Later, after RSA described how it was attacked, the defense contractor Lockheed-Martin found its systems under attack. EMC admitted that its technology was breached in the Lockheed incident, and has since offered to replace the tokens of affected customers. Long a lynchpin of computer security at many companies and agencies doing sensitive work, there’s no question that the reputation of the SecurID system has been hurt.

Since the first attacks against RSA were disclosed, many of those organizations that have relied on the tokens have been trying to figure out what to do, and whether or not they can still trust them. One of those organizations was the National Security Agency, the super-secret spy agency who sets IT security policies throughout the U.S. government’s intelligence and defense establishments.

The unclassified document below is an internal advisory from the NSA’s Information Assurance Directorate concerning its recommendations. If your company is among those coping with the headaches that are arising as a result of all this, I thought at the very least it would make for interesting and hopefully useful reading. Granted, this document was issued in March, which was before RSA came clean on the details of the attack, but it may prove useful nevertheless.

NSA RSA Advisory

Apple has tapped security expert and author David Rice to be its director of global security, several sources have confirmed to me. He’s expected to start at Apple in March.

Apple hasn’t returned calls seeking comment.

There’s no word yet about what precisely Rice’s job will entail, and knowing secrecy-obsessed Apple, there likely won’t be. But it’s not hard to make a reasonable guess.

With iPhones and iPads penetrating the enterprise in ever more impressive numbers, companies want to know they’re secure.

Late last year Apple started working with Unisys to help it sell Apple products to corporations and government agencies, all of which are concerned about the security implications of iPhones and iPads running on their networks.

Those who know Rice describe him as a deeply respected name in IT security circles who not only can speak the kind of language that makes CIOs comfortable, but can also back up that language with the skills and knowledge to match.

Rice hasn’t yet responded to my messages seeking comment, but his bio is fascinating. He’s a 1994 graduate of the U.S. Naval Academy and has a master’s degree in Information Warfare and Systems Engineering from the Naval Postgraduate School. He served as a Global Network Vulnerability analyst for the National Security Agency and as a Special Duty Cryptologic officer for the Navy.

His LinkedIn profile says he’s executive director of the Monterey Group, a cybersecurity consulting firm. He’s also on the faculty of IANS, an information security research company.

He also works with the U.S. Cyber Consequences Unit, a nonprofit organization that researches the potential for cyber attacks and their impact. Before that he worked for the security firm Neohapsis.

His 2007 book, “Geekonomics,” has been described as the software industry’s equivalent of Ralph Nader’s “Unsafe at Any Speed.” In it he argues that software is modern infrastructure–just like a bridge (hence, the picture on the cover)– and if it’s poorly made or insecure, it constitutes a public hazard.

Those who buy software–consumers, corporations and governments–end up being “crash test dummies” for an industry with no accountability for losses incurred by their customers, he argues.

He goes on to peg the costs of patching faulty software at $180 billion a year, and says that’s probably conservative. Patching software for security weaknesses takes capital that might be used for other, more productive, things.

His solution? Taxes. In a 2008 interview with Forbes, he compared security vulnerabilities in software to the unavoidable pollution emitted by factories. Since software can never be perfect, a “bug tax” keyed to the number and severity of software bugs discovered would create an incentive for better quality control.

Rice would be the latest in a string of high-profile security hires at Apple.

Last March, it hired Window Snyder, the former security chief at Mozilla, as its senior product manager for security, and in 2009 it hired Ivan Krsti?, the former head of security for the One Laptop Per Child project, to work on core security for Mac OS X. Jon Callas, the former CTO of encryption software maker PGP, now a unit of Symantec, joined Apple last year.

In an interview on CNN’s “State of the Union,” the former vice president said that he owns an Amazon (AMZN) Kindle and used it to read James McPherson’s “Tried by War: Abraham Lincoln as Commander in Chief.” He said he also uses a BlackBerry, made by Research In Motion (RIMM), to keep up with the news now that he’s no longer in office.

Mr. Cheney follows in the footsteps of an increasingly wired crew of politicians. President Barack Obama fought to hang on to his BlackBerry before his inauguration, stoking speculation that he might have received a National Security Agency-approved device. Congressmen might as well declare themselves dinosaurs if they don’t create their own YouTube channels and Twitter constantly.

Read the rest of this post

Yesterday Dodd, along with Sen. Russ Feingold (D., Wis.) said they plan to take steps to block FISA as long as it grants retroactive immunity to telecoms complicit in the Bush administration’s warrantless surveillance program. “No one seriously wants to financially cripple our telecommunications industry,” Dodd said in remarks before the Senate last night. “The point is to bring checks and balances back to domestic spying. Setting that precedent would hardly require a crippling judgment. It’s much more troubling, though, that our director of National Intelligence even bothers to speak to ‘liability protection for private-sector entities.’ This isn’t the Secretary of Commerce we’re talking about, but the head of our nation’s intelligence efforts. For that matter, how does that even begin to be relevant to letting this case go forward? Since when did we throw entire suits out because the defendant stood to lose too much? It astounds me that some can speak in the same breath about national security and bottom lines. Approve immunity, and Congress will state clearly: The richer you are, the more successful you are, the more lawless you are entitled to be. A suit against you is a danger to the Republic! And so, at the rock-bottom of its justifications, the telecoms’ advocates are essentially arguing that immunity can be bought.”

And, according to MAPlight’s analysis of PAC campaign contributions from Verizon (VZ), AT&T (T) and Sprint (S), it can.

To prevail, Dodd’s filibuster must be supported by 41 of the 100 senators. If its opponents can muster 60 votes–a distinct possibility given the number of Democrat’s who’ve compromised with the Republican White House on this issue–it will fail. And the 40 or so lawsuits over civil-liberties violations arising from the Bush administration’s controversial domestic wiretap program will be dismissed.

