Long delayed discovery

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9027220

A September 2005 security breach that remained undetected until “recently” may have compromised the names, addresses and credit card details of roughly 27,000 on-line customers of computer memory vendor Kingston Technology Company Inc.

One wonders how many more ‘undiscovered breaches’ there are out there.
One might suppose that the quality of a breach is a measure of how long it goes undiscovered.

The corollary is, of course, that you can never prove that you haven’t been breached.

I’m reminded of the advert for the disinfectant that “kills 99% of all known germs”.
Well Whoopee-dee! We’ve co-evolved over the last few million years with microbes – which, by the way, make up most of the biomass of this planet and which can swap genes and evolve at a rate that makes swapping genes via sexual reproduction look like it’s working on a geological time-scale. Our immune system, which unlike computer AV does an ‘is this me or not me’ check rather than a comparison with a known list or database of malware ‘genotypes’, deals with a lot more than the said disinfectant. There’s a lot of ‘germs’ floating around in the air, water, on your skin … Our obsession with cleaning and disinfecting may even be dangerous since it means our immune system might not get a proper work-out by exposure to sub-lethal amounts of new ‘germs’. How do you think the human race survived before we developed disinfectants and antibiotics?

Microbes – let’s stop calling them ‘germs’ – are useful. They cause decay of dead stuff. They are an essential part of the ecology, clearing up dead plant and animal material, sewage and much else. Perhaps we need the equivalent in the computer world to clear out dead files. Or selective ones that attack pornography and hate literature …

In an e-mailed statement, the company said it has taken “aggressive steps” to minimize any potential risk to those affected by the illegal access.

Oh yes? When? And why not years ago?
It’s not difficult to show that it’s cheaper to take preventative measures so you don’t have to pay for the clean-up and for any follow-up litigation and loss of business arising from bad publicity.

I note that the press release has a lot more weasel-words.

About the author

Security Evangelist