Monday, September 25, 2006

An official timeline that seems to add very little.

http://www.infoworld.com/article/06/09/25/HNhpblowbyblow_1.html?source=rss&url=http://www.infoworld.com/article/06/09/25/HNhpblowbyblow_1.html

HP lawyer gives blow-by-blow of leak probe

Independent investigator determines Dunn authorized two separate investigations into leaks

By Robert Mullins, IDG News Service September 25, 2006

An attorney hired by Hewlett-Packard to investigate the conduct of HP and outside investigators has provided new details of his firm's investigation of news leaks from the HP board.

Mike Holston, a partner in Morgan, Lewis & Bockius was hired Sept. 8 to conduct an independent investigation of the scandal and reports directly to HP Chief Executive Officer and President Mark Hurd.

Morgan Lewis has reviewed some of the approximately 1 million pages of documents it received from HP and outside investigators hired by HP to trace the news leaks. It determined that HP Board Chairman Patricia Dunn authorized two separate investigations: one to probe leaks in 2005 and a second in 2006.

The Morgan Lewis probe found that in 2005 HP hired Security Outsourcing Services (SOS), a private security firm in Needham, Massachusetts, to probe the first series of leaks. This is the first official confirmation that HP hired that firm, even though it had been identified in several recent news stories. Two months into SOS's probe, HP's Global Security division also joined the investigation. The investigation concluded in July 2005 without being able to identify the source of those leaks.

When CNet Networks reported Jan 23, 2006, on the details of a private board meeting, HP launched a second investigation with the help of SOS and HP Global Security.

Dunn, Hurd, HP's General Counsel Ann Baskins, and Jim Fairbaugh, chief of Global Security, approved the second investigation. Dunn and Baskins were kept up to date on the course of the investigation over the next three months, Holston said.

"It is now clear that the investigation included tactics that ranged from the review of HP’s internal e-mails and instant messages, to the physical surveillance of an HP Board member and at least one journalist, to the "pretexting" of telephone call information of board members, HP employees, and journalists," he said, adding that SOS's legal counsel informed HP that SOS's investigative techniques were legal. [You can always trust a vendor... Bob]

The investigators presented a draft report to HP in March 2006 identifying the source of the board leaks and detailing some of their investigative methods, including pretexting, which is obtaining access to private phone records under false pretenses.

HP sent a copy of the report to its outside legal counsel and the report was disclosed at a May 18 board meeting. In a separate HP filing Sept. 6 with the U.S. Securities and Exchange Commission, the company disclosed that director George Keyworth was the source. While he acknowledged his role, Keyworth refused to resign at that May board meeting. He eventually resigned Sept. 12.

Holston went on to say that Tony Gentilucci, another member of HP's Global Security division and a member of the investigative team, turned over the Social Security number of an HP employee to SOS. SOS then turned that and other Social Security numbers over to Action Research Group, another private investigative firm, which used the numbers to help gain unauthorized access to private phone records. This is also the first acknowledgement that Action Research, of Melbourne, Florida, was involved, although it had been identified in news reports.

Disclosing personal employee information is a violation of HP policy, and could result in Mr. Gentilucci's dismissal, said a source inside the company who declined to be identified.

Holston also disclosed that investigators attempted to send an e-mail to a CNet reporter from a fictitious disgruntled HP employee that contained a hidden attachment, called a "tracer," that would track who the reporter contacted about the tip so as to identify her sources. HP did not disclose the identity of the reporter Friday, but she was identified in a Sept. 21 Washington Post article as Dawn Kawamoto. But Holston said it could not be determined whether the tracer was ever activated. Hurd acknowledged in his remarks that he approved the fake e-mail scheme but said he did not know it involved use of the tracer.

And although another scheme to send spies into the San Francisco offices of CNet and The Wall Street Journal posing as clerical or janitorial workers was considered, there was no indication it was ever carried out, Holston said.



