Tuesday, August 27, 2002
OECD governments have drawn up new Guidelines for the Security of
Information Systems and Networks in the wake of last year's September 11
attacks in the United States, in order to counter cyberterrorism, computer
viruses, hacking and other threats.
The Guidelines are designed to develop a "culture of security" among
government, business and users in an environment of worldwide expansion of
communications networks, increasing interconnectivity across national
borders, converging technologies and ever more powerful personal
computers. [07. Aug. OECD Press Release via Mail]
Before I took a very minor part in the development of the guidelines I thought this OECD stuff would be senseless shuffling around of paper, but then I had to find out there are smart people trying to get the interests of dozens of different stakeholders to meet. A huge part of their work consists of ensuring that people actually have a common vocabulary to discuss international affairs.
Get it at http://www.oecd.org/pdf/M00033000/M00033182.pdf
22:33
David Holtzman tells us to get used to identity theft and has some interesting views on how to avoid identity theft. He might be right, but it strikes me that I never found serious incidents of this kind in Germany. It could be that there is a connection to most of Europe having national ID cards and laws requiring citizens to register their place of residence at the local town hall. While I don't really like these regulations, they make 'proving who you are' a lot easier. I never ever heard of somebody over here having to get a new SSN and name to restore a reputation damaged by identity theft.
CNET News.com Perspectives - Identity theft: Get used to it. The real damage is subtler. The substitution of these identification keys for the person, while probably necessary, has created an environment that is conducive to identity theft. It is much easier to find a way to get the identification keys that will unlock an account than it is to break a window and leave with a television set. There's sometimes more at stake here than just money. If you know the right keys to authenticate yourself to a computer system as someone, then for all intents and purposes you are that person in every possible way. Not only can you withdraw money from someone's bank account, trade their stocks or sell their house, you also can lift their professional credentials and establish commitments and relationships under a fraudulent pose. You don't need computers to carry off any of the above scenarios but they make it so much easier. Every new online capability carries the potential for abuse by identity theft if there is an incentive for someone to do so. [ ... ] Identity theft is not about numbers and it's not about money. If it was, we could write laws to protect ourselves. We could easily create a national ID card with biometric identifiers and use it to identify ourselves in public areas, pay for all of our purchases and contain a sample of our DNA and medical history for health care. Every artifact that we have interacted with could know who we were and add what we did to governmental and commercially available transactional databases. The easy way to solve identity theft is to systematically remove any ambiguity of who we are or what we are at any time or place -- in the real or virtual world. Anything less provides an opportunity for theft. That is the price for freedom. [Privacy Digest]
22:08
Somehow it seems to be a special gift of ours that appointments get mixed up whenever we are around. Today, for example, we had a family appointment at the photographer's at 17:00. Kathie and Neal had solemnly promised to be back by 16:30. So we battered parents stood ready, more or less groomed and pressed, waiting for the babysitter and the child in her care, when the phone rang: Foto Sasse; didn't we have an appointment today? - Yes. (Bad feeling ... had we mixed up the time again?) - The photographer was in hospital and a stand-in could only be there on time with great difficulty; could we postpone the appointment? - Yes, we could.
Tsk tsk tsk. That really wasn't our fault. All the same, it was better this way, because Kathie and Neal didn't get back until shortly after five. South Americans and children!
21:01
Author: James R. Richards; $79.95 (Pre Order, release date 13 December, 2002)
Strange book. Amazon tells me it will be published in 4 months and it already has rave reviews. I like the last review most:
A very good choice! My father wrote this book. Even though I am only eleven years old I already want his job. I love to read and learn and I am very interested in this field. I read his book and I can finally understand what he's talking about at the dinner table! He now tells me about his cases in the car and I love hearing about them. This book helped me learn about things I wouldn't have learned about in college. It really opened my eyes to what was out there. Good work daddy! PS - Your kids books that you wrote for us are just as good! Publish them!
