Thursday, September 28, 2006

The hearings start today, so there will be lots of articles – and perhaps some facts?

http://today.reuters.com/news/articlenews.aspx?type=businessNews&storyid=2006-09-27T163455Z_01_WAT006303_RTRUKOC_0_US-HEWLETTPACKARD-CONGRESS.xml&src=rss

Panel subpoenas 5 investigators for HP hearing

Wed Sep 27, 2006 12:35 PM ET

WASHINGTON (Reuters) - The U.S. House Energy and Commerce Committee said on Wednesday that it subpoenaed five private investigators to testify at the Hewlett-Packard Co. data privacy hearing on Thursday.

The five investigators were identified as Bryan Wagner of Littleton, Colorado; Charles Kelly of CAS Agency in Villa Rica, Georgia; Cassandra Selvage, Eye in the Sky Investigations in Dade City, Florida; Darren Brost of Austin, Texas; and Valerie Preston of InSearchOfInc. of Cooper City, Florida, according to a statement issued by the committee.

The statement did not say if the investigators were involved in HP's efforts to obtain confidential telephone records of some board members and journalists by impersonating them, a practice known as "pretexting."


http://techdirt.com/articles/20060927/181054.shtml

HP Execs Were Warned About Risks Of Spying Methods

from the hear-no-evil,-see-no-evil? dept

The HP spying saga continues. While various people have all said that they never would have moved forward with the "rogue" spying program if they had realized that it was illegal, it's now coming to light that an HP security official warned those in charge of the project that it was "very unethical at the least and probably illegal." On top of that, the employee (prophetically) stated: "If it is not illegal, then it is leaving HP in a position of (sic) that could damage our reputation or worse," followed by the recommendation "that we cease this phone number gathering method immediately and discount any of its information." While Patricia Dunn continues to pretend she wasn't that involved, it increasingly looks like a case of where it may have been more about what she didn't want to know -- so that there was some plausible deniability there. Certainly, people involved with what was going on sensed that it was illegal, and tried to warn those above them. Whether or not Dunn knew the specifics of how things were done, she didn't seem too bothered by it once she did find out, and only seemed to feel bad about it after it became public.


I don't see the logic...

http://news.com.com/2100-1014_3-6120551.html?part=rss&tag=6120551&subj=news

HP's top lawyer leaves

By Margaret Kane Story last modified Thu Sep 28 05:31:39 PDT 2006

Hewlett-Packard General Counsel Ann Baskins has resigned, the company announced Thursday.

The move comes hours before Baskins, among other HP executives, is scheduled to testify before a U.S. House of Representatives subcommittee in an investigation into a spying campaign to probe leaks to the media.

Baskins, who spent much of her legal career with the company, also served as secretary for its board of directors. She has come under scrutiny for her role in HP's leak investigation, which allegedly involved "pretexting," or using fraudulent means to obtain someone else's personal records.

"She has admirably supported our business needs across the globe and will be missed," CEO Mark Hurd said in a press release regarding Baskins. "Stepping down was a very hard decision for her, but by doing so, she has put the interests of HP above her own, and that is to be commended."

HP has acknowledged that it accessed phone records of board members and journalists, including CNET News.com reporters, as part of its leak probe. The company has also followed reporters and tried to trace e-mails in an effort to track down the source of leaks from the board of directors.

The scandal has already cost the jobs of Chairman Patricia Dunn and two other employees.


Uh oh! Is this the kiss of death?

http://www.eweek.com/article2/0,1759,2021446,00.asp?kc=EWRSS03119TX1K0000594

HP Director Says CEO Has Full Support of Board

September 27, 2006 By Reuters

SAN FRANCISCO (Reuters)—A Hewlett-Packard Co. director said on Wednesday Chief Executive Mark Hurd has the full support of the board and that there have been no discussions whether Hurd might resign amid the controversy over the company's investigation into boardroom leaks.