Does this mean we don't need security any more? or we don't have security any more?

http://www.siliconvalley.com/mld/siliconvalley/15586222.htm

Posted on Fri, Sep. 22, 2006

Cybersecurity chief quits after unusual contract expires

WASHINGTON (AP) - The Bush administration's cybersecurity chief, who worked under an unusual agreement with a private university that does extensive business with the office he manages, is leaving his job.

Donald "Andy" Purdy Jr. will step down as acting director of the National Cyber Security Division, part of the Department of Homeland Security. A government spokesman, Jarrod Agen, declined to comment on Purdy's plans, but colleagues circulated an invitation to his farewell party next week.

Purdy worked at Homeland Security under a two-year contract with Carnegie Mellon University that expires Oct. 3. Under the contract, the government paid Purdy $245,481 in salary and benefits each year, not including travel reimbursements; Carnegie Mellon paid him an additional $43,320 a year.

His contract drew congressional scrutiny after The Associated Press reported in June that Purdy's cybersecurity division has paid Carnegie Mellon $19 million in contracts this year, almost one-fifth the unit's total budget.

Purdy, who controlled a budget of about $107 million and as many as 44 full-time federal employees, said at the time he was not involved in discussions over his own office's business deals with the school.

Agen said Purdy's job was being converted to a full-time federal position -- which would pay an annual salary of about $130,000 -- but Agen could not say whether Purdy was a candidate for that job. He said the government was in the final stages of hiring Purdy's replacement.

Earlier this week, the government announced it has selected trade industry executive Greg Garcia as the department's new assistant secretary for cybersecurity and telecommunications. He will oversee the division and the hiring of Purdy's successor. Garcia did not respond to telephone messages from the AP.



It might be possible now to extract the most extreme examples of surveillance or other privacy intrusions and create a sort of “Big Brother Scale” to rate how impactive they are...

http://blog.wired.com/27BStroke6/index.blog?entry_id=1560669

27B Stroke 6 by Ryan Singel and Kevin Poulsen Thursday, 21 September 2006

Digital Rights Legislation Watchlist

Posted by ryansingel at 11:12 AM PDT

The Center for Democracy and Technology has put together a handy list of the various proposals floating around Congress at the end of this session of Congress that they say need to be watched and stopped.

The list includes spying bills, website labeling mandates, social network blocking for kids, the telecom bill without net neutrality, and the broadcast flag.

Many of these bills are highly contentious, but the CDT's list, which includes info on the status of each bill, is as good a place to start as any, even if you think certain bills should be passed.


How would you rate this one?

http://it.slashdot.org/article.pl?sid=06/09/25/0111231&from=rss

Natural Language Processing for State Security

Posted by Zonk on Sunday September 24, @09:39PM from the your-ipod-can-tell-what-you-mean dept.

Roland Piquepaille writes "Obviously, computers can't have an opinion. What computers are very good at, though, is scanning through text to deduct human opinions from factual information. [Horsefeathers! Perhaps you deduct that I disagree with the conclusion, but in fact I merely disagree with the premise. Bob] This branch of natural-language processing (NLP) is called 'information extraction' and is used for sorting facts and opinions for Homeland Security. Right now, a consortium of three universities is working for the U.S. Department of Homeland Security (DHS), which doesn't have enough in-house expertise in NLP. Read more for additional references and a diagram showing how information extraction is used."



Redundant?

http://www.infosecwriters.com/texts.php?op=display&id=497

Pod Slurping – An Easy Technique for Stealing Data

by GFI Software Ltd on 22/09/06

Our dependency on technology has never ceased to grow. Increased portability, ease of use, stylish looks and a good dose of marketing hype are the perfect cocktail to entice the population at large! Suppliers of consumer electronics are registering an ever increasing demand for portable consumer electronics. Since Apple's iPod launch in 2001, Apple has sold almost 60 million units (CNNMoney.com, 2006). The iPod has become a universally appealing source of audio entertainment, the eponym for MP3 players. Projections show that the demand for iPods and other MP3 flash-memory music players will continue on a positive trend and surge to nearly 124 million units in 2009 (Kevorkian, 2005).




