Hello,
Security has to be correct 100% of the time. One omission can lead to an
exposure. Count yourself lucky that your vulnerabilities haven't been
exposed (that you know of -- Think Ohio State's exposure
<http://www.ohio.edu/datatheft/alumni/index.cfm>). Many organizations cover
up (do not report to governmental authorizes) every exposure that occurs.
This is the norm.
Consider the following; 10 persons information were known to be stolen.
Everything from address, SSN, account numbers, credit cards, driver lic.,
health ins. forms, employment data, etc.. It goes unreported. Years later
you receive letters for failing to pay your mortgage, credit cards, taxes,
car lease, speeding tickets, you didn't show up for sentencing, and have a
warrant for your arrest.
Things like the above happen. I read how a case of mistaken identity had
some fellow jailed for a few months before it was resolved. Imagine how it
could have went if the perpetrator had stolen his ID.
Once your information is exposed you soon realize that there is nothing you
can do to protect yourself, it's too late. For evermore you, not the
organization, has to check your credit reports, accounts, put flags up in
your accounts over and over again until you die and all at your, not the
organization's, expense. Most organizations don't even offer help to the
people they adversely effected. At the very least an organization should set
up a department to help the customers that have harmed.
Regards,
--
Jason Muskat | GCUX - de VE3TSJ
____________________________
TechDude
e. Jason@TechDude.Ca
m. 416 .414 .9934
http://TechDude.Ca/
From: Saqib Ali <docbook.xml@gmail.com>
Date: Fri, 12 May 2006 21:22:03 -0700
To: Bob Radvanovsky <rsradvan@unixworks.net>
Cc: Jason Muskat <Jason@techdude.ca>, "Sadler, Connie"
<Connie_Sadler@brown.edu>, <email@securityabsurdity.com>,
<security-basics@securityfocus.com>
Subject: Re: Article: "Security Absurdity: The Complete, Unquestionable, And
Total Failure of Information Security."
"Security" is a matter of perception. If the companies don't see it as an
issue, it (quite simply) is *not* an issue.
That is fine for the company in question. But NOT fine for the
customers / other companies interfacing with the company that does not
see INsecurity is an issue. I wouldn't wanna have my credit card info
stolen from an online merchant, neither would you.
One option is that I do not deal with compannies that do take security
seriously. But how do I know which companies do NOT take security
seriously? Maybe they should put a disclaimer on their website????
--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------
