The University of Kansas attempted to notify 119 students that their failure to pass even a single class may make them inelligible for continued financial aid. Unfortunately the person in charge of the project gave each student on the list the names of all other failing students. As a result, Kansas will have to undergo an investigation of the privacy breach it created or itself risk loosing federal government aid.

The list reportedly included one woman who asserts she failed exactly one class, after receiving 200 hours of passing grades and a masters degree, according to USA Today. Her excuse is a good one, her daughter contracted pneumonia so she had to divert her attention.

This however raises several issues regarding email. We need to be very careful with addressing, the reply all button, getting a similiar name from our address book, etc.

I one single slip by a third party processor, one in each seven US Mastercard Accounts was exposed to possible identity theft as detailed at Security Focus. Fortunately the amount actually compromised will be much less. What makes this different than many other similiar glitches is that it exposed information for multiple branded cards issues on different financial institutions and organizations. Issues like this will continue to grow.

The day is coming where greater checks, perhaps pin numbers confirmed via independant routing for example will have to become common-place on purchases. Likewise with the advent of automated fingerprinting identification, I think prints or other equivalents must soon be required for the issuing of credit. Merely having my personal information and card numbers cannot be sufficient to allow access to my accounts or the granting of new credit.

A Microsoft event called “Blue Hat” was held between Microsoft, their software engineers and the hacker community for the purpose of testing the security of their Windows Operating System. Apparently only minutes after allowing hackers onto the network, a Windows laptop was caused to join a malicious wireless network to the apparent dismay and anger of the Microsoft engineers. This is the story detailed by ZDnet’s Ina Fried.

It should be noted that the “hackers” that would respond to a request from Microsoft would be classed as “white hat” hackers, meaning they don’t use their power to the detriment of others and are usually called security researches. Black hat hackers, the bad sort, would not want to draw attention to themselves by revealing themselves to a company that would be quiet happy to sue them for past transgressions.

Microsoft managers are said to be happy at the shock and anger of their engineers, mostly because they have been trying to engender that response themselves with limited success. They didn’t say however, whether they were happy that their security measures failed in so short a period of time. It is also interesting to note that Microsoft hasn’t publicised their “Blue Hat” meeting. One wonders if they would have sang it from the rooftops had the result had gone the way they probably expected.

According to this article at TheRegister. The US Navy is looking to standardize the second biggest network (after the Internet itself) on a Linux distribution. Apparently that amounts to 250,000 local servers and approximately the same number of remote servers. If a deal like that was to go to Novell or Redhat, it could single handedly make that distributor the biggest Linux distributor in the world (a place currently occupied by Redhat). Apparently Chris Christopher of the Navy’s Program Executive Office for Information Technology told ComputerWorld that they already have a significant Linux presence on their network along with most every other Operating System released in the last 15 years. Hence the need to standardize.

If the Navy standardizes on an Open Source Linux distribution, it would alleviate the worry about vendor lock-in which it seems is one of their more significant concerns. This concern is lessened somewhat by Linux because of the openness of the data formats in that one vendors distribution could take the place of another with minimal effort. The same cannot be said for companies like Microsoft who appear to have based their business on being hard to migrate away from, all the while touting interoperability in the press. That difficulty to migrate away from has resulted in much press from Microsoft’s “get the facts” campaign as being another reason why it’s better to stay with Windows. Obviously they never mention the fact that they themselves are the reason it is more difficult to migrate to another non-Microsoft platform.

Microsoft has long received criticism for using proprietary undisclosed file formats to lock your data away where you can’t get it without Microsoft’s products or licenses. The problem with that approach is that the data belongs to you, you should not have to rely on an outside party for access to your own property. Anyway, to try to address this concern, Microsoft released the specification schemas for Office 2003 which will be the default file format for the version of Office due out next year. The release is “royalty free” meaning that you need not pay Microsoft for the use of the schemas. The problem is that the license is designed to exclude Microsoft’s biggest competitor GPL licensed Open Source programs. In short Microsoft requires that any software that is able to read/write to their format attribute that code to Microsoft, it seems that even if it doesn’t contain any of their code and is instead just an implementation of the bare essentials required to access them it must still attribute to Microsoft in the code.

There are some in the Open Source community that believe that there may be no enforcable rights that Microsoft can claim in the new license and that licences may not be required in this instance, but that is an issue probably best decided by lawyers. The fact is that if the license is required, it is not compatible with the GPL, which is the licence that the vast majority of true Open Source software is released under.

The fact that Microsoft is trying to lock out GPL developers is hardly surprising as they are doing something very similar in the EU as part of their punishment for being found guilty of anti-competitive practises in the European Union. They were told that they must make their server protocols available to competitors so as to improve interoperability but have again done so in a manner that locks out their biggest competitor, GPL licensed software.

The only truly open document standard at this time appears to be the OASIS XML OpenDocument format used by StarOffice/OpenOffice. This file format is completely open and can be adopted by anybody with a desire to do so, including Microsoft. But don’t expect them to support it any time soon as to do so would lessen the impact of their own less open format and make it easier for people to swap to competitive Office suites and Microsoft would apparently prefer not to compete on price and features if they don’t have to. It should be noted that Microsoft’s XML based file format is NOT currently approved by OASIS (Organization for the Advancement of Structured Information Standards).

I dream of a world where any text document/spreadsheet/presentation/database can be opened and saved by any Office application suite and that the only reason to choose one over another is the feature set and price of that Office suite. I suspect however, that Microsoft will be one of the last to join that party and will only do so when they are forced to by declining market share. Governments have become much more aware recently of the need to keep their information in non proprietary formats, so Microsoft may be pressured (by sales or the lack thereof) to comply sooner then expected. Governments make up a fairly significant portion of Microsoft Office sales.

You can get a more detailed look at the issue by reading Eweek’s write-up of the problem.

According to ComputerWorld, which has it from the IDG news service, Mastercard has revealed that up to forty million (40,000,000) credit card numbers may have been acquired by a malicious hacker attacking CardSystems Solutions Inc, a company that provides back end services for card companies. Of those 40 million, roughly 13.9 million may have been Mastercards so Mastercard are not the only company affected, they are just the only one thus far to warn the public about it.

The point of the article, seems to be that if you have a credit card, you should check your statements regularly either online or via your bank statements and be sure contest or charge back any payments you didn’t make if there are any. (But you’re doing that already right?)

In Mid April I wrote about the problem of security products actually hurting your security rather then helping as they are supposed to. BusinessWeekOline have an article that talks about a forthcoming report from the Yankee Group detailing how Anti-Virus/Spyware products together with other security products like Firewalls have had more flaws found in recent times then Microsoft’s own products. To even compete with Microsoft with regard to security flaws is amazing in itself, but when you consider that these products are actually supposed to protect you from external compromise it becomes a horrendous problem.

Security experts have long suggested to clients, that being protected by a current and actively updating Anti-Virus, Anti-Spyware and firewall product is part and parcel of staying secure online (for Windows users anyway, since Mac and Linux are mostly unaffected by such problems), but those very products themselves are in some instances being used as the attack vector used to get into your computers. A very dangerous state of affairs that requires an immediate response from the security vendors. It can’t be long before a company finds themselves beset by malicious software which was caused by a failure from a security product and that security company may find themselves in court being asked to explain themselves and pay damages.