Use of smell for security

Australian researchers have been training an endangered species, the quoll, not to eat large, poisonous toads. It seems to be working.

The challenge, explained Dr Webb, was that the toads have very large toxin glands in their shoulders, primarily containing chemicals called bufadienolides, which can very quickly induce a cardiac arrest.

“The quolls see the toad as a big frog,” he explained.

“It looks good to eat, so they just pounce on it and get a fatal dose of toxin. There’s no chance they can learn from the encounter.”

Now the quolls are being trained by a bad experience with toad meat in a form that will not kill them, so they learn to avoid toads before a fatal encounter. The researchers have worked before with feral cats. The next question is whether this would work for species such as coyotes and wolves.

IRS Safeguards Program

Tax time seems like an appropriate time to make note of the IRS Safeguards Program.

The Safeguards Program and staff are responsible for ensuring that federal, state and local agencies receiving federal tax information protect it as if the information remained in IRS’s hands.

These agencies and their contractors receiving federal tax information must protect the confidentiality of return information and are periodically reviewed by Safeguards personnel to ensure they meet the safeguarding requirements of IRC 6103(p)(4). These requirements include employee awareness programs, proper disposal, secure storage and computer security among others.

Changes to PCI

Discussion has long been underway regarding changes to the PCI DSS. The standard gets a refresh every two years, and the last release was version 1.2 in October 2008. Here are two examples of what to expect this coming October:

1) Some have suggested that segmentation will be clarified. I suspect this will not be a significant update.

The problem with segmentation is not that it is difficult to do or understand. The problem has been that some assessors have made mistakes. A firm that shall remain nameless has tried to argue that Active Directory alone, for example, would constitute adequate access control for segmentation. A QSA should know this is not true: segmentation is a network-layer control (firewalls, router ACLs, filtered VLANs) that limits which systems can reach the cardholder data environment at all, whereas directory authentication only decides who may log in once a connection is already possible.

Those responsible for the compliance language simply have to make it clear that things like directory authentication are not sufficient on their own for proper segmentation. Clarifying or teaching what we already (should) know is necessary, but it is still a minor update: most of us will continue to do things the way we have been doing them, while a few will be brought up to where they should have been.
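The practical consequence of the point above is that segmentation is demonstrated on the wire, not in a directory. The following Python is an added example, not code from the original post or from any assessor or vendor: run from a host in a zone that is supposed to be outside the cardholder data environment, it tries a TCP handshake to each CDE service and reports every case where what is reachable disagrees with policy. The host list, ports, the "allow"/"deny" labels and the local listener that stands in for a CDE database are all constructed for the demonstration; a reachable service that a directory would merely refuse to log you into is exactly the case an AD-only argument misses.

```python
import socket
import threading

# Assumption: this runs from a host in a zone that is supposed to be outside
# the cardholder data environment (CDE). Each rule is (host, port, expected)
# where expected is "allow" (a sanctioned path, e.g. a jump host) or "deny"
# (a CDE service that must not answer from this zone at all).


def tcp_reachable(host, port, timeout=1.0):
    """True if a TCP handshake to host:port completes from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_segmentation(rules, timeout=1.0):
    """Return every rule whose observed reachability disagrees with policy.

    An empty list is the evidence an assessor wants: nothing in the CDE
    answers from this zone except the paths explicitly allowed. Whether a
    directory would later refuse the login is irrelevant to segmentation.
    """
    violations = []
    for host, port, expected in rules:
        observed = "allow" if tcp_reachable(host, port, timeout) else "deny"
        if observed != expected:
            violations.append((host, port, expected, observed))
    return violations


def start_listener(host="127.0.0.1"):
    """Stand-in for a CDE service on an ephemeral port (constructed for the demo)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """An ephemeral port nothing is listening on (constructed for the demo)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Two CDE services: one answers on the wire (only the directory would stop
    a login), one is actually filtered. Returns the ports and the violations."""
    srv, db_port = start_listener()
    closed_port = free_port()
    rules = [
        ("127.0.0.1", db_port, "deny"),      # reachable: AD-only "segmentation"
        ("127.0.0.1", closed_port, "deny"),  # unreachable: real segmentation
    ]
    try:
        return db_port, closed_port, check_segmentation(rules, timeout=0.5)
    finally:
        srv.close()


if __name__ == "__main__":
    db_port, closed_port, violations = demo()
    for host, port, expected, observed in violations:
        print(f"{host}:{port} policy={expected} observed={observed}")
```

Against a real environment the rule list would name the CDE databases, application servers and management interfaces, and the script would be run from each non-CDE zone in turn; any "deny" rule that comes back "allow" is a segmentation finding regardless of who can authenticate.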

2) Data discovery changes in October will be more significant.

A hint of what to expect can be found in the April 20, 2010 Visa Security Bulletin, “Cardholder Data Security Best Practices for VisaNet Processors”. Companies that want to be PCI compliant need to be able to find all cardholder data within their storage, processing and network environments. This will become stricter in that tools to scan for and find the data will almost certainly be required. The card brands have always emphasized this, but they are about to push the point even harder. Here is an extract of the Visa language that should be considered today:

Create a data matrix detailing all of the business lines and processes that handle cardholder data. Explain the need for such data and note whether the data is being stored, processed and/or transmitted.

Specify all of the resources (including networks, systems, applications, databases, services, components and users) for each business line and process that have access to card data and explain the need for that access.

Adopt data loss prevention (DLP) solutions to actively locate card data in real time across the organization’s resources (including networks, systems, applications, databases and components). Some DLP solutions can alert designated individuals when unauthorized and unprotected card data storage is found, and prevent attempted, unauthorized transmission of card data out of the cardholder data environment.

We are thus already talking with customers about solutions to monitor and find cardholder data in real time and then quickly establish whether it is outside authorized business processes.

The change is significant because few if any organizations have a truly comprehensive grasp of all cardholder data in their environments. This will have to change for compliance.

The change is also significant because the tools that would automate this discovery work do not yet perform well enough to be production quality. That too will probably change for compliance. Run Spider a few times and you will most likely find yourself falling back to manual review of directories, because pattern matching on digit strings turns up far more false positives than card numbers.
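To make the discovery problem concrete, here is an added example in Python; it is not code from the original post, from Visa, or from any discovery product. It walks a directory tree, pulls out 13 to 19 digit candidates, and keeps only those that pass the Luhn check and a small issuer prefix/length table. The sample files it scans are constructed inline from published test card numbers and look-alike noise (an order number that fails Luhn, and an IMEI that passes Luhn but matches no issuer), which is the false-positive problem that drives people back to manual review. The issuer table is a deliberately abbreviated assumption; a production scanner carries full IIN ranges.

```python
import os
import re
import tempfile

# Candidate PAN: 13 to 19 digits, optionally split by single spaces or dashes,
# and not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Issuer prefix and length rules. Assumption: a deliberately small table for
# illustration; a production scanner carries the full IIN ranges.
ISSUER_RULES = (
    ("Visa", ("4",), (13, 16, 19)),
    ("MasterCard", tuple(str(n) for n in range(51, 56)), (16,)),
    ("Amex", ("34", "37"), (15,)),
)

# Constructed sample files: published test card numbers plus look-alike noise
# (an order number and an IMEI). None of this is real account data.
SAMPLE_FILES = {
    "logs/app.log": "2010-04-20 12:01:55 order=1234567890123456 pan=4111111111111111 status=ok\n",
    "exports/batch.csv": "id,card,amount\n17,5500-0000-0000-0004,19.99\n18,378282246310005,250.00\n",
    "inventory/devices.txt": "handset IMEI 490154203237518 assigned to desk 4\n",
    "docs/readme.txt": "No card data here. Call 555-0100 ext 1234.\n",
}


def luhn_ok(digits):
    """Luhn check shared by payment cards (and by IMEIs, which is why Luhn alone
    is not proof of a PAN)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def classify(digits):
    """Issuer name when the digits match a known prefix and length, else None."""
    for name, prefixes, lengths in ISSUER_RULES:
        if digits.startswith(prefixes) and len(digits) in lengths:
            return name
    return None


def mask(digits):
    """Keep first six and last four, the most PCI DSS permits to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """(issuer, masked PAN, byte offset) for each candidate passing Luhn and issuer rules."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            continue
        issuer = classify(digits)
        if issuer is None:
            continue
        hits.append((issuer, mask(digits), m.start()))
    return hits


def scan_tree(root):
    """Walk root and map each file that holds PANs to its findings. Unreadable
    files are skipped; non-text content is read with decoding errors ignored."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    hits = find_pans(fh.read())
            except OSError:
                continue
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def build_sample_tree(root):
    """Write the constructed sample files under root."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def demo():
    """Scan the constructed tree in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        for issuer, masked, offset in hits:
            print(f"{path}: {issuer} {masked} at byte {offset}")
```

Two things in the output are worth noticing. The order number in app.log is a 16-digit string that any naive regex would flag, and Luhn alone removes it; the IMEI in devices.txt survives Luhn and is only dropped by the prefix/length rule. Real environments add compressed archives, databases, mail stores and binary formats on top of this, which is where the production tools still fall short and the manual review begins.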

Voltage CPU attack on encryption

Three researchers at the University of Michigan claim to have found a way to break encryption by lowering the voltage going to a CPU: run below its rated voltage, the processor occasionally makes arithmetic mistakes, and the faulty results it produces during RSA private-key operations leak the key. The BBC explains it in “Web security attack ‘makes silicon chips more reliable'”.

The implications of the research do not stop at security. It is also helping to produce error correction systems that spot when transistors fail and ensure that data is not corrupted as a result.

I would still classify that as security. Data integrity is within scope of a security assessment of the chip, as is data availability.
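As an added worked example (not from the post, the BBC article or the Michigan researchers' paper), the following Python shows why a single arithmetic mistake during RSA signing is a key-recovery problem, and why the error-detection side is security in its own right. The fault is simulated by flipping one bit of an intermediate value, standing in for the error an undervolted multiplier makes; the attack shown is the classic CRT fault attack of Boneh, DeMillo and Lipton, which differs in detail from the Michigan attack on the exponentiation itself but rests on the same principle. The small fixed primes and the message are assumptions chosen so the whole thing runs instantly.

```python
from math import gcd

# Toy RSA key with small fixed primes. Assumption: real keys are 2048-bit; the
# algebra below is identical at any size.
P = 1000000007
Q = 998244353
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

# CRT exponents and Garner coefficient, as used by OpenSSL-style signing.
DP, DQ = D % (P - 1), D % (Q - 1)
QINV = pow(Q, -1, P)


def crt_sign(m, fault=False):
    """RSA-CRT signature of m (an integer below N).

    With fault=True one bit of the mod-q half is flipped, simulating the
    arithmetic error an undervolted CPU can make in a single multiplication.
    """
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault:
        sq = (sq ^ (1 << 7)) % Q
    h = (QINV * (sp - sq)) % P  # Garner recombination
    return sq + Q * h


def verify(m, s):
    """Public-key check: s is a valid signature of m iff s^e == m (mod N)."""
    return pow(s, E, N) == m


def recover_private_key(m, faulty_sig):
    """CRT fault attack: the faulty signature is still correct mod p, so
    faulty_sig^e - m is divisible by p but not by q, and gcd with N gives p.
    Returns (p, q, d) on success, None if the signature was not faulty."""
    p = gcd(pow(faulty_sig, E, N) - m, N)
    if p in (1, N):
        return None
    q = N // p
    d = pow(E, -1, (p - 1) * (q - 1))
    return p, q, d


def sign_checked(m, fault=False):
    """Countermeasure: verify before release, so a corrupted computation is
    detected (an integrity control) and the key-leaking value never leaves."""
    s = crt_sign(m, fault)
    if not verify(m, s):
        raise RuntimeError("computation fault detected; signature withheld")
    return s


if __name__ == "__main__":
    msg = 123456789012345678  # constructed message hash, below N
    bad = crt_sign(msg, fault=True)
    print("faulty signature verifies:", verify(msg, bad))
    print("recovered (p, q, d) matches key:", recover_private_key(msg, bad) == (P, Q, D))
    try:
        sign_checked(msg, fault=True)
    except RuntimeError as exc:
        print("checked signer:", exc)
```

One faulty signature is enough; the attacker never needs a correct one for the same message, only the public key and the input. The verify-before-release check is the same transistor-failure detection the BBC describes, viewed from the other side: it is there to stop a corrupted result from becoming an exploitable one.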