Security Breach at Unique Vintage

There is news that women’s clothing website Unique Vintage has sent notifications to the customers that the site has been breached and the customer information was exposed. What is interesting is that the website is fully PCI compliant, i.e. it follows all rules for security set forth by the credit card industry. And still, it appears, the credit card numbers, among other information, were stolen. And this went on for more than a year and a half before being detected.

There is no substitute for proper design and security diligence. Following the rules set in a book will only get you so far. The attackers do not follow any book strictly, so you should not.

User Data Manifesto

Having a confirmation that the governments spy on people on the Internet and have access to the private data they should not sparked some interesting initiatives. One of such interesting initiatives is the User Data Manifesto:

1. Own the data
The data that someone directly or indirectly creates belongs to the person who created it.

2. Know where the data is stored
Everybody should be able to know: where their personal data is physically stored, how long, on which server, in what country, and what laws apply.

3. Choose the storage location
Everybody should always be able to migrate their personal data to a different provider, server or their own machine at any time without being locked in to a specific vendor.

4. Control access
Everybody should be able to know, choose and control who has access to their own data to see or modify it.

5. Choose the conditions
If someone chooses to share their own data, then the owner of the data selects the sharing license and conditions.

6. Invulnerability of data
Everybody should be able to protect their own data against surveillance and to federate their own data for backups to prevent data loss or for any other reason.

7. Use it optimally
Everybody should be able to access and use their own data at all times with any device they choose and in the most convenient and easiest way for them.

8. Server software transparency
Server software should be free and open source software so that the source code of the software can be inspected to confirm that it works as specified.

In the news

I do not often want to comment the news so today is a special day.

The first piece is an article on the popular subject of NSA Web Surveillance quoting some well-known people starts off on a good direction but gets derailed somehow into recommending obscurity for security. Strange as it is we really should consider anonymizing our access to the Internet. The problem is though that we cannot anonymize the most important part of our Internet access where we real need our real identity and that is the part that delivers most information about us. Sorry, it is not going to work.

I was wondering earlier what the situation of Canada is in relation to the NSA scandal and the article on Canada’s part in NSA plan revealed that we cannot count on Canada to be impartial in the matter. They are in on it and quite likely Blackberry is no better choice than other U.S. controlled mobile phones.

I cannot remember when was the first time I heard that “passwords are dead”, it must have been years and years ago but this same mantra is repeated over and over again every year. Now the passwords are dead at Google. Well, tell you what, long live passwords!

And suddenly Vint Cerf, one of the guys at the beginnings of the Internet, is preaching for the devil. He is working for Google, of course, so his opinion that we all should “give up a degree of privacy in order to be protected” is likely Google’s, not his own. On the other hand, if you ask me I would say he should watch what he says, people believe him more or less unconditionally and his moral obligation is to not peddle the loss of privacy for all of us.

Here you go. I seem to disagree with nearly all of the news today. Which is good news!

Nokia is gone. So is mobile security.

The recent acquisition of Nokia by Microsoft stirred up investors and Nokia fans. But, the question goes, what does it have to do with security? (Not) Surprisingly, a lot.

Working in security makes people slightly paranoid over time, that is a fact. On the one hand, without being suspicious of everything and checking all strangeness you would not get far, so that makes you extra attentive to possible security issues. On the other hand, witnessing how everything around us turns from impenetrable walls into a Swiss cheese variety when poked makes you doubt every security statement on the planet. Looking at Microsoft buying Nokia, I cannot resist putting my security hat on.

So what does the acquisition of Nokia by Microsoft bring us on a large scale of things? You remember, of course, that some governments, and in particular USA, listen to all our conversations on the Internet and collect all possible information about us, right? Okay, for those who forgot, I will remind that Microsoft, Google and Apple are on the list of companies sharing information with NSA. Just keep in mind it is likely not limited to NSA and USA, other governments are not likely to refuse the temptation.

lock-nokia-transpNokia was not on the list. And I will hazard a guess that the Finnish company refused cooperation with NSA. That means people who have the good old Nokia phones are probably more safe from surveillance compared to people with those Microsoft, Google and Apple phones. We can probably assume that it was not exciting for NSA and the like to know that (5 years ago) half of the people with mobile phones will not be under surveillance. I can imagine they were rather disappointed. I would not be surprised if they lent a hand to Microsoft in the plan to acquire Nokia or even orchestrated the whole thing.

Now, Nokia is Microsoft. What does it mean? There is no phone any longer that is not under surveillance. Think of any mobile phone, it is going to be Microsoft, Google or Apple, committed to collaborating with NSA on surveillance. There is no alternative.

We still can use our good old mobile phones, of course (and I do). Telephone networks change though, new protocols come into play, old ones are phased out. In time, the good old phones will simply stop working. And this process can be accelerated if desired. There will be no choice.

I really wonder about Blackberry now …