Tuesday, April 11, 2006


News Item 5788 Microsoft helped write Oklahoma computer law

The law is amazing, not only because it is probably the first written overtly by a major company without bothering with the tedious problem of lobbying, but because... well it is written by Microsoft, what do you think could go wrong?

Under the law, people could be fined a million dollars for using viruses or surreptitious computer techniques to break into someone's computer without that person's knowledge and acceptance. OK so far.

Now because Microsoft knows that it sometimes needs to get information from its users for upgrades, it has put in a clause to allow software companies to do this. Basically the Vole law demands that a software company's licence agreement tells you the sort of data it is taking.

The problem is that if you agree, you give the company from which you bought upgradable software the freedom to come onto your computer for "detection or prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software, including scanning for and removing computer software prescribed under this act."

In other words, if you install Vista, Microsoft can come in, snoop around your computer to see if you are doing anything illegal, and delete it.

3:34:34 PM

News Item 5787 Oklahoma Gazette - Get ready for Microsoft, cable and phone companies, and quite a few other people to know a lot more about what you do on your computer, thanks to House Bill 2083.

It's supposed to protect you from predators spying on your computer habits, but a bill Microsoft Corp. helped write for Oklahoma will open your personal information to warrantless searches, according to a computer privacy expert and a state representative.

Called the "Computer Spyware Protection Act," House Bill 2083 would create fines of up to a million dollars for anyone using viruses or surreptitious computer techniques to break into someone's computer without that person's knowledge and acceptance, according to the bill's state Senate author, Clark Jolley.

"The bill has a clear prohibition on anything going in without your permission. You have to grant permission," said Jolley, R-Edmond. "You can look at your license agreement. It will say whether they have the ability to take that information or not."

But therein lies the catch.

If you click that "accept" button on the routine user's agreement, the proposed law would allow any company from whom you bought upgradable software the freedom to come onto your computer for "detection or prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software, including scanning for and removing computer software prescribed under this act."

That means that Microsoft (or another company with such software) can erase spyware or viruses. But if you have, say, a pirated copy of Excel -- Microsoft (or companies with similar software) can erase it, or anything else they want to erase, and not be held liable for it. Additionally, that phrase "fraudulent or other illegal activities" means they can:

--Let the local district attorney know that you wrote a hot check last month.

--Let the attorney general know that you play online poker.

--Let the tax commission know you bought cartons of cigarettes and didn't pay the state tax on them.

--Read anything on your hard drive, such as your name, home address, personal identification code, passwords, Social Security number ... etc., etc., etc.

"I think in broad terms that is still a form of spying," said Marc Rotenberg, attorney and executive director of the Electronic Privacy Information Center in Washington, D.C. "Some people say, 'Well, it's justified.' I'm not so clear that should be the case. Particularly if the reason you are passing legislation is to cover that activity."

The bill is scheduled to go back before the House for another vote. Will the Oklahoma House, on behalf of all computer users in the state of Oklahoma, click "accept"?
3:31:01 PM

News Item 5786 Microsoft Helps Write Oklahoma's Anti-Spyware Law (includes a secret sauce?)

Microsoft Helps Write Oklahoma's Anti-Spyware Law. groovy.ambuj writes "The Inquirer reports that Microsoft has developed Oklahoma's 'Computer Spyware Protection Act'. The law will supposedly protect people from unwarranted hackers or virus attacks and can fine individuals up to $1M who are found guilty of breaking into a computer without the owner's knowledge. At the same time, it also allows some of the better known capable companies to 'look' into your computer for possible virus/spyware and fix the problem without informing you. And, while these friends are doing their job, they can also take the moment to do other things." [Slashdot: Your Rights Online]
3:23:43 PM

News Item 5785 IBM Hardwires Encryption Into Chips.

IBM Hardwires Encryption Into Chips. zenwarrior writes "Reported by CNET, a new chip technology termed Secure Blue by IBM will keep users' data encrypted and secured at virtually every moment on essentially anything in which the chip can be used. Data is even encrypted in RAM, leaving display for users' viewing as almost the last place it isn't encrypted. This has to be considered decidedly anti-Homeland Defense by the current administration. If so, when will we see it if ever?"  [Slashdot: Your Rights Online]
2:58:44 PM

News Item 5784 Government-Aided Phishing

Government-Aided Phishing. Anonymous writes "A Florida county is posting the Social Security numbers, bank account info and other sensitive data of hundreds of thousands of current and former residents on its public Web site, Computerworld is reporting. A county official says there's no problem, since the postings are in compliance with state law requiring public availability of records." From the article: "The breach stems from the county's failure to redact or remove sensitive data from images of public documents such as property records and family court documents, Hogman said. Included in the documents that are publicly available are dates of birth and Social Security numbers of minors, images of signatures, passport numbers, green card details and bank account information." [Slashdot: Your Rights Online]
2:45:03 PM

News Item 5783 Taiwan President pans Google, Yahoo on free speech.

Taiwan President pans Google, Yahoo on free speech. In a speech commemorating a local human-rights activist, Taiwan President Chen Shui-bian accused Yahoo Inc. and Google Inc. of allowing the prospect of corporate profits to lure them into compromising free speech in China. [Computerworld Privacy News]
2:41:54 PM

News Item 5782 ACLU raises concerns about information-sharing system

ALBUQUERQUE (AP) - The American Civil Liberties Union says people should keep an eye on how police use a statewide computer system designed to let law enforcement agencies share information faster.

