This could hurt...
Fla., TJX differ on scam timeline
Police file suggests chain knew 9 months earlier of data breach
By Ross Kerber, Globe Staff April 7, 2007
State investigators looking into the theft of more than 45 million credit and debit card numbers from TJX Cos. are trying to determine when the Framingham retailer first learned that its computer systems were compromised.
In recent weeks several legal documents in connection with the incident, the largest reported breach of card data in US history, have been filed in Florida courts and with securities regulators. The firm's timeline of events, however, doesn't match the version of events as outlined by Florida investigators.
TJX, parent of discount chains including TJ Maxx and Marshalls, said in a securities filing last month that it learned of the security breach in its systems on Dec. 18, when it discovered unauthorized software had been placed its computer systems. It also reported that it delayed notifying the public for a month, at the direction of the US Secret Service, which TJX said wanted to make sure a disclosure wouldn't compromise its ongoing investigation. The Secret Service is the federal agency that protects the nation's electronic-payment and financial systems.
However, a document filed by Florida police officials says that TJX reported a breach involving thousands of card numbers to the Secret Service in March of 2006, nine months earlier. Florida officials filed the document in connection with the arrests of six people charged with using information taken from TJX to steal millions of dollars with worth of goods.
Kim Bruce, a spokeswoman for the US Secret Service, disputed the suggestion that the agency learned of the breach in March 2006. "We first got the information from TJX in December and have been investigating since then," she said.
A TJX spokeswoman, Sherry Lang, called the March date in the Florida filing incorrect. "We stand behind our statements we have made in our press releases," she said. "We reported it to law enforcement in December of 2006. Anything else anyone is saying about this is incorrect."
The issue of timing is important because had TJX learned of and reported the problem earlier, security specialists say, customers and merchants could have had more warning to guard against fraud, potentially saving millions of dollars in losses. Several pending lawsuits against TJX question whether the company disclosed the breach early enough.
Randy Roberts, a detective in Gainesville, Fla., who signed the filing known as a probable cause affidavit, said he could not discuss the March date. He said he learned of the TJX connection to his investigation once it began in November. He referred further questions to a department spokesman, who declined to elaborate.
A group of state attorneys general led by Massachusetts Attorney General Martha Coakley is looking into the TJX data breach to determine whether consumer-protection laws were violated. In an interview yesterday, Coakley did not address the discrepancies directly, but said "we're looking at all the factors in this breach, including when and how it was discovered and when it was reported to the authorities."
Another participant in the group, Connecticut Attorney General Richard Blumenthal, confirmed that "the issue of timing relative to the discovery of this problem" is under investigation. Both Blumenthal and Coakley said they couldn't comment further.
Why transport this data? “We've always done it that way...”
Hortica Alerting Public to Loss of Backup Tapes
2007-04-06 19:48:09 -
EDWARDSVILLE, Ill., April 6 /PRNewswire/ -- Florists' Mutual Insurance Company (Hortica), an Illinois-based provider of employee benefits and insurance to companies in the horticultural industry, today announced that a locked shipping case containing magnetic backup tapes cannot be located. Hortica believes that the backup tapes contained personal information including names, Social Security numbers, drivers' license numbers, and/or bank account numbers.
The locked shipping case was being transported by UPS from a secure offsite facility to the company's Illinois headquarters. UPS informed Hortica that the shipping case could not be located, and Hortica has been working with UPS in an attempt to locate the case. On April 5, 2007, UPS notified Hortica that all internal recovery processes had been exhausted and the shipping case could not be located.
... Mr. McClellan said Hortica has since altered its backup tape storage procedures so shipment of backup tapes by common carrier is no longer required. [Prior to this incident, we didn't think thinking was required...” Bob]
... Information regarding the loss of the locked shipping case will also be posted on Hortica's website at http://www.hortica-insurance.com/.
How does one forecast the time required?
