In 2017 my Website was migrated to the clouds and reduced in size.
Hence some links below are broken.
One thing to try if a “www” link is broken is to substitute “faculty” for “www”
For example a broken link http://www.trinity.edu/rjensen/Pictures.htm
can be changed to corrected link http://faculty.trinity.edu/rjensen/Pictures.htm
However in some cases files had to be removed to reduce the size of my Website
Contact me at rjensen@trinity.edu if you really need to file that is missing

Warning 1:  Many of the links were broken when the FASB changed all of its links.  If a link to a FASB site does not work , go to the new FASB link and search for the document.  The FASB home page is at http://www.fasb.org/ 

Warning 2:  In February 2008 the FASB for the first time allowed users free access to its "FASB Accounting Standards Codification" database. Access will be free for at least one year, although registration is required for free access. Much, but not all, information in separate booklets and PDF files may now be accessed much more efficiently as hypertext in one database. The document below has not been updated for the Codification Database. Although the database is off to a great start, there is much information in this document and in the FASB standards that cannot be found in the Codification Database. You can read the following at http://asc.fasb.org/asccontent&trid=2273304&nav_type=left_nav

Welcome to the Financial Accounting Standards Board (FASB) Accounting Standards Codification™ (Codification).

The Codification is the result of a major four-year project involving over 200 people from multiple entities. The Codification structure is significantly different from the structure of existing accounting standards. The Notice to Constituents provides information you should read to obtain a good understanding of the Codification history, content, structure, and future consequences.

Click here to view the Notice to Constituents (Adobe Acrobat format).

Facebook is perhaps the ultimate example of the old, wise saying: If you aren’t paying for a product, then you ARE the product
Comparisons of Antivirus Software ---
http://en.wikipedia.org/wiki/Comparison_of_antivirus_software#Microsoft_Windows

 Bob Jensen's Introduction to e-Business and e-Commerce
http://faculty.trinity.edu/rjensen/ecommerce/000start.htm

Bob Jensen at Trinity University

Top 25 Google e-searches of the month
          Most Popular Web Sites 2006 - 2007 --- http://www.webtrafficstation.com/directory/
          WebbieWorld Picks --- http://www.webbieworld.com/default.asp

How E-commerce Works --- http://money.howstuffworks.com/ecommerce.htm 

Who Really Started the Internet?

Bob,
I see that you’ve shared a Iot information in the past so I wanted to drop you a quick email to tell you about our ‘State of Internet of Things’ graphic which might be of interest -
 http://www.appcessories.co.uk/blog/the-state-of-internet-of-things-in-six-visuals/

Revenue Recognition Accounting Fraud (much of this fraud is in ecommerce) --- http://faculty.trinity.edu/rjensen/ecommerce/eitf01.htm

Electronic Commerce:  The Fastest Growing Phenomenon in World Commerce

Electronic Commerce:  Special Problems Arising for Accountants and Auditors  

Electronic Commerce:  Webledgers  

Electronic Commerce:  Revenue Accounting Problems and Related Financial Accounting Issues --- http://faculty.trinity.edu/rjensen/ecommerce/eitf01.htm 

Electronic Commerce:  Training and Education Issues 

Electronic Commerce:  Assurance Services Opportunities and Risks 

Illustration of Topics in a Continuous Assurance Symposium 

Investor Relations and Internet Reporting  

XBRL Will Change the World of Financial Reporting and Analysis --- 
http://faculty.trinity.edu/rjensen/XBRLandOLAP.htm#XBRLextended 

Education and Online Training Issues  

A Special Section on Computer and Networking Security (including spam fighters)  

Comparisons of Antivirus and AntiMalware Software --- http://en.wikipedia.org/wiki/Comparison_of_antivirus_software#Microsoft_Windows

Cybersecurity Curriculum Resources --- https://niccs.us-cert.gov/education/curriculum-resources

Facebook is perhaps the ultimate example of the old, wise saying: If you aren’t paying for a product, then you ARE the product
Comparisons of Antivirus Software ---
http://en.wikipedia.org/wiki/Comparison_of_antivirus_software#Microsoft_Windows

Introduction (with a personal account of my own problems)

"I challenged hackers to investigate me and what they found out is chilling," by Professor Adam L. Penenberg (NYU)

Hackers Trick Email Systems Into Wiring Them Large Sums

Social Scams

Internet of Things

College Professor: I Lost Tons Of Critical Files Because Of Dropbox

Big Google Becomes Big Brother

How to track a stolen iPhone

Chinese Water Army

Cloud Security

How to make stolen laptop data useless to thieves

Is your data safe? Survey reveals scandal of snooping IT staff

Bad News for Wireless Routers at Home

Protecting security while using public a network in a library, cyber cafe, hotel, or wherever

Viruses, Phishing, Smishing, and Worms and Malware

Spyware  (and SiteAdvisor)

Cell Phone Records are for Sale 

Question
When might you want to run Linux on your Windows computer?
"E-Banking on a Locked Down (Non-Microsoft) PC," by Brian Krebs
http://faculty.trinity.edu/rjensen/FraudReporting.htm#IdentityTheft 

Pretexting

Cookies 

Spam Blocking 

Searching Dangers:  Beware of Search Engines

Hacking Into Systems

Security on Public Wireless Networks

Denial of Service Attacks 

Spy Tools:  How safe are unlisted phone numbers?

Forget Big Brother, Now You Are Being Watched by Almost Anybody

Weapons of Information Warfare  

Threads on Firewalls --- Go to  http://faculty.trinity.edu/rjensen/firewall.htm 

Identity Theft http://faculty.trinity.edu/rjensen/FraudReporting.htm#IdentityTheft 

Encryption

New Tech Tools to Combat Fraud

The Downside: Psychology of Electronic Commerce and Technology 

Intangibles Accounting Issues --- http://faculty.trinity.edu/rjensen//theory/00overview/theory01.htm#TheoryDisputes 

Managerial Accounting Issues --- http://faculty.trinity.edu/rjensen/ecommerce/managerial.htm 

How Can Technology be Used to reduce Fraud? --- http://faculty.trinity.edu/rjensen/ecommerce/managerial.htm#Issue7 

ROI Issues --- http://faculty.trinity.edu/rjensen/roi.htm 

Implications for Auditing and Assurance Services --- 
http://faculty.trinity.edu/rjensen/ecommerce/assurance.htm 

Opportunities of E-Business Assurance & Security:  Risks in Assuring Risk --- http://faculty.trinity.edu/rjensen/ecommerce/assurance.htm 

Accounting Fraud, Forensic Accounting, Securities Fraud, and White Collar Crime

The Controversial Electronic Commerce of Education --- http://faculty.trinity.edu/rjensen/000aaa/0000start.htm

Investor Relations and Internet Reporting   

Education and Training   

Evaluation of Websites 

Search for Internet, e-Commerce, or e-Business Phrases

Top Year 2002 Accounting Technologies 

Bob Jensen's Threads on Electronic Commerce --- 
http://faculty.trinity.edu/rjensen/ecommerce.htm 

Bob Jensen's Threads on Electronic Commerce in College Curricula --- 
http://faculty.trinity.edu/rjensen/ecommerce/curricula.htm 

Accounting Threads

• Bob Jensen's Tutorials on eCommerce, eBusiness, and eEducation
  
  
• Threads on Fees and Choosing Accountants, Financial Advisors, and Consultants
  
  
• FAS 133 Threads (including audio links to experts)
  
  
• Accounting Theory
  
  
• Accounting Information Systems

• Enterprise Resource Planning (ERP) Education Modules
  
• Assigments
  
•   Helpers

• Accounting Fraud, Forensic Accounting, Securities Fraud, and White Collar Crime
  
  
• Opportunities of E-Business Assurance:  Risks in Assuring Risk
  
  
• A Special Section on Computer and Networking Security  
  
  
• Threads on Firewalls
  
  
• Bob Jensen's Technology Glossary
  
  
• Computers in Accounting: Past, Present, and Future
  
  
• Bob Jensen's Threads on the Decline in Accounting Majors in U.S. Colleges 
   
  
• CPA --- Career Passed Away
  
  
• Glossaries
  
  
• Bob Jensen's Threads on Real Options, Option Pricing Theory, and Arbitrage Pricing Theory 
  
  
• Bob Jensen's Threads on Return on Investment (ROI)
  
  

Bob Jensen's Threads on Accounting Fraud, Forensic Accounting, Securities Fraud, and White Collar Crime

Bob Jensen's Technology Glossary

Bob Jensen's threads on computer security are under "Security" (in the S-Terms) at http://faculty.trinity.edu/rjensen/245gloss.htm
Also look under the C-Terms for "Cookies."

Top 25 Google e-searches of the month
          Most Popular Web Sites 2006 - 2007 --- http://www.webtrafficstation.com/directory/
          WebbieWorld Picks --- http://www.webbieworld.com/default.asp

I created a timeline of major happenings (on a timeline) leading up to the eXtensible Business Reporting Language (XBRL) and On LIne Analytical Process (OLAP) systems.  Overviews of XML, VoiceXML, XLink, XHTML, XBRL, XForm, XSLT, RDF and the Semantic Web are also provided --- http://faculty.trinity.edu/rjensen/xmlrdf.htm

This is what Professor Jim Mahar says about ERisk in the March 24, 2003 edition of TheFinanceProfessor (an absolutely fabulous newsletter) --- www.FinanceProfessor.com 

Erisk.com. I simply love the site. I know it has been site of the week before, but it is so good, it earned it again. Try it, you’ll love the case studies and the newsletter! http://www.erisk.com

ERisk --- http://www.erisk.com/ 

ERisk is the leading provider of strategic solutions for risk and capital management. We deliver a unique combination of world-class analytics for risk-based capital, strategic risk management expertise, risk transfer advice and risk information.

You can find out more about our products and services in the Overview section. On this page, you can find out more about the people and ideas that power our company.

The ERisk Report --- http://www.erisk.com/about/about_company.asp?ct=n#report 

The ERisk Report is a concise monthly briefing for senior financial executives. Every month, contributors from ERisk's team of risk management experts address today's most pressing issues in strategic risk and capital management. Sign up today for your personal copy of this cutting-edge publication!

Vol 1.6: Measuring the return on risk management; leveraging the economic benefits of risk management

Vol 1.5: Putting the real value on customer relationships; rolling out risk management

Vol 1.4: Making risk more transparent; fed takes pulse of economic capital practices

Vol 1.3: Credit scoring: robots versus humans; James Lam's three lessons from Enron

Vol 1.2: Weathering credit losses; regulators line up behind economic capital

Vol 1.1: Revamping your credit ratings system; measuring bank profitability

The ERisk Portal --- http://www.erisk.com/portal/home.asp 
Resources for Enterprise Risk Management

ERisk today continues to successfully develop and install its analytics at client sites, conduct high-value consulting engagements, offer unbiased advice on risk transfer alternatives, and attract thousands of readers to the ERisk portal.

"New e-Accounting Advisor Network Debuts," SmartPros, September 29, 2003 --- http://www.smartpros.com/x40720.xml 

Insynq Inc., a provider of Internet-delivered online accounting solutions and services, has launched an online advisor network to assist the accounting professional by supporting back-office processing requirements on a highly cost-efficient basis.

The e-Accounting Advisor Provider Network (http://eaccounting.cpa-asp.com) has created a new cost-effective resource for practices of all sizes to use to expand their practice, or to provide the opportunity of higher gross margins, Insynq announced. Through the use of business process outsourcers -- such as call centers, payroll and HR processing services -- professional practices are able to improve client services, expand their practices, and improve practice profitability.

"These accountants have gained a comprehensive solution that combines our online accounting technology services with business process outsourcing models," said Insynq president John Gorst. "e-Accounting is one of the few providers in the industry with a service model that encompasses online accounting applications, data management, document management and workflow tools."

Insynq will co-sponsor a series of seminars in the top 25 U.S. markets over the next four months for CPAs, accountants and bookkeepers that explain the online accounting model. These seminars will detail the outsourced accounting opportunity, and demonstrate the benefits of using business process outsourcers in support of practice initiatives.

Who Really Started the Internet?

Internet History --- http://en.wikipedia.org/wiki/History_of_the_Internet

Question
Have I been wrong about crediting the ARPANET  in 1969 (and Al Gore) all these years?

By December 5, 1969, a 4-node network was connected by adding the University of Utah and the University of California, Santa Barbara. Building on ideas developed in ALOHAnet, the ARPANET grew rapidly. By 1981, the number of hosts had grown to 213, with a new host being added approximately every twenty days.

"Who Really Invented the Internet? Contrary to legend, it wasn't the federal government, and the Internet had nothing to do with maintaining communications during a war," by Gordon Crovitz, The Wall Street Journal, July 22, 2012 ---
http://professional.wsj.com/article/SB10000872396390444464304577539063008406518.html?mod=djemEditorialPage_t&mg=reno64-wsj

A telling moment in the presidential race came recently when Barack Obama said: "If you've got a business, you didn't build that. Somebody else made that happen." He justified elevating bureaucrats over entrepreneurs by referring to bridges and roads, adding: "The Internet didn't get invented on its own. Government research created the Internet so that all companies could make money off the Internet."

It's an urban legend that the government launched the Internet. The myth is that the Pentagon created the Internet to keep its communications lines up even in a nuclear strike. The truth is a more interesting story about how innovation happens—and about how hard it is to build successful technology companies even once the government gets out of the way.

For many technologists, the idea of the Internet traces to Vannevar Bush, the presidential science adviser during World War II who oversaw the development of radar and the Manhattan Project. In a 1946 article in The Atlantic titled "As We May Think," Bush defined an ambitious peacetime goal for technologists: Build what he called a "memex" through which "wholly new forms of encyclopedias will appear, ready made with a mesh of associative trails running through them, ready to be dropped into the memex and there amplified."

That fired imaginations, and by the 1960s technologists were trying to connect separate physical communications networks into one global network—a "world-wide web." The federal government was involved, modestly, via the Pentagon's Advanced Research Projects Agency Network. Its goal was not maintaining communications during a nuclear attack, and it didn't build the Internet. Robert Taylor, who ran the ARPA program in the 1960s, sent an email to fellow technologists in 2004 setting the record straight: "The creation of the Arpanet was not motivated by considerations of war. The Arpanet was not an Internet. An Internet is a connection between two or more computer networks."

If the government didn't invent the Internet, who did? Vinton Cerf developed the TCP/IP protocol, the Internet's backbone, and Tim Berners-Lee gets credit for hyperlinks.

But full credit goes to the company where Mr. Taylor worked after leaving ARPA: Xerox. It was at the Xerox PARC labs in Silicon Valley in the 1970s that the Ethernet was developed to link different computer networks. Researchers there also developed the first personal computer (the Xerox Alto) and the graphical user interface that still drives computer usage today.

According to a book about Xerox PARC, "Dealers of Lightning" (by Michael Hiltzik), its top researchers realized they couldn't wait for the government to connect different networks, so would have to do it themselves. "We have a more immediate problem than they do," Robert Metcalfe told his colleague John Shoch in 1973. "We have more networks than they do." Mr. Shoch later recalled that ARPA staffers "were working under government funding and university contracts. They had contract administrators . . . and all that slow, lugubrious behavior to contend with."

So having created the Internet, why didn't Xerox become the biggest company in the world? The answer explains the disconnect between a government-led view of business and how innovation actually happens.

Executives at Xerox headquarters in Rochester, N.Y., were focused on selling copiers. From their standpoint, the Ethernet was important only so that people in an office could link computers to share a copier. Then, in 1979, Steve Jobs negotiated an agreement whereby Xerox's venture-capital division invested $1 million in Apple, with the requirement that Jobs get a full briefing on all the Xerox PARC innovations. "They just had no idea what they had," Jobs later said, after launching hugely profitable Apple computers using concepts developed by Xerox.

Xerox's copier business was lucrative for decades, but the company eventually had years of losses during the digital revolution. Xerox managers can console themselves that it's rare for a company to make the transition from one technology era to another.

As for the government's role, the Internet was fully privatized in 1995, when a remaining piece of the network run by the National Science Foundation was closed—just as the commercial Web began to boom. Economist Tyler Cowen wrote in 2005: "The Internet, in fact, reaffirms the basic free market critique of large government. Here for 30 years the government had an immensely useful protocol for transferring information, TCP/IP, but it languished. . . . In less than a decade, private concerns have taken that protocol and created one of the most important technological revolutions of the millennia."

It's important to understand the history of the Internet because it's too often wrongly cited to justify big government. It's also important to recognize that building great technology businesses requires both innovation and the skills to bring innovations to market. As the contrast between Xerox and Apple shows, few business leaders succeed in this challenge. Those who do—not the government—deserve the credit for making it happen.

Personal Computer History
"Forgotten PC history: The true origins of the personal computer --- The PC's back story involves a little-known Texas connection," by Lamont Wood, Computer World, August 8, 2008 --- Click Here

Steve Jobs at the Smithsonian --- http://www.si.edu/Exhibitions/stevejobsputational Science Education Reference Desk --- http://www.shodor.org/refdesk/

Timeline of Computing History --- http://www.computer.org/computer/timeline/ 

Making the Macintosh --- http://library.stanford.edu/mac/index.html

History of Computing
Internet Archive: Computers & Technology --- http://archive.org/details/computersandtechvideos

History of Computing
Internet Archive: Computers & Technology --- http://archive.org/details/computersandtechvideos

The History of Computing --- http://ei.cs.vt.edu/~history/ 

Steve Jobs at the Smithsonian --- http://www.si.edu/Exhibitions/stevejobs

American University Computer History Museum --- http://www.computinghistorymuseum.org/ 

The Apple (Computer) Museum  --- http://www.theapplemuseum.com/ 

A History of Microsoft Windows (slide show from Wired News) --- http://www.wired.com/gadgets/pcs/multimedia/2007/01/wiredphotos31

Oldcomputers.com  --- http://www.old-computers.com/news/default.asp

Aesthetics + Computation Group: MIT Media Laboratory --- http://acg.media.mit.edu/projects/

Digital History - Multimedia --- http://www.digitalhistory.uh.edu/multimedia.cfm

Portland State University Digital Repository --- http://dr.archives.pdx.edu/xmlui/

Dartmouth Digital Collections: Books --- http://www.dartmouth.edu/~library/digital/collections/books.html

The University of Michigan Digital Humanities Series---
 http://www.digitalculture.org/books/book-series/digital-humanities-series/

From SUNY Albany: How to Improve Your Digital Photography
Interactive Media Center: Digital Image Information --- http://library.albany.edu/imc/tutimages.htm

Computational Science Education Reference Desk --- http://www.shodor.org/refdesk/

Digital Forensics and Cyber Security Center at the University of Rhode Island ---
http://www.dfcsc.uri.edu/

Cyberdeterrence and Cyberwar --- http://www.rand.org/pubs/monographs/MG877.html

Bob Jensen's threads on computing and network security ---
http://faculty.trinity.edu/rjensen/ecommerce/000start.htm#SpecialSection

Electronic Commerce

ONLINE SPENDING CLIMBED 25% during the holiday season from a year earlier, a survey found.
Desiree J. Hanford, The Wall Street Journal, January 4, 2005 --- http://online.wsj.com/article/0,,SB110478868075315675,00.html?mod=technology_main_whats_news

Question
What turns Web retailing into eCommerce?

Answer
A special feature about eCommerce is revenue collection over the Internet.  Today that revenue collection typically entails online credit card transacting.  

Bob Jensen's threads on accounting for electronic commerce are at http://faculty.trinity.edu/rjensen/ecommerce.htm 

"E-tailing Comes of Age," by Nick Wingfield, The Wall Street Journal, December 8, 2003 --- http://online.wsj.com/article/0,,SB10708342997640400,00.html?mod=technology%5Ffeatured%5Fstories%5Fhs 

Dot-com retailers had a message for bricks-and-mortar stores at the start of the 1999 holiday season: We're coming after you.

A year or two later, traditional retailers had their revenge, of course, when stock certificates of such companies as Pets.com Inc., eToys Inc. and Webvan Group Inc. were fit for little more than wrapping paper. With some notable exceptions -- including Amazon.com Inc. and eBay Inc. -- established stores and catalog companies ended up snaring most of the online sales.

But something surprising happened: Some small Web-only retailers refused to die. A handful in unlikely categories such as jewelry, shoes and luggage are profitable and growing far more quickly than their offline counterparts.

These specialty online retailers are prospering at a time when overall online sales are booming. Consumers are expected to spend $12.2 billion online this year in the Thanksgiving-to-Christmas period, up 42% from last year, according to Forrester Research of Cambridge, Mass. The growth reflects a steady shift of retail spending to the online world, as consumers grow more comfortable with the Internet and the spread of high-speed home connections makes browsing and ordering simpler. Online shopping also tends to be more weather-proof; many snowbound Northeasterners ventured out into cyberspace instead of the elements to continue their holiday shopping this past weekend.

Still, a mere 4.5% of total retail spending is expected online this year, compared with 3.6% in 2002. But even the small shift in retail sales represents a combined billions of dollars for Internet retailers.

Traditional retailers are doing their best to keep holiday customers clicking on their sites by offering good deals. Some are discounting heavily; free-shipping offers are commonplace. Gap Inc., for instance, is waiving standard delivery fees on orders of $100 or more until Dec. 15.

Continued in the article

There were 50 global online users of the new World Wide Web in 1990.  The worldwide growth is connected consumers, businesses, and other types of organizations is staggering.  A study conducted by IDC (2001) estimates the following at http://www.filmsoho.com/marketing/marketing_internet.html 

 Use of the Internet continues to grow rapidly worldwide. This growth is fuelling e-commerce transactions which are one barometer of the commercial success of the medium. Almost 1 billion people (about 15 percent of the world's population) are forecast by research firm International Data Corp to be using the Internet by 2005. IDC foresee a spending of more than $5 trillion in Internet commerce representing a staggering 70 percent compound annual growth rate from last year's Internet spending of $354 billion in 2000.

The adoption of the Internet as a communications tool is still undergoing explosive growth. In the developed world the proliferation of mobile phones and other Internet access devices will maintain these growth rates even once PC penetration has reached saturation.

Growth statistics are provided the following sites:

Electronic Commerce - A Leading Definition --- http://www-cec.buseco.monash.edu.au/links/ec_def.html 

A broad definition of 'electronic commerce' is provided by Electronic Commerce Australia (ECA, formerly EDICA) in its 1994 Annual Report as:

The process of electronically conducting all forms of business between entities in order to achieve the organisation's objectives.

The term 'electronic commerce' embraces electronic trading, electronic messaging, EDI, EFT, electronic mail (e-mail), facsimile, computer-to-fax (C-fax), electronic catalogues and bulletin board services (BBS), shared databases and directories, continuous acquisition and lifecycle support (CALS), electronic news and information services, electronic payroll, electronic forms (E-forms), online access to services such as the Internet (discussed later), and any other form of electronic data transmission.

For example, medical and clinical data, data related to taxation, insurance, vehicle registration, case information involving legal proceedings, immigration and customs data, data transmitted for remote interactive teaching, video-conferencing, home shopping and banking, EDI purchase orders and remittance advices - are all applications of electronic commerce.

The term 'electronic commerce' is sometimes incorrectly used as an alternative to EDI. EDI, a subset of electronic commerce, refers specifically to the inter-company or intra-company transmission of business data in a standard, highly structured format. Electronic commerce, however, includes structured business data and unstructured messages or data, such as electronic memos sent via e-mail.

Another term, 'electronic trading', is commonly used to refer to electronic transactions which occur in the procurement of goods and services. Electronic trading uses structured and/or free-form messages. Electronic trading can also be considered a sub-set of electronic commerce.

Small Business Administration: Free Online Courses (video) ---  http://www.sba.gov/services/training/onlinecourses/index.html

"Amazon Finally Clicks:  Ten years old and profitable at last, it offers a textbook lesson on how to be both focused and flexible," by Russ Banham, CFO Magazine, Spring 2004 Special Issue, pp. 20-22 --- http://www.cfo.com/article/1,5309,12598||M|846,00.html 

The foosball tables are still there, as are the desks made from sawhorses, plywood, and old doors. And no one wears a tie, not even CFO Thomas J. Szkutak. But if some E-commerce trappings are alive and well at Amazon.com headquarters, others are not. Red ink, for example, has disappeared—at least for now. The company posted its first indisputably (that is, GAAP-based) profitable year in 2003, propelled by strong holiday sales and a weakened dollar, which boosted overseas results.

That has prompted plenty of backslapping in the halls of Amazon's headquarters, a former hospital with an improbable Art Deco design and a postcard view of downtown Seattle and Puget Sound. As it prepares to celebrate its 10th anniversary, Amazon.com is a very different company from the so-called E-tailer that, at the time of its initial public offering in 1997, had to caution would-be investors not to confuse it with Amazon Natural Treasures, a retailer and E-tailer of rain-forest products.

Few would make that mistake today. While still sometimes referred to as an online bookstore, Amazon now boasts a product line that staggers the imagination, from apparel, sporting goods, and jewelry to new services including a feature that lets customers make "1-Click" Presidential campaign contributions.

Behind Amazon's breadth of products and services are myriad business arrangements: some products the company owns, inventories, sells, and ships; others it sells on behalf of third-party retailers. Some of these third-party products Amazon ships and fulfills; others are shipped and fulfilled by the third parties themselves. Among those third parties are thousands of mom-and-pop E-tailers that collectively make Amazon's Marketplace division a perpetual online garage sale surpassed only by E-bay.

With 39 million active customer accounts (based on the number of E-mail addresses from which orders originated in 2003), Amazon seems to be making good on its promise to offer the "Earth's biggest selection of products," or as Szkutak puts it, "to build a place where people can find, discover, and buy anything they want online." To do that, he says, the company has learned—sometimes the hard way—to "start with the customer and work backward."

Working backward has changed Amazon from an online retailer to an E-commerce platform. Today, it is not a store so much as a channel, a place where brand-name third-party retailers, smaller businesses, and just plain folks can hawk their goods to a worldwide clientele. This past holiday season, shoppers traipsed through Amazon to buy products from Gap, Toys "R" Us, True Value Hardware, and Kitchen Etc.—and maybe some kid in Idaho who was trying to unload his slightly dog-eared Harry Potter library. Assembling such a vast collection of partners and building the systems that allow customers to buy from an individual as easily as they buy from a retail giant has not been easy, and analysts praise Amazon's achievements. "Amazon has knocked 10 steps down to 1," says Adam Sarner, a research analyst at Stamford, Connecticut-based technology research firm Gartner Inc. "This is what they mean by 'customer convenience.'"

Jonathan Gaw, a research manager at technology research firm IDC, says, "No one else has this kind of expertise, because no one else has invested the capital to build this kind of infrastructure."

Amazon.com was once viewed as a leading member of the E-commerce vanguard, but most of the followers have fallen by the wayside. True, the survivors—E-bay, MSN, AOL, Yahoo, and Google—have become household names, but success remains precarious and depends on, among other things, the ability to be nimble. Amazon built its brand initially on low-priced books and waited for customers to come bargain-hunting. Today it pulls out all the stops to get people to visit, from "never-before-seen" Bruce Springsteen concert footage to a "secret message" from Madonna. If that sounds like the sort of pop-culture gimmickry one might expect from, say, AOL, there's good reason: the E-commerce giants are out to eat one another's lunch. When Google, for example, announced Froogle, a new service that allows users to search for a product name and be directed only to sites that sell that product, Amazon launched a new subsidiary, A9, devoted to Web searching, and even located its offices close to Google in Silicon Valley. Similarly, the boundaries between the business models of E-bay, Yahoo, and even Microsoft can be hard to discern, as all of these companies seek to protect themselves and to copy whatever seems to work.

Continued in the article

Yahoo's Links to Electronic Commerce Sites

The U.S. Government Knows How to Sell Online (e-Commerce)
From InformationWeek Online May 30, 2001

Uncle Sam Rings Up $3.6B In Online Sales

Look out, Jeff Bezos. Amazon.com Inc.'s $2.8 billion in annual revenue has been eclipsed by another E-commerce contender--a purveyor of flame throwers, burros, and Lamborghini Diablos that generated $3.6 billion in sales last year. The mastermind behind this E-retailing juggernaut? Uncle Sam.

That revelation comes from a recent study by the Pew Internet & American Life Project and Federal Computer Week magazine, which tracked the government's E-commerce activity. Of course, straight revenue comparisons may not be fair. After all, it's not exactly a level playing field for Amazon since the government's $3.6 billion came from 164 sites. That was a bit of a shock for Allan Holmes, editor-in-chief of Federal Computer Week. "When we first started, I had no idea how many sites we would find. I thought maybe a few dozen." Plus, that revenue figure would be significantly lower without the Treasury Department, which generated $3.3 billion from the sale of bonds and notes.

But the remaining $300 million in sales is still a significant achievement, considering the government hasn't done much to promote its efforts. Looking to bid on luxury items such as helicopters or sports cars? Try Bid4Assets, which sells property seized by the U.S. Marshals Service in criminal raids. "The federal government has always had surplus property and auctioned off property seized in drug busts. Now they're able to do it more efficiently and reach more people," Holmes says.

While so many others are still struggling to make the Web pay, Walt Disney's Internet ventures are thriving --- http://www.wired.com/news/business/0,1367,56314,00.html 

LOS ANGELES, November 11, 2002 -- Last year, the Walt Disney Co. surrendered in the Internet portal wars after spending hundreds of millions of dollars to compete against Yahoo!, America Online and others.

But it didn't give up entirely. In a strategic retreat, the company refocused on Web projects that highlighted its core brands, such as ABC News and ESPN, which is the exclusive provider of sports on the MSN service.

That strategy has started to pay off. Last week, Disney announced a modest milestone -- its Internet properties are profitable.

The company doesn't report the results of its Internet properties as a group, so Disney did not provide any profit figure when it reported fourth-quarter earnings. But the company said profits from individual sites, led by ESPN and Disney's online store; from licensing content to other Internet sites; and from advertising and subscriptions pushed online operations into the black.

Disney's Internet ventures contribute only about several hundred million dollars to the company's $25 billion in annual revenue. Nonetheless, Disney can say it is profiting online while so many others are still struggling to make the Internet pay.

"I feel good that we've been able to sort of figure it out," said Steve Wadsworth, president of the Walt Disney Internet Group.

What Disney learned and other companies are discovering is that it's best to abandon a one-size-fits-all approach to the Web.

"There is not one single formula that is going to work," said Charlene Li, principal analyst for Forrester Research, a technology consulting firm based in Cambridge, Mass. "What works for Disney.com and its characters isn't the same thing that will work for ESPN. Even The New York Times and The Boston Globe are completely different. They're owned by the same company, but they use completely different approaches."

Disney's announcement of its modest profit is a victory of sorts for chairman and CEO Michael Eisner. During the heyday of e-commerce, he resisted pressure to merge with Yahoo or Microsoft, even after AOL merged with Time Warner.

Today, AOL is struggling, weighed down by declining advertising revenue and a government investigation into its accounting practices. Chairman Steve Case reportedly has considered separating the companies.

Continued at http://www.wired.com/news/business/0,1367,56314,00.html 

Webledger alternatives are becoming a much bigger deal in accounting information systems.  I suspect that many accounting educators are not really keeping up to date with the phenomenal growth in vendor services.

I am a strong advocate of Webledger accounting and information systems.  
In my viewpoint they are the wave of the future for small and even medium-sized business and other organizations.  The main obstacle is overcoming the natural tendency to fret over having data stored with a Webledger vendor.  But the advantages of cost savings (e.g., savings not having to employ technical database and IT specialists. savings in hardware costs, and savings in software costs), advantages of worldwide access over the Internet, and advantages of security (due to the millions invested by vendors to ensure security) far outweigh the disadvantages until organization size becomes so overwhelming that Webledgers are no longer feasible for accounting ledgers, inventory controls, payroll processing, billings, etc.

Webledger software and databases offer accounting, bookkeeping, inventory control, billings, payrolls, and information systems that can be accessed interactively around the globe.  Companies and other organizations do not maintain the accounting systems on their own computers.  Instead, the data are stored and processed on vendor systems such as the Oracle database systems used by NetLedger.

