linking INTEGRITY

Rolling WiFi hotspots

2008-06-24T06:34:00.000-04:00

iTWire
Chrysler is set to unveil the UConnect Web System on Thursday, and rolled into production vehicles next year. Turning a car into a moving broadband WiFi hotspot it will enable Internet access direct from the dash. With support from Microsoft, the system could see speedy success.

OK, so in car technology is a hot potato at the moment and it's easy to get over excited about relatively straightforward developments. The Microsoft powered Sync system which brings voice activated iPod and mobile phone integration into new Fords being one such over hyped example.

However, with the forthcoming announcement from Chrysler we may have a 21st Century automotive technological advance worth shouting about. The UConnect Web System promises to deliver instant Internet access on the move courtesy of combined 3G mobile and standard WiFi connectivity.

Expected to be available on 2009 Chrysler, Jeep and Dodge models, the in-vehicle wireless Internet connectivity is as advanced as they come. In effect it will provide all the convenience of a fully functional WiFi hotspot wherever you want it, wherever your car happens to be.

With broadband in the dash, it will be possible to make high speed data transfers while driving at high speed. In theory at least. How the system copes with connectivity stability remains to be seen, but considering that trains here in the UK can provide a stable Internet connection at speeds of up to 125mph it should be perfectly possible.

Chrysler reckons that its rolling WiFi hotspot technology will bring the ability for your passengers to check email, download music and even play games on the move. The driver can join in, of course, when the vehicle has parked up safely.

Does Being Ethical Pay?

2008-05-20T07:48:00.005-04:00

Wall Street Journal

Companies spend huge amounts of money to be 'socially responsible.' Do consumers reward them for it? And how much?

By REMI TRUDEL AND JUNE COTTE May 12, 2008

For corporations, social responsibility has become a big business. Companies spend billions of dollars doing good works -- everything from boosting diversity in their ranks to developing eco-friendly technology -- and then trumpeting those efforts to the public.
But does it pay off?

Do companies need to tread carefully to avoid a backlash from overhyping their ethical credentials? June Cotte speaks with the Journal's Erin White.

Many companies hope consumers will pay a premium for products made with higher ethical standards. But most companies plunge in without testing that assumption or some other crucial questions. Will buyers actually reward good corporate behavior by paying more for products -- and will they punish irresponsible behavior by paying less? If so, how much? And just how far does a company really need to go to win people over?

To find out, we conducted a series of experiments. We showed consumers the same products -- coffee and T-shirts -- but told one group the items had been made using high ethical standards and another group that low standards had been used. A control group got no information.

In all of our tests, consumers were willing to pay a slight premium for the ethically made goods. But they went much further in the other direction: They would buy unethically made products only at a steep discount.

What's more, consumer attitudes played a big part in shaping those results. People with high standards for corporate behavior rewarded the ethical companies with bigger premiums and punished the unethical ones with bigger discounts.

Finally, we discovered that companies don't necessarily need to go all-out with social responsibility to win over consumers. If a company invests in even a small degree of ethical production, buyers will reward it just as much as a company that goes much further in its efforts.

Below, we'll look at these tests in more detail. But first, a definition -- and a caveat.
For our purposes, "ethically produced" goods are those manufactured under three conditions. First, the company is considered to have progressive stakeholder relations, such as a commitment to diversity in hiring and consumer safety. Second, it must follow progressive environmental practices, such as using eco-friendly technology. Finally, it must be seen to demonstrate respect for human rights -- no child labor or forced labor in overseas factories, for instance.

GOOD BUSINESS?

• The Question: Companies spend billions of dollars doing good works -- such as developing eco-friendly technology -- and then trumpeting them to the public. But does it pay off?
• The Test: In a series of experiments, consumers were shown the same products -- coffee and T-shirts -- but one group was told the items had been made using high ethical standards and another group that low standards had been used.
• The Result: Consumers are willing to pay a small premium for ethically produced goods. But they'll punish an unethically made product even more harshly, by buying it only at a steep discount.

Now the warning, which may not come as much of a surprise. Even though we think ethical production can lead to higher sales, not all consumers will be won over by the efforts. Some may prefer a lower price even if they know a product is made unethically.

With that in mind, here's a closer look at our results.

HOW MUCH ARE ETHICS WORTH?
Our first experiment asked two questions. How much more will people pay for an ethically produced product? And how much less are they willing to spend for one they think is unethical?

To test these questions, we gathered a random group of 97 adult coffee drinkers and asked them how much they would pay for a pound of beans from a certain company. We used a brand that's not available in North America, so none of the participants would be familiar with it.

But before the people answered, we asked them to read some information about the company's production standards. One group got positive ethical information, and one group negative; the control group got neutral information, similar to what shoppers would typically know in a store.
After reading about the company and its coffee, the people told us the price they were willing to pay on an 11-point scale, from $5 to $15. The results? The mean price for the ethical group ($9.71 per pound) was significantly higher than that of the control group ($8.31) or the unethical group ($5.89).

Meanwhile, as the numbers show, the unethical group was demanding to pay significantly less for the product than the control group. In fact, the unethical group punished the coffee company's bad behavior more than the ethical group rewarded its good behavior. The unethical group's mean price was $2.42 below the control group's, while the ethical group's mean price was $1.40 above. So, negative information had almost twice the impact of positive information on the participants' willingness to pay.

For companies, the implications of this study -- albeit limited -- are apparent. Efforts to move toward ethical production, and promote that behavior, appear to be a wise investment. In other words, if you act in a socially responsible manner, and advertise that fact, you may be able to charge slightly more for your products.

On the other hand, it appears to be even more important to stay away from goods that are unethically produced. Consumers may still purchase your products, but only at a substantial discount.

REWARD AND PUNISHMENT
What consumers were willing to pay for a pound of coffee based on what they were told about the company's production standards

Ethical standards . . . . . . . . . . . $9.71
Unethical standards . . . . . . . . . $5.89
Control (no information) . . . . . $8.31

Source: Remi Trudel and June Cotte

A MATTER OF DEGREE

How much consumers were willing to pay for all-cotton T-shirts based on what they were told about the proportion of ethical production

100% organic cotton . . . . . . . $21.21
50% organic cotton . . . . . . . . .$20.44
25% organic cotton . . . . . . . . .$20.72
Unethical behavior* . . . . . . . . $17.33
Control (no information) . . . . $20.04

*Production harms environment

ATTITUDE ADJUSTMENT

Consumers with high ethical expectations of companies doled out bigger rewards and punishments than consumers with low expectations. What each group was willing to pay for a pound of coffee based on production standards:

Consumers with high expectations:

Ethical standards . . . . . . . . . . $11.59
Unethical standards . . . . . . . $6.92

Consumers with low expectations:

Ethical standards . . . . . . . . . . $9.90
Unethical standards . . . . . . . .$8.44

HOW ETHICAL DO YOU NEED TO BE?

Our next test looked at degrees of ethical behavior. For instance, are consumers willing to pay more for a product that is 100% ethically produced versus one that is 50% or 25% ethically produced?

To find out, we tested consumers' responses to T-shirts from a fictitious manufacturer. We divided 218 people into five groups and presented them with information about the company and its product. One group was told the shirts were 100% organic cotton, one group 50% and one group 25%. Another group -- the "unethical" one -- was told there was no organic component. The control group got no information.

In addition, all the groups but the control were shown a short paragraph detailing the detrimental effects of nonorganic cotton production on the environment.

Then the participants were asked how much they were willing to pay for the shirts on a 16-point scale, ranging from $15 to $30. As in the first test, we found that people were willing to pay a premium for all levels of ethical production, and they would discount an unethical product more deeply than they would reward an ethical one.

But consumers didn't reward increasing levels of ethical production with increasing price premiums. The 25% organic shirts got a mean price of $20.72 -- not much different from the 50% ($20.44) and 100% ($21.21).

It seems that once companies hit a certain ethical threshold, consumers will reward them by paying higher prices for their products. Any ethical acts past that point might reinforce the company's image, but don't make people willing to pay more. (Of course, if 100% ethical becomes expected among consumers, anything less may be punished.)

WHAT EFFECT DO CONSUMER ATTITUDES HAVE?
In our final experiment, we looked at the attitudes people bring to the table. If consumers expect that companies will behave ethically, will that change how much they reward and punish behavior? What if they expect that companies are just in it for the money, maximizing profits and not taking ethics into account?

Once again, we tested coffee drinkers -- 84 this time -- and split them into groups that received positive, negative and no ethical information about the manufacturer and its methods. But first we measured the people's attitudes toward corporations and labeled them high-expectation or low-expectation.

Once again we found that -- regardless of their expectations -- consumers were willing to pay more for ethical goods than unethical ones, or ones about which they had no information. Likewise, negative information had a much bigger bearing on consumer response than positive information. People punished unethical goods with a bigger discount (about $2 below the control group) than they rewarded ethical ones with premiums (about $1 above the control group).

So, what effect did consumer attitudes have? People with high expectations doled out bigger rewards and punishments than those with low expectations. Those with high expectations were willing to pay a mean of $11.59 per pound for the ethical coffee, versus $9.90 for those with low expectations. And the high-expectations group punished the unethical coffee with a price of $6.92, versus $8.44 for low-expectations consumers.

The lessons are clear. Companies should segment their market and make a particular effort to reach out to buyers with high ethical standards, because those are the customers who can deliver the biggest potential profits on ethically produced goods.

--Mr. Trudel is a doctoral candidate in marketing at the University of Western Ontario's Ivey School of Business. Dr. Cotte is the George and Mary Turnbull faculty fellow and associate professor of marketing at the Ivey School. They can be reached at reports@wsj.com.

Aligning Form and Substance to Create an Ethical Business Culture

2008-05-01T06:58:00.001-04:00

by Bradley Preber

Published: April 09, 2008 in Knowledge@W.P. Carey

Bradley Preber’s recent talk on business ethics and culture could not have been more relevant or timely. The partner-in-charge of Grant Thornton's Forensic Accounting and Investigative Services practice spoke before a group of W. P. Carey MBA Executive students the same day that an independent report commissioned by the U.S. Department of Justice found that the auditing firm KPMG is allegedly linked to fraud at New Century Financial Corp, a subprime mortgage lender. KPMG denies any wrongdoing, but the incident raised some interesting ethical questions during the discussion, part of the school’s Thought Leadership Series.

The New York Times reported that "New Century Financial … engaged in 'significant improper and imprudent practices' that were condoned and enabled by auditors at the accounting firm KPMG, according to an independent report commissioned by the Justice Department." The report also pointed out that some auditors raised concerns about New Century, but were ignored because of fear that the firm would lose an important client.

Preber would not speak specifically about the auditing company, adding that he thought this would be unethical because they are a competitor of his firm. But when the news was raised by students and other speakers he noted that any company that continues having pervasive and systematic behavior problems with its employees must look at its culture to see if it could be partly what drives that unethical behavior. And if the recurring problem stems from upper management then this will have repercussions for the rest of the company.

Preber added that culture is a factor that can be used to predict fraud and evaluate a company's ethics. He asked his audience to consider some companies that have been in the news for ethical situations and to free associate:

Prompted with Enron they offered "greed," "putting profits before people," "arrogance."

When asked about Microsoft, they said "competence," "market dominance," even "innovation."

PetSmart, the pet specialty retailer, fared well with the group. PetSmart had recalled contaminated pet food and replaced their customer's purchases, Preber said. "This tells customers that the company is there to look after their pets and will rectify any errors made."

Culture played an important role in forming the students' impressions.

Form of culture and substance of culture must align

When companies take quick action, as PetSmart did, they foster an ethical business culture. But fast and appropriate reflexes are not enough.

Preber argued that the form of a company's culture must align with the substance of the culture. Form, Preber said, includes standards and values that can be verbalized or written down. He stated examples such as policies and procedures, compliance officers, industry norms and laws and regulations. Substance, however, is the action that grows out of acceptance of the form, by the company, its managers and its employees. Actions could include the way employees talk about their bosses, establishment of an anonymous complaint line for employees and rewards for good behavior.

If substance and form align, Preber explained, then desirable and acceptable workplace behaviors are more probable. When unethical behavior surfaces and is tolerated, it is because form and substance of culture are unaligned.

"This is when attitudes deteriorate and the incentives for unethical behavior rise," Preber said.

Ethics wane, the accountant thinks, when form is placed over substance. Form over substance results in rationalization, living with bad decisions, cheating and fudging the system. When asked how to avoid unethical clients, Preber suggested operating only with those that share your ethics.

"It's not my job to correct clients' ethics. If their ethics don't mesh with yours, always walk away."

Avoiding the gray area

Marianne Jennings, a professor of legal and ethical studies in business at W. P. Carey School of Business, frets about stories like KPMG. Author of "The Seven Signs of Ethical Collapse: How to Spot Moral Meltdowns in Companies … Before It's Too Late," Jennings noted that previously, scandals only surfaced every decade.

"Enron and the Sarbanes-Oxley Act of 2002 -- which tried to reform American business practices -- were only five years ago, so we are seeing scandals more frequently and the same pattern over and over," she said.

Jennings pointed out that KPMG settled tax shelter fraud allegations with a fine, and just a few weeks ago paid to settle for its role in the Xerox accounting fraud. The New Century Financial issues came after these two problems.

"The pattern seems to suggest that KPMG needs that exercise of seeing whether the client's values are the same as their values, or they have not yet come to grips with the importance of ethics and values over the retention of clients and keeping the revenues," Jennings commented.

In her book, Jennings writes that "all unethical organizations are alike; their cultures are identical and their collapses become predictable." She identifies seven warning signs that a company culture is unethical: pressure to maintain numbers; fear and silence in the ranks and leadership; young and inexperienced executives and a bigger-than-life CEO; a weak board; conflict; pressure to produce constant innovation; and a penchant for philanthropy that assuages guilt for questionable decisions.

When a sufficient number of the seven signs have infected the culture, Jennings writes, intelligent and otherwise upstanding people may do things that are at least unethical, and often illegal.

Things start to become slippery, Jennings said, because that gray area can include unethical actions that are not technically illegal. "If we want change, then it is the ethics within this gray area that must be studied more."

To keep out of trouble, Jennings suggested asking oneself: "Why is this area gray to you? If you are there, then you are probably already in trouble, looking for a way around a rule."

Asked what professors and mentors can do to help prevent poor business behavior, Jennings said that teaching ethics has never been more important. Giving business students continual case studies showing the risks and costs of living in that gray area, and giving them the gumption to act when they feel uncomfortable is essential, she said.

"Creating change means driving this home."

Bottom Line:

Brad Preber, an accountant dealing with fraud and litigation cases, says that we can learn a great deal about a company's ethics through its culture.
He also thinks that when the form and substance of a company are out of whack, attitudes deteriorate and incentives for ethical behavior wane.
Jennings' seven warning signs that a company culture is unethical: pressure to maintain numbers; fear and silence in the ranks and leadership; young and inexperienced executives and a bigger-than-life CEO; a weak board; conflict; pressure to produce constant innovation; and a penchant for philanthropy that assuages guilt for questionable decisions.
If you find yourself in a gray area, you are probably already in trouble, Jennings says.

Additional Reading: "Executive Role Models Crucial in Building Ethical Workplace Culture"

Ethics in IT: Dark secrets, ugly truths -- and little guidance

2007-10-29T17:21:00.000-04:00

Computer World

What Bryan found on an executive’s computer six years ago still weighs heavily on his mind. He’s particularly troubled that the man he discovered using a company PC to view pornography of Asian women and of children was subsequently promoted and moved to China to run a manufacturing plant.

“To this day, I regret not taking that stuff to the FBI,” says Bryan.

It happened when Bryan, who asked that his last name not be published, was IT director at the U.S. division of a $500 million multinational corporation based in Germany.

The company’s Internet usage policy, which Bryan helped develop with input from senior management, prohibited the use of company computers to access pornographic or adult-content Web sites. One of Bryan’s duties was to monitor employee Web surfing using products from SurfControl PLC and report any violations to management.

Bryan knew that the executive, who was a level above him in another department, was popular within both the U.S. division and the German parent. But when the tools turned up dozens of pornographic Web sites visited by the exec’s computer, Bryan followed the policy. “That’s what it’s there for. I wasn’t going to get into trouble for following the policy,” he reasoned.

So he went to his manager with copies of the Web logs (which he still has in his possession and made available to Computerworld for verification).

Power and Responsibility

Bryan’s case is a good example of the ethical dilemmas that IT workers may encounter on the job. IT employees have privileged access to digital information, both personal and professional, throughout the company, and they have the technical prowess to manipulate that information.

That gives them both the power and responsibility to monitor and report employees who break company rules. IT professionals may also uncover evidence that a co-worker is, say, embezzling funds, or they could be tempted to peek at private salary information or personal e-mails. But there’s little guidance on what to do in these uncomfortable situations.

In the case of the porn-viewing executive, Bryan didn’t get into trouble, but neither did the executive, who came up with “a pretty outlandish explanation” that the company accepted, Bryan says. He considered going to the FBI, but the Internet bubble had just burst, and jobs were hard to come by. “It was a tough choice,” Bryan says. “[But] I had a family to feed.”

In theory, ethical behavior is governed by laws, corporate policy, professional ethics and personal judgment.

When ethics and IT collide

2007-09-14T15:21:00.000-04:00

ComputerWorld

It still weighs heavily on Bryan's mind, what he found on that executive's computer, especially when he thinks of his own daughters. He's particularly troubled that the man he discovered using a company computer to view pornography of Asian women and of children was subsequently promoted and moved to China to run a manufacturing plant.

"To this day, I regret not taking that stuff to the FBI," says Bryan.

It happened six years ago, when Bryan, who asked that his last name not be published, was IT director for the U.S. division of a $500 million multinational corporation based in Germany.

The company's Internet usage policy, which Bryan helped develop with input from senior management, specifically prohibited the use of company computers to access pornographic or adult-content Web sites. One of Bryan's duties was to monitor employee Web surfing using SurfControl and report any violations to management.

Bryan knew that the executive, who was a level above him in another department, was popular both within the U.S. division and the German parent. So when SurfControl turned up dozens of pornographic Web sites visited by the exec's computer, Bryan figured "my best course of action was to follow the policy."

"That's what it's there for," he reasoned. "I wasn't going to get into trouble for following the policy." He went to his manager with copies of the Web logs in question (which he still has in his possession and made available to Computerworld for verification).

Continue reading the article on ComputerWorld. The article is long and intensive, followed by a strong discussion forum.

Hacker / security expert charged with massive credit card theft

2007-09-13T18:00:00.000-04:00

Computer World

A California man who served jail time for hacking hundreds of military and government computers nine years ago was charged yesterday with new computer crimes: stealing tens of thousands of credit card accounts by breaking into bank and card processing networks.

Max Ray Butler, 35 of San Francisco, a.k.a Max Vision, and also known by his online nicknames of Iceman, Digits and Aphex, was indicted Tuesday by a federal grand jury in Pittsburgh on three counts of wire fraud and two counts of transferring stolen identity information. Arrested last week in California, where he remains, Butler could face up to 40 years in prison and a $1.5 million fine if he is convicted on all five counts.

According to the indictment, Butler hacked multiple computer networks of financial institutions and card processing firms, sold the account and identity information he stole from those systems, and even received a percentage of the money that others made selling merchandise they'd purchased with the stolen card numbers. The U.S. Secret Service ran the investigation into the hacks and resulting scams, which took place between June 2005 and September of this year.

