City jobs require surrender of logins and passwords

As part of its job application process, the city of Bozeman, Montana requires applicants to surrender login names and passwords for all social networking sites they are involved with. The list of sites includes Google, Yahoo, MySpace and Facebook. Supposedly this is so that the city can do a background check and determine that “the people that we hire have the highest moral character.” Read the article for full details, but here is my favorite quote:

“You know, I can understand that concern. One thing that’s important for folks to understand about what we look for is none of the things that the federal constitution lists as protected things, we don’t use those. We’re not putting out this broad brush stroke of trying to find out all kinds of information about the person that we’re not able to use or shouldn’t use in the hiring process,” Sullivan said.

Update: Bozeman has decided to change their hiring practices and has apologized for the “honest mistake.”

Update: Looks like North Carolina does the same thing.

Analysis of security breaches

Interhack has a study of security breaches by industry and type. The authors categorized 925 security incidents using a taxonomy they developed, then analyzed the incidents by industry and type of incident. Two interesting points were that the financial industry had the highest percentage of insider attacks and that incidents caused by insiders were more common than those caused by outsiders.

While the bulk of media attention on threats to private information is given to the activity of outside attackers, these breaches account for only approximately 22% of the instances in our data set. More significant is the number and type of breaches caused by people within an organization. Poor procedures, human errors by staff (Processing and Disposal), and the malicious activities of people on the inside of an organization account for greater than 35% of our observations.

Handing laptops to friends

Slashdot has a request for information from an art student who wants to know how to let other people briefly use their laptop while still protecting the laptop from infection and the data from snooping. Judging from a glance at the Slashdot comments, the answers can be roughly grouped into these categories:

  • Set up a guest account and use quick user switching. This solution works on both Windows and Linux.
  • Use VMware or equivalent software. Start the virtual machine and run anything questionable, including other people’s logins, inside it.
  • Say “NO.” Don’t ever loan out your laptop; it’s yours, not theirs, and lending it is an unnecessary risk from the standpoint of physical and data damage.