Diebold source code leaked again
Maryland state legislator receives anonymous disks containing code for electronic voting machines
By Robert McMillan, IDG News Service October 20, 2006
... This is not the first time that Diebold source code has been leaked. In early 2003, Diebold critic Bev Harris uncovered similar source code while conducting research using Google Inc.'s search engine.
Soon after, researchers at Johns Hopkins University and Rice University published a damning critique of Diebold's products, based on an analysis of the software.
They found, for example, that it would be easy to program a counterfeit voting card to work with the machines and then use it to cast multiple votes inside the voting booth.
http://www.baltimoresun.com/news/local/bal-md.voting21oct21,0,946289.story?coll=bal-local-headlines
Diebold declares machines secure
Release of code raises concerns among critics of electronic vote system
By Sumathi Reddy Sun reporter October 21, 2006
... "You have the software because you are a credible person who can save the state from itself," the note said. "You must alert the media and save democracy."
... Goldstein said the board was never aware of missing disks. [If they were copied, the originals wouldn't be missing, would they? Bob] He said there is no internal investigation [Why investigate ourselves? Bob] and that all information is being referred to the FBI.
The fight to own your computer begins!
http://it.slashdot.org/article.pl?sid=06/10/21/079200&from=rss
Trojan Installs Anti-Virus, Removes Other Malware
Posted by Zonk on Saturday October 21, @07:25AM from the clever-little-monkey dept. Security Programming
An anonymous reader writes "SpamThru takes the game to a new level. The new virus uses an anti-virus engine to remove potential 'rival' infectious code." From the article: "At start-up, the Trojan requests and loads a DLL from the author's command-and-control server. This then downloads a pirated copy of Kaspersky AntiVirus for WinGate into a concealed directory on the infected system. It patches the license signature check in-memory in the Kaspersky DLL to avoid having Kaspersky refuse to run due to an invalid or expired license, Stewart said. Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation."
[From the comments: Any system that is badly protected enough to get infected is probably already bogging down and in danger of the user getting it fixed. This is probably a very good strategy to improve the usefulness of the machine to the hijacker, and reduce the chances of the user doing anything about the infection. I'm surprised this hasn't happened before.
... Actually, I am waiting for the BSA to come in and sue the people whose machines were "infected" with this pirated version of Kaspersky AV software. The BSA poses a greater threat than the spywear that was removed.
User: "I didn't install it! I swear!"
BSA: "Yea right, it just installed itself...."
http://www.officer.com/article/article.jsp?siteSection=1&id=33166
North Carolina Law Helps Police Target Online Predators
Posted: October 20th, 2006 04:14 PM EDT Story by wral.com
The Internet can be a dangerous place for children without supervision. A new state law allows law enforcement to crack down on online solicitation.
... The Child Exploitation Act that went into effect 10 months ago in North Carolina makes it a felony for someone to solicit an officer online. [Why is this needed? Isn't it a crime to solicit a minor? Bob]
http://blog.wired.com/27bstroke6/2006/10/fbi_pairs_with_.html
27B Stroke 6
by Ryan Singel and Kevin Poulsen Friday, 20 October 2006
FBI Pairs With Website Violating Law To Make Kids Safer
The FBI has set up a masterful site called Safe Online Surfing to help kids learn how to use the internet safely. Via a scavenger hunt, children get to learn that it's okay to talk about Disney characters online, get online safety tips from the Miami Dolphins website and take an Internet test at the Common Knowledge Scholarship Foundation.
Now, what's great isn't that the final Internet quiz actually tests you on whether you know how to become an FBI Special Agent (Sample question: What do you say to a female applicant who says she's not strong enough to bust down doors?)
What's great is that the Common Knowledge site violates the Children's Online Privacy Protection Act, which mandates that any site collecting personal information on a child under the age of 13 must get verifiable consent from a parent. While Common Knowledge claims to be in compliance with COPPA, I was able to register as a 12 year-old (First name: Vulnerable, Last name: Child Address:123 TouchMe Way). Registration requires a name, an address, a phone number, a date of birth, an email address, your school name, and your extra-curricular interests just to take an online quiz. While I was required to add my parent's email address, the site never sent an email to that address, let alone complied with the law requiring the site to get a parent's verifiable consent. The site's legitimacy is only burnished by having its domain registered to a post office box and running Yahoo! ads on the front page.
This is brilliant since any child going through the scavenger hunt should have learned never to give any of this information out, so the way to finish the scavenger hunt is not to finish it. Pretty sneaky, FBI. Schools that do really good on the test get a visit from a professional football player, which makes sense, because nothing says online smarts like a 6', 230lb linebacker sitting in your school's cafeteria.
Since video is exploding onto the Internet, this will have to change – quickly!
http://www.lessig.org/blog/archives/003572.shtml
Can you find Murphy Brown engaging Dan Quayle?
In Free Culture, chapter 9, I wrote the following:
In addition to the Internet Archive, Kahle has been constructing the Television Archive. Television, it turns out, is even more ephemeral than the Internet. While much of twentieth- century culture was constructed through television, only a tiny proportion of that culture is available for anyone to see today. Three hours of news are recorded each evening by Vanderbilt University - thanks to a specific exemption in the copyright law. That content is indexed, and is available to scholars for a very low fee. “But other than that, [television] is almost unavailable,” Kahle told me. “If you were Barbara Walters you could get access to [the archives], but if you are just a graduate student?”
