One of the bigger announcements coming out of Macworld Expo in San Francisco today is a new pricing structure for iTunes: Beginning today, songs on iTunes will be offered in three tiers: 69 cents, 99 cents and $1.29. After years of holding firmly to a 99 cent price point – to the consternation of many record companies, which wanted a bigger share of the royalty pie – Apple has re-negotiated the terms of its licensing deals. It won’t be long before the Beatles catalog becomes available via download.

But for our purposes, the security angle comes in Apple’s announcement that it is banishing DRM (digital rights management) from its music library. Apple is saying the new offerings, without DRM, provide “higher-quality 256 kbps AAC encoding for audio quality virtually indistinguishable from the original recordings.”

DRM, you may remember, was the culprit in one of the first rootkit cases to make its way into mainstream media. In 2005, Sony installed DRM protection on several of its CDs to prevent consumers from making multiple copies of the digital music files. But there was a more nefarious component. Two software technologies embedded in the download - SunnComm’s MediaMax and First4Internet’s Extended Copy Protection – enabled Sony to gather information on customers listening to these CDs, and the software installed hidden files on users’ computers that opened consumers to attacks from third parties.

Even though the CD packages were clearly marked with a DRM warning, consumers knew little about the technology, so went ahead and got their PCs infected.

Beyond the technical intrusion, the issue raised a number of ethical and privacy concerns. And the uproar, aided by an angered community formed via internet connection, took Sony to task. The company’s initial dismissive response only increased the volatility of the situation and managed to bring the issue into the spotlight. It was a PR nightmare for Sony, which eventually relented, attempted to fix the problem, settled court cases (with compensation for some victims), and ultimately, as had several other record labels, stopped using DRM on its CDs for the American market.

So, while it’s been a year since any major record label has placed DRM on its CDs, Apple’s announcement today – that music offered on iTunes will be DRM free – hopefully puts the issue to rest.

In his speech, Philip W. Schiller, Apple’s senior vice president of worldwide product marketing, filling in for Steve Jobs, said that Apple will offer eight million songs without DRM and add the store’s remaining two million songs by the end of the quarter.

With a new presidential administration about to take office, many are hopeful that the “change” promised on the campaign trail will begin to take effect sooner than later.

When it comes to industry regulations and the variety of data breach laws on the books, some look to President-elect Obama and express confidence that he can garner the momentum to help bring some needed order to the disparate edicts on the books, regulating everything from patient health care records to financial data to retail customers’ credit card information.

The Obama platform has offered specific remedies to help the government and private industry to become more efficient, including more automating of data accumulation. But, some warn that it will likely take time for any meaningful legislation to make its way through the Congress.

“With the current budget, it may or may not happen,” one vendor of compliance tools told SC yesterday. “In the early part of the administration, a reform bill is not likely to come out early,” he said.

But, as the stock market rally the past two days may show, the reaction to Obama’s competency in putting together an economic team portends positive results for future initiatives.

Even though he may be forbidden – for state security reasons – to use his BlackBerry, it’s comforting to know that the person in charge has an acute awareness of technology. We can pretty well assume he will be a champion and strong advocate for procedures affecting the transmission of data.

As well, President Obama is likely to show more concern than the previous administration for the affairs of the nation’s citizens, meaning that he will likely work to protect consumers from data fraud and enact stronger punishments for those responsible for data breaches.

In the January issue of SC Magazine, our reporter Angela Moscaritolo speaks with several experts on how an Obama presidency will affect the IT security field, referencing Obama’s speech at Purdue University where he pointed out that our country’s system of information networks are the backbone of our economy.

We will also examine a brand new data breach law in Massachusetts, said to be the strictest in the nation. Will this become a model for federal legislation? Please check back, it’s an ever evolving stage.

There’s nothing new about heading to the polls and picking a president, but citizens have a new source today for obtaining the results: the internet.

In addition to the mainstream online news sources, hundreds of citizen journalists on hundreds of different personal websites will be blogging, crunching numbers and analyzing results, making predictions and providing commentary. And much of this journalism and opinion will be of expert caliber, as many of these new pundits are, in the noble tradition of democracy, committed to sharing their views with the populace. And blogging makes it easy.

Irregularities at the polling place? You can be sure these dedicated watchdogs will be reporting on it. While they may not have access to the big players, these investigators will be keeping a close eye on every conceivable angle related to the election process – from the size of the crowds to the effectiveness of the polling procedures. They will doggedly interview any disgruntled voter coming out of a polling place upset because of some procedural glitch. Nonstop coverage will detail not only all the news that’s fit to print, but also the color commentary missing from the premier editions.

Our special election report on e-voting security concerns by our ace reporter Angela Moscaritolo, investigates some of the conflicts that may be in store for some voters: the possibility of votes not being counted, of security vulnerabilities in e-voting machines. For example, the article explains:

Touch-screen machines have come under fire. Numerous studies have shown that it would be easy to introduce malicious software to these machines, potentially allowing rogue insiders or malicious outsiders to sway an election.

While stories like this may or may not break through into mainstream media, independent bloggers will pounce at the opportunity to right a wrong, and it’s more likely we’ll see ancillary coverage digging deep into the mysteries and inadequately explained.

Giving voice to the marginalized. A venue for the disenfranchised presenting the average citizen’s experience. This is the provenance of the internet. And you don’t have to wait for the evening edition.

For up-to-the-nanosecond election results and coverage, the Huffington Post, for example, calls attention to dozens of sites to which internet users can tune in, each cornering a niche, a particular area of expertise and/or speculation.

In a few hours at a press conference in California, Apple is expected to announce two new MacBook laptops priced at around $1,200 and $1,500. Considering the downturn, let’s call it, in the economy, their strategy of offering more affordable laptops seems to be particularly well-timed.

Rumor sites are touting pumped up functionality – faster processing speed, faster wireless connectivity, better screen resolution, longer battery life – all the improvements one would expect with a new product line.

Our concern, however, is the security angle. As the price point of laptops continue to lower and they become more easily procurable to larger segments of the marketplace, their function broadens as well. No longer are they simply a hard drive on which road warriors can keep their accounts up to date. Laptops are quickly evolving into mobile devices. Anyone with one of these tools can flip it open and easily connect to a wireless network to send email or check their stocks or Facebook page. Witness the scene at any Starbucks or park.

In the old days, a year or so ago, laptops were generally checked out of the office, presumably with some security oversight. Nowadays, as they become more of a consumer buy, laptops are functioning in much the same manner as a smart phone or PDA. They’re not quite down to the size of a Dick Tracy wrist phone, but are certainly more ubiquitous.

Apple is not immune to vulnerabilities. In fact, just last week, in its latest software update, Apple fixed a security vulnerability which could have led to cross site request forgery. Sophos recently released a whitepaper offering 10 steps to better protect Macs from data theft.

But, while the Apple OS has been less of a target for malware writers than Microsoft’s Windows and Vista, that luxury may be waning. The popularity of the iPhone, and now the introduction of near-$1,000 laptops, while benefitting Apple shareholders by increasing the Cupertino, Calif-based company’s slice of the computer pie, is certain to invite assaults by virus writers, spear phishers, trojan spreaders and all the other n’er-do-wells who feed off the success of others.

The launch today of Android, Google’s new cell phone OS, has elicited the usual hoopla.

The system, in partnership with T-Mobile’s G1 cell phone, may prove to be, despite some lukewarm reviews, a worthy competitor to Apple’s iPhone. While many of its features are similar, offering the now standard Wi-Fi and Bluetooth, the prime selling point is the OS’s underlying Linux-based open source mobile platform.

The company is touting how this will allow its app store, called the Android Marketplace, to be completely open – the inference being that it will be easier for developers to create and distribute their applications for the device without the policing Apple provides with its app store.

Critics are already pointing out how this lack of security oversight could lead to viruses and malware being dropped into coding as easily as adding salt to a recipe.

In a piece today, NY Times tech and gadget guru David Pogue responds to those accusations, saying, “[Google] will remove apps that contain malware, copyright infringement, pornography, etc…”

But we have to wonder. Last year, Google got things rolling by offering $10 million in prizes to developers. Recently announced winners included Wertago, a social networking app that lets users hook up with their friends; and cab4me, which enables users to summon a taxi with one click.

Certainly, the first wave of apps will prove useful and fun for the ever-burgeoning techno set. However, the next wave of apps is sure to take advantage of the popularity of the new smart phone technology to launch insidious malware attacks.

Gene Munster, an analyst at Piper Jaffray, predicts that Google’s take from mobile search revenue will reach about $2 billion by 2012. So the stakes are high.

A new spam campaign is emerging that exploits the seedier side of computer users. In a new wave of social engineering, in language that might have been written by Borat, the spam promises videos of presidential candidate Barack Obama having “sex action with many ukrainian girls.”

If a moron clicks on the moronic message, a sex video begins playing. But at the same time, in the background, information-stealing code is downloaded to the victim’s machine, according to a release from Websense, which claims it discovered the email campaign.