That’s a good question to ask in light of FBI Director Robert Mueller’s call for “omnibus” Internet surveillance. In testimony to the Judiciary Committee of the House of Representatives on Wednesday, Mueller suggested legislation be passed that would give the bureau the right to monitor the Internet at the backbone level.

Said Mueller: “I think legislation has to be developed that balances on one hand, the privacy rights of the individual who are receiving the information, but on the other hand, given the technology, the necessity of having some omnibus search capability utilizing filters that would identify the illegal activity as it comes through and give us the ability to preempt that illegal activity where it comes through a choke point as opposed to the point where it is diffuse on the Internet.”

Shades of Carnivore, right? The “choke point” to which Mueller alludes is presumably the National Security Agency, which has been probing the data passing through the Internet backbone like some Orwellian spinal surgeon. Which is a little frightening. Because the packets of data being passed back and forth over the Internet don’t come prelabeled. There’s no “ILLEGAL ACTIVITY” designation. It’s just activity, and Mueller would apparently like permission to survey it all.

While respecting the privacy rights of the individual, of course. Thoughtful.

That’s a good question to ask in light of FBI Director Robert Mueller’s call for “omnibus” Internet surveillance. In testimony to the Judiciary Committee of the House of Representatives on Wednesday, Mueller suggested legislation be passed that would give the bureau the right to monitor the Internet at the backbone level.

Said Mueller: “I think legislation has to be developed that balances on one hand, the privacy rights of the individual who are receiving the information, but on the other hand, given the technology, the necessity of having some omnibus search capability utilizing filters that would identify the illegal activity as it comes through and give us the ability to preempt that illegal activity where it comes through a choke point as opposed to the point where it is diffuse on the Internet.”

Shades of Carnivore, right? The “choke point” to which Mueller alludes is presumably the National Security Agency, which has been probing the data passing through the Internet backbone like some Orwellian spinal surgeon. Which is a little frightening. Because the packets of data being passed back and forth over the Internet don’t come prelabeled. There’s no “ILLEGAL ACTIVITY” designation. It’s just activity, and Mueller would apparently like permission to survey it all.

While respecting the privacy rights of the individual, of course. Thoughtful.

The U.S. Senate approved espionage legislation yesterday that would not only grant the National Security Agency sweeping new powers to intercept international phone calls and emails, but it would also grant retroactive immunity to the telecom companies that participated in the government’s post-9/11 warrantless domestic spying program.

With a 68-29 vote, the Senate passed the revision to the 30-year-old Foreign Intelligence Surveillance Act along to the House of Representatives, which has already taken issue with its telecom-immunity provision. Said Sen. Chris Dodd (D., Conn.), “[The Senate has] just sanctioned … the single largest invasion of privacy in the history of the country.“

Sen. Russell Feingold (D., Wis.) was equally incredulous. “It is inconceivable that any telephone companies that allegedly cooperated with the administration’s warrantless wiretapping program did not know what their obligations were,” he said. “And it is just as implausible that those companies believed they were entitled to simply assume the lawfulness of a government request for assistance.”

Ah. And that being the case, it follows that we shouldn’t simply assume the lawfulness of a government request for broader clandestine surveillance powers. Right?

Said Michael Sussmann, a former Justice Department intelligence lawyer who represents several telecommunication companies: “This is a dramatic restructuring of surveillance law. And the thing that’s so dramatic about this is that you’ve removed the court review. There may be some checks after the fact, but the administration is picking the targets.”

Welcome to Oceania …

Today the NSA-preferred telecom announced AT&T Remote Monitor, a package of IP video cameras and environmental sensors with which to surveil business locations and the employees who work in them. “It’s a unique and affordable option for a small business that wants to keep in touch with various locations,” Steve Loop, executive director for business development at AT&T, told the New York Times. “It saves them a lot of time in their day from having to physically go to all of their locations.”

Bet that’s exactly how the NSA felt when AT&T provided it with access to millions of email messages, Web-browsing sessions and phone calls. Anyway … AT&T’s touting the service as an easy way to monitor employees, customers and operations, which folks like restaurateur Beaux Roby says is a necessity. “It is Big Brother,” Roby said, “but in this day and age, you need these type of tools.”

And AT&T is, of course, ready and willing to provide them–whether it’s busting time-wasting employees, filtering the Internet for widespread copyright infringement or building that massive database of Americans’ phone calls.

Anyway, together with NBC and Disney, AT&T has invested a combined $10 million in Vobile, a company whose VideoDNA is rumored to be the gold standard of video content recognition systems and is considering deploying it at the network level.

The mechanics of the initiative haven’t all been sorted out, but sources tell BusinessWeek that one scenario involves traffic on AT&T’s network being routed through racks of Vobile servers that would scan it for NBC Universal and Disney content. And perhaps child pornography as well, you know, just to make the idea of network-level monitoring a bit more palatable to the masses.

Such a strategy, if AT&T were to pursue it, would make the company the first major Internet carrier to implement a network solution to copyright enforcement. And it would beg a number of questions: Will AT&T police the Internet traffic of its customers alone? Or will it police traffic over all its backbones and peering points (IE: traffic from other ISPs)? The answers could be troubling.

Suffice to say privacy advocates who’ve been railing against AT&T over the NSA debacle and issues of Net neutrality aren’t exactly thrilled with the company’s latest move. “They better be very careful,” warned Lee Tien, a staff attorney with the Electronic Frontier Foundation. “This is serious, serious stuff, to basically invade the privacy of all of your subscribers.”