[Amazon Books: cybercrime]
20:10
Recording industry executives have bemoaned the negative impact of new technology on profits since the Sony Walkman's arrival in 1979. Despite ups and downs, the music business isn't dead yet. By Brad King. [Wired News] We have the same problem here as with cybercrime statistics: it is very difficult to get numbers in a scientifically sound fashion. To my knowledge nobody has proven a connection between filesharing and a decrease of record sales. But there are good indications that there is no relation between the two.
19:52
Mr. Marco Cappato sent me this press release:
Hackers / EP: Cappato "It is necessary to distinguish between Cybercriminality and Cyber-Nonviolence"
The Cappato report (http://www.europarl.eu.int/meetdocs/committees/itre/20020826/474190en.pdf) on the proposal for a framework decision on attacks against information systems (http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=EN&numdoc=52002PC0173&model=guichett) has been presented today in the Industry Committee of the European Parliament
During today's meeting of the EP Industry Committee the report by Marco Cappato (Italian Radical, President of the Board of the Transnational Radical Party) on the proposal for a framework decision on attacks against information systems (among which the Internet) has been presented. The framework decision has the aim of assuring that the above mentioned attacks are punished with minimum penalties of at least a year of imprisonment, so as to allow the functioning of the European instruments on judicial and police co-operation and of the extraterritoriality of the jurisdiction.
The abstract of Marco Cappato's intervention on his proposals for modification follows. The vote of the Industry Committee will take place on the 11th of September:
"In the case of such specific measures as these it is necessary to ensure that the approximation of laws does not violate basic legal principles or criminalise individuals' conduct solely by virtue of the use of new technologies. That approach would also make it possible to establish a clear distinction between, on the one hand, forms of 'on-line' political activity, civil disobedience, demonstrations and activities of little or no consequence (some of which might be covered by the term 'hacking') and, on the other hand, 'cracking', violent action directed not only against property, but also against physical persons. It is not acceptable to oblige Member States to impose criminal penalties on activities which are already adequately regulated or which are permissible and tolerated in any democratic country, or indeed which deserve to be recognised as contributing to the public good, even if they involve actions which might be covered by the term 'attacks against information systems'. For example, action to combat censorship and disinformation which involves interference in, or sabotage of, the means used to repress individuals or whole nations. It is consequently essential to include in the proposed framework decision explicit references to fundamental rights and freedoms, and to reaffirm, in line with the subsidiarity principle, that Member States may include in their own legislation exemption clauses which may be applied without thereby infringing the law of the European Union. The draftsman considers that, unless the proposed amendments are adopted, the proposed framework decision could not be regarded as a positive step in terms of extending into the realm of cyberspace the 'area of freedom, security and justice' which is the objective of the European Union's cooperation in the field of justice and home affairs."
I have some problems understanding what exactly separates 'cyber-nonviolence' from 'cyber-violence', but he is certainly right to point out that we must accept, or even endorse, that people take political protest into the digital realm and by doing so sometimes might cause some trouble to computer systems. While such trouble making might justify some kind of punishment, democracy can only work if there are effective ways of protest, and this has to be taken into account when considering which punishment is appropriate.
17:24
When Feds attack. FBI's Russian hacks a bad precedent [The Register] - a government body attacking computers in another nation-state ... isn't this what cyberwar is about? See also "Reuters: Lawyer to challenge FBI in Russian sting".
