Saturday, July 14, 2007

There seems to be some confusion on the total count. Last story I posted claimed about 860,000 total, or perhaps I didn't read it carefully enough.

Ohio data theft deepens

Stolen device has information on 1.1 million people and businesses

By Dennis J. Willard Beacon Journal Columbus Bureau

... Strickland moved quickly to mail notices to taxpayers, former state employees dating back to 1999, vendors who had conducted business with the state and others as the seemingly minor crime continues to broaden and possibly threaten the financial security of an estimated 859,852 individuals and 258,529 businesses, vendors, school districts and others for a total of 1,118,381.

... “While the state continues to believe it is highly unlikely that the information contained in the stolen device has been accessed, individuals affected by this latest announcement will be offered service by Debix,” Strickland said, referring to the firm hired to provide identity theft protection to anyone affected for up to a year.

About 58,400 people have signed up for Debix. The newly found names will cost the state an estimated $890,000 more.

Although Strickland continues to stress that the information would be difficult to decode without a high degree of technological finesse, a top official in the Ohio Department of Administrative Services (DAS) admitted that an outside vendor, Interhack Corp. of Columbus, hired to assist the state, has been able to access information contained within a similar database encrypted by the same software.

... State Rep. Kevin DeWine, R-Fairborn, who co-chairs the Ohio Republican Party, said each week brings surprises and more bad news about how badly the data theft has been managed.

... State Sen. Kevin Coughlin, R-Cuyahoga Falls, said the cost to taxpayers is $2.2 million and growing.

... A subgroup of 14,874 individuals has had some business dealings with the state, but state officials have yet to determine the exact source of the data. [That can't be true, can it? “We do business with these folks, but don't know what business we do?” Bob]

... State officials acknowledged three people whose information is on the tape have reported incidents of identity theft, but the patrol believes there is no connection between the crimes and the data.

...and another trickle of information.

More People Busted With Credit-Card Numbers From TJX Breach

from the cha-ching dept

The Secret Service has busted four people in Florida, and recovered 200,000 credit cards from the TJX breach that was disclosed earlier this year. Recovering the credit-card numbers at this point does little more than link the fraudsters to the breach, but they're said to have been used to rack up more than $75 million in fraudulent charges. The people busted here didn't apparently participate in the theft of the credit-card data, but bought them from "known cybercriminals in Eastern Europe" and then used the numbers to make counterfeit cards. In any case, they're way more productive than another group of Florida scammers busted back in March, who only managed to rack up $8 million worth of goods at Sam's and Wal-Mart. Since banks get left holding the bag for this type of fraud, expect more lawsuits as they look to recover their losses from TJX's astounding level of incompetence. [Perhaps we could get them to adopt this as a new corporate motto? Bob]

He wasn't actually a disgruntled employee, but he expected to be in the near future. Looks like they would never have noticed this if the employee didn't brag to his peers...

MSD worker fired in security breach

Friday, July 13 2007 @ 02:10 PM CDT Contributed by: PrivacyNews News Section: Breaches

The Metropolitan St. Louis Sewer District has fired an employee after executives learned the employee had downloaded Social Security numbers of about 1,600 current or former district employees to a home computer. The Social Security numbers were part of a computer file the district uses to make sure workers get the proper pay.

The employee had worked more than 10 years in the finance department. Lance LeComb, a district spokesman, said the employee had insinuated to fellow workers that the file could be used to retaliate against the district if that person was disciplined for poor performance. [“But fortunately we detected this and ‘pre-taliated’ before he could re-taliate.” Bob]

Source -

At least some interesting quotes...

IT Security: The Data Theft Time Bomb

While viruses and worms remain the most pesky security problems, data theft concerns simmer beneath the surface, according to InformationWeek's 10th annual Global Information Security survey.

By Larry Greenemeier, InformationWeek July 14, 2007

... InformationWeek Research's 10th annual Global Information Security survey, conducted with consulting firm Accenture, shows that two-thirds of 1,101 survey respondents in the United States and 89% of 1,991 respondents in China are feeling just as vulnerable to security attacks as last year, or more so.

Contributing to this unease is the perception that security technology has grown overly complex, to the point where it's contributing to the problem. The No. 1 security challenge identified by almost half of U.S. respondents is "managing the complexity of security." So-called "defense-in-depth" is just another way of saying "you've got a bunch of technologies that overlap and that don't handle security in a straightforward manner," says Alastair MacWillson, global managing director of Accenture's security practice. "It's like putting 20 locks on your door because you're not comfortable that any of them works."

Yet a case can be made that respondents aren't worried enough, particularly about lost and stolen company and customer data. Only one-third of U.S. survey respondents and less than half of those in China cite "preventing breaches" as their biggest security challenge. Only one-quarter of U.S. respondents rank either unauthorized employee access to files and data or theft of customer data by outsiders in their top three security priorities, and even fewer put the loss or theft of mobile devices containing corporate data or the theft of intellectual property in that category.

... Instead, as with last year, the top three security priorities are viruses or worms (65% of U.S. respondents, 75% in China), spyware and malware (56% and 61%), and spam (40% in both countries).

... For example, the No. 1 reason for feeling more vulnerable to attack this year, according to 70% of U.S. respondents, is the increased sophistication of threats, including SQL injections.

... The next three reasons for feeling vulnerable: more ways for corporate networks to be attacked (including wireless access points); increased volume of attacks; and more malicious intent on the part of attackers (i.e., theft, data destruction, and extortion).

... Similarly, viruses, worms, and phishing are the top three types of security breaches reported by U.S. respondents. Seventh on the list: identity theft. But that doesn't mean that identity theft isn't a greater threat. Identity theft and fraud are worst-case scenarios for a company whose data has been compromised, but not having experienced them could be as much about luck as it is security.

... Perhaps the most surprising stat of the entire survey is that nearly a quarter of U.S. respondents don't measure the value of their security investments at all.

... Such intrusions, however, aren't the only concerns. Of the 804 U.S. respondents admitting to having experienced breaches or espionage in the past 12 months, 18% attribute the problem to unauthorized employees, and 16% suspect authorized users and employees.

... Some companies prefer the Big Brother approach. Of the U.S. respondents who say their companies monitor employee activities, 51% monitor e-mail use, 40% monitor Web use, and 35% monitor phone use, roughly consistent with last year's findings. However, other sources of data leakage are given less attention: Only 29% monitor instant messaging use, 22% the opening of e-mail attachments, and 20% the contents of outbound e-mail messages. And only a handful keep a close eye on the use of portable storage devices.

... A significant number of respondents want to put the responsibility for porous security on the companies selling them security technology. Forty-five percent of U.S. companies and 47% of companies in China think security vendors should be held legally and financially liable for security vulnerabilities in their products and services.

Some of the unease about corporate IT security may stem from the fact that most companies don't have a centralized security executive assessing risks and threats and then calling the shots to address these concerns. [see next... Bob]

... The number of chief information security officers has grown significantly in the last year. Roughly three-quarters of survey respondents say their companies have CISOs, [Yet they apparently are not responsible for security! See below. Bob] compared with 39% in 2006. CISOs predominantly report to the CEO or the CIO.

When it comes to the ultimate sign-off, however, half of U.S. companies say that the CEO determines security spending. In the United States, the greatest percentage of respondents, 37%, say their companies assess risks and threats without the input of a CISO, while an astounding 22% say they don't regularly assess security risks and threats at all.

... If it all sounds overwhelming, don't panic. While information security has gotten more complex--as attackers alter both their methods and their targets, and companies layer more and more security products on top of each other--the good news is that the measures required to plug most security holes often come down to common sense, an increasingly important quality to look for in any employee or manager handling sensitive data.


How to Backup Your Smart Phone

Posted by Zonk on Friday July 13, @04:52PM from the smartness-of-user-not-guaranteed dept.

Lucas123 writes "According to a Computerworld story there will be 8 million cell phones/smart phones lost this year. The site describes how to easily back up data on handhelds. The piece also addresses the future of these technologies: 'In Dulaney's opinion, traditional USB syncing "will die." Gartner is telling its corporate customers they should hasten this process by not permitting their employees to sync to their PCs. He explains this by saying that individual end users can create distributed computing and security problems because they are poor data administrators. Moreover, he adds, PCs are not necessarily more reliable than cell phones. Drake gives a qualified endorsement of wireless e-mail as the master application for backing up and syncing data, saying the technology is fine for dedicated e-mail environments but insufficient for corporate environments that require a vast array of wireless applications.'"

This could never happen here... Oh, wait.

U.S. is building database on Iraqis

Friday, July 13 2007 @ 01:39 PM CDT Contributed by: PrivacyNews News Section: Fed. Govt.

The U.S. military is taking fingerprints and eye scans from thousands of Iraqi men and building an unprecedented database that helps track suspected militants.

U.S. troops are stopping Iraqis at checkpoints, workplaces and sites where attacks have recently occurred, and inputting their personal data using handheld scanners or specially equipped laptops. In several neighborhoods in and around Baghdad, troops have gone door to door collecting data.

The rapidly expanding program has raised privacy concerns at the Pentagon, although it has met little resistance from Iraqis. U.S. commanders say the data help to keep suspected militants out of neighborhoods and to identify suspects in attacks against U.S. troops and Iraqi civilians. Iraq has no other reliable ID system.

Source - USA Today

Law as a business strategy (or compensation for not having a strategy that works)

Another Telco Says Muni WiFi Is OK Only If It's Providing It

from the le-hypocrisy dept

Telcos' resistance to municipal WiFi broadband projects is pretty well documented, but it's been interesting to see how their position changes once they realize they can make some money from running the muni networks. Over in France, the country's incumbent operator, France Telecom, has filed a legal challenge to Paris' plan to roll out free hotspots (via MuniWireless), saying they will illegally compete with its network of 2,250 paid hotspots in the city. This argument has been made before in Europe, like in Barcelona, where the city was forced to shut down its hotspots after a similar complaint -- even though they blocked access to everything except 60 sites with city information and services. What makes France Telecom's suit even more ridiculous is that its mobile phone unit, Orange, bid on the tender to provide the service for the city. Now, after it's lost out, the company cries foul. [How can you lose the bid in a market where you are the monopoly and already have the infrastructure in place? Bob]

The young think differently (or not at all?)

Japan Bans Use of Web Sites in Elections

Posted by Zonk on Friday July 13, @09:49PM from the defeats-the-point-a-bit dept.

couch_warrior writes with a BBC article about Japan's choice to restrain political speech in the 21st century. The nation of Japan bans the use of internet sites to solicit voters in its upper house elections. Based on election laws drawn up in the 50s, candidates are restricted in the ways they can reach their constituents. Candidates are even restrained from distributing leaflets that will reach more than 3% of the voters. What's more, people who are trying to change the laws are failing. Despite heavy internet usage and a strong installed base of high-speed connectivity, young people just don't feel involved in politics. "In Japan, 95% of people in their 20s surf the web, but only a third of them bother to vote. Some, though, do not seem keen on politicians using the web to try to win their support. 'I believe that internet resources are not very official,' says Kentaro Shimano, a student at Temple University in Tokyo. 'YouTube is more casual; you watch music videos or funny videos on it, but if the government or any politicians are on the web it doesn't feel right.' Haruka Konishi agrees. 'Japanese politics is something really serious,' she says. 'Young people shouldn't be involved, I guess because they're not serious enough or they don't have the education.' There cannot be many places in the world where students feel their views should not count. Perhaps it is really a reflection of the reality — that they do not."

[From the article:

... it is now illegal for candidates to create new websites or update existing web pages between now and election day, 29 July.]

Another symptom of youth? (When Alzheimer's hits this generation, they'll forget where they left their iPods...)

Gadgets Have Taken Over For Our Brains

Posted by Zonk on Saturday July 14, @04:38AM from the let's-get-started-with-the-implants dept.

skotte writes "According to a Trinity College survey released Friday, the boom in mobiles and portable devices that store reams of personal information has created a generation incapable of memorizing simple things. In effect, the study argues, these devices have replaced our long-term memory capabilities. 'As many as a third of those surveyed under the age of 30 were unable to recall their home telephone number without resorting to their mobile phones or to notes. When it came to remembering important dates such as the birthdays of close family relatives, 87 per cent of those over the age of 50 could remember the details, compared with 40 per cent of those under the age of 30.'"

Alice laughed. "There's no use trying," she said; "one can't believe impossible things."

"I daresay you haven't had much practice," said the Queen. "When I was younger, I always did it for half an hour a day. Why, sometimes I've believed as many as six impossible things before breakfast."

Verizon Gets Out of The Copper Business

by Mark Ontkush, Boston, Massachusetts, USA on 07.12.07


Copper hit $3.66 a pound today on the COMEX exchange - that's a lot. Copper is heavier than iron, and the weight really adds up quickly. For example, it only takes 146 pre-1982 pennies to make a pound. Yes, that means you can make $2.20/lb. by melting down your pennies. Except, of course, it is explicitly illegal to do so. At current rates, a cubic inch of copper is worth a little over a dollar; a cubic foot is (get this) worth over $2000.

It's not just copper; aluminum, zinc, bronze and stainless steel are all commanding high prices these days. These may seem like novel facts until one more novel fact is added; that is, a lot of public infrastructure is made out of these metals. Enterprising folks are literally ripping off anything that isn't nailed down - bleachers, for example. Beer kegs aren't being returned, and some police departments can't get ammunition. Fortune, for all its glory, printed a veritable how-to guide on how to pick and choose the choice items in the publo-sphere. And some big companies, like Verizon, are taking big hits.

Verizon, the telecom provider, is bleeding from every pore; vandals stole over $300,000 in copper from their cell phone towers last year, and that was just in California! In addition, their copper cable network is collapsing, because subscribers are abandoning it in favor of their faster FIOS (fiber optic) network. Maybe that's why Verizon made the decision to kill off their copper infrastructure.

Report from the license war...

Linux Creator Calls GPLv3 Authors 'Hypocrites'

Posted by Zonk on Friday July 13, @06:34PM from the family-feud dept.

AlexGr writes "We've heard conflicting tales regarding Linus Torvalds' acceptance of GPLv3. InformationWeek reports on comments by Mr. Torvalds that would seem to decide the issue: 'Torvalds said the authors of a new software license expected to be used by thousands of open source programmers are a bunch of hypocrites ... For Torvalds' part, it appears unlikely he'll ever adopt GPLv3 for the Linux kernel. He accused the Free Software Foundation leadership, which includes eccentric, MIT-trained computing whiz Richard Stallman, of injecting their personal morality into the laws governing open source software with the release of GPLv3. "Only religious fanatics and totalitarian states equate morality with legality," Torvalds wrote.'"

e-Discovery I'm sure Microsoft planned to do this... (But be careful of “Subversive” bots that someone will certainly write to diddle the data and befuddle the lawyers.)

Vista Makes Forensic PC Exam Easier for Lawyers

Posted by Zonk on Saturday July 14, @07:07AM from the can-i-introduce-you-to-some-nice-encryption dept.

Katharine writes "Jason Krause, a legal affairs writer for the American Bar Association's 'ABA Journal' reports in the July issue that Windows Vista will be a boon for those looking for forensic evidence of wrongdoing on defendants' PCs and a nightmare for defendants who hoped their past computer activities would not be revealed. Krause quotes attorney R. Lee Barrett, 'From a [legal] defense perspective, [Vista] scares me to death. One of the things I have a hard time educating my clients on is the volume of data that's now discoverable.' This is primarily attributable to Shadow Copy, TxF and Instant Search."

Another forensic tool. The dot pattern the printers use has been decoded. (It's Braille?)

MIT Group Starts Campaign to Stop Printer Companies From Spying On You

By Ryan Singel | July 13, 2007 | 12:02:56 PM

Manufacturers of color laser printers quietly cooperated with the Secret Service to print nearly invisible tracking codes on every color page printed through laser printers individuals buy, ostensibly as a way to track down forgeries.

The Computing Counter Culture Group at MIT Media Labs now wants laser printer owners to start asking hard questions of the manufacturers. And they say that one person who contacted his printer manufacturer got a visit a few days later from Secret Service agents who wanted to know why that person hated freedom.

All the info is on their site, Seeing Yellow.

Interesting question... Next thing you know, they'll try to make us into a democracy! (You know, this would be so easy to do it could be a student project...)

Open Legislation, Part 1: What If Everybody Got to Write Laws?

By Katherine Noyes, LinuxInsider (part of the ECT News Network), 07/13/07 4:00 AM PT

Wikis and other online tools make possible a level of collaboration that couldn't have been imagined a few decades ago, noted Peter Leyden, director of the New Politics Institute. "Wikis are still a new technology that many people don't fully understand, but they're just useful tools to help collaboration, which ultimately is what much legislation comes down to," Leyden said.

Some areas were dropped because Congress changed the definition – not because DHS is keeping secrets!

July 13, 2007

DHS Privacy Office 2007 Data Mining Report to Congress

2007 Data Mining Report (PDF, 42 pages) - DHS Privacy Office Response to House Report 109-699, July 6, 2007: "This is the second report by the Privacy Office to Congress on data mining. This report describes data mining activities deployed or under development within the Department that meet the definition of data mining as mandated in House Report No. 109-699 - Making Appropriations for the Department of Homeland Security for the Fiscal Year Ending September 30, 2007, and for Other Purposes."

This is sure to spread... (Of course it also raises the barrier to entry...)

ISP sues Dutch government for wiretapping costs

11/03/2005 by Joe Figueiredo

XS4ALL, the internet service provider and subsidiary of Dutch telecom concern KPN, is suing the Dutch government for the cost of enabling its network to handle wiretaps.

The handling of wiretaps is required by the Dutch Telecommunication Act of 1998, which was further expanded in 2004 to include European Union requirements.

XS4ALL says it has invested some €500,000 - a significant slice of its profits - since the end of 2001 in order to comply with the wiretapping requirements of the law, something the service provider finds unreasonable as such investments do not profit the company and are not reimbursable (as they are made in the public interest).

... Currently, the EU is proposing legislation that would oblige telecom providers to save all traffic data on internet and telephony usage for a period of one to three years. This data retention requirement could financially affect Dutch telecom ISPs and telecom operators still further.

Friday, July 13, 2007

They are supposed to come to your site and destroy the documents under your supervision. Both parties have to screw up for this to happen. (And how mobile are you if you drive from Seattle to Dallas?)

Seattle loan documents scattered across Dallas

Thursday, July 12 2007 @ 08:35 PM CDT Contributed by: PrivacyNews News Section: Breaches

BELLEVUE, Wash. - Along a busy street in Dallas, Texas, a mobile shredding truck recently lost some of its load.

Among the scattered materials were unshredded, easy-to-read loan documents that could be traced back to the Seattle and Bellevue areas.

Source -

Another interesting business decision?

AU: Alert for Visa card security

Thursday, July 12 2007 @ 08:36 PM CDT Contributed by: PrivacyNews News Section: Breaches

Hundreds of Tasmanian Visa card holders have been told to cut up their cards after a security breach in Sweden.

Computer tapes containing card holders' details nationwide were among items in a car stolen from a Swedish data processing company in May.

Many Australian financial institutions are affected, but only some are notifying customers.

Source -

This is only fair... Isn't it?

Sony BMG Hits Rootkit Providers With Lawsuit

from the misapportioned-blame dept

Sony BMG settled both the class-action lawsuit against it and with the FTC, after it distributed rootkits that opened up security holes on consumers' PCs in the copy protection it used on its CDs. Now the company's filed a suit of its own against Amergence, formerly known as SunnComm, and its MediaMax unit, which supplied one of the pieces of copy-protection software in question. The lawsuit alleges Amergence/SunnComm supplied Sony BMG with faulty software -- which, all things considered, seems true. But the bigger issue here is that Sony BMG is implying that none of this mess is its fault, when it's the one that felt the need to implement the DRM in the first place. As we've pointed out plenty of times, DRM doesn't stop piracy, it just annoys legitimate customers. The SunnComm and XCP copy-protection that Sony BMG implemented on its CDs didn't stop piracy, and it wouldn't have, even if it hadn't been "faulty", as the suit alleges. It created a huge PR mess for the company, and it's cost them a fair bit of money to clean things up. Getting $12 million from Amergence won't change the fact that deciding to put the DRM on its CDs was a bonehead move that never would have delivered any real benefits.

Oops is not a legal term.

Spam filter costs lawyers their day in court

Attempt to keep porn out of the workplace caused law firm to miss important notice

By Robert McMillan, IDG News Service July 12, 2007

The trouble at Franklin D. Azar & Associates began with pornographic spam.

Last May, the Aurora, Colo., law firm was being bombarded with offensive messages, and enough of it was seeping through the company's spam filters that employees complained to management. IT administrator Kevin Rea was told to do something.

What happened next, as detailed in federal court filings, shows how the fight against spammers can backfire. Spammers have been using increasingly sophisticated techniques to evade filters, so that over the past few years and despite predictions to the contrary, unsolicited e-mail continues to plague businesses worldwide.

On the morning of May 21, Rea dialed up the spam settings on the Barracuda Spam Firewall 200 used by Azar & Associates to block unwanted mail. The changes made it harder for spam to land on the desktops of company employees, but they also had one unforeseen consequence: The Barracuda Networks appliance began blocking e-mail from the U.S. District Court for the District of Colorado, including a notice advising company lawyers of a May 30 hearing in a civil lawsuit.

Azar & Associates lawyers blew their court date, and this week, the judge overseeing the matter ordered the company to pay attorney fees and expenses incurred by the lawyers who showed up representing the other side of the case. Rea did not return a call seeking comment on the matter.

... "You can be notified other ways, but by and large the business of law is carried on electronically, at least in the federal courts," Carelli said.

Putting the federal courts, which use the domain, on a "whitelist" of approved senders is one way to avoid problems receiving e-mail.

In fact, the Colorado federal court judge in the Azar & Associates case criticized the law firm for not whitelisting his court's domain name. [Judges got tech chops! Bob] "It would have been a very simple task to whitelist the... [domain] to insure that such e-mails within this domain would always be received."

The judge's order will probably end up costing Azar & Associates several thousand dollars, said Venkat Balasubramani, principal of Balasubramani Law, who has blogged about the issue.

... He avoids whitelists because they must be manually maintained, and there is the possibility for human error. But Fenwick & West IT staff uses several mail filtering systems, each considered to have a low frequency of error, and they've also programmed their filters to allow more spam than other businesses because of concern over this issue.
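As an added example, not code from the article, from Barracuda Networks or from either law firm, here is the decision logic the story turns on in a small Python mail gate: a whitelist of trusted sender domains that bypasses the spam score, honoured only when the receiving MTA has recorded an SPF or DKIM pass for that domain, since the From: header alone is easy to forge. The court domain is a placeholder because the article elides it; the messages and scores are constructed.

```python
"""Added example (not from the article or any vendor): a mail gate showing
how a tightened spam threshold and a sender whitelist interact, and why the
whitelist should be tied to authentication results rather than From: alone."""
from dataclasses import dataclass
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Placeholder for the court domain the article leaves out (constructed).
TRUSTED_DOMAINS = {"example-court.invalid"}


@dataclass
class Verdict:
    action: str   # "deliver", "quarantine" or "block"
    reason: str


def sender_domain(msg: Message) -> str:
    """Domain of the From: address, lower-cased ('' if absent or malformed)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def authenticated(msg: Message, domain: str) -> bool:
    """Honour a whitelist match only if the receiving MTA recorded an SPF or
    DKIM pass for that domain in an Authentication-Results header (RFC 8601).
    The parse is deliberately simplistic: it looks for the result token and
    the domain inside the same header value."""
    for value in msg.get_all("Authentication-Results", []):
        low = value.lower()
        if "spf=pass" in low and "@" + domain in low:
            return True
        if "dkim=pass" in low and "header.d=" + domain in low:
            return True
    return False


def gate(msg: Message, spam_score: float, threshold: float,
         whitelist: set) -> Verdict:
    """Decide what happens to one message.

    spam_score is whatever the content filter produced; threshold is the
    setting the administrator in the story tightened.  Whitelisted domains
    bypass the score, but only when authenticated; a whitelisted domain that
    fails authentication is held for human review rather than dropped silently,
    because silent loss of a court notice is exactly the failure in the story."""
    domain = sender_domain(msg)
    if domain in whitelist:
        if authenticated(msg, domain):
            return Verdict("deliver", "whitelisted and authenticated")
        return Verdict("quarantine", "whitelisted domain, authentication failed")
    if spam_score >= threshold:
        return Verdict("block", f"score {spam_score} >= threshold {threshold}")
    return Verdict("deliver", f"score {spam_score} < threshold {threshold}")


# Constructed sample messages.  The first stands in for the hearing notice;
# the second forges the same From: domain but fails SPF at the receiving MTA.
COURT_NOTICE = """\
From: Clerk of Court <notices@example-court.invalid>
To: counsel@lawfirm.example
Subject: Notice of hearing set for May 30
Authentication-Results: mx.lawfirm.example; spf=pass smtp.mailfrom=notices@example-court.invalid

A hearing in the above-captioned matter is set for May 30.
"""

FORGED_NOTICE = """\
From: Clerk of Court <notices@example-court.invalid>
To: counsel@lawfirm.example
Subject: Urgent notice, open attachment
Authentication-Results: mx.lawfirm.example; spf=fail smtp.mailfrom=notices@example-court.invalid

See attachment.
"""


def demo() -> dict:
    """Replay the incident: the same notice under the old and new thresholds,
    then with the court domain whitelisted, then a forged look-alike."""
    notice = message_from_string(COURT_NOTICE)
    forged = message_from_string(FORGED_NOTICE)
    score = 3.5  # borderline score such a notice might receive (constructed)
    return {
        "before_tightening": gate(notice, score, 5.0, set()).action,
        "after_tightening": gate(notice, score, 3.0, set()).action,
        "after_with_whitelist": gate(notice, score, 3.0, TRUSTED_DOMAINS).action,
        "forged_sender": gate(forged, score, 3.0, TRUSTED_DOMAINS).action,
    }


if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case:22s} -> {action}")
```

Run as a script, the four cases print deliver, block, deliver and quarantine in that order: the tightened threshold alone loses the notice, the whitelist restores it, and the forged sender does not ride along on the court's name.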

Perhaps a local group of religious fanatics? Shouldn't DHS get involved?

Threats by religious group spark probe at CU-Boulder

By The Denver Post Article Last Updated: 07/10/2007 03:09:28 AM MDT

University of Colorado police are investigating a series of threatening messages and documents e-mailed to and slipped under the door of evolutionary biology labs on the Boulder campus.

The messages included the name of a religious-themed group and addressed the debate between evolution and creationism, CU police Cmdr. Brad Wiesley said. Wiesley would not identify the group named because police are still investigating.

Why don't you just say, “Because we don't want to...”

UK: Experian rejects ID theft notification proposal

Thursday, July 12 2007 @ 10:22 AM CDT Contributed by: PrivacyNews News Section: Breaches

Credit rating giant Experian has rejected the notion of automatically informing UK citizens when their ID details may have been hijacked.

Experian’s hardline stance came at a conference on “Big Brother Britain” in London today, where a number of speakers said that more severe penalties and obligations should be imposed on companies to ensure individuals' data privacy concerns are taken seriously.

... [Gillian Key-Vice, Experian’s director of regulatory affairs] said that while she recognised why people might “think it’s a good idea”, such a scheme could cause “unnecessary concern” amongst individuals where a breach has already been “managed”.

Source - The Register

Don't confuse me with facts!

Researcher: Optimal copyright term is 14 years

By Nate Anderson | Published: July 12, 2007 - 01:36PM CT

It's easy enough to find out how long copyrights last, but much harder to decide how long they should last—but that didn't stop Cambridge University PhD candidate Rufus Pollock from using economics formulas to answer the question. In a newly-released paper, Pollock pegs the "optimal level for copyright" at only 14 years.

Pollock's work is based on the premise that the optimal level of copyright drops as the costs of producing creative work go down. As it has grown simpler to print books, record music, and edit films using new digital tools, the production and reproduction costs for creative work have dropped substantially, but actual copyright law has only increased.

According to Pollock's calculations (and his paper [PDF] is full of calculations), this is exactly the opposite result that one would expect from a rational copyright system. Of course, there's no guarantee that copyright law has anything to do with rationality; as Pollock puts it, "the level of protection is not usually determined by a benevolent and rational policy-maker but rather by lobbying." The predictable result has been a steady increase in the period of copyright protection during the twentieth century.

... Pollock has been an advocate for restricted copyright terms and stronger public domain for years; we earlier spotlighted a brief essay of his on the "Value of the Public Domain" that is well worth a read.

An insignificant (but amusing) first.

First YouTube video cited in court opinion

Posted by Declan McCullagh July 12, 2007 10:52 PM PDT

Terence Evans this week became the first judge in the United States to cite a YouTube video in a written opinion.

... As background, Evans included a description of what baseball fans remember as Brett's famous Pine Tar Incident in a 1983 game against the New York Yankees over whether the bat was legal to be used. Brett's home run was nullified by an umpire, the Yankees won, but on appeal to the American League his team got a second try and eventually beat the Yankees 5-4.

Evans wrote: "Baseball, like our legal system, has appellate review...It ended after 12 minutes when Royals' closer Dan Quisenberry shut the door on the Yankees in their half of the ninth to seal the win. The whole colorful episode is preserved, in all its glory, on YouTube, at (last visited June 6, 2007). See also Retrosheet Boxscore, Kansas City Royals 5, New York Yankees 4, at http://ww (last visited June 6, 2007)."

The YouTube video, by the way, has been taken down since the court visited it last week. A note on the site says: "This video is no longer available due to a copyright claim by MLB Advanced Media." (A search of a legal database on Thursday turned up some cases mentioning YouTube and copyright decisions involving the company, but no published opinions citing a specific video.)

... Evans, by the way, has a habit of writing amusing opinions. Another included this footnote: "The trial transcript quotes Ms. Hayden as saying Murphy called her a snitch bitch 'hoe.' A 'hoe,' of course, is a tool used for weeding and gardening. We think the court reporter, unfamiliar with rap music (perhaps thankfully so), misunderstood Hayden's response. We have taken the liberty of changing 'hoe' to 'ho,' a staple of rap music vernacular as, for example, when Ludacris raps 'You doin' ho activities with ho tendencies.'"

Good technology, bad technology

Discovery of body highlights growing use of cell phone technology

Associated Press July 12, 2007

MADISON, Wis. (AP) — The use of cell phone tracking to find a body believed to be that of a missing college student in rural Wisconsin highlights an increasingly important law enforcement tool.

... “The average citizen is not aware that they are carrying a location-tracking device in their pocket,” said Kevin Bankston, a lawyer for the Electronic Frontier Foundation, a San Francisco-based group that works to preserve privacy rights.

Without providing specifics, Madison police say cell phone technology is what prompted authorities to search a 3-square mile rural area 10 miles south of Madison on Monday where they discovered the body of Kelly Nolan, 22.

The technology allowed investigators to track Nolan’s movements after she vanished early June 23 after a night out in downtown Madison. Police Chief Noble Wray said numerous other locations, most of them in the city, were also searched. Police won’t say whether they recovered her phone at the scene.

... When they are turned on, cell phones constantly emit locator signals called pings so their companies know to which towers to route phone calls, Bankston said.

Investigators can obtain logs from wireless companies containing such data to track people’s movements, he said. In urban settings with many towers, the location can be narrowed down greatly — to within blocks. In more rural settings with fewer towers, a more general location can be established.

Most new phones also contain Global Positioning System chips that communicate with satellites, allowing authorities to pinpoint a precise location of the handset. The chips are one way companies can comply with federal rules designed to give emergency dispatchers more information on the location of cell phone callers.

... He said the technology is appropriately used to find missing people or in emergency situations but that federal authorities may be secretly expanding its use to track many other citizens.

“Do you have control over whether someone knows about where you are? It appears, in the current technological landscape, the answer is no,” he said. “If you carry a cell phone, it’s possible that somebody may monitor your location without your knowledge or consent.”
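To make the "more towers, tighter fix" point concrete, here is an added Python sketch; it is not from the AP story, the EFF, or any carrier's tooling. It assumes a constructed tower inventory and a constructed registration log (the coordinates and tower IDs are invented), and it uses a deliberately simple estimator: for each time window, the phone is placed at the centroid of the towers that saw it, with an uncertainty radius equal to the farthest contributing tower (a lone tower gets an assumed coverage radius). Real investigators and carriers add timing advance, sector azimuth and signal strength, which this example omits.

```python
"""Coarse location from carrier tower-registration logs (added example).

Assumptions, labelled here and in the lead-in:
  * TOWERS and LOG are constructed sample data, not real sites or records.
  * Position = centroid of towers seen in a window; uncertainty = distance
    from the centroid to the farthest of those towers.
  * A window with a single tower gets LONE_TOWER_RADIUS_M, an assumed
    coverage radius, because one sighting only says "within this cell".
"""
import math

# Constructed tower inventory: tower_id -> (lat, lon)
TOWERS = {
    "U1": (43.0731, -89.4012),  # dense downtown cluster, towers ~400-500 m apart
    "U2": (43.0760, -89.3960),
    "U3": (43.0700, -89.3950),
    "R1": (42.9500, -89.4000),  # rural pair, ~6.6 km apart
    "R2": (42.9200, -89.3300),
}

# Constructed registration log: (seconds since start, tower_id)
LOG = [
    (0, "U1"), (60, "U2"), (120, "U1"), (240, "U3"),   # downtown, many towers
    (3600, "R1"), (3700, "R2"), (3900, "R1"),          # later, out in the country
]

LONE_TOWER_RADIUS_M = 5000.0  # assumed coverage radius for a single-tower window


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def locate(log, towers, window_s=600, lone_tower_radius_m=LONE_TOWER_RADIUS_M):
    """Return one position fix per time window.

    Each fix is a dict with window_start, lat, lon, radius_m and the sorted
    list of tower IDs that contributed. Fewer towers -> larger radius.
    """
    by_window = {}
    for ts, tid in log:
        by_window.setdefault(ts // window_s, set()).add(tid)

    fixes = []
    for w in sorted(by_window):
        ids = sorted(by_window[w])
        pts = [towers[t] for t in ids]
        # Plain averaging is adequate over a few kilometres
        lat = sum(p[0] for p in pts) / len(pts)
        lon = sum(p[1] for p in pts) / len(pts)
        if len(pts) == 1:
            radius = lone_tower_radius_m
        else:
            radius = max(haversine_m(lat, lon, p[0], p[1]) for p in pts)
        fixes.append({
            "window_start": w * window_s,
            "lat": round(lat, 5),
            "lon": round(lon, 5),
            "radius_m": round(radius),
            "towers": ids,
        })
    return fixes


if __name__ == "__main__":
    for fix in locate(LOG, TOWERS):
        print(fix)
```

Run it and the downtown window comes back with a radius of a few hundred metres (a couple of blocks), while the rural window, seen by only two widely spaced towers, carries a radius of several kilometres. That gap is exactly why a rural search area in the story is measured in square miles, and why carrier logs alone rarely settle an address.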

Sure to be a real page-turner...

July 12, 2007

IT Disaster Recovery and Business Continuity Tool-kit: Planning for the Next Disaster

"A product of [National Association of State Chief Information Officers] NASCIO's Disaster Recovery Working Group, this tool-kit is designed to assist state CIOs and their staff in IT disaster recovery and business continuity planning. It is an updated and expanded version of business continuity and disaster preparedness checklists utilized for a brainstorming exercise at the “CIO-CLC Business Continuity/ Disaster Recovery Forum” at NASCIO’s 2006 Midyear Conference."

The “e-” equivalent (e-quivalent?) of looking in windows.

Ohio Man Gets 25 Years For Hacking Into Webcams, Recording Minors

A U.S. Attorney calls the Dayton man, who also distributed some of the recordings, a 'high-tech video voyeur.'

By Sharon Gaudin InformationWeek July 12, 2007 12:40 PM

An Ohio man was sentenced to 25 years in prison for hacking into minors' Webcams and secretly watching and recording them in their homes.

Mark Wayne Miller, 47, of Dayton, had pled guilty in January 2006 to one count of computer intrusion, as well as to one count of sexual exploitation of children relating to his successful efforts to persuade under-age girls to engage in sexually explicit conduct for him in front of their Webcams. At the time of his arrest, Miller was on probation with the state of Ohio and was a registered sex offender.

The FBI reported that Miller confirmed in court that he developed sexual relationships with minor-aged girls over the Internet, usually in online chat rooms. Tricking the girls with a fictitious name and a photo of an unknown young male, Miller said he used the "chats" to persuade the girls to engage in sexually explicit conduct in front of active Webcams.

In other cases, he hacked into the girls' computers to secretly intercept, watch, and record live Webcam footage of them. He distributed some of the recorded Webcam footage to others.

"Miller was a high-tech video voyeur," said U.S. Attorney for the Southern District of Ohio Gregory G. Lockhart in a statement. "He would 'phish' for the minors' passwords to a popular Internet portal, then secretly gain access to the minors' Webcam sessions."

The FBI reported that Miller's scheme was exposed when one of the girls sent a love letter to the fictitious boy Miller had made up, but she sent it to Miller's former workplace. His former employer read the letter and then found "additional evidence relating to child pornography while cleaning out Miller's work area." The employer then contacted some of the minors, and then contacted local law enforcement. After that, the FBI was called into the case.

Report from the GPL “License War”

Jeremy Allison Talks Samba and GPLv3

Posted by CowboyNeal on Thursday July 12, @10:03PM from the early-adopters dept.


dmarti writes "The software that enables Linux to act as a Windows file and print server is adopting the Free Software Foundation's new license. What will be the impact on users, distributors, and appliance vendors? Samba maintainer Jeremy Allison answers, in a podcast interview."

Thursday, July 12, 2007

Think of a new game show: “Credible or Incredible” Perhaps we could get Howie Mandel to host?

Ohio State Data Leak Now About 16 Times Worse Than Initially Disclosed

from the fun-with-numbers dept

Back in June, the state of Ohio said it had lost the personal information of some 64,000 state employees, after a storage device was stolen from an intern's car -- which, apparently according to its security protocols, was a suitable off-site storage location. The state dutifully followed the usual plan of releasing another announcement raising the number of people whose information was lost, putting it at 500,000. Turns out that was a little conservative; the state now says the figure is closer to one million, nearly 16 times the original claim. The governor and his staffers claim that nobody appears to have used the stolen information yet, and that it would take somebody with "special knowledge and understanding" to access it. Of course, coming from a place where storing stuff in an intern's car is regarded as secure and safe, that claim doesn't carry a lot of weight -- nor does it make up for the egregious breach that occurred.

Ohio: Stolen Device Contains 859,800 IDs

By MATT LEINGANG Associated Press Writer Jul 12, 12:37 AM EDT

COLUMBUS, Ohio (AP) -- A stolen computer storage device contained more than twice the number of taxpayers' identifications than had been previously reported, Gov. Ted Strickland said Wednesday, but he emphasized there is still no indication the data have been compromised.

The names and Social Security numbers of 561,126 people who had not cashed state income refund checks were on the device, as well as 14,874 people who did business with the state, according to an ongoing review of the information it held. That brings the total number of taxpayers affected to 859,800, Strickland said.

The Mouse didn't do it, but his customers may not see it that way.

Disney Movie Club members victimized in latest data-breach horror show

Wednesday, July 11 2007 @ 06:37 PM CDT Contributed by: PrivacyNews News Section: Breaches

An undisclosed number of Disney Movie Club members have received letters informing them that their credit-card information was sold by an employee of a Disney contractor to a federal agent as part of an undercover sting operation, Network World has learned.

The sting occurred sometime in May, while the letter - a copy of which was forwarded to Buzzblog by the security Web site - is dated July 6. Why notification took that long is among this morning's unanswered questions (update below from Disney ... and later comments here from a club member/database security expert who got one of the letters).

The latest in a seemingly endless string of data-breach incidents involving major organizations, this one is being pinned on a third-party contractor, Alta Resources, according to the letter signed, "John Flynn, for the Disney Movie Club." The address on the Disney Movie Club stationery matches that of an Alta Resources P.O. Box in Neenah, Wis., so I'm presuming the verbiage comes from Alta Resources.

Source - NetworkWorld

Not much in the news about this one... (or is it an old one?)

University-owned laptop with student data stolen

Wednesday, July 11 2007 @ 06:03 AM CDT Contributed by: PrivacyNews News Section: Breaches

Elizabeth Beaumont and the political science department recently got a taste of technology's paradox: Convenience sometimes complicates matters.

While in Palo Alto, Calif., a perpetrator stole a laptop in Beaumont's possession that belonged to the political science department - out of a locked car. She is an assistant professor in the department.

According to an e-mail from department chair and Regents' professor John Sullivan to students enrolled in Beaumont's classes dating back to fall 2005, the information on the laptop included student names, e-mail addresses, University identification numbers and grades.

Source - The Minnesota Daily

[From the article:

... The files containing student data were not encrypted at the time of the theft. It is University policy to protect all nonpublic, electronic information through encryption.

... "The laptops are a security issue, of course," he said. "They've got a process afoot [Very Conan-Doyle old man... Bob] to do the encryption. They've got the product … it just hadn't been done yet."

... Hanna said last Friday about 20 to 30 percent of the laptops in the political science department were wholly encrypted.

Why CEOs get a bad reputation.

Whole Foods Is Hot, Wild Oats a Dud -- So Said 'Rahodeb'

Then Again, Yahoo Poster Was a Whole Foods Staffer, The CEO to Be Precise

By DAVID KESMODEL and JOHN R. WILKE July 12, 2007; Page A1

In January 2005, someone using the name "Rahodeb" went online to a Yahoo stock-market forum and posted this opinion: No company would want to buy Wild Oats Markets Inc., a natural-foods grocer, at its price then of about $8 a share.

"Would Whole Foods buy OATS?" Rahodeb asked, using Wild Oats' stock symbol. "Almost surely not at current prices. What would they gain? OATS locations are too small." Rahodeb speculated that Wild Oats eventually would be sold after sliding into bankruptcy or when its stock fell below $5. A month later, Rahodeb wrote that Wild Oats management "clearly doesn't know what it is doing .... OATS has no value and no future."

The comments were typical of banter on Internet message boards for stocks, but the writer's identity was anything but. Rahodeb was an online pseudonym of John Mackey, co-founder and chief executive of Whole Foods Market Inc. Earlier this year, his company agreed to buy Wild Oats for $565 million, or $18.50 a share.

... Mr. Mackey's online alter ego came to light in a document made public late Tuesday by the Federal Trade Commission in its lawsuit seeking to block the Wild Oats takeover on antitrust grounds. Submitted under seal when the suit was filed in June, the filing included a quotation from the Yahoo site. An FTC footnote said, "As here, Mr. Mackey often posted to Internet sites pseudonymously, often using the name Rahodeb."

After The Wall Street Journal contacted Whole Foods yesterday, the company said in a statement that among millions of documents it gave the FTC were postings its CEO made from 1999 to 2006 "under an alias to avoid having his comments associated with the Company and to avoid others placing too much emphasis on his remarks." The statement said, "Many of the opinions expressed in these postings now have far less relevance than when they were written." Whole Foods didn't confirm every Rahodeb posting as being from Mr. Mackey.

... Mr. Mackey declined to be interviewed. But he soon posted on the company Web site, saying that the FTC was quoting Rahodeb "to embarrass both me and Whole Foods." He also said: "I posted on Yahoo! under a pseudonym because I had fun doing it. Many people post on bulletin boards using pseudonyms." He said that "I never intended any of those postings to be identified with me." [I bet he didn't. Isn't that rather naive in the Internet age? Bob]

Mr. Mackey's post continued: "The views articulated by rahodeb sometimes represent what I actually believed and sometimes they didn't. Sometimes I simply played 'devil's advocate' for the sheer fun of arguing. Anyone who knows me realizes that I frequently do this in person, too."

Someone sees revenue in free music? RIAA will plotz.

Warner streams entire catalog of music for free on imeem

Posted By Matt Marshall On July 12, 2007 @ 12:55 am In Business and Technology

Warner Music Group is offering its entire music and video catalog for free streaming on [1] imeem, a Web site focused on letting users share music playlists.

The music is currently live on the San Francisco startup’s Web site, the company told VentureBeat Wednesday evening.

Now imeem users can make playlists with Warner music. Warner, in return, will get a piece of imeem’s ad revenue.

So music from Depeche Mode, a Warner artist, can be [2] played freely. Press the play button on the widget below, for example, which we’ve just pulled from imeem.

This partnership is significant because it is the first time a major label has offered free ad-supported access to its entire catalog of music and video to such an online sharing site. It is also remarkable because Warner (along with other labels) had sued imeem less than two months ago for copyright infringement ([3] our coverage; scroll down). See suit [4] here.

Imeem has grown rapidly over the past year, boasting 16 million active users. Earlier this year, it arranged to pay a share of ad revenue to music content owners, as we [5] reported here. It recently offered free ad-supported streaming of music [6] from other labels, but not from the majors. Competitors such as SeeqPod ([7] our coverage) haven’t cut such deals.

Tools & Techniques I bet hackers can tap into your data from beyond 30 feet – still, an interesting and inevitable device.

Wirelessly Print, Watch Movies, and Listen to Music with Belkin’s New Wireless USB Hub

(Compton, CA) - July 11, 2007 – Belkin’s 4-port Wireless USB Hub gives you wireless access to your USB devices without the clutter of cables.

Simply plug your USB devices, such as your printer and hard drive, into the Wireless USB Hub. Then, attach the included USB Adapter to your computer. You are then free to roam the room with your laptop while still maintaining 30 feet of wireless access to your USB devices.

Hell hath no fury like a madam on trial... (I can't wait for the movie)

DC Madam Calls For Senator Vitter To Be Prosecuted

By: Logan Murphy on Wednesday, July 11th, 2007 at 10:12 AM - PDT

Interesting twist. Conspiracy theory anyone?

Internet Explorer Linked to Firefox Security Hole

By Chris Maxcer LinuxInsider Part of the ECT News Network 07/11/07 2:00 PM PT

The latest browser war dustup pits Mozilla's Firefox against Microsoft's Internet Explorer, but this time the tiff isn't about market share. It appears that IE may undermine Firefox's security when a Net surfer clicks on malicious page links using the IE browser and Firefox also happens to be installed on the machine.

... How It Works

Basically, the end user must use IE to navigate to a malicious Web page and click on a link. The problem only occurs when the user also has Firefox installed -- it does nothing if Firefox isn't installed.

The link, according to Mozilla, can cause IE to invoke another Windows program -- in this case, Firefox -- via the command line and pass that program the URL from the malicious Web page. This can cause data to be passed from the malicious Web page to the second Windows program, which could allow remote code execution in Firefox, the browser's maker notes on its Mozilla Security Blog.

It may be possible to use the same method in IE to invoke action with other Windows programs, but none have yet been reported.
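The mechanism the article is describing is an argument-boundary problem in URL protocol handlers: Windows registers a handler as a command template with a `%1` placeholder, the launching browser substitutes the clicked URL, and if that substitution is verbatim a double quote inside the URL closes the quoted argument and everything after it becomes new switches for the target program. The Python below is an added simulation of that handoff; it is not Mozilla's, Microsoft's or the article's code. The handler template, the program path, the switch names and the tokenizer are simplified assumptions (the real tokenizer, CommandLineToArgvW, also has backslash rules that are omitted here), and the hardened version simply refuses any URL containing characters outside the URL grammar, since a double quote is never a legal URL character.

```python
"""Protocol-handler argument injection, simulated (added example).

Assumed, simplified handler template; not an actual registry value.
"""
import re

HANDLER_TEMPLATE = r'"C:\Program Files\Browser\browser.exe" -url "%1" -requestPending'

# Scheme, then only RFC 3986 reserved/unreserved characters plus '%'.
# Double quote, space and backslash are not URL characters, so they fail.
_URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*:[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*")


def split_windows_cmdline(cmdline: str) -> list[str]:
    """Minimal CommandLineToArgvW-style tokenizer: a double quote toggles
    quoting, whitespace outside quotes separates arguments. Backslash
    escape rules are omitted; this is enough to show the boundary problem."""
    args, cur, in_quote, have_token = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
            have_token = True
        elif ch in " \t" and not in_quote:
            if have_token:
                args.append("".join(cur))
                cur, have_token = [], False
        else:
            cur.append(ch)
            have_token = True
    if have_token:
        args.append("".join(cur))
    return args


def build_unsafe(url: str) -> list[str]:
    """Verbatim %1 substitution: the behaviour the article describes."""
    return split_windows_cmdline(HANDLER_TEMPLATE.replace("%1", url))


def safe_to_launch(url: str) -> bool:
    """True only if every character is legal in a URL (no quote, no space)."""
    return _URL_RE.fullmatch(url) is not None


def build_safe(url: str) -> list[str]:
    """Hardened launcher: validate first, so %1 can never carry a quote."""
    if not safe_to_launch(url):
        raise ValueError("refusing to launch handler: URL contains non-URL characters")
    return build_unsafe(url)


def injected_switches(url: str) -> list[str]:
    """Switches the target program would see beyond the two it expects."""
    argv = build_unsafe(url)
    return [a for a in argv[1:] if a.startswith("-") and a not in ("-url", "-requestPending")]


if __name__ == "__main__":
    benign = "example://some/page"
    crafted = 'example://x" -extra-switch "attacker value'
    print(build_unsafe(benign))          # four argv entries, as the handler expects
    print(build_unsafe(crafted))         # -extra-switch shows up as its own argv entry
    print(injected_switches(crafted))
    print(safe_to_launch(crafted))
```

The crafted URL turns one intended argument into three, which is the whole attack: the invoking browser trusted the page to supply a well-formed URL, and the invoked program trusted its command line. Either side validating (the launcher rejecting or percent-encoding the quote, or the target refusing unexpected switches) closes it, and both is better.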

Interesting if true.

Is Microsoft Gaining Ground In The Search Wars?

from the maybe-a-little dept

A new report makes the surprising assertion that Microsoft is actually gaining ground in the search race and that in just the last couple of months it's significantly closed the gap with Yahoo for the #2 slot. Assuming the numbers are legitimate, this would be the first sign of life out of this business in quite a while. Still, it's hard to say whether Microsoft's momentum is real. The company is probably getting a moderate boost from the adoption of Vista and the new IE7, which has Live search set as a default. If you'll recall, this setting prompted Google to make an antitrust complaint against the company. The company has also been using other lures to get users, such as awarding points to certain searchers, which can be redeemed to purchase stuff from the company. None of this suggests that users are really switching from one site to another in significant numbers (which is what would be significant), though perhaps Microsoft is picking up a few marginal users that aren't particularly attached to one service or another. If true, Microsoft will probably hit a ceiling pretty quickly.

Is this a jurisdiction squabble? Whose laws apply to a global Internet service?

Arguing Over The Constitutionality Of Online Cockfighting Videos

from the chicken-on-chicken dept

Over the last year or so, the Humane Society's been threatening to sue Amazon because a third-party merchant that used its e-commerce platform was selling magazines about cockfighting. The Humane Society contended that the magazines were illegal under the Animal Welfare Act, though Amazon disagreed -- but in any case, since Amazon wasn't the publisher, they didn't seem like the right people to sue. Cockfighting and free speech has come up again now, as a company that sells online cockfighting videos is challenging a federal law that makes it illegal to sell depictions of animal cruelty. The law was enacted in 1999 to combat the sales of "crush videos", which apparently depict women crushing animals to death in order to deliver some sort of sexual stimulation to the viewer. Then-President Clinton instructed the DOJ to enforce the law narrowly, to target such material, even though the law is worded much more broadly. The company says it operates from Puerto Rico, where cockfighting remains legal. It contends that the fights are an accepted part of the culture there, and appears to be claiming that because the fights themselves are legal in Puerto Rico, it should be able to sell videos of them over the internet to users in the rest of the country.

It's a complicated case, since generally, depictions of illegal activity aren't themselves illegal, and don't fall under the exceptions to free speech in the First Amendment. Should the law be upheld, it could establish an interesting precedent for the government being able to limit speech that depicts illegal activities and give the government a useful censorship tool. While it's unlikely it would seek to criminalize the broadcast of surveillance footage of bank robberies, gambling-related content would be a possible target, given the fervor with which online gambling has been attacked. Already, at least one state has tried to crack down on online gambling sites that don't offer gaming, just discussion and links. If this law is upheld, such efforts could receive a boost.