The OCSIG Security News Letter (March 2006)
2006-03-21 17:55:22
**********************************************************************
The OCSIG Security News Overview - Ottawa, Canada
**********************************************************************
OCSIG Council :
              President : Edward E. Johnson CISSP
              Vice President : Carol Sullivan CISSP
              Past President : Maynard Hanscom CISSP
              Secretary : Peter A. Thomas B.Sc., ACA., ACIS.,
              Gord Larose CISSP, Ron Chuchryk CA, CISA, CFE
              Ernest Chadler PEng, MBA, CMA,
              John Hopkinson CISSP, Mervyn Berridge-Sills M.A.
              Alice Sturgeon, Fred Carter CISSP

  OCSIG Email : tenovus@ncf.ca
                gparm@sympatico.ca
                Tel. : 613 - 829 - 4319
                Fax : 613 - 726 - 9134 (24/7)
**********************************************************
 Visit <http://www.cccure.org> for OCSIG and CISSP
**********************************************************
        OCSIG - SECURITY NEWS LETTER :
        Vol 3. Number 2069, March 2006
**********************************************************
CONTENTS :
***************
OCSIG - Where are the bucks? Drug-related or cyber-crime activity?
OCSIG - IT Job Universe - A helping Hand to all in Security.
OCSIG - Canada - Interesting Notes from all corners
OCSIG - Ottawa's Own IT Magazine "The Monitor"
OCSIG - Sachet of 500 Free Tools for Download !!
OCSIG - Available for Download Sarbanes-Oxley Compliance WhitePaper
OCSIG - Our Dan Swanson - A Must for Researchers
OCSIG - Bernard A. Hodson : Armageddon Thwarted II !
OCSIG - Open Study CISSP Site : Clement Dupuis CD CISSP
OCSIG - The Third ISESTORM - Barcelona Spain
OCSIG - Dr. Urs E. Gattiker - Fighting spam : obstacles we need to move
OCSIG - Dr. Mich Kabay - Internet links pose image and legal problems
OCSIG - Frank R Zeitlhofer - Sarbanes Oxley - Historical review ?
OCSIG - The Foundation
**********************************************************************
OCSIG - Where are the bucks? Drug-related or cyber-crime activity?
**********************************************************************
Recently quotes based on DATA from December 2005 have stated :-
'Last year was the first year that proceeds from cybercrime were greater than proceeds from the sale of illegal drugs, and that was, I believe, over $US105 billion.'

This was a quote mentioned during a presentation at the German Business Informatics conference 2006 in Passau; see here for some cybercrime presentations:
http://freebies.weburb.org/newsservice/link/3918/http://www.mkwi06.de/

The presentation presented various taxonomies and categorizations, comparing those provided by the:
- cybercrime convention, as well as those used by
- KOBIT (the Swiss federal police webpage used for Internet crime reporting by the public).
An Abstract can be found here:
http://freebies.weburb.org/newsservice/link/3918/http://casescontact.org/press_rel_view.php?ID=42

The presentation then proceeded and outlined how these claims and estimates lack any theoretical, definitional and statistical basis for taking them seriously in comparison to those provided by the UN Office on Drugs and Crime (UNODC).
The presentation then went on and illustrated how the claims made by various agencies regarding cybercrime lack:
- content validity,
- reliability,
- basis for generalization
and so on, using various examples that you can look at by downloading the slides here:
<http://freebies.weburb.org/newsservice/link/3918/http://brief.weburb.dk/frame.php?loc=archive/00000213/>

The above, including the related stories with links to further documents and research, indicate that we are left with much work before we will have a better understanding of this phenomenon - if at all.

RELATED STORIES:
Regulation that Matters - Cybercrime Convention - USA citizen groups are balking...
 - http://security.weburb.dk/frame/show/news/3841

W3 - Lib 1 - Study reports that Cybercrime and Cyberterrorism Are Not Being Reported - Is Special Legislation Based on Flimsy Data the Answer?
 - http://security.weburb.dk/frame/show/news/3248

I think we should lend these "experts" the services of our Auditor General for, without such assistance, we may never arrive at the undisputed facts !

We all live in interesting times - Best wishes

Peter A. Thomas
OCSIG Secretary
**********************************************************************
OCSIG - IT Job Universe - A helping Hand to all in Security.
**********************************************************************
This is a new Service being provided to all in Canada - Coast to Coast. It is Free to both Employers and Applicants. The address is : <www.itjobuniverse.ca/search>

For more details contact Robert Cheung at 416.290.0240 Ext 174 or <Rcheung@itworldcanada.com>
**************************************************************
OCSIG - Canada - Interesting Notes from all corners
**************************************************************
The proliferation of wireless hotspots could reduce the use of the BlackBerry and other handheld devices, a study in the UK found:
- 13% (2005) ==> 29% (2006) of UK business travellers use hotspots
- 42% (2005) ==> 40% use handhelds
RELATED STORIES:
Tool - What beats Google Talk and Skype by far?
 - http://security.weburb.dk/frame/show/news/3892
*********************************************************
Debunking the myths about PKI or - why it will most likely never work properly
 - http://security.weburb.dk/frame/show/news/2889
*******************************************************
Gattiker and Kaspersky - Debunking myths about hacking - outlining the trends
 - http://security.weburb.dk/frame/show/news/3388
*******************************************************
24 Windows XP myths exposed
This is a well researched list that debunks dozens of commonly held Windows beliefs such as:
1) Periodically cleaning the pre-fetch folder speeds up boot time.
2) Windows XP requires a high end PC to install and run.
3) Deleting the contents of the Prefetch folder improves performance.
4) Setting any Value higher than 3 to EnablePrefetcher will improve performance.
5) Enable SuperFetch Tweak improves performance in Windows XP as it does in Windows Vista.
6) Disabling the Pagefile improves performance.
7) Disabling System Restore improves performance.
8) The FAT32 file system is better than NTFS.
9) Moving the Pagefile to a different partition on the same drive improves performance.
10) Increasing the amount of available RAM improves performance.
11) Registry Cleaners improve performance.
12) Windows 95/98/ME is as reliable as XP.
13) Adjusting the Priority of IRQs, especially IRQ 8, improves system performance.
14) Limited User Accounts are a realistic security solution.
     and more here:
<http://freebies.weburb.org/newsservice/link/3938/http://mywebpages.comcast.net/SupportCD/XPMyths.html>
****************************************
Today's 10 most-read stories
****************************************
1. World's largest Windows error message
<http://www.networkworld.com/nlsec27032>
2. Researchers: Impact of censorship significant on Google
<http://www.networkworld.com/nlsec27033>
3. IP telephony deployments struggle with power/heat issues
<http://www.networkworld.com/nlsec27034>
4. The category breaker: Apple's MacTel
<http://www.networkworld.com/nlsecuritynewsal25666>
5. Cisco blazes trails at sandwich shops
<http://www.networkworld.com/news/2006/031406-ciscoblaze.html?ts>
6. Bird flu: IT pros planning for worst
<http://www.networkworld.com/nlsecuritynewsal26487>
7. Study: The dirty, naked truth about teleworkers
<http://www.networkworld.com/nlsecuritynewsal26799>
8. Security jobs heat up
<http://www.networkworld.com/careers/2006/031306man.html?t5>
9. Cisco's Linksys unveils VoIP gear for small businesses
<http://www.networkworld.com/nlsecuritynewsal26796>
10. T-Mobile, Cingular pull Razr due to glitch
<http://www.networkworld.com/nlsecuritynewsal26488>
*****************************************************************
OCSIG - Ottawa's Own IT Magazine "The Monitor"
*****************************************************************
"The Monitor" has an industry news portal, the intention of which is to include the latest developments in the high tech sector with an Ottawa focus. Bookmark
               <http://www.monitor.ca/monitor/>
or             <http://www.monitortoday.com/>

These are updated three times each working day !! Why not check them out !!
     Mind, you can also ask Questions. Try the Practice : Email :-
               <editor@monitor.ca>

  Mention "OCSIG" and you will get preferential treatment !!
*****************************************************************
"Seek and ye shall find !" So, do not hesitate to ask !
     Assurance is two thirds of success.
*****************************************************************
OCSIG - Papers and Tools - Available for Download
*****************************************************************
Papers :
*********
1. "Business Intelligence for the Security Function"
                    by Mr Alan Breakspear

2. 12 Important Risk Management Papers
   By Mr John P Hopkinson CISSP., ISP., CDRP., a leading Authority on the Canadian and International Scene in Systems Security

