It’s one type of incompetence to keep the personal identifiers and financial data of customers on your laptop and then lose it — twice; it’s an entirely different type of incompetence that allows government data to be compromised through a network. Last year at TechEd, a demo showed how a completely patched network could be compromised using an exploit in a web site. The best part of the exploit was made possible by turning on more functionality than was necessary. Namely, one issue in the demo was that the router configuration allowed port 80 and port 443 traffic — despite the fact that SSL was not in use on the web site.
Regardless of the platform being used, many of these compromises are possible these days not due to the operating system itself, but due to assumptions made about users, lack of planning, or pure laziness of administrators and developers. This is one major reason why I’m not a big fan of agile. Despite the best arguments I’ve heard for agile software development, I have witnessed too much emphasis on feature completion without regard to overall system security. I would encourage you all to read Michael Howard’s new book on the security development lifecycle (link provided below).
Whatever the case — whatever the cause — I would urge the community to pay attention to the recent news stories, learn to start protecting important data, and please stop putting personal and financial information that doesn’t belong to you on your laptop!
For more Microsoft resources on security, please check out the following:
General Security Websites: