Saturday, May 12, 2007

It has been a slow week...

Data “Dysprotection” Weekend Roundup for Week Ending May 13th

Friday May 11th 2007, 5:26 pm

Hackers know how to secure their PII

User data stolen but not unsecured

Hi, we have some sad news, but don't be alarmed...

Some people (and yes, we know who) found a security hole on our web site (in fact, actually in this blog).

They have got a copy of the user database. [Okay, perhaps they don't know everything... Bob] That is, your username and passwords. But, the passwords are stored encrypted, so it's not a big deal, but it's still very sad that it's out there. All e-mails are for instance encrypted as well, they will most likely not be able to decrypt them either (they are _very_ encrypted).

We encourage all our users to change passwords as soon as possible - and if you have the same password on the bay as other places, you should update them as well. [Should be a standard security reminder Bob]

Be afraid, be very afraid...

Fix for Microsoft Automatic Updates not working

Users report continued problems with Microsoft patch, even after downloading and running new hotfix

IDG News Service, May 11, 2007

Windows XP systems are still locking up during patch update attempts -- even after users deployed the fix suggested by Microsoft.

Symptoms of the long-running problem -- which the Windows Server Update Services (WSUS) team dubbed the "svchost/msi issue" -- include 100 percent CPU usage by svchost.exe and its multiple processes during Automatic Updates scanning, update downloads, and sometimes even if AU is simply enabled on a machine.

"Of course, the computer is virtually unusable" when that happens, said a user identified as Foxy-Perth on the Windows Update support forum.

... A hotfix, updated just Thursday, is available on the Microsoft support site. The patch will be pushed out via Microsoft's usual update services, including Windows Update and Microsoft Update, late this month or in early June, said a developer on the WSUS blog. However, the fix can be downloaded and installed manually on Windows XP and Windows Server 2003 systems.

I haven't made sense of this yet. Part of their reasoning is to comply with laws not yet in existence... Could be my natural ignorance showing through...

Why does Google remember information about searches?

5/11/2007 11:21:00 AM Posted by Peter Fleischer, Global Privacy Counsel [Interesting. Not a CPO, but responsible for tracking privacy law globally? Bob]

... We spent a great deal of time sorting this out and thought we’d explain some of the things that prompted us to decide on 18-24 months.

... For those who want to see what their logs history looks like, we offer transparent access via a Google Account to their own personal Web History. [but you have to sign into your account to see it. I'd like to see what they were able to put together about me when I don't sign in... Bob]

Always something fun going on in DC. Question: Is the frequency of governmental stupidity much different from the national average?

Bushies Behaving Badly

An illustrated guide to GOP scandals.

By Holly Allen, Christopher Beam, and Torie Bosch

Updated Friday, May 11, 2007, at 12:36 PM ET

For an interactive feature on the recent scandals of the Republican party, click here.

...and equal time for the Democrats. Note: This is not unusual. Politicians invent their own history as often as other politicians invent lies about them...

Friday, May 11, 2007


I Know This Will Shock You, But a Hillary Tale About Her Childhood Doesn't Add Up

A reader notes this column in the Chicago Daily Herald by Chuck Goudie, pointing out that Hillary Clinton's tales of spending time in her childhood on nearby farms with migrant workers just doesn't add up...

Your government in action! Finding new ways to waste money?

Blinding Eyes in the Sky Won't Work, Say Sat Pix Providers

By John P. Mello Jr. TechNewsWorld 05/11/07 9:30 AM PT

The government may under certain circumstances need to clamp down on commercial satellite imagery, such as the kind found in utilities like Google Earth, Robert Murrett, director of the National Geospatial-Intelligence Agency, said this week. However, the providers of those images, who are licensed by the government, say that such restrictions would be useless.

... Moreover, closing the tap on U.S. sources of satellite imaging will only open it for overseas imagers, according to Mark Brender, vice president for communications and marketing for GeoEye.

... In Iraq and Afghanistan, releases of satellite photos have been suppressed or delayed by the military with questionable results, contended Simpson of American University.

"Whether that has saved lives is certainly open to debate," he said. "There's no indication that any of the opposition forces in Afghanistan have realistic access to this imagery or the capability to use it."

... Through its licenses with the satellite imaging companies, the federal government has substantial control over what's done with eye-in-the-sky pics -- including barring the photographing of any area of the earth entirely -- but it appears to have used its powers with restraint.

"In five years of operation, we haven't been requested to either not to image or hold imagery back from certain areas," DigitalGlobe spokesperson Chuck Herring told TechNewsWorld.

While the government hasn't asked imagers to avoid taking pictures of particular areas, it has sought to control distribution of images through "preclusive buying," or buying all the photos of a particular area on an exclusive basis. That was done for three months during the war in Afghanistan.

"Our government pays farmers not to farm, so they can buy up imagery over a particular part of the world -- but it's expensive," GeoEye's Brender observed.

He explained that at the time the government embarked on its preclusive buying spree, satellite technology was new and the feds weren't quite sure how to handle it.

"On a 'let's be safe' basis, they decided to buy up the imagery," he opined, "but they quickly realized that was fruitless because foreign providers were selling the imagery."

A balanced article, but Al Gore (inventor of Global Warming) will be furious!

Could Global Warming Make Life on Earth Better?

Posted by Zonk on Friday May 11, @12:43PM from the makes-for-lots-of-swimming-opportunities dept. Science

mikee805 writes "A lengthy article in Spiegel explores the possibility that global warming might make life on Earth better, not just for humans, but all species. The article argues that 'worst-case scenarios' are often the result of inaccurate simulations made in the 1980s. While climate change is a reality, as far as the article is concerned, some planning and forethought may mean that more benefits than drawbacks will result from higher temperatures. From the article:'The medical benefits of higher average temperatures have also been ignored. According to Richard Tol, an environmental economist, "warming temperatures will mean that in 2050 there will be about 40,000 fewer deaths in Germany attributable to cold-related illnesses like the flu." Another widespread fear about global warming -- that it will cause super-storms that could devastate towns and villages with unprecedented fury -- also appears to be unfounded. Current long-term simulations, at any rate, do not suggest that such a trend will in fact materialize.'"

[From the article:

During the so-called Medieval Warm Period between about 900 and 1300 A.D., for example, the Vikings raised livestock on Greenland and sailed to North America. New cities were built all across Europe, and the continent's population grew from 30 million to 80 million.

The consequences of the colder temperatures that plunged civilization into the so-called Little Ice Age for several centuries after 1300 were devastating. Summers were rainy, winters cold, and in many places temperatures were too low for grain crops to mature. Famines and epidemics raged, and average life expectancy dropped by 10 years.

... When temperatures plunged unexpectedly once again in the 1960s, many meteorologists were quick to warn people about the coming of a new ice age -- supposedly triggered by man-made air pollution. Hardly anyone at the time believed a warming trend could pose a threat.

Friday, May 11, 2007

Perhaps the TJX hackers have moved to Sweden? (Perhaps the Swedes just read the hacker manual/Wall Street Journal article?)

Fraudsters hijack SEB credit cards

Published: 9th May 2007 08:10 CET

Credit and debit card numbers belonging to at least 10,000 SEB customers could have been hijacked by fraudsters, the bank has admitted.

"Other banks are hit by this too," bank spokeswoman Kerstin Ottosson said.

Eurocard announced on Tuesday that 1,000 customers were hit by a similar fraud attempt.

SEB received the first indications that something was amiss about ten days ago. The bank says that hackers broke into a national computer system handling card payments for shops, hotels and other retailers.

Ottosson said that card information should never be stored by payment systems, but said in this case it had been.

"That's a criminal act, pure and simple," she said. [It's a crime in Sweden? Bob]

Question for my computer forensic associates: How did they know the computers on e-bay were theirs?

Hospital computers stolen, sold on eBay

(May 10, 2007) — Highland Hospital officials and police say they believe patient information contained on a stolen computer is safe, after the computer was erased and sold over eBay.

Two laptop computers were stolen from a Highland Hospital business office at 175 Corporate Woods Boulevard on April 13. One of those computers contained information on 13,000 former patients, including Social Security numbers.

... Because of the nature of the crime, it’s believed the thieves were out to make a quick profit, [News flash: selling the information required for Identity Theft is profitable! (and it takes less time to copy the files than to pack the computers for shipping.) Bob] and not use the patient information for other means, according to hospital officials.

The computers were sold and shipped to Lakeland, Fla. and Calexico, Calif. The computer from Lakeland has been recovered.

... Highland said it is investing $200,000 to install encryption software on 2,000 computer devices by Aug. 1.

It could have been one laptop or one CD. (No one noticed the trucks backed up to the door?)

Personal data missing from UCI Medical Center

Police are investigating the disappearance of medical files that contained personal histories and social security numbers for about 300 patients.

By BLYTHE BERNHARD The Orange County Register Friday, May 11, 2007

Police are investigating the disappearance of medical files containing personal information for nearly 300 patients from UCI Medical Center, university officials said Thursday.

About 1,600 file boxes stored in an off-site university warehouse were discovered missing [so that's 1600/300 = 5.33 boxes per patient? I can see why they want to keep their records digitally... Bob] in the last two months. The files are generally held in storage for seven years according to state law prior to being destroyed, officials said.

The missing boxes represent about 2 percent [1600/.02 = 80,000 boxes (15,000 patients) Bob] of the hospital's records stored at the facility.

... University police were notified March 6 when the first boxes were discovered missing.

... 287 patients whose identifying information was contained in the boxes were sent letters on Monday notifying them of the situation.

... The hospital has used the storage facility for more than 12 years, officials said. The remaining documents will be moved to an outside company that specializes in document security.

No indication of numbers, but another case of “lost luggage.” If the feds are keeping our medical records, the least they could do is receive them electronically. Even the White House uses email!

[May 9, 2007, 8:18 pm]

"HCA Information Lost"

Some Mid-State hospital patients are learning their personal information was lost in the mail.

Hospital Corporation of America, HCA, sent out a letter to inform Summit Medical Center patients about the problem.

The Hermitage hospital sent a compact disc with names and social security numbers of people treated in 2006 to federal record keepers but the disc never arrived.

UPS tracked the disc to the Nashville distribution center but can't find it.

Will we be required to do this?

No more secrets in the city

Now you can track your neighbors’ violations on the Web, how they’re being addressed

By GINA Posted on Fri, May. 11, 2007

Oh sure, you can peek out from behind your curtains and spy on your neighbors.

But the city of Columbia is now offering a way-cooler, technology-driven method of snooping.

Log on to the city’s Development Services Department Web site to find out which of your neighbors failed to bring in their roll carts this week, whose cars are illegally parked in their yards and whether Mr. Smith is in trouble for his weed-filled, overgrown yard.

Street maps of all of the city’s neighborhoods can be found on the Web site along with:

A table that lists addresses where violations have occurred, the type of violation and the status of each case

Dates when the violation was reported and when the city will next review the case. A “review” could simply be a check back by a code officer to see if the problem has been resolved. Or it could mean a car will be towed or a citation issued.

The name and phone number of your neighborhood’s code enforcement, housing, and zoning inspectors. Call them if you have any questions about violations.

The Web site will be updated approximately every 60 days, according to the city.

“This is a giant step forward for people who want to know what’s going on in their neighborhood,” said Marc Mylott, the city’s director of development services.

... For the record, we checked. None of the seven City Council members have violations at their home addresses. [Perhaps an updated admonition, like that given to Caesar's wife would be in order? Bob]

This is one hack I was certain was coming. The potential for damage is HUGE!

Hackers hijack Windows Update's downloader

Component of Windows XP, Server 2003, and Vista bypasses firewalls, could be used to pass malicious code downloads to PC

By Gregg Keizer, Computerworld May 10, 2007

Hackers are using Windows Updates' file transfer component to sneak malicious code downloads past firewalls, Symantec researchers said Thursday.

The Background Intelligent Transfer Service (BITS) is used by Microsoft's operating systems to deliver patches via Windows Update. BITS, which debuted in Windows XP and is baked into Windows Server 2003 and Windows Vista, is an asynchronous file transfer service with automatic throttling -- so downloads don't impact other network chores. It automatically resumes if the connection is broken.

"It's a very nice component and if you consider that it supports HTTP and can be programmed via COM API, it's the perfect tool to make Windows download anything you want," said Elia Florio, a researcher with Symantec's security response team, on the group's blog. "Unfortunately, this can also include malicious files."

Florio outlined why some Trojan makers have started to call on BITS to download add-on code to an already compromised computer. "For one simple reason: BITS is part of the operating system, so it's trusted and bypasses the local firewall while downloading files."

... Although BITS powers the downloads delivered by Microsoft's Windows Update service, Friedrichs reassured users that there was no risk to the service itself. "There's no evidence to suspect that Windows Update can be compromised. If it has a weakness, someone would have found it by now." [but not necessarily told Microsoft about it. Bob]

... Florio noted that there's no way to block hackers from using BITS. "It's not easy to check what BITS should download and not download," he said, and then gave Microsoft some advice. "Probably the BITS interface should be designed to be accessible only with a higher level of privilege, or the download jobs created with BITS should be restricted to only trusted URLs."
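One way a defender can act on Florio's "trusted URLs" point is to inventory the BITS jobs on a host and flag any that fetch from outside an allowlist. This is an added example, not code from the Computerworld article or from Symantec; the allowlist hosts are constructed placeholders, and Get-BitsTransfer -AllUsers needs an elevated session.

```powershell
# Added example: list BITS jobs for all users and mark jobs whose remote URL
# is not served by an allowlisted host. Run from an elevated PowerShell session.
Import-Module BitsTransfer

# Constructed allowlist (placeholder); replace with the hosts your
# patch-management and software-distribution tooling actually uses.
$AllowedHosts = @(
    'windowsupdate.microsoft.com',
    'download.windowsupdate.com',
    'update.microsoft.com'
)

function Test-AllowedHost {
    param(
        [string]$Url,
        [string[]]$Allowed
    )
    # Unparseable URLs are treated as not allowed rather than silently passed.
    try { $uri = [System.Uri]$Url } catch { return $false }
    if (-not $uri.IsAbsoluteUri) { return $false }
    foreach ($h in $Allowed) {
        # Accept the host itself or any subdomain of it.
        if ($uri.Host -eq $h -or $uri.Host.EndsWith(".$h")) { return $true }
    }
    return $false
}

# One row per file in each job; a job with no files (e.g. just created) yields no rows.
$rows = foreach ($job in Get-BitsTransfer -AllUsers) {
    foreach ($file in $job.FileList) {
        [pscustomobject]@{
            JobId       = $job.JobId
            Owner       = $job.OwnerAccount
            State       = $job.JobState
            DisplayName = $job.DisplayName
            RemoteUrl   = $file.RemoteName
            LocalPath   = $file.LocalName
            Suspicious  = -not (Test-AllowedHost -Url $file.RemoteName -Allowed $AllowedHosts)
        }
    }
}

# Suspicious jobs first; these are the ones to correlate with the owning
# account and the local drop path before deciding whether to cancel them.
$rows | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A job that downloads from an unexpected host into a user-writable path under an ordinary user account is the pattern the article describes; a one-off run is a snapshot, so scheduling the check gives you a record over time.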

You need to “sign in” but no PII required. I wonder if law schools will have to add a “technology for lawyers” class?

May 10, 2007

Seventh Circuit Practitioner's Handbook Posted on Judiciary Wiki

The Wiki of The United States Court of Appeals for the Seventh Circuit provides Electronic Access to Seventh Circuit Case Information, Rules, Procedures and Opinions. This is the first public wiki launched by the federal judiciary. According to Chief Judge Frank Easterbrook, who spearheaded the wiki project, and reported by the National Law Journal, "The wiki will welcome comments from lawyers across the nation because issues of federal practice, especially in the appellate courts, are common ones..."

Kinda like pretexting, but apparently not. (Isn't there an implied attorney-client relationship?)

Murder Verdict Upheld Despite DNA Trick

Police didn't violate any privacy laws when they posed as lawyers to get a man's DNA sample from an envelope he licked, the state Supreme Court ruled Thursday, upholding the man's murder conviction.

John Athan was sentenced to at least 10 years in prison for the 2004 Seattle killing of a 13-year-old girl in 1982, when Athan was 14.

Police suspected him at the time but lacked the evidence to arrest him, and the case went unsolved for two decades. In 2003, police sent Athan a letter on the stationery of a fictitious law firm, asking if they could represent him in a class-action lawsuit.

Our world, she is a changin' (Remember, the goal is to generate cheap content.)

Calif. Web Site Outsources Reporting

By JUSTIN PRITCHARD Associated Press Writer May 11, 12:08 AM EDT

PASADENA, Calif. (AP) -- The job posting was a head-scratcher: "We seek a newspaper journalist based in India to report on the city government and political scene of Pasadena, California, USA."

... James Macpherson, editor and publisher of the two-year-old Web site, acknowledged it sounds strange to have journalists in India cover news in this wealthy city just outside Los Angeles.

But he said it can be done from afar now that weekly Pasadena City Council meetings can be watched over the Internet. And he said the idea makes business sense because of India's lower labor costs.

... This is not the first time media jobs have been shipped to India.

The British news agency Reuters runs an operation in the technology capital of Bangalore that churns out Wall Street stories based on news releases.

... Macpherson posted the help-wanted ad Monday on the Indian edition of Within days, he said, he had hired two Indian reporters, one a graduate of the journalism school at the University of California at Berkeley.

Disney sells 24 million TV shows through iTunes Store

Latest Disney results confirm steady iTunes media sales

Jonny Evans Thursday, 10 May 2007

Walt Disney this week confirmed it continues to enjoy strong sales of its television shows and films through iTunes.

Company CEO Bob Iger confirmed the company to have sold 23.7 million episodes of its television shows and an additional two million films through Apple's media service.

In November 2006, Iger confirmed Disney to have sold 500,000 films and 12 million television show episodes since such content reached iTunes. Disney hit 1.3 million films sold in February.

... Iger also confirmed Disney to be satisfied with iTunes prices – the company makes as much from an online sale as it does from a physical one, he explained.

“We're the government. We can do (or not do) anything we want!” (What would this do to admissibility of evidence?)

Analysis: Airlines buck fingerprint plan

Security & Terrorism – Analysis. Published: May 10, 2007 at 5:06 PM

By SHAUN WATERMAN UPI Homeland and National Security Editor

WASHINGTON, May. 10 (UPI) -- U.S. air carriers have angrily rejected Homeland Security Department plans to make their staff collect fingerprints from foreign visitors leaving the United States, writing to the White House in what executives say is an effort to squash the proposal.

The department "has decided, without consultation with the airline industry, to relieve itself of the responsibility of collecting biometric information upon departure and, instead, to direct airlines to do so," James C. May, president of the Air Transport Association, wrote to President Bush's homeland security adviser, Fran Townsend, Tuesday.

Too cool. Think of the possibilities!

Solid freeform fabrication: DIY, on the cheap, and made of pure sugar

In February we gave a sneak preview of our project to construct a home-built three dimensional fabricator. Our design goals were (1) a low cost design leveraging recycled components (2) large printable volume emphasized over high resolution, and (3) ability to use low-cost printing media including granulated sugar. We are extremely pleased to be able to report that it has been a success: Our three dimensional fabricator is now fully operational and we have used it to print several large, low-resolution, objects out of pure sugar.

I am shocked! What happened to the First Amendment right to embarrass/blackmail your congressman?

Judge Orders Lid On Phone Records

Release Likened to Witness Intimidation [That too! Bob]

By Carol D. Leonnig Washington Post Staff Writer Friday, May 11, 2007; B03

Deborah Jeane Palfrey, the woman accused of being the D.C. madam, can't release any more phone records that would reveal patrons of her Washington escort service, a federal judge said yesterday.

Thursday, May 10, 2007

There are some downsides to outsourcing you must consider, even if you only pay 17 cents/hour...

Grantsville employee info may have been compromised at prison

The Associated Press Article Last Updated: 05/09/2007 07:10:39 AM MDT

Posted: 7:11 AM- DRAPER -- The personal information of Grantsville City employees may have been compromised by prison inmates contracted to handle the info.

Anyone who has worked for the city for the last 45 years has been told that they may want to cancel their credit cards and close bank accounts. [Must be serious! Bob]

Grantsville City contracts with the prison to have inmates input the information of former and current employees. About 65 inmates transcribe paper and older records onto CDs.

The inmates worked with social security numbers, birth dates, addresses, and even bank account numbers. Mayor Byron Anderson says using the inmates saved the city about half what it would cost to have it done elsewhere. [Obviously he's overpaying these people. Bob]

But about three weeks ago one of the inmates told the city that all the information had been compromised.

Grantsville has sent out about 500 letters to employees going back as far as 1960. The letters explain what happened and include suggestions on what to do if they're a victim of identity theft.

Perhaps we should get out the old Pringle's can antenna and check out the neighborhood?

May 10th, 2007

Retailers haven’t learned from TJX - still running WEP

Posted by George Ou @ 3:46 am Categories: Security, Mobile/Wireless, Networking, Servers, Hardware, Desktop

When I blogged earlier this week about TJX's failure to secure their wireless LAN and how it may end up costing TJX a billion dollars, I knew that it was merely the tip of the iceberg with so many retailers still running WEP encryption. As if WEP wasn't already broken enough, WEP is now about 20 times faster to crack than in mid-2005 when TJX's WEP-based wireless LAN was broken and I knew from experience that most retailers were still running WEP. I decided to stroll through town and check on some of the largest retail stores in the country to see how they're doing today. The reason I looked at the large retailers is because they're the big juicy targets with millions of credit card transactions that the TJX hackers love. What I found was truly disturbing and I'm going to tell you what I found.

Faster than the government, I suppose.

Survey on Universities' Use of SSN on Transcripts

Wednesday, May 09 2007 @ 08:01 AM CDT - Contributed by: PrivacyNews - Minors & Students

In light of all the breaches of university databases and the risk of ID theft when SSN are used on transcripts, Aaron Titus recently conducted a survey on universities' use of SSN on student transcripts. His results have been written up and he has graciously made them available to this site.

Report - The Secure Transcript: Survey of National Universities' Use of the SSN on Academic Transcripts [pdf]

Some decisions take no time at all... So fast, you might think they were pre-made!

Agency Affirms Mandates for Driver’s Licenses

By MATTHEW L. WALD Published: May 9, 2007

WASHINGTON, May 8 — The Homeland Security Department said Tuesday that it would plow ahead with national standards for driver’s licenses, despite a highly unusual level of activity by state legislatures opposed to the idea, and substantial second thoughts in Congress.

The department said it had received about 12,000 public responses to its draft rules, in a 60-day comment period that ended Tuesday. Russ Knocke, a spokesman, said the comments were mixed.

Could be useful

May 08, 2007

National Center for State Courts Database Links to Over 130 Court Related Issues

"The CourTopics database contains resource guides, state profiles, and much more for over 130 court-related topics."

Could be amusing...

May 08, 2007

Rhode Island Launches New Public Inmate Search Function

Inmate Search - "The Department of Corrections website is a service that is maintained by the Department of Corrections (“DOC”) to provide certain inmate information to the public. The information on this service is provided as a voluntary service to promote communication between the DOC and the public by allowing computerized access to certain information contained in DOC files.... After agreeing to a disclaimer, visitors to the site can enter partial or complete information about an inmate and press the search button. The information displayed includes: Inmate ID, Last Name, First Name, Name Type (Real or Alias), Race, Sex, Age, Last Known City/Town, and Current Security. The inmate's sentences and charges are also displayed."

Geeky, but keep this one in mind.

Replace Windows Explorer with Xplorer2

... The "lite" version of Xplorer2 has a few features disabled, but it's far from limited; it's free for personal or academic use.

For English majors only!

Penn Archive Offers Downloadable Poetry

By KATHY MATHESON Associated Press Writer May 9, 12:48 PM EDT

PHILADELPHIA (AP) -- When you're done loading your iPod with Better than Ezra and Carlos Santana, why not try a little Ezra Pound or William Carlos Williams?

Recordings of the poets' works are available for free through PennSound, an online audio archive developed by professors at the University of Pennsylvania.


I suppose now we'll see ads suggesting you “Sue da bastids!”

Chicago dumps racy law firm billboard

Staff and agencies 09 May, 2007

CHICAGO - A racy billboard proclaiming "Life's short. Get a divorce" caused enough of an uproar that city workers stripped it from its downtown perch after a week.

A city alderman who lives nearby found a technical reason to jettison the sign.

Fetman and Garland say they're upset the sign was removed.

Despite its brief run, the sign apparently was good for business. Since it went up last week, the two women said calls to their law firm have gone up dramatically.

Wednesday, May 09, 2007

They thought something was wrong, but didn't bother to find out what!

Hacker Hits UM System

COLUMBIA - A computer hacker hit the University of Missouri. Now more than 22,000 people are at risk for identity theft. The university noticed a problem on Thursday of last week, but thought it was just related to repairs.

MU police got the FBI involved on Monday and its investigation is underway because names and social security numbers have been stolen. The university sent out a mass email Tuesday morning warning as many people as possible.

The people at risk: Anyone who worked for the UM system in 2004, and also anyone who is a current or former student of the Columbia campus.

So is this an "open and shut" case?

Union Sues TSA Over Personal Data Loss

By MICHAEL J. SNIFFEN The Associated Press Tuesday, May 8, 2007; 6:14 PM

WASHINGTON -- Airport security screeners filed suit Tuesday to expand the Transportation Security Administration's response to its loss of Social Security numbers, bank data and payroll information for about 100,000 employees.

If the data, which was contained on a lost computer hard drive, "were to fall into the wrong hands, false identity badges easily could be created in order to gain access to secure areas," said John Gage, president of the American Federation of Government Employees.

"A Department of Homeland Security agency that cannot even shield its own employee data is not reassuring." [...and no doubt that is exactly how the media will play it. Bob]

... The lawsuit asked the court to order TSA to take new security measures consistent with those laws, including encrypting personnel data and installing electronic monitoring on any mobile equipment that stores personnel information.

... The lawsuit asked the court to order TSA to grant administrative leave, without penalty, to any screeners who need time off to protect against or correct any identity theft or financial disruption. Finally, the suit sought reimbursement for any financial losses workers might suffer.

For shame!

Burglary leaves thousands at risk for ID theft

07:07 PM PDT on Tuesday, May 8, 2007 By ROB PIERCY / KING 5 News

MOUNT VERNON, Wash. – A burglary in Skagit County may have left as many as 3,000 people at risk for identity theft.

In February, someone stole a laptop computer from the Washington State Auditor's Office [As an Auditor, I find this shameful! Bob] in Mount Vernon. That computer contained names, addresses and social security numbers of workers at several local government agencies – everyone from Mount Vernon police officers to teachers at Skagit Valley College – and many of those workers are just now finding out.

... "The letter said that this laptop had been stolen February 1 and we are just now being notified three months later," she said.

... According to Mount Vernon Police, they did not ask the state auditor's office to withhold this information. In fact, police say they didn't even know what was contained on that computer until police officers themselves started receiving a copy of this letter.

Never mark the package “Hand Deliver” someone might have to actually, you know... work!

State employee blamed for mishandling records

Sensitive data was put in wrong bin, an official says

By JANET ELLIOTT May 8, 2007, 10:54PM

Copyright 2007 Houston Chronicle Austin Bureau

AUSTIN — A state employee, not a courier service, misplaced a box of computer tapes containing sensitive personal data for 1.1 million Medicaid clients, a state official said Tuesday.

A spokeswoman for the Health and Human Services Commission clarified the scenario that occurred as the box of tapes was being transferred last month.

After a courier dropped off the shipment at a state office building, a mailroom employee put the box in the wrong bin, Stephanie Goodman said. It remained there for two weeks [because if anyone picked up their mail, they might have to start working! Bob] before it was found and delivered to the vendor Friday; the state was notified Monday that the tapes had been found.

... HHSC and the lead contractor for the partnership, Affiliated Computer Services, are reviewing their procedures to ensure that shipments can be logged and tracked. They also are studying whether the data could be transmitted electronically to enhance security. [Yes. Next question? Bob]


Supreme Court says newspaper can see student punishment records


HELENA, Mont. - The state Supreme Court says a newspaper has the right to see documents dealing with the punishment given to Cut Bank High School students involved in a BB gun shooting.

A reaction/technique likely to spread...

Spy Chief Hints At Limits On Satellite Photos

Posted by kdawson on Tuesday May 08, @10:22PM from the don't-look-there dept. Censorship United States

An anonymous reader writes "Vice Adm. Robert Murrett, director of the National Geospatial-Intelligence Agency, says that the increasing availability of commercial satellite photos may require the government to restrict distribution. 'I could certainly foresee circumstances in which we would not want imagery to be openly disseminated of a sensitive site of any type, whether it is here or overseas,' he said. This would include imagery on Web sites such as Google Earth, because the companies that supply the photos get help from the NGIA with launches." I had never heard of this particular intelligence agency. During the early months of the invasion of Afghanistan they bought up all satellite imagery over that country, worldwide, in a tactic later dubbed "checkbook shutter control."

Perhaps we should limit Google searching?

Police blotter: Fired government aide sues over Googling

By Declan McCullagh Story last modified Wed May 09 04:11:01 PDT 2007

What: Government worker claims a department official violated his "right to fundamental fairness" by using Google to research his prior work history in dispute over misuse of government property.

When: U.S. Court of Appeals for the Federal Circuit rules on May 4.

Outcome: Unanimous three-judge panel says no harm was done by using search engine.

What happened, according to court documents:

We've known for years that jurors and judges occasionally use search engines, sometimes in ways that raise novel ethical and legal issues. But how about Googling by an employer?

... Excerpts from the appeals court's opinion:

No ex-parte communication occurred when the Deciding Official, Ms. Capell, discovered for herself that "in 1996, the Department of the Air Force removed the appellant from a civil service position and that in 1997, the Smithsonian Institution told (Mr. Mullins) to 'look for a new job.'" Indeed, the only "communication" that occurred was when Mr. Mullins communicated with Ms. Capell to bring to her attention the negative information about himself "by suggesting he had been subject to Board proceedings before."

Attention Class Action Lawyers!

AT&T Charging Eight Minutes For One Minute Call; Blames Regulations That Don't Appear To Exist

from the wouldn't-it-be-nice... dept

It really would be nice to have a day go by when we don't hear about yet another attempt by telcos to rip people off, usually either by exploiting some bad regulation or simply pretending that the fee is required by regulations. Falling into the latter camp is a story Broadband Reports points us to. It appears that in a few states, including Missouri, AT&T is charging phone card users 8 minutes of time for every 1 minute used for in-state calling. The company claims this is due to FCC regulations -- though the FCC responds that "Calling cards aren't regulated. Period." Oops. That last link shows a state-by-state list of what multiple is used for in-state calls. The only places where you get a 1 to 1 conversion are Washington DC, Illinois, Indiana, Massachusetts, Rhode Island and the US Virgin Islands. Everywhere else, and you're being charged three, five or eight minutes for every minute used.

Interesting... (I'm drafting a patent on B-flat – that'll fix it)

Club Owner Has To Pay $40,000 Because A Cover Band Played 10 Songs

from the yikes dept

In the past, we've covered some of the ridiculous claims that come out when ASCAP goes around suing restaurants, bars and clubs for performing music without securing a license first. The idea that having music playing in a restaurant without a license somehow causes "irreparable injury," seems ridiculous. If anything, having songs played in public places where people can hear them is likely to get those songs more attention, providing more opportunities to make money for the musicians behind the song. In the latest twist on this theme, Stephen writes in to let us know that the former owner of a night club in Vail, Colorado has agreed to pay $40,000 because a cover band performed 10 cover songs at his club, without him paying the required ASCAP fees. Note that the band itself didn't have to pay anything. The thing is, he got off cheap. ASCAP could have tried to charge him up to $30,000 per song. Again, it's unclear how this benefits anyone (other than some lawyers). All it does is make it a lot less likely that venues will want to play songs licensed via ASCAP. It's short-term thinking that destroys long-term value.

Two from e-Discovery Team...

The Admissibility of Electronic Evidence

May 8th, 2007

Judge Paul Grimm has written a scholarly treatise on the admissibility of ESI, which is cleverly disguised as a district court opinion denying cross motions for summary judgment. Lorraine v. Markel American Ins. Co., 2007 WL 1300739 (D. Md. May 4, 2007).

Nonchalant Review Causes Attorney Client Privilege Waiver

May 6th, 2007

Legal counsel’s “nonchalant review” of electronic records acted to waive the attorney client privilege as to four inadvertently disclosed emails.

Nothing special about the device (Microcenter offers a 2GB thumb drive for $14.95), but some quotes are interesting.

New Laptop Data Protection Comes in a USB Flash Card

By Chris Preimesberger May 8, 2007

Rover Technology Fusions, a small data security provider, based in Tampa, Fla., introduced on May 7 a new data backup product for laptops and notebooks that uses solid-state Flash memory and IBM's Tivoli Continuous Data Protection for Files software.

... Various IT researchers report that about 60 to 70 percent of corporate data resides on mobile workstations and laptops that are not typically part of routine enterprise-wide backup solutions.

... A 2006 Forrester Research study found that 31 percent of all computer users have lost all their files due to events beyond their control, the spokesperson said.

Tuesday, May 08, 2007

Is this a new package of benefits for those at risk?

May 07, 2007

TSA Public Statement on Employee Data Security Incident

Follow up to May 5, 2007 posting, Missing TSA Hard Drive Has Data on 100,000 Employees, this additional update from the TSA: "Today the Transportation Security Administration (TSA) announced a benefit package to provide employees and former employees affected by the data security incident with free credit monitoring for up to one year. In addition to credit monitoring, the package includes ID theft insurance up to $25,000, fraud alerts and identity restoration specialists who will complete paperwork and assist employees in the event they are a victim of identity theft. Current and former employees can register via phone, mail or online through a secure web site. More information is available at, including a list of frequently asked questions."

Hurry, hurry, hurry! Only three more years! (Just before we finish counting the Chad...)

FL: You're online -- for all to see

Monday, May 07 2007 @ 03:17 PM CDT - Contributed by: PrivacyNews - State/Local Govt.

The state's clerks of court will get three more years to black out Social Security, bank account, credit, debit and charge card numbers from public records available on the Internet.

That's three more years Florida citizens could be at risk of identity theft courtesy of state and local government. Until then, residents must submit a request in writing to have their personal information stricken from online documents.

Without debate, the State Senate voted (40-0) Wednesday to give clerks until the year 2011 to edit out personal information from online records. The bill (HB 7197) was approved by the House (115-0) last week. The legislation will now go to Gov. Crist for his review.

Source - Miami Herald (Props, The Virginia Watchdog)
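The "black out" step the bill gives the clerks three more years to finish is, at bottom, a find-and-mask pass over record text before it is posted. The script below is an added example, not anything from the Miami Herald story or from a Florida clerk's system: it finds hyphenated Social Security numbers by pattern and payment card numbers by pattern plus the Luhn check (so that case numbers and phone numbers are left alone), and reports what it masked. The record text, names and numbers are constructed; the hyphenated SSN format and the placeholder tokens are assumptions.

```python
import re

# Added example (not from the Miami Herald story or any Florida clerk's system).
# Finds SSNs and payment card numbers in record text and masks them before the
# text is posted. Bank account numbers have no fixed format or checksum, so they
# cannot be found reliably by pattern; they have to be redacted by field.

# SSN: 3-2-4 digits with hyphens; excludes area 000, 666, 9xx and all-zero groups,
# which are never issued (assumption: records carry the hyphenated form).
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Candidate card number: 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn mod-10 check used by all major card brands; 'digits' has no separators."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(text):
    """Return (redacted text, counts of what was masked)."""
    counts = {"ssn": 0, "card": 0}

    def mask_ssn(m):
        counts["ssn"] += 1
        return "[SSN REDACTED]"

    def mask_card(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):     # case numbers, phone numbers etc. fail Luhn
            return m.group(0)
        counts["card"] += 1
        return "[CARD REDACTED]"

    text = SSN_RE.sub(mask_ssn, text)   # SSNs first: the replacement has no digits
    text = CARD_RE.sub(mask_card, text)
    return text, counts


# Constructed sample record text (fictional name and numbers; 4111... is the
# well-known Visa test number, and the ...1112 variant fails the Luhn check).
SAMPLE = ("Plaintiff Jane Roe, SSN 123-45-6789, case 2007-CA-001234, paid the fee "
          "with card 4111 1111 1111 1111; a prior attempt used 4111 1111 1111 1112. "
          "Contact 555-0100.")

if __name__ == "__main__":
    out, n = redact(SAMPLE)
    print(out)
    print(n)
```

Two caveats a clerk's office would hit in practice: a Luhn-valid string is a card number only about nine times out of ten among random digit runs of that length, so the card pass should log what it masked for review rather than run blind; and unhyphenated SSNs and account numbers are indistinguishable from other nine-digit strings, which is why redaction of those has to be driven by which form field they came from, not by scanning the rendered page.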

Never a good sign...

Homeland Security's Own Privacy Panel Declines to Endorse License Rules

Monday, May 07 2007 @ 06:42 PM CDT - Contributed by: PrivacyNews - Fed. Govt.

The Department of Homeland Security's outside privacy advisors explicitly refused to bless proposed federal rules to standardize states' driver's licenses Monday, saying the Department's proposed rules for standardized driver's licenses -- known as Real IDs -- do not adequately address privacy, price, information security, redress, "mission creep", and national security protections.

Source - Threat Level (blog)

Picky, picky!

Journalists Intend to Sue Hewlett-Packard Over Surveillance

Monday, May 07 2007 @ 07:27 AM CDT - Contributed by: PrivacyNews - Businesses & Privacy

In an unusual step for the news media, three journalists whose private phone records were scrutinized by investigators working for Hewlett-Packard intend to sue the company for invasion of privacy.

The dispute stems from an investigation of Hewlett-Packard’s directors initiated under the company’s former chairwoman, Patricia C. Dunn. To try to uncover leaks from board members, private investigators examined the phone records of nine journalists who covered the company, as well as the records of some of their relatives.

Source - The Ledger

Quick summary

Privacy Laws by State

Track everyone/everything at all times.

Bermuda to Put RFID in All Vehicles on Island

May 7, 2007 By Renee Boucher Ferguson

Cars in Bermuda are getting chipped. RFID chipped that is.

Bermuda's Transport Control Department, a division of the tiny string of islands' Ministry of Tourism, announced May 7 that it plans to automate vehicle registration, compliance and enforcement with an island-wide deployment of EVR (electronic vehicle registration). The EVR system is made up of RFID tags, antennas, readers and a database system.

Sometimes it is better to say nothing...

Verizon Says It Has A First Amendment Right To Illegally Give Your Call Records To The Government

from the that's-an-interesting-way-to-look-at-things dept

The nation's biggest telcos are working hard to make the lawsuits against them for passing customer call records and other info to the government as part of its program of warrantless wiretaps disappear. AT&T's argument that it was just following government orders didn't wash with a judge, and now Verizon is claiming that its passing of information to the government is protected by the First Amendment. Yes, you read that correctly: it says the Electronic Communications Privacy Act is unconstitutional, and the information it passed to the government -- in apparent violation of it, and to comply with the sort of warrantless surveillance the ECPA was designed to prevent -- is constitutionally protected free speech. This seems tenuous at best, but it fits with Verizon's MO. The company always tries to whitewash its customer data leaks by filing lawsuits and trying to shift the blame onto pretexters and information brokers, and making the problem appear to be solely these people's activities, rather than its own inability to protect customer data. Likewise in this case, it contends that it's done nothing wrong, and that the ECPA makes the mistake of trying to prevent free speech, rather than putting restrictions on the government's ability to ask for the information. Of course, those restrictions exist (in the form of having to get a warrant), but didn't really work so well here. Verizon's complicity seems pretty obvious and its free-speech claims look like little more than a hail-mary attempt to shirk liability for disclosing the customer information. That may not be necessary, though, if the Bush administration's attempts to get Congress to pass a law giving the telcos immunity from these sorts of lawsuits are successful.

Is this going to be fun or what? Imagine the RIAA trying to explain how their gibberish is superior to the defense the MIT students could mount. I can't wait!

RIAA Pre-Litigation Letters Sent to MIT

23 Students Accused of Copyright Violations

By Nick Semenkovich ASSOCIATE NEWS EDITOR May 8, 2007

Twenty-three MIT students have been sent pre-litigation settlement letters after allegedly illegally downloading copyrighted audio recordings, according to a press release from the Recording Industry Association of America.

MIT received the pre-litigation letters last Wednesday, May 2, said Daniel Jacobs, legal assistant in MIT's Senior Counsel's Office. At that time, Jacobs said that the letters would have to be analyzed before MIT considered forwarding them to students. These are the first RIAA pre-litigation letters received by MIT, according to Jacobs.

As of yesterday, MIT had forwarded the letters on to students, said Timothy J. McGovern, manager of IT Security Support for Information Services and Technology. McGovern also said that MIT suggested students talk with advisers, family members, or attorneys in considering a response to a pre-litigation letter.

McGovern declined to discuss legal specifics regarding the cases, saying the letters were part of a student's permanent record and thus legally protected by the Family Educational Rights and Privacy Act.

... A sample pre-litigation settlement agreement is available at

Jeffrey I. Schiller '79, Network Manager for IS&T, said that the letters also act as a preserve order for MIT, requiring the Institute to save information about the user of a specific IP. MIT maintains a database of IP addresses assigned to users and stores the information for 30 days, said Schiller. "Suppose on day 29 we get one of the pre-litigation notices. Once we get one of these, we basically … have to save the information forever."

... McGovern stated that "most" of the students who were sent pre-litigation letters had previously received Digital Millennium Copyright Act takedown notices [This suggests that “most” downloaders also put the music online for others... I doubt that is true. Bob] regarding the music in question. Schiller said that MIT, acting as an Internet Service Provider, forwards DMCA notices to students accused of violating copyright law.

... Moreover, Schiller cautioned that not all students who receive DMCA notices necessarily violated copyright law. Schiller said that it is becoming "quite difficult" to ensure IP addresses were actually used for infringement. "I've seen notices for random IP addresses that we would have never assigned," said Schiller.

Furthermore, the complexity of some protocols such as BitTorrent has caused erroneous DMCA notices to be sent. A discussion on the EDUCAUSE Security Discussion Group last month included concerns that HBO had sent a series of inaccurate DMCA notices with incorrect infringement times. The discussion also suggested that HBO was relying on questionable and possibly forged data from BitTorrent "trackers" — directory servers that contain information about IPs downloading a file — that could be readily forged.
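What Schiller describes is a triage problem any campus or ISP abuse desk has: a notice names an IP and a time, the lease log maps IPs to users only for a window, records age out after 30 days, and the moment a notice matches a record that record has to be held indefinitely. The script below is an added example, not code from MIT IS&T or from The Tech; it sorts notices into the cases the article mentions (addresses the institution never assigns, timestamps that match no lease, notices that arrive after the record is gone) and puts matched leases on hold. The address blocks, lease log, notice fields and the 30-day retention value are constructed samples modelled on the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Added example, not code from MIT's IS&T or from The Tech. Lease records map an
# IP to a user for a time window and live 30 days (assumption taken from the
# article); a notice names an IP and a time; the institution rejects notices for
# addresses it never assigns, finds the lease active at the stated time, and
# holds that record once a notice lands. All data below is constructed.

RETENTION = timedelta(days=30)      # how long lease records normally live
UTC = timezone.utc


@dataclass
class Lease:
    ip: str
    user: str
    start: datetime
    end: datetime


@dataclass
class Notice:
    ip: str
    when: datetime        # alleged infringement time, as stated in the notice
    received: datetime    # when the notice reached the institution


def find_lease(leases, ip, when):
    """Lease under which 'ip' was assigned at instant 'when', or None."""
    for lease in leases:
        if lease.ip == ip and lease.start <= when < lease.end:
            return lease
    return None


def triage(notice, allocations, leases, hold):
    """Classify a notice; on a match, add the lease to 'hold' (never purged)."""
    addr = ip_address(notice.ip)
    if not any(addr in net for net in allocations):
        return "outside-allocation"     # the 'IPs we would never have assigned'
    if notice.received - notice.when > RETENTION:
        return "beyond-retention"       # lease record already purged; nothing to hold
    lease = find_lease(leases, notice.ip, notice.when)
    if lease is None:
        return "no-lease-at-time"       # wrong timestamp, or bogus tracker data
    hold.setdefault(lease.user, []).append(lease)
    return "matched:" + lease.user


# Constructed sample data: RFC 5737 documentation ranges, fictional users.
ALLOCATIONS = [ip_network("192.0.2.0/24")]


def t(day, hour=0):
    return datetime(2007, 5, day, hour, tzinfo=UTC)


LEASES = [
    Lease("192.0.2.10", "user-a", t(1), t(3)),
    Lease("192.0.2.10", "user-b", t(3), t(10)),
]

NOTICES = {
    "good":     Notice("192.0.2.10", t(2, 12), t(9)),
    "foreign":  Notice("198.51.100.5", t(2, 12), t(9)),
    "no-lease": Notice("192.0.2.10", t(12, 12), t(14)),
    "too-old":  Notice("192.0.2.10", datetime(2007, 3, 1, tzinfo=UTC), t(9)),
}


def run_sample():
    """Triage every constructed notice; returns (verdicts, preservation hold)."""
    hold = {}
    verdicts = {name: triage(n, ALLOCATIONS, LEASES, hold) for name, n in NOTICES.items()}
    return verdicts, hold


if __name__ == "__main__":
    verdicts, hold = run_sample()
    for name, verdict in verdicts.items():
        print(f"{name:9} -> {verdict}")
    print("on hold:", {u: len(v) for u, v in hold.items()})
```

Two details matter more than the code suggests. Every timestamp here is timezone-aware UTC; notices are usually stated in UTC while lease logs are often local time, and an hour's slip is enough to land on the wrong user at a lease boundary. And the hold is per record, not a global change to the retention period, which is the only way to honour "save it forever" for the one notice without keeping everyone else's history.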

Can this be correct? (see article on anti-SLAPP, below)

Library of Congress Threatens Washington Watch Wiki

Posted by kdawson on Monday May 07, @07:11PM from the trademark-madness dept. United States Politics

BackRow writes "Washington Watch, a site devoted to tracking the cost of federal legislation, has raised the hackles of the Library of Congress with a new wiki that makes an unfavorable comparison to the LOC's THOMAS legislative search engine. After Jim Harper, Washington Watch's creator and the director of information policy at the Cato Institute, announced the wiki, he received a nastygram from the LOC."

Quoting: "After the announcement, he was contacted by Matt Raymond, the Director of Communications at the Library (and the author of the Library of Congress' blog). Raymond said that he possessed 'statutory and regulatory authority governing unauthorized use of the Library's name and logo and those of Library subunits and programs,' and he asked that Harper stop using the names 'Library of Congress' and 'THOMAS' in his marketing materials."

Other wikis... (Want to build your own?)

Top 57 Wikis By Rank

Over the last couple years we’ve watched Wikipedia go from a virtually unknown website to one of the top 10 in the world - so it’s no secret that Wiki’s have seen an unprecedented amount of growth and popularity (not to mention free Wiki engines such as MediaWiki or MoinMoin feeding that growth).

I took the liberty to scour the web for as many Wiki’s as I could find, meanwhile compiling a list of each. Some of my findings were great, such as: WikiTravel, Heroes Wiki, and WoW Wiki (for all you WoW fanatics), and some, well, not so great.

I noticed a growing amount of businesses adopting the concept. Wiki’s aren’t only a helpful resource for customers, but a great way for marketers to obtain that all-too-important customer feedback, which is why it’s great that more businesses are beginning to understand the true value of Wikiing (wikiing?) :).

Anyway, on with the good stuff. Here’s a list of over fifty Wiki’s by rank. If there’s something I’ve missed, post a comment and I’ll be happy to add it. Enjoy…

Why do we care? See next article and the LOC article above

In Case You Didn't Know: Anti-SLAPP Laws Apply To Bloggers Too

from the fyi dept

This probably won't come as a huge shock to, well, anyone, but for the various bloggers who are getting sued by individuals or companies upset about what they're saying, bloggers do appear to be protected by anti-SLAPP laws. Of course, this doesn't mean bloggers can just go and defame or libel anyone -- but as long as there's support behind what they're saying, it sounds like a court will recognize if the suing party is simply trying to shut someone up, rather than respond to actual libel or defamation. If you're unfamiliar with them, anti-SLAPP laws are designed to protect individuals who are sued by companies who are simply trying to shut up the individual. The idea is that a big company can just file a libel suit against someone they don't like (even if there's no libel), and since it's so expensive (and scary) to be sued, the individual will be forced to quiet down. Anti-SLAPP laws give the individuals a quick way to fight back and stop such bogus lawsuits.

Many organizations forget this simple fact!

Thanks To The Web, Everybody's A Potential Critic -- So Treat Them Well

from the business-101 dept

The rise of blogs and user-generated content sites has turned every customer of a business into a potential critic with a big platform. Word of mouth still serves as a huge boon or burden to a company; but like so many other things, the internet has made its spread much more efficient. Many consumers check out all sorts of businesses and restaurants online before they visit them, and while professional reviews still matter, blogs and sites that aggregate user reviews are growing increasingly powerful. The question for businesses is how to respond to and capitalize on this trend. Some try to bury criticism or attack critics, but as some are pointing out, the best way to keep potential customers from finding out you don't treat customers well is simply to treat them all well to begin with. Professional restaurant critics typically strive to maintain their anonymity, and restaurants strive to find out what they look like so they can be sure to put their best foot forward when they visit. But as more people put stock in what fellow non-professional critics have to say about restaurants and other sorts of businesses, it means they'll have to raise their game for everybody. After all, you may figure out what the Times reviewer looks like, but you're going to have a hard time keeping track of all the "normal people" reviewers.

You have to design increased productivity into all parts of the process...

Prosecutors to go easy on speeding drivers

Mon May 7, 10:23 AM ET

Prosecutors in the Belgian capital, overwhelmed by the number of speeding fines imposed since fixed radar traps were installed, have asked police to let off all but the worst offenders -- angering local mayors.

The prosecutor's office, grappling with a backlog of 10,000 cases, has asked Brussels police not to fine drivers unless they are motoring at 87 kph (54 mph), or 67 kph (42 mph) near schools, the daily La Derniere Heure reported Saturday.

Speeding fines are not automatic in Belgium and each case goes through the prosecutor's office.

The paper quoted a letter from the prosecutor to district mayors suggesting they temporarily reduce the number of speed controls and that police report only the worst cases, when drivers exceed the limit by 30 kph plus a 6 kph tolerance margin.

The speed limit in most of Brussels is 50 kph, reduced to 30 kph in areas near schools.

RTBF radio quoted several district mayors as voicing outrage over the circular because most offenders would escape punishment. The prosecutor's spokesman was not available for comment.

If my integer is 00 00 00 00 00 00 00 00 01, can I sue anyone who publishes a one?

You Can Own an Integer Too — Get Yours Here

Monday May 7, 2007 by Ed Felten

Remember last week’s kerfuffle over whether the movie industry could own random 128-bit numbers? (If not, here’s some background: 1, 2, 3)

Now, thanks to our newly developed VirtualLandGrab technology, you can own a 128-bit integer of your very own.

Here’s how we do it. First, we generate a fresh pseudorandom integer, just for you. Then we use your integer to encrypt a copyrighted haiku, thereby transforming your integer into a circumvention device capable of decrypting the haiku without your permission. We then give you all of our rights to decrypt the haiku using your integer. The DMCA does the rest.

The haiku is copyright 2007 by Edward W. Felten:

We own integers,


You can own one too.

Here is your very own 128-bit integer, which we hereby deed to you:

49 73 B9 DC DC A0 81 D7 E8 05 93 0C 32 85 59 66

If you’d like another integer, just hit Shift-Reload, and we’ll make a fresh one for you. Make as many as you want! Did we mention that a shiny new integer would make a perfect Mother’s Day gift?

If you like our service, you can upgrade for a low annual fee to VirtualLandGrab Gold — and claim thousands of integers with a single click!
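The mechanism Felten describes is literal: a 128-bit integer is a key, and once some text has been encrypted under it, that integer is the thing that decrypts the text. The script below is an added example, not Felten's VirtualLandGrab code and not anything published with the post: it mints a fresh 128-bit integer, prints it in the same sixteen-hex-byte layout as the post, and uses it to encrypt a text so that only that integer recovers the text. The cipher (HMAC-SHA256 run in counter mode as a keystream) is a dependency-free stand-in chosen here, since the post does not say what it used, and the text encrypted is a constructed stand-in rather than the haiku.

```python
import hashlib
import hmac
import secrets

# Added example, not Felten's VirtualLandGrab code. Mint a 128-bit integer,
# show it in the post's "49 73 B9 DC ..." layout, and use it as the key under
# which a text is encrypted. Cipher choice (HMAC-SHA256 keystream) is mine.


def fresh_integer():
    """A new 128-bit integer from the OS CSPRNG."""
    return secrets.randbits(128)


def as_hex_bytes(n):
    """Format like the post: 16 upper-case hex bytes separated by spaces."""
    return " ".join(f"{b:02X}" for b in n.to_bytes(16, "big"))


def _keystream(key, length):
    """HMAC-SHA256(key, counter) blocks concatenated: a deterministic PRF stream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def transform(n, data):
    """XOR 'data' with the keystream derived from integer n; self-inverse.

    Each integer is used for exactly one text, so a keystream is never reused
    (reuse would leak the XOR of the two plaintexts to anyone holding both)."""
    if not 0 <= n < 1 << 128:
        raise ValueError("key must be a 128-bit integer")
    key = n.to_bytes(16, "big")
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def land_grab(text):
    """Mint an integer and return it together with 'text' encrypted under it."""
    n = fresh_integer()
    return n, transform(n, text)


# Constructed stand-in text; the post's haiku is not reproduced here.
SAMPLE = b"constructed sample text standing in for the haiku"

if __name__ == "__main__":
    n, ct = land_grab(SAMPLE)
    print("your integer:", as_hex_bytes(n))
    print("ciphertext:  ", ct.hex())
    assert transform(n, ct) == SAMPLE
```

The design point the joke rests on is visible in `transform`: the integer is the entire secret, nothing about it is special, and any of the 2^128 values works equally well as a key. That is exactly why "owning" the integer printed in the post means nothing about the number itself. One difference from the post's wording: `secrets.randbits` draws from the OS cryptographic generator rather than a plain pseudorandom one, which is what you would want if the integer really were protecting something.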

Read yourself to sleep?

PhD on Viruses

Posted by Mikko @ 14:41 GMT

There are surprisingly few people out there who have done their PhD thesis on computer viruses.

However, we just got one more. Mr. Jussi Parikka defended his dissertation, titled "Digital Contagions. A Media Archeology of Computer Worms and Viruses", on Saturday at the University of Turku, Finland.

As we here at F-Secure have a fairly substantial collection of material and memorabilia from the early days of the computer virus problem, we lent some of this material to Mr. Parikka during his research phase. It's good to see the final outcome now.