Saturday, October 27, 2007

100 down, 93,999,900 to go!

Ann Arbor Police hit the 'mother lode' in identity theft case

Friday, October 26 2007 @ 10:52 PM EDT Contributed by: PrivacyNews News Section: Breaches

In the largest local identity theft probe in recent memory, Ann Arbor Police arrested a man accused of posing as at least a dozen people to bilk banks across the country out of thousands of dollars.

Matthew Kent Ii, 38, was arraigned Thursday on 16 felony counts that included operating a criminal enterprise, punishable by up to 20 years in prison.

... The files contained names, dates of birth, Social Security numbers, home addresses and even phone numbers of more than 100 people - other potential identity theft victims from around the country, said Detective Laura Burke.

Source - mLive

[From the article:

... Last year, Pilon discovered that five financial institutions had issued fraudulent credit cards to the same Ann Arbor address [at some point, this information should have been cross-checked. Bob] occupied by two University of Michigan students. The students were cleared by investigators, who found a stack of unopened mail containing credit cards the students believed were intended for a previous resident.

... Several more banks reported that fraudulent credit cards were sent to Ann Arbor addresses within the same apartment complex and a complex nearby.

Using a federal database, ['cause the phone book is too unreliable... Bob] investigators learned Ii lived in the complexes and built enough evidence to obtain a search warrant, Burke said.

For my Security Management class. This suggests that there might be a lot more data spills (of a type that does not require disclosure). Question: If the IT Forensics guys work for the lawyers, are they covered by privilege?

What Not to Do After a Security Breach

Expert familiar with TD Ameritrade, TJX cases discusses the mistakes enterprises often make following a breach

OCTOBER 26, 2007 | 4:00 PM By Kelly Jackson Higgins Senior Editor, Dark Reading

Step number one after a security breach: Don't immediately bring in the outside forensics team -- get your attorney up to speed on the attack first. And don't assume just because you had a break-in that you have to disclose it publicly -- it all depends on whether data covered under regulatory mandates was exposed.

It still comes down to proving damages...

Ca: Case Report - Court articulates framework for privacy tort

Friday, October 26 2007 @ 09:53 AM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

Although there have been previous cases that have recognized the common law tort of invasion of privacy in Ontario and a few recent cases in which Ontario courts have made strong statements in refusing to strike claims based on the tort, the confines of the tort have not yet been clearly articulated. On September 21st, Deputy Judge Criger issued a small claims court judgement in which she articulated a form of test that balances an individual’s expectation of privacy in personal information against any countervailing interests in the information’s collection, use and disclosure.

Source - All About Information (blog)

[From the article:

Here is her six-part test:

  1. Is the information acquired, collected, disclosed or published of a kind that a reasonable person would consider private?

  2. Has the Plaintiff consented to acquisition or collection of the information?

  3. If not, has the information been acquired or collected for a legal process or public interest reason? If so, what is that reason?

  4. Has the Plaintiff consented to disclosure or publication of the information?

  5. If not, has the information been disclosed or published for a legal process or public interest reason? If so, what is that reason?

  6. Is the legal process or public interest reason put forward for acquisition, collection, disclosure or publication one that a reasonable person would consider outweighs the interest of the individual in keeping the information private?

Inevitable, but not welcome...

The University's Role in Advancing Data Encryption, Part 1

By Andrew K. Burger TechNewsWorld 10/27/07 1:30 AM PT

"Much like Moore's Law, PGP has seen huge advances in encryption technologies over the years -- specifically the ability for encryption to work faster and easier in a network while still being transparent to the end user," said PGP spokesperson Tom Rice. Excellent encryption research is being carried out at a number of major universities, though it's still at a nascent stage.

Technological advances are making adoption of network and data encryption more practical than ever, spurring its use in enterprises. Sixty-six percent of respondents to a Ponemon Institute survey said they were hatching strategic plans to meet their organizations' encryption needs, and 16 percent of them already had enterprise-wide encryption strategies in place.

Start with the ones that are hard to argue with, then extend the program to children (who don't get a choice), then eventually we can force everyone to have them installed at birth!

Technology as Tattletale

Posted by Zonk on Saturday October 27, @05:15AM from the spy-in-your-belt-buckle dept.

The New York Times is carrying an article noting the increasing presence of location-sensing technologies in our lives. It discusses several applications of the technology like tracking stolen cash from a bank, or making sure a teenage son follows the rules. The article also notes that these ultra-high resolution GPS trackers can allow freedom as much as restrict it:

"Project Lifesaver, a nonprofit group in Chesapeake, Va., fits Alzheimer's patients and autistic children with radio frequency beacons disguised as bracelets, which help emergency responders find them if they are lost. Next spring the group will introduce new bracelets, created by Locator Systems, a British Columbia company, that combine radio signals with G.P.S. and cellular communications. That should allow caregivers to establish a zone where patients can safely wander, said Jim McIntosh, the company's chief executive. If patients wander off, emergency crews could receive more specific information."

“We're number 168! We're number 168!” (US moves up to #48!)

October 26, 2007

2007 World Press Freedom Index

Press release: "Eritrea has replaced North Korea in last place in an index measuring the level of press freedom in 169 countries throughout the world that is published today by Reporters Without Borders for the sixth year running...Outside Europe - in which the top 14 countries are located - no region of the world has been spared censorship or violence towards journalists. Of the 20 countries at the bottom of the index, seven are Asian (Pakistan, Sri Lanka, Laos, Vietnam, China, Burma, and North Korea), five are African (Ethiopia, Equatorial Guinea, Libya, Somalia and Eritrea), four are in the Middle East (Syria, Iraq, Palestinian Territories and Iran), three are former Soviet republics (Belarus, Uzbekistan and Turkmenistan) and one is in the Americas (Cuba)."

Related: How the press is “handled” in a democracy. Politicians and bureaucrats can't stand reporters – but this may be a bit over the top. “Hey! You'll never know what you can get away with unless you try!”

FEMA Sorry for Faking News Briefing

Posted by Zonk on Saturday October 27, @03:25AM from the if-you-want-a-job-done-right-do-it-yourself dept.

theodp writes "The Federal Emergency Management Agency's No. 2 official apologized Friday for leading a staged news conference Tuesday in which FEMA employees posed as reporters. All the while, real reporters listened on a telephone conference line and were barred from asking questions. In the briefing, Vice Adm. Harvey E. Johnson Jr., FEMA's deputy administrator, called on questioners who did not disclose that they were FEMA employees, and gave replies emphasizing that his agency's response to this week's California wildfires was far better than its response to Hurricane Katrina in August 2005."

Another helpful government agency?

"TSA Breaks Your Laptop, Threatens You With Arrest"

"Reader Jake says a TSA agent dropped his laptop, smashing it in several places, then threatened him with arrest when he asked about filing a damage claim."

Friday, October 26, 2007

Slowly, we are learning that TJX never read “Security for Dummies”

TJX Intruder Moved 80GB of Data Without Detection

October 25, 2007 By Evan Schuman

Citing new information about the TJX data breach, attorneys suing the clothing retail chain amended their complaints on Oct. 25 and want a jury to evaluate TJX's security professionalism.

New details that emerged from documents filed in federal court Oct. 25 include:

# A TJX consultant found that not only was TJX not PCI-compliant, but it had failed to comply with nine of the 12 applicable PCI requirements. Many were "high-level deficiencies," the consultant said.

# "After locating the stored data on the TJX servers, the intruder used the TJX high-speed connection in Massachusetts to transfer this data to another site on the Internet" in California. More than "80 GBytes of stored data improperly retained by TJX were transferred in this manner. TJX did not detect this transfer." [At minimum, one would need to look at the increasing volume of storage (the hacker encrypted his files before transfer) and in traffic to plan changes in the IT infrastructure. Bob]

# In May 2006, a traffic capture/sniffer program was installed on the TJX network by the cyber-thieves, where it remained undetected for seven months, "capturing sensitive cardholder data as it was transmitted in the clear by TJX."

# In 2004, before the attacks began, TJX was issued a report on its security compliance that "identified numerous serious deficiencies at TJX, including specific violations. TJX did not remedy many of these deficiencies."

# At his deposition, the unnamed TJX consultant said that "he had never seen such a void of monitoring and capturing via logs activity at a Level One merchant as he saw at TJX."

# "The data breach at TJX affected more than 100 million separate and distinct credit and debit card account numbers, more than twice the size of the next largest data breach in the history of the country."

# The filings confirmed that both Visa and MasterCard have fined TJX. Visa issued "a substantial fine" in connection with the TJX data breach, dubbing it an "egregious violation" of security procedures. The sizes of the fines were not specified.

The filings for the first time also listed the key security problems that a TJX consultant found: improperly configuring its wireless network; not segmenting cardholder data devices from the rest of network traffic; "TJX did not have an IT department that was properly tasked to manage the environment used to store, process or transmit cardholder data"; improperly storing prohibited cardholder data; using usernames and passwords "that were easy to penetrate"; improper patch procedures; logs not properly maintained; anti-virus protection "improper"; and weak intrusion detection.

Oct. 25's revised complaint linked the bad security practices with the computer breach, which forced banks to take expensive actions to defend themselves. One key issue in civil cases such as this is whether the defendant can be shown to be simply careless or deliberately reckless. That distinction relies on showing what was likely in the defendant's mind at the time of the acts that led to the data breach.

Attorneys for the banks indicated they would try to show that intent with internal TJX documents obtained during discovery. "TJX knew—and discussed internally prior to the breach—that its deficiencies in network and data security could lead to the exact losses incurred here in the many millions of dollars," said the filing. "Had TJX properly disclosed information about the extent of its noncompliance with network security requirements prior to the breach, then actions to correct the deficiencies and prevent the breach could have been taken," the filing said.
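The consultant's findings above (80 GB moved out without detection, logs not maintained, weak intrusion detection) come down to nobody measuring outbound volume per host. The following is an added example, not code from the article or from TJX, showing the kind of per-host egress baseline a monitoring team could run over daily flow-summary records; the records, hosts, addresses and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from statistics import median
from typing import Dict, List, NamedTuple, Set


class Flow(NamedTuple):
    """One daily flow-summary record (e.g. a NetFlow rollup). Constructed for this example."""
    day: str        # YYYY-MM-DD
    src: str        # internal host that sent the bytes
    dst: str        # external destination
    out_bytes: int  # bytes sent src -> dst on that day


# Constructed sample: host 10.0.5.20 normally sends ~300 MB/day to one partner,
# then on day 6 pushes 80 GB to a never-before-seen destination. Encrypting the
# files before transfer (as the TJX intruder did) hides content, not volume.
SAMPLE_FLOWS: List[Flow] = [
    Flow("2007-01-01", "10.0.5.20", "203.0.113.10", 300_000_000),
    Flow("2007-01-02", "10.0.5.20", "203.0.113.10", 280_000_000),
    Flow("2007-01-03", "10.0.5.20", "203.0.113.10", 320_000_000),
    Flow("2007-01-04", "10.0.5.20", "203.0.113.10", 290_000_000),
    Flow("2007-01-05", "10.0.5.20", "203.0.113.10", 310_000_000),
    Flow("2007-01-06", "10.0.5.20", "203.0.113.10", 300_000_000),
    Flow("2007-01-06", "10.0.5.20", "198.51.100.7", 80_000_000_000),  # the anomaly
    Flow("2007-01-01", "10.0.5.21", "203.0.113.10", 50_000_000),
    Flow("2007-01-02", "10.0.5.21", "203.0.113.10", 55_000_000),
    Flow("2007-01-03", "10.0.5.21", "203.0.113.10", 48_000_000),
    Flow("2007-01-04", "10.0.5.21", "203.0.113.10", 52_000_000),
]


def daily_egress(flows: List[Flow]) -> Dict[str, Dict[str, int]]:
    """Aggregate outbound bytes as host -> day -> total."""
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f.src][f.day] += f.out_bytes
    return totals


def daily_destinations(flows: List[Flow]) -> Dict[str, Dict[str, Set[str]]]:
    """Record which external destinations each host talked to on each day."""
    dsts: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for f in flows:
        dsts[f.src][f.day].add(f.dst)
    return dsts


def find_egress_anomalies(flows: List[Flow], ratio: float = 5.0,
                          min_history: int = 3, min_bytes: int = 1_000_000_000):
    """Flag a host-day whose outbound volume exceeds `ratio` times the median of
    that host's earlier days (once `min_history` days of baseline exist) and is
    also above `min_bytes`, so small hosts with noisy baselines do not page anyone.
    Each alert also lists destinations the host had never sent to before."""
    totals = daily_egress(flows)
    dsts = daily_destinations(flows)
    alerts = []
    for host, per_day in totals.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            if i < min_history:
                continue  # not enough history to call anything anomalous
            history = [per_day[d] for d in days[:i]]
            baseline = median(history)
            today = per_day[day]
            if today >= min_bytes and today > ratio * baseline:
                seen_before: Set[str] = set()
                for d in days[:i]:
                    seen_before |= dsts[host][d]
                alerts.append({
                    "host": host,
                    "day": day,
                    "out_bytes": today,
                    "baseline": baseline,
                    "new_dsts": dsts[host][day] - seen_before,
                })
    return alerts


if __name__ == "__main__":
    for a in find_egress_anomalies(SAMPLE_FLOWS):
        print(f"{a['day']} {a['host']}: {a['out_bytes']:,} bytes out "
              f"(baseline {a['baseline']:,}); new destinations: {sorted(a['new_dsts'])}")
```

The ratio and byte thresholds are tuning knobs; the point is that a single day's total for one host is enough to make an 80 GB transfer stand out against any normal baseline.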

Here's a question for someone who knows Public Relations better than I do: Why would a CEO want to keep the story alive by making public (but fact free) announcements?

Company says personal information untapped on stolen laptop

© 2007 The Associated Press Oct. 25, 2007, 4:39PM

DALLAS — The chief executive of a personnel-services company said Thursday there is no indication that anyone has tapped personal information on nearly 160,000 people that was contained on a stolen computer. [Nor is there any evidence that Aliens haven't kidnapped him and replaced him with a robot. Bob]

Even Librarians understand Privacy...

October 24, 2007

OCLC Report: Sharing, Privacy and Trust in Our Networked World

OCLC press release and related links: "The practice of using a social network to establish and enhance relationships based on some common ground—shared interests, related skills, or a common geographic location—is as old as human societies, but social networking has flourished due to the ease of connecting on the Web. This OCLC membership report explores this web of social participation and cooperation on the Internet and how it may impact the library’s role, including: The use of social networking, social media, commercial and library services on the Web; How and what users and librarians share on the Web and their attitudes toward related privacy issues; Opinions on privacy online; Libraries’ current and future roles in social networking."

An interesting take on the story. Is this a (government sanctioned) monopoly acting evil? An interesting tack for the Class Action lawyers to sail.

Comcast and Net Neutrality

October 24th, 2007 by Ed Felten

The revelation that Comcast is degrading BitTorrent traffic has spawned many blog posts on how the Comcast incident bolsters the blogger’s position on net neutrality — whatever that position happens to be. Here is my contribution to the genre. Mine is different from all the others because … um … well … because my position on net neutrality is correct, that’s why.

Let’s start by looking at Comcast’s incentives. Besides being an ISP, Comcast is in the cable TV business. BitTorrent is an efficient way to deliver video content to large numbers of consumers — which makes BitTorrent a natural competitor to cable TV. BitTorrent isn’t a major rival yet, but it might plausibly develop into one. Which means that Comcast has an incentive to degrade BitTorrent’s performance and reliability, even when BitTorrent isn’t in any way straining Comcast’s network.

For my Contingency Planning students.

Running the Numbers on a US Pandemic

Posted by Zonk on Thursday October 25, @03:54PM from the plz-stay-theoretical-k-thnx dept.

Lucas123 writes "A U.S. pandemic would exhaust antiviral medications, reduce basic food supplies, put ATMs out of service, shut down call centers, increase gas prices and up health insurance claims by 20%, according to a test project developed by financial service firms. The pandemic paper planning scenario is used by 3,000 banks, insurance companies and security firms in preparing for disasters. The financial services groups are now sharing the pandemic flu exercise information, and all the scenarios are available for download."

How could you train people to deal with a pandemic?

The E-Learning Adventure

By Nicole Girard TechNewsWorld 10/25/07 6:15 AM PT

Improvements in the processing power of personal computers combined with Internet delivery applications provide a tremendous opportunity for novel approaches to preparedness training. The power of virtual learning environments lies in creating 3-D spaces that give users a sense of learning by doing.

For my Security Management students: “Some users weren't doing what we thought they should do, so we 'fixed them.'”

Microsoft's OneCare silently changes Automatic Updates

Many Windows XP and Vista users were mystified when their Automatic Updates settings were changed without approval, and a researcher thinks OneCare is to blame

By Gregg Keizer, Computerworld October 25, 2007

Microsoft's consumer security software changes the AU (Automatic Updates) settings in Windows XP and Vista without telling users or getting their approval, a researcher said Thursday -- behavior that may explain recent reports of patches being installed and systems rebooting without permission.

When Microsoft responded to new charges of silent changes last week, however, it denied that AU settings were ever altered without user approval, and it didn't mention OneCare as a possible culprit.

Scott Dunn, an editor at the "Windows Secrets" newsletter, reported Thursday morning that OneCare silently changes AU settings as it installs. No matter what AU setting the user selected previously, OneCare's installer quietly changes it to the fully automatic option.

...and as proof that “Bill knows best” (Hey! It's their operating system, we're just renting it. This could be a matter of National Security!)

More gnashing of teeth after Microsoft update brings PCs to a standstill

Resource-hogging search app sprung on reluctant admins

By Dan Goodin Published Thursday 25th October 2007 01:04 GMT

Updated This story was updated on Thursday 25th October 2007 23:21 to add comment from Microsoft.

Something seems to have gone horribly wrong in an untold number of IT departments on Wednesday after Microsoft installed a resource-hogging search application on machines company-wide, even though administrators had configured systems not to use the program.

... The blogosphere is buzzing with similar reports, as evidenced by postings here, here and here.

Education is changing. It should be possible (I can see no technical obstacles) to generate “one off” degrees for students with very specific interests. (A PhD in Blogging, for example.)

October 25, 2007 08:30 AM Eastern Daylight Time

Concord Law School Partners with Loyola University Chicago School of Law to Introduce Online Version of Popular MJ Degree in Health Law

LOS ANGELES--(BUSINESS WIRE)--Concord Law School announced today that it will partner with Loyola University Chicago’s School of Law to offer a Master of Jurisprudence (MJ) in Health Law online to Loyola students beginning May 2008.

“Increased accessibility to legal education is a significant part of Concord’s mission, and we are very pleased to be part of this project,” said Barry Currier, Dean of Concord Law School. “Bringing our online expertise to this partnership will give Loyola an opportunity to bring its health law curriculum to a broader audience, providing both opportunities for students and service to the health care industry.”

Now this has potential! A non-browser browser...


By: LabRats On: October 25th, 2007 Posted In: Mozilla Labs

Personal computing is currently in a state of transition. While traditionally users have interacted mostly with desktop applications, more and more of them are using web applications. But the latter often fit awkwardly into the document-centric interface of web browsers. And they are surrounded with controls–like back and forward buttons and a location bar–that have nothing to do with interacting with the application itself.

... Prism is an application that lets users split web applications out of their browser and run them directly on their desktop.

Attention fans of the Da Vinci Code! (Think of it as e-art – when you have a wall sized hi-def TV, this can be your screen saver...)

"Last Supper" to go online

Thu Oct 25, 2007 3:53pm EDT By Gilles Castonguay

MILAN (Reuters) - A high-resolution image of Da Vinci's "Last Supper" will soon be posted on the Internet by an Italian technology firm, allowing art lovers and conspiracy theorists alike to scrutinize it from their own computers.

Thursday, October 25, 2007

Details are slow to emerge, but eventually they must...

True Lies and Data Breaches

October 24, 2007

... When they were done, they'd stolen at least 45.7 million credit card numbers – a new high (or low) in the world of consumer data breaches. The actual count could be much higher, though we'll never know exactly how high; TJX deleted most of its records before the store realized it had been hacked. The hackers left a bunch of their own files on TJX's network, but TJX can't read them because they're encrypted.

In other words, TJX didn't know or care enough to encrypt its records, but the hackers did.

... Of course, TJX will pay in other ways. It's proposed a $200 million settlement to compensate consumers for identity theft, but mostly in the form of store vouchers and a three-day 'customer appreciation event' next year. That's like mugging somebody, then offering to take them to dinner using the money you just stole from them.

Just so we can all remember what was being said way back at the start of the TJX data spill – now at 94 million (and counting?)

Data Breach Could Affect Millions of TJX Shoppers

By ERIC DASH Published: January 19, 2007

... TJX’s vice president for investor and public relations, Sherry Lang, said yesterday that the amount of information removed was “substantially less than millions,” but conceded that many more could have been “potentially exposed.”

...and do we learn from the mistakes of others? Alas, no...

Canada execs not confident in data security -survey

Wed Oct 24, 2007 12:24pm EDT

TORONTO, Oct 24 (Reuters) - Almost half of Canadian executives aren't confident that their company's private information is secure and more than a third admit to taking no action despite recent headlines about high-profile security breaches, a new survey has found.

As well, one in five executives at Canadian companies said his or her company currently doesn't use anti-virus software and 25 percent operate without firewall applications, according to the survey conducted by Leger Marketing and released on Wednesday.

Comcast revises its story... Again. “We gots some customers we don't like and we gots some we like. We gonna take some bandwit from da ones we don't like and we gonna give to da ones what we like. Youse gotta problem wit dat?”

Comcast Admits Delaying Some Traffic

By PETER SVENSSON AP Technology Writer Oct 23, 7:17 PM EDT


NEW YORK (AP) -- Comcast Corp. on Tuesday acknowledged "delaying" some subscriber Internet traffic, but said any roadblocks it puts up are temporary and intended to improve surfing for other users.

Security Manager Alert! How to get past those pesky firewalls! - Beat Firewalls With ILoveIM

It is becoming more and more difficult to use our IM services at school and work these days. Many schools and offices have created a firewall for MSN and AOL chats. ILoveIM gives you a way to continue to stay in contact with your instant messenger buddies even at the office. The ILoveIM web messenger allows you to stay connected with your MSN, Yahoo, GTalk and AOL chats. All you need is to create an account, a web browser and an internet connection. You don’t need to download any applications; ILoveIM is easy to use and works behind a firewall. ILoveIM works like your other IM services: your buddy list appears with your buddies placed in the same groups you have put them into. You can set your online status. Don’t be discouraged by firewalls; ILoveIM gives you a way to always be connected to your friends.

Think of this one as an e-hit on Security researchers...

Storm Worm Strikes Back at Security Pros

Posted by ScuttleMonkey on Wednesday October 24, @01:25PM from the skynet-worm dept.

alphadogg writes "The Storm worm, which some say is the world's biggest botnet despite waning in recent months, is now fighting back against security researchers that seek to destroy it and has them running scared, conference attendees in NYC heard this week. The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them, shutting down their Internet access for days, says an IBM architect."

Makes a strange sort of sense...

Humans Not Evolved for IT Security

Posted by ScuttleMonkey on Wednesday October 24, @02:51PM from the wait-it-guys-have-emotions? dept.

Stony Stevenson writes to tell us that at the recent RSA Conference security expert Bruce Schneier told delegates that human beings are not evolved for security in the modern world, especially when it comes to IT.

"He told delegates at the 2007 RSA Conference that there is a gap between the reality of security and the emotional feel of security due to the way our brains have evolved. This leads to people making bad choices. 'As a species we got really good at estimating risk in an East African village 100,000 years ago. But in 2007 London? Modern times are harder.'"

I wonder if Steve Jobs gets a fee from AT&T anyway?

Apple COO: Users Unlock 1 in 6 iPhones Sold

By Troy Wolverton San Jose Mercury News 10/24/07 9:14 AM PT

The day Apple reported its Q4 earnings, COO Tim Cook estimated that a quarter million iPhones -- that's about a sixth of all the iPhones Apple has sold -- have gone to customers who have no intention of signing up to AT&T. Several methods for unlocking the phones can be found on the Internet, though Apple's latest software update reportedly ruined some unlocked iPhones.

The Japanese are too polite to say it, so they let their phones talk for them. In New York, the phones would have a built-in Taser...

Mobile App Warns Subway Gropers 'Hands Off!'

By Hiroko Tabuchi AP 10/24/07 11:54 AM PT

Uninvited gropes from strangers are a problem faced by many women on Japan's crowded subway trains. Game developer Takahashi has addressed the issue with its Anti-Groping Appli, a program for mobile phones that flashes messages across the user's screen like "Groping is a crime," while the user holds the screen in the groper's field of view.

October 24, 2007

New Pew Internet Data on Parents and Internet Use

"Parents today are less likely to say that the internet has been a good thing for their children than they were in 2004. However, this does not mean there was a corresponding increase in the amount of parents who think the internet has been harmful to their children. Instead, the biggest increase has been in the amount of parents who do not think the internet has had an effect on their children one way or the other. Fully, 87% of parents of teenagers are online -- at least 17% more than average adults."

Wednesday, October 24, 2007

Not timely, but honest!

Restaurant chain customers' credit card data stolen

Wednesday, October 24 2007 @ 03:59 AM EDT Contributed by: PrivacyNews News Section: Breaches

Not Your Average Joe's, a Massachusetts restaurant chain, said yesterday that thieves have stolen credit card data belonging to its customers.

The Dartmouth-based chain estimated less than 3,500 of the 350,000 customers it served in August and September had their credit card information stolen. The 14-restaurant chain said it is working with the US Secret Service and major credit card companies to determine how the data theft occurred and precisely how many customers were affected.

Source - Boston Globe

[From the article:

... Today, the chain plans to post on its website a notice to customers about the security breach.

... The breach at Not Your Average Joe's first surfaced on Cape Cod. Officials at Cape Cod Five Cents Savings Bank reported to local police that a handful of customers were seeing unauthorized charges showing up on their credit card statements.

... Scipione said the Cape Cod Five customers reported nearly $20,000 in unauthorized charges, nearly all of them rung up abroad. He said it appeared the thieves were using the stolen credit card information in conjunction with counterfeit credit cards.

[From their web site:

... The only data our company has access to are the credit card number, expiration date and name associated with the card. Not Your Average Joe’s does not have any other identifying data; therefore, no risk of identity theft associated with this issue exists. [Now that is how to say it! Bob]

... based on what we have learned to date the activity occurred largely between early August and late September; there has been no evidence of any fraudulent activity subsequent to September 29. [In and out before the credit card statements arrive... Bob]

You can state why you think Identity Theft is unlikely, or you can talk about how the Tooth Fairy will make it all better...

200,000 notified of missing tape containing personal information

Tuesday, October 23 2007 @ 08:02 AM EDT Contributed by: PrivacyNews News Section: Breaches

A computer tape containing personal information such as names, addresses and Social Security numbers on 200,000 past and current members of three health insurance programs is missing after it reportedly slipped out of a package during shipment. The information comes from the West Virginia Public Employees Insurance Agency (PEIA), the Children's Health Insurance Program and the AccessWV high risk insurance pool.

Source - Associated Press

[In the article, “Some state employees say they expect officials to recover a missing computer tape...” even though the tape went missing on Oct. 12 and “The third-party shipper reported it missing Oct. 16. After an exhaustive weekend search...” Perhaps they are calling in Harry Potter? Bob]

Not your typical “they were only after the laptops” break-in – in fact no computers involved...

School Burglars Target Students' Information

Wednesday, October 24 2007 @ 04:01 AM EDT Contributed by: PrivacyNews News Section: Breaches

Four East Texas school districts had campuses burglarized within the past week, and one district has reason to believe the burglars' target may have been their students' Social Security information.

Source - Tyler Morning Telegraph

This happened September 11th – life moves at a slower pace in Utah. And they don't seem to keep logs, since they can't tell if anything was accessed or copied!

Personal information compromised on Dixie State computer system

Tuesday, October 23 2007 @ 01:33 PM EDT Contributed by: PrivacyNews News Section: Breaches

An unauthorized person reportedly gained access to Dixie State College's computer system and gained access to confidential files, including Social Security numbers, birth date information and addresses for some alumni and current DSC employees.

... Once DSC officials became aware of the incident, the compromised files, which contained approximately 11,000 names of those who graduated or worked at DSC from 1986 to 2005, were immediately deleted from the server. [Suggesting that they shouldn't have been there in the first place? Bob] In addition, law enforcement officials, the Utah State Attorney General’s Office and the Utah Higher Education Commissioner’s office were notified.

Source - The Spectrum

Ah! Someone finally noticed!

(update) Court filing in TJX breach doubles toll

Wednesday, October 24 2007 @ 04:03 AM EDT Contributed by: PrivacyNews News Section: Breaches

More than 94 million accounts were affected in the theft of personal data from TJX Cos., a banking group alleged in court filings, more than twice as many accounts as the Framingham retailer has said were affected in what was already the largest data breach in history.

The data breach affected about 65 million Visa account numbers and about 29 million MasterCard numbers, according to the court filing, which was made late yesterday by a group of banks suing TJX over the costs associated with the breach.

Source - Boston Globe

Have we lost something in the translation?

Privacy's Other Path: Recovering the Law of Confidentiality

Tuesday, October 23 2007 @ 07:10 PM EDT Contributed by: PrivacyNews News Section: Other Privacy News

Dan Solove and Neil Richards have uploaded the final version of their paper, Privacy's Other Path: Recovering the Law of Confidentiality up on SSRN. The abstract:

The familiar legend of privacy law holds that Samuel Warren and Louis Brandeis invented the right to privacy in 1890, and that William Prosser aided its development by recognizing four privacy torts in 1960. In this article, Professors Richards and Solove contend that Warren, Brandeis, and Prosser did not invent privacy law, but took it down a new path. Well before 1890, a considerable body of Anglo-American law protected confidentiality, which safeguards the information people share with others. Warren, Brandeis, and later Prosser turned away from the law of confidentiality to create a new conception of privacy based on the individual's inviolate personality. English law, however, rejected Warren and Brandeis's conception of privacy and developed a conception of privacy as confidentiality from the same sources used by Warren and Brandeis. Today, in contrast to the individualistic conception of privacy in American law, the English law of confidence recognizes and enforces expectations of trust within relationships. [Is there trust in a TJX-customer relationship? Bob] Richards and Solove explore how and why privacy law developed so differently in America and England. Understanding the origins and developments of privacy law's divergent paths reveals that each body of law's conception of privacy has much to teach the other.

Source - Concurring Opinions

We're your government. Trust us!

Federal security breaches double in four months

Tuesday, October 23 2007 @ 01:31 PM EDT Contributed by: PrivacyNews News Section: Breaches

Federal agencies report an average of 30 incidents a day in which Americans' personally identifiable information is exposed, double the incidents reported early this summer, according to the top information technology executive in the Bush administration.

The Office of Management and Budget issued a memo in July 2006 requiring agencies to report security incidents that expose personally identifiable information to the U.S. Computer Emergency Readiness Team within one hour of the security incident. In June 2007, 40 agencies reported almost 4,000 such security incidents, an average of about 14 per day. As of this week, the average had increased to 30 a day, said Karen Evans, administrator of the Office of Electronic Government and Information Technology at OMB.

Source - Government Executive

That's Comcastic! (Attention Class Action Lawyers!)

Comcast's Rootkit Moment

from the expected-filing-in-3...2...1... dept

With all the fuss over Comcast's decision to jam certain types of traffic without being even remotely transparent about it, people are starting the countdown to the inevitable lawsuits. This is beginning to take on some similarities to Sony's rootkit debacle, which started to spread in a similar manner. And, just like Sony responded initially by saying rootkits were okay because no one knows what they are, Comcast has said that people shouldn't worry about this because most people won't be able to detect it. In other words, just like Sony, Comcast is seriously underestimating what this is doing for the company's brand. As the link above notes, someone could make a pretty good case that Comcast's method of jamming traffic violates certain state laws forbidding impersonating others -- since, technically, that's exactly what Comcast is doing to jam the traffic. There's also the question of whether or not it becomes an FTC issue for misleading customers into believing they could do certain things with their connection that they could not. If Comcast wants to avoid a full Sony rootkit style mess, it would be good for the company to come right out and make it clear what they do and what that means for its customers.

Related: In fact, almost exactly what Comcast is doing (above)

Verizon Fined For Pretending That Limited Service Was Unlimited

from the watch-out-comcast... dept

Back in 2005, we noted that Verizon Wireless was following the tactics of others in advertising "unlimited" wireless broadband services, while the truth was they were quite limited. As people later worked out, despite the claim of "unlimited," VZW was cutting off anyone who used more than 5 gigs of data per month. That's pretty limited, actually. When confronted about this, the company tried to argue that by "unlimited" it really meant "It's unlimited amounts of data for certain types of data." And they followed it up with this gem: "It's very clear in all the legal materials we put out." Right, see, that's the legal materials -- the stuff you know no one reads. Yet in the marketing materials it's quite clear that you're claiming "unlimited" and that has a pretty clear meaning. After many such complaints, Verizon Wireless finally started to back down from the false claim of "unlimited" earlier this year. Turns out that it wasn't because of any realization that lying to your customers is a bad idea, but because NY State was investigating the practice. NY has now fined Verizon Wireless $1 million to be given out to customers who had their service unfairly terminated for actually believing that "unlimited" meant "unlimited." Of course, Comcast might want to start paying attention right about now. While lawyers everywhere are rushing to file lawsuits over its decision to jam broadband user accounts, before that happened Comcast was famous for many, many years for being one of the biggest ISPs to lie about offering unlimited service. It's a story that comes up in the press every year or so, and every year Comcast gives its own doublespeak about how it only cuts off the worst "abusers." However, it's still false advertising to claim unlimited service when that's not what you supply -- and it's hardly "abuse" if people are merely doing what you told them they could do.

Free to porn! (Porn free?) Now I can start my online hosting service for Amateur Pimps! (Porn Hobbyists?)

Court Throws Out Rule Requiring Adult Sites To Keep Records And Proof Of Age For All Performers

from the that-first-amendment-thing dept

Just last week, Wired had an article looking at how a particular section of law regulating adult content could potentially hurt the growth of "user generated" porn sites. The law in question required any "publisher" of adult content to obtain and permanently keep records proving that the "performers" in question were of legal age. Obviously, the goal here is to prevent child porn -- but many felt that such a rule was incredibly burdensome on those who were producing legitimate adult content, and it was even worse for "user generated" sites that would now require such information from every participant. Now, Slashdot points out that the Sixth Circuit Court of Appeals has found the law to be unconstitutional, as it violates the First Amendment. The Slashdot post is a little misleading, implying that the case was about age verification for viewers. It's actually about the performers. The full ruling (pdf) is an interesting read, but the crux of the argument is that while preventing child porn is a noble goal, if it ends up putting a burden on plenty of legitimate expression, then it's a clear First Amendment violation. Many people may not think this is a big deal, as they don't care for adult content or don't have any problem with having it heavily regulated -- but as the court notes, the right for people to remain anonymous is an important part of the First Amendment. [...even for people who videotape themselves having sex. Bob] Weakening that right -- even if for a reasonable end goal -- starts you down a slippery slope.

Using Virtuality for security

Virtual Browsers: Disposable Security

By Frank Hayes Computerworld 10/23/07 8:00 AM PT

If users are working on a virtualized PC, or at least a virtualized Web browser, then throwing it out is trivial. So is replacing it with a fresh, uncluttered, uninfected version. Virtual IT is built to be disposable. OK, you've heard about this virtualization magic before. However, it seems too good to be true, and it sounds complicated and expensive.

... Firewalls and antivirus software can block or kill some of it. But the bad guys keep getting more clever and more subtle. And more prolific -- for example, antivirus vendor Symantec (Nasdaq: SYMC) says it now identifies new malware variations at the rate of nearly 1,200 per day.

Worse still, all that junk can hang around in the browser or PC until it's forcibly removed. That's if it can be removed.

There's one sure way to get rid of it: Throw away the PC. That's expensive -- at least, if you're actually throwing away the hardware. Or you can throw away just the software by reimaging the hard drive; no hardware cost there, but it still chews up time and manpower.

Toward the universal university...

Universities Figuring Out The Value Of Giving Away Content For Free

from the economics-lessons dept

It started with universities giving away all their courseware online for free, but recently some universities have started posting videos of all lectures for free on YouTube as well. This has some folks wondering what that means about the value of a university education. Andy Kessler does a nice job breaking down the details of what he calls "YouTube U.", noting that it plays directly into the economics of free content. The content itself, once recorded, is the infinite good -- but the scarce good remains the actual diploma of having successfully made it through the courses and the tests to prove that you had an acceptable level of understanding. While he then jokingly (right, Andy?) suggests that a more conspiratorial answer is that it's a professor's way of being lazy and focusing on the parts of being a professor that bring in money (research, consulting) he may not be that far off. Professors will embrace such things because if they really are good professors it does help build their own brand, which can help them in many ways, from getting grant money to getting better grad student researchers to many other things. And the fact that it can do all that while also helping many people who aren't attending the school learn about whatever topic is being taught seems like a pretty good deal.

I'm going to make a guess that this could be useful when coordinating a project outside a normal organization structure. Perhaps in a classroom (where students are global) or when writing a legal/technical paper (with input from a variety of sources) - For Efficient Project Management

Do you want to finish projects more efficiently? Does your company want more fluid communication between team members?

... The application has different roles for the members of the project. There are three different roles: guest, team member, and project manager. The guest can view the information but cannot edit or add any new information. The team member can edit his/her tasks along with editing and commenting on the wiki page. The project manager has all of the privileges of the other roles and in addition can create and edit projects and approve time off requests.

... The dashboard is where all of your projects and tasks are listed; there is even a personal to-do section. The editor allows you to create new projects and tasks, along with inviting new members to The wiki allows project members to communicate and give each other updates and additional information. The issue tracking system is for project managers to use to assign issues to team members and track the status of the issue until it is fixed.

Tuesday, October 23, 2007

No excitement in Denver! 8,000,000 hits in the first hour. Perhaps they should have used eBay?

Ticketless baseball fans in Denver

Posted by Steven Musil October 22, 2007 1:22 PM PDT

What if you threw a World Series and no one came because they couldn't buy tickets?

That is the dilemma facing the Colorado Rockies on Monday after the baseball team suspended online ticket sales because servers were overwhelmed by traffic.

"We are as frustrated and disappointed as (fans) are," Jay Alves told The Denver Post, adding that team officials had no idea so many people would try to use the Web site.

Oh boy, another “everyone is doing it” defense.

Tories turn tables, accuse Liberals of having database that invades privacy, too

Monday, October 22 2007 @ 07:10 PM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

Liberal MPs use a constituent database that has some of the same invasive privacy capabilities as the maligned Conservative party system, according to a promotional web site for the software.

Peter Van Loan, the Conservative House leader, happily recited Monday the potential tools touted by The AIT Corp for its ElectSYS database.

Source - The Canadian Press

Because I'm trying to be less obsessive.

Data “Dysprotection:” breaches reported last week

Monday, October 22 2007 @ 07:47 AM EDT Contributed by: PrivacyNews News Section: Breaches

A recap of incidents or privacy breaches reported last week for those who enjoy shaking their head and muttering to themselves with their morning coffee.

Source - Chronicles of Dissent

Hey! They're just as forthcoming as the Attorney General nominee...

Comcast Still Dancing Around Its Content Jamming Operations; What's Wrong With Admitting It?

from the shhhh,-it's-a-secret-that-everyone-knows dept

With the news coming out that Comcast's broadband jamming operations actually interfere with other apps as well, Comcast is now trying to respond to the complaints in every way other than telling people what it is that they're doing, which at this point really does appear to be the only sensible response. Comcast went to Reuters (since it was AP who confirmed the original story) and repeated the carefully worded claim that Comcast is not blocking any kind of traffic. Of course, people aren't saying that it's completely blocking any traffic -- just that it's quietly pulling some background tricks to slow down certain types of traffic without letting its customers know. That's the key part, and it's the same complaint that people have had for years with Comcast concerning its fuzzy bandwidth caps. The company advertises unlimited service, but if it's not unlimited, why not come out and explain what the limitations are? It seems only fair.

Perhaps an answer comes from Tim Lee, who was invited to a conference call today with Comcast to help "clear up" the misperceptions Comcast feels are being spread in the media about its actions. The only problem is that Comcast doesn't clear up anything. It basically admits to the traffic shaping but says it can't tell people that it's doing that, as it could help them get around the shaping. Well, sorry, too late for that. Besides, what's wrong with simply telling people what the limitations are and then going after the violators for terms of service breaches? In being so secretive and misleading about it, all it's doing is causing many more people to get upset with Comcast and think that they're being targeted (even if they're not). It's a ridiculous PR situation for Comcast to be in -- and it could be solved easily enough if Comcast stopped beating around the bush, stopped giving gobbledygook doublespeak responses that don't actually answer the questions people are asking and simply told people what they're doing and why. It really is that simple. If the company has a legitimate reason for doing what it's doing (and some people say there is) then why not explain that?

The Streisand Effect

College Blocks Blog Critical Of Chancellor; Now That Blog Is Mainstream News

from the nice-work! dept

Witty Nickname writes "A new Chancellor was selected to lead a Community College District in northern Harris County, Texas. A critical blog was set up to blast the new Chancellor, who quickly had IT block it on all campus computers. As these things always do, it backfired. The college was sued, forced to unblock the blog, and thanks to the media attention, now everyone in Houston knows about the blog. [and both readers of my blog Bob]" Didn't quite work the way he expected, huh? One would imagine that the blog got barely any traffic prior to this. Perhaps ignoring it would have been a better option.

Copyright as a weapon

Nation's Largest Textbook Seller Copyrights Class Textbook Listings

October 22, 2007 - 9:48pm — MacRonin

College students are all too familiar with paying heavy prices for textbooks. So it should come as no surprise that the nation's leading collegiate book provider is targeting an online competitor with a federal Digital Millennium Copyright Act lawsuit.

Follett Higher Education Group, the nation's largest wholesaler of higher education textbooks, is targeting California-based Ugenie, alleging that part of Ugenie's online textbook comparison shopping service contains pilfered data from Follett. The allegedly purloined data, which Follett says is copyright protected, is publicly available

The lawsuit, in U.S. District Court for the Northern District of Illinois, raises questions of how far the Digital Millennium Copyright Act protects publicly available material that is assembled on a commercial web site. The case also raises privacy interests, as Follett claims Ugenie has unleashed so-called 'bots' onto the web site, scooping up vast quantities of data in violation of its user agreement and data that would otherwise be impossible for a single user to acquire.

... The case is similar to Los Angeles federal court litigation where a judge last week issued an injunction against RMG Technologies, which sold software allowing ticket resellers to scoop up unlimited tickets at Ticketmaster ahead of the general public, and against Ticketmaster's user policy allowing a limited number of ticket purchases. The Pittsburgh company advertises that its software is 'stealth technology that lets you hide your IP address, so you never get blocked by Ticketmaster.'

Like the Ticketmaster case, the Follett case alleges the Burlingame company violates Follett's terms of use agreement.

In the textbook case, the user agreement demands that users won't adapt the site's information for commercial gain. The terms of use agreement also 'expressly prohibits automated data gathering' from its site, where all content is copyrighted.

Free is good!

The Internet Is Good For Classical Music

Back in 2005, the BBC made all nine of Beethoven's symphonies available for free download -- a move that made classical record label executives absolutely livid. We thought that their fear was short sighted, considering that the BBC was helping the classical music genre gain millions of listeners for free. A few years have passed now, and it looks like those record executives may finally be realizing that the Internet is, in fact, good for them. The classical music industry, struggling prior to 2000, is now on a huge rebound due largely to the Internet. Classical music labels are seeing record sales this year, now that the Internet allows music buyers access to their complete libraries of music, which would be completely impractical in a brick-and-mortar store. Classical music benefits more from the "long tail" since not only are there centuries of music from which to draw -- each piece is likely to have multiple recordings, resulting in a vast catalog. Furthermore, the Internet affords users a much richer music discovery process -- through blogs, YouTube, and sites like Michael Tilson Thomas' Keeping Score, where the San Francisco conductor leads a series of educational broadcasts, intended to educate listeners about classical music. It's nice to see that after initially being freaked out by change, the classical music world is now embracing these new technologies -- in the end, everyone benefits: listeners gain access to more music, musicians and composers are able to expose their music to more people, and, oh yes, the labels do end up building a better business.

Odds are, it will be everywhere soon.

From Casinos to Counterterrorism

Monday, October 22 2007 @ 11:24 AM EDT Contributed by: PrivacyNews News Section: Surveillance

This city, famous for being America's playground, has also become its security lab. Like nowhere else in the United States, Las Vegas has embraced the twin trends of data mining and high-tech surveillance, with arguably more cameras per square foot than any airport or sports arena in the country. Even the city's cabs and monorail have cameras. As the U.S. government ramps up its efforts to forestall terrorist attacks, some privacy advocates view the city as a harbinger of things to come.

Source - Washington Post

When photos, birth certificates, fingerprints and a retinal scan aren't enough... - Genetics Completing Your Family Tree

Do you want to make a thorough family tree leaving no stone unturned? is a family tree site that approaches the scientific side of creating family trees. offers DNA testing as a way to link you with your ancestors and relatives.

When DNA, photos, birth certificates, fingerprints and a retinal scan aren't enough...

CalTech Creates Electronic Nose

Posted by ScuttleMonkey on Tuesday October 23, @04:38AM

from the smells-like dept. Biotech Science

eldavojohn writes "Researchers have created an electronic nose that can detect odor and identify which odors are a concern to it. From the article, 'The Lewis Group a division of Chemistry and Chemical Engineering at Cal Tech have a working model of an electronic nose. The efforts of Cal Tech scientists have led to an array of simple, readily fabricated chemically sensitive conducting polymer films. An array of broadly cross-reactive sensors respond to a variety of odors. However, the pattern of differential responses across the array produces a unique pattern for each odorant. The electronic nose can identify, classify and quantify when necessary the vapor or odor that poses a concern or threat.'"

Jurisdiction shopping...

Canadian Public Domain Not Good Enough For German Publisher

from the this-is-not-the-public-domain-you-were-looking-for dept

It's no secret that different countries have different lengths for copyright. That's why there are constant debates over copyright extension, as countries with shorter terms for copyright are pressured by those with longer terms to extend (or, better yet, to leapfrog) copyright terms. Otherwise, you end up with the situation where content in one country is in the public domain, while it's still under copyright elsewhere. In the age of the internet, where borders are somewhat meaningless online, that's going to cause some problems. Witness the situation with the International Music Score Library Project, a wiki-based project in Canada, for publishing public domain music scores online. The site was careful about copyright, making sure that the only content published was in the public domain. Since the site is based in Canada, it focused on Canadian copyright law and what was in the public domain in that country. Apparently, that was seen as problematic to a German publisher, Universal Edition AG, who found that some of the musical scores that are in the public domain in Canada are still under copyright in Germany. Universal Edition then hired a Toronto law firm to send a cease and desist letter, that caused the entire site to be taken down. Yes, even though all of the content was perfectly legal under Canadian law, this German publisher was able to get it taken offline because some of the content was still under copyright in Europe. If this type of thing is allowed to stand, then we reach a point where all copyright online automatically is covered by the absolute most draconian and stringent levels of copyright law, no matter what the law is anywhere else. That doesn't seem either reasonable or fair.

Worth a read?

Identity thieves likely to be first-timers, strangers

Robert Lemos, SecurityFocus 2007-10-22

An analysis of identity-theft cases closed by the U.S. Secret Service in the past six years has found that identity thieves typically do not have a criminal record and are generally not known by their victims.

The study, published on Monday, reviewed data from 517 cases resolved by the U.S. Secret Service between 2001 and 2006. The analysis found that nearly 60 percent of the 933 offenders implicated in the cases did not know their victims and more than 70 percent of the thieves had no prior criminal record. While most reports of identity theft focus on individuals, the analysis found that financial institutions are slightly more likely to be a victim.

The review is the first time that the federal agency has allowed the public analysis of its cases, said Gary R. Gordon, a professor of economic crime at Utica College and an author of the study.

... The average loss claimed by the victims totaled $31,356, with the largest loss totaling $13 million. Women made up a significant percentage of offenders -- a third -- compared to other types of crimes, and 71 percent of offenders had not previously been charged with a crime.

Did Uncle Willy really win the Medal of Honor three times?

October 22, 2007

National Personnel Records Center Opens more than Six Million New Military Personnel Files

Press release: "The National Personnel Records Center (NPRC website) will open for the first time all of the individual Official Military Personnel Files (OMPFs) of Army, Army Air Corps, Army Air Forces, Navy, Marine Corps and Coast Guard military personnel who served and were discharged, retired or died while in the service, prior to 1946. Collectively, these files comprise more than six million records. This is the second step in the progressive opening of the entire paper and microfiche OMPF collection of over 57 million individual files. Additional military personnel records will be made available to the public each year through 2067 until the entire collection is opened."

Tools & Techniques - Cool Web 2.0 News, Products

MakeUseOf is a sort of tech blog/web 2.0 directory which only showcases the coolest, most useful and free apps out there. This isn't a strictly techno-geek's blog, it's for everyone, even those that confuse ICQ with a stay in Cedars Sinai, or those who think tweets have something to do with Looney Tunes.

The site consists of three main sections:

1. Blog (daily list-style software and web application reviews)

2. Directory (free web apps and mobile tools)

3. Tech Fun (Funny pictures and videos for tech minded folks, aka geeks)

Tools & Techniques

Hot deal: National Geographic National Park topo CD-ROMs for $2 each

Posted by Emily Shurr October 22, 2007 3:58 PM PDT

Lost your way? Try topos.

You're a dedicated digital professional of some kind, shackled to your desk all week. But you're a fearless explorer of the natural world on your days off. When you get ready for your next overland adventure, you can plan your route down the Shenandoah River or up Mount Everest with pens, highlighters and a large collection of topographical maps unfolded over every available surface--or you can use one little CD-ROM from National Geographic. No, you cannot plan it all out on a GPS. You need some old-fashioned know-how to go with your newfangled technology.

Assuming you have a color printer, National Geographic's TrailSmart National Park CD-ROM allows you to mark locations, add text boxes, map your route and create elevation profiles. It also points out attractions and features of the terrain along the route.

How much: $1.95
Shipping: $5.95
Where: Sierra Trading Post

Tools & Techniques

A look at TasteBook

October 22, 2007 9:01 PM PDT

TasteBook, a new Web site that allows people to search the Web for recipes and print out hardcover cookbooks, is set to launch Tuesday.