3. "*GOL Security Requirements, Structure and Delivery"
   Ms. Linda Hunter, IT Security Standards Coordination, Treasury Board Secretariat of Canada
   * - GOL = Government On Line Project
           All the above papers are available by Download - Free from :
                   <http://www.cccure.org>
***************************************************
Tools :
********
Do not hesitate to seek your needs from the Sachet of 505 Free Tools
Just try :- <http://security.weburb.dk/frame/show/news/3543>
***********************************************************************************
Sarbanes-Oxley Compliance Whitepaper

Get the best practices you require to maintain proper internal control frameworks as you strive to meet Sarbanes-Oxley requirements with NetIQ's free whitepaper, "Meeting Sarbanes-Oxley IT Control Requirements with NetIQ." You'll learn how to dramatically reduce your time and effort spent auditing, reporting on, and controlling essential areas such as policies, file access rights, provisioning and change control.

Download this FREE whitepaper now.
http://www.netiq.com/f/form/form.asp?id=2529&origin=NS_SANS_050405

*************************************************************************************
OCSIG - Our Dan Swanson - A Lighthouse for those seeking Knowledge
*************************************************************************************
Our OCSIG Dan Swanson <Nunquam non paratus> has decided to venture out on his own again, forming a new company under the name -
                             <Dan Swanson & Associates>.

Dan, with his Associates, will be devoting his time to Writing, Research, Consulting and Lecturing. As subscribers to the OCSIG News Letter will know, Dan has provided the best research paths to all those Professionals involved in IT, Audit, Accountancy and Security with all its singular facets. By the same token, the results of Dan's research will still be available to OCSIG Members via a FREE Subscription (for details see below).

Remember, Dan in Research is truly a "viverra specialis"

                                    Dan Swanson, CMA, CIA, CISA, CISSP, CAP
                                    President and CEO
                                    Dan Swanson and Associates
                                    Altamonte Springs, Florida, USA
                                    <dswanson_2005@yahoo.com>
____________________________________________________________

Dan Swanson has recently established 2 Yahoo mailing lists including:

1) http://finance.groups.yahoo.com/group/Dans_CCCemails

"CCC emails provide online resources in support of your Governance, Risk Management, and Internal Audit efforts. Content related to IT Audit and IT Security is provided on occasion. Finally, resources related to leadership, quality, strategy, and management are frequently included."

2) http://finance.groups.yahoo.com/group/Dans_SECemails

"SEC emails provide online resources in support of your IT Audit and IT Security efforts. Content related to Governance, Risk Management, and Internal Audit is provided on occasion. Finally, resources related to leadership and strategy are frequently included."
****************************************************************************
OCSIG - Bernard A. Hodson : ARMAGEDDON - THWARTED !
****************************************************************************
This time I want to move away from the security problems mentioned in my four Armageddon pieces and move to a related area that still involves security, that of spying. Industrial espionage within Canada is costing our economy about $1B per year, a figure that to me seems on the low side, in view of the fact that our infrastructure is wide open to economic exploitation. The cost in the USA is much higher. Espionage used to be the realm of spies, traitors and corrupted employees but current industrial practices make these people almost redundant. This particular article will be trivial to many of you with security expertise but I want to use it as a background to my next one or two articles, which I hope will deal satisfactorily with the security threats in some detail.

One of the spy areas that seems to be accepted almost globally is the "Eye in the Sky" or, as some would have it, the "Spy in the Sky" of satellites such as Landsat which scan the earth's surface and transmit images of what they see.

A few countries object to this surveillance but most accept the fact that useful information about their country is received and available, even though other countries might use the data for economic exploitation. Received data is used to find forest diseases, size increases in deserts, flood and fire damage, various crop evaluations and so on.

Data from satellites can of course be intercepted. Many years ago Sir Bernard Lovell, of radio astronomy fame and one of my former professors, picked up some of the early scans from a Soviet satellite and the imagery was made available to the world. Years later a Canadian scientist built a receiving dish from chicken wire and an electronics kit. On one of his test runs he picked up a beautiful image of the Great Lakes area that had obviously been corrected in flight (normally such images came down in a distorted form and had to undergo correction at a ground station). Phoning his US colleagues he asked them when they had launched the satellite. The US did not even know about it and asked him for the transmission frequency. It turned out to be a new launch from Russia.

