Saturday, April 26, 2008

Close to home

CU-Boulder Alerting Students And Faculty In Wake Of Compromised Continuing Education Computers

Friday, April 25 2008 @ 05:20 PM EDT Contributed by: PrivacyNews News Section: Breaches

The University of Colorado at Boulder today announced that it discovered three computers in the Division of Continuing Education and Professional Studies were compromised and that one of the computers contains private data (i.e. names, Social Security numbers, addresses, grades) of approximately 9,000 students and approximately 500 instructors.

Although at this time there is no reason to believe that the data on the computer has been accessed, the university will be contacting the affected students and instructors to provide guidance about how to protect their identities.

An analysis of the data compromise is being conducted by a computer forensics firm hired by the university. While this analysis is still in progress, it is believed that this data compromise affects some students who were enrolled in Division of Continuing Education and Professional Studies courses between 1997 and 2003, as well as some instructors employed by the division. The university will mail letters to affected parties by the end of next week.

Source - University of Colorado - Boulder

First words form SunGard?

Sungard still assessing the scope of breach (update)

Friday, April 25 2008 @ 07:08 PM EDT Contributed by: PrivacyNews News Section: Breaches

As of today, Sungard Higher Education was continuing to investigate and analyze the incident involving a laptop stolen from one of their employees. The total number of clients and individuals who had personal information on the laptop is not yet known. Some more new details did emerge today, however.

In contrast to many recents breaches where a laptop was stolen from an employee's vehicle or home, the Sungard laptop was stolen from an employee while the employee was working at a customer site. [That may complicate liability, but the solution is the same. Encryption. Bob] According to a spokesperson, the employee was not following company policies. In a statement provided to, Laura Kvinge, Senior Director of Communication, wrote, "SunGard Higher Education has strict policies for data retention and the handling of sensitive customer information. In this case that policy was not followed."

In order to assist their customers, and in addition to the web site and FAQ they created quickly to respond to the situation, Sungard is offering one year of credit monitoring membership for all affected individuals. In an effort to alleviate the number of calls that the institutions would otherwise have to handle, Sungard has also created a help desk to personally answer calls and assist individuals.

According to Ms. Kvinge, Sungard also offered to assist with the entire notification process, including the production and mailing of notification letters as the institution deems appropriate.

"This incident is a serious matter for SunGard Higher Education. We realize that this challenges the relationship of trust we have built with our customers and we are going to have to work very hard to gain that back."

How to handle the fallout from a security breach? (Remember the “Streisand Effect”)

LendingTree Pressures Blogger To Remove Comments

from the section-230-anyone? dept

You may have heard the story earlier this week about how LendingTree had a security breach as employees were apparently handing out company passwords to mortgage firms, allowing them to access customer data directly. [Not in the articles I read... Bob] LendingTree is now suing the mortgage firms involved. However, LendingTree is apparently trying to crack down on some of the discussion about all of this. On one blog that wrote about the story, a commenter left a comment alleging that LendingTree doesn't actually "let banks compete" but has its own lending center -- which seems to be based on a class action lawsuit that was filed against LendingTree a couple years ago.

However, LendingTree is now putting pressure on bloggers to remove such comments, mentioning that they're defamatory. Of course, thanks to section 230 of the CDA, a blogger is not responsible for defamatory content left by others (they are still responsible for their own defamatory content, of course). While it doesn't appear that LendingTree's legal notes have entirely reached the level of a cease & desist (more like a legalistic nudge), it does sound like they've convinced some other bloggers to remove content that need not be removed. And, of course, by claiming that the content is defamatory, it may scare some bloggers who don't understand their section 230 safe harbors to feel obligated to remove the content.

A mere amateur. The pros were intercepting the wireless signals from another building...

If Top Gov't Officials Need To Leave Blackberries Outside A Meeting, Shouldn't Someone Guard Them?

from the just-a-thought dept

Apparently a Mexican press attache at a meeting with White House officials in New Orleans saw an opportunity and swiped the Blackberries of a bunch of White House staffers. At many such meetings, it's required for attendees to leave their phones and mobile devices outside of the meeting room. You would think that with such high-powered government officials that someone would then be left to guard the devices, but apparently not. This guy grabbed a bunch of the devices and made a run for the airport, where he was caught by Secret Service officials, who promptly showed him the surveillance camera footage of him taking the devices. His response was that he thought the devices had been left behind, and he was merely picking them up to return them to their owners, which might be more believable if the folks weren't still in the meeting room when he grabbed all the devices. Who knows if it's true, but I'm still wondering why no one was guarding the Blackberries.

CyberWar For my Security students

Page last updated at 13:48 GMT, Friday, 25 April 2008 14:48 UK

Hackers warn high street chains

High street chains will be the next victims of cyber terrorism, some of the world's elite hackers have warned.

... "If someone wants to have a pop at the UK, they are unlikely to go for the government web servers. They will go for the lower hanging fruit - companies which are seen as good representatives of the country.

Moving into the 21st Century... Blogging done right!

Beer, Blogs And Bias

from the i'll-drink-to-that dept

The Wall Street Journal has an article focusing on a blog set up by Miller Brewing Company called Brew Blog. There are a few different, interesting points worth discussing here. First, the blog isn't used as a blog about what's going on at Miller Brewing. Instead, Miller hired an experienced reporter, and told him to just cover the beer industry as if he were a beat reporter. In other words, it's reporting news -- and even breaking stories on the competition. In fact, it revealed that main rival Anheuser-Busch was planning a new beer before A-B was able to make the announcement itself. This is certainly a recognition of how content is advertising. The blog clearly isn't "advertorial." It's full-on reporting about the industry, in a way that's interesting and relevant to those in the industry.

What may be even more interesting, though, is what the article says about journalism. In an age in which journalists are whining that their jobs are disappearing, here's yet another example of where suddenly there are new types of jobs for journalists appearing every day. But, even more interesting, is a quote at the end of the article highlighted by David Card. It's from Harry Schuhmacher, the editor and publisher of a fee-based trade publication on the beer industry:

"I tell Miller you're subsidizing a free publication, and it hurts the trade press," he says. "But they don't care."...Mr. Schuhmacher adds that he writes fewer positive pieces about Miller than he once did because he knows Brew Blog will always publish the same stories.

Think about this for a bit. People complain that when you have a company-sponsored publication it will inevitably be biased -- but the sponsorship of that site is totally open and in the clear. The site's content stands for itself. Yet, at the same time, a supposedly "objective" traditional journalist is admitting that he writes fