Wednesday, 09 August 2006

Proof that cyber-crime is real: Consumer Reports is out with their State of the Net survey. It's pretty much as bad as we all know. From MSNBC:

"...American consumers lost more than $8 billion over the last two years to viruses, spyware and various schemes.

"Additionally, it shows consumers face a 1-in-3 chance of becoming a cybervictim - about the same as last year."

Thing is, prevention is much less costly than reactively paying for damage already done. You want to prevent the guy from getting into your place? Or do you prefer to let him in but then keep him from walking out the door with your money? Or are you like most people, who are resigned to watching him walk out the door with the prize, throwing your hands up in the air, and blaming someone (anyone, really) else?

How do we convince people, and what will it take?



IT Security | Safe Computing | Tech | Things that Suck
Wednesday, 09 August 2006 13:57:19 (Pacific Standard Time, UTC-08:00)
 Tuesday, 08 August 2006

Commenting on his motorcycle helmet, a friend of mine incriminates himself. Name changed to protect the innocent. Only 80?? Heh.

Joe Smith says:
I got rid of that halo thing I had on my helmet and put on retro reflective vinyl stickers

Greg Hughes says:
why?

Joe Smith says:
It didn't stay on above 80

Greg Hughes says:
oh hehehe

Greg Hughes says:
maybe you should put it back on then?

Greg Hughes says:
hahah

Joe Smith says:
Ummm, hehe

Joe Smith says:
and 80 is where it started to come off



Random Stuff
Tuesday, 08 August 2006 19:24:20 (Pacific Standard Time, UTC-08:00)
 Monday, 07 August 2006


UPDATE - AOL apologizes (not as if it makes a difference at this point, though):

"This was a screw-up, and we're angry and upset about it. It was an innocent enough attempt to reach out to the academic community with new research tools, but it was obviously not appropriately vetted, and if it had been, it would have been stopped in an instant," AOL, a unit of Time Warner, said in a statement. "Although there was no personally identifiable data linked to these accounts, we're absolutely not defending this. It was a mistake, and we apologize. We've launched an internal investigation into what happened, and we are taking steps to ensure that this type of thing never happens again."


AOL, over on their research wiki site, on Sunday posted an article describing their release of search data collected for more than a half million AOL users over a three-month period. They claimed the data was made "anonymous," and that it was being released for research reasons. Problem is, it's not anonymous enough. Each unique user was replaced with a unique random identifier. That means you can see everything that user 336072 searched for. What if someone examined everything you searched for over three months? Even without knowing your name explicitly, do you think they might be able to find out some interesting things? Have you ever done a "vanity" search?

It's just not anonymous enough. I have a copy of the data that I downloaded before it was taken offline, and I've poked around in it a bit, so I know. Not only that, but spammers and search engine "optimizers" out there are going to have a field-freakin-day with this data. No, I won't share it with anyone else. It never should have been released in the first place, so I am not going to add fuel to the fire.
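The linkage problem described above, written as a pre-release check. This is an added example, not code from the original post and not AOL's data: the rows, the detector patterns and every function name are constructed for illustration.

```python
import re
from collections import defaultdict
from itertools import count

# Constructed rows (pseudonymous id, query text); not real search data.
SAMPLE_LOG = [
    (1001, "cheap flights to denver"),
    (1001, "pat example springfield"),      # name search; no detector below catches it
    (1001, "42 elm street springfield"),
    (1001, "credit report 000-00-0000"),    # SSN-shaped placeholder
    (1002, "how to fix a flat tire"),
    (1002, "pizza near 555-010-0199"),      # phone-shaped placeholder
    (1003, "weather tomorrow"),
]

# Assumed detectors for identifying strings typed into a search box.
DETECTORS = {
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_like": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "street_address": re.compile(
        r"\b\d{1,5}\s+\w+\s+(street|st|avenue|ave|road|rd|drive|dr)\b", re.I),
}

def profiles(rows):
    """Group queries by identifier, as any reader of the release can."""
    grouped = defaultdict(list)
    for user_id, query in rows:
        grouped[user_id].append(query)
    return dict(grouped)

def risk_report(rows):
    """Map identifier -> sorted categories of identifying strings in its profile."""
    report = {}
    for user_id, queries in profiles(rows).items():
        hits = {name for q in queries
                for name, rx in DETECTORS.items() if rx.search(q)}
        if hits:
            report[user_id] = sorted(hits)
    return report

def linked_profiles(rows):
    """Identifiers whose profile joins two or more categories together."""
    return [uid for uid, hits in risk_report(rows).items() if len(hits) >= 2]

def unlink(rows):
    """Replace the stable identifier with a fresh one per row."""
    fresh = count(1)
    return [(next(fresh), query) for _, query in rows]
```

With the stable identifier, `linked_profiles(SAMPLE_LOG)` flags user 1001; after `unlink()` nothing can be joined, but `risk_report()` still finds the identifying strings in individual queries, so the query text needs review as well.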

Michael Arrington at TechCrunch wrote about it in his blog entry entitled "AOL Proudly Releases Massive Amounts of Private Data," and updated his post a couple times as AOL mysteriously removed the data file from the web, as well as the page announcing the availability.

Arrington: "AOL must have missed the uproar over the DOJ's demand for "anonymized" search data last year that caused all sorts of pain for Microsoft and Google. That's the only way to explain their release of data that includes 20 million web queries from 650,000 AOL users."

When you consider that AOL search is - get this one - actually Google's search with a different face on it, you can imagine what the emails and phone calls that went flying around between the two companies on Sunday afternoon might have sounded like. Ouch.

Yeah, and so much for the privacy of AOL's users. If you're an AOL user, is that what you signed up for, to be a guinea pig in AOL's poorly-planned foray into academia? I think not. This is identity theft just waiting to happen, that's what this is. Again from Arrington:

"The data includes personal names, addresses, social security numbers and everything else someone might type into a search box. The most serious problem is the fact that many people often search on their own name, or those of their friends and family, to see what information is available about them on the net. Combine these ego searches with porn queries and you have a serious embarrassment. Combine them with "buy ecstasy" and you have evidence of a crime. Combine it with an address, social security number, etc., and you have an identity theft waiting to happen. The possibilities are endless."

Google says "do no evil" and keeps this kind of data under wraps when challenged in federal court. AOL? Not so much.

Any would-be AOL boycotters better be prepared, though. Last we checked, you can't even cancel your account at AOL without being put through the wringer. Several years ago when I canceled mine it was a several-months-long experience before I was able to decipher enough to get the billing truly stopped. Coming and going, that's how they get ya in Dulles... There's a reason PC Magazine ranked AOL "Number One" in a list of things you'd really rather not be on...




IT Security | Safe Computing | Tech | Things that Suck
Monday, 07 August 2006 02:25:00 (Pacific Standard Time, UTC-08:00)
 Saturday, 05 August 2006

The U.S. Senate on Thursday ratified the first and only international treaty designed exclusively to combat computer crime. You can read the full text of the Council of Europe Convention on Cybercrime here.

What does this mean? Well, a lot of things. But all told, it means law enforcement officials from around the world will have a more agile, speedier, and more capable framework for cooperating in combating bad guys that are out to hurt others on the Internet. For those of us working to stop bad guys, it makes doing so more possible and can help remove some barriers that tend to get in the way. For those of us in the United States, the provisions are not really anything new. But for other countries that ratify, it means a much enhanced ability to work together.

The Senate did not consider an optional provision of the convention that deals with combating Internet hate speech, which would likely have run afoul of the First Amendment to the U.S. Constitution.

Summary of the Senate activity is in an article at news.com.




IT Security | Safe Computing | Tech
Saturday, 05 August 2006 13:57:00 (Pacific Standard Time, UTC-08:00)

A new spoof video on YouTube takes a different direction (as in, levity used to make a point rather than get a laugh) on making fun of the Apple marketing TV campaign and, well... just watch it. Not sure how accurate it is (but I bet someone will research this and let me know).

"That's iLife!" OUCH...


(via MacSpoofs)




Random Stuff
Saturday, 05 August 2006 12:45:00 (Pacific Standard Time, UTC-08:00)
 Friday, 04 August 2006

There are a couple interesting security-related headlines on ZDNet this morning, coming out of the Black Hat event. The first discusses how Microsoft's handing out a beta version of Vista to Black Hat attendees and says their security testing of Vista is the largest commercial penetration vulnerability test in history. In the other article, SPI Dynamics points out that many potential threats and gaps exist today in the use and consumption of RSS and ATOM feeds, and that many feed readers don't do security checks to ensure a feed is not malicious before - for example - running script that is delivered in an entry. A large number of common feed aggregators/readers (including the one I use) are on the list. This is something for the authors of those programs to address, for sure.

Microsoft issues Vista challenge
News Focus: Software giant wins over the Black Hat crowd by stressing its commitment to Vista security--and asking for help.

Blog feeds may carry security risk
Popular RSS and Atom feeds could carry malicious JavaScript code that would compromise a PC, an expert warned.




Friday, 04 August 2006 13:41:30 (Pacific Standard Time, UTC-08:00)