NetLedger is part of the NetSuite described at http://www.netledger.com/portal/home.shtml

Click on the "See One System in Action" Link

NetSuite's all-in-one business management application allows each user to work off the same, real-time information, but with a user interface and functionality appropriate to them. Watch the role-based demo

As a project in Fall of 2000, a team of my students set up an accounting system on Netledger.  This team's project report is available at http://faculty.trinity.edu/rjensen/acct5342/projects/Netledger.pdf

Bob Jensen’s threads on Webledgers can be found at http://faculty.trinity.edu/rjensen/webledger.htm 

A Guide to E-Commerce at http://e-comm.internet.com/

An Electronic Encyclopedia  at http://e-comm.internet.com/library/glossary.html
A longer listing of this and similar glossaries can be found at http://faculty.trinity.edu/rjensen/245gloss.htm

U.S. Policy on E-Commerce at http://www.ecommerce.gov/

Electronic Books Directory (U. Mn.)

Electronic Commerce World: On-line journal for electronic commerce - Articles, Resource Directory, Discussions

Electronic Commerce:  Special Problems Arising for Accountants and Auditors  

Question
Were accountants responsible for the dotcom bubble and burst at the turn of the Century?

Jensen Answer
The article below fails to directly mention where auditors contributed the most to the 1990's bubble. The auditors were allowing clients to get away with murder in terms of recognizing revenue that should never have been recognized. The dotcom companies were not yet making profits but were full of promise as the bubble filled with hot air. In financial reporting (especially in pro forma reporting) dotcom companies shifted the attention from profit growth to revenue growth. But much of the revenue growth they got away with reporting was due to bad judgment on the part of their auditors. Corrections finally began to appear after the EITF belatedly made some bright line decisions --- http://faculty.trinity.edu/rjensen/ecommerce/eitf01.htm

I give auditors F grades when auditing the hot air balloons of dotcom companies. This shows what can happen when we let judgment overtake some of the bright line rules in accounting standards. Auditors were supposed to have "principles" when they had no bright lines to follow. The auditing firms demonstrated their lack of professional principles in the 1990s.
 

"Were accountants responsible for the dotcom bubble and burst?" AccountingWeb's U.K. Site, March 11, 2008 ---
http://www.accountingweb.com/cgi-bin/item.cgi?id=104768

"Were accountants responsible for the dotcom bubble and burst?" This worrying allegation emerged from a question two weeks ago at the ICAEW IT Faculty annual lecture.

During a thought-provoking talk on Second Life and related issues, Clive Holtham mentioned the dotcom bubble, which prompted the pointed follow-up question from one audience member.

The answer was that they weren't - which accorded with the general audience reaction. The reason? Accountants, Holtham argued, had not made the investment and business decisions that fuelled the boom and led to the bust.

Some would argue that this is exactly why accountancy, perhaps more than accountants, was responsible. Why weren't accountants more involved in these decisions? We would surely expect accountants to have been stressing the need to temper the wild enthusiasm with a bit of solid business analysis. It's hard to escape the conclusion that accountants either didn't put forward the right arguments, or were not sufficiently influential. Accountants either lacked the confidence to participate forcefully enough in the debate, or were viewed as not knowing enough about IT.

Either way, it suggests that the main accountancy bodies had allowed a major change in business to occur without preparing their members to deal competently and confidently with it. If technology had been seen as a natural competency of an accountant, accountants might have been more able to fight their corner over the excesses of the dotcom era.

Anyway, that was years ago. Surely things have changed. The recent AccountingWEB/National B2B Centre survey on accountants' involvement in ebusiness was introduced in the following terms: "In spirit accountants would like to get involved with ebusiness, but the reality of their current knowledge and workload means that only a small minority are able to help clients take advantage of new technology opportunities."

It's unfair to blame the accountants themselves. Their workload is a significant factor. Government has been piling regulation after regulation upon them and it must be a struggle to keep up with just what they consider their core skills and knowledge. Ethically, you would not expect accountants to offer advice in areas in which they do not consider themselves adequately qualified. Technology is such a vast and rapidly moving area that it's pretty hard for most full time IT professionals to keep up, let alone accountants with their myriad other responsibilities. Yet the need, and opportunity, certainly seems to be there. Various government initiatives in the past have sought to identify sources of competent advice to help companies succeed in ebusiness.

Usually, articles about accountants doing more in the field of IT elicit comments about "leaving it to the IT professionals". The worry is that accountants may not know enough to be able to do so confidently and therefore they withdraw from any involvement - this is what the AccountingWeb/NB2BC survey seems to suggest is happening. This is in nobody's interest. Businesses may fail to exploit key opportunities, accountants will lose out on income and probably credibility, and IT specialists will have fewer clients. A more ebusiness-confident accountancy profession should be able not only to offer advice itself, but also to recommend, trust and work with specialists where required.

To achieve this it's vital that the professional bodies help their members more than they are doing currently. What seems to be missing is a set of boundaries. What exactly do accountants need to know about IT and ebusiness in order to be able to confidently and competently advise their clients? How can you, as an accountant, assess your competence in this vital area?

It's not as if this is anything new, The International Federation of Accountants (IFAC) has been working on a revised Education Practice Statement regarding 'Information Technology for Professional Accountants' for years and in October 2007 released International Education Practice Statement 2 (IEPS 2) after consultation with accountancy bodies worldwide. This sets out "IT knowledge and competency requirements" for the qualification process, but also for continuing professional development.

So should accountants be more active in advising on ebusiness? Should they do it themselves or work with specialists? And are the professional bodies doing enough to help their members in this, and other IT related, areas? We look forward to hearing the views of AccountingWEB members so that we can carry this debate forward.

March 12, 2008 reply from Bob Jensen

With all due respects to Ed and Jagdish, I still think that inflated revenue reporting and other creative accounting ploys led to a bubble of artificially inflated stock prices of dotcom companies. It was more than the "premature revenue recognition" that Ed mentions. It was reporting of questionable revenues that would never be realized in cash. For example dotcomA contracts with dotcomB, dotcomC, ..., dotcomZ to trade advertising space on Websites and vice versa for all combinations of contracting dotcom companies. Each company counts the trade at estimated value as revenue and expense even though there will never be any cash flows for these advertising trades.

The dotcom companies did not inflate profits with this move but they dramatically inflated revenues which was all they cared about since the investing public never expected them to show a profit early on. You can read about how bad this bartering scam became --- http://faculty.trinity.edu/rjensen/ecommerce/eitf01.htm#Issue02
And auditors let the dotcom companies get away with this scam until EITF 99-17 made auditors finally recognize the errors of their ways.

Other revenue inflation scams and questions raised in the following issues resolved by by various EITF pronouncements --- http://faculty.trinity.edu/rjensen/ecommerce/eitf01.htm

Revenue Issue: Gross versus Net

Issue 01: Should a company that acts as a distributor or reseller of products or services record revenues as gross or net?
Examples of Creatively Reporting at Gross:

Priceline.com brokered airline tickets online and included the full price of the ticket as Priceline.com revenues. This greatly inflated revenues relative to traditional ticket brokers and travel agents who only included commissions as revenue.

eBay.com included the entire price of auctioned items into its revenue even though it had no ownership or credit risk for items auctioned online.

Land's End issued discount coupons (e.g., 20% off the price), recorded sales at the full price, and then charged the price discount to marketing expense.

Issue 02: Should a company that swaps website advertising with another company record advertising revenue and expense?

Issue 03: Should discounts or rebates offered to purchasers of personal computers in combination with Internet service contracts be treated as a reduction of revenues or as a marketing expense?

Issue 04: Should shipping and handling fees collected from customers be included in revenues or netted against shipping expense?

Discounts and rebates are traditionally deducted from gross revenues to arrive at a net revenue figure that is the basis of revenue reporting. Internet companies, however, did not always follow this treatment. Discounts and rebates have been reflected as operating expenses rather than as reductions of revenue.

Handling fees and pricing rebates throughout accounting history could not be included in revenues since the writing of the first accounting textbook. Auditors knew this very well from the history of accounting, but it took EITF 00-14 in Year 2000 to remind auditors that this bit of history applied to dotcom companies as well as mainstream clients.

Definition of Software

Issue 07: Should the accounting for products distributed via the Internet, such as music, follow pronouncements regarding software development or those of the music industry?

Issue 08: Should the costs of website development be expensed similar to software developed for internal use in accordance with SOP 98-1?

Revenue Recognition

Issue 9: How should an Internet auction site account for up-front and back-end fees?

Issue 10: How should arrangements that include the right to use software stored on another company’s hardware be accounted for?

Issue 11: How should revenues associated with providing access to, or maintenance of, a website, or publishing information on a website, be accounted for?

Issue 12: How should advertising revenue contingent upon “hits,” “viewings,” or “click-throughs” be accounted for?

Issue 13: How should “point” and other loyalty programs be accounted for?

Prepaid/Intangible Assets vs. Period Costs

Issue 14: How should a company assess the impairment of capitalized Internet distribution costs?

Issue 15: How should up-front payments made in exchange for certain advertising services provided over a period of time be accounted for?

Issue 16: How should investments in building up a customer or membership base be accounted for?

Miscellaneous Issues

Issue 17: Does the accounting by holders for financial instruments with exercisability terms that are variable-based future events, such an IPO, fall under the provisions of SFAS 133?

Issue 18: Should Internet operations be treated as a separate operating segment in accordance with SFAS 131?

Issue 19: Should there be more comparability between Internet companies in the classification of expenses by category?

Issue 20: How should companies account for on-line coupons?

In nearly every instance dotcom companies were inflating the promise of their new companies with creative accounting blessed by their auditors until the EITF and other FASB pronouncements set some bright lines that auditors had to stand behind. The investing public was nearly always misled by both the audited financial statements and the pro forma statements of dotcom companies in the 1990s. Then the bubble burst, in part, by bright line setting by the EITF and the FASB.

Bob Jensen

Especially note the revenue recognition issues at http://faculty.trinity.edu/rjensen/ecommerce/eitf01.htm 

You must be very careful when viewing a corporate Website that you think is authentic but is a total fraud.  One such site is http://www.dowethics.com/  which spoofs the genuine http://www.dow.com 

The site at dowethics.com is a very clever spoof site that mirrors the real corporate site but runs it with stories against the company.  It is interesting because it appears to be very authentic and illustrates how companies really do need authentication seals such as Verisign, the Better Business Bureau BBB seal, or the WebTrust Seal --- http://faculty.trinity.edu/rjensen/ecommerce/000start.htm#SpecialProblems 

Electronic Commerce:  Revenue Accounting Problems and Related Financial Accounting Issues --- http://faculty.trinity.edu/rjensen/ecommerce/eitf01.htm 

• What company was voted the 1996 Internet Company of the year and how did this company later drastically revise the electronic business model.?  

  Answer:  
  General Electric in 1996 had a separate part of GE for electronic commerce.  Several years later, GE did away with the electronic commerce unit and elected to build electronic commerce into virtually all divisions of the company.

  
  

• Increased interdependency between organizations.  
  Under the agreement, P&G has access to certain portions of Wal-Mart's inventory data.   When Wall-Mart's inventory of P&G goods reaches a certain level, P&G automatically arranges for shipment of additional inventory.
  
  
• Impact on business models
  
  • value-added chains broken and reformed (e.g., closing down of physical stores and opening of virtual stores)
  • new marketing, transportation, and supply channels (e,g., FedEx "Supply Chain Services")
  • increasing value of  knowledge assets
  • changing infrastructure of factories and warehouses (e.g., Amazon.com discovered it had to build new warehouses)
  • decentralization of employees and services such as virtual on-site service of computer hardware using technicians anywhere in the world)
    
    
• Type of network (EDI, LAN, WAN, Internet, etc.)
  
  
• Audit trail
  
  
• Security and privacy, including newer types of assurance services such as WebTrust and SysTrust
  
  
• Accounting issues such as new types of business ventures and transactions that were not envisioned in existing GAAP
  
  
• Declining value of items accounted for under GAAP and rising value of items not accounted for under GAAP
  
  
• The breakdown of traditional decision aids such as ROI estimates
  
  
• The rise of gimmicks such as "Pro Forma" and "core"not covered under GAAP
  

• Taxation issues such as how to replace sales taxes on declining in-store purchases and lost taxes on foreign transactions
  
  
• Financing issues, especially how to finance an e-Commerce business like Amazon.com for years of phenomenal growth during which there are accounting losses every year
  
  
• The future of the dot.com companies after their fall from grace
  
  
• Impact on financial reporting and analysis, especially XBRL
  See http://faculty.trinity.edu/rjensen/xmlrdf.htm 

Whatever happened to the AICPA's SysTrust initiative for expanding CPA firm revenues and services?
http://en.wikipedia.org/wiki/Certified_Information_Technology_Professional

"Compliance et al," by Jerry Trites, IS Assurance Blog, July 16, 2011 ---
http://uwcisa-assurance.blogspot.com/

Recently, ISACA conducted a survey of the top business issues facing enterprise It technology. The list is of course directed primarily to the concerns of IT Assurance providers and contains the following issues:

• Regulatory compliance (Score: 4.6)
• Enterprise-based IT management and governance (Score: 4.4)
• Information security management (Score: 4.1)
• Disaster recovery/business continuity (Score: 3.1)
• Challenges of managing IT risks (Score: 2.5)
• Vulnerability management (Score: 2.1)
• Continuous process improvement and business agility (Score: 2.0)

Compliance has been a big issue since the SOX days, but shows no sign of abating. Assurance providers can expect to spend more of their time in this area for the foreseeable future. Nothing really new or startling in the list, but it does provide a good high level overview of where we are in the world of IT Assurance. See the press release here and the survey here.

Bob Jensen's badly neglected threads on Assurance and Security Services
http://faculty.trinity.edu/rjensen/assurance.htm

Bob Jensen's threads on computer and networking security are are at
http://uwcisa-assurance.blogspot.com/

Electronic Commerce:  Revenue Accounting Problems and Related Financial Accounting Issues --- http://faculty.trinity.edu/rjensen/ecommerce/eitf01.htm 

Accounting Issues Addressed by the SEC and FASB

• EITF Issues --- Click Here
  
• FASB's Proposal for a New Agenda Project  --- http://accounting.rutgers.edu/raw/fasb/project/intangibles.pdf
  DISCLOSURE OF INFORMATION ABOUT INTANGIBLE ASSETS NOT RECOGNIZED IN FINANCIAL STATEMENTS
  

• Denny Beresford's Terry Breakfast Lecture
  Subtitle:  Does Accounting Still Matter in the "New Economy" 

  Every accounting educator and practitioner should read Professor Beresford's Lecture at http://faculty.trinity.edu/rjensen/beresford01.htm

  ---

  Corporate America's New Math:  Investors Now Face Two Sets of Numbers In Figuring a Company's Bottom Line
  By Justin Gillis
  The Washington Post
  Sunday, July 22, 2001; Page H01 
  http://www.washingtonpost.com/wp-adv/archives/front.htm   

  Cisco Systems Inc., a bellwether of the "new economy," prepared its books for the first three months of this year by slicing and dicing its financial results in the old ways mandated by the rules of Washington regulators and the accounting profession.

  Result: a quarterly loss of $2.7 billion.

  Cisco did more, though. It sliced and diced the same underlying numbers in ways preferred by Cisco, offering an alternative interpretation of its results to the investing public.

  Result: a quarterly profit of $230 million.

  That's an unusually large swing in a company's bottom line, but there's nothing unusual these days about the strategy Cisco employed. Across corporate America, companies are emphasizing something called "pro forma" earnings statements. Because there are no rules for how to prepare such statements, businesses have wide latitude to ignore various expenses in their pro forma results that have to be included under traditional accounting rules.

  Most of the time, the new numbers make companies look better than they would under standard accounting, and some evidence suggests investors are using the massaged numbers more and more to decide what value to attach to stocks. The pro forma results are often strongly emphasized in news releases announcing a corporation's earnings; sometimes the results computed under traditional accounting techniques are not disclosed until weeks later, when the companies file the official results with the Securities and Exchange Commission, as required by law.

  Cisco includes its results under both the pro forma and the traditional accounting methods in its news releases. People skeptical of the practice of using pro forma results worry that investors are being deceived. Karen Nelson, assistant professor of accounting at Stanford University, said some companies were "verging on fraudulent behavior" in their presentation of financial results.

  Companies that use these techniques say they are trying to help investors by giving them numbers that more accurately reflect the core operations of their businesses, in part because they exclude unusual expenses. Cisco's technique "gives readers of financial statements a clearer picture of the results of Cisco's normal business activities," the company said in a statement issued in response to questions about its accounting.

  Until recently, pro forma results had a well-understood and limited use. Most companies used pro forma accounting only to adjust previously reported financial statements so they could be directly compared with current results. This most frequently happened after a merger, when a company would adjust past results to reflect what they would have been had the merger been in effect earlier. Pro forma, Latin for "matter of form," refers to statements "where certain amounts are hypothetical," according to Barron's Dictionary of Finance and Investment Terms.

  What's changed in recent years is that many companies now using the technique also apply it to the current quarter. They include some of the leading names of the Internet age, including Amazon.com Inc., Yahoo Inc. and JDS Uniphase Corp. These companies have received enthusiastic support from many Wall Street analysts for their use of pro forma results. The companies' arguments have also been bolstered by a broader attack on standard accounting launched by some academic researchers and accountants. They believe the nation's financial reporting system, rooted in the securities law reforms of the New Deal, is inadequate to modern needs. In testimony before Congress last year, Michael R. Young, a securities lawyer, called it a "creaky, sputtering, 1930s-vintage financial reporting system."

  The dispute over earnings statements has grown in intensity during the recent economic slide. To skeptics, more and more companies appear to be coping with bad news on their financial statements by redefining the concept of earnings. SEC staffers are worried about the trend and are weighing a crackdown.

  "People are using the pro forma earnings to present a tilted, biased picture to investors that I don't believe necessarily reflects the reality of what's going on with the business," said Lynn Turner, the SEC's chief accountant.

  For the rest of the article (and it is a long article), go to 
  http://www.washingtonpost.com/wp-adv/archives/front.htm 
  The full article is salted with quotes from accounting professors and Bob Elliott (KMPG and Chairman of the AICPA)

  ---

  BARUCH LEV'S NEW BOOK Brookings Institution Press has just issued Baruch's new book, Intangibles: Management, Measurement and Reporting. Regardless of the "dot com" collapse, this subject continues to be high on the corporate executive's agenda. Baruch foresees increasing attention being paid to intangibles by both managers and investors. He feels there is an urgent need to improve both the management reporting and external disclosure about intellectual capital. He proposes that we seriously consider revamping our accounting model and significantly broaden the recognition of intangible assets on the balance sheet. The book can be ordered at https://www.brookings.edu/press/books/intangibles_book.htm 

  Professor Lev's free documents on this topic can be downloaded from  http://www.stern.nyu.edu/~blev/newnew.html 

  ---

  FASB REPORT - BUSINESS AND FINANCIAL REPORTING, CHALLENGES FROM THE NEW ECONOMY NO. 219-A April 2001 Author: Wayne S. Upton, Jr. Source: Financial Accounting Standards Board --- http://accounting.rutgers.edu/raw/fasb/new_economy.html 
  Upton's book challenges Lev's contention that the existing standards are enormously inadequate for the "New Economy."

  ---

  The Garten SEC Report: A press release and an executive summary are available at http://www.mba.yale.edu  
  The Garten SEC Report supports Lev's contention that the existing standards are enormously inadequate for the "New Economy."
  (You can request a copy of the full report using an email address provided at the above URL)

  Trinity University students may access this report at J:\courses\acct5341\readings\sec\garten.doc 

Dear Professor Jensen:

As you may know, Greenstein and Vasarhelyi's ELECTRONIC COMMERCE was the first book to combine accounting risk management and control issues with systems issues--in other words, the first book to really combine accounting and electronic commerce.  But it's not enough to be first once--you need to be first every time. And with ELECTRONIC COMMERCE 2/E, once again you get the newest and most up-to-date coverage available.

Just published this summer, ELECTRONIC COMMERCE, 2/E covers the hottest topics in e-commerce, including e-business strategy, XML and XBRL, and emerging supply chain e-commerce and e-revenue models. And a constantly updated Website will insure your course has access to the very latest developments.

To learn more about ELECTRONIC COMMERCE, 2/E or to request a complimentary copy, contact, Ray Lesikar, your McGraw-Hill/Irwin representative, at ray_lesikar_jr@mcgraw-hill.com. You may also visit the book's Website at this address: http://www.mhhe.com/webmaster/redirector.pl?p=1000001004457&c=938&a=4&s=1 .

Thank you for your time.

Regards,
Rich Kolasa
Marketing Manager, Accounting, McGraw-Hill/Irwin

 

How to Build Customer Relationships Online Marketing is not just about getting an order, it's about getting a customer and keeping them. Nurture your customer relationships with regular e-mails. With regular e-mails you can build relationships and gather market intelligence. http://www.newmedia.com/default.asp?articleID=3275 

Bob Jensen's small business links are at http://faculty.trinity.edu/rjensen/bookbob1.htm#SmallBusiness 

Top Year 2002 Technologies as Rated by the AICPA --- http://www.cpa2biz.com/ResourceCenters/Information+Technology/Top+10+Techs/default.htm 

Top 10 Techs

Top 10 Techs Categories

Applications Emerging Technologies Issues Technologies Top Technologies for 2002   TopTechs provide information about cutting edge technologies that could impact your ability to compete effectively in the e-world.   TopTechs are presented in four categories: Issues -- situations that result from technology  implementation Applications -- business opportunities/objectives using  one or more technologies Technologies -- end products (hardware, software, or   standard) Emerging Technologies -- new developments currently under review

Certainly database technology has been around for a while. It made the list of top ten technologies ... [ Article ] Full Story

Technologies: Security Technologies

In the past year, nine out of 10 organizations experienced security breaches, according to a recent ... [ Article ] Full Story

Technologies: XML (Extensible Markup Language)

"Your tax dollars at work" could be the subtitle for this section, assuming you waited 20 years and ... [ Article ] Full Story

	Technologies: Communications Technologies - Bandwidth
	Here's a riddle for you: What doubles in demand every three to four months, but drops in price over ... [ Article ] Full Story
	Technologies: Mobile Technologies
	Convenience, Efficiencies are Hallmarks of Mobile Technologies What would Benjamin Franklin think o ... [ Article ] Full Story
	Technologies: Wireless Technologies (includes wireless networks)
	Are you on the cutting edge of wireless technology? If your first thoughts were of your beloved PDA ... [ Article ] Full Story
	Technologies: Electronic Authorization
	In a workflow system, documents move from one user to another as they are electronically processed. ... [ Article ] Full Story
	Technologies: Encryption
	We've come a long way from the "magical" times of the 17th century where works about ciphers and cry ... [ Article ] Full Story
	Technologies: Remote Connectivity Tools
	The information you need is in one place; you are in another place. Traditional solutions to remote ... [ Article ] Full Story
	Technologies: Electronic Authentication
	Are you who you say you are? That is, in fact, the question of authentication, which is one aspect o ... [ Article ] Full Story

Investor Relations and Internet Reporting

Jerry Trites from Canada and I conducted two workshops on electronic reporting and electronic commerce.  The first of these is for August 14 in San Antonio (AAA Annual Meetings) and November 23 in Los Angeles (Asian Pacific Conference).  I received the following message from Jerry on February 14, 2002:

Hi Bob,

Following is the URL for the website for my new e-business textbook. Thought you might be interested.

http://www.pearsoned.ca/trites/ 

Jerry,

p.s. When will we hear back from AAA re the San Antonio conference? 

Gerald Trites, CA*CISA, FCA 
Gerald Schwartz School of Business and Information Systems, 
St Francis Xavier University, 
Antigonish, Nova Scotia 
Phone: (902) 867-5410 Fax: (902) 867-3352 Cell: (902) 867-0977 
Home page: http://iago.stfx.ca/people/gtrites/index.html 

August 8, 2002 message from Miklos

I have posted on the Web pieces of my e-commerce course about hr + of clips,, .... be my guest to use them

http://raw.rutgers.edu/miklos/baxtermovies/baxter.html 

they can be used (not tightly coupled) with my e-commerce slides

http://raw.rutgers.edu/ecommerce2 

Miklos A. Vasarhelyi 
KPMG Professor of AIS
Rutgers University Director, Rutgers Accounting Research Center 
315 Ackerson Hall, 180 University Ave. Newark, NJ 07102 
tel: 973-353 5002 fax 973-353 1283 miklosv@andromeda.rutgers.edu 

Bob Jensen's related assurance services threads are at http://faculty.trinity.edu/rjensen/ecommerce/assurance.htm 

This appeared in one of my older documents that is no longer updated --- http://faculty.trinity.edu/rjensen/99aaa/updatefr.htm 

Online Financial Reporting

Ross A Kaplan, "Identity Crisis for Online Annual Reporting," Financial Executive, Jul/Aug 1999, 38-39.

• More that 70 publicly traded companies now make their quarterly conference calls available using streaming audio or video.

• The number of companies using the web to make their annual shareholders meetings available is likely to treble to about 100 this annual-meeting season.

• Four of the top 25 investor-relations web sites are based outside the United States, according to Ross Kaplan; 13 of these offer at least some investor-relations content in more than one language.

• Five of the top sites present financial information in more than one currency.

• As the underlying technology improves, good investor-relations web sites will go beyond simply informing shareholders and increasingly let them do things -- for example, calculate ROI and other ratios, vote their shares, enroll in a dividend reinvestment plan and generate graphics showing trends in operating results.

• Increasing "customizability" means that shareholders will be able to configure web sties to show only the information they're interested in -- bypassing the vast majority of web content (sales material, technical support, etc.) aimed at other audiences.

Have traditional accounting and finance measures of corporate wealth "lost their Utility?"
http://www.zdnet.com/pcweek/stories/columns/0,4351,407222,00.html

However, I will provide some updates below:

Top Investor Relations and Internet Reporting Sites --- http://ids.csom.umn.edu/faculty/kauffman/courses/8420/Projects/POlson/page5.htm 

According to Ross Kaplan of the Off-line website, six attributes of a good IR web site are:

• Timeliness - Investors expect current data with twenty-four hour access.  The site should contain only valid and current hypertext links.
• Content - Comprehensive content covering current financial information, historical data, press releases, SEC filings and corporate profiles is essential to a public company's site.
• Design - The IR site should be easy to navigate and clearly accessible from the company's home page.  It should use graphics, text, and video to detail the company's financial position.  The design should be tested for readability in all types of web browsers.
• Interactivity - E-mail, forums, and chatting allow shareholder's to request information and use web sites as a communication tool.
• Horsepower -  Investors are increasingly expecting to be able to search for, manipulate, and analyze online information.  The visitor should feel that the server responds quickly and is consistently available for access.
• Mutability - Sites need to be flexible by allowing visitors to customize the information according to their interests.  Two important customizations are language and currency.

Investor Relations Magazine  provides the following advice on adding value to a corporate web site:

• Investors are becoming more sophisticated and expect to be able to add their names to a mailing list and be kept updated on press releases.
• The IR site should have different design considerations than the rest of a corporate web site.  Investors want detailed information and fast downloads, forget the spinning logos.
• Make sure your server is adequate for traffic requirements.
• Keep the IR web site  content and corporate values consistent with other communication with shareholders (annual reports, brochures, etc.).

In March, 1998 Investor Relations Magazine named Microsoft as the winner of its "Best World Wide Web Site" award.  The magazine holds an annual awards ceremony to recognize exellence in investor relations.  The Microsoft IR web site is a standard of excellence in using technology to promote investor relations.  Attributes of the web site include:

• Basic offerings such as stock quotes, Frequently Asked Questions (FAQs), annual reports, and press releases
• A daily update on the antitrust trial brought against it by the U.S. Department of Justice
• Transcripts of speeches by company executives
• Live internet broadcasts of its conference calls
• Detailed historical data and analysis tools which allow an investor to analyze income statement line items dating back to 1985 or analyze revenue by product group
• Stock information such as price and volume history, investment growth history, five year comparison to the S&P 500, history of stock splits and dividend information
• The annual report is available in eleven languages
• Its income statements can be viewed in accordance with accounting standards and in the local currencies of Australia, Canada, Germany, France, Japan, and the U.K.

Companies such as Intel, 3com,  Xerox, Dell computer, and IBM are also frequently discussed as having exceptional IR web sites.

XBRL Will Change the World of Financial Reporting and Analysis --- http://faculty.trinity.edu/rjensen/XBRLandOLAP.htm#XBRLextended 

Data Binding

Data Binding as defined at http://searchwebservices.techtarget.com/sDefinition/0,,sid26_gci991121,00.html

Data binding is a process that allows an Internet user to manipulate Web page elements using a Web browser. It employs dynamic HTML (hypertext markup language) and does not require complex scripting or programming. Data binding first became available with Microsoft Internet Explorer (MSIE) version 4. It can be used in conjunction with that and all subsequent versions of MSIE to create and view interactive Web sites with a minimum demand on authoring time, subscriber effort, server drive space, and server processing resources. The data binding architecture consists of data source objects (DSOs) that supply the information to viewed pages, data consumers that display the DSO information, and agents that ensure that the data is synchronized between the DSOs and the consumers. Data binding is used in Web pages that contain interactive components such as forms, calculators, tutorials, and games. Pages are displayed incrementally so that portions of a page can be used even before the entire page has finished downloading. This makes data binding convenient when pages contain large amounts of data and bandwidth is limited. Data binding has been used by hackers in attempts to gain access to the hard drives of Internet users. This is known as a DSO exploit.

XML Data Binding --- http://www.rpbourret.com/xml/XMLDataBinding.htm 

Data Binding for Java --- http://www-106.ibm.com/developerworks/xml/library/x-bindcastor/ 

From Builder.com --- http://builder.com.com/5100-6387-1058862.html?tag=grid 

Data binding 101: DataSets
In its simplest form, data binding involves attaching an ASP.NET Web control, say a ListBox, to a DataSet containing some database data. The ListBox.DataSource property lets you specify the DataSet to which the control should bind, and the DataBind method actually fills the control with data. Because a DataSet can contain multiple fields, Web controls with a single column (ListBox, DropDownList, etc.) all expose DataTextField and DataKeyField properties to let you specify the name of the field the control will display as text and use as a value, respectively.

Listing A contains a simple example that binds a ListBox to the Categories table of the Northwind sample database. After creating the DataSet, I bind it to ListBox1 using the DataSource property. I then set the DataTextField property to CategoryName, the field that ListBox1 should display (it will be used as SelectedItem.Text), and the DataKeyField property to CategoryId so that ListBox1 will use it as the key. (It will be returned as SelectedItem.Value.).

Data binding 201: Arrays and collections
Okay, so binding to a DataSet is child’s play. But what if the data you want isn’t contained in a database? What if you would like to allow the user to choose from an array of objects? Sure, you could manually create a DataSet containing the data, but that's kind of like building a mansion when all you need is a tool shed. Wouldn’t it be nice if you could just bind directly to the array?


Continued at  http://builder.com.com/5100-6387-1058862.html?tag=grid  
 

Education and Training Outlines

Electronic business education and training programs in various major universities are outlined at 
http://www.ehrlichorg.com/ibp/Undergraduate%20E%20BusE%20Com-0825.doc 

Note the sheer size of this operation --- "more than 1.5 million people already use its 15 e-Learning modules in three topic areas of leadership, strategy and general management."

From Syllabus News on October 2, 2001

Harvard B-School Expands Business Courses Via the Web

Harvard Business School Publishing said last week it would use the Internet to make available its electronic learning programs in best management and business practices to corporate groups and enterprises. HBSP said more than 1.5 million people already use its 15 e-Learning modules in three topic areas of leadership, strategy and general management. HBSP will now offer support for companies that wanted to make the modules available to company groups via the Internet.

For more information, contact Nancy O'Leary at Harvard Business School Publishing http://noleary@hbsp.harvard.edu 

Electronic commerce courses, including accounting courses, have been added to the curricula of many business schools.  As a sample, the courses at the University of Scranton are shown below --- http://matrix.scranton.edu/academics/ac_courses_electronic_commerce.shtml 

Course Descriptions — Electronic Commerce

EC 251 —  Introduction to Electronic Business — 3 credits

(Prerequisite: C/IL 104) This introductory course in electronic business explores how the Internet has revolutionized the buying and selling of goods and services in the marketplace. Topics covered include: business-to-business and business-to-consumer electronic commerce, electronic commerce infrastructure, designing and managing online storefronts, payment acceptance and security issues, and the legal and ethical challenges of electronic commerce. Students will also gain hands-on experience in creating, editing, and enhancing a web site using an HTML editor.

