Monday, December 31, 2007

“We don't need no stinking security!”

(update) Computer heist puts voter IDs in danger

Sunday, December 30 2007 @ 08:51 AM EST Contributed by: PrivacyNews News Section: Breaches

The names, addresses and complete Social Security numbers of more than 337,000 Davidson County voters may be in the hands of thieves, Metro election officials said Friday.

... Election officials had said earlier in the week that the computers stolen over the Christmas holiday from the Metro Election Commission offices at Howard School Building, 800 Second Ave. S., contained voters' partial Social Security numbers, along with other personal information.

"As we looked deeper … we now know that full Social Security numbers were included on the voter files contained on one or more of the stolen computers," county Election Administrator Ray Barrett said.

Source -

[From the article:

It wasn't the only break-in of a public building over the holiday. Several laptop computers and a desktop computer were stolen from the state Safety Department's information technology building in south Nashville on Christmas Eve or Christmas Day.

The agency issues Tennesseans handgun-carry permits, and in the past it has overseen the unit that issues drivers' licenses. However, Safety Department officials said they believe personal information was not compromised, because nearly all of the computers were taken from a repair office and their memories are believed to be blank. [How about their hard drives? Bob]


Data “Dysprotection:” breaches reported last week

Monday, December 31 2007 @ 08:16 AM EST Contributed by: PrivacyNews News Section: Breaches

A recap of incidents or privacy breaches reported last week for those who enjoy shaking their head and muttering to themselves with their morning coffee.

Source - Chronicles of Dissent

Anyone who would like this protection can apply for Ordination in the Church of the Suppressed Evidence for a mere $19.95

FL: Pastor had a reasonable expectation of privacy in his church office computer

Monday, December 31 2007 @ 08:28 AM EST Contributed by: PrivacyNews News Section: In the Courts

Search of a church office computer of the pastor was unconstitutional. The operational realities of the workplace are to be considered. And, the defendant had a subjective expectation of privacy in his office computer. The fact that his superiors in the church could enter the office did not mean that the police could, too. State v. Young, 2007 Fla. App. LEXIS 20515 (Fla. App. 1DCA December 26, 2007)

Source -

[From the case:

The events leading to the search of Young’s office and computer began when the church administrator received a call from the church’s internet service provider.

A representative from that company informed the church administrator that spam had been linked to the church’s internet protocol address. In response to this call, the church administrator ran a “spybot” program on the church’s computers. [Holy Hacking, Batman! Bob] She testified that when she ran the program on Young’s computer, she saw “some very questionable web site addresses.” The church administrator then contacted a member of the staff parish and an information technology (IT) person to set up a time to have the computer examined.

... When a computer is involved, relevant factors include whether the office has a policy regarding the employer’s ability to inspect the computer, whether the computer is networked to other computers, and whether the employer (or a department within the agency) regularly monitors computer use.

Nice simple overview of Data Mining...

December 30, 2007

Recent CRS Reports: Tanzania, Data Mining and Homeland Security, Egypt, China and WMD

Worth looking at... (Includes a pointer to the complete list)

Google Products You Forgot All About

Posted by Zonk on Monday December 31, @02:27AM from the hiding-in-plain-sight dept. Google The Internet

Googling Yourself writes "Lifehacker has an interesting blog post on the "Top 10 Google Products You Forgot All About" that includes stalwarts like Google Trends and Google Alerts and a few others that may not be quite so familiar like Google Personals, Google's WYSIWYG web site creation tool, and Flight Simulator for Google Earth."

Sunday, December 30, 2007

No doubt they track the preferences of their listeners...

Montgomery Man's Personal Information on Missing Military Computer

Saturday, December 29 2007 @ 03:21 PM EST Contributed by: PrivacyNews News Section: Breaches

J.J. Evans spent 24 years in the Air Force protecting our country. Now he's angry because he says the military didn't protect his personal information. He says, "When you trust someone with that, you expect better."

Air Force officials sent Evans a letter detailing how a military laptop computer is missing and it contains personal information including social security numbers, birth dates, addresses, and telephone numbers of active and retired Air Force members. "When someone gets a hold of a computer, they can wreck things," Evans says.

The laptop belonged to an Air Force band member at Bolling Air Force Base in Washington D.C. He reported it missing from his home. Evans questions why a band member would have a computer that contained personal information. He says, "I can't think of anything job related reason."

Source - WSFA

Note: In earlier coverage, Air Force officials indicated that the data for 10,501 people were on the computer.

Who signs off on these decisions?

Update: Adobe Replies To Privacy Spy Concerns

Saturday, December 29 2007 @ 11:44 AM EST Contributed by: PrivacyNews News Section: Businesses & Privacy

Yesterday we wrote about Adobe (Nasdaq: ADBE) and their potential spying on CS3 customers. The questions were based on screenshots showing a domain "" which is owned by tracking firm Omniture. The screenshot (posted below again) shows what appears to be an internal IP address which it's not. Why would Adobe try to hide the tracking with a fake IP address?

John Nack, Adobe Photoshop product manager has provided a reply to the privacy concerns. He mentions that Adobe is closed this week and so his reply is the best he could find out while everyone else is away.

.... So John, let me throw it back over to - you note that I can opt-out of the tracking. Where in the installation process is the opt-out screen? Can you post a screenshot of the opt-out screen on installation? And why does Adobe try to hide the tracking by using a fake IP address? Don't say because that's how Omniture said to set it up. Thanks!

Source - CenterNetworks

The 2007 International Privacy Ranking

Saturday, December 29 2007 @ 06:30 PM EST Contributed by: PrivacyNews News Section: Other Privacy News

Each year since 1997, the US-based Electronic Privacy Information Center and the UK-based Privacy International have undertaken what has now become the most comprehensive survey of global privacy ever published. The Privacy & Human Rights Report surveys developments in 70 countries, assessing the state of surveillance and privacy protection.

The most recent report published in 2007, available at, is probably the most comprehensive single volume report published in the human rights field. The report runs over 1,100 pages and includes 6,000 footnotes. More than 200 experts from around the world have provided materials and commentary. The participants range from eminent privacy scholars to high-level officials charged with safeguarding constitutional freedoms in their countries. Academics, human rights advocates, journalists and researchers provided reports, insight, documents and advice. In 2006 Privacy International took the decision to use this annual report as the basis for a ranking assessment of the state of privacy in all EU countries together with eleven non-EU benchmark countries. Funding for the project was provided by the Open Society Institute (OSI) and the Joseph Rowntree Reform Trust. Follow this link for more details of last year's results.

The new 2007 global rankings extend the survey to 47 countries (from the original 37) and, for the first time, provide an opportunity to assess trends.

The intention behind this project is two-fold. First, we hope to recognize countries in which privacy protection and respect for privacy is nurtured. This is done in the hope that others can learn from their example. Second we intend to identify countries in which governments and privacy regulators have failed to create a healthy privacy environment. The aim is not to humiliate the worst ranking nations, but to demonstrate that it is possible to maintain a healthy respect for privacy within a secure and fully functional democracy.

Source - Privacy International: Leading surveillance societies in the EU and the World 2007

Related - Globe and Mail: Canada leads world in privacy: report

These are either the basis for security policy guidelines or a list of Class Action triggers...

IT and the Changing Privacy Landscape: Eight Areas to Watch in '08

Saturday, December 29 2007 @ 11:40 AM EST Contributed by: PrivacyNews News Section: Other Privacy News

In the waning days of the 20th century, privacy was more a marketing hook than an obligation, focused on customer preference and features to help companies earn a competitive edge. Privacy today is a concept more closely associated with the potential for abuse and the very real threat of inappropriate access or exposure, identity theft and fraud—with the responsibility resting squarely on the shoulders of any organization handling personal information for consumers, customers, employees or business partners.

Source - CIO

Clearly this is a trend. Is there a market for a more elaborate method of searching than Google provides?

December 29, 2007

Massachusetts Cases From 1986-1996 Now Online

Massachusetts Trial Court Law Libraries Blog: "We are pleased to announce the availability of all Supreme Judicial Court and Mass. Appeals Court cases from 1986-1996 at Cases are accessible by citation, case name, or through a Google custom search on the site. The collection also includes hundreds of the most-cited older Mass. cases."

[Even this Google tool: ]

You could start from scratch, but why re-invent?

December 29, 2007

Draft Guide for Assessing the Security Controls in Federal Information Systems

SP 800-53 A - DRAFT Guide for Assessing the Security Controls in Federal Information Systems: "NIST announces the release of Draft Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems. This final public draft provides comprehensive assessment procedures for all security controls in NIST Special Publication 800-53 (as amended) and important guidance for federal agencies in building effective security assessment plans. Comments will be accepted until January 31, 2008... Final publication of NIST Special Publication 800-53A is expected in March 2008."

Tools & Techniques

5 “Disposable” Web Accounts to Keep Your Identity Safe — Fed up with spam? Tired of telemarketing calls? Feelin’ paranoid about identity theft? … Here you’ll find a bunch of “throwaway” web tools that can help you out.

Interesting, but I'm not certain the studios will recognize this as a threat. Consider a parallel. High school kids produce the plays of Shakespeare (Greek tragedy, Aesop's Fables, etc.) and distribute them free...

Writers Guild Members Look to Internet Distribution

Posted by Soulskill on Saturday December 29, @12:24PM from the playing-nice-with-others dept. Media The Internet

stevedcc writes "The Guardian is running an article about members of the Writer's Guild, still on strike, creating their own ventures to deliver content over the internet. The intention is to get their work to consumers while bypassing the movie studios. Their effort will include actors and directors, and it is not the first step they have taken to expand their interests during the strike. One particular project is said to include A-list talent, and will be released in roughly 50 daily segments before going to DVD. This is also relevant to the strike because, as the article states, 'at the core of the current dispute is the question of how to reimburse writers for work that is distributed on the internet.'"

Have they lost it entirely?

RIAA Now Filing Suits Against Consumers Who Rip CDs

Posted by Zonk on Sunday December 30, @08:31AM from the because-we-needed-another-reason-to-be-cranky-at-them dept. Music Businesses

mrneutron2003 writes "With this past week's announcement by Warner to release its entire catalog to Amazon in MP3 format with no Digital Rights Management, you would think that the organization that represents them, The RIAA, would begin changing its tune. Instead, they are pressing on in their campaign against consumers by suing individuals who merely rip CDs they've purchased legally. 'The industry's lawyer in the case, Ira Schwartz, argues in a brief filed earlier this month that the MP3 files Howell made on his computer from legally bought CDs are "unauthorized copies" of copyrighted recordings.'"

Because you can never have enough... - User-submitted Audio Jokes

Here’s a site that will come in handy for the ever present uncle that has been telling the same jokes over the past 20 years. is a community of jokers that submit audio jokes which can be later heard or shared by other community members by pasting html codes in their respective sites, social networking profiles or blogs. Each joke is presented in an individual site and is played with a fast-loading flash player, and as each joke can be tagged, users can browse the site by joke category (wife, kids, cowboy, cannibal, priests, bar, dog, woman, blonde, etc). Additionally, jokes can be commented on and rated, which is a rather vital issue, as there is an ongoing contest to find “the best joke teller on the planet”, with a $2,500 cash prize. In order to record a joke on ComicWonder, users have to indicate their phone number, and will later receive a call from the system which will guide them through recording, in order to ensure adequate playback quality.

Saturday, December 29, 2007

How complex could the contract language be that would require encryption or forbid transporting copies of data? Should take a competent lawyer about 15 minutes, right? (Is that why it isn't done? Too few billable hours?)

MN Agency Data On Computer Stolen In Philadelphia

Friday, December 28 2007 @ 04:23 PM EST Contributed by: PrivacyNews News Section: Breaches

A laptop computer containing names, Social Security numbers and other personal information for 219 Minnesotans licensed by the state Department of Commerce has been stolen.

Commerce Department officials say the computer belonging to a vendor went missing December sixth in Philadelphia. The vendor, Promissor Corporation, notified police of the apparent theft. But state officials say the company waited until December 21st to tell the Department of Commerce.

Source - WCCO

“Let's implement the technology now, we can worry about security later.”

Passenger Hacks NYC Taxi Computer System

December 28, 2007 By Renee Boucher Ferguson

The New York City Taxi and Limousine Commission's technology enhancement plan that puts GPS systems, credit card scanners and monitors in the city's 13,000-plus taxis has come under fire again—this time from a passenger who hacked the computer monitor and gained access to its operating system.

On Dec. 1 software engineer Billy Chasen posted a walk-through on his personal blog '[An Error Occurred While Processing This Directive].com' of how he hacked into a computer screen mounted on the back seat of a cab he hailed on New York's Upper West Side. The story was initially reported Dec. 26 on, a local news station.

... Using his cell phone camera Chasen documented how he was able to open Internet Explorer using the touch-sensitive screen. He was then able to use a Sprint card listed on the monitor to get a dial-up connection giving him full administrative access to the monitor's operating system.

"It was not only a security flaw, but people also pay with the screen if they use a credit card," wrote Chasen. "That information could potentially be stored locally."

... "There are extensive contract-required security protocols in place, which have exceeded government and credit card industry standards and have been stringently tested by internal and external security experts, which fully prevent access to anything other than media content residing in the taxicab itself," said Fromberg in an e-mail to eWEEK. "There is no potential for any malicious activity." [“Nothing can go wrong... go wrong... go wrong...” Bob]

I was pretty sure this would be traced to a tiny little third-party firm that would probably go out of business because they irritated Wal-Mart. Guess I was wrong.

Gift Card Verification Glitch Hits Wal-Mart, Others

By Evan Schuman December 28, 2007

Wal-Mart apologizes to customers and blames its third-party vendor.

Shoppers at Wal-Mart and other chains were unable to use their gift cards much of Dec. 26. While Wal-Mart apologized to customers, it laid the blame squarely on the shoulders of its technology partner.

... Wal-Mart did not identify the supplier in its statement, but a South Carolina television journalist reported that Wal-Mart told her it was First Data.

Well, this should solve everything.

Sex Offenders Are Barred From Internet by New Jersey

By THE ASSOCIATED PRESS December 28, 2007

EWING, N.J. (AP) — New Jersey enacted legislation on Thursday banning some convicted sex offenders from using the Internet.

... No federal law restricts sex offenders’ use of the Internet, and Florida and Nevada are the only other states to impose such restrictions.

The bill applies to anyone who used a computer to help commit the original sex crime. It also may be applied to paroled sex offenders under lifetime supervision, but it exempts work done as part of a job or search for employment.

... Under the new law, convicted sex offenders will have to let the State Parole Board know about their access to computers; submit to periodic, unannounced examinations of their computer equipment; and install equipment on their computer so its use can be monitored. [“After all, if we can't trust sex offenders to let us know what they're doing, who could we trust?” Bob]

How to be Green? Might be a model for my web site or small business classes...

Vienna Launches Online Flea Market

Dec 28, 9:30 AM EST

VIENNA, Austria (AP) -- Regift - online.

Viennese city officials have launched a free Web forum for people to trade, sell and give away things they do not need - including unwanted Christmas gifts.

The idea is simple: People post their offerings online and are contacted by those in their area who are interested. Requests can also be submitted.

Ulli Sima, city councilor for environmental issues, said she hopes the online flea market will mean less waste.

"Whoever uses the flea market does something good for the environment and, at best, will save money," Sima said.

Posted items cover a broad spectrum, including clothing, toys, furniture, sports equipment and electronics.

Vienna Flea Market,

Another potential “small business.” Oh, wait, I do this already! Note that the subject has to be narrow but useful. Perhaps I could start a class, “Blogging for Dollars?”

Blogging for Dollars

By Candice Choi AP 12/28/07 8:32 AM PT

It doesn't take much technical skill to publish a blog -- just have something to say that a select group of people might find interesting. Even though most blogs don't get giant amounts of traffic, those that manage to attract a regular stream of readers who share the blogger's interest are a prized audience for advertisers looking to target their ads with pinpoint accuracy.

Zach Brooks pocketed US$1,000 this month blogging about the cheap lunches he discovers around midtown Manhattan ($10 or less, preferably greasy, and if he's lucky, served from a truck).

The site,, is just a year and a half old and gets only about 2,000 readers daily, but it's already earning him enough each month for a weekend trip to the Caribbean -- or in his case, more fat-filled culinary escapades in the city.

... Some advertisers have even found better response from smaller sites with more passionate, engaged audiences.

Friday, December 28, 2007

Interesting, not for the volume but for the possibility that there is a leak in a bank's IT systems that allows this. If I were the WaMu CIO, I'd be sweating.

HI: Thief Snags Identity of 900 People

Friday, December 28 2007 @ 06:26 AM EST Contributed by: PrivacyNews News Section: Breaches

Police need your help catching a sophisticated identity thief.

He has racked up 900 victims nationwide and stolen $88,000 from ATM's all over Oahu. All the victims have accounts with Washington Mutual Banks.

Police think he gets victim’s personal information, changes their pin numbers and requests duplicate ATM cards. [Not a fast way to the cash, but safe? Where do they send the cards? Bob]

"He somehow got information from victims, whatever information needed, and on his cell phone was able to call Washington Mutual Bank and change pin numbers for over 900 victims," said Kim Buffett, CrimeStoppers.

Source - KGMB9

A shame this requires a law, rather than a “standard medical procedure.” Does the information stay with the Doctor or go to the State?

N.J. Orders HIV Testing For Pregnant Women

Friday, December 28 2007 @ 06:31 AM EST Contributed by: PrivacyNews News Section: State/Local Govt.

New Jersey this week launched one of the most ambitious efforts in the country to control mother-to-child transmission of HIV, making screening tests mandatory for all pregnant women in the state beginning next year.

A bill signed into law Wednesday by the Senate president, Richard J. Codey, in his capacity as acting governor, requires two tests for pregnant women, at the beginning of the pregnancy and again in the third trimester, unless the mother objects. [So much for mandatory... Bob] If the mother objects, the objection will be noted and the newborn will then be tested for HIV, with the only exception being on religious grounds. Newborns will also be tested if the woman tests positive.

Source - Washington Post

Convergence. Who should pay and with what rules?

iPhone and the Business-to-Personal Gadget Migration

By David Pendered Atlanta Journal-Constitution 12/28/07 4:00 AM PT

There's no doubt that wireless devices are everywhere. They chirp in theaters and tablecloth restaurants. People with laptops access the Internet in restaurants and other public places. What's new is the growing migration of the full contingency of wireless devices from the business world into the personal realm. Devices like the iPhone come in handy for both business and pleasure.

Perhaps better packaging next time?

(update) Missing NY state employee data tapes found

Thursday, December 27 2007 @ 05:31 PM EST Contributed by: PrivacyNews News Section: Breaches

Five computer tapes containing the Social Security numbers, birth dates and other personal information for about 900 employees and retirees are back in the hands of the state Dormitory Authority after going missing for more than a week.

Authority spokesman Marc Violette says UPS found the tapes at its Missouri warehouse for lost items, where they were sent after getting separated from their packaging at a sorting facility in Manhattan. They were returned Thursday.

He says the tapes were checked and found undamaged and free of tampering. [Copying leaves no evidence... Bob]

Source - Newsday

An important research tool?

Ig Nobel Prize publisher to go free online

Posted by Candace Lombardi December 27, 2007 9:00 AM PST

The Annals of Improbable Research, best known as the host of the Ig Nobel Awards, will now offer a free online version of its journal.

The Ig Nobel Prizes ceremony, an annual event held at Harvard University and parody of the Nobel Prizes, honors discoveries in science and technology that "first make people laugh, and then make them think."

Past winners include: Mayu Yamamoto of the International Medical Center of Japan who invented a way to extract vanilla fragrance and flavoring from cow dung; an Air Force Research Laboratory in Dayton, Ohio, who invented a chemical weapon that when dropped causes heterosexual men to become attracted to each other; and Howard Stapleton for his so-called electromechanical teenager repellent device that produces a sound audible only to those 30 or younger.

The Annals of Improbable Research journal, while now available free online will still continue to be offered in a print version "for subscribers who like their electrons blended with protons and neutrons," the publisher said in a statement.

No doubt the first of many....

THREAT LEVEL's Year in Review -- 2007

By Kevin Poulsen December 27, 2007 | 5:34:32 PM

Hard to kill, but they keep trying.

SCO Receives Nasdaq Notice Letter

Thursday December 27, 1:24 am ET

LINDON, Utah, Dec. 27 /PRNewswire-FirstCall/ -- The SCO Group, Inc. ("SCO") (Nasdaq: SCOX - News), a leading provider of UNIX® software technology and mobile services, today announced that it received a Nasdaq Staff Determination letter on December 21, 2007 indicating that as a result of having filed for protection under Chapter 11 of the U.S. Bankruptcy Code, the Nasdaq Listing Qualifications Panel has determined to delist the company's securities from the Nasdaq Stock Market and will suspend trading of the securities effective at the open of business on Thursday, December 27, 2007.

Thursday, December 27, 2007

Was this report the basis for TJX's level of security spending?

December 26, 2007

2007 Annual Study: U.S. Cost of a Data Breach

Ponemon 2007 Annual Study: U.S. Cost of a Data Breach - Understanding Financial Impact, Customer Turnover, and Preventive Solutions: This study "was derived from a detailed analysis of 35 data breach incidents. According to the study, the cost per compromised customer record increased in 2007, compared to 2006. Lost business opportunity, including losses associated with customer churn and acquisition, represented the most significant component of the cost increase. Companies analyzed were from 16 different industries, including communications, consumer goods, education, entertainment, financial services, gaming, health care, hospitality, internet, manufacturing, marketing, media, retail, services, technology, and transportation."

One positive outcome of the TJX data spill?

OR: Law requires businesses to protect personal data

Thursday, December 27 2007 @ 06:38 AM EST Contributed by: PrivacyNews News Section: State/Local Govt.

... Identity theft is rampant in the U.S. The Federal Trade Commission ranks Oregon as the 13th-worst state per capita for this crime. Therefore, it's good business to protect personal information. And in a few days -- Jan. 1 -- it will be law.

The Oregon Identity Theft Protection Act (SB 583) will require businesses, organizations and government agencies to have a plan in place to protect the personal data they collect, keep and share. Personal data is defined as a person's name in combination with either a Social Security number, Oregon driver's license or identification card number, passport number or other U.S.-issued identification number or financial account number, credit or debit card number along with any required access code or password that provide access to a financial account.

All plans are not made equal -- they will vary depending on the nature and size of the business. The key is taking reasonable measures to ensure the confidentiality of your customer and employee information. For example, encrypt, or make unreadable, computerized files -- especially files on laptops; designate one or more employees to coordinate a security program; and know what sensitive information you have.

Source -

...and a negative outcome? This is simpler than it sounds. Just give the government all the data you want kept secret, and they will match it against online data (and send the take-down notices) for you! Aren't they nice guys?

Can Legislation Let People Opt-Out Of Having Their Info Show Up Online?

from the seems-like-a-long-shot dept

The "Do Not Call" list has been something of a success over the past five years, but the various attempts at similar "do not X" lists always seem a bit ridiculous. The latest, coming from the state of Connecticut, would institute an impossible to enforce and most likely unconstitutional universal opt-out list for your info online. The idea is that there are so many directory sites/people search engines/list sites online, many of which have your name, address and potentially other information such as where you work. The law proposed by Connecticut's governor would allow you to "opt-out" and require all of these sites to take your info offline. Of course, as the article notes, much of that info is already public info and there's nothing illegal about compiling a list of public information. Where would the line be drawn? If your info shows up in a Google search, is Google suddenly liable? It's also unclear how you could possibly enforce a requirement that someone's name and address never get posted online. If anything, it sounds like more grandstanding legislation designed to make a politician look good rather than deal with the very real issues at hand concerning privacy.

In order to manage this (or any) risk, first you must formulate a strategy. “Don't worry about it.” isn't the one I would recommend.

UK: Primary school data 'at risk'

Wednesday, December 26 2007 @ 02:56 PM EST Contributed by: PrivacyNews News Section: Non-U.S. News

Personal details of some two million primary schoolchildren in England are being put at risk by staff taking home unprotected data, it has been claimed.

A survey of almost 1,000 primary schools found that almost half, 49%, were backing up pupil data onto discs, memory sticks or tapes which were taken off the school premises, exposing the material to loss or theft.

IT experts, RM School Management Solutions (RM SMS), which carried out the survey, said that just 1% of respondents encrypted the data.

Source -

Not uncommon for data to exist in one system, but be unavailable to another. You have to PLAN to use your data to advantage...

SF meter maids ticket stolen car 29 times

A San Francisco woman reported her Honda Civic stolen to the San Francisco police. A few weeks later, she got a parking citation in the mail for her stolen car. Then she got another. And another. In total, her car got ticketed 29 times while being listed as stolen. She called the police and the city's Department of Parking and Traffic, but didn't get any solid answers about the whereabouts of her car, nor why it was being ticketed after being reported stolen. Eventually, she and a friend decided to drive around locations where the car had been ticketed to try to find it.

After driving for three hours, they located the car and waited for an hour before the police showed up. San Francisco's finest were not interested in catching the thieves and didn't search the car before releasing it.

Hey, we don't lecture so you can quote us!

Professor Uses Copyright Threats After Joke Commercial Uses Some Of His Lecture

from the copyright-insanity dept

So many stories of copyright being abused, so little time... The latest, as sent in by Jon and a few others involves an MIT professor who got upset when he found out that a commercial for a Ricoh copier happened to use a tiny bit of text (2 sentences) from one of his published lectures to set up a joke. You can see the commercial here:

You can see the full lecture, but the quotes in the commercial come from the sixth paragraph. The professor then sent a legalistic letter to the folks who made the commercial, who have agreed to "settle" by donating $5,000 to two science related charities. Once again, though, we're seeing a misuse of copyright law in action -- even if the end result is positive (some extra cash for some science charities). It would seem like a clear case of fair use here, where the use of these lines in the commercial were unlikely to damage the commercial potential of the professor's work. It's yet another case where someone is using copyright to try to control all aspects of his work, when that's not its purpose at all.

Interesting. I wonder what other areas are hot?

The Journalism Business Is Dying? Someone Forgot To Tell Sports Reporters...

from the time-to-go-into-sports-reporting dept

For all the whining from professional journalists about how the internet is killing newspapers and putting journalists out of work, apparently someone forgot to explain that to some of the companies hiring journalists these days. The NY Times has an article noting how ESPN, Yahoo and Sports Illustrated have been slugging it out trying to hire sports reporters from various newspapers, sometimes at three times their existing salaries. Newspapers are complaining that they just can't keep their sports reporters -- which is a fairly amazing statement, because being a sports reporter is a dream job for many people. So, perhaps rather than freaking out about how the internet is "destroying" their business, journalists might want to start looking around at the new opportunities the internet is creating for journalists where they can keep doing what they do best, and actually earn a lot more money.

Your tax dollars at work? Another high-priority target for hackers? (The comments are interesting...)

FBI to Put Criminals Up in Lights

Posted by samzenpus on Thursday December 27, @07:52AM from the billboard-busted dept. United States Technology

coondoggie writes "The FBI today said it wants to install 150 digital billboards in 20 major U.S. cities in the next few weeks to show fugitive mug shots, missing people and high-priority security messages from the big bureau. The billboards will let the FBI highlight those people it is looking for the most: violent criminals, kidnap victims, missing kids, bank robbers, even terrorists, the FBI said in a release. And the billboards will be able to be updated largely in real-time — right after a crime is committed, a child is taken, or an attack is launched. Chicago, Las Vegas, Los Angeles and Miami will be among those cities provided with the new billboards."

Wednesday, December 26, 2007

...and a Merry Christmas to all Class Action lawyers!

Facebook alarms privacy advocates again

Tuesday, December 25 2007 @ 09:17 AM EST Contributed by: PrivacyNews News Section: Internet & Computers

Six weeks after Facebook launched a controversial advertising program that tracked its members around the Internet, the Palo Alto company is quietly testing a new system that slips links to its mobile software onto smart-phones on the T-Mobile USA network without the permission of the devices' owners.

BlackBerry owners can hide the blue-and-white Facebook icon, but they can not delete it.

Brandee Barker, director of corporate communications for Facebook, said users still must choose to use the mobile application and that no personal information will be at risk. She said Facebook will not share its members' data with T-Mobile or Research in Motion, which makes BlackBerry devices. In addition, she said, neither T-Mobile nor Research in Motion is sharing the information they gather about a person's location or the contacts stored on his or her BlackBerry with Facebook.

Source -

Unfortunately, a logical (perhaps not ethical) conclusion.

Where Does TJX Lie on the Naughty-Nice Line?

December 24, 2007 By Evan Schuman

As the TJX case all but winds itself to a close, it's not a bad time to look at everything we've learned and try and answer the holiday-themed IT security question: Does TJX deserve a lump of coal for the worst data breach in credit card history, affecting some 100 million credit cards?

Regular readers of this column know that I have had a wide range of less-than-flattering things to say about the security setup of The TJX Companies, but there's a broader question here. TJX is a business. A $16-billion-a-year massive retail chain kind of business. As a publicly held company, it has a fiduciary obligation to do things in a certain way. [Not so. HOW they achieve goals is completely open. Bob]

If we move away from the question, "Did TJX do everything possible to try and protect consumer data?" (which merits a "What planet are you on? Of course it didn't") and focus on, "Did TJX do what was reasonable and appropriate at the time it did it?" things look a lot different.

The latest news was utterly predictable. TJX's deal with Visa, in which TJX would give money to certain banks in exchange for promises to not sue, was approved overwhelmingly on Dec. 20. Two days earlier, TJX also worked out similar settlements with most of the banks suing it. In short, only one bank is left suing TJX and that litigation will happen in Alabama state court. The consumer class action lawsuit is essentially settled as well. (The final approval will come from a federal judge who has already said he will approve it.)

The core problem with the TJX cases is that the lawsuits wanted to accuse TJX of something that is not illegal in any state. They wanted to hold the retailer liable for not properly protecting consumer credit card data. But there isn't anything on the books in any state or the federal government that requires that. Some industry efforts—most notably the PCI DSS (Payment Card Industry's Data Security Standard)—seek to require it, but those efforts have no muscle, other than the ability to deny a chain the right to accept the cards for payment.

But the persuasive power of any threat is in direct proportion to the likelihood that said threat would ever be carried out. The card brands might exclude some tiny store to make a point, but the amount of lost revenue from excluding a Wal-Mart, a Target or a TJX would make that threat rather non-frightening.

One of TJX's defenses has been that its security wasn't materially worse than any other retailer of similar size. Sadly, it's a true point and one which we made in this column many months before TJX made it.

But that's not TJX making excuses. When the chief financial officer and CIO of any retailer evaluate technology investments, they look at the issues of return on investment (a big-time Achilles heel for security), risk avoidance (the savior for security) and keeping up with the Joneses. Expenditures will seem prudent as long as the company's security measures are not dramatically different from those of other similarly sized retailers.

Let's take a quick look at the lawsuits, because they become relevant here.

Myth #1: TJX was sued because it was breached. Reality: Tons of retailers are breached every week. TJX was sued because word of this breach was announced and—much more importantly—because TJX has deep pockets. Without sounding like a corporate titan apologist, the suggestion that TJX was sued because it has money is really not that far off.

Myth #2: TJX was sued because its security was pathetic. Reality: this myth is a lot closer to the truth, but again, tons of retailers have pathetic security. To honestly evaluate TJX's decisions requires a lot of context. Had TJX invested a lot more money in beefing up its security, would this breach have necessarily been prevented? How about future breaches? Had the TJX CFO asked that question a few years ago, I think the answer would have been, "There's no way to make any system completely secure, sir, no. We could spend all this money and theoretically still get breached."

TJX was spending millions on security and its security systems—although weak—do not appear to be that much worse than others in that space.

The lawsuit issue is an interesting one. What if TJX had approved all of those security upgrades and still gotten breached? Even better, what if it had spent an extra $100 million and made its systems quite secure—much more so than similarly sized rivals—and avoided a breach? Now what if its profits plunged? Could not stockholders have sued the company for having spent money recklessly and needlessly? How many advertising campaigns and CRM (customer relationship management) programs and Web site upgrades would have been delayed because that money had been put into security? [Most unlikely. However, it would have been useful to have someone look at activity logs – they could have detected the hackers setting up new passwords. Bob]

I'm not saying that TJX was blameless. (I'm still waiting for an explanation of how intrusions continued to happen for multiple years before they were detected.) But I am pointing out that security investments are among the most difficult decisions and we need to be careful before criticizing those decisions.

A small window into the thinking of TJX came out in court filings that quoted TJX CIO Paul Butka's e-mails. They revealed a thoughtful internal debate about wireless security upgrades, in which cost was indeed a consideration, as it needed to be, and there was an intent to eventually make the upgrades.

That said, 'tis time to make that Santa Coal recommendation.

I'd say yes to coal for most of the major retailers for dropping the ball on security. Bigger chunks of coal need to go to state legislators and the U.S. House and Senate for failing to pass any laws protecting consumer data (although Minnesota got quite close). But to TJX? I'd give it a pass.

TJX theorized—correctly—that any breach wouldn't cause any impact on sales, as consumers (protected by the card brands' zero-liability deals) would stand by it. With that regrettable fact out there, it would have been extremely difficult for TJX to have justified spending much more than it did.
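The editorial note above, that someone reviewing activity logs could have spotted intruders setting up new passwords, is the kind of review that is easy to automate. The script below is an added example, not code from the column, from TJX or from any vendor: it scans constructed syslog-style lines for account creation and password changes and flags those made by an account that is not an approved administrator, made outside the maintenance window, not covered by an approved change, or creating a new uid 0 account. The log format, host names, account names, window and change list are all assumptions made for the example.

```python
"""Flag credential changes in an authentication log.

Added example (not from the article or from TJX). It reviews constructed
syslog-style lines for account creation and password changes and reports
the ones that do not look like planned administrative work. The log
format, hosts, accounts and policy inputs below are assumptions.
"""
import re
from datetime import datetime

# Constructed sample log lines for the example; not real data.
SAMPLE_LOG = """\
2007-05-10 09:14:02 posdb01 useradd[2211]: new user: name=reportsvc, uid=1043, by=jdoe
2007-05-10 09:15:40 posdb01 passwd[2219]: password for reportsvc changed by jdoe
2007-05-11 02:47:13 wlanctl03 useradd[811]: new user: name=tmp_admin, uid=0, by=svc_backup
2007-05-11 02:48:02 wlanctl03 passwd[815]: password for root changed by svc_backup
2007-05-11 10:02:55 posdb01 sshd[3302]: Accepted password for jdoe from 10.20.1.5
"""

# Line layout assumed for the example: "<timestamp> <host> <program>[pid]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$"
)
NEWUSER_RE = re.compile(r"new user: name=(?P<name>\S+), uid=(?P<uid>\d+), by=(?P<by>\S+)")
PASSWD_RE = re.compile(r"password for (?P<name>\S+) changed by (?P<by>\S+)")

# Assumed policy inputs: staff accounts allowed to change credentials,
# the maintenance window (local hours, start inclusive, end exclusive),
# and approved changes keyed by (host, target account).
ADMIN_ACCOUNTS = {"jdoe"}
MAINT_WINDOW = (8, 18)
APPROVED_CHANGES = {("posdb01", "reportsvc")}


def credential_events(log_text):
    """Return the account-creation and password-change events in the log."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip, a real reviewer would count these
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        msg = m.group("msg")
        nu = NEWUSER_RE.search(msg)
        if nu:
            events.append({"ts": ts, "host": m.group("host"), "kind": "new_user",
                           "target": nu.group("name"), "uid": int(nu.group("uid")),
                           "by": nu.group("by")})
            continue
        pw = PASSWD_RE.search(msg)
        if pw:
            events.append({"ts": ts, "host": m.group("host"), "kind": "password_change",
                           "target": pw.group("name"), "uid": None, "by": pw.group("by")})
    return events


def review(log_text):
    """Return one alert per credential event that breaks an assumed policy rule."""
    alerts = []
    for ev in credential_events(log_text):
        reasons = []
        if ev["by"] not in ADMIN_ACCOUNTS:
            reasons.append("actor not an approved admin")
        if not (MAINT_WINDOW[0] <= ev["ts"].hour < MAINT_WINDOW[1]):
            reasons.append("outside maintenance window")
        if (ev["host"], ev["target"]) not in APPROVED_CHANGES:
            reasons.append("no approved change for target")
        if ev["kind"] == "new_user" and ev["uid"] == 0:
            reasons.append("new account with uid 0")
        if reasons:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "kind": ev["kind"],
                           "target": ev["target"], "by": ev["by"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in review(SAMPLE_LOG):
        print(f"{a['ts']} {a['host']} {a['kind']} target={a['target']} by={a['by']}: "
              + "; ".join(a["reasons"]))
```

Run against the sample, the two changes on posdb01 by jdoe are planned work and produce nothing, while the two night-time changes on wlanctl03 by svc_backup each raise several reasons. The point is not the particular rules, which any shop would tune, but that the raw material for this kind of review already sits in ordinary authentication logs.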

Well, this should solve everything!

TJX creates executive jobs to deal with privacy issues

Tuesday, December 25 2007 @ 09:14 AM EST Contributed by: PrivacyNews News Section: Breaches

TJX Cos. is getting on the privacy bandwagon.

The Framingham parent of stores including TJ Maxx and Marshalls - and the target of a record-setting data breach discovered at the end of last year - has given the title of "chief privacy officer" to one of its senior executives and is looking to fill the position of "privacy director," according to a memo circulated by its search firm, Heidrick & Struggles.

.... TJX spokeswoman Sherry Lang declined to provide more details yesterday except to note that senior executive vice president for administration and business development Jeffrey Naylor also gained the title of chief privacy officer within the past year. "In today's world, privacy issues are increasingly challenging and are an area of ongoing focus for many large companies, including TJX," Lang wrote in an e-mail.

Source - Boston Globe

Interesting analysis. Makes me wonder if we (managers) made any real effort to understand computers until a few years ago. (see: The Dynamo and the Computer, Paul A. David)

Eight business technology trends to watch

From the McKinsey Quarterly Special to CNET December 26, 2007 4:00 AM PST

Technology alone is rarely the key to unlocking economic value: companies create real wealth when they combine technology with new ways of doing business.

See what happens when you elect Sonny Bono pharaoh?

Egypt to copyright pyramids

December 25 2007 at 06:17PM

Cairo - In a potential blow to themed resorts from Vegas to Tokyo, Egypt is to pass a law requiring payment of royalties whenever its ancient monuments, from the pyramids to the sphinx, are reproduced.

Zahi Hawass, the charismatic and controversial head of Egypt's Supreme Council of Antiquities, told AFP on Tuesday that the move was necessary to pay for the upkeep of the country's thousands of pharaonic sites.

"The new law will completely prohibit the duplication of historic Egyptian monuments which the Supreme Council of Antiquities considers 100-percent copies," he said.

"If the law is passed then it will be applied in all countries of the world so that we can protect our interests," Hawass said.

For some of us, this is amusing.

December 25, 2007

1950-1955, The Intelligence Community

Press release: "The Office of the Historian, Bureau of Public Affairs, U.S. Department of State, released...a retrospective intelligence volume in the Foreign Relations of the United States series, documenting the development and consolidation of the intelligence community. This volume, The Intelligence Community, 1950–1955 (867 pages, PDF), is the sequel to The Emergence of the Intelligence Establishment, 1945–1950, published in 1996. This new volume, which is organized chronologically from January 1950 to December 1955, documents the institutional growth of the intelligence community during its heyday under Directors Walter Bedell Smith and Allen W. Dulles, and demonstrates how Smith, through his prestige, ability to obtain national security directives from a supportive President Truman, and bureaucratic acumen, truly transformed the Central Intelligence Agency (CIA). It closes with a collection of relevant National Security Council Intelligence Directives (NSCIDs) issued during the years 1950–1955 as approved by the National Security Council and the President, as well as revisions to earlier NSCIDs published in the Emergence of the Intelligence Establishment, 1945–1950."

Tuesday, December 25, 2007

Mele Kalikimaka!

Oh, the horror! Perhaps a match against the Congressional Directory is in order?

Thousands of Adult Website Accounts Compromised

Posted by kdawson on Tuesday December 25, @04:01AM from the how-not-to-handle-a-data-breach dept. Security

Keith writes "Tens of thousands — or maybe more — accounts to adult websites were recently declared compromised and apparently have been that way since some time in October 2007. The break occurred when the NATS software used to track and manage sales and affiliate revenues was accessed by an intruder. The miscreant apparently discovered a list of admin passwords residing on an unsecured office server at Too Much Media, which makes and maintains NATS installations for adult companies. It would appear that Too Much Media knew of the breach back in October, and rather than fixing the issue tried to bury it by threatening to sue anyone in the adult industry who talked about it."

The article gives suggestions for anyone who opened an account at any adult website in the last several months.


The Big Brother Watching Your Screen!! — Van Eck phreaking is the process of eavesdropping on the contents of a CRT display by detecting its electromagnetic emissions. Information that drives the video display takes the form of high frequency electrical signals.

Clear indication that management knows nothing about technology (or that their PR department assumes the public knows nothing)

(update) UK: PCT's memory stick is recovered uncorrupted

Monday, December 24 2007 @ 07:35 AM EST Contributed by: PrivacyNews News Section: Breaches

A MEMORY stick containing data from doctors' practices across the county was lost. The data mislaid by the East and North Herts Primary Care Trust that included reports from GP practices is yet another case of wholesale information loss by government services.

National newspapers revealed on Sunday the body was one of nine bodies around the country to lose important medical and personal information.

A PCT spokeswoman told the WHT the loss was reported as a "precaution" and that the stick was found uncorrupted. [Why is that a good thing? Bob]

.... * A spokesman for the East and North Herts NHS Trust confirmed it was not involved in any misplaced data.

He said: "Contrary to the impression provided in national media reports since Sunday, the trust is not one of the nine NHS organisations that the Department of Health has confirmed mislaid patient data recently.

Source - Herts24

We're thinking of retiring our pigeons.

December 23, 2007

Postal Service Strategic Transformation Plan 2006-2010

"The Strategic Transformation Plan 2006-2010 details how the Postal Service will improve the value of mail while continuing to address the nation's mailing needs with affordable and reliable universal service. Like the 2002 Transformation Plan, it will drive the Postal Service to become even more streamlined and efficient, and continue to achieve record levels of service and customer satisfaction."

What a business model! That God bidness is pretty profitable!

Church Collections Go Online in Ohio

Dec 24, 11:19 AM EST

CINCINNATI (AP) -- No cash for the collection basket at church? No problem. The Roman Catholic Archdiocese of Cincinnati has made online giving an option for its 230 parishes and 110 parochial and diocesan schools in its 19-county region.

They even have good Loss-Prevention technology. (Merry Christmas, thieves...)

Last Updated: Sunday, 23 December 2007, 22:47 GMT

US infant Jesus statue to get GPS

A statue of the infant Jesus on display near Miami in Florida is being fitted with a Global Positioning System device after the original figurine was stolen.

The near-life-size figure forms part of a nativity scene in Bal Harbour.

The original vanished three weeks ago, despite being bolted to the ground.

Dina Cellini, who oversees the display, says the statues of Mary and Joseph will also be fitted with a satellite tracking device to deter thieves.

She said: "I don't anticipate this will ever happen again, but we may need to rely on technology to save our saviour."

A Jewish lawyer, Jeffrey Harris, from Cincinnati, who read about the theft on the internet, has donated the new Jesus figurine in the Founders Circle area of the city.

Mr Harris, who celebrates Hanukkah, not Christmas, told the Miami Herald: ''I felt bad. How could someone steal a baby Jesus? Even though I am Jewish, I like the Christmas spirit.''

Useful now? - The Web Service Directory Solution

Wsoogle, though hard to say, is not to be overlooked. It’s an online directory for web services and resources that span the globe. It’s useful for finding software, programs, and services that cater to your needs. Wsoogle covers 15 wide-ranging areas including e-commerce, business, internet and government. By using Wsoogle to find the software solution for your business or company, you save both time and money. Companies may also create revenue by selling their web service solutions through Service Oriented Architecture. Wsoogle uses web service search engine technology that searches keywords and UDDI registries for web services rather than simply searching the web itself. It crawls the web 24 hours a day, ensuring up-to-date information. Search results are clustered based on keywords so you can shop around and compare services until you find one that suits you.

This might become useful.... - Leave a Comment on any Website

Have you ever been enraged by an article online but unable to vocalize your two cents? Many websites frustratingly have no comment sections, but Spipra changes that: the website is a centralized outlet for commenting on web pages. Users simply enter the web link into Spipra and all comments are stored on the site. Web pages that do not have commenting capabilities can also have permanent links back to Spipra so users can instantly click through to the site and type in their point of view. It also allows users to comment on a variety of web pages with just one unique login. Spipra is a completely free service.

Monday, December 24, 2007

Sounds like an education issue. NO ONE should ignore a potential security breach. (You have to make some changes to the system to get an ATM to screw up like this...)

Ca: ATM spits out private info

Monday, December 24 2007 @ 06:50 AM EST Contributed by: PrivacyNews News Section: Older News Stories

An Edmonton man was shocked when an ATM [at the Manning Crossing branch of the Royal Bank] he was using started spitting out personal financial information on 25 other customers, including account numbers and corresponding account balances.

... The couple alerted the branch manager but were told the information couldn't be used for anything since each account number was missing five digits.

The girlfriend didn't buy it.

"That's not true. I used to work for Royal Bank. I know that these numbers are account numbers," she said, adding that she and Kostiuk felt the bank didn't take their concerns seriously.

Source - Edmonton Sun


Data “Dysprotection:” breaches reported last week

Monday, December 24 2007 @ 06:53 AM EST Contributed by: PrivacyNews News Section: Breaches

A recap of incidents or privacy breaches reported last week for those who enjoy shaking their head and muttering to themselves with their morning coffee. Source - Chronicles of Dissent

Observing is not seeing. Yogi Berra? Just because you deal in information does not mean you can connect the dots...

DECEMBER 20, 2007

Professor Moriarty probably didn’t get his start this way

Here at Very Short List, we pride ourselves on being ahead of the curve. But sometimes we’re downright prescient.

On December 14, we pointed you to the website for the Newseum, a real-time collection of the front pages from nearly 600 daily newspapers from across the country and around the world. Had you gone on the site that very day to look at the front page of the Lewiston Tribune (of Lewiston, Idaho, population 31,293), you too could have played the role of an armchair Sherlock Holmes.

That morning, page 1A ran two substantial photos: In one, a husky man in a black-and-blue checkered coat is seen hanging Christmas decorations in a shop window. In the other, a surveillance camera shows a convenience-store customer’s unattended wallet being swiped by

. . . a husky man in a black-and-blue checkered coat. Local police noticed the similarities, and quickly arrested the hapless criminal mastermind for felony second-degree theft. If the charges stick, we’ll gladly take the credit for the collar.

What's next?

Police Begin Fingerprinting on Traffic Stops

By Sarah Thomsen

If you're ticketed by Green Bay police, you'll get more than a fine. You'll get fingerprinted, too. It's a new way police are cracking down on crime.

If you're caught speeding or playing your music too loud, or other crimes for which you might receive a citation, Green Bay police officers will ask for your drivers license and your finger. You'll be fingerprinted right there on the spot. The fingerprint appears right next to the amount of the fine.

... Police say they want to prevent the identity theft problem that Milwaukee has, where 13 percent of all violators give a false name.

... Citizens do have the right to say no. "They could say no and not have to worry about getting arrested," defense attorney Jackson Main said. "On the other hand, I'm like everybody else. When a police officer tells me to do something, I'm going to do it whether I have the right to say no or not."

The cost of repair would shoot up due to the increase in liability. If a $15 per hour techie can't figure out what's wrong, he just starts replacing parts until something works. If you got the parts back and someone else could prove there was nothing wrong with them...

Should Apple Give Back Replaced Disks?

Posted by kdawson on Sunday December 23, @11:53PM from the consider-it-a-trade-in dept. Privacy

theodp writes "As if having to pay $160 to replace a failed 80-GB drive wasn't bad enough, Dave Winer learned to his dismay that Apple had no intention of giving him back the disk he paid them to replace. Since it contained sensitive data like source code and account info, Dave rightly worries about what happens if the drive falls into the wrong hands. Which raises an important question: In an age of identity theft and other confidentiality concerns, is it time for Apple — and other computer manufacturers — to start following the practice of auto mechanics and give you the option of getting back disks that are replaced?"

Learn like Pres. Bush! Seriously, there seems to be a recognition that the Internet has changed the way people educate themselves. Perhaps Universities will be reduced to proctoring the final exams...

Dec. 12

Open Courses Open Wider

For those inclined to dig through university Web sites, it’s long been possible to browse scattered lecture notes and PowerPoint slides intended for enrolled students. A handful of colleges intentionally make course materials available to anyone with an Internet connection, and now a major name may redefine expectations for online learning. Following its announcement last year, Yale University on Tuesday launched its free, online archive of popular undergraduate courses — including not only syllabi, problem sets and course materials, but videos and audio files of the lectures themselves.

Dubbed Open Yale Courses, the Web site’s creators hope the archive will serve as a resource for students abroad or even as support for lecturers at other institutions who need to supplement their own material. In the spirit of keeping information freely available, the lectures are protected under a Creative Commons legal license that allows users to download, share and remix the material in any way they see fit, as long as their purposes aren’t commercial and they credit Yale.

...because it is so easy to share information. - Learn Something

SlideStar is an open educational platform akin to your local college or library but in cyberspace. The SlideStar community is made up of mainly students and academics who can exchange any educational content and material they find useful. Publishers of content are free to define their own terms of use. If agreed upon, materials can be used and furthered for your own studies or research. Your Slideware (content) can come in any number of formats such as the almighty PowerPoint slide, an audio file, video, PDFs, Word, of course, and plenty of other mediums to suit your learning pleasure. Profs can share their e-lectures with just their students, or the whole world if they so choose. This is a community and like any online community these days, members can pick and choose their favorite Slideware by ratings and votes. Organizations, aptly called Slidespots in SlideStar lingo, can register and let others view what they have to offer. A world map shows each registered SlideSpot for easy comparison. Anyone can become a SlideStar. Even you.

Ever try searching for something on Craig's List? You have to do a separate search in each city, right? Well not any more... (Tested by one of my research associates who was looking for a 1972 Volvo for his collection.)

search craigslist like a madman