UK Child Benefit agency: records for 25 million lost
November 20th, 2007 — Uncategorized
Here’s a good one: it looks like an agency in the UK has lost two computer discs containing “…the personal details of all families in the UK with a child under 16 have gone missing. The Child Benefit data on them includes name, address, date of birth, National Insurance number and, where relevant, bank details of 25m people. Chancellor Alistair Darling said there was no evidence the data had gone to criminals - but urged people to monitor bank accounts “for unusual activity.” The Conservatives described the incident as a “catastrophic” failure. In an emergency statement to MPs, Mr Darling apologized for what he described as an “extremely serious failure on the part of HMRC to protect sensitive personal data entrusted to it in breach of its own guidelines.” MPs gasped as Mr Darling told them: “The missing information contains details of all Child Benefit recipients: records for 25 million individuals and 7.25 million families.” So that’s a government agency we’re talking about, someone you’d normally trust more with your personal information than companies, since you’d think a government would take extraordinary measures to protect data on its citizens. It’s just so random; there’s no way to truly protect yourself from the mistakes of the countless Dilberts out there failing to safeguard your data.
Hushmail unencrypted and handed over client’s emails; backdoor revealed
November 16th, 2007 — Uncategorized
Hushmail was always known as a secure, private webmail company that markets itself by saying that “…not even a Hushmail employee with access to our servers can read your encrypted e-mail, since each message is uniquely encoded before it leaves your computer.” But it turns out that statement seems not to apply to individuals targeted by government agencies that are able to convince a Canadian court to serve a court order on the company. So while the stored email is protected by the user’s passphrase, if this passphrase is verified server-side because the user logs in over SSL, the user is not using the more secure method with the Java applet they provide, which encrypts (and, I suspect, hashes) the passphrase before it’s sent over the wire. The advantage of the latter approach is that the server never has the chance to see the ‘real’ passphrase, but the user(s) gave up the ghost when they used the SSL login, which I suspect they never thought would lead to their downfall, especially when you look at how Hushmail markets themselves. So while not having to install that Java applet is more convenient, it’s clearly less secure: “The rub of that option is that Hushmail has — even if only for a brief moment — a copy of your pass phrase. As they disclose in the technical comparison of the two options, this means that an attacker with access to Hushmail’s servers can get at the passphrase and thus all of the messages.”
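To make the difference between the two login options concrete, here is an added toy model (my own example, not Hushmail’s code; the details of their actual scheme are not on the page). It assumes the mail key is derived from the passphrase with PBKDF2, that the “applet” path derives that key on the client and sends the server only a one-way authentication token, and that the “SSL” path sends the passphrase itself. The stream cipher is a constructed SHA-256 counter stand-in, used only so the model runs offline.

```python
"""Toy model of client-side vs server-side passphrase handling for stored mail.

Constructed example (not Hushmail's code). Assumed design:
  - mail key = PBKDF2(passphrase, salt); the server keeps only a verifier
  - "applet" login: client derives the key and sends auth_token(key)
  - "SSL" login: client sends the passphrase; the server derives the key
"""
import hashlib
import hmac

PBKDF2_ROUNDS = 50_000  # assumed work factor


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Passphrase -> 32-byte mail key (same derivation on client and server)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)


def auth_token(mail_key: bytes) -> bytes:
    """One-way value the client can present without revealing the mail key."""
    return hmac.new(mail_key, b"auth", "sha256").digest()


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: SHA-256(key||nonce||counter) keystream XOR data.

    The same call both encrypts and decrypts. A fresh nonce per message avoids
    keystream reuse. Illustrative only; use a vetted AEAD in real systems.
    """
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class MailServer:
    """Holds encrypted mail plus only what is needed to check a login."""

    def __init__(self, salt: bytes, verifier: bytes, ciphertexts: list):
        self.salt = salt
        self.verifier = verifier            # auth_token(mail_key), never the key
        self.ciphertexts = ciphertexts      # list of (nonce, ciphertext)
        self.observed_passphrase = None     # what a compelled server could record

    def login_ssl_path(self, passphrase: str) -> bool:
        """'SSL' path: the passphrase itself arrives at the server."""
        self.observed_passphrase = passphrase
        candidate = auth_token(derive_key(passphrase, self.salt))
        return hmac.compare_digest(candidate, self.verifier)

    def login_applet_path(self, token: bytes) -> bool:
        """'Applet' path: the client derived the key locally and sends a token."""
        return hmac.compare_digest(token, self.verifier)

    def server_read_mail(self):
        """Plaintexts readable by whoever controls the server, or None."""
        if self.observed_passphrase is None:
            return None                      # verifier alone cannot decrypt
        key = derive_key(self.observed_passphrase, self.salt)
        return [stream_xor(key, nonce, ct) for nonce, ct in self.ciphertexts]


def demo(passphrase: str = "correct horse battery",
         messages=(b"meet at noon", b"invoice attached")) -> dict:
    """Run both login paths against one mailbox and report what the server saw."""
    salt = b"constructed-salt"                    # constructed sample value
    key = derive_key(passphrase, salt)
    stored = [(i.to_bytes(4, "big"), stream_xor(key, i.to_bytes(4, "big"), m))
              for i, m in enumerate(messages)]
    server = MailServer(salt, auth_token(key), stored)

    applet_ok = server.login_applet_path(auth_token(key))   # client-side derivation
    after_applet = server.server_read_mail()                # None: nothing to decrypt with

    ssl_ok = server.login_ssl_path(passphrase)              # passphrase crosses the wire
    after_ssl = server.server_read_mail()                   # server now holds everything

    return {
        "applet_login_ok": applet_ok,
        "mail_readable_by_server_after_applet_login": after_applet,
        "ssl_login_ok": ssl_ok,
        "mail_readable_by_server_after_ssl_login": after_ssl,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Both logins succeed, but only the SSL path leaves the server with material that decrypts the mailbox; the applet path gives it a token it can check and nothing it can decrypt with, which is exactly the distinction the technical comparison quoted above draws.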
Intel official: say goodbye to privacy
November 12th, 2007 — Uncategorized
During a hearing to review the Foreign Surveillance Intelligence Act, Congress was told by intelligence official Donald Kerr that, “…it is time people in the United States changed their definition of privacy. Privacy no longer can mean anonymity, says Donald Kerr, the principal deputy director of national intelligence. Instead, it should mean that government and businesses properly safeguard people’s private communications and financial information.” Right, because we all know what a great job businesses are doing keeping our data safe! It is unacceptable for an official to declare that our rights need to be usurped and then have us rely on businesses to keep our records safe; they’ve been failing to do that for years, so why would there be any difference now? In fact, if Mr. Kerr’s plan went through, these companies would be bigger targets for exploitation, as they’d hold a bigger payout for would-be attackers. Come on, no more ‘give up your rights to survive’ rhetoric; we’ve had enough. There’s more good coverage on this at Wired.
Feinstein does an about face
August 9th, 2007 — Uncategorized
Two years ago, when a wiretapping proposal similar to the FISA expansion was on the table, California Senator Dianne Feinstein said that the proposal “calls into question the integrity and credibility of our nation’s commitment to the rule of law.” Then last week, just days after stating, “There is a suspicion that the administration wants to move too boldly. And once you sacrifice rights, it’s hard to get those rights protected again,” she went and voted for the FISA expansion (S. 1927)! She’s not alone: 15 other Senate Democrats also voted to give the government even more power to wiretap. What am I missing here, Dianne?
