
Posts Tagged ‘LinkedIn’

While the US government has never been very good at protecting our personal information against cyber attacks, the Obama Administration has set records for incompetence in the area of data security. The current score: F.

Here are just some of the breaches that have occurred under the current administration. I am sure I have missed some.

  • Individual rogue employees and contractors, including Edward Snowden, have made public information on more than 2.4 million government personnel available to the media.
  • Tricare, the US military health program, had 4.9 million records stolen from unencrypted backup tapes (Sept. 2011).
  • Stratfor, a global intelligence firm serving the US Government, had 860,000 records stolen by the hacktivist group AntiSec (Oct. 2011).
  • The US Navy Criminal Investigative Service had a breach involving 220,000 military personnel from the database that manages transfers of service members for all branches of the US military (June 2012).
  • The National Oceanic and Atmospheric Administration (NOAA) had a data breach in 2013 that they have not investigated because the data was stolen through a contractor’s personal computer. As of a July 2014 report, NOAA does not know what data was stolen and whether it involves any personal information.
  • The Department of Energy had 104,000 records stolen from its Employee Data Repository database (July 2013).
  • USIS, a company that conducts background checks for the Department of Homeland Security, reported a cyber-attack that impacted 25,000 people (Aug 2014).
  • The U.S. Postal Service had a breach involving the loss of names, Social Security numbers, and addresses that impacted more than 800,000 personnel (Nov. 2014).
  • The State Department has shut down its unclassified email system (Mar. 2015) because of a cyber-attack linked to a breach at the White House (Oct. 2014). This on top of the illegal actions of Hillary Clinton and her staff while she was Secretary of State and after she resigned.
  • The Internal Revenue Service had a data breach that involved the detailed tax-return information on 104,000 taxpayers (May 2015).
  • The Office of Personnel Management, which keeps track of every US government employee and contractor, has had two breaches since July 2014 involving at least 21.5 million individuals. Also potentially impacted are applicants for federal jobs. Because this database was used for background checks, the spouses and co-habitants, immediate family, close contacts and references of those individuals could also be impacted. If you may be impacted by this OPM data breach, there is more information here.

Many of these attacks appear to be “practice” attacks. Cybercriminals started by seeing what they could attack and what data they could access. It was only after their success at that stage did they advance to turning a profit from these activities. It did not take them very long to go from “well, that worked” to full-scale general attacks and, more recently, to more focused attacks.

But the larger concern is that stealing the data may not be the real objective. The access to our government’s sensitive data that our enemies have demonstrated with these attacks also gives our attackers the ability to change or remove the data. Imagine the impact of an attacker deleting around 100 million individual and company records from the IRS databases. Such an attack would be quickly identified, but the fix would not be quick. Even worse would be the impact of making random changes to the data, for example changing filing dates or the amount of tax paid. Those changes would be exceedingly difficult to identify and correct. Imagine the damage such unauthorized changes could do to FBI, Department of Defense, or other security-dependent databases.

These attacks are not isolated and unusual events. Many of them appear to be organized attacks by other governments, especially China. As such they are acts of war. Our current administration has demonstrated a complete lack of concern and ignorance of the implications of these attacks. President Obama consistently appoints people to high positions who are either totally ignorant of data security or do not care about the welfare of the citizens of the United States, or both. OPM was not monitoring the security of its networks and data and was not encrypting data as required by federal regulations. These people, like Katherine Archuleta, the former director of the Office of Personnel Management, should not be allowed to simply resign and seek another government job. They should be immediately fired and lose all government pensions, medical coverage, termination bonuses or any other government benefit. In some cases, and Ms. Archuleta is one such case, these so-called leaders should be tried for violating federal data security laws and fined or jailed as specified by those laws if convicted. It is past time for Congress to act to make the punishment fit the crimes these “leaders” commit.

The last word:

What do you do if you believe your personal data has been stolen or, worse, modified? You are pretty much on your own. Unlike companies, government organizations do not have to provide any support or even notify you that your data has been compromised. OPM has stated they have notified impacted individuals, and you can request a suite of services including free credit reports. As always, you should be checking all of your financial accounts frequently, more often than once a month, since in some cases you only have 30 days to report a problem. Consider using one of the “identity theft prevention” services. I use LifeLock Ultimate Plus, which monitors financial accounts. I get notification of a financial transaction that meets criteria I specify within 48 hours.

At the first hint of a problem, notify the government organization involved. If you do that online or over the phone, make sure you get a “claim number” so you can prove that you did notify them. If you do not get quick resolution, consult your financial advisor or lawyer and notify your Congressional representatives.

Comments solicited.

Keep your sense of humor.

Walt.


A few weeks ago my wife and I went to the Clark Art Institute in Williamstown in the northwest corner of Massachusetts. This is a fabulous, small art gallery with many of the paintings you learned about in your Art Appreciation or Art History course. But from September 6 through November 2 it also has one of the four original copies of the 1215 Magna Carta. For the first time, one of these original copies is in the US – the copy in the National Archives in Washington DC is from 1297.

The document was copied by hand with very small letters made with a quill pen and dipped ink. The letters have faded and the cotton “paper” has discolored, and while my Medieval Latin is rusty enough to limit my comprehension of the script, the document is still readable 799 years later.

In another case of amazing longevity for saved data, a friend of mine was able to get data from computer tapes from the 1960s. The story of finding the tapes, finding a tape drive that would read them, and a company that had the technology and process to make it all work makes that data recovery remarkable. If you have data on floppy disks (remember them?), try to figure out how you would access it.

Is it even possible to save today’s data for 800 years? Maybe, but not easily.

You need four things in order to save data for the long term:

  1. A digital copy of the data.
    For digital data, that is fairly easy; just copy it. For analog data, like vinyl records, magnetic tape, or paper, you need to first get it into a digital electronic form. In the case of the 1215 Magna Carta, the four existing copies are not identical. Since it was copied by hand, sometimes by monks who could not read, there are accidental differences among the copies. The same thing happens with analog data – every time you read it you damage it, and any copy is modified from the original.
  2. A medium that will last for the time period you want.
    CDs and DVDs are probably good for up to 20 years, thumb drives for probably longer. The more critical factor is how many times you write to the thumb drive, not how often you read it or even how you treat it while stored. Even an inexpensive thumb drive will support 3,000 to 5,000 erase / write cycles. Potentially the weakest part is the physical connector that you plug into your computer: they are only specified to withstand about 1,500 insert / removal cycles. For archival purposes, these limitations are not significant.
  3. A device to read the media later.
    The latest Macintosh desktop I have has no optical drive. While I could still purchase one, it is likely that ten years from now it will be difficult to find a drive to read CDs or DVDs. At some point, USB ports will also disappear, to be replaced by some newer better faster cheaper connection mechanism. For a while there will be gadgets that will still accept that thumb drive, but quicker than you can imagine it will be very difficult, and expensive, to read a thumb drive.
  4. A program to read the data.
    Perhaps the most significant long-term risk is having some program that can interpret the data on the media. With the 1215 Magna Carta, all I would need is my eyes, a magnifying glass, plus a refresher course in old Latin. Try to find a program that can read a Microsoft Word document created in 1982, or worse a document created by a program published by a company that no longer exists. I lost some drawings I had created in an extinct Macintosh program that does not run on existing hardware and operating systems. Fortunately, I didn’t really care, but it was annoying. For long-term storage, I suggest not using the native program format (e.g., .docx) but creating PDF files. I expect that PDF, standard picture formats like .jpg, and iTunes-compatible formats for music will still be readable for decades, or at least give you time to convert the file formats. If you do need to keep the native formats, plan on running a test before you completely move to a new version of a program, a new platform (e.g., Macintosh to Windows or vice versa), or a new major operating system release. If it looks like it may be a problem, convert to a newer or different native format before you make the jump. A good rule of thumb is to update the native format files at least every five years anyway.

In general, you should not expect to successfully get data from stored electronic media after ten years, and you should plan to refresh your long-term data storage every five years or so. So you could endow an organization to do the refresh every five years and have some expectation that your data would still be accessible in 800 years.
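The four requirements and the five-year refresh rule above translate into a small amount of bookkeeping: a manifest of what was stored and its hash, a verification pass when the copy is refreshed (so a silently corrupted copy is caught before the old medium is discarded), and a list of files still in native formats or older than the refresh interval. The following Python script is an added example and is not code from the original post; the directory layout, the list of "native" extensions, and the sample files it creates are assumptions for illustration.

```python
import hashlib
import os
import pathlib
import tempfile
import time

# Assumed: formats the post recommends converting (e.g. to PDF) before long-term storage.
NATIVE_FORMATS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pages", ".numbers"}


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's archive-relative POSIX path to its SHA-256 digest."""
    root = pathlib.Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root, manifest):
    """Return [(problem, relpath)] for files that are missing or whose bytes changed."""
    root = pathlib.Path(root)
    problems = []
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            problems.append(("missing", rel))
        elif sha256_of(p) != digest:
            problems.append(("changed", rel))
    return problems


def files_needing_refresh(root, max_age_years=5, now=None):
    """Files not touched within the refresh interval (the post's five-year rule of thumb)."""
    root = pathlib.Path(root)
    now = time.time() if now is None else now
    cutoff = now - max_age_years * 365 * 86400
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("*") if p.is_file() and p.stat().st_mtime < cutoff)


def native_format_files(root):
    """Files still in an application-native format, candidates for conversion to PDF."""
    root = pathlib.Path(root)
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("*") if p.is_file() and p.suffix.lower() in NATIVE_FORMATS)


def demo():
    """Constructed scenario: one fresh PDF, one six-year-old .docx, then a corrupted copy."""
    with tempfile.TemporaryDirectory() as root:
        p = pathlib.Path(root)
        (p / "thesis.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        (p / "notes.docx").write_bytes(b"constructed docx bytes")
        six_years_ago = time.time() - 6 * 365 * 86400
        os.utime(p / "notes.docx", (six_years_ago, six_years_ago))

        manifest = build_manifest(p)
        clean = verify_manifest(p, manifest)
        # Simulate bit rot on the stored medium.
        (p / "thesis.pdf").write_bytes(b"%PDF-1.4 constructed sample, one bit rotted")
        damaged = verify_manifest(p, manifest)
        return {
            "files": sorted(manifest),
            "clean": clean,
            "damaged": damaged,
            "stale": files_needing_refresh(p),
            "native": native_format_files(p),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Keep the manifest on a different medium than the archive itself (or alongside a printed copy of the digests); the verification step only helps if the digests survive independently of the files they describe.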

Or you could print a dozen copies on cotton paper and give one to each of a dozen monasteries or cathedrals in England.

The last word:

That monk who copied the Magna Carta would, other than language, be pretty much at home in England for the first 600 years of the document’s existence. After that, with the changes including the indoor plumbing that first appeared in England around 1890 in London, he would be more and more lost. He would however have to find a different line of work, maybe typesetting, after about 225 years.

He, like many of us, would be baffled by a world where almost everything changes every 20 years.

Comments solicited.

Keep your sense of humor.

Walt.


Healthcare CIOs have some real problems today. The Affordable Care Act (ACA) is having a big impact on the industry. The rules themselves are changing as the US President makes changes to the law, and depending on the outcome of the November congressional elections in the US we may have a congress that makes additional changes. The behavior of insurance companies is transforming as a result of the ACA, and health care customers, like you and me, are changing the way we access health care as we learn, usually the hard way, what is and is not covered and how much it will cost us. Just adding millions of new customers can have a destabilizing impact to the industry.

On top of that, factor in the government mandated migration from paper records to electronic medical record (EMR) systems. While the end results are probably beneficial, the migration is nothing but pain over many months or years for most organizations.

If that wasn’t enough, a combination of factors, including the ACA, is leading to massive mergers of hospitals and medical practices into larger and larger enterprises. What were dozens of hospitals in my area a decade ago are now just a couple of mega-medical companies. These mergers and acquisitions offer the CIO the opportunity to reconcile and merge a number of totally different hardware and software medical systems into one, or to figure out how to run a business with multiple billing systems while keeping patients’ records accurate across multiple EMR systems.

No wonder that most of these CIOs do not have the time to be very interested in data security. There are millions of dollars of government rewards for moving to EMR and enabling Meaningful Use. Meaningful Use has the potential to provide significant benefits in health care and could lead to quicker approval of new uses for existing treatments, along with a significant increase in the potential for the government and insurance companies to misuse data about individuals. There are millions to be saved by quickly moving to a single software environment in these growing amalgamations of separate health care organizations. Besides, what’s the worst that can happen if a few records are stolen? It happens every day with doctors and file clerks accidentally leaving patient records out on an unattended desktop or similar sloppy behavior at labs, pharmacies and hospitals.

To a large extent, that is a reasonable response. Even the desired end state of completely integrated EMR and billing systems plus a fully functional nationwide Meaningful Use infrastructure will not prevent these kinds of small errors. The loss of one person’s information is not a big problem for the medical institution.

However, the loss of thousands or millions of people’s medical records is a big problem for a medical organization. In my February 2014 posting The Cost of a HIPAA Breach I show that for significant breaches the cost in fines alone can start at $150,000 and easily rise to over a million dollars per incident. This does not include the approximately $200 for each lost record that it costs an organization on average to deal with a data breach.

A major data breach at your hospital or medical practice can cost millions of dollars in fines, plus risks the loss of accreditation of your organization. It also often causes the CIO, or even the CEO, to seek employment elsewhere. If you think you have never had a breach, you would be better off thinking instead that you don’t know that you have had a data breach. Health care data accounted for 43% of major data breaches in 2013, and the Washington Post reported that over 30 million patients have been impacted by health care data breaches. Over 80% of data breaches are discovered by a third party.

For a longer look at these issues, check out Daniel Berger’s June 2014 What Healthcare CEO’s Need to Know about IT Security Risk paper. Mr. Berger is President and CEO of Redspin, Inc. Based in Santa Barbara, California, Redspin has become a leader in healthcare IT security and provides HIPAA security risk analysis and compliance, including meaningful use.

As your organization advertises its new treatment options, new care centers and new growth, a front page article that you have just lost thousands of patients’ data can negatively impact its reputation.

Next time I plan to talk about a way to protect the crown jewels of your IT infrastructure: the databases that contain your critical health care and financial data.

The last word:

In addition to the financial risks, hacking into health care records can kill people. Changing prescriptions, diagnosis, or test results, or modifying instructions to network-connected imaging, drug dispensing, and operating room equipment can kill or seriously harm a patient. Or a thousand patients.

Comments solicited.

Keep your sense of humor.

Walt.


The Russians have stolen 1.2 billion Internet passwords! We are all doomed!

Probably not.

You can’t have missed the recent flurry from NBC News, The New York Times, USA Today, and almost every other news media about how a Russian crime ring has stolen 1.2 billion user name / password combinations plus over 500 million email addresses. These credentials were stolen from 420,000 different websites spanning everything from Fortune 500 companies to small companies across almost every line of business and all around the world.

The attack uses an old but still effective mechanism: introduce malware into the company’s network that looks for SQL databases, then use a technique called “SQL Injection” to steal data. SQL Injection takes advantage of bad code in application programs. When you sign into a website and enter your account number to get information such as your personal profile, the web site sends the request to an application program which then queries a database. Many of these databases are based on SQL, Structured Query Language, originally developed by IBM over 40 years ago. These databases now run on every kind of computer and are extensively used because of their reliability, scalability and relatively low cost. The application program sends an easy to understand query to the database. For example, it would send something like “give me the account information for account number 123.” The database returns the requested data to the application. If you ask “give me the account information for account number > 1” the database will return all of the account information for all of the accounts. If the programmer was not careful and testing was woefully lacking, you can fool the database into giving you a lot more information than intended or appropriate.
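The “account number 123” versus “account number > 1” contrast above is exactly the defect a code review should catch: the application pastes the user’s input into the query text instead of passing it as a separate parameter. The script below is an added example, not code from the original post or from any of the breached sites; it uses Python’s built-in sqlite3 module with a constructed three-row accounts table, and shows the vulnerable lookup beside two fixes (a parameterized query, and validating the input as an integer before it reaches the database).

```python
import sqlite3

# Constructed sample data, not from the post.
SAMPLE_ACCOUNTS = [
    (123, "alice", "alice@example.com"),
    (124, "bob", "bob@example.com"),
    (125, "carol", "carol@example.com"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (account_id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, account_number):
    """The defect described in the post: user input becomes part of the SQL text,
    so '123 OR account_id > 1' turns a one-row lookup into 'give me every account'."""
    query = ("SELECT account_id, name, email FROM accounts WHERE account_id = "
             + str(account_number))
    return conn.execute(query).fetchall()


def lookup_safe(conn, account_number):
    """Fix 1: a parameterized query. The input is bound as a value, never parsed as SQL,
    so the same string simply matches no account."""
    query = "SELECT account_id, name, email FROM accounts WHERE account_id = ?"
    return conn.execute(query, (account_number,)).fetchall()


def parse_account_number(raw):
    """Fix 2 (defense in depth): reject anything that is not a plain positive integer
    before it reaches the database layer."""
    raw = raw.strip()
    if not raw.isdigit():
        raise ValueError("account number must be digits only")
    return int(raw)


def lookup_validated(conn, raw):
    """Validation plus parameterization, the combination a reviewer would ask for."""
    return lookup_safe(conn, parse_account_number(raw))


if __name__ == "__main__":
    conn = make_db()
    hostile = "123 OR account_id > 1"
    print("vulnerable:", lookup_vulnerable(conn, hostile))   # all three accounts
    print("parameterized:", lookup_safe(conn, hostile))       # []
    try:
        lookup_validated(conn, hostile)
    except ValueError as err:
        print("validated:", err)
```

The parameterized version is the fix that matters; the integer check is cheap extra assurance and also produces a clear audit log entry when someone sends a non-numeric account number.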

How serious is this particular attack? We don’t really know. The 420,000 hacked companies have not been identified. We don’t know how old the passwords are. Many critical systems require that you change your password periodically; many of the hacked user name password combinations may be months or years old. These attacks have apparently been going on for years, so it is not clear that this is really something new.

Surprisingly, and contrary to standard practice, Hold Security, who reported the breach, has not provided the victim companies sufficient information to verify the problem and identify specific individuals impacted. Hold Security has also announced a new service ($10/month) that will monitor your email address if it is one of the stolen emails. However, you must provide Hold Security with your email addresses and account passwords.

What should you do?

  1. Don’t panic.
  2. Monitor your financial activity frequently looking for unusual transactions. Especially look for small, often less than $10, transactions that you do not recognize. Many criminals use one or two small transactions to validate the information they have before they move to bigger transactions, and many are satisfied to pick up a few dollars from thousands of accounts and hopefully stay below the threshold to get government authorities interested in their activities. Some financial organizations, including Chase, actually monitor for these small transactions and will notify you to determine whether they are valid.
  3. Identify your important financial and medical web sites. While you probably have dozens of different accounts you access online, most of them would have little impact on you if they were compromised. Note which accounts are linked to a bank account or credit/debit card. For example, if you use Amazon one-click to make purchases, then Amazon is an important account.
  4. Change your passwords frequently on those important web sites. To me, frequently means at least four times a year.
  5. Do not use the same password for more than one account.
  6. Do not use a simple password. Your password should be at least eight characters long, and contain at least one lowercase letter, one uppercase letter, one digit, and, if the site allows, one special character like $ # % !.

The top five passwords actually used in 2013 were 123456, password, 12345678, qwerty, and abc123. For a bad password, I prefer “what,” as in “what is the password.” You should not use anything remotely like these.
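The rules in items 5 and 6 of the list above, together with the 2013 top-five list, are easy to turn into a checker that a site (or a person auditing their own accounts) can run. The script below is an added example and is not code from the original post or from Hold Security; the set of “special” characters is the one the post names, and the sample site-to-password mapping is constructed.

```python
import string

# The five most-used passwords of 2013 as quoted in the post, plus the post's joke "what".
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123", "what"}

# Specials named in the post; a site may allow all of string.punctuation instead.
SPECIAL_CHARS = set("$#%!")


def password_problems(password, require_special=False):
    """Return a list of rule violations (empty list means the password passes).
    Rules follow the post: >= 8 chars, lowercase, uppercase, digit, optional special."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if require_special and not any(c in SPECIAL_CHARS or c in string.punctuation
                                   for c in password):
        problems.append("no special character")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    return problems


def is_acceptable(password, require_special=False):
    return not password_problems(password, require_special)


def find_reused(site_passwords):
    """Rule 5: group sites that share a password. Input is {site: password};
    output is a list of site groups (sorted) that reuse the same password."""
    by_password = {}
    for site, pw in site_passwords.items():
        by_password.setdefault(pw, []).append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


if __name__ == "__main__":
    # Constructed example of a personal account inventory (not real credentials).
    inventory = {"bank": "Tr0ub4dor&3", "email": "Tr0ub4dor&3", "forum": "qwerty"}
    for site, pw in inventory.items():
        print(site, password_problems(pw, require_special=True) or "ok")
    print("reused across:", find_reused(inventory))
```

Note that passing these rules says nothing about how the site stores the password; the checker protects you against guessing, not against the breach the post describes, which is why rule 5 (no reuse) matters more than rule 6 once the credential database itself has been stolen.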

If you have trouble remembering dozens of strong passwords and would like to have help doing that, check out Sreenivas Angara’s Kickstarter project. He is working on a smart phone and tablet game called Drongzer to teach you to how to create and remember strong passwords by using procedural memory instead of declarative memory. Procedural memory guides the processes we perform, like driving a car. We know what to do while driving when we come to an intersection, even if we have never been there before. Procedural memory usually resides below the level of conscious awareness and tends to be automatically retrieved and utilized. Declarative memories must be consciously recalled. We use it for things like dates (1492, your significant other’s birthday, your address, …). There is no pattern to them; you just have to memorize them.

The last word:

Many if not most of the 420,000 companies are still vulnerable. Is yours? Meet with your IT and security managers and review your current security and audit practices. Most companies concentrate on protecting data coming into their site, looking for malware and denial of service attacks. These are all important. But also look at the data leaving your site; this is where you are really vulnerable to losing protected information. Are you looking for unusual patterns, like outgoing transactions that are thousands or millions of bytes instead of a few hundred, or large data transfers in the middle of the night? Do not forget to include non-electronic loss opportunities like storing unencrypted files on laptops, CDs or thumb drives.
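The outbound checks suggested in the last word (transfers of thousands or millions of bytes instead of a few hundred, and large transfers in the middle of the night) can be expressed as two rules over an outbound-connection log: flag any single transfer above a size threshold, marking it separately when it happens after hours, and flag any internal host whose total outbound volume for the day exceeds a larger threshold. The script below is an added example, not code from the original post; the log format (timestamp, source, destination, bytes) and the five sample lines are constructed, and the thresholds are assumptions to be tuned against your own baseline.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample outbound log (not from the post). Fields:
# ISO timestamp, internal source host, external destination, bytes sent.
SAMPLE_LOG = """\
2014-08-11T14:02:17 10.0.0.12 203.0.113.5 812
2014-08-11T14:05:40 10.0.0.12 203.0.113.5 1024
2014-08-11T02:13:09 10.0.0.31 198.51.100.7 5242880
2014-08-11T15:30:01 10.0.0.44 203.0.113.9 48000000
2014-08-11T03:41:55 10.0.0.31 198.51.100.7 900
"""

# Assumed thresholds; a real deployment derives them from a per-host baseline.
LARGE_TRANSFER_BYTES = 1_000_000
DAILY_HOST_BYTES = 10_000_000
AFTER_HOURS = range(0, 6)  # 00:00-05:59 counts as "the middle of the night"


def parse_log(text):
    """Parse whitespace-separated log lines into dicts; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        records.append({
            "time": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "bytes": int(nbytes),
        })
    return records


def flag_transfers(records, large_bytes=LARGE_TRANSFER_BYTES, after_hours=AFTER_HOURS):
    """Rule 1: single outbound transfers above the size threshold.
    Returns [(reason, record)] in log order."""
    flagged = []
    for rec in records:
        if rec["bytes"] >= large_bytes:
            reason = "large transfer"
            if rec["time"].hour in after_hours:
                reason += " after hours"
            flagged.append((reason, rec))
    return flagged


def host_totals(records):
    """Total outbound bytes per internal source host."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec["src"]] += rec["bytes"]
    return dict(totals)


def flag_hosts(records, daily_bytes=DAILY_HOST_BYTES):
    """Rule 2: hosts whose aggregate outbound volume exceeds the daily threshold,
    which catches many medium-sized transfers that rule 1 would miss individually."""
    return {host: total for host, total in host_totals(records).items()
            if total >= daily_bytes}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for reason, rec in flag_transfers(recs):
        print(f"{rec['time']} {rec['src']} -> {rec['dst']} {rec['bytes']} bytes: {reason}")
    for host, total in flag_hosts(recs).items():
        print(f"{host}: {total} bytes outbound today exceeds daily threshold")
```

The aggregate rule is what makes the check worthwhile in practice: an attacker who knows about a per-transfer size limit simply splits the data, so the per-host daily total (and, in a fuller version, the per-destination total) is the figure to compare against the host’s normal behaviour.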

Comments solicited.

Keep your sense of humor.

Walt.


I started blogging about Cloud Computing over four years ago. At that point it was relatively new. A lot of CIOs were talking about it, but relatively few were actually spending money moving to it. The “experts” were mostly predicting great growth for the Cloud; as just one example, Novell predicted that the workloads running in the Cloud would grow from 2% in 2010 to 20% in 2015. Of course, most of these experts were in the Cloud industry and possibly with an inclination to hype the concept.

Four years later, how is Cloud Computing adoption doing?

As is almost always the case, not as well as predicted but better than you might have expected. Everest Group recently released its 2014 Enterprise Cloud Adoption Survey. Founded in 1991 and headquartered in Dallas, Texas, Everest Group is an advisor to business leaders on the next generation of global services with a worldwide reputation for helping Global 1000 firms dramatically improve their performance by optimizing their front-, mid-, and back-office business services.

Their most recent Cloud Adoption Survey shows that 56% of enterprises consider the Cloud as a strategic differentiator. These companies are putting their money on the Cloud, with 58% of the surveyed organizations spending more than 10% of their annual IT budget on Cloud solutions and services. These enterprises are no longer just experimenting with the Cloud, but are investing significantly in moving to the Cloud.

The survey also points out two continuing concerns about the Cloud: security and ease of migration.

Security concerns still exist, but the security picture of the Cloud is improving every year. Cloud Service Providers (CSPs) are gaining more expertise and making that expertise and the resulting best practices available to their customers. One impact is that many companies are going to private cloud implementations, and thus foregoing many of the cost savings and weakening the “pay for use” advantages of the Cloud. I have several posts specifically on Cloud Security, including a three-part introduction starting here, Secure Public Cloud, and most recently here.

The other continuing concern is ease of migration. CSPs will still tout how easy it is to move to their Cloud and most will offer you services to help you move at little or no cost. Your reality may be different. It is important to carefully plan your move, test the actual migration so you know how long it will really take, and then execute the move. As always, no matter what kind of an upgrade you are doing, have a fallback plan.

Your workloads are not all the same: their security, performance and availability requirements vary. Likewise, it is unlikely that a single Cloud solution will be the correct choice for your organization. Like with any product, if you only talk to one vendor you are likely to learn how that vendor’s product is best for you. You will usually be better off if you look at multiple vendors and match each application to the solution that best preserves your individual applications’ important security, performance and availability requirements. Most companies are likely to end up with a combination of different cloud models called a Hybrid Cloud.

As always, moving to the Cloud must be a business decision, not a technical decision. You should go to the Cloud because it makes good business sense for the reasons we have discussed earlier.

The last word:

Sometimes the biggest objections to moving to the Cloud will come from your own IT shop. They have provided you with a solution that is working at a predictable cost. Like in any outsourcing conversation, your IT team is probably concerned about what may happen to them. Your CIO may be worried that he or she will become irrelevant. They should be concerned, because it will change their world.

Because moving to the Cloud is a business decision, the key stakeholders in a Cloud implementation are likely to be the business owners within the company. However, the IT organization will remain critical to provide the leadership and overall management of your ever-changing Cloud environment. The Everest Group report indicates that over 75% of the surveyed organizations believe that the role of IT is increasing or is unchanged as they move to the Cloud. The focus of the CIO and the whole IT team needs to change from the day-to-day handling of the IT infrastructure to a more business-oriented approach of providing the IT services the business stakeholders require.

Comments solicited.

Keep your sense of humor.

Walt.


This has been an interesting couple of weeks. The IRS admits to “losing” millions of emails, coincidentally the subject of an on-going investigation. If your company tried that trick, several of your executives would be in jail and the company would have a huge fine. There are several federal and state laws that require retention of any information relevant to an ongoing investigation. In addition, there are even more stringent laws on data retention specifically for US government entities. In legal terms, “spoliation of evidence” is the intentional or negligent withholding, hiding, altering or destroying of evidence relevant to a legal proceeding. This kind of activity, in addition to being illegal, usually leads to a “spoliation inference.” That is, when a party destroys evidence, it is reasonable for a court to infer that the evidence was damaging to that party.

On the flip side, the IRS has inappropriately released protected personal information to third parties. This includes information provided to Congress as part of their inquiry into the lost emails. In reality, it is illegal for Congress to even open the files provided from the IRS because Congress was told that those files contained protected information on individual taxpayers.

On top of this, and in spite of the assurances from NSA, NSA has been collecting the content of emails from US citizens who are not under any suspicion of any connection to terrorism.

The implications to your company’s ability to respond to Discovery Orders could be serious. Even if you have an excellent Life-Cycle Management policy which defines exactly how long you retain different categories of documents, the US government may be working to make those policies ineffective.

When you receive a court order asking for all of the documentation on a particular subject, you must deliver all and only the appropriate documents. These documents may include emails, text messages, tweets, and standard documents, spreadsheets and presentations. Most organizations don’t do a good job of responding to these court orders. The possibility, or in some industries, the high probability of receipt of a discovery order is one of the drivers to implementing a data life-cycle management system. Most organizations give far more than they should, and fail to give everything they must because they don’t know where all of the data is. Like data life-cycle management, if you have existing policies, systems and procedures in place, it is well worth the effort to make sure that your Cloud Service Provider can interface with them.

My recommendation is to make sure you have a well documented life-cycle management policy and that you carefully document a complete audit of those procedures at least once a year. The legality of the government introducing in a court case documents it has illegally obtained has not yet been tested. But if you can show that you made every effort to appropriately destroy information according to your reasonable data life-cycle management policy then the court may look favorably on your attorney’s objection to the introduction of government-obtained data.

Whatever you do, do not emulate the IRS. Do not destroy information after the issuance of a discovery order or the reasonable expectation that one may be issued. And do not include protected privacy information in response to any discovery order unless that information is specifically listed in the discovery order.

The last word:

The Philadelphia Inquirer reported Monday that the Veterans Administration Philadelphia Regional Office had once again demonstrated the importance of management bonuses over providing services to our veterans. In this case they changed the dates on hundreds of thousands of claims, some filed as early as 2011, so that they were no older than 125 days in order to meet guidelines.

The VA is a fine example of federal government bureaucracy, where management works very hard to destroy the reputation of the organization and the thousands of dedicated medical personnel who are working to protect and serve our veterans. What are the implications of Obamacare as it inexorably moves health care under the federal government bureaucracy?

But don’t worry, the IRS is watching over the implementation of the Affordable Care Act. The IRS is even working with the union of IRS employees to rewrite their agreement so that employees who have failed to pay their federal taxes will no longer get bonuses from the IRS. Not funny. Over 1,100 IRS employees received bonuses within a year of substantiated federal tax compliance infractions.

Comments solicited.

Keep your sense of humor.

Walt.


In spite of the significant service and financial advantages of the Cloud, many companies and governments are increasingly reluctant to adopt it for their critical processing. This reluctance is not caused by security considerations regarding the basic technology of the Cloud; those issues have been largely resolved. Companies following best security practices with experienced Cloud Service Providers (CSPs) can have Cloud solutions with security matching or exceeding anything they could do internally.

What is causing this crisis of confidence is the US National Security Agency (NSA). We have seen almost weekly revelations about the unconstitutional collection of personal and corporate data by the NSA, accompanied by their lack of internal security that has allowed thousands of documents to be “lost,” including those released by Ed Snowden.

It is not just the NSA. The British GCHQ (Government Communications Headquarters) is also tapping Internet communication. One British MP, Chi Onwurah, speaks of “reluctantly and unhappily moving to the Cloud.” One reason is the US Patriot Act, which essentially means that any data stored in the Cloud that ends up on American servers can be compromised by the US Government at any time without notice. Some countries have privacy laws requiring that information be stored within the country. Companies in those countries have a problem with public cloud providers that have servers in multiple countries. That flexibility is great for reliability and business continuance, but a nightmare when it comes to establishing and verifying compliance.

All of this impacts revenue opportunities for American CSPs and the growth of the Cloud in general. But there is more.

from Glenn Greenwald’s “No Place to Hide”

In a letter on May 15, John Chambers, the CEO of Cisco Systems, asked President Obama to restrict the surveillance activities of the NSA. Cisco Systems is one of the major suppliers of the network hardware that creates and manages the infrastructure that is the Internet, with over 50% of the worldwide market by revenue. The cause of this letter was newly released revelations allegedly showing that the NSA intercepted equipment from Cisco and other manufacturers en route to their customers worldwide and installed NSA surveillance software. Mr. Chambers indicated that Cisco did not cooperate with the NSA in this activity, nor was Cisco aware of the NSA interceptions.

If the allegation of NSA interference is true, or even believed to be true, it will impact the ability of Cisco and other US manufacturers to sell their equipment in the US or anywhere in the world.

The NSA has been fairly consistent: any time it has denied doing something, it has turned out later that it was in fact doing it. I’m not sure how President Obama can convince companies that he has “fixed the problem.”

What should you do? The Cloud still does provide significant value, but you need to control the security of your own data yourself. Use state-of-the-art encryption for both data-in-motion (data moving through the Internet) and data-at-rest (data stored in the Cloud), and make sure you control the encryption keys for the data-at-rest. I discuss one way to get a Secure Public Cloud in an earlier post.
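The advice above, that you keep control of the keys for your data-at-rest, is usually implemented as client-side envelope encryption: each object gets its own random data key, the object is encrypted with that key, and the data key is wrapped under a key-encryption key (KEK) that stays on your premises. The CSP stores only ciphertext and wrapped keys. The following Go program is an added illustration of that pattern, not code from this post or from any particular CSP. The object name, payload and keys are constructed samples; in practice the KEK would come from an on-premises key store or HSM, and data-in-motion would additionally be protected by TLS, which this example does not cover.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedObject is the only thing that leaves the customer's premises.
// The KEK that unwraps WrappedDataKey is never uploaded, so the CSP (or
// anyone who compels the CSP) holds nothing that decrypts the data.
type EncryptedObject struct {
	WrappedDataKey []byte // AES-GCM(KEK, dataKey), nonce prepended
	Ciphertext     []byte // AES-GCM(dataKey, plaintext), nonce prepended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts and authenticates plaintext under key. The additional
// data (aad) binds the blob to its object name so a ciphertext cannot be
// silently swapped between objects without failing authentication.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil // nonce || ct || tag
}

// openGCM reverses sealGCM; a wrong key, wrong aad or any tampering errors out.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob shorter than nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptForCloud performs client-side envelope encryption before upload.
func EncryptForCloud(kek, plaintext []byte, objectName string) (EncryptedObject, error) {
	dataKey := make([]byte, 32) // fresh AES-256 key per object
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return EncryptedObject{}, err
	}
	ct, err := sealGCM(dataKey, plaintext, []byte(objectName))
	if err != nil {
		return EncryptedObject{}, err
	}
	wrapped, err := sealGCM(kek, dataKey, []byte("datakey:"+objectName))
	if err != nil {
		return EncryptedObject{}, err
	}
	return EncryptedObject{WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// DecryptFromCloud runs on the customer side after download.
func DecryptFromCloud(kek []byte, obj EncryptedObject, objectName string) ([]byte, error) {
	dataKey, err := openGCM(kek, obj.WrappedDataKey, []byte("datakey:"+objectName))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openGCM(dataKey, obj.Ciphertext, []byte(objectName))
}

func main() {
	kek := make([]byte, 32) // constructed; real KEKs come from an on-prem key store
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	name := "payroll/2014-q3.csv" // constructed object name
	obj, err := EncryptForCloud(kek, []byte("constructed payroll record"), name)
	if err != nil {
		panic(err)
	}
	fmt.Printf("upload: %d ciphertext bytes, %d wrapped-key bytes\n", len(obj.Ciphertext), len(obj.WrappedDataKey))
	pt, err := DecryptFromCloud(kek, obj, name)
	fmt.Printf("with customer KEK: %q err=%v\n", pt, err)
	_, err = DecryptFromCloud(make([]byte, 32), obj, name)
	fmt.Printf("without customer KEK: err=%v\n", err)
}
```

The design point is that everything the CSP can see, or be compelled to hand over, is AES-GCM ciphertext plus a data key that is itself ciphertext; rotating the KEK means re-wrapping small data keys rather than re-encrypting every object. Binding the object name as associated data also makes it detectable if a stored blob is moved or substituted.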

The last word:

Depending on which version is more accurate, Abu Bakr al-Baghdadi was in US custody at Camp Bucca, a US-controlled detention facility in Iraq, for most of 2004 or from 2005-2009. In any case, he was given an “unconditional release” into Iraq under President George W. Bush. You may have recently heard of him: he is now the leader of ISIS, the Islamic State in Iraq and Syria, which is running rampant over northern Syria and threatening the existence of Iraq. In hindsight, it was probably a mistake to release him.

More recently, President Obama decided to release five senior Taliban commanders from Guantanamo prison to a life of luxury in Qatar, with full freedom of movement within the country, and able to go anywhere after one year. The manner of the release was in stark violation of a law President Obama signed requiring that he notify Congress at least 30 days prior to any such release; he notified a few members of Congress five hours before the transfer. Noorullah Noori, one of the five, has already vowed to continue fighting Americans.

In return, he obtained the release of Army Sergeant Bowe Bergdahl. As President Obama said, we do have an obligation not to leave our military personnel behind. The controversy, mostly in the press, that Sgt. Bergdahl may have deserted his post back in 2009 is irrelevant to the requirement to bring him home. If there is significant evidence, Sgt. Bergdahl will be court-martialed and, if found guilty, punished. That trial and punishment, if appropriate, must happen under US control, not Taliban control.

In a few years, will we wonder about the wisdom of President Obama’s method of getting Sgt. Bergdahl free?

Comments solicited.

Keep your sense of humor.

Walt.