"Mark has just got tremendous support from the board," Robert Ryan, an HP director since 2004 and former chief financial officer of medical device maker Medtronic Inc., said in a telephone interview. "There have been absolutely no discussions about Mark's resignation." [I bet there have been discussions about firing him! Bob]

Ryan's comments come a day ahead of expected testimony from Hurd, former Chairman Patricia Dunn, and Ann Baskins, HP's general counsel, before a U.S. House of Representatives subcommittee investigating HP's use of private phone records and other tactics to ferret out the source of board leaks to the media in 2005 and 2006.

Ryan, who said the board room leak scandal investigation had actually brought directors closer together, [to ensure their stories agree... Bob] said that the board and the directors know mistakes were made.

"The company and the board want to acknowledge they made a mistake," Ryan said. "It's not in anybody's interest to rationalize it."

Former Chairman Dunn had undertaken an investigation into board room leaks that began in 2005, and tactics used by firms hired by HP included tailing a director and a journalist, going through individuals' trash and impersonating journalists and directors to gain access to private phone records.

Dunn resigned from the board last week and Hurd assumed the additional title of chairman. He had approved a plan for HP investigators to send an e-mail from a fictitious senior HP executive to a reporter in an effort to find out the source of board leaks, but has said he was unaware that tracer technology would be attached to it.

"I think Mark is exactly the right CEO," Ryan said.


http://www.infoworld.com/article/06/09/28/HNhprogue_1.html?source=rss&url=http://www.infoworld.com/article/06/09/28/HNhprogue_1.html

HP CEO: Pretexting probe a 'rogue'

In an advance copy of his testimony, Hurd said the end came to justify the means

By Robert Mullins, IDG News Service September 28, 2006

Hewlett-Packard chief executive officer Mark Hurd blamed the scandal that has besieged his company on "a rogue investigation" [as in “investigating a rogue” not as in “unauthorized,” since the board initiated and approved it. Bob] that got out of hand, in an advance copy of his Congressional testimony released by a House Subcommittee on Wednesday.

"How did such an abuse of privacy occur in a company renowned for its privacy? The end came to justify the means," Hurd wrote. "The investigation team became so focused on finding the source of the leaks that they lost sight of the privacy of reporters and others. They lost sight of the values HP has always represented."

Former HP Chairman Patricia Dunn, forced to resign Sept. 21 because of the scandal, defended in her testimony her decision to investigate the leaks of confidential board discussions to the news media.

In her testimony, Dunn wrote that she knew investigators were obtaining the phone records of people it was investigating. Lawyers for HP and for an investigation firm carrying out the probe assured her the tactics were legal, she wrote.

"I was fully convinced that HP would never engage in anything illegal," she wrote. "Given that attorneys were unambiguously overseeing the investigation ... reinforced my understanding that the investigations were being handled appropriately."

Both are among several witnesses expected at a hearing before the Oversight and Investigations Subcommittee of the House Energy and Commerce Committee on Thursday in Washington. The committee is looking into the practice of "pretexting," or using false pretenses to gain access to confidential records. Investigators hired by HP to find the source of leaks engaged in pretexting to get hold of the phone records of directors, HP employees and reporters who cover the Palo Alto, California, technology company.

Hurd, echoing comments he made in a news conference last Friday at HP's headquarters, said he was determined to get to the bottom of this episode and to try to restore HP's image.

"I pledge that HP will take whatever steps are necessary to make sure nothing like this ever happens again," he wrote, "and that this company will regain not just its reputation ... but its pride."

Although much of the criticism of the scandal surrounds the tactics used by the investigators, Dunn wrote in her testimony that equal consideration should be given to the leaks from within the company that damaged HP.

HP's board was notorious for its leaks to news media and such disclosures made it difficult for the board to deal with important issues candidly, she wrote.

Dunn explained that board deliberations on the selection of a replacement for former CEO Carly Fiorina in 2005 were leaked. She cited a BusinessWeek magazine story "disclosing opinions about various candidates and revealing details about ... the search process."

"If you were a top CEO candidate, would you want to work for a company whose board could not be trusted to keep such information confidential? HP is very lucky to have been able to recruit Mark Hurd under such circumstances," Dunn wrote. [Did she answer her own question? Bob]

"I wish fervently that none of this had ever happened," Dunn continued. "But boards have an unquestionable obligation to take steps to prevent [leaks]. That certain steps taken during the investigation went well beyond what was appropriate does not undermine the importance of the board's mission in this matter."

