The WiKID Blog, musings on two-factor authentication, information security and some other stuff.
google-does-saml-but-has-anyone-done-it-plus
Posted by: admin 16 years, 3 months ago
I see that Google is allowing SAML for Apps for Domains. Anybody test this yet? I hope to get a chance to soon.
focusing-on-things-you-can-control
Posted by: admin 16 years, 3 months ago
The blogosphere is alive with talk about the FFIEC's guidance requiring stronger authentication for online banking. Inevitably, someone says how useless better authentication is when PCs are so insecure.
google-looks-to-protect-its-business-with
Posted by: admin 16 years, 3 months ago
I think Google's purchase of GreenBorder is very interesting. It shows that they see the threat that malware poses to online commerce and that they intend to do something about it. What's not clear is whether this acquisition was done with the goal of protecting payment processing (Google CheckOut) or whether it is meant to shore up security around their office application suite and their new offline access system, Google Gears. Perhaps Google is smart enough to know that both need additional security and is organized in such a way as to make it happen.
does-mandatory-disclosure-provide-an-incentive-to
Posted by: admin 16 years, 3 months ago
I was googling around when I came across an interesting paper, "Information as regulation: the effect of Community Right to Know laws on toxic emissions". I think that this paper has interesting similarities to the current state of affairs for breach notification laws. Consider the background:
In 1986, the American Congress voted the Emergency Planning and Community Right to Know Act. This law requires manufacturing companies in the United States with 10 or more employees to publicly disclose the quantity and type of toxic chemicals released into the environment. In July 1988, the Environmental Protection Agency published the first reports for toxic emissions in the calendar year 1987. Data from these reports have constituted the Toxic Release Inventory (TRI). And finally, in June 1989, the TRI was disclosed to the public for the first time. As a result, publicly traded firms whose TRI releases were first reported had to cope with negative abnormal market returns, i.e. a significant drop of their stock price. The paper examines how firms responded to this negative stock price information.
I also liked the reasoning for examining stock price changes:
Actually, there are two main reasons explaining why TRI announcements reduce firm value. First, a high and unexpected TRI announcement can be considered by investors as a warning of poor management practices and increased risk of spills or accidents. Second, TRI emissions disclosures can create a form of pressure from sensitive stakeholders : “green” consumers who may decide to boycott products of high polluting companies, ecologist groups who can sue the firm and, last but not least, the government who might target these firms for wider inspections. All of these mean high pollution-related expenditures (e.g. for penalties or new abatement equipment and methods) that will reduce the firm future profits. Consequently, investors get rid of their shares and the stock price decreases. This stock price hit is a strong incentive for the company executives to improve environmental performance and strengthen firm value in following years.
And I thought the conclusions were
On the average, the 130 firms mentioned in the media had a -0.299 % negative abnormal return on the day of the TRI disclosure, while it was -0.019 % the day before. The 40 firms with the largest negative stock price effects following announcement of their TRI emissions were found:
- to be among the top 1/3 of polluting firms (per dollar revenue) in their industries.
- not to be the largest absolute TRI emitters, which is consistent with the hypothesis that the market reacted more to unexpected TRI disclosures than to those that were already expected to be very large.
- to subsequently reduce their TRI emissions more than other firms in their industry (including those firms with the largest TRI/$ revenue prior to the disclosure of TRI levels).
- to also make other significant attempts at improving their environmental performance by reducing the number and severity of oil and chemical spills.
- to have a lower chance of receiving higher fines from the government in subsequent years.
These results clearly show that new and unanticipated information concerning a firm’s toxic emissions that has a significant impact on market valuation is a strong incentive for that firm to reduce subsequent emissions and to otherwise improve its environmental performance. From this point of view, providing information to the public may therefore be an effective remedy to reduce environmental externalities beyond a regulatory standard.
google-research-on-strong-authentication
Posted by: admin 16 years, 3 months ago
Ben Laurie and Eric Sachs from Google's security team have published an article on the Usability of Stronger Authentication Options. This is a very interesting document and it's great to see the large internet players focus on security. Unfortunately, in their list of strong authentication methods they do not include software tokens, which seems to me to be a pretty big oversight. Of course, I'm a bit biased. Here are my thoughts on Ben & Eric's concerns: