Vannevar Bush
01 Apr, 2008 March marked the 118th anniversary of the birth of Vannevar Bush. Little known outside of "Big Science" circles, Bush was responsible for the development of the federal scientific research system as we now know it. Bush (no relationship to either President) was responsible for putting in place the system of collaboration between civilian scientists and the military that enabled the development of many of the weapons systems that were directly responsible for the Allied victory in World War II, including the proximity fuse, sonar, and the Norden bombsight. Continue reading... - Phil

Cold Boot Attack Commentary
24 Mar, 2008 It's been really interesting watching the variety of reactions to the announcement two weeks ago that a Princeton-based team had found a way to extract data (including encryption keys) from laptops even when they are supposedly "off". Continue reading... - Phil

Metrics that Matter
08 Feb, 2008 Regular readers of this blog know that I rarely use this space to directly promote PGP Corporation, preferring instead to focus on issues relating to public policy and individual privacy. Recently, though, I've started to notice a disconcerting trend in the way vendors, particularly in the security space, discuss their accomplishments. I have to admit that I'm grateful I'm not an IT executive these days trying to separate the wheat from the chaff. Continue reading... - Phil

2007

The 2007 Season's Greeting: "We've lost your data. Happy holidays!"
19 Dec, 2007 Back on January 2 of this year, I wrote that 2006 would be remembered as the "Year of the data breach," and expressed my hope that 2007 would be remembered as the "Year of Secure Data." Proving the utter folly of making predictions about the future, 2007 didn't exactly turn out that way. As 2007 draws to a close, it's clear that it was a far worse year for data breaches than 2006. In fact, we didn't even make it out of January before T.J. Maxx announced it had lost the personal information of 93 million people, making this the largest loss of personal information in history. The company disclosed last week that it expects to spend at least $500 million dealing with the breach because it now faces 19 separate lawsuits and investigations by the FTC and 37 state Attorneys General. Continue reading... - Phil
Related Links
Privacy Rights Clearinghouse
Economist
Offline Identity Theft
Office of Privacy Protection

Do Not Track
28 Nov, 2007 You may have noticed the news out of Washington that the Federal Trade Commission (FTC) held a workshop a few weeks ago on the topic of "behavioral targeting" of Internet advertising. For those of you not familiar with the term, it basically involves presenting advertising based on your specific Web usage patterns. Continue reading... - Phil

IBM Keynote
01 Nov, 2007 I had the privilege recently of delivering the keynote address at the 4th Annual IDC Security Forum in New York with Julie Donohue, IBM's VP of Security and Privacy Practices. Those of you who are regular readers of my blog know that I've been preaching the need to "Protect the Data" since we re-formed PGP Corporation 5 years ago. What I learned in listening to Julie is that the ideas we were promoting in 2002 have gone mainstream in a big way. Continue reading... - Phil
Related Links
Corporate Currency

Hotels need to offer data security, not just a nice view
11 Oct, 2007 One of the most fun parts of my job is when my friends tell me how they're using PGP products to protect their personal and professional information. Whether it's preventing their children from inadvertently altering financial records or preventing competitors from accessing new product plans, I always enjoy these stories tremendously. Continue reading... - Phil

Corporate Currency
03 Aug, 2007 Last month, we initiated PGP Corporation's participation in a new program to highlight the risks associated with unsecured corporate data. We believe that data is the new corporate "currency," and we're committed to bringing products and practices into the mainstream that treat it as such. The interesting thing about this particular metaphor is that it's quite instructive in highlighting just how far we have to go in developing standards of conduct for handling confidential information. Continue reading... - Phil

Do You Have the Time?
29 May, 2007 This year marks the 60th anniversary of the creation of the Bulletin of the Atomic Scientists' famed Doomsday Clock. The clock was originally conceived as a way to promote the risks associated with the unconstrained proliferation of nuclear weapons. Although it's certainly a morbid metaphor, there's no denying the Doomsday Clock has achieved its primary objective: No nation has chosen to exercise its supposed first-strike capability since the clock first appeared. Continue reading... - Phil

H1B Visa Program: If it's broke, please DO fix it!
20 Apr, 2007 Newspapers from coast to coast covered last week's announcement by the U.S. Citizenship and Immigration Service that they had received more than 150,000 applications for the 65,000 H1B visas available this year. The more startling aspect of the announcement was that it was made the same day the program opened for the year. Continue reading... - Phil

