When given a choice, 61 percent of Americans say they are more concerned about the government enacting new anti-terrorism policies that restrict civil liberties, compared to 31 percent who say they are more concerned about the government failing to enact strong new anti-terrorism policies.

According to the Privacy Rights Clearinghouse, the loss or improper disposal of paper records, portable devices like laptops or memory sticks, and desktop computers have accounted for more than 1,400 data-breach incidents since 2005 -- almost half of all the incidents reported. More than 180,000,000 individual records were compromised in these breaches...

It is the hacker -- a sort of modern folk devil who personifies our anxieties about technology -- who gets all the attention. The result is a set of increasingly paranoid and restrictive laws and regulations affecting our abilities to communicate freely and privately online, to use and control our own technology, and which puts users at risk for overzealous prosecutions and invasive electronic search and seizure practices. The Computer Fraud and Abuse Act, the cornerstone of domestic computer-crime legislation, is overly broad and poorly defined. Since its passage in 1986, it has created a pile of confused caselaw and overzealous prosecutions.

Many members of the American public are already convinced something should be done about hackers. Many of our representatives feel the same way. A lack of knowledge of the underlying technology, much less the methods or culture, hasn't deterred legislators from crafting an overbroad response with the CISPA bill. Examining the issues more closely or reconsidering the legislation doesn't seem to be an option. After all, a "cyber Pearl Harbor" is all but inevitable, a conclusion confirmed by shouting "HACKER!" in the halls of Congress and hearing it echoed back by like-minded representatives, sympathetich government agencies, the media and a subset of the American public.

In the effort to protect society and the state from the ravages of this imagined hacker, the US government has adopted overbroad, vaguely worded laws and regulations which severely undermine internet freedom and threaten the Internet's role as a place of political and creative expression.

Under the program, critical infrastructure companies will pay the providers, which will use the classified information to block attacks before they reach the customers. The classified information involves suspect Web addresses, strings of characters, email sender names and the like.

• Eviscerating existing privacy laws by giving overly broad legal immunity to companies who share users' private information, including the content of communications, with the government.
• Authorizing companies to disclose users' data directly to the NSA, a military agency that operates secretly and without public accountability.
• Broad definitions that allow users' sensitive personal information to be used for a range of purposes, including for "national security," not just computer and network security.

After Hurricane Sandy wreaked havoc on the East Coast, Napolitano said people should look than no further than the damage caused by the massive storm to understand the need to boost the nation's cybersecurity protections.

"One of the possible areas of attack, of course, is attacks on our nation's control systems — the control systems the operate our utilities, our water plants, our pipelines, our financial institutions," Napolitano said. "If you think that a critical systems attack that takes down a utility even for a few hours is not serious, just look at what is happening now that Mother Nature has taken out those utilities."

"The urgency and the immediacy of the cyber problem; the cyberattacks that we are undergoing and continuing to undergo can not be overestimated," she said.

When asked by Post editor Mary Jordan about whether hackers are stealing information or money from banks, Napolitano answered "yes" and then quickly added, "I really don't want to go into that per se."

"All I want to say is that there are active matters going on with financial institutions," she said.

The next great battle America faces is likely to involve cyberwarfare, Leon Panetta, the Central Intelligence Agency director, warned senators Thursday, predicting that "the next Pearl Harbor that we confront could very well be a cyberattack that cripples" America’s electrical grid and its security and financial systems.

"The potential for the next Pearl Harbor could very well be a cyber-attack," he testified on Capitol Hill Thursday before the House Permanent Select Committee on Intelligence.

“An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches,” Mr. Panetta said. “They could derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”

"This threat is increasing in scope and scale, and its impact is difficult to overstate."

Officials behind the false claims told Senate investigators that such reports weren’t meant to be “finished intelligence” and that despite their report’s inaccuracies and sloppy wording they considered it to be a “success.”

“[It did] exactly what it’s supposed to do – generate interest,” DHS officials told Senate investigators.

