Re: [Clips] Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills
Adam Shostack wrote:

No. If I get your database with SQL injection, all conditions are met, and I have your plaintext. But, the data is in an encrypted form, and you're saved.

I'm not familiar with SQL injection vulnerabilities. Perhaps the issue is misrepresentation by the SQL provider that the database is encrypted using proper algorithms and key management. I guess that if a database access application using SQL injections has cleartext access to the data, this data is either not appropriately encrypted or the control of the encryption key escaped the legitimate user when the SQL injections were leaked to the adversary.

One issue with rulemaking/lawmaking is that consequences of a rule are sometimes unexpected because words (e.g. "properly encrypted") are sometimes corrupted by diverted usage, e.g. public relations aspects of e-commerce security. So, even if your statement was technically wrong, if *you* are convinced that a database vulnerable to SQL injection tampering threat is nonetheless encrypted, then a judge might be so convinced. Consequently, the lawmaking exercise must be more specific than above, e.g. using reference to by-laws which define acceptable encryption technology and key management techniques ... which is no longer a simple solution.

Thanks for highlighting the limits of the original post, either on a technical basis or on issues of lawmaking strategy.

--
Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc Canada H2M 2A1
Tel.: (514)385-5691
Fax: (514)385-5900
web site: http://www.connotech.com
e-mail: [EMAIL PROTECTED]

---
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: [Clips] Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills
At 00:48 2005-06-03 +0100, Ian G wrote:

Just to make it more interesting, the AG of New York, Elliot Spitzer has introduced a package of legislation intended to rein in identity theft including:

Facilitating prosecutions against computer hackers by creating specific criminal penalties for the use of encryption to conceal a crime, to conceal the identity of another person who commits a crime, or to disrupt the normal operation of a computer;

Ah, imagine the beautiful circularity of the Justice Department using encryption to protect their criminal identity database from disclosure... or not.

Greg.

Greg Rose                 INTERNET: [EMAIL PROTECTED]
Qualcomm Incorporated     VOICE: +1-858-651-5733   FAX: +1-858-651-5766
5775 Morehouse Drive      http://people.qualcomm.com/ggr/
San Diego, CA 92121       232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
Re: [Clips] Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills
On Friday 03 June 2005 14:38, Greg Rose wrote:

At 00:48 2005-06-03 +0100, Ian G wrote:

Just to make it more interesting, the AG of New York, Elliot Spitzer has introduced a package of legislation intended to rein in identity theft including:

Facilitating prosecutions against computer hackers by creating specific criminal penalties for the use of encryption to conceal a crime, to conceal the identity of another person who commits a crime, or to disrupt the normal operation of a computer;

Ah, imagine the beautiful circularity of the Justice Department using encryption to protect their criminal identity database from disclosure... or not.

They might have a problem with meeting the legal requirements for disclosure if the alleged criminals were not as yet behind bars... I wonder if bin Laden would have an action against the Justice Department if his file was stolen?

Anyway...

FBI Probes Theft of Justice Dept. Data
http://www.washingtonpost.com/wp-dyn/content/article/2005/05/31/AR2005053101379.html

The FBI is investigating the theft of a laptop computer containing travel account information for as many as 80,000 Justice Department employees, but it is unclear how much personal data are at risk of falling into the wrong hands.

Authorities think the computer was stolen between May 7 and May 9 from Omega World Travel of Fairfax, which is one of the largest travel companies in the Washington area and does extensive business with government agencies.

Justice Department spokeswoman Gina Talamona said the data included names and account numbers from travel account credit cards issued to government employees by J.P. Morgan Chase Co. and its subsidiary Bank One Corp. She said the information did not include Social Security numbers or home addresses that often are used by identity thieves to establish credit or to purchase goods in other people's names.

In addition, she said the account information was protected by passwords, although sophisticated hackers often can break into stored databases.

Omega World Travel officials declined to comment on how the laptop was stolen or other elements of the case, as did the FBI, which is investigating.

The theft is one of a spate of incidents over the past several months that have resulted in sensitive data on millions of U.S. consumers being stolen or exposed. In December, Bank of America Corp. lost computer tapes containing records on 1.2 million federal workers, including several U.S. senators.

