In the case of CarrierIQ, the software maker denied that it collected any information, and then backtracked saying that it was the service providers that were the actual data recipients. This law would require consumers to receive clear disclosures and give explicit consent before any monitoring takes place. The proposed law would also require notifications and consent if monitoring software is installed after the phone is purchased.

The MDPA also requires that anyone that receives and stores monitoring data must establish and implement policies for protecting the security of the data. The proposed law give the FTC and the FCC power to enforce the law, as well as gives consumers a private right of action. A consumer may sue in state or district court for $1000 per violation plus court costs. Willful violations may result in triple damages. The monitoring agreements must be filed with the FTC and FCC.

In Rep. Markey’s press release, he stated “Consumers have the right to know and to say no to the presence of software on their mobile devices that can collect and transmit their personal and sensitive information.”

Opponents of the legislation fear the once passed copyright holders will be able to take down legitimate websites without any judicial oversight. For example, Monster Cable could theoretically use the law to take down websites they claim to be unauthorized resellers. While their list now just lists unauthorized sellers on eBay.com and Craigslist.com, a previous version of the list included the two domains without exceptions. Department store Sears sells Monster Cable products on their site, and the sears.com domain is included in the list. Curiously buy.com is listed in both the unauthorized seller list and the list of authorized home theater dealers.

In the martial arts world, there is a concept called zanshin. It’s defined as a state of readiness and alertness to meet an opposing attack. How does this apply to the IT world? While physical attacks are rare in the IT environment, other opposing forces such as economics, resource availability, competition, and hackers do come into play and need to be addressed. An IT organization that is fully aware of its environment and processes is better prepared to meet challenges when they arise. The three major facets of IT zanshin are configuration and change management, service monitoring and metrics, and business continuity and disaster recovery. Each of these by itself is a major work effort to be done correctly, but well worth the investment.

Configuration and change management are the foundation for the other aspects of IT zanshin. Configuration management involves taking inventory, documenting configurations, and identifying relationships. Extending beyond a simple inventory of hardware, software, and processes, the configuration management system must tracks relationships between each of the items. All of this takes time and is often ignored. When new hardware arrives on the dock, everyone’s first instinct is to unbox and start building systems. An IT organization that utilizes configuration management can reap the benefits of standardization and streamlined deployments.

Implementing change management processes of creates grumbles and mutterings from system administrators and developers who are forced to work with the newly established procedures. They’ll claim that collecting their approvals will actually slow them down, and they won’t be able to make those already aggressive release dates. Change management is not implemented to stop an organization from moving forward. It’s meant to capture changes in the environment, make sure that they are properly vetted, and ensure that the outcomes are expected. A successful change management process will also help communications to staff and customers. Why are we suddenly getting helpdesk calls about application X? Who authorized the shutdown of that server? It’s all in the change management system. There should be no surprises. After all, key people are involved in the process.

Recommendation: Implementing configuration and change management systems does always high dollar expenses. IT needs vary greatly between organizations. Start by building documentation repositories and implementing an open source tool like iTop or i-doit. With simple open source tools, IT organizations can gain exposure to the concepts without the license costs.

Data from configuration and change management systems are the building blocks of service monitoring and metrics. It’s very difficult to properly monitor and measure services without know what all the component pieces are and how they are related. While not very glamorous, the benefits to an IT organization well outweigh the cost and time to create such critical foundation.

So far no such replacement system has been made public; however, Twitter does appear to still be verifying accounts. The site does state that some trusted sources are still being verified.

From Twitter’s Why Wasn’t My Account Verified:
In the meantime, we’re still verifying some trusted sources, such as our advertisers and partners. If you’re one of our partners or advertisers, please follow up with your account manager for details.

Are those verified accounts really trustworthy? Recent news of the faked Wendi_Deng account on Twitter does raise concerns. The account was marked as verified without the account holder or the real Wendi Deng’s knowledge. The account holder has sent a tweet to Twitter wondering how this happened. The account is no longer flagged as verified, but it does raise a question. How many other spoofed and faked accounts are quietly holding onto a verification badge?

According to a Pastebin post by A GUEST, the attack is not the work of Anonymous.

Stratfor has been purposefully misrepresented by these so-called Anons and portrayed in false light as a company which engages in activity similar to HBGary. Sabu and his crew are nothing more than opportunistic attention whores who are possibly agent provocateurs. As a media source, Stratfor’s work is protected by the freedom of press, a principle which Anonymous values greatly.

This hack is most definitely not the work of Anonymous.

The news has also drawn the attention of some government officials. Senator Al Franken has sent a letter to Carrier IQ requesting more information about the extent of the data logging. Trevor Eckart has released a followup video demonstrating the phone interactions appearing in the debugging logs. Carrier IQ has also released a clarification to their previous letter. In effect, the end of the letter states that Carrier IQ does not collect the information, but instead it is collected by the phone operators that purchase the software.

From the letter:
Carrier IQ acts as an agent for the operators. Each implementation is different and the
diagnostic information actually gathered is determined by our customers – the mobile
operators. Carrier IQ does not gather any other data from devices.