Saturday, October 20, 2007

Clear evidence that management is incompetent? 1) They don't know what is happening on their own system, 2) They keep unencrypted passwords (I thought this practice ended in 347BC)

Banking data fears over Fasthosts intruder

Friday, October 19 2007 @ 09:30 AM EDT Contributed by: PrivacyNews News Section: Breaches

Investigators are racing to establish whether banking information was stolen by the intruder who hacked into a server at Gloucester-based web host Fasthosts.

The breach was revealed yesterday. Fasthosts has told customers to change all their passwords, which were not encrypted.

Source - The Register

Notification seems to have taken quite a while... How could they not notice all that data being sent out? (Why was that computer even configured to allow that?)

Data on Saint Vincent's patients goes astray

Saturday, October 20 2007 @ 07:19 AM EDT Contributed by: PrivacyNews News Section: Breaches

Saint Vincent Catholic Medical Centers of New York has warned 100,000 current and former patients that databases holding some of their personal information and insurance policy numbers were breached earlier this year.

... Compromised data included patients' names, dates of birth and, in 40 percent of the cases, Social Security numbers, along with insurance carrier and claim information, Fagan said yesterday.

Source -

[From the article: None of the data, which a former employee transmitted to his home computer in February, appears to have been misused beyond that unauthorized act, Michael Calder, a Saint Vincent's official, said in the letter, a copy of which was obtained by the Advance.

However, Calder added, there was a possibility the employee may have sent the databases to another person not associated with Saint Vincent's.

... Saint Vincent's first learned of the breach in June and reported it to authorities, including the Manhattan district attorney's office, said Calder.

The comments in the AZ paper suggest this isn't over yet. Questioning the DA's control of his office!

Don't Click On This Link Unless You Don't Mind A Grand Jury Knowing What You Read

from the privacy?-schmivacy dept

Apparently two executives from Village Voice Media (publishers of The Village Voice and other independent newspapers) were arrested yesterday for revealing grand jury information that was supposed to be private. Specifically, they had published an article in one of its publications, the Phoenix New Times, accusing a grand jury of unconstitutional behavior in issuing a subpoena for all sorts of information about the Phoenix New Times and its readership. Now, before you click on the link to the article, it's worth noting that the subpoena in question demands that the newspaper hand over incredibly detailed log information on every visitor to that website since January 2004. This is because someone is upset about four articles dealing with a local sheriff. Yet, though the supposed problem is with the four articles, the subpoena demands information on every visitor to the site, including such things as their IP address, which articles they read, any information obtained by cookies, the referral links that got them to the website, their type of browser and their type of operating system. In other words, all the info typically found in a log file -- but it's unclear why this information could possibly be necessary in a complaint about 4 specific articles. Update: As pointed out in the comments, just as we were writing up this story, the original lawsuit was dropped and the special prosecutor was fired.

You can be in compliance; you just have to do a few things you should be doing already!

Compliance Can Be a Bumpy Ride

October 19, 2007 By Cameron Sturdevant

Denver International Airport is among the busiest airports in the world and boasts one of the longest runways in the United States. The airport also conducts a lot of business using credit cards. DIA recently completed its Level 1 (more than 6 million transactions per year) PCI DSS (Payment Card Industry Data Security Standard) audit, a journey which had its fair share of turbulence.

However, as DIA CIO Robert Kastelitz recounted to eWEEK Labs, noncompliance was not an option. "You really don't have a choice but to do it," Kastelitz said. "The bottom line is if you don't do it, then the hammer [the PCI member companies] hold over your head is that they won't let you take credit cards anymore."

In January 2006, when DIA's effort to become PCI-compliant began in earnest, the airport's IT organization found that many of the elements required for compliance had been satisfied by a recently completed project to implement network best practices throughout the airport. [YES! If you do one thing correctly, you don't need to revisit it for each application! Bob]

As Kastelitz explained, "When we started looking at PCI, many parts were already in place. We perfected some of it and initiated some of it." For instance, Kastelitz's team was already conducting network audits, which included penetration tests and vulnerability assessments, to ensure their network was secure.

... However, DIA's compliance program didn't come without pain. For Level 1 organizations, PCI mandates that network audit information be made available on a quarterly basis for perusal by an outside audit company. [I wonder if the “outside auditors” cross check these logs to detect subtle attacks? Bob]

... In light of PCI requirement 3, which governs the protection of stored cardholder data, the airport decided to retain no information at all. Kastelitz worked with other airport stakeholders to resolve business operations issues around not having the cardholder information on hand.

Thank you for blocking the Bible. I'm sure everyone will understand that you are just “protecting” our children and not interfering with freedom of religion. Way to go, Osama!

Associated Press Confirms That Comcast Blocks Some BitTorrent Traffic; Despite Comcast Denials

from the someone's-not-being-totally-honest-here... dept

Back in August, there was a report that Comcast was throttling certain types of BitTorrent traffic making it difficult to impossible to seed a download. In response, Comcast vehemently denied this was happening, despite many people saying they were experiencing it. Specifically, Comcast said: "the company doesn't actively look at the applications or content that its customers download over the network. But Comcast does reserve the right to cut off service to customers who abuse the network by using too much bandwidth." The EFF went and spoke with Comcast and got the same story. However, with so many people reporting the same thing, some were wondering how truthful Comcast was. Now the Associated Press has done their own investigation (trying to transfer the Bible since it's in the public domain) and found that Comcast is clearly blocking the ability to upload completed files via BitTorrent, inserting a message to a computer trying to upload a file pretending to be from the downloading computer, telling it to stop sending. This seems to go against what Comcast originally said, though when the AP asked for a comment, Comcast subtly changed its story. Rather than saying it doesn't look at applications or content, now it says: "Comcast does not block access to any applications, including BitTorrent." No, it doesn't block "access" but it does limit the functionality greatly (including perfectly legitimate uses of BitTorrent) without letting people know about it.
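The "message pretending to be from the downloading computer, telling it to stop sending" is a forged TCP reset (RST) injected by a device in the path. Because the forger is not the real endpoint, its packets usually betray themselves: they arrive with a different IP TTL than everything else on the flow, and their sequence number is not where the genuine sender actually is. The following is an added example (mine, not from the Techdirt or AP pieces) that runs those two checks over a small constructed trace; the `Packet` record and the addresses are invented for the demonstration, and the trace stands in for what a packet capture on the uploading machine would show.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal view of one captured TCP segment (a constructed stand-in for pcap data)."""
    src: str
    dst: str
    ttl: int
    flags: str   # subset of "SAFRP": SYN, ACK, FIN, RST, PSH
    seq: int
    length: int  # payload bytes carried


def detect_forged_resets(packets: List[Packet], ttl_slack: int = 0) -> List[Tuple[Packet, str]]:
    """Return RST segments that do not look like they came from the claimed sender.

    Two heuristics, each named in the returned reason string:
      * TTL mismatch: earlier non-RST segments from the same (src, dst) pair all
        arrived with one TTL; a RST forged by a box mid-path has a different hop
        count, so a different TTL.
      * SEQ mismatch: a genuine RST carries the sender's current sequence number;
        a forger that has not tracked the connection sends something else.
    """
    ttl_seen: Dict[Tuple[str, str], int] = {}
    next_seq: Dict[Tuple[str, str], int] = {}
    suspects: List[Tuple[Packet, str]] = []

    for p in packets:
        key = (p.src, p.dst)
        if "R" not in p.flags:
            ttl_seen.setdefault(key, p.ttl)
            # SYN and FIN each consume one sequence number; data consumes its length.
            consumed = p.length + (1 if "S" in p.flags else 0) + (1 if "F" in p.flags else 0)
            next_seq[key] = p.seq + consumed
            continue
        reasons = []
        if key in ttl_seen and abs(ttl_seen[key] - p.ttl) > ttl_slack:
            reasons.append(f"ttl {p.ttl} differs from {ttl_seen[key]} seen on this flow")
        if key in next_seq and p.seq != next_seq[key]:
            reasons.append(f"seq {p.seq} is not the expected {next_seq[key]}")
        if reasons:
            suspects.append((p, "; ".join(reasons)))
    return suspects


# Constructed trace as seen at the uploader 10.0.0.5 talking to peer 203.0.113.9.
SAMPLE_TRACE = [
    Packet("10.0.0.5", "203.0.113.9", 64, "S", 1000, 0),
    Packet("203.0.113.9", "10.0.0.5", 51, "SA", 5000, 0),
    Packet("10.0.0.5", "203.0.113.9", 64, "A", 1001, 0),
    Packet("10.0.0.5", "203.0.113.9", 64, "PA", 1001, 1400),   # a piece of the file
    Packet("203.0.113.9", "10.0.0.5", 51, "A", 5001, 0),
    # Injected: claims to be the peer, but arrives with a different TTL and a
    # sequence number the peer is not at.
    Packet("203.0.113.9", "10.0.0.5", 58, "R", 9999, 0),
    # A genuine reset from the peer, for comparison: TTL and SEQ both fit.
    Packet("203.0.113.9", "10.0.0.5", 51, "R", 5001, 0),
]


if __name__ == "__main__":
    for pkt, why in detect_forged_resets(SAMPLE_TRACE):
        print(f"suspect RST {pkt.src} -> {pkt.dst}: {why}")
```

A forger positioned in-line that also tracks the connection can match both TTL and SEQ, so the decisive check is the one the AP and EFF actually ran: capture at both ends and look for resets that one side received but the other never sent.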

Who's (buying) who

October 18, 2007

Nationwide Study Grades and Ranks Campaign Disclosure

Press release: "Access to state-level candidate campaign disclosure data continued to improve in states across the country, according to Grading State Disclosure 2007, a comprehensive evaluation of campaign finance disclosure laws and programs in the 50 states. The 2007 study, released today by the California Voter Foundation, found that Washington State ranks first in the nation in campaign disclosure, while Oregon ranked as the most improved state in 2007. The study is the fourth in a series, which was first conducted in 2003."

[From the web site: Colorado was one of the five most improved states in the 2007 study. The Secretary of State’s adoption of mandatory electronic filing for statewide and legislative candidates in 2007 pushed Colorado into the B range, a remarkable improvement over the D+ the state received in Grading State Disclosure 2005.

This is already quite common: we buy a tool that turns us into a data source for the vendor, who then sells that data to others, including other users of the tool. If the vendor makes more money selling our input than selling the tool, the tool can be given away free.

New GPS Navigator Relies On 'Wisdom of the Crowds'

Posted by Zonk on Saturday October 20, @05:34AM from the you're-always-guided-using-renraku-gridguide-system dept. Communications Hardware Technology

Hugh Pickens writes "The New York Times is running an article on Dash Express, a new navigation system for automobiles that not only receives GPS location data, but broadcasts information about its travels. Information is passed back to Dash over a cellular data network, where it is shared with other users to let them know if there are slowdowns or traffic jams on the road ahead. The real benefit of the system isn't apparent until enough units are collecting data in a given area - so Dash distributed over 2,000 prototype units to test drivers in 25 large cities."

I have to agree with Bruce Schneier (as I usually do) but if there are simple tools available, I wonder if we couldn't use them for other purposes (watermarking for example)

Evidence of Steganography in Real Criminal Cases

Posted by Zonk on Saturday October 20, @07:14AM from the not-just-a-numb3rs-plot dept. Security The Internet IT Technology

ancientribe writes "Researchers at Purdue University have found proof that criminals are making use of steganography in the field. Steganography is the stealth technique of hiding text or images within image files. Experts say that the wide availability of free point-and-click steganography tools is making the method of hiding illicit images and text easier to use. Not everyone is convinced; some security experts such as Bruce Schneier have dismissed steganography as too complex and conspicuous for the bad guys to bother using, especially for inside corporate espionage: 'It doesn't make sense that someone selling out the company can't just leave with a USB.'"
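The "point-and-click tools" the article mentions almost all do the same thing: overwrite the least significant bit of each sample in an image or audio file with one bit of the hidden message. The following is an added example (mine, not code from the Purdue researchers or from any of the tools discussed) that embeds and extracts a message that way and then runs the classic pairs-of-values chi-square check a forensic examiner uses to spot such a carrier: LSB embedding can only move a sample between the values 2k and 2k+1, so a filled carrier has those counts nearly equal while untouched data does not. The carrier here is a constructed byte sequence with a built-in parity skew standing in for real image samples; the length header format and the message are my own.

```python
from typing import Iterable


def _bits(data: bytes) -> Iterable[int]:
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_embed(cover: bytes, message: bytes) -> bytes:
    """Hide `message` in the least significant bits of `cover`, one bit per sample.

    Layout (an assumption of this example): 32-bit big-endian length, then message.
    """
    needed = 32 + 8 * len(message)
    if needed > len(cover):
        raise ValueError(f"carrier has {len(cover)} samples, payload needs {needed}")
    payload = len(message).to_bytes(4, "big") + message
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit      # clear the LSB, write the message bit
    return bytes(stego)


def lsb_extract(stego: bytes) -> bytes:
    """Recover a message written by lsb_embed."""
    def read_bits(start: int, count: int) -> int:
        value = 0
        for i in range(start, start + count):
            value = (value << 1) | (stego[i] & 1)
        return value

    length = read_bits(0, 32)
    if 32 + 8 * length > len(stego):
        raise ValueError("length header does not fit the carrier")
    return bytes(read_bits(32 + 8 * k, 8) for k in range(length))


def pov_chi_square(samples: bytes) -> float:
    """Pairs-of-values statistic: sum over k of (n[2k]-n[2k+1])^2 / (n[2k]+n[2k+1]).

    Large for untouched data whose value pairs are unbalanced; collapses once
    the LSB plane has been overwritten with roughly balanced message bits.
    """
    counts = [0] * 256
    for s in samples:
        counts[s] += 1
    stat = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        if even + odd:
            stat += (even - odd) ** 2 / (even + odd)
    return stat


def make_cover(n: int) -> bytes:
    """Constructed stand-in for image samples: deterministic, spread over all 256
    values, with three of every four samples forced even so the value pairs are
    unbalanced the way real carriers tend to be."""
    out = bytearray()
    for i in range(n):
        v = ((i * 2654435761) >> 16) & 0xFF
        if i % 4:
            v &= 0xFE
        out.append(v)
    return bytes(out)


SECRET = b"meet at the usual place, bring the drive. " * 7   # 294 bytes, constructed


if __name__ == "__main__":
    cover = make_cover(64 * 64)               # a 64x64 single-channel "image"
    stego = lsb_embed(cover, SECRET)
    print(lsb_extract(stego) == SECRET)       # True
    print(round(pov_chi_square(cover)), round(pov_chi_square(stego)))
```

The statistic drops sharply only where the carrier has actually been written to, so on a large image with a short message it must be evaluated over windows rather than the whole file; that windowing is exactly what the better steganalysis tools add.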

In a variation of the “Streisand Effect,” the comments on this article include a host (pun intended) of sites that offer similar links.

TV Links Raided, Operator Arrested

Posted by Zonk on Friday October 19, @03:23PM from the there-goes-the-neighborhood dept. Media The Internet Businesses Politics

NetDanzr writes "TV Links, a Web site that provided links to hundreds of movies, documentaries, TV shows and cartoons hosted on streaming media sites such as Google Video and YouTube, has been raided by UK authorities. The Site's operator was also arrested, The Guardian reports. Even though the site has not hosted any pirated content, [like the RIAA case, perhaps “making available” is sufficient? Bob] it was a thorn in the side of movie and TV studios, thanks to having links to newest movies and TV shows. As the largest site of its kind, it showcased the power of user-driven Internet, with the site's visitors helping to keep links to content constantly updated."

Friday, October 19, 2007

You can't stop human error... (But the death penalty lowers recidivism rates...)

Duquesne U Accidentally E-Mails Personal Student Info

Thursday, October 18 2007 @ 07:22 PM EDT Contributed by: PrivacyNews News Section: Breaches

The private information of nearly 8,000 Duquesne University students was put into the hands of a person who's not supposed to have it.

... According to the university, a file containing the personal information, mostly financial aid information, was mistakenly e-mailed to a student.

Source - WTAE

Strategy: Identify these people and ask them for their videos of defensive signals?

Patriots Get Ticket Sellers' Names

Thursday, October 18 2007 @ 06:39 PM EDT Contributed by: PrivacyNews News Section: In the Courts

The New England Patriots have won a court action to obtain the names of all fans who purchased tickets, sold them, or attempted to do either through online ticket reseller StubHub Inc., a subsidiary of eBay, Inc. The action has to do with violating state law and team rules that prohibit reselling tickets for a profit, although it is not yet clear what the team intends to do with the names that were turned over last week.

CDT responded to the court order by describing it as an infringement of the privacy rights of Patriots fans.

Source - Associated Press

Isn't it great when someone “gets it?”

The Best Person Of The Week

Friday, October 19 2007 @ 07:29 AM EDT Contributed by: PrivacyNews News Section: Breaches

Nominations are closed. It's federal Judge William Young, who's insisting on an openness in the lawsuit over the massive TJX credit card theft.

... "Given the nature of this case, I don't see why any of this case, any of it, should be conducted out of the public's spotlight and it will not be, unless there is a specific reason, persuasive to me, made in public documents," he said.

Source - Editor & Publisher

[Someone is blogging about the TJX case! Schuman is covering the TJX developments like a blanket on his blog "Storefront Backtalk: Techniques, Tools, and Tirades About Retail Technology and E-Commerce." Bob]

Same as the US? I doubt it!

Ca: Privacy Commissioner Releases Annual Report and Survey on Privacy Attitudes

Thursday, October 18 2007 @ 11:47 AM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

Privacy Commissioner of Canada Jennifer Stoddart has issued her annual Privacy Act report, which chronicles the year in privacy from a public sector privacy perspective. The report places the spotlight on the ongoing frustration with a woefully outdated privacy law and the mounting concern with identity theft, cross-border data transfers, and Internet harms such as spam.

Source - Michael Geist (blog)

Related - Ekos study on Canadians' attitudes toward privacy

[From the article: Only 17% of Canadians believe the government takes protecting personal privacy seriously. That number dips to 13% of Canadians who believe businesses do so. Optimists! Bob]

So where is the Privacy Foundation?

The Best Privacy Advisers in 2007

Thursday, October 18 2007 @ 05:13 PM EDT Contributed by: PrivacyNews News Section: Businesses & Privacy

If your company loses a laptop, rolls out a new Web site, or globalizes its HR information system, who are you going to call to square away the privacy requirements?

That's the question I recently posed to over 400 corporate privacy leaders in North America and Europe for the second year running.

Source - Computerworld

Restating the “not so” obvious?

Why, Even If You Have Nothing To Hide, Government Surveillance Threatens Your Freedom

Friday, October 19 2007 @ 07:10 AM EDT Contributed by: PrivacyNews News Section: Surveillance

"I've got nothing to hide, so electronic surveillance doesn't bother me. To the contrary, I'm delighted that the Bush Administration is monitoring calls and electronic traffic on a massive scale, because catching terrorists is far more important that worrying about the government's listening to my phone calls, or reading my emails." So the argument goes. It is a powerful one that has seduced too many people.

Source - FindLaw's Writ

Think Google will do it better than Microsoft? (There must be money to be made...)

Google unveils plans for online personal health records

Heather Havenstein October 17, 2007 (Computerworld)

Less than two weeks after Microsoft Corp. announced plans to support online personal health information records, Google unveiled plans to follow suit.

Marissa Mayer, Google's vice president of search products and user experience, said Wednesday here at the Web 2.0 Summit that Google plans to support the "storage and movement" of people's health records.

Although she provided only scant details on the effort, she noted that Google became interested in the personal health record market as it watched Hurricane Katrina take aim at the Gulf Coast and all the paper-based records stored in various medical offices and hospitals in the region.

"In that moment, it was too late for us to mobilize," Mayer said. "It doesn't make sense to generate this volume of information on paper. It should be something that is digital. People should have control over their own records."

For example, she noted, when people change physicians, they should have access to their own X-rays, which they can take to their own doctor instead of having new ones made.

"This is obviously a really big vision. It is a huge endeavor. It will take a lot of breakthroughs in digitization," Mayer said. "This is something we are committed to. You'll be seeing a lot more activity here in the...months to come, so stay tuned."

Microsoft launched its Healthvault measure two weeks ago at an event in Washington.

Thursday, October 18, 2007

Why carry a heavy laptop? It probably isn't even running Linux!

Thief Walks Off With ID Data On Former UC Students

Wednesday, October 17 2007 @ 05:47 PM EDT Contributed by: PrivacyNews News Section: Breaches

Sensitive information about more than 7,000 former University of Cincinnati students was stolen, officials said.

The data, which included Social Security numbers, was encoded onto a Flash drive taken from an employee’s desk.

Source - WLWT

Follow-up. “Our procedure is to sign for all four packages, put all three on our truck, then remove them both at the storage site, and put that package securely under lock and key!”

(update) Contractor loses La. scholarship account data dating back to 1998

Wednesday, October 17 2007 @ 10:05 AM EDT Contributed by: PrivacyNews News Section: Breaches

Backup data for the Louisiana Office of Student Financial Assistance, dating back to 1998, were reportedly not loaded properly onto an Iron Mountain truck on Sept. 19 during a move.

Information about this incident can be found at To determine if your data were among those lost, there is a secure web site set up at

Source - Associated Press

Interesting (but obviously flawed) defense. "When we started keeping credit card data, these rules didn't exist." The flaw is that when the data was spilled, the rules did exist. Maybe this time we will get a good look at what happened?

Court Zeros In on What TJX Didn't Say

October 17, 2007 By Evan Schuman

TJX knew how "antiquated and deficient" its security efforts were and yet never told MasterCard or Visa, resulting in negligent misrepresentations. That's how U.S. District Judge William Young summed up what the banks are going to have to prove to win at trial in his courtroom.

In an hourlong federal court hearing Oct. 16 in Boston, Young peppered attorneys from TJX, TJX processor Fifth Third Bank and banks suing TJX, providing a good sense of where a TJX bank trial might go.

TJX has reached a settlement with a class-action consumer lawsuit, and Young is preparing to approve that settlement. That case went relatively easy on TJX because there were minimal—and often no—monetary damages suffered by consumers, thanks to zero-liability credit card programs.

But the banks are the ones that had to reissue credit cards and handle fraud losses, so TJX is in for a more fierce fight in that arena.

The court hearing involved whether Young would certify many of the banks to sue together as a class—making this another class-action lawsuit—or have them proceed individually. Unlike the consumer case, the banks involved could indeed sue on their own, so the question of class certification isn't likely to kill the case, regardless of how the judge ultimately rules.

The core accusation against TJX is that it was not truthful with the banks—and with Visa and MasterCard specifically—as to the state of its data security operations for its credit cards.

In what is widely considered the worst-ever data breach reported, the Framingham, Mass., retail chain in January disclosed that the credit card data of some 46 million consumers fell into unauthorized hands in a series of penetrations from July 2005 to December 2006. TJX filings have raised questions about its encryption practices, its wireless security choices, and whether intruders successfully planted Trojan horses into the system and whether they had the company's encryption key.

In summarizing the plaintiff's claim, Young said the fraud accusations seem to come down to what TJX did not say, rather than what it did.

... TJX attorney Richard Batchelder argued that the complicated nature of the relationships between banks and the credit card companies and the processors and TJX—coupled with the long duration of these data breaches—makes a class certification inappropriate.

"You described it as an implied security assurance. That means when some customer goes into a store and their card is swiped, that there's some implied security assurance that in some way, through this complex web, [the assurance] gets back to these member banks and they somehow relied upon that," Batchelder said. "When you look at that as their basis for the negligent misrepresentation case, you can see how class certification isn't appropriate. Think about it. They're talking about transactions in 2003, '04, '05, '06, '07. They're talking about operating regulations that weren't even in existence in '03 and '04 that then came into effect in '05 and then changed in '06. They're talking about a security system that in '03, '04, '05, '06, '07 is developing and evolving, as every merchant's security system was. So what exactly is the representation being made every single time? How are we possibly going to try that on a class basis? It would be impossible."

... One important theme that has underscored much of the TJX data breach saga has been secrecy, starting with TJX having learned of the breach in mid-December 2006 but not reporting it publicly until mid-January 2007. With so much of the law on its side in the consumer lawsuit, the most pressing matter for TJX was the fear of having to reveal embarrassing internal security details in open court.

... The judge then ordered all attorneys to halt sending documents directly to his chambers labeled confidential.

"You will not in the future file any document other than electronically, pursuant to the rules of this court," he said. "And the documents you file will be public. Entirely public. You will not file a document under seal and some [cleaned up] document that the public can't look at. You will file a public document. If you think anything needs to be filed under seal, you will file a public document, supported by public affidavits, detailing why the specifics, and I am extraordinarily skeptical of your view of what's confidential. I've told you what's confidential: Things that bear on the actual operation of the computers, the actual security standards for the computers, and the like."

Young also said he wants attorneys to reveal much more to the public. "Given the nature of this case, I don't see why any of this case, any of it, should be conducted out of the public's spotlight, and it will not be, unless there is a specific reason, persuasive to me, made in public documents," he said.


Cafe Latte attack steals data from Wi-Fi PCs

Security researcher uncovers technique that exploits holes in WEP encryption to log onto supposedly secure wireless networks

By Robert McMillan, IDG News Service October 17, 2007

If you use a secure wireless network, hackers may be able to steal data from your computer in the time it takes to have a cup of coffee.

At the Toorcon hacking conference in San Diego this coming weekend, security researcher Vivek Ramachandran, will demonstrate a technique he's developed to attack laptops that use the WEP encryption system to log on to secure wireless networks.

Developed in the late 1990s, WEP was the default method of securing Wi-Fi networks. Though the WPA (Wi-Fi Protected Access) system replaced it, about 41 percent of businesses continue to use WEP. [Hey! It was good enough for Dad! Bob] That percentage is even higher among home users, security experts say.

That's unfortunate because WEP has been riddled with security problems. In fact, WEP was blamed for the recent TJX Companies data breach in which thieves were able to access 45 million credit- and debit-card numbers.

To date, however, researchers have tended to focus on exploiting WEP flaws in order to break into wireless networks. That generally meant that the attacker would roll up near the WEP-encrypted router, crack the WEP key used to encrypt network traffic, and then log on to the network.

Ramachandran, a senior wireless security researcher with AirTight Networks, has taken a look at the client side of things and developed a way of tricking a WEP-enabled client into thinking that it is logging on to a network that it already knows.

His technique, which he calls the Cafe Latte attack, allows an attacker to circumvent firewall protection and attack the laptop or to set up a "man in the middle" attack and snoop on the victim's online activity. "Until now, the conventional belief was that in order to crack WEP, the attacker had to show up at the parking lot," he said. "With the discovery of our attack, every employee of an organization is the target of an attack." [Oh, joy. Bob]
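What the article does not spell out is why a client that merely believes it has found a known network gives an attacker anything useful. The reason is a property of WEP itself: its integrity check (the ICV) is a plain CRC-32, which is linear, so anyone holding an encrypted frame can flip chosen plaintext bits and fix the encrypted ICV to match without knowing the key. Client-side attacks in this family turn the handful of encrypted ARP frames a client sends into a stream of fresh, valid frames that way, which is what yields enough traffic to crack the key with no access point in range. The following is an added example (mine, not AirTight's code and not a reproduction of the demo described) that builds a WEP frame with RC4 and CRC-32, then shows the bit-flip with ICV correction; the key, IV and ARP-like payload are constructed for the demonstration, and the attacker is assumed to know only which bytes to change, not the rest of the plaintext.

```python
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4, the stream cipher WEP uses (keystream = RC4(IV || key))."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP frame body: IV (3 bytes, clear) || RC4(IV||key) XOR (payload || CRC-32(payload))."""
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    return iv + rc4(iv + key, payload + icv)


def wep_decrypt(key: bytes, frame: bytes):
    """Return (payload, icv_ok). A receiver drops the frame when icv_ok is False."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + key, body)
    payload, icv = plain[:-4], plain[-4:]
    ok = struct.unpack("<I", icv)[0] == (zlib.crc32(payload) & 0xFFFFFFFF)
    return payload, ok


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Attacker side: XOR `delta` into the encrypted payload and patch the encrypted ICV.

    No key is needed. Because CRC-32 is affine, crc(P ^ D) == crc(P) ^ crc(D) ^ crc(0...0),
    and RC4 is a stream cipher, so XORing the ciphertext XORs the plaintext underneath.
    `delta` is zero everywhere except the bytes the attacker wants to change.
    """
    iv, body = frame[:3], frame[3:]
    enc_payload, enc_icv = body[:-4], body[-4:]
    if len(delta) != len(enc_payload):
        raise ValueError("delta must cover the whole payload (use zero bytes to leave bytes alone)")
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))) & 0xFFFFFFFF
    new_payload = bytes(a ^ b for a, b in zip(enc_payload, delta))
    new_icv = bytes(a ^ b for a, b in zip(enc_icv, struct.pack("<I", icv_delta)))
    return iv + new_payload + new_icv


def demo():
    """Constructed scenario: a client's encrypted ARP-like frame, re-targeted by the attacker."""
    key = bytes.fromhex("0102030405")          # 40-bit WEP key, constructed
    iv = b"\x0a\x0b\x0c"
    original = b"ARP who-has 10.0.0.1 tell 10.0.0.23"
    wanted = b"ARP who-has 10.0.0.9 tell 10.0.0.23"   # same length, one byte differs
    frame = wep_encrypt(key, iv, original)
    delta = bytes(a ^ b for a, b in zip(original, wanted))
    forged = flip_bits(frame, delta)
    return wep_decrypt(key, frame), wep_decrypt(key, forged)


if __name__ == "__main__":
    print(demo())   # ((b'...10.0.0.1...', True), (b'...10.0.0.9...', True))
```

The receiver accepts the forged frame exactly as it accepts the genuine one, because the ICV protects against line noise, not against an adversary; WPA's MIC (Michael) and especially CCMP's AES-CBC-MAC exist precisely to close this hole, which is why "still on WEP" is the operative finding in both this story and the TJX case above.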

Related. Wouldn't you fix any problem you encountered? Apparently not! (When did Forrest Gump become our philosopher of choice?)

No Breach, No Foul

Wednesday, October 17 2007 @ 06:35 PM EDT Contributed by: PrivacyNews News Section: Breaches

If you find a new security vulnerability on your Website, do you have to fix it? Not necessarily.

As long as the vulnerability isn't detected in a compliance audit scan, or doesn't get exploited by an attacker, a business could theoretically just sit on a Website bug -- either for cost reasons, a lack of resources, or ignorance of its implications, security experts said this week.

Source - Dark Reading

...and now, from our “Well, DUH!” department:

NSA may be Reading Windows Software in your Computer

Wednesday, October 17 2007 @ 01:01 PM EDT Contributed by: PrivacyNews News Section: Surveillance

... European investigative reporter Duncan Campbell claimed NSA had arranged with Microsoft to insert special "keys" in Windows software starting with versions from 95-OSR2 onwards.

And the intelligence arm of the French Defense Ministry also asserted NSA helped to install secret programs in Microsoft software.

Source - Scoop

Welcome to the Forrest Gump law firm! (“You can't look at our ads, either. Or our phone number in the Yellow Pages. Or our office building...”)

Law Firm Uses Copyright Claim To Say You Can't View Its Website's HTML Source

from the that's-a-new-one dept

Greg Beck writes in to let us know that the law firm that was recently challenged for claiming that it was a copyright violation to post its cease-and-desist letter also has some other interesting ideas about copyright, including banning people from looking at the firm's source code. You can view the entire user agreement, but the amusing part is:

"We also own all of the code, including the HTML code, and all content. As you may know, you can view the HTML code with a standard browser. We do not permit you to view such code since we consider it to be our intellectual property protected by the copyright laws. You are therefore not authorized to do so."

As Beck says, "That's kind of like a puppet show invoking copyright to prohibit the audience from looking at the strings. The user agreements of the law firm and one of its clients also contain a bunch of terrible terms that have become all too common: a prohibition on linking to the site, copying anything from the site (even if it's fair use), and even referring to the website owner by name. The law firm doesn't even allow its own clients to say they're represented by the firm without permission." He also notes that the law firm in question is demanding that another website remove criticism of one of their clients because it did not receive permission to use the client's name or link to the website -- two things that the laws and the courts have been pretty clear in saying is perfectly legal over the years.

E-Disaster. If we keep irritating everyone (China, Turkey, etc.) this is inevitable... Isn't it?

Will cyberintrusions crash U.S. electrical grid?

Posted by Anne Broache October 17, 2007 4:10 PM PDT

WASHINGTON--Some critics of the U.S. government's cybersecurity efforts might argue that nothing short of a bomb going off--or, well, purported Chinese cyberattacks on feds' machines--will land the issue more notice.

This time around, the wake-up call for politicians was, indeed, an explosion: In September, U.S. Homeland Security officials revealed that researchers at the Idaho National Laboratory had managed to destroy a small electrical generator through a simulated cyberattack. A few weeks ago, CNN aired a gloom-and-doom segment featuring snips from the once-classified video showing the device going up in smoke.

Although the prospect of that sort of incident causing massive disruption to the U.S. electrical grid has been around for years, the success of the experimental hack is drawing new calls from Congress for tougher federal security standards on the computer systems that control the nation's power systems.

... It's widely agreed that the threats to so-called "control" systems--sometimes known by the acronym SCADA, short for "Supervisory Control And Data Acquisition"--have grown in recent years. That's because more and more of them are being hooked up to "open" networks, including corporate intranets and the Internet, in an effort by their owners and operators to improve efficiency and lower costs.

But there was never much focus on the idea of building security features into those systems when they were first created, and that trend, unfortunately, continues today, [See TJX article, above Bob] said Joseph Weiss, a consultant and nuclear engineer who spent more than 30 years designing, implementing and analyzing control systems.

Feds: We're on it

Government regulators, for their part, say they are growing increasingly aware of those shortcomings and working valiantly to address the problem.

... The proposed rules are written in such a way that they would not even require electric grid operators and owners to install comprehensive security measures on all critical pieces of their systems that, if compromised, could cause significant disruptions, they argued. Instead, they'd have some latitude to focus only on certain components and neglect others.

... After all, the first prominent recorded incident of such an act came in 2000, when a software developer in Australia, apparently miffed after being turned down for a government job, used stolen radio equipment to hack into a system controlling a sewage plant. On nearly 50 occasions, he sent malicious code that opened control valves, causing refuse to ooze into nearby rivers and parks.

Related? Imagine sending SWAT to the local gun club on swap night...

Man Hacks 911 System, Sends SWAT on Bogus Raid

Posted by Zonk on Wednesday October 17, @03:33PM from the word-dumb-doesn't-cover-it dept. Security The Courts

An anonymous reader writes "The Orange County Register reports that a 19 year old from Washington state broke into the Orange County California 911 emergency system. He randomly selected the name and address of a Lake Forest, California couple and electronically transferred false information into the 911 system. The Orange County California Sheriff's Department's Special Weapons and Tactics Team was immediately sent to the home of a couple with two sleeping toddlers. The SWAT team handcuffed the husband and wife before deciding it was a prank. Says the article, 'Other law enforcement agencies have seen similar breaches into their 911 systems as part of a trend picked up by computer hackers in the nation called "SWATting"'"

Related. Sometimes extremes point out where trends are heading. (Think of it as “lowering the common denominator”)

When Your Backup Brain (i.e., Technology) Takes On Primary Memory Functions

from the i'd-say-it's-bad,-but-my-computer-disagrees... dept

For years, we've talked about the idea that computers and the internet are becoming something of a backup or second brain. The more we use these technologies, the more we allow them to remember stuff for us -- knowing we can always track down that information. In fact, Clive Thompson's latest column is about how the generation of kids growing up online tend not to remember little things that older generations definitely remember, like phone numbers and birthdays. Why remember those things when they're easily stored away and easily accessed thanks to technology? While Thompson talks about how nice it is that he can feel much smarter while he's connected, he also worries that it makes him "mentally crippled" when not connected. There may be something to that idea. After all, a few years ago there was a story about Steve Mann, a professor who had been living his life with a wearable computing system for 20 years. At an airport, he was forced to take the apparatus off and immediately had trouble functioning normally. He had become so reliant on the technological enhancements, that being without them left him somewhat crippled. While few people will have reached that point, it's certainly suggestive of what happens if we become too reliant on those external backup brains. That's not to say we shouldn't be using technology for this purpose -- or even that it's not a good thing. However, we should be aware of what it means and potentially the impact should it go away (temporarily or permanently).

Is this too related? Can some 12-year-old in Bolivia choose our next President?

Ohio brings in experts to review troubled e-voting systems

Review by a testing lab and experts from three universities is aimed at finding and fixing potential problems with Ohio's e-voting hardware, software, and processes

By Todd R. Weiss, Computerworld, IDG News Service October 17, 2007

A Denver-based e-voting testing laboratory and experts from three universities have been hired by the state of Ohio to undertake independent evaluations of the state's e-voting hardware, software, and processes. The move is aimed at finding and fixing potential problems before the 2008 presidential election.

The work is being done under a $1.7 million contract awarded earlier this summer by the state to get an in-depth picture of how the e-voting system is working. Since the 2000 presidential election, critics of e-voting systems have voiced concerns about the accuracy, integrity, and security of e-voting results and have pushed for tougher means of ensuring that every vote cast is properly counted.

Ohio has faced e-voting problems in several elections in which electronic machines were used, including a May 2006 primary election, when a host of accuracy problems were reported.

Hey! I know how to generate random numbers – give me a grant! I'll call it the Center for Improbable Events! (Is this a precursor to Asimov's Psycho-history?)

Computer Software to Predict the Unpredictable

Posted by samzenpus on Wednesday October 17, @07:13PM from the zombo-com dept. Software Technology

Amigan writes "Professor Jerzy Rozenblit at the University of Arizona was awarded $2.2Million to develop software to predict the unpredictable — specifically relating to volatile political and military situations."

From the article: "The software will predict the actions of paramilitary groups, ethnic factions, terrorists and criminal groups, while aiding commanders in devising strategies for stabilizing areas before, during and after conflicts. It also will have many civilian applications in finance, law enforcement, epidemiology and the aftermath of natural disasters, such as hurricane Katrina."

Politics decrypted! Video well worth watching.

The Onion: Bullshit Is Most Important Issue For 2008 Voters — For a majority of likely voters, meaningless bullshit will be the most important factor in deciding who they will vote for in 2008.

It's not just humor, it's true politics!

Attention fellow teachers! Since I already have CDs full of multiple choice questions, I should be able to use this site for most of my classes. (Trivial Statistics, Trivial Math, Trivial Computing... Okay, maybe not.) Perhaps this will help some of those who hate homework? - Create Your Own Trivia Game is a site where you can create your own trivia questions, then play your own game online. Create a profile at and start to make your own game. You can make trivia questions on whatever subject you would like: history, science, pop culture, etc. Write your questions, write four answers, three of which are false and one of which is correct, and then include an explanation for the correct answer. When you create the game you can include an image, such as a photograph, map or diagram. Once you are finished you are able to play your game and so are other Qtoro users. Other users can vote on your questions, whether or not they think they are good, they can add comments and email the questions to a friend. The way the game works is the question appears on screen and you have 20 seconds to answer the question. The timer starts out green and as time goes by it starts turning red. After 10 seconds it crosses out one of the incorrect choices, and after another 5 seconds it crosses out a second incorrect choice. You get 10 points for every correct answer and the game keeps track of your score. Visit to create your own trivia game and have fun playing the games other users have created.

Another student tool? - A Community For Creating Polls

Once known as dpolls, is a community that focuses on the creation of polls and surveys. Do you want to know what the popular opinion is on a certain topic? Get answers from the 400,000 users. Register at and become a user so you can create your own polls and surveys. Your polls can be on any topic, you can have as many answer options as you like, although it is recommended only to have a few, and you can upload images for your poll as well. You can choose the category and sub-category for your poll along with tagging it so other users can easily find it. has a points system where you can earn virtual money that you can spend on vouchers and prize draw tickets. You earn points by being an active user, creating polls and opinions and participating in surveys. Your points are saved in your account for 2 years; if they haven’t been spent after that long they will expire. You can easily export polls and opinions to your blog. Make new friends in the community or browse through the site by category or list of polls, such as most recent and most popular. You can also browse through surveys and opinions. is an active and fun community where you can express your opinion and discover the opinions of others.

Wednesday, October 17, 2007

Couldn't they nail them down?

Home Depot Laptop With Personal Employee Data Stolen

Tuesday, October 16 2007 @ 06:00 PM EDT Contributed by: PrivacyNews News Section: Breaches

Team 5 Investigates has confirmed that a Home Depot laptop containing the personal information of 10,000 employees has been stolen from the home of a worker in Massachusetts.

... Team 5 Investigates has confirmed that the laptop was stolen from the personal car of an unnamed Massachusetts employee, while the car was parked at his residence. Home Depot will not disclose the city or town.

Source - Boston Channel

Another one? I would love to know what disciplinary action will be taken.

Laptop goes missing with data on workers

Administaff says information covers 159,000 past and present

By L.M. SIXEL Copyright 2007 Houston Chronicle Oct. 15, 2007, 10:54PM

Administaff is warning 159,000 of its current and former employees that a company laptop containing confidential information about them has gone missing.

... An employee had taken the computer home and stopped to go grocery shopping, said Richard Rawson, Administaff's president. The next day — on Oct. 3 — the laptop was no longer in his car. [If he didn't need to use the laptop, why did he take it home? Bob]

The laptop is password-protected, but the personal information was not saved in an encrypted location, which is a "clear violation" of company policies, [If that is the policy, why don't they enforce it by installing software that forces encryption? Bob] according to an Administaff announcement.

Another “Policy” that is unlikely to be followed...

TSA Demands Encryption Following Dual Laptop Loss

By Lisa Vaas October 16, 2007

All data must be encrypted, the TSA orders, after the loss of laptops holding hazmat driver data.

Read this!

Schneier: Security Risks of Wholesale Telephone Eavesdropping

Tuesday, October 16 2007 @ 08:35 AM EDT Contributed by: PrivacyNews News Section: Surveillance

A handful of prominent security researchers have published a report on the security risks of the large-scale eavesdropping made temporarily legal by the "Protect America Act" passed in the U.S. in August, and which may be made permanently legal soon. "Risking Communications Security: Potential Hazards of the 'Protect America Act'" -- dated October 1, 2007, and marked "draft" -- is well worth reading

Source - Schneier on Security


World Privacy Forum gives keynote speech to AHIMA on medical identity theft; outlines an 8-point plan for best-practice response

Tuesday, October 16 2007 @ 04:32 PM EDT Contributed by: PrivacyNews News Section: Medical Privacy

Executive director Pam Dixon spoke to thousands of AHIMA delegates in Philadelphia sharing the latest information on medical identity theft and outlining a new 8-point plan for responding to the crime. Dixon specifically asked for the creation of national guidelines for dealing with medical identity theft victims, the ability for victims to set red flag alerts in their health care files, that providers train and have dedicated personnel to help medical identity theft victims, "john and jane doe" file extractions, a focus on resolving insider access to patient information, risk assessments specifically for medical identity theft, and educational efforts. The information in the speech was based on the latest World Privacy Forum research in the area of medical identity theft.

Speech - Medical Identity Theft: Issues and Responses (PDF)

Opening the Class Action floodgates?

Bill would let ID theft victims seek restitution

Wednesday, October 17 2007 @ 08:26 AM EDT Contributed by: PrivacyNews News Section: Fed. Govt.

A bipartisan bill that would let victims of identity theft seek restitution for money and time they spent repairing their credit history was introduced on Tuesday in the Senate.

The legislation would also give federal prosecutors more tools to combat identity theft and cyber crime, according to sponsors Democrat Patrick Leahy of Vermont and Republican Arlen Specter of Pennsylvania.

Source - Washington Post

[From the article: The bill would also eliminate a requirement that the loss resulting from damage to a victim's computer must exceed $5,000 for prosecution; make it a felony to use spyware or keyloggers to damage 10 or more computers; and expand the definition of cyber crime to include extortion schemes that threaten to damage or access confidential information on a computer.

Closing the “public Information loophole?”

Judge: Feds Can Withhold Worker Records

“They waved the terrorism flag and the judge bought it.”

A judge says the federal government can legally withhold the names, salaries and positions of more than 900,000 federal employees from a university agency that for years has made the information public.

Chief U.S. District Judge Norman Mordue determined the privacy rights of the employees could be compromised by release of the information to the Transactional Records Access Clearinghouse, or TRAC, at Syracuse University.

The judge also agreed with the U.S. Office of Personnel Management that the release of certain information could compromise national security.

Source - The Associated Press

How broadcast TV will die? (Lists a number of free TV sources on the Internet.)

Watching TV on the laptop--and on the cheap

By Elinor Mills Story last modified Wed Oct 17 04:00:03 PDT 2007

... I went on a search for some of my old--and new--favorite TV shows on the Internet. The one caveat: it had to be free, because this TV dilettante wasn't paying for anything other than my phone and DSL broadband service.

10 TED videos... (I've used the Statistics talk in my class)

The Ten Videos to Change How You View the World — I believe that a sign of good information is that it makes you think. If reading a book, listening to a lecture or watching a video doesn’t change how you think, it probably isn’t that important. But if you encounter something that forces you to change your views, even if you don’t completely agree with it, you’ve found something valuable.

Boy, that Vista is one nifty operating system. Almost as good as Windows 3.1! Be sure to tell your techies they need to get this fix!

Vista Runs Out of Memory While Copying Files

Posted by kdawson on Tuesday October 16, @02:02PM from the how-hard-can-it-be dept. Bug Windows

ta bu shi da yu writes "It appears that, incredibly, Vista can run out of memory while copying files. ZDNet is reporting that not only does it run out of memory after copying 16,400+ files, but that 'often there is little indication that file copy operations haven't completed correctly.' Apparently a fix was scheduled for SP1 but didn't make it; there is a hotfix that you must request."

Attention Wife! Do not fall for this... Please! (Send us money or we'll shoot this dog!)

New Nigerian Scam Involves Cute Little Puppies

from the sucker-born-every-minute-ooo!-puppies! dept

The infamous "Nigerian 419" scam has been around for quite some time now. Having evolved since its original premise, the latest version of the scam preys upon dog lovers by goading them into paying exorbitant amounts of money to adopt nonexistent puppies from afar. In contrast to the original version of the scam, which appealed to people's greed, this latest version is unique in that it preys on the charitable -- people with big hearts that are looking to help out a few poor puppies. Whereas some may have held victims partly culpable in scams where the victims were looking to cash in on a large windfall, in the case of the puppies, it's hard to find fault in these scammed good Samaritans.

Tuesday, October 16, 2007

America's first line of defense, and best source of bad examples.

TSA Laptops With Personal Info Missing

Monday, October 15 2007 @ 05:20 PM EDT Contributed by: PrivacyNews News Section: Breaches

Two laptop computers with detailed personal information about commercial drivers across the country who transport hazardous materials are missing and considered stolen.

The laptops belong to a contractor working for the Transportation Security Administration and contain the names, addresses, birthdays, commercial driver's license numbers and, in some cases, Social Security numbers of 3,930 people, according to an Oct. 12 letter from TSA to lawmakers.

The contractor told TSA that the personal information was deleted from the computers before they were stolen, the letter stated. But after the second laptop was stolen, TSA investigators discovered that a person with data recovery skills [your average 12-year-old... Bob] could recover the personal information that the contractor deleted.

Source - Associated Press

I wonder what the contract says...

Office of financial aid loses back up info

Monday, October 15 2007 @ 07:29 PM EDT Contributed by: PrivacyNews News Section: Breaches

Iron Mountain Incorporated has notified the Louisiana Office of Student Financial Assistance (LOSFA) that it lost back-up media belonging to LOSFA on September 19, 2007.

... The lost media includes some personal information on individuals participating in, or considered for participation in, programs administered by LOSFA. The data is compressed and requires special software, specific computer equipment and sophisticated computer skills to access it.

Source - KATC


Governor Kills California Data Protection Law

Monday, October 15 2007 @ 10:08 AM EDT Contributed by: PrivacyNews News Section: State/Local Govt.

California Gov. Arnold Schwarzenegger on Oct. 13 vetoed—and effectively killed—one of the nation's most stringent proposed e-tail data breach security laws, saying that the bill would have "driven up the costs of compliance, particularly for small businesses."

The proposed California law—AB 779—would have required retailers to protect data in a manner more demanding than the current PCI DSS (Payment Card Industry Data Security Standard) requires.

Source - eWeek

Will this help put a value on personal information?

Customer is entitled to damages after CVS adds name to mailing

Monday, October 15 2007 @ 10:32 AM EDT Contributed by: PrivacyNews News Section: In the Courts

A CVS customer whose name and address were taken from a prescription list and used as part of a mailing campaign without his permission was entitled to damages where the pharmacy failed to notify him that it was profiting from the arrangement, a Superior Court judge has found.

The defendant CVS argued it had not engaged in any unfair or deceptive act where it had not disclosed any of the customer's privileged medical information and had included an explanation in the letter that the mailing was funded by a co-defendant pharmaceutical company.

Source - Massachusetts Lawyer Weekly

The 32-page decision is Kelley v. CVS Pharmacy, Inc., et al., Lawyers Weekly No. 12-278-07

One guidebook. Perhaps a basis for more comprehensive guidelines?

Inside Comcast's Surveillance Policies

Posted by kdawson on Monday October 15, @11:24PM from the cost-you-a-pretty-penny dept. Privacy

Monk writes "The Federation of American Scientists has obtained a recently disclosed Comcast Handbook for Law Enforcement which details its policies for divulging its customers' personal information. (Here's the handbook itself in PDF form.) All of Comcast's policies seem to follow the letter of the law, and seem to weigh customer privacy with law enforcement's requests. This is in apparent contrast to AT&T and a number of other telecommunication companies, which have been only too happy to give over subscriber records. According to the handbook, Comcast keeps logs for up to 180 days on IP address allocation, and they do not keep all of your e-mails forever (45 days at most). VoIP phone records are stored for 2 years, and cable records can only be retrieved upon a court order. The document even details how much it costs law enforcement to get access to personal data (data for child exploitation cases is free of charge)."

The initial take was that these were good...

Proposed global privacy standard is too vague and too weak, says expert

Monday, October 15 2007 @ 12:45 PM EDT Contributed by: PrivacyNews News Section: Internet & Computers

Last month Google's Global Privacy Counsel Peter Fleischer endorsed the Privacy Framework published by the Asia-Pacific Economic Community (APEC) in 2005, describing it as "the most promising foundation on which to build."

"Surely, if privacy principles can be agreed upon within the 21 APEC member economies, a similar set of principles could be applied on a global scale," wrote Peter Fleischer in the search giant's Public Policy Blog.

But privacy expert Dr Chris Pounder of Pinsent Masons, the law firm behind OUT-LAW.COM, has analysed the APEC rules and found that they are not only significantly more lax than those in operation in Europe, they are so broadly defined that they cannot operate as a standard at all.

Source -

Any guidelines here?

October 15, 2007

New Report Highlights Available Technologies Being Adapted for Homeland Security

Press release: "Innovations being developed for commercial use also have the potential to play a major role in protecting the country and improving our ability to respond to and quickly recover from a catastrophic event, according to a new report from the nonpartisan Reform Institute. From the Storefront to the Front Lines: The Private Sector and Homeland Security Investment (28 pages, PDF) examines commercial technologies that are currently being utilized in the homeland security arena." [Homeland Security Digital Library]

Where the data goes...

October 15, 2007

Annual Report to Congress on the Information Sharing Environment

Annual Report to Congress on the Information Sharing Environment, Department of Homeland Security's Information Sharing Environment, submitted by Ambassador Thomas E. McNamara, Program Manager for the Information Sharing Environment, September 2007 (44 pages, PDF).

Apparently they don't teach Constitutional Law at this school.

Law Student Faces Disciplinary Action Over Facebook Photo of Pat Robertson

Larry O'Dell The Associated Press October 12, 2007

A Regent University law student says school officials have threatened to discipline him for posting an unflattering photo of founder Pat Robertson on his Facebook page.

Adam M. Key, 23, posted a picture of Regent's founder and president making what appears to be an obscene gesture on the social networking Web site. Key copied it from a YouTube video in which Robertson scratches his face with his middle finger.

The second-year law student said officials at the private Christian university in Virginia Beach, Va., demanded that he either publicly apologize and withhold public comment about the matter, or submit to the law school dean a legal brief defending the posting. Key chose the latter, arguing that his posting was satire protected under the First Amendment. [Of course, it is also FACT... Bob]

Food for thought?

Email becomes the electronic equivalent of DNA evidence

IDC reports that companies will dump over $21.8 billion into legal research data mining and litigation-support infrastructure services by 2010. Employees' emails are being used in court more and more. ISPs are being forced to log emails, IMs and more. Warrants are not required to obtain most of this information. Enter the new DNA evidence.

Is this another case of “Our software doesn't work like we promise, so let's blame someone else?”

Judge bars sale of software that lets brokers snag prime event tickets

Associated Press Article Launched: 10/15/2007 01:27:34 PM PDT

NEW YORK - A federal judge ordered RMG Technologies on Monday to stop selling software that lets users flood the Ticketmaster Web site with requests and snap up tickets in bulk, beating the humans who log in manually to buy tickets.

"We will not allow others to illegally divert tickets away from fans," Ticketmaster Chief Executive Sean Moriarty said in a statement. Ticketmaster is a leading seller of concert and sporting event tickets.

Monday, October 15, 2007

If you haven't read about this earlier, take a look now. This is likely to grow. At least it looks that way to me. I suspect a school could easily step on a legal land mine by doing this... Think of all the ways a student could construct text messages that caused the school to overreact. (“Dear Principal X, Wow! I never knew you could do that with Mazolla Oil!”)

Student privacy murky in tech world

Sunday, October 14 2007 @ 11:42 AM EDT Contributed by: PrivacyNews News Section: Minors & Students

Public-school students can have their lockers searched, be sent home for wearing a shirt that promotes drugs and have an article in a school-sponsored newspaper or yearbook censored, but constitutional limits when it comes to the privacy of technology — such as cell phones — are murkier.

Source - DailyCamera

...because it only seems like I know everything!

Data “Dysprotection:” breaches reported last week

Monday, October 15 2007 @ 06:42 AM EDT Contributed by: PrivacyNews News Section: Breaches

A recap of incidents or privacy breaches reported last week for those who enjoy shaking their head and muttering to themselves with their morning coffee.

Source - Chronicles of Dissent

Consider: Businesses will locate where they believe the laws best allow them to prosper.

SWIFT to stop processing EU banking data in the US

Monday, October 15 2007 @ 06:30 AM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

Payments processing body SWIFT will stop processing European banking transactions in the US in 2009. It is planning a restructuring of its network and the building of a new operations centre in Switzerland.

SWIFT has been heavily criticised for allowing US authorities access to records of banking transactions involving European citizens. It was revealed by The New York Times last year that US intelligence agencies were allowed to view Europeans' transactions.

Source - The Register

Related -

This is an interesting legal blog, with some useful information on a narrow topic (e-Discovery)

Sherlock Holmes in the Twenty-First Century: Definitions and Limits of Computer Forensics, Forensic Copies and Forensic Examinations

... The National Institute of Standards and Technology special publication (SP) 800-86 Guide to Integrating Forensic Techniques into Incident Responses provides an authoritative definition of computer forensics:

... John Patzakis has written a very comprehensive treatise on electronic discovery law related to his company’s software tools and forensic related issues called the EnCase Legal Journal (April 2007). At 143 pages and 446 legal citations, this is not your typical vendor white paper, and is well worth reading and using as a reference.

Where my tax dollars go...

October 14, 2007

Social Security, Medicare and Medicaid Account for Half of Federal Spending

Press release, October 9, 2007: "Social Security, Medicare and Medicaid accounted for more than $1 trillion of the $2.3 trillion the federal government spent in 2005, according to the U.S. Census Bureau, which publishes the only consolidated source of data on the geographic distribution of federal expenditures. The Consolidated Federal Funds Report for Fiscal Year 2005 [116 pages, PDF] is a presentation of data on most domestic spending by the federal government for state and county areas of the United States, including the District of Columbia and U.S. outlying areas. The data include expenditures for the Defense Department and the Department of Homeland Security. The report covers direct payments, grants, procurement awards, and salaries and wages by federal agency and program. The report does not include expenditures for selected intelligence agencies, international payments, foreign aid and interest on the federal debt. A companion report, Federal Aid to States for Fiscal Year 2005 [56 pages, PDF], contains federal agency and program-level data on grants to state and local governments."

Free is good! (Are we seeing the start of a “race to be free?”)

Intuit vs. Web 2.0: Entry-level QuickBooks software is now free

Posted by Rafe Needleman October 15, 2007 3:00 AM PDT

Intuit is making the 2008 version of its entry-level small-business accounting product, QuickBooks Simple Start Edition, free. Previous full versions of the program sold for $99.95, and "more than 300,000 businesses" use the product. So why give it away?

... Whether or not Simple Start is good software (I haven't used it and have no opinion), Intuit's move to make it free is defensive. Microsoft offers a competing stripped-down small-business accounting product, and there are new small business-focused Web 2.0 services coming online all the time. Most of the free and low-cost business apps are fairly basic, and that's all mom-and-pop startups need. What the accounting vendors really want is the more grown-up small business customers that are willing to pay for robust accounting solutions.

Now this is an interesting use of a social networking web site... - Find Solutions to Computer Error Messages

Have you been plagued by error messages from your computer that have left you without hope? If you have, it is time you visit to find the solution to these annoying error messages. is a site where users go to find solutions to their computer error problems. Copy the error message you receive and go to . Type your email address into the email address box, then paste the error message into the error box directly below where you write your email address. Then click search, and will search for solutions to your error message that other users have submitted. A list of solutions will appear and you can choose the option that most closely resembles your error. Click on the full solution details and read about what you should do to fix your problem. You can add a comment on the solution, and rate the solution by clicking on the green bug if you liked it or the red bug if you thought it was a bad solution. If for some reason no one has found a solution for your error message, you are on your own. You will be contacted in 48 hours to see how you dealt with the situation, and if you solved it you will be asked to submit details on how you did. Don’t let these error messages destroy your life; visit