Tag Archives: infosec

Quoth the Raven: “It’s a Match!”

Years ago, when I first heard about online DNA match services, my reaction was something to the effect of, “Stuff you put online lives forever and you no longer have control of it, so what happens when privacy breaches happen?”

The recent high-profile US case of the alleged Golden State Killer was one example of the off-label use of DNA matching services that’s captured the nation’s imagination.

While many people have a preconceived notion of DNA being unique, decisive, and absolutely airtight, the reality is a touch more humbling, as multiple news outlets and law enforcement officials have warned of the perils, error rates, and numbers of false positives involved in family matching. If anything, it reinforces a need to follow the usual rules of investigation: strive to be more thorough, and always tread carefully.

While this particular legal case has raised a lot of eyebrows, to me it seems to be more about the unmasking of a killer than the means by which the latest set of leads was generated. This isn’t a new technology; it’s been around for quite some time. Police have used these services before, but those instances haven’t grabbed headlines in the same way as the case of the Golden State Killer.

To the officers involved, I salute your creativity and perseverance. Hopefully, once justice has taken its course and the case has been tried, you’ll have been able to give some much-needed closure to the families of the victims.

But that’s not why I’m writing.

What’s problematic about the mainstreaming of genetic sequencing and the subsequent breakdown of taboos surrounding our most sensitive personal possession — the DNA code — is not the risk of false positives or accidental misidentification in a police investigation. It’s the line of opportunists who are eager to acquire that data and bend it to their will for all manner of commercial, insurance, medical, and other misuses as people relax their guard and invite more and more strangers to the party to play gatekeeper to this extremely sensitive information.

If you’ve ever been a victim of identity theft, or if you’ve ever had someone run up a bunch of unauthorized charges on your credit card, you already have a glimpse of how it feels.

Your bank can issue a new credit card number, but you don’t get a mulligan once your DNA code makes it into the wild.

Adobe Has Been Hacked!

It’s much worse than anyone could have imagined.

Initially estimated at a data breach of 3 million compromised customer accounts, including credit card data and order records, the total has since risen over the past month to 38 million customer accounts, and more recently an updated estimate has pegged the number of compromised accounts at 150 million. The hackers were also able to make off with some of Adobe’s closest-guarded secrets, including the source code for Photoshop and several other major projects.

Infosec: When in Doubt, Leave it Out

Allow me to introduce one of my biggest perennial pet peeves: the act of sharing way too much information.

Call it professionalism, paranoia, or common sense. When it comes to the ability to share information about each other and ourselves online, the old adage applies: “With great power comes great responsibility.”

At the low end of the spectrum, giving the world too much of yourself may be mildly entertaining (or in other cases annoying) to the other users who stumble across your Facebook page and can suddenly figure out how many times a day you go to the washroom or watch you re-blog embarrassing photos. On the other side of things, if you’re not careful it’s frighteningly easy to end up sharing information that could cause direct and serious harm to your reputation, finances, and family members. Common to all of this is the persistence of data: hurtful comments and regrettable disclosures can come embarrassingly home to roost at a much later time, sometimes years or decades down the road, thanks to today’s perfect storm of automated archiving services and unpredictable human interfaces.