Hurd also outlined several steps the company is taking internally to clarify its privacy policy for employees and to emphasize it in employee training programs.




Why doesn't this give me a warm fuzzy feeling? Because they have this reputation for accurate programming? Because they couldn't recognize that the systems lacked security?

http://cbs4denver.com/local/local_story_269160336.html

Sep 26, 2006 1:53 pm US/Mountain

Election Commission To Manually Program Machines

(CBS4) DENVER The Denver Election Commission has decided not to use part of its controversial new voting system for the November election.

In the August primary election many voters were given wrong ballots. Election judges also complained the training on the machines was confusing.

As a result, 50 card activators which produce cards that are programmed to load the voting machines with the correct ballot for each voter, will not be used in November.

Instead, the election commission will manually program the machines.



http://books.slashdot.org/article.pl?sid=06/09/27/137201&from=rss

How to Cheat at Managing Information Security

Posted by samzenpus on Wednesday September 27, @03:47PM from the keep-it-secure dept. Security

Ben Rothke writes "Mark Osborne doesn't like auditors. In fact, after reading this book, one gets the feeling he despises them. Perhaps he should have titled this book 'How I learned to stop worrying and hate auditors'. Of course, that is not the main theme of How to Cheat at Managing Information Security, but Osborne never hides his feeling about auditors, which is not necessarily a bad thing. In fact, the auditor jokes start in the preface, and continue throughout the book."

Read the rest of Ben's review.



http://yro.slashdot.org/article.pl?sid=06/09/28/0152255&from=rss

Judge Refuses To Convict Hacker

Posted by samzenpus on Wednesday September 27, @11:45PM from the he-said-he-was-sorry dept. The Courts Security

Jake96 writes "A judge in Wellington, New Zealand, declined to convict a man who ran an unrequested security audit on a bank's phone systems and was charged with 'intentionally accessing a computer system knowing he was not authorized to,' according to an article in the New Zealand Herald."

From the article:

Macridis has a significant number of previous fraud convictions and it appeared he was trying to obtain money through virtue of his technical knowledge, Mr McGilivray said.

In his defence, Macridis told the court he had worked as a security consultant on a casual basis for the past 11 years. He said he had previously done extensive work for Telecom and completed assignments for the Police and the Department of Internal Affairs.

... He said Macridis used his talents to identify security risks and he had identified a grave risk to the Reserve Bank and its customers.

He did not pass the information on to others and did not use it for personal gain. "In my view his intentions were honourable."

Judge Mill said conviction would be out of proportion with Macridis' actions and he discharged him without conviction.



What's a First Amendment? (read the comments!)

http://yro.slashdot.org/article.pl?sid=06/09/28/0355208&from=rss

Traveler Detained for Anti-TSA Message

Posted by samzenpus on Thursday September 28, @05:42AM from the don't-screw-around-at-the-airport dept. Privacy United States

scifience writes "A traveler frustrated with recent changes to airport security procedures found himself detained in Milwaukee after writing a message critical of the TSA's leader on a plastic bag presented for screening. The message, which read "Kip Hawley is an Idiot," resulted in a confrontation with law enforcement, the traveler being told that his right to freedom of speech applied only "out there (pointing past the id checkers) not while in here [the checkpoint]." The story, which is detailed in a rapidly-growing thread on a discussion forum catering to frequent flyers, has attracted the interest of the ACLU, an AP reporter, and many others. The incident raises a number of interesting questions and concerns regarding just where our rights end."



http://www.infoworld.com/article/06/09/28/HNaolidentitytheft_1.html?source=rss&url=http://www.infoworld.com/article/06/09/28/HNaolidentitytheft_1.html

Six charged in breakup of AOL identity theft ring

Men are accused of harvesting AOL e-mail addresses and infecting victims' PCs with malicious software

By Robert McMillan, IDG News Service September 28, 2006

Six men have been charged with orchestrating a phishing scheme that targeted AOL users, the U.S. Department of Justice said Wednesday.