Talamona said that no Justice Department worker has reported suspicious activity on his or her financial accounts since the incident. The banks issuing the travel cards have placed alerts on the workers' accounts, Talamona said. She added that Omega World Travel has agreed to several changes to its security practices, including beefing up physical security at its offices, conducting a computer security review and ensuring that the stolen computer cannot be reconnected to the firm's network. The travel cards have not been canceled, Talamona said.

--
Advances in Financial Cryptography:
https://www.financialcryptography.com/mt/archives/000458.html
[Clips] Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills
--- begin forwarded text

Date: Thu, 2 Jun 2005 14:18:42 -0400
To: Philodox Clips List [EMAIL PROTECTED]
From: R.A. Hettinga [EMAIL PROTECTED]
Subject: [Clips] Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

http://www.eweek.com/print_article2/0,2533,a=153008,00.asp

EWeek

Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills

May 31, 2005
By Caron Carlson

Spurred by the ongoing flood of sensitive data breaches this spring, nearly a dozen states may have breach notification laws on their books by summer. In turn, makers of security software and companies in several other industries are pressuring Capitol Hill for a federal law pre-empting the states' measures.

In Congress, more than a half-dozen bills requiring a range of data security measures and breach notification rules are pending, and at least two more are slated for introduction in coming months. These measures, including one under consideration by Rep. Cliff Stearns, R-Fla., and one in the draft stages by Rep. Deborah Pryce, R-Ohio, illustrate one of the most contentious questions in the debate: Should there be a notification exemption for businesses that encrypt their data?

Not surprisingly, industries for the most part are pushing for an encryption exemption to notification, a safe harbor that is included in California SB (Senate Bill) 1386, a notification law that went into effect in July 2003. The growing security software industry, a major ally in this effort, is trying to convince lawmakers that when encrypted data is stolen, the theft poses no meaningful harm to consumers.

"If the data is encrypted, it's gibberish. They don't know what it is. They can't use it," said Dan Burton, vice president of government affairs for Entrust Inc.
Some data security experts contend, however, that an encryption safe harbor could reduce data holders' incentives to implement strong protective measures in the first place. Criticizing the California notification law, Bruce Schneier, chief technology officer at Counterpane Internet Security Inc., of Mountain View, Calif., said it lets data holders bypass disclosure without necessarily protecting the data.

"You can encrypt the data with a trivial algorithm and get around [the law]," Schneier said. "If you can get around a law by doing something stupid, it's a badly written law."

Entrust supports an encryption exemption to notification but not without other security requirements, said Chris Voice, CTO at the Addison, Texas, company. "Like any technological approach, it's going to require more than just encrypting the data," Voice said. "I think security controls will have to be in place regardless."

Even strong encryption theoretically can be broken, but it requires resources and effort that thieves are highly unlikely to expend, advocates of the safe harbor argue. That argument does not appease consumer representatives.

"We may not be comfortable having our information out there, even in gibberish format," said Susanna Montezemolo, policy analyst at the Consumers Union, in Washington. "Encryption shouldn't be the issue. We shouldn't have to define potential harm and risk."

Acknowledging the political influence of the industries lobbying for the safe harbor, however, Montezemolo said that a breach notification law with a safe harbor is better than no law at all but that the safe harbor must be narrowly tailored so as not to be an excuse for shoddy security.

--
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

___
Clips mailing list
[EMAIL PROTECTED]
http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text
Re: [Clips] Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills
On Thursday 02 June 2005 19:28, R.A. Hettinga wrote:

http://www.eweek.com/print_article2/0,2533,a=153008,00.asp

Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills

May 31, 2005

Just to make it more interesting, the AG of New York, Elliot Spitzer has introduced a package of legislation intended to rein in identity theft including:

Facilitating prosecutions against computer hackers by creating specific criminal penalties for the use of encryption to conceal a crime, to conceal the identity of another person who commits a crime, or to disrupt the normal operation of a computer;

Full PR is here:
https://www.financialcryptography.com/mt/archives/000449.html

I'm hoping this was a trial balloon.

iang

--
Advances in Financial Cryptography:
https://www.financialcryptography.com/mt/archives/000458.html