Was LinkedIn Scammed?

Deutsche Bank, according to a recent report by the Senate Permanent Subcommittee on Investigations, sold its clients subprime mortgage bonds that one of its own traders at the time described as “pigs.” Goldman Sachs took unseemly advantage of unsuspecting clients to offload its most toxic assets in 2007 and 2008. During the subprime bubble, this kind of behavior was par for the course.

It still is, apparently. On Thursday, LinkedIn, an Internet company that connects business professionals, became the first major American social media company to go public. The company had hired Morgan Stanley and Bank of America’s Merrill Lynch division to manage the I.P.O. process. After gauging market demand — which is what they’re paid to do — the investment bankers priced the shares at $45. The 7.84 million shares it sold raised $352 million for the company. For this, the bankers were paid 7 percent of the deal as their fee.

For a small company with less than $16 million in profits last year, $352 million in the bank sounds pretty wonderful, doesn’t it? But it really wasn’t wonderful at all. When LinkedIn’s shares started trading on the New York Stock Exchange, they opened not at $45, or anywhere near it. The opening price was $83 a share, some 84 percent higher than the I.P.O. price. By the time the clock had struck noon, the stock had vaulted to more than $120 a share, before settling down to $94.25 at the market’s close. The first-day gain was close to 110 percent.

I have no doubt that most everyone at LinkedIn was thrilled to see the run-up; most executives at start-ups usually are. An I.P.O. is an important marker for any company. And, of course, the executives themselves are suddenly rich. But, in reality, LinkedIn was scammed by its bankers.

The fact that the stock more than doubled on its first day of trading — something the investment bankers, with their fingers on the pulse of the market, absolutely must have known would happen — means that hundreds of millions of additional dollars that should have gone to LinkedIn wound up in the hands of investors that Morgan Stanley and Merrill Lynch wanted to do favors for. Most of those investors, I guarantee, sold the stock during the morning run-up. It’s the easiest money you can make on Wall Street.

As Eric Tilenius, the general manager of Zynga, wrote on Facebook: “A huge opening-day pop is not a sign of a successful I.P.O., but rather a massively mispriced one. Bankers are rewarding their friends and themselves instead of doing their fiduciary duty to their clients.”

There is nothing wrong with a small “pop” in the aftermath of an I.P.O.; investors, after all, don’t want to buy a stock that is going to go down immediately. But during the Internet bubble of the 1990s, the phenomenon of investment bankers wildly underpricing I.P.O.’s so that money could be diverted to favored investors got completely out of hand — stocks would sometimes rise 500 percent on the first day. It was obscene.

Indeed, most business journalists writing about the LinkedIn deal focused on the first-day run-up as evidence that we’ve entered another Internet bubble. But over at the Business Insider blog, Henry Blodget — who knows a thing or two about bad behavior on Wall Street — had the perfect analogy for what the banks had done to LinkedIn.

Suppose, he wrote, your trusted real estate agent persuaded you to sell your house for $1 million. Then, the next day, the same agent sold the same house for the new owner for $2 million. “How would you feel if your agent did that?” he asked. That, he concluded, is what Merrill and Morgan did to LinkedIn.

It’s worth remembering that most of the young Internet companies with those eye-popping I.P.O.’s back in the day are long gone. With their flawed business models, maybe they were doomed from the start — but the cash they left on the table at the I.P.O. might have allowed at least a few of them to survive.

Similarly, LinkedIn is still a fragile enterprise. Its business model remains unproved. It is going to have to grow awfully fast to justify its stock price. Its executives may yet rue the day they let themselves be sold down the river by their investment bankers. LinkedIn is supposed to be the client, but it was treated like the mark.

Ever since the financial crisis, investment bankers have been constantly questioned about whether they have any larger social purpose besides making money. What they invariably say is that they play a critical role in capital formation, meaning that they help companies raise the money they need to grow and prosper.

The LinkedIn deal suggests something darker. The crisis hasn’t changed them a bit. They’re still just in it for themselves.

Epsilon worries it may lose business after major data breach - Computerworld

IDG News Service - The company responsible for one of the most publicized data breaches this year fears it may now lose some business but says that it continues to pump out marketing email as usual.

Epsilon Interactive's parent company, Alliance Data, apologized Wednesday for a data breach that has left millions of customers of some of the largest U.S. companies wondering if they may soon be the target of spam or phishing attacks.

Alliance Data said the incident -- now under investigation by federal authorities -- will have a minimal effect on its bottom line but worried about the possible impact on its business.

"The company believes the greatest risk to Epsilon and Alliance Data is the potential loss of valued clients," Alliance Data said in a statement, but it "expects this incident to have minimal if any impact on Alliance Data's financial performance."

Alliance Data is one of the country's largest marketing data firms. Recently, someone broke into its subsidiary's computer systems and downloaded customer names and e-mail addresses belonging to nearly 60 Epsilon customers, who use the marketing company to send email messages to customers. Although the affected customers represented just 2 percent of Epsilon's 2,500 clients, they amount to a who's who of U.S. business.

Companies such as Citibank, Verizon, Marriott and Walgreens have sent out millions of notification emails this week, warning customers that their email addresses have been stolen, and telling them to be on the lookout for phishing messages or spam. Many consumers say they received several of these notification messages.

Security experts say that knowing people's names, email addresses and the companies they do business with makes it easier for scammers to craft believable "spear-phishing" messages. They worry that the breach could lead to a rash of spam or targeted phishing attacks.

Neither Epsilon nor Alliance Data will say how many customers are being notified, but they say that only customer names and email addresses -- not social security numbers or account information -- were stolen.

"We fully recognize the impact this has had on our clients and their customers, and on behalf of the entire Alliance Data organization, we sincerely apologize," Alliance Data said in its statement Wednesday. "We will leave no stone unturned and are dealing with this malicious act by highly sophisticated cyber-thieves with the greatest sense of urgency."

Alliance Data says that the 40 billion email messages that Epsilon sends out each year continue to be pumped out. "Epsilon's email volumes are not expected to be significantly impacted," the company said.

One client that's been caught up in the breach, Verizon, wouldn't say whether it plans to continue to do business with the email service provider. "We are continually reviewing our agreements with vendors and contractors and making whatever changes are in the best interest of our business," said Verizon spokesman Clifford Lee, when asked if Verizon plans to continue to employ Epsilon.

No shit, Sherlock!

RSA: Cyberattack could put customers at risk | InSecurity Complex - CNET News

RSA Executive Chairman Art Coviello warns customers about a security breach that affects its SecurID authentication technology.


Information about RSA's SecurID authentication tokens used by millions of people, including government and bank employees, was stolen during an "extremely sophisticated cyberattack," putting customers relying on them to secure their networks at risk, the company said today.

"Recently, our security systems identified an extremely sophisticated cyberattack in progress being mounted against RSA," Executive Chairman Art Coviello, wrote in an open letter to customers, which was posted on the company's Web site.

"Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat. Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products," the letter said.

"While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack," Coviello wrote. "We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations."

The company said it has no evidence that other products are affected or that personally identifiable data on customers or employees was compromised. RSA did not elaborate and a spokesman said he could not provide additional information at this time.

The tokens, of which 40 million hardware units and 250 million mobile software versions have been deployed, are the market leader for two-factor authentication. They are used in addition to a password, providing a randomly generated number that allows a user to access a network.

The tokens are commonly used in financial transactions and government agencies; one source who asked to remain anonymous said SecurID users in those sensitive areas were scrambling to figure out what to do in light of the breach.

Because it's unclear exactly what type of information was stolen, sources told CNET they could only speculate as to what the potential outcome could be for companies using the devices.

"It's hard to say [how serious the breach is] until we know the extent of what the bad guys got a hold of," said Charlie Miller, a principal analyst at consultancy Independent Security Evaluators. "Any time a security company gets broken into, it reminds you that it could happen to anybody."

He used to work for a financial services firm that "basically ran everything on" SecurID, he said. "They would be very unhappy if they found out" it could be compromised somehow.

"The real story here is what was stolen. It definitely seems mysterious," said Ravi Ganesan, an operating partner at The Comvest Group and former founder and CEO of single sign-on provider TriCipher. "SecurID is a token authenticator device that flashes a new number every 60 seconds. The number is calculated from two things, a 'secret seed' unique to that device and the time of day. So your one-time password is output of [that] algorithm."

RSA has historically kept their algorithm secret, but that is not a good defense against a sophisticated attacker who could get a software version of the token or the back-end server and reverse engineer the code, Ganesan said. "So what on earth could have been stolen? I certainly hope RSA did not put some back door into the software and that was what got stolen."
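Ganesan's description above (a secret seed unique to the device, combined with the time of day) is the same structure as the open time-based one-time password standard, RFC 6238. The block below is an added example and is not RSA's code or its proprietary SecurID algorithm: it implements the open RFC 6238 scheme with the RFC's published test seed to show that a token code is a deterministic function of exactly two inputs, the seed and the current time window. Anyone who holds a seed and knows the algorithm can compute that device's codes, which is why the seed material, not the algorithm, is what matters and why the PIN policy guidance in RSA's message to customers carries weight. The `verify` function and the `window` parameter are this example's own additions, modelling the server side.

```python
import hashlib
import hmac
import struct


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238 time-based one-time password using HMAC-SHA1.

    The code depends on only two inputs: the device's secret seed and the
    current time window (unix_time // step). Nothing about the user or the
    server enters the calculation.
    """
    counter = unix_time // step                       # "time of day", quantized to 30s windows
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation, as in RFC 4226
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify(seed: bytes, submitted: str, unix_time: int,
           window: int = 1, step: int = 30) -> bool:
    """Server side (hypothetical): accept the code for the current window and
    `window` neighbouring windows on either side to tolerate clock drift.
    The comparison is constant-time so timing does not leak digits."""
    for drift in range(-window, window + 1):
        candidate = totp(seed, unix_time + drift * step, step=step)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


# RFC 6238's published test seed (ASCII "12345678901234567890"). A real token's
# seed is random, unique to the device, and never leaves the vendor and the server.
RFC_SEED = b"12345678901234567890"

if __name__ == "__main__":
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC_SEED, t))
    # Two copies of the same seed at the same time give the same code: the seed is the whole secret.
    print(totp(RFC_SEED, 59) == totp(bytes(RFC_SEED), 59))
```

The RFC's SHA-1 test vectors (for example, time 59 gives 94287082) make the implementation checkable without any device. Note that drift tolerance is a trade-off: a wider `window` accepts more stale codes, so servers keep it small.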

While details were scarce, hints about the breach could be gleaned from a message to customers that RSA filed with the SEC. It recommended that customers increase their focus on security for social-media applications and Web sites accessed by anyone with access to their critical networks; enforce strong password and PIN policies; remind employees to avoid opening suspicious e-mails and to avoid providing usernames or other credentials to anyone without verifying that person's identity; and tell employees not to comply with e-mail or phone-based requests for such information.

Additionally, the message said customers should pay special attention to securing their Active Directory deployments and use two-factor authentication to control access to them; watch closely for changes in user privilege levels and access rights; harden, monitor and limit remote and physical access to infrastructure that hosts critical security software; shore up practices against social-engineering attacks; and update security products and patch operating system software.

Advanced persistent threat attacks often target source code and other information useful in espionage, and involve knowledge of the company's network, key employees and workings. Attackers use social engineering and exploits hidden in e-mail and other messages to sneak keyloggers and other snooping tools onto employees' computers. Google announced last year that it and other companies had been targeted in such an attack, and it later came out that the attackers had used an unpatched hole in Internet Explorer to get into the company's computers. Google said at the time that intellectual property was stolen and that the attacks appeared to originate in China.

Updated at 7:06 p.m. PT with reaction, more details, and background throughout.

For Peter King, Lawmaker Examining Terror, a Pro-I.R.A. Past

“We must pledge ourselves to support those brave men and women who this very moment are carrying forth the struggle against British imperialism in the streets of Belfast and Derry,” Mr. King told a pro-I.R.A. rally on Long Island, where he was serving as Nassau County comptroller, in 1982. Three years later he declared, “If civilians are killed in an attack on a military installation, it is certainly regrettable, but I will not morally blame the I.R.A. for it.”

As Mr. King, a Republican, rose as a Long Island politician in the 1980s, benefiting from strong Irish-American support, the I.R.A. was carrying out a bloody campaign of bombing and sniping, targeting the British Army, Protestant paramilitaries and sometimes pubs and other civilian gathering spots. His statements, along with his close ties to key figures in the military and political wings of the I.R.A., drew the attention of British and American authorities.

A judge in Belfast threw him out of an I.R.A. murder trial, calling him an “obvious collaborator,” said Ed Moloney, an Irish journalist and author of “A Secret History of the I.R.A.” In 1984, Mr. King complained that the Secret Service had investigated him as a “security risk,” Mr. Moloney said.

In later years, by all accounts, Mr. King became an important go-between in talks that led to peace in Northern Ireland, drawing on his personal contacts with leaders of I.R.A.’s political wing, Sinn Fein, and winning plaudits from both Bill Clinton and Tony Blair, the former president and the British prime minister.

But as Mr. King, 66, prepares to preside Thursday as chairman of the House Homeland Security Committee at the first of a series of hearings on Muslim radicalization, his pro-I.R.A. past gives his many critics an obvious opening. The congressman’s assertions that 85 percent of leaders of American mosques hold extremist views and that Muslims do not cooperate with law enforcement have alarmed Muslim groups, some counterterrorism experts and even a few former allies in Irish-American causes.

Mr. King, son of a New York City police officer and grand-nephew of an I.R.A. member, offers no apologies for his past, which he has celebrated in novels that feature an Irish-American congressman with I.R.A. ties who bears a striking resemblance to the author.

Of comparisons between the terrorism of the I.R.A. and that of Al Qaeda and its affiliates, Mr. King said: “I understand why people who are misinformed might see a parallel. The fact is, the I.R.A. never attacked the United States. And my loyalty is to the United States.”

He said he does not regret his past pro-I.R.A. statements. The Irish group, he said, was “a legitimate force” battling British repression — analogous to the African National Congress in South Africa or the Zionist Irgun paramilitary in British-ruled Palestine. “It was a dirty war on both sides,” he said of I.R.A. resistance to British rule.

As for the hearings, he noted that counterterrorism officials from the Obama administration have often spoken, especially since a string of largely homegrown plots since 2009, of the threat from American Muslims who take on radical views. “Al Qaeda is recruiting from the Muslim community,” he said. “If they were recruiting from the Irish community, I’d say we should look at that.”

Mr. King’s witnesses at the hearing will feature a fellow House Republican, Frank Wolf of Virginia; Representative Keith Ellison, Democrat of Minnesota, who is Muslim; Dr. M. Zuhdi Jasser, a Muslim physician and activist who has been sharply critical of some fellow Muslims; and two family members of young men who embraced extremist violence. (The committee’s top Democrat, Representative Bennie G. Thompson of Mississippi, has invited Leroy Baca, the sheriff of Los Angeles County, who has praised Muslim assistance to law enforcement, and Representative John D. Dingell, Democrat of Michigan, who has many Muslim constituents.)

The furor about the hearing is less about the witness lineup, which does not seem especially incendiary, than about statements by Mr. King that appear to spread blame for terrorism to the entire population of American Muslims.

“This hearing is not focusing on the acts of a criminal fringe but is broad-brushing an entire community,” said Alejandro J. Beutel, policy analyst at the Muslim Public Affairs Council in Washington.

Mr. Beutel, who has compiled a database of terrorist incidents since 2001, said the problem of radicalization of young Muslims is serious, and his group has helped counter it with a number of measures, including a video featuring nine imams speaking against extremism that has become a Web hit. But he said broadly accusing Muslims of complicity in terrorism will hamstring the fight to prevent extremism, which depends on tips from citizens willing and unafraid to contact authorities.

Even Mr. King’s critics acknowledge a fundamental difference between the violence carried out by the I.R.A., which usually sought with varying success to minimize civilian casualties, and that of Al Qaeda, which has done the opposite. The I.R.A. was responsible for 1,826 of 3,528 deaths during the Northern Irish conflict between 1969 and 2001, including those of several hundred civilians, said the historian Malcolm Sutton.

“King’s exactly right to say there’s a difference of approach between the I.R.A. and Al Qaeda,” said Tom Parker, a counterterrorism specialist at Amnesty International and a former British military intelligence officer. “But I personally consider both of them terrorist groups.”

Mr. Parker was at a birthday party for a friend in London in 1990 when the I.R.A. tossed a bomb onto the roof of the rented hall, a historic barracks. Many people, including Mr. Parker, were injured, but none died, by lucky chance of location and quick medical response, he said.

What troubles him, Mr. Parker said, is that Mr. King “understands the pull of ancestral ties. He took a great interest in a terrorist struggle overseas. He’s a guy who could bring real insight to this situation.” Instead, he said, “he is damaging cooperation from the greatest allies the U.S. has in counterterrorism.”

Some who have been close to Mr. King agree. Niall O’Dowd, an Irish-born New York publisher and writer who worked with him on the peace process in the 1990s, broke publicly with him Monday on his Web site, IrishCentral.com, describing Mr. King’s “strange journey from Irish radical to Muslim inquisitor.”

In Northern Ireland, Mr. O’Dowd said, they saw a Catholic community “demonized” by its Protestant and British critics and worked to bring it to the peace table. Seeing his old friend similarly “demonize” Muslims has shocked him, he said.

“I honestly feel Peter is wrong, and his own experience in Northern Ireland teaches him that,” Mr. O’Dowd said. “He’s a very honest, working-class Irish guy from Queens who’s had an amazing career. Now I see a man turning back on himself, and I don’t know why.”

Terrorist sympathizer, Rep. Peter T. King (R., NY)

How to check if your password was exposed in Gawker hack - Computerworld

Computerworld - A security researcher today provided a way for users to see whether their e-mail addresses and passwords were among the 1.3 million compromised in a hack of Gawker Media's sites.

HD Moore, chief security officer at Rapid7 and the creator of the open-source Metasploit penetration-testing toolkit, came up with a down-and-dirty way for users to search the list of purloined account information without having to download the massive 487MB file from the Internet.

On Sunday, Gawker, which operates several popular technology sites, including Gizmodo and Lifehacker, confirmed that its servers had been hacked, and that hundreds of thousands of registered users' e-mail addresses and passwords had been accessed. A group calling itself "Gnosis" claimed credit for the attack, and said it had obtained more than 1.3 million accounts.

Gawker apologized for the breach, and urged users to change their passwords. If that password was used for accessing other sites, Gawker recommended that users change it for those destinations as well.

"It's best to assume that your username and password were included among the leaked data," Gawker said in an FAQ it posted on the Lifehacker site.

Moore had a better idea, and has assembled a way for people to check whether their account, including their password, has been compromised.

In an e-mail to Computerworld Monday, Moore spelled out the technique:

Step 1: Go to http://pajhome.org.uk/crypt/md5/, enter an e-mail address in the 'Input' field, click the 'MD5' button, then copy the hash from the 'Result' field.

Step 2: Go to http://www.google.com/fusiontables/DataSource?dsrcid=350662, click 'Show Options,' then paste the already-obtained hash in the field to the right of the '=' symbol. Change the left-most field to 'MD5.' Click 'Apply.'

If the e-mail address is among those compromised, the search will show a result.

Although Gawker said it encrypted users' passwords, some passwords have already been decrypted by Gnosis.

Moore used MD5 hashes of the e-mail addresses in the list he posted as a Google Fusion Table so users could check whether their accounts had been compromised without exposing the addresses a second time.
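The two-step check above, and the reason behind it (publish hashes of the addresses rather than the addresses themselves), can be reproduced offline in a few lines. The block below is an added example, not Moore's table or Gawker's data; the leaked rows are constructed for the example. It models both sides: the publisher, who hashes each address and discards the passwords, and the user, who hashes what they type and looks it up. One failure mode the two-step procedure is prone to is that MD5 is case-sensitive, so "Bob.Smith@Example.org" and "bob.smith@example.org" hash differently; the `normalize` step is this example's addition and must be applied identically on both sides for the lookup to work.

```python
import hashlib

# Constructed sample of leaked (address, password) rows standing in for the
# real 487MB dump. These addresses and passwords are invented for this example.
LEAKED_ROWS = [
    ("alice@example.com", "hunter2"),
    ("Bob.Smith@Example.org", "letmein"),
    ("carol@example.net", "qwerty"),
]


def normalize(address: str) -> str:
    """Canonical form used on both sides; without this, a case mismatch
    between what was leaked and what the user types silently fails to match."""
    return address.strip().lower()


def email_hash(address: str) -> str:
    """MD5 hex digest of an e-mail address, the key used in the lookup table."""
    return hashlib.md5(address.encode("utf-8")).hexdigest()


def build_index(rows):
    """Publisher side: keep only the hash of each normalized address, so the
    published table contains neither addresses nor passwords."""
    return {email_hash(normalize(addr)) for addr, _password in rows}


def check_exposed(address: str, index) -> bool:
    """User side: mirrors step 1 (hash the address) and step 2 (look it up)."""
    return email_hash(normalize(address)) in index


if __name__ == "__main__":
    index = build_index(LEAKED_ROWS)
    for query in ("alice@example.com", "BOB.SMITH@example.org", "dave@example.com"):
        print(query, "exposed" if check_exposed(query, index) else "not in list")
```

Hashing keeps the addresses out of the published table for anyone who merely browses it, but it does not hide membership from someone who already knows an address; that is exactly the property the check relies on, and it is why the advice to assume exposure and change reused passwords still stands.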

"This is a little clunky, but [it] works," he said.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.


Talking Business - H.P.’s Board Blunders, in Hurd’s Dismissal and After

The Hewlett-Packard board is back to doing what it does best: shooting itself in the foot. By filing an embarrassing lawsuit against the company’s former chief executive, Mark V. Hurd, this week — a suit that unwittingly highlights the mistakes it made in the way it let Mr. Hurd go — the H.P. board can now lay claim, officially, to the title of the Most Inept Board in America. It’s going to take a yeoman effort to dethrone these guys.

Before moving on to today’s installment, let’s take a look at who a few of these directors are. The best-known director is the most recent addition to the board: Marc L. Andreessen, who more or less invented the browser while still in college, and has since become one of Silicon Valley’s biggest stars. He joined in 2009, a few years after H.P. bought Mr. Andreessen’s latest company for $1.6 billion.

Rajiv L. Gupta, who serves on three boards, spent a decade as the chief executive of Rohm & Haas. John H. Hammergren is the chairman and C.E.O. of McKesson; he’s also on three boards. Robert L. Ryan is the former chief financial officer of Medtronic. He sits on four boards. You’d think that these guys would know how to negotiate an airtight exit deal with a departing C.E.O. Apparently not.

Anyway, when last we left The Most Inept Board in America, it had booted Mr. Hurd for supposedly fudging his expense reports to hide the fact that he was using a former soft-core porn actress turned reality-TV contestant as a greeter at big H.P. customer events. (At least that is what I infer; H.P.’s public statements about the Hurd firing — or was it a forced resignation? — are not exactly models of transparency.)

This happened on Aug. 6. Because the H.P. board didn’t have the nerve to fire Mr. Hurd for cause, it wound up handing him a monster severance package. Much of it came in the form of stock options granted to Mr. Hurd in previous years. But $12.2 million was cash — money clearly meant as a kind of genteel, legal bribe to prevent Mr. Hurd from joining a direct competitor.

Mr. Hurd got his $12.2 million 30 days after leaving H.P. On Sept. 6 — which is to say, the 31st day — Oracle announced that Mr. Hurd was joining Oracle as co-president, reporting to its founder and chief executive, Lawrence J. Ellison, well known in Silicon Valley as a corporate mischief-maker.

Mr. Ellison was already on record, in an e-mail to The New York Times, describing the Hurd firing as “the worst personnel decision since the idiots on the Apple board fired Steve Jobs many years ago.” You could practically see him chortling in the press release announcing Mr. Hurd’s new job. “Mark did a brilliant job at H.P. and I expect he’ll do even better at Oracle,” Mr. Ellison was quoted as saying.

Seventeen hours later, H.P. filed its lawsuit, claiming that Mr. Hurd’s decision to join Oracle “has put H.P.’s most valuable trade secrets and confidential information in peril.” In effect, the company argued that Mr. Hurd’s brain was so stuffed with inside information about H.P. that everything he did at Oracle would unfairly take advantage of that knowledge.

Which may even be true. Perhaps the directors should have thought of that when they were negotiating his departure.

Let us acknowledge, before going any further, that Mr. Hurd does not appear to be a candidate for sainthood in this matter. This whole dustup began when Mr. Hurd was accused of sexual harassment by Jodie Fisher, the greeter in question. Although Mr. Hurd quickly paid to make the accusation go away — and although the two have denied having sex — it sure looks like something fishy was going on. You don’t keep someone off your expense account without a reason.

Indeed, three board experts I spoke to all felt strongly that the directors did the right thing in forcing Mr. Hurd to resign, even if they didn’t do it particularly well. Nell Minow, the co-founder of the Corporate Library, went so far as to say that, under the law, H.P. had no choice but to jettison Mr. Hurd.

Companies that do business with the government, she said, are legally required to apply their ethics policy even-handedly. If it’s a firing offense when a midlevel employee fudges an expense report, then it has to be a firing offense for the chief executive as well. “They had no other option,” she said.

Further, Mr. Hurd’s decision to join Oracle is not exactly a case study in ethical corporate behavior. Although Oracle and H.P. have long been business partners, the two companies are also poised to increasingly compete in the hardware market. Early this year, Oracle completed its purchase of Sun Microsystems, which puts it in head-to-head competition with H.P. (and I.B.M.) in the high-end server market.

Thus, the central contention in the H.P. lawsuit — that Mr. Hurd will inevitably use his inside knowledge of H.P.’s hardware business to help his new employer — strikes me as quite plausible. How can he not? He’s spent the last five years eating, drinking and sleeping H.P. (Well, except when he was eating and drinking with Ms. Fisher.) H.P. is in his bones.

Researchers: Poor password practices hurt security for all - Computerworld

IDG News Service - A large-scale study of password-protected Web sites revealed a lack of standards across the industry that harms end-user security, according to two researchers working at the University of Cambridge in England.

In particular, weak implementations of password-based authentication at lower-security sites compromise the protections offered at higher-security sites because individuals often re-use passwords, Joseph Bonneau and Soren Preibusch asserted in a paper presented at the Workshop on the Economics of Information Security in Cambridge, Mass., Monday.

Attackers can use low-security Web sites such as news outlets to figure out passwords associated with certain e-mail addresses, and then use those passwords to access accounts at higher-security sites such as e-commerce vendors, Bonneau said.

In an effort that the researchers said is the largest empirical investigation into password implementations to date, they collected data from 150 Web sites and found widespread "questionable design choices, inconsistencies, and indisputable mistakes," according to Bonneau and Preibusch.

The researchers seemed disinclined to blame users for re-using passwords or making them easy to guess, arguing that most users have too many online accounts to manage them all securely.

"Sites' decisions to collect passwords can be viewed as a tragedy of the commons, with competing Web sites collectively depleting users' capacity to remember secure passwords," they wrote.

The large majority -- 78% -- of sites examined failed to provide users with feedback or advice on choosing a strong password. Only five sites let the user register password hints, a strategy that will encourage users to come up with stronger passwords. Just seven sites required users to mix numbers and letters, and only two demanded that passwords include non-alphanumeric characters as well.

Bonneau and Preibusch also identified widespread weaknesses in how passwords are submitted to the server when users log in. Only three sites used techniques that prevent the server from receiving a user's cleartext password at login, although two of those collected cleartext passwords at enrollment.

Most of the sites, 126 in all, seemed to allow unlimited attempts to guess a password; the researchers used a script that attempted incorrect guesses 100 times, after which a person typing in the correct password was able to log in successfully. This indicates that most sites don't bother to protect against guessing attacks, they said.

Overall, recognized best practices in password security are widely ignored, Bonneau and Preibusch said. Well over half the sites failed to use TLS (transport layer security) to protect password transmission at every stage -- some used it at enrollment but not at the login or update point, for example.

In what Bonneau called the "worst practice in the industry", 29% of sites tested e-mailed users cleartext passwords. In addition, 83% allowed unrestricted probing for user membership, and 84% permitted unrestricted password guessing.
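The guessing probe the researchers ran (100 wrong passwords, then the right one) and the membership probing counted in the figures above are both easy to reproduce against a login routine, which makes a good test harness for the controls the study found missing. The block below is an added example, not the researchers' script or any of the surveyed sites' code: a small in-memory login service with a guess limit and lockout, salted iterated hashing, and one uniform answer for "no such user" and "wrong password". `study_probe` replays the researchers' test against a service configured for unlimited attempts (the behaviour of 126 of the 150 sites) and against one with a limit. All names, the constructed users and the attempt limits are this example's assumptions.

```python
import hashlib
import hmac
import os
import time

# Kept low so the demo runs in about a second; real deployments use far more
# iterations or a memory-hard KDF.
PBKDF2_ITERATIONS = 20_000
_DUMMY_SALT = os.urandom(16)   # used so unknown users cost the same work as real ones


class AuthService:
    """Hypothetical login service with the controls the study found missing."""

    def __init__(self, max_attempts=5, lockout_seconds=300):
        self.max_attempts = max_attempts        # None = unlimited guessing
        self.lockout_seconds = lockout_seconds
        self.users = {}                         # username -> (salt, derived key)
        self.failures = {}                      # username -> (consecutive failures, time of last)

    @staticmethod
    def _derive(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, self._derive(salt, password))   # never the cleartext

    def _locked(self, username: str, now: float) -> bool:
        if self.max_attempts is None:
            return False
        count, last = self.failures.get(username, (0, 0.0))
        if count >= self.max_attempts:
            if now - last < self.lockout_seconds:
                return True
            self.failures.pop(username, None)   # lockout expired; count afresh
        return False

    def login(self, username: str, password: str, now=None) -> str:
        """Returns "ok", "invalid" or "locked". Unknown users and wrong
        passwords get the same answer and the same hashing work, so the
        response cannot be used to probe for membership."""
        now = time.time() if now is None else now
        if self._locked(username, now):
            return "locked"
        salt, expected = self.users.get(username, (_DUMMY_SALT, b""))
        if hmac.compare_digest(self._derive(salt, password), expected):
            self.failures.pop(username, None)
            return "ok"
        count, _ = self.failures.get(username, (0, 0.0))
        self.failures[username] = (count + 1, now)
        return "invalid"


def study_probe(service: AuthService, username: str, wrong: str, right: str,
                guesses: int = 100, now: float = 0.0) -> str:
    """Replays the researchers' test: `guesses` wrong passwords one second
    apart, then the correct one. Returns the outcome of the correct attempt."""
    for i in range(guesses):
        service.login(username, f"{wrong}{i}", now=now + i)
    return service.login(username, right, now=now + guesses)


def demo() -> dict:
    password = "correct horse battery staple"     # constructed test credential
    unlimited = AuthService(max_attempts=None)
    unlimited.register("alice", password)
    limited = AuthService(max_attempts=5, lockout_seconds=300)
    limited.register("alice", password)
    return {
        "unlimited": study_probe(unlimited, "alice", "guess", password),
        "limited": study_probe(limited, "alice", "guess", password),
    }


if __name__ == "__main__":
    print(demo())   # the unlimited service lets the 101st attempt through; the limited one does not
```

The lockout is keyed by username here, which is the simplest form and the one the study's probe detects; production services usually combine per-account, per-source and global throttles so that a flood of failures against one account does not become a denial of service for its owner.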

The worst offenders are content sites such as newspaper Web sites, which don't tend to store sensitive user information, the researchers said. Conversely, sites that store payment details had significantly stronger security practices, the researchers said.

So why do so many sites collect passwords when the practice is generally harmful when poorly implemented? Those sites with poor password practices also seem to be those with an interest in collecting e-mail and personal data about their users.

While broader adoption of delegated protocols such as OpenID would help, Bonneau and Preibusch are pessimistic that the market will support such solutions at the cost of these opportunities to collect user information.

So true. So obvious. Why does it take a large-scale study by a major research university to point this out?

Still Not a "Government Takeover" | The White House


Posted by Dan Pfeiffer on January 31, 2010 at 12:21 PM EST

In an appearance on a morning news show today, House Minority Leader John Boehner repeatedly charged that the health insurance reform bills being considered in Congress represent a “big government takeover” of health care.

It’s important to know that’s just not true. The claim of a “government takeover” is a time-worn attack raised by opponents of reform whenever real change is in sight. But the bills passed by the House and Senate would enact nothing of the sort.

The legislation would create a marketplace where private insurance companies would compete for business, and it would expand coverage by providing subsidies for Americans to purchase affordable coverage from private insurers. At the same time, the legislation would put the brakes on rising health care costs and put an end to insurance company abuses.

That's not a "government takeover": it's the solution to problems that have plagued our health care system for decades and slowed American competitiveness. And if the specifics sound familiar, it's because this legislation is very much like the bipartisan approach proposed by former Senate leaders Bob Dole, Howard Baker, and Tom Daschle, and the health care system supported by Senator-elect Scott Brown in Massachusetts.

Unfortunately, the knowing repetition of false claims has become a defining characteristic of this debate – and as the President said on Friday to House Republicans, that’s a loss for everyone:

“So I am absolutely committed to working with you on these issues, but it can’t just be political assertions that aren’t substantiated when it comes to the actual details of policy.  Because otherwise, we’re going to be selling the American people a bill of goods.” 

The President also stressed the broader point that in these trying times, the American people expect more from their elected officials than the same old political tactics:

“But we’ve gotten caught up in the political game in a way that’s just not healthy.  It’s dividing our country in ways that are preventing us from meeting the challenges of the 21st century.  I’m hopeful that the conversation we have today can help reverse that.”

If you haven’t seen the video of President Obama’s remarkable question-and-answer with House Republicans yet, you can check it out here.

Dan Pfeiffer is White House Communications Director