EC 361 — Electronic Business Communication Networks — 3 credits

(Prerequisite: EC 251) The course is designed to provide students with networking and telecommunications fundamentals necessary to develop enterprise networks to conduct business on the Internet. Topics covered include: communication network media; processors and protocols; multimedia transmission; wireless networks; network design, management and security; and present capabilities and future trends in communication. Discussion of the technology is focused on business applications within and among organizations. Hands-on experience and case studies will be used to illustrate concepts and business use of enterprise networks.

EC 362 — Database Management for Electronic Business — 3 credits

(Prerequisites: EC 251, OIM 471) The course deals with database design, implementation and use of Database Management Systems to support Electronic Business. Topics covered include: database design and implementation; data modeling and structured query language (SQL); distributed data base management system, open data base connectivity, integration of web server and backend database server; data warehousing and mining; on-line analytical processing; and database application and management. Cases and DBMS software will be used to illustrate concepts and to gain hands-on experience.

EC 370 — Interactive Marketing — 3 credits

(Prerequisite: MKT 351, junior standing) This course focuses on the integration of state-of-the-art interactive technologies in the design and implementation of marketing programs for the new millenium. The functions of market identification through customer analysis, and the planning and implementation of conception, pricing, promotion and distribution of ideas, goods and services to satisfy the market benefit immensely from the capabilities of the rapidly developing information technology (IT) infrastructure.

EC 371 — Investments — 3 credits

(Prerequisite: FIN 351, junior standing) This course will provide students with an overview of the fundamentals of investing, with specific emphasis on the use of information technology tools. Topics will broadly cover the areas of stock selection and valuation, bond valuation, and the use of options and futures to hedge risk. Students will be taught to use resources available on the Internet in order to develop security selection rules and valuation models. For example Quicken.com and Hoovers have web sites that enable an investor to retrieve current financial data and build stock screens. Students will also learn to build a financial web site that contains features found in many professional web sites.

EC 372 — Accounting for Electronic Business — 3 credits

(Prerequisite: ACC 252 or ACC 254, junior standing) This course is intended to introduce E-Commerce students to the role of accounting in today’s business environment. Students will examine how technology has impacted the techniques of accounting and reporting. Computerized models of accounting will be used to explore the tools available to compile data for management decisions and reporting. Internet business and traditional business transactions will be evaluated in light of global markets. Thus students will see the effects of control features built into software systems and understand the role such systems play in running the company.

EC 461 — Internet Applications Development — 3 credits

(Prerequisites: EC 361, EC 362) The course introduces the student to existing and evolving Internet technologies needed for electronic commerce site development and management. Topics covered include: Windows NT, Internet information server, index and transaction servers, object-oriented paradigm, client and server side scripting, active server page, enterprise data access, domain name service, and trends in web development tools. The course emphasizes applications of the technology and provides hands-on experience by having students develop a working electronic business site. Cases will be used to illustrate concept and the role of each technology used to conduct business on the web.

EC 462 — Projects in Electronic Business — 3 credits

(Prerequisite: EC 461) In this course, students will develop an electronic commerce project that will be used to conduct online business. The purpose of this course is to synthesize the Internet related technologies and the business knowledge acquired in different courses to develop a working electronic commerce site. Students will work in a team-oriented environment under the guidance of the instructor. Students will design, develop, implement, and operate a secure content-rich electronic commerce web site to attract and retain customers.

EC 470 — Supply Chain Management — 3 credits

(Prerequisites: EC 361, EC 362) This course integrates two powerful trends that are critical management imperatives for the new millennium: Supply Chain Management & Electronic Business. The students will learn how the principles of supply chain management integrate into the “real-time” environment of e-business and examine case studies of such implementations. Latest software and technology will be discussed and examples demonstrated on the SAP R/3 platform available at KSOM.

EC 471 — Electronic Business Security Controls and Ethics — 3 credits

(Prerequisites: EC 361, EC 362) The course is designed to provide students with an understanding of the technical, managerial, legal and ethical issues to build, operate and manage e-commerce solutions. Topics covered include: web server and client security; secure transactions and payments; information security; digital certificates and practices; civil and criminal legal issues; morality and ethical issues; intellectual property and patents; governmental regulations and policies; and emerging technologies and standards. Appropriate cases will be used to illustrate the above concepts.

EC 472 — Electronic Business and Entrepreneurship — 3 credits

(Prerequisites: EC 361, EC 362) This course links electronic commerce with entrepreneurship. The convergence of information and communication technologies has created numerous opportunities to entrepreneurs to start new and innovative businesses based on electronic commerce. The course will examine the issues related to the starting and establishment of new businesses based on electronic commerce. The course comprises three parts. The focus of the first part is on issues related to the establishment of a new business and entrepreneurship. The second part examines the business issues related to electronic commerce including the development of business models and plans. The last part is a practical part where groups of students will develop and establish small electronic commerce businesses from start to finish. The learning will occur through study and discussion of conceptual reading material, analysis and discussion of cases, and through the development and implementation of an e-commerce business.

Question
What are the CERIAS programs in assurance services?

Answer
Certified Public Accountants over the past decade have be actively promoting the branching out of financial attestation services (especially auditing) into wider ranging "assurance services."  Especially noteworthy is the new service SysTrust where pubic accountants in the U.S. and Canada have partnered to extend assurance services into the areas of computing services and information systems.  For details and links, see http://faculty.trinity.edu/rjensen/ecommerce/000start.htm#AssuranceServices 

I mention this because, unlike auditing services by public accountants, where there is an SEC-mandated monopoly under SEC rules, there is no such monopoly on extended assurance services.  In assurance services other than auditing, CPAs face increasing competition from other professional bodies.  One such area is in the entire area of Information Assurance and Security.  I mention this, because an education and training center at Purdue University is generating courses and graduates in a program that is not a part of the Accounting Department or the School of Business.  I will now briefly summarize the CERIAS Center at Purdue University --- http://www.cerias.purdue.edu/ 

What I found interesting is the extent to which students can get both MS and PhD degrees in Information Assurance and Security.

The Center for Education and Research in Information Assurance and Security, or CERIAS, is the world's foremost University center for multidisciplinary research and education in areas of information security. Our areas of research include computer, network, and communications security as well as information assurance.

Mission Statement 
To establish an ongoing center of excellence which will promote and enable world class leadership in multidisciplinary approaches to information assurance and security research and education. This collaboration will advance the state and practice of information security and assurance. The synergy from key members of academia, government, and industry will promote and support programs of research, education, and community service.

Vision Statement 
The Center for Education and Research in Information Assurance and Security will be internationally recognized as the leader in information security and assurance research, education, and community service.

Internal Vision 
Build a well-supported community of scholars actively involved in: Evolution and offering of educational programs in information assurance and security. Solving fundamental questions of science, engineering and management as they relate to information security and assurance. Transfer of expertise and technology to organizations with real world needs. Assuming leadership roles in appropriate community and government organizations. Activities to enhance the public's understanding and acceptance of information protection. To accomplish this, the Center promotes research, education and community service programs in conjunction with various key groups. It also brings synergy to these diverse groups (consisting of members from academia, government agencies and industrial partners) to advance the philosophy of information security and assurance.

Education

• K-12
  We have compiled resources for students, parents, and teachers on a host of topics including copyright, safe surfing, acceptable use, cryptography, and much more; we also offer teacher and student workshops on a variety of security topics, at a variety of levels.

   

• Graduate Program
  Information about our graduate studies, including the Scholarship for Service program.
  

   

• Post-Secondary Education
  The post-secondary education site contains information about formal and informal information security and assurance educational initiatives, including workshops, multimedia product offerings, certification and faculty development efforts, and awareness activities.

   

• Indiana Information Security Web
  A site created by CERIAS and several partners to raise awareness of Information Security in the state. Includes information for K-12, Home Computing, and Business and Industry.
  

Infosec Graduate Program --- http://www.cerias.purdue.edu/education/graduate_program/ 

Introduction to CERIAS

So, you are interested in graduate studies in Information Security at Purdue University? That's great! You can take advantage of the infosec expertise present at Purdue and associated with CERIAS, but you can't actually get your degree from there. CERIAS is a research center, and not an academic department. However, there are other ways to get your degree and be associated with CERIAS.

There are currently 3 different approaches to graduate study in infosec here:

1. The interdisciplinary MS specialization
2. A standard MS in one of the involved departments, with a focus on infosec topics
3. A PhD course of study in one of the involved departments, with a dissertation topic in infosec

Interdisciplinary MS

We are currently offering an interdisciplinary Master's specialization in InfoSec. This is offered as an MS through a participating department, not CERIAS. While the program is multidisciplinary and requires (and recommends) courses in Computer Sciences as well as other fields, admission to the program is handled administratively by a participating department. The specialization on your diploma will, however, read "Information Security," independently of what department handles the admission. As of September 2000, the only department ready to admit students to the program is Philosophy. Computer Sciences, Education, and Electrical & Computer Engineering are all in the midst of the administrative process to join the program.

You can apply for the Program electronically for future sessions. Please select "Philosophy" on the application and indicate "Information Security" as your area of interest. Your default contact professor in the next field of the application is Eugene H. Spafford, Director of CERIAS and of the Program. Feel free to mention in that field any other professor in information security that you would like to work with if you have established such a contact already. You will eventually be contacted by the graduate school about your admission status.

 

Standard Grad Programs

Students can also receive graduate degrees in existing programs with a specialization in infosec areas. To do this, the students enroll in a traditional major, take a core of common courses, and then are able to take electives related to their interests. Masters students may choose to research and write a Master's thesis that involves further study in a particular area of interest, or they may simply take 30 or more credit hours of coursework. PhD students must choose a specialized topic for their dissertation research. The most common major for students interested in information security is Computer Sciences, but degrees are also associated with Electrical & Computer Engineering, Management, Philosophy, Political Science, and many other departments associated with CERIAS.

Note that specific requirements for individual department degrees are given in the course catalogs and on some departmental WWW pages. What follows is a summary of the requirements for a CS graduate degree, serving as an example of what is expected. You need to consult one of the definitive references to get the whole picture. (CS graduate degree requirements are available on the WWW; information on other graduate programs can be found by starting at the main Purdue WWW page.)

 

MS in CS Program

MS students are required to take a course in operating systems or networks (CS 503 or CS 536), one in programming language design or compilers (CS 565 or CS 502), and algorithm analysis (CS 580), plus another 7 courses of electives, or 5 courses and the thesis option. Normally, for infosec study, MS (and PhD) students would take CS 502 and CS 503, plus the courses in computer security (CS 526) and cryptography (CS 555) as electives, and consider taking the advanced security (CS 626) and cryptanalysis courses (CS 655), too.

There are many electives available to graduate students, including graphics, databases, numerical methods and distributed systems. Each year, several faculty also offer special topic courses in their areas of interest. Opportunities for directed reading or research courses are also available. In the last few years, we will have had seminars in Intrusion Detection and Incident Response, Penetration Analysis, Firewalls, Electronic Commerce, Network Security, and Security Tools. Additionally, we have had seminar courses in Wireless Networks, Advanced Operating Systems, and Internetworking.

 

PhD in CS Program

Normally, a PhD program starts with 2 years of graduate study and passing a series of general exams in the area of study (the "qualifier exams"). The candidate then decides on an area of study, chooses an advisor, and takes an in-depth exam in the area of specialization (the "preliminary exam"). Next, the candidate performs in-depth research under the guidance of the advisor for a period of time ranging from 6 months to as many as 5 years. Finally, the candidate writes a detailed scientific account of his or her research (the dissertation) and defends it in a public exam before a committee of faculty, visitors, and members of the community. The average time to complete a PhD in CS at Purdue (assuming the student already has a good undergraduate background in CS) is 5 years.

Required courses for PhD students in CS include courses in operating systems, algorithm analysis, compilers and programming languages, numerical analysis, and theory of computation; this is a superset of the courses required for the MS degree, and almost all PhD candidates obtain their MS degree during their candidacy for the PhD.

 

MS & PhD Research

Currently, there is a large range of projects being conducted in information security at Purdue. We have almost 40 projects involving over 30 faculty in a dozen different academic departments. You can get a more complete picture of the faculty and research projects via the CERIAS WWW pages. These projects are normally open to graduate students and can be used to satisfy research requirements towards MS and PhD thesis work. Not all infosec projects are offered through CERIAS, either, and there is no requirement that students work on a CERIAS project to get an infosec-related degree.

 

Special Notes for CS

Students coming in to the graduate program are expected to be ready to pursue the degree upon arrival. There are limits as to how many semesters may be spent in residence before completing each of the steps towards the degree.

In particular, students are expected to:

• have strong, basic skills in mathematics, including working knowledge of statistics, calculus and linear algebra
• know how to write programs in some advanced computer language (C/C++/Java are languages of choice; Perl is also encouraged)
• have mastery of spoken English sufficient to understand lectures and presentations, and to discuss assignments with faculty and TAs
• have mastery of written English sufficient to document programs and write grammatical research papers. This is especially critical for MS and PhD
• students who need to write a thesis and research papers

Students without adequate preparation, or who fall behind in assignments, may be tempted to take "shortcuts" on assignments to keep up. Cheating, plagiarism, and falsifying work are severe violations of both the student code of conduct and academic honesty, and discovered incidents are dealt with particularly harshly by faculty in the infosec arena. Graduate students in violation of these rules are routinely recommended to the dean of students for expulsion from the university; foreign students in this situation will lose their visas. Thus, it is strongly recommended that applicants be sure they have mastery of these basic skills prior to applying to graduate school at Purdue.

Financial Aid

Financial aid for graduate students is based on both scholarship and need. Some fellowships are available to exceptional incoming students. Others are supported by the departments or by research projects. It is unusual that a new student will get support from a faculty member's research funding; indeed, most faculty do not support students prior to their completion of some of the qualifying exams. Some incoming students qualify for selection as teaching assistants, however. Other information about financial aid is in the graduate student information documents.

For financial aid, contact the admitting department and not individual faculty members.

• Purdue Graduate School Admissions --- http://www.purdue.edu/GradSchool/Admissions/admissions.html 

Disclaimer

The above is not an official document of Purdue University, but Professor Spafford's interpretation of Purdue policy. Interested parties should consult official University documents, available through the graduate school.

 

 

From Syllabus News on December 10, 2002

Compsec Firm Funds Purdue Info Assurance Degree

Internet security firm Symantec Corp. has endowed a fellowship for a student pursuing a degree at Purdue University’s Center for Education and Research in Information Assurance and Security (CERIAS. The Symantec Fellowship will provide up to $50,000 to cover the full tuition costs for two years and a stipend for a degree-seeking student enrolled at Purdue and working with CERIAS, a center for multidisciplinary research and education in information security. Applications will be accepted immediately with a deadline of March 1, 2003. The Fellowship recipient will be announced April 8, 2003 at the annual CERIAS Spring Symposium held on the West Lafayette, Ind., campus of Purdue University. The Fellowship will begin during the 2003-2004 school year and will be expanded to include a second student beginning the Fall of 2004.

December 11, 2002 reply from J. S. Gangolly [gangolly@CSC.ALBANY.EDU] 

Bob,

I wanted to brief AECMers on the happenings, with respect to Information Assurance in Albany.

The Department of Accounting & Law at SUNY ALbany is starting with the Fall semester 2003 an MBA track on Information Assurance (IA) based on our earlier efforts in AIS in the MS program in Accounting with an emphasis in AIS. When we have prepared the materials about the program, I'll post them on this listserv.

We have re-engineered all courses in AIS to have security/assurance permeate throughout the curriculum. This is now receiving the last review by us to ensure compliance with the curriculum recommendations of the National Security Agency.

The above is a part of our campus-wide forensics initiative (Departments of Accounting & Law, Management Science & Informatrion Systems, Department of Computer Science, School of Information Science & Policy, and in the future hopefully our very well regarded School of Criminal Justice) which has already received funding from the US Department of Education and is in partnership with the New York State Police, and CERIAS is also our partner in the efforts.

We are hoping to apply and receive next year the designation of Center of Excellence in Information Assurance Education. We hope more Accounting Departments will be hospitable to this "diversion" from our perceived central mission of educating future CPAs (currently there is no curriculum on IA in any Accounting Department that I am aware of).

It is important for me to brief the AECMers on the issue of "accountingness" of the curriculum in this respect, particularly since it became quite an issue even at Albany where our Department has traditionally been hospitable to off-the-wall curricular innovations. 'Accounting content' in much of the Information assurance curriculum usually is (and probably should be) expected to be very meager even though the assertions-based philosophy is rather similar.

I had a quite difficult time convincing my dyed-in-the-wool accounting colleagues (specially in Financial Accounting) that Information Assurance education can coexist peacefully in our Department. (Many Financial Accounting colleagues rightfully asked: since accounting content is minimal, why not have it in the MSIS or some other Department? My arguments were: 1. Such other departments do not have the tradition of scepticism that we in accounting/auditing have, and 2. we were better poised to offer a computationally intensive Information Assurance curriculum in the department because of the sophistication of our existing AIS curriculum). Ultimately, we did win the confidence of the department faculty, though in some instances it might have been grudging acceptance because of what we would lose in the long run if we chose to not have the program.

Jagdish S. Gangolly, 
Associate Professor (j.gangolly@albany.edu)  
Accounting & Law and Management Science & Information Systems 
State University of New York at Albany, Albany, NY 12222. 
Phone: (518) 442-4949 Fax: (707) 897-0601 
URL: http://www.albany.edu/acc/gangolly 

December 11, 2002 reply from Bob Jensen

Hi Jagdish,

I appreciate your informative reply. It appears that Albany has avoided the vexing problem that Notre Dame and the University of Virginia faced with their Masters of Assurance Services Programs for Ernst & Young employees --- http://faculty.trinity.edu/rjensen/255wp.htm#ErnstandYoung 

The vexing problem arises when one of the goals is to have the graduates of the assurance services program also be eligible to sit for the CPA examination. It appears that assurance services masters programs at Albany and Purdue have no CPA examination goal. Hence there can be very little accounting, tax, and auditing in those programs. This was not the case for Notre Dame and the University of Virginia where a major goal is for the graduates to be eligible to sit for the CPA examination in most states.

This begs the question about what career paths students will take after graduating from assurance services programs. It would seem that Albany and Purdue University are envisioning graduates joining consulting firms, computer systems companies, etc. Graduates of the Notre Dame and UVA programs already work for the accountancy divisions of Ernst & Young.

It seems to me that for a career path in the accountancy divisions of a public accounting firm, there is very little future without becoming a CPA.

Hence, I anticipate two types of assurance services degree programs. One type is more focused on computer science and information systems. The other type is more focused on accountancy and accounting information systems.

I think there's room for both types of emerging programs.

Bob Jensen

December 12, 2002 reply from Calderon,Thomas G [tcalder@uakron.edu] 

Our entire grad program (at the University of Akron) is built around an IT security and assurance theme. Each course taught by acct dept faculty has security and assurance content and we attempt to tie everything together in our capstone IS Audit & Control Project (a hands-on project organized as a mini-internship and supervised by a faculty member and a "competent" professional in the field.)

Courses, 3 hrs each, in the program are: 1. Business Application Development (taught by MIS) 2. Applications Development for Financial Systems (taught by accounting -- uses skills learned in BAP to address assurance type problems) 3. Enterprise Resource Planning & Financial Systems (uses Oracle 11i to expose students to architecture, business process issues, & security and assurance issues in ERP environments) 4. Financial Data Communications & Enterprise Integration (focus on XML, XBRL, and security/assurance issues associated with enterprise integration) 5. Advanced Information Systems (database/data warehouse design/assurance issues; use Oracle 8i) 6. e-business foundations (general management issues in a distributed network environment--taught by MIS) 7. e-business technologies (exposure to networks, internet technologies, and application development for a web environment; use Windows OS, Cold Fusion, Oracle--taught by MIS) 8. e-business risk, control & assurance (business risk assessment, security, & assurance for entities that use distributed networks such as the Internet for business critical activities) 9. Assurance Services with Data Warehousing & Data Mining (a hands-on course that uses Classification & Regression Trees (CART), Multivariate Adaptive Regression Splines (MARS), neural networks, and ACL to identify red flags in quantitative data). 10. IS Audit & Control Project (the capstone hands-on project, structured as a mini-internship with a very specific deliverable).

All students admitted into the program must take the following courses if not taken in their undergrad program: 3 hrs of accounting information systems 3 hrs of intermediate accounting 3 hours of auditing 3 hours of cost & management accounting (beyond principles)

We encourage students to prepare for and take the CISA exams and CITP. The program does not attempt to prepare students for any specific professional examination.

Electronic Commerce:  Assurance Services Opportunities and Risks

Possible new assurance service clients for CPA firms
A number of major international charities are opening their doors for the first time to outside inspectors, allowing them to certify that donations are spent as advertised.  The charities say they hope thorough inspections and a new industry seal of approval will assuage public fears of donations being misused. The nonprofits are also trying to keep ahead of a movement in Congress to impose regulations on the fast-growing but largely unsupervised world of nongovernmental organizations.
Michael M. Phillips, "Big Charities Pursue Certification To Quell Fears of Funding Abuses," The Wall Street Journal, March 9, 2005; Page A1 --- http://online.wsj.com/article/0,,SB111033202546074217,00.html?mod=todays_us_page_one 
Bob Jensen's threads on charity frauds are at http://faculty.trinity.edu/rjensen/FraudReporting.htm#CharityFrauds 

Nobody has been more influential in moving the auditing profession toward expansion of scope of services than the former KPMG partner and former Past Chairman of the AICPA than Robert K. Elliott.  In the mid-1990s, Bob Elliott chaired the AICPA Special Committee on Assurance Services.  His basic argument was that the future auditing was becoming increasingly bleak without expansion into a broader scope of services that did not impair professional reputation for CPA integrity and independence.

First he argued that the traditional audited financial statements rooted in standards for industrial companies are rapidly becoming obsolete in terms of usefulness and timeliness to investors.  He stated the following in a November 2, 1998 Saxe Lecture at Baruch College: --- http://newman.baruch.cuny.edu/digital/saxe/saxe_1998/elliott_98.htm 

Now let's focus, in this new environment, on the financial statements that we prepare under generally accepted accounting principles. These financial statements have been designed by the FASB and its predecessors to describe the industrial-era enterprise, the enterprise that creates value by physically manipulating tangible property like raw materials and turning them, by the application of energy and labor, into finished goods, then pushing the finished goods down the line to customers physically. What you see on those financial statements are the very tangible assets of that process. You see the raw material, the work in process, the finished goods. You see machinery and equipment. You see the buildings and the land.

That's what's on the financial statements, but post-industrial enterprises run on a different set of assets. They basically run on intangible assets, such as the capacity of innovation, research and development, human resources, information and know-how, brand equity, relations with customers and vendors, and relations with employees. These intangible assets drive the post-industrial firm, and none of them are on the balance sheet at all. We don't account for them.

Post-industrial enterprises run on intangible assets... Information Research and development Capacity for innovation Human resources ...which are not in the financial statements

Now you're thinking, "Okay, but those are just the post-industrial enterprises. Most of American economy is still making things-automobiles, steel, food." Well, let me tell you, two percent of the American work force is involved in growing things on farms, and ten percent of the American work force is involved in making things in factories. The rest of the work force is doing something else. Seventy percent are involved in the creation, distribution, or use of information. The economy has basically become information-oriented. Even industrial enterprises are no longer strictly tangible-goods companies.

Let me give you an example: Motorola. It's a manufacturing company, so it should be described by an industrial accounting model. Let's look into that. Say you go down to the store and buy a Motorola cellular phone that costs $100. How much of the $100 was for the physical content of the phone? There is less than a penny's worth of sand, turned into silicon. There is less than two cents worth of copper, to make the wires to connect things. There is less than a nickel's worth of oil, turned into a plastic box. What is the rest of the $100? Software, research and development, innovation, brand equity, information. Manufacturing companies are putting out more and more products that are post-industrial. They too run on assets that are not in the financial statements.

Let's took at it graphically, on this slide. In the past, a company's value-producing assets were largely tangible. There were intangible assets, but tangible assets dominated. So at this end of the spectrum, think of United States Steel. You've got steel mills, blast furnaces, land, piles of coal. But the emergent economy is basically working on intangible assets.

At the other end of the spectrum, think Microsoft and think of Microsoft's balance sheet. I guarantee you, Microsoft's balance sheet has nothing of interest on it whatsoever. What are the assets of Microsoft that comprise the balance sheet? A couple of diskettes, probably not even much land. Where is the some $300 billion of Microsoft's market value? It's between the ears of Microsoft's people, not on the balance sheet.

Don't get me wrong; I'm not saying that we should take these intangible assets and turn them into debit and credit entries, but I am saying that ignoring them in the accounting model is a fatal mistake, because what we're doing with these grand financial statements is producing what's in the left-hand column. We're producing periodic historical cost basis financial statements, five terms to describe what we provide as accountants, but look at the right-hand column and you will see the way in which people are used to getting information in every other information domain besides accounting.

Periodic? No. People don't want periodic information. They want to log on and get the information they want on demand. They want up-to-the-minute, if not forward-looking, cost bases. I'm not saying they want to know the current value of the assets as much as I'm saying they want to know the capacity of this basket of assets to make customers better off, to create value for customers.

Sure they want financial information, but they want much more than that: They want to be able to look behind it and see the operating data that lie behind those numbers, see the leading indicators, see the non-financial performance indicators that management itself is using increasingly to run the enterprise, things like customer satisfaction, product and process quality, measures of innovation-those types of things.

Then, the last word in this five-part set is the word statements." We're referring to general purpose financial statements. General purpose financial statements means the information is not exactly what the investors need, not exactly what the creditors need, not exactly what the managers need, not exactly what the regulators need, not exactly what the tax man needs. It's not exactly what anybody needs. It's a compromise.

But today, we actually have the capacity to go in and find out what we want on demand. This trick of summarizing a complex enterprise in two pages, a balance sheet and an income statement, is a neat trick we learned as accountants 500 years ago or so. It was a pretty good trick when people could hardly come into the enterprise, thumb through the journals and ledgers, and form their own impression of the enterprise.

But today, we actually have the capacity to go in and find out what we want on demand. This trick of summarizing a complex enterprise in two pages, a balance sheet and an income statement, is a neat trick we learned as accountants 500 years ago or so. It was a pretty good trick when people could hardly come into the enterprise, thumb through the journals and ledgers, and form their own impression of the enterprise.

But today, users can literally come in and thumb through the journals and ledgers themselves. I don't mean with their thumbs, but with their software. They have the ability to come in and express their information demands and get them met in the format that they need, drill down, and get whatever they want when they want it.

What I am saying is that this left-hand column is not a formula for success in the future. In fact, it leads to something we might call a loss of decision-information market share.

On this graph, what I show, over the extent of the 20th century, is the information content of financial statements available to decision makers. It has been going up somewhat during the century as a result of higher standards, better accounting, better practice, and so forth. Actually, those show a tailing off at the end of the century. That's what I was talking about earlier. These financial statements don't describe the Microsofts and the other post-industrial enterprises.

Looked at this way, the information content of financial statements is declining. At the same time, we have other information. At the beginning of the century, you would certainly need information outside the financial statements to decide whether to commit money to the enterprise as either an investor or a creditor, but a relatively large percent of what we needed could come from the financial statements. You always need some other information, but the financial statements supply a relatively large part of what is needed.

As the century goes on, though, low-tech information intermediaries emerged, people like Moodys, Standard & Poors, and Dun & Bradstreet. Later in the century, you get an explosion of other sources of information because of electronic databases now on line. So while the total information that creditors and investors have is exploding, the piece that we as accountants are involved in preparing and auditing is flat at best, perhaps even declining, but either way, it's a loss of relative market share.

That's why I say we're facing a parlous present. Yet, I have the temerity to tell you there is a great future in front of us. How so? How do I get there?

First, there are some enormous megatrends in our favor. One megatrend is the change from an industrial to an information or post-industrial economy. We as the information people should be able to figure out how to take advantage of the shift to an information economy. Unless we're foolish or lack creativity, that megatrend actually operates in our favor. A second megatrend is that all around the world, people of every type are expressing less and less trust in institutions, businesses, governments, and people. More and more, they want accountability for the money they are investing or contributing, for resources managed by others, and for relationships. They want to be told about what's happening with their trusted inputs.

These demands for accountability express themselves in many ways, but we as the accountability people should be able to figure out how to take advantage of the trend. That's what we supply. If people are demanding more of it, that's good for us.

The third megatrend is that information technology is making markets so much more competitive. You have probably heard this comparison: an Internet year to a regular year is like a dog year to a human year. This enormously speedy change creates turmoil everywhere. That should be good for us. We should be able to step in and help resolve the turmoil by bringing some information discipline to it. What we have to do is figure out how to harness these megatrends.

Continued at http://newman.baruch.cuny.edu/digital/saxe/saxe_1998/elliott_98.htm 

The Special Committee under Elliott's leadership contacted a random sample of CPAs in all 50 states and concluded the following four bullet points as listed on pp. 11-12 of the above document:

Combining insight with integrity, CPAs deliver value. They listed four bullets: 

1. One is communicating a total picture with clarity and objectivity. 
   
2. Second is translating complex information into critical knowledge. 
   
3. Third is anticipating and creating opportunities. That sounds a little more creative than what most people think of when they think of accountants. 
   
4. And fourth is designing pathways that transform vision into reality.

Let me take those four bullets and recast them a bit for you. I want to start here with the information value chain. You have probably seen this in some form or another, but here's the idea. At the left end of this chain, we've got business events and transactions taking place, but we don't know anything about them yet, so the first thing we do is record them. Now we have data about them, and we can begin to take a look at what happened. We take the data, refine and combine it with other information, and we have more than data -- we have information, information from the outside and so forth. That turns into knowledge, and we use that knowledge in order to make wise decisions -- consumption decisions or welfare, political, and social decisions. Any type of decision.

So as you move up the information value chain, you get to higher and higher value activity. The person who sits there at shipping, taking down and recording things going in and out, creating data, is earning what? Perhaps ten dollars an hour. That's what you get for actually creating data. Then you move up to the 30 people who get $100 an hour because they are transforming data into information and refining information into knowledge.

Now let's take those four bullets that I showed you here and locate them on this value chain. The first was communicating the picture with clarity and objectivity. That's down here at this level. The conversion of data and information -- good work, pays decent, but a lot of that is being made redundant by technology. It's not going to be great work too far into the future. The next bullet is translating information into knowledge. That falls right here; that's higher value. People who do that get paid more.

The third bullet is creating opportunities. That lies even further up the value chain, and those people get paid even more. The fourth is designing the pathways that permit people to achieve their vision, and that's where you're up at the top of the value chain. So 3,000 members told us they aspire to move their practice up the information value chain. We also asked, "What do you think are the core values of the accounting profession?" These were the top five that they listed: First, a commitment to continuing education and lifelong learning. Second, competence. They think that whatever they are doing, they must be highly competent at it. Third, integrity -- stands to reason. The reputation of the accounting profession rests on people believing that we have integrity, and that rests on CPAs having integrity. Fourth, they list attunement to broad business issues, not just narrow green-eye shade focus on the numbers, but a holistic view of the enterprise. Fifth, objectivity, which is different from integrity. You can have one or the other or both, but objectivity is the neutrality, trustworthiness. So these are the top five values.

Now look at what our numbers showed as the services with the highest potential in the future. The first one was assurance and information integrity services. They extend the historical audit function, taking in a much broader domain. The second is technology. They see technology services as something that's really going to be high value-added and demanded well into the future. Third, management consulting and performance management. Obvious, right? The fourth is financial planning, helping people to achieve their financial objectives. And fifth, they see the world economy as global and see in that enormous opportunities for international services, much more than we have exploited in the past.

Our members also identified the capabilities that CPAs would need to have in order to succeed in taking advantage of the opportunities they identified. Number one was communications and leadership skills. Number two, strategic and critical thinking skills. You can't get up the value chain if you're just thinking about the production of debits and credits; you have to think strategically, the way the management of the enterprise thinks.

The third needed competency is a focus on customer, client, and market. We talked earlier about mass production, where the producer tries to drive down the price and isn't too concerned whether the product meets specific customer needs. Demassification is where you turn around and face every problem from the customer's perspective. You have to turn around and face the whole thing from the customer's perspective or you won't get the right answer.

The fourth competency is the interpretation of convergent information, by which they mean the ability to interpret both financial and non-financial information. If you only see one side of the picture, you don't have the full story. Fifth, you have to have high technology skills to succeed in this environment. When vision-project participants talk technology skills, they are not talking about the ability to run a PC, do a spreadsheet, and make a Powerpoint presentation; they're talking about a fundamental understanding of how technology reshapes organizations, products, services, and markets, and about the risks of employing technology and the ways in which to control those risks. They are talking about business implications of technology, not just the ability to run applications or deploy software. Those are necessary, but not sufficient in order to succeed.

The vision-project participants mentioned obstacles to achieving this vision-problems we have to solve and issues we have to deal with. One is that we can't get anywhere if the customers don't believe we can do it. So they held that future success would be based on public perceptions of our ability and roles. The second issue is that we've got to become as a profession much more market-driven than we are. Third, we have to be less dependent on traditional accounting and auditing services and focus more on high-value services like consulting. Fourth, you can't face this marketplace as a generalist very well in the future. You've got to specialize in some area. You need the breadth to see problems as a whole, but you also have to have the skills to be able to solve problems in some specialized domain. Fifth, these CPAs are saying that as a profession, they don't think we're sufficiently global in our perspective and outlook. That's an issue as well.

So these are the things that our members are telling us. This is not the leadership of the AICPA telling us what to do; it's the members of the AICPA telling the leaders what to do. That doesn't mean that if the AICPA does those things, the game is won, because other actions are necessary as well. Some actions have to be taken at the level of firms, both industrial firms and CPA practice firms. Since I am in practice and I'm familiar with what we have to do in our firm and firms like it, I'll focus on them.

The first thing that firms have to do in order to realize these opportunities is to adopt a customer focus for the auditing product. The customers are not only the clients, but the investors and creditors out there who are the end users of the information. If we're not making those people better off, we're not going to have much of a job in the future. The second thing is that firms have to build competencies, particularly in the technology area but in some others as well. The third thing is that we have to take our existing product offerings and invest them with higher and higher value. We have to make them more valuable to the customers, and we have to show our customers and clients our capacity to create value.

When they think of CPAs, we don't want them to think only of people who prepare the financial statements and tax returns; we want them to think of CPAs as the people who help them shape their future. Those firms that don't have a research and development arm oriented to finding out customer needs and creating service opportunities to fulfill those needs will have to create one.

It should be stressed that Elliott and the Special Committee viewed assurance services to extend well beyond attestation services.  Attestation is usually associated with verification of past transactions such as attesting to a golfer's score or attesting to the fairness of a contest drawing outcome.  Assurances can be more forward looking in terms of design of systems that are "assured" to perform within specified tolerances.  For example, one type of assurance service proposed by the Special Committee is called WebTrust.  It is intended not so much as an "attestation" that a company in the past did not violate its data privacy policy with customers as it is intended to "assure" customers that the company will abide by its promises in the future.

I greatly admire Bob Elliott and the Special Committee for both giving us a vision for the future and for the boldness in the plan.  The disappointment, at least in the short-run, has been in the inability of CPA firms to undertake many new assurance service experiments.  And some of the experiments like WebTrust that have taken place have been largely disappointing in terms of perceived value in the eyes of potential customers.  

Then came the implosion of Enron and the explosion of the auditing firm, Andersen, that transpired in 2002.  Public respect for the independence and integrity of CPAs plummeted along with short-term prospects that the world was ready for a new type of professional.  Members of the AICPA resoundingly defeated the AICPA proposal that a new professional designation be developed such as the failed XYZ (unspecified) and Cognitor proposed designations.

Rather than focus more and more on expanded services, large CPA firms in the post-Enron era had to divest themselves of large chunks of the consulting practice in concerted effort to restore public confidence in CPAs and in their audit services.  The momentum for expanded assurance services has temporarily slowed, but it will come booming back over the longer term.

Virtually all colleges with accounting programs have added assurance service modules and/or complete courses.

The future of assurance services is so promising, that some major universities have initiated assurance service degree programs apart from traditional accounting and tax degree programs.  Several examples are listed below:

• University of Notre Dame masters degree in Financial Reporting and Assurance Services --- 
  http://www.nd.edu/~msacct/010510/financial_reporting.html 
  
  
• University of Virginia (McIntire School) assurance service masters degree for Ernst & Young employees --- http://www.commerce.virginia.edu/academic_programs/E&Y/E&Yoverview.htm 
  
  
• University of Tennessee Assurance Services Concentration --- http://bus.utk.edu/acct/macc/concentrations_new.htm 

Assurance Services Updates

January 19, 2003 message from Lawrence Gordon [LGordon@rhsmith.umd.edu] 

Dear Bob:

The Journal of Accounting and Public Policy has initiated a new sub-section called "Accounting and Information Assurance Letters." The sub-section publishes short papers (not to exceed 6 printed pages, or approximately 2400 words) that link timely accounting (broadly defined) and information assurance issues to public policy and/or corporate governance. Papers submitted to this subsection of the journal will be reviewed within four weeks of receipt and revisions will be limited to one. Papers accepted for this subsection will be published within four months of acceptance.

We believe that this new section of the journal will help define the relationship between accounting and information assurance, and would be especially pleased to publish papers on this topic from members of the journal's Editorial Board. Accordingly, if you are working on research papers that seem to fit the new section of the Journal of Accounting and Public Policy ,we hope you will consider submitting it to the journal. More information about the new section can be found at: http://www.elsevier.com/inca/publications/store/5/0/5/7/2/1/ . We also hope you will bring this new section of the journal to the attention of your colleagues.

Sincerely,

Larry and Marty

Lawrence A. Gordon, Ph.D. Ernst & Young Alumni Professor of Managerial Accounting and Information Assurance Director, Ph.D. Program The Robert H. Smith School of Business University of Maryland - College Park College Park, Maryland 20742 Phone: (301) 405-2255 Fax: (301) 314-9611 E-mail:lgordon@rhsmith.umd.edu       http://www.rhsmith.umd.edu/accounting/lgordon/ 

Martin P. Loeb Professor of Accounting and Information Assurance Deloitte & Touche Faculty Fellow The Robert H. Smith School of Business University of Maryland, College Park College Park, MD 20742-1815 e-mail: mloeb@rhsmith.umd.edu  phone: 301-405-2209 fax: 301-405-0359

The AICPA's main site of interest --- http://www.aicpa.org/assurance/index.htm 

Assurance Services are defined as "independent professional services that improve the quality or context of information for decision makers." Today's business environment is marked by increased competition and the need for quicker and better information for decisions. In addition, the complexity of systems and the anonymity of the Internet present barriers to growth. Businesses and their customers need independent assurance that the information on which decisions are based is reliable. By virtue of their training, experience and reputation for integrity, CPAs are the logical choice to provide this assurance.

The AICPA's movement into developing additional Assurance Services began with the 1993 Audit/Assurance Conference. The Conference had been concerned with the decline in the demand for audits and other attest services and that the users of Assurance Services had expressed dissatisfaction with their scope and utility. It analyzed why the audit and assurance function had come to this juncture and developed a broad plan for shaping the future of assurance to enhance its value.

The AICPA authorized the Special Committee on Assurance Services ("SCAS") to investigate the issues and what could be done to reposition CPAs for the future. The SCAS's report, The Report of the Special Committee on Assurance Services, was issued in 1997. The report called for the development of additional services to serve the needs of clients. For a complete understanding of the history of Assurance Services, follow the links under About Assurance Services.

The first four services that were developed are: ElderCare Services, Performance View, SysTrust Services, and WebTrust. This section of the AICPA's Web site provides information on each of these services, including: what the service encompasses; the necessary skills; information on developing a practice; and FAQs. In addition, links to the people to contact to request additional information are also provided.

Risk Advisory Services by CPA Firms --- http://www.aicpa.org/assurance/risk/index.htm 

What are Risk Advisory Services and Why Should I Get Involved?

Risk Advisory Services Task Force
Learn about the Task Force's mission, its members and highlights of meetings.

How to obtain a free copy of the new thought leadership document on Risk,
MANAGING RISK IN THE NEW ECONOMY  

Download URL --- http://ftp.aicpa.org/public/download/Managing%20Risk.pdf 

Update on SysTrust --- http://www.aicpa.org/assurance/systrust/index.htm 

The AICPA/CICA Trust Services principles and criteria will be released January 1, 2003. The effective date of the new Trust Services principles and criteria will be effective for engagements beginning on or after January 2003. Earlier implementation is encouraged.

What are SysTrust Services and Why Should I Get Involved? A Brief Introduction on SysTrust Services SysTrust Principles & Criteria What Skills Do I Need to Provide SysTrust Services? Find out what skills are necessary and what resources are available to enable you to offer SysTrust Services. Getting Started Learn about SysTrust licensing agreement and training opportunities. Marketing and Managing a SysTrust Practice Tips on Marketing and Managing Your SysTrust Practice. What's New with SysTrust Services? New standards, product developments, etc. Systems Reliability Assurance Services Task Force Learn about the Task Force's mission and its members. Frequently Asked Questions about SysTrust Press Room Press Releases, Product News, Fact Sheets, Q&As, Case Studies, Spokesperson Biographies, etc. Contact the AICPA

Give feedback on assurance services.

One of the most significant and controversial professional practice areas where Bob Elliott led accounting profession into its new Song of SysTrust.  I don't know if all accountants have noticed the monumental and highly controversial change in attestation services being proposed by the AICPA and the CICA for the public accounting profession.  Most certainly the lyrics are not familiar to non-accountants other than attorneys who, while dancing in their briefs, have difficulty containing their enthusiasm for this new Anthem of the Auditors.  This is the first major shift of the accounting profession into the attestation of complete information services.  Financial audits may eventually be but a small part of the total attestation and assurance service symphony of services.  The proposed new "accounting"-firm service is called SysTrust at http://www.aicpa.org/assurance/systrust/index.htm  .  

Probably the best summary of SysTrust to date is "Reporting on Systems Reliability," by Efrim Boritz, Erin Mackler, and Doug McPhie in the Journal of Accountancy, November 1999, pp. 75-87.  The online version is at http://www.aicpa.org/pubs/jofa/nov1999/boritz.html.  (It might be noted that both Boritz and McPhie are from Canada --- SysTrust is a joint venture with the Canadian Institute of Chartered Accountants and the AICPA in the U.S.)  

How can you protect confidential documents at your Website?

Answer:  See http://www.w3.org/Security/Faq/wwwsf5.html#Q14 

Privacy in eCommerce

Playboy says hacker stole customer info," by Greg Sandoval and Robert Lemos, C|Net News Com, November 20, 2001 --- http://news.cnet.com/news/0-1007-200-7932825.html?tag=mn_hd 

Playboy.com has alerted customers that an intruder broke into its Web site and obtained some customer information, including credit card numbers.

The online unit of the nearly 50-year-old men's magazine said in an e-mail to customers that it believed a hacker accessed "a portion" of Playboy.com's computer systems. In the e-mail, a copy of which was reviewed by CNET News.com, Playboy.com President Larry Lux did not disclose how many customers might have been affected.

Playboy.com encouraged customers to contact their credit card companies to check for unauthorized charges. New York-based Playboy.com also said it reported the incident to law enforcement officials and hired a security expert to audit its computer systems and analyze the incident.

Continued at http://news.cnet.com/news/0-1007-200-7932825.html?tag=mn_hd 

For a brief period, Ziff Davis published the personal information -- including credit card numbers -- of thousands of its subscribers on the Web. --- http://www.wired.com/news/ebiz/0,1272,48525,1162b6a.html 
"A Tell-All ZD Would Rather Ignore," by Declan McCullagh, Wired News, November 20, 2001

Because Ziff Davis' 1.3-MB text file included names, mailing addresses, e-mail addresses and in some cases credit card numbers, a thief who downloaded it would have enough information to make fraudulent mail-order purchases. An executive at one New York magazine firm called the error "a bush-league mistake for a major online publisher."

Zane said Ziff Davis relies on EDS and Omeda database technology to protect subscriber information. He refused to provide details, except to say that "we were doing a promotion not using the EDS and Omeda products."

In interviews, two people who appeared on the Ziff Davis list said they had typed in their information when responding to a promotion for Electronic Gaming Monthly.

"I went to the site and signed up for the free year, but did not sign up for the second year, which was not free," said Jerry Leon of Spokane, Washington, whose Visa number and expiration date appeared in the file. "I get the feeling that this was one huge scam, but that card is now dead, and any charges made on it will be refused."

"If it was just a stupid accident, they are going to regret failing a community that worries about this stuff ever happening, but if something less innocent has occurred, they may as well fold the tents," said Leon, who signed up through AnandTech's hot deals forum.

Rob Robinson, whose address information -- but not credit card number -- was on display, says he subscribed to Electronic Gaming Monthly through a promotion on ebgames.com.

"I'm annoyed that my home info as well as a valid e-mail is available to anyone. That's quite a valuable list of gamers' personal data up for grabs. I feel really bad for the poor folks who are going to have to cancel their credit cards," Robinson said.

It's not clear whether Electronic Gaming Monthly subscribers were the only ones affected by the security snafu, and Ziff Davis refused to provide details. The file appeared at the address http://www.zdmcirc.com/formcollect/ebxbegamfile.dat until around noon EST on Monday.

That address began circulating around Home Theater Forum discussion groups over the weekend, and Ziff Davis at first erased the contents of the database at around 9 a.m. EST Monday. But its system continued to add new subscribers to the public file until Ziff Davis administrators blocked access to that address around midday Monday.

"Every week we learn of new cases where companies used insecure technology or unsecure servers to handle business that utilizes financial information or customer information," says Jericho, who edits the security news site attrition.org. "In the rush to be e-appealing for e-business they e-screw up time and time again."

Jericho has compiled a list of miscreant firms whose shoddy security practices have exposed customer information. The hall of shame includes notables such as Amazon, Gateway, Hotmail and Verizon.

Ziff Davis Media publishes 11 print magazines. It is a separate company from ZDNet, which is owned by CNET Networks.

See also:
HQ for Exposed Credit Numbers
Students Expose Bank ATM Hole
E-Commerce Fears? Good Reasons

Privacy in eCommerce:  Personal Certificates

For discussion of cookies and how to Surf the Web anonymously, see Cookies.

For a general discussion of personal certificates, see http://www.w3.org/Security/Faq/wwwsf5.html#CON-Q12 

What is WebTrust?  What are its major competitors?  

Hint: See the following:

• http://www.aicpa.org/assurance/webtrust/princip.htm 
• http://dir.yahoo.com/Computers_and_Internet/Internet/Issues/Privacy/Privacy_Seal_Programs/ 
• http://www.truste.org/ 
• http://www.bbbonline.org/ 
• http://dir.yahoo.com/Computers_and_Internet/Internet/Issues/Privacy/ 

Question:  
What makes WebTrust more "trusted" vis-a-vis its competitors (aside from being CPA or CICA firms)?

Answer:  
WebTrust is the only service that requires random site visits by independent CPA firms to spot check if privacy policies are being adhered to by the WebTrust client.

Truste Network Authenication Security in Question

Even one of the originators of the Internet's wannabe consumer seal -- ubiquitous technologist Esther Dyson -- is disappointed in the way the service has panned out.

"Just How Trusty Is Truste?," by Paul Boutin, Wired News, April 10, 2002 --- http://www.wired.com/news/exec/0,1370,51624,00.html 

Enron had Arthur Andersen. Yahoo has Truste, the nonprofit privacy organization whose seal of approval is designed to assuage consumer fears about giving personal information to websites.

But Yahoo's recent announcement of sweeping changes in the way it will use customer data collected under previous policies has many calling Truste's seal as meaningless as an Andersen audit.

Even Esther Dyson, the high-profile technologist who played a major role in Truste's launch five years ago, says she is "disappointed in what ended up becoming of it."

By its own account, Truste was conceived at Dyson's industry-leading PC Forum conference in 1996. Dyson credits others with the concept, but she pushed both publicly and privately for the establishment of the nonprofit company and adoption of its "trustmark," which certifies that online companies comply with their own stated privacy policies.

Truste makes no attempt to set privacy policies. It merely ensures that companies clearly state their own rules for handling customer data, and then adhere to them.

"We thought disclosure would be enough," Dyson said.

Web surfers, her reasoning went, would read the various companies' policies themselves and make their own choices, letting companies use privacy policies as a competitive differentiator. Truste's seal would simply ensure that the policy was being followed, so that "between two sites I've never heard of, I'd rather pick the one that has the Truste logo," she explained.

But over the years, a series of Truste clients have managed to violate the spirit, if not the letter, of their Truste-approved policies.

Rather than revoking seals left and right, Truste officials often seemed to be covering for their clients -– explaining, in one case, that a Real Networks media player which reported users' video selections back to Real headquarters in Seattle was "outside of the scope of Truste's current privacy seal."

Their reasoning: The program uploaded data not to Real's website, but to a nearby set of servers.

"That symbol is meaningless, because of the number of institutions it has been associated with and the things they've gotten away with," said Yahoo user Jenifer Jenkins, who claims she stopped using Yahoo mail and other services last week after learning of the company's policy changes. "If (Yahoo) wants to be the first place people go on the Internet, they need to clean up their act."

Dyson agreed that, despite being co-founded by outspoken privacy advocates the Electronic Frontier Foundation, Truste's image has slipped from consumer advocate to corporate apologist. "The board ended up being a little too corporate, and didn't have any moral courage," she said.

"Clearly, if you're hostile all the time you're not very effective. But you have to have the moral courage to say, 'This is wrong, even if it's not in our contract.'"

Truste executive director Fran Maier argued that in Yahoo's case, critics don't recognize how much work her organization did to keep the megaportal in line -- not only with its own policy, but with generally acceptable behavior. "I can't tell you all the things they wanted to do, but believe me, we were there," she said.

"We reviewed a number of proposed changes, some of which were made, some weren't," she added. "It went through the highest level of oversight at Truste. Before they can launch or relaunch something with our seal on it, they have to deal with our review."

Continued at  http://www.wired.com/news/exec/0,1370,51624,00.html 

---

You must be when viewing a corporate Website that you think is authentic but is a total fraud.  One such site is http://www.dowethics.com/  which spoofs the genuine http://www.dow.com 

The site at dowethics.com is a very clever spoof site that mirrors the real corporate site but runs it with stories against the company.  It is interesting because it appears to be very authentic and illustrates how companies really do need authentication seals such as Verisign, the Better Business Bureau BBB seal, or the WebTrust Seal --- http://faculty.trinity.edu/rjensen/ecommerce/000start.htm#SpecialProblems 

 

Question:  What is the most popular and less costly privacy seal alternative relative to WebTrust?

Answer:  The Better Business Bureau --- http://www.bbbonline.org/privacy/index.asp 

 Of the many challenges facing the Internet, privacy has risen above them all as the number one concern (and barrier) voiced by web users when going online. Participants in the BBBOnLine Privacy Program are addressing this concern head-on with responsive and effective self-regulation. By subscribing to responsible information practices, BBBOnLine Privacy participants are promoting the vital trust and confidence necessary for their own and future success of the Internet.

Taking advantage of the significant expertise the Council of Better Business Bureaus wields in self-regulation and dispute resolution, the BBBOnLine Privacy Program features verification, monitoring and review, consumer dispute resolution, a compliance seal, enforcement mechanisms and an educational component. The BBBOnLine Privacy Program offers consumers a user-friendly tool that helps increase their comfort while on the Internet and is a reasonably priced and a simple, one-stop, non-intrusive way for business to demonstrate compliance with credible online privacy

Question on Website (Provider) Authentication
How can you find out that you are not at a phony site that pretends to be legitimate?

Answer:
Look for a logo verification seal on at the site.  Although the AICPA's WebTrust seal is primarily a Web privacy seal (credit card information, medical information, etc.), the WebTrust seal is also a seal that assures users that the site is not a phony imitation of a real site --- http://www.aicpa.org/assurance/webtrust/princip.htm 
The WebTrust privacy and logo verification seal contains the following image on a document (the image below is for illustration only and is not valid on Bob Jensen's Web documents).

A less costly  logo verification seal is the VeriSign seal if it appears on a document (the image below is for illustration only and is not valid on Bob Jensen's Web documents).

"VeriSign Delivers Protections for Digital CPA Documents," by Wayne Harding, Journal of Accountancy, May 2002 ---  http://www.aicpa.org/pubs/jofa/may2002/cpa2biz.htm 

CPA2Biz, the AICPA, and VeriSign are now offering Authentic Document Service to CPAs. Through the use of Authentic Document IDs CPAs can notarize electronic documents. This notarization prevents any changes— a paragraph being deleted, a sentence added, even a space changed.

VeriSign --- http://www.verisign.com/ 
Get VeriSign's free white paper at https://www.verisign.com/cgi-bin/clearsales_cgi/leadgen.htm?form_id=0714&toc=w093325300714000&email= .

Learn From the Experts VeriSign's Training Courses cover all areas of enterprise security including Firewalls, PKI, VPNs, Applied Hacking, and Web Security. Our small classes, hands-on labs, and world-class instructors ensure the highest level of security for your networks. Download our FREE White Paper, "VeriSign Internet Security Education: E-Commerce Survival Training" outlining the benefits of security education.

Retail Services   SSL Certificates   Payment Services   Domain Names     Web Site Services     Secure E-Mail Certificates     Authentic Document IDs     Code Signing IDs     Wireless Server Certificates    Enterprise Services   SSL ID Management for Multiple Servers     Authentication and PKI   Authorization Services     Payment Services   Online Brand Protection Services   Managed DNS Services

Professional Services   Consulting     Training  Solutions   Financial Services   Government   Healthcare   Wireless   B2B   Smart Card   Cable Modem

The Better Business Bureau (BBB):  Another Source of Website (Provider) Authentication --- http://www.bbb.org/ 

Although the BBB is best known as a place where consumers and businesses can file complaints about unethical, deceptive, and illegal commerce and charitable practices, the BBB also provides an Internet seal of Website (Provider) Authentication.  

For a general discussion of personal certificates, see http://www.w3.org/Security/Faq/wwwsf5.html#CON-Q12 

Advantages of and risks of cookies --- see Cookies.

What is user authentication?

Answer See Question 4 at http://www.w3.org/Security/Faq/wwwsf5.html#Q14 

User verification is any system that for determining, and verifying, the identity of a remote user. User name and password is a simple form of user authentication. Public key cryptographic systems, described below, provide a more sophisticated form authentication that uses an unforgettable electronic signature.

Continued at at http://www.w3.org/Security/Faq/wwwsf5.html#Q14  

What Dollar Rental Car Company now requires from persons who rent cars might be extended to people who conduct transactions on Websites.  Dollar Rent A Car is currently making customers give a thumbprint before they give them the keys, another example of biometrics being used for ID purposes.

"No Thumbprint, No Rental Car," by Julia Scheeres, Wired News, November 21, 2001 --- http://www.wired.com/news/privacy/0,1848,48552,00.html 

My other electronic Business links are at http://faculty.trinity.edu/rjensen/ecommerce.htm 

Crime and Justice Data Online --- BJS http://149.101.22.40/dataonline/ 

"Conquering the Security Silos," by Jerry Trites, IS Assurance Blog, April 5, 2011 ---
http://uwcisa-assurance.blogspot.com/

Ten Ways to Reduce Chargebacks and Fraud Merchants' concern about online credit card fraud and chargebacks is rising at a significant rate. According to the 2001 Online Fraud Report conducted by Mindwave Research, 41 percent of merchants say the issue of online credit card fraud is "very serious" to their business. http://www.newmedia.com/default.asp?articleID=3443 

Bob Jensen's threads on fraud are at http://faculty.trinity.edu/rjensen/fraud.htm 

Bob Jensen's e-Commerce threads are at http://faculty.trinity.edu/rjensen/ecommerce.htm

A Special Section on Computer and Networking Security

Comparisons of Antivirus and AntiMalware Software --- http://en.wikipedia.org/wiki/Comparison_of_antivirus_software#Microsoft_Windows

Facebook is perhaps the ultimate example of the old, wise saying: If you aren’t paying for a product, then you ARE the product
Comparisons of Antivirus Software ---
http://en.wikipedia.org/wiki/Comparison_of_antivirus_software#Microsoft_Windows

Introduction --- See Below

Top Security Threats of 2013 ---
https://mail.google.com/mail/u/1/?shva=1#inbox/143347ddcfff49f5

Social Scams

Big Google Becomes Big Brother

How to track a stolen iPhone

Chinese Water Army

Cloud Security

Cybersecurity Curriculum Resources --- https://niccs.us-cert.gov/education/curriculum-resources

How to make stolen laptop data useless to thieves

Is your data safe? Survey reveals scandal of snooping IT staff

Protecting security while using public a network in a library, cyber cafe, hotel, or wherever

Viruses and Worms and Malware

Spyware  (and SiteAdvisor)

Cell Phone Records are for Sale 

Identity Theft:  Phishing , Pharming, Vishing, Slurping, and Spoofing
Question
When might you want to run Linux on your Windows computer?
"E-Banking on a Locked Down (Non-Microsoft) PC," by Brian Krebs
http://faculty.trinity.edu/rjensen/FraudReporting.htm#IdentityTheft 

Pretexting

Cookies 

Spam Blocking 

Searching Dangers:  Beware of Search Engines

Hacking Into Systems

Security on Public Wireless Networks

Denial of Service Attacks 

Spy Tools:  How safe are unlisted phone numbers?

Forget Big Brother, Now You Are Being Watched by Almost Anybody

Weapons of Information Warfare  

Threads on Firewalls --- Go to  http://faculty.trinity.edu/rjensen/firewall.htm 

Identity Theft http://faculty.trinity.edu/rjensen/FraudReporting.htm#IdentityTheft 

Encryption

New Tech Tools to Combat Fraud

2012 Internet Crime Report
IC3 via FBI, May 14, 2013
http://www.fbi.gov/news/stories/2013/may/internet-crime-in-2012/internet-crime-in-2012

Bob Jensen's Fraud Updates ---
http://faculty.trinity.edu/rjensen/FraudUpdates.htm

 

The Downside: Psychology of Electronic Commerce and Technology 

Intangibles Accounting Issues --- http://faculty.trinity.edu/rjensen//theory/00overview/theory01.htm#TheoryDisputes 

Managerial Accounting Issues --- http://faculty.trinity.edu/rjensen/ecommerce/managerial.htm 

How Can Technology be Used to reduce Fraud? --- http://faculty.trinity.edu/rjensen/ecommerce/managerial.htm#Issue7 

ROI Issues --- http://faculty.trinity.edu/rjensen/roi.htm 

Implications for Auditing and Assurance Services --- 
http://faculty.trinity.edu/rjensen/ecommerce/assurance.htm 

Opportunities of E-Business Assurance & Security:  Risks in Assuring Risk --- http://faculty.trinity.edu/rjensen/ecommerce/assurance.htm 

Accounting Fraud, Forensic Accounting, Securities Fraud, and White Collar Crime

The Controversial Electronic Commerce of Education --- http://faculty.trinity.edu/rjensen/000aaa/0000start.htm

Investor Relations and Internet Reporting   

Education and Training   

Evaluation of Websites 

Search for Internet, e-Commerce, or e-Business Phrases

Top Year 2002 Accounting Technologies 

Bob Jensen's Threads on Electronic Commerce --- 
http://faculty.trinity.edu/rjensen/ecommerce.htm 

Bob Jensen's Threads on Electronic Commerce in College Curricula --- 
http://faculty.trinity.edu/rjensen/ecommerce/curricula.htm 

Accounting Threads

• Bob Jensen's Tutorials on eCommerce, eBusiness, and eEducation
  
  
• Threads on Fees and Choosing Accountants, Financial Advisors, and Consultants
  
  
• FAS 133 Threads (including audio links to experts)
  
  
• Accounting Theory
  
  
• Accounting Information Systems

• Enterprise Resource Planning (ERP) Education Modules
  
• Assigments
  
•   Helpers

• Accounting Fraud, Forensic Accounting, Securities Fraud, and White Collar Crime
  
  
• Opportunities of E-Business Assurance:  Risks in Assuring Risk
  
  
• A Special Section on Computer and Networking Security  
  
  
• Threads on Firewalls
  
  
• Bob Jensen's Technology Glossary
  
  
• Computers in Accounting: Past, Present, and Future
  
  
• Bob Jensen's Threads on the Decline in Accounting Majors in U.S. Colleges 
   
  
• CPA --- Career Passed Away
  
  
• Glossaries
  
  
• Bob Jensen's Threads on Real Options, Option Pricing Theory, and Arbitrage Pricing Theory 
  
  
• Bob Jensen's Threads on Return on Investment (ROI)
  
  

MIT:  The 20 Most Infamous Cyberattacks of the 21st Century (Part I) --- Click Here
http://www.technologyreview.com/view/540786/the-20-most-infamous-cyberattacks-of-the-21st-century-part-i/?utm_campaign=newsletters&utm_source=newsletter-daily-all&utm_medium=email&utm_content=20150825

Comparisons of Antivirus and AntiMalware Software --- http://en.wikipedia.org/wiki/Comparison_of_antivirus_software#Microsoft_Windows

iKeepSafe: Educators --- http://www.ikeepsafe.org/educators/

Infosecurity Magazine --- http://www.infosecurity-magazine.com

May 20, 2013 Message from Dennis Huber

Read about security research as it happens. Obtain in-depth security information including, research & statistics, white papers, presentations and the latest threat maps that display the most recent data collected by Websense Security Labs.

http://www.antiphishing.org/apwg-news-center/crimeware-map/

How to Protect Yourself Against Online Spying ---
http://getitdone.quickanddirtytips.com/how-to-protect-yourself-against-online-spying.aspx

Big Brother is Watching Your Kid
"Texas Schools Win Right To Track Students With Creepy, Invasive RFID Locators," by Adam Popescu, ReadWriteWeb, January 10, 2013
http://readwrite.com/2013/01/10/texas-schools-win-right-to-track-students-with-creepy-invasive-rfid-locators 

Jensen Comment
I wonder if similar devices will one day be implanted in every child at birth. Think of the good and bad possibilities.

"Java Is No Longer Needed. Pull The Plug-In," by Antone Gonsalves, ReadWriteWeb, September 5, 2012 ---
http://www.readwriteweb.com/hack/2012/09/java-is-no-longer-needed-pull-the-plug-in.php

For nearly everyone, it’s time to dump Java. Once promising, it has outlived its usefulness in the browser, and has become a nightmare that delights cyber-criminals at the expense of computer users.

 Java Today

Sun Microsystems released Java in 1995 as a technology for building applications that could run on any platform, including Windows, Macintosh and Linux. In its heyday, major browsers embraced Java for running applets within pages. All anyone needed was a browser plug-in for executing programs.

Today, that plug-in has become a top security risk, along with Adobe Flash. Partly to blame for the problem is Oracle, which acquired Sun and its invention in 2009. The database vendor has heightened the risk by failing to launch timely patches.

The latest security meltdown is a case in point. Despite being warned in April of critical vulnerabilities, Oracle did not get around to releasing an emergency patch until last week, after reports that cyber-criminals were exploiting the flaws. Security Explorations, the Polish firm that first reported the vulnerabilities to Oracle, later said the patch contained a flaw that could be used to circumvent the fix.

The Latest Threats

In the meantime, criminals are having a field day. Atif Mushtaq, security researcher at FireEye, says the number of computers infected with malware exploiting the flaws is growing. As of Tuesday, up to a quarter-million computers had been infected. Hackers are at an advantage because computers users are laggards when it comes to applying Java patches. Up to 60 percent of Java installations are never updated to the latest version, according to security vendor Rapid7.

Over the just-past Labor Day weekend, the SANS Institute’s Internet Storm Center and Websense reported finding separate phishing campaigns trying to lure people to malicious sites capable of exploiting the vulnerabilities. SANS discovered link-carrying emails that copied a recent Microsoft message about service agreement changes. Websense found emails disguised as order verification messages from Amazon.

Security experts rate the latest flaws as critical, because hackers can use them to commandeer a computer and take whatever data they want. Risking that kind of damage for a technology with little purpose makes no sense.

What Security Experts Advise

Security experts are hard pressed to say what Java does for most people. While some online games and business applications need a Java plug-in to run, nearly all modern sites, including Facebook and Twitter, use JavaScript, XML and HTML 5, which run natively in the browser. Therefore, people could happily surf the Web for years without ever running Java.

Those who are using a Java application, should run it in a dedicated browser that’s used for nothing else, Patrik Runald, director of security research at Websense, says. Another browser should be used for daily Web surfing. “I’ve run a browser with Java disabled for years,” he said.

Supporters once believed that Java would play a significant role in running Web applications. That never happened. Instead, browsers became the operating system for the Web. “(Java) never took off the way it was anticipated,” Runald said.

