Software Bugs Threaten Toyota Hybrids

[...]

Embedded software now controls some of a car's most critical operations, including engine performance, air bags, steering, anti-lock braking systems and stability control systems.

If Toyota, which consistently tops vehicle quality surveys, can't get it right, how bad is the rest of the industry?

(0) comments

NewScientist.com

Most published scientific research papers are wrong, according to a new analysis. Assuming that the new paper is itself correct, problems with experimental and statistical methods mean that there is less than a 50% chance that the results of any randomly chosen scientific paper are true.

John Ioannidis, an epidemiologist at the University of Ioannina School of Medicine in Greece, says that small sample sizes, poor study design, researcher bias, and selective reporting and other problems combine to make most research findings false. But even large, well-designed studies are not always right, meaning that scientists and the public have to be wary of reported findings.

"We should accept that most research findings will be refuted. Some will be replicated and validated. The replication process is more important than the first discovery," Ioannidis says.

In the paper, Ioannidis does not show that any particular findings are false. Instead, he shows statistically how the many obstacles to getting research findings right combine to make most published research wrong.

[...] [CLB: The targeted readership, other researchers, understand this point generally. Publishing reserach results is expected to lead to discussion, further research on the hypothesis, and often refutation, with improved or modified hypotheses emerging. The problem arises from the media and laypersons use of published research. Media is likely to publish startling, 'newsworthy' results to make headlines. They don't include the rest of the scientific process. What's missing in the popular press: repeating the results, relating the results to other findings, systematic analysis and synthesis of the results, and taking sample-based results in a reliable way into an understanding of how these actually relate to the more general population.]

(0) comments

Business Wire

Regulatory compliance, internal attacks, and the vulnerability of electronic communications - especially instant messaging and e-mail - are among the key factors reshaping data security systems, according to the U.S. results of the 8th annual Global Information Security Survey by InformationWeek Magazine and Accenture.

At the same time, the U.S. Information Security Survey uncovered indications that companies and organizations are failing to provide rigorous protection of customer and client data. The survey, which was conducted over the Web this summer, received responses from more than 2,500 U.S. information technology and security professionals.

Highlights:

Compliance is reshaping corporate security practices.

Security attacks are becoming increasingly more sophisticated, yet basic passwords continue to be the most common line of defense.

Security breaches are increasingly coming from within, forcing companies to keep tabs on their employees.

Vulnerabilities in operating systems and applications - including the use of instant messaging - continue to be common points of entry.

Concern continues to grow over privacy and identity theft, yet organizations are failing to provide rigorous protection of customer data.

"Companies are taking a more structured approach to information security and making it more of a priority," said Alastair MacWillson, partner in charge of Accenture's security practice. "Many companies are beginning to see the benefits in leveraging new technologies to proactively assess and manage threats and vulnerabilities, and are consolidating, integrating and securing applications to improve integrity and productivity."

Regulatory Impact

There are indications that compliance requirements like Sarbanes-Oxley, HIPAA, the U.S. Home Security Act and the U.S. Patriot Act are reshaping corporate security practices. According to the survey:

60 percent view regulatory compliance as more of a governance issue than a technology problem.

Over half of the survey respondents report that government regulations have pressured their company to adopt a more structured approach to information security.

About two in five say the threat of government penalties has made achieving regulatory compliance an information security priority.

While only a third say achieving compliance is a main catalyst of security-related purchases, over half say it has made their company more cautious about their use of security hardware, applications and services.

Threat Perception and Attacks

Security attacks are constantly evolving, making it difficult for companies to stay one step ahead. For example:

Malicious intent is a concern for 45 percent of respondents. Yet few tie their firm's vulnerability to the lack of a well-defined information security strategy or managerial involvement in security practices and policies.

One third of respondents blame budget constraints for their firm's susceptibility to security breaches.

Significant damages attributed to actual attacks - financial losses, security incursions and identity theft - are uncommon.

Planted spyware code, however, has caused slowdowns in network performance and employee productivity in three quarters of the companies.

Viruses affected two-thirds of surveyed sites last year.

E-mail is proving to be the launching point of assaults, with falsified information in an e-mail attachment reported as the primary method of attack at 35 percent of surveyed sites.

Minor financial losses were confirmed at one in five sites.

Security Tactics

As a result of the vulnerabilities with instant messaging and E-mail, electronic communication has become a major focus of employee monitoring with attachments and content of outbound messages carefully scrutinized. Basic-user passwords still remain the most prevalent method used by companies to protect themselves against security breaches. Informing employees of privacy or behavior standards, posting privacy policies online and using secure Web transactions are the steps taken to safeguard the privacy of customer data. In addition, the survey reveals that:

Only a quarter of respondents report no monitoring of workers.

The monitoring of instant messaging has jumped from 25 percent to 34 percent since last year's survey.

Only 15 percent of sites have created the position of chief privacy officer and less than 30 percent have conducted privacy policy audits to ensure there are adequate guidelines. In fact, practices concerning the security of customer data are categorized as only fairly rigorous at half of the sites.

Security Costs

A majority of U.S. companies spend below $500,000 on security expenses, with half anticipating increased spending in 2005 over the previous year, and only 3 percent expecting spending to decline. Performance and return on investment count the most when purchasing security products.

