Jeff Northrop

Privacy and security

Page 7


Secureworld Boston Presentation

I had a ton of fun speaking at Secureworld in Boston yesterday. A big thank you to those who attended my presentation and for all of the kind words I received. As promised, here is a PDF of the presentation. Feel free to contact me with questions.



Upcoming Events

Just a reminder: you can now sign up for my BrightTalk presentation on May 22nd, and I hope to see you at my presentation on Wednesday at SecureWorld. You can also find me at the Venture Cafe on Thursday, where I’m going to be in the “Advice Booth.” Finally, I’m at InfoSec World from April 2-4 representing the IAPP.

I’m a busy boy!



Cryptography: A Primer for the Non-Technical–Part II

If you read last week’s post you should have a baseline understanding of the science of cryptography. You should know that the basics of cryptography rely on the input of a secret key along with a message, both of which are fed into a mathematical equation that applies substitution and transposition to encrypt and/or decrypt the message. If you don’t, please read last week’s post before continuing.

With an overview of cryptography covered, we can move on to some of the basics, and once the basics are spelled out we can finally cover how cryptography is applied in the real world. My hope is that by the end of this post you will be able to understand the options and opportunities available to technical staff to help carry out mandates of information protection.

Types of Encryption

There are three basic ways in which cryptographic techniques are applied: symmetric, asymmetric and hashing.

...



Cryptography: A Primer for the Non-Technical

If you’re a regular reader of this blog you know that I generally write about privacy for those in the IT industry and prattle on about the importance of paying attention to the rapid changes in privacy norms. This time I’m going to reverse that. In my first ever two-part post, I’m going to write to the privacy professional about a computer science topic. For the same reasons I think it’s important that infosec professionals have a basic understanding of privacy laws, regulations and best practices, I believe the privacy professional can benefit from some knowledge of information security as well.

Today, and continuing next week, I’m going to cover the basics of cryptography. An understanding of this science will help the privacy pro understand the options, opportunities and complexities of the science of keeping information secret. Cryptography is not one thing; well, it is one thing, but...



Corporate Institutionalization of Privacy in the US by 2016

While talking to the endless trickle of people visiting the IAPP booth at RSA last week, I was able to confirm my belief that corporate attitudes towards privacy are changing; it’s just that they are changing slowly. I thought that this week, while I was at the Global Privacy Summit, I would ask those with far more knowledge and experience in privacy than I have what, if anything, they thought it would take for the slow changes in corporate awareness of privacy to gain momentum.

I fielded a number of different opinions, but most agreed that while there has been a shift in attitudes towards privacy, it has been slow, and almost universally I was told that for real momentum to build in the US, companies will require a reason to care.

In other words, it has to hit the company’s bottom line. That could be in the form of a fine or the loss of customers, but it has to cost something significant...



Upcoming Events

I’m back from the RSA Conference and the IAPP Global Privacy Summit, but I’m not done yet. I’m at InfoSec World from April 2-4 representing the IAPP. Come find me and we can chat about why us IT folks need to be cognizant of privacy laws and regulations. Also, as a reminder, I’m speaking at SecureWorld in Boston on March 28th and again for BrightTalk’s Compliance Regulations Webinar on May 22nd.



Notes From the RSA Conference

It was a whirlwind of activity at the RSA Conference; talking non-stop for four days is a workout. The big take-away for me was a notable change from previous years in the conference crowd’s attitude towards, and interest in, privacy. I talked to far more infosec professionals who were looking for ways to educate themselves about privacy laws, regulations and best practices than I have at past events. When I asked why I was sensing this sudden interest in privacy, it boiled down to pressure from management or outside sources to “figure it out.”

There was a common recognition among this group of the growing pressure to understand the impact of shifting laws, regulations and cultural norms. Specifically, as the EU refines its laws to give more control and protections to individuals, and in the wake of Obama’s Privacy Bill of Rights announcement, people are starting to pay attention...



Privacy Betrayed as Twitter Sells Archive

I’m still at RSA and busy, so this will be quick. This story cropped up on my news feed this morning: “Privacy betrayed: Twitter sells multi-billion tweet archive”. Some quick thoughts:

  • What a hyperbolic headline! When does selling an archive of public information constitute a betrayal of privacy? This doesn’t put Twitter in a great light, but as far as I can tell from the very thin information in the article, they aren’t selling private data. Nor do I believe their terms of use say they won’t do this type of transaction.
  • They actually quoted The Daily Mail as a source? The “news source” with the current headline “A Royal girls’ day out for Duchess Kate, the Queen and Camilla…” What a joke.

I’ll be interested to see if this story gets picked up elsewhere and spun up until it ends up on CNN as some large, scandalous injustice. Who knows, maybe if it does become a big story it will help...



White House Focuses on Privacy, My Interest Wanes

I promised back in January to summarize the FTC report on privacy when it came out. Today was the big announcement, but it’s getting so much press coverage that I’ll leave the dissection to others. Here is some of the coverage (pick your favorite political slant):

  • The White House
  • Reuters
  • Forbes
  • Electronic Frontier Foundation
  • The New York Times

However, I will say that this is getting much more attention than I had anticipated, mostly because the White House decided to take the report and wrap it up into a call for a “Privacy Bill of Rights.” I’m encouraged to see the White House use its bully pulpit to forward this issue. Of course, while the attention is great, the devil will be in the details of the proposed legislation that will surely follow in the coming months.

With that out of the way, if you’ve been following my posts over the past weeks you know I’ve been harping on the...



Proof That Startups Don’t Care About Privacy

*TL;DR: Hackers complain angrily when privacy violations occur but ignore it when creating their own stuff. I have proof – albeit thin and unscientific – but proof enough nonetheless. Oh, and wake up and smell the opportunity!*

A confluence of events is driving me to distraction this week. I thought I had stumbled onto an idea that was sure to elicit attention. I was so fired up about it that in a Hacker News post I stated “I want to shout it from the mountain tops.” If you know me then you know that it must be something spectacular, as I am an unassuming introvert by nature. As it turned out, apparently, I was mistaken in thinking others would share my enthusiasm for my revelation.

Disclaimer: I want to state up front that this isn’t a self-pity post. I don’t take it personally, nor do I have any sort of stake in the success or failure of swaying anyone. I’m just mystified, so I thought it was...
