Thursday, August 31, 2006

Why you should ALWAYS listen to your employees.

http://abcnews.go.com/Technology/story?id=2371149&page=1

Desperate Whistleblower Turns to YouTube

Former Engineer Accuses the World's Biggest Defense Contractor of Knowingly Jeopardizing National Security

By JONATHAN SILVERSTEIN, Aug. 29, 2006

"What I am going to tell you is going to seem preposterous and unbelievable."

Those are a few of the first words of a video posted on YouTube by former Lockheed Martin engineer Michael De Kort, claiming that the defense contractor had built and the Coast Guard had accepted a number of boats that fall far short of government standards and leave our national security in question.

De Kort had tried going through the chain of command at Lockheed, and had contacted the government, the Coast Guard and various members of Congress, but no one seemed willing or able to help.

"YouTube was my last best shot -- I never wanted to do this publicly," he explained. "I had gone there to look at entertaining videos and saw that hundreds of thousands of people were visiting the site, and I thought that if there was something that was novel ... maybe just the fact that I was doing it would be the story."

... And although De Kort's video has been viewed only a little more than 8,000 times since he posted it on Aug. 3, his story has appeared in print, on radio and TV -- further evidence that the Internet has given the average person a way to be heard.



Why would PDAs be any different than computer hard drives?

http://www.vnunet.com/vnunet/news/2163176/pdas-sold-ebay-loaded-sensitive

PDAs sold on eBay 'loaded with sensitive data'

Security firm recovers 27,000 pages of personal data

Robert Jaques, vnunet.com 30 Aug 2006

Most used smartphones and PDAs for sale online are loaded with sensitive data ranging from banking records to corporate emails that can easily be retrieved by hackers and data thieves, it was alleged today.

According to a sampling by mobile security software provider Trust Digital, much of this sensitive information is retained in the Flash memory of the devices because of a widespread failure to perform the advanced hard reset required to delete data.

Trust Digital claimed that its engineers were able to recover nearly 27,000 pages of personal, corporate and device data from nine out of 10 mobile devices purchased through eBay for the project.



This will scare politicians. It's like conducting business in the open! (Open Source government?)

http://politics.slashdot.org/article.pl?sid=06/08/30/194231&from=rss

Bloggers 1, Smoke-Filled Room 0

Posted by kdawson on Wednesday August 30, @05:01PM from the mister-can-i-have-some-pork dept. Censorship Politics

MarkusQ writes "A few days ago a bi-partisan bill (PDF) to create a searchable on-line database of government contracts, grants, insurance, loans, financial assistance, earmarks and other such pork was put on 'secret hold' using a procedure that does not appear to be mentioned in the Constitution or in the Senate bylaws. This raised the ire of bloggers left and right and started an all out bi-partisan effort to expose the culprit by process of elimination. As it turns out it was our old friend the right honorable Senator from Alaska, Mr. 'Series of Tubes', Ted 'Bridge to Nowhere' Stevens."



Does anyone have a good article on “E-mail manners?”

http://slashdot.org/article.pl?sid=06/08/30/2010257&from=rss

When Can I Expect an Email Response?

Posted by ScuttleMonkey on Wednesday August 30, @05:53PM from the turnabout-is-fair-play dept. Communications The Internet

An anonymous reader writes "Ever sit there waiting for an email response and wonder what's going on? Did they get it? Did it get filtered? A study looks at the responding habits of a large group of corporate users. They find, among other things, that users would try to 'project a responsiveness image. For example, sending a short reply if a complete reply might take longer than usual, intentionally delaying a reply to make themselves seem busy, or planning out timing strategies for email with read receipts.' Tit-for-tat, 'Users would try to reciprocate email behaviors -- responding quickly to people who responded quickly to them, and lowering their responsiveness to people who responded slowly to them in the past.'"



So why don't managers secure their systems? See next article...

http://www.eetimes.com/news/latest/showArticle.jhtml?articleID=192500557

Survey says security issues can be fixed

Luc Hatlestad (08/30/2006 7:57 AM EDT)

A pair of security surveys released this week shows that protecting corporate and consumer data is sometimes easier than people might think, but the broader problem still is confounding far too many organizations.

The first study, entitled "Network Attacks: Analysis of Department of Justice Prosecutions 1999-2006," shows most network attacks tracked by the DOJ used stolen IDs and passwords. Those attacks resulted in far more extensive damages than what had been assumed -- an average of more than $1.5 million per incident, with $10 million being the most damage incurred in one incident. The study, commissioned by Phoenix Technologies and conducted by research and advisory firm Trusted Strategies, analyzed data from all cases prosecuted and publicly disclosed by the DOJ between March 1999 and February 2006.

The report also maintains that a whopping 84 percent of these attacks could have been thwarted if, after checking the user ID and password, the organization had simply verified the identity of the invasive computer connecting to its network and accounts via device authentication policies and solutions.



“We don't think we can, so we don't have to try.” (Think of this study as a guide for class action lawyers...)

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002834&source=rss_topic84

Study: Many believe data thefts can't be prevented

Todd Weiss August 29, 2006 (Computerworld)

Fresh on the heels of a string of highly publicized, corporate data breaches, 63% of respondents to a new data security study said they don't believe they can prevent such breaches.

"This group came out much, much more negative than I ever expected," said Larry Ponemon, the founder and chairman of the Ponemon Institute LLC, an Elk Rapids, Mich.-based firm that looks at information and privacy management practices in business and government. "They said they're bad at detecting [breaches], but even worse at preventing [breaches]."

The 11-page study (PDF format), "National Survey on the Detection and Prevention of Data Breaches," which was released yesterday, is based on responses from 853 IT professionals, including senior executives, information security managers and others. The study was sponsored by PortAuthority Technologies Inc., a Palo Alto, Calif.-based vendor of information leak prevention software.

The study also found that 41% of respondents said their companies are not effective in enforcing data security policies because of a lack of corporate resources.

... About 66% of the respondents said their companies use hardware or software to help detect or prevent data breaches, but the remaining respondents said their companies don't use such tools because of their high costs. [Not even the free tools? Bob]

Some 16% said their companies believe that their manual security procedures are enough and that their company is not vulnerable to a data breach. [Fire these idiots immediately! Bob]

... 59% of those surveyed said they believe they can effectively detect a data breach using available IT tools and procedures.

Respondents reported a 68% probability of detecting a large data breach (of more than 10,000 data files), while they said small data breaches (fewer than 100 files) are likely to be detected only 51% of the time.

... Monitoring a company's data use policies is important, he said, but that's difficult to do because of employee training needs, turnover and other issues. "No one does that kind of stuff," he said.



http://www.infoworld.com/article/06/08/30/HNwebfootprints_1.html?source=rss&url=http://www.infoworld.com/article/06/08/30/HNwebfootprints_1.html

Web browser leaves no footprints

Browzar deletes Internet caches, histories, cookies to protect user privacy

By China Martens, IDG News Service August 30, 2006

The latest entrant to the crowded Internet browser market is the appropriately named Browzar, a tool specifically designed to protect users' privacy by not retaining details of the Web sites they've searched.

... Browzar is being officially launched Thursday but can already be run or downloaded from its Web site. Users don't have to register to use the free browser.



If this is a data analysis tool they should be able to demonstrate data analysis – not a simple search for names.

http://www.washingtonpost.com/wp-dyn/content/article/2006/08/29/AR2006082901520.html

FBI Shows Off Counterterrorism Database

By Ellen Nakashima Washington Post Staff Writer Wednesday, August 30, 2006; A06

The FBI has built a database with more than 659 million records [Modest by data warehousing standards. Bob] -- including terrorist watch lists, intelligence cables and financial transactions -- culled from more than 50 FBI and other government agency sources. The system is one of the most powerful data analysis tools available to law enforcement and counterterrorism agents, FBI officials said yesterday.

The FBI demonstrated the database to reporters yesterday in part to address criticism that its technology was failing and outdated [We never said that. We said they don't have the technology they need. Still don't apparently. Bob] as the fifth anniversary of the Sept. 11, 2001, terrorist attacks nears.

... In a demonstration, Grigg sat at a computer and typed in the name "Mohammad Atta," one of the 19 hijackers in 2001. The system can handle variants of names and up to 29 variants on birth dates. He typed "flight training" in the query box and pulled up 250 articles relating to Atta.

The system, designed by Chiliad Inc. of Amherst, Mass., can be programmed to send alerts to agents [Oh boy! E-mail! Bob] on new information, Grigg said. Names, Social Security numbers and driver's license details can be linked and cross-matched across hundreds of millions of records.

... Grigg said that before 2002, it would take 32,222 hours to run 1,000 names and birth dates across 50 databases. Now agents can make such a search in 30 minutes or less, he said. [In a real data warehouse, the system would have already produced that information. Bob]

... David Sobel, senior counsel of the Electronic Frontier Foundation, said the Federal Register has no record of the creation of such a system, a basic requirement of the Privacy Act. He also said the FBI's use of an internal privacy assessment undercuts the intent of the privacy law.


http://techdirt.com/articles/20060830/194817.shtml

FBI Shows Off Big Database... Just As UK Shows Why Big Databases Are Bad

from the great-timing dept

Remember all the trouble the FBI has been having getting its big new computer system working? They must be feeling a bit embarrassed about all that. That might explain why they were so proud to show off their big new counter-terrorism database. However, as the article notes, there are legitimate fears about peoples' privacy when such huge databases are put together by governments. In fact, across the Atlantic Ocean a story is coming out about a similar big database, as it's been revealed that government office workers have been hacking into the database to check out the profiles of people they know. With any of these big databases, it's only a matter of time before that data is abused in some manner -- no matter how carefully government officials claim that the data is only used for legitimate reasons.



No doubt law students will analyze these to determine where they will find the most clients...

http://www.bespacific.com/mt/archives/012301.html

August 30, 2006

Report Documents Federal Criminal Justice Trends from 1994-2003

Bureau of Justice Statistics press release: "The number of suspects and defendants processed in the federal criminal justice system grew substantially during the 10-year period of 1994 to 2003, the Justice Department's Bureau of Justice Statistics (BJS) announced today. U.S. federal prosecutors investigated more than 130,000 suspects during 2003 (a new record), up from 99,000 men and women in 1994."

  • "The report, Federal Criminal Justice Trends, 2003 (NCJ- 205331), is the first in a new series to track changes in the federal criminal justice system. It employed data from eight federal agencies to describe the enforcement of several thousand statutes in the U.S. Criminal Code. The report was written by BJS statistician Mark Motivans."



http://www.bespacific.com/mt/archives/012312.html

August 30, 2006

Presentation on 3 Must-Use Online Tools for Journalists

3 Must-Use Online Tools for Journalists, Amy Gahran's handout [HTML and PDF] from the annual conference of the Society of Professional Journalists (SPJ). [via Center for Media and Democracy]



Pass this to your Security guys...

http://www.f-secure.com/weblog/#00000961

Got Java?

Posted by Sean @ 14:45 GMT

Java Runtime Environment (JRE) 5.0 Update 8 is available. That being so, we attempted to update via the Java Control Panel applet. The result was a prompt informing us that we had the latest version.

[Image: the "You Already Have The Latest Java" prompt]

That seemed odd so we searched for details and discovered that Brian Krebs has written a very interesting article on the matter.

To sum it up: Installing a JRE Update doesn't remove the older versions of JRE that are installed. So, any older security issues remain installed as well. You'll want to manually uninstall the old version(s) before "updating".
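Since the Control Panel only reports the newest JRE, the stale ones are easy to miss. The following PowerShell script is an added example (not from F-Secure or the Krebs article) that lists every Sun JRE registered on a Windows machine and the matching Add/Remove Programs entries; it assumes the standard Sun registry layout under HKLM\SOFTWARE\JavaSoft and that the uninstall entries' DisplayName contains "Runtime Environment".

```powershell
# Added example: enumerate every Sun JRE registered on this machine so that
# the older versions an "update" leaves behind can be found and uninstalled.
# Assumption: Sun's registry layout (HKLM\SOFTWARE\JavaSoft\Java Runtime Environment)
# with one subkey per full version (e.g. 1.5.0_08) carrying a JavaHome value.
$jreKey  = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
$current = (Get-ItemProperty -Path $jreKey -ErrorAction SilentlyContinue).CurrentVersion

$installed = Get-ChildItem -Path $jreKey -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^\d+\.\d+\.\d+_\d+$' } |
    ForEach-Object {
        [PSCustomObject]@{
            Version  = $_.PSChildName
            JavaHome = (Get-ItemProperty -Path $_.PSPath).JavaHome
        }
    }

"CurrentVersion reported by the Control Panel: $current"
$installed | Sort-Object Version | Format-Table -AutoSize

if (@($installed).Count -gt 1) {
    "More than one JRE is installed; the older ones still carry their old security issues."
    # Matching Add/Remove Programs entries, so the stale versions can be removed.
    # Assumption: the DisplayName of Sun's uninstall entries contains "Runtime Environment".
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    Get-ChildItem -Path $uninstall |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.DisplayName -like '*Runtime Environment*' } |
        Select-Object DisplayName, DisplayVersion, UninstallString |
        Format-Table -AutoSize
}
```

On 64-bit Windows the same keys may also appear under the WOW6432Node branch, so run the check against both if a 32-bit JRE is present.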



Is a virtual “Pink Slip” legal?

http://techdirt.com/articles/20060830/113659.shtml

Radio Shack's New Commitment To The Internet Includes Firing People Via Email

from the seems-a-bit-harsh dept

In the last few years, there have been a bunch of stories, usually out of the UK, of companies firing people via text message. Text messaging just isn't as popular in the US yet, so it seems that Radio Shack decided to go in a different direction and fire 400 people via email. The company is defending the decision by saying that employees had been told that they would be notified electronically, so they don't see what all the fuss is about. I guess that beats the excuse another company used recently, that being fired electronically was just a part of youth culture. Of course, over in the UK, some of the people who were fired by text message later won additional compensation for being cynically manipulated. Speaking of which, if being cynically manipulated deserves extra compensation, I'm sure there are plenty of people who are probably owed a lot of extra cash.



In Con-Law, students are intimidated by a requirement to re-write the constitution in their own words. “It's not written in English, so it's hard to understand what they mean!” Obviously not everyone finds that difficult.

http://techdirt.com/articles/20060830/125628.shtml

Culver City Gets Around Pesky First Amendment With Terms Of Service

from the read-closely dept

Last week, we learned that Culver City, California was installing filters on its muni-WiFi network, in an attempt to block content it (or the MPAA) didn't like. Ignoring the facts that filters don't really work and they weren't aware of any real problem until a vendor pointed it out to them with a sales pitch, a local government deciding to put roadblocks up to undesirable, though not illegal, activities (surfing porn or using P2P, in this instance) is more than a little sketchy. But it gets a little more interesting: when logging on to the service, the city's terms of service says users must agree to "waive any First Amendment claims" stemming from the service. That seems like a slightly less nasty way to tell people their First Amendment rights simply don't apply -- but since users are "voluntarily" waiving them, it's somehow okay. Plenty of companies use things like end user license agreements to make it okay for them to do things like install spyware on your computer, and some have argued that EULAs can trump certain laws. But a city using a similar terms of service -- which most users aren't likely to read -- to make an end run around the Constitution seems like a silly measure that's destined to end up in court.



I bet we could come up with a bunch of other examples...

http://techdirt.com/articles/20060830/192345.shtml

Fire-The-Coach Domain Squatting The Next Big Thing

from the just-can't-stop dept

Apparently, domain squatting involves being a bit more creative these days. You can't just pick up the names of companies too shortsighted to register their own names. Instead, you need to look for ways to predict what people will be interested in down the road. That could be hurricane names, or it could be cashing in on the inevitability of fans hating their coaches. One guy has apparently gone around registering "fireyourcoachhere.com" domain names for a variety of famous sports coaches -- knowing that upset fans will make them valuable at some point. Consider it the human equivalent of companies who discover someone owns "thiscompanysucks.com" domain names. Of course, in that case, many companies sue to get those names back, claiming trademark infringement. How long until an angry coach sues to get back a website demanding he be fired?



Looks like a great strategy to me!

http://blogs.zdnet.com/Ratcliffe/?p=172

Amazon's Everywhere Strategy

Posted by Mitch Ratcliffe @ 8:34 am August 30, 2006

Amazon introduced the "aStore" this morning, in an email to associates. The service creates a dedicated retail environment that anyone can use to sell stuff in the Amazon catalog. I spent about 20 minutes setting up a store, which you can see here, and have a few thoughts. Here's what Amazon has to say about it:



Can you see them light the fuse? Can you hear the theme music?

http://online.wsj.com/public/article/SB115698239989350052-UVfk3ol8fkMATSzIQbYJuJ3P9Po_20060929.html?mod=tff_main_tff_top

This Email Will Self-Destruct

New Services Help Safeguard Outbound Messages Against Forwarding and Tampering

By ANDREW LAVALLEE August 31, 2006; Page D1

People who want to open email from patent attorney Andrew Currier have to know the drill. First, they must answer a predetermined question, such as "Where did we first meet?" If they answer correctly, they will then be allowed to view the contents of the email -- but they can't alter it or forward it to anyone else.

Concerned about privacy, the Toronto-based lawyer has begun using a new service that encrypts his emails and tries to keep unintended recipients from reading the contents. The tool, developed by Echoworx Corp., adds a "send secure" button to his Microsoft Outlook email program. Unlike other email-security systems Mr. Currier has tried, this one doesn't require recipients of his emails to download any software or use the same email program.

"I really need it to be easy for the client on the other end," says Mr. Currier, who says that leaked information could be disastrous for one of their patent applications. "People don't appreciate just how vulnerable email is."

Amid heightened privacy concerns, a handful of technology companies are touting new services designed to make existing email programs, such as Microsoft Corp.'s Outlook, more secure, with features ranging from emails that can't be forwarded to self-destructing messages that can be viewed only for a limited time. While most email programs by themselves guard against inbound attacks such as viruses and spam, they give computer users little control over the messages that are sent. So these third-party developers, which aren't working directly with Microsoft or other email companies, aim to fill that hole.

The new outbound-email services focus on safeguarding data and protecting the sender from legal liability, says Richi Jennings, an email-security analyst at Ferris Research in San Francisco. "The state of the art of the technology, though, for some time has just made it really difficult to deploy," he says. "That seems to be changing."

... Another new service, Kablooey Mail, allows consumers to send "self-destructing" emails that can be viewed for only a limited time, which may appeal to people who don't want a record of their correspondence. The free service, which made its debut in July, lets individuals log on to Kablooey's site to compose a message and set an expiration time, which can range from 10 seconds to two weeks after the message is opened. (Senders can also elect to have the message not expire.) A copy of the message is saved in the sender's account, where it can be reviewed by the sender later, or deleted altogether for extra security.

... A recipient is instructed to use only the up/down arrow keys or scroll bar to read the message; any other keystroke causes the message to expire instantly, which removes the message from the screen and prevents the recipient from accessing it again.

... Email is increasingly called on as evidence in court, says Dana Henry, a consultant for RPost International Ltd., a Los Angeles-based provider of "registered email" services. It is relatively easy to change the contents of a message or say it was never delivered, says Ms. Henry, a former Los Angeles County Superior Court judge. "There is such incredible deniability on the part of the other party who is the recipient."

The RPost service, which also works with Outlook, is designed to ensure the authenticity of messages so that they can be used in legal disputes, if necessary. The program adds a unique digital seal to each registered email. A few minutes after sending the message, the sender receives an email receipt that includes when the message was delivered and opened. RPost will also verify whether the original message's content was changed. The sender can choose whether or not the email tells the recipient that the message is registered.

The RPost service, which charges senders 59 cents for each registered email, added a new feature in July that checks for "risky" content, such as Social Security numbers or key words that senders -- or the senders' employer -- have flagged, before delivering the message. Customers, especially lawyers and technology professionals, are interested in using the service to protect senders from email-related liability, says RPost CEO Zafar Khan. "That can often cost the company quite a bit more, especially in this country, in litigation and litigation-discovery costs," he says.