Butler was charged in Pittsburgh because he'd sold data on 103 credit card accounts to a Pennsylvanian who was cooperating with authorities.

He and others also operated a Web site used as a meeting place for criminals who bought and sold credit card and personal identity information. "As of September 5, 2007, Cardsmarket had thousands of members worldwide," the indictment read. Although the site was still online as of Wednesday morning, the forums had been deleted. A message posted by a forum administrator identified as achilous said he had erased the threads when news of Butler's arrest broke.

"Everybody who hasn't already done so, I would strongly advise that you delete all PMs you have saved," achilous advised. "Also, any unsecured data you have, now would be the time to make sure it is very strongly encrypted. These precautions seemed justified given the severity of the situation. It may only be a matter of time before a government agency takes over this forum, and I did not want them to get the raw SQL database containing all the threads and posts."

Although some documents in the case remain sealed, including one or more affidavits, news reports cited grand jury witnesses who had told of Butler selling tens of thousands of stolen credit card accounts. A former partner who had been arrested in May reportedly claimed that Butler supplied him with a thousand numbers each month for more than two years, according to the Pittsburgh Tribune-Review.

Achilous called Christopher Aragon, 47, the Californian named in the Tribune-Review story, a "rat" for fingering Butler. Aragon was arrested with another man, Guy Shitrit, 23, in Newport Beach, Calif. on May 12 at a local shopping mall after buying more than $13,000 worth of Coach handbags using counterfeited American Express, credit cards at Bloomingdales. Police found more than 70 bogus credit cards on the pair.

After he was arrested, Aragon was banned from the Cardsmarket forums, said achilous, for "security" reasons.

Prosecutors in Pittsburgh said that Butler used high-powered antenna in "war-driving" style attacks to hack wireless access to computer networks at organizations that included the Pentagon Federal Credit Union and Citibank.

Butler is no stranger to the judicial system. In 2000, he pleaded guilty to charges that he hacked military and other government computers three years prior, including those belonging to the U.S. Air Force, U.S. Navy, and NASA. He was also accused of breaching the network of id Software, developers of the PC games "Doom" and "Quake," and stealing several hundred access passwords to a California Internet service provider.

Butler pleaded guilty to one felony count, even though he continued to proclaim his innocence, saying that he had found an unpatched vulnerability in government networks then written software to scan for the hole and close it. Prosecutors at the time, however, said Butler also added a "back door" to every system his software penetrated, giving him secret access to the networks.

Ironically, Butler, then 28, was a well-known security researcher before his arrest, frequently posting to security mailing lists. He had also created arachNIDS, a once-popular open source collection of attack signatures used intrusion detection systems. During court hearings in 2000, it also came to light that he had been an FBI informant for at least two years, and perhaps as many as five years, before his arrest.

Butler was sentenced in May 2001 and served 18 months in federal prison and three years' probation.

Why We Aren't as Ethical as We Think We Are

2007-09-10T11:57:00.000-04:00

HBS (pdf)

People commonly predict they will behave more ethically in the future than they actually do. When evaluating past (un)ethical behavior, they also believe they behaved more ethically than they actually did. New research discusses why.

Flash mob DDOS

2007-08-14T08:00:00.000-04:00

CNET

Flash mobs may have been responsible for those denial-of-service (DoS) attacks in Estonia last May. So says Gadi Evron, security evangelist for Beyond Security, who gave a thorough presentation last week at Black Hat and then again at Defcon, recounting in detail the events surrounding the attack, some of which he experienced first-hand, surrounding the attack. Although he originally joked that the KGB was to blame--and quickly explained that the KGB no longer existed--Evron said could not prove conclusively that the Russians were behind the events. Yet he did call it the first true cyberwar, if only that the commerce and day-to-day functions of one country were interrupted significantly. Evron said we can all learn by what was done. Unlike the United States and many other countries, Estonia's 1.4 million people are among the most wired populations in the world, so for several days, ordinary people were unable to pump gas, buy bread, or pay their bills because of a nationalistic dispute with another country. And remember, this was just a small attack, a taste of what's to come.

[...] there was some forensic evidence that suggested a part of this attack was organized. For example, the initial inciting spam. There was also at least one bot agent written specifically to wreak havoc [...]

[...] What's significant is that the denial of service attacks affected the Estonian economy. This wasn't just an attack on the government; it affected the average person on the street. Many Estonians rely on the Internet for basic services such as paying for food, water, and gas. By shutting down access to banks, these services could not be paid. "The more technology there is within a country, the more dependent the country is on technology" he said, "and therefore, the more vulnerable." He said the same applies to the Internet. What happened in Estonia, Evron said, could happen somewhere else, perhaps on a larger scale, in the future.

Evron said we also need to rethink what we consider our critical assets our in light of this. "The critical infrastructure was not what we expected; it was (not the government, but) the private and business sectors." Evron said ISPs, banks, and even the media need to be protected against such attacks. The media, he said, are necessary to get information out in a time of crises.

[read the full article]

On preventing DDOS attacks -- CERT

Social strategy helps break through ad clutter

2007-08-14T07:18:00.000-04:00

Nova Scotia News - TheChronicleHerald.ca

Social strategy helps break through ad clutter KAREN BLOTNICKY 7:35 AM ADVERTISEMENT THERE IS a lot of advertising on the street. Consumers are subjected to literally thousands of cues on a daily basis. Advertisers are all seeking the same thing: the consumer’s attention. With so much advertising it is becoming tougher to break through the clutter.

Social strategy is an innovative business strategy that goes beyond advertising and into the heart of the business. Social strategy requires that businesses focus on the impact they have on society as a whole, with the goal of making positive contributions in a proactive and ethical way.

At first glance, social strategy sounds more like a company mission than a marketing strategy, but the two are intricately connected. Research shows that today’s consumers expect businesses to deliver the entire package: a brand that is both ecological and ethical, and that is based in a company whose primary motives are just as pure.

Today’s marketers must be more than creative minds with the ability to create a performance surrounding a product: they must be an integral part of the organization and they must play an important role in pulling together the soul of the company and its public persona.

Today’s shoppers are much more cynical than their parents and grandparents were. They do not trust most of the promotional messages that they hear. Social strategy is the key to success that helps honest firms get their point across.

A recent study of 1,200 Canadians revealed that the majority of consumers are willing to pay a premium for products that are environmentally friendly: not just in their application, but also in their manufacturing. Women were more strongly inclined to support such products than were men.

Women also demonstrated stronger leanings towards social responsibility as they grew older, while men tended to remain consistent in their attitudes towards social responsibility. These are important considerations when dealing with an aging population.

The majority of both male and female shoppers were more likely to support brands that contributed something back to the community. They were also more willing to support companies that were socially responsible, and that were making real contributions to the betterment of society and community.

Women were more strongly supportive than were men and there were stronger pockets of support in different age groups. For example, 90 per cent of women between the ages of 35 and 54 years were more likely to purchase a brand that contributed to the community. These trends are important when considering that the female head of household controls most of the family budget.

Promotional messages featuring such products and firms were more likely to impact consumers. The study also indicated that support was higher among consumers who were higher educated, or had higher incomes.

Consumers appear to be linking trust and meaning to broad social activism and then equating that activism back to individual brands, and companies. The core value behind the company must be as strongly targeted and as relentlessly pursued as the personality attached to individual company brands.

The most successful brands are able to link corporate mission and motive to the values of customers in a highly impactful and transparent way.

Many of these companies are quite large, but they have grown as a result of their socially responsible core values. Examples of such firms include The Body Shop, Mountain Equipment Co-op, and Vancouver-based Vancity Credit Union.

Vancity is somewhat unusual when compared to other socially responsible firms, which tend to deal with consumer package goods. As a service provider, Vancity has the added complication of having to make a complex service easier to understand and purchase. However, Vancity has created a social strategy based on a triple bottom line based on financial, social and environmental returns.

Making core values actionable can be a challenge for some firms. Vancity makes its triple bottom line real to consumers by contributing one million dollars annually to organizations that support projects that contribute to the economy, society or community.

They also offer interest rate breaks for hybrid car loans and environmentally friendly home mortgages.

Small businesses need to seriously examine their strategy to see if a social strategy can work for them. This process must start with examining the firm’s environmental impact, and determining how social goals will resonate with customers. No firm is too small to consider a triple bottom line approach.

Finally, the business must be able to effectively communicate its social strategy, as well act on it.

Using a social strategy involves a level of commitment that goes far beyond the marketing campaign, and it is a win-win approach for the business, its customers and community.

Karen Blotnicky is president of TMC The Marketing Clinic and a professor at Mount Saint Vincent University.

Creating an Ethics Curriculum

2007-07-19T17:20:00.000-04:00

Working Values

Companies can dramatically improve their ability to effect behavior change when they develop an ethics training curriculum aimed at building ethical leadership and culture building skills throughout the organization. The training should focus on developing ethical decision-making skills, promoting open communication, encouraging role modeling and communicating with respect.

Recent Ethics Resource Center (ERC) data shows that an increasing number of companies have ethics programs and provide training:

Written standards of conduct are up by 19 percent.
Training on ethics has increased by 32 percent.
Mechanisms to seek ethics advice or information are being instituted at an increase of 15 percent.
Means to report misconduct anonymously is up by 7 percent.
Discipline of employees who violate ethical standards is up by 4 percent.

However, the ERC reports that this increase in training has not improved outcomes:

In 2005, 52 percent of employees observed at least one type of misconduct taking place.
Employee willingness to report misconduct declined in 2005. Of employees who observed misconduct at work in 2005, just over one half (55 percent) reported it to management. This represents a 10 percentage point decrease since 2003 and demonstrates backsliding to levels similar to those in 2000.
There is little change in pressure to compromise standards in 2005 -- 10 percent of employees feel this pressure always or fairly often, a level similar to that reported in the earlier year.

Source: Ethics Resource Center, National Business Ethics Survey

The data suggests that while incidences of misconduct persist, employees are less apt to report them, despite an increase in ethics training and reporting mechanisms in the workplace. Why is there so little correlation between the implementation of ethics programs and an employee's willingness to speak up when they observe or suspect a violation?

For most companies, ethics training is still predominantly a "check the box" program focusing on compliance with the law. It's crucial that companies ensure compliance, but making sure that employees know the rules is no guarantee they will follow them. Building a culture that institutes, promotes and helps employees maintain ethical behavior in the workplace necessitates a different method of training – a differentiated curriculum targeted at specific audiences within the organization and training on specific skill sets for these audiences.

This kind of training demonstrates that ethics is valued at all levels of the organization. Senior leaders can be trained in five-minute increments or modules to facilitate ease of use and the efficient use of time for learners who are chronically short of time. Skills should include open communication and specific behaviors for modeling tone at the top.

Managers need to be trained in open communication and skills and competencies to support a culture of ethics within their departments and teams. They need to learn how to demonstrate specific behaviors for modeling ethical behavior in the workplace.

Employees can be trained to use a company-wide decision making process or model to help them remember and practice where and how to provide feedback to managers or supervisors. The model can also direct employees on where and how to report workplace issues. Training in specific listening and communication skills help to promote open communication with managers, supervisors and peers.

A company-wide discovery process should be undertaken to understand the specific culture within the organization and articulate its business objectives in relation to ethical behavior. After the discovery process, the findings can be woven into the ethics training curriculum to meet the particular needs of that organization.

Organizations can build an ethics curriculum that will:

Build ethical leadership skills and at all levels of the organization -- not just teach policies and procedures;
Reflect the culture of the organization;
Be engaging and immediately applicable to learners;
Connect business objectives to ethics training;
Promote open communication and teach the skills necessary to achieve it; and
Provide tools for integrating learning into the workplace.

U.K. commissioner blames CEOs for data breaches

2007-07-11T19:24:00.000-04:00

CNET News.com

The United Kingdom's information commissioner is calling on chief executives to take the security of customer and staff information more seriously.

'The roll call of banks, retailers, government departments, public bodies and other organizations which have admitted serious security lapses is frankly horrifying,' Richard Thomas wrote in a report. 'How can laptops holding details of customer accounts be used away from the office without strong encryption? How can millions of store card transactions fall into the wrong hands?'

The Information Commissioner's Office (ICO) received almost 24,000 inquiries and complaints concerning personal information, and it prosecuted 16 individuals and organizations in the past 12 months, according to its annual report for 2006 and 2007.

'Be sure you are not the business or political leader who failed to take information rights seriously.'

Richard Thomas, information commissioner, United Kingdom: 'My message to those at the top of organizations is to respect the privacy of individuals and the integrity of the information held about them, to embrace data protection positively, and to be sure you are not the business or political leader who failed to take information rights seriously.'

The ICO received complaints under both the Data Protection Act and the Freedom of Information Act.

More than half of Data Protection Act cases required the ICO to simply provide advice and guidance, while a breach was likely to have happened in more than a third of cases, of which a further 77 percent resulted in remedial actions such as correcting an individual's record or training staff.

The ICO received almost 6,000 complaints under the Freedom of Information Act and has closed more than three-fourths of those.

Public awareness of data protection rights has increased to 82 percent, with more people understanding that personal information must be handled appropriately, according to the report.

The information commissioner's plea follows a number of security breaches over the last year, including 12 U.K. banks found to be in breach of the Data Protection Act, following complaints about the disposal of customer information.

U.K. bank Barclays is facing an ICO investigation over allegations of customer privacy breaches, and telecommunications provider Orange and retailer Littlewoods were also found to be in breach of the Data Protection Act by the ICO this year.

2006 Operating System Vulnerability Summary

2007-04-15T07:19:00.000-04:00

OmniNerd

Overview

Computer security is a precarious business both from a product development and administrative standpoint. Operating system vendors are forced to constantly patch their software to keep consumers protected from the latest digital threats. But which operating systems are the most secure? A recent report by Symantec hints that Windows currently presents fewer security holes than its commercial competitors.1 To that, a typical consultant would respond "well, that depends," as security auditors generally take such statements with a grain of salt. It depends on the configurations of the hosts, the breadth of the included binaries and the scope of what "commercial competitors" entails. Differing opinions on this interpretation lead to different conclusions. SecurityFocus, for instance, shows that various overall vulnerabilities surged in 2006 while ISS (Internet Security Systems) reports that operating system specific exploits declined.2,3

The summarized coverage of 2006 vulnerabilities by SANS showed the most prevalent attack vectors were not directly against the operating systems themselves.4 However, this article approaches the operating system as an entity in and of itself for analysis of only the vulnerabilities of core features. As such, vulnerability scans were conducted against 2006's flagship operating systems in various configurations to determine weakness from the moment of installation throughout the patching procedure. From Microsoft, testing included Windows XP, Server 2003 and Vista Ultimate. Examinations against Apple included Mac OS9, OSX Tiger and OSX Tiger server.5 Augmenting Apple's UNIX representation, security tests were also performed on FreeBSD 6.2 and Solaris 10. Rounding up the market share, Linux security testing included Fedora Core 6, Slackware 11, SuSE Enterprise 10 and Ubuntu 6.10. Before delving into the specifics of the vulnerabilities, it is helpful to understand the security scene of 2006.

read full report

Control and track your car from the net

2007-04-15T06:58:00.000-04:00

Autoblog

YOU are big brother

The world is certainly not lacking devices that allow you to track and control your vehicle from afar. The newest breed of these systems was developed by Inilex, which allows a subscriber/user to do everything from unlock their doors, start their vehicle, sound the alarm, disable the engine or give the location of their ride. The system can be used by logging on to Inilex's website via a PC, calling a toll-free number or using a PDA with access to the internet.

Aside from providing a bit more convenience and protection, the major draw for some users, namely parents, is the ability to not only track the movements of the vehicle, but also be alerted via text message or email if the kiddies stray from set boundaries or operate the vehicle during certain times of the day or night (no more ditching school or sneaking into the love interest's window at 3 AM).

Inilex demo.

Network Security Is Top of Mind for Executives

2007-03-25T09:43:00.000-04:00

(EIU research white paper entitled "Network Security: Protecting Productivity".)

AT&T Inc. announced today that network security is regarded by executives as the single most important attribute of their network, according to the results of a global survey conducted by the Economist Intelligence Unit (EIU) for AT&T. The research reveals that a majority of executives (52 percent) now believe that having a converged network gives their companies better deference against IT security breaches. Furthermore, nearly 70 percent feel that IP helps ensure business continuity following an emergency.

The survey of 395 senior executives called 'Network Security: Protecting Productivity' also shows that, at the same time, network security concerns remain at the top of the list of barriers to implementing a converged IP network. IP convergence, although it may increase vulnerability in some ways, promises to take the network defences to new levels of sophistication and reliability, and today organizations are equipped with incomparably better tools to protect the network than they were even in the late 1990s.

The EIU white paper shows that, increasingly, executives feel especially concerned about the growing volumes of customer data they hold and manipulate, and 45 percent say that the holding of sensitive customer data on their network makes them feel "extremely" vulnerable from an electronic security perspective. Another 41 percent say the process of analyzing and acting upon detailed customer data also significantly increases their vulnerability.

Among the worst security threats cited by nearly half (49 percent) of executives is hackers. Protecting against viruses and worms also remains top of mind for companies but emerging as one of the most feared threats is identity theft -- mentioned by one-third of executives -- and their concerns are set to rise over the next three years.

The EIU research has also highlighted the importance of the chief security officer (CSO), and although typically the CEO remains the primary decision- maker for electronic security decision (with the exception in Europe where the CIO is more likely to hold this role), the role of the CSO is rising, with 12 percent of companies confirming this as the main decision-maker.

"Security is becoming more and more important in today's collaborative environment", comments Lloyd Salvage, AT&T's vice president in the U.K. "We are constantly talking to our customers and helping them to re-evaluate their requirements to ensure that their businesses are adequately protected at all times."

The white paper is the second of a series of thought-leadership papers in the Network Convergence series written by AT&T in co-operation with the Economist Intelligence Unit. Subsequent papers in the series will explore how companies are addressing the challenges of managing applications integration and enterprise mobility.

Survey and Research Methodology

As part of the research for the paper, the Economist Intelligence Unit conducted an online worldwide survey of 395 senior executives across 51 countries and over 20 industries. The majority of respondents came from Western Europe (32%), Asia Pacific (30%), and North America (30%). Other respondents came from Eastern Europe, Latin America, the Middle East, and Africa. 63% of those polled hailed from large firms with annual revenue of more than US$500 million. The top five industry sectors represented by the survey respondents were professional services, financial services, manufacturing, IT and technology, and healthcare, biotechnology and pharmaceuticals. In addition to the survey research, the EIU conducted a series of one-to-one in-depth interviews with senior executives and analysts.

Outrunning the Regulators

2007-02-19T10:55:00.000-05:00

Strategy + Business
In banking, as in other heavily regulated industries such as utilities and health care, keeping abreast of federal regulatory requirements is of paramount importance. To avoid an endless cycle of reacting to new regulations, banks [and business in other regulated industries] must anticipate the regulatory fallout from problems such as identify theft, and implement solutions that address existing and longer-term security issues. Leaders should consider decentralized security structures to enable a faster response to new rules. Making customers aware of new security measures is also vital and can help mitigate risk.

. . .

[...] Companies in heavily regulated industries, a group that includes pharmaceuticals, health care, and utilities, often act as though the regulations that besiege them are irritating trivialities. However, new requirements can offer companies an opportunity to escape the cycle. For instance, instead of maintaining an ad hoc approach to foiling invasions and complying with regulations, banks should craft an overall public-facing security strategy. Although it can be difficult to persuade senior management to invest in long-range plans, there’s no better time to do it than when they are in the shadow of an imminent regulatory deadline — especially one that is disrupting the entire organization as the company marshals its resources to deal with it.