Linx, for the Law Enforcement Information Exchange, is expected to go online late this summer in Bernalillo, Sandoval and Dona Ana counties. Five other states use such a database, and it's possible they could link in the future, said Mike Dorsey, special agent in charge of the program through the U.S. Naval Criminal Investigative Service in Washington, D.C.

The database will help law enforcement agencies, but Peter Simonson, executive director of the ACLU in New Mexico, said it also will contain information about innocent people, crime victims, witnesses and minor traffic violations.

"It is going to make available that information to every police department participating," he said. "We think that represents a significant threat to personal privacy."
2:39:25 PM

News Item 5781 Pennsylvania Hospitals to Share Patient Data

Community hospitals and family physicians in rural and suburban Pennsylvania have taken up a plan to make sure a patient's general practitioner knows what treatment the patient received in the hospital, and vice versa.

Medical errors often occur during handoffs, when a patient moves from one site of care to another but patient information does not. The lost information also costs time and money because health care providers schedule unnecessary and expensive tests. As a result, this week, Geisinger Health Systems announced that it has contracted with enterprise content management company Vignette to create a portal that lets doctors at one site see details of care at another site.

Geisinger and two other unaffiliated community hospitals have agreed to share information as part of the Geisinger RHIO (regional health information organization), which covers more than 3 million patients. Up to eight other health systems are slated to join the RHIO over the next three years.

2:34:52 PM

News Item 5780 Health Info-Sharing Tech Specs Include Web Standards

Initial system architecture and policy recommendations for regional health information exchanges were released recently by a public-private cooperative group.

In an effort to standardize the exchange of health information, Connecting for Health, a public-private collaborative of more than 100 organizations, recently released technical specifications and policy guidelines.

Dubbed the "Common Framework," the set of specifications is intended to provide the initial elements of a comprehensive approach to secure, authorized and private health information sharing. It includes 16 technical and policy components, which were developed by experts in IT, health privacy law and policy.

The elements of the framework being released include technical documents and specifications, testing interfaces and code, as well as a companion set of privacy and security policies and model contractual language to help organizations interested in information exchange move quickly towards the necessary legal agreements for private and secure health information sharing.

2:32:46 PM

News Item 5779 IRS plan a violation of privacy rights - The Olympian - Olympia, Washington

The fact that both Democrats and Republicans are ridiculing an Internal Revenue Service plan to change privacy rules indicates just how far off base this proposal is.

Leaders from both political parties seldom see eye to eye on anything.

But both Democrats and Republicans are taking potshots at a plan that would let the tax preparers give out information about their clients -- information such as income figures, bank account and Social Security numbers, stock information and other private information.
2:30:14 PM

News Item 5778 HP: Enterprises struggling with privacy management.

HP: Enterprises struggling with privacy management. Consumers and governments want greater control over how personal data is retained and managed, but the complexity of the task is making it difficult to meet higher expectations, a Hewlett-Packard Co. project manager said today. [Computerworld Privacy News]
2:27:19 PM

News Item 5777 Update: Fla. residents' data exposure a statewide issue.

Update: Fla. residents' data exposure a statewide issue. A Florida statute that requires county officials to post images of certain official documents online has led to the public exposure of sensitive data on potentially millions of current and former residents of the state. [Computerworld Privacy News]
2:25:51 PM

News Item 5776 Computerworld-AU | Researcher: Web services security risks largely ignored

In their rush to implement Web services, some companies may be exposing themselves to new security risks that they may not fully understand, a security researcher said at the CanSecWest/core06 conference here in Vancouver on Thursday.

During a conference presentation, researcher Alex Stamos outlined how a number of Web services technologies, including AJAX (Asynchronous JavaScript and XML) and the XQuery query language, could be exploited by hackers to dig up secret information and attack systems.

Web services is a catch-all expression used to describe a form of distributed computing that uses standards based on XML (Extensible Markup Language) to simplify the job of programming software. One of its key tenets is that Web services applications are extremely portable and can easily interact with different types of software.

While this cross-platform capability can simplify programming, it can also create security risks by creating situations that may not have been anticipated by software developers, said Stamos, a founding partner of Information Security Partners, based in San Francisco. During his talk, he described an attack where a user could enter malicious code in a Web form and then get that code to run by calling up the company's customer service number and tricking a representative into inadvertently executing it.

2:23:01 PM

News Item 5775 RFDump

RFDump. RFDump is a backend GPL tool to directly interoperate with any RFID ISO-Reader to make the contents stored on RFID tags accessible. This makes the following types of audits possible: Test robustness of data-structures on the reader and the backend-application; Proof-of-concept manipulations of RFID tag contents; Clone / copy & paste User-Data stored on RFID tags; Audit tag-security features. [LinuxSecurity.com]
2:17:03 PM

News Item 5774 New Zealand sites vulnerable to Google hacking.

New Zealand sites vulnerable to Google hacking. Online attacks that use search engines to look for vulnerabilities are on the rise, and a new study shows that sites in some nations are particularly vulnerable to such "Google hacking." [Computerworld Data Mining News]
2:13:12 PM

News Item 5773 Strengthen Security with an Effective Security Awareness Program.

Strengthen Security with an Effective Security Awareness Program. In this paper, Tom Olzak defines security awareness, lists the objectives of an effective awareness program, and steps through a process to build, implement, and manage on-going support of the program. By Tom Olzak. [Infosec Writers Latest Security Papers]
2:11:25 PM