The usual concept of spying is, however, still with us, a personal story illustrating the older way of doing things. This story has also been published in ComputerWorld Canada. As you know from the Armageddon series I have developed an approach to computing which offers significant intrusion free benefits to the industry (e.g. see technonline.com, <www.genetix.ca> et al). In its more infant days I received a call from Los Angeles inviting me to give a presentation on these ideas. There I met a group of people who identified themselves as follows: an investor; a company Fireman's Fund, (controller of 7,000 micros); and one who claimed to have been IBM "Man of the Year". They liked the presentation and asked if I could use the software to clone one of Computer Associates' packages.

I said that such a clone was a rather trivial task but agreed to return in a month with a clone (it took 3 days to clone with the software techniques I had developed at that time). On my return I met a couple of additional people who claimed to have bought out a segment of EDS, on whose computer the demonstration took place. There was no observable difference between the CA product and the clone, except the clone ran faster. They then discussed investment terms and suggested a celebration dinner, placing my luggage in the trunk of their car. The driver dropped us off at the restaurant and said he would join us later (no doubt to try and get the non existent source code from my luggage).

On my return to Canada I was contacted by a supposed lawyer who claimed to be making immigration arrangements, but by this time I was becoming suspicious. I have always had excellent relations with IBM and asked them about this so called Man of the Year. They said they had no such designation and searched fruitlessly their entire current and past employees' data base, drawing a blank. I wrote to Fireman's Fund in LA and was told they had no such vice president. I wrote to Ross Perot in Dallas and got an almost immediate reply from one of his senior managers saying the statement about the LA centre was fraudulent. I was later told that what had occurred was a typical CIA or KGB operation.

While the old fashioned spying still exists, industry itself is virtually giving away its secrets and, while the larger companies have the financial clout to occasionally do something about it, small and medium sized companies (SMBs) find it virtually impossible to prevent their secrets from being stolen. If they try to discuss their product with a larger company they usually have to sign an agreement which says that the larger company may already be developing something along those lines and, even if the larger company is untruthful, the SMB will have little recourse. Patenting of their secrets is a time consuming and costly endeavor for most SMBs and in any case, because of the costs of litigation, not very productive. A larger company can cripple an SMB by just launching a suit.

It is questionable whether it is wise for an SMB to send demonstration packages of their product. I have occasionally done this but wonder whether sending them to Russia, China, India, Singapore or even the United States is wise. Demos can be reverse engineered and the ideas copied, if not the code, as can the saleable product.

All computers generate signals which can be intercepted (in the early days we used to broadcast music to external radio receivers by manipulating programs to generate musical frequencies). The military used a variety of "tempest" terminals, shielding and encryption to try and get around this problem, not always successfully. With current wireless technology such sophistication is not needed; industry is delivering signals to anyone with a radio receiver. Range for most transmissions is not great but sensitive equipment can pick up signals from a remote location. By this means industry is very vulnerable to loss of valuable data and application programs. It is often justified by its "penny pinching pound foolish" management structure which saves a few dollars on internal wiring while transmitting data for free to competitors or foreign parties. On occasion this has led to companies being blackmailed, or to extortion.

Companies are beginning to use data encryption and it has some merit but, given enough incentive, a determined group will eventually break the code. During World War II the Germans had a theoretically unbreakable code with their ENIGMA units but some of Britain's scientists broke the code by exploiting the way that coded messages were generated. Modern businesses have nowhere near the sophistication of the Germans and blithely offer their data to anyone who cares to exploit the received wireless signals. By analyzing the received data and getting some easily available company encryption procedures it does not take long to break the code, as very few companies will have the knowledge or sophistication required to prevent it. The more data intercepted the easier the task of decryption. Once it is done then company data can be routinely collected and automatically decrypted.

There are also internal sources for espionage. While employees are still regarded as a major potential threat in the loss of valuable company data, being connected to the Internet provides the tools for unauthorized access by anyone, anywhere in the world, through intrusion software which gains access to company records. This is demonstrated by ever increasing horror stories of intercepted data, identity theft, spyware and the like. In many cases the companies involved do not even know that their systems and data have been compromised.

