[Dataloss] Suggestion for changing status quo on data losses

Adam Shostack adam at homeport.org
Fri Aug 1 21:01:42 UTC 2008


Two very quick comments about this idea:

1) When approaching Congress, it's useful to have some idea what you
want them to do.  Getting consensus around this is difficult.

2) King Log, King Stork.

Adam

On Fri, Aug 01, 2008 at 08:48:15PM +0000, security curmudgeon wrote:
| 
| : In light of the exemplary work the people behind this listserv do, and 
| : the educational service they provide, I would like to suggest taking 
| : this a step further so we can stem this deluge of data losses we are 
| : subjected to every day.
| 
| While we certainly appreciate the compliments and like to think we do good 
| work, please remember that we're volunteers and do this in our spare time. 
| There is also a big difference between 'hobbyists' and 'lobbyists'.
| 
| : I propose that attrition.org make up a dedicated list of every US 
| : Senator and Congressman, and email them every single data-loss 
| : announcement.
| 
| The list of Congress critters and their e-mail addresses is easy to get, 
| there would be no need for us to maintain or research such a list.
| 
| http://www.senate.gov/general/contact_information/senators_cfm.cfm
| http://www.webslingerz.com/jhoffman/congress-email.html
| 
| : However, if this listserv notifies every US Senator & Congress person 
| : about every breach that we see, then they/their staffers can hardly 
| : claim they didn't realize how bad the situation is.  The once a year 
| : report put out by the FTC is good for soundbites, but the daily reports 
| : of the losses ought to shake them up.  If not, I suggest letting them 
| : know with your vote this November. (I intend to).
| 
| Voluntarily subscribing every Congress person to our mail list would 
| violate the spirit of attrition.org and move dangerously close to the 
| world of unsolicited spam. While the mails would be related to current 
| issues and just the type of thing you write your representation about, 
| flooding them with this list and the discussions that occur would likely 
| piss them off, not endear them to caring about dataloss issues.
| 
| In my opinion, to do this correctly would involve someone drafting a 
| well-written form letter that list subscribers could use to send to their 
| own representative. One page, cite the issue, quote some statistics, say 
| it affects them (faster way to make them care) and then to 'fix it'. Of 
| course, 'fixing it' is generally a myth as there isn't a simple to 
| implement solution to stop dataloss.
| 
| Again, thank you for the praise, but please remember that we're stretched 
| thin between attrition.org, datalossdb.org and osvdb.org and those pesky 
| day jobs and significant others. It would be extremely helpful if more 
| people would spend fifteen minutes a week updating those sites with us, or 
| contributing to new ideas like this one.
| 
| Jericho
| attrition.org staff