MaS is about computer security, malware and spam issues in general.

2007/12/24


In the BBC article "Assurances over US biometric data", "Mr [Thomas] Bush told the BBC that innocent people would have nothing to fear from the database". Yeah, and I have a bridge to sell you too! How can they say that with a straight face after all the recent corporate and governmental data losses?
I don't want to say that it is easy to implement security that prevents the misuse of such data; it can be done to a degree, but I doubt that it is happening.
So, we are going to risk our data on a pretty dubious undertaking. Sigh.

2007/12/19

Master Data Management


I used to secretly make fun of the problems large companies have in keeping their data under control. They would have these databases full of customer data - all of unknown and at best dubious quality. Surely, these large companies would have their master data management under control.
I guess this is where we in research just assume things that are simply not true in reality. I got involved with Data Quality issues as part of my study of Data Centric Security, which led us in the direction of Master Data Management. If you can't trust the quality of your data, then Data Centric Security is of limited use, so Master Data Management became important to us, and not only for that reason.
The whole thing hit home with me when I was compiling my xmas card list. My own very limited address book is a total mess. Why? For the same reasons that large databases become a mess over time: I've been merging data in from various sources and synchronizing with my Nokia E61i, which gets updated in the field. Each source has its own semantics (and syntax, too!), which means that the brute-force, just-shovel-it-all-in-there method just makes a mess of it. So, now I have my own Master Data Management problem to deal with. I guess I should apply the DCS principles to this problem...

2007/11/28

Spam like a pirate


Ok, usually I don't read my spam, but this caught my eye:

Subject: in waiting

Ooh u, bonny varmint. ya do have eyes for a gratis French stuff, I know it. But damn, who do not. Visit me and ball off on my pictures, my dear.

and then the web site, with the dots replaced by spaces to foil spam filters, and some very unusual junk words. I'm not sure how it got through the filters (and I'm not really that concerned). But, at least it was kind of poetic.

[Picture credits: http://flickr.com/photos/earlg/ used under the creative commons license]

2007/11/27

Going shopping with someone else's fingerprint


From Germany, Heise reports on an experiment that the German TV station ARD did with the Chaos Computer Club to see if someone could use another person's fingerprints to go shopping in the Edeka supermarket chain, which has implemented payment by fingerprint ID. Next time I'm over in Germany I'll have to look at the setup, but it sounds like they are using the fingerprint for both identification and authentication. With this sort of setup, even using the fingerprint just for authentication would be a mistake, but using it for identification as well would be criminal if that is the case. Fingerprints are at best indicative of an individual, and this fact has been put to good (and usually correct) use in criminal investigations where other evidence already exists to narrow down the suspects. However, a lot of the recent applications are trying to misuse fingerprints for identification, and that is a big mistake born of a lack of understanding of the technology.
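The difference between the two uses is easiest to see in numbers. The example below is added here and is not from the Heise report or the Edeka system; it assumes a per-comparison false match rate (FMR) and an enrollment size that are illustrative, not measured values. In verification mode (customer presents a card or number, finger confirms it) an impostor gets one comparison; in identification mode (finger alone, searched against every enrolled template) an impostor gets one chance per enrollee, so the false-accept probability grows with the size of the database.

```python
import math


def verification_false_accept(fmr: float) -> float:
    """1:1 mode: the impostor is compared against exactly one claimed template."""
    return fmr


def identification_false_accept(fmr: float, enrolled: int) -> float:
    """1:N mode: the impostor is accepted if ANY of the enrolled templates matches.

    Assumes independent comparisons, so P(no match at all) = (1 - fmr)^N.
    """
    return 1.0 - (1.0 - fmr) ** enrolled


def enrollees_for_risk(fmr: float, target: float) -> int:
    """Smallest enrollment size at which 1:N false-accept probability reaches `target`.

    Solves 1 - (1 - fmr)^N >= target for N.
    """
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - fmr))


def risk_table(fmr: float, sizes: list[int]) -> list[tuple[int, float, float]]:
    """Rows of (enrolled, 1:1 false accept, 1:N false accept) for the given sizes."""
    return [(n, verification_false_accept(fmr), identification_false_accept(fmr, n)) for n in sizes]


if __name__ == "__main__":
    # Illustrative FMR of 1 in 10,000 (constructed, not a vendor figure).
    FMR = 1e-4
    for n, p11, p1n in risk_table(FMR, [1, 100, 1_000, 10_000, 100_000]):
        print(f"enrolled={n:>7}  verification={p11:.6f}  identification={p1n:.4f}")
    print("enrollees until a stranger's finger has a 50% chance of paying as someone:",
          enrollees_for_risk(FMR, 0.5))
```

At a realistic supermarket enrollment the identification column approaches certainty, which is the quantitative version of "fingerprints are at best indicative of an individual".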

Security software quality and a more complete solution

This article is mainly critical about the quality of existing security software, which may or may not be justified. People have a higher expectation of quality when it comes to security software and there have been a number of incidents recently that have been very disillusioning. OTOH, at least AV software tends to mutate fairly rapidly compared with regular software and that reduces the usable attack surface somewhat.

More relevant to me is that the concept of these pieces of security software being isolated solutions is becoming problematic. While I can't see any meaningful movement in this direction, I do believe that security software will have to become an ecology: each component piece will have to work with the other pieces in a concerted way to defend the network in a far more autonomous fashion than is currently the case.