Saturday, November 17, 2007

Rather than one lawsuit, we should have 26.5 million?

Vets can sue VA over stolen laptop

Friday, November 16 2007 @ 06:40 PM EST Contributed by: PrivacyNews News Section: Breaches

The massive VA data breach affecting 26.5 million veterans and others in May 2006 resulted in a number of lawsuits which are still working their way through the courts. Today, U.S. District Judge James Robertson ruled that lawsuits filed by veterans against the government may go forward.

A number of veterans and veterans' organizations had filed suit, seeking class action status. In today's ruling, Judge Robertson held that only individuals may sue. According to an Associated Press account, he also threw out claims of constitutional violations and said the theft did not qualify as an "unauthorized disclosure" under the Privacy Act [Perhaps we need a new term: Negligent Disclosure or Disclosure by Bad management? Bob]

Source - Associated Press

Not clear if he stole them or they came from one of the other VA data spills...

CA: Man arrested in theft of 1.8 million Social Security numbers from veterans

Friday, November 16 2007 @ 08:44 PM EST Contributed by: PrivacyNews News Section: Breaches

A man who purchased $5,600 in jewelry at a store in Tustin using three fraudulent credit cards, one belonging to actor Marlon Wayans, was arrested Thursday in Los Angeles after a months-long investigation, said Tustin police Lt. John Strain.

The investigation also uncovered from his home computer about 1.8 million Social Security numbers from the U.S. Department of Veteran Affairs, where Kim had been employed as an auditor. Veterans Affairs' officials have said only 185,000 numbers are at risk because many were repeated in the file.

Source - Orange County Register

[From the article:

Kim had worked at the Veteran Affairs office since 2003 when he was a student at USC but quit in February of this year when he discovered a background check would be conducted.

This happened in Ohio, where the theft of a laptop (from an employee's vehicle) was headline news for months. Apparently these auditors can't read.

OH: Laptop with workers' personal information stolen from auditors

Saturday, November 17 2007 @ 01:21 AM EST Contributed by: PrivacyNews News Section: Breaches

A laptop stolen from a Kettering auditing firm contained personal information on employees of up to 10 businesses, including Springfield-based Ohio Masonic Home, officials said Friday.

Battelle & Battelle LLC (sic) would not disclose the number of individuals affected by the theft but Masonic Home officials said 600 of its employees' information was stored in the laptop.

Battelle was conducting the home's pension plan audit when the laptop was stolen last month from an employee's vehicle.

Source - Dayton Daily News

“Judge, it's simple. You gots your first class citizens – those who can see anything we have and then you gots your second class citizens who can't.”

NH: Judge doubts basis of voter data law

Friday, November 16 2007 @ 11:25 AM EST Contributed by: PrivacyNews News Section: In the Courts

A Merrimack County judge said yesterday that she is "struggling" to understand the basis for a new law that allows the state to sell detailed voter data only to the major political parties. The Libertarian Party has filed suit asking the court to strike down the law as unconstitutional.

The attorney general's office argued at a hearing yesterday that the state's interest in protecting voter privacy allows it to limit who can buy the data. The file includes a voter's party registration history and year of birth.

Source - Concord Monitor

As long as we're talking about who can see your data – here's the future. (At present, only all the advertisers can see this information.)

More On the Law Blog’s Facebook Foray

Friday, November 16 2007 @ 04:38 PM EST Contributed by: PrivacyNews News Section: Internet & Computers

Earlier this month we posted on the legal privacy issues raised by Facebook’s new “Facebook Ads” strategy, in which it will attach names and photos of Facebook users to ads for products they like.


Well, get this Law Blog Facebook experience. Last Sunday the Law Blog purchased three tickets to “Bee Movie” on Fandango, the movie site. After we did this, Facebook automatically updated our profile to say, “Peter bought ‘Bee Movie’ on Fandango.”

Source - Wall Street Journal Law Blog

(Props, Concurring Opinions)

Here's how the Feds say they will share information...

US Government Releases Information Sharing Privacy Principles

Friday, November 16 2007 @ 06:12 PM EST Contributed by: PrivacyNews News Section: Fed. Govt.


The US government has released its "National Strategy for Information Sharing." The strategy describes information sharing between state and local governments, the private sector and foreign governments, and includes the administration's "core privacy principles" for protecting privacy. Privacy guidelines, developed by the Attorney General and Director of National Intelligence, are built on these core principles.

Source - National Strategy for Information Sharing
Related - EPIC's page on Fusion Centers

Can software void a contract? (also see next article)

Cox Jamming Traffic Just Like Comcast

from the always-good-to-be-second... dept

You didn't think Comcast was the only company jamming certain types of traffic, did you? With all the heat on Comcast, it's no surprise that others are being discovered as well. For example, people are now noticing that cable provider Cox is using a very similar method to jam bittorrent uploads. It's too bad to hear this from a cable company that prided itself on actually being consumer friendly. Perhaps that means that Cox will actually admit to what it's doing, unlike Comcast. Of course, it also probably helps Cox that it wasn't the first one called out on this. Just like Sony took all the heat for the rootkit, even though the same rootkit was also found on CDs from other labels, it's likely that Comcast will take most of the heat for its bittorrent jamming.

Interesting question with examples...

Aye, Robot, or Can Computers Contract?

Mark Rasch, 2007-11-16

A contract is usually described as a "meeting of the minds." One person makes an offer for goods or services; another person sees the offer and negotiates terms; the parties enter into an agreement of the offer; and some form of consideration is given in return for the provision of something of value. At least that's what I remember from first year law school contracts class.

... Take for example, the recent case of Ticketmaster L.L.C. v. RMG Technologies, Inc., (U.S.D.C., Central District of California, October 16, 2007.) Ticketmaster, like many other Web sites has a "Terms of Use" that you must agree to before they will allow you to directly enter their Web site. These terms allow people to access the site only for non-commercial purposes, and do not permit the use of "automated devices" to access the service. Both the terms of use and certain technological measures are intended to prevent people from accessing the site more than once every three seconds and to limit the number of tickets that can be purchased during any individual visit.

The defendants, RMG, created a tool they called the "Ticket Broker Acquisition Tool" (TBAT) that would repeatedly visit the Ticketmaster site to acquire tickets from the site. Despite a lack of direct evidence that proved the defendants personally visited the Web site, or agreed to the terms of use, the court found that the nature of the tool itself made the defendant liable for the "infringing" cache copies of the Ticketmaster site which were copied by the tool. The court found that it was "highly likely" that the defendants received notice of the terms of use "by actually using the Web site."

Towards a completely virtual business model

Look, ma, no servers

November 16, 2007

Robert Scoble notes the rise of "the serverless Internet company" that can launch and run a webwide business through the window of a browser. He writes of a recent conversation he had with Max Haot, the CEO of Mogulus, a site that lets people produce and broadcast video programs:

At one point Max seemed like he was joking around with me when he told me “we don’t own a single server.” I asked him FOUR more times to make sure I heard him right ... He nicely and calmly explained that, yes, every server the company owns is actually running on Amazon’s S3 and EC2 services.

... What's particularly noteworthy about Mogulus is that it shows how layers of utility computing services can be built atop a single shared infrastructure. Mogulus runs its business by drawing on computing and storage services provided by Amazon Web Services, allowing it to avoid any capital investment in computing gear. And then Mogulus offers a set of sophisticated computing services to its own customers, including video editing, storage, and transmission, that until recently would have themselves required big investments in expensive software and hardware.

Amusing, but likely to become increasingly common.

Police Blotter: Can a cell phone camera intimidate a witness?

By Declan McCullagh Story last modified Fri Nov 16 14:16:15 PST 2007

What: Massachusetts defendant acts like he's taking a photograph of an undercover officer with a cell phone camera.

When: Massachusetts appeals court rules on November 15.

Outcome: Defendant is found guilty of additional criminal offense of witness intimidation.

What happened, according to court documents and other sources: On December 1, 2004, David Casiano was on trial, facing criminal charges relating to drug possession, when he noticed that an undercover police officer was present to testify against him. With camera-equipped cell phone in hand, Casiano exited the court room and acted as if he was taking photographs of the undercover officer and other police officers who were in the hallway outside.

Those officers complained to the judge, who ordered that the phone be confiscated. Casiano was reported saying, after his phone was seized: "What do you think I am...stupid? [Yes, actually. Bob] I already e-mailed the pictures to my house before you took the phone."

A court officer who was asked to inspect the cell phone could not find any photographs of either the undercover officer or any of the other police officers, and couldn't even determine whether the phone was capable of sending e-mail messages.

That led Casiano, 37, to be additionally charged with witness intimidation. (A local news report says he pleaded guilty to and went to jail for trespassing charges related to his original drug charges. Court records say the jury returned a not-guilty verdict on the original drug charge.)

During his subsequent trial on the witness intimidation charge, Casiano essentially invoked the I-was-just-kidding defense. He produced an affidavit from T-Mobile saying his cell phone wasn't even operational on the day of the incident. But the judge rejected it, saying the affidavit was not relevant, apparently on grounds that the threat of a photograph was what mattered. Casiano was found guilty, and he also lost on appeal.

Friday, November 16, 2007

Isn't it nice to know that the VA has implemented all the security measures they promised?

VA Hospital Records Compromised In Security Breach

Thursday, November 15 2007 @ 07:27 AM EST Contributed by: PrivacyNews News Section: Breaches

A major security breach at the Indianapolis Veterans Administration hospital compromised files on about 12,000 patients, officials said late Thursday.

The VA said three computers were taken from locked offices at the Roudebush VA Medical Center on Saturday, but the theft was not discovered until Monday.

Source - The Indy Channel

Related - Committee on Veterans' Affairs Press Release via Inside Indiana Business.

No need to look far for the next TJX...

Many Retailers Easy to Hack, Study Finds

By MARK JEWELL AP Business Writer Nov 16, 1:27 AM EST

BOSTON (AP) -- Half of more than 3,000 retail stores that a wireless security company secretly monitored at major shopping areas in the U.S. and Europe use wireless data systems vulnerable to hacking, the company said Thursday.

The data that stores routinely transmit on wireless networks include credit card and Social Security numbers and other sensitive customer information.

AirDefense Inc., an Atlanta-based maker of security products for wireless data systems, found that about 25 percent of the stores' 4,748 wireless access points were exchanging data with no encryption at all to foil electronic eavesdroppers.

Another 25 percent were using an outdated encryption method called Wireless Equivalent Privacy that is easily cracked by thieves using widely available tools.

Now here's an idea that needs work.

UK: Doctors may be prosecuted if their laptops are stolen

Thursday, November 15 2007 @ 07:25 AM EST Contributed by: PrivacyNews News Section: Breaches

Doctors who have laptops containing patients’ records stolen from their cars could end up in court.

Richard Thomas, the Information Commissioner, said a “blatant breach of fundamental observation” should attract criminal penalties. He told the Lords’ Constitution Committee that this was a new criminal offence being sought to enforce compliance with data protection laws.

The offence would be for knowingly or recklessly flouting data protection principles. [Keep the title, rework the rest. Bob] Offenders could be fined up to £5,000 in a magistrates’ court or unlimited sums in the Crown Court.

Source - TimesOnline

Related... (and we haven't talked about thumbdrives or IM yet.)

IT's Love-Hate Relationship With Laptops

Posted by CowboyNeal on Thursday November 15, @11:11PM from the caucophony-of-pleasure-and-pain dept. Portables Hardware

Ian Lamont writes "Are laptops really as great as they're cracked up to be? We love their portability, and we've been charting the steady rise of laptop sales for years. Yet while many of us depend on them for work, our IT departments view them with mixed feelings. IT managers point to wi-fi configuration, complicated authentication procedures, and eight other issues as making their jobs a lot harder. What else is missing from the list of laptop limitations? What would you like to see in the next generation of laptop computers?"

Well, that's one way to handle things – push communication off of email to IM or even phones...

Blunt creates permanent e-mail retention system

Posted: Thursday, November 15, 2007 at 9:49 a.m.

(AP) -- JEFFERSON CITY, Mo - Under fire over how his office handles electronic records, Governor Blunt is creating a permanent e-mail retention system.

Blunt announced today that every e-mail in all of state government will be retained automatically and permanently. And he said it will be open for public inspection, except where "legal and privacy concerns apply."

Blunt has come under scrutiny in recent weeks after disclosing the administration was deleting certain internal office e-mails.

Former Blunt staff attorney Scott Eckersley has said he was fired for offering legal advice on e-mail retention that contradicted actions by the governor and senior advisers.

Democratic Attorney General Jay Nixon hinted yesterday that he will soon open an investigation into how the governor's office handles public records.

Nixon plans to challenge Blunt in the 2008 election.

What information should you collect, how should you collect it, how long do you keep it, how much reliance can you place on it...

November 15, 2007

Minimum Criminal Intelligence Training Standards For Law Enforcement and Other Criminal Justice Agencies in the US

Minimum Criminal Intelligence Training Standards, For Law Enforcement and Other Criminal Justice Agencies in the United States, Findings and Recommendations, Version 2, October 2007. Prepared by the Intelligence Training Coordination Working Group, Presented to the Counter-Terrorism Training Coordination Working Group, the Global Intelligence Working Group, and the Criminal Intelligence Coordinating Council (64 pages, PDF).

  • "The intent of this document is to provide perspective and guidance for the development and delivery of law enforcement intelligence training. It is recognized that any type of “standard” can be debated based on an individual’s personal philosophy, professional priorities, and life experiences. In order to minimize bias or atypical context, the development process for these standards used a consensual approach reflecting the cumulative judgment of law enforcement intelligence practitioners, managers, executives, trainers, and scholars from all levels of government."


Boeing bosses spy on workers

Friday, November 16 2007 @ 07:44 AM EST Contributed by: PrivacyNews News Section: Workplace Privacy

Within its bowels, The Boeing Co. holds volumes of proprietary information deemed so valuable that the company has entire teams dedicated to making sure that private information stays private.

One such team, dubbed "enterprise" investigators, has permission to read the private e-mails of employees, follow them and collect video footage or photos of them. Investigators can also secretly watch employee computer screens in real time and reproduce every keystroke a worker makes, the Seattle P-I has learned.


Recently, a Boeing investigator told a Puget Sound-area employee that he was followed off company property to a lunch spot, that investigators had footage of him "coming and going" and that investigators had accessed his personal Gmail account.

The primary reason for the 2007 investigation, the employee said, was Boeing's suspicion that he had spoken with a member of the media. The employee learned the details of the investigation during a three-hour meeting, in which investigators laid out some of their findings. He has since been fired.

Source - Seattle Post-Intelligencer


GPS Helps Cities Catch Goof-Offs

By FRANK ELTMAN Associated Press Writer Nov 16, 2:26 AM EST

ISLIP, N.Y. (AP) -- GPS tracking devices installed on government-issue vehicles are helping communities around the country reduce waste and abuse, in part by catching employees shopping, working out at the gym or otherwise loafing while on the clock.

The use of GPS has led to firings, stoking complaints from employees and unions that the devices are intrusive, Big Brother technology. But city officials say that monitoring employees' movements has deterred abuses, saving the taxpayers money in gasoline and lost productivity.

... Still, in Indiana, six employees of the Fort Wayne-Allen County Health Department lost their jobs last year after an administrator bought three Global Positioning Satellite devices out of her own pocket and switched them in and out of 12 department vehicles to nail health inspectors running personal errands on the job. [Isn't there a question about motive here? Bob]

What were you expecting?

New NSA-Approved Encryption Standard May Contain Backdoor

Posted by Zonk on Thursday November 15, @01:21PM from the find-out-by-knocking dept. Security Encryption United States Government

Hugh Pickens writes "Bruce Schneier has a story on Wired about the new official standard for random-number generators the NIST released this year that will likely be followed by software and hardware developers around the world. There are four different approved techniques (pdf), called DRBGs, or 'Deterministic Random Bit Generators' based on existing cryptographic primitives. One is based on hash functions, one on HMAC, one on block ciphers and one on elliptic curves. The generator based on elliptic curves called Dual_EC_DRBG has been championed by the NSA and contains a weakness that can only be described as a backdoor. In a presentation at the CRYPTO 2007 conference (pdf) in August, Dan Shumow and Niels Ferguson showed that there are constants in the standard used to define the algorithm's elliptic curve that have a relationship with a second, secret set of numbers that can act as a kind of skeleton key. If you know the secret numbers, you can completely break any instantiation of Dual_EC_DRBG."
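To make the Shumow and Ferguson observation concrete, here is a toy Dual_EC-style generator added to this post; it is not code from the Slashdot submission, from Schneier's article or from NIST SP 800-90A. Everything in it is constructed for the demonstration: the curve y^2 = x^3 + x + 1 over F_23 (28 points), the public point Q = (0, 1), the trapdoor scalar e = 5 with P = e*Q, and the seed 3. The real generator also drops the top 16 bits of each output, which the toy omits, so the state falls out of a single full output instead of after a short search over the missing bits.

```python
# Toy Dual_EC_DRBG, added here to illustrate the Shumow/Ferguson observation.
# Not code from the Slashdot post, Schneier's article or NIST SP 800-90A.
# Curve, points, trapdoor scalar and seed are all constructed for the demo:
# y^2 = x^3 + x + 1 over F_23, a group of 28 points generated by Q = (0, 1).
p = 23
A, B = 1, 1
INF = None  # the point at infinity


def inv(a):
    """Modular inverse via Fermat (p is prime)."""
    return pow(a, p - 2, p)


def add(pt1, pt2):
    """Affine point addition, including doubling and the inverse-point case."""
    if pt1 is INF:
        return pt2
    if pt2 is INF:
        return pt1
    x1, y1 = pt1
    x2, y2 = pt2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF  # pt2 == -pt1 (this also covers doubling a point with y == 0)
    if pt1 == pt2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % p
    else:
        lam = (y2 - y1) * inv(x2 - x1) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def x_of(pt):
    if pt is INF:
        raise ValueError("state reached the point at infinity")
    return pt[0]


Q = (0, 1)            # stands in for the standard's public point Q
E_SECRET = 5          # the trapdoor: whoever chose the constants knows e with P = e*Q
P = mul(E_SECRET, Q)  # stands in for the standard's public point P; here (18, 3)


def next_state(s):
    return x_of(mul(s, P))


def output(s):
    return x_of(mul(s, Q))


def generate(seed, k):
    """k outputs in SP 800-90A order: update the state, then emit x(s*Q).
    The real generator drops the top 16 bits of each output; this toy emits all of x."""
    s, outs = seed, []
    for _ in range(k):
        s = next_state(s)
        outs.append(output(s))
    return outs


def lift_x(r):
    """Recover a point with x-coordinate r; p = 3 mod 4, so sqrt(v) = v^((p+1)/4)."""
    rhs = (r ** 3 + A * r + B) % p
    y = pow(rhs, (p + 1) // 4, p)
    if y * y % p != rhs:
        raise ValueError("no curve point has that x-coordinate")
    return (r, y)


def predict(r, e, k):
    """With e in hand, one full output r fixes the next state, and with it the next k outputs.
    lift_x returns +-(s*Q); e times either sign is +-(s*P), and both share the x-coordinate."""
    s = x_of(mul(e, lift_x(r)))
    outs = []
    for _ in range(k):
        outs.append(output(s))
        s = next_state(s)
    return outs


if __name__ == "__main__":
    seen = generate(3, 5)  # outputs from the constructed seed 3
    print("observed:", seen)
    print("predicted from the first output alone:", predict(seen[0], E_SECRET, 4))
```

Had P and Q been generated independently (for instance by hashing a published string onto the curve), finding an e with P = e*Q would be a discrete-logarithm problem and the recovery step in `predict` could not be carried out at all. That is the whole difference between a nothing-up-my-sleeve constant and an unexplained one, and it is why a generator whose constants ship without a reproducible derivation deserves the suspicion the article gives it.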

Just a small question. Who gets to authorize something like this? I doubt the Board of Directors debates for hours – does some entry level manager have the authority to put the organization at risk?

Employees suing over bathroom surveillance

Thursday, November 15 2007 @ 05:30 PM EST Contributed by: PrivacyNews News Section: Workplace Privacy

Kroger Co. is being sued by its employees for allegedly putting the bathroom of one of its U.S. grocery distribution centers under hidden video surveillance.

A total of 138 current and former employees in Kentucky and Indiana allege in their lawsuit filed in Jefferson (Ky.) Circuit Court, that using hidden video equipment at the Kroger distribution center in Louisville violated their privacy and harmed them, The (Louisville) Courier-Journal said Wednesday.

Source - UPI

Darwin never saw this...

The Evolution of Spam, Part 2: New Defenses

By Andrew K. Burger E-Commerce Times Part of the ECT News Network 11/16/07 4:00 AM PT

"There is no single head to cut off, no centralized command structure to attack. These aren't the Red Coats standing in a neat formation; these are guerrillas scattered across the landscape with known objectives and infrequent need for direction," said Randy Abrams, ESET's director of technical education.

... Part 1

Thursday, November 15, 2007

How nice. A wake up call at no extra charge... They chose to reduce the value of their service while continuing to claim otherwise in their advertising. Fraud?

Comcast hit with class-action lawsuit over traffic blocking

By Eric Bangeman | Published: November 14, 2007 - 04:57PM CT

Comcast's traffic management practices have landed the cable giant in court. Yesterday, a California resident filed a lawsuit in state court accusing Comcast of breach of contract, breach of implied covenant of good faith and fair dealing, and violating the California Consumer Legal Remedies Act.

... Hart is seeking class-action status for the lawsuit, damages, a change in the company's advertising to reflect its traffic-shaping practices, and an injunction barring Comcast from further interference with the "Blocked Applications."

One of those year-end lists you should be embarrassed to make.

A Rogues Gallery of Data Protection Miscreants

Wednesday, November 14 2007 @ 07:37 PM EST Contributed by: PrivacyNews News Section: Breaches

.... without further ado, we present our list of top data protection miscreants. Each comes with a brief explanation of the organization's most prominent disaster, with suggested lessons learned. We've also taken the liberty of ranking the list from least to most negligent, depending on our view of the circumstances -- not the results -- according to the following scale: 5 = Data Protection's Worst Enemy; 4 = Notable Rogue; 3 = Middling Miscreant; 2 = Petty Offender; 1 = Caught Once, Badly.

The List:

* 1) State of Ohio and Accenture
* 2) Deloitte & Touche and McAfee
* 3) TJX
* 4) Los Alamos National Lab
* 5) Department of Veterans Affairs
* 6) Iron Mountain

Source - ByteandSwitch

What happened to a presumption of innocence? (Are they really encrypted files or merely corrupt? How could the court tell the difference?)

First Use of RIPA to Demand Encryption Keys

Posted by samzenpus on Thursday November 15, @12:22AM from the tell-us-everything dept. Encryption

kylehase writes "The Regulation of Investigatory Powers Act (RIPA) is being used for the first time to force an animal activist to reveal encryption keys for encrypted files she claims to have no knowledge of. According to the article, she could face up to two years if she doesn't comply."

Hogwarts School of Law

Rowling Sues Harry Potter Lexicon

Posted by samzenpus on Thursday November 15, @03:30AM from the the-first-rule-of-potter-is-you-don't-talk-about-potter dept. The Internet

Snape kills Trinity with Rosebud writes "Apparently famous authors don't like it if you try to make a buck using their imaginary property because J.K. Rowling is suing the publishers of the Harry Potter Lexicon for infringement. This should prove an interesting test case for fair use given that the lexicon contains mostly factual information about the series, not copies of the books' text. Of course, both sides seem a bit touchy about imaginary property rights, with Rowling's lawyers being miffed after being told to print it themselves when they asked for a paper copy of the lexicon's website, and the lexicon website itself using one of those insipid right click disabling scripts."

Earning your trust, every day...

Disappearing Gmail messages baffle users

A steady stream of Gmail users are reporting that their inboxes are being erased, and they find Google's explanations thus far to be lacking

By Juan Carlos Perez, IDG News Service November 14, 2007

When Jeneane Sessum logged into her Gmail account on the afternoon of Oct. 27, she was greeted with a horrifying sight: an empty inbox.

... Days earlier in Chicago, Jessica Squazzo, a writer and editor, accessed Gmail and stared at her computer screen in disbelief: All messages from 2007 had disappeared from her inbox.

Sessum and Squazzo are just two of a small but steady stream of Gmail users who regularly report losing some, many, or all of their messages without a clue as to why.

It seems that hardly a week goes by without at least several users reporting this problem on discussion boards, such as the official Gmail Help forum.

How indeed.

November 14, 2007

How E-Government Is Changing Society and Strengthening Democracy

GSA Office of Intergovernmental Solutions Newsletter Issue 20: How E-Government Is Changing Society and Strengthening Democracy, 48 pages, PDF, November 14, 2007.

This was never secret, was it?

November 14, 2007

Free Federal Case Law Archive Available Online in 2008

Press release: "Public.Resource.Org and Fastcase, Inc. announced today that they will release a large and free archive of federal case law, including all Courts of Appeals decisions from 1950 to the present and all Supreme Court decisions since 1754. The archive will be public domain and usable by anyone for any purpose."

Wednesday, November 14, 2007

More points to control, same controls, what's missing?

Corporate data control policies are failing

Tuesday, November 13 2007 @ 09:04 AM EST Contributed by: PrivacyNews News Section: Businesses & Privacy

More than a fifth of employees stores corporate files on memory sticks, despite the risk to security, new research has found.

A survey of 300 employees across the UK and Ireland found that nearly half – 49% - stored work material “in multiple locations”, with 21% holding it on portable USB memory sticks.

Another 14% of employees said they stored corporate material on a laptop hard drive, with 9% admitting that they kept work-related material on non-work owned personal devices, the research by Dynamic Market for enterprise content management company, Tower Software found.

Source - ComputerworldUK

Would HIPAA be interpreted the same way?

(update) Ca: Capital Health failed to protect patient info

Tuesday, November 13 2007 @ 09:02 PM EST Contributed by: PrivacyNews News Section: Breaches

Capital Health breached the Health Information Act when it failed to adequately protect health information stored on laptop computers that were later stolen, Information and Privacy Commissioner Frank Work said today.

Work has issued the final report of his investigation into the theft of four laptop computers from a Capital Health office in downtown Edmonton on May 8.

One of the laptops contained patient information.

Source - Edmonton Journal

Don't let the name fool you. This is the Total Information Awareness database that has been “canceled” several times now...

November 13, 2007

DHS OIG Audit: Automated Targeting System Controls and Personally Identifiable Information

OIG-08-06 - Better Administration of Automated Targeting System Controls Can Further Protect Personally Identifiable Information (Redacted) (PDF, 22 pages) - New 11/09/2007

Hey, it's cheaper than keeping them in prison! (Perhaps they could make them an 'un-protected class' and declare open season?)

State wants special car plates for sex offenders

Thu Mar 1, 2007 2:54pm EST

CINCINNATI (Reuters) - Lawmakers in Ohio said on Wednesday they want to force convicted sex offenders to use a fluorescent-green license plate on their cars so they can be easily identified.

A Republican and a Democrat in the state legislature in Columbus have joined forces to propose the law, which echoes measures in several U.S. states that require convicted drunken drivers to use a yellow, pink or red plate on their cars.

Thinking along the same lines? Why not put them on the Internet so parents, the producers of 'America's Funniest Videos,' and the guys with fluorescent green license plates can watch too?

Sign Of Times: NJ School Cameras Fed Live To Cops

Tuesday, November 13 2007 @ 07:40 AM EST Contributed by: PrivacyNews News Section: Minors & Students

Surveillance cameras rolling inside our local schools is nothing new, but what's taking place inside Demarest's public schools is truly cutting edge: a live feed from more than two dozen cameras with a direct connection to the police.

It's an expensive, but effective [but not as a preventative measure Bob] tool that could be a sign of the times with an increase in school shootings over the years.

The system, which cost about $28,000, can even track movement in a crowded room.

Source - CBS

Toward “Ubiquitous Surveillance.” All this information stays with the picture.

Up next: Cameras that know who you photographed

Posted by Stephen Shankland November 14, 2007 4:00 AM PST

... Many cameras today can detect the faces of those being photographed, which is handy for guiding the camera to set its exposure, focus, and color balance properly. But the more difficult challenge of face recognition is more useful after the photo has been taken.

... That's because of a concept called autotagging, one of a number of technologies that make digital photography qualitatively different from the film photography of the past.

Tags of descriptive data can be attached to digital photos, and they help people find and organize pictures. The only problem is that tagging your photos, today a laborious manual task, is like eating your vegetables. It's good for you but a lot of people don't like it.

I'm sure it is 'frightening' but it is also something the security community has been saying for years.

Microsoft exec calls XP hack 'frightening'

By Tom Espiner Story last modified Tue Nov 13 07:00:47 PST 2007

A Microsoft executive calls the ease with which two British e-crime specialists managed to hack into a Windows XP computer as both "enlightening and frightening."

The demonstration took place Monday at an event sponsored by Get Safe Online--a joint initiative of the U.K. government and industry. At the event, which was aimed at heightening security awareness among small businesses, two members of the U.K. government intelligence group Serious Organized Crime Agency connected a machine running Windows XP with Service Pack 1 to an unsecured wireless network. The machine was running no antivirus, firewall, or anti-spyware software and contained a sample target file of passwords to be stolen.

... Mick used a common, open-source exploit-finding tool he had downloaded from the Internet. SOCA asked ZDNet UK not to divulge the name of the tool.

... Using a different attack tool, he produced a security report detailing the vulnerabilities found on the system. Mick decided to exploit one of them. Using the attack tool, Mick built a piece of malware in MS-DOS, giving it a payload that would exploit the flaw within a couple of minutes.

Getting onto the unsecured wireless network, pinging possible IP addresses of other computers on the network, finding Andy's unpatched computer, scanning open ports for vulnerabilities, using the attack tool to build an exploit, and using the malware to get into the XP command shell took six minutes.

... Mick then went into the My Documents folder and, using a trivial transfer protocol, transferred the document containing passwords to his own computer. The whole process took 11 minutes.

A SOCA representative said that the demonstration was "purely to point out that, if a system hasn't had patches, it's a relatively simple matter to hack into it." SOCA stopped short of recommending small businesses move to Vista; a SOCA representative said that applying Service Pack 2 to XP, with all the patches applied, and running a secured wireless network is "perfectly sensible way to do it."

...and they're all guilty!

All Fifty States May Face Voting Machine Lawsuit

Posted by ScuttleMonkey on Tuesday November 13, @02:51PM from the counters-fans-of-fuzzy-math dept.

According to an announcement made by activist Bernie Ellis at the premiere of David Earnhardt's film "Uncounted [The Movie]," all fifty states could be receiving subpoenas in the National Clean Election lawsuit. The documentary film, like the lawsuit, takes a look at the issue of voting machine failure and the need for a solid paper trail. "The lawsuit is aimed at prohibiting the use of all types of vote counting machines, and requiring hand-counting of all primary and general election ballots in full view of the public. The lawsuit has raised significant constitutional questions challenging the generally accepted practices of state election officials of relying on "black box" voting machines to record and count the votes at each polling station, and allow tallying of votes by election officials outside the view of the general public."

...and so is the rest of the world?

Privacy group slams government stance on e-voting

1:21PM, Tuesday 13th November 2007

The Open Rights Group has condemned the UK government's decision to continue with e-voting, despite calls from the Electoral Commission to abandon the scheme.

The commission, which oversees all elections in the UK, called on the government in August to suspend internet voting until the current system had been modernised and made more secure.

The government disagrees, claiming that each of its pilot e-voting tests "supported successful elections".

"The Government is not aware of any instances of alleged fraud during the elections and does not believe that the pilots increased the risk of electoral fraud," the Ministry of Justice concluded. "We do not agree

Reminds me of the story about “Famous Amos” giving away cookies at the mall. Soon he had to expand because he couldn't bake enough in his original kitchen...

Independent Film Makers Thrilled That People 'Pirated' Their Movie

from the understanding-buzz dept

On the same day that the guy who was caught filming The Simpsons Movie with his mobile phone (which still doesn't make sense to us) was fined in Australia, some independent filmmakers are talking up how wonderful it is that people are "pirating" their film. The website reviewed their film, The Man from Earth, and pointed out the many places online where it could be downloaded. It turned out that people really seemed to love the movie. Thousands downloaded it... and they started promoting it to others. The movie's ranking on IMDB shot up and it's getting attention from all over the place. The producer of the movie wrote to rslog to thank them for promoting the movie, noting that next time he'll probably upload his next movie to various torrent sites himself.

The director of the movie also chimed in with his support. He notes that they definitely view this a bit as "doing a Radiohead," but that's perfectly reasonable. They're hoping many people do decide to buy the DVD or donate money to the project, which seems like a reasonable request. However, what may be more likely is that they can use this groundswell to push for both theater showings of the movie and a distribution deal for their followup. And while this shows an example of moviemakers using the Radiohead example -- there's a big difference here as well. Many critics have been falsely dismissing the Radiohead experiment by saying that only big, well known bands can pull it off. However, what the folks behind this movie are doing is exactly the opposite. They're smaller names, who are generating tremendous publicity and opportunity for themselves by not treating their fans as criminals -- even those who clearly are downloading unauthorized versions. Instead, they're embracing them for the free publicity they're providing the movie and helping to turn it into a hit. Once again, the old saying is true: obscurity is a much bigger threat to creative works than piracy.

Pull down a copy of “War & Peace”, change all those funny Russian names to sound more American, change a few scenes to resemble modern day Washington, and you have a novel about Iraq.

20+ Places for Public Domain E-Books

November 12, 2007 — 10:24 PM PST — by Sean P. Aune

Another freebie...

IBM updates free Symphony suite

Posted by Elsa Wenzel November 13, 2007 2:43 PM PST

IBM is releasing an update today to its free Lotus Symphony productivity suite, which remains in beta testing.

The three desktop applications, Documents, Spreadsheets and Presentations, are counterparts to Microsoft Word, Excel and PowerPoint. The latest iteration of Symphony is supposed to be faster than its predecessor, which debuted less than two months ago.

The package is one of several low-cost or free alternatives to Microsoft Office.

... More than one quarter of a million people have downloaded the software to date, according to IBM.

Our first take review details how Symphony worked in CNET's early tests.

Expect military tech to be at least an order of magnitude better...

This world view is twice as sharp

Posted by Mark Rutherford November 14, 2007 6:37 AM PST

A global leader in commercial satellite imagery and geospatial information has just doubled up.

DigitalGlobe has released photos captured by its WorldView-1 remote sensing satellite launched in September that have twice the resolution of previous images, allowing viewers to see things on the ground as small as 20 inches in diameter. The black and white shots captured with equipment developed by ITT's Space Systems Division are part of a program sponsored by the National Geospatial-Intelligence Agency to provide imagery for military, intelligence, foreign policy, homeland security, and civil use.

They include shots of Houston, Texas, Yokohama, Japan, and Addis Ababa, Ethiopia. To date, the company's library contains more than 300 million square kilometers of satellite and aerial imagery. The unit is capable of collecting 290,000 square miles of images every day, according to the company, which promises to produce the "most advanced imagery ever seen."

The new gear is four times more power-efficient, six times lighter, and costs a third as much as previous models, according to ITT. The system captures "panchromatic" imagery and multispectral imagery across a wide swath; the end product is an 11x11 kilometer snapshot.

If you hold out until 2008, the company promises to deliver "lifelike true color" with an ITT eight-band, multispectral system from aboard the WorldView-2. And speaking of the NGA, it offers a Baghdad reference map, plus tons of other cool stuff available to the public here.

Geek alert!

MIT Releases the Source of MULTICS, Father of UNIX

Posted by Zonk on Tuesday November 13, @01:24PM from the linux's-dad's-dad dept. Operating Systems Education Unix

mlauzon writes "Extraordinary news for computer scientists and the Open Source community was announced over the weekend, as the source code of the MULTICS operating system (Multiplexed Information and Computing Service), the father of UNIX and all modern OSes, has finally been opened. Multics was an extremely influential early time-sharing operating system and introduced a large number of new concepts, including dynamic linking and a hierarchical file system. It was extremely powerful, and UNIX can in fact be considered to be a 'simplified' successor to MULTICS. The last running Multics installation was shut down on October 31, 2000. From now on, MULTICS can be downloaded from an official MIT site (it's the complete MR12.5 source dumped at CGI in Calgary in 2000, including the PL/1 compiler). Unfortunately you can't install this on any PC, as MULTICS requires dedicated hardware, and there's no operational computer system today that could run this OS. Nevertheless the software should be considered to be an outstanding source for computer research and scientists. It is not yet known if it will be possible to emulate the required hardware to run the OS." [Expect the virtual machine folks will do this! Bob]

Tuesday, November 13, 2007

Close to home

Clients' Legal Info Found Dumped In Lawyer's Trash

Monday, November 12 2007 @ 11:46 AM EST Contributed by: PrivacyNews News Section: Breaches

GREENWOOD VILLAGE, Colo. -- Police collected 17 boxes filled with Social Security numbers and other personal information from a trash container behind an office building in Colorado on Sunday.

... they appeared to be from the office of W. Dan Mahoney, an attorney who works in the building, and who admits throwing them in the trash.

Source - CBS

Is this a wise policy?

Personal information on students stolen

EDMONTON - Personal information about 560 Catholic school students has been stolen, after a school bus employee had her purse stolen.

The purse contained a memory stick with the names, addresses and phone numbers of kindergarten, Hand in Hand pre-school program and special needs students in the school district, the district said in a press release Monday.

The school board was informed of the theft a week earlier by the school bus company involved, R.L. Smith Transportation Inc. The school bus employee left the memory stick in her purse in the trunk of her car, which was then stolen. When the car was recovered, the purse and its contents were missing.

The bus company has routinely sent a copy of student information with their bus drivers. [Why would they even have this information? Bob] City police are investigating the theft. The employee is no longer with the company.

Catholic schools says letters have been sent home to all affected parents, and extra security methods have been put in place. [All the measures that should have been in place before? Bob]

Effective immediately, the school district has asked school bus companies not to let their employees carry student information outside the office. Four of the five companies have complied, it said, and the fifth has promised a response this week.

All information about students must now be encrypted on memory sticks, as well as password protected, says the school district. The lost information was not encrypted.

Let's hope there was language in the contract covering something like this...

Attackers Snatch Member Data from 92 Nonprofits

November 12, 2007 By Lisa Vaas

Attackers have stolen passwords and accounts from 92 nonprofits by infiltrating systems at Convio, the leading online marketing company for nonprofits.

Affected nonprofit organizations include the American Museum of Natural History, Working Assets, CARE and Free Press.

According to a letter sent by Convio to one of the affected organizations, the e-mail addresses and member passwords were downloaded without authorization from 92 GetActive clients between Oct. 23 and Nov. 1. GetActive is an application that Convio acquired with the nonprofit eCRM software company, also named GetActive, in February.

The attacker or attackers had prepared to steal the same information from another 62 GetActive clients, but the attempt was foiled when Convio discovered the breach late in the day on Nov. 1.

"The attack was carried out by an outside party who temporarily gained limited access to our systems," the letter said. "As soon as this attack was discovered, we took immediate steps to correct the situation. We are confident that these steps have restored the security of our systems. We are also cooperating with federal authorities to investigate the illegal access and data theft."

According to Convio, no credit card or other personal data was lost in the breach, only e-mail addresses and passwords. A spokesperson for Convio told eWEEK that Convio doesn't store credit cards, although the legacy GetActive application does to some extent.

... Convio is recommending that its client organizations notify any constituents with user-created passwords that might have been disclosed. Some of those individuals might use the same e-mail address and password with multiple online service providers such as Yahoo or PayPal or even at banks or online merchants, any of which could open them up to compromise of those additional accounts. Individuals who are affected should change their passwords at such accounts as soon as possible.

Convio is also warning GetActive users to be on the alert regarding e-mail that appears to be from a brand name organization that urges recipients to visit a Web site to provide personal or financial information because an account may have been compromised or deactivated. Such e-mail would come from phishers running a scam, as legitimate businesses wouldn't ask for such information.

Convio has created a query within its dashboard that can be used to identify which members of an organization's list might be affected.

“HI! Could you give me all my personal information – I seem to have forgotten it.”

Commerce Bank Issues Identity Theft Warning

Monday, November 12 2007 @ 05:37 PM EST Contributed by: PrivacyNews News Section: Breaches

Note: social engineering or something else? More details would help...

Commerce Bank officials have sent letters to the affected customers regarding an investigation of identity fraud.

The letter states that a Commerce employee gave out personal information -- including Social Security and loan account numbers -- to outside parties.

Source - NBC 10

Because terrorists love Mickey Mouse

Finger Scanning At Disney Parks Causes Concern

POSTED: 5:12 pm EDT July 14, 2005 UPDATED: 10:47 am EDT July 15, 2005

ORLANDO, Fla. -- The addition of finger scanning technology at the entrances of Walt Disney World theme parks for all visitors has caused concern among privacy advocates, according to a Local 6 News report.

"I think it's a step in the wrong direction," Civil Liberties Union spokesman George Crossley said. "I think it is a step toward collecting personal information on people regardless of what Disney says."

Tourists visiting Disney theme parks in Central Florida must now provide their index and middle fingers to be scanned before entering the front gates.

What we've been saying for years!

SCO Guilty of Lying About Unix Code in Linux

November 13, 2007 By Steven J. Vaughan-Nichols

In the United States, SCO's Linux/Unix litigation has been stalled out while the company's bankruptcy trial is being dealt with. In Germany, however, several court cases have found SCO Group GmbH, SCO's Germany branch, guilty of lying about Linux containing stolen Unix code.

In the first case, reported on by Heise Online, the pro-Linux German companies Tarent GmbH and Univention found that SCO was once more making claims that Linux contained Unix IP (intellectual property). Specifically, SCO GmbH made the familiar claims that "As we have progressed in our discovery related to this action, SCO has found compelling evidence that the Linux operating system contains unauthorized SCO UNIX intellectual property (IP)." This was followed by the usual threat "If a customer refuses to compensate SCO for its UNIX intellectual property found in Linux by purchasing a license, then SCO may consider litigation."

How can a little tiny country like Israel claim to have the largest database? Perhaps it includes a copy of the US database...

Knesset panel okays Western world's largest database for police use

Monday, November 12 2007 @ 12:05 PM EST Contributed by: PrivacyNews News Section: Non-U.S. News

The Knesset Constitution, Law and Justice Committee approved Monday morning the establishment of a police search engine, which, if passed by the Knesset, would be the largest legal database in the Western world for police use.

The database is to include names, unlisted and listed phone numbers, Internet addresses, computer and modem numbers, and cell-phone identifiers to pinpoint signals and allow the police to track individual conversations.

Source -

If this was a test of the market, I'd say we'll see more like it.

Wal-Mart's $200 Linux PC Sells Out

Posted by kdawson on Monday November 12, @09:55PM from the ok-there's-a-market-for-it dept. Linux Business Enlightenment

hankmt writes "About a week ago Wal-Mart began selling a $200 Linux machine running on a 1.5 GHz VIA C7 processor and 512 MB of RAM. While the specs are useless for Vista, it works blazingly fast on Ubuntu with the Enlightenment Window Manager. The machine is now officially sold out of their online warehouses (it may still be available in some stores). And the product sales page at is full of glowing reviews from new and old Linux users alike."

Why be President (Salary $400,000) when you can get a share of the next Google?

Al Gore's next act: Planet-saving VC

The recovering politician is teaming with a legendary venture capitalist and bigtime moneyman to make over the $6 trillion global energy business. A Fortune exclusive

By Marc Gunther and Adam Lashinsky, Fortune November 12 2007: 2:49 PM EST

This might be useful for my students... Not sure I'd trust them with anything personal. - Protecting Your Data

Have you become frustrated with losing your data? Do you always forget to back up your files? has the solution to your problem. Zoogmo backs up your data over the internet or within a LAN on your computer or your family/friend's computer. If you have Windows XP or 2003 with a broadband connection you can install the Zoogmo software and back up your data. Zoogmo gives you unlimited space and you can have an unlimited number of partners for free. Zoogmo keeps your files safe; you don't need to worry about computer viruses affecting your data. If your connection is interrupted during a file transfer, don't worry, your files will be safe because there is a built-in retry system to automatically reconnect. Backing up your files is quick and easy with

Monday, November 12, 2007

Perhaps they should have held a “customer appreciation sale” like TJX? Another indication that the rules don't scale.

After the Data Breach: Navigating State Disclosure Laws

Sunday, November 11 2007 @ 01:09 PM EST Contributed by: PrivacyNews News Section: Breaches was caught off guard last year. The musical instrument sales site suffered a data breach that was followed swiftly by a double whammy of consequences.

Roughly 250 customer records were exposed, likely after an individual stole an administrative password by accessing systems remotely.

... Despite its efforts, Bananas apparently failed to meet all the various state notification requirements and was subsequently slammed with fines and fees by major credit companies. "They did not specifically provide a reason for the fees other than saying that we had not met all of the terms in our agreements with them," says Bananas President J.D. Sharp. "They'll fine the pants off you," he adds.

Source - TechNewsWorld


Data “Dysprotection:” breaches reported last week

Monday, November 12 2007 @ 07:14 AM EST Contributed by: PrivacyNews News Section: Breaches

A recap of incidents or privacy breaches reported last week for those who enjoy shaking their head and muttering to themselves with their morning coffee.

Source - Chronicles of Dissent

If you don't look for it, this isn't a problem.

Votes Flipped in Ohio Race that Used E-voting Machines

By Kim Zetter, November 08, 2007 | 2:20:19 PM. Categories: E-Voting, Election '08, Glitches and Bugs

Votes cast yesterday on e-voting machines made by Election Systems & Software went to the wrong candidates, according to officials in Lawrence County, Ohio.

Although a tally printed from the machines at the end of the day and posted on the door of a county precinct got the numbers correct -- 374 votes for Bill Robinson in the Hamilton Township trustee position and 170 votes for Allan Blankenship -- a tabulation machine at the county's headquarters flipped the numbers and gave 374 to Blankenship and 170 to Robinson. Officials noticed the problem when they compared the two tallies.

... Overbeck said this was the only race affected [Sure it was... Bob] in this way on a ballot that included more than 100 races.
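The check the Lawrence County officials performed by hand, comparing the precinct's printed tape against the central tabulator's numbers, can be automated. The following is an added example, not code from Wired or from any election vendor; the result formats, race names and non-Ohio figures are constructed, with the trustee race mirroring the 374/170 swap described above.

```python
"""Reconcile precinct result tapes against a central tabulation.

Added example (not from the article or any election system's own code).
Sample data is constructed: the trustee race mirrors the Lawrence County
case, where the precinct tape showed Robinson 374 / Blankenship 170 and
the central tabulator reported the same numbers under the wrong names.
"""
from collections import Counter

# Constructed sample: "race|candidate|votes" lines as transcribed from a
# printed end-of-day precinct tape.
PRECINCT_TAPE = """\
Hamilton Township Trustee|Bill Robinson|374
Hamilton Township Trustee|Allan Blankenship|170
County Auditor|Candidate A|512
County Auditor|Candidate B|498
"""

# Constructed sample: the same races as exported by the central tabulator.
CENTRAL_TABULATION = """\
Hamilton Township Trustee|Bill Robinson|170
Hamilton Township Trustee|Allan Blankenship|374
County Auditor|Candidate A|512
County Auditor|Candidate B|498
"""


def parse_results(text):
    """Parse 'race|candidate|votes' lines into {race: {candidate: votes}}."""
    results = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        race, candidate, votes = line.split("|")
        results.setdefault(race, {})[candidate] = int(votes)
    return results


def reconcile(tape, central):
    """Compare per-race totals from two sources; return a list of findings.

    Each finding is (race, kind, detail), where kind is one of:
      'flip'     - same set of totals, assigned to different candidates
      'mismatch' - at least one candidate's total differs
      'missing'  - a race or candidate appears in only one source
    """
    findings = []
    for race in sorted(set(tape) | set(central)):
        t, c = tape.get(race), central.get(race)
        if t is None or c is None:
            findings.append((race, "missing", "race absent from one source"))
            continue
        if set(t) != set(c):
            findings.append((race, "missing", "candidate list differs"))
            continue
        if t == c:
            continue
        # Same candidates but different numbers: a pure swap (the Ohio
        # pattern) keeps the multiset of totals; anything else is a mismatch.
        if Counter(t.values()) == Counter(c.values()):
            swapped = sorted(cand for cand in t if t[cand] != c[cand])
            findings.append((race, "flip", swapped))
        else:
            diff = {k: (t[k], c[k]) for k in t if t[k] != c[k]}
            findings.append((race, "mismatch", diff))
    return findings


def audit_report(tape_text, central_text):
    """Parse both sources and reconcile them."""
    return reconcile(parse_results(tape_text), parse_results(central_text))


if __name__ == "__main__":
    for race, kind, detail in audit_report(PRECINCT_TAPE, CENTRAL_TABULATION):
        print(f"{kind.upper():8} {race}: {detail}")
```

Run against the constructed data it reports a single "flip" for the trustee race and stays silent on the race whose totals agree.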

Always assume the pros are at least as good as the amateurs.

Tracking People Using Bluetooth

Posted by CmdrTaco on Sunday November 11, @08:59AM from the turn-your-bluetooth-off dept. Privacy Wireless Networking

damdam writes "A Dutch guy seems to have set up a small network of bluetooth scanners. He has all the information logged to a central database and you can search it over the web. On his website it says "Some of these matches were only minutes apart. Therefore I could even calculate the approximate speed of someone moving from one location to another.". There are also some interesting statistics on his site showing traffic volume in his hometown (based on bluetooth signals) and he even lists popularity of certain Nokia phones. It's interesting to see how much information an individual can gather using old equipment."

Isn't this “cloneism?” “They're not like us, so we should eliminate them”

World should ban human cloning, except medical: U.N.

Monday, November 12 2007 @ 07:18 AM EST Contributed by: PrivacyNews News Section: Other Privacy News

The world should quickly ban cloning of humans and only allow exceptions for strictly controlled research to help treat diseases such as diabetes or Alzheimer's, a U.N. study said on Sunday.

Without a ban, experts at the U.N. University's Institute of Advanced Studies said that governments would have to prepare legal measures to protect clones from "potential abuse, prejudice and discrimination".

Source - Reuters

I'm sure it is fun to analyze this type of email, but wouldn't it be much faster to ask?

Is that email message legit? How a computer nerd analyzes it

Posted by Michael Horowitz November 11, 2007 1:41 PM PST

My clients often ask my opinion on whether an email message is legitimate or not. The message below, asking for credit card information and claiming to come from, was a doozy; a lot can be learned from analyzing it.

Cyberwar? Is China getting more aggressive or are we just detecting more?

Trojan Found In New HDs Sold In Taiwan

Posted by kdawson on Sunday November 11, @09:36PM from the bourne-again dept. Security Data Storage IT

GSGKT writes "About 1,800 brand new 300-GB or 500-GB external hard drives made for Maxtor in Thailand were found to have trojan horse malware pre-installed (autorun.inf and ghost.pif). When the HD is in use, these forward information on the disk to two websites in Beijing, China: or The article implies that authorities believe the Chinese government is behind the trojans. A later article pins down the point of infection to a subcontractor company in China. A couple of months back the Register was reporting on pre-installed malware detected on Maxtor disks sold in the Netherlands. This earlier report was downplayed by a Seagate spokesman."

The more recent Taipei Times article says that Seagate admits the problem on its Web site, but a search there turns up nothing.

Resource: Would this be useful in identifying and tracking legal trends?

November 11, 2007

NCSL 50-State Legislative Tracking Web Resources

  • "Updated August 2007: At the request of NCSL's Legislative Research Librarians (LRL) staff section, NCSL has developed this resource of 50-state compilations covering various issues that concern state legislators and legislative staff. Here you will find a topical, alphabetical listing of legislative and statutory databases, compilations and state charts/maps."

  • "2006 State Legislation Related to Immigration: Enacted and Vetoed, October 31, 2006: In 2006, 570 pieces of legislation concerning immigrants have been introduced in state legislatures around the country. At least 90 bills and resolutions passes the legislatures in 2006. 84 bills were signed into law, more than double the amount of 2005. 6 bills were vetoed. While legislation covered a wide variety of topics, many states focused on education, employment, identification and driver’s licenses, law enforcement, legal services, public benefits, trafficking, and voting procedures."

Newspapers aren't too concerned when non-journalists (like me) post online. Perhaps they will re-think that when the people they lay off try to return the favor...

Online MinnPost Offers Local Coverage

By PATRICK CONDON Associated Press Writer Nov 11, 5:32 PM EST

MINNEAPOLIS (AP) -- The first lead story on, a new daily news site, is a 1,400-word report on the Minnesota Democratic Party's finances.

It's not the kind of flashy tidbit guaranteed to goose online traffic. But flash isn't the idea at MinnPost, a venture staffed mostly by recent casualties of newspaper downsizing.

MinnPost, led by a former Minneapolis Star Tribune publisher and editor, Joel Kramer, is aiming at the small audience they believe is thirsting for substantive local journalism. The site's staffers say that kind of work is on the decline, and they blame it on cost-cutting as the industry faces dwindling circulation and ad revenue.

Almost the model I expect to win. Short, clear tutorials (probably in video format) that you can query as needed. Downside is, you often must look at dozens of truly bad tutorials to find a gem...

Edumax Provides The Basics on Several Computer Topics

11th November 2007

... Edumax, at offers online tutorials of several different topics AND forums for those topics.

There are about two dozen tutorials at this site, covering several aspects of Microsoft Office as well as eBay, several programming languages, and non-programming topics like Success and Debt Management.

The government explains everything. Do they get anything right?

College Students & Privacy: Do Your Homework

By Rebecca Hagelin Thursday, November 8, 2007

... The Department of Education has prepared a brochure to let parents know the facts.

Dilbert explains tech support