Category: "Security Policies"

About the Security Policies category

23:04, by Hagai Bar-El, 40 words
Categories: Security Policies

This category contains articles that discuss security policy issues, both at the corporate level and at the national and international levels. This domain contains security guidelines and procedures, as well as national policy considerations addressing national security, privacy, and more.


  2009-07-24

Companies collect data on us --- so what?

22:22, by Hagai Bar-El, 865 words
Categories: Security Policies, Counter-media

It is very common among security people to take privacy issues seriously. When we hear that a particular service collects personal data on us, we get extremely anxious. We will not use services that collect personal data that are not necessary to render the service. Sometimes we will forgo using a useful service, just because it requires that we feed in personal data, or because we do not like the wording of the privacy policy, of its lack of...

To us, security people, having a company collect personal information on our shopping habits, surfing habits, reading habits, or eating habits is just wrong. Technologists like Cory Doctorow call for treating personal data like weapons-grade plutonium, because data that is collected never vanishes. Others, like Bruce Schneier, write essays on why the average (that is, non-criminal) citizen should not agree to being watched, even though he has done nothing wrong. All of this is true, and having governments collect too much data on individuals is risky. Such data, if available, is likely to be abused at some point in time, a point which is probably closer than it appears.

It is easy to explain why one would not like the government to have too much data on him. I would like to discuss another type of data: the commercial data that privately held companies such as Amazon, Google (on Google Apps users), and Facebook collect. Why should I care about having my personal data on-line?


  2009-04-04

On the Purpose of Security Standards

22:21, by Hagai Bar-El, 960 words
Categories: Security Policies, Counter-media

An interesting article was published in Information Security Resources, titled: “Payment Card Industry Swallows Its Own Tail”.

The author seems to claim that PCI DSS may not survive for long, because the various stakeholders are too busy blaming each other for security breaches instead of trying to make the ecosystem more secure. Also, organizations that are PCI DSS compliant still suffer security breaches, which seems to indicate that the standard is ineffective.

There are two questions that need to be asked:


  2008-10-26

Twitter Terrorists -- Come On...

02:00, by Hagai Bar-El, 184 words
Categories: Security Policies

I could not miss this one in Wired.com.

Then the presentation launches into an even-more theoretical discussion of how militants might pair some of these mobile applications with Twitter, to magnify their impact. After all, “Twitter was recently used as a countersurveillance, command and control, and movement tool by activists at the Republican National Convention,” the report notes. “The activists would Tweet each other and their Twitter pages to add information on what was happening with Law Enforcement near real time.”

It seems as if people are making an effort to ring the alarm bell over just about anything. Twitter? Twitter is merely an application that facilitates instant messaging, like tons of others. Whatever can be done with Twitter can also be done with IRC, Web chat rooms, shout boxes (those little frames on websites that display whatever is written by guests to the website), and what not.

Yes, someone evil can use Twitter to pass messages to other evil people in the field, but the ability to pass instant messages along is a “problem” of ubiquitous network technologies, not of this or that particular product.

  2008-01-26

The TSA Does Not Get It Completely Wrong

22:09, by Hagai Bar-El, 537 words
Categories: Security Policies, Counter-media

Many homeland security experts preach against the approach to airport security taken by the TSA. The TSA's mitigation efforts focus primarily on specific tactics that terrorists may use, rather than on more generalized, more effective measures, such as intelligence. Airline security, according to those opposing the TSA's acts, should be in effect long before the terrorist reaches the airport. All existing mechanisms, such as scanning shoes, banning liquids, etc., are a waste of time and money and punish only the innocent.

I generally agree, but I do so with mixed emotions.


  2008-01-12

Airport Security: Israel vs. the United States

22:04, by Hagai Bar-El, 381 words
Categories: Security Policies

Last July, an interesting post appeared in Bruce Schneier's blog. It's called: Airport Security: Israel vs. the United States. It discusses the difference between airport security in Israel and in the U.S. The post quotes evidence showing that the airport security in Israel is based more on interrogation and less on mechanical scanning. Mr. Schneier commented:

Regularly I hear people talking about Israeli airport security, and asking why we can't do the same in the U.S. The short answer is: scale. Israel has 11 million airline passengers a year; there are close to 700 million in the U.S. Israel has seven airports; the U.S. has over 400 “primary” airports — and who knows how many others. Things that can work there just don't scale to the U.S.
I do not generally buy this.


  2008-01-09

Last Major Label Plans to Ditch DRM Restrictions

22:00, by Hagai Bar-El, 240 words
Categories: Security Policies

No one who follows DRM news could have missed this: Report: RIP DRM, as Last Major Label Plans to Ditch Restrictions:

In a move certain to rock the distribution of digital music, Sony BMG is in the midst of finalizing plans to begin offering at least part of its downloadable music catalog DRM-free, according to BusinessWeek.com. This makes Sony BMG the last of the Big Four record labels to cave on digital rights management schemes designed to restrict the distribution of music via peer-to-peer networks.
I was asked more than once: What can prevail, if DRM cannot?


  2007-11-08

Making Standardization Committees Build More Secure Products

21:58, by Hagai Bar-El, 976 words
Categories: Security Policies

Lately I have been occupied once again with the specification of a security system as part of a standards committee. The identity of this standards body really does not matter. What does matter is that the process, just like its outcome, never improved.

There is a problem with security systems that are standardized by committees. Perhaps not every committee, but those committees that are democratic in nature. Democracy is good, all in all, but it does not serve the design of security products well; at least not when the design is done by many individuals with different agendas.

It is easy to see why.