We also have the trend to offshore development, which is another penny wise pound foolish business practice that can compromise a company's business data. In general, while there are many honest companies offshore, a business lends itself to all types of nefarious activity by contracting offshore, with such development taking place in a foreign country. Differing cultural environments, different ideas of honesty, and different country objectives all contribute to the insecurity of the work produced offshore. It would require a considerable amount of forensic software analysis by the home company doing the offshore contracting to determine whether the code, even if it does the task contracted for, does not also contain malicious code. Trojan horses may be inserted in the code, data transfers can be hidden within the code to send crucial information back to the offshore developer, false financial transactions can be introduced.

My next articles will examine in more detail many of these security threats, showing what they are, how they have been exploited in many places around the world, and how some of the dangers may be avoided. They will also discuss some of the aspects of forensic software analysis.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Bernard A Hodson : <genetix@rogers.com>
Bernie is an IT Researcher and Seeker, with a background of many years in IT. He is a revolutionary IT thinker. Many of the characters who made milestones in IT research and Development - Bernie knew, and was on speaking terms with them. Such Knowledge will, undoubtedly, be embodied in his future articles as is demonstrated above. We must wait ....! Wait! We must !!!
***********************************************************************************
Canada CISSP - Open Study CISSP Site : Clement Dupuis CD CISSP
***********************************************************************************
THE CISSP OPEN STUDY GUIDES (OSG) at <http://www.cccure.org>

All Security Professionals interested in helping those who are reading for the CISSP certification will be welcomed. By the same token, if you desire further information concerning the CISSP in your part of the World, Email :-
          Contact    cdupuis@cccure.org
           ********  tenovus@ncf.ca

Register for Clement's News Letter - Now getting serious - a must !!

Remember - OCSIG and CISSP OSG -- Two great Canadian products
**********************************************************************************
OCSIG - The Third ISESTORM - Barcelona Spain
**********************************************************************************
From April 1 - 8, the third ISESTORM training will be held in Barcelona at La Salle-URL University. ISESTORM is the premium security training laboratory for ISECOM. And it's provided at cost.

This is a Security Certification Review and training event which focuses on the application of knowledge to enable the student to take what is learned back into the real world and actually apply it immediately. Many training courses focus on certification preparation. ISESTORM is a certification application.

Within those 6 days all attendees will work interactively among other professionals to learn and practice for the OPSA exam, the BS 7799 / ISO 27000 Auditor exam and the CISSP exam. The OPST review and exam will be made available to all registered students interested.

For more details, see http://www.isestorm.org.
--
Pete Herzog - Managing Director - pete@isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
-------------------------------------------------------------------
ISECOM is the OSSTMM Professional Security Tester (OPST), OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool Teacher certification authority !!!!.

Rumour has it ! Clement will be there !!!

***********************************************************************************
OCSIG - Dr. Urs E. Gattiker - Fighting spam : obstacles we need to move
***********************************************************************************
<www.ISNM.de - Luebeck>
Just a few Notes, re Big Brother, from my Desk for OCSIG :-

Fighting spam - some obstacles we need to move out of the way
Spam is a menace and we have yet to resolve this challenge because we have various obstacles in front of us:
1) Over 90% of spam is coming from less than 5 countries and the U.S. is one of them (1st related story). However, blacklists (ISP ranges from which no e-mail is being accepted) may raise ethical and economical concerns, whereby some if not many may have to suffer because of some misdeeds of a few.
2) Even if we have regulation that should work (e.g., Australia, 2nd related story), black lists are not advisable because in some countries they may violate local regulation (see 3rd related story).
3) Having regulation that works on paper requires collaboration and coordination across national boundaries to make it work in practice, as the EU is trying to accomplish. However, as the Danish Consumer Ombudsman pointed out (4th related story) a while back, coordination requires that similar agencies enforce the rules in various countries. Unfortunately, this is not the case NOW in the EU and it is making things quite difficult (this comes from a country's overseer of spam who has been quite successful in court fighting the menace with huge fines for the corporate violators - 5th related story). So what about the technical solution?