Psychology of Security & Privacy
19 Mar, 2007 One of the most interesting and under-reported events at the recent RSA® Conference 2007 was the release of a paper by Bruce Schneier. Entitled "The Psychology of Security", the paper focuses not on how to make systems more secure, but on the plethora of variables that determine whether or not we feel secure as individuals. The paper is available at www.schneier.com/essay-155.html, and I encourage anyone with an interest in computer or any other kind of security to review it. Continue reading... - Phil

Protecting Information: In the Zoo or Out in the Jungle?
14 Feb, 2007 As it does every winter, the information security industry gathered last week in San Francisco for the annual RSA Conference. More than 300 vendors and 15,000 security professionals focused on one thing: making companies more secure. And there was one obvious and I think very positive development this year: For the first time, there was a real focus on protecting not just the network infrastructure, but also the data that resides therein. Continue reading... - Phil
Related Links
RSA Conference 2007

The Perfect Wave
12 Jan, 2007 At this time of year, the world's best professional surfers gather just south of San Francisco at a beach called "Mavericks". They gather and they pray for the giant storms to form 2,000 miles to the north in the Gulf of Alaska. When the weather and currents all cooperate, the result is some of the largest perfect waves on earth. In 1994, the leading big-wave surfer in the world caught one of these forces of nature at Mavericks and died surfing it. This is not a game for the faint of heart. Continue reading... - Phil
Related Links
PGP Products

2007: The Year of Secure Data
02 Jan, 2007 One clinical definition of insanity is doing the same thing over and over while expecting a different outcome. When it comes to information security, 2006 proved this maxim. Based on the number of reported data breaches, it's clear that the classic methods of protecting confidential information aren't working as intended. From simple laptop theft to the kind of socially engineered breach experienced by ChoicePoint, the "bad guys" appear to be winning the war, and nearly all the battles. Continue reading... - Phil
Related Links
2006 CSI/FBI report

2006

Celebrating 15 Years of PGP Encryption
14 Nov, 2006 We are celebrating a number of anniversaries this quarter in the cryptography community. Today, PGP Corporation acknowledged the 15-year anniversary of Phil Zimmermann's first release of PGP® encryption. As Phil noted in today's press release, back then, cryptography was considered a criminal act in some quarters and today it's being legally mandated in many parts of the world. Yes, we have come a long way, but we still have a long way to go. Continue reading... - Phil

Offline Identity Theft
30 Oct, 2006 Last week, we covered the myriad ways your identity can be stolen using simple offline techniques. This week, we'll look at the slightly more sophisticated and no less criminal approaches being used by online crooks. Let me make one observation before I dive into this topic. In the computer business, we're prone to giving things cute names to indicate they're new or somehow important. I think we can credit Steve Jobs with starting this phenomenon when he began naming products after fruit. Just as there were apples long before there were computers, there were also offline versions of things like phishing and pharming long before there was an Internet. And make no mistake about it: All of these are crimes, regardless of what they're called or how they're perpetrated, and should be treated as such by both consumers and the criminal justice system. Continue reading... - Phil

Offline Identity Theft
23 Oct, 2006 I'd like to spend the next 2 weeks discussing identity theft. Why? First, because it's the fastest-growing crime in North America. Second, because we're all vulnerable. If you don't think it can happen to you, read the story of how the District Attorney of Harris County, Texas, who prosecutes dozens of identity theft cases each year, became a victim. Third, it's relatively easy to make yourself an unappealing target for identity thieves. Although it's nearly impossible to protect yourself completely from this pernicious crime, you can make it so hard to steal your identity (and hence your money) that most thieves will move on to an easier target. Although PGP products can help protect you in some very specific ways, that's not why I'm writing these columns. As we'll see, the main weapons in preventing identity theft are common sense and diligence. Continue reading... - Phil

