Saturday, March 03, 2007

Too close to home.

Mar 2, 2007 6:47 pm US/Mountain

Metro State Computer With SS Numbers Stolen

(CBS4) DENVER College of Denver is working with the Denver and Auraria Police in the investigation of a theft of a computer stolen from campus that contained the names and Social Security numbers of 988 former students.

The laptop computer was stolen from its docking station in the late afternoon of Feb. 28 from a Metro State faculty member's office on the Auraria Campus. The case remains under investigation.

The stolen computer contained roster information of students enrolled in the faculty member's classes from the beginning of the 1999 fall semester to the end of the 2002 fall semester. The stolen computer was password protected.

... Metro State President Stephen Jordan said that this is a very specific incident. "Last spring, it was mandated that all College reports or studies that access private student information, including Social Security numbers, were to be approved through the President's Office," [So, was this one approved? Bob] he said, adding, that the College is completing a project to have College-owned laptops turned over to the Information Technology division for review of the data contained on their hard drives. [“Because all our IT geeks are lawyers who will immediately recognize anything inappropriate.” Bob]

... At this time the campus has no evidence that personal data were actually retrieved or misused. [Why does every organization feel they need to include a statement like this? Clearly two days is not long enough for victims to recognize identity theft, determine the leaking organization, and report it. Clearly self-serving, but does it also lull the victims into a false sense of security? Bob]

Silly? Pay attention class...

Saturday, March 03 2007 @ 06:45 AM CST

'Embarrassed' Gun Suspect Sues Microsoft After FBI Finds Sex Videos On His PC

Friday, March 02 2007 @ 04:18 PM CST - Contributed by: Lyger - Internet & Computers

A man awaiting trial for alleged gun crimes is suing Microsoft for privacy violations after FBI agents seized his home computer during a raid and found files containing sexually explicit videos of him and his girlfriend and evidence that he frequented pornographic Web sites.

Michael Alan Crooker, currently in jail in Connecticut, says security features advertised by Microsoft and its business partners should have kept federal agents from accessing the files on his PC. In court papers filed this week in Massachusetts Superior Court, Crooker says he "suffered great embarrassment" as a result of Microsoft's failure to keep the FBI's prying eyes off his computer.

Source - InformationWeek h/t - Fergie's Tech Blog

[From the article:

At the FBI lab, agents were able to access Crooker's files by making a mirror image of the hard drive. [A basic e-Discovery technique. Then the drive is attached as an external drive and read. If the operating system on the target drive is never used, all those security programs never run, never asks for your password, etc. Bob] Among the files, they found a video showing Crooker and his girlfriend having sex, his medical records, family photographs, and correspondence between Crooker and his attorneys. They also found Internet history files that showed Crooker's fondness for pornographic Web sites.

Crooker says he had set Internet Explorer to delete his Internet history every five days. "Any day beyond those parameters is supposed to be permanently deleted and is not supposed to be recoverable," Crooker says in the lawsuit. He also claims Compaq's DriveLock security system should have prevented the FBI from accessing his hard drive.

In the court papers, Crooker says he already has reached settlements with Hewlett-Packard, which owns the Compaq brand, and Circuit City.

Dear employee,

Worker Can Be Fired for Refusing Search of Briefcase

Friday, March 02 2007 @ 08:31 AM CST - Contributed by: PrivacyNews - In the Courts

A man who was fired for refusing to let his boss inspect the contents of his briefcase is not entitled to unemployment benefits, a Florida appeals court has ruled. The court said Bradley Leedham would receive no benefits because he was fired for misconduct connected with work.

Source - FindLaw

Eventually, we should be able to do this with any video camera on the Internet...

Near realtime free satellite images of the Earth

The MODIS satellites gaze back at the Earth constantly circling and snapping high res images of our world. You can see what they've been up to for the last couple days and download high res versions that are in the commons and ready for you to use for whatever you like.

Interesting. Other than “he passed” what does the test score reveal? Are grades confidential?

Lawsuit is about more than test scores

Attorney: Gallegos hopes to reverse AG ruling


A top ECISD administrator and his attorney said his fight to keep a test score private will have an impact on educators across the state.

... The test, called the Examination for the Certification of Educators in Texas, is one of two certification programs by the State Board for Educator Certification and Texas Education Agency that gauges an educator’s knowledge of information rather than performance, according to the TEA Web site.

... Lungwitz said everyone’s grades from bachelor’s to doctorate degrees are confidential, and Gallegos’ test scores are no different.
“Everybody’s grades are private in this country,” he said. “It’s in the same vein.”

Anyone want to start their own phone company?

FCC Grants Internet Phone Access

By Molly Peterson Bloomberg News Friday, March 2, 2007; Page D03

Rural telephone companies must allow carriers such as Verizon Communications to use local lines to connect Internet-based calls, U.S. regulators said yesterday.

A logical strategy. There are plenty of stories showing how poorly government agencies understand technology, so it is only logical for them to say “Keep everything forever. We'll try to figure out what we need by examining what defense attorneys ask for...”

Justice Department takes aim at image-sharing sites

By Declan McCullagh Story last modified Fri Mar 02 07:33:00 PST 2007

The Bush administration has accelerated its Internet surveillance push by proposing that Web sites must keep records of who uploads photographs or videos in case police determine the content is illegal and choose to investigate, CNET has learned.

That proposal surfaced Wednesday in a private meeting during which U.S. Department of Justice officials, including Assistant Attorney General Rachel Brand, tried to convince industry representatives such as AOL and Comcast that data retention would be valuable in investigating terrorism, child pornography and other crimes. The discussions were described to by several people who attended the meeting.

A second purpose of the meeting in Washington, D.C., according to the sources, was to ask Internet service providers how much it would cost to record details on their subscribers for two years. At the very least, the companies would be required to keep logs for police of which customer is assigned a specific Internet address.

Only universities and libraries would be excluded, one participant said. [News flash: Real ID required to use library! Bob] "There's a PR concern with including the libraries, [It is better to look good than to be secure... Bob] so we're not going to include them," the participant quoted the Justice Department as saying. "We know we're going to get a pushback, so we're not going to do that."

Attorney General Alberto Gonzales has been lobbying Congress for mandatory data retention, calling it a "national problem that requires federal legislation." Gonzales has convened earlier private meetings to pressure industry representatives. And last month, Republicans introduced a mandatory data retention bill in the U.S. House of Representatives that would let the attorney general dictate what must be stored and for how long.

... Often invoking terrorism and child pornography as justifications, the administration has argued that Internet providers must install backdoors for surveillance and has called for routers to be redesigned for easier eavesdropping. President Bush's electronic surveillance program, which was recently modified, has drawn an avalanche of lawsuits.

The Justice Department's request for information about compliance costs echoes a decade-ago debate over wiretapping digital telephones, which led to the 1994 Communications Assistance for Law Enforcement Act. To reduce opposition by telephone companies, Congress set aside $500 million for reimbursement and the legislation easily cleared both chambers by voice votes.

Once Internet providers come up with specific figures, privacy advocates worry, Congress will offer to write a generous check to cover all compliance costs and the process will repeat itself.

... Because the Justice Department did not circulate a written proposal at the private meeting, it's difficult to gauge the effects on Web sites that would be forced to record information on image uploads for two years. Meeting participants said that Justice officials (including Brand, the assistant attorney general for legal policy and a former White House attorney) did not answer questions about anonymously posted content and whether text comments on a blog would qualify for retention.

In practice, some Web businesses already make it a practice to store personal information forever. Google stores search terms indefinitely, for instance, while AOL says it deletes them after 30 days.

David Weekly, a San Francisco-area entrepreneur who founded popular Wiki-creation site, said the Justice Department's proposal would be routinely evaded by people who use overseas sites to upload images. (PBWiki, which recently raised $2 million from Mohr Davidow Ventures, lets people embed photographs on pages they create with a point-and-click editor.)

If the proposal were to become law, PBWiki would already be in compliance, Weekly said. "We already keep all that data pretty much indefinitely because it's invaluable for us to mine and figure out how people use services," he said. "How do they use services now versus a year ago? Was February a bad month for traffic?... We already have the data there. It's already searchable. It's already indexed."


ISP snooping timeline

In events first reported by CNET, Bush administration officials have said Internet providers should keep track of what Americans are doing online. Here's the timeline:

June 2005: Justice Department officials quietly propose data retention rules.

December 2005: European Parliament votes for data retention of up to two years.

April 14, 2006: Data retention proposals surface in Colorado and the U.S. Congress.

April 20, 2006: Attorney General Alberto Gonzales says data retention "must be addressed."

April 28, 2006: Democrat proposes data retention amendment, followed by a Republican.

May 26, 2006: Gonzales and FBI Director Robert Mueller pressure Internet and telecom companies.

September 26, 2006: Politicians suggest that Web hosts and registrars might have to comply. Search engines are also mentioned.

January 18, 2007: Gonzales says administration will ask Congress for new laws.

February 6, 2007: Republicans introduce mandatory data retention "Safety Act."

How do I love my customers, let me count the ways... OR How to attract a swarm of Class Action lawyers... OR No one will ever notice....

Best Buy Confirms It Has Secret Website

March 2, 2007

Under pressure from state investigators, Best Buy is now confirming my reporting that its stores have a secret intranet site that has been used to block some consumers from getting cheaper prices advertised on

Company spokesman Justin Barber, who in early February denied the existence of the internal website that could be accessed only by employees, says his company is "cooperating fully" with the state attorney general's investigation.

Barber insists that the company never intended to mislead customers.

... Blumenthal said Wednesday that Best Buy has also confirmed to his office the existence of the intranet site, but has so far failed to give clear answers about its purpose and use.

"Their responses seem to raise as many questions as they answer," Blumenthal said in an interview. "Their answers are less than crystal clear."

... Then they threw in this interesting line: "Although we have an intra-store web site in place to support store operations (including products and pricing), we are reminding our employees how to access the external web site to ensure customers are receiving the best possible product price."

That last sentence seems to indicate that Best Buy, which is supposed to be staffed by tech-savvy employees, is putting the blame on memory lapses: that employees have somehow forgotten how to access from the store.

... This is not the first time the giant electronic retailer has gotten into trouble misleading customers. The firm, based in Minneapolis, operates more than 1,100 electronic retail stores in the U.S., Canada and China. It has more than 125,000 full-time employees.

Attorneys general in New Jersey and Ohio have accused Best Buy of deceptive sales practices, repackaging used merchandise and selling it as new, and failing to pay rebates and refunds. It paid $135,000 in New Jersey three years ago to settle that state's suit, which was based on hundreds of consumer complaints. The Ohio case is ongoing.


Disk Drive Failures 15 Times What Vendors Say

Posted by Zonk on Friday March 02, @04:15PM from the cough-sputter-wheeze-choke dept. Data Storage Hardware

jcatcw writes "A Carnegie Mellon University study indicates that customers are replacing disk drives more frequently than vendor estimates of mean time to failure (MTTF) would require. The study examined large production systems, including high-performance computing sites and Internet services sites running SCSI, FC and SATA drives. The data sheets for the drives indicated MTTF between 1 and 1.5 million hours. That should mean annual failure rates of 0.88%; annual replacement rates were between 2% and 4%. The study also shows no evidence that Fibre Channel drives are any more reliable than SATA drives."


Security Software Costs More to Renew Than Buy New

Posted by Zonk on Friday March 02, @01:21PM from the helping-the-consumer-choose dept. Security The Almighty Buck Software

Matt Whipp writes "In a story I wrote for PCPro, I explore a tip submitted by one of our readers. They pointed out how much more it costs to renew security software, rather than buying it new. In fact it cost less than half the price to buy it new than it does to renew the license because of heavy discounting. He feels a bit cross that, as a loyal customer, he is the one penalized.

From the article: 'ZoneAlarm may have tripped up on this discount issue, but it's not alone. It highlights just how cynical companies can be in relying on customers' assumptions that a renewal should be cheaper than buying new. McAfee's Internet Security Suite costs just £24.99 with the current 50 per cent discount. However, should you be fool enough to already be a customer of McAfee, you'll have to pay £39.99 to renew your licence.'"

How good is your antivirus?


Posted by Mikko @ 14:26 GMT

Latest comparative test results from are out. We did very nicely in the test and netted the highest "ADVANCED+" rating - unlike the big boys.

This test used almost half a million sample files. For full results, download the test report.

Cool! I only got 49... Shame on me. I like the format though...

You have 10 minutes to name as many of the 54 African Countries as you can.

If you thought that naming the 50 States was easy, test yourself with this significantly harder challenge. You'll be surprised how little you know about Africa--yes, even less than you think you do.

Dare the New York Times (or the National Enquirer) fall behind?

The Onion Goes Viral With Video

By Sonia Zjawinski 07:50 AM Mar, 01, 2007

Before The Daily Show With Jon Stewart and The Colbert Report, there was The Onion. So why hasn't the satirical weekly taken a swipe at broadcast journalism yet?

"We've been waiting for technology to catch up with our frighteningly advanced vision for the future of news," says Sean Mills, president of Onion Inc. "That day has finally come."

In late March, the company will launch The Onion News Network, a service that will stream original clips every week produced by a team of 15 new hires, including an entire production team. (That pushes the Onion empire to roughly 145 staffers.)

... Footage is based on the premise that the paper has been running a 24-hour news service for the past 75 years, only no one knew about it.

... But while Time and restrict their videos to their sites or affiliates' sites, the Onion News Network will encourage bloggers to embed clips on their own pages.

Too cruel? Or too true?

Visual Aid For Boston Police Department

This person has created a visual aid to help the hard working officials in Boston spot items that are NOT bombs.

Friday, March 02, 2007

Gosh, Friday already?

Records of 2,000 Westerly Hospital patients posted online

March 1, 2007

WESTERLY, R.I. -- Two thousand patients at Westerly Hospital had their names, Social Security numbers and medical records posted on a publicly accessible Web site, and the hospital said it doesn't know who did it.

"We don't know why it happened. We don't know how it happened. But we will," hospital President and CEO Charles Kinney told The Westerly Sun.

The Web site included detailed information about patients' surgical procedures and medical histories, as well as people's home addresses and insurance information.

... Westerly Police learned of the problem on Wednesday afternoon when a woman looked up her phone number on the Internet search engine Google and found a link to the site. Police called the hospital, then the FBI and State Police. [The Hospital probably never even looks at their web site Bob]

The hospital worked with several Internet companies, including Yahoo Inc., to take the site down, and it was taken offline five hours later, [In most circumstances, this is as simple as pulling a plug, even if you do it electronically Bob] according to the Sun. It's not clear how long the site was up or how many people saw the information.

Kinney said there was a breach in the hospital's computer database system that allowed hackers to access the information. [And another that allowed the hackers to access the hospitals computers? And another that allowed them to change the web site? Bob] The hospital plans to send a letter to every affected patient as soon as possible, Kinney said.

Note that they detected the attack themselves (see TJX, it can be done) although why they think changing the passwords (if the hacker has already broken the encryption) would make things secure again I don't know...

A&M computer system attacked

By LAURA HENSLEY Eagle Staff Writer Updated March 1, 2007 7:08 AM

Texas A&M University officials ordered all 96,000 users of the school's computer system to change their passwords Wednesday after an attempt was made to gain unauthorized access to electronic files over the weekend.

Officials said they believe no data - including Social Security numbers and financial information - were stolen. But, officials cautioned, if the person responsible was able to crack the encrypted passwords they could have access to individual accounts.

... Interim University President Ed Davis would not give specific details about the computer system break-in, citing an ongoing criminal investigation, but he said a monitoring system first discovered the problem within the NetID system early Saturday.

Davis said it took a few days to determine if the security breach was intentional, [I wonder what made them even consider “accidental hacking” Bob] but computer personnel quickly disabled the compromised campus computer Saturday morning. He said they decided to delay an announcement because they didn't want to disrupt the criminal investigation. He said they also needed to give staff members time to devise a plan for how to proceed.

The hacker was attempting to access files that contained encrypted passwords, according to Davis, who said financial, payroll and student administrative systems were not impacted.

... Tom Putnam, executive director of computing and information services, said this is the first time the university's computer system has been compromised on such a large scale. It remained unclear late Wednesday how much, if any, information the person was able to retrieve. [You did log that activity, right? Bob]

... Putnam said officials know how the hacker was able to infiltrate the system, and there already have been technical changes to the system to address the weakness.

"We learn from our mistakes," said Pierce Cantrell, vice president and associate provost for information technology. "These are complicated systems, and there is a huge learning curve. It's a computer cat-and-mouse game in this business, and I think we do a really good job handling account security."

I wonder when the doctor noticed it was gone?

SickKids notifies study participants of stolen laptop

TORONTO, March 1 /CNW/ - The Hospital for Sick Children (SickKids) is notifying patients that have participated in 10 different research studies about a stolen laptop that contained their personal health information. The laptop was stolen on January 4, 2007 from the car of a physician who was doing data analysis.

SickKids reported the incident to Ontario's Information and Privacy Commissioner (IPC) and is working in full cooperation with the IPC in an independent review of this incident.

The laptop was password protected and it is not likely that the data could be easily understood by someone who lacks clinical training. [Name and address is too technical for hackers? Bob] Patient care is not affected by this incident since the stolen laptop contained research data and not patient charts.

The studies involved patients in the rheumatology, endocrinology, infectious diseases and cardiac program. Many of the patients in the cardiac studies were treated in the cardiac program at SickKids as children.

Notification letters were sent to study participants who are active patients. In certain circumstances, patients were notified in person at clinic appointments.

The hospital is committed to the protection of patient privacy and is pleased to be working with the IPC on a review of applicable policies and practices to ensure appropriate privacy and security safeguards are in place and that they are clearly and consistently communicated to hospital staff.

Public inquiries may be directed to the hospital's privacy office Monday to Friday 8:30 a.m. to 5:00 p.m. at 416-813-7474, or by email to Inquiries may also be directed to the IPC at 416-326-3333, or by email to

Not all personal information is stolen. (I bet there will be a new law forbidding this in record time.)

March 01, 2007

D.C. Madame to Sell 10,000 Phone Records of High-End Washington Clients

Deborah J. Palfrey is unhappy. And, if you know who Deborah J. Palfrey is—and especially if you know her by Jeane—you probably don’t want her unhappy. From 1993 until this past summer, Palfrey ran Pamela Martin and Associates, a “high-end adult fantasy firm which offered legal sexual and erotic services across the spectrum of adult sexual behavior,” according to a statement she put out today hoping to raise funds for her legal defense.

The way she plans to raise those funds could reverberate through Washington’s power corridors. She is considering “selling the entire 46 pounds of detailed and itemized phone records for the 13 year period,” reports The Politico's Ryan Grim. In October, the Internal Revenue Service seized her assets; the sale of the records would fund her fight against the seizure.

Palfrey released what she said were a sample of the records, which don’t include names, but do feature a number of Washington area exchanges.

Her attorney, Montgomery Blair Sibley, said that prices have yet to be set for the data. “We don’t actually know that yet,” he said, “because we haven’t finished mining the data to identify the individuals. Obviously if Bill Clinton’s on the list that’s a different matter than you know, somebody nobody’s ever heard of before.”

But, he said, chances are good that some interesting names will pop up. “Statistically, if you have 10,000 people, and given the structure of this particular service, these weren’t people beckoning from car windows,” he said. “The escorts only responded to four and five star hotels or private residences. And so the landlines will show up on the private residences real quickly.”

He'll probably find a sympathetic jury, too.

Alabama Guard sergeant brings class action suit on VA

Posted by Birmingham News staff March 01, 2007 11:34AM

WASHINGTON -- A staff sergeant in the Alabama National Guard has sued the U.S. Department of Veterans Affairs on behalf of the 535,000 veterans whose personal data were contained on a computer hard drive missing from the Birmingham VA Medical Center since late January.

The case, filed in federal court in Birmingham as a class action, alleges the VA knew or should have known about long-standing security problems that threatened the privacy of veterans. [Congress agrees... Bob]

The VA still has not found the hard drive, which contains data on the veterans plus 1.3 million health-care providers. "With each passing day the chance increases for the plaintiff and those similarly situated to become victims of identity theft," the lawsuit states.

The plaintiff, Greg Fanin, was on active military duty twice in Iraq and once each in Jordan and Qatar, and he has received medical services at VA hospitals between 10 and 15 times since Nov. 2001, the lawsuit states.

I wonder how common this is? An earlier article hinted the same thing had been done in other states, but gave no indications if it was these same guys.

Stop & Shop keypad theft suspects charged federally

Thursday, March 01 2007 @ 11:13 PM CST - Contributed by: Lyger - In the Courts

Four men suspected of replacing checkout lane keypads at Stop & Shop supermarkets to steal more than 1,000 card numbers of customers were charged in federal court for the alleged scheme.

The four California men appeared Thursday afternoon before U.S. Magistrate David Martin on federal charges of aggravated identity theft and conspiracy to fraudulently traffic in access devices. Martin ordered all four men detained pending a court hearing Tuesday afternoon. They did not enter pleas.


1 in 6 Canadians hit by identity theft, survey suggests

About one-third of adults have been suckered by marketing frauds, poll indicates

Last Updated: Thursday, March 1, 2007 | 5:27 PM ET CBC News

Identity theft has hit one out of every six adult Canadians — more than 4.2 million people — either directly or within their immediate households, a survey suggests.

The poll, conducted in 2006 by the Strategic Counsel for the Competition Bureau of Canada, suggests that 17 per cent of Canadians aged 18 or older have either been victimized themselves or had an incident affect someone in their homes.

Even more people have been hit by marketing fraud, according to the survey: 31 per cent or about one in three adults.

Here's a must read.

March 01, 2007

REAL ID Proposed Guidelines Issued

Press release: "The Department of Homeland Security (DHS) has announced draft regulations in the form of a Notice of Proposed Rulemaking to establish minimum standards for state-issued driver’s licenses and identification cards in accordance with the REAL ID Act of 2005. These proposed regulations set standards for states to meet the requirements of the REAL ID Act, including: security features that must be incorporated into each card; verification of information provided by applicants to establish their identity and lawful status in the United States; and physical security standards for locations where licenses and identification cards are issued."

Seems like a useful guideline – I wonder if there is a US version?

Are you disposing of confidential waste securely?

1 March 2007

The British Security Industry Association (BSIA) has published guidelines for compliance with the new British Standard 8470.

BS 8470:2006, which came into force last year, gives recommendations for the management and control of the collection, transportation and destruction of confidential material to ensure that such material is disposed of securely and safely.

... The BSIA’s guide to BS 8470:2006 is available to download from:


Your Wi-Fi can tell people a lot about you

By Joris Evers Story last modified Fri Mar 02 03:34:27 PST 2007

ARLINGTON, Va.--Simply booting up a Wi-Fi-enabled laptop can tell people sniffing wireless network traffic a lot about your computer--and about you.

Soon after a computer powers up, it starts looking for wireless networks and network services. Even if the wireless hardware is then shut off, a snoop may already have caught interesting data. Much more information can be plucked out of the air if the computer is connected to an access point, in particular an access point without security.

"You're leaking all kinds of information that an attacker can use," David Maynor, chief technology officer at Errata Security, said Thursday in a presentation at the Black Hat DC event here. "If the government was taking this information from you, people would be up in arms. Yet you're leaking this voluntarily using your laptop at the airport."

There are many tools that let anyone listen in on wireless network traffic. These tools can capture information such as usernames and passwords for e-mail accounts and instant message tools as well as data entered into unsecured Web sites. At the annual Defcon hacker gathering, a "wall of sheep" always lists captured login credentials.

Errata Security has developed another network sniffer that looks for traffic using 25 protocols, including those for the popular instant message clients as well as DHCP, SNMP, DNS and HTTP. This means the sniffer will capture requests for network addresses, network management tools, Web sites queries, Web traffic and more.

"You don't realize how much you're making public, so I wrote a tool that tells you," said Robert Graham, Errata Security's chief executive. The tool will soon be released publicly on the Black Hat Web site. Anyone with a wireless card will be able to run it, Graham said. Errata Security also plans to release the source code on its Web site.

The Errata Security sniffer, dubbed Ferret, packs more punch than other network sniffers already available, such as Ethereal and Kismet, because it looks at so many different protocols, Graham said. Some at Black Hat called it "a network sniffer on steroids."

Snoops can use the sniffer tools to see all kinds of data from wireless-equipped computers, regardless of the operating system.

For example, as a Windows computer starts up, it will emit the list of wireless networks the PC has connected to in the past, unless the user manually removed those entries from the preferred networks list in Windows. "The list can be used to determine where the laptop has been used," Graham said.

Apple Mac OS X computers will share information such as the version of the operating system through the Bonjour feature, Graham said. Bonjour is designed to let users create networks of nearby computers and devices.

Additionally, computers shortly after startup typically broadcast the previous Internet Protocol address and details on networked drives or devices such as printers that they try to connect to, Graham said.

"These are all bits of otherwise friendly information," Graham said. But in the hands of the wrong person, they could help attack the computer owner or network. Furthermore, the information could be useful for intelligence organizations, he said.

And that's just the data snoops can sniff out of the air when a laptop is starting up. If the computer is then connected to a wireless network, particularly the unsecured type at hotels, airports and coffee shops, much more can be gleaned. Hackers have also cracked basic Wi-Fi security, so secured networks can't provide a security guarantee.

In general, experts advise against using wireless networks to connect to sensitive Web sites such as online banking. However, it is risky to use any online service that requires a password.
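The "preferred networks list" leak described above is visible to any monitoring tool because a client announces each saved SSID in 802.11 probe-request frames. The following is an added example, not code from Errata Security's Ferret or from the article: it hand-builds a few probe-request frames (constructed, not captured), parses the management-frame header and SSID information element, and groups the SSIDs by client MAC. An administrator can run the same audit logic over a real capture to confirm that retired hotel and home networks have actually been removed from corporate laptops. All frame contents, MAC addresses and SSIDs are assumptions made up for the example.

```python
from collections import defaultdict

# 802.11 constants used below
MGMT_TYPE = 0          # frame type: management
PROBE_REQUEST = 4      # management subtype: probe request
IE_SSID = 0            # information element id for SSID


def build_probe_request(ssid: str, src_mac: bytes) -> bytes:
    """Build a minimal probe-request frame: 24-byte MAC header + SSID and rates IEs.
    Constructed for the example; not a frame captured from any real network."""
    frame_control = bytes([(PROBE_REQUEST << 4) | (MGMT_TYPE << 2), 0x00])
    duration = b"\x00\x00"
    broadcast = b"\xff" * 6
    seq_ctl = b"\x00\x00"
    # addr1 = destination (broadcast), addr2 = transmitter, addr3 = BSSID (broadcast)
    header = frame_control + duration + broadcast + src_mac + broadcast + seq_ctl
    ssid_bytes = ssid.encode("utf-8")
    ssid_ie = bytes([IE_SSID, len(ssid_bytes)]) + ssid_bytes
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported rates 1/2/5.5/11 Mbit/s
    return header + ssid_ie + rates_ie


def parse_probe_request(frame: bytes):
    """Return (transmitter MAC, SSID) for a probe request, or None for any other frame."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x03
    subtype = (fc0 >> 4) & 0x0F
    if ftype != MGMT_TYPE or subtype != PROBE_REQUEST:
        return None
    src = ":".join(f"{b:02x}" for b in frame[10:16])  # address 2 = transmitter
    body = frame[24:]
    ssid = ""
    i = 0
    while i + 2 <= len(body):
        ie_id, ie_len = body[i], body[i + 1]
        data = body[i + 2:i + 2 + ie_len]
        if len(data) < ie_len:           # truncated IE: stop rather than misparse
            break
        if ie_id == IE_SSID:
            ssid = data.decode("utf-8", errors="replace")
        i += 2 + ie_len
    return src, ssid


def preferred_network_audit(frames):
    """Group directed probes by client MAC. Wildcard probes (empty SSID) reveal nothing
    and are skipped; repeated probes for the same SSID collapse to one entry."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        src, ssid = parsed
        if ssid:
            seen[src].add(ssid)
    return {mac: sorted(ssids) for mac, ssids in seen.items()}


# Constructed sample: one laptop cycling through its saved networks at boot, plus a
# beacon-style frame (subtype 8) that the audit must ignore.
LAPTOP = bytes.fromhex("021122334455")
SAMPLE_FRAMES = [
    build_probe_request("", LAPTOP),                 # wildcard probe
    build_probe_request("Home-Net", LAPTOP),
    build_probe_request("Hotel-Guest-WiFi", LAPTOP),
    build_probe_request("Home-Net", LAPTOP),         # repeats are normal
    bytes([0x80, 0x00]) + b"\x00" * 30,              # not a probe request
]

if __name__ == "__main__":
    for mac, ssids in preferred_network_audit(SAMPLE_FRAMES).items():
        print(mac, "probes for:", ", ".join(ssids))
```

The parser deliberately stops at a truncated information element instead of guessing, since malformed frames are common in real captures; the audit output is the list an attacker would also see, which is why pruning stale entries from the preferred networks list matters.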

It may not be obvious why my study of single malt Scotch is important to Homeland Security, but I assure you I will continue my diligent study until I find out!

March 01, 2007

New Report Reveals Homeland Security Boondoggles Coast To Coast

Press release: "Today, Rep. Anthony Weiner (D-NY), a member of the House Subcommittee on Crime, Terrorism, and Homeland Security, and Rep. Jeff Flake (R-AZ) released a report detailing some of the most outrageous homeland security spending boondoggles from coast to coast. The Congressmen also announced the Homeland Security Transparency Act, which would require public disclosure of all anti-terror spending by cities and states."

  • See also the Targeting Homeland Security Resources Effectively Against Terrorism Act, H.R. 911 - "to secure more urban homeland security funds for New York City, which would be accomplished by limiting eligibility for high threat grants to the 15 cities most at risk of a terror attack."

Perhaps well intentioned, but unlikely to address the problem (see last sentence)

Legislation eyes nightclubs


Invoking the name of the woman who was raped and killed after leaving a Manhattan bar last year, the City Council passed a package of legislation yesterday aimed at changing the way nightclubs operate.

... Pending the mayor's signature, which is expected, all clubs where dancing is permitted will be required to install surveillance cameras at entrances and exits. While some Council members raised privacy concerns, the overwhelming majority agreed the surveillance tapes would be an invaluable deterrent and aid police if a crime is committed.

All surveillance tapes must be securely stored, and clubs could be fined up to $50,000 if the footage makes its way onto TV or gossip Web sites.

Industry representatives welcomed the surveillance camera vote, but pointed out that 90 percent of clubs with dancing already have such cameras installed.

The bar where Saint-Guillen, a graduate student, was last seen, The Falls, did not have a cabaret license, and would not have been required to have a surveillance camera.


Police blotter: Wife e-surveilled in divorce case

By Declan McCullagh Story last modified Thu Mar 01 11:30:06 PST 2007

"Police blotter" is a weekly report on the intersection of technology and the law.

What: Husband uses keystroke logger to spy on wife's suspected relationship with another woman, who sues to prevent the records from being used in the divorce case.

When: U.S. District Judge Thomas Rose in the southern district of Ohio rules on February 14.

Outcome: Rose denies request for injunction preventing the electronic documents from being introduced as evidence in the divorce case.

What happened, according to court documents:

Once upon a time, tempestuous divorces might have included one spouse snooping through the other's private correspondence or eavesdropping on private conversations taking place in another room.

That kind of snooping was, for the most part, entirely legal. But when the same kind of snooping happens in electronic form, it can be a federal crime. (Last year, Police Blotter covered the case of the Garfinkel divorce. Another case involving spyware arose a year earlier.)

That may or may not be the case here. Jeffery Havlicek filed for a divorce from his wife Amy Havlicek in Ohio's Greene County Common Pleas Court. Amy had been chatting through e-mail and instant messages with a woman named Christina Potter. Jeffery suspected that Potter and his wife, Amy, were romantically involved in a lesbian "relationship of some sort," his attorney would later say in a legal brief.

Around that time, Jeffery installed some sort of monitoring software on the family computer--a Dell Precision 220 that was located in the guest room, was used by multiple family members including teenage children, and did not have a password on it most of the time. (There is disagreement about why the software was installed; Jeffery says it was in part because of his daughter's increased use of the Internet.)

Jeffery has admitted this much. In a sworn affidavit (PDF), he said that he installed an unnamed monitoring utility in September 2005, three months before his wife moved out of their home. The affidavit said the utility "collects keyboard typing, screen shots, and requested access to Web sites... The keyboard typing utility logs the time and sequence of keystrokes... The screen shot logging feature is similar to hitting the 'print screen' button on most keyboards. It saves an image of what appears on the monitor."

He also admitted to downloading e-mail from his wife Amy's Web-based e-mail account, but claimed it was authorized because she had chosen to save her username and password through the browser's "remember me" feature.

In total, Jeffery has acknowledged compiling 80 keyboard and Web site log files in HTML format, more than 2,000 individual screen snapshots in JPEG format, six video tapes, six audio tapes, and numerous other files including "24 electronic documents from diaries, love letters, etc."

He planned to use that vast array of electronic evidence as ammunition to win his divorce case. Eventually his lawyer showed some of the correspondence between Amy Havlicek and Christina Potter to Amy's own attorney. In an affidavit (PDF), Potter claims that the correspondence was also shown to neighbors and a court-appointed custody evaluator "to harass, annoy, and inflict emotional injury on me."

Potter, his wife's alleged paramour, responded by filing a federal lawsuit designed to shut Jeffery up. She asked for an injunction barring any "disclosure" or "dissemination" of the electronic documents, including preventing them from being used in the divorce case taking place in state court.

The Electronic Communications Privacy Act, a federal law, was violated during the recording, Potter claimed. ECPA (18 USC Section 2511) bans anyone from disclosing "to any other person the contents of any wire, oral, or electronic communication" that was obtained illegally.

Potter lost. U.S. District Judge Thomas Rose said that ECPA does not permit courts to disallow such evidence, saying that appeals courts "have concluded that Congress intentionally omitted illegally intercepted electronic communications from the category of cases in which the remedy of suppression is available." He also rejected her request for a broader injunction, saying it would violate Jeffery's freedom of speech as protected by the First Amendment.

Rose did say, however, that "disclosure of the information in state court by Jeffery Havlicek or his attorney" might be "actionable civilly or criminally." He suggested that the "remember me" option probably didn't give Jeffery an implied right to view his wife's e-mail messages. And he ordered Jeffery to provide Potter, his wife's alleged paramour, with the complete set of electronic evidence that he had planned to use in the divorce case.

Excerpt from Rose's opinion:

Because the suppression provision excludes illegally intercepted wire and oral communications from the courtroom, but does not mention electronic communications, several courts, including the Sixth Circuit, have concluded that Congress intentionally omitted illegally intercepted electronic communications from the category of cases in which the remedy of suppression is available.

With this distinction in mind, the court finds that it does not have the authority to forbid the disclosure of the allegedly intercepted communications to the state official determining custody of the Havliceks' children or any other state court proceeding. This is not to imply, however, that disclosure of the information in state court by Jeffery Havlicek or his attorney might not be actionable civilly or criminally under 18 USC (Section) 2511. In any event, the court's inability to enjoin the presentation of this evidence in state court does not resolve the question of whether the injunction on disclosing this information in other context should issue. Therefore, the court will proceed to consider the appropriateness of relief in this case, beginning with plaintiff's chances of succeeding on the merits.

Defendant's response to the motion for preliminary injunction claims that the keystroke recording and screen shot recording software do not record communications contemporaneously with the transmission of the communications. Contemporaneousness was an element originally introduced to 18 USC (Section) 2511 when the law applied only to wire and oral communications...

We conclude that the term "electronic communication" includes transient electronic storage that is intrinsic to the communication process for such communications. That conclusion is consistent with our precedent...

Moreover, the court views the screen shot software as distinct from the keystroke software in regards to the interstate commerce requirement. In contrast to the keystrokes, which, when recorded, have not traveled in interstate commerce, the incoming emails subjected to the screen shot software have traveled in interstate commerce. Additionally, there is no evidence before the court to allow any conclusion that the technical aspects of the instant case result in Potter's claim being defeated by a lack of contemporaneousness, even if the court were to find this element necessary...

Defendant raises another hurdle to success on the merits, however, by referring to the case of United States v. Ropp, which focuses on the requirement in 18 USC (Section) 2510(12) that the interception be of an interstate or foreign communication or be of a communication affecting interstate commerce. Ropp notes that keystroke software records the entirely internal transmission from the keyboard to the CPU, and records all keystrokes, whether they initiate signals destined to travel in interstate commerce or not. The decision, however, seems to read the statute as requiring the communication to be traveling in interstate commerce, rather than merely "affecting" interstate commerce. It seems to this court that the keystrokes that send a message off into interstate commerce "affect" interstate commerce...

Because the ECPA does not provide for the relief of suppression of illegally intercepted electronic communications sought to be used as evidence in a court case, and because a balancing of plaintiff's impending irreparable harms and the public interest in the requested injunction against plaintiff's likelihood of success on the merits of her claims weighs in favor of not granting the requested injunction, plaintiff's motion for preliminary injunction, Doc. 16, is denied.

Very un-amusing. I guess these judges don't use e-mail. Perhaps the teacher in Connecticut who claims the images on her (the school's) computer were spam is also doomed.

Another Reason to Hate Spam

March 1st, 2007 by Robert Loblaw

U.S. v. Kelley, 05-10547 (9th Cir., Mar. 1, 2007)

Here’s an interesting Fourth Amendment decision about whether law enforcement has probable cause to search based solely on the fact that a suspect has received emails containing images of child pornography. A divided panel of the Ninth Circuit concludes that the answer is yes. Judge Rymer writes the majority decision, which is joined by the busy retiree herself, Justice Sandra Day O’Connor.

Judge Thomas dissents, arguing that the scourge of unsolicited emails means that anyone could be a target for a search under today’s decision. Here, the only evidence in the warrant affidavit was that the defendant received emails with unlawful images. Judge Thomas believes that Ninth Circuit precedent requires some additional showing that the emails were solicited or that the defendant would be inclined to view and keep them.

...perhaps red or blue depending on your political leanings?

Ohio Sex Predators May Get Green Car Tag

Mar 1, 3:18 PM EST updated Fri, March 02, 2007

COLUMBUS, Ohio (AP) -- Ohio already tags repeat drunken drivers' cars with bright yellow license plates. Now it wants to make convicted sexual predators use fluorescent green ones.

... Christine Link, executive director American Civil Liberties Union of Ohio, criticized the proposed requirement as political grandstanding. She said it could leave children with the idea that anyone without the special plates was safe to approach. [Perhaps we could paint these people fluorescent green? Bob]

Attention virtual lawyers!

John Edwards Second Life HQ vandalized.

user icon robinrising in News Feed of 2/28/2007 at 3:51 PM EST

Vandalism at John Edwards SL HQ

Shortly before midnight (CST) on Monday, February 26, a group of republican Second Life users, some sporting "Bush '08" tags, vandalized the John Edwards Second Life HQ. They plastered the area with Marxist/Leninist posters and slogans, a feces spewing obscenity, and a photoshopped picture of John in blackface, all the while harassing visitors with right-wing nonsense and obscenity-laden abuse of Democrats in general and John in particular.

I witnessed this event, taking names and photos, [The lead vandal was named D. Duck, and had a speech impediment. Bob] including the owners of the pictures. I also kept and saved a copy of the chat log. I have filed an abuse report with Linden Labs, and am awaiting their investigation.


Microsoft Launches New Web Site for Beginner Developers

The Beginner Developer Learning Center (BDLC) is a free, one-stop shop for learning Windows and Web programming fundamentals. It includes a learning path which starts with the absolute basics like how a Web browser works and builds on that with videos, tutorials, and downloadable sample projects using CSS, JavaScript, HTML, ASP.NET, VB, and C#.

Thursday, March 01, 2007

Was this a forbidden act? If so, why was it possible to use an external drive?

Tokyo University of Science loses personal info on 8,800 students, graduates

March 1, 2007

Tokyo University of Science has lost personal information on about 8,800 students and graduates, including their names, addresses and scores, university officials said Thursday.

A 56-year-old associate professor, who leads the alumni organization of the university's pharmaceutical faculty, took an external hard disk containing the information out of the institution on the night of Feb. 24, according to officials.

While he was riding a train home, his bag containing the disk was stolen.

The university is set to take punitive measures against the associate professor. The officials said they have not confirmed if the information has been placed on any website. [Was that a rumor? Bob]

Perhaps they should check to see if anyone listened to their security lecture?

Gulf Coast Med. Computer Theft

Jennifer Turk, News 13 on your side, Wednesday, February 28, 2007

BAY COUNTY, Fla.-While no identity theft cases have surfaced yet, the threat has. Gulf Coast Medical Center announced Tuesday that 1900 patients had personal information stolen back in November and 8,000 more were victimized in February. The information was in a computer that went missing in Nashville, TN in November and a computer stolen in Tallahassee in February.

Rod Whiting with Gulf Coast Medical Center says no one has come forward with identity theft problems thus far. The hospital is giving patients whose names and social security numbers were in those computers one free year of credit monitoring with TransUnion.

Gulf Coast did implement a new security system for laptop computers close to a year ago. Each laptop comes equipped with a lock to secure the laptop. [Perhaps you need to revisit that plan... Bob]

Hospital Corporations of America runs Gulf Coast Medical Center along with 171 other hospitals around the country. 69 hospitals and surgery centers are located in Florida.

I wonder if TJX will become a case study?

PCI DSS auditors see lessons in TJX data breach

By Bill Brenner, Senior News Writer 01 Mar 2007 |

TJX Companies Inc. violated some of the basic tenets of the PCI Data Security Standard (PCI DSS) and according to several PCI auditors, it will pay a heavy financial price. They said companies should study the TJX security breach for clear lessons on what not to do with customer data.

Roger Nebel, director of strategic security for Washington D.C.-based FTI Consulting, said fines will almost certainly be imposed on TJX because it was clearly negligent in holding onto unencrypted cardholder data, a direct violation of the PCI DSS.

Framingham, Mass.-based TJX acknowledged in January that an attacker exploited a flaw in a portion of its computer network that handles credit card, debit card, check and merchandise return transactions.

The breach was worse than first thought, TJX officials admitted last week. The company initially believed that attackers had access to its network between May 2006 and January 2007. However, the ongoing investigation uncovered evidence that the thieves also were inside the network several other times, beginning in July 2005.

What not to do

Nebel and other PCI auditors said the breach offers some clear examples of the wrong way to treat sensitive data under the PCI DSS.

The standard sets out 12 basic security requirements, emphasizing the need for encryption, access controls and firewalls. Penalties for noncompliance range from fines of up to $500,000 to increased auditing requirements or even losing the ability to process credit card transactions.

Under the standard, Level 1 businesses -- those that process more than six million credit card transactions per year -- are subject to an annual on-site audit [and I doubt they would have missed this. Bob] and quarterly network scans performed by an approved vendor. Level 2 or 3 companies that process 20,000 to 6 million credit card transactions a year must fill out an annual self-assessment questionnaire and must also have an approved vendor conduct quarterly network scans.

TJX violated basic rules

In recent interviews, several PCI DSS auditors noted that while most of their clients are achieving PCI DSS compliance, many have been forced to address serious problems along the way. When reviewing what merchants are doing to protect their customers' credit card data, auditors are typically finding that:

  • Encryption is often inconsistent across a company's computer system. Credit card data may be protected in some instances, but not others.

  • Some companies unnecessarily store credit card data and, making matters worse, fail to isolate the data from traveling across less secure parts of the network.

  • Some IT shops fail to keep a log of network activity, making it nearly impossible to spot instances where malicious hackers or anyone without authorization are trying to access credit card data.

  • Some companies don't conduct regular scans for software vulnerabilities and abnormal activity.

  • Companies that thought they were all set after complying with such regulations as the Sarbanes-Oxley Act and HIPAA discovered their controls were not adequate to meet the PCI DSS.

At the very least, TJX violated the PCI DSS by storing unencrypted cardholder data, said James DeLuccia, an independent auditor based in Atlanta, Ga.

"Credit and debit card data is something the PCI Security Standards Council will be concerned about," he said. "You're not supposed to store that kind of data, and [TJX] had it online and unencrypted."

Price will be steep

Nebel and DeLuccia said TJX will pay a high price for the breach. So will the banks that do business with the retail giant.

"You have to remember how this works -- Visa and MasterCard only have a direct relationship with the member banks," Nebel said. "They can only fine the banks."

The banks though will almost certainly pass the fines on to TJX, he said. There is a process where violators can try to recover the fines, but Nebel said the bar is set pretty high.

"Before any fines are levied, Visa and MasterCard will require a forensic investigation to determine the extent and culpability," Nebel said. "The merchant must show that there was information not available to the forensic examiner that somehow shows they are not responsible." [I love it! “We're gonna look at the data you were supposed to monitor, then you can explain why all the indications that a breach was happening were ignored.” Gee, I hope they kept some of that data... Bob]

Nebel said he's never heard of any fine being reversed.

He also said it's unlikely the public will hear details on the fines [Not fair! I want to be able to quote the numbers when I talk to my Security Management class. Bob] levied against the banks or TJX, and it can take anywhere from a few weeks to a few months for the forensic investigation to determine the scope and causes of such an incident, if they can be determined at all.

But in the end, DeLuccia said, TJX will end up having to spend a lot of money to put the issue to rest, namely due to numerous fines and fees, legal and otherwise.

"There's no question that 40 million accounts had problems," [Still unable to confirm that number... Bob] DeLuccia said. "The affected credit cards alone cost $25 each to re-issue. So the bank could say, 'Hey, it cost us $25 per card to re-issue 200 cards, and we're passing the bill to you.'"

TJX will also lose money from civil lawsuits, and for having to hire security firms to overhaul their systems, DeLuccia said, adding, "Even without punitive fines, they're still paying dearly." [attention Board members! When you hear “That's a risk we are willing to take.” Think TJX. Bob]

Lessons to be learned

Fortunately for other companies, the TJX case offers plenty of lessons on how not to approach the PCI DSS, the auditors said.

Joseph Krause, senior security engineer for Chicago-based AmbironTrustWave, said companies first have to get a fix on where customer data is on the network, where it travels and whether or not it's encrypted.

"Understanding where the data is and where it goes is a challenge for some, but it's a very important part of PCI DSS," he said. "If you don't know where your data is traveling and where it is stored, you can't secure it." [I like to see security strategies reduced to the “Well, DUH!” level. Bob]

Krause also said companies also have to be sticklers for network monitoring.

"Usually when we see an environment for the first time, we find they are deficient in this area," he said. "Just being able to help them understand which logs they need to have a close eye on, on a daily basis," is a lot of work.

Finally, companies need to understand that there's no single product or service that can alleviate an enterprise's PCI DSS compliance woes. Every business and every network is different, and PCI DSS controls must be tailored to an organization's particular make-up.

"I tell clients it's not an easy process and it is an educational experience," he said. "The requirements for every company on the path to PCI compliance are quite different.

"There's no one-size-fits-all approach."

Somewhat related...

Digital forensics plagued by expanding storage

Robert Lemos 2007-02-28

ARLINGTON, VA. -- The increasing storage requirements of consumers and businesses has become a plague for computer-crime investigators, a former special agent told attendees at the Black Hat DC Conference on Wednesday.

While only one percent of crimes involved DNA evidence, a majority of cases involve some sort of digital evidence, said Jim Christy, a retired special agent and director of the Defense Cyber Crime Center. And that evidence keeps growing in size. In 2006, the Defense Computer Forensics Laboratory--the largest such lab in the world--processed 681 cases, up from 269 cases in 2001. The number of investigations increased 130 percent, a number that seems modest when compared with the factor of 13 increase--to 156 terabytes--of data processed during the year.

“Chide” That's not exactly “Fire the bums!” is it?

Lawmakers chide VA over data security

BEN EVANS Associated Press Posted on Wed, Feb. 28, 2007

WASHINGTON - Veterans Affairs officials faced a fresh round of bipartisan criticism [both parties can see advantage... Bob] over data security Wednesday after auditors told a congressional committee that gaping holes persist and agency officials said they still don't know how a recent breach happened.

The department's inspector general's office told the House Veterans Affairs oversight subcommittee that even after a series of lapses in the past year, most VA data remains unencrypted and the department still doesn't know how many portable computers and hard drives are in use or what information is stored on them.

VA Deputy Secretary Gordon Mansfield also acknowledged that hundreds of thousands of medical providers whose sensitive information may have been compromised in Birmingham, Ala., more than a month ago have still not been notified they are at risk.

... Mansfield and several other VA officials tried to persuade the lawmakers they are making progress.

"We will get it done, sir. We will get it done," Mansfield said, emphasizing that the sprawling department has 235,000 employees and tens of thousands of contractors. "The problem we have is time." [“I want to make it to retirement and you want progress in your lifetime. Clearly not compatible concepts.” Bob]

... Maureen Regan, counselor to the inspector general, said the VA still hasn't fully implemented any of its recommendations from reports dating back to 2001. The department also hasn't adopted five key recommendations issued shortly after a massive data breach last May involving nearly 27 million veterans.

The HP drama continues to bubble and everyone wants to write their own version of history...

Lawyer for former HP chairman vows revenge on Perkins

By Michael Kanellos Story last modified Thu Mar 01 06:00:05 PST 2007

Those former Hewlett-Packard board members aren't going to be exchanging a lot of Christmas cards this year.

A day after former HP board member and venture capitalist Tom Perkins lambasted the performance of former Chairman Patricia Dunn, the lawyer representing Dunn lashed out at Perkins, calling him a self-serving bully whose credibility will be impeached in court.

"I am sorry that Patricia Dunn must endure Mr. Perkins' cowardly attacks, but he has made the biggest mistake of his career. He is a bully, and he is bullying the wrong people," said James Brosnahan in a statement. "Mr. Perkins has rewritten the history of the Hewlett-Packard board and attacked its competence...Rarely has a prominent businessman uttered such an immediate self-refuting statement."

... Brosnahan asserted that Perkins is behind the charges.

"The case brought by the former attorney general at the insistence of Tom Perkins is pending in Santa Clara (County) Superior Court. Mr. Perkins generated an attack on Patricia Dunn, hired lawyers, hired a public relations firm and all because his colleague on the Hewlett-Packard board was found to be leaking information," Brosnahan said in a statement.

Brosnahan further claimed that because of the case, Dunn cannot publicly defend herself like Perkins and speak about the scandal.

The renowned lawyer, however, neglected to mention that Dunn has given lengthy interviews on the subject to The New Yorker magazine and the television news magazine 60 Minutes. The New Yorker piece and the 60 Minutes segment both became public after Dunn was charged with felonies in California.

Vanguard Opposes HP Director Proposal

By JORDAN ROBERTSON AP Technology Writer Feb 28, 3:30 PM EST

SAN JOSE, Calif. (AP) -- Hewlett-Packard Co.'s sixth-largest shareholder said Wednesday it opposes a proposal floated in the wake of the company's boardroom spying scandal that would allow shareholders to nominate candidates for the company's board of directors.

HP denies pretexting former employee

By Ina Fried Story last modified Thu Mar 01 06:00:53 PST 2007

In a court filing on Tuesday, Hewlett-Packard denied allegations that it pretexted a former employee with whom it is engaged in a legal dispute.

In 2005, HP sued Karl Kamb, a former vice president of business development and strategy, alleging he stole company trade secrets. In January, Kamb countersued HP alleging that his phone records were improperly obtained and also charging that he was instructed by HP management to spy on rival Dell.

"HP denies that the so-called pretexting alleged by Kamb in the counterclaim occurred," the company said in a filing made Tuesday with a federal court in Tyler, Texas. "HP denies that any so-called pretexting activities were part of a widespread pattern or practice at HP."

While HP denies pretexting Kamb, the company has said that as part of a separate--and now infamous--leak probe, it obtained or tried to obtain the phone records of more than a dozen people including current and former directors, employees and journalists, including three CNET reporters.

Last month, the judge handling the case, District Court Judge Michael Schneider ordered Kamb to withdraw his countersuit and issued an injunction barring both sides from publicly discussing the case. Schneider said that Kamb could refile the case under seal.

Significant portions of HP's filing Tuesday were also made under seal.

Among the things the company did note publicly is the fact that former ethics attorney Kevin Hunsaker was terminated by HP. The company confirmed in September that he had left the company's employ, but declined to say whether he resigned or was terminated.

Hunsaker has emerged as a central figure in both cases. In the leak probe, he faces felony charges over his role in allegedly overseeing the investigation, including the pretexting. In the current case, Kamb alleges that Hunsaker initially denied pretexting Kamb, but later admitted that HP did pretext him.

In its filing Tuesday, HP denied that Hunsaker "ever acknowledged that HP had engaged in so-called pretexting against Kamb."

In light of the TJX breach, the Massachusetts law is particularly interesting – since they don't have one.

United States: Six Additional State Data Security Breach Notification Laws Become Effective in 2007

Wednesday, February 28 2007 @ 01:10 PM CST - Contributed by: PrivacyNews - State/Local Govt.

With heightened awareness of the value and vulnerability of personal and financial information collected by businesses and governments, more states are enacting legislation to require consumer notification when there are security breaches involving this information. In 2006, 35 states and the District of Columbia introduced legislation addressing security breach notification. The latest legislation—Arizona, Hawaii, Maine, New Hampshire, Utah and Vermont—became effective in January 2007. Below is a brief summary of the newly effective laws. A full comparison matrix of the various state data breach laws is available here. [pdf]

Source - Mondaq

In the UK, it's a bit more interesting...

Privacy slights should prompt lawsuits

By Mark Ballard Published Wednesday 28th February 2007 10:02 GMT

Seek compensation if someone breaches your privacy, the Information Commissioner's Office (ICO) urged today.

The ICO issued a guidance note to point people in the right direction if they want recompense for a slight under the Data Protection Act.

People who think they have suffered because someone has breached their privacy, can apply to the ICO for an opinion on whether there had been offence under the Data Protection Act - if they agree, it might be worth taking to court.

The ICO wasn't able to give any examples. [Ah well, their heart is in the right place. Bob]

Can't wait!

DHS Confirms Real ID Act Regulations Coming; States Rebel

By Renee Boucher Ferguson February 28, 2007

Events at the state and federal level are converging around the Real ID Act, as a spokesperson from the Department of Homeland Security confirmed Feb. 28 that regulations outlining technology mandates could be handed down as early as March 1.

At the same time, as many as 38 states, under a coalition formed by Missouri Representative Jim Guest, have confirmed that they will rebel against the act through legislation in their own states.

It's a shame Microsoft couldn't build this in...

HUGE Windows Vista Tweaking Guide!

"The guide is designed for novice and advanced users alike, containing 250 pages of objective descriptions, recommendations and tweaks for every aspect of Windows Vista. It is all laid out in plain English, and while it may take you a few days to work through, I promise you that at the end of it you will not only have a better system..."

Perhaps these can be adapted to reflect less aggressive processes?

February 28, 2007

U.S. Army Field Manuals, War Department/Department of the Army Pamphlets

Library of Congress - U.S. Army Field Manuals, War Department/Department of the Army Pamphlets: "The full text of selected U.S. Army Field Manuals (FMs), War Department Pamphlets (WD PAMs), and Department of the Army Pamphlets (DA PAMs), which particularly address some of the current research needs and interests of The Judge Advocate General's Legal Center & School Library, U.S. Army, Charlottesville, Virginia, will be added regularly to this site."

Making your children feel loved...

In-Car Surveillance Cam Gives Parents Peek Into Teen Driving Habits

from the they're-watching dept

While lawmakers continue to explore pointless laws and increased surveillance as means of improving road safety, one insurance company is experimenting with a new approach to get people to drive better. When the company sells insurance for teen drivers, it's offering to install a camera inside the car that parents can watch to monitor their kids' driving skills. The camera doesn't record everything, rather it only captures 10 seconds before and after a major event, such as a rapid deceleration. The point isn't to catch teens driving badly, rather it's to deter them from driving badly in the first place. And according to those who have participated in a study, the camera does have a deterrent effect. This of course raises all sorts of other issues. Will the insurance company watch the video or use its content to set rates? They say no, but it's conceivable that down the road, the company might be able to offer lower rates to those drivers that agree to have a camera installed. It's also the kind of thing that teen drivers aren't going to like very much, although the fact that it's not recording everything they do in the car might make it a bit more palatable. And if the driver gets the bright idea of taking down the camera, or covering it up, the parents will find out rather quickly. Still, even if this particular form of surveillance is less offensive than others, because it's voluntary, it still fits in with a broader societal theme, whereby safety, or the perception of it, trumps any other considerations.

While we're at it, could we add “use of a barbecue grill” and “bungee jumping” to the list? (See next article)

Brace Yourself For Laws Banning Laptop Use While Driving

from the just-wait dept

As legislators continue their pointless attempts to ban driving distractions one by one, rather than focusing on the underlying problem of unsafe and unintelligent drivers, hopefully at some point they'll realize that they can keep making laws all they want, but there's an infinite number of things to pull a driver's attention away from what they're doing. These sorts of laws and proposals typically follow some sort of incident, such as the recent proposal by a New York lawmaker to ban talking on a phone or listening to an iPod while crossing the street after two people got killed when they were crossing a street with headphones in. Keeping that in mind, don't be surprised when lawmakers start proposing laws to ban the use of laptops while driving, following a California accident that killed a man (who happened to be a computer tutor), and police think he might have been using a laptop while driving. The guy's Honda Accord went left of center, and hit an oncoming Hummer head-on. Investigators found his laptop plugged in to the cigarette lighter and still on, with some LED on it lit up as well. While they suspect he was using the laptop at the time of the crash, it is of course possible that he was simply charging it. But, most reasonable people would probably think that using a laptop while driving a car isn't a particularly safe thing to do -- just like plenty of other activities lawmakers have targeted with specific laws. These single-focus laws miss the point: that there are all sorts of activities that make driving less safe. The best way forward isn't to try and come up with laws banning each and every one, but rather to tackle the issue of unsafe driving as a whole.

Why would anyone use a laptop while driving? (Coming soon: speed trap alerts, satellite pothole cameras and, my wife's favorite, maps to garage sales.)

Stuck in traffic?

2/28/2007 09:01:00 AM Posted by David Wang, Software Engineer

There's nothing worse than getting stuck in traffic when you have some place to go, so I'm happy to tell you about a new feature on Google Maps that can help. For more than 30 major U.S. cities, you can now see up-to-date traffic conditions to help you plan your schedule and route. If you're in San Francisco, New York, Chicago, Dallas, or any of the other cities we now include, just click on the traffic button to show current traffic speeds directly on the map. If your route shows red, you're looking at a stop-and-go commute; yellow, you could be a little late for dinner; green, you've got smooth sailing.

Even more...

Cops may check crash drivers' mobile records

OUT-LAW News, 28/02/2007

By Lester Haines for The Register.

The government may give police powers to check crash drivers' mobile phone records after a "routine accident", the Daily Telegraph reports.

Currently, mobile phone records can be probed "only after a fatal accident and on the instruction of a senior officer".

The government says that in 2005, 13 road deaths, 52 serious and 364 minor accidents were linked to mobile phone use.

A Pontypool sales executive was recently jailed for two years following an accident which claimed the life of another driver. The prosecution said Michael Smith had sent a long text message just minutes before the head-on collision, and received a reply just as the incident occurred.

The new proposal is part of the Department for Transport's second review of road safety strategy, released to coincide with today's implementation of the increased £60 fine and three points for using a handheld phone. The paper says: "We will look at ways to make it easier for the police to be able to follow the process of investigating whether mobile phone use was a contributory factor in an accident and thus prosecute more offenders."

Yeah, sure... privacy concerns... right...

District withholding info out of privacy concerns

Associated Press Posted on Wed, Feb. 28, 2007

CINCINNATI - The city school district has refused to provide the state with addresses of students who are eligible for vouchers to attend private schools, an Ohio Department of Education spokesman said.

The district's refusal has hindered efforts to contact the more than 11,500 Cincinnati students who could receive the state-funded vouchers next year, education department spokesman J.C. Benton said.

... The district gave the state names and addresses of eligible students last year. But student directories that once included addresses and phone numbers now only have student names, activities and awards, and that information was given to the education department, Walsh said.

Cincinnati is the only major school district in Ohio not providing the other information, Benton said. A couple of smaller districts haven't provided it because of technical problems, he said.

... "I think that CPS is generally not speaking in favor of things that could promote students leaving CPS," she said. [I think she's got it! Bob]