4) Remember the talk about Sender ID versus DNS (DomainKeys) for authentication of email? Well, a new draft (3rd one in fact) is out regarding DNS authentication (valid until March 2006) describing this approach and its rationale. The Sender ID approach might die because of some patent issues that were raised a while back by the open source community
<http://freebies.weburb.org/newsservice/link/3916/http://www.ietf.org/internet-drafts/draft-delany-domainkeys-base-03.txt>

In the next posting we explain how it works regarding Domain-based Email Authentication Using Public-Keys Advertised in the DNS (DomainKeys)
RELATED STORIES:
Where Does Most Spam come From? - Survey Says... 99% From 5 Countries
 - http://security.weburb.dk/frame/show/news/3413
Value-Centered Computing to Bridge the Social-Technical Gap - The Effective EC Approach to Fight Spam
 - http://security.weburb.dk/frame/show/news/3500
Regulation that Matters - Case Law - Germany / Karlsruhe -- Court Ruling Telecommunications Act (TKG) - Section 88
 - http://security.weburb.dk/frame/show/news/3761
Regulation - European Union (EU) - Contact Network of Spam-Enforcing Authorities (CNSA)
 - http://security.weburb.dk/frame/show/news/3546
Debitel gets Record Fine for Mobile Spam in Denmark
 - http://security.weburb.dk/frame/show/news/3613
Sender ID versus DNS (DomainKeys) based Authentication for EMails - Winner is?
 - http://security.weburb.dk/frame/show/news/3451

** End of My Missive but, await further developments !

By the Way - I do Sleep, so comments on that point can be closed !

Best Wishes from Dr. Urs E. Gattiker : <http://www.ISNM.de - Luebeck>

QUESTIONS, comments, ideas? Cheer me up at: <SecurityNews.WebUrb.org>
EU-IST News (ISSN:1600-1869) from CyTRAP.org/training

************************************************************
*********************
OCSIG - Dr. Mich Kabay Internet links pose image and legal
problems
************************************************************
*********************
In my last column, I discussed a reader's question about
links 
from an intranet server to pages on Internet servers. This 
second article of three looks at a related question: the
risks 
of pointing to external non-organizational Web sites from a 
corporate Internet server.
   
  In addition to the issues of integrity and availability 
mentioned in the previous article, there's always the
problem of 
lack of control over where users - especially customers or 
potential customers - will end up when they follow a link
from a 
corporate site into the greater Internet. What may have been
an 
inoffensive, useful page or document last week may be a 
salacious, tendentious, pornographic, libelous or otherwise 
embarrassing destination this week. The public relations 
department will surely be concerned about the implications
of 
external linkages on any corporate Web page.
   
  Does linking to another site imply approval or endorsement
of 
whatever is on that site? In 1997, the German government
filed 
charges against Angela Marquardt, the 25-year-old, 
blue-and-purple-haired deputy leader of the communist Party
of 
Democratic Socialism, for linking from her Web page to a
banned 
issue magazine called _Radikal_. The issue of _Radikal_ was 
banned because it included detailed instructions on how to 
sabotage railway lines.
   
  According to the public prosecutor, "It has nothing to do with censorship. Criminally relevant materials are subject to classification by the district attorney or criminal prosecutors."

  In early June, the court hearing opened and adjourned after an hour so the magistrates could arrange for expert testimony to explain the 'Net and the Web when the case reconvened toward the end of June. On June 30, the court ruled that maintaining a hyperlink to objectionable material is not tantamount to publication of that material.

  Linking to another organization's Web pages can open one to a lawsuit. In a startling display of cluelessness about the history and even the definition of the World Wide Web, Ticketmaster Group sued Microsoft in April 1997 for including a hot link from Microsoft Web pages to Ticketmaster Web pages without a formal agreement granting permission for such links (a practice now known as "deep linking"). The problem apparently stemmed from Ticketmaster's perceptions that Microsoft was deriving benefit from the linkage but bypassing Ticketmaster's advertising.

  A few weeks later, Ticketmaster programmed its Web pages to lead all Sidewalk users trying to follow unauthorized links to a dead end, where they were confronted with the statement, "This is an unauthorized link and a dead end for Sidewalk. Ticketmaster does not have a business relationship with Sidewalk and you do not need them to visit us. They want to traffic on our good name and your desire for information on live entertainment events to sell advertising for their sole benefit while offering nothing in return."

  In another case, Hollywood photographer Gary Bernstein sued several Web operators in September 1998 for having links - even indirect links - to a site that contained pirated copies of his works. In other words, his lawyers argued that the contamination spread along Web links: from the bad site to all those who linked to it and then to all the sites that linked to the sites that linked to the copyright infringer. By this reasoning presumably every owner of a Web site on the planet should be liable. Luckily, Los Angeles Federal District Court Judge Manuel Real dismissed the indirect linkage, and Bernstein withdrew his entire suit.

