Dilbert: Wrong, but Funny

Well, I can’t say I agree entirely with this strip. The common sense and experience of one developer isn’t equivalent to a solid risk management system, but it’s still funny. The reality is that you can’t get an objective, comprehensive view from the biased perspectives of individuals. Knowing that you yourself are a biased individual is an important step towards solving many problems.

Dilbert.com

Great study says “The study does not prove cause-and-effect, the researchers point out.” http://www.msnbc.msn.com/id/29681075/

Politics and PCI

Senator(?) Norm Coleman

Here’s a post over at the nCircle blog about the Coleman campaign and a leak of donor data, including credit card information.

Be Careful What You Type

A while back I wrote a post on the subtle homogenization of privacy. The point was that social networking isn’t eroding privacy, but homogenizing it. And here’s an example of how this can become problematic. This police officer drew a mental analogy between Facebook status updates and locker room talk.

“You have your Internet persona, and you have what you actually do on the street,” Officer Ettienne said on Tuesday. “What you say on the Internet is all bravado talk, like what you say in a locker room.”

This is a very normal thing for human beings to do. In fact, culturally, we’re all about analysis by analogy. When you don’t understand a situation, you look for analogous situations from which you can glean rules of behavior. The problem is that social networking sites like Facebook and MySpace don’t fit. The lines between public and private are hard to draw, and not always dependent on your perception (if you post a status on Facebook and no one reads it, is it public?). Let’s all pay attention to Officer Ettienne and learn the lesson. Unless you’re very sure, better treat the forum as public information.

Sensible advice on changing FISA: http://tinyurl.com/cugon9

Next Step for Data Breach Laws: http://tinyurl.com/d4aq7m

Dilbert on Agile Development

QSAs put on remediation by PCI SSC: http://tinyurl.com/ct4h3y

Snarky posts lose some effect when there are grammatical errors in them.

It’s your fault Oracle

Survey: Most Oracle Shops Don’t Mandate Security Patches

Heads up criminals with technical skills: Oracle products are wide open in most places! While 32% of these survey respondents are doing their cost-benefit analysis on patching their Oracle DBs, you could be stealing their data. A full 11% haven’t ever installed an Oracle patch. So get on the ball and get cracking…oh, you already have.

“ ‘I think the feeling in those organizations is that since databases are a little more isolated than the desktop, there’s less of a [security] concern,’ said [Ian] Abramson, director of the enterprise data group at Thoughtcorp, an IT services firm in Toronto.”

No, Ian Abramson, it’s actually not the enterprises’ fault for miscalculating the risk. They may have done so, but that’s not why these patches aren’t applied. Your aptly named cohort at the IOUG has it right:

“Patching databases in particular is a complex task that can require months of labor and significant system downtime,” said Ian Abramson, the Independent Oracle Users Group’s president.

To recap, patches aren’t applied because it’s really hard to do so. Who makes it hard to apply the patches? The vendor does. Best thing Oracle could do for security would be to make applying patches easy…really easy.