This email campaign loads a trojan dropper, which then installs a file in the computer user’s Temporary Internet Files folder, according to the Websense report. A browser helper object (BHO) is also registered, an information-stealing app that siphons off data from the end-user to a site registered in Finland.

We’ve been seeing various methods of phishing scams being perpetrated that exploit the topicality of the presidential campaign, but this one is particularly outrageous for the blatancy of its lies. It almost obliterates ethics in its stupidity. The message is so obviously untrue, yet it attempts to gain a measure of credibility by associating itself with a real person/event. It almost doesn’t matter that it is discrediting Obama. It could just as well be promising free jewels.

We’ve seen it before. Any item in the headlines – a natural disaster or celebrity disaster, say — draws out the malicious exploiters intent on capitalizing on people’s natural proclivity to be empathetic, or their being susceptible to voyeuristic opportunities.

While the Red Cross solicits funds for victims of hurricanes, ruthless parasites get in on the action to redirect the well-intentioned, or the bored.

As the Rolling Stones used to say, “What can a poor boy do?”

Despite taking all the prescribed precautions and having proper defenses in place, late last week, hotel chain Best Western allegedly suffered the indignity of a breach of its reservation system. Reportedly, the personal information of eight million customers was put up for sale on a pirate site (reportedly via a Russian mob), though the hotel issued a statement refuting this accounting.

While the facts at this point in the investigation are sketchy, a trojan placed on a computer within the chain is being cited as the hacker’s entry point. And this occurred even as the chain was doing everything it should to prevent such an intrusion. In a statement issued in response to a news report of the breach, the chain outlined all the steps it takes in its information security processes:

• “We comply with the Payment Card Industry (PCI) Data Security Standards (DSS). To maintain that compliance, Best Western maintains a secure network protected by firewalls and governed by a strong information security policy. We collect credit card information only when it is necessary to process a guest’s reservation; we restrict access to that information to only those requiring access and through the use of unique and individual, password-protected points of entry; we encrypt credit card information in our systems and databases and in any electronic transmission over public networks; and again, we delete credit card information and all other personal information upon guest departure. We regularly test our systems and processes in an effort to protect customer information, and employ the services of industry-leading third-party firms to evaluate our safeguards.”

From this security profile, it’s reasonable to assess that Best Western was doing everything “right.” But the end result proves that “right” just might not be enough.

As we hear over and over again: compliance does not necessarily equal security. Experts repeat ad nauseum that compliance is useful (even if begrudged), but that other measures must also be put in place to build up a stronger defense against the loss of data, both from without and within.

This latest alleged exposure raises a number of issues: Was Best Western doing everything right to defend its database and network? Can it have done anything different to beef up its defense? Is it inevitable, as many say, that it’s impossible to stop a breach? And, the inevitable, what now?

Whether the accusations are accurate or not, whether the charge that the personal info of eight million customers was exposed is overblown, as some are saying (including the hotel chain), or whether that number turns out to be much smaller, almost doesn’t matter at this point. Beyond the need for a reassessment of its information security systems, it’s a PR nightmare for Best Western.

“So much public scrutiny as a result of the published report could be detrimental to Best Western’s brand,” Ed Moyle, manager, CTG, a firm that provides information technology staffing and solutions, told SCMagazine.com yesterday.

Whether Best Western is the victim of a hacker or of a campaign to besmirch its name, this week’s latest entry into security celebrity status unfolds as an illustration for the rest of us. Will this negative attention mean much to the public? How will Best Western handle the accusations and the tangible setup of its IT security systems and processes?

Clue: They might look to Hannaford, who handled the aftermath of its breach with transparency.

The university environment tends toward open communications. The free flow of information is not only encouraged, but necessary for learning. Millions of students at these institutions, on their own for the first time, feed their hunger for information and stimulation via campus networks. They are researching and, in their more leisure moments, downloading songs and videos, playing online games, sharing data with peers via social networking sites. In other words, this population is maximizing the potential of the internet.

The IT staffs charged with keeping university networks operating are faced with a dilemma specific to this vertical: how to maintain network defenses within a culture that thrives on unfettered access to information. Students demand the fastest connections and cannot tolerate obstacles put in their path. IT administrators must provide as free and open a network as possible to foster the furthest evolution of their users.

But the academic environment is not only nurturing its students. It must also enable campus staff to perform their tasks as well. That means all the machinations of any commerce site are part of the mix. Personal student info must be protected from breaches. Protections must be put in place to guard against outside network intrusions, as well as data leaving from within.

