Bruce Schneier recommends a good cleaning and PGP (or TrueCrypt).

More on PGP here. I also use Cache Out X for clearing internet and system caches, as well as system logs.

Bruce Schneier, cryptography king, keeps his home network open. And despite what Tim Lee wrote in support of the idea, please don’t listen.

The justification is that the risk of someone using your network for illegal means is very low, while the risk of you getting hacked at the local coffee shop is potentially higher. Hence, worry about your machine, not your home connection.

I say BLAH! This piss poor argument ignores two significant points:

1) There is little or no benefit to you from opening your network; and

2) It takes minimal effort to secure your network with a password.

The risks may be low, but meanwhile you have nothing to gain. Meanwhile, the effort necessary to provide that little extra layer of protection likely outweighs the cost of that single long tail incident - one that could potential cause you tons of legal hassles.

If you are hell bent on providing web access to home visitors, I’ll take for granted that you trust them. Give them the key, like I do. Or if you’re wearing a tinfoil hat as you hand them their coffee, ask them to allow you to type it in yourself.

UPDATE: Being open can cause hassles (unless you don’t consider having your computer confiscated by less than technology savvy law enforcement officers a hassle).

According to Bruce Schneier, spam is going nowhere (except in your inbox).

I’m still waiting for some spam to hit my Blackberry. Maybe those Blackberry guys took all the embedded cryptography in it from Bruce, and he somehow holds the keys to stopping spam (we know Bill Gates doesn’t), or maybe the fact that I have 70 different spam filters I run all my mail through is the reason why I don’t get any email at all!

BT acquired Counterpane Systems, noting…

“Counterpane is a welcome addition to BT’s global professional services community. As more and more of our customers seek to exploit the opportunities of globalisation, we are finding that increasingly business critical applications are dependent upon the resilience and security of their infrastructure. “

In separate news, Bruce Schneier, former CEO of Counterpane, will be blogging from Fiji, until April.

Bruce Schneier comments on data theft disclosure law, stating emphatically that the Data Accountability and Theft Act is too “watered down” to do much good.

I guess my intuition engine is still running.

If the ecommerce site you frequent suddenly announces their database was cracked, and thieves took off with you credit card information, you can keep the warm fuzzies because you are not alone. Huh?

Bruce Schneier suggests that way too many pieces of identifying information are being stolen already, and the chances of you actually getting hit with a financial fraud are about 1 in 1000.

I am not going to argue with Bruce on the point - he is a better at math than I’ll ever be. But it does tell me this:

1) Once you get notice of such a breach, taking quick action by changing account numbers should reduce your chances to 0 in 1000;

2) Notices of such breaches when they happen, not weeks or months later, should be the law of the land; and

3) If you Social Security number is snatched, government bureaucracy assures that there is nothing you can do. Sorry.

Most of you have never heard of him. But Bruce Schneier is one of my geek heroes. He doesn’t know it, but this co-founder and CTO of Counterpane Internet Security is the one who introduced me to the concept of public key encryption. My email has never been the same since (mostly because my friends can’t read my 4096 bit scrambled messages)!

No seriously…Bruce was the author of Applied Cryptography, which was one of the first books on encryption that didn’t require a PhD in astrophysics to understand. You could also send away for the source code associated with the book - I did, and six weeks later I had a floppy loaded with algorithms. I never compiled any of that source, but it led me to grab PGP, so it was worth the trip.

The reason I say all this is because Mr. Schneier is a guy who knows security. And by that I mean not only the code, but the processes behind them, and how they can affect users in our data driven world.

Now Bruce has commented on “identity theft,” and again it is worth listening to.

In this contribution over at CNET News.com, Bruce questions the very concept called “identity theft,” and expounds upon some of the reasons why the pursuits of legislation to fix the problems will miss the boat.

Bruce’s first contention is that “identity theft” is a bit of a misnomer - identities are never actually stolen - what is stolen is the data that acts as tags for peoples’ identity. It is the fraudulent transaction perpetrated as a result of that data acquisition that is the real crime. He goes on to suggest that if traditional financial institutions (such as banks) bore some liability for those fraudulent transactions, much the same way credit card companies do, that they would be apt to approach the fraud in a different way.

Credit card companies, through the use of sophisticated pattern recognition technology, are able to stop transactions that don’t fit the cardholders’ historical charge composition. It works well enough that they don’t mind bearing some liability for what fraud does happen. If banks utilized similar measures, as Bruce suggests, much of the data that is stolen could be rendered useless.

While I don’t know how quickly banks and brokerages will adopt such measures, if ever, I do know that they are already subject to a number of regulations designed to “know the customer.” The Bank Secrecy Act, the NASD Manual, and even the Patriot Act outline compliance measures that cost financial institutions a bundle to comply with. Taking it one step further, to “know the transaction,” seems like a logical next move.

If Bruce’s presumptions are correct, the presently pending legislation that is designed to stop the data mishaps will be ineffective, as the fraudulent transactions can co-exist in that environment. But, if the transaction can be stopped by some computer algorithm, why steal the data in the first place? Some additional measures are taken at the transaction level, and “identity theft” simply dies as a result of technological obsolescence. Interesting.

***UPDATE***

Schneier has not let up on the message, and others are picking up on it too.