Virtualization, Cloud, Infrastructure and all that stuff in-between
My ramblings on the stuff that holds it all together
Daily Archives: January 24, 2008
Where There’s Blame, There’s a ….
Argh, I hate this kind of thing .. give us £5.99 and we’ll send you some PDFs to allow you to claim compensation from the govt. for identity fraud arising from the loss of confidential data. If you read around a little bit I doubt they’ll be paying much out unless something serious really does happen, but the ambulance chasers with the website will have made a few quid. And even then, if they did get forced to pay some kind of compensation – don’t you people get it? If you sue the govt., where do you think the money comes from? That’s right – your own pocket. We fund the govt.; they don’t really “earn” money. They are not Comet, or Sofa Warehouse; we are the shareholders. You might as well take an extra £10 out of your monthly salary and put it in the bank as compensation, as if the govt. have to pay the entire nation compensation they’ll pay for it one way or another via your tax money, or by shutting down a hospital etc. It’s like fining police forces and the NHS for not performing .. by doing so you reduce their capacity to pay for improving things and give them a further excuse to grumble about how they don’t get enough funds.
I think it would be better for the govt. to do some kind of deal with Equifax’s identity watch scheme to give people a cheap/free subscription to their service for ID fraud detection.
This would be a good thing to do on a national level, as the trouble with ID fraud is that it goes unnoticed for so long. It might also be better for the people that seem totally incapable of working out their monthly finances and don’t realise what impact missing payments/defaulting really has on their future plans to buy a house, TV, car, “bling” etc. on finance. All those ads for sub-prime loans etc. are not cheap money, and lenders don’t really just “write off” your debts just because you say you can’t pay them back and say “never mind… don’t worry about it”.
Seeing your credit report really makes it plain to see what criteria lenders use to assess your credit-worthiness, rather than making it such a dark secret; I guess the other side of the argument is that it gives people some scope to “game” the system; but this information is already available on request from the credit scoring agencies (£10 IIRC) so anyone wishing to do so already has the tools available.
Anyway, rant over.. must get back to the paracetamol, this cold is making me cranky!
Encrypting Documents in-Transit – is WinZip Enough?
I’ve looked at this topic a number of times as we often have requirements to send sensitive files around. Lots of customers send them to me via email/FTP or on CD within encrypted WinZip files, as this is what they find easiest: it’s pretty ubiquitous, rather than having to agree a compatible encryption app/protocol and have it “blessed” by a security dept/PC build team. Dave Whitelegg has posted a useful article here outlining the practical limits of this approach and suggested password lengths.
Obviously if you have information that is worth an attacker spending several weeks brute-forcing then I would suggest maybe you shouldn’t be sending it electronically or even holding it at all, as I’m sure there would be quicker ways for an attacker to find this information once it’s in its unencrypted form at either end: social engineering, bribery etc.
And of course, if you do have to persist in the encrypted WinZip approach, maybe rename the files held within for a bit of security by obscurity: “Board of directors – salary review.xls” is probably a lot more tantalizing to an attacker than “Photocopier Toner Audit.xls” or “AACD12323.DAT”. Or place a .zip file within another .zip file, as you can see the table of contents within the .zip regardless of its encryption state.
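As an added illustration (not code from the original post), the Python sketch below shows what anyone handling the archive can read with no password, and how nesting changes that view. The sample archives are constructed in memory and left unencrypted, because Python's standard library cannot write encrypted zips; the `build_zip`, `listing` and `wrap` helpers are hypothetical names, and the listing step never supplies a password.

```python
import io
import zipfile

def build_zip(files):
    """Build an in-memory zip from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

def listing(zip_bytes):
    """Return (name, size, encrypted) per entry, read WITHOUT a password.

    Names and sizes live in the zip central directory, which stays readable
    when entries are password-protected; only the file contents are encrypted.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(i.filename, i.file_size, bool(i.flag_bits & 0x1))
                for i in zf.infolist()]

def wrap(inner_zip, neutral_name="AACD12323.DAT"):
    """Nest a whole archive as a single, neutrally named outer entry.

    The password must go on the OUTER archive: the inner table of contents
    then sits inside encrypted data instead of in a readable directory.
    """
    return build_zip({neutral_name: inner_zip})

# Constructed sample contents; file names taken from the post's examples.
SAMPLE = {
    "Board of directors - salary review.xls": b"constructed sample\n" * 20,
    "Photocopier Toner Audit.xls": b"constructed sample\n" * 5,
}

def demo():
    inner = build_zip(SAMPLE)
    return listing(inner), listing(wrap(inner))

if __name__ == "__main__":
    flat, nested = demo()
    for title, view in (("flat archive", flat), ("nested archive", nested)):
        print(title)
        for name, size, enc in view:
            print(f"  {name!r:45} {size:6d} bytes  encrypted={enc}")
```

The size of the single outer entry is still visible, so nesting hides names and file counts but not the overall volume of data being sent.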
Our very own marvelous HMRC could do with reading this article being as it seems to be data breach disclosure month!
Keep up the good work Dave!