12:19
abc: UK police warn media over coverage of girl murders. UK police have warned the media to reduce coverage of the murder of Holly Wells and Jessica Chapman, or face possible charges for prejudicing the trial. Police and the Government's top lawyer, Attorney General Lord Goldsmith, have issued warnings in recent days urging the media to tone down their coverage. Under UK law, the press cannot publicise anything which risks a "substantial risk of serious prejudice" after a suspect is arrested. In a statement on Monday,... [bplog]
12:16
Where Cheaters Often Prosper. In a trend that should delight amoral entrepreneurs everywhere, sales of online term papers are picking up as the school year approaches. By Joanna Glasner. [Wired News]
12:15
KoreaTimes: 40 Pct of Workers Report Internet Surveillance. Four out of every 10 employees are concerned about employers' monitoring of their private Internet usage during office hours. About 68.2 percent of respondents claimed that bosses are infringing upon their privacy by tracking the e-mail they exchange. In an online survey of 37,660 employees, leading Korean Internet portal Daum Communications found that 40.3 percent of respondents are subjected to electronic surveillance when using chatting programs and sending e-mails. [ ... ] About 8.7 percent of respondents reported having their access to the Internet confined to specified sites authorized by the company. Another 7.6 percent complained their companies trace the websites they visit through a log file analysis, and 4.1 percent reported that their employers actually check the content of e-mail exchanged at work. About 45.5 percent reported no restrictions on use of the Internet in the workplace. [Privacy Digest]
11:51
Business News from Wired News - Tech Keeps Tabs on School Kids. To stay vigilant, parents and school administrators are increasingly relying on an arsenal of gadgets that will watch, track and, in a worst-case scenario, identify the remains of their charges. Before little Suzy skips out the door swinging her Powerpuff Girls lunchbox, her parents can lock a Wherify GPS-enabled bracelet on her wrist that works like a personal LoJack, pinpointing her exact location as she walks to class. If she's tardy, her parents can jump on the Internet and check her coordinates using aerial or street maps. And if she runs into a strange man asking for help finding a lost kitty, she can press two buttons on the bulky device to dial 911. The bracelet also notifies the cops if someone tries to forcefully remove it. [ ... ] Once Suzy traipses safely through the doors of Hometown Elementary School, she hands her lunchbox to an attendant and steps through a metal detector to make sure she's not packing heat next to the peanut butter and jelly sandwich. As she jostles her way through crammed corridors to her homeroom, she is followed by a maze of pivoting cameras made by Axis Communications that beam her image over the Internet to the principal's Palm Pilot or the database of an outside security firm. [Privacy Digest]
11:51
New York Times (free registration required): Tracking Bay Area Traffic Creates Concern for Privacy. Drivers who use electronic passes to pay bridge tolls in the San Francisco Bay area will soon find themselves participating in a broad government traffic-watch program, with highway officials tracking their movements throughout the region to gather data on delays and driving times. The Metropolitan Transportation Commission is to begin installing about 150 roadside transponders in November for a network that will eventually cover 500 miles of freeway. Philip E. Agre, an expert on electronic surveillance, said he believed it was the first routine government use of the technology for any purpose other than collecting tolls. While privacy advocates have said they are wary of the new system, commission officials insisted that it had many safeguards to ensure the anonymity of drivers and that it would never become a tool of law enforcement or other prying eyes. [ ... ] While several privacy experts praised the initial design of the system as considerate of the privacy of drivers, they said they worried that it could be altered later. Jayashri Srikantiah, a staff lawyer for the American Civil Liberties Union here, said: "In this environment, we're very concerned that a system, which initially installed has some checks for anonymity, would be expanded so that it is used to surveil innocent motorists. All it takes is a small tweak in the system." Beth Givens, founder and director of the Privacy Rights Clearinghouse, an advocacy group in San Diego, said her initial hostility had been dimmed by the way the system planned to encrypt information and to purge it daily. "Given those two things, it's hard for me to be quite so negative," Ms. Givens said. But, she cautioned, "They can always change their policy." Toll collection records have been used by the police in the New York area, Massachusetts and Florida.
