Tuesday, 30 October 2007

Excel 2007 flunks some math problems

Microsoft confirms spreadsheet returns 100,000 when it should show 65,535

Microsoft Corp. yesterday confirmed that Excel 2007, the newest version of its market-leading spreadsheet, returns incorrect calculation results in some cases.

The math bug first surfaced Saturday on Microsoft's own Excel support newsgroup when a user named Molham Serry reported that when he multiplied 850 by 77.1, Excel 2007 returned 100,000 rather than the correct 65,535. Others on the newsgroup quickly took up the standard, eventually posting more than 120 messages to the thread. Among their findings: other calculations that should have produced 65,535 also came back as 100,000.

Yesterday, the Excel team offered a mea culpa posting to a Microsoft company blog. "The majority of reports were focused on multiplication, but our testing showed that this really didn't have anything to do with multiplication," said David Gainer, lead project manager for Excel. "It manifested itself with many, but not all calculations in Excel that should have resulted in 65,535. Further testing showed a similar phenomenon with 65,536 as well."

Only Excel 2007 is a math dummy. Earlier versions of the spreadsheet, including its immediate predecessor, give the correct answers.

Gainer said that the bug isn't in Excel's calculations, but in code that takes values and formats them to be displayed in the worksheet. To prove that Excel knows its multiplication tables, he suggested entering 850*77.1 in Excel 2007 -- yielding the incorrect 100,000 -- then multiplying the result by 2. The spreadsheet will return the right value, 131,070, not 200,000.

Excel displays the wrong result in an even dozen cases, Gainer added, all involving six floating-point numbers around 65,535 and 65,536. "All other calculation results are not affected," he said.
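As an added illustration (not from the article and not Microsoft's code), the Python below shows why the display code, rather than the multiplier, is the layer that has to cope with a value like 850*77.1: the IEEE-754 product is stored one representable double below 65,535, and only the rendering step rounds it to 65,535. The 15-significant-digit rendering and the round-trip check are assumptions about how a spreadsheet display layer can be modelled, not documented Excel internals.

```python
# Added example (not from the article or from Microsoft). Demonstrates that
# 850*77.1 is stored one ulp below 65535 and models the display step.
import struct
from decimal import Decimal

DISPLAY_DIGITS = 15  # assumed number of significant digits a display layer renders


def product(a: float, b: float) -> float:
    """Plain double multiplication: the value an engine would store in the cell."""
    return a * b


def exact(x: float) -> str:
    """Exact decimal expansion of the stored double, with no rounding at all."""
    return str(Decimal(x))


def ulp_offset(x: float, reference: float) -> int:
    """Representable doubles between x and reference (negative = x is below).
    Valid for finite values of the same sign, whose bit patterns order monotonically."""
    def to_bits(f: float) -> int:
        return struct.unpack("<q", struct.pack("<d", f))[0]
    return to_bits(x) - to_bits(reference)


def render(x: float, digits: int = DISPLAY_DIGITS) -> str:
    """Model of the display step: round to `digits` significant digits."""
    return f"{x:.{digits}g}"


def display_consistent(x: float, digits: int = DISPLAY_DIGITS) -> bool:
    """Check a display layer should always pass: the rendered string, parsed back,
    must lie within the relative rounding error of `digits` significant digits."""
    parsed = float(render(x, digits))
    return abs(parsed - x) <= 0.5 * 10 ** (1 - digits) * abs(x)


if __name__ == "__main__":
    cell = product(850, 77.1)
    print("stored value  :", exact(cell))                # 65534.99999999999272...
    print("ulps vs 65535 :", ulp_offset(cell, 65535.0))  # -1
    print("rendered      :", render(cell))               # 65535
    print("doubled       :", render(cell * 2))           # 131070, Gainer's check
    print("round-trip ok :", display_consistent(cell))   # True
```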

A fix for Excel -- and for SharePoint's Excel Services, which also sports the bug -- is in the works, Gainer said. He didn't set a date for the bug fix release, saying only that "we expect [it] to happen very soon." The patch will be posted for downloading, presumably to Microsoft's download site, and will also be pushed to users via a future Windows Update and a Windows Server Update Services offering. A Microsoft spokeswoman, however, said a date had not been set for the fix, or for its appearance on WU and WSUS.

Microsoft's next scheduled security patch day is Oct. 9.

Microsoft rebuts OneCare auto update accusations

But it should better spell out user settings changes, says adware expert

Microsoft Corp. confirmed that its OneCare consumer security software modifies Windows' overall patch options during installation but said that the tool tells people that their settings may be changed.

"When you first install Windows Live OneCare, setup informs you that if you choose to proceed, your computer settings will be changed to automatically download and install important updates from Microsoft Update," an unidentified member of the OneCare team blogged late last Thursday.

Earlier that same day, a popular Windows newsletter reported that OneCare altered Automatic Updates (AU) in Windows XP and Vista without telling users or getting their approval. According to Scott Dunn, an editor of the "Windows Secrets" newsletter, OneCare sets AU to full-automatic mode and even switches a pair of services back on if they have been manually disabled by the user. Dunn speculated that the behavior might explain two-week-old reports of patches being installed and systems rebooting without permission.

"This behavior is by design and is not unique to the latest version of OneCare," the Microsoft blog post continued. "It helps ensure that your computer continues to receive important updates as soon as possible after they are released."

The post included a screenshot of the first installation dialog that users see. Text in that dialog reads, "By using OneCare you agree to let Microsoft make changes to your system, such as enabling features that keep your system up to date and make it safer for you to browse the Internet." The disclaimer does not specifically say that AU's settings will be changed and, contrary to the statement in the OneCare blog post, it does not mention the Microsoft Update patch service.

A researcher noted for his work in dissecting questionable install disclosures said that OneCare fumbles when it comes to adequately informing users.

"Microsoft uses a lengthy multiparagraph statement in an installer screen, and the affirmative button is labeled simply 'Next' (not 'I agree' or similar)," said Harvard Business School assistant professor Ben Edelman, who has investigated adware installation disclosure policies and language. "This design means some users will inevitably 'consent' and receive updates without fairly understanding what will occur."

Edelman called on Microsoft to clearly state what it will do to users' PCs before it installs OneCare. "[They] ought to do more to alert users to the significance of the text on that screen, both by emphasizing what's most important and by assuring that the continue-install button alerts users to the fact that they're not just going on to the screen, but that they're actually indicating agreement to have their computer modified as Microsoft sees fit," he said.

The OneCare team hinted that it might do just that but stopped short of promising changes. "We are evaluating user feedback and will be revisiting how we communicate the installation details of Windows Live OneCare," the blog said.

A OneCare user commenting to the Microsoft blog called for more information during installation. "I see no practical reason you cannot post a warning label on that same initial notice that all updates for the OS on which OneCare is being installed will be set to 'Install updates automatically,' and give an opt-out option," said someone identified as Uncfudd.

Dunn, the "Windows Secrets" editor who first reported on OneCare's AU changes, reacted Monday to Microsoft's rebuttal. "It isn't apparent that this [disclosure] refers to updating your entire system via AU or just updating virus definitions," he said in an e-mail. "A better way to go would be to ask a question as part of the installer, with the default being to not change the user's current settings.

"Microsoft used to be an innovator in user interface research," he added. "Surely this isn't too hard for them to figure out."

After a Data Breach: Navigating the tangle of state notification laws can be exasperating -- and costly

There are already more than 30 different notification requirements on the books

The musical instrument sales site was caught off guard last year when it suffered a data breach that was followed swiftly by a double whammy of consequences.

Roughly 250 customer records were exposed, likely after an individual stole an administrative password by accessing systems remotely. (Site owner Bananas at Large has since put additional security procedures in place to prevent a recurrence.)

After the breach, the 25-person company scrambled to comply with the many state laws requiring customer notification. It alerted only the affected customers, either by mail or e-mail. Because its own resources were limited, Bananas referred victims to large credit-reporting agencies to monitor for subsequent financial damage from the breach.

Despite its efforts, Bananas apparently failed to meet all the various state notification requirements and was subsequently slammed with fines and fees by major credit companies. “They did not specifically provide a reason for the fees other than saying that we had not met all of the terms in our agreements with them,” says Bananas President J.D. Sharp. “They’ll fine the pants off you,” he adds.

The Bananas experience provides a hint of the turmoil a company can face as it tries to cope with disclosure requirements in the wake of a data breach. With more than 30 state data-disclosure notification laws now on the books, officials at many companies doing interstate business are hoping that cohesive national legislation will smooth out the nuances among differing statutes. But so far, federal legislation that would unify corporate disclosure rules is merely inching forward.

With no imminent legislative relief in sight, corporations sometimes resort to blanketing customers with notifications after a breach — lobbing disclosures even in those states that don’t require them, simply to cover all bases. But this practice can have “unintended detrimental consequences,” says Robert Scott, managing partner at the Dallas office of Scott & Scott LLP, a law and IT services firm.

Studies have shown that most customers would take their business elsewhere if they received two or more security breach notices, says Scott. “When faced with a security incident, businesses should carefully determine who has been impacted, review their breach notification laws in the relevant states, and devise a breach notification strategy that satisfies the legal obligations and properly notifies affected consumers,” he says.

Many organizations are integrating the efforts of IT, Legal and other departments to come up with strategies to comply with state regulations and ultimately weather worst-case scenarios.

Others are stepping up encryption efforts, since many states don’t force companies to disclose security incidents if the compromised data was encrypted.

Companies as varied as Microsoft Corp., Bank of America Corp. and Verizon Communications Inc. have all taken steps to address the issue with specific teams and processes to handle disclosure in the event of a breach. In large companies, disclosure activity often involves multiple jurisdictions, such as the offices of the chief auditor, the chief compliance officer, the chief privacy officer and the chief technology officer or the CIO, says Joseph Rosembaum, a partner at New York law firm Reed Smith LLP.

The lack of a central authority can create problems.

“Where responsibilities are partitioned across a diverse set of functions, each office may have the ability to provide greater focus on individual issues, but the challenge of coordination across multiple disciplines is more difficult,” Rosembaum notes.

Moreover, it takes corporate vigilance to keep pace with so many differences in state disclosure laws — variations that start with notification triggers. Some states require notification only if a breach is likely to harm individuals. Others force companies to cast a wider net.

“For some states, any breach that compromises the security or confidentiality of covered personal information triggers the obligation to notify the affected individuals,” notes Thomas Smedinghoff, a partner at Chicago law firm Wildman, Harrold.

The timing on triggers also varies. “Some states require that consumers be notified when their information is lost. Other states will allow the breached entity to perform some analysis to determine the degree of risk to consumers,” says Jorge Rey, information security and audit manager at independent accounting firm Kaufman Rossin Co. in Miami.

Notification triggers aren’t the only differences among state laws. For example, although one state might allow exemptions for compromises of encrypted data, “another state without such an exception would require a notice, even though the data was unreadable,” says Geoff Gray, a privacy and data security consultant at the Cyber Security Industry Alliance in Arlington, Va.

And as Bananas learned, the high cost of notification compliance doesn’t stop with the resources it takes to coordinate a response and alert customers. “Enterprises may face potential litigation and fines,” says Scott.

Damage Control

The team at ChoicePoint Inc. knows all too well the complexities of navigating state disclosure laws. After a data breach two years ago, the Alpharetta, Ga.-based company dashed out notices to about 163,000 people. “We expanded upon legislation that only existed at the time in California and opted to make nationwide notification of potentially affected consumers, without any state or federal law requiring us to do so,” says Christopher Cwalina, ChoicePoint’s assistant general counsel and vice president for compliance.

The company’s woes made headlines, but the incident also prompted it to codify breach management plans and assemble a response team. Its policy now “lists all enacted state data breach notification laws, as well as the unique requirements of each law,” Cwalina says.

In addition, ChoicePoint leans heavily on its government affairs team and legal department to track the laws and monitor compliance in the event of a breach.

Large or small, companies should plan ahead to lessen the burden of notification in the event of a data breach. “Encryption is the single most effective way to avoid the negative business impact of data breaches,” says Scott. “Under most privacy statutes, if you have encryption, you get a free pass from notification.”

But with or without encryption, it’s wise to devise a strategy for disclosure in the event of a breach. Companies should have a team in place that can assess the scope of damage and meet the demands of state regulators and credit card companies.

The goal, says Cwalina, is to “act quickly, investigate thoroughly and notify promptly.”