Shostack + Friends Blog Archive


New breach blog


Evan Francen is maintaining a breach blog with more structure and commentary [link no longer works] than either PogoWasRight or Attrition.

As I looked at it, I had a couple of thoughts.

  1. The first is that he doesn’t reference Attrition DLDOS numbers. (Then again, Pogo doesn’t either.) I think this is a mistake. When we founded CVE, it was because there were lots of independently maintained data sets like this, and correlation had become a problem. It feels like this is the same sort of data, and so getting coordination around cross-referencing would be great.
  2. My second thought is that in posts like his “The Breach Blog Month in Review November, 2007,” [link no longer works] he attempts to derive cost information by taking the Ponemon Institute’s $197 per-record number and multiplying it by the number of people affected. I think it’s possible to do better in several ways:
    • The numbers are broken out in the reports, and some of them are per-individual, and others are per breach. People deriving numbers should use the detailed information that the Institute offers.
    • There’s also the cost of lost business. Of the 5 organizations reporting a second (or later) breach, 4 were governments or government agencies: HMRC, Montana State University, the US Department of Veterans Affairs, and the Commonwealth of Massachusetts. It’s quite difficult for someone to stop interacting with HMRC or Massachusetts. It’s not possible to lose veteran status. It may be possible to get Montana State to destroy all personal data about you, but I doubt it. The fifth, Capital Health, is likely one or one of a very few health care options available to their customers. Given that the 2007 Ponemon report [link no longer works] states:

      The cost of lost business continued to increase at more than
      30 percent, averaging $4.1 million or $128 per record compromised. Lost business now accounts for 65 percent of data breach cost

      For those organizations, the cost of a breach could justifiably be counted as no more than $69 per record ($197 - $128 = $69).

Anyway, it’s great for a wide spectrum of breach analysis to emerge. That chaos and competition will lead to better analysis and better security for us all.

Image: “The Breaking Dam,” by ReubenInStt

2 comments on "New breach blog"

  • Lyger says:

    Good post, and a couple of points to consider:
    1. While we agree that breach analysis and more data are good things, I’m personally tired of the perception of “competition” between the various entities that gather data on breaches. Many months ago, I was frustrated about the fact that Attrition’s data was being used and quoted in the media without credit or attribution. That frustration is generally gone; Privacy Rights Clearinghouse, ITRC, and others have been very open in crediting as a source of their datasets. For that, we thank them. In general, it’s the *media* that gets things wrong when citing sources, which is an age-old problem that won’t disappear (at least within our lifetimes). A recent AP article about data breaches claims that Attrition and ITRC are the “only groups, government included, maintaining databases on breaches and trends each year”. We know that statement isn’t true, and we should question how and why such a conclusion was drawn by the journalist who wrote the story. ITRC does their thing, PRC does their thing, PogoWasRight does their thing, and everyone else can too. Attrition doesn’t want to be the “CNN Breaking News” of breach data, nor can we be an analysis and statistics factory covering every aspect of data breaches. To be honest, sometimes we have to take a break for OSVDB, Playstation, and [redacted].
    2. If other entities want to x-ref to DLDOS numbers, that would be great. Other than a handful of entries sent in by Chris Walsh, we have little to x-ref back to other than ITRC entry/DB numbers, which I would actually like to get done… someday. However, only once or twice has anyone actually offered to backfill or add entries to DLDOS; the last good effort was made by Dave Shettler, who created If anyone reading this comment would like to take the initiative and help us backfill data (i.e. total affected, ITRC x-refs, etc), PLEASE contact us. We won’t be jerks once you get past the obligatory drug test (you MUST test positive), promise. It’s not a job, it’s an adventure… AND THE PAY SUCKS. 😉

  • Dennis Thorp says:

    As a member of The Sons of the American Revolution, with a strong and proud military family, I feel our government has been playing games with our veterans ever since the Oneida Indian Nation fought in the Revolutionary War. They were among our first American soldiers and took up arms against the British to help our nation earn its independence. After our Revolution, our new government used seized British land to compensate our veterans, and the Oneida veterans were stripped of much of their original territory, by taking 10 million acres of land away from them. Look how they have been treated by our government ever since. The Oneidas are one of the area’s largest employers, and every time they try to better this area economically, they need to fight the State and the Federal Government to do so. You know that they have two citizenships, one for being a veteran of the Revolutionary War, and one from their mother’s blood. Now our service members have had repeated and extended deployments to war zones, which have driven a rise in post-traumatic stress among troops. It may be good to support your troops that are serving our interest, but it is better to demand accountability from those responsible for the lack of their care. The fact that VA hospitals are turning away those most in need is utterly disgusting. Those in charge of VA hospitals need to take responsibility for their lack of action. I think the whole VA system needs an overhaul, and very soon. With more and more wounded troops coming home, the need is there for both physical and mental healthcare. Our troops only deserve the best of all aspects of care! Wake up, America! We do not take care of our veterans like we should. Nobody who has ever encountered the VA medical system will be surprised by this. The entire operation is a horror show run mostly by lazy, self-important, arrogant and self-satisfied bureaucrats. This kind of treatment has been going on for years and years and years. VA hospitals are in a hopeless situation.
    For those who are closely associated with regular active duty military, this type of treatment is the rule and not the exception. Sad, but true. If certain services cannot be provided for a veteran or military patient, then they are supposed to be referred to a civilian facility, and there is supposed to be no cost to the service member or veteran. Many of our own go without, and this shouldn’t be a surprise for the VA system when it comes to treating any service-related condition. In this situation, the Iraq veteran is in the same boat as the Vietnam veteran was in the 1970’s. At least now they have a name for it, PTSD, and Agent Orange has been proven, but the VA doesn’t take it seriously! It’s terrible that our country is ignoring the cries of our vets. It’s no surprise what is happening with Syracuse Veterans Hospital if similar acts are occurring around the country. I’ve made many attempts in the last four years to talk with Mr. Cody, who is self-important, arrogant, “don’t call me, I’ll call you,” and is the head of the VA hospital in Syracuse NY, about these conditions, and as it stands there’s been no dialog. I believe that Mr. Jim Cody should tender his resignation for the good of our veterans. Dennis Thorp is a native of Frankfort and served as a U.S. Army medic during the Vietnam War. He is co-founder of Agent Orange Victims International. Doctho@roadrunner
