Sunday, February 25, 2007

It's not always Identities that are stolen... Would your management notice a sudden increase in download volume?

http://www.informationweek.com/showArticle.jhtml;jsessionid=5V5FI5FBN2U5UQSNDLRCKHSCJUNN2JVN?articleID=197006845&queryText=dupont

DuPont Employee Walked Away With $400 Million In Trade Secrets

Company scientist downloaded 22,000 sensitive documents and accessed 16,000 others as he got ready to take a job with a competitor

By Larry Greenemeier, InformationWeek Feb. 17, 2007

The U.S. Attorney's office in Delaware last week revealed a massive insider data breach at DuPont in which a scientist stole $400 million worth of trade secrets from the chemical company and now faces up to 10 years in prison, a fine of $250,000, and restitution when sentenced in March.

Gary Min, who also goes by the name Yonggang Min, pleaded guilty to stealing from DuPont late last year. He worked as a research chemist at the company for 10 years before signing an employment agreement with Victrex in October 2005 to start working for the DuPont competitor the following January. At DuPont, Min conducted research on high-performance polymer films. Victrex manufactures Peek, a polymer compound that competes with DuPont's Vespel and Kapton.

Min didn't tell DuPont he was leaving until Dec. 12, two months after signing the employment contract with Victrex. From August to Dec. 12, he accessed an unusually high volume of abstracts and PDF documents off of DuPont's electronic data library, prosecutors said. The EDL server, located at DuPont's experimental station in Wilmington, Del., is one of DuPont's primary databases for storing confidential and proprietary information. Min downloaded about 22,000 abstracts and accessed about 16,706 documents--15 times the number of abstracts and reports accessed by the next-highest user during that period.

It's unclear whether Min's frequent access to the database tipped off an automatic alert to DuPont officials or whether his behavior was discovered by studying database access logs. When DuPont discovered Min's EDL usage sometime after he gave notice, it contacted the FBI in Wilmington, which launched a joint investigation with the U.S. Attorney's Office and the Commerce Department.

Min began working at Victrex as planned on Jan. 1, 2006; around Feb. 2, he uploaded about 180 DuPont documents--including some containing confidential, trade-secret information--to his Victrex-assigned laptop computer. The following day, DuPont officials told Victrex officials in London about Min's activities. Victrex seized Min's laptop on Feb. 8 and turned it over to the FBI.

When FBI and Commerce agents searched Min's home in Ohio the following week, [poor coordination. Bob] they found several computers with DuPont documents marked "confidential." A software erasure program was in the process of erasing an external disk drive [Never do this at home, always dispose of at some remote location. Bob] on one of the computers when the agents arrived, prosecutors said. They also found garbage bags filled with shredded DuPont technical documents, as well as remnants of DuPont documents burned in the fireplace. [Ditto Bob]
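The comparison the prosecutors cite, one user's access volume against that of his peers, can be run over library access logs on a schedule instead of after the fact. The following is an added example, not part of the original post or the quoted article; it uses the median of the other users as the baseline rather than the next-highest user, and the log format, user names, window and thresholds are all assumptions.

```python
import csv
import io
from collections import Counter
from statistics import median

def sample_log():
    """Constructed access log (timestamp,user,action,doc_id); not real data."""
    volumes = {"alice": 40, "bob": 55, "carol": 30, "dave": 900}
    rows = ["2005-07-30T09:00:00,dave,download,doc-0"]  # outside the window
    for user, n in volumes.items():
        for i in range(n):
            day = 1 + i % 28
            rows.append(f"2005-09-{day:02d}T10:00:00,{user},download,doc-{i}")
    return "\n".join(rows)

def count_accesses(log_text, start, end):
    """Count access events per user with start <= timestamp < end (ISO strings)."""
    counts = Counter()
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip malformed lines rather than abort the review
        ts, user, _action, _doc = row
        if start <= ts < end:
            counts[user] += 1
    return counts

def flag_outliers(counts, ratio=10.0, min_events=100):
    """Return (user, count, peer_median, multiple) for users far above peers."""
    flagged = []
    for user, n in counts.items():
        peers = [c for u, c in counts.items() if u != user]
        if not peers or n < min_events:
            continue  # no baseline, or too little activity to matter
        base = max(median(peers), 1)
        if n / base >= ratio:
            flagged.append((user, n, base, round(n / base, 1)))
    return sorted(flagged, key=lambda f: f[1], reverse=True)

if __name__ == "__main__":
    counts = count_accesses(sample_log(), "2005-08-01", "2005-12-13")
    for user, n, base, mult in flag_outliers(counts):
        print(f"{user}: {n} accesses, {mult}x peer median ({base})")
```

Comparing against the peer median keeps two heavy users from masking each other, which a comparison against the next-highest user alone would allow.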



If you look at the scope of the study, I think you'll agree it does not address the problem. Also amusing, some of their assumptions and their reliance on assurances from the vendor and the folks who ran Florida's election.

http://www.privacydigest.com/2007/02/24.html#a8533

Sarasota Study Report Released.

The technical team commissioned by the State of Florida to study the technology used in the Sarasota election has released its report. http://election.dos.state.fl.us/pdf/FinalAudRepSAIT.pdf



So what else is new?

http://slashdot.org/article.pl?sid=07/02/24/2113211&from=rss

IRS May Ask eBay To Snitch On Sellers

Posted by kdawson on Saturday February 24, @09:34PM from the taxman-cometh dept.

Makarand writes "The IRS thinks that many sellers on online auction sites are unaware of their obligation to declare their profits and pay their taxes to the IRS. Tax experts are now asking the IRS to require online auction sites like eBay, Yahoo, and Ubid to report the gross sales numbers for their sellers. Such a requirement will surely send a shock wave across the online trading world because it could drastically reduce the profits a seller would make on these sites. [Only if they had been required to report their profits and had not done so. Bob] The IRS thinks it can collect an extra $2 billion in taxes from this requirement that auctioneers report sellers who complete 100 or transactions a year worth at least $5,000."



There must be something useful in there...

http://www.bespacific.com/mt/archives/014030.html

February 23, 2007

Redacted Versions of Agency Business Cases Posted Online

Federal Computer Week reported that "sixteen agencies complied with the Office of Management and Budget's request to post their information technology business cases online." Direct links to the data by agency, as follows:



We can, therefore we must!

http://www.itbusiness.ca/it/client/en/home/News.asp?id=42416

Employee privacy at risk, research warns

Employees at risk from scope creep as technology implemented for one purpose is used for another

2/23/2007 4:50:00 PM by Laura Eggertson

Researchers at a symposium hosted by Canada's privacy commissioner today called on legislators and employers to strengthen employee privacy guarantees and to anticipate the implications of emerging technologies that threaten privacy rights.

Employers already have access to technologies that range from key-stroke monitoring to closed-circuit television systems, access control systems (magnetic key cards), global position systems, radio frequency identifiers, telephone and e-mail monitoring and drug and genetic testing, conference speakers pointed out. Even if employers initially install the technologies for different purposes, they have surveillance capabilities that can be detrimental to employee privacy, said Avner Levin, coordinator of the law area at Ryerson University's business faculty.

In a recent case in Highlands East, Ont., hidden video cameras installed for security surveillance caught volunteer firefighters drinking beer. The fire station's commander was fired.

“The issue here is the function creep of these technologies as they are introduced for one purpose and used for another,” said Levin.

Levin and three other colleagues at Ryerson surveyed companies representing three per cent of the Canadian workforce, asking employers about their workplace privacy policies.

Fully two-thirds of the representatives at companies the Ryerson researchers contacted would not co-operate with their survey, including CIBC and Wal-Mart, Levin said. Managers responsible for privacy at the 15 firms that did co-operate were often unaware of legislation that governed employee privacy, he said.

In Quebec, privacy legislation requires employers to protect the dignity of their employees. Privacy legislation in Alberta and B.C. stipulates that employers must be governed by a “reasonable” standard of conduct in collecting information about their employees.

In the companies that the Ryerson researchers spoke to, “there was absolutely no awareness that this was the state of affairs,” Levin said. Most thought they had no restrictions on the information they could gather, and none of those surveyed provided privacy policies for their employees.

In all other provinces, including Ontario, there is no legislation specifically governing employee privacy in the workplace, Levin said. He called on the province to amend its Employee Standards Act to put in place at least “minimal” guarantees, as West Virginia has done, that there will be no surveillance in place in restrooms, shower stalls or other personal space.

Employers should also consider the reasons they are collecting employee information, Levin said.

“It means thinking very seriously about what your role is as a corporate citizen in this post-911 world. You know if you create databases governments may want to have access to them,” he said.

In a democracy, said Levin, “It's not always a good thing to create a database simply because you have some new technology that can create a database about your employees.”

Richard Rosenberg, president of the BC Freedom of Information and Privacy Association, also cited the potential for genetic testing to violate employee privacy and, potentially, cost jobs.

“That's of great concern,” Rosenberg said, citing a lack of legislation or public policy debate about the impact of that kind of employer surveillance.

Individuals have the right to seek genetic testing for health reasons, but “that doesn't automatically mean that information should become available for management to make decisions on,” said Rosenberg, also a professor emeritus in computer science at the University of British Columbia.

Currently, most companies don't have policies governing genetic testing, he said, and nor are employees or their union representatives requesting it.

Rosenberg is also worried about the increasing use of RFID technology to track people, not just animals. As of 2004, 40 million Americans were already carrying an RFID tag, or implantable computer chip, Rosenberg said.

One Cincinnati corporation called CityWatch.com, a surveillance company, has already implanted VeriChip tags in some of its employees. The chips permit the employees to access secure data centres.

Both Levin and Rosenberg urged employees to ask their employers for their policies concerning collection of employee information, and where one doesn't exist, to draft one.

Such a request would encourage employers to think through the process, and ensuing policies could “leave the employees in a better state,” said Levin.

[I think this is the (June 2006) study they mentioned: http://www.ryerson.ca/faculties/business/news/archive/UnderTheRadar.pdf ]



Perhaps relocation is next. What country would you recommend?

http://www.theregister.co.uk/2007/02/24/swift_safe_harbour/

SWIFT sides with US in data spat with EU

By Mark Ballard Published Saturday 24th February 2007 23:06 GMT

The Belgian firm stuck in the middle of a transatlantic spat over the US infringement of civil liberties by the agents of its war on terror is throwing its lot in with the Americans.

In open defiance of European privacy officials, the Society for Worldwide Interbank Financial Telecommunication (Swift), has declared that it has applied to the US Federal Trade Commission (FTC) for 'safe harbour' protection for the data it holds on US soil.

Swift had handed data containing the details of private international financial transactions to US terrorist finance investigators under a secret arrangement since late 2001. Since the transfers came to light last June, Europe's data protection authorities have declared that Swift is a data controller and, as such, it should take responsibility for the privacy of the data it administers for its banking clients.

Swift claims it is not a controller, but a mere processor and cannot be held responsible for what European authorities say is the illegal transfer of data to US Treasury agents.

... Another point of contention between Swift and the European authorities is whether it is a financial organisation. Swift maintains that it is a mere messaging service, as it only handles messages that facilitate the international transactions of banks. Hence, it can apply for safe harbour. If the FTC has indeed told Swift it is eligible for safe harbour protection, that could imply that it also accepts its assertion that it is a mere messaging service - financial institutions are not eligible for safe harbour. Yet the Europeans maintain that Swift is a financial institution.

Accordingly, the spokesman said this was a "really, really complex" legal matter - "it's like splitting hairs in four".

... According to European regulators, the only way for Swift to avoid infringing data protection law would be to pull its data out of the US. Meanwhile, both sides insist they want to work together to find a solution and they are pinning their hopes on the US and EU agreeing an overarching (http://www.theregister.co.uk/2007/02/15/eu_grabon_us/) instrument that would satisfy both anti-terror investigators on the West-side of the pond and data protection wonks on the East.

The FTC was not available for comment.



Tools & Techniques (I gotta get me one a dese tings!)

http://www.brickhousesecurity.com/dd9000.html

Watch Big Brother Watch You

* Tap into the wireless video signals all around you

* Watch what the watchers are watching

* Don't get caught in an embarrassing situation [Every Congressman will want two... Bob]

This fearless Wireless Camera Hunter scans commonly used Video Frequencies in less than 5 seconds and detects any video transmissions in the area. Then the Wireless Camera Hunter locks in sources from up to 500 Feet away (depending on power of source transmitter).



Far from perfect, but potentially quite useful.

http://www.nytimes.com/2007/02/25/business/yourmoney/25slip.html?ex=1330059600&en=47495b02af5d67b1&ei=5090&partner=rssuserland&emc=rss

Millions of Videos, and Now a Way to Search Inside Them

By JASON PONTIN February 25, 2007

THE World Wide Web is awash in digital video, but too often we can’t find the videos we want or browse for what we might like.

That’s a loss, because if we could search for Internet videos, they might become the content of a global television station, just as the Web’s hypertext, once it was organized and tamed by search, became the stuff of a universal library.

... But search engines — like Google — that were developed during the first, text-based era of the Web do a poor job of searching through this rising sea of video. That’s because they don’t search the videos themselves, but rather things associated with them, including the text of a Web page, the “metadata” that computers use to display or understand pages (like keywords or the semantic tags that describe different content), video-file suffixes (like .mpeg or .avi), or captions or subtitles.

... Mr. Chandratillake’s solution does not reject any existing video search methods, but supplements them by transcribing the words uttered in a video, and searching them. This is an achievement: effective speech recognition is a “nontrivial problem,” in the language of computer scientists.

... While neural networks and machine learning are not new, their application to video search is unique to Blinkx, and very clever.

How good is blinkx search? When you visit blinkx.com, the first thing you see is the “video wall,” 25 small, shimmering tiles, each displaying a popular video clip, indexed that hour. (The wall provides a powerful sense of the collective mind of our popular culture.)