Encryption: Myths and Urban Legends
27 Sep, 2006 PGP Corporation recently commissioned a study that, among other things, measured common beliefs about encryption. I continue to be surprised by the myths and misconceptions that surround this subject. Because I'm assuming that most readers of my blog have an interest in both understanding and propagating the facts about encryption, I've summarized below some of the more common "urban myths" this research has uncovered. Most of you will recognize the following list as legacy problems associated with first-generation PKI systems. Continue reading... - Phil
Related Links
PGP Additional Decryption Key (ADK)
Phil Dunkelberger, CEO of PGP Corporation, speaks at the Commonwealth Club of California - September 13, 2006. Download the PowerPoint presentation. [258KB]

Know Thine Enemy and Thine Customers
04 Aug, 2006 Last week, I wrote about how important it was to have a comprehensive understanding of both front- and back-office threat models when you design security systems. This week, we have a classic example of what happens when you build a point security product without a broad understanding of the environment into which it will be deployed. Continue reading... - Phil

EMC-RSA: Why Protecting Just the Back Office Isn't Enough
26 Jul, 2006 It's been interesting watching the financial and industry analysts dissect the EMC acquisition of RSA and the announcement that Secure Computing would acquire CipherTrust. The latter deal has taken its lumps from Wall Street based on its structure (Secure Computing will assume significant debt to complete the transaction) while EMC continues to try to reassure industry analysts there is material product line synergy between the two organizations. Continue reading... - Phil

Buying into a Culture of Security
30 Jun, 2006 The merger wave of 2006 hit the IT security sector yesterday with the announcement that EMC would acquire RSA Security for $2.1 billion. Although it was a notable deal in terms of the price paid, it's even more important for what it says about the way the IT industry is evolving. As Joe Tucci, EMC's CEO, stated when he announced the acquisition, this is a space that is "incredibly hot. There were other companies that noticed this." Tucci also noted that it was "a very competitive situation." Continue reading... - Phil

Security issues? What security issues?
20 Jun, 2006 It's been interesting watching the IT analyst community "rediscover" the encryption market recently. Having nearly ignored the space since the collapse of the PKI market 5 years ago, a number of analysts have started to cover the content security market again. Much of what's been written recently, however, seems to fall into the category of "a good look in the rearview mirror". Continue reading... - Phil

Quantum Cryptography Breakthrough?
17 Apr, 2006 Three or four times per year, I read reports about a new "breakthrough" in cryptography. Typically, these announcements are made by small companies and include assertions that the new "secret algorithm" is far more secure, faster, cheaper (pick one) than everything that's preceded it. As any good cryptographer will tell you, any algorithm that needs to be kept secret probably isn't very good crypto - and even if it is, there's no way to prove it. (This is the primary reason why we've always published PGP source code.) Continue reading... - Phil

Password Recovery: Fact or Fiction?
05 Apr, 2006 I suppose it's a sign of just how ubiquitous PGP encryption has become that we now have companies developing products to allow for the "recovery" of lost passwords. These types of products have been around a long time, but we are just now seeing the companies that publish them claim "PGP compatibility"...meaning you could conceivably decrypt a PGP-encrypted message with them. Continue reading... - Phil

PGP Extensions to OpenPGP
01 Mar, 2006 Occasionally, someone asks me if other vendors supporting OpenPGP isn't bad for PGP Corporation. The logic of the query typically runs along the lines of, "If I can get 'PGP' from other vendors, doesn't that limit your addressable market?" Fortunately for us, nothing could be further from the truth. When other vendors support PGP, in most cases, it expands our total market opportunity because it ensures interoperability between PGP solutions and whatever else might already be installed. Continue reading... - Phil
Related Links
OpenPGP

OpenPGP
23 Feb, 2006 In the last few months, a number of email security vendors have announced support for OpenPGP, the encoding scheme used in all PGP products. I tend to find these announcements somewhat ironic because they typically follow years of denial by the vendor involved that support for OpenPGP is a requirement of their target customers. The widespread adoption of OpenPGP is just one more indication that it has become a de facto standard in most enterprises. Continue reading... - Phil
Related Links
OpenPGP

Protecting Your Personal Financial Data
27 Jan, 2006 I mentioned 2 weeks ago that the real threat to individual privacy in the U.S. today comes from the dual threats of identity theft and the large-scale collection and dissemination of personal financial, medical, and other information. I dealt in that piece with ways to prevent identity theft. Today, I'll deal with how to prevent the financial institutions with which you do business from sharing the details of your financial life with other firms. I consider limiting the distribution of such information to be a key step for any consumer wishing to retain some semblance of personal privacy. Continue reading... - Phil

