Monday, April 28, 2008

1) If you only improve your security, have you shifted the liability to others? 2) Is that a reasonable strategy, or should “protecting our customers” be in there somewhere?

http://www.pogowasright.org/article.php?story=20080428071107198

(follow-up) Paying breach bill may not buy Hannaford full data protection

Monday, April 28 2008 @ 07:11 AM EDT Contributed by: PrivacyNews News Section: Breaches

Hannaford Bros. Co. said last week that it expects to spend "millions" of dollars on IT security upgrades in response to the recent theft of up to 4.2 million credit and debit card numbers from its systems.

Some of the new measures that the grocer outlined go beyond the controls mandated by the Payment Card Industry Data Security Standard, or PCI. But it isn't clear whether they actually will address the issues that led to the data breach.

Source - Computerworld

[From the article:

Huguelet said that the planned end-to-end encryption of card data also sounds good — on paper. But to make the data hacker-proof, he added, it would have to be encrypted from the PIN entry devices in stores to the systems of the payment-processing firm that authorizes card transactions.

And because almost no payment processors accept encrypted data at this point, Hannaford would likely need to convince the firm it works with to make system changes as well.

Similarly, Hannaford's decision to replace all of its existing PIN entry devices puts it ahead of the curve in meeting a PCI mandate that companies must start using models with built-in support for Triple DES by July 2010.

But in most cases, the Triple DES technology encrypts only a customer's PIN, according to Huguelet. So even if Hannaford was already using such devices, it's unlikely that they would have prevented the card numbers from being compromised, he said.

Litan views Hannaford's plan to bolster its network defenses via the use of intrusion-prevention systems as another step in the right direction. But she said there are indications that the breach may have been the handiwork of a rogue insider — in which case the intrusion-prevention tools probably wouldn't have helped stop the attack.



...because...

http://www.pogowasright.org/article.php?story=20080428065836714

Data “Dysprotection:” breaches reported last week

Monday, April 28 2008 @ 07:10 AM EDT Contributed by: PrivacyNews News Section: Breaches

A recap of incidents or privacy breaches reported last week for those who enjoy shaking their head and muttering to themselves with their morning coffee.

Source - Chronicles of Dissent



“Don't tell us what could go wrong, wait until the e-chad hang, then tell us what we could have done to prevent it...”

http://techdirt.com/articles/20080426/142226957.shtml

New Jersey Court Says Independent Investigators Can Review E-Voting Machines

from the protect-the-vote dept

Last month, e-voting firm Sequoia threatened both independent researchers and New Jersey election officials if those independent researchers were allowed to inspect Sequoia's e-voting machines. This seemed like a very odd threat for a variety of reasons. Why wouldn't Sequoia want its machines inspected? The very fact that it was threatening legal action seemed like grounds to simply never use Sequoia e-voting machines. Sequoia claimed that existing inspections were enough, despite a history of problems in those inspections. Furthermore, Sequoia's own explanations for the problems with its machines in the primary elections this year were wrong. Ed Felten found that Sequoia's explanations didn't actually explain many of the problems. Unfortunately, though, with the threat of legal action, New Jersey agreed not to have Felten test the machines.

However, a New Jersey state judge has now ruled that it's perfectly reasonable for independent inspectors to review the machines. Unfortunately, she pushed back the date for such inspections until September, meaning that it won't affect this year's presidential election -- which will still use machines that may have problems. So while Sequoia didn't succeed in stopping independent examination of its machines, it did stall the process long enough so that the existing machines will stay in use for this year's elections -- despite the long list of problems that have been discovered with them. Apparently, we're still in beta when it comes to democracy.



Do they “get it?”

http://www.nytimes.com/2008/04/28/technology/28ecom.html?_r=1&ex=1367035200&en=4b3a478845a3ea12&ei=5088&partner=rssnyt&emc=rss&oref=slogin

Users Demand Expertise at How-To Web Sites

By BOB TEDESCHI Published: April 28, 2008

If the Internet can make anyone a star, can it turn Barnes & Noble into one, too?

