Saturday, March 31, 2007

Perhaps the data should have been stored someplace secure? Why did the prof. have this data?

Students’ personal information stolen from UM-Western office

(Created: Friday, March 30, 2007 12:04 PM MDT) DILLON (AP)

Between 400 and 500 current and former University of Montana-Western students are at risk of identity theft after a computer disk containing their Social Security numbers and other personal information was stolen from a professor’s office this week, school officials said. The stolen information belonged to students enrolled in the TRIO Student Support Services program, which offers financial and personal counseling and other assistance.

... Two professors’ offices in the university’s Main Hall were broken into sometime after 11:30 p.m. Monday, when the last university employee did a sweep of the building. The theft was discovered Tuesday morning, and Dillon police were notified. Some cash, the disk, and other university and personal items were stolen, school officials and police said. The investigation is still in the “early stages,” and no arrests have been made, Police Chief John Gutcheck said. “Anybody that had been in Main Hall that night is a suspect,” he said. In addition to Social Security numbers, the disk contained students’ names, birth dates, addresses and other information.

Looks like an overabundance of caution. Good for them!

Navy Laptops With Sailor Info Stolen

Navy News March 30, 2007

Norfolk, VA. -- Three password protected laptop computers have been identified as missing from the Navy College Office located on Naval Station San Diego. While the Navy College Office does not have complete information about what information was on the laptops, Personally Identifiable Information (PII) may be on the computers, including Sailors’ names, rates and ratings, social security numbers, and college course information.

This potential compromise of information could impact Sailors and former Sailors homeported on San Diego ships from January 2003 to October 2005 and who were enrolled in the Navy College Program for Afloat College Education. The Naval Criminal Investigative Service (NCIS) is investigating the incident as a possible theft, working with the San Diego police department to recover the computers.

At this time, it is not known if any Sailor has been affected by the theft, and it is not yet possible to determine whether any of the personal information contained in these laptops has been compromised.

Looks like an underabundance of caution...

Bush Press Corps in an E-mail Blunder

A mundane trip manifest of reporters who traveled to Latin America with President Bush has turned colossally controversial because the White House mistakenly included personal ID info on the E-mail sent to news bureaus and accountants. The key ingredients of identity theft–Social Security and passport numbers and dates of birth–were included in the E-mail that the White House Travel Office sent out in what's typically the first stage of billing.

... The manifest usually includes just the names of those on the trip and what they owe. But this E-mail, sent to media billing offices and bureau officials March 21, included a spreadsheet that on the far-right-hand side included the personal identity numbers. Why's it a problem? "I don't know everyone on that list. It could have been taken by somebody shady," frets one TV reporter. "It was an honest mistake," says C-SPAN's Steve Scully, president of the White House Correspondents' Association. He said that a day after the E-mail went out, the travel office apologized and tried to retrieve the E-mails. In a March 22 note, the deputy travel office director said the office "goes to great lengths to protect the personal information of the White House press corps, and immediately following the discovery of the mistake, steps were taken to recall the manifest. The White House Travel Office sincerely regrets the concern this has caused. Already, procedures are in place to provide continued and additional security for the White House press corps personal information."

The event prompted the White House to speed up plans to institute a new check-in and billing system. Some news organizations aren't taking chances. They are warning correspondents to check their charge accounts, and at least one is probing who will be liable if staff identities are stolen.

Interesting questions raised. The prosecutor found this? Sounds like a good job of “monitoring the opposition” by someone!

Port protest case ends in mistrial after data breach

Christian Hill Published March 30, 2007

The trial of 15 people who protested last year at the Port of Olympia ended in a mistrial Thursday after the judge learned confidential jury information was sent out over a compromised e-mail listserv used by the co-defendants.

The issue came to light after the lunch recess when Senior Deputy Prosecuting Attorney Steve Straume showed Thurston County District Court Judge Susan Dubuisson a copy of an e-mail that was obtained from the supposedly secure listserv. A listserv is an electronic mailing list.

Straume would not tell Dubuisson in court how he obtained a copy of the e-mail. [Why not? Bob] The e-mail contained a spreadsheet with the names of the more than 60 prospective jurors and their responses to a jury questionnaire. A legal aide for one of the defense attorneys created the spreadsheet and sent it to the listserv Saturday, said Andrew Yankey, one of the co-defendants. Six jurors and two alternates were selected from the pool Monday.

Most of the information on a jury questionnaire is not to be shared with anyone other than the defendants, defense lawyers and prosecutors. People other than the co-defendants and their attorneys had access to the e-mail listserv. [Like the prosecutor... Bob]

Straume and the other prosecutor assigned to the trial, Debra Eurich, could not be reached for comment Thursday evening.

Dubuisson said she declared a mistrial because of her concern that this breach would taint their ability to reach a fair verdict.

The questionnaires compiled on the spreadsheet did not contain information that could be used for identity theft, such as birthdates and Social Security numbers, but were of a general nature to help determine whether a prospective juror could be impartial, Dubuisson said.

... A co-defendant created the listserv through — which provides “mail, lists and hosting for those working on liberatory social change,” according to its Web site — in the wake of the arrests at the Port of Olympia during a May 30 protest over a military shipment. All of the co-defendants were charged with second-degree criminal trespass for remaining on the port’s secured operations yard when authorities instructed them repeatedly to leave the area.

The co-defendants used the listserv to send out reminders about court dates and draft briefs and for other attorney-client work products. [but if others could see it, does that privilege still apply? Bob]

Approval needed to be granted by the listserv administrator before an individual could subscribe to it, Yankey said.

But with some basic information, a reporter from The Olympian located and subscribed to the listserv in minutes without authorization Thursday night.

The legal aide put the spreadsheet on the listserv Saturday, and another subscriber, recognizing the sensitivity of the information, quickly followed up with a message requesting that people not involved in the trial ignore it, Yankey said.

Dubuisson requested more information to determine what effect the compromised listserv will have on the ability to retry the case.

Arizona listened?

State pulls data off Web; threat to security cited

The Associated Press Published: 03.31.2007

PHOENIX - The Arizona Secretary of State's Office yanked Internet access to documents containing the Social Security numbers of Arizonans on Friday, just hours after a privacy rights activist told officials they were "spoon-feeding criminals."

The Social Security numbers could be viewed on the secretary of state's Web site in links to financial documents, such as state and federal lien statements.

Deputy Secretary of State Kevin Tyne said his office pulled half a million documents, but he didn't know how many contained Social Security numbers.

BJ Ostergren, who has made it her mission to raise awareness about identity theft, has gotten about a half-dozen states to remove Social Security numbers on similar government Web sites. She called the Arizona Secretary of State's Office on Friday morning to complain about its Web site.

By Friday afternoon, the office had removed all the links.

... Arizona has the highest per-capita rate of identity theft complaints nationwide, and Phoenix has the same rank among the nation's metropolitan areas, according to the Federal Trade Commission.

Ostergren said the Secretary of State's Office should have acted before she called.

... Ostergren said she has gotten states including New York, Oregon, New Mexico and Colorado to stop making Social Security numbers available on government Web sites.

Not as quick off the mark...

Privacy advocate prompts Colo. to end Web access to some public docs

Potentially thousands of UCC records showed Social Security numbers

Jaikumar Vijayan

March 30, 2007 (Computerworld) -- The Colorado Secretary of State's business division shut down online access to certain documents on its Web site after being notified by a privacy advocate that the site had been posting potentially thousands of documents with Social Security numbers since 2001.

Secretary of State Mike Coffman took the step to "prevent identity thieves from pulling personal identifying information from Uniform Commercial Code filings" posted on the site, according to a statement posted on the agency's site last night.

... In Colorado's case, the state had previously undertaken a redaction effort to black out Social Security numbers from UCC filings received prior to July 1, 2001. That effort was completed in May 2003, with Social Security numbers cut from more than 610,000 filings out of a total of about 1.7 million.

In 2001, the state also released a new UCC form that did not require Social Security numbers. However, many financial institutions appear to have continued using the older UCC form, [and no one noticed? Bob] which includes a box that asks for a Social Security number, yesterday's statement said.

As a result, potentially thousands of UCC records on the Colorado Secretary of State's Web site contain the numbers, said B.J. Ostergren, a privacy advocate in Richmond, Va. Ostergren, who runs a Web site called The Virginia Watchdog, alerted officials to the problem earlier this week.

For the past several years, she has documented cases where county governments and secretary of state offices around the country have routinely posted sensitive data online. Ostergren said she was able to easily access more than 100 records containing Social Security numbers from the Colorado site and had threatened to post the data on her own Web site if the state did not move to shut down access to the UCC filings. [politicians understand threats Bob]

Ostergren said that when she first contacted Coffman's office earlier this week about the problem, officials appeared to be unaware of the issue and initially doubted her claims -- until she showed them records she had downloaded from the site.

Would this suggest that controls were not adequate?

Worker arrested in Baptist privacy breach

An employee who appeared to have stolen credit card information from patients was arrested last week.

Thousands of patients at Baptist Hospital appear to have had their credit card information stolen by an employee, Adrian Green, who was arrested late last week.

Green was caught after using Baptist telephone extensions to give various names in purchasing $3,000 worth of fancy watches, according to an affidavit filed by U.S. Secret Service Agent Shannon Jayroe.

The purchases were made by phone to, a Brooklyn, N.Y., watch merchant. The merchant became suspicious because orders using different persons' names were coming from the same phone number, as identified by the company's caller ID service.

The Secret Service, which handles credit card fraud, was alerted, and agents found that Green kept calling the merchant from different extensions at the hospital, Jayroe stated.

Green's job, which he had held for almost two years, was registering patients, giving him access to all their personal information, including Social Security and credit card numbers.

While agents monitored his actions at Baptist, Green was discovered accessing a patient's name and credit card information at 3:45 p.m. on March 19 and then placing an order with the merchant seven minutes later, the affidavit said.

Agents later went to Green's house in Homestead, where they saw a 46-inch flat-screen Samsung TV and a Sony Blue Ray Disc Player, according to the affidavit, which stated that Green admitted the items were bought with stolen card numbers after being read his Miranda rights.

Baptist has fired Green, the hospital said in a news release. The institution didn't know "the extent of the problem, but it appears to involve a single employee who, we believe, accessed the financial records of several thousand patients at Baptist Hospital. We expect to know more in the next few days."

Does this make you feel all warm and fuzzy? (...and you thought TJX lost lots of data...)

Report: IRS bungles may imperil data

March 30, 2007 1:29 PM PDT

Just in time for tax day, government auditors have issued a new report that raps the Internal Revenue Service on a number of security vulnerabilities in its computer systems.

"Significant weaknesses in access controls and other information security controls continue to threaten the confidentiality, integrity, and availability of IRS's financial and tax processing systems and information," the Government Accountability Office said in a report (PDF) released Friday.

The findings run the gamut: failure to audit who has accessed what on its various systems, inconsistent encryption of data, and lack of physical security controls--such as surveillance cameras, security guards and locks--for starters. Overall, the GAO found that the agency had corrected only about one-third of the 73 security weaknesses it reported as unresolved during its last review.

Are we in fact creating classes of citizens (those with greater privacy rights) when we do this?

Bill would further restrict release of officer addresses


Nevada lawmakers reviewed a bill Friday that would further restrict the release of police officers' personal information, a follow-up to a 2005 measure allowing officers to remove their names from county assessor records.

Current law restricts the release of an officer's photo and address, unless the officer has been arrested or gives permission.

Assembly Bill 50 would prohibit the release of an address in any circumstances.

... Barry Smith of the Nevada Press Association asked that the bill be amended so the press would continue to have access to police reports and 911 records related to the arrest of an officer if those reports contain the officers' address.

Kallas said he was open to that amendment, but was not as agreeable to an amendment offered by the Nevada Attorneys for Criminal Justice and American Civil Liberties Union that would facilitate serving a subpoena on police officers. [Subpoenas are for second class citizens Bob]

Big deal? It might be big for Google...

Adult site's legal battle could aid Web hosting services

By Anne Broache Story last modified Fri Mar 30 15:41:54 PDT 2007

A federal appeals court ruling in a case involving an adult publisher appears to have delivered broader legal protections for online service providers against lawsuits claiming privacy violations and other illicit behavior by their users.

The U.S. Court of Appeals for the 9th Circuit on Thursday released a 26-page opinion (PDF) that upholds a number of lower-court findings against the adult-oriented Web site Perfect 10 in a lawsuit against a family of companies including Web hosting service CWIE and credit card processing firm CCBill.

The same appeals court is also preparing to release rulings in two other cases involving Perfect 10, whose online presence boasts "thousands of images of the most beautiful natural women in the world"--one against Google and the other against MasterCard and Visa.

... One of the most significant parts of the court's opinion is a brief section that appears to clarify questions about how a portion of a federal law called the Communications Decency Act (CDA) applies to state laws, lawyers following the case said.

The CDA's Section 230, which has proven to be a critical defense for Internet service providers, bloggers and Web publishers, broadly immunizes providers of an "interactive computer service" from liability for content that others post, provided they make good-faith efforts to restrict access to material that could be considered "filthy, excessively violent, harassing or otherwise objectionable."

In its ruling, the 9th Circuit essentially concluded that Section 230 can also shield service providers from liability when they are confronted with allegations that their users violated state laws, such as right of publicity and trademark statutes, which was not always clear. (Disputes involving federal copyright and criminal laws, however, continue to be exempt from such immunity.)

... "The reality is, the way that this 9th Circuit ruling reads, it now makes entirely clear that plaintiffs can't make any state-based claims against online service providers--they're all gone," said Eric Goldman, a professor at Santa Clara University School of Law in Santa Clara, Calif.

Companies wishing to bring suits alleging bad behavior by Internet users could still target the users themselves, but they may have a weaker case against the intermediaries that post their content.

Interpreting the DMCA

Much of the rest of the opinion centers on interpretations of a 1998 federal law called the Digital Millennium Copyright Act (DMCA). A provision in that law says Web hosts are generally not liable for the content their users post, as long as they take down the offending content promptly upon being notified by the copyright holder and meet a number of other standards, such as not receiving "direct financial benefit" from infringing content. [Isn't this exactly what the Europeans are saying in the next article? Bob]

Some of the conclusions reached by the judges could aid content hosts making arguments in high-profile suits such as one Viacom recently brought against YouTube. "The court made it very clear that providers do not have to actively police their systems to look for infringement," EFF's Schultz said.

... The judges said they worried about the First Amendment free-speech violations that could occur if a site removes content when it doesn't actually infringe on copyrights.

So it's okay to rip music in Europe. RIAA will freak!

Private File Sharing to Remain/Become legal in EU

Posted by Zonk on Friday March 30, @03:14PM from the nice-change-of-pace dept.

orzetto writes "Italian newspapers are reporting that the European parliament's Committee for Legal Affairs approved an amendment presented by EMP Nicola Zingaretti (PSE, IT), that makes piracy a felony—but only if a monetary profit is made. As in the EU parliament's press release: ' Members of the Legal Affairs' committee [...] decided that criminal sanctions should only apply to those infringements deliberately carried out to obtain a commercial advantage. Piracy committed by private users for personal, non-profit purposes are therefore also excluded.' The complete proposal was passed with 23 votes in favour, 3 against and 3 abstained, and is intended to be applied to copyright, trademark, design and other IP fields, but not patent right which is explicitly excluded. The proposal has still to pass the vote of the parliament before becoming law in all EU countries, some of which (like Italy) do have criminal laws in place for non-profit file sharing. A note: Most EU countries use civil law, not common law. Translation of legal terms may be misleading."


DVD consortium loses court case over DVD copying

By Eric Bangeman Published: March 29, 2007 - 08:08PM CT

A California judge handed a victory to Kaleidescape, which manufactures home media servers, ruling that the company's products do not violate the DVD industry's CSS license. The company was sued by the DVD Copy Control Association, which said that Kaleidescape's media servers violate its standard licensing contract.

The Kaleidescape System is a kind of home media server on steroids. Starting at $10,000, it consists of a server, movie player, and music player. The server is designed to store all of the owner's movies and music, ripping them from their original source discs for playback at a later time. To no one's surprise, the DVD CCA took issue with that functionality, accusing Kaleidescape of opening the door to massive copyright infringement and arguing that any device that played movies from a DVD needed to have physical access to the disc in order to do so.

After a week-long trial, Judge Leslie C. Nichols ruled in Kaleidescape's favor, saying that the 20-page CSS spec was not technically included as part of the license agreement. As a result, the company is in full compliance with the DVD CCA's CSS license, noting in his decision that Kaleidescape had made "good faith efforts" to ensure that its products were fully compliant.

... The complexity of the DVD CCA's licensing agreement proved to be its downfall. [Wow! How un-lawyer-like! Bob] Witnesses during the trial characterized the license drafting process as having been carried out over a series of 100+ meetings by a group of entertainment-industry lawyers with feedback from engineers. The result was a confusing standard licensing contract, one that omitted key details about the CSS General Specification.

Unfortunately for consumers, the decision is a narrow one. It looks to be applicable only to commercial home media server products [So I need to offer the one I built for myself for sale to anyone? Bob] that store single copies of a DVD in a copy-protected form for personal use. Kaleidescape's rips remain CSS protected on the hard drive, and Malcolm tells Ars that some parts have an "extra layer of AES-256 encryption." So those who wish to rip their own DVD libraries for personal use will continue to operate in the murky, grey intersection of the DMCA and fair use.

Although no formal appeal has been filed, it is likely that the DVD CCA will ask a higher court to overturn the decision.

Tools & Techniques

False Negatives Abound With protexIP 4.0

By Andrew Binstock InfoWorld 03/30/07 4:00 AM PT

A developer can cause disaster for his or her company by borrowing code from a copyrighted open source project. Black Duck Software's protexIP 4.0 checks code against known sources and alerts the user to problematic similarities. The license management portion of the product is robust and well-designed. The code analysis and identification, however, leave much to be desired.

As open source software pushes its way further into the enterprise, a new set of risks has arisen regarding IP (intellectual property). The problem is that developers happily borrow code from various projects to save themselves from having to reinvent it.

This help is all well and good as long as the resulting software complies with the licenses of the donor projects. The problem managers have is that they cannot know what parts of their code base come from open source projects. A code snippet reused from a newsgroup posting could actually have come from a copyrighted open source project. Its use could legally require the company to open source its entire product.

If the company is an ISV (independent software vendor), it might even be faced with being required to offer its product at no cost.

Free is good! (Thanks for the research, PC World.)

101 Fantastic Freebies

Want to make your PC more productive, secure, informative, and entertaining? These downloads and services will do the trick--and they don't cost a dime.

Preston Gralla, PC World Wednesday, March 28, 2007 01:00 AM PDT

Once upon a time you actually had to pay for great software and services -- hard to believe, but true.

Geeky, but I bet it grows fast...

Thursday, March 29, 2007

Tweako A Social News Site For Tutorials

Tweako is a new social news aimed at programmers that just launched a couple of hours ago. Tweako bears a certain similarity to Digg, but instead of news headlines the user submitted content is geared toward tutorials, guides, resources and services.

Friday, March 30, 2007

I have been finding a few details of the TJX breach in the news but not in their SEC filing. The “informal” source is TJX spokeswoman Sherry Lang. NOTE: They have updated their Frequently Asked Questions (FAQ) but there is no indication of that until you click on the undated link and scroll to the bottom of the page to see the date (March 28, 2007). And they still make statements like this:

How many payment card numbers were used fraudulently?

We do not know whether any fraudulent use has occurred or if so, to what extent. Law enforcement has advised us that they are investigating what may be fraudulent use of information stolen from our systems. We have provided extensive transaction information to the banks and payment card companies, but they have not shared details of possible fraudulent use with us.

This seems contradicted by the story this week about the card scam in Florida and as far back as January by the banks.

Retailer suffers world's biggest ever data breach

Forty five million credit card details fraudulently accessed over 18 months

By Jaikumar Vijayan, Computerworld

... In its filing, TJX confirmed that its systems were first accessed illegally in July 2005 and then on several occasions later in 2005, 2006 and even once in mid-January 2007 -- after the breach had already been discovered. [This suggests it was useful to hold the announcement. One assumes this access was traced. Bob] However, no data appears to have been stolen after 18 December 2006, when the intrusion was first noticed.

... It is hard to know exactly what kind of data was stolen because a lot of the information accessed by intruders was deleted by the company in the normal course of business. "In addition, the technology used by the intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006," the company said. It did not elaborate on the technology it was referring to. [You can bet this will be of utmost interest to the Security community... Bob]

... "We are continuing to try to identify information stolen in the computer intrusion through our investigation, but other than the information provided ... we believe that we may never be able to identify much of the information believed stolen," TJX said.

Payment systems culprit in TJX heist

Security experts contend that criminals found a common weakness in retailers' defenses by targeting TJX's payment card systems

By Matt Hines, IDG News Service March 29, 2007

... At the time that TJX hired IBM and General Dynamics to begin investigating the break-in during Dec. 2006, the consultants found that the malware tools used by the data thieves were still present in the company's systems.

... The analyst said that sources were telling her that the attack carried out against TJX originated in Eastern Europe and likely took advantage of an unprotected wireless network somewhere at the company to break into the software controllers that drive its point-of-sale registers in addition to hacking into its back-end systems.

Most companies do not monitor all their point-of-sale controllers, and from there, the criminals were likely able to find a way to penetrate the firm's back-end servers, she said.

TJX Intruder Had Retailer's Encryption Key

By Evan Schuman, Ziff Davis Internet March 29, 2007

The massive data breach at $16 billion retailer TJX involved someone apparently armed with the chain's encryption key, but it might not have been needed as the cyber-thief was accessing data during the card-approval process before it was encrypted.

... The intruder or intruders here apparently planted software in TJX systems to capture data throughout the day and they also engaged in an increasingly popular tactic: post-event cleanup.

That's where intruders spend extra effort cleaning up their tracks—deleting and otherwise tampering with log files, [This should not be possible in a reasonable security system Bob] changing clock settings and moving data to hide their movements.
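Bob's note above says log tampering should not be possible in a reasonable security system; the achievable version of that goal is that deleting, editing or reordering log entries after the fact is reliably detected. The following is an added example, not code from TJX, the article, or any product it mentions: a hash-chained audit log in Python in which every record commits to the one before it, plus a verifier that flags edited, removed or reordered entries and timestamps that run backwards. The "anchor" is the newest hash as assumed to have been shipped in real time to an external write-once store (a remote collector); it is what catches the careful intruder who edits a record and then recomputes the whole local chain. The log entries and tampering steps are constructed for the demonstration.

```python
import copy
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

GENESIS = "0" * 64  # prev_hash of the very first record


@dataclass
class Record:
    seq: int          # position in the log; must increase by one each time
    ts: int           # Unix time stamp as recorded by the logger
    event: str        # what happened
    prev_hash: str    # SHA-256 of the previous record (GENESIS for the first)
    hash: str = ""    # SHA-256 of this record's other fields

    def compute_hash(self) -> str:
        body = {"seq": self.seq, "ts": self.ts, "event": self.event, "prev_hash": self.prev_hash}
        data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(data).hexdigest()


class ChainedLog:
    """Append-only log where every record commits to the one before it."""

    def __init__(self) -> None:
        self.records: List[Record] = []

    def append(self, ts: int, event: str) -> Record:
        prev = self.records[-1].hash if self.records else GENESIS
        rec = Record(seq=len(self.records), ts=ts, event=event, prev_hash=prev)
        rec.hash = rec.compute_hash()
        self.records.append(rec)
        return rec

    def head(self) -> str:
        """Hash of the newest record; this is the value to ship off-host."""
        return self.records[-1].hash if self.records else GENESIS


def verify(records: List[Record], anchor: Optional[str] = None) -> List[str]:
    """Return the list of detected problems (empty means the chain is intact).

    `anchor` is the head hash as held by an external write-once store (assumed
    here to be a remote collector). Without it, an intruder who rewrites every
    later record can hide an edit, so the anchor is the part that matters most.
    """
    problems: List[str] = []
    expected_prev = GENESIS
    last_ts: Optional[int] = None
    for pos, rec in enumerate(records):
        if rec.seq != pos:
            problems.append(f"sequence gap at position {pos}: expected seq {pos}, found {rec.seq}")
        if rec.prev_hash != expected_prev:
            problems.append(f"broken link at seq {rec.seq}: a preceding record was altered or removed")
        if rec.compute_hash() != rec.hash:
            problems.append(f"content of seq {rec.seq} modified")
        if last_ts is not None and rec.ts < last_ts:
            problems.append(f"clock went backwards at seq {rec.seq} ({last_ts} -> {rec.ts})")
        expected_prev = rec.hash
        last_ts = rec.ts
    if anchor is not None and expected_prev != anchor:
        problems.append("head does not match the externally anchored hash: tail rewritten or truncated")
    return problems


def rewrite_chain(records: List[Record]) -> List[Record]:
    """Constructed tampering step: after editing, recompute every hash so the
    local chain looks self-consistent again."""
    fixed = copy.deepcopy(records)
    prev = GENESIS
    for rec in fixed:
        rec.prev_hash = prev
        rec.hash = rec.compute_hash()
        prev = rec.hash
    return fixed


def demo() -> Dict[str, List[str]]:
    """Constructed sample log plus three tampering scenarios of the kind the article describes."""
    log = ChainedLog()
    for ts, event in [(1000, "login svc_pos"), (1060, "read track data, 4200 cards"),
                      (1120, "outbound transfer 38 MB"), (1180, "logout svc_pos")]:
        log.append(ts, event)
    anchor = log.head()  # assumed to have been shipped to a remote collector in real time

    # 1. intruder edits one record but leaves the stored hashes alone
    edited = copy.deepcopy(log.records)
    edited[1].event = "read config"

    # 2. intruder deletes the incriminating middle records
    pruned = [log.records[0], log.records[3]]

    # 3. intruder edits a record and recomputes the whole local chain afterwards
    rewritten = rewrite_chain(edited)

    return {
        "intact": verify(log.records, anchor),
        "edited": verify(edited, anchor),
        "pruned": verify(pruned, anchor),
        "rewritten_local_only": verify(rewritten),        # looks clean without the anchor
        "rewritten_vs_anchor": verify(rewritten, anchor),  # caught by the anchor
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {problems or 'OK'}")
```

The third scenario is the one worth dwelling on: a local-only check passes once the chain is recomputed, so the chain by itself only raises the cost of tampering. Shipping the head hash (or the records themselves) to a system the intruder cannot write to is what turns "cleaning up tracks" into an event that is itself logged.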

... Veteran retail technology analyst Paula Rosenblum, a vice president with Retail Systems Alert Group, said the fact that the software went undiscovered for so long is most troubling.

“It’s incomprehensible that what amounts to a computer worm was placed on mission-critical systems at one of the world’s largest retailers and remained there—undiscovered—for 18 months. The scope of the theft is stunning," she said.

“Let the executions begin!” (various)

Weak Fines Aren't Going To Stop Data Leaks

from the falling-short dept

The concept of "pretexting" -- posing as somebody else in order to gain access to their personal information -- got a lot of publicity when it was revealed that HP investigators used the tactic to spy on board members and journalists. However, it's a problem that's been going on for some time, and the usual responses to it gloss over the fact that wireless operators' inadequate security is to blame for these leaks as much as any fraudster. Many attempts to enact or strengthen legislation in this area focus on people selling the information, rather than doing anything to force the operators to better secure their customers' private data, but the FCC has proposed a $100,000 fine against virtual operator Amp'd for its shoddy safeguards to protect users' calling records. The amount is a drop in the bucket for the company, or any other operator, and isn't likely to do much in the way of motivation, since enacting better security procedures probably costs more than the fine. This is a big problem with pretexting, or other forms of identity theft: companies have very little motivation to do much to prevent it, since the costs of a leak are borne largely by the victims or third parties. Many companies, including the wireless operators, have been very successful with their PR efforts to make themselves look like victims here, and generate the public perception that hackers and criminals are the real problem, when corporate sloppiness, incompetence and disinterest are more to blame.

True enough?

Veterans argue stolen information could still pose risk

March 29, 2007 03:00 PM

(LOUISVILLE) -- Data thieves could have swiped personal information on millions of veterans from a stolen laptop and be waiting for the right time to use it, according to a court filing from veterans who sued last year over the highly publicized theft.

Federal officials say they are confident that no sensitive information was copied from the laptop, which was taken from a Veterans Affairs analyst's Maryland home on May 3 and recovered on June 29. The computer contained sensitive information on 26.5 million veterans in the VA's system.

... The veterans said in a court filing Wednesday that the suits should go forward because, among other reasons, the data could have been accessed and copied by thieves without leaving any evidence of tampering. The information on the laptop included the names, birth dates and social security numbers of veterans discharged since 1975, which identity thieves could use to apply for credit cards or loans.

... Attorneys for the government said the suit should be thrown out because, among other reasons, the plaintiffs lack standing to sue under the federal Privacy Act.

... But attorneys for the veterans argued that sophisticated identity thieves depend on intermediaries to bring them raw data from stolen hard drives and personal computers. They said thieves could "lie low" until the public uproar dies down.

"Will it happen next month or two months from now or a year from now because somebody got it?" said Douglas J. Rosinski, a South Carolina attorney who represents the Vietnam veterans. "The worry itself is harm, and we oppose the government's position that 'Hey, we got it back, no harm occurred.'"

There are many cases like the VA laptop theft...

Stolen hospital laptop recovered

Last Modified: 29 Mar 2007 Source: PA News

A stolen laptop containing information on about 11,000 young patients has been recovered by police.

The computer - carrying names, addresses and dates of birth of children aged eight months to eight years old - was one of three taken from an office at King's Mill Hospital, in Sutton-in-Ashfield, Nottinghamshire, on Wednesday.

It was found after a "detailed investigation" by detectives, Notts Police said.

... A man and a woman have been arrested in connection with the theft and a second burglary. They have been released on police bail pending further inquiries.

...and they can critique your grammar (and grampar).

Software Needed To Detect If This Post Is Or Is Not True

from the quandary dept

No matter what advances technology throws at us, people remain fascinated with developing the ability to detect when people are lying. Polygraphs remain largely inaccurate (and easily gamed), so researchers focused on the legal, security and defense markets remain busy, while others explore new ways to detect lies and learn more about people in other fields as well. While we've seen applications for mobile phones before that purport to be able to detect lies, some researchers at Cornell now think they can develop software that will be able to detect lies in emails and text messages. They say they can use linguistic information like word choice, shifts in verb tense and use of the passive voice to detect lies, and they've analyzed materials such as emails from the Enron fraud case to hone their methods. They plan to spend the next three years working on a system to evaluate the content and context of communications, with a view to training software to be able to detect subtle changes that may indicate a lie. Or at least that's what the article says. After all, they could be lying.

Sounds like this one will be amusing...

Google to Viacom - The Law is Clear, and On Our Side

Posted by Zonk on Thursday March 29, @04:11PM from the time-is-on-their-side-too-i'm-told dept.

An anonymous reader writes "Google responded to the opinion piece in the Washington Post by a Viacom Lawyer with a letter to the editor titled 'An End Run on Copyright Law.' Their strong wording sends a very concrete message: 'Viacom is attempting to rewrite established copyright law through a baseless lawsuit. In February, after negotiations broke down, Viacom requested that YouTube take down more than 100,000 videos. We did so immediately, working through a weekend. Viacom later withdrew some of those requests, apparently realizing that those videos were not infringing, after all. Though Viacom seems unable to determine what constitutes infringing content, its lawyers believe that we should have the responsibility and ability to do it for them. Fortunately, the law is clear, and on our side.'"

No copyright issue here, right?

March 29, 2007

Appellate Courts Go Live on Case Management/Electronic Case Files

The Third Branch, March 2007: "Some day in the not-too-distant future, locating and reading a brief filed in a federal appellate case will become as easy as finding an appeals court opinion. And electronic appellate briefs will feature hyperlinks to lower court rulings, statutes, regulations, and other cited materials. “Judges generally are excited about having attorneys file briefs that contain hyperlinks to citations,” said Gary Bowden, chief of the Administrative Office’s Appellate Court and Circuit Administration Division. “And through PACER (the Public Access to Court Electronic Records system) these briefs will be available to everyone.” Until late last year, 10 of the 12 regional appellate courts were using an antiquated system of receiving, storing and tracking their cases, a system that at age 20 was long overdue for retirement." The St. Louis-based U.S. Court of Appeals for the 8th Circuit took a giant step in December when it became the first of those 10 courts to go live with Case Management/Electronic Case Files (CM/ECF). The rest are to follow by the end of 2007."

Another approach to copyright infringement?

McLean Students Sue Anti-Cheating Service

Plaintiffs Say Company's Database of Term Papers, Essays Violates Copyright Laws

By Maria Glod Washington Post Staff Writer Thursday, March 29, 2007; Page B05

Two McLean High School students have launched a court challenge against a California company hired by their school to catch cheaters, claiming the anti-plagiarism service violates copyright laws.

The lawsuit, filed this week in U.S. District Court in Alexandria, seeks $900,000 in damages from the for-profit service known as Turnitin. The service seeks to root out cheaters by comparing student term papers and essays against a database of more than 22 million student papers as well as online sources and electronic archives of journals. In the process, the student papers are added to the database.

Two Arizona high school students also are plaintiffs. None of the students is named in the lawsuit because they are minors.

"All of these kids are essentially straight-A students, and they have no interest in plagiarizing," said Robert A. Vanderhye, a McLean attorney representing the students pro bono. "The problem with [Turnitin] is the archiving of the documents. They are violating a right these students have to be in control of their own property."

... Attorneys for the company and various universities and public school systems, including Fairfax, have concluded that the service doesn't violate student rights. [No bias here! Bob] Turnitin is used by 6,000 institutions in 90 countries, including Harvard and Georgetown universities, company officials have said. Some public schools in Arlington, Prince George's and Loudoun counties use the service.

According to the lawsuit, each of the students obtained a copyright registration for papers they submitted to Turnitin. The lawsuit filed against Turnitin's parent company, iParadigms LLC, seeks $150,000 for each of six papers written by the students.

One of the McLean High plaintiffs wrote a paper titled "What Lies Beyond the Horizon." It was submitted to Turnitin with instructions that it not be archived, but it was, the lawsuit says.

Kevin Wade, that plaintiff's father, said he thinks schools should focus on teaching students cheating is wrong.

"You can't take a person's work and run it through a computer and make an honest person out of them," Wade said. "My son's major objection is that he does not cheat, and this assumes he does. This case is not about money, and we don't expect to get that."

Andrew Beckerman-Rodau, co-director of the intellectual property law program at Suffolk University Law School, said that although the law regarding fair use is subject to interpretation, he thinks the students have a good case.

"Typically, if you quote something for education purposes, scholarship or news reports, that's considered fair use," Beckerman-Rodau said. "But it seems like Turnitin is a commercial use. They turn around and sell this service, and it's expensive. And the service only works because they get these papers."

Interesting business model. You easily could do this at home, in your spare time.

SellABand Music Model Gaining Traction

Michael Arrington March 29 2007

Marshall Kirkpatrick wrote about German startup SellABand when it launched last August.

Like Amie Street, SellABand has an innovative way for struggling new artists to get their music heard, and make some money as well. Artists sign up and upload some of their music. Users listen to it. If they like it, they pay $10. If a band reaches $50,000 in donations, SellABand helps them record an album with a studio and expert producer.

It’s great in theory. At the time of our original post there wasn’t much data - 130 bands had signed up in the first couple of weeks, and had raised a few hundred dollars each.

But a few months later, wow. 2700 bands from all over the world have signed up, and four have already reached the $50,000 mark and have recorded albums (Nemesea, Cubworld, Second Person and Clemence), and more are on the way. Mandyleigh, one of our readers, is currently no. 4 on the top list and looks to be headed to the studio soon.

Listeners who donate to an artist get a free CD when the goal is reached - and are refunded their money if it isn’t. Artists get 1/3 of all advertising revenue from their profile, and 60% of proceeds from eventual album sales. They also get all rights back to their music a year after the album comes out.

No doubt it is copyrighted and the RIAA will sue...

RIAA Lawsuit Decision Matrix

By Brian Briggs Thursday, March 29 12:00 AM ET

BBspot has obtained secret documents which RIAA lawyers use to determine whether to file a lawsuit against a copyright violator. These documents give insight into the RIAA's decision-making process, and could help people avoid lawsuits in the future. We offer these documents as a public service.

Emily of the State - Internet Spying Short

Thursday, March 29, 2007

Well, it's official. TJX is a name that will live in infamy, at least in IT Security circles, and until the next “largest ever”.

Breach of data at TJX is called the biggest ever

Stolen numbers put at 45.7 million

By Jenn Abelson, Globe Staff March 29, 2007

At least 45.7 million credit and debit card numbers were stolen [I didn't see this in the SEC filing. Bob] by hackers who accessed the computer systems at the TJX Cos. at its headquarters in Framingham and in the United Kingdom over a period of several years, making it the biggest breach of personal data ever reported, according to security specialists.

While details are still sketchy, TJX said unauthorized software placed on its computer systems stole at least 100 files [I didn't see this in the SEC filing. Bob] containing data on millions of accounts from systems that process and store transaction information in Framingham and Watford, United Kingdom. Moreover, TJX believes the hackers last year had the capability to steal payment card data from its Framingham system as transactions were being approved.[I didn't see this in the SEC filing. Bob] Even the files TJX tried to protect through encryption may have been compromised because the company believes the hackers had access to the decryption tool. [I didn't see this in the SEC filing. Bob]

"It's the biggest card heist ever," said Avivah Litan of technology consulting firm Gartner Inc. "It's done considerable damage."

TJX, the discounter that operates the T.J. Maxx and Marshalls chains, also said in a regulatory filing yesterday that another 455,000 customers who returned merchandise without receipts had their personal data stolen, including driver's license numbers.

The filing provided the first detailed accounting on the breach since TJX publicly disclosed the problem in mid-January. TJX spokeswoman Sherry Lang said about 75 percent [75% unusable? That leaves 25% or 11.4 million... Bob] of the compromised cards were expired or had data in the magnetic strip masked, meaning the information was stored as asterisks rather than numbers. But the true extent of the damage likely will never be known, Lang said, because of the methods used by the intruder and file deletions by TJX done in the normal course of business.

... The security breach has already cost the retailer $5 million for the investigation and new computer security, among other efforts, but TJX said it cannot yet estimate total losses. This case represents one of the most aggressive and widespread data security breaches ever, according to several security specialists. The Federal Trade Commission has struck more than a dozen settlements with businesses following data security breaches.

"These guys perpetrated a perfect crime," Ken Steinberg , chief executive of Savant Protection Inc. a Nashua maker of security software, said of the TJX case. "This is what scares the living daylights out of everybody. And this one won't be the last."

[Full 10K

[Discussion of intrusion follows:]

We suffered an unauthorized intrusion into portions of our computer systems that process and store information related to customer transactions [Does that qualify as a “financial system” under Sarbanes-Oxley? Bob] that we believe resulted in the theft of customer data.

... Discovery of Computer Intrusion. On December 18, 2006, we learned of suspicious software on our computer systems. [Trojan horse? Rootkit? Bob] We immediately initiated an investigation, and the next day, [“We knew we were in big trouble... Bob] General Dynamics Corporation and International Business Machines Corporation, leading computer security and incident response firms, were engaged to assist in the investigation. They determined on December 21, 2006 that there was strong reason to believe that our computer systems had been intruded upon and that an Intruder remained on our computer systems.

... On December 22, 2006, we notified law enforcement officials [Actually quite timely... Bob] of the suspected Computer Intrusion and later that day met with representatives of the U.S. Department of Justice, U.S. Secret Service and U.S. Attorney, Boston Office to brief them.

... With the assent of law enforcement, on December 26 and December 27, 2006, we notified our contracting banks and credit and debit card and check processing companies of the suspected Computer Intrusion (we refer to credit and debit cards as “payment cards”). On December 27, 2006, we first determined that customer information had apparently been stolen [What was the basis for contacting law enforcement before that? Bob] from our computer systems in the Computer Intrusion.

... On January 13, 2007, we determined that additional customer information had apparently been stolen from our computer systems.

On January 17, 2007, we publicly announced the Computer Intrusion and thereafter we expanded our forensic investigation of the Computer Intrusion.

On February 18, 2007, in the course of our ongoing investigation, we found evidence that the Computer Intrusion may have been initiated earlier than previously reported and that additional customer information potentially had been stolen. On February 21, 2007, we publicly announced additional findings on the timing and scope of the Computer Intrusion.

Timing of Computer Intrusion. Based on our investigation to date, we believe that our computer systems were first accessed by an unauthorized Intruder in July 2005, on subsequent dates in 2005 and from mid-May 2006 to mid-January 2007, but that no customer data were stolen after December 18, 2006.
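Two details in the Globe piece deserve a closer look than the article gives them: the cards that were "masked" (stored as asterisks) were the ones the intruder could not use, and the encrypted files were apparently no better than plaintext because the decryption tool lived on the same compromised systems. The lesson is that data you never keep cannot be stolen, and data you encrypt is only as safe as the key sitting next to it. The following is an added example, not TJX's code and not taken from the 10-K or the article: it takes a track-2 style magnetic-stripe record as a point-of-sale system would see it, checks the card number with the Luhn algorithm, and reduces the record to a truncated PAN and expiry date, discarding the full number, service code and discretionary data instead of encrypting them. The track string is a constructed sample built on the 4111 1111 1111 1111 Visa test number; the expiry, service code and discretionary digits are made up.

```python
# Added example (not TJX's code, not from the Globe or the 10-K): parse a
# track-2 style record and reduce it to what is safe to keep after
# authorization. SAMPLE_TRACK2 is constructed from the Visa test number
# 4111 1111 1111 1111 with a made-up expiry, service code and discretionary data.
import re
from typing import Dict

# ;PAN=YYMM SSS discretionary ?  (start sentinel, separator and end sentinel optional here)
TRACK2_RE = re.compile(r"^;?(?P<pan>\d{12,19})=(?P<rest>\d*)\??$")


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check, used here only to reject garbage before masking."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(track: str) -> Dict[str, str]:
    """Split a track-2 record into PAN, expiry (YYMM), service code and
    issuer discretionary data. Raises ValueError on malformed input."""
    m = TRACK2_RE.match(track.strip())
    if not m:
        raise ValueError("not a track-2 record")
    pan, rest = m.group("pan"), m.group("rest")
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    return {
        "pan": pan,
        "expiry": rest[:4],
        "service_code": rest[4:7],
        "discretionary": rest[7:],
    }


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Replace the middle digits with asterisks. First six (issuer prefix)
    and last four is the most a truncated PAN is normally allowed to show."""
    if keep_first + keep_last >= len(pan):
        raise ValueError("nothing left to mask")
    hidden = len(pan) - keep_first - keep_last
    return pan[:keep_first] + "*" * hidden + pan[-keep_last:]


def storable_record(track: str) -> Dict[str, str]:
    """What a transaction log may retain: a masked PAN and the expiry.
    The full PAN, service code and discretionary data are dropped rather
    than encrypted, so no key or decryption tool on the box can reverse it."""
    fields = parse_track2(track)
    return {"pan_masked": mask_pan(fields["pan"]), "expiry": fields["expiry"]}


# Constructed sample: Visa test number, made-up expiry/service/discretionary.
SAMPLE_TRACK2 = ";4111111111111111=0912101123456789?"

if __name__ == "__main__":
    print(parse_track2(SAMPLE_TRACK2))     # the full record as the terminal sees it
    print(storable_record(SAMPLE_TRACK2))  # the only part that should reach disk
```

The masked form is irreversible, which is the point: an intruder who copies the transaction store, and even one who also copies whatever decryption tool sits beside it, gets "411111******1111" and an expiry date, not a usable card. If a system needs to match repeat transactions against the same card, a keyed hash of the PAN is the usual compromise, but that key then has to live somewhere the intruder cannot reach, which is exactly the problem the 10-K describes.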

Two points: 1) I'm amazed people still use floppy disks and 2) It is probably more secure because many computers (particularly laptops) don't come with floppy drives any more...

Printing firm loses personal data of successful university applicants

A floppy disc containing names and other private information of 972 people who passed entrance examinations for Waseda University's commerce faculty has been lost, it has emerged.

Waseda University had employed a Tokyo-based company to print and send letters to the 972 examinees notifying them of their successful results.

The company later told officials of the university that it had lost a floppy disc containing the names, addresses, and examinee numbers of the 972 people.

"We don't know where it is now," an official of the company was quoted as telling the university.

There must be more here than meets the eye...

Senator Involved In Computer Case Fires Back

School District Alleges Senator Took Advantage Of Situation

POSTED: 3:34 pm EDT March 28, 2007 UPDATED: 6:04 am EDT March 29, 2007

GREENVILLE, S.C. -- The Greenville County School District alleges that a South Carolina senator misused his office when he didn't tell the district about school computers that were auctioned off while they still contained personal information.

VIDEO: Thomas Responds To School District's Charges

The district said that Sen. David Thomas took advantage of his elected office and used the situation for his own personal gain.

Wednesday, Thomas denied those claims, and said that he was acting as a public servant, trying to protect students.

WYFF News 4 first learned about the computer in question last year when Kenneth Holbert and Scott Mann claimed they bought school computers and found thousands of private student records.

Thomas later showed News 4 those computers in his Greenville office.

The school district sued Hobert and Mann to get the data back. The men then filed a counter-suit against the district.

Hobert and Mann said that they would settle for an apology and reimbursement for their costs.

On Tuesday, the district rejected that offer to settle, and in their response, made the allegations against Thomas that he used the situation for his personal gain.

There are some things everyone involved has publicly admitted: the computer was owned by the district and it does contain confidential information about thousands of Greenville County students.

But now in question is the motivation of the two men who bought the computer, and why is Thomas involved?

WYFF News 4's Gordon Dill spoke with Thomas in Columbia.

Thomas said, "... They then came to me because they knew I was an attorney and I had a lot of interest in the issue of identity theft"

... The district also said that Thomas misused his position as state senator. Specifically, they said that while he was holding the information, he introduced an identity theft bill in the Senate.


No one likes anonymity...

JP: Police call on Internet cafes to record users' data to fight cyber crime

Thursday, March 29 2007 @ 07:15 AM CDT - Contributed by: PrivacyNews - Non-U.S. News

A National Police Agency (NPA) cyber security committee is calling for Internet cafes in Japan to check the identity of users and introduce methods to eliminate password-stealing software on computers to fight illegal computer access.

The calls from the NPA's general security measures council follow a police report showing that as of the end of May last year, 139 out of 277 cases in which police failed to apprehend people for illegal computer access involved computers at Internet cafes.

Source - Mainichi Daily News

Legislate first, consider the facts later?

Inmate GPS tags approved by panel

Minimum-security prisoners would wear the devices

Matthew Yi, Chronicle Sacramento Bureau Wednesday, March 28, 2007

(03-28) 04:00 PDT Sacramento -- After an emotional plea from the mother of a slain San Francisco police officer, an Assembly committee unanimously approved a bill on Tuesday that would require inmates in minimum-security facilities to wear GPS tracking devices.

Officer Bryan Tuvera, 28, was allegedly gunned down by Marlon Ruff after a foot chase in San Francisco's Sunset District on Dec. 22.

... That confrontation occurred 22 months after Ruff walked away from the Eel River Conservation Camp in Redway (Humboldt County).

Ruff was eligible for the minimum-security program after the Department of Corrections deemed him nonviolent despite his conviction for punching an armored car guard and stealing $4,600 in 2003. He was on parole for a gun conviction at the time of that robbery.

More than a dozen inmates walk away from facilities like Eel River every year because there are no security fences around the perimeter of the camps, said Assemblywoman Fiona Ma, D-San Francisco, who is writing the measure, AB439.

... There was no opposition to the bill, but a representative of a prison reform activist group testified that before mandating GPS devices for inmates, a better solution would be to make sure that violent criminals like Ruff don't end up in minimum-security facilities.

... Besides, an inmate bent on escaping could simply ditch the device before making a run for it, he said.

Only second-class citizens should be surveilled.

Friday, 30 Mar 2007

Surveillance upsets nursing home staff

Filming staff in rest homes shows a "lack of trust" in nurses and carers responsible for vulnerable patients, a nurses' union says.

Responding to a staff complaint about surveillance cameras in Christchurch's Rosewood Resthome, the New Zealand Nurses Organisation (NZNO) yesterday questioned why areas such as tea rooms and the nurses' station needed to be monitored.

A registered nurse working at the home said he and other staff did not like being on camera constantly. ... He did not object to cameras placed in other areas to watch the residents, despite failing to understand how it aided their safety, but said there was no need in staff-only areas.

I suspect this is far broader than just legal education. Could it be a business opportunity?

March 28, 2007

White Paper Addresses Legal Education and the Promise of Technology

New Skills, New Learning: Legal Education and the Promise of New Technology, by Gene Koo, Berkman Center for Internet & Society at Harvard Law School, March 26, 2007.

  • "A large majority of lawyers perceive critical gaps between what they are taught in law schools and the skills they need in the workplace, and appropriate technologies are not being used to help close this gap. This was the core conclusion of a new study by the Berkman Center for Internet & Society at Harvard Law School, in partnership with LexisNexis, which found:
    • More than 75 percent of lawyers surveyed said they lacked critical practice skills after completing their law school education.
    • Today's workplace demands skills that the traditional law school curriculum does not cover.
    ◦ Many attorneys work in complex teams distributed across multiple offices: nearly 80 percent of lawyers surveyed belong to one or more work teams, with 19 percent participating in more than five teams. Yet only 12 percent of law students report working in groups on class projects.
    ◦ Smaller firms can stay competitive with larger firms through more nimble deployment of technology tools and by exploiting the exploding amount of data openly available on the Web. Attorneys at these firms need tech-related skills to realize these opportunities.
    • Legal educators seriously under-utilize new technologies, even in those settings, such as clinical legal education, that are the most practice-oriented.
    • Research also suggests a breakdown in post-school workplace training, with smaller firms particularly unable to afford formal professional development.
    • Neither law schools nor most workplaces provide new attorneys with a structured transition between school and practice. Only 36 percent of lawyers surveyed report a dedicated training experience during their first year of employment.
    • Clients are increasingly unwilling to pay for training of associates, e.g. prohibiting firms from billing for young attorneys' attendance at client-facing meetings. New lawyers' involvement in such meetings has long been an important apprenticeship activity.
    • Finally, advances in computing and networking offer potential solutions to shortcomings in skills training at law schools.
    • Utilizing authentic practice technologies to support law school clinical programs exposes law students to the practical tools they need to succeed in future practice.
    • Learning through computer simulation mirrors the technology-based foundation of most legal practice settings today and enables participants to experience non-linear decision making closest to real-world casework."

How did they get caught in this mess in the first place? (See previous article?)

Julie Amero Sentencing Delayed Again; Prosecutors May Be Trying To Figure Out How To Back Out Gracefully

from the just-admit-you-were-wrong dept

The Julie Amero case has been getting plenty of attention lately, after prosecutors (and the local press) in Connecticut condemned a local substitute teacher after the classroom computer she was using was overrun with porn popups from spyware. For this, she was facing 40 years in jail. While the local paper and the prosecutor kept insisting that everyone didn't know the full story, once the transcripts became available it became clear that it was the prosecutors, the local police and the local press who didn't seem to recognize the full story. While the local Norwich Bulletin continues to insist she deserves to be thrown in jail (update: they no longer support jailing Amero, but still get twisted about trying to explain how she's guilty of something), it sounds like the prosecutors on the case may be recognizing that they were wrong. The sentencing has been delayed for another month, and the suggestion is that it's the prosecution that's looking for a way to get out of this mess cleanly without looking too bad. In the meantime, the Hartford Courant put together a good article summarizing the details of the case that make it clear this whole thing was something of a witch hunt.

How can they lose? (AT&T will no doubt love the free publicity this generates for FreeConference.) I see parallels in DRM and RIAA...

FreeConference.com Sues AT&T For Blocked Phone Calls

from the need-a-resolution dept

Earlier this month, we were surprised to hear that various mobile operators were blocking phone calls to services like FreeConference.com. When you get phone service, you expect that the phone service will work to any phone number, not just the ones that your phone provider decides are okay. Oddly, given the attention the story received, the FCC has remained quiet about it. Apparently, the folks at FreeConference.com got tired of sitting around and waiting and have decided to sue AT&T, asking for an injunction against the company to get it to stop blocking calls to the service. It's no secret that services like FreeConference.com are costing AT&T money, mainly through ridiculous termination fees set up by regulators protecting rural telcos. However, AT&T should take that up with the regulators, rather than simply blocking access to the service. Either way, it seems likely that both the FCC and the courts will soon be deeply involved in this issue.

Why do people still use a technology invented before the Civil War? (Think of it as proof that crooks will use any technology available.)

J2 Files Lawsuit Against Hot Lead

Associated Press 03.27.07, 9:42 AM ET

Voicemail and fax services provider j2 Global Communications Inc. said Tuesday it filed a lawsuit against Hot Lead Co. and its founders for sending unsolicited faxes to j2 customers.

In the lawsuit, j2 said it believes Hot Lead sent hundreds of thousands of illegal junk faxes every day.

... In January j2 settled junk fax lawsuits against Venali and Vision Lab Telecommunications Inc. and certain affiliates. The company said it also continues to pursue a lawsuit against Protus IP Solutions, a Canadian company that owns

Clearly news reading was more efficient on the Internet, perhaps it is more effective as well?

Shocking News: Online Readers Actually Have An Attention Span

from the and-it's-not-that-short dept

There's been plenty of talk the web shortening people's attention spans, but the latest Eyetrack study from the folks at the Poynter Institute has found instead that online news readers are actually much more likely to read to the end of news stories than those who are reading news stories offline. Of course, it's not that hard to figure out why: newspapers lose an awful lot of readers when they put in a "go to page 14 to continue." It ruins the entire flow of reading a news story, and it's the point at which anyone who's not fully engaged simply gives up. Still, it does say something that people do tend to read to the end of online news stories, rather than being quickly distracted by the next random viral video on YouTube.

I'll remember this the next time one of my students claims their hard drive crashed...

Web Site Offers Directory of Data Recovery Services, Software

March 28, 2007 By Chris Preimesberger

Two leading IT think tanks estimate that 5.6 million hard drives will fail in 2007, and chances are fair to good that one or more of them might well be yours. So a new company has decided to step in and help out.

Data Recovery Who's Who on March 28 launched the Internet's first one-stop directory of data recovery services and software, Data Recovery - Who's Who.

The first comment pretty much sums this up: “Why take two years to produce incompetent results when you can be just as incompetent in a few months?”

USPTO New Accelerated Review Process

Posted by samzenpus on Wednesday March 28, @09:49PM from the take-only-one-cookie dept.

Intron writes "Perhaps you have been lying awake worrying that your software patent on bubble sort might spend too much time being "examined" or "peer reviewed". You will be pleased to know that the US Patent and Trademark Office has launched their accelerated review process. "Applicants' submissions enjoy a presumption of patentability" says the patent office. Applicants are also responsible for disclosing any prior art."

I knew there had to be at least one site like this. Dennis pointed me to it. You should be able to find a blog like this for every case/cause/story of interest...

Recording Industry vs The People

A blog devoted to the RIAA's lawsuits of intimidation brought against ordinary working people.