Category Archives: Security

Sunscreen Hall of Shame

The Environmental Working Group has posted a Sunscreen Hall of Shame based on analysis of ingredients in popular products.

The box’s directions tell users to “apply to eye area.” But read the fine print. It carries a warning that advises, “keep out of eyes.”

Why do sunscreen makers formulate products for use around the eyes that aren’t safe for eyes?

Because they can. There are no regulations to ensure that sunscreens are truly gentle to eyes.

Railroaded

Richard White, author of Railroaded: The Transcontinentals and the Making of Modern America, will lecture next Thursday evening at the Presidio of San Francisco on security and the history of transportation as a service.

One justification for federal funding of the transcontinental railroads was the need to save California for the Union, but by the time construction got underway, the Civil War was over and California was safe. The railroads were built ahead of demand, floundered in bankruptcy, and created political and economic problems that plagued the West for a generation.

ATM Lie-detector in Russia

I love news stories like the one in the NYT called “A Russian A.T.M. With an Ear for the Truth.”

The machine scans a passport, records fingerprints and takes a three-dimensional scan for facial recognition. And it uses voice-analysis software to help assess whether the person is truthfully answering questions that include “Are you employed?” and “At this moment, do you have any other outstanding loans?”

Only an ear for truth? Now if they could add eyes to tell if a person is talking or just playing back a recording. How random are the questions? Would they prevent someone from using a replay of a stored voice signature?

Sberbank says that to comply with the part of the privacy law that would prohibit a company from keeping a database of customers’ voice signatures, the bank plans to store customers’ voice prints on chips contained in their credit cards.

Stored how, and for how long, and how do you update it?

And how would this work with someone who is mute?

Another interesting case would be for a relative or other accomplice to answer the voice tests on behalf of the applicant. Can the system detect a woman’s voice for a male applicant, an old voice for a young applicant…?

Perhaps the most startling aspect to the story is how the company working on the technology does not understand the privacy implications.

“We are not violating a client’s privacy,” [Mr. Orlovsky, the Sberbank executive] said. “We are not climbing into the client’s brain. We aren’t invading their personal lives. We are just trying to find out if they are telling the truth. I don’t see any reason to be alarmed.”

Privacy violations do not require “climbing into the client’s brain” and they do not require “invading their personal lives”. Those are bogus tests. A privacy violation involves collecting personal information (i.e. a voice signature) and failing to protect it from unauthorized disclosure.

The Schwartz is with RSA

Eddie Schwartz, CSO at NetWitness (a part of RSA), will take on the title of CSO at RSA. This confirms both that NetWitness was involved in the response to the recent RSA breach and that Mel Brooks is a comic genius.

The large and looming issues ahead for Schwartz do not appear to be related to an advanced or a persistent threat (APT), although that is obviously a good topic to drum up sales of security products.

Instead he will have to address the usual, routine and mundane security problems revealed by RSA’s breach blog entry:

  • Role-Based Access Controls (RBAC): whether and where low-authority, and therefore less secure, systems and users have access to high-value assets
  • Egress Filtering: why outbound file transfers are allowed to unknown or known-hostile addresses (e.g. application-level inspection of traffic for a RAT in reverse-connect mode)
  • Application sandboxing: why embedded binaries (e.g. Flash) are not stripped from Excel files using the Microsoft Office Isolated Conversion Environment (MOICE) or similar
  • Awareness: if “certain groups” are targeted from the outside, then surely they can be even more easily targeted on the inside for training, such as why they shouldn’t execute large email attachments found in their spam folder

Zero-day exploits alone do not constitute advanced attacks, not least because the definition of what constitutes a zero-day is up for debate. A targeted email list alone does not constitute persistence. But whether or not the breach should get a popular label, congrats go to RSA for giving me this opportunity to include a Spaceballs reference in my blog.