Apple Google #locationgate: breaches EU Data Protection Directive

The story over the last week has been not the royal wedding but Apple and Google collecting location information, including GPS and the closest cell phone towers, on their iOS and Android devices and transmitting it back to big brother. In the case of Apple, the file containing this information was stored unencrypted on the device, backed up, also in the clear, to any machine the device was synchronised with, and contained far more historic location information than was required. At least Apple anonymized and sent this information every 12 hours (reducing real-time tracking ability) and technically did ask for "permission", because everyone reads through those privacy and terms and conditions policies. Google asked for permission in a slightly less opaque way but transmits location information back in near real time. Microsoft has also joined the party, admitting they collect location data but do not store it on the device. Symbian or WebOS anyone, for a complete set?

Federated authentication: security that makes you money

Federated authentication, using the same login details across multiple organizations and services, is one of the few security technologies that can actually be revenue generating for end-user (non security vendor) businesses. There seem to be so many reasons to adopt it, but it is still a hard sell and does not have widespread implementation. However, we may be reaching a tipping point where this all changes.

Agile: Most security guys are useless

The return of king Larry to his rightful throne at Google with his "engineers rule" edict, and Jason Fried of 37signals talking about the culture of a flat company, got me thinking whether, in an Agile development world, most security guys are useless. The short rationale is that in Agile, and really in any lean, successful company, you want "everyone to touch the product". Security guys need to code; those that don't (the majority) are not required. But is this the whole story...

RSA APT hack - blogger tells all

So an RSA employee released a blog post with some more details of the "Advanced Persistent Threat" attack that involved the theft of information related to SecurID. RSA should be praised for this, as I, like many others, had been disappointed with them for less than responsible disclosure. Although this post does not provide details of what was stolen (maybe they don't know?) that would enable smaller organizations and individuals without direct contact with RSA to perform a risk assessment, it does at least provide opportunities for lessons learnt. It also raises questions on why a security company did not have appropriate controls to mitigate these risks.
