Jeff Northrop

Privacy and security

Page 10


Stress and Athletic Performance

I’m a stressed mess right now. In addition to life’s normal level of stresses, I’m studying for the CISSP exam (which is turning out to be much more intense than I anticipated) and I’m short-handed at work (if you are an entry-level developer in the NH Seacoast area, contact me!). I’ve been here before though, so the occasional sleepless night and general grumpiness is expected. What’s apparent to me for the first time, though, is how clearly this is affecting me physically.

I’m a consistent gym-goer. I work out at a local CrossFit gym, which means my workouts are somewhat random. This makes an accurate measure of my performance over time difficult. However, I work out with the same group most mornings and measuring how I do against them is a fair enough measure and it is clear my performance has been declining.

It’s well documented that exercise is a good tool to help manage...



PayPal’s Identity Service, Gone Too Far

Looks like PayPal is offering a new identity service. Gaining access to over 100 million users who trust the brand seems like a pretty good opportunity. However, reading through the benefits of using this service made me feel a little queasy. This service is abusing the privacy of their customers, badly. If you don’t believe me, take a look at what information they are offering to developers on the people who use their service:

  • Transaction Recency (Bustling, Active, Engaged, Operative & Passive): Describes how recently a buyer has transacted on PayPal

  • Transaction Frequency (Engaged, Habituated & Casual): Tells how frequently the buyer has used PayPal for online transactions over the last 12 months

  • Activity Class (Super Engaged, Engaged, Light Engaged, Functional, Habituated, Casual, Sustaining & Passive): Combines recency and frequency to tell how active this buyer is over the last...



Indextank Bummer

I just received an email from the Indextank team saying that they were purchased by LinkedIn. As soon as I read it a four-letter expletive left my lips. I’ve just spent the last couple of months redoing the search engine for the IAPP website to work with Indextank.

As you may have heard, LinkedIn has acquired IndexTank. We at IndexTank are very excited and look forward to joining LinkedIn. Our team is working to make the transition smooth and transparent for all of our current customers.

I’m glad they’re excited (really) but the timing couldn’t be worse for me. Just yesterday I finished writing the documentation of my integration and was working with the marketing department on minor copy and look-and-feel decisions to put the final polish on it. Everything was tested (and working beautifully, I might add) and I was ready to launch! Now I don’t know what to do.

Should I put my faith that the...



Jack of All Trades, Master of None

The other day I was asked to help a colleague at the IAPP determine the profile of a typical candidate for a CIPP/IT certification. It started out with a simple question: “Help me understand the different classifications of IT professionals.” I thought this would be an easy exercise.

However, once I sat down and started to give it some thought, I was surprised to recognize the breadth and complexity of the IT profession. It was one of those seminal moments where the collection of everything you know on a topic suddenly comes together as one—and it made me shudder.

I used to consider myself a “jack of all trades” when it came to information technology and I meant it. My first job out of school included both software development (in Pascal) and network administration (Novell Netware 2.12) and I continued on that dual path off and on through a handful of jobs. Having done both...



Silk, Fire and Another Loss for Privacy

Our privacy is slowly eroding, at least in the sense that what we do is less private than it used to be. We’ve all known for some time that the phone company tracks all of our phone calls and that ISPs know something about our internet traffic. We accept that web servers record what pages we visit and when we visited them.

In the last couple of months we’ve learned that Facebook can track your habits across sites even after you log out, and that mobile phone companies can track not only who you call but where you were. And it wasn’t a secret that the OnStar system can track your vehicle’s location, speed and even whether you are wearing your seat belt, but only after complaints did they reverse part of the decision to sell that data to the highest bidder. At least you have to agree to their terms of service to be sold out.

Another chip out of our privacy was buried in the announcement of the...



Terms-less Terms of Use

Today I came across the most useless terms of use statement I’ve ever seen, and I’ve seen a lot of them. I make it a habit to read terms, licenses and agreements whenever I come across them. As a practicing privacy professional I feel obligated to review them, and occasionally I’ll even learn something along the way. So imagine my surprise when I came across this:

These Terms of Use set forth the terms and restrictions regarding the use of the Logical Security, Inc. (“Logical Security”) web site (www.logicalsecurity.com), by you, a user of logicalsecurity.com, and the entity you represent (hereinafter collectively “you” or “your”). By using logicalsecurity.com in any manner, you agree to all terms and conditions contained or referenced in these Terms of Use. These Terms of Use apply only to your use of logicalsecurity.com and do not change or alter any other agreement between...



Then the BEAST Enters

Have you heard about the BEAST? Juliano Rizzo and Thai Duong presented their Browser Exploit Against SSL/TLS tool, a.k.a. the BEAST, at the Ekoparty security conference a week ago. This tool has the potential to launch one of those seminal moments in computer history. It exploits a weakness in virtually every website that uses secure certificates to protect transactions (SSL/TLS). In other words, if it is successful in the wild, it could lead to people losing trust in e-commerce and secure transactions as a whole (which our current economy is heavily reliant on).

The researchers used PayPal as the example in the demonstration of the tool, but just about everyone, including banks, credit card processors, virtual private networks, instant messenger services, etc., is vulnerable. If the website, service or application relies on the “s” in “https” to encrypt the data transmitted between two...



Now I’m Scared

I’m just back from the [(ISC)2 Security Congress](http://www.isc2.org/sc2011/Default.aspx) and I’m scared. I’m scared for two reasons. First, I feel self-pressured to get CISSP certified. From what I understand, the exam is intense and should require a large time commitment to master all ten domains — and I don’t have that kind of time (although I will find the time!). However, what really sent my blood pressure to dangerous levels is the feeling of vulnerability the event instilled in me.

This event was combined with the annual ASIS event, which means the exhibit floor was crowded with all sorts of paramilitary-type equipment and personnel. That, in and of itself, is intimidating, but what really ratcheted up the fear were the sessions filled with stories and anecdotes of all manner of security breaches. If the FBI, U.S. Senate, Visa and other Fortune 500 multinationals can suffer from...



“SEO” No! Write Instead

I swear I’m going to scream if I hear one more person describe search engine optimization as something complex and mystical. It’s not — it’s actually pretty simple. I’ll prove it. Here’s all you need to know, all on one double-sided sheet of paper.

If you can understand and implement what’s on that cheat sheet, you’ve already won 90% of the battle. If that sheet confuses you, then you probably didn’t build your website to begin with, but the person who did will help you.

You’re probably thinking, “90% is great, but what about the last 10%?” First, understand that perfection should never be the goal of a task — if you solved that last 10%, then you’ve likely wasted a ton of time and effort. Work beyond the basics and the return on effort diminishes very quickly, so approach perfection carefully.

Some of the things I see suggested that really get my goat include rewriting content and...



Hidden Benefits of a Bad-Ass Infosec Policy

Most large companies have strict information security policies. They do it to comply with legal obligations and to minimize liability concerns (e.g. HIPAA, GLB, PCI, etc.). The smart executive knows that a data breach can be expensive and damaging; just ask Heartland Payment Systems, the Veterans Administration or TJ Maxx. Start-ups should also understand that compliance and liability concerns aren’t just for large companies. Everyone, big and small, should be worried about this stuff.

A lawyer would probably advise that a company need only meet the minimum requirements to mitigate risks and comply with the law. However, I’m suggesting you do the opposite. Go out and get the most challenging, restrictive and detailed policy you can find (a.k.a. “a bad-ass information security policy”™). Start from there and work your way back to whatever is manageable (and hopefully more than the...
