August 2006 Archives

Consumer confidence in online commerce took another hit this week when AT&T revealed that hackers hit one of its Web sites last weekend, obtaining records and credit card information of up to 19,000 buyers.

Clint Boulton of internetnews.com reported that AT&T said it would pay for credit monitoring services to customers whose data could be compromised after hackers broke into the system.

AT&T quickly identified the breach. But it’s hard to fathom a company of AT&T's size and power not making sure their sites are secure. The hack comes on the heels of AOL’s user data debacle and will give consumers another reason to be concerned about e-commerce.

Security measures at many companies are clearly falling short, some experts are saying. Shlomo Kramer, CEO of security appliance maker Imperva, told Boulon that:

“… there is a greater than 50 percent chance the attack was internal, perhaps by an employee. … Regardless of who probed the network, Kramer said the breach is indicative of how traditional security measures, such as firewalls and intrusion prevention systems (IPS), can't totally shore up a network's defenses, especially if the attack comes from within.

‘If AT&T has lots of traditional security solutions like firewalls, intrusion prevention systems, and authentication/authorization systems, very likely all of that didn't help in preventing the attack,’ Kramer said.”

Whatever the reason for the breach, companies like AT&T have to be more diligent about protecting consumer data.

Over at Slashdot.org, posters are having a field day with news about Windows Vista. Prices and the release date for Microsoft’s new operating system have been leaked online. January 30th looks like it may be the release date, but I wouldn't be surprised if the final version of the long-delayed and much-ballyhooed OS goes out later than that.

Slashdotters linked to a ZDNet article that linked to a Joe Wilcox blog about the pre-order prices listed on Amazon.



In the wake of the news, much sarcasm ensues from the Slashdotters. A poster called vmcto writes: "The 30th is a Tuesday. ... Is it going to come bundled with the first security patch or will I have to download it separately?"



If you're like me, you can get lost in these Slashdot threads. (Hey, it’s research. I’m working here.) Then you'll burst out laughing when a responder to vmcto writes, "Thanks, Rainman!" for vmcto's "the 30th is a Tuesday" line.

There's also a lively discussion about the Christmas season. Posters to Slashdot are speculating that if you buy a new PC in December, Microsoft will offer some way -- a coupon or media or something -- that allows a free upgrade to Vista once it's released in 2007.

Vista pricing also sparks its share of snarky remarks. Spidereyes expects this pricing scheme:

”Windows Vista Ultimate 1 leg 1 arm
Windows Vista Business 1 leg 1 ear
Windows Vista Home Premium 1 arm 3 toes
Windows Vista Home Basic 1 eye 1 ear (you won't be getting Aero anyway)
Windows Vista Ultimate Upgrade 1 arm 4 toes
Windows Vista Business Upgrade 1 arm

Windows Vista Home Premium Upgrade 1 ear 3 toes 2 fingers

Windows Vista Home Basic Upgrade 1 eye

All prices include your soul.”

Wireless hotspots (define) are getting much press lately, with many cities establishing, or attempting to establish, widespread public Wi-Fi networks.

Along with all the hype is a growing concern over the safety of the data in all those wirelessly connected machines.

With that in mind, Eric Geier of Wi-Fi Planet has written an excellent tutorial, "Wi-Fi Hotspot Security: Solutions for Admins." As Geier writes,

"offering public wireless access also creates a few security concerns for the admins and providers themselves. However, Wi-Fi hotspots can still be safe and secure for both the users and the businesses or organizations hosting them if the issues are properly addressed."

If you have concerns about wireless security, either as a user, provider, or an admin, check these articles out.

Over at internetnews.com, Andy Patrizio puts voice to a thought that's crossed my mind more than once in recent years: Are we all beta testers now? ...

Gone are the days when we didn't see a product, save for maybe a screen shot in PC Magazine, until it appeared on store shelves.

Can you think of a major product under development at Microsoft right now that is not in some form of beta? Vista, Office, Internet Explorer, a host of servers, the next Visual Studio, .Net framework 3.0... the list goes on and on.

Fortunately, said one analyst interviewed by Patrizio, the notion of public beta-testing has benefits beyond a vendor dumping its development work on customers:

"If you have a sophisticated user set, the user set's probably more qualified than any of your marketing guys to decide which features should be in the next version of the product. So there are a number of advantages to the vendor of having an open cycle," said Jim Duggan, a researcher at Gartner.