For example, in aiming to go beyond regulatory compliance and achieve security excellence, banks can institute a mechanism for self-analysis and self-improvement that allows them to anticipate their future security needs. In doing so, they will meet their current burden of compliance, lessen the impact of any future regulatory guidance, reduce their risk exposure, and address customers’ concerns about the security of online banking.

[...] The second element is an effective organizational structure to manage the initiative. A common roadblock to implementing new security standards is a decentralized company, which can lead to inconsistent approaches to IT security across the enterprise, along with incomplete monitoring and accountability. However, piecemeal fixes will not work. Grafting a centralized security program onto a decentralized organization often results in the corporate equivalent of organ rejection.

How might banks address this issue? They can create a hybrid centralized–decentralized model, in which critical compliance activities and governance oversight are centrally managed, while less critical functions remain with the business units. Alternatively, banks can construct enforcement mechanisms that shift the burden of compliance to the heads of the business units, rather than keep it centralized at corporate headquarters. Regardless of the specific solution, banks can manage risk exposure and regulatory compliance in a uniform fashion only if they have the requisite organizational structures in place.

The final element of a robust risk-mitigation program, customer awareness, can be a key component of a company’s defense against fraud and identity theft. A well-educated bank customer can more easily spot phony come-ons, like phishing e-mails, and avoid being deceived. In fact, many banks are finding that educated consumers are their front line of defense in reporting phishing and other fraud attempts. One basic but effective measure is to advise customers to always type the bank’s Web address into their Internet browser rather than click on a link in an e-mail, because the e-mail may be fraudulent.

Furthermore, making customers aware of enhanced online security is a key differentiator in the marketplace. In a 2005 survey by Deutsche Bank Research, “security offering” was far and away the most important feature to prospective online banking customers, with 87 percent calling it their top priority. A well-publicized security program could prove a significant lure to new customers in the highly competitive banking environment.

Any highly regulated industry will face similar vicious cycles of its own and should be thinking about approaches for leaping ahead of regulatory requirements. The common thread is that simply responding to regulatory guidance will never be enough. Anticipatory thinking is the only way to avoid being caught in the middle of an endless series of provocation and regulation.

Hackers Attack Key Net Traffic Computers

2007-02-07T08:08:00.000-05:00

SFGate.com based on an AP feed

Hackers briefly overwhelmed at least three of the 13 computers that help manage global computer traffic Tuesday in one of the most significant attacks against the Internet since 2002.

Experts said the unusually powerful attacks lasted as long as 12 hours but passed largely unnoticed by most computer users, a testament to the resiliency of the Internet. Behind the scenes, computer scientists worldwide raced to cope with enormous volumes of data that threatened to saturate some of the Internet's most vital pipelines.

The Homeland Security Department confirmed it was monitoring what it called 'anomalous' Internet traffic.

"There is no credible intelligence to suggest an imminent threat to the homeland or our computing systems at this time," the department said in a statement.

The motive for the attacks was unclear, said Duane Wessels, a researcher at the Cooperative Association for Internet Data Analysis at the San Diego Supercomputing Center. "Maybe to show off or just be disruptive; it doesn't seem to be extortion or anything like that," Wessels said.

Other experts said the hackers appeared to disguise their origin, but vast amounts of rogue data in the attacks were traced to South Korea.

The attacks appeared to target UltraDNS, the company that operates servers managing traffic for Web sites ending in "org" and some other suffixes, experts said. Officials with NeuStar Inc., which owns UltraDNS, confirmed only that it had observed an unusual increase in traffic.

Among the targeted "root" servers that manage global Internet traffic were ones operated by the Defense Department and the Internet's primary oversight body.

"There was what appears to be some form of attack during the night hours here in California and into the morning," said John Crain, chief technical officer for the Internet Corporation for Assigned Names and Numbers. He said the attack was continuing and so was the hunt for its origin.

"I don't think anybody has the full picture," Crain said. "We're looking at the data."

Crain said Tuesday's attack was less serious than attacks against the same 13 "root" servers in October 2002 because technology innovations in recent years have increasingly distributed their workloads to other computers around the globe.

Phisher Convicted, Faces 101 Years In Prison

2007-01-18T06:00:00.000-05:00

TechWeb

In the first jury conviction under the Can-Spam Act of 2003, a California man has been found guilty of operating a sophisticated phishing scheme that attempted to dupe thousands of AOL users.

Jeffrey Brett Goodin, 45, of Azusa, Calif., was found guilty of sending thousands of e-mails set up to appear to be from AOL's billing department to the company's users, prompting them to reply with personal and credit card information. He then used the information to make unauthorized purchases, according to the U.S. Attorney's Office in Los Angeles.

Goodin is scheduled to be sentenced by U.S. District Court Judge Christina A. Snyder on June 11. He faces a maximum sentence of 101 years in federal prison.

The evidence presented during the week-long trial showed that Goodin used several compromised Earthlink accounts to send the fraudulent spam. Users were urged to update their AOL billing information or risk losing service. The e-mails, according to the U.S. Attorney's Office, referred people to one of a list of Web pages where they were directed to input their personal and financial information. Prosecutors contend that Goodin controlled the Web pages, and he subsequently collected the information and then made charges on people's credit or debit cards.

Goodin also was found guilty of 10 other counts, including wire fraud, aiding and abetting the unauthorized use of an access device (a credit card in this case), possession of more than 15 unauthorized access devices, misuse of the AOL trademark, attempted witness harassment, and failure to appear in court.

Five-step check for nano safety

2006-11-16T18:12:00.000-05:00

BBC NEWS

A team of experts has drawn up five 'grand challenges' in order to evaluate the safety of nanotechnology.

The field's potential could be compromised unless the scientific community can implement a programme of systematic risk research, they warn.

Writing in Nature journal, the team says that fears about nanotechnology's possible dangers may be exaggerated, but not necessarily unfounded.

The five challenges are designed to be completed over the next 15 years.

"The threat of possible harm - whether real or imagined - is threatening to slow the development of nanotechnology unless sound, independent and authoritative information is developed on what the risks are and how to avoid them," author Andrew Maynard and his colleagues write in Nature.

The five grand challenges include developing instruments to evaluate exposure to engineered nanomaterials in air and water and developing methods for assessing their toxicity.

The group of experts says that if the global research community can take advantage of the safety infrastructure already in place for biotechnology and computing, then nanotechnology has a rosy future.

But Dr Maynard, from the Woodrow Wilson International Center for Scholars in Washington DC, and colleagues say that the way science is carried out means it is ill-equipped to address novel risks from emerging technologies.

Research into understanding and preventing risk often has a low priority in the world of technology development, research funding and intellectual property, they say.

NANOTECH'S FIVE CHALLENGES

Develop instruments to assess exposure to engineered nanomaterials in air and water within next 3-10 years

Create and test ways of evaluating the toxicity of nanomaterials in 5-15 years

Generate models to predict their possible impact on the environment and human health over the next 10 years

Develop ways to assess the health and environmental impact of nanomaterials over their entire lifetime, within the next five years

Organise programmes to enable risk-focused research into nanomaterials, within the next 12 months

"Without strategic and targeted risk research, people producing and using nanomaterials could develop unanticipated illness arising from their exposure," the authors warn in Nature.

"Public confidence in nanotechnologies could be reduced through real or perceived dangers and fears of litigation may make nanotechnologies less attractive to investors and the insurance industry."

Safety studies

Recent studies on nanoparticles in cell cultures and animals show that a variety of factors influence their potential to cause harm. These include their size, surface area, surface chemistry and ability to dissolve in water.

This should come as no surprise. Inhaled dust has been known to cause disease for many years. Small particles of inhaled quartz can lead to lung damage, with the potential for progressive lung disease. But the same particles with a thin coating of clay are less harmful.

Long, thin fibres of asbestos can also lead to lung disease if inhaled, but grinding the fibres down to shorter particles reduces their harmfulness.

In May, the UK's Royal Society called on industry to disclose how it tests products containing nanoparticles.

A joint report by the Royal Society and Royal Academy of Engineering two years ago said there was no need to ban nanoparticle production.

But it said tighter UK and European regulation over some aspects of nanotechnology - manipulation of molecules - was needed to ensure its long-term safety.

Nearly half of Canadians find security laws intrusive: study

2006-11-14T05:53:00.000-05:00

CBC
Americans are more likely than Canadians to be concerned about the intrusiveness of new laws aimed at protecting national security in the wake of the Sept. 11, 2001, attacks, new Canadian research suggests.

In what is believed to be the first cross-cultural study of its kind, Queen's University researchers surveyed 9,000 people around the world about their experiences with surveillance and privacy. The study was released Monday.

'We are seeing a high level of concern in many parts of the world about the intrusiveness of these post-9/11 laws. Fifty-seven per cent of Americans and 47 per cent of Canadians said that these laws are intrusive,' Elia Zureik, lead researcher, said in a news release.

"These findings resonate with the recent Ontario Supreme Court ruling about the unconstitutionality of parts of Bill C-36, the anti-terrorism legislation in Canada."

Researchers examined attitudes toward data collection by governments and employers, and via technologies such as personal computers, biometrics and global-positioning systems. They wanted to better understand how much people trust corporations and governments to handle personal information.

Highlights from the study include the percentage of respondents who:

Believe surveillance laws are intrusive (U.S. 57 per cent, Canada 48 per cent, Spain 53 per cent, Mexico 46 per cent, Brazil 41 per cent and France 40 per cent).
Worry about providing personal information on websites (China 54 per cent, Canada 66 per cent, Brazil 70 per cent, Spain 62 per cent and U.S. 60 per cent).
Believe the use of closed circuit television deters in-store crime (Mexico 88 per cent, U.S. 80 per cent, Canada 79 per cent and France 73 per cent).
Rejected outright the premise that airport authorities should give extra security checks to visible minority passengers. About 60 per cent of Chinese, Hungarians, Brazilians, and Canadians but only a third of Americans found such practices unacceptable.

The survey also found some striking cultural differences. In China, 63 per cent of respondents said they trust the government to protect their personal information. That compares to 48 per cent of Canadians and 20 per cent of Brazilians.

About 30 per cent of Canadians, Americans, Spaniards and Hungarians felt they had complete or a lot of say in what happens to their personal information. But Chinese and French respondents felt differently, with 67 per cent and 60 per cent, respectively, reporting they felt in control of the use their information.

The survey was funded by the Social Sciences and Humanities Research Council of Canada and included nearly 50 questions on participants' attitudes toward consumer surveillance, racial profiling at airports, national ID cards, media coverage of surveillance issues, workplace privacy, knowledge of privacy regulations, control over personal data and public trust in government.

A Security Disconnect

2006-11-02T13:43:00.000-05:00

Conference Board
There’s a serious security disconnect going on at our nation’s largest and most vulnerable companies: "The most supportive executives [such as CIOs] were not the most influential, and the most influential executives (senior C-suite managers) were not the most supportive." That’s the key finding from a new Conference Board report on security entitled “Navigating Risk—The Business Case for Security.”

The study measures the influence of security managers among senior executives; the Board surveyed 213 senior corporate executives not specifically responsible for security or risk matters and not CIOs, at companies at especially high risk: “critical infrastructure industries (including energy and utilities, chemicals, and transportation), large corporations, multinationals with global operations, and publicly-traded companies.”

The study found:

there is a strong disconnect between the level of support for security
initiatives and the level of influence over security policy within the companies
surveyed. “Security directors appear to be politically isolated within their
companies,” says Thomas Cavanagh, Senior Research Associate in Global Corporate
Citizenship at The Conference Board and author of the report. “They face a
challenging search for allies when they need to gain support from upper
management for new security initiatives.”

It also found that while security is seen as aligned with operational risk, it’s not viewed as well-aligned with company strategy:

Companies reported less alignment of security with long-range strategic
objectives of the firm. For example, among senior executives, 56% see their
company’s security operation as effectively aligned with the need to keep pace
with competitors, and half of the sample believe security has been effective in
reducing insurance premiums. Much lower proportions saw security as contributing
toward enhancing the value of the brand (44%), managing the supply chain (36%),
or pursuing new business opportunities (35%).” The results “suggest that
security remains a function that is mired in operations in the eyes of senior
executives,” says Cavanagh.”

Measures of the effectiveness of corporate security are less sophisticated than even the measures for IT or HR effectiveness. The focused on how much a problem costs, not on contribution to strategy:
The most helpful measures were the cost of business interruption, (cited by 64%); vulnerability assessments (60%); and benchmarking against industry standards (49%). Another group of helpful metrics was explicitly related to insurance costs, such as the value of facilities (44%), the level of insurance premiums (39%), and the cost of previous security incidents (34%). The choice of metrics varies widely across industries.

Our own security survey has also found that management support for security is a problem (Finding 1.2). But while our survey finds there is a trend toward greater integration of IT security with risk management (Findings 6.1 and 6.2), the Conference Board study suggests that IT security's part in the overall risk picture is not as well-understood or supported as IT executives think. It helps explain why so many IT executives complain that their company takes too tactical an approach to security (Finding 6.3). CIOs can't take support for security for granted. Maybe they should enlist the help of those anxious chief marketing officers who were surveyed in the CMO Council's study on security.

Ethical Advocates Can Build Significant Goodwill For Companies

2006-11-02T08:35:00.000-05:00

Based on its research, Ipsos has developed a Corporate Responsibility Roadmap with eight model behaviors that can help companies stand out and appeal to Ethical Advocates. These behaviors are:

The company provides quality products and services at a reasonable price, i.e., it doesn’t come across as making excessive profits at the expense of the consumer;
The company provides universal access to its products and services, i.e., it doesn’t discriminate against sections of society because of their wealth, age or geography. This is especially pertinent for financial service, telecommunications and pharmaceutical providers;
The company treats its employees well (both at home and abroad);
The company’s activities are not detrimental to the environment;
The company communicates clearly about its business, products and services so the consumer is able to make an informed choice. Companies with an overarching corporate brand, especially those in consumer goods, are expected to create awareness of their product portfolio;
The company is smart and respectful in its sales, marketing and advertising, i.e., it doesn't adopt aggressive sales techniques, excessive mailings or irresponsible advertising that targets children;
The company supports the local economy by sourcing US products and labor (especially so for the retail and automotive sectors);
The company is committed to innovation (particularly if it is in technology or pharmaceuticals).

Annabel Evans a Vice President with Ipsos Public Affairs and author of a study exploring the corporate reputation of 30 major U.S. businesses from a variety of sectors published the results in a special issue of the magazine, Ipsos Ideas . “Companies that are perceived to be socially and environmentally responsible, and good communicators, are highly regarded,” says Evans. “The opposite is true for companies that don’t perform well in these areas.”"

Ethical Advocates regularly choose products that have some social or environmental benefit, such as those made with recycled content or produced via a fair trade arrangement. They also take personal steps to be more environmental and socially responsible. Most Ethical Advocates, for example, recycle, donate money to charity and make efforts to be energy-efficient.

Among the behaviors Ethical Advocates consider when judging companies are: quality products and services at a reasonable price, fair treatment of employees at home and abroad, support of the local economy, respect for the environment and the ability of consumers to make an informed choice.

The Quiet Leader—and How to Be One

2006-10-30T11:56:00.000-05:00

HBS Working Knowledge
Lagace: You write that one inspiration for your new book was the unusual course you've been teaching for MBA students on moral leadership in organizations. What is a quiet leader? Is quiet leadership a topic you had been thinking about prior to the MBA course?

Badaracco: I don't think I really started thinking about it until just a few years ago. There were two things that prompted me to do so. One is that I had written a book called Defining Moments: When Managers Must Choose Between Right and Right (HBS Press, 1997) which is about big deal, high-stake, traumatic decisions. And there was a natural question: 'Is this all there is to writing about difficult ethical decisions?' Or put differently, what happens in between the big decisions—which don't come along very often? For some people they come along very, very infrequently. Does this mean these people are on vacation the rest of the time?

There's the age-old myth of Icarus trying to fly too close to the sun, and there is the suggestion that there is something dangerous about the pursuit of greatness. And at the same time while you read books and plays—Death of a Salesman is such a clear example, where Willy wants to be a great salesman and he wants his sons to be leaders of men. He pushes so hard he ends up committing suicide, is very disappointed in his kids—there are other characters, I noticed, who were what I came to call quiet leaders.

You also end up defining quiet leaders almost through a series of negatives. They're not making high-stakes decisions. They're often not at the top of organizations. They don't have the spotlight and publicity on them. They think of themselves modestly; they often don't even think of themselves as leaders. But they are acting quietly, effectively, with political astuteness, to basically make things somewhat better, sometimes much better than they would otherwise be.

Sometimes a few people were aware of what they did; sometimes nobody is aware of what they did. There aren't medal ceremonies and often the people involved don't think they would deserve one if the medals were being given out. But often they're people, I found…in the cases I looked at carefully, who find that some situation or problem or difficulty affecting a person, affecting an organization, is really bothering them; it gets under their skin. While other people would say, "Hey, why are you getting carried away about this?", they care about it. They commit themselves and keep working tenaciously, so that over a period of time they find some ways to get stuff done.

If you look behind lots of great heroic leaders, you find them doing lots of quiet, patient work themselves. —Joseph L. Badaracco Jr.

Fearful of Feds, Companies Investigate Themselves

2006-10-27T08:27:00.000-04:00

CFO.com

More than half of companies surveyed hired independent counsel in the past year to help with internal investigations, a move widely believed to reduce any punishment regulators might later mete out.

A majority of companies have hired outside counsel to help with an internal investigation in the past year – a sign that companies are concerned about how their handling of problems will be perceived by regulators and the public.

About 63 percent of over 400 U.S. and international companies surveyed by law firm Fulbright & Jaworski undertook at least one internal investigation with the help of outside counsel.

The act of engaging outside counsel at least makes the investigation appear more rigorous. "[If] there is a concern that you appear as credible as possible, hire outside counsel to conduct [an investigation] so they can discuss their results with the Department of Justice or others and tell them what the corporation itself has found," explained Layne Kruse, a senior litigation partner at Fulbright & Jaworski. Layne says the current number of outside counsel engagements is much higher than usual.

All regulatory agencies have their own list of factors to consider when determining what type of penalty to give the company, notes William McLucas, former head of the SEC's enforcement division, and now a partner at Wilmer Cutler Pickering Hale & Dorr. Both the Department of Justice's "Thomson Memo" and the Securities and Exchange Commission's "Seaboard Report" outline the credit given to public companies when they cooperate with the government. Both of those documents "include the extent to which companies self-report and self-investigate," explains McLucas. (For CFO's analysis of the SEC's Seaboard Report, see "The Limits of Mercy."

Additionally, in this Sarbanes-Oxley era, companies are hiring outside, independent counsel to investigate all types of business issues from accounting to disclosure, observes McLucas. "The issue relates to the increased responsibility that audit committees have under Sarbanes-Oxley," he said. It also underscores the "overall heightened sensitivity of board members to the company's exposure to harsh government enforcement proceedings as well as the risk that the board itself could be subject to enforcement proceedings," added McLucas.

[CLB: Somehow this implies that the old-fashioned role of an external auditor wasn't sufficient, or that it is reborn anew. After Arthur Anderson, has anything actually changed?]

Corporate America’s Pay Pal

2006-10-15T03:58:00.000-04:00

New York Times

"For more than 20 years, Frederic W. Cook has developed innovative methods for creating lottery-size pay increases for top company executives.

You may not know Frederic W. Cook, but if you are a shareholder or employee who has watched executive pay rocket in recent years, you are likely to be acquainted with his work.

[CLB: This is a fascinating editorial, and recommended.]

Spy games and a lack of ethical guidance

2006-10-05T08:50:00.000-04:00

globeandmail.com

Former Hewlett-Packard Co. chairwoman Patricia Dunn and four others are facing criminal charges in California, including identity theft and conspiracy, for their role in a covert hunt for a boardroom mole.

The charges, filed Wednesday by California Attorney-General Bill Lockyer, mark the latest blow for the venerable computer maker, which is also facing investigations by the U.S. Justice Department, the Securities and Exchange Commission and Congress.

“One of our state's most venerable corporate institutions lost its way as its board sought to find out who leaked confidential company information to the press,” Mr. Lockyer told a press conference last night. “In this misguided effort, people inside and outside HP violated privacy rights and broke state law.... Those who crossed the legal line must be held accountable.”

In addition to Ms. Dunn, who ordered the search for a director suspected of leaking secrets to reporters, California has also charged HP lawyer Kevin Hunsaker, the company's ousted chief ethics officer, and three outside private eyes — Ronald DeLia of Boston, Joseph DePante of Melbourne, Fla., and Bryan Wagner of Littleton, Colo.

The legality and ethics of corporate espionage has become a hot-button issue in both Canada and the United States in recent weeks.

Recently released court documents show that executives of WestJet Airlines Ltd. engaged in electronic spying in 2003-04 to get an edge on rival Air Canada.

The five defendants are each facing four charges: use of false or fraudulent pretenses to obtain confidential information from a public utility; unauthorized access to computer data; identity theft; and conspiracy to commit those crimes.

All four counts carry a maximum prison sentence of three years. The maximum fine for each of the three underlying felonies is $10,000 (U.S.). A conviction for conspiracy to fraudulently obtain phone records, or conspiracy to unlawfully access and use computer data, carries a maximum fine of $10,000.

Conspiracy to commit identity theft can bring a maximum fine of $25,000.

HP has admitted that its investigators impersonated board members to get their telephone records — a practice known as “pretexting” — spied on them, dug through their trash and planted spyware on reporters' computers during a covert operation to find the source of several boardroom leaks.

Last week, Ms. Dunn, 53, told a congressional committee that while she ordered the probe in 2005, she assumed investigators were acting within the law and didn't know what pretexting was until the scandal broke.

Appearing before the investigations subcommittee of the U.S. House of Representatives energy and commerce panel, Ms. Dunn said she's sorry for what happened, but denied responsibility for any of the tactics used by HP investigators.

It's been rough week for Ms. Dunn.

Her lawyer disclosed Wednesday that Ms. Dunn, who has survived breast cancer and melanoma, will begin chemotherapy treatments for advanced ovarian cancer Friday at the University of California, San Francisco.

Two other key figures in the corporate spy scandal have so far escaped legal jeopardy — chief executive officer Mark Hurd and Ann Baskins, HP's general counsel.

HP eventually identified director George Keyworth as the source of a leak to a CNET Networks Inc. reporter.

Mr. Keyworth resigned after the scandal broke in early September.

[CLB: For Ms. Dunn and others interested in pretexting, here is a 1999 article published by Rick Johnson Private Investigators: Pretext Investigations - Deception for Profit . In my search for a graphic to add to this captured article, 99% of the images pulled from the Google images engine were of HP. Perhaps the word has taken on new meaning with this debacle.]

Keeping mobile workers safe from highway robbery

2006-10-02T13:04:00.000-04:00

IT World

Last year, laptop theft cost U.S. organizations over US$4.1 million, according to the 2005 Computer Crime and Security Survey, a joint study by the Federal Bureau of Investigation and the Computer Security Institute.

Despite these compelling statistics, many Canadian organizations don’t seem to view mobile and wireless devices as a real threat to enterprise security. This is what IDC Canada found in its recent survey of medium and large-sized organizations in Canada, where 54.4 per cent of mid-sized firms and 35.4 per cent of large organizations tagged mobile and wireless tools as “no real threat” to corporate security.

[...] According to IDC’s Enterprise Security Survey: Threats and Issues, over 35 per cent of large organizations believe wireless and mobile devices pose “no real threat” to IT security, while only 27.3 per cent view these devices as a significant threat.

The discrepancy is even greater among medium-sized firms, where more than 54 per cent said these devices are not a real threat and only 14.7 per cent said they pose security risks.

Mitigating solutions (PAPPP):

Review security policies - policy and audit
User awareness strategies - people
Centralize management - product and process

You can't scare people into getting fit or going green or being secure

2006-09-27T10:45:00.000-04:00

Economic and Social Research Council

New research published today by the Economic and Social Research Council shows that positive, informative strategies which help people set specific health and environmental goals are far more effective when it comes to encouraging behaviour change than negatives strategies which employ messages of fear, guilt or regret.

Recent years have seen increasing efforts to encourage people to do more for their health and for the environment, for example by recycling more, using cars less and taking more exercise. But what messages have been successful, and why?

Theories have long suggested that by changing attitude, social rules and peoples own ability to reach their goals, people's intentions or decisions to act in a particular fashion will be changed, which in turn determines the extent of change in behaviour. But the supporting evidence for these widely accepted ideas was weak; there was a need to take a closer look at experiments that changed attitudes, norms and self-efficacy in order to measure the true extent of any changes in subsequent intentions and behaviour.

The research project, 'Does changing attitudes, norms or self-efficacy change intentions and behaviour?', led by Professor Paschal Sheeran of Sheffield University, provides the crucial missing evidence about the role of these three factors in behaviour change by reviewing all the successful experiments in the past 25 years and quantifying their effects on decisions and actions.

The team identified 33 distinct strategies for changing intentions and behaviour across the 129 different studies. The most frequently used strategies provided general information, details of consequences and opportunities for comparison. Yet the most effective strategies were to prompt practice, set specific goals, generate self-talk, agree a behavioural contract and prompt review of behavioural goals. The two least effective strategies involved arousing fear and causing people to regret if they acted in a particular fashion.

They also examined whether the characteristics of a particular study influenced how well changes in attitude, social norm and self-efficacy influenced intentions and behaviour. There was little evidence that the way factors were measured influenced the findings, though studies that used students or had short follow-up had stronger effect on intentions.

The team's findings show that changing attitude, social norms and behaviour succeeds in making a statistically noticeable difference in people's intentions and behaviour about 60 per cent of the time. The team found the amount of change in intentions and behaviour to be 'meaningful' and of 'medium' size according to standard procedures for describing effect sizes.

[CLB: You also can't scare people into buying security or in using good security tools or practices. You can't scare people into complying. Good governance is a choise, and needs to be enabled with useful tools and procedures.]

Worldwide Governance Indicators: 1996-2005

2006-09-22T08:47:00.000-04:00

WBI Governance & Anti-Corruption

This page presents the updated aggregate governance research indicators for 213 countries for 1996–2005, for six dimensions of governance:

Voice and Accountability
Political Stability and Absence of Violence
Government Effectiveness
Regulatory Quality
Rule of Law
Control of Corruption

The data and methodology used to construct the indicators are described in 'Governance Matters V: Governance Indicators for 1996–2005.' The aggregate indicators as well as for the first time virtually all of the underlying data can be accessed interactively through the following links:

Quick Access
1. Interactive governance indicators: charts & tables
2. Excel-based comparative graphs
3. Governance world map navigation & country stats
4. Download data in Excel format
5. Methodological papers on Governance
6. FAQ on indicators
The Worldwide Governance Indicators are based on a longstanding research program of the World Bank Institute and the Research Department of the World Bank, initiated in the late 1990s by Daniel Kaufmann and Aart Kraay, with the assistance of Pablo Zoido-Lobatón and Massimo Mastruzzi.

Canada:

Insider Threats Tied to Lack of Executive Awareness: Ponemon Institute Study

2006-09-16T07:38:00.000-04:00

Wire services: Ponemon Institute Study

New Study Links Inadequate Resources and Leadership to Increased Insider Threats

Privacy and information management research firm the Ponemon Institute andArcSight, Inc., a global leader in Enterprise Security Management (ESM) software, today released a new study showing that IT security professionals believe poor leadership at the executive level, coupled with a lack of accountability, is a major contributor to the breakdown in corporate data integrity. The study, National Survey on Managing the Insider Threats, is drawn from the responses of more than 450 U.S.-based IT security professionals, and points to resource and leadership failures as a primary cause of employee complacency, negligence and malicious behaviour resulting in both intentional and inadvertent compromise of business and personal information.

The study, sponsored by ArcSight, examines experienced IT security professionals' opinions related to the causes, responses and solutions to the insider threat to data integrity. For the purposes of the study, "insider threat" is defined as the misuse or destruction of sensitive or confidential information, as well as IT infrastructure that houses this data, by employees, contractors and others with access to sensitive or confidential information. The National Survey on Managing the Insider Threats found that:

More than 78% of respondents reported one or more unreported insider-related security breaches within their company.
93% of respondents attributed lack of resources and 81% of respondents cited lack of accountability as two primary contributing factors to poor data security.
Respondents ranked the top three threats to data integrity as:

Missed or failed security patches on critical applications
Accidental or malicious insider misuse of sensitive or confidential data
Virus, malware, and spyware infections

89% view insider threats as serious, yet only 49% think CEOs have the same perception.

Copies of Survey on Managing the Insider Threat are available through the Ponemon Institute and through ArcSight.

Study: Compliance still a struggle for most corporations

2006-09-06T10:18:00.000-04:00

SC Magazine

Most large corporations are not sure whether they're in line with federal regulations and some are not taking adequate steps to address compliance regulations, according to a survey released this week.

Seventy-two percent of large corporations are not confident that they are complying with applicable regulations, according to a survey released by ControlPath.

Compliance is also affecting corporate bottom lines, according to the poll. When asked the most challenging aspect of compliance, the cost of managing governance was chosen by 51 percent of respondents.

The survey polled 132 senior executives earlier this month.

The vast majority of corporations are under numerous federal regulations, with about 70 percent of all respondents using a compartmentalized compliance strategy, according to the survey.

According to the survey's findings, many corporations may be unaware of technological advantages for compliance issues. Forty-five percent of respondents said they want better technology to deal with regulatory issues, but only 27 percent are using some form of compliance management tools.

Forty-eight percent of companies reached said their processes for compliance regulations were entirely automated, while 23 percent said they use manual processes.

Jim Hitela, director of product marketing for ControlPath, said today that compliance only becomes easier for corporations once they automate the process.

"Most companies are still not automated in how they (ensure compliance). They are still treating compliance as kind of individual silos," he said. "We do expect that to change. The initial shock of Sarbanes-Oxley has passed. So some that have to (comply with multiple regulations) are realizing there is some affiance to automating the process."

Dutch researchers develop anti-RFID device

2006-08-15T12:01:00.000-04:00

Elektor Electronics

Researchers in Amsterdam say they have built a device that prevents radio frequency identification tags from being read. The project supervisor, Prof. Andrew Tanenbaum of the Vrije Universiteit Amsterdam, said the goal was to protect people from a technology that is gaining wide acceptance but threatens to compromise consumer privacy. The PDA-sized device, dubbed 'RFID Guardian', beeps when a nearby RFID scanner tries to read a chip the user is carrying, for instance in his or her clothing.

According to Tanenbaum, industry has no compunctions about invading personal privacy. For instance, he said that European banks plan to put RFID tags in large-denomination banknotes. That means a robber could walk down the street with a scanner to find out how much money you are carrying and see who would make the best target.

The RFID Guardian uses a 550-MHz XScale 32-bit processor with 64 MB of RAM. The protocol stack was written in C and runs under eCos, an open-source operating system. The project team plans to refine the software and hopes to commercialise the device.

Other companies are also developing similar products. RSA Security Inc., which protects online identities and digital assets, has created an RFID blocker that is intended to prevent RFID readers from scanning personal or private tags. According to an industry watcher, the challenge for RSA was to define which tags were private and who could access them.

An industry analyst who follows RFID issues in the retail industry said these types of devices point to a need for consumer privacy, but he doubted they would find mainstream acceptance.

Security as enabler, not insurance!

2006-06-29T17:49:00.000-04:00

IT Business

When it comes to implementing a security policy, Ricky Mehra, director of IT security and internal controls at Indigo, said businesses have to align IT with corporate objectives.

“Don’t evangelize security as insurance,” said Mehra, who was one of five panelists at a Microsoft-sponsored roundtable Thursday. “Try to show an environment in security as a strategic enabler.”

Likewise, Pat Kewin, director of Trend Micro, said businesses need to think about aligning security requirements with business goals.

“Until that happens, organizations will have trouble getting funding,” said Kewin.

Steve Lloyd, chief security advisor at Microsoft Canada, said security needs to be thought of as part of doing your day to day business.

“Stop looking for ROI,” said Lloyd. “Security should be a part of your business plan . . . As soon as you start losing account numbers and passwords, you lose your customer’s trust.”

RFID in Ontario - New Guidelines

2006-06-20T05:49:00.000-04:00

IT Business

The Information and Privacy Commissioner of Ontario Monday introduced RFID guidelines(PDF) to separate fact from fiction and prepare consumers for the day when they may have to deal with the technology on a daily basis.

Ann Cavoukian’s five-page report calls for businesses that are considering the use of radio frequency identification (RFID) technology to take several factors into account. Among them are:

An individual at the company should be appointed to ensure that privacy measures are in place
Companies must seek consent from individuals before collecting personal information via RFID technology
Collection should be limited to the minimum amount of information necessary
Employees that may have access to the personal information be trained in its appropriate use
Safeguards should be put in place to prevent the loss or theft of information that is stored on an RFID tag

The Guidelines are based on three overarching principles, including:

Focus on RFID information systems, not technologies: The problem does not lie with RFID technologies themselves, but rather, the way in which they are deployed that can have privacy implications. The Guidelines should be applied to RFID information systems as a whole, rather than to any single technology component or function;
Build in privacy and security from the outset – at the design stage: Just as privacy concerns must be identified in a broad and systemic manner, so, too, must the technological solutions be addressed systemically. A thorough privacy impact assessment is critical. Users of RFID technologies and information systems should address the privacy and security issues early in the design stages, with a particular emphasis on data minimization. This means that wherever possible, efforts should be made to minimize the identifiability, observability and linkability of RFID data; and
Maximize individual participation and consent : Use of RFID information systems should be as open and transparent as possible, and afford individuals with as much opportunity as possible to participate and make informed decisions.

RFID Journal
Spy Chips
The Magic of RFID

Connecting the Corporate Dots: Social Networks Reveal How Employees and Companies Operate

2006-06-15T06:04:00.000-04:00

Knowledge@Wharton

What do Wharton faculty members and the workers who spy for the National Security Agency have in common? More than you might think. The Wharton scholars aren't analyzing links among billions of telephone calls to identify terrorists, a controversial NSA activity that caused a stir after it was disclosed recently in news reports. But they, too, are interested in mapping social networks.

Social networking is a hot topic. Ordinary Internet users take advantage of networks when they turn to well-known websites like MySpace and Friendster to link up with other people. But more serious interest in social networks can be found among academics, consultants and corporations seeking to deepen their knowledge of how companies operate; how employees and board members interact; how key employees can be identified; and how relationships can be better understood to improve productivity and the dissemination of ideas.

Technically, social network research is an offshoot of graph theory in mathematics. Graphs -- a set of dots connected by links -- are used to map relationships. At its most basic, research on social networks underscores the veracity of some of the truisms one hears all the time: 'It's a small world.' 'It's not what you know, it's who you know.' 'Birds of a feather flock together.'

[...] Mapping social networks can be useful in many ways, but Rosenkopf says there are at least two reasons why corporate interest in the subject is growing: Companies want to be able to identify key performers and get a better understanding of the nature of the interaction among employees.

[...] Network maps may also unearth what are known as "cosmopolitans" -- the employees who are most critical to information flow in the company. "The formal organizational structure [in companies] does not necessarily describe who talks to whom," says Valery Yakubovich, a University of Chicago professor who will join Wharton's management department this summer. "Even if some jobs in an organization are designed to coordinate across different functional areas, it's difficult to figure out who coordinates where in reality. So you ask people directly whom they go to for advice and who gives them the most valuable information to get things done. Then you map the whole network. Often you find that people you might not even think of as very valuable turn out to be important links in the structure of the organization."

[CLB: Fascinating article on how to best make use of these networks and mapping them. I you find social network research interesting, I recommend following through to the citations listed. Are most of the so-called discoveries really just stating the obvious? Yes. But the obvious has been easy to know in theory previously, and now we have tools to find the information in practice. And if the NSA et al can do it, so can you.]

CALEA and VoIP: Study Finds Wiretaps in Cyberspace Problematic

2006-06-14T07:24:00.000-04:00

ITAA

(PDF) A new ITAA study by Internet gurus Vint Cerf, Whit Diffie and other experts warns that extending CALEA wiretap measures to Voice over Internet Protocol communications could stall innovation and introduce major security problems.

Summary: Security Implications of Applying the Communications Assistance to Law Enforcement Act to Voice over IP

Steven Bellovin, Columbia University
Matt Blaze, University of Pennsylvania
Ernest Brickell, Intel Corporation
Clinton Brooks, NSA (retired)
Vinton Cerf, Google
Whitfield Diffie, Sun Microsystems
Susan Landau, Sun Microsystems
Jon Peterson, NeuStar
John Treichler, Applied Signal Technology

Executive Summary

For many people, Voice over Internet Protocol (VoIP) looks like a nimble way of using a computer to make phone calls. Download the software, pick an identifier and then wherever there is an Internet connection, you can make a phone call. From this perspective, it makes perfect sense that anything that can be done with a telephone, including the graceful accommodation of wiretapping, should be able to be done readily with VoIP as well.

The FCC has issued an order for all ``interconnected'' and all broadband access VoIP services to comply with Communications Assistance for Law Enforcement Act (CALEA) --- without specific regulations on what compliance would mean. The FBI has suggested that CALEA should apply to all forms of VoIP, regardless of the technology involved in the VoIP implementation.

Intercept against a VoIP call made from a fixed location with a fixed IP address directly to a big internet provider's access router is equivalent to wiretapping a normal phone call, and classical PSTN-style CALEA concepts can be applied directly. In fact, these intercept capabilities can be
exactly the same in the VoIP case if the ISP properly secures its infrastructure and wiretap control process as the PSTN's central offices are assumed to do.

However, the network architectures of the Internet and the Public Switched Telephone Network (PSTN) are substantially different, and these differences lead to security risks in applying the CALEA to VoIP. VoIP, like most Internet communications, are communications for a mobile environment. The feasibility of applying CALEA to more decentralized VoIP services is
quite problematic. Neither the manageability of such a wiretapping regime nor whether it can be made secure against subversion seem clear. The real danger is that a CALEA-type regimen is likely to introduce serious vulnerabilities through its ``architected security breach.''

Potential problems include the difficulty of determining where the traffic is coming from (the VoIP provider enables the connection but may not provide the services for the actual conversation), the difficulty of ensuring safe transport of the signals to the law-enforcement facility, the risk of introducing new vulnerabilities into Internet communications, and the difficulty of ensuring proper minimization. VOIP implementations vary substantially across the Internet making it impossible to implement CALEA uniformly. Mobility and the ease of creating new identities on the Internet exacerbate the problem.

