Wow. The bullshit detector has been way up the dial this week. So, when I read this article today I was floored. Apparently California lawmakers racked up over $2 million in travel over two and a half years. That’s not the big problem. The fact that they claimed that the travel records were protected for security reasons…um, I says pardon?

From San Francisco Chronicle:

The AP requested lawmakers’ air travel itineraries and the associated cost to taxpayers as part of an ongoing examination of legislative spending and disclosure requirements. The Legislature said it would not provide original documentation of lawmakers’ air travel, meaning there is no way to independently determine where they flew or for what purpose.

When pressed for records that would give lawmakers’ destinations and prove that all flights were for business related to state government, the Legislature refused to provide them.

So, the people’s representation eh? Well, that certainly goes a long way to explaining some things…like the debt.

Article Link

(Image used under CC bredgur)

There are good ideas and there are bad ideas. Then, there are the very bad ideas.

From USA Today:

Prisons in eight states let convicts work in jobs that give them access to Social Security numbers and other personal information for the public, despite years of warnings that the practice should end, a federal audit finds.

Most of the prisoners hold jobs processing public records for federal, state and local governments, according to the audit released this month by the Social Security Administration’s Office of Inspector General. The work often involves entering and processing data on documents such as student transcripts, tax files, and health care and labor claims forms.

Wow, someone really put some thought into that one now didn’t they?

So, does this mean that the Federal audits are completely toothless exercises? Apparently. The eight states are Alabama, Arkansas, Kansas, Nebraska, Oklahoma, South Dakota, Tennessee and West Virginia. Now this raises the question. Are there any penalties that can be levied against these offending states? Maybe. But, I doubt that it will ever amount to anything more than a blip on the radar screen.

In order for anything to come of this it would require a data breach. Pure and simple. Not something to wish on anyone.

Article Link

(Image used under CC from Don Solo)

How stupid is this? Last week Robert Maley, the CISO for the Commonwealth of Pennsylvania, was giving a presentation at the RSA conference. He was speaking about a hacking incident at PennDOT from last year.

This week? He’s on the pavement. It would appear that someone in PA overreacted.

From Patriot News/Penn Live:

Danielle Klinger, a spokeswoman for the state Department of Transportation, said the agency is not aware of any hacking or breach that occurred involving the scheduling system for its driving test. However, she said that a few weeks ago, “we did discover an anomaly and we have actually turned that over to [the state police] for further investigation. We’re not sure what that anomaly is, but it is being investigated. Unfortunately, I can’t provide any more details on it.”

Maybe Maley didn’t have leave to speak publicly about the incident in question, which is something that PennDOT appears to have developed an ostrich complex over. Some myopic nitwit thought it merited removing Maley from his post? They claim however that his talk had nothing to do with his dismissal. I’m not sure I believe that. The timing seems rather odd.

So, what of the alleged hacking incident?

Maley is reported to have said the hacker was later found to be someone with a driving school in Philadelphia who exploited a vulnerability in PennDOT’s system to schedule more driving tests than there were allotted slots.

This situation seems muddy at best. For more on this story read the article at Penn Live from this morning.

Article Link

(Image used under CC from Olivander)

UPDATE (Mar 19, 2010): Today things are made a little clearer with respect to Maley’s dismissal after speaking at RSA. He gave ComputerWorld an interview to add some clarity to the story.

What exactly happened? They terminated me. I was specifically asked not to talk about anything in Pennsylvania without explicit permission and to have everything that I would say to be completely reviewed before I said it. So yeah, they told me that, and, yup, I was wrong ultimately doing that. As far as the official reason, that’s why.

A hard lesson learned. Don’t have permission to discuss your day job from a conference podium? Remember this story.

This is the second time in recent memory where a bank has put the burden of proof on the victim.

From CBS MoneyWatch:

It’s every technophobe’s nightmare, but this time it’s true. Some $50,000 was stolen from Fan Bao’s online bank account by Croatian computer hackers and the bank told him that the loss is not their problem.

Could it happen to you? Here’s the back story to help fill in who is at risk.

Seven years ago, Fan Bao opened a checking account at Bank of America to facilitate his small import-export business called ZICO USA.

Scary story. For the full article read on.

Article Link

You know, I have always been bothered by the American Express website password limitations but, admittedly, I never ran this one to ground. Well, someone ran with it. The password has always been limited to an 8 character maximum and no special characters.

I never imagined something quite this daft.

From Twice Refried News:

Thank you for your email regarding your online password.

I would like to inform you that our website has a 128 bit encryption. With this base, passwords that comprise only of letters and alphabets create an algorithm that is difficult to crack. We discourage the use of special characters because hacking softwares can recognize them very easily.

The length of the password is limited to 8 characters to reduce keyboard contact. Some softwares can decipher a password based on the information of “most common keys pressed”.

Therefore, lesser keys punched in a given frame of time lessen the possibility of the password being cracked.

*facepalm*

For the full email response, read on.

Article Link
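The cost of that policy is easy to put a number on. The worked example below is added here and is not from the original post or from American Express; it assumes a 62-character alphabet for “letters and digits”, 95 characters once printable punctuation is allowed, and an illustrative offline guessing rate of 10 billion hashes per second (an assumption, not a figure from the page). Guessing effort scales with the size of the keyspace, not with how many keys the user pressed, so the 8-character alphanumeric cap is what an attacker thanks you for:

```python
import math

# Assumed character-class sizes (illustrative): a-z, A-Z, 0-9 = 62;
# the same plus the 33 printable ASCII punctuation characters = 95.
ALNUM = 62
ALNUM_SPECIAL = 95


def keyspace(charset_size: int, max_len: int, min_len: int = 1) -> int:
    """Number of candidate passwords an exhaustive attacker must cover when the
    policy allows any length from min_len to max_len over charset_size symbols.
    Shorter lengths are included because the attacker tries those first."""
    return sum(charset_size ** k for k in range(min_len, max_len + 1))


def policy_bits(charset_size: int, max_len: int, min_len: int = 1) -> float:
    """Worst-case strength of the policy in bits (log2 of the keyspace)."""
    return math.log2(keyspace(charset_size, max_len, min_len))


def worst_case_seconds(charset_size: int, max_len: int,
                       guesses_per_second: float, min_len: int = 1) -> float:
    """Time to exhaust the whole keyspace at the given offline guessing rate."""
    return keyspace(charset_size, max_len, min_len) / guesses_per_second


def compare_policies(guesses_per_second: float = 1e10) -> dict:
    """Compare the quoted policy against two alternatives. The guessing rate is
    an assumed figure for an offline attack on leaked hashes, not a measurement."""
    policies = {
        "8 chars max, letters+digits (quoted policy)": (ALNUM, 8),
        "8 chars max, letters+digits+punctuation": (ALNUM_SPECIAL, 8),
        "16 chars max, letters+digits+punctuation": (ALNUM_SPECIAL, 16),
    }
    results = {}
    for name, (charset, max_len) in policies.items():
        secs = worst_case_seconds(charset, max_len, guesses_per_second)
        results[name] = {
            "bits": round(policy_bits(charset, max_len), 1),
            "days_to_exhaust": secs / 86400,
        }
    return results


if __name__ == "__main__":
    for name, r in compare_policies().items():
        print(f"{name:45s} {r['bits']:5.1f} bits  {r['days_to_exhaust']:.3g} days")
```

Under those assumptions the quoted policy tops out around 47.7 bits and the entire keyspace falls in a matter of hours; allowing punctuation at the same length buys a few days, and simply lifting the length cap to 16 pushes exhaustive guessing out to geological timescales. Nothing about “keyboard contact” enters into it.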

(Image used under CC from fireflythegreat Flickr feed)

How to win friends. I’ve decided that every time I get something like this I will post it from now on.

Dear Dave

Thank you for your interest in “Lowering Costs of IT Security and Compliance,” produced by Network World and CSO Magazine and hosted by Oracle.

Unfortunately, upon further review of the information that you submitted, we determined that at this time, we are not able to confirm your seat for this event. We have established an audience qualification process to ensure that our target audience goals are being met. And, as this is a custom program for Oracle, we are committed to meeting their target audience goals and requirements.

We apologize for any inconvenience this may have caused you.

Please note that due to space limitations, walk-ins or ineligible applicants arriving at the meeting venue will NOT be admitted on the day of the event.

Thank you,

IDG Enterprise Events

I should note that this was an open event. Nothing like a form letter f*ck you to an Oracle enterprise customer.

(Image used under CC from s8 Flickr feed)

Surreal. Here’s a story that pushes the edges of…well, common sense. The real problem is what could potentially happen if the bank wins in this case.

From Krebs On Security:

A machine equipment company in Texas is tussling with its bank after organized crooks swiped more than $800,000 in a 48-hour cyber heist late last year. While many companies similarly victimized over the past year have sued their banks for having inadequate security protection, this case is unusual because the bank is preemptively suing the victim.

Read on for the full article.

On a side note be sure to subscribe to Brian’s RSS feed. He’s a must read writer in the security space.

Article Link

(Image used under CC from peggyarcher’s Flickr feed)

This was an email that was sent by Adobe to one of the readership just yesterday. Too funny. Especially when you take into mind this and of course these. Not to mention the fun with TSA just a little while ago.

Enjoy your Friday.

:)

Thanks to hvnsnt for sharing that one. Here is a larger copy of the image. Just click on the thumbnail.


UFC 1337: Google vs. China

To the surprise of most everybody who read this, Google has grown a pair in the fight for free speech and against internet censorship. Well... at least they say they have...

…the attempts over the past year to further limit free speech on the web–have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

This comes after the apparent attack upon Google and other American organizations originating from China.

In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident–albeit a significant one–was something quite different.

As of the time I wrote this post Google.cn is still up, so no preemptive praise just yet. I’m going to be interested to hear what else pops up about this story in the near future.

Read on

Some other insight so far:

RSnake
Rep. Eshoo Responds to Attack on Google

Cheers,
Matt

While I am a huge proponent of security education, I loathe the phrase “cyber”. And to make things worse…

From New York Times:

Banks, military contractors and software companies, along with federal agencies, are looking for “cyber ninjas” to fend off a sophisticated array of hackers, from criminals stealing credit card numbers to potential military adversaries.

“cyber ninjas”???

*facepalm*

But, on the positive side there are many more schools weighing in with their own security program offerings.

“There is a huge demand, and a lot more schools have created programs,” says Nasir Memon, a professor at the Polytechnic Institute of New York University in Brooklyn. “But to be honest, we’re still not producing enough students.”

Mr. Memon’s school created a master’s degree in cybersecurity last fall. So did Indiana University, whose security degree is in “informatics,” an academic field in which students find new uses for information technology. Starting in the fall, Georgia Tech will offer a master’s degree in information security online; the program is aimed at computer professionals who want to learn to deal with computer threats.

Cyberdouchery notwithstanding, I am very interested to see what the community thinks of these programs. For the full article read on.

Article Link

Image credit: funky64