should re-examine existing law to consider how privacy should be protected in the context of information-based programs (e.g., data mining) for counterterrorism.

Here are more news articles on the report. I explained why data mining wouldn't find terrorists back in 2005.

Faith in the (UK) gov’s ability to securely manage personal data is out the window.

From Reuters:

The inquiries followed Britain’s biggest data loss scandal, when two discs containing child benefit records, including names, addresses and bank details, of some 25 million people, went missing after being put in the post by a junior employee.

The reports concluded that it wasn’t individuals who were to blame - some 30 were officials played some role in events leading to the loss of the discs - but institutional and systematic failures at Britain’s tax authority.

But the HMRC is not alone in such security breaches. A separate report into a stolen laptop containing the details of 600,000 potential recruits revealed similar failings at the Ministry of Defence. In all, four MoD computers had been stolen since 2004 and the report said the MoD was probably in breach of several principles set out in the Data Protection Act.

Well, where do you stand? Do you trust your respective government not to punt on data security?

Read on.

Article Link

1. Demand that your vendors segment your confidential information from those of their other clients.
2. Demand encryption of confidential information while in transit and at rest.
   

I am always bemused when Jeff Jones performs in-depth security vulnerability analysis and reports his findings, not because of the content of his findings, but because of the incredible arm-chair commentary that follows.

Jeff and I have seen and heard it all:

• "This is FUD"
• "Yeah, but it's not an apples to apples comparison"
• "How can you believe this guy? He works for Microsoft!"
• "What would Microsoft know about security?"
• "For his next trick..."
• "That chart really hits home the fact that statistics can be used to prove any side of any argument"
• "Of course he says Windows is the best, that's what he's paid to do."
• "Counting vulnerabilities is a natural way to measure security. If you're a retard."
• "The other big reason linux is more secure is many black hats LOVE open source principles"
• "Can someone please slap MSoft in the teeth"
• "I can't actually remember a time when my mac needed a patch to fix a security hole."

You get the picture. I could keep going, but I have a blog post to write!

So let's ignore raw stats for a moment, let's not compare RedHat to Mac OSX to Ubuntu to Windows Vista, because let's face it, no-one can agree on any measurement of security without getting knotted up. So let's just ignore the comparison stuff. Measuring security is a real challenge, and while we may debate the merits of vulnerability counts, right now it's the only concrete metric we have.

When Bill Gates released his Trustworthy Computing Memo in 2002, many people thought it was just a marketing stunt. It was not a marketing stunt: BillG edicts are always taken very seriously inside Microsoft. In fact, I will go one step further; the only way you make big changes in a large software company is when the boss says you have to do so. So why did Bill send the memo to all Microsoft employees? It was simple, he (and the entire senior management team for that matter) recognized Microsoft faced a problem that needed solving; the company needed to shore up the security of its products. So Bill sent his memo to get the ball rolling.

Now let's go back to Jeff's recent analysis. Cover up the Mac OS X and Linux stats for a moment so you can only see the Windows XP SP2 and Windows Vista bars. Windows Vista has had fewer security vulnerabilities than Windows XP SP2. Conventional wisdom (which is often wrong, especially when it becomes urban legend) tends to suggest that the more lines of code you have the more bugs you have. That might very well be true, and Windows Vista is certainly larger than Windows XP SP2; yet right now, we are on track for an approximately 50% reduction in vulnerabilities compared to Windows XP SP2. Think about that figure for a moment: about a 50% reduction (and that does not account for the reduction in vulnerability severity) despite the increase in code size.

So if Windows Vista has more code than Windows XP SP2, why are we seeing a reduction in vulnerabilities? Simple: the SDL! Microsoft decided to change its development practices to enforce greater security discipline. The only way you reduce security vulnerabilities is by focusing on improving code security, design security, reducing attack surface, education, tracking evolving threats, mandatory use of tools, banning known bad functionality, better compilers, better linkers, better libraries etc etc. And that is what the SDL is all about and what our team is laser-focused on.

The reason you're seeing a reduction in vulnerabilities across major Microsoft products is simple:

• Microsoft recognized it needed to improve security.
• Bill said so (as did the rest of senior management)
• Our group swung into action and helped the rest of the company come up to speed on security issues.
• The Microsoft development processes changed to adopt the SDL

You improve security by focusing on security. Not by wishing on a star. Not by believing age-old myths about "given enough eyeballs.... blah blah." If the "eyeballs" mantra were true, we'd have very few open source security bugs. But there are plenty of open source security bugs found after products ship. Hmmm, this would seem to raise some interesting question on the validity of the "enough eyeballs" belief given these hard facts.

Now let's go back to Jeff's chart for a moment. Cover the Windows columns and look at the other columns. However you want to skew or spin it, that's a lot of security vulnerabilities that needed fixing once a product had shipped. Admit it. Come on; admit it, that's a lot of bugs. I don't care how big a Linux distro is, or how many IM clients Ubuntu ships with, or the merits of UAC vs su. That's a lot of security vulnerabilities!

Now ask yourself this question - how many people involved in the development of these other products have you heard say, "Wow, we have a lot of security bugs, we really should do something systematic to fix this problem." I'll be very happy to be proved wrong, but all I hear is crickets. I see no-one else in the industry standing up and saying, "Let's fix this."

I just hear emotion, excuses and dogma.

At Microsoft, BillG's memo was a "we need to fix this" memo, and we are now seeing results, but not perfection. There will be no perfection, because no software is 100 percent secure, but progress is being made across all Microsoft products, not just Windows, because of the SDL.

Let me close with a story. A few years ago I spoke to some senior technical people from a large financial organization about software security. After visiting Microsoft they were off to visit another operating system vendor. I won't name names. The financial company was very interested in our early results, and they were encouraged by what they saw because of the SDL. I asked the most senior guy in the room to ask the other company one very simple question, "What are they doing to improve the security of their product? And by that I mean, what are they doing to reduce the chance security vulnerabilities will creep into the product in the first place? And they cannot use the word ‘Microsoft' in the reply." Two weeks later, the guy phoned me and said his company would buy Microsoft products and nothing from the other company. I asked him why. He said because all they could do was make up excuses (see the list at the start for examples!) rather than admit to having numerous critical security vulnerabilities and no process to reduce their ingress.

Ok, one more comment! I would love to see others in the industry stand up and admit there is a problem that needs solving and start doing something about it. I really, really would, because we need to secure the entire computing ecosystem. Comparing numbers is interesting, but what really matters is this: is progress being made? At Microsoft the answer is "yes" but only because BillG realized there was a problem to be solved and that is what led to the birth of the SDL.