Saturday, December 13, 2008

Don't worry, TJX still holds the world record...

http://www.pogowasright.org/article.php?story=20081213064457651

De: Berlin Bank Accused of Country's Largest Data Leak

Saturday, December 13 2008 @ 06:44 AM EST Contributed by: PrivacyNews

Consumers in Germany have been affected by what is being called the country's largest data leak. A Berlin bank has reportedly lost data on thousands of credit card customers -- including their PIN numbers.

Strictly confidential information on over 10,000 credit card customers of the Landesbank Berlin (LBB) was anonymously sent to the Frankfurter Rundschau, the newspaper claimed on Saturday, Dec. 13.

... Supposedly, the data leak originated with another company, AtosWorldline, which LBB had hired to do its accounting.

Source - DW-World.de Related - The Local has additional details.



It's that time of year again, when criminals know they can count on retailers to cover up any loss of credit card information until all the Christmas shopping is done.

http://www.pogowasright.org/article.php?story=20081213064942863

Credit-card data leak in online buys

Saturday, December 13 2008 @ 06:49 AM EST Contributed by: PrivacyNews

As online shopping reaches its annual crescendo of activity, here's another reminder to be mindful of the information you hand out.

A Greensboro company, Innisbrook, has notified thousands of parents across the country that their credit card information may have been compromised. Some parents in the Triangle have found fraudulent charges on their accounts.

Innisbrook works with thousands of schools nationwide and sells things like school supplies and wrapping paper to raise money for the schools.

The security breach happened in August, when many customers were placing orders for bundles of back-to-school supplies.

Twenty-four schools in North Carolina were affected, and only information from customers who placed orders online and paid with a credit card was at risk.

Source - News & Observer



When Customer Service goes bad.

http://www.pogowasright.org/article.php?story=20081213062419224

CheckFree notified approximately 5 million of breach (follow-up)

Saturday, December 13 2008 @ 06:24 AM EST Contributed by: PrivacyNews

No primary sources were provided, but the Wisconsin Office of Privacy Protection is reporting that "An estimated 160,000 online bill paying consumers may have been affected. Notification was sent to approximately 5 million consumers that may have a relationship with CheckFree as a bill paying agent. Letters or emails have been sent from various banks and vendors. The notification letter offers 2 years of free monitoring services."



Little more on the Citibank ATM thefts, but the timeline seems strange... The hack occurred in 2007, was discovered in January 2008, people were arrested in February, but the cards were still being used as late as May? Did Citibank not know what cards were at risk, or was it considered cheaper to let the thefts happen?

http://www.pogowasright.org/article.php?story=20081212135851461

Cyber Crook Pleads Guilty to Looting Citibank Accounts With Hacked ATM Codes

Friday, December 12 2008 @ 01:58 PM EST Contributed by: PrivacyNews

A 28-year-old man caught in the act of using hacked ATM codes to loot Citibank accounts last May pleaded guilty this week to a single count of access device fraud, bringing to five the number of defendants who've entered guilty pleas in connection with an intrusion into an ATM processing server that led to at least $2 million in fraudulent withdrawals this year.

Aleksandar Aleksiev pleaded guilty to a single count of access device fraud in federal court in Manhattan on Tuesday.

Source - Threat Level

[From the article:

A 28-year-old man caught in the act of using hacked ATM codes to loot Citibank accounts last May pleaded guilty this week to a single count of access device fraud,

... In late 2007, an unknown hacker penetrated a server that processes transactions from Citibank-branded ATMs at 7-Eleven convenience stores, and stole customer account numbers and PINs.

... The scheme began unraveling in January, when two alleged cashers — Nue Quni and Luma Bitti — were arrested after a lucky traffic stop caught them with blank cards and a mag-stripe writer in their car.

... Then in late February and early March, the FBI and the U.S. Secret Service arrested two Ukrainian immigrants and two alleged co-conspirators for allegedly using more of the stolen PINs.

... Once the hack came to light in January, Citibank began monitoring the compromised accounts. At the time of the May arrest, according to court records, some $180,000 in stolen cash had walked out of ATMs in the Upper East Side in the previous three days, prompting Citibank to put the 65th Street Branch under physical surveillance.



Surely no one expects politicians to understand privacy? (Or to get too upset when their private data is compromised.)

http://www.pogowasright.org/article.php?story=20081212163159525

FOX 5 Buys Second Info-Loaded Blackberry from McCain Campaign

Friday, December 12 2008 @ 04:31 PM EST Contributed by: PrivacyNews

Personal information for a former Virginia Governor is one of more than 300 'contacts' listed inside a second Blackberry phone purchased by FOX 5 during a fire sale at the McCain-Palin headquarters this week.