The bookseller has taken another step beyond its traditional business into the online publishing world, recently introducing Quamut.com, a site that teaches Web users things as diverse as the basics of football and how to build a Web site.

... Quamut differentiates itself from the long list of how-to sites like eHow, HowStuffWorks.com and, to a lesser degree, About.com (which is owned by The New York Times Company), with a somewhat novel twist: selling downloadable documents of its otherwise free content.


Some “expertise” isn't fully appreciated...

http://www.bespacific.com/mt/archives/018198.html

April 27, 2008

EU Backs Criminalizing Posting Bomb Making Instructions on Web

European Digital Rights: "The European Ministers of Justice and Internal Affairs have agreed to make publishing bomb-making instructions on the Internet a crime...Justice and interior ministers from the EU member states backed a proposal from Commissioner Frattini to harmonise the normative acts that will make the "public provocation to commit a terrorist offence, recruitment, and training for terrorism" a crime. According to the statements of the EU officials publishing these acts on the Internet completed the European legislation in this domain. They described the Internet as "a virtual training camp for militants, used to inspire and mobilise local groups." Gilles de Kerchove, the EU anti-terrorism co-ordinator, declared that there are approx. 5,000 websites that are used to radicalise young people."



Interesting talk at the Berkman Center

http://tech.slashdot.org/article.pl?sid=08/04/27/1422258&from=rss

Mining the Cognitive Surplus

Posted by kdawson on Sunday April 27, @02:28PM from the looking-for-the-mouse dept.

Clay Shirky has been giving talks on his book Here Comes Everybody — his "masterpiece," per Cory Doctorow — and BoingBoing picks up one of them, from the Web 2.0 conference. Shirky has come up with a quantification of the attention that TV has been absorbing for more than half a century. Shirky defines as a unit of attention "the Wikipedia": 100 million person-hours of thought. As a society we have been burning 2,000 Wikipedias per year watching mostly sitcoms. We're stopping now. Here's a video of another information-dense Shirky talk, this one at Harvard.



Another column on e-discovery, with some interesting links...

http://ralphlosey.wordpress.com/2008/04/26/e-discovery-at-the-harvard-club-in-new-york-city/

e-Discovery at the Harvard Club in New York City

[I had never heard of the Legal Electronic Document Institute, for instance: http://www.gulfltc.org/ Bob]



I wonder if anyone in Congress has heard of these?

http://blog.lib.umn.edu/lawlib/lexlibris/2008/04/congressional_research_video_t.html

Congressional Research: Video Tutorials

The University of California at Berkeley has created several video tutorials that demonstrate how to do Congressional research in the following areas, each of which is highly useful for law students:

Finding bills and Congressional debates from 1989 forward on Thomas

Finding a Congressional report on LexisNexis Congressional

Finding debates from 1873 to the present in print in the Congressional Record.

Note that the video tutorials last from two to five minutes apiece, and that they require Macromedia’s Flash player to be installed on your computer.



Sometimes it's hard to tell the difference between good legal research and great legal research. Here is one or the other, from Stephen Rynerson.

http://www.bbspot.com/News/2008/04/top-11-privacy-policy.html

Lines You Don't Want to See in a Privacy Policy

11. No one will have access to your data, not even my brother-in-law in the Russian mafia.

10. We collect personal information including pages visited and time spent on pages. Also a man will be around tomorrow to collect your fingerprints, a vial of urine and a DNA sample.

9. Sharing is caring. We care about your privacy.

8. We do not ask children under 13 for personal information, but we wouldn't mind if they sent us pictures.

7. Your credit card information will be securely stored using our patented ROT-26 encryption.

6. We reserve the right to use any pictures we may have obtained from your unsecured webcam.

5. We limit access to your personal information to anyone in our company with a computer and an Internet connection.

4. We will not sell your personal information unless offered money for it.

3. Just because we don't share your private information doesn't mean our spyware won't.

2. If an employee from our company shows up at your door with flowers, he certainly didn't get the information from us.

1. We're doing a heckuva job protecting your privacy.
