
August 11, 2006

AOL Data Breach Content Details

As Count Floyd would say, scary stuff boys and girls.  CNET has published a short sample and analysis of the material that was part of the AOL data breach.  It's both scary and amusing, depending on which end of the data stream one happens to be on.

Examples:

2005 us open cup florida state champions
how to get revenge on a ex
how to get revenge on a ex girlfriend
how to get revenge on a friend who f---ed you over
replacement bumper for scion xb
florida department of law enforcement
crime stoppers florida

and

how to tell your family you're a victim of incest
pottery barn
curtains
surgical help for depression
oakland raiders comforter set
can you adopt after a suicide attempt
who is not allowed to adopt
i hate men
medication to enhance female desire
jobs in denver colorado
teaching positions in denver colorado
how long will the swelling last after my tummy tuck
divorce laws in ohio
free remote keyloggers

And while the damage is done by the breach, the dataset is on the web available for download.  No, I'm not going to tell you where.  I found it after one query in a major online search service through a link on the first page of results.  Sad. 

The story is here.


Free Vista Upgrade Coupons Coming?

The sting of missing out on holiday sales over Vista delays may be lessened for manufacturers.  Rumors are starting to pop up that manufacturers will give out coupons to consumers for a Vista upgrade on machines bought in the fourth quarter.  Something like this happened when XP was released, and before that, for sales of Office 95 just before the release of Office 97.

Read about it in CIO, Digitimes Systems, PC World, and the Seattle Post-Intelligencer.


August 10, 2006

Patch Tuesday More Critical Than Usual

Patch Tuesday came and went yesterday with 19 high priority updates, if you include the Windows Genuine Advantage Notification tool among them.  One patch, however, was critical enough that the Department of Homeland Security issued a warning of its own that it patched a vulnerability that could put the nation's critical infrastructure at risk.  The patch is described in Security Bulletin MS06-040 and is listed as highly critical in Windows Update.  Essentially, the vulnerability can allow an attacker to take control of a machine, install programs, view, change, or delete data, and create new accounts with full user rights.  The flaw is in Windows Server Services and is already being exploited in the wild.

Without being critical of DHS and the warning, haven't we heard this before about Windows?  And given the unusual step taken by DHS, please patch your systems as quickly as possible, especially if you run a government computer.

Check out the details in ComputerWorld.


Google Says Company Protects Against Accidental Data Disclosure

Google's CEO Eric Schmidt said yesterday at the Search Engine Strategies conference that Google has systems in place that prevent a data breach similar to the one that recently occurred at AOL.  Google owns a 5% stake in AOL so the comments were straightforward but not critical.  Schmidt said that the greater threat was from governments, not just the U.S. government, seeking access to the oodles of data Google and other search companies amass.

Google forced the issue to some extent earlier this year when it resisted the government's request to supply search data as part of the defense of COPA.  A federal judge did grant the request but in a substantially lesser form than the government had wanted.  Google was widely praised in standing up to the Justice Department over the case.  AOL, Microsoft, and Yahoo sheepishly caved in before Google said no. 

Google is concerned about privacy because the company's success hinges on the trust its users place in the company.  Many services offered by the company--from email, shopping, entertainment, and others--require users to provide detailed personal information about themselves that is easily correlated to their online activities.  It's not very different from customers of the other major online services but there is the perception that Google values customer privacy more so than the others.  The company even argued that point in the hearing over the COPA data.  This is another reason why the company generates so much traffic aside from the quality of their product. 

Look at Microsoft.  That company is heavily criticized for its aggressive business practices and the insecurity of Windows.  Whether Windows Live can actually compete with Google on quality is one matter, but there is all the baggage associated with Microsoft as Microsoft in that offering. 

Yahoo affiliates itself with AT&T (formerly SBC) for DSL services.  AT&T is a company that is embroiled in a lawsuit for surreptitiously giving away customer data to the government, and who has rewritten its privacy policy to convert customer data into company assets to avoid liability in the future.  To be fair, Yahoo has an independent privacy policy for its own services that are not tied to AT&T.  Still, in the aggregate, some customers must worry about how the affiliation affects their privacy.

AOL is trying hard to reform its image as a stodgy Internet provider.  It took the company a long time to get out of its walled-garden mentality to online access.  AOL is a little more imaginative these days by dropping subscription fees for broadband users and offering free online storage space (5 gigs!) to attract customers and the accompanying advertising revenue.  The recent data gaffe has got to be minimized as a one-time thing or it will hurt those efforts big time.

The worst Google has done is cooperate with the Chinese government on censorship.  But all three major U.S. players in the Chinese market got hammered on that one.  It's not always how good your product is, but that combined with how the public perceives it.  If anything, Google has run circles around the competition in that category.   

Stories about Eric Schmidt's comments are in CNET, the Washington Post, and the San Jose Mercury News.

Update:  You can read a nice summary of the session at the Search Engine Roundtable page here.


Original Moon Walk Tapes Missing

And not the Michael Jackson ones either, unfortunately.  Word from the press is that NASA has lost the original magnetic tapes containing the video of the first moon landing.  It gets a little worse, as reports show that missing tapes include the first five moon landings.  The first moon landing took place on July 29, 1969 and was broadcast over conventional television by placing TV cameras in front of monitors at tracking stations.  The original tapes were high quality and the transmission standard was not compatible with television standards at the time.  Hence the blurry pictures that are iconic in museums, planetariums, and MTV promo spots.  NASA is in a hunt to track the original tapes down so as to create a high quality archival copy of the event.

