Saturday, September 16, 2006

The Friday tradition continues...

Nikon Customer Data Leaks Onto Web

September 15, 2006 By Todd Spangler

Nikon, the $6 billion camera and imaging products manufacturer, on Thursday said that data on 3,235 customers inadvertently became accessible on the Web site of Nikon World, its quarterly customer magazine.

During a nine-hour period, data including customers' names, addresses and credit card numbers could be viewed on the site. However, the company said only nine individuals--who were new magazine subscribers--accessed the information and that the only information accessible was that of subscribers who had signed up for the magazine since Jan. 1, according to The Associated Press.

Nikon said the disclosure resulted from a problem with an external vendor, AP reported. Nikon did not respond to Baseline's requests for more information about the incident.

According to the AP report, Nikon contacted all the subscribers whose information was revealed as well as the nine new subscribers who were able to view it.

Will they ever find the desktop computer?

Unisys contractor arrested in VA theft

Investigators do not believe 21-year-old suspect sought agency's data

By Robert McMillan, IDG News Service September 15, 2006

Authorities have charged a 21-year-old Unisys Corp. subcontractor with stealing a desktop computer with billing information on as many as 38,000 U.S. Department of Veterans Affairs medical patients.

Khalil Abdulla-Raheem, of Washington, D.C., was charged Wednesday with theft of government property. He is the employee of an unnamed company that "provides temporary labor to Unisys," according to a statement released by the Veterans Affairs (VA) department's Office of Inspector General.

The computer was stolen in late July from Unisys's Reston, Virginia, offices. It contained records on about 16,000 living patients who had received treatment at VA medical centers in Philadelphia and Pittsburgh, as well as information on another 2,000 who are deceased. Data on an additional 20,000 patients may have been stored on the computer, according to the VA.

The VA said that these records may have contained Social Security numbers, addresses, and insurance information. The U.S. Federal Bureau of Investigation (FBI) is now analyzing the computer to determine whether this information has been compromised, but investigators do not believe that Abdulla-Raheem was after the VA data.

This is the second of two major data breaches at the VA this year. In May, personal information on about 26.5 million veterans was compromised when a laptop and external hard drive were stolen from a VA analyst's home. Authorities have arrested two teenagers in connection with that theft and the FBI has concluded that the sensitive information was untouched.

Still, the data in question was unencrypted in both of these incidents, and the VA, which has regularly scored failing grades in the Federal Government's annual computer security scorecard, has been blasted for its handling of the matter.

The department's Inspector General published a report in July citing policy failures and a lack of supervision in the May incident, and called for the VA to adopt a clear policy for safeguarding sensitive data.

With data notification laws pushing data breaches into the public eye, PC encryption has become a priority for many IT departments.

In fact, laptop encryption will top a list of the ten most important security trends for 2007, due to be released on October 1 by the SANS Institute, a computer security training organization.

"Every major organization is moving forward to buy and deploy encryption products," said SANS Director of Research Alan Paller, in an e-mail note sent Thursday. "The reason is that top management is adamant about not facing personal embarrassment because of lost sensitive data." [Imagine how much better it would be if they faced personal jail time! Bob]

Abdulla-Raheem was released on bail Wednesday and is due back in federal court for a preliminary hearing on October 3.

Unisys has offered a US$50,000 reward for information leading to the recovery of the PC. So far, nobody has come forward to claim the money, according to Lisa Meyer, a Unisys spokeswoman.

Unisys had not encrypted the data on the stolen PC because this was not required by the VA, but the company is now taking a second look at this policy, Meyer said. "An event like this caused us to reexamine everything we're doing," she said.

Survey: Data breaches yield few ID thefts

Off-line causes are more likely to result in ID theft and fraud

By Jaikumar Vijayan, Computerworld September 15, 2006

Contrary to popular perception, computer data breaches are less likely to result in identity theft and other fraud than off-line causes such as lost or stolen wallets and checkbooks.

That was the finding of a year-long study of about 5,000 U.S. consumers by Pleasanton, Calif.-based analyst firm Javelin Strategy & Research. Javelin's research showed that despite recent hype, data breaches were responsible for just 6 percent of all known cases of identity theft, compared to 30 percent from incidents like losing one's wallet. [keep in mind that theft of a wallet involves only one potential victim, theft of a laptop can compromise 26 million... Bob] The study also showed that less than 1 percent of all individuals whose data was lost later became victims of ID theft.

Javelin's results are similar to those found by other firms that have looked at the relationship between data breaches and actual instances of ID fraud. In a Gartner study in 2005, for instance, only 18 percent of identity theft victims attributed the cause to computer breaches, while 41 percent cited off-line causes. Similarly, a December 2005 analysis by ID Analytics Inc. of four major online data breaches involving 500,000 customer records showed that less than 1 percent of those affected had their identities stolen.

The numbers are important at a time when a spate of data breach disclosures has heightened consumer concerns and is fueling a debate among lawmakers about the need for more stringent data protection laws, analysts said.

"There is a misperception that there is a one-to-one correlation between a data breach and ID theft," said Thomas Oscherwitz, vice president of government affairs and chief privacy officer at San Diego-based ID Analytics. In reality, "the mere fact that you are part of a data breach doesn't mean that you are a victim of ID theft," he said.

The degree of risk can depend on the type of breach, Oscherwitz said. Data breaches involving a deliberate hacking, for instance, are likely to be much more risky than those involving a lost disk or laptop, he said.

Failing to make such distinctions can push consumers to undertake unnecessary efforts to protect themselves and can impose burdens on corporations, said Mary Monahan, author of the Javelin study.

"Our opinion is that consumers do need to be protected by data breach laws, and we do want to see a federal law to protect all consumers," Monahan said. But given the low risk of ID theft from such breaches, any such law would need to give the breached entity the opportunity to conduct a risk assessment before they are required to disclose it publicly; the absence of such a trigger could result in indiscriminate notifications. [Notice is to alert potential victims of the potential for identity theft, not the certainty. Bob]

"And then all you get is white noise" that few people pay attention to, Monahan said.

Currently, many of the 30-plus states that have breach disclosure laws require companies to notify customers of any data breach involving the potential compromise of personally identifiable information. Several industry groups have been lobbying lawmakers for a preemptive federal law that would add some sort of a breach notification trigger that is based on an assessment of the risk of ID theft or other fraud.

Privacy advocates, on the other hand, have been arguing for broad disclosure, saying that few companies are likely to publicly notify consumers of a breach if they are allowed to make their own risk assessments.

"I think it's always going to be difficult to make a conclusive cause-and-effect relationship between ID theft and data breaches," said Andrew Jacquith, an analyst at Yankee Group Research Inc. in Boston. So the real emphasis of any national legislation has to be on measures that companies need to take to protect sensitive customer data, he said.

Also important is the need to examine issues like the continuing use of Social Security numbers as identifiers by a large number of companies, Jacquith said. "I view nonpublic information as radioactive material that needs to be protected [from leaks]," he said. "It's material that you can use to manufacture identities with."

September 15, 2006

Every Web 2.0 Company On One Page

Michael Arrington is a very nicely designed Flash page with logos and basic information for most web 2.0 companies. Click on a logo to see an overview of the company and links from blogs discussing it. It’s also sortable and searchable. Very nice. The only issue I have with it is that it’s loading a little slowly, possibly due to a very heavy page weight.

Orli Yakuel (we find a lot of leads on her blog) and Eyal Shahar designed and built the site. Both live in Tel Aviv, Israel.

Creating something like this is a ton of work. The site is nothing but a reflection of Orli and Eyal’s passion for what’s happening on the web right now…the same passion that is driving the success of this and other blogs dedicated to chronicling this period of web history.

Hacker Discovers Adobe PDF Back Doors

By Ryan Naraine September 15, 2006

A British security researcher has figured out a way to manipulate legitimate features in Adobe PDF files to open back doors for computer attacks.

David Kierznowski, a penetration testing expert specializing in Web application testing, has released proof-of-concept code and rigged PDF files to demonstrate how the Adobe Reader program could be used to launch attacks without any user action.

Overreaction? Perhaps there have been incidents?

Virgin tells travellers to remove Apple, Dell laptop batteries

By Tony Smith 14th September 2006 14:44 GMT

Virgin Atlantic has become the third airline to restrict the use of Apple and Dell laptop batteries on its flights. Passengers who want to take their Inspirons, Latitudes, iBooks, PowerBooks, MacBooks or MacBook Pros onto the carrier's planes are asked to remove the battery first.

Like Korean Air, which recently instituted its own battery ban, Virgin Atlantic isn't preventing such notebook owners from operating their laptops, but it is limiting them to seat-side power supplies. Flying coach or economy without an in-seat power supply? Then you can't use your Apple or Dell machine.

Should be required viewing at the start of each class...

Don't answer your cell phone is this prof's class

T.E.D.D.Y. (Draw in 2D - Outputs in 3D)

Teddy is a Java-Applet Drawing Program that takes the 2D images you draw and renders them in 3D. The algorithm adds shading according to the strokes and connections between the lines. This is truly a cool program for anyone and everyone! - Video and Software Download Link included in Post.

Hacking 101: Why you should always change the default passwords

Default Password List for hundreds of WAPs and Routers.

You are entering the lands of packets, brute force and misuse of trust. This is a dark land. Full of problems and choices. Be careful when you use your knowledge. Be also careful with your tools and weapons. Never underestimate your enemy. [Never assume you are smarter than a hacker... Bob]

Friday, September 15, 2006

Somehow, they still don't get it.

Sony Says Canadians Are Different Than Americans When It Comes To Rootkits

from the they-can-take-it dept

We were just saying how Sony's rootkit is still causing technical problems for users -- and it turns out it's still causing some legal ones as well. While Sony ended up settling the US-based lawsuit against it concerning the rootkits in the US, it took them a bit longer to work out the details in Canada. You would think that it wouldn't be too hard to knock out a similar settlement, but it turns out that Sony BMG apparently believes Canadians deserve different treatment than those of us in the US. Apparently, among a bunch of odd assertions, Canadians don't need the same settlement terms because they already benefit from the US settlement -- and therefore, it's okay that Sony BMG not have any new copy protections reviewed by independent researchers for security issues (as they agreed to in the US). It's apparently okay for them to install copy protection without telling people in Canada, which again, they cannot do in the US. It's true that many CDs will all be pressed the same way for the North American market -- but that doesn't explain why Canadians don't deserve the same deal as the folks in the US received.

Required Reading for Product Reviewers

September 10, 2006

CDT has published a white paper setting out criteria on which DRM-restricted products and services should be judged. The paper should be required reading for every product reviewer who evaluates digital media products and services, suggesting specific questions that reviewers should be asking when examining DRM-restricted offerings.

September 14, 2006

Transcripts of Supreme Court Oral Arguments Available Free Beginning In October

Supreme Court press release: "Beginning with the October 2006 Term, the Court will make the transcripts of oral arguments available free to the public on its Web site on the same day an argument is heard by the Court...The Court's current contract reporting service, Alderson Reporting Company, will now utilize the services of a court reporter in the Courtroom and high-speed technology to transcribe the oral arguments more quickly. Transcripts can be located by clicking on the "Oral Arguments" prompt on the home page of the Court's Web site and selecting "Argument Transcripts." Transcripts will be listed by case name and the date of oral argument. Transcripts are permanently archived beginning with the 2000 Term on the Court's Web site. Transcripts prior to the 2000 Term are maintained in the Court's Library."

He's probably right.

Headmaster justifies fingerprinting pupils

By Mark Ballard Published Monday 11th September 2006 16:54 GMT

The headmaster of Porth County Comprehensive School in South Wales has defended fingerprinting all 1,400 of his pupils days after their parents were told about the scheme last Wednesday.

Children had their fingers scanned for a system that will replace the old fashioned school register with biometric scanners in every class room.

Parents campaigning against having schools take their children's fingerprints have complained that it is being done without their consent, and sometimes without their knowledge.

... The system, called Vericool, was developed by Anteon, a subsidiary of General Dynamics, a firm that specialises in developing systems for the military and intelligence services.

It will register children for lessons by scanning their fingers when they enter a classroom at the start of a lesson.

I'm sure someone will sue MySpace over this...

Rage Over MySpace Photo Leads to Arrest

Sep 15, 12:24 AM EDT

MESA, Ariz. (AP) -- A 22-year-old woman was arrested after authorities say she tried to hire someone to kill another woman whose photo appeared on her boyfriend's Web page.

Heather Michelle Kane was booked Tuesday for investigation of conspiracy to commit murder, Mesa Detective Jerry Gissel said.

Kane was arrested after she met with an undercover police detective at a grocery store, authorities said. Court records show Kane offered to pay $1,000 to have the woman killed - $500 up front and $500 after the job was completed.

But the report said Kane gave the undercover officer only $400 at the meeting and planned to pay the rest of the money later.

The records say Kane gave the undercover officer photographs taken from her boyfriend's social networking Web page of the woman she wanted killed. She also requested a photo of the woman's dead body.

It wasn't clear if the boyfriend and the targeted woman were romantically involved, Gissel said.

NY Wants To Make Life Difficult For Blogging Lawyers

from the can't-do-that dept

Greg Beck writes "New York is proposing new "ethics" rules on attorney advertising that would make it difficult for lawyers in New York to blog or in many cases even send an email. The rules are so out of touch with technology that, for example, a blog would have to be printed out and saved for a year (with an extra copy mailed to the state) every time it is updated." This isn't the first time we've seen this. Last year, there was a similar issue in Kentucky. As Greg's post shows, lawyer blogs would also have to include additional info announcing that it was advertising, while listing the names and law firms of any participating lawyers in the largest font found on the page. Funny, that: even lawyers can't seem to understand that the laws they're writing for themselves aren't any good.

What happens if you are sued in Afghanistan and don't show up in court (tomorrow) to enter a defense?

Accused Spammer Sues Spamhaus, Wins $11 Million

from the what's-wrong-with-making-a-list? dept

A few years ago, a group of spammers teamed up to sue a bunch of anti-spammers, with the main target being Spamhaus, who keeps what's considered the definitive list of spammers. After their lawyers realized they had little chance of getting anywhere with the case, the spammers withdrew the case. The accused anti-spammers took on the odd move of trying to get the case to continue in order to set a precedent that it's perfectly legal to put together a spam blacklist. However, that didn't work, and you knew it was only a matter of time until someone else sued Spamhaus. That's exactly what one company that's on Spamhaus' list did. What's surprising, though, is that they somehow convinced a judge to order Spamhaus to pay $11 million for listing the company as a spammer. As the article notes, the company, e360insight, is going to have a lot of trouble collecting since Spamhaus is based in the UK and outside the jurisdiction of the Illinois-based court. While part of the reason Spamhaus may have lost was Steve Linford's decision to basically ignore the case and not show up or defend Spamhaus at all, it's still not at all clear how the $11 million was picked as the number -- but the whole thing seems problematic. All Spamhaus does is put together a list of companies or individuals who Spamhaus has collected evidence on suggesting they're spammers. Linford insists that the company in question absolutely is a spammer and he won't remove them -- and he doesn't see why it should cost him millions of dollars for being honest and keeping his list accurate. While it is true that some anti-spam blacklists can be way too aggressive, it should hardly be illegal to put one together -- especially if you have evidence to back up the claims. Spamhaus has always been one of the more respected anti-spam lists out there, and it's difficult to believe it would continue to put a company on the list if it didn't truly believe the company was guilty of spamming.

The Tactical Gaming Index - Descriptions, links, demos, and full free games

Created by the author of "Tactical Gaming Done Right", this is a list of games, mods, and websites focused on tactical computer gaming. It highlights a number of games that have made an impact in the tactical genre, to include a few that are actually entirely free to play. It should serve as a solid reference for anyone interested in the genre.

Think anyone will notice?

Thursday, September 14, 2006

AT&T Censoring the Internet?

Okay, so, a friend of mine attempted to visit today, and got instead. Being that he was using firefox and he got the correct IP after running an nslookup we've all but ruled out spyware/adware/malware. I had him run a traceroute to, and it looked like this.

... As it looks, Either Global Crossing (GBLX), AT&T, (or both working together) are censoring requests to

Is this a smart move? Think this might generate some competition? (Do you suppose iPods are manufactured in Asia?)

No iTunes movies for Asia

9/14/2006 9:44:39 AM, by Eric Bangeman

When Apple unveiled the movie section of the iTunes Store on Tuesday, Steve Jobs told the audience that while the movies would only be sold to US residents at first, Apple hoped "to take this international in 2007." Two days later, it looks like "international" really means "everywhere but Asia."

Due to fears of piracy, Apple has decided to keep most of Asia off-limits for its new movie offering as well as its well-established music store. Apple Asia marketing director Tony Li broke the news, saying "We cannot comment on the specifics but it is true that iTunes is not available in Asia. That goes for music and movies."

You get caught 1/57th of the time?

Suspect steals to support family

Brian Indrelunas The Arizona Republic Sept. 14, 2006 12:00 PM

Police put a stop to Steven Rex Larsen's eBay business last week when they arrested the 42-year-old Mesa man on charges of shoplifting and trafficking in stolen property.

Police said Larsen walked into Wal-Mart, 4505 E. McKellips Road, on Sept. 7 with a large cardboard box and headed to the electronics department.

He reportedly put 48 DVDs in the box, sealed it and then shipped it to his business address from a shipping counter inside the store.

"(Larsen) paid for the shipping charge but did not pay for the merchandise," according to a police report.

Larsen was stopped by a store manager and told police he had been selling stolen DVDs on eBay since February to support his family, according to the report.

Store records reportedly showed Larsen had shipped items from the store 56 times since January. Larsen told police he sent more than 30 stolen DVDs in each shipment, and he allowed police to collect stolen discs from his house.

"Hundreds of packaged DVDs were collected from his residence and were confirmed to be the property of Wal-Mart," police reported.

Gee, I never count it. I trust the computer.

ATM reprogrammed to give out 4 times more money

By DUANE BOURNE, The Virginian-Pilot © September 13, 2006 | Last updated 8:07 AM Sep. 13

VIRGINIA BEACH - Police are looking for a man who broke the bank - literally.

Last month, a man reprogrammed an automated teller machine at a gas station on Lynnhaven Parkway to spit out four times as much money as it should.

He then made off with an undisclosed amount of cash. [So he apparently deleted the records, too Bob]

No one noticed [riiiiight... Bob] until nine days later, when a customer told the clerk at a Crown gas station that the machine was disbursing more money than it should. Police are now investigating the incident as fraud.

Police spokeswoman Rene Ball said the first withdrawal occurred at 6:17 p.m. Aug. 19. Surveillance footage documented a man about 5-foot-8 with a thin build walking into the gas station on the 2400 block of Lynnhaven Parkway and swiping an ATM card.

The man then punched a series of numbers on the machine's keypad, breaking the security code. [What idiot allows security overrides from the customer keypad? Bob] The ATM was programmed to disburse $20 bills. The man reprogrammed the machine so it recorded each $20 bill as a $5 debit to his account.

The suspect returned to the gas station a short time later and took more money, but authorities did not say how much. Because the account was pre-paid and the card could be purchased at several places, police are not sure who is behind the theft.

During the crime, the man wore a white T-shirt with writing on the back and a red baseball cap. Police have asked anyone with information to contact Crime Solvers at (888) LOCK-U-UP.

Perhaps they kept her on the board so they could sacrifice her publicly when the rest of the story came out?

Is Anyone Safe From HP's Spies?

from the just-wondering dept

As HP brings on new lawyers to deal with the expected indictments concerning the HP board spying scandal, it's now coming out that the spying went even further than the board and a whole bunch of reporters. Turns out that at least two employees had their phone records obtained via "pretexting" (which used to be called identity theft). It's also worth noting that Patricia Dunn (who has been choosing her words carefully) says that the spying included "a number of individuals outside the company, including journalists." This would at least suggest that some of the people outside of the company were not journalists -- though no such people have been identified yet. Anyone made up "HP spied on my phone records" t-shirts yet? [Perhaps we should send a few to selected Congressmen? Bob]

State: We have evidence to charge HP execs

California Attorney General spokesman says they can indict people within HP as well as outside contractors

By Ben Ames, IDG News Service September 13, 2006

... The state now has enough evidence to indict people both within HP and contractors outside the company, confirmed Thomas Dressler, a spokesman for California Attorney General Bill Lockyer.

... HP hired investigation firm Security Outsourcing Solutions Inc. (SOS), which shares its Boston offices with a law firm called Bonner, Kiernan, Trebach and Crociata, according to a report in The New York Times that cited sources close to the case.

... Ironically, an SOS newsletter posted on the firm's Web site warns corporate executives that their privacy is at risk since their Web surfing and e-mail records can be traced by Internet browsers and cookies. It advises clients to shield their identities by using a Web site called

What the HP affair really says about privacy

By Charles Cooper Story last modified Thu Sep 14 06:54:08 PDT 2006

After what had to be the most hellish week of her professional career, Patricia Dunn finally had enough. Hewlett-Packard's embattled chairman said she will leave the post in January, making the right decision--for all the wrong reasons.

In the only public comment she's made since then, Dunn offered a modest apology for the "inappropriate techniques" HP used to carry out an inquiry into boardroom leaks.

And so now it's back to business, everyone, she seemed to imply. I'm staying put until the start of the new year. Let's move on.

Actually, let's not.

Just to be clear, HP's investigators lied to fool the phone company into supplying private data belonging to company board members and journalists. Yes, I suppose that does qualify as an "inappropriate" technique.

Indeed, if a parliamentary democracy found itself in this sort of mess, the minister in charge of the probe would have immediately drawn the appropriate conclusions and resigned.

Not at HP.

Instead, Dunn still justifies her original decision to discover the source of leaks that she claims "had the potential to affect not only the stock price of HP but also that of other publicly traded companies."

On behalf of the CNET newsroom, I thank her for the compliment, since it was our January story that apparently set her off. But her claim stretches beyond the boundary of credulity. Her real point was to point attention elsewhere.

Dunn's heavily lawyered "non-apology, apology" was an obvious sop to Wall Street. If management let the affair fester, big investors worried it might cause real damage. The board felt pressure not to let things get out of hand. And so a deal was struck: HP would get a new chairman, while Dunn could hang around for the long goodbye.

Maybe we were supposed to conclude that Dunn's judgment wasn't as flawed as the critics--yours truly among them--suggest. But California's attorney general, who is gathering evidence and may indict HP personnel and its hired contractors, apparently thinks this story is not over.

Truth be told, I wasn't hoping for a Tammy Faye moment of teary contrition from Dunn. But this was a moment where she needed to do more than shift blame to some mysterious--and still unidentified--contractor. Wishful thinking on my part, but HP might have seized the moment to make an important statement about protecting peoples' rights to privacy in the cyberage. Instead, HP served up pabulum and hoped that would satisfy the growing chorus of naysayers.

Not everyone agrees this is such a big deal. Since writing an earlier column urging the board to get a new chairman, I've received no shortage of e-mails from readers accusing me of selective outrage. To wit: "You wouldn't give a rat's tootsie if reporters' precious personal data had not been involved."

With all due respect, my interlocutors are missing the bigger point. The HP affair is only the latest in a series of depressingly familiar incidents that underscore a painful truth: When it comes to privacy, expediency too often trumps principle. In the eyes of our best and brightest, it's just not very important. Congress grandstands but does little to give weight to its words. The president cuts corners, saying court-ordered permission to snoop is an encumbrance--and even harmful to national security.

Maybe it was too much to hope for better from the folks running HP. After all, they're just doing what everyone else does.

$500 million for something Google or cell phone companies would do for free. Boy, them poly-ticians is smart!

Northrop to Build NYC Wireless Network

By DAVID B. CARUSO Associated Press Writer Sep 13, 6:03 PM EDT

NEW YORK (AP) -- The city has awarded defense contractor Northrop Grumman Corp. a $500 million contract to build a wireless network that will let police and firefighters plug into city computer systems, even when they are rushing to emergencies.

Plan first.

DHS Publishes Report on Operation Cyberstorm

Posted by ScuttleMonkey on Wednesday September 13, @07:20PM from the blind-leading-the-blind dept.

uniquebydegrees writes "InfoWorld reports that the Department of Homeland Security has released the findings of Operation Cyber Storm, a large-scale simulation of combined cyber-physical attacks on U.S. critical infrastructure. From the article: 'According to DHS, "observers noted that players had difficulty ascertaining what organizations and whom within those organizations to contact when there was no previously established relationship or pre-determined plans for response coordination and risk assessments/mitigation. There was a general recognition of the difficulties organizations faced when attempting to establish trust with unfamiliar organizations during time of crisis.

Lawmakers, others: U.S. lacks cybersecurity leadership

DHS has still not named an assistant secretary for cybersecurity

By Grant Gross, IDG News Service September 13, 2006

The U.S. Department of Homeland Security (DHS) has failed to take several basic steps to protect the nation's cyber infrastructure, including a year-plus delay in naming an assistant secretary for cybersecurity, lawmakers and other critics said Wednesday.

I like this for a lot of reasons, not least of which is charging students for missing lectures – which we won't be forced to recapitulate for the slackers! (I wonder if I could get the Video Production class to do this as a project?)

Professor Sells Lectures Online

Posted by samzenpus on Wednesday September 13, @08:27PM from the never-go-to-class-again dept.

KnightMB writes "Students at NCSU have the option of purchasing the lectures of a professor online. The Professor did this as a way to help those that missed class, didn't take good notes, or were from another country and have trouble understanding an English speaking Professor. The reactions on campus were mixed among the students as some saw it as a great way to keep up with things should real life interfere [College isn't real? Bob] and others see it as something to pay for on top of the tuition cost at the university. Each one costs $2.50 for the entire lecture. Some students feel it should be free or cost less. The professor brings up a point that doing this takes extra effort and it's only fair that they should have to pay for that extra time and effort needed to put the lectures online for sale such as editing, recording equipment, etc. No one is forced to purchase the lectures, they are only an additional option that students will have. Quote Dr. Schrag "Your tuition buys you access to the lectures in the classroom. If you want to hear one again, you can buy it. I guess you could see the service as a safety net designed to help the students get the content when life gets in the way of their getting to class."

Open Source App Connects Professors, Students

By Casey Waltz Daily Targum 09/13/06 4:00 AM PT

Rutgers used to use WebCT, a similar piece of course-management software, until a new version of WebCT was developed. The university considered this too expensive, however, hence the switch to Sakai, said University Director for the Office of Instructional and Research Technology Charles Hedrick.

... For Professors and Students Alike

With Sakai -- the program, that is -- a professor can manage a syllabus, organize dissertation research and facilitate international discussion among his students and those of universities abroad.

The program also allows professors to see photographs of their students even before classes begin.

Through the software, students can see the course material their professors post on the site.

... Sakai was created in February 2004 by a consortium of the University of Michigan, Indiana University, Stanford University and Massachusetts Institute of Technology.

With a high speed, always-on connection “We don't need no stinking PC to spy on you!”

Software Streams Music With PC Off

By MAY WONG AP Technology Writer Sep 14, 12:23 AM EDT

SAN JOSE, Calif. (AP) -- Music lovers can sample songs over the Internet without turning on a personal computer in a first-of-a-kind offering that could help popularize the concept of streaming music.

... Sonos' ZonePlayer devices already are connected to a home computer network, but new software for the boxes will now let people access a music service directly without the need for a PC.

I'm surprised this isn't hosted by Comedy Central... Clearly this is just a (insert party out of power) plot to embarrass the (insert party in power)

Congress to Open Tax Money Tracking Site

By JIM ABRAMS Associated Press Writer Sep 14, 4:15 AM EDT

WASHINGTON (AP) -- From $500,000 for a teapot museum in North Carolina to $450,000 for plants on the east side of the Capitol, the federal government spends hundreds of billions every year for grants, contracts, earmarks and loans. With creation of a new federal Web site, citizens will at least be able to see where some of their tax money goes.

The House on Wednesday passed by voice vote and sent to President Bush legislation to create a Web site that will give people ready access to information on the $300 billion in grants issued to some 30,000 organizations annually, and the roughly 1 million contracts exceeding a $25,000 threshold.

New technology, new problems – same old story.

No Data Secure With iPods in the Workplace

By Tony Glover The Business 09/13/06 4:00 AM PT

The problem for company security chiefs is that a user can copy a crucial file to an iPod and delete its entry from the device's list of recorded files without wiping the actual file from the iPod's hard drive. An inspection of the device would only reveal music, but once it were taken from the building, the stolen file could easily be accessed by reading it straight from the device's hard drive.
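The paragraph above is really about data remanence: removing a file's entry from the device's index does not remove its bytes. The Python below is an added illustration, not code from the article or from any vendor; it models a portable player's storage as a constructed toy volume (a name-to-sector index in front of a raw data area, with a made-up %DOC/%END framing for the "document", all assumptions for the demo) and shows that signature carving over the raw area still recovers a file that an ordinary delete removed from the listing, while overwriting the sectors before releasing them leaves nothing to carve.

```python
from typing import Dict, List, Tuple

# Constructed stand-in for a portable player's storage: an index of recorded
# files (the "list" an inspection would look at) in front of a raw data area.
# The layout is a simplification assumed for this demonstration, not any real
# on-disk format.
SECTOR = 64
DATA_SECTORS = 16


class ToyVolume:
    def __init__(self) -> None:
        self.index: Dict[str, Tuple[int, int]] = {}   # name -> (first sector, byte length)
        self.data = bytearray(SECTOR * DATA_SECTORS)
        self.free: List[int] = list(range(DATA_SECTORS))

    @staticmethod
    def _sectors(length: int) -> int:
        return max(1, -(-length // SECTOR))           # ceiling division

    def write(self, name: str, payload: bytes) -> None:
        n = self._sectors(len(payload))
        first = self.free[0]                          # assume a contiguous run is free
        del self.free[:n]
        off = first * SECTOR
        self.data[off:off + len(payload)] = payload
        self.index[name] = (first, len(payload))

    def delete(self, name: str) -> None:
        """Ordinary delete: drop the index entry and leave the bytes in place."""
        first, length = self.index.pop(name)
        self.free = sorted(self.free + list(range(first, first + self._sectors(length))))

    def secure_delete(self, name: str) -> None:
        """Overwrite the allocated sectors (zeros here) before releasing them."""
        first, length = self.index[name]
        n = self._sectors(length)
        self.data[first * SECTOR:(first + n) * SECTOR] = bytes(n * SECTOR)
        self.delete(name)

    def listing(self) -> List[str]:
        """What an inspection that trusts the index would see."""
        return sorted(self.index)


def carve(raw: bytes, header: bytes = b"%DOC", trailer: bytes = b"%END") -> List[bytes]:
    """Signature-based carving: recover every header..trailer run straight from
    the raw data area, ignoring the index entirely (what a forensic tool does)."""
    found, pos = [], 0
    while True:
        start = raw.find(header, pos)
        if start < 0:
            break
        end = raw.find(trailer, start)
        if end < 0:
            break
        found.append(bytes(raw[start:end + len(trailer)]))
        pos = end + len(trailer)
    return found


# Constructed sample content; the document's %DOC/%END framing is invented for the demo.
MP3_SAMPLE = b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\xff\xfb" * 8
DOC_SAMPLE = b"%DOC Q3 forecast: revenue down 12%, layoffs in October %END"


def scenario(secure: bool) -> Tuple[List[str], List[bytes]]:
    """Copy a song and a document, remove the document, then report what the
    index shows versus what carving the raw area still finds."""
    vol = ToyVolume()
    vol.write("track01.mp3", MP3_SAMPLE)
    vol.write("q3-forecast.doc", DOC_SAMPLE)
    (vol.secure_delete if secure else vol.delete)("q3-forecast.doc")
    return vol.listing(), carve(bytes(vol.data))


if __name__ == "__main__":
    print("plain delete :", scenario(False))   # listing shows only the song; carving finds the document
    print("secure delete:", scenario(True))    # listing shows only the song; carving finds nothing
```

Two practical consequences for the security chiefs the article mentions: an inspection that reads the device's file list proves nothing, so controls belong on the endpoint (device control, write blocking, or monitoring of removable-storage writes) rather than at the door; and an investigation should image the raw device and carve it, exactly as `carve` does, instead of trusting the listing.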

The legal department is trying to recoup all those antitrust fines...

Microsoft wins record amount from spammer

Company wins $84,177 over term violation; U.K. individuals, though, are virtually helpless against spammers, lawyer says.

By David Meyer Special to CNET Published: September 13, 2006, 10:47 AM PDT

Scandal-in-waiting... (There is a video showing how to do it...)

September 13, 2006

Security Analysis of the Diebold AccuVote-TS Voting Machine

Security Analysis of the Diebold AccuVote-TS Voting Machine by Ariel J. Feldman, J. Alex Halderman, and Edward W. Felten

  • Abstract - "This paper presents a fully independent security study of a Diebold AccuVote-TS voting machine, including its hardware and software. We obtained the machine from a private party. Analysis of the machine, in light of real election procedures, shows that it is vulnerable to extremely serious attacks. For example, an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates. An attacker could also create malicious code that spreads automatically and silently from machine to machine during normal election activities — a voting-machine virus. We have constructed working demonstrations of these attacks in our lab. Mitigating these threats will require changes to the voting machine's hardware and software and the adoption of more rigorous election procedures."

  • Full research paper [PDF]
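The worst case in the abstract is malicious code that rewrites "all records, logs, and counters" so that they agree with a fraudulent count. A plain log, or even a plain hash chain, gives no protection against that, because whoever controls the machine can recompute every hash. The Python below is an added example, not code from the paper or from the machine it studies; it shows one software-side ingredient of a mitigation, a forward-secure MAC chain in which each entry is keyed with a key that is then replaced by its hash and discarded, while the auditor keeps the starting key off the machine (the key names K0, K(i) and the sample ballot entries are assumptions for the demo). It also shows the limit of the technique: entries written after the compromise can still be rewritten consistently, which is why the authors point to hardware changes and election procedures rather than software alone.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

Entry = Tuple[int, bytes, bytes]           # (sequence number, message, tag)
ZERO = b"\x00" * 32


def ratchet(key: bytes) -> bytes:
    """One-way key evolution: holding K(i+1) does not reveal K(i)."""
    return hashlib.sha256(b"ratchet|" + key).digest()


def tag_for(key: bytes, prev: bytes, seq: int, message: bytes) -> bytes:
    """MAC over the previous tag, the sequence number and the record."""
    return hmac.new(key, prev + seq.to_bytes(4, "big") + message, hashlib.sha256).digest()


class ForwardSecureLog:
    """Append-only log whose MAC key is replaced by its hash after every write,
    so the machine never retains an old key. The auditor holds K0, generated
    off the machine, and can recompute every later key when verifying."""

    def __init__(self, k0: bytes) -> None:
        self.key = k0
        self.prev = ZERO
        self.entries: List[Entry] = []

    def append(self, message: bytes) -> None:
        seq = len(self.entries)
        tag = tag_for(self.key, self.prev, seq, message)
        self.entries.append((seq, message, tag))
        self.prev = tag
        self.key = ratchet(self.key)       # the key used for this entry is now gone


def verify(k0: bytes, entries: List[Entry]) -> Optional[int]:
    """Return the index of the first entry that fails, or None if all check."""
    key, prev = k0, ZERO
    for i, (seq, message, tag) in enumerate(entries):
        if seq != i or not hmac.compare_digest(tag_for(key, prev, seq, message), tag):
            return i
        prev, key = tag, ratchet(key)
    return None


def rewrite_with_stolen_key(entries: List[Entry], stolen_key: bytes, stolen_at: int,
                            target: int, new_message: bytes) -> List[Entry]:
    """Model code that takes over once `stolen_at` entries exist: it holds only
    K(stolen_at) onward, changes one record, and re-tags every entry it is able
    to re-tag so the tail stays self-consistent."""
    forged = [list(e) for e in entries]
    forged[target][1] = new_message
    key, prev = stolen_key, forged[stolen_at - 1][2]
    for i in range(stolen_at, len(forged)):       # entries before stolen_at cannot be re-tagged
        forged[i][2] = tag_for(key, prev, i, forged[i][1])
        prev, key = forged[i][2], ratchet(key)
    return [tuple(e) for e in forged]            # type: ignore[misc]


K0 = bytes.fromhex("00" * 31 + "01")               # constructed auditor key for the demo


def demo() -> Tuple[Optional[int], Optional[int], Optional[int]]:
    """Returns (clean log result, rewrite of a pre-compromise entry,
    rewrite of a post-compromise entry)."""
    log = ForwardSecureLog(K0)
    for m in (b"ballot: A", b"ballot: B", b"ballot: A"):
        log.append(m)
    stolen = log.key                                # K3: what a compromise at this point captures
    for m in (b"ballot: A", b"ballot: B"):
        log.append(m)
    clean = verify(K0, log.entries)
    past = verify(K0, rewrite_with_stolen_key(log.entries, stolen, 3, 1, b"ballot: A"))
    future = verify(K0, rewrite_with_stolen_key(log.entries, stolen, 3, 4, b"ballot: A"))
    return clean, past, future


if __name__ == "__main__":
    print(demo())   # (None, 1, None): entry 1 is caught, entry 4 is not
```

The third result is the honest caveat: forward security protects what was logged before the compromise, not after, and an attacker who simply truncates the log is caught only if the expected count or the latest tag is also recorded somewhere the machine cannot reach. That is the gap the paper's hardware and procedural recommendations are meant to close.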

Is it vandalism?

Artist Draws 'Clean' Graffiti from Dirty Walls

Some British Officials See Moose's Handiwork as Vandalism


Morning Edition, July 15, 2004 · A British street artist known as Moose creates graffiti by cleaning dirt from sidewalks and tunnels -- sometimes for money when the images are used as advertising. But some authorities call it vandalism.

Just an observation, don't you use sting operations to arrest people? This sounds more like a training exercise that points out that NO ONE DETECTED THEM!

September 13, 2006 -- Two undercover NYPD cops in a sting operation used $7,000 and the Internet to build a truck bomb big enough to blow up a skyscraper, officials revealed yesterday.

In what was dubbed "Operation Kaboom," [Humor? PR? Bob] every purchase the cops made was legal - and aroused little suspicion - even driving their simulated truck bomb throughout the city.

Wednesday, September 13, 2006

Is this sufficient? You can't be chairwoman, but we like the way you think so stay on the board?

,71767-0.html?tw=rss.index

HP's Dunn Takes the Fall

Associated Press 08:45 AM Sep, 12, 2006

Hewlett-Packard said Tuesday that Patricia Dunn will step down as chairwoman of the computer and printer maker in January amid a widening scandal involving a possibly illegal probe into media leaks. She will be succeeded by CEO Mark Hurd.

Hurd will retain his existing positions as chief executive and president and Dunn will remain as a director after she relinquishes the chair on Jan. 18.

"I am taking action to ensure that inappropriate investigative techniques will not be employed again. [Only the Chair can authorize “Inappropriate techniques?” Bob] They have no place in HP," Hurd said in a statement.

... Having already concluded HP's probe broke some California laws, state Attorney General Bill Lockyer indicated for the first time that HP insiders are likely to face some criminal charges.

"We currently have sufficient evidence to indict people both within Hewlett-Packard as well as contractors on the outside," Lockyer said in an interview aired late Tuesday on PBS' The NewsHour With Jim Lehrer.

... "Unfortunately, the investigation, which was conducted with [not “by” -- interesting... Bob] third parties, included certain inappropriate techniques. These went beyond what we understood them to be, and I apologize that they were employed," Dunn said in a statement.

... Richard Hackborn, who has served on the board since 1992, will become lead independent director [New title to me Bob] in January.

Still somewhat unclear what is happening here. If this recording (Nixonesque?) was on the Gov's server, but not specifically linked to on the website, is it “private?”

Hacking the Governator

Posted by kdawson on Tuesday September 12, @10:38PM from the call-that-a-hack? dept.

mytrip writes, "The Democratic rival to California Gov. Arnold Schwarzenegger acknowledged that his aides were responsible for obtaining a controversial audio file, in which the Governator was heard disparaging members of other races, in a move that has led to allegations of Web site hacking. A source close to Angelides told CNET that it was possible to 'chop' off the Web links and visit the higher-level '' directory, which had the controversial audio recording publicly viewable. No password was needed, the source said." And jchernia notes, "As an aside, the California Highway Patrol is running the investigation — maybe the Internet is a truck after all."

Governor’s Comments Were Leaked by Foe’s Camp

By JENNIFER STEINHAUER September 13, 2006

LOS ANGELES, Sept. 12 — The campaign of the Democratic candidate for governor, Phil Angelides, said Tuesday that it was the source of audio files containing impolitic remarks by Gov. Arnold Schwarzenegger. Those remarks were the subject of a front page article last week in The Los Angeles Times, which led to an apology by the governor.

Mr. Angelides’s campaign manager, Cathy Calfo, said at a news conference in Sacramento that the files had been culled from a Web site accessible by the public and that campaign staff members had not trespassed into a secure area of the governor’s office.

The California Highway Patrol, at the request of Mr. Schwarzenegger’s office, is investigating whether the files were obtained illegally. Mr. Schwarzenegger’s communications director, Adam Mendelsohn, said Tuesday that while the Web site with the audio files was not as secure as it ought to be, it was not publicly accessible.

“That area was password protected,” Mr. Mendelsohn said, “but the administration knows that with enough manipulation, it could be accessed.”

... Thad Kousser, a professor of political science at the University of California, San Diego, said that neither side had emerged particularly well from the episode, but that that could change if it was determined whether the Web site was publicly accessible.

“If it turns out that the tape was hacked,” Mr. Kousser said, “it feeds into the feeling about the Angelides campaign that he is too political and too negative.”

Either way, it is not the stuff of a great policy debate, he said.

“This is California politics,” Mr. Kousser added, “so it always seems ridiculous.” [Amen! Bob]
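The dispute in the two items above is whether a file reachable by trimming a link back to its parent directory was "publicly accessible" or "password protected". The Python below is an added illustration using the standard library's http.server, not code from any party in the story; it serves a constructed directory tree on the loopback interface with the stock handler (directory listings on, no authentication) and with a hardened handler that refuses to generate listings and requires a bearer token for everything under an assumed `/audio/` prefix (the token and path are demo values). Comparing the status codes makes the point that an unlinked path is not a control: only the hardened handler denies both the listing and the file to a client without credentials.

```python
import hmac
import os
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler
from typing import Dict, Optional, Tuple

# Constructed values for the demo; a real deployment uses its web server's
# own access-control features and keeps credentials in a secret store.
DEMO_TOKEN = "demo-token-not-for-production"
PROTECTED_PREFIX = "/audio/"


class QuietDefault(SimpleHTTPRequestHandler):
    """Stock behaviour: directory listings on, no authentication."""

    def log_message(self, fmt, *args):     # keep the demo output quiet
        pass


class HardenedHandler(SimpleHTTPRequestHandler):
    """Two changes: never emit a directory listing, and require a bearer token
    for anything under PROTECTED_PREFIX, so neither guessing the parent path
    nor guessing the file name yields content without credentials."""

    def list_directory(self, path):
        self.send_error(403, "Directory listing disabled")
        return None

    def _authorized(self) -> bool:
        header = self.headers.get("Authorization", "")
        return hmac.compare_digest(header, "Bearer " + DEMO_TOKEN)

    def do_GET(self):
        if self.path.startswith(PROTECTED_PREFIX) and not self._authorized():
            self.send_error(401, "Authentication required")
            return
        super().do_GET()

    def log_message(self, fmt, *args):
        pass


def fetch_status(url: str, token: Optional[str] = None) -> int:
    """GET the URL and return the HTTP status code, error codes included."""
    req = urllib.request.Request(url)
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code


def probe(handler) -> Tuple[int, int, int, int]:
    """Serve a temporary tree on 127.0.0.1 and report status codes for:
    directory without token, directory with token, file without token, file with token."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "audio"))
    with open(os.path.join(root, "audio", "remarks.mp3"), "wb") as fh:
        fh.write(b"constructed placeholder, not real audio")
    server = HTTPServer(("127.0.0.1", 0), partial(handler, directory=root))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        return (fetch_status(base + "/audio/"),
                fetch_status(base + "/audio/", DEMO_TOKEN),
                fetch_status(base + "/audio/remarks.mp3"),
                fetch_status(base + "/audio/remarks.mp3", DEMO_TOKEN))
    finally:
        server.shutdown()
        server.server_close()


def compare() -> Dict[str, Tuple[int, int, int, int]]:
    return {"default": probe(QuietDefault), "hardened": probe(HardenedHandler)}


if __name__ == "__main__":
    for name, codes in compare().items():
        print(name, "dir=%d dir+token=%d file=%d file+token=%d" % codes)
```

On a production server the same two settings are configuration rather than code (for example `Options -Indexes` in Apache or `autoindex off;` in nginx, plus the server's authentication module for the protected location); the demo only makes the difference between "not linked" and "not accessible" observable.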

Slick & simple!

Architectural Innovation and Dynamic Competition: The Smaller "Footprint" Strategy

Authors: Carliss Y. Baldwin and Kim B. Clark

We describe a dynamic strategy that can be employed by firms capable of architectural innovation. The strategy involves using knowledge of the bottlenecks in an architecture together with the modular operator "splitting" to shrink the "footprint" of the firm's in-house activities. Modules not in the footprint are outsourced—module boundaries are redrawn and interfaces designed for this purpose. The result is an invested capital advantage, which can be used to drive the returns of competitors below their cost of capital. We explain how this strategy works and model its impact on competition through successive stages of industry evolution. We then show how this strategy was used by Sun Microsystems against Apollo Computer in the 1980s and by Dell against Compaq and other personal computer makers in the 1990s.

Download working paper:


Fingerprinting Wireless Drivers

Posted by kdawson on Tuesday September 12, @07:21PM from the tighten-that-standard dept.

jfleck writes with news that researchers at Sandia National Laboratories have released a paper on a technique they have developed for passively fingerprinting wireless device drivers (PDF). The researchers comment, "This technique is valuable to an attacker wishing to conduct reconnaissance against a potential target so that he may launch a driver-specific exploit." They sketch the loose language in the 802.11 standard describing the way client devices should probe for access points. Because probing is not spelled out in any detail, the authors say, "...implementing active scanning within wireless drivers [is] a poorly guided task. This has led to the development of many drivers that perform probing using slightly different techniques. By characterizing these implementation-dependent probing algorithms, we are able to passively identify the wireless driver employed by a device." This technique beats Wi-Fi Fingerprints by a country mile.

We may need a “Grandma Defense Fund!”

Grannies and Pirated Software

Posted by kdawson on Tuesday September 12, @09:02PM from the oh-dearie-me dept.

dthomas731 writes, "After reading Ed Foster's blog about how the Embroidery Software Protection Coalition (ESPC) is suing grandmothers over using pirated digitized designs, I thought you might want to call your own grandmothers and tell them they are going to be needing a lawyer. And the ESPC is very serious. On the ESPC faq page they scare these grandmothers by telling them even if they didn't know the software was pirated, that 'Unfortunately, when it comes to copyright violations, ignorance is no defense.'"

How to win friends and drain their bank accounts.

Webloyalty, Fandango named in coupon lawsuit

Mon Sep 11, 2006 4:34 PM ET

NEW YORK (Reuters) - Online marketing company Inc. and online movie ticket seller Fandango Inc. were named in a lawsuit on Monday that accuses them of participating in a scheme where customers' credit cards are billed monthly fees without their knowledge.

The lawsuit in U.S. District Court in Massachusetts, said when customers bought from one of Webloyalty's partners such as Fandango and clicked on a pop-up window offering a $10 coupon on their next purchase, their credit card information was automatically transferred to Webloyalty and they were unwittingly enrolled in its "Reservation Rewards," program.

I'm still betting that voting machines will cause at least one major kerfuffle in November...

September 11, 2006

NIST Report on Voting Audit Trails Released

Association for Computing Machinery, September 11, 2006, National Institute of Standards and Technology Report on Audit Trails Released

  • Independent Verification: Essential Action to Assure Integrity in the Voting Process, by Roy G. Saltman (26 pages, PDF)

Here's one example.

Why You Need Backup Systems For Voting: Something Will Go Wrong

from the again-and-again-and-again dept

The e-voting saga continues. One of the problems is that there are so many different ways things can go wrong with e-voting systems, that it's impossible to think of them all beforehand. That's why it's particularly ridiculous when the e-voting firms try to limit the type of testing that can be done on the machines. Yet, it seems like hardly an election goes by where some problems with the machines aren't reported. The latest is in Montgomery County, Maryland, where apparently someone forgot that the various e-voting machines in use require special voting cards. Without them, you can't vote... and many polling places opened up this morning without them. Now, obviously, this is a human error, not a technical one -- but it just highlights how many possible things can go wrong -- and the importance of a ready and available system for backups, no matter what happens when you're dealing with something like an election. The idea that nothing (on either the human or technical side) would go wrong is ridiculous -- but it's a view championed by the e-voting companies who don't like to admit that errors are possible, if not likely. Update: Avi Rubin, who has written about security issues with e-voting machines, and who also has volunteered in the past as an election judge did so again today. He's written up his account, and it lists many, many, many more problems with the e-voting equipment. Not only that, but he notes that the Diebold rep on site in case things went wrong was really just a contractor who had been hired the day before and knew nothing about the machines and was of no help at all. The only positive note in the piece is that many more voters complained about the use of e-voting machines.

September 12, 2006

Survey of Core Business Reference Sources in Print and Online

From Diane K. Kovacs, the results of an Essential Reference Tool Survey - Business Reference: includes Print, Free Web-Sites, Govdocs Sites, and Fee-Based Websites.

Let me see if I get this... If Microsoft could make their operating system completely secure, they won't be allowed to because someone with a less secure process might want a piece of the market?

EU Warns Microsoft Against Making Vista Too Secure

from the monopoly dept

There's no doubt that the European Union has taken a much harder line in its anti-trust actions against Microsoft than regulators have in the US. The company is still facing fines in Europe, and arguing about what features are legitimate, whereas Stateside the legal action is basically finished. A few months ago, we asked whether Microsoft's decision to beef up the security features in Vista might get them into legal hot water, in the same way as it has with Internet Explorer and the Windows Media Player. It doesn't seem like it's going to be an issue for US regulators, but again, the EU is concerned. A spokesman warned that Microsoft should not build security features into Vista, as it would shut out third party vendors and hurt consumers. Now, people can disagree about whether Microsoft's actions will make Vista more or less secure, but the idea that it shouldn't address security issues, so as to leave a market for other companies is odd. Shouldn't Vista users be allowed an inherently secure (in theory) operating system, without the need to spend extra on security software, and enjoy the same peace of mind held by Linux and Apple users all these years? Since added security is thought to be one of the main reasons to upgrade to Vista, limitations on what the company can offer could hurt Microsoft in the important European market.

Geek alert!

TCP-IP The ULTIMATE Reference Resource

SearchEngines submitted by SearchEngines 23 hours 46 minutes ago

BOOKMARK this Extremely Thorough and informative reference site - Contains Everything you could want to know about TCP IP! Hundreds of pages of information

Geek alert!

Web Development Tools for the Power Developer

Ozon submitted by Ozon 19 hours 56 minutes ago

Nice list of tools for web developers.