Monday, June 11, 2012
Security looks too expensive until you find out what it costs to skimp...
Lax Security at LinkedIn Is Laid Bare
Last week, hackers breached the site and stole more than six million of its customers’ passwords, which had been only lightly encrypted. They were posted to a Russian hacker forum for all to see.
That LinkedIn was attacked did not surprise anyone.
… What has surprised customers and security experts alike is that a company that collects and profits from vast amounts of data had taken a bare-bones approach to protecting it. The breach highlights a disturbing truth about LinkedIn’s computer security: there isn’t much. Companies with customer data continue to gamble on their own computer security, even as the break-ins increase.
How long ago did the Last.fm security breach happen?
Last.fm's security breach that left user passwords open on a Russian hacker site last week might have shown its ugly face months ago, according to a new report.
Back in May, several Last.fm users took to the company's forums, saying that they had been receiving massive amounts of spam on e-mail addresses they created solely for Last.fm. Soon after, Last.fm customer support manager Matt Knapman said that his company was "investigating this matter urgently, running a security audit, and looking at alternative ways the spamming of Last.fm users might have occurred." [Translation: Looking for an excuse... Bob]
According to GigaOm, reporting today on that event, the audit apparently yielded no evidence of a major security breach.
… However, GigaOm's Bobbie Johnson also said today, citing a source, that the security breach that left Last.fm passwords open occurred in February or March. That followed a claim made by a Reddit poster, named "mingaminga," who said over the weekend that the password list "has been out there for a long time," adding that there were discussions about it at Defcon last year. So, Johnson argues, if a security audit was, in fact, conducted, it failed to discover a breach that had already occurred.
Is this a criminal prosecution or “sending a message to anyone who uses a service that MPAA doesn't like?”
DOJ tries to block return of data to MegaUpload user
Returning videos to Kyle Goodwin, a former MegaUpload user, would set a bad precedent, [Translation: There might be legal uses of this service... Bob] the U.S. said in documents, copies of which were obtained by CNET.
The fate of "legitimate" user data that was locked up following the shutdown of MegaUpload, one of the world's most popular cloud-storage services, continues to vex the court overseeing the case. Negotiations among the stakeholders involved, including MegaUpload, the Motion Picture Association of America, the Electronic Frontier Foundation (the advocacy group representing Goodwin) and the U.S. Attorney's office, have not yielded agreement on what should be done with the information former users stored on MegaUpload's servers.
… "Mr. Goodwin's proposed solution is to have the government bear the financial cost of restoring his data," the U.S. Attorney's office wrote in its filing, "even if that means releasing assets of the defendants which are subject to mandatory forfeiture. Twenty-three years ago, the Supreme Court made clear that a criminal defendant does not have a right to use someone else's money to finance his defense." [No clue what this means. Goodwin is not charged (presumed innocent?) If MegaUpload was holding stolen goods, would they be returned to the victims? Bob]
(Related) The DA “didn't know” the deadline had passed? Doesn't care if the guy is innocent?
Oregon judge orders Google searches by alleged rape victim turned over to accused man
June 10, 2012 by Dissent
Aimee Green reports on a case in Oregon that got complicated in a hurry when a prosecutor failed to appeal a judge’s order in a timely fashion:
In a first of its kind ruling in Oregon, a Deschutes County judge has ordered that a young woman’s Google searches must be turned over to the man accused of beating and raping her.
The Oregon Supreme Court this week refused to rule on the constitutionality of the order, saying the alleged victim waited too long to appeal Circuit Judge A. Michael Adler’s decision.
And so Adler’s order stands — though the district attorney says he can’t comply with it.
In brief, the defense wants the records of her searches before and after the alleged rape. They also wanted her emails and her hard drive. The judge refused to order her to turn over her hard drive, and when the defense attorney subpoenaed Google for her search records and emails, Google refused to comply without a warrant, citing ECPA. So the defense counsel went back to the judge, who ordered the prosecutor to obtain the search records from Google and turn them over to the defense.
The prosecutor refused to do that, saying that he would need a warrant and couldn’t justify seeking a warrant as the records were not necessary to his prosecution. Unfortunately, he didn’t appeal the judge’s order within the 7-day period allowed to file appeals.