But tracking devices only on toll highways or at bridges and tunnels offer more limited surveillance than the Bay Area system would without privacy safeguards. [ ... ] He added: "It's hard for me to sit here and prove a negative -- that I'm not going to do what I say I am not going to do. We're not going to change the policies. We're not going to comply with the California Highway Patrol if for some reason they ask us to change the policies." But if such assurances are not enough, he offers one more protection. All FasTrak users will be sent a simple device to keep the transponders from tracking their car: a Mylar bag. A driver can put his FasTrak pass into the bag, and the transponders will never know it is there. [Privacy Digest]
11:51
Crotch Grabbing OK, Playing CD on PC Not OK
Digital rights activists are angered by evidence that the new Michael Jackson CD "Rock Your World" will not be playable in PC CD-ROM drives. Sony's decision to bend the standard CD format has been branded "dubious" and "underhand" by the UK's Campaign for Digital Rights. The record label's decision to modify the CD singles so that they are only playable by stereo systems risks breaching trading standards, as no warnings are included on the packaging. [Adam Curry: CurryDotCom]
11:50
Washington Post: "the risks associated with our nation's reliance on interconnected computer systems are substantial and varied". There is little excuse for this; it's just human nature to be complacent about security. I've been told time and time again of smart people who fail to press the "Go Secure" button on their STU-III phones, just because it's inconvenient.
It's not the individual's fault! It's up to us - the technology industry - to create systems that are complacency immune - that are designed to be complementary to the way that users and administrators really act. And it's up to IT to realize that it's their responsibility - likely to the point of liability - to broadly deploy technology that is configured to be secure in a complacency-immune fashion.
No, it won't be perfect: this is all about risk management. You can't control how people behave - so create an environment in which they do the "right thing" naturally.
[Ray Ozzie's Weblog]
11:50
Shrinkwrap licenses for books. Sometimes husbands, especially ones who work in the computer field and are going to library school, can be helpful. Mine just sent me an e-mail concerning this interesting article from InfoWorld on shrinkwrap licenses for books. The books the author discusses appear to be specialty items, but I think I've seen one or two come into our library. This is another reason to be very wary of UCITA. [Leah's Law Library Weblog]
11:39
DoubleClick Changes Ad Policy. In order to ward off an investigation into its privacy practices, online ad provider DoubleClick Inc. agreed Monday to adhere to stiff privacy restrictions - and to pay a $450,000 settlement. [AP Tech News]
11:38
Fees Threaten College Webcasts. The signal from San Diego State University's KCR station is so weak it can barely be heard on campus - if at all. Yet for the past six years its eclectic programming has reached the entire world. [AP Tech News]
11:37
Still we have had no electronic bank robbery, since we have no electronic money which can be robbed. Just boring defrauding of electronic accounts. I want court cases with trojan horses stealing eCash tokens!
Nevertheless, an interesting "incident":
crownegold: The $7 million hack. Transfer and payment company Crowne Gold describes a recent attack on their servers, during which hackers almost managed to steal $7 million in electronic gold accounts. HavenCo gets an unfavourable mention, for failing to have support staff on site. The attack neatly illustrates the folly of relying on post-hoc enforcement instead of proactive security.
Hackers managed to breach part of the Crowne Gold system due to a key-logging program not recognized by the most up-to-date... [bplog]
11:29
Admit it, Ev, you were looking at porn. Evan "Ev the Blogger Dude" Williams has found an unexpected benefit to the practice of pair programming. I wonder how I missed this entry of Evan's: I've discovered one reason pair programming is productive: It's a lot more obvious you're spending time surfing blogs and checking your email for messages from girls when there's someone sitting beside you helping you work on a problem (especially when you're paying them out of your pocket). [The Happiest Geek On Earth]
10:59
Verizon rebuffs RIAA request, citing due process and privacy rights of subscribers. From the RIAA's site describing its request that a federal district court in DC enforce a subpoena [pdf] "that would require Verizon to disclose some limited information [name, address and telephone number] about the identity of a Verizon Internet subscriber who is engaged in significant copyright infringement by making files available for others without the permission of the copyright holder." According to Wired, Verizon has refused to comply with the subpoena, citing due process concerns, and arguing that the DMCA "doesn't give [the RIAA] the right to demand the identity of individual users."
