Thursday, September 25, 2003


Privacy concerns over who has access to electronic information and what they use it for continue to be an issue for our society. ddv

From: NewsScan Daily: September 24, 2003

by Chey and Stephen Cobb
We had several interesting responses to our last column, concerning the blue TSA (Transportation Security Administration) tags that are appearing on airline baggage. So we stick with the travel theme this week. We even use the same color scheme: the story we want to cover concerns the airline known as Jet Blue.
Whether you read this story as it broke on, or saw the Associated Press piece in your local newspaper, alarm bells had to be going off. Here was a U.S. airline giving its passenger records to a Defense Department contractor (Torch Concepts) working with the TSA to test the feasibility of combining such records with other commercially available data (like credit bureau records) to single out passengers for additional security screening, all documented in a set of PowerPoint slides titled 'Homeland Security -- Airline Passenger Risk Assessment,' presented at a public conference in February of this year and subsequently posted on the Internet.
If alarm bells did not go off, it may be because the media is now an irony-free zone. Tom Brokaw mentioned the Jet Blue story on NBC right before a "special report" on the insurance company practice of denying automobile coverage to people based on their credit records. NBC apparently missed the fact that the "Jet Blue project" could mean people getting frisked at airports, or even kicked off airplanes, based in part upon those same records.
So let's spell out what happened. At the end of 2001, Torch Concepts made initial overtures to airlines asking for passenger data, namely who flew what flights. We may take some comfort in the fact that American and Delta appear to have said no. In March of 2002 the DoD funded the Torch Concepts research and in April the company started meeting with the DOT and, via "Congressional Liaison," with TSA. In June of 2002 a DOT-TSA meeting addressed the Torch Concepts project and in July told the company it would soon receive "the necessary database being used by CAPPS II contractors."
Heaven knows what's in the CAPPS II database, currently the target of several lawsuits, but apparently Torch Concepts didn't get that database. What it got, in September, sounds like a consolation prize: the Jet Blue database. Torch Concepts complained that this was very limited in terms of the goals of the research, but went ahead with the project anyway. In October, Torch Concepts purchased additional demographic data from Acxiom, a company that sells a lot of interesting data, such as your social security number. That's right, you are probably among the 700 million individuals and companies on whom Acxiom keeps records, somewhere in its seven acres of computers.
What kind of records? For a start there's name, birth date, social security number, plus current and former address. There's a good chance that Acxiom also knows who you work for, the names of the people who live with you, and whether you own or rent.
What does Acxiom do with this information? It sells it, often in the form of data appending and verification services. Suppose I have some of the above pieces of information about a list of people, my customers perhaps, but I don't have all that information. Acxiom can provide the missing data (even if my customers declined to provide it when I asked for it). That's appending. Acxiom can also verify that the data I have on my customers is correct, by checking it against data on the same people held by other companies. In the wake of 9/11 and the Patriot Act, Acxiom has been keen to show that its database can also be used to fight terrorism, but the Arkansas-based company suffered an embarrassing setback last month when a flaw in its security led to a hacker accessing data being uploaded to Acxiom by a customer, something Acxiom only found out about when contacted by an Ohio law enforcement agency.
Anyway, back in 2002, Torch Concepts used Acxiom to increase the amount of information it had on the people who flew Jet Blue; then analyzed everything to see what could be learned. Here are some of the conclusions presented at the conference:
* Known airline terrorists appear readily distinguishable from the normal Jet Blue passenger patterns (that's a relief)
* The "Passenger Stability Indicators" that distinguish normal Jet Blue passengers from past terrorists include social security number, length-of-residence, income, and home ownership (terrorists tend not to be homeowners with social security numbers?)
These are hardly stunning revelations; we don't know how many taxpayer dollars it cost to reach them, but we are inclined to think it was too many. As for Jet Blue, which appears to have violated its own privacy policy when it handed over the data, the cost could also be too much. The Federal Trade Commission is apt to file suit against companies that do that, as in the cases of drug maker Eli Lilly and jeans maker Guess, Inc. Privacy advocates and state attorneys general are apt to follow suit, so to speak.
As we see it, even if amassing and analyzing huge databases is a reliable way to spot terrorists, which frankly we doubt, it wouldn't be a good idea. Apart from the very serious privacy concerns, as Acxiom demonstrated last month, you put the data itself at risk. The day when computer security practices are as good as they should be is a long way off. We should use that time to address the reasons why people commit acts of terror, not hunt for needles in haystacks.
[Chey Cobb, CISSP, the author of Network Security for Dummies, is an independent consultant and a former senior technical security advisor to the NRO. She can be emailed as chey at patriot dot net. Stephen Cobb, CISSP, wrote his first computer security book twelve years ago. He can be emailed as scobb at cobb dot com.]

Wednesday, September 24, 2003

InfoWorld: Expect the unexpected when it comes to security: September 19, 2003: By Chad Dickerson: Security

InfoWorld columnist's comment on security. ddv

InfoWorld: Expect the unexpected when it comes to security - Vigilance is the key to keeping your enterprise out of the security waste land: September 19, 2003: By Chad Dickerson: Security: "August was the cruelest month, breeding MS Blaster and Sobig out of moribund security policies, mixing buffer overflows with SMTP-based viruses, stirring vacation-focused minds with new worms. Winter had kept us warm, as our 1U Linux servers blanketed the datacenter with forgetful uptime, feeding us our e-mail through twisted cables. Summer surprised us …"

Monday, September 22, 2003

Gadwin PrintScreen - Screen capture software

Another option in the screen capture race! Also offers the ability to capture a specific window. ddv

Gadwin PrintScreen - Screen capture software: "Want to create a screenshot suitable for saving or printing? Then just hit a key on your keyboard. Oh yeah, you'll have to download this program first.
There are several hotkey combos to choose from (PrintScreen is the default). Once you've chosen your favorite combo, head to the Destination tab and have the screen print out instantly, copy the capture to the clipboard, save it to a specific folder, or even send it through e-mail. You can perform full screen captures, or only capture a specific window.
There are also six different image formats to choose from, and each one can be resized. With all the customization capabilities, what more could you ask for? "

GrabClipSave - freeware

I need a better solution for pasting together help screens for an ACL tutorial. Looks interesting as it creates JPGs -- vs. needing to compress the bitmaps that the Windows clipboard generates. ddv

GCS: "A freeware screen capture tool. As easy as this:
Start GCS
Press PrtSc
Done. Repeat at will.
GCS will save the screens to the directory you want, either in Windows .bmp or in .jpg format. You can grab standard applications, Direct3D or OpenGL games.
GrabClipSave makes use of standard Windows features: as soon as you press the PrtSc key, the current screen is copied to the clipboard. GCS just sits in the background and waits for a bitmap in the clipboard. When there is a new one, it just saves it to disk; where you want and the way you want. So no more Alt-Tabbing out of your favorite game or fiddling with .tgas or stuff, just let GCS save it for you in .jpg!"

Friday, September 19, 2003

The Hauser Center for Nonprofit Organizations

Check out the publications link for fairly recent articles relating to NFP Form 990 and audited financial statements. ddv

The Hauser Center for Nonprofit Organizations: "The Hauser Center for Nonprofit Organizations is an interdisciplinary research center at the John F. Kennedy School of Government at Harvard University. The Center aims to illuminate the vital role that the nonprofit sector and nongovernmental organizations play in aiding societies to discover and accomplish important public purposes. "

Wednesday, September 17, 2003

Plagiarism Detection Services

Plagiarism continues to be a major issue in a connected world. Just as the WWW can be used to easily cut and paste content - the Web can also be used to examine documents for the same. OrCheck jumps out as a very creative Java tool which interfaces with Google to examine text for possible plagiarism. Interesting approach in a very visible interface. ddv

JISCPAS - External Resources - Detection Services: "Detection Services

A number of systems are currently available providing electronic detection facilities by a variety of means. Links to companies providing these services are given here"

Tuesday, September 16, 2003

Flawed Routers Flood University of Wisconsin Internet Time Server

An interesting security issue that arises simply from two products communicating (a home router and a public Internet time server). This is a very well-written article that can be used to understand Internet connectivity. ddv

Flawed Routers Flood University of Wisconsin Internet Time Server: "In May 2003, the University of Wisconsin - Madison found that it was the recipient of a continuous large scale flood of inbound Internet traffic destined for one of the campus' public Network Time Protocol (NTP) servers. The flood traffic rate was hundreds-of-thousands of packets-per-second, and hundreds of megabits-per-second.
Subsequently, we have determined the sources of this flooding to be literally hundreds of thousands of real Internet hosts throughout the world. However, rather than having originated as a malicious distributed denial-of-service (DDoS) attack, the root cause is actually a serious flaw in the design of hundreds of thousands of one vendor's low-cost Internet products targeted for residential use. The unexpected behavior of these products presents a significant operational problem for UW-Madison for years to come.
This document includes the initial public disclosure of details of these products' serious design flaw. Furthermore, it discusses our ongoing, multifaceted approach toward the solution which involves the University, the products' manufacturer, the relevant Internet standards (RFCs), and the public Internet service and user communities. "
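The report quotes hundreds of thousands of hosts producing hundreds of thousands of packets per second, which works out to roughly one request per client per second. The model below is an added example (not code from the UW-Madison report or from the product vendor) that puts numbers on why that matters: it compares a client that retries on a fixed one-second schedule whether or not the server ever answers with a client that observes a minimum poll interval and backs off exponentially while the server is silent, as the later RFC 4330 (which postdates this report) requires of SNTP clients. The one-second retry, the 16-second initial poll, the 1024-second cap and the 300,000-client population are assumptions chosen to match the rates quoted above, not details taken from the report.

```python
"""Aggregate load that a population of SNTP clients places on one server.

Added example.  The client behaviours modelled here are assumptions:
a fixed one-second retry with no back-off (consistent with the packet
rates the report quotes) versus a client that starts at a 16 s poll
interval and doubles it up to 1024 s while the server does not reply.
"""

NTP_PACKET_BYTES = 48                 # NTP/SNTP message body
UDP_IP_ETH_OVERHEAD = 8 + 20 + 14     # UDP + IPv4 + Ethernet headers
WIRE_BYTES = NTP_PACKET_BYTES + UDP_IP_ETH_OVERHEAD   # 90 bytes per request


def fixed_interval_requests(window_s, interval_s=1.0):
    """Requests one client sends in `window_s` seconds when it retries
    every `interval_s` seconds regardless of whether the server answers."""
    return int(window_s // interval_s)


def backoff_requests(window_s, initial_s=16.0, cap_s=1024.0):
    """Requests one client sends in `window_s` seconds when, getting no
    reply, it doubles its poll interval after every attempt up to `cap_s`.
    The defaults are an assumption that satisfies the RFC 4330 rule of a
    15 s minimum poll interval plus exponential back-off on silence."""
    sent, t, interval = 0, 0.0, initial_s
    while t < window_s:
        sent += 1
        t += interval
        interval = min(interval * 2, cap_s)
    return sent


def aggregate_load(num_clients, window_s, per_client_requests):
    """Return (packets_per_second, megabits_per_second) averaged over the
    window for `num_clients` identical clients, using the supplied
    per-client request-count function."""
    total = num_clients * per_client_requests(window_s)
    pps = total / window_s
    mbps = pps * WIRE_BYTES * 8 / 1e6
    return pps, mbps


def compare(num_clients=300_000, window_s=86_400):
    """Daily averages for the two client behaviours, side by side.
    The client count is an assumed figure in the range the report quotes."""
    return {
        "fixed_1s": aggregate_load(num_clients, window_s, fixed_interval_requests),
        "backoff": aggregate_load(num_clients, window_s, backoff_requests),
    }


if __name__ == "__main__":
    # A fixed one-second retry turns 300,000 clients into a 300,000 pkt/s,
    # ~216 Mbit/s flood; the same population with back-off averages about
    # 312 pkt/s, because each client sends only 90 requests in a day.
    for name, (pps, mbps) in compare().items():
        print(f"{name:>9}: {pps:>10,.1f} pkt/s  {mbps:>8.3f} Mbit/s")
```

The point the numbers make is that the server never gets a vote: once retry logic ships in firmware without back-off, the only variables left are the number of deployed units and the interval, and the aggregate rate is simply their ratio. A client that backs off converges on the same target but at three orders of magnitude less load, which is why the standards work the report mentions matters as much as the vendor fix.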

Saturday, September 13, 2003

Process Mapping and Flow Charting

A select group of resources with information on both process mapping and flowcharting. Process mapping is becoming more common particularly in conjunction with ERP systems and their variants (CRM, ...). ddv

Process Mapping and Flow Charting: "Process Mapping and Flow Charting"

Barron's Online Stock Charts

Now that many "paper" investment sources have begun truncating their listings - here is the traditional paper version of Barron's charts including earnings information for the current year and estimates for the next year. Plus the company/fund is linked to the WSJ Briefing book if you really want more company information. Interesting to see the "traditional" information online in a paper format, but including some online advantages. ddv

Barron's Online: "Barron's Online now includes full weekly listings for stocks traded on the New York and American Stock Exchanges and the Nasdaq National Market. These listings are presented in the same format formerly used in Barron's printed edition, which has begun carrying modified versions of this information. Similarly, Barron's Online now offers comprehensive weekly mutual-fund data, again in the format formerly employed in the printed edition. The funds in these listings have at least 1,000 shareholders or $25 million in assets. "

Thursday, September 11, 2003

Made to Measure: Invisible Supplier Has Penney's Shirts All Buttoned Up

Excellent example of effective use of information technology in the supply chain.

Made to Measure: Invisible Supplier Has Penney's Shirts All Buttoned Up: "Made to Measure: Invisible Supplier
Has Penney's Shirts All Buttoned Up
From Hong Kong, It Tracks Sales, Restocks
Shelves and Ships Shirts Straight to the Store

On a Saturday afternoon in August, Carolyn Thurmond walked into a J.C. Penney store in Atlanta's Northlake Mall and bought a white Stafford wrinkle-free dress shirt for her husband, size 17 neck, 34/35 sleeve.
On Monday morning, a computer technician in Hong Kong downloaded a record of the sale. By Wednesday afternoon, a factory worker in Taiwan had packed an identical replacement shirt into a bundle to be shipped back to the Atlanta store.
This speedy process, part of a streamlined supply chain and production system for dress shirts that was years in the making, has put Penney at the forefront of the continuing revolution in U.S. retailing. In an industry where the goal is speedy turnaround of merchandise, Penney stores now hold almost no extra inventory of house-brand dress shirts. Less than a decade ago, Penney would have had thousands of them warehoused across the U.S., tying up capital and slowly going out of style."

Wednesday, September 03, 2003

O'Reilly Network: Dispelling the Myth of Wireless Security [Aug. 14, 2003]

O'Reilly Network: Dispelling the Myth of Wireless Security [Aug. 14, 2003]: "Dispelling the Myth of Wireless Security"

"Editor's note: In this first excerpt from Wireless Hacks, author Rob Flickenger shows how to find out just how "secure" your standard wireless network really is.

Despite a few good online articles and countless alarmist news items decrying parasitic War Drivers and War Chalkers contributing to the moral decay of the country, a surprising number of people still install wireless equipment with all of the defaults enabled. There are a huge number of access points in use today that unintentionally advertise a default SSID, bridge directly to an Ethernet network, and use no encryption whatsoever (or a WEP key left on the factory setting, and therefore easily deduced).

But even if all standard precautions are in place, how much "security" do wireless access points actually provide? Having heard all sorts of widely varying estimates and assumptions from people who should be able to make an educated guess, I finally decided to see for myself what it would take to circumvent the security of my own standard 802.11b network"