After a bit of xml display snafu, my report "Breaking Down Entropy And Passwords" is finally live on the Forrester website. 

This report was inspired by a number of customer inquiries that I had recently on mobile password policies. It struck me that few IT organizations actually understood the fundamental rationale behind password policies - length and complexity of passwords, number of password retries, and password lifetime. This is perhaps because we take user passwords, one of the most basic security controls, for granted, and hence don't think about it too deeply. Because it is such a prevalent security control, and because many organizations don't have much beyond user passwords, it is high time we understand why we set a particular password policy and whether that works for our particular risk profile.

So I set out to write this report - trying to describe the theoretical underpinnings of password properties. For example, if you require that your mobile users use a 6-digit PIN to access their mobile phones, do you know how many PIN fail-retries you should permit but still achieve NIST level one authentication?  What about a 6-character alphanumeric password? 

The security group at Forrester has been handling a steady stream of client inquiries regarding EU data privacy laws, from both EU and North America clients. While there are many good legal sources out there, we thought it'd be a good idea to compile a list of common Q&A questions about EU privacy laws into a report, to serve as a definitive information source for Forrester clients.

The report, titled: “Q&A: EU Privacy Regulations,” is now live on Forrester's website. It is not our intention, by writing this report, to give legal advice. Rather, we envisioned this report to be a repository of the most important information regarding EU privacy laws, updated every 18 months or so. The report has a wealth of information, including links to actual information sources – be that EU's data protection directive web site or interesting studies/analysis done by external parties. For example, one noteworthy study on US Safe Harbor  is by Chris Connelly from Galexia consulting. He looked at 2,170 US companies that claimed to be Safe Harbor compliant. Out of these, 940 do not provide information on how to enforce individuals' rights; 388 were not even registered with the US Department of Commerce.

The report also contained information on Model Clauses and Binding Corporate Rules, for which we are beginning to see increased interest. We also discussed new and pending privacy laws in the report, including the EU “cookies” directive and EU's view on geo-location privacy.

It was revealed yesterday that iPhones/iPads (with iOS 4.0 or later) have been logging the location information of the device and storing that in a hidden file on the phone or the iPad.

This discovery, presented by researchers Alasdair Allan and Pete Warden, at the O’Reilly Where 2.0 conference this week, has sent shock waves through the high tech community. “What? This file contains my whereabouts for the past year? WTF?” was most people’s first reaction when the news broke.

Many iPhone/iPad apps have access to the geolocation of the device, but most only access it at a given point of time and do not attempt to log or create a history file of this information. The discovery that such logs exist begs the question why Apple was logging this data and whether it has any intention of utilizing the information.

I can imagine a number of reasons why Apple would want to collect this data and how they might use it. Device tracking, for instance, is a popular parental control feature that users want. Think your teenager lied to you about his/her whereabouts yesterday? No problem, just log into MobileMe and verify the location tracking information. Similarly, a credit-protection app can be instructed to report the phone’s general location at the time of a suspicious credit card transaction— if the card is used in England and the credit card owner’s phone is in Alabama, hmm… something could be amiss here.

Updated: December 13, 2010

Michael Brzozowski, the creator of Watercooler, the internal social media system for HP, recently left HP for Google.

Talents move around all the time, especially in the bay area where the industry is rife with interesting opportunities. However, in this case, the departure of Mr. Brzozowski has put the fate of the Watercooler system in question.

To understand why this is worth blogging, we need to first understand what the Watercooler system is about. Many of you may not know this, but Watercooler is a social media system that currently has 100,000 users! Brzozowski originally started Watercooler aggregate RSS feeds from across the company. Over time, it has morphed into a social media aggregation platform that aggregates content from  HP’s internal wikis, microblogs, various discussion forums, and social bookmarks. The system has a documented set of open APIs and supports a powerful and expressive set of content filters across different social media systems. It is also integrated with HP’s user directories.   

Brzozowski wrote a nice paper on a study he conducted with Watercooler data. Published in Group 2009, the study revealed some interesting facts about social media usage inside HP. Perhaps one of the most concrete statistics arguing for the value of enterprise social networks to date, Brzozowski’s paper points out that 69% of all Watercooler blog users subscribe to content generated by someone outside their business unit. This kind of cross-company instant collaboration is a huge benefit as a social media system because it provides a user community.  

Many of you may already know, but Forrester’s Security Forum 2010 is coming up in September. This year, the theme is “Building The High-Performance Security Organization.” Indeed, as the global economy begins to recover, Security & Risk professionals must transform from a reactive silo of technical security expertise to a true partner of the business and an enabler of forward-thinking business strategies.

This forum is all about technical, tactical, and strategic information to increase the maturity and performance of your IT security organization in this fast-changing economic climate. In the two-day forum, we will explore the principles of:

• Aligning your objectives and measures of success with the business.
• Giving business the tools to perform risk management.
• Preparing for the adoption of cloud services, the consumerization of IT, the proliferation of social technologies, and an ever-changing threat landscape.

I will be running three sessions at the forum this year: