Thursday, April 29, 2010

Motivational Moment

Thought for the Day

April 29, 2010


It is a curious fact of nature that somehow our minds find a way to transform into physical reality the things we think about most. If you expect to fail, you can be sure that you will, and if you find something negative in every opportunity, nothing will ever work out positively for you. Fortunately, the reverse is also true. If you are a happy, positive person, you will attract positive things. You can keep your mindset positive by eliminating negative thoughts the moment they begin to creep into your conscious mind. If you dwell on the negative aspects of every opportunity, you will never accomplish anything worthwhile. Be prudent about the risks you take, but don’t be paralyzed by fear of failure.

This positive message is brought to you by the Napoleon Hill Foundation. Visit us at W

Tuesday, April 27, 2010

Peppermint: A New Linux Flavor for the Cloud


Monday, April 26, 2010

NASA wants public to join in Hubble Telescope's 20th anniversary extravaganza


The Hubble Space Telescope [1] has been taking snapshots of the universe for 20 years as of this week, and as part of that anniversary, the space agency is looking to crowdsource new galaxy images and promote social network celebrations.

Specifically, NASA's Space Telescope Science Institute and the online astronomy project Galaxy Zoo are making almost 200,000 Hubble images of galaxies available to the public at Galaxy Zoo: Hubble [2]. What they want are volunteers from around the world to help astronomers classify these photos by answering simple questions [3] about what they are seeing -- for example, identifying the number of spiral arms visible, shape of galaxy, or spotting galaxies in the process of merging, according to NASA.

More than 250,000 people have contributed to Galaxy Zoo [2] since its launch in 2007, but so far they have been looking only at the local Universe, the group stated. The original Galaxy Zoo and Galaxy Zoo 2 both used data from the Sloan Digital Sky Survey and recently, after reaching 60,000,000 classifications those projects began to wind down, the group stated.

"The large surveys that Hubble has completed allow us to trace the Universe's evolution better than ever before," said University of Nottingham astronomer and Galaxy Zoo team member Dr. Steven Bamford in a statement. "The vast majority of these galaxies will never have been viewed by anyone, and yet we need human intuition to make the most of what they are telling us."

The Galaxy Zoo project isn't the only activity NASA wants the public to participate in. Hubble fans worldwide are being invited to take an interactive journey with Hubble by visiting NASA - Celebrating the 20th Anniversary of the Hubble Telescope [5]. They can also visit HubbleSite -- Out of the ordinary...out of this world. [6] to share the ways the telescope has affected them. Follow the "Messages to Hubble" link to send an e-mail, post a Facebook message, or send a cell phone text message. Fan messages will be stored in the Hubble data archive along with the telescope's science data. For those who use Twitter, you can follow @HubbleTelescope or post tweets using the Twitter hashtag #hst20.

According to NASA, Hubble has become the best-recognized, longest-lived and most prolific space observatory since the space agency launched it on April 24, 1990.

Over the years, Hubble has suffered broken equipment, a bleary-eyed primary mirror, and the cancellation of a planned shuttle servicing mission. Still, the telescope's crisp vision continues to challenge scientists and the public with new discoveries and evocative images, NASA stated.

To date, Hubble has observed more than 30,000 celestial targets and amassed more than a half-million pictures in its archive. The last astronaut servicing mission to Hubble in May 2009 made the telescope 100 times more powerful than when it was launched.

Recently astronomers broke the distance limit for galaxies [7] by uncovering a primordial population of compact galaxies that have never been seen before. Pictures from NASA's Hubble showed the galaxies to be from 13 billion years ago, just 600 to 800 million years after the Big Bang. The space telescope images could show the newly found objects are crucial to understanding the evolutionary link between the birth of the first stars, the formation of the first galaxies, and the sequence of evolutionary events that resulted in the assembly of our Milky Way, NASA stated.

New tool makes end users responsible for data loss prevention


IT Best Practices Alert, by Linda Musthaler

Check Point just entered the market with its first data-loss prevention product, and the approach that Check Point took with this solution is quite different from other DLP products. If you are an overworked IT professional or security specialist, you are going to like how Check Point DLP works. That's because this product takes the burden off IT and puts the onus on end users to get involved in protecting sensitive data.

Like every other DLP product, Check Point DLP uses a set of rules and policies to determine what information should not be allowed to go outside the company or even outside a specific workgroup. But unlike other products, Check Point sends the alert for a rule or policy violation to the worker who triggered it with his inappropriate actions. This user-based approach makes the individual more aware of what he is doing and teaches him to be a better steward of the organization's important information. And, it relieves the IT department from having to view the content in question and make a decision about whether it's OK to send it.

When a worker violates a data-handling rule, he gets a pop-up on his screen that prompts him with several options: continue to send the data, discard the inappropriate activity (i.e., don't send), or review the action to make sure he really wants to send this data. When the worker clicks on one of these choices, Check Point DLP immediately remediates the situation as directed.

Over time, both the worker and the system learn what is and isn't appropriate to send via e-mail or file transfer, copy to a removable medium, and so on. The worker comes to understand company policies and observes them by not performing an activity that is going to trigger an alert. Eventually the number of alerts decreases as the worker becomes more efficient in his job as well as more observant of company policies.

What happens if a worker deliberately violates a policy and remediates the alert by sending the data anyway? Or, in a rushed moment, he mindlessly clicks "send" instead of "discard." Yes, these are possibilities. However, every alert is logged so that company authorities can go back and review what actions took place. This audit trail will show if a particular worker is a repeat offender when it comes to data policies.

The system also has self-learning capabilities that can be turned on if you choose. You create rules to tell the system not to prompt with alerts on the same things over and over. For example, perhaps there is a document with sensitive information that needs to be shared with an outside party every month. Ordinarily Check Point DLP would question the action, but you can tell it to ignore this document. Coming in a future release of the software, you'll be able to create granular "learning" rules based on specific users in your directory system.

The heart of this product is the DLP MultiSpect Correlation Engine. This engine allows you to correlate more types of information in a single rule so you get more granularity. The MultiSpect engine draws from more than 600 file formats out of the box; more than 250 pre-defined data types; internal and proprietary templates and forms; several hundred pre-defined policies; and of course, your own custom rules and policies. This engine helps to reduce false-positives and deliver better accuracy in the alerts.

If you use a Check Point management dashboard now for other Check Point security products, the DLP product just becomes another tab on the dashboard. This lowers the learning curve for managing the DLP service.

There are several deployment options. Check Point DLP can be installed: as a software blade on any Check Point Power-1 or UTM-1 gateway; on any open server from HP, Dell or other vendors; or as a dedicated appliance. All configurations can be deployed in-line for prevention mode. Check Point has a product that it believes will get companies up and running quickly and into prevention mode in very little time.

Friday, April 23, 2010

Motivational Moment

Thought for the Day

April 23, 2010


The ability to evaluate yourself and your performance objectively is critical to your relationships with others and will have an enormous impact upon the level of success you achieve during your lifetime. Unless you can honestly evaluate your strengths and weaknesses, how can you ever expect to improve your performance? You must determine where you are before you can develop a plan to get you where you would like to be. If you were an independent, dispassionate observer, what advice would you give to yourself to improve your skills, your work habits, your interaction with others, and your contribution to the organization? Honesty about yourself is the first step toward self-improvement.

This positive message is brought to you by the Napoleon Hill Foundation. Visit us at

Thursday, April 22, 2010

Learn how to put AppLocker, BitLocker to Go, security accounts, and other key Windows 7 security improvements to good use

The ultimate guide to Windows 7 security

By Roger A. Grimes

Windows 7 has been warmly received and swiftly adopted by businesses, with the result that many IT admins are now struggling with the platform's new security features. In addition to changes to User Account Control, BitLocker, and other features inherited from Windows Vista, Windows 7 introduces a slew of security capabilities that businesses will want to take advantage of.

Windows 7 improves on Vista with a friendlier UAC mechanism, the ability to encrypt removable media and hard drive volumes, broader support for strong cryptographic ciphers, hassle-free secure remote access, and sophisticated protection against Trojan malware in the form of AppLocker, to name just a few.

In this guide, I'll run through these and other significant security enhancements in Windows 7, and provide my recommendations for configuring and using them. I'll pay especially close attention to the new AppLocker application-control feature, which may be a Windows shop's most practical and affordable way to combat socially engineered Trojan malware.

New and improved. Windows 7 has literally hundreds of security changes and additions, far too many to cover in one fell swoop. While this guide focuses on the ones that most organizations will be interested in, keep in mind that plenty of others may deserve your attention. A few of the biggies not discussed here are built-in support for smart cards and biometrics, the ability to force the use of Kerberos in a feature called Restrict NTLM, and support for the new DNSSEC standards, which are becoming essential to prevent DNS exploitation attacks. Also noteworthy is a new feature called Extended Protection for Authentication, which prevents many sophisticated man-in-the-middle attacks that can strike at some of our most trusted security protocols (such as SSL and TLS).

User Account Control. A Windows Vista feature that users loved to hate, User Account Control has been significantly improved to be both less intrusive and smarter at distinguishing between legitimate and potentially malicious activities in Windows 7. However, depending on whether you are logged on as administrator or a standard user, some installs of Windows 7 may have a default UAC security setting that's one level lower than some experts (including yours truly) recommend. Standard users have UAC security default to the most secure setting, while administrator accounts reside a notch below the highest setting, which is potentially riskier.

Note too that, although UAC provides a much-needed mechanism to prevent the misuse of administrator privileges, it can be bypassed. If you need high security, users should not log on with an elevated user account until they need it.

Your domain environment should already be at the highest and most secure level ("Always notify"). If it isn't, make it so. That way, users will be prompted to input their passwords to perform high-risk administrative actions. No matter what else, UAC should be enabled.

BitLocker Drive Encryption. In Windows 7, BitLocker Drive Encryption technology is extended from OS drives and fixed data drives to include removable storage devices such as portable hard drives and USB flash drives. This new capability is called BitLocker to Go.

In Windows Vista SP1, Microsoft added official support for encrypting fixed data drives, but it could only be done using command-line tools. Now you can encrypt operating system volumes, fixed data drives, and USB flash drives with a simple right-click, via the Windows Explorer GUI. Moreover, you can use smart cards to protect data volumes, and you can set up data recovery agents to automatically back up BitLocker keys. If you're using a Trusted Platform Module (TPM) chip, you can enforce a minimum PIN length; five characters should suffice for most environments.

In Windows 7, there is no need to create separate partitions before turning on BitLocker. The system partition is automatically created and does not have a drive letter, so it is not visible in Windows Explorer and data files will not be written to it inadvertently. The system partition is smaller in Windows 7 than in Windows Vista, requiring only 100MB of space.

With BitLocker to go, you can encrypt removable drives one at a time or require that all removable media be encrypted by default. Further, encrypted removable media can be decrypted and reencrypted on any Windows 7 computers -- not just the one it was originally encrypted on.

BitLocker to Go Reader (bitlockertogo.exe) is a program that works on computers running Windows Vista or Windows XP, allowing you to open and view the content of removable drives that have been encrypted with BitLocker in Windows 7.

You should enable BitLocker (preferably with TPM and another factor) on portable computers if you do not use another data encryption product. Store the BitLocker PINs and recovery information in Active Directory or configure a domain-wide public key called a data recovery agent that will permit an administrator to unlock any drive encrypted with BitLocker. Require BitLocker to Go on all possible removable media drives.

Easily encrypted page file. Users who cannot utilize BitLocker but still want to prevent the memory swap page file from being analyzed in an offline sector editing attack no longer need to erase the page file on shutdown. Windows XP and earlier versions had a setting that allowed the page file to be erased on shutdown and rebuilt on each startup. It's a great security feature, but it often caused delayed shutdowns and startups -- sometimes adding as much as 10 minutes to the process.

In Windows 7 (and Vista), you can enable page file encryption. Even better: There is no key management. Windows creates and deletes the encryption keys as needed, so there is no chance the user can "lose" the key or require a recovery. It's crypto security at its best.

Better cryptography. Windows 7 includes all the latest industry-accepted ciphers, such as AES (Advanced Encryption Standard), ECC (Elliptical Curve Cryptography), and the SHA-2 hash family. In fact, Windows 7 implements all of the ciphers in Suite B, a group of cryptographic algorithms approved by the National Security Agency and National Institute of Standards and Technology for use in general-purpose encryption software.

While Microsoft added support for Suite B cryptographic algorithms (AES, ECDSA, ECDH, SHA2) to Windows Vista, Windows 7 allows Suite B ciphers to be used with Transport Layer Security (referred to as TLS v.1.2) and Encrypting File System (EFS). Suite B ciphers should be used whenever possible. However, it's important to note that Suite B ciphers are not usually compatible with versions of Windows prior to Windows Vista.

By default, all current technologies in Windows will use industry standard ciphers. No more legacy, proprietary ciphers are used. Those legacy ciphers that still exist are included only for backward-compatibility purposes. Microsoft has shared the new ciphers in detail with the crypto world for analysis and evaluation. Key and hash sizes are increased by default.

EFS (Encrypting File System) has been improved in many ways beyond using more modern ciphers. For one, you can use a smart card to protect your EFS keys. This not only makes EFS keys more secure, but allows them to be portable between computers.

Administrators will be happy to know that they can prevent users from creating self-signed EFS keys. Previously, users could easily turn on EFS, which generated a self-signed EFS digital certificate if a compatible PKI server could not be found. Too often, these users encrypted files but did not back up their self-signed digital certificates, which frequently led to unrecoverable data loss.

With Windows 7, administrators can still allow self-signed EFS keys, while mandating ciphers and minimum key lengths. Windows 7 will prod users to back up their EFS digital certificates to some other removable media or network drive share -- and keep prodding them until they do it. A Microsoft Web page details the EFS changes.

Safer browsing with IE 8. Users don't need Windows 7 to run IE 8, and if they're running an older version of IE on an older operating system, they should upgrade to IE 8 as soon as possible. Even better, from a security standpoint, is running IE 8 on Windows 7.

Not only is IE 8 more secure by default than previous versions of the browser, but IE 8 is more secure on Windows 7 than on Windows XP. The recent Chinese Google zero-day hacking attack demonstrates this more effectively than anything I could come up with. The Chinese attacks work most effectively on IE 6 and not very well on IE 8 (see the relative risk ratings). Microsoft tested a number of related exploits and found that they were significantly harder to accomplish in IE 8, and harder still in IE 8 on Windows 7.

Naturally, application and Website compatibility issues will guide how quickly Windows shops can move to the new browser -- but run some tests. I have no shortage of clients who are still clinging to IE 6 and haven't conducted any compatibility testing in over a year. Often when I goad them into retesting their troublesome application with IE 8, it works.

Multiple active firewall policies. Prior to Windows 7, when a user had multiple network interfaces active, only one Windows Firewall profile (i.e., Home, Domain, Work, or Public) could be used. This created potential security vulnerabilities, such as when a computer was both wired to the local network domain and connected to a less restricted wireless network. Windows 7 can now detect multiple networks and apply the appropriate firewall profile to the right interface.

Improved System Restore. System Restore now includes the user's personal content files. Older versions backed up and protected only the Windows system files. System Restore also allows you to see what files would be restored in each version of the System Restore files. It's not perfect, but it's nice to see what will occur if you were to choose a particular restoration point.

Smooth remote access. DirectAccess allows remote users to securely access enterprise resources (such as shares, Websites, applications, and so on) without connecting to traditional types of VPNs. DirectAccess establishes bidirectional connectivity with a user's enterprise network every time a user's DirectAccess-enabled portable computer connects to the Internet, even before the user logs on. The advantage here is that users never have to think about connecting to the enterprise network, and IT administrators can manage remote computers even when the computers are not connected to the VPN.

Once DirectAccess is enabled, when a user's computer connects to the Internet, it's as though he or she is on the organization's local network. Group policies work, remote management tools work, and automatic push patching works.

Unfortunately, DirectAccess has fairly involved requirements, including Windows Server 2008 R2 (to act as the RAS server), Windows 7 Enterprise or Ultimate clients, PKI, IPv6, and IPSec. But as companies put the necessary pieces into place, they should look into using DirectAccess as their default VPN technology for Windows 7 and later clients.

Managed Service Accounts. Service accounts are often highly privileged, but difficult to manage. Best-practice recommendations dictate changing service account passwords frequently, so as to avoid the risk of password attacks. However, Windows service accounts often require two or more coordinated, synchronized password changes in order for the service to continue running without interruption; prior to Windows 7 and Windows Server 2008 R2, service accounts were not easy to manage. If a service account is enabled as a Managed Service Account, Windows will take over the password management and simplify management of Kerberos SPNs (Service Principal Names).

Like DirectAccess, Managed Service Accounts have a lot of requirements, including a schema update and mandatory use of PowerShell 2. Still, if service accounts are a hassle in your environment -- and you know they are -- consider enabling this new feature when your infrastructure is prepared.

Virtual Service Accounts. Virtual Service Accounts (VSAs) are related to Managed Service Accounts in that Windows takes over the password management. However, VSAs are for local service accounts and don't require a schema update or nearly the amount of effort to configure and use.

When a VSA controls a service, the service accesses the network with the computer's identity (in a domain environment), which is much like what the built-in LocalSystem and Network Service accounts do, except that VSAs allow each service to have its own separate security domain and corresponding isolation.

Creating a Virtual Service Account is pretty easy. Open the Services console (services.msc) and modify the service's logon account name so that it's the same as the service's short name, for example NT SERVICE\ServiceName$. Then restart the service. That's it.

When the infrastructure can support it, consider using Managed and Virtual Service Accounts functionality to manage service account password security.

AppLocker application control. The leading cause of malware infections may surprise you. Most machines aren't exploited due to missing patches (although this is the second biggest cause), unpatched zero days (almost never a factor), drive-by downloads, or misconfigurations. Nope, most systems are infected because users are duped into intentionally installing programs that a Website or email says they need. These socially engineered Trojans come in the guise of antivirus scanners, codecs required for a media player, fake patches, and just about any other bait the bad guys can concoct to lure end-users into installing their Trojan executable.

The most effective means of thwarting these threats in an enterprise environment is preventing end-users from installing unapproved programs. If you leave the decision up to end-users, they will almost always make the wrong choice. If they didn't, malware wouldn't be nearly as common as it is today.

Microsoft's most sophisticated solution to the problem is AppLocker, an application-control feature included in Windows 7 (Ultimate and Enterprise editions) and Windows Server 2008 R2. AppLocker is an improvement on the Software Restriction Policies (SRP) introduced with Windows XP Professional. AppLocker allows you to define application execution rules and exceptions based on file attributes such as path, publisher, product name, file name, file version, and so on. You can then assign policies to computers, users, security groups, and organizational units via Active Directory.

Configuring AppLocker. You can configure AppLocker locally using the Local Computer Policy object (gpedit.msc) or via Active Directory and Group Policy Objects (GPOs). AppLocker relies on the built-in Application Identity service, which is normally set to manual startup type by default. Administrators should configure the service to start automatically.

Within the local or group policy object, AppLocker is enabled and configured under the \Computer Configuration\Windows Settings\Security Settings\Application Control Policies container.

By default, AppLocker rules do not allow users to open or run any files that are not specifically permitted. First-time testers will benefit by allowing AppLocker to create a default set of "safe rules" using the Create Default Rules option. The default rules authorize all files in Windows and Program Files to run, along with letting members of the Administrators group run anything.

One of the most notable improvements over SRP is the ability to run AppLocker against any computer using the Automatically Generate Rules option to quickly create a baseline set of rules. In a few minutes, dozens to hundreds of rules can be produced against a known clean image, saving administrators anywhere from hours to days of work.

Running by the rules. AppLocker supports four types of rule collections: Executable, DLL, Windows Installer, and Script. SRP administrators will notice that Microsoft no longer has the registry rules or Internet zones options. Each rule collection covers a limited set of file types. For example, executable rules cover 32- and 64-bit .EXEs and .COMs; all 16-bit applications can be blocked by preventing the ntvdm.exe process from executing. Script rules cover .VBS, .JS, .PS1, .CMD, and .BAT file types. The DLL rule collection covers .DLLs (including statically linked libraries) and OCXs.

If no AppLocker rules for a specific rule collection exist, all files that share the same format are permitted to run. However, once a rule for a specific collection is created, only the files explicitly allowed in the rule can execute. For example, if you create an executable rule that allows .EXE files in %SystemDrive%\FilePath to run, only executable files located in that path are permitted to run.

AppLocker supports three types of rule conditions for each rule collection: Path Rules, File Hash Rules, and Publisher Rules. Any rule condition can be used to allow or deny execution, and it can be defined for a particular user or group. Path and File Hash rules are self-explanatory; both accept wildcard symbols. The Publisher rules are fairly flexible and allow several fields of any digitally signed file to be matched with specific values or wildcards. By using a convenient slider bar in the AppLocker GUI, you can quickly replace the specific values with wildcards. Each new rule conveniently allows one or more exceptions to be made. By default, Publisher rules will treat updated versions of files the same as the originals, or you can enforce an exact match.

Rules for exceptions. If you need to make a rule for a file type that is not defined in AppLocker's policy table, you'll have to use some creativity to get the desired effect. For example, to prevent Perl script files with the .PL extension from executing, you would have to create an executable rule that blocked the Perl.exe script interpreter instead. This would block or allow all Perl scripts and require some resourcefulness to gain finer-grained control. This is not a unique issue, as many other application control products have the same sort of limitation.

AppLocker's configuration and rules can easily be imported and exported as readable XML files. Plus, the rules can be quickly cleared in an emergency, and everything can be managed using Windows PowerShell. Reporting and alerting are limited to what can be pulled from the normal event logs. But even with the limitations, AppLocker gives up-to-date Microsoft shops an effective way to prevent users' missteps from compromising their machines -- not to mention the company network.
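The configuration procedure described above (starting the Application Identity service, generating a baseline from a clean image, testing a file against the rules, and managing everything from PowerShell), as an added example that is not from the article. It uses the AppLocker cmdlets shipped with Windows 7; the directory paths, the policy file name and the user name are assumptions for the illustration.

```powershell
# Added example: bring up AppLocker in audit mode from a known-clean reference
# machine. Run from an elevated PowerShell session on a Windows 7 Enterprise/
# Ultimate machine. Paths and account names below are assumed, not from the article.

# 1. AppLocker enforces nothing unless the Application Identity service (AppIDSvc)
#    is running. Its default startup type is Manual; make it Automatic and start it.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

Import-Module AppLocker

# 2. Generate a baseline from the clean image. Publisher rules are preferred for
#    signed files (they keep working across vendor updates); unsigned files fall
#    back to hash rules. -Optimize merges redundant rules into as few as possible.
$fileInfo = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse `
    -FileType Exe, Dll, Script, WindowsInstaller

$baselineXml = 'C:\Policies\AppLocker-Baseline.xml'   # assumed output location
$fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $baselineXml -Encoding UTF8

# 3. Switch every rule collection in the exported XML to AuditOnly so the first
#    deployment only logs what *would* be blocked instead of breaking users.
[xml]$policy = Get-Content -Path $baselineXml
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.Save($baselineXml)

# 4. Before applying, ask the policy what it would decide for specific files and a
#    specific (assumed) user. -Filter Denied shows only what would be refused,
#    which is the list you want to review with the application owners.
Test-AppLockerPolicy -XmlPolicy $baselineXml `
    -Path 'C:\Tools\perl.exe', 'C:\Program Files\Internet Explorer\iexplore.exe' `
    -User 'CONTOSO\alice' -Filter Denied

# 5. Apply to the local computer policy (omit -Ldap) or to a domain GPO by
#    pointing -Ldap at its distinguished name. -Merge keeps any existing rules.
Set-AppLockerPolicy -XmlPolicy $baselineXml -Merge
# Set-AppLockerPolicy -XmlPolicy $baselineXml -Merge `
#     -Ldap 'LDAP://DC=contoso,DC=com/CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com'

# 6. Review audit results. The article notes reporting is limited to the event
#    logs; event 8003 in the AppLocker EXE and DLL log means "would have been
#    blocked" (audit), 8004 means "was blocked" (enforced).
Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics

Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message |
    Format-List

# 7. The article's "rules can be quickly cleared in an emergency": an empty policy
#    (no rule collections) re-allows everything, per the default behaviour when a
#    collection has no rules.
# Set-AppLockerPolicy -XmlPolicy 'C:\Policies\Empty.xml'
```

Step 4's Test-AppLockerPolicy is the cheapest way to confirm the exception trick from the previous paragraph: a deny rule on an interpreter such as perl.exe should show that path as Denied while scripts it would run are not covered by any collection at all.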

Software makers routinely sacrifice some security for the sake of usability, and Microsoft is no exception. I've built a career on teaching people how to harden Microsoft Windows over its default state. But with Windows 7, most of that old advice is no longer necessary. Microsoft now delivers a product that is significantly more secure out of the box. Administrators don't have to download NSA security templates or modify the system in any way to make users fairly secure from the start. In most cases, they simply need to know what security capabilities Microsoft provides and how to put them to work.


Tuesday, April 20, 2010

Pa. school district snapped 'thousands' of student images, claims lawyer


District staffers called the photos taken by laptop software a 'little soap opera'
By Gregg Keizer

The suburban Philadelphia school district accused of spying on students using school-issued laptops snapped thousands of images of teenagers in their homes, including shots of a boy asleep in his bed, documents filed in a lawsuit claimed Thursday.

In a motion filed April 15 by Michael and Holly Robbins, and their teenage son Blake, the family's attorney said Lower Merion School District personnel remotely activated Blake's MacBook over 400 times in a 15-day stretch last fall, taking photos using the notebook's camera and snapping images of the computer's screen.

"There were numerous webcam pictures of Blake and other members of his family, including pictures of Blake partially undressed and of Blake sleeping," alleged the motion. Screenshots of Blake's conversations with friends using instant messaging were also taken, said his lawyer.

The motion claimed that the LANRev software Lower Merion used to track stolen, lost or missing MacBooks took "thousands of webcam and screen shots ... of numerous other students in their homes, many of which never reported their laptops lost or missing." Among the photographs were some of a student who had a name similar to another student's who had reported a missing notebook.

Lower Merion, of Ardmore, Pa., was first sued by the Robbins family in mid-February, when they alleged that the district spied on Blake Robbins using his laptop. Later, Robbins said, a Harriton High School assistant principal accused him of selling drugs and taking pills, and used a snapshot taken by the computer as evidence. Robbins claimed the pictures showed him eating candy.

The motion filed on Thursday asked U.S. District Court Judge Jan DuBois to grant the Robbins' attorney access to the home of Carol Cafiero, information systems coordinator for the district, to seize any computers found in her home. Cafiero is one of two district employees who were put on paid administrative leave by Lower Merion in late February pending the ongoing investigation. According to her attorney, Cafiero only triggered the remote monitoring feature on school officials' orders.

Cafiero's computers' hard drives will be imaged, and the machines returned to her within 48 hours, the motion said. "There is reason to believe that evidence may be found on her personal home computer of the downloading of the pictures obtained from the LANRev 'peeping tom' technology," the Robbins' attorney argued.

The motion noted that Cafiero cited her right under the Fifth Amendment to not answer questions during a recent deposition, which she had earlier contested. "Unlike any of the witnesses asked to testify, [Cafiero] invokes the Fifth Amendment to every question asked of her, including a question asked as to whether she had ever downloading [sic] pictures to her personal computer, including pictures of students who were naked while in their home."

Watching the high school students at home via their computers' cameras was like "a little [Lower Merion School District] soap opera," a staffer said in an e-mail to Cafiero obtained by Robbins' lawyer during discovery.

"I know, I love it!" Cafiero said in a reply, the motion asserted.

In a statement Friday, David Ebby, the president of the Lower Merion school board, countered the Robbins' newest allegations. "A Motion filed yesterday by the plaintiffs ostensibly was against Carol Cafiero, but instead appears to be a vehicle to attack the District," said Ebby. "We do not feel it is appropriate for anyone other than the investigators to dictate the timing of the investigation and the release of complete findings." The district has hired a Philadelphia law firm to oversee the investigation.

But Ebby conceded that the school-issued laptops had taken a "substantial number of webcam photos," and said it had proposed to Judge DuBois that families of students who appear in those photographs be notified and given the chance to view the images.

Ebby also obliquely addressed the motion's charge that Cafiero or others used the district's technology to spy on students. "While we deeply regret the mistakes and misguided actions that have led us to this situation, at this late stage of the investigation we are not aware of any evidence that District employees used any LANRev webcam photographs or screenshots for such inappropriate purposes," said Ebby.

Earlier last week, DuBois ordered that only lawyers for the school district would have access to camera images and screenshots of students besides those taken of Blake Robbins and his sister Paige, who also attends Harriton High School. DuBois' order also said that the district would wrap up its investigation by May 4.

"We are committed to disclosing fully what happened, correcting our mistakes, and making sure that they do not happen again," said Ebby in the April 16 statement.

Neither the school district nor Cafiero's attorney immediately replied to requests made Saturday seeking comment.

Your BlackBerry's dirty little security secret

By Bill Brenner, CSO

Tyler Shields, senior member of the Veracode Research Lab, spends a lot of time picking apart those BlackBerry devices that are ubiquitous across the enterprise. What he's found may disappoint those who thought they were secure.

At this week's SOURCE Boston conference, Shields will present his findings in a talk called "BlackBerry Mobile Spyware -- The Monkey Steals the Berries."

He'll explain how the bad guys can plant spyware on the device and make off with your sensitive data, and offer some advice on how users can defend themselves.

He'll talk about an application called FlexiSpy, which allows users to get copies of SMS, call logs, e-mails, locations and listen to conversations within minutes of purchase. He quotes the FlexiSpy website as saying, "Catch cheating wives or cheating husbands, stop employee espionage, protect children, make automatic backups, bug meetings rooms, etc." Then there's Mobile Spy, which will "allow you to see exactly what they do while you are away," according to the website. "Are your kids texting while driving or using the phone in all hours of the night? Are your employees sending company secrets? Do they erase their phone logs?"

To be fair, some could view these as security-enhancing programs, particularly the part about catching employees sending out data that's restricted. But spyware has always been a double-edged sword. IT administrators have long used variations of it to access remote company machines that need repair, for instance.

But Shields will focus on the dark side of smart phone spyware.

"Mobile spyware is trivial to write and the security model of mobile platforms is too loose," Shields said. "There's no easy or automated way to confirm for ourselves what the applications are actually doing and we're trusting the vendor application store provider for the majority of our mobile device security."

The talk will be similar to one Shields gave at the ShmooCon conference in February. Another talk at that gathering focused on the variety of ways attackers could exploit the iPhone.

In that presentation, Trevor Hawthorn, founder and managing principal at Stratum Security, discussed security holes (since fixed) found in AT&T's network, which Apple's iPhone uses, and how an epidemic of "jailbreaking" is disabling critical security controls on the device.

Jailbreaking is a process iPhone and iPod Touch users can follow to run whatever code they want on the device, whether it's authorized by Apple or not. Jailbreaking the phone allows you to download a variety of apps you couldn't get in the Apple App Store.

For those who hate Apple's heavy hand and welcome any method to thumb a nose at the company's decrees, jailbreaking is very attractive. But there's a problem, Hawthorn said. A big one.

"Jailbreaking wipes away 80 percent of the iPhone's security controls," he said at the time. "Since nearly 7 percent of all iPhones are jailbroken," the bad guys have plenty of targets to choose from.

Wednesday, April 14, 2010

Gmail spam uses fake addresses to spread malware

Only 1% of Gmail spam comes from genuine accounts
By Jon Brodkin,

Gmail spam is on the rise. Spammers are using fake Gmail accounts to clog up inboxes, making "" the most abused domain name, according to Commtouch's quarterly Internet Threats Trend Report, released Wednesday.

Only 1% of spam e-mails sent from Gmail addresses are actually from real Gmail accounts, and "this small percentage is likely to represent a mix of spammers and compromised Gmail accounts," Commtouch says.

Overall, "between 5 to 10% of all spam appears to originate from Gmail accounts," Commtouch says. "Addresses are typically faked in order to fool anti-spam systems and to give the impression of a reputable, genuine source."
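The sender spoofing Commtouch describes can be checked at the receiving end: a message whose From: header claims gmail.com is only credible if the receiving mail server's own SPF or DKIM verification passed for that same domain, not merely for whatever domain the spammer's bot used. The Python below is an added example, not code from the original article or from Commtouch's report; the four sample messages and the mx.example.net Authentication-Results header are constructed, and the assumption is that the first Authentication-Results header is the one our own MX added (copies further down could have been forged by the sender).

```python
"""Flag mail whose From: claims gmail.com but whose Authentication-Results
header shows that neither SPF nor DKIM verified that domain.

All sample messages below are constructed for this example."""
import re
from email import message_from_string
from email.utils import parseaddr

CLAIMED_DOMAIN = "gmail.com"

# Constructed: mail that really came through Gmail (DKIM signed by gmail.com).
GENUINE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=alice@gmail.com; dkim=pass header.d=gmail.com
From: Alice <alice@gmail.com>
Subject: lunch?

see you at noon
"""

# Constructed: a botnet host sending with a faked gmail.com From: address.
SPOOFED = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bob@gmail.com; dkim=none
From: Bob <bob@gmail.com>
Subject: cheap meds

click here
"""

# Constructed: no authentication header at all (MX did not check, or it was stripped).
UNVERIFIED = """\
From: Carol <carol@gmail.com>
Subject: hi

no auth results at all
"""

# Constructed: ordinary mail from some other domain; not our concern here.
OTHER = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=dave@example.org; dkim=pass header.d=example.org
From: Dave <dave@example.org>
Subject: hello

regular mail
"""

_VERDICT = re.compile(r"\b(spf|dkim)=(\w+)")
_DKIM_DOMAIN = re.compile(r"header\.d=([\w.-]+)")
_MAILFROM_DOMAIN = re.compile(r"smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)")


def auth_results(msg):
    """Parse the first Authentication-Results header (assumed to be ours).

    Returns a dict with the spf/dkim verdicts, the domain DKIM verified
    (header.d) and the domain SPF verified (envelope sender), or None
    when the header is absent."""
    hdr = msg.get("Authentication-Results")
    if hdr is None:
        return None
    results = {"spf": "none", "dkim": "none",
               "dkim_domain": None, "spf_domain": None}
    for method, verdict in _VERDICT.findall(hdr):
        results[method] = verdict.lower()
    m = _DKIM_DOMAIN.search(hdr)
    if m:
        results["dkim_domain"] = m.group(1).lower()
    m = _MAILFROM_DOMAIN.search(hdr)
    if m:
        results["spf_domain"] = m.group(1).lower()
    return results


def classify(raw):
    """Classify one raw RFC 822 message.

    'other'      From: domain is not gmail.com
    'unverified' gmail.com claimed but no Authentication-Results to judge by
    'genuine'    DKIM passed for gmail.com, or SPF passed for an envelope
                 sender at gmail.com (the same alignment rule DMARC later
                 standardised)
    'spoofed'    gmail.com claimed, checks present, neither one aligned"""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain != CLAIMED_DOMAIN:
        return "other"
    r = auth_results(msg)
    if r is None:
        return "unverified"
    dkim_ok = r["dkim"] == "pass" and r["dkim_domain"] == CLAIMED_DOMAIN
    spf_ok = r["spf"] == "pass" and r["spf_domain"] == CLAIMED_DOMAIN
    return "genuine" if (dkim_ok or spf_ok) else "spoofed"


if __name__ == "__main__":
    for name, raw in (("GENUINE", GENUINE), ("SPOOFED", SPOOFED),
                      ("UNVERIFIED", UNVERIFIED), ("OTHER", OTHER)):
        print(name, "->", classify(raw))
```

The point of requiring the verified domain to match the From: domain is that an SPF "pass" on its own only says the sending host was allowed to use the envelope sender's domain, which a spammer controls; it says nothing about the address the recipient sees. A message with no Authentication-Results at all is reported separately rather than being counted as genuine.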

Spammers are becoming more skilled at using familiar domain names to fool users, and the trend is not just limited to Gmail. "Gmail's message style, as well as those of PayPal and Facebook, is frequently used by spammers and phishers as standard templates to prompt action by targets of spam and phishing," Commtouch says.

Throughout the first three months of 2010, 83% of all e-mail traffic was spam, "peaking at nearly 92% near the end of March and bottoming out at 75% at the start of the year." On a daily basis, 305,000 zombie computers – devices taken over by hackers and joined to a botnet – are used to "inflict malicious activity," Commtouch said. Brazil produces the most zombie computers, 14% of the global total.

Not surprisingly, pornographic Web sites are the most likely to be infected with malware. What may be surprising to some Internet users is that porn wasn't the most frequently infected category before last quarter.

"'Pornography' has replaced 'business’ as the Web site category most infected with malware," Commtouch said.

Pharmacy spam, advertising Viagra and other types of medications, represented 81% of all spam messages, about the same average as from the previous quarter.

NASA: Humanoid robot slated to live on space station

Discovery set to deliver 300-pound Robonaut 2, jointly built by NASA and GM, this fall
By Sharon Gaudin

Astronauts aboard the International Space Station are slated to get an interesting new roommate later this year.

A 300-pound humanoid robot, dubbed Robonaut 2 (R2), will be transported to the space station aboard the NASA space shuttle Discovery in September -- one of the final scheduled shuttle missions. Jointly developed by NASA and General Motors Corp., the robot will become a permanent resident on the orbiting station.

Robonaut 2, Courtesy General Motors and Wieck Media Services Inc.

"The use of R2 on the space station is just the beginning of a quickening pace between human and robotic exploration of space," said John Olson, director of NASA's Exploration Systems Integration Office, in a statement. "The partnership of humans and robots will be critical to opening up the solar system and will allow us to go farther and achieve more than we can probably even imagine today."

Robonaut 2 consists of a helmeted head, a torso, two arms and two hands, and wheels to transport itself. GM noted that the robot's hands are designed to use tools already aboard the station for use by the astronauts there.

The robot will first be confined to a limited space inside the station. However, GM said that it could later be adapted to work throughout the station, as well as outside it to assist astronauts during spacewalks.

The R2 device is just the latest robot to be used as part of NASA's space exploration projects.

A robotic arm on NASA's Phoenix Mars Lander craft has made significant discoveries on the surface of Mars, such as finding that there is water ice on Mars.

Each of NASA's space shuttles has a robotic arm, and there is one onboard the space station. The arms are used to lift massive objects out of the shuttle's cargo bay and transfer them to the space station. The arms can even be used to transport NASA astronauts across the space station during spacewalks.

In an interview late in 2008, a NASA official told Computerworld that the future of space exploration will depend on humans and robots working together as manned and unmanned missions head back to the moon, to Mars and beyond.

Robonaut 2 will be the first humanoid robot that will stay at the space station. NASA hopes the effort will provide better insight into how robots and humans can work hand-in-hand on future space missions.

Tuesday, April 13, 2010

BDPA Education and Technology Foundation Announces New Board Leadership

BDPA Education and Technology Foundation

Announces New Board Leadership

COLLEGE PARK, MD (April 12, 2010) -- BDPA Education and Technology Foundation (BETF), a nonprofit organization made up of racially diverse CEOs and executive-level managers who promote educational programs for students of color in the information technology industry, today announced new officers and members of its board of directors.

BETF members re-elected Earl A. Pace, Jr., President/CEO of Pace Data Systems, as board chairman. John Eckenrode, CEO of CPSI Inc., was elected to serve as board secretary. Ron Branch, President/CEO of Silverback Business Group, was elected as a new board member.

“I am delighted to join the BETF board and I believe that Information Technology is an exciting industry which holds great rewards for young minorities who embrace both the constant change and challenge,” said newly-elected board member Ron Branch.

The new board will set the direction for BETF as it helps raise funds needed to advance the careers of African Americans and others in the information technology industry from the classroom to the boardroom. This year, BETF will continue to provide dozens of scholarships to high school and college students at the upcoming National BDPA Technology Conference in Philadelphia on July 28-31, 2010.

“It is truly a pleasure to welcome Ron Branch to the board of BETF. Ron has a wide background in the IT industry which has enabled him to build relationships with IT Professionals and thought leaders at all levels and throughout the United States,” said BETF Board Chairperson Earl Pace. “We look forward to his participation to both introduce BETF and its very important programs to a different group of professionals but also to his insights as BETF attempts to aggressively fund its Endowment Fund and increase the assistance we provide to High School and College students and the career building educational programs we fund for current IT professionals. I am certain BETF and BDPA will benefit from having Ron on our team.”

The new board leadership takes the helm at a time when unemployment is growing to painfully high levels for African American IT professionals and the number of African American students in college computer science programs is dwindling. BETF works closely with the leadership of National BDPA and its 45 local chapters to put in place programs, scholarships and other services that address these dismal industry statistics.

"I am excited to work with Ron in his new role as a Board member to continue delivering value to BETF stakeholders, students and sponsors,” said Wayne Hicks, BETF executive director. "He comes to us highly recommended by his peers in the industry. Ron’s executive experiences with IBM and Oracle over the past 30 years as well as his current entrepreneurial efforts make him uniquely qualified to assist BETF. BETF is fortunate to have him in this leadership role."

About BETF -- Founded in 1992, BETF is a 501(c)(3) foundation with a mission to locate the funding necessary to support educational and technology programs for BDPA and others across the country.

Thursday, April 01, 2010

The New Google

A different kind of company name

4/01/2010 12:01:00 AM
Early last month the mayor of Topeka, Kansas stunned the world by announcing that his city was changing its name to Google. We’ve been wondering ever since how best to honor that moving gesture. Today we are pleased to announce that as of 1AM (Central Daylight Time) April 1st, Google has officially changed our name to Topeka.

We didn’t reach this decision lightly; after all, we had a fair amount of brand equity tied up in our old name. But the more we surfed around (the former) Topeka’s municipal website, the more kinship we felt with this fine city at the edge of the Great Plains.

In fact, Topeka Google Mayor Bill Bunten expressed it best: “Don’t be fooled. Even Google recognizes that all roads lead to Kansas, not just yellow brick ones.”

For 150 years, its fortuitous location at the confluence of the Kansas River and the Oregon Trail has made the city formerly known as Topeka a key jumping-off point to the new world of the West, just as for 150 months the company formerly known as Google has been a key jumping-off point to the new world of the web. When in 1858 a crucial bridge built across the Kansas River was destroyed by flooding mere months later, it was promptly rebuilt — and we too are accustomed to releasing 2.0 versions of software after stormy feedback on our ‘beta’ releases. And just as the town's nickname is "Top City," and the word “topeka” itself derives from a term used by the Kansa and Ioway tribes to refer to “a good place to dig for potatoes,” we’d like to think that our website is one of the web's top places to dig for information.

In the early 20th century, the former Topeka enjoyed a remarkable run of political prominence, gracing the nation with Margaret Hill McCarter, the first woman to address a national political convention (1920, Republican); Charles Curtis, the only Native American ever to serve as vice president (’29 to ‘33, under Herbert Hoover); Carrie Nation, leader of the old temperance movement (and wielder of American history’s most famous hatchet); and, most important, Alfred E. Neuman, arguably the most influential figure to an entire generation of Americans. We couldn’t be happier to add our own chapter to this storied history.

A change this dramatic won’t happen without consequences, perhaps even some disruptions. Here are a few of the thorny issues that we hope everyone in the broader Topeka community will bear in mind as we begin one of the most important transitions in our company’s history:
  • Correspondence to both our corporate headquarters and offices around the world should now be addressed to Topeka Inc., but otherwise can be addressed normally.
  • Google employees once known as “Googlers” should now be referred to as either “Topekers” or “Topekans,” depending on the result of a board meeting that’s ongoing at this hour. Whatever the outcome, the conclusion is clear: we aren’t in Google anymore.
  • Our new product names will take some getting used to. For instance, we’ll have to assure users of Topeka News and Topeka Maps that these services will continue to offer news and local information from across the globe. Topeka Talk, similarly, is an instant messaging product, not, say, a folksy midwestern morning show. And Project Virgle, our co-venture with Richard Branson and Virgin to launch the first permanent human colony on Mars, will henceforth be known as Project Vireka.
  • We don’t really know what to tell Oliver Google Kai’s parents, except that, if you ask us, Oliver Topeka Kai would be a charming name for their little boy.
  • As our lawyers remind us, branded product names can achieve such popularity as to risk losing their trademark status (see cellophane, zippers, trampolines, et al). So we hope all of you will do your best to remember our new name’s proper usage:
Finally, we want to be clear that this initiative is a one-shot deal that will have no bearing on which municipalities are chosen to participate in our experimental ultra-high-speed broadband project, to which Google, Kansas has been just one of many communities to apply.