Jeff Northrop

Privacy and security


Privacy Jobs

If you think privacy is just the domain of lawyers and compliance professionals, think again. As I’ve argued often on this blog, and as a speaker at dozens of various technology conferences, privacy is marching inexorably into the responsibilities of technologists. Yesterday I found real-world examples illustrating this point.

Hacker News, the social news site focused on hackers and startups, is a great place to read about disruptive companies and technologies on the cutting edge. One recurring feature on the site is a monthly post dedicated to current job offerings targeted towards the site’s readers (generally developers and other technologists working on their own projects or for other startups).

For the first time – at least as far as I can tell – in this month’s “who is hiring” post, privacy skills made their appearance in a big way. I was shocked to find a number of listings that...


Motorola, Google and Others Are Missing the Boat

Continuing on the theme of a blog post from a couple of weeks back, I noticed this week a burst of news about internet-enabled personal devices. First up, and the biggest news, was the announcement of the Moto 360, the smart watch from Motorola. Accompanying that announcement was one from Google of a flavor of Android purpose-built for wearables, as used in the Moto 360.

This was preceded by rumors earlier in the week of an Apple-built health-tracking application. And, below the radar but germane to the conversation, was the launch of an app that can help with the rhythm method of birth control.

What do all of these things have in common? They all will expose even more personal information to the world than we already divulge. What they also have in common is that none of these announcements mention anything significant about privacy. In our post-Snowden glow where people are...


WhatsApp Blunder

I spend much of my effort on this blog discussing how privacy is something more than just security. That it involves respecting cultural norms, ensuring appropriate uses of data, encouraging transparency and other things that aren’t strictly technical, but all of that is meaningless if you are sloppy with your security. WhatsApp is about to find that out.

There is speculation circulating that WhatsApp used the same AES symmetric key, for all clients, to encrypt all of its chats. The news originated from a Tweet by Nadim Kobeissi of Diaspora revealing the key and calling out WhatsApp. If what Nadim alleges is the case, that is going to be a big bummer for the WhatsApp team as well as Facebook, who are in the process of acquiring them.

The story will unfold, or won’t, over the coming days and it could get interesting. It is worth remembering that cryptography is one of those things that...


IoT is Going to Result in Privacy Troubles

Someone asked me the other day what I meant when I said the Internet of Things was going to shake up privacy as an issue. I thought I would share my answer. The short answer is, “Dude, there are going to be billions of these things tracking us all the time. Of course there are going to be massive privacy issues.” But a more complete answer is nuanced.

First, when I say there are going to be billions of these devices, that is not hyperbole. Gartner predicts there will be 30 billion IoT devices in the marketplace by 2020. To put that into perspective, there are currently just a couple of billion computers in operation. It is clear that IoT devices will be everywhere doing all sorts of tasks for us.

Secondly, it is the services they will provide that are the significant consideration. Think about all of the Jetsons-like devices the IoT promises. From the current reality of smart TVs...


Privacy Fails, the Public Revolts – Companies Lack Response

I’m just back from the RSA conference where “privacy” was the hot topic. The kerfuffle over privacy at RSA is outlined nicely in a blog piece in the New York Times, so I won’t rehash that, but it is worth revisiting the whole “privacy is dead” mantra that seems to be given new life.

Note: Check out coverage of my RSA session

Privacy is big news these days and the news is full of fear, speculation and conspiracy. It is setting the public on edge and there is no shortage of coverage validating this statement, but that is only one side of the coin. Few are discussing how companies need to respond in this new era, one where the old mechanisms for protecting the public are no longer effective but regulators are still acting to protect the public.

In the late 1960’s and into the 1970’s, with the advent of computers, maintaining privacy was suddenly no longer about the ability to doing...


LastPass Offers EU Only Service

LastPass is my tool of choice for managing my passwords. Today, my LastPass Chrome plug-in updated and displayed the newest release notes. Among the minor changes I noticed this:

New: BETA feature - Premium users can choose to host their site data in Europe and utilize instead of

I guess I can count this among the growing number of vendors who, in response to “The Great NSA Data Breach of 2013,” are satisfying the call of a growing market. Particularly in Europe there is a growing chorus of customers who want to avoid any potential intrusion from US security agencies and utilize services hosted in Europe.

While this type of service has existed for some time, for similar reasons, prior to Snowden I never would have thought there would be any significant market for it. It fascinates me to watch just how effective his breach has proven to be in creating markets...


Calls from EU Will Fall On Deaf Ears

The European Commission published a press release today expressing its desire to begin negotiating for more international representation on the functions that govern the Internet. I think the intent of the release is something worth addressing: It calls for more diverse representation on the Internet governing bodies, which currently are very US-centric. However, while the intent is good, I don’t see this going anywhere.

Firstly, it sounds like they perceive the role of these bodies (ICANN and IANA specifically) as central controllers of the Internet whose job it is to protect citizens. I don’t know if anyone wants that sort of control. In fact, much of the public momentum is the exact opposite. People generally want to minimize the possibility that any government could control the Internet.

Secondly, what people ultimately want is to be able to take advantage of all of the...


Google the Big Brother

This morning my mind was turning as I was reading the latest post by Jason Calacanis on his LAUNCH blog. It’s a very thought provoking and detailed piece on how Google is going to take over the world. I suggest reading it, but there was one item in particular that caught my attention:

Google will know every single piece of data you send and receive on a packet level because, hey, they’re throwing the party! If you want free connectivity on a global basis, you give up all your privacy and data. If you want to pay, you give up most of it to AT&T et. al.

While most of the arguments in the post are somewhat science fiction-esque – although I don’t doubt their veracity – the quote above almost seems like a certainty to me. Given the current state of the telecommunications market in the US, it’s hard to imagine that any of the big telecom providers would be able to compete with a “free” (or...


Target and PCI Compliance

Krebs on Security is reporting today that the Target breach was perpetrated by their HVAC contractors:

Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers.

If this is the case, this is a humongous PCI compliance failure. PCI requires strict controls on who can access cardholder data and I’m pretty sure HVAC contractors do not have a legitimate “need to know.”

It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network.



Salesforce, Dreamforce and Data Stewardship

This year’s Dreamforce was all about the release of Salesforce 1. This new integrated platform is Salesforce’s attempt at becoming the dominant enterprise platform for the Internet of Things. Combine the power of Salesforce with the data produced from all manner of devices such as smart watches, Wi-Fi-enabled toasters, and a host of other Jetsons-like devices, and you attain the ability to really “know” your customers at a deep level.

With that understanding comes the opportunity to market and sell like never before, but with that newfound power comes a responsibility: the responsibility of stewardship of your customers’ personal information.

Fumble that stewardship and you risk violating someone’s privacy, which can not only damage the reputation of your brand but could possibly land you in regulatory hot water. While the current risk is relatively small for all but the largest...