Further, Duggan tells Patrizio, beta isn't necessarily spelled B-A-D:

"Beta means they don't know what's wrong with it, it doesn't mean it's worse than production. They don't have the knowledge to say we guarantee this works well for you, but that doesn't mean they haven't done a good job designing it or testing it."

So next you're bothered by your vendor-imposed beta-testing burdens, remember: The rest of us are counting on you.

It seems that a Web site belonging to celebrity hacker Kevin Mitnick has been defaced by some potty-mouthed cyber-miscreants.

According to this story on CNET News.com:

Online vandals, apparently operating from Pakistan, broke into the computer hosting Mitnick's Web site on Sunday and replaced his front page with one of their own. As a result, four Web addresses belonging to Mitnick, including KevinMitnick.com and MitnickSecurity.com, displayed an explicit message on Mitnick and hacking.

The message placed on Mitnick's Web site started with: "ZMOG!! THE MITNICK GOTZ OWNED!!" and continues with expletives and a picture of Mitnick with some modifications. Security Web site Zone-H first reported the hack on Monday and has screenshots of the replaced Web pages.

My initial thought was that this was bound to happen sooner or later. But according to the story on Zone-H, Mitnick has been a frequent target of hacks. Not surprising, I suppose, given the geek code-slinger mentality.

Indeed, Mitnick has become like the retired killer in an old Clint Eastwood western, challenged and stalked by younger guns looking to make a name for themselves.

My advice to Mitnick: You're a sodbuster now, my friend. Stay on the farm and don't let them goad you into strapping on the iron. No good can come of it!

AOL's disclosure earlier this month that it had accidentally exposed user search data may no longer be front-page news, surely not in the wake of YouTube's first unplanned site outage.

But Internet users would be wise to remember the larger implications of AOL's blunder, says eSecurity Planet columnist Ray Everett-Church in this sobering piece.

AOL’s real sin was buying into the B.S. that it and other major Internet companies have been peddling for years about how anonymizing search data could insulate the data subjects – folks like you and me – from any privacy risks.

AOL "anonymizes" search data by replacing an AOL user's name with a random ID number. But as the New York Times demonstrated, many individuals using AOL search could be identified by analyzing the search terms they used.

More importantly, Everett-Church writes:

[T]he AOL search data incident reminded us all that our privacy is continuously at the mercy of those who run the tools (such as search engines) that we depend upon every day of our Internet-connected lives. Our privacy is only as assured as the products and services on whose goodwill we depend, and in that regard the record isn’t encouraging.

I told you it was sobering.

Update: Heads roll at AOL.

Sean Michael Kerner of internetnews.com continued his stellar reporting this week on the Linux World trade show in San Francisco.

His piece Friday covered a free-wheeling panel discussion on why Linux has been successful, where other renegade operating systems have faltered.



One panel expert, Dirk Hohndel, said there were several factors that led to the rise of Linux: "386 chips, which provided enough power; rise of the Internet, which permitted the collaboration necessary to build Linux; and the GNU toolchain, without which none of Linux would have happened. … Hohndel also cited the IPO of Red Hat as a critical tipping point.”

For other panelists, it was more about the charm of Linus Torvalds, the enigmatic founder and leader of the Linux movement. Jon Maddog Hall of Linux International said the success of Linux had a lot to do with the marketing of Torvalds.

"Here's this nice young man wearing sandals and with a funny accent, as opposed to other people that weren't quite as nice," Hall said.

Finally, Kerner reported that Chris DiBona of Google got in a zinger that probably warmed the hearts of many frustrated computer users:

“(DiBona) also noted the deficiencies of other competitive platforms to Linux. 'If Mac and Windows didn't suck, people would've used them,’ DiBona said.”

There's a sitcom on British TV about IT workers that is shaping up as a cult hit.

Britain's Channel 4 has green-lighted a second season of "The IT Crowd" following the success of its initial six episodes, which aired earlier this year. Further success for the show, of course, means U.S. viewers can look forward to an inferior copycat version.

