Saturday, February 03, 2007

Remember, this is two orders of magnitude better than the last time. Perhaps they have “improved” their security. I'd still like it to reach all the way to “adequate.”

http://www.mercurynews.com/mld/mercurynews/business/technology/16612710.htm

Posted on Sat, Feb. 03, 2007

VA hard drive with personal data missing

Associated Press

WASHINGTON - A portable hard drive that may contain the personal information of up to 48,000 veterans may have been stolen, the Department of Veterans Affairs and a lawmaker said Friday.

An employee at the VA medical center in Birmingham, Ala. reported the external hard drive missing on Jan. 22. The drive was used to back up information on the employee's office computer. [More common for this to be done over the network... Bob] It may have contained data from research projects, the department said.

The employee also said the hard drive may have had personal information on some veterans, although portions of the data were protected. Secretary of Veterans Affairs Jim Nicholson said that the VA and the FBI are investigating.

Rep. Spencer Bachus, R-Ala., said that the personal information of up to 48,000 veterans was on the hard drive and the records of up to 20,000 of them were not encrypted.

Pending results of the investigation, VA is planning to send individual notifications and to provide a year of free credit monitoring to anyone whose information is compromised.



Other than “quick” and “thinking,” this headline seems accurate.

http://wcbstv.com/topstories/local_story_033212750.html

Feb 2, 2007 9:27 pm US/Eastern

Quick Thinking Prevents Massive ID Theft Heist

Documents Containing SS Numbers Appear On Web Site

(CBS/AP) ALBANY The New York Department of State on Friday froze portions of a Web site listing commercial records that identity thieves could have used to access the Social Security Numbers of some New Yorkers -- including billionaire mogul Donald Trump.

It took the department more than three hours [see next article Bob] to block the information from being viewed after The Associated Press alerted officials to the problem.

The New York Department of State's Web site had posted commercial loan documents containing Social Security Numbers that could be viewed with a simple name search.

"Governmental Web sites should not make it easy for identity theft criminals to access personal information," said state Sen. Charles Fuschillo, a sponsor of numerous laws targeting identity theft.

The forms are posted by the department to let lenders know the current financial status of loan recipients. As a prerequisite for loans, many banks first research a debtor's name to ascertain their credit worthiness.

Trump was traveling and could not immediately be reached for comment.

The posted information also included the social security numbers of many farmers who had previously taken out loans for farm equipment and machinery.

Julie Suarez of the New York Farm Bureau said many farmers across New York could have been hurt by the release of the information because some lenders list the private numbers on the forms to track customers.

"We've done a lot of research on this and we are getting increasingly concerned," she said Friday before the information had been removed. "It's an optional part of the form, but not everybody knows this." [No “personal data” inventory exists? Bob]

Earlier this month, the Vermont Secretary of State's office took down similar Internet links [an indication that you should check your own procedures? Bob] to business files that contained the Social Security Numbers of individuals.

... The Social Security Number postings were discovered by B.J. Ostergren, a Virginia privacy rights activist.

It was unclear late Friday how long the information was available on the site, and the Department of State did not immediately return calls seeking clarification.



Management bloopers are all too common in these articles.

http://www.columbiatribune.com/2007/Feb/20070202News009.asp

Hacker hits MU database

Personal info stored in computer system.

By TERRY GANEY of the Tribune’s staff Published Friday, February 2, 2007

A hacker broke into a University of Missouri system computer server last month and might have gained access to personal information, including Social Security numbers, of 1,220 researchers on four campuses.

The passwords used for the system by more than 2,500 people might have been compromised as well. The university has sent e-mails and registered letters to everyone affected.

... The compromised computer is the university’s Research Board Grant Application System. Technicians have not identified the hacker, but an internal inquiry is under way to find the culprit’s "footprints."

An off-campus computer monitoring system that scans the Internet for crimes first notified the university of the problem at 8:33 a.m. Jan. 16. [Not familiar with this! Bob] The university’s informational technology staff took the system off line an hour later. A more detailed examination showed the system was first hacked at 3:30 p.m. Jan. 14.

The affected system, which is still off line, serves as an electronic clearing house for researchers applying for grants and being paid for them. In the application and payroll process, personal information such as Social Security numbers is often included. In addition, some system users might have substituted their own personal computer passwords for the numeric password generated by the system.

In those cases, it might be possible for an unauthorized third party to gain access to personal information if the system user applied that same password to personal accounts as well as the grant application system.

... A statement posted on the UM system’s Web site said the breach occurred through the system’s Web-based application that was developed several years ago and "did not have safeguards which current applications have to ward off increased threats from the Internet." [Regular review of security procedures might be indicated? Bob]

... The problem in which personal information might have been disclosed affects 820 faculty members on the UM system’s four campuses, 76 former faculty members and 324 non-university personnel, mostly those who review grant applications, Charton said. In addition, the hacker might have seen 2,579 passwords.



Not that I would pick on poor TJX, but I can't help noticing a series of articles showing how they are dealing with their security breach... First, set aside some cash for future liabilities...

http://www.thestar.com/Business/article/177395

TJX expects fourth-quarter charge for security breach

February 02, 2007

NEW YORK–TJX Cos., which owns several retailers including Winners and HomeSense in Canada, said yesterday it expects to incur a charge related to its recent security breach, but remains comfortable with its fourth-quarter profit forecast.

The company's projected profit from continuing operations of 48 cents (U.S.) to 50 cents per share includes a 1-cent-per-share [From the 10Q: “The number of shares of Registrant's common stock outstanding as of October 28, 2006: 455,098,947” So we're talking about $4.5 million so far. Bob] charge for costs from the computer systems breach, which analysts have said might have exposed millions of people's personal data.

... Framingham, Mass.-based TJX does not expect to be able to estimate losses from the breach when it releases year-end results Feb. 21. It said losses might stem from exposures to credit- and debit-card companies, banks and legal proceedings.


Then promote a bunch of people to reward them for... What was it again?

http://www.hometextilestoday.com/article/CA6412662.html

Senior executives promoted at TJX

Home Textiles Today By Staff -- 2/1/2007 12:08:00 PM

Framingham, Mass. – Off-price retailer The TJX Companies has made a series of promotions across its senior management team in the immediate aftermath of the elevation of president Carol Meyrowitz to president and ceo.

... * Ann McCauley has been promoted to evp, TJX, general counsel, from her post of svp, general counsel.


Then, take advantage of the depressed stock price... (Down almost a buck since Jan 17th when they announced the breach, sure to be lower still when they figure out what this will cost them.)

http://boston.bizjournals.com/boston/stories/2007/01/29/daily51.html

TJX to buy back stock

Boston Business Journal - 1:16 PM EST Friday

The TJX Companies Inc. announced Friday its board of directors approved the repurchase of up to $1 billion of TJX common stock.

The current prices would represent about 7.5 percent of the company's outstanding shares.

... The repurchase program has no time limit.



Depressing.

http://www.pogowasright.org/article.php?story=20070202165011258

Privacy Rights Clearinghouse: 2006 Breach Analysis

Friday, February 02 2007 @ 04:50 PM CST - Contributed by: PrivacyNews - Breaches

The Privacy Rights Clearinghouse has just published its analysis of data breaches in 2006. The analysis is based on 327 breaches included in their chronology.


Expected, but still depressing.

http://www.govtech.net/magazine/story.php?id=103606

Confidential Data Lost Via USB Drives and Other Mobile Devices, New Survey Finds

January 29, 2007 News Release

The results of a new survey conducted by Forrester Consulting entitled Data Loss Prevention and Endpoint Security: Survey Findings was announced today. The report reveals that most companies have lost confidential data through removable media such as USB drives in the past two years.

... Among the key findings:

* More than half of respondents (52 percent) have lost confidential data through removable media such as USB drives in the past two years.

* Currently, organizations rely mainly on paper-based controls such as written policies that information security asks employees to sign (40 percent).

* Downloading confidential data to desktop and laptop PCs is a significant threat: 76 percent of respondents said they are not satisfied with the visibility they have into confidential data being downloaded to PCs.



Is this a case of “We gotta do something?” Sure seems like it hasn't been thought through.

http://www.jg-tc.com/articles/2007/02/03/opinion/editorial/editorial001.txt

Our View: Meth database should be limited to protect privacy

By the JG/T-C Editorial Board editorial@jg-tc.com Published on Friday, February 2, 2007 11:30 PM CST

The proposal to establish an electronic database on people who buy cold medicine with pseudoephedrine should scare the dickens out of meth makers.

It might also make law-abiding people reluctant to purchase across-the-counter medicines for fear of being monitored by Big Brother.

Currently, Illinois law designed to crack down on meth makers requires retailers keep logs on people who buy cold medicines containing pseudoephedrine.

During a leadership summit Saturday at Eastern Illinois University, Steve Mange, a policy adviser with the Illinois Attorney General’s Office, said the problem with retailers’ written logs is that they are sometimes “barely legible.”

Another problem with current logs, Mange pointed out, is that police cannot always remember names to spot repeat buyers.

“A database is clearly the next thing we need to do,” Mange told the participants in the drug summit. Mange said the database could include a list enabling authorities to determine purchasers of drug ingredients. He said it could also be used as an “authorization system” to prevent people from buying the medicine if they have reached federal or state limits.

Mange revealed Illinois Attorney General Lisa Madigan has met with representatives from other Midwestern states to discuss how a database might function.

Exactly how much and what types of information a database would include is unclear. There should be some specificity as to what authorities can put on the database.



When security procedures become too onerous...

http://news.zdnet.co.uk/itmanagement/0,1000000308,39285759,00.htm?r=1

NHS denies privacy risk over smartcard sharing

Connecting for Health admits that smartcards were shared by clinical staff, but plays down fears that patient confidentiality was breached [If a breach is defined as “access by an unauthorized person,” there is no way they have evidence to support this statement. Bob]

NHS Connecting for Health has admitted that smartcards were shared between staff at a Warwickshire hospital, but denied that this compromised the confidentiality of patient data.

Last week reports emerged that smartcards — used by clinical staff to access patient records on the overhauled NHS IT network — were being shared between A&E clinicians at South Warwickshire General Hospitals NHS Trust. This activity, which had been sanctioned by the Trust board, was caused by clinicians trying to avoid lengthy log-in times.

Paul Cundy, a spokesman for the British Medical Association's GP IT subcommittee, told Computer Weekly at the time that this approval "[drove] a coach and horses through the so-called privacy in the new systems".

... "The Trust is aware of the need to revert to the normal policy framework [Translation: We should follow the rules. Bob] for the use of smartcards and, as these early issues relating to the speed of the application are resolved, it is hoped this will happen in the near future," the statement added.

Previous statements from CfH had suggested that the sharing of smartcards would be treated as misconduct, requiring disciplinary procedures. However, Thursday's statement conceded that "responsibility for the security of patient information ultimately lies with individual Trusts, hospitals and NHS organisations".



What happens if access controls are too broad? i.e., access needs to be more granular... At least they tested the security!

http://www.theregister.co.uk/2007/02/02/nhs_security_glitch/

Scottish NHS in cervical smear security blunder

By Lucy Sherriff Published Friday 2nd February 2007 00:02 GMT

The Scottish National Health Service has postponed the launch of a new cervical smear screening system, after concerns were raised about the security of the service during a trial of the system.

According to BMA News, the house magazine for British Medical Association members, Scottish Cervical Call-Recall System (SCCRS), allows anyone with password access - including many admin staff at GP practices taking part in the pilot - to access any Scottish woman's cervical screening records.

Forth Valley GP Brian Keighley said: "This is unacceptable and quite possibly illegal and I don't think GPs should co-operate with this."

... NHS NSS says no real records have been compromised because the pilot has been run using "existing board systems", essentially, dummy records.



Interesting legal technique? Another reason to ensure your security is current.

http://www.securityfocus.com/news/11440?ref=rss

Security pros work to undo teacher's conviction

Robert Lemos, SecurityFocus 2007-02-02

Researchers led by the head of a Florida anti-spyware firm aim to recreate what caused a Connecticut school's classroom computer to start displaying pornographic pop-ups in October 2004, an incident that recently led to four felony convictions for the substitute teacher involved.

On January 5, a six-person jury found former Kelly Middle School substitute teacher Julie Amero guilty of four counts of risk of injury to a minor. The charges stem from an October 19, 2004 incident when the computer in the classroom in which Amero was teaching started displaying pornographic pop-up advertisements. Prosecutors argued that Amero surfed porn sites while in class, causing the pop-up advertisements, while the former teacher's defense attorney argued that spyware installed from a hairstyling Web site caused the deluge of digital smut.

The case has attracted an enormous amount of interest, because the reported details of the trial appear to indicate that a lack of understanding of the technology involved, and not solid digital evidence, led the jury to convict the teacher.

Alex Eckelberry, president of anti-spyware firm Sunbelt Software, hopes to put the case to rest. Armed with an image of the disk from the Windows 98 SE computer, the technology expert put out a call to interested security researchers and assigned his own workers to the case.

"We have had huge offerings of support from the security community," Eckelberry said this week. "Other experts in the forensics community--and these are not small players--have come to us and offered to help."

The criminal conviction would not be the first case of misunderstood technology leading to a guilty verdict. In 2002, a 29-year-old network administrator was convicted under the Computer Fraud and Abuse Act for sending 5,600 e-mail messages to customers of his former employer--the now-defunct e-mail provider Tornado Development--warning about a security hole in Tornado's service that left private messages vulnerable to unauthorized access. The prosecutors in the case argued, and the judge agreed, that McDanel was guilty of unauthorized access and abused Tornado's e-mail servers to send the messages. The prosecutors have since admitted their mistake and the case was overturned on appeal, but not before McDanel served 16 months in prison.

"In technologically complicated cases, expert testimony is really important--more so than in your normal prosecutions," said Jennifer Granick, executive director of the Center for Internet and Society at Stanford University's School of Law and the attorney that defended McDanel in his appeal. "It is complicated for a normal person--the idea that the computer does something without your agency is not something that they understand."

In the latest case, a regular teacher logged into the classroom computer, because Amero did not have credentials. The substitute teacher was told not to log out or turn off the computer, according to media reports.

What happened after that has become the main point of contention.

A detective on the case using off-the-shelf recovery software argued that Amero clicked on pornographic Web links and caused the computer to display pornographic pop-up advertisements. However, the defense's forensic expert, Herbert Horner, stated that a more complete analysis showed that a harmless hairstyling Web site had actually redirected the PC's browser to pornographic sites, setting off the deluge of offensive ads.

Horner, the principal at Contemporary Computer Consultants, had walked into the courtroom to discuss his analysis but was prevented from doing so in detail because the prosecution argued that they had not had full disclosure of his testimony.

In an interview with SecurityFocus, Horner voiced obvious frustration at his inability to relate all his findings to the jury.

"It is kind of like you have a fire truck and a full tank of water and you can save everybody, but someone said you can't do that because the container you put the water in is against the rules," Horner said.

Prosecutors have also focused on the fact that Amero did not turn off the computer, though she did go for help during a class break, Horner said.

Both the prosecutor in the case, state attorney David J. Smith, and Amero's attorney, John F. Cocheo, declined to comment for this story, prior to the sentencing hearing on March 2. The public filings in the case could not be obtained in time for this article.

The team of security professionals analyzing the forensic evidence are not yet ready to release an opinion, but one thing is clear, Eckelberry said: The classroom's machine was infested with spyware and the school did not have adequate protections in place.

It's an issue that has refocused some of the debate on administrators at Kelly Middle School. School officials recently told parents that the incident could never happen today, because the district has installed security software and a filtering system.

"This was a Windows 98 SE machine with IE 5 and an expired antivirus subscription," Eckelberry said. "It hadn't been updated since August, and there was no anti-spyware, no pop-up protection, no firewall and no content filters. Regardless of whatever happened, this machine was a machine that should not have been on the Internet."



He really hammers them.

http://blog.wired.com/27bstroke6/2007/02/identity_theft_.html

27B Stroke 6 by Ryan Singel and Kevin Poulsen Friday, 2 February 2007

Identity Theft Not Down, It's Different, Expert Says

Javelin Strategy and Research, an independent research group, this week released a new report -- funded by Visa, Wells Fargo and Checkfree -- that found that in 2006, 8.4 million Americans were hit by identity fraud, a full half a million fewer than in 2005. The study, based on a phone survey of 5,000 American adults, found the total amount lost to identity theft fell 12%, from $55.7 billion to $49.3 billion.

The study was widely reported in the media yesterday -- AP, Reuters, and UPI. But Chris Hoofnagle, an expert in data privacy laws who is also an attorney at the Berkeley Center for Law and Technology, says the study is dead wrong, both in its methodology and its conclusions.

Public polling on identity theft completely misses the biggest modern fraud issue–synthetic identity theft. In synthetic cases, the impostor creates an entirely new identity using information from many different victims. Since this synthetic identity is based on some real information, and sometimes upon artfully created credit histories, it can be used to apply for new credit accounts. This harms consumers because it creates subfiles at the CRAs, and the real owner of the SSN is sometimes targeted by collections efforts.[...]

Hoofnagle also argues that the survey -- which found that more than half of identity theft is perpetrated by a friend or family member -- is skewed because it undercounts identity theft that happens by remote attackers.

First, victims are obviously more likely to know the identity of the victim when it is a family member/friend. They’re much less likely to know when someone far away from them committed the crime (such as the many well documented cases of outsourced data being sold to thieves). Second, existing studies of confirmed victims (from police reports and newspaper reports, such as Collins’ report in 2004) show that the most likely source of data is businesses. Similarly, internal analyses written by the business community itself estimate that identity theft finds its roots in business databases 50-70% of the time. Finally, even if risk behaviors are consistent between the known and unknown victims, certain threats (such as security breaches, outsourcing risk, etc) are not addressed by any consumer action. That is, you are just as likely to become a victim, regardless of whether you shred, etc.

The FTC rejects Javelin's findings as "misleading:" In an email to Wall Street Journal reporter Robin Sidel, obtained under the Freedom of Information Act concerning the Javelin Report, an FTC employee wrote: "Since most surveyed–74 percent–could not identify the person who stole their identity, and half the 26 percent who could identify the thief either didn't personally know the thief or said it was someone other than a friend or relative, it would be misleading to suggest that the 'Culprit is likely a friend or relative.'"

A free copy of the short copy of the report can be downloaded here after you are asked for identifying information.



My tax dollars at work. More of the “We can, therefore we must” strategy?

http://techdirt.com/articles/20070201/170616.shtml

Why Is The Government Putting DRM On Its Own Public Files?

from the just-wondering dept

Documents released by the US government have no copyright -- yet, apparently that doesn't stop some government officials from acting as if it does. Jerry Brito highlights how in doing some research for a discussion on the 9/11 Commission Report, he was disappointed to find that the government-released PDF has copy protections that stop people from copying and pasting material from inside the document. He notes that, even though the content isn't covered by copyright, circumventing that protection would likely mean he had broken the DMCA's anti-circumvention clause. Doesn't it seem like there's a problem when you could get in trouble for circumventing copy protection on content that is in the public domain?

[NOTE: The comments include methods for easily circumventing this protection. Bob]



Attention Class Action Lawyers! This scenario is likely to be repeated frequently!

http://blogs.law.harvard.edu/jim/2007/02/02/the-viacom-international-copyright-dmca-debacle-about-youtube-videos-should-we-counter-sue/

The Viacom International Copyright DMCA debacle about YouTube videos--should we counter-sue???

Friday February 02nd 2007, 3:07 pm

I just received a notice that a video of mine has been removed from YouTube because of a complaint by Viacom. The video, for the record, is a short home clip, about 30 seconds, of me and several friends having dinner in a ribs place in Somerville. That this is the case should not be confusing to Viacom, given that the video is titled:

Sunday nite dinner at Redbones in Somerville, Mass: http://www.youtube.com/watch?v=QUzOP42dg1I

Here is the email I just got from YouTube. I support YouTube in sending this on to me and taking down the video. What else are they to do? Of course, now they have set up a situation where I perhaps have legal standing to go after Viacom. Of course I can’t afford to do this alone--but perhaps now I am part of a “class”--as in “class action law suit?” Anyone else interested? This blog, by the way, is hosted at Harvard Law School Berkman Center for Internet & Society, so we should be able to get some local talent to help out.

Here is the YouTube notice I just received:

YouTube | Broadcast Yourself™

Dear Member:

This is to notify you that we have removed or disabled access to the following material as a result of a third-party notification by Viacom International Inc. claiming that this material is infringing:

Sunday nite dinner at Redbones in Somerville, Mass: http://www.youtube.com/watch?v=QUzOP42dg1I

Please Note: Repeat incidents of copyright infringement will result in the deletion of your account and all videos uploaded to that account. In order to avoid future strikes against your account, please delete any videos to which you do not own the rights, and refrain from uploading additional videos that infringe on the copyrights of others. For more information about YouTube’s copyright policy, please read the Copyright Tips guide.

If you elect to send us a counter notice, to be effective it must be a written communication provided to our designated agent that includes substantially the following (please consult your legal counsel or see 17 U.S.C. Section 512(g)(3) to confirm these requirements):

1. A physical or electronic signature of the subscriber.

2. Identification of the material that has been removed or to which access has been disabled and the location at which the material appeared before it was removed or access to it was disabled.

3. A statement under penalty of perjury that the subscriber has a good faith belief that the material was removed or disabled as a result of mistake or misidentification of the material to be removed or disabled.

4. The subscriber’s name, address, and telephone number, and a statement that the subscriber consents to the jurisdiction of Federal District Court for the judicial district in which the address is located, or if the subscriber’s address is outside of the United States, for any judicial district in which the service provider may be found, and that the subscriber will accept service of process from the person who provided notification under subsection (c)(1)(C) or an agent of such person.

Such written notice should be sent to our designated agent as follows:

DMCA Complaints

YouTube, Inc.

1000 Cherry Ave.

Second Floor

San Bruno, CA 94066

Email: copyright@youtube.com

Please note that under Section 512(f) of the Copyright Act, any person who knowingly materially misrepresents that material or activity was removed or disabled by mistake or misidentification may be subject to liability.

Sincerely,

YouTube, Inc.

Copyright © 2007 YouTube, Inc.

It looks like what Viacom has done to YouTube is simply search every Viacom trademarked and copyrighted term against every Tube name, and then asked YouTube to pull down the videos, [Could have been a match of “Redbones” to “Leon Redbone.” Just a guess. Bob] under the terms of the onerous and notorious DMCA. YouTube has now pulled the videos. Unfortunately, I suspect that tens of thousands of these videos are completely legitimate.



http://www.bespacific.com/mt/archives/013834.html

February 02, 2007

Cornell Law Library Announces Launch of Legal Research Engine

"The Cornell Law Library is pleased to announce its new Legal Research Engine. This specialized search engine helps users easily find authoritative online legal research guides on every subject. It searches approximately 20 different web sites that either prolifically publish guides, or index and link to guides."

Friday, February 02, 2007

Typical Friday story.

http://www.boston.com/business/ticker/2007/02/workers_comp_da.html

Thursday, February 1, 2007

Workers comp data stolen

A former state contractor allegedly accessed a workers' compensation database to steal personal information and fraudulently obtain credit, the Department of Industrial Accidents announced today.

The agency said up to 1,200 people who had submitted workers' compensation claims to the state -- and their Social Security numbers -- may have been compromised, although officials have evidence that only three people had their personal information used improperly.

The worker, who was not immediately identified, was fired, arrested and charged with identity fraud. Law enforcement officials notified the agency of the alleged breach. [Insider actions are more difficult to detect, but not impossible. Bob]

"The DIA has taken swift action to inform the public and the 1,200 individuals potentially affected by this situation," the agency said in a statement. "DIA has sent written notifications directly to the potentially impacted claimants. In addition, DIA has posted information on its web site [ http://www.mass.gov/dia/ ] and established a telephone hotline to address claimant concerns."

The statement added: "All of us at the Department of Industrial Accidents deeply regret what happened. We take our public trust very seriously and we are taking immediate steps to ensure that this situation does not happen again."



Even evil intent winds up exposed on the Internet.

http://www.pogowasright.org/article.php?story=20070201151800621

Ripon firm tried to keep tax error mum, records show

Thursday, February 01 2007 @ 03:18 PM CST - Contributed by: PrivacyNews - Breaches

A printing company responsible for an error that led to the disclosure of thousands of Wisconsin taxpayers’ Social Security numbers tried to convince the state Department of Revenue to keep the mistake quiet, e-mail records show. Revenue officials initially agreed taxpayers should not be notified and asked media outlets not to report the story, concerned disclosure would increase the risk of identity theft, e-mails obtained by The Associated Press show.

Source - http://www.thenorthwestern.com/apps/pbcs.dll/article?AID=/20070202/OSH0101/70201103/1128/OSHnews



Not the most brilliant logon process.

http://news.com.com/2100-1030_3-6155425.html?part=rss&tag=2547-1_3-0-5&subj=news

Police blotter: Texas student guilty in SSN hack

By Declan McCullagh Story last modified Fri Feb 02 04:00:03 PST 2007

"Police blotter" is a weekly News.com report on the intersection of technology and the law.

What: Former University of Texas student appeals conviction of computer fraud.

When: The 5th Circuit Court of Appeals rules on January 24.

Outcome: Conviction, restitution and sentence of five years of probation is upheld.

What happened, according to court documents:
Around 1990 at Carnegie Mellon University, an undergraduate student wrote a program designed to steal his classmates' accounts.

It mimicked the text-based login prompt used on the school's Sparcstations and DECstations, and surreptitiously recorded hapless students' usernames and passwords when they tried to log in. Once those were saved, it printed the equivalent of "try again," exited and brought up a real login prompt.

The faux username prompt was discovered when a system administrator tried to log in--and noticed the system rejected his password far more quickly than it should have, if it actually took the time to authenticate through the Kerberos protocol. After being nabbed and disciplined internally, the student graduated and went on to work as a staff member at the university. Today he's a well-respected programmer.

That was a more innocent era, before the rise of the Web and widespread criminal activity online. Just ask Christopher Phillips, a former University of Texas computer science student who was convicted in federal court of hacking and is appealing his sentence.

Phillips wrote a Java program that was less clever and more aggressive than the one at Carnegie Mellon more than a decade earlier. It used the brute-force method of trying to connect to a UT computer called "TXClass Learning Central," which required only a Social Security number to log in. (A more secure system would have required a password and other hard-to-guess information as well.)

The Java program was eventually refined so that instead of trying random SSNs, it generated ones that came from only the 10 most populous Texas counties. (The formula is publicly available.) When Phillips' program found a valid SSN, it entered that person's account and automatically extracted personal information about that individual from the TXClass database. The Java program then changed the SSN by an increment of one and tried again.
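An added illustration, mine rather than code from the article or from UT: the identifier-only lookup the story describes beside a login that also demands a password and throttles a source after repeated failures. Every record, password, salt and address below is constructed, and the 000-xx-xxxx identifiers use an area number the Social Security Administration never issues.

```python
"""Weak identifier-only lookup versus a hardened login with a second secret
and a per-source failure throttle.  All data here is constructed for the
example; 000-xx-xxxx is an SSN area number that is never issued."""
import hashlib
import hmac
import os
from collections import defaultdict, deque


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is a demo value, tune it for production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_record(name: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"name": name, "salt": salt, "pw_hash": _hash_password(password, salt)}


# Constructed user table keyed by a nine-digit identifier (the only thing
# TXClass checked, according to the article).  Assumed names and passwords.
USERS = {
    "000000013": _make_record("Alice Example", "correct horse battery"),
    "000000042": _make_record("Bob Example", "another secret phrase"),
}


def lookup_weak(identifier: str):
    """The vulnerable pattern: knowing the identifier *is* the authentication."""
    return USERS.get(identifier)


def weak_login(identifier: str):
    record = lookup_weak(identifier)
    return ("ok" if record else "denied"), record


class HardenedLogin:
    """Identifier plus password, with a sliding-window failure limit per source.

    max_failures failures within window_seconds from one source (IP, session, ...)
    lock that source out until the oldest failure ages out of the window."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 60):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(deque)  # source -> timestamps of failures

    def _prune(self, source: str, now: float) -> None:
        q = self._failures[source]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, source: str, now: float) -> bool:
        self._prune(source, now)
        return len(self._failures[source]) >= self.max_failures

    def login(self, identifier: str, password: str, source: str, now: float):
        """Returns (status, record); status is 'ok', 'denied' or 'throttled'."""
        if self.is_locked(source, now):
            return "throttled", None
        record = USERS.get(identifier)
        # Do the hash work even for an unknown identifier, so that "no such
        # identifier" is not distinguishable from "wrong password" by timing.
        salt = record["salt"] if record else b"\x00" * 16
        expected = record["pw_hash"] if record else b"\x00" * 32
        candidate = _hash_password(password, salt)
        if record is not None and hmac.compare_digest(candidate, expected):
            return "ok", record
        self._failures[source].append(now)
        return "denied", None


def enumerate_identifiers(start: int, count: int, login_fn):
    """Simulates the increment-by-one sweep; returns (hits, outcomes)."""
    hits, outcomes = [], []
    for i in range(count):
        identifier = f"{start + i:09d}"
        status, record = login_fn(identifier)
        outcomes.append(status)
        if record is not None:
            hits.append((identifier, record["name"]))
    return hits, outcomes


if __name__ == "__main__":
    # Against the weak lookup a sweep of 50 consecutive values pulls out both records.
    print("weak:", enumerate_identifiers(0, 50, weak_login)[0])
    # Against the hardened login the same sweep (with a guessed password) gets five
    # denials and is then throttled; it yields nothing.
    h = HardenedLogin()
    hits, outcomes = enumerate_identifiers(
        0, 50, lambda i: h.login(i, "guess", "203.0.113.7", now=1000.0))
    print("hardened:", hits, outcomes.count("denied"), "denied,",
          outcomes.count("throttled"), "throttled")
```

The throttle is keyed on the source, so a sweep spread over many addresses still needs a separate check on overall attempt volume; the point of the block is that the second secret, not the throttle, is what stops a found identifier from being a found account.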

What's a little odd is that this apparently continued for some 14 months without UT realizing what was going on. [Not odd at all, unfortunately. Bob] Normally, TXClass received 20,000 log-in attempts per month, but Phillips' program increased it to as many as 1.2 million. [You won't notice this if you don't monitor activity. Bob] The overload allegedly caused TXClass to crash several times in early 2003, making hundreds of Web applications inaccessible--including online library, payroll, accounting, admissions and medical databases.
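A detection pass over login-attempt logs, added here as an example of the monitoring Bob is talking about (it is not code from UT or from the article). It flags an hour whose attempt count is far above baseline, the 20,000-a-month-to-1.2-million jump in the story, and a source whose failed attempts advance the identifier by exactly one each time. The log format, addresses and identifiers are assumptions; the sample log is generated inside the code and contains only never-issued 000-xx-xxxx values.

```python
"""Two detections over login-attempt logs: hourly volume far above baseline,
and a source whose failures walk through consecutive identifiers.
The log format and all sample data are constructed for this example."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<iso timestamp> <source> login id=<9 digits> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) login id=(?P<id>\d{9}) result=(?P<result>ok|fail)$"
)


def parse(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:  # a malformed line is evidence too; raise rather than drop it
            raise ValueError(f"unparseable log line: {line!r}")
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"], "id": int(m["id"]), "result": m["result"],
        })
    return events


def hourly_volume_alerts(events, baseline_per_hour, factor=10):
    """Hours whose attempt count exceeds factor x the expected baseline."""
    per_hour = Counter(e["ts"].replace(minute=0, second=0, microsecond=0) for e in events)
    return {h: n for h, n in per_hour.items() if n > baseline_per_hour * factor}


def enumeration_alerts(events, min_attempts=20, min_sequential_ratio=0.8):
    """Sources whose failed attempts mostly advance the identifier by exactly one."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "fail":
            by_src[e["src"]].append(e["id"])
    alerts = {}
    for src, ids in by_src.items():
        if len(ids) < min_attempts:
            continue
        steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
        ratio = steps / (len(ids) - 1)
        if ratio >= min_sequential_ratio:
            alerts[src] = {"attempts": len(ids), "sequential_ratio": round(ratio, 2)}
    return alerts


def constructed_log():
    """Constructed sample: five quiet hours of scattered logins, then one hour in
    which a single source sweeps 40 consecutive identifiers (one of them real)."""
    lines = []
    t0 = datetime(2003, 2, 11, 8, 0, 0)
    for h in range(5):  # baseline: 6 successful logins per hour, varied sources
        for k in range(6):
            ts = t0 + timedelta(hours=h, minutes=7 * k)
            lines.append(f"{ts.isoformat()} 198.51.100.{10 + k} login "
                         f"id={1000 + 97 * (h * 6 + k):09d} result=ok")
    ta = t0 + timedelta(hours=5)  # attack hour
    for i in range(40):
        ts = ta + timedelta(seconds=3 * i)
        result = "ok" if i == 13 else "fail"
        lines.append(f"{ts.isoformat()} 203.0.113.7 login id={i:09d} result={result}")
    return lines


if __name__ == "__main__":
    events = parse(constructed_log())
    print("volume alerts:", hourly_volume_alerts(events, baseline_per_hour=6, factor=5))
    print("enumeration alerts:", enumeration_alerts(events))
```

The volume check is the cheap one and would have fired on a 60x jump by itself; the sequential check is what tells you it is an enumeration rather than an outage-driven retry storm, and it keys on the pattern even when the attempts are spread thin enough to stay under the volume threshold.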

Eventually, UT discovered the intrusion attempts and contacted the Secret Service. Phillips admitted that he was behind the brute-force attack on TXClass, but claimed that he was not going to use or sell the information.

He was indicted and convicted by a jury of one count of computer fraud. An article from June 2005 in the Austin American-Statesman said Phillips was 22 years old and that he was acquitted of more serious charges.

"I'm sorry to my parents, the University of Texas and all these people," he said at the time. "It just wasn't in my mind-set that this kind of thing was going to have this sweeping effect."

A federal judge sentenced Phillips to five years of probation, 500 hours of community service and restitution of $170,056, the amount the university said it cost to investigate and fix the problem. He appealed, claiming that the restitution figure was too high and that the jury instructions were in error.

The 5th Circuit Court of Appeals upheld Phillips' conviction and sentence on January 24.

Excerpts from the 5th Circuit's opinion:

Phillips asserts that the Government failed to produce sufficient evidence that he "intentionally access(ed) a protected computer without authorization."

Courts have therefore typically analyzed the scope of a user's authorization to access a protected computer on the basis of the expected norms of intended use or the nature of the relationship established between the computer owner and the user.

Applying such an intended-use analysis, in United States v. Morris, a case involving an invasive procedure that prefigured modern port scanning, the Second Circuit held that transmission of an Internet worm designed "to demonstrate the inadequacies of current security measures on computer networks by exploiting...security defects" was sufficient to permit a jury to find unauthorized access."

Phillips' brute-force attack program was not an intended use of the UT network within the understanding of any reasonable computer user and constitutes a method of obtaining unauthorized access to computerized data that he was not permitted to view or use.

During cross-examination, Phillips admitted that TXClass' normal hourly hit volume did not exceed a few hundred requests but that his brute-force attack created as many as 40,000. He also monitored the UT system during the multiple crashes his program caused and backed up the numerical ranges of the Social Security numbers after the crashes so as not to omit any potential matches.

Phillips intentionally and meticulously executed both his intrusion into TXClass and the extraction of a sizable quantity of confidential personal data. There was no lack of evidence to find him guilty of intentional unauthorized access.

Phillips makes a subsidiary argument that because the TXClass Web site was a public application, he, like any Internet user, was a de facto authorized user. In essence, Phillips contends that his theft of other people's data from TXClass merely exceeded the pre-existing generic authorization that he maintained as a user of the World Wide Web, and he cannot be considered an unauthorized user.

This argument misconstrues the nature of obtaining "access" to an Internet application and the CFAA's use of the term "authorization." While it is true that any Internet user can insert the appropriate URL into a Web browser and thereby view the "TXClass Administrative Training System" login Web page, a user cannot gain access to the TXClass application itself without a valid Social Security number password to which UT has affirmatively granted authorization.

Neither Phillips nor members of the public obtain such authorization from UT merely by viewing a login page or clicking a hypertext link. Instead, courts have recognized that authorized access typically arises only out of a contractual or agency relationship.

Finally, Phillips contends that the district court erred in its award of restitution for costs incurred by UT in conducting a computer damage and systems evaluation, and contacting individuals whose biographical information and Social Security numbers were stolen.

Since Phillips raises this issue for the first time on appeal, we review the award for plain error. There is no error at all... UT was a victim, and it collaborated with the investigation and incurred costs to notify other victims of Phillips' data theft in order to determine whether they had suffered further damage.



This type of law to “prevent Identity Theft” will no doubt become very popular. It also reduces the potential for people to report finding personal data in the bank/hospital/government agency's trash.

http://www.eastvalleytribune.com/index.php?sty=83303

'Dumpster diving'? Get permission first

By Brian Powell Tribune February 1, 2007

Scottsdale has banned taking trash out of a container without permission, or "Dumpster diving," saying it will help protect against identity theft. The City Council voted 4-2 to make it illegal to collect, scavenge or disturb the garbage in a trash can or recycling container unless authorized to do so.

The council chose not to include a prohibition on taking items set out on the curb by a homeowner [who we know to be second class citizens... Bob] for bulk trash pickup, such as a couch or other household item that often disappear before the actual collection.

Police Chief Alan Rodbell said the ordinance will allow patrol officers to approach someone who they feel may be looking to steal identification from the garbage, which in older city neighborhoods are placed in alleys behind homes.

This also presents an opportunity for people to observe homes and yards. [Is this one of those “you have to be a lawyer to understand” things? Bob]

... A report presented to the council said that scavenging through garbage is one of the main ways criminals gather information for identity theft. That information also could be traded for drugs, the report states.

In addition, the report said this will prevent the unsanitary and unhealthy activity.



Another step to reduce litigation: make it impossible to gather evidence?

http://www.nytimes.com/2007/02/01/nyregion/01tape.htm?_r=3&oref=slogin&oref=slogin&oref=slogin

Student’s Recording of Teacher’s Views Leads to a Ban on Taping

By TINA KELLEY February 1, 2007

After a public school teacher was recorded telling students they belonged in hell if they did not accept Jesus as their savior, the school board has banned taping in class without an instructor’s permission, [“Teachers gots rights, chillins doesn't!” Bob] and has added training for teachers on the legal requirements for separating church and state.

A junior at Kearny High School in New Jersey, Matthew LaClair, 16, complained to his principal after the teacher in his American history class, David Paszkiewicz, told students that evolution and the Big Bang were not scientific, that dinosaurs were aboard Noah’s ark and that only Christians had a place in heaven. He started recording the comments in September because, he said, he was afraid school officials would not otherwise believe that the teacher had made them. Matthew said he was ridiculed and threatened after his criticism became public.

After several students complained to the school board that their voices had been broadcast on the Internet and on television news programs without their consent, the board adopted a policy in mid-January that requires students to request permission from an instructor to record or videotape a class.

... Meanwhile, Matthew said that Mr. Paszkiewicz recently told the class that scientists who spoke about the danger of global warming were using tactics like those Hitler used, by repeating a lie often enough that people come to believe it.

Mr. Lindenfelser said that the district did not investigate the report of that comment, which he said was not religious or a violation of “any kind of law.”


It could be worse... We could be living in a very liberal state.

http://news.bostonherald.com/localRegional/view.bg?articleid=180436

SJC: private schools have more leeway than public in searches

By Associated Press Thursday, February 1, 2007 - Updated: 07:25 AM EST

BOSTON - Students who attend private schools do not have the same protections against unreasonable searches as students who attend public schools, [No doubt this will make it easier to search students in religious (read: Muslim) schools. Bob] the state’s highest court said Wednesday in a ruling some legal analysts said could lead to arbitrary searches of backpacks or lockers.

The Supreme Judicial Court drew a distinction between public school officials and private school officials in the case of three Catholic school students who were arrested after drugs and alcohol were found in their hotel room during a school ski trip.

The court said that public school officials are agents of the state and therefore subject to the rule against unreasonable searches contained in the Fourth Amendment. But the court said the same protections don’t apply in private schools.

”Fourth Amendment protection does not apply to searches conducted by persons who are not state agents,” the court ruled in a unanimous, 7-0, decision.

Justice Roderick Ireland, in a concurring opinion, urged private schools to develop search policies to guard against abuses.

... ”Parents don’t need any justification to search their child’s room at home, and many parents chose private schools specifically for the reason they want them to do the same thing they would do,” said Capeless. ”This is private action by private individuals.”



Does this suggest that Sarbanes doesn't already cover computer security? Surely that is part of a “system of control” over financial data.

http://techdirt.com/articles/20070201/100011.shtml

What A Sarbanes-Oxley For Computer Security Might Look Like

from the bad-ideas dept

One problem with all of the constant talk about data breaches, phishing and identity theft is that it definitely has the potential to induce some shortsighted legislation in hopes that it will make the problem go away. Some have even said that nothing will happen on the legislative front until we see some sort of "digital Enron" that forces politicians into action. Of course, the actual Enron resulted in the much-lamented Sarbanes-Oxley, which stands as evidence that sweeping laws shouldn't be made in haste, during times of crisis. It's not clear whether or not we've had our "digital Enron" yet, but already some pundits are putting forth their ideas for a digital Sarbanes-Oxley. Ira Winkler at Computerworld argues that Congress should mandate ISP liability for malicious traffic on their networks, something which we've argued many times is a bad idea, since it's an approach that goes after the wrong party. But this is just the beginning. In addition to placing liability on ISPs, he says that individual computer users should be held liable if they fail to keep their computer secure, and it becomes part of a botnet. It's really hard to know where to start with that idea, other than to say that it again goes after the wrong party, and it could really discourage the average person from ever wanting to go online. His final suggestion is that Congress pass a law that makes security software better. He doesn't really offer anything concrete on this point, which is not surprising, because it's really out of the realm of what Congress can do. Simply legislating that something be made better will only increase the costs of making it, and reduce its availability. Seeing as the government can't even pass effective laws against spam, anything that it does in the area of identity theft or computer security should be viewed suspiciously. Fortunately, this particular proposal seems so extreme, it's hard to imagine it going anywhere.
It's also interesting to note that this is the second thing we've seen today from Computerworld that calls for more government involvement in tech issues. Sounds like they could use some more skepticism about the government's ability to solve these problems.



Another contradiction. “Good law is complex law.”

http://techdirt.com/articles/20070130/225828.shtml

Without Copyright Owner's Permission

from the good-decisions dept

The right of first sale is an important feature of copyright law that doesn't get that much attention. Since copyright has fundamentally different characteristics than traditional property, questions have arisen concerning whether things that you can do with tangible property also apply to copyrighted creative works. So, for example, if I buy a chair from the guy who built a chair, I can legally resell that chair without getting permission from the guy who made it. However, if I buy copyrighted content from someone, can I then resell that content the same way I could resell that chair? The right of first sale says that, in most cases, I can -- assuming, of course, that I haven't just sold the content, but also gotten rid of any copies I own as well. Of course, in most cases, content owners have now gotten around this by not selling you content, but merely licensing you the use of their content under very limited terms. Either that, or they've put in place technical measures, such as DRM, that make it effectively impossible to exercise your right of first sale. There are some areas where the right of first sale still matters. In fact, it's an issue that's been fought about in some areas, such as when the UK discussed banning the right of first sale on artwork -- meaning that any sale of a particular piece of artwork (even after it was sold initially) needed to have the approval of the artist.

Back in the US, there was recently a case that looked at first sale doctrine as it relates to audio books. William Patry explains the decision found that there's no copyright violation in renting out audio books without first getting the copyright holder's permission. The law has banned that right for music and computer software -- but since the law doesn't clearly describe audio books as well, the court found that it was not exempt from right of first sale coverage. This is definitely a good decision -- though, it wouldn't be surprising to see publishers now freak out about this and push for more explicit language to be added to the law at some point.



If the previous article wasn't enough to make you think copyright law was strange...

http://techdirt.com/articles/20070201/140812.shtml

NFL Wants To Remind You That Having People Over To Watch The Super Bowl On A Big Screen Is Copyright Infringement

from the laws-written-by-lobbyists dept

What is it with sports leagues and their desire to limit how their fans can enjoy the game? There's Major League Baseball, who keeps trying to insist that they own the facts related to a game, and no one can use them without paying MLB first. Then, there's the NFL, who freaked out about TiVo and also tried to ban any broadcasters from using "unauthorized" video feeds to show what happens in the stadium (i.e., no sideline cameras any more). They've been particularly fussy about the Super Bowl, however, forcing advertisers to call it "the Big Game" or whatever, claiming excessive control over the trademark (remember, trademarks are really designed to prevent consumer confusion, not to give holders full control over the mark).

The latest situation is perhaps even more bizarre -- but tragically, seems to fall closer to a correct legal reading of a really poorly written law. The NFL apparently nastygrammed a church for planning to host a Super Bowl party. The original complaint was first that the church was charging people, but also that they used the term "Super Bowl" (as if people would somehow believe that the church was associated with the NFL?). After the church agreed to let people in for free and not use the term, the NFL continued to complain, saying that showing the Super Bowl on a screen larger than 55 inches represents copyright infringement. While we, at first, doubted the reality of this, Ben Austro sent in the fact that it is, indeed, spelled out in copyright law that once you get above 55", you may be talking about a "public performance," though, as Ben notes, the wording sounds like it was clearly written by a lobbyist. No matter what the law states, this seems ridiculously short-sighted by the NFL. It's hard to see how they lose out in any meaningful way by not allowing groups to watch the Super Bowl together. Of course, now that this particular quirk of copyright law is getting some attention, how long will it be until the MPAA starts cracking down on those of you with really big screen TVs from showing movies in your home theaters. What was a joke just a few months ago, may become real.



Would this hold even where the company monitored e-mail and took action for some “violations of policy” but ignored others?

http://techdirt.com/articles/20070201/151427.shtml

California Court Exempts Employers From Email Liability

from the breathing-room dept

For reasons related to regulatory compliance and legal liability, many companies have rather strict policies on how employees can use their company email addresses. Often, the policies seem overly strict, but with the constant chatter over things like getting sued for sexual harassment for failing to block porn spam, we can understand their desire to err on the side of caution. Some California companies may see some relief as a judge has ruled that employers are not liable for the email activity of their employees. It cited the same law that exempts ISPs and sites like Craigslist from the activities of their users. Still, it seems the ruling is likely to open up a fresh can of worms. In this case, things were fairly cut and dried, as the court ruled that Agilent didn't bear any responsibility for harassing emails that its employees sent to an opposing party in a lawsuit. But there are other situations where things could get trickier, particularly if the email seems to have been sent in some official company capacity. So for now, even with the ruling, it's not too likely that companies will loosen the reins much in terms of email policy.



Free is good!

http://education.zdnet.com/index.php?p=814

January 31, 2007

Legal download service Ruckus expands to all colleges

Ruckus Network, a free and legal online music resource, has expanded service to include all U.S. colleges, not just subscribers, reports eSchool News.

The service, currently used by over 100,000 students, used to be only available through universities that had an agreement with the company. Now, any student that has a valid .edu email account can download music for free. There is, however, a charge for transferring music to a portable music player such as an iPod or MP3 Player.



http://www.bespacific.com/mt/archives/013820.html

February 01, 2007

Special Master Reports Now Available on U.S. Supreme Court Site

Special Master Reports are now posted on the Supreme Court's website, under the link for Dockets, which in turn has a link to Special Master Reports on the bottom portion of the page.

  • Via Wex: "A "special master" is appointed by a court to carry out some sort of action on its behalf. Theoretically, a "special master" is distinguished from a "master". A master's function is essentially investigative, compiling evidence or documents to inform some future action by the court, whereas a special master carries out some direct action on the part of the court. It appears, however, that the "special master" designation is often used for people doing purely investigative work, and that the simple "master" designation is falling out of use."



Something for my “Business Continuity” class

http://www.pandemicflu.gov/plan/community/community_mitigation.pdf

Interim Pre-pandemic Planning Guidance:

Community Strategy for Pandemic Influenza Mitigation in the United States—



Potential for a collaborative blog?

http://www.podtech.net/home/technology/2022/demo-of-trailfire-shows-new-way-to-share-find-whats-important-on-the-web

Demo of Trailfire shows new way to share find what's important on the Web

MP4 Video | Posted by Robert Scoble | February 1st, 2007 2:35 pm

Trailfire is a new way to both mark what you find is important on the Web as well as find other "trails" that people have left for you. I'm not explaining it very well, it's a cool way to group together interesting sites. Here is a good demo of Trailfire and why it might be useful.

Thursday, February 01, 2007

Go where the money is... Video suggests they have arrested one of the women, but also mentions that many dealerships have been hit.

http://cbs4.com/consumer/local_story_031172038.html

Exclusive: ID Thieves Hit Car Dealer In New Scam

Sources Say More Dealerships May Have Been Victims

Brian Andrews Reporting Jan 31, 2007 7:47 pm US/Eastern

(CBS4) MIAMI GARDENS Customers of a North Dade luxury auto dealership have been warned that their identities, bank accounts, even social security numbers may have been compromised by thieves who apparently have adapted low tech [but still relying on lax security Bob] criminal techniques to the high-tech crime of identity theft.

CBS4 News has learned that a criminal probe is underway into what happened at the Warren Henry automotive group, after a woman walked in off the street and took off with a box of sensitive customer data.

The business is known as one of South Florida's top luxury car dealerships, selling Infinitis, Jaguars, Land Rovers and other high-end brands to well-heeled customers.

Now, this dealer is dealing with the aftermath of this showroom security breach. Sources close to the investigation confirm a woman walked in off the street a few weeks ago pretending to look at cars in the showroom. While another woman was engaged in conversation with sales personnel, the suspect made her way to a back office and grabbed a box containing the sensitive financial data of dozens of customers who'd recently purchased fancy cars from the dealer.

The sources also say it's believed the document heist was well orchestrated as the woman knew where to go and what to grab. The source told CBS4 News that the thieves even had a getaway car waiting for them, without a license tag on the back so they couldn't be tracked.

As a result of the theft, Warren Henry has had to contact dozens of customers to let them know their bank accounts, credit, and other personal information may have been compromised.

Miami-Dade Police are investigating, but declined to talk to us about the case, saying they haven't made an arrest. Sources near the investigation say they're close and have already identified one suspect off the showroom's surveillance system, and told CBS4's Brian Andrews that other dealerships may have been targeted in the same scheme.

It's unclear at this point if the woman has actually used any of the data that was stolen.

Warren Henry Management is expected to release a statement later tonight.



TJX's education continues...

http://www.pogowasright.org/article.php?story=20070131075025656

Bank files class-action lawsuit against retailer

Wednesday, January 31 2007 @ 08:23 AM CST - Contributed by: PrivacyNews - Breaches

TJX has been hit with a second class-action lawsuit over the theft of customer credit card data by computer hackers.

The Boston Globe reports that Alabama-based AmeriFirst Bank filed the suit in U.S. District Court. The bank is seeking to recover the costs of replacing compromised credit cards and covering fraudulent purchases.

Source - WHDH Related - Press Release on Lawsuit



Statistics...

http://news.zdnet.com/2100-1009_22-6155277.html

Identity theft on the wane

02 / 01 / 07

Americans lost about $49.3 billion in 2006 to criminals who stole their identities, an 11.5 percent decline that may reflect increased vigilance among consumers and businesses, a study released Thursday shows.

Losses declined from a revised $55.7 billion in 2005, according to the third annual study by Javelin Strategy & Research. [ http://www.javelinstrategy.com/ ] They had increased in each of the prior two years.

The average identity theft fraud fell 9 percent to $5,720 from $6,278, while the median--where half were larger and half were smaller--held steady at $750.

... According to the study, 8.4 million adult Americans, or one in 27, learned last year that criminals committed fraud with personal data such as credit card or Social Security numbers. That's down from 8.9 million in 2005 and 10.1 million in 2003.

Adults under 25, African-Americans and people who make more than $150,000 were among the groups most likely to suffer fraud, the study said. The youngest adults were also among the least likely to take steps to stop it, the study said.

Consumers, on average, spent $535 to clear up a fraud, though more than half spent nothing, the study said. Many businesses excuse customers from liability for certain frauds.

Results were based on a phone survey last fall of 5,006 people, including 469 who said they were fraud victims.



Well, they certainly got publicity. I wonder what this will cost them?

http://techdirt.com/articles/20070131/144709.shtml

Marketing Stunt Shuts Down City Of Boston

from the attention-grabber dept

Sometimes attempts at viral, word-of-mouth marketing can go too far. Turner Broadcasting thought it had come up with a slick way of promoting a show on Adult Swim by placing glowing signs featuring one of the show's characters all around the city of Boston. There was just one problem: with everyone so on edge these days about terrorism and suspicious objects, the signs drew out the bomb squads, and much of the city's infrastructure ground to a halt. Highways, commuter rail lines and the subway were all affected, as crews responded to worried phone calls throughout the city. The city's response is very similar to when some girls were arrested for playing a real-life version of the game Super Mario Brothers, which involved them placing boxes with question marks all around their neighborhood. While this latest stunt is bringing a lot of publicity to Turner Broadcasting, it's safe to say that this isn't what they hoped to see happen. The company will almost certainly face fines and other legal sanctions for tying up the city's anti-terrorism resources. Perhaps the marketing department at Turner Broadcasting needs to audit that college course on viral marketing.

[From the comments: This issue would have been nonsense if there was a sticker with Cartoon Network and a phone number on the circuits. ]



Be careful what you discuss online! Imagine describing the steps to reformat a hard drive! No doubt the government will find a way to use a computer that (unlike citizens) listens to their commands...

http://techdirt.com/articles/20070131/073609.shtml

Microsoft Vista Takes Orders From Anyone Who Yells At It

from the listen-up dept

As Microsoft pushes Vista out the door, the company has a lot riding on the claim that the new operating system is significantly better than previous versions of Windows, in terms of security. While there have been some scattered reports of flaws, which is always to be expected, many feel that the company has made good progress in securing its system. One new vulnerability comes from the fact that Vista has voice recognition capabilities, and that the user can speak commands to the computer through a microphone. George Ou decided to test the question of whether a website could play an audio file containing spoken commands and commandeer the user's computer. As it turns out, if the speech is clear enough, the computer will respond to commands that come out of its own speakers. The volume didn't even need to be too high. It's still not clear how much of a threat this really is. Many people won't even have this capability activated, and if you stumble onto a website that starts barking orders to your computer, you might realize something odd is going on. But, as with many online threats, an attacker doesn't need a high rate of success for a certain approach to be worthwhile. [1% is acceptable, if you make several million attacks. Bob] For Microsoft, it will probably be one of several security issues it will have to deal with down the road.



Wow! If only the shows were in a language I understood...

http://digg.com/tech_news/BBC_to_Shake_Up_TV_Industry_with_Internet_TV

BBC to Shake Up TV Industry with Internet TV!

BBC will offer ALL its TV shows from the past 7 days on-demand and over the internet and people can save them to their PC for 30 days. It's much like an automated DVR service. Other TV Networks are shaking in their boots as this threatens to change the whole TV model. Big thumbs up to the BBC. It will be called iPlayer - sounds like an Apple product!

http://www.webtvwire.com/bbc-iplayer-bbc-gives-green-light-on-internet-tv-service/



Useful quotes? I'm sure Al Gore will find one...

http://www.zogby.com/news/ReadNews.dbm?ID=1244

Released: January 31, 2007

What is Privacy? Poll Exposes Generational Divide on Expectations of Privacy, According to Zogby/Congressional Internet Caucus Advisory Committee Survey

18-24 Year Olds Harbor Profoundly Different Privacy Perceptions, Survey Finds

Nine out of 10 Americans believe the Internet has changed our expectations of privacy, according to a new poll conducted by Zogby International on behalf of the Congressional Internet Caucus Advisory Committee in advance of its annual policy conference in Washington.

Ninety-one percent said they agreed with the statement that our expectations of privacy have changed due to technologies and the Internet. Seven percent disagreed and two percent were not sure.

But a vast chasm exists between what 18-24 year-olds believe is an invasion of privacy and what other Americans consider to be an intrusion. For example:

* Only 35.6 percent of 18-24 year-olds consider someone posting a picture of them in a swimsuit to be an invasion of their privacy, compared to 65.5 percent of other respondents.

* Only 19.6 percent of 18-24 year-olds consider their dating profile to be an invasion of their privacy, compared to 54.6 percent of other respondents.

“Whether health care, e-commerce or social networking, privacy is at the forefront of every major policy debate,” said Tim Lordan, executive director of the Congressional Internet Caucus Advisory Committee. “This survey raises questions that could significantly impact our policymaking on privacy in years to come, assuming the MySpace generation maintains their privacy views as they age.”

The survey was released in advance of the Congressional Internet Caucus Advisory Committee annual State of the Net policy conference in Washington, DC on Jan. 31. For more information on the conference, go to netcaucus.org.

The Zogby poll underscores how 18-24 year-olds view, and use, the Internet in ways that distinctly set them apart:

* 45.4 percent of 18-24 year-olds say they, or someone they know, has broken up with someone using email or a text message. That contrasts with just 7.6 percent of all the other age groups polled.

* In good news for Al Gore, nearly 32 percent of the younger age group believes the former Vice President deserves credit for inventing the Internet, toppling one of the original founders of the Internet — Vint Cerf. That compares with just 9.8 percent of other age groups. Gore received criticism in the 2000 election for what was viewed as too much credit taking for his role in the Internet’s development. The Zogby survey suggests that many 18-24 year-olds remember the controversy in a way that works to the Vice President’s favor.

While the overwhelming majority of Americans believe our expectations of privacy have changed, they remain cautious about when a younger person should be allowed to use the Internet. Over 75 percent of those polled said a child should wait until they are 13 or older before getting email access (and 40.7 percent of them said the person should be at least over the age of 16 or wait until an adult). In addition, a whopping 65.6 percent said access to social networking sites should be restricted until the age of 16 or adulthood. Remarkably, 18-24 year-olds tended to be more cautious than their older counterparts in this regard. Across the board, from email to social networking, children should wait much longer to use the Internet according to 18-24 year olds.

And the Internet is still not viewed as the best place to meet someone. When asked if they had a 20-year-old daughter what would they least want their daughter to bring home as a boyfriend, respondents said they would least want it to be a guy she met on the Internet – even over someone she met at a bar or at a Star Trek convention. Of those polled, 31.9 percent considered the Internet boyfriend to be the worst, followed by a guy she met in a bar (22.3 percent) and then a Trekkie (16.1 percent).

Other findings from the poll include:

* Americans are split whether the Internet will cause profound change in China, or whether China will change the Internet. Forty-three percent said they believe that China will inevitably open up as citizens gain more access to information despite the government’s efforts to limit it. But 40.4 percent said it will be China that forces changes to the Internet that limit the flow of information. Asian Americans polled exhibited skepticism in that only 27.5 percent believed the Internet would change China.

* One in four 18-24 year-olds admitted that they missed a deadline on an important project because they chose to surf the Internet instead. Only 7.8 percent of other respondents fessed up to doing that.

* When faced with having to give up television, radio or the Internet, 18-24 year-olds opted to hold on to their Internet at all costs. This demographic decided to jettison the TV first, followed by the radio. While the Internet was spared by 18-24 year-olds, it was the first choice to be tossed by all other older respondents, who’d rather keep their television and radio over the Internet.

* Most Americans don’t – or won’t fess up to – using the Internet to check up or snoop on co-workers or a potential boyfriend or girlfriend. Only 5.9 percent said they have used the Internet to find a co-worker and only 5 percent said they have used it to investigate a prospective mate.

The Zogby poll surveyed 1,200 adults and was conducted from 1/24-1/26. It has a margin of error of 2.9 percent. Conference sponsor 463 Communications helped conceive and develop the survey.



One version of collaboration.

http://www.wired.com/news/technology/software/0,72612-0.html?tw=rss.index

Jamming at the Speed of Light

By Mike Kobrin 10:00 AM Jan. 31, 2007

A new online service is about to launch that will allow bedroom musicians worldwide to play together in real time -- without leaving their own bedrooms.

In March, eJamming will introduce eJamming Audiio, an online music studio that uses peer-to-peer connections to eliminate lag times between live performers.



Amusing, but true!

http://www.bbspot.com/News/2007/02/windows-vista-upgrade-decision-flowchart.html

Windows Vista Upgrade Decision Flowchart

By Brian Briggs Wednesday, January 31 12:00 AM ET