Hey folks... The last day of the year begins with an early roundup of some interesting bits from around the internets:

• If you think you're safer using your credit card at a restaurant than over the Internet, you're very, very wrong. You need to read this one.
• How exactly does 14,800 pounds of ground beef go missing? (Brings new meaning to "Where's the beef?")
• Maybe the DHS should stop oppressing the average folks and take a look inward instead.

When NPR decides to delve into the murky waters of security and technology, professionals should probably take some notice:

• Marketplace reported (wait a bit for the audio associated with that blurb to be posted) on the increased dangers of identity theft predicted for 2008.
• NPR's Morning Edition also covered identify theft and gave a brief nod to Netscape Navigator's demise.
• At the peak, Amazon was selling 17 Wii's per second this Christmas. That's quite a bit of Wii.

It's a gorgeous day out here and the posts may be few and far between for the rest of the day. Mary & I will be taking some time alone at Monsoon tonight and I'll be sure to post some comments on the cuisine.

One last note is that EVE Online looks amazing on a 46" Sony Bravia LCD HDTV. Booted Windows XP on the MacBook Pro and hooked it up with a DVI-to-HDMI cable, piped the stereo out to the receiver and worked the controls with Apple's Bluetooth keyboard (old school) and a Logitech wireless mouse. The Trinity expansion with the enhanced graphics make it look like you're watching a movie. Great fun!

Happy new year everyone!

My review of the Shure MPA-3C headset adapter is up on TAB.

A teaser for you:

One of the issues I’ve had with with Apple’s iPods is the inclusion of those annoying ear-bud headphones. From sound quality to comfort, they are without a doubt the worst part of the package. When Apple released the iPhone they did manage to enhance the wretched, white audible tether with a decent microphone and control mechanism that wound up being useless to folks like me who cannot use the earbuds. It drove some to hardware hacks (YouTube link warning) and others, like Shure to the design room and manufacturing line.

It's been a tough day so far, and I'm still recovering from the MacBook Pro open heart surgery (new 320GB HD + Leopard install + BootCamp/WindowsXP/EVE Online Trinity Premium Content install last night), but here are some odds-and-ends from this morning:

• The Kindle is cooler than I thought (but Amazon is as lame as I expected)
• These two discs are not even gold plated and they still cost $500,000,000.00USD
• It's the end of the world as we know it [for Netscape Navigator]
• Warner music just decimated Zune, Rhapsody, Napster, et al (the subscription model was never all that intelligent to begin with so these folks deserve to have their business model crushed)
• I hear they killed Kennedy and Lincoln, too

Finally, is anyone else thinking that Google may have to re-issue their 2007 Zeitgeist in light of the Bhutto assassination?

The Citizen of Laconia reports that a new law -- HB227/RSA359 -- goes into effect on January 1, 2008 which will help victims of identity theft seek monetary relief from the criminal offender. From the paper:

"in addition to any other remedies provided by law, a victim may bring an action in his or her county of residence or any county which any part of the act took place, regardless of whether the person who committed the violation was ever actually present in that county, against the person who violated this chapter."

This new statute also allows victims to recoup either $5,000 per incident of identity theft or three times the actual damages. The remedy that is allowed to be sought depends on whichever is greater.

There is also a provision to allow for the reimbursement of attorneys fees and court costs.

Prior to this law, New Hampshire citizens had no local, legal recourse for seeking damages/justice when falling prey to this potentially very devastating crime.

While many categorize identity theft as a computer-related offense, it is much easier for a thief to resort to more pedestrian tactics, such as stealing postal mail. Even if you never do anything online, you should still keep a close eye on your financial statements to ensure there are no inconsistencies.

You can find out more information on identify theft at 101-IdentityTheft.com.

Marketplace aired a story that was reported by the Boston Globe on the prevalence of cheating in certification exams.

To get anywhere in the IT security field, you pretty much have to earn your CISSP certification from the ISC. Given the abuse of certifications back in the days when Novell was king and MCSEs were even worse than they are now (the engineers who were certified knew nothing while the good ones refused to shell out money for the worthless letters), I had a great deal of trouble justifying getting my CISSP. The CISSP test is horribly written and covers far too much material to be a true gauge of one's abilities, but if you can pass it without cheating, you're either a good test taker or probably have at least a modicum of innate infosec worth.

It is now sad to see that the key site mentioned in the article (I will not link to it) does have CISSP tests for sale, thus reducing this certification to a mere tick mark on a resume checklist. I don't have any answers as to how to fix the system, but relying on the veracity of the grouping of letters after the name of a candidate is now a sketchy prospect at best. It's going to definitely increase the amount of time I spend when interviewing prospects and I will be thinking twice before I bother to waste any capital on further certifications.

If you don't think this is important to you, read the article or listen to the story. That person up on the tall building right next to your office operating that huge crane may be one of the many workers who took the cheater's way out and is really not qualified to be doing what he/she is doing.

There's a great, somewhat-new tool on the internets for you avid readers out there: LibraryThing. While on the surface it appears to be just another place to catalog your libary, LibraryThing adopts the social-network principles of sites like Facebook and gives you the tools to connect with readers that have similar interests, share reviews and ratings and find new reading material. It's free if you only want to catalog 100 books and is reasonably priced at $25 for a lifetime membership with limitless catalog entries.

