Security Blog


11.14.2002

Your right to know
Rich from Taosecurity sent this link. Business Week examines your right to know about computer break-ins.
This lapse sparked what may mark a dramatic shift in legal policy toward cybersecurity. Over strenuous objections from the business lobby, on Sept. 26 California enacted a sweeping measure that mandates public disclosure of computer-security breaches in which confidential information may have been compromised. The law covers not just state agencies but private enterprises doing business in California. Come July 1, 2003, those who fail to disclose that a breach has occurred could be liable for civil damages or face class actions (click here for more information on the legislation, bill number SB 1386).




MS gets tough
I'll believe it when I see it. But couldn't someone teach Mundie some PR skills?
Craig Mundie, who oversees the company's Trustworthy Computing initiative, told an audience Wednesday that in response to the threat of terrorist cyberattacks, Microsoft would deploy security fixes to its installed base of hundreds of millions of computers worldwide in the coming year -- even if those fixes break applications in use by customers.
"We're going to tell people that even if (it) means we're going to break some of your apps, we're going to make these things more secure. You're just going to have to go back and fix it," said Mundie in a public presentation at the company's Silicon Valley campus in Mountain View, California.

"We're all going to have to collectively spend more, both in the development and maintenance of these machines, if we're going to be more secure."

I'm certain the legion of MS customers with custom apps ($$$) will be thrilled with that approach.




Solo update
The English military cracker will attempt to fight extradition to the US.
McKinnon, known on the Internet as "SOLO," remains free although he was briefly held by British authorities, U.S. Attorney Paul McNulty said. He said the Justice Department will seek to extradite McKinnon, a rare move in international hacking cases.




You are a suspect
Fantastic NYTimes editorial on the proposed Homeland Security Act. This is an important piece for everyone - privacy zealots, computer security professionals, tech enthusiasts.
Every purchase you make with a credit card, every magazine subscription you buy and medical prescription you fill, every Web site you visit and e-mail you send or receive, every academic grade you receive, every bank deposit you make, every trip you book and every event you attend — all these transactions and communications will go into what the Defense Department describes as "a virtual, centralized grand database."

To this computerized dossier on your private life from commercial sources, add every piece of information that government has about you — passport application, driver's license and bridge toll records, judicial and divorce records, complaints from nosy neighbors to the F.B.I., your lifetime paper trail plus the latest hidden camera surveillance — and you have the supersnoop's dream: a "Total Information Awareness" about every U.S. citizen.




Email never dies
The Wall Street Journal discusses email - and how it can haunt you.
The e-mail-fueled investigations into Wall Street brokerage firms, including former Merrill Lynch analyst Henry Blodget and, more recently, former Citigroup Salomon Smith Barney analyst Jack Grubman, have prompted many office workers and consumers to wonder: How do you safely purge your electronic communications?

While the longtime rule of thumb is don't put anything in e-mail that you don't want coming back to haunt you, apparently few people pay attention to it. Joan Feldman, a computer-forensics expert, recalls a client that was investigating two former employees. After searching their computers, her firm found not only e-mails regarding stolen trade secrets, but also lurid personal e-mails revealing that the pair was having an affair.




Crystal ball
Eugene Spafford has an article in InfoSec mag on the future of computer security. Several interesting predictions - take a look.
Will the future really be as bleak as these predictions suggest? Perhaps. One of the ground rules of prediction is that we have choices to make that can change the future.



11.13.2002

Update
Some more info on the English cracker:
US investigators say one break-in shut down navy systems immediately after the September 11 terror attacks.

Authorities say two of the computer systems were at the Pentagon. The intrusions also made inoperable the network that serves the military district for Washington.

Authorities have disclosed indictments in northern Virginia and New Jersey against Gary McKinnon, 36, of Hornsey, north London.



11.12.2002

Military cracker caught
Slashdot referenced this story on an English cracker who hit more than 100 unclassified military networks. This is the first I've heard of this, and the article is sketchy - but it sounds interesting.
Federal authorities have cracked the case of an international hacker who broke into roughly 100 unclassified U.S. military networks over the past year, officials said Monday.

And this snippet caught my eye, perhaps implying how serious/sophisticated the attacks were?
Officials said U.S. authorities were weighing whether to seek the hacker's extradition from England, a move that would be exceedingly rare among international computer crime investigations.



11.11.2002

Great reporting
The Wall Street Journal has a fascinating piece on how al Qaeda used the Internet. Pick up a copy and take a look if you can. I can't post everything here, but a good excerpt follows.

The Milestones of Holy War site signals much more modest cyber-skills. Al Qaeda operatives struggled with some of the same tech headaches as ordinary people: servers that crashed, outdated software and files that wouldn't open. Their Web venture followed a classic dot-com trajectory. It began with excitement, faced a cash crunch, had trouble with accountants and ultimately fizzled.

But the project also illuminates the elusive contours of al Qaeda's strengths: far-flung outposts of support, a talent for camouflage and a knack for staying in touch using tools both sophisticated and simple. Though driven from Afghanistan, al Qaeda still has many hiding places, many channels of communication and -- boasts Mr. bin Laden's senior lieutenant, Egyptian Islamic Jihad chief Ayman al-Zawahri -- many means of attack.

Al Qaeda chiefs communicate mainly by courier, say U.S. officials. But their underlings make wide use of computers: sending e-mail, joining chat rooms and surfing the Web to scout out targets and keep up with events. Since late last year, U.S. intelligence agencies have gathered about eight terabytes of data on captured computers, a volume that, if printed out, would make a pile of paper over a mile high. The rise and eventual demise of maalemaljihad.com -- pieced together from interviews, registration documents and messages stored on an al Qaeda computer The Wall Street Journal obtained in Kabul -- provides an inside glimpse of this scattered, sometimes fumbling, but highly versatile fraternity.




Domestic data mining
From the NYTimes:
The Pentagon is constructing a computer system that could create a vast electronic dragnet, searching for personal information as part of the hunt for terrorists around the globe — including the United States.

Why is this significant - and scary?
Historically, military and intelligence agencies have not been permitted to spy on Americans without extraordinary legal authorization. But Admiral Poindexter, the former national security adviser in the Reagan administration, has argued that the government needs broad new powers to process, store and mine billions of minute details of electronic life in the United States.