Intel Gets More Time to Explain Lost E-Mails in Antitrust Case
April 6, 2007 By Chris Preimesberger
Intel, the world's largest microprocessor maker, has been granted a few more days to explain how it is trying to locate a long list of missing e-mails in the legal discovery phase of a 2-year-old court battle initiated by its major competitor, Advanced Micro Devices.
A U.S. District judge on March 7 originally gave Intel 30 days to try to recover more than 1,000 lost e-mails that it was required to keep for an antitrust lawsuit filed by AMD in 2005.
Federal court rules enacted Dec. 1 require enterprises to be able to quickly find such data when required by the court.
The e-mails that Intel claims are missing reportedly discuss details relevant to the AMD lawsuit, which alleges that Intel engaged in anti-competitive practices to maintain a "monopolistic position" in the PC processor market, according to court documents.
Since then, Judge Joseph Farnan of U.S. District Court in Delaware has opted to give the Santa Clara, Calif., chip maker 10 more days—until April 17—to come up with a report to AMD on how the e-mail search is progressing or whether the corporation will be able to produce the e-mails at all.
... Intel's e-mail system, which runs on Microsoft Exchange servers, serves 99,900 employees worldwide. It is automated to expunge e-mail sent or received by employees every 35 days; senior executive e-mail is purged every 45 to 60 days.
Some of the e-mail messages may be recoverable from backup tapes or by employee-initiated backup; Intel said it is busy tracking these down. However, trying to find individual e-mail messages with specific keywords in unindexed backup tapes is tedious and requires a substantial amount of work time. Individual backup tapes must be mounted one at a time to have their contents restored and examined.
About 1,000 Intel Employees Involved
According to court documents, Intel has identified about 1,000 employees as having potentially relevant information. In the company's best e-mail storage scenario, all these employees would have been contacted and asked to preserve the e-mails for the discovery team. Intel relies solely on employees to back up their own e-mail messages for reference.
In the best possible e-mail backup/archive scenario, Intel's employees wouldn't have had to worry about backing up any e-mails. A full-service corporate e-mail archiving system—a number of which have been available for several years and about which eWEEK has reported often —would likely have been able to solve this legal issue within a few hours.
If Intel cannot produce all the relevant e-mails that AMD and the court are demanding, the judge could levy a stiff fine if he considers this unreasonable behavior.
Judge Has Other Options
There are other ways to handle this loss of key evidence. It is entirely possible that AMD may have to help foot the bill for finding it if legal precedence comes into play.
... So, if Intel reports on April 17 that it will take much more time and money to recover the missing e-mails, Farnan could indeed grant the time and theoretically could even order AMD to pitch in for the e-discovery costs—which could easily run into high-six-figure territory.
Most of the missing e-mails were written after AMD filed suit against Intel on June 27, 2005, according to court documents.
In a statement sent to the court, AMD said: "Through what appears to be a combination of gross communication failures, an ill-conceived plan of document retention and lackluster oversight by outside counsel, Intel has apparently allowed evidence to be destroyed. Intel executives at the highest level failed to receive or to heed instructions essential for the preservation of their records, and Intel counsel failed to institute and police a reliable backup system as a failsafe against human error."
Intel Admits Its Foibles
To its credit, Intel has been candid about its e-mail problem.
eWEEK obtained a copy of a letter Intel sent to AMD and to Farnan last month. In it, Intel said that despite a companywide effort to comply with AMD's requests for evidentiary documents—including tape backups of more than 1,000 of its employees' correspondence—the company admitted there were "inadvertent mistakes in the implementation" of its preservation process.
For example, some employees obeyed the request to save their e-mails to a backup hard drive but did not save their "sent" e-mail folders—only the "incoming" mail folder. As a result, those sent e-mails were purged as part of Intel's regular maintenance program. In the letter, Intel also said a few employees didn't follow the directive at all because they believed the IT department was automatically saving their e-mail on its own.
Is this the opposite of identity theft? Interesting question. How far must the court go to protect people who used an illegal service? What assumptions are made here – that the users were ignorant?
