The Security Cynic, Episode 1

Once, when I was considering things like blog names and twitter-like user names, I considered calling myself the Security Cynic. I know, that sounds redundant. Anyone who knows much about security is likely to be highly skeptical of much of what is often said about security. And anyone who has worked for a living may be, um, less than impressed by the security practices of a lot of companies or departments, even when their managers claim that security is the most important thing on their minds.

It would be easy at this point to segue into a discussion of the monstrous Heartland data breach but that’s not where I’m going with this today. Still, it’s an interesting object lesson in security cluelessness and should be studied as such. Here are some links:

Now that that’s out of the way, back to today’s storyline. I laughed out loud (seriously enough to not even acronymize it!) when I saw this in the Twitter stream of dantheshive:

@pvponline Be sure to save that bad boy. I personally have a mail folder marked simply as “evidence”.

This attitude toward email is a common one, though I don’t think I’ve ever seen it spelled out quite so obviously. Email provides a paper trail. How many of us have known someone who NEVER deletes email, at least in part because they want to be able to present an old message to someone and say, “See! I told you that was what you said!” Or, “See? You DID give me permissions for that!” Or even, “Yes I did deny you permission to do that! You’re fired!”

I once worked for someone who was like that. More than once his vast archive of emails ended an argument over sometimes very important issues.

But that’s not what “evidence” is for. You don’t call something evidence because it might end an argument someday. You call it evidence because you suspect some kind of wrongdoing. You call it evidence in case you need to protect yourself FROM someone, or from their behavior. Or you call it evidence when you don’t necessarily have enough to go to the police yet, but think you might soon. This is butt-covering of the most paranoid kind.

I approve.

(Note: Sure, I could be completely misinterpreting it. It was Twitter, after all. So what? It sounds good this way.)

Once, when I was working as a system administrator, we found someone had, let’s say, been sloppy with some files. I burned a CD of the location. It seemed like a prudent way to make sure nothing disappeared before it could be shown to the proper people. In the end it didn’t matter. No one was interested in the evidence anyway, which brings us back to the “security cynic” thought. How about a two-cent moral: security takes sustained effort – gathering evidence every day, even if you’re not sure you’ll ever be able to use it.

Thinking about security can be a lonely sort of job. It seems like there needs to be a Heartland-style data breach before people figure out there’s a need. Even then, they want someone else to fix it. I guess some people don’t admire constructive paranoia, weird though that sounds.

By the way: Go back and read the Heartland links. If you haven’t had an ATM card canceled because of it yet, you still might.

markez linda says:

Just grabbed the feed… thanks for posting this.
