Friday, August 24, 2007

The mess

Computerworld has a good update by Gregg Keizer on this developing story.
The last thing you need when you're unemployed is a bank account that's suddenly emptied. But that's exactly what some unwary users of employment search site faced after identity thieves made off with the personal information of more than a million people looking for jobs.

This still-developing story has enough nooks and crannies to confuse a gumshoe, but some facts are clear: Monster's resume database was looted, and the personal information taken was used to forge convincing messages that deposited password-stealing Trojans and ransomware on users' PCs.

Calculated and ambitious, the attack is striking for how it blended several elements -- stolen credentials of legitimate users, phishing e-mails, Trojan horses, money mules and more -- into a slick assault. Here's what we know so far.



Wednesday, August 22, 2007

Worst Data Breaches Ever

Collected and summarized by

The oldest of the 17 breaches they "honor" happened in February 2005. It is difficult to separate the effects of stricter reporting requirements and escalation of both criminal activities and organizational negligence, but it seems clear that the situation is not getting any better.

Beware of assuming that your data is not at risk if you don't go online, or only practice safe e-commerce. We are all at the mercy of every organization that has collected data on us, whether we know about it or not.

Updated to add: Computerworld adds "Your data's less safe today than two years ago."



Tuesday, August 21, 2007

New ACM / Infosys Foundation Award

ACM and Infosys have announced the creation of a new annual award that recognizes young scientists and system developers whose contemporary innovations are having a dramatic impact on the computing field. The prize will be $150,000.

If you know someone who deserves such recognition, please check the nomination procedures--and then follow them. Much of my advice on making the case for an ACM Fellow is also applicable to this new prize.

By the way, Intel and Google have jointly raised the prize associated with the Turing Award to $250,000, commensurate with its status as computing's highest professional honor.



Monday, August 20, 2007

Privacy is not simple.

In 2002 and 2003 I participated in a Study Committee on "Privacy in the Information Age," sponsored by the Computer Science and Telecommunications Board (CSTB) of the National Research Council (NRC). The committee was very diverse, and I learned a whole lot from trying to relate other members' legal, law enforcement, medical, sociological, economic, and philosophic perspectives to my own, primarily technical, perspective.

The result of the committee's study (and considerable further review, in accord with NRC policy) was the book, Engaging Privacy and Information Technology in a Digital Age, edited by the committee Vice Chair, Jim Waldo, and two NRC staffers, Herb Lin and Lynette Millett. This book is now available from the National Academies Press for free online browsing, as a PDF file, or in hardcopy.

I think it is safe to say that everyone has something that they would like to keep private from someone else. Anyone who seriously cares about privacy should read this book. They are likely to find that even the definition of privacy is more complex than they thought, let alone the trade-offs involved in privacy principles, practices, and policies.

Rather than trying to summarize a 400+ page book in a blog posting, I will quote one sentence, and then list the committee's summary recommendations. You'll have to read the book (or at least its Executive Summary) for the background.
When privacy is at issue, the committee found that bland assurances that privacy will not be harmed offered by policy makers can do more to raise skepticism than honest presentation and assessment of tradeoffs.
  • If policy choices require that individuals shoulder the burden of protecting their own privacy, law and regulation should support the individual in doing so.
  • Organizations with self-regulatory privacy policies should take both technical and administrative measures to ensure their enforcement, routinely test whether their stated privacy policies are being fully implemented, produce privacy impact assessments when they are appropriate, strengthen their privacy policy by establishing a mechanism for recourse if an individual or a group believes that they have been treated in a manner inconsistent with an organization's stated policy, and establish an institutional advocate for privacy.
  • The U.S. government should undertake a broad systematic review of national privacy laws and regulations.
  • Government policy makers should respect the spirit of privacy-related law.
  • Principles of fair information practice should be extended as far as reasonably feasible to apply to private sector organizations that collect and use personal information.
  • To support greater transparency into the decision-making process regarding repurposing, guidelines should be established for informing individuals that repurposing of their personal information might occur, and also what the nature of such repurposing would be, and what factors would be taken into account in making any such decision.
  • The principle of choice and consent should be implemented so that individual choices and consent are genuinely informed and so that its implementation accounts fairly for demonstrated human tendencies to accept without change choices made by default.
  • The U.S. Congress should pay special attention to and provide special oversight regarding the government use of private sector organizations to obtain personal information about individuals.
  • Governments at various levels should establish formal mechanisms for the institutional advocacy of privacy within government.
  • A national privacy commissioner or standing privacy commission should be established to provide ongoing and periodic assessments of privacy developments.
  • Governments at all levels should take action to establish the availability of appropriate individual recourse for recognized violations of privacy.
