Saturday, July 28, 2007

Oh my, how unexpected.

Ohio Data Leak Gets Pinned On The Intern

from the passing-the-buck-eye dept

You might remember the recent data leak in Ohio, where personal info on a million or so people was lost, after a storage device containing it was stolen from an intern's car. The intern, who apparently took the device home with him as part of a security protocol, has now been fired by the state, and says he's being made the scapegoat for the loss. [What, you expected the Governor to assume responsibility? Bob] Despite the governor's claims to the contrary, of course the intern's being scapegoated, even though he apparently was just doing what he was told. That's how things work with data leaks: the buck is passed, and responsibility shirked. In this instance, the state can say the responsible party has been fired, glossing over the fact that he was apparently just following directions he'd been given, and that the real problem here was a flawed security plan that was either devised by an idiot, [I'd like to vote for that one, but Ignorance is much more likely... Bob] or, more likely, by somebody who didn't take the security of other people's personal info very seriously. That's the problem here: nobody seems to care when it's other people's data. There are never any real ramifications from these leaks, as long as companies or governments are seen to have some security plan in place, even if it's not a good one. Until that changes -- and the scapegoating and responsibility shirking stops -- data leaks and breaches are going to keep on coming.

Perhaps their encryption is weak?

Newcastle Council admits to data breach

Card payment details on insecure server for 15 months

Andrew Charlesworth, 27 Jul 2007

Newcastle City Council has confessed to exposing up to 54,000 credit and debit card details between February 2006 and April 2007.

... The information was contained in a file of transaction details about payments to the council for business rates, council tax, rent and parking fines. The file was encrypted but uploaded to an insecure server. [So in the US, this would not be considered a breach Bob]

Newcastle's security breach came to light last Thursday during an independent security review commissioned by the council.

... UK companies are not obliged to reveal such security breaches. The California Security Breach Information Act, made law on 1 July 2003, compels Californian companies to inform all those affected by a breach, under the threat of heavy penalties for failing to comply.

Think you're confused about Privacy? (They should have said, “Google promises not to keep any data about you, except as required by law.”)

The Pointless Privacy Debate

By Larry Downes July 27, 2007

The battle over consumer data protection may be more about money-making opportunities than user safety.

In response to criticism from a British privacy group and European Union data overseers, Google recently announced it would anonymize data it retains on user searches after 18 months.

The EU applauded the move as it had lauded Google's agreement to comply with its 2005 directive requiring service providers to retain all identifiable records up to two years. Huh?

E-Discovery Evidence suggesting why we couldn't find the evidence?

Merely Cloaking Data May Be Incriminating?

Posted by Zonk on Friday July 27, @07:39PM from the what's-mine-is-mine dept. Privacy Encryption

n0g writes "In a recent submission to Bugtraq, Larry Gill of Guidance Software refutes some bug reports for the forensic analysis product EnCase Forensic Edition. The refutation is interesting, but one comment raises an important privacy issue. When talking about users creating loops in NTFS directories to hide data, Gill says, 'The purposeful hiding of data by the subject of an investigation is in itself important evidence and there are many scenarios where intentional data cloaking provides incriminating evidence, even if the perpetrator is successful in cloaking the data itself.' That begs the question: if one cloaks data by encrypting it, exactly what incriminating evidence does that provide? And how important is that evidence compared to the absence of anything else found that was incriminating? Are we no longer allowed to have any secrets, even on our own systems?"

[As often happens, the comments are interesting. Like this one...

Any compression system might be viewed as encryption if you don't know how to decompress it.

I actually had to throw together an encryption system today to store some archival material online. I wrote a one time pad in python where my pad was just a jpeg of a mountain I had lying around. I contend that my ciphertext is art, a picture of a mountain combined with some literature. Who's to say it isn't?
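The commenter's "one time pad" keyed with a JPEG is a good teaching case, so here is an added example (not code from the original post, the commenter, or anyone else quoted on this page) showing why it is not a one-time pad. Every JPEG/JFIF file starts with the same marker bytes, so the start of the keystream is public knowledge; and an image "lying around" will be reused, and two ciphertexts under the same pad XOR to the XOR of the two plaintexts. The pad built here (`make_fake_jpeg_pad`) and the sample messages are constructed stand-ins; the contrast case (`otp_encrypt`) shows the actual requirement, a fresh, uniformly random pad as long as the message, used once:

```python
import secrets

# Constructed sample data: a JPEG/JFIF file always starts with these bytes
# (SOI marker FF D8, APP0 marker FF E0, segment length 0x0010, "JFIF\0",
# version 1.01), so anyone who knows the pad is a JPEG already knows this
# much of the keystream.
JPEG_PREFIX = bytes.fromhex("FFD8FFE000104A46494600010100")


def make_fake_jpeg_pad(length: int) -> bytes:
    """Constructed stand-in for 'a jpeg of a mountain': the fixed header plus
    a structured body. Real JPEG bodies are compressed, but still far from
    uniformly random."""
    body = bytes((i * 37 + 11) % 256 for i in range(length - len(JPEG_PREFIX)))
    return JPEG_PREFIX + body


def xor_bytes(data: bytes, pad: bytes) -> bytes:
    """XOR data with pad. A pad shorter than the data would have to repeat,
    which is already not a one-time pad, so refuse it."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the data")
    return bytes(d ^ p for d, p in zip(data, pad))


def recover_known_prefix(ciphertext: bytes) -> bytes:
    """Weakness 1: the pad has known structure. XORing the ciphertext with the
    bytes every JPEG starts with yields that many plaintext bytes without any
    access to the image itself."""
    n = min(len(ciphertext), len(JPEG_PREFIX))
    return xor_bytes(ciphertext[:n], JPEG_PREFIX[:n])


def recover_second_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Weakness 2: the same image used for two files. c1 ^ c2 == p1 ^ p2 (the
    pad cancels out), so knowing one plaintext reveals the other."""
    n = min(len(c1), len(c2), len(known_p1))
    p1_xor_p2 = xor_bytes(c1[:n], c2[:n])
    return xor_bytes(p1_xor_p2, known_p1[:n])


def otp_encrypt(plaintext: bytes) -> tuple[bytes, bytes]:
    """A real one-time pad: fresh, uniformly random, exactly as long as the
    message, generated once and never reused. Returns (pad, ciphertext); the
    pad must then be stored as carefully as the plaintext it protects."""
    pad = secrets.token_bytes(len(plaintext))
    return pad, xor_bytes(plaintext, pad)


def otp_decrypt(pad: bytes, ciphertext: bytes) -> bytes:
    return xor_bytes(ciphertext, pad)


if __name__ == "__main__":
    # Constructed sample "archival material".
    archive_a = b"Meeting notes: the merger closes on the 14th, keep quiet."
    archive_b = b"Password list for the backup server, do not distribute!!"
    mountain = make_fake_jpeg_pad(128)

    ct_a = xor_bytes(archive_a, mountain)
    ct_b = xor_bytes(archive_b, mountain)
    print("leaked prefix of a:", recover_known_prefix(ct_a))
    print("leaked file b     :", recover_second_plaintext(ct_a, ct_b, archive_a))

    pad, ct = otp_encrypt(archive_a)
    print("true OTP roundtrip ok:", otp_decrypt(pad, ct) == archive_a)
```

Run it directly and the first two lines print readable plaintext recovered without the "pad" image; the ciphertext is not art so much as the plaintext with a thin, partly known coat on it. The random-pad version has neither weakness, but only as long as the pad is as secret, as long, and as single-use as the text requires; in practice that storage problem is why archival data is protected with an authenticated cipher and a managed key rather than a pad.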

As goes California, so goes the country!

California: E-voting security not up to snuff

Research teams contracted by the state found security issues in every single e-voting system tested, casting doubt on the reliability and security of e-voting

By Robert McMillan, IDG News Service July 27, 2007

Researchers commissioned by the State of California have found security issues in every electronic voting system they tested, California Secretary of State Debra Bowen said Friday.

... "The security teams were able to bypass both physical and software security in every system they tested," Bowen said Friday during a conference call with media.

Bowen is set to decide by Aug. 3 which systems will be certified for use in the 2008 presidential primaries.

... California's review is the most thorough review of voting machine technology yet undertaken in the U.S.

Oh look! Business Strategy 101

Washington Post Shows That The Newspaper Business Isn't Doomed

from the doing-okay dept

While many in the newspaper business are whining about the struggles some newspapers face, a few in the actual newspaper business are actually adapting and thriving. A detailed article in Fortune takes a look at how the Washington Post has thrived, while its competitors have struggled. The keys aren't too surprising: diversify away from just news, embrace new outlets for news and invest in unique investigative reporting skills. There are still plenty of questions, but it becomes clear very quickly that the Washington Post knows that its future is quite different from its past -- and it's not going to wait around to find out how things play out. Instead, it wants to drive news innovations forward, while others complain that nothing can be done.

Sounds familiar...

Update: Intel accused of breaching European antitrust rules

Intel has 10 weeks to reply to the EC's accusation that it abused its position in the microprocessor market to exclude rival AMD

By Peter Sayer, IDG News Service July 27, 2007

Just because it legalizes SPAM doesn't mean it can't also harm small businesses...

List Building: Is Your Email Within The Law?

Tellman H. Knudson

It's been almost three and a half years since the U.S. CAN-SPAM Act went into effect, and though it didn't help to stem the flow of spam into our inboxes every day, you still have to follow the law.

Here are some important parts of the law:

This looks interesting. I wish I spoke British...

BBC launches free Internet TV service

Fri Jul 27, 2007 11:03AM EDT By Peter Griffiths

LONDON (Reuters) - Billed as the biggest change in the way viewers watch television in 40 years, the BBC launched an online service on Friday that allows people to download many programs from the last week.

BBC Director General Mark Thompson says the arrival of the "on-demand" iPlayer is as important as the first color broadcasts in the 1960s.

Viewers can choose from 400 hours of programs, between 60 and 70 percent of the total TV output, including hit shows such as "EastEnders", "Doctor Who" and "Planet Earth".

It faces competition from similar services provided by Channel 4 and ITV and from increasingly popular video-sharing sites such as YouTube.

The growth of the Internet, mobiles and hard-drive recorders that save hours of programs, has destroyed the notion of fixed TV schedules delivered through a TV in the corner of the room.

Broadcasters are under pressure to hold on to viewers by letting them watch programs when and where they want.

"Our vision is for BBC iPlayer to become a universal service available not just over the Internet, but also on cable and other TV platforms, and eventually on mobiles and smart handheld devices," said the BBC's Ashley Highfield, director of future media and technology.

The service, at, is free, but people will not be allowed to save permanent copies to their computer. It could take 30 minutes to download an hour-long show.

It is only available to people living in Britain with computers that run the Microsoft XP operating system.

Programs will be automatically deleted after viewing or after 30 days. Copyright protection software will prevent the copying of shows. [Want to bet? Bob]

Friday, July 27, 2007

The duck will go crazy!

JP: Computer stolen with personal info on 152,000 Aflac customers

Thursday, July 26 2007 @ 06:38 AM CDT Contributed by: PrivacyNews News Section: Breaches

Aflac Japan said on Thursday that an employee of an agent had a computer stolen containing information on more than 152,000 customers. The stolen computer contains insurance contracts on 152,758 customers, their addresses, names and birthdates. Aflac Japan officials said that the information was coded [Let's hope they mean encrypted... Bob] and that outsiders would not be able to decode the data.

Source - Mainichi Daily News

Sounds like someone actually looked at the activity logs!

Security breach hits thousands

Thursday, July 26 2007 @ 12:32 PM CDT Contributed by: PrivacyNews News Section: Breaches

A COUNCIL computer blunder has led to a serious breach of security for credit and debit card holders on Tyneside.

Police and security experts have been called in after details of thousands of people’s cards were downloaded to an address which has been traced to the Middle East.

As a result of the mistake, millions of financial records held by Newcastle City Council have been accessed and up to 54,000 individual card holders are affected.

Information was placed in error on an open server site which could be accessed by outsiders instead of a secure network. The site was shut down as soon as the problem was discovered.

Related - ComputerworldUK: Insecure server sees Newcastle council suffer massive data breach

Still a lot of people who never got the memo?

Concern about USB sticks used for handovers

Thursday, July 26 2007 @ 04:27 PM CDT Contributed by: PrivacyNews News Section: Medical Privacy

The security of data stored on USB sticks has been called into question following the theft of a stick containing unprotected confidential patient details at the Nottingham University Hospitals Trust.

Around a third of junior doctors currently use universal serial bus (USB) sticks as a means of saving and storing patient data, to pass on to other members of the clinical team at the end of a shift.

These should be stored on secure sticks which use at least 129-bit encryption protection, to be used solely on the trust’s computers, but E-Health Insider has been told that this is far from the case.

Source - e-Health Insider

So many it's hard to keep score...

5,000 student loan customers' info on stolen laptop

Friday, July 27 2007 @ 05:22 AM CDT Contributed by: PrivacyNews News Section: Breaches

The theft of one laptop computer has resulted in compromising the personal information of more than 5,000 student loan customers.

American Education Services -- the revenue-generating arm of the Pennsylvania Higher Education Assistance Agency -- has sent letters to 5,184 student loan customers telling them that their personal information was on a laptop stolen in a burglary at a subcontractor's headquarters in Livermore, Calif.

The subcontractor is Vista Financial Inc., a subsidiary of Performant Financial Corp.

The information, which was not encrypted, included name, address, phone number, e-mail address and Social Security number.

Source - Post-Gazette

No mandatory maximum? Google might want to move its servers...

Data retention law passed in UK

Friday, July 27 2007 @ 04:38 AM CDT Contributed by: PrivacyNews News Section: Non-U.S. News

UK telecoms companies will have to keep phone call logs for a year under a new law to come into force in October. The law does not apply to records of internet activity, such as web surfing, email and Voice over Internet Protocol (VoIP) phone calls.

The Data Retention (EC) Regulations were approved by the House of Lords on Tuesday and signed into law by Home Secretary Jacqui Smith on Wednesday. The Regulations transpose into UK law most of the European Union's Data Retention Directive.

The new law is intended to ensure that security services have a reliable log of mobile and fixed-line phone calls to be used in investigations, and relates not to the content of calls but only to records of their occurrence.

This won't stand. “Your honor, we've arrested the man we think stole that nuclear weapon. We'd like a subpoena to search his vehicle since he keeps saying “Soon, American dogs!” To speed things up, we've towed the vehicle over to your house so we can start looking as soon as you sign the....” (BOOM!)

Jul 26, 2007 5:07 PM

AZ Supreme Court rules against post-arrest car search

A sharply divided Arizona Supreme Court has ruled that it violates Fourth Amendment rights for police to search an arrested person's vehicle without a warrant when the scene is secure and the arrestee is handcuffed, seated in a patrol car and under supervision of an officer.

... Thomas J. Jacobs, a Tucson attorney for the defendant in the case, agreed and said the ruling could affect hundreds or even thousands of Arizona cases either awaiting trial or pending appeal by requiring that authorities prove there were actual and justifiable circumstances allowing warrantless searches.

"In this technological age, when warrants can be obtained within minutes, it is not unreasonable to require that police officers obtain search warrants when they have probable cause to do so to protect a citizen's right to be free from unreasonable governmental searches," Vice Chief Justice Rebecca White Berch wrote for the majority.

... In the case that produced the ruling, police on Aug. 25, 1999, seized cocaine and drug paraphernalia after Rodney Gant got out of his parked car and was arrested about 10 feet away by officers who had earlier learned that Gant was named on an arrest warrant for driving with a suspended license.

Gant had been handcuffed and placed in a locked patrol car under police supervision by the time police searched his car.

CDT Analysis: Constitutional Protection for Email

Thursday, July 26 2007 @ 04:23 PM CDT Contributed by: PrivacyNews News Section: In the Courts

A recent federal court decision affirming that e-mail exchanges are protected under the Fourth Amendment brings welcome certainty to an undeveloped area of the law, CDT concludes in an analysis issued today. The Sixth Circuit court of appeals held in Warshak v. US that Internet users have a reasonable expectation of privacy in e-mail stored with service providers, requiring the government to either get a warrant or provide users notice when the government seeks their e-mail.

Warshak Analysis [PDF], July 26, 2007

Worth a look

Computer science resources for academics

7/26/2007 04:36:00 PM Posted by Dan Peterson, Product Manager

Google has a long history of involvement with universities, and we're excited to share some recent news on that front with you. At the main Google campus this week we're hosting the Google Faculty Summit, which involves universities all over participating in discussions about what we're up to in research-land as well as computer science education - something very near and dear to us.

Meanwhile, because we know that between teaching, doing research and advising students, computer science educators are quite strapped for time, we've recently launched a site called Google Code for Educators. While you may have previously heard about our offerings for K-12 teachers, this new program is focused on CS topics at the university level, and lets us share the knowledge we've built up around things like distributed systems and AJAX programming. It's designed for university faculty to learn about new computer science topics and include them in their courses, as well as to help curious students learn on their own.

Right now, Google Code for Educators offers materials for AJAX web programming, distributed systems and parallel programming, and web security. The site includes slides, programming labs, problem sets, background tutorials and videos. We're eager to provide more content areas and also more iterations for existing topic areas. To allow for liberal reuse and remixing, most sample course content on Code EDU is available under a Creative Commons license. Please let us know your thoughts on this new site.

Beyond CS education, another important faculty topic is research. Google Research offers resources to CS researchers,including papers authored by Googlers and a wide variety of our tech talks. You might be interested in learning more about MapReduce and Google File System, two pieces of Google-grown technology that have allowed us to operate at enormous scale. We also recently put together a few university research programs and we're eager to see what academics come up with.

Ever want to pilot the Exxon Valdez through the narrows?

Ship Simulator 2008 Demo

Posted by Reverend on 26 Jul 2007 - 18:33 GMT

Lighthouse Interactive has released a playable demo of Ship Simulator 2008, giving you the chance to try out the latest installment in the ship sim series, now available in many stores in the UK and Scandinavia as well as online.

Ship Simulator 2008 includes three new sailing areas like San Francisco, Southampton/Solent area incl. Cowes, and Marseille, nine brand new vessels, from pilot boat to supertanker, including even a massive offshore oil rig, user-controlled harbour container cranes, ocean waves with realistic ship motions, open sea missions and more.

Download: Ship Simulator 2008 Demo

Thursday, July 26, 2007

I have no comment, but I will smile for the hidden camera... (Mild paranoia is a symptom of technological ignorance.)

Appeals Court Clarifies: Government Spyware Not Protected in Ruling

Wednesday, July 25 2007 @ 07:07 PM CDT Contributed by: PrivacyNews News Section: In the Courts

Orin Kerr at the Volokh Conspiracy has been looking at whether the FBI can legally install its CIPAV spyware on your computer without a search warrant or wiretap order under a recent U.S. 9th Circuit Court of Appeals decision. Today the 9th Circuit clarified: no, it can't.

The original July 6th opinion in U.S. v. Forrester upheld the DEA's limited monitoring of a suspect's internet use under the low "pen register" standard, which requires only that a law enforcement agency certify that the surveillance will be "relevant" to an investigation -- no probable cause or judicial fact finding needed.

Source - Threat Level (blog)

Read 'em and weep, Hollywood.

July 25, 2007

Pew Internet Project's First Major Report on Online Video

Press release: "The growing adoption of broadband combined with a dramatic push by content providers to promote online video has helped to pave the way for mainstream audiences to embrace online video viewing. Fifty-seven percent of online adults have used the internet to watch or download video, and 19% do so on a typical day. Three-quarters of broadband users (74%) who enjoy high-speed connections at both home and work watch or download video online."

Never bite the hand that feeds you.

LA Times Kills Editorial On How To Revitalize Both Music And Newspaper Industries To Avoid Pissing Off Both

from the how-dare-you-make-a-suggestion-that-will-help-us! dept

Last month, when the news first came out that Prince did a deal to have a UK newspaper give away a free copy of his latest CD with every paper, we noted that this showed a great way to increase the value for both the music industry and the newspaper industry in one single move. Apparently, I wasn't the only one to think so. A columnist for the LA Times, Patrick Goldstein, felt the same way as well -- and actually had some fantastic ideas to improve on Prince's experiment in a way that would add tremendous value to a bunch of musicians and the LA Times in a single move. Of course, the LA Times sometimes is known for catering to the incumbent established entertainment industry which so dominates LA -- and perhaps that's why the LA Times' new associate editor killed the column and refused to run it (found via Romenesko). Of course, in true Streisand Effect fashion, the column has leaked and it's hard to see any reason why the LA Times would spike it, other than it was afraid of pissing off the established recording industry.

You can read the whole spiked column at the link above, and it's a worthwhile read. The smart changes Goldstein proposed were that it be a regular series of free CDs distributed with the newspaper (encouraging more subscriptions and positioning the paper as a "tastemaker"). And rather than have the newspaper pay the musicians directly (which is how the Prince deal worked), have a sponsor pony up the money to be associated with the musician (this is exactly how much music is already created). Everyone wins in this deal... except stubborn record labels who don't understand that they should be in the music promotion business and think they're only in the business of selling plastic discs. The musicians get paid, get a lot more attention and are likely to make even more in terms of a wider audience willing to go to more shows, buy more merchandise and increase the amount future sponsors will be willing to pay. The newspaper gives people a fantastic new reason to subscribe and reinvents the role of the newspaper as a tastemaker. Sponsors get a great way to associate their brand with hot musicians. And, most importantly, everyone else benefits by getting access to more good music. Yet, in a town where the entertainment industry rules all, apparently, protecting obsolete business models is more important than publishing interesting columns with fantastic suggestions for creating a great new service.

Goldstein's final paragraph is too good not to repeat (especially since the LA Times doesn't think it's worth even printing once):

"Giving music away doesn't mean it has lost its value, just that its value is no longer moored to the price of a CD. Like it or not, the CD is dying, as is the culture of newsprint. People want their music -- and their news -- in new ways. It's time we embraced change instead of always worrying if some brash new idea -- like giving away music -- would tarnish our sober minded image. When businesses are faced with radical change, they are usually forced to ask -- is it a threat or an opportunity? Guess which choice is the right answer."

And we're not counting Congressmen (See the DC Madam story below)

MySpace erases 29,000 sex offenders

By Lester Haines Published Wednesday 25th July 2007 08:51 GMT

MySpace yesterday announced it had "detected and deleted" 29,000 convicted sex offenders on the social networking site, Reuters reports.

The figure is considerably higher than the 7,000 it said it had identified back in May, after coming under strong pressure to tackle the sex offender menace. A coalition of Attorneys General led by Connecticut AG Richard Blumenthal demanded it do more to protect minors and hand over details of known miscreants.

Following a stand-off during which the News Corporation-owned company refused to supply the requested information "because law enforcement officials hadn't followed the required legal process", MySpace eventually agreed to cough "the names, email addresses, and IP addresses of all convicted sex offenders who have set up a profile on the site".

Luddites or Libertarians?

Taxi Drivers Threaten To Strike Over GPS Proposal

July 25, 2007

Some taxi drivers are angry about a plan to install global positioning system devices in their yellow cabs and they are threatening to hang up their keys.

The New York Taxi Workers Alliance has long opposed the plan – claiming it is an invasion of drivers' privacy.

... The TLC says the new technology is intended to help cab drivers get around the city, reunite passengers with lost items, and help the police catch criminals preying on taxi drivers.

... Owusu says the devices, which would cost drivers at least an extra $40 a month, are just an extra expense they do not need.

... In a statement, the commissioner says, "I am puzzled that this group is not telling its members that drivers with the systems are making an average 18 percent more in tips."

It's probably not a student conspiracy...

ULoop - The Student's Craigslist

posted 5 Hours 4 Minutes ago by Siri

ULoop could be thought of as the young love child of Craigslist and Facebook; or one might say it’s just another online classifieds site, with a special focus. It’s meant for students—to join you need an .edu email address. Once you’ve registered you can sell your books, trade your LPs, search for an apartment or roommates, and promote your band—all without charge.

Ah! Summertime reading.

The Complete Works of Friedrich Nietzsche Online

This site contains an almost complete online version of the works of the famous philosopher/philologist Friedrich Nietzsche.

Madam, do you need assistance? (A Geek is helpful, loyal, clean...)

GoDaddy Helps Out the DC Madam

“They came in and offered unlimited bandwidth forever and ever — they thought it was their patriotic duty,” Palfrey gushed.

Wednesday, July 25, 2007

If I “discovered” these records, would you assume I had a right to make a copy and view them? See the next article before you answer...

Patient Information Exposed In Hospital Security Lapse

Tuesday, July 24 2007 @ 10:42 AM CDT Contributed by: PrivacyNews News Section: Breaches

Editor's note: As expected, Verus was involved in yet another hospital-related incident....

A security lapse at St. Vincent Hospital in Indianapolis compromised the names, addresses and Social Security numbers of about 51,000 patients. St. Vincent notified patients by mail last week that personal information had been exposed, 6News' Cheryl Jackson reported.

.... St. Vincent officials said the problem happened when they subcontracted Verus Inc. to set up a program that would allow patients to pay bills online. "The Verus technician made a change to the Internet server, which left some of our patient information online, unprotected," said Johnny Smith, a spokesman for St. Vincent.

Hospital officials said the information was left unprotected for a "brief time," but said it is possible that no one accessed it. [Translation: We don't keep the logs that are designed to record who accessed the data. Bob]

"We have no way of knowing if the information was compromised, accessed or retrieved in any way," Smith said.

Source - The Indy Channel

Think of this ruling in light of hackers taking unprotected data. Are they now protected? Are the lawyers okay because “their cause was just?” Are non-lawyers second class citizens?

Federal Judge Clears Law Firm Accused of Hacking Opponents' Web Archives

Michael Booth New Jersey Law Journal July 24, 2007

A law firm did not violate copyright and computer anti-hacking laws when it used a Web archive search tool to recover old Web pages of its client's adversary, says a federal judge.

Although the archived pages were supposed to be shielded from public view, the protections failed and lawyers at Harding Earley Follmer & Frailey in Valley Forge, Pa., did not hack their way in, Eastern District of Pennsylvania Judge Robert Kelly Jr. ruled last week on summary judgment.

"They did not 'pick the lock' and avoid or bypass the protective measure, because there was no lock to pick," Kelly wrote in Healthcare Advocates Inc. v. Harding Earley Follmer & Frailey, No. 05-3524. "Nor did the Harding firm steal passwords to get around a protective barrier. ... The Harding firm could not 'avoid' or 'bypass' a digital wall that was not there."

The ruling, if it stands, wards off a potential judgment of $3 million in damages a patients' advocacy company sought from the firm.

... In his July 20 ruling, Kelly found the firm was viewing Web pages that were publicly accessible -- even if mistakenly so -- and that there were no copyright violations because there was no public dissemination of the pages copied. The pages were made available only to other lawyers at the firm, which is akin to one person making copyrighted material available to family members.

Kelly also found the firm was putting the searched documents to fair use. "The Harding firm's purpose in viewing and printing copies of the archived images of Healthcare Advocates' website was primarily to defend their clients. The Harding firm viewed these archived web pages to assess the merit of the claims brought against their client. They hoped they might discover facts allowing them to refute the allegations."

Kelly continued: "It would be an absurd result if an attorney defending a client against charges of trademark and copyright infringement was not allowed to view and copy publicly available material, especially material that his client was alleged to have infringed."

... Healthcare Advocates' lawyer, Scott Christie, says he is disappointed by the outcome but "pleased that, as a matter of first impression, a robot.txt file qualifies as a security measure that controls access." Christie, of Newark, N.J.'s McCarter & English, adds that he believes his client will prevail in an appeal to the 3rd U.S. Circuit Court of Appeals.

New law?

Password protected website did not create a reasonable expectation of privacy (updated)

Tuesday, July 24 2007 @ 11:35 AM CDT Contributed by: PrivacyNews News Section: In the Courts

Police received information from one of defendant's neighbors that defendant and his live-in girlfriend had posted pictures from a cellphone on a Sprint PCS website. "The caller provided the address of D'Andrea's apartment (90 Veteran's Way in Gloucester, Massachusetts), the log-in name and password for the website, and the number of a cellular telephone used by defendants." The police went to the website and downloaded the pictures. A search warrant was obtained for defendant's premises. First, "[t]he warrant permitted the seizure of 'cameras' and 'computer storage devices.' The modern cellular telephone fits easily into these categories. It can also be a 'computer accessory,' as the warrant also specified.[n.4]" Second, the password protection on a website did not provide a reasonable expectation of privacy, rejecting LaFave's view. United States v. D'Andrea, 2007 U.S. Dist. LEXIS 52558 (D. Mass. July 20, 2007):

Source -

See also: Orin Kerr, The Volokh Conspiracy

Another incident grows beyond the initial report...

Disney data thief hit Johnson & Johnson, too

Tuesday, July 24 2007 @ 08:34 PM CDT Contributed by: PrivacyNews News Section: Breaches

A document on file with the state of New Hampshire indicates that the employee of a Disney contractor caught in a federal sting selling the credit-card information of Disney Movie Club members also victimized customers of Johnson & Johnson.

How many others he targeted is anybody's guess ... and the fact we have to guess should be considered everybody's problem.

First to draw attention to the Johnson & Johnson involvement was a staffer from the security Web site who writes under the name "d2d."

Source - Networkworld


Your tax dollars at play. (Perhaps they left the doors “unprotected?”)

Auditors Can't Find VA Computer Gear

Tuesday, July 24 2007 @ 06:44 PM CDT Contributed by: PrivacyNews News Section: Breaches

More than a quarter of the computer equipment at the Veterans Affairs Medical Center in Washington could not be found by investigators, government auditors reported Tuesday.

Three other VA facilities showed slightly better results but still could not locate between 6 percent and 11 percent of their equipment, including computers, hard drives, monitors and other devices. In all, the four facilities audited by the Government Accountability Office reported more than 2,400 missing items originally worth $6.4 million.

Source - Associated Press

No comment

Judge rules against government in warrantless surveillance cases (updated)

Tuesday, July 24 2007 @ 07:04 PM CDT Contributed by: PrivacyNews News Section: In the Courts

A federal judge in California ruled Tuesday against the federal government's attempts to stop investigations in five states, including Connecticut, of President Bush's domestic spying program.

Source - Associated Press

Related - Court Order

Once they can prove you don't have the right DNA, they ship you to the camps for the “Final Solution.”

AU: DNA discrimination at work

Tuesday, July 24 2007 @ 07:03 AM CDT Contributed by: PrivacyNews News Section: Workplace Privacy

... It might sound far fetched but in some parts of the world people have been refused jobs on the basis of genetic tests which have shown they could develop certain diseases in the future.

In 2004 a woman in Germany was refused a teaching job on the basis of a medical examination that found she had a family history of the degenerative Huntington’s Disease. She successfully contested the decision in the Administrative Court.

In the US a railway company was found to have secretly tested employees for carpal tunnel syndrome. The tests were ruled unlawful and unnecessary by the US Federal Court under the Disability Act.

In Hong Kong three men were awarded damages in the District Court after being refused employment with the government because of a family history of schizophrenia.

Source -

What do you bet that by Monday, Al Gore will have invented this?

From Wales, a box to make biofuel from car fumes

Thu Jul 19, 2007 10:01AM EDT By Michael Szabo

QUEENSFERRY (Reuters) - The world's richest corporations and finest minds spend billions trying to solve the problem of carbon emissions, but three fishing buddies in North Wales believe they have cracked it.

They have developed a box which they say can be fixed underneath a car in place of the exhaust to trap the greenhouse gases blamed for global warming -- including carbon dioxide and nitrous oxide -- and emit mostly water vapor.

The captured gases can be processed to create a biofuel using genetically modified algae.

If I understand this, we could have a University gather information about who owns what (let's say rare coins), then we could hire someone to steal them – right?

Collections Finder: West Florida Information

Filed under: US-Florida

The University of West Florida has launched a portal for finding pointers to holdings on West Florida history. The portal contains information on more than 700 collections of family papers, business records, maps, photographs, and so on. It’s still under development but you can check it out at .

Tuesday, July 24, 2007

I wonder how they'll report it?

Fox News Breach

Monday, July 23 2007 @ 04:02 PM CDT Contributed by: PrivacyNews News Section: Breaches

A security hole on the Fox News web server Sunday exposed sensitive content to the public, including login information that allowed hackers to access names, phone numbers, and email addresses of at least 1.5 million people: has learned that an FTP server belonging to publishing company Ziff-Davis could be accessed with a username and password found on the Fox News site, with customer details among the internal data publicly available.

The FTP site, used for collaboration between different global aspects of Ziff-Davis business, contains data ranging from expense sheets to resumes to opt-out lists used by customers who wish to avoid receiving unsolicited emails. Many of the compromised files make reference to Acxiom, a data management company that in 2003 experienced a similar theft of personal information. It is not believed that the files exposed by the Fox News oversight contain customer Social Security numbers or bank accounts, as was the case in the 2003 breach; however, telephone and address details do appear to be included in the data.

Hackers were quick to leave their mark on the compromised Ziff-Davis server, uploading pornography and claiming to have come from popular Internet comedy site Ebaumsworld.

Source - WikiNews

Editor's note: tracking the story back, it seems to have first been reported on Linuxit

(h/t, The Hacker Webzine).

Interesting that in the article, the Florida Attorney General says it has been “contained”

No criminal ID theft yet from Certegy breach

Monday, July 23 2007 @ 06:29 PM CDT Contributed by: PrivacyNews News Section: Breaches

Attorney General Bill McCollum cautioned Floridians and other consumers potentially affected by a data breach at Certegy Check Services to closely monitor their financial accounts to ensure their personal information is not further compromised.

Certegy Check Services, Inc., a subsidiary of Fidelity National Information Services Inc, reported on July 3 that personal information and bank account numbers of 2.3 million consumers had been stolen by a former Certegy employee and sold to numerous data brokers and marketers.

... Since July 3, the estimated number of consumers affected by the data breach has risen to 4 million and it is likely that this number will continue to increase as more information about the theft surfaces.

Source - Tampa Bay Business Journal

Data “Dysprotection:” breaches reported last week

Monday, July 23 2007 @ 07:31 AM CDT Contributed by: PrivacyNews News Section: Breaches

A recap of incidents or privacy breaches reported last week for those who enjoy shaking their head and muttering to themselves with their morning coffee.

Source - Chronicles of Dissent

This suggests a business model: “Handler of Data Spills” -- allow us to mitigate your stupidity!

The dos and don'ts of data breaches

How security professionals can lessen the impact

By Cara Garretson, Network World July 24, 2007

This is the second in a series of stories that will be addressed at The Security Standard event scheduled for Sept. 10-11 in Chicago.

Believe it or not, a data breach isn't the worst thing that could happen to your organization. Reacting poorly to the incident could be, however.

... "It makes all the difference in the world" if a company is prepared to respond to a data breach or other type of cyberintrusion, says Tom Bowers, managing director of Security Constructs, a security services firm based in Philadelphia.

Here is a list of what companies should do and what they should avoid doing in the case of a data breach, besides putting a computer-emergency response team in place to react to such incidents.

... DO confirm and contain the problem.

DON'T contaminate the crime scene.

DO communicate with and rely on other departments.

DON'T go on the defensive.

DO remember that it's not only your job that could be affected by a breach.

DO be honest in communicating with the public, customers, employees, and partners.

DON'T go public until you know what happened.

July 23, 2007

New GAO Reports: Cybercrime, Federal Farm Programs, FHA, Influenza Pandemic

  • Cybercrime: Public and Private Entities Face Challenges in Addressing Cyber Threats, GAO-07-705, June 22, 2007: "Cybercrime has significant economic impacts and threatens U.S. national security interests. Various studies and experts estimate the direct economic impact from cybercrime to be in the billions of dollars annually. The annual loss due to computer crime was estimated to be $67.2 billion for U.S. organizations, according to a 2005 Federal Bureau of Investigation (FBI) survey. In addition, there is continued concern about the threat that our adversaries, including nation-states and terrorists, pose to our national security."

  • Federal Farm Programs: USDA Needs to Strengthen Controls to Prevent Improper Payments to Estates and Deceased Individuals, GAO-07-818, July 9, 2007

  • Federal Housing Administration: Proposed Legislative Changes Would Affect Borrower Benefits and Risks to the Insurance Funds, GAO-07-1109T, July 18, 2007

  • Federal Real Property: DHS Has Made Progress, but Additional Actions Are Needed to Address Real Property Management and Security Challenges, GAO-07-658, June 22, 2007

  • Federal Retirement Thrift Investment Board: Many Responsibilities and Investment Policies Set by Congress, GAO-07-611, June 21, 2007

  • Financial Audit: Significant Internal Control Weaknesses Remain in the Preparation of the Consolidated Financial Statements of the U.S. Government, GAO-07-805, July 23, 2007

  • Hanford Waste Treatment Plant: Department of Energy Needs to Strengthen Controls over Contractor Payments and Project Assets, GAO-07-888, July 20, 2007

  • Influenza Pandemic: DOD Combatant Commands' Preparedness Efforts Could Benefit from More Clearly Defined Roles, Resources, and Risk Mitigation, GAO-07-696, June 20, 2007

  • Information Technology: Treasury Needs to Strengthen Its Investment Board Operations and Oversight, GAO-07-865, July 23, 2007

Not very conclusive. I'm watching this one!

Judge Throws Out Case Against Online Travel Companies

The Associated Press 07-23-2007

Florida's Orange County won't be able to collect higher hotel taxes from online travel companies after a judge threw out a lawsuit being brought by county officials.

The county contended the Internet hotel-booking agencies were not fully paying local taxes. County officials learned of the lawsuit's dismissal by Circuit Court Judge Cynthia Mackinnon on Friday. Orange County officials are just some of the latest to fail in their bid to get the companies to pay more in taxes.

The dispute in Orange County centered on the way online companies like Expedia and Orbitz calculate their tax payments. The companies generally negotiate lower rates with hotels for a large number of rooms then offer those rooms to customers at a higher price.

But the companies pay taxes to the county on the lower rate, saying the higher price the consumer pays is the charge of the service not the cost of the room.

Orange County disagrees, and its lawyers told the Orlando Sentinel they expect to appeal the ruling.

Auditors have calculated that Orange County misses out on at least $5.5 million a year in hotel taxes because of online bookings, the paper reported.

Mackinnon tossed out the case in a one-page ruling. She sided with lawyers for the online companies, who argued that lawsuit shouldn't be allowed to continue because Orange County has not exhausted all of its options, like trying to audit the companies.

Messages left by The Associated Press for Expedia and Orbitz on Saturday were not immediately returned.

Tools & Techniques: How to be an online people finder.

Where to find public records online

You can use the web to find lots of things: information, videos, books, music, games, and yes, even public records. While our most private information can (usually) not be found online, you can track down items like birth certificates, marriage and divorce information, obituaries and licenses on the web. Keep reading to learn where to find public records online.

A brief note

All of the following web sites and methods of discovery are absolutely free, unless stated otherwise.

HBS Cases: How Wikipedia Works (or Doesn't)

Published: July 23, 2007 Author: Sean Silverthorne

HBS professor Andy McAfee had his doubts about Wikipedia, the online encyclopedia created and maintained by volunteers. "I just didn't think it could yield a good outcome or a good encyclopedia. But I started consulting it and reading the entries, and I said, 'This is amazing.' "

Think of this as one of those articles about overcompensation of CEOs, but with the job descriptions changed.

DV Expose: Models Make Too Much Money

Written by Anthony Burch recently released a list of the 15 richest supermodels on the planet. After reviewing the facts and figures, we’ve come to one conclusion: these women earn too goddamn much.

FACT: Pretty women make more money than you or anyone you will ever know

It’s not that we don’t think they shouldn’t be compensated for their work – they should – but looking attractive and possessing the ability to walk in a straight line should net, at most, a hundred thousand dollars in monetary reward.

But how much are these women making? Well, let’s look at the top five highest-earning models on the planet: