Saturday, September 02, 2006

Even crooks can learn... (Good description in the SF Chronicle article)

Stolen AT&T Credit-Card Info Used To Launch Phishing Scam

from the be-sure-and-thank-them dept

It's not at all surprising any longer to hear about companies leaking data, or losing it to hackers, so the other day's news that 19,000 customers' credit-card information had been stolen from AT&T wasn't particularly interesting. However, some more information has come to light, showing this wasn't a run-of-the-mill credit-card theft. David Lazarus in the SF Chronicle discovered that the hackers didn't immediately go and try to max out the credit cards; they used the stolen info as the basis for an elaborate phishing attack in an attempt to gather more information -- such as Social Security numbers and dates of birth -- from their victims. A lot of credit-card theft remains a relatively low-level crime, where thieves will just try to buy stuff as long as they can. But these hackers eschewed those short-term gains, instead trying to get enough information to commit more serious identity theft, something that could have much longer-lasting and detrimental effects. They used the stolen information to make the email they sent to victims look much more credible than the average "DEAR SIR, Pleease be updating in your PayPal akount informations" message. Given people's growing suspicion of emails, even legitimate ones, it's an interesting tactic, and one that could become more common.

Have market, will cash in...

Breaking: MySpace to Sell Music From 3 Million Bands

September 1, 2006 Pete Cashmore

In a direct challenge to Apple’s iTunes, MySpace has announced its intention to sell songs from the 3 million unsigned bands on Even more surprising: the songs will be sold as unprotected MP3s, free from DRM.

... the new feature will be powered by Snocap, the music distribution service from Napster founder Shawn Fanning. Snocap only recently launched a MySpace music player, which allows users to buy unprotected songs via Paypal. Snocap charges the artists a small distribution fee, and most of the tracks are DRM-free. Unlike the fixed-price model of iTunes, artists on Snocap set their own price.

It sounded so good. Maybe someone will do it legitimately.

Is Browzar Just An Adware Machine?

Michael Arrington September 1 2006

Earlier this week the big story was the launch of a new “safe” browser called Browzar, which InfoWorld called “the latest entrant to the crowded Internet browser market”.

Browzar promises to make web surfing more anonymous by disabling cookies, history, auto-complete, etc. The story was widely circulated, including writeups on BBC, CNET, Slashdot and Digg, among others. We even wrote about it on TechCrunch UK.

There were initial doubts raised that this was simply a stripped down version of IE with the offending functionality turned off, and therefore nothing special. But none of the publications above did enough research into the product to realize that not only is Browzar not really an interesting product from a security point of view, but that the “browser” is going to great lengths to force users to click on Overture ads by constantly redirecting them to search ad pages served by Browzar itself.

My guess is that subpoenas from many countries will result in a “least common denominator” type of retention policy... Isn't that bad?

Brazil Judge Orders Google to Disclose Users' Data

By Reuters September 1, 2006

SAO PAULO, Brazil (Reuters)—A Brazilian judge has ordered the local office of Web search company Google to disclose the data of users of Google's social networking site Orkut accused of crimes like racism or child pornography.

Federal judge Jose Lunardelli ruled late on Aug. 31 that Google be given 15 days to disclose the information, including the Internet Protocol addresses that can uniquely identify a specific computer on a network.

The judge set a daily fine of 50,000 reais ($23,255) for each individual case if Google refuses to reveal the data.

Brazilians account for 65 percent of Orkut's nearly 27 million users and public prosecutors have recently been investigating Orkut communities set up by Brazilians and dedicated to such subjects as racism, homophobia and pedophilia.

Google officials in Brazil have said all clients' data is stored on a server in the United States and is subject to U.S. laws, which makes it impossible for them to reveal the data in Brazil. They also said the local affiliate only deals in marketing and sales and has nothing to do with Orkut.

"The fact that the data are stored in the United States has no relevance as all the photographs and messages investigated by the prosecutors' office were published by Brazilians using Internet connections on the national territory," the judge said in his ruling.

He said Google's local office had shown a complacent attitude toward "the serious crimes practiced on Orkut" and showed "profound disrespect [Isn't that redundant? Google already said they were salesmen... Bob] for national sovereignty."

Company representatives could not provide an immediate comment on the ruling. Google lawyer Durval Goyos earlier called the case against the company absurd.

Hummm. I wonder what military grade equipment could do...

Hacker-Built PC Scans 300 Wifi Networks At Once

Posted by Zonk on Saturday September 02, @12:19AM from the quite-the-multitasker dept.

An anonymous reader writes to mention an Engadget post on an incredibly powerful wifi scanner. The 'Janus Project', as it is called, can sniff 300 networks simultaneously. It stores and encrypts the data as it receives it, for later use. From the article: "In addition, the Janus Project has an instant off switch, which requires a USB key that has a 2000-bit passkey and a separate password to regain access. What's under the hood? Williams packed an Ubuntu Linux machine running on a 1.5GHz VIA C7 processor with an Acer 17-inch screen into that snazzy little rugged yellow box. Oh, and the closed case is waterproof too, in case you need to transport Janus Project on a whitewater raft to your next hacking hotspot. We don't doubt someone will." The post leads to a tgdaily article, which offers more details.

Sounds to me like this will be a common way around open meetings laws...

Health administrator takes pot shot at editorial

Beginning Jan. 1, e-mail deliberations violate Illinois law

By DIANE KOMISKEY - Prairie Advocate Reporter, (815) 493-2560

MT. CARROLL – A public health department official took a swipe Aug. 24 at the wellness of an editorial in a Thomson paper that criticized the local health department.

"Our View," in the Aug. 2 issue of "The Carroll County Review" appeared with the headline, "Meetings by e-mail are violation."

Its author, who was not identified in the column, alleged that the Carroll County Board of Health violated the intent of a recent amendment to the Illinois Open Meetings Act by using e-mail.

Among the things that the writer of the opinion piece said in a 60-word sentence were, "(The board members) are disenfranchising the public from being involved in the decision-making process and from learning how each member arrived at whatever decision they made."

Carroll County Public Health Administrator Craig Beintema took issue with the editorial and any allegation that the board had violated the act. He said the bill that amended the state law passed after the health board met, and the measure's effective date is Jan. 1, 2007.

"I've not responded to any editorial, but it wasn't done in secret," Beintema said. "We weren't trying to do anything illegal."

The allegation arose over how the health department planned to meet a County Board deadline for submitting a budget: by Beintema distributing a budget by e-mail for members to comment on by e-mail.

Governor Rod Blagojevich signed Senate Bill 585, now Public Act 094-1058, into law on July 31. The Board of Health had met July 27. The amendment to the Open Meetings Act is effective Jan. 1, 2007.

"We weren't trying to do anything illegal," said Beintema. He said that the person who wrote the editorial needed to continue reading to the effective date.

Beintema did not dispute the effects of electronic communications on the public's right to an accountable government with public officials deliberating and making decisions in a public forum that is open to citizens.

The amendment to the Open Meetings Act can be found by linking to and entering SB585 under "By Number."

The health board considered the budget in an open meeting on Aug. 24. Most of the debate centered on whether to contract with Stephenson County or hire employees. For more, see story about the department's proposed budget and levy in this week's issue of the Prairie Advocate.

If this is done by IT types, is there less liability than if it is corporate policy?

Comcast Blocks Yet Another ISPs E-Mail

Posted by kdawson on Thursday August 31, @03:13PM from the i-can't-heeeeear-youuuu dept. Censorship

Nom du Keyboard writes, "Last week Comcast shut down e-mail forwarding from NameZero entirely. People who have bought private domain names (i.e. and have e-mail forwarding to their current Comcast e-mail account through NameZero aren't receiving it any longer. No warnings — no e-mail. Now, again without warning, they've blocked out The Well, one of the oldest ISPs on the net. And nobody can get through to the Comcast people in charge of this to discuss the issue with them. Not the ISPs being blocked. Not the customers who pay Comcast to deliver e-mail to them. Comcast says they're protecting 10M customers from spam. I am a current Comcast broadband customer and I feel I should have the right to whitelist and receive e-mail from whomever I designate. I don't want as much protection as Comcast is giving me. Is it a basic right to be allowed to receive e-mail from whomever I desire, or does Comcast have the right to censor as they wish?" Last week Comcast was also blocking mail from I (probably among many others) left a complaint on the phone line identified in bounce messages; the block was eventually lifted.

Study Analyzes 16 Months of Data Breaches

A new report on consumer data breaches recorded over the past 16 months indicates that hacking remains the most frequent source of data theft and loss, with breaches reported by educational institutions making up 43 percent of all reported data thefts or losses.

The study was conducted by the AARP (formerly the American Association of Retired Persons) using data from 244 breaches reported from Jan. 1, 2005, through May 26, 2006. The data was compiled from publicly disclosed security breaches involving information that collectively involved nearly 90 million people, as compiled by the Identity Theft Resource Center, a San Diego-based nonprofit organization.

The study found that criminal hacking was responsible for one-third of all reported breaches, while physical theft of laptops and other data storage media accounted for 29 percent. Twenty-three percent of breaches were the result of sensitive consumer information being improperly displayed, such as on a public Web site. Roughly 7 percent of breaches were caused by employees stealing or selling personal data, while just 2 percent resulted from back-up tapes being lost.

Colleges and universities were more than twice as likely to report a breach as any other entity, followed by government agencies (17 percent) and businesses (15 percent). While educational institutions reported the largest number of breaches, the total number of potential identity fraud victims of those breaches was just over 3.6 million, far less than the number of potential victims of data breaches, thefts or losses at financial institutions (47 million) and government entities (34.1 million).

According to the study, that statistic holds true even without the two biggest incidents that contributed to those numbers -- the database breach at now-defunct credit card processor CardSystems that jeopardized roughly 40 million credit card accounts, as well as the theft of a laptop from the Department of Veterans Affairs, which contained sensitive data on more than 26 million Americans (the laptop was later recovered).

Taking away those two huge incidents, breaches from insider access and lost back-up tapes accounted for the greatest number of potential victims.


Don't be surprised when the FBI requests Congress pass laws to “Match” those in other countries...

Zimbabwe debates 'oppressive' bugging laws

If you thought RIPA was bad...

By John Leyden Published Friday 1st September 2006 15:21 GMT

Proposed telecoms interception laws in Zimbabwe have created a furore with the government apparently awarding itself unlimited snooping powers.

The Interception of Communications Bill, the topic of hearings before the African country's Parliament on Wednesday, allows for email and phone interception warrants against targeted individuals that might be extended indefinitely, under the control of politicians and with little or no judicial oversight.

The bill also calls for the establishment of a monitoring centre, reportedly outfitted with bugging equipment supplied by China. Telecoms providers would be obliged to install snooping equipment onto their networks, linked to the proposed monitoring centre. ISPs, not the Zimbabwean government, would be forced to foot the bill.

The government says its proposals are needed for national security, in the fight against crime, and in line with measures introduced by other countries. Zimbabwean phone calls are already monitored, the BBC reports, so the bill essentially extends existing provisions for the internet age.

President Robert Mugabe's government has an abysmal human rights record, with laws that curtail movement and opposition against his regime. Criticism of the country's proposed telecoms interception laws has focused on the lack of judicial oversight. Earlier communications laws, which also lacked court oversight, were overturned by a Zimbabwean High Court in 2004 as unconstitutional.

"An aggrieved person is given a right to appeal to the minister (of Transport and Communications), who is neither independent nor impartial. He authorises the interception and monitoring in the first place," Wilbert Mandinde, legal officer of the Media Institute for Southern Africa in Zimbabwe, told the BBC.

Opposition parties joined in this criticism. "It seems to give carte blanche - the minister is the judge and the jury, it violates the whole concept of the separation of powers," said Jessie Majome, a legal advisor for opposition Movement for Democratic Change.

I want to start recording my lectures, perhaps with light jazz background music...

George Washington Students to Get a Taste of iTunes U

By Eric Roper The GW Hatchet 09/02/06 4:00 AM PT

Offering a service like iTunes U may be risky, says Dianne Martin, a GW computer science professor specializing in the social and ethical impact of technology. "However, if professors are doing interesting, interactive lessons instead of lectures, then students will need and want to be in class."

Beginning this fall, George Washington University will team up with Apple computers to offer audio recordings of classroom lectures over the Internet using the iTunes music program.

The new software, called "iTunes U," is designed to record lectures and broadcast them over the iTunes network where students can download them onto their computer or iPod.

According to Assistant Vice President of Academic Technology P.B. Garrett, the new service will be available for 15 courses this fall and most likely more in the future.

"It makes a lot of sense to deliver course content to students in a medium they are familiar with [rather than a classroom... Bob] as so many students already use iTunes, and have iPods," Garrett wrote in an e-mail.

... "I agree that students may skip lectures if they know they can download them at their convenience," Martin wrote in an e-mail. "However, if professors are doing interesting, interactive lessons instead of lectures, then students will need and want to be in class."

After extensive testing, we think Bill Gates is Osama bin Laden...

In mixup, CA antivirus flags Windows component

Update erroneously flags a security-related process in Windows as malicious but is soon corrected

By Robert McMillan, IDG News Service September 01, 2006

CA Inc. caused some headaches this week after its antivirus software inadvertently flagged part of the Windows OS as malware.

The SANS Internet Storm Center reported the problem Friday, saying that an overnight update to CA's eTrust Antivirus signatures had caused the software to flag a security-related process in Windows as malicious. The faulty update caused some Windows 2003 servers to crash and become unusable, SANS said.

... It is not unheard of for signature files to mistakenly identify legitimate software as malware, but it is remarkable that CA's software made the mistake with a well-known Windows component, according to Johannes Ullrich, chief research officer at SANS. CA should have been able to detect the problem in its quality-assurance testing, he said.

The mixup apparently did not disrupt a large number of users, but it still reflects poorly on vendors like CA, Ullrich said. "It's another loss in trust toward the antivirus business," he said. "It tells you that the antivirus vendors don't do the testing." [Why bother? We have thousands of customers who will tell us if their systems crash... Bob]
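The quality-assurance step Ullrich describes (checking a new signature set against known-good software before it is pushed to customers) is simple to automate. The following is an added example in Python, my own illustration and not CA's or SANS's code: the signature patterns, the "W32/Hypothetical" names, and the file names and contents of the known-good corpus are all constructed for the demonstration and do not correspond to real Windows components or real detections.

```python
import re
from typing import Dict, List, Tuple

# Constructed "known-good corpus": files that must never be flagged.
# A real gate would hold hashes or copies of OS and core application binaries.
KNOWN_GOOD: Dict[str, bytes] = {
    "system/service_host.exe": b"MZ\x90\x00 ... RegisterService() ... CreateProcess ...",
    "system/security_helper.dll": b"MZ\x90\x00 ... LsaLogonUser ... inject_hook=0 ...",
    "apps/editor.exe": b"MZ\x90\x00 ... plain text editor ...",
}

# Constructed candidate signature set: name -> byte pattern (regex) the engine matches.
# "W32/Hypothetical.B" is the defective one: its pattern is so generic it also
# matches a legitimate system library, which is exactly what the gate should catch.
CANDIDATE_SIGNATURES: Dict[str, bytes] = {
    "W32/Hypothetical.A": rb"evil_payload_marker_[0-9a-f]{8}",
    "W32/Hypothetical.B": rb"inject_hook=",
    "W32/Hypothetical.C": rb"CreateRemoteThread.*WriteProcessMemory.*\\pipe\\bot",
}


def scan(signatures: Dict[str, bytes], data: bytes) -> List[str]:
    """Return the names of every signature that fires on one file's contents."""
    return [name for name, pat in signatures.items() if re.search(pat, data, re.DOTALL)]


def false_positive_gate(signatures: Dict[str, bytes],
                        corpus: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Release gate: each (signature, known-good file) pair that fires is a defect."""
    hits = []
    for path, data in corpus.items():
        for name in scan(signatures, data):
            hits.append((name, path))
    return hits


def safe_to_ship(signatures: Dict[str, bytes], corpus: Dict[str, bytes]) -> bool:
    """True only when no candidate signature touches the known-good corpus."""
    return not false_positive_gate(signatures, corpus)


def quarantine_bad_signatures(signatures: Dict[str, bytes], corpus: Dict[str, bytes]):
    """Pull every signature that hit the corpus; return (signatures to ship, names pulled)."""
    bad = {name for name, _ in false_positive_gate(signatures, corpus)}
    kept = {n: p for n, p in signatures.items() if n not in bad}
    return kept, sorted(bad)


if __name__ == "__main__":
    print("false positives:", false_positive_gate(CANDIDATE_SIGNATURES, KNOWN_GOOD))
    print("safe to ship as-is:", safe_to_ship(CANDIDATE_SIGNATURES, KNOWN_GOOD))
    kept, pulled = quarantine_bad_signatures(CANDIDATE_SIGNATURES, KNOWN_GOOD)
    print("pulled:", pulled, "| safe after pull:", safe_to_ship(kept, KNOWN_GOOD))
```

The gate fails the whole release on a single hit rather than trying to be clever about severity; a signature that matches a file the vendor already knows is clean has no business shipping, and the cost of holding the update back is far smaller than the cost of crashing customers' servers.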

Today's Dilbert is on executive compensation:

Friday, September 01, 2006

Sometimes it is better to look good than to feel good.

Sony names product safety chief

Company continues to deal with the fallout of two recalls in recent weeks of laptop batteries

By Martyn Williams, IDG News Service September 01, 2006

Sony has appointed one of its presidents to oversee product quality and safety, the first time such a high-level member of staff has taken that position at the company.

The new role for Makoto Kogure, who was president of Sony's TV division, came as the company deals with the fallout of two recalls in recent weeks of laptop computer batteries that included Lithium Ion cells that it produced.

A guide for those suing the leakers of personal data?

"Security Engineering" Is Now Online

Posted by kdawson on Thursday August 31, @01:06PM from the security-just-got-cheaper dept. Security

An anonymous reader writes "Ross Anderson, author of 'Security Engineering', notifies in a message to comp.risks that he just got permission from Wiley to let anyone download the full content of his book for free. This is one of the best books on computer security and it is used as textbook in many University courses (I teach two of them)."

I'll be teaching PowerPoint this month...

Continued Opposition To Laptops in Schools

Posted by Zonk on Thursday August 31, @03:56PM from the grinding-for-faction-in-math-class dept. Education Portables

theskeptic writes "The WSJ has an article about opposition to programs that provide laptops to 6-8th grade kids. Detractors say that the kids are wasting too much time online browsing dangerous sites, instant messaging friends, and posting to Myspace. Parents are worried that serious learning is being neglected in the quest to 'dazzle up presentations with fancy fonts instead of digging through library books.' Some parents however are 'enthusiastic laptop proponents,' one saying the laptop has helped her twelve-year-old son 'master critical professional skills like how to compile a PowerPoint presentation.'"


Gosh Mr. Peabody...

Wayback Machine Safe, Settlement Disappointing

Posted by Zonk on Thursday August 31, @06:08PM from the get-me-out-of-here-mr-wizard dept. The Courts The Internet

Jibbanx writes "Healthcare Advocates and the Internet Archive have finally resolved their differences, reaching an undisclosed out-of-court settlement. The suit stemmed from HA's anger over the Wayback Machine showing pages archived from their site even after they added a robots.txt file to their webserver. While the settlement is good for the Internet Archive, it's also disappointing because it would have tested HA's claims in court. As the article notes, you can't really un-ring the bell of publishing something online, which is exactly what HA wanted to do. Obeying robots.txt files is voluntary, after all, and if the company didn't want the information online, they shouldn't have put it there in the first place."
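The "voluntary" point can be made concrete. The following is an added example in Python (mine, not the Internet Archive's or Healthcare Advocates' code) that uses the standard-library robots.txt parser to show two decisions that live entirely on the crawler or archive side: whether to fetch a page now, and whether to keep serving copies captured before the file existed. The robots.txt text, the `archivebot` agent name, the example.org URLs and the capture dates are all constructed for the demonstration.

```python
from urllib.robotparser import RobotFileParser

# Constructed robots.txt (not Healthcare Advocates' actual file).
# "archivebot" is a hypothetical crawler name; "*" covers every other client.
ROBOTS_TXT = """User-agent: archivebot
Disallow: /

User-agent: *
Disallow: /private/
"""

# Constructed archive: (URL, capture date) pairs captured before robots.txt was added.
ARCHIVED = [
    ("http://example.org/", "2004-06-01"),
    ("http://example.org/private/report.html", "2004-06-01"),
    ("http://example.org/news.html", "2005-01-15"),
]


def build_parser(robots_text: str) -> RobotFileParser:
    """Parse robots.txt text the client fetched (here, embedded) from the site."""
    rp = RobotFileParser()
    rp.parse(robots_text.splitlines())
    return rp


def robots_allows(robots_text: str, agent: str, url: str) -> bool:
    """The only place the rule is applied: inside the client, by its own choice."""
    return build_parser(robots_text).can_fetch(agent, url)


def polite_crawl(robots_text: str, agent: str, urls: list) -> list:
    """Crawler that honours robots.txt: returns only the URLs it would fetch."""
    rp = build_parser(robots_text)
    return [u for u in urls if rp.can_fetch(agent, u)]


def indifferent_crawl(urls: list) -> list:
    """Crawler that ignores robots.txt: nothing on the server side stops it."""
    return list(urls)


def retroactive_filter(robots_text: str, agent: str, archived: list) -> list:
    """Archive policy choice: apply today's robots.txt to captures made earlier.
    Returns the (url, date) entries the archive would still serve."""
    rp = build_parser(robots_text)
    return [(u, d) for (u, d) in archived if rp.can_fetch(agent, u)]


if __name__ == "__main__":
    urls = [u for u, _ in ARCHIVED]
    print("polite archivebot fetches:", polite_crawl(ROBOTS_TXT, "archivebot", urls))
    print("polite other bot fetches:", polite_crawl(ROBOTS_TXT, "otherbot", urls))
    print("indifferent crawler fetches:", indifferent_crawl(urls))
    print("archive still serves under archivebot rule:",
          retroactive_filter(ROBOTS_TXT, "archivebot", ARCHIVED))
```

Both `polite_crawl` and `retroactive_filter` consult the same file, but nothing in the protocol forces either call to exist; a site that publishes something and later adds a `Disallow` line is relying on every client and every archive choosing to run that check, which is the point the post is making.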

“All that is not forbidden is mandatory, all that is not mandatory is forbidden.” The Once and Future King

Vista Startup Sound to be Mandatory?

Posted by CowboyNeal on Thursday August 31, @09:24PM from the any-sound-you-want-as-long-as-it's-this-one dept. Windows IT

Toreo asesino writes "There has been lots of debate in the past few days over Microsoft's plan to make the startup sound in Windows Vista something that can't be specifically silenced by changing the sound settings in the control panel. Users would be able to avoid hearing it by manually turning down the speaker volume, but then they would have to turn that volume back up to hear anything else."

[This comment is brilliant!] “wait until everyone learns that the new start up sound is the microsoft eula, read out loud, in nonrepeating segments”

Internet Not the Social Hinder it Was

Posted by CowboyNeal on Friday September 01, @04:39AM from the come-together dept. The Internet Communications

imjustatomato writes "A 1998 study showed that the Internet causes declines in social relationships and isolation, similarly to how television causes social disengagement and bad moods. This is the 'Internet Paradox' because while the internet is heavily used for communication, it makes people lonelier. However, a more recent study shows that now the internet has a positive effect on social and psychological well-being. This is even more so for those who have more social support and are extroverted in nature. Interestingly, frequent Internet use is associated with a decline in local knowledge and interest in living in the local area."

Anytime, anywhere

CBS Unit Launches Web Sports Channels

By ANICK JESDANUN AP Internet Writer Aug 31, 8:02 PM EDT

NEW YORK (AP) -- Football and other sporting events from dozens of colleges and universities will be available live over the Internet through a service launching Friday.

Notre Dame games will be free, while Navy, Stanford and other schools will charge $4.95 to $9.95 a month each for an "All-Access" broadband channel that includes live audio and video feeds of some games, news conferences, highlights, play-by-play animation and other features.

Terrorist Hunters Sifted Student Data

POSTED: 3:23 pm EDT August 31, 2006 UPDATED: 4:04 pm EDT August 31, 2006

WASHINGTON, D.C. -- For the past five years an office in the Education Department has scanned through its databases of millions of students' federal financial aid and college enrollment records in search of terrorist names supplied by the FBI.

The effort, dubbed "Project Strike Back," was created by the Education Department's Office of Inspector General after the terror attacks of Sept. 11, 2001, to expand the office's mission to include counterterrorism.

I'm not sure this is what you want to do...

Attention IT Managers: Malware Is Not Your Biggest Threat

By Dr. Todd Brennan TechNewsWorld 09/01/06 4:00 AM PT

Automatic graylists can be an ideal approach to managing today's dynamic desktop environments. Graylists take a holistic view of desktops, acknowledging that a great deal of software that enters the enterprise does so without the approval of the company's IT staff.

... To combat this Catch-22, a new desktop management approach called "automatic graylists" is enabling IT professionals to re-establish the integrity and reliability of their computing environment by enforcing software policies at the desktop. Software solutions providers utilize graylists to provide IT with the ability to control exactly which software can and cannot run on the desktop, proactively ensuring a desktop's conformance to a desired state. As a result, support, compliance and security problems that derive from unauthorized software -- typically addressed through reactive means -- can be limited or eliminated altogether.
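The graylist idea reduces to a small decision procedure at process start: software on the whitelist runs, software on the blacklist never does, and everything else lands in a "gray" bucket that is either blocked pending review (enforcement mode) or allowed but recorded (monitoring mode) until an administrator promotes it. The following is an added example in Python, my own illustration and not any vendor's product or the article's code; the file contents, the Windows-style paths and the hash-based policy are constructed for the demonstration (a real agent would also consider publisher signatures and install source).

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"   # on the whitelist: runs
    DENY = "deny"     # on the blacklist: never runs
    GRAY = "gray"     # unknown: neither list knows it yet


class GraylistPolicy:
    """Desktop execution policy keyed on the SHA-256 of the file's contents
    (constructed illustration of the graylist approach)."""

    def __init__(self, allow_hashes, deny_hashes, enforce=True):
        self.allow = set(allow_hashes)
        self.deny = set(deny_hashes)
        # enforce=True: unknown software is blocked until an admin approves it.
        # enforce=False: monitoring mode, unknown software runs but is recorded.
        self.enforce = enforce
        self.pending_review = {}   # hash -> list of paths where it was seen
        self.audit_log = []        # (path, verdict, ran) tuples

    @staticmethod
    def digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def classify(self, data: bytes) -> Verdict:
        h = self.digest(data)
        if h in self.deny:
            return Verdict.DENY        # blacklist wins over everything
        if h in self.allow:
            return Verdict.ALLOW
        return Verdict.GRAY

    def may_run(self, path: str, data: bytes) -> bool:
        """Decision point the agent would hook at process start."""
        verdict = self.classify(data)
        if verdict is Verdict.GRAY:
            self.pending_review.setdefault(self.digest(data), []).append(path)
            ran = not self.enforce
        else:
            ran = verdict is Verdict.ALLOW
        self.audit_log.append((path, verdict, ran))
        return ran

    def approve(self, data: bytes) -> None:
        """Administrator promotes a gray item to the whitelist after review."""
        h = self.digest(data)
        self.allow.add(h)
        self.pending_review.pop(h, None)

    def drift(self) -> list:
        """Paths whose software departed from the desired state (gray or denied)."""
        return sorted({p for p, v, _ in self.audit_log if v is not Verdict.ALLOW})


# Constructed file contents standing in for three executables.
APPROVED_TOOL = b"MZ\x90\x00 corporate-approved-tool 1.0"
KNOWN_BAD = b"MZ\x90\x00 known-malware-sample"
USER_DOWNLOAD = b"MZ\x90\x00 user-installed-im-client"


def build_policy(enforce: bool = True) -> GraylistPolicy:
    return GraylistPolicy(
        allow_hashes={GraylistPolicy.digest(APPROVED_TOOL)},
        deny_hashes={GraylistPolicy.digest(KNOWN_BAD)},
        enforce=enforce,
    )


def run_scenario(enforce: bool = True) -> dict:
    """What ran before and after the admin approves the unknown program."""
    policy = build_policy(enforce)
    before = {
        "approved": policy.may_run(r"C:\Program Files\Tool\tool.exe", APPROVED_TOOL),
        "malware": policy.may_run(r"C:\Temp\update.exe", KNOWN_BAD),
        "unknown": policy.may_run(r"C:\Users\alice\Downloads\im.exe", USER_DOWNLOAD),
    }
    queued = len(policy.pending_review)
    policy.approve(USER_DOWNLOAD)
    after_unknown = policy.may_run(r"C:\Users\alice\Downloads\im.exe", USER_DOWNLOAD)
    return {"before": before, "queued": queued,
            "after_unknown": after_unknown, "drift": policy.drift()}


if __name__ == "__main__":
    print("enforce mode:", run_scenario(True))
    print("monitor mode:", run_scenario(False))
```

The `enforce` switch is what lets an organisation roll this out without breaking every desktop on day one: run in monitoring mode first to see what the gray bucket actually contains, approve the legitimate items, then turn enforcement on.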

August 31, 2006

National Criminal Intelligence Resource Center (NCIRC) Now Available on Secure Networks

"...the National Criminal Intelligence Resource Center (NCIRC) Web site...sponsored by the Bureau of Justice Assistance (BJA) for the purpose of providing a secure Web site developed to serve as a "one-stop shop" for local, state, tribal, and federal law enforcement to keep up with the latest developments in the field of criminal intelligence. You will find information regarding law enforcement intelligence operations and practices. Criminal justice professionals now have a centralized resource information bank to access a multitude of criminal intelligence resources in a secure environment."

This was one source Peter Drucker used to see the future of business...

August 31, 2006

America's Dynamic Workforce 2006

Press release: "The U.S. Department of Labor today released America's Dynamic Workforce 2006, a new report highlighting major trends in the American labor market and the importance of education and skills training to maintaining the competitiveness of America's workforce."

  • The full text version includes extensive discussion and additional data and analysis beyond the basic charts presented. (48 pages, PDF)

  • The chart book version features larger format charts for easier reading and summary text extracts related to each chart (72 pages, PDF)

Police blotter: Judge OKs text message use in drug case

By Declan McCullagh Story last modified Fri Sep 01 04:56:33 PDT 2006

"Police blotter" is a weekly CNET report on the intersection of technology and the law.

What: A man accused of involvement in a Washington, D.C., cocaine-distribution ring objects to his text messages being handed over to police.

When: U.S. District Judge Ellen Segal Huvelle ruled on Aug. 10.

Outcome: Huvelle lets text messages be used as evidence.

What happened, according to court documents:

Broadband companies tend not to save copies of people's e-mail. That means snoopy divorce lawyers and curious FBI agents who show up with a subpoena or search warrant generally will be out of luck.

But text messages sent on one's cell phone are a different story, as one alleged drug dealer in the Washington, D.C.-area learned firsthand.

On Oct. 24, 2005, federal police raided a home on Potomac Drive in Fort Washington, Md.--just south of the Washington Beltway. They allegedly seized about 213 pounds of cocaine and about 6.5 pounds of crack cocaine. Antoine Jones and four other men were caught up in the raid.

The raid represented the culmination of an extensive amount of surveillance that the FBI and other federal police had conducted--both physical and electronic.

Part of the electronic surveillance was done by obtaining logs from two unnamed wireless providers. According to federal authorities, the logs contained archived text messages that were sent by Jones and alleged co-conspirator Lawrence Maynard.

In the words of the court: "On Aug. 10, 2005, and again on Aug. 18, 2005, Magistrate Judge Alan Kay issued search warrants to two electronic communication service providers for stored text messages that had been transmitted over cellular telephones used by Jones and Maynard."

Jones, who is awaiting trial on charges of conspiracy to distribute cocaine and use of a communication facility to traffic in drugs, filed a brief claiming that the search warrants violated the federal Wiretap Act.

Huvelle ruled on Aug. 10 that the search warrants were permissible "because the Wiretap Act does not apply to the government's acquisition of text messages held in storage at electronic communication service providers."

Translation: The Wiretap Act only applies to live intercepts, not archived e-mail or SMS messages. In general, a lower legal standard applies to archived messages. (As an aside, the government claims that technology to capture the contents of text messages had "only become available to law enforcement within recent weeks.")

Jones also was wiretapped, which Huvelle concluded was done in compliance with relevant federal law.

In addition, his movements were monitored through a GPS tracking device placed on his Jeep Cherokee. While the feds obtained a court order for the GPS tracker, they kept it on Jones' truck after the order expired, claiming that no court approval was necessary anyway. ("Even in the complete absence of a court order," it is legal, the U.S. Justice Department claims.)

This is not a new debate. A CNET article published in January 2005 shows that courts are divided about whether a court order is required to install GPS trackers. Huvelle split the difference, saying that no court approval was necessary when the Jeep Cherokee was on a public road.

Excerpt from Huvelle's opinion:

Jones' argument that the text message affidavits lacked probable cause also misses the mark. The task of an issuing magistrate, when assessing probable cause for search warrants is simply to make a practical, common-sense decision whether, given all the circumstances set forth in the affidavit before him, including the "veracity" and "basis of knowledge" of persons supplying hearsay information, there is a fair probability that contraband or evidence of a crime will be found in a particular place...The court easily concludes that the information contained in Special Agent Yanta's supporting affidavits was sufficient to establish probable cause for the text message warrants.

The 29-page Aug. 10 affidavit, which served as the foundation upon which subsequent affidavits submitted in support of wiretap and search warrant applications were based, references information provided by three confidential sources who had firsthand knowledge of Jones' illicit activity...The affidavit further provides the basis for investigators' belief that Jones and Maynard were using text messaging in an attempt to conceal their alleged narcotics trafficking activities.

First, analysis of pen register data indicated that several weeks prior to Aug. 10, 2005, the target cellular telephones showed an increase in text messaging from 50 percent of all activations to 90 percent. And second, the technology to capture the contents of text messages had "only become available to law enforcement within recent weeks."

In summary, the court finds that the affidavit clearly establishes probable cause to believe that Jones operated a conspiracy to distribute narcotics and that Jones and Maynard were using text messages on their phones to further that conspiracy. Because the Aug. 18 affidavit contained all of the foregoing information, the court likewise finds that it is sufficient.

IRS Sets Refund for Individuals from Phone Tax

By Reuters August 31, 2006

WASHINGTON (Reuters)—Long-distance telephone customers can receive refunds of between $30 and $60 on their 2006 taxes to reimburse them for a now defunct telephone tax, the U.S. Internal Revenue Service said on Thursday.

The U.S. Treasury Department in May announced it would end its legal fight to keep a 3 percent federal excise tax on long-distance telephone service that dates back to 1898, when a luxury tax on wealthy Americans who owned telephones was imposed to help finance the Spanish-American war.

... Under the plan outlined by the IRS, an individual who claims one exemption would be entitled to a $30 refund; two exemptions would receive $40; three exemptions would get $50; and four exemptions would receive $60.

"These amounts save taxpayers from locating 41 months of old phone bills and analyzing these bills to determine the taxes paid," IRS Commissioner Mark Everson said in a statement. "We believe the standard amounts are both reasonable and fair."

Do you suppose this was decided by some entry-level IT geek?

Cox Decides Your Outbound Mail Is Spam, Doesn't Tell You

from the oops dept

ISPs that have overactive spam filters where they don't allow users a chance to get around them are nothing new. Remember two years ago when Verizon was blocking almost all European inbound mail? When people complained, Verizon told them that if they really wanted to communicate with people, they should use the phone. That didn't go over that well, and Verizon ended up having to pay up in a class action suit. However, the latest reports suggest that cable broadband provider Cox may have gone a step further. Rather than blocking inbound email as spam, they're now blocking outbound email as spam. Actually, not blocking... deleting. And, even better, not informing you that the emails you sent are gone, never to be delivered. And (yes, it gets better), Cox refuses to admit they've done anything. Trying to protect you from inbound spam is one thing, but having your own provider deleting your own outbound emails as spam without even letting you know or giving you a way around it is going way too far. As you might imagine, Cox customers are not amused.

Tracking the web with Single Page Aggregators

Thursday August 31st 2006, 3:12 pm

Thursday, August 31, 2006

Why you should ALWAYS listen to your employees.

Desperate Whistleblower Turns to YouTube

Former Engineer Accuses the World's Biggest Defense Contractor of Knowingly Jeopardizing National Security


"What I am going to tell you is going to seem preposterous and unbelievable."

Those are a few of the first words of a video posted on YouTube by former Lockheed Martin engineer Michael De Kort, claiming that the defense contractor had built and the Coast Guard had accepted a number of boats that fall far short of government standards and leave our national security in question.

De Kort had tried going through the chain of command at Lockheed, and had contacted the government, the Coast Guard and various members of Congress, but no one seemed willing or able to help.

"YouTube was my last best shot -- I never wanted to do this publicly," he explained. "I had gone there to look at entertaining videos and saw that hundreds of thousands of people were visiting the site, and I thought that if there was something that was novel ... maybe just the fact that I was doing it would be the story."

... And although De Kort's video has been viewed only a little more than 8,000 times since he posted it on Aug. 3, his story has appeared in print, on radio and TV -- further evidence that the Internet has given the average person a way to be heard.

Why would PDAs be any different than computer hard drives?

PDAs sold on eBay 'loaded with sensitive data'

Security firm recovers 27,000 pages of personal data

Robert Jaques, 30 Aug 2006

Most used smartphones and PDAs for sale online are loaded with sensitive data ranging from banking records to corporate emails that can easily be retrieved by hackers and data thieves, it was alleged today.

According to a sampling by mobile security software provider Trust Digital, much of this sensitive information is retained in the Flash memory of the devices because of a widespread failure to perform the advanced hard reset required to delete data.

Trust Digital claimed that its engineers were able to recover nearly 27,000 pages of personal, corporate and device data from nine out of 10 mobile devices purchased through eBay for the project.

This will scare politicians. It's like conducting business in the open! (Open Source government?)

Bloggers 1, Smoke-Filled Room 0

Posted by kdawson on Wednesday August 30, @05:01PM from the mister-can-i-have-some-pork dept. Censorship Politics

MarkusQ writes "A few days ago a bi-partisan bill (PDF) to create a searchable on-line database of government contracts, grants, insurance, loans, financial assistance, earmarks and other such pork was put on 'secret hold' using a procedure that does not appear to be mentioned in the Constitution or in the Senate bylaws. This raised the ire of bloggers left and right and started an all out bi-partisan effort to expose the culprit by process of elimination. As it turns out it was our old friend the right honorable Senator from Alaska, Mr. 'Series of Tubes', Ted 'Bridge to Nowhere' Stevens."

Does anyone have a good article on “E-mail manners?”

When Can I Expect an Email Response?

Posted by ScuttleMonkey on Wednesday August 30, @05:53PM from the turnabout-is-fair-play dept. Communications The Internet

An anonymous reader writes "Ever sit there waiting for an email response and wonder what's going on? Did they get it? Did it get filtered? A study looks at the responding habits of a large group of corporate users. They find, among other things, that users would try to 'project a responsiveness image. For example, sending a short reply if a complete reply might take longer than usual, intentionally delaying a reply to make themselves seem busy, or planning out timing strategies for email with read receipts.' Tit-for-tat, 'Users would try to reciprocate email behaviors -- responding quickly to people who responded quickly to them, and lowering their responsiveness to people who responded slowly to them in the past.'"

So why don't managers secure their systems? See next article...

Survey says security issues can be fixed

Luc Hatlestad (08/30/2006 7:57 AM EDT)

A pair of security surveys released this week shows that protecting corporate and consumer data is sometimes easier than people might think, but the broader problem still is confounding far too many organizations.

The first study, entitled "Network Attacks: Analysis of Department of Justice Prosecutions 1999-2006," shows most network attacks tracked by the DOJ used stolen IDs and passwords. Those attacks resulted in far more extensive damages than what had been assumed -- an average of more than $1.5 million per incident, with $10 million being the most damage incurred in one incident. The study, commissioned by Phoenix Technologies and conducted by research and advisory firm Trusted Strategies, analyzed data from all cases prosecuted and publicly disclosed by the DOJ between March 1999 and February 2006.

The report also maintains that a whopping 84 percent of these attacks could have been thwarted if, after checking the user ID and password, the organization had simply verified the identity of the invasive computer connecting to its network and accounts via device authentication policies and solutions.

“We don't think we can, so we don't have to try.” (Think of this study as a guide for class action lawyers...)

Study: Many believe data thefts can't be prevented

Todd Weiss August 29, 2006 (Computerworld)

Fresh on the heels of a string of highly publicized, corporate data breaches, 63% of respondents to a new data security study said they don't believe they can prevent such breaches.

"This group came out much, much more negative than I ever expected," said Larry Ponemon, the founder and chairman of the Ponemon Institute LLC, an Elk Rapids, Mich.-based firm that looks at information and privacy management practices in business and government. "They said they're bad at detecting [breaches], but even worse at preventing [breaches]."

The 11-page study (PDF format), "National Survey on the Detection and Prevention of Data Breaches," which was released yesterday, is based on responses from 853 IT professionals, including senior executives, information security managers and others. The study was sponsored by PortAuthority Technologies Inc., a Palo Alto, Calif.-based vendor of information leak prevention software.

The study also found that 41% of respondents said their companies are not effective in enforcing data security policies because of a lack of corporate resources.

... About 66% of the respondents said their companies use hardware or software to help detect or prevent data breaches, but the remaining respondents said their companies don't use such tools because of their high costs. [Not even the free tools? Bob]

Some 16% said their companies believe that their manual security procedures are enough and that their company is not vulnerable to a data breach. [Fire these idiots immediately! Bob]

... 59% of those surveyed said they believe they can effectively detect a data breach using available IT tools and procedures.

Respondents reported a 68% probability of detecting a large data breach (of more than 10,000 data files), while they said small data breaches (fewer than 100 files) are likely to be detected only 51% of the time.

... Monitoring a company's data use policies is important, he said, but that's difficult to do because of employee training needs, turnover and other issues. "No one does that kind of stuff," he said.

Web browser leaves no footprints

Browzar deletes Internet caches, histories, cookies to protect user privacy

By China Martens, IDG News Service August 30, 2006

The latest entrant to the crowded Internet browser market is the appropriately named Browzar, a tool specifically designed to protect users' privacy by not retaining details of the Web sites they've searched.

... Browzar is being officially launched Thursday but can already be run or downloaded from its Web site. Users don't have to register to use the free browser.

If this is a data analysis tool they should be able to demonstrate data analysis – not a simple search for names.

FBI Shows Off Counterterrorism Database

By Ellen Nakashima Washington Post Staff Writer Wednesday, August 30, 2006; A06

The FBI has built a database with more than 659 million records [Modest by data warehousing standards Bob]-- including terrorist watch lists, intelligence cables and financial transactions -- culled from more than 50 FBI and other government agency sources. The system is one of the most powerful data analysis tools available to law enforcement and counterterrorism agents, FBI officials said yesterday.

The FBI demonstrated the database to reporters yesterday in part to address criticism that its technology was failing and outdated [We never said that. We said they don't have the technology they need. Still don't apparently. Bob] as the fifth anniversary of the Sept. 11, 2001, terrorist attacks nears.

... In a demonstration, Grigg sat at a computer and typed in the name "Mohammad Atta," one of the 19 hijackers in 2001. The system can handle variants of names and up to 29 variants on birth dates. He typed "flight training" in the query box and pulled up 250 articles relating to Atta.

The system, designed by Chiliad Inc. of Amherst, Mass., can be programmed to send alerts to agents [Oh boy! E-mail! Bob] on new information, Grigg said. Names, Social Security numbers and driver's license details can be linked and cross-matched across hundreds of millions of records.

... Grigg said that before 2002, it would take 32,222 hours to run 1,000 names and birth dates across 50 databases. Now agents can make such a search in 30 minutes or less, he said. [In a real data warehouse, the system would have already produced that information. Bob]

... David Sobel, senior counsel of the Electronic Frontier Foundation, said the Federal Register has no record of the creation of such a system, a basic requirement of the Privacy Act. He also said the FBI's use of an internal privacy assessment undercuts the intent of the privacy law.

FBI Shows Off Big Database... Just As UK Shows Why Big Databases Are Bad

from the great-timing dept

Remember all the trouble the FBI has been having getting its big new computer system working? They must be feeling a bit embarrassed about all that. That might explain why they were so proud to show off their big new counter-terrorism database. However, as the article notes, there are legitimate fears about peoples' privacy when such huge databases are put together by governments. In fact, across the Atlantic Ocean a story is coming out about a similar big database, as it's been revealed that government office workers have been hacking into the database to check out the profiles of people they know. With any of these big databases, it's only a matter of time before that data is abused in some manner -- no matter how carefully government officials claim that the data is only used for legitimate reasons.

No doubt law students will analyze these to determine where they will find the most clients...

August 30, 2006

Report Documents Federal Criminal Justice Trends from 1994-2003

Bureau of Justice Statistics press release: "The number of suspects and defendants processed in the federal criminal justice system grew substantially during the 10-year period of 1994 to 2003, the Justice Department's Bureau of Justice Statistics (BJS) announced today. U.S. federal prosecutors investigated more than 130,000 suspects during 2003 (a new record), up from 99,000 men and women in 1994."

  • "The report, Federal Criminal Justice Trends, 2003 (NCJ- 205331), is the first in a new series to track changes in the federal criminal justice system. It employed data from eight federal agencies to describe the enforcement of several thousand statutes in the U.S. Criminal Code. The report was written by BJS statistician Mark Motivans."

August 30, 2006

Presentation on 3 Must-Use Online Tools for Journalists

3 Must-Use Online Tools for Journalists, Amy Gahran's handout [HTML and PDF] from the annual conference of the Society of Professional Journalists (SPJ). [via Center for Media and Democracy]

Pass this to your Security guys...

Got Java?

Posted by Sean @ 14:45 GMT

Java Runtime Environment (JRE) 5.0 Update 8 is available. That being so, we attempted to update via the Java Control Panel applet. The result was a prompt informing us that we had the latest version.

You Already Have The Latest Java - Image

That seemed odd so we searched for details and discovered that Brian Krebs has written a very interesting article on the matter.

To sum it up: Installing a JRE Update doesn't remove the older versions of JRE that are installed. So, any older security issues remain installed as well. You'll want to manually uninstall the old version(s) before "updating".
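A small audit script makes the point concrete. The Python below is an added example, not code from the F-Secure post, from Brian Krebs' article or from Sun: it parses Sun-style JRE version strings, flags every installed version older than the current update, and (on Windows) reads the installed versions from the registry. The registry layout it assumes and the sample inventory are stated in the code; the inventory is constructed.

```python
"""Audit a host for JRE versions left behind by Sun's in-place updater.

Added example (not code from the F-Secure post or from Sun). Assumptions:
on Windows the installed versions appear as subkeys of
HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment (e.g. "1.5.0_08"); the
inventory used in demo() is constructed for the example.
"""
import re

# Sun-era version strings: <major>.<minor>.<micro>[_<update>]
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_jre_version(text):
    """'1.5.0_08' -> (1, 5, 0, 8).

    Tuples of ints compare the way humans expect; the raw strings do not
    ('1.5.0_9' sorts *after* '1.5.0_10' lexically), which is exactly the
    kind of mistake that makes an audit script miss a stale update.
    """
    match = _VER_RE.match(text.strip())
    if not match:
        raise ValueError("unrecognised JRE version string: %r" % text)
    major, minor, micro, update = match.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def stale_jre_installs(installed, latest):
    """Installed versions older than `latest`, oldest first."""
    target = parse_jre_version(latest)
    stale = [v for v in installed if parse_jre_version(v) < target]
    return sorted(stale, key=parse_jre_version)


def windows_jre_versions():
    """Enumerate installed JREs from the registry. Windows only: winreg is
    not available elsewhere, so the import is deferred. Assumes the
    JavaSoft key layout described in the module docstring."""
    import winreg
    found = []
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\JavaSoft\Java Runtime Environment")
    try:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(key, index)
            except OSError:           # no more subkeys
                break
            index += 1
            if _VER_RE.match(name):   # skips the "1.5" style alias keys
                found.append(name)
    finally:
        winreg.CloseKey(key)
    return found


# Constructed inventory: a host that has applied several updates in place.
INSTALLED = ["1.5.0_06", "1.4.2_09", "1.5.0_08", "1.5.0_04"]
LATEST = "1.5.0_08"   # JRE 5.0 Update 8, the release the post refers to


def demo(installed=INSTALLED, latest=LATEST):
    """Versions that must be uninstalled before the host counts as patched."""
    return stale_jre_installs(installed, latest)


if __name__ == "__main__":
    for version in demo():
        print("stale JRE still installed:", version)
```

On a real host feed `windows_jre_versions()` into `stale_jre_installs()`; the Control Panel applet only tells you whether the newest version is present, which is a different question from whether the old ones are gone. Each stale entry still needs its own uninstaller run, since that is what actually removes the vulnerable files.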

Is a virtual “Pink Slip” legal?

Radio Shack's New Commitment To The Internet Includes Firing People Via Email

from the seems-a-bit-harsh dept

In the last few years, there have been a bunch of stories, usually out of the UK, of companies firing people via text message. Text messaging just isn't as popular in the US yet, so it seems that Radio Shack decided to go in a different direction and fire 400 people via email. The company is defending the decision by saying that employees had been told that they would be notified electronically, so they don't see what all the fuss is about. I guess that beats the excuse another company used recently, that being fired electronically was just a part of youth culture. Of course, over in the UK, some of the people who were fired by text message later won additional compensation for being cynically manipulated. Speaking of which, if being cynically manipulated deserves extra compensation, I'm sure there are plenty of people who are probably owed a lot of extra cash.

In Con-Law, students are intimidated by a requirement to re-write the constitution in their own words. “It's not written in English, so it's hard to understand what they mean!” Obviously not everyone finds that difficult.

Culver City Gets Around Pesky First Amendment With Terms Of Service

from the read-closely dept

Last week, we learned that Culver City, California was installing filters on its muni-WiFi network, in an attempt to block content it (or the MPAA) didn't like. Ignoring the facts that filters don't really work and they weren't aware of any real problem until a vendor pointed it out to them with a sales pitch, a local government deciding to put roadblocks up to undesirable, though not illegal, activities (surfing porn or using P2P, in this instance) is more than a little sketchy. But it gets a little more interesting: when logging on to the service, the city's terms of service says users must agree to "waive any First Amendment claims" stemming from the service. That seems like a slightly less nasty way to tell people their First Amendment rights simply don't apply -- but since users are "voluntarily" waiving them, it's somehow okay. Plenty of companies use things like end user license agreements to make it okay for them to do things like install spyware on your computer, and some have argued that EULAs can trump certain laws. But a city using a similar terms of service -- which most users aren't likely to read -- to make an end run around the Constitution seems like a silly measure that's destined to end up in court.

I bet we could come up with a bunch of other examples...

Fire-The-Coach Domain Squatting The Next Big Thing

from the just-can't-stop dept

Apparently, domain squatting involves being a bit more creative these days. You can't just pick up the names of companies too shortsighted to register their own names. Instead, you need to look for ways to predict what people will be interested in down the road. That could be hurricane names, or it could be cashing in on the inevitability of fans hating their coaches. One guy has apparently gone around registering "" domain names for a variety of famous sports coaches -- knowing that upset fans will make them valuable at some point. Consider it the human equivalent of companies who discover someone owns "" domain names. Of course, in that case, many companies sue to get those names back, claiming trademark infringement. How long until an angry coach sues to get back a website demanding he be fired?

Looks like a great strategy to me!

Amazon's Everywhere Strategy

Posted by Mitch Ratcliffe @ 8:34 am August 30, 2006

Amazon introduced the "aStore" this morning, in an email to associates. The service creates a dedicated retail environment that anyone can use to sell stuff in the Amazon catalog. I spent about 20 minutes setting up a store, which you can see here, and have a few thoughts. Here's what Amazon has to say about it:

Can you see them light the fuse? Can you hear the theme music?

This Email Will Self-Destruct

New Services Help Safeguard Outbound Messages Against Forwarding and Tampering

By ANDREW LAVALLEE August 31, 2006; Page D1

People who want to open email from patent attorney Andrew Currier have to know the drill. First, they must answer a predetermined question, such as "Where did we first meet?" If they answer correctly, they will then be allowed to view the contents of the email -- but they can't alter it or forward it to anyone else.

Concerned about privacy, the Toronto-based lawyer has begun using a new service that encrypts his emails and tries to keep unintended recipients from reading the contents. The tool, developed by Echoworx Corp., adds a "send secure" button to his Microsoft Outlook email program. Unlike other email-security systems Mr. Currier has tried, this one doesn't require recipients of his emails to download any software or use the same email program.

"I really need it to be easy for the client on the other end," says Mr. Currier, who says that leaked information could be disastrous for one of their patent applications. "People don't appreciate just how vulnerable email is."

Amid heightened privacy concerns, a handful of technology companies are touting new services designed to make existing email programs, such as Microsoft Corp.'s Outlook, more secure, with features ranging from emails that can't be forwarded to self-destructing messages that can be viewed only for a limited time. While most email programs by themselves guard against inbound attacks such as viruses and spam, they give computer users little control over the messages that are sent. So these third-party developers, which aren't working directly with Microsoft or other email companies, aim to fill that hole.

The new outbound-email services focus on safeguarding data and protecting the sender from legal liability, says Richi Jennings, an email-security analyst at Ferris Research in San Francisco. "The state of the art of the technology, though, for some time has just made it really difficult to deploy," he says. "That seems to be changing."

... Another new service, Kablooey Mail, allows consumers to send "self-destructing" emails that can be viewed for only a limited time, which may appeal to people who don't want a record of their correspondence. The free service, which made its debut in July, lets individuals log on to Kablooey's site to compose a message and set an expiration time, which can range from 10 seconds to two weeks after the message is opened. (Senders can also elect to have the message not expire.) A copy of the message is saved in the sender's account, where it can be reviewed by the sender later, or deleted altogether for extra security.

... A recipient is instructed to use only the up/down arrow keys or scroll bar to read the message; any other keystroke causes the message to expire instantly, which removes the message from the screen and prevents the recipient from accessing it again.

... Email is increasingly called on as evidence in court, says Dana Henry, a consultant for RPost International Ltd., a Los Angeles-based provider of "registered email" services. It is relatively easy to change the contents of a message or say it was never delivered, says Ms. Henry, a former Los Angeles County Superior Court judge. "There is such incredible deniability on the part of the other party who is the recipient."

The RPost service, which also works with Outlook, is designed to ensure the authenticity of messages so that they can be used in legal disputes, if necessary. The program adds a unique digital seal to each registered email. A few minutes after sending the message, the sender receives an email receipt that includes when the message was delivered and opened. RPost will also verify whether the original message's content was changed. The sender can choose whether or not the email tells the recipient that the message is registered.

The RPost service, which charges senders 59 cents for each registered email, added a new feature in July that checks for "risky" content, such as Social Security numbers or key words that senders -- or the senders' employer -- have flagged, before delivering the message. Customers, especially lawyers and technology professionals, are interested in using the service to protect senders from email-related liability, says RPost CEO Zafar Khan. "That can often cost the company quite a bit more, especially in this country, in litigation and litigation-discovery costs," he says.
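The tamper-evidence half of a registered-email service is small enough to show. The Python below is an added illustration and is not RPost's code or a description of its actual mechanism: a service that holds its own secret key records an HMAC over the canonical message and the send time, logs delivery and open events against that record, and later reports whether a presented copy still matches. The canonicalisation rule, the key and the sample message are assumptions made for the example; the message is constructed.

```python
"""Tamper-evident "registered email" seal, as an added illustration.

Not RPost's mechanism; a minimal form of the idea the article describes.
Assumptions: the registration service holds a secret key that neither
party knows, and a message is canonicalised as sorted lower-cased headers
plus a body with line endings normalised.
"""
import hashlib
import hmac
import time


def canonicalise(headers, body):
    """Deterministic byte form of the message. Line-ending differences are
    normalised so a relay that rewraps CRLF/LF does not look like tampering."""
    norm_body = body.replace("\r\n", "\n").rstrip()
    items = sorted((k.lower(), v.strip()) for k, v in headers.items())
    head = "\n".join("%s: %s" % kv for kv in items)
    return (head + "\n\n" + norm_body).encode("utf-8")


def _mac(service_key, sent_at, content_digest):
    msg = ("%d|%s" % (sent_at, content_digest)).encode("ascii")
    return hmac.new(service_key, msg, hashlib.sha256).hexdigest()


def seal_message(service_key, headers, body, now=None):
    """Record the service keeps for the message; the seal binds send time
    and content digest so neither can be altered in storage unnoticed."""
    sent_at = int(time.time() if now is None else now)
    content_digest = hashlib.sha256(canonicalise(headers, body)).hexdigest()
    return {"sent_at": sent_at, "content_sha256": content_digest,
            "seal": _mac(service_key, sent_at, content_digest), "events": []}


def record_event(record, kind, when):
    """Append a delivery/open event as the service observes it."""
    record["events"].append({"event": kind, "at": int(when)})
    return record


def verify_message(service_key, record, headers, body):
    """Check the stored record is genuine, then whether the presented copy
    of the message matches what was sealed."""
    expected = _mac(service_key, record["sent_at"], record["content_sha256"])
    if not hmac.compare_digest(expected, record["seal"]):
        return {"record_valid": False, "content_unchanged": False, "events": []}
    presented = hashlib.sha256(canonicalise(headers, body)).hexdigest()
    return {"record_valid": True,
            "content_unchanged": hmac.compare_digest(presented, record["content_sha256"]),
            "events": list(record["events"])}


# Constructed sample message and key (not real credentials).
SERVICE_KEY = b"example-service-key-not-for-production"
HEADERS = {"From": "sender@example.com", "To": "client@example.com",
           "Subject": "Draft claims, v3"}
BODY = "Please review the attached claims before Friday.\r\n"


def demo():
    """Seal a message, log events, then check an intact copy, an altered
    copy and a record whose send time has been backdated in storage."""
    rec = seal_message(SERVICE_KEY, HEADERS, BODY, now=1157068800)
    record_event(rec, "delivered", 1157068830)
    record_event(rec, "opened", 1157072400)
    intact = verify_message(SERVICE_KEY, rec, HEADERS, BODY.replace("\r\n", "\n"))
    altered = verify_message(SERVICE_KEY, rec, HEADERS, BODY.replace("Friday", "Monday"))
    backdated = verify_message(SERVICE_KEY, dict(rec, sent_at=rec["sent_at"] - 86400),
                               HEADERS, BODY)
    return intact, altered, backdated


if __name__ == "__main__":
    for label, result in zip(("intact", "altered", "backdated record"), demo()):
        print(label, result)
```

An HMAC only convinces the party that holds the key, so in this form the service itself is the witness; a sender who wants evidence a court can check without trusting the service would need the service to sign the record with a key whose public half is published. The canonicalisation step is where such services get into trouble in practice: normalise too little and a harmless relay rewrap reads as tampering, normalise too much and a meaningful change slips through.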