Wednesday, September 26, 2007

More reaction to the TJX settlement

http://techdirt.com/articles/20070925/113835.shtml

Shocker, TJX Credit Card Breach Settlement Proposal Lacks Any Real Settlement

from the oops-we're-real-sorry dept

TJX, the parent corporation of retailer TJ Maxx, proposed a settlement to the class action suits levied against it in what could be the largest credit card breach ever, approximately 45 million records. TJX is offering claimants up to three years of credit monitoring along with $20,000 identity theft insurance coverage. This settlement sounds pretty good, until you read the fine print (via Consumerist). In order to qualify for the settlement, you must have returned an item to the store without a receipt; this limits the claimants to approximately 455,000 people, or only about 1% of the class. The remaining 44.5 million are only eligible for $30 vouchers in store credit, and only with documented proof of a loss. This definitely seems like a slap on the wrist for TJX. Sure, it's bad, but surely TJX hasn't lost 77% of its customer base from this incident. Finally, in a clever move at the end of the settlement proposal, TJX took this as an opportunity to announce that all of its stores will be having a 15% sale sometime in 2008. Way to turn a class action lawsuit settlement into free advertising, TJ Maxx.


Some details, but not enough...

http://www.canada.com/edmontonjournal/news/business/story.html?id=9279b9aa-3cf9-43c2-a7a9-eae464a73525&k=10034

TJX collected too much customer data: Canada report

Wojtek Dabrowski, Reuters Published: Tuesday, September 25

... The joint probe by the privacy commissioners of Canada and the province of Alberta found that TJX Cos Inc did not properly manage "the risk of an intrusion" and did not act quickly to upgrade the strength of its encryption systems.

... The report also found the company did not have a reasonable purpose for collecting driver's license numbers and other identification data when merchandise was returned without receipts.

The Canadian Report [pdf]



If you got it, flaunt it!

http://www.pogowasright.org/article.php?story=200709251822226

eBay forum mysteriously leaks account details on 1,200 users

Tuesday, September 25 2007 @ 06:22 PM EDT Contributed by: PrivacyNews News Section: Breaches

Hackers brazenly posted sensitive information including home addresses and phone numbers for 1,200 eBay users to an official online forum dedicated to fraud prevention on the auction site. The information - which also included user names and email, and possibly their credit card numbers and three-digit CVV2 numbers - was visible for more than an hour to anyone visiting the forum. The miscreants appeared to create a script that caused each user to log in and post information associated with the person who owned the account. The script spit out about 15 posts per minute, starting around 5:45 a.m. California time.

An eBay spokeswoman said the posts were not the result of a security breach on eBay and that the credit card numbers contained in the posts were not those eBay or PayPal had on file for those users. eBay representatives have begun contacting all users whose information was posted to head off any further fraud and to learn more about the attack.

Source - The Register



Perhaps there are e-watchdogs out there... How will this impact privacy/security policies?

http://www.zdnet.com.au/news/security/soa/Centrelink-denies-hiding-privacy-breaches/0,130061744,339282393,00.htm

Centrelink denies hiding privacy breaches

Liam Tung, ZDNet Australia 26 September 2007 11:48 AM

Centrelink says it is completely candid about privacy breaches by employees, after it was forced to clarify the number of breaches that occurred during the last financial year.

"We're up front with this," a spokesperson told ZDNet Australia. "We are dedicated to protecting privacy breaches. It's a case of 'yes, this did happen' and we're not hiding it away."

Centrelink was forced to detail how many breaches had occurred during the last financial year to prevent potential misunderstanding caused by Channel 7 conflating figures it had acquired under a Freedom of Information request, which covered two separate investigations, said the spokesperson.

Centrelink publishes the results of its investigations in its annual report, the spokesperson added.



Would this be considered a conspiracy in restraint of trade?

http://techdirt.com/articles/20070924/033047.shtml

Ever Wonder How These Astroturf 'Coalitions' Are Formed?

from the lobbyists-and-shills-and-pr,-oh-my! dept

By now we've all seen the various fake "astroturf" PR/lobbying efforts out there, talking up some particular position, which is almost always created and funded by a company that benefits from having the public (or, more often, politicians) support that position. Most people recognize that they're just false fronts, but the details are often hidden. However, in at least one case, the details have been leaking out. Microsoft, who isn't in much of a position to call "antitrust" violations on others, is trying to stop Google from being able to acquire DoubleClick. In order to get support in blocking the deal, Microsoft apparently had a big PR firm try to put together one of these fake "coalitions" using the name "Initiative for Competitive Online Marketplaces" (gotta love the names of all of these coalitions), which appears to be designed solely to release reports critical of Google practices. The problem, though, is that the email the PR firm used to "recruit" members to join this group has leaked out and is getting press attention. Again, there's nothing particularly new in all of this. There are countless such organizations, but it's rare to get the details on how one was brought together. In this case, the email being sent to potential participants urges them to complain about Google's practices to politicians, regulators and the media. Even though Microsoft put the group together, apparently the PR firm did not reveal that. This won't change much, of course, and we can probably still expect to see reports coming out from the "Initiative for Competitive Online Marketplaces," but it would be nice to see the press act at least a little skeptical of any conclusions drawn from those reports.



Never try to stifle a blogger...

http://yro.slashdot.org/article.pl?sid=07/09/25/2342242&from=rss

Bloggers Versus Billionaire

Posted by kdawson on Tuesday September 25, @11:40PM from the nailing-jello-to-a-tree dept. Censorship

Roger Whittaker writes "An interesting case in England is pitting the combined power of multiple bloggers against an Uzbek billionaire. The bloggers are supporting the former UK ambassador to Uzbekistan, Craig Murray, who has written a book about what happened there after the fall of Communism. The book is apparently unflattering in the extreme to oligarch Alisher Usmanov, who has engaged the law firm Schillings (which seems to specialize in getting unfavorable Web content removed for rich clients). Their threats have led to the removal of Murray's blog site by his hosting company Fasthosts. But a large number of bloggers have taken up Murray's cause, and the content that caused the original complaint, and links to it, have now sprung up in a very large number of places. The Internet still seems to regard censorship as damage and route around it."


I doubt Lowes will fare any better...

http://techdirt.com/articles/20070924/040616.shtml

Lowes Tries To Silence Sucks Site For Complaints About Lowes

from the did-someone-call-Streisand's-name? dept

We've covered a variety of cases involving so-called "sucks sites," where someone registers as a domain name the name of a company and appends sucks to the end in order to create a complaint site. Companies have often complained that these sites are trademark violations, but that usually doesn't pass the moron in a hurry test. The latest such case involves home improvement store Lowes. A guy who bought a fence from them was upset that the installers botched the job. Lowes refused to take responsibility, so he set up a site at Lowes-Sucks.com and promptly received a cease and desist from the company claiming trademark violation. While early on, a few companies were able to get sucks sites shut down, it's become a lot rarer, as judges tend to recognize that criticism is perfectly legitimate -- and no one is likely to confuse a sucks site as being endorsed by the company. In the meantime, of course, in sending out such a cease and desist, Lowes has just drawn a lot more attention to the fact that they won't take responsibility for the botched fence install. Wouldn't it have just been better for business to fix the damn fence?



Tools & Techniques: Hacking

http://jeremiahgrossman.blogspot.com/2007/09/read-someones-gmail-made-simple.html

Tuesday, September 25, 2007

Read someone’s Gmail, made simple

I’m currently in Taiwan attending the OWASP Asia 2007 conference in large part due to the generosity and coordination of Armorize Technologies. I plan to post more about the experience, but in the meantime I wanted to break blog silence to point out PDP’s ingenious Gmail CSRF attack technique, where the details were partially disclosed. I haven’t verified this attack personally, but I see absolutely nothing preventing this type of attack from working exactly as advertised.

Essentially an evil website forces a logged-in Google user to create a new email filter (CSRF) which forwards their email to any remote address of the hacker’s choosing. A current or incoming email arrives and poof, it is silently forwarded on its way, which would be extremely hard for anyone to spot. Simple, silent, and extremely clever. I also see why this technique could be easily applied to any other WebMail provider if they had a similar filtering technique in place.

This is especially scary because, as I said, WebMail accounts are in many ways more valuable than banking accounts because they maintain access to many other online accounts (blog, banking, shopping, etc.). Check out Brian Krebs’s Washington Post article where he covers a situation where a hacker is extorting a user by locking off access to their WebMail.
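As an added example (not code from the post, from PDP, or from Google), here are the two defender-side controls that stop or surface the filter-forwarding CSRF described above: a synchronizer token bound to the session on the filter-creation handler (with an Origin check on top), and an audit that flags existing filters forwarding mail to addresses outside the account holder's own domain. The handler name `create_filter`, the in-memory session store and the sample addresses are assumptions constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed in-memory session store: session id -> {"csrf", "domain", "filters"}
SESSIONS = {}

def new_session(user_domain):
    """Start a session and mint a fresh per-session CSRF token (assumed model)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32),
                     "domain": user_domain.lower(), "filters": []}
    return sid

def create_filter(sid, form, origin, site="https://mail.example.test"):
    """Filter-creation handler (assumed). A third-party page can make the
    browser send the session cookie, but it cannot read the session's CSRF
    token, so a forged submission fails here. When the browser sends an
    Origin header it must also match the mail site itself."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return "no session"
    if not hmac.compare_digest(form.get("csrf", ""), sess["csrf"]):
        return "rejected: bad csrf token"
    if origin is not None and urlparse(origin).netloc != urlparse(site).netloc:
        return "rejected: cross-site origin"
    sess["filters"].append({"match": form.get("match", "*"),
                            "forward_to": form.get("forward_to", "")})
    return "created"

def audit_forwarding_filters(sid):
    """Return filters that forward mail to a domain other than the account
    holder's: the footprint a silently planted forwarding filter leaves behind."""
    sess = SESSIONS[sid]
    flagged = []
    for f in sess["filters"]:
        dom = (f.get("forward_to") or "").rpartition("@")[2].lower()
        if dom and dom != sess["domain"]:
            flagged.append(f)
    return flagged

if __name__ == "__main__":
    sid = new_session("example.test")
    tok = SESSIONS[sid]["csrf"]
    # Cross-site POST without the token is rejected; in-site POST with it succeeds
    print(create_filter(sid, {"match": "*", "forward_to": "a@outside.example"}, "https://other.example"))
    print(create_filter(sid, {"csrf": tok, "match": "*", "forward_to": "a@outside.example"}, "https://mail.example.test"))
    print(audit_forwarding_filters(sid))
```

The audit is the part worth running against real account data: a user may legitimately forward off-domain, but each such filter deserves a look.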



Use the tools you have...

http://www.bespacific.com/mt/archives/016086.html

September 25, 2007

Google Videos on Search Privacy and Personalized Search

Jane Horvath, Senior Privacy Counsel at Google, has posted links to two YouTube videos providing users with details about privacy practices and personalizing your search.



...or use the tools everyone else is using.

http://www.bespacific.com/mt/archives/016091.html

September 25, 2007

State Department Launches First Blog

"Welcome to the State Department's first-ever blog, Dipnote... With the launch of Dipnote, we are hoping to start a dialogue with the public. More than ever, world events affect our daily lives--what we see and hear, what we do, and how we work. I hope Dipnote will provide you with a window into the work of the people responsible for our foreign policy, and will give you a chance to be active participants in a community focused on some of the great issues of our world today." [Posted by Sean McCormack]




But the politicians knew this going in... They only wanted to be able to say “We did something!” Perhaps voters should demand they do something correctly, or not at all.

http://www.news.com/8301-13578_3-9784556-38.html?part=rss&subj=news&tag=2547-1035_3-0-5

Ohio federal judge strikes down Net-censorship law

Posted by Declan McCullagh September 25, 2007 12:26 PM PDT

It's no surprise that politicians are rarely conversant with the limits on their legislating found in the U.S. Constitution. But it is worth noting when federal judges have actually read the First Amendment and strike down a law accordingly.

That brings us to Ohio's constitutionally impaired legislature, which enacted two laws that were touted as ways to protect children on the Internet but in reality would become a new censorship regime.

An Ohio federal judge on Monday struck down (see PDF) the state's combined "harmful to minors" law on the grounds that it ran afoul of the First Amendment's guarantee of freedom of speech.



Question: If you can prove an image has been altered, and I alter every image before I post it, would you have a hard time proving I copied your original?

http://hosted.ap.org/dynamic/stories/D/DEMO_TECH_SHOW?SITE=VALYD&SECTION=HOME&TEMPLATE=DEFAULT

Software Takes Aim at Altered Photos

By ELLIOT SPAGAT AP Business Writer Sep 25, 7:11 PM EDT

... Shoot & Proof shows where a photo was shot (if the phone is equipped with global positioning software), as well as when and on whose device.

A retailer client of CodaSystem uses Shoot & Proof to ensure manufacturers that their wares are being displayed as promised. A security company uses it to record break-ins and reassure insurance companies they aren't being bilked.

Near the opposite end of the spectrum, another participant in DEMOfall, MotionDSP Inc., introduced a Web site, http://www.fixmymovie.com , where consumers can sharpen pictures and videos taken on cell phones, images that are typically jumpy and heavily pixelated.

MotionDSP, based in San Mateo, Calif., got its start by licensing software from the University of California at Santa Cruz and targeting military and intelligence agencies. In-Q-Tel, an investment firm launched by the CIA in 1990 to support U.S. intelligence work, announced in July that it was an investor.
