Monthly Archive

This is the archive of the blog! Feel free to browse around!

The trouble of one

A while back (September) we had elections in Norway. The elections were local municipality elections.

As part of the pre-election marketing mix in my local community, a couple of the parties (we do have a few here) went door-to-door and talked to the inhabitants. A great service, and a possibility for us normal people to discuss local and national politics with the politicians who pull the strings.

One of the parties that knocked on my door invited me, my family, and our international business guest to a promotional event where they would serve a special Norwegian dish in a dramatic cultural location. The mix of the culture and their political agenda was very inviting, and when, upon my direct question, I was told that our international guest would also be welcome, we changed our plan for the weekend and decided to go.

Upon arrival, we decided to stay on the outskirts of the speech area so I could translate and explain to my guest. And after the program, we were welcomed and told to go grab a bite - of a dish called sour cream porridge - a special Norwegian feast dish, traditionally served at weddings and other feasts.

We lined up, and as it happened we were early in the line - number 5 or 6. When it was our turn to get our servings, the clerk told us briskly (in the tone of voice old teachers use on 10-year-old bad boys) that

"You have to walk out of the line and wait until all the others have been served!"

I was surprised, and told her that we were here by invitation, and that we should be treated like any one of the other guests. To no avail. She could not be reasoned with.

We obeyed, disappointed and with a growing anger (I was pretty hungry, I have to admit, and I just love the sour cream porridge). We decided that we'd better leave the event since they obviously did not want us there. 

----------- 

And therein lies the lesson to learn.

No matter what you try to achieve - seducing voters, selling hot-dogs, or any other services where you have people representing you, your message and your products/services - it only takes one person, one single error to turn a great message into the opposite.

In this particular case, it was based upon a mistake. The clerk took me and my guest to be tourists, and not voters (I was, my guest was not). Thus, she decided that we were to be served after all potential voters.

This even though the event was advertised in local media. The municipality is small, but not so small that she would know all the inhabitants.

The party did have their internal discussions on this event (actually, they still ask my wife if I am still angry). They recognize the error, and do all they can to fix it.

What can you do to avoid this? 

The first thing you do is to recognize the potential price to pay if such a thing happens. Particularly in a small place, one person actually can make a lot of noise. Also keep in mind that the one person you do treat badly might be a journalist, or a potential large client - it is not certain that it is "just a tourist".

Then you need to prepare your staff - service, service, service. Treat people nicely, and remember your role. If you represent a brand, or a service level - keep with it no matter what you think of it personally. And as a manager, you need to train your staff accordingly.

When (not if) disaster strikes - get on it right away - solve it. Start at the source, and find out what went wrong. Try to help the client/voter to recognize that this behavior is not part of your brand - it was all an error. Most people will be reasoned with - at least if you let them cool down first. 

As for your source of error - the clerk - make sure that the story is turned from criticism into a learning experience. We all make errors, and unless they are made on purpose - let your staff learn from their mistakes. Forgive, retrain and use the story as a learning story for new people coming on board.

Also keep the person's (the clerk's) feelings in mind. People do have feelings, and even though they may not show that they take the episode hard - they might. You do not want to lose a great resource, so you should spend some time and effort to make sure the person can turn the negative reaction into a positive learning experience.

Doing so helps strengthen your brand, and it shows your organization that it is OK to make mistakes as long as you are learning from them.

 

Security on letterhead

Bruce Schneier has a very nice post today which explains one of the challenges of the ever increasing speed of adopting new technology. 

This is a real challenge - behavior is one of the hardest things to change.

 

Comment spamming

I am not alone - now Rob Newby gets hammered down with comment spam too. 

Security Profile: Richard Bejtlich

It is impossible to be interested in information security without noticing Richard Bejtlich. He is a successful blogger, author of two books, and co-author of a third. Many have also had the chance to have Richard as a trainer and teacher. And even more have him as an inspiration.

Richard is the Director of Incident Response for General Electric. Before he joined GE, he ran TaoSecurity LLC – an information security consultancy based in the US. His CV includes many other interesting and impressive employers too.

 

Richard has a background as military intelligence officer, but that is not where he got his interest in information security. It was merely a natural extension. You see, Richard got a Timex Sinclair (ZX80) when he was 8 years old. This sounds like some other people I know. And Richard used BASIC to create Boba Fett. Graphically, of course. And some of us understand that achievement just too well!

So what happened if you were lucky enough to have Boba Fett show up on your screen? Boba would ask you a question (written). “Do you want to see me wave?” You could say yes or no. To Boba it made no difference – he would wave anyway. The reason?

R: “I didn't spend all day rendering that character to not have him wave!”

The ZX was replaced by a Commodore 64, and Richard discovered what a wonderful tool they were to create and edit papers. After his Harvard graduation and his US Air Force intelligence service, he set out to defend enterprises and teach his peers to do the same.

Richard Bejtlich is a very analytic guy. He does not mind telling you what he believes is the truth. When I ask him about the impact IS has on business, Richard says:

R: "I don't think information security has any real impact on business. On the contrary, business has much more of an impact on information security. No IS department exists to serve its own ends. If it does, it won't last long.

Businesses exist to make money; other organizations exist to meet whatever their goal is. No one exists to "be secure" (which isn't possible, anyway). As a result the history of IS is littered with decisions by business leaders that weakened security in favor of revenue or simply convenience. Nothing changes until a severe, visible, financial- or life-damaging incident occurs."

This is almost like hearing myself speak, Richard. Perhaps I have spent too much time on your blog…

One of the things that amazes me with Richard Bejtlich is his attention to details. You see it in his blog, you see it in his comments. You see it in his books.

R: “In my first book I defined risk as the probability of suffering harm or loss. I defined security as the process of maintaining an acceptable level of perceived risk.

Digital security applies that concept to information resources, where threats exploit vulnerabilities in assets to violate confidentiality, integrity, or availability via disclosure, alteration, or denial.“

What should a security professional do to improve security?

R: “The role of the security professional is

1) to make it more difficult for information users and resources to expose themselves to attackers (paraphrasing Nitesh Dhanjani),

2) to increase the amount of time it takes for the threat to accomplish his objective, and

3) to detect and respond as efficiently and effectively as possible when intrusions happen.”

Richard, I have asked all the Security Profiles to comment on the largest challenges in 2007. What are your thoughts on the threats?

R: “The biggest challenge facing all organizations is visibility. A few months ago I wrote a blog post pleading for the creation of Enterprise Visibility Architects.

It's fashionable to talk about "building security in." I say we should "build visibility in" because "security" will never be achieved. It would be an incredible first step to simply know when we are being compromised, because it's going to happen no matter what preventative measures we take."

Thank you kindly, Richard!

To catch up on Richard, visit his blog!

He is the author of the following books:

The Tao of Network Security

Extrusion Detection

And co-author of Real Digital Forensics

JCI Norway National Congress well done!

The observant reader of my blog has noticed that I am a member of the worldwide organization for young leaders and entrepreneurs - JCI.

This weekend, JCI Norway had its National Congress, an event my local chapter JCI Innovation hosted this year. My hats included getting sponsors and marketing, as well as making sure everything went smoothly during the actual event - I was the slave master!

The reason I post this on my security blog is to pinpoint that things do go wrong - and when that happens, you find solutions.

Saturday morning, our program said that Harald Kippenes, a mountain climber and adventurer would tell us how to get up after a crisis - how to motivate yourself to keep walking. 

Friday afternoon, our project group got a phone call from Harald, where he said:

"Hi, yesterday, I fell off a cliff, and broke both my legs. I am currently at the hospital."

We immediately thought we would have to cancel his appearance - you know the feeling - blood turns cold, sweat appears on your forehead.

"But I would love to do the presentation anyway - do you guys know if we can set up a video conference session instead?" 

A long story short - Tandberg, the Hospital, the hotel and the ISP Ice turned the world upside down, and during Friday evening, they made it possible. Working late and long hours, for a project they had no economic interest in. 

They accepted a challenge, they made it possible, and they proved that technology and priority make things happen.

From a security point of view, this story shows that even when you think all is lost, and you have to give in - creativity, a network and a stayer attitude make it possible to achieve your goals - even though the solutions you end up with are not the same as you planned!

So the next time you want to give in, be creative, and open minded. Solutions are all around - and everything is possible.  

Can you share a similar experience?  

Experience report – teaching at the Norwegian School of Management BI

I promised you a report from my guest lecture at the Norwegian School of Management BI.

First, thank you to all of you who gave me ideas and input for the workshop! Invaluable! And I owe a great deal of the success to you! You all know who you are!

 

On to the report then.

 

I was given the opportunity to host a guest lecture for the third year bachelor students at the Norwegian school of management BI. The study is a bachelor in IT management – i.e. these students are going to be the next generation CIO's, IT-managers and IT-directors out there.

 

Some of you might scream:

 

“Oah – what the hang glider – white-collars to be the IT-managers??? What about the nerdy-ness required? What about their technical knowhow? Do they even know how to configure a firewall?”

 

First of all – the CIO, the IT-director and the IT-manager – those are managerial jobs. Those are there to handle the business side of ICT. Those are there to execute the business strategy of ICT. The sooner you realize that, the better.

Secondly – the study is very interesting indeed. Agreed, they do not delve deeply into firewall administration – but they do dig into technology and ICT, and the students are genuinely interested in the geeky side of things.

Thirdly – they bring business understanding and value to the table. They have been taught budgeting, reporting and economic analysis. They understand the relation between business goals, and the relevance those have to ICT.

 

So IMO, this study is very important and relevant. It provides the market with IT-managers with a sound combination of business understanding AND ICT-interest. These boys and girls can set up a network, while discussing implementation of business strategy with the CEO.

 

Now that is out of the hat, and I can move on :)

 

I got approval from Renny – the lecturer of the class – to run my guest lecture as a workshop. The purpose was simple – to actually have the students working instead of just listening or surfing.

 

I based the workshop upon the TJX case. I took some of the facts, without telling them that this was a true case of course. The facts I gave them included the size and time frame of the breach, and then I asked them to discuss the possibility of this being true or not.

 

As expected, discussion was on.

 

I then added some more details, and they were to role-play being the company, and decide what they should have done to prevent this from happening. They had to incorporate some theory that they were supposed to have studied too. This exercise was in groups of 4, and they spent some time finding the answers. A healthy discussion and plenum summary followed. Many great ideas, and they realized the complexity of such a case.

 

Their last task was given to them after I told the truth, and some more details. The task was to be the upper management, in the days after the breach was publicly known. They would have to decide what to do now – and the focus is of course to make the best business possible.

 

Taking into consideration that they were students, with little or no knowledge of running such huge operations as TJX's, they did very well indeed. Most importantly, I think they learned that business is about making a profit, while reducing risks.

 

According to the feedback after the session, the students enjoyed the workshop.

 

I know I loved the opportunity, and had great fun.

Technology havoc

Ever considered security to incorporate application uptime? Or do you just consider any downtime of your applications as a break for you? Time for your cup of coffee?

 When you consider enterprise wide application like banking applications, CRM, ERP, or look at controlling applications for your SCADA or CNC machine, it is easy to spot the cost and risk. But what about other applications - perhaps only used occasionally? Or by a small group of users only?

If you only use your computer to write letters and check your email, you experience this when you do not find letters you wrote earlier, and when you are not able to check your email. Usually, you just call IT support and give it no more thought. Perhaps you should give it some thought next time it happens?

Just take the time spent (10 minutes perhaps?), multiply by the times it happens each year (12 - once a month?), and adjust for the hourly cost (insert relevant number here). For you - the result is 2 × the relevant number above (10 × 12 = 120 minutes, divided by 60 minutes per hour = 2 hours).

Obviously, you need to adjust all the numbers above.

Then, you take the number you got and multiply by the number of employees in your company. The number that shows up is usually quite stunning.

The reason I bring this topic to your mind is the very fact that I myself experienced a down-time in a service. The service is a Cron-service, running to automatically publish blog posts on my blog (yes, I just blew my cover... - I do plan ahead, and I do prepare some posts perhaps weeks ahead - I do it in order to have at least some posts arriving even when I am traveling).

The cron what? It is a special service running on servers using a *nix OS. The purpose of it is simply to schedule tasks so that a human does not have to do all the tasks the computer can do just as well by itself. Usually, such tasks run and run and run and run. So I tend to forget it being there at all.

So the server itself decided to fall over and die (yes, these things do happen - and usually at the most inconvenient of times too). Luckily, the dying of this particular server did not affect me nor my business. Or so I thought.

It took me one week (yes, yes, yes, I know...) to realize no posts arrived at my blog, and then I needed a few more hours to remember that the Cron job I run to run the update script on my blog was on the particular server that went to Computer Heaven last week.
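The failure described above is the silent kind: the job does not fail loudly, it simply stops happening, and nobody notices until something downstream is missed. A common defence is a dead-man's switch: the scheduled job records every successful run in a marker file, and a separate watcher (on a different machine, or at least run by something other than the dead server) raises an alarm when the marker has gone stale. The Python below is an added example, not code from this blog; the marker file name, the cron schedule in the comment and the timestamps in the demo are all constructed.

```python
"""Dead-man's-switch check for a scheduled (cron) job.

The job touches a marker file at the end of each successful run; an independent
watcher compares the marker's age against the expected schedule and flags the job
as stale when it has gone silent. Marker name, schedule and timestamps are constructed
for this example.
"""
import os
import tempfile
import time

# Constructed crontab entry for the publishing job, with the marker update chained
# after it so the marker only moves when the job itself succeeded:
#   0 6 * * *  /usr/local/bin/publish_posts && /usr/local/bin/record_run /var/tmp/publish-posts.lastrun


def record_run(marker_path, now=None):
    """Last step of the scheduled job: store the run time (epoch seconds) in the marker.

    Writing the timestamp explicitly, rather than relying on the file's mtime, keeps the
    check meaningful if the marker is later copied or synced to the watcher host.
    """
    now = time.time() if now is None else now
    with open(marker_path, "w") as fh:
        fh.write(f"{now:.0f}\n")


def last_run(marker_path):
    """Return the recorded run time, or None when the job has never reported in."""
    try:
        with open(marker_path) as fh:
            return float(fh.read().strip())
    except (FileNotFoundError, ValueError):
        return None


def job_is_stale(marker_path, expected_interval, grace=0.0, now=None):
    """True when no run was recorded within expected_interval + grace seconds.

    A missing or unreadable marker also counts as stale: a job that never ran (or
    whose host died, as in the post) is exactly the silent failure to notice.
    """
    now = time.time() if now is None else now
    seen = last_run(marker_path)
    if seen is None:
        return True
    return (now - seen) > expected_interval + grace


def demo():
    """Walk through the post's scenario with constructed timestamps and a temp marker."""
    day = 24 * 3600
    t0 = 1_200_000_000.0  # constructed epoch time of the last good run
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "publish-posts.lastrun")
        # Before the first run the marker does not exist: treat as stale, not as "fine".
        results["never_ran"] = job_is_stale(marker, day, now=t0)
        record_run(marker, now=t0)
        # Six hours after a run, with one hour of grace on a daily schedule: healthy.
        results["ran_today"] = job_is_stale(marker, day, grace=3600, now=t0 + 6 * 3600)
        # A week of silence (the server died): the watcher should have alarmed by day two.
        results["one_week_silent"] = job_is_stale(marker, day, grace=3600, now=t0 + 7 * day)
    return results


if __name__ == "__main__":
    for name, stale in demo().items():
        print(f"{name}: {'STALE' if stale else 'ok'}")
```

The watcher itself is just `job_is_stale` run from another scheduler; the point of the design is that the check lives somewhere the job's own failure cannot take with it. The grace period absorbs normal schedule jitter so a job that is a few minutes late does not page anyone.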

Thus - today you get the weekend laugh that was supposed to be yours last Friday.

On the upside - I got to write this post :)

The moral is simple - computers are not reliable. Make sure you prepare yourself and your company for downtime. And have a plan to get back up.

As always - feel free to share your experiences :)  

Weekend Laugh - the blackrobe security (Cartoon)

This weekend you can enjoy this cartoon!

 

Ed Stein
Rocky Mountain News
Oct 13, 2007

Security Profile: Arieanna Schweber

This profile is of a lovely lady. And being a professional blogger – making her living out of blogging – she stands out as well. Arieanna Schweber takes care of the Laptop Security blog on behalf of Absolute Software.

I first noticed her when I read some of the stories at her blog. They were to-the-point, relevant and obviously not targeting a very technical audience. This blog did stand out amongst the security bloggers.

Arieanna is a marketing consultant and professional blogger (blogaholics.ca). Her background includes a Bachelor of Business Administration from Simon Fraser University, after which she landed a marketing specialist job. There, she helped start a blog, and from then on – she was caught.

She says:

“After some months, I decided to pursue this area as my career. This was almost three years ago. Right now, I write a number of personal blogs, and also work with a new media network called b5media (b5media.com) where I am an Editor. I decide on strategy in my specific area (Entertainment), hire and train new writers, and work on building community. Currently I manage approximately 60 sites in this way.”

60 blogs. Wow. Fulltime work, no question!

She has become a known resource in the blogging field, giving speeches at conferences and also consulting.

A: “I help companies understand how to leverage blogs for community building, and what specifically to do. In some cases, I will take on a contract to write the blog. “

Arieanna came to blogging about security from a contract perspective. Through this work, she has developed an interest in the topic. This sounds like at least a few security pros I know!

A: “For me, it's about simplification. If I can't understand it, it is not accessible information. I think that this is one of the barriers to effective security policies. “

Oh yes, I see that point. Unfortunately, too many security pros use the complete opposite strategy – obscure, make things hard to understand, confuse. How do you go about it?

A: “So, my aim is always to simplify. To remove language that is unnecessarily technical. To sum things up into bullet points, whenever possible. I want to make the information accessible to anyone, regardless of their backgrounds. It is not just IT Security professionals who need to know about security - people in all ranks of business, government or the education field need resources as well. To understand and make decisions, or to be responsible employees. “

But without a strong IT background, how will you succeed?

A: “I am not an expert in IT. I could never set up security for a company. My experience and my knowledge are not about the technical aspects of password security or encryption technology or anything of the sort. And I think, to most people, this information is not really needed. It is not actionable information. It does not provide an example of what to do, or what not to do, to be secure.

I also try to provide resources that are complementary to security; for example, talking about education technology in general. Providing information on changing technologies and policies that affect educators.

Since Arieanna offers a different view and background, she may offer insights and points of view that we normally do not see in the Security world.

A: “I believe that information security is primarily a simple concept, made more difficult and convoluted than it needs to be. I believe that companies need to understand the threats, identify solutions, set up a simple policy, and enforce training. My key belief is that the security policy is one of the most valuable assets a company can develop. “

We can all fully agree with that. But are policies enough?

A: “Based on the reports of the past several months, it's clear that most data breaches are not caused by hackers or malicious attacks. They are caused by mistakes that could have been avoided. In many cases, data is not protected. Employees are not trained on the importance of protecting data, or how to do so. Data devices are not properly secured. Companies simply are not aware of what data they have, where it is, and who has access to it. This is dangerous, and can all be avoided. “

How can we go about reducing or removing this ignorance?

A: “Unfortunately, what seems to come about is not just complacency, but confusion. Although there are some amazing IT & Security professionals, there are also many grey areas. Governments make mistakes - despite strong security departments & consulting firms. Areas are being overlooked. I think a lack of education is a part of this - but I believe that information is not as accessible as it should be to help companies shore up. “

So knowledge is important. How can we help educate the crowd?

A: “Businesses must be aware of many facets of IS, at all levels. C-levels need to understand its importance, to allocate resources. IT security must keep on top of its data as well as technology. Employees need to understand their role. And shareholders & stakeholders need to feel confident these things are taken care of.

Can we have a bullet point list? :)

A: Sure - companies must be aware of:

· being compliant with data breach / privacy laws

· identifying weaknesses, on an ongoing basis

· finding technical solutions

· universally implementing said solutions

· limiting collection of, and access to, confidential information

· tracking data & equipment

· training employees

I think the areas where companies seem to falter are: staying on top of new threats, universally applying security technology, and training. “

One of the challenges many security officers and CIOs have is getting the attention of management – and the budgets that come with it. How can they get that attention?

A: “Poor IS is dangerous. It can lead to data breaches, and significant fiscal loss in damages and in consumer confidence. I think the media is making it more and more clear that IS is not cutting it for many companies, and that the outcome is quite a costly one. IS is, and will be, given a higher priority, but I think that companies will continue to falter in certain areas. I think it will take many more data breaches to compel companies to tighten up the gaps in their policies.

In particular, when it comes to these issues and the Absolute blog, I try to write about the "people" component of security policies, to highlight the importance of not just technology, but also training. I see this as an overlooked area in IS. “

What makes training so important?

A: “In many cases, the technologies are simple. Encryption. Laptop recovery software. Things people can understand and do. But if not universally applied, and if not reinforced with employee training, much of this effort can go to waste. The products and services to make your data secure exist - Absolute Software being a provider of some of the solutions. These companies make things easy on the technology side. I guess it's my interest to back that up with other resources. “

Arieanna, all the Security profiles are asked this question: In your opinion, what are the three main challenges businesses meet regarding IS in 2007?

A: “

  1. Securing off-site data devices. Knowing what information leaves the office, and on what device.
  2. Training. Shoring up the "people" problem.
  3. Limiting information. Companies need to cut back on the personal information they collect, where they store it, and who has access to it. But it is an issue that only scales with the size of the company, and will prove difficult for many. “

Thank you kindly, Arieanna! It has been a true pleasure.

You can contact Arieanna at these resources:

Arieanna Schweber
Arieanna@blogaholics.ca

The Laptop Security blog: http://blog.absolute.com


Track your honey with RFID

RFID is gaining popularity. It is easy to use and adopt, and its versatility is great. Applications vary from passports, price tagging and transportation tracking to, now - tracking your clothes!

Fujitsu has developed an RFID chip to be sewn into clothes. It is washable, and you can even iron it. The value proposition is easy handling of clothes at industrial dry cleaners. By tagging the batch of work, you reduce the need for human aid, and reduce errors.

The tag can be read from over four feet away.

Many other applications come to my mind. Now I can track my wife and son - and they will never know. "Why did you take your sweater off at xyz today, Honey?" Or, "Go to John and fetch your jacket, my son". (I would have to add sensors at all likely and unlikely places, but hey - I am paranoid...)

Yet again, we see marketing potential winning over security. This application is another wet dream coming true for the marketing guys. A Magicmirror reads the RFID tag in the clothes, and presents information to the customer while trying on the clothes. Read the passport at the same time (or add the RFID to customer reward cards), and the marketeer can tap into not only the stuff you buy - but the stuff you consider.

They will of course give you the impression that this is another value-adding service - serving you. While in fact it is a self-serving solution stripping you of privacy.

17 year old girl missing according to e-mail. Or is she?

The other day, I received an email from one of my connections. The email is of the kind we all know: 

"Hanna is missing - please forward to all your friends" 

Unlike most of such emails and stories, this one was based on a true story. Only, time was long past due.

The background is a teenage girl leaving her family. She decided she needed some time off, I guess. Not uncommon for teenagers, but a heavy burden on the parents. The parents go to the police, and ask around if anyone knows where she might be hiding. Expecting the worst, I would guess.

Thanks to the media coverage, she is found (actually, she turns herself in) after a couple of days. She is fine, she just needed a few days off.

So - that is the background. The story is similar to many. And they tend to create email campaigns that run for years.

What amazes me is that people never learn. Instead of taking 10 seconds of their own time to check the reality and necessity of the story, they hit the FORWARD button and send to any and all connections. Some may have the minimum of decency to add a note like

"I hope it is OK that I forward this to you"

Well, yes it is. IF - and only IF you did a quality control. If you did spend those 10 seconds to check if this is hoax, or a true story. Or as in this case - a closed case!

All I had to do was type (actually, I am lazy, so I cut'n'pasted) the name of the poor girl into Google. And I get instant response. The girl is found. Long time ago. She is fine. No need to worry. No need to spend any more time on this case.

I urge you (you know who you are) to actually care a little bit about your connections, and a lot about the family and the persons involved in such stories the next time you choose to forward it. Take 10 seconds - or if necessary - 10 minutes - to check the story.

If not for the sake of your network - for the sake of the poor people involved.

Imagine it is you in the story. And 5 years down the line, you get the email where people are asking for your help to find you. And this goes on and on and on. Haunts you for your life.

I will not publish her name here. I know you understand my sentiment.  

Freedom of press - or censorship in practice

Larko pointed me to this global rating of freedom of the press. It seems I live in a country where we have the de facto standard. Which is nice of course. But turning attention to the other end of the list is not fun reading.

List includes:

  • Norway & Iceland - 1st place, with 0.75 points
Which probably means that as long as I stay here, I can keep writing whatever I feel like. Darn, there goes my international career!
  • USA in 48th place, with 14.5 points

A large amount of my readers are located there, as are many bloggers. I bet you guys will work to raise the US on the list. Particular events like these:

"There were slightly fewer press freedom violations in the United States (48th) and blogger Josh Wolf was freed after 224 days in prison. But the detention of Al-Jazeera’s Sudanese cameraman, Sami Al-Haj, since 13 June 2002 at the military base of Guantanamo and the murder of Chauncey Bailey in Oakland in August mean the United States is still unable to join the lead group."

will hopefully put your focus on working against censorship.

 

  • It seems there is more freedom of the press in Europe & Australia than anywhere else in the world
"Outside Europe - in which the top 14 countries are located - no region of the world has been spared censorship or violence towards journalists."
  • China & Burma are almost at the bottom of the list, together with Iran, Eritrea and North Korea (no surprise there)
"We also regret that China (163rd) stagnates near the bottom of the index. With less than a year to go to the 2008 Beijing Olympics, the reforms and the releases of imprisoned journalists so often promised by the authorities seem to be a vain hope.”
 
So do I. Hopefully, the Olympics may start a new trend, where China and Asia work toward human rights and freedom of the press.
  • Bloggers are not safe!
“We are concerned about the increase in cases of online censorship,” Reporters Without Borders said. “More and more governments have realised that the Internet can play a key role in the fight for democracy and they are establishing new methods of censoring it. The governments of repressive countries are now targeting bloggers and online journalists as forcefully as journalists in the traditional media.”
 
Online communities and blogging have become an increasingly important communication channel. Many blogs are inaccessible from China. And as blogging gains popularity, bloggers get the attention of censoring governments and presidents.
 
A company has the right to control the information that it distributes. It is called branding, PR, marketing and damage control. We accept this right, as well as the company's right to fire or remove the person who communicates publicly without the consent of the company.
 
Should not a country have the same right? Why should a company be able to fully control its public picture, and a country not? Or do we need to review the company's right to do whatever it deems necessary to reach its targets? Are there limits to what a company should be allowed to do? And how do we treat the whistleblowers?
 
What are your thoughts? Is censorship OK?
 
UPDATE: Dave Lewis has an interesting post about Yahoo and the imprisonment of a Chinese journalist!

TJX – you have done a great job!

It is a little early to say, but after 10 months of publicity, TJX is not only holding the fort, it is making a profit!

TJX has turned a potentially fatal breach into a profitable venture. A quick recap:

  • In January 2007, the news broke that hackers had gained access to TJX's centrally stored customer data, resulting in the theft of 47 million credit card numbers (among other personal data). Everyone can see that has to be bad for business.
  • Then it turned out that the hackers had been doing this for over a year. Ouch. That has to hurt badly too.
  • After a while, we learned that the hackers gained access through an unprotected (WEP-encrypted) wireless network at one of the shops. Did I say unprotected? Oh. That hurts again. Then again, this was back in the stone age, aka the summer of 2005.

We should expect TJX to suffer big time. The media have been all over this case. Bloggers too. I have been no better.

It would be reasonable to expect TJX to suffer a lower revenue stream. A weaker company would have fallen over, and consumers would have turned their backs on the shops.

But only some of this happened. Let's look at the status as of October 2007 (from Yahoo Finance):

  • TJX had revenue of $4.1B and $4.3B in the first two quarters of 2007, and $5.1B in Q4 2006. If they continue to increase revenue in Q3 and do a strong Q4, as you would expect with Christmas and the end of the year, they will do as well as 2006, or even exceed that $17.44 billion revenue from 2006. Not a huge loss, nothing near the expected anger from consumers.
  • What if we look at the growth rate? For the past three years, TJX has grown by approximately one US$ billion per year. They risk not growing by that amount this year, but as we saw above, they look set to match or exceed revenue from 2006. It seems TJX will ride out the storm well.
  • Let's take a look at profit, then. Even if consumers don't seem to abandon TJX, surely there must be expenses? And surely there are; some will show up this year, most will not (see next bullet). Profit (in thousands):
    Q3 2006: 1.114,316
    Q4 2006 (ends Jan. 27): 1.159,153
    Q1 2007 (ends Apr. 28): 990,866, so there is a 170 million drop in the first quarter after the breach went public. Considering this is the first quarter of the year, this is not a dramatic drop.
    Q2 2007 (ends Jul. 28): 1.035,601
    It seems to me that profit is not affected in the dramatic way we should expect.
  • Risk can be transferred. It is called insurance. Someone else will pay a large part of the bill.
  • What about the lawsuits, I hear you ask. TJX is quick there too: they have offered a $20 check and a gift voucher to all affected customers. They initially tried to be a bit dirtier, a $50 gift voucher and no check, but that was too obvious. What happens with a gift voucher? You go to the store and spend it, along with some other cash; there is plenty of stuff to buy, and when you are in the shop anyway, why not do some spending. TJX knows. After all, they are in the consumer market space!
  • Market value? Well, the consumers don't seem to care much.
  • The shareholders? Surely they must have run away? Hah, no, 2007 is their best year ever. TJX shows steady growth in value, and the bad news in January could not take the shares down to June 2006 levels. TJX is nothing but a money machine.
  • What about the breach in the first place? Well, this was in 2005; a WEP-protected WiFi access point was hacked. Most of my readers would know how to do that themselves, and in less than 10 minutes. If you don't, take my word for it. WEP does give you protection against those who do not know how to break it, though.

You may do a risk assessment and determine that the risk of a hacker breaking in is so small that you will accept it. If you do, that is exactly what you are supposed to do: evaluate the risk at hand and treat it accordingly.

I suspect that TJX did evaluate the risk and did make a valid decision. After all, they did start to implement WPA only a few months after the initial breach.


I have to admit, they seem to be doing all the right things. From a business point of view, they are: analysing the situation, evaluating options, and choosing the road that minimizes risk and maximizes profit.

And it seems like they are pulling it off too! Congratulations to TJX!


Akismet blog antispam stats

A while back, I needed an antispam tool for my blog comments. I decided to go with Akismet.

A few months down the line, my antispam solution has caught over 2 500 spam comments. 2 500 spam comments on my blog alone. I think that is a vast number, and I can only guess what more popular blogs must handle.

According to Akismet, their service has caught more than 3 billion (as in 3,043,731,975) spam messages since they started. Their complete stats are available.

Thanks to Akismet, I am able to concentrate on the writing and leave the comments almost to themselves. (So far, I have decided to approve all comments; I am now testing fully automatic mode. You will soon discover whether it works or not!)

TJX gives CC advice to their customers!!!

Oh, TJX. No, I guess I will never get tired of it!

This time, I will just point you to this important message from the President and CEO, dated Oct. 11.

There, Carol Meyrowitz, the President and CEO, says:

"To learn more about steps you can take to protect your credit and debit card information, I encourage you to access the information we are providing on this website or to contact our special customer helplines listed below."

Sorry Carol, I do not think I trust TJX enough to take your advice about CC information. At least not MY CC information.

Need I remind you that it was never your CUSTOMERS who messed up? Your customers decided to TRUST you and your companies to handle their CC information. I bet the customers did take the necessary precautions and use common sense; how could they be expected to be prepared for YOUR breach?

I advise you to do the right thing: learn from your own mistakes and fix them, rather than diverting attention by teaching your customers how to do things they do much better than you ever did.


------------------------------------------------------------------------

Due to the nature of the document, I have pasted the text below too:


LETTER FROM TJX’S PRESIDENT AND CEO

October 11, 2007

To Our Valued Customers:

At TJX, our first priority always has been and continues to be, our customers. I want each of you to know how much I personally and, on behalf of the Company, regret any difficulties you may have experienced as a result of the criminal attacks on our computer systems announced earlier this year. Importantly, we truly appreciate that you have continued to place your trust in us with your loyalty and patronage.

We remain committed to providing our customers a safe shopping environment as you shop for great values, fashion and brands. TJX has been working diligently with some of the world’s best computer security firms to further enhance our computer security. We have also continued to work with law enforcement and government agencies and very much want to see that the sophisticated cyber criminals who attacked our computer systems are brought to justice.

We have worked diligently to reach a settlement, which we believe would offer an excellent resolution for our customers, addressing the different ways that they have told us that they have been impacted by the computer intrusion(s). (Like all class action settlements, our settlement is subject to Court approval and other conditions, and therefore, customers cannot yet seek benefits.) We have provided a separate link, below, to additional information regarding the proposed settlement.

To learn more about steps you can take to protect your credit and debit card information, I encourage you to access the information we are providing on this website or to contact our special customer helplines listed below.

Once again, we sincerely regret any inconvenience you may have experienced as a result of the attacks on our computer system. We are deeply grateful for your continued trust and patronage.

Respectfully,

Carol Meyrowitz
President and Chief Executive Officer

INFORMATION ABOUT PROPOSED CUSTOMER CLASS ACTION SETTLEMENT

Click here to view Additional Information about Proposed Customer Class Action Settlement; Subject to Court Approval and Other Conditions.


INFORMATION ABOUT INTRUSION(S)

View Frequently Asked Questions (FAQs)

Click here to view the 2/21/07 Press Release

Click here to view the 1/17/07 Press Release


Helpful Information for Customers:

TJX has special, toll-free helpline numbers in the U.S., Canada, the U.K., and Ireland, to assist customers with concerns about the computer intrusion(s) and to answer questions about the proposed customer class action settlement, which is subject to court approval and other conditions.


In the United States:

Toll-free help line:
866-484-6978

Available Monday through Friday from 8:00 am to 8:00 pm and Saturday from 9:00 am to 5:00 pm Eastern time.

Click here to view Recommended Steps
Click here to view Other Resources
Haga clic aquí para obtener información en español.


In Canada:

Toll-free help line:
866-903-1408

Available Monday through Friday from 8:00 am to 8:00 pm and Saturday from 9:00 am to 5:00 pm Eastern time.

Click here to view Recommended Steps and Other Resources
Cliquez ici pour des renseignements en français.


In the United Kingdom and Ireland:

Toll-free help line:

Callers in the UK* should call 0800 779015
Callers in the Republic of Ireland should call 00 44 800 779015
* (England, Wales, Scotland, N Ireland)

Available Monday through Friday from 8:00 am to 8:00 pm and Saturday from 9:00 am to 5:00 pm Eastern time.

Click here to view Recommended Steps and Other Resources


Any customers who would like to contact TJX Customer Service:
Please email TJX Customer Service at: customerservice@tjx.com



The blogger is Kai Roer, a European Information security professional.
