Updated: 24.11.2002; 16:52:48.
disLEXia
lies, laws, legal research, crime and the internet

Sunday, August 25, 2002

Burglars steal laptops with highly sensitive data. The SPD campaign headquarters was visited last week by unknown intruders. Apparently they deliberately removed sensitive documents and data. [Spiegel]
23:53 #

Bush's Cyber-Security Plan Targets E-Mail: In an effort to bolster the nation's cyber-security, the Bush administration has plans to create a centralized facility for collecting and examining security-related e-mail and data and will push private network operators to expand their own data gathering, according to an unreleased draft of the plan. [SecurityFocus]
23:52 #

The Code Red alert continues. CNET Security Issues experts track the trail of the Code Red II worm and explain how to block it from your servers. [Article Central - Security]
23:33 #

Redirect Virus Attacks. Is your site bombarded with viruses and worms? You're not alone - Richard's suffered the virus attacks too. He describes his quick fix solution to reduce wasted bandwidth on your Apache server. [Article Central - Security]
23:25 #

Calif. counties map offenders' homes. Los Angeles County last month approved a plan to post on its Web site the locations of convicted sex offenders' homes to within a half-block. [Government Computer News - State & Local]
23:21 #

Lifting the covers: Analyzing selected network attacks. With hacker attacks in the news frequently these days, we all know that computer security needs to be taken seriously. While many publications exist about software that can be used to secure computer environments, very few publications exist that explain how hacker attacks are actually performed. If you are responsible for securing your company's computer environment, it's important you understand how attacks work. In this article, Michael Pichler analyzes some interesting network attacks and explains how they work. You'll see how inventive attackers can be, and you'll learn how some features included in your own software can actually be turned against you. This article is aimed at those who have some understanding of networking, but don't necessarily work in the networking field on a daily basis. [IBM Developer Works - Security Articles]
23:16 #

Privacy and Wi-Fi. Has the government ditched our hopes for the new Wi-Fi security protocol? Roman Vichr updates us on the latest developments in the long-awaited 802.1x enhancement to Wi-Fi networks. [IBM Developer Works - Security Articles]
23:16 #

SQL Injection Attacks - Are You Safe?. You're under attack! But what are injection attacks -- and how can you secure your database against them? Mitchell explains all... [Article Central - Security]
23:16 #

Understanding Cross-Site Scripting. Tim discusses cross-site scripting, a vulnerability widely known yet still prevalent on many web sites that allows an attacker to insert malicious code in dynamically generated web pages. [Article Central - Security]
23:15 #

We have a "Code Red!". Our Security Issues experts dissect the Code Red worm and explain how to keep it from burrowing holes in your servers. [Article Central - Security]
23:15 #

Air Force finds two stolen notebooks. Two notebook computers reported stolen from the Central Command in Tampa, Fla., a joint command overseeing the war efforts in Afghanistan, were recovered earlier this month. [Government Computer News - DOD Computing]
23:05 #

Carriers prep for packet tapping. Telecommunications carriers are getting ready for legal wiretaps of wireless and packet-based communications. [Government Computer News - IT Infrastructure]
22:59 #

NIST: Wireless opens a port in the parking lot. Days after Defense Department CIO John P. Stenbit warned against using wireless devices inside DOD buildings, the National Institute of Standards and Technology has released a draft report calling wireless connectivity "the logical equivalent of placing an Ethernet port in the parking lot." [Government Computer News - Mobile & Wireless]
22:50 #

Wireless adds a new twist to security headaches. One of the biggest emerging issues for network management is dealing with wireless LANs. The popularity of the IEEE 802.11b Ethernet standard, known as WiFi, has soared, partially because of its low cost and ease of installation. [Government Computer News - Mobile & Wireless]
22:47 #

How to secure a wireless network? Very carefully. "Wireless is a leaky environment," said Ken Evans, vice president of marketing for Fortress Technologies Inc. of Tampa, Fla. "It's impossible to stop the radio frequency signals." [Government Computer News - Mobile & Wireless]
22:47 #

Stenbit works on Pentagon wireless policy. The Defense Department soon will put in place a policy restricting personnel from using wireless devices while at the Pentagon. [Government Computer News - Policy & Regulation]
22:44 #

Court will archive its sealed files on CD. The U.S. District Court for the Eastern District of Missouri this year will put nearly 300,000 pages of sealed documents on CD-ROM to relieve a storage crunch. [Government Computer News - Storage]
22:40 #

Catching crooks with e-mail evidence. Not since the glory days of letter-writing, before the advent of the telephone, have people committed so much revealing stuff to written form as they do in the age of computers. All those e-mail messages and electronic files are a treasure trove of evidence for law enforcement officers, whether they are targeting terrorists, crooked CEOs or local drug dealers. [Terrorism RealNews]
22:36 #

Former MIT admin gets three year jail term for software piracy. A computer hacker has been sentenced to nearly three years in federal prison for using Massachusetts Institute of Technology computers to distribute stolen software programs, games, movies and music titles. Christopher Tresco, 24, of Boston, who prosecutors said was a ringleader in the international software piracy group DrinkOrDie, pleaded guilty Friday in U.S. District Court for the Eastern District of Virginia. Federal authorities in the Virginia court have prosecuted 13 people targeted in "Operation Buccaneer," a U.S. Customs Service investigation into international copyright violations. [Terrorism RealNews]
22:34 #

Debunking DMCA myths. Should researchers really be so worried about the much-reviled Digital Millennium Copyright Act? If you believe the buzz, you'll conclude that programmers, academics and engineers should be scared witless about being sued under the DMCA. In effect for nearly two years, the law sets protections for the codes that are wrapped around certain copyrighted content such as DVDs and electronic books. [Terrorism RealNews]
22:34 #

The Trouble with Software Patches. Despite the lessons taught by nasty viruses like Code Red and Nimda , experts say software patching continues to lag far behind discovered vulnerabilities. One way companies can wade through the swamp of patches is by considering the business impact of systems that might be vulnerable to attack if left unpatched. [Terrorism RealNews]
22:34 #

As Threat of Cyber Attacks Grows, Security Specialists Blame Faulty Software. Almost a year after Sept. 11, the United States is growing more vulnerable by the hour to cyber attacks. "Between 7,000 and 10,000 computers are being installed to the Internet, with known vulnerabilities, as we speak," said Allan Paller, director of the SANS Institute for Internet security training. "Between 2,000 and 3,000 programs are running 24 hours a day, seven days a week, seeking out computers with vulnerabilities to install Trojan horses for future attacks." One reason for this rises over all others: bad software. [Terrorism RealNews]
22:32 #

Pepper Spray Caused Disruption at Miami Airport. A canister of pepper spray surrendered at a security checkpoint leaked and caused the evacuation of a concourse at Miami International Airport, where 43 people were treated for exposure to the self-defense agent, the U.S. airport security agency said on Thursday. [Terrorism RealNews]
22:25 #

US picks Sept. 11 as launch date for controversial security system. The program will be implemented by the Immigration and Naturalization Service at undisclosed ports of entry beginning Sept. 11. After a 20-day trial, the system will become operational at all ports of entry on Oct. 1. [Terrorism RealNews]
22:22 #

Judge attacks civil servant's excuse for Web site attack. A civil servant was yesterday convicted of hacking into the Labour Department's Web site and littering it with expletives. Labour officer Lee Ka-wo, 34, was found guilty in Eastern Court of defacing the department's home page on two occasions between April and September last year. In convicting Lee, Magistrate William Ng Sing-wai rejected as "unimaginably queer" his claim that he put up foul language on the site because he wanted to test the home page's security. [Terrorism RealNews]
22:22 #

FBI Accused by FSB Of Framing Hackers. Hacking the hackers is a crime, according to an FSB officer who has charged the FBI with using illegal methods to snare two young Russians who were arrested in the United States. Igor Tkach, an officer in the Chelyabinsk branch of the Federal Security Service, has opened a criminal case against FBI Special Agent Michael Schuler, Interfax reported Thursday, citing the FSB press service in Moscow. [Terrorism RealNews]
22:21 #

Misusing Computers for Criminal Purposes. AS Malaysia aspires to be the region's high-tech power-house through its Multimedia Super Corridor, obviously cybercrime is of special interest to the country. Recognising the problem of cybercrime, the Government has taken steps to curtail it by strengthening its information security teams and securing its information system from hackers. [Terrorism RealNews]
22:21 #

FBI Warns About Wireless Craze. Well-meaning wireless activists have caught the attention of the US Federal Bureau of Investigation. One of its agents has issued a warning about the popular practice of using chalk marks to show the location of wireless networks. The marks, or "warchalks", are cropping up in cities and suburbs across the world. The FBI is now telling companies that, if they see the chalk marks outside their offices, they should check the security of wireless networks and ensure they remain closed to outsiders. [Terrorism RealNews]
22:21 #

5,300 Cases of Cyber Crime Reported. The Energy, Communications and Multimedia Ministry has received nearly 5,300 reports on cyber crimes, including 1,400 cases of illegal withdrawal from automated teller machines. Deputy Minister Datuk Tan Chai Ho said these crimes ranged from accessing illicit websites to posting malicious material on the Internet aimed at damaging the integrity of specific parties. "If one is found guilty, that person can face a RM50,000 fine or three years' jail or both under the Communications and Multimedia Commission Act 1998," he added. [Terrorism RealNews]
22:20 #

Library hacker gets jail time. Hacking into the Monroe County Library System's Web site has earned a Philadelphia man 1-to-3-years in state prison. Christopher J. Chinnici pleaded guilty in June to a felony charge of second-degree computer tampering for breaking into the system in December 2001 and leaving behind an obscene image after one attack and an animated cartoon after another. [Terrorism RealNews]
22:20 #

Philippine Rebels Warn of Attacks on U.S. Targets. Communist rebels in the Philippines will attack American troops and act against U.S. business interests there if U.S. forces join the local military's fight against them, a rebel spokesman said. [Terrorism RealNews]
22:20 #

Secret Service: Prevention, not arrests, is key to cybersecurity. In its efforts to combat cybercrime, the Secret Service is learning from law enforcement mistakes made in the war on drugs. [Government Computer News - Security]
22:13 #

Data security hinges on money, not technology, feds say. Government customers can foster information assurance by demanding it from vendors, said officials charged with overseeing the safety of the nation's critical infrastructure. [Government Computer News - Security]
22:12 #

Auditors: More IRS computers are missing. The IRS cannot account for an unknown number of the 6,600 desktop and notebook computers it has loaned to volunteers who assist low-income, disabled and senior citizens to prepare tax returns, an audit has found. [Government Computer News - Security]
22:11 #

Meet the Nigerian E-Mail Grifters: She's a widow, he's a high-ranking government official. They have fallen on hard times and urgently request your assistance to get a large sum of money out of Nigeria. They will reward you handsomely for your help.

Chances are you've seen something like that in your e-mail box. Perhaps in a bored moment you've wondered who sends them and why they bother; after all, no one could be gullible enough to buy into such an obvious con game.

But sources close to some of the so-called Nigerian e-mail scam's perpetrators insist that those overwrought messages fuel a thriving industry, employing thousands of people around the world who successfully manage to extract money from a multitude of Internet pen pals.

A Nigerian student who asked to be identified only as "Taiwo" (the twin), detailed the workings of the business, which he said his family has been involved in for over 15 years. Taiwo is a very large man, with a voice and mannerisms to match. He claims that his recent interest in the traditional religion of the Yoruba people has led him to publicly speak out about his past.

[News via OpenFlows]
22:07 #

Secure your WLAN

Electronic Warfare Associates releases 20-page PDF with sensible advice for securing wireless networks using existing technology: they don't claim this methodology is 100 percent secure; rather, they describe a series of sensible, generally inexpensive steps that ensure the best possible results with the least amount of ongoing maintenance and concerns. The paper is available in PDF form from their security white papers page.

[80211b News] [Gary Secondino: War]
22:04 # G!

Fees Threaten College Webcasts. The signal from San Diego State University's KCR station is so weak it can barely be heard on campus - if at all. Yet for the past six years its eclectic programming has reached the entire world.
[AP Tech News]
22:01 #

License to Hack

A bill introduced into Congress gives copyright holders -- that's the RIAA, the MPAA, and similar guys -- the right to break into people's computers if they have a reasonable basis to believe that copyright infringement is going on. Basically, the bill protects organizations from federal and state laws if they disable, block, or otherwise impair a publicly accessible peer-to-peer network. [News via OpenFlows]
22:00 # G!

Experts: Insider threat may be harder to detect

This article from Computer World is quite interesting, if initially slightly confusing. The headline seems to mirror the content but it seems to be challenged by the summary:

Recent findings that insiders constitute the primary threat to enterprise security are being challenged by experts who insist the greater threat to security remains external.

The article cites the CSI study and quotes NASA and US Dept. of Labor CIOs as saying that their main threats are external. However, as a few security experts later in the article state, the problem is probably that the internal threat isn't detected.

"I don't believe that many corporations know that the majority of attacks occur behind the firewall," said Mike Hager, vice president of network security and disaster recovery at OppenheimerFunds Distributor Inc. in New York. "And most still believe the firewall will stop them."

I think this rings particularly true with financial companies. There might not be many such incidents yet, but when they happen they happen big and hurt a lot more than an external attack through the firewall.

In addition I think we will start seeing much smarter hacker groups around, who will build up much greater inside knowledge of financial institutions. Just look at the hacker groups of the 80's, who often had greater knowledge of the phone companies' internal computer systems than most people within.

[Financial Applications Security Weblog]
21:59 #

Issues with CSI Cybercrime Survey

Jiri (?) from the brand new Security Weblog commented on my issues with the CSI survey and pointed out two great papers by Mich Kabay about the inherent flaws in computer security studies.

Agree. There is an old saying that goes something like: statistics is just a scientific way of fooling people. Pelle points out that the interpretation of the CSI survey is dubious. What's more, the sampling on which the survey was based is funny as well. The survey is responded to by security professionals from large organisations. This inevitably affects the results (that are then interpreted in the way outlined by Pelle). And BTW, there are two relevant papers on cyber crime surveys from Mich Kabay, who happens to be a security professional and at the same time holds a PhD in statistics. [Security weblog]

[Financial Applications Security Weblog]
21:59 #

Cyber crime bleeds U.S. corporations, survey shows

Many sources have commented on the latest Computer Security Institute (CSI) survey, which was done in cooperation with the FBI. These surveys are quite interesting but I question the methodology used by the various respondents to the survey to get their answers.

For example the survey counts non-work-related web surfing as a cyber crime. It specifies that in the past year the average cost per respondent has gone from $357,160 to $536,000 a year. The survey claims the two main issues here are productivity and liability. While I can definitely see liability as being a potential issue, I'm quite unsure of the methods they use to quantify their loss of productivity. How about the increase in productivity of employees who are happy because their employer doesn't choose to treat them like children?

Another area that might raise a few eyebrows is the losses based on theft of proprietary information. The report says that respondents reported a total loss of $170,827,000 last year. Yet only 20% of respondents reported such infractions. Granted these can be serious issues, however the Tech industry has a history of overreporting the value of such crimes. Just remember the Kevin Mitnick case where companies such as Sun, Nokia etc. made outrageous claims on losses caused by him.

Much more serious in my view is financial fraud. The survey states that 12% of respondents had a loss on average of $957,384. Most of this, from what I can ascertain, is basically traditional credit card fraud. However I do believe we will see a growth over the next year or two in losses based on investment banking systems. Just imagine how much money could be made if someone managed to create large false trades or spread disinformation on trade/news feeds. Not covered under financial fraud but equally an issue would be the cost of DoS attacks targeted at real-time trade feeds.

[Financial Applications Security Weblog]
21:59 #

Vegas phone hacking vice trial

http://online.securityfocus.com/news/587

"Citing the "compelling, credible testimony" of ex-hacker Kevin Mitnick, state officials urged Nevada regulators to force a series of dramatic security reforms on Las Vegas telephone company Sprint of Nevada last week, as final arguments were filed in the case of an in-room adult entertainment operator who believes he's being driven out of business by phone hackers."

"Challenged to prove his claims, Mitnick used a break in the hearing to visit an old rented storage locker, returning with a list of passwords he said unlocked the CALRS system [a computerized testing system used to monitor phone lines] at the time of his arrest ".

[ Kevin Poulsen, SecurityFocus ]

I'm not sure where to start with commentary on this one, but it'll be interesting to see the judgement in this case - due in the fall.

[Mark O'Neill's Radio Weblog]
21:59 #

A week of breaking through corporate firewalls

After Week 1 of my weblog, I'm reminded of two sentences in the Cluetrain Manifesto -  "Corporate firewalls have kept smart employees in and smart markets out. It's going to cause real pain to tear those walls down." 

This week a security thread found its way from a ZDNet story about Richard Clarke to an email by David Reed on Dave Farber's "Interesting People" email list, through Ray Ozzie's blog, into an internal email discussion in Vordel, then to an entry on this blog in which I quoted from our internal email discussion, then on to Juri Ludvik's Security Weblog. The thread essentially passed through the corporate firewall like... um... a SOAP message. And it means that a colleague can talk directly to a smart market. Without blogs, the thread would have stopped in our internal email discussion, and not broken back out through the firewall.

Jon Udell mentions high-tech PR. Sometimes marketing gets a bad name, especially after the dot-bomb years and especially in our sector of information security. But that misses the point that marketing is about addressing the market - if it's done well and efficiently, it's a good thing. Many of the barriers mentioned in the Cluetrain Manifesto still exist between smart employees and smart markets. The word "marketing" has become associated with all the things folks have to do on account of these barriers - techniques like bombarding people with calls and emails, brute force advertising campaigns - and that is a shame.

[Mark O'Neill's Radio Weblog]
21:58 #

Blogging and homeland security: connecting the dots. Sunday's New York Times featured a disturbing story on the IT culture clash between Google and the FBI: ... [Jon Udell: Security]
21:57 #

Security, insurance, and hard realities. Here are some notes from Bruce Schneier's talk. Hard, cold realities. Microsoft and its peers don't care about security, he argues, because it's not rational for them to do so. As businesses, they shouldn't, because they're not liable for their practices. Schneier is running out of options, he says, and what he's left with is a two-pronged strategy. One, require businesses to use insurance to manage risk, just like businesses use it to manage all other risks. Two, beef up prosecution of computer crime. ... [Jon Udell: Security]
21:57 #

myNetWatchman: neighborhood watch for the Internet. Thinking about trust and social capital, in online communities, reminds me of the work of Lawrence Baldwin, the creator of myNetWatchman.com. As I mentioned in a column on broadband security, Lawrence takes issue with the attitude of personal firewalls toward the steady stream of malicious probes that they repel. That attitude can be summed up as: "Don't worry, this is just the background noise of the Internet, and we're shielding you from it." ... [Jon Udell: Security]
21:56 #

Hackers Hit Global Leaders' Summit. An invisible cyber assault has cut off access for the second day running to the Web site of the World Economic Forum, organizers of the gathering confirmed. [The New York Times: Technology] ... [Jon Udell: Security]
21:56 #

An SSL web server is more complex than a plain one. Nobody likes touching complex things.

Counter-intuitive Apache security upgrade pattern

It is recommended that Apache web servers are upgraded to Apache/1.3.26, to fix the recently-found chunked encoding vulnerability. Today, The Register points to a NetCraft study which finds that Apache servers serving out plain HTTP sites are twice as likely to have been upgraded as Apache servers serving out SSL-enabled sites. NetCraft speculate that "perhaps because they receive more traffic, or because the http service is the conduit favoured by worm writers". I'd add that at least a small proportion of administrators recall the complicated steps involved in setting up their SSL site, and so the unfounded worry of the upgrade process messing up their hard-earned SSL configuration outweighs the worry of a new vulnerability.

[Mark O'Neill's Radio Weblog]
21:47 # G!
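As an added example, not part of the original page or of Mark O'Neill's post: a small Python inventory script that pulls the Server banner from a host over plain HTTP and over HTTPS and flags any Apache 1.3 build older than 1.3.26. It goes one step beyond the post by also handling the 2.0 branch, where 2.0.39 is the corresponding fix (from the Apache advisory, not from the post). The hostnames and banners in SAMPLE_BANNERS are constructed to reproduce the pattern NetCraft describes; fetch_server_header needs network access and is not exercised by the sample run. A banner of just "Apache" (ServerTokens Prod) cannot be classified and is reported as unknown rather than assumed safe, which is the honest answer for an inventory.

```python
import re
import socket
import ssl
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple

# First release on each branch that fixes the chunked-encoding bug.
# 1.3.26 is the version the post cites; 2.0.39 is the matching fix on the
# 2.0 branch (taken from the Apache advisory, not from the post).
FIXED_VERSIONS = {(1, 3): (1, 3, 26), (2, 0): (2, 0, 39)}

_APACHE_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_apache_version(server_header: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a Server banner, or None if it is not
    an Apache banner or the version is hidden (ServerTokens Prod)."""
    m = _APACHE_RE.search(server_header)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def needs_upgrade(server_header: str) -> Optional[bool]:
    """True if the banner shows a vulnerable build, False if it is at or past
    the fix for its branch, None if the branch or version cannot be determined."""
    version = parse_apache_version(server_header)
    if version is None:
        return None
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def fetch_server_header(host: str, use_tls: bool, timeout: float = 5.0) -> str:
    """Send a minimal HEAD request over HTTP (port 80) or HTTPS (port 443) and
    return the Server header, or '' if the server sends none. Certificate
    validation is disabled on purpose: this is a banner inventory, and hosts
    with self-signed certs are exactly the ones most likely to be forgotten."""
    port = 443 if use_tls else 80
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    try:
        sock.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii"))
        data = b""
        while b"\r\n\r\n" not in data and len(data) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    finally:
        sock.close()
    for line in data.decode("latin-1").split("\r\n"):
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return ""


def summarize(banners: Iterable[Tuple[str, str, str]]) -> Dict[str, Dict[str, int]]:
    """Count vulnerable / fixed / unknown banners per scheme ('http', 'https')
    from (host, scheme, server_header) tuples."""
    counts: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"vulnerable": 0, "fixed": 0, "unknown": 0})
    for _host, scheme, header in banners:
        verdict = needs_upgrade(header)
        key = "unknown" if verdict is None else ("vulnerable" if verdict else "fixed")
        counts[scheme][key] += 1
    return dict(counts)


def audit_hosts(hosts: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Live version of summarize(): probe each host over both schemes."""
    banners = []
    for host in hosts:
        for scheme, tls in (("http", False), ("https", True)):
            try:
                banners.append((host, scheme, fetch_server_header(host, tls)))
            except OSError:
                banners.append((host, scheme, ""))  # unreachable counts as unknown
    return summarize(banners)


# Constructed sample banners (not real hosts): the plain-HTTP side has been
# upgraded, the SSL side has not, as in the NetCraft figures the post cites.
SAMPLE_BANNERS = [
    ("www.example.test", "http", "Apache/1.3.26 (Unix)"),
    ("www.example.test", "https", "Apache/1.3.24 (Unix) mod_ssl/2.8.8 OpenSSL/0.9.6c"),
    ("shop.example.test", "http", "Apache/1.3.26 (Unix)"),
    ("shop.example.test", "https", "Apache/1.3.22 (Unix) mod_ssl/2.8.5 OpenSSL/0.9.6b"),
    ("intra.example.test", "https", "Apache/2.0.39 (Unix)"),
    ("old.example.test", "http", "Apache"),
]

if __name__ == "__main__":
    for host, scheme, header in SAMPLE_BANNERS:
        print(f"{scheme:5} {host:20} {header!r:52} -> {needs_upgrade(header)}")
    print(summarize(SAMPLE_BANNERS))
```

Run it as-is to see the constructed sample classified; call audit_hosts() with your own hostnames to run the same check live. Note that the https probe reaches a different virtual host configuration than the http one on many servers, which is exactly why both have to be checked separately.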

A quick intro to Buffer Overflows Attacks

Robert Vamosi over at ZDNet provides a great little, not too technical introduction to buffer overflow attacks. You might use this to explain buffer overflow attacks to non-technical personnel etc.

[Financial Applications Security Weblog]
21:37 #

Struggling Telecoms Sell Phone Books. The latest savior for a telecom industry struggling through a digital revolution is an old mainstay: the phone book.
[AP Tech News]
21:37 #

Issues with the CSI/FBI cybercrime Study

[Financial Applications Security Weblog] See also here.
21:12 # G!

Making software vendors pay for their failures

Contracts Getting Tough on Security

Enterprise IT managers and CIOs, growing impatient with security vulnerabilities, are fighting back with language in contracts that holds software companies liable for breaches and attacks that exploit their products.  ...

... For example, a Fortune 50 company recently wrote a clause into a contract with a major software company that holds the vendor responsible for any security breach connected to its software, according to sources familiar with the deal. [eWeek]

This is definitely a trend we will see continue. Not just for commercial software but also in internal and external agreements for software development or service providing.

For service providers, I would imagine that this would become addendums as part of their existing Quality of Service agreements. Some of these current agreements might already be good enough as they are to cover such events. But of course as the service providers get hit by more and more of these issues, they will naturally want to pass the buck on to the software providers.

[Financial Applications Security Weblog]
21:07 # G!

A thing which looks like a CD but isn't.

Israeli firm unveils the 'copy-proof' CD. Embedded smart card the secret [The Register]
21:03 # G!

p0rnspam tide

Third of spam is porn. Growing problem [The Register]
21:02 # G!

Virtual Pearl Harbor

War College Calls A Digital Pearl Harbor Doable. (hackinthebox.org) [News Is Free: Security]
21:01 # G!

The end-to-end security principle.

Everyone seems to be quoting Ray Ozzie's article talking about the end-to-end security principle. Mark O'Neill notes that the end-to-end security concept is not a panacea. He quotes one of his colleagues:

"Let's not confuse securely designed with securely implemented...the vast bulk of the security issues have been implementation problems. Adding in a whole, complex layer of authentication, encryption and validation would, frankly, have just given software developers more chances to screw up."

I would like to add another perspective to this. I am for application-level end-to-end security as much as anybody else; unfortunately, in practice it often proves to be too expensive. It needn't be so when there's only one application to be secured and no-to-little crypto is required. But as soon as cryptography is used on the data level, it gets interesting: one gets whole loads of issues with key management and with other practical issues (e.g. backups, export of data, key expiration, workflows, etc.). If you are developing a new application from scratch, and you have developers with enough crypto skills, chances are you can pull it off.

What's bad is that you won't get much support from off-the-shelf software. Ozzie's Groove and Notes are probably exceptions to this, but neither of them is the most widespread development platform. So to get crypto working in your COTS environment, you need to consider buying some additional software or adding a considerable amount of development. Just for illustration, in a case where I investigated these issues, only adding digital signing to the application translated into 25% extra costs. These costs can be justifiable for a mass-market software package. But in bespoke deployments (vertical apps) it is quite a lot of money for a feature that actually doesn't do anything useful (only makes the user's life more difficult). This conclusion may sound brutal but that's the approach the general public has towards security.

We haven't finished yet. The problem gets even worse.

Single application is more exception rather than rule and more often than not you need to integrate several applications together. If these applications were not developed with single end-end security concept in mind (and you don't venture much saying that they were not) the end-end security will end at the interface of the first application to which users are talking to. And so even if you try to push your e-e dream, you will get security only a bit better than the one you get using traditional approach and more expensive.

[Security Weblog]
20:55 # G!

Legal implications of security.

Mark O'Neill, CTO of the Irish web services security outlet VordelSecure, whom I mentioned here some time ago, has a brand new weblog. This is also a reminder that I should read the technical papers I downloaded from their website.

In his weblog, Mark talks about the legal implications of SAML. Legal issues have quite a significant impact on any security design. In a sense, security does not mean protecting systems, but rather protecting business objectives or people's objectives. To achieve this goal, good security needs to consider the issue of liability. This means that it is not enough to find out what the risks are and how to protect against them, but also to consider who would be held liable should anything go wrong. When security fails (provided the incident is discovered) you can bet that somebody will need to take the blame. Serious incidents can lead to lawsuits. To a certain limit, you can reduce this risk through appropriate use of technology. To a certain extent, you can transfer the risk to other parties through legal means. On some occasions, this can be a better approach than designing an unusable or technically difficult solution.

Talking about legal issues, some time ago I came across presentations on legal issues and on security from an Object Management Group workshop on web services.

[Security Weblog]
20:51 # G!

Attacking pay-per-click advertising.

Idea for a New Hacktivism Tactic [Hacktivism]
20:46 # G!

Cyberterror overtaking Cyberwar in the buzzword charts

Attack of the Cyber-Terror Studies [The Hacktivist]
20:40 # G!

Burma: Internet access needs a license

Myanmar Cracks Down on Computer Nets: Myanmar's military government has made it illegal for companies to operate unlicensed private computer networks linked to their overseas offices. The crackdown appears to be part of a campaign by the military rulers to limit and censor Internet access in Myanmar, also known as Burma. [The Hacktivist]
20:38 # G!

Bundeswehr website harmful to minors?

Ministry defends Bundeswehr concept for youth websites [heise online news] - no listing on the index
19:59 # G! Translate

How can we make law better? - Talking to Dave yesterday got me thinking; something he said made me aware of a fundamental problem with laws.  Lawyers tend to solve all social problems through the use of laws.  It's the old "when all you have is a hammer, every problem looks like a nail" scenario.  Sadly, ordinary people are also starting to rely heavily on laws, when ordinary common sense would do just fine.  And Congress?  Well let's just say that the place is littered with hammers.

So I'm working on a model of changing things in Congress that will help.  I'm pretty close to having something I can share with everyone.  It will have to be short because I'm not in the whole Kantian tome-writing, super-duper exegesis thing.  I've got attention deficit disorder, and I suspect that some of you do too.  So it will be short, pithy, and true.  The "truth" is the hard part.  I'm finding that "truth" requires a mix of strange ingredients.  And you've got to get the right proportions with those ingredients.  I'm sure I won't get it right, but at least I can say I tried.  Hope to have something for you soon.

[Ernie the Attorney]
19:56 #

Interest in Child Locators Grows. Given the recent spate of high-profile child abductions, Eric Wasman now double-bolts his front doors and shuts his windows even on hot nights.
[AP Tech News]
19:01 #

Gobbles Releases Apache Exploit [Security Focus]
19:01 #

London gets serious about automated traffic tickets [heise online news]
18:58 #

Dreamcast or iPaqs as network intrusion devices

When Dreamcasts Attack: White hat hackers use game consoles, handheld PCs to crack networks from the inside out. [Security Focus] This was a nice talk at BlackHat. Nothing unbelievably new, but nice that somebody actually sits down and implements this stuff. We tried this last century at the "CCCC" with dedicated hardware but never got it into a runnable state.
17:31 # G!

Venezuela: Supreme Court Biggest Threat to Chavez Regime. Since it voted Aug. 14 to acquit four senior officers of military rebellion charges, Venezuela's Supreme Court has emerged as the biggest threat to the survival of President Hugo Chavez's regime. Chavez has launched a political and diplomatic offensive to pre-empt an impeachment threat, and he may be willing to resort to violence if political maneuvering and diplomacy fail. [Stratfor]
17:27 #

Game Consoles -- the Next Hacker Target?: Xbox and Playstation 2 decks are coming to the Internet in droves this fall. How will they stand up against the legions of hackers waiting for them there? [Security Focus]
17:26 #

Microsoft Ships Nimda To Korea in .NET [Security Focus]
17:25 #

The Hacker Class War

H2K2 Hackers Say They Want a Revolution: San Francisco hacker and activist "Gweeds" slammed those hackers who traded their anarchistic ethic for jobs in the "military industrial security complex," i.e., the raft of computer security companies that sprang up in the dot-com era. [Security Focus]
17:22 # G!

Fugitive DEA Agent Arrested in Mexico [Security Focus]
17:22 #

Find a Bug? Don't E-Mail Microsoft: It may be the most-used vendor bug reporting address in history. This week Redmond put "secure@microsoft.com" out to pasture in favor of a handy Web form. [Security Focus]
17:21 #

GAO: U.S. Cyber Security Efforts are Uncoordinated [Security Focus]
17:19 #

Yaha Worm Takes Out Pakistan Government's Site [Security Focus]
17:18 #

Mitnick Testifies Against Sprint in Vice Hack Case [Security Focus]
17:18 #

Feds, Industry, Battle the Biggest Bug: A security hole in implementations of Abstract Syntax Notation One may threaten some of America's most crucial networks. Relax, the President's been briefed. [Security Focus]
17:18 #

DEA Data Thief Pleads Guilty [Security Focus]
16:56 #

'Creative Attacks' Beat Crypto -- Expert: "Nobody breaks the crypto, they all bypass the crypto," says Kocher. "They are putting bigger crypto keys in there and it doesn't give you bigger security." [Security Focus]
16:41 #

Researcher: Biometrics Unproven, Hard To Test [Security Focus]
16:40 # Translate

Justice wants bigger jail budget [Japan Today: Crime]
16:27 #

House OKs life sentences for hackers [The Hacktivist]
16:13 #

Camera/Shy SourceForge Site up ... Camera/Shy is the only steganographic tool that automatically scans for and delivers decrypted content straight from the Web. It is a stand-alone, Internet Explorer-based browser that leaves no trace on the user's system and has enhanced security. [The Hacktivist]
16:09 #

VIRTUAL SIT IN AGAINST THE OAS AND THE MEXICAN GOVERNMENT [The Hacktivist]
16:09 #

"E-bomb" may see first combat use in Iraq [The Hacktivist]
16:08 #

China Convicts Man in Internet Case [The Hacktivist]
16:08 # Translate

New version of NSA's Security-Enhanced Linux is out. The latest tar file of Security-Enhanced Linux is dated August 23, and includes a 2.4.19-based kernel. Here's the download info page that gives you the details. [Linux.Com: NewsForge NewsVac]
15:21 #

Bringing Old Content to a New Medium. Dealing with the Tasini v. New York Times aftermath will be a struggle. Bret A. Fausett asks, do you own your online content? [Article Central - Legal Issues]
15:20 #

Internet and Copyright Law. The need for copyright protection has long been apparent. As the Internet has became more prevalent, the need for copyright protection there has also become a necessity. [Article Central - Legal Issues]
15:20 #

I Want My Money Back. Can users make a case that you're offering more than you deliver? Bret A. Fausett steps you through reviewing your terms of service agreement. [Article Central - Legal Issues]
15:20 #

Coping with COPPA. COPPA is the first privacy bill to come out of Washington. If your site collects personal data from children, make sure you understand the FTC compliance requirements. [Article Central - Legal Issues]
15:20 #

Privacy Certified. Savvy users will see right through the escape clauses in your privacy policy. Bret A. Fausett has a better idea: Give them some protection, and get their business. [Article Central - Legal Issues]
15:20 #

Daylight Robbery! The Legal and Illegal Use of Web Graphics. Almost every Web designer has had their work copied at some stage. But what are the legalities of Web graphics - their creation and use? Mike reveals all... [Article Central - Legal Issues]
15:11 #

Don't Tread on My Server. Is someone using your site in ways you didn't intend? Bret A. Fausett explains how the law can help. [Article Central - Legal Issues]
15:10 #

DRM For the Forces of Good. Bret A. Fausett explains how, if your business needs to track intellectual property, setting up a system for digital rights management can save you countless hours. [Article Central - Legal Issues]
15:10 #

Federal Gov. standards for electronic records.

David Fletcher on the National Archives and Records Administration's recent issuance of an RFI regarding electronic records: "The problem is that so many of the issues associated with electronic records are not technological, but political and legal.  However, the formatting issue still remains a formidable challenge.  If NARA can settle on an acceptable format, it should go a long way towards settling on a standardized e-records management format which is really needed." 

This is a particularly salient observation for electronic records in the courts, whose recordkeeping practices are governed by overlapping statutes and constitutional duties regarding open access.  I suspect that the standards being developed by LegalXML will help shape a framework for archiving court filings, transcripts, contracts, statutes, etc.  The NARA standards will be worth watching.

[Rory Perry: Legal Information Standards]
15:01 #

CRM for the Judiciary ?.

Reading about a recent Giga Information Group report predicting a rise in CRM spending by government in the next two years, I was struck by this statement: "the biggest problem for the government is that agencies and regulatory bodies have a mandate -- albeit self-imposed -- to provide electronic services, but actual use of these services varies greatly, depending on the income brackets of the people served."  [ Report: CRM To Flourish in Government Sector | CRMDaily.com ]

All government must serve the people, and this mandate applies with particular force to the judicial branches of government, which are often under a constitutional mandate to fulfill their mission in such a way as to maintain open access to the courts.  Which gives rise to a question for the legal CRM gurus, (ahem, Rick) out there: what is CRM in the judicial context and why is it helpful?  How can CRM help guarantee meaningful open access to the courts? 

[Rory Perry: Legal Information Standards]
15:01 #

Public information blogs will grow web services.

Enabling Web Services.

Not surprisingly, the State of Utah has a large amount of data and much of it is public.  Some of the data that holds the most interest to people is already available on our web site for searching.  For example, you can verify the validity of a professional license.  My plan is to enable web services by ensuring that anytime we make data available we do it in a way that produces at least XML and that URIs work for all queries (yes, RESTian principles are at play here). 

Let's face it, if we're going to build an application that lets someone query a database it's a shame not to return XML since we can do it for little additional cost and the potential benefits are huge.  With that thought, I've been trying to come up with a set of principles that we can follow in state government to ensure that this happens. 

Without further ado, here is a list of principles I have so far.  What am I missing? 

  1. RSS should be produced, and the presence of an RSS feed clearly indicated, where applicable. For example, RSS feeds should be produced for events, press releases, chronological data such as rulings, judgments, and other decisions, etc.
  2. All queries for data from a web server should produce at least XML. If human readability is required, post process the XML with XSLT.  As an example, if I go to the professional licensing division and query about doctors, the application should, at a minimum, produce XML.
  3. Data queries should be accessible as a URI and a URI should be associated with each resource (a resource includes even a single data element). For example, I should be able to query for a professional license using a URI like: http://www.dopl.utah.gov/llv?last_name=windley (this is not a valid URI.) If this query returns a list of results, each of those results should be available individually as XML using a URI reference. 
  4. The API for this URI query language should be clearly documented using WSDL (?) and its location clearly identified.
  5. Avoid using a POST for queries.
  6. Use standards for XML where available rather than making up your own.  A good example is RSS.  Organizations that you belong to may already be developing XML standards for the type of data you have.  Still, dive in and keep moving; if you miss a standard it's not the end of the world because it's likely your data can be translated using XSLT into whatever standards come along later.
  7. Document whatever XML format you output using a DTD and ensure that the up to date DTD is available online and referenced in the generated XML.
  8. Consider displaying your data in multiple flavors to serve multiple audiences.  At a minimum, most queries will produce at least one flavor of XML and HTML. Once you're producing the XML, it's easy to display the data in multiple flavors by translating the base XML using XSLT.
  9. Include metadata with your XML. The Dublin Core elements in RDF are endorsed by the state GILS project and the CIO's office. The GILS project has produced templates and schema specific to the State of Utah for the Dublin Core.
  10. Use WSIL to advertise the availability of your service.   If it becomes viable in the future we will use UDDI, but having everything documented in WSIL will make that step relatively easy. 
  11. Use web authentication and authorization for queries that require it, rather than a homegrown solution, so that single sign on from the statewide directory works and queries can be made using a URI instead of a post.

[Windley's Enterprise Computing Weblog]

Hooray! Phil Windley's announcement is a very exciting development for open access to government.  The longer I work with posting WV Supreme Court decisions using RSS and XML, the more I have realized how the delivery of public information is the perfect place to experiment more broadly with web services.  Now that the Court has gone Sine Die, I'll have time to study Windley's principles (and fix my rss feeds, which are currently having whitespace problems).

As a lawyer and public official, rather than a technologist, the bottom line for me is that blogging tools have allowed me, as a single government official with one license for Radio, to deliver public information via html, and RSS/XML to:  this public website; to four categories [1, 2, 3, 4] on the Court's public site; and to pages on our judicial intranet.  To me, Windley's announcement shows that the back end for this type of content delivery will become more and more robust, and that public information blogs will grow real web services.

[Rory Perry: Legal Information Standards]
15:01 #
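Windley's principles 2, 3, 5 and 7 (XML for every query, a URI for every resource, GET rather than POST, a DTD referenced from the output) are a small design pattern, and the security consequence of principle 5 is that the query string is attacker-controlled. The following is an added example, not the State of Utah's code nor Windley's: it answers a query URI of the shape he gives with XML, gives each result its own URI, refuses filter names it does not know, and relies on the XML serializer to escape user-supplied values so that a query such as last_name=<script> cannot inject markup into the document. The base URI under www.dopl.utah.gov, the DTD location, the element names and the three license records are all made up for illustration; nothing is fetched over the network.

```python
"""GET-addressable XML query service in the style of Windley's principles.
Added example; the base URI, DTD location, element names and data are
assumptions made up for illustration, not the State of Utah's API."""
from urllib.parse import urlparse, parse_qs, quote, unquote
from xml.etree.ElementTree import Element, SubElement, tostring, fromstring

BASE = "http://www.dopl.utah.gov/llv"  # assumption: hypothetical query endpoint
DTD_REF = '<!DOCTYPE licenses SYSTEM "http://www.dopl.utah.gov/dtd/licenses.dtd">'  # assumption
FIELDS = ("last_name", "first_name", "profession", "status")
ALLOWED_FILTERS = {"last_name", "profession", "status"}  # whitelist of query parameters

# constructed sample rows standing in for the licensing database
LICENSES = {
    "L-1001": {"last_name": "windley", "first_name": "phil", "profession": "engineer", "status": "active"},
    "L-1002": {"last_name": "windley", "first_name": "jane", "profession": "physician", "status": "expired"},
    "L-2003": {"last_name": "perry", "first_name": "rory", "profession": "attorney", "status": "active"},
}


def resource_uri(license_id):
    """Principle 3: each individual result is itself addressable by URI."""
    return f"{BASE}/{quote(license_id, safe='')}"


def serialize(root):
    """Principle 7: reference the DTD from the generated document.
    ElementTree escapes text and attribute values, so a filter value of
    "<script>" is emitted as &lt;script&gt; and never becomes markup."""
    body = tostring(root, encoding="unicode")
    return ('<?xml version="1.0" encoding="UTF-8"?>\n' + DTD_REF + "\n" + body).encode("utf-8")


def license_element(parent, license_id):
    lic = SubElement(parent, "license", {"id": license_id, "href": resource_uri(license_id)})
    for field in FIELDS:
        SubElement(lic, field).text = LICENSES[license_id][field]
    return lic


def error(status, message):
    root = Element("error", {"status": str(status)})
    root.text = message
    return status, serialize(root)


def query(uri):
    """Principles 2 and 5: a GET query URI answered with XML.
    The query string is attacker-controlled, so only whitelisted filter
    names are honoured; unknown ones are refused with 400 rather than
    silently ignored, so a caller cannot mistake an unfiltered answer for
    a filtered one."""
    params = parse_qs(urlparse(uri).query, keep_blank_values=True)
    unknown = sorted(set(params) - ALLOWED_FILTERS)
    if unknown:
        return error(400, "unknown filter(s): " + ", ".join(unknown))
    matches = list(LICENSES)
    root = Element("licenses")
    for name, values in params.items():
        wanted = values[-1]  # last value wins, as in most CGI libraries
        # echo the decoded filter value back; serialize() escapes it
        SubElement(root, "filter", {"name": name}).text = wanted
        matches = [i for i in matches if LICENSES[i][name].lower() == wanted.lower()]
    for license_id in matches:
        license_element(root, license_id)
    return 200, serialize(root)


def get_resource(uri):
    """Principle 3: fetch one license by its own URI, e.g. BASE + '/L-1001'."""
    path = urlparse(uri).path
    prefix = urlparse(BASE).path + "/"
    if not path.startswith(prefix):
        return error(404, "not found")
    license_id = unquote(path[len(prefix):])
    if license_id not in LICENSES:
        return error(404, "no such license")
    root = Element("licenses")
    license_element(root, license_id)
    return 200, serialize(root)


def parse_results(xml_bytes):
    """Client side: read a response back into plain dicts; raises if the
    document is not well-formed XML."""
    root = fromstring(xml_bytes)
    if root.tag == "error":
        return {"error": root.text, "status": int(root.get("status"))}
    return {
        "filters": {f.get("name"): f.text for f in root.findall("filter")},
        "results": [
            {"id": lic.get("id"), "href": lic.get("href"), **{f: lic.findtext(f) for f in FIELDS}}
            for lic in root.findall("license")
        ],
    }


if __name__ == "__main__":
    for u in (BASE + "?last_name=windley", BASE + "?last_name=%3Cscript%3E",
              BASE + "/L-2003", BASE + "?ssn=123"):
        status, body = (query if "?" in u else get_resource)(u)
        print(status, body.decode())
```

The injected-markup case is the one to check by hand: because the filter value is placed into the tree as text and only then serialized, the response for last_name=%3Cscript%3E contains &lt;script&gt; and parses back to the literal string, whereas a handler that concatenated strings into an XML template would have emitted a new element. Rejecting unknown parameters, rather than dropping them, is what keeps a URI-addressable query honest about what it filtered on.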

Electronic filing standards to be reviewed later this week.

Electronic filing standards activity is chugging right along. The newly-formed OASIS LegalXML Court Filing Technical Committee has its first face-to-face meeting later this week in Salt Lake City. Several items are on the agenda, including review of the CourtFiling 1.1 specification; the Court Document 1.1 Draft Standard; a Query and Response Draft Standard; and the Draft Court Policy Interface Requirements, as well as updates on a variety of additional issues.

In an encouraging SOAP development, one company announced today an "open source" bundle of software designed to handle the collection and management of LegalXML filings. The company, counterclaim, states that "The user interface is built around servlet/JSP technology and implemented using the Jetty JSP engine and using Apache's Struts and Tiles UI architecture. Filings can be accepted via HTTPS or SOAP over HTTPS." The company plans to maintain an open development list.

[Rory Perry: Legal Information Standards]
15:01 #

Standards for Electronic Filing Processes Out for Comment until June 16.

A working draft of policy and functional standards for electronic filing processes in the courts have been placed for public comment until June 16, 2002.  The draft appears on the National Center's Standards page.  Direct links to the lengthy documents: [105 pg. PDF, 108 pg. Word].   The final work product is scheduled to be presented to the National Consortium for State Court Automation Standards and the COSCA/NACM Joint Technology Committee in July 2002.  For more info on court XML initiatives, I recommend Robin Cover's piece on the COSCA/NACM JTC project.

[Rory Perry: Legal Information Standards]
15:00 #

Do you have a license for that opinion?.

[From The Shifted Librarian] Legal eagle friends, please tell me this doesn't mean what I think it means:

Publishers' Licence Bid Gets Boost

"Legal publishers hope they can use a recent federal court ruling to stop law libraries across the country from photocopying and charging fees for parts of law books without a licence agreement.

In a 132-page decision released on Tuesday, the Federal Court of Appeal said the Law Society of Upper Canada -- the governing body of Ontario lawyers -- had infringed copyrights of three legal publishers by selling their work without a licence." [The Globe and the Mail]

Steven found the full decision. Help!

Jenny, I'll defer to the copyright experts on this one, but it should be noted that there are differences between US and Canadian copyright laws, especially in this context, as the opinion indicates:

In addition, there are significant differences between Anglo-Canadian copyright law and the American standard of originality that was applied in Bender v. West, (1998), 158 F.3d 674 (2nd Cir.). Whether or not the Publishers' works are "original" depends upon the meaning of that term in its statutory context, as explained by existing Anglo-Canadian jurisprudential principles. (at Paragraph 27.)

I'd like to hear more about the impact of this decision as well, because it may impact services we provide through our state law library to prisoners and pro se litigants.  I author and publish many of the same items covered in the Canadian court's opinion -- summaries of judicial decisions, topical indexes and the like -- all for free, all in the public domain.  I've said it before, the Law is Free, and should remain so.  To me, Jenny's call for help to the legal blogosphere is itself a watershed event -- will self-selected experts in the blogging world begin to encroach upon (and supplant) the copyrighted "commentary" provided by the big legal publishers?

[Rory Perry: Legal Information Standards]
15:00 #

Courts as standard bearers.

The conventional wisdom (at least here in the States) is that the real driving force for technological change in the legal profession is the clients. If the clients demand something, law firms will develop it. I'm not so sure. If I'm a client, I'm less worried about the tools you use so long as you produce the results. The courts, on the other hand, are worried about the tools you use - because those tools directly affect their ability to do their jobs. In this sense, developments like the one Martin mentions are significant.

One thing is certain: courts are getting it. Last week we had Rory getting the West Virginia Supreme Court site set up using Radio, now we've got a court in Germany accepting filings via e-mail. It's hard to believe, but it's already been nearly six years since Schnader Harrison filed a brief with the U.S. Supreme Court on CD-ROM. (Seems almost quaint today, doesn't it?) Maybe Rory has some thoughts on what it will take for the courts to drive more standardization across the profession?

[tins ::: Rick Klau's weblog]

Rick is spot-on: courts are institutional players in the legal information standards game; whether it be functional case management standards, electronic filing standards, or standards for exposing court data.  There is a lot of current development going on in this area, and the full story belongs in a longer post, which is a job for another day.    

[Rory Perry: Legal Information Standards]
14:59 #

Slip Opinion Listservs. Kathy Biel has posted an updated list of fee-based and free slip opinion listservs, at the excellent reference site LLRX.com.  West Virginia's free service is noted in the article.  Free slip opinion listservs and alerts are great services for now, but, as I've said before, this type of legal content should be freely syndicated and available for real-time retrieval, by topic. [Rory Perry: Legal Information Standards]
14:59 #

Undercover Agents Exposed in Spy Shop Snafu [Hideaway.Net]
10:17 #

And just like that, you're a terrorist [Telepolis News]
10:15 # Translate

War as mass culture [Telepolis News] ... the media-military complex strikes.
10:15 # Translate

Tricky statistics. An article about mathematics confused many ZEIT readers [Die Zeit: Wissen]
10:14 # Translate

Hackers beg boring people to stop encrypting email. San Jose, Calif. (SatireWire.com) - In an unusual worldwide appeal, the International Brotherhood of Computer Hackers today asked particularly boring people to please stop encrypting their emails.

(Image caption: Cracking messages like this are a waste of valuable hacker time, say hackers.)

According to IBCH President Björn Haxor, hackers spend thousands of hours intercepting and cracking open encrypted emails - believing it to be "the good stuff" - only to find most contain little more than "Two priests walk into a bar," or "Hi Bob, here's my new email address."

"Maybe you think hacking coded messages is simple, but it's not - well, except for the Microsoft Outlook ones," said Haxor. "The rest of it is a pain in the backdoor. So here's a tip: if you encrypt just because you want to keep your personal information 'secret,' but all you're encrypting is blather about your stupid promotion or a recipe for fruit salad, guess what? Your secret's already out. You're dull." [Privacy Digest] ... keep in mind - no connection to reality!
10:14 #

Spam crusaders slog it out in court [Privacy Digest]
10:13 #

The Tao of War-Dialing [Hideaway.Net]
10:11 #

Bush's Cyber-Security Plan Targets E-Mail [LinuxSecurity.com - Latest News]
10:11 #

ToorCon Computer Security Conference 2002 Announcement [LinuxSecurity.com - Latest News]
10:11 #

Dot Compost and the Danger to Your Privacy [LinuxSecurity.com - Latest News]
10:11 #

Why We Still Can't Stop Viruses [LinuxSecurity.com - Latest News]
10:10 #

Spam Fighters Shouldn't Tread On The Innocent [LinuxSecurity.com - Latest News]
10:10 #

Introduction to Autorooters: Crackers Working Smarter, Not Harder [LinuxSecurity.com - Latest News]
10:10 #

Activity report of the Zurich data protection commissioner. Data protection - The data protection commissioner of the City of Zurich, Thomas Bärlocher, has in recent days presented his activity report... [Newsbyte.ch]
10:04 # Translate

Renewed warning from T-Online to file-sharing users [heise online news]
10:04 # Translate

DeCSS CO-AUTHOR TO BE TRIED THIS DECEMBER [2600.com]
10:04 #

For Simone, 'Fake' Is Flattery. To create the blonde bombshell in Simone, writer-director Andrew Niccol fed the faces and voices of real actresses into whiz-bang graphics software. But the simulated starlet still has a mind of her own. By Michael Stroud. [Wired News]
10:02 #

Court: an ID card number is not sufficient as an age verification system [heise online news]
9:56 #

Cyberterrorism scenarios scrutinized. Security experts, IT professionals meet to consider how best to plan for likely cyberattacks. [Help Net Security - News]
9:48 #

The seven deadly security sins. Gartner research director John Pescatore blamed the hiring of people who turn out to be internal threats or who have submitted inflated resumes, which results in "sheer incompetence." [Help Net Security - News]
9:48 #

White House debates cyberwar rules. The Bush administration is stepping up an internal debate on the rules of engagement for cyberwarfare as evidence mounts that foreign governments are surreptitiously exploring our digital infrastructure. [Help Net Security - News]
9:47 #

Security Policies Need Auditing [Kill-HUP.com]
9:45 #

OECD governments launch security initiative [Golem Network News]
9:45 #

Fast launches two high-capacity digital video recorders [Golem Network News]
9:44 #

Specialists Blame Bad Software [Kill-HUP.com]
9:44 #

Trojan Horse Technology Exploits IE. A new technology could let a Trojan horse disguise itself as Internet Explorer and let hackers steal data from your PC. [Geek News Central] They use IE via OLE to get HTTP out. Nice idea, but no reason to give a one-hour talk at BlackHat and Defcon, because the idea can be covered in 5 minutes.
9:38 #

PayPal to block N.Y. online gambling [CNN - Technology]
9:31 #

Theaters to post movie piracy warning [CNN - Technology]
9:28 #

Bracing for the Digital Crackdown [Wired News - Politics]
9:28 #

Expensive words without effect. The political fight against right-wing extremism was in vain despite high spending [Süddeutsche: Politik]
9:27 # Translate

BBC: "Millions of people using Microsoft's Office and Internet Explorer programs are at risk from security holes that could allow malicious hackers to change files on their computers." [Scripting News] [dws.]
9:25 #

Cyberterrorism Scenarios Scrutinized [ACM Tech News]
9:20 #

No Criminal Liability for Printing Trademark on Repackaged Goods. The 5th U.S. Circuit Court of Appeals has held that printing a company's trademark on trays used to ship another company's repackaged products associated with that mark doesn't violate federal criminal trademark or food labeling laws. The decision establishes "a very important precedent" with regard to the interpretations of mislabeling and trademark counterfeiting, says Dallas solo Frank Johnson. [Law.com]
9:20 #

Fear of Fees, Not Terrorists, Put Public Records Act Under Scrutiny. When New Jersey Gov. James McGreevey announced 583 exemptions to the new Open Public Records Act, he stressed they were necessary to guard the state from misuse of information by terrorists. However, internal e-mails and position papers obtained from his office indicate that the initial concerns were the cost of implementation, the threat of lawsuits and the likelihood of having to pay attorney fees if the state lost them. [Law.com]
9:20 #

Tenure, Terrorism and Academic Freedom. Dr. Samuel Al-Arian of the Dept. of Computer Science and Engineering at the University of Southern Florida is of Palestinian descent and has come under criticism for his (alleged) anti-Israeli stance. Recently, the University has sued to remove his tenure. This brings up some concerns about freedom of speech, tenure and academic integrity. While I cannot say if Dr. Al-Arian crossed the line of impropriety, he now has to defend himself at a very difficult time. [kuro5hin.org]
9:19 #

Legal and good: Tonspion. "TONSPION is the secret agent on behalf of the music listener... (24.08.02) [Industrial Technolgy & Witchcraft]
9:14 # Translate

Google does merchandising. Google: the name is worth money. That's why there is now... (24.08.02) [Industrial Technolgy & Witchcraft]
9:14 # Translate

Web audit pings Army. DOD inspector general found operational plans, personal information on Army sites [FCW: Privacy]
9:09 #

Carnivore bites off too much. The Internet spyware intercepted so much unrelated e-mail that the FBI stopped using it and might have destroyed information it collected related to the terrorists [FCW: Privacy]
9:09 #

Cyber Corps funding hiked. The government's Scholarship for Service program is getting an infusion of new money [FCW: Security]
9:09 #

Official: Security won't hurt privacy. Office of Homeland Security CIO says high-tech identification systems won't be allowed to undercut civil liberties [FCW: Privacy]
9:06 #

Rumsfeld outlines risks, rewards. Defense secretary's annual report describes the advantages of network-centric operations and need for protecting systems [FCW: Policy]
9:05 #

Happy Children. Stock market crashes, a wave of bankruptcies, mass unemployment, terror - happy children grow up in such times who value career and achievement, but also diligence and tolerance, who almost all like their parents so much that they wish to rear their own children as they were brought up themselves. No generation gap, not even the usual disenchantment with politics is in fashion. [FAZ: Politics]
9:02 #

Army CTO pushes 'federation of sites'. Col. Robert Coxe Jr. would like to see a union of different Army, Navy and Marine Corps portals [FCW: Defense]
9:01 #

Net-savvy students frustrated. Survey shows students rely on Internet but fault teachers for not taking advantage of its power for more challenging uses in class [FCW: Schools]
9:01 #

Explaining the spy court [CNN - LAW]
8:56 #

Provisions of the U.S.A. Patriot Act [CNN - LAW]
8:56 #

Mannesmann legal case vs Ackermann, Zwickel, Esser postponed 'indefinitely'. Ananova Aug 18 2002 10:13AM ET [Moreover - moreover...]
8:51 #

Lawsuits follow the flood. Are hydroelectric plants in Austria partly to blame for flood damage? [Süddeutsche: Panorama]
8:51 #

Gone along, caught along. A suspected ETA terrorist strolls out of the Paris prison La Santé to freedom, while his brother poses as the inmate [Süddeutsche: Panorama]
8:51 #

The public child. For almost five years, ARD has kept a little girl under constant observation [Die Zeit: Media]
8:42 #

Recycling for the "Grüner Punkt"? In the view of the Federal Cartel Office, the Duales System constitutes a demand cartel with a market-dominating position. According to Cartel Office president Ulf Böge, that is to change from 2006 on, without "chaos" breaking out as a result. [FAZ: Wirtschaft]
8:41 #

Miss Germany Wants to Be Miss No More. Katrin Wrobel, the leggy 24-year-old Berliner crowned Miss Germany last January, now wants out of her contract and crown -- with only a few months left to go before the Miss World contest. [DW-WORLD.DE]
8:41 #

Germany: Businesses Refuse To Cooperate With Checks On Personnel Data. Authorities in Germany say only about 5 percent of businesses and institutions in the country released personnel files on their employees as part of the war on terrorism. Most companies cited Germany's strict privacy laws for their refusal to cooperate. Some Islamic organizations also went to court to stop the investigations. [Radio Free Europe]
8:33 #

Microsoft warns of three serious security holes. Microsoft - The software company Microsoft warned on Friday of three dangerous security holes in Microsoft O... [Newsbyte.ch]
8:24 #

Expert report: no "federal deletion days". According to a report in the "Welt am Sonntag", there were no systematic deletions of compute... in the Bonn Federal Chancellery before the 1998 change of government [FAZ: Politik Aktuell]
8:23 #

Software as art? - okay, I just got off the phone with Dave Winer.  Lot of stuff to digest.  One thing I'm coming to believe: software guys really are artists.  Why?  Well they are really protective about their creations and don't want people messing with them.  Especially lawyers. [Ernie the Attorney]
8:23 #

Copyright Law - what should it be? I agree with Dave Weinberger's post.  And these points in a TechCentral article are also right on the mark.

These viewpoints are not entirely contradictory, at least to me. Weinberger agrees that copyright holders should be paid, and says that we should be very careful in passing legislation that affects the Internet.  We shouldn't let the large companies convince us to pass laws that significantly affect the Internet simply because they (supposedly) are not making enough money selling their stuff.  There may be good reasons to regulate the Internet (I suppose), but pure corporate profit is not one. 

The TechCentral article focuses on the problems that P2P (which is what the Internet is) brings for people who create content that can be distributed digitally (which is just about everything these days).  If I were Dave, a creator who wants to have perfect control over his creations, I'd be totally in favor of DRM, and legislation to let content creators disable software that people have illegally stored on their hard drives.  And I'd also be in favor of Knight-Ridder locking down its web content and making people pay to link to it, or even to read it.  That's just capitalism.  No problem with capitalism, as far as I can tell.  Dave works hard and he should make as much money as the system will lawfully allow him to make. 

But neither article proposes how to solve the problem.  Not really.  And neither do I.  I do make this small observation.  It is not a good idea to allow legislation that affects the Internet to be primarily based on economic interests of people who make money off of content.  The Internet is about more than making money; it is a communications network.  Booksellers would make more money if libraries didn't exist, but we allow for libraries to exist.  Why?  Because sharing knowledge is perceived to be more important than money.  I know.  None of this makes any sense, does it?

[Ernie the Attorney]
8:23 #

The music industry stops itself [heise online news]
8:22 #

Celebrity publicist Grubman pleads guilty [CNN - LAW]
8:17 #

CD with SmartCard allegedly copy-proof [heise online news]
8:17 #

Sensitive data stolen from the SPD campaign headquarters. Report: two break-ins in one week [ZDF Heute: Politik]
8:14 #

USA wants to secure weapons-grade uranium from nuclear power plants [ZDF Heute: Politik]
8:13 #

Schill offers Stoiber cooperation. "Our platform does not differ that much from what Stoiber has done in Bavaria," says the head of the Schill party, who wants to form a pact with the Union. [Spiegel]
8:12 #

Fleeced bailiffs. The justice ministries of the federal states are demanding money back from Germany's roughly 4,500 bailiffs. The bailiffs, nicknamed "cuckoo stickers", who in 2001 alone collected around three billion marks from defaulting debtors, are these days receiving payment demands of about 4,000 euros each. [Spiegel]
8:12 #

PayPal to merge with Ebay [Megarad Technologies - Ultimate in Underground Technology News]
8:06 #

Fink. I finally got my dev tools, so I'm spending all day battling Fink. I realized that the reason why I have so much trouble using it is that I don't understand how it works, and that's because the docs make little attempt to explain it. [Hack the Planet]
8:03 #

Why Larry Lessig gets an "F" in software.

Charles Cooper has a c|net News.com "Perspectives" column on Professor Lessig, Why Larry Lessig gets an "F" in software.

[Lessig News Log]
8:03 #

Second KaZaA Virus Found; Another Poses As AV Upgrade. PC Magazine Aug 24 2002 10:26PM ET [Moreover - moreover...]
8:02 #

War College Calls A Digital Pearl Harbor Doable [LinuxSecurity.com - Latest News]
8:02 #

Return to Sender -- 55,000 Times. Rogue e-mail sent in the name of pro-Palestinian activists overloads inboxes and stirs up bad feelings among those united for a common cause. Question is, who's to blame? By Noah Shachtman. [Wired News]
1:59 #

You're Only as Secure as Your Passwords [Kill-HUP.com]
1:51 #

Hacking contest at Malaysian IT conference. Sydney Morning Herald Aug 23 2002 4:19PM ET [Moreover - moreover...]
1:50 #

Interest in Child Locators Grows. Given the recent spate of high-profile child abductions, Eric Wasman now double-bolts his front doors and shuts his windows even on hot nights.
[AP Tech News]
0:41 #

Laptop stolen from SPD campaign headquarters. The SPD campaign headquarters in Berlin has been broken into. According to media reports, the thieves got hold of important data: a laptop with confidential information was stolen. [Netzeitung - Deutschland]
0:13 #

New Architect: Wireless, Defenseless. To work, the public mobile Internet has to be open, letting people join and drop out at will. This means that public wireless communication will be vulnerable to sniffing, so there's no longer any excuse for failing to use end-to-end encryption for email, Web, and login protocols. [Tomalak's Realm]
0:02 #

Maximillian Dornseif, 2002.