Tuesday, October 03, 2006

Nothing says security experts know anything about the law...


Report shows HP sought expert to help find leak

By Damon Darlin Story last modified Mon Oct 02 22:30:28 PDT 2006

Hewlett-Packard sought the advice of a well-known intelligence specialist, Brian Jenkins of the RAND Corporation, on how to find the source of a boardroom leak, according to a report compiled by HP's law firm and provided to a House subcommittee.

Jenkins, formerly a top investigator with Kroll, the nation's largest detective agency and a firm used by many large corporations, advised HP to use pretexting to obtain private telephone records, according to the report by the law firm, Wilson Sonsini Goodrich & Rosati.

Pretexting is a practice of using questionable methods to obtain private phone records.

... The Wilson Sonsini report is notable for the attempts by the firm's lawyers, Bahram Seyedin-Noor and Bryan Ketroser, to establish when particular company executives had knowledge of pretexting. The method may not be illegal, but the company has acknowledged that it is unethical and should not have been used.

The Wilson Sonsini lawyers were particularly interested in the use of Social Security numbers in the efforts to obtain phone records, but they uncovered no evidence that the company had provided them to private detectives.

The report also shed light on the legal opinion the company sought to verify the legality of using pretexting to obtain phone records.

The Wilson Sonsini report found that HP lawyers relied on a legal opinion prepared by a law clerk, not a lawyer, at a firm associated with Ronald DeLia, the private detective the company had hired to find the source of the leaks.


Corporate leak probes walk a fine line

Debate swirls about the ethics of pretexting, investigating leaks

By Robert Mullins, IDG News Service October 02, 2006

In one telling moment during the recent Congressional hearings on the Hewlett-Packard Co. board scandal, ousted chairman Patricia Dunn offered the "everybody does it" defense. [Ah, the sophistication of the average teenager! Bob]

Asked by one legislator about HP’s hiring private investigators who obtained phone records under false pretenses, a practice called pretexting, to identify who’d leaked confidential information, Dunn replied, "I believe these [pretexting] methods may be quite common at companies around the country."

If so, that is chilling to business ethicist Kirk Hanson.

"As an ethicist I’m horrified that HP’s managers relied on the assertion that it was borderline, but legal, and never asked whether it was ethical," [Don't ask questions if you won't like the answers Bob] says Hanson, executive director of the Markkula Center for Applied Ethics at Santa Clara University, in Santa Clara, California.

If HP adopted what Hanson called "black ops" as standard investigative practices, he wonders how many other companies have done it.

HP, some of its employees and companies it hired to investigate boardroom leaks to news media still face potential civil and criminal liability for their actions. Other companies find themselves in a dilemma over how to control information within the law.

Companies may have a moral or legal responsibility to respect people’s privacy, but they also have a legal and fiduciary responsibility to protect confidential business information. And under the federal Sarbanes-Oxley Act in effect the last four years, they have obligations to investigate certain leaks, Hanson says.

Companies have a right to investigate their own employees if they’re suspected of leaking information. Employees should presume no right to privacy in their use of company computers, e-mail programs or telephones.

One commonly used tactic to probe security breaches doesn’t even involve electronic snooping. Companies exclusively give suspected leakers seemingly important but relatively benign information. If it turns up in the media, the company has identified the leaker.

But Hanson sees a bright line separating how a company can investigate its own employees and how it can investigate outsiders.

The HP reaction to leaks to reporters contrasts with the recent practice of Apple Computer Inc. when proprietary information got out.

Although Apple is known for its devotion to secrecy, it went to court rather than to private eyes when confidential information leaked in 2004. Apple, of Cupertino, California, sued in state court to force two Web sites to reveal sources for stories they posted about a possible new Apple product. A state appellate court ruled May 26 that the writers on those Web sites enjoy the same First Amendment rights as mainstream journalists and, thus, were protected by California’s shield law from having to reveal their sources. Apple dropped the case. It did not reply to a request for comment on this story.

The Sarbanes-Oxley Act requires companies to develop a whistle-blowing reporting system so employees can raise issues about improper behavior within the company, said Hanson. That has prompted companies to develop an investigative capability in the event improper or illegal activity is alleged. "So (under SOX), companies have developed much enhanced investigative capability," he said.

Companies also have to keep confidential information safe because disclosure could be a criminal act or a breach of fiduciary responsibility, said Rob Enderle, senior analyst at Enderle Group, a technology market research firm.

If word leaks that a board is contemplating an acquisition, for instance, the company or people in it could be prosecuted for insider trading if people used that knowledge to make stock trades.

Given the potential liabilities, corporate investigations of leaks are "common," said Enderle. "The stuff with the pretexting goes to the extreme, but looking at company phone records or e-mails, that is very common. Hiring an outside contractor is also common."