The philosophy of the campus is ideal. Running the operation involves nuts and bolts. A special, new online exclusive section on the SC website looks at several instances of how various campuses are contending with these issues. You are invited to take a look:

http://www.scmagazineus.com/pages/section.aspx?sectionid=540&pagetypeid=1&publishDate=False

Last Thursday, I wrote a news article for the SC website covering a speech on cybersecurity that Sen. Barack Obama delivered at Purdue University.

The point of the reporting was to acknowledge that a presidential candidate had an understanding of cybersecurity issues. The challenge was to not turn the piece into a testimonial.

Trying to retain a sense of fairness and balance proved difficult and, fortunately for me, astute online editor Chuck Miller was able to take my story and hack it to pieces in order to remove a tone of preferential treatment that I hadn’t quite masked.

But the fact is, irrespective of what you think about the two candidates’ positions on other issues, when it comes to cybersecurity, preferring Obama is a no-brainer.

Obama not only has an awareness of cybersecurity, but offers proposals and a strategy that would not only protect the nation’s computer networks, but also strengthen science and computer education programs.

Cybersecurity would be made a top priority in his administration, he said.

This is a stark contrast to the awareness, or lack of awareness, shown by his opponent in the presidential contest, Sen. John McCain. There is nothing on McCain’s website that addresses cybersecurity, and he has hardly addressed the issue.

In fact, last week, Richard Clarke, a partner at Good Harbor Consulting, who has served the last three presidents as a senior White House adviser, told SCMagazineUS.com: “We couldn’t find that McCain has any position on cybersecurity. They just taught him how to ‘watch the Drudge Report.’ How can you expect a guy who has never used a PC to understand cybersecurity?”

Eugene Spafford, executive director of Purdue University’s CERIAS (Center for Education and Research in Information Assurance and Security), in response to Obama’s Purdue speech (and a discussion following), commented on CERIAS’s blog that, “Sen. Obama was engaged, attentive and several of his comments and questions displayed more than a superficial knowledge of the material in each area. Given our current president referring to ‘the Internets’ and Sen. McCain cheerfully admitting he doesn’t know how to use a computer, it was refreshing and hopeful that Sen. Obama knows what terms such as ‘fission’ and ‘phishing’ mean. And he can correctly pronounce ‘nuclear’! His comments didn’t appear to be rehearsed — I think he really does ‘get it.’”

Regarding McCain’s take on cybersecurity, after praising his service to the nation, Spafford said McCain is “a generation out of date on current technology and important related issues.”

Despite his unfamiliarity with computers and the internet, an argument could be made that Sen. McCain’s stance on national security matters could lead to more money being budgeted for cybersecurity under his administration.

But I still prefer Sen. Obama’s rationale in approaching the subject as an advancing of the technology and a means to “coordinate efforts across the federal government,” not just as a matter of military readiness, as Sen. McCain claims.

A federal judge has put off until next week the sentencing of so-called spam king Robert Alan Soloway. More witnesses need to take the stand, after which Judge Marsha Pechman is expected to hand down her sentence. He could receive 20 years, though that seems unlikely.

The case is vexing for Pechman because there is little in the way of legal precedence, she said. While spam is an established fact of internet use these days, troubling and disruptive to most, determining an appropriate penalty for those responsible for the unwanted email raises issues beyond the annoyance factor.

Soloway was arrested in May 2007 following criminal charges brought by the U.S. Department of Justice. He plead guilty to single counts of mail fraud, email fraud and tax evasion.

His defense attorney argues that this is simply a spam case, which under the CAN-SPAM Act carries a maximum penalty of five years in prison.

But others contend that the case is not simply about a vendor sending out millions of unsolicited email messages. Soloway is also accused of misrepresenting his business and not delivering on services and products offered.

While Soloway’s being held responsible for his actions may bring satisfaction to many, the judge’s decision over how much jail time he should serve as a consequence has to be a tough call.

Were spam recipients victims of a crime? Certainly those who purchased from Soloway software that didn’t work were victims of fraud.

At times, judges in cases such as this like to say in their ruling that they are making an example. Determining the extent of criminality in this case, and the price to be paid, may or may not send shockwaves through the internet marketplace.

Perhaps the sentencing next week in Soloway’s case will cause a ripple. But, as long as there is money to be made from activities such as those embodied by Soloway, the verdict is neither in or out. Whether he gets a short or long sentence, those miscreants behind internet fraud schemes are unlikely to slow their activities.

Now if the feds can catch up to some perpetrators of identity fraud.