September 2011 Archives

Verizon PCI Compliance Report

Verizon has published their 2011 Payment Card Industry Compliance Report (PDF). Good reading for those in the security industry.

USMC Social Media Handbook

The United States Marine Corps has released a social media handbook (PDF) outlining acceptable uses of social media for Marines across the globe. "The social media principles provided in this handbook are intended to outline how our core values should be demonstrated, to guide Marines through the use of social media whether personally involved or when acting on behalf of the Marine Corps."

This is one of the more comprehensive social media handbooks I have come across. The Marines did a great job covering the uses of social media and the behavior the Corps expects in personal, family, and professional uses. It also, importantly, covers operational security (OPSEC), using social media for crisis communication, and provides safety tips.

This is a big step forward for the Marine Corps, which, in August of 2009, caused a controversy by outright "banning" social media on their unclassified warfighting network. This ban was smart; the media, in their coverage of the ban, however, was not. The media took an overly dramatic viewpoint that the order, MARADMIN 458-09, would prevent Marines from using social media services to contact their families and friends, cutting off deployed Marines worldwide. This was far from the fact or intent of the order. The order sought a default-to-secure posture and offered a waiver process that would allow commands and units to engage on social media while also gathering data on legitimate uses throughout the Corps to make more informed decisions down the road (hence the one-year time frame). The ban affected operational networks, not the networks used for morale and welfare (USO, internet cafes, etc.) -- a critical distinction missed by the press. Nonetheless, it started a groundswell within the DoD community that ended with the use of social media being green-lit by the DepSecDef in February of 2010. Full disclosure: I had a hand in the creation of the referenced MARADMIN, as noted within the document.

Kudos to the Marine Corps for this excellent handbook and for embracing a new style of engagement for Marines, their families, their friends, and the world.

My one criticism is the section on facebook privacy and tracking. My assumption is that the handbook will not be updated as often as facebook, so the information will quickly become stale. A general overview, or perhaps a common-sense approach to privacy concerns on social networking sites, would have been better suited to the document, with a more expansive, and more easily updated, website showing Marines the specific steps needed to protect themselves.

My two favorite parts of the manual are the introduction of the term "social media Marine" and a motto found on the last page of text in the handbook that reads:

"Engage the Community   •   Maintain Operations Security   •   Be Smart - Set the Example: In Life and Online"

A great message and motto for all DoD/Government social media engagements.

This is a great template/starting point for other DoD components and government agencies currently without a social media handbook/policy. I'd also urge the Marine Corps to embrace new media to deliver the content of this handbook, for example by using video to disseminate the policy.

Mozilla Secure Coding Guidelines

Mozilla has a great resource for webapp and website developers: The Mozilla Secure Coding Guidelines.

These guidelines will help create a more secure app/site. However, they will not, by themselves, decrease privacy risks. Design your app/site to be privacy-conscious.

Facebook cookies and sharing

They are never tasty, and now they leave a potentially never-ending aftertaste. Nik Cubrilovic (@nikcub) has an intriguing write-up on his blog about the potential for expanded tracking by facebook through their social plugins (comments, likes, APIs, etc.) even after a user has logged out. Facebook has denied the potential threat. There are interesting discussions in the comments section of his blog (Disqus platform, no less), including facebook's response, and on his twitter page.

I love seeing research like this surface and I give Nik credit for approaching facebook multiple times before publishing. His post is fairly technical but his intro boils it down nicely into layman's terms.

It seems Dave Winer's (@davewiner) post titled "Facebook is scaring me" may have prompted Nik's post after sitting on the data for more than a year. And all of this, of course, after the recent announcements at F8, which prompted renewed privacy concerns regarding facebook's new timeline profile and frictionless sharing features.

It amazes me how often the privacy pot gets stirred, even with pending legislation looming over a largely unregulated industry. You'd think they might lay low on making these drastic and norm-challenging changes.

I'm back

After a brief hiatus, including a trip to New Zealand for the Rugby World Cup and a new job, I am back and will be posting regularly.