Judge offers steroid buyers a shot at privacy
Customers of Florida pharmacy can oppose use of records in court
By BRENDAN J. LYONS, Senior writer First published: Friday, April 6, 2007
Tens of thousands of people across the United States who purchased drugs from an Orlando pharmacy at the center of an Albany steroids case must be notified that their prescription records were seized by police, a Florida judge ruled this week.
Those drug buyers, many of whom bought steroids through companies that have Web sites, will then have 30 days to object to their records being used in court, [on what basis? Bob] the judge said. The judge also ordered police to stop sifting through the documents until medical privacy issues have been resolved.
The sealing order by Circuit Judge John Marshall Kest of Osceola County, Fla., will indefinitely stall the sprawling steroids investigation. It could also allow professional athletes and others suspected of illicitly buying drugs a chance to keep their names from becoming public in court.
... Tingley argued in court that Orlando police and investigators in Albany County should not be given access to the seized records until the patients have had a right to invoke their rights to medical privacy. She said the seized items included all patient records, including, for instance, the records of dialysis patients.
... Florida prosecutors argued against the sealing order handed down Tuesday. They said more than half of Signature's customers were people who purchased drugs "for non-legitimate purposes." [Sounds logical, but is there any factual way to be certain? Bob]
Will this “improve service?” Does ISP liability increase as traffic is flagged for slowdown?
Rogers Traffic Shaping Making It Difficult For Users To Use Secure Email
from the nice-work dept
Canadian ISPs haven't been shy about using traffic shaping tools to try to slow down the use of things like BitTorrent. This is a lot of what the network neutrality debate is about -- as ISPs would like to shift all that traffic onto the slow lane. Of course, as has been pointed out, this can backfire badly. Trying to slow down BitTorrent traffic will just lead to more people encrypting all of their internet use -- increasing the overhead involved, increasing the traffic and making the attempts at traffic shaping pointless. This is exactly what's happened in plenty of cases. However, Canadian ISP Rogers has taken things to the next level, and apparently decided that all encrypted traffic must be bad and should be slowed down. That means that for folks who happen to do ordinary things like use encrypted email connections (as you should), Rogers can make email nearly impossible to use. It's not clear how this helps anyone. It pisses off users who (hopefully) will jump to other ISPs at the first opportunity (if there is one), and doesn't help Rogers keep bandwidth down on its network. It just makes the system more expensive and more overloaded, while making it nearly impossible for people to do basic things like email. Nice job, Rogers.
Did Google cave in?
Why Should AFP Need To License The Right For Google To Link To Its News Stories?
from the but-now-what dept
Two years ago, the news agency Agence France-Presse (AFP) bizarrely sued Google for linking to its news stories via its news search engine, Google News. This made very little sense, as it basically made it much harder for people to find or read AFP news. I n a highly competitive news market, making it harder to find your news isn't a particularly intelligent strategy. This actually made a number of news sites that licensed AFP news quite angry because they lost a ton of traffic that Google News drove to their sites. A similar story played itself out recently in Belgian courts with Google being barred from linking to certain Belgian newspaper sites as well. However, the AFP lawsuit was still out there, until today, when Google and AFP announced a settlement, including a license from AFP to put its stories back into Google News.
Unfortunately, there aren't that many details. It's unclear if Google paid any money for this "right" or if AFP finally came to its senses and realized that cutting yourself off from Google isn't particularly useful. Either way, though, it still sets a bad precedent that Google had to secure a special license to link to content. There's simply no need for a license to index and link to content -- and Google agreeing to a license from AFP just means that now other publishers will start lining up claiming that Google should pay them as well. It's the same thing that has happened since content companies discovered Google was willing to pay off record labels for having their content on YouTube. That eventually resulted in just about every media company lining up for its own cut -- and, eventually to Viacom's decision to sue for $1 billion, when Google wouldn't pony up as much as Viacom wanted. Google is setting a bad precedent here, agreeing to license content it doesn't need to license, and it's only going to create more problems down the road as other content firms line up demanding payment for similar licenses.
Get 'em while they're young!