In fact, leak investigations enjoy broad support among corporate directors.

In a September telephone survey of 226 board members at publicly traded companies in the U.S., 73 percent said a company's chairman should be empowered to use any legally available means to identify a board-level leaker, according to Ponemon Institute LLC.

About 71 percent of the respondents said it would be okay for a board chairman to review the e-mail messages of other members, in addition to other types of confidential data stored on company computers. Fifty percent said that reviewing telephone records of individuals obtained via pretexting is proper as long as that approach hasn't been outlawed.

But HP’s tactics of tailing reporters, attempting to install a tracer on a reporter’s e-mail program, pretexting numbers of people outside the company and even considering planting spies in newsrooms as janitors or clerical workers is "bizarre" to Rick Belluzzo.

"The reaction by HP was totally out of proportion with the situation," said Belluzzo, chairman and CEO of Quantum Corp., a network storage equipment maker. His résumé includes president of Microsoft Corp. and a 23-year stint at HP, where he rose to the position of executive vice president of its computer division.

While he understands the importance of keeping certain information confidential and making employees and directors sign confidentiality agreements, HP overreacted to information leaks that are sometimes going to happen anyway.

"It’s an impossible task to control information flow. Some leaks are inevitable," Belluzzo said.

Tools & Techniques

No reason these tools wouldn't work on board members too


Rethinking IM Privacy For Kids

Posted by kdawson on Monday October 02, @04:29PM from the extra-safe-society dept. Security

mackles writes, "Now that the world has read the despicable instant messages from Rep. Foley, should parents take a second look at monitoring their kids' IMs? After all, it was IM logging that exposed the scandal; would we have found out otherwise? Cost is not an issue; there are free monitoring tools. Should parents tell their kids before they monitor? Parents and their tech-savvy kids are at odds on the topic. From the article: 'As many as 94 percent of parents polled this summer by the research firm Harris Interactive said they've turned to Web content filters, monitoring software, or advice from an adult friend to keep electronic tabs on their children.' The article quotes one 18-year-old as saying, 'A lot of kids are smarter than adults think.'" [Just what we want you to think, sonny. Bob]

It's not (just) stupidity! I'm not sure that's a relief...


Looking Behind Bad Decisions

Q&A with: Max Bazerman Published: January 30, 2006 Author: Manda Sall

Executive Summary:

In a recent HBS Working Paper, HBS professor Max Bazerman and colleagues explore how biases and human psychology impede policy-making efforts that could vastly improve people's lives.

So does the previous article explain this one?


To Protect Our Ports, We've Now Banned Online Gambling

from the say-what? dept

A bunch of politicians have been pushing for this for quite some time, but this weekend it surprised many people when the Senate was able to squeeze an anti-gambling bill in with an unrelated bill on port security. While the administration has long claimed that online gambling was already illegal, it wasn't entirely clear from the language of existing legislation what was covered and what could be done about it. This new law helps clarify it and tacks on punishment. Of course, it seems reasonable to ask what online gambling has to do with port security. [What are the odds a terrorist can sneak a nuke past Customs? Bob] It also seems reasonable to ask why an activity that millions of adults choose to engage in, and which can easily be regulated (and taxed), should be outright banned. What will be really interesting is seeing what comes next. While all the big online gambling sites have said stuff about stopping bets from folks in the US, it's unlikely they'll really be able (or all that willing) to do so. People will still be online. At the same time, the WTO has already pointed out that the US's attitude towards online gambling is in violation of various agreements -- but it's not like the US is going to bother listening to an organization like the WTO. Still, this ban seems unlikely to work, and only likely to infuriate a bunch of Americans who don't see anything wrong with playing an occasional hand of poker online. And, of course, it's not even worth looking at the various exceptions for the types of gambling (state lotteries and horses) that politicians think are just dandy.

Think of this feature being activated in error (like the alarm on your car) in the middle of a concert/classroom/funeral, etc.


Screaming Cell Phones Plan to Cut Down Theft

October 2, 2006 By Marc Jones, Reuters

LONDON (Reuters)—A UK firm is hoping a cell phone security system it has developed, which sets off a high-pitched scream, permanently locks the handset and wipes all data if stolen, will halt the spiraling rise in phone theft.

... "We also then set a small bomb off, [Logic bomb I hope... Bob] if you like, that completely wipes the data...if it has genuinely been stolen then it renders the phone useless to the thief," he added.

... The system also automatically backs up data held on a device once a day, [so it can be reviewed by MI5 Bob] meaning users can re-load their information onto a replacement handset.