FOX 5 Investigative Reporter Tisha Thompson broke the story late Thursday night, just hours after she purchased a $20 Blackberry from the campaign.

Source - MyFOX



Ubiquitous surveillance is good? Failure to point out that this is true only in a perfect world (perfect as defined by me) suggests that someone has lost touch with reality – at least that's what their cellphone tells me. (I think this Prof. just wants to be on Oprah.)

http://www.pogowasright.org/article.php?story=20081213061339647

Less Privacy Means Less Discrimination

Saturday, December 13 2008 @ 06:13 AM EST Contributed by: PrivacyNews

Walking down a city street at night, you can already use your smartphone to check out reviews of the restaurant you’re considering. Should you also be able to check whether any of those teenagers a block away and closing have criminal records?

Yes, suggests Lior Strahilevitz, a professor at the University of Chicago. In fact, your phone might even automatically download that information from the teenagers’ phones.

Source - NY Times

[From the article:

An invasion of privacy? By many standards, yes, but consider current practice, Strahilevitz argued in a pair of articles this year in the law reviews of Northwestern University and the University of Chicago. Most people encountering teenagers size them up by judging their clothing, demeanor and ethnicity — they “profile.” Give people more information, [e.g. arrest records, report cards, psych history Bob] and they can make better, more individualized judgments.

[Law Review article (I can only find one):

http://www.law.northwestern.edu/lawreview/v102/n4/1667/LR102n4Strahilevitz.pdf

REPUTATION NATION: LAW IN AN ERA OF UBIQUITOUS PERSONAL INFORMATION



The end of “process servers?” Next, virtual juries – sit at home, watch the case via streaming video, send in your verdict via instant messaging! “OMG! Guilty!” Perhaps “HSNI” (he's so not innocent!) or “FTB” (fry the bastard!)

http://www.pogowasright.org/article.php?story=20081213061627566

Australian court serves documents via Facebook

Saturday, December 13 2008 @ 06:16 AM EST Contributed by: PrivacyNews

The big question about Facebook is does it have any valuable commercial application? Well it seems that the courts have found one.

Today in what appears to be a first in Australia and perhaps the world, Master Harper of the ACT Supreme Court ordered that a default judgement could be served on defendants by notification on Facebook.

Source - The Age



Trying to find the balance between overreacting and underreacting

http://www.pogowasright.org/article.php?story=2008121306361772

Final Regulations Published on Family Educational Rights and Privacy Act

Saturday, December 13 2008 @ 06:36 AM EST Contributed by: PrivacyNews

Following the tragic April 2007 shootings at Virginia Tech, the U.S. Department of Education published in today's Federal Register final regulations to clarify and give schools greater flexibility in making determinations about disclosures of information from students' education records in order to address threats to the health or safety of students or other individuals. The department published draft regulations March 24.

... The final regulations include changes and clarifications as a result of public comments on the proposed rules that prompted comments from more than 100 individuals and organizations. The regulations will take effect on Jan. 8, 2009.

Among the highlights:

SCHOOL SAFETY

  • In order to provide more flexibility to school administrators, language was removed requiring strict construction of the provision in FERPA that permits disclosure of education records, without consent, in order to deal with health or safety emergencies. Now, in making a determination concerning disclosures, a school may take into account the totality of the circumstances pertaining to a threat to the safety or health of the student or other individuals.

  • The school must record the significant threat that formed the basis for the disclosure and the parties to whom the information was disclosed. If there is a rational basis for the determination, the Education Department will not substitute its judgment for that of the educational agency or institution in deciding to release the information.

  • The final regulations clarify the Education Department's longstanding interpretation that "appropriate parties" to whom schools may disclose in a health or safety emergency include "parents of an eligible student."

[...]

SAFEGUARDING PRIVACY

  • The final regulations contain important recommendations to help educational agencies and institutions meet the challenges of safeguarding education records, especially records contained in electronic data systems.

  • The final regulations update the definition of "personally identifiable information."

Source - U.S. Dept. of Education Related - Final Regulations



Apparently it is more than a Japanese-US cultural difference – it's a Sony cultural failure.

http://news.cnet.com/8301-1023_3-10122375-93.html?part=rss&subj=news&tag=2547-1_3-0-5

Sony needs a common-sense czar

Posted by Greg Sandoval December 12, 2008 3:31 PM PST

... Is there any major consumer company around that seems to understand basic customer relations less than Sony? Isn't rule No.1 in the CR manual, "Don't spy on customers?" If so, then rule 1-A must be: "Take extra care to avoid spying on customers' children."

The latest example of Sony's disconnect with the masses came this week when the company's music division was fined for surreptitiously collecting information on children under 13 years old.

