Archive

Archive for January, 2008

Basics of computer security

January 30th, 2008

Growing up, you learn many of the things you need to know about how to operate and care for a car by sitting in the back seat while adults drive and care for their vehicles. Similarly, you learn many of the things you need to know about how to care for and maintain a home by watching what is done to the one where you live. It is a slow, gradual process, so slow in fact you are probably unaware that you are learning the skills you need to do these same jobs yourself.

You don’t have that same luxury of time to learn how to care for and operate your home computer. When you attach it to the Internet for the first time, it instantly becomes a target for intruders. You need to be ready right from the start.

As you grow up, you also learn that you need to spend time and money to repair and replace those things around your living space and your car that need your attention. You learn that you have to spend more time and more money to tailor them to meet your needs and to keep you and others safe during their use. You accept these responsibilities and their costs as part of the total cost of ownership of that car and living space.

Your home computer is much the same. There is the initial money that you pay to purchase that system. Then there are additional costs to tailor it and to keep you and the others who use your system safe. These additional costs are also your responsibility, and they are part of the total cost of ownership of your home computer.

This document helps you think about the problems you face when you have a home computer and gives you advice on how to address them. By taking the time to read it, you will know more about securing your home computer and about the extra costs required to do this job. Do the tasks described here and share this document with your friends. We all benefit from a more secure Internet.

Read the full document at http://www.cert.org. It is very useful information and gives the complete picture of home computer security.


Securing your p2p network

January 30th, 2008

The routing primitives implemented by current structured p2p overlays provide a best-effort service to deliver a message to a replica root associated with a given key. As discussed above, a malicious overlay node has ample opportunities to corrupt overlay-level communication. Therefore, these primitives are not sufficient to construct secure applications. For example, when inserting an object, an application cannot ensure that the replicas are placed on legitimate, diverse replica roots as opposed to faulty nodes that impersonate replica roots. Even if applications use cryptographic methods to authenticate objects, malicious nodes may still corrupt, delete, deny access to or supply stale copies of all replicas of an object.

To address this problem, we must create a secure routing primitive. The secure routing primitive ensures that when a non-faulty node sends a message to a key k, the message reaches all non-faulty members in the set of replica roots R_k with very high probability. R_k is defined as the set of nodes that contains, for each member of the set of replica keys associated with k, a live root node that is responsible for that replica key. In Pastry, for instance, R_k is simply a set of live nodes with nodeIds numerically closest to the key. Secure routing ensures that (1) the message is eventually delivered, despite nodes that may corrupt, drop or misroute the message; and (2) the message is delivered to all legitimate replica roots for the key, despite nodes that may attempt to impersonate a replica root.

Secure routing can be combined with existing security techniques to safely maintain state in a structured p2p overlay. For instance, self-certifying data can be stored on the replica roots, or a Byzantine-fault-tolerant replication algorithm can be used to maintain the replicated state. Secure routing guarantees that the replicas are initially placed on legitimate replica roots, and that a lookup message reaches a replica if one exists. Similarly, secure routing can be used to build other secure services, such as maintaining file metadata and user quotas in a distributed storage utility. The details of such services are beyond the scope of this paper.

Implementing the secure routing primitive requires the solution of three problems: securely assigning nodeIds to nodes, securely maintaining the routing tables, and securely forwarding messages. Secure nodeId assignment ensures that an attacker cannot choose the value of nodeIds assigned to the nodes that the attacker controls. Without it, the attacker could arrange to control all replicas of a given object, or to mediate all traffic to and from a victim node. Secure routing table maintenance ensures that the fraction of faulty nodes that appear in the routing tables of correct nodes does not exceed, on average, the fraction of faulty nodes in the entire overlay. Without it, an attacker could prevent correct message delivery, given only a relatively small number of faulty nodes. Finally, secure message forwarding ensures that at least one copy of a message sent to a key reaches each correct replica root for the key with high probability.
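The nodeId-assignment argument above, as an added example (this is not code from the paper excerpted here, which is Castro, Druschel, Ganesh, Rowstron and Wallach, "Secure routing for structured peer-to-peer overlay networks", OSDI 2002). It models Pastry's rule that R_k is the r live nodes with nodeIds numerically closest to k, and a node's leaf set as the nodes closest to it, which is where its last routing hop goes. The 128-bit id space, the overlay sizes, r = 4, a leaf set of 8 and the seeded RNG are assumptions for the demonstration; the paper binds random nodeIds to nodes with certificates, which is modelled here simply by drawing the ids uniformly rather than letting the node pick them.

```python
import random

ID_BITS = 128                 # Pastry nodeIds are 128-bit; assumed here as well
ID_SPACE = 1 << ID_BITS


def distance(a: int, b: int) -> int:
    """Numeric distance on the circular nodeId space."""
    d = abs(a - b)
    return min(d, ID_SPACE - d)


def closest(ids, target: int, count: int, exclude=None):
    """The `count` live nodeIds numerically closest to `target`.

    With target = a key this is R_k (the replica roots); with target = a
    node and exclude = that node it is the node's leaf set, the neighbours
    its last routing hop goes through.
    """
    pool = [i for i in ids if i != exclude]
    return sorted(pool, key=lambda i: (distance(i, target), i))[:count]


def random_ids(count: int, rng: random.Random, taken=frozenset()) -> set:
    """Secure assignment: ids drawn uniformly by a party other than the node
    (the paper binds them to the node with a certificate; not modelled here)."""
    out = set()
    while len(out) < count:
        i = rng.getrandbits(ID_BITS)
        if i not in taken:
            out.add(i)
    return out


def chosen_ids(count: int, target: int, taken=frozenset()) -> set:
    """Insecure assignment: the attacker picks the free ids hugging `target`."""
    out, step = set(), 1
    while len(out) < count:
        for i in ((target + step) % ID_SPACE, (target - step) % ID_SPACE):
            if i not in taken and len(out) < count:
                out.add(i)
        step += 1
    return out


def attacker_share(ids, attacker, target, count, exclude=None) -> float:
    """Fraction of the `count` nodes closest to `target` the attacker controls."""
    return sum(i in attacker for i in closest(ids, target, count, exclude)) / count


def simulate(n_honest=500, n_attacker=50, r=4, leaf=8, keys=300, seed=1) -> dict:
    """Compare random and attacker-chosen nodeIds (10% faulty nodes by default)."""
    rng = random.Random(seed)
    honest = random_ids(n_honest, rng)
    key = rng.getrandbits(ID_BITS)        # the object the attacker wants to own
    victim = min(honest)                  # the node the attacker wants to isolate

    # (a) secure assignment: the attacker's nodes get random ids like everyone else
    attacker = random_ids(n_attacker, rng, honest)
    ids = honest | attacker
    fully_owned = sum(
        attacker_share(ids, attacker, rng.getrandbits(ID_BITS), r) == 1.0
        for _ in range(keys)) / keys
    leaf_share = sum(attacker_share(ids, attacker, h, leaf, exclude=h)
                     for h in honest) / n_honest

    # (b) insecure assignment: half the attacker's ids hug the key, half the victim
    half = n_attacker // 2
    attacker = chosen_ids(half, key, honest) | chosen_ids(n_attacker - half, victim, honest)
    ids = honest | attacker
    return {
        "random_ids": {"keys_fully_owned": fully_owned, "mean_leaf_share": leaf_share},
        "chosen_ids": {
            "key_root_share": attacker_share(ids, attacker, key, r),
            "victim_leaf_share": attacker_share(ids, attacker, victim, leaf, exclude=victim),
        },
    }


if __name__ == "__main__":
    for scenario, result in simulate().items():
        print(scenario, result)
```

With random ids the attacker holds roughly its 10% share of every honest node's leaf set and almost never owns every root of a key; once it can choose ids it owns all r replica roots of the target key and the whole leaf set of the victim, i.e. every replica of the object and every path into the victim, which is exactly the two failures the paragraph warns about.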


Symantec eases Windows Vista migration

January 30th, 2008

Symantec client management solutions offer speed, reliability, and ease-of-use for Windows Vista migration. Leveraging our industry-leading expertise in Windows migration, Symantec provides integrated, automated, and comprehensive solutions to assist in all phases of Vista migration, including planning, implementation, and ongoing system management. Symantec’s solution provides hardware and software inventories, a centralized management console, accelerated deployments, extensive PC user personality migration, and real-time status reporting. Symantec enhances Microsoft’s Vista migration best practice procedures and offers the most widely used corporate imaging solution in the industry. For complete, end-to-end Vista migration with confidence, think Symantec.

Planning Your Migration

Planning starts with a system inventory and an assessment of the current environment. This allows you to identify PCs that fall short of the minimum requirements and to create a plan for upgrading or securely retiring those systems. Migration to new or existing hardware will determine whether users’ personality settings need to be captured.

Performing the Migration

The actual migration involves deployment of the new image and restoration of users’ personality setting packages. A best practice for reducing migration costs is to eliminate duplication wherever possible. For example, minimize the overall number of tools required for migration as well as the number of system configurations.

More at http://www.symantec.com/


What is a cryptogram

January 29th, 2008

A cryptogram is a block of text which has been rendered unreadable through the use of what is called a “substitution cipher”. This means that each letter of the original text has been replaced by another letter (G becomes A, F becomes P, etc.), consistently throughout the text. Letter/word positions, spaces and punctuation remain unchanged.

Cryptograms have been used as a means of protecting sensitive information for thousands of years, though today computers and more advanced cryptographic methods mean that simple substitution ciphers no longer offer any real protection. Still, they live on in newspapers and puzzle books as a popular form of brain exercise.

Why another cryptogram website?

There are a lot of other websites out there which offer cryptograms, but I wanted to offer a new type of online cryptogram software which could be played exactly as you would play it on paper. Cryptograms.org requires no special keypunches, pull-down menus, or dragging-and-dropping. You can play these puzzles just as you would with pencil and paper – enter a letter anywhere in the puzzle, and the software will automatically copy it for you across all companion positions.

How do I solve a cryptogram?

Cryptograms are solved primarily by two methods. The first is pattern recognition. The easiest words to recognize are single-letter words, which can generally only be A or I (or, rarely, O). Then there is a limited set of two-letter words such as IN, IS, IT, TO, AN, AT, AS, WE, HE, US, etc. One trick in particular is to look for the common TH- words, i.e. THE, THAT, THEN, THEY, THERE, THEIR.

Secondly, the successful cryptogrammer will use letter frequency to help suss out a difficult puzzle. The twelve most frequently used letters in the English language are ETAOIN SHRDLU, in that order. The least common letters are JXQZ. If you notice a certain letter being used again and again in a given cryptogram, at a frequency much higher than any other letter, it’s a good bet that its unencrypted form is one of the ETAOIN group.
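The two methods just described, pattern recognition and letter frequency, as an added example that is not code from cryptograms.org: a substitution cipher, a frequency-based first guess at the key, word-pattern matching against a dictionary, and the single-letter-word check. The cipher alphabet, the sample sentence and the small word list are constructed for the demonstration.

```python
import string
from collections import Counter

ALPHABET = string.ascii_uppercase
ENGLISH_ORDER = "ETAOINSHRDLU"   # the twelve most frequent English letters, in order

# Constructed sample: a cipher alphabet (plain A..Z -> these letters), a sentence, a word list
SAMPLE_CIPHER_ALPHABET = "QWERTYUIOPASDFGHJKLZXCVBNM"
SAMPLE_PLAINTEXT = "THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG AND THEN THEY SLEEP THERE"
SAMPLE_WORDLIST = ["THERE", "THEIR", "THESE", "WHERE", "THEY", "THAT", "THEN"]


def make_key(cipher_alphabet: str) -> dict:
    """Substitution key mapping each plain letter to its cipher letter."""
    if sorted(cipher_alphabet) != list(ALPHABET):
        raise ValueError("cipher alphabet must be a permutation of A-Z")
    return dict(zip(ALPHABET, cipher_alphabet))


def invert(key: dict) -> dict:
    return {v: k for k, v in key.items()}


def substitute(text: str, key: dict) -> str:
    """Replace every letter by key[letter]; positions, spaces and punctuation stay put."""
    return "".join(key.get(ch, ch) for ch in text.upper())


def frequency_order(cryptogram: str) -> str:
    """Cipher letters from most to least frequent."""
    counts = Counter(ch for ch in cryptogram if ch in ALPHABET)
    return "".join(ch for ch, _ in counts.most_common())


def frequency_guess(cryptogram: str, top: int = 6) -> dict:
    """First guess: line the most frequent cipher letters up with ETAOIN...
    Only the top of the list is reliable; the rest is a starting point to test."""
    return dict(zip(frequency_order(cryptogram)[:top], ENGLISH_ORDER))


def word_pattern(word: str) -> str:
    """Repeat pattern of a word, e.g. THAT -> ABCA, THERE -> ABCDC.
    A substitution cipher preserves it, so cipher and plain words must match."""
    seen, out = {}, []
    for ch in word:
        seen.setdefault(ch, ALPHABET[len(seen)])
        out.append(seen[ch])
    return "".join(out)


def pattern_candidates(cipher_word: str, wordlist) -> list:
    """Dictionary words whose repeat pattern matches the cipher word."""
    p = word_pattern(cipher_word)
    return [w for w in wordlist if word_pattern(w) == p]


def single_letter_words(cryptogram: str) -> list:
    """One-letter words: almost always A or I in English."""
    return sorted({w for w in cryptogram.split() if len(w) == 1 and w.isalpha()})


def demo() -> dict:
    key = make_key(SAMPLE_CIPHER_ALPHABET)
    cryptogram = substitute(SAMPLE_PLAINTEXT, key)
    top = frequency_order(cryptogram)[0]
    last_word = cryptogram.split()[-1]          # cipher form of THERE
    return {
        "cryptogram": cryptogram,
        "top_letter_guess": frequency_guess(cryptogram)[top],
        "top_letter_truth": invert(key)[top],
        "candidates_for_last_word": pattern_candidates(last_word, SAMPLE_WORDLIST),
        "recovered": substitute(cryptogram, invert(key)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In the sample the most frequent cipher letter really is E, and the pattern ABCDC narrows the last word to THERE, THESE or WHERE; the TH- letters already fixed from other words then settle it, which is how the two methods feed each other on paper.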

More at http://www.cryptograms.org/


One-time pads in cryptography

January 29th, 2008

In cryptography, a one-time pad is a system in which a randomly generated private key is used only once to encrypt a message, which the receiver then decrypts using a matching copy of the pad and key. Messages encrypted with truly random keys have the advantage that there is theoretically no way to “break the code” by analyzing a succession of messages: each encryption is unique and bears no relation to the next, so no pattern can be detected. With a one-time pad, however, the decrypting party must have the same key that was used to encrypt the message, and this raises the problem of how to get the key to the decrypting party safely and how to keep both copies of the key secure. One-time pads have sometimes been used when both parties started out at the same physical location and then separated, each carrying a copy of the pad. The key used in a one-time pad is called a secret key because if it is revealed, the messages encrypted with it can easily be deciphered. One-time pads figured prominently in secret message transmission and espionage before and during World War II and in the Cold War era. On the Internet, the difficulty of securely distributing secret keys led to the invention of public key cryptography.

One-time pads don’t make sense for mass-market encryption products. They may work in pencil-and-paper spy scenarios, they may work on the U.S.-Russia teletype hotline, but they don’t work for you. Most companies that claim they have a one-time pad actually do not. They have something they think is a one-time pad. A true one-time pad is provably secure (against certain attacks), but is also unusable.

Elementrix, now defunct, announced a one-time pad product a few years ago, and refused to recant when it was shown that it was no such thing. More recently, TriStrata http://www.tristrata.com  jumped on the world’s cryptography stage by announcing that they had a one-time pad. Since then, they’ve been thoroughly trounced by anyone with a grain of cryptographic sense and have deleted the phrase from their Web site. At least they’ve exhibited learning behavior.

“The one time pad is a private key method of encryption, and requires the safe and secure distribution of the pad material, which serves as the key in our solution. The security of the key distribution comes down to how secure you want to be — for communicating point-to-point with one other person, we suggest a face-to-face hand-off of the pad material.” Remember that you need to hand off at least as many bits of pad as the total volume of messages you want to send, and never use any of them twice; otherwise you don’t have a one-time pad anymore.
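An XOR one-time pad in Python, as an added example (not code from the text above or from any vendor mentioned in it), showing the length rule and what pad reuse costs. The two messages and the crib are constructed for the demonstration; os.urandom stands in for a real random source, which is an assumption of the demo rather than a recommendation.

```python
import os


def otp_encrypt(message: bytes, pad: bytes) -> bytes:
    """XOR each message byte with the next unused pad byte.

    The pad must be at least as long as the message: a shorter pad means
    repeating key material, and then it is no longer a one-time pad.
    """
    if len(pad) < len(message):
        raise ValueError("pad shorter than message: not a one-time pad any more")
    return bytes(m ^ k for m, k in zip(message, pad))


otp_decrypt = otp_encrypt          # XOR is its own inverse


def new_pad(length: int) -> bytes:
    """Fresh pad material. A real pad needs a true random source; os.urandom
    (the OS CSPRNG) is an assumption that is good enough for the demo."""
    return os.urandom(length)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts made with the same pad: c1 XOR c2 == m1 XOR m2.
    The pad cancels out and the attacker holds the XOR of the plaintexts."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def crib_drag(xored: bytes, crib: bytes, offset: int) -> bytes:
    """Guess that `crib` sits at `offset` in one plaintext; the result is
    what the other plaintext must contain there (readable text confirms the guess)."""
    return bytes(x ^ c for x, c in zip(xored[offset:offset + len(crib)], crib))


# Constructed messages for the demonstration
MSG_1 = b"ATTACK AT DAWN"
MSG_2 = b"RETREAT AT DUSK"


def reuse_demo() -> bytes:
    """Encrypt both messages with one pad and recover part of MSG_2 from a crib."""
    pad = new_pad(max(len(MSG_1), len(MSG_2)))
    c1, c2 = otp_encrypt(MSG_1, pad), otp_encrypt(MSG_2, pad)
    assert otp_decrypt(c1, pad) == MSG_1           # correct use round-trips
    leak = two_time_pad_leak(c1, c2)
    return crib_drag(leak, b"ATTACK", 0)           # MSG_2's opening, pad gone


if __name__ == "__main__":
    print(reuse_demo())
```

Used once, the ciphertext reveals nothing; used twice, the pad drops out of c1 XOR c2 and a single guessed word in one message reads off the other, which is why the volume of pad must match the volume of traffic.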


What is snake oil

January 29th, 2008

Snake oil refers to a cryptography or security product that makes exaggerated claims about what it is capable of, giving the user a false sense of security. The term, credited to Matt Curtin as applied to computer security products, comes from the 19th-century American practice of selling cure-all elixirs in traveling medicine shows. Snake oil salesmen would falsely claim that their potions would cure any ailment. The term has been appropriated for security and encryption products that make impossible claims, such as unbreakable codes.

The problem with bad security is that it looks just like good security. You can’t tell the difference by looking at the finished product. Both make the same security claims; both have the same functionality. Both might even use the same algorithms: triple-DES, 1024-bit RSA, etc. Both might use the same protocols, implement the same standards, and have been endorsed by the same industry groups. Yet one is secure and the other is insecure.

Many cryptographers have likened this situation to the pharmaceutical industry before regulation. The parallels are many: vendors can make any claims they want, consumers don’t have the expertise to judge the accuracy of those claims, and there’s no real liability on the part of the vendors (read the license you agree to when you buy a software security product).

This is not to say that there are no good cryptography products on the market. There are. There are vendors that try to create good products and to be honest in their advertising. And there are vendors that believe they have good products when they don’t, but they’re just not skilled enough to tell the difference. And there are vendors that are just out to make a quick buck, and honestly don’t care if their product is good or not.

Most products seem to fall into the middle category: well-meaning but insecure. I’ve talked about the reason in previous CRYPTO-GRAM essays, but I’ll summarize: anyone can create a cryptography product that he himself cannot break. This means that a well-meaning person comes up with a new idea, or at least an idea that he has never heard of, cannot break it, and believes that he just discovered the magic elixir to cure all security problems. And even if there’s no magic elixir, the difficulty of creating secure products combined with the ease of making mistakes makes bad cryptography the rule.


Glossary for cryptography

January 29th, 2008

algorithm
A procedure or mathematical formula. Cryptographic algorithms convert plaintext to and from ciphertext.
cipher
Synonym for “cryptographic algorithm”
cryptanalysis
The analysis of a cryptosystem with the aim of solving or “breaking” it, i.e. recovering plaintext or keys without being given the key.
EAR
Export Administration Regulations. The rules under which the export of cryptographic software from the US is now governed.
escrow
A third party able to decrypt messages sent from one person to another. Although this term is often used in connection with the US Government’s “Clipper” proposals, it isn’t limited to government-mandated ability to access encrypted information at will. Some corporations might wish to have their employees use cryptosystems with escrow features when conducting the company’s business, so the information can be retrieved should the employee be unable to unlock it himself later, (if he were to forget his passphrase, suddenly quit, get run over by a bus, etc.) Or, someone might wish his spouse or lawyer to be able to recover encrypted data, etc., in which case he could use a cryptosystem with an escrow feature.
initialization vector
Files in specific formats (word-processor documents, e-mail, etc.) begin with highly predictable bytes, and an attacker who can guess the first block of plaintext has a head start over brute force. Chaining modes such as CBC therefore combine the first plaintext block with a random block, the initialization vector, before encrypting it, and each later block with the preceding ciphertext block, so that the same plaintext encrypted twice under the same key gives different ciphertext. The IV need not be secret, but it must not be reused with the same key, and it is sent along with the ciphertext so the receiver can use it. Some systems (PGP’s CFB variant, for instance) instead encrypt a random block and prepend it as the first block of the message; the decryption process then strips that first block off, leaving the original plaintext.
ITAR
International Traffic in Arms Regulations. These are the rules by which munitions, as defined by the US State Department, may (or may not) be exported from the US. Until recently, this also included the export of cryptography. The exportability of cryptography is now in the hands of the Bureau of Export Administration, under the US Department of Commerce.
key
A piece of data that, when fed to an algorithm along with ciphertext, will yield plaintext (or, when fed to an algorithm along with plaintext, will yield ciphertext).
random session key
This is a temporary symmetric key generated specifically for one message. Typically, in public key cryptosystems, the message to be sent is encrypted with a symmetric key generated for that message alone, and only that session key is encrypted with the recipient’s public key; the encrypted message and the encrypted session key are then sent together. The recipient uses his private key to recover the session key and then uses the session key to decrypt the ciphertext, yielding the plaintext message. This is done because of the tremendous difference in speed between symmetric and asymmetric ciphers.
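The initialization vector entry above, worked through as an added example (not code from the glossary’s source): CBC mode over a toy 4-round Feistel block cipher keyed through SHA-256, chosen only so that the script needs nothing beyond the Python standard library. The toy cipher is an assumption for the demonstration and must not be used to protect data; the two e-mail-like messages, which share a predictable 32-byte opening, are constructed. The point shown is that with a fixed IV the two messages produce identical leading ciphertext blocks, while a fresh random IV hides that.

```python
import hashlib
import os

BLOCK = 16      # block size in bytes; the toy cipher works on two 8-byte halves
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: keyed SHA-256 truncated to half a block."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy Feistel block cipher (an assumption for the demo, not a real cipher)."""
    left, right = block[: BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def _pad(data: bytes) -> bytes:          # PKCS#7-style padding to a whole block
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    return data[: -data[-1]]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block (the IV for
    the first block) before it is encrypted, so the IV decides the first block."""
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, block), prev))
        prev = block
    return b"".join(out)


def encrypt(key: bytes, plaintext: bytes, iv: bytes = None) -> bytes:
    """Returns iv || ciphertext. iv=None draws a fresh random IV (the safe choice);
    the IV is not secret and travels with the message so the receiver can strip it."""
    iv = os.urandom(BLOCK) if iv is None else iv
    return iv + cbc_encrypt(key, iv, _pad(plaintext))


def decrypt(key: bytes, blob: bytes) -> bytes:
    return _unpad(cbc_decrypt(key, blob[:BLOCK], blob[BLOCK:]))


# Constructed messages with the same predictable 32-byte opening
MSG_A = b"From: alice@example.com\r\nSubject: hi"
MSG_B = b"From: alice@example.com\r\nSubject: bye"


def common_prefix_blocks(key: bytes, msg_a: bytes, msg_b: bytes, iv: bytes = None) -> int:
    """Number of leading ciphertext blocks (IV stripped) the two messages share.
    Anything above zero tells an observer the messages start the same way."""
    ca, cb = encrypt(key, msg_a, iv)[BLOCK:], encrypt(key, msg_b, iv)[BLOCK:]
    n = 0
    for i in range(0, min(len(ca), len(cb)), BLOCK):
        if ca[i:i + BLOCK] != cb[i:i + BLOCK]:
            break
        n += 1
    return n


if __name__ == "__main__":
    key = b"sixteen byte key"
    print("fixed zero IV, shared blocks:", common_prefix_blocks(key, MSG_A, MSG_B, bytes(BLOCK)))
    print("fresh random IVs, shared blocks:", common_prefix_blocks(key, MSG_A, MSG_B))
```

With a zero IV the first two ciphertext blocks are identical, so an observer learns that both messages carry the same 32-byte header without breaking anything; with a random IV per message the chaining starts from a different value each time and no block repeats.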


Good cryptography is an excellent and necessary tool

January 29th, 2008

Good cryptography is an excellent and necessary tool for almost anyone. Many
good cryptographic products are available commercially, as shareware, or
free. However, there are also extremely bad cryptographic products which not
only fail to provide security, but also contribute to the many
misconceptions and misunderstandings surrounding cryptography and security.

Why “snake oil”? The term is used in many fields to denote something sold
without consideration of its quality or its ability to fulfill its vendor’s
claims. This term originally applied to elixirs sold in traveling medicine
shows. The salesmen would claim their elixir would cure just about any
ailment that a potential customer could have. Listening to the claims made
by some crypto vendors, “snake oil” is a surprisingly apt name.

Superficially, it is difficult to distinguish snake oil from the Real Thing:
all encryption utilities produce garbled output. The purpose of this
document is to present some simple “red flags” that can help you detect
snake oil.

Other factors that can influence the relative security of a product are
related to its environment. For example, in software-based encryption
packages, is there any plaintext that’s written to disk (perhaps in
temporary files)? What about operating systems that have the ability to swap
processes out of memory on to disk? When something to be encrypted has its
plaintext counterpart deleted, is the extent of its deletion a standard
removal of its name from the directory contents, or has it been written
over? If it’s been written over, how well has it been written over? Is that
level of security an issue for you? Are you storing cryptographic keys on a
multi-user machine? The likelihood of having your keys illicitly accessed is
much higher, if so. It’s important to consider such things when trying to
decide how secure something you implement is (or isn’t) going to be.


Source Code for the .NET Framework Libraries

January 29th, 2008

One of the things my team has been working to enable has been the ability for .NET developers to download and browse the source code of the .NET Framework libraries, and to easily enable debugging support in them. Today I’m excited to announce that we’ll be providing this with the .NET 3.5 and VS 2008 release later this year.

We’ll begin by offering the source code (with source file comments included) for the .NET Base Class Libraries (System, System.IO, System.Collections, System.Configuration, System.Threading, System.Net, System.Security, System.Runtime, System.Text, etc), ASP.NET (System.Web), Windows Forms (System.Windows.Forms), ADO.NET (System.Data), XML (System.Xml), and WPF (System.Windows).  We’ll then be adding more libraries in the months ahead (including WCF, Workflow, and LINQ).  The source code will be released under the Microsoft Reference License (MS-RL).

You’ll be able to download the .NET Framework source libraries via a standalone install (allowing you to use any text editor to browse it locally).  We will also provide integrated debugging support of it within VS 2008.

More at http://weblogs.asp.net/


Extranet

January 29th, 2008

An extranet is a private network that uses Internet technology and the public telecommunication system to securely share part of a business’s information or operations with suppliers, vendors, partners, customers, or other businesses. An extranet can be viewed as part of a company’s intranet that is extended to users outside the company. It has also been described as a “state of mind” in which the Internet is perceived as a way to do business with other companies as well as to sell products to customers. An extranet requires security and privacy. These can include firewall server management, the issuance and use of digital certificates or similar means of user authentication, encryption of messages, and the use of virtual private networks (VPNs) that tunnel through the public network.

Companies can use an extranet to:

  • Exchange large volumes of data using Electronic Data Interchange (EDI)
  • Share product catalogs exclusively with wholesalers or those “in the trade”
  • Collaborate with other companies on joint development efforts
  • Jointly develop and use training programs with other companies
  • Provide or access services provided by one company to a group of other companies, such as an online banking application managed by one company on behalf of affiliated banks
  • Share news of common interest exclusively with partner companies

An extranet gives controlled access to employees, customers, clients or partners. The extranet uses Internet protocols so users can navigate with a browser, but it resides on the company’s private server rather than on a public Internet server. Extranet access from the Internet is controlled by authenticating each user and tying authorization to that identity. In other words, areas of the extranet are made available according to the user’s credentials. This limits users to the extranet pages relevant to the business they are conducting, while keeping other areas of the extranet private and secure.


EU Data Protection Directive

January 29th, 2008

Having regard to the Treaty establishing the European Community, and in particular Article 100a thereof,

Having regard to the proposal from the Commission.

Having regard to the opinion of the Economic and Social Committee.

Acting in accordance with the procedure referred to in Article 189b of the Treaty

  1. Whereas the objectives of the Community, as laid down in the Treaty, as amended by the Treaty on European Union, include creating an ever closer union among the peoples of Europe, fostering closer relations between the States belonging to the Community, ensuring economic and social progress by common action to eliminate the barriers which divide Europe, encouraging the constant improvement of the living conditions of its peoples, preserving and strengthening peace and liberty and promoting democracy on the basis of the fundamental rights recognized in the constitution and laws of the Member States and in the European Convention for the Protection of Human Rights and Fundamental Freedoms;
  2. Whereas data-processing systems are designed to serve man; whereas they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy, and contribute to economic and social progress, trade expansion and the well-being of individuals;
  3. Whereas the establishment and functioning of an internal market in which, in accordance with Article 7a of the Treaty, the free movement of goods, persons, services and capital is ensured require not only that personal data should be able to flow freely from one Member State to another, but also that the fundamental rights of individuals should be safeguarded;
  4. Whereas increasingly frequent recourse is being had in the Community to the processing of personal data in the various spheres of economic and social activity; whereas the progress made in information technology is making the processing and exchange of such data considerably easier;
  5. Whereas the economic and social integration resulting from the establishment and functioning of the internal market within the meaning of Article 7a of the Treaty will necessarily lead to a substantial increase in cross-border flows of personal data between all those involved in a private or public capacity in economic and social activity in the Member States; whereas the exchange of personal data between undertakings in different Member States is set to increase; whereas the national authorities in the various Member States are being called upon by virtue of Community law to collaborate and exchange personal data so as to be able to perform their duties or carry out tasks on behalf of an authority in another Member State within the context of the area without internal frontiers as constituted by the internal market;
  6. Whereas, furthermore, the increase in scientific and technical cooperation and the coordinated introduction of new telecommunications networks in the Community necessitate and facilitate cross-border flows of personal data;
  7. Whereas the difference in levels of protection of the rights and freedoms of individuals, notably the right to privacy, with regard to the processing of personal data afforded in the Member States may prevent the transmission of such data from the territory of one Member State to that of another Member State; whereas this difference may therefore constitute an obstacle to the pursuit of a number of economic activities at Community level, distort competition and impede authorities in the discharge of their responsibilities under Community law; whereas this difference in levels of protection is due to the existence of a wide variety of national laws, regulations and administrative provisions;
  8. Whereas, in order to remove the obstacles to flows of personal data, the level of protection of the rights and freedoms of individuals with regard to the processing of such data must be equivalent in all Member States; whereas this objective is vital to the internal market but cannot be achieved by the Member States alone, especially in view of the scale of the divergences which currently exist between the relevant laws in the Member States and the need to coordinate the laws of the Member States so as to ensure that the cross-border flow of personal data is regulated in a consistent manner that is in keeping with the objective of the internal market as provided for in Article 7a of the Treaty; whereas Community action to approximate those laws is therefore needed;
  9. Whereas, given the equivalent protection resulting from the approximation of national laws, the Member States will no longer be able to inhibit the free movement between them of personal data on grounds relating to protection of the rights and freedoms of individuals, and in particular the right to privacy; whereas Member States will be left a margin for manoeuvre, which may, in the context of implementation of the Directive, also be exercised by the business and social partners; whereas Member States will therefore be able to specify in their national law the general conditions governing the lawfulness of data processing; whereas in doing so the Member States shall strive to improve the protection currently provided by their legislation; whereas, within the limits of this margin for manoeuvre and in accordance with Community law, disparities could arise in the implementation of the Directive, and this could have an effect on the movement of data within a Member State as well as within the Community;
  10. Whereas the object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognized both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and in the general principles of Community law; whereas, for that reason, the approximation of those laws must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the Community;
  11. Whereas the principles of the protection of the rights and freedoms of individuals, notably the right to privacy, which are contained in this Directive, give substance to and amplify those contained in the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data;
  12. Whereas the protection principles must apply to all processing of personal data by any person whose activities are governed by Community law; whereas there should be excluded the processing of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, such as correspondence and the holding of records of addresses;
  13. Whereas the activities referred to in Titles V and VI of the Treaty on European Union regarding public safety, defence, State security or the activities of the State in the area of criminal laws fall outside the scope of Community law, without prejudice to the obligations incumbent upon Member States under Article 56 (2), Article 57 or Article 100a of the Treaty establishing the European Community; whereas the processing of personal data that is necessary to safeguard the economic well-being of the State does not fall within the scope of this Directive where such processing relates to State security matters;
  14. Whereas, given the importance of the developments under way, in the framework of the information society, of the techniques used to capture, transmit, manipulate, record, store or communicate sound and image data relating to natural persons, this Directive should be applicable to processing involving such data;
  15. Whereas the processing of such data is covered by this Directive only if it is automated or if the data processed are contained or are intended to be contained in a filing system structured according to specific criteria relating to individuals, so as to permit easy access to the personal data in question;
  16. Whereas the processing of sound and image data, such as in cases of video surveillance, does not come within the scope of this Directive if it is carried out for the purposes of public security, defence, national security or in the course of State activities relating to the area of criminal law or of other activities which do not come within the scope of Community law;
  17. Whereas, as far as the processing of sound and image data carried out for purposes of journalism or the purposes of literary or artistic expression is concerned, in particular in the audiovisual field, the principles of the Directive are to apply in a restricted manner according to the provisions.
  18. Whereas, in order to ensure that individuals are not deprived of the protection to which they are entitled under this Directive, any processing of personal data in the Community must be carried out in accordance with the law of one of the Member States; whereas, in this connection, processing carried out under the responsibility of a controller who is established in a Member State should be governed by the law of that State;
  19. Whereas establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements; whereas the legal form of such an establishment, whether simply a branch or a subsidiary with a legal personality, is not the determining factor in this respect; whereas, when a single controller is established on the territory of several Member States, particularly by means of subsidiaries, he must ensure, in order to avoid any circumvention of national rules, that each of the establishments fulfils the obligations imposed by the national law applicable to its activities;
  20. Whereas the fact that the processing of data is carried out by a person established in a third country must not stand in the way of the protection of individuals provided for in this Directive; whereas in these cases, the processing should be governed by the law of the Member State in which the means used are located, and there should be guarantees to ensure that the rights and obligations provided for in this Directive are respected in practice;
  21. Whereas this Directive is without prejudice to the rules of territoriality applicable in criminal matters;
  22. Whereas Member States shall more precisely define in the laws they enact or when bringing into force the measures taken under this Directive the general circumstances in which processing is lawful. Whereas Member States are empowered to ensure the implementation of the protection of individuals both by means of a general law on the protection of individuals as regards the processing of personal data and by sectorial laws such as those relating, for example, to statistical institutes;
  23. Whereas the legislation concerning the protection of legal persons with regard to the processing of data which concerns them is not affected by this Directive;
  24. Whereas the principles of protection must be reflected, on the one hand, in the obligations imposed on persons, public authorities, enterprises, agencies or other bodies responsible for processing, in particular regarding data quality, technical security, notification to the supervisory authority, and the circumstances under which processing can be carried out, and, on the other hand, in the right conferred on individuals, the data on whom are the subject of processing, to be informed that processing is taking place, to consult the data, to request corrections and even to object to processing in certain circumstances;
  25. Whereas the principles of protection must apply to any information concerning an identified or identifiable person; whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person; whereas the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable; whereas codes of conduct within the meaning of Article 27 may be a useful instrument for providing guidance as to the ways in which data may be rendered anonymous and retained in a form in which identification of the data subject is no longer possible;
  26. Whereas the protection of individuals must apply as much to automatic processing of data as to manual processing; whereas the scope of this protection must not in effect depend on the techniques used, otherwise this would create a serious risk of circumvention; whereas, nonetheless, as regards manual processing, this Directive covers only filing systems, not unstructured files; whereas, in particular, the content of a filing system must be structured according to specific criteria relating to individuals allowing easy access to the personal data; whereas, in line with the definition the different criteria for determining the constituents of a structured set of personal data, and the different criteria governing access to such a set, may be laid down by each Member State; whereas files or sets of files as well as their cover pages, which are not structured according to specific criteria, shall under no circumstances fall within the scope of this Directive;
  27. Whereas any processing of personal data must be lawful and fair to the individuals concerned; whereas, in particular, the data must be adequate, relevant and not excessive in relation to the purposes for which they are processed; whereas such purposes must be explicit and legitimate and must be determined at the time of collection of the data; whereas the purposes of processing further to collection shall not be incompatible with the purposes as they were originally specified;
  28. Whereas the further processing of personal data for historical, statistical or scientific purposes is not generally to be considered incompatible with the purposes for which the data have previously been collected provided that Member States furnish suitable safeguards; whereas these safeguards must in particular rule out the use of the data in support of measures or decisions regarding any particular individual;
  29. Whereas, in order to be lawful, the processing of personal data must in addition be carried out with the consent of the data subject or be necessary for the conclusion or performance of a contract binding on the data subject, or as a legal requirement, or for the performance of a task carried out in the public interest or in the exercise of official authority, or in the legitimate interests of a natural or legal person, provided that the interests or the rights and freedoms of the data subject are not overriding; whereas, in particular, in order to maintain a balance between the interests involved while guaranteeing effective competition, Member States may determine the circumstances in which personal data may be used or disclosed to a third party in the context of the legitimate ordinary business activities of companies and other bodies; whereas Member States may similarly specify the conditions under which personal data may be disclosed to a third party for the purposes of marketing whether carried out commercially or by a charitable organization or by any other association or foundation, of a political nature for example, subject to the provisions allowing a data subject to object to the processing of data regarding him, at no cost and without having to state his reasons;
  30. Whereas the processing of personal data must equally be regarded as lawful where it is carried out in order to protect an interest which is essential for the data subject’s life;
  31. Whereas it is for national legislation to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public administration or another natural or legal person governed by public law, or by private law such as a professional association;
  32. Whereas data which are capable by their nature of infringing fundamental freedoms or privacy should not be processed unless the data subject gives his explicit consent; whereas, however, derogations from this prohibition must be explicitly provided for in respect of specific needs, in particular where the processing of these data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy or in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms;
  33. Whereas Member States must also be authorized, when justified by grounds of important public interest, to derogate from the prohibition on processing sensitive categories of data where important reasons of public interest so justify in areas such as public health and social protection – especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system – scientific research and government statistics; whereas it is incumbent on them, however, to provide specific and suitable safeguards so as to protect the fundamental rights and the privacy of individuals;
  34. Whereas, moreover, the processing of personal data by official authorities for achieving aims, laid down in constitutional law or international public law, of officially recognized religious associations is carried out on important grounds of public interest;
  35. Whereas where, in the course of electoral activities, the operation of the democratic system requires in certain Member States that political parties compile data on people’s political opinion, the processing of such data may be permitted for reasons of important public interest, provided that appropriate safeguards are established;
  36. Whereas the processing of personal data for purposes of journalism or for purposes of literary or artistic expression, in particular in the audiovisual field, should qualify for exemption from the requirements of certain provisions of this Directive in so far as this is necessary to reconcile the fundamental rights of individuals with freedom of information and notably the right to receive and impart information, as guaranteed in particular in Article 10 of the European Convention for the Protection of Human Rights and Fundamental Freedoms; whereas Member States should therefore lay down exemptions and derogations necessary for the purpose of balance between fundamental rights as regards general measures on the legitimacy of data processing, measures on the transfer of data to third countries and the power of the supervisory authority; whereas this should not, however, lead Member States to lay down exemptions from the measures to ensure security of processing; whereas at least the supervisory authority responsible for this sector should also be provided with certain ex-post powers, e.g. to publish a regular report or to refer matters to the judicial authorities;
  37. Whereas, if the processing of data is to be fair, the data subject must be in a position to learn of the existence of a processing operation and, where data are collected from him, must be given accurate and full information, bearing in mind the circumstances of the collection;
  38. Whereas certain processing operations involve data which the controller has not collected directly from the data subject; whereas, furthermore, data can be legitimately disclosed to a third party, even if the disclosure was not anticipated at the time the data were collected from the data subject; whereas, in all these cases, the data subject should be informed when the data are recorded or at the latest when the data are first disclosed to a third party;
  39. Whereas, however, it is not necessary to impose this obligation if the data subject already has the information; whereas, moreover, there will be no such obligation if the recording or disclosure are expressly provided for by law or if the provision of information to the data subject proves impossible or would involve disproportionate efforts, which could be the case where processing is for historical, statistical or scientific purposes; whereas, in this regard, the number of data subjects, the age of the data, and any compensatory measures adopted may be taken into consideration;
  40. Whereas any person must be able to exercise the right of access to data relating to him which are being processed, in order to verify in particular the accuracy of the data and the lawfulness of the processing; whereas, for the same reasons, every data subject must also have the right to know the logic involved in the automatic processing of data concerning him, at least in the case of the automated decisions referred to in Article 15 (1); whereas this right must not adversely affect trade secrets or intellectual property and in particular the copyright protecting the software; whereas these considerations must not, however, result in the data subject being refused all information;
  41. Whereas Member States may, in the interest of the data subject or so as to protect the rights and freedoms of others, restrict rights of access and information; whereas they may, for example, specify that access to medical data may be obtained only through a health professional;
  42. Whereas restrictions on the rights of access and information and on certain obligations of the controller may similarly be imposed by Member States in so far as they are necessary to safeguard, for example, national security, defence, public safety, or important economic or financial interests of a Member State or the Union, as well as criminal investigations and prosecutions and action in respect of breaches of ethics in the regulated professions; whereas the list of exceptions and limitations should include the tasks of monitoring, inspection or regulation necessary in the three last-mentioned areas concerning public security, economic or financial interests and crime prevention; whereas the listing of tasks in these three areas does not affect the legitimacy of exceptions or restrictions for reasons of State security or defence;
  43. Whereas Member States may also be led, by virtue of the provisions of Community law, to derogate from the provisions of this Directive concerning the right of access, the obligation to inform individuals, and the quality of data, in order to secure certain of the purposes referred to above;
  44. Whereas, in cases where data might lawfully be processed on grounds of public interest, official authority or the legitimate interests of a natural or legal person, any data subject should nevertheless be entitled, on legitimate and compelling grounds relating to his particular situation, to object to the processing of any data relating to himself; whereas Member States may nevertheless lay down national provisions to the contrary;
  45. Whereas the protection of the rights and freedoms of data subjects with regard to the processing of personal data requires that appropriate technical and organizational measures be taken, both at the time of the design of the processing system and at the time of the processing itself, particularly in order to maintain security and thereby to prevent any unauthorized processing; whereas it is incumbent on the Member States to ensure that controllers comply with these measures; whereas these measures must ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks inherent in the processing and the nature of the data to be protected;
  46. Whereas where a message containing personal data is transmitted by means of a telecommunications or electronic mail service, the sole purpose of which is the transmission of such messages, the controller in respect of the personal data contained in the message will normally be considered to be the person from whom the message originates, rather than the person offering the transmission services; whereas, nevertheless, those offering such services will normally be considered controllers in respect of the processing of the additional personal data necessary for the operation of the service;
  47. Whereas the procedures for notifying the supervisory authority are designed to ensure disclosure of the purposes and main features of any processing operation for the purpose of verification that the operation is in accordance with the national measures taken under this Directive;
  48. Whereas, in order to avoid unsuitable administrative formalities, exemptions from the obligation to notify and simplification of the notification required may be provided for by Member States in cases where processing is unlikely adversely to affect the rights and freedoms of data subjects, provided that it is in accordance with a measure taken by a Member State specifying its limits; whereas exemption or simplification may similarly be provided for by Member States where a person appointed by the controller ensures that the processing carried out is not likely adversely to affect the rights and freedoms of data subjects; whereas such a data protection official, whether or not an employee of the controller, must be in a position to exercise his functions in complete independence;
  49. Whereas exemption or simplification could be provided for in cases of processing operations whose sole purpose is the keeping of a register intended, according to national law, to provide information to the public and open to consultation by the public or by any person demonstrating a legitimate interest;
  50. Whereas, nevertheless, simplification or exemption from the obligation to notify shall not release the controller from any of the other obligations resulting from this Directive;
  51. Whereas, in this context, ex post facto verification by the competent authorities must in general be considered a sufficient measure;
  52. Whereas, however, certain processing operations are likely to pose specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, such as that of excluding individuals from a right, benefit or a contract, or by virtue of the specific use of new technologies; whereas it is for Member States, if they so wish, to specify such risks in their legislation;
  53. Whereas with regard to all the processing undertaken in society, the amount posing such specific risks should be very limited; whereas Member States must provide that the supervisory authority, or the data protection official in cooperation with the authority, check such processing prior to it being carried out; whereas following this prior check, the supervisory authority may, according to its national law, give an opinion or an authorization regarding the processing; whereas such checking may equally take place in the course of the preparation either of a measure of the national parliament or of a measure based on such a legislative measure, which defines the nature of the processing and lays down appropriate safeguards;
  54. Whereas, if the controller fails to respect the rights of data subjects, national legislation must provide for a judicial remedy; whereas any damage which a person may suffer as a result of unlawful processing must be compensated for by the controller, who may be exempted from liability if he proves that he is not responsible for the damage, in particular in cases where he establishes fault on the part of the data subject or in case of force majeure; whereas sanctions must be imposed on any person, whether governed by private or public law, who fails to comply with the national measures taken under this Directive;
  55. Whereas cross-border flows of personal data are necessary to the expansion of international trade; whereas the protection of individuals, guaranteed in the Community by this Directive does not stand in the way of transfers of personal data to third countries which ensure an adequate level of protection; whereas the adequacy of the level of protection afforded by a third country must be assessed in the light of all the circumstances surrounding the transfer operation or set of transfer operations;
  56. Whereas, on the other hand, the transfer of personal data to a third country which does not ensure an adequate level of protection must be prohibited;
  57. Whereas provisions should be made for exemptions from this prohibition in certain circumstances where the data subject has given his consent, where the transfer is necessary in relation to a contract or a legal claim, where protection of an important public interest so requires, for example in cases of international transfers of data between tax or customs administrations or between services competent for social security matters, or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest; whereas in this case such a transfer should not involve the entirety of the data or entire categories of the data contained in the register and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or if they are to be the recipients;
  58. Whereas particular measures may be taken to compensate for the lack of protection in a third country in cases where the controller offers appropriate safeguards; whereas, moreover, provision must be made for procedures for negotiations between the Community and such third countries;
  59. Whereas, in any event, transfers to third countries may be effected only in full compliance with the provisions adopted by the Member States pursuant to this Directive, and in particular Article 8 thereof;
  60. Whereas Member States and the Commission, in their respective spheres of competence, must encourage the trade associations and other representative organizations concerned to draw up codes of conduct so as to facilitate the application of this Directive, taking account of the specific characteristics of the processing carried out in certain sectors, and respecting the national provisions adopted for its implementation;
  61. Whereas the establishment in Member States of supervisory authorities, exercising their functions with complete independence, is an essential component of the protection of individuals with regard to the processing of personal data;
  62. Whereas such authorities must have the necessary means to perform their duties, including powers of investigation and intervention, particularly in cases of complaints from individuals, and powers to engage in legal proceedings; whereas such authorities must help to ensure transparency of processing in the Member States within whose jurisdiction they fall;
  63. Whereas the authorities in the different Member States will need to assist one another in performing their duties so as to ensure that the rules of protection are properly respected throughout the European Union;
  64. Whereas, at Community level, a Working Party on the Protection of Individuals with regard to the Processing of Personal Data must be set up and be completely independent in the performance of its functions; whereas, having regard to its specific nature, it must advise the Commission and, in particular, contribute to the uniform application of the national rules adopted pursuant to this Directive;
  65. Whereas, with regard to the transfer of data to third countries, the application of this Directive calls for the conferment of powers of implementation on the Commission and the establishment of a procedure as laid down in Council Decision 87/373/EEC;
  66. Whereas an agreement on a modus vivendi between the European Parliament, the Council and the Commission concerning the implementing measures for acts adopted in accordance with the procedure laid down in Article 189b of the EC Treaty was reached on 20 December 1994;
  67. Whereas the principles set out in this Directive regarding the protection of the rights and freedoms of individuals, notably their right to privacy, with regard to the processing of personal data may be supplemented or clarified, in particular as far as certain sectors are concerned, by specific rules based on those principles;
  68. Whereas Member States should be allowed a period of not more than three years from the entry into force of the national measures transposing this Directive in which to apply such new national rules progressively to all processing operations already under way; whereas, in order to facilitate their cost-effective implementation, a further period expiring 12 years after the date on which this Directive is adopted will be allowed to Member States to ensure the conformity of existing manual filing systems with certain of the Directive’s provisions; whereas, where data contained in such filing systems are manually processed during this extended transition period, those systems must be brought into conformity with these provisions at the time of such processing;
  69. Whereas it is not necessary for the data subject to give his consent again so as to allow the controller to continue to process, after the national provisions taken pursuant to this Directive enter into force, any sensitive data necessary for the performance of a contract concluded on the basis of free and informed consent before the entry into force of these provisions;
  70. Whereas this Directive does not stand in the way of a Member State’s regulating marketing activities aimed at consumers residing in its territory in so far as such regulation does not concern the protection of individuals with regard to the processing of personal data;
  71. Whereas this Directive allows the principle of public access to official documents to be taken into account when implementing the principles set out in this Directive,

Categories: Data Security, E, Glossary of computer security

Email bombing

January 29th, 2008

Email bombing is characterized by abusers repeatedly sending an email message to a particular address at a specific victim site. In many instances, the messages will be large and constructed from meaningless data in an effort to consume additional system and network resources. Multiple accounts at the target site may be abused, increasing the denial of service impact. Email spamming is a variant of bombing; it refers to sending email to hundreds or thousands of users (or to lists that expand to that many users). Email spamming can be made worse if recipients reply to the email, causing all the original addressees to receive the reply. It may also occur innocently, as a result of sending a message to mailing lists and not realizing that the list explodes to thousands of users, or as a result of a responder message (such as vacation(1)) that is set up incorrectly.

  • If you provide email services to your user community, your users are vulnerable to email bombing and spamming.
  • Email spamming is almost impossible to prevent because a user with a valid email address can spam any other valid email address, newsgroup, or bulletin-board service.
  • When large amounts of email are directed to or through a single site, the site may suffer a denial of service through loss of network connectivity, system crashes, or failure of a service because of
    • overloading network connections
    • using all available system resources
    • filling the disk as a result of multiple postings and resulting syslog entries

An email bomb is basically an attempt to overwhelm an email server or, more specifically, a single inbox, with so many messages that it becomes unusable. Due to the way current messaging systems work, even shutting off the server or disconnecting it from the network would not help the situation, as the messages would simply wait in the senders' queues for the system to come back online.

Most messages wait for at least several hours, and sometimes they wait for days. After all, the internet was designed to handle the vast outages that occur during nuclear warfare – and a system being offline for a short amount of time is definitely within design parameters.

Many of us have experienced situations similar to email bombs. For example, at my own company we had one system that got infected with “Iloveyou” a few years ago. Before we could identify and shut down that workstation, our email server was overwhelmed with over 50,000 messages! 

Since most ISPs restrict the size of email accounts to just a few megabytes, it does not take much to effectively “bomb” an inbox and make it unusable. Your average ISP allows one to five megabytes of messages, which translates to just a few hundred emails and, bang, your inbox is useless. In some cases the ISP will cancel the receiving account, even though the receiver is probably innocent of any crime.
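A defender-side check for the two patterns described above (many or very large messages aimed at one inbox, and a run spread across many accounts at one site), as an added example that is not part of the original post or of CERT's material. The accepted-message log format, the thresholds and the sample log are all constructed assumptions; adapt the regex to whatever your own mail server logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format (an assumption, not any real MTA's exact format):
#   <ISO timestamp> from=<sender> to=<recipient> size=<bytes>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) size=(?P<size>\d+)$"
)

WINDOW_SECONDS = 60             # sliding window used by every threshold
MAX_MSGS_PER_RCPT = 5           # more than this to one inbox per window: bombing
MAX_BYTES_PER_RCPT = 2_000_000  # or more than ~2 MB to one inbox per window
MAX_MSGS_PER_DOMAIN = 12        # burst spread across many mailboxes at one site


def parse_line(line):
    """Parse one accepted-message line; return None for lines we don't model."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "sender": m["sender"].lower(),
        "rcpt": m["rcpt"].lower(),
        "size": int(m["size"]),
    }


def detect_bombing(lines, window=WINDOW_SECONDS):
    """Return alerts as (kind, key, msgs_in_window, bytes_in_window, iso_ts).

    Two sliding-window counters run side by side: one keyed on the recipient
    mailbox (count and volume, since bombs are often few but huge messages)
    and one keyed on the recipient domain (count only), which catches a spam
    run hitting many accounts at the same site. Each key alerts once.
    """
    per_rcpt = defaultdict(deque)    # mailbox -> deque of (ts, size)
    per_domain = defaultdict(deque)  # domain  -> deque of (ts, size)
    alerts, alerted = [], set()

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts = rec["ts"]
        domain = rec["rcpt"].rsplit("@", 1)[-1]
        checks = (
            ("mailbox-flood", rec["rcpt"], per_rcpt, MAX_MSGS_PER_RCPT, MAX_BYTES_PER_RCPT),
            ("site-flood", domain, per_domain, MAX_MSGS_PER_DOMAIN, None),
        )
        for kind, key, store, max_msgs, max_bytes in checks:
            q = store[key]
            q.append((ts, rec["size"]))
            # Drop entries older than the window before evaluating thresholds.
            while q and (ts - q[0][0]).total_seconds() > window:
                q.popleft()
            msgs = len(q)
            volume = sum(size for _, size in q)
            over = msgs > max_msgs or (max_bytes is not None and volume > max_bytes)
            if over and (kind, key) not in alerted:
                alerted.add((kind, key))
                alerts.append((kind, key, msgs, volume, ts.isoformat()))
    return alerts


# Constructed sample: normal traffic to carol, six 900 kB messages to bob in
# under half a minute, then a list blast to 13 mailboxes at the same site.
SAMPLE_LOG = """\
2008-01-29T10:00:01 from=alice@corp.example to=carol@victim.example size=2300
2008-01-29T10:00:02 smtpd: connect from unknown[192.0.2.10]
2008-01-29T10:00:03 from=junk@bomber.example to=bob@victim.example size=900000
2008-01-29T10:00:08 from=junk@bomber.example to=bob@victim.example size=900000
2008-01-29T10:00:12 from=junk@bomber.example to=bob@victim.example size=900000
2008-01-29T10:00:15 from=junk@bomber.example to=bob@victim.example size=900000
2008-01-29T10:00:20 from=junk@bomber.example to=bob@victim.example size=900000
2008-01-29T10:00:25 from=junk@bomber.example to=bob@victim.example size=900000
2008-01-29T10:00:30 from=dave@corp.example to=carol@victim.example size=4100
""" + "".join(
    f"2008-01-29T10:10:{i:02d} from=list@announce.example to=u{i:02d}@victim.example size=1500\n"
    for i in range(13)
)

if __name__ == "__main__":
    for alert in detect_bombing(SAMPLE_LOG.splitlines()):
        print("%-13s %-22s msgs=%-3d bytes=%-8d at %s" % alert)
```

On the sample, bob's mailbox trips the volume threshold on the third 900 kB message, and the site-wide counter trips on the thirteenth list message even though no single mailbox there received more than one.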

Categories: E, Email security, Glossary of computer security