The men are accused of harvesting thousands of AOL e-mail addresses and then infecting victims' PCs with malicious software that would prevent them from logging on to AOL without entering their credit card numbers, bank account numbers, and other personal information.



http://www.eweek.com/article2/0,1759,2021228,00.asp?kc=EWRSS03119TX1K0000594

IBM Goes for SCO KO

September 27, 2006 By Steven J. Vaughan-Nichols

IBM swung a haymaker at SCO on Sept. 25. The corporate giant asked the U.S. District Court in Salt Lake City for summary judgment against all of SCO's claims.

The SCO vs. IBM case is more than three years old. Although The SCO Group has had little success in persuading the court or the buying public that IBM did indeed take SCO's Unix intellectual property and place it within Linux, the company has stayed its course.

In the last year, however, SCO has suffered more than just reverses in the court of public opinion. On June 28, Magistrate Judge Brooke Wells ruled largely in favor of an IBM motion and threw out the vast majority of SCO's claims against IBM.

Now, SCO, in turn, has also filed at least one motion for partial summary judgment.

Will these attempts to knock each other out of the ring before the court date of Feb. 26, 2007, come to anything? While those who wish SCO and its Linux legal cases would just skulk off into the darkness hope that this will spell the end of the IBM/SCO case, the experts don't see it happening that way.

Read the full story on Linux-Watch: IBM goes for an SCO KO



http://www.infoworld.com/article/06/09/27/HNpowerpointbugattack_1.html

Update: Attackers targeting new PowerPoint bug

Trojan found in Microsoft's presentation software, says McAfee

By Robert McMillan, IDG News Service September 27, 2006

One day after patching a widely exploited flaw in its Internet Explorer browser, Microsoft Corp. has a new bug to worry about, this time in PowerPoint.

... Schmugar has blogged about the issue.

Microsoft issued a security advisory on the matter Wednesday, saying that the issue affects users of Microsoft Office 2000, Microsoft Office 2003, and Microsoft Office XP, as well as Microsoft PowerPoint 2004 for Mac. Microsoft's advisory can be found here.

As a workaround, Microsoft suggests that users open and view files using PowerPoint Viewer 2003. This software "does not contain the vulnerable code and is not susceptible to this attack," the advisory states. The PowerPoint viewer can be downloaded here.



http://www.bespacific.com/mt/archives/012627.html

September 26, 2006

DOJ's Privacy Technology Focus Group Publish Privacy Technology Recommendations

Press release: "In 2005, the Bureau of Justice Assistance (BJA), Office of Justice Programs (OJP), U.S. Department of Justice (DOJ), in partnership with DOJ's Global Justice Information Sharing Initiative (Global), and the IJIS Institute (IJIS), chartered a group of public and private sector specialists to focus on privacy technology, charging the group to examine the use and exchange of personally identifiable information (PII) in the context of justice information systems and in the dissemination and aggregation of justice and public safety data. The focus group identified prominent issues in privacy policy and technology, narrowed issues to readily addressable areas, outlined tangible, targeted technology solutions, and developed specific recommendations for action. The results of their recommendations were published in a formal report, Privacy Technology Focus Group: Final Report and Recommendations, and a companion Executive Summary addressing access and authentication, data aggregation and dissemination, identity theft, and personal safety and protection."



http://www.bespacific.com/mt/archives/012630.html

September 27, 2006

New on LLRX.com

  • The Government Domain - Information Checks and Balances, by Peggy Garvin



Not again! (Post hoc, ergo propter hoc?)

http://techdirt.com/articles/20060927/214638.shtml

Judge Agrees With RIAA; Says Illegal Activity On Morpheus Meant It Induced Infringement

from the not-that-surprising dept

While it's often referred to as the "Grokster" case, the lawsuit actually involved a few different companies, including Streamcast, the maker of Morpheus. Last year, when the Supreme Court ruled in the case, they did not (contrary to what the entertainment industry will tell you) outlaw file sharing apps. All the court did was say that if the maker of the app could be shown to have induced the infringement, then a court could find them liable for copyright infringement. Then, it sent the case back to the lower court to review its original decision (which had said that the software makers were not liable for the actions of their users). While Grokster ended up "settling," Streamcast was unable to reach a settlement and decided that it would go back to the lower court and make the case that they did not induce infringement.

