In response to an Oct. 1 story, Nevada mandates encrypted personal data:
The Nevada statute does NOT allow for a consumer to bring suit; instead, that right is held by the “data collector” who is breached, or by the state's Attorney General. Also, the definition of encryption in the Nevada law is poorly defined, as they allow “the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant (NRS 205.4742).” Computer contaminants as a protective measure? Now I'm worried.
In response to an Oct. 3 story, Was Forever 21 wrongly certified PCI compliant?:
Being PCI compliant is not the same as being secure. Kudos to [Ken Stasiak, president/CEO, Secure State] for stating this.
Example: PCI section 6.6 says you can be compliant by running an automated external black box application scan. These won't even find all of the OWASP top 10 vulnerabilities, and locate only about one-sixth of the total types (not instances) of exploitable vulnerabilities that may be present.
PCI compliance is a good thing, but no one should believe it equals acceptable levels of security.
In response to an Oct. 8 online story: “Symantec to acquire MessageLabs”:
And then there were three – MX Logic, Google (Postini) and now Symantec with MessageLabs. As Scott Crawford asserts, this leaves little doubt about the rapid evolution toward managed security services. We congratulate Symantec and welcome them to the managed services arena.
Pete Khanna, president/COO, MX Logic
In response to an Oct. 21 online story, Scientology website hacker charged:
Well, what kind of “church” goes around picking fights with kids on the internet, anyway? Prolexic [Technologies] even used this cult as a case study on what NOT to do to make yourself a target.
The opinions expressed in these letters are not necessarily those of SC Magazine.