Fond farewell
I would like to thank you for taking the time and effort to write about Bill Hancock ["Bill Hancock, convivial information security pioneer – and amateur stand-up comic – dead at 49," scmagazine.com, Jan. 4]. Although I didn't know him well, I admired his contributions in information security and had the opportunity to see him at conferences.

Peter Thermos,
CTO,
Palindrome Technologies

Give or take
I just read your article regarding the United States reaching the 100 million mark in exposed records ["A dubious milestone," scmagazine.com, Dec. 14]. You say: "That means roughly one in three Americans has been exposed to the risk of identity theft since the Alpharetta, Ga.-based data broker revealed thieves gained illegal access to 163,000 customer records in Feb. 2005."

This is false. Consider the fact that the 40 million records stolen were transaction records from cardsystems and from BOA. That does NOT equate to one per person. That means that if I had 35 transactions on one of my credit cards then all 35 of those transactions were exposed leading to a tally of 35. So the total exposure is a LOT less than the one in three that you claim.

Lastly, consider the fact that most Americans have more than one credit/debit card and that would bring the number to even lesser proportions.

Tapan Trivedi
via email

MySpace, or not
I find it interesting that the MySpace story ["MySpace releases temporary QuickTime flaw fix," scmagazine.com, Dec. 7] is being spun as a flaw in QuickTime.

Maybe it is, but MySpace has already admitted that the flaw was with their site, and it's simply Javascript support in QuickTime that was being exploited. Which is it? Spinning it as a flaw in QuickTime is easy.

Ted Wood
via email

Reporter Dan Kaplan responds: Both MySpace.com and Apple are at fault. Even F-Secure dubbed the worm "Quickspace." The worm appears to have fed on a cross-site scripting weakness in MySpace. At the same time, MySpace also relies on the security of its partners to ensure they are providing the most secure third-party software. Ultimately, though, this should serve as a wake-up call to MySpace that the days of innocent worms (i.e. Samy) are over – financially motivated attacks are here to stay.