I haven't seen any of the episodes, though users in the U.K. can watch highlights on the show's official web site. Basically it's about a dysfunctional group of IT workers in a London office setting. From the show's site:

A kleptomaniac, fast food junkie addicted to computer games, a dysfunctional social outcast who is still dressed by his mother, and a woman who knows absolutely nothing about computers - meet the IT Crowd

The geek sitcom does appear to be getting some good buzz:

"A British TV show has taken the best and worst of IT administrator stereotypes and packed them into a clever, side-splitting comedy." -- Jeremy Kirk, IDG News Service.

"It’s alright. You know, in a Black Books sort of way. If you like that sort of thing. And Chris Morris is pretty funny." -- heckler spray

"I saw parts of 'Aunt Irma visits' over the weekend and laughed so hard that I spit my coffee out. Too bad it is not available in the United States. When it is available I would purchase it. -- Jerry Cheng, Amazon.com reviewer, Newark, N.J.

Fortunately for Jerry and others seeking quality coffee-spitting entertainment, the first six episodes of The IT Crowd on DVD are scheduled to go on sale Oct. 9 on Play.com and Amazon.co.uk.

One byproduct of summer's sleepy news cycle is that print and online publications resort to gimmicks such as contests, giveaways, more coverage of Brad and Angelina and, of course, lists.

The thing is, that stuff works. Not all of it on everyone, of course. For example, I don't care for contests and giveaways, but I just can't get enough of Brangelina and I love lists, especially the "best of" genre.

This week Time rolled out its annual August gimmick, announcing the magazine's choices for the 50 "coolest websites."

The entire list is here. Check it out and see how many of your favorites made it, or even how many sites you recognize.

I have to admit the vast majority -- Accoona (optimized search), TMZ (celebrity gossip -- good Brangelina coverage!), Meebo (multi-client IM interface), etc. -- were unfamiliar to me. I suppose that leaves me out of Time's cool club. Such is the cruelty of life.

Still, this list is a good bookmark if you want to check out some popular sites on your own schedule.

Linux enters a new era this week, as the LinuxWorld trade show kicks off at Moscone Center in San Francisco.

The 15th anniversary of Linux will be celebrated at what is now the LinuxWorld event, as internetnews.com reported. Conference organizers have elected to mothball the full east coast show last held in Boston in April.



There will be much news at the show, which will feature topics such as virtualization, mobility, grid computing, and collaboration apps. As internetnews.com's Sean Michael Kerner writes:

"Collaboration applications, old and new, are coming to Linux desktops and servers en masse.

Among the vendors lining up to the Linux and open source trough are IBM, Zimbra, Scalix and OpenXchange. The offerings may well also help to dissuade some from using proprietary alternatives, such as Microsoft's Exchange."

IBM also announced today that its Sametime instant messaging and Web conferencing software will expand its support for Linux.

Check Kerner's stories this week for the full scoop on LinuxWorld. He already pulled out this little nugget, which reminds me why I love PR folks so much:

"This LinuxWorld is also expected to have at least two party crashers. In Boston, Microsoft was an active participant in the event with Bill Hilf, general manager of Microsoft Platform Strategy, delivering the final-day keynote.

This time around Microsoft is hosting an event outside of the convention. 'At LinuxWorld, Microsoft will be showcasing the biggest selection of apps outside of Moscone Center -- appetizers, that is!' Microsoft's press pitch states."

Google CEO Eric Schmidt asserts here that the company's customers need not fear an incident similar to AOL's accidental release of search histories for more than 650,000 users.

Not only does Google have procedures and controls designed to prevent such a data leak, Schmidt assures us, the search giant doesn't use or release personal demographic information without permission.

That's all very comforting, but I still would recommend you read this primer on CNET News.com about protecting yourself from search engines. It contains some interesting information. For example:

No law requires search companies to delete your search terms, and there are some business justifications for keeping them around at least a little while.

The article steers readers toward a search engine that doesn't store user search records. Based in the Netherlands, Ixquick.com also boasts of providing the world's most powerful metasearch.

For those who prefer their usual brand of search engine, the article offers sensible cookie maintenance and awareness advice. Although, for some reason, the author details cookie removal steps for Firefox, but not Internet Explorer, which has more than 80 percent market share.