In its motion to enforce, the RIAA argued that: "Compliance with the subpoena will require only a simple and ministerial act by Verizon, putting virtually no burden on them. The Court should order Verizon to comply immediately in order to allow the rightful copyright owners the opportunity to bring a halt to the unlawful dissemination of their copyrighted works."
An article at NewYork.com: " 'We recognize that copyright holders are entitled to protection, but we're also concerned about the privacy rights of our subscribers,' said Eric Rabe, vice president of media relations for Verizon. 'We want to make sure they're protected too,' he added, particularly since this is a somewhat new area of law. Verizon is expected to file a response to the motion within a few days." [Rory Perry's Weblog]
see also:
RIAA Sues Internet Providers for Failing to Censor [LawMeme: Legal Bricolage for a Technological Age]
10:39
Spanish judge bans party for ETA links. A Spanish judge banned a Basque political party Monday that was accused of collaborating with the armed separatist group ETA. The ruling came hours before a special session of the Spanish Parliament met to demand that the party be declared illegal. [International Herald Tribune: Europe] For our friends overseas: calling ETA an 'armed separatist group' doesn't really describe them fully. I can't really judge if their goals are worthwhile, but the means they use to get there are plain and simple terror, not 'armed rebellion' or something like that.
10:00
Protecting public morality
From Ananova:
115 arrested at live sex show -- More than a hundred people have been arrested for watching a live sex show in Atlanta. Police say one woman had sex with up to ten men on stage at Club Zinc. Undercover police officers watched the show for three hours before making 115 arrests. [The LitiGator]
9:50
delawareonline: Wilmington police photo policy under fire. Delaware Online reports on a local police practice of detaining, photographing and releasing innocent people, and using their photographs to build a database of "potential suspects". Via TalkLeft . Compare with the Denver police department's database of files on law-abiding citizens. Mayor James M. Baker said criticism of the photographing is "asinine and intellectually bankrupt," and he will not stop the practice. "I don't care what anyone... [bplog]
9:06
The VA is tightening its policy on the disposal of old computers following disclosures that PCs containing sensitive veteran info were given away. [FCW: Policy]
9:01
Research about cybercrime has the same problem as all other research about white-collar crime: we don't know much about what really happens out there. While criminologists are quite confident that they have a reasonably good knowledge about things like murder and robbery, we know next to nothing about cybercrime. We don't have statistics on who is doing what, causing which damage, and why. There is nearly no data of scientifically acceptable quality on cybercrime, so people use low-quality data like the CSI survey (see here, here and here) and read whatever they like into it.
So the US government wants industry to share more data on cybercrime incidents. That certainly would give us a more robust data foundation; research would benefit from it, which would result in more secure systems.
One problem remains: companies have reasons not to report cybercrime to the police, so how do we know that these reasons don't apply to sharing it with the government, too? We don't know, because there has been no research on this subject. But at least we have hints why they don't report cybercrime. Most often people attribute the reluctance to report such incidents to fear of leaking information to the competition, or of being exposed to the public as incapable of running a "secure shop". And laws like the FOIA don't help in dispelling these fears.
See: Another View: FOIA and data sharing don't mix - an industry view [Government Computer News - Security]
1:06
The Army is investigating how a San Diego company was able to break into dozens of military computers while conducting routine business. [Government Computer News - DOD Computing] But it seems that before investigating what exactly happened, they started harassing the contractor ("a newly founded security company" - hmm).
0:27
[Hideaway.Net] had a link to an article at c|net by Robert Lemos titled "Safety: Assessing the infrastructure risk". Mr. Lemos presents a well-balanced view on cyberterror and warnings of a digital Pearl Harbour. While showing why most reports on a "virtual Pearl Harbour" are something between exaggeration and horror-story "FUD", he still keeps in mind that computer security is in a sorry state and people may use this fact to hurt others.
0:11
Maximillian Dornseif, 2002.