Cryptography
Security Practitioners' Forum (April 28, 2008) [Modern Cryptography]
Submitted by tintagel on Mon, 2008-04-28 18:30. Cryptography | Events | Meetings | SPF
The monthly meeting of the Security Practitioners' Forum (Security Users' Group)
- Topic: Cryptography 102
- Modern Cryptography
- Presenter: Jerry Crow
A continuation of the material covered in Cryptography 101 (March 2008), this presentation addresses contemporary cryptographic techniques in greater detail, with particular emphasis on so-called "public key" cryptography. I will avoid mathematical detail to the extent possible, but certain topics, public-key cryptography in particular, require a foray into basic mathematical concepts.
The presentation is organized as follows:
- Review of Crypto 101
- An unbreakable symmetric crypto system
- Basic mathematics of asymmetric systems
- Public Key cryptography
- Hashing algorithms
About the Speaker:
Jerry Crow's 35-year career in information technology includes experience with mainframe operating systems, notably Honeywell's GCOS; formal work with software engineering and software metrics; line management of a software development group; work with local and wide area networks; and administration level experience with every major flavor of commercial UNIX and Linux. His contemporary areas of focus include information technology security, information protection and computer forensics.
Security Practitioners' Forum (March 24, 2008) [Cryptography 101]
Submitted by tintagel on Mon, 2008-03-24 18:30. Cryptography | Events | Meetings | SPF
The monthly meeting of the Security Practitioners' Forum (Security Users' Group)
- Topic: Cryptography 101
- History of Cryptography through Enigma
- Presenter: Jerry Crow
This presentation will offer an overview of general cryptographic concepts and history, and then address the common cryptographic systems used prior to the advent of the digital computer.
The presentation is organized as follows:
- Historical origins of cryptography
- Notable individuals and dates
- Basics of substitution systems
- Automated substitution systems
- Military impact of cryptography
- 20th century cryptography
- Social impacts of cryptography
About the Speaker:
Jerry Crow's 35-year career in information technology includes experience with mainframe operating systems, notably Honeywell's GCOS; formal work with software engineering and software metrics; line management of a software development group; work with local and wide area networks; and administration level experience with every major flavor of commercial UNIX and Linux. His contemporary areas of focus include information technology security, information protection and computer forensics.
TechWeb: Cleaning up data breach costs 15x more than encryption
Submitted by tintagel on Thu, 2006-07-13 13:13. Cryptography
ITNews are running the following, rather interesting story:
Protecting customer records is a magnitude less expensive than paying for cleanup after a data breach or massive records loss, a research company said Tuesday.
Gartner analyst Avivah Litan said in a research note that data protection is cheaper than a data breach. She recently testified on identity theft at a Senate hearing held after the Department of Veterans Affairs lost 26.5 million vet identities.
"A company with at least 10,000 accounts to protect can spend, in the first year, as little as $US6 per customer account for just data encryption, or as much as $US16 per customer account for data encryption, host-based intrusion prevention, and strong security audits combined," Litan said in an accompanying statement.
FBI Password Database Compromised by Consultant
Submitted by tintagel on Thu, 2006-07-06 12:18. Cryptography | Exploits | Politics
The Seattle Times are running a priceless story about the FBI:
A government consultant, using computer programs easily found on the Internet, managed to crack the FBI's classified computer system and gain the passwords of 38,000 employees, including that of FBI Director Robert Mueller.
The consultant used a program downloaded from the Internet to extract "hashes" — user names, encrypted passwords and other information — from the FBI's database. Then he used another program to crack the passwords by using dictionary word comparisons, lists of common passwords and character substitutions to figure out the plain text passwords.
Gone in 20 Minutes: using laptops to steal cars
Submitted by tintagel on Wed, 2006-05-03 14:02. Applied | Cryptography | Hardware | Vulnerabilities
I realize that this is a case of the blindingly obvious, but many of us may not have considered that InfoSEC applies to your car too.
From: LeftLaneNews - "High-tech thieves are becoming increasingly savvy when it comes to stealing automobiles equipped with keyless entry and ignition systems."
"While automakers and locksmiths are supposed to be the only groups that know where and how security information is stored in a car, the information eventually falls into the wrong hands."
VPN on a shoestring (budget)
Submitted by tintagel on Thu, 2006-04-13 23:54. Cryptography
In an unusual turn of events* there is a rather informative discussion on VPN solutions at Slashdot.
*Tongue planted firmly in cheek.
Gramm-Leach-Bliley: No Duty To Encrypt
Submitted by tintagel on Tue, 2006-03-21 00:22. Cryptography | Financial Services | Legal | Politics | Regulation
FindLaw.com have the following story:
"In a legal decision that could have broad implications for financial institutions, a court has ruled recently that a student loan company was not negligent and did not have a duty under the Gramm-Leach-Bliley statute to encrypt a customer database on a laptop computer that fell into the wrong hands."
SecurityFocus.com's Mark Rasch has an excellent article about this decision [PDF].
Scott Granneman on DRM
Submitted by tintagel on Mon, 2006-03-20 18:27. Cryptography | Politics | Reviews
Scott Granneman at SecurityFocus.com has published a rather lucid article on why DRM is a bad idea. While DRM is somewhat of a niche of the InfoSEC world, the choices we make today will likely have lasting effects on our industry, our liberties and the nature of personal property. Two of his more eloquent quotes follow:
"Digital Rights Management hurts paying customers, destroys Fair Use rights, renders customers' investments worthless, and can always be defeated. Why are consumers and publishers being forced to use DRM?"
"When I realized that I couldn't copy text out of The Complete New Yorker, I felt like a sucker - a sucker that had been conned by the same people to whom I willingly gave my money. As a college instructor, I especially thought of the loss to my students..."
[NB: Yes. I'm on my soapbox. Time to get off of it again.]
Serious flaw in GPG uncovered, patched
Submitted by tintagel on Fri, 2006-03-10 00:44. Cryptography | Software | Vulnerabilities
According to this vulnerability report "it is possible for an attacker to take any signed message and inject extra arbitrary data." All versions of gnupg prior to 1.4.2.2 are affected.
GPG is the GNU Privacy Guard, a tool similar to PGP.