Here's how you adjust the cookie settings on IE: Go to Tools in the pulldown menu, then choose Internet Options and then Privacy. You'll see a security slider for cookies, with settings ranging from "accept all cookies" to "block all cookies." As with Firefox, you also can elect to block cookies from specific sites.

AOL's accidental leaking of 21 million search queries by more than 650,000 users is yet another reminder that, when data is stored, strange things can happen.

Stranger still, and in many cases disturbing, are the types of personal information people reveal about themselves through their Internet searches. A fascinating article on CNET News.com offers a glimpse into the psyches of web searchers. It's not always pretty:

From that massive list of search terms, for instance, it's possible to guess that AOL user 710794 is an overweight golfer, owner of a 1986 Porsche 944 and 1998 Cadillac SLS, and a fan of the University of Tennessee Volunteers Men's Basketball team.

That's pretty normal. What's not is that user 710794 also regularly searches for "lolitas," a term commonly used to describe photographs and videos of minors who are nude or engaged in sexual acts.

Here's another:

AOL user 311045 apparently owns a Scion XB automobile in need of new brake pads that is in the process of being upgraded with performance oil filters. User 311045, possibly a Florida resident, is preoccupied with (other topics) as well:

how to change brake pads on scion xb

2005 us open cup florida state champions

how to get revenge on a ex

how to get revenge on a ex girlfriend

how to get revenge on a friend who f---ed you over

replacement bumper for scion xb

florida department of law enforcement

crime stoppers florida

One more:

One poor sap, AOL user 11574916, appears to have been preoccupied with two things: finding a mail order bride and avoiding a drunken driving court date in Florida. There's some indication that user 11574916 might have landed in New Orleans:

cocaine in urine
asian mail order brides
states reciprocity with florida
florida dui laws
extradtion from new york to florida
mail order brides from largos
will one be extradited for a dui

cooking jobs in french quarter new orleans

will i be extradited from ny to fl on a dui charge

There's lots more in the piece by Declan McCullagh. It makes for revealing, if not troubling, reading.

James Maguire's article below about compliance makes an often-overlooked point: For all the extra hassle caused by the federal reporting requirements, they've forced a lot of IT shops to tighten up their control measures.

But according to a new survey, the weak spot in compliance efforts remains electronic information. The Enterprise Content Management Association (whose acronym, for some reason, is AIIM) reports that most organizations surveyed expressed high confidence in their management of paper-based information. However:

For ELECTRONIC information, the results are far more sobering. A majority (over 50%) of end users report very weak efforts relative to: 1) Information on individual computer hard drives; 2) Information on individual portable devices (phones, PDAs, Blackberrys, etc.); and 3) e-mail. Clearly, the decentralization of information is getting more profound and more baffling by the day for those concerned about compliance, with 41.5% describing their handling of information on individual portable devices as "complete chaos."

Complete chaos? That doesn't sound good!

The full survey, Compliance: It's Real, and It's Spectacular It's Relevant, and It's More Than Just Records, will be released Aug. 15.

There's a new article over at internetnews.com that offers a good rundown of the top trends in network and computing security.

Let's see how many sound familiar to you:

Locating the Endpoint: If you and your colleagues can't agree on where your network ends, you've got a problem. You can't defend a network if you don't know where it ends.

Precision Phishing: The phishers are evolving beyond mass-mailing, targeting specific end-users for their scam game. It's called spear-phishing.

Spam Gets Graphic: Something called "image-based spam" is on the rise and slipping past enterprise filters that fail to recognize the payload hidden inside a graphic.

These topics and more are sure to come up this week in Las Vegas at Black Hat USA 2006, the annual hackers' conference. Indeed, if a glimpse of the conference schedule is a glimpse of our networked future, prepare for a dangerous and lawless cyberworld, my friends.

Cheap scare tactics, you say? How about this?...

Jeremiah Grossman, founder WhiteHat Security Inc., will give a presentation demonstrating how invisible JavaScript exploit code can be used to spy on Web site visits, hijack cookies and record keyboard strokes.

And this...

Joanna Rutkowska, a security researcher for IT security firm COSEINC, will give a presentation on "Blue Pill," technology she said could be used to create "100% undetectable malware."

And this...

Lukas Grunwald, CTO of DN-Systems Enterprise Internet Solutions GmbH of Germany, will reveal new attacks to RFID systems, their middleware and backends.

Scared yet?