The spokesman for BART is known for phony astroturf campaigns and a failure to respond to criticism. That might seem normal for a spokesman of a service with ongoing and highly visible service issues. Yet recent reports show he might be taking things to an extreme with an inability to tell the truth about security decisions.

“We struggled with that decision,” spokesman Linton Johnson said at an Aug. 16 press conference. “That was a gut-wrenching decision. This agency takes free speech seriously.”

No one has any confidence in what Johnson says, which spurred a reporter in search of evidence to call his bluff. Here’s some excellent investigative reporting by the Bay Citizen:

But emails that BART released to The Bay Citizen this week show the decision was made on the spur of the moment with little discussion of the possible consequences. Officials approved one of the most controversial proposals in BART’s history just hours after it landed in their inboxes.

The final sign-off came from then-Interim General Manager Sherwood Wakeman between 8:30 and 8:45 a.m. at a meeting of top BART staff that began at 8:15 a.m., according to Jim Allison, a BART spokesman. The discussion of the idea lasted between 15 and 30 minutes.

Lynette Sweet, a BART board member who has criticized the shutdown, said the short timeline showed that “not a whole lot of thought went into it.”

Johnson just keeps digging a bigger hole for BART to fall into. The best quote in the email thread comes from BART deputy police chief, who shows just how “wrenched” the BART leadership guts were:

I like this idea. Can anyone think of a downside?

Anyone? Anyone? Can anyone who received this email think of a downside to shutting down communication?

Sony has created a public service announcement after their latest breach. They encourage users to choose a strong password.

We want to take this opportunity to remind our consumers about the increasingly common threat of fraudulent activity online, as well as the importance of having a strong password and having a username/password combination that is not associated with other online services or sites. We encourage you to choose unique, hard-to-guess passwords and always look for unusual activity in your account.

That’s because they are watching an increase in unauthorized access attempts to user accounts

We want to let you know that we have detected attempts on Sony Entertainment Network, PlayStation Network and Sony Online Entertainment (“Networks”) services to test a massive set of sign-in IDs and passwords against our network database.

[…]

Less than one tenth of one percent (0.1%) of our PSN, SEN and SOE audience may have been affected. There were approximately 93,000 accounts globally (PSN/SEN: approximately 60,000 accounts; SOE: approximately 33,000) where the attempts succeeded in verifying those accounts’ valid sign-in IDs and passwords, and we have temporarily locked these accounts. Only a small fraction of these 93,000 accounts showed additional activity prior to being locked.

At this point you might, like me, be thinking that someone is using a database of user accounts that was stolen in an earlier breach from Sony. Users who logged in after the last breach had to change their passwords. The accounts that had no “additional activity” must have been the ones that were enabled again but never used again — dormant with an old password.

But that’s not what Sony says in their announcement. They seem to suggest that passwords are changed so infrequently a bad password match from an attacker proves that the user IDs were not stolen from Sony.

These attempts appear to include a large amount of data obtained from one or more compromised lists from other companies, sites or other sources. In this case, given that the data tested against our network consisted of sign-in ID-password pairs, and that the overwhelming majority of the pairs resulted in failed matching attempts, it is likely the data came from another source and not from our Networks

This happens far too often. I’ve had to investigate other auditors many times in my career. Both insiders and outsiders can be a problem. Once it was a team of young auditors who bought a wireless router on their way to the client site and connected it into their client network so they could share audit files more easily…audit files that said no one could connect a wireless router into the network without being detected. That was a fun one.

Another time I found auditors who dumped sensitive files into public folders for review. I got the usual “how did you find that?”

It begs the question of what enforcement there is to reduce the number of auditors who put their customers at risk. We also could discuss whether auditors should follow their own advice, but that is actually a logical fallacy. Just as doctors do not have to take the medicine they prescribe, auditors are under no obligation to use controls not relevant to their work. It is the issue of malpractice rather than hypocrisy.

The largest firms seem to be the ones most prone to hire large numbers of inexperienced staff, which means they have the highest likelihood for rudimentary failures. To be fair, they are being asked to perform a giant assessment that requires a lot of moving parts and people gathering data, but that still is no excuse for basic operational weaknesses based on very well-known vulnerabilities.

KPMG, which won OCR’s $9.2 million contract for HITECH-required HIPAA audits in June 2011, told the Saint Barnabas Health Care System of West Orange, NJ, in June 2010 that a KPMG employee lost an unencrypted flash drive that may have contained a list with some patient names and information about their care, Saint Barnabas reported on its website.

The potential breach affected individuals at two facilities—3,630 patients at Saint Barnabas Medical Center in Livingston, NJ, and 956 patients at Newark Beth Israel Medical Center in Newark, NJ—according to a report on the OCR breach notification website. The website lists entities reporting breaches affecting 500 or more individuals, a HITECH requirement that went live in February 2010.

At the end of the day I see failure from an audit firm to use caution and care in their treatment of a client. Automation is a common argument to resolve errors like this during the data collection phase, but that is a dangerous practice on its own. Process and procedures have to be understood better and fixed prior to accelerating or formalizing them.