The Var Guy is reporting a follow-up on VMware's plans for Zimbra, the open source e-mail/groupware solution it purchased from Yahoo in January. What is being discussed and reported is that VMware will begin selling and supporting appliances with the open source software installed and configured. They will not be starting their own hosting option but will instead rely on the over 500 existing VMware hosting-focused companies. The goal of this is to go directly after Microsoft's e-mail product, Exchange. This should be interesting to watch.
"Linux server revenue share grew to 16.8 percent, says IDC, and Linux is now running on 91 percent of the 500 fastest supercomputers."
Very cool to see things moving forward at such steady pace. Check out the article and amaze your friends with a fresh set of stats.
I came across a great story about how one fast food chain used Linux to fix the McAfee issue from a few weeks back. The really cool thing about it for me was that it was a Windows admin taking a walk on the open side of life. The story gives great background and detail on what they fixed and how, and it also includes some of the scripts they used to pull off the rescue. Having been on the operations side of the house my whole career, I can really appreciate what this team went through. The story is a great example of how a good team with open and free dialog can always find the best solution for any situation, no matter how bad it looks.
Molly Wood from Cnet.com coined one of my favorite phrases when she described the literal.net as people reading anything on the internet and then assuming it's true. I recently faced a literal.net moment when I started receiving a flurry of e-mails about concerns raised by this article at SQLmag.com. It's about a new Massachusetts law that supposedly makes it a finable offense to store even just a person's first and last name without encrypting it. I love it when people write stupid laws, so I started digging in expecting to read some really hard to follow legal jargon I could easily misunderstand. So I started tracing back the article and others related to it. The first place I went was the article referenced by SQLmag.com over at InformationWeek.com. After reading it I was still missing where the need to encrypt even a first and last name came from. So I went looking for the law itself with a quick Google search.
What I found when I got there has to be one of the easiest to read laws I have ever seen. It's also much less scary once you have read it. Here are some key points I think will help you understand why I am saying this.
Let's start with the purpose of the regulation:
"This regulation implements the provisions of M.G.L. c. 93H relative to the standards to be met by persons who own or license personal information about a resident of the Commonwealth of Massachusetts. This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. The objectives of this regulation are to insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer."
Sounds pretty normal and generally a great thing for consumers, right? I thought so at least. I dug in to find out what "M.G.L. c. 93H" meant and found the really hard to read stuff I thought I would find with the first link. It sounds like this document is the explanation of how to comply with the law. So I kept reading and looking for where it said that even a person's first and last name, assuming that is the only information you are keeping, needs to be encrypted. What I found was this in the definitions section:
"Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that "Personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public."
So according to this extremely clear statement, all of the usual suspects are covered, and not just first and last name as the sqlmag.com article suggests: the name counts as personal information only in combination with one of the listed data elements. The rules listed here for what counts as PI are consistent with the rules used by almost every industry and government agency in the US. So, as per usual, if you are storing information that a hacker can use to cost a person money, you need to at least attempt to encrypt it and reasonably protect the physical assets that hold the data, whether electronic or paper.
The only thing that is different, though not burdensome, is that you must have a written security plan. If your company has or uses this type of data and doesn't have a plan already written, then you should. It's the first thing most auditors will ask you for when doing an audit. It's also going to be in the first discovery request if you get hacked and then sued by your customers.
sqlmag.com is a blog focused on, if not funded by, Microsoft SQL Server. Microsoft's latest release now offers what it calls Transparent Data Encryption. Sounds really useful in this case, right? The author even points this new feature out in the article.
What's the moral of this story? Before you start worrying about new rules or laws and how they affect you, take a little time to do your homework. With your friend and mine, Google, or Yahoo, or even Bing, you could have done the research I did in less than 30 minutes. If I were running a business that this affected, I would never trust a blogger on the internet, not even me, for legal advice unless he was a lawyer blogging about the law. I would run the question past my legal counsel before spending my development or system administration resources' time implementing it. Your legal counsel is there to help you protect yourself from exactly this type of threat.
In case you missed it, please do not believe that I am an expert in any way. Seek legal counsel if you store any data about your customers and some of them live in MA. They are truly the best source you have about this possible threat.
You have to kind of wonder if the Red Hat CEO is starting to get jealous about all the press Novell is getting over the hedge fund's attempt to buy them. So far I have found good articles on the net this week. There are several over on The Var Guy, linux-mag.com has a neat "what if MS bought them" proposal, and finally the nice folks over at h-online.com update us on the SCO battle. All in all I have to say it's been an exciting week for them.
Check out the articles and let us know what you think.