Someone did access the water district’s SCADA system from Russia, but it was a water district contractor who was asked to access the system by water district employees, as Wired first reported. They had called him to seek his opinion on something while he was on vacation in Russia, and he had logged into the system remotely to check on some data for them.

When the pump broke five months later and someone examined the network logs to determine the cause, they found an IP address from Russia listed in the logs next to the username and password of the contractor. No one ever bothered to call the contractor to see if he had logged in from Russia; they just assumed someone in Russia had stolen his credentials.

"We think there might be one last shot here -- maybe I'm just an eternal optimist -- to get this thing sparked back to life."

Driving the interest, he said, has been a series of briefings for key legislators "on what appears to be a new level of threat that would target networks from -- I've got to be careful here -- an unusual source."

Rogers has been giving fellow legislators a "glimpse" of this new danger. "I figured if I can't sleep at night, why should any other member of Congress?" He declined to describe the threat, citing the highly classified nature of the information. "I look really bad in orange -- those orange jumpsuits with the numbers on the back," he said to laughter.

“The companies surveyed estimated they lost a combined $4.6 billion worth of intellectual property last year alone, and spent approximately $600 million repairing damage from data breaches,” the release said. “Based on these numbers, McAfee projects that companies worldwide lost more than $1 trillion last year.” The release contained a quote from McAfee’s then-president and chief executive David DeWalt, in which he repeated the $1 trillion estimate. The headline of the news release was “Businesses Lose More than $1 Trillion in Intellectual Property Due to Data Theft and Cybercrime.”

The trillion-dollar estimate was picked up by the media, including Bloomberg and CNET, which expressed no skepticism.

Among [the study's researchers] was Ross Anderson, a security engineering professor at University of Cambridge, who told ProPublica that he did not know about the $1 trillion estimate before it was announced. “I would have objected at the time had I known about it,” he said. “The intellectual quality of this ($1 trillion number) is below abysmal.”

.... The company’s method did not meet the standards of the Purdue researchers whom it had engaged to analyze the survey responses and help write the report. In phone interviews and emails to ProPublica, associate professor Jackie Rees Ulmer said she was disconcerted when, a few days before the report’s unveiling, she received a draft of the news release that contained the $1 trillion figure. “I expressed my concern with the number as we did not generate it,” Rees Ulmer said in an email. She added that although she couldn’t recall the particulars of the phone conversation in which she made her concerns known, “It is almost certainly the case that I would have told them the number was unsupportable.”

...The news stories got the worried attention of some of the report’s contributors because McAfee was connecting their names to an estimate they had no previous knowledge of and were skeptical about. One of the contributors, Augusto Paes de Barros, a Brazilian security consultant, blogged a week after the news release that although he was glad to have been involved in the report, “I could not find any data in that report that could lead into that number.... I’d like to see how they found this number.”

“Far from being broadly-based estimates of losses across the population, the cyber-crime estimates that we have appear to be largely the answers of a handful of people extrapolated to the whole population.”

One recent estimate placed annual direct consumer losses at $114 billion worldwide. It turns out, however, that such widely circulated cybercrime estimates are generated using absurdly bad statistical methods, making them wholly unreliable.

Most cybercrime estimates are based on surveys of consumers and companies. They borrow credibility from election polls, which we have learned to trust. However, when extrapolating from a surveyed group to the overall population, there is an enormous difference between preference questions (which are used in election polls) and numerical questions (as in cybercrime surveys).

For one thing, in numeric surveys, errors are almost always upward: since the amounts of estimated losses must be positive, there’s no limit on the upside, but zero is a hard limit on the downside. As a consequence, respondent errors — or outright lies — cannot be canceled out. Even worse, errors get amplified when researchers scale between the survey group and the overall population.

In a further attempt to downplay RF standards, the letter claims:

one recent study found that a typical laptop contains over 250 technical interoperability standards - with 75% of these being developed under FRAND terms, and only 23% under Royalty Free terms.

