Saturday, September 29, 2007

Not much info here. Looks like they learned from TJX

http://www.infoworld.com/article/07/09/28/Gap-contractor-blamed-for-data-breach_1.html

Gap contractor blamed for data breach

Two laptops containing personal data on job applicants at the clothing retailer have been stolen, which Gap blames on an unnamed contractor

By Robert McMillan, IDG News Service September 28, 2007

An unnamed contractor is being blamed for a data breach at Gap Inc. that has compromised the data of about 800,000 people who applied for jobs with the U.S. clothing retailer.

On Friday, Gap said the data had been stored on two laptop computers that were stolen from the vendor's offices. Although the job applicant information on the laptop -- which included Social Security numbers -- was supposed to be encrypted, it was not.

... Gap learned of the theft on Sept. 19, the company said in a letter sent to those affected.

... Gap has set up a Web site to assist those who may have been affected by the breach. [Hard to locate on their web site, but it is at: www.gapsecurityassistance.com. Bob]



Not so fast, TJX

http://www.eweek.com/article2/0,1759,2190263,00.asp?kc=EWRSS03119TX1K0000594

Judge Pushes Back on TJX Settlement

By Evan Schuman, Ziff Davis Internet September 28, 2007

The federal judge overseeing the consumer portion of the TJX case wants vouchers replaced by cash.

The federal judge overseeing the consumer portion of the TJX case wants to see TJX vouchers offered in the proposed settlement replaced by cash.

U.S. District Court Judge William Young told attorneys in a hearing in Boston Sept. 27 that he "had a lot of questions and concerns" about the settlement, in which wronged consumers would be given $30 TJX vouchers, according to Thomas Shapiro, an attorney representing some of the consumer plaintiffs, who was present in the courtroom.

Attorneys on both sides had asked that the judge approve the proposed settlement and that he remove the trial—currently slated for July 2008—from the court calendar. However, Young refused to do that and ordered that the trial date be maintained. He scheduled another hearing for October.

According to two attorneys involved in the hearing and notes filed with the clerk's office, Young had concerns about the vouchers and asked what they were truly worth. [They are worth a lot to TJX. Bob] "He expressed a preference that the class members have the option of receiving cash," Shapiro said.

Said another attorney, who did not want to be identified: "Trial dates are sacrosanct with this judge." In response to a question about having the trial suspended, the judge said, "I'm not staying anything," according to the attorney.

Young also posed some detailed legal questions involving jurisdiction and whether consumers should have 60 days to file a claim (as sought in the settlement) or 90 days. "The judge wanted 90 days," said one participant, who also didn't want to be identified.

Young also asked if there was a practical way for TJX, of Framingham, Mass., to send notices to all 46 million consumer victims; a TJX attorney said the retailer did not have those addresses. [The credit card companies do... Bob]

Court observers said that it's not unusual for a judge who is being asked to approve a class-action settlement—especially such a high-profile case as TJX—to ask for changes. Unlike a traditional civil settlement where it's assumed that the interests of both sides have been protected, many of the consumers being represented by such a case have no input. Therefore, a judge will often push back harder.

Typically, the settlement will be adjusted somewhat to try to accommodate the judge. How far TJX will bend—the judge's concerns were all in the pro-consumer direction—and whether the judge will ultimately reject the agreement are the magic questions.



It will be interesting to see how this technology expands. I could see displays at each exit saying “Okay to walk around, but wear your galoshes”

http://www.eweek.com/article2/0,1759,2190344,00.asp?kc=EWRSS03119TX1K0000594

Text Messaging Warns St. John's Students of Gunman

By Roy Mark September 28, 2007

Students at St. John's University subscribe to a text messaging alert system that warned of danger within minutes after a gunman entered the campus.

Another lone gunman approached another campus full of students on Sept. 26, but this time there was no tragedy similar to the shootings at Virginia Tech University in April that killed 32 people and wounded many more.

Just 16 minutes after Omesh Hiraman, 22, walked on to the campus of St. John's University, in Queens, New York, with a loaded rifle, students, faculty and staff received e-mail and text messages alerting them to the danger.

Campus police and an NYPD police cadet spotted Hiraman, wearing a hooded sweatshirt and a Halloween mask, almost immediately. Hiraman, a St. John's student, was quickly arrested without a single shot being fired. But rumors spread that a second gunman was loose on the campus.

"From public safety. Male was found on campus with a rifle. Please stay in your buildings until further notice. He is in custody, but please wait until the all-clear," Thomas Lawrence, St. John's vice president for public safety, sent in a text message.

University officials said only 2,100 out of 20,000 students were signed up for the alert system. Lawrence's text message, and two more that followed, were widely forwarded around the campus. By the end of the day, subscribers to the service had jumped to more than 6,500 students.



Tools & Techniques Got firewalls?

http://arstechnica.com/news.ars/post/20070927-txtor-tool-circumvents-basic-torrent-blockers.html

"txtor" tool circumvents basic torrent blockers

By Jacqui Cheng | Published: September 27, 2007 - 03:26PM CT

To the frustration of many students and other avid torrent downloaders, some universities and ISPs have been known to block the download of .torrent files in an effort to curb illegal file sharing. This quick and dirty method [Requires little thought to implement and little effort to circumvent. Bob] of filtering Internet content is usually done through the use of a proxy server that will look for a torrent mime-type in the file or, even simpler, the file extension itself. Although this method seems almost too simple to take seriously, enough admins have found it effective enough to justify its use.

That's why a group of developers launched txtor today, a site that makes it possible to download .torrent files as if they were text files.
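The article notes that these blockers key on the .torrent extension or MIME type. As an added example (not code from the article or from txtor), here is what the stronger, content-based check looks like: a minimal bencode codec plus a detector that recognises torrent metadata by its structure, so a renamed file is still identified. The tracker URL and file contents are constructed sample data.

```python
def bencode(value) -> bytes:
    """Minimal bencode encoder (used here only to build a sample .torrent)."""
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, str):
        return bencode(value.encode())
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        # Bencode dicts carry their keys as byte strings in sorted order.
        items = sorted((k.encode() if isinstance(k, str) else k, v)
                       for k, v in value.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(f"cannot bencode {type(value).__name__}")


def bdecode(data: bytes):
    """Minimal bencode decoder: ints, byte strings, lists, dicts."""
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":                       # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":                       # list: l<items>e
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                item, i = parse(i)
                items.append(item)
            return items, i + 1
        if c == b"d":                       # dict: d<key><value>...e
            result, i = {}, i + 1
            while data[i:i + 1] != b"e":
                key, i = parse(i)
                value, i = parse(i)
                result[key] = value
            return result, i + 1
        if c.isdigit():                     # byte string: <len>:<bytes>
            colon = data.index(b":", i)
            length = int(data[i:colon])
            start = colon + 1
            return data[start:start + length], start + length
        raise ValueError(f"bad bencode at offset {i}")

    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing data after bencoded value")
    return value


def looks_like_torrent(data: bytes) -> bool:
    """Content-based check, independent of filename or declared MIME type.

    A torrent metainfo file is a bencoded dict whose 'info' dict carries a
    name, a piece length and the concatenated 20-byte SHA-1 piece hashes.
    """
    try:
        meta = bdecode(data)
    except (ValueError, IndexError):
        return False
    if not isinstance(meta, dict):
        return False
    info = meta.get(b"info")
    if not isinstance(info, dict):
        return False
    pieces = info.get(b"pieces")
    return (isinstance(pieces, bytes) and pieces and len(pieces) % 20 == 0
            and b"name" in info and b"piece length" in info)


def extension_check(filename: str) -> bool:
    """The weak check the article describes: extension only."""
    return filename.lower().endswith(".torrent")


# Constructed sample metainfo (tracker URL and file name are made up).
SAMPLE_TORRENT = bencode({
    "announce": "http://tracker.example/announce",
    "info": {"name": "file.bin", "piece length": 16384,
             "length": 12345, "pieces": bytes(20)},
})
PLAIN_TEXT = b"Just some notes, nothing to see here.\n"


def classify(filename: str, data: bytes) -> dict:
    """Compare both checks on one file; a renamed torrent passes the first."""
    return {"by_extension": extension_check(filename),
            "by_content": looks_like_torrent(data)}


if __name__ == "__main__":
    for name, blob in (("film.torrent", SAMPLE_TORRENT),
                       ("film.txt", SAMPLE_TORRENT),
                       ("notes.txt", PLAIN_TEXT)):
        print(name, classify(name, blob))
```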



I wonder if Steve Jobs knows about this?

http://www.tuaw.com/2007/09/27/apple-geniuses-are-reportedly-unbricking-iphones/

Apple Geniuses are reportedly unbricking iPhones

Posted Sep 27th 2007 9:40PM by Erica Sadun Filed under: Apple Corporate, Retail, Bad Apple, iPhone

Apple continues posting warning signs around their stores, cautioning customers that unlocked and modded iPhones fall outside their warranty. And at the same time, Apple Geniuses around the country quietly are reportedly accepting bricked iPhones, slipping into the back and returning with functioning units.

We're not sure whether they're doing a low-level reflash or just swapping units out. We have reports of at least four customers who walked in with iBricks and walked out with iPhones. It is unclear at this time whether these customers unlocked their iPhones or not--we're also receiving reports of iBricks from people who never unlocked or modded their units.



See what you can do with a good college education?

http://www.news.com/8301-10784_3-9787549-7.html?part=rss&subj=news&tag=2547-1_3-0-5

CMU develops scam-busting online game

Posted by Stefanie Olsen September 28, 2007 1:36 PM PDT

There's no end to scams on the Internet, and it can be hard for anyone to tell the difference between a legitimate and fake Web address. (Can you pick the bogus URL between "www.express.ebay.com" and "www.ebaysale.nl"?)

That's why computer scientists at Carnegie Mellon University developed a cutesy online game to teach people how to spot a so-called phishing scam before giving up personal information like bank account passwords to a rogue operator. The 15-minute game, called Anti-Phishing Phil, features a little fish named Phil that must discern between good and bad Web addresses in order to eat worms and gain points. It was developed at CMU's Usable Privacy and Security (CUPS) Laboratory.
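The lesson behind the game's pair of URLs is that only the registrable domain matters, not whether a brand name appears somewhere in the hostname. As an added example (not the CMU game's code), this function extracts that domain and compares it against the expected brand; the tiny suffix table is an assumed stand-in for the full public suffix list, and `attacker.example` is a constructed hostname.

```python
from urllib.parse import urlsplit

# Assumption: a deliberately short stand-in for the public suffix list
# (real code should load the full list from publicsuffix.org).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that somebody had to register.

    'www.express.ebay.com'      -> 'ebay.com'   (a subdomain of the brand)
    'www.ebaysale.nl'           -> 'ebaysale.nl' (a different registration)
    'ebay.com.attacker.example' -> 'attacker.example'
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_of(url: str) -> str:
    """Hostname of a URL; bare hostnames are accepted too.

    urlsplit() discards any 'user@' prefix, so 'http://www.ebay.com@other/'
    yields 'other', not 'www.ebay.com'.
    """
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""


def belongs_to_brand(url: str, brand_domain: str) -> bool:
    """True only when the URL's registrable domain is exactly the brand's."""
    return registrable_domain(host_of(url)) == brand_domain.lower()


if __name__ == "__main__":
    for candidate in ("www.express.ebay.com", "www.ebaysale.nl",
                      "http://www.ebay.com.attacker.example/signin",
                      "http://www.ebay.com@attacker.example/"):
        verdict = "ok" if belongs_to_brand(candidate, "ebay.com") else "NOT ebay"
        print(f"{candidate:50} {verdict}")
```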



One way to deal with e-voting...

http://techdirt.com/articles/20070928/004959.shtml

Dutch Gov't Pulls The Plug On E-Voting (For Now)

from the did-they-vote-on-that? dept

While the US is still trying to figure out what to do about problematic e-voting machines, over in the Netherlands, they've apparently decided to ditch the machines (or, at least, ditch the regulation approving the machines), at least until they've figured out a way to make them more reliable, secure and trustworthy. Sounds like a reasonable plan, though it sounds like they may be looking to bring the machines back rather quickly, with just a paper trail -- which may not be enough. At some point people need to realize that many of these machines can't be retrofitted to fix things, but need to be rethought from the ground up.


Here's an alternative approach. (read the first comment.)

http://politics.slashdot.org/article.pl?sid=07/09/28/1942209&from=rss

Out With E-Voting, In With M-Voting

Posted by Zonk on Friday September 28, @05:22PM from the has-to-be-safer-than-diebold dept. The Internet Communications Politics

InternetVoting writes "The ever technology-forward nation sometimes known as 'E-stonia', after recently performing the world's first national Internet election, is already leaving e-voting behind. Estonia is now considering voting from mobile phones using SIM cards as identification, dubbed 'm-voting.' From the article: 'Mobile ID is more convenient in that one does not have to attach a special ID card reader to one's computer. A cell phone performs the functions of an ID card and card reader at one and the same time.'"



From the People's Republic of Boulder (Down the road from the home of the four word editorial)

http://digg.com/world_news/Boulder_CO_High_students_walk_out_during_Pledge_reciting_their_own

Boulder High students walk out during Pledge, recite own version

The Associated Press Article Last Updated: 09/27/2007 12:02:46 PM MDT

BOULDER, Colo.—About 50 Boulder High School students walked out of class Thursday to protest the daily reading of the Pledge of Allegiance and recited their own version, omitting "one nation, under God."

The students say the phrase violates the constitutional separation of church and state.



Not sure I get all of this, but some of the ideas are amusing...

http://www.theage.com.au/news/security/google-looking-at-privacy-protections-for-users/2007/09/28/1190486555877.html

Google looking at privacy protections for users

September 28, 2007 - 4:43PM

Google, the world's web search leader, told US Senators today the company is pursuing new technologies to protect the privacy of internet users as it seeks to acquire advertising company DoubleClick.

Google's chief legal officer, David Drummond, testified that the company was looking at the internet display advertising business with a "fresh eye and evaluating whether changes can be made to innovate on user privacy in this space".

... As a general matter, Drummond also sought to address antitrust concerns about the deal, describing it as pro-competitive.

... He cited as an example a possible new technology that Google called "crumbled cookie" in which information about an internet user would not be connected to a single piece of identifying code, [“We'll use two possibly as many as three, sent simultaneously and reassembled at our end. Aren't we benevolent?” Bob] known as a cookie.

Google was also exploring better ways of providing notice within advertisements to identify who was responsible for them, [“Some people think we could just include the name of the ad purchaser... How naive.” Bob] Drummond said.



For my Business Continuity class... Forward to your favorite geek.

http://www.securityfocus.com/infocus/1894?ref=rss

Passive Network Analysis

Stephen Barish 2007-09-28

... The first, most basic information, we need about our networks in order to defend them well is the network map.



I suppose this was inevitable...

http://science.slashdot.org/article.pl?sid=07/09/28/1644233&from=rss

Know How To Use a Slide Rule?

Posted by kdawson on Friday September 28, @12:46PM from the try-your-hand dept. Math Hardware

high_rolla writes "How many of you have actually used a slide rule? The slide rule was a simple yet powerful and important tool for engineers and scientists before the days of calculators (let alone PCs). In fact, several people I know still prefer to use them. In the interest of preserving this icon we have created a virtual slide rule for you to play with."

Wikipedia lists seven other online simulations.



Interesting resource, but not updated too often

http://www.freetechbooksonthenet.blogspot.com/

Free Technical Books on the Net



I'm trying for the role of humorous sidekick and chief food taster... Anyone out there know how to boil water?

http://www.killerstartups.com/Web20/cookshow--Visual-Recipes/

Cookshow.com - Visual Recipes

If you’ve ever picked up a copy of Julia Child’s and attempted to demystify one of her recipes, you’ll understand the need for sites like Cookshow. That is to say, sometimes, the recipe just isn’t enough for an amateur chef to be able to produce a succulent finished product, and a visual aid would be helpful. Cookshow goes beyond simple photos and brings you video recipes, so you can see exactly what you’re supposed to do, which ingredients you’re supposed to add, and when. It’s essentially a video-cooking social network for all ranges of abilities, however; anyone can join and upload videos. You can search for recipes and tips by category (for example, you can search for a recipe in French for a second-course Asian fusion dish), and you can also join groups and meet other chefs. If you like a recipe, tell the uploader by commenting on it and add them to your “Favorite chefs”. The site operates in English, French, and German currently.

http://www.cookshow.com/index.php?val=1&language=english&id_pub=2&lan=2

Friday, September 28, 2007

Strange but interesting.

http://www.infoworld.com/article/07/09/27/eBay-says-phishing-likely-to-blame-for-members-data-theft_1.html?source=rss&url=http://www.infoworld.com/article/07/09/27/eBay-says-phishing-likely-to-blame-for-members-data-theft_1.html

eBay: Phishing likely to blame for members' data theft

eBay's security experts have determined that the 'fraudster' who posted personal data for 1,200 users acquired it through phishing and not hacking

By Juan Carlos Perez, IDG News Service September 27, 2007

eBay's security experts have determined that it's highly likely that whoever posted confidential information about its members in a company discussion forum this week stole the data via an e-mail phishing scam, an eBay spokeswoman said Thursday.

The perpetrator of the data disclosure on about 1,200 eBay members didn't hack into eBay systems, spokeswoman Nichola Sharpe said in an e-mail interview, reiterating an assurance eBay made when the incident happened on Tuesday.

eBay is working with law enforcement to take action against the fraudster, she said, while declining to answer whether the person has been identified or caught. Because the situation is delicate, eBay can't fully disclose the information it has gathered, she said.

Sharpe also defended eBay's reaction to the incident, in which a malicious user posted members' information like names, addresses, user IDs and, apparently, credit card numbers on the company's Trust & Safety discussion forum.

In a discussion forum thread, some eBay members have criticized the vendor for, in their view, taking too long in shutting down the forum used by the fraudster.

eBay took the Trust & Safety forum offline about an hour after the fraudster began posting the confidential data.

Regarding the credit card numbers, eBay now knows they didn't belong to the affected members and is fairly certain that the numbers weren't valid at all. "We have reason to believe this data was falsified to cause public concern," Sharpe said.

eBay hasn't been able to determine when the phishing scam may have taken place, she said, while declining to comment on whether the data theft may involve more than the 1,200 members whose information was listed.

Sharpe declined to answer whether eBay can or plans to implement changes to its discussion forums so that potentially malicious postings or suspicious activities can be automatically flagged and alerts triggered.

... More information about safety measures on eBay can be found on this Web site.



Gee, there must be a market for surveillance...

http://science.slashdot.org/article.pl?sid=07/09/27/1857244&from=rss

Sony Developing Gigapixel Satellite Imaging

Posted by Zonk on Thursday September 27, @04:04PM from the hello-up-there dept. Privacy Science

holy_calamity writes "Sony and the University of Alabama are working on a gigapixel resolution camera for improved satellite surveillance. It can see 10-km-square from an altitude of 7.5 kilometres with a resolution better than 50 centimetres per pixel. As well as removing annoying artefacts created by tiling images in Google Earth and similar, it should allow CCTV surveillance of entire cities with one camera. 'The trick is to build an array of light sensitive chips that each record small parts of a larger image and place them at the focal plane of a large multiple-lens system. The camera would have gigapixel resolution, and able to record images at a rate of 4 frames per second. The team suggests that such a camera mounted on an aircraft could provide images of a large city by itself. This would even allow individual vehicles to be monitored without any danger of losing them as they move from one ground level CCTV system to another.'"



Cute

http://digg.com/offbeat_news/A_Brief_History_of_Surveillance_PIC

A Brief History of Surveillance (PIC)

A timeline of technological and policy innovations in the art of commercial and state surveillance

http://www.aclu.org/images/privacy/milestones.gif



Somehow, I doubt this...

http://hardware.slashdot.org/article.pl?sid=07/09/27/2157230&from=rss

Internet Uses 9.4% of Electricity In the US

Posted by Zonk on Thursday September 27, @06:03PM from the that's-it dept. Power The Internet

ribuck writes "Equipment powering the internet accounts for 9.4% of electricity demand in the U.S., and 5.3% of global demand, according to research by David Sarokin at online pay-for-answers service Uclue. Worldwide, that's 868 billion kilowatt-hours per year. The total includes the energy used by desktop computers and monitors (which makes up two-thirds of the total), plus other energy sinks including modems, routers, data processing equipment and cooling equipment."



I wonder what their contract says... “Don't mess with us or we'll turn your iPhone into a $600 'Pet Rock'”

http://www.news.com/8301-13579_3-9786644-37.html?part=rss&subj=news&tag=2547-1_3-0-5

September 27, 2007 3:11 PM PDT

Owners of unlocked iPhones hosed by software update

Posted by Tom Krazit

Well, you can't say they didn't warn you.

Apple released an update for the iPhone on Thursday that brings the Wi-Fi Music Store to the device, as well as several security fixes and enhanced features. But, as expected, it also turns iPhones that were unlocked to run on cellular networks other than AT&T's into little more than emergency call boxes.

Macworld reported two iPhones in its office with SIM (subscriber identity module) hacks did not work after the update was installed. A message prompted the phone's owner to install "an unlocked and valid SIM card" before the phone could be completely activated. It's almost like the phone was in the same pre-activation limbo stage that frustrated many iPhone users waiting for activation the first weekend the device went on sale.


Related or “something completely different?”

http://slashdot.org/article.pl?sid=07/09/27/1852202&from=rss

Microsoft Should Abandon Vista?

Posted by Zonk on Thursday September 27, @03:21PM from the seems-a-bit-harsh dept. Microsoft Windows

mr_mischief writes "An editorial written by Don Reisinger over at CNet's News.com takes Microsoft to task for the outright failure of Vista. He suggests that Vista may be the downfall of the company as, despite years in development, Vista was delivered to market too early. His suggestion? Support those who are running it, but otherwise ditch Vista and move on. 'Never before have I seen such an abysmal start to an operating system release. For almost a year, people have been adopting Vista and becoming incensed by how poorly it operates. Not only does it cost too much, it requires more to run than XP, there is still poor driver support ... With Mac OS X hot on its tail, Vista is simply not capable of competing at an OS level with some of the best software around. If Microsoft continues down this path, it will be Vista that will bring the software giant to its knees--not Bill Gates' departure.'"



For those idle moments...

http://digg.com/movies/Top_10_Streaming_Movie_TV_Websites_of_2007

Top 10 Streaming Movie & TV Websites of 2007

We've searched far and wide, through every nook and cranny of the deepest recesses of the internet with one goal in mind -- To find the absolute best websites that offer Streaming Video Entertainment for movies, television series, cartoons, anime, bollywood flicks and beyond. So, with no further ado, here is the result of our journey.

http://www.kazoop.net/index.php?option=com_content&task=view&id=4&Itemid=24



I'm disappointed they haven't yet connected this to either Osama or copyright piracy...

http://www.clickondetroit.com/news/14214576/detail.html

Suspects Arraigned In Pop Can Smuggling Ring

Authorities: Smuggling Rings Defrauded Mich. Bottle Deposit Fund

POSTED: 10:31 pm EDT September 26, 2007 UPDATED: 7:58 pm EDT September 27, 2007

DETROIT -- Authorities said they arrested 10 people and seized more than $500,000 in cash after breaking up a smuggling ring that collected millions of beverage containers in other states and cashed them in for 10 cents apiece in Michigan.

The 10 people were arraigned on charges ranging from false pretense, a possible 5-year felony to running a criminal enterprise, a possible 20-year sentence.

A total of 15 people were named in a 67-count warrant issued as part of Operation Can Scam, Attorney General Mike Cox said Wednesday. Some suspects were members of two smuggling rings based in Ohio and others were Michigan merchants who took part in the scheme, he said.

Thursday, September 27, 2007

Disinformation? Most tapes have the format printed on the label, don't they? Given a format, you can get a tape drive on e-Bay with little effort. (Of course, if you were targeting specific information, you'd have the tools already.)

http://www.pogowasright.org/article.php?story=20070926204319614

Opinion: Lost data tapes are non-events

Wednesday, September 26 2007 @ 08:43 PM EDT Contributed by: PrivacyNews News Section: Breaches

The recent theft of a tape containing bank-account and other sensitive financial data for all Connecticut state agencies made for great headlines but, all things considered, it was probably a non-event (see "Connecticut sues Accenture over stolen backup tape").

Much of the concern about lost, misplaced and stolen tapes stems from the fear that the data stored on these tapes is in an unencrypted format. While this concern is certainly justified if a laptop or USB drive should go missing, the risk of just anyone retrieving usable data from a tape is almost nonexistent for the following reasons:

  • Numerous tape formats. 3592, 9840, 4mm, 8mm, LTO, SAIT and SDLT are just some of the available tape

Source - Computerworld



“Customers have 'no worries' because our data is password protected!”

http://it.slashdot.org/article.pl?sid=07/09/26/1959246&from=rss

Convicted VoIP Hacker Robert Moore Speaks

Posted by ScuttleMonkey on Wednesday September 26, @06:35PM from the kind-of-thing-an-idiot-would-have-on-his-luggage dept. Security News

An anonymous reader writes "Convicted hacker Robert Moore, who will report to federal prison this week, gives his version of 'How I Did It' to InformationWeek. Breaking into 15 telecom companies and hundreds of corporations was so easy because most routers are configured with default passwords. "It's so easy a caveman can do it," Moore said. He scanned more than 6 million computers just between June and October of 2005, running 6 million scans on AT&T's network alone. 'You would not believe the number of routers that had "admin" or "Cisco0" as passwords on them,' [These are the default (out of the box) passwords. The documentation always tells you to change them first thing... Bob] Moore said. 'We could get full access to a Cisco box with enabled access so you can do whatever you want to the box. We also targeted Mera, a Web-based switch. It turns any computer basically into a switch so you could do the calls through it. We found the default password for it. We would take that and I'd write a scanner for Mera boxes and we'd run the password against it to try to log in, and basically we could get in almost every time. Then we'd have all sorts of information, basically the whole database, right at our fingertips.'"



Perhaps they should have pointed to the SPAM laws...

http://www.news.com/8301-10784_3-9785927-7.html?part=rss&subj=news&tag=2547-1_3-0-5

Verizon refuses to carry activist text messages

Posted by Amy Tiemann September 26, 2007 6:37 PM PDT

This news may hit CNET tomorrow as a New York Times cross-post, but I haven't seen anything about it yet so I wanted to be sure it was reported here.

According to the Times, Verizon, one of the nation's two largest wireless carriers, told NARAL that it would not allow the reproductive rights organization to send text messages through a program using Verizon's mobile network, on the grounds that Verizon has the right to block "controversial or unsavory" text messages.

I am no expert on Net Neutrality, but the idea that a telecom carrier will refuse to carry messages based on content is incredibly scary. Could they decide to broadcast messages sent by the Democratic party, but not Republicans? Christian messages but not Jewish? Everybody has a point of view that could be viewed as "controversial or unsavory" to someone else. I thought that controversy and open dialogue were integral parts of our democratic process. Idealism dies hard even in this day and age.

Apparently the First Amendment does not in itself prohibit such censorship, but we should not accept such an action, which has been likened to the mass censorship of political speech by the Chinese government, no matter whether the carrier agrees with the content or not.

Laws that forbid common carriers from interfering with voice transmission on phone lines do not apply to text messages. It's time to change that law to protect free speech, no matter how it is communicated.


The opposite of blocking? Perhaps NARAL should have used this technique?

http://techdirt.com/articles/20070925/003229.shtml

Comcast Fined For Airing Fake News Without Revealing It Was Fake

from the this-ain't-Jon-Stewart dept

Over the last few years there's been quite a bit of controversy over the practice of biased parties putting together video news releases. They look like typical local news feature segments on a particular topic, but they're actually put together by companies, PR agencies or even government agencies. Cheap or lazy TV stations will often air them as filler, though they rarely explain the origins of the report (and often will play them off as the work of their own news agency). The FCC has been warning stations about the practice of airing these videos without disclosure, but it hasn't had much of an impact. That may be changing. The FCC has now fined Comcast $4,000 for airing one such VNR, about some kind of sleeping pill, without disclosing that the "news" report was produced by the company that made the sleeping pill. While it's nice that someone is cracking down on this deceptive practice, there are questions over jurisdiction. The FCC has jurisdiction over broadcast TV, but not necessarily cable TV. If anything, this seems like the sort of thing that the FTC should be looking into, rather than the FCC. Either way, the point should be clear: TV stations that are airing these videos may start to be a bit more careful (and a bit more open) about using them.


...or Verizon could have tipped these guys to the “Evil Messages.” After all, we know exactly how terrorists write -- don't we?

http://blog.wired.com/defense/2007/09/do-you-write-li.html

Do You Write Like a Terrorist?

By Noah Shachtman, September 24, 2007 | 12:00:00 PM Categories: Info War

You might think your anonymous online rants are oh-so-clever. But they'll give you away, too. A federally-funded artificial intelligence lab is figuring out how to track people over the Internet, based on how they write.

The University of Arizona's ultra-ambitious "Dark Web" project "aims to systematically collect and analyze all terrorist-generated content on the Web," the National Science Foundation notes. And that analysis, according to the Arizona Star, includes a program which "identif[ies] and track[s] individual authors by their writing styles."



What do they think they are, some kind of Democracy?

http://slashdot.org/article.pl?sid=07/09/27/0334220&from=rss

New Zealand Police Act Wiki Lets You Write the Law

Posted by samzenpus on Thursday September 27, @02:20AM from the I-can-speed-every-tuesday dept. The Internet News

PhoenixOr writes "New Zealand is now on the top of my list for cool governments. They've opened a wiki allowing the populace to craft a new version of their Police Act, the legislative basis for policing in New Zealand."


What did they think they were, some kind of un-Democracy?

http://www.bespacific.com/mt/archives/016100.html

September 26, 2007

Court Rules Unconstitutional Two Provisions of FISA

EFF: "Today, Judge Ann Aiken of the Oregon Federal District Court ruled that two provisions of the Foreign Intelligence Surveillance Act (FISA), '50 U.S.C. §§ 1804 and 1823, as amended by the Patriot Act, are unconstitutional because they violate the Fourth Amendment of the United States Constitution.'"



“Reach out... Reach out and jail someone!” [PDF]

http://www.fas.org/sgp/crs/misc/94-166.pdf

Extraterritorial Application of American Criminal Law



Now I can be the first one on my block to get the new “Obama Girl” video!

http://www.bespacific.com/mt/archives/016099.html

September 26, 2007

Google Video Alerts

Official Google Blog: "Video Alerts enables you to specify any topics or queries of interest so we can deliver interesting and relevant videos on a daily, weekly, or as-it-happens basis (your choice) to you via email. To start receiving Video Alerts, you can visit the Google Alerts homepage directly or set up the alert during your normal video searches. Videos may come from Google Video, YouTube, or many other video sources on the web."



How to target your hacker-bots?

http://www.bespacific.com/mt/archives/016097.html

September 26, 2007

List of Federal Agency Internet Sites Partnership Renewed

"GPO is pleased to announce the renewal of its partnership with the Troy H. Middleton Library of Louisiana State University through 2010.

Originally signed in 2001, this partnership provides for Federal depository library access to the List of Federal Agency Internet Sites Web site. Based on the U.S. Government Manual, the List directs users to the Web sites of active Federal agencies, and can be searched in several ways. Users can view a hierarchical or an alphabetical list of all agencies. The agencies are also listed by broad category, such as boards/commissions, legislative, and quasi-official. The entire list is searchable by agency keyword as well."



Ain't technology wonder-ful? ...or is this another effect of “Global Warming?” (I'm selling “Save the hyphen” T-shirts. How many would you like?)

http://www.reuters.com/article/oddlyEnoughNews/idUSHAR15384620070921?sp=true

Thousands of hyphens perish as English marches on

Fri Sep 21, 2007 4:54pm EDT By Simon Rabinovitch

LONDON (Reuters) - About 16,000 words have succumbed to pressures of the Internet age and lost their hyphens in a new edition of the Shorter Oxford English Dictionary.

Bumble-bee is now bumblebee, ice-cream is ice cream and pot-belly is pot belly.

And if you've got a problem, don't be such a crybaby (formerly cry-baby).

Wednesday, September 26, 2007

More reaction to the TJX settlement

http://techdirt.com/articles/20070925/113835.shtml

Shocker, TJX Credit Card Breach Settlement Proposal Lacks Any Real Settlement

from the oops-we're-real-sorry dept

TJX, the parent corporation of retailer TJ Maxx, proposed a settlement to the class action suits levied against it in what could be the largest credit card breach ever, approximately 45 million records. TJX is offering claimants up to three years of credit monitoring along with $20,000 identity theft insurance coverage. This settlement sounds pretty good, until you read the fine print (via Consumerist). In order to qualify for the settlement, you must have returned an item to the store without a receipt; this limits the claimants to approximately 455,000 people, or only about 1% of the class. The remaining 44.5 million are only eligible for $30 vouchers in store credit, and only with documented proof of a loss. This definitely seems like a slap on the wrist for TJX. Sure, it's bad, but surely TJX hasn't lost 77% of its customer base from this incident. Finally, in a clever move at the end of the settlement proposal, TJX took this as an opportunity to announce that all of its stores will be having a 15% sale sometime in 2008. Way to turn a class action lawsuit settlement into free advertising, TJ Maxx.


Some details, but not enough...

http://www.canada.com/edmontonjournal/news/business/story.html?id=9279b9aa-3cf9-43c2-a7a9-eae464a73525&k=10034

TJX collected too much customer data: Canada report

Wojtek Dabrowski, Reuters Published: Tuesday, September 25

... The joint probe by the privacy commissioners of Canada and the province of Alberta found that TJX Cos Inc did not properly manage "the risk of an intrusion" and did not act quickly to upgrade the strength of its encryption systems.

... The report also found the company did not have a reasonable purpose for collecting driver's license numbers and other identification data when merchandise was returned without receipts.

[The Canadian Report [pdf]]



If you got it, flaunt it!

http://www.pogowasright.org/article.php?story=200709251822226

eBay forum mysteriously leaks account details on 1,200 users

Tuesday, September 25 2007 @ 06:22 PM EDT Contributed by: PrivacyNews News Section: Breaches

Hackers brazenly posted sensitive information including home addresses and phone numbers for 1,200 eBay users to an official online forum dedicated to fraud prevention on the auction site. The information - which also included user names and email, and possibly their credit card numbers and three-digit CVV2 numbers - was visible for more than an hour to anyone visiting the forum. The miscreants appeared to create a script that caused each user to log in and post information associated with the person who owned the account. The script spit out about 15 posts per minute, starting around 5:45 a.m. California time.

An eBay spokeswoman said the posts were not the result of a security breach on eBay and that the credit card numbers contained in the posts were not those eBay or PayPal had on file for those users. eBay representatives have begun contacting all users whose information was posted to head off any further fraud and to learn more about the attack.

Source - The Register



Perhaps there are e-watchdogs out there... How will this impact privacy/security policies?

http://www.zdnet.com.au/news/security/soa/Centrelink-denies-hiding-privacy-breaches/0,130061744,339282393,00.htm

Centrelink denies hiding privacy breaches

Liam Tung, ZDNet Australia 26 September 2007 11:48 AM

Centrelink says it is completely candid about privacy breaches by employees, after it was forced to clarify the number of breaches that occurred during the last financial year.

"We're up front with this," a spokesperson told ZDNet Australia. "We are dedicated to protecting privacy breaches. It's a case of 'yes, this did happen' and we're not hiding it away."

Centrelink was forced to detail how many breaches had occurred during the last financial year to prevent potential misunderstanding caused by Channel 7 conflating figures it had acquired under a Freedom of Information request, which covered two separate investigations, said the spokesperson.

Centrelink publishes the results of its investigations in its annual report, the spokesperson added.



Would this be considered a conspiracy in restraint of trade?

http://techdirt.com/articles/20070924/033047.shtml

Ever Wonder How These Astroturf 'Coalitions' Are Formed?

from the lobbyists-and-shills-and-pr,-oh-my! dept

By now we've all seen the various fake "astroturf" PR/lobbying efforts out there, talking up some particular position, which is almost always created and funded by a company that benefits from having the public (or, more often, politicians) support that position. Most people recognize that they're just false fronts, but the details are often hidden. However, in at least one case, the details have been leaking out. Microsoft, who isn't in much of a position to call "antitrust" violations on others, is trying to stop Google from being able to acquire DoubleClick. In order to get support in blocking the deal, Microsoft apparently had a big PR firm try to put together one of these fake "coalitions" using the name "Initiative for Competitive Online Marketplaces" (gotta love the names of all of these coalitions), which appears to be designed solely to release reports critical of Google practices. The problem, though, is that the email the PR firm used to "recruit" members to join this group has leaked out and is getting press attention. Again, there's nothing particularly new in all of this. There are countless such organizations, but it's rare to get the details on how one was brought together. In this case, the email being sent to potential participants urges them to complain about Google's practices to politicians, regulators and the media. Even though Microsoft put the group together, apparently the PR firm did not reveal that. This won't change much, of course, and we can probably still expect to see reports coming out from the "Initiative for Competitive Online Marketplaces," but it would be nice to see the press act at least a little skeptical of any conclusions drawn from those reports.



Never try to stifle a blogger...

http://yro.slashdot.org/article.pl?sid=07/09/25/2342242&from=rss

Bloggers Versus Billionaire

Posted by kdawson on Tuesday September 25, @11:40PM from the nailing-jello-to-a-tree dept. Censorship

Roger Whittaker writes "An interesting case in England is pitting the combined power of multiple bloggers against an Uzbek billionaire. The bloggers are supporting the former UK ambassador to Uzbekistan, Craig Murray, who has written a book about what happened there after the fall of Communism. The book is apparently unflattering in the extreme to oligarch Alisher Usmanov, who has engaged the law firm Schillings (which seems to specialize in getting unfavorable Web content removed for rich clients). Their threats have led to the removal of Murray's blog site by his hosting company Fasthosts. But a large number of bloggers have taken up Murray's cause, and the content that caused the original complaint, and links to it, have now sprung up in a very large number of places. The Internet still seems to regard censorship as damage and route around it."


I doubt Lowes will fare any better...

http://techdirt.com/articles/20070924/040616.shtml

Lowes Tries To Silence Sucks Site For Complaints About Lowes

from the did-someone-call-Streisand's-name? dept

We've covered a variety of cases involving so-called "sucks sites," where someone registers as a domain name the name of a company and appends sucks to the end in order to create a complaint site. Companies have often complained that these sites are trademark violations, but that usually doesn't pass the moron in a hurry test. The latest such case involves home improvement store Lowes. A guy who bought a fence from them was upset that the installers botched the job. Lowes refused to take responsibility, so he set up a site at Lowes-Sucks.com and promptly received a cease and desist from the company claiming trademark violation. While early on, a few companies were able to get sucks sites shut down, it's become a lot rarer, as judges tend to recognize that criticism is perfectly legitimate -- and no one is likely to confuse a sucks site as being endorsed by the company. In the meantime, of course, in sending out such a cease and desist, Lowes has just drawn a lot more attention to the fact that they won't take responsibility for the botched fence install. Wouldn't it have just been better for business to fix the damn fence?



Tools & Techniques: Hacking

http://jeremiahgrossman.blogspot.com/2007/09/read-someones-gmail-made-simple.html

Tuesday, September 25, 2007

Read someone’s Gmail, made simple

I’m currently in Taiwan attending the OWASP Asia 2007 conference, in large part due to the generosity and coordination of Armorize Technologies. I plan to post more about the experience, but in the meantime I wanted to break blog silence to point out PDP’s ingenious Gmail CSRF attack technique, where the details were partially disclosed. I haven’t verified this attack personally, but I see absolutely nothing preventing this type of attack from working exactly as advertised.

Essentially an evil website forces a logged-in Google user to create a new email filter (CSRF) which forwards their email to any remote address of the hacker’s choosing. A current or incoming email arrives and, poof, it is silently forwarded on its way, which would be extremely hard for anyone to spot. Simple, silent, and extremely clever. I also see why this technique could be easily applied to any other WebMail provider if they had a similar filtering technique in place.

This is especially scary because, as I said, WebMail accounts are in many ways more valuable than banking accounts because they maintain access to many other online accounts (blog, banking, shopping, etc.). Check out Brian Krebs’ Washington Post article where he covers a situation where a hacker is extorting a user by locking off access to their WebMail.
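The defence against this kind of forced filter creation is ordinary CSRF protection on the state-changing endpoint: an Origin check plus a per-session token that a cross-site page cannot read. The following is an added Python example, not code from Grossman's post or from any webmail provider; the session cookie, origin and address values are constructed for illustration.

```python
"""A webmail 'create filter' endpoint, cookie-only beside a CSRF-hardened version."""
import hmac
import secrets
from dataclasses import dataclass

SITE_ORIGIN = "https://mail.example.test"   # assumed origin of the webmail app (constructed)

# Constructed in-memory server state: session cookie -> user, user -> filter list.
SESSIONS = {"sess-alice": "alice"}
FILTERS = {"alice": []}
CSRF_TOKENS = {}   # session cookie -> token minted when the settings page was rendered


@dataclass
class Request:
    cookie: str        # session cookie; the browser attaches it to ANY request to the site
    form: dict         # POST body fields
    origin: str = ""   # Origin header as the browser set it; page script cannot forge it


def reset_state():
    FILTERS["alice"] = []
    CSRF_TOKENS.clear()


def create_filter_vulnerable(req: Request):
    """Cookie-only authorisation: a page on any other site can make the victim's
    browser POST here and silently install a forwarding filter."""
    user = SESSIONS.get(req.cookie)
    if user is None:
        return 401, "not logged in"
    FILTERS[user].append({"match": req.form["match"], "forward_to": req.form["forward_to"]})
    return 200, "filter created"


def issue_csrf_token(cookie: str) -> str:
    """Mint a per-session token when the settings form is rendered; it goes into a
    hidden form field, which the same-origin policy keeps other sites from reading."""
    token = secrets.token_urlsafe(32)
    CSRF_TOKENS[cookie] = token
    return token


def create_filter_hardened(req: Request):
    user = SESSIONS.get(req.cookie)
    if user is None:
        return 401, "not logged in"
    # Check 1: the Origin header must name our own site.
    if req.origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    # Check 2: the submitted token must match the one minted for this session
    # (constant-time compare so the check itself leaks nothing).
    expected = CSRF_TOKENS.get(req.cookie)
    supplied = req.form.get("csrf_token", "")
    if expected is None or not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    FILTERS[user].append({"match": req.form["match"], "forward_to": req.form["forward_to"]})
    return 200, "filter created"


def run_scenarios():
    """Replay a cross-site POST and a legitimate submission against both handlers;
    returns the status codes and the number of filters installed after each."""
    results = {}
    # Cross-site POST: the victim is logged in, but the request originates on
    # another site and carries no token.
    cross_site = Request(cookie="sess-alice",
                         form={"match": "*", "forward_to": "someone-else@example.test"},
                         origin="https://other-site.example.test")
    reset_state()
    results["vulnerable_cross_site"] = create_filter_vulnerable(cross_site)[0]
    results["vulnerable_filters"] = len(FILTERS["alice"])

    reset_state()
    results["hardened_cross_site"] = create_filter_hardened(cross_site)[0]
    results["hardened_filters_after_cross_site"] = len(FILTERS["alice"])

    # Same-site submission from the real settings form, token included.
    token = issue_csrf_token("sess-alice")
    legit = Request(cookie="sess-alice",
                    form={"match": "from:boss", "forward_to": "alice@phone.example.test",
                          "csrf_token": token},
                    origin=SITE_ORIGIN)
    results["hardened_legit"] = create_filter_hardened(legit)[0]
    results["hardened_filters_after_legit"] = len(FILTERS["alice"])

    # Same origin but a wrong token (e.g. a replayed stale form) is still refused.
    bad = Request(cookie="sess-alice", form={**legit.form, "csrf_token": "x" * 43},
                  origin=SITE_ORIGIN)
    results["hardened_bad_token"] = create_filter_hardened(bad)[0]
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```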



Use the tools you have...

http://www.bespacific.com/mt/archives/016086.html

September 25, 2007

Google Videos on Search Privacy and Personalized Search

Jane Horvath, Senior Privacy Counsel at Google, has posted links to two YouTube videos providing users with details about privacy practices and personalizing your search.



...or use the tools everyone else is using.

http://www.bespacific.com/mt/archives/016091.html

September 25, 2007

State Department Launches First Blog

"Welcome to the State Department's first-ever blog, Dipnote... With the launch of Dipnote, we are hoping to start a dialogue with the public. More than ever, world events affect our daily lives--what we see and hear, what we do, and how we work. I hope Dipnote will provide you with a window into the work of the people responsible for our foreign policy, and will give you a chance to be active participants in a community focused on some of the great issues of our world today." [Posted by Sean McCormack]




But the politicians knew this going in... They only wanted to be able to say “We did something!” Perhaps voters should demand they do something correctly, or not at all.

http://www.news.com/8301-13578_3-9784556-38.html?part=rss&subj=news&tag=2547-1035_3-0-5

Ohio federal judge strikes down Net-censorship law

Posted by Declan McCullagh September 25, 2007 12:26 PM PDT

It's no surprise that politicians are rarely conversant with the limits on their legislating found in the U.S. Constitution. But it is worth noting when federal judges have actually read the First Amendment and strike down a law accordingly.

That brings us to Ohio's constitutionally impaired legislature, which enacted two laws that were touted as ways to protect children on the Internet but in reality would become a new censorship regime.

An Ohio federal judge on Monday struck down (see PDF) the state's combined "harmful to minors" law on the grounds that it ran afoul of the First Amendment's guarantee of freedom of speech.



Question: If you can prove an image has been altered, and I alter every image before I post it, would you have a hard time proving I copied your original?

http://hosted.ap.org/dynamic/stories/D/DEMO_TECH_SHOW?SITE=VALYD&SECTION=HOME&TEMPLATE=DEFAULT

Software Takes Aim at Altered Photos

By ELLIOT SPAGAT AP Business Writer Sep 25, 7:11 PM EDT

... Shoot & Proof shows where a photo was shot (if the phone is equipped with global positioning software), as well as when and on whose device.

A retailer client of CodaSystem uses Shoot & Proof to ensure manufacturers that their wares are being displayed as promised. A security company uses it to record break-ins and reassure insurance companies they aren't being bilked.

Near the opposite end of the spectrum, another participant in DEMOfall, MotionDSP Inc., introduced a Web site, http://www.fixmymovie.com , where consumers can sharpen pictures and videos taken on cell phones, images that are typically jumpy and heavily pixelated.

MotionDSP, based in San Mateo, Calif., got its start by licensing software from the University of California at Santa Cruz and targeting military and intelligence agencies. In-Q-Tel, an investment firm launched by the CIA in 1990 to support U.S. intelligence work, announced in July that it was an investor.

Tuesday, September 25, 2007

Since TJX announced on Friday, the comments are just starting to appear. (No damages, no foul!)

http://www.pogowasright.org/article.php?story=20070924125609442

What Was Behind the TJX Settlement? (opinion)

Monday, September 24 2007 @ 12:56 PM EDT Contributed by: PrivacyNews News Section: Breaches

When TJX announced Sept. 21 that it had worked out a settlement for all of the consumer lawsuits that had been filed against it, it provided an anticlimactic ending to much of this data breach saga.

But in many ways, this resolution—with a settlement offer that will cause TJX very little material pain—was inevitable. Despite the background of the most massive data breach in retail history, where credit card data of some 46 million consumers fell into unauthorized hands, TJX had virtually nothing to fear from the U.S. judicial system.

The area of data breaches with the goal of identity theft is a relatively unexplored one for both federal legislation and U.S. courts, with little legal precedent to help. With no help there, attorneys representing the consumers whose data was stolen had very little to work with.

Source - eWeek


http://www.digitaltransactions.net/newsstory.cfm?newsid=1525

TJX Settlement Leaves the Bigger Card-Security Issues Unsettled

(September 24, 2007) Off-price retailer TJX Cos. Inc. late Friday announced it had settled the consumer class-action lawsuits it faced in the wake of a security breach that compromised nearly 46 million payment card records in its computers, but big-picture issues facing card networks, processors, and merchants about the best ways to enhance card security and who should be responsible for it are far from settled.

The tentative settlement, which includes Fifth Third Bancorp, TJX’s U.S. merchant acquirer, includes free credit-report monitoring and identity-theft insurance for some customers, $30 vouchers for others, and a three-day “customer-appreciation” event featuring 15% price cuts at an unspecified future date. Those provisions drew fire from two analysts contacted by Digital Transactions News. “They’re getting off pretty easy,” says Larry Ponemon, chairman of the Ponemon Institute LLC, an Elk Rapids, Mich.-based privacy and security think tank. “It seems ludicrous to me. The cost of someone’s privacy can be reduced to a voucher for $30?”

Avivah Litan, a vice president at Stamford, Conn.-based research firm Gartner Inc. who has followed the breach since it was announced in early January, calls credit-report monitoring a “knee-jerk reaction” other companies have taken in the wake of computer breaches. It does nothing to solve the source of the problem or prevent some types of potential fraud, she argues. “Basically the winner in this case is the credit bureaus,” says Litan, who has long advocated that the card networks’ Payment Card Industry (PCI) standards place too much of the security burden and expense on merchants. Financial institutions should consider wider use of one-time PINs and other technologies to enhance security, she says.

... TJX denied the lawsuits’ claims, but said defending itself would be time-consuming and expensive. The company didn’t disclose the settlement’s cost, but said estimated expenses were reflected in a $107 million after-tax reserve for potential losses recorded in its fiscal 2008 second quarter and previously reported, estimated non-cash, after-tax charges of $21 million to be taken in fiscal 2009. In all, TJX had spent $215.9 million in the 26 weeks ended July 28 on the breach, according to its latest quarterly report, and its expected future charges mean total costs will exceed $236 million. Gartner’s Litan estimates TJX has spent about $125 million before taxes on enhanced computer security.

Curiously, even though a TJX filing with the Securities and Exchange Commission says Fifth Third also entered into the settlement agreement, the bank is not making a financial contribution to any settlement fund.

... The settlement, which is subject to court approval and other conditions, affects class-action lawsuits in the U.S., Canada, and Puerto Rico that had been filed on behalf of consumers and consolidated in U.S. District Court in Boston. It doesn’t cover lawsuits filed by others such as financial institutions that reissued cards.

... The settlement is contingent on completion of an evaluation by the plaintiffs’ independent security expert of TJX’s computer-security enhancements, and that expert’s acceptance of the enhancements. [First mention of 'acceptance' I've seen. Bob]

... In an August survey of TJX customers, Gartner estimated that 2.4% of TJX customers actually had account information stolen, resulting in estimated losses—include reissuance costs by their bank or credit unions—of $23.5 million.


Some details?

http://www.pogowasright.org/article.php?story=20070924124857276

Ca: Privacy Commissioners to release report on Winners/HomeSense breach

Monday, September 24 2007 @ 12:48 PM EDT Contributed by: PrivacyNews News Section: Breaches

The results of a joint investigation into a major privacy breach affecting the personal information of millions of shoppers, including Canadians who shopped at Winners and HomeSense stores, will be released tomorrow.

Jennifer Stoddart, the Privacy Commissioner of Canada, and Frank Work, the Information and Privacy Commissioner of Alberta, will summarize their findings into how intruders breached the computer system at TJX Companies Inc., the US-based owner of Winners and HomeSense stores, at a news conference in Montreal.

Source - PRNewswire

[Want to listen in? Press conference details are as follows:

WHEN: 10:30 a.m., Tuesday, September 25th, 2007.
WHERE: Sheraton Montreal; 1201 Boulevard Rene-Levesque West. Frechette Room, Level A.
PHONE-IN: Out-of-town journalists can join a teleconference by calling 1-888-265-0903 or 1-613-954-9003 and quoting Conference ID # 17628241.

The press conference is being held on the opening day of the 29th International Conference of Data Protection and Privacy Commissioners, which runs through September 28th. Information about the conference, a gathering of the world's top privacy experts, is available at http://www.privacyconference2007.gc.ca.]



This one is easy to fix. Delete all employees! Or at least the managers who say, “We don't know/care/bother looking at what our employees are doing.”

http://www.pogowasright.org/article.php?story=20070924124606912

(update) Loans.co.uk finds source of data leak

Monday, September 24 2007 @ 12:46 PM EDT Contributed by: PrivacyNews News Section: Breaches

Loans.co.uk has identified the source of a database breach which led to the personal details of customers being passed on to rival companies.

The company said this week that an audit of its IT systems had shown an employee had accessed the company database without authorisation.

"Loans.co.uk has controls and systems in place to protect individuals' information, and this is evidenced by the fact that these systems detected unauthorised activity on the database," said a spokeswoman.

... A spokesman for the [Information Commissioner's Office] said it would help Loans.co.uk to ensure that this does not happen again. He added that individuals within companies can be prosecuted for breaching the Data Protection Act.

Source - ComputerWeekly.com


Related.

http://www.pogowasright.org/article.php?story=20070924133033411

Prying eyes: Protecting patient records

Monday, September 24 2007 @ 01:30 PM EDT Contributed by: PrivacyNews News Section: Medical Privacy

Electronic access to patient data has made it easier to look up information -- sometimes too easy.

You've probably heard stories about employees or others tapping patient information systems for identity theft. But the more frequent problem is snooping -- curious staff or others with system access who look at information they're not authorized to see.

It sounds innocent, but HIPAA and an increasing number of state laws that cover disclosure of information breaches don't make distinctions based on intent. An information breach is an information breach, which means physician practices not only have to find ways to keep gawkers away but also must be ready to carry out consequences -- or face them -- if a breach occurs.

Source - American Medical News (sub. req. for full access)



More...

http://www.pogowasright.org/article.php?story=20070923205548368

Data “Dysprotection:” breaches reported last week

Monday, September 24 2007 @ 07:59 AM EDT Contributed by: PrivacyNews News Section: Breaches

A recap of incidents or privacy breaches reported last week for those who enjoy shaking their head and muttering to themselves with their morning coffee.

Source - Chronicles of Dissent



How does one enforce this rule?

http://www.pogowasright.org/article.php?story=20070924172306905

Official: DRS worker could use laptop out of state, but not data

Monday, September 24 2007 @ 05:23 PM EDT Contributed by: PrivacyNews News Section: Breaches

Officials say a state employee whose stolen laptop contained the names and Social Security numbers of more than 100,000 Connecticut taxpayers had permission to take the computer out-of-state, but not the data.

The laptop was stolen from the worker's car last month in Long Island, New York.

Source - Boston Globe

Related - Stolen state laptop has income information


Also related.

http://www.pogowasright.org/article.php?story=20070925072046737

(update) Former Pfizer Worker Could Face Charges

Tuesday, September 25 2007 @ 07:20 AM EDT Contributed by: PrivacyNews News Section: Breaches

Pfizer Inc. has contacted federal authorities in hopes they will prosecute a former employee responsible for a data breach that affected 34,000 people, according to information released Monday by the Connecticut attorney general's office.

Pfizer attorney Bernard Nash, in a five-page response to questions posed earlier this month by state Attorney General Richard Blumenthal, said the company last month contacted “a management-level federal prosecutor” and now hopes the former employee will be prosecuted “to the fullest extent of the law.”

Nash, in his letter dated Sept. 21, said Pfizer learned of the data breach after the suspect had left the New York-based pharmaceutical company. The suspect's new employer sent Pfizer a DVD containing the missing data that had been discovered on his new computer.

Source - The Day



Probably not a “feature”

http://it.slashdot.org/article.pl?sid=07/09/24/2339203&from=rss

Excel 2007 Multiplication Bug

Posted by kdawson on Monday September 24, @10:37PM from the be-fruitful-and-all-that dept.

tibbar66 writes with news of a serious multiplication bug in Excel 2007, which has been reported to the company. The first example that came to light is =850*77.1 — which gives a result of 100,000 instead of the correct 65,535. It seems that any formula that should evaluate to 65,535 will act strangely. One poster in the forum noted these behaviors:

"Suppose the formula is in A1. =A1+1 returns 100,001, which appears to show the formula is in fact 100,000... =A1*2 returns 131,070, as if A1 had 65,535 (which it should have been). =A1*1 keeps it at 100,000. =A1-1 returns 65,534. =A1/1 is still 100,000. =A1/2 returns 32767.5."



Probably not something marketing will tout.

http://www.technewsworld.com/rsstory/59484.html

Microsoft Lets Vista Users Trade Down to XP

By Erika Morphy TechNewsWorld 09/24/07 2:37 PM PT

Microsoft has buckled under pressure from enterprises and computer manufacturers who aren't ready to put all of their eggs into the Vista basket. The software giant is offering users of the Business and Ultimate versions of the operating system the option to return to XP.



Why would you need a database to track earmarks?

http://www.bespacific.com/mt/archives/016068.html

September 24, 2007

Citizen Group Launches Online Tool to Investigate and Evaluate Earmarks

"Today, Sunlight and Taxpayers for Common Sense launched EarmarkWatch.org, a user-friendly, online investigative tool that lets citizens connect the dots between lawmakers, lobbyists, campaign contributors and earmarks, plus share info and comments on whether earmarks meet pressing needs, pay off political contributors, or are simply pure pork. Currently, the site includes nearly 3,800 earmarks from three bills: the House Defense Appropriations bill and both the House and Senate versions of the Labor, Health and Human Services, and Education Appropriations bill. We will continue to insert more bills for citizen scrutiny, and will continuously publish the results of ongoing investigation."

[The 109th Congress (from 2005-2006) introduced 6,436 bills and passed 316. You do the math. Bob]



This is a far wiser use of subpoenas than what the RIAA pulls...

http://www.denverpost.com/business/ci_6966387

Video Professor wants the book thrown at anonymous critics

By Al Lewis Denver Post Business Columnist Article Last Updated: 09/23/2007 10:49:01 PM MDT

There's one computer skill that the Video Professor, John Scherer, does not want anybody to learn: how to anonymously post disparaging remarks about his company on the Internet.

Scherer - a national infomercial sensation for two decades - has filed a lawsuit in Denver's federal court against 100 "John and Jane Does" who've trashed his computer tutorial products and sales practices online.

His lawsuit claims some of these writers may be competitors and seeks damages for false advertising and defamation.

"I have a right to find out who those people are," Scherer said Friday, "and I fully intend to exercise my right."

Scherer has been granted a subpoena that asks the owner of two websites - infomercialratings.com and infomercialscams.com - to cough up the identities of people who've posted messages.

... John Soma, a University of Denver law professor and the executive director of the Privacy Foundation, said that if Scherer can prove that his competitors are posing as anonymous consumers and flaming him, he may have a case.

"The First Amendment does not protect you from fraud," he said.



Win some, lose some.

http://www.privacydigest.com/2007/09/24/man+wins+partial+victory+circuit+city+arrest

September 24, 2007 - 11:11am — MacRonin

Man Wins Partial Victory In Circuit City Arrest: "JeremyDuffy writes 'Michael Righi, the man who was arrested at Circuit City for failing to show his receipt/driver's license, has fought a moral battle against the city for almost a month now. The case has already been settled and he emerged victorious... sort of. It turns out that he's already spent almost $7500 and would have kept fighting them too, but because his family would have been dragged into it, he was forced to take a deal. They've expunged his record and dropped all charges, but he had to give up his right to sue the city to do it.'"



Tools & Techniques

http://www.privacydigest.com/2007/09/24/source+code+mediadefender+anti+piracy+tools+leaked

Source Code for MediaDefender Anti-Piracy Tools Leaked

September 24, 2007 - 5:10pm — MacRonin

Source Code for MediaDefender Anti-Piracy Tools Leaked: Hackers who seized more than 6,000 internal company e-mails from anti-piracy company MediaDefender have made good on their promise to release additional material from the company. Today's trove includes source code for dozens of tools MediaDefender uses (or, perhaps, used to use) to thwart the trading of copyrighted content on file-sharing networks. These include tools like BTSeedInflator and BTDecoyClient that target the BitTorrent network.

The code is a boon to admins on the targeted file-sharing networks since it exposes MediaDefender's methods for seeding the networks with decoy files and, therefore, will help the admins combat those strategies.


Tools & Techniques: An attack by any other name...

http://www.infoworld.com/article/07/09/24/New-activist-tool-cyber-sit-ins_1.html?source=rss&url=http://www.infoworld.com/article/07/09/24/New-activist-tool-cyber-sit-ins_1.html

New activist tool: Cyber sit-ins

Civil disobedience gets an update, as protestors stage DoS-like attacks on Web sites to gain attention for their causes

By Robert McMillan, IDG News Service September 24, 2007

Dan Lohrmann, Michigan's chief information security officer, found out about the cyber sit-in from a reporter. It was Tuesday, May 15, 2007, and a group calling itself the Electronic Disturbance Theater asked Michigan residents to voice their opposition to proposed cuts in state health care programs by targeting the Michigan.gov Web site. Over the next two days, participants accessed the group's Web site and downloaded a small browser plug-in that repeatedly hit Michigan.gov.

Though Electronic Disturbance Theater sees its actions as a mixture of performance art and civil disobedience, to Lohrmann, it looked very much like a DoS attack. "Had a million people joined in, it would have been interesting," says Lohrmann. "Not in a good way."

To Lohrmann's relief, far fewer than 1 million people hit the Michigan.gov site on the day of the sit-in. Web counters reported a jump of several hundred thousand page views -- about a 10 percent bump in traffic. Cyber sit-ins came of age nearly a decade ago, but recently, these disruptions have been cropping up again.

There was a "sit-in element" to the attacks on Estonia's online infrastructure, according to Jose Nazario, senior security engineer at Arbor Networks. Though many of these attacks were conducted via networks of hacked, botnet computers, the attackers also created code that anybody could download to voluntarily turn their PC into part of the protest.

Lohrmann was struck by the type of people who were drawn into the Michigan protest. "This was parents working with bad guys," he says.

Unlike DoS attacks, cyber sit-ins do not really have to disrupt service to be effective, says Dorothy Denning, professor of defense analysis at the Naval Postgraduate School in Monterey, Calif. Like the sit-in protests of the 1960s, these actions are effective whenever they bring publicity to a particular cause. "That's mostly what they do," she says. Electronic Disturbance Theater may not have taken down Michigan.gov last May, but the Michigan press and this magazine covered the cyber sit-in, Denning points out. "Obviously they're getting a little publicity," she says. And that may just be enough for the activists.
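The defender's view of an incident like the Michigan sit-in, as an added example that is not from the article and not the state's own monitoring: a Python script that parses web-server access-log lines in the common NCSA combined format and applies the two checks such an event calls for. The first is a per-client request-rate threshold, which catches a browser plug-in hammering the site from one address. The second looks for many distinct addresses sending the identical request (same path, same User-Agent), which is what separates a volunteer sit-in, or the voluntary tool Nazario describes in the Estonia case, from organic traffic, since each volunteer may individually stay under the per-client threshold. All log lines, addresses (RFC 5737 documentation ranges), timestamps and the plug-in User-Agent string are constructed for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# NCSA combined log format: ip ident user [ts] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed User-Agent for the hypothetical sit-in plug-in (not a real string).
PLUGIN_UA = "Mozilla/5.0 (compatible; example-sitin-plugin/1.0)"
BASE = datetime(2007, 5, 15, 10, 0, 0, tzinfo=timezone.utc)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def parse_log(lines):
    return [r for r in (parse_line(ln) for ln in lines) if r]


def noisy_clients(records, window_s=60, max_requests=30):
    """Sliding-window rate check per client IP.

    Returns {ip: peak requests seen in any window_s-second window} for clients
    whose peak exceeds max_requests. Catches one address hitting the site hard.
    """
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_requests:
            flagged[ip] = peak
    return flagged


def coordinated_clusters(records, min_ips=5, min_reqs_per_ip=5):
    """Group requests by (path, user-agent) and flag clusters that look scripted.

    Organic traffic to a popular page comes from many IPs at roughly one request
    each; a distributed plug-in produces many IPs *and* many requests per IP for
    one identical signature. Returns {(path, ua): distinct_ip_count}.
    """
    ips = defaultdict(set)
    total = Counter()
    for r in records:
        sig = (r["path"], r["ua"])
        ips[sig].add(r["ip"])
        total[sig] += 1
    return {
        sig: len(addrs)
        for sig, addrs in ips.items()
        if len(addrs) >= min_ips and total[sig] / len(addrs) >= min_reqs_per_ip
    }


def requests_per_minute(records):
    """Aggregate load per calendar minute, for comparing against a known baseline."""
    return Counter(r["ts"].replace(second=0, microsecond=0) for r in records)


def _line(ip, ts, path, ua):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


def build_sample():
    """Constructed traffic: 20 ordinary visitors, 6 fast volunteers, 1 slow volunteer."""
    uas = ["Mozilla/5.0 (Windows NT 5.1) Firefox/2.0", "Mozilla/4.0 (compatible; MSIE 7.0)"]
    lines = []
    for i in range(20):  # ordinary visitors: three pages each, spread over ~3 minutes
        for j in range(3):
            lines.append(_line(f"198.51.100.{i + 1}", BASE + timedelta(seconds=i * 7 + j * 15),
                               f"/page{j}.html", uas[i % 2]))
    for i in range(6):   # fast volunteers: 40 hits on "/" inside one minute
        for j in range(40):
            lines.append(_line(f"203.0.113.{i + 1}", BASE + timedelta(seconds=j * 1.5), "/", PLUGIN_UA))
    for j in range(10):  # slow volunteer: under the per-client threshold, same signature
        lines.append(_line("203.0.113.50", BASE + timedelta(seconds=j * 6), "/", PLUGIN_UA))
    return lines


SAMPLE_LINES = build_sample()
SAMPLE_RECORDS = parse_log(SAMPLE_LINES)

if __name__ == "__main__":
    print("per-client rate offenders:", noisy_clients(SAMPLE_RECORDS))
    print("coordinated signatures:", coordinated_clusters(SAMPLE_RECORDS))
    print("requests per minute:", dict(requests_per_minute(SAMPLE_RECORDS)))
```

The per-client check alone misses the slow volunteer at 203.0.113.50; only the signature clustering picks that address up, because the plug-in issues the same path and User-Agent from every participant. The per-minute counts give the aggregate figure to set against a baseline, which is how a "10 percent bump" like Michigan's would be measured, and the thresholds here are illustrative and should be tuned to a site's normal traffic.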



You can't protect it if you don't know it's there!

http://www.computerweekly.com/Articles/2007/09/24/226959/law-firm-maps-infrastructure-to-net-savings.htm

Law firm maps infrastructure to net savings

Posted: 16:22 24 Sep 2007

Global law firm Linklaters has implemented a network discovery and application-dependency mapping tool across 30 offices in 23 countries to gain a clear and accurate view of its IT infrastructure.

"We spent considerable time doing manual checks as we did not have a clear view of existing servers and relationships between the hardware, the applications on them, and the network infrastructure," said Simon Gilhooly, head of global technical systems at Linklaters.

The firm said it chose Tideway Foundation from Tideway Systems because, unlike competing products, it did not require any existing server monitoring and network management systems to be replaced or the installation of software agents throughout the network.

"Agentless tools do not install anything on servers and clients, making them easier and faster to implement. It also enables them to cover more of the infrastructure, including previously unknown servers, because you cannot install an agent on a server you do not know you have," said Gilhooly.

Linklaters had relied on spreadsheets filled in manually by IT teams [The shoemaker's children... Bob] to get an overview of the infrastructure. The mapping tool allows it to see exactly what hardware is deployed and to pinpoint the cause of incidents quickly, said Gilhooly.



I've suggested this technique to many of my “subscribers.” Here is a specific example of how to translate your expertise for a broader audience. Any takers?

http://ralphlosey.wordpress.com/2007/09/23/this-blog-to-become-a-book-and-you-are-invited-to-contribute-to-it/

This Blog to Become a Book! AND You Are Invited to Contribute to It

I am very pleased to announce that the American Bar Association will soon publish a book based on this blog. It will be called e-Discovery: Current Trends and Cases. This will be, to my knowledge, the first time a legal blog has become a book, now sometimes called a “blook.” Although the book will not be exactly the same as the blog, it will be derived from and based on it.

... The ABA is rushing the book to print so that it will be available by December. That is extraordinarily quick for a book publisher, far faster than any of the other major legal publishers who also expressed an interest in the project.

... So how can you be a part of this blog-to-book project? Leave a good, substantive comment on any of the blogs I have ever written, and it may be included in the book. One of the unique things about the new book is that it will include select comments by blog readers, and occasionally, my responses to these comments.