Shostack + Friends Blog Archive


"No Evidence" and Breach Notice

According to ZDNet, “Coleman donor data breached in January, but donors alerted by Wikileaks not campaign:”

Donors to Minnesota Senator Norm Coleman’s campaign got a rude awakening this week, thanks to an email from Wikileaks. Coleman’s campaign was keeping donor information in an unprotected database that contained names, addresses, emails, credit card numbers and those three-digit codes on the back of cards, Wikileaks told donors in an email.


We contacted federal authorities at that time, and they reviewed logs from the server in question as well as additional firewall logs. They indicated that, after reviewing those logs, they did not find evidence that our database was downloaded by any unauthorized party.

I wanted to bring this up, not to laugh at Coleman (that’s Franken’s job, after all), but because we frequently see assertions that “there’s no evidence that…”

As anyone trained in any science knows, absence of evidence is not evidence of absence. At the same time, sometimes there really is sufficient evidence, properly protected, that allows that claim to be made. We need public, documented and debated standards of how such decisions should be made. With such standards, organizations could better make decisions about risk. Additionally, both regulators and the public could be more comfortable that those piping up about risk were not allowing the payers to call the tune.

4 comments on ""No Evidence" and Breach Notice"

  • tim says:

    Living in MN I’ve been following this with amusement.
    In this type of simple absurd case when there is a statement of “no evidence…” – the automatic assumption that should be made is that the frak’n data has been breached. But most cases aren’t as clear cut or as simple as this and quality of records is all across the board.
    (didn’t vote for either Franken or Coleman so I am extra amused by all this)

  • Dan Weber says:

    As anyone trained in any science knows, absence of evidence is not evidence of absence.
    I disagree. Absence of evidence is most assuredly evidence of absence.
    However, absence of proof is not proof of absence.
    Evidence isn’t absolute. Each side in a court case can have evidence and one piece of evidence can directly contradict another piece.
    If I look in my backyard for a silver dollar and don’t find one, that is evidence towards the fact that one isn’t there. It’s not proof, of course.

  • Pete says:

    Here is more on “absence of evidence” in support of Dan’s comment:

  • Bill Bartmann says:

    Excellent site, keep up the good work