Why the judge didn’t order Google directly to produce the records to the court is unclear to me, and maybe some kind lawyer can explain whether that is even an option.
In any event, Google won’t produce the records without a warrant, the prosecutor says it’s problematic and he can’t seek a warrant, and I have no idea where this will go.
You can read more about the case on The Oregonian.
[From the article:
The judge's broad ruling is "hugely disturbing" -- unprecedented in Oregon and extremely rare in the nation, said Meg Garvin, director of the National Crime Victim Law Institute.
Victim advocates worry about the standard it could set. Such orders, they said, could discourage rape victims from pressing charges out of fear that their attackers will gain an invasive window into their thoughts via all the information they've queried on their personal computers.
… Deschutes County District Attorney Patrick Flaherty said he can't legally abide by the judge's order. He said he would need a search warrant to do so, and he can do that only if he believes it would further his office's criminal investigation into the case. He doesn't.]
Do you suppose people even recognize this as surveillance?
"GeekWire reports on a newly-surfaced Microsoft patent application for 'Targeting Advertisements Based on Emotion', [I'm angry! Show me gun ads! Bob] which describes how information gleaned from Kinects, webcams, online games, IMs, email, searches, webpage content, and browsers could be used to build an 'Emotional State Database' of individuals' emotions over time for advertisers to tap into. From the patent application: 'Weight-loss product advertisers may not want their advertisement to appear to users that are very happy. Because, a person that is really happy, is less likely to purchase a self-investment product that leverages on his or her shortcomings. But a really happy person may purchase electronic products or vacation packages. No club or party advertisers want to appear when the user is sad or crying. When the user is emotionally sad, advertisements about club parties would not be appropriate and may seem annoying or negative to the user. Online help or technical support advertisers want their advertisements to appear when the user is demonstrating a confused or frustrated emotional state.'"
No doubt they are shocked to finally discover that this has been going on since the time of the founding fathers. I doubt it will cause them to stop.
Pelosi to McCain: ‘Really sad’ to say security leaks were ‘politically motivated’ by White House [VIDEO]
House Minority Leader Nancy Pelosi fired back at Arizona Republican Sen. John McCain for claiming that the “highest levels” of the Obama administration leaked sensitive national security information.
“The fact that this administration would aggressively pursue leaks by a 22-year-old Army private in the Wikileaks matter and former CIA employees in other leaks cases, but apparently sanction leaks made by senior administration officials for political purposes is simply unacceptable,” McCain said on Wednesday.
Because they've always been smarter?
Parent company Conde Nast may still think the web is not that important, but The New Yorker does.
The 87-year-old magazine decided to make a “big investment” in its website six to eight months ago, Nicholas Thompson, editor of newyorker.com, says.
… Within the last year, newyorker.com has streamlined its navigation and launched a politics vertical, a “healthcare hub” and Page-Turner, a blog for literary criticism. The latest addition, Jonah Lehrer’s Frontal Cortex blog, was imported from sister website wired.com earlier this week.
Traffic has grown as a result. The website brought in 5 million unique visitors in May, up “about 50% from last year,” says Thompson, who pulled the numbers from Omniture. Between 12 and 15 pieces of original content are posted per day on average. About a quarter to a third of the magazine’s content is made available freely on the website each week.
There have also been efforts to boost traction on social networks. The publication offered access to a Jonathan Franzen story in exchange for Facebook Likes in April 2011. Its Tumblr, one of the first to be launched by a major media brand, is updated several times per day during the week. More recently, the magazine tweeted a short sequel to Jennifer Egan’s Pulitzer Prize-winning novel, A Visit from the Goon Squad, through 140-character installments on Twitter.
The trick will be to find a politician willing to look past re-election...
"While the official target of NASA's space exploration program remains exploring Earth approaching asteroids, the case for a return to the moon has been made from a variety of quarters. The most recent attempt to make a case for the moon is in a paper, titled Back to the Moon: The Scientific Rationale for Resuming Lunar Surface Exploration, soon to be published in the journal Planetary and Space Science."