So the verdict is clear. Disable Java plug-ins in all browsers, whether Firefox, Chrome or Internet Explorer. Java’s glory days are over and it’s time to pull the plug.

Bob Jensen's threads on computer and networking security ---
http://faculty.trinity.edu/rjensen/ecommerce/000start.htm#SpecialSection

"How Cybersleuths Took Down Spam King Grum," by Dan Rowinski, ReadWriteWeb, July 20, 2012 ---
http://www.readwriteweb.com/archives/how-cybersleuths-took-down-spam-king-grum.php

Governments, researchers and private companies are working overtime to root out spam from the Internet. Today brings good news: Grum, a botnet responsible for 18% of all spam, is no more. Here's how a team of crack cybersleuths took down the world's third-largest spammer.

The search-and-destroy stories that surface when a spam botnet is taken down are some of the juiciest to be found in any medium. Botnet takedowns have all the elements of a great plot: a global villain, exotic locales, despicable offenses, dedicated heroes who strive for the good of humanity, and a mystery that takes many steps to uncover. It is "Dick Tracy" meets "Hackers."

Grum was a devious mist of a network with no obvious central structure. The face of a botnet like Grum is a distributed sub-network of command-and-control (CnC) servers. These machines direct an army of zombie underlings, ordinary personal computers that have been infected with malware that takes orders from CnC to churn out spam. Grum marshaled at least 120,000 spam-spewing zombies, according to Spamhaus. The actual number of zombies in the network could have been a lot more.

Grum has been in existence for at least four years, an impressive lifespan for a botnet, according to Atif Mushtaq, senior staff scientist at security company FireEye. Mushtaq, along with Carel van Straten and Thomas Morrison from Spamhaus and Alex Kuzmin from CERT-GIB, tracked down the botnet. An anonymous security researcher who goes by the name Nova7 also helped track down the spammers. Their mission was to discover the CnC servers and systematically take them offline. 

By tracking IP addresses, FireEye and other researchers were able to track Grum to a central CnC location in the Netherlands. The team sent abuse notifications to the Dutch authorities telling them to cut off access to the servers through its Internet Service Provider (ISP). Authorities in the Netherlands acted fairly quickly and Grum's primary hub was taken down.

But Grum was not so easily stopped. Like Hercules battling the Lernaean Hydra, the team cut off one head only to watch two grow in its place. Its Dutch head having been decapitated, the botnet moved its resources to secondary servers in Panama and Ukraine. These servers were more difficult to deal with because ISPs in those countries often look the other way, making them notorious safe havens for botnets. “Shutting down any servers there has never been easy," Mushtaq said.

The sleuths applied pressure until the ISP hosting Grum in Panama shut off access to the botnet. It was a big success for the research team, but the battle was not yet over. 

“After seeing the Panamanian server had been shut down, the bot herders moved quickly and started pointing the rest of the CnCs to new secondary servers in Ukraine," Mushtaq wrote. "I was thinking that all we needed was to take down one Russian server, but right in front of my eyes, the bot herders started pointing their botnet to new destinations. I must say, for a moment, I was stunned. The bot herders replaced the two Dutch servers with six new servers located in Ukraine."

Mushtaq passed this information to the other researchers who then pressured their contacts in Ukraine and Russia to take down these servers. By 11:00 a.m. PST on July 18th, the servers had been taken offline and the battle to destroy Grum was won.

The Battle Against Botnets

For a long while, the primary agents against botnets were governments. These entities could use their power to force ISPs to sever access to CnCs that control the zombie armies. But governments are often not well equipped to do so. Moreover, they act slowly and do not always prioritize campaigns against botnets.

That has changed. In the last several years, the fighting of botnets has become a private-sector effort, with researchers such as those at FireEye leading the charge. Microsoft has also entered the fray. In July 2011, Microsoft offered $250,000 for information leading to the capture and conviction of the individuals responsible for Rustock. This makes sense: Microsoft’s Windows operating system is the most installed computer software in the world. Malicious hackers who launch botnet malware have historically focused on Windows for this reason. It behooves Microsoft to be as proactive as possible in helping track down the people responsible.

Continued in article

September 13, 2012 reply from Jagdish Gangolly

Bob,

It is true that the use of java applets never did take-off as expected. Many started developing swing applications and server-side scripting instead, to avoid incompatibility problems with applets. Development of languages such as PHP also was a factor. Another factor was the reluctance of companies to relegate any aspect of computing to the browser, coupled with the decreases in hardware costs.

Java remains the language of choice to date, Gonsalves notwithstanding. It is a very safe language, safer than all others I know and have programmed in. It is nowadays the first language that most students study. It is also the language of choice in teaching and in developing industrial applications.

I have taught AIS courses using prolog, C, C++, as well as Java. Java was the language that gave me and the students least headaches. I also have worked with research labs in industry, and Java is the language of choice, and the only language that comes even close is C++.

Mr Gonsalves is mixing up java as a language and java applets as a browser plug-in.

Regards,

Jagdish

"Technology 2012 Preview: Part 2 Experts explore hot topics in software, hardware, security, social media and video," by Jeff Drew,  Journal of Accountancy, December 2011 ---
http://www.journalofaccountancy.com/Issues/2011/Dec/20114544.htm

"Technology 2012 Preview: Part 1 Experts explain what should be at the top of your tech wish list for the new year,"  by Jeff Drew,  Journal of Accountancy, November 2011 ---
http://www.journalofaccountancy.com/Issues/2011/Nov/20114310.htm

Bob Jensen's neglected threads on accounting software ---
http://faculty.trinity.edu/rjensen/Bookbob1.htm#AccountingSoftware

Digital Forensics and Cyber Security Center at the University of Rhode Island ---
http://www.dfcsc.uri.edu/

Stay Safe Online --- http://www.staysafeonline.info/ 

"Endpoint Security is Changing Fast," by Richi Jennings, Computer World, December 14, 2011 ---
http://blogs.computerworld.com/19426/the_endpoint_protection_you_need_in_2012
Thank you Jerry Trites for the heads up ---
http://uwcisa-assurance.blogspot.com/

Sophisticated social engineering techniques for hacking are becoming the norm. And it is moving fast, such that traditional tools don't do the job any more. Advanced Persistent Threat (APT) is one of the manifestations of this trend. It involves sending malware to people disguised in something that is likely to appear to them and to fool them. APT messages are very customized, based on knowledge of a person that is obtained from information available in the internet, through such social media as Facebook and perhaps other sources.They can even follow shortly after a person performs some action, such as paying bills on their bank website. In such a case, they might receive a message that their transaction has failed, or that their account has gone into an overdraft and they should log in (to a bogus account) and verify it. There are countless variations.

Most of us are aware of many of these messages and don't get fooled by them. However, there is a possibility that one variation might be sufficiently relevant that we are fooled, and it might only take once to cause a lot of damage.

Companies are exposed because all of their employees are exposed, and might inadvertently expose corporate assets to theft or damage.

Various solutions are available, many cloud based, that are particularly designed to keep up with the rapidly changing trends in this area. It is imperative to keep up with these tools. Such knee jerk reactions as prohibiting employees from using Facebook and the like just won't work. But some clearly defined and carefully designed policies around the use of corporate computers, resources and IDs are badly needed.

Continued in article

Databuse: Digital Privacy and the Mosaic --- http://www.brookings.edu/papers/2011/0401_databuse_wittes.aspx

"Social Networking Threats to Security," by Jerry Trites, IS Assurance Blog, August 25, 2011 ---
http://uwcisa-assurance.blogspot.com/

This article links to
"Social networking security threats by the numbers," IT World of Canada, August 15, 2011 --- Click Here
http://www.itworldcanada.com/news/social-networking-security-threats-by-the-numbers/143741?sub=1520550&utm_source=1520550&utm_medium=top5&utm_campaign=TD+

Question
Don't you wish Microsoft Autorun would've run aground in 1995?

As a feature first introduced way back in Windows 95, Autorun had...well, a pretty good run, particularly considering how long malware has used it as a propagation method. Frankly, I'm surprised that Microsoft kept Autorun as the default option for as long as it did, given the company's Trustworthy Computing security initiative, launched in January 2002 with a memo from Chairman Bill Gates that memorably stated, "When we face a choice between adding features and resolving security issues, we need to choose security."

"What Windows Autorun Has Wrought," by Brian Krebs, The Washington Post, November 3, 2009 ---
http://voices.washingtonpost.com/securityfix/2009/11/what_windows_autorun_hath_wrou.html?wprss=securityfix

In its latest "Security Intelligence Report," Microsoft counted the number of threats detected by its anti-malware desktop products, and found that the Conficker worm, along with a Trojan horse program called Taterf which steals passwords and license keys for popular computer games, were detected on 5.21 million and 4.91 million Windows computers, respectively.

The original version of Conficker emerged nearly a year ago, and initially it spread by exploiting a networking vulnerability in Windows. But Conficker infections soared by the millions in January with the arrival of Conficker B, which introduced the ability to spread via the Autorun capability in Windows. Taterf spreads exclusively via Autorun.

Together, these two threats accounted for more than 35 percent of the top 10 malicious software infections in first six months of this year, Microsoft found (click the chart below for a breakdown of those threats). According to the previous Security Intelligence Report, more than 17 percent of infections in the second half of 2008 were by malware that can spread via AutoRun.

In April, after the third version of Conficker became front-page news and even fodder for feature story on 60 Minutes, Microsoft announced that its AutoPlay function would no longer support AutoRun for USB drives. Autorun is disabled for USB drives in Windows 7 (the new OS still automatically plays any inserted CDs and DVDs). In late August, Microsoft released a patch that similarly disables Autorun on Windows XP, Vista, Windows Server 2003 and Server 2008 systems.

However, this patch does not appear to have been pushed out through Microsoft's Automatic Updates or Windows Update, so if you'd like to install it, you'll need to visit this link and download the appropriate version for your operating system. Users who install this update will no longer receive a setup message that prompts them to install programs that are delivered by USB thumb drives. Wilders Security Forum has a nice writeup on this patch, and offers some harmless sample code to test whether your Windows box has this feature enabled.

As a feature first introduced way back in Windows 95, Autorun had...well, a pretty good run, particularly considering how long malware has used it as a propagation method. Frankly, I'm surprised that Microsoft kept Autorun as the default option for as long as it did, given the company's Trustworthy Computing security initiative, launched in January 2002 with a memo from Chairman Bill Gates that memorably stated, "When we face a choice between adding features and resolving security issues, we need to choose security."

On a more positive note, Microsoft found that the number of infections associated with rogue security software fell to 13.4 million in the first six months of this year, down from 16.8 million in the latter half of 2008. Microsoft also tracked a tenfold decrease in infections from Zlob, a Trojan that masquerades as a video player plug-in. Redmond said Zlob infections fell from 21.1 million at its peak in 2007 to 2.3 million in the first half of 2009.

The key findings from Microsoft's Security Intelligence Report Version 7 are available here (PDF).

Questions that have stumped the experts at Snopes --- http://www.snopes.com/humor/question/requests.asp

Apple is Slow When Patching Security Flaws

Six months may seem like a long time to address a particularly dangerous vulnerability, but it's about par for the course with Apple and its record on patching Java flaws. I have reviewed the last three Java updates that Apple shipped during the past 18 months, and found that Apple patched Java flaws on average about 166 days after Sun had shipped its own patch to fix the same vulnerabilities.
Brian Krebs, "Apple Slow To Fix Java Flaws," The Washington Post, May 22, 2009 --- Click Here

Internet Fraud Prevention Helpers from the Federal Trade Commission
OnGuard Online --- http://www.onguardonline.gov/default.aspx

Federal Trade Commission (Then and Now) --- http://www.ftc.gov/index.html

Bob Jensen's fraud prevention helpers --- http://faculty.trinity.edu/rjensen/FraudReporting.htm

Introduction to Security Edition 7, by Robert J. Fischer and Gion Green (Elsevier, 2004)
Note that this link provides a very generous preview --- Click Here
Parts could be used by students for free and other readers gainfully for no charge.

Putting a condom around the computer also does not help!

Learn the fundamentals of the game and stick to them. Band-aid remedies never last.
Jack Nicklaus as quoted by Mark Shapiro at http://irascibleprofessor.com/comments-01-12-09.htm

My Recent Saga With Malware
Since viruses vary in terms of how difficult they are to disinfect from your computer, some of the remedies that failed for my deep-seated infections may not fail in all instances. In my case I had to give up and rebuild the hard drive, which is tantamount to getting a new computer.

I tried a number of different software downloads (some free and some fee-based) to rid my computer of infections that kept returning even when my main computer was disconnected from any network. Some of the disinfectants worked, but they also created more problems than the malware itself.

In the end I gave up and had the hard drive cleaned and started over with the same hardware and re-installed software. I suspect the problem is that I just don't know enough fundamentals of the game when it comes to disinfecting malware from the system, although the pros tell me that some malware just cannot be disinfected without cleaning out (called rebuilding) the entire hard drive and starting over. That's like killing the patient to rid her of chronic headaches. Sometimes the bad guys win. Sigh!

In my case I think I got the infection from a site that pretends to improve computer efficiency and security. Since I can't be certain, the site will remain anonymous. I'm told the most dangerous sites to visit include gambling sites, porn sites, and computer protection sites from sources other than trusted sources. Except when a computer-protection site is recommended by a trusted magazine like PC Magazine, a trusted newspaper like the tech section of The Washington Post, or trusted friends like your employer's tech support team, don't go there and most certainly don't download anything from that site even though it promises improved computer security and efficiency. Remember that some bad guys put up Web documents claiming some downloads are safe when in fact they are not at all safe. Don't trust all Google or Yahoo hits in this regard. The bad guys have Web documents and YouTube videos that lie big time.

Google searches can be hazardous to your computer's health. Of course there's a gray zone where I think taking chances are necessary to scholarship. Be more cautious about downloading files than merely visiting a site. Also some types of download files are more dangerous than others.

Don't be led into complacency that your anti-virus shields stop all the serious bad stuff. Wikipedia has a pretty good module on computer security --- http://en.wikipedia.org/wiki/Computer_security

I think my next new computer will be a Mac where computer and networking security is enormously better than PCs operating under Windows, but certainly Mac security is not perfect. The most popular Mac browser, Safari, had had some known security problems in the past. Before buying a Mac I will further investigate the current Safari risks. Fortunately Firefox makes a browser version for Mac computers. Unfortunately I will still mostly use a Windows machine since my Web servers, LAN servers, and email server are all at Trinity University. The Trinity University network service is only Windows-friendly. And I can only get Trinity's free and excellent tech support for a Windows computer.

In my case it's not the cost of a new computer that frustrates me. What frustrates me is that all the installed software must be dug out of my barn or repurchased. Training a new computer is even more frustrating than training a new puppy.

By Comparison, My Malware Problems are Rather Insignificant
Tens of millions of credit cards could be at risk of fraudulent use thanks to a serious computer-security breach at financial-transactions company Heartland Payment Systems. Earlier this week, Heartland revealed that a piece of malicious software, apparently installed inside the company's transaction-processing system last year, had compromised credit-card data as it crossed the network. The breach was announced on Tuesday--the day of the U.S. presidential inauguration--and, according to some experts, it shows that attackers are successfully defeating the financial industry's tough computer-security rules. "The potential is certainly there for this to be one of the biggest, if not the biggest breach we've seen," says Rich Mogull, founder of computer-security consulting company Securosis. "Something huge had to have gone wrong here." It's not clear precisely what kind of malicious software was used, or how many credit-card accounts were compromised. But company president Robert Baldwin has said that Heartland handles as many as 100 million transactions per month.
John Borland, "Malware Swipes Millions of Credit Cards A security breach shows failings in security rules," MIT's Technology Review, January 22, 2009 --- http://www.technologyreview.com/computing/22007/?nlid=1714&a=f

Engaging Privacy and Information Technology in a Digital Age --- http://books.nap.edu/catalog.php?record_id=11896 

Remember those trackers who rode ahead of the posses of the wild west

"How Do I Track My Kid's Surfing? Tammy Setzer wants a way to keep her children from deleting their Web browsing history," by Lincoln Spector, PC World via The Washington Post, May 5, 2009 --- Click Here

The browsers, like Internet Explorer and Firefox, won't let you do that. In fact, they're going in the opposite direction. They're adding features to help users cover their tracks. (I discuss these tools in Selectively Delete Some of Your Browsing History.) That's wonderful for adults, but it's problematic if you need to protect your children.

What you need is child protection software--a program that will operate in the background, keeping track of what your kids are doing, blocking stuff you want blocked, and reporting back to you.

Before I recommend a program, I want to discuss the best way to use such software. I'm writing this not as a technical expert, but as a father with a grown son and two teenage daughters.

If you tell your children that you're going to monitor their Internet access, they're going to hate you for it (at least temporarily). But if you don't tell them, it will be far, far worse when they finally find out. It's best to be open with them, weather the storm, and seriously listen to their objections. Let them be part of the decision-making process about what will and will not be allowed, even though you, of course, must retain the last word.

And tracking their surfing habits makes more sense than blocking sites. If they know that you can see every site they visit, they'll learn to make wise choices, and isn't that what this is all about?

I recommend a brand-new program from Symantec called OnlineFamily.Norton, in large part because it encourages feedback between parents and children. It won't even let you hide the fact that you're spying on them. If they visit a site that falls into a category you object to (last I counted there were 47 categories), they will be told why they can't visit that site, and they'll get an opportunity to write you about it. You can block sites in the undesirable categories, merely monitor them, or have Online.Family warn the kids then allow them to proceed.

Online.Family can also block certain searches, monitor instant messaging, and control how much time your children spend on their computers. That last one is important. Too much time on a computer can be worse for a child than what they do on it.

The actual program is quite small, and runs in the background on your child's PC. You can monitor their activity from the Online.Family Web site, or be alerted to problems via e-mail.

OnlineFamily.Norton is free through the end of the year. Symantec isn't saying what it will cost after that. I suspect they'll charge for it as an ongoing service, rather than a one-time purchase.

Bob Jensen's technology bookmarks are at http://faculty.trinity.edu/rjensen/Bookbob4.htm

Also see Also see http://www.google.com/search?hl=en&lr=&q=parental+control+software

"Keeping Kids Safe Online," by Johanna Ambrosio, InformationWeek Newsletter, March 15, 2006

I'm no expert, but I am a parent of three teenagers who, thankfully, have been safe so far. My reaction to the news about Microsoft jumping into the monitoring space with a free tool to be available this summer is that it sounds great, but I hope parents realize that the use of any monitoring software isn't by itself enough to guarantee kids' safety.

I think anyone in the computer industry already knows this and certainly understands the dangers that lurk. But I worry there may be some parents who too readily trust a tool to take the place of their (human) care and concern. Parents must still be parents, and older teens especially must be made aware of their responsibility in this, too. With great freedom comes great personal responsibility, both online and offline, and kids need the adults in their lives to both explain and model this.

We've certainly been lucky, and we've done some things to help. (For the fuller story, please check out my blog entry.)

"Laptop Security, Part 2:  Tips on protecting your data, should fate--or a criminal--separate you and your notebook," by James A. Martin, PC World via The Washington Post, June 9. 2006 --- Click Here

My guess is that your notebook is worth several thousand dollars. I'd also guess that the data stored on it is worth much, much more--and that you'd be entering a world of woe if your notebook were stolen or lost.

Last week I offered tips on how to protect and physically secure your notebook when you're out of the office. This week, I've got tips on protecting your data, should fate--or a criminal--separate you and your notebook.

Windows XP gives you the option of requiring a user password to log on. Though certainly far from bulletproof, a relatively complex password provides more protection than none at all.

A complex password includes upper- and lowercase letters, numbers, and one or more special characters. For example, suppose your name is Pat. You wouldn't use "Pat" as your password, would you? (You would? My, aren't we feeling lucky?) A better password would be something not easily identified with you.

The more complex your password, the more difficult it is to crack--and, potentially, for you to remember. Don't make your password so complex you can't remember it. Or, if you must store your passwords, keep them somewhere safe. Some software programs for PCs and PDAs give you the ability to manage and secure passwords. One example: DataViz's Passwords Plus ($30), which lets you manage and secure passwords on your notebook as well as your Palm OS PDA.

To create a password for your account in Windows XP, go into Control Panel, then open User Accounts. Select the account you want to protect with a password and click the "Create a password" button.

For more about passwords, read Scott Dunn's June " Windows Tips ."

Some laptops now come equipped with biometric fingerprint scanners, as an alternative or enhancement to Windows password-protection. For more on this, see number 3, below.

Another option is to encrypt any files on your notebook that contain sensitive data, such as customer Social Security numbers. (Of course, as I said last week, it's best not to place any sensitive data on a mobile system.)

In essence, encryption scrambles data into code that only an authorized user can access. However, encrypting files, or your entire drive, can be time-consuming, slow system performance, and increase the likelihood you'll lose access to the data.

Windows XP Professional (but not XP Home) includes an option that lets you encrypt files on an NTFS-formatted hard drive. After encrypting a file, you can open it just as you would any file or folder. However, someone who gains unauthorized access to your computer cannot open any encrypted files or folders.

To encrypt a folder in Windows XP Professional, right-click it in Windows Explorer, choose Properties, click Advanced, select the "Encrypt contents to secure data" check box, and click OK twice. In the Confirm Attribute Changes dialog box, do one of the following: To encrypt only the folder, click "Apply changes to this folder only," and click OK; to encrypt the folder contents as well as the folder, click "Apply changes to this folder, subfolders, and files," and click OK.

Continued in article

"First-Ever Virus Hits Mac OS X:  There are many signs that Apple computers are finally becoming vulnerable to Internet-based viruses and other attacks," MIT's Technology Review, May 2, 2006 --- http://www.technologyreview.com/read_article.aspx?id=16758

Benjamin Daines was browsing the Web when he clicked on a series of links that promised pictures of an unreleased update to his computer's operating system.

Instead, a window opened on the screen and strange commands ran as if the machine was under the control of someone else. Daines was the victim of a computer virus.

Such headaches are hardly unusual on PCs running Microsoft Corp.'s Windows operating system. Daines, however, was using a Mac -- an Apple Computer Inc. machine often touted as being immune to such risks.

He and at least one other person who clicked on the links were infected by what security experts call the first-ever virus for Mac OS X, the operating system that has shipped with every Mac sold since 2001 and has survived virtually unscathed from the onslaught of malware unleashed on the Internet in recent years.

''It just shows people that no matter what kind of computer you use you are still open to some level of attack,'' said Daines, a 29-year-old British chemical engineer who once considered Macs invulnerable to such attacks.

Apple's iconic status, growing market share and adoption of same microprocessors used in machines running Windows are making Macs a bigger target, some experts warn.

Apple's most recent wake-up call came last week, as a Southern California researcher reported seven new vulnerabilities. Tom Ferris said malicious Web sites can exploit the holes without a user's knowledge, potentially allowing a criminal to execute code remotely and gain access to passwords and other sensitive information.

Ferris said he warned Apple of the vulnerabilities in January and February and that the company has yet to patch the holes, prompting him to compare the computer maker to Microsoft three years ago, when the world's largest software company was criticized for being slow to respond to weaknesses in its products.

''They didn't know how to deal with security, and I think Apple is in the same situation now,'' said Ferris, himself a Mac user.

Apple officials point to the company's virtually unvarnished security track record and disputed claims that Mac OS X is more susceptible to attack now than in the past.

Apple plans to patch the holes reported by Ferris in the next automatic update of Mac OS X, and there have been no reports of them being exploited, spokeswoman Natalie Kerris said. She disagreed that the vulnerabilities make it possible for a criminal to run code on a targeted machine.

In Daines' infection, a bug in the virus' code prevented it from doing much damage. Still, several of his operating system files were deleted, several new files were created and several applications, including a program for recording audio, were crippled.

Behind the scenes, the virus also managed to hijack his instant messaging program so the rogue file was blasted to 10 people on his buddy list.

''A lot of Mac users are in denial and have blinders on that say, 'Nothing is ever going to get to us,''' said Neil Fryer, a computer security consultant who works for an international financial institution in Britain. ''I can't say I agree with them.''

Continued in article

Video Tutorials

Protecting Your PC --- Digital Duo --- http://www.pcworld.com/digitalduo/video/0,segid,35,00.asp

---

A ray of hope for the new Internet Explorer
Firefox may still be better at repelling spyware

"Internet Explorer 7.0 makes waves," PhysOrg, March 1, 2006 --- http://www.physorg.com/news11306.html

After winning the browser wars and vanquishing its chief competitor, Netscape, the folks at Microsoft decided it was time to take a break from improving its industry standard browser. Without competition the company felt that there was no need to release any new updates. But an upstart open-source group funded in part by Mozilla (the same folks who originally created Netscape) created a new browser called "Firefox" that sparked the brand-new browser wars. While the folks at MS won't admit that Firefox spurred them into action, it's hard to deny that the new beta release of Internet Explorer 7.0 doesn't have more than a passing resemblance to the Firefox browser.

"Microsoft welcomes competition because it drives innovation which benefits customers. That's a good thing," said a spokesperson for Microsoft. "Ultimately, customers will choose the browser that best meets their needs, and we are confident that most will continue to use Internet Explorer when they evaluate factors such as end-user functionality, site and application compatibility, developer extensibility, enterprise manageability, and security backed by the processes and engineering discipline employed by Microsoft."

Maybe it's the new interface, or the fact that it's been over three years since the last major release of I.E., but the new version just "feels" different and fresh. It could be the idea that MS has finally added tabbed browsing to Explorer -- one of the key features that made me go with and stick with Firefox -- I always felt Explorer was the better browser, but I became addicted to my precious tabs. Another nice addition to I.E. 7.0 is it now handles bookmarks (or as I.E. calls it "favorites") the same way as Firefox does. Instead of exporting all of your bookmarks as individual folders, I.E. now places everything into a single html index file. Which can be imported into Firefox, and you can now import Firefox bookmarks into I.E., which makes moving between both browsers painfully simple.

"I.E. 7.0 is the right product, though late in the market. This demonstrates Microsoft's approach to the Internet browser market as being more laid back and reactionary rather than leading the development of new features," said Razvan Neagu, president and chief executive officer of KOMOTION Inc., developer of Web Gallery Wizard.

One of the major complaints about I.E. has been its lack of compliance with Web standards, part of the problem is, as stated before, it's been three or four years since there was a major release of I.E. And in that time Web development standards have progressed exponentially. While playing around with I.E., I noticed that some Web sites didn't display properly in the new release, while they displayed perfectly fine in the current version. I'm hoping against hope that these are isolated incidents and not a sign of the future, and an indication that 7.0 still has a way to go to be completely standards based.

A spokesperson for Microsoft said "The IE7 beta 2 preview for Windows XP, which was released to Windows XP testers on 1/31, is considered feature complete. We do however expect to continue development work based on tester feedback and expect to do additional design work and enhancements to application compatibility and fit and finish. At this point we are targeting to release the final product in the second half of 2006."

Another main draw of the new version of I.E. is all of the new built in security features, starting with its new anti "phishing" filter. The new trend in e-mail spam is for scam artists to create fake websites that resemble popular sites like eBay, PayPal, etc. in attempt to get users to submit their personal account information. I.E. 7.0 anti-phishing filter successfully warned and blocked these sites from showing up. While this is a fantastic new feature, it has a major drawback, the validity of Web sites appears based on whether or not a site has a valid SSL Certificate or not, and you would be surprised at the number of websites that don't have these certifications. Eventually, I had to deactivate the filter, although you can change the settings in the tools menu.

"IE's top priority is security. While we made great progress with support for CSS 2.0, we knew that we would have to trade off full compatibility with CSS 2.0 for additional work on security," added the Microsoft spokesperson. "We will not pass CSS 2.0, but certainly will evaluate doing that in the future."

Other new security features include ActiveX Opt-In. This is a malware protection feature that disables nearly all pre-installed ActiveX Controls, and helps prevent potentially vulnerable controls from being exposed to attack. Users can easily enable or disable ActiveX Controls as needed through the Information Bar and the Add-on Manager. Cross-domain script barriers. This feature limits the ability of Web page script to interact with content from other domains or windows to help users keep their personal information out of potentially malicious hands. This new safeguard further protects users against malware by limiting the potential for malicious Web sites to manipulate flaws in other Web sites, or cause users to download undesired content or software onto their PCs.

International Domain Name Anti-Spoofing. In addition to adding support for International Domain Names in URLs, Internet Explorer 7.0 also notifies the user when similar characters in the URL are not expressed in the same language -- even when the characters look similar across several languages -- thus helping protect the user against sites that would otherwise appear as a known trustworthy site.

When a new version of I.E. is released everyone has to take notice, it's impact on Web development and business owners can't be underestimated.

"Business strategy always needs to take into account market forces and competitive threats; so, the direction that Microsoft takes is very important," said Neagu. "Unless you're a 100-pound gorilla yourself, you don't want to compete directly with Microsoft. So, there are really two strategies. You can either add value to the marketplace by working with their products, or you must make sure you're in a space that is either small enough or removed enough from Microsoft's strategic interests so that you minimize the possibility of conflict.

"With our product, Web Gallery Wizard, we maximized both of these strategies. We took advantage of Microsoft's solid .Net framework for rapid development, and we targeted digital photo enthusiasts offering functionality which is underserved by the big players in the market."

Continued in article

---

Video Guide To Securing Your Computer

I wanted to call attention to a new resource on washingtonpost.com for people who need a little help getting started in securing their computers. We produced a series of "screencasts" or video guides demonstrating some of the basic steps users need to take to stay safe online, including brief primers on choosing and using firewall and anti-virus software, downloading and installing the latest Microsoft Windows patches, and taking advantage of free anti-spyware tools.

