Wednesday, November 15, 2006

Another recommendation to take humans out of the system?

http://www.infoworld.com/article/06/11/15/HNhumanerror_1.html?source=rss&url=http://www.infoworld.com/article/06/11/15/HNhumanerror_1.html

Security group ranks human error as top security worry

Report shows most people fall for 'spear-phishing' attacks even after hours of computer security instruction

By Robert McMillan, IDG News Service November 15, 2006

The SANS Institute has some controversial advice for computer security professionals looking to lock down their networks: spear-phish your employees.

That's what the U.S. Military Academy at West Point did in 2004 to a group of 512 cadets, selected at random for a test called the Carronade. The cadets were sent a bogus e-mail that looked like it came from a fictional colonel named Robert Melville, who claimed to be with the academy's Office of the Commandant (the real Robert Melville helped invent a short-range naval cannon called the Carronade nearly 250 years ago).

"There was a problem with your last grade report," Melville wrote, before telling the cadets to click on a Web page and "follow the instructions to make sure your information is correct."

More than 80 percent of the cadets clicked on the link, according to a report on the experiment.

Worse still, even after hours of computer security instruction, 90 percent of freshmen cadets still clicked on the link.

Spear-phishing attacks contain this kind of targeted information in order to seem more credible, but their goal is the same as a regular phish: trick the user into doing something he shouldn't, like giving up sensitive information.

Because these attacks rely on cooperation from their victims, it's hard to prevent them, said Alan Paller, director of research with SANS. "The only defense against spear phishing is to run experiments on your employees and embarrass them," he said.

Paller's organization compiles an annual report on the top 20 Internet security targets. This year "human vulnerabilities" will make their first appearance on a list that is typically made up of software products like Internet Explorer, databases, and file sharing applications.

That's because the human factor is being exploited in a growing number of targeted attacks as more and more criminals come online in Eastern Europe and Asia, Paller said.



Virtual law is real law?

http://techdirt.com/articles/20061114/181724.shtml

In A World Where Everything Is Digital, Economics Gets Screwy Fast

from the no-surprise-there dept

I'll have another post in my series of posts on economics without scarcity soon, but there's something going on in Second Life that highlights one of the issues when there's no scarcity. We were disappointed a few years ago when the creators of Second Life, Linden Labs, said that virtual goods in Second Life should be treated exactly as if they were real goods outside of the game. While it brought in all the problems with legal systems in the outside world, it also created a new problem involving a lack of scarcity and virtual goods. The problem with any such virtual good is that it isn't really scarce. It's artificially scarce by the design of the game. That's a recipe for trouble, and it seems that said trouble has just introduced itself to Second Life in the form of an automated bot that will automatically copy anything in Second Life. Out in the real world, you'd never have an issue like this with tangible products -- because there would always be a scarcity issue where creating a copy would at least entail a real marginal cost. Not so in the virtual world -- which is upsetting people who were tricked into believing that Second Life really was like the outside world in terms of its economics. The fact that any item can be copied suggests that the economies of these worlds are a lot less stable than what some folks would have you believe. In the meantime, people are trying to deal with it by bringing those bad real world laws directly into the virtual worlds, with some threatening to use the DMCA to stop the copybot from copying items in Second Life -- a move foreshadowed by the claim of copyright infringement when someone copied a "magical sword" in a different online game. For all the hype virtual worlds like Second Life and their "virtual economies" have gotten, it's worth remembering that the lack of real scarcity in these worlds is going to impact the economics in a big way.



http://www.govtech.net/magazine/story.php?id=102347

Employees Do Not Understand Perils of Computer Use at Work

November 14, 2006 News Release

As we mark e-mail's 25th birthday by exchanging more than 143 billion messages a day, it is not all cause for celebration. A new survey reveals significant misunderstanding among American workers regarding the privacy of their personal e-mail and other computer activities in the workplace. A large percentage do not know that even their most personal messages may be stored electronically and can come back to haunt them or their employer.

The results of a survey entitled Nothing Personal: 2006 Survey of Computer Use at Work, fielded by Kelton Research, asked 1,000 U.S. workers whether they thought their personal computer activities at work remained personal or became business records of their employer. The survey covered personal e-mails, instant messages (IMs), web searches and word-processing files created on computers in the workplace.

Among the survey highlights:

* Overall, more than half of all workers did not know that personal e-mail, IMs and unsent files created on work computers may become business records.

* Over 40 percent of those surveyed did not realize that personal web searches on their work computers could become business records.