Friday, April 06, 2007 5:26 PM PT Posted by Ramon G. McLeod
Taxpayer-paid iPods for Every Kid?
What the??? Yes, in the state of Michigan, which faces a $1 billion deficit, the Detroit News and Detroit Free Press are both reporting that House Democrats have offered a spending plan that would "buy an MP3 player or iPod" for every school-age kid.
The cost? How about $38 million, according to the Free Press. No or other details are available, which makes me think this is one of those off-the-wall ideas, so beloved in state houses and Congress, that won't go anywhere.
Or at least I HOPE it won't go anywhere...
Worth a listen...
April 05, 2007
RU Sirius Interview
RU Sirius interviewed me for his podcast show.
Show #98: Everything The US Government is Doing About Security is Wrong
You can test it yourself, or you can let someone else (the bad guys) take the first shot...
The IT Security Must Have for 2007: Penetration Testing Tools
April 6, 2007
Download this on demand webcast, FREE, compliments of Core Technologies!
Abstract: (Source: Core Technologies) Today's enormously complex enterprise IT infrastructures consist of hundreds and in some cases thousands of systems and subsystems. The task of correctly assessing the real security risks associated with a seemingly endless stream of vulnerability and patching reports for this infrastructure is a daunting task for the IT staff. Download this on demand webcast to learn the compelling reasons why automated penetration testing must be an integral part of an enterprise's security and vulnerability management processes and programs
Have we reached a tipping point?
Microsoft changes tune on selling DRM-free songs
After claiming that DRM is 'necessary' for digital media, the company will soon follow Apple's lead in offering DRM-free music
By Elizabeth Montalbano, IDG News Service April 06, 2007
Following digital music pioneer Apple's lead yet again, Microsoft said this week it will soon sell digital music online without DRM (digital rights management) protection.
Microsoft's apparent change of heart on selling DRM-free music came in response to Apple's deal earlier in the week to sell unprotected content from recording company EMI. The company previously claimed that DRM was necessary for current and emerging digital media business models.
Three articles documenting “politics over reason” If there is software capable of censoring the Internet (text, web sites, audio and videos), then that software can be used to identify copyright violators, terrorists, political dissidents, etc. Is it really possible or the wishful thinking of a few who don't understand technology?
Turkish Assembly Votes For Censoring of Web Sites
Posted by Zonk on Friday April 06, @08:49PM from the we're-actually-really-nice-out-here-guys dept. Censorship The Internet Politics
unity100 writes "CNN has some news about a recent development in Turkey where the Turkish assembly, totally out of line with Turkey's commitment to EU membership, has voted to have sites that 'insult to the founder of modern Turkey' censored from entire Turkish population. This, just about a month after the decision to censor YouTube was reached by the Turkish courts. 'On Thursday, lawmakers in the commission also debated whether the proposal should be widened to allow the Turkish Telecommunications Board to block access to any sites that question the principles of the Turkish secular system or the unity of the Turkish state -- a reference to Web sites with information on Kurdish rebels in Turkey.'"
Two More 'Offensive' Videos Fuel Thailand-YouTube Standoff
By Rungrawee C. Pinyorat AP 04/06/07 8:01 AM PT
Thailand has left its countrywide block of YouTube in place after users posted new videos that some in the country deem offensive. The ban began earlier this week when a user posted a slideshow that insulted the nation's king. The person who posted that video voluntarily removed it a day later, however two more insulting videos have since been posted. YouTube has declined to remove the content itself.
Tokyo Election Commission Worried People Might Actually Watch Candidate Speeches On YouTube
from the it-might-make-them-more-educated! dept
There's just something about politicians and their inability to understand the internet. Slashdot points us to an article about the Tokyo Election Commission demanding that YouTube take down videos of various local political candidates after a "fringe" candidate started getting plenty of attention. Apparently, Japan only allows candidate speeches to be aired on the local public broadcasting network, and somehow having them up on YouTube isn't fair. We're not exactly sure how making candidate videos available to more people in a more convenient way could ever be considered less fair, but I guess that's why we're not on the Tokyo Election Commission. Still, you would think that with the big challenges involved in making the electorate more informed, people would be enthusiastically supporting the idea of making the videos more, not less, available. Oh well. Maybe this means that Japan will ban YouTube as well.