According to the latest UK government statistics, mobile phone theft has risen 190 per cent in recent years, with one third of all UK robberies now solely involving mobile phones.

Insurer Halifax estimates a mobile handset is stolen every 12 seconds in Britain costing UK consumers around 390 million pounds ($735 million) every year.

Competition for e-Bay?


Ugly ads no more: vFlyer makes pretty classifieds

October 2, 2006 9:38 PM PDT

Here's a useful new Web utility: vFlyer, a site that builds nice classified ads for you and then posts them on classifieds sites like Oodle. Ads go to the right services: For Sale items get put on classifieds services in the correct ZIP code, and job postings show up on job aggregators like SimplyHired.

vFlyer can't auto-post into the two most important person-to-person markets, eBay and Craigslist, but it does have a browser bookmarklet to easily create a Craigslist ad (like this one), and it creates HTML that you can paste into any other site.

The service makes it easy to create a good-looking ad, which appears the same wherever you post it. But there's more to vFlyer than the nice formatting. For example, the service attaches a response page to each ad, which buffers your real email address from potential buyers. (The company makes money by running its own advertisements on the response pages.) You can also track the performance of your ad on the various sites where it's posted.

I guess I don't see the problem.



N.Y. Proposal Would Designate Lawyer Blogs as Advertising

BY STEPHANIE FRANCIS WARD Friday, September 29, 2006

The legal blogs are boiling:

  • "We go around passing rules that make us look like idiots."

  • "We continue to handicap and bring everyone into the trenches."

  • "The small firm can’t afford [this]."

The storm was set off by a proposal that "computer-accessed communications" such as blogs be included in New York’s definition of legal advertising, and therefore require state scrutiny. The proposal, by a committee created by the state’s Administrative Board of Courts, also suggests the state code of professional responsibility extend court jurisdiction to out-of-state legal advertising that appears in New York.

"Could I be disciplined by New York state because there are pay-per-click adverts on my weblog or seminars, and these are interpreted as acts which ‘solicit legal services’?" asked Justin Patten, a solicitor in England who posts at his blog, Human Law.

Who'd a think it? (Definition of commodity: A product or resource that is traded primarily on the basis of price, and not on differences in quality or features.)


Supermarket Giant Now A Microsoft Competitor

from the add-'em-to-the-list dept

There's no doubt that Microsoft is under assault from a variety of attackers including Google, web-based software, and open source. As if it needed any more competition, it now has to do battle against a supermarket chain. Tesco, the UK's largest grocer, is planning on selling its own, private-label software for cheap. The store will offer a range of products including an office suite, an anti-virus tool, personal finance software, a CD/DVD burner, and a photo editing product. The company has also launched a site to sell and support the offering. Of course, Tesco isn't likely to carve a huge stake of the software industry, but the move is indicative of the fact that many of the basic consumer applications are rapidly commoditizing. Microsoft is obviously well aware of the changes going on, and is looking for new ways of distributing its consumer software, but it's hard to see the company coming upon anything that will adequately replace some of its most lucrative cash cows.

Don't you just love a good trouble maker? Esp. one who points out that the Emperor has no clothes...


In A Twist, Now DVD Jon Wants To Give You More DRM

from the still-no-friends-in-Hollywood dept

Back in June, we noted that "DVD Jon" Lech Johansen had quit working with Michael Robertson (of MP3.com fame) and had joined a new company to reverse-engineer DRM schemes that companies refused to license. He's not wasted much time in starting at the top, as his new company is already offering Apple's FairPlay DRM technology for companies to license. Apple has famously refused to let anybody else put their DRM'ed content on iPods outside a very small circle -- leading some companies like RealNetworks to try to reverse-engineer FairPlay on their own to make iPods compatible with their music services -- while it also refuses to license the technology to hardware manufacturers so it can control what devices consumers use to play back media it sells. Apple's steadfast refusal to license FairPlay creates a nice little lock-in for the company; but it also limits the usefulness of iPods and media purchased from the iTunes Music Store. For instance, the idea of selling TV shows seems to be working well for Apple, but by limiting the devices on which they can be played back, in particular making it somewhat difficult for people to watch the shows on their televisions, they're limiting their audience. Meanwhile, the value of an iPod gets held down since it can't access any media stores, apart from iTMS, selling content with DRM. The obvious solution is to scrap DRM, since it really doesn't help anyone (not to mention it doesn't really work, either), but that doesn't seem like something that will happen anytime soon. In the meantime, DVD Jon's approach, of making proprietary DRM technologies available for license to all comers, is a reasonable replacement. While it seems slightly ironic that DVD Jon's now working to spread DRM, he still shows a better understanding of how to create useful products than many manufacturers and content providers.