On Thursday, Sony agreed to pay $1 million to the Federal Trade Commission for collecting information on 30,000 children without obtaining parental consent. According to the Associated Press, Sony violated the Children's Online Privacy Protection Act when it collected the data from hundreds of fan sites, including those of such musical acts as Kelly Clarkson, Britney Spears and Christina Aguilera.


Related? Commenters seem to think so...

http://www.pogowasright.org/article.php?story=20081212134831437

Privacy: On Doing No Harm

Friday, December 12 2008 @ 01:48 PM EST Contributed by: PrivacyNews

The launch of the AT&T-backed Future of Privacy Forum last month (see our own interview with principal Jules Polonetsky here) sparked discussion about how digital media should best address the debate. Matthew Wise, CEO, Q Interactive and former senior vice president of account services at Draft, is a member of the Interactive Advertising Bureau board who takes issue with some of the early statements by FPF members. Rather than start the debate over whether data is or should be collected, Wise argues here that the argument really should surround data's proper use.

Source - MediaPost

[From the article:

Wise: Our discussions at the IAB with regulators is that there is no pending legislation, but the risk of that has increased dramatically over the last 24 months. In the last 12 months there has been a stepped-up effort to establish guidelines and privacy processes so that legislation doesn't come about. Most of the legislation that we see is well-intentioned but poorly executed, and often more detrimental than positive to the industry. [I concur, but don't agree with their conclusion that self-regulation will solve all privacy problems Bob]



Interesting arguments

http://www.pogowasright.org/article.php?story=20081212135553959

CO: Judge halts arrests in Weld County tax probe

Friday, December 12 2008 @ 01:55 PM EST Contributed by: PrivacyNews

A judge is questioning the legality of search warrants issued in a Weld County investigation into the alleged use of stolen or fake IDs to claim $2.6 million in tax refunds.

District Judge James Hartmann this week ordered authorities not to arrest anyone else in the case if the arrests are based on information from federal tax returns, saying that information is confidential.

He also demanded that District Attorney Ken Buck explain the legality of the search warrants.

Buck said last month that about 1,300 people may have used stolen or phony Social Security numbers to get refunds. About 35 had been arrested on charges of identity theft or criminal impersonation when Hartmann halted the operation.

Source - Examiner.com

[From the article:

Authorities seized two years of federal tax returns from a Greeley tax preparer's office last month in the investigation.

Hartmann, in a written order, said federal tax return information is protected by privacy provisions of federal law when it's in the possession of a tax preparer.

Buck said his staff researched the privacy issue and consulted with the IRS before getting arrest warrants.

... "I don't care for the order the judge issued because I think these people committed a crime and they need to be held accountable," he said. [Pivotal concept. Does this justify “illegal” evidence gathering? If so, let's wiretap everyone! Oh, wait, we already do that... Bob]



Culture is difficult to change in large corporations, and almost impossible in government where it is more important to protect your turf than to achieve your goals.

http://hardware.slashdot.org/article.pl?sid=08%2F12%2F12%2F2325208&from=rss

Report Rips Government Wireless Network Effort

Posted by Soulskill on Friday December 12, @07:20PM from the effort-is-kind-of-a-strong-word-for-it dept.

coondoggie writes with this excerpt from NetworkWorld:

"Like a bunch of children in a sandbox unable and perhaps unwilling to share their toys, multiple key government agencies cannot or will not cooperate to build a collaborative wireless network. The Government Accountability Office report (PDF) issued today took aim at the Departments of Justice, Homeland Security, and the Treasury which had intended what's known as The Integrated Wireless Network (IWN) to be a joint radio communications system to improve communication among law enforcement agencies. However IWN, which has already cost millions of dollars, is no longer being pursued as a joint development project, the GAO said. By abandoning collaboration on a joint implementation, the departments risk duplication of effort and inefficient use of resources as they continue to invest significant resources in independent solutions. Further, these efforts will not ensure the interoperability needed to serve day-to-day law enforcement operations or a coordinated response to terrorist or other events, the GAO said."



Delay might be a valid legal strategy, but you gotta “know when to fold 'em...”

http://news.cnet.com/8301-13505_3-10122256-16.html?part=rss&subj=news&tag=2547-1_3-0-5

Cisco discovers the FSF wasn't joking

Posted by Matt Asay December 12, 2008 2:07 PM PST

When I read that the Free Software Foundation is suing Cisco Systems over alleged violations of the GNU General Public License (GPL), my first reaction was, "Put that subpoena back in your pocket, FSF." A copy of the complaint is available on PDF.

After all, I figured that it was yet another BusyBox claim and, while I believe that everyone - including open-source developers - has a right and duty to protect its intellectual property, it has seemed lately that the open-source world is becoming as litigious as the proprietary world, and that's not a good thing.

However, reading OStatic's summary of the suit reminded me that the FSF has never been particularly litigious, never visiting the courtroom in 15 years of license enforcement. For the FSF, through the Software Freedom Law Center, to take this action suggests that things must be very bad.