Building a comprehensive VoIP intercept capability into the Internet appears to require the cooperation of a very large portion of the routing infrastructure, and the fact that packets are carrying voice is largely irrelevant. Indeed, most of the provisions of the wiretap law do not distinguish among different types of electronic communications. Currently the FBI is focused on applying CALEA's design mandates to VoIP, but there is nothing in wiretapping law that would argue against the extension of intercept design mandates to all types of Internet communications. Indeed, the changes necessary to meet CALEA requirements for VoIP would likely have to be implemented in a way that covered all forms of Internet communication.

In order to extend authorized interception much beyond the easy scenario, it is necessary either to eliminate the flexibility that Internet communications allow, or else introduce serious security risks to domestic VoIP implementations. The former would have significant negative effects on U.S. ability to innovate, while the latter is simply dangerous. The current FBI and FCC direction on CALEA applied to VoIP carries great risks.

Linking: Privacy as Contextual Integrity

2006-06-13T07:01:00.000-04:00

Schneier on Security

Interesting law review article (PDF) by Helen Nissenbaum:

Abstract: The practices of public surveillance, which include the monitoring of individuals in public through a variety of media (e.g., video, data, online), are among the least understood and controversial challenges to privacy in an age of information technologies. The fragmentary nature of privacy policy in the United States reflects not only the oppositional pulls of diverse vested interests, but also the ambivalence of unsettled intuitions on mundane phenomena such as shopper cards, closed-circuit television, and biometrics. This Article, which extends earlier work on the problem of privacy in public, explains why some of the prominent theoretical approaches to privacy, which were developed over time to meet traditional privacy challenges, yield unsatisfactory conclusions in the case of public surveillance. It posits a new construct, 'contextual integrity' as an alternative benchmark for privacy, to capture the nature of challenges posed by information technologies. Contextual integrity ties adequate protection for privacy to norms of specific contexts, demanding that information gathering and dissemination be appropriate to that context and obey the governing norms of distribution within it. Building on the idea of 'spheres of justice' developed by political philosopher Michael Walzer, this Article argues that public surveillance violates a right to privacy because it violates contextual integrity; as such, it constitutes injustice and even tyranny.

The Myths Of Information Security Reporting

2006-06-07T22:26:00.000-04:00

CSO Analyst Reports
By Khalid Kark with Laurie M. Orlov and Samuel Bright

The two most common complaints that security managers relate are: 1) They don’t have senior management support, and 2) it’s tough to quantify the costs and benefits of security. Security managers lack senior management support because they are not able to quantify their program’s benefits in a language that management understands. The result? A disconnect between the security managers and senior executives within the organization. Security managers today must not only manage and measure the information security program, but they must also translate those measurements into meaningful reports for senior executives. The number of spam messages stopped at the email gateway means nothing unless that metric can relay the resulting increase in the amount of productive hours for employees.

Myth No. 1: Executives only care about their own firm’s security.
Myth No. 2: Stories and anecdotes waste executives’ time.
Myth No. 3: Executives always want to see numeric evidence.
Myth No. 4: Executives hate auditors.
Myth No. 5: Executives always want ROI.

KEY CONSIDERATIONS FOR REPORTING TO MANAGEMENT

To provide meaningful reports that top executives can understand and use, successful information security managers underscored that it is critical to:

Align with corporate goals. Security managers must be able to map their reporting to corporate goals and objectives, making it easy for the executives to grasp the context of the reports and see their value. For example, if the corporate goal is to increase profitability, then linking the increase in system availability to the need for better protection against denial of service will make sense to top executives.

Communicate in their language. Senior executives do not care about the number of vulnerabilities you have patched or the amount of spam you have blocked. They want to know how these actions affect their organizations or business. So instead of reporting status, report on the business impact of these measures, and instead of providing operational metrics, give business-centric metrics.

Report residual risk. Information security is primarily a business problem, not a technology one. When an organization goes through an assessment and identifies risks, management has the choice of mitigating, transferring, or accepting the risks. It is then the responsibility of the security management to ensure that top execs are periodically made aware of the residual risks — i.e., those that have not been completely mitigated and those that have been accepted as tolerable.

Highlight significant trends and events. Management reporting must also include significant events and trends in the information security industry to help senior leaders make strategic security decisions. For example, management must be made aware of the proliferation of mobile devices in the enterprise and the risks that they pose. Any significant events, such as the security breaches in your industry, may also be helpful in crystallizing the security risks for management. The trends and news don’t always have to be negative: A new technology, product, or service that may have significant impact on the security industry may also be of interest.

Read the complete article: CSO Analyst Reports

Cast no shadows

2006-05-26T07:59:00.000-04:00

Economist.com
How to weave a cloak that makes you invisible

IN NORSE mythology, a magic cloak granted invisibility to Sigurd, a demi-god and skilled warrior with superhuman strength. Millennia later, a similar garment bestowed invisibility on Harry Potter, a schoolboy wizard. In the mortal (or Muggle) realm, engineers have for years tried with varying degrees of success to build such a device. This week a team of physicists and materials scientists announced it had devised a pattern for a potentially perfect invisibility cloak.

Light is an electromagnetic wave, with a longer wavelength than X-rays and ultraviolet, and a shorter wavelength than infra-red, microwaves and radio waves. All these electromagnetic waves are governed by four mathematical expressions established almost 150 years ago by James Clerk Maxwell. These equations represent one of the most elegant and concise ways to state the behaviour of electric and magnetic fields and how they interact with matter. However, because they are so concise, they also embody a high level of mathematical sophistication.

The team—Sir John Pendry of Imperial College London with David Schurig and David Smith of Duke University in North Carolina—used the equations to devise a way to cloak an object with a material that would deflect the rays that would have struck it, guide them around it and return them to their original trajectory. Maxwell's equations conserve certain properties—the magnetic field intensity, the electric displacement field and the Poynting vector that describes the electric flux of an electromagnetic field. These properties remain the same when others are altered. The team showed how these fields could be manipulated to flow around objects like a fluid, returning undisturbed to their original paths. The findings were published online this week by Science.

Light wave basics:

Light can be emitted, absorbed, transmitted or reflected by matter. Metamatter alters the shall we say 'traditional' ray paths!

'Fly-by-wireless' plane takes to the air

2006-05-18T12:07:00.000-04:00

New Scientist Tech

A plane with no wires or mechanical connections between its engine, navigation system and onboard computers – only a wireless network – has been built and flown by engineers in Portugal.

The 3-metre-long uncrewed plane 'AIVA' relies entirely upon a Bluetooth wireless network to relay messages back and forth between critical systems – a technique dubbed 'fly-by-wireless'.

Tests flights carried out in Portugal have shown that the system works well. Cristina Santos, at Minho University in Portugal, who developed the plane, says the aim is primarily to reduce weight and power requirements. 'Also, if you do not have the cables then the system is much more flexible to changes,' she says.

Many modern planes already use electronic wires, instead of the mechanical links and cables found in older planes, to connect components. This is a lighter and more compact way to control these systems. Some planes, such as the Boeing 777 even use optical fibres, which can carry multiple signals through a single cable.

Radio jamming

Replacing wires with wireless radio links is a logical next step says Peter Mellor from the Centre for Software Reliability at City University in London, UK, who was not involved with the project. But he adds that it raises completely new safety issues.

Such wireless links could be susceptible to electromagnetic interference or even jamming, Mellor suggests. And it could be more difficult to build in back-up wireless connections, he says. "If you jam one link you would jam both," he warns.

But Santos and colleagues are working on this. She says Bluetooth is already fairly resistant to disruption as it is designed to guarantee a certain minimum data stream will always get through. "It has mechanisms for dealing with interference," she says.

In-car radio

Even so, Santos says the system would need extensive testing before she would be willing to ride in a fly-by-wireless plane. She also admits that stringent aviation regulations may mean the technology first appears in cars rather than planes.

"Cables are already a problem in cars," Santos says, because many manufacturers cram ever more electronic gadgetry into each new model.

She admits the idea of having no physical connections may seem scary at first but believes ultimately it will become an accepted way to control brakes and even steering mechanisms in road vehicles.

The findings were presented on Tuesday at the International Conference of Robotics and Autonomous Systems in Florida, US.

[CLB: Here we go. I've been watching the auto industry for signs of serious comittment to drive-by-wirelessm and to the lack or presence of a security strategy.]

Web Links

Cristina Santos

Peter Mellor, City University

International Conference of Robotics and Autonomous Systems

While searching for a picture of the AIVA unscuessfully, I came across this Swiss flying bot:

Swiss researchers have demonstrated a flying bot with an 31-inch wingspan and a weight of just 1 ounce, that can fly indoors, avoiding walls and other objects via its onboard cameras. The robot plane has gyroscopic stabilizers and a Bluetooth transmitter to send data back to a nearby computer.

One phish, two phish - Harvard / UCBerkeley results

2006-05-01T07:23:00.000-04:00

Security Watch: CNET reviews

Researchers at Harvard and the University of California at Berkeley found that the best fraudulent sites could still fool more than 90 percent of the survey's highly educated participants.
[Read more of this fabulous review]

Why Phishing Works

[(PDF) Excerpt of and from the paper's introduction]

INTRODUCTION

What makes a web site credible? This question has been addressed extensively by researchers in computer-human interaction. This paper examines a twist on this question: what makes a bogus website credible? In the last two years, Internet users have seen the rapid expansion of a scourge on the Internet: phishing, the practice of directing users to fraudulent web sites. This question raises fascinating questions for user interface designers, because both phishers and anti-phishers do battle in user interface space. Successful phishers must not only present a highcredibility web presence to their victims; they must create a presence that is so impressive that it causes the victim to fail to recognize security measures installed in web browsers.

Data suggest that some phishing attacks have convinced up to 5% of their recipients to provide sensitive information to spoofed websites [21]. About two million users gave information to spoofed websites resulting in direct losses of $1.2 billion for U.S. banks and card issuers in 2003 [20]. [Over 16,000 unique phishing attack websites were reported to the Anti-Phishing Working Group in November 2005 [2].]

If we hope to design web browsers, websites, and other tools to shield users from such attacks, we need to understand which attack strategies are successful, and what proportion of users they fool. However, the literature is sparse on this topic.

This paper addresses the question of why phishing works. We analyzed a set of phishing attacks and developed a set of hypotheses about how users are deceived. We tested these hypotheses in a usability study: we showed 22 participants 20 web sites and asked them to determine which ones were fraudulent, and why. Our key findings are:
• Good phishing websites fooled 90% of participants.
• Existing anti-phishing browsing cues are ineffective. 23% of participants in our study did not look at the address bar, status bar, or the security indicators.
• On average, our participant group made mistakes on our test set 40% of the time.
[Read the paper]

Security Starter Kit - Protection First

2006-04-25T13:44:00.000-04:00

Download.com

by Jason Parker (4/27/06)

Viruses, spyware, and hackers--oh my! These days, it seems as soon as we connect our computers to the Internet, a whole gang of bad guys is waiting to infiltrate our systems and steal our personal information. To help you set up your computer with a basic security system, we've put together some must-have programs that will act like a fortified castle for your PC.

Whether you have a new machine or simply want to bolster the security on your old one, take a look at our list of safety categories to see which areas you have covered. If there are holes in your defense, download one of our suggestions or look at our software library in your particular area of need. If you have security suggestions for Download.com users, please add them to our Security Discussions.

One thing to always remember is that while these free or cheap programs are all high quality, no system is 100 percent safe. That caveat aside, these programs will lower the chances of an attack considerably. Also, ignoring any of these security categories can be extremely dangerous to your data and personal information.
[Read further to establish good security as soon as you contect to the Internet.]

RFID DOS attacks

2006-04-14T09:33:00.000-04:00

SCISSEC - Security Research Group

RFID Vulnerabilities Uncovered in new UHF tags - Update
The research efforts of the SCISSEC group have uncovered, documented and tested a range of attacks on the newer UHF RFID tags.
Vulnerabilities in the newer UHF style of RFID tags have been found and are of concern for anyone trying to implement a RFID system that would have mission critical or human life issues involved in it.

[read more]

[research more]

McAfee Threat Center

2006-04-12T06:08:00.000-04:00

McAfee Threat Center

AVERT® Labs helps you maintain the highest possible level of security. 100 researchers in 14 countries continuously monitor the latest threats and provide remediation, so that you can stay ahead of the latest threats and respond quickly to emergencies.

The threat dashboard list the latest:

Top Malware

Current Vulnerabilities

Top Potentially Unwanted Programs

Latest Spam Activity

Top Phish Scams

Live Hacker Activity Map

Global Threat Condition (sample to the right)

Top 10 Spam Subject Lines:

Emergency and Information Service

2006-04-05T08:08:00.000-04:00

RSOE HAVARIA

Disaster events in the last 24 hours on a real time world map. I.e. Major accidents: (Plains, Trains & Ferries etc), Disease Outbreaks (Bird flu & Cholera etc), Earthquakes WX events and related evacuations.

Corporate Reputation: Connecting Fantasies with Reality

2006-04-05T07:48:00.000-04:00

Ipsos

How can corporations increase the concordance between their projected image and the real one, thus strengthening the corporation’s credibility at a time when brands suffer from a legitimacy crisis? Ipsos measures corporations’ reputation and image among their stakeholders: shareholders, consumer-clients,media, and employees.

Download the complete issue in English, French or Spanish

ISM3

2006-04-03T07:36:00.000-04:00

ISM3, a standard for advanced information security management

The Information Security Management Maturity Model (ISM3, or ISM-cubed) offers a practical and efficient approach for specifying, implementing and evaluating process-oriented information security management (ISM) systems.

ISM3 aims to:

Enable the creation of ISM systems that are fully aligned with the business mission.
Be applicable to any organization regardless of size, context and resources.
Enable organisations to prioritize and optimize their investment in information security.
Enable continuous improvement of ISM systems.
Support the outsourcing of security processes.

ISM3 is compatible with the implementation and use of ITIL, ISO9001, Cobit and ISO27001. This compatibility protects the existing investment in ISM systems when they are enhanced using ISM3. ISM3 based ISM systems are themselves accreditable, giving organisations an objective means of measuring and advertising their progress with information security management.

The management discipline and internal control framework required by ISM3 assists compliance with corporate governance law.

The significant features of ISM3 are

“What you can't measure, you can't manage, and what you can't manage, you can't improve” - ISM3 v1.20 makes information security a “measurable” process by using metrics for every process, making it probably the first information security standard to do so. This allows for a continuous improvement of the processes, as there are criterion to measure the efficiency and performance of the informations security management system.
Maturity Levels
With this standard it is possible to create ISMS (Information Security Management Systems) for small and big organizations. ISM3 has 5 maturity levels, each level tailored to the security objectives of the organization and available resources. This makes it a standard for small organizations to behemoths.
Process Based
ISM3 v1.20 is process based, which makes it specially attractive for organizations familiar with ISO9001 or those that use ITIL for as the IT management model. Using ISM3 fosters the collaboration between information security clients and providers, as the outsourcing of security processes is enable by explicit mechanisms for outsourcing.
Adopts best practices
ISM3 implementation enjoys of advantages like the extensive reference to established standards for every process, and the explicit distribution of responsibilities in the organization between leaders, managers and technical personnel using the concept of “Strategic, Tactical and Operational Management” for Information Security.
Accreditation
ISMS based in ISM3 are Accreditable under ISO9001 or ISO27001 schemes, which means that you can use ISM3 to implement an ISO 27001 based ISMS. This will be attractive as well to organizations that are already quality certified and have experience and infrastructure for ISO9001.
Business Friendly
A key advantage of using ISM3 for ISMS is that Senior Managers and Stake Holders are able to clearly see Information Security as a business investment and measure ROSI ( Return on Security Investment).

The Next Sustainability Wave

2006-03-26T07:20:00.000-05:00

ACM Ubiquity

book excerpt from and by Bob Willard

In The Next Sustainability Wave: Building Boardroom Buy-in (New Society Publishers, 2005), I explore why the idea of sustainability has been embraced enthusiastically by some businesses and rejected by others. The first wave of corporate converts to sustainability was driven by a PR crisis, regulatory pressures, or the founder's personal passion. The next wave, however, requires different drivers if it is to build a critical mass for corporate responsibility in the business community. I focus on two emerging drivers that promise to spur corporate commitment to sustainability strategies:

a compelling quantification of potential business opportunities, and

a 'perfect storm' of threatening market force risks on the horizon that range from climate change to the rising demands of stakeholders.

An effective carrot-and-stick duo, these two drivers are both triggering the need for change and providing a vision of business success if the transition to sustainable operations, products, and services is smartly managed. Emphasizing the importance of how sustainability is presented to corporate leaders & using the right language, and avoiding threats to the status quo that provoke habitual corporate defense mechanisms — the book applies effective selling techniques to reposition sustainability strategies as a means to achieving existing corporate ends, rather than as a separate priority to worry about. It sells sustainability as a solution, a business strategy, and a catalyst for business transformation.

The following excerpts position the drivers against the stages that companies go through on their sustainability journeys.

Bob Willard, Author

Regulatory Pressure
PR Crisis

———›

Regulatory Threat
Business Case
———›

"Perfect Storm"
Business Value
———›

Passionate CEO

———›

Stage 1: Pre-Compliance

Stage 2: Compliance

Stage 3: Beyond Compliance

Stage 4: Integrated Strategy

Stage 5: Purpose & Passion

CIRA withdraws from ICANN

2006-03-24T13:20:00.000-05:00

CIRA.ca
Open letter to the Internet Corporation for Assigned Names and Numbers (ICANN) from the Canadian Internet Registration Authority (CIRA)

CIRA is a respected and influential player in global Internet governance. This has been especially true when it comes to ICANN, where CIRA's involvement has included: participating actively in events leading to the creation of ICANN; helping create the Country Code Names Supporting Organization (ccNSO); chairing the ccNSO working group on IANA; voluntarily contributing funds to ICANN; hosting the ICANN Montreal meeting; supporting the ICANN Vancouver meeting in many ways including being its main sponsor; and generally promoting the value and benefits of ICANN to the world community.

CIRA remains committed to global Internet governance. Notwithstanding this commitment, CIRA, including its Board of Directors, has grown increasingly concerned with ICANN's departure from a number of its core values. The process by which ICANN renewed its dot-com agreement with VeriSign is illustrative of this departure.

It is in this context that CIRA, wishing to see ICANN succeed, and expecting ICANN to follow accountable, transparent and fair processes, makes the following recommendations to the ICANN Board: [read further]

VeriSign details massive denial-of-service attacks - Computerworld

2006-03-16T18:55:00.000-05:00

Computerworld

A sudden increase in a particularly dangerous type of distributed denial-of-service (DDoS) attack could portend big trouble for companies, according to VeriSign Inc.

The Mountain View, Calif.-based company said that about 1,500 organizations worldwide were attacked earlier this year by unknown hackers who employed botnets and Domain Name System (DNS) servers to swamp networks with unmanageable torrents of data.

The attacks, which started on Jan. 3 and ended in mid-February, were notable because they employed an especially devastating kind of DDoS attack, said Ken Silva, VeriSign's chief security officer.

Such an attack typically involves thousands of compromised zombie systems sending torrents of useless data or requests for data to targeted servers or networks -- rendering them inaccessible for legitimate use.

In this case, attackers sent spoofed domain-name requests from botnets to DNS servers, which processed the requests and then sent replies to the spoofed victims, according to Silva.

“When the number of requests is in the thousands, the attacker could potentially generate a multigigabit flood of DNS replies” directed at the spoofed server, according to a description of such attacks on US-CERT Web site (download PDF).