Perceptions of Encryption Yet to Catch Up with the Reality
19 Jan, 2006 A recent survey by The Ponemon Institute proves just how long it can take perception to catch up to reality in fields as complex as data security. Larry Ponemon is one of the better researchers currently practicing in this space. So, when he publishes a new report, it's worth paying attention. The latest report is nicely summarized in an op-ed piece Larry wrote for Computerworld. Continue reading... - Phil

Preventing Identity Theft
04 Jan, 2006 It's been interesting watching Congress debate whether or not the President broke the law in ordering wire taps on certain phone calls by suspected terrorists. If you'd like to read two very well thought out, beautifully written, and diametrically opposed opinions on this issue, check out the lead editorials in the New York Times and Wall Street Journal on December 20th. However important this issue is, I think what's really disturbing most Americans is the realization that the era when one could expect privacy in most areas of life is over. While the debate in Washington has highlighted one of the ways in which our privacy might be infringed, I think the real threat to personal privacy does not come from the actions of government, but from businesses both legitimate and not. Continue reading... - Phil

Microsoft Joins the Privacy Bandwagon
21 Nov, 2005 It was heartening to see Microsoft get on the privacy bandwagon so enthusiastically this month. As I've stated here repeatedly, it is long past time for Congress to deliver a unified privacy statute that would protect consumers and rationalize the hodgepodge of state and industry-specific privacy regulations now in effect. At a speech in Washington, D.C., earlier this month, Microsoft's Senior Vice President and General Counsel, Brad Smith, called for "comprehensive" privacy legislation at the federal level. Continue reading... - Phil

Europeans Lead Data Privacy Movement
02 Nov, 2005 One of the great ironies of the advent of the Information Age is that our personal information is less secure from prying eyes than ever. At no point in history has information about how you spend your time and money, where and when you seek medical care, or what causes you support been more public. The Privacy Rights Clearinghouse has documented the loss of personal information of more than 50 million people since February. Although both public and private institutions have drawn up lists of best practices to minimize the risk of losing control of personal information, it's clear there need to be changes in the regulatory environment as well. The harsh reality, however, is that the U.S. lags behind our European counterparts by more than a decade in formulating laws to protect our private financial, health care, and other records. Continue reading... - Phil

PGP Encryption for BlackBerry Devices
11 Oct, 2005 As promised, PGP made big news yesterday. PGP Corporation and Research in Motion (RIM) announced the PGP® Support Package for BlackBerry®. Now, for the first time, companies that use the BlackBerry Enterprise Server and have installed PGP® Universal to encrypt email on the wired Internet can use that same infrastructure to encrypt email destined for wireless BlackBerry devices. Although the BlackBerry has always been a secure device, until now there has been no way to read and create PGP-encrypted email directly on the BlackBerry. Continue reading... - Phil

Whole Disk Encryption Extends PGP Universal
05 Oct, 2005 There has been great excitement this week as we announced PGP's first stand-alone full disk encryption product line, PGP Whole Disk Encryption. I've been asked by a number of people if this doesn't represent a bit of a departure from PGP's traditional focus on encrypting email and file transfers. Nothing could be further from the truth. Since we began to design PGP Universal more than 3 years ago, our vision has been to leverage this new infrastructure and its administrative features to encrypt all data in motion and at rest. Continue reading... - Phil

Oracle Sees Need for Persistent Encryption
23 Sep, 2005 The big news in San Francisco this week is that Oracle OpenWorld is in town. OpenWorld is a once-a-year opportunity for Oracle's customers to hear directly from the company on its strategy and vision. One of the hot topics this year, of course, is the impact Oracle's recent acquisitions will have on the company and its customers. In his keynote on Wednesday, CEO Larry Ellison indicated Oracle might take a break from acquisitions to integrate PeopleSoft, Siebel, and the other seven companies it has acquired this year. Oracle then turned around later in the day and announced it had acquired G-Log, a provider of logistics and transportation management software. Larry also mentioned in his keynote that Oracle intends to build encryption and intrusion-prevention features directly into its product line. Continue reading... - Phil