* Two-thirds of all workers did not understand that personal IMs to friends could become business records.

* Younger workers (18-34) tended to be less aware than older ones. More than half of the younger group (55 percent) did not understand that sending an e-mail to a friend created a business record, compared with 39 percent of those over 55.

Concerns about electronically stored information (ESI) are especially high in view of amendments to the Federal Rules of Civil Procedure (FRCP) that are scheduled to take effect December 1, 2006. The amendments establish new procedures for an orderly exchange of ESI early in the litigation process, thus making it all the more likely that inappropriate e-mails, web searches, IMs and other ESI will come to light in pre-trial discovery.



If not, should he be?

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9005041&source=rss_news50

Is the boss reading your e-mail?

Sandra Gittlen

November 14, 2006 (Computerworld) -- Each day, it becomes more apparent that e-mail and instant messages are not private. Employers are worried about liability and lawsuits, so they're monitoring employee e-mail.

Their fears are not unfounded. The "2006 Workplace E-mail, Instant Messaging & Blog Survey" by the American Management Association and the ePolicy Institute found that 24% of responding organizations have had employee e-mail subpoenaed, and 15% have gone to court to battle lawsuits triggered by employee e-mail.

On the other side, 26% of employers have terminated employees for e-mail misuse, and 2% have let employees go for misuse of IM. Even blogs are a cause of dismissal -- 2% of respondents reported firing workers for offensive content -- even if the blogs are not corporate-based.



http://techdirt.com/articles/20061114/105624.shtml

Lessig Challenges The Constitutionality Of An Opt-Out Copyright System

from the fight-for-the-right-to-free-content dept

When professor Larry Lessig lost his Supreme Court challenge ("the Eldred case") concerning the constitutionality of Congress continually extending the length of copyright, he seemed to spend over a year kicking himself for the mistakes that he believes he made in arguing the case. However, it was only a matter of time before he came back fighting, using the results of the Eldred case to his advantage. He's been writing some posts on his blog about his latest case, Kahle vs. Gonzalez, which actually uses the specifics of the ruling in the Eldred case not to focus on copyright extension, but to question the constitutionality of switching to an "opt-out" system of copyright. For years, copyright was an "opt-in" system. If you wanted to get a copyright, you needed to register. However, in 1976, the law changed to make it opt-out. That meant that any new creative work was automatically considered covered by copyright. While you could register it for additional protections, you didn't need to. That flipped the equation, taking a ton of content out of the public domain and covering it by automatic copyright -- something that Lessig and Brewster Kahle are now arguing goes against "the traditional contour of copyright protection." This is important, because the Supreme Court's decision in Eldred focused on that very test. While it may be a while before any final results are in, if the case goes in favor of Kahle and Lessig, it could mean a huge change in copyright law. Some may say it would just shift the law back to what it was 30 years ago, but the changes in technology and the means of publishing would suggest that the impact would be much more far reaching than simply turning back the clock.



Are they developing a competing product?

http://www.techcrunch.com/2006/11/15/huh-youtube-sends-techcrunch-a-cease-desist/

Huh? YouTube Sends TechCrunch A Cease & Desist

Michael Arrington

Buried in my email this evening I found a cease and desist letter from an attorney at Wilson Sonsini Goodrich & Rosati, representing their client YouTube. We’ve been accused of a number of things: violating YouTube’s Terms of Use, of “tortious interference of a business relationship, and in fact, many business relationships,” of committing an “unfair business practice,” and “false advertising.” The attorney goes on to demand that we cease and desist from engaging in these various actions or face legal remedies.

Well, crap.

The offense we committed was creating a small tool that lets people download YouTube videos to their hard drives. We referenced the tool in a recent post that walked people through the process of moving YouTube Videos to their iPod.

We created the tool only after a careful review of YouTube’s Terms of Use[...]



Bad law AND bad strategy? What you get when the lawyers run the company? Aren't they saying, “Please don't show anyone our ad?”

http://arstechnica.com/news.ars/post/20061114-8218.html

Best Buy tries to copyright sales prices

11/14/2006 12:08:57 PM, by Eric Bangeman

Deal site BlackFriday.info yesterday removed the Best Buy "Black Friday" sales price list after the big box retailer threatened to deliver a DMCA takedown notice to Black Friday's ISP. In a brief posting, Black Friday said, "While we believe that sale prices are facts and not copyrightable, we do not want to risk having this website shut down due to a DMCA take down notice."
