Tuesday, April 1, 2008

Why would anyone want to attack epileptics?

Article: http://www.wired.com/politics/security/news/2008/03/epilepsy

Last Easter weekend, when most Americans were spending joyous time with their families, a group of hackers were pulling a vicious prank (if you can really call it a prank) on the Epilepsy Foundation's forums. On Saturday, the hackers posted hundreds of messages embedded with colorful animated gifs. On Easter Sunday, they used a JavaScript code in their posts that redirected users to another page that contained a colorful, flashing image designed to trigger seizures in epileptics. Many people did in fact suffer from seizures after viewing these images, and some just suffered from severe migraines. While the authorities do not know for sure who the culprit is, it is believed to be the group Anonymous, known for their protests against the Church of Scientology.

Ah, the human race never ceases to amaze me. I just can't grasp how anyone would want to do such a horrible thing to innocent people. Epilepsy is not a joke -- it's a serious disease. People can lose consciousness during a seizure. People have even died from seizures.

The bright side of this incident is that it caused the Epilepsy Foundation to increase security on the forums. They also reacted very quickly to the incident, promptly shutting down the forums to remove the messages. Had they not done this, many more people would have suffered.

Happenings like this show that you do not need to be a super-smart hacking whiz to wreak havoc in cyberspace. Someone who knows nothing about hacking could have launched an attack like this. The way I see it, not much could have been done to prevent this attack. All it took was an anonymous user to enter the forum and post a message -- and even if the site requires you to make an account in order to post, the attacker could just use false information to make it harder to track him. Most message boards have moderators that monitor the posts, but the moderator is not online 24/7. Perhaps a good solution would be to implement a system where all posts containing embedded files (like images) must be approved by the moderator before they go public. Otherwise, forum users must proceed at their own risk and hope for the best.
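One way to build the approval step suggested above, as an added example that is not code from the Epilepsy Foundation's forum software: a post is published immediately only if its body contains no embedding or script-capable markup, and everything else waits in a moderator queue. The tag list, class names, and sample posts are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumed policy: tags that embed, load, or execute content are held for review.
HOLD_TAGS = {"img", "script", "iframe", "object", "embed", "video",
             "audio", "meta", "link", "svg", "style"}
URL_ATTRS = {"href", "src", "action", "formaction"}


class EmbedFinder(HTMLParser):
    """Collects the reasons a post body needs a moderator's approval."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.reasons = set()

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names before calling us.
        if tag in HOLD_TAGS:
            self.reasons.add(f"tag:{tag}")
        for name, value in attrs:
            if name.startswith("on"):  # inline event handlers (onclick, onload, ...)
                self.reasons.add(f"handler:{name}")
            if name in URL_ATTRS and value:
                # Browsers ignore whitespace/control characters inside the scheme.
                compact = "".join(c for c in value if c > " ").lower()
                if compact.startswith(("javascript:", "data:", "vbscript:")):
                    self.reasons.add(f"scheme:{name}")


def review_reasons(body):
    """Return a sorted list of reasons; an empty list means plain text/markup."""
    finder = EmbedFinder()
    finder.feed(body)
    finder.close()
    return sorted(finder.reasons)


class Forum:
    """Hypothetical forum with a public list and a moderator queue."""

    def __init__(self):
        self.public, self.pending = [], []

    def submit(self, author, body):
        reasons = review_reasons(body)
        post = {"author": author, "body": body, "reasons": reasons}
        if reasons:
            self.pending.append(post)   # invisible to readers until approved
            return "pending"
        self.public.append(post)
        return "public"

    def approve(self, index, moderator):
        post = self.pending.pop(index)
        post["approved_by"] = moderator
        self.public.append(post)
        return post


# Constructed sample posts (not taken from the incident).
SAMPLE_POSTS = [
    ("alice", "Has anyone tried the new support group schedule?"),
    ("bob", '<p>Photo from the walk: <img src="https://forum.example/walk.jpg"></p>'),
    ("mallory", "<script>/* placeholder script body */</script>"),
    ("mallory", '<a href="java\tscript:void(0)" onmouseover="void(0)">link</a>'),
]


def run_samples():
    forum = Forum()
    return forum, [forum.submit(author, body) for author, body in SAMPLE_POSTS]


if __name__ == "__main__":
    forum, results = run_samples()
    for (author, _), status, in zip(SAMPLE_POSTS, results):
        print(author, status)
    for post in forum.pending:
        print("held:", post["author"], post["reasons"])
```

This gate only decides who sees a post and when; a post the moderator approves still needs its markup sanitized on output.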

Thursday, March 27, 2008

iTunes goes unlimited?

Article: http://arstechnica.com/news.ars/post/20080319-apple-may-bundle-unlimited-itunes-with-ipods.html

iTunes, the popular Apple program used for buying, playing, and managing music on your iPod, may be going through a major change. At the moment, users must pay 99¢ per song, and most albums are priced around $9.99. But Apple wants to offer a subscription service that will allow consumers to purchase an unlimited amount of songs at one price, as long as they still own the iPod the plan is registered under. If the consumer buys a new iPod, they have to pay the fee again to renew the subscription. Apple wants to charge $20, but record labels would rather see somewhere around $80.

The article is unclear as to whether the fee would be a one-time payout, or if you would have to pay it every year. If it is a one-time payout, $20 and even $80 are great deals, considering that buying CDs at the mall will cost you between $10 and $20 each. But if you have to renew your subscription every year by paying the fee again, $80 seems way too high. Paying $20/year is much more reasonable.

There are a few other questions that need to be answered. I love my iPod, and unless something comes out that blows it out of the water, I will never switch brands of mp3 players. What I DON'T like is digital rights management (DRM). When you buy a song from the iTunes store, it is DRM-encrypted, which means you cannot play the song on any device but the iPod (or your computer, of course). Not only that, there's a limit to how many times you can burn the song to a CD. There is a way around that by burning a CD, then ripping the song back off it, which removes the DRM. But that's beside the point. If I pay for my songs, I should be able to use them freely. I should be able to put them on my cell phone, or make ringtones out of them. I should not have to burn them all to audio CDs and rip them back to the computer just to use them freely. So my question is, if iTunes is going to ask consumers to pay a yearly/monthly/one-time fee in order to download music from their store, are they going to get away from their ridiculous DRM ways? Probably not, since it locks consumers into repeat Apple purchases in order to play their purchased music.

Another question I want answered is, will the entire iTunes database be open to everyone for download? iTunes has separate stores for separate countries -- US, UK, France, Italy, Japan, etc. I love contemporary music from other countries, and sometimes it's hard to come by. Imported CDs can cost a fortune, and finding it on the internet isn't always easy. Many times I find music I like on iTunes, but I cannot buy it because you can only buy from the store in the country you're registered in. If this new service allows you to download from any iTunes store, that alone would be a selling point for me. While I still hate DRM, I'd put up with it if it was the only affordable way for me to get my international taste buds satisfied.

iTunes is probably the largest (or one of the largest) music databases out there when you consider how many countries it serves (which means different music for different stores). I think many consumers would be all over this subscription service if launched. As for me, I will wait and see what the answers to my questions are before I decide whether I like it or not.

Tuesday, March 25, 2008

Word of the day: Googledorks

Article: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9064238

A hacker group known as The Cult of the Dead Cow (cDc) has released a program called Goolag Scanner which utilizes -- you guessed it -- Google. It is meant for IT workers to scan websites for security holes, but it can also be used maliciously by hackers by allowing them to find vulnerabilities and attack them.

Here is the way it works: Goolag Scanner contains about 1,500 search queries that when run in Google, can reveal website vulnerabilities. These queries are known as Googledorks. By using the program, you can run automated scans instead of copying each query into Google individually and searching.

cDc has tested the program on many government websites and found some pretty bad security holes. It just goes to show you how insecure the Internet really is; even the government can't guarantee data security.

Is Goolag scanner ethical? cDc claims it is, quoted as saying, "What we're trying to do is two things: 1) to provide a very easy and legitimate tool for security professionals to test their own Web sites for vulnerabilities, and 2) to raise awareness about Web security in and of itself." Sure, it sounds good on paper (or in this case, the monitor), but even they admit that Goolag Scanner will undoubtedly be used in harmful ways too.

What's done is done, however; the tool is out there and available to the general public. The best thing for website owners to do is use the tool on their own websites to locate any insecure data before the hackers do.

Thursday, March 20, 2008

Supermarket sweep

Article: http://www.businessweek.com/ap/financialnews/D8VG4BGG0.htm

When you use a credit card while you're shopping, you like to think that your card information is safe. But a recent supermarket data breach proves that this is not always the case. Hannaford Supermarkets has suffered one of the largest security breaches on record. Between Dec. 7 and March 10, 4.2 million credit and debit card numbers were exposed and at least 1,800 were stolen. The company still doesn't know how it happened; last February, their transaction system was found to meet the latest standards for data security. Little did they know that while their system was being verified to have the latest security, it was being hacked at the same time.

This is certainly not the first time this kind of thing has happened. TJ Maxx and Marshalls, run under the TJX Co., suffered an even larger data breach of tens of millions of credit cards. It just goes to show you how difficult it is to protect data. No matter what measures you use, a database is never 100% safe. There will always be someone clever enough to infiltrate it. It seems to me that when you're a professional dealing with data security, being well-informed is probably your best bet for preventing security breaches. 1) Keep your system up-to-date with security. Install any needed software, patches, etc. to protect your data. 2) Keep yourself informed with trends in the IT security world. Read up on problems other companies/people have had, so that you know what to look for and what to arm yourself against. 3) Education. Keep current with things you need to know to do your job well. Whether that be by taking classes or self-teaching.

And if you're on the other end of the database, that is, you are the client, you need to stay informed as well. Always check your credit card statements, get regular credit reports, maybe invest in a service like LifeLock. In today's world where none of your personal data is 100% safe, being ignorant of how your data is used is probably the most dangerous thing of all.

Wednesday, March 19, 2008

Data privacy

Article: http://www.informationweek.com/blog/main/archives/2008/03/hospital_worker.html

In late January/early February, popstar Britney Spears visited UCLA Medical Center for treatment. Seeing as she is a prime target of the media nowadays, it was almost inevitable that something would go wrong with her visit. And sure enough, something did go wrong. Not one, not two, but thirteen employees were recently fired for violating Spears' privacy. Six more were suspended.

The medical center did everything it could to prevent the situation. Because all medical workers are granted access to patient records so that they can do their job, avoiding violation of patients' privacy pretty much relies on the Honor Code and on warnings issued by UCLA. UCLA officials warned employees not to access the medical record of a patient unless they were directly caring for that patient. They also warned that violation of patients' privacy would result in disciplinary action and possibly termination. But you know what they say, the more you tell someone not to do something, the more they will want to do it. Luckily, the medical center was monitoring access to Spears' records, trying to catch unauthorized personnel in the act.

This is the problem when you have a database that can be accessed by any personnel in a certain department. All the personnel have access because they need the information to do their jobs...however, they have access to all records, when they only need access to a few records at any given time. This problem is not only at the UCLA Medical Center...many organizations suffer as well.

Let's face it, we can't always rely on people to do the right thing. There will always be bad seeds who are going to break the rules. For that reason, there needs to be better controls on databases in these types of environments. True, all medical workers, such as nurses, doctors, and interns, need access to patient records. They need this information in order to treat their patients. However, can't there be a control that only allows access to records of patients currently being treated by that worker?

Let's say Nurse Betty is treating 5 patients. She would only be granted access to those 5 records. Now let's say two of her patients are released and she accepts one more. She has now gained access to one more record, but lost access to the records of the two released patients. Basically, when a patient is accepted to the hospital, all relationships to the correct personnel would be established and unless the patient is assigned a new doctor, nurse, etc. at some point, those personnel would be the only ones able to access their records.

I do not know if this is a realistic solution, it may require too many resources to implement a control like this, and money doesn't grow on trees. But idealistically, it sounds like a good solution so that people like Britney Spears, who already has enough problems, do not have to worry about Joe Schmo posting private medical records all over the internet.
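The control described in this post, sketched as an added example (not UCLA's system or any vendor's code): access to a record follows the current care relationship, and every read attempt is logged so that the kind of monitoring UCLA relied on still catches attempts that are refused. Class, method, staff, and patient names are hypothetical.

```python
from datetime import datetime, timezone


class CareTeamAccess:
    """Record access follows who is treating the patient right now."""

    def __init__(self):
        self.care_team = {}  # patient id -> set of staff ids currently assigned
        self.audit = []      # every read attempt, allowed or denied

    def admit(self, patient, staff):
        # Relationships are established when the patient is accepted.
        self.care_team[patient] = set(staff)

    def reassign(self, patient, remove=(), add=()):
        # A patient is given a new doctor or nurse during the stay.
        team = self.care_team[patient]
        team.difference_update(remove)
        team.update(add)

    def release(self, patient):
        # Releasing the patient ends every staff member's access at once.
        self.care_team.pop(patient, None)

    def patients_of(self, staff_id):
        return sorted(p for p, team in self.care_team.items() if staff_id in team)

    def read_record(self, staff_id, patient):
        allowed = staff_id in self.care_team.get(patient, ())
        self.audit.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "staff": staff_id,
            "patient": patient,
            "allowed": allowed,
        })
        if not allowed:
            raise PermissionError(f"{staff_id} is not treating {patient}")
        return f"<record for {patient}>"

    def denied_attempts(self):
        # What a privacy officer would review: who tried, and for which patient.
        return [(e["staff"], e["patient"]) for e in self.audit if not e["allowed"]]


def nurse_betty_walkthrough():
    """Replays the scenario from the post with constructed ids."""
    acl = CareTeamAccess()
    for n in range(1, 6):                       # Betty is treating 5 patients
        acl.admit(f"patient-{n}", {"nurse.betty", "dr.lee"})
    before = acl.patients_of("nurse.betty")

    acl.release("patient-1")                    # two patients are released
    acl.release("patient-2")
    acl.admit("patient-6", {"nurse.betty"})     # and she accepts one more
    after = acl.patients_of("nurse.betty")

    acl.read_record("nurse.betty", "patient-6")      # allowed, still logged
    try:
        acl.read_record("nurse.betty", "patient-1")  # released: denied and logged
    except PermissionError:
        pass
    return before, after, acl.denied_attempts()


if __name__ == "__main__":
    before, after, denied = nurse_betty_walkthrough()
    print("before:", before)
    print("after: ", after)
    print("denied:", denied)
```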

Tuesday, March 18, 2008

A new kind of benefits package

Article: http://www.avuetech.com/avue-and-lifelock-move-protect-federal-agencies-identity-theft-liability

Most companies provide their full-time employees with some kind of benefits package, though some packages are better than others. This article introduces something new to employee benefits, at least something I have not seen before.

A company called Avue, a provider of "human capital technology solutions", is the leading provider of these services to the federal government. Another company called LifeLock is the leading provider of identity theft protection services. These two companies have decided to merge their services for any federal agencies who subscribe to "Avue’s human capital automation platform." So if you work for one of these agencies, you can opt-in for protection against credit and identity theft at no extra charge. LifeLock guarantees that they will reimburse you up to $1 million in financial losses if your identity is stolen while covered by LifeLock.

I think this is a great free service, and I wish it were offered through other employers in addition to the federal government. Though I can see why identity theft protection is critical in the government sector. Stealing the identity of a government worker can be very serious, considering that many government workers have access to classified information. One single data breach can cost the government hundreds of millions of dollars.

LifeLock is definitely a service for anyone to look into, even if your company doesn't pay for it. I personally know someone who has had his identity stolen several times. If someone steals your identity and ruins your credit, you may never be able to recover from it. Forget about buying a house, a car, or getting that loan you need. If you ask me, a small $10/month fee definitely gets you more than your money's worth.

Wednesday, March 5, 2008

A different kind of Radar

Article: http://www.informationweek.com/showArticle.jhtml;jsessionid=MBLVKEBRUMC4SQSNDLRSKH0CJUNN2JVN?articleID=206900039&queryText=photo+sharing+startup

Cell phones are becoming more and more advanced as time progresses. Now many people have internet service on their phones so that they can access the web anytime, anywhere (as long as you are in a service area, anyway). Cameras are another fun feature that come on most phones today. One company has created an application to put those cameras to use -- or maybe more use. The program is called Radar, and it allows users to take pictures and record videos on their phones and then upload them to the internet-based photo sharing service directly from their phones. This service, of course, utilizes a database to store users' photos.

Photobucket is a similar service on the internet where people can upload photos and essentially make electronic photo albums for family and friends to view. You can upload pictures to Photobucket from your phone too, but Photobucket does not enable comments on photos. It also differs in that it was mainly designed for use on a computer, while Radar was designed primarily for mobile phone use. Myspace and Facebook offer mobile service for certain wireless carriers and phones as well, but it's not quite the same since these sites utilize user profiles that share more personal information. Some people hate Myspace and/or Facebook, and others may use these sites but still just want a photo-sharing account that does nothing but that -- share photos.

Radar actually brings the best of both worlds together -- you can keep a Photobucket-like account to share with friends who have Radar accounts, or you can use Radar's Myspace and Facebook utilities to share your Radar-hosted photos on these sites, so that people who do not use Radar can still see them. I have several friends who hate Myspace, but signed up anyway because it was the only way to view their friends' photos (you're required to login to view photos). With Radar, you are given the freedom to either view/comment on photos with their program, or on Myspace/Facebook, whichever you prefer.

Tuesday, March 4, 2008

Gun control

Article: http://www.usatoday.com/news/nation/2008-02-18-state-gun-laws_N.htm

With so many campus shootings occurring throughout the United States, the federal government is taking steps to prevent it. The FBI currently keeps a database called the National Instant Criminal Background Check System, or NICS, which all gun dealers must check before selling a firearm. This database keeps records of people who are not allowed to buy firearms, including criminals and the mentally ill. The problem is that most of the states are not doing their part to contribute to the database, which is a serious problem since most of the information in the database comes from state court systems. The federal government is not allowed to force states to submit records, so they must take other measures. President Bush signed a new law on Jan. 8 that will give grants to states that agree to submit names of their mentally ill residents to the NICS. States that don't comply may actually lose money used for fighting crime.

I have mixed feelings on this. Seung Hui Cho, the shooter in the Virginia Tech massacre, was declared to be dangerously mentally ill by the court, yet his record never made it from the state to the federal database. The shooting may have never happened had he not been able to purchase the firearms. But then there's the point that someone who really wants to murder will find a way to do it, regardless of the law. Had Cho's record been included in the database and the dealer did not sell him the firearms, he may have acquired a gun illegally instead, or taken one from a relative.

People commit murders, weapons are only a means of doing it. Even with states contributing to the database, it more than likely won't help much with preventing crime, because criminals with the intent to murder will simply acquire guns by other means. The government needs to focus more on hunting down criminals and punishing them and less on preventative measures that don't really prevent much.

Friday, February 29, 2008

Saving a billion...maybe

Article: http://www.engadget.com/2005/06/14/rfid-prevents-power-tool-theft/

Bosch Power Tools has decided to take a step towards preventing power tools from being stolen from construction sites: they're placing RFID chips in their tools. This is a smart move, seeing as how last year alone the construction industry lost between $300 million and $1 billion to equipment theft.

Construction managers will use a device to scan all the tools at their site, and the tools' tracking information will be transmitted to a database. This is supposed to keep track of a site's equipment and prevent theft. However, I fail to see how this accomplishes the latter. I suppose at the end of each work day, scanning the entire site with a RFID reader would verify that all the equipment is there -- if something is missing, the database will show it because its RFID tag wasn't detected during scanning. So while this system may tell the manager that something was stolen, how does it actually prevent it?

I only see three ways to make this plan work. The first entails a RFID-reading entrance/exit to the construction site, so that if an employee walks off with a tool, an alarm will go off. The second is to have a RFID-reading security camera system that will detect a tool leaving the site and will take a photo of the perpetrator. The third way is to just have the manager scan everyone with a RFID reader as they leave to make sure they don't have any company property on them.

Simply having a database of company assets will not prevent theft -- there needs to be some sort of detection system.

Thursday, February 28, 2008

Putting the students at stake

Article: http://www.news.com/U.K.-student-records-to-sit-in-accessible-database/2100-1029_3-6230380.html?tag=cd.top

The British have developed a database which, starting in September 2008, will hold students' personal data and schooling information, such as exam results. This project applies to students aged 14-19, and the database will be available to schools and employers. The idea is to make it easy for schools and companies to pull up an applicant's records without needing the applicant to go through the trouble of acquiring transcripts, filling out educational information on applications, etc.

I can see how the new system will benefit British students, schools, and employers. As stated before, it will be more convenient for all involved parties. When applying to colleges, for example, the student must currently send copies of his or her transcript as well as applicable exam results. With this new system, that will no longer be necessary because all of those records will be electronically accessible.

However, with convenience comes a price. Is it really ethical to keep all this information in an easily accessible database? There would have to be a control that would prohibit schools and employers from accessing records of students that are not applying to their institution. Also, the U.K.'s record for keeping personal data secure is not all that great. As stated in the article, "In December, nine NHS trusts lost 168,000 patient records. A month before, the details of 25 million child benefit claimants went missing. And information on 3 million learner drivers disappeared during that time." Imagine if the database is the only place where a student's records are stored. If I were one of those students and all my educational records were lost forever, I would be more than upset -- acceptance to college depends on that information after all. Plus, there's the potential of a hacker breaking in and stealing or changing information. A hacker could steal a student's identity, or a student could have a hacker change an exam score to make him look better to a college.

I see where the UK is going with this project, but I don't see how convenience outweighs all the dangers. What's wrong with filling out those few extra lines on an application and requesting a few transcripts to be mailed?

Wednesday, February 27, 2008

Mac security glitch

Article: http://www.news.com/8301-10784_3-9881870-7.html

As much as I love Apple, even they have their problems...the latest being a security glitch on Mac OS X 10.5 (Leopard) that gives unauthorized users access to the password of the active user account on a Mac. The problem is that once a user logs in, the account password is stored in memory too long (rather than being erased immediately after login is complete), which enables it to be retrieved by an unauthorized person. For example: I could sit in class, log on to my computer, get up to go to the restroom, and someone could retrieve my password from my computer while I'm gone. Then if that person were left alone with my computer, they could log on under my name and do all sorts of damage.

As an owner of a PowerBook, I see this as a serious problem for several reasons. The most obvious reason is that someone can steal a user's password and log in under their user name and impersonate that user. The impersonator would have access to the user's files, some of which may be confidential. But secondly, and perhaps more importantly, if an unauthorized person logs in under that user name, they have access to that user's Keychain, the Mac utility that stores passwords to web sites, wireless networks, and the like. This means that the hacker not only has access to files on the user's computer, but may also be able to access remote information hosted elsewhere. This can be very dangerous.

A programmer in California was the one who reported the problem to Apple, and Apple responded that they would not release a security update just for this issue. So far, Leopard has been Apple's most problematic OS release...and the fact that they will not include a fix to this problem in a timely update surprises me.

Monday, February 25, 2008

You're being watched...

Article: http://www.washingtonpost.com/wp-dyn/content/article/2007/12/21/AR2007122102544_pf.html

A lot of people criticize the government for becoming more and more invasive of American citizens' privacy. Now the government is taking it to another level. The FBI is expanding their criminal database to hold a wider variety of biometric data -- fingerprints, palm prints, iris patterns, face shapes, scars, and even people's ways of walking and talking. The government claims that this will make it easier to identify criminals.

The Defense Department has already been using a database of fingerprints, irises, and faces of Iraqis and foreigners with access to U.S. military bases for the past 2 years. The Department of Homeland Security also has a database of fingerprints and has been performing iris scans at select airports. The FBI's venture is called "Next Generation Identification." It will basically be a one-stop shop for the government's identification needs. All sorts of biometric data will be held in one single database.

This is a touchy subject. On the one hand, it could be a good thing. I'm all for nailing criminals quickly and efficiently. Having such an advanced database of biometric data could also deter crime if criminals know that there is little chance they can get away with it. As the article stated, it would be useful for the military to identify terrorists from afar.

On the other hand, this database can be considered an invasion of privacy. According to one official, "A traveler may walk down an airport corridor and allow his face and iris images to be captured without ever stepping up to a kiosk and looking into a camera." Many people would see this as a "Big Brother" type of act and a severe invasion of privacy, like you're always being watched. However, an argument can be made that as long as you are an upstanding citizen, uninvolved in crime, you have no reason to fear such technology. The face- and iris-scanning is only meant to catch criminals who are walking among us.

An interesting point made in the article concerns data security. If someone steals your credit card, you can cancel it and get a new one with a new number. But with biometric data, you can't simply change it. A Silicon Valley technology forecaster brings up the point, "If someone steals and spoofs your iris image, you can't just get a new eyeball." There's also the fact that the identification technology hasn't been perfected and it is very possible to falsely identify people as criminals. If the government wants to implement this system, it has a lot more work to be done on it first.

Tuesday, February 19, 2008

This gives a whole new meaning to the word 'manicure'

Article: http://optics.org/cws/article/research/22612

Japan has done it again. Always ahead of the curve when it comes to emerging technology, Japanese scientists have developed a femtosecond laser system that can write data on to a human fingernail. An "optical microscope containing a filtered xenon arc lamp" is then used to read the data. It has only been tested on small pieces of fingernail, so now they are perfecting a system that will work effectively on a fingernail that is still attached to a finger.

This is a pretty cool technology. At the moment, I can only see it being used for identification purposes. Right now we use fingerprint readers, but maybe in a few years they will be swapped out for fingernail readers. This would be quite an upgrade in technology, because fingerprint readers are not nearly as advanced as their newer counterparts. A person's fingerprint must be stored in a database somewhere in order for the reader to recognize it. It looks in the database for a match and allows the person access based on what it finds in the database. But with this new fingernail technology, a database would actually be stored on the nail itself. The reader would simply read the identity stored on the fingernail, look up this person in the database, and determine access privileges.

In the more distant future, I can see everyone walking around with flash drives embedded in their fingernails. Hey, at least you would never have to worry about forgetting it at home. There are a couple of issues that need addressing, however. Are the lasers used with this new technology really safe to use on humans? And what about cost effectiveness...fingernails completely replace themselves every six months, which means someone who uses this technology on a regular basis has to have it redone every six months. It seems this could be pretty costly. Plus, it could just be another Big Brother technology used to invade people's privacy. But regardless, the idea that someone has developed a database technology so advanced is fascinating.

Thursday, February 14, 2008

Like we really need more bad drivers in this world...

Article: http://www.navigadget.com/index.php/2007/05/16/gps-enabled-rear-view-mirrow-knows-where-speed-cameras-are/

Radar detectors are illegal in Virginia (and surprisingly, VA and D.C. are the only ones that outlaw them), but I'm sure that doesn't stop people from using them. The scary thing about them is that they can make it easier for people who drive bad anyway, to drive worse. And by bad I mean "in a life threatening manner." To make matters worse, now there is a GPS enabled rear-view mirror that checks your vehicle's position against a database of traffic cameras, so now bad drivers will know which lights are "safe" to run. You can connect it to a radar detector and be the ultimate road demon.

This has got to be one of the most unethical uses of a database. There are some good things about it, however. The database also stores known "accident black spots," areas where accidents frequently occur. When you approach one, the mirror warns you so you can be extra careful. The mirror also helps eliminate blind spots and is coated in a way that enhances night vision, two great safety features. But these safety features don't save the mirror from being classified as unethical or unsafe. The idea of a traffic camera is to deter red light-runners. Red light-runners cause thousands of accidents and deaths every year. But if a mirror can use a database of these cameras (which should not be publicly available) to warn a driver that they are approaching one and should therefore not attempt to run the light, traffic cameras are suddenly rendered useless. Drivers once deterred may now run red lights more often because they won't have to worry about being unexpectedly caught by cameras.

Just imagine if someone used this mirror along with a radar detector. Not only would they avoid being caught by safety cameras, they would also be able to speed without fear of being pulled over. All the dangerous drivers out there would feel invincible and drive even more dangerously. I imagine that Virginia will eventually outlaw these GPS mirrors...as for the other states, if they haven't outlawed radar detectors yet, I doubt they will outlaw the mirror -- the radar detector is more dangerous, in my opinion.

Tuesday, February 12, 2008

Automated gas

Article: http://www.news.com/Dutch-unveil-robot-to-fill-car-gas-tank/2100-11394_3-6229060.html

The Dutch have created a robot called the "TankPitstop." It is a robotic arm attached to a gas pump that fills your gas tank the same way an attendant would, back in the day of full-service gas stations. In order for it to operate correctly, it uses sensors and a database that stores vehicle dimensions and contours, as well as gas cap designs and fuel types. It must register the car on arrival and match it to its database in order to fuel it.

This is quite an interesting application of a database. While the robot has sensors, they are useless if there is no database to match the sensor readings against. I imagine it works like this: the vehicle pulls up to the pump, and the robot first uses the sensors to determine the make, model, and year of the car so it can find it in the database. Then it determines what fuel type to use. Then it looks up the gas cap design. Finally, using the vehicle's stored dimensions and contours, it removes the gas cap and begins fueling the tank.

There are a few important issues to consider here. Even though the robot stores vehicle dimensions in the database so it can avoid scratching or dinging the car while fueling, there is always room for mistakes. I would be a little wary of letting it fuel the tank of my brand new BMW (this is a scenario in my very VERY distant future, ha) if there's a chance it could malfunction and put a bunch of dings and scratches on my new car.

Another big issue is with customized cars. Many people buy cars and customize them by adding body kits, spoilers, and the like. I would think that if one of these cars pulled up to a robotic gas pump, the sensors would not be able to find a match in the database due to the specs of the car being different from the registered factory specs. Even if it was able to detect it, there would be a bigger chance of the robotic arm scratching the back of the car during fueling due to the car's modifications. I guess these people would just have to make do with getting out of the car and fueling it themselves.

Gas is also becoming more and more expensive and our supply is diminishing quickly. Many experts say that we will run out of gas in as little as 10 years. If this is the case, would it really be economical to implement these costly robots at gas stations, only to become obsolete a few years later? I think not.

Technologically speaking, this is a neat idea...but I don't foresee it ever becoming widespread. Realistically speaking, are we really THAT busy or lazy that we can't even get out of our cars for 2 minutes to pump our own gas?

Friday, February 8, 2008

Skyhook gives power to the people

Article: http://www.intomobile.com/2008/01/22/help-skyhook-map-wifi-hotspots-make-iphone-google-maps-my-location-more-accurate.html

Last week I did a journal entry based on Skyhook Wireless’ Wi-Fi-based navigation for the iPhone and iPod Touch. This week, I found another article pertaining to the same topic, but this article brings up a new discussion. Now, people have the opportunity to help Skyhook add hotspots to their database by submitting their own data.

As I brought up before in my last article about Skyhook, Wi-Fi navigation is not as reliable as GPS navigation because it only works if you are located near a hotspot that is in the company’s database. While the company has mapped 70% of the country’s hotspots, that still leaves a lot of areas out of the loop. I experimented with the navigation feature on the iPod Touch that is on display at the Best Buy I work at. When I clicked the button to find my location, it found Best Buy’s hotspot right away…but when I tried getting directions from Best Buy to several different locations, including ODU, it came up with nothing. Obviously, the Hampton Roads area has not been sufficiently mapped. This is where the users come in – we can now send our own hotspot information to Skyhook so they can add it to their database, which in turn makes the service more accurate and usable.

It takes a little time to gather the information they need. You have to find the MAC address of your wireless access point, and you have to find the latitude and longitude of the street address where the access point is located. This requires a little tweaking in Google Maps.

As it stands now, you pretty much have to live in a big city like New York or Boston to get ideal use out of the Wi-Fi navigation feature. So this plan sounds like a great idea to make Wi-Fi navigation more accurate and useful to everybody. But it brings up the question of data integrity…if just anyone can submit hotspot data to the database, couldn’t they send false information? If many people sent incorrect data, the navigation service would be rendered useless. Hopefully Skyhook will not just blindly accept submissions. But on the other hand, I highly doubt they’ll be able to verify all submissions either. I’m curious to see how long this idea will carry on and how successful it will be.

Thursday, February 7, 2008

Oracle patches: more harm than good?

Article: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9057226&pageNumber=2

You would think that with all the security issues there are when it comes to the Internet and networks, everyone would want to keep their systems up-to-date with the latest security patches. I know I always install them, on both my PC and my Mac. But surprisingly, a survey has found that two-thirds of Oracle DBAs do not install any Oracle security patches--EVER--no matter how critical the update may be. Some of them are even explicitly told by the security department to install the patches, and they STILL don't do it. Why would DBAs not want to fix vulnerabilities in their databases? The first thing that came to my mind was, "Are they just being lazy?" Here are the reasons that the DBAs themselves give:

1. Fear of a negative outcome on the system as a whole
2. Some vendors do not certify Oracle patches to work with their applications
3. Updates have to be done in chronological order; you cannot install a new patch until you install the previous one

The first reason is plausible I suppose. In my Systems Design class, we learned about client-server systems. In these systems (especially two-tier systems), the applications are often programmed for that specific database. If any changes are made to the database structure, it can negatively affect application performance. To install a security patch, it would first need to be tested against the applications that use that database. In many organizations there are a large number of applications and databases, and testing the patch on all of them would take months and cause downtime. For most companies, downtime is not an option.

The second reason is also valid. If a vendor does not certify a patch to work with their application, they can deny the company technical support. It would be the equivalent of voiding the warranty on your new car stereo installation because when it started having problems later on, you let your friend try to fix it instead of taking your car back to the company who installed it.

The third reason really shouldn't have even been mentioned. It's true that you can't install a patch without installing the ones before it, so if you fall behind, you're stuck. But does that even matter in this case? The DBA wouldn't install the update anyway for the two reasons discussed above. If anything, citing this "reason" makes the surveyed DBAs seem lazy or slow. At least the other two make it seem like they've got reasonable cause to avoid security updates.

While I can understand why DBAs would want to avoid system complications and "voiding warranties", I do not feel it is ethical to bypass Oracle security updates. They are there for a reason. What if confidential data gets out due to a vulnerability that could have been fixed, had the DBA installed the patch? What if a system crash resulted from not installing a patch? I think that while installing these updates may be time consuming and inconvenient, they need to be done--period.

Wednesday, February 6, 2008

Myspace tries to save itself

Article: http://www.foxbusiness.com/markets/industries/media/article/myspace-launches-platform-developers_465016_15.html

The Myspace vs. Facebook war has been going on for some time now. I believe Facebook was around first, then Myspace came along and its popularity skyrocketed. Nowadays, however, Myspace is declining in popularity and Facebook seems to be taking over. I know many people who have accounts at both sites, and many that have deleted their Myspace altogether and switched to Facebook.

Some say this is partly due to Facebook's application feature that allows users to develop and share custom applications for use on their profiles. Applications range from quizzes (e.g. "Which celebrity are you most like?") to games (e.g. Oregon Trail) to personal databases of movies you've recently seen, which you can share with friends and review together.

Now Myspace is trying to get in on the action in attempts to gain back its market share. It has launched a platform for developers to create applications similar to those on Facebook.

Will applications save Myspace? Probably not. Myspace has gotten a bad rep for all the child abductions or harassment it has brought on, as well as annoying spam in mailboxes, hackers that steal users' passwords and leave malicious comments on their friends' pages, and malicious pages that put viruses on your computer. Facebook has not had much of a problem with any of these things. Myspace apps will also open the door for more security threats, as the apps are allowed access to your profile information. I could see a skilled hacker developing some application that looks innocent, but collects personal information from anyone who uses it. Or even worse, an application that allows the developer to hack into Myspace's database and steal even more confidential information.

I myself do not use many applications on Facebook. I find that they clutter your page when you have too many, which gets annoying. Also, many applications require you to forward a message to your friends (soliciting them to also sign up for the application) in order to "install" it on your page. Getting 10 of these requests per day in my Facebook mailbox gets rather annoying, and I usually end up rejecting all of them not because I'm uninterested in the app, but mostly because I'm annoyed by all the requests. It's technically not spam, since you can only receive them from your friends, but it's annoying nevertheless.

In my opinion, applications are not the real cause for Facebook's rising popularity and Myspace's gradual demise. I can't quite put my finger on a particular reason, maybe it's a combo of many things. All I know is, Myspace needs to do much more than this if it wants to win the war.

Thursday, January 31, 2008

The future of GPS?

Article: http://www.usatoday.com/money/industries/technology/2008-01-22-skyhook_N.htm

GPS is all the rage these days. People pay extra monthly fees for GPS navigation on their cell phones. Many cars now come equipped with a built-in GPS system. These devices use GPS chips that receive signals from satellites. But now that Wi-Fi is popping up everywhere (homes, schools, restaurants, malls, etc.), why not take it a step further and use Wi-Fi signals instead of satellite signals for location-mapping? That's exactly what Skyhook Wireless founders Michael Shean and Ted Morgan have done.

Now the iPod Touch and the iPhone, which both come with built-in wireless capabilities, can use Wi-Fi signals to tell the owner their location. The devices now come with Google Maps as well, so the user can get directions using Wi-Fi instead of GPS. In order for this technology to work, Skyhook maps out Wi-Fi access points and adds them to a database. Then when an iPhone or iPod Touch user taps an icon on their device, it finds the nearest Wi-Fi hotspot and locates it in the database. Then it shows the location on the device.

This new technology has pros and cons. The advantage is that it is a low-cost alternative to GPS navigation on mobile phones. Most carriers require an extra fee to use GPS navigation on their devices. Verizon, for example, is $2.99/day or $9.99/month. But if you have a phone that is Wi-Fi-enabled, you could use wireless signals for navigation and avoid the GPS charge. This is assuming that Skyhook expands its service to other phones/carriers. The disadvantage is that Wi-Fi navigation will not be as accurate as GPS navigation. If you have a phone with a GPS chip, the satellite picks up the signal from your phone and can give you the exact location. Wi-Fi navigation, however, is giving you the location of the hotspot, not your device. If you are not right next to a hotspot, or if you are but it is not listed in the database, your location will be a little off. Also, Wi-Fi navigation will not work in rural areas where hotspots are few and far between. At least using GPS you can be in the middle of the desert and still get directions. Nevertheless, Skyhook's idea is very innovative, and if nothing else makes another neat little feature for the iPhone. :)

Tuesday, January 29, 2008

Online databases

Article: http://www.nwinnovation.com/story/0013397.html

I found this article very interesting. I know several people who keep a "database" (if you can call it that) using Microsoft Excel. I've seen it in action, and it is not very efficient. Blist is targeting these people with an easy-to-use web-based database.

Excel is just not meant to be used as a database. It is really meant to manage numbers. My uncle is a self-employed jeweler, and I remember helping him do inventory for some extra cash when I was younger. The company whose jewelry he was selling had given him an Excel spreadsheet with the ID #s, prices, and quantities of each piece. I had to go through all the jewelry and record the quantities he had into a new column, and then add the prices together to get the total value of his inventory. Excel was useful for this purpose because I could easily plug in the numbers, then use Excel's sum and multiplication functions to do the math for me in a matter of seconds.

But for people who, say, keep a spreadsheet of their movie or comic book collection, Blist will be great for them. Microsoft Access can be intimidating or confusing for non-technical people, which is why they use Excel. But web applications are generally made to be very user-friendly. They can also be more secure. I know several people who are not computer-savvy at all, and the words "maintenance," "firewall," and "security" mean nothing to them. Their computers end up having all sorts of problems or their hard drives crash and they lose all their data. For people like this, maintaining an online database is great because if the computer goes, at least all the hard work they put into their database isn't lost.

For people who like to mail around their "spreadsheet databases," every time they make a change they have to resend it to everyone. If they don't, all the recipients will have outdated or inaccurate information. But you can share a link to your online database and no matter how many changes you make to your information, the link will still be the same. That means a recipient of the link can visit the database whenever they want and see the latest information you've posted. That leaves the recipients with more accurate data and more mailbox space, and more time for the database creator (now that they are sending less email).

I have already signed up to be notified when the Blist beta releases. I think it is a great idea that will surely become a hit in the web community.

Thursday, January 24, 2008

Data is an asset!

Article: http://findarticles.com/p/articles/mi_qa3937/is_200709/ai_n21100516

As Ms. Copeland has said, "databases are everywhere." I never stopped to think about it before, but now I realize how true this is. You can't use the internet without interacting with a database. All that information has to be stored somehow. I have been working at Best Buy since July, and we use a company intranet for everything...to clock in/out, to check our daily task list, to view direct deposit electronic paystubs, to view benefit information, to send emails within the company, etc. We also use it to manage customer information, such as issuing and managing rainchecks. We even use electronic pinpads so that signatures are stored digitally. The point is, the company heavily relies on data stored within the system; we hardly ever use paper, and when we do it's usually being used to print data that's already stored in the system. This is the case with many companies nowadays. But despite the importance and omnipresence of data management, this article brings to light the reality that many companies are not managing their data effectively.

A study mentioned in the article revealed that less than 10% of the companies they studied used documented processes to manage data. And "according to the 2006 InformationWeek article, the amount of data created and maintained by organizations doubles every 12 to 18 months" (Swartz, Nikki). If organizations want to keep up, they need to learn to better manage their data.

I think a big problem is that people do not understand the importance of properly storing data. Many see it as just another bureaucratic task that does not play a huge role in the big picture.

On the contrary, data has many uses in an organization; its use for streamlining processes is one. For example, what if Amazon.com required you to input all of your contact and shipping information every time you placed an order? This would get very annoying for the customer. Luckily, Amazon.com lets you make an account that stores all your information in their database so that you don't need to reenter it every time you want to order something. Data is also very useful for helping a company adapt to its customers' needs, which is essential to stay afloat in the business world. If an internet retailer keeps records of the products its customers buy, this serves as an invaluable tool for determining what kinds of products the company should focus on to bring in more revenue.

If every employee was effectively trained in data management in order to fully understand its importance, they would very likely manage data much more efficiently.

Wednesday, January 23, 2008

The Social Music Revolution

Article: http://blog.last.fm/2008/01/23/free-the-music

Unless you've been hiding under a rock, everyone knows how acquisition of music has been a hot legal topic for the past several years. In the "old days," people had to buy CDs. I hated forking over $15+ for a CD, only to find that there were only 3 songs I liked on the whole thing. Then Napster came along and my world changed. But the downloading phenomenon spun out of control as CD sales declined. The RIAA had to butt in and start slapping people with lawsuits and fines to discourage illegal downloading, but that really didn't do too much good. Then the user-friendly, inexpensive iTunes store was launched, which helped decrease illegal downloading but still left people unsatisfied. iTunes only offers 30 second previews of songs, and sometimes a short preview just doesn't cut it. Some songs sound totally different in their entirety. Other services similar to iTunes have the same problem. This problem has led many audiophiles to bypass iTunes and continue to download music illegally.

Last.fm's announcement is certainly pleasing to the ears. Now people will be able to stream tracks in full for free. Free accounts have a 3-play limit, meaning you cannot stream a track more than 3 times, so they can't just leech off the site whenever they want to hear a song. Not only that, but artists get paid for each time someone streams a song. Which means that independent artists trying to break into the music scene can make some money off their music as well. This leaves artists, record companies, and music-lovers happy. Sure, there will still be some people who will preview the song on Last.fm and then go download it for free somewhere else. But there will be many who will go purchase that song or CD after hearing a full preview.

Last.fm has a large database as it is, but they will certainly expand it even more with this new program. I imagine it will hold even more music than before. It must also store information about each artist, each user, how many times a user plays a particular song, etc. The new program will require a more advanced database now that artists will be paid per stream. Independent artists could easily make multiple accounts, maybe with slightly different names, so as to avoid the 3-play limit (users could play the same song 3 times on each account, which cheats more money into the artist's pocket). This brings us to security. If Last.fm wants to make sure fraudulent accounts are not made, they will need to have a tracking system, perhaps utilizing cookies or IP tracking. If they see more than one account on the same IP address, it will put up a red flag for them to investigate.
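The same-IP red flag described above, sketched as an added example (not code from Last.fm or from the original post); the log layout, account names and the `min_accounts` threshold are assumptions, and the sample events are constructed. Because many unrelated people share one address behind a household or campus router, the output is a list for a person to investigate, not a verdict.

```python
from collections import Counter, defaultdict

PLAY_LIMIT = 3  # free-account limit per track, as described in the post

# Constructed sample play log: (account, source_ip, artist, track).
# The IP addresses come from the reserved documentation ranges.
SAMPLE_EVENTS = (
    # Three accounts on one IP, each using all 3 plays of the same track.
    [(acct, "203.0.113.10", "Indie Band", "Demo Song")
     for acct in ("indie_a1", "indie_a2", "indie_a3")
     for _ in range(PLAY_LIMIT)]
    # A shared IP with ordinary listening: only one account hits the limit.
    + [("alice", "198.51.100.7", "Big Act", "Hit")] * 3
    + [("bob", "198.51.100.7", "Big Act", "Hit"),
       ("bob", "198.51.100.7", "Other Act", "Tune"),
       ("carol", "192.0.2.44", "Indie Band", "Demo Song")]
)


def flag_shared_ip_clusters(events, play_limit=PLAY_LIMIT, min_accounts=3):
    """Flag (ip, artist) pairs where several accounts on one IP each
    exhaust the play limit on that artist's tracks.

    min_accounts is an assumed review threshold, not a Last.fm setting.
    Returns a list of dicts sorted by total plays, highest first.
    """
    # Count plays per account and track, keeping the source IP alongside.
    plays = Counter()
    for account, ip, artist, track in events:
        plays[(ip, account, artist, track)] += 1

    maxed = defaultdict(set)  # (ip, artist) -> accounts that hit the limit
    total = Counter()         # (ip, artist) -> all plays from that IP
    for (ip, account, artist, _track), count in plays.items():
        total[(ip, artist)] += count
        if count >= play_limit:
            maxed[(ip, artist)].add(account)

    flags = [
        {"ip": ip, "artist": artist,
         "accounts": sorted(accounts), "plays": total[(ip, artist)]}
        for (ip, artist), accounts in maxed.items()
        if len(accounts) >= min_accounts
    ]
    return sorted(flags, key=lambda f: (-f["plays"], f["ip"]))


if __name__ == "__main__":
    for flag in flag_shared_ip_clusters(SAMPLE_EVENTS):
        print(flag)
```

Lowering `min_accounts` widens the net to ordinary shared connections, which is why the threshold and the manual review step matter as much as the IP match itself.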

Last.fm has made a revolution in the music industry. Not only with the full streams, but with the concept of paying the artists for each time someone listens to their music.

Saturday, January 19, 2008

Wikipedia, not the most trustworthy database

Article: http://www.news.com/2100-1038_3-6108495.html

This article brings up a very interesting topic -- data integrity of wikis, databases that can be edited by the general public. Wikipedia is the most popular wiki on the web and also one of my favorite websites. You can look up almost anything and find information about it. In most cases the information is very accurate. I think it is a great concept to give those who are interested in a specific topic the ability to share their knowledge with other interested people. Often times you can really tell that the people who wrote or edited the article are passionate about the topic, just by the amount of detail there is.

However, the best thing about wikis is also the worst thing about wikis. If anyone can edit an article, there is always the possibility of inaccurate information. And there are always going to be bad people who vandalize articles by posting obscene pictures or information.

This article discusses how the German Wikipedia site is going to make it so a user cannot edit an article until they have been registered on Wikipedia for a specified amount of time. This is supposed to deter vandalism...but will it really? My question is, if someone really wants to wreak havoc on Wikipedia, won't they just make an account, wait the specified amount of time, and then vandalize? This system may help cut down vandalism, but I don't foresee it cutting down a significant amount. This system is a good start, but it needs to be expanded on.

If Wikipedia really wants to eliminate vandalism, there needs to be a waiting period between when a user submits an update and when the update goes live. During this period, Wikipedia staff need to look at each submitted edit and approve it so that it can go live. This method would eliminate vandalism, because if anyone tried to post obscene pictures for example, staff would simply not approve the edit, it would never go live, and the user would be banned. Data inaccuracy would still slip by however, because no one person knows everything about everything. It would still be mainly up to fellow users to spot data inaccuracy and report it so it can be fixed.

The reality with Wikipedia is that it will probably never be fool-proof. Wikis give average people the power to publish information without a certification or Ph.D. If Wikipedia was to restrict the freedom of its users too much, it would defeat the purpose of the website. So ultimately, I think the best thing is for people to turn to Wikipedia for fun...heaven forbid using a real encyclopedia for that term paper. :)