nCircle.com >> 360 Security


July 2006 Archives

July 6, 2006

Skype: Culprit to Corporate

At this point, most everyone is familiar with Skype, a nifty VoIP/IM/Video/Etc client from the makers of Kazaa, now owned by eBay. Skype is pretty cool, and not just because of their supported operating systems. Skype is also a pain for security folks at most enterprises. If you're interested in the Skype protocol, read this doc. Turns out, though, that Skype is also a pain for Skype. Because of the evasion techniques that it implements, which make it hard to detect on a network, Skype has cut itself largely out of the enterprise business market. Businesses are hesitant, quite understandably, to endorse a tool they can't secure, and that allows for the unfettered transit of data out of their network. This leaves Skype with no path up-market.

Those who make these kinds of decisions have seen the light, it seems. Skype has "just appointed someone to oversee the creation of security guides that would set out how to use and manage it securely." It will be interesting to see if they can make this transition.

July 20, 2006

Narrative Security

Normally, I really try to avoid reposting things from Slashdot here. I figure, if it's on Slashdot, this community has probably already seen it or doesn't want to. Occasionally, something seems like it could use a few additional comments. This article walks through a pen test, starting with physical security:

"Without having an "official" magnetic access card to duplicate, I pulled every card with a magnetic stripe from my wallet, including my bank ATM card, a credit card, and a shopping card from a major grocery store. To my surprise, the first swipe from the shopping card opened the door."

So it seems that this magnetic swipe system simply accepts *any* magnetic stripe? Or maybe there's something about this particular frequent shopper card that works with this particular system. In any case, it's a nice simple reminder of why *two*-factor authentication is still relevant.

As a side note, this sort of article reminds me of the narrative of a DDoS against grc.com from Steve Gibson back in 2001. Note not only the use of language, but also the use of color, font, size and indentation.

July 31, 2006

Identity Theft: Side Effect of Commerce

I was at the gym this morning and a fellow gym-goer left his bag sitting atop the lockers while he went to work out. This is a common occurrence, despite the fact that there are signs warning about theft in the locker rooms and the fact that there are, in fact, lockers readily available. I started thinking about what might be in his bag for which the risk of theft was more acceptable than the $.25 for a locker. "Probably nothing of value, maybe his gym ID card," I thought to myself. The gym ID card contains a magnetic stripe, your name, your membership number, and a rather blurry 'funhouse mirror' kind of image of you. I can only assume the image that appears on the monitor when the staff swipe the card is somewhat more recognizable as a person.

I imagine that many people would happily make the same tradeoff. The information on their gym card isn't worth a quarter, given the perceived risk of theft. But it got me thinking about what one *could* do with such information. Identity theft is not about the wholesale usurping of someone's life, but the subtle use of their external identity for financial gain. I wonder if I could call up the gym, give them a name and account number and ask them to verify 'my' bank details or home address or social security number. With those pieces of information, I could probably do quite a bit more damage, maybe open a line of credit.

This kind of targeted identity theft is pretty rare, I'm guessing. It's tedious, requires work for each person, and the profit is likely minimal. I'm not saying it doesn't happen, but that it's not prevalent. It does, however, illustrate a point about how identity theft is about starting with minimally valuable information and escalating it to profit. It's like the one red paperclip guy, only with information.

The issue here is that large scale commerce makes large scale identity theft possible. If I steal 10000 social security numbers, then find an automated way to open 10000 lines of credit, then use online banking to draw on all of them to fill up a numbered Swiss account, the profit potential escalates significantly. What if I steal those SSNs from the gym? I'm guessing their computer systems aren't that well protected.

Data theft and data loss are fairly commonplace events at this point. We probably don't go a month without some company reporting the disclosure or loss of customers' or employees' data. There are a lot of places one could put the blame for the rise in incidents (alternatively arguing that the rise is in reporting, not in actual incidents): the companies themselves, the government for not regulating them, the criminals who actually steal the data. When it comes down to it, however, the blame, or rather the responsibility, should lie squarely on the shoulders of the consumer. The more we put our data out there for commerce, the more connections there are by which this sort of data escalation can take place. Right now, your SSN is a key to more data than you can imagine, given an access path. At the same time, it's not easy to avoid giving it out.

Next time someone asks for your SSN, or your zip code, or your home address, try saying 'is that necessary?' The answer is likely going to be yes, but asking the question is just one way to communicate that you're aware of just what information you're giving out.

About July 2006

This page contains all entries posted to 360 Security in July 2006. They are listed from oldest to newest.
