Saturday, June 23, 2007

Typical press release. Are they setting themselves up for a fall? See the next couple of articles...

Bank warns of possible ID theft

10:14 AM CDT on Friday, June 22, 2007 By Laura Elder / The Daily News

TEXAS CITY — Texas First Bank is notifying about 4,000 customers that their personal information could have been compromised when thieves last month stole a laptop computer during a car theft in Dallas.

But officials say there’s no cause for alarm and that the bank is taking measures to protect affected customers against identity theft.

They said the odds that thieves have been able to retrieve any information from the laptop are low.

The laptop had a heavily secure password [Try searching Google for the phrase “heavily secure password” and then tell me their PR department didn't invent it on the spot. Bob] and was equipped with technology designed to prevent unauthorized access, said Matt Doyle, vice chairman of the Texas City-based bank. [No encryption? Bob]

... Officials say the laptop owned by S1 Corp., the bank’s former online banking vendor, [Should they still have this data? Bob] was stolen on May 19.

... Texas First had changed online banking vendors in March but still was in the process of converting data, Doyle said.

... Texas First said it is offering a free 24-month [Twice normal? Perhaps they feel more guilty than others? Bob] membership to Equifax Credit Watch, an identity-theft protection service, to customers who might have been affected by the theft.

The service alerts customers to changes in their Equifax credit file. Among other measures, the bank also is offering to pay for $20,000 in identity-theft insurance with no deductible to customers whose information could have been compromised. The bank also is monitoring accounts.

AGs are finding easy pickings here. All they need do is ask the simple questions journalists no longer ask...

Pfizer Gets More Time On Data Breach

By Lee Howard Published on 6/23/2007

State Attorney General Richard Blumenthal has granted Pfizer Inc. a two-week extension to prepare responses to a series of questions about a data breach last month at the company that led to the posting of nearly 17,000 Social Security numbers and other personal information on the Internet.

... Pfizer had been asked, in a June 6 letter from Blumenthal, to answer 14 questions about the security breach, including specifics that Pfizer has been reluctant to disclose in the past, such as how it first learned of the breach, how it determined what data was actually accessed and what potentially was accessed, and when it first discovered the problem. Blumenthal also asked Pfizer to outline a plan for preventing future security breaches [A plan! What a concept! Bob] and to identify any corporate policies relating to the security of computers, facilities and personal information.

This is so common, I bet someone has written a paper on how to deal with it... Now if organizations only had someone who could read... (Some amusing comments, too.)

Ohio Data Leak Follows The 'Worse Than First Thought' Plan

from the working-for-you dept

It's pretty much par for the course that when a data leak gets disclosed, it's followed up a few weeks later with another announcement revealing that even more people's information was lost than first thought. Whether that's because it takes some time to figure out the extent of losses or is just a PR ploy [If it is, it's a bad one. Bob] is open for debate. In any case, you might remember the recent case in Ohio, where the personal information of all the state's 64,000 or so employees was lost when a storage device containing it was stolen out of an intern's car. True to form, the state's governor has issued an update, revealing that it's not just the state employees whose info was stolen, but a total of about 500,000 people, including welfare recipients, state employees' dependents, and taxpayers with uncashed income tax refunds. We noted earlier that the intern had the device as part of the state's security protocol, in which employees rotated taking backups home with them in case data on the state's system was lost. While storing backups off-site has some merit, this incident highlights the idiocy of just passing out devices to employees and having them take them home, rather than storing them in some more secure manner. The state has now ordered an end to the practice, while the state police have set up a post office box "in hopes that the storage device would be returned anonymously." Somehow, given the great job state officials have done to advertise the potential value of the device, that seems pretty unlikely.

This is the first time I've seen this in an Identity Theft case. I like the idea, but need to know more about how it is secured. (They don't have the best reputation...) Not easy to find on the web site, either.

OH: Your name on stolen data disk?

Friday, June 22 2007 @ 10:46 AM CDT Contributed by: PrivacyNews News Section: Breaches

To see if your name is on the list of people whose personal information was on the stolen computer tape, go to on the Internet.

You will be given a personal ID number at that site to sign up for Debix ID protection.

Letters have been mailed to all affected Ohioans, also containing a PIN number and details about free ID protection.

Or call this automated number, 888-644-6812, for updates.

To speak to someone live, call 800-267-4474 Monday through Friday from 8 a.m. to 5 p.m.

Source - The Enquirer

Worth reading? (You can shoot for “low key” but remember, the entire internet is watching you...)

Friday, June 22, 2007

Low key launch for NSW LRC privacy paper

Without any fanfare (not even a media release), the NSW Law Reform Commission has released its Consultation Paper on "a statutory cause of action for privacy". The Paper provides a broad canvas of the issues, case law developments, the situation in other similar countries and puts forward a tentative view that we should join the ranks of those who should act to fill this current significant gap in our legal framework.

The Commission makes two proposals: that if a statute is to create a cause of action, the approach should be to identify in the legislation the objects and purposes it seeks to achieve, and incorporate a non-exhaustive list of the types of invasion that fall within it. It also suggests that the range of remedies include but not be limited to, damages (other than exemplary damages).

The Paper lists 20 questions and seeks responses during a consultation period to run until September.

Would this have any bearing on the evidence found on a multi-user computer?

The Supreme Court's Recent Decision Regarding Whether a Car Passenger is "Seized" in a Traffic Stop (Analysis)

Friday, June 22 2007 @ 12:57 PM CDT Contributed by: PrivacyNews News Section: In the Courts

Earlier this week, the Supreme Court ruled, in Brendlin v. California, that when a police officer effects a traffic stop of a passenger vehicle, the passengers -- and not just the driver -- are "seized" within the meaning of the Fourth Amendment. Accordingly, the passengers -- and not just the driver -- may challenge the constitutionality of the stop.

The decision was interesting for a number of reasons -- including its unanimity. (Justice Souter wrote for the entire Court.) In this column, I'll discuss why the decision was unanimous, and focus on the specific nuances of the Court's holding.

Source - FindLaw's Writ

What law prohibits videotaping the police? Would this apply to surveillance cameras?

Charges Dropped In PA Video Taping Arrest

Journal written by twitter (104583) and posted by kdawson on Friday June 22, @06:24PM

from the common-sense-prevails dept.

Cumberland County District Attorney David Freed has reversed himself completely over the charges against Brian Kelly, arrested for wiretapping after videotaping a police stop. Now let's see if they are good enough to compensate Kelly for the 26 hours he spent in jail and the anguish of the cloud over his future caused by a felony arrest. From the article: "... [DA] Freed said his decision will affect not only Brian Kelly, 18, but also will establish a policy for police departments countywide. 'When police are audio- and video-recording traffic stops with notice to the subjects, similar actions by citizens, even if done in secret, will not result in criminal charges,' Freed said yesterday. 'The law itself might need to be revised.'"

The reasoning seems weak...

Carlisle teen cleared after wiretapping incident

June 20, 2007

... The arresting officer was already taping the stop with a dashboard camera and therefore he had no expectation of privacy.

...and does the ACLU know about the anti-videotaping law?

Citizens Given Video Cameras To Monitor Police

Posted by kdawson on Friday June 22, @02:12PM from the project-vigilant dept. The Courts

atommota writes "After years of complaints of police misconduct, the ACLU is giving free video cameras to some residents of high-crime neighborhoods in St. Louis, MO to help them monitor officers. The ACLU of Eastern Missouri launched the project Wednesday after television crews last year broadcast video of officers punching and kicking a suspect who led police on a car chase. 'The idea here is to level the playing field, so it's not just your word against the police's word,' said Brenda Jones, executive director of the ACLU chapter. The ACLU has worked closely with the police to make sure they are aware of this program. This is in stark contrast to the recent Pennsylvania arrest for felony wiretapping of a guy who was videotaping a police stop."

How come this isn't a concern of the Digital Rights world?

Elcomsoft cracks Quicken "backdoor"

Published: 2007-06-22

Russian security software firm Elcomsoft announced on Friday that the company's researchers had cracked the master password that secures encrypted Quicken files and which allows the software's developer, Intuit, to retrieve lost passwords.

Calling the existence of a 512-bit encryption key a "backdoor," Elcomsoft said the master key could be used by the federal government to access taxpayer records. Starting with Quicken 2003, Intuit beefed up the encryption of Quicken's password protection. While the better protection made it infeasible for a cracker to brute force the password to a particular Quicken file, Intuit offers a service to recover the files for people who had lost their passwords.

Does that mean freelancers need to control this with a contract?

Court Ruling Limits Copyright Claims

Posted by Zonk on Friday June 22, @11:18AM from the put-your-cap-back-on dept. Media The Courts

Spamicles writes "A federal appellate panel in Atlanta has reversed its circuit's 6-year-old opinion in a major copyright case, declaring the ruling's mandate on behalf of freelance photographers to be "moot." Until now, publishers could be forced to share with freelancers whenever they reproduce and sell those freelancers' previously published works in merchandise designed for computer access. The new ruling says that reproduction on a CD or other media is not a new use of formerly published issues. The full court decision (pdf) is available online, and has an analysis of the ruling's repercussions."

Attention Virtual Lawyers!

Congress set to issue virtual taxation report in August

Posted by Daniel Terdiman June 22, 2007 1:33 PM PDT

For months, the community of virtual world publishers, players and economists has been holding its breath, waiting for the U.S. Congress to issue its report on the potential taxation of virtual goods.

... Meanwhile, a lot is riding on the outcome. If Congress signals it intends to start taxing in-world commerce, that could create huge problems for publishers who may have to figure out efficient ways to track all such trades. If Congress goes the other way, many people will feel that it is just punting and that it will still only be a matter of time before some major government decides to step in.

Is this related to the story above? In any case, some interesting comparisons.

June 21, 2007

EU: eGovernment in the European countries

EU: eGovernment in the European countries, 19 June 2007: "As part of its mission to inform the European eGovernment community about key issues of common interest, the eGovernment Observatory maintains a series of Factsheets presenting the situation and progress of eGovernment in 32 European countries: EU-27, Croatia, Turkey, Iceland, Liechtenstein and Norway, providing for each one of them a wide and consistent range of information... As a general rule, factsheets are updated every 6 months with a new Edition."

Also a concern for Virtual Lawyers? (...and the “traditional” phone companies?)

June 21, 2007

Surveys Examine the Impact of the Growing Cell-Only Population

Follow up to May 14, 2007 posting, Nearly 16% of U.S. Homes Have No Landline Phone, see also these related studies:

Ditto? What happens if a “Please lock your door” message delays a “Your baby has stopped breathing” message?

Police Plan To Bluespam People About Locking Their Doors

from the this-is-a-good-idea-how? dept

We still can't figure out why anyone thinks "bluespamming" is a good idea. Bluespamming, if you don't know, is setting up a system to look for phones with bluetooth enabled, and sending them an automatic message if they're nearby. It's spam, via bluetooth. Yet, for some reason, many organizations that are doing it, such as the US Navy don't seem to realize it's intrusive and annoying. The latest to dip into bluespamming are police in West Yorkshire who somehow think that bluespamming people reminders to lock their doors and windows will be effective. Perhaps it'll teach people to better lock up their mobile phones so bluespamming doesn't bother them instead.

For those of us who laughed...

Could Hit Jackpot on Auction Block

By DENNIS K. BERMAN June 22, 2007; Page B3

Entrepreneurs Jake Winebaum and Sky Dayton were widely mocked for lavishing $7.5 million on a single Internet domain name -- -- back in 1999. It was the single highest price paid for a domain name at the time.

Now look who is having the last laugh.

The company that grew out of -- a search engine used by businesses to find products and services -- is now on the auction block, and could fetch anywhere between $300 million and $400 million, according to people familiar with the matter.

Surely your software is not obsolescent, but is this the sign you must upgrade?

Microsoft stops shipping Office 2003

Posted by Reverend on 22 Jun 2007 - 17:55 GMT

Microsoft has confirmed that it will stop shipping Office 2003 at the end of June 2006.

Stupid is as stupid does. F Gump

What's Wrong With This Picture?

just take a moment and figure it out - you'll laugh when you do

Some Folk Wisdom is worth quoting...

  • If you are choking on an ice cube, don't panic. Simply pour a cup of boiling water down your throat and presto, the blockage will be almost instantly removed.

  • Clumsy? Avoid cutting yourself while slicing vegetables by getting someone else to hold them while you chop away.

  • You can avoid arguments with the Mrs. about lifting the toilet seat just by using the sink.

  • Sometimes, we just need to remember what the rules of life really are: in life, you only need two tools - WD-40 and Duct Tape. If it doesn't move but should, use the WD-40. If it should not move and does, use the duct tape.

Friday, June 22, 2007

A short follow-up. Probably all organizations will get reports like this. What is unusual is when the organization actually does something because of it. NOTE: If this breach impacts Strickland’s political career, expect a flood of laws to protect politicians.

Report warned Strickland of data risk

COLUMBUS (AP) — Months before a computer device containing the Social Security numbers and other personal information of more than 500,000 Ohioans was stolen from an intern’s car, the state was warned it was vulnerable to data theft, The Columbus Dispatch reported Friday.

Before he took office in January, Gov. Ted Strickland asked teams of experts to evaluate key areas of state government and submit findings and recommendations.

The team studying the Office of Information Technology concluded the state had “little to no policy guidance or standards” for protecting Social Security numbers and other sensitive information, according to a report prepared as part of Strickland’s transition team.

What weren't you thinking? Mug shots?

ISTEP collage causes a stir

By John Martin (Contact) Thursday, June 21, 2007

New Harmony (Ind.) School officials acknowledged Wednesday that a picture collage of students who did not pass the most recent ISTEP test has filtered out into the community.

They said the privacy breach violates a federal law and they are trying to determine why and how it happened.

The pictures were intended to be given only to faculty at New Harmony's public school, which has students in kindergarten through 12th grade, said Fran Thoele, superintendent of the school district.

... Asked if she thought the principal's motivational tactic was appropriate, Thoele replied, "If the teachers would have used it in the way it was Thoele said the leak of the pictures could be a violation of the Family Educational Rights and Privacy Act. [Huh? Bob]

... The principal's statement goes on to say that the school "is taking this very seriously," and "if the person responsible is found, they will be handled in accordance to school board policy regarding student confidentiality and ethical behavior.

"It is unclear why this teacher [Why is it a teacher? Bob] chose this type of act instead of using the proper school procedure to express concerns."

We can, therefore we must!

EUB fails integrity test by spying on residents

Paula Simons, The Edmonton Journal Published: Thursday, June 21, 2007

When the story started oozing out, it sounded almost too paranoid to be true.

The Alberta Energy and Utilities Board, an arm of the Alberta government, has been hiring private investigators to monitor farmers and acreage-dwellers from central Alberta.

... The landowners oppose an application by AltaLink to build a new 500,000-volt transmission line from Wabamun to Calgary across their properties.

Tempers have been running so high, the EUB has actually banned members of the public, including affected property owners and opposition MLAs, from attending the "public hearings" in person.

Instead, they have to watch the proceedings from a separate building on closed-circuit TV. Not satisfied with that security measure, the EUB went one step further and hired private undercover agents to infiltrate those meetings.

The EUB says its agents were only supposed to monitor those watching the hearings, to watch for signs of violence.

But the farmers and their lawyers allege the private investigators also insinuated themselves into private solicitor-client conversations.

Coming soon to a country near you!

Data Protection Commissioner deplores "trend towards a Big Brother state"

21.06.2007 14:51

Upon presenting his 8th Report Harald von Bose, the Data Protection Commissioner of the German federal state of Saxony-Anhalt, has publicly deplored the increasing degree to which the state and private companies crave and achieve access to the personal data of citizens. "Restraint and moderation are no longer much in evidence," he said on Wednesday in Magdeburg. "The trend towards a big Brother state defined by comprehensive registration, surveillance, evaluation and control has picked up pace significantly," he added.

Apparently they are done with Estonia...

Crackers Cause Pentagon to Put Computers Offline

Posted by CowboyNeal on Friday June 22, @01:15AM from the better-safe-than-sorry dept. Security United States IT

Anarchysoft writes "As many as 1500 Pentagon computers were brought offline on Wednesday in response to a cyber attack. Defense Secretary Robert Gates reported of the fallout both that the attack had 'no adverse impact on department operations' and that 'there will be some administrative disruptions and personal inconveniences.' When asked whether his own e-mail had been compromised, Gates responded, 'I don't do e-mail. I'm a very low-tech person.'"

Do you think someone should tell them it's not just search engines?

EU Probe to Look at All Search Engines

By AOIFE WHITE The Associated Press Thursday, June 21, 2007; 7:13 PM

BRUSSELS, Belgium -- A European Union probe triggered by concerns over how long Google Inc. stores user information has widened to include all Internet search engines.

The EU's panel of national data protection officers said it's now concerned over the retention of data that the companies use to deliver more relevant search results and advertising. Some fear the data could be targeted by hackers and governments. [Most are completely oblivious... Bob]

Ubiquitous surveillance: No more taking tests in the nude, people. Please!

Online Test Takers To Have Their Every Move Watched By Special Webcams

from the we're-watching-you.... dept

For years now, there have been questions about the increase in high-tech cheating among students. One solution, of course, is to change the way students are measured, recognizing that collaboration is important so that working together and using additional sources is encouraged (you know, like in the real world). However, there still can be times where a good old fashioned test might make sense -- and that gets even more difficult when you're dealing with an online only school trying to give an online exam. A few years ago we discussed one school that was testing the use of a webcam system to take regular snapshots of the student while they took the test. It appears that just that type of technology is becoming increasingly popular for online test taking, with some believing it's more effective at preventing cheating than traditional proctored exams. The new camera system records a 360 degree view (to make sure there's no one behind the camera helping out), records all audio as well and even requires a fingerprint to make sure you're really who you say you are. It also has some method for alerting monitors to suspicious activity (such as if someone starts getting a bunch of questions right soon after taking a phone call). All in all, it sounds pretty thorough -- though, we're sure someone will figure out an effective way around it before too long. In the meantime, some are suggesting that such a system is too invasive -- but as long as the test-taker knows what he or she is getting into, it's hard to see how that's a problem.

Ubiquitous surveillance: What are you doing in that womb, kid?

NJ lawmakers approve HIV testing for pregnant women, newborns

By TOM HESTER Jr. Associated Press Writer June 21, 2007, 10:15 PM EDT

TRENTON, N.J. -- New Jersey on Thursday moved to require both pregnant women and some newborns to be tested for HIV.

... It requires all pregnant women be tested twice for HIV, once early and once late in the pregnancy, unless the mother asks not to be tested.

It also requires newborns to be tested if either the mother has tested positive or her HIV status is unknown at time of birth.

... The American Civil Liberties Union and women's groups contend the bill deprives women of authority to make medical decisions.

"Women's privacy rights and choices are as constitutionally valid as any other citizen, regardless of reproductive status," said Maretta J. Short, New Jersey's National Organization of Women president.

... According to the Kaiser Foundation, a nonprofit research organization focusing on U.S. health care issues, Arkansas, Michigan, Tennessee and Texas require health care providers to test a mother for HIV, unless the mother specifically asks not to be tested.

Connecticut, Illinois and New York test all newborns for HIV, according to the foundation.

Seems to be a theme in the news today...

E-Voting Report Finds Problems with Modern Elections

Posted by Zonk on Thursday June 21, @06:04PM from the i'm-going-to-count-these-again-if-you-don't-mind dept. Politics Technology

JonRob writes "The Open Rights Group has released a report on challenges faced by voting technology. Using the May 2007 Scottish/English elections as a testbed, researchers have collated hundreds of observations into a verdict on voting in the digital age. 'The report provides a comprehensive look at elections that used e-counting or e-voting technologies. As a result of the report's findings ORG cannot express confidence in the results for the areas we observed. This is not a declaration we take lightly but, despite having had accredited observers on location, having interviewed local authorities and having filed Freedom of Information requests, ORG is still not able to verify if votes were counted accurately and as voters intended.' The report is available online in pdf format for download."

So a willingness to share your source code should be a competitive advantage, right? (ES&S must have good lawyers...)

Appeals Court Says E-Voting Company Doesn't Need To Reveal Source Code

from the this-again? dept

Back in January, a district court turned down the request from the losing candidate in a Florida election trying to see the source code of the e-voting machine, since it appeared to lose a ton of votes. The judge in that case worried that exposing the code to experts for review (not to the whole world) would somehow violate the company's trade secrets. An appeals court has now agreed, and will not force ES&S to hand over the code even though a report between the two cases showed that ES&S knew its machines were buggy while experts like Ed Felten show that a bug in the software could explain the mistakes found in the system. But, of course, protecting the "trade secrets" of a company that can't program straight is apparently more important than, say, a functioning democracy.

Is this a hospital's responsibility under HIPAA? If they discover a situation like this can they ignore it? It looks like they believe they are required to investigate...

Blog sued by hospital

By Bill Hankins The Paris News Published June 20, 2007

Essent Healthcare, parent company of Paris Regional Medical Center has filed a lawsuit in Lamar County’s 62nd District Court against unknown “bloggers,” contending a blog — — has defamed the hospital and that bloggers are breaking the law in releasing patient confidential information.

... “It is our duty as a healthcare entity and our obligation to the community to protect our patients’ rights to privacy,” said Kim Fox, a spokesperson for Essent. “We are morally and legally compelled to do everything we can to stop these violations.”

Part of my continuing rant that we will need “Virtual Law” experts in the very near future!

June 20 2007

Virtual Goods: the next big business model

Susan Wu

This guest post is written by Susan Wu, a Principal with Charles River Ventures, where she focuses on digital media, software, and infrastructure. Susan is coproducing the Virtual Goods Summit this Friday at Stanford University - most of the companies mentioned below will be presenting.

People spend over $1.5 billion on virtual items every year.

... While people preoccupy themselves with mocking the absurdities of some of these virtual worlds, the reality is that there are many businesses out there making meaningful amounts of money in virtual goods:

  • Tencent is one of the largest Internet portals in China with over 250 million active user accounts. They generated $100 million+ in Q1 of 2007 and over 65% of their revenue comes from virtual goods.

  • Habbo Hotel has over 75 million registered avatars in 29 countries and 90% of their $60 million+ yearly revenue comes from virtual goods.

  • Gaia Online does over 50,000 person to person auctions and 1 million message board posts a day - making them the 3rd largest auction site and the 2nd largest message board on the Internet. Their average user consumes 1200 page views a month. They employ 3 people whose sole job it is to open snail mail envelopes full of cash that people send in for virtual goods.

  • There’s a commonly held misperception that virtual goods are only for online gamers. Both Dogster and HotorNot are succeeding with a hybrid ad/virtual goods business model. Currently, over 40% of HotorNot’s revenue comes from virtual goods.

  • Major mainstream brands are now buying advertising in the form of virtual goods in social networks. Gaians can now purchase and pimp their virtual Scion xBs. Coca Cola and Tencent partnered to allow Tencent’s users to trade codes taken from real Coke cans for virtual objects in the Tencent network. Wangyou, a Chinese based social network, has also been extremely aggressive in experimenting with branded virtual goods.

... So why do people spend real money on virtual objects? There are four major reasons:

Virtual objects aren’t really objects - they’re services

... People on HotorNot are paying $10 to send the object of their affection a virtual flower - which is a staggering 3-4x what you might pay for a real flower!

Virtual objects create real value for people

... I see widgets fueling a massively distributed microtransaction economy in the not too distant future.

The cost of buying objects can be cheaper than “earning” them

You can make money off of virtual objects

Last year we were inundated with stories about Second Life’s first real estate millionaire.

Perhaps a simple re-work of other papers?

Wednesday, June 20 2007 @ 06:00 PM CDT Contributed by: PrivacyNews News Section: Other Privacy News

The Student "I": A student conference on privacy and identity

University of Ottawa, Faculty of Law October 25, 2007

Graduate and undergraduate students from all disciplines are invited to submit an abstract for The Student “I”, a student conference on October 25, 2007 at the Faculty of Law, University of Ottawa, Canada.

Preceding the Revealed “I” conference hosted by researchers from On the Identity Trail, this day long student conference brings together students from around the world, selected through a peer-review process, to present research relating to identity, privacy, anonymity, technology, surveillance, and other related topics engaged by the On the Identity Trail project.

Source - blog*on*nymity

Sure. Research. Right. Although I think the author got it right – as do most of the comments. Actually worth reading!

10 Sales and Marketing Tips I Learned From Strippers

Strippers are such great salespeople. Really, they use a lot of highly effective sales and marketing techniques that can be applied in any business.

For those who have the white bronco as their screensaver...

O.J Simpson’s ‘Murder Confession’ Leaked to BitTorrent

In 2006 O.J Simpson announced he was releasing a book in which he would detail what would have happened, had he really committed the murders of his ex-wife and her boyfriend in 1994. After public outrage, the book was shelved and 400,000 copies of the book were destroyed but now a digital version has been leaked to BitTorrent.

Thursday, June 21, 2007

When you don't control your data (inventory, access rules, a plan!) you wind up in situations like this – where you repeatedly announce ever larger volumes of lost data. In short, you sound like a fool (or at best, an incompetent manager.)

Ohio Update: Strickland: Taxpayer info also on stolen computer tape

Wednesday, June 20 2007 @ 04:56 PM CDT Contributed by: PrivacyNews News Section: Breaches

Gov. Ted Strickland announced Wednesday that up to 225,000 taxpayers' personal information was also on the computer data tape that was recently stolen from a part-time intern's car. So far, information on nearly 500,000 Ohioans is confirmed to be on the stolen device.

Strickland disclosed Wednesday that the data tape included:

up to 225,000 names and Social Security numbers of Ohioans with uncashed tax refund checks issued in 2005, 2006 and through May 29, 2007.

602 Ohio Lottery winners who have not cashed their checks

2,488 Ohioans with uncashed checks of unclaimed funds

names and bank account numbers for 650 to 1,000 electronic fund transfer transactions that were rejected.

Source - Dayton Daily News

...for further investigation...

American pilots protest security breach on company Web site

Wednesday, June 20 2007 @ 06:40 PM CDT Contributed by: PrivacyNews News Section: Breaches

Personal information including Social Security numbers of more than 300 pilots and other employees at American Airlines, including the chief executive, was exposed on a company Web site, according to the pilots' union.

The company said it determined that only pilots and union officials saw the information on a password-protected internal site.

Source - Associated Press

This is the future. Live with it!

N.J. ID Theft Bill Stirs Insurers’ Ire

Wednesday, June 20 2007 @ 05:19 PM CDT Contributed by: PrivacyNews News Section: State/Local Govt.

New Jersey property-casualty insurance firms and other industries are objecting to a proposed regulation that would require the installation of what they term expensive and uniform information security systems.

The Division of Consumer Affairs recently closed the comment period on the new rule it has put forward to implement the Identity Theft Prevention Act of 2005.

Richard Stokes, regional manager for the Property Casualty Insurers Association of America (PCI), said his group and other industry trade groups have expressed concern about the security systems, based on federal standards, that must be emplaced by all businesses regardless of size.

Source - National Underwriter

Related - The New Jersey Consumer Affairs Division Has Gone Too Far, Says PCI

Before we laugh at “le frogs,” perhaps we should look around our own organizations. Would a threat of “immediate termination” stop this practice?

French Officials Can't Resist Their Crackberries, Even If It Means Giving Secrets To American Spies

from the must...-use...-crackberry dept

We've all heard the RIM Blackberry referred to as a "Crackberry" for its supposedly addictive nature... however, we never thought that it was true that anyone really couldn't do without their Blackberry mobile device. Apparently the French government has banned the devices for certain government officials who might email sensitive information. Since RIM has all emails run through its own servers, some of which reside in the US, the French government is worried (perhaps reasonably so) that American spies are snooping on their sensitive emails. However, apparently many French government officials just can't let go and are still using Blackberry devices on the sly... even if it means sending classified info. What's odd is that various officials say they can't find anything else that works quite like the Blackberry, even though there are more and more solutions that do -- and many of them don't require emails to go through special servers in the US.

Wow! This is like free money! If I sue 10 spammers a month, I'll be richer than Bill Gates in 3.2 years!

Lawsuit shows how to sue spammers

Wednesday, June 20 2007 @ 05:15 PM CDT Contributed by: PrivacyNews News Section: In the Courts

news analysis A recent decision in a lawsuit filed against a Florida credit counseling company offers a promising road map to follow for suing spammers.

After receiving at least nine unsolicited e-mail messages offering credit counseling services, Washington state resident Joseph Hylkema did more than just consign the spam to his junk mail folder: he decided to get even.

Source - C|net

Ubiquitous surveillance: This will continue to happen, I guarantee it!

Belk employees' lawsuit over hidden cameras heads to trial

Wednesday, June 20 2007 @ 05:17 PM CDT Contributed by: PrivacyNews News Section: Workplace Privacy

Belk department store managers allowed four cosmetics employees to continue changing in a stockroom for months after installing a hidden video camera, an Athens lawyer said in court Monday.

A jury trial to decide a lawsuit the employees filed in 2005 against Belk and several managers began Monday afternoon with opening statements and witness testimony. Four women, who sold makeup for the cosmetics firm MAC at the Atlanta Highway Belk, are seeking unspecified damages. Belk management expressly allowed the MAC employees to change in a stockroom, even setting up a mirror and a rack to hold clothes, their attorney Jimmy Hurt said.

Source - Rome News-Tribune (Props, Flying Hamster)

A new twist!

Judge Tells RIAA: Irreparable Harm Doesn't Mean What You Think It Means

from the try-again,-folks dept

The recording industry loves to throw around the term "irreparable harm" in its various lawsuits -- as if someone hearing a song they didn't pay for will mortally wound the industry. While some say that this is just standard legalese and we shouldn't read too much into it, it looks like a judge in New Mexico disagrees. In denying the RIAA's request to have the University of Mexico simply hand over info on someone using their network (without letting that individual fight back against the request for info), the judge notes: "While the Court does not dispute that infringement of a copyright results in harm, it requires a Coleridgian 'suspension of disbelief' to accept that the harm is irreparable, especially when monetary damages can cure any alleged violation." However, the judge argues, turning over someone's private info without giving them a chance to defend themselves and protest could cause irreparable harm: "the harm related to disclosure of confidential information in a student or faculty member’s Internet files can be equally harmful." Nice to see the judge recognize that just because someone may have listened to a song without paying for it, it doesn't mean that they lose all other rights.

Build your own robot lawnmower?

NASA Frees Their Robotics Software

Posted by samzenpus on Wednesday June 20, @07:19PM from the now-everyone-will-make-robots dept. Robotics Science

kremvax writes "It's a field day for robotics hackers everywhere, as NASA releases the first installment of their CLARAty reusable robotic software framework to the public. According to the JPL press release, these modules contain everything from math infrastructure to device drivers for common motors and cameras, and computer vision, image, and 3D processing."

You mean Al Gore might be wrong?

Read the sunspots

The mud at the bottom of B.C. fjords reveals that solar output drives climate change - and that we should prepare now for dangerous global cooling

R. TIMOTHY PATTERSON, Financial Post Published: Wednesday, June 20, 2007

... Climate stability has never been a feature of planet Earth. The only constant about climate is change; it changes continually and, at times, quite rapidly. Many times in the past, temperatures were far higher than today, and occasionally, temperatures were colder. As recently as 6,000 years ago, it was about 3C warmer than now. Ten thousand years ago, while the world was coming out of the thousand-year-long "Younger Dryas" cold episode, temperatures rose as much as 6C in a decade -- 100 times faster than the past century's 0.6C warming that has so upset environmentalists.

Wednesday, June 20, 2007

Old Identity Theft cases never die...

FTC looks for more victims of ChoicePoint breach

Breach victims have until August 18 to file claims with the FTC and get reimbursed from a fund ChoicePoint set up as part of its settlement

By Grant Gross, IDG News Service June 19, 2007

The U.S. Federal Trade Commission (FTC) is looking for victims of a data breach at ChoicePoint announced in early 2005.

Victims with out-of-pocket expenses due to the breach have until Aug. 18 to file claims and be eligible for payments from a $5 million fund that ChoicePoint agreed to pay in its January 2006 settlement with the FTC.

The FTC has now mailed reimbursement claim forms to 2,400 consumers who may have been victims of identity theft due to the breach, the agency said in a speech. The FTC has mailed claim forms to 1,000 consumers since December 2006, it said.

In addition, the FTC has created a Web site where consumers who do not receive a claim letter can download a claim form and get more information about the claims process.

Data broker ChoicePoint announced in early 2005 that identity thieves had set up fake businesses as a way to buy personal information from the company. The breach, affecting about 163,000 U.S. residents, set off a debate in the U.S. Congress about data breach protections, but Congress has yet to pass a data breach notification bill.

In its January 2006 settlement with the FTC, ChoicePoint agreed to pay a $10 million fine in addition to the $5 million victims fund. The company also agreed to third-party security audits every other year until 2026.

ChoicePoint also agreed in May to pay a $500,000 fine and change the way it screens new customers in a settlement with 43 states and the District of Columbia.

Tip on encryption, but interesting statistics...

Locking down laptops before it's too late

By Bill Watkins Story last modified Wed Jun 20 04:00:02 PDT 2007

... During 2005, 20 percent of all banks, 18 percent of credit card companies, 13 percent of government organizations and 9 percent of health care companies reported data breaches--and that number is growing.

... On a state by state basis, 29 states thus far have enacted data protection legislation and 28 of these laws have provisions calling for the encryption of digital content.

The flaw with current legislation is that it does not specify how to encrypt data--and that's critical. If agencies and companies encrypt their data using software, it's like locking individual car engine components--time-consuming, expensive and fraught with failure points. By contrast, hard drive full disc encryption is similar to a car key: it protects everything from the engine to the dashboard with a single mechanism and point of entry.

Wishing is not a very effective plan...

Massachusetts Far Behind on Open Document Format Adoption

By Eric Lai Computerworld 06/19/07 10:32 AM PT

Massachusetts' open formats policy is off to a slow start with only 250 of the government's 50,000 PCs outfitted with the necessary technology. Since the policy was publicly introduced last year, the plan has seen resistance from state employees and Microsoft, lobbying heavily against the format change.

Just an observation, but when the big boys start acquiring security companies it indicates (to me) that security is about to become a service differentiator.

HP to acquire SPI Dynamics

Published: 2007-06-19

Hewlett-Packard announced on Tuesday that the technology giant has agreed to buy Web security assessment company SPI Dynamics for an undisclosed sum.

The Atlanta-based security firm develops technology to assess Web site and application risks from development to deployment. The number of vulnerabilities in Web applications has skyrocketed in recent years, making up the lion's share of software flaws disclosed each year.

"Today, HP Software provides solutions that ensure that business applications run well," Jonathan Rende, vice president of products for HP's Quality Management Software group, said in a statement. "Now with the addition of SPI Dynamics, we can make sure it is also secure.”

The acquisition news comes two weeks after IBM revealed it had agreed to buy compliance and security firm Watchfire. IBM did not disclose the terms of that deal.

I wonder if they would be available for seminars?

Amero case spawns effort to educate

Robert Lemos, SecurityFocus 2007-06-19

A group of security professionals, legal experts and educators who helped former Connecticut substitute teacher Julie Amero overturn a conviction on charges of exposing her students to pornographic pop-up ads has formed a permanent organization that aims to educate the courts and legislators about technology, crime and digital forensics.

Taking the name of the person who brought them together, the members of the Julie Group intend to teach lawyers and end users about issues of technology and criminal law, lobby policy makers for fairness in criminal codes and regulations, and bring to light unfair prosecutions. The group will likely again offer their computer-security expertise to prosecutors and defense attorneys in future cases.

"Our helping Julie Amero was about two things: Getting Julie out of jail and making sure that something like this doesn't happen to other people," said Alexander Eckelberry, president of security firm Sunbelt Software. "We learned with Julie that giving people a voice makes a big difference."

On January 5, a six-person jury found Amero, a former substitute teacher at Kelly Middle School in Norwich, Connecticut, guilty of four counts of risk of injury to a minor, a Connecticut law that includes endangering the morals of a minor. The charges stem from an incident on October 19, 2004, when Amero's classroom computer started displaying pornographic pop-up advertisements.

Prosecutors argued that the images appeared because Amero visited porn sites while in class, while the former teacher's defense attorney argued that spyware installed from a hairstyling Web site caused the deluge of digital smut. The four convictions could have resulted in a maximum of 40 years in prison for the former schoolteacher.

Following the conviction, Eckelberry and others formed a group to analyze the evidence, producing a digital-forensics report that refuted many of the statements made by the prosecution's cybercrime expert, Mark Lounsbury, a detective with the Norwich Police Department, Eckelberry said.

The analysis was not straightforward. Other people, including the middle school's information technology administrator, had accessed the hard drive of the classroom's computer -- a Windows 98 SE machine sporting Internet Explorer 5 and expired security software -- following the pop-up incident. [“Contaminating the e-Crime Scene” Might be an interesting paper... Bob] Moreover, the investigators only gave the defense a copy of the files on the hard drive, not a bit-for-bit copy of the disk, said Joe Stewart, senior researcher for security firm SecureWorks and a member of the Julie Group's forensic analysis team.

"We had to go with what the prosecution gave to the defense," Stewart said. "You couldn't tell after the fact what had happened. You could tell that things were changed, but you couldn't tell how they were changed."

The security researcher hacked together a Web server that could use the browser cache and temporary files to recreate the last Web pages that appeared on the computer. The researchers used that and other digital forensics techniques to piece together some of what happened and refute the prosecution's interpretation of events.
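The cache-replay technique Stewart describes, rebuilding the last pages a browser showed from what survives in its cache, is easy to illustrate. The following is an added example written for this post, not the Julie Group's tool: it assumes the cache has already been indexed into a URL-to-bytes mapping (real caches need a format-specific index parser first), rewrites each page's links to point at the locally cached copies, and records every referenced object that is *not* in the cache, since those gaps are exactly what an examiner must not fill in with guesses. The sample cache contents are constructed.

```python
"""Rebuild cached web pages for offline examination (constructed example)."""
import re
from pathlib import Path
from urllib.parse import urljoin

# Constructed sample "cache": original URL -> stored bytes. A real browser
# cache supplies this mapping through its own index file; parsing that
# index is outside this example.
SAMPLE_CACHE = {
    "http://example.invalid/index.html": b"""<html><body>
<a href="/page2.html">next</a>
<img src="http://example.invalid/img/logo.gif">
<script src="http://ads.invalid/popup.js"></script>
</body></html>""",
    "http://example.invalid/page2.html": b"<html><body>page two</body></html>",
    "http://example.invalid/img/logo.gif": b"GIF89a...",
}

# href="..." / src='...' attributes; deliberately simple, no HTML parser needed
URL_ATTR = re.compile(r'(?i)\b(href|src)=(["\'])([^"\']+)\2')


def local_name(url):
    """Deterministic, filesystem-safe file name for a cached URL."""
    return re.sub(r"[^A-Za-z0-9._-]", "_", url)


def is_html(data):
    """Cheap content sniff: treat objects starting with '<' as HTML."""
    return data.lstrip().startswith(b"<")


def rewrite_page(cache, page_url):
    """Return (rewritten_html, missing) for the cached page at page_url.

    Every href/src that resolves to an object present in the cache is
    rewritten to the local copy's name. References to objects absent from
    the cache are left untouched and listed in `missing`, so the examiner
    can see which parts of the page the evidence cannot reconstruct.
    """
    html = cache[page_url].decode("utf-8", errors="replace")
    missing = []

    def repl(match):
        attr, quote, ref = match.group(1), match.group(2), match.group(3)
        absolute = urljoin(page_url, ref)  # relative links become absolute
        if absolute in cache:
            return f"{attr}={quote}{local_name(absolute)}{quote}"
        missing.append(absolute)
        return match.group(0)

    return URL_ATTR.sub(repl, html), missing


def export_cache(cache, outdir):
    """Write every cached object to outdir, rewriting HTML pages.

    Returns {page_url: [missing references]} for the HTML pages, so the
    report can state what was and was not recoverable.
    """
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    report = {}
    for url, data in cache.items():
        if is_html(data):
            html, missing = rewrite_page(cache, url)
            (out / local_name(url)).write_text(html, encoding="utf-8")
            report[url] = missing
        else:
            (out / local_name(url)).write_bytes(data)  # binary objects as-is
    return report


if __name__ == "__main__":
    # Rebuild the constructed cache into ./rebuilt and show the gaps.
    for page, gaps in export_cache(SAMPLE_CACHE, "rebuilt").items():
        print(page, "-> missing:", gaps or "none")
```

Once exported, the directory can be opened directly in a browser or served with `python -m http.server` from inside it; nothing is fetched from the live sites, which matters because a referenced object that is no longer cached was either never loaded or has since been overwritten, and either way is not evidence of what the user saw.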

The independent group's analysis of the classroom computer, and vocal criticism from technology professionals across the Internet, convinced the prosecution to request its own digital forensics report from the state's crime laboratory. Following that analysis -- and after delaying Amero's sentencing four times to allow any new evidence to be uncovered -- the judge granted on June 6 a motion by the defense to overturn the verdict and allow a new trial.

... The Amero case would not be the first time that confusion about technology has led to problematic prosecutions. In 2002, a 29-year-old network administrator was convicted under the Computer Fraud and Abuse Act for sending 5,600 e-mail messages to customers of his former employer -- the now-defunct e-mail provider Tornado Development -- warning about a security hole in Tornado's service that left private messages vulnerable to unauthorized access. The prosecutors in the case argued, and the judge agreed, that McDanel was guilty of unauthorized access and abused Tornado's e-mail servers to send the messages. The prosecutors have since admitted their mistake and the case was overturned on appeal, but not before McDanel served 16 months in prison.

While such cases appear to account for a small number of prosecutions, the increased sophistication employed by bot masters and fraudsters in compromising victims' computers could mean that more muddled cases might be ahead.

"Thinking about the implications -- that any teacher could get infected after going online, have porn show up on their computer and go to jail for 40 years -- that's bad," said SecureWorks' Stewart.

I haven't seen details of the presentations yet, but I'll check back...

Global legal challenges: General Counsel Forum, Stanford’s E-Commerce Best Practices conference

Posted by Denise Howell @ 5:34 pm June 18th, 2007

... The session focused on legal issues related to doing business globally. My notes follow.
June 19, 2007

May 2007 Global Legal Monitor Now Online

Law Library of Congress Global Legal Monitor, May 2007, Issue 5 (58 pages, PDF)

Should we abandon “need to know?” Very “Internet”

June 19, 2007

DNI McConnell's Foreign Affairs Article

DNI McConnell's Foreign Affairs Article, "Overhauling Intelligence" (10 pages, PDF): "Before World War II, the United States' defense, intelligence, and foreign policy apparatus were fragmented, as befitted a country with a limited role on the world stage. With U.S. entry into the war, interagency collaboration developed out of crisis-driven necessity. Wartime arrangements, although successful, were ad hoc. And after the war, President Harry Truman and Congress realized that the United States could not meet its new responsibilities without a national security structure that rationalized decision-making and integrated the intelligence and military establishments."

I just love these lists. Always something new to check out...

Webware 100 winners announced!

By Rafe Needleman – June 18, 2007, 3:00 PM PDT

Dilbert's advice to drivers of gas guzzlers...