“This is known as an amplifier attack because this method takes advantage of misconfigured DNS servers to reflect the attack onto a target, while amplifying the volume of packets,” the CERT description said.

Unlike typical DDoS attacks, the volume of data generated by amplifer attacks is greater by several orders of magnitude, Silva said. Though this type of attack is not especially new, the latest wave demonstrates how good hackers are getting at launching them, he said.

“It really demonstrates how much horsepower these people have developed and how efficient they are at developing it,” he said.

PC Pro: News: McAfee falls foul of faulty virus detection update

2006-03-14T07:23:00.000-05:00

PC Pro

Security firm McAfee has a great deal of egg on its face after it inadvertently released a new set of virus signature files that falsely identified dozens of ordinary programs as malware. The company now has to face complaints from angry users who may have deleted their files.

The problem started last Friday when the company released the 4715 DATs which contained an incorrect identification for the W95/CTX virus. As a result, a long list of ordinary files, including Microsoft's Excel, the Google Toolbar installer, Java and the Macromedia Flash Player, were marked as hostile and users were prompted to either quarantine or delete them.

[...]

[CLB: This is a great example of how friendly intervention software can go astray. There are arguments that we should release friendly counter-virii onto the net to protect, prevent, and repair. But even with good intention and design, mistakes can occur, as the above illustrates.]

Worm targets Macs via Bluetooth

2006-02-21T18:29:00.000-05:00

CNN.com

A new computer worm targeting Apple Computer Inc.'s Macintosh computers has been identified for the second time in one week, security experts said.

The new worm, called OSX.Inqtana.A, spreads through a vulnerability in Apple's OS X operating system via Bluetooth wireless connections, antivirus company Symantec said.

'We have speculated that attackers would turn their attention to other platforms, and two back-to-back examples of malicious code targeting Macintosh OS X ... illustrate this emerging trend,' said Vincent Weafer, senior director at Symantec Security Response.

The latest virus follows OSX/Leap-A, which was identified last week and believed to be the first such virus targeting the Mac platform.

That worm attempts to spread via Apple's iChat instant messaging program, which is compatible with America Online's popular AIM instant messaging program. (Full story)

Symantec said the latest worm attempts to use Bluetooth connections to spread by searching for other Bluetooth-using devices that will accept requests for a connection when the computer is restarted.

Bluetooth is a wireless technology used to transmit data among devices at short distances.

The worm spreads via a vulnerability in the OS X operating system called the Apple Mac OS X BlueTooth Directory Traversal Vulnerability.

If a Bluetooth connection is made, the worm attempts to send itself to those remote computers. However, the worm itself does not appear to pose an immediate threat.

"While this particular worm is not fully functional, the source code could be easily modified by a future attacker to do damage," Weafer said, adding that Mac users should install available software patches to their operating systems to prevent such attacks.

The latest worm was identified Friday. Both worms are ranked a Level 1 threat on a scale of 1 to 5, with 5 being the most severe, Symantec said.

Notes on DriveBlue

DriveBlue+ Bluetooth Hands-Free Car Kit -
Bluetooth allows electronic devices to "talk" to each other without wires, and DriveBlue+ is an inexpensive way to make any car a hands-free Bluetooth environment.

It plugs into a car's cigarette lighter and detects any Bluetooth-enabled phone within 33 feet, establishing a voice-activated wireless connection. Simply tell the phone to turn on and which number to call and DriveBlue+ does the rest, even if the phone is hidden away in a briefcase. An integrated speaker with background noise and echo cancellation technology allows the driver to concentrate on driving and keeps the person on the other end from being inundated with speaker phone static. DriveBlue+ is available now at most major cell phone accessory stores for about $100.

[CLB: I realize this means drive with both hands while using your bluetooth enabled cell hands free. But take a little step with me. Couldn't related technology allow the steering wheel to remotely control the car's steering? Hand the wheel to your backseat driver, literally.]

U.S. concludes 'Cyber Storm' mock attacks

2006-02-14T09:51:00.000-05:00

The [US] government concluded its 'Cyber Storm' wargame Friday, its biggest-ever exercise to test how it would respond to devastating attacks over the Internet from anti-globalization activists, underground hackers and bloggers.

Bloggers?

Participants confirmed parts of the worldwide simulation challenged government officials and industry executives to respond to deliberate misinformation campaigns and activist calls by Internet bloggers, online diarists whose 'Web logs' include political rantings and musings about current events.

[CLB: And this is the number one reason why a communications strategy needs to be part of the security strategy for any organization.]

The Internet survived, even against fictional abuses against the world's computers on a scale typical for Fox's popular '24' television series. Experts depicted hackers who shut down electricity in 10 states, failures in vital systems for online banking and retail sales, infected discs mistakenly distributed by commercial software companies and critical flaws discovered in core Internet technology.

[...]

Celebrity CEOs vs. Visionary Administrator CEOs

2006-02-08T12:06:00.000-05:00

globeandmail.com, By SHAWN MCCARTHY

A year after Fiorina's exit, Hurd makes his mark at HP

Reputation: Celebrity female CEO
Leadership style: Jetsetter; bought two Gulfstream corporate jets while the company was in the midst of layoffs
Accolades: Fortune magazine's most powerful woman in business six years running.

Reputation: Boring operations guy
Leadership style: Laser-like focus on execution; announced 15,500 in job cuts at HP within months of taking over.
Accolades: Investors sold off NCR shares, sending them 12.7 per cent lower, on news he was leaving the company.

After the splashy appearances of his high-profile predecessor Carly Fiorina, Hewlett-Packard Co. chief executive officer Mark Hurd created his own buzz at last month's Consumer Electronics Show in Las Vegas -- by not showing up.

The message couldn't have been clearer.

After six years with a celebrity CEO at the helm, Hewlett-Packard is now in the hands of a no-frills executive, who focuses like a laser on executing the company's business plan in a challenging, rapidly changing technology market.

Last year, Ms. Fiorina, flanked by stars Matt Damon and Gwen Stefani, had dazzled the gadget-happy conference by pledging to plow ahead with production of a digital entertainment hub that would merge the functions of a television, personal computer, stereo and other entertainment devices.

Five weeks later, a year ago tomorrow, the HP board ousted her amid a noisy campaign from investors who were unhappy with HP's erratic earnings performance and underperforming stock.

Mr. Hurd, who came to HP 10 months ago after turning around NCR Corp., is already winning kudos from Wall Street, in spite of some nagging concerns about the growth trajectory that he has outlined for the company.

He has not ushered in a startling new strategic vision, or spun off the personal computer division as some analysts had urged. But he has provided a sense of operational competence that critics -- and ultimately the board -- felt was missing in Ms. Fiorina.

'Carly knew where she was going; she didn't know how to get there,' said Rob Enderle, an industry analyst and consultant.

"Because they now have an executive that knows where he is going and how to get there, morale is up; HP is better able to execute, and the analysts are much more comfortable because it doesn't sound like somebody is trying to pull the wool over their eyes."

Critics argue that Ms. Fiorina had fumbled the $25-billion (U.S.) acquisition of Compaq Computer Corp. by failing to manage the integration of the two giants.

In his first year on the job, Mr. Hurd has launched a restructuring program that will eliminate 15,300 jobs and shave $2-billion in costs by 2007, reorganized the operating divisions to give more authority and responsibility to managers, and begun the mammoth task of retooling HP's own information technology to drive down costs, improve its functioning and make it a showcase for HP products and services.

He has also cancelled some of the higher-profile, lower-return ventures approved by Ms. Fiorina, including a digital entertainment hub that she unveiled at last year's Consumer Electronic Show and a project to marry HP technology with Apple Computer Inc.'s wildly successful iPod.

[...] [CLB: Now let's see if a visionary administrator can produce more reliable, less flashy results.]

Will Google help navigate your Jetta?

2006-02-06T09:55:00.000-05:00

CNET News.com

The American unit of Germany's Volkswagen said on Friday that it is working on a prototype vehicle that features Google's satellite-mapping software to give drivers a bird's-eye view of the road ahead.

The two companies are working with graphics chipmaker Nvidia to build an in-car navigation system and a three-dimensional display so passengers can recognize where they are in relation to the surrounding topography.

Volkswagen of America, working through its Electronics Research Laboratory in Palo Alto, Calif., is working on other advancements, including automatic personalized information updates for the navigation systems.

The car manufacturer showed off the prototype car at the Consumer Electronics Show in Las Vegas in January.

A spokesman for the automaker said there were no definite plans to use the technology inside cars. But the collaboration between the automaker and Google shows the progress the Web search leader is making in expanding beyond the computer realm.

Google introduced Google Earth last June as a free satellite imagery-based mapping product based on technology from Keyhole, a company Google bought in October 2004.

[CLB: A hackable system isn't being used for actually controlling the car, but thta is only a step away. Still, hacking a driver's driving instructions could lead to problems. How do we ensure the data sent from a pblically accessible system is reliable?]

RFID-tagged driverless cars on roads

2006-01-30T10:39:00.000-05:00

silicon.com

[...]The Foresight report said: 'In the longer term, artificial control systems, with control algorithms tuned over millions of hours of simulated and real driving, will have the advantage over humans. Eventually we may come to prefer automated rather than human control.'

RFID tags, sensors, GPS technology, 4G networks, wi-fi and artificial intelligence will be embedded into vehicles and the transport network to create an 'intelligent infrastructure', according to the report. This would inevitably be central to the government's already announced road-user charging strategy.

The report said: 'Vehicles will incorporate hundreds of network nodes to manage fuel efficiency, security, passenger monitoring and passenger comfort, as well as inter-vehicle distances and optimal vehicle speeds.'

FTC imposes $10M fine against ChoicePoint for data breach

2006-01-26T12:48:00.000-05:00

Computerworld

The U.S. Federal Trade Commission (FTC) has imposed a $10 million civil penalty against data aggregator ChoicePoint Inc. for a massive data security breach that resulted in the compromise of nearly 140,000 consumer records last year (see 'ChoicePoint to tighten data access after ID theft').

In addition to the penalty, which FTC Chairman Deborah Platt Majoras described as the largest ever levied by the agency, ChoicePoint has been asked to set up a $5 million trust fund for individuals who might have become victims of identity theft as a result of the breach.

As part of its agreement with the FTC, Alpharetta, Ga.-based ChoicePoint will also have to submit to comprehensive security audits every two years for the next 20 years.

[...]

Link to Privacy at ChoicePoint.

Carolyn Burke BioDoc Podcast

2006-01-16T11:38:00.000-05:00

Anything But Ordinary, by Michael McCleary

Episode 108

Implants turn humans into cyborgs

2006-01-16T11:27:00.000-05:00

Vancouver Sun

[...]

Graafstra's experiments piqued the interest of geeks around the world and he estimates there are perhaps more than 20 people who have implanted the RFID tags. There's even an online group, the 'Tagged' RFID implant forum, where members share their implant stories and photos and vigorously debate the merits and risks of putting computer chips under their skin.

While the ogre of Big Brother, (or George Bush as some forum participants fret) looms large in the debates, the RFID experts say users have little to worry about, since the technology transmits no more than a few inches. And Graafstra said his implant has encryption so even if someone were two inches away with a reader, they would learn little.

'There aren't a lot of people doing implants, because there aren't a lot of doctors willing to do the implants,' said Dan Henne, vice-president of Calgary's Phidgets Inc. 'And there is always the unfounded fear that somehow government is going to use this to track people.

'But the technology has its limitations. If you had an entire research group you might be able to read a person's tag a couple of metres away. It takes an awful lot of science to do that.

'I'm sure the CIA would love it but it won't work.'

Aside from the Big Brother and privacy concerns, Dr. Morris VanAndel, registrar of the British Columbia College of Physicians and Surgeons said there are no ethical considerations that would prevent a doctor from implanting the chips.

So if your boss tells your doctor to implant your company pass card info into your arm, the answer would be no. But if you're tired of being locked out of the house, or your gym club is threatening to bar you if you forget your pass one more time, an implant could be the answer.

[...]

[CLB: Makes me wonder what form of security model protects both access and information on these implants.]

Stem cell experts seek rabbit-human cell hybrid

2006-01-15T08:34:00.000-05:00

The Guardian

[...]

To make a hybrid embryo, a human skin cell would be taken from a person with motor neurone disease and injected into a hollowed-out rabbit egg. The resulting embryo would contain only a tiny amount of rabbit DNA in a microscopic structure that generates energy in the cell. The rest of the DNA would be human. If the experiment is successful, within a week, the egg will have divided to form a tiny ball of a 200 or so cells, from which stem cells could be extracted.

The embryos could not legally be implanted into a woman's womb and the stem cells would not be safe to implant because they would be rejected by the immune system. 'They will never grow beyond the 200 cell stage and they will have no human features,' said Prof Shaw.

The proposal exposes a grey area in British regulation, however, as officials at the HFEA admitted it was questionable whether the resulting embryo was human. 'That's the question and it's for the government, the HFEA and lawyers to work out,' said Prof Shaw.

Josephine Quintavalle of the lobby group Comment on Reproductive Ethics said: 'There is a lot of innate wisdom in the yuk factor, or repugnance as it is also known. My question is: what will they actually create? It is simplistic or deliberately deceptive to say they are simply making stem cells. In order to obtain stem cells they surely have to go through the blastocyst stage; they have to create a 'something' from which to derive the new cells. What is this something? It must be human to be of any use to researchers.'

Professor Sir John Gurdon, a Cambridge University researcher, already uses similar technology to investigate how eggs appear to be capable of converting adult cells into stem cells that can potentially grow into any tissue in the body. His experiments have so far focused on injecting DNA from human cells into frog eggs.

He said: "I don't see there's any ethical problem with what they are proposing. I don't see it as a human embryo, but it all comes back to the question of when you think life begins. Scientifically, though, I'm not persuaded it will work. If you put cells from one species into the egg of another, the egg may divide, but you could get a lot of genetic abnormality that won't lead to good quality stem cells."

Math Will Rock Your World

2006-01-15T08:30:00.000-05:00

BusinessWeek Online

A generation ago, quants turned finance upside down. Now they're mapping out ad campaigns and building new businesses from mountains of personal data.

[CLB: Interesting editorial on the new elite - mathematicians.]

Phishing and Crimeware Map

2005-12-20T08:59:00.000-05:00

Anti-Phishing Working Group Phishing and eCrime Newswire

The Phishing and Crimeware map displays the most recent data collected by Websense Security Labs (WS Labs) and provides a historical look into where Phishing and Crimeware related websites are hosted on the Internet. Upon discovery, each site is looked up via its IP Address to track the country of origin through the appropriate IP registrars and plotted on the map. The data is updated approximately 15 minutes after discovery.

Click here to view the live MAP.

Word of the Year

2005-12-16T13:46:00.000-05:00

Merriam-Webster Online

Merriam-Webster's Words of the Year 2005

Based on your online lookups, the #1 Word of the Year for 2005 was:

1. integrity

Pronunciation: in-'te-gr&-tE

Function: noun

Etymology: Middle English integrite, from Middle French & Latin; Middle French integrite from Latin integritat-, integritas, from integr-, integer entire

1 : firm adherence to a code of especially moral or artistic values : INCORRUPTIBILITY

2 : an unimpaired condition : SOUNDNESS

3 : the quality or state of being complete or undivided : COMPLETENESS

synonym see HONESTY

Reputation Is the Last Defense

2005-12-16T13:36:00.000-05:00

SmartPros

At some point every organization will face an incident that could unravel into a public ethics scandal or become the grounds for regulatory investigation or prosecution. While organizations strive to prevent such issues, the key to maintaining the integrity of the company is in how the issue is handled, and to some extent, what level of response is generated by internal and external stakeholders.

Internal controls as well systems and processes consistent with the Federal Sentencing Guidelines will help define how to handle the issue. But companies that have spent time and energy nurturing and guarding their corporate reputation will always have an easier time managing an ethics problem. Why? They will usually be given more time and more leeway to respond to the crisis, and they will usually face more forgiving audiences, from employees to customers, to consumers and the public.

Two recent news stories highlight the challenges for companies in dealing with their reputation. Reputation Quotient recently released the results of its annual reputation ranking.

Overall the situation is not very positive. According to The Wall Street Journal, "the overall reputation of American corporations, already weak, slipped further this year. Despite corporate-governance reforms and a growing commitment to ethics and social responsibility, companies haven't redeemed themselves with the public. This year, 71% of respondents rated American businesses' reputation as "not good" or "terrible," compared with 68% in 2004.

[...]

'Integrity' Tops Web Dictionary's Lookups

2005-12-12T16:54:00.000-05:00

Yahoo

The noun, formally defined as a "firm adherence to a code" and "incorruptibility" has always been a popular one on the Springfield-based company's Web site, said Merriam-Webster president John Morse. But this year, the true meaning of integrity seemed to be of extraordinary concern. About 200,000 people sought its definition online.

[...]

[CLB: Integrity: "The use of values and principles to guide one's action in situations at hand."]

Survey: Regulatory compliance biggest driver of information security initiatives

2005-11-04T13:44:00.000-05:00

Computerworld

Regulatory compliance has emerged as the biggest driver of information security initiatives, trumping concerns such as worms and viruses for the first time, according to the results of a survey released Wednesday by Ernst & Young. [Download a copy of the Global Information Security Survey 2005. (pdf, 320kb) ]

At the same time, the survey said, IT organizations and information security groups are failing to take advantage of compliance-related concerns to rearchitect their security organizations.

"The sheer number of regulations and the consequences of not complying have brought information security into the boardroom," the report said. "Yet many organizations are missing the rare investment opportunities that compliance offers to promote information security as an integral part of their business."

In Ernst & Young's survey of 1,300 organizations worldwide, nearly two-thirds of respondents said compliance is the primary driver of information security at their businesses, followed by worms and viruses and meeting business objectives.

The results are surprising, given that 2005 has been an especially busy year for worms and viruses, said Rudy Bakalov, senior manager of security and technology solutions at Ernst & Young. "We are very happy that compliance with regulations has become such a high priority," Bakalov said. Even so, most information security organizations are continuing to focus on tactical issues rather than strategic ones, he said.

For example, nearly 90% of those implementing security measures to comply with regulations are focusing on issues such as policies, procedures training and awareness campaigns, he said. Only 41% are also reorganizing their information security function and their architectures as part of the compliance process, he said.

[...]

Culture Matters

2005-10-25T11:28:00.000-04:00

SmartPros.com

The Ethics Resource Center's recently released 2005 National Business Ethics Survey is welcome confirmation of the trends we have been seeing: if an organization wants to reduce the risk of unethical conduct, it must focus more effort on building the culture than on building a compliance infrastructure.

Based on interviews with over 3,000 employees and managers nationwide, the survey disclosed that despite the increase in the number of ethics and compliance program elements being implemented, desired outcomes, such as reduced levels of observed misconduct, have not changed since 1994. Even more striking is the revelation that while formal ethics and compliance programs have some impact, it is the organizational culture that has greater influence in determining program outcomes.

Only lagging companies still measure the success of their ethics and compliance programs only by tallying the percentage of employees that have certified reading the Code and attended ethics and compliance training. The true indicator of success is whether the company has made significant progress in achieving key program outcomes. The NBES listed several key outcomes that can be used to determine the success of a program:

Reduced misconduct observed by employees;

Reduction of pressure to engage in unethical conduct;

Increased willingness of employees to report misconduct;

Greater satisfaction with organizational response to reports of misconduct.

