Friday, 31 May 2013

Multi Hover Effect On Blogger Images Using Pure CSS

Today I'm going to show you how to add a mouseover effect for Blogger images using only CSS: moving your mouse over an image from a given direction (from above, from below, etc.) causes an overlay to transition in from that same direction. This trick not only changes the image's appearance on mouseover, but also lets you add a text description inside the overlay.


You can see the effect on this image below: try moving your mouse from the left, right, and above.


Adding Hover Effect From Different Directions on Blogger Images

First thing to do is to add the CSS style to our Template:

Step 1. From Blogger Dashboard, go to Template and press the Edit HTML button



Step 2. Search for the </head> tag - to find it, click anywhere inside the code area, press CTRL + F keys and type it in the search box.


Step 3. After you find it, add the following style just above it:
<style>
  /* The container and the image */
  div.multi-hover {
    overflow: hidden;
    position: relative;
    vertical-align: middle;
    width: 100%;
    height: 358px;
    line-height: 358px;
  }
  div.multi-hover img {width: 100%;}

/* The texts that, by default, are hidden */
  div.multi-hover span {
    color: #FFF;
    font-size: 32px;
    font-weight: bold;
    height: 100%;
    opacity: 0;
    position: absolute;
    text-align: center;
    transition: all 0.3s linear 0s;
    width: 100%;
  }

/* And this is what will generate the effect */
  div.multi-hover span:nth-child(1) { /* right */
    background: none repeat scroll 0 0 rgba(255, 189, 36, 0.6);
    left: 90%;
    top: 0;
  }
  div.multi-hover span:nth-child(2) { /* top */
    background: none repeat scroll 0 0 rgba(106, 170, 255, 0.6);
    left: 0;
    top: -80%;
  }
  div.multi-hover span:nth-child(3) { /* left */
    background: none repeat scroll 0 0 rgba(204, 87, 166, 0.6);
    left: -90%;
    top: 0;
  }
  div.multi-hover span:nth-child(4) { /* bottom */
    background: none repeat scroll 0 0  rgba(97, 181, 115, 0.6);
    left: 0;
    top: 80%;
  }

  div.multi-hover span:hover {opacity: 1;}
  div.multi-hover span:nth-child(2n+1):hover {left: 0;}
  div.multi-hover span:nth-child(2n):hover {top: 0;}

</style>
Step 4. Save the Template

Now we are going to add the HTML that is nothing but a DIV where we included four SPAN tags with texts and an image:

Step 5. Choose Posts, create a New Post, click on the HTML tab (1) and paste this code inside the empty box:
<div class=multi-hover>
  <span>hover right</span>
  <span>hover top</span>
  <span>hover left</span>
  <span>hover bottom</span>
  <img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggjy7DRfB8x2UnGQXMarh-eMV5Sv5E0P2OYz1b89Y8aD3mqN3iqLbeKp4_LUUimRlgH9FfC0xfg0F5YBL3agklue47xd72q8qfu5iAiAC9K0u0YMZpFE7Be3raZb1GNaI9GePN1D2lORw/s1600/flowers">
</div>
Add your own text/description to "hover right", "hover top", "hover left" and "hover bottom" (2) and replace the url in blue with the image URL (3) where you want to apply the effect.
Important! Do not click on the Compose tab, otherwise the changes will be lost.


Step 6. After you finished editing your post, click Publish (4)

And that's it... enjoy! :)

LinkedIn gets a little safer with two-step verification

The new security measure makes it more complicated for hackers to access your account because it requires access to your password and your mobile phone.

Following Twitter's lead, LinkedIn introduced two-step verification as an optional security feature members can use to protect their accounts.
LinkedIn's new security measure emulates the two-step verification process of other sites and requires members to input a code, sent via SMS, when logging in from an unrecognized device for the first time.
"Most internet accounts that become compromised are illegitimately accessed from a new or unknown computer," LinkedIn Director Vicente Silveira wrote on the company blog. "When enabled, two-step verification makes it more difficult for unauthorized users to access your account, requiring them to have both your password and access to your mobile phone."
The update follows a similar addition from Twitter, where high profile members are often the frequent targets of hacking exploits. But LinkedIn has been far from a safe haven. Last year, the company was publicly embarrassed when it fell victim to hackers who managed to get access to millions of passwords that were then posted online.
Enabling two-step authentication should make it more difficult for hackers to access your LinkedIn account, but it's not an impenetrable system, as CNET senior reporter Seth Rosenblatt explains in his FAQ on the login system.


Tuesday, 28 May 2013

How secure is quantum cryptography?

California law would require breach notice if online account information is stolen

                     


The state Senate in California unanimously has passed a law that would require organizations that are breached to alert victims when intruders access online account information belonging to consumers.
Existing state law only requires notification when unauthorized individuals obtain "unencrypted Social Security numbers, driver's license numbers, medical information, health insurance information and specific financial account information, such as credit card numbers with security codes," according to Senate Majority Leader Ellen Corbett, who introduced the measure.
The new legislation, passed last week, would amend the definition of "personal information" under the state's breach notification law to also include "a username or email address, in combination with a password or security question and answer that would permit access to an online account."
Many consumers use the same login information across several websites, so theft of this data from one entity could allow fraudsters to potentially raid other accounts, such as online banking. According to documents chronicling the bill's history, it appears the flurry of mega password breaches this year, affecting companies like Yahoo and LinkedIn, prompted the update to the breach notification law.
"Cyber criminals are becoming increasingly savvy, particularly now that more individuals are using laptops, smartphones and even tablets to conduct personal business and shop online," Corbett said in a statement. "It is critical that consumers are informed whenever their information is accessed or stolen to minimize potential theft and damages."
The bill, dubbed SB-46, now makes its way to the state Assembly.
In 2003, California was the first state to enact a data breach notification law. Since then, nearly all other states have followed suit. There is no federal law, though there are national notification guidelines related to health care breaches.

KPMG In Germany Selects SunGard’s Adaptiv Analytics For CVA’s Under Basel III

http://www.iss-mag.com/news/kpmg-in-germany-selects-sungarda-s-adaptiv-anal


KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG) has chosen to use SunGard’s Adaptiv Analytics to help provide its clients with assessments of credit valuation adjustments (CVA) and to support their use of simulation-based approaches to compute derivatives exposures for internal risk steering and regulatory capital calculations.
For the latter purpose, KPMG has integrated Adaptiv Analytics with its proprietary risk-weighted asset (RWA) calculator and related tools to create “IMM-2-Go,” a framework to help firms rapidly implement an internal models method (IMM) to calculate Basel III default risk and CVA risk charges with respect to derivatives exposures.  The use of an IMM can help to alleviate a firm’s regulatory capital constraints which can help provide them with an important competitive advantage under Basel III.
Cubillas Ding, research director at Celent, said, “In today’s increasingly competitive and unpredictable global markets, it is critical to efficiently use and manage capital, with Basel III RWA and CVA as areas of particular concern for many financial institutions. It is important for firms to prepare and equip themselves to perceive and discern risk more clearly to develop competitive advantage in our rapidly changing environment as new risks and regulatory realities emerge on the horizon.”
Juerg Hunziker, president, trading and risk, SunGard’s capital markets business, said, “Basel III is pressuring firms to rapidly adopt advanced simulation approaches to calculate measures like RWA and CVA for internal steering of credit risk. SunGard’s Adaptiv Analytics can help firms and their clients to quickly respond to these requirements and support efficient management of counterparty exposure and CVA.”

Monday, 27 May 2013

Proxy research firm settles charges with SEC over client breach



Institutional Shareholder Services (ISS), a research firm that advises clients on voting in proxy fights, must pay $300,000 to the U.S. Securities and Exchange Commission (SEC) to settle charges that it failed to protect client information due to access control shortfalls.
The breach happened after an ISS employee allegedly divulged sensitive information to a proxy solicitor, a person hired by shareholders to find proxy voters to replace shareholder votes, in exchange for gifts.
"An SEC investigation found that an employee at ISS provided a proxy solicitor with material, nonpublic information revealing how more than 100 ISS institutional shareholder advisory clients were voting their proxy ballots," the SEC said in a Thursday news release. "In exchange for voting information, the proxy solicitor provided the ISS employee with meals, expensive tickets to concerts and sporting events, and an airline ticket."
The ISS is a registered SEC investment adviser.
The breach, which had been ongoing from 2007 to 2012, was enabled by ISS failing "to establish or enforce written policies and procedures reasonably designed to prevent the misuse of material, nonpublic information by ISS employees. Specifically, ISS lacked sufficient controls over employee access to databases of confidential client vote information."

Sunday, 26 May 2013

How To Add Social Media Icons to Blogger Header

This tutorial will help you add social media icons in the top right corner of the page, which could increase the likelihood that readers will follow you on the various social networks. There are several ways to do this, such as adding a new widget section to the blog header, but here we'll use an unordered list with icons for Facebook, Twitter, Google+ and the blog feed. As a bonus, the icons rotate when you hover over them.

You can see a demo in this test blog.


Adding Social Media Icons to Blogger Header

Step 1. From your Blogger dashboard, go to Template and click on the Edit HTML button:


Step 2. To expand the style, click on the small arrow on the left of <b:skin>...</b:skin> (screenshot 1), then click anywhere inside the code area to search (using CTRL + F) for the ]]></b:skin> tag (screenshot 2) and add this code just above it:

 /* Social icons for Blogger
----------------------------------------------- */

#social-icons {
margin-bottom:-30px;
height:50px;
width:100%;
clear:both;
z-index: 2;
position: relative;
}
.social-media-icons {
display:table
}
.social-media-icons ul {
text-align:right;
padding:5px 5px 0 0;
list-style-image:none;
list-style-position:outside;
list-style-type:none;
}
.social-media-icons ul {
margin-bottom:0;
padding:0;
float:right;
}
.social-media-icons li.media_icon {
margin-left:6px;
padding-left:0 !important;
background:none !important;
display:inline;
float:left;
}
.social-media-icons li:hover {
-moz-transform: rotate(360deg);
-webkit-transform: rotate(360deg);
-o-transform: rotate(360deg);
transform: rotate(-360deg);
-moz-transition: all 0.5s ease-in-out;
-webkit-transition: all 0.5s ease-in-out;
-o-transition: all 0.5s ease-in-out;
-ms-transition: all 0.5s ease-in-out;
transition: all 0.5s ease-in-out;
}

Screenshot 1:


Screenshot 2:


Step 3. Now search for this line

<b:section class='header' id='header' maxwidgets='1' showaddelement='no'>

Step 4. And just above it, add this code:

<div class='social-media-icons' id='social-icons'>
<ul>

<li class='media_icon'><a href='http://facebook.com/username'><img border='0' src='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRrDFV3ReZ0jf95z1i7aCnlAVd4p2FG8m0A_zl_cVYA6_HTcPkfW9CAEAr2lbvUq-OBeT31N0WgWb6Mp8XBX4CuV6ffZnODKEe4UN1Jb3j5HTfYs9iv31zez5lWZqJm00gy86afosXmeU/s1600/Facebook.png'/></a></li>

<li class='media_icon'><a href='http://twitter.com/#!/username'><img border='0' src='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrY6VEpDCnHITgbMG-04WptavoTiUZfUrAJ2cA7WEnAdq_7dJqetu-kwLxOR316ziEMlFJAoLvxUaCQLJfCeichrVq6wYNlZEKYYF14rTGt_OtxzQZX4YWeuMXyMRCt9NEgkhQDXSe_Ro/s1600/Twitter.png'/></a></li>

<li class='media_icon'><a href='https://plus.google.com/XXXXXXXXXXXXXXXXXX/about'><img border='0' src='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8XlyEZHQsYxrenxTajVZ7HBqcLYu9mwRdGbGog6FYfoUWwZX8Dfl8yWew-q3QsVHKmDVVd91pc8neQ623mvZBifdq6ON6H6F5c0exLpB0L4tdg-93I9ohExp_fafFZ08WNgugejWdmZ4/s1600/googleplus.png'/></a></li>

<li class='media_icon'><a href='http://name-of-your-blog.com/feeds/posts/default'><img border='0' src='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOQEt6HEgh2F2CmLNwcUAwFQGna2SlfGA-gD47B3RK4uO3MSYyZjsnQxhzdAoRYseDDQqlydZbq3QKc_xRMnpRrn9v8badZImUxERgGdbvjZsNtJbaxPElz8imOWvVqF7KMT8nWfRPu2w/s1600/RSS.png'/></a></li>

</ul></div>

Customization

- Change what's in red to your own usernames and ID: the first is your Facebook username, the second is your Twitter username, in the third replace the X's with the ID of your Google+ profile, and in the fourth put the name of your blog.
- To change the icons, just replace the urls in blue with the ones of your images.
- You can add more icons if you want, you just have to add before </ul></div> a line like this for each extra icon you want:

<li class='media_icon'><a href='Link URL'><img border='0' src='Image URL'/></a></li>

Step 5. Finally, Save the Template to apply the changes.
The effect is done with CSS3, so this effect will not work in older browsers.

9 Biggest Data Encryption Myths Busted


  • By David Tishgart, Gazzang



Rarely a day goes by that you don’t hear about a data breach. Hospital records stolen. Social media accounts hacked. Education transcripts revealed. Every industry is susceptible and every company is at risk. The result can be embarrassing and expensive at best and absolutely crippling at worst, with potential fines, time-consuming lawsuits, and subsequent loss of customer trust.
The steady pace of breaches reinforces the need for encryption as a last line of defense. Recently however, one of the oldest and most effective security tactics has been largely relegated to an afterthought in today’s new cloud and big data environments.
This is the result of some common misperceptions about encryption and key management related to cost, performance and ease of use.
Today we set the record straight, breaking down the nine biggest encryption myths.
MYTH 1: Encryption is only for organizations that have compliance requirements.
Certainly any company in a regulated industry that mandates data security and privacy should encrypt. That's a no-brainer. But a better way to think about encryption is this: if you've got data about your products, customers, employees or market that you believe is sensitive/competitive, then you should ALWAYS encrypt it, whether there's a legal obligation or not.
MYTH 2: SSL encrypts data everywhere.
SSL only encrypts data in motion; it does not cover data at rest. As data is written to disk, whether it’s stored for one minute or several years, it should be encrypted.
MYTH 3: Encryption is too complicated and requires too many resources.
Data encryption can be as complicated or as easy as you want to make it. The key is to understand the type of data that needs to be encrypted, where it lives and who should have access to it. There are plenty of readily available, easy to use and affordable encryption tools on the market. If application performance is important, look for a transparent data encryption solution that sits beneath the application layer and does not require modifications to your operating system, application, data or storage.
MYTH 4: Encryption will kill database performance.
There are a number of factors that impact database performance, and encryption is just one. Application-level encryption tends to pack the greatest performance hit, while the file-level encryption penalty is much lower. For maximum application performance, run block-level encryption on a system utilizing the Intel AES-NI co-processor.
MYTH 5: Encryption doesn’t make the cloud more secure.
On the contrary, storing encrypted data in the cloud is in many cases more secure than keeping it on premises, where insiders may have easier access. To ensure the safekeeping of encrypted data in the cloud, make sure you, not your cloud provider, maintain control of the encryption keys. If your provider requires you to hand over your keys, find another cloud service.
MYTH 6: Encrypted data is secure data.
Too many organizations fail to effectively manage their encryption keys, either storing them on the same server as the encrypted data or allowing a cloud provider to manage them. Storing the key on the same server as your data, or handing it over to your cloud provider, is akin to locking your car and leaving the keys in the door. Good key management with strong policy enforcement makes all the difference.
MYTH 7: Key management requires expensive, cloud-averse hardware.
While this was once true, today there are effective software-based solutions that enable organizations to deploy key management in the cloud or on premises. These solutions can typically be provisioned far faster than hardware security modules (HSMs), are very cloud friendly and meet most compliance statutes.
MYTH 8: If your data is encrypted, it can’t be stolen.
There is no security solution that will protect your data 100%. In fact, companies should operate with the mindset that their data can and likely will be compromised at some point in time. Data encryption can make the breach aftermath much more palatable though, since encrypted data cannot be decrypted without the key.
MYTH 9: Encryption is old school. I need a newer security technology to protect big data.
Data encryption is a proven security technique that works very well in modern NoSQL environments. As big data projects move from pilot to production, sensitive data such as protected health information (PHI), financial records, and other forms of personally identifiable information (PII) will likely be captured, processed, analyzed and stored.  Encryption is just as integral to securing data in NoSQL as it is in traditional relational database systems.
Firewalls and VPNs can provide some protection against data breaches and theft, but there is no substitute for strong encryption and effective key management, especially in big data and cloud environments. Now that the biggest myths have been busted, there’s no longer an excuse not to encrypt.
David Tishgart is director of product marketing and strategic alliances at Gazzang.

Saturday, 25 May 2013

Fading Box With Newer/Older Posts Links and Titles for Blogger

The navigation links are those that appear at the bottom of the page and say "Older Posts", "Newer Posts" and "Home"; they help us move through the blog posts. This tutorial will show you how to replace the words "Older Posts" and "Newer Posts" with post titles and make them appear in a box that fades in when you scroll down the page.

You can see it in action on this demo blog - when you scroll down, the navigation links will appear showing the post titles for the older/newer entries.

This way of displaying the navigation links applies only to individual post pages; the links on the homepage and other parts of the blog will still be displayed as usual.

How to Add Navigation Box with Newer & Older Posts on Blogger

Step 1. From your Blogger Dashboard, go to Template > Edit HTML, click anywhere inside the code area and search - using CTRL + F - for this line:

<b:include name='nextprev'/>


Step 2. REPLACE the code above with this one:

<b:if cond='data:blog.pageType != &quot;item&quot;'>
<b:include name='nextprev'/>
</b:if>
<b:if cond='data:blog.pageType == &quot;item&quot;'>
<div id='blog-pager-box'>
<h4>Other posts published:</h4>
<b:include name='nextprev'/>
</div>
</b:if>

Note: you can change the "Other posts published" title with your own

Step 3. Now add just above </head> the following code:

<b:if cond='data:blog.pageType == &quot;item&quot;'>
<script src='https://ajax.googleapis.com/ajax/libs/jquery/1.8.2/jquery.min.js' type='text/javascript'/>
<script>
// <![CDATA[
$(function() {
$('#blog-pager-box').toggle()
.css({
width: '520px',
height: '150px',
position: 'fixed',
padding: '1em',
bottom: 0,
right: 0,
background: 'url(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj10ErS6Y9Gx68_rM0Lx2CH9v_1QKJLy-_HND767r66Syf6k_rRdBq93RtJGBhayhaSmQ-OXiq4CSrm0nHyqjXx2lYoYYL_PYwli4fHhfJgDlD0jWAW1CQ_QpRoRd5EKGhnEzsBu1SlN5h9/s1600/paper.jpg)'
});

$(window).scroll(function() {
if($(this).scrollTop() > 100) {
$('#blog-pager-box').fadeIn();
} else {
$('#blog-pager-box').fadeOut();
}
});
});
$(document).ready(function(){
// Fetch the neighbouring post's title into each pager link, then rebuild the
// link content with DOM methods so the title is inserted as text, never parsed as HTML.
var newerLink = $("a.blog-pager-newer-link").attr("href");
$("a.blog-pager-newer-link").load(newerLink+" .post-title:first", function() {
var newerLinkTitle = $("a.blog-pager-newer-link:first").text();
$(".blog-pager-newer-link").empty().append($("<div>").text("Newer Posts:")).append(document.createTextNode(newerLinkTitle));
});
var olderLink = $("a.blog-pager-older-link").attr("href");
$("a.blog-pager-older-link").load(olderLink+" .post-title:first", function() {
var olderLinkTitle = $("a.blog-pager-older-link").text();
$(".blog-pager-older-link").empty().append($("<div>").text("Older Posts:")).append(document.createTextNode(olderLinkTitle));
});
});
// ]]>
</script>

<style type='text/css'>
<!--
#blog-pager-box {
box-shadow: 0 0 3px #AEAEAE;
z-index:9;
}

#blog-pager-box h4 {
margin:0;
padding:0;
color:#4898B9; /* Widget's title color */
font-size:16px; /* Title font size */
}

#blog-pager-newer-link {float:left;clear:both;line-height:30px;}
#blog-pager-older-link {float:left;clear:both;line-height:30px;}
.home-link {display:none;}
.blog-pager-older-link, .blog-pager-newer-link {
background-color: transparent !important;
background-image: none !important;
border:0 !important;
color: #4B4B4B !important; /* Color of the links */
float: left;
width: 500px;
clear:both;
}

a.blog-pager-older-link:hover, a.blog-pager-newer-link:hover {
text-decoration:none !important;
}
 
a.blog-pager-newer-link:before {
content: url(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIO5LRtrOJYa9X5q-lNwwkbal4J3FeXqfzKpS_NTL0w_Y1S7w_GsGajnrwzIrsXlhJ5luJbcOecMNAgAYJG3HNE6tkZGZ9wG8nj7v5MQKZmXQiHeHeETP0_-21Ux2lQ66fSQLJOeShcbw/s1600/back.png);
float:left;
}
a.blog-pager-older-link:before {
content: url(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmetr1xDLZ0zzQl26yPuiZzJ2sjEXh3kdTCHisLGTDdm3SPVMjquPsmNn54wvubFg0ad-l99dS6FSIR_lDy-o_pLGi2_qhmp_MB7x1KXUAgbaRAOOLf8pxibk72AbKQ6Av8QVZwUckfPU/s1600/forward.png);
float:left;
}
#blog-pager {
width:500px;
background-color: transparent !important;
background-image: none !important;
border:0 !important;
text-align:left;
}
 
#blog-pager div {
color:#0577AB; /* Color for the "Newer Posts" and "Older Posts" text */
font-weight:bold;
margin-bottom: -5px;
}
a#blog-pager div:hover {
text-decoration:none !important;
color:#4898B9; /* Color for the "Newer Posts" and "Older Posts" text */
}
-->
</style>
</b:if>

Note that this gadget uses jQuery, so make sure your template loads only one version of it.
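
The pager script fetches a post title from another page and writes it back into the link. As an added example (not part of the original tutorial), this browser-free JavaScript model shows why a title read back as text has to be encoded again, or inserted as a text node, before it re-enters HTML; the function names and the sample title are constructed for illustration.

```javascript
// Added example: models the pager-title round trip without a browser or jQuery.
// All names and the sample title below are constructed for illustration.

// What the fetched page would contain for a post whose title is the literal
// text "Using <b> & <i> tags": the blog has entity-encoded it.
const fetchedTitleHtml =
  '<h3 class="post-title">Using &lt;b&gt; &amp; &lt;i&gt; tags</h3>';

// Rough stand-in for reading an element's text: drop tags, decode entities.
function textOf(html) {
  return html
    .replace(/<[^>]*>/g, '')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&'); // decoded last so "&amp;lt;" becomes "&lt;", not "<"
}

// Encode the characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Pattern to avoid: decoded text concatenated into a string that will be
// handed to an HTML parser.
function pagerHtmlConcatenated(label, title) {
  return '<div>' + label + '</div>' + title;
}

// Hardened form: the title is encoded again before it re-enters HTML.
function pagerHtmlEscaped(label, title) {
  return '<div>' + escapeHtml(label) + '</div>' + escapeHtml(title);
}

// Names of the elements a parser would open for this string. A crude regex
// scan that is enough for the demonstration; it is not a sanitizer.
function openedTags(html) {
  const tags = [];
  const re = /<([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;
  let m;
  while ((m = re.exec(html)) !== null) tags.push(m[1].toLowerCase());
  return tags;
}

function demo() {
  const title = textOf(fetchedTitleHtml);
  const escapedHtml = pagerHtmlEscaped('Newer Posts:', title);
  return {
    title,
    concatenated: openedTags(pagerHtmlConcatenated('Newer Posts:', title)),
    escaped: openedTags(escapedHtml),
    escapedHtml,
    // What a reader sees after the escaped markup is rendered.
    rendered: textOf(escapedHtml),
  };
}

console.log(demo());
```

In a browser the same guarantee comes from writing the title with `.text()` or `document.createTextNode()` rather than building an HTML string.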


Customization:


- There are three URLs in blue, the first is the paper background image for the box, the other two are the icons that correspond to the arrows. You can replace these with your own.
- In green you can see where to change the text colors.
- The red number is the distance in pixels that activates the gadget; this means that the box will appear once you have scrolled down 100px. You can use a higher value if your posts are usually long and therefore the "height" of the scroll is greater.
Step 4. Now, Save the Template and that's it!

You can also change the "Older Posts" and "Newer Posts" links with posts titles or images.

Friday, 24 May 2013

New Blogger Widget: Contact form - Change Style & Install in a Static Page

Just a few days ago, Blogger introduced a new widget: a contact form that you can easily add to your blog. It is very basic because, at least for now, it does not permit attaching files or sending anything other than plain text.

The contact form for Blogger has the following features:
  • Field for the user name
  • Field for email
  • Field for the message (textarea)
  • Submit Button
The design is simple and the text colors are inherited from the section where you add it. At the moment, this widget has no configuration options and is not available for dynamic views.

How to Add Contact Form to Blogger

To add it to your blog, just select the Layout tab, then click on Add a gadget in the section you want to show, for example, in the sidebar. Then, select the More gadgets tab and add the Contact Form gadget.



Styling Contact Form


As the background is transparent, the form will integrate well, aesthetically speaking, but it is nevertheless easy to modify by applying CSS to the appropriate selectors. Here's an example:

/* Contact Form Container */
.contact-form-widget {
width: 500px;
max-width: 100%;
margin: 0 auto;
padding: 10px;
background: #F8F8F8;
color: #000;
border: 1px solid #C1C1C1;
box-shadow: 0 1px 4px rgba(0, 0, 0, 0.25);
border-radius: 10px;
}

/* Fields and submit button */
.contact-form-name, .contact-form-email, .contact-form-email-message {
width: 100%;
max-width: 100%;
margin-bottom: 10px;
}

/* Submit button style */
.contact-form-button-submit {
border-color: #C1C1C1;
background: #E3E3E3;
color: #585858;
width: 20%;
max-width: 20%;
margin-bottom: 10px;
}

/* Submit button on mouseover */
.contact-form-button-submit:hover{
background: #4C8EF9;
color: #ffffff;
border: 1px solid #FAFAFA;
}

This is how it will look after applying the style.

To add this style, go to Template > Edit HTML, click on the sideways arrow next to <b:skin>...</b:skin> and paste the code just above ]]></b:skin> (press CTRL + F to find it):


How To Add Contact Form In A Static Page


First step is to add the Contact Form gadget (Layout) and second, to edit the template (Template > Edit HTML) to remove most of the gadget. You have to search for the id "ContactForm", expand the widget by clicking on the black arrow on the left (same with the includable) and then delete the part that I have colored in red (see below):

Part to be removed:

  <b:widget id='ContactForm1' locked='false' title='Contact Form' type='ContactForm'>
    <b:includable id='main'>
  <b:if cond='data:title != &quot;&quot;'>
    <h2 class='title'><data:title/></h2>
  </b:if>
  <div class='contact-form-widget'>
    <div class='form'>
      <form name='contact-form'>
        <p/>
        <data:contactFormNameMsg/>
        <br/>
        <input class='contact-form-name' expr:id='data:widget.instanceId + &quot;_contact-form-name&quot;' name='name' size='30' type='text' value=''/>
        <p/>
        <data:contactFormEmailMsg/> <span style='font-weight: bolder;'>*</span>
        <br/>
        <input class='contact-form-email' expr:id='data:widget.instanceId + &quot;_contact-form-email&quot;' name='email' size='30' type='text' value=''/>
        <p/>
        <data:contactFormMessageMsg/> <span style='font-weight: bolder;'>*</span>
        <br/>
        <textarea class='contact-form-email-message' cols='25' expr:id='data:widget.instanceId + &quot;_contact-form-email-message&quot;' name='email-message' rows='5'/>
        <p/>
        <input class='contact-form-button contact-form-button-submit' expr:id='data:widget.instanceId + &quot;_contact-form-submit&quot;' expr:value='data:contactFormSendMsg' type='button'/>
        <p/>
        <div style='text-align: center; max-width: 222px; width: 100%'>
          <p class='contact-form-error-message' expr:id='data:widget.instanceId + &quot;_contact-form-error-message&quot;'/>
          <p class='contact-form-success-message' expr:id='data:widget.instanceId + &quot;_contact-form-success-message&quot;'/>
        </div>
      </form>
    </div>
  </div>
  <b:include name='quickedit'/>

</b:includable>
  </b:widget>

After you have saved the template, go to Pages and paste the following code into a new blank page with the title you want:

 <div class='widget ContactForm' id='ContactForm1'>
  <div class='contact-form-widget'>
    <div class='form'>
      <form name='contact-form'>
        <p>Name</p>
        <input class='contact-form-name' id='ContactForm1_contact-form-name' name='name' size='30' type='text' value=''/>
        <p>E-mail *</p>
        <input class='contact-form-email' id='ContactForm1_contact-form-email' name='email' size='30' type='text' value=''/>
        <p>Message *</p>
        <textarea class='contact-form-email-message' cols='25' id='ContactForm1_contact-form-email-message' name='email-message' rows='5'></textarea>
        <input class='contact-form-button contact-form-button-submit' id='ContactForm1_contact-form-submit' type='button' value='Submit'/>
        <p class='contact-form-error-message' id='ContactForm1_contact-form-error-message'></p>
        <p class='contact-form-success-message' id='ContactForm1_contact-form-success-message'></p>
      </form>
    </div>
  </div>
</div>

Messages will be sent to the same email that you have registered in Blogger.

Here's a demo page where you can test it (it is an account that I don't use, so don't expect a reply).
That's it! If you have any questions or comments please post below.

Wednesday, 22 May 2013

Hold Merchants Accountable for Breaches?

Banking Group Asks Congress to Take Action

By , May 22, 2013. Follow Tracy @FraudBlogger
 

Banking institutions rarely recover the financial losses they suffer after cards are exposed as the result of a retail breach. Losses have increased in the last year as a result of targeted malware attacks specifically designed to capture card data.
Card issuers say they don't hold their breath for much to change, at least not near-term. But the National Association of Federal Credit Unions is asking Congress to step in and hold breached retailers and processors accountable when their lax security practices result in the leakage of card data.
 Merchants and processors should be investing in systems and technologies that help them better detect attacks to their own networks, but they have little incentive to do so. 
         
Will Congress take notice of the recommendations? And is the NAFCU the right group to press for legislation? I don't know if the NAFCU on its own has the muscle to push Congress to take notice, but the group's advocacy is commendable.
I'm hopeful other banking organizations, such as the American Bankers Association and the Independent Community Bankers of America, join the cause.
Retail card compromises have for too long been pain points for banks and credit unions that card brands have failed to address. Retailers need to take on more responsibility for the breaches they suffer. Regulatory reform, which calls for more scrutiny of their networks and systems, is a viable solution.

A 5-Point Plan

The NAFCU's Five-Point Plan for Regulatory Relief recommends establishing national standards for the protection of all financial information, including payment card data. It also recommends holding merchants accountable for expenses, such as costs associated with card re-issuance, if card numbers and details are exposed during a breach. It calls for creating uniform federal enforcement standards for data security, which would prevent merchants from storing card and other financial information. And it asks that merchants be required to share their data security policies with customers.
The five-point plan also recommends that the burden of proof after data breaches fall back onto the merchant and/or processor that is attacked, rather than, as is the current practice, relying on card issuers to trace the fraud back to a common point of suspected compromise.
David Carrier, NAFCU's chief economist, says the average annual cost to a credit union after a retail breach involving card numbers is $86,000, based on a recent survey of the association's 800 institution members. Those expenses include the issuance of new cards and covering losses - such as account losses - when fraudulent transactions occur. "That was much higher than expected," he says. "We think merchants need to be held accountable for breaches due to their own negligence. As it is right now, credit unions end up paying."
Complying with the Payment Card Industry Data Security Standard should mean that processing networks and POS devices and systems are not storing or exposing card data. But it doesn't, as recent retail attacks prove.

Retailers' Role for Better Security

Ensuring point-of-sale devices and systems are secure isn't easy. Nick Percoco, senior vice president at security vendor Trustwave, says legacy POS terminals, for example, often inadvertently store data.
"Today we see malware that is much more advanced," he says. "There is a population of merchants in the U.S. that still have point-of-sale systems that are ripe for these types of attacks. Right now, not all merchants are secure."
The PCI Security Standards Council, the card brands and others are pushing merchants to get all of their outdated devices and systems upgraded to avoid these types of security vulnerabilities. But that effort will take time.
And while the PCI-DSS clearly prohibits the storing of card data, it does not require full, point-to-point data encryption.
"PCI does not require encryption of data if it's being transmitted over a private network," Percoco says. "So if you have a merchant with a corporate office and 1,000 locations, and the data is being transmitted to other locations over a VPN, it can be sent in the clear."
Criminals know if they hack a corporate environment, they likely will have access to clear text data, he adds.

And then there's the issue of enforcement. The PCI SSC oversees the PCI-DSS, but it has no authority to enforce compliance. Visa and MasterCard require merchants and processors to attain PCI compliance in order to transact on their networks. But there's no uniformity to PCI audits, nor is there uniformity to how the qualified security assessors who perform the audits carry out their reviews.
And for banking institutions, as issuers, the costs associated with protecting card data after it's exposed are tough to recoup. Tracing card compromises to their source is becoming increasingly difficult as well.
Card issuers have to ensure they detect compromises as quickly as possible to limit their losses. As it is, issuing institutions are typically the first to identify an attack and link it to a breach.
But merchants and processors should be investing in systems and technologies that help them better detect the attacks their networks suffer. The problem is, they have little incentive to do so.
Until retailers and processors are held more accountable for losses and insufficient security practices, not much will change.
Legislation could really make a difference, and the NAFCU deserves praise for its five-point plan. I hope other groups will lend their support to the effort as well.
          

Senin, 20 Mei 2013

SunGard Introduces New Consolidated Protegent Compliance Platform To Help Manage Regulatory Compliance

SunGard has developed the Protegent Compliance Platform, a new consolidated technology platform to help financial firms achieve competitive advantages by streamlining their regulatory compliance management.
A common platform can help firms use their compliance technology budgets more efficiently, enabling them to keep up with industry changes while continuing to effectively mitigate increasingly complex regulatory risks. SunGard’s Protegent Compliance Platform’s integrated core components help firms reduce the time and resources required for implementation, support and training while increasing compliance visibility of key data through a single, consolidated interface. The web-based Protegent Compliance Platform addresses the needs of global organizations by providing multi-language and multi-time zone capabilities while also positioning the applications for use on mobile and tablet devices.
SunGard’s Protegent solutions for compliance help firms manage:
  • Market abuse and insider trading
  • Personal trading and conflicts of interest
  • Sales practice review
  • Best execution
  • Trade cost analysis
  • Policy management
  • Social media surveillance
  • Customer onboarding
Sang Lee, managing partner, Aite Group, said, “The nature of new regulations is leading firms to rethink their organizational structures, business processes, and underlying technology architectures. Investing in a consolidated compliance technology framework could greatly enhance firms’ ability to keep pace with rapidly changing regulatory demands, thereby helping enable these firms to re-focus on identifying new revenue opportunities and staying ahead of the competitive curve.”
Steve Sabin, chief operating officer, SunGard’s Protegent business, said, “SunGard’s consolidated Protegent Compliance Platform helps our customers achieve a competitive advantage by being able to respond more quickly to regulatory inquiries and audits such as providing evidence of review and other requested data without causing a costly and disruptive drain in resources.”      

The CSO perspective on healthcare security and compliance

by Mirko Zorz - Editor in Chief - Monday, 20 May 2013.
 


Jumat, 17 Mei 2013

Configuration Management for virtual and Cloud Infrastructures


The top seven things to consider

May 17, 2013.
By Ronni J. Colville and George Spafford


www.gartner.com

Configuration management is a key process for any IT endeavor — including legacy IT systems, as well as private and public clouds. Without visibility to the configuration of the relevant IT service, IT will not be able to manage the multisourced cloud infrastructure and software.

Organisations adopting virtualisation and cloud delivery services need to review their configuration management processes to ensure that they are optimised to support these services.

A review of the configuration management process should focus on, and alter as required, the process design, including inputs and outputs, workflows, controls, roles and responsibilities, data models, reporting and opportunities for process automation.

Through 2015, 80% of outages impacting mission-critical services will be caused by people and process issues, and more than 50% of those outages will be caused by change/configuration/release integration and hand-off issues.

As IT adopts technologies such as virtualisation and cloud services, new dynamics will be introduced (e.g., mobility and offline/online), as well as opening its doors to external providers (e.g., infrastructure as a service [IaaS]). This complexity will require IT to add more rigor (not less) to their configuration management process.

As the number of internal and external service providers increases, the need for timely, accurate and secure information flows also increases. With any delivery method, configuration plays a vital role in providing logical views of IT services, including changes to configurations.

Consider the following questions and responses to rightsise your configuration management process for virtual and cloud infrastructures:

1. How well are standards defined and followed? Standard implementations bring predictability and speed in deployment, but the mobility of virtualisation adds unpredictability in performance, because changes can be done in real time without an impact assessment. Add a shared infrastructure (e.g., multiple VMs per host and cluster) and what was standard and predictable for one IT service will potentially be affected by other IT services. These new dynamics will affect how standards are assessed and maintained, and will require closer inspection of how dynamic (versus standard and static) the IT service blueprint should be. Standards will need to be reassessed on an ongoing basis to ensure scalability and predictable availability.

2. How well are IT services documented or tracked in systems such as the configuration management database (CMDB)/configuration management system (CMS)? The CMDB/CMS will maintain a trusted view using integration and federation to bring in configuration data from a wide variety of sources. Some discovery sources can take triggers from virtual infrastructures and become closer to a "real-time view." This view, coupled with a runtime view for application performance, will enable better predictive planning. Because having visibility to public cloud infrastructures can be limited with today's discovery tools, it is critical for IT organisations to understand the service or application, and how it is manifested (internally and externally).

3. How well is automation used to discover and execute changes? While IT resources are often experts, they are still prone to human errors. Using automation to discover and better target changes will significantly reduce outages. Automating provisioning without understanding the impact of the single change to a system or software on the broader IT service or application may have a negative effect (e.g., outage) systemwide. In addition, with the frequency of changes to the virtual and cloud infrastructures, coupled with new agile development and deployment, automation will improve the speed of changes and reduce the errors to which humans cannot scale, to accommodate the increase in changes without an increase in errors.

4. How well are audit requirements for contractual and regulatory compliance addressed? Enterprises can no longer exist without mechanisms that prove sufficient control is in place. Virtualisation enables the swift and real-time movement of servers and applications from one place to another. Due to this type of movement, organisations could fail to comply with restrictions, which could subject the enterprise to significant consequences. This applies not just to country- or industry-specific regulations (e.g., payment card industry) or security-based regulations (e.g., Center for Internet Security [CIS]), but broader regulations (e.g., the USA Patriot Act) that will impact or support global enterprises.

5. How well are software licenses tracked and are they accurate? Virtual infrastructures add mobility and offline dynamics that can present a challenge for tracking application and software usage. IT organisations will have to be prepared with documentation and discovery methods that can prove license instantiation.

6. How well does IT already manage multisourced or multivendor operating environments? The public cloud is not necessarily new; in many respects, it's another flavor of outsourcing or software as a service (SaaS). IT organisations are still responsible for their data, their application availability, etc., but now there is a middleman. IT organisations that have best practices in place for multisourced or SaaS infrastructures likely will have less of a challenge adapting their configuration strategies to the public cloud. IT should seek out lessons learned from traditional outsourcing vendors and incorporate them for the broader use cases in the public cloud.

7. What is the degree of business risk that IT organisations will tolerate, associated with specific types of changes (e.g., to business-critical systems, preapproved changes, emergency changes, etc.)? Today, changes are controlled within the IT infrastructure, but cloud infrastructures will take change-impact assessment beyond the corporate firewall into more "opaque" environments (public clouds). As the scope of control alters with public cloud scenarios, business risk factors will need to be re-examined, and existing policies will need to change to enable a 90% success rate or better.

This report is based on independent technology advisory research from Gartner, Inc. Gartner delivers the technology-related insight necessary for IT leaders to make the right decisions every day.


Kamis, 16 Mei 2013

List of mandatory documents required by ISO 27001

By Dejan Kosutic on April 09, 2013
   
It’s actually funny, but it is rather difficult to find a list of all mandatory documents required by ISO 27001 anywhere on the Internet – this problem came to my attention when one of the readers of my blog told me he had to read several of my articles to assemble this list.
Anyway, a complete list of mandatory documents has two parts: the first part is related to documents which are required in the main part of the standard (clauses 4 to 8), and the second part is related to Annex A.

Mandatory documents required in the main part of ISO 27001

The first part is rather straightforward – most of the required documents are listed in clause 4.3.1:
  • ISMS scope
  • ISMS policy and objectives
  • Risk assessment methodology
  • Risk assessment report
  • Statement of Applicability
  • Risk treatment plan
  • Description on how to measure effectiveness of controls
  • Procedure for document management
  • Controls for record management
  • Procedure for internal audit
  • Procedure for corrective action
  • Procedure for preventive action
Records required by the main part of the standard are as follows:
  • Records related to effectiveness and/or performance of the ISMS
  • Records of management decisions
  • Records of significant security incidents
  • Records of training, skills, experience and qualifications
  • Results of internal audit
  • Results of management review
  • Results of corrective actions
  • Results of preventive actions

Documents for Annex A

This is where it gets confusing – ISO 27001 doesn’t require all the controls from Annex A to be implemented, and it doesn’t clearly indicate how each control should be documented. To learn how to determine which controls to implement, read this article: ISO 27001 risk assessment & treatment – 6 basic steps.
The documents that are mandatory in Annex A (providing that the control is applicable) are the following:
  • Information security policy
  • Inventory of assets
  • Rules for acceptable use of assets
  • Definition of roles and responsibilities
  • Operating procedures for information technology and communications management
  • Access control policy
  • List of relevant statutory, regulatory and contractual requirements
  • Records provided by third parties
  • Logs recording user activities, exceptions, events, etc.
And, here are the documents that are quite commonly used when implementing controls from Annex A, although they are not mandatory:
  • Classification policy
  • Change management policy
  • Backup policy
  • Disposal and destruction policy
  • Information exchange policy
  • Password policy
  • Clear desk and clear screen policy
  • Policy on use of network services
  • Mobile computing and teleworking policy
  • BYOD – Bring your own device policy
  • Incident management procedure
Which documents do you think should be used in ISO 27001 implementation?

Rabu, 15 Mei 2013

Cloud-service contracts and data protection: Unintended consequences

May 13, 2013, 11:52 AM PDT
Takeaway: There are things your cloud-service (Facebook, Amazon, Google, Dropbox, etc.) contracts aren’t telling you. Michael P. Kassner interviews an attorney concerned about what’s not being said.
“If it’s not private, it’s not protected.”
When I heard Tyler Pitchford mention the above quote in his ShmooCon 2013 talk: “The Cloud, Storms on the Horizon,” I thought he was stating the obvious. I mean duh, if it’s public; of course, it’s not protected. Fortunately for me, I kept watching the video, eventually learning that’s not what Tyler was trying to say.
What’s more, by the end of the video it became apparent that I needed to rethink how and why I use cloud services. Using cloud services could lead to significant legal implications, and ultimately, financial hardships.
If you’re thinking this is yet more chastising to get everyone to read End User’s License Agreements (EULA), it’s not. I’m taking aim at what’s not being said in EULAs and privacy policies.
First things first: who is this guy Tyler Pitchford? And, why does an attorney know so much about IT, especially software? Well, Tyler followed a different drummer prior to seeing the judicial light. He graduated with a B.A. in Software Systems Design. After which, Tyler put his expertise to use. If you ever used the file-sharing protocol BitTorrent, you are probably familiar with his BitTorrent client — Azureus.
I don’t know what more a “non-legalese speaking” guy writing about the legal implications of cloud services could ask for.

The cloud legally is?

Like all good attorneys, Tyler first defined the terms under discussion, in this case — the cloud:
The cloud is loosely defined as services (think Google, Facebook, Amazon, LinkedIn, and a whole host of others) delivered over a network. For our purposes: market-speak for resource and cost sharing.
Tyler added one caveat:
The cloud is an excellent way to maximize your resources, but filled with potential legal pitfalls. The larger your operation, the more hassles you’ll face.

Third-party legal issues

Now to the crux of what I wanted to talk about. It may not be correct legalese, but I call it third-party legal issues — something unfortunate happens that is outside our control. In the legal realm, third party refers to:
An individual or group who does not have a direct connection with a legal action, but is affected by it.
Third-party legal issues are particularly important to those of us who use or provide cloud services. Third-party eDiscovery can affect our personal or company’s ability to function. Tyler provided two real-world examples to explain how serious it can be.
First example: A small web-hosting service rented space to a business for its website. The business came under government investigation. The web-hosting service received a third-party subpoena even though it was not under investigation. The web-hosting service had to hire an attorney, produce documents, and shut down servers for eDiscovery, ultimately spending 50,000 dollars to meet the conditions of the subpoena.
Second example: A mid-sized business located its servers at a colocation facility. The government began investigating the owners of the colocation facility, issuing warrants, seizing everything in the building, including the servers of the mid-sized business even though the owners were not part of the investigation. The exact figure is unknown, but minimally, the mid-sized business was unable to function until the government returned their servers.
As you can see, through no fault of our own, we can suffer some serious digital and financial trauma. Tyler had several suggestions to reduce the fallout from being an innocent participant in a third-party legal action:
  • Encrypt, encrypt, encrypt!
  • Implement data-retention policies, and follow them religiously.
  • Delete redundant copies.
  • Quarantine data as much as possible.
Each bullet helps isolate your data or your company’s data from other third-party data stored on the cloud service, lowering the interest level of the civil, criminal, or governmental entity investigating the cloud service or another third party using the same cloud service.
Now that we are up to legalese speed, let’s get to some questions.
Kassner: Everyone mentions we should retain an attorney if we do not understand contracts related to cloud services. What kind of attorney is that? What is your specialty?

Pitchford: Sadly, like all things legal, it depends. Generally, you should be able to talk to any good business litigation or contract attorney to handle a general review of cloud-service contracts. If you’re worried about a specific question (privacy, intellectual-property rights, etc.) then you’d want to speak to a specialist.
As for me, I’m an appellate attorney, which means I deal with cases spanning the entire legal field. That said, the areas where I focus most of my time are mass-torts, complex commercial litigation, constitutional law, cyber law, and intellectual property.

Kassner: If you were tasked with setting up a cloud service for a company, what specifically would you want in the agreement?

Pitchford: I’d want the venue, forum-selection, and choice-of-law provisions (clauses that determine the location of the suit, the forum of the suit, court vs. arbitration; and what laws the court will apply) to match the location of the company headquarters, the main location of their legal offices, or anywhere I know that has laws favorable to the company’s expected battles. Depending on the company’s resources, and various other factors, I’d also consider an arbitration clause.
Specifically related to cloud computing, I’d want a guaranteed uptime with a defined penalty provision even though damages resulting from an outage can be difficult to quantify. I would also want some assurance as to whom I’d be sharing servers with.

Kassner: In your talk, you emphasize the need for companies to create a “data-retention policy.” What is it? And, why is it important?

Pitchford: A data-retention policy defines how long an entity stores data. For example, a company might issue a policy stating employees are only to keep emails for 180 days, or back-up servers should only retain two weeks’ worth of information.
A proper policy needs to balance how much of a data archive the corporation really requires to function versus the risk of a complete failure and an inability to recoup the data. The policy must keep the company functional, but should prevent data hoarding. And here’s why: the more data you have, the more data you’ll have to protect and search through if you’re ever involved in litigation.
A retention policy becomes even more important when you realize that you can be required to provide information as part of a lawsuit against a third party.
Kassner: That’s interesting, Tyler. I was under the assumption that a business or person being served a subpoena would be in trouble if they did not have the asked-for data?

Pitchford: As with all things legal, there’s a catch, and it varies by jurisdiction. The general rule is if you’re aware that litigation is likely, you must preserve relevant information within your control. Put simply, you can’t intentionally delete information relevant to a lawsuit against the company directly, or as the result of a third party; it’s illegal. But if there is no threat of litigation, eliminate the data; then there’s nothing to hand over.
It’s less expensive to explain that all potentially relevant information has been destroyed as part of the company’s retention policy, than it is to sort through umpteen years’ worth of archives.
Kassner: You talked about something rather scary, “plain-view doctrine.” If I understand correctly, the government can charge a person based solely on evidence found while looking for something else. Is that right?

Pitchford: That’s correct. Coolidge v. New Hampshire, 403 U.S. 443 (1971), established the parameters of the plain-view doctrine, but they have since been massaged by the more recent Horton v. California, 496 U.S. 128 (1990).
A common example is the traffic stop; where during the stop the officer notices drugs sitting on the passenger seat. The doctrine, however, is also applicable to electronic information. If an officer were to lawfully seize and search a server as part of a raid on a cloud-service provider, immediately incriminating data located while executing the warrant would, arguably, be subject to the plain-view doctrine.
I should note there’s a split between the jurisdictions on exactly what the limits of the doctrine are as they apply to electronic search, but a full explanation would require an article all itself.

Kassner: Could the government take on a whole service like Dropbox, using a third-party subpoena, and then gather evidence using the plain-view doctrine?

Pitchford: Well, no. If a party turned over information by subpoena, then the plain-view doctrine wouldn’t apply because the information was handed over voluntarily, and they could do as they pleased with it.
If, however, we tweak your question a little to seizing an entire cloud service by warrant (think Megaupload), then it’s possible the government could utilize the plain-view doctrine to justify locating any incriminating information seized outside the scope of the warrant. But there are certainly limits.

Waiving privacy


Remember, “If it’s not private, it’s not protected.”
I thought I had better explain what Tyler was trying to get at. Most cloud-service contracts are agreements made between a person or company and a third-party service provider. What’s interesting is they can include clauses which define and/or waive any expectation of privacy.
When the agreements contain these types of clauses, data residing on a cloud-service provider’s servers is neither considered private, nor protected under the Fourth Amendment. And even if the agreement contains no explicit waivers, the government can still argue a waiver of privacy simply because you have provided your data to a third party.
The government has used these arguments successfully to get data turned over if a warrant could not be obtained; so, those private comments on Facebook — not so private. Now you also understand why Tyler earlier emphasized “encrypt, encrypt, encrypt.” It is the only way data stored in the cloud is truly private.

Final thoughts

It’s been a long, challenging piece. I’ll end by asking Tyler for his “big picture” view.
I think cloud services are valuable tools, but they’re not the answer to everyone’s problems. When a company is deciding whether to adopt cloud services or not, it’s important they evaluate the full picture, not just how much money it can save by slashing IT budgets. And while there are plenty of discussions about the danger of service outages, there simply aren’t enough discussions going on about the possible legal ramifications.
I definitely wanted to thank Tyler, and his mother for allowing me time today — Mother’s Day — to ask a few last-minute questions. As an extra bonus, here are a few “bits of legal wisdom” from Tyler:
Reasonable Searches
  • Ideal: Probable cause required, vetted by the courts, and limited in scope to only what’s required.
  • Reality: Government will get the benefit of the doubt, and they’ll take everything. If you balk, they may give some back.
Due Process
  • Ideal: You’ll be given equal footing in court to present your case; if the government deprives you of property; you’ll be paid.
  • Reality: Courts will typically defer to the government, and there are many exceptions to takings.
Statutes

  • Ideal: To strike a balance between your rights, and the ability for the civil and criminal systems to function in a meaningful manner.
  • Reality: The laws are outdated, and don’t offer much protection. If you have the means, you may be able to put up a fight, but by that point you’ll already have suffered major losses.

 