A great resource for learning about security foibles is The Breach Blog. This fellow finds some really good stuff, things like lost USB drives, poorly secured sites, etc.
Here’s a good one: The US Transportation Security Administration is responsible for securing air travelers in the post 9-11 apocalypse. The TSA has a method of allowing innocent travelers to remove their names from their ‘watch list’, thereby avoiding hassles when boarding aircraft in the US. Unfortunately, the web application was poorly secured, resulting in serious problems.
Of course, in many (most?) states in the US, it is the law to report information breaches. Here in Canada, we have to wait for the news services to hear of an investigation or report before such information sees the light of day…
While our Privacy Commissioner has voluntary guidelines available for reporting breaches, the legislation has not been changed to make this reporting mandatory.
There are a few good identity-related blogs that I follow and I thought it would be useful to do a bit of promotion and highlight the reasons for this support. In no particular order, here are three that are worth a plug:
Identity & Privacy Blog — Vikram Kumar’s frequent take on things related to identity management is particularly relevant to my consulting work because he operates in a government setting (New Zealand). Issues related to the political impacts of large-scale identity and access management are unique and often don’t get much attention from either the IT press or the blogosphere. As a sample, here is Mr. Kumar’s take on a recent Canadian story.
Identity 2.0 — Dick Hardt catches our attention with his Identity 2.0 presentation, and holds it with periodic offerings on information cards and identity management. I’m most interested in hearing how the BC government information card project progresses in 2008 — there are bound to be impacts for other Canadian identity management implementations.
Kim Cameron’s Identity Weblog — Everything you need to know about information cards can be found here, plus the Laws of Identity. Mr. Cameron, who works for Microsoft as their Chief Architect of Identity, does a good job of presenting information without being Microsoft-centric. He’s even better in person, and it is worth your while to attend a conference where he speaks.