What's going to move these outcomes in the right direction? Not the mere presence of codes of conduct, reporting systems, and compliance training.

What the NBES uncovered is that only by influencing key elements of the culture will the organization see positive movement in program outcomes.

[Read on for more on relating Ethics-Related Actions to your compliance programme.]

Say good-bye to choice

2005-10-10T08:20:00.000-04:00

Security Watch: CNET reviews:

You know when an industry has matured; that's when companies begin purchasing one another at a rapid clip. This happened back in the 1980s when fledgling security supercompanies Symantec and McAfee went on a purchasing spree; and, it's happening again, only the players are slightly different. Within the last two years, Symantec purchased six security-related companies, Computer Associates bought six, Microsoft four, and McAfee and Trend Micro picked up two each. Some of the swallowed-up company names should be familiar: Groove, Qurb, PestPatrol, PowerQuest, and Tiny Personal Firewall. But here's the amazing thing: 11 of the 20 purchases occurred within 2005 alone. What does all this mean to you and me? Well, for one thing, less choice when it comes to security software. [..]

Here's a chart of who's who in the security space today.

(Alphabetical order)	Symantec	Computer Associates	Microsoft	McAfee	Trend Micro
@Stake (security auditing)	Bought in 2004
BrightMail (e-mail)	Bought in 2004
BindView (security)	Bought in 2005
Concord Communications (wireless, VoIP)		Bought in 2005
Foundstone (security auditing)				Bought in 2004
FrontBridge (network security)			Bought in 2005
Giant Software (antispyware)			Bought in 2004
GeCAD (antivirus)			Bought in 2003
Groove (P2P)			Bought in 2005
Intermute (antispyware)					Bought in 2005
Kelkea (IP filtering)					Bought in 2005
Netegrity (security)		Bought in 2004
PestPatrol (antispyware)		Bought 2004
PowerQuest (drive utilities)	Bought in 2003
Qurb (antispam)		Bought in 2005
Sybari (antivirus, antispam)			Bought in 2005
Sygate (firewall)	Bought in 2005
Tiny Personal FireWall (firewall)		Bought 2005
Veritas (backup)	Bought in 2004
Wireless Security Group (wireless)				Bought in 2005
Totals	Bought 6	Bought 6	Bought 4	Bought 2	Bought 2

[...]

Improvisation and Technology - A Discussion

2005-10-03T22:09:00.000-04:00

Applied Improvisation Network

Hi Tech and Improv

At the recent AIN conference, I convened an Open Space session to explore how hi tech 'things' and improv 'things' could enhance each other. Scribed and blogged here are some of the results and resource links.

Security vendors ready CVSS vulnerability scoring system

2005-10-03T08:00:00.000-04:00

Computer Business Review

The proposed new scoring system for IT security vulnerabilities known as CVSS has reached a stage that several vendors are planning ways of promoting enterprise adoption of the Common Vulnerability Scoring System. [Guide (ppt pdf)]

CVSS has said to have been tested by about 30 companies since February, and now Assuria, CERT/CC, Cisco Systems, IBM, Internet Security Systems, JPCERT/CC, netForensics, Pentest, Qualys, Sintelli, Skybox Security and Unisys have all agreed to test the system and look into applicable usage.

The CVSS system promises to transform the way in which network threats are evaluated and dealt with, in the way that the common rating system it provides should make for a framework against which enterprises can start to prioritize their patch routines and better manage risk, Ed Cooper, VP of marketing for Skybox the vendor of security risk management software said.

He explained that the system uses a scale of 1 to 10 to rate the severity of vulnerabilities. It also lets organizations input site specific information that will provide them with a risk score which is customized to their operating environment.

Different systems for scoring vulnerabilities are in use today, and these systems use different metrics. CVSS weighs various criteria in a formula that includes measures of the impact of a vulnerability on system availability, data confidentiality and integrity, as well as the potential for collateral damage.

[T]the group is working together to build on the first-generation framework that has already been developed, in order to come up with a system that is usable and accepted across the industry.

CVSS has three components and includes a baseline vulnerability severity, which is then adjusted with temporal and environmental modifiers, so that any given bug has a different score depending on the time and the enterprise's own network. As such, it provides a scoring mechanism that rates how secure a network is and stands as a basis for comparison against comparable peer network.

The new rating system is being backed by the Forum of Incident Response and Security Teams, and the body will encourage IT executives to start testing the index as one way to address the issues caused by the numerous incompatible scoring systems currently in place.

Have you got Integrity? Subscribe now!

2005-09-26T08:37:00.000-04:00

Compass, Integrity Incorporated's Online Newsletter

Educate your inbox with Compass: The Compliance Newsletter from Integrity Incorporated.

Be assured you are up on the latest legislation, summary of current issues and news stories related to security, governance and integrity. Plus:

Case studies by company and industry

Compliance questions submitted by readers and answered by our security and integrity experts

Upcoming events related to privacy and integrity

Links, cautionary tales, resources and more!

Dial-toney sunglasses over the top

2005-09-26T08:28:00.000-04:00

Toronto Star

You see someone walking down the street speaking aimlessly into mid-air, conducting what appears to be a strange, one-sided conversation with no one in particular. Not long ago, you might have assumed some kind of mental instability.

In the age of mobile communications, you now look for an earpiece with a wire snaking down to a cellphone in their pocket.

Modern technology has created the new breed of air talker -- cellphone users who converse using small earpieces and tiny microphones that let them speak and listen without ever holding a phone to their ear.

It's a peculiar form of communication that blurs the line between public and private conversation. And it's getting more peculiar all the time. [...]

With some adjustments, the bud tucks into your ear and a tiny embedded microphone in the device picks up and transmits your voice from its perch at the side of your head — all with no wires.

Wireless Bluetooth technology has advanced the evolution of the air talking phenomenon by linking devices such as phones and earpieces together invisibly using wireless communication. [...]

Experts warn that misconceptions about "grey goo" could harm the opportunities of the poor in developing countries

2005-09-20T07:33:00.000-04:00

Institute of Physics

Dr Peter Singer, Director of the University of Toronto Joint Centre for Bioethics and Dr Erin Court, the lead author of this report, argue that concerns over the legitimate risks of nanotechnology should be addressed through a new international process and not by resorting to a moratorium on research that promises vast improvement in the lives of five billion people in developing countries.

This report outlines for the first time the health, environmental and economic benefits for developing countries of nanotechnology (NT). These include:

improved detection of cancer and HIV/AIDS by tagging biological molecules with nanometer-sized markers, avoiding in the process many drawbacks associated with organic dyes conventionally used to mark cells;

improved detection of tuberculosis with quantum dot optical biosensors. Development plans for a nanotech-based diagnostic kit to reduce the cost, time and the amount of blood required for TB tests was recently announced in India;

inexpensive miniaturized medical diagnostic devices easily used in remote regions;

more controlled and targeted administration of vaccinations using nanoparticle delivery systems;

the ability to repair skeletal tissue damaged by traffic accidents, the so-called "unseen epidemic" of developing countries, using nanotech-based bone scaffolds;

better monitoring of soil and crop toxicity levels through enzyme biosensors;

improved water purification technologies;

more effective clean-up of large oil spills.

[...] The authors highlight the following concerns:

How long will nanomaterials remain in the environment?

How readily will nanomaterials bind to environmental contaminants?

Will these particles move up through the food chain and what will be their effect on humans?

How will the incorporation of artificial materials into human systems affect health, security and privacy?

Who will control the means of production and who will get to debate the risks and benefits

? What will be the effects of military and corporate control over NT?

There are also potential risk management issues specific to developing countries:

displacement of traditional markets,

the imposition of foreign values,

the fear that technological advances will be extraneous to development needs, and

the lack of resources to establish, monitor and enforce safety regulations.

Nanotechnology and Public Attitudes Public Welcomes Potential Advances; Seeks Effective Management of Possible Risks

2005-09-12T10:25:00.000-04:00

Wilson Center

Americans welcome new potential life-saving and -enhancing applications promised by nanotechnology. But at the same time, they voice concern over a lack of research into nanotechnology's potential long-term human health and environmental effects and want to ensure that the government and private sectors are equipped and willing to effectively manage any would-be risks.

These are some of the findings in a new study released today by The Project on Emerging Nanotechnologies: PDF: Informed Public Perceptions of Nanotechnology and Trust in Government. The Project on Emerging Nanotechnologies at the Woodrow Wilson International Center for Scholars was created in partnership with The Pew Charitable Trusts in April 2005.

[...] results show that the public is clearly interested in and excited about the potential of nanotechnology, which exploits the unique behavior of materials and devices when engineered at a scale of roughly between 1 and 100 nanometers (a nanometer is one billionth of a meter, or about 1/100,000 the thickness of a human hair).

But people are concerned about the lack of consumer awareness of nanotechnology and of the estimated 500-700 nanotechnology products already on the market. The public also is troubled by potential unknown human health and environmental consequences, and by possible unintended uses.

[...] “If this industry is to grow to its promise of one trillion dollars by 2015, the federal government and industry need to put as much energy into building public trust as they do into developing new nano applications,” said David Rejeski, director of the Project on Emerging Nanotechnologies. “In the end, the kinds of safety measures and disclosure the public wants make sense in terms of both long-term corporate strategy and good public policy.”

Software Bugs Threaten Toyota Hybrids

2005-08-31T08:13:00.000-04:00

Software Bugs Threaten Toyota Hybrids

[...]

Embedded software now controls some of a car's most critical operations, including engine performance, air bags, steering, anti-lock braking systems and stability control systems.

If Toyota, which consistently tops vehicle quality surveys, can't get it right, how bad is the rest of the industry?

Most scientific papers are probably wrong (and I think they should be)

2005-08-30T12:23:00.000-04:00

NewScientist.com

Most published scientific research papers are wrong, according to a new analysis. Assuming that the new paper is itself correct, problems with experimental and statistical methods mean that there is less than a 50% chance that the results of any randomly chosen scientific paper are true.

John Ioannidis, an epidemiologist at the University of Ioannina School of Medicine in Greece, says that small sample sizes, poor study design, researcher bias, and selective reporting and other problems combine to make most research findings false. But even large, well-designed studies are not always right, meaning that scientists and the public have to be wary of reported findings.

"We should accept that most research findings will be refuted. Some will be replicated and validated. The replication process is more important than the first discovery," Ioannidis says.

In the paper, Ioannidis does not show that any particular findings are false. Instead, he shows statistically how the many obstacles to getting research findings right combine to make most published research wrong.

[...] [CLB: The targeted readership, other researchers, understand this point generally. Publishing reserach results is expected to lead to discussion, further research on the hypothesis, and often refutation, with improved or modified hypotheses emerging. The problem arises from the media and laypersons use of published research. Media is likely to publish startling, 'newsworthy' results to make headlines. They don't include the rest of the scientific process. What's missing in the popular press: repeating the results, relating the results to other findings, systematic analysis and synthesis of the results, and taking sample-based results in a reliable way into an understanding of how these actually relate to the more general population.]

Concern over Compliance, Instant Messaging and Internal Attacks Spurring Changes

2005-08-29T08:50:00.000-04:00

Business Wire

Regulatory compliance, internal attacks, and the vulnerability of electronic communications - especially instant messaging and e-mail - are among the key factors reshaping data security systems, according to the U.S. results of the 8th annual Global Information Security Survey by InformationWeek Magazine and Accenture.

At the same time, the U.S. Information Security Survey uncovered indications that companies and organizations are failing to provide rigorous protection of customer and client data. The survey, which was conducted over the Web this summer, received responses from more than 2,500 U.S. information technology and security professionals.

Highlights:

Compliance is reshaping corporate security practices.

Security attacks are becoming increasingly more sophisticated, yet basic passwords continue to be the most common line of defense.

Security breaches are increasingly coming from within, forcing companies to keep tabs on their employees.

Vulnerabilities in operating systems and applications - including the use of instant messaging - continue to be common points of entry.

Concern continues to grow over privacy and identity theft, yet organizations are failing to provide rigorous protection of customer data.

"Companies are taking a more structured approach to information security and making it more of a priority," said Alastair MacWillson, partner in charge of Accenture's security practice. "Many companies are beginning to see the benefits in leveraging new technologies to proactively assess and manage threats and vulnerabilities, and are consolidating, integrating and securing applications to improve integrity and productivity."

Regulatory Impact

There are indications that compliance requirements like Sarbanes-Oxley, HIPAA, the U.S. Home Security Act and the U.S. Patriot Act are reshaping corporate security practices. According to the survey:

60 percent view regulatory compliance as more of a governance issue than a technology problem.

Over half of the survey respondents report that government regulations have pressured their company to adopt a more structured approach to information security.

About two in five say the threat of government penalties has made achieving regulatory compliance an information security priority.

While only a third say achieving compliance is a main catalyst of security-related purchases, over half say it has made their company more cautious about their use of security hardware, applications and services.

Threat Perception and Attacks

Security attacks are constantly evolving, making it difficult for companies to stay one step ahead. For example:

Malicious intent is a concern for 45 percent of respondents. Yet few tie their firm's vulnerability to the lack of a well-defined information security strategy or managerial involvement in security practices and policies.

One third of respondents blame budget constraints for their firm's susceptibility to security breaches.

Significant damages attributed to actual attacks - financial losses, security incursions and identity theft - are uncommon.

Planted spyware code, however, has caused slowdowns in network performance and employee productivity in three quarters of the companies.

Viruses affected two-thirds of surveyed sites last year.

E-mail is proving to be the launching point of assaults, with falsified information in an e-mail attachment reported as the primary method of attack at 35 percent of surveyed sites.

Minor financial losses were confirmed at one in five sites.

Security Tactics

As a result of the vulnerabilities with instant messaging and E-mail, electronic communication has become a major focus of employee monitoring with attachments and content of outbound messages carefully scrutinized. Basic-user passwords still remain the most prevalent method used by companies to protect themselves against security breaches. Informing employees of privacy or behavior standards, posting privacy policies online and using secure Web transactions are the steps taken to safeguard the privacy of customer data. In addition, the survey reveals that:

Only a quarter of respondents report no monitoring of workers.

The monitoring of instant messaging has jumped from 25 percent to 34 percent since last year's survey.

Only 15 percent of sites have created the position of chief privacy officer and less than 30 percent have conducted privacy policy audits to ensure there are adequate guidelines. In fact, practices concerning the security of customer data are categorized as only fairly rigorous at half of the sites.

Security Costs

A majority of U.S. companies spend below $500,000 on security expenses, with half anticipating increased spending in 2005 over the previous year, and only 3 percent expecting spending to decline. Performance and return on investment count the most when purchasing security products.

"Despite the fact that information security professionals are adopting many state-of-the-art security practices, certain lapses still exist that can result in serious financial losses for corporations or a violation of customer trust," said Rusty Weston editor, InformationWeek Research. "Security professionals lack the ability to control every point of entry, but worse, they have too much faith in technology that claims to automate network defenses."

Methods for authentication

2005-08-12T12:47:00.000-04:00

Network World

When screening large numbers of people, linking identification to real-world identity (that is, authentication) is a tough problem. As readers probably know, there are four basic methods for authentication:

What you know that others don't (e.g., passwords).

What you have that others don't (e.g., tokens such as keys or smart cards).

What you do that others can't (e.g., the way you sign your name or the phrase on a keyboard).

What you are that others aren't (e.g., your fingerprints, retinal patterns, iris characteristics, or face).

Passwords don't work very well for crowds. Tokens are used all the time - consider airline tickets and passports - but in today's digital scanning and printing world, they are easy to counterfeit.

[... more on advanced ways to make each method work.]

'Car Whisperer' puts hackers in the driver's seat

2005-08-04T13:55:00.000-04:00

Computerworld

If your car murmurs 'hello there,' your Bluetooth system has been hijacked

If you happen to hear a disembodied computer voice tell you to 'drive carefully' the next time you're behind the wheel, you've probably met the Car Whisperer.

Released late last week at the What the Hack computer security conference in Liempde, Netherlands, Car Whisperer is software that tricks the hands-free Bluetooth systems installed in some cars into connecting with a Linux computer.

Car Whisperer was developed by a group of European wireless security experts, called the Trifinite Group, as a way of illustrating the shortcomings of some Bluetooth systems, said Martin Herfurt, an independent security consultant based in Salzburg, Austria, and a founder of Trifinite.

The software takes advantage of the fact that many of these hands-free systems require only a very simple four-digit security key -- often a number such as 1234 or 0000 -- in order to grant a device access to the system. Many car manufacturers use the same code for all of their Bluetooth systems, making it easy for Car Whisperer to send and receive audio from the car.

Using a special directional antenna that allowed him to extend the normally short range of his Bluetooth connections to about a mile, Herfurt was able to listen and send audio to about 10 cars over a one-hour period recently.

The modern spy...

2005-08-01T11:30:00.000-04:00

[CLB] Following the news this morning. There are a larger than normal number of 'spy' articles. And the topics are fascinating. We are watching the roll-out of ubiquitous watchware. It's time that each of makes the assumption that every action, every purchasing choice, every movement you make is being monitored somehow.

The techniques used rely on technologies that have been around for years. They are being used more systemic to monitor, collect, analysis, and react more effectively.

Where was I?

The other night at my local bar, a friend had his computer running Google Earth. We zoomed around the neighbourhood, looking at satellite data less than a year old in some cases. Where were you on the night of ...? Although civilian data does not provide face-recognizing resolution, we know there is better out there. Some military and government organizations can tell you exactly where you were, and where you went. They could confirm how long I stayed at the pub, and who I walked home with.

MORE: Google Earth

Parking Meters

"Technology is taking much of the fun out of finding a place to park
the car.

In Pacific Grove, Calif., parking meters know when a car pulls out of
the spot and quickly reset to zero -- eliminating drivers' little joy
of parking for free on someone else's quarters. In Montreal, when cars stay past their time limit, meters send
real-time alerts to an enforcement officer's hand-held device,
reducing the number of people needed to monitor parking spaces -- not
to mention drivers' chances of getting away with violations.
Meanwhile, in Aspen, Colo., wireless "in-car" meters may eliminate
the need for curbside parking meters altogether: They dangle from the
rear-view mirror inside the car, ticking off prepaid time."

MORE: THE WALL STREET JOURNAL

Colour Printers
"Secret codes embedded into pages printed by some colour laser printers pose a risk to personal privacy, according to the Electronic Frontier Foundation. The US privacy group warns the approach - ostensibly only designed to identify counterfeiters - has become a tool for government surveillance, unchecked by laws to prevent abuse."

MORE: The Register

What did you wear today?

I purchased a few summer clothing items last month from a brand name store. This pretty teal silk skirt had caught my eye, and I've worn it to a few parties and meeting. Yesterday, when checking the washing instructions, I noticed the RFID tag sewn into the seam. The tag is passive, and can be scanned easily, allowing anyone to determine where I purchased my skirt, and even what size I wear. And with a few improvements, this technology will allow the store to track when and where I wore the skirt, and when it remained in my closet. Eventually, I'll be able to scan my closet, create an inventory, and reorder online based on my personal preferences. And a clothing supplier will be able to collect that data and make recommendations such as, "We have a beautiful shirt in you size, made out of the same fabric and colour," or "You haven't worn these 19 items in 3 years. Would you like the local charity to pick them up for you?"

If all these organizations were to share data, they'd know which movie ticket I printed out, how long I parked and where to see theshow, and what I wore. And hopefuly they'd offer some advice about my date, and perhaps even who else he is seeing. How much do you rely on being anonymous in your activities?

