I've received queries from friends and colleagues expressing surprise that I have not written more about the OPM data breach.
I have, in my career, been on the receiving end of situations similar to this. When you are in the middle of such a situation, it is REMARKABLY UNHELPFUL to have people who do not have full visibility into the situation (like me) conduct premature post-mortems based on incomplete data.
I also know that the people on the front lines of this will not be breathlessly feted as heroes who have "parachuted in" to effect a rescue.
They are the anonymous bricklayers who work in the basement to drain the septic tank of past choices and neglect, before laying the brick and mortar to repair this and prevent future breaches.
As such, I have no desire to distract them while they are doing a critical, but thankless job.
So yeah, right now I can add no value, so I am simply going to keep quiet.
A technical description of the EINSTEIN and Continuous Diagnostics and Mitigation (CDM) programs, and what they are designed to do
Breaches of this magnitude expose fault lines in "... how we define [privacy] harm and the types of remediation available to individuals"
Stakeholders bearing gifts
Knowledgeable, insightful, and constructive feedback from users and stakeholders is a precious gift that should never be squandered!
And that is the category into which I would put the recent paper (PDF) that analyzes the Connect.gov (FCCX) and GOV.UK Verify Hub infrastructures.
The privacy and security of FCCX [Connect.gov] and GOV.UK Verify rely on a fully honest and uncompromisable hub. In contrast, we argue that a good solution should be resilient even when the hub is curious (about what it sees) and/or malicious (about the actions it takes).
A good protocol should also be resilient against malicious collusion, e.g., between RPs, or between RP(s) and the hub. However, to satisfy forensic requirements, certain special cases of collusions (e.g., hub+IDP, or hub+IDP+RP) may be legitimately allowed to reverse certain privacy properties, e.g., unlinkability, under very well-defined circumstances such as a specific court order targeting a given individual.
Toward mending two nation scale brokered identity systems
I very much agree that the paper contributes to the "... developing pool of knowledge and ideas about digital identity assurance".
cyberforge: random and relevant
IETF Officially Deprecates SSLv3 (RFC 7568). “SSLv3 MUST NOT be used. Negotiation of SSLv3 from any version of TLS MUST NOT be permitted. Any version of TLS is more secure than SSLv3, though the highest version available is preferable.”
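The "MUST NOT be permitted" requirement is something you can check on your own endpoints rather than take on faith. The probe below is an added example written for this post, not code from the IETF or from the RFC: it hand-builds an SSLv3 ClientHello (record and handshake version 3.0), sends it, and classifies the server's first record. A ServerHello that echoes version 3.0 means the server still negotiates SSLv3; an alert (handshake_failure or protocol_version) or a closed connection means it refuses. The cipher suite list and the `probe` host/port parameters are my own choices; `classify_response` runs offline against constructed records.

```python
"""Probe a TLS endpoint for SSLv3 negotiation (added example; constructed test records below)."""
import os
import socket
import struct

SSLV3 = b"\x03\x00"
# A few suites an SSLv3-era stack would accept: AES128-SHA, DES-CBC3-SHA, RC4-SHA.
SUITES = b"\x00\x2f\x00\x0a\x00\x05"


def sslv3_client_hello():
    """Minimal SSLv3 ClientHello: version 3.0, empty session id, null compression."""
    body = (SSLV3 + os.urandom(32) + b"\x00"
            + struct.pack(">H", len(SUITES)) + SUITES
            + b"\x01\x00")                                    # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16" + SSLV3 + struct.pack(">H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server sends back after an SSLv3 ClientHello.

    Returns 'sslv3-negotiated', 'refused' or 'other'.
    """
    if not data:
        return "refused"            # server closed the connection without answering
    if len(data) < 5:
        return "other"
    ctype = data[0]
    rec_len = struct.unpack(">H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if ctype == 0x15 and len(payload) >= 2:
        # Alert record: level, description (40 = handshake_failure, 70 = protocol_version)
        return "refused"
    if ctype == 0x16 and len(payload) >= 6 and payload[0] == 0x02:
        # ServerHello: type(1) length(3) version(2) ...; version 3.0 means SSLv3 was agreed
        return "sslv3-negotiated" if payload[4:6] == SSLV3 else "other"
    return "other"


def probe(host, port=443, timeout=5):
    """Connect, send the SSLv3 ClientHello and classify the reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(sslv3_client_hello())
        try:
            return classify_response(sock.recv(4096))
        except (ConnectionResetError, socket.timeout):
            return "refused"
```

A compliant server returns "refused" for every host you own; "sslv3-negotiated" is a finding. The probe sends no SNI, so a virtual-hosting front end answers with its default certificate, which does not affect the version it negotiates.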
NIST has removed the Dual_EC_DRBG from its list of recommended algorithms for generating random numbers (SP 800-90A Revision 1). "This algorithm has spawned controversy because of concerns that it might contain a weakness that attackers could exploit to predict the outcome of random number generation"
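The "weakness" is specific: Dual_EC_DRBG publishes two curve points, P and Q, and anyone who knows a scalar e with P = e·Q can take one truncated output block, recover the point r·Q behind it, multiply by e to get r·P, and read off the generator's next internal state. The following is an added example written for this post, not NIST's code or constants: it runs the algorithm on a constructed toy curve (p = 10007, y² = x³ + 3x + 7, trapdoor e = 4660, three truncated bits standing in for the real 16) so the whole attack, as described publicly by Shumow and Ferguson, finishes in milliseconds. Everything about the curve and the seed is an assumption chosen for illustration; the structure of the generator and of the attack is the real one.

```python
"""Toy Dual_EC_DRBG with the P/Q trapdoor (constructed parameters, not NIST's P-256 constants)."""
PRIME = 10007          # prime with PRIME % 4 == 3, so a modular square root is one exponentiation
A, B = 3, 7            # curve y^2 = x^3 + A*x + B over GF(PRIME); 4A^3 + 27B^2 != 0 mod PRIME
INF = None             # the point at infinity


def inv(v):
    return pow(v, PRIME - 2, PRIME)


def add(pt1, pt2):
    """Affine point addition (handles doubling and the point at infinity)."""
    if pt1 is INF:
        return pt2
    if pt2 is INF:
        return pt1
    x1, y1 = pt1
    x2, y2 = pt2
    if x1 == x2 and (y1 + y2) % PRIME == 0:
        return INF
    if x1 == x2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % PRIME
    else:
        lam = (y2 - y1) * inv((x2 - x1) % PRIME) % PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    return (x3, (lam * (x1 - x3) - y1) % PRIME)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def lift_x(x):
    """Return a point with this x-coordinate, or None if x^3 + Ax + B is a non-residue."""
    rhs = (x * x * x + A * x + B) % PRIME
    y = pow(rhs, (PRIME + 1) // 4, PRIME)
    return (x, y) if y * y % PRIME == rhs else None


def x_of(pt):
    if pt is INF:
        raise ValueError("hit the point at infinity; choose another seed")
    return pt[0]


Q = next(pt for pt in map(lift_x, range(1, PRIME)) if pt)   # public point Q
e = 4660                        # the trapdoor scalar, known only to whoever generated P (assumed value)
P = mul(e, Q)                   # public point P; the relation P = e*Q is invisible to users

BITS, DROP = PRIME.bit_length(), 3      # toy analogue of emitting 240 of the 256 bits of x(rQ)
MASK = (1 << (BITS - DROP)) - 1


def drbg_step(s):
    """One Dual_EC_DRBG step: returns (next state, truncated output block)."""
    r = x_of(mul(s, P))
    return x_of(mul(r, P)), x_of(mul(r, Q)) & MASK


def drbg_outputs(seed, n):
    outs, s = [], seed
    for _ in range(n):
        s, out = drbg_step(s)
        outs.append(out)
    return outs


def recover_states(out):
    """Every internal state consistent with one truncated output, computed with the trapdoor e."""
    states = set()
    for top in range(1 << DROP):            # brute-force the dropped high bits of x(rQ)
        x = (top << (BITS - DROP)) | out
        if x >= PRIME:
            continue
        c = lift_x(x)                       # candidate for r*Q; the sign of y does not matter
        if c is None:
            continue
        rp = mul(e, c)                      # e*(r*Q) = r*(e*Q) = r*P, whose x is the next state
        if rp is not INF:
            states.add(rp[0])
    return states


def predict_next(observed):
    """From a few consecutive outputs, return the set of predictions for the one that follows."""
    preds = set()
    for s in recover_states(observed[0]):
        try:
            run = drbg_outputs(s, len(observed))
        except ValueError:
            continue
        if run[:-1] == observed[1:]:        # keep only candidates that reproduce the rest
            preds.add(run[-1])
    return preds
```

With the real parameters the attacker brute-forces 2^16 candidates for the 16 dropped bits and confirms the right one with a second output block, exactly as `predict_next` does here; without e, the same output reveals nothing, because recovering r·P from r·Q is the elliptic-curve discrete logarithm problem. That asymmetry, not any flaw in the curve itself, is why an algorithm whose constants nobody could verify had to go.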
The Secure ID Coalition, "an affiliation of companies providing digital security solutions for identification documents, including contactless smart cards", released a ranking of U.S. states based on their identity efforts and policies. Full report in PDF format here.
Amazon is making NOAA's Next Generation Weather Radar (NEXRAD) data freely available. NEXRAD is a network of 160 high-resolution Doppler radar sites throughout the United States and select overseas locations that detects precipitation and atmospheric movement and disseminates it at 5-minute intervals.