"Despite the fact that information security professionals are adopting many state-of-the-art security practices, certain lapses still exist that can result in serious financial losses for corporations or a violation of customer trust," said Rusty Weston editor, InformationWeek Research. "Security professionals lack the ability to control every point of entry, but worse, they have too much faith in technology that claims to automate network defenses."

__posted by Carolyn L Burke @ 8:50 a.m.
subscribe to Integrity

(0) comments

Network World

When screening large numbers of people, linking identification to real-world identity (that is, authentication) is a tough problem. As readers probably know, there are four basic methods for authentication:

What you know that others don't (e.g., passwords).

What you have that others don't (e.g., tokens such as keys or smart cards).

What you do that others can't (e.g., the way you sign your name or the phrase on a keyboard).

What you are that others aren't (e.g., your fingerprints, retinal patterns, iris characteristics, or face).

Passwords don't work very well for crowds. Tokens are used all the time - consider airline tickets and passports - but in today's digital scanning and printing world, they are easy to counterfeit.

[... more on advanced ways to make each method work.]

__posted by Carolyn L Burke @ 12:47 p.m.
subscribe to Integrity

(0) comments

Computerworld

If your car murmurs 'hello there,' your Bluetooth system has been hijacked

If you happen to hear a disembodied computer voice tell you to 'drive carefully' the next time you're behind the wheel, you've probably met the Car Whisperer.

Released late last week at the What the Hack computer security conference in Liempde, Netherlands, Car Whisperer is software that tricks the hands-free Bluetooth systems installed in some cars into connecting with a Linux computer.

Car Whisperer was developed by a group of European wireless security experts, called the Trifinite Group, as a way of illustrating the shortcomings of some Bluetooth systems, said Martin Herfurt, an independent security consultant based in Salzburg, Austria, and a founder of Trifinite.

The software takes advantage of the fact that many of these hands-free systems require only a very simple four-digit security key -- often a number such as 1234 or 0000 -- in order to grant a device access to the system. Many car manufacturers use the same code for all of their Bluetooth systems, making it easy for Car Whisperer to send and receive audio from the car.

Using a special directional antenna that allowed him to extend the normally short range of his Bluetooth connections to about a mile, Herfurt was able to listen and send audio to about 10 cars over a one-hour period recently.

(0) comments

[CLB] Following the news this morning. There are a larger than normal number of 'spy' articles. And the topics are fascinating. We are watching the roll-out of ubiquitous watchware. It's time that each of makes the assumption that every action, every purchasing choice, every movement you make is being monitored somehow.

The techniques used rely on technologies that have been around for years. They are being used more systemic to monitor, collect, analysis, and react more effectively.

Where was I?

The other night at my local bar, a friend had his computer running Google Earth. We zoomed around the neighbourhood, looking at satellite data less than a year old in some cases. Where were you on the night of ...? Although civilian data does not provide face-recognizing resolution, we know there is better out there. Some military and government organizations can tell you exactly where you were, and where you went. They could confirm how long I stayed at the pub, and who I walked home with.

MORE: Google Earth

Parking Meters

"Technology is taking much of the fun out of finding a place to park
the car.

In Pacific Grove, Calif., parking meters know when a car pulls out of
the spot and quickly reset to zero -- eliminating drivers' little joy
of parking for free on someone else's quarters. In Montreal, when cars stay past their time limit, meters send
real-time alerts to an enforcement officer's hand-held device,
reducing the number of people needed to monitor parking spaces -- not
to mention drivers' chances of getting away with violations.
Meanwhile, in Aspen, Colo., wireless "in-car" meters may eliminate
the need for curbside parking meters altogether: They dangle from the
rear-view mirror inside the car, ticking off prepaid time."

MORE: THE WALL STREET JOURNAL

Colour Printers
"Secret codes embedded into pages printed by some colour laser printers pose a risk to personal privacy, according to the Electronic Frontier Foundation. The US privacy group warns the approach - ostensibly only designed to identify counterfeiters - has become a tool for government surveillance, unchecked by laws to prevent abuse."

MORE: The Register

What did you wear today?

I purchased a few summer clothing items last month from a brand name store. This pretty teal silk skirt had caught my eye, and I've worn it to a few parties and meeting. Yesterday, when checking the washing instructions, I noticed the RFID tag sewn into the seam. The tag is passive, and can be scanned easily, allowing anyone to determine where I purchased my skirt, and even what size I wear. And with a few improvements, this technology will allow the store to track when and where I wore the skirt, and when it remained in my closet. Eventually, I'll be able to scan my closet, create an inventory, and reorder online based on my personal preferences. And a clothing supplier will be able to collect that data and make recommendations such as, "We have a beautiful shirt in you size, made out of the same fabric and colour," or "You haven't worn these 19 items in 3 years. Would you like the local charity to pick them up for you?"

If all these organizations were to share data, they'd know which movie ticket I printed out, how long I parked and where to see theshow, and what I wore. And hopefuly they'd offer some advice about my date, and perhaps even who else he is seeing. How much do you rely on being anonymous in your activities?

[CLB]

(0) comments