As Kahle put it,”Do you remember when Dan Quayle was interacting with Murphy Brown? Remember that back and forth surreal experience of a politician interacting with a fictional television character? If you were a graduate student wanting to study that, and you wanted to get those original back and forth exchanges between the two, the 60 Minutes episode that came out after it … it would be almost impossible. … Those materials are almost unfindable. …”
Jeff Ubois has just published a paper about his effort to find out whether Brewster was right. His conclusion: Brewster’s right. As he writes:
I searched for footage of the Quayle/Brown interaction with an eye towards making some general assessments of the accessibility of historic broadcasts, and detailed the results in a paper called Finding Murphy Brown: How Accessible are Historic Television Broadcasts? It’s finally out this week in the peer reviewed Journal of Digital Information….
Copyright restrictions ultimately made it impossible to get the original Dan Quayle speech, or the Murphy Brown episodes in question. In an odd coda to this project, one digital library journal (from which I withdrew this paper) insisted that the correspondence detailing refusals by various organizations to allow access to or use of the Quayle/Brown footage was itself copyrighted, and therefore unsuitable for publication. Those excerpts are included in the current piece. It was disturbing how one effect of copyright law is to chill academic discussions of copyright law.
You can read the paper by linking from the blog entry.
Records retention and Disaster Recovery tools
http://www.eweek.com/article2/0,1759,2034378,00.asp?kc=EWRSS03119TX1K0000594
BridgeHead Makes Disaster Recovery, Archiving Play
October 20, 2006 By Karen D. Schwartz
BridgeHead Software has integrated its policy-based data lifecycle management software with EMC's Centera CAS, offering users more options for disaster recovery and data archiving.
By integrating BridgeHead's HT ISM (Integrated Storage Management) software platform with EMC's Centera CAS content-addressed storage solution, EMC users now have an advanced rules-based system for finding data around the network and writing it in an efficient manner to Centera, said Patrick Dowling, BridgeHead's senior vice president of product management.
With the integration, users now can use BridgeHead software to search both content and metadata, [Content: Contains the phrase “attack America” Metadata: Document was written on September 12th Bob] which makes Centera easier to populate with data while keeping that data within easy view and access. And because HT ISM offers the ability to write to multiple copies in multiple places, archives can now be simultaneously maintained for better protection and multiple business purposes, such as compliance and disaster recovery, Dowling said.
... "If you're going to play in this ecosystem, you have to continue to evolve," he said. [Well, DUH! Bob]
What is security worth?
http://www.eweek.com/article2/0,1759,2034667,00.asp?kc=EWRSS03119TX1K0000594
Cost of Data Breaches Rises Sharply
By Matt Hines October 20, 2006
Leaks of sensitive customer information and other corporate data are costing companies in the United States substantially more in related financial and business losses in 2006, according to a new study published by the Ponemon Institute.
Based on the findings of the Ponemon Data Breach Study, to be published on Oct. 23, information losses cost U.S. companies an average of $182 per compromised record in 2006, compared to an average loss of $138 per record in 2005, for an increase of about 31 percent.
The report, which is based on interviews held with 56 individual companies known to have experienced a data loss in the last year, maintains that roughly $128 of the 2006 figure is related to indirect fallout from information leaks, such as higher-than-normal customer turnover.
Other associated costs spurred by data mishandlings or thefts were an average price tag of $660,000 per company in expenses related to notifying customers, business partners and regulators about data leaks.
Ponemon contends that each company surveyed sacrificed roughly $2.5 million in lost business, based on their incidents.
To arrive at the figure, researchers combined costs from legal, investigative and administrative expenses with information related to affected companies' stock performance and customer defections, among other indicators.
Each company interviewed has parted with an average of $4.7 million in payouts and lost business in total, related to the incidents.
Companies in the study paid almost $300,000 on average to investigate their data leaks and spent just over $1.24 million on average for other efforts aimed at responding to records losses, such as setting up customer support hotlines or offering credit monitoring services to help protect against related fraud.
... The greatest leap was measured in lost business, which cost companies an average of $22 per record more in 2006 than it did in 2005. Firms lost an average of $98 in business per record this year, compared to $75 per record in 2005.
... "The burden companies must bear as a result of a data breach are significant, making a strong case for more strategic investments in preventative measures such as encryption and data loss prevention," said Dr. Larry Ponemon, chairman of Ponemon Institute, which is based in Elk Rapids, Mich.
"Tough laws and intense public scrutiny mean the consequences of poor security are steep—and growing steeper for companies entrusted with managing stores of consumer data."
In charting the most common sources of data leaks, researchers found that lost or stolen laptops remain the top culprit, accounting for 45 percent of all the incidents studied.
Records lost by third party-business partners or outsourcing companies represented the second most popular type of event, representing 29 percent of all the reported leaks.
Misplaced or stolen backup files, such as those stored on magnetic tapes, accounted for 26 percent of the incidents, while the much-publicized usage of malware programs that steal data were reported in only 10 percent of the losses.