Article: http://www.wired.com/politics/security/news/2008/03/epilepsy
Last Easter weekend, when most Americans were spending joyous time with their families, a group of hackers was pulling a vicious prank (if you can really call it a prank) on the Epilepsy Foundation's forums. On Saturday, the hackers posted hundreds of messages embedded with colorful animated GIFs. On Easter Sunday, they used JavaScript code in their posts that redirected users to another page containing a colorful, flashing image designed to trigger seizures in epileptics. Many people did in fact suffer seizures after viewing these images, and others suffered severe migraines. While the authorities do not know for sure who the culprit is, it is believed to be the group Anonymous, known for their protests against the Church of Scientology.
Ah, the human race never ceases to amaze me. I just can't grasp how anyone would want to do such a horrible thing to innocent people. Epilepsy is not a joke -- it's a serious disease. People can lose consciousness during a seizure. People have even died from seizures.
The bright side of this incident is that it caused the Epilepsy Foundation to increase security on the forums. They also reacted very quickly to the incident, promptly shutting down the forums to remove the messages. Had they not done this, many more people would have suffered.
Incidents like this show that you do not need to be a super-smart hacking whiz to wreak havoc in cyberspace. Someone who knows nothing about hacking could have launched an attack like this. The way I see it, not much could have been done to prevent this attack. All it took was an anonymous user to enter the forum and post a message -- and even if the site requires you to make an account in order to post, the attacker could just use false information to make it harder to track him. Most message boards have moderators who monitor the posts, but a moderator is not online 24/7. Perhaps a good solution would be to implement a system where all posts containing embedded files (like images) must be approved by a moderator before they go public. Otherwise, forum users must proceed at their own risk and hope for the best.
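One way to build the moderation gate suggested above, as an added example that is not the Epilepsy Foundation's forum software: posts are stripped of anything that can run or redirect (script elements, inline event handlers, javascript: URLs), and any post that still embeds media is held for a moderator instead of going live. The policy, tag lists and sample posts are assumptions constructed for this illustration.

```python
"""Moderation gate for forum posts (added example, not the forum's own code).

Assumed policy: active content is removed before storage; posts that still
embed media are held for a moderator; text-only posts publish immediately.
"""
from dataclasses import dataclass
from html import escape
from html.parser import HTMLParser
import re

EMBED_TAGS = {"img", "embed", "object", "iframe", "video"}   # need human review
ACTIVE_TAGS = {"script"}                                      # never stored
JS_URL = re.compile(r"^\s*javascript:", re.IGNORECASE)


@dataclass
class Triage:
    decision: str        # "published" or "held_for_moderation"
    html: str            # sanitised markup that would be stored
    active_removed: int  # scripts, handlers and javascript: URLs dropped
    embeds: int          # media elements that survived and need review


class PostSanitizer(HTMLParser):
    """Re-emits a post's HTML without active content and counts embedded media."""

    def __init__(self):
        super().__init__()            # convert_charrefs=True: text arrives decoded
        self.out, self.active_removed, self.embeds = [], 0, 0
        self._in_script = 0           # >0 while inside <script>...</script>

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.active_removed += 1
            self._in_script += 1
            return
        if self._in_script:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):                        # onload=, onclick=, ...
                self.active_removed += 1
            elif value is not None and JS_URL.match(value):  # href="javascript:..."
                self.active_removed += 1
            else:
                kept.append((name, value))
        if tag in EMBED_TAGS:
            self.embeds += 1
        attr_text = "".join(f' {n}="{escape(v)}"' if v is not None else f" {n}"
                            for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)                     # <img ... /> has no close tag

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self._in_script = max(0, self._in_script - 1)
        elif not self._in_script:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._in_script:
            self.out.append(escape(data, quote=False))       # re-escape decoded text


def triage_post(raw_html: str) -> Triage:
    """Sanitise one submitted post and decide whether it may go live."""
    p = PostSanitizer()
    p.feed(raw_html)
    p.close()
    decision = "held_for_moderation" if p.embeds else "published"
    return Triage(decision, "".join(p.out), p.active_removed, p.embeds)


# Constructed sample submissions (not real forum content).
SAMPLE_POSTS = [
    "<p>Has anyone tried the new medication?</p>",
    '<p>Look at this</p><img src="http://example.invalid/a.gif" onload="go()">',
    '<p>hi</p><script>window.location = "http://example.invalid/";</script>',
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        t = triage_post(post)
        print(f"{t.decision:20} removed={t.active_removed} embeds={t.embeds} {t.html!r}")
```

The third sample is the shape of attack the article describes: the redirect is removed and the harmless remainder publishes, while the image post waits for a human.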
Tuesday, April 1, 2008
Thursday, March 27, 2008
iTunes goes unlimited?
Article: http://arstechnica.com/news.ars/post/20080319-apple-may-bundle-unlimited-itunes-with-ipods.html
iTunes, the popular Apple program used for buying, playing, and managing music on your iPod, may be going through a major change. At the moment, users must pay 99¢ per song, and most albums are priced around $9.99. But Apple wants to offer a subscription service that will allow consumers to purchase an unlimited amount of songs at one price, as long as they still own the iPod the plan is registered under. If the consumer buys a new iPod, they have to pay the fee again to renew the subscription. Apple wants to charge $20, but record labels would rather see somewhere around $80.
The article is unclear as to whether the fee would be a one-time payout, or if you would have to pay it every year. If it is a one-time payout, $20 and even $80 are great deals, considering that buying CDs at the mall will cost you between $10 and $20 each. But if you have to renew your subscription every year by paying the fee again, $80 seems way too high. Paying $20/year is much more reasonable.
There are a few other questions that need to be answered. I love my iPod, and unless something comes out that blows it out of the water, I will never switch brands of mp3 players. What I DON'T like is digital rights management (DRM). When you buy a song from the iTunes store, it is DRM-protected, which means you cannot play the song on any device but the iPod (or your computer, of course). Not only that, there's a limit to how many times you can burn the song to a CD. There is a way around that by burning a CD, then ripping the song back off it, which removes the DRM. But that's beside the point. If I pay for my songs, I should be able to use them freely. I should be able to put them on my cell phone, or make ringtones out of them. I should not have to burn them all to audio CDs and rip them back to the computer just to use them freely. So my question is, if iTunes is going to ask consumers to pay a yearly/monthly/one-time fee in order to download music from their store, are they going to get away from their ridiculous DRM ways? Probably not, since it locks consumers into repeat Apple purchases in order to play their purchased music.
Another question I want answered is, will the entire iTunes database be open to everyone for download? iTunes has separate stores for separate countries -- US, UK, France, Italy, Japan, etc. I love contemporary music from other countries, and sometimes it's hard to come by. Imported CDs can cost a fortune, and finding the music on the internet isn't always easy. Many times I find music I like on iTunes, but I cannot buy it because you can only buy from the store in the country you're registered in. If this new service allows you to download from any iTunes store, that alone would be a selling point for me. While I still hate DRM, I'd put up with it if it were the only affordable way for me to get my international taste buds satisfied.
iTunes is probably the largest (or one of the largest) music databases out there when you consider how many countries it serves (which means different music for different stores). I think many consumers would be all over this subscription service if launched. As for me, I will wait and see what the answers to my questions are before I decide whether I like it or not.
Tuesday, March 25, 2008
Word of the day: Googledorks
Article: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9064238
A hacker group known as The Cult of the Dead Cow (cDc) has released a program called Goolag Scanner which utilizes -- you guessed it -- Google. It is meant for IT workers to scan websites for security holes, but it can also be used maliciously by hackers by allowing them to find vulnerabilities and attack them.
Here is the way it works: Goolag Scanner contains about 1,500 search queries that, when run in Google, can reveal website vulnerabilities. These queries are known as Googledorks. By using the program, you can run automated scans instead of copying each query into Google individually and searching.
cDc has tested the program on many government websites and found some pretty bad security holes. It just goes to show you how insecure the Internet really is; even the government can't guarantee data security.
Is Goolag scanner ethical? cDc claims it is, quoted as saying, "What we're trying to do is two things: 1) to provide a very easy and legitimate tool for security professionals to test their own Web sites for vulnerabilities, and 2) to raise awareness about Web security in and of itself." Sure, it sounds good on paper (or in this case, the monitor), but even they admit that Goolag Scanner will undoubtedly be used in harmful ways too.
What's done is done, however; the tool is out there and available to the general public. The best thing for website owners to do is use the tool on their own websites to locate any insecure data before the hackers do.
Thursday, March 20, 2008
Supermarket sweep
Article: http://www.businessweek.com/ap/financialnews/D8VG4BGG0.htm
When you use a credit card while you're shopping, you like to think that your card information is safe. But a recent supermarket data breach proves that this is not always the case. Hannaford Supermarkets has suffered one of the largest security breaches on record. Between Dec. 7 and March 10, 4.2 million credit and debit card numbers were exposed and at least 1,800 were stolen. The company still doesn't know how it happened; last February, their transaction system was found to meet the latest standards for data security. Little did they know that while their system was being verified to have the latest security, it was being hacked at the same time.
This is certainly not the first time this kind of thing has happened. TJ Maxx and Marshalls, run under the TJX Co., suffered an even larger data breach of tens of millions of credit cards. It just goes to show you how difficult it is to protect data. No matter what measures you use, a database is never 100% safe. There will always be someone clever enough to infiltrate it. It seems to me that when you're a professional dealing with data security, being well-informed is probably your best bet for preventing security breaches. 1) Keep your system up-to-date with security: install any needed software, patches, etc. to protect your data. 2) Keep yourself informed of trends in the IT security world: read up on problems other companies and people have had, so that you know what to look for and what to arm yourself against. 3) Education: keep current with what you need to know to do your job well, whether by taking classes or self-teaching.
And if you're on the other end of the database, that is, you are the client, you need to stay informed as well. Always check your credit card statements, get regular credit reports, maybe invest in a service like LifeLock. In today's world where none of your personal data is 100% safe, being ignorant of how your data is used is probably the most dangerous thing of all.
Wednesday, March 19, 2008
Data privacy
Article: http://www.informationweek.com/blog/main/archives/2008/03/hospital_worker.html
In late January/early February, popstar Britney Spears visited UCLA Medical Center for treatment. Seeing as she is a prime target of the media nowadays, it was almost inevitable that something would go wrong with her visit. And sure enough, something did go wrong. Not one, not two, but thirteen employees were recently fired for violating Spears' privacy. Six more were suspended.
The medical center did everything it could to prevent the situation. Because all medical workers are granted access to patient records so that they can do their job, avoiding violation of patients' privacy pretty much relies on the Honor Code and on warnings issued by UCLA. UCLA officials warned employees not to access the medical record of a patient unless they were directly caring for that patient. They also warned that violation of patients' privacy would result in disciplinary action and possibly termination. But you know what they say, the more you tell someone not to do something, the more they will want to do it. Luckily, the medical center was monitoring access to Spears' records, trying to catch unauthorized personnel in the act.
This is the problem when you have a database that can be accessed by any personnel in a certain department. All the personnel have access because they need the information to do their jobs... however, they have access to all records, when they only need access to a few records at any given time. This problem is not only at the UCLA Medical Center... many organizations suffer from it as well.
Let's face it, we can't always rely on people to do the right thing. There will always be bad seeds who are going to break the rules. For that reason, there needs to be better controls on databases in these types of environments. True, all medical workers, such as nurses, doctors, and interns, need access to patient records. They need this information in order to treat their patients. However, can't there be a control that only allows access to records of patients currently being treated by that worker?
Let's say Nurse Betty is treating 5 patients. She would only be granted access to those 5 records. Now let's say two of her patients are released and she accepts one more. She has now gained access to one more record, but lost access to the records of the two released patients. Basically, when a patient is accepted to the hospital, all relationships to the correct personnel would be established and unless the patient is assigned a new doctor, nurse, etc. at some point, those personnel would be the only ones able to access their records.
I do not know if this is a realistic solution; it may require too many resources to implement a control like this, and money doesn't grow on trees. But ideally, it sounds like a good solution, so that people like Britney Spears, who already has enough problems, do not have to worry about Joe Schmo posting private medical records all over the internet.
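The "Nurse Betty" model above, as an added sketch that is not UCLA's system: read access to a chart is derived from the patient's current care team, admission and discharge create and remove that relationship, a reassignment moves access from one clinician to another, and every attempt (allowed or denied) lands in an audit log, which is the monitoring that caught the unauthorized lookups in the article. All names and patient identifiers are constructed.

```python
"""Care-team based access control for patient records (added example, not
any hospital's real system). Access follows the current care relationship,
not department membership, and every lookup is audited.
"""
from collections import defaultdict
from dataclasses import dataclass, field


class AccessDenied(PermissionError):
    """Raised when staff read a chart for a patient they are not treating."""


@dataclass
class RecordStore:
    records: dict = field(default_factory=dict)                         # patient -> chart
    care_team: dict = field(default_factory=lambda: defaultdict(set))   # patient -> {staff}
    audit: list = field(default_factory=list)                           # (staff, patient, outcome)

    # --- lifecycle events that change who may see what ---------------------
    def admit(self, patient_id, chart, team):
        """Admission stores the chart and establishes the care relationships."""
        self.records[patient_id] = chart
        self.care_team[patient_id] = set(team)

    def discharge(self, patient_id):
        """The chart is retained, but with no assigned staff nobody may read it."""
        self.care_team[patient_id].clear()

    def reassign(self, patient_id, old_staff, new_staff):
        """Access moves with the assignment: the old clinician loses it."""
        self.care_team[patient_id].discard(old_staff)
        self.care_team[patient_id].add(new_staff)

    # --- the enforcement point ---------------------------------------------
    def patients_for(self, staff):
        """Which charts a staff member can currently open."""
        return {p for p, team in self.care_team.items() if staff in team}

    def read_record(self, staff, patient_id):
        allowed = staff in self.care_team.get(patient_id, set())
        self.audit.append((staff, patient_id, "allowed" if allowed else "DENIED"))
        if not allowed:
            raise AccessDenied(f"{staff} is not on {patient_id}'s care team")
        return self.records[patient_id]

    def denied_lookups(self, patient_id):
        """Audit query: who tried to read this chart without a need to know."""
        return [s for s, p, outcome in self.audit
                if p == patient_id and outcome == "DENIED"]


def build_demo_store() -> RecordStore:
    """Constructed scenario from the post: Nurse Betty's caseload over a shift."""
    store = RecordStore()
    for pid in ("P1", "P2", "P3", "P4", "P5"):          # Betty starts with 5 patients
        store.admit(pid, f"chart for {pid}", team={"nurse_betty", "dr_jones"})
    store.discharge("P1")                               # two patients are released...
    store.discharge("P2")
    store.admit("P6", "chart for P6", team={"nurse_betty"})   # ...and one is accepted
    store.reassign("P3", "dr_jones", "dr_smith")        # P3 is assigned a new doctor
    try:                                                # curiosity from outside the team
        store.read_record("clerk_joe", "P3")
    except AccessDenied:
        pass                                            # denied, and now in the audit log
    return store


if __name__ == "__main__":
    s = build_demo_store()
    print("nurse_betty can open:", sorted(s.patients_for("nurse_betty")))
    print("denied lookups on P3:", s.denied_lookups("P3"))
```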
Tuesday, March 18, 2008
A new kind of benefits package
Article: http://www.avuetech.com/avue-and-lifelock-move-protect-federal-agencies-identity-theft-liability
Most companies provide their full-time employees with some kind of benefits package, though some packages are better than others. This article introduces something new to employee benefits, at least something I have not seen before.
A company called Avue, a provider of "human capital technology solutions", is the leading provider of these services to the federal government. Another company called LifeLock is the leading provider of identity theft protection services. These two companies have decided to merge their services for any federal agencies who subscribe to "Avue's human capital automation platform." So if you work for one of these agencies, you can opt in for protection against credit and identity theft at no extra charge. LifeLock guarantees that they will reimburse you up to $1 million in financial losses if your identity is stolen while covered by LifeLock.
I think this is a great free service, and I wish it were offered through other employers in addition to the federal government. Though I can see why identity theft protection is critical in the government sector. Stealing the identity of a government worker can be very serious, considering that many government workers have access to classified information. One single data breach can cost the government hundreds of millions of dollars.
LifeLock is definitely a service for anyone to look into, even if your company doesn't pay for it. I personally know someone who has had his identity stolen several times. If someone steals your identity and ruins your credit, you may never be able to recover from it. Forget about buying a house, a car, or getting that loan you need. If you ask me, a small $10/month fee definitely gets you more than your money's worth.
Wednesday, March 5, 2008
A different kind of Radar
Article: http://www.informationweek.com/showArticle.jhtml;jsessionid=MBLVKEBRUMC4SQSNDLRSKH0CJUNN2JVN?articleID=206900039&queryText=photo+sharing+startup
Cell phones are becoming more and more advanced as time progresses. Now many people have internet service on their phones so that they can access the web anytime, anywhere (as long as you are in a service area, anyway). Cameras are another fun feature that comes on most phones today. One company has created an application to put those cameras to use -- or maybe more use. The program is called Radar, and it allows users to take pictures and record videos on their phones and then upload them to the internet-based photo sharing service directly from their phones. This service, of course, utilizes a database to store users' photos.
Photobucket is a similar service on the internet where people can upload photos and essentially make electronic photo albums for family and friends to view. You can upload pictures to Photobucket from your phone too, but Photobucket does not enable comments on photos. It also differs in that it was mainly designed for use on a computer, while Radar was designed primarily for mobile phone use. Myspace and Facebook offer mobile service for certain wireless carriers and phones as well, but it's not quite the same since these sites utilize user profiles that share more personal information. Some people hate Myspace and/or Facebook, and others may use these sites but still just want a photo-sharing account that does nothing but that -- share photos.
Radar actually brings the best of both worlds together -- you can keep a Photobucket-like account to share with friends who have Radar accounts, or you can use Radar's Myspace and Facebook utilities to share your Radar-hosted photos on these sites, so that people who do not use Radar can still see them. I have several friends who hate Myspace, but signed up anyway because it was the only way to view their friends' photos (you're required to login to view photos). With Radar, you are given the freedom to either view/comment on photos with their program, or on Myspace/Facebook, whichever you prefer.