June 2006 Archive

Trojan horse doesn’t affect deadbeat dads

June 30th, 2006

A system processing a million a day in child support payments was infected with a trojan horse, and now the Nebraska Treasurer’s Office is scratching its head. Actually, the head scratching part is just a theory of mine - usually a bureaucrat’s first notion is to downplay the problem.

“A preliminary investigation of the incident suggests that the hacker did not download the information…But the possibility does exist,” noted State Treasurer Ron Ross.

The really sad part of this is that a state with a population of a little more than 1.7 million people has 300,000 people and 9,000 employers in a child support database. If it is running on a Windows desktop, as the ZDNet post suggested, then it is just simple lunacy.

The VA laptop is back

June 30th, 2006

Once gone, now recovered.

No word on how it was recovered, but someone mentioned they think the data within might not have been accessed. Gone for over a month. Plenty of publicity. Now a stealth recovery and no breach. Sounds like someone wants to get out of paying many millions for credit monitoring if you ask me.

***UPDATE***

The questions about access remain, but not how it was re-acquired. Someone turned it in after buying it off the back of a truck. The random burglar theory is reconstituting.

***UPDATE 2***

And now they think they have their thief.

Wireless waste of public funds

June 30th, 2006

Police in Douglas County, Colorado (right down the street from Spamroll) are going to start wardriving for the purpose of warning open wireless device hosts of impending danger.

I wish I could properly spell out what a complete waste of time and money this is, but I guess some bureaucrat thought it was a good idea. The problem with wireless hacks is not the open device, but the devices behind them that lack security of their own. Need it defined further? If you run a wireless computer behind a network in administrator (or root) mode, it really doesn’t matter whether you have WEP (the only really easy wireless encryption that everyday folks employ) running on that hub/router. Someone is going to get you if they want to.

Will Microsoft kill the security sector?

June 29th, 2006

First people wondered whether the “enhanced security” of Windows Vista would plunder the multi-billion dollar computer security market. The talk there has quieted, as there is really no telling when the software might be released (and since you need a quad processor with 8 gigs of RAM to run it, the uptake won’t be quick when it does).

So let’s point the finger at the Microsoft OneCare program, and see if it raises any ire. Can it kill the Symantecs and McAfees of the world?

Alex Eckelberry seems to think so, but not because he is unconfident about his own Sunbelt products. Mr. Eckelberry thinks predatory pricing for Microsoft OneCare is the issue.

My notion is this: as long as folks are running Windows, viruses and spyware are going to run rampant. And as long as pests persist, security firms have a business model. As much as Microsoft wants to be in the security business, the more they push it the more people are going to wonder why the company is selling security protection for their own operating systems. In other words, I think there is going to be some level of rebellion at the notion.

If everyone ran Linux or OS X, security firms would have something to worry about.

***UPDATE***

Victor Godinez of the Dallas Morning News says using Microsoft OneCare is like “asking the fox to guard the henhouse.” I concur.

A blue pill cures all problems

June 29th, 2006

When you think of blue pills, you imagine TV ads by politicians, people who are bored with their partners, and people who can’t get enough of their partners. You might also think of a lot of spam, due primarily to the previous points. However, you’d likely never think a “blue pill” could hide malware, completely undetectable, on your Windows computer, but that is exactly what a researcher in Singapore has devised. I suspect the name was an afterthought.

I’d say it’s good to know that such things are possible ahead of time, so someone can devise a way of detecting the undetectable (always happens). I’d also say I’m feeling pretty comfy sitting at my desk right now - with one computer running OS X and the other running Fedora Core.

Gambling site denounces blog spam

June 29th, 2006

It is always cute to see companies attempt to take the high road regarding their promotion. We all know it is all about the greenbacks, so while 888 Casino denounces blog spam, you know someone will keep on trying, because there is money to be made. If they really wanted to stop uncontrolled, unethical promotion, they would simply halt the affiliate or other promotional program that is at the root of the issue, but we know that isn’t going to happen (think 180Solutions).

Everyone is guilty, somewhere, somehow. Unfortunately, the contextually driven nature of the internet makes it difficult to manage. Case in point: you’re a high-profile political blog who mentions the word Connecticut. There are big casinos in Connecticut. And although online gambling is technically illegal, your site’s feeds are bound to grab a casino ad. Whether you throttle that advertiser next time around depends on you (and, of course, whether you are making tons of cash off that ad).

White House says lock up your laptop

June 28th, 2006

The Bush Administration’s Office of Management and Budget is advising federal agencies to encrypt laptop data, among other measures, following a flurry of data thefts (think VA).

I don’t track my inbound stats at Spamroll all that thoroughly, but I do think I would have remembered if the White House visited. Therefore, I wonder where they came up with that bright idea, since I’ve been pissing and moaning about it for over a year.

Ohio University sued over multiple break-ins

June 27th, 2006

Ohio University has struggled as of late with hackers. Actually, struggle isn’t doing the problem justice. The institution has been hacked time and time….uh…..again. And after they ignored warnings over faulty security to boot.

Now they are being sued. Class action status is being pursued, with ongoing credit monitoring and damages for identity theft losses being the bounty.

As John Burns, OU’s legal affairs director, noted on the lawsuit:

“We’ll review it and we’ll defend it.”

How do you defend five hacks, and a possible class action lawsuit seeking reasonable assistance with potential problems caused solely by your negligence? Or better, why do you defend against it?

The lack of accountability, as well as the arrogance, in institutions, is astonishing.

Harvard Law Review paper chimes in on net security

June 26th, 2006

I could have put up a sensationalist title like “Harvard says Go Hackers!” but that would have done nothing except ensure the post wound up on the front page of Digg, and I don’t yet understand what all those little votes mean anyway. A student writing for Harvard Law Review thinks that outing vulnerabilities keeps software makers on their toes, so it should be a good thing.

Free markets at work, so to speak. No further comment, as I am biased in that arena (i.e. I tend to agree).

Navy hull intact, data porthole was left open

June 26th, 2006

Nobody had to attempt brute force hacks of RSA keys via SSH. Nobody had to implement a cross-site script exploit to foul up the site. Nobody had to break into someone’s home and steal a laptop. Nothing of the sort was needed to get at the data. Someone left spreadsheets full of Navy personnel information on a website, and now 28,000 people have to worry about their credit scores.

The headlines called it a “breach” - I call it a lack of accountability.