I wonder if they will allow outsourcing to the US?
India High-Tech Industry Out of Workers
By TIM SULLIVAN Associated Press Writer Apr 7, 12:13 AM EDT
If I'm not listed (under GEEK) can I sue?
Posted by Zonk on Friday April 06, @11:37PM from the crying-with-information dept.
The Webguy wrote to mention a C|Net article talking about Google's newest toy - Local Voice Search. The service is dirt simple: you call a 1-800 number and, via voice recognition software, say the category of business you're trying to reach. You can also try for a specific name, though the C|Net blogger had some problems with that. The Google Blog has been updated with details as well: "Google Voice Local Search lets you search for local businesses from any phone and for free. If you're in the US, call 1-800-GOOG-411 and say what you want to find. Here are some of the features -You can find a business listing by category. Just say "pizza," for example. You can send the listing details to your mobile phone via SMS. The service is fully automated, so it doesn't rely on human operators. It connects you directly to the business, free of charge."
Proof suggests predictability. Should we invest in sunscreen?
April 06, 2007
Climate Change 2007 - Assessment Report of the Intergovernmental Panel on Climate Change
Climate Change 2007: "The IPCC 4th Assessment Report (AR4) consists of four volumes that will be released in the course of 2007. Compared to the 2001 report, the AR4 pays greater attention to the integration of climate change with sustainable development and the inter-relationships between mitigation and adaptation. Specific attention is given to regional issues, uncertainty & risk, technology, climate change & water.
Here are the release dates:
February 2 (Paris) - The Physical Science Basis
April 6 (Brussels) - Impacts, Adaptation and Vulnerability - Summmary for Policymakers
May 4 (Bangkok) - "Mitigation of Climate Change"
November 16 (Valencia) "The Synthesis Report"
Working Group I Report, "The physical science basis", assesses the current state of knowledge about the natural and human drivers of climate change, reflecting the progress of the climate change science in the observation of the atmosphere, the Earth's surface and oceans. It provides a paleoclimatic perspective and evaluates future projections of climate change. Main topics include changes in atmospheric composition, observation of various climate parameters, coupling between changes in climate and biogeochemistry, evaluation of models and attribution of climate change.
Working Group II Report addresses "Impacts, Adaptation and Vulnerability": It provides a detailed analysis of observed changes in natural and human systems and the relationship between those observed changes and climate change, as well as a detailed assessment of projected future vulnerability, impacts, and response measures to adapt to climatic changes for main sectors and regions.
Working Group III Report on "Mitigation of climate change" analyses mitigation options for the main sectors in the near term, addressing also cross sectorial matters such as synergies, co-benefits, trade-offs, and links with other policy objectives. It also provides information on long term mitigation strategies, for various stabilization levels, paying special attention to implications of different short-term strategies for achieving long-term goals.
April 5, 2007
Climate Update: Mars is Warming, Crops are Growing
Apparently all the manufacturing activity and the SUV's driving around Mars are starting to have an impact: The Martian climate is warming. What other explanation could there possibly be?
Also, Tim Blair has this post, noting first the dire predictions of warming and its impact on crop yields and then noting that crop yields are at an all-time high. Oh, well...
It's at least impolite (and in some quarters heresy) to speak of benefits from any potential warming, but it doesn't seem logical, does it, that warming would produce only negative results -- or that cooling would produce only negative results? It just doesn't make logical sense. In other words, warming or cooling would presumably bring with it a mix of good and bad, no? Wouldn't one of the upsides of warming be longer growing seasons in some areas, and thus higher crop yields? If you believe the globe has warmed a degree in the last century, then maybe that's what accounts for the high crop yields, which is good news for the world's poor, and the world at large.
Will Market Forces Stop Global Warming?
Published: April 6, 2007 Author: by Jim Heskett