Try to use each one in a sentence other than: “What the hell does _____ mean?”

http://www.researchbuzz.org/wp/2006/09/25/oed-announces-newly-added-words/

OED Announces Newly-Added Words

Filed under: Reference

The Oxford English Dictionary last week announced their latest update, which includes entries like pod person, bling, scooch (they just got around to adding scooch?) and Wi-Fi. You can get a more extensive list of the words added at http://dictionary.oed.com/help/updates/pleb-Pomak.html#oos.

I must confess I was surprised at how quickly some have been integrated (microbrowser) and how quickly some.. um, haven't. (For example, bippy. Pardon me but weren't we betting bippies on Laugh-In, oh, about 35 years ago?? Unless there's some nefarious definition of bippy I don't know about…)



http://blog.wired.com/27BStroke6/index.blog?entry_id=1561429

27B Stroke 6 by Ryan Singel and Kevin Poulsen Friday, 22 September 2006

Students Flashily Mine Gov Data Mining

Posted by ryansingel at 4:13 PM PDT

Summer is typically slow-going in the journalism world, but a team of journalism students at Northwestern's Medill School of Journalism was hard at work, researching and building out a package of stories on data privacy that included two interactive pieces.

One Flash piece is an interactive video-based time line that follows a woman named Brook Alexander through her daily routine in D.C., where she checks her email, drives, takes the Metro, goes shopping and works out. Along the way, she leaves breadcrumbs of data that make their way into corporate and government databases. You get to watch her quotidian activities then read where that data goes, what the privacy policy is, and how the federal government can access the data. You might also learn that Safeway uses web bugs in its promotional emails.

The other asks you a series of questions about your life then shows you where your data lands in government databases. Through a very elegant and visually pleasing interface, you can then expand a government agency to see what kinds of data mining are going on, largely based on a GAO study from 2004. The journalists augmented that with research on what each program does and whether there's a publicly accessible Privacy Notice or Privacy Impact Assessment.

My only complaints are that the navigation isn't always clear and you have to drag, not click on the slider bars (something that took me embarrassingly long to figure out) and that the interactive sites should have an HTML companion so you can search the information.

But it's a very nice demonstration of how to take rather dry data -- a list of 199 data mining programs -- and turn it into a compelling and accessible experience.

Kudos to these folks and their advisor, Professor Rich Gordon, who is the Director of Digital Technology in Education at Medill (and who kindly alerted us to the package).

All the stories can be found here.



Are these felonies because they pretended to be her or because of what they said? Sounds to me like they should have invented a fictional third-party and called the whole thing a satire...

http://www.law.com/jsp/article.jsp?id=1158915934614

Assistant Principal Sues Students Over MySpace.com Page

The Associated Press September 25, 2006

A high school assistant principal in San Antonio is suing two students and their parents, alleging the teens set up a Web page on MySpace.com in her name and posted obscene comments and pictures.

Anna Draker, an assistant principal at Clark High School, is claiming defamation, libel, negligence and negligent supervision over the page on the popular free-access Web site.

Draker claims two 16-year-olds, a junior and a sophomore, created the page using her name and picture and wrote it as though Draker herself had posted the information, according to Draker's attorney, Murphy Klasing.

Draker found out in April that someone had created a page on MySpace. It had been up about a month before she discovered it.

The site falsely identified Draker as a lesbian. Klasing said Draker, who is married and has small children, was "devastated."

MySpace.com removed the page when Draker told them it wasn't hers.

One of the students also is facing criminal felony charges.

Bexar County Assistant District Attorney Jill Mata would not release information about the case, but confirmed that juvenile charges are pending against a local high school student involving retaliation and fraudulent use of identifying information. Both are third-degree felonies.

Draker is suing for an unspecified amount for damages for emotional distress, mental anguish, lost wages and court costs.
