Security week in review
Week of May 16, 2005

Articles from last posting

NYC Citibank customers ripped off by Indian call centre employees

Ukrainian IT worker fined for revealing management wages

Polo Ralph Lauren; DSW Shoe Warehouse; LexisNexis; Ameritrade: No end in sight to bad news

Microsoft's security strategy finally unveiled

Microsoft has nailed its mast to the wall, and made it clear that it will go head to head with existing software security vendors. Sometime later this year, it will offer US consumers (price as yet unknown) a trial version of its new Windows OneCare service - bundling a firewall, anti-spyware, anti-virus, storage, backup and PC health scanning services into one mighty package - with a cute-sounding traffic-light-style warning system built in.

Ryan Hamlin, general manager for Microsoft's technology, care and safety team, was quoted as saying OneCare will include unlimited phone, e-mail and chat support. If correct, this would be a very shrewd move by Redmond, as many of the traditional security vendors charge hefty fees for support - a gap I have frequently derided, as it is inevitably when something goes horribly wrong that you most need their much heralded expertise. And you shouldn't have to put your hand in your pocket - again - to get it.

The security vendors have predictably responded by disparaging the new offering, suggesting that security is not 'core' to Microsoft, and that they have no credibility in the space with customers.

A long shot.......

Frankly, I believe this to be wishful thinking - MS has the cash reserves to become 'expert' in almost anything, given a commitment from on high to do so. And there can be little doubt that such a commitment exists. It would be madness - a form of corporate kamikaze - for MS not to slay the security dragon to allow it to concentrate on selling more operating systems and edging its way into the increasingly wired home.

Relief in sight for headfried consumers?

Consumers, in turn, are so headfried by the whole security issue, and so unsure what to do about it, that they will - I predict - embrace wholeheartedly a one-stop-shopping approach to ending their collective misery. The average PC user has not one iota of knowledge that MS is the evil anti-security demon in many circles - and frankly does not care a toss. If the net effect of one annual, not too hefty payment to MS is to lighten their load - count them in.

Do or die

In any event, MS had little choice. It could continue to take abuse for selling insecure products, or enter the fray and suffer the slings and arrows of suggestions that it profits off its own shortcomings - selling fixes for flaws that shouldn't exist in the first place, and so on.

But the threat of more anti-trust problems down the line looms near - the security vendors will not take the new, most unwelcome competition lying down. However, all is not lost for MS in this regard. It can argue that regulators cannot have it every which way, and it is only doing what it has been asked to do all along - make the operating system more secure and create a better user experience.

MS has also released a new, free risk assessment tool - geared to businesses with under 1000 employees - as well as a new Security Guide for Small Businesses, which was written by Microsoft's U.S. Small Business team. These are clearly a series of good faith gestures, and possibly a sign of more movement into the enterprise security market?

Changing the tune

As it is also sidling up to Sun Microsystems and one-time arch-enemy Scott McNealy to try to drive IBM out of town, and treating genius game developers to many free lunches to try to slay Sony, it seems MS may be on a new charm offensive.

Now if only the current ghastly MS Office dinosaur ad campaign would go away?

But who does Bill Gates really fear?

Methinks it is not the incumbent security vendors, such as Symantec, McAfee et al. An entertaining article in Fortune Magazine suggests Google is keeping Gates awake nights, afeared that he will wake up one fair morning to read of the birth of GoogleOffice, or some equally shocking Google foray into deep MS terrain.

Google beat MS to desktop search - despite MS haemorrhaging vast wads of cash on a similar initiative. GoogleFear may be one more compelling reason for MS to suck up to Sun - to avoid the hideous possibility, as the Fortune article points out, of Google buying Sun's Star Office.

The halo effect, anyone?

Meanwhile, Bill Gates continues his laudable philanthropic activities, announcing a further $250 million donation to the Grand Challenges in Global Health initiative at the World Health Assembly, an annual gathering of the world's top health officials. Apparently, he mentioned similarities between his vision for world health and his MS duties...

More US security breach (reporting) laws

Several US states are following the lead of California and its SB 1386 Act - the law that mandates the reporting of certain security breaches to consumers, provided the data is unencrypted. Both Georgia (SB 230) and Arkansas (SB 1167) have enacted similar laws.

The Georgia law is arguably tougher, and more closely tracks SB 1386. The Arkansas legislation leaves liberal room for interpretation by allowing corporations to avoid the need to provide notice if they assess - 'after a reasonable investigation' - that there is 'no reasonable likelihood of harm to customers'.

HSBC blames banking customers- and passes liability

HSBC is notifying possible victims (in the RL case) and advising them to replace cards - a costly affair for the banks, and something they do not do lightly. The Wall Street Journal recently identified Ralph Lauren as the retailer responsible for the breach.

Note: A senior HSBC executive was recently quoted pinning most of its - and the industry's - woes on the poor user. Indeed, HSBC, apparently considerably rattled, prefers to hold - or at least will try to hold (consumer protection laws often have something to say about self-serving legalese) - the consumer liable for sundry security lapses.

A reading of the 'HSBC WEBSITE USE AGREEMENT FOR THE HSBC CANADA PREMIER WEBSITE' - especially clauses 10 and 13 - is particularly telling. They do, to their credit, provide a bunch of advice and counsel to users (superior to that on many similar Canadian banking sites), but there is no explicit mention of the key logger threat. In addition, while their 'recommendations' are stated to be 'discretionary', the terms of the Website Use Agreement are decidedly not.

But one cannot assume that HSBC customers will read their cardholder or site usage agreements. Or understand them if they did.

 

So what's headfry?

Headfry is a common, much used and loved expression in Ireland, the UK and Australia.