Saturday, April 28, 2007

I wonder what the contract says about incidents like this?

Cat computer equipment stolen

Vendor-owned equipment contained personal employee data

Saturday, April 28, 2007

PEORIA - Caterpillar Inc. said Friday that computer equipment containing personal identity information about current and former employees was stolen from a vendor.

... "We deeply regret that this incident occurred," said Sid Banwart, vice president over Caterpillar's Human Services Division. "We are putting in place an enhanced level of protection for this type of personal data, [Isn't that the same as admitting they didn't get it right the first time? Bob] as part of our commitment to ensure the security of information that is entrusted to us. We take data privacy seriously, and we are committed to implementing additional safeguards regarding the handling of employee information by our vendors." [Ditto Bob]

Cost of security breach...

New York Settles First Security Breach Case

Company Delayed in Notifying 540,000 New Yorkers their Data Was Missing

April 27, 2007

New York Attorney General Andrew M. Cuomo has reached the first settlement under New York's Information Security Breach and Notification Law.

CS STARS LLC, a Chicago-based claims management company, failed to notify the owner of computerized data and approximately 540,000 New York consumers that their personal information was at risk for seven weeks.

... Under New York's Information Security Breach and Notification Law, any business which maintains private information which it does not own must notify the owner of the data of any security breach “immediately following discovery” of the breach and must notify all affected consumers in the “most expedient time possible.”

... The company also agreed to implement more extensive practices relating to the security of private information. CS STARS will pay the Attorney General’s office $60,000 for costs related to this investigation. [A dime a record? That's it? Bob]

Summary too long to list here. Sad, isn't it.

Data “Dysprotection:” Weekend Roundup

Friday April 27th 2007, 5:04 pm

Filed under: Privacy, Identity Theft, Data Protection, Medical Privacy

A recap of some of the breaches and follow-ups reported in the news section this week. This roundup may be updated over the weekend.


April 26, 2007

74 Percent of Security Executives Concerned About Impact of Payment Card Data Loss

LONDON --(Business Wire)-- Qualys, Inc., the leading provider of on demand security risk and compliance management solutions, today announced that 74 percent of European senior security executives see the impact of payment card loss on brand reputation as their biggest concern. In addition, the majority of European professionals -- over 90 percent -- are already preparing for deperimeterization.

... Results highlight key differences between security preconceptions of U.S. executives as compared to their European counterparts.

"The fact that the majority see the effect of data loss on brand reputation as their biggest concern not only demonstrates the awareness built by incidents such as the TJ Maxx data breach but clearly also reflects on the changing role of CSOs today. No longer are security professionals pure technologists. They are now taking on more responsibility on a corporate level and realize that security needs to be moved higher up the business agenda," said Philippe Courtot, CEO and chairman of Qualys, who opened the Jericho Conference earlier this week with a call to action for vendors to support Jericho by rising to the challenge of designing to the Jericho Blueprint.

... Over 50 percent of executives on both sides of the Atlantic see compliance as the biggest driver in their security strategy.

Other key findings from the survey show:

-- 69 percent of European executives believe that insider threats pose a more serious problem than threats from outside the organization. Considering that 80 percent of the security budget is spent on strengthening the perimeter, this suggests a real need to shift the focus.

-- Europe is more reliant on ISO 17799 with over 82 percent of professionals using it within their company and 15 percent of these already certified.

-- In relation to security metrics, Europe was somewhat behind with 39 percent currently defining their metrics and only 29 percent with mature metrics in place.

Is there money in Privacy? Looks like an emerging field.

Eight Privacy Firms to Watch

Jay Cline

April 27, 2007 (Computerworld) A handful of brave souls have bet the farm that North American companies have a lot of privacy work left to do and not enough staff to do it. So far, their hunches are paying off. But prospective entrepreneurs, take heed: The privacy market is still new and evolving, with little predictability.

Just seven years ago, there wasn't even a privacy market to speak of. The ink on most privacy laws wasn't dry yet, fewer than 50 people worldwide bore the title "chief privacy officer," and the International Association of Privacy Professionals didn't exist.

The people speak! (What are they actually saying?)

Clamp on access to personal documents doomed

5:00AM Friday April 27, 2007 By Paula Oliver

The Government appears headed for an embarrassing defeat over its proposal to tightly restrict access to birth, death and marriage certificates.

An outcry from historians, genealogists and researchers [Am I a researcher if I'm looking for ways to steal your identity? Bob] has prompted several of Parliament's smaller parties to revisit their stances on the Government's Births, Deaths, Marriages and Relationships Amendment Bill.

... "People are going to find that they're going to have some considerable difficulty getting access [Technically, that is referred to as “the point” Bob] to data," Mr Dunne said.

Google to buy TSA?

Denied Entrance Into The US Thanks To A Google Search Of Your Permanent Record

from the think-of-all-those-myspace-kids-who-will-never-be-able-to-travel dept

For a long time, people have talked about how Google has effectively created the infamous "permanent record" teachers always warned us about in school. And, now, it appears that it's not just being used for background checks on dates and job reference checks, but for official government purposes as well. Joe McEnaney writes in to alert us to a story of a Canadian man who was denied entrance to the US after border guards did a Google search on his name and discovered a peer-reviewed academic paper he'd written years earlier that mentioned his own LSD use over 30 years ago. Setting aside any thoughts one way or the other on whether or not that should be a criterion for entering the US, just think of what this means for teens today who are discussing their lives very publicly on sites like MySpace. We've already wondered what will happen once the MySpace generation runs for office, but right now they might just want to be careful leaving and entering the country.

We only passed that stupid law to bring lobbyists (with large expense accounts) to the state...

High-Tech Execs Meet With Lawmakers Over Web Search Keyword Law

By The Associated Press 04-27-2007

A Utah law that sets up a trademark registry aimed at restricting rival advertisers on the Internet likely won't be enforced when it takes effect Monday, lawmakers said after meeting with high-tech executives.

... The Legislature unanimously approved the Trademark Protection Act in February despite warnings from state lawyers that it could be overturned in court.

We don't base our Security choices on effectiveness, nor on efficiency! (Don't think of it as a bribe, think of it as a discount!)

And The Gold Medal For Stupidity Goes To...

from the greedathlon dept

We've discussed before the asinine level of special protection Olympic organizers regularly demand for their trademarks and even plenty of common words, as well as event sponsors. However, organizers of the 2012 summer games in London have set the bar for stupidity even higher by apparently decreeing that it will only use security technology provided by paid sponsors. Even with the ridiculously high level of concern over security at these events, organizers won't choose the best solutions, just those provided by companies that have paid to sponsor the games. This means that, apparently, matters of identity management and authentication will be left up to Visa. Yes, that's the Visa that's a credit-card company for which data leaks, identity protection and authentication are in no way a problem. While we're handing out medals for stupidity, let's go ahead and give the silver to the site on which the original article appears for its annoying registration scheme. Visit the page once, and everything's cool. Visit it again, and you get hit with a demand to register, which seems like a really, really great way to encourage new visitors to the site to read more and keep coming back.

Economics close to home.

Colorado's Tech Industry Loses Some Luster

April 27, 2007 By Deborah Perelman

Colorado, once considered among the most promising hubs for technology companies, took a big employment and market share hit in recent years, finds the Cyberstates 2007 report, released on April 24.

After holding first place in tech concentration for nine years, Colorado fell to third place, according to the report by AeA, a Washington, D.C., high-tech industry trade association. Colorado was surpassed by Virginia, where 8.9 percent of the work force is in the tech industry compared to 8.6 percent in Colorado.

... In addition, Colorado's venture capital investments were down 5 percent in 2006 to $622 million.

... "What's really strong for Colorado right now, and will be even if Intel sells, is that they're increasing their R&D and design work," Wright said. "There's a lot of good universities in-state, and they want access to these people. They're very high-level jobs. If you're an engineer or in the R&D segment, you're very employable in Colorado."

[Report is $125/250, at Bob]

Again, the comments are as interesting as the article. Would you hire this kid? Should Cisco?

Student Attempting To Improve School Security Suspended

Posted by Zonk on Friday April 27, @05:13PM from the no-good-deed-goes-unpunished dept. Education Security IT

TA_TA_BOX writes "The University of Portland has handed a one-year suspension to an engineering major after he designed a program to bypass the Cisco Clean Access (CCA). According to the University of Portland's Vice President of Information Systems, the purpose of the CCA is to evaluate whether the computers are compliant with current security policies (i.e., anti-virus software, Windows Updates and Patches, etc.). Essentially the student wrote a program that could fool the CCA into thinking that the computer's operating system and anti-virus were fully patched and up to date. 'In the design of his computer program, Maass looked at the functions CCA provides and identified vulnerabilities where it could be bypassed. He wrote a program that emulated the same functions as CCA and eliminated some security issues. He says that the method he chose is "one of six that I came up with." Maass says his intent was not malicious. Rather, the sophomore says he was examining vulnerabilities so that they could be fixed. "I was planning on going to Cisco with the vulnerability this summer," Maass says. '"

Perhaps we could start “The Political Channel” -- selling ads should be a snap! (“You want a share of the pork, don't you?”)

NBC Believes They Own Political Discourse

Posted by Zonk on Saturday April 28, @03:25AM from the they-the-people dept. Television The Internet The Media Politics

PoliSciASU writes "MSNBC has established draconian rules regarding the use of the Presidential Primary Debates on the internet. Some examples: '5. No excerpts may be aired after 8:30 pm on Saturday, May 26th. Excerpts may not be archived. Any further use of excerpts is by express permission of MSNBC only. 6. All debate excerpts must be taped directly from MSNBC's cablecast or obtained directly from MSNBC and may not be obtained from other sources, such as satellite or other forms of transmission. No portions of the live event not aired by MSNBC may be used.' Kevin Bondelli talks about why this is 'shameful and wrong'. Voters are missing out on the ability to actually have an engaged conversation about the candidates and their debate performances because of NBC's greed."

Alexander Wolfe at InformationWeek and Jeff Jarvis at BuzzMachine share similar sentiments, and discuss the matter in different ways.

Another tool for the virtual company.

Amazon To Offer Storage And Shipping On Demand

from the click-and-mortar dept

In the past year or so, Amazon has made a big push to position itself as a leading purveyor of web services, with the idea being that all of the computing infrastructure it has built up for its own needs can be rented out over the web to third parties. The recent brouhaha with Alexaholic notwithstanding, this strategy has done a lot to help disabuse people of the notion that the company is just a lumbering, "web 1.0" dinosaur, whose business model is not all that different from the brick-and-mortar retailers that it's sought to displace. Today, the New York Times has an interesting story about a new service from the company that will allow a third-party retailer (such as companies that sell through eBay) to use Amazon's physical distribution infrastructure to fulfill orders. Before, this was only open to retailers which sold their goods through Amazon, but now it can be used by people that sell on any site. Basically, the third party will ship their goods to Amazon, to be stored in Amazon's warehouse. At that point, Amazon will take care of storage, packaging, managing deliveries and handling returns. Although this will be an added cost to those retailers (because they will have to pay to ship the good to Amazon), Amazon hopes it will save them money by removing a lot of other headaches from the order fulfillment process. The thinking behind the service is basically the same as with its web services: the company has built up this big infrastructure for its own needs, so why not rent it out to anyone? Still, despite all of the hype about its burgeoning services business, it remains a small part of the overall picture for the company. The company recently reported excellent earnings, but all of that was from its traditional business. And while the company has been early to market with some of its computing-on-demand products, you have to assume that similar offerings are on the way from Microsoft and Google, which are investing heavily in massive data power plants. 
In a way, its order fulfillment service might have brighter prospects, if only because none of its obvious competitors have built up a similar infrastructure.

Strategy is as strategy does?

Telcos' Biggest Marketing Strategy: Inertia

from the just-keep-paying-us dept

A new study says that half of the US households that moved in the fourth quarter of 2006 dropped their landline service. A quarter of them went wireless-only, 13% switched to cable operators, while 6% chose another type of VoIP provider. The trend away from landlines has been visible for a while, but it's interesting to note how moving accelerates it -- making it appear that many people hang on to their landline just because they already have it, rather than because they really want or need it. For many people, landline service isn't something they want or need, and moving appears to act as a prompt to make them consider that. The stat also helps explain why telcos do so many things they do, like hamstring VoIP providers with patent suits, resist naked DSL, and sell bundles geared towards forcing people to buy landline service they don't want.

Geek stuff (Toys for my web site class)

Over 300 Gorgeous Icons (they're free, licensed under creative commons)

Handy for anyone who wants to add some pretty icons to an app or website

Friday, April 27, 2007

How accidental does this sound? (I can't find anything on their web site...)

Ceridian: Data from NY firm accidentally leaked

Minneapolis / St. Paul Business Journal - 1:00 PM CDT Thursday, April 26, 2007

by Carissa Wyant Staff Writer

Payroll processing firm Ceridian Corp. said employee data from a New York advertising firm had been accidentally leaked on a Web site, the company confirmed Thursday.

Bloomington-based Ceridian (NYSE: CEN) notified New York advertising company Innovation Interactive last week, after it learned that ID and bank-account data on 150 employees had been posted online, company spokesman Pete Stoddart said.

Ceridian said a former employee accidentally posted the information on a personal Web site. The employee took the data by accident after leaving the company in March 2006.

Web pages are often named following a scheme that makes it easy to follow the flow (Home-page, employee-access, public-access, Secret-data-1, Secret-data-2, etc.). After a breach, expect hackers to analyze that scheme and try accessing other pages by “guessing” the next page name...

Friday, April 27, 2007

nhs data breaches worse than thought

On Wednesday, Channel 4 discovered that anyone could access the personal information of doctors and students through the NHS Medical Training Application Service website. The BBC reported that the NHS claimed to have closed the breach by the end of the day.

Yesterday, Channel 4 discovered that the website was still wide open:

For the second day in a row there has been a breach in the security on the MTAS computer system - used by 32000 junior doctors to apply for training posts. [...]

All it took was a simple changing of a number on the URL. Personal messages and details could be found. Initially we thought it was just MTAS applicants who have their own registration number who could do this.

Now we have learned that if an email was sent with the URL to anyone - not just an applicant - they could access the private sites without even logging in.

And the "short period of time" of the breach wasn't so much a couple of hours as several days - most likely since Monday afternoon, right up until Channel 4 contacted the department of health.
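Bob's point above about guessable page names, and the MTAS story of changing a number in the URL, come down to the same bug: the identifier in the request selects the record, and nothing checks who is asking. The following is an added example in Python, not code from MTAS, Channel 4 or the original post. The records, user names, web-server log lines and URL path shape are constructed for illustration; the request handlers are plain functions standing in for a web framework. It shows the vulnerable lookup next to a hardened one (session required, ownership checked, non-sequential tokens for links that travel by e-mail), and a small log check that flags a client walking consecutive record ids, which is what you would look for after a breach like this.

```python
"""IDOR: the MTAS-style lookup, a hardened version, and a log check for id-walking.

Added example; not code from the MTAS system, Channel 4 or the original post.
All data below (records, users, log lines, URL layout) is constructed.
"""
import re
import secrets
from collections import defaultdict

# Constructed data store: applicant id -> record with its owner and a private message
RECORDS = {
    1001: {"owner": "alice", "message": "Alice's reference letter"},
    1002: {"owner": "bob",   "message": "Bob's interview feedback"},
    1003: {"owner": "carol", "message": "Carol's ranking"},
}


def get_message_vulnerable(record_id, session_user=None):
    """The pattern the article describes: the URL number alone selects the record.
    Anyone who changes the number, or follows a mailed link with no session at all,
    reads someone else's data."""
    rec = RECORDS.get(record_id)
    return rec["message"] if rec else None


def get_message_hardened(record_id, session_user):
    """Authenticate, then authorise against the record's owner. Unknown ids and
    other people's ids both return None, so the response does not reveal which
    ids exist."""
    if session_user is None:
        return None
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != session_user:
        return None
    return rec["message"]


# Non-sequential handles for links that have to travel by e-mail: the random token,
# not the integer id, goes in the URL, and the owner check still applies on use.
_TOKEN_TO_ID = {}


def issue_link_token(record_id):
    """Map a record to a fresh 128-bit URL-safe token (hypothetical helper)."""
    tok = secrets.token_urlsafe(16)
    _TOKEN_TO_ID[tok] = record_id
    return tok


def get_message_by_token(tok, session_user):
    rid = _TOKEN_TO_ID.get(tok)
    return get_message_hardened(rid, session_user) if rid is not None else None


# Detection side: flag clients that request consecutive record ids in order.
LOG_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /applicant/(\d+)/messages HTTP/1\.[01]" (\d{3})'
)

# Constructed access-log sample: one client walks 1001..1005, one revisits its own record.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Apr/2007:14:01:02 +0100] "GET /applicant/1001/messages HTTP/1.1" 200
10.0.0.5 - - [26/Apr/2007:14:01:03 +0100] "GET /applicant/1002/messages HTTP/1.1" 200
10.0.0.5 - - [26/Apr/2007:14:01:04 +0100] "GET /applicant/1003/messages HTTP/1.1" 200
10.0.0.5 - - [26/Apr/2007:14:01:05 +0100] "GET /applicant/1004/messages HTTP/1.1" 404
10.0.0.5 - - [26/Apr/2007:14:01:06 +0100] "GET /applicant/1005/messages HTTP/1.1" 200
192.0.2.9 - - [26/Apr/2007:14:05:10 +0100] "GET /applicant/1002/messages HTTP/1.1" 200
192.0.2.9 - - [26/Apr/2007:14:09:44 +0100] "GET /applicant/1002/messages HTTP/1.1" 200
"""


def find_id_walkers(log_text, min_run=4):
    """Return {client: longest run} for clients whose longest run of consecutive
    record ids, in request order, reaches min_run. Status codes are ignored on
    purpose: a 404 in the middle of a walk is still part of the walk."""
    ids_by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            ids_by_client[m.group(1)].append(int(m.group(2)))
    suspects = {}
    for client, ids in ids_by_client.items():
        best = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            suspects[client] = best
    return suspects


if __name__ == "__main__":
    print(get_message_vulnerable(1002))            # anyone gets Bob's data
    print(get_message_hardened(1002, "alice"))     # None
    print(find_id_walkers(SAMPLE_LOG))             # {'10.0.0.5': 5}
```

The hardened lookup returns the same None for "does not exist" and "not yours", which keeps an attacker from using the response to map which ids are live. The token helper is a stand-in for whatever the real application would do; the point is that a link sent in e-mail should not be a small integer that a recipient can increment.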

Speaking of hackers...

April 27, 2007

Teenager charged with hacking into AOL databases

Alleged acts cost AOL over $500,000

By Juan Carlos Perez, IDG News Service

A teenager broke into AOL networks and databases containing customer information and infected the servers with a malicious program to transfer confidential data to his computer, AOL and law enforcement officials have alleged.

In a complaint filed in the US courts, the Manhattan district attorney's office alleges that 17-year-old Mike Nieves committed offences including computer tampering, computer trespass and criminal possession of computer material between 24 December 2006 and 7 April 2007.

He is accused of:

accessing systems containing customer billing records, addresses and credit card information

infecting machines at an AOL customer support call centre in India, with a program to funnel information back to his PC

logging in without permission into 49 AIM instant message accounts of AOL customer support employees

attempting to break into an AOL customer support system containing sensitive customer information

engaging in a phishing attack against AOL staff, through which he gained access to over 60 accounts from AOL employees and subcontractors

Nieves faces four criminal charges and one misdemeanour charge. He appeared in court earlier this week and has been remanded in custody, a spokesperson for the Manhattan district attorney's office said.

The complaint filed against Nieves claims that he admitted to investigators that he had committed the alleged acts, because AOL took away his accounts. "I accessed their internal accounts and their network and used it to try to get my accounts back," the defendant is quoted as saying in the complaint. The court papers also claim Nieves admitted to posting photos of his exploits in a photo web site. [Sometimes, evidence gathering is easy... Bob]

Nieves was arrested after AOL provided law enforcement authorities with information from an internal investigation into the alleged acts. AIM subscriber information and IP address data led AOL to Nieves, whose address and phone number AOL had on file, the court papers say.

The alleged acts cost AOL more than $500,000 (£250,000). It is not clear whether customer data was stolen. [Aren't they required to disclose in NY? Bob] AOL declined to comment.

...and sometimes the hacking is automated...

Facebook e-mail notifications breach privacy

By Munir Kotadia, ZDNet Australia 27 April 2007 11:59 AM

Shortly after joining the social networking site Facebook, I received an e-mail telling me a friend had "written on my wall". Within two clicks I was logged in and had full access to her account.

... I logged out (of her account) and then tried clicking on the link again to try and recreate the effect but it didn't work. However, when I opened the main Facebook page and typed the first letter of my friend's name, the browser had somehow remembered her username and password and allowed me to log into her account at will.

... As Facebook doesn't list a contact phone number, I haven't been able to get in touch with them yet. However, I will be sending them a copy of this blog as soon as it is published -- in the hope of finding out what is going on.

...or you could hire a hacker... (pretexting r us?)

Suggestion: Don't Name Your Illegal Computer Spying Business 'Hackers Are Us'

from the just-a-tip dept

While everyone has different ways of going about marketing various businesses, you would think that if you're involved in something illegal, you wouldn't refer to your organization in a way that reveals the illegality of what you're doing. Apparently, a private detective firm in the UK had a separate group which they proudly named "Hackers Are Us," which was making quite a bit of money by helping people get info from the computers of others. There's no real mystery (and no real "hacking") in how they did so. They just sent an email and used some social engineering to convince people to click on the attachment, which loaded a keylogger. Pretty straightforward. Of course, the group is now in court trying to defend these actions -- but the use of the name probably doesn't help.

This is the second mention of this report...

McAfee, Inc. Releases New Research Suggesting Data Loss Will Lead To Next Major Corporate Collapse

A Third of Enterprises Surveyed Believe a Major Breach Could Put Their Companies Out of Business

INFOSEC, LONDON, April 24, 2007 - McAfee, Inc., today announced it has released a report, Datagate: The Next Inevitable Corporate Disaster?, revealing a widespread belief that a major security breach, even an unintentional one, could lead to the collapse of a major corporation. The global research, conducted for McAfee® by Datamonitor, surveyed more than 1400 IT professionals at companies with at least 250 employees in the United States, the United Kingdom, France, Germany and Australia. Thirty-three percent of respondents said they believe a major data loss incident involving accidental or malicious distribution of confidential data could put them out of business.

The research also suggests that while awareness regarding the danger of breaches is high, the problem continues to grow. Sixty percent of respondents said they had experienced a data breach in the past year, and only six percent of respondents could say with certainty that they had not experienced one in the previous two years. However, despite the prevalence of breaches, enterprises are still devoting just a fraction of their IT budgets to the problem. On average respondents spend just one-half of one percent of their overall IT budgets on data security. [Would spending 1% make your security “better than average?” Bob]

... For more information and to download a copy of “Datagate: The Next Inevitable Corporate Disaster?” visit

These all end with close-up pictures of politician's pockets?

April 26, 2007

Web Mashups Help Citizens Track the Political Money Trail

From Wired, Web Mashups Turn Citizens Into Washington's Newest Watchdogs: "Sites like, and Follow the Money, along with wiki-based political reporting resources like Congresspedia, are increasingly giving ordinary citizens the ability to easily document the flow of special-interest money and how it influences the legislature. These new tools are providing an unprecedented level of transparency, exposing patterns of influence that otherwise would have remained invisible to ordinary citizens."

  • See also Citizen-mapped agency data - A quick guide to citizen-mapped agency data sites: "The Web is awash in citizen-run sites that map government-generated data. These sites use free services such as Google Maps and Microsoft Virtual Earth and public records from agencies such as the Environmental Protection Agency and the Geological Survey. With these sites, Web surfers can enter their addresses and see government data in their area, or to browse a certain region to find items of interest."

I don't think this is a good idea, unless politicians are smarter than all of their constituents (and the rest of the world)

Malaysia To Set Up Government Agency To Respond To Blogs

from the respond-in-kind dept

Over the last few weeks we've been following the hubbub in Malaysia, where some government officials were quite upset with some bloggers leading to at least two bloggers being sued and the possibility of forcing bloggers to register with the government -- a plan that was later rejected. However, now the government has come up with a new plan to deal with what it still calls "lies" being spread online: it will create a special government unit to monitor and respond to what various internet sites are saying. Assuming they identify themselves as working for the government, this sounds like a pretty good idea. Rather than trying to intimidate or force critics offline, take them on with facts. If sites are not telling the truth or even being misleading, respond and explain why. That's the great thing about the internet. You can always counter whatever is being said about you, and it doesn't require the use of any lawyers or lawsuits.

Shouldn't you assume any new technology comes with risks?

Judge: Cellular GPS data can be used as a tracking device

By JAMIE SATTERFIELD, April 27, 2007

Expect a little privacy, cellular phone user?

Quit talking on it in public and turn it off.

That may seem like a simple concept, but the conclusion is actually plowing new legal ground in Knoxville's most high-profile pot-peddling case in recent times.

In a groundbreaking ruling, U.S. District Magistrate Judge Bruce Guyton on Thursday ruled that law enforcement can use global positioning satellite data from cellular phones as tracking devices.

"To say that case law is substantially undeveloped as to what rights are accorded a cell phone's user, particularly in these circumstances, would be an understatement," Guyton wrote.

The ruling comes in the case of a father and son accused of ferrying nearly 1,000 pounds of marijuana in an RV as part of the case of Market Square businessman Scott West, his brother, sister-in-law and wife.

In a move reminiscent of a James Bond flick, U.S. Drug Enforcement Administration agents Michael Davis and Dave Lewis had used real-time data from a GPS unit installed on a cellular phone to find accused couriers Melvin Skinner and Samuel Skinner at a Texas truck stop on the eve of a July raid of West's Market Square properties.

The agents didn't even know the alleged couriers' names. All they had was a pay-as-you-go cell-phone number issued in a fake name. A confessed Arizona drug dealer testified it was one of dozens he bought to use in his illegal trade.

It is the latest trend among dope peddlers trying to outsmart law enforcement.

Once nabbed, the Skinners, via attorneys Ralph Harwell, Tracy Jackson Smith and Mike McGovern, cried foul, arguing that federal prosecutors David Jennings and Hugh Ward themselves violated the rules in their zeal to take down West and his brother. The attorneys had tried at hearings earlier this year to convince Guyton that law enforcers should not be allowed to use GPS devices on cell phones as tracking devices without jumping through some serious legal hoops.

Faced with what he termed a "novel" issue, Guyton turned to all manner of research, ranging from case law on beepers to National Public Radio reports.

The judge's conclusion: Cellular phone users give up privacy rights every day.

"Generally, a defendant can claim little expectation of privacy in a cell phone that he utilizes in public," Guyton wrote. "As to cell-phone signals, a cell phone can only be used to locate a person if the phone is within the person's possession and the user has turned the phone on. Moreover, these signals are knowingly exposed to a third party, the cell-phone company, when a party uses the phone. [Would that automatically breach attorney-client privilege? Bob]

"This third-party exposure diminishes an expectation of privacy," the judge continued. "Therefore, if the cell-phone's possessor intended to keep the phone's location private, the possessor could turn off the phone, which would disallow signal transmission."

Besides, Guyton wrote, a wide range of people and businesses already use cell phone GPS data, so why should law enforcers be treated any differently? Police, after all, still have to get the court's permission to glean the data.

"If rescue operations, employers, and friends can all track the location of a person using the GPS capability in the cell phone, it is reasonable to allow law enforcement officers to do the same," the judge ruled.

This could be hard to interpret. At least I find it so...

California eyes stronger cyberstalking laws

Jaikumar Vijayan

April 25, 2007 (Computerworld) California legislators are considering a new bill that would extend the state's antistalking laws to the Internet.

The proposed bill (AB 919) is authored by Republican state Rep. Guy Houston and is designed to prevent individuals from using Web sites such as and Craigslist to deliberately incite harassment or abuse against an individual.

Such harassment can include the posting of digital images or messages on Web sites in an effort to cause fear, harassment or harm to an individual, according to an official description of the bill. The measure would allow California law enforcement officials to pursue stalking charges against people responsible for such messages.

More than 40 states already have some form of cyberstalking legislation in place. But most of these laws, including the one in California, deal with crimes involving intimidation and harassment of a person via, for instance, e-mail messages, pagers, phones and cell phones.

AB 919 is believed to be the first state law that extends the notion of stalking to messages and images posted on Web sites, a spokesman for Houston said.

Useful background!

NIST Issues Guidelines for Ensuring RFID Security

April 26, 2007 News Report

Retailers, manufacturers, hospitals, federal agencies and other organizations planning to use radio frequency identification (RFID) technology to improve their operations should also systematically evaluate the possible security and privacy risks and use best practices to mitigate them, according to a report issued today by the National Institute of Standards and Technology (NIST).

... The new NIST report focuses on RFID applications for asset management, tracking, matching, and process and supply chain control. It lists recommended practices for ensuring the security and privacy of RFID systems, [Quite a lot actually. Is it enough? Bob] including firewalls that separate RFID databases from an organization's other databases and information technology (IT) systems, encryption of radio signals when feasible, shielding RFID tags or tag reading areas with metal screens or films to prevent unauthorized access, and other security measures.

Two case studies -- in health care and supply chain settings -- provide examples for identifying and minimizing security risks throughout the various stages of an RFID project.

Guidelines for Securing Radio Frequency Identification (RFID) Systems (Special Publication 800-98), 154 pages. Available on-line at

First you grab the video of President Bush dancing(?) to the beat of African drums, then you whip up some (in)appropriate lyrics, then you share it with the world on Youtube...

Rocker Townshend unveils song composing software

Wed Apr 25, 2007 6:45PM EDT By Sylvia Westall

LONDON (Reuters) - British rocker Pete Townshend on Wednesday unveiled an Internet-based software program that will help music fans compose personalized tracks at the click of a button.

The Who guitarist/songwriter said that with a voice recording, a digital image and a rhythm clapped into a microphone, his new "Method" software will create spontaneous digital music and allow anyone to be a composer, and possibly a rock star.

... From May 1, users will be able to get free access to the Web site ( for three months, and will be able to compose instrumental tracks that they can e-mail or post on their Web sites. From August 1, it will become a subscription-based service.

Thursday, April 26, 2007

The MBA press release... TJX last updated their information March 28...

Massachusetts Bankers Association

CONTACT: Bruce E. Spitzer FOR IMMEDIATE RELEASE 617-523-7595

... The suit will seek to recover damages in the “tens of millions of dollars,”

... The three bankers associations represent nearly 300 banks.

... Cases of fraud due to the TJX breach have been reported from all over the world.

... Preliminary estimates of the costs vary from institution to institution, up to $25 dollars per card.

... "Protecting consumers is our number one priority" said Lindsey Pinkham, senior vice president of the Connecticut Bankers Association. "However, retail data breaches are getting larger and more frequent and we cannot continue to absorb the costs."

This pretty much sums up the majority view, I think.

Wednesday, April 25, 2007 1:25 PM PT Posted by Tom Spring

TJX Data Breach Gets Even Uglier

What is it going to take to make companies better protect our data? I'm not convinced lawsuits are the solution. But they sure make me feel better.

... I spoke to Massachusetts Bankers Association's spokesperson Bruce Spitzer. He gave me an earful. "Major retailers have not stepped up to the plate and protected their customer's financial data," he told me. "These companies have not been held accountable. We plan on setting an example with TJX."

Go get 'em Spitzer. But you'll have to get in line.

... At this rate TJX is going to have to spend more money on legal fees than upgrading its IT department and better protecting customer data.

I have zero sympathy for TJX.

... TJX says that it delayed telling its customers, not (as I suspect) to avoid hurting holiday sales, but in order to notify law enforcement first.

“Junior Doctors” are like Interns or Residents in the US?

Security lapse in junior doctor jobs website

By Nic Fleming, Medical Correspondent, and Stephanie Condron Last Updated: 8:46pm BST 25/04/2007

An investigation was launched tonight after a serious security breach on the website used by medical students applying for junior doctor positions.

A Channel 4 news reporter was able to [break the law? Bob] access applicants’ confidential personal details including their addresses, telephone numbers, criminal convictions, sexual orientation and religion, following a tip off from a doctor. Details were available to anyone with the right internet address (URL) for at least nine hours today.

The data on medical students applying for foundation course posts to become junior doctors had been stored on Microsoft Excel files and placed on the NHS Medical Training Application Service website.

The Information Commissioner tonight promised to investigate the security breach, which was closed half an hour after the Department of Health was informed at 4.35pm.

... “It doesn’t address the issue of how it got there in the first place and that still needs a very serious inquiry, a proper in-depth look into how this possibly could have happened, particularly when we have known for such a long time that there are concerns about this website.

How worthless are passwords?

04/26/07 07:26:06 am, by fourth Categories: General

10th Cir.: Elderly father who had no knowledge of computers had apparent authority to consent to search son's password protected computer

From a reader, a seriously troubling case from the Tenth Circuit not supplied by Lexis this morning:

The police conducted a knock-and-talk in a child porn case based on an investigation of a child porn website, and defendant's 91 year old father was the only person at home. A few leading questions later, nothing pertaining to equal access to the computer, the father was asked to consent to a search of his 51 year old son's bedroom where, with his government computer equipped with EnCase, the officer opened child porn pictures. The Tenth Circuit found the officers reasonably could rely on the father's apparent authority to consent to a search of his adult son's room, a finding that defies common sense (few 91 year olds know a thing about computers, and the record shows that this one did not). The son was contacted, and the police stopped the search and waited for him and then arrested him. The court noted that EnCase enables the officers to bypass all passwords on the computer. This computer was password protected, but that did not bother the court. The majority of the court essentially puts the burden on the defendant to show that password protection of computers is common and shows an expectation of privacy like a locked container, and finds that he did not in this case. United States v. Andreas, 2007 WL 1207081 (10th Cir. April 25, 2007) (2-1).

In a society of “ubiquitous surveillance” these laws will need to be reviewed. “Evidence is evidence!”

Police blotter: Secret recording inadmissible against bus driver

By Declan McCullagh Story last modified Wed Apr 25 08:13:11 PDT 2007

Police Blotter is a weekly CNET report on the intersection of technology and the law.

What: Milwaukee school bus driver's abuse of a child is discovered after parents place a voice-activated recorder in son's backpack.

When: Wisconsin Court of Appeals rules April 3.

Outcome: Court says in 2-1 vote that recording cannot be used against bus driver in court because it was not obtained by police. [Like the Rodney King video? Bob]

What happened, according to court documents:
Sometime around April 2003, Jacob Mutulo's parents began worrying that their 9-year-old son was being mistreated by the school bus driver.

According to a report that they placed on their own Web site, the school reported earlier in that school year that Jacob had been yelling and shouting in class and was reluctant to get on the school bus to return home. And the bus driver, Brian Duchow, complained that Jacob had been spitting at him.

Because Jacob has Down syndrome, the parents couldn't easily find out directly from him what was going on. According to Milwaukee radio station WTMJ AM 620, Jacob weighed about 50 pounds at the time and was not able to carry on a normal conversation. (He had also been diagnosed with Attention Deficit Hyperactivity Disorder.)

His frustrated parents eventually came to suspect that Jacob's poor behavior at school had something to do with the bus driver who had started at the beginning of the school year. They placed a voice-activated tape recorder in Jacob's backpack and listened to it at the end of the day.

It was a remarkably disturbing recording. The tape revealed Duchow yelling such things as, "Stop before I beat the living hell out of you" and "I'm going to slap the hell out of you." Another statement was: "Do I have to tape your mouth shut, because you know I will."

The parents called the police, and Milwaukee Police Officer Steven Wells interviewed Duchow after listening to the recording for himself. The police chose not to carry out their own electronic interception. [Will they now have to? Is the tape “probable cause?” Bob]

Duchow eventually was charged with intentionally causing bodily harm to a child and with disorderly conduct. He admitted to slapping the boy twice that day. What makes this case relevant to Police Blotter is that Duchow asked the judge to suppress the recording so it could not be used against him.

After the trial judge denied the request, Duchow pleaded guilty to intentionally causing bodily harm to a child--but reserved his right to appeal.

Wisconsin state law generally prohibits the disclosure of intercepted conversations, leaving the appeals court in a bit of a tight spot. The exceptions to that general rule apply to police and to people working in concert with police.

A majority of the Wisconsin appeals court ruled that the recording was lawfully obtained--but could not be lawfully disclosed because it was not done in cooperation with police--and reversed the lower court's ruling. The case was sent back to a circuit judge, and it's unclear what will happen next.

If the police had bugged the bus the next day and remained nearby to intervene, if necessary, this would have never become an issue.

Excerpts from the Wisconsin appeals court's majority opinion:
If the interception in this case had been obtained "under color of law"--that is, through police involvement--references to the interception in the complaint would be permitted. A repeat interception in the present case could have been supervised by law enforcement with the resulting information obtained "under color of law."

That would have made the contents of such a recording admissible in this felony prosecution under Wis. Stat. 968.29(3) and properly disclosed in the complaint. However, in the present case, Duchow pleaded guilty and, therefore, the content of the interception was not used at trial. Whether the complaint itself, with disclosure of the content of the interception, would have been admissible at trial, we need not decide.

Jacob's parents acted responsibly and in the best interests of their child when they took reasonable action to protect their child from a reasonably suspected threat of harm. As the private party under the rationale of the Waste Management case, they promptly disclosed what they recorded to a law enforcement officer. There was nothing more appropriate they could have done under the circumstances.

Likewise, the officer acted appropriately in investigating the information that properly came to his attention. He interviewed Duchow and could properly communicate what he learned from the interview.

However, the recording by Jacob's parents, while "not unlawful," was not one they obtained "under color of law." Therefore, law enforcement officers or agents were not permitted by Wis. Stat. 968.29(3) to disclose the contents of the interception because they had not obtained the interception from someone acting under color of law.

This problem might have been easily remedied if another secret recording under the supervision of the police had occurred. Had that step been taken, we have little doubt that such a follow-up interception would have been obtained under color of law and admissible.

For all the foregoing reasons, we conclude that Duchow's electronically intercepted communications were "oral communications" under Wis. Stat. 968.27(12), that Jacob's parents properly consented on his behalf to the electronic interception under Wis. Stat. 968.31(2)(c), that they properly delivered the recording to law enforcement and that law enforcement officers properly used the information they learned in their investigation.

However, because the interception was not obtained under color of law, the contents of the interception were not admissible in the felony prosecution against Duchow. Therefore, we reverse and remand to the trial court for further proceedings consistent with this opinion.

Excerpts from the dissent by Judge Patricia Curley:
I agree with the majority's conclusions that the recorded statements of Duchow were oral communications and that the child victim's parents could give vicarious consent to tape-record the conversation the child victim had with Duchow. However, I disagree with the majority's conclusion that the tape recording was inadmissible.

Here, the child victim's parents consented on the child's behalf to intercept the conversation between the child and Duchow, and the recording was turned over to the police. Further, their purpose in doing so was not to commit "a criminal or tortious act." Thus, following the Maloney holding, the tape was admissible.

Moreover, under the circumstances present here, it seems illogical and contrary to common sense to approve the parents' actions to protect their child by tape-recording the conversation but prevent the state from prosecuting the offenses revealed by the recording.

I am also concerned with the majority's solution that "(t)his problem might have been easily remedied if another secret recording under the supervision of the police had occurred."

Clearly, this child had already been victimized by Duchow. The tape revealed Duchow yelling such things as, "Stop before I beat the living hell out of you," and "I'm going to slap the hell out of you."

Duchow also admitted to the police that he had slapped the child twice on the bus ride. To suggest that the victim be subjected to another such incident, just to make the recording admissible, is cruel and inhumane.

Therefore, although I agree with the majority's analysis in all other respects, I respectfully dissent with regard to the admissibility of the recordings at trial.

Thieves promise: “We will do better!”

1 in 5 people's data stolen so far in 2007

Laptop thefts highlighted at InfoSecurity Europe event

Dan Grabham 25 Apr 2007 13:31

One in every five people in the UK have had their personal information stolen because of computer theft so far in 2007. That's according to a new survey from laptop security vendor Kensington.

Is it the same in the US?


Tuesday April 24, 2007

The number of people taking privacy and intrusion issues to the Press Complaints Commission (PCC) is growing - and dwarfs the number of cases taken to courts, according to its annual report.

So where are my virtual lawyers?

Filtering Boston’s free municipal Wi-Fi net: legal? Web’s lawyer not so sure

Posted by David Berlind @ 11:26 am April 25th, 2007

One of my favorite people — Danny Weitzner, general counsel to the World Wide Web Consortium — is chiming in on the news that the City of Boston's free municipal Wi-Fi is selectively filtering access to certain Web destinations like Boing Boing (the technical culprit was later identified). But in a single blog post, Weitzner nails the legality of such filtering as well as how it's defeating the purpose of that sort of Internet access in the first place. Given the Web's role in public discourse, such commentary is befitting of its official lawyer:

Various people (including David Sheets, a student of mine at MIT, and Seth Finkelstein) have pointed out over the last few days that the ‘free’ municipal WiFi service offered by the City of Boston comes with mandatory content filtering that blocks all kinds of sites which are not even close to illegal nor are they sources of pornography that might be considered harmful to children… If the City is allowed to do this, then they can block just about anything: Web sites operated by the opposing political party, critiques of the Big Dig, not to mention One has to ask whether this is really a path that any city would want to open up for itself?…. As a constitutional matter, it’s not quite clear whether the government can require government-funded Internet service providers to filter content. In United States v. American Library Association, 539 U.S. 194 (2003), the US Supreme Court decided that the Congress could require libraries receiving federal Internet access subsidies (the e-rate) to filter out porn. However, it’s not clear whether this case applies to the muni Wifi situation….. For what purpose is muni wifi offered? [Isn't] it precisely to create an expanded public forum to increase the flow of information and new web services around the city?

Is this related? (It will likely create more problems than it solves.)

Ohio University Says No File Sharing Allowed

from the throwing-out-the-baby-with-the-bathwater dept

While some universities have fought back against RIAA complaints about their students using file sharing for making unauthorized copies of content, it appears that Ohio University is going to the opposite extreme. Slashdot points out that the university has announced that all P2P file sharing is banned as of this coming Friday. The university gives a variety of reasons for it and seems to bounce back and forth between rationales. It may be because file sharing could overwhelm network resources, though they give no indication that current file sharing systems have actually been a problem -- just that it could be a problem. Then they claim that file sharing could transmit bad stuff like viruses and spyware. Of course, so can email and the web, but the university doesn't appear to be banning the use of either of those things. Then, finally, the university brings up the real reason for the ban. Apparently, staff at the university are sick of dealing with those new prelitigation letters from the RIAA. Rather than following in the footsteps of the University of Nebraska and sending the RIAA a bill for time wasted, Ohio University has decided it's best to just ban P2P apps altogether. Of course, while they have a "partial list" of banned apps, the description is so vague, it's unclear what might get you kicked off the university network. Something like Skype is P2P and uses up bandwidth -- so based on some of the university's reasoning, it too should be banned. It's a sad statement of the times that an institution designed for educating and learning about new things would decide to completely shut off any use of powerful technologies that have plenty of perfectly legitimate uses just because some backwards industry group can't figure out how to change its outdated business models.

Includes privacy and forensic topics

April 25, 2007

Report of the Defense Science Board Task Force on Defense Biometrics

Report of the Defense Science Board Task Force on Defense Biometrics, March 2007 (178 pages, PDF). "The final report includes overall findings and recommendations that focus on information management and sharing; R&D, material and technology; issues beyond DoD; issues internal to DoD; DoD organizational issues; and legal and privacy issues."

I haven't reviewed it yet.

HHS launches new Web site on HIPAA privacy

The U.S. Department of Health and Human Services (HHS) launched an enhanced Web site to make it easier for consumers, healthcare providers, and others to get information about how the HHS enforces health information privacy rights and standards.

The new Web site coincides with the fourth anniversary of the enforcement of the HIPAA Privacy Rule.

The Web site provides comprehensive information about the Privacy Rule, which creates important federal rights and requirements to protect the privacy of personal health information. The enhanced Web site,, provides information for consumers, healthcare providers, health plans, and others in the health care industry about HHS’s compliance and enforcement efforts.

“We are prepared to start considering meetings to discuss future planning to establish a timeline for thinking about moving forward.”

April 24, 2007

Privacy and Civil Liberties Board Delivers First Report to Congress

Press release: "The Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA), which created the Privacy and Civil Liberties Oversight Board (Board), requires that "[n]ot less frequently than annually, the Board shall prepare a report to Congress, unclassified to the greatest extent possible...on the Board's major activities during the preceding period." This report discusses the Board’s activities from its first meeting on March 14, 2006, at which the Members were sworn in and an Executive Director was appointed, through March 1, 2007. This report contains no classified information."

  • Privacy and Civil Liberties Board First Annual Report to Congress, March 2006 - March 2007 (49 pages, PDF).


April 25, 2007

Research Study on Business Journalism Blogging Released by Reynolds Center

Press release: "Three-fourths of the nation's largest newspapers now offer blogs on business-related topics, according to a study released today by the Donald W. Reynolds National Center for Business Journalism at Arizona State University. These popular online Web journals written by reporters get breaking news to readers more quickly, according to 60 percent of the business bloggers who responded to the study. However, more than half of respondents also said this also takes away from their regular reporting time."

Dilbert on Corporate Blogs... Be afraid!

These robots will make taking your money even easier! “Beep! Stick 'em up! Beep!”

Google, Intel, Microsoft Fund Robot Recipes

Posted by samzenpus on Wednesday April 25, @10:00PM from the cook-until-sentient dept.

Dotnaught writes "Google, Intel, and Microsoft are funding what may become a robot invasion. Money from the three tech companies has enabled researchers at Carnegie Mellon University to create a new series of Internet-connected robots that almost anyone can build using off-the-shelf parts. These "recipes" describe how to build a robot that connects to the Internet using common parts and a $349 Qwerk controller from Charmed Labs."

I suppose we could hire Chinese students to explain the problems to our kids, but who will explain it to the “educators?”

Encouraging Students to Drop Mathematics

Posted by ScuttleMonkey on Wednesday April 25, @03:33PM from the math-be-tough-let's-go-shoppin dept.

Coryoth writes "The BBC is reporting that students in the UK are being encouraged to drop math at the senior levels. It seems that schools are seeking to boost their standing on league tables by encouraging students not to take 'hard' subjects like mathematics, in favor of easier subjects in which they are assured good grades. [GOV101 Meeting government education goals the easy way Bob] The result is Universities being forced to provide remedial math classes for science students who haven't done math for two years. The BBC provides a comparison between Chinese and UK university entrance tests — a comparison that makes the UK look woefully behind."

England is really, really, really into surveillance... Note how simple it is to generate publicity given the right technology and a photogenic subject.

Maturing British cheese becomes Internet star

Wed Apr 25, 1:29 PM ET

LONDON (Reuters) - A large English cheddar cheese has become a star of the Internet, attracting more than 1 million viewers to sit and stare at it as it slowly ripens.

First placed in front of a webcam in late December, the Westcombe cheddar from West Country Farmhouse Cheesemakers leaped to public attention in early February and has since attracted viewers from 119 countries.

"The hits went over 1 million this morning. It has been a real challenge keeping the cheese up and running with all the interest it has generated," a spokesman for the company running the website,, said on Wednesday.