[CLB]

The CEO's Tech Toolbox

2005-07-26T09:18:00.000-04:00

The CEO's Tech Toolbox

Here are some tech trends for the CEO to stay abreast of:

Mapping Strategic Direction

"Ritz-Carlton" Service

And A Key List for the CEO:

Uber-Personal Assistant

Next-Generation Collaboration

Podcasting

Seamless Wireless

TiVoToGo

Mesh Networks

Radio Frequency Identification (RFID)

Business Activity Monitoring (BAM) Software

Real-Time Identity Theft Notification

Prediction Markets

Watchdog: 2 or 1 best?

2005-07-26T08:44:00.000-04:00

TheStar.com

A former Supreme Court justice will help the federal government weigh the benefits of merging the offices of the information and privacy commissioners..

The Liberals have asked Gerard La Forest to assess the strengths and weaknesses of the current model, with each portfolio handled by a separate commissioner. He also will review practices in other jurisdictions.

Tory MP David Chatters said the government should not talk of a merger when Parliament has not been consulted

Back story from The Star

Complying with breach notification laws

2005-07-25T13:49:00.000-04:00

TechTarget

[...]

Strategies for compliance

Identify systems containing personal information and enhance mechanisms to detect unauthorized conduct on networks. Because breach notification statutes are triggered when personal information is compromised, organizations should identify the systems on which such data is stored and enhance the means used, such as logging capabilities, to detect when a breach has occurred.
Encrypt personal information. The majority of the state statutes only require notification if a breach compromises unencrypted personal information. Organizations that encrypt personal information will not only better protect consumers but also avoid onerous notification obligations.
Amend incident response plan to require that key decision-makers are immediately alerted when breaches are detected. Because the statutes are likely triggered as soon as an intrusion has been detected by the IT department, organizations should ensure that incident response plans provide for timely reporting of incidents to those responsible for making notification decisions.
Adopt a corporate incident response policy that provides for notification. As noted, the statutes are modeled on California's law and generally provide more flexibility when 'a person or business maintains its own notification procedures as part of an information security policy for the treatment of personal information.' Companies now have significant incentive to develop their own form of incident response plans.

Ensure that third-party contracts involving the transfer of personal data include appropriate information security provisions. Breach notification laws provide no exception for when data within the possession of a third-party is compromised. Organizations should ensure that their contracts contain provisions requiring that vendors or subcontractors provide immediate notification of suspected breaches, and allowing the organization both to participate in the investigation of incidents and exercise control over decisions regarding external reporting.

CEOs are faking it, Stanford professor says

2005-07-25T13:08:00.000-04:00

Computerworld

Your company's CEO might be a pretender, and that may be a good thing, according to Robert Sutton, professor of management science and engineering at Stanford University.

CEOs are secretly aware of their own fallibility while also realizing that any sign of indecisiveness could be fatal to their careers

Sutton, the author of a 2001 study of corporate innovation, 'Weird Ideas that Work,' says that a close look at the evidence shows that CEOs probably deserve less credit for their company's fortunes than they receive and that the best of them manage a tough balancing act: secretly aware of their own fallibility while also realizing that any sign of indecisiveness could be fatal to their careers.

'In just about every study I've ever seen ... the amount of control a leader has over the company is exaggerated,' Sutton said during a keynote address at the AO05 Innovation Summit at Stanford yesterday. Although top executives of the largest companies are often considered uniquely powerful, their effectiveness actually dwindles as companies get larger, he said.

the CEO as a captain, steering the corporate ship, isn't so much a fallacy as it is a 'half truth,'

'If you look at these Fortune 500 companies where they get paid a fortune, they have the least impact,' Sutton said.

The notion of the CEO as a captain, steering the corporate ship, isn't so much a fallacy as it is a 'half truth,' according to Sutton, who has devoted a chapter to the topic in his upcoming book, Hard Facts, Dangerous Half Truths, and Total Nonsense.

In fact, leaders -- even great ones -- often have no clear idea where they are going, he said. And they make mistakes.

The best executives, like Intel Corp.'s former CEO Andy Grove, will admit that they face a dilemma in needing to appear decisive while at the same time being conscious of their limitations. 'You have to pretend,' Sutton said. 'It's sort of a dilemma, but if you want to accept a leadership job, you've got to accept the hypocrisy of it."

In a 2003 interview with the Harvard Business School, Grove acknowledged that no business leader has "a real understanding of where we are heading."

When you plant a seed in the ground, you don't dig it up every week to see how it works.

In the interview, Grove added that it is important not to be weighed down by the burden of making important decisions without a clear picture of things. "Try not to get too depressed in the journey, because there's a professional responsibility. If you are depressed, you can't motivate your staff," he said.

The interview illustrated that Grove was "getting even more honest" as his involvement in the day-to-day management of Intel lessened, Sutton said.

Sutton and co-author Jeffrey Pfeffer have tackled other "half truths" in their book, which is to be published next year. Their aim is to shine the light of empirical research on a number of widely held management beliefs, including the idea that leaders should always keep a close eye on their workers, Sutton said.

Sometimes the best managers are the ones who do the least, Sutton said, quoting an aphorism he attributed to 3M Co.'s retired senior vice president of research and development, Bill Coyne: "When you plant a seed in the ground, you don't dig it up every week to see how it works."

7S Strategy Model: hard S's and soft S's

2005-07-18T08:19:00.000-04:00

Chimera Consulting

7S Framework

It's all very well devising a strategy, but you have to be able to implement it if it's to do any good. The Seven S Framework first appeared in 'The Art Of Japanese Management' by Richard Pascale and Anthony Athos in 1981. They had been looking at how Japanese industry had been so successful, at around the same time that Tom Peters and Robert Waterman were exploring what made a company excellent. The Seven S model was born at a meeting of the four authors in 1978. It went on to appear in 'In Search of Excellence' by Peters and Waterman, and was taken up as a basic tool by the global management consultancy McKinsey: it's sometimes known as the McKinsey 7S model.

Managers, they said, need to take account of all seven of the factors to be sure of successful implementation of a strategy - large or small. They're all interdependent, so if you fail to pay proper attention to one of them, it can bring the others crashing down around you. Oh, and the relative importance of each factor will vary over time, and you can't always tell how that's changing. Like a lot of these models, there's a good dose of common sense in here, but the 7S Framework is useful way of checking that you've covered all the bases.

The 7S's

Strategy A set of actions that you start with and must maintain

Structure How people and tasks / work are organised

Systems All the processes and information flows that link the organisation together

Style How managers behave

Staff How you develop managers (current and future)

Superordinate Goals Longer-term vision, and all that values stuff, that shapes the destiny of the organisation

Skills Dominant attributes or capabilities that exist in the organisation

If you want more on the 7S model, read Richard Pascale's subsequent "Managing on the Edge" (1990).

CIOs Have A Role To Play On Corporate Boards

2005-07-14T07:35:00.000-04:00

InformationWeek

The perception of CIOs is evolving from managers of back-office systems to executives with knowledge of business processes.

While very few CIOs sit on the boards of directors of the world's largest companies, 75% of global executives believe CIOs have a role to play on those boards, according to a new study released this week by executive search firm Korn/Ferry International.

The online survey of more than 2,000 executives, in a number of top-level positions from a variety of industries, found that 46% believe CIOs 'absolutely' have a role to play on a company's board of directors, and 29% say they 'somewhat' believe CIOs have a role to play on such boards. Only 3% say 'not at all' when asked whether they believe CIOs have a role to play on the board.

[...]

It's likely that more CIOs will be seriously considered for board membership as the perception of their role evolves from that of managers focused primarily on regulatory compliance, back-end operations like E-mail and document storage, and administration, to that of executives who understand business processes and the competitive environment and who provide companies with a competitive advantage, says Richard Spitz, global managing director of Korn/Ferry's Technology Market.

In the Korn/Ferry online survey,

96% of executives say they believe technology has improved efficiency at their companies.

34% of executives say they're "highly likely" to consider working for a technology company in their next job, and 33% say they're "likely" to.

51% of the executives say they thought technology spending in the current economy was beginning to improve, while twenty-eight percent think it appears to be relatively stable.

62% of the executives believe the technology industry is fully recovered from the dot-com recession "somewhat," 9% believe it "fully," 13% are "neutral" on the question, 14% don't believe it "much," and 2% don't believe it "at all.

C Y B E R C R I M E

2005-07-11T06:27:00.000-04:00

C Y B E R C R I M E

1st Annual Workshop on Geoethical Nanotechnology

2005-07-08T08:39:00.000-04:00

The Terasem Movement

"Geoethical" means widely agreed-upon principles for guiding the application of curative technologies that can have a general environmental (including people) impact, much like bioethical principles (autonomy, beneficence, nonfeasance, justice) guide the application of curative technologies that specifically impact one or more patients. Nanotechnology raises geoethical issues because the nanomedical treatment of individuals may have a wide socio-environmental impact.

GRAIN stands for Genomics, Robotics, Artificial Intelligence and Nanotechnology.

Terasem: Life faces three types of risks -- from disease, from society and from natural catastrophes. The Terasem Movement is based upon the belief that each of these risks can and should be substantially ameliorated. We believe that nanotechnology developed geoethically, cyberconsciousness developed with personhood, and an overriding commitment to diversity and unity are the tools needed to ameliorate the risks to life.

With regard to risks from disease, the Terasem Movement is premised upon the belief that nanomedicine is the key to eliminating human suffering and greatly extending human lifetimes. Nanomedicine is also the key to recovery from cryopreservation for individuals who die before their illnesses can be technologically cured.

The Terasem Movement believes that social causes of suffering and death, such as wars, pollution and anomie, arise due to inadequate attention paid to the overriding importance of diversity and unity. In addition, nanotechnology can create adequate clean wealth to remove many scarcity-based causes for conflict.

Natural catastrophes run the gamut from tsunamis to collisions with space objects. The Terasem Movement believes that our conscious life is precious and unique in the universe. Consequently, we believe it is essential to propagate our consciousness far beyond earth and that self-replicating nanotechnology is currently the only practical means of doing so.

Report on the Evolution of Cybercrime

2005-07-06T08:09:00.000-04:00

McAfee

McAfee, Inc. released the McAfee® Virtual Criminology Report, which examines how a new class of criminals are using the Internet in new, systematic and professional ways to commit illegal acts. According to the findings, information theft is the most damaging category of Internet crime, while viruses have been the most costly for businesses.

The report, commissioned by McAfee, discusses how organized crime and cybercrime are developing, and looks at the future threat this activity could pose to home computers, government computer networks, and to computer systems in the business sector. The report reveals a hierarchy of cybercriminals, discussing the recent evolution of the amateur cyber delinquent to the professional cyber gang.

'As companies and consumers continue to move towards a networked and information economy, more opportunity exists for cybercriminals to take advantage of vulnerabilities on networks and computers,' said Chris Christiansen, program vice president, IDC. 'Understanding who these criminals are and how they attack provide great insight into implementing and practicing good security hygiene.'

Prior to 2000, cybercriminals acting alone committed the majority of cybercrimes, usually in an attempt to attain notoriety within the cyber world. However, in recent years, a shift has occurred as criminals and not just amateurs are committing cybercrimes. This is due in large part to the potentially huge financial gains that can be made from the Internet with relatively little risk. The report goes on to examine the different tactics and tools used by these cybercriminals, and future areas of attack.

Some of the report's most compelling highlights include:

The FBI estimates that cybercrime cost about $400 billion in 2004.

In an investigation, codenamed "Operation Firewall," U.S. and Canadian authorities announced the arrest of 28 people from six countries involved in a global organized cybercrime ring. They operated Websites to buy and sell credit card information and false identities. They bought and sold almost 1.7 million stolen credit card numbers. Of these stolen credit cards, financial institutions have estimated their losses to be $4.3 million.

The use of pseudonyms or online identities provides an anonymity that is attractive to criminals. Sources estimate that perhaps only 5% of cybercriminals are ever caught or convicted.

The full report is available AS A PDF at: McAfee® Virtual Criminology Report

After a privacy breach, how should you break the news?

2005-07-06T07:36:00.000-04:00

Computerworld

Based on a recent study conducted by Ponemon Institute, we can provide some insight on what customers' expectations are when they receive notification. Here are key issues companies should consider in order to maintain the trust and confidence of their customers or employees in the event of a data security breach.

Timeliness is important. Notify the victims as quickly as possible. A few days of delay can cause a significant drop in confidence in your organization.

Talk to your customers, employees and contractors. Individuals were much more likely to view communication as truthful when a company representative contacted them by telephone. Written communication was viewed with a higher degree of skepticism and concern.

Document the issue. Individuals want to know as much as possible about the incident. While companies may be unable to share all the details about a breach at the time of notification, it is important to provide enough information so that an individual can take appropriate action.

Don't sugarcoat the message. A spoonful of sugar won't make the bad news go down easily. People expect the notice to be truthful, clear and concise.

Provide support. People expect the organization to help them with problems created by the breach. Specifically, companies should have trained personnel to help if a data breach ultimately results in identity theft or other related crimes.

Show me the money. Consumers expect to receive financial compensation in the event that they experience monetary or productivity losses as a result of the company's breach.

Personalization creates trust. Make sure the notification has accurate information about how the breach may affect the customer. Above all, don't misspell a customer's name or have an incorrect address on a notification.

Adjust the message to fit the severity of the breach. Not all breaches are the same. Make sure your notification communicates the necessary actions that are relevant to the type of breach that occurs. Again, make sure individuals have help in resolving any problems created by the breach.

It is also important to notify all potential victims. Some companies have made the mistake of not informing customers in states without a notification law. The media, government agencies and lawmakers will not view such practices favorably.

For more information, please contact research@ponemon.org. Larry Ponemon is chairman of Ponemon Institute, a think tank dedicated to ethical information management practices and research. He is an adjunct professor of ethics and privacy at Carnegie Mellon University's CIO Institute and is a CyLab faculty member. Ponemon can be reached at larry@ponemon.org.

The state of sustainability reporting in Canada

2005-07-01T10:42:00.000-04:00

GRI News

In one of the most comprehensive national-level survey's of reporting practices ever published, the Certified General Accountants Association of Canada finds that 'reporting issuers, their boards, and senior management will be duty-bound to pay greater attention to the social and environmental issues and risks.'

It was revealed that 61% of large cap companies were aware of GRI, but that only 15.0% of micro cap companies and 22.2% of small companies had heard of GRI. Of the respondents that had heard of GRI, 77% were supportive of GRI. Only 8% said that they find the 2002 Guidelines too onerous, but 22% said they found the Guidelines 'too vague'. The authors stated that the most valuable aspects of the GRI Guidelines are the multi-stakeholder process that underpins their development, and the ability of reporters to use them incrementally.

Follow this link to download the full report.

Multiple finger sequence becomes your unique biometric pin

2005-06-30T07:25:00.000-04:00

Senselect
BiometricPIN™

[CLB: Interesting. I'm trying to determine if finger-push timing effects the pin accuracy, if partial prints are an issue, and how long authentication takes. I'm not yet convinced that the security of this model is currently viable. I'm also curious about a person's ability to recall multiple finger sequences - one sequence for each type of transaction.]

BANs and PANs (Body Area Networks)

2005-06-23T09:00:00.000-04:00

Electronic Design Europe

In the long term electronics will give people a personal body area network (BAN) that will be used to gather vital body information into a central intelligent node. This, in turn, will communicate wirelessly with a basestation. BANs will be built on a number of small low-power sensor/actuator nodes with sufficient computing power, wireless capabilities, and integrated antenna. Each node will have enough intelligence to carry out its task. These could range from storing and forwarding algorithms to complex, nonlinear data analysis. These nodes will be able to communicate with other sensor nodes or with a central node worn on the body. The central node will communicate using standard telecommunication infrastructure, such as a WiFi or mobile phone network.

The network will also be able to deliver services to the owner of the BAN, including the management of chronic disease, medical diagnostic, home monitoring, biometrics, and sports and fitness tracking.

The realisation of BANs largely depends on extending the capabilities of existing devices; a number of medical and technological obstacles need to be removed. For example, the lifetime of battery-powered devices is limited at present and must be extended if it is to power many of these applications. Likewise, the interaction between sensors and actuators needs to be enlarged to support new applications such as multi-parameter biometrics. Also, devices need intelligence built-in so they can store, process and transfer data.

[...]

PDF: European Group on Ethics in Science and New Technologies: Opening the discussion on safe, ethical use of ICT technologies embedded within the human body.

Software Advance Helps Computers Act Logically

2005-06-17T08:40:00.000-04:00

physorg.com

Computers just respond to commands, never 'thinking' about the consequences. A new software language, however, promises to enable computers to reason much more precisely and thus better reflect subtleties intended by commands of human operators. Developed by National Institute of Standards and Technology (NIST) researchers and colleagues in France, Germany, Japan and the United Kingdom, the process specification language software, known as ISO 18629, should make computers much more useful in manufacturing.

ISO 18629 uses artificial intelligence (AI) and language analysis to represent computer commands in the context of a manufacturing plan. Researchers have incorporated approximately 300 concepts, such as “duration” and “sequence,” into its software structure. Computers using software with this expanded, though still primitive AI capacity, can act on a word’s “meaning,” interpreting a command almost like a person.

For instance, a person who hears the commands “paint it, before shipping it” and “turn on the coolant, before milling” understands that the word "before" has slightly different meanings in these two different contexts. In the first command, it is understood that painting and drying must be completed prior to the next action, shipping. In the second command, however, the first action, turning on the coolant, continues after the milling starts. ISO 18629 supports computer systems with this type of rudimentary understanding of context-specific language.

The ISO 18629 language is especially suited for the exchange of process planning, validation, production scheduling and control information for guiding manufacturing processes. The International Organization for Standardization (ISO), which already has approved six sections of the fledging standard, is currently reviewing the last of its three sections. Once the expected ISO approval is given, software vendors will begin building a variety of manufacturing systems that conform to ISO 18629.

Source: NIST

Liberty Alliance Project - Trust and Security - It's all about privacy!

2005-06-16T15:14:00.000-04:00

ProjectLiberty.org

The Liberty Specifications were built with privacy in mind.

The decisions made in developing technology were all made to enhance privacy and make it easier to implement good privacy practices.

Non Technical Privacy Features

Consumer consent

All of the relevant specifications include the reference to the need of consumer consent for relevant transactions.

Consumer choice of Identity Providers

Federated architecture allows consumer to choose an Identity Provider independent of the used network or service.
Selection is only constrained by laws, regulations and business models, not the Liberty specifications

Decentralized or federated storage of PII or other information related to your identity

Federated architecture allows the information related to a specific identity to be stored in relevant locations defined by the consumer, government or business relationship between the consumer and certain Service Provider
Storage of PII or other identity related information is only constrained by laws, regulations and business models, not the Liberty specifications
Simplified password management

Technical Privacy Features

XML Signature - XMLDSig allow a proper verification of the transaction parties, and if messages are signed and stored, allows for later auditing

Pseudonymous access - Identity Federation in Liberty creates a pseudonym, constructed of a random set of characters and being unique in the context of a specific Identity Provider and Service Provider

Anonymous Access - Liberty specs provide means for a Service Provider to access Identity Services without a need to know who the consumer they are providing services to really is.

Usage Directives - Allows for indication of associated privacy policy in both a request and reply for principal attributes

Consent header block - SOAP header block used to explicitly assert that the Principal consented to the present interaction

Interaction Service - The Interaction Service specification defines schemas and profiles that enable an Identity Service to interact with the owner of the information exposed by that Identity Service