Friday, November 30, 2007

NASA Requires JPL Scientists To Give Up Right to Privacy

Slashdot notes an article in WIRED magazine's Science blog about 28 NASA scientists at the Jet Propulsion Lab going to court to fight for their right to privacy. The fight is against Homeland Security Presidential Directive 12 (HSPD-12), issued by President Bush in August 2004, under which all federal employees and contractors must "voluntarily" sign a form that allows the government to investigate them "without limit" for two years - even if they leave government work altogether during that time. JPL employees who do not sign the form would be terminated immediately.

The Union of Concerned Scientists has submitted briefs in support of the plaintiffs, e.g.,

UCS [Union of Concerned Scientists] is concerned that the background investigations proposed by NASA are wide-ranging, highly personal, and unwarranted in light of the unclassified and non-sensitive nature of the Plaintiffs' work. While the investigations purportedly are intended to verify the Plaintiffs' identities...in fact the subjects covered by the investigations include a host of irrelevant and personal issues, including credit history, "personality conflict," physical and mental health and sexual orientation.

See the complete article in WIRED.

Thursday, November 29, 2007

America Is Already in a CyberWar

In a posting in ACM TechNews, Andrew Palowitch, formerly of the CIA and now an industry consultant to the commander of the U.S. Strategic Command, is reported to have disclosed that the United States is in the midst of an active cyber war and is already developing a blueprint for protection as part of a secret national cyber-security initiative.

"America is under widespread attack in cyberspace", Palowitch says, citing statistics of 37,000 break-ins of government and private systems in fiscal 2007, including 13,000 direct assaults on federal agencies. Some of the assaults "reduced U.S. military operational capabilities", he said, without divulging who committed them.

The Defense and Homeland Security departments will be responsible for the new initiative, which is slowly being implemented.

The full article is published in Government Executive.

Wednesday, November 28, 2007

Standards Suggested for Writing Secure Java

ACM TechNews notes an article about documents produced by the Secure Programming Council that outline the skills coders need to write web applications better able to withstand attacks. The Council is issuing Essential Skills for Secure Programmers Using Java/Java EE, with planned follow-ups for other languages.

Alan Paller, director of research for the SANS Institute, says "It's a common body of what people need to know, benchmarks for employers and teachers".

See the full article in Network World.

Tuesday, November 27, 2007

Internet Users Give Up Privacy in Exchange For Trust

ACM TechNews reports that, according to research funded by the Economic and Social Research Council, Internet users are likely to provide personal information if they believe they can trust the organization that requests it.

"Even people who have previously demonstrated a high level of caution regarding online privacy will accept losses to their privacy if they trust the recipient of their personal information", says Dr. Adam Joinson, head of the Privacy and Self-Disclosure Online project.

The full article was published November 26th in ScienceDaily.

Monday, November 26, 2007

Facebook Users Complain of New Ad Based Tracking

A post on Slashdot yesterday references a story published by the Associated Press on Facebook's practice of sharing its users' shopping habits with their friends as if they were product endorsements. Of course, users can opt out - if they click on a "No thanks" box that disappears after 20 seconds.

While Facebook has long claimed to guard its users' privacy, the claim is gradually losing credibility. For example, Facebook's "news feeds" feature backfired when it was denounced by many users in 2006 as stalking. The feature allowed users to track changes friends made to their profiles. Facebook quickly reacted by apologizing and permitting users to turn the feature off.

The new feeds program allows companies to enter ongoing conversations among users by pushing alerts about their activities through the feeds. The concept is that if users see friends purchase something or take an action (e.g., see a band or movie), they will interpret it as an endorsement.

But it also raises issues about privacy. Liberal advocacy group MoveOn.org formed a protest group on Tuesday and had over 6,000 members within one day.

"We want Facebook to realize that their users are rightly concerned that private information is being made public," MoveOn spokesman Adam Green said.

See the full story published by the Associated Press.

Tuesday, November 20, 2007

California suing Nebraska voting machine manufacturer

The San Francisco Chronicle's article, "California suing Nebraska voting machine maker for $15 million," discusses how Debra Bowen, California's Secretary of State, is suing ES&S over uncertified voting machines being used in California.

"ES&S ignored the law over and over and over again, and it got caught," Bowen said in a statement after filing suit against the company. "I am not going to stand on the sidelines and watch a voting system vendor come into the state, ignore the laws and make millions of dollars from California's taxpayers in the process."

Monday, November 19, 2007

Hushmail Passing PGP Keys to the US Government

In an article noted on Slashdot, a court document shows that the private email service Hushmail has been cooperating with the police by turning over user email.

Although it claims to offer email that is unreadable to third parties, because it uses PGP encryption and a proprietary key management system that is supposed to ensure that only the sender and receiver can read the email, the Canadian company Hushmail has apparently been disclosing keys to American authorities.

The full article, dated November 16th, appears in iTnews.

Thursday, November 15, 2007

More security education needed to avoid a cybersecurity disaster, experts warn

ACM TechNews mentions a security news bulletin warning that there needs to be even more awareness of cybersecurity issues. This was the conclusion of a panel of renowned security experts at a recent Information Security Decisions conference.

One panelist, Eugene Spafford, executive director of Purdue University's Center for Education and Research in Information Assurance and Security (CERIAS), states flatly that "We need to provide resources for future problems. Patching the latest problem isn't getting us anywhere."

For the full article, see SearchSecurity.com.

Wednesday, November 14, 2007

Half a Million Databases 'Have no Firewall'

"Major Security risk is enough to sustain another mass worm outbreak", writes Robert McMillan in COMPUTERWORLDUK.

According to UK-based security researcher David Litchfield, there are nearly half a million database servers exposed on the Internet without firewall protection. Litchfield probed slightly more than 1 million randomly generated Internet Protocol (IP) addresses to see whether he could reach them on the ports reserved for Microsoft SQL Server or Oracle's database. He found 157 SQL Server instances and 53 Oracle servers.

Litchfield plans to publish the 2007 version of the Database Exposure Survey next Monday on his website, Databasesecurity.com.

From a Slashdot article posted this a.m.
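The survey above found databases by looking for listeners on their default ports from the outside. The natural defensive counterpart is to check, from the inside, which database listeners a host exposes beyond loopback. The following is an added example, not code from the original post or from Litchfield's survey: it parses constructed `ss -ltn`-style output (the sample is made up for illustration), looks for the default Microsoft SQL Server (1433) and Oracle TNS listener (1521) ports the survey targeted, and, as a generalization beyond the post, also MySQL (3306) and PostgreSQL (5432), and reports any that are bound to a non-loopback address together with how widely that bind is reachable.

```python
import ipaddress
import re

# Default database listener ports. 1433 and 1521 are the two products the
# survey looked for; MySQL and PostgreSQL are added here as a generalization.
DB_PORTS = {
    1433: "Microsoft SQL Server",
    1521: "Oracle TNS listener",
    3306: "MySQL",
    5432: "PostgreSQL",
}

# Constructed sample of `ss -ltn` output: one header line, then listeners.
# Only the 127.0.0.1 binding is unreachable from other hosts.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
LISTEN 0      128    0.0.0.0:1433        0.0.0.0:*
LISTEN 0      128    [::]:1521           [::]:*
LISTEN 0      128    10.0.0.5:3306       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""

# Captures the "Local Address:Port" column of a LISTEN line.
LISTEN_RE = re.compile(r"^\s*LISTEN\s+\d+\s+\d+\s+(\S+)\s+\S+")


def parse_listeners(text):
    """Yield (host, port) for every LISTEN line in ss-style output."""
    for line in text.splitlines():
        match = LISTEN_RE.match(line)
        if not match:
            continue
        # Split on the last colon so IPv6 literals such as [::]:1521 work.
        host, _, port = match.group(1).rpartition(":")
        yield host.strip("[]"), int(port)


def bind_scope(host):
    """Classify a bind address: 'loopback', 'wildcard', 'private' or 'public'."""
    if host in ("*", "0.0.0.0", "::"):
        return "wildcard"          # reachable on every interface
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "public"            # unrecognised form: assume reachable
    if addr.is_loopback:
        return "loopback"
    if addr.is_private or addr.is_link_local:
        return "private"
    return "public"


def exposed_db_listeners(text):
    """Return (host, port, product, scope) for database listeners that are
    reachable from beyond the host itself, i.e. not bound to loopback."""
    return [
        (host, port, DB_PORTS[port], bind_scope(host))
        for host, port in parse_listeners(text)
        if port in DB_PORTS and bind_scope(host) != "loopback"
    ]


if __name__ == "__main__":
    for host, port, product, scope in exposed_db_listeners(SAMPLE_SS_OUTPUT):
        print(f"{product} on {host}:{port} is bound {scope}")
```

Run against real output (`ss -ltn` on Linux) a "wildcard" or "public" result for a database port means the listener depends entirely on an upstream firewall for protection, which is exactly the gap the survey measured; binding the service to loopback or a private address, or filtering the port at the host, removes it.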

Tuesday, November 13, 2007

FBI Director Targets the Internet's Top Dangers

ACM TechNews cites Robert Mueller, Director of the FBI, who spoke of the "growing threat of nefarious attack via the 'Net" at Pennsylvania State University last week. Mueller used the example of al Qaeda webmaster Younis Tsouli to show how compromised servers can be used to finance or aid terrorists.

Further, Mueller pointed out that the Internet can be used to launch attacks as well as being their target, as happened to Estonia's government and infrastructure-related Web sites in April 2007.

See the full article published by Network World.

Thursday, November 08, 2007

National Security Letter Plaintiff Speaks

According to an article on newsday.com, the U.S. Government decided yesterday to appeal a September ruling striking down a controversial provision of the Patriot Act. The provision permits the FBI to send secret demands, called "National Security Letters", to Internet service providers (ISPs) without first obtaining a judge's approval.

One such ISP, identified only as 'John Doe' because of a gag order, has challenged the law. The plaintiff states that the gag provision makes it "impossible for people...to discuss their specific concerns with the public, the press and Congress."

Additional details appear in a Slashdot posting.

Wednesday, November 07, 2007

Can Privacy Exist on the Internet?

Switched.com examines the gradual disappearance of personal privacy at the hands of such media sites as MySpace and Facebook, whose own employees can monitor what Facebook profiles you look at.

The article includes a link to a provocative video interview with social media guru Clay Shirky.

Source: Posting on Slashdot

Tuesday, November 06, 2007

Voting out E-Voting Machines

ACM TechNews reports on a new bill introduced in Congress this week by Senators Bill Nelson (Florida) and Sheldon Whitehouse (Rhode Island) that would ban touch-screen voting in federal elections in 2012, a complete reversal of the path toward electronic voting machines set 7 years ago.

Voters lost trust in the accuracy of the new systems early on, and that distrust was exacerbated by the 2004 accusation that the primary touch-screen supplier (Diebold) had ties to the Republican party.

Senator Nelson told TIME "We have to start setting a goal on this. Voters have to feel confident that their ballot will count as intended."

See the full article in TIME.

Monday, November 05, 2007

Cross-Selling Online Scams and Security Issues

A recently published discussion of an online scam called 'cross-selling' describes a devious online marketing strategy that traps consumers into committing to more than their intended online purchase.

This occurs when an after-sale business has made an agreement with an online retailer to link to its site for yet another sale, without the consumer ever appearing to leave the retailer's site. The retailer then gets a percentage of whatever the after-sale business manages to 'sell' to the unwitting consumer.

The method relies on an easily overlooked 'opt-out' box buried in the text, and it is perfectly legal.

For a description of how the scam works, see Caveat Emptor - Use of Credit Cards On-Line, linked from a Slashdot article posted on Saturday, November 3.

Friday, November 02, 2007

ICANN punts on WHOIS Privacy Proposal

The Internet Corporation for Assigned Names and Numbers (ICANN) has postponed approval of a change to the WHOIS database of Web site name registrants, proposed by privacy advocates, until further studies are undertaken.

According to Brian Krebs' article in the Washington Post,
The changes would have given Web site owners the ability to shield their identities online and, indirectly, cut spammers off from an easy-to-mine database of legitimate e-mail addresses.

See the Slashdot article.

Thursday, November 01, 2007

AT&T Invents Programming Language for Mass Surveillance

AT&T researchers have developed 'Hancock', a C-based programming language designed for mining the company's telephone and Internet records for surveillance purposes. The initial purpose was to develop marketing leads by determining what AT&T calls "communities of interest", an analysis of who is talking to whom.

Wired Blog Network says
...it's of interest because of recent revelations that the FBI has been requesting "communities of interest" records from phone companies under the USA PATRIOT Act without a warrant.

See ACM Tech News for more information.

US Voting Machines Standards Open To Public

The second version of the federal voting system standards has been published for 190 days of public comment, according to Online Voting.

More information about the new standards can be found in this FAQ.

See the Slashdot article.