These videos are by no means definitive guides, but I hope they will be of some use to those who find themselves completely intimidated by computer security.
Brian Krebs, "ideo Guide To Securing Your Computer," The Washington Post --- http://blogs.washingtonpost.com/securityfix/2005/05/video_guide_to_.html?referrer=email

---

 

---

Video Tips of the Week for Windows XP

Enabling the Internet Firewall --- http://channels.lockergnome.com/windows/videotips/1/
Customizing the Window Taskbar --- http://channels.lockergnome.com/windows/videotips/2/
Disabling Windows Messenger Service (to reduce spyware) ---
                    http://channels.lockergnome.com/windows/videotips/3/
Sending E-mail from a Different Address --- http://channels.lockergnome.com/windows/videotips/4/
Managing Windows Updates --- http://channels.lockergnome.com/windows/videotips/5/
Selecting a Different Image Viewer --- http://channels.lockergnome.com/windows/videotips/6/
Logging Security Events --- http://channels.lockergnome.com/windows/videotips/7/
Using Remote Desktop --- http://channels.lockergnome.com/windows/videotips/8/
Exploring With Process Explorer --- http://channels.lockergnome.com/windows/videotips/9/
Defragging With Task Scheduler --- http://channels.lockergnome.com/windows/videotips/10/
Killing Spyware With Spybot --- http://channels.lockergnome.com/windows/videotips/11/
   Also see (you can change the video number at the end to go to video1, video2, etc.)
   http://www.homenetworkhelp.info/popup.php?popup=podcast-2005-06-11-spyware-video1
Managing .Net Passports With Windows XP ---
                    http://channels.lockergnome.com/windows/videotips/12/
Managing E-mail With Outlook Rules (guard against spam) ---
                    http://channels.lockergnome.com/windows/videotips/13/
Exploring Windows XP Security Center ---              
                    http://channels.lockergnome.com/windows/videotips/14/
Windows XP Firewall Helper Video --- http://channels.lockergnome.com/windows/videotips/15/
Internet Explorer's Add-On Manager --- http://channels.lockergnome.com/windows/videotips/16/
Internet Explorer's Popup Blocker --- http://channels.lockergnome.com/windows/videotips/17/

The FBI's Internet Fraud and Complaint Center (IFCC FBI) --- Report Internet frauds and crimes here.
To thwart fraud on the Internet and terror in general, check in and/or report to http://www1.ifccfbi.gov/index.asp

National Infrastructure Protection Center (NIPC) --- Report infrastructure security incidents here.
Located in the FBI's headquarters building in Washington, D.C., the NIPC brings together representatives from U.S. government agencies, state and local governments, and the private sector in a partnership to protect our nation's critical infrastructures.
http://www.nipc.gov/ 

Computer Emergency Response Team (CERT) --- Report computer invasions and viruses here.
The CERT® Coordination Center (CERT/CC) is a center of Internet security expertise, at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University. We study Internet security vulnerabilities, handle computer security incidents, publish security alerts, research long-term changes in networked systems, and develop information and training to help you improve security at your site.  http://www.cert.org/

Center for Systems Security and Information Assurance ---] http://www.cssia.org/

Stay Safe Online http://www.staysafeonline.info /

Bob Jensen's threads on Identity Theft --- http://faculty.trinity.edu/rjensen/FraudReporting.htm#IdentityTheft 

Pop Up Blocker --- http://www.synergeticsoft.com/

Recommended Reading:  Getting Smart About Information Security
Bruce Schneier, founder and chief technical officer of Counterpane Internet Security Inc., has spent much of his career educating people about digital security. His book, Secrets and Lies: Digital Security in a Networked World, serves as a non-technical introduction to the full, messy complexity of digital security.
"Recommended Reading:  Getting Smart About Information Security," The Wall Street Journal,   July 18, 2005; Page R2 --- http://online.wsj.com/article/0,,SB112060620712177906,00.html?mod=todays_us_the_journal_report

Information Warfare Weapons --- http://faculty.trinity.edu/rjensen/acct5342/infowar.pdf

The World Wide Web Security FAQ ---  http://www.w3.org/Security/Faq/www-security-faq.html

Trinity students may access this at
J:\courses\ACCT5342\readings\WWWsecurity\The WWW Security FAQ.htm

CIAC Notes

http://www.alw.nih.gov/Security/CIAC-Notes/CIAC-Notes-01.html
 
http://www.alw.nih.gov/Security/CIAC-Notes/CIAC-Notes-02.html

2005 Anti-Virus product comparison guide ---
http://www.tips-it.com/product.php?x_user_number=305788&pid=13&smb=1&emailid=WNN081605

"What I find bizarre is that there's still all this focus on the WMF [Windows Metafile] bug," said Mark Litchfield, the director of NGS Software, a U.K.-based security company, and one of the two researchers credited by Microsoft with the discovery of the TNEF (Transport Neutral Encapsulation Format) vulnerability. "This one has massive financial implications if someone exploits it," Litchfield said. The TNEF vulnerability, which Microsoft spelled out in the MS06-003 security bulletin, is a flaw in how Microsoft's Outlook client and older versions of its Exchange server software decode the TNEF MIME attachment. TNEF is used by Exchange and Outlook when sending and processing messages formatted as Rich Text Format (RTF), one of the formatting choices available to Outlook users. "All that's required to exploit this is an e-mail message," said Litchfield. No user interaction is needed to compromise an Exchange 5.0, 5.5, or 2000 server; all that's necessary is to deliver a maliciously-crafted e-mail to the server. It's that characteristic, as well as the ease with which an attack could spread, that has Litchfield so worried. "You could take over an Exchange server with a single, simple e-mail," he said. "From there you could target all the clients accessing that server. You would 'own' any Outlook client that connects to that server. Then an attacker could grab the Outlook users' address books. Continued in article

"Unknown Attacks: A Clear and Growing Danger,"  by Secure Computing, InformationWeek, January 2006 --- http://snipurl.com/UnknownAttacks 

More on security threats and hoaxes --- http://faculty.trinity.edu/its/virus/

"Everyone Wants to 'Own' Your PC," by Bruce Schneier, Wired News, May 4, 2006 --- http://www.wired.com/news/columns/0,70802-0.html?tw=wn_index_4

You own your computer, of course. You bought it. You paid for it. But how much control do you really have over what happens on your machine? Technically you might have bought the hardware and software, but you have less control over what it's doing behind the scenes.

Using the hacker sense of the term, your computer is "owned" by other people. 

It used to be that only malicious hackers were trying to own your computers. Whether through worms, viruses, Trojans or other means, they would try to install some kind of remote-control program onto your system. Then they'd use your computers to sniff passwords, make fraudulent bank transactions, send spam, initiate phishing attacks and so on. Estimates are that somewhere between hundreds of thousands and millions of computers are members of remotely controlled "bot" networks. Owned.

Now, things are not so simple. There are all sorts of interests vying for control of your computer. There are media companies that want to control what you can do with the music and videos they sell you. There are companies that use software as a conduit to collect marketing information, deliver advertising or do whatever it is their real owners require. And there are software companies that are trying to make money by pleasing not only their customers, but other companies they ally themselves with. All these companies want to own your computer.

Some examples:

• Entertainment software: In October 2005, it emerged that Sony had distributed a rootkit with several music CDs -- the same kind of software that crackers use to own people's computers. This rootkit secretly installed itself when the music CD was played on a computer. Its purpose was to prevent people from doing things with the music that Sony didn't approve of: It was a DRM system. If the exact same piece of software had been installed secretly by a hacker, this would have been an illegal act. But Sony believed that it had legitimate reasons for wanting to own its customers’ machines.

   

• Antivirus: You might have expected your antivirus software to detect Sony's rootkit. After all, that's why you bought it. But initially, the security programs sold by Symantec and others did not detect it, because Sony had asked them not to. You might have thought that the software you bought was working for you, but you would have been wrong.

   

• Internet services: Hotmail allows you to blacklist certain e-mail addresses, so that mail from them automatically goes into your spam trap. Have you ever tried blocking all that incessant marketing e-mail from Microsoft? You can't.

   

• Application software: Internet Explorer users might have expected the program to incorporate easy-to-use cookie handling and pop-up blockers. After all, other browsers do, and users have found them useful in defending against internet annoyances. But Microsoft isn't just selling software to you; it sells internet advertising as well. It isn't in the company's best interest to offer users features that would adversely affect its business partners.

Business-Technology: Security Threats Galore, But No Worries Here
Taken together, you begin to get the full, unsettling picture of information security today. Automated bot attacks, Windows bulletins by the dozen, a new breed of business worms, risk of heap overflow in Cisco's IOS, the underground's new fascination with unpatched holes in 20 types of applications and devices. And that doesn't even include problems caused by spyware or phishing, or customer-data breaches, or the complications of wireless networks and devices, or CDs with hidden rootkits, or the Sober worm variants spreading again. With all of this going on, how do you explain the fact that so few security and IT professionals feel things have gotten worse? It's possible they have systems in place to ward off ill-intended probes, keep software patched, and protect customer records. Maybe the bullets are bouncing off. That, or maybe security at their companies isn't as good as it seems.
John Foley, "Business-Technology: Security Threats Galore, But No Worries Here," InformationWeek Newsletter, November 29, 2005

"Two More Ways to Fight Viruses, for Free," by Rob Pegoraro, The Washington Post, November 28, 2005 --- http://snipurl.com/PegoraroNov28

But you don't have to. For several years, two Czech software developers have offered free versions of their anti-virus programs to home users. These no-charge downloads don't offer every feature provided by McAfee Inc. and Symantec Corp., the two security developers whose programs come pre-installed on most Windows PCs. But when put to the same tests as software from the Big Two, they did the job almost as well and with less fuss.

Both of these freebies -- Avast 4 Home Edition, from Prague's Alwil Software, and AVG Free Edition, from Brno-based Grisoft Inc. -- can be installed only on home computers that aren't put to any business or commercial use. (Income from sales to businesses and organizations covers the cost of this exercise in Internet charity.)

These two programs share a few welcome traits. Both are relatively small downloads -- almost 10 megabytes for Avast, just under 15 for AVG -- that tout compatibility with systems as old as Windows 95. And both automatically download updates every day and allow quick manual updates.

With Avast ( http://www.avast.com/eng/free_virus_protectio.html ), the major selling point is a greater sense of security. After a refreshingly fast install, Avast automatically scans your computer for trouble before allowing Windows to boot up -- a helpful precaution if the computer may already be infected.

Continued in article

Auntie Spam's Net Patrol ---
http://www.aunty-spam.com/deleting-email-leads-to-145billion-judgement-against-company/

Cagey Consumer --- http://cc.edumacation.com

Latest security threats and hoaxes --- http://faculty.trinity.edu/its/virus/

25 Hottest Urban Legends (hoaxes) --- http://www.snopes.com/info/top25uls.as

JUNKBUSTERS Anti-Telemarketing Script http://www.junkbusters.com/script.html 

From the Scout Report on July 14, 2005

Powerful Cookies 1.0.7
http://www.freewebs.com/powerfulcookies/

For those people who are concerned about erasing evidence of their Internet activity stored in their browser, Powerful Cookies 1.0.7 may be worth taking a look at. Visitors can use this program to delete cookies, clean index.dat files, clean the cache, remove temporary files, and erase typed URLs. This application is compatible with Windows 95 or newer.

The Sorry State of ID Theft
One of the most popular stories on our site over the last two weeks was PIN Scandal 'Worst Hack Ever'; Citibank Only The Start, followed closely by International Citibank Customers Shaken By Data Breach. Day after day, one or both made our list of the five most popular headlines.I'm guessing another story, about two large botnets hacking into users' online shopping carts to steal credit card numbers, bank account details, and log-on passwords, will grab similar reader interest.Little wonder. The banks involved in the first story were huge, with huge IT budgets and even bigger data stores. We all bank and use ATMs, and many use debit cards. And regards the second story, most of us shop, to varying degrees, online. It just isn't hard to imagine yourself as one of the current--or future--victims of these scams or dubious security policies.
Patricia Keefe, "Securing A Solution To Data Theft," InformationWeek Daily, March 21, 2006

The High Cost Of Data Loss
Sensitive personal data has been misplaced, lost, printed on mailing labels, posted online, and just left around for anyone to see. The situation has become untenable. Here's the ugly truth about how it keeps happening, who's been affected, and what's being done about it.
Elena Malykhina et al., InformationWeek, March 20, 2006

How many ways are there to expose sensitive personal data? One company misplaces a backup tape; another puts customers' Social Security numbers onto mailing labels for anyone to see. Others lose laptops, inadvertently post private information online, or leave documents exposed to prying eyes. The possibilities are endless-- as we're learning with every new revelation of a data breach or hack or inexcusable lapse in secure business practices. By one estimate, 53 million people--including consumers, employees, students, and patients--have had data about themselves exposed over the past 13 months.

This sorry state of affairs is taking its toll: fines, lawsuits, firings, damaged reputations, spooked customers, credit card fraud, a regulatory crackdown, and the expense of fixing what's broken. The situation has become untenable. Here's the ugly truth about how it keeps happening, who's been affected, and what's being done about

Continued in a long article

In parts to follow, I will define and elaborate on various terminologies of computer and networking security.  For help in preventing and overcoming invasions, I especially recommend the links provided by Yahoo below:

Microsoft to Bundle Anti-Spyware App With Windows
Microsoft said Friday that it plans to bundle its "Windows Anti-Spyware" tool with Windows Vista, the chronically delayed next version of the company's operating system. Microsoft also decided to rename the program "Windows Defender," in part to give it "a more positive name." The announcement, like others of late, was posted on one of the numerous blogs on Microsoft's site that catalog the daily doings of the software giant's many technical divisions. But this news -- for me, anyway -- was more than just a press release issued via a breezy blog post. It offered a glimpse of something Redmond hinted it was going to do years ago, but which has only recently become more of a reality: ship antivirus and anti-spyware updates to hundreds of millions of Windows computers every day through its Windows/Microsoft Update feature.
Brian Krebs, "Microsoft to Bundle Anti-Spyware App With Windows," The Washington Post, November 7, 2005 --- http://blogs.washingtonpost.com/securityfix/2005/11/microsoft_to_bu.html?referrer=email

This module may seem a little off topic.  But it fits nicely into past AECM threads about Big Brotherism in the age of technology.  David Fordham expressed it well by stating that almost anything about a person is either available for free or for sale.  It is in the spirit of those threads that I forward the following tidbit.  Those of you with liberal arts backgrounds may especially like this tidbit.  My threads on this are at http://faculty.trinity.edu/rjensen/ecommerce/000start.htm#Cellphones

Bob

"Making Ideas Beautiful:  Do art and ideas mix? It depends on who's stirring the pot," by Terry Teachout, The Wall Street Journal, December 10, 2005; Page P15 ---
 http://online.wsj.com/article/SB113416176976318692.html?mod=todays_us_pursuits

Sometimes a heartfelt compliment can blow up in the recipient's face, as when T.S. Eliot said of Henry James that he had "a mind so fine that no idea could violate it," thus making him sound like a plot-spinning idiot savant. What Eliot really meant was that James understood how an artist who dabbles in ideas can lose sight of the true purpose of art, which is (as Renoir said) to "make everything more beautiful." You can't paint a picture of E = mc2, or compose a symphony about the law of supply and demand. Nevertheless, art is so effective at swaying men's minds that there have always been cultural commissars prepared to enlist it in the service of ideas by any means necessary -- including brute force.

To see what happens when politicians ram ideas down artists' throats, take a trip to "Russia!" This once-in-a-lifetime blockbuster show of Russian art from the 12th century to the present, on display at the Guggenheim Museum through Jan. 11, is billed as "the most comprehensive and significant exhibition of Russian art outside Russia since the end of the Cold War." It's that, for sure, but it's also an object lesson in the power of ideas to hijack a great culture.

In the '30s and '40s, Russian artists were expected not merely to toe the Marxist line, but to embody it in their work. Unless you wanted to end up in the Gulag -- or worse -- you did what Stalin said. The deliberately anti-modern style that resulted, known as "socialist realism," was a crude burlesque of 19th-century realism in which the Soviet Union was portrayed as a proletarian paradise. Visual artists had an especially tough time of it, for the once-thriving Russian avant-garde was replaced overnight by a school of simple-minded poster artists who specialized in cheery canvases with titles like "Collective Farm Worker on a Bicycle." To stroll through "Russia!" is to be stupefied by the sheer banality of the assembly-line art these brush-wielding apparatchiks cranked out.

That's one kind of idea-driven art in which the artist illustrates ideas, often with the intention of bludgeoning others into embracing them. But there's another kind, in which an idea is so radically transformed by the artist that the resulting work of art floats free from its initial inspiration, taking on the haze of ambiguity that is part and parcel of beauty.

I saw a wonderful example of the latter kind of art last week at Brooklyn's BAM Harvey Theater. "Super Vision" is an evening-long piece of performance art created by the Builders Association, a New York-based touring experimental theater troupe, in collaboration with dbox, the multidisciplinary design studio. On paper it sounds like a "Nineteen Eighty-Four"-style documentary about how governments and corporations misuse the mountains of personal data they collect from private citizens. In the theater, though, "Super Vision" blossoms into something completely different, a computer-enhanced visual poem about the pitfalls and promise of life in the information age.

"Super Vision," which is being performed this weekend at Montclair State University in Montclair, N.J. (for a tour itinerary, go to www.superv.org ), consists of three interwoven stories in which six actors move through a breathtakingly complex series of digitally generated three-dimensional projections. In one story line, a computer-savvy swindler named John steals his young son's identity, uses it to run up $400,000 in debt, then vanishes. John and his wife are played by real-life actors, but John Jr. exists only as a video image, while the suburban house in which they live is entirely animated.

Again, this bald description makes "Super Vision" sound like a technical tour de force -- which it is. Yet it's far more than that. "I think of the stories in 'Super Vision' as the emotional side of data," explains Marianne Weems, the show's director. "The point is to bring visceral sensation and visual impact to these stories -- and as we move more deeply into interpreting the factual material on which they're based, we move away from the literal."

This is what lifts "Super Vision" out of the pedestrian realm of the purely factual. Yes, Ms. Weems and her collaborators are rightly disturbed by what she calls "this new form of surveillance and its constant incursions into the realm of our selves." But instead of preaching a strident sermon about how "dataveillance" threatens the right to privacy, they've transformed their fears into a fast-flowing stream of nonliteral images that stick in your mind like the swirling colors of an abstract painting. Just when John, the identity thief, thinks he's gotten away clean, you see in the distance what looks like a flock of birds. Then, as it draws nearer, you realize that it's actually a cloud of computer-generated data points hurtling through the air to chase him down. That's not politics -- it's poetry. And it's the quintessence of "Super Vision," a work of theatrical alchemy in which ideas are turned into art by making them more beautiful.

"Viral cure could 'immunise' the internet," Kurt Kleiner, NewScientist, December 1, 2005 --- http://www.newscientist.com/article.ns?id=dn8403

Some researchers have developed artificial "immune systems" that automatically analyse a virus meaning a fix can be sent out more rapidly. In practise, however, computer viruses still tend to spread too quickly.

Now Eran Shir, and colleagues at Tel-Aviv University in Israeli, have applied network theory to the problem, and believe they have come up with a more effective solution.

Part of the problem, the researchers say, is that countermeasures sent from a central server over the same network as the virus it is pursuing will always be playing catch-up.

They propose developing a network of "honeypot" computers, distributed across the internet and dedicated to the task of combating viruses. To a virus, these machines would seem like ordinary vulnerable computers. But the honeypots would attract a virus, analyse it automatically, and then distribute a countermeasure

Healing hubs But the honeypots would be linked to one another via a dedicated and secure network. This way, once one has captured a virus, all the others will quickly know about the infection immediately. Each honeypot then acts as a hub of healing code which is disseminated to computers connected to it. The countermeasure then spreads out across the broader network.

Simulations show that the larger the network grows, the more efficient this scheme should be. For example, if a network has 50,000 nodes (computers), and just 0.4% of those are honeypots, just 5% of the network will be infected before the immune system halts the virus, assuming the fix works properly. But, a 200-million-node network – with the same proportion of honeypots – should see just 0.001% of machines get infected.

Security measures, such as encryption, would be needed to prevent viruses from exploiting the honeypot network.

"They've shown it is possible to use this epidemically spreading immune agent to good advantage," says Jeff Kephart, a computer scientist at IBM in Hawthorne, New York, US. "The next step would be to look more carefully at the benefits and costs of this approach. I see promise in it."

The paper only discusses the mathematical model, and there is no effective implementation as yet. But Shir plans to release a simple example program soon and hopes that volunteers or a company will eventually implement the real thing across the internet.

Journal reference: Nature Physics (DOI: 10.1038/nphys177).

Walt's Warnings About File Sharing

"The Practical Case Against File Sharing," by Walter Mossberg, The Wall Street Journal, October 20, 2005 --- http://online.wsj.com/article/SB112976373382173735.html?mod=todays_us_marketplace 

Q:
Are there problems with using file-swapping sites like Kazaa, as long as you have a good antivirus protection program? I don't mind paying for individual songs, but other sites like iTunes or Rhapsody often don't have the songs I want.

A:
Yes, there are problems. The first are the ethical and legal issues arising from obtaining somebody else's copyrighted intellectual property without paying for it, from a person who isn't licensed or authorized to distribute it. The other sites you mention, iTunes and Rhapsody, are legally licensed to distribute music. Kazaa and its ilk aren't, nor are the people who make music available through them. Your argument is like rationalizing buying stolen TVs because your local Best Buy didn't have the model you wanted.

If your conscience can get past that, there are practical issues. These sites are major transmitters not only of viruses, but of spyware, which your antivirus program can't stop. Even if your PC has a full, up-to-date security suite, with antispyware software, you are asking for trouble by downloading from "file swapping" sites. Many of the people I hear from who have had to take drastic, costly steps to save heavily infected PCs attribute their problems to the fact that their kids were frequenting file-sharing sites.

Bob Jensen's threads on file sharing are at http://faculty.trinity.edu/rjensen/napster.htm

Telling Computers How to Keep Secrets
The home version of Windows XP (unlike Apple's two most recent Mac OS X releases) can't lock up your important data, but other developers have come up with tools for this task. You just have to decide which of these three qualities is most important to you: simplicity, price or capabilities.  The easiest data-protection software we tested was Steganos Safe 8 (Win 2000 or newer, $30 at http://www.steganos.com/  ). It creates a "secure drive," an encrypted, password-protected file that houses whatever files you choose to put in it. When the secure drive is unlocked, it works just like a regular drive, but when locked, it turns into a single file filled with encrypted gibberish.
Kevin Savetz, "Telling Computers How to Keep Secrets," The Washington Post, July 3, 2005 --- http://www.washingtonpost.com/wp-dyn/content/article/2005/07/02/AR2005070200116.html?referrer=email

Kim Zetter. "ID Theft: What You Need to Know," Wired News, June 29, 2005 --- http://www.wired.com/news/privacy/0,1848,68032,00.html?tw=wn_tophead_8

What should I do if my wallet or purse is lost or stolen?

Immediately contact all three credit reporting agencies -- Equifax, Experian and TransUnion -- and have them place a fraud alert on your account. This means that companies issuing new credit accounts in your name will have to call you to obtain permission first. The alert will last for 90 days only. You can extend the alert to seven years, but only if you've been a victim of identity theft and can provide a police report.

Equifax: 1.800.525.6285

Experian: 1.888.397.3742

TransUnion: 1.800.680.7289

In addition to contacting the credit reporting agencies, you should file a police report if your property was stolen. Close any accounts that you think may have been compromised by the loss or theft. The FTC provides more information and a chart to tick off steps you should take.

What can I do to prevent myself from becoming a victim?

There isn't really anything you can do to prevent identity theft. As long as Social Security numbers are used for purposes other than Social Security, you are at risk of having your identity stolen any time someone has access to documents that carry your number and other personal data. There are, however, things you can do to lower your risk of becoming a victim.

• Review monthly financial statements carefully for fraudulent activity.
• Request a free copy of your credit report from a credit-reporting agency once a year to examine it for fraudulent activity. A new law requiring credit reporting agencies to provide a free annual report goes into effect nationwide in September. Until then, it's in effect only in western and Midwestern states. The credit report will show who requested access to your credit record. Look for requests from companies you haven't done business with and tell credit-reporting agencies if you see credit accounts that you didn't open or debts you didn't incur. Check to see that your name and address are correct.
• Don't give your Social Security number to any business that doesn't really need it.
• Cross shred sensitive documents. Thieves have been known to piece together strips of paper that are shredded only once. Cross-shredders double-shred documents.
• Shred pre-approved credit-card offers before tossing them in the garbage.
• Don't store sensitive personal information, such as bank account numbers and passwords, on home computers or handheld devices.
• Install a firewall and anti-virus software on your computer and keep the virus definitions up to date to prevent viruses and Trojan horses from infecting your computer and feeding personal information back to hackers.
• Don't fall for phishing scams. Phishing occurs when someone sends you an e-mail purporting to be from your bank or other company you do business with and requesting you to update your account information.
• Use specially designed software programs to clean data from your computer before you sell or discard it. Simply deleting files will not remove data from the memory.
• Don't carry any documents in your wallet that have your Social Security number on them, including your medical card or military ID, on days when you don't need the card.
• Opt-out when your bank or other financial institution requests permission to share information about you with other businesses.
• Close all credit-card accounts except the one or two that you really need.
• If you are an identity theft victim and live in one of ten states, including California, Colorado, Louisiana, Maine, Texas, Vermont or Washington, consider placing a "freeze" on your credit report so that no one can access it without your permission. More than 20 additional states are considering passing similar legislation. Creditors need to look at your report before granting you credit. By freezing your report, it will prevent unauthorized people from seeing your personal data and it will prevent creditors from opening a new credit account in your name for an impostor. Some states only let victims of identity theft freeze their records. Other states allow anyone to freeze their record. The State Public Interest Research Groups maintains a list of states with freeze laws.

Bob Jensen's guides on how to report fraud --- http://faculty.trinity.edu/rjensen/FraudReporting.htm

Bob Jensen's helpers on identity theft --- http://faculty.trinity.edu/rjensen/FraudReporting.htm#IdentityTheft

A government Website on Cybercrime --- http://www.usdoj.gov/criminal/cybercrime/

FCC Posts Lists of Sites That Send Spam to Cell Phones --- http://www.technologyreview.com/articles/05/02/ap/ap_2020805.asp?trk=nl 

"Blocking Cellphone Spam," by Debra Goldschmidt, The Wall Street Journal,  January 3, 2006; Page D1 --- http://online.wsj.com/article/SB113625263355436073.html?mod=todays_us_personal_journal

The Problem: You're paying for all the unwanted text messages you get on your cellphone. The Solution: Unwanted text messages usually come from two sources: telemarketers or friends who do more typing than talking. The first is called cell spam -- illegal solicitations. Most service providers use anti-spam programs but nothing is foolproof. If you receive cell spam, ask your cellphone company to deduct the cost of that message from your next bill. You can also file a complaint with the Federal Communications Commission at www.fcc.gov. So-called friendly fire text messages are those from people you know -- such as your teenager's friends who inadvertently run up your bill. To combat these, most service providers allow you to log onto their Web site to block a limited number of phone numbers from sending you messages. If you have Cingular or Verizon, you can ask to disable the text messaging function on your phone -- or your teenager's phone.

"Adobe PDF Patch Plugs Data Leak Threat," by Brian Krebs, The Washington Post, June 20, 2005 --- http://blogs.washingtonpost.com/securityfix/2005/06/adobe_pdf_patch.html?referrer=email

According to Adobe, the latest version gets rid of a fairly serious security flaw. By convincing a target to download a specially crafted PDF document, attackers could "discover the existence of local files," -- i.e., read documents on the victim's computer. Adobe says that threat is minimized because the attacker would have to know the exact name and location of the files he was searching for to be able to leverage the security flaw.

Anyway, you can update using the automatic updater bundled with Adobe, or visit Adobe's download site to install the fix manually. Adobe says it is working on a fix for Mac users. If any Mac users are concerned about this vulnerability, this page has instructions on how to disable Javascript in Adobe.

By the way, if you browse the Web using Mozilla's Firefox Web browser and have always had trouble loading PDF documents, you might consider following the advice here to fix the problem. Just scroll down to the question in the FAQ that reads "Why do Adobe pdf files load slowly in Windows?" For the longest time I put off researching a tweak for this problem. Mozilla says it's because Adobe Reader for Windows loads lots of unused plugins on startup.

"The State Of Internet Security," by Fahmida Y. Rashid, Forbes, June 14, 2005 --- http://www.forbes.com/technology/2005/06/14/verisign-internet-security-cx_fr_0614verisign.html

E-mails from Nigeria asking for your help in transferring money. Important information about compromised bank accounts.

While the scams that daily flood our e-mail in-boxes show no signs of abating, there is some good news for the users who have to sort through them all. So says VeriSign (nasdaq: VRSN - news - people ), in its latest "State of Internet Security" address covering the first three months of 2005.

Phishing attacks--the attempted theft of information such as user names, passwords or credit-card numbers--are increasingly more sophisticated, VeriSign said. But the company, which lives by the sale of computer security software, says phishing attacks are less profitable than they used to be, and of shorter duration, since affected companies work with Internet service providers to shut down sites capturing the information.

Pharming, also known as DNS spoofing because it fools the domain-name system, is an alternative technique that tries to direct users to a fake Web site even when the correct address is entered into a browser. "It's as if you looked up a number in the phone book," says Phillip Hallam-Baker, a Web security expert at Verisign, "but someone somehow changed the number, managed to swap the phone book on you."

VeriSign's report lists ways to lock down DNS infrastructure to shut down pharming. It encourages administrators to upgrade their DNS software and to install cryptography solutions. Hallam-Baker feels that pharming attacks that depend on cached information could be eliminated fairly easily. Pharming attacks infrastructure, so the company in charge of that segment could prevent further attacks by upgrading necessary components.

Continued in article

Links to the ISIB report are given at
http://www.verisign.com/verisign-inc/news-and-events/news-archive/us-news-2005/page_030922.html

Tired of Computer Viruses, Spyware, and all the Other Microsoft Diseases?
Switch to a Mac

If you switch to a  Mac, a must book is Mac OS X: The Missing Manual by David Pogue http://www.amazon.com/exec/obidos/tg/detail/-/0596000820/002-3743809-1628824?v=glance 

This book explains how to translate what you liked to do in Windows into how to do the same things on a Mac.

It's been proven, there is life after death
Identity theft isn't among the risks of medical treatment -- such as infection -- listed on the standard release form that patients sign. But there's evidence that identity thieves are starting to target medical patients. 
Kevin Helliker, "A New Medical Worry: Identity Thieves Find Ways To Target Hospital Patients," The Wall Street Journal, February 22, 2005, Page D1 --- http://online.wsj.com/article/0,,SB110902598126260237,00.html?mod=todays_us_personal_journal 

Just this weekend, the University of Chicago Hospitals reported that a former employee had stolen identity information from as many as 85 patients. In recent years, rings of thieves stole the identities of more than 15 such patients in Iowa, 30 in Minnesota and nearly 50 in Indiana. During the past two years, the state of Michigan has prosecuted more than 20 cases involving medical-patient identity theft, many involving multiple victims, Michigan Attorney General Mike Cox says.

Hospital patients are vulnerable in part because they are unlikely to detect anything amiss. Some may never leave the hospital. A team of alleged identity thieves arrested in 2003 in New Jersey were targeting the terminally ill, according to police.

Continued in article

Hackers are turning digital rights management features of Microsoft's Windows Media Player against users by fooling them into downloading massive amounts of spyware, adware, and viruses.  A year after it went into effect, the federal CAN-SPAM Act is a "miserable" failure, a messaging security firm that monitors compliance with the anti-spam legislation says.  The United States was the 800-pound spam-spewing gorilla throughout 2004, a spot it held from wire to wire throughout the year, an anti-virus firm says.  Federal judge grants restraining order shutting down six porn purveyors.
Information Week's Updates on Spam (including how spyware burglars and spammers stay ahead all efforts to stop it) --- http://snipurl.com/spamJan19 

"Beware Web Hitchhikers," CBS News, December 31, 2004 --- http://www.cbsnews.com/stories/2004/12/31/eveningnews/consumer/main664185.shtml 

One of the big-sellers this holiday season is the wireless router, which lets you link your computer to the Internet from any room in the house.

But as CBS News Correspondent Vince Gonzales reports, the problem is that strangers on the street can also hook up to the net -- through your router.

It's called "war-driving" -- prowling neighborhoods, searching for open wireless networks that offer a free ride onto the Internet.

Surprise, Surprise!
In terms of features, especially security protection, Microsoft's Internet Explorer is well behind the times in terms of alternatives.

Meanwhile, other people have been building much better browsers, just as Microsoft itself did in the 1990s, when it challenged and eventually bested the then-dominant browser, Netscape Navigator. The most significant of these challengers is Firefox, a free product of an open-source organization called Mozilla, available for download at www.mozilla.org. Firefox is both more secure and more modern than IE, and it comes packed with user-friendly features the Microsoft browser can't touch.

"Security, Cool Features Of Firefox Web Browser Beat Microsoft's IE," Walter Mossberg, The Wall Street Journal, December 30, 2004, Page B1 --- http://online.wsj.com/article/0,,SB110435917184512320,00.html?mod=todays_us_marketplace 

Microsoft's Internet Explorer Web browser is one of the most important, and most often used, programs on the world's personal computers, relied upon by more than 90% of Windows users. But Microsoft hasn't made any important functional improvements in Internet Explorer for years.

The software giant has folded IE into the Windows operating system, and the browser only receives updates as part of the "Windows update" process. In recent years, most upgrades to IE have been under-the-hood patches to plug the many security holes that have made IE a major conduit for hackers, virus writers and spyware purveyors. The only visible feature added to IE recently: a pop-up ad blocker, which arrived long after other browsers had one.

Meanwhile, other people have been building much better browsers, just as Microsoft itself did in the 1990s, when it challenged and eventually bested the then-dominant browser, Netscape Navigator. The most significant of these challengers is Firefox, a free product of an open-source organization called Mozilla, available for download at www.mozilla.org. Firefox is both more secure and more modern than IE, and it comes packed with user-friendly features the Microsoft browser can't touch.

Firefox still has a tiny market share. But millions of people have downloaded it recently. I've been using it for months, and I recommended back in September that users switch to it from IE as a security measure. It's available in nearly identical versions for Windows, the Apple Macintosh, and the Linux operating system.

There are some other browsers that put IE to shame. Apple's elegant Safari browser, included free on every Mac, is one. But it isn't available for Windows. The Opera browser is loaded with bells and whistles, but I find it pretty complicated. And NetCaptor, my former favorite, is very nice. But since it's based on the IE Web-browsing engine, it's vulnerable to most of IE's security problems.

Firefox, which uses a different underlying browsing engine called "Gecko," also has a couple of close cousins based on the same engine. One is Netscape, now owned by America Online. The other is a browser called Mozilla, from the same group that created Firefox. But Firefox is smaller, sleeker and newer than either of its relatives, although a new Netscape version is in the works.