You can search for books to enter from within the site (it scans Amazon, the Library of Congress and almost 200 other sources for you), enter tags/keywords, link to authors and find others who have read what you have. If you're interested in reading a new book you can search the reviews of others who have already read it or poke around what others are currently reading to get some ideas on what you might like to read. The site has hooks for other social networking sites (though it's not fully baked yet) and has provided a mechanism for your local bookstore to get in on the action as well.

The site also provides RSS feeds, blog widgets and sports an API of its own, so take advantage of the holiday down-time, enter your catalog and get busy building your own mashups!

I haven't seen any episodes yet, but Court TV's seems to be tapping information security geeks with their new show Tiger Team. From the site:

This vérité action series follows Tiger Team – a group of elite professionals hired to infiltrate major business and corporate interests with the objective of exposing weaknesses in the world’s most sophisticated security systems, defeating criminals at their own game. Tiger Team is comprised of Security Audit Specialists Chris Nickerson, Luke McOmie and Ryan Jones who employ a variety of covert techniques – electronic, psychological and tactical - as they take on a new assignment in each episode.

I find it interesting that they are so afraid of the "reality TV" moniker that they've resorted to using French. I'll reserve judgement until I've actually seen an episode but my Spider-sense is already warning me on this one.

If you're one of the few who managed to get a new Wii for Christmas (we got ours back in late September), this thread is a good one to bookmark and go back to on occasion. The replies are just coming in, but there are some good suggestions for getting even more enjoyment than beating the pants off your kids in Wii bowling *:^)

Not to be counted among the slackers, ActiveState busts out the Christmas presents early with a discount on their pro bundles and a 5.10 Perl release for all the major platforms.

Well done and good news for those that need a supported version of the best scripting language out there (sorry Python, PHP & Lua, Perl still rocks).

Well, we're back.

RDN Corp (RDNI) in EVE has re-established a corp HQ and we're once again hunting rats, mining 'roids and system-hopping in the largest virtual gaming universe there is.

If you already play EVE, be sure to say "Ho!" to us in-game. If you don't play, go see what you're missing!

We're mostly back due to the Mac OS X client (it's not perfect yet, tho). Linux users can also now enjoy the game since the same tech enables compatibility with that OS as well, so there's no excuse not to give it a try!

The first release from Cinematic Titanic (most of the crew from MST3K) - The Oozing Skull - is out tonight @ midnight (EST). Catch trailer and head on over to the main site to order. It looks deliciously horrible!

If Huckabee was sincere in his desire to spread Christianity via the presidency, he would have used real, Christian candy canes instead of these pagan ones on his campaign Christmas pamphlets. (Note the lack of just three small, red stripes)

If a candidate is going to shill his faith to get the votes he/she needs to get it right completely. This just proves how insincere he and his followers really are.

Full disclosure: I'm a Christian who wants a moral, sane, intelligent person in the White House (haven't had one of those since 1^st term - and only the 1^st term - Reagan). I do not care what the personal religion of a candidate might be since I certainly do not want them using the way they interpret the principles of their faith as their sole means of governing.

The odds are good that we will have a Muslim or outspoken atheist (that's a religion even though they won't admit it) as president some day. Just taking what we've seen as to how seriously bad the Koran can be interpreted by followers, there's no way I want to set a precedent now.

(Photo brought to you by Yahoo! News/Reuters)

The House introduced H.R. 4791 this week (these things have a way of cascading into the private sector, so it's good to watch what they're up to). Some "highlights" include:

• expands the definition of PII
• formalizes data breach/loss reporting requirements
• mandates encryption and/or obfuscation of records containing PII data
• requires keeping an accurate & current list of systems with PII data at rest or in transit
• outlines notification requirements
• forces protection on mobile devices
• ensures remediation plans are followed when gaps are identified
• *requires a yearly PII audit*
• extends the requirements to contractors that host or process PII data for the govt
• establishes many, many rules with data brokers

If made into a law and applied to private companies, this could generate a slew of additional work for anyone who isn't already doing all they can to protect our personal information.

From their site:

Intel IT developed a model for measuring Return on Security Investment (ROSI) in our manufacturing environments that produces a much higher level of accuracy than other methods currently available. Our model has enabled us to make business-driven decisions about security programs, resulting in savings in excess of USD 18 million per year in avoided losses.

Key points:

• Use real, historical data to feed the predictive model
• Know what you are protecting, including the inherent value (impact & loss) - good 'ol ALE¹ (that no one seems to use outside of the CISSP exam)
• Make sure to reset baselines for the next trending cycle!
• Report both number of incidents and days between incidents
• Start small, targeting environments with the greatest potential benefit

Download [PDF] via IT@ Intel blog

F-Secure is accepting volunteers for two new technology preview programs:

• The F-Secure Health Check Technology Preview (Health Check lets you evaluate the security status of your computer, letting you know if you are safe or not, and help you fix security issues, if any.)
  
  
• F-Secure Internet Security Technology Preview [IISTP] (that provides you with a preview of the upcoming features of F-Secure's consumer products)

It looks to be a good opportunity to get a sneak peek of upcoming client security tools and and potentially influence the development of the products.