Today’s post has nothing to do directly with information security but the article so caught my eye that I had to share it. Feel free to skip today’s post if it doesn’t interest you.

The U.S. Chamber Institute for Legal Reform recently released a report on the disproportionate share of U.S. litigation cost borne by small businesses. The full report is about 25 pages and well worth reading. The short version is:

  • Small businesses generate 64 percent of all new jobs and over half of non-farm GDP
  • Small businesses bore 81 percent of business litigation cost, yet represented only 22 percent of US business revenue
  • Small businesses pay more of their tort costs out-of-pocket rather than through insurance
  • More than one-third of surveyed small businesses had been sued – To put that number in perspective, think of any three local small businesses that you use, maybe your barber, hardware store and local laundry. Do you really think that one of every three is so evil that the only way to resolve the complaint was to go to court?
  • 62% reported making business decisions in order to avoid lawsuits and that these decisions made their products and services more expensive. 45% pulled a product or service off the market just out of fear of lawsuits and 11% have had to lay off employees as a result of lawsuits
  • For medical businesses, it’s even worse. Tort liability is 94 percent of all medical malpractice litigation for small medical practices and small medical labs. This is driving the medical profession away from small practices and toward large hospital-based and health system-based groups. In just three years, from 2005-2008, small groups dropped from two-thirds of all practices to less than half.
  • 66% of the general public agreed with this statement: “The fear of being sued is changing American society for the worse because it’s often having the effect of discouraging people from doing the right things.”

Statistically, some few of those small businesses are bad apples who should be sued, maybe even into bankruptcy. Sometimes, that is your only recourse. But I do not believe that all businesses are inherently evil and am deeply suspicious of the way the legal profession has morphed into a legal industry over the past few decades. The more I read, the more convinced I become that tort reform is desperately needed. Some form of “loser pays” like they have in Europe would be a good first step.

This post isn’t directly related to security but if you’ve never been out to workforce.com before, I recommend them. The site uses buzzwords like they’re just for HR professionals but it’s good reading for any businessperson.

This post titled The Five Biggest Lies in HR by Kris Dunn was fascinating, if a bit cynical. It’s a painfully realistic view of where we really fit in the workforce.

I read an article this morning on a non-profit called the American Widows Project and thought it sounded like a very worthy cause. In addition to helping them directly, I’d like to do my little part to get them some more publicity.

That reminded me of another recent article on allowable links on your website. That article specifically talks about the problems faced by public entities like school districts and whether they must allow links to private companies on their webpages. It’s a difficult question for any governmental organization. Under US law, they have an obligation to protect free speech but at the same time cannot create the appearance of an unfair endorsement of a private opinion.

For a public entity, it depends on the exact nature of the page – if your township hosts a “forum” where citizens are allowed to express opinions and air grievances, there are very few allowable limits that can be placed on the free speech rights of the people participating in the forum. On the other hand, even public entities have non-public forums – places where completely free speech would get in the way of the very mission that the agency is supposed to carry out. Limits in those forums are more acceptable. Regardless, any limits should be

  1. clearly stated ahead of time
  2. based on reasonable protections of other rights (for example, ‘no hate speech’ or ‘stay on topic’) and
  3. enforced with ruthless consistency.

If you work with a public entity with any online presence, I strongly urge you to read the eDiscoTech article.

As a private citizen, the calculations are different. First, you have no obligation to allow others to say anything. You are not required to let someone take over your backyard for their political rant even if the same speech would be strongly protected in the village square. But you want to allow interaction and linking on your personal website. That social contact is most of what makes the website valuable and brings in readers. The challenge is that your credibility is directly linked to all those outsiders. Anything you include or allow on your own website carries an implied endorsement. If there’s bad content on the other side of a link, it reflects back on you. So if you host a blog (whether Twitter or a more conventional blog like this one), you probably want to allow comments but you probably also want to keep some rights to control them, if only to filter out the spam and other worthless content. And you should be fairly conservative about who you link to. Be sure they are the kind of people you want your reputation associated with.

