Stories by: Frank Hayes

Security is a people problem. OK, you already knew that. But recently the SANS Institute finally recognized it too, in its list of the top 20 Internet security risks of 2007. Topping the chart of new, hard-to-defend-against risks were vulnerabilities in custom Web applications and (drum roll, please) "gullible, busy, accommodating computer users, including executives, IT staff and others with privileged access."

What have we learned from the current stampede of Windows-infecting worms with names like Zotob, Esbot, Bobax and Spybot? First lesson: If you want to raise public awareness about a tired old subject like computer worms, just gore the oxes of reporters and editors at CNN, The New York Times, The Associated Press and ABC News. There's nothing like personal pain to freshen up a story. In CNN's case, there's nothing like having it happen on live TV.

Why didn't this happen sooner? Seagate Technology has just announced a hard disk drive for laptops and other mobile devices that automatically encrypts all data as it goes into and comes out of the drive. Result: Nothing on the drive is accessible unless you know the password. If you lose your laptop with a drive like this installed, that's all you lose. The data is safe from prying eyes -- a thief can't even boot it up.

Is Sybase's management well intentioned and dumb, or a crowd of control freaks who want to dictate to everyone -- including Sybase customers -- exactly what they're allowed to say about security? The question comes up after Sybase threatened to sue Next Generation Security Software, a security research company in England. Last year, NGS found a batch of vulnerabilities in Sybase Adaptive Server and notified Sybase. Sybase issued patches for the holes. So far, so good.

What do you do about someone like Adrian Lamo? Last week, Lamo turned himself in to U.S. marshals at the federal courthouse in Sacramento, California and was charged with hacking his way into the internal network of The New York Times and running up a US$300,000 bill on the newspaper's LexisNexis database account. At that price, you can understand why the Times wasn't as forgiving as WorldCom, Yahoo and other companies that praised Lamo after he found security holes in their networks and then helped to fix them for free.