  In my next and last article in this short series, I will discuss policies about external links.
   
 
************************************************************************
Dr. M.E. Kabay is Associate Professor of Information Assurance at Norwich University in Northfield, VT and is also Program Director for the Norwich M.Sc. in Information Assurance <http://www3.norwich.edu/msia>, an 18-month-long online distance-education degree focusing on Information Assurance management.
**************************************************
Mich can be reached by e-mail at <mkabaynorwich.edu> and his Web site at <http://www2.norwich.edu/mkabay/index.htm>
*************************
Do not miss - Norwich University Journal of Information Assurance aka (NUJIA) ! ! ! See: <http://nujia.norwich.edu/>
************************************************************************
OCSIG - Frank R Zeitlhofer - Sarbanes Oxley - Historical review?
************************************************************************
Section 404 of the Act requires management to assess the effectiveness of the companies' controls and procedures and present a written assessment to their auditors. The outside auditors are then required to attest to their assertions.

  I have restated the SOX statement above to even remind myself of the base of a discussion I had with a very much retired Chartered Accountant.

  My friend was of the opinion that SOX was a natural result of years of "self rule" now proven to be of no avail and now the State has intervened.

  In 1931, Spicer and Pegler, great stalwarts of the accountancy profession, defined the treatment of Work in Process in the Balance Sheet as being stated always at cost. Again, a sale is made when a company has received an order, made delivery and sent an invoice for the goods or services. Inventory related to those goods/materials on site and for which invoices have been received. Inventory without invoices was to be costed and the sum entered as an accrued liability.

  Similar points were made by such as Dr Abs (Deutsche Bank): Directors of Public Companies should hold company shares equal in value to the total of their (Annual Salary and Expenses) and that such total be adjusted and verified each year and be included and scheduled in the annual report to shareholders. (1960)

  In the matter of bonuses to directors, probably the remarks of the GM of The Discount Bank (Overseas) Ltd, Harry Reconnati, were the most erudite. <Bonuses intended to be paid to Directors of Public Companies should be calculated on an annual basis - provided for; yet, held for two years in reserve - in other words paid two years in arrear> (1964)

  One must wonder why such advice was not acted upon and included in the various acts of company legislation prior to SOX.

  One item has emerged, namely the realization of the all embracing facets of SOX - more thoughts to follow.
 
********************************************************
Frank R. Zeitlhofer is Vice President of Staslog Limited
Contact Frank at 613-831-0536 or email at <staslogsympatico.ca>
<http://www.staslog.com>

********************************************************
Mr Frank Zeitlhofer is a professional with over thirty years experience in Transportation relative to Sea, Air and Land. Mr Zeitlhofer completed his Canadian Institute of Traffic and Transportation with the University of Toronto and the American Society of Transportation and Logistics with the University of Baltimore, and qualified with the Chartered Institute of Transport and Logistics in the United Kingdom.
Mr Zeitlhofer holds the professional designations: CITT (Can), CTL (USA), MCIT (UK), P.Log (Can), PMM (Can)
***************************************************
OCSIG - The Foundation
**********************************************************
The OCSIG started in 1987 with the express intention of bringing together Security Professionals for the purpose of discussing common security work problems. At that time, there was very little interchange of ideas relating to security in Ottawa. In those days most security problems related to Physical Security - IT Security was still classed as an EDP Audit problem. The Security Professionals who formed the SIG were dedicated. They believed that a society could be formed from professionals for professionals. In so doing, such a society should be FREE of annual fees for all members. Time should be freely given by each professional for the benefit of the new entrants. In other words the society was intended to be not only a forum but educative in its endeavours. Educative because the professionals realized that this was, to some degree, a new profession and much needed to be done. The OCSIG News Letter based on these principles now circulates to over 1400 members across the World.
***********************************************************************************
Your opinion really does count.
Please feel free to share this with interested parties via Email (not on bulletin boards). For a free subscription, e-mail <tenovusncf.ca> subject: Subscribe
You may also Email <tenovusncf.ca> with complete instructions for subscribe, un-subscribe, change address, or any other comments.
End
 
************************************************************
***********************