Corporations have it hardest of all. They are private and have no legal obligation to allow their site to be used for the free speech of others but attempts to suppress or censor negative comments almost always create more backlash and ill-will than the original complaint. Corporations generally do best by enforcing clear rules (especially the “off-topic comments will be removed” rule) but otherwise allowing users to post whatever they really feel about the company’s products or services.

Ultimately, I decided to include a link to the American Widows Project – you can see it now in the blogroll on the right of the website. Deciding who you should link to is an interesting question, though.

How many times have you seen someone talking to a reporter and asked yourself “did he really just say that?” What was he possibly thinking? Sometimes people do say stupid things, but sometimes they just get caught because they are not used to speaking to reporters. This is especially true when you are responding to a crisis. Remember that the reporter has one set of goals – and they are not your goals.

When you get into a crisis, it’s too late to be deciding who should talk to the media and how. Have a plan and practice it before the crisis hits so you don’t get caught off guard. The list below has some helpful thoughts about dealing with reporters. It was originally developed at a crisis communications workshop at a Florida Beekeepers meeting in 1992 in response to scaremongering about Africanized honey bees. These rules are still relevant today and apply no matter what your crisis is.

  1. Individual Rights – No one from the press has the right to violate your individual rights.
  2. Honesty – Never mislead or lie to a reporter. If the situation is under litigation, say this is so; if there is a question about profits, dollars or proprietary information, you can defer/refuse answering based on not informing competitors in the marketplace.
  3. Buzz Words – Never repeat an expression or inflammatory statement made by a reporter. As an example, if you are asked, “To what do you attribute this catastrophe?”, do not repeat the word “catastrophe.” It then becomes attributable to you and you alone; you will “own” it.
  4. Hostility – Never get angry; keep cool and remember the reporter always has the last word.
  5. Off the Record – There is no such thing; if you don’t want it reported, don’t say it.
  6. Estimates – Never make numerical estimates in time or dollars. Say that the incident is under investigation and you will provide accurate information when it becomes available.
  7. Reporter Verification – Ask for identification, the purpose of a reporter’s activities, media affiliation and telephone number.
  8. Bridging – Try to bridge the gap between a reporter’s wish to be negative and providing a positive statement about your activity.
  9. Statistics – If you are not aware of statistics provided by a reporter, say so and ask for them in writing before commenting.
  10. Deadlines – All reporters are on deadlines, but you are not. Take all the time necessary to avoid hasty comments. The fact that a microphone is stuck in your face doesn’t mean you have to say something. Dead air time is not likely to appear on television.

Excerpted with permission from Bee Culture magazine, Jan 2007.

This was originally posted on 13 Sep 2009. I accidentally deleted the post the next week. Here it is again “for the record”.

These days, security is a Red Queen’s race where “it takes all the running you can do, to keep in the same place.” Hackers are constantly raising the bar and making old protections worth less than they were the day before.

The company that hosts this blog recently posted a very good article on the problem. They recommend (and I strongly agree) that you need to keep your software fully up-to-date and patched. You might not be perfectly protected from every hacker attack but you’ll be protected from most and often that can be enough.

There’s an old essay by Mike Pilgrim comparing computer security to the Club and to Lojack. If you remember the Club, it was a lock that fit on the steering wheel of the car, making it almost impossible for a thief to steer as he’s trying to get away. It wasn’t perfect security – a really determined thief who specifically wanted your car could drill the lock or just cut a section from the steering wheel. But it was pretty good protection from a thief who just wanted a car. As long as easier pickings are available, the thief will follow the path of least resistance.

A more grizzly way to say it is in the old joke about the two hikers who surprise a bear in the woods. They start running and the bear chases. One of them stops to change into sneakers and the other says “You’re crazy – even in sneakers you’ll never outrun a bear.” The other replies “I don’t have to be faster than the bear … I only have to be faster than you!”

That “faster than you” attitude can be enough to deflect the hacker to an easier target. On the other hand, if you don’t keep your software patched, you’re choosing to be the guy still in boots – the easy meat. Patch your software and keep it current. If you can, use a tool such as Secunia to help stay current. It’s a lot of work but it’s better than joining the bear for dinner.