But when we look at the study itself, this is what we find:

we created a set of broad categories - display, graphics, sound, storage, BIOS, input device, processor, power, file system, networking, wireless, I/O ports, memory, software, codecs, content protection, security and “other” - and sought relevant standards.

As this makes clear, those "250 technical interoperability standards" were mostly about hardware interoperability. Of the purely software standards a far greater proportion were in fact made available under RF terms. Even more interesting, those RF-licensed standards included many of the absolutely core ones like HTML5, HTTP and HTTPS.

Understand? No? Good! We want you confused and bewildered! If you're not careful, I will steal your external hard drives and stalk your attractive female employees. I even contribute to littering. And I do it all to the ominous notes of pizzicato strings, like Elmer Fudd hunting wabbits. Learn more at Microsoft's anti-piracy website, which is so poorly designed as to look like a knockoff itself—that is, if I don't run off with your computer first. Muahahaha! Piracy!

“Easy access to information online is a huge safety issue,” said Von Palmer, the real estate board’s chief privacy officer. “There is a real possibility of break-ins and assaults; you only have to read the headlines to imagine what might happen. You hear stories about realtors getting attacked and killed. Can you imagine if we put that information out there about consumers? You can only imagine the headlines.”

A spokesman for the Toronto Police Service said he wasn’t aware violence against real estate agents was a problem in the city.

That's not meant to dismiss cybersecurity professionals—obviously they do a lot of important work, and obviously the FBI is going to need their assistance for plenty of things. But to call cybercrime the country's biggest threat is to lump together a whole bunch of unrelated crimes, most of which aren't even new:

"We are losing data, we are losing money, we are losing ideas and we are losing innovation,' Mueller said at the RSA Conference in San Francisco. 'Together we must find a way to stop the bleeding."

The dangers posed by organized cyber-crime, rogue hacktivists and computer breaches backed by foreign governments have become a focus for the FBI.

Counterterrorism is still the agency's top priority, but the agency has retooled to prepare for Internet-based aggressors, Mueller said. Cyber-squads in every FBI field office now monitor for crimes ranging from mortgage and health care fraud to child exploitation and terror recruiting, he said.

Presumably the FBI already has people specializing in mortgage and health care fraud, child exploitation and terror recruiting—so why portion off the "cyber" versions of these crimes into a separate "squad"? To then combine those things with hacktivism and online espionage just makes the category of "cybercrime" utterly meaningless. It is indicative of their struggle (which mirrors that of governments, the entertainment industry and others) to understand a core concept: the internet is not a separate thing. And even if there is a good administrative reason for organizing things in this way, it is highly misleading to call such a diverse array of crimes a single giant threat.

Why would Anons shut off a power grid? There are ppl on life support / other vital services that rely on it. Try again NSA. #FearMongering

A stateless group like Anonymous doesn’t yet have that capability, officials say. But if the group’s members around the world developed or acquired it, an attack on the power grid would become far more likely, according to cybersecurity experts.

Shorter version: Anonymous doesn’t have the power to attack the grid, but if they were able to get it someday, then they would have it. Got it.

• That baseball player doesn't yet have the capability to hit a baseball thrown by a pitcher, officials say. But, if he somehow developed or acquired it, his likelihood of being able to play baseball effectively would become far more likely, according to sports experts.
• An infant doesn't yet have the capability to drive, officials say. But, if toddlers around the world develop or acquire it, automobile accidents would become far more likely, according to automotive experts.
• Prisoners don't yet have the capability to shoot each other, officials say. But, if inmates around the world developed or acquired it, gunfights in prison would become far more likely, according to anger management experts.
• Techdirt readers don't yet have the capability to make clueless government officials get transferred to jobs washing toilets, officials say. But, if the community there develops or acquires it, dumb politicians being out of work would become far more likely, according to political pundits.

The great thing about these licensing deals is that no details need be given afterwards – indeed that's usually a condition of them. So the patent holder can use them to insinuate to the rest of the world that fabulous sums are involved for multiple patent infringements, and that other people had better sign up quick before they get sued for even more.

