Saturday, December 09, 2006

It's Friday again, time to disclose the latest screw-ups leading to identity theft.

E-mail includes data on students

VCU by mistake sends personal information, grades of 561 students


For the second time this year, the personal information and Social Security numbers of hundreds of Virginia Commonwealth University students have been compromised.

According to the university's technology services Web site, personal information on 561 VCU students in the College of Humanities and Sciences was inadvertently included [I know of no email system that randomly attaches files. The user MUST specify the file. Bob] in two attachments in an e-mail.

The information included names, Social Security numbers, local and permanent addresses and grade-point averages.

... Kapelewski said she thought a university as large as VCU -- 30,000 students -- would have security measures to prevent such disclosures. [A reflection of her education. Isn't that a shame? Bob]

... Chuck Epes, Virginia communication director for the Chesapeake Bay Foundation, also had his personal information compromised in the glitch. [Is there more here than the school admits? Bob]

... Epes said he doesn't know how his personal information was obtained. He is not a current student and hasn't taken full-time classes at VCU for years.

... In September, VCU said the names, Social Security numbers and e-mail addresses of about 2,100 current and former students had been online for eight months, because of human error.

... Also, a former VCU student pleaded guilty two months ago in federal court to illegally acquiring the log-in names and passwords for the e-mail and online accounts of many students and university staff members.

Perhaps we could issue “Goofy Awards” to security managers who are surprised by this type of error?

Saturday, December 9, 2006

Goof posts SS numbers on Net

Vermont health care providers’ info accidentally goes public


MONTPELIER, Vt.— At least several hundred, likely more, Social Security numbers of health care providers were posted to the Internet in a state contractor’s mistake that officials were scrambling to fix yesterday.

... Commissioner Thomas Murray of the state Department of Information and Innovation said his staff had been working since first learning of the problem on Monday to make sure the information is no longer on the Internet.

... McIntire said the information was posted on the Web site on which the state calls for bids on contracts from May 12 and was taken down June 19. But she said a doctor, whom she would not identify, told the state that her Social Security number was on the Internet as of this week.

... Robert Snapp, an associate professor of computer science at the University of Vermont, said it’s impossible to be completely sure that something once posted to the Internet isn’t still available in cyberspace despite efforts to remove it.

Is there anything to stop people from suing...

Can Your Firm Be Sued for a Data Breach?

By Gregory T. Parks and Megan E. Adams E-Commerce Times 12/08/06 4:00 AM PT

In July 2003, California Senate Bill 1386 went into effect, becoming the first state law providing for mandatory notification in the event of a breach. Some 30 states have enacted similar legislation. Although these laws do not provide for a private cause of action, they could still contribute to increased litigation because more consumers will know about data breaches.

Continuing technological advances allow companies to store increasing amounts of personal data about their customers. Maintaining this information can help both companies and consumers, allowing for more tailored customer service without requiring customers to provide the same information repeatedly.

... The federal Privacy Act allows individuals to sue the government for failure to adequately protect personal data, but there is no counterpart applicable to the private sector.

Companies can be held liable in a broader context -- as opposed to an individual lawsuit -- in two ways: via the Federal Trade Commission and through consumer class actions brought by private parties or state attorneys general.

... Initially, the FTC only enforced company "privacy policies," reasoning that a company's failure to follow its own published policy was a "deceptive act" punishable by the agency.

... Since 2004, the FTC has expanded its enforcement activities. The agency now claims that a company's failure to take reasonable measures to protect customers' personal information is itself an unfair practice in violation of the FTC Act.

... Consumers often wish to enforce their rights through private litigation, where they can potentially receive financial awards generally not available through FTC settlements. In the past several years, consumers have flooded the courts with lawsuits -- primarily class actions -- often following FTC action. Many of these cases are still pending. If one of these cases results in a verdict, it would be a first.

Although some cases have settled with payments to plaintiffs, litigation in this area is currently problematic for plaintiffs for two reasons:

* As there are no laws providing private rights of action to consumers specifically for a data security breach, consumers must generally rely on state consumer protection, false advertising, implied contract, and fraud laws to bring suit against private companies. These tools are vague, at best, and rarely provide a framework that is adequate for dealing with data security breaches.

* Data security breaches often do not cause any identifiable or quantifiable harm to the individuals whose information was compromised. In certain cases, courts have therefore labeled the damages claimed by plaintiffs as "speculative" or "nonexistent" and have dismissed lawsuits because of this defect. However, certain political and legislative developments indicate that the climate could soon change.

Compliance could be harder than the Senator assumes. Who will look at each image (and video?) and determine illegality?

Senator: Illegal images must be reported

By Declan McCullagh Story last modified Fri Dec 08 19:04:24 PST 2006

Millions of commercial Web sites and personal blogs would be required to report illegal images or videos posted by their users or pay fines of up to $300,000, if a new proposal in the U.S. Senate came into law.

The legislation, drafted by Sen. John McCain and obtained by CNET, would also require Web sites that offer user profiles to delete pages posted by sex offenders.

In a speech on the Senate floor this week, the Arizona Republican and former presidential candidate warned that "technology has contributed to the greater distribution and availability, and, some believe, desire for child pornography."

After a report of illegal activity is filed, the Web site must retain any "information relating to the facts or circumstances" of the incident for at least six months. [Retain, not forward to an appropriate law enforcement agency? Who would be appropriate, by the way? Bob] Webmasters would be immune from civil and criminal liability if they followed the specified procedures exactly.

McCain's proposal, called the "Stop the Online Exploitation of Our Children Act", requires that reports be submitted to the National Center for Missing and Exploited Children, which in turn will forward to the relevant police agency. (The organization received $32.6 million in tax dollars in 2005, according to its financial disclosure documents.)

Internet service providers already must follow those reporting requirements. But McCain's proposal is liable to be controversial because it levies the same regulatory scheme--and even stiffer penalties--on even individual bloggers who offer discussion areas on their Web sites.

"This constitutionally dubious proposal is being made apparently mostly based on fear or political considerations rather than on the facts," said Kevin Bankston, an attorney with the Electronic Frontier Foundation in San Francisco.

According to the proposed legislation, these types of individuals or businesses would be required to file reports: any Web site with a message board; any chat room; any social-networking site; any e-mail service; any instant-messaging service; any Internet content hosting service; any domain name registration service; any Internet search service; any electronic communication service; and any image or video-sharing service.

Kate Dean of the U.S. Internet Service Provider Association said her members appreciated McCain's efforts to rewrite the current procedures for reporting illegal images, which currently are less than clear.

McCain's proposal comes as concern about protecting children online has reached nearly a fever pitch in Washington. Attorney General Alberto Gonzales gave two speeches this week on the topic, including one on Friday in which he said "we must do all that we can to protect our children from these cowardly villains who hide in the shadows of the Internet."

But the reporting rules could prove problematic for individuals and smaller Web sites because the definitions of child pornography have become relatively broad.

The U.S. Justice Department, for instance, indicted an Alabama man named Jeff Pierson on child pornography charges because he took modeling photographs of clothed minors with their parents' consent. The images were overly "provocative," a prosecutor claimed.

Deleting sex offenders' posts

The other section of McCain's legislation targets convicted sex offenders. It would create a federal registry of "any e-mail address, instant-message address, or other similar Internet identifier" they use, and punish sex offenders with up to 10 years in prison if they don't supply it.

Then, any social-networking site must take "effective measures" to remove any Web page that's "associated" with a sex offender.

Because "social-networking site" isn't defined, it could encompass far more than just, Friendster and similar sites. The list could include Slashdot, which permits public profiles;, which permits author profiles and personal lists; blogs like that show public profiles. In addition, media companies like publisher CNET Networks permit users to create profiles of favorite games, gadgets and music.

"I think there is an irrational hysteria surrounding these social-networking sites and the threat to youngsters on these sites, so I don't see these measures being justified," said EFF's Bankston.

A McCain aide, who did not want to be identified by name, said on Friday that the measure was targeted at any Web site that "you'd have to join up or become a member of to use." No payment would be necessary to qualify, the aide added.

In this political climate, members of Congress may not worry much about precise definitions. Another bill also vaguely targeting social-networking sites was approved by the U.S. House of Representatives in a 410-15 vote.

And in July, for instance, Congress overwhelmingly approved a bill that made it a federal felony for Webmasters to use innocent words like "Barbie" or "Furby" to trick minors into visiting their sites and viewing sexually explicit material.

Next year, Gonzales and the FBI are expected to resume their push for mandatory data retention, which will force Internet service providers to keep records on what their customers are doing online. An aide to Rep. Diana DeGette, a Colorado Democrat, said Friday that she's planning to introduce such legislation when the new Congress convenes.

Cathy Milhoan, an FBI spokeswoman, said on Friday that the FBI "continues to support data retention. We see it as crucial in advancing our cyber investigations to include online sexual exploitation of children."

In addition, Sen. Chuck Schumer, a New York Democrat, and McCain said this week that they'll introduce similar legislation dealing with sex offenders and social-networking sites in January.

I am always impressed by effective legal strategies...

Secret To Suing Dell: Focus On A Kiosk, Not Headquarters

from the legal-strategies dept

It's no secret that Dell has had some... problems with their customer service operations over the years, some of which have been well publicized. I recently heard from someone that Dell now constantly scours blogs for any complaints to try to respond to them quickly. However, they still run into some problems at times. When one man had the company lose his laptop, and he wasn't satisfied with their replacement offer (and long drawn out conversations), he sued the company in small claims court (sent in by reader Chester Kee). However, rather than send the lawsuit to Dell headquarters, or even a Dell office, he sent it to the local Dell sales kiosk at the mall near his home. Not surprisingly, no one from Dell showed up in court (they probably had no idea the case even existed), and the man won $3,000 -- and even got an order saying court workers could seize merchandise from the kiosk. Once Dell found out about this, they quickly settled the case (as they should have), but it still seems a bit odd that it was okay for the case to be served to a random sales kiosk -- and that the court allowed the reimbursement to come from that kiosk as well.

They just don't get it. Why would I want to download a separate reader for each newspaper (news source) I read each day? (For that matter, why would I want to read anything “offline?”)

Download of the Day: New York Times Reader (Windows)

Windows only: The New York Times Reader lets you download full editions of the NYT to your desktop where you can browse the contents offline in a very familiar newsprint format.

I'm always happy to tell my students about potential scholarship funds...

Criminals 'target tech students'

The boom in cyber crime is forcing criminals to go to great lengths to recruit skilled hackers, says a report.

Some criminal gangs are paying students while they study to ensure they have a pool of tech-savvy workers to call on, says the report from McAfee. [Perhaps a wee exaggeration? Bob]


McAfee said children as young as 14 years old were being targeted by some criminal gangs.

... "Traditional criminals have the ability to move funds and use all of the background they have," he said, "but they don't have the technical expertise."

How Much Privacy?

Lisa Lerer, 12.08.06, 6:00 AM ET

ComScore Networks is the Big Brother of the Internet. [They must love this kind of start to the story... Bob] The widely-used online research company takes virtual photos of every Web page viewed by its 1 million participants, even transactions completed in secure sessions, like shopping or online checking. Then comScore aggregates the information into market analysis for its over 500 clients, including such large companies as Ford Motor, Microsoft and The New York Times Co.

ComScore says that its participants are willing exhibitionists, happily selling their online privacy for gift certificates and free screensavers. But two computer scientists are raising new questions about comScore, claiming that company tracking software is being installed without consent on an unknown number of computers.

"[The] software is sneaking onto users' computers without the user agreeing to receive it," says Harvard University researcher Ben Edelman, who documented at least ten unauthorized comScore downloads. Eric Howes, director of malware research at antivirus company Sunbelt Software, and his researchers separately observed hundreds of unauthorized comScore downloads in a three-month period this fall. (Edelman and Howes spend their days patrolling the Internet for new threats.)

What a country! We can argue any side of an issue. (By the way, you can join my militia for only $29.95)

Scope of 2nd Amendment Questioned

By MATT APUZZO The Associated Press Thursday, December 7, 2006; 8:49 PM

WASHINGTON -- In a case that could shape firearms laws nationwide, attorneys for the District of Columbia argued Thursday that the Second Amendment right to bear arms applies only to militias, not individuals.

...and here's the flip side. Perhaps they will declare neutrality, like Switzerland? Remember, lots of kids in PA bring their guns to school (leaving them in their cars) during hunting season.

Town mulls recommending guns for all

By Jon Hurdle Thu Dec 7, 11:10 AM ET

A tiny town in western Pennsylvania could ask all of its residents to own guns, if a proposal under consideration on Wednesday wins approval from local officials.

... In written comments, Statkowski said homeowners have a right and a responsibility to defend against intruders rather than calling police and waiting for help to arrive.

... The measure was unlikely to pass because state law prevents municipalities from making their own gun laws, Ramsey said. He said about 40 percent of Pennsylvania households own guns.

Aaron Fry, owner of the Cherry Tree Cafe, said he did not understand why the measure was necessary because guns are common. "Every house has a couple of guns," he said.

Friday, December 08, 2006

More on HP

December 07, 2006

CA AG Announces Settlement with HP Over Pretexting

Press release: "Attorney General Bill Lockyer today announced Hewlett-Packard (HP) will finance a new law enforcement fund to fight violations of privacy and intellectual property rights, and adopt corporate governance reforms, under a $14.5 million settlement that resolves allegations the firm used false pretenses – or pretexting – to unlawfully access phone records during its probe of boardroom leaks to the media." [see this FTC Factsheet on Pretexting]

Sounds to me like the background check would not have prevented anything.

Are Background Checks Necessary For IT Workers?

Posted by CowboyNeal on Thursday December 07, @07:16PM from the better-safe-than-sorry dept.


4foot10 writes "UBS PaineWebber learned a hard lesson after hiring an IT systems admin without conducting a background check. Now its ex-employee is slated to be sentenced for launching a 'logic bomb' in UBS' computer systems that crashed 2,000 of the company's servers and left 17,000 brokers unable to make trades."

[From the article: Prosecutors charged that Duronio, angry over not receiving as large a bonus as he had expected, sought revenge against his employer by building, planting, and disseminating the logic bomb. Okay, he did have a record... Bob]

Think this might help their corporate reputation?

Lifetouch Gets It Right on Kids' Privacy

Jay Cline December 07, 2006 (Computerworld)

The constant drumbeat of news stories chronicling the security blunders of U.S. corporations makes it seem as if no business, no matter how trusted, is up to the task of protecting our personal information. So it’s all the more noteworthy when companies do the right thing with personal privacy. I learned recently that Eden Prairie, Minn.-based Lifetouch Inc. got it right when the feds came knocking.

What is Lifetouch? The privately held company photographs over 24 million North American schoolchildren each fall, making it the market leader. It also takes pictures of millions of other people through J.C. Penney, Target and Flash Digital Portraits studios.

You might not think that photos are sensitive information, but any parent would disagree with you. Try this test with your co-workers: Ask them what data they consider most private. Is it their Social Security numbers, credit card numbers, salaries, health data or information about their children? Whenever I’ve posed this question to a U.S. audience, kids’ information has always won, hands down.

Lifetouch gets this, and having been in business for 70 years, it got it long before the age of digital identity theft. Senior attorney Laurie Dechery, who advises on privacy law issues at Lifetouch, told me, "Given the nature of our product, privacy has always been a core component of the culture here."

Lifetouch regularly received urgent calls from law enforcement agencies seeking a missing child’s photo in cases where parents were unable to provide a high-quality one for reprinting. Lacking the means to immediately authenticate whether these requests were valid, Lifetouch’s response was tough, but predictable: not without a subpoena or verifiable parental consent.

The story might have ended there, with a stalemate between privacy interests and personal safety. But in 2004, Lifetouch contacted the National Center for Missing and Exploited Children, which helps attempts to find the 2,000 children reported missing in the U.S. each day, with a five-step proposal:

  1. Lifetouch would enlist partner schools that would allow it to distribute to each student a set of wallet cards that include a unique retrieval code and crisis hot-line number for the center.

  2. Lifetouch would provide round-the-clock staff for the center’s hot line. If a child went missing, parents could call the hot line with the code.

  3. The center would authenticate the case and the parents’ consent with law enforcement and then contact Lifetouch with the image-retrieval code.

  4. Lifetouch would immediately transmit to the center the image of the child, faster than many parents could get a high-quality, usable image to the center.

  5. The center could then broadcast the image through Amber alerts, its Web site, posters and mail inserts.

... Since the launch, Lifetouch has spent more than $2 million to keep the program running and has assisted in more than 400 searches. Lifetouch images directly led to the recovery of seven children, O’Brien said.

Thursday, December 07, 2006

This story has been quiet, but I guess things have been happening.

Sources: HP to settle civil complaint

By Ina Fried Story last modified Thu Dec 07 04:29:11 PST 2006

The California attorney general's office is expected to announce Thursday that it has settled civil complaints with Hewlett-Packard over the company's spying tactics, CNET has learned.

The civil complaints are separate from the criminal charges already brought forward by the attorney general's office. Five people, including former HP Chairman Patricia Dunn, are facing felony charges in connection with HP's campaign to determine the source of unauthorized media leaks. All five have pleaded not guilty.

A lawyer for the attorney general's office confirmed that an announcement is scheduled for Thursday, but would not confirm or deny the civil settlement. CNET reported last week that the state's top prosecutor was considering a civil complaint over HP's tactics.

An HP representative declined to comment.

As part of its effort to uncover the source of news stories, HP investigators employed the practice of "pretexting," or using false pretenses, to obtain the phone records of more than a dozen people, including board members, journalists and HP employees. The company also employed physical surveillance and sent a bogus tip with an electronic tracer to a CNET reporter.

After the company's tactics came to light, Congress held hearings, and the FBI and Justice Department also launched probes. HP also faces a formal SEC inquiry into the matter.

The scandal also prompted the departures of Dunn, general counsel Ann Baskins and two other HP employees.

The number of leaks isn't the lever to move administrators, it's personal liability that gets their attention...

U. of Kentucky: No changes made after 4 personal data leaks

Wednesday, December 06 2006 @ 12:38 PM CST - Contributed by: anonadmin - Minors & Students

Months after the last incident in a series of private information leaks, UK has not made any policy or personnel changes to enhance its data security. A series of four data-leaking incidents took place over four months from May to August this year. According to the Privacy Rights Clearinghouse Web site, these incidents compromised the confidentiality of more than 8,500 UK students' and employees' Social Security numbers.

Source - KY Kernel

Here is how you get management's attention.

ChoicePoint ID Theft Victims' Day Has Come

By Roy Mark December 7, 2006

Victims of the ChoicePoint identity theft scandal will soon be receiving claims forms to recover out-of-pocket expenses.

The Federal Trade Commission (FTC) mailed more than 1,400 of the forms Wednesday and made them available for download at the FTC ChoicePoint site. Restitution claims must be postmarked by Feb. 4.

The victims will be paid out of a $5 million fund established by ChoicePoint as part of its January settlement with the FTC. ChoicePoint also agreed to pay a $10 million fine for failing to adequately protect the consumer information in its databases.

... In February 2005, ChoicePoint disclosed that an ID theft ring gained access to the company's vital credit information. The breach involved more than 160,000 records.

In a complaint brought against ChoicePoint, the FTC said the company did not have reasonable procedures in place to screen prospective clients, turning over consumer personal data to customers whose applications raised obvious red flags.

Tools & Techniques: Software to manage an organization's network (add, delete or update software on employees' computers) has been available for years. You can even expect software vendors to “take control” of your PC to solve problems or demonstrate how to perform some obscure task. This is not such a great leap when many high-speed networks are “always on”.

Prosecuting and security authorities to be allowed to search PCs online

07.12.2006 13:40

What the Minister of the Interior of the German federal state of North Rhine-Westphalia Ingo Wolf had already proposed as a completely worked-out plan and the Federal Minister of the Interior Wolfgang Schäuble hinted at in his program for strengthening the internal security of the Federal Republic, which has a price tag of 132 million euros, is now to become a reality: In addition to its previous rights the Federal Office of Criminal Investigation (BKA) is to be given permission to access PCs of citizens of the Federal Republic online. In August of this year Mr. Wolf had already presented the draft bill of a new Protection of the Constitution Act, which, once adopted, will among other things give the Office for the Protection of the Constitution undercover access to "hard disks" and other "information technology systems" on the Internet. In November the Budget Committee of the Bundestag, the lower chamber of Germany's federal parliament, had moreover signed off on Mr. Schäuble's Program for Strengthening the Federal Republic's Internal Security, which the minister hopes will allow authorities to nip in the bud or at least contain terrorist and other threats by monitoring online forums more closely.

In the finished program, which the German daily Süddeutsche Zeitung has seen, the Federal Ministry of the Interior declares the ability to search PCs without physical access to them to be a key component in the fight against terror. Searches of this kind "put a considerable strain on technical and human resources," the paper observes. They would nonetheless, according to the ministry, be considered an option when there were concrete grounds for suspecting that a criminal act had been or was about to be committed and a judge had given his or her approval. "Substantial resources" would be required to carry out such searches on a regular basis, the newspaper states. The Federal Ministry of the Interior apparently intended to engage in "nationwide PC screening," the daily quotes the budget expert of the opposition liberal Free Democratic Party (FDP), Jürgen Koppelin, as saying. There was no legal basis for doing so, Mr. Koppelin, according to the paper, went on to say.

By the way, the bill of the new Protection of the Constitution Act, which Mr. Koppelin's fellow party member Ingo Wolf has proposed, is scheduled to be adopted by the parliament of the federal state of North Rhine-Westphalia today. The proposals of the politicians concerned with internal security remain conspicuously silent, however, on how a screening of PCs protected by a firewall or tucked away behind a router with Network Address Translation is to be carried out. Be that as it may, an important element of Mr. Schäuble's Security Program is the establishment of an "Internet Monitoring and Analysis Unit" (IMAS) at the Joint Center for Defense against Terrorism (Gemeinsames Terrorismusabwehrzentrum; GTAZ), which is run by the police and the security forces in Berlin. Some 30 million euros are said to have been spent there on new hardware that makes it possible to eavesdrop on Internet telephone calls and closed chat rooms. The first task of the new surveillance unit is to increase the authorities' understanding of jihadists' machinations as they appear on the Internet. It has also been given the task of finding ways to clear cyberspace of vicious, malevolent and inflammatory propaganda and remove such things as bomb-building manuals from the Net.

DHS Passenger Scoring Illegal?

By Ryan Singel 02:00 AM Dec, 07, 2006

WASHINGTON -- A newly revealed system that has been assigning terrorism scores to Americans traveling into or out of the country for the past five years is not merely invasive, privacy advocates charge, it's an illegal violation of limits Congress has placed on the Department of Homeland Security for the last three years.

The Identity Project, founded by online rights pioneer John Gilmore, filed official objections (.pdf) to the Automated Targeting System, or ATS, on Monday, calling the program clearly illegal.

The comment cited a little-known provision in the 2007 Homeland Security funding bill prohibiting government agencies from developing algorithms that assign risk scores to travelers not on government watchlists.

... A DHS spokesman said the language in the appropriations bill doesn't cover the ATS, and insisted the program is legal.

... Paul Rosenzweig, a high-level Homeland Security official, told Congress in September that the system had "encountered 4801 positive matches for known or suspected terrorists." However, it is unclear how many of those were correct matches.

... The comment period on the proposal, which ended Monday, will be re-opened on Friday for additional feedback. Comments can be submitted online using docket number DHS-2006-0060.

Dec 6, 2006 8:33 pm US/Mountain

Jeffco DA Teaches Parents About Online Predators

Ericka Lewis Reporting

(CBS4) DENVER On Wednesday, Jefferson County's district attorney's office released a video on their Web site to make it easier for parents to teach younger children how to protect themselves against Internet predators.

... Access the video provided by the Jefferson County District Attorney's office.

Not such a big deal, my students divide by zero all the time, they just keep getting different answers each time.

Professor Comes Up With a Way to Divide by Zero

Posted by samzenpus on Thursday December 07, @02:01AM from the it-seems-so-obvious-now dept.

54mc writes "The BBC reports that Dr. James Anderson, of the University of Reading, has finally conquered the problem of dividing by zero. His new number, which he calls "nullity", solves the 1200-year-old problem that neither Newton nor Pythagoras could solve, the problem of zero to the zero power. Story features video (Real Player only) of Dr. Anderson explaining the "simple" concept."

Dilbert summarizes society in three panels...

Wednesday, December 06, 2006

If I was a terrorist and wanted to terrorize, what better way than to target the families of deployed National Guard units?

Computer Stolen from 130th Airlift Wing in Charleston

Tuesday, December 05 2006 @ 09:46 PM CST - Contributed by: PrivacyNews - Fed. Govt.

A laptop computer with personal information about every member of West Virginia's Army National Guard 130th Airlift Wing in Charleston recently was stolen. The government-owned laptop computer was stolen from a member of the unit while he was attending an official training course. Maj. Todd Harrell said the computer's hard drive contains personal information, including Social Security numbers, names and birth dates of everyone in the 130th Airlift Wing.

Source - The State Journal

Personal info disappears from college

Tuesday, December 05 2006 @ 11:42 AM CST - Contributed by: lyger - Minors & Students

Someone made off with a print-out of personal information about Nassau Community College's entire student body, more than 21,000 students, prompting the college to offer to pay for credit monitoring services for students for one year.

Source -

[From the article: Reginald Tuggle, college spokesman, said the list went missing last Tuesday. Tuggle said an administrative assistant in the college's Student Activities Office, who was authorized to use the list, was cross-checking the names of individuals involved in various student activities against the master list of students registered at the college. [...and this is done manually? Bob]

Bank data stolen out of exec’s vehicle

By Michael D. Sorkin ST. LOUIS POST-DISPATCH Wednesday, Dec. 06 2006

Banks like to advertise how careful they are with customer information. Premier Bank is no exception. Its executives recall just one time when they left account data in a parked vehicle.

That was the evening of Nov. 16. Dozens of employees were gathered at the Chase Park Plaza hotel to watch as Premier became the first bank to receive a Missouri Chamber of Commerce Award as one of the state's fastest growing businesses.

With the bankers inside celebrating, a thief was outside working. One of the vehicles broken into that night in the hotel garage was a GMC truck owned by Premier's vice president and chief financial officer.

Taken from the truck was a bound, blue book about the size of a laptop computer. It contained paper reports with the names and account numbers of 1,800 customers who had opened Premier accounts in October.

... "I guess you could debate whether we should have had" the information in the truck, Anderson said. "Obviously, we have changed our procedure; none of the reports will be out of the bank now."

The thief also stole a $250,000 non-negotiable bank certificate, $400 in cash and a black leather jacket valued at $250, according to St. Louis police.

... After the break-in, the bank's security consultant hired a private investigator to search trash bins for the stolen records. [Good one! If recovered, it would save a lot of time and effort! Bob]

... O'Neill questioned why the bank would take information about his account out of the office.

Anderson says the bankers had planned to use the papers at a meeting the next morning to discuss new accounts.

Files with personal information found buried in Converse park

Tuesday, December 05 2006 @ 09:53 AM CST - Contributed by: PrivacyNews - State/Local Govt.

... Last week a contracting crew hired to do flood control work at the Converse North Park stumbled upon bundled-up piles of buried treasure, if you want to steal someone's identity. "Drivers license (numbers). Social Security (numbers). Lot of photographs. All the information you'd ever want if you were going to do any kind of fraud," said David Meyer, who is part of the crew that discovered the files.

"It's been exposed for about a week," Meyer said.

Converse City Manager Sam Hughes did not want to go on camera but says the city never envisioned that all those files, which were buried in 1998, would ever be accidentally dug up. [Obviously. Probably never thought at all – ever. Bob] Also found buried in the park were police reports, traffic tickets and even ironically a ticket for littering.

Source -

Does this change MySpace's legal status from a simple conduit (like an ISP) to a moderator? Won't they become liable for anything they miss? Can they limit this check to sex offenders and ignore stalkers, identity thieves, etc.

27B Stroke 6

by Ryan Singel and Kevin Poulsen Tuesday, 5 December 2006

MySpace to Purge Sex Offenders

MySpace announced today it will begin searching its 100 million-plus user list for people listed in a national database of sex offenders.

Why didn't I think of that!

Just kidding. Obviously, this is a response to my story from October. If you missed it, I used a Perl script to screen-scrape the Department of Justice's National Sex Offender Registry and run all the names and ZIP codes through MySpace's search engine, verifying 744 matches from half the search results. One convicted child molester was actively courting new victims, and was arrested.

Now MySpace is going to do its own searching, in partnership with a background-check company called Sentinel Tech Holding Corp.

From the press release:

"We are committed to keeping sex offenders off MySpace," said MySpace's Chief Security Officer, Hemanshu Nigam. "Sentinel Safe will allow us to aggregate all publicly available sex offender databases into a real-time searchable form, making it easy to cross-reference and remove known registered sex offenders from the MySpace community. The creation of this first-of-its-kind real-time searchable database technology is a significant step to keep our members as safe as possible."

The whole first-of-its-kind, never-been-done-before, thank-God-the-technology-finally-exists thread runs throughout the press release. The language seems calculated to let MySpace escape responsibility for failing to police the sex offenders on its site prior to October, despite the availability of a free online registry demonstrably useful for exactly that purpose.

That said, Sentinel's database promises to be far more powerful than the DOJ registry I used. As described, it'll contain detailed information, including height, weight, eye and hair color, and the complete offense history of each offender -- all completely searchable. It'll be like a Google for sex offenders.

That leaves just one real disappointment in this announcement: How MySpace plans to use the data. With all that information at its disposal, and a "24-hour-a-day dedicated staff" using it, MySpace could seriously enhance its policing. Instead, the company is taking a sophisticated database and wielding it as a blunt instrument, simply banning everyone on the list from registering or keeping a MySpace account, regardless of who they are or what they did.

This is bad because, obviously, banning sex offenders won't keep them off MySpace: it'll just give them a reason to lie about their name or location, even if they aren't up to no good. (My survey found hundreds of past offenders, many with old or minor convictions, whose profiles reflected a seemingly normal life.) Now sex offenders who want to stay on MySpace will all be using false information from the start.

MySpace is essentially refusing an opportunity to detect and imprison active repeat offenders, by moving the entire superset of ex-offenders into the shadows. Does the convicted pedophile have lots of teenagers on his friendslist? MySpace won't know, because he'll be under the same veil of anonymity as the flashers and peeping toms.

We know there are some ex-sex offenders who attempt to recidivate from accounts opened under their real names. If you believe they will now stay off MySpace, then the company's policy is good for safety. But if you think they'll simply start spelling their name a little differently or lying about their ZIP code, then MySpace has lost the chance to take them off the streets.

MySpace is taking the easy way out. It may be good PR to be able to say that you don't allow past sex offenders of any stripe on your website, but the company should keep its eye on the ball: the goal isn't to keep a former flasher from blogging about his cat, it's to keep current pedophiles from pursuing children. MySpace could tell the difference, if it wanted to. A smart policing effort would use the sex offender database as one of many data points in keeping the site safe. Sometimes zero-tolerance is really tolerance.
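The post's central point is that exact matching on name and ZIP code is defeated by trivial changes, and that a registry is more useful as one scoring signal feeding a human review queue than as an automatic ban list. The following is an added illustration of that difference, written for this page; it is not code from the 27B Stroke 6 post, from MySpace, or from Sentinel. All registry and profile records are constructed, and the normalization rules, score weights and thresholds are illustrative assumptions, not anyone's production policy.

```python
"""
Platform-side screening: exact match vs. normalized/fuzzy match of a
watch list against user profiles. Added example with constructed data.
"""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample registry records (fictional people).
REGISTRY = [
    {"name": "John Q. Sample", "zip": "80202"},
    {"name": "Maria Delgado-Ruiz", "zip": "10001"},
]

# Constructed sample profiles: u1 is an exact match, u2 has a respelled
# name and a neighbouring ZIP, u3 differs only in case/punctuation,
# u4 is unrelated.
PROFILES = [
    {"user": "u1", "name": "John Q. Sample", "zip": "80202"},
    {"user": "u2", "name": "Jon Sampel", "zip": "80203"},
    {"user": "u3", "name": "maria delgado ruiz", "zip": "10001"},
    {"user": "u4", "name": "Alex Chen", "zip": "94105"},
]


def normalize_name(name):
    """Lowercase, strip accents and punctuation, drop single-letter initials."""
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    s = re.sub(r"[^a-z ]", " ", s.lower())
    tokens = [t for t in s.split() if len(t) > 1]
    return " ".join(tokens)


def name_similarity(a, b):
    """0.0..1.0 similarity of two names after normalization."""
    return SequenceMatcher(None, normalize_name(a), normalize_name(b)).ratio()


def zip_similarity(a, b):
    """Same 5-digit ZIP: 1.0; same 3-digit prefix (illustrative): 0.5; else 0."""
    if a == b:
        return 1.0
    if a[:3] == b[:3]:
        return 0.5
    return 0.0


def exact_matches(registry, profiles):
    """The blunt-instrument check: literal name and ZIP equality."""
    return {
        p["user"]
        for p in profiles
        for r in registry
        if p["name"] == r["name"] and p["zip"] == r["zip"]
    }


def fuzzy_matches(registry, profiles, name_threshold=0.8, min_score=0.7):
    """Weighted score (0.7 name, 0.3 ZIP; assumed weights) producing a ranked
    candidate list for human review rather than an automatic ban."""
    out = []
    for p in profiles:
        for r in registry:
            ns = name_similarity(p["name"], r["name"])
            if ns < name_threshold:
                continue
            score = 0.7 * ns + 0.3 * zip_similarity(p["zip"], r["zip"])
            if score >= min_score:
                out.append((p["user"], r["name"], round(score, 2)))
    return sorted(out, key=lambda t: -t[2])


if __name__ == "__main__":
    print("exact:", sorted(exact_matches(REGISTRY, PROFILES)))
    for user, ref, score in fuzzy_matches(REGISTRY, PROFILES):
        print(f"review {user}: resembles {ref!r} (score {score})")
```

On the constructed data the exact check finds only u1, while the scored check surfaces u3 (punctuation and case only) and u2 (respelled name, adjacent ZIP) as review candidates. The point is not the particular weights but the workflow: the registry contributes a score, and a reviewer, not a string comparison, decides.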

To stop technology you must understand it. To understand it you must study it. To study it is forbidden. Oops!

Iran's Solution To The YouTube Question: Just Block It

from the much-easier dept

Rather than just worry about the content available on YouTube like some others, it appears that Iran has decided to just block the entire site outright. Of course, you have to wonder how effective such a block really is. After all, this is the same country where broadband service providers apparently have no worries about ignoring the government's ban on broadband (which would seem like it might make YouTube less than useful anyway). However, with hundreds of competing sites, and more popping up every day, it seems that the Iranians who want to view the next viral video will just move on to some other site.

Mum's the Word on NSA Spying

Submitted by chrisek, 15 hours 8 minutes ago

Under questioning, the White House's new privacy oversight board admits it knows how many Americans were targeted by a controversial surveillance program. But it won't share the data and won't say if it recommends the data be shared. In 27B Stroke 6.

This would seem to be overreaction (assuming adequate security in the first place...)

Hackers attack U.S. Naval War College's computer network

Posted on Tue, Dec. 05, 2006

PROVIDENCE, R.I. (AP) - Hackers attacked the computer network at the Naval War College in Newport, taking down the school's network for more than two weeks, including some e-mail services and the college's Web site.

The Navy Cyber Defense Operations Command in Norfolk, Va., detected the intrusion around Nov. 16 and took the system offline, spokesman Lt. Cmdr. Doug Gabos said. He said the unclassified network was used by students.

Military spokesmen would not give an estimate on when the school's Web site will be back up. [Not back up yet! Bob]

The Naval War College bills itself as the Navy's leading center of strategic thought and national security policy.

Investigators were trying to determine the extent of the intrusion, Gabos said. They planned to upgrade firewalls and make other unspecified improvements.

"Once that is complete, the network will be restored," Gabos said.

miniLinks for 2006-12-05

December 05, 2006

Why the Novell / MS Deal Is Very Bad

Posted by kdawson on Tuesday December 05, @11:35PM from the laying-it-out dept. Novell Microsoft The Courts Linux

jamienk writes "PJ from Groklaw has taken the time to really explain the big picture of the Novell/MS deal and how it all fits into the SCO case and the strategy some have employed to attack Free Software. If you thought PJ was becoming too shrill before, or if you haven't understood what the big deal is with Novell's agreement, it's really worth a read."

From the article: "This is Groklaw's 2,838th article. We now have 10,545 members, who have worked very hard to disprove SCO's scurrilous claims, and we did. We succeeded, beyond my hopes when we started. But here's the sad part. As victory is in sight, Novell signs a patent agreement with Microsoft..."

Microsoft releasing book search in beta

By Candace Lombardi Story last modified Wed Dec 06 06:45:32 PST 2006

Microsoft is releasing Live Search Books, its competitor to Google Book Search, in beta on Wednesday.

The book search engine performs keyword searches for books that have been scanned as part of Microsoft's book scanning project, in the same way that Windows Live Search searches the Internet, said Danielle Tiedt, the general manager of Live Search Selection for Microsoft.

... Live Search Books' "Search inside a book" feature also allows users to search the full texts of scanned books. Microsoft has restricted the beta release of Live Search Books to only include noncopyright books scanned from the collections of the British Library, the University of California and the University of Toronto.

... Microsoft's new tool is similar in nature to Google Book Search in that it also allows full texts of public domain works to be viewed, searched or printed. Like Google, Microsoft has chosen to use PDF files for the full text downloads of books.

... Microsoft also plans to announce on Wednesday the addition of medical content to its Windows Live Academic Search, an engine that searches full texts of journals in conjunction with institutions' subscriptions to them. The addition of medicine as a category will "practically quadruple" the amount of available searchable content, according to Tiedt.

Chess Champion Loses Match to Computer

Dec 5, 6:24 PM EST

BONN, Germany (AP) -- World chess champion Vladimir Kramnik lost the sixth and decisive game against computer program Deep Fritz on Tuesday, ceding a hard-fought Man vs. Machine match 4-2.

The Russian takes $500,000 - half of what he would have received if he had won against Deep Fritz, a commercially available chess program that runs on a powerful personal computer.

Kramnik said he was "a bit disappointed" and expressed hope that a rematch could be arranged in a year or two. "With more time to prepare, I still have a chance."

Adobe Reader 8.0.0

Posted by Reverend on 05 Dec 2006 - 23:10 GMT

Adobe Reader 8 includes new document viewing options, advanced collaboration, increased time-saving ways to work with PDF files, and other new features to help you more securely and consistently communicate and collaborate using PDF files.

Download: Adobe Reader 8.0.0 (XP SP2/Vista)

View: Adobe Reader Homepage

Tuesday, December 05, 2006

Somehow this seems to lack a strategic vision...

Police camera proposal raises privacy concerns

Denver may expand surveillance already in place on Colfax

By Felix Doligosa Jr., Rocky Mountain News December 4, 2006

Denver criminals soon could be showing up on surveillance cameras on some of the city's most crime-ridden corners.

Members of the Denver Police Department are hoping to place cameras in targeted residential and commercial neighborhoods throughout the city. In some cases, the public might not know the equipment is there - unless they happen to spot the electronic eye atop a light pole or in another discreet location.

... "A program that assigns police officers to monitor public spaces through video surveillance has the potential to erode privacy, inhibit freedom and chill public expression in public places, with little or no benefit in reduced criminal activity," said Mark Silverstein, legal director for the American Civil Liberties Union of Colorado.

Silverstein said the benefits to law enforcement are illusory.

"If the cameras deter crime, (the criminals) simply move it to another place, potentially prompting a call for even more cameras and more surveillance."

... The equipment records images 24 hours a day, but officers do not constantly track the monitors. [So they're not interested in prevention? Bob] Investigators, however, can replay the video for help in identifying suspects or conducting an investigation.

Denver police have not been tracking any statistics on how much crime has been reduced from the cameras, but they believe the equipment is helping.

... In Baltimore, about 300 cameras survey alleys and streets in and near downtown.

Crime in these areas has gone down an average of about 17 percent, said Lt. Matthew Bauler of the Baltimore Police Department.

... Martinez insists that the Denver Police Department will not violate individual privacy rights.

Still very common and very, very irritating.

Monday, December 4, 2006 - Page updated at 12:07 PM

Washington state settles for $1 million in spyware case

The Associated Press

OLYMPIA - Washington state will receive a $1 million settlement from New York-based Secure Computer, resolving the state's first computer spyware lawsuit, Attorney General Rob McKenna announced today.

More than 1,140 Washington residents who bought the company's Spyware Cleaner software or in some cases, Popup Padlock, are eligible for refunds under the agreement filed in federal court last week.

Under the consent decree signed in Seattle by U.S. District Court Judge Ricardo Martinez, Secure Computer and company President Paul E. Burke agreed to pay $200,000 in civil penalties, $75,000 in restitution for consumers, and $725,000 in state attorneys' fees and costs. There was no admission or finding of wrongdoing under the agreement.

How not to research?

Swivel Aims To Become The Internet Archive For Data

Michael Arrington

Swivel Co-founders Dmitry Dimov and Brian Mulloy start off by describing their company as “YouTube for Data.” That’s a good start for someone trying to understand it, because the site allows users to upload data - any data - and display it to other users visually. The number of page views your website generates. Or a stock price over time. Weather data. Commodity prices. The number of Bald Eagles in Washington state. Whatever. Uploaded data can be rated, commented and bookmarked by other users, helping to sort the interesting (and accurate) wheat from the chaff. And graphs of data can be embedded into websites. So it is in fact a bit like a YouTube for Data.

But then the real fun begins. You and other users can then compare that data to other data sets to find possible correlation (or lack thereof). Compare gas prices to presidential approval ratings or UFO sightings to iPod sales. Track your page views against weather reports in Silicon Valley. See if something interesting occurs.

And better yet, Swivel will be automatically comparing your data to other data sets in the background, suggesting possible correlations to you that you may never have noticed.

Talk about setting yourself up for failure!

Feds Vote To Keep Faulty E-Voting Machines Because It's Too Much Work To Fix Them

from the democracy-is-hard-work;-too-bad-not-everyone-agrees dept

Remember last week when we were surprised, but happy, to hear that the feds were finally set to recommend the US stop using paperless e-voting machines? Well, apparently we were celebrating a bit too early. It's just come out that, despite the report recommending rejecting such machines, the Technical Guidelines Development Committee rejected the proposal when they couldn't get the 8 out of 15 votes necessary (no word on whether they used e-voting machines to count the vote). While there was support for it from some, others disagreed. However, the reason given for rejecting the proposal is really ridiculous: "You are talking about basically a reinstallation of the entire voting system hardware." Why yes. Yes we are. That's because the entire voting system hardware is totally screwed up. So, to be more specific, we're talking about stopping an e-voting program that has serious problems and has raised plenty of legitimate questions about just how fair and accurate our elections are. That seems like a perfectly valid reason that shouldn't be tossed aside just because it'll be a lot of work. We also thought that democracy itself was supposed to be hard work, but apparently some of those on the Technical Guidelines Committee disagree. On the bright side, Sarasota County may still be able to resell those e-voting machines that lost tens of thousands of votes to some other state now.

It's not Virtual Law, but that's where it's heading...

Judge Posner, virtually

Judge Richard Posner of the Seventh Circuit Court of Appeals will visit Second Life on December 7th, from 6-8pm Second Life Time (PST). Read all about it here.

Why we need Virtual Law

Did Google Let Clickfraud Case Drop, Rather Than Reveal Clickfraud Details?

from the sneaky,-sneaky dept

Nearly three years ago, a man was arrested for trying to blackmail Google over clickfraud. It was an amazingly brazen attempt. The guy had created a software program that he claimed could click ads without detection from Google, and then asked the company for $150,000 to keep him from releasing it. Google invited him to their offices for a meeting, where the guy even joked that "this feels like a blackmail session." Of course, law enforcement listening in one room over felt it actually was blackmail and charged the guy. However, Business Week notes that prosecutors quietly dropped the case two weeks ago, noting that while no one will talk publicly about it, the main reason may have been Google's reluctance to reveal much information for the case. Basically, the article contends that for Google to show that there were damages, they would have to explain how this program could successfully engage in clickfraud. Google may have then been concerned that revealing any of that info could either help other fraudsters, or give more ammo to various advertisers who are intent on suing Google over being charged for ads that are fraudulently clicked. However, on the flip side, the article notes that this admission that Google will let such obvious cases drop may encourage more people to engage in clickfraud, knowing that the risks aren't as high. It's still not clear why Google isn't somewhat more upfront with clickfraud. The company claims they don't want to help those engaged in the practice, but the more secretive they are, the more people question how successful they really are. It seems like there should be some middle ground where they can reveal some details without revealing how to beat their anti-clickfraud attempts.

December 04, 2006

DNI Information Sharing Environment Privacy Guidelines Released

Press release: DNI Information Sharing Environment Privacy Guidelines

Indeed worth reading...

Bendrath on the Politics of “Identity Governance”

Posted on Monday, December 4th, 2006 at 9:34 am

Ralf Bendrath has a thoughtful post on Oracle’s recently announced “Identity Governance Framework”, a set of draft standards for sharing and controlling personally identifiable information across different systems and applications. He was particularly struck by the use of the term “governance” in this context, and how it reflects a changing discourse on privacy & identity management:

... He writes more, and it is worth reading.

Expect to see similar tools from other vendors...

CommVault Streamlines Legal Search and Discovery of Enterprise E-mail

New E-mail Management Enhancements Save Significant Discovery Time for Legal Teams, Builds on End-User Mailbox Management

CommVault (NASDAQ: CVLT), a leading provider of Unified Data Management solutions, today announced data archiving software enhancements that improve legal search and discovery of enterprise Microsoft Exchange e-mail. Building upon its proven end-user mailbox search and retrieval features, CommVault has added a new specialized discovery search capability to the Microsoft Outlook client. Now, legal or compliance teams can directly search and retrieve messages from e-mail archives, based on the content in e-mail messages, attachments, instant messages, PST files or SMTP messages, without IT assistance.

Today, e-mail is the most frequently-requested type of business record sought by courts and regulators. Research by industry analysts at the Enterprise Strategy Group indicates that an estimated 77 percent of organizations involved in an electronic data discovery request say they have been asked to produce e-mail messages. As a result, IT organizations and legal groups must collaborate on discovery processes that require the search, retrieval and production of e-mail for litigation support.