Veterans Affairs Breach Info

This site has all the latest information including a FAQ on the recent Veterans Affairs incident. Most interesting, perhaps, is the “what will stop it from happening again” answer:

The Department of Veterans Affairs is working with the President’s Identity Theft Task Force, the Department of Justice and the Federal Trade Commission to investigate this data breach and to develop safeguards against similar incidents. The Department of Veterans Affairs has directed that all VA employees complete the “VA Cyber Security Awareness Training Course” and complete the separate “General Employee Privacy Awareness Course” by June 30, 2006. In addition, the Department of Veterans Affairs will immediately be conducting an inventory and review of all current positions requiring access to sensitive VA data and require all employees requiring access to sensitive VA data to undergo an updated National Agency Check and Inquiries (NACI) and/or a Minimum Background Investigation (MBI) depending on the level of access required by the responsibilities associated with their position. Appropriate law enforcement agencies, including the Federal Bureau of Investigation and the Inspector General of the Department of Veterans Affairs, have launched full-scale investigations into this matter.

Umbrella weather center

This is so incredibly strange, I had to post something. A couple who must have one of those weather ball thingies at home (they change color to indicate the forecast) have decided to “design” (nothing particularly new about the shape/size) a color-changing umbrella handle. It apparently uses Wi-Fi to pick up the forecast and thus if you’re somewhere near a friendly network I guess you have a chance of knowing whether the weather calls for an umbrella, from your umbrella.

I can imagine all sorts of fun sending fake rain signals to the neighborhood umbrellas. That would be funny, watching everyone leave the house saying “hmmm, it looks sunny, but this sophisticated umbrella weather center can’t be wrong”.

Anyone want to make a bet that security wasn’t included in the design?

The thing I really don’t understand is why the umbrella handle has to change color. Once the umbrella is out of range of the WAP, it’s just a regular handle, right? Moreover, you’ve already made the decision to carry the umbrella with you, so it’s not like you would put the thing down when the handle calls for clear weather. On the other hand, I don’t think anyone needs a handle to tell them when rain is falling on them. A measure of UV index perhaps could be useful, but rain? What’s next, wind? When the umbrella handle is gone, you’re in a hurricane.

Alright, I’m thinking about this way too much. I can’t even remember the last time I used an umbrella.

Anyperson ultrasound

Sci-fi movies seem to always have handheld scanners of one kind or another that tell future doctors everything they need to know about injuries. What better way to solve a health problem than to run a quick scan and look at a detailed color picture of someone’s insides? Spaceships send teams to remote and uncharted locations where medical resources are scarce (no cocoons or caskets that can repair or even completely rebuild a human), so portability is key.

Well, fiction is coming closer to reality again as a USB ultrasound device is waiting for FDA approval. Medical Technology Business Europe has reported the announcement by Direct Medical Systems:

Ppups is a complete ultrasound imaging system built into a small USB-compatible probe for B-mode imaging. The cost of the probe is under $3,700 and it weighs 7.5 ounces. The probe is made operational by loading the software and plugging the USB cable into the USB (2.0) port.

I have to say, from my own experience building an ultrasound network, that this seemed like the most likely medical technology to go portable since most of it already was fairly mobile. Now if they could just get that hand-held MR (or at least home-based) program off the ground, we could all rest a little bit better at night; especially those of us in remote and uncharted territory.

Future changes to the PCI DSS

The news last week was that the Payment Card Industry Data Security Standard (PCI DSS) will be changing soon. In particular, a director from MasterCard was quoted at a conference:

this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures, he said. In response, changes to PCI will let companies replace encryption with other types of security technology, such as additional firewalls and access controls, Maxwell said. ‘There will be more-acceptable compensating and mitigating controls,’ he said.

This quote appears to suggest that there will be a significant alteration of the encryption requirement, section 3.4, which today reads:

Render sensitive cardholder data unreadable anywhere it is stored, (including data on portable media, in logs, and data received from or stored by wireless networks) by using any of the following approaches:
– One-way hashes (hashed indexes) such as SHA-1
– Truncation
– Index tokens and PADs, with the PADs being securely stored
– Strong cryptography, such as Triple-DES 128-bit or AES 256-bit with associated key management processes and procedures. The MINIMUM account information that needs to be rendered unreadable is the payment card account number.

However, Visa has communicated that it did not agree to change this requirement and has reiterated that there are already multiple acceptable ways to render cardholder data unreadable. Compensating controls for encryption of stored data will be included in an appendix in the next version of the PCI DSS, but it is important to note that compensating controls are only allowed as a short-term measure, and they must still sufficiently mitigate the risk addressed by the PCI requirement with the same or better preventive force as the original requirement.

The planned changes to the PCI DSS are actually fairly minor, intended to clarify the existing requirements rather than to make them less stringent.
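To make section 3.4 concrete, here is an added example (not code from the original post or from the PCI council) that renders a PAN unreadable with three of the four listed approaches: truncation, a one-way hash, and strong cryptography (AES-256-GCM rather than the Triple-DES the 2006 text also permits). It also shows the caveat a practitioner needs: an unkeyed SHA-1 of a PAN stored anywhere near a truncated copy of the same PAN is reversible with about a million hash calls, which is why the "hashed index" should be an HMAC under a key held outside the database. Index tokens with separately stored PADs are not shown. The sample PAN is the well-known Visa test number, constructed here; the key is generated in `main` for the demo and would come from a key manager in practice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed sample PAN: the standard Visa test number, not a real account.
const samplePAN = "4111111111111111"

// Truncate keeps the first six (issuer) and last four digits and discards the
// rest; only the retained digits would ever be stored.
func Truncate(pan string) string {
	if len(pan) < 10 {
		return ""
	}
	return pan[:6] + strings.Repeat("x", len(pan)-10) + pan[len(pan)-4:]
}

// PlainHash is the naive reading of "one-way hashes such as SHA-1": an
// unkeyed digest of the raw PAN.
func PlainHash(pan string) string {
	sum := sha1.Sum([]byte(pan))
	return hex.EncodeToString(sum[:])
}

// RecoverPAN shows why PlainHash alone is not "unreadable": with a truncated
// copy of the same PAN nearby, only six digits are unknown (10^6 SHA-1 calls).
func RecoverPAN(first6, last4, hash string) (string, bool) {
	for i := 0; i < 1000000; i++ {
		candidate := fmt.Sprintf("%s%06d%s", first6, i, last4)
		if PlainHash(candidate) == hash {
			return candidate, true
		}
	}
	return "", false
}

// KeyedHash is the "hashed index" to build instead: an HMAC under a secret key
// kept out of the database. Lookups still work; the brute force needs the key.
func KeyedHash(key []byte, pan string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(pan))
	return hex.EncodeToString(mac.Sum(nil))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt renders the PAN unreadable with AES-256-GCM (32-byte key). The nonce
// is prepended; the key is what the "key management procedures" protect.
func Encrypt(key []byte, pan string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// Decrypt reverses Encrypt; GCM's tag makes it fail on any tampering.
func Decrypt(key, ct []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(ct) < ns {
		return "", fmt.Errorf("ciphertext too short")
	}
	pt, err := gcm.Open(nil, ct[:ns], ct[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // demo only; in production this comes from a key manager
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	h := PlainHash(samplePAN)
	pan, _ := RecoverPAN(samplePAN[:6], samplePAN[12:], h)
	fmt.Println(Truncate(samplePAN), h, "recovered:", pan)
	ct, _ := Encrypt(key, samplePAN)
	pt, _ := Decrypt(key, ct)
	fmt.Println(KeyedHash(key, samplePAN), hex.EncodeToString(ct), pt)
}
```

The point of `RecoverPAN` is that the four approaches in 3.4 are not freely combinable: a truncated PAN and an unkeyed hash of the same PAN, stored together, reconstitute the full number. The keyed HMAC keeps the "hashed index" usable for lookups while moving the secret into the key, which is the same key-management problem the encryption option already has to solve; later revisions of the standard require exactly that, a keyed hash of the full PAN.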