Saturday, January 19, 2008

It seems J.C. Penney wasn't to blame. Strange how this one is leaking a bit at a time. Stories report either 600,000 or 650,000, all J.C. Penney or 100 retailers or 230 retailers. Should be interesting to see how GE handles this.

(update) 230 retailers affected by data breach after tape lost

Saturday, January 19 2008 @ 12:39 AM EST Contributed by: PrivacyNews News Section: Breaches

A backup tape containing credit-card information from hundreds of U.S. retailers is missing, forcing the company responsible for the data to warn customers that they may become the targets of data fraud.

GE Money, which manages in-store credit-card programs for the majority of U.S. retailers, first realized that the tape was missing from an Iron Mountain secure storage facility in October, said Richard Jones, a company spokesman.

... The tape contained in-store credit-card information on 650,000 retail customers, including those of J.C. Penney, he said. GE Money employees are also affected by the breach.

The missing backup tape was unencrypted.

Although J.C. Penney was the only company that Jones would confirm as affected by the missing tape, that retailer accounts for just a small percentage of all accounts that were compromised. In total, 230 retailers are affected by the breach. "Clearly that number includes many of the national retail organizations," he said.

The tape also contained Social Security numbers of 150,000 customers. When matched with name and address information, Social Security numbers can be used to set up fraudulent credit-card accounts, a common form of identity theft.

Source - InfoWorld

Say something “techie” and cover your ass?

KY: Laptops Stolen From Corbin Social Services Office

Saturday, January 19 2008 @ 06:48 AM EST Contributed by: PrivacyNews News Section: Breaches

Corbin Police are looking for someone who stole nine thousand dollars worth of laptop computers from the Corbin Social Services Office early Tuesday morning.

Police say the computers do contain personal information, but are password protected [worthless! Bob] and encrypted into programs. [Not sure what they are saying. The article suggests that only the password is needed. Bob]

Source -

None of these organizations seem able to keep track of their assets. Perhaps they could learn from the next articles?

(follow-up) KC faulted after probe of IRS tapes missing from City Hall

Saturday, January 19 2008 @ 12:56 AM EST Contributed by: PrivacyNews News Section: Breaches

A federal investigation of missing Internal Revenue Service tapes from City Hall in Kansas City has concluded that the city failed to follow “proper safeguards for protecting federal tax return information.” [Wow! What an insight! Bob]

That conclusion is contained in a heavily redacted report obtained recently by The Kansas City Star under a Freedom of Information Act request to the Treasury Department’s inspector general for tax administration.

The inspector general’s investigation stemmed from the disappearance of 26 IRS computer tapes containing taxpayer information.

Source - Kansas City Star

[From the article:

Nearly all other information in the 42 pages supplied to The Star is redacted. The agency said it was withholding an additional 105 pages because their disclosure “could impede its law enforcement activities.” [Huh? Bob]

... The report says a copy was given to the IRS but not to the U.S. attorney’s office.

... The IRS has never said what information was on the tapes, how many taxpayers were affected, or whether those taxpayers would ever be notified about the missing information.

City officials said they didn’t know how many taxpayers were affected.


NKC School District to use electronic card system to track students riding buses

Saturday, January 19 2008 @ 06:47 AM EST Contributed by: PrivacyNews News Section: Minors & Students

The North Kansas City School District this fall will begin using a radio-frequency identification card system to help officials keep track of students who ride district buses.

Hundreds of elementary school pupils will receive small cards and carry them in their backpacks or pockets [Want to bet? Bob] to automatically record them getting on and off buses. It will give officials instant confirmation that youngsters are on the right buses and were dropped off at the right stops. [What will happen when the system reports the card didn't get on the bus? Calls to parents? Panic? Bob]

Source - The Kansas City Star

Ditto? How did they do this before Facebook? Will they also monitor the pages of the athletes' friends and relatives? It would be easier to keep them in a cage. As for non-athletes, the hell with them?

Software lets officials track student athletes

Saturday, January 19 2008 @ 06:45 AM EST Contributed by: PrivacyNews News Section: Minors & Students

A new software program released last week gives coaches and athletic departments the ability to monitor the Facebook pages of their student athletes.

The software, called YOUDiligence and developed by GlobalNI, is advertised as a tool to help institutions supervise their student-athletes' social networking pages.

Source - The Daily Tar Heel

[From the article:

GlobalNI CEO Bryan Rich stated in an e-mail that student athletes, who are subject to high media exposure, could unknowingly be associating themselves with information that could damage their careers.

"It's important that it's not characterized as an invasive technology," [Oops! Too late. Bob] he said in an interview, stressing that the program was meant to be a safeguard for users. [but remember, the students are not the users. Bob]

Much as we thought... (Takeaway 6: If you are the biggest screw-up, you remain the one every article points to.)

One year later: Five takeaways from the TJX breach

Friday, January 18 2008 @ 11:43 AM EST Contributed by: PrivacyNews News Section: Breaches

One year ago today, The TJX Companies Inc. disclosed what has turned out to be the largest information security breach involving credit and debit card data -- thus far, at least.

The data compromise at the Framingham, Mass.-based retailer began in mid-2005, with system intrusions at two Marshalls stores in Miami via poorly protected wireless LANs. The intruders who broke into TJX's payment systems remained undetected for 18 months, during which time they downloaded a total of 80GB of cardholder data.

... Here, on the one-year anniversary of the breach becoming known, are five takeaways for security managers:

Source - Computerworld

Stupid is as stupid does.

Official: Video destroyed in shock case

Investigator: School Destroyed Video It Was Ordered to Preserve of Students Being Shocked

Staff AP News Jan 18, 2008 10:30 EST

A special education school destroyed videotape showing two of its students being wrongly given electric shock treatments despite being ordered to preserve the tape, according to an investigator's report.

One student was shocked 77 times and the other 29 times after a prank caller posing as a supervisor ordered the treatments at a Judge Rotenberg Educational Center group home in August. The boys are 16 and 19 years old and one was treated for first-degree burns.

... An investigator with the commission, which examines abuse allegations and can refer cases for criminal prosecution, viewed the tapes and asked for a copy, according to the commission's report obtained by The Boston Globe.

But school officials declined, saying they "did not want any possibility of the images getting into the media." The investigator told the school to preserve a copy so state police could use it in their criminal investigation. A trooper later told the investigator the tapes had been destroyed.

Redundant advice, but one interesting statement...

Laptop Security in the Workplace: How to Protect Your Mobile Assets

By John Livingston, CEO, Absolute Software 2008-01-18

As laptop computers become more prevalent in the workplace, Absolute Software's CEO John Livingston says that IT professionals face the new security challenge of protecting hardware and company information that is increasingly mobile. In this environment, the loss of even a single laptop can result in a business-jeopardizing data breach.

In 2008, one of every two computers in the world will be a laptop.

Now this is scary... If it isn't just bad reporting, lots of Security managers could be at risk!

Anti-Spammer Fined For DNS Lookup Of Spammer

from the ouch dept

Anti-spam activists often need to do quite a bit of hunting to track down the real identity of various spammers. Over the years, spammers have become increasingly adept at hiding from those trying to shine light on their activities. However, when one well-known anti-spammer used some standard whois and DNS lookup tools (the same kind many of us use every day) to find out the identity of a spammer, the spammer sued him... and won! The anti-spammer has to pay over $60,000 in fines, and possibly much more once lawyers' fees are added up. The judge ruled that some rather basic tools suddenly constituted "hacking" even though the details don't suggest any actual hacking. The anti-spammer simply used the tools available to get the information necessary. He didn't need to break through any security or do anything malicious to get the info. If you read the ruling, it sounds like a judge could define plenty of perfectly normal online activities as "hacking." Update: There's a good discussion in the comments, suggesting that there's a lot more going on here than is clear from the article itself. The judge's finding of facts suggest that the anti-spammer did some questionable things, including lying and ignoring an injunction -- which certainly hurt his case. However, others are suggesting that the judge's finding of facts are incorrect and there's much more to this story that will come out on appeal.

[From the article:

Hearings in Fargo last October before Judge Cynthia Rothe-Seeger resulted in a surprise 11 January ruling (PDF, transcript with commentary) against Ritz.

Not in the US and only one instance. Why are they releasing this information at all? Must want a budget increase.... Still, something for my Disaster Recovery class.

CIA Claims Cyberattacks At Fault In Blackouts

from the now-they-tell-us dept

A few years back, after a major blackout hit the northeast, many people immediately assumed that it had something to do with a terrorist attack on the electricity system or perhaps a computer worm/cyber attack. It turned out to be neither, but it wasn't that surprising that people jumped to that conclusion. However, afterwards, people began discussing how likely it was that a cyberattack really could take out the power grid for a city, and some people felt that it was fairly unlikely to occur. The CIA, apparently, would disagree. Late Friday, a CIA official claimed that cyberattacks have been to blame for certain blackouts over the past few years, and that the agency had debated whether or not to release that information publicly. Of course, without much in the way of detail, it's difficult to have any sense of what's actually happening here and how accurate the information really is. However, we will repeat what we said after that huge blackout: even if it was a cyberattack, it wasn't particularly damaging. Yes, it was an inconvenience. And, yes, it was annoying, and some businesses were temporarily hurt due to the blackout. But, compared to other types of attacks, shutting off the power certainly seems relatively minor.

Perhaps this is why the CIA is releasing information about a utility hack – sort of a “the threat is real” comment on these regulations? (or is that too obvious?)

Feds Set Standards for Protecting Power Cos. From Cyber-Attacks

By Dan Caterinicchia AP 01/18/08 10:30 AM PT

The Federal Energy Regulatory Commission has approved cyber-security standards to protect the electric industry from hackers. The Edison Electric Institute, which represents investor-owned utilities that supply about 70 percent of the nation's electric generation had advocated for standards and welcomed the decision.

Not sure about the report, but the chart is interesting... (Web 4.0? Aren't we pushing things a bit?)

Semantic Wave 2008 - Free Summary Report for RWW Readers

Written by Richard MacManus / January 17, 2008 9:40 PM

Project10X has just released a 400-page study of semantic technologies and their market impact, entitled Semantic Wave 2008: Industry Roadmap to Web 3.0 and Multibillion Dollar Market Opportunities. The report discusses the emergence of semantic technologies for consumer and enterprise applications, and the evolution from Web 2.0 to the so-called "Web 3.0".

A free 27-page summary of Project10X’s Semantic Wave 2008 Report has been made available to ReadWriteWeb readers.

I hereby Copyright © the following: “Honest Lawyer” “Good Law Firm” “Fight for your rights” “Money Damages” and “Sue the Bastards!” Royalties should be huge! (This lends credence to the old joke: “99% of lawyers make the rest look bad.”)

There Can Be Only One... Cyberlawyer?

from the seriously? dept

In our culture where some companies (and their lawyers) have convinced people that intellectual property gives you total control over things, we start to see some bizarre and ridiculous trademark claims. The latest comes to us via the EFF, who point to a lawyer who has received a trademark on the term "cyberlaw" and is going after other lawyers who use the term which has been in fairly common usage for ages. As the EFF notes, it's especially upsetting that an intellectual property lawyer would abuse trademark law this way in a manner well beyond what trademark law is supposed to do -- while also warning that courts as well as tech companies don't tend to look kindly on people who abuse trademark law.

For my web site class. Create, download and modify... - On The Fly Form Creator

PhpForm is an on the fly, no coding skills needed form maker. There are three steps to making forms your site visitors will fall in love with. The first step involves choosing your color—there are 25 to select from in total. Next you’ll need to pick your field types; there are a variety to choose from: multiple choice, drop-down, address, single line, and the list goes on. Choose as many as necessary. Drag and drop each element to achieve the look and design that you want. Customize each field, using the field properties tool. Finally, preview and save your form. With PhpForm, you can also send entries to email, and save submissions to your database. All of this without writing one single line of code.

Web sites, Part Deux - Make Comics Out of Your Photos

The world of social design has just gotten a breath of fresh air with the arrival of Comiqs, a community bearing comic styled photographs. This Singapore-based newcomer brings a bright combo of levity as fresh and as pure as can be, along with succinct, priceless tales. Take your average photo spread, add comi-esque captions, doodles and borders, and voila, you get something neater and more compelling than just words alone. Check out the featured strip of the day which takes a punch at Ron Paul. Alternatively, browse the obligatory, but funny nonetheless pet comics. Making your own comic is easy; you can drag and drop elements onto your drawing board, and you’re given a variety of different frames and shapes to work with. Once you’ve started, you’ll probably want to create more. On the social side, there’s commenting, rating and profiles.

Friday, January 18, 2008

Is this the “major retailer” stories have been hinting at? Looks too small to me...

Data Lost on 650,000 Credit Card Holders

Friday, January 18 2008 @ 06:54 AM EST Contributed by: PrivacyNews News Section: Breaches

Personal information on about 650,000 customers of J.C. Penney and up to 100 other retailers could be compromised after a computer tape went missing. GE Money, which handles credit card operations for Penney and many other retailers, said Thursday night that the missing information includes Social Security numbers for about 150,000 people.

Source - Newsday editor's note: we had reported this incident on January 7, based on GE Money's report to the NH Dept. of Justice. At the time, we noted that nationwide totals had not been provided in the disclosure notice. New York State's new reporting form does require entities to provide total numbers. Hopefully, NYS will consider publishing the reports on a public web site.

Similar to earlier identity theft – bad guys put their own card reader on top of the ATM's, and record all the data from your card.

CA: Costco customers, staff hit by ID theft

Thursday, January 17 2008 @ 07:11 AM EST Contributed by: PrivacyNews News Section: Breaches

At least 20 Costco employees and customers have told police their banking account information and personal identification numbers have been stolen by thieves who emptied their bank accounts, city spokesman Matt Robinson said.

Investigators suspect the thieves may have used a skimming device

Source -

[From the article:

Investigators suspect the thieves may have used a skimming device, which would have copied debit card information from an ATM, possibly inside the Grant Line Road store, when a card was swiped, Robinson said.

Does this remind you of TJX?

(follow-up) Online Apparel Retailer Settles FTC Charges That It Failed to Safeguard Consumers’ Sensitive Information

Thursday, January 17 2008 @ 02:13 PM EST Contributed by: PrivacyNews News Section: Breaches

An apparel company that collected sensitive consumer information and pledged to keep it secure has agreed to settle Federal Trade Commission charges that its security claims were deceptive and violated federal law. The order against Life is good, Inc. and Life is good Retail, Inc. bars deceptive claims about privacy and security policies and requires that the companies implement a comprehensive information-security program and obtain audits by an independent third-party security professional every other year for 20 years.

... According to the FTC’s complaint, through its Web site, Life is good has collected sensitive consumer information, including names, addresses, credit card numbers, credit card expiration dates, and credit card security codes. Its privacy policy claimed, “We are committed to maintaining our customers' privacy. We collect and store information you share with us - name, address, credit card and phone numbers along with information about products and services you request. All information is kept in a secure file and is used to tailor our communications with you.” Contrary to these claims, the FTC alleges that Life is good failed to provide reasonable and appropriate security for the sensitive consumer information stored on its computer network. Specifically, the FTC charged that the company:

* unnecessarily risked credit card information by storing it indefinitely in clear, readable text on its network, and by storing credit security card codes;
* failed to assess adequately the vulnerability of its Web site and corporate computer network to commonly known and reasonably foreseeable attacks, such as SQL injection attacks;
* failed to implement simple, free or low-cost, and readily available security defenses to SQL and similar attacks; failed to use readily available security measures to monitor and control connections from the network to the Internet; and
* failed to employ reasonable measures to detect unauthorized access to credit card information.

The FTC alleges that, as a result of these failures, a hacker was able to use SQL injection attacks on Life is good’s Web site to access the credit card numbers, expiration dates, and security codes of thousands of consumers.

Source - FTC Press Release
Related - FTC files
Related - AP: Apparel firm settles security charges
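The three failures the FTC lists above (clear-text card storage, retained security codes, and an unparameterized query path) are easy to see side by side in code. The following is an added example and is not code from the FTC filing or from Life is good; the `orders` schema, the fake card rows and the function names are constructed for illustration only.

```python
import sqlite3

# Constructed sample rows (fake test-range card numbers, not real accounts).
SAMPLE_ORDERS = [
    ("alice@example.test", "4111111111111111", "2010-12", "123"),
    ("bob@example.test",   "5500000000000004", "2009-06", "456"),
]


def build_db():
    """The pattern the complaint describes: full PAN and CVV kept indefinitely in clear text."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, email TEXT, pan TEXT, expiry TEXT, cvv TEXT)"
    )
    conn.executemany(
        "INSERT INTO orders (email, pan, expiry, cvv) VALUES (?, ?, ?, ?)", SAMPLE_ORDERS
    )
    return conn


def lookup_vulnerable(conn, email):
    """User input is concatenated into the statement, so it can rewrite the WHERE clause.

    sqlite3 refuses stacked statements (no '; DROP TABLE'), but a tautology such as
    ' OR '1'='1  still turns a single-customer lookup into a dump of every row.
    """
    sql = "SELECT email, pan, expiry, cvv FROM orders WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Same query with a bound parameter: the input is only ever compared, never parsed."""
    sql = "SELECT email, pan, expiry, cvv FROM orders WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def build_db_hardened():
    """Storage-side fix: keep only the last four digits, never keep the security code."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, email TEXT, pan_last4 TEXT, expiry TEXT)"
    )
    for email, pan, expiry, _cvv in SAMPLE_ORDERS:  # cvv is deliberately discarded
        conn.execute(
            "INSERT INTO orders (email, pan_last4, expiry) VALUES (?, ?, ?)",
            (email, pan[-4:], expiry),
        )
    return conn


def lookup_hardened(conn, email):
    """Parameterized query against the reduced schema; an injection can only expose last-4 data."""
    sql = "SELECT email, pan_last4, expiry FROM orders WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    payload = "' OR '1'='1"
    print("vulnerable  :", lookup_vulnerable(build_db(), payload))     # every row, with CVVs
    print("parameterized:", lookup_parameterized(build_db(), payload))  # []
    print("hardened    :", lookup_hardened(build_db_hardened(), "alice@example.test"))
```

The two fixes are independent: the parameterized query stops the injection, and the reduced schema limits what any future bug can leak. The FTC's wording ("simple, free or low-cost, and readily available") fits both; neither requires anything beyond the database driver already in use.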

“When we authorized them to sell the information we never thought they would actually sell the information!”

UK: DVLA's 5m driver details giveaway

Thursday, January 17 2008 @ 11:49 AM EST Contributed by: PrivacyNews News Section: Non-U.S. News

The DVLA's sale of driver details to anyone with £2.50 to spare must stop, says the Scottish National Party, having uncovered just how many people's records have been sold by the department.

Christine Grahame, an SNP Member of the Scottish Parliament, accused the agency of recklessly handing out driver and vehicle requests to private companies.

Grahame used a Freedom of Information request to discover the DVLA has sold 5.3m driver records since 2002/2003 when it was first allowed to sell the data.

Source - The Register

Long look at the future?

Institutionalized Spying on Americans

Thursday, January 17 2008 @ 07:46 AM EST Contributed by: PrivacyNews News Section: Surveillance

This article reviews two police state tools (among many in use) in America. One is new, undiscussed and largely unknown to the public. The other was covered in a December article by this writer called Police State America. Here it is updated with new information.

The National Applications Office (NAO)

The Department of Homeland Security (DHS) established a new domestic spying operation in 2007 called the National Applications Office (NAO) and described it as "the executive agent to facilitate the use of intelligence community technological assets for civil, homeland security and law enforcement purposes within the United States." The office was to begin operating last fall to "build on the long-standing work of the Civil Applications Committee (CAC), which was created in 1974 to facilitate the use of the capabilities of the intelligence community for civil, non-defense uses in the United States."

With or without congressional authorization or oversight, the executive branch is in charge and will let NAO use state-of-the-art technology, including military satellite imagery, to spy on Americans without their knowledge. Implementation is delayed, however, after Committee on Homeland Security Chairman, Bennie Thompson, and other committee members raised questions of "very serious privacy and civil liberties concerns." In response, DHS agreed to delay operating (officially) until all matters are addressed and resolved.

Source -

If nothing else, something to point to and say “You messed up!”

EPIC Proposes Privacy Conditions for Video Surveillance

Thursday, January 17 2008 @ 10:58 AM EST Contributed by: PrivacyNews News Section: Surveillance

In comments (pdf) filed today with the Department of Homeland Security, EPIC detailed its "Framework for Protecting Privacy & Civil Liberties If CCTV Systems Are Contemplated." EPIC explained that it "does not support the creation nor the expansion of video surveillance systems, because their limited benefits do not outweigh their enormous monetary and social costs." EPIC's guidelines explain that (1) alternatives to CCTV are preferred; (2) there must be a demonstrated need for the system; (3) the public and privacy and security experts must be consulted before the system is created; (4) Fair Information Practices must govern any use of video surveillance; (5) there must be a privacy and civil liberties assessment; and (6) there needs to be room to create enhanced safeguards for any enhanced surveillance. EPIC's framework is based on Fair Information Practices, the Privacy Act of 1974, the 1980 OECD Privacy Guidelines, and the Video Voyeurism Act. See EPIC's page on Video Surveillance.

Source -

What are the implications of the Class Action? If someone gets notice from the RIAA and immediately joins the Class, does that stop progress of the lawsuit?

Exonerated RIAA defendant scores double victory in court

By Eric Bangeman Published: January 17, 2008 - 10:36AM CT

A US District Court judge in Oregon has reaffirmed a magistrate's award of attorneys' fees and the dismissal of exonerated RIAA defendant Tanya Andersen's counterclaims against the RIAA without prejudice so that her class-action lawsuit against the record labels can move ahead.

Andersen, a disabled single mother who resides in Oregon, was sued by the RIAA in February 2005 for distributing gangster rap over KaZaA using the handle "gotenkito." She denied all of the RIAA's allegations and filed the now-dismissed counterclaims in October of that year. After over two years of contentious filings and allegations of misconduct by the RIAA's investigators, Atlantic v. Andersen was dismissed with prejudice after the record labels decided to drop the case.

Andersen was awarded attorneys' fees by the magistrate overseeing the case in September of last year, a decision that was quickly appealed by the RIAA. In a ruling noticed this morning by copyright attorney Ray Beckerman, Judge James A. Redden agreed with the magistrate's findings, writing that "the court's order dismissing Andersen's claims without prejudice provide a sufficient 'judicial imprimatur' on the 'alteration of the legal relationship of the parties' to justify conferring prevailing party status on Andersen."

Judge Redden also upheld the magistrate's decision to dismiss her counterclaims without prejudice so that they could be heard as part of a malicious prosecution lawsuit filed by Andersen last June after the RIAA's case was dismissed, citing the "interests of judicial economy and comprehensive litigation."

Andersen's malicious prosecution lawsuit accuses the RIAA of invasion of privacy, deceptive business practices, libel, slander, and a host of other misdeeds, saying that the RIAA has "engaged in a coordinated enterprise to pursue a scheme of threatening and intimidating litigation in an attempt to maintain its music distribution monopoly." Her complaint contains some very disturbing allegations, including one that labels attempted to contact her then eight-year-old daughter under false pretenses without Andersen's permission.

Andersen is seeking class-action status for her lawsuit, which would allow anyone who was "sued or were threatened with sued by Defendants for file-sharing, downloading or other similar activities, who have not actually engaged in actual copyright infringement" to join the lawsuit. The RIAA has denied any wrongdoing and has moved for dismissal of the lawsuit.

Thursday, January 17, 2008

Close to home...

CO: Credit Card Numbers At Online Grocer Stolen

Wednesday, January 16 2008 @ 02:30 PM EST Contributed by: PrivacyNews News Section: Breaches

Several employees and customers of Aspen Grove Market in Boulder have complained about apparent identity theft and the stealing of their credit card numbers, police said Wednesday. Aspen Grove Market is an online grocery delivery service at 2885 Wilderness Place in Boulder.... Police believe there may be more victims.

Source -

I have a heavily encrypted copy of the Constitution on my hard drive...

Pretty Good Privacy Causes Legal Problems for a Vermont Court

Wednesday, January 16 2008 @ 11:35 AM EST Contributed by: PrivacyNews News Section: In the Courts

Pretty Good Privacy is encryption software used to protect computer files. One Canadian man, Sebastian Boucher, uses the PGP program to protect certain files, and those password-protected files are the focus of the US District Court in Vermont.

... Boucher is being asked to provide the password to open the Z drive, however Magistrate Judge Jerome J. Niedermeier says “If Boucher does know the password, he would be faced with the forbidden trilemma: incriminate himself, lie under oath, or find himself in contempt of court.”

It’s a tricky case. A privacy and technology expert, Mark D. Rasch, says that ruling will be a “dangerous” one for law enforcement. “If it stands, it means that if you encrypt your documents, the government cannot force you to decrypt them…So you're going to see drug dealers and pedophiles encrypting their documents, secure in the knowledge that the police can't get at them."

Source - TransWorldNews
Related - Washington Post: In Child Porn Case, a Digital Dilemma


Child porn defendant locked up after ZIP file encryption broken

Posted by Declan McCullagh January 16, 2008 10:38 AM PST

Government investigators were able to easily break the ZIP file encryption that a Texas man allegedly used to conceal illegal images, a recent court case shows.

Updating 1984 technology. Thanks Microsoft!

How computer spy in the office will monitor everything you do

David Brown, Elizabeth Judge From The Times January 16, 2008

Every aspect of computer users’ lives — from their heartbeat to a guilty smile — could be monitored and immediately analysed under the futuristic system detailed in Microsoft’s patent application.

Details of the planned “Big Brother” system are revealed in an application to the US Patent and Trademark Office, seen by The Times, over seventeen pages of text with ten diagrams.

The systems work not only through desktop or laptop computers but even through mobile phones or handheld PCs, meaning that even out of the office the employee can still be monitored. In its most advanced format, the system will monitor users’ private interests.

I wonder if they'll add Geek? - Speak in Tongues, Really

Whoever said learning languages is easy. It’s not. Forget high school Spanish 101 or that college Italian minor you thought might give you the upper edge in ordering pasta all’amatriciana with real unsmoked, pig jowl. So far the easiest way to pick up a language is to pack your bags and spend a few months in the language of your choice—that or an expensive Berlitz type deal that somehow leaves you craving something more authentic. If you really want to learn a language without spending thousands of dollars or leaving the country, try Babbel. Babbel is a rich new Flex application that helps you wrap your tongue around the subtleties of Italian, English, German, French or Spanish. And it’s got a social twist. Send messages to users, create your own lesson plans, vocabulary, and get motivated. Babbel uses images and audio to help you learn. You can submit your own content as well. Or if you feel your learning experience could be better, feel free to add to the available content. And you don’t have to worry about paying—the only thing Babbel requires is an open mind and a willingness to learn.

Here's a thought. The writers deal with these folks because they have a functioning model to pay the writers. Is that automatically rejected by Hollywood? - Original Internet Programming

If you think you will be craving original programming once the writers’ strike fully affects the airwaves, you should tune into 60 frames now. The site, which hosts a handful of original shows produced to be broadcast exclusively over the internet, has struck a goldmine with their programming lineup, and plans to produce regular episodes for their multiple series. The programs are reminiscent of some HBO shows- there are little or no restrictions, they often deal with unusual themes or subgroups, and they are hilarious. The site is welcoming new actors and producers, distribution sites (they are often aired over social networking sites), and national advertisers.

Wednesday, January 16, 2008

Sound familiar? We may have another TJX! (Think of TJX as a “proof of concept” attack and now the crime group is selling attacks to order... May be related to cyber-espionage – see the article below.)

"Major Retailer's" Data Breach Results In Wave Of Credit Card Fraud?

Tuesday, January 15 2008 @ 01:09 PM EST Contributed by: PrivacyNews News Section: Breaches

Anecdotal evidence suggests that a recently reported data breach by an undisclosed "major retailer" has resulted in a jump in consumers having their debit cards forcibly reissued, or calls from their bank to verify their recent purchase history. The problems seem to have started just around Christmas time and have continued into mid-January. [Starting right before Christmas may be strategic – Retailers want the Christmas business and therefore won't raise flags that could impact sales. Bob]

The thefts cut across all types of credit cards, but one of the common threads is that the cards are being used to purchase physical products in-store. This is a contrast to the big credit card reissue last year when stolen debit cards were being used to make fraudulent ATM withdrawals. Which retailer? Who's behind it? Nobody knows and we won't find out for some time, not until the cops catch the robbers. Until then, here's all the people on our site talking about the recent seeming surge of fraudulent activity.

Source - The Consumerist (blog)

There is always a cost to a data spill...

Nashville laptop theft may cost $1 million

With Social Security numbers at risk, county officials offer registered voters in Tennessee county a year of free identity theft protection at a cost of $10 per account

By Robert McMillan, IDG News Service January 14, 2008

... County election officials began notifying residents of the breach on Jan. 2, and the local government is offering victims one year of free identity theft protection from Debix Identity Protection Network.

Debix says that 25 to 35 percent of victims of this type of breach typically request this service. With the city paying Debix just under $10 per account, the price tag for the laptop theft is expected to be in the $1 million range.

... "It is a very bad information-handling practice to keep sensitive information about individuals including their Social Security numbers on an unencrypted laptop or any other device that is removable," said Paul Stephens, director of policy and advocacy with Privacy Rights Clearinghouse, a privacy advocacy group that has tracked the exposure of 217 million records in the United States over the past three years.

Associations like this will tend to implement “least common denominator” levels of security. (Why would members pay for more security here than on their own systems?)

web site exposure of personal information

Tuesday, January 15 2008 @ 05:00 PM EST Contributed by: PrivacyNews News Section: Breaches

In response to a blog entry on Chronicles of Dissent discussing concerns about the Direct Marketing Association's method for opting out of mailing lists, a reader reported that the DMA's site was exposing users' personal details. According to details subsequently provided, after registering at the site, the user logged in to his account. Once logged in, it was a simple matter to change the customerid that showed in the url to see other consumers' full names, addresses, email addresses, and passwords. The passwords were exposed in clear text.

According to the consumer, there were about 30,000 consumers' details in the database.

The site was taken offline shortly after they received his email alerting them to the problem. It is now back online using a different authentication system, but the consumer notes that the password cookie is still displaying/storing the password in clear text. [Apparently, they didn't read the entire email... Bob]

Attempts to get a statement from DMA have been unsuccessful, and it is not clear whether their other opt-out web pages/databases also suffered from the same vulnerability or if anyone attempted to access others' data via any of their databases. DMA did not respond to a separate email inquiry last week as to whether they store or purge the credit card number they require for identification verification.

Should they provide a statement or response, this post will be updated.

Thanks to Forrest for alerting me to this breach and for the additional detail he provided.
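The two defects in that report, a customerid taken straight from the URL with no ownership check (an insecure direct object reference) and passwords stored and served in clear text, are easy to show side by side. The block below is an added illustration, not the DMA's code: the "legacy" handler reproduces the flaw, and the hardened version adds object-level authorization, a salted PBKDF2 hash instead of the password, and an opaque session token so the cookie never carries the credential. All customer ids, names, e-mails and passwords in it are constructed.

```python
"""Added example, not the DMA's code: an IDOR on customerid and clear-text
password storage next to a hardened version. All names, e-mails, passwords
and ids below are constructed for illustration."""
import hashlib
import hmac
import secrets

# Legacy store, modelled on the report: whole rows including clear-text passwords.
LEGACY_CUSTOMERS = {
    1001: {"name": "Alice Example", "email": "alice@example.org", "password": "hunter2"},
    1002: {"name": "Bob Example", "email": "bob@example.org", "password": "letmein"},
}


def legacy_profile(customerid):
    """Vulnerable handler: trusts the customerid taken from the URL and returns
    the full row. Any logged-in user can walk customerid and read every record,
    password included. Kept here only to show the defect."""
    return LEGACY_CUSTOMERS.get(customerid)


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; the stored string carries its own parameters."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    # constant-time comparison so a wrong guess is not distinguishable by timing
    return hmac.compare_digest(digest.hex(), digest_hex)


# Hardened store: same customers, the password replaced by its hash.
CUSTOMERS = {
    cid: {"name": r["name"], "email": r["email"], "pw_hash": hash_password(r["password"])}
    for cid, r in LEGACY_CUSTOMERS.items()
}
# Session table: opaque random token -> customerid. The cookie carries only the
# token, never the password, so a leaked cookie does not leak the credential.
SESSIONS = {}


def login(email, password):
    """Returns a fresh session token on success, None otherwise."""
    for cid, rec in CUSTOMERS.items():
        if rec["email"] == email and verify_password(rec["pw_hash"], password):
            token = secrets.token_urlsafe(32)
            SESSIONS[token] = cid
            return token
    return None


def profile(session_token, customerid):
    """Hardened handler: the requested record must belong to the session owner.
    Returns None for an unknown session or a foreign customerid, and never
    includes the password hash in the response."""
    owner = SESSIONS.get(session_token)
    if owner is None or owner != customerid:
        return None
    rec = CUSTOMERS[customerid]
    return {"name": rec["name"], "email": rec["email"]}


if __name__ == "__main__":
    print("legacy, no auth:", legacy_profile(1002))   # leaks Bob's row, password included
    tok = login("alice@example.org", "hunter2")
    print("own record:", profile(tok, 1001))
    print("other record:", profile(tok, 1002))        # None: ownership check fails
```

The ownership check is the part the DMA fix apparently missed on the cookie side: swapping the authentication system does not help if the session cookie still carries the password, because anything that can read the cookie (a shared machine, a logged proxy, a careless support ticket) now has the credential itself rather than a revocable token.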

You knew this, right?

Cyber-espionage moves into B2B

The SANS Institute says that cyber-espionage has spilled from governments into the private sector and that it will expand in international business in 2008

By Matt Hines January 15, 2008

... While the United States and Chinese governments, most notably, have accused each other in recent years of carrying out surreptitious hacking campaigns aimed at stealing strategic information from their respective IT systems -- and many security experts believe that both countries, and many others, are actively engaging in such electronic warfare -- leaders with SANS maintain that the practice has recently begun to spill over into the private sector with greater frequency.

According to the training institute's latest research, cyber-espionage efforts funded by "well-resourced organizations" -- including both government-backed and private efforts -- will expand significantly during 2008, in particular as overseas companies look to gain an upper hand in negotiating business deals with large companies based in the U.S. and Europe.

... SANS reported that the attack of choice in many cases of cyber-espionage is a targeted spear phishing campaign that attempts to dupe workers into opening tainted attachments made to appear as if they come from people they work with.
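The pattern SANS describes, a message that looks like it comes from a colleague and carries a booby-trapped attachment, is something a mail gateway can at least flag. The block below is an added triage example (not SANS tooling and not any vendor's product): it parses a message, checks whether the From display name matches an entry in an assumed employee directory while the address is not that employee's, whether Reply-To points somewhere else, and whether the attachment extension is one that executes or carries macros. The company domain, the directory and the sample messages are all constructed.

```python
"""Added example: triage for display-name impersonation plus a risky attachment.
COMPANY_DOMAIN, EMPLOYEES and the sample messages are constructed, not real."""
import email
import email.utils
import os
from email import policy
from email.message import EmailMessage

COMPANY_DOMAIN = "example-corp.test"  # assumed
# Assumed directory: lower-cased display name -> the only address it should use.
EMPLOYEES = {
    "mark chen": "mark.chen@example-corp.test",
    "jane doe": "jane.doe@example-corp.test",
}
# Extensions that execute or carry macros; a conservative starting list.
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".docm", ".xlsm", ".pptm"}


def assess(raw):
    """Parse one RFC 5322 message and return the findings as a dict."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    reasons = []

    # 1. A colleague's name on an address that is not that colleague's.
    expected = EMPLOYEES.get(name.strip().lower())
    if expected and addr != expected:
        reasons.append(f"display name '{name}' belongs to {expected} but sender is {addr}")

    # 2. Replies quietly redirected to a different mailbox.
    reply_to = email.utils.parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        reasons.append(f"Reply-To {reply_to} differs from sender {addr}")

    # 3. Attachment types that run code when opened.
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    for fn in attachments:
        ext = os.path.splitext(fn.lower())[1]
        if ext in RISKY_EXT:
            reasons.append(f"risky attachment type {ext}: {fn}")

    return {
        "from": addr,
        "external": domain != COMPANY_DOMAIN,
        "attachments": attachments,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def build_sample(from_hdr, filename, reply_to=None):
    """Constructed test message; the attachment body is a placeholder."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "jane.doe@example-corp.test"
    m["Subject"] = "Revised terms before tomorrow's call"
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content("Mark here, please look at the attached before we talk.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    samples = [
        build_sample('"Mark Chen" <mark.chen@example-mail.test>', "terms.docm"),
        build_sample('"Mark Chen" <mark.chen@example-corp.test>', "terms.pdf"),
    ]
    for r in map(assess, samples):
        print(r["from"], "suspicious" if r["suspicious"] else "ok", r["reasons"])
```

Checks like these catch the lazy version of the attack; a well-resourced campaign that has already compromised a genuine internal mailbox passes all three, which is why attachment detonation and least-privilege on the workstation still matter after the gateway.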

Pass this to your IT Department. (Good for AT&T!)

AT&T To Replace 17,000 Batteries

Posted by kdawson on Tuesday January 15, @05:05PM from the fire-to-the-node dept. Power Communications

An anonymous reader writes "After four fires in two years — see earlier Slashdot discussions for background — AT&T is going against its own independent lab findings and declaring that the Avestor batteries powering its U-verse network aren't safe and need to be replaced. This is the network that SBC was building out prior to acquiring AT&T. Following the latest broadband equipment cabinet explosion in Wisconsin, the carrier says it will swap out 17,000 batteries deployed in several states across its network."

Is “go to hell” a direction?

Is GPS liability next?

By Eric J. Sinrod Story last modified Wed Jan 16 04:00:03 PST 2008

An automobile driver recently was held responsible for crashing a rental car into a train after following global positioning system instructions that put his rental car onto the train tracks.

This raises the specter of automobile drivers pointing the liability finger at GPS providers and filing lawsuits against such providers when GPS instructions are not accurate.

The facts of the particular rental car-train crash were reported at (a news outlet for New York's Lower Hudson Valley) on January 3.

I would expect Pirate Bay will put the document online and ask a few thousand users to help review it – piece of cake.

Pirate Bay Gets a 4,000-Page Complaint

Posted by kdawson on Tuesday January 15, @10:27PM from the ianal-but-that's-a-lot dept. The Courts

I Don't Believe in Imaginary Property writes "Swedish prosecutors appear to be close to finally pressing charges against The Pirate Bay, having served them with 4,000 pages of legal papers. While this might appear bad, the administrators have already moved some of the servers out of the country, so Swedish prosecutors can't shut it down, even if they want to. Moreover, the people of Sweden are decidedly on their side, with the Pirate Party, which is sympathetic to TPB's cause, being one of the top ten political parties in the country. Still, this looks like a dirty trick on the part of the prosecutors — like they're dumping all of this on the defendants in the hope that they won't have enough time to sort through it and defend themselves. For comparison, the second-biggest murder case in Sweden required only 1,500 pages." [Yeah, but knives and guns are old technology that doesn't take much explaining to a jury. Bob]

Steve does it again. Close to what I think the ultimate business model will be: Access to any movie, in any format, on demand, for a nominal price.

Apple Reinvents Film Biz With iTunes Movie Rentals

By Eliot Van Buskirk Email 01.15.08 | 3:30 PM

The new iTunes movie rentals service, announced Tuesday by Apple CEO Steve Jobs during his Macworld Expo keynote, is powered by deals with all the major film studios and stands to reinvent the way people rent and watch movies, analysts say.

"They really nailed it," Jupiter Research Vice President and Research Director Michael Gartenberg said of Apple's move into movie rentals. "This is going to be extremely disruptive, doing for movies what the iTunes music store did for music."

The new service will let anyone with iTunes or an iPod rent DVD-quality movies with stereo sound for $3 ($4 for new releases). HD movies with 5.1-channel sound cost a dollar more. The "completely reinvented" Apple TV -- sporting an upgraded user interface at a lower price -- allows viewers to place orders from their couches. Unlike Amazon Unbox, which doesn't allow movies to play until they are totally downloaded (generally taking a matter of hours), Apple's new service allows movies to begin just seconds after an order is placed.

Technology in Education. (Probably more fun than building a baking soda volcano.)

High School Sophomores Discover Asteroid

Posted by kdawson on Wednesday January 16, @05:34AM from the october-sky dept.

Several readers sent us the story of three high school sophomores in Racine, Wisconsin who were just notified that a celestial body they had discovered during a science project has been verified as an asteroid. The students at Racine's Prairie School will be given the opportunity to name the asteroid in about four years. They used a telescope in New Mexico, belonging to a college in Michigan, that they controlled over the Net.

Increasingly common, but takes some mining...

January 15, 2008

UC eScholarship Repository exceeds 5 million full-text downloads

Press release: "The University of California announced this week that its widely used eScholarship Repository has surpassed the 5 million mark for full-text downloads of its open access scholarly content. This major milestone reflects the impressive adoption and usage rate the repository has enjoyed since its inception in 2002, with University of California academic units and departments from its 10 campuses publishing or depositing more than 20,000 papers and works."

Tuesday, January 15, 2008

Identity Theft can be expensive, and so is a search for lost data... But don't worry, the taxpayers will foot the bill.

(follow-up) UK: Police seek full costs of HMRC CD search

Tuesday, January 15 2008 @ 06:41 AM EST Contributed by: PrivacyNews News Section: Breaches

Scotland Yard will demand HM Revenue & Customs (HMRC) foot the record bill for the force's hunt for the missing data discs containing 25 million child benefit records.

The Metropolitan Police force has said it will seek full costs from the HMRC for what is being reported as the most expensive lost property inquiry in the UK.

... A spokeswoman for HMRC said the department has agreed to pay the costs that "we have triggered as a result of the police investigation into the disappearance of the child benefit data".

Source -

[From the article:

The Met would not confirm the exact cost of the investigation but an article in The Telegraph says the investigation has cost tens of thousands of pounds, quoting a source at the Yard as saying it had demanded more resources "than you would see used in a major murder investigation".

The Year in review...

Ca: Information and Privacy Post: 2007 Year in Review

Monday, January 14 2008 @ 02:02 PM EST Contributed by: PrivacyNews News Section: Non-U.S. News

... the Hicks Morley Information and Privacy Post is our regular publication on the law of information and privacy. We’ve defined information and privacy in a way that’s broader than most would ordinarily conceive, covering case law on the law relating to privacy, freedom of information, records management, business information and the law of production. We thought that a perspective focussed on any one of these domains was too narrow and wanted to draw interest from all the professionals who manage information – in-house legal advisors, privacy officers, records managers, information technology professionals and others.

This 2007 retrospective includes all of the 2007 cases we have covered.

Source - Hicks Morley [pdf]

(Props, All About Information blog)

This shouldn't surprise anyone. “We can, therefore we must!”

US drafting plan to allow government access to any email or Web search

Monday, January 14 2008 @ 03:07 PM EST Contributed by: PrivacyNews News Section: Surveillance

National Intelligence Director Mike McConnell is drawing up plans for cyberspace spying that would make the current debate on warrantless wiretaps look like a "walk in the park," according to an interview published in the New Yorker's print edition today.

Debate on the Foreign Intelligence Surveillance Act “will be a walk in the park compared to this,” McConnell said. “This is going to be a goat rope on the Hill. My prediction is that we’re going to screw around with this until something horrendous happens.”

Source - The Raw Story
Update: The full-text article can be found here [pdf]
Related - The New Yorker: What we Know (link to audio file)

Bob's first variation to “We can, therefore we must!” is: “We could, therefore we did!” And that introduces the first parallel rule: “We did it for your own good!”

Secret GPS in firefighters' vehicles OK'd

AARON LEO Article Last Updated: 01/14/2008 08:41:10 PM EST

BRIDGEPORT — Departmental hearings against two city fire inspectors — facing termination for allegedly using their work minivans for personal business — will proceed after a Superior Court judge rejected their argument that the Global Positioning System units in their new municipal vehicles violated the state's electronic-monitoring law.

Two other inspectors facing the same charge didn't join the legal challenge.

Judge Deborah Frankel issued the 18-page decision Dec. 31, but city officials didn't receive it until last week.

... It was "the first decision under the electronic-monitoring statute in the state," he added.

The statute requires employers to notify their workers if they are being monitored on the job.

However, under the statute, an employer can monitor workers without telling them when there are "reasonable grounds" to believe illegal activity is taking place or other workers' legal rights are being violated.

“We could, therefore we did!” Political argument 26b: “You want to keep your children safe, right?”

Quiet installation of cameras in Newton schools sparks debate

Tuesday, January 15 2008 @ 06:38 AM EST Contributed by: PrivacyNews News Section: Minors & Students

In the City of Newton, where civil liberties and liberal politics run deep, disclosure that two local schools installed security cameras without informing faculty, the School Committee, or the school community has touched off a debate pitting the right to privacy against protecting valuables in the schools.

Source - Boston Globe

Careful what you do with those cameras! (Perhaps Ford should have someone supervise those recent law school graduates...)

Ford: Car owners are pirates if they distribute pictures of their own cars

Posted by Cory Doctorow, January 13, 2008 10:11 PM | permalink

Josh sez, "The folks at BMC (Black Mustang Club) automotive forum wanted to put together a calendar featuring members' cars, and print it through CafePress. Photos were submitted, the layout was set, and... CafePress notifies the site admin that pictures of Ford cars cannot be printed. Not just Ford logos, not just Mustang logos, the car -as a whole- is a Ford trademark and its image can't be reproduced without permission. So even though Ford has a lineup of enthusiasts who want to show off their Ford cars, the company is bent on alienating them. 'Them' being some of the most loyal owners and future buyers that they have. Or rather, that they had, because many have decided that they will not be doing business with Ford again if this matter isn't resolved."

Why don't we do that at the Super Bowl? We know Osama is a big fan...

Beijing demands personal data for ceremony tickets

BEIJING, Jan 15 (Reuters) - Beijing Olympics organisers have told those who have secured seats for the opening and closing ceremonies to submit photographs and other personal information before they get their tickets.

"To ensure security, eradicate fake tickets, control speculative ticket reselling, and safeguard the lawful interests of the majority of the buyers, a real-name entry system will be applied for the opening and closing ceremonies," they said.

For my web site class, with caution not to let their children grow up to be politicians...

January 14, 2008

New Report: Lessons from the Best Web Sites on Capitol Hill

Press release: "A new report from the Congressional Management Foundation (CMF) on congressional Web sites says the overall quality “continues to be disappointing,” with more than 40% of congressional Web sites earning a substandard or failing grade. The report also contains recognition and praise for the best Web sites on Capitol Hill with the announcement of the winners of the 2007 Gold, Silver, and Bronze Mouse Awards... Funded by a grant from the National Science Foundation, The 2007 Gold Mouse Report: Lessons from the Best Web Sites on Capitol Hill (115 pages, PDF) evaluated 618 congressional Web sites, including those of all Senate and House Members and Delegates, committees (both majority and minority sites) and official leadership sites."

Tools & Techniques

Watch YouTube videos on your iPod, anytime

Ernst-Jan Written on January 15, 2008 – 1:04 pm

... Tooble automatically downloads, converts and imports any YouTube video to play on your video iPod, iPhone, AppleTV, or even on your computer with iTunes. Of course you could already watch videos on the iPhone and iPod Touch using GPS, but the only joy that comes from that is making up original ways of swearing about the damn lack of speed.

It useta-was we had book larn'en, now I don't need ta read ta larn stuff.

New Instructional Video Site — MonkeySee

15th January 2008

... MonkeySee has launched with a lot of instructional videos, adding both user-submitted videos and videos from professionals. The front page covers a lot of bases, from how to solve a Rubik’s Cube to how to buy a diamond to how to do trick shots in pool. Of course there’s the usual crop of “how to” stuff that doesn’t quite fit but looks useful anyway — in this case for fire safety and “flair bartending” (including a nifty and loud way to open a beer. Wonder if this would work for root beer.)

... The interesting thing about MonkeySee is that how-to concepts are gotten across with a series of videos instead of just one. How to get out of a speeding ticket, for example, includes fifteen videos that walk through several steps of what to do when getting pulled over, before going to court, etc.

Monday, January 14, 2008

Isn't this obvious?

(Paper) Confidentiality: An Expectation in Health

Monday, January 14 2008 @ 07:31 AM EST Contributed by: PrivacyNews News Section: Medical Privacy

This article by Anita L. Allen is slated for publication in Penn Guide to Bioethics Springer (2008)

The practice of confidentiality has continued in an era of increased, voluntary openness about medical information in everyday life. Indeed the number and variety of state and federal laws mandating confidentiality by medical professionals has increased in the last dozen years. Moreover, personal injury suits alleging breach of confidentiality or invasion of privacy, along with suits asserting evidentiary privileges, reflect the reality that expectations of confidentiality of medical records and relationships remain strong.

Source - Berkeley Electronic Press

I have to admit, this baffles me. I guess there is no mandatory sanction for lying to the court?

Qualcomm’s “Monumental Discovery Violations” Provokes Only Wimpy Sanctions

The Qualcomm e-discovery saga of lying and cheating finally ended, not with a bang of severe sanctions as most hoped and expected, but with a whimper. The federal court in Qualcomm’s home town talked tough, and spelled out “monumental discovery violations,” including lying and fraud on a grand scale. But in the end it was just empty talk, and, despite the headlines you might have read to the contrary, no serious sanctions were imposed.

The 48 page Sanctions Order dated January 7, 2008, by Magistrate Judge Barbara L. Major does a good job of summarizing the truly incredible litigation misconduct by Qualcomm and its attorneys. Order Granting in Part and Denying in Part Defendant’s Motion for Sanctions and Sanctioning Qualcomm, Incorporated and Individual Lawyers.

... In fact, the Sanctions Order imposed no new monetary penalties on anyone. Qualcomm had already been ordered to pay $8,568,633.24 in fees in the underlying case in Judge Brewster’s Order Granting Broadcom Corporation’s Motion for Exceptional Case Finding and for an Award of Attorney’s Fees. All the Sanctions Order did was provide another basis for the same award. The court makes clear that Qualcomm will not have to pay twice.

In theory, any type of research could benefit from these techniques. Any suggestions?

January 13, 2008

Science 2.0: Great New Tool, or Great Risk?

Scientific American: Wikis, blogs and other collaborative web technologies could usher in a new era of science. Or not. By M. Mitchell Waldrop: "The explosively growing World Wide Web has rapidly transformed retailing, publishing, personal communication and much more. Innovations such as e-commerce, blogging, downloading and open-source software have forced old-line institutions to adopt whole new ways of thinking, working and doing business. Science could be next. A small but growing number of researchers--and not just the younger ones--have begun to carry out their work via the wide-open blogs, wikis and social networks of Web 2.0. And although their efforts are still too scattered to be called a movement--yet--their experiences to date suggest that this kind of Web-based "Science 2.0" is not only more collegial than the traditional variety, but considerably more productive."

One of these will actually work. Let's hope it's this one. - Lets You Search Inside Audio and Video

There are seemingly hundreds of search engines out there, but none of them are quite like Pluggd. Pluggd wants to change the way you search media content on the internet. Instead of focusing on the text-based web, Pluggd focuses on audio and video content. It provides the tools to help you find the content you want. Pluggd’s HearHere and SeeHere technology lets you search podcasts so you can jump to the exact spot you want. The same goes with video. Pluggd has an extensive catalogue of podcasts even the Library of Congress would be proud of. Pluggd is free to join. Once in, you can create your own favorites playlists, share them, subscribe to shows, download them to watch with your iPod or mobile device, and watch others picks as well. Using the search tools is easy, just type in the word or phrase that you’re looking for in the searchbar. A heatmap will appear on the bottom of the player indicating the points where your word or phrase appears. Use your mouse to see the matches and click on what you want to see or hear. It’s that simple.

Sunday, January 13, 2008

Sounds like Mission Impossible is getting ready to strike...

Laptop, gear stolen from haz-mat truck

Saturday, January 12 2008 @ 11:34 AM EST Contributed by: PrivacyNews News Section: Breaches

A county hazardous-materials-response truck was burglarized last month, resulting in the loss of $35,000 in equipment, including a laptop with phone numbers of 1,000 employees.

No suspects have been identified, and the items, which included lists of the hazardous materials on-site at every San Diego business, plus breathing apparatus and a county officer badge, have not been recovered.

County official Nick Vent said he did not think the theft posed a security threat because access to the laptop's haz-mat lists requires passwords. [Stupid or incredibly naive? Bob]

...The burglary occurred about 4 a.m. on Dec. 9 in La Mesa. A county environmental health specialist parked the truck about 200 yards from his home, Vent said. The burglars smashed through a window and stole nearly everything inside the truck, including two radios, a digital camera, a uniform, and keys to other haz-mat vehicles and a chemical testing lab.

According to a La Mesa Police report, about 750 keys were stolen from the truck. But Vent said that only about 10 keys were stolen, including those for three of the county's five haz-mat trucks and a chemical lab. Locks for the trucks and the lab were changed the following day, Vent said.

Source - SignOnSanDiego

So much for getting your facts straight...

Student Expelled For Facebook Photo Description

Posted by kdawson on Sunday January 13, @07:58AM from the what-is-this-privacy-of-which-you-speak dept. Censorship Education

flutterecho writes "A sophomore at Valdosta State University was expelled after criticizing his university's plan to build two new parking garages with student fees. In a letter apparently slipped under his dorm room door, Ronald Zaccari, the university's president, wrote that he 'present[ed] a clear and present danger to this campus' and referred to an image on the student's Facebook page which contained a threatening description. 'As additional evidence of the threat posed by Barnes, the document referred to a link he posted to his Facebook profile whose accompanying graphic read: "Shoot it. Upload it. Get famous. Project Spotlight is searching for the next big thing. Are you it?" It doesn't mention that Project Spotlight was an online digital video contest and that "shoot" in that context meant "record."' In a post-Virginia Tech world, has university surveillance of online identities gone too far?"

All the earmarks of a Soprano-like scheme...

Courts strip elders of their independence

Within minutes, judges send seniors to supervised care.

By Jeff Kelly, Maggie Kowalski, and Candice Novak Globe Correspondents / January 13, 2008

Should be an interesting read...

EFF Takes On RIAA "Making Available" Theory

Posted by kdawson on Saturday January 12, @05:21PM from the lending-a-welcome-hand dept. The Courts Music

NewYorkCountryLawyer writes "In Atlantic v. Howell, the Phoenix, Arizona, case in which a defendant who has no legal representation has been battling the RIAA over its theory that merely 'making files available for distribution' is in and of itself a copyright infringement, Mr. Howell has received some help from an outside source. On the last day allowed for the filing of supplemental briefs, the Electronic Frontier Foundation filed an amicus curiae brief agreeing with Mr. Howell, and refuting the RIAA's motion for summary judgment. The brief (PDF), which is recommended reading for anyone who wants to know what US copyright law really says, points out that 'contrary to Plaintiffs' arguments, an infringement of the distribution right requires the unauthorized, actual dissemination of copies of a copyrighted work.' This is the same case in which the RIAA claimed that Mr. Howell's MP3s, copied from his CDs, were themselves unlawful."

A PR site for the YouTube age. (Want to be seen as an expert?) - News You Choose

News junkies, producers, and broadcasters alike will love what ClipSyndicate has to offer. It’s the latest video-sharing content site with a focus on news and video news syndication. With ClipSyndicate, everyone profits. ClipSyndicate provides video content producers, advertisers and web publishers an appealing package. Partnering with more than 350 video producers and 250 TV network affiliates such as Bloomberg TV and AP, ClipSyndicate lets your content be seen by thousands and it offers you a new way to generate revenue. Have media you want broadcast? ClipSyndicate will syndicate your clips to thousands of vertical websites, garnering you a larger audience and a significant increase in ad revenue. Advertisers have the opportunity to reach an engaged audience through specific targeted ads. Web publishers can use ClipSyndicate to find content relevant to their website. ClipSyndicate will store and serve the video, as well as offer headlines and news summaries. Currently in beta, ClipSyndicate is free to use.

[Bob's video pick: ]

Innovative archive?

An archive as gripping as it is good

The Economist has shown how backfile digitisation should be done. Mark Chillingworth hits the search button

Mark Chillingworth, Information World Review 07 Jan 2008

Geek out, dudes!

SimCity Source Code Is Now Open

Posted by kdawson on Saturday January 12, @03:01PM from the but-you-can't-call-it-that dept. Programming Games

Tolkien writes "Source code for SimCity has been released under the GPLv3. For legal reasons the open source version was renamed Micropolis, which was apparently the original working title. The OLPC will also be getting a SimCity branded version that has been QA'ed by Electronic Arts. Some very cool changes have been made by Don Hopkins, who updated and ported what is now Micropolis. (Here is an earlier Slashdot discussion kicked off by a submission Don made.) Among other things, it has been revamped from the original C to using C++ with Python. Here is the page linking all the various source code versions. Happy hacking!"