News

Thursday, 19 January 2012

President's Challenge hacked

It looks like the President's Challenge web site has been hacked and users' data stolen. Here's what the email to users of the site said:

We are writing to inform you about a security issue involving the President’s Challenge website [www.presidentschallenge.org]. 

Hackers recently accessed our database, which included personal information such as your username, password, security question and answer, email address, date of birth, city and state, and, if you provided it, your name. The hackers were also able to access data such as your logged activities, your nutrition goals, what groups you are in, and messages you had sent and received within the online tracker. 

After we learned about the attack, we quickly took down the President’s Challenge website on January 11 and began the process of determining what information the hackers accessed and how it may affect you. We also contacted law enforcement to alert them to the hackers’ illegal activity.

Please note that we do not keep credit card numbers or Social Security numbers for users of our online tracker and shop. Regardless, we are alerting you so you can change your login information on any website where you might have used the same or similar username and/or password, and so you can generally monitor your personal and financial information.

We are in the process of securing the President’s Challenge website, and we expect to bring it back online within the next few days. Before you log in, you will be prompted to reset your password. You will then be able to log your activities and, for PALA+ users, your nutrition goals for the past three weeks. All of your previously logged activities and nutrition goals are still stored in the database.

We are sincerely sorry for this situation and any inconvenience or concern it causes you. We take your privacy very seriously. Before the attack, our website was routinely reviewed for security flaws. We are currently reviewing our security practices to make them even stronger and to reduce the probability of a future breach.

I haven't heard how many users were affected by this breach. The President's Challenge is somewhat popular with Boy Scouts, who can get some sort of recognition for completing it, so there may actually be lots of people affected by this breach, including lots of children.

Monday, 14 November 2011

#voltagelive Voltage Customer Summit Video

Tuesday, 18 October 2011

Gaffney v. TRICARE: legal wrangling begins over the SAIC/TRICARE data breach

It looks like a Maryland law firm has already filed a class-action suit (Virginia E. Gaffney, J.G., E.G. and Adrienne Taylor v. TRICARE Management Activity, United States Department of Defense and Leon E. Panetta, or Gaffney v. TRICARE for short) that tries to recover damages of $1,000 per person affected by the recent data breach that exposed the personal information of roughly 4.9 million TRICARE members. That's a total of $4.9 billion in damages, of which the lawyers will no doubt try to keep a significant fraction.

But courts have been very reluctant to award anything to victims of data breaches who can't show that actual financial damages resulted from a breach. Just saying that your risk of damage has increased usually isn't enough. So unless some judge somehow discovers a new interpretation of the law that applies to this particular breach, I expect to see this suit eventually dismissed.

Thursday, 06 October 2011

Government security incidents up dramatically

According to a recent report (PDF) from the US Government Accountability Office, the number of security incidents reported by government agencies has increased dramatically over the past few years. Here's a graph from this report that shows the recent trend.

[Figure: Govt-incidents]

Some of this trend can probably be explained by better reporting of incidents, but I doubt that all of it can. It certainly looks to me like the government needs to learn a lesson or two from the private sector when it comes to information security.

Wednesday, 05 October 2011

JPMorgan Chase awards Voltage Security for Data-centric Encryption Innovation

At the J.P. Morgan Technology Innovation Symposium yesterday afternoon, JPMorgan Chase inducted Voltage Security into its Innovation Hall of Fame in front of hundreds of Silicon Valley executives.

Only two vendors were selected in this year's awards which recognize top emerging technology vendors for business impact, measured in terms of driving value for the firm, disruptiveness of technology and the overall quality of the partnership. Voltage was selected by top IT executives at JPMorgan Chase for its innovative data-centric encryption approach for protecting structured and unstructured data across datacenters, the cloud and mobile devices.

 

"In an environment of ever-increasing threats, secure communications are critical to our business and our clients."
- Guy Chiarello, Global CIO of JPMorgan Chase

"Voltage's stateless key management technology is enabling JPMorgan Chase to roll out secure communications on a global scale with an excellent time-to-market."
- Anish Bhimani, Chief Information Risk Officer of JPMorgan Chase


Sunday, 17 July 2011

Looking back at the size of data breaches

Verizon's recent 2011 Data Breach Investigations Report (PDF) seems to show that very few records were exposed by data breaches in 2010. The report says that all of the breaches that Verizon investigated in 2010 only added up to about 3.9 million records that were exposed.

That doesn't mean that only 3.9 million records were exposed in 2010. 

The Open Security Foundation's data breach database lists breaches in that year that exposed over 28 million records. So although the amount of data exposed through data breaches was lower in 2010 than in the previous few years, there was still a significant amount of data exposed, much more than the 3.9 million records that Verizon's investigators looked at.

A breach that exposes 5 million records doesn't really look that big when it's compared to other recent breaches. Here's a graph that I created with IBM's Many Eyes data visualization tool. It shows the relative size of recent data breaches (from the Open Security Foundation's data breach database), with a single breach of 5 million records highlighted. 

[Figure: Breach5m]

This seems to tell us that a breach that exposes 5 million records really isn't very notable.

If a breach that exposes 5 million records really isn't that notable, that's a sure sign that we're losing way too much data.

Data breaches that expose 1 million or more records aren't really that rare. There have been over 50 of these since 2006, or almost one per month. And if you look at how much data has been exposed by data breaches, 1 million records doesn't really look like that many. Here's a graph that shows this. The single highlighted breach exposed 1 million records.

 

Excerpted from recent posts about data breaches by Luther Martin

Wednesday, 25 May 2011

What could Silicon Valley become?

I just read Chief Executive magazine's annual Best/Worst States for Business survey and learned that for the seventh year in a row, California placed dead last - 50 out of 50. You can find details on the rankings of the states here.

Silicon Valley has managed to create lots of game-changing innovations over the past few decades. What sort of innovations have we missed out on because it's become more difficult to do business in the Valley since the dot-com boom?

Thursday, 30 September 2010

Crypto Wars 2.0?

According to the New York Times, the US Congress is considering a law that will require making it easier for law enforcement to decrypt encrypted communications. Here's what the NYT claims are likely provisions of this law:

  • Communications services that encrypt messages must have a way to unscramble them.
  • Foreign-based providers that do business inside the United States must install a domestic office capable of performing intercepts.
  • Developers of software that enables peer-to-peer communication must redesign their service to allow interception.

I certainly hope that the US government learned a thing or two from when they tried to mandate key escrow back in the '90s. If they didn't, this could easily escalate into Crypto Wars 2.0, which wouldn't really benefit anyone.

Wednesday, 15 September 2010

The effects of e-books

It took the US Postal Service quite a while to admit that email was affecting their First Class Mail business. It looks like publishers are admitting that e-books are affecting their business much faster.

If you walk into any of the big bookstores these days you'll see a fair number of horror books, but that won't be the case for long. The Leisure Books imprint of Dorchester Publishing, the only line of horror books from a US publisher, is officially moving to an e-book model. They'll no longer be publishing mass-market paperbacks. That particular niche of the publishing market is essentially gone and it's unlikely to return any time soon.

It's hard enough to make a living by being a fiction writer. It looks like it's going to get even harder in the future.

Thursday, 27 May 2010

PCI tokenization guidance could benefit payment processors

Interesting news article by industry reporter Rob Westervelt, who has been following business and technology trends in the payments sector:

PCI tokenization guidance could benefit payment processors
By Robert Westervelt, News Editor
27 May 2010 | SearchSecurity.com
