Perhaps the data should have been stored someplace secure? Why did the prof. have this data?
Students’ personal information stolen from UM-Western office
(Created: Friday, March 30, 2007 12:04 PM MDT) DILLON (AP)
Between 400 and 500 current and former University of Montana-Western students are at risk of identity theft after a computer disk containing their Social Security numbers and other personal information was stolen from a professor’s office this week, school officials said. The stolen information belonged to students enrolled in the TRIO Student Support Services program, which offers financial and personal counseling and other assistance.
... Two professors’ offices in the university’s Main Hall were broken into sometime after 11:30 p.m. Monday, when the last university employee did a sweep of the building. The theft was discovered Tuesday morning, and Dillon police were notified. Some cash, the disk, and other university and personal items were stolen, school officials and police said. The investigation is still in the “early stages,” and no arrests have been made, Police Chief John Gutcheck said. “Anybody that had been in Main Hall that night is a suspect,” he said. In addition to Social Security numbers, the disk contained students’ names, birth dates, addresses and other information.
Looks like an overabundance of caution. Good for them!
Navy Laptops With Sailor Info Stolen
Navy News March 30, 2007
Norfolk, VA. -- Three password protected laptop computers have been identified as missing from the Navy College Office located on Naval Station San Diego. While the Navy College Office does not have complete information about what information was on the laptops, Personally Identifiable Information (PII) may be on the computers, including Sailors’ names, rates and ratings, social security numbers, and college course information.
This potential compromise of information could impact Sailors and former Sailors homeported on San Diego ships from January 2003 to October 2005 and who were enrolled in the Navy College Program for Afloat College Education. The Naval Criminal Investigative Service (NCIS) is investigating the incident as a possible theft, working with the San Diego police department to recover the computers.
At this time, it is not known if any Sailor has been affected by the theft, and it is not yet possible to determine whether any of the personal information contained in these laptops has been compromised.
Looks like an underabundance of caution...
Bush Press Corps in an E-mail Blunder
A mundane trip manifest of reporters who traveled to Latin America with President Bush has turned colossally controversial because the White House mistakenly included personal ID info on the E-mail sent to news bureaus and accountants. The key ingredients of identity theft–Social Security and passport numbers and dates of birth–were included in the E-mail that the White House Travel Office sent out in what's typically the first stage of billing.
... The manifest usually includes just the names of those on the trip and what they owe. But this E-mail, sent to media billing offices and bureau officials March 21, included a spreadsheet that on the far-right-hand side included the personal identity numbers. Why's it a problem? "I don't know everyone on that list. It could have been taken by somebody shady," frets one TV reporter. "It was an honest mistake," says C-SPAN's Steve Scully, president of the White House Correspondents' Association. He said that a day after the E-mail went out, the travel office apologized and tried to retrieve the E-mails. In a March 22 note, the deputy travel office director said the office "goes to great lengths to protect the personal information of the White House press corps, and immediately following the discovery of the mistake, steps were taken to recall the manifest. The White House Travel Office sincerely regrets the concern this has caused. Already, procedures are in place to provide continued and additional security for the White House press corps personal information."
The event prompted the White House to speed up plans to institute a new check-in and billing system. Some news organizations aren't taking chances. They are warning correspondents to check their charge accounts, and at least one is probing who will be liable if staff identities are stolen.
Interesting questions raised. The prosecutor found this? Sounds like a good job of “monitoring the opposition” by someone!
Port protest case ends in mistrial after data breach
Christian Hill Published March 30, 2007
The trial of 15 people who protested last year at the Port of Olympia ended in a mistrial Thursday after the judge learned confidential jury information was sent out over a compromised e-mail listserv used by the co-defendants.
The issue came to light after the lunch recess when Senior Deputy Prosecuting Attorney Steve Straume showed Thurston County District Court Judge Susan Dubuisson a copy of an e-mail that was obtained from the supposedly secure listserv. A listserv is an electronic mailing list.
Straume would not tell Dubuisson in court how he obtained a copy of the e-mail. [Why not? Bob] The e-mail contained a spreadsheet with the names of the more than 60 prospective jurors and their responses to a jury questionnaire. A legal aide for one of the defense attorneys created the spreadsheet and sent it to the listserv Saturday, said Andrew Yankey, one of the co-defendants. Six jurors and two alternates were selected from the pool Monday.
Most of the information on a jury questionnaire is not to be shared with anyone other than the defendants, defense lawyers and prosecutors. People other than the co-defendants and their attorneys had access to the e-mail listserv. [Like the prosecutor... Bob]
Straume and the other prosecutor assigned to the trial, Debra Eurich, could not be reached for comment Thursday evening.
Dubuisson said she declared a mistrial because of her concern that this breach would taint their ability to reach a fair verdict.
The questionnaires compiled on the spreadsheet did not contain information that could be used for identity theft, such as birthdates and Social Security numbers, but were of a general nature to help determine whether a prospective juror could be impartial, Dubuisson said.
... A co-defendant created the listserv through riseup.net — which provides “mail, lists and hosting for those working on liberatory social change,” according to its Web site — in the wake of the arrests at the Port of Olympia during a May 30 protest over a military shipment. All of the co-defendants were charged with second-degree criminal trespass for remaining on the port’s secured operations yard when authorities instructed them repeatedly to leave the area.
The co-defendants used the listserv to send out reminders about court dates and draft briefs and for other attorney-client work products. [but if others could see it, does that privilege still apply? Bob]
Approval needed to be granted by the listserv administrator before an individual could subscribe to it, Yankey said.
But with some basic information, a reporter from The Olympian located and subscribed to the listserv in minutes without authorization Thursday night.
The legal aide put the spreadsheet on the listserv Saturday, and another subscriber, recognizing the sensitivity of the information, quickly followed up with a message requesting that people not involved in the trial ignore it, Yankey said.
Dubuisson requested more information to determine what effect the compromised listserv will have on the ability to retry the case.
State pulls data off Web; threat to security cited
The Associated Press Published: 03.31.2007
PHOENIX - The Arizona Secretary of State's Office yanked Internet access to documents containing the Social Security numbers of Arizonans on Friday, just hours after a privacy rights activist told officials they were "spoon-feeding criminals."
The Social Security numbers could be viewed on the secretary of state's Web site in links to financial documents, such as state and federal lien statements.
Deputy Secretary of State Kevin Tyne said his office pulled half a million documents, but he didn't know how many contained Social Security numbers.
BJ Ostergren, who has made it her mission to raise awareness about identity theft, has gotten about a half-dozen states to remove Social Security numbers on similar government Web sites. She called the Arizona Secretary of State's Office on Friday morning to complain about its Web site.
By Friday afternoon, the office had removed all the links.
... Arizona has the highest per-capita rate of identity theft complaints nationwide, and Phoenix has the same rank among the nation's metropolitan areas, according to the Federal Trade Commission.
Ostergren said the Secretary of State's Office should have acted before she called.
... Ostergren said she has gotten states including New York, Oregon, New Mexico and Colorado to stop making Social Security numbers available on government Web sites.
Not as quick off the mark...
Privacy advocate prompts Colo. to end Web access to some public docs
Potentially thousands of UCC records showed Social Security numbers
March 30, 2007 (Computerworld) -- The Colorado Secretary of State's business division shut down online access to certain documents on its Web site after being notified by a privacy advocate that the site had been posting potentially thousands of documents with Social Security numbers since 2001.
Secretary of State Mike Coffman took the step to "prevent identity thieves from pulling personal identifying information from Uniform Commercial Code filings" posted on the site, according to a statement posted on the agency's site last night.
... In Colorado's case, the state had previously undertaken a redaction effort to black out Social Security numbers from UCC filings received prior to July 1, 2001. That effort was completed in May 2003, with Social Security numbers cut from more than 610,000 filings out of a total of about 1.7 million.
In 2001, the state also released a new UCC form that did not require Social Security numbers. However, many financial institutions appear to have continued using the older UCC form, [and no one noticed? Bob] which includes a box that asks for a Social Security number, yesterday's statement said.
As a result, potentially thousands of UCC records on the Colorado Secretary of State's Web site contain the numbers, said B.J. Ostergren, a privacy advocate in Richmond, Va. Ostergren, who runs a Web site called The Virginia Watchdog, alerted officials to the problem earlier this week.
For the past several years, she has documented cases where county governments and secretary of state offices around the country have routinely posted sensitive data online. Ostergren said she was able to easily access more than 100 records containing Social Security numbers from the Colorado site and had threatened to post the data on her own Web site if the state did not move to shut down access to the UCC filings. [politicians understand threats Bob]
Ostergren said that when she first contacted Coffman's office earlier this week about the problem, officials appeared to be unaware of the issue and initially doubted her claims -- until she showed them records she had downloaded from the site.
Would this suggest that controls were not adequate?
Worker arrested in Baptist privacy breach
An employee who appeared to have stolen credit card information from patients was arrested last week.
BY JOHN DORSCHNER jdorschner@MiamiHerald.com
Thousands of patients at Baptist Hospital appear to have had their credit card information stolen by an employee, Adrian Green, who was arrested late last week.
Green was caught after using Baptist telephone extensions to give various names in purchasing $3,000 worth of fancy watches, according to an affidavit filed by U.S. Secret Service Agent Shannon Jayroe.
The purchases were made by phone to Bacario.com, a Brooklyn, N.Y., watch merchant. The merchant became suspicious because orders using different persons' names were coming from the same phone number, as identified by the company's caller ID service.
The Secret Service, which handles credit card fraud, was alerted, and agents found that Green kept calling the merchant from different extensions at the hospital, Jayroe stated.
Green's job, which he had held for almost two years, was registering patients, giving him access to all their personal information, including Social Security and credit card numbers.
While agents monitored his actions at Baptist, Green was discovered accessing a patient's name and credit card information at 3:45 p.m. on March 19 and then placing an order with the merchant seven minutes later, the affidavit said.
Agents later went to Green's house in Homestead, where they saw a 46-inch flat-screen Samsung TV and a Sony Blu-ray Disc player, according to the affidavit, which stated that Green admitted the items were bought with stolen card numbers after being read his Miranda rights.
Baptist has fired Green, the hospital said in a news release. The institution didn't know "the extent of the problem, but it appears to involve a single employee who, we believe, accessed the financial records of several thousand patients at Baptist Hospital. We expect to know more in the next few days."
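The merchant's tell was one caller-ID number placing orders under several different customers' names. As an added example (not code from the article, the merchant or the hospital), here is a velocity check over constructed order records that flags a phone number once it has been used with more than a set number of distinct customer names inside a time window; the window and threshold are assumptions for illustration.

```python
"""Velocity check for card-not-present phone orders.

Added example with constructed data; not the merchant's or the
article's code.  The signal is the one the article describes: one
caller-ID number placing orders under several customer names within
a short time.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample orders: (timestamp, caller_id, customer_name, amount_usd)
ORDERS = [
    ("2007-03-19 15:52", "305-555-0100", "Alice Example", 850.00),
    ("2007-03-19 16:10", "305-555-0100", "Bob Sample", 640.00),
    ("2007-03-20 11:05", "305-555-0100", "Carol Test", 720.00),
    ("2007-03-20 11:40", "305-555-0177", "Dan Placeholder", 300.00),
    ("2007-03-21 09:00", "305-555-0177", "Dan Placeholder", 120.00),  # repeat customer
    ("2007-03-30 09:00", "305-555-0190", "Erin Sample", 95.00),       # shared household
    ("2007-03-30 17:00", "305-555-0190", "Frank Sample", 60.00),      # phone, two names
]


def parse(order):
    ts, caller, name, amount = order
    return datetime.strptime(ts, "%Y-%m-%d %H:%M"), caller, name, amount


def flag_shared_caller_ids(orders, window_hours=72, max_names=2):
    """Return {caller_id: {"names": [...], "total": float}} for every
    caller-ID used with more than `max_names` distinct customer names
    inside any span of `window_hours`.  Defaults are assumed values."""
    window = timedelta(hours=window_hours)
    by_caller = defaultdict(list)
    for ts, caller, name, amount in map(parse, orders):
        by_caller[caller].append((ts, name, amount))

    flagged = {}
    for caller, rows in by_caller.items():
        rows.sort()  # chronological; tuples compare on the timestamp first
        best = None
        for t_end, _, _ in rows:
            # Every order from this caller inside the window ending at t_end
            span = [r for r in rows if t_end - window <= r[0] <= t_end]
            names = {n for _, n, _ in span}
            if len(names) > max_names and (best is None or len(names) > len(best[0])):
                best = (names, sum(a for _, _, a in span))
        if best:
            flagged[caller] = {"names": sorted(best[0]), "total": round(best[1], 2)}
    return flagged


if __name__ == "__main__":
    for caller, info in flag_shared_caller_ids(ORDERS).items():
        print(f"{caller}: {len(info['names'])} names, ${info['total']:.2f} -> hold for review")
```

A shared household or office line will also trip a low threshold, so treat a hit as a review-queue item rather than an automatic decline.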
Does this make you feel all warm and fuzzy? (...and you thought TJX lost lots of data...)
Report: IRS bungles may imperil data
March 30, 2007 1:29 PM PDT
Just in time for tax day, government auditors have issued a new report that raps the Internal Revenue Service on a number of security vulnerabilities in its computer systems.
"Significant weaknesses in access controls and other information security controls continue to threaten the confidentiality, integrity, and availability of IRS's financial and tax processing systems and information," the Government Accountability Office said in a report (PDF) released Friday.
The findings run the gamut: failure to audit who has accessed what on its various systems, inconsistent encryption of data, and lack of physical security controls--such as surveillance cameras, security guards and locks--for starters. Overall, the GAO found that the agency had corrected only about one-third of the 73 security weaknesses it reported as unresolved during its last review.
Are we in fact creating classes of citizens (those with greater privacy rights) when we do this?
Bill would further restrict release of officer addresses
AMANDA FEHD, ASSOCIATED PRESS Posted: 3/31/2007
Nevada lawmakers reviewed a bill Friday that would further restrict the release of police officers' personal information, a follow-up to a 2005 measure allowing officers to remove their names from county assessor records.
Current law restricts the release of an officer's photo and address, unless the officer has been arrested or gives permission.
Assembly Bill 50 would prohibit the release of an address in any circumstances.
... Barry Smith of the Nevada Press Association asked that the bill be amended so the press would continue to have access to police reports and 911 records related to the arrest of an officer if those reports contain the officers' address.
Kallas said he was open to that amendment, but was not as agreeable to an amendment offered by the Nevada Attorneys for Criminal Justice and American Civil Liberties Union that would facilitate serving a subpoena on police officers. [Subpoenas are for second class citizens Bob]
Big deal? It might be big for Google...
Adult site's legal battle could aid Web hosting services
By Anne Broache Story last modified Fri Mar 30 15:41:54 PDT 2007
A federal appeals court ruling in a case involving an adult publisher appears to have delivered broader legal protections for online service providers against lawsuits claiming privacy violations and other illicit behavior by their users.
The U.S. Court of Appeals for the 9th Circuit on Thursday released a 26-page opinion (PDF) that upholds a number of lower-court findings against the adult-oriented Web site Perfect 10 in a lawsuit against a family of companies including Web hosting service CWIE and credit card processing firm CCBill.
The same appeals court is also preparing to release rulings in two other cases involving Perfect 10, whose online presence boasts "thousands of images of the most beautiful natural women in the world"--one against Google and Amazon.com and the other against MasterCard and Visa.
... One of the most significant parts of the court's opinion is a brief section that appears to clarify questions about how a portion of a federal law called the Communications Decency Act (CDA) applies to state laws, lawyers following the case said.
The CDA's Section 230, which has proven to be a critical defense for Internet service providers, bloggers and Web publishers, broadly immunizes providers of an "interactive computer service" from liability for content that others post, provided they make good-faith efforts to restrict access to material that could be considered "filthy, excessively violent, harassing or otherwise objectionable."
In its ruling, the 9th Circuit essentially concluded that Section 230 can also shield service providers from liability when they are confronted with allegations that their users violated state laws, such as right of publicity and trademark statutes, which was not always clear. (Disputes involving federal copyright and criminal laws, however, continue to be exempt from such immunity.)
... "The reality is, the way that this 9th Circuit ruling reads, it now makes entirely clear that plaintiffs can't make any state-based claims against online service providers--they're all gone," said Eric Goldman, a professor at Santa Clara University School of Law in Santa Clara, Calif.
Companies wishing to bring suits alleging bad behavior by Internet users could still target the users themselves, but they may have a weaker case against the intermediaries that post their content.
Interpreting the DMCA
Much of the rest of the opinion centers on interpretations of a 1998 federal law called the Digital Millennium Copyright Act (DMCA). A provision in that law says Web hosts are generally not liable for the content their users post, as long as they take down the offending content promptly upon being notified by the copyright holder and meet a number of other standards, such as not receiving "direct financial benefit" from infringing content. [Isn't this exactly what the Europeans are saying in the next article? Bob]
Some of the conclusions reached by the judges could aid content hosts making arguments in high-profile suits such as one Viacom recently brought against YouTube. "The court made it very clear that providers do not have to actively police their systems to look for infringement," EFF's Schultz said.
... The judges said they worried about the First Amendment free-speech violations that could occur if a site removes content when it doesn't actually infringe on copyrights.
So it's okay to rip music in Europe. RIAA will freak!
Private File Sharing to Remain/Become legal in EU
Posted by Zonk on Friday March 30, @03:14PM from the nice-change-of-pace dept.
orzetto writes "Italian newspapers are reporting that the European parliament's Committee for Legal Affairs approved an amendment presented by EMP Nicola Zingaretti (PSE, IT), that makes piracy a felony—but only if a monetary profit is made. As in the EU parliament's press release: ' Members of the Legal Affairs' committee [...] decided that criminal sanctions should only apply to those infringements deliberately carried out to obtain a commercial advantage. Piracy committed by private users for personal, non-profit purposes are therefore also excluded.' The complete proposal was passed with 23 votes in favour, 3 against and 3 abstentions, and is intended to be applied to copyright, trademark, design and other IP fields, but not patent right which is explicitly excluded. The proposal has still to pass the vote of the parliament before becoming law in all EU countries, some of which (like Italy) do have criminal laws in place for non-profit file sharing. A note: Most EU countries use civil law, not common law. Translation of legal terms may be misleading."
DVD consortium loses court case over DVD copying
By Eric Bangeman Published: March 29, 2007 - 08:08PM CT
A California judge handed a victory to Kaleidescape, which manufactures home media servers, ruling that the company's products do not violate the DVD industry's CSS license. The company was sued by the DVD Copy Control Association, which said that Kaleidescape's media servers violate its standard licensing contract.
The Kaleidescape System is a kind of home media server on steroids. Starting at $10,000, it consists of a server, movie player, and music player. The server is designed to store all of the owner's movies and music, ripping them from their original source discs for playback at a later time. To no one's surprise, the DVD CCA took issue with that functionality, accusing Kaleidescape of opening the door to massive copyright infringement and arguing that any device that played movies from a DVD needed to have physical access to the disc in order to do so.
After a week-long trial, Judge Leslie C. Nichols ruled in Kaleidescape's favor, saying that the 20-page CSS spec was not technically included as part of the license agreement. As a result, the company is in full compliance with the DVD CCA's CSS license, noting in his decision that Kaleidescape had made "good faith efforts" to ensure that its products were fully compliant.
... The complexity of the DVD CCA's licensing agreement proved to be its downfall. [Wow! How un-lawyer-like! Bob] Witnesses during the trial characterized the license drafting process as having been carried out over a series of 100+ meetings by a group of entertainment-industry lawyers with feedback from engineers. The result was a confusing standard licensing contract, one that omitted key details about the CSS General Specification.
Unfortunately for consumers, the decision is a narrow one. It looks to be applicable only to commercial home media server products [So I need to offer the one I built for myself for sale to anyone? Bob] that store single copies of a DVD in a copy-protected form for personal use. Kaleidescape's rips remain CSS protected on the hard drive, and Malcolm tells Ars that some parts have an "extra layer of AES-256 encryption." So those who wish to rip their own DVD libraries for personal use will continue to operate in the murky, grey intersection of the DMCA and fair use.
Although no formal appeal has been filed, it is likely that the DVD CCA will ask a higher court to overturn the decision.
Tools & Techniques
False Negatives Abound With protexIP 4.0
By Andrew Binstock InfoWorld 03/30/07 4:00 AM PT
A developer can cause disaster for his or her company by borrowing code from a copyrighted open source project. Black Duck Software's protexIP 4.0 checks code against known sources and alerts the user to problematic similarities. The license management portion of the product is robust and well-designed. The code analysis and identification, however, leave much to be desired.
As open source software pushes its way further into the enterprise, a new set of risks has arisen regarding IP (intellectual property). The problem is that developers happily borrow code from various projects to save themselves from having to reinvent it.
This help is all well and good as long as the resulting software complies with the licenses of the donor projects. The problem managers have is that they cannot know what parts of their code base come from open source projects. A code snippet reused from a newsgroup posting could actually have come from a copyrighted open source project. Its use could legally require the company to open source its entire product.
If the company is an ISV (independent software vendor), it might even be faced with being required to offer its product at no cost.
Free is good! (Thanks for the research PC World.)
101 Fantastic Freebies
Want to make your PC more productive, secure, informative, and entertaining? These downloads and services will do the trick--and they don't cost a dime.
Preston Gralla, PC World Wednesday, March 28, 2007 01:00 AM PDT
Once upon a time you actually had to pay for great software and services -- hard to believe, but true.
Geeky, but I bet it grows fast...
Thursday, March 29, 2007
Tweako A Social News Site For Tutorials
Tweako is a new social news aimed at programmers that just launched a couple of hours ago. Tweako bears a certain similarity to Digg, but instead of news headlines the user submitted content is geared toward tutorials, guides, resources and services.