Firefox isn't totally secure -- no browser can be, especially if it runs on Windows, which has major security problems and is the world's top digital target. But Firefox has better security and privacy than IE. One big reason is that it won't run programs called "ActiveX controls," a Microsoft technology used in IE. These programs are used for many good things, but they have become such powerful tools for criminals and hackers that their potential for harm outweighs their benefits.

Firefox also has easier, quicker and clearer methods than IE does for covering your online tracks, if you so choose. And it has a better built-in pop-up ad blocker than IE.

But my favorite aspect of Firefox is tabbed browsing, a Web-surfing revolution that is shared by all the major new browsers but is absent from IE. With tabbed browsing, you can open many Web pages at once in the same browser window. Each is accessed by a tab.

The benefits of tabbed browsing hit home when you create folders of related bookmarks. For instance, on my computer I have a folder of a dozen technology-news bookmarks and another 20 or so bookmarks pointing to political Web sites. A third folder contains 15 or so bookmarks for sites devoted to the World Champion Boston Red Sox. With one click, I can open the entire contents of these folders in tabs, in the same single window, allowing me to survey entire fields of interest.

And Firefox can recognize and use Web sites that employ a new technology called "RSS" to create and update summaries of their contents. When Firefox encounters an RSS site, it displays a special icon that allows you to create a "live" bookmark to the site. These bookmarks then display updated headlines of stories on the sites.

Firefox also includes a permanent, handy search box that can be used to type in searches on Google, Yahoo, Amazon or other search sites without installing a special toolbar.

And it has a cool feature called "Extensions." These are small add-on modules, easy to download and install, that give the browser new features. Among the extensions I use are one that automatically fills out forms and another that tests the speed of my Web connection. You can also download "themes," which change the browser's looks.

There is only one significant downside to Firefox. Some Web sites, especially financial ones, have chosen to tailor themselves specifically for Internet Explorer. They rely on features only present in IE, and either won't work or work poorly in Firefox and other browsers.

Luckily, even if you switch to Firefox, you can still keep IE around to view just these incompatible sites. (In fact, Microsoft makes it impossible to fully uninstall IE.) There's even an extension for Firefox that adds an option called "View This Page in IE."

"Barbarians at the Digital Gate," by Timothy L. O'Brien and Saul Hansell, The New York Times, September 19, 2004 --- http://www.nytimes.com/2004/09/19/business/yourmoney/19gator.html 

KARSTEN M. SELF, who oversees a children's computer lab at a youth center in Napa, Calif., spends about a half-hour each morning electronically scanning 10 PC's. He is searching for files and traces of code that threaten to hijack the computers by silently monitoring the children's online activities or by plastering their screens with dizzying - and nearly unstoppable - onslaughts of pop-up advertisements.

To safeguard the children's computers, Mr. Self has installed a battery of protective software products and new Web browsers. That has kept some - but by no means all - of the youth center's digital intruders at bay. "You would expect that you could use these systems in a safe and sane way, but the fact of the matter is that you can't unless you have a fair amount of knowledge, time to fix the problems and paranoia," he said.

The parasitic files that have beset Mr. Self and other frustrated computer users are known, in tech argot, as spyware and adware. The rapid proliferation of such programs has brought Internet use to a stark crossroads, as many consumers now see the Web as a battlefield strewn with land mines.

At the same time, major advertisers and big Internet sites are increasingly tempted by adware's singular ability to display pop-up ads exactly when a user has shown interest in a particular service or product.

"Adware has its place, but to grab market share I think a lot of companies are doing things that make consumers feel betrayed," said Wayne Porter, co-founder of Spyware-Guide.com, a Web site that tracks adware and spyware abuses. "I think we're at a very important inflection point that is going to decide how the Internet operates."

Continued in the article

The link below was forwarded by Helen Terry
"Digital mafia hitting Web sites in protection racket," by Joseph Menn, Los Angeles Times, October 26, 2004 --- http://www.chron.com/cs/CDA/ssistory.mpl/front/2867289 

To an old-time bookie like Mickey Richardson, $500 in protection money was chump change.

So when he got an e-mail from gangsters threatening to bring his online sports betting operation to its knees, he paid up.

Before long, though, the thugs wanted $40,000. And that ticked him off.

"I'm stubborn," said Richardson, who runs Costa Rica-based BetCRIS.com. "I wanted to be the guy that says, 'I didn't pay, and I beat them.'"

Richardson couldn't figure the odds, but he was determined to fight what's fast becoming the scourge of Internet-based businesses: high-tech protection rackets in which gangs of computer hackers choke off traffic to Web sites whose operators refuse their demands.

Rather than brass knuckles and baseball bats, the weapons of choice for these digital extortionists are thousands of computers. They use them to launch coordinated attacks that knock targeted Web sites off-line for days, or even weeks, at a time.

The shakedowns generate millions of dollars. Many Internet operators would rather pay protection money than risk even greater losses if their Web sites go down.

After more than a year perfecting their techniques on gambling and pornographic Web sites, the gangs are starting to turn their talents to mainstream e-commerce operations.

"It's pretty much a daily occurrence that one of our customers is under attack, and the sophistication of the attacks is getting better," said Ken Silva, a vice president at VeriSign Inc., the company that maintains the ".com" and ".net" domain name servers and provides security to many firms.

• Last month, Authorize.net, one of the biggest credit-card-services processors for online merchants, was hit repeatedly over two weeks, leaving thousands of businesses without a means to charge their customers.

• In April, hackers silenced Card Solutions International, a Kentucky company that sells credit card software over the Web, for a week after its owner refused to pay $10,000 to a group of Latvians. Only after switching Internet service providers could the company come back online.

• In August, a Massachusetts businessman was indicted on charges of orchestrating attacks on three television-services companies -- costing one more than $200,000. The case against Saad Echouafni is one of the rare instances in which alleged attackers have been identified and charged. Echouafni skipped bail.

Many more attacks go unreported. "You're just seeing the tip of the iceberg," said Peter Rendall, chief executive of the Internet filter maker Top Layer Networks.

Richardson was intent on keeping his ship afloat.

BetCRIS, short for Bet Costa Rica International Sportsbook, takes about $2 billion in bets every year from gamblers around the world. Most are placed online. After customers complained early last year that the Web site seemed sluggish, Richardson felt a little relieved when an anonymous hacker e-mailed an admission that he had launched a denial-of-service attack against BetCRIS.

The hacker wanted $500, via the Internet payment service e-Gold.

That seemed like a bargain to Richardson. He paid up and promptly spent thousands more on hardware designed to weed out unfriendly Web traffic. "I was thinking if this ever happens again," he said, "we won't have a problem."

The Saturday before Thanksgiving, Richardson found out how wrong he was. An e-mail demanded $40,000 by the following noon. It was the start of one of the biggest betting weeks of the year, with pro and college football as well as basketball.

Richardson didn't respond.

The next day, BetCRIS crashed hard.

About the same time, other betting sites were getting hit too. The threats came in mangled English: "In a case if you refuse our offer, your site will be attacked still long time." Some sites were shut down for weeks.

Costa Rican law enforcement was ill-equipped to deal with computer hackers thousands of miles away. Given the shaky legality of offshore betting, seeking help from U.S. authorities wasn't an attractive option.

So the bookie in Costa Rica turned to Barrett Lyon, a spiky-haired philosophy major from Sacramento.

Continued in the article

Bottom Line Solution --- Change to a Mac

"How to Protect Yourself From Vandals, Viruses If You Use Windows," by Walter Mossberg, The Wall Street Journal, 
September 16, 2004; Page B1 --- http://online.wsj.com/article/0,,personal_technology,00.html 

If you use a Windows personal computer to access the Internet, your personal files, your privacy and your security are all in jeopardy. An international criminal class of virus writers, hackers, digital vandals and sleazy businesspeople wakes up every day planning to attack your PC.

And the company that controls the Windows platform, Microsoft, has made this too easy to do by carelessly opening numerous security holes in the operating system and its Web browser. Even if you install the recent Service Pack 2 update to Windows XP, you will still be vulnerable.

As I have said before, I believe Microsoft and the computer makers should be taking care of all these problems with a unified, managed approach that would free users from having to learn about all the threats and constantly manage security. They should take responsibility for shielding users from hackers, spammers, viruses and spyware -- the malicious software that hijacks your browsing and searching, pushes ads into your face, and secretly logs your activities.

But until that happens, you will have to fend for yourself. So here's a quick, rudimentary guide to protecting yourself in the digital world.

Opting out: The single most effective way to avoid viruses and spyware is to simply chuck Windows altogether and buy an Apple Macintosh. Apple's operating system, Mac OS X, is harder for the criminals to infect, and the Mac's market share is so small that hackers, virus writers and spies get little thrill, financial gain or publicity from attacking the platform.

There has never been a successful virus written for Mac OS X, and there is almost no spyware that targets the Mac. Plus, the Mac is invulnerable to viruses and spyware written for Windows. Not only is it more secure, but the Mac operating system is more capable, more modern and more attractive than Windows XP, and just as stable.

Macs are as good as, and often better than, Windows PCs at doing the most common computing tasks: Web browsing, e-mail, word processing, spreadsheets, presentations, photos, music and video. The Mac version of Microsoft Office can handle Windows Office files with ease, and it produces files that Office for Windows handles effortlessly. Apple's computers are also gorgeous.

But switching platforms is expensive, and scary to people. So if you're sticking with Windows, read on.

Halting hackers: Buy a software firewall program, one that won't only stop hackers trying to get in but will also halt suspicious programs already on your PC from trying to send information out over the Internet. The one I recommend is ZoneAlarm, a free utility from Zone Labs, available at www.zonelabs.com. Use it instead of the wimpier built-in firewall Microsoft supplies.

If you have a broadband connection or a home network, make sure your modem or router (a common piece of networking gear) is equipped with a feature called NAT, or Network Address Translation. This technology makes it harder for criminals on the Internet to find your computers. Even if you have NAT, however, I still recommend you have a software firewall program, because NAT doesn't block every attack.

Curing viruses: You must run a strong antivirus program, and keep it updated, even if updates cost money. I recommend Norton AntiVirus (the stand-alone program, not the cumbersome security suite). It's very effective, and its automatic update system is the best I've ever tested. It costs $50, including a year of updates.

Stopping spyware: Since antivirus programs don't attack spyware, you will need to run, and keep updating, a separate piece of software called an antispyware program. I recommend Spy Sweeper from Webroot software, at www.webroot.com . It costs $30, including a year of updates. Like an antivirus program, it not only detects and removes spyware already on your PC, but also watches for, and blocks, new spyware.

Stuffing spam: Buy a decent antispam program. I know of none that is close to perfect, but the best is probably MailFrontier Desktop, available for $30 at www.mailfrontier.com . If you're really fed up, you can turn on the "challenge" feature in this program, which forces unknown senders to pass a simple test that baffles the mass-mailing software spammers use.

Browsing safely: I suggest dumping Microsoft's Internet Explorer Web browser, which has a history of security breaches. I recommend instead Mozilla Firefox, which is free at www.mozilla.org    It's not only more secure but also more modern and advanced, with tabbed browsing, which allows multiple pages to be open on one screen, and a better pop-up ad blocker than the belated one Microsoft recently added to IE.

Being careful: Never download software from the Web unless you are certain you know what it is and that you want and need it. If a Web site says you need some special plug-in to view things, be very wary. Common viewer software, like that from Real Networks, Apple or Macromedia, should be obtained from those companies' official sites.

Staying current: You should probably install Microsoft's new SP2 update, which does improve Windows security -- although it has caused serious problems for a minority of Windows users. And you should install all the "critical updates" Microsoft issues for Windows.

Bottom line: If you use Windows, you're asking for trouble. But you can mitigate the risk by taking precautions.

It's the Best Solution, But It's No Longer Perfect

From Technology Review on October 28, 2004 
Apple's Got a Virus? Congratulations!
Whenever Windows users grouse about the latest virus or spyware attack, Macintosh devotees good-naturedly tease that they don't have worry about such nonsense. Well, the Apple-heads can't say that anymore. Last week, astute Mac users discovered a program dubbed "Opener"--a nefarious piece of code embeds itself onto Macs using OS X, disables the computer's firewall, and collects any password information it can find. The Apple community should not be upset about this malware news, writes Eric Hellweg, but celebrating it. Finally, a virus writer thinks Macs matter enough to merit attack!
http://www.technologyreview.com/articles/04/10/wo_hellweg102804.asp?trk=nl

Changes in Microsoft Windows XP Service Pack 2 --- http://www.macromedia.com/devnet/logged_in/wanbar_sp2.html 

On Friday, August 6, 2004 Microsoft announced the release of a significant update to the Windows XP operating system: Microsoft Windows XP Service Pack 2 (SP2). This security-focused update includes numerous changes, many of them transparent to end users, which aim to reduce the operating system's exposure to attacks from the Internet and protect users from predatory software like adware, spyware, and malware. The Windows XP operating system is installed on nearly 50% of net-connected computers worldwide—almost 250 million PCs, according to the Flash Player survey Macromedia conducts quarterly through NPD.

While targeted at abusers of the current Windows security model, the changes in SP2 also peripherally affect many safe and useful technologies, including, in some instances, Macromedia software. Microsoft and Macromedia have worked closely throughout the development of SP2 to ensure the best possible experience for customers of Macromedia Flash Player.

In this article I'll talk about areas of the service pack that web designers and developers, website owners, IT and MIS personnel, and Flash Player users might be concerned about, with the goal of outlining the impact SP2 will have on the user experience and the development process.

To get the most comprehensive and detailed information about the service pack, visit the Microsoft website, which includes the following:

• Windows XP Service Pack 2 (SP2) Support Center (all users)
• Changes to Functionality in Microsoft Windows XP Service Pack 2 (all users)
• Windows XP Service Pack 2 Resources for IT Professionals (IT professionals)
• Windows XP Service Pack 2 (SP2) for Developers (designers and developers)
• Fine-Tune Your Web Site for Windows XP Service Pack 2 (designers and developers)

What's New in Windows XP Service Pack 2

Microsoft Windows Service Pack 2 users will experience some changes in the way software behaves, including some minor changes when launching some Macromedia products. The most visible change is the presence of a new security warning dialog box, which asks users to confirm that they want to install or launch software.

Many of the new security dialog boxes appear if a particular piece of software does not have a digital signature. Digital signatures verify the authenticity of the software download. As software publishers get busy creating and filing their digital signatures, there will be a transitional period in which many reliable software applications will not yet have them. Even without a digital signature, users are able to click to confirm that they want to install their software and proceed with the installation. To find out more about the digital signatures, see the Enhanced Browser Security section of the Microsoft TechNet article, Changes to Functionality in Microsoft Windows XP Service Pack 2.

"Free Security Update To Windows XP Has Value but Falls Short," by Walter Mossberg, The Wall Street Journal, August 19, 2004, Page B1 --- http://online.wsj.com/article/0,,personal_technology,00.html 

Microsoft has paid so little attention to security over the years that consumers who use Windows have been forced to spend more and more of their time and money fending off viruses, hackers, spyware and spam. For this reason, the burden of using a Windows computer has grown immeasurably recently.

Now, under pressure from its customers and critics, the software giant is making a move toward undoing that damage. Over the next few weeks, Microsoft will be rolling out a major, free security update to Windows XP. It's called "Service Pack 2," or simply "SP2."

I've been testing SP2 on two Windows computers, and it seems to work fine. I recommend installing it, if only because of the under-the-hood security improvements Microsoft claims it contains.

But SP2 falls way short of what Microsoft could have done to fix the miserable state of security in Windows. While the update will make it harder for malicious software to enter your PC, SP2 doesn't detect or remove viruses or spyware or spam.

What's more, some of the key features of SP2 are inferior to those in third-party security software. In fact, even after you install SP2, you will still have to use add-on security programs, if you want to be reasonably safe.

Over the next month, SP2 will arrive at many PCs, unbidden, via the built-in Windows Update feature in Windows XP. It will also be available for downloading from Microsoft's Windows Update Web site. And Microsoft plans to mail it out, by request, on a free CD.

On my two test machines, an IBM laptop and a Dell desktop, installation went very smoothly. All my programs and data remained intact and functional. Microsoft concedes that SP2 does interfere with about 50 known programs. Most are corporate products, but the list also includes a few games and consumer utilities.

In addition to the under-the-hood changes, which are aimed at stopping several common intrusion techniques, SP2's main features are a new firewall, a new "Security Center" and new protections built into Microsoft's Internet Explorer Web browser. SP2 also turns on the automatic-update feature in Windows, which allows Microsoft to transmit and install future patches without user intervention.

The firewall, which is designed to shield your PC from attacks over the Internet, is now turned on by default. Formerly, it was off by default. (You can still turn it off manually, along with the automatic update feature.) And it has a few new features, including one that warns you if a program running on your PC is seeking to open a "port" -- a conduit to the Internet -- so it can receive incoming data.

But the new firewall lacks a crucial component present in some third-party firewalls, like ZoneAlarm. It doesn't prevent rogue programs already on your PC from using the Internet to make outbound data transfers, such as the secret reports that spyware programs make on your activities, or instructions that Trojan horse programs send out to attack other computers.

Also, Microsoft has made it easy for other software programs to turn off the new firewall. This was done so competing firewalls like ZoneAlarm could turn off the Windows firewall during installation, to avoid having duplicate firewalls running. But Microsoft concedes that hackers can use the technique to shut down the firewall as well. So I recommend buying, or sticking with, a superior third-party firewall.

The Security Center is where you can determine whether your firewall, your automatic-update settings and your antivirus program are on or off. It doesn't actually add a layer of protection to your PC. It's just an information device.

Even in that role, it falls short. In my tests, it couldn't tell whether Symantec's Norton AntiVirus program was on or off, and it warned me that my PC might not be protected against viruses, even though my antivirus protection was definitely on. This is apparently because Symantec needs to patch its product so it can talk to the Security Center. And the center made no effort to monitor my antispyware or antispam programs.

The changes to the Internet Explorer browser include a long-overdue pop-up ad blocker, which many other browsers now include, and additional warnings and controls on software downloads, so users will think twice about installing programs that might be malicious. An "Information Bar" at the top of the browser screen warns about downloads and notes that pop-ups have been blocked.

Microsoft still hasn't devised a quick, easy way to thoroughly erase your browsing tracks in Explorer or added an antispam feature to its Outlook Express e-mail program. The company says that SP2 was all about security, and these things weren't viewed as core security features. But it somehow still managed to use this security update to jam an unsolicited new "Favorites" link into the browser, one that points to a Microsoft site where it wants to sell you software and hardware.

Overall, SP2 is worth installing and will definitely improve Windows security. But it's limited. You'll still need to look beyond Microsoft to really secure your Windows PC.

It's almost the same thing as robbing the jewelry in your house and then asking $300 for the map to where it's buried --- only this time Ole would say "the yoke's on yew."

But I have to admit that it is a clever password.

"New Trojan Ransoms Files, Demands $300:  The Trojan archives 44 file types with a ZIP library, then password-protects the files and deletes the originals. But some have discovered the password needed to free the files," by Gregg Keizer, Information Week, March 16, 2006 --- http://www.informationweek.com/news/showArticle.jhtml?articleID=183700241

A Trojan is loose that locks up files and then demands a $300 ransom to return access, several security firms said Thursday, but at least two have discovered the password needed to free the files.

Dubbed "Cryzip" by some anti-virus vendors and "Zippo.a" by others, the Trojan archives 44 file types -- including .doc (Microsoft Word), .pdf (Adobe Acrobat), and .jpg (images) -- with a ZIP library, then password-protects the files and deletes the originals.

A "ransom note" is left on the machine, and reads in part: "Do not try to search for a program what encrypted your information - it is simply do not exists in your hard disk anymore. If you really care about documents and information in encrypted files you can pay using electonic [sic] currency $300.

"Reporting to police about a case will not help you, they do not know password."

At least two security firms, however, have dug up the password, which was left in plain view within one of the DLL files dropped by the Trojan. According to both Sophos and LURHQ, the password is:

C:\Program Files\Microsoft Visual Studio\VC98

"Because this string often appears inside projects compiled with Visual C++ 6, the author likely figured anyone who found the infecting DLL and examined its strings looking for the password would simply overlook it," LURHQ wrote in its Cryzip advisory.

"There should be no need for anyone to pay the reward," said Graham Cluley, a senior technology consultant with Sophos, in a separate statement. "It looks like this password was deliberately chosen by the author in an attempt to fool analysts into thinking it was a directory path instead."

Victims can use any ZIP utility to unlock the files with the password.

Ransom-like attacks, labeled "ransomware," are rare. The last full-fledged attack was in May 2005 when another security company, California-based Websense, spotted a Trojan that demanded $200 for a decryption key.

Other, and more common, forms of ransomware-style attacks are used by bogus spyware vendors, who claim that users' PCs harbor massive amounts of adware and spyware, and try to sell their phony products to spooked consumers.

Bob Jensen's threads on reporting computer frauds are at http://faculty.trinity.edu/rjensen/FraudReporting.htm

Leading Anti-Virus, Anti-Spyware, and Anti-Spam Alternatives
I trust Consumer Reports rankings more than virtually all other ranking sources mainly because Consumer Reports accepts no advertising or has other links to the vendors of products rated in Consumer Reports' labs.

The Consumer Reports home page is at http://www.consumerreports.org/cro/index.htm  

Spyware Dectector and Remover
January 2004 message from Richard Campbell [campbell@RIO.EDU] 

This product gets my 5 star rating - I was lulled into a false sense of security with Norton Security suite on my new computer.

http://www.sunbeltsoftware.com/product.cfm?page=benefits&id=410 

Richard J. Campbell mailto:campbell@rio.edu 

What a Great Idea in the War on Spam:  Unfortunately, Make Love, not Spam only covers Italy, France, Germany, The Netherlands, Spain, Sweden and the UK to Date
Internet users fed up with spam can go on the offensive by downloading a screensaver aimed at hitting junkmailers in the pocket.  The screensaver, called Make Love Not Spam and launched by search engine Lycos, requests data from websites that are mentioned in bulk mailings.  Lycos Europe spokesman Frank Legerland says if thousands of users sign up, the websites' servers will run at nearly full tilt.  The demand will slow the websites' response and hike their bandwidth bills, yet derive no income for the accesses.  He says those costs may discourage the sites from hiring email spammers to advertise their wares.
ABC News, November 30, 2004 --- http://www.abc.net.au/news/newsitems/200411/s1254988.htm 
You can read reviews at http://www.macupdate.com/info.php/id/16592 
Also see http://www.eweek.com/article2/0,1759,1733446,00.asp 

"Microsoft, Amazon Unite to Battle E-Mail Scammers," by Judy Lam, The Wall Street Journal, September 29, 2004, Page D3 --- http://online.wsj.com/article/0,,SB109639503163330213,00.html?mod=technology_main_whats_news 

Amazon.com Inc. and Microsoft Corp. have joined forces to combat online fraud and find the people behind e-mail scams that send millions of forged messages to consumers.

Yesterday, the two companies said they filed suits against Canadian company Gold Disk Canada Inc. and three individuals for allegedly sending millions of unsolicited e-mails using Microsoft's Hotmail services and forging the name of Amazon.com. The suits were filed in Superior Court of the State of Washington and the U.S. District Court in Seattle.

Amazon and Microsoft said they are working to identify offenders and are collaborating to test technical solutions that would make it more difficult to send unwanted messages to consumers.

Over the past year, Microsoft has stepped up its efforts to fight spam and e-mail scams as part of a broader move to stem a range of attacks on its software. The company has had to respond to growing customer complaints about the security of Microsoft applications, prompting the company to release a host of new security software, sign new partnerships, and begin taking more legal action to thwart hackers and senders of spam.

Continued in the article

Microsoft to Bundle Anti-Spyware App With Windows
Microsoft said Friday that it plans to bundle its "Windows Anti-Spyware" tool with Windows Vista, the chronically delayed next version of the company's operating system. Microsoft also decided to rename the program "Windows Defender," in part to give it "a more positive name." The announcement, like others of late, was posted on one of the numerous blogs on Microsoft's site that catalog the daily doings of the software giant's many technical divisions. But this news -- for me, anyway -- was more than just a press release issued via a breezy blog post. It offered a glimpse of something Redmond hinted it was going to do years ago, but which has only recently become more of a reality: ship antivirus and anti-spyware updates to hundreds of millions of Windows computers every day through its Windows/Microsoft Update feature.
Brian Krebs, "Microsoft to Bundle Anti-Spyware App With Windows," The Washington Post, November 7, 2005 --- http://blogs.washingtonpost.com/securityfix/2005/11/microsoft_to_bu.html?referrer=email

The 10 best tools to keep viruses, spyware and bad guys away
"Defensive Perimeter," by Gary Berline, PC Magazine, July 9, 2004  --- http://www.pcmag.com/article2/0,1759,1621759,00.asp 

Detailed Checklist 
"Keep Your PC Safe," PC Magazine, August 3, 2004 --- http://www.pcmag.com/article2/0,1759,1618797,00.asp 

Toolkit of Free Products
"Keep Your Friends Safe," by Neil J. Rubenking, PC Magazine, August 3, 2004 --- http://www.pcmag.com/article2/0,1759,1618804,00.asp 

Security Watch Special Report --- http://www.pcmag.com/category2/0,1738,12,00.asp 

My good friend Amy Dunbar at the University of Connecticut recommends the following spam blocker ---  http://spambayes.sourceforge.net/ 
Bob Jensen's threads on spam blocking are at http://faculty.trinity.edu/rjensen/ecommerce/000start.htm#SpecialSection

Eileen Taylor from the University of South Florida recommends Cloudmark's SpamNet spam protection --- http://www.cloudmark.com/ 

Puala Ward sent this link to a listing of spam fighters --- http://email.about.com/od/windowsspamfightingtools/ 

Spam and Spyware Blocker Software
All-in-One- Secretmaker (Free) --- http://www.secretmaker.com/ 

All-in-One SECRETMAKER is designed for users who wish to:

● Keep their email box free of spam
● Avoid irritating pop-up and banner interruptions
● Protect their privacy and avoids profiling
● Use the Internet efficiently for private or business use

Spam Blocking

January 25, 2006 Update

Bill Gates prediction of spam elimination widely misses his expectation
Two years ago, Gates said the spam problem would be "solved" by now. We're not even close, experts say, and for many reasons that don't have anything to do with Microsoft.
Gregg Keiser, "Bill Gates' Spam Prediction Misses Target," Information Week, January 24, 2006 --- http://www.informationweek.com/story/showArticle.jhtml?articleID=177103434
Also see http://www.internetweek.cmp.com/showArticle.jhtml?articleId=177103508

Damn Spam: The Losing War on Junk E-Mail, by Michael Specter, The New Yorker, August 6, 2007 --- 
http://www.newyorker.com/reporting/2007/08/06/070806fa_fact_specter 

Leading Anti-Virus, Anti-Spyware, and Anti-Spam Alternatives
I trust Consumer Reports rankings more than virtually all other ranking sources mainly because Consumer Reports accepts no advertising or has other links to the vendors of products rated in Consumer Reports' labs.

The Consumer Reports home page is at http://www.consumerreports.org/cro/index.htm  

Those phony emails pretending to be from banks and PayPal

"Revealing Fraud in E-Mail Addresses," by J.D. Biersdorfer, The New York Times, August 10, 2006 --- http://www.nytimes.com/2006/08/10/technology/10askk.html

Q. I get a ton of e-mail messages purporting to be from banks and Web sites that are obviously not from those institutions even though the return address looks real. Is there a way to find out where these messages actually came from?

A. Although you probably won’t be able to trace the fraudulent message directly back to its human sender, you can usually poke around inside the message’s full header field to see where it might have come from electronically. Check your particular e-mail program’s settings for displaying “full” or “long” message headers — in Outlook Express, for example, you can see the full header by right-clicking on a message in your mailbox window, selecting Properties and clicking the Details button.

The full header shows the path that message took across the Internet from sender to recipient. Even if the return address is forged with something like admin@irs.gov, if you look closely, odds are you’ll see other addresses in the “Received:” lines in the header that give some indication of the message’s origin. A detailed explanation of how to read e-mail headers is at spamlinks.net/track-trace-headers.htm.

If you receive spam that solicits your personal information, the consumer safety site OnGuardOnline.gov suggests forwarding it to the bank or institution used in the forged address and to spam@uce.gov.

Bob Jensen's threads on ID theft are at http://faculty.trinity.edu/rjensen/FraudReporting.htm#IdentityTheft

"Retail Fraud Rates Plummeted the Night McColo Went Offline," by Brian Krebs, The Washington Post, December 2008 --- http://voices.washingtonpost.com/securityfix/2008/12/mccolo_shutdown_killed_retaile.html?wpisrc=newsletter&wpisrc=newsletter

One month after the shutdown of hosting provider McColo Corp., spam volumes are nearly back to the levels seen prior to the company's take down by its upstream Internet providers. But according to one noted fraud expert, spam wasn't the only thing that may have been routed through the Silicon Valley based host: New evidence found that retail fraud dropped significantly on the same day.

It is unclear whether the decrease in retail fraud is related to the McColo situation, but in speaking with Ori Eisen, founder of 41st Parameter, he said close to a quarter of a million dollars worth of fraudulent charges that his customers battle every day came to a halt.

Eisen, whose company provides anti-fraud consulting to a number of big retailers and banks, told me at least two of the largest retailers his company serves reported massive declines in fraud rates directly following McColo's termination.

"It stopped completely that night," Eisen said, referring to a drop in fraudulent activity linked to purchases of high-value merchandise with stolen credit and debit cards on Nov. 11, the day McColo was shut down. "Yet, it will come back after [the scammers] erect their new infrastructure."

Eisen's testimony suggests that a great many fraudsters may have been using McColo to funnel their Internet connections when attempting to purchase goods from retailer sites.

In a follow-up blog post about the casualties of the McColo disconnection, Security Fix called attention to a Web site called "fraudcrew.com," a Web service that offered paying customers the ability to hide their identities online by routing their traffic through computers controlled by others. Fraudcrew.com was hosted on McColo's servers.

From that piece:

There are a number of services like those offered by Fraudcrew (Security Fix profiled another one earlier this year) that not only aid in hiding one's identity online, but could also defeat security measures put in place by financial institutions. Many online banks will check to see whether the customer's Internet address is coming from a location already associated with the customer's user name and password, or at least from a geographic location that is close to where the customer lives.

These masking services provide a software program that allows the user to pick from a drop down list of Internet addresses to proxy through. For example, if a user in Ukraine, has stolen the user name and password that Joe from St. Louis uses to access his bank online, that user can simply select a node in the proxy list that's in St. Louis, and the bank site will be none the wiser that the person logging in is not actually in St. Louis.

It is impossible to say whether the same individuals who were funneling their spam operations through McColo have moved elsewhere. For its part, Fraudcrew appears to have found a new host, a provider in Luxembourg.

Spam volumes have since risen almost to pre-McColo levels in the past month. Some of this resurgence has been sporadic, thanks in no small part to the efforts of FireEye, a Milpitas, Calif., based security startup, which has kept pressure on Internet service providers not to associate themselves with the spam gangs that have been trying to regain control over their herds of spam spewing zombie PCs. Interested readers can learn more about these efforts by visiting the always-interesting FireEye blog, at this link here

Question
What are two of the shocking developments in spyware and spam?

July 14, 2006 message from Richard Campbell [campbell@RIO.EDU]

This is from a newsletter from sunbelt software - developers of Counterspy, a spyware detection software.

CSN: What do you see as the latest trends in spam?

AM: I see four main trends. The first is that most spam now comes from zombie machines so even if you are able to track the spam back to the machine that sent it, there is nothing you can do about it as the person that owns the machine most likely doesn't even know that his machine is being used as a zombie and even if he did, he wouldn't know what to do about it. This zombie phenomenon also leads to individualized spam as the zombie code can access the address book and send legitimate looking email to the zombie machine owner's friends.

The second trend I see is the increase in the amount of image spam. That is spam that contains an image instead of text. The spammer's message is contained in the image as a graphic image instead of text so that there is no practical way to try and detect spam by looking at the contents of the email. It's easy for the human eye to look at the picture and read the text that it contains but it is very difficult for a computer to do the same thing. Since it is so easy to change a bit or two in the image, it is not easy to come up with a hashing algorithm (a way to create a "signature" that can be used to determine if another image is the same as the original one). There is a lot of work being done to try to come up with ways of comparing images to see how "similar" they are but nobody has come up with a workable solution so far. Currently, I'd guess the amount of image spam is around 5% - 10% of the total amount of spam. I expect to see this increase to 20% - 30% in the next year or two.

