November 16th, 2014

Raj Goel, CISSP
Raj Goel 
Security & Compliance Consulting Practice

Raj’s LinkedIn profile

This article was originally published in INFOSECURITY PROFESSIONAL Magazine, July/August 2014 issue, where the full article can be read.

Magazine article says parents are destroying infants' privacy at birth


Noted Internet security expert Raj Goel said well-meaning parents are ruining any privacy their children may have, starting at birth. He reports on this in the August-September edition of InfoSecurity Magazine in the article “Life Of A Child (2014).”


Mr. Goel is not referring to children at risk of dropping out of school, but to children at risk of having their identity stolen, with problems that follow them for life. He points out that a very basic set of information is all that is needed to impersonate someone online or over the phone:


  • Mother’s maiden name
  • Date of birth
  • City of birth
  • Name
  • Phone


“The problem is this is what people consider to be basic information when making a birth announcement. People look at this as sharing information,” he said. “New parents are justifiably proud about a new baby and they want to share the good news. Unfortunately, these well-meaning and well-intended parents are setting their children up for a lifetime of stolen identity problems.”


Mr. Goel said this is not limited to online and social media. Parents often submit birth announcements to the original social medium: newspapers. Identity thieves are known to scour newspapers for birth announcements and obituaries. They harvest this information and set up fraudulent accounts based on the names and details gathered.


“We are happy to join you in celebrating the birth of a child, but please, be careful about what information you choose to share,” Mr. Goel said.


Schools are also a major risk. He writes of a technology called InBloom. In short, it collates student data and then makes that data available for purchase by private companies.


“The technology, which as of last year was adopted in nine states, creates a centralized database where student records, from attendance to disciplinary to special needs, are stored,” he wrote. “Civil rights groups took immediate legal action to try and prevent the practice of disseminating student data—a practice that also had been taking place in Colorado, Delaware, Georgia, Illinois, Kentucky, North Carolina, Massachusetts, and Louisiana by the time the New York uproar began.”




Raj Goel is a well-known IT Expert, Author, Keynote Conference Speaker, TV Guru, HIPAA, PCI, SEC Compliance expert and Cyber Civil Rights Advocate. He regularly gives presentations around the world at the leading global conferences. For more information about Mr. Goel and his work, please visit

September 6th, 2014

As I read about the HOME DEPOT breach and follow the commentaries on the TARGET breach and other breaches, it's clear to me that we need to have a more mature conversation about breaches.

We don't blame the home owner when a burglary occurs.

We don’t blame patients for getting infected with AIDS or Ebola, or for becoming afflicted with cancer, ALS or heart disease.

Even when the cause may be user behavior (smoking, excessive drinking, etc.), we have sympathy for the patients.

So, why are we blaming companies, hospitals and other victims of cyber crimes?


Yes, Target, Home Depot, Blue Cross Blue Shield of Tennessee and others could have done a better job of protecting their networks. But you know what, no one’s perfect.


And I assert that the victims were NOT solely responsible for the failures.


IMHO software vendors shoulder at least 50% of the blame.

1) We are working with a client subject to PCI-DSS, and their POS vendor requires DISABLING UAC and giving users ADMINISTRATOR privileges.

2) We’re working with construction firms, and a very well known package requires giving all users full administrative rights on the application install and database directories.

3) A leading manufacturer of label printers requires that users have LOCAL ADMINISTRATOR rights just to print labels.

(I have purposefully omitted the names of the vendors, because they are representative of the norm. Ignoring the SANS 20 control "Controlled Use of Administrative Privileges" seems to be a job requirement for commercial developers.)
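As an added example (not code from the original post), the PowerShell audit script below checks a Windows host for the three vendor-imposed anti-patterns just listed: UAC switched off, everyday users sitting in the local Administrators group, and application install or database directories that grant write access to all users. The directory paths and the allow-list of expected administrators are hypothetical placeholders; adjust them to the host being audited.

```powershell
# Added example: audit a Windows host for the three anti-patterns described above.
# Run from an elevated PowerShell prompt. Get-LocalGroupMember needs Windows 10 /
# Server 2016 or later; on older hosts, parse 'net localgroup Administrators' instead.
# Directory paths and the admin allow-list below are hypothetical placeholders.

$findings = @()

# 1) UAC disabled. EnableLUA=0 turns UAC off entirely; ConsentPromptBehaviorAdmin=0
#    elevates administrators silently, which is nearly as bad.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey
if ($uac.EnableLUA -ne 1) {
    $findings += 'UAC is disabled (EnableLUA != 1)'
}
if ($uac.ConsentPromptBehaviorAdmin -eq 0) {
    $findings += 'UAC elevates administrators without prompting (ConsentPromptBehaviorAdmin = 0)'
}

# 2) Everyday users holding local Administrator rights. Anything beyond the built-in
#    Administrator account and the designated admin group is suspect.
$allowedAdmins = @('Administrator', 'Domain Admins')   # hypothetical allow-list; adjust
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    $name = ($_.Name -split '\\')[-1]                 # strip the DOMAIN\ or HOST\ prefix
    if ($allowedAdmins -notcontains $name) {
        $findings += "Unexpected local Administrators member: $($_.Name) ($($_.ObjectClass))"
    }
}

# 3) Application install/database directories writable by all users. "Full control for
#    Users" on an install directory lets any user replace the application's binaries;
#    on a database directory it makes the data trivially tamperable.
$appDirs = @('C:\POSApp', 'C:\POSApp\Data')            # hypothetical paths; adjust
$broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor `
             [System.Security.AccessControl.FileSystemRights]::Modify -bor `
             [System.Security.AccessControl.FileSystemRights]::FullControl
foreach ($dir in $appDirs) {
    if (-not (Test-Path -Path $dir)) { continue }
    foreach ($ace in (Get-Acl -Path $dir).Access) {
        $isBroad     = $broadPrincipals -contains $ace.IdentityReference.Value
        $grantsWrite = ($ace.FileSystemRights -band $writeMask) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $grantsWrite) {
            $findings += "$dir grants $($ace.FileSystemRights) to $($ace.IdentityReference.Value)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings: UAC on, no unexpected local admins, no user-writable app directories.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it before accepting a vendor's install instructions and again after the install; anything it flags is the point to push back on. The usual fix is to run the application's service under a dedicated service account that has write access only to its own data directory, leave UAC on, and keep interactive users out of the Administrators group.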

I agree with Dan Geer and other luminaries:

A) We need a CDC or an NTSB for the internet. We need a dispassionate, independent federal investigator that is authorized and empowered to investigate breaches, determine root causes and make recommendations to fix the infrastructure. The NTSB has saved millions of lives by investigating each airplane crash, determining flaws or breakdowns in the process and improving manufacturing, maintenance and flight operations.


B) We need a LEMON LAW for software.  Software vendors need to be held liable for shipping shoddy, insecure products.


Finally, I think Microsoft should step up and hold ADOBE and ORACLE accountable for the flaws in Adobe Flash, Adobe Reader and Java. Wouldn’t it be great if Satya Nadella had a Steve Jobs moment and banned Flash & Java from Windows?

What are your thoughts?  Let me know.


February 5th, 2014

Article by Raj Goel

I read a moving article about modern-day slavery in Mauritania.

Yes, slavery still exists and 10-20% of the Mauritanian population is currently enslaved. What really hit me hard is that unlike traditional slavery involving chains and physical restraints, modern slavery is primarily mental. The hereditary slaves are born as slaves; they live in villages that have ceremonial fences. Anyone can walk away or run away, and yet very few do. They are so enmeshed in the culture that the thought of walking away doesn’t occur to them.

To quote from the article:

Fences that surround these circular villages are often made of long twigs, stuck vertically into the ground so that they look like the horns of enormous bulls submerged in the sand.
Nothing ties these skeletal posts together. Nothing stops people from running.
But they rarely do.

And a similar form of mental servitude exists in (anti-) social media today. This month, the world celebrates the 10th anniversary of Facebook. What we’re really celebrating is 10 years of ceaseless onslaught against freedom of speech, freedom of thought and freedom against self-incrimination – also known as the 1st, 4th and 5th amendments of the US constitution.

You could say that I am being hyperbolic in my characterization of Facebook as digital slavery, or that I’m taking poetic license and it’s not really fair to those who suffered, and still suffer, from the shackles of physical and financial servitude. Fair enough.

That said, let’s consider that in traditional slavery, the slave owner claimed ownership over the physical bodies and the output of physical labor of their slaves. Slaves grew cotton and sugarcane, raised cattle, etc., and the masters took control of it all.

In the modern era, our wealth isn’t generated from our sinews. We don’t break our backs toiling in the fields. Our wealth is intellectual in nature, digital in its form and that is being acquired for free by the lords of the internet.

  • Facebook claims perpetual ownership on your posts, likes, dislikes, photos.
  • Twitter claims perpetual ownership of your tweets, thoughts and stupidities.
  • Instagram, Flickr, etc claim perpetual license on your images.

As Attorney Craig Delsack notes:

You grant the social media sites a license to use your photograph any way they see fit for free AND you grant them the right to let others use your picture as well! This means that not only can Twitter, Twitpic and Facebook make money from the photograph or video (otherwise, a copyright violation), but these sites are making commercial gain by licensing these images, which contain the likeness of the person in the photo or video (otherwise, a violation of their “rights of publicity”).

Amazon controls what you get to read, and has deleted books from Kindles remotely. Fittingly enough, the first book Amazon stole back from paying customers was 1984.

Apple claims similar rights on your iPhones, iPads, iTunes and has given itself the right to remotely block or uninstall books, movies, songs, etc.

So what exactly are you buying when you “buy” eBooks from Amazon or Apple? What are you “buying” when you buy songs from Apple, Amazon, and Google? You’re “buying” the temporary right to read that book, watch that movie or listen to that song until the overlords decide that you’ve somehow violated their rights by travelling to a foreign country, visited wrong parts of the internet, etc. And any of these are grounds for them to delete content without reimbursement.

And how does Facebook fit into all of this?

In the 1970s and 1980s, we protested against the Communists and held up East German Stasi as particularly pernicious. At the height of its power, an estimated 10% of the East German population spied on their neighbors.

Today, approximately 128 million Americans use Facebook.
Every like, dislike and comment is the private property of Facebook, to be bought and sold like a commodity. Your thoughts, pictures, family photos and privacy are goods sold on the open market.

And what does Facebook provide to its real customers – the corporations and governments?


And that’s just a start…there’s much more that Facebook retains, and makes available to foreign governments.

I hear you. I hear your complaints. Without Facebook, how will you have a social life? How will you go out on dates? Or keep track of family get-togethers? Without Facebook, how will you share the family photos?

Scholars find many similarities between modern Mauritanian slavery and that in the United States before the Civil War of the 1800s. But one fundamental difference is this: Slaves in this African nation usually are not held by physical restraints.

It is just like the Mauritanian slaves, who are held on the farms not by physical shackles but by the cultural and mental ones that keep them enslaved, even though all they have to do is walk away.

No violence, no guns, just put one foot in front of the other.

Will you raise your kids as digital slaves? Or will you walk away…one mouse click at a time?

Further Reading:

4th Amendment issues
1st Amendment issues
5th Amendment issues
1st, 4th, 5th Amendment issues
Copyright and IP ownership
Amazon erases 1984 from Kindle

January 22nd, 2014

Welcome to the Panopticon.  Or surveillance circle-jerk.

With apologies to Tom Lehrer,

Global Surveillance Week!

Chinese spy on the Japanese
Russians Spy on the Chinese
Indians Spy on the Pakistanis
Aussies spy on the Kiwis
North Koreans spy on Dennis Rodman

The NSA spies on everyone
And EVERYONE spies on the Americans


A new security report confirms that Chinese hackers spied on The New York Times in 2012, as well as attendees of the G20 Summit in St. Petersburg last fall. Iranian hackers spied on dissidents in the lead up to state elections last May. The Syrian Electronic Army is only getting better, and North Korean hackers were behind a destructive cyberattack that wiped data from South Korean banks last year.

via New Security Report Confirms Everyone Is Spying on Everyone –

January 22nd, 2014

As the WSJ reports, the security guys tried to get chip-and-PIN launched in the US 10 years ago.

This is the same technology that has REDUCED UK card-fraud losses by 70%.


Why did it fail in the US?

VISA & MasterCard Greed.

Long transaction times.

Target’s short-sightedness.

And who pays for it all?  Us.  The consumers, taxpayers and shareholders.

Who doesn’t pay for it?  Executives at Target, VISA and MasterCard.

The US leads the world in credit card fraud. Not a metric to be proud of.

From WSJ:

Executives in Target’s credit-card division tried to keep the program but lost out to the concerns of executives responsible for store operations and merchandising, a group that included Mr. Steinhafel, who worried the technology slowed checkout speeds and didn’t offer enough marketing benefits, according to a person familiar with the decision.

The risks of big, expensive attacks like Target’s could help spur a consensus on the issue.

“All of us have a common interest in being protected, so this might be a chance for retailers and banks to for once work together, as opposed to sue each other like we’ve been doing the last decade,” James Dimon, CEO of J.P. Morgan Chase & Co., said last week on an earnings call.

Mr. Steinhafel, in his first public comments since the breach, said momentum is picking up for mass adoption of chip cards. “I think we’re ready to move,” the Target CEO said in a Jan. 13 interview with CNBC. Target, he said, was “out front of the industry, and the industry didn’t follow.”

via Target Tried an Anti-Theft Credit-Card System Years Ago –

August 17th, 2013

Charlie Stross (an awesome writer) wrote an excellent piece on what life will be like for England’s future monarch.

This kid is going to live in the panopticon – maybe Will & Kate should watch this video with him and maybe this


This prince is going to find things a little different because he’s going to be the first designated future British monarch to grow up in a hothouse panopticon, with ubiquitous surveillance and life-logging …

I expect there to be Facebook account-hacking attacks on his friends, teachers, and associates—and that’s just in the near term. He’s going to be the first royal in the line of succession to grow up with the internet: his father, Prince William, was born in 1982 and, judging by his A-level coursework, is unlikely to have had much to do with computer networking in the late 1990s. This kid is going to grow up surrounded by smartphones, smart glasses (think in terms of the ten-years-hence descendants of Google Glass), and everything he does in public can be expected to go viral despite the best efforts of the House of Windsor’s spin doctors.

via Monarchy versus the Panopticon – Charlie’s Diary.

August 17th, 2013

The Dutch are smoking something…and it isn’t good.

They are watermarking ebooks and will report buyers, er, customers, er, suckers to the anti-piracy mafia on the flimsiest of accusations.

This is an EXCELLENT reason to buy ebooks from authors (e.g. Cory Doctorow) and from sites that do NOT use any watermarking or DRM.

In the Netherlands, ebook sellers have announced that they will retain full reading records on their customers for at least two years, and will share that information with an “anti-piracy” group called BREIN (a group that already has the power to order Dutch ISPs to censor the Internet, without due process or judicial oversight; and who, ironically, were caught ripping off musicians for their anti-piracy ads).

via Dutch ebook sellers promise to spy on everyone’s reading habits, share them with “anti-piracy” group – Boing Boing.

April 2nd, 2013

June 4, 2012, 3 PM


Following on the heels of the critically acclaimed NCSC.NL presentation, we look at how Governments, Corporations and Private Citizens are using Cloud Computing, Social Media and the lack of Civil Rights on the internet to compromise Privacy and Security.




April 2nd, 2013

After the NCSC 2013 presentation, Peter Teffer interviewed me.


Here’s a (very poor) Google translation of his original Dutch article, lightly cleaned up for readability:

If we do not ask, we will not get. Facebook, Google, Apple and other Internet and technology companies will only take our privacy concerns seriously if consumers take to the barricades. “It is time to demand that your data is yours and not someone else’s,” said the American consultant Raj Goel, who recently gave a lecture in The Hague on social media and privacy.

Goel earns his money partly by giving such lectures; he has written a book that he wants to sell, and companies hire him because he is known as a computer security expert. But that does not mean he does not believe in the importance of his message. “The battle for privacy is the next step in the civil rights struggle.”

It is not in the interest of Internet companies to protect our privacy, and we should not actually expect much from governments either. Only when consumers demand that smartphones and social networks genuinely take privacy into account will we stop being spied on thousands of times per month, argues Goel.

Can we, ordinary people, get large, powerful companies to do what we want? “Yes,” says Goel. “Look at history. 150 years ago we had no right to clean air or clean water and food. Only when someone like Upton Sinclair described the unhealthy conditions of food production in 1905 did society say: enough, we want clean and healthy food.”

Cultural change is not impossible, Goel emphasizes. Forty years ago nobody read the leaflets that come with drugs or the labels on food. Nowadays they do. “If you are willing to devote five or ten minutes to reading your food packaging and to asking your doctor why certain medications are needed, why can you not take five minutes to ask questions about the technology you use?”

Instead of just saying, wow, what a nice phone, we should also look at the privacy aspects of a product. “Make sure you are a more conscious consumer. Twenty years ago you just had eggs. Now you have free-range eggs and organic eggs. We have fair-trade clothing and food. It is now time for honest technology.”

April 2nd, 2013

850 people from 12 countries.

NATO personnel, military lawyers, Europol, the private sector, US DHS and FBI…all gathered in the Conference Center at The Hague.

Best conference I’ve been to in over a decade – HIGHLY educational, AMAZING hosts and world-class presentations.

(Yes, I spoke on Day 1 – and lots of folks enjoyed it)



(Yes, I had Apple Maps on the brain and referred to Holland and Denmark…and Peter Teffer won’t let me forget it!)


NCSC Conference 2013

We would like to thank all our speakers and guests for making this year’s event an outstanding conference! We worked hard on delivering a high quality programme built on the theme ‘Many partners, one team, one goal’ and we exceeded our expectations.

This first edition of the NCSC Conference has brought two days of inspiring speakers and opportunities to exchange ideas about the latest developments in the field of information security.

The conference was opened by Dutch Minister of Security and Justice Ivo Opstelten, one year after the start of the NCSC, which has now incorporated GOVCERT.NL.

The programme offered something of interest for a wide variety of participants, from technical specialists, decision-makers to researchers, from both the private and the public sector. In plenary and parallel sessions, with leading experts and inspiring speakers, a variety of topics were presented.

via NCSC Conference 2013 | NCSC.