It gets a little worse even beyond this.  There's only one machine that can play the tapes, if they still exist, and if they are in a condition to be played.  It's located at the Goddard Space Center which is scheduled to close in October.  One would think that given the importance of the tapes that it would be wise to preserve the machine.  Human nature being what it is suggests that without this piece of equipment there may be no point in recovering the tapes.  Take this to heart, NASA, if you're listening.

I can suggest one alternative to NASA on behalf of all the conspiracy theorists out there.  Recreate them.  Some people actually believe that the whole moon landing was faked anyway.  Go with that one if you can't find the originals.  We have better technology now, and much better special effects.  Go into a studio, get George Lucas, or for the fun of it, maybe David Lynch, and just film the whole thing over.  And while you're at it, see if you can do something about those missing Doctor Who episodes from the 1960s as well.

Stories are in the Sydney Morning Herald, and the Hampton Union.


August 9, 2006

U. California Libraries to Join Google Digitization Project

The University of California has agreed to let Google digitize the contents of the 100 or so libraries in the University of California system.  This decision comes in spite of copyright suits filed against the search company for similar digitization projects.  Other contributors to the digitization project include Stanford, Michigan, and Harvard.

Stories are in the San Jose Business Journal, CNN International, the Library Journal, and the San Francisco Chronicle.


More Government Laptop/Data Follies

The Department of Transportation announced that a laptop containing personal data, including social security numbers, of 133,000 Florida residents has been stolen.  The information represents Florida residents who hold pilot's licenses, people in the Miami-Dade area with commercial licenses, and others who either took driver's tests or received licenses from an examination facility in the Tampa area.

This comes on the heels of a major theft of a laptop from the Department of Veterans Affairs which has since been recovered.  Two men were recently arrested in conjunction with that theft.  After all the breast-beating over that incident, a desktop system with personal information on 38,000 patients at Pennsylvania hospitals is missing.  News reports indicate that other data was compromised in incidents at the Departments of Energy, Agriculture, Navy, Social Security Administration, and the Internal Revenue Service.

In another odd little story, Naval Petty Officer 3rd Class Ariel J. Weinmann is being held in the Norfolk brig for stealing a government laptop with classified defense information and delivering copies of the information to a foreign government.  The Navy has been tight-lipped about this particular case.

It makes one wonder how seriously the government takes preventative measures to protect sensitive data.

Stories are in the Washington Post, CNET News, Computerworld, and the Virginia Pilot.


August 8, 2006

AOL: One Step Forward, Two Steps Back

AOL is under fire for posting samples of user searches to a web site.  Not just a few searches either, but 19,000,000 of them from 650,000 users.  These were recorded from March 1 to May 31 of this year.  The searches appeared in a single compressed file (440 megabytes) on a website called research.aol.com.  This is part of a project that involved academic research on searches.  The file contained no personal identification, substituting serial numbers for names.  The searches, however, contained all kinds of personally identifying information such as names, phone numbers, addresses, and social security numbers amid all the other random searches.  News reports indicate this data set is similar to the type of information AOL and others released to the government as part of the COPA litigation.

AOL has removed the data from the web while executives are blasting the fact that it even happened.  Yup, it's a mistake all right.  In the end, though, some of the responsibility still lies with the person initiating the search.  Why put in social security numbers and other personal information in an insecure search?  While this instance focused on AOL, it could just as easily have been Google, Microsoft, Yahoo, or any of the other search sites.  Be careful what you search unless you don't care who may see it.

Stories are in Forbes, the Baltimore Sun, Time, and the BBC.


ePassports Coming to the U.S.

On the heels of word that German ePassports containing RFID chips can be cloned, ComputerWorld is reporting that the State Department will begin to issue U.S. ePassports.  These will feature RFID chips that must come within 4 inches of a scanner to be read.  Security experts disagree that a contactless chip is secure, even at such a short distance for reading.  The Denver Passport Office will start distributing ePassports this week with the program spreading out to the other passport offices across the country.


August 7, 2006

Google Will Warn Users on Some Malware

Google is taking steps to warn users if a page they are about to access is known to harbor spyware or adware.  The search engine is working with the Stop Badware Coalition to identify sites that come up in search results.  There will be an intervening screen identifying the site and asking the user to continue on or return to search results.  As the definitions of spyware and adware are malleable, especially in the eyes of promoters, the possibility of a defamation suit is all too likely.  Google should be congratulated for taking the risk anyway.  Between warnings from Google and Vista, when it finally does appear, the unwary should become a little more wary about letting malware on their machines.  At least that's the theory.

The BBC has the story, as does Ars Technica, and Tech News World.


Black Hat Conference Yields Hacked ePassports, Vista Security Breaks

The Black Hat Conference took place in Las Vegas last week.  This is where security experts, law enforcement agents, and hackers good and bad get together to talk about computer security.  Microsoft showed off security features in Vista and challenged anyone to crack security.  Polish researcher Joanna Rutkowska demonstrated a breach with an unsigned driver.  The good news is the hack requires a user to click through security warnings to install the insecure driver.  The installation then takes place with administrative privileges.  The bad news is that with so many warnings that could pop up, a user may develop click fatigue and just let the malware slip right on through.  Reactions to Microsoft's focus on security were still positive in spite of this demonstration.

The German ePassport was hacked as well.  A German security expert showed how he could clone the RFID chip in his passport to create a second copy.  The data remained encrypted but would still be recognized by a reader as a legitimate passport.  There were other reports of individuals cracking the encryption and altering the data contained on a chip.  I guess it's back to the drawing board on that one.

The (London) Times Online, ITWire, and Techtree.com have the story.