... In a statement, Cisco indicated that it believes itself to be in "substantial compliance" with the GPL, but that's like saying it's almost a virgin. Either you are, or you're not. In this case, given the FSF's nonlitigious track record, I suspect that Cisco is not, in fact, in compliance with the GPL. This, however, is easy to fix: release the code.



Open Source is cheap enough (free) to give vendors a distinct price advantage.

http://news.slashdot.org/article.pl?sid=08%2F12%2F13%2F032242&from=rss

HP Pushes Open Source For Small Businesses

Posted by Soulskill on Saturday December 13, @02:28AM from the financial-motivation dept.

ruphus13 writes

"HP finally begins to actively push open source in its products. From the post, 'HP has been quirky over the years when it comes to open source. It has been, traditionally, a company that supports open source — especially in larger enterprises... Wednesday, it announced two new open source products, geared to small businesses and educational institutions. HP plans on including its 'Mozilla Firefox for HP Virtual Solution' on more of its business class desktop PCs (to a total of seven models between the HP Compaq dc/dx lines in the US, eight models worldwide). Come December 15th, HP will also offer Novell's SUSE Linux Enterprise Desktop on its HP Compaq dc5850 model. The base SLED-equipped model will cost $519, and features the usual open source suspects for the small business setting — OpenOffice, and mail clients such as Evolution.'"


...but proprietary software is profitable enough to allow liberal bribes (campaign contributions) to politicians.

http://news.slashdot.org/article.pl?sid=08%2F12%2F12%2F2122206&from=rss

Windows Cheap Enough For $2B Aussie Laptop Deal

Posted by kdawson on Friday December 12, @06:31PM from the if-you-give-it-away dept.

An anonymous reader writes

"Windows-based netbooks aren't too expensive to be ruled out of the Aussie government's billion dollar promise to give a laptop to every school-aged child, according to several education departments. The admission follows an earlier report that open source machines based on Ubuntu or Mandriva are the only option to deliver up to four million computers to students for under $2 billion. Microsoft itself claimed it will keep costs per unit down by hosting a lot of the educational software in the cloud rather than on the netbook devices."



Another look at the Cloud

http://news.cnet.com/8301-1001_3-10122003-92.html?part=rss&subj=news&tag=2547-1_3-0-5

Handicapping cloud computing: The big picture

Posted by Larry Dignan December 12, 2008 10:17 AM PST

... Lindsay has cooked up this helpful chart that lines up the cloud stack that various vendors are trying to build. While Lindsay forgot a few vendors, the chart provides a handy overview:



For my Computer Forensics students. An example of poor evidence handling? Only one copy?

http://hardware.slashdot.org/article.pl?sid=08%2F12%2F13%2F0057236&from=rss

Recovered Data From a Corrupt DVD Leads To Conviction, 24-Year Sentence

Posted by Soulskill on Friday December 12, @10:14PM from the put-that-in-a-safe-place dept.

Lucas123 writes

"The Santa Cruz, Calif. DA's office had been counting on a DVD with the recorded testimony of a victim in case against a serial rapist, but when they popped the video into the player, nothing came up — the disc was blank. To make matters worse, the cop who performed the original interview with the victim told the DA she never said she was 'forced,' so the judge wasn't going to allow the witness to testify in a case where her original statement to police was in conflict with her current testimony. After two local data recovery firms said there was no way to restore the data, a third was able to recover the police interview from two years earlier, which led the defendant to plead guilty earlier this month. Close call."

[From the article at: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=storage&articleId=9123244&taxonomyId=19&intsrc=kc_top

He said police recalled her statements -- the ones on the corrupted DVD -- as being different from what the victim planned to say during the trial, Isaac said. As a result, Barnes' lawyers claimed that the victim's original police interview, as police remembered it, would have been inconsistent with her trial testimony and therefore would be exculpatory evidence. "The loss of exculpatory evidence is a bad thing and the judge was inclined to punish us by not letting the witness testify because of the allegation that we'd lost the evidence," he said.



Useful site but it still doesn't translate “wife”

http://news.cnet.com/8301-17939_109-10122005-2.html?part=rss&subj=news&tag=2547-1_3-0-5

Nice Translator makes Google's translations sexy

Posted by Josh Lowensohn December 12, 2008 10:02 AM PST

If you like Google's translate service but want something that can do the same phrase in multiple languages at once and in real time, the Nice Translator is worth checking out.

This simple application uses Google Translate to do the heavy lifting. It lets users type in any phrase, in any language, then translates it into one of the other 34 available languages as they type.

The site works fairly well on mobile devices, including the iPhone, though not as well as Google's own mobile-translation page despite its one-language-at-a-time limitation.
