Jeff Northrop

Privacy and security

Page 9


What IT Professionals Need to Know About Privacy

I’ve just learned that I’ll be presenting at SecureWorld in Boston on March 23rd. To follow is the abstract I submitted for the call for papers. Now all I have to do is put together the presentation… I know many people who read this blog are a good target for this type of topic. Feel free to send ideas, anecdotes, etc. that might help me focus the presentation.

As a 20-year IT veteran currently at the center of the privacy profession I have a unique perspective into the rapid growth of privacy and what it’ll mean to IT professionals in the near future. In this presentation I will discuss the gray line between the information security profession and the privacy profession, the current state of privacy laws and regulations around the world, and how the IT professional should integrate these into business decisions as well as policy and software development.

It took more than a decade of...



My Experience With LPTHW

I’ve been meaning to get my hands dirty with Python for a while and finally found the motivation to go through Learn Python the Hard Way over the holidays. I knew going into it that it wasn’t necessarily the best way to ramp up on the language for someone with years of development experience, but it was a vacation week and I didn’t want anything too intense. Plus, the simple rote exercises allowed me the excuse to break some bad typing habits.

In the end I found it enjoyable. The writing style is very easy to read and straight to the point. Zed Shaw doesn’t waste any words pontificating on useless topics nor does he pull any punches against some of the nonsensical entrenched beliefs spouted in many Python forums and FAQs.

With that in mind I think my favorite exercise of the bunch was 44 where he discusses style, formatting and the importance of comments. Sage advice but not so...



The MITx Revolution

On the first day of Christmas MIT gave to me… oh, whatever. MIT did give us all something though. The school recently announced MITx, which will start offering free online courses, and for a fee a certificate of completion.

There’s a lot of action in the online/higher-ed space at the moment with many major universities putting up courses for free, including MIT. These are fantastic offerings and while the quality varies—with Stanford’s offerings being the best of the bunch—none offer any sort of validation that you’ve learned something from these fine institutions. For that you need to attend the university and earn a degree.

MITx is changing that paradigm. While they don’t plan on offering a full degree through the program, you will be able to get some sort of certificate of completion for the courses you take. Would an HR manager consider an MITx certificate equal, alongside...



CISSP Download

I woke up at 5:30 am yesterday to get ready for my two-hour drive to Norwood, MA — the closest location (ISC)2 offers for sitting for the CISSP exam. I had to be there by 8:00 am. Check-in at 8:00 am; receive instructions at 8:30 am; and then start the exam at 9:00 am. Six exhausted hours later I was done and ready for my two-hour drive home. Why did I sign up for this again?

This was probably the most intense exam experience of my life. I’ve spent many evenings over the last twelve weeks studying up for the exam yesterday, and now that it is over, I can’t relax. I get to sit and wait four weeks to find out if I passed, and, frustratingly, I don’t have significant confidence that I passed.

I knew the subject matter outlined in the body of knowledge well enough, and came across only a handful of questions where I just, flat-out, didn’t know the answer, but on the remaining questions so...



Privacy Professional ≠ Infosec Professional

We’ve experienced over 30 million records breached already this year in the US alone. That’s an incredible number. Sloppy security is usually the culprit, and this is well known and documented, as evidenced by executives all around the world throwing money at the problem.

However, there is a kissing cousin to this problem that seems to be getting the government’s attention but doesn’t have the same visibility in the board room: privacy rights violations.

Google’s missteps with Buzz landed them an order from the FTC to audit their privacy practices for the next 20 years. Facebook dodged a bullet recently by settling with the FTC over their privacy violations as well. The big story this week has been the revelations about CarrierIQ.

These are only a small sample of the privacy violations that could have easily been avoided if someone was just paying attention to privacy rights when...



Worth Watching

I just finished watching a 2006 Tech Talk by Rik Farrow on computer security models. It’s worth watching. He spends roughly 45 minutes discussing how our current computer security models are broken and finishes with a proposed solution.

He starts by talking about the most prevalent attacks today including SQL injection, XSS and buffer overflows and how weak our current operating systems are at providing adequate protection. He then moves through the history of the mainframe leading up to our current operating systems to present where their flawed foundation originated.

He does give proper credit to more secure systems like SELinux and Minix with their microkernel models, but also discusses how the complexity and/or performance of these systems prevents their widespread adoption. He also briefly touches on the failure of things like Linux and OS X to stay true microkernels.

All of...



How Not to Start a Community

The IAPP uses Avectra’s netFORUM AMS to manage our membership information. I’ve never been all that happy with the netFORUM software, and certainly not with Avectra’s horrific support, but last week they did something that makes me want to scream.

They launched an online community. To kick-start this community they decided it would be a good idea to take every user of their system and set up a profile. These profiles contain the user’s full name, email, business address, phone number and the organization they work for (which they have on file to manage netFORUM access). That’s fine, I guess, but they took it one step farther. Not only did they set up the profiles without seeking consent, but they decided to opt everyone in to displaying all of their information to every other user of the system.

What marketing and/or IT professional in 2011 decides that this is appropriate? Do they not...



DNT: No Teeth, No Benefits–DOA

The W3C published the first draft specification for “Do Not Track” (DNT) in an attempt to address online privacy. The document proposes an official specification for a mechanism that allows users (via browsers) to broadcast tracking preferences to websites.

The intent of DNT is fantastic. Users should be empowered with the ability to opt in or out of being tracked on a website, or across sites, and this specification would achieve exactly that. However, it’ll never catch on. One of two things needs to be in place for something like this to take hold.

1) Both Sides Benefit

In this case “both sides” are the users and the advertisers who collect tracking data. The benefit to users is obvious: They gain control over their privacy. But what do the advertisers gain? According to the draft:

Since advertisers desire an audience that is receptive to whatever they happen to be advertising, a...



Take My Idea - Measure Any Exercise

I’ve had this idea bouncing around inside my head for a long while and I’ve come to the realization that I’m never going to see it to fruition. Instead of letting it just rot on my computer, I thought I’d give it away instead. If you want it, take it. If you want to chat about it feel free to contact me.

Note: I’m trying to write out this idea as clearly as possible but since it isn’t a fully formed idea in and of itself I may not make complete sense — proceed with caution.

The Problem

Quantifying the output of a workout is hard for many of us. If you’re a runner or cyclist then you can use distance, speed and even heart rate easily enough. But what if you do CrossFit, P90X or lift weights? Well, you can record the weights lifted and the time it took, but, as this style of workout is designed to do, it changes so often that measuring your performance over any significant length of time is not...



Why Word Resumes

I don’t know why I’m shocked every time this happens to me, but it is happening again, and I am at my desk this morning shocked. Yesterday I posted an ad for a job opening in my department. I’m not looking for a proven “rock star” as I can’t really afford one but I’m hoping to find someone sharp and willing to learn with a bit of experience developing software.

Given that, I intentionally don’t mention specific technologies or years of experience in the job description. As a result I expect to get a bunch of thin resumes from recent grads and four-pagers from those with 20+ years of experience who are looking for a career shift. That’s not the shocking part. In fact, all of those are great and I give serious consideration to them all.

What I find shocking is how many people send me resumes in .doc format. Most of them, in fact! What IT professional in 2011 still thinks that is the best...
