Saturday, November 03, 2007

A great way to get lawyers interested in Identity Theft

5,098 New England School of Law alumni have personal information exposed in Google

Friday, November 02 2007 @ 11:33 AM EDT Contributed by: PrivacyNews News Section: Breaches

I haven't seen this in any mainstream media sources (yet), but the New England School of Law has notified New Hampshire that personal information on the school's server that included names, addresses, telephone numbers, dates of birth, and Social Security numbers of 5,098 alumni was inadvertently exposed and indexed by Google. The exposure was discovered in mid-October and notification to the state was on Oct. 29.

Source - Notification to NH [pdf]

My students are telling me the same thing

Handling Goofs Cause Many Data Leaks

Saturday, November 03 2007 @ 06:55 AM EDT Contributed by: PrivacyNews News Section: Breaches

Since January 2005, there have been 167.7 million records containing sensitive personal information exposed by security breaches, according to a running total kept by the Privacy Rights Clearinghouse.

The question is, How does this information get out there?

Loss or theft of a physical object forms by far the largest hole in data security. According to an analysis (PDF) done recently by David Litchfield of Next Generation Security Software, based in Surrey, England, 43 percent of records lost since Jan. 1 slipped out of organizations on paper, computers, laptops, disks or backup media.

Other researchers put the figure higher for records that were exposed due to lost or stolen computers or media—security expert Chris Walsh has analyzed New York data sets and puts the figure closer to 99 percent.

Source - eWeek

Related - Can we make any sense out of breach reports? (Chronicles of Dissent, blog)

Are you sure it was a French court? They hate everything not French...

Wikipedia wins privacy case

Saturday, November 03 2007 @ 07:09 AM EDT Contributed by: PrivacyNews News Section: In the Courts

A French court has ruled that Wikipedia could not be held responsible for content posted by its users in a landmark ruling for the internet giant.

Three plaintiffs were each seeking 69,000 euros ($110,000) in damages for invasion of their privacy after their homosexuality was revealed on the website, which is written and edited by thousands of anonymous contributors.

Source -

Do you have a perfect driving record, or are you in this database? Why does this even exist? “Osama is a bad driver.”

Federal Driver Database Filled with Security Holes

Friday, November 02 2007 @ 11:52 AM EDT Contributed by: PrivacyNews News Section: Fed. Govt.

The Department of Transportation's Inspector General released a report on Wednesday documenting problems with the National Driver Register, a federal database of driving convictions used by state departments of motor vehicles. The $4 million registry maintains files on motorists across the country that contain names, dates of birth, sex, heights, weights, eye colors and the details of any tickets received. About one out of five drivers -- 42 million -- is listed in the database.

The audit found the national driver's license database was filled with security holes, foremost among which was that the network through which state DMVs connect to access this information does not use any form of encryption to prevent unauthorized parties from intercepting the data.

Source -

Related - Audit of Security and Controls Over National Driver Register (Department of Transportation IG, 10/31/2007)

Oooh! This could be interesting.

Oregon Attorney General And University Of Oregon Tell The RIAA They're Not Its Free Investigators

from the can't-just-push-around-students dept

Earlier this year, the RIAA began to focus many of its file sharing lawsuits on college students. The RIAA incorrectly referred to it as an education campaign, when it might more accurately be described as pissing off the very people the RIAA needs to support any future business model (oops, too late for that). While the RIAA tried to force universities to just hand over the names of those it accused of file sharing, it was nice to see at least a few universities fight back. In most cases, this meant telling the RIAA to shove off, as it wasn't the university's job to help serve legal complaints. Eventually though, when subpoenas came through, most universities would hand over the info. However, it looks like the University of Oregon is taking a stand. Together with the Attorney General of Oregon, they've actually filed a motion to quash the RIAA's attempt to identify students at the school. In other words, they're not just refusing to pass on the info, they're actively pushing back against the RIAA's lawsuit.

Specifically, the Attorney General points out that with just IP addresses, it's basically impossible to identify the students that the RIAA is asking the university to hand over: "Plaintiffs' subpoena is unduly burdensome and overbroad. It seeks information that the university does not readily possess." In order for the university to figure out who was associated with those IPs, it would involve a level of investigation that isn't required (and shouldn't be required) under law. In other words, the university isn't there to be the free investigative arm of the RIAA. It doesn't get to just throw some weak evidence over the wall and tell the university to figure out who's responsible. Either it comes up with a better way to find the information itself, or it should stop filing these lawsuits. It should be interesting to see if this works... and if other universities follow suit.

Is it possible that Privacy is becoming a hot topic? (or at least a major field for lawyers?)

Google Hires Gonzales's Privacy Lawyer

Friday, November 02 2007 @ 03:53 PM EDT Contributed by: PrivacyNews News Section: Businesses & Privacy

Google added the Justice Department's chief privacy officer Jane Horvath to its growing stable of privacy lawyers in September 2007, a hire that comes as regulators are increasingly scrutinizing Google's massive data banks. Horvath joins Google a little more than a year and a half after then-Attorney General Alberto Gonzales appointed her as the first ever DOJ privacy officer in February 2006.

Source - Threat Level (blog)

Are we approaching a tipping point?

Open source gaining traction in U.S. government

According to a survey by the Federal Open Source Alliance, more than half of all U.S. government executives have implemented open-source software at their agencies

By Grant Gross, IDG News Service November 02, 2007

More than half of all U.S. government executives have rolled out open-source software at their agencies, and 71 percent believe their agency can benefit from open-source software, according to a survey.

Fifty-five percent of respondents said their agencies have been involved or are currently involved in an open-source implementation, according to the survey, commissioned by the Federal Open Source Alliance, a group pushing the use of open-source software in government. The alliance is made up of Intel, Hewlett-Packard, and Red Hat.

In addition, 29 percent of respondents who haven't adopted open-source software plan to do so in the next six to 12 months, the survey said.

"Open source is really gaining momentum in the federal marketplace," said Cathy Martin, director of public sector initiatives at HP. "It really came out loud and clear here. It was a little stronger than I even anticipated."

Wasn't this obvious?

Study Says P2P Downloaders Buy More Music

Posted by Zonk on Saturday November 03, @07:17AM from the not-all-that-kooky dept. Music Businesses The Almighty Buck Politics

An anonymous reader writes "Michael Geist posts to his site about a study commissioned by the Canadian government intended to look into the buying habits of music fans. What the study found is that 'there is a positive correlation between peer-to-peer downloading and CD purchasing.' The report is entitled The Impact of Music Downloads and P2P File-Sharing on the Purchase of Music: A Study For Industry Canada, and it was 'conducted collaboratively by two professors from the University of London, Industry Canada, and Decima Research, who surveyed over 2,000 Canadians on their music downloading and purchasing habits. The authors believe this is the first ever empirical study to employ representative microeconomic data.'"

Teaching tools

Videos Demonstrate The Complexities Of Fair Use

from the human-judgment-required dept

On Thursday, Mike noted EFF's Fair Use Principles for User Generated Video Content. I wanted to highlight the "test suite" of fair-use videos they released in concert with those principles. It's a gallery of videos that EFF thinks constitute fair use of copyrighted works. It includes a number of golden oldies that made the rounds in recent years, including "Ten Things I Hate About Commandments", a video featuring that ridiculous Nixon Peabody song, and a video about fair use constructed by splicing together short Disney Cartoon clips. [I show this one in my Web Site class Bob] It's worth noting that the law is far from settled in this area, so it's far from certain that the courts would find all of these videos to be fair use under copyright law. But in a sense, that's the point: deciding what constitutes fair use requires the exercise of human judgment. The four factors determining fair use include subjective factors like "the effect of the use upon the potential market" and "the purpose and character of the use" that simply can't be determined by an automated algorithm.

“I have an e-dream!”

China's President Hu Talks IT Warfare

Posted by Zonk on Friday November 02, @05:57PM from the reading-dilbert-in-the-trenches dept. The Military Politics IT

narramissic writes "In his keynote speech at the Communist Party Congress in October China's president Hu Jintao was specific in his references to one area of IT: defense. 'We must build strong armed forces through science and technology. To attain the strategic objective of building computerized armed forces and winning IT-based warfare, we will accelerate composite development of mechanization and computerization, carry out military training under IT-based conditions, modernize every aspect of logistics, intensify our efforts to train a new type of high-caliber military personnel in large numbers and change the mode of generating combat capabilities.'"

Surprised they haven't been doing this all along. Given the commercial applications, it's even stranger...

DARPA Looks To Adaptive Battlefield Wireless Nets

Posted by Zonk on Saturday November 03, @02:23AM from the was-a-boring-conversation-anyway dept.

An anonymous reader passed us a NetworkWorld link about an effort at DARPA to succeed in combat through networking. The idea is to keep soldiers in a position of informational superiority through a tactical radio network that would 'link' everyone together on the battlefield. "Project WAND, for Wireless Adaptive Network Development, will exploit commercial radio components, rather than custom ones, and use a variety of software techniques and algorithms, many of them only just now emerging in mature form. These $500 walkie-talkie-size radios will form large-scale, peer-to-peer ad hoc nets, which can shift frequencies, sidestep interference, and handle a range of events that today completely disrupt wireless communications ... [right now] 'The average soldier on the ground doesn't have a radio,' says Jason Redi, principal scientist for BBN's network technologies group, and the man overseeing the software work. Radios are reserved for platoon and company commanders, in part because of their cost: typically $15,000 to $20,000 each, with vehicle-mounted radios reaching $80,000."

Question: Are there “news niches” that are of little interest generally but specialists are willing to pay for? I believe so, especially if the information is easily located and “pre-analyzed.” Think Poison database – the only people who need it are those who have been poisoned (or think they have been) but they need it NOW and they are likely willing to pay for it.

Yet Another Newspaper Paywall Dropped

from the not-too-many-left dept

Newspaper paywalls keep coming down. Just a month and a half after the NY Times dropped its paywall for TimesSelect, the Sacramento Bee is freeing its Capitol Alert service. This was actually a more interesting experiment. Launched in January of this year, it wasn't (like most paywalls) about taking content from the newspaper and hiding it behind walls, but creating a separate new service for political insiders. It was pricey, but the idea is that it would be worth it for folks like lobbying firms as it would be information that wasn't available elsewhere. Apparently, though, not enough people really were interested in paying -- especially compared to the prospect of increasing online ad revenues. So, Capitol Alert is ditching the paywall and going ad supported as of next week.

Friday, November 02, 2007

Gosh, a laptop theft. Who could have imagined such a thing?


Thursday, November 01 2007 @ 08:05 AM EDT Contributed by: PrivacyNews News Section: Breaches

As many as 20,000 current and former CUNY students are at risk of identity theft after a laptop with their names and Social Security numbers was stolen from a financial-aid office in Midtown, The Post has learned.

The potential breach angered students, who were sent letters Oct. 19 urging them to contact their credit-card companies and take other steps to protect themselves.

Source - New York Post

“We hadn't given this any thought before, but we're going to fix some of the really obvious problems sometime soon... Aren't we great managers?”

Ferris State makes changes after data is stolen

Thursday, November 01 2007 @ 02:01 PM EDT Contributed by: PrivacyNews News Section: Breaches

Ferris State University is overhauling its computer safety rules after a laptop holding the personal information of 18,000 applicants was stolen from an admission officer's car.

Leaders promised to review all procedures for gathering and storing student data, and they immediately ended the practice of allowing campus recruiters to carry students' personal information in laptops.

Source - mLive

Related. You don't have to research problems – but if you do you probably shouldn't ignore the results.

UK: Lords fume as government rejects e-crime threat

Thursday, November 01 2007 @ 06:17 PM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

Ministers are “putting their heads in the sand” over online crime and personal data security, peers from the House of Lords science and technology committee have warned.

The warning comes after the government rejected a series of recommendations made by the committee following its inquiry into personal internet security.

Source - CIO

[From the article:

The committee had tried to look ahead 10 years to take account of emerging risks, he said. “Unfortunately, the Government dismissed every recommendation out of hand, and their approach seems to solely consist of putting their head in the sand.”

Guidelines: Grasping the obvious?

Identity Theft Red Flag Guidelines Issued

Thursday, November 01 2007 @ 07:52 PM EDT Contributed by: PrivacyNews News Section: Businesses & Privacy

The 2003 FACTA Act directed federal regulators to issue identity theft guidelines on "red flags" and address discrepancies (identity thieves often use an address other than the consumer's because having credit cards, for example, sent to the consumer-victim will usually do the thief little good). The guidelines have finally been issued.

Source - Consumer Law & Policy Blog

Related - OCC Guidelines

[The guidelines can be found here.

OCC rules are here: all 256 pages of them. Bob]

Privacy for the masses?

AOL Spreads Its Privacy Education Program

Submitted by David A. Utter on Thu, 11/01/2007 - 06:10.

AOL announced a program that will help Internet users understand behaviorally targeted advertising, along with providing mechanisms for opting out of such targeting.

The company estimated it can reach 91 percent of the US Internet audience [What's wrong with the other 9%? Bob] with its privacy education campaign. AOL expects to display millions of public service banner ads both on its properties and on the third party sites where its advertising appears.

... AOL said Tacoda uses a Web cache technique to preserve someone's opt-out choice even if they delete their browser cookies, [So even if they don't know who you are, they know who you are? Bob] something other opt-out systems cannot currently do. They may offer licenses of the technology on a royalty-free basis for use exclusively in consumer privacy protection programs.

... This position should have interesting implications for AOL's billion-dollar relationship with Google, which provides search and advertising for AOL. Google could be hard-pressed to explain opposition to using such an opt-out mechanism, unless they have something similar planned for their DoubleClick purchase.

Is this better than a Class Action suit?

FCC urged to stop Comcast Internet blocking

Posted by Marguerite Reardon November 1, 2007 11:41 AM PDT

Members of the Coalition and Internet scholars from Harvard, Yale and Stanford law schools filed a petition and complaint with the Federal Communications Commission Thursday in response to claims that Comcast is blocking some kinds of peer-to-peer traffic.

The complaint comes after the Associated Press discovered, based on its own testing, that content was blocked on several Comcast broadband connections using the peer-to-peer file sharing network BitTorrent. Other Comcast users have also complained that their BitTorrent content has been blocked.

In their petition, the groups claim that Comcast is violating the FCC's Internet Policy Statement, which essentially states that consumers are entitled to access all applications, services and content of their choice. A footnote to the policy acknowledges that Internet service providers are able to engage in "reasonable network management."

Concast certainly takes it seriously (and vindictively)

Comcast Hunts BitTorrent Memo Leaker

According to an inside source, Comcast is trying to hunt down who leaked the internal BitTorrent memo to us last week. The rumor is that they're interrogating supervisors and then customer service representatives. Memos regarding the dire consequences of providing internal information to the press are being distributed.

Does this have implications in the “unlimited” use of the Internet debate?

Seagate Offers Refunds on 6.2 Million Hard Drives

Posted by CowboyNeal on Friday November 02, @04:55AM from the making-things-right dept. Data Storage The Almighty Buck Hardware

An anonymous reader writes "Seagate has agreed to settle a lawsuit that alleges that the company misled customers by selling them hard disk drives with less capacity than the company advertised. The suit states that Seagate's use of the decimal definition of the storage capacity term "gigabyte" was misleading and inaccurate: whereby 1GB = 1 billion bytes. In actuality, 1GB = 1,073,741,824 bytes — a difference of approximately 7% from Seagate's figures. Seagate is saying it will offer a cash refund or free backup and recovery software."

It should be easy to link a bunch of these “guidelines” together with a bit of description and become an instant “expert” in the Identity Theft Remediation field...

November 01, 2007

Consumers Union Online Guide to ID Theft Safeguards

Press release: "Starting November 1, consumers in all 50 states will be able to freeze access to their credit files at all three major credit bureaus to prevent identity thieves from opening fraudulent accounts in their names. By that date, all three major credit bureaus will offer “security freeze” protection to all consumers living in the eleven states that have not passed laws requiring it and the five states that currently limit this protection to identity theft victims. To help consumers learn how to take advantage of this powerful identity theft safeguard, Consumers Union, the nonprofit publisher of Consumer Reports, is making available online an updated Guide to Security Freeze Protection."

It is hard to protect yourself from religious fanatics. (No chance they'll ever collect this award)

Federal jury orders military funeral protesters to pay $11M to father of Marine

Thursday, November 01 2007 @ 07:57 AM EDT Contributed by: PrivacyNews News Section: In the Courts

A federal jury awarded the father of a fallen Marine almost $11 million in damages Wednesday for harm caused by a Kansas Christian fundamentalist church's protests at his son's funeral. ... The jury ordered the defendants to pay $2.9 million in compensatory damages for violations of Snyder's privacy, $2 million for intentional infliction of emotional distress, and an additional $6 million in punitive damages.

Source - JURIST

Tracking down outlandish statements by the bureaucrats – is nothing sacred any more?

November 01, 2007

ALM Corporate Fraud Data Base

Corporate Fraud Data Base: "Last spring, as the five-year anniversary of the Corporate Fraud Task Force approached, The American Lawyer set out to review its record of fraud prosecution. This turned out to be a difficult undertaking. The U.S. Department of Justice, after repeated inquiries, finally explained that it collects its statistics from individual U.S. attorney’s offices and does not maintain a centralized record of the corporate fraud cases that produced the 1,236 convictions cited by then–attorney general Alberto Gonzales at the task force’s anniversary celebration last July. So we developed our own database of significant corporate fraud prosecutions. In this we were guided by the Corporate Fraud Task Force Web site, which identified about 80 investigations deemed important by the Justice Department. We added criminal cases cited in reports published by the task force, as well as more recent prosecutions mentioned by Justice Department officials in speeches or testimony. In all, we analyzed 124 corporate fraud investigations, which resulted in 440 indicted defendants. Our sources were publicly available case records, as well as interviews with hundreds of prosecutors and defense lawyers. This database contains information about when and where these 440 cases were brought, the lawyers on both sides, and how the cases turned out. In all, we believe the database provides a historic portrait of corporate fraud prosecution in the post-Enron age."

Seems worse than the casual downloading of “free” music. Another indication that management is not in control of their business?

EMI Caught Offering Illegal Downloads

Posted by Zonk on Thursday November 01, @09:52PM from the dirty-dealings dept. Music Businesses The Internet

Hypocricy, LLC writes "While the RIAA is swift to punish any person caught offering illegal downloads, they're not very swift with outrage when a member company like EMI offers illegal downloads. Not only did the band King Crimson's contract never allow digital distribution to begin with, but band member Robert Fripp claims that EMI offered their music for sale even after their contract ended entirely."


Blogger Wins 1.5 Year Legal Battle

Posted by Zonk on Wednesday October 31, @04:44PM from the fighting-the-good-fight dept. Censorship The Internet The Media

FixYourThinking writes "After nearly one and a half years of harassment from a relentless attorney, it seems that quietly a blogger in South Carolina has won a monumental ruling in favor of bloggers. In a summary judgment requested by the Defendant, Philip Smith was able to obtain a special sanction after the Plaintiff attorney put a 'notice of lien' (called lis pendens) on Smith's residence. The judge also reprimanded the Plaintiff attorney for abusive deposition and court procedure. The case set forth the following: 'It's not the format; it's the content and intention that make text journalism / reporting.'"

I just love the headline...

Sign of the Apocalypse? Wal-Mart Sells Linux PCs

By Peter Svensson AP 11/01/07 4:00 AM PT

Wal-Mart Stores sold Linux computers online -- but not in stores -- starting in 2002 at prices as low as $199. Computers from several manufacturers were available for several years but they didn't find much of a market, and they're gone now. The variant of Linux on the gPC is called "gOS" and is derived from the popular Ubuntu variant. It's heavily oriented toward Google's Web sites and online applications.

For an English teacher I know... Writing with consequence.

Students Assigned to Write Wikipedia Articles

Posted by CowboyNeal on Friday November 02, @01:53AM from the term-papers-that-live-on dept. Education The Internet

openfrog writes "An inspired professor at University of Washington-Bothell, Martha Groom, made an interesting pedagogical experiment. Instead of vilifying Wikipedia as some academics are prone to do, she assigned the students enrolled in her environmental history course to contribute articles. The result has proven "transformative" to her students. They were no longer spending their time writing for one reader, says Groom, but were doing work of consequence in a "peer reviewed" environment, which enhanced the quality of their output."

Thursday, November 01, 2007

Large lists of applicants are important recruiting tools because...

MI: Ferris applicants' information on stolen laptop

Wednesday, October 31 2007 @ 12:53 PM EDT Contributed by: PrivacyNews News Section: Breaches

A laptop holding some personal information of 18,000 applicants to Ferris State University was stolen from an admissions officer's car in the Chicago area, the school revealed today.

... The laptop included applicants' names, addresses, telephone numbers, dates of birth, e-mail addresses and academic information. The computer did not have financial information, social security numbers, driver's license data or credit card numbers, the school said.

The computer was stolen from a locked car used by an admissions official who was in Chicago for student recruiting events, according to the school.

Source - mLive

Related - Ferris State University incident web site

Ohio follow-up “We lost your data. Pay us!”

(update) OH: Contractor agrees to pay part of state data-theft cost

Wednesday, October 31 2007 @ 02:48 PM EDT Contributed by: PrivacyNews News Section: Breaches

A state contractor has agreed to pay $300,000 to help defray the estimated $3 million cost related to the theft of a computer back-up tape containing Social Security numbers and other sensitive information.

Compuware Corp., which worked on the state's new payroll and accounting system, is making the payment in part in response to the theft from a state intern's car and for ongoing support of the project, according to an Oct. 18 agreement released today.

Source - The Columbus Dispatch

I doubt this will gain any traction...

Banks neglect responsibility for data breaches, some say

Wednesday, October 31 2007 @ 02:50 PM EDT Contributed by: PrivacyNews News Section: Breaches

Security experts say banks that are suing TJX Cos. Inc. over the data breach that compromised more than 94 million credit card accounts should accept more of the blame for what happened. By requiring that merchants store credit card transaction records for up to 18 months, they say, banks are putting companies like TJX at heightened risk of attack.

Others debunk that assessment, saying there's confusion over the storage rules and that TJX and other merchants opened themselves up to network break-ins by failing to institute well-rounded security policies.

Source -

Let the government show you how they don't do it...

Guides on Sharing Information Released

Wednesday, October 31 2007 @ 08:30 AM EDT Contributed by: PrivacyNews News Section: Minors & Students

U.S. Education Secretary Margaret Spellings yesterday released what she called "user-friendly" guidelines to help educators and parents interpret federal privacy laws in an initiative prompted by the mass shooting at Virginia Tech.

... The Education Department released three brochures on the law: one for K-12 educators, one for colleges and one for parents. ['cause different ages got different rights. Bob] They will be sent to schools, school boards and education associations.

Lawmakers are also considering revising the privacy law. Rep. Tim Murphy (R-Pa.) has introduced legislation to allow school officials to contact parents if a student is considered suicidal or a threat to attack someone.

Source - Washington Post

Since all email involves a third party (who can read the email) is email automatically bad for lawyer-client communications? Does that change if you encrypt?

Email Security and Privacy: NY Hospital Retention Ruling Points Out Importance of Policies and Awareness

Wednesday, October 31 2007 @ 12:04 PM EDT Contributed by: PrivacyNews News Section: In the Courts

On October 17, 2007, there was a very interesting ruling regarding a doctor's email communications sent to an attorney and the associated attorney privilege. In the matter of Scott v Beth Israel Med. Ctr. Inc. the New York Supreme Court found that the doctor's email messages to his attorneys using the hospital network were not privileged and could be retained by the hospital even though the doctor wanted the hospital to stop retaining his messages and delete all emails related to his communications with his lawyers.

Source - Realtime IT Compliance (blog)

Everything you ever wanted to know about privacy?

October 31, 2007 2:22 PM PDT

Google launches privacy channel on YouTube

Posted by Elinor Mills

Google launched a privacy channel on YouTube Wednesday with videos explaining its privacy policies. The move comes on the eve of a two-day Federal Trade Commission-hosted town hall event on behavioral ad targeting to be held in Washington, D.C.

Yeah, but what if...

Experts skeptical of alleged Nov. 11 cyber jihad

DEBKAfile is reporting that numerous al-Qaeda-affiliated hackers are planning a massive DDOS-style attack for November 11, but security experts are unconvinced

By Robert McMillan, IDG News Service October 31, 2007

Security experts are saying that a reported al-Qaeda cyber jihad attack planned against Western institutions should be treated with skepticism.

Still going...

Grokster Case Lumbers On; Judge To Issue Permanent Injunction

October 17th, 2007 by Ed Felten

Remember the Grokster case? In which the Supreme Court found the filesharing companies Grokster and StreamCast liable for indirect copyright infringement, for “inducing” infringement by their users? You might have thought that case ended back in 2005. But it’s still going on, and the original judge just issued an interesting ruling. (Jason Schultz has a two part summary of the ruling.)

Normalizing infringement?

EFF: Copyright owners think twice before pulling YouTube clips

Posted by Greg Sandoval October 31, 2007 11:43 AM PDT

Everybody knows that copyright owners can demand that YouTube and other Web sites remove unauthorized copies of their work under the law. But what happens when the owners of intellectual property err in their claims?

On Wednesday, the Electronic Frontier Foundation (EFF), a group that advocates for the rights of Internet users, issued six principles that copyright holders should consider before trying to remove a piece of content.

Do you see any value to this approach?

Perspective: How we went wrong on identity

Steven Gal says the current ID infrastructure has left consumers annoyed and feeling victimized, and needs to be completely re-engineered.

By Steven Gal Published: November 1, 2007, 4:00 AM PDT

After years working on identity and its protection, I've concluded that our identity infrastructure is fundamentally broken--and the Web is what ultimately broke it.

Always some good stuff...

October 31, 2007

New on for October 2007

Should be interesting.

US Voting Machines Standards Open To Public

Posted by samzenpus on Wednesday October 31, @11:29PM from the now-you-can-see-it-coming dept. United States Politics

Online Voting writes "The U.S. Election Assistance Commission has published new voting systems testing and certification standards for 190 days of public comment. For all the critics of electronic voting, this is your opportunity to improve the process. This will be the second version of the federal voting system standards (the first version is the VVSG 05). To learn more about these Voluntary Voting System Standards see this FAQ."

Reputation Repair will be a profitable consultancy...

Ten Ways to Avoid a Google Reputation Management Nightmare

Wednesday, October 31st, 2007; -- Andy Beal |

Google is no longer just a search engine. With your potential customers, future employers, and members of the media turning to Google for information about your business, Google has become a reputation engine.

Amusing, but some interesting comments on the Conference.

What’s Wrong With This Picture? Star Trek Lessons for e-Discovery

... According to Dan Regard, one of the keynote speakers at the Masters e-Discovery Conference in Washington D.C. last week, Star Trek has an important lesson to teach to e-discovery: bring the engineers onto the bridge and make IT an integral part of your core e-discovery team.

Just a thought. If you are serious, shouldn't you be trying any/all ways to win? (Strategy 101)

Published: 06:13 EST, October 31, 2007

Scientists treat cancer as an infectious disease -- with promising results

Researchers at the Albert Einstein College of Medicine of Yeshiva University have shown for the first time that cancers can be successfully treated by targeting the viruses that cause them. The findings, published in the October 31 issue of PloS One, also raise the possibility of preventing cancer by destroying virus-infected cells before they turn cancerous.

A look-alike competitor for ZamZar

Movavi Online

Movavi Online is a multi-feature online video conversion tool.

Wednesday, October 31, 2007

Hey! We're looking out for you!

Hartford Financial misplaces back-up tapes with personal data on policy holders

Some 237,000 may be affected in the breach

Jaikumar Vijayan

October 30, 2007 (Computerworld) -- The Hartford Financial Services Group Inc. has notified about 237,000 policy holders of a potential compromise of their personal data.

The warning followed the loss of three backup tapes [There is no reason to have tapes. Backups can be sent electronically. Bob] containing the names, addresses, Social Security numbers and driver's license numbers of customers of the company's personnel lines claims center. The tapes were discovered to be missing on Sept. 27.

So far, there is no evidence that the tapes were stolen or that the information has been misused, a company spokeswoman said. Hartford Financial Services has no idea if the tapes were misplaced while in transit to another location or if they went missing inside the company. But the information contained on them could only be read with "the use of sophisticated and expensive equipment," she added. [Or you could have a “service” convert the tape to DVD for about $20 Bob]

... The Hartford breach is similar to scores of others [suggesting it could have been anticipated and avoided... Even without my class. Bob] in recent years involving the loss or theft of computers and media containing sensitive personal data. Security analysts have recommended that companies use encryption to mitigate potential data loss in such situations. Many companies that have been reluctant to do so because of cost concerns end up paying significantly more in notification and other costs when a breach occurs, analysts have previously noted.

We didn't encrypt. We didn't know what was on the laptop. We're USPS managers!

USPS Stolen Laptop Held Hawaii Employee Information

Tuesday, October 30 2007 @ 08:08 AM EDT Contributed by: PrivacyNews News Section: Breaches

About 3,000 Oahu postal employees received letters in the mail this weekend warning them that their personal information may be compromised.

The employees' names, Social Security numbers and other information were on a laptop computer that was stolen in August.

... "It took so long to notify our employees because it took that long for investigators to determine that one file out of the thousands that were on the laptop contained personal identifying information.

Source - KITV

[From the article:

"It took so long to notify our employees because it took that long for investigators to determine that one file out of the thousands that were on the laptop contained personal identifying information. As soon as the one file was discovered, the notification process began," Gonzalves said.

This may become a trend. It is a quick, inexpensive way for a politically ambitious DA (is there any other kind?) to gain attention. Sort of like shooting fish in a barrel, but with media coverage.

KY: Attorney general: Many businesses aren’t protecting personal records

Tuesday, October 30 2007 @ 02:26 PM EDT Contributed by: PrivacyNews News Section: Breaches

Attorney General Greg Stumbo displayed a large table of records Tuesday with personal information including Social Security numbers and medical information that his investigators had recovered from the trash of 121 businesses chosen at random in Lexington, Frankfort, Florence and Louisville.

... Stumbo said 33 of the 121 businesses [probably on one day... Bob] threw more than 500 records containing personal information about more than 1,250 people into publicly accessible trash receptacles.

Fourteen of those businesses tossed out more sensitive information about nearly 1,000 people, he said.

Source -

An old (pre-Internet?) scam was to send “subscription renewal invoices” to managers, many of whom would automatically forward them for payment. This sounds similar, but with higher dollar amounts. Probably looking for one score and out. (Is $10,000,000 enough to retire in Brazil?)

Phishing Scammers Convince Grocery Store To Give Them $10 Million

from the the-big-phish dept

By now, most people are familiar with how phishing scams work, usually preying on individuals and tricking them into handing over data that allows the scammers access to bank accounts or other useful info. However, scammers have been aiming a bit higher lately. One tactic is commonly referred to as "spear phishing," where scammers focus on business targets, and attempt to convince them that they're actually coming from partners or suppliers. Apparently one such spear phishing attempt nearly worked to the tune of $10 million. The scammers sent two emails [Perhaps each made the other look valid? Bob] to someone at the headquarters of the supermarket chain Supervalu, purporting to be from Supervalu suppliers American Greetings and Frito-Lay. Both emails claimed that their bank account info had changed and Supervalu now needed to deposit payments into different accounts. Someone at Supervalu followed the instructions, leading approximately $10 million to be deposited into the two accounts over a period of about 4 days. At this point, someone from Supervalu figured out there was a problem and alerted the authorities, who were then able to recover most of the money before the scammers withdrew it. However, it appears that no one has yet figured out who opened the accounts, though Supervalu has filed a lawsuit in order to try to get that information.

Useful! Find the original quote (“Yes they stole some credit card data, but certainly not millions.”) and compare it to the facts (94 Million accounts)

October 29, 2007

Guide to Finding Old Web Pages

Greg R. Notess updated his guide, Finding Old Web Pages: "The Web changes constantly, and sometimes that page that had just the information you needed yesterday (or last month or two years ago) is not available today. At other times you may want to see how a page's content or design has changed. There are several sources for finding Web pages as they used to exist. While Google's cache is probably the best known, the others are important alternatives that may have pages not available at Google or the Wayback Machine plus they may have an archived page from a different date. The table below notes the name of the service, the way to find the archived page, and some notes that should give some idea as to how old a page the archive may contain."

Mothers: Give your children a leg up on the 2048 presidential campaign. Get them involved in “poster child” litigation as toddlers!

Mother protects YouTube clip by suing Prince

Posted by Greg Sandoval October 30, 2007 12:25 PM PDT

The pop star wanted YouTube to remove a clip of an infant boy dancing to his 1984 hit song "Let's Go Crazy." When the clip got scrubbed, the baby's mother cried foul and filed suit asking for damages. The woman's lawyers at the Electronic Frontier Foundation (EFF) say the dancing-baby clip is the poster child for fair use.

[Naturally, the 30 second video clip is available with the article and I wonder how anyone identified the song. Bob]

An indication the dominoes are starting to fall?

Australian agency won't block Google-DoubleClick deal

Tuesday, October 30 2007 @ 05:02 PM EDT Contributed by: PrivacyNews News Section: Businesses & Privacy

The Australian Competition and Consumer Commission (ACCC) said today that it will not stand in the way of Google Inc.'s proposed acquisition of online advertising company DoubleClick Inc.

Source - Computerworld

Will articles like this encourage anyone to speed up their nets? Unlikely.

Is U.S. Stuck in Internet's Slow Lane?

By PETER SVENSSON AP Technology Writer Oct 30, 6:34 PM EDT

NEW YORK (AP) -- The United States is starting to look like a slowpoke on the Internet. Examples abound of countries that have faster and cheaper broadband connections, and more of their population connected to them.

... In a move to get a clearer picture of where the U.S. stands, the House Energy and Commerce Committee on Tuesday approved legislation that would develop an annual inventory of existing broadband services - including the types, advertised speeds and actual number of subscribers - available to households and businesses across the nation.

... In South Korea, for instance, the average apartment can get an Internet connection that's 15 times faster than a typical U.S. connection. In Paris, a "triple play" of TV, phone and broadband service costs less than half of what it does in the U.S.

The Organization for Economic Co-operation and Development - a 30-member club of nations - compiles the most often cited international comparison. It puts the U.S. at 15th place for broadband lines per person in 2006, down from No. 4 in 2001.

On the Net: Columbia Institute for Tele-Information:

A nice short summary of what you can log (right out of the box) if you choose to... Still current Of course, then you have to actually look at the logs, but the article points you to tools to automate that process.

SolutionBase: Creating an effective audit policy for your organization

by Guest Contributor | Jun 19, 2006 Tags: Brien M. Posey MCSE

Logon events

... what is more important than knowing who is using your system and who has attempted to use your system?

Object access

... the most important type of auditing for file servers. The basic idea is that you can use object access auditing to watch over specific files and folders to see who is accessing them and when.

Account management

... refers to auditing the creation and modification of user accounts.

Policy change

... policy change auditing logs things like changes to user rights. Knowing when user rights change is definitely important, but more important is the fact that auditing policy changes helps to keep administrators honest. Think about it for a second. If you wanted to perform some sort of unauthorized administrative task, what's the first thing that you would do? Disable auditing? Well, disabling (or re-enabling) auditing is a type of policy change.

System events

Auditing system events creates an audit log entry any time the system is rebooted or when you do something that "affects the system security or security log" (in Microsoft's words).
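The five audit categories above only pay off if someone actually reads the resulting Security log, and the article's own point about "keeping administrators honest" is a detection rule waiting to be written. The following is an added example, not code from the TechRepublic article: it sorts constructed Security-log lines into those categories, flags a burst of failed logons, and flags the "change the audit policy, then clear the log" pattern. The event IDs assumed are the Vista/Server 2008-and-later Security-log IDs (4624/4625 logon, 4663 object access, 4720 account created, 4719 audit policy changed, 1102 log cleared, 4608 startup); the older 3-digit IDs from the 2006 era differ, and the `timestamp|event_id|user|detail` line format and all sample events are constructed for the example.

```python
"""Triage Windows Security-log events by the audit categories discussed above.

Added example, not from the original article. Event IDs are the post-Vista
Security-log IDs (assumption; the 2003-era 3-digit IDs differ). The sample
log and its pipe-delimited format are constructed for this example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Map event IDs onto the article's five audit categories.
CATEGORY_OF_EVENT = {
    4624: "logon", 4625: "logon",
    4663: "object_access",
    4720: "account_management", 4726: "account_management",
    4719: "policy_change", 4704: "policy_change",
    1102: "system",   # the audit log was cleared
    4608: "system",   # Windows is starting up
}

# Constructed sample events: timestamp|event_id|subject_user|detail
SAMPLE_LOG = r"""2007-10-29 08:01:10|4624|alice|Logon Type 2
2007-10-29 08:01:44|4663|alice|Read \\srv\hr\payroll.xls
2007-10-29 08:02:05|4625|mallory|Bad password
2007-10-29 08:02:09|4625|mallory|Bad password
2007-10-29 08:02:12|4625|mallory|Bad password
2007-10-29 08:02:15|4625|mallory|Bad password
2007-10-29 08:02:19|4625|mallory|Bad password
2007-10-29 08:02:22|4625|mallory|Bad password
2007-10-29 09:10:00|4624|bob_admin|Logon Type 10
2007-10-29 09:11:30|4719|bob_admin|Audit policy changed: Object Access success removed
2007-10-29 09:12:02|4720|bob_admin|Created account svc_backup2
2007-10-29 09:15:40|1102|bob_admin|The audit log was cleared
2007-10-29 18:00:00|4608|SYSTEM|Windows is starting up
"""


def parse_log(text):
    """Parse the constructed line format into event dicts, in file order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, detail = line.split("|", 3)
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "id": int(eid), "user": user, "detail": detail})
    return events


def categorize(events):
    """Count events per audit category; IDs not in the map land in 'other'."""
    counts = Counter()
    for ev in events:
        counts[CATEGORY_OF_EVENT.get(ev["id"], "other")] += 1
    return counts


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Users with at least `threshold` failed logons (4625) inside `window`."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["id"] == 4625:
            by_user[ev["user"]].append(ev["time"])
    flagged = set()
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(user)
                break
    return flagged


def audit_tampering(events, window=timedelta(minutes=10)):
    """The 'disable auditing first' pattern: the same subject changes the audit
    policy (4719) and clears the log (1102) within `window`."""
    alerts = []
    changes = [ev for ev in events if ev["id"] == 4719]
    for clear in (ev for ev in events if ev["id"] == 1102):
        for pc in changes:
            gap = clear["time"] - pc["time"]
            if pc["user"] == clear["user"] and timedelta(0) <= gap <= window:
                alerts.append((clear["user"], pc["time"], clear["time"]))
    return alerts


def triage(text):
    """Run all three checks over a log and return the findings together."""
    events = parse_log(text)
    return {"categories": categorize(events),
            "logon_bursts": failed_logon_bursts(events),
            "audit_tampering": audit_tampering(events)}


if __name__ == "__main__":
    for name, result in triage(SAMPLE_LOG).items():
        print(f"{name}: {result}")
```

The tampering rule is deliberately narrow (same subject, policy change before log clear, short window) so that routine administration does not page anyone; in practice 1102 on its own deserves a look, and the categories map is where the older 3-digit IDs would be added for a 2003-era domain.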

Interesting student paper for us news-o-philes...

CASCADES project: Cost-effective Outbreak Detection in Networks.

by Jure Leskovec, Andreas Krause, Carlos Guestrin, Christos Faloutsos, Jeanne VanBriesen and Natalie Glance SCHOOL OF COMPUTER SCIENCE, CARNEGIE MELLON UNIVERSITY

Blog rankings

Rankings are based on the following question: Which blogs should one read to be most up to date, i.e., to quickly know about important stories that propagate over the blogosphere?

Winner of the Best Student Paper Award. [PDF] [extended version with proofs] [PowerPoint] [Presentation video]

Tuesday, October 30, 2007

Attention hackers!

Privacy, Personal Information At Risk On Campuses

Monday, October 29 2007 @ 11:55 AM EDT Contributed by: PrivacyNews News Section: Breaches

A survey by CDW Government of 151 higher education IT directors and managers shows that there has been little progress in improving data security.

... It reveals that, despite increased attention to better IT security in higher education, there has been little progress. The report concludes that less than half of campus networks are safe from attack, with 58% reporting at least one security breach in the last year. Data loss or theft has increased 10% in the last year, up to 43%, according to the CDW-G. That includes loss or theft of staff and student personal information.

Source - InformationWeek

Because they're better at it than I am...

Data “Dysprotection:” breaches reported last week

Monday, October 29 2007 @ 07:42 AM EDT Contributed by: PrivacyNews News Section: Breaches

A recap of incidents or privacy breaches reported last week for those who enjoy shaking their head and muttering to themselves with their morning coffee.

Source - Chronicles of Dissent

Oh, the horror!

Researching British Family History No Longer Possible With Paper Records

from the looking-through-the-past dept

Though genealogy is one of the most popular activities on the Internet, family historians in the UK are used to going to the Family Records Centre in London and doing research the old fashioned way, by looking through the written records of births, deaths and marriages. So, their decision to cease all access to paper records this weekend has caused quite an uproar amongst researchers. The records are still available via microfiche, but researchers claim that the microfiche is illegible for many of the records on file. The project to provide online access to all of the records is slated to complete sometime in mid-2009, but that timeline, as with most IT projects, could slip further. The question remains though, while searching through the records may be aided with its digitization -- the project will create an online index of 250 million births -- how accurate will the digitized data be? The paper records are being stored permanently in Christchurch, so the project, outsourced to India, is using the same illegible microfiche currently available in place of the paper versions. Or, perhaps the researchers will find that the ease of use afforded by online technologies will actually lead to them finding data more easily, which not only make their jobs easier, but also expose many more people to the joys of researching their pasts.

Always un-amusing

October 29, 2007

FTC Releases Consumer Fraud Survey

Press release: "The Federal Trade Commission today released a statistical survey of fraud in the United States that shows that 30.2 million adults – 13.5 percent of the adult population – were victims of fraud during the year studied. More people – an estimated 4.8 million U.S. consumers – were victims of fraudulent weight-loss products than any of the other frauds covered by the survey. Fraudulent foreign lottery offers and buyers club memberships tied for second place in the survey. Lottery scams occur when consumers are told they have won a foreign lottery that they had not entered. Victims supplied either personal information such as their bank account numbers or paid money to receive their “winnings.” In the case of buyers clubs, victims are billed for a “membership” they had not agreed to buy. An estimated 3.2 million people were victims of these frauds during the period studied."

As we predicted...

Daylight Savings Day Massacre... Part II

from the not-so-bad... dept

Back in the spring time, we noted how there was a lot of hype coming in the press about how the change in when Daylight Saving Time started would be just like another Y2K. In the end, it turned out to be pretty much exactly like Y2K: a lot of hype, a few minor issues that were easily taken care of and no major problems. Given that, it appears the press didn't bother to whip everyone up into a frenzy for this past weekend, which is when the latest time shift would have happened if Congress hadn't changed the schedule. In fact, we hadn't heard anything at all, but it didn't seem to change the results. Joseph Beck writes in to let us know of assorted minor time change problems including screwed up parking meters. In other words, basically the same totally minor problems that happened in the spring... or in years past when people simply forgot to change their clocks. My cell phone was among those that got the time shift wrong, but it wasn't too difficult to figure out the problem and fix it Sunday morning when I noticed it had the wrong time. So, basically, hype or no hype, every time there's a time change, there are going to be a few minor problems, but it's no "aclockalypse now".

[There is a video... Bob]

For my Business Continuity students

Pandemic Planning at the Community Level: Online Database

29th October 2007

There’s a new Web site devoted to bringing together community-level practices for dealing with public health emergencies. At the moment that site has over 130 practices from four countries, 22 states, and 33 counties. It’s available at .

Monday, October 29, 2007

Is this how everyone will handle data spills (since TJX was so successful)'s Website Hacked; Customers Alerted Of Possible Identity Theft

October 28, 2007 11:08 a.m. EST Harriette Cecilio - AHN News Writer

Emeryville, CA (AHN) - An online retailer of posters, prints and framed art on Saturday alerted customers that hackers had gotten into website to access credit card accounts. But the company offered assurances that it has beefed up security to avoid future attacks. [Translation: Current customers are screwed... Bob], which operates websites including and, said it is investigating the intrusion and asked its clientele to be more vigilant. [Translation: You are probably going to be screwed again Bob]

The chief said the cyberspace criminals gained systems entry despite "multiple security layers" [Translation: Our Captain Midnight Decoder Ring never let us down before Bob] and accessed some credit card transaction from July to September.

"To date, the company is unaware of any unauthorized use of those credit card numbers [Translation: Since we haven't told you before today, only psychics would know who to complain to. Bob] or any attempted identity theft related to the intrusion," a company statement said.

Wow almost a penny per stolen account! That's socking it to 'em

Visa fines bank after losses in TJX breach

By Ross Kerber, Globe Staff October 29, 2007

Visa USA issued $880,000 in penalties against a bank that processed transactions for TJX Cos., after an investigation of a computer hacking incident at the retailer.

Very interesting article with a Colorado connection. Also a “How to” for prospective laptop thieves.

Here's how a slick laptop thief was foiled in Tampa

Smart, shrewd, determined. A serial thief was portrayed as all these. Here's how his alleged crime spree unraveled after a stop in Tampa.

By Scott Barancik, Times Staff Writer Published October 28, 2007

... Almly, of course, was not interested in the laptops' contents, and Outback had an ace up its sleeve. Nine of its 11 stolen laptops had been equipped with security software that transmits a stolen computer's physical location the moment a thief accesses the Internet with it.

See why I recommend full disk encryption? This makes it simpler for the iPhone, but riskier for the consumer.

Tip: iPhone - Buried File Contains Personal Data

By James Alan Miller October 26, 2007

Those who've hacked their iPhone for disk access—a default feature for the iPod, by the way—have the chance to look at a dynamic-text.dat file located in /var/root/Library/Keyboard. The file contains personal words not in the default dictionary, even passwords, in apparently easy-to-read text. Doesn’t seem very secure or private, does it? As points out, you may want to keep a close eye on this file, since it contains information you’ll likely want to keep away from prying eyes.

Would that extend to computers (anything) purchased with stolen credit cards? Seems logical to me.

No privacy right on a stolen computer, judge rules in child pornography case

By Janine Anderson Journal Times Friday, October 26, 2007 11:39 PM CDT

RACINE — A Racine County Circuit Court judge ruled Friday that an accused thief did not have an expectation of privacy to the contents of the allegedly stolen laptop, allowing prosecutors to continue with 27 charges of possession of child pornography in addition to the retail theft charge.

At night, they send in these little mechanical spiders to photograph your home. When they get the cameras small enough, they'll add them to the water supply and photograph your small intestines, then your DNA...

EveryScape brings 3D map views inside buildings

Posted by Elinor Mills October 28, 2007 9:01 PM PDT

The online mapping stuff just keeps getting better.

A company called EveryScape is launching on Monday a three-dimensional local search site that lets people "drive" down streets and even "walk" into buildings.

If you thought Google's Street View was cool, wait until you see how you can ski down the slopes in Aspen, Colorado, or whiz over taxicabs and pedestrians through the streets of New York, Boston, and Miami. The inside views of buildings are only available in Miami and Aspen right now.

... You can see a demo video of EveryScape here.

No privacy anywhere? Too obvious? Is there anyone who doesn't realize this?

Who's using your personal information?

James Munson Opinions Editor October 25, 2007

For many US schools, this warning comes too late.

UK Schools Warned Off Microsoft Deal

Posted by kdawson on Sunday October 28, @07:12PM from the do-not-sign-on-that-dotted-line dept.

rs232 sends in a BBC piece on the UK computer agency Becta advising schools against signing up for a Microsoft educational license because of alleged anti-competitive practices. "The problem was that Microsoft required schools to have licenses for every PC in a school that might use its software, whether they were actually doing so or running something else." We have discussed Becta's role in British education here several times as they have acted as a watchdog warning of perceived Microsoft excesses.

Are you insecure?

Test your email program

Posted by Michael Horowitz October 28, 2007 4:36 PM PDT

My last posting, Defending against a phishing email message, described a JavaScript trick bad guys use to make a link appear to go one place when it really goes somewhere else.

So that you can test if your email program (or webmail system) falls for this type of forgery, I created a test email message.
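The trick the post refers to is that the text a reader sees in a link and the place the link actually goes are two separate things: the visible text can be one URL while the `href` points elsewhere, a `javascript:` href or an `onclick`/`onmouseover` handler can redirect or rewrite the status bar, and a mail client that trusts any of those is the one that "falls for" the forgery. The following is an added example, not the post's test message or code: it pulls every anchor out of an HTML body and reports the three conditions above. The sample message, its hostnames (`www.examplebank.test`, `203.0.113.7`) and the scoring rules are constructed for the example; they are not drawn from the post.

```python
"""Report e-mail links whose visible text and real destination disagree.

Added example, not code from the original post. Three checks per <a>:
a javascript: href, any on* script-handler attribute, and visible text
that looks like a URL whose host differs from the href host. The sample
message below is constructed; the hosts in it are documentation/test names.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing body (not a real message).
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account:</p>
<a href="http://203.0.113.7/login">https://www.examplebank.test/secure</a><br>
<a href="javascript:void(0)" onclick="window.location='http://203.0.113.7/x'">Click here</a><br>
<a href="https://www.examplebank.test/help"
   onmouseover="window.status='https://www.examplebank.test'; return true">https://www.examplebank.test/help</a><br>
<a href="https://www.examplebank.test/contact">Contact us</a>
"""

_URL_LIKE = re.compile(r"(https?://|www\.)\S+|[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?")


class _LinkCollector(HTMLParser):
    """Collect (attributes, visible text) for every <a>...</a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # (attrs, text chunks) of the open anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = (dict(attrs), [])   # attr names arrive lowercased

    def handle_data(self, data):
        if self._current is not None:
            self._current[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            attrs, chunks = self._current
            self.links.append((attrs, "".join(chunks).strip()))
            self._current = None


def _host(url):
    """Lower-cased hostname of a URL; bare 'www.x.y/..' text gets a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _looks_like_url(text):
    return bool(_URL_LIKE.fullmatch(text.strip().lower()))


def suspicious_links(html_body):
    """Return [(visible_text, href, [reasons])] for anchors that fail a check."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for attrs, text in parser.links:
        href = attrs.get("href", "")
        reasons = []
        if href.strip().lower().startswith("javascript:"):
            reasons.append("javascript: href")
        handlers = sorted(k for k in attrs if k.startswith("on"))
        if handlers:
            reasons.append("script handler " + ",".join(handlers))
        if _looks_like_url(text) and not reasons[:1] == ["javascript: href"]:
            shown, real = _host(text), _host(href)
            if shown != real:
                reasons.append(f"text shows {shown} but href goes to {real}")
        if reasons:
            findings.append((text, href, reasons))
    return findings


if __name__ == "__main__":
    for text, href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href!r}: {'; '.join(reasons)}")
```

A webmail system or client that strips script handlers and shows the real `href` host on hover passes the post's test; running this check server-side over inbound mail is the same comparison done on the receiving end, and the host-mismatch rule is the one that catches the plain-HTML version of the trick that needs no JavaScript at all.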

It is the nature of commodity services to be vulnerable to niche players.

In Some Places, Local Search Beating Google

Posted by kdawson on Monday October 29, @03:03AM from the think-globally-search-locally dept.

babooo404 points out Newsweek coverage of Google focusing on areas in which the search giant may be vulnerable. In some countries outside the US, local competition is handing Google its head. In South Korea a company called Naver dominates. And in Russia, portal site Yandex leads in both search and advertising. In the Cyrillic language market Google is a distant third in search, and Yandex is trouncing Google in the advertising arena by 70% to 2%.

We now have the technology to create specialized legal (or any other discipline) archives whenever we feel the need. Ideas anyone?

Legal archive free and online

DAVID BLACK October 29 2007

If you have anything to do with the law in Scotland and have not heard of CaseCheck yet, you soon will.

The brainchild of lawyer and legal technology consultant Stephen Moore, it is an online archive covering rulings by the Scottish courts and industrial appeals tribunals that went live on October 1, and it is free.

"It's like a mini-Wikipedia for Scotland's legal community," said Moore. "And I expect the main user-base to be lawyers in private practice, claims departments, in-house lawyers and law students."

Tools & Techniques: Feedback from my security students. Remember, they do this for a living...

Top 10 Password Crackers

... open source or commercial tools on any platform. Commercial tools are noted as such in the list below. No votes for the Nmap Security Scanner were counted because the survey was taken on a Nmap mailing list. This audience also biases the list slightly toward “attack” hacking tools rather than defensive ones.

Log Analyzer

Free is good. (see next article)

25+ Sources For Creative Commons Content

October 27, 2007 — 11:17 PM PDT — by Sean P. Aune

Yesterday I complained that no one was looking for Math prodigies... I reiterate my complaint. No doubt, now every school will need to cover every sporting event with multiple video cameras and take over the computer lab for hours each day to edit the videos.

YouTube For High-School Jocks

Posted by kdawson on Sunday October 28, @08:07AM from the sports-videographers dept. The Internet Education

theodp writes "Used to be college scouts had to put in lots of miles to find a hick from French Lick. But thanks to the Internet, athletic recruiters no longer have to traipse out to actual games to find talent. The players are coming to them via links to video streamed from sports-info websites like Student-Athlete Showcase, iPlayers, and GetMyNameOut. The home-video-meets-NFL-Films highlight reels — which parents commission for a fee ranging from $300 to $5,000 — have become a standard component of college applications for jocks (as well as for aspiring actors, dancers, and musicians). One sales pitch: 'Are you willing to risk your child's potential scholarship with a homemade videotape? Remember, first impressions last forever!'"