The third trend is the scariest and that is phishing. I monitor the spam reported by our users so I get to see a pretty good cross section and it scares me to see how good the phishing sites are. They are so good that you have to be pretty savvy to detect some of them. I feel sorry for all the non-computer types out there that will fall victim to these. I have seen a dramatic rise in the amount of phish email in the past 6 months and expect to see that increase continue because there is so much money to be made with very little effort or risk.

The fourth trend and is "returned email" I have noticed a marked increase but I haven't had time to investigate. I suspect that the bulk of it is spam/malware, especially those that have attachments. It is particularly nasty because an attachment on a returned email doesn't seem out of the norm. In fact, you kind of expect to see your original email attached. Some of the undelivered email that I've looked at with attachments doesn't have the original email there. Instead it contains spam or a link to a malware site. You have to be real careful and make sure that the "bounce" (rejected email) is actually something that you sent. Many times it is the result of a rootkit having taken over your machine, turning it into a zombie. If you see email bounced that you never sent, it is very likely that you machine is infected.

CSN: What about image spam, what is it, and why so dangerous or such a pain to get ride of?

AM: The primary use for image spam is to advertise penny stocks. Most of this type of spam is part of a 'pump-n-dump' scheme where the spammer buys a lot of a particular stock and then starts promoting it via spam that describes what a great buy the stock is or giving the impression that the company is on the verge of some major expansion or discovery in order to get gullible investors to buy the stock. Once the price goes up, and it can go up as much as 500%, the spammer sells his shares and makes a huge profit. Since there was no real reason for the stock to increase, it usually falls back to its original level or lower. Most of the time, the company whose stock is being hyped is not involved in the spamming so they end up being a victim of the spammer as well as there is very little that they can do to keep their stock from being manipulated.

Image spam is only useful in situations where the user doesn't have to communicate with the spammer. With normal spam, there is a phone number to call or a button to click to order pills or whatever the spammer is hawking but with image spam, there is no information that links the email to the spammer as the typical stock add mentions the company but not the spammer. This is what makes it so different from the run of the mill spam.

I'm sure that it won't be too long before some creative spammer comes up with another type of situation where one way communication can be used to somehow flow money to them.

Richard J. Campbell
mailto:campbell@rio.edu

July 25, 2004 Update

Mozilla can help defend against some spyware invasions on your computer!

Forwarded by Jagdish Gangolly [JGangolly@UAMAIL.ALBANY.EDU] 

According to Rist (who is sitting behind me while I write this, just to make sure I don’t misquote him), the biggest problem is with Microsoft’s continued use of ActiveX, but that's by no means the only problem. In fact, it looks as if IE can’t be successfully patched, and what’s needed is a whole new version.

But what are you going to do if you don’t use IE? For most, IE is the default browser; they don’t have another choice that’s easy to implement. Does that mean that you should just grit your teeth and hope for the best? Not necessarily.

There are other browsers out there without IE’s security holes, most notably Mozilla. Getting Mozilla isn’t a problem -- just download it from the Web site <http://newsletter.infoworld.com/t?ctl=7ABD7D:1F5397F>

. The real problem is that you have to be sure that moving to Mozilla doesn’t introduce a new set of problems.

My own experience with Mozilla indicates that it works at least as well as IE and appears to be somewhat faster. I’ve already moved to Mozilla as my default browser because of the security issues with IE. As it happens, I'm also finding that I like it better than IE.

Unfortunately, the only way to know for sure whether Mozilla will work with the apps that require a browser is to test it. Download it to a few machines and see if anything breaks.

Testing Mozilla might be the first step on the path to IE separation, but the journey isn't over yet. Many companies who run Web sites tend to be kind of lazy and code their sites only for IE, because it’s the dominant browser. Sometimes they take shortcuts that keep other browsers from working properly.

The only way to know for sure if these shortcuts will shortcircuit a non-IE browser is to try potential replacement browsers to see if they work with the Web sites you absolutely depend on. If they do, you won’t need to worry as much about adopting them, although you’ll still have to install the new browser on every machine, and that’s not the world’s easiest task in a large enterprise.

But there’s another task you have to worry about. What are you using for your own Web server? Internet Information Server has its own set of vulnerabilities, after all. And what about the code running on your Web site? Have you avoided those programming practices that will lock your visitors into IE? After all, a lot of companies are now using machines that don’t run Windows (and therefore not IE), and a growing number are trying to avoid IE even if they do run Windows because of the security issues. You don’t want to discourage them from visiting your site, do you? I didn’t think so.

Unfortunately, you can’t drop IE from your Windows machines completely. You still need it for Windows Update alerts. But it is possible to use it sparingly, and until Microsoft issues a new release, that would be a good idea.

<mailto:wayne_rash@infoworld.com;letters@infoworld.com> Wayne Rash is a senior analyst at the InfoWorld Test Center.

• More of Wayne Rash's column <http://newsletter.infoworld.com/t?ctl=7ABD7B:1F5397F>

• Wayne Rash's forum <http://newsletter.infoworld.com/t?ctl=7ABD7A:1F5397F>

July 25, 2005 reply from Schatzel, John [JSchatzel@STONEHILL.EDU] 

I also read this past week (I believe it was in eWeek) that CERT (Computer Emergency Readiness Team) and the Department of Homeland Security have also declared IE to be unsafe.  There are apparently so many security flaws with IE that they can not be reliably patched.  For example, IE's ability to use ActiveX allows it to access low level features of your operating sytem that can allow trojans and key loggers to be placed on your computer.  These programs can and have collected personal bank account and credit card passwords that have led to significant losses recently.  This whole new Phishing scam used by hackers who exploit weaknesses in IE to get your personal information without you knowing it is the most dangerous thing I have ever seen.  They target your machine by sending you a regular email message (i.e., no attachments are involved) which drops an IE helper object on your computer which then downloads additional software to your computer capable of collecting and sending your personal information.

IE also has another feature called Adodb.stream (among too many other problems to list in this message), which allows your computer to be compromised.  “Adodb.stream provides a method for reading and writing files on a hard drive,” according to Microsoft. “This by-design functionality is sometimes used by web applications. However, when combined with known security vulnerabilities in Microsoft Internet Explorer, it could allow an Internet web site to execute script from the Local Machine Zone (LMZ).” This is dangerous folks and allows hackers to really have a field day with your personal information.

To reduce your risk, security experts recommend using Mozilla (http://mozilla.org) or Opera (http://www.opera.com).  I have used both of them and can say that they are both better featured browsers than IE (the experts say that they are safer).  The latest version of Mozilla (1.7.1) is open source; so it is free.  The basic version of Opera is free, but it displays ads. The no ad version costs $39 and was selected best browser of 2004 by PC World (and it really is the fastest). 

Wishing you all a safer browser,

John Schatzel

July 25, 2004 reply from David Fordham, James Madison University [fordhadr@JMU.EDU] 

The primary drawback I've encountered with alternate browsers (and I've tried about half a dozen over the past few months and years) is that they aren't prepared to deal with all the various file extensions and file types today which IE handles so transparently.

I consider myself a "power web user", and I conduct a lot of business on-line, which means that my banks, credit card companies, hotels, vendors, university webmail, university tech-tools, etc. are sending me a lot of scripts, image/sound files, and executable code. For example, in the past hour, I've been sitting here in a hotel room in Charlotte looking for Fuddrucker, Krystals', Boston Markets, double-checking my next hotel reservation as well as my rewards points, checking the status of my on-line class recording in Centra, checking webmail, and checking the status of my shipment from the Palm store. All of this requires executable code, map images, animated logos, etc. on my computer. (And yes, before you hit the flame button, I realize that using IE for all this stuff exposes me to all kinds of hazards in spite of my plethora of antiadware, antispyware, antivirusware, high security settings, etc....)

But at least all the apps work in IE! When I get messages saying "this website is trying to execute something, do you trust them?" and when I hit "yes", the site runs and my transaction is completed.

When I use the alternate browsers, they were forever choking and giving me error messages saying "Unknown file type" and "Unknown file extension" and "unable to process such-and- such-a script" and so forth, and the transaction chokes and dies. Depending on the alternate browser, anywhere from 10% to 80% of my web attempts would not display or run. Mapquest, Citibank, Switchboard.com, UPS, and even Google's advanced searches sometimes tripped on these. And our school uses Centra, Blackcboard, Tegrity, and a host of other tech tools which are certified and warrantied to run on IE, but not on most of the others. (And, surprise, they DON'T! Not reliably, not 100% of the time! I know. I tried! And yes, I spent hours tinkering with settings and security configurations and with tech-support people. The usual answer from the browser support people WHEN I COULD GET THEM TO RESPOND was "our product doesn't support that".)

Ergo, as is usually the case, security is a trade-off with convenience. (Been through an airport since 9/11/01?) If all you do is surf the web for pleasure (bikini.com or something) or if you are in the habit of inhabiting questionable websites, then perhaps one of the other browsers might work and be more secure. Or if you are the government security agency and your people are doing limited stuff on the government account, you can probabably find an alternate browser much more secure that will run your apps.

But as for me and my house, I sure hate getting 90% of the way into an on-line transaction, and the browser bombs out and says it encountered a problem processing, even if it only happens once every 10 times. (If your car failed to start once every 10 or so times, wouldn't it get irritating, especially if you had come to rely on your car for your day- to-day operations?)

So once again, until the rest of the world recognizes the emperor's lack of clothes, I'm afraid I'll have to avoid the little tailor shops, too. At least until they can handle the content a little more transparently. (pun intended)

Another devils-advocate contrarigram from you-know-who, although this time I'm sincere in my beliefs, having actually truly, been there and done that. Several times.

David Fordham 
James Madison University

Hi Paula,

I live with whatever Trinity University is providing for spam protection on our email system.  I still get a lot of unwanted messages for dates, lower mortgage rates, Viagra, larger breasts, and manhood the size of Kentucky Derby winners.  

My good friend Amy Dunbar at the University of Connecticut recommends the following spam blocker ---  http://spambayes.sourceforge.net/

There’s a nice article that came out two days ago reviewing some of the major alternatives for protection against “spam, viruses and directed attacks.”

"Appliances Ease E-Mail Security," by Michael Caton, eWeek, June 28, 2004 --- http://www.eweek.com/article2/0,,1616472,00.asp 

Spam, viruses and directed attacks have made managing e-mail security an increasingly complex and difficult job. eWEEK Labs recently reviewed three appliances that will reduce the burden on IT managers by consolidating messaging security applications in a single box.

Appliances from BorderWare Technologies Inc., CipherTrust Inc. and IronPort Systems Inc. give companies a new way to solve the problem of securing e-mail without investing in numerous point applications—from messaging gateways to anti-spam software—and the hardware needed to run those applications. We reviewed the $7,995 BorderWare MXtreme Mail Firewall MX 200, the $44,000 CipherTrust IronMail 305 and the $54,950 IronPort C60.

All three appliances include a mail transfer agent, policy management capabilities, and virus- and spam-filtering features. However, the systems also have a number of differences—both big and small.

We found that the CipherTrust appliance provides the best all-around solution, including a Web mail proxy.

The BorderWare MXtreme appliance likewise covers all the bases, but we'd like to see better reporting and consolidated management for administering multiple boxes. These capabilities are coming in the next release of the appliance's software.

eWEEK Labs evaluated a late-beta version of Version 4.0 of the Mxtreme software. Click here to read the review.

The IronPort appliance will be a good fit for companies that already have a firewall and proxy in place for managing access to Web mail but need a way to handle large volumes of inbound and outbound e-mail while filtering spam and viruses.

The appliances we tested give companies a way to eliminate what are often dedicated boxes running messaging gateways and anti-virus and anti-spam systems. Furthermore, they simplify management of all these applications by providing unified management and reporting capabilities.

However, these appliances won't necessarily reduce messaging costs. All the appliances we tested rely on third-party anti-virus tools, so companies will still need to pay an annual renewal fee to keep virus definition files up-to-date. The cost can range from $1.50 to $5 per user per year, depending on volume. The BorderWare and IronPort appliances also offer third-party anti-spam software, whose annual cost can run from $3 to $7 per user. In the case of the anti-spam engines developed by CipherTrust and BorderWare, the yearly maintenance and support fees will cover updates to those engines.

All three appliances provide policy management capabilities, but none of the systems' features was as complete as we'd like.

In addition, none of the systems provides the flexibility of point solutions.

For example, the appliances can search only messages and attachments for content that may be confidential or objectionable. In contrast, a point solution that runs in close conjunction with a groupware application, such as Omniva Inc.'s Policy Manager, will give companies the ability to create policies to filter internal and external communications, as well as provide a means to encrypt outbound messages.

Groupware-based solutions can also give companies a way to more readily manage the workflow associated with auditing messages, as well as either distribute keys or provide Web-based access for opening encrypted messages.

• Review: MXtreme Mail Firewall MX 200
  
• Review: IronMail 305
  
• Review: IronPort C60

Bob Jensen's threads on computer and network security are at http://faculty.trinity.edu/rjensen/ecommerce/000start.htm#SpecialSection 

June 29, 2004 message from Paula Ward

Bob, 

What anti-SPAM software do you recommend? 

Paula Kelley Ward

"Pop-Up Program Snatches Banking Passwords," by Dennis Fisher, eWeek, June 29, 2004 --- http://www.eweek.com/article2/0,1759,1618458,00.asp?kc=ewnws063004dtx1k0000599 

Customers who use a number of the top online banking sites are at risk of falling prey to a new Web-based attack that snatches user IDs and passwords for these sites.

Among the sites targeted by the attack are some owned by Citibank, Deutsche Bank and Barclays Bank.

The attack is rather complex and appears to use a known flaw in Internet Explorer (IE) to drop a Trojan horse program on vulnerable machines. The Trojan is delivered through a malicious pop-up ad that loads a file called "img1big.gif" onto the machine. The file is in fact a compressed Win32 executable that contains the Trojan and a DLL.

The DLL is installed on the PC as a BHO (Browser Helper Object), a type of DLL that normally is used to let developers control IE in certain circumstances.

When IE runs on a machine infected with the malicious BHO, the file monitors IE's activities for any HTTPS sessions with URLs that have any of a large number of banking-related strings in them.

Click here to read about malicious code that has been affecting some Windows machines.

Once IE establishes an outgoing HTTPS connection—which is secured using SSL encryption—to one of these URLs, the BHO collects all of the outbound POST or GET data before it is encrypted, according to an analysis of the attack done by researchers at The SANS Institute's Internet Storm Center. The attack affects IE 4.x and later.

Continued in the article

Question
Is it legal for your employer or your landlord to open your first class mail?

Answer
I'm not certain about first class mail, but people with access to your email system have just received added legal green lights to view your email.

"E-Mail Snooping Ruled Permissible," by Kim Zetter, Wired News, June 30, 2004 --- http://www.wired.com/news/politics/0,1283,64043,00.html?tw=newsletter_topstories_html 

E-mail privacy suffered a serious setback on Tuesday when a court of appeals ruled that an e-mail provider did not break the law in reading his customers' communications without their consent.

The First Court of Appeals in Massachusetts ruled that Bradford C. Councilman did not violate criminal wiretap laws when he surreptitiously copied and read the mail of his customers in order to monitor their transactions.

Councilman, owner of a website selling rare and out-of-print books, offered book dealer customers e-mail accounts through his site. But unknown to those customers, Councilman installed code that intercepted and copied any e-mail that came to them from his competitor, Amazon.com. Although Councilman did not prevent the mail from reaching recipients, he read thousands of copied messages in order to know what books customers were seeking and gain a commercial advantage over Amazon.

Authorities charged Councilman with violating the Wiretap Act, which governs unauthorized interception of communication. But the court found that because the e-mails were already in the random access memory, or RAM, of the defendant's computer system when he copied them, he did not intercept them while they were in transit over wires and therefore did not violate the Wiretap Act, even though he copied the messages before the intended recipients read them. The court ruled that the messages were in storage rather than transit.

The court acknowledged in its decision (PDF) that the Wiretap Act, written before the advent of the Internet, was perhaps inadequate to address modern communication methods.

But critics said the decision represented a huge privacy setback for e-mail users.

"By interpreting the Wiretap Act's privacy protections very narrowly, this court has effectively given Internet communications providers free rein to invade the privacy of their users for any reason and at any time," says Kevin Bankston, an attorney with the Electronic Frontier Foundation. "This decision makes clear that the law has failed to adapt to the realities of Internet communications and must be updated to protect online privacy."

In his dissenting opinion, which contained a detailed description of how e-mail works, Justice Kermit V. Lipez wrote that Congress never intended for e-mail temporarily stored in the transmission process to have less privacy than messages in transit. And he acknowledged that "the line that we draw in this case will have far-reaching effects on personal privacy and security."

In my AIS course, I sometimes have an invited speaker from the consulting division of Ernst & Young.  His full time job is trying to hack into client computer systems.

What is the certification credential called CEH?

Answer
Certified Ethical Hacker

"Ethical Hacking Is No Oxymoron," Reuters, Wired News, June 27, 2004 --- http://www.wired.com/news/infostructure/0,1377,64008,00.html?tw=newsletter_topstories_html 

Sporting long sideburns, a bushy goatee and black baseball cap, instructor Ralph Echemendia has a class of 15 buttoned-down corporate, academic and military leaders spellbound. The lesson: hacking.

The students huddled over laptops at a Los Angeles-area college have paid nearly $4,000 to attend “hacker college," a computer boot camp designed to show how people will try to break into network systems -- and how they will succeed.

"It's an amazing thing how insecure the big corporations are," Echemendia said during a break in the weeklong seminar. "It's just amazing how easy it is."

Hackers are believed to cost global businesses billions of dollars every year, and the costs to defend against them are soaring. One study by Good Harbor Consulting showed that security now accounts for up to 12 percent of corporate technology budgets, up from 3 percent five years ago.

"This is definitely bleeding edge -- so bleeding edge in fact, sometimes, that it's frightening," said Loren Shirk, a student in the class at Mt. Sierra College who owns a small-business computer consulting company.

The course prepares students for an exam offered by the International Council of E-Commerce Consultants, or EC-Council. If they pass that test, they get the ultimate seal of approval: Certified Ethical Hacker.

The class is by no means easy. Instructors race through topics like symmetric versus asymmetric key cryptography (symmetric is faster), war dialing (hackers will always call late at night) and well-known TCP ports and services (be wary of any activity on Port 0).

"I can definitely say it's not for everyone," said Ben Sookying, director of network security services for the California State University's 23-campus system and another student in this week's class. "If you don't have discipline, you won't make it through this course."

But the work is practical, too. On the first day, students were taught basic free and legal research methods, mostly involving search engines and securities databases, so they could learn as much information as possible about companies, their executives and systems.

With relatively little effort, they found out that the chief executive of one public company maintained his own website dedicated to guitars, while another public company still uses a number of systems known to be easily exploited by hackers.

Intense School, the Florida-based company that runs the hacking boot camp, started in 1997 with a $35,000 investment, teaching Microsoft and Cisco software to systems engineers.

But after the Sept. 11, 2001, attacks on the World Trade Center and the Pentagon, the company expanded its focus to information security courses. It now offers around 200 classes a year, generating about $15 million in annual revenue.

"What we attempt to do in our classes is teach how the hackers think," said Dave Kaufman, president of Intense School. The only way to keep hackers out of major corporate systems, he said, is to know how they will be attacked in the first place.

Continued in the article

Bob Jensen's threads on computer and network security are at http://faculty.trinity.edu/rjensen/ecommerce/000start.htm#SpecialSection 

"Who's Seeding the Net With Spyware?  Young surfers pick up paychecks for posting misleading pitches armed with invasive programs.," by Emily Kumler, PC World , June 15, 2004 --- http://www.pcworld.com/news/article/0,aid,116512,00.asp 

It's tough enough sometimes to figure out where you picked up that spyware, but have you ever wondered who planted that digital parasite?

It's likely a young man, maybe a college student, just making a few bucks spreading pop-up ads that contain a package unwelcome by many. And it's a growing cottage industry

How It Works Spyware follows your Internet surfing habits and serves up advertisements. You typically pick up spyware by clicking on links, which may not make it clear that you're downloading a "bonus" program when you read an ad or download a program you want.

The Federal Trade Commission defines spyware as "software that aids in gathering information about a person or organization without their knowledge and which may send such information to another entity without the consumer's consent, or asserts control over a computer without the consumer's knowledge." The federal government and several states are considering antispyware laws, and Utah recently enacted one.

FTC and industry leaders have urged Congress to resist spyware legislation, instead pushing for the industry to adopt self-regulatory practices. They fear that proposed laws define the practice too vaguely, and would prohibit other marketing practices that benefit consumers. But some lawmakers worry that the tech industry will not regulate spyware aggressively enough to protect consumers.

Meanwhile, computer users continue to face the side effects of spyware on their systems: bogged-down Internet connections, identity theft, lost documents, system problems, and potential loss of privacy.

Who's Behind It The people distributing the links for spyware downloads are paid about 15 cents every time an unsuspecting surfer clicks on their misleading bait.

"Friends signed me up one night, after we'd been drinking," says one twenty-something man, who plants spyware for pay. "They said it was an easy way to make some money."

"All I had to do was sign up and post fake ads, saying things like 'to see my picture click here.' Then when they clicked, it told them they had to download software to see the pictures."

But the user downloaded no pictures; instead, they got the greeting, "Come back later to see my photo." The ad is bogus, but the contamination of the computer is real.

He says open forums and other unregulated sites are the best places to post ads, because large numbers of people are likely to click on the phony links.

"You have to move around," he says, noting that if users complain, he'll be kicked off a site, or a section of a site. For example, he will just move to a different part of a classified advertisement site, he says. "It's really easy, so reposting your ad is not a big deal."

At 15 cents per hit, he got checks every two weeks for a few hundred dollars each.

"I could have made a lot more," he says, adding that he really isn't doing it anymore. "All I had to do was put more ads up and I would have doubled or tripled my profits."

What's the Risk? The foot soldiers who spread spyware may also become victims of the companies behind the software.

Many companies paying individuals to spread spyware post a disclaimer on their own Web site. It often contains a clause telling readers that if they commit fraud the company has the right to pull their paycheck.

However, the new Utah Spyware Control Act and other privacy laws sometimes invoked to combat spyware consider posting spyware to be fraud.

The spyware spreaders may not be reading the disclaimer themselves. But they do understand the company is paying them to trick people into downloading software, the young man says.

Does he feel any remorse for contaminating the computers of naive users? "Look, they're perverts if they click on my ads," he says, noting that the ads imply pornographic pictures await. "I say some nasty stuff, so, no, I don't feel bad." Anyone online should have a spyware blocker, spam blocker, and a firewall anyway, he said. "If they don't, they're just stupid."

A Challenging Battle Placing ads online can be a tempting and easy way to make money from home, notes Ray Everette-Church, chief privacy officer for antispam product vendor Turn Tide.

"It is very successful," Everette-Church says. "Hundreds of thousands of dollars a month is generated in this tiered structural referral." He is serving as an expert witness for the plaintiffs in an ongoing adware case arguing against pop-up ads.

Millions of Americans online haven't protected their PCs, and pursuing perpetrators of spyware is more complicated than in other criminal investigations, according to Mozelle Thompson, an FTC commissioner.

"It's hard to identify how many companies are engaged in dangerous spyware, or spyware in general," Thompson says. "The definition of spyware is too broad."

The surreptitious nature of spyware makes it more difficult to track who, where, and how the spyware is disseminated, Thompson told a House subcommittee at a recent hearing.

"Consumer complaints, for instance, are less likely to lead directly to targets than in other law enforcement investigations, because consumers often do not know that spyware has caused the problems or, even if they do, they may not know the source of the spyware," he said at the April hearing.

How to Protect Against Spyware

Question
Why should we all look into installing software like AdWare Remover Gold? --- http://www.tucows.com/webbrowser_adwarecleaner_default.html

Answer
Known as bot software, the remote attack tools can seek out and place themselves on vulnerable computers, then run silently in the background, letting an attacker send commands to the system while its owner works away, oblivious. The latest versions of the software created by the security underground let attackers control compromised computers through chat servers and peer-to-peer networks, command the software to attack other computers and steal information from infected systems.
Robert Lemos , CNET News.com, April 30, 2004 --- http://news.com.com/2100-7349_3-5202236.html?tag=nefd.lede 

Question
How can hidden data be removed from WORD doc files?

Answer from Richard Campbell

Here is the link to a free Microsoft utility:

http://tinyurl.com/2qaax 

Richard J. Campbell 
mailto:campbell@rio.edu 

Malicious programs called browser hijackers install a lot of nasty stuff on people's computers -- primarily hard-core, borderline-illegal pornography. Some victims are facing firings, divorces and even criminal prosecution.

"Browser Hijackers Ruining Lives," vy Michelle Delio, Wired News, May 11, 2004 --- http://www.wired.com/news/infostructure/0,1377,63391,00.html?tw=newsletter_topstories_html 

Browser hijackers are doing more than just changing homepages. They are also changing some peoples' lives for the worse.

Browser hijackers are malicious programs that change browser settings, usually altering designated default start and search pages. But some, such as CWS, also produce pop-up ads for pornography, add dozens of bookmarks -- some for extremely hard-core pornography websites -- to Internet Explorer's Favorites folder, and can redirect users to porn websites when they mistype URLs.

Traces of browsed sites can remain on computers, and it's difficult to tell from those traces whether a user willingly or mistakenly viewed a website. When those traces connect to borderline-criminal websites, people may have a hard time believing that their employee or significant other hasn't been spending an awful lot of time cruising adult sites.

In response to a recent Wired News story about the CWS browser hijacker, famed for peddling porn, several dozen readers sent e-mails in which they claimed to have lost or almost lost jobs, relationships and their good reputations when their computers were found to harbor traces of pornography that they insist were placed on their computers by a browser hijacker.

In one case a man claims that a browser hijacker sent him to jail after compromising images of children were found on his work computer by an employer, who then reported him to law enforcement authorities.

"The police raided my house on Sept. 17, 2002," said "Jack," who came to the United States from the former Soviet Union as a political refugee, and has requested that his name not be published. "Nobody gave me a chance to explain. I was told by judge and prosecutor that I will get years in prison if I go to trial. After negotiations through my lawyer I got 180 days in an adult correctional facility. I was imprisoned for 20 days and then released under the Electronic Home Monitoring scheme. I now have a felony sex-criminal record, and the court ordered me to register as a predatory sex offender for 10 years."

Jack originally believed that the images found on his computer were from a previous owner -- he'd bought the machine on an eBay auction. But he now thinks a browser hijacker may have been responsible.

"When I used search engines, sometimes I got a lot of porn pop-ups," Jack said. "Sometimes I was sent to illegal porn sites. When I tried to close one, another five would be opened without my will. They changed my start page, wrote a lot of illegal porn links in favorites. The only way to stop this was turn the (computer's) power off. But when I dialed up to my server again, I started with illegal site, then got the same pop-ups. There were illegal pictures in pop-ups."

Several of the URLs that CWS injects into Internet Explorer's favorites list also appear in the arrest warrant and other materials from Jack's hearing. CWS works as Jack described -- changing start pages, adding to favorites, popping up porn. But CWS was first spotted several months after Jack's arrest, so it seems unlikely that this particular hijacker is the cause of his problems.

Security experts who were asked to review Jack's claims said it is possible that a browser hijacker could have been the reason porn images were found on Jack's computer. But they also pointed out some discrepancies in the story.

Some of the images were found in unallocated file space, and would have to have been placed there deliberately since cached images from browsing sessions wouldn't have been stored in unallocated space.

May 3, 2004 reply from Andrew Priest [a.priest@ECU.EDU.AU] 

There are numerous software tools around to combat this sort problem. Personally I use Ad-aware but there are others. For example you will find a range at http://www.tucows.com/webbrowser_adwarecleaner_default.html .

Cheers Andrew

Notes from Bob Jensen:  

Although you can download the Ad-aware scanner noted above for free, I recommend that you purchase the professional version that will wipe out the problems from http://lavasoft.element5.com/purch

I also recommend that you download and run the free CWShredder from http://www.majorgeeks.com/download4086.html 

"What's That Sneaking Into Your Computer?" by David Bank, The Wall Street Journal, April 26, 2004

New types of insidious programs called "spyware" are burrowing into PCs, wreaking all sorts of problems. These small programs that install themselves on computers to serve up advertising, monitor Web surfing and other computer activities, and carry out other orders are quickly replacing spam as the online annoyance computer users most complain about. Here's what's being done to combat them.

John Gosbee was sitting up in bed on a cold night, surfing the Internet with his laptop on his knees. Suddenly, the computer's CD-ROM tray popped open, seemingly on its own.

"What on earth is going on?" Mr. Gosbee, of Mandan, N.D., said to himself. "It was like it was possessed," he recalls.

His laptop emitted a high-pitched "Uh-oh."

Uh-oh is right. The pranks were a setup for the message that appeared on his screen: "Dangerous computer programs can control your computer hardware if you fail to protect your computer right at this moment!" That was followed by a plug for a program called Spy-Wiper that promised to clean out any rogue software.

As if that wasn't alarming and annoying enough, the very next day the computer at Mr. Gosbee's one-man law office was similarly hijacked. The CD and DVD trays both opened; only one closed. Then came the same ad for Spy-Wiper, which kept popping up on both machines.

"I was getting ticked," Mr. Gosbee says.

As Mr. Gosbee and countless other computer users have discovered: It's a war out there. While malicious hackers are spreading viruses all over the global computer network, advertisers and scam artists are propagating other pests that are arguably even more annoying. They're called spyware -- and the implications for consumers are only beginning to be felt.

Indeed, spyware -- small programs that install themselves on computers to serve up advertising, monitor Web surfing and other computer activities, and carry out other orders -- is quickly replacing spam as the online annoyance computer users most com- plain about. The outrage has grown to the point that politicians are threatening legislative controls on the tactic. But in their most benign form these programs have a powerful appeal to advertisers, and some marketers are banking on the idea that people eventually will grow accustomed to some use of such invasive software.

"Snoops and spies are really trying to set up base camp in millions of computers across the country," said Sen. Ron Wyden, an Oregon Democrat, at a March hearing on proposed legislation he is co-sponsoring to tackle the problem. A Republican co-sponsor, Sen. Conrad Burns of Montana, said at the hearing: "I'm convinced that spyware is potentially an even greater concern than junk e-mail, given its invasive nature."

Continued in the article

May 3, 2004 reply from Andrew Priest [a.priest@ECU.EDU.AU] 

There are numerous software tools around to combat this sort problem. Personally I use Ad-aware but there are others. For example you will find a range at http://www.tucows.com/webbrowser_adwarecleaner_default.html .

Cheers Andrew

You can also download free from http://download.com.com/3001-8022-10214379.html 
Other options, including patches, are available at http://www.lavasoft.de/ 

May 11, 2004 reply from Richard Campbell [campbell@RIO.EDU] 

"Six Steps to Greater Computer Security"  (with audio)

See http://www.virtualpublishing.net/compswf/step1.html 

Richard J. Campbell 
mailto:campbell@rio.edu 

This following reply from Paula may be of interest to some of you. She tells how she protects her computer. Paula retired from Trinity's development office and now lives online almost as much as I live online. You can thank her for much of the humor in New Bookmarks.

I must warn you, however, that my security site she refers to is not kept up to date very well. Please do not rely on this for the latest and greatest news.

Bob

-----Original Message----- 
From: Paula 
Sent: Tuesday, May 11, 2004 4:48 PM 
Subject: FW: How Nasty Stuff Gets Into Your Computer

How does nasty stuff get into your computer? How can you protect your computer from "browser hijackers," spyware, Cookies that collect your personal information, etc.? Also, learn how to "opt out" of DoubleClick's cookies and how to send e-mail anonymously. This website was created by Bob Jensen, who is a distinguished professor at Trinity University in San Antonio: A Special Section on Computer and Networking Security http://faculty.trinity.edu/rjensen/ecommerce/000start.htm#SpecialSection  Yes, there is a lot of information here! 

What I do personally to protect my computer: I have Norton Anti-Virus, BlackIce Firewall, and Ad-Aware installed. Norton and Ad-Aware can be scheduled to run daily, weekly, etc. 

In addition, my ISP provides a firewall, spam blocker, and pop-up blocker. If you have any questions about computer security, you should be able to find answers on Bob's website. 

Paula 
"Kwitchyerbellyakin." - Irish saying