Update on Microsoft EU decision
According to a recent story in InternetNews, and various doomsayers, Microsoft is in dire straits, licking its near-fatal wounds after the recent EU court decision against it.
The general hypothesis is that having to unbundle Media Player from Windows prevents them from bundling anything else with it in the future, thus destroying their business model for all time.
Besides the fact that I did not read this dire conclusion as inevitable from the decision, I cannot imagine that the Redmond Mothership does not have a viable 'Plan B'.
Let's see: MS had (a wild guess) swarms of lobbyists and lawyers swanning around Brussels before the boom was lowered, trying to drum up positive press, and a warm and fuzzy feeling towards them amongst EU movers and shakers. All standard fare when the stakes are high.
But although hope dies eternal, is there a real likelihood that such seasoned scrappers (used to knock-down fights with competitors since day one) never considered the possibility they might lose?
Au contraire, they will undoubtedly produce the gummy Media Player-less OS in January 05, as promised, and soldier on making billions. They will also redouble their efforts to pump up Media Player as the best-of-breed player on a pure standalone basis, and develop various channels to market that work around the decision.
As for the notion that they are now prohibited from seeking to bundle a security/anti-spyware product (a credible scenario after the recent Giant Software purchase) with Windows as a direct result of this decision: off the cuff I can think of a raft of decent legal arguments that defy such a conclusion. So (I can only assume) will their fleets of lawyers.
Cultural sensitivity lacking
That being said, one lesson that MS and other monolithic US companies seem unable to learn is how not to really tick off the natives on their home turf with pompous, supercilious, and generally ignorant comments about the EU citizenry in particular.
If I read one more 'broken record' article in the US media (the WSJ is relentless on this theme; it seems to be established dogma in the newsroom) about how Europeans are lazy as dogs, hideously unproductive, wine-swilling neanderthals who gaze longingly across the ocean at their worked-to-the-bone US peers, I will surely turn purple and spontaneously combust. Not a pretty sight, I can assure you.
Besides the fact that the numbers used to support this dodgy premise are usually wrong, and heavily massaged to support the very cathartic 'superiority complex' messaging, the fact remains that most Europeans do not aspire to a life with no health care, no vacations, no pensions, no child care... they really, really don't.
Steve Ballmer (CEO of MS) was recently quoted in an interview in the UK (when discussing the regulatory environment in Europe) as musing: "if only they (the EU authorities) were more like us Americans". Indeed. If only.
But with EU enlargement inevitable, and opportunities for growth at home finite, a little bit of respect for the locals might go a long, long way.
AMD called to task for overhyping security technology
AMD was recently called to task by Dutch regulators for wishful thinking: advertising a new chip (with 'NX', or 'no-execute', technology) as a way to prevent all forms of virus outbreaks in the Netherlands. A complaint was made to the Dutch consumer commission (by a competitor, perchance?) that the AMD advertising was misleading.
An AMD advert in Holland apparently stated: "Because I have an AMD64 processor, I no longer have to worry about viruses."
According to a report in The Register, AMD is currently the only company offering what it calls 'Enhanced Virus Protection Technology'. It assists in preventing buffer overflow attacks by letting the operating system mark data pages as non-executable, so it addresses one class of attack rather than viruses in general. Moreover, as it works with Windows XP Service Pack 2 only, the Dutch regulators considered the claims made about its virus-busting properties to be overreaching.
Security companies are frequently guilty of twofold sinning: overhyping security risks (see FUD section), and overstating the value of their technologies to solve real-world security problems.
This case is an example of the pitfalls of overselling. Customers are increasingly wise to it, and jaded about 'silver bullet' technology solutions. Biometric companies have been particularly guilty on this front over the past few years, especially post-9/11, when opportunity (unsavoury as it might seem) appeared to knock after many frustrating years on the fringes.
They have been successful on many fronts, but I predict that biometric solution vendors that come clean about the limitations of the promising technology (in all its many forms) will ultimately endure over the more shameless spinmeisters.
Watch public claims about security practices ("when Mum really is the word")
It is also important to note that making public claims about the strength of your security practices (e.g. "your information is secure/completely safe with us", etc.) can be particularly injurious to your health, especially in the US, if not in fact true.
Indeed, it is highly inadvisable, as a matter of common sense, to overstate (however well intentioned) your ability to protect against any and all threats. Security breaches will occur, despite your best efforts. There is no complete security.
In the US, in the absence of privacy laws that mandate security across the board, as is the case in Europe (although the legal situation can vary in the US from state to state and sector to sector), you are better off saying nothing than risking falling foul of the FTC (Federal Trade Commission) for misleading advertising/deceptive trade practices, as Microsoft, Tower Records, Guess and Petco found out to their cost.
In an FTC press release (August 8, 2002) on the settlement of a case against Microsoft, the following statement made by the FTC encapsulates their position nicely:
"Good security is fundamental to protecting consumer privacy," said Timothy J. Muris, Chairman of the Federal Trade Commission. "Companies that promise to keep personal information secure must follow reasonable and appropriate measures to do so. It's not only good business, it's the law. Even absent known security breaches, we will not wait to act."
Note the emphasis on the word 'promise'. It is not bad if you 'promise' to do nothing; it is only bad if you 'promise' too much.
Unfortunately, while the FTC stance on these issues may seem to protect the consumer, the opposite may in fact be the result:
Companies that make good-faith (albeit misguided) efforts to at least have a security policy will be slammed when they do not follow through on impossible representations, and more worldly-wise entities (where were the MS lawyers?) will promise nothing at all. In fact they are highly incentivized to stay Mum.
How, therefore, is a befuddled consumer supposed to tell the wheat from the chaff?
To my mind, the need for privacy/security laws in the US is crystal clear, at least from the consumers' perspective, with sensible exemptions for companies that make reasonable efforts to do the right thing.
E-Banking in Korea less risky for consumers?
The Korean government recently adopted a financial e-transaction bill. The bill must still be discussed at a Cabinet meeting scheduled for Jan. 4, and then submitted to the National Assembly.
A report in Chosun.com states that the bill provides protection for consumers who incur loss or damage while conducting e-banking, where the loss results from an external event such as a hacking attack or computer malfunction. It apparently will make financial institutions/e-banking service providers liable in such instances.
However, if consumers cause the problem deliberately or through negligence, they will be held accountable. In addition, the report states that 'consumers' identification number, secret code and certified document, all of which are essential prerequisites for e-banking, should be issued only when consumers apply for them and after their identity has been confirmed'.
Thief who stole cancer patient's identity convicted under US HIPAA law
This story is actually old news, but we haven't run it before, and it is worth a gander as it sets a useful precedent and proves that the US HIPAA law (the Health Insurance Portability and Accountability Act of 1996) has teeth. It marks the first HIPAA criminal penalty imposed by a US court.
In November 2004 in Seattle, a District Court Judge sentenced 42-year-old Richard Gibson to 16 months in jail, plus a substantial fine: four months longer than prosecutors had sought in this sorry case.
The 37-year-old victim was a mortgage banker from the Silicon Valley area. While he was in hospital at the Seattle Cancer Care Alliance receiving chemotherapy treatment, he started to receive mail regarding new credit card accounts he had not opened. He had to spend a lot of time and money (when he presumably should have been recovering) putting his financial house and life back in order.
Gibson worked at the alliance as a phlebotomist and laboratory technician from November 2001 until he was fired in February 2003. He stole information about his victim from his employer, and used it to falsely obtain credit cards. He charged more than $9,000 on four credit cards to the patient's name.
Prosecutors could have elected to use identity theft laws to prosecute Gibson, but opted to take the newly minted criminal law provisions under HIPAA out for a successful spin. They also succeeded in getting a conviction despite the fact that Gibson was not a "covered entity" under HIPAA, but rather the employee of such an entity.
This case can serve as a warning to all US health care workers that stealing and abusing sensitive medical data for personal gain will not sit well with the courts, and will likely result in time behind bars.