Tuesday, December 12, 2006

Some organizations can't hold the news until Friday...


Major breach of UCLA's computer files

Personal information on 800,000 students, alumni and others is exposed. Attacks lasted a year, the school says.

By Rebecca Trounson Times Staff Writer December 12, 2006

In what appears to be one of the largest computer security breaches ever at an American university, one or more hackers have gained access to a UCLA database containing personal information on about 800,000 of the university's current and former students, faculty and staff members, among others.

UCLA officials said the attack on a central campus database exposed records containing the names, Social Security numbers and birth dates — the key elements of identity theft — for at least some of those affected. The attempts to break into the database began in October 2005 and ended Nov. 21, when the suspicious activity was detected and blocked, the officials said.

... He said the problem was spotted when computer security technicians noticed an unusually high number of suspicious queries to the database. It took several days for investigators to be sure that it was an attack and to learn that Social Security numbers were the target, he said.

Oh, good.


Veterans Affairs CIO: We're more secure

Grant Gross December 11, 2006 (IDG News Service) WASHINGTON --

The U.S. Department of Veterans Affairs is "pretty confident" the agency will not have another large data breach like the one in May that could have exposed the personal records of 26.5 million military veterans and family members, the agency's CIO said today.

The VA has taken several steps to improve its security since the breach, said Robert Howard, who was appointed the VA's assistant secretary for information and technology just days before a VA laptop and hard drive were stolen from an employee's home.

... A major cybersecurity concern is employees "not thinking" about risks, and the VA is working to educate workers, Howard said. "What leaps right out at you is employee carelessness," he said. "We've all been there."

... But the VA has made several changes, including encryption on laptops not directly used for medical procedures, Howard said. The breach "was a real eye-opener, for government and probably for industry as well," he said. "We're encrypting everything in sight."

Towards a “Best Practices” world?


Information Security as a Business Practice

by John Enamait on 11/12/06

This article addresses the role information security plays in an organization. Historically, organizations have deemed information security to be an information technology issue, one that the business as a whole did not need to address. Organizations have also treated information security as an add-on feature, almost an afterthought. Information security must become ingrained into the culture of the organization to ensure security compliance in all facets of the company. Organizations that are beginning to mature with information security may choose to investigate and implement established systems that support information systems. Systems such as ITIL and ISO/IEC 17799 can be used as a foundation for the development of a sound information security process. Regardless of how organizations approach information security, they must begin to envision information security as an overall business problem. If organizations can embrace the cultural change and embrace information security in all aspects of a business, information security will become a well established practice that is followed by all.


How could one prove that this didn't happen? Could this be used to make everyone look like a terrorist? (see next article)


December 11, 2006

How Pop-Ups Could Brand You a Pervert or Crook

Greetings. A New York Times article today explores the problem of Web-based "pop-up" ads being used to artificially inflate Web traffic.

I'd like to point out a potentially much more serious problem related to pop-ups that can access arbitrary Web sites -- they could be used for purposes that could get innocent Web users into major legal problems.

The issue of sites triggering unsolicited access to other sites is not new. In a message over a year ago ("Google's new feature creates another user privacy problem"), I discussed how Google's triggering of top item "prefetch" in returned search results could result in Firefox browsers visiting the referenced site -- and collecting any associated cookies -- without users' knowledge (I also suggested ways to prevent this behavior).

The essential problem is that Web logs that record users' access to sites would record such visits as if they had been voluntarily initiated by those users. If those destinations happen to be sites with various forms of "illicit" materials that could be the subject of government or other investigations that would go digging through associated access logs... well, you can imagine the possible complications.

Google's prefetch behavior is an example of a well-intended feature with unfortunate negative side effects.

On the other hand, the sorts of nefarious pop-ups described in the NYT piece have much greater potential for intentionally serious sorts of damage, since they can be far more flexible and directed than simple Web prefetches, and so could put innocent consumers at even greater risk. They might not only access pages that could get people arrested (perhaps c-porn?), but also download files that could trigger RIAA and/or MPAA "automatic" lawsuits, or any number of other nightmare scenarios.

It's fair to ask why anyone might want to set loose such technical monsters on innocent victims. The simple answer is that there are quite a few people out there who just want to score a point -- to prove that they can do it -- plus of course the sick minds who enjoy watching other people suffer.

If nothing else, this specter is yet another reason to block all pop-ups routinely and to disable browser prefetch as appropriate. Most of all it is a reminder to authorities that just because particular entries are present in subpoenaed Web logs, does not necessarily mean that they are accurate representations of user intent. In many cases you may actually be looking at victims, not perpetrators.
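The point in the last paragraph, that a log entry is evidence of a request and not of a human's intent, is something a log reviewer can act on only if the server recorded the right fields. Below is an added example, not code from this post or from the NYT piece, that triages Apache-style access log lines. It assumes the administrator extended the combined log format with one extra field, the request's X-moz header (`%{X-moz}i` in Apache LogFormat syntax), because Firefox marks every `<link rel="prefetch">` request it issues with `X-moz: prefetch`. That header is the only unambiguous signal in the script; the Referer-based verdicts are heuristics and say so. The log lines are constructed for the example, with documentation-reserved addresses and a hypothetical `www.example.org` site.

```python
"""Triage web-server access log entries by how likely a person actually chose them.

Added example, not part of the original post. Assumed Apache LogFormat (combined
format plus the X-moz request header, which Firefox sets on link prefetches):

  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-moz}i\"" prefetch

Apache writes "-" for a header the client did not send.
"""
import re
from urllib.parse import urlsplit

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'(?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<xmoz>[^"]*)"$'
)

# Constructed sample log, not captured from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Dec/2006:14:02:11 -0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1) Gecko/20061010 Firefox/2.0" "-"
203.0.113.7 - - [11/Dec/2006:14:02:12 -0800] "GET /gallery/set1.html HTTP/1.1" 200 8800 "http://www.google.com/search?q=example" "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1) Gecko/20061010 Firefox/2.0" "prefetch"
198.51.100.9 - - [11/Dec/2006:14:05:40 -0800] "GET /gallery/set1.html HTTP/1.1" 200 8800 "http://ads.example-network.net/popup.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
198.51.100.9 - - [11/Dec/2006:14:05:41 -0800] "GET /gallery/set2.html HTTP/1.1" 200 9100 "http://www.example.org/gallery/set1.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
"""


def parse(line):
    """Split one log line into named fields; None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = entry["req"].split()
    entry["method"], entry["path"] = (parts[0], parts[1]) if len(parts) >= 2 else ("", entry["req"])
    return entry


def classify(entry, own_hosts):
    """Return a verdict for one parsed entry. Only 'browser-prefetch' is definitive."""
    if entry["xmoz"].lower() == "prefetch":
        return "browser-prefetch"          # Firefox fetched this without any click
    referer = entry["referer"]
    if referer in ("", "-"):
        return "no-referer"                # typed URL, bookmark, or a script-opened window
    host = urlsplit(referer).hostname or ""
    if host in own_hosts:
        return "on-site-navigation"        # followed a link on our own site
    return "third-party-triggered"         # came from another site: a link, an ad frame, or a pop-up


def triage(log_text, own_hosts):
    """Parse and classify every line; unparseable lines are kept and flagged."""
    results = []
    for line in log_text.strip().splitlines():
        entry = parse(line)
        if entry is None:
            results.append({"raw": line, "verdict": "unparsed"})
            continue
        entry["verdict"] = classify(entry, own_hosts)
        results.append(entry)
    return results


def summarize(results):
    """Count entries per verdict so a reviewer sees how much of the log is ambiguous."""
    counts = {}
    for r in results:
        counts[r["verdict"]] = counts.get(r["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = triage(SAMPLE_LOG, {"www.example.org"})
    for r in rows:
        print(f'{r.get("ip", "?"):15} {r.get("path", r.get("raw", ""))[:24]:24} {r["verdict"]}')
    print(summarize(rows))
```

Two things the sample makes visible: the Firefox request for /gallery/set1.html carries the prefetch marker and was never chosen by anyone, and the Internet Explorer request for the same page was triggered from a third-party host, which is consistent with a pop-up but equally consistent with a real link, so it needs corroboration from the rest of the session rather than a conclusion. On the client side, the Firefox setting that turns off link prefetching is `network.prefetch-next` in about:config, set to false.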

...but the intelligence agencies are too sophisticated for that kind of red herring to influence their analysis, right?


State Department Googles To Create Banned Iranians List

from the the-Google-spies dept

It appears our government intelligence agencies are still a bit confused about this whole internet thing. A few months ago, we noted that the FBI lost a lawsuit after a judge was shocked that FBI agents didn't do a simple Google search in trying to figure out if someone was still alive. Then, last week, we noted that our intelligence agencies were starting to make use of the tools of social applications, but not necessarily the community of people out there. However, when the CIA turned down a State Department request for names of Iranians who deserve to be sanctioned for their work on Iran's nuclear program, the State Department set up a junior employee to go about Googling things like "Iran and nuclear" to come up with a list. After some cutting down the list, the CIA eventually approved a small list of people, but it still seems bizarre to think that the best way to determine dangerous people is to do a simple Google search. That isn't to say that the intelligence community shouldn't be using tools like Google. Obviously, they should be using them quite a lot -- but that doesn't mean it's right for everything: such as figuring out the best list of people to sanction over a clandestine nuclear weapons program.

Okay, we've seen this survey question answered many times, here's a new question: If you give someone this personal information, what do you expect them to do with it?


Consumers Willing to Trade Privacy for Personalization, Survey Says

Posted Dec 12, 2006

More consumers are willing to provide information about themselves to providers they trust in exchange for a personalized online experience, according to The 2006 ChoiceStream Personalization Survey.

According to the survey, the number of consumers willing to provide demographic information in exchange for a personalized online experience has grown over the past year, increasing 24% to a total of 57% of all respondents. The Survey also finds an increase in the number of consumers willing to allow websites to track their clicks and purchases, increasing 34% from the previous year. However, the results show no significant decline in the number of consumers concerned about the security of their personal data online, with 62% expressing concern in 2006 vs. 63% in 2005.

... The Survey results also find that interest in personalization is spreading beyond the desktop to consumers' television and mobile screens. Overall, 45 % of survey respondents are dissatisfied with their current onscreen TV program guide because it takes too long to scroll through to find programming of interest. Forty-seven percent expressed interest in receiving a personalized guide to solve this problem by helping them find shows and movies that match their tastes and interests.

... A Research Brief providing detailed information on the findings is available at the ChoiceStream website. (www.choicestream.com)

It will eventually occur to (even) politicians that it would be cheaper to keep these people in jail (even cheaper to kill them) rather than monitor their movements, medications, phones, internet usage, etc.


N.Y. Planning Sex Offender Polygraphs

By MICHAEL FELBERBAUM Associated Press Writer December 11, 2006, 8:10 PM EST

RICHMOND, Va. -- Officials in two states proposed unusual plans Monday to tighten oversight of convicted sex offenders: Virginia's attorney general wants them to register their e-mail addresses and online IDs, and New York officials want them to take lie-detector tests.

In New York, the parolees' answers to a computer-based polygraph test about their whereabouts could be used to justify electronic monitoring, prohibit Internet use or restrict travel, said Division of Parole spokesman Scott Steinhardt.


How To Choose Archival CD/DVD Media

Posted by kdawson on Monday December 11, @03:33PM from the 70-years-or-bust dept.

An anonymous reader tips us to an article by Patrick McFarland, the well-known Free Software Magazine author, going into great detail on CD/DVD media. McFarland covers the history of these media from CDs through recordable DVDs, explaining the various formats and their strengths and drawbacks. The heart of the article is an essay on the DVD-R vs. DVD+R recording standards, leading to McFarland's recommendation for which media he buys for archival storage. Spoiler: it's Taiyo Yuden DVD+R all the way.

From the article: "Unlike pressed CDs/DVDs, 'burnt' CDs/DVDs can eventually 'fade,' due to five things that affect the quality of CD media: sealing method, reflective layer, organic dye makeup, where it was manufactured, and your storage practices (please keep all media out of direct sunlight, in a nice cool dry dark place, in acid-free plastic containers; this will triple the lifetime of any media)."

You know, some people just get it... (Remember, this was before most people had even heard of the WWW)


Hyperland 1990 by Douglas Adams

(via http://video.google.com/videoplay?docid=5579362191486305681&q=hyperland )

Douglas Adams' Prescient Documentary from 1990 [...don't worry, nothing has happened in the last 16 years... Bob] about The Web

When your (boss, client, employee, significant-other) comes to you with a story like this, what do you do?


Scammers take Web mail hostage

December 11, 2006 5:01 PM PST

After visiting a cybercafe, a Hotmail user returned to find the Web mail account empty except for a note demanding payment for the return of the messages and address book, a security firm said Monday.

The affected person had accessed the Hotmail e-mail account from an unspecified Internet cafe in Mexico, said Dan Hubbard, senior director of Websense Security Labs in San Diego.

"When the user came back and logged into Hotmail, all 'sent' and 'received' e-mails were deleted, along with all the online contacts," Hubbard said. The only message that remained was one from the attacker, requesting payment in order to get the data back, he said.

The ransom note was written poorly in Spanish, but translated into English, it stated: "If you want to know where your contacts and your e-mails are then pay us or if you prefer to lose everything then don't write soon!" according to a Websense alert.

Such hostage taking is a new form of cyberextortion. Previous attacks have used malicious software known as ransomware that encrypts certain files on victims' computers and then demands payment for decryption. The blackmailer threatens to delete the files if no payment is received.

"We have only had one report. This very first one that we have found out about," Hubbard said.

The Hotmail user's credentials could also have been compromised through a phishing scam. However, Hubbard said that the unidentified victim believes that's not what happened.

Microsoft did not immediately respond to requests seeking comment. [Will they restore from backups? They can – will they? Bob]

Lesson for the wise: be cautious when traveling and using cybercafes. They appear to be targeted more and more, Websense said. Also, change your password frequently.

Always looking for “the next big thing...”


Battle Brewing Over 'Iconistan'

By Michael Calore, 02:00 AM Dec. 12, 2006

There's a turf war heating up over a strip of web real estate called "Iconistan."

You won't find this mythical land on a map, as Iconistan exists only at the bottom of blog posts. It's where that little crowd of icons gathers, begging you to post a bit of news to Digg, Reddit, del.icio.us and various other social news and community sites.

"Those submit buttons present independent publishers with an excellent opportunity to leverage the growing audience for social news sites," says Tony Conrad, CEO and co-founder of Sphere, who coined the term "Iconistan" in a recent blog post.

Social news sites like Digg, Reddit and Newsvine encourage their readers to submit news stories they find online, and the developers of those sites have created these tiny widgets to facilitate the submission process. Disclosure: Reddit is owned by CondéNet, the parent company of Wired News.

These tiny icons encourage readers to discuss an article or blog post on the target site -- thereby enriching the user experience -- but they're also crass tools of promotion. Publishers hope that a link on Digg or Newsvine will drive traffic back to the original story on their site -- which is why bloggers add the buttons to their posts in the first place.

Landing a link on the front door of a hot social news site can drive up site traffic and allow bloggers to reach new audiences. The resulting increase in pageviews also means increased advertising revenue for the publisher.

"It's a win for the user, but it's also a win for the publisher," says Conrad.

Conrad's company, Sphere, creates a widget that helps readers track conversations across multiple sites on the web. It's just one of many companies that have set up shop in Iconistan.

Independent publishers were the first to recognize the power of social news sites to expand readership and generate pageviews, but larger, established publishers are quickly setting up their own Iconistans as well.

This week, The New York Times added social news submission tools to news stories on its website. Readers browsing the newspaper's site can choose to submit a story to Digg, Newsvine or the social network Facebook.

The Times chose only three social networks, but some blogs feature dozens of buttons along the bottom of posts. Conrad warns that the slim slice of web real estate could become a cluttered mess if publishers don't keep users' best interests in mind.

"Publishers need to develop some criteria to follow whenever they want to put another link on the page," he says. "Web publishers should ask themselves what (a 'submit' icon) does for the person who clicks on it. How is it going to impact the user experience? Is there an intersection there with user reality?

"The author probably shouldn't put another link there if it detracts from the user experience," he says.

It is never the same as being there, but it is like having a friend who was and took good notes...


December 11, 2006

KMWorld and Intranets 2006 Presentation Links

KMWorld and Intranets 2006 Presentation Links, October 30 - November 2, 2006.

Is this enough to collapse a government? (Food for thought, Virtual Law experts!)


Chinese Yuan No Longer The Only People's Currency

from the more-effective-than-angry-trade-reps dept

One of the chief policy concerns for the Chinese government, in recent years, has been the value of the national currency, the Yuan. The government is convinced that for the time being, it must artificially manipulate its value, so as to preserve the robust economy. But while it can intervene to affect the Yuan, it has little control over alternative currencies, such as those found online. It's apparently concerned that an online currency called QQ, maintained by a large IM system, could induce unwanted, real-world volatility, as people start using the QQ as a substitute for the Yuan to buy certain goods and services. For the most part, it's hard to imagine that this could be too destabilizing. It's mainly for the purposes of international trade that China wants a stable Yuan, and it's unlikely that too many manufacturers will start accepting payments in QQ. Still, the Chinese government tends to feel threatened anytime people are able to express themselves spontaneously, in some manner outside of endorsed channels, hence the constant internet censorship. It wouldn't be a surprise to see it take a similarly confrontational stance towards alternative currencies. The legal implications of virtual worlds and currencies are just starting to be debated in the US; it should be very interesting to see how things differ when the anarchic freedom found in them collides with stricter societies and economies.

Now will you believe that TV is changing?


Dutch Pull Plug on Analog Television

Dutch Pull Plug on 'Free-To-Air' Analog Television, Shifting All Signals to Digital

By TOBY STERLING The Associated Press

AMSTERDAM, Netherlands - The Netherlands ended transmission of "free to air" analog television Monday, becoming the first nation to switch completely to digital signals.

Few Dutch consumers noticed, because the overwhelming majority get TV via cable.

... And "when 94 percent of the market is served by cable, more competition is healthy," said Economic Affairs ministry spokeswoman Judith Thompson.

Cable here faces minor but growing competition from satellite and more recently, television via high-speed Internet connections with the service known as IPTV.

... Governments around the world are gradually making the switch to digital, with some Scandinavian countries and Belgium targeting a 2007 switch-off date. The target is 2009 in the United States, and 2011 in Japan.

Free is good!


Mozart's entire musical score now free on Internet

(via http://today.reuters.com/news/articlenews.aspx?type=entertainmentNews&storyid=2006-12-11T190336Z_01_L11804081_RTRUKOC_0_US-ARTS-MUSIC-MOZART.xml )

Mozart's year-long 250th birthday party is ending on a high note with the musical scores of his complete works available from Monday for the first time free on the Internet.

[http://dme.mozarteum.at Expect delays Bob]

Tools for research...


Librarian's Ultimate Guide to Search Engines

Published on Friday December 8th, 2006