It appears, however, that the judge didn't buy it. He's granted summary judgment to the record labels, saying that there's "overwhelming" evidence of Streamcast's intent. Given the market in the days when Morpheus was popular, it wouldn't be surprising to find some evidence that could be construed as "inducing" infringement. However, from the quotes in the Associated Press article (and, perhaps there's more in the actual ruling), it sounds like the judge felt that the evidence of "massive infringement" on the system was evidence of inducement. While the RIAA must love that, it's very troublesome. Just because a tool is widely misused, that's hardly evidence that the maker of the tool intended for it to be used illegally, or that it actively "induced" illegal behavior. And, even then, inducement should be a higher standard than just intent. There may very well be evidence that Streamcast induced illegal behavior, but the presence of illegal usage (even lots of it) using their tool is not the same as inducement. It will be interesting to see how Streamcast responds, but it seems likely that it will end up shutting down completely (though it has its other lawsuits to deal with as well). However, if judges start ruling that the presence of noticeable illegal activity is enough evidence to suggest inducement, that's a dangerous view, and completely rolls back the Supreme Court's Betamax decision that showed VCRs were legal if they had substantial non-infringing uses.



Sounds like the data stream is being controlled by a computer. I wonder why AT&T didn't think of that in the 1950s... Oh wait, they were busy proving that the Internet wouldn't work!

http://www.lifehacker.com/software/telephone/one-phone-number-to-rule-them-all-203629.php

One phone number to rule them all

Wed 27 Sep 2006

GrandCentral is a brilliant new web app that lets you consolidate all of your phone numbers into one number, meaning someone can call you on your GrandCentral phone number and all of your phones (cell phone, work phone, home phone) will ring. And then it gets interesting.

If you don't want every one of your phones ringing each time someone calls your free GrandCentral number, you can set rules by friends, family, work, and others, defining where the calls should be directed. When a user leaves a message, you can listen to it online or directly on your phone. The remaining set of features on GrandCentral are a little mind-blowing, in that "I'd never thought of that, but how am I now living without it?" sort of way.

When you pick up a call that's been forwarded with GrandCentral, you can choose to answer it, send it to voicemail (which will be done automatically if you don't answer), or send it to voicemail and listen in on the message as it's being left in real time (just like you're listening to someone leave a message on an answering machine). You can interrupt a "ListenIn" message at any time and join the conversation by pressing star (*).

If you're on a call and you decide that you want to record your conversation, just hit 4 at any time. You can also record personalized greetings based on contact groups and upload your own MP3s to be played in place of your ring.

All of this can be done with GrandCentral's free account, though there are a few limitations to the free account (none of which severely hinders the service). As you can tell, after spending the morning playing around with it, I'm pretty impressed with this service. The only problem I've had with GrandCentral so far is that making calls from the online interface (which, similar to Jajah, connects to your phone, then the phone of the person you're calling); it seems like a simple part of the functionality, but who knows - maybe I'm doing something wrong (I'm not).

I'm not ready to tell all of my contacts to start calling my GrandCentral number just yet, but I may in time. If you give it a try, let us know what you think about it in the comments.



I'm not sure I buy it, but then I keep telling people video is BIG.

http://news.yahoo.com/s/ap/20060927/ap_on_hi_te/techbits_online_video;_ylt=AsXQJZ155uruUrQA1UsLHXes0NUE;_ylu=X3oDMTA3cjE0b2MwBHNlYwM3Mzg-

Study: 107M viewed online video in July

Wed Sep 27, 7:34 PM ET

NEW YORK - More than 100 million Americans, or three out of every five Internet users, viewed video online in July, a new study finds.



Toward ubiquitous surveillance... Technology for spying on your neighbors?

http://www.simplehelp.net/2006/09/27/how-to-use-your-pc-and-webcam-as-a-motion-detecting-and-recording-security-camera/

September 27, 2006

How to use your PC and Webcam as a motion-detecting and recording security camera

Windows Security

This tutorial will take you step-by-step through setting up your PC and Webcam to act as a motion-detecting and recording security camera system. And the software required to do this is open source (free).