Back in 2007, Microsoft tried to deploy this approach against companies – and users - using free software, which represented an increasing threat to Microsoft's dominance:

"We live in a world where we honor, and support the honoring of, intellectual property," says Ballmer in an interview. FOSS patrons are going to have to "play by the same rules as the rest of the business," he insists. "What's fair is fair."

Microsoft General Counsel Brad Smith and licensing chief Horacio Gutierrez sat down with Fortune recently to map out their strategy for getting FOSS users to pay royalties. Revealing the precise figure for the first time, they state that FOSS infringes on no fewer than 235 Microsoft patents.

Microsoft announced today that it has signed a definitive agreement with Samsung Electronics Co. Ltd., to cross-license the patent portfolios of both companies, providing broad coverage for each company’s products. Under the terms of the agreement, Microsoft will receive royalties for Samsung’s mobile phones and tablets running the Android mobile platform. In addition, the companies agreed to cooperate in the development and marketing of Windows Phone.

In the context of all the attention intellectual property matters have received in recent months, it’s worth taking a moment to reflect on the meaning and impact of these agreements. The Samsung license agreement marks the seventh agreement Microsoft has signed in the past three months with hardware manufacturers that use Android as an operating system for their smartphones and tablets. The previous six were with Acer, General Dynamics Itronix, Onkyo, Velocity Micro, ViewSonic and Wistron.

These agreements prove that licensing works. They show what can be achieved when companies sit down and address intellectual property issues in a responsible manner. The rapid growth of the technology industry, and its continued fast pace of innovation are founded on mutual respect for IP. Intellectual property continues to provide the engine that incentivizes research and development, leading to inventions that put new products and services in the hands of millions of consumers and businesses.

It turns out that the Halloween sadist is about 1 percent fact and 99 percent myth. One California dentist in 1959 did pass out candy-coated laxatives, and some kids got bad stomachaches. But instances over the past 40 years where children were allegedly harmed by tainted candy have invariably fallen apart under scrutiny. In some cases, there was evidence that someone (a family member) was attempting to harm a particular child under cover of Halloween. In other cases, poisoning which had another cause was misattributed to candy. Not surprisingly, the myth created its own reality: As the stories of Halloween tampering spread, some kids got the idea of faking tampering as a sort of prank. Despite all evidence to the contrary, the myth persists.

Wrappers are like candy condoms: Safe candy is candy that is covered and sealed. And not just any wrapper will do. Loose, casual, cheap wrappers, the kind of wrappers one might find on locally produced candies or non-brand-name candies, are also liable to send candy to Halloween purgatory. The close, tight factory wrapper says "sealed for your protection." And the recognized brand name on the wrapper also lends a reassuring aura of corporate responsibility and accountability. It's a basic axiom of consumer faith: The bigger the brand, the safer the candy.

Ironic, since we know that the most serious food dangers are those that originate from just the kind of large-scale industrial food processing environments that also bring us name-brand, mass-market candies. Salmonella, E. coli, and their bacterial buddies lurking in bagged salads and pre-formed hamburger patties are real food dangers; home-made cookies laced with ground glass are not.

Blumsack, Hines and Cotilla-Sanchez decided to contrast the performance of a topological model with one based on actual physics - specifically on Ohm's and Kirchoff's Laws governing the flow of electricity in the real world. They tried out both kinds of model on an accurate representation of the North American Eastern Interconnect, the largest and one of the most trouble-prone portions of the US grid, using real-world data from a test case generated in 2005.

The three engineers say that the physics-driven model was much closer to reality, and that this verifies what physics models show. The results showed that in fact it is major grid components through which a lot of power flows - big generating stations and massive transformers - which are the main points of vulnerability, not the minor installations scattered across the country.

It isn't so much that a minor event on a minor line or installation can't crash the network: such things do happen. But in general there have to be huge numbers of such minor events before one of them happens to hit the miracle weak point and bring everything down. It would be an impossible task for terrorists or other malefactors to know in advance just where and when a minor pinprick could cause massive effects.

"Our system is quite robust to small things failing," says Hines.