Saturday, March 22, 2008

So another quarter comes to a close. I am ending PowerPoint, Math, Math, Web sites, Math, and Statistics and starting Small Business Management, Marketing, Computer Security and Math. So it is time once again to remind my e-mail “subscribers” that they can stop cluttering their Inboxes and read the blog instead. (Of course this isn't required if you stop the emails at the firewall.)

CyberWar: When you have a tool, there is a tendency to use it.

Cyber Attacks against Tibetan Communities

Posted by ScuttleMonkey on Saturday March 22, @05:22AM from the that's-right-all-the-tea dept. Security The Internet

UnderAttack writes

"The SANS Internet Storm Center reports about an increasing number of sophisticated and targeted cyber attacks against Tibetan NGOs. These attacks appear to be related to attacks against other anti-Chinese groups like Falun Gong. 'There is lots of media coverage on the protests in Tibet. Something that lies under the surface, and rarely gets a blip in the press, [Highly desirous attributes. Bob] are the various targeted cyber attacks that have been taking place against these various communities recently. These attacks are not limited to various Tibetan NGOs and support groups. They have been reported dating back to 2002, and even somewhat before that, and have affected several other communities, including Falun Gong and the Uyghurs.'"


US Olympic tourists warned about monitoring in hotels

Saturday, March 22 2008 @ 08:11 AM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

Americans traveling to China for the Olympic Games in August can expect their hotel rooms there to be monitored, the State Department warned on its website.

"All visitors should be aware that they have no reasonable expectation of privacy in public or private locations," according to the State Department site.

"All hotel rooms and offices are considered to be subject to on-site or remote technical monitoring at all times. Hotel rooms, residences and offices may be accessed at any time without the occupant's consent or knowledge," it said.

Source -

Big Brotherism?

Feds Tout New Domestic Intelligence Centers

By Ryan Singel March 20, 2008 | 8:02:57 PM

... But critics say that "all hazards, all threats" approach sounds suspiciously like the government is building a distributed domestic intelligence service that could easily begin keeping tabs on Americans exercising their First Amendment rights. The scope also seems at odds with the federal government's Information Sharing Environment guidelines, which say these centers are supposed to focus on terrorism.

... Earlier this year, the ACLU issued a warning report about Fusion Centers, complete with an interactive fusion center map. [There are no Fusion Centers in Idaho yet, proving once and for all that potatoes need little surveillance. Bob]

We love and respect our customers...

Comcast Cameras to Start Watching You?

Friday, March 21 2008 @ 06:18 PM EDT Contributed by: PrivacyNews News Section: Businesses & Privacy

If you have some tinfoil handy, now might be a good time to fashion a hat. At the Digital Living Room conference today, Gerard Kunkel, Comcast’s senior VP of user experience, told me the cable company is experimenting with different camera technologies built into devices so it can know who’s in your living room.

The idea being that if you turn on your cable box, it recognizes you and pulls up shows already in your profile or makes recommendations. If parents are watching TV with their children, for example, parental controls could appear to block certain content from appearing on the screen. Kunkel also said this type of monitoring is the “holy grail” because it could help serve up specifically tailored ads. Yikes.

Kunkel said the system wouldn’t be based on facial recognition, so there wouldn’t be a picture of you on file (we hope). Instead, it would distinguish between different members of your household by recognizing body forms.

Source - NewTeeVee

Ditto? Do “shrink wrap” rules apply? How about “bait and switch?”

If You Don't See The Terms Of Service Until After You Buy, Are They Valid?

from the seems-a-bit-unfair dept

There have been lawsuits over software packages that only allow you to see the end user license agreement (EULA) after you've already paid for the software, but does that apply in other situations as well? Broadband Reports points us to the news that for people who sign up for Verizon's FiOS fiber optic broadband, you don't get to see the full terms of service until after it's installed. Verizon claims it's just easier this way -- and that all the important points are explained ahead of time. It also says that users can cancel within 30 days with no penalty if they're uncomfortable with the terms. However, that leaves out the fact that a lot of time and effort went into installing the actual FiOS system, which could also disrupt other systems (in fact, in a few cases -- though certainly not all -- a FiOS installation cuts the old copper line). So, in that case, it would be difficult to just go back to what you had before.

Are they really errors if it is part of the design?

New Study Shows Massive Error Rates In E-Voting Machines

from the that-can-swing-an-election dept

Just as e-voting firm Sequoia is resisting having its machines reviewed independently, the Brookings Institute has put a bunch of e-voting machines to the test, and found error rates around 3% on some of the machines. These weren't errors due to software problems, but usability problems, where the design of the system resulted in people voting for a candidate they did not want. 3% is a huge number, and could easily change the results of an election. While the study found that people generally like e-voting technology, that still doesn't mean it's particularly effective. One other interesting part of the finding: when there was a voter-verified paper trail, it didn't cut down on errors. [Now that's depressing... Bob] This suggests that many voters were either confused or didn't even bother to verify their vote. This should all be very worrisome. Even ignoring the technology problems that these machines have been shown to have, the fact that the design tends to create so many mistake votes should lead people to seriously question the use of e-voting machines.

If we know how to do it, is it negligence to NOT do it?

Training Your Sights on Online Fraud

By Carol Baroudi E-Commerce Times Part of the ECT News Network 03/20/08 4:00 AM PT

... Recent Aberdeen research has shown that those organizations that are getting the best results in both growing user confidence and reducing fraud have over the last 12 months been able to reduce the number of incidents of fraud and reduce financial loss attributable to fraud. Simultaneously, they were able to increase the number of user accounts, the number of online transactions and the number of online transactions per user.

Survey results show that the top performing firms enjoying Best-in-Class performance share several common characteristics:

  • Ninety-two percent authenticate users at the creation of the account;

  • Eighty-four percent use encryption; and

  • Sixty-eight percent monitor transactions.

... The complete report that identifies what Best-in-Class companies are doing to achieve their superior results as well as concrete steps to reduce fraud is available here.

Tools & Techniques: Hacking video.

How to hack RFID-enabled credit cards for $8

Posted on March 19, 2008 12:20 AM

Hacking without hacking? (How Zen)

What Happens To Bounced E-Mails

Posted by ScuttleMonkey on Friday March 21, @04:30PM from the lazy-people-who-can't-configure-mail-servers-to-do-their-bidding dept. Security The Internet

An anonymous reader writes

"The Washington Post's Security Fix blog today features a funny but scary interview with a guy in Seattle who owns the domain name Apparently, everyone from major US banks to the Transportation Security Administration to contractors in Iraq use some variation on the address in the "From:" field of all e-mails sent out, with the result that bounced e-mails go to the owner of 'With the exception of extreme cases like those mentioned above, Faliszek says he long ago stopped trying to alert companies about the e-mails he was receiving. It's just not worth it: Faliszek said he is constantly threatened with lawsuits from companies who for one reason or another have a difficult time grasping why he is in possession of their internal documents and e-mails.'"
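The failure mode in that story is a configuration one: delivery-status notifications (bounces) go to the envelope sender (Return-Path), and replies go to From: or Reply-To:, so any of those headers naming a domain the organization does not own hands the bounced mail, attachments included, to whoever does. The following checker is an added example, not code from the Security Fix article or the Slashdot post. It uses Python's standard `email` library; the owned-domain allow-list, the header samples and the "donotreply-placeholder.example" domain are all constructed placeholders, not the domain named in the article.

```python
"""Outbound-mail sender-domain check (added example, not from the article).

Bounces are sent to the envelope sender (Return-Path); replies go to
Reply-To: or From:. If any of those names a domain the organization does
not control, bounced copies of its mail end up with that domain's owner.
"""
from email import message_from_string
from email.utils import getaddresses

# Constructed allow-list of domains the (hypothetical) organization controls.
OWNED_DOMAINS = {"corp.example", "mail.corp.example"}

# Header fields whose address domains decide where bounces and replies land.
SENDER_HEADERS = ("Return-Path", "Sender", "From", "Reply-To")


def sender_domains(raw_message: str) -> dict:
    """Map each sender-related header to the set of address domains it names."""
    msg = message_from_string(raw_message)
    found = {}
    for header in SENDER_HEADERS:
        values = msg.get_all(header, [])
        addrs = [addr for _, addr in getaddresses(values) if "@" in addr]
        if addrs:
            found[header] = {addr.rsplit("@", 1)[1].lower() for addr in addrs}
    return found


def foreign_sender_domains(raw_message: str, owned=OWNED_DOMAINS) -> dict:
    """Return {header: {domains}} for every sender domain not in the allow-list."""
    return {
        header: {d for d in domains if d not in owned}
        for header, domains in sender_domains(raw_message).items()
        if any(d not in owned for d in domains)
    }


# Constructed sample: the envelope sender and From: use a "do not reply"
# domain the organization never registered (placeholder name, not the
# domain from the article), so every bounce would go to a stranger.
BAD_MESSAGE = """Return-Path: <bounce@donotreply-placeholder.example>
From: Payments Team <noreply@donotreply-placeholder.example>
Reply-To: support@corp.example
To: customer@recipient.example
Subject: Your statement

Statement attached.
"""

# Constructed sample with every sender address on an owned domain.
GOOD_MESSAGE = """Return-Path: <bounces@mail.corp.example>
From: Payments Team <noreply@corp.example>
To: customer@recipient.example
Subject: Your statement

Statement attached.
"""

if __name__ == "__main__":
    for label, raw in (("bad", BAD_MESSAGE), ("good", GOOD_MESSAGE)):
        problems = foreign_sender_domains(raw)
        print(label, "->", problems or "all sender domains owned")
```

Run as a pre-send or log-review filter, the bad sample is flagged on Return-Path and From: while its Reply-To: passes; the fix on the sending side is a no-reply mailbox on a domain you actually own and control, so bounces land in a mailbox you can read and purge.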

I doubt it's a cultural thing; after all, they have American-based PR people. It must be that they don't talk to each other... (Of course, this is similar to the bank that charged you a dollar a month to NOT issue you a debit card.)

Breaking: Sony Won't Charge $50 To Remove Bloatware

By Rob Beschizza March 21, 2008 | 11:13:07 AM

Responding to a tidal wave of outrage, Sony has reversed a plan to charge $50 to remove all the pre-installed applications — often derided as "bloatware" or "craplets" — from its high-end TZ-series notebooks.

Earlier today, PC World reported that Sony would charge $50 for a configuration option called "Fresh Start," which would not include the bloatware. When contacted by Gadget Lab, a spokesperson for Sony said that the company will now remove that charge.

Toward a fully “on demand,” pay by the drink, entertainment industry?

CBC Plans To BitTorrent Its Own TV Program

from the about-time... dept

Four years ago, we were among a group of folks talking about how the combination of BitTorrent and RSS could create a really fantastic online TiVo type solution. Rather than having to wait for your TV to broadcast a show, broadcasters could put the shows online, via BitTorrent, and you could subscribe with RSS, getting every TV show you wanted. Of course, since that time, online hosted video has become more popular, with the likes of YouTube getting much of the attention. However, it looks like the idea of using BitTorrent to distribute TV programs in an authorized manner hasn't disappeared. Joe writes in to alert us that CBC Television up in Canada is planning to distribute copies of their program Canada’s Next Great Prime Minister via BitTorrent right after it airs. And, yes, they'll be doing it DRM-free. As the folks behind the show have said: "The show will [be] completely free (and legal) for you to download, share & burn to your heart's desire." Nice to see some are starting to get it. Rather than locking stuff down, you want to share it as widely as possible.

Wall Street Journal “Hack?”

2008.03.21 • 07:28 EDT

The Wall Street Journal's Web site is already (secretly) free

... The system works like this: If you click on a subscriber-only WSJ link from an ordinary Web site -- say, a link that I post here, or a link from within the Journal's own site -- you'll be sent to a limited version of the article, and you'll be asked to log in to read the whole thing.

But if you click on a link to that same article in Google News, you'll be sent to the full story for free. This is true, also, of WSJ links on Digg, and probably a few other big referral sites, too.

Friday, March 21, 2008

We are learning about some breaches ONLY because we can access the mandatory reports to the states (at least New Hampshire). Is this part of the "Official TJX Keep It Quiet Protocol?"

Lippincott Williams & Wilkins online customer database hacked; hack went undetected for 5 months

Thursday, March 20 2008 @ 02:11 PM EDT Contributed by: PrivacyNews News Section: Breaches

On March 10, Wolters Kluwer notified [pdf] the New Hampshire Department of Justice of a security breach affecting one of its businesses, Lippincott Williams & Wilkins. On February 27th, LW&W was notified by its web hosting company that one of its web sites,, had been hacked. [Strange how few organizations detect breaches themselves... Bob] Consumer information that may have been compromised included names, addresses, telephone numbers, email addresses, credit card numbers with expiration dates, and card verification numbers of customers who made online purchases between August 30, 2007 and February 27, 2008.

The company has notified those affected by mail and arranged for credit watch protection for one year.

Just a statistical point. Notice that the number of records breached is always significantly greater than the current number of students + employees. I wonder if there is a mean around 3-500%?

MA: Lasell College latest to have user data stolen (updated)

Thursday, March 20 2008 @ 12:57 PM EDT Contributed by: PrivacyNews News Section: Breaches

Lasell College reports one of its employees has hacked its network, gaining access to personal information of students, employees and alumni.

The breach, which the school said it discovered on Feb. 6, included information on 20,000 students, employees and alumni, including social security numbers. The school, which has about 1,300 students, said the breach was carried out by a member of its IT department.

Source - Mass High Tech

Update: The college's notification letter to the NH Dept. of Justice is available online. [pdf] The college has also set up a web site for information on the breach:

Ja, you can trust us with your informazion.

German government says 500 computers were lost or stolen in three years

Thursday, March 20 2008 @ 09:04 AM EDT Contributed by: PrivacyNews News Section: Breaches

The German government said about 500 of its computers were either misplaced or stolen [Wishful thinking, unless there have been incidents where the computers were later un-misplaced? Bob] in various administrative departments over the last three years, prompting calls from the opposition for better data protection for citizens.

Source - Forbes

Note from Dissent: in what may be the "Understatement du Jour," Carl-Ludwig Thiele, the deputy parliamentary-group leader of the opposition FDP party, is quoted as responding to the news by saying, "This requires clarification."

I'll follow this one until it fizzles....

Hannaford data breach offers twists from prior attacks

By Associated Press Thursday, March 20, 2008

PORTLAND, Maine (AP) -- At first, it sounded like another in a long line of credit card breaches: Up to 4.2 million account numbers were stolen by thieves who cracked computers at Hannaford Bros. Co., an Eastern supermarket chain.

But the specifics of the crime, revealed this week, included some troubling twists that might expose big holes in the payment industry's security standards.

For one thing, Hannaford said this sensitive data were exposed when shoppers swiped their cards at checkout line machines and the information was transmitted to banks for approval.

... Another intriguing facet is that Hannaford was found -- while the hack was still going on last month -- to be in compliance with the security standards required by the Payment Card Industry, a coalition founded by credit card companies.

... David Navetta, president of InfoSecCompliance LLC, a Denver law firm that concentrates on computer security and regulatory compliance, argues that Hannaford and its assessor may have been tripped up by ambiguity in the PCI standards about when companies must encrypt payment data to cloak it from outsiders.

... Litan argues that the biggest lesson is that the banking industry needs to make it harder for thieves to put stolen credit card data to use. Requiring PINs on credit card transactions, she said, ''would remove 75 to 90 percent of the fraud in the system.'' [I wonder if there is an “Opt in” available from any of the card issuers? Bob]

... Hannaford doesn't store credit card information in its databases and uses a wired network to transfer information, said spokeswoman Carol Eleazer. Hannaford is still trying to figure out, she said, how its thefts occurred.

Related and unique(?) dialog

Insurance broker for Hannaford provides insider view on data theft insurance

Friday, March 21 2008 @ 02:20 AM EDT Contributed by: PrivacyNews News Section: Breaches

I have been exchanging emails off-line with Kevin P. Kalinich, J.D. Kevin is the Co- National Managing Director of the Financial Services Group at Professional Risk Solutions. A couple days ago Kevin emailed me a response to my blog on the Hannaford credit card theft and state of privacy breach insurance. Kevin is a pioneer in this emerging insurance space and I found his insight and experience very valuable. He sent me an excellent (30+ page) whitepaper he authored on the current state of the privacy breach insurance marketplace. Once he finishes his current revisions I hope to add a link to it here. It is a must read for any company considering a privacy breach insurance policy. With Kevin’s permission, here is the dialog we have had so far.

Source - Jamey Heary, on NetworkWorld

Just like Britney Spears? Perhaps we need a "Sell it to the National Enquirer" exception to Privacy law?

2 fired over Obama passport file breach

Thursday, March 20 2008 @ 08:07 PM EDT Contributed by: PrivacyNews News Section: Breaches

Two contract employees of the State Department were fired and a third person was disciplined for inappropriately looking at Democratic Sen. Barack Obama's passport file.

.... McCormack said the department itself detected the breaches, which occurred separately on Jan. 9, Feb. 21 and March 14.

... The three people who had access to Obama's passport records were contract employees of the department's Bureau of Consular Affairs, NBC News reported.

A senior official told NBC News there was "no political motivation" to the incidents, [State has mind erasers? Bob] adding that the three were low-level contract employees doing administrative work and accessed Obama's records out of "curiosity."

Source - MSNBC Related - Obama demands probe over passport breach

Is this e-Entrapment or just a poorly designed sting? Plus a great April Fools Day joke for all your friends!

Click This Link, Go To Jail

from the wide-open-to-abuse dept

Declan McCullagh has written up an article about a questionable tactic used by the FBI to go after people looking for child porn. It set up a honeypot server and then posted links to it on a forum frequented by those who are looking for child pornography. It then used the IP address of people who clicked on the link as enough evidence to charge them with a crime. In the specific case McCullagh discusses, the guy was found guilty of simply clicking on that link. Of course, it's always difficult to separate out legal discussions like this from the fact that it involves child pornography -- which immediately sets off an emotional response. The problem here, though, is that the evidence on which the guy was found guilty could be used to find many people guilty of many things. The FBI didn't even track the referrer log -- just who went to the site. In other words, if someone had taken that link out of the forum and posted it on another site, a blog or sent an email around -- and anyone clicked on it without knowing anything about the link, they could have broken the law. [Fortunately this article was published before April First... Bob] This is open to tremendous abuse. If all you need to do to get someone convicted of child porn charges is get them to click a link, that doesn't seem right. Furthermore, in this case, the only other evidence was two small (admittedly questionable) thumbnail images, that there was no evidence that the guy looked at. In other words, to have enough evidence to convict someone and send them to jail for years (and get them listed as a sex offender), you could just send them an email with a link and some thumbnail images attached. If they click on the link (even if they don't ever look at the attached files), that's enough evidence, according to this case. That seems incredibly problematic.

Interesting question?

Should Kids Get Control Of Their Data When They Come Of Age?

from the but-Dad,-I-don't-want-them-spamming-me... dept

If you're under a certain age, websites (at least under the law in many countries) cannot collect data on you -- or are required to get "consent" from an adult first. However, that's leading to a separate discussion about whether or not kids should have the right to take back that data once they come of age. A parent may agree to share certain data about a kid with a certain website, but once that kid is old enough, what if he wants to revoke that permission? It may sound like a simple thing, but once that data is out there, getting it back is nearly impossible. Yet, some politicians are trying to make that the law, even though it will be almost impossible to enforce in many cases.

Dis mouse got teeth!

Antigua Says It's Going To Start Ignoring US Copyrights (For Real This Time)

from the no,-really,-really,-really dept

Officials in Antigua are now trying to draw a line in the sand, claiming that if the US doesn't finally agree to allow some forms of online gambling by the end of this month, it will go ahead with its threats to ignore US copyrights with the approval of the WTO. As you may recall, back in December, the WTO granted Antigua that right, after a loooooooong series of battles with the US over whether or not the US was violating free trade agreements by banning online gambling. Of course, every time the WTO sided with Antigua, the US would stall, claim the WTO sided with the US (when it clearly did not) and (my personal favorite) claim that even if it had broken trade agreements, it didn't matter any more because the US was unilaterally changing its trade agreements so that it was no longer violating them.

Of course, when Antigua won the final decision in December, allowing the country to ignore US intellectual property rights, the US government and the entertainment industry quickly warned Antigua not to follow through on those plans -- but the US government still won't shift in its position on the matter. Thus, Antigua is agitating to get this show on the road. While it first needs to get one last permission slip from the WTO, once that's in place, it can start ignoring the copyright on American movies and music. Of course, while some are suggesting that it may make sense for The Pirate Bay to move to Antigua, that's not accurate. After all, the WTO has said that Antigua can only violate $21 million worth of intellectual property, and with the way the entertainment industry counts damages, that's like half an album or so.

In fact, that seems to be exactly the angle that the entertainment industry is taking in this fight. An MPAA letter warning: "The proposed retaliation would be impossible to manage. The real and resulting economic harm would vastly exceed any amount the (WTO) might approve, even the grossly exaggerated amount ($3.4 billion) for which Antigua seeks approval, plus the economic harm would extend to other WTO members."

Implications for e-Discovery?

Wells Fargo Launching "Virtual" Safe Deposit Boxes Online

Thursday, March 20 2008 @ 12:56 PM EDT Contributed by: PrivacyNews News Section: Businesses & Privacy

Wells Fargo bank is prepping to launch a new service called vSafe, which will essentially act as a "virtual" (i.e. non-physical) digital safe deposit box. Instead of storing heirlooms, cash, or jewelry, the "virtual" safe is designed to store digital records or copies of records, such as birth certificates or wills.

Wells Fargo will be facing an uphill battle, though.

Source -

[From the article:

The bank plans to charge $4.95 a month for 1-gigabyte (GB) of storage, $9.95 for 3-gigabytes, and $14.95 for 6-gigabytes.

... it isn't giving too many other details on why its service is better than the already copious amount of storage offered for free by the likes of Microsoft and AOL.

Move along. No legal issues here!

Librarian fired after reporting patron viewing child porn

Thursday, March 20 2008 @ 06:46 AM EDT Contributed by: PrivacyNews News Section: Other Privacy News

One California county may be facing a lawsuit by former librarian Brenda Biesterfeld, who says she was fired after alerting authorities that a patron was viewing child pornography on library computers.

A librarian assistant at the Lindsay Library, Biesterfeld was on the job late last month when she noticed 39-year-old Donny Chrisler downloading child porn on library computers. Biesterfeld told her supervisor Judi Hill, who instructed her to issue Chrisler a warning. Instead, Biesterfeld called police the next day. A few days later, Chrisler returned and Biesterfeld noticed he was once again viewing child porn. She notified police, who came and arrested Chrisler on the spot.

According to a press release, the police also confiscated the library's computer that had been used by Chrisler. Supervisor Hill confronted police, accusing them of interfering where they did not belong and assuring them that county librarians were handling the matter internally. After police explained that, since federal law had been violated, it was now a legal matter in their hands, Hill demanded to know who reported the incident. The police protected Biesterfeld's identity. However, she was fired two days later.

Source -

Something for those Law School students reading this blog?

March 20, 2008

Interviews of United States Supreme Court Justices

In Series of Videos, Supreme Court Justices Make Their Case - Justices' candid observations and pet peeves spill forth in legal writing guru Bryan Garner's video interviews. Legal Times, Tony Mauro, March 11, 2008.

  • "...the collection of videos on were shot at the Supreme Court and they star eight of the nine justices speaking passionately, sarcastically, angrily, into the camera as they answer questions about brief writing, oral advocacy and their own love-hate relationships with the written word. Their interviewer, legal writing guru Bryan Garner, quietly posted the eight videos on the Web site in January. Garner has interviewed dozens of judges, lawyers and writers over the years, seeking video clips for use in his profitable legal writing seminars. But he realized the interviews with the justices, conducted a year ago or more, were a unique treasure that he should not profit from, so he put them up without restriction, editing, fee or fanfare."

I wonder if the US could import this system?

'Do Not Call List' has telemarketers worried about hackers eliminating entire phone book

Thursday, March 20 2008 @ 01:01 PM EDT Contributed by: PrivacyNews News Section: Businesses & Privacy

Telemarketers are worried they'll be put out of business by enterprising hackers who figure out how to upload Canada's phone book to the new Do Not Call List.

When the national list is launched in September, consumers will be able to add their names through a website to avoid getting unsolicited calls. Telemarketing executive Jason White says this feature is ripe for abuse.

Source - Vancouver Sun

What a great business model! All the golf nuts (and smarter pro shops) will want it, and no doubt it will make a common gift for golfers... - For Students Of The Game provides free online golf swing analysis software that our members can use to analyze their own swing or any other swing in our extensive library. They can also view their videos side-by-side with any video.

The way it works is very simple and actually quite cool. You have got to start by videotaping your swing. Once you've done that, you will upload the video tape of your swing to There, you will be able to go to step three, which is analyzing your swing, with the same tools that the pros use to make their swing perfect.

Thursday, March 20, 2008

Notice that this happens much faster than it used to...

(follow-up) Hannaford hit with class action suit in data breach

Wednesday, March 19 2008 @ 07:17 PM EDT Contributed by: PrivacyNews News Section: Breaches

Hannaford Bros. Co. has been hit with two class action lawsuits filed on behalf of consumers whose credit and debit card numbers were stolen as a result of a security breach.

A Philadelphia law firm, Berger & Montague, said it filed suit Wednesday in U.S. District Court in Portland, alleging that the supermarket chain was negligent for failing to provide adequate security for computer data. A similar lawsuit filed in U.S. District Court in Bangor named Melinda Ryan as lead plaintiff.

Source -

Related - More Victims Emerge In Credit Card Theft

Just wait until the TSA gets its hands on this data!


States Hand Over the DNA of Newborns to DHS (OpEd)

Marti Oakley writes:

Unknown to most new parents, or those who became parents in the last ten or so years, DNA of newborns has been harvested, tested, stored and experimented with by all 50 states. And all 50 states are now routinely providing these results to the Homeland Security Department.

... There are other nagging problems with this system. Although the national website insists that this harvesting of DNA is a highly visible program, my own polling of parents of newborns, or the grandparents, had no idea that this was being done to their children and grandchildren. Further, not one knew that they had the right to demand the blood and tissue samples be destroyed after 45 days per written request. Even had they known, and the samples were destroyed (you would have no way of knowing if they really were), the information gleaned from them would still be available and on file... in perpetuity.

Worth tracking down this paper...

AU: Privacy reforms to cause industry shake-up

Thursday, March 20 2008 @ 06:43 AM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

Australia could see its biggest data breach yet when tough privacy laws clash with lax security culture.

Amendments to the Privacy Act include a range of sweeping new powers allowing the Privacy Commissioner to enforce the mandatory reporting of new data breaches.

... An Australian Law Reform Commission (ALRC) discussion paper detailing 301 privacy reforms is expected to go to parliament in June after it was delayed past its March 31 deadline.

The reforms will be mandated after the paper and submissions have been discussed in parliament, which industry experts say will be no earlier than 2009.

Source - CIO

[ALRC web site:

Ignorance of the technology is no excuse?

You have right to remain silent; your car may not

Thursday, March 20 2008 @ 06:34 AM EDT Contributed by: PrivacyNews News Section: In the Courts

Raleigh police are building a second-degree murder case against a man accused of drunken driving in part by using a small on-board computer in the man's car. If he's like most people, he didn't know it was even there.

Investigators obtained a search warrant that allowed them to extract information from an instrument known as an event data recorder in the 2001 Cadillac Deville that Kenya Teverris Alston, 31, was driving when he struck a Honda in the early hours of March 1. The driver of the Honda, Matthew Kraft, 21, was killed.

Source - The News & Observer

This pretty much sums it up.


Vendor identifies top five healthcare data security risks

Molly Merrill writes in Healthcare IT News that Absolute Software Corporation, a security software solutions vendor, has identified the top five data security risks most often faced by healthcare facilities. The five risks are:

1. Failure to protect sensitive data beyond encryption.
2. Inability to accurately manage mobile computer assets.
3. Sensitive information on public terminals.
4. Difficulty implementing a comprehensive data security plan.
5. Reluctance to create a data breach policy.

Full story - Healthcare IT News

What? A voting machine with errors? How unimaginable! Fortunately, the logs will reveal all...

Ohio Investigating Possible Vote Machine Tampering Last Year

Posted by Zonk on Wednesday March 19, @03:46PM from the bit-of-dirty-pool dept. Government The Courts Politics

MozeeToby writes

"The Columbus Dispatch is reporting on a criminal investigation currently being performed in Franklin County, Ohio. It seems several voting machines listed a candidate as withdrawn from the race when in fact he wasn't. By the time the investigations tracked down which machines had been affected, the candidate's name was back on the ballot. Normally, we could dismiss this as confusion or a mistake on the part of the voter(s) who noticed it. In this case, the person who first noticed the discrepancy was Ohio Secretary of State Jennifer Brunner. Further compounding matters, the Franklin County Board of Elections had disabled virtually all logging on the machines to speed setup of the ballot. Naturally, the county board remains sceptical of these accusations."

Related. How to steal an election? (Just practicing, but they didn't clean up very well...)

Evidence of New Jersey Election Discrepancies

March 19th, 2008 by Ed Felten

Press reports on the recent New Jersey voting discrepancies have been a bit vague about the exact nature of the evidence that showed up on election day. What has the county clerks, and many citizens, so concerned? Today I want to show you some of the evidence.

Related. “You can't investigate our product.” OR “Trust us. What could go wrong?”

More On Sequoia's Legal Threats Against Ed Felten: The Intimidation Worked

from the freedom-to-threaten-lawsuits dept

Yesterday we covered the threats that e-voting firm Sequoia had sent to Ed Felten and to various officials in New Jersey. Unfortunately, it appears those threats worked: the election officials have backed down and agreed not to send Felten the machine to test. has more details on both the reason for the test and Sequoia's response to the whole mess. The reason? Shockingly enough, Sequoia's e-voting machines malfunctioned during the primary in a way that should scare you: it gave two different vote counts. [Making re-counting twice as easy! Bob] You would think that's a pretty good reason for allowing a qualified, well-respected researcher like Felten to check out the machines. No such luck. Sequoia has tried to explain it away as a bug, but that doesn't explain why the machines shouldn't be tested by a third party.

Sequoia's response to that question is disingenuous, claiming that the company "supports third party reviews and testing of its election equipment." If that's so, then why not Ed Felten? Well, because Sequoia says that the machines have already been through a "rigorous" independent review from an accredited Voting System Test Labs. Ah? Would that be one of the accredited Voting System Test Labs that was barred from further testing for not having proper controls in place and having no evidence that tests were actually conducted? Most of those tests have very limited real-world applicability -- which is what Felten is good at testing. Sequoia also lists out some independent tests in other states that the company was forced into accepting, as if it willingly took part in them. Yet, what the company doesn't explain is what it's so scared of in having Felten test its machine. If the company is confident in the machines, then where's the problem? As a last resort, Sequoia appeals to the fact that such a test would break a licensing agreement, noting that "Licensing agreements are standard practice in the technology industry." That's clearly a cop out. While it may be legally correct, it's no reason not to let a researcher try to figure out if there are any problems with its machines. This isn't some random technology here. This is the technology we're trusting with providing a free and fair election. Sequoia should be ashamed of pulling out legal threats and weak excuses.

I will be watching this. I suspect it is more of the FBI's efforts to prove Congress should “adopt” laws in effect in other countries without mentioning the role they had in drafting them. If this was intended to fight cybercrime, wouldn't they include at least one non-English-speaking country?

The International Cyber Cop Unit

Posted by samzenpus on Wednesday March 19, @09:40PM from the cool-job-title dept. The Internet Government

coondoggie writes

"A group of international cyber cops is ramping up plans to fight online crime across borders. The unit, known as the Strategic Alliance Cyber Crime Working Group, met this month in London and is made up of high-level online law enforcement representatives from the U.S., Australia, Canada, New Zealand, and the United Kingdom. One of the main goals of the group is to fight cyber crime in a common way by sharing intelligence, swapping tools and best practices, and strengthening and synchronizing their respective laws."

[Mandatory FBI Press Release:

“...and they're ugly, too!” Perhaps Comcast should read this blog. I wonder which agency's regulations they have been following? (We know which they ignore...)

Comcast Says FCC Powerless to Stop P2P Blocking

Posted by CmdrTaco on Wednesday March 19, @12:17PM from the impotence-is-a-troubling-issue dept. The Internet

Nanoboy writes

"Even if the FCC finds that Comcast has violated its Internet Policy Statement, it's utterly powerless to do anything about it, according to a recent filing by the cable giant. Comcast argues that Congress has not given the FCC the authority to act, that the Internet Policy Statement doesn't give it the right to deal with the issue, and that any FCC action would violate the Administrative Procedures Act of 1946. '"The congressional policy and agency practice of relying on the marketplace instead of regulation to maximize consumer welfare has been proven by experience (including the Comcast customer experience) to be enormously successful," concludes Comcast VP David L. Cohen's thinly-veiled warning to the FCC, filed on March 11. "Bearing these facts in mind should obviate the need for the Commission to test its legal authority."'"

Tools & Techniques


HyperSnap is the fastest and easiest way to take screen captures from the Windows screen, and text capture (TextSnap™) from places where normal text copy is not possible. HyperSnap combines the power of a first-class screen capture application with an advanced image editing utility - wrapped into one easy-to-use tool!

Wednesday, March 19, 2008

Perhaps not exactly TJX, but big, with the potential to be a great “Bad example” for the textbooks.

Hannaford and the evolution of the data breach

Tuesday, March 18 2008 @ 05:54 PM EDT Contributed by: PrivacyNews News Section: Breaches

As the rash of large data breaches and thefts continues unabated, it’s important to resist the urge to lump them all together. Not all breaches are created equal, and the latest one, at Hannaford supermarkets, illustrates this point perfectly. A lot of people are comparing the incident to last year’s breach at TJX, but the two stories have far less in common than it appears at first blush.

Source - Security Bytes

[From the article:

The details of the Hannaford incident are still pretty murky, but the language in the statement from the company’s CEO and other bits of data that have emerged today suggest that the chain may have been the victim of a man-in-the-middle attack.


Hannaford Bros. Was in Compliance with PCI When Hacked

Tuesday, March 18 2008 @ 06:02 PM EDT Contributed by: PrivacyNews News Section: Breaches

Fraudsters obtained payment card data originating with Hannaford Bros. Co. while the regional supermarket chain was compliant with the Payment Card Industry data-security standard, or PCI. The disclosure may mark the first publicly known breach of a PCI-compliant merchant.

“We were certified [as PCI-compliant] last spring and we were recertified in February,” Hannaford vice president of marketing Carol Eleazer tells Digital Transactions News. She could not identify Scarborough, Maine-based Hannaford’s PCI assessor. Some 4.2 million credit and debit card numbers were exposed in a breach that happened between Dec. 7 and March 10 (Digital Transactions News, March 17). Some 1,800 cases of fraud are believed linked to the breach.

Hannaford’s president and chief executive, Ronald C. Hodge, indicated in a statement on Monday that the hacker or hackers obtained card numbers and expiration dates during the authorization process, implying possible illicit access as data moved between point of sale terminals, electronic cash registers, or servers. The PCI standards require encryption of data that are in transit. Older payment-processing technology can leave wireless data exposed to interception for a fraction of a second during authorizations.

Eleazer did not have further details on Tuesday about exactly how the fraud happened, saying it is under investigation by the U.S. Secret Service and experts inside and outside the company. But she does say that Hannaford had been using data encryption all of last year. In fact, she adds, “in 2007 we had just recently upgraded our wireless encryption.”

Source - Digital Transactions

Related only because they mention Hannaford, but it would be interesting to compare policies. Where do they see the risk?

The pros and cons of data breach insurance

Wednesday, March 19 2008 @ 07:19 AM EDT Contributed by: PrivacyNews News Section: Breaches

Security incidents at the Hannaford Bros. Co. supermarket chain and elsewhere illustrate the importance of a good response plan, but industry experts are less than enthusiastic when asked if such a plan should include data breach insurance.

Some experts say it doesn't hurt to include the insurance as part of a larger data breach response program. But in general data breach insurance is an immature product that lacks uniformity from one provider to the next, others warn.

Source -

Related? Scene of the next big data breach?

March 18, 2008

Study of Worldwide Airports Reveals Wireless Security Risks for Travelers and Airport Operations

Press release: "...AirTight® Networks, the global leader for wireless intrusion prevention systems...issued the findings from its study to assess information security risk exposure of laptop users at fourteen airports in the United States, Canada and Asia. The company set out to understand the risks to business travelers and their corporate networks of data leakage while those airline passengers are sending sensitive information using unsecured wireless access points while at the airports. It found surprising results, however, regarding the security posture of private Wi-Fi networks in these airports as well as the rapid spread of viral Wi-Fi networks.

One of the most surprising findings of this initial study was that some ticketing systems, baggage systems, shops and restaurants were using open or poorly secured wireless networks. Of the Wi-Fi networks detected by AirTight researchers, 77 percent were non-hotspot (i.e. private) networks and of those, 80 percent were unsecured or using legacy WEP encryption, a fatally flawed protocol. Based on detailed analysis of these access points, there is a high probability that some of these networks are used for critical airport logistics and operations. The consequences of this lack of security could result in disruption of baggage or passenger ticketing systems."

Another hack! Perhaps they should take my Computer Security class?

UK: Credit details stolen in Carshalton internet fraud

Wednesday, March 19 2008 @ 07:24 AM EDT Contributed by: PrivacyNews News Section: Breaches

Hundreds of customers have had their credit card details stolen after a Carshalton homeopathic store was hit by internet fraudsters.

Naturally Thinking in Carshalton High Street was targeted by hackers in October 2007 who gained access to customer details via the store's 24-hour online shopping website.

....hackers were able to get hold of customers' credit card numbers and personal details, including addresses.

One customer found a £4000 watch on his credit card bill which he had not bought and several other customers reported between £600 and £800 worth of unaccounted expenditure on their cards.

Source - Wimbledon Guardian

Another interesting (double-secret-probation type) business model.

Don't Want A Debit Card? Key Bank Will Charge You $1 A Month

Wednesday, March 19 2008 @ 07:40 AM EDT Contributed by: PrivacyNews News Section: Businesses & Privacy

After hearing about Hannaford's giant customer data breach yesterday, Brian decided to cancel the debit card he'd used there. That's when he found out that Key Bank really wants you to have a debit card. In fact, they'll charge you a small monthly fee to not have one linked to your "free checking" account. We figure that this means Key Bank makes about $12 a year more off of customers who have linked debit cards—and that if you want greater security on your account, it's going to cost you.

Source - The Consumerist

This falls into the category I call “Don't let 'em gather no evidence!”

UCLA hospital bans cellphones, laptops

Tuesday, March 18 2008 @ 05:08 PM EDT Contributed by: PrivacyNews News Section: Breaches

UCLA’s neuropsychiatric hospital has banned all cellphones and laptop computers after a patient posted group photos of other patients on a social networking website, officials confirmed Monday.

Dr. Thomas Strouse, medical director of the Resnick Neuropsychiatric Hospital, said in a statement that the decision was part of “UCLA Health System’s ongoing efforts to enhance patient privacy and confidentiality in compliance with California’s patient rights law.”

[…] UCLA spokeswoman Dale Tate said the hospital became aware of the posted photos coincidentally from a nurse’s family member. The patients apparently all gave their consent to be photographed, Tate said.

“I was concerned about the potential covert use of such cameras, without the consent of those being photographed, or under circumstances where someone’s agreement to be photographed might not be well-reasoned or fully competent,” Strouse said in the statement.

[…] Other hospitals have banned cellphone cameras as well. Rady Children’s Hospital in San Diego forbade employees from carrying cellphones in patient-care areas after investigators found images of children, taken at the hospital, on a respiratory therapist’s computer and cellphone. The therapist later pleaded guilty to child molestation and exhibiting a minor in pornography.

Source - Los Angeles Times

Another first for New Jersey?

College Gossip Site Under Scrutiny

By BRAD HAYNES Associated Press Writer Mar 18, 8:36 PM EDT

TRENTON, N.J. (AP) -- New Jersey prosecutors have subpoenaed records of JuicyCampus, a Web site that publishes anonymous, often malicious gossip about college students.

Language on the site ranges from catty to hateful and offensive. One thread, for example, on the "most overrated Princeton student" quickly dissolves into name-calling, homophobia and anti-Semitism.

JuicyCampus may be violating the state's Consumer Fraud Act by suggesting that it doesn't allow offensive material but providing no enforcement of that rule - and no way for users to report or dispute the material, New Jersey Attorney General Anne Milgram said Tuesday.

I frequently rant about reliance on passwords. Here is a site (one of many) where you can determine how difficult your passwords would be to guess (using password cracking software) and why... - Test Your Password Strength

The Password Meter is a free program that will assess the general strength of any password you enter, so you can get an idea of how secure your password really is.

No doubt this will solve everything!

Facebook adds privacy features

Wednesday, March 19 2008 @ 06:43 AM EDT Contributed by: PrivacyNews News Section: Internet & Computers

Facebook Inc. is tweaking the privacy settings on its popular online hangout to let users exert greater control over which of their friends are allowed to see personal details they post.

The Palo Alto-based company said it would add features Tuesday night that will give its 67 million active users the option of selecting individual users who can or can't access certain parts of their pages.

Source - Forbes

Electronic devices are merely “containers,” and searching them increases national security, and the moon is made of cheese, and politicians have no hidden agenda, and....

Handhelds, laptops are next privacy frontier

Wednesday, March 19 2008 @ 06:40 AM EDT Contributed by: PrivacyNews News Section: In the Courts

William Leask may seem an unlikely and unseemly poster child for the privacy rights of Canadian travellers, considering he will appear in a Fort Erie, Ont., courtroom today to learn his sentence for crossing the Peace Bridge with child pornography on his laptop computer.

But legal experts say his case raises a larger and often overlooked issue – the power police and security officials have to probe the vast amounts of personal information contained on mobile electronics. They can now get access to mountains of digital information without a search warrant by confiscating or searching physical devices such as laptop computers or cellphones equipped with e-mail, such as BlackBerrys, something experts believe represents a gaping hole in Canadian law.

Source -

[From the article:

The situation in the U.S. has reached the point where some businesses, such as Toronto-based law firm Blaney McMurtry LLP, now require that employees ensure their laptops are “wiped clean” of any sensitive information before they cross an international border. The firm is drafting a similar policy for its BlackBerry devices.

... Most experts agree that the U.S. Constitution states that normally, government officers would need a warrant to search through the contents of someone's BlackBerry, cellphone or laptop. However, Orin Kerr, a law professor at George Washington University, says border crossings are an exception.

This is interesting – but ultimately useless.

Ohio E-Voting Machines Declared A Crime Scene?

from the good-luck-trying-to-pull-out-the-evidence dept

While it's difficult to believe some of the more conspiracy-minded theories that have gone around concerning voting results from Ohio in 2004, the simple fact that there's absolutely no way to go back and review the results highlights exactly the problem with e-voting machines. Ohio's current secretary of state has now declared some of the machines used in the '04 election as a crime scene to be investigated, but everyone admits that there's little to no chance of being able to recreate what actually happened on election night, and no way to tell if the machines acted properly or if they malfunctioned. And, if they did malfunction, there's no way to tell if it was due to an accident or something underhanded. In other words, whether everything worked great or everything worked terribly, there's simply no way to tell. That is why so many of us have trouble with the concept of e-voting machines. Even if they work perfectly, there's no way to confirm that -- and it just leads to more speculation and conspiracy theories about "stolen" elections.

Always a topic of interest – how far behind the industry is the government?

March 18, 2008

DHS Privacy Office - 2008 Data Mining Report

2008 Data Mining Report (PDF, 46 pages), February 11, 2008. "This is the third report by the Privacy Office to Congress on data mining. This report identifies the data mining activities deployed or under development within DHS, as defined by the Data Mining Reporting Act, and describes the framework the Department will use to report on such activities in the future pursuant to Section 804 of the Implementing Recommendations of the 9/11 Commission Act of 2007, entitled, “The Federal Agency Data Mining Reporting Act of 2007” (Data Mining Reporting Act)."

  • 2007 Data Mining Report (PDF, 42 pages). "This is the second report by the Privacy Office to Congress on data mining. This report describes data mining activities deployed or under development within the Department that meet the definition of data mining as mandated in House Report No. 109-699 - Making Appropriations for the Department of Homeland Security for the Fiscal Year Ending September 30, 2007, and for Other Purposes."

The world, she is a-changing

Qwest Land-Line Workers Offered Buyouts

By P. SOLOMON BANDA Associated Press Writer Mar 18, 5:30 PM EDT

DENVER (AP) -- Up to 700 technicians and other Qwest Communications employees who work on traditional land telephone lines have been offered voluntary buyouts, the company announced Tuesday.

Related. Indications another “industry” is dying?

Science Journal Won't Publish Papers Because Authors Want To Put Them On Wikipedia

from the mine,-all-mine! dept

Over the last few months, we've been hearing more and more stories concerning some of the ridiculous levels of control that academic journals exert over the copyrights on the various papers and research they publish. Since many of those journals are ridiculously expensive, much of this important research is basically locked up entirely. This is especially troublesome when it comes to publicly funded research, which you would think should be available to the taxpayers who paid for it. While we've definitely seen a trend towards more open rules to publishing, many journals are still behind the curve. Reader parsko writes in to alert us to the news of the American Physical Society, which withdrew the offer to publish two recent studies in the Physical Review Letters because the authors wanted to be able to publish parts of the study in Wikipedia. Since the APS requires you hand over the rights to the study, they wouldn't allow it, and turned down the papers because of it. Not surprisingly, various scientists are upset about this, pointing out that it seems totally contrary to the purpose of the journal to hide such information using copyright claims. The APS has now said that it will reconsider the policy at its next meeting, but the fact that it even got this far suggests how locked down many of these journals are.

So Bear Stearns is in good hands?

JP Morgan's Insider Trading How-To On Wikileaks

Posted by kdawson on Tuesday March 18, @10:38PM from the ten-bee-five-dash-one dept. Businesses The Almighty Buck

An anonymous reader writes

"In an internal JP Morgan document published recently, Wikileaks exposes JPM's efforts to circumvent insider trading regulations, enabling their wealthy clients to profit even when others are losing. The document reads like a how-to and explains how to take advantage of SEC Rule 10b5-1, which has long been considered ripe for abuse. Now this abuse is publicly documented and will be hard to ignore."

Psst! Pass it on!

Google for Non-Profits

3/18/2008 01:15:00 PM Posted by Chris Busselle, Investments Manager,

Many of you spend your days making this world a better place, and we want to do our part to help. Today, we're excited to launch Google For Non-Profits, a one-stop shop for tools to help advance your organization's mission in a smart, cost-efficient way.

This is an interesting model – do you suppose they have a rep on each campus or work through the schools?

INTERNET INSITE: Take virtual college tours online

Posted at: 03/11/2008 07:46:25 AM By: Justin Piehowski, Web Manager

... Instead of shelling out the cash to visit the campuses all around the country, try heading first over to The site has 360 degree virtual tours of just about every college campus in the country (the University of Minnesota--Twin Cities, my alma mater, is one campus that's noticeably absent).

You must first register on the site before looking, but after that, it is fairly easy to use. Just do a search for the college you'd like to see by name or by selecting a state.

Won't this amaze my Statistics students! (You don't suppose the researchers too have a high “too much beer” correlation?) Perhaps we should get a government grant to study wine, Jack Daniel's, etc.

Scientists' Success Or Failure Correlated With Beer

Posted by kdawson on Wednesday March 19, @05:34AM from the malt-does-more-than-milton-can dept.

mernil sends in an article from the NYTimes that casts a glance at a study done in the Czech Republic (natch) on what divides the successful scientists from the duffers.

"Ever since there have been scientists, there have been those who are wildly successful, publishing one well-received paper after another, and those who are not. And since nearly the same time, there have been scholars arguing over what makes the difference. What is it that turns one scientist into more of a Darwin and another into more of a dud? After years of argument over the roles of factors like genius, sex, and dumb luck, a new study shows that something entirely unexpected and considerably sudsier may be at play in determining the success or failure of scientists — beer."

I wonder what the Swimsuit Issue looked like 53 years ago?

March 18, 2008

Sports Illustrated Poised to Release Free Searchable Archive Dating Back 53 Years

New York Times: On Thursday [March 20, 2008] Sports Illustrated "will introduce the Vault, a free site within that contains all the words Sports Illustrated has ever published [over 53 years] and many of the images, along with video and other material, in a searchable database."

A legend is gone. He wrote: “Any sufficiently advanced technology is indistinguishable from magic.” And “When a distinguished but elderly scientist states that something is possible, he is almost certainly right. When he states that something is impossible, he is very probably wrong.”

Arthur C. Clarke Is Dead At 90

Posted by kdawson on Tuesday March 18, @06:27PM from the pod-bay-doors-are-open dept.

Many readers are sending in word that Arthur C. Clarke has died in Sri Lanka. He wrote over 100 books including 2001: A Space Odyssey and Rendezvous With Rama, and popularized the ideas of geosynchronous communications satellites and space elevators.

Because I like lists...

Top 100 Tools for Learning Spring 2008

Interim rankings as at 19 March 2008