
Security Catalyst Show for 23 July 2008 | Breach Breakdown with Adam Dodge

With Into the Breach about to go to print, it is time to start looking at what we can learn from security and privacy breaches. Adam Dodge and I, along with some guests, are going to take a monthly look at a notable breach or two in an effort to learn and share insights. We plan to keep these episodes short and peppered with insights that make the breaches real. We will cut through the hype and present useful information.

PS: Hardcover books are scheduled to be available September 16th. Preview copies are available today and I’ll have a stack at Blackhat and during the next Catalyst onTour trip!

Meantime, check out Adam’s excellent site: http://www.adamdodge.com/esi/

Breach Breakdown Show 1 - Ohio University
Note: until the podPress fix is released, use this direct link for the program (iTunes listeners should not be affected): http://www.securitycatalyst.com/podcast/TSC-20080723.mp3

Story of the breach
The story is not about a single breach, but a group of security incidents discovered by Ohio University within weeks of each other.
- The first breach was discovered on April 21st when the FBI notified the university that a computer in the Technology Transfer Department had been compromised. The FBI had been investigating another, unrelated crime when they discovered the compromised computer. The university found that the Technology Transfer server contained personal information on 35 individuals.
- The second breach was discovered on April 24th when IT staff noticed that an alumni database server was being used to launch a denial of service attack against an external target. This alumni server contained personal information on 300,000 individuals and organizations, including over 137,000 SSNs. When investigating this incident, the university discovered that the alumni server had been compromised as far back as 2005 and had been accessed from both domestic and international IP addresses. This server should have been removed more than a year before the breach was discovered, and the IT department assumed it had been. That means the server had not received any updates or patches for more than a year.
- The third breach was discovered on May 4th when the university noticed that someone had gained unauthorized access to a server housing information used by the university’s Hudson Health Center. The compromised server contained personal information on 60,000 individuals.
- The fourth and fifth breaches were discovered on May 23rd when a forensic scan detected that a server housing IRS 1099 forms for vendors and contractors and a server used for online business transactions, containing personal and credit card information, had been compromised.

In the end, five servers were found to be affected. All told, 367,000 personal files containing 173,000 SSNs were compromised. Emergency repairs and notifications cost the university over $800,000.

The university fired two IT administrators and the CIO resigned.

What was the response
Ohio University’s response to this series of breaches has been, for the most part, outstanding. As one would expect, all of the affected servers were immediately taken offline and investigations launched. However, there is much more to the university’s response than a simple, rote take-down-and-investigate.
- The university spent a large amount of time and money notifying those affected. It used web pages, e-mail and postal mail to alert over 300,000 individuals about the different breaches. As a result, the university received over 8,000 calls to its information hotline, 800 e-mails and letters of complaint, and over 35,000 hits to the web site about the breaches.
- The university spent nearly $100,000 on breach notifications.
- The university formed an IT oversight committee.
- The university hired consulting firms to perform full risk assessments.
 - The findings were that the IT office was significantly understaffed and that the outsourcing arrangements the university had in place were not a good option for the future.
- From these findings the committee put together a 20-point action plan titled “Blueprint for Building a World-Class IT Function at Ohio University”.
- Within three weeks of the breaches the university had spent $750,000 on emergency response fixes, and it will likely need an additional $7-10 million based on the consultants’ report.
- Ohio University has continued to talk about this breach openly and honestly.
 - OU President Roderick McDavis wrote an essay for the Chronicle of Higher Education titled “What Ohio U. Learned From a Major IT Crisis”. In this essay McDavis is candid about the breaches and states that the Ohio University community did not take IT seriously enough. As one of the key lessons learned, McDavis states that continuity is key and that it is important to openly share both positive and negative information.
- These are more than just words in an essay. Ohio University has taken the opportunity to speak publicly about these breaches, including a seminar at the 2008 EDUCAUSE Security Professionals Conference.

What went wrong
- There were several issues at work behind these breaches, but all of them come down to McDavis’ statement that the university did not take IT seriously.
 - In 2004, Stephen Kopp, then the provost, wrote to the Chronicle of Higher Education that computer services had grown through a “spontaneous mushrooming of IT people on campus”. A consultant’s report confirmed this view, describing the IT departments on campus as an “adhocracy” characterized by poor communication and general mistrust among administrators, duplicated tasks and resources, and a lack of unified strategic decision making.
- Thomas Reid, director of communication-network services, who was fired from the university after these breaches, said he had tried repeatedly to warn supervisors about the security risks since 1998. According to Mr. Reid, much of the blame can be tied to a significant reduction in the IT budget, $1 million over two years, and a lack of clear IT management. Mr. Reid had 13 bosses in 22 years.
- In the end, this same exact environment can be found at many educational institutions. Ohio University was not unique in these issues.
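The alumni server in this story was supposed to be gone, everyone assumed it was, and so nobody patched it for a year. The operational control that catches that is a periodic reconciliation of the asset register against what actually answers on the network. Below is an added example of that check (my code, not anything Ohio University ran); the register, the scan result and the dates are constructed to mirror the scenario, and the 90-day patch-age threshold is an assumption.

```python
from datetime import date

# Constructed asset register (not Ohio University's). Status "decommissioned"
# means the IT department believes the host has been retired.
ASSET_REGISTER = [
    {"host": "alumni-db-01", "ip": "10.10.5.21", "status": "decommissioned", "last_patched": date(2005, 3, 1)},
    {"host": "techxfer-01", "ip": "10.10.7.8", "status": "active", "last_patched": date(2006, 4, 10)},
    {"host": "health-01", "ip": "10.10.9.3", "status": "active", "last_patched": date(2005, 11, 20)},
    {"host": "web-pay-01", "ip": "10.10.2.40", "status": "active", "last_patched": date(2006, 4, 1)},
]

# Constructed result of a network sweep: every IP that answered. This is what
# is actually live on the wire, not what the register says should be.
LIVE_IPS = {"10.10.5.21", "10.10.7.8", "10.10.9.3", "10.10.2.40", "10.10.3.77"}

# Reference date for the patch-age check (constructed to match the scenario)
# and the assumed maximum acceptable age of the last patch.
AS_OF = date(2006, 4, 24)
MAX_PATCH_AGE_DAYS = 90


def zombie_hosts(register, live_ips):
    """Hosts the register says are retired but that still answer on the network."""
    return sorted(a["host"] for a in register
                  if a["status"] == "decommissioned" and a["ip"] in live_ips)


def unknown_hosts(register, live_ips):
    """Live IPs with no register entry at all: nobody owns or patches them."""
    known = {a["ip"] for a in register}
    return sorted(ip for ip in live_ips if ip not in known)


def stale_hosts(register, live_ips, as_of=AS_OF, max_age_days=MAX_PATCH_AGE_DAYS):
    """Live hosts whose last recorded patch is older than max_age_days."""
    return sorted(a["host"] for a in register
                  if a["ip"] in live_ips
                  and (as_of - a["last_patched"]).days > max_age_days)


def reconcile(register, live_ips, as_of=AS_OF, max_age_days=MAX_PATCH_AGE_DAYS):
    """The three findings a monthly reconciliation should hand to someone accountable."""
    return {
        "zombie": zombie_hosts(register, live_ips),
        "unknown": unknown_hosts(register, live_ips),
        "stale": stale_hosts(register, live_ips, as_of, max_age_days),
    }


if __name__ == "__main__":
    for finding, hosts in reconcile(ASSET_REGISTER, LIVE_IPS).items():
        print(f"{finding}: {hosts}")
```

On the constructed data the "zombie" finding is exactly the alumni server: marked decommissioned, still answering, and last patched more than a year earlier. The "unknown" finding is the other half of the same problem, a host nobody has recorded at all. Neither check needs anything more than the register and a scan, which is why the absence of both is a management failure rather than a tooling one.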

Links for more information
OU news release about the breaches
http://www.ohio.edu/outlook/05-06/May/485n-056.cfm
An excellent breakdown of the incident (subscription required)
Wasley, Paula. “More Holes Than a Pound of Swiss Cheese.” The Chronicle of Higher Education <http://chronicle.com/weekly/v53/i06/06a03901.htm>
Articles about the breaches
Sandoval, Greg. “University server in hackers’ hands for a year.” CNet News.com <http://ecoustics-cnet.com.com/University+server+in+hackers+hands+for+a+year/2100-7349_3-6074739.html>
Vijayan, Jaikumar. “Ohio University reports two separate security breaches.” Computerworld <http://www.computerworld.com/databasetopics/data/story/0,10801,111113,00.html>
OU President McDavis’ essay about the breaches (subscription required)
McDavis, Roderick J. “What Ohio U. Learned From a Major IT Crisis.” The Chronicle of Higher Education <http://chronicle.com/weekly/v54/i30/30b00501.htm>
A good write-up of President McDavis’ essay
Heck, Richard. “McDavis writes of computer breach in national publication.” The Athens Messenger <http://www.athensmessenger.com/main.asp?SectionID=1&SubSectionID=273&ArticleID=9592&TM=42628.33>
Ohio University data theft web site
http://www.ohio.edu/datatheft/index.cfm

If you enjoyed this post, make sure you subscribe to my RSS feed!

Posted in Information Protection, Into the Breach, netcast | Comments (1)

On Reports (a perspective)…

By Adam Dodge

Lately, there has been a flurry of activity in the land of security breach reports, with organizations such as Debix, Verizon, the Identity Theft Resource Center and the Department of Justice all releasing reports looking at security breaches, breach notification laws and the state of information security in general. As someone who has been tracking and monitoring breaches for two years now through Educational Security Incidents, I am excited by the increased attention and information coming forth and the lessons that can be learned from these breaches. However, it is important to remember that there are inherent limitations on the applicability of breach statistics, and therefore we all must be cautious about reading too deeply and arriving at conclusions that the information in these reports does not support.

Before we go any further: yes, I do develop a similar report each year, and yes, my report is subject to the same limitations as all of these other reports. My point here is not that all other reports are wrong while the ESI YiR is the shining beacon of truth. The point is that the information delivered in these reports is simply that, information. It is up to the reader to interpret this information in a meaningful way. The problem, then, stems from misinterpretation and this

What do I mean by “misinterpretation”? Well, a common problem with the statistics provided in these reports (remember, I’m including my own report as well) is that the numbers are based on a sample set, and the ability to generalize from those numbers depends a great deal upon the size of the sample and how randomly the sample was chosen from the total population. Alright, that might not be a good enough answer, so allow me to explain further.

The Verizon report has made a big splash in the security world and for good reason. Verizon did an amazing job with this report. If you haven’t read it, go do so now. Seriously, stop reading this and go read the report. It is that good.

However, the report is based on over 500 forensic investigations performed by Verizon’s Business RISK team between 2004 and 2007. These 500+ breaches that Verizon analyzed for the report were not randomly chosen from all breaches that occurred. Instead, the information was mined from investigations stemming from breaches that were serious enough for a company to reach out and contract with Verizon for assistance. This is a potential point of bias for the survey.

Most companies are not going to spend money on investigations for small breaches or those that are easily explainable. Therefore, it is very likely that breaches such as information left in public, information accidentally placed on a public web site, etc. are underrepresented in the sample Verizon used. It is also likely that smaller companies and non-profit organizations are underrepresented, since these entities lack the funding that larger, for-profit organizations have at their disposal.

What does this sample bias mean for the validity of the Verizon report? Nothing. Nothing at all. There is no problem with the sample bias of the Verizon report. The simple fact is that all security breach reports (again, including the ESI YiR) suffer from the same problem. Unfortunately, there is no good way around this problem yet. Everyone I talk to who is involved with tracking breaches has the same complaint: there is no centralized reporting of breaches in the United States, and those states that do require breach reporting to a central authority have different reporting requirements, litmus tests and levels of public access to breach information.

So am I suggesting that everyone stop reading these reports? Absolutely not. It is not just self-preservation that makes me say this, however much I enjoy my work with ESI. These reports are an excellent way for information security practitioners to track the movement of threats and discover what types of security threats similar organizations are facing. The point of all of this is that each and every one of us (including the media) needs to make sure that we are interpreting the data in these reports properly before we remove our firewall because the 2007 ESI YiR said that employee mistakes outnumber hackers as the cause of a breach 2:1, or before we discontinue our security awareness and training programs because the Verizon report says that 73% of all breaches came from external sources.

How can these reports be so different and yet both be correct? Simple, look to the samples used to compile them.
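To make the sample-bias argument concrete, here is an added example (my code, not part of the post and not derived from either report’s data) with a constructed breach population: employee mistakes outnumber hacker intrusions overall, but intrusions are far more likely to be serious enough to justify hiring an outside investigator. The investigation rates per severity are assumptions. Counting only investigated breaches flips the headline number, and the last function shows that the bias can be undone only when the selection rate per stratum is known, which is precisely what breach reports cannot tell you.

```python
from collections import Counter

# Constructed breach population, not data from any of the reports above.
# Each record is (cause, severity); severity is what drives whether the
# victim hires an outside forensic firm.
POPULATION = (
    [("employee_mistake", "minor")] * 600
    + [("employee_mistake", "major")] * 60
    + [("external_hacker", "minor")] * 100
    + [("external_hacker", "major")] * 240
)

# Assumed probability that a breach of each severity leads to a contracted
# investigation and therefore ends up in an investigator's dataset.
INVESTIGATION_RATE = {"minor": 0.05, "major": 0.80}


def cause_shares(records, selection_rate=None):
    """Share of each cause, optionally weighting records by their selection probability."""
    weight = Counter()
    for cause, severity in records:
        weight[cause] += 1.0 if selection_rate is None else selection_rate[severity]
    total = sum(weight.values())
    return {cause: w / total for cause, w in weight.items()}


def population_shares():
    """What a complete, unbiased registry of breaches would report."""
    return cause_shares(POPULATION)


def investigated_sample_shares():
    """What a report built only from contracted investigations would report."""
    return cause_shares(POPULATION, INVESTIGATION_RATE)


def expected_sample_counts():
    """Expected number of investigated breaches per (cause, severity) stratum."""
    counts = Counter()
    for cause, severity in POPULATION:
        counts[(cause, severity)] += INVESTIGATION_RATE[severity]
    return dict(counts)


def recover_population_shares(sample_counts, selection_rate):
    """Inverse-probability weighting: divide each stratum's sample count by its
    selection rate to estimate the population mix. This only works when the
    selection rate per stratum is known; breach reports almost never publish it."""
    est = Counter()
    for (cause, severity), n in sample_counts.items():
        est[cause] += n / selection_rate[severity]
    total = sum(est.values())
    return {cause: v / total for cause, v in est.items()}


if __name__ == "__main__":
    print("population:", population_shares())
    print("investigated sample:", investigated_sample_shares())
    print("recovered from sample:", recover_population_shares(expected_sample_counts(), INVESTIGATION_RATE))
```

On this constructed population the complete registry shows about 66% employee mistakes (roughly the 2:1 ratio), while the investigated sample shows about 72% external sources, from exactly the same breaches. Neither figure is wrong; they answer different questions, and the only way to translate between them is knowledge of the selection process that the reports do not provide.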


Posted in Information Protection | Comments (3)

You are now Liable for Unintentional Medical Data Breach In NY State

by Patrick Romero

Health care employers be warned – an unintentional data breach could now cost you much more than you imagined. A New York State Appellate Court has recently upheld a $365,000 jury award against a health care center that mistakenly disclosed information regarding a patient’s medical information.

A young, unmarried woman who lived with her strict Roman Catholic parents decided to terminate her pregnancy at Long Island Surgi-Center. She gave instructions to Surgi-Center never to call her at home despite providing them with her home telephone number on questionnaire forms. A day after the procedure, a nurse called the number provided to inquire about her condition and to confirm that she had no subsequent medical complications. Unfortunately, the nurse spoke with the woman’s mother and revealed sufficient information to allow the mother to conclude that her daughter had an abortion.

In a 3-2 decision, the Court held that the plaintiff be awarded punitive damages for an unintentional breach of confidential medical information even if there was no malice or malicious behavior by the defendant. As a result, the 2nd Department of New York has expanded the scope of punitive damages to include unintentional medical disclosure regardless of whether the act was done in good-faith.

The case is significant because of its implications for organizations handling medical information. Even though the medical center’s actions were not malicious, intentional or done in bad faith, disclosing the plaintiff’s medical information was nonetheless treated as grossly negligent and wanton behavior. Based on this interpretation, it appears that it will now be more difficult for healthcare workers to excuse a disclosure of medical information as a mistake or negligence.

The Court also appears to have affirmed the jury’s award of punitive damages in order to send a message about the importance of protecting medical information. Punitive damages are seen as a way for the judiciary to espouse a particular public policy and to deter future violations. The Court here is clearly concerned with instances of wrongful medical disclosure and shows itself to be in sync with state and federal legislative efforts to protect confidential information. The opinion does not discuss violations of federal privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA). However, it does mention New York legislation pertaining to the rights of patients in medical facilities like the one visited by the plaintiff.

More and more states are enacting laws regulating the disclosure of private and confidential information. Court cases like this highlight the need for companies to enact strong compliance rules that clearly describe the conditions under which data can be disclosed. These rules need to be understood and properly followed by all employees of an organization. The decision in New York should highlight the fact that even inadvertent medical disclosure can now lead to serious liability issues.


Posted in Information Protection, compliance | Comments

Do Data-Breach Laws Give You The Power to Hold Corporations Liable?

By Michael Santarcangelo and Patrick Romero

There are roughly 40 states that have some sort of “data-breach” law in force, or a bill under consideration, that forces notification of a company’s security breach (or suspected breach) to its consumers. These laws were enacted as a way to force companies to disclose the possibility that individuals’ personal information was compromised and that they could potentially become victims of identity theft.

Over the coming months, we’ll spend some time exploring how the different states are handling these statutes. When you peel the layers back a bit, and consider them from different angles, we can learn some interesting elements – useful to us from individual and organizational perspectives.

Even with these new laws in effect, it seems there is little a person can do to hold a company liable for a data breach caused by its weak security standards. Recently, state governments have begun to change this by imposing liability on retail businesses and others, thereby opening the door for consumers to sue companies that do not adequately protect the personal information they collect.

This is a serious issue that has implications for everyone involved – and ultimately requires clear definitions, mutual understanding and will take years to sort through. In the meantime, we’re going to ignite our series of articles exploring these laws and developments by analyzing some recent events.

Minnesota PCI Legislation
Effective August 1st 2007, Minnesota became the first state to require that all companies handling credit and debit card data comply with the Payment Card Industry (PCI) data security standard (in a future article or podcast, we’ll explore and debate the value of tying the PCI standard to the legislation - Michael).

The state’s Plastic Card Security Act prohibits a company from retaining a card’s security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data after a transaction has been authorized. The legislation is intended to target retailers who continue to store such data in violation of the PCI standard. The bill also makes it a violation for retailers to retain a cardholder’s PIN data longer than 48 hours after authorization of the transaction. Similar bills are pending in Texas, Illinois, Connecticut, and Massachusetts.
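The retention rules the statute describes translate directly into what a point-of-sale system may write to disk once a transaction is authorized. The following is an added example (my code, not from the article, the statute or any PCI publication) that reduces a freshly authorized transaction to the storable fields, keeps PIN data for a PIN-debit transaction only inside the 48-hour window, audits stored records for the prohibited elements, and purges expired PIN data. The transaction layout, the field names and the sample values are constructed assumptions; the PAN is the standard Visa test number.

```python
from datetime import datetime, timedelta, timezone

# Card data elements the statute described above forbids retaining once the
# transaction has been authorized. Field names are assumptions for this example.
PROHIBITED_AFTER_AUTH = ("security_code", "pin_verification_value", "track1", "track2")

# PIN data from a PIN-debit transaction may be held at most 48 hours after authorization.
PIN_RETENTION = timedelta(hours=48)

# Constructed transaction as a POS terminal might hand it over (test PAN, fake values).
SAMPLE_TXN = {
    "pan": "4111 1111 1111 1111",
    "expiry": "12/09",
    "security_code": "123",
    "track2": "4111111111111111=09121010000000000000",
    "pin_block": "0123456789ABCDEF",
    "pin_debit": True,
    "amount": "42.00",
    "auth_code": "A1B2C3",
    "authorized_at": datetime(2007, 8, 1, 12, 0, tzinfo=timezone.utc),
}


def mask_pan(pan):
    """Keep the first six (BIN) and last four digits; star out everything between."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def persistable_record(txn, now):
    """Reduce an authorized transaction to the fields that may be written to storage.

    Anything not copied explicitly here (CVV, track data, the clear PAN) is dropped.
    """
    record = {
        "auth_code": txn["auth_code"],
        "authorized_at": txn["authorized_at"],
        "amount": txn["amount"],
        "pan_masked": mask_pan(txn["pan"]),
        "expiry": txn["expiry"],
    }
    # PIN data survives only for PIN-debit transactions and only inside the 48-hour
    # window; it carries its own purge deadline so the cleanup job needs no extra lookup.
    if txn.get("pin_debit") and txn.get("pin_block") is not None:
        if now - txn["authorized_at"] <= PIN_RETENTION:
            record["pin_block"] = txn["pin_block"]
            record["pin_purge_after"] = txn["authorized_at"] + PIN_RETENTION
    return record


def retention_violations(record, now):
    """Audit a stored record and list the fields that should not be there."""
    bad = [f for f in PROHIBITED_AFTER_AUTH if record.get(f)]
    if "pin_block" in record:
        deadline = record.get("pin_purge_after")
        if deadline is None or now > deadline:
            bad.append("pin_block")
    if "pan" in record:  # only the masked form belongs in storage
        bad.append("pan")
    return bad


def purge_expired_pins(records, now):
    """Strip PIN data from every record past its window; returns how many were purged."""
    purged = 0
    for r in records:
        deadline = r.get("pin_purge_after")
        if "pin_block" in r and (deadline is None or now > deadline):
            r.pop("pin_block")
            r.pop("pin_purge_after", None)
            purged += 1
    return purged


if __name__ == "__main__":
    now = SAMPLE_TXN["authorized_at"]
    stored = persistable_record(SAMPLE_TXN, now)
    print("stored:", stored)
    print("violations in raw txn:", retention_violations(SAMPLE_TXN, now))
    print("purged later:", purge_expired_pins([stored], now + PIN_RETENTION * 2))
```

The design point is the allow-list in persistable_record: the storable record is built from the fields that are permitted rather than by deleting the ones that are not, so a new field added upstream (a second track, a different name for the CVV) is dropped by default instead of slipping into storage. The audit function is the check an assessor, or a retailer worried about this statute, would run over what is already on disk.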

The significance of this legislation becomes clear in light of recent rulings by courts that have dismissed class action suits against companies following data breaches. On August 23, 2007, the US Court of Appeals for the 7th Circuit held that identity-theft monitoring costs paid for by the plaintiffs were not compensable damages under Indiana’s security breach notification statute. In Pisciotta v. Old Nat’l Bancorp, the court held that there was no state statute supporting compensation for such costs because “had the Indiana legislature intended that a cause of action should be available against a database owner for failing to protect adequately personal information, we believe it would have made some more definite statement of that intent.” So for the time being, unless you can show actual harm as a victim of identity theft, potential harm will not suffice.

Consequences for the Courts
As more states enact legislation that requires companies to comply with PCI, courts may begin to allow litigants to be compensated as a result of a security breach. The argument that courts have made in cases like Pisciotta will clearly be much weaker as state legislatures conspicuously demonstrate their intent to punish companies by enacting specific statutes targeting the security of personal information.

Federal and state courts will feel much more comfortable expanding their legal theories of liability when supported by statutes that explicitly create private rights of action for security breaches. In this context, courts are likely to keep following the ruling in Pisciotta until states pass legislation similar to Minnesota’s. In addition, plaintiffs might receive some relief if a recent bipartisan bill in the U.S. Senate is passed. The bill, known as the Identity Theft Enforcement and Restitution Act of 2007, was introduced on October 16, 2007 and would give victims the ability to seek restitution for the loss of time and money resulting from identity theft. Such federal legislation could prove effective in jurisdictions with no state identity-theft laws.

Consequences for Businesses
Meanwhile, the retail lobby continues to argue against laws that would hold retailers liable, saying such laws would be too costly and burdensome, especially for small businesses. This apparently was the argument that convinced Governor Schwarzenegger to veto a California law that would have mandated that the retail industry comply with PCI requirements. While this may be true, the Minnesota legislation limits the burden by exempting businesses with fewer than 20,000 transactions from the statute. Clearly, there is a way for the legislature of any state to write a statute that pressures companies to improve their data security standards without crippling small business owners.

While the retail industry will continue to resist such legislation, there is strong support from banks and credit unions, since in the eyes of consumers they are often blamed for such breaches. TJX is currently being sued by several banks who seek compensation for having to re-issue credit cards and provide credit monitoring to thousands of their customers as a result of a massive security breach earlier this year. Depending on how the case turns out, the burdens and costs of breaches may shift away from consumers, banks, and credit unions and instead be shared by the retailers and others (of course, the consumer pays in the end).

Preparing for the change
As a consequence of new state and federal legislation, the landscape of data security will continue to evolve, sometimes in seemingly dramatic fashion. Individuals and businesses will most likely be able to get their day in court for damages incurred as a result of security breaches at a third party. Industries that have so far been able to get away with minimal security standards will begin to take notice of their potential liability and, hopefully, will improve the way they guard information. While the process is slow, it appears to be inevitable.

This isn’t doom and gloom.

Many of us have already begun to prepare for these changes by writing and improving security policies that make sense and can be understood, improving the process of protecting information and working to involve users in the solution through training and awareness. Focus on the fundamentals of information protection and you’ll be less likely to be the test case.


Posted in Information Protection, compliance | Comments (1)

Success is sometimes measured in how you handle mistakes

My good friend Andy Willingham today celebrated one year of blogging. Andy, thanks for a year of sharing ideas, insights and your passions! If you’re not currently reading Andy’s Blog - you’re absolutely missing out. To celebrate a year, he pointed out that FaceTime recently experienced an unpleasant situation where customer information was disclosed. I think many of us realize that no one, and therefore no company is perfect. FaceTime has proven that - and I think Andy presented a balanced view of the situation.

I think in life, the measure of a person is how they address and handle mistakes. I think in business, the measure of a company is not whether a mistake/breach happens, but how the company handles an incident when it happens. We can split hairs over whether this constituted a breach or not. Regardless, customer information was at risk; customer information was disclosed. It’s not clear to me why that information would have been stored on the webserver, but I’m also not familiar with their architecture. Without question, on the scale of public outcry, this is and should be almost a non-issue. Almost.

While I suppose this isn’t exactly the type of event you want to feature on the front page of your website, the only public response I could find was in the Computerworld article. From what I read there, FaceTime acted quickly and even notified the people affected. Yet I was bothered by this response:

However, Capri said no sensitive personal data such as credit card numbers, Social Security numbers or dates of birth was exposed because that information is not collected on the FaceTime Web site.

It’s a fair and valid statement to make. I suppose I would advise a client to make a similar statement, with one exception: I’d leave out the part that ties “sensitive personal data” to a limited set of fields. I’m troubled by the idea that if it wasn’t a Social Security number, a credit card number or something similar, then no personal information was disclosed. Information of any kind has value, and while this was probably a mistake, I would expect a security company to have taken a different attitude.


Posted in Information Protection | Comments

I’m speaking at the NYS Internal Control Association on Thursday and will be in Baltimore on Friday

Lately, it seems like the days are just flying by. As the different initiatives I have been focusing on are completed and launched, I’m turning my time back to blogging, podcasting and working to help support organizations committed to changing the way people protect information (of course, the different solutions I’ve been developing are designed to make that a bit easier for everyone). Along those lines, if you live in or happen to be in the Albany, NY area this coming Thursday, I wanted to let you know that I will be presenting a version of the Into the Breach keynote on Thursday. I’m really excited to have the opportunity to start sharing the research that has gone into creating Into the Breach and to offer some simple tips on how you can prepare your organization and make a difference.

More details on the meeting are here: http://www.nysica.com/meetings.htm

Based on the request, I’m also going to discuss the approach and research that went into the Information Protection Assessment Toolkit (IPAT). It won’t be a sales pitch. Instead, I’m going to focus on why I created the IPAT and how you can apply the principles to your work. I have a few more “pending” speaking dates coming up, and I’ll try to post information about the public dates so that you’ll be able to attend. If you want more information about the keynote and workshops, please send me an email at securitycatalyst@gmail.com. We can set a time to talk and explore whether the keynote or workshop would be right for your organization and could help you engage people to change the way they protect information. I’m always up for a fun discussion, with no strings attached and no pressure. If you need someone to help, give me a shout. You can also check out Into the Breach (sssshhhh, I’m going to tell you more about that tomorrow).

Baltimore
I’m planning to head to Baltimore on Thursday night to attend the CSO Breakfast Club on Friday morning. In fact, we’re planning an exciting announcement while we’re there for those who attend the events. You can learn all about the awesome CSO Breakfast club here: http://www.csobreakfastclub.com/.

I have some meetings planned for the afternoon, but I purposely booked a later flight back to Albany to have some time to catch up with a few friends. If you’re in the area and want to catch up, I’d love to hear from you. If you don’t mind venturing near the Airport, we can start the holiday weekend off in a happy way. I’m looking forward to being back in the area.

Keep making a difference!


Posted in Uncategorized | Comments

Announcing the Information Protection Assessment Toolkit (IPAT)

Please confirm your participation by June 12th

You probably thought I decided to stay in Key West. But, in fact, over the last few weeks I have focused on bringing the Information Protection Assessment Toolkit (IPAT) from testing to reality.
It’s ready and I’m ready to help you protect your organization by taking important steps to gain control of your information and reduce the likelihood of a breach.

What is IPAT?
The Information Protection Assessment Toolkit is a process that helps you identify security issues and develop an information protection plan. It is the first step in protecting your organization from a breach. The launch program begins June 19th.

IPAT is unique in that it includes every member of your organization in the process of protecting information. Many of us already understand that we need to do this but struggle as to how. IPAT shows you how. Through the IPAT process you will more accurately identify key details about your information and clarify where it exists in your organization. It involves every person and prepares them to be more receptive to awareness training. The results are transformative. I’ll share a story with you next week.

Who is IPAT for?

IPAT can be scaled for any size organization. We initially designed IPAT for smaller organizations, the so-called “one man shops”, with lots of work, little budget and the need for a supported process that works. In development we realized that IPAT is flexible and scalable. We mentioned it to others and we are now in discussions to implement this approach in Fortune 50 organizations. We’ll be sharing more details next week. In the meantime, I’ll quickly explain a few details.

The IPAT System
IPAT is a system - not a one-time event - that takes a multi-disciplinary approach to protecting information. It guides you through an assessment and planning process in five weeks and then supports your protection efforts for the entire year. It includes:

  • a set-up session where we review the elements with your facilitator(s) - to make sure that IPAT is clearly matched to your needs
  • a toolkit (templates, guides, presentations, audio and other support resources) designed for the dominant learning styles.
  • four coaching sessions (3 seats). We encourage you to spread them out over the course of a year - but they are yours to use without restriction.
  • Most importantly, the Security Salon! With the Salon, you receive monthly teleseminars, weekly “office hours” with text-based chatting, a repository of more information, resources and ways to improve how you assess and protect information.

Five weeks of Roll-out coaching
IPAT Roll-out Coaching is a series of 75 minute teleseminars delivered over five weeks to keep you on track with the IPAT program. This is normally an option with an additional cost. I’m including it for free for the June 19th program.

This is a proven program already in practice
We tested the individual pieces of the system over 18 months then rolled it all into a simple, but effective program. IPAT is now ready - and we’re rolling it out for you. Those who join us for our launch will receive the optional, Roll-out Coaching, free.

Investment
While hiring us to perform an information protection assessment can easily cost tens of thousands of dollars, we have designed IPAT so that you have the tools and guidance to do the assessment yourself with our support for $5000. This solution is affordable for organizations of all sizes.

This is a program, designed from the ground up, to get you the information you need, when you need it; it supports you when you need support; and lets you focus on the business of your organization.

The Benefits of Starting Now
The materials and process of IPAT are proven. I’m now looking for a few organizations that are ready to get serious about protecting information. I am ready to support you with the Information Protection Assessment Toolkit. As a thanks for helping me tweak the program before full implementation, I’m offering the Roll-out Coaching for free. Space is limited to the first 25 people - and we will begin on June 19th.

I’ll have more details available next week.

Posted in Information Protection | Comments (1)

It’s time to reboot the security industry

It seems that this year has been dominated by negativity: we have focused on months of bugs, slammed colleagues and users and even tried to prove through science that people don’t understand risk. In fact, many in our industry seem quick to point out that everything is wrong, nothing works… and that’s not very comforting.

As I have traveled around the country, hosted some informal gatherings and met with friends and clients, I’ve been struck by how people, in general, look and act. Most of the people I have met in security seem “down”, rushed, angry and lacking hope.

So we start a year where we feel downtrodden, upset, dejected and hopeless?

Open Culture (http://www.oculture.com/weblog/2007/03/famous_stanford.html) recently ran a story about the (in)famous Stanford Prison Experiment. After reading it, I remembered back to the first day of my new job after college. My first boss sat me down and told me, “Don’t F*** up, because if you do, the whole world will crush you. If you do a good job, no one will notice, and that’s okay.” In my experience, those words have sometimes been accurate. Since I “got my start,” I have always remembered that first conversation - mainly in the context of watching how many people in technology have been treated and how they chose to treat others.

Practicing Security Today is like the Famous Stanford Prison Experiment

The Stanford prison experiment was a psychological study of the human response to captivity, in particular to the real world circumstances of prison life and the effects of imposed social roles on behaviour. It was conducted in 1971 by a team of researchers led by Philip Zimbardo of Stanford University. Undergraduate volunteers played the roles of guards and prisoners living in a mock prison that was constructed in the basement of the Stanford psychology building.
– Wikipedia entry (http://en.wikipedia.org/wiki/Stanford_prison_experiment)

In the experiment, the behaviors of both the guards and the prisoners escalated quite quickly as each took on characteristics of their role — to the point where the experiment was ended early.

You can learn more here:

Wikipedia: http://en.wikipedia.org/wiki/Stanford_prison_experiment
The official website: http://www.prisonexp.org/
An interesting overview: http://www.holah.karoo.net/zimbardostudy.htm

Some of you are probably reading this, recalling the experiment from your college days and wondering… do I think that we are the prisoners or the guards? Short answer is: “yes.”

Reading about and remembering my cursory study of the Stanford prison experiment also made me realize that as “protecting information” has grown in importance, many people in the field of security have been given an opportunity they have never held - a chance to influence and sometimes to enforce. After years of receiving abuse, they find themselves in positions of power - and sometimes without guidance. So we take a reactive and negative approach to those around us. Perhaps some of our colleagues “assume the position” too much and get a bit carried away?

In some cases, we have folks that act like the guards; some act like prisoners and some, I believe, *were* prisoners that now have the role of guard - and they have a lot of memories guiding their actions.

Now, let me be clear - with all the plight in the world today, I’m not suggesting that we, collectively, take our practice of security to the extremes of the prison experiment. In fact, I’m not suggesting a direct comparison. I just happened to review an article on the topic a few weeks back and it has stuck with me that our practice of security might be allowing people to embellish their roles.

Regardless, this is a situation we cannot accept. Period.

We cannot accept this approach: reboot the industry

What happens when your computer doesn’t respond as you would like? Many of us check for runaway processes and consult the logs. If you’ve ever worked with Windows or supported Windows users, a more common answer is: reboot the system.

In security today, I suspect we could “check the logs” and look for runaway processes, but I feel like we need a reboot. We have to flush from memory the bad blood and old experiences and get started with a clean(er) slate. We need a fresh start (or at least a fresh approach).

I believe that the better way to practice the protection of information is through a positive approach that stresses inclusion and builds partnerships. In the last year, I have watched people in our industry alienate the very people that have helped them. I have coached organizations away from taking a punitive approach to security. I have confessed that I love to learn, love to teach and truly enjoy working to simplify security and relate our concepts to people in a language they understand.

In Speaking About Security, we explore the power of the narrative. We learn through story (you can really see this in children). On a recent flight home, I was treated to “Night at the Museum” (http://www.imdb.com/title/tt0477347/). While it might not have been a movie I would have normally selected, I was amazed by the story. Without revealing details, the success came after abandoning a process of restriction and following a path of inclusion.

I’m not suggesting that Hollywood holds the answers, but we cannot ignore the fact that the “story” of this movie and the movie itself were both successful. They are natural to the human experience and something we need to strive for in our practice of security (and the protection of information).

After reboot: It’s time to get grounded and follow a new vision for security

I believe in a new vision. I see a way to practice security that minds the past while focusing on the basics. The future for us focuses on protecting information - and everyone has a role. Protecting information is dialogue; it cannot be simply a directive. The current strategy of relying solely on technology is not working, and it’s time to follow a better way. I believe that means we have to follow an inclusive strategy.

We have to foster a sense of trust among each other and our users. We have to reintroduce the concept of accountability and foster a culture that embraces and expects personal responsibility.

I tend to be the sort of person who prefers action to words. This approach influenced me to share more of my ideas through the blog and podcast this year and led me to create the inclusive and supportive Security Catalyst Community (http://community.securitycatalyst.com/forums/index.php). As that community continues to grow and thrive, I have met many other passionate professionals that have challenged and supported my growth - reinforcing to me that collaborating with others can be truly powerful.

I have decided to spend some time focusing on three key areas:

1. Architecting a shared new vision for approaching how we can protect information (security). It’s not *my* vision - it’s *our* vision and I invite you to join in the conversation and practice a new way.

2. Helping security professionals find their voice. As a parent, I have watched my children struggle with communication and sometimes resort to hitting, tantrums or what we generally call “melt-downs.” I believe that our success in security is tied to our ability to successfully communicate in speaking, writing and presentations.

3. Providing organizations and security professionals the support needed to be successful at our jobs.

I have decided that for our profession to effectively protect information, I want to help each of you become more successful in what you do.

Supporting Your Growth and Development

Through a lot of conversations with clients, friends and even ISSA and Infragard chapters, it was revealed to me that I was already offering some of what people were looking for. As a result, I have improved some programs we already developed and accelerated the development of some new ones.

To help people get grounded, focused and be able to “do more with less” without burning out, we have updated “Are you making a living or making a life?” - which is now available in a keynote, workshop and private workshop session. It’s an approach that shares how we can break the cycle, lead more “integrated lives” - as opposed to seeking “balance” - and build more effective relationships with those around us. Rather than acting out the Prison Experiment, it allows us to pursue a strategy of inclusion, to work together to protect information.

In March, we launched “Speaking About Security” to improve the ability of security professionals to communicate more effectively, inspiring their colleagues to take action.

Mike Rothman and I just announced the formation of the Security Education Network (SEN), which includes the Security Salons I have been forming, as a method to provide the information, insights and support needed to bring your performance to a new level. I’ll be writing more about that in the coming days.

This summer I launch my book, “Into the Breach: Why Corporations Fail to Protect Sensitive Information - and What Can be Done About It” — where we explore breaches and propose an approach to protecting information that allows business leaders to shift their culture away from the “security diet” to a “mindset of protecting information.” I look forward to sharing this with you.

We’re currently working on some different ways to get some needed information, resources and training to you. As soon as some plans firm up, I’ll make some announcements.

I am excited about this journey. I am passionate about my focus and my ability to help guide you and your organization. I firmly believe we need to learn from the past and work toward a better way. I offer up my approach of positive reinforcement, inclusion and education. I look forward to blending my passion, insights and approach with yours and with those of others. It’s time for a change, and I’m excited!

We plant plants…

We show you how to improve your gardening skills…

You grow gardens.

PS: I think I have finally fixed the formatting issues. - Santa 11:19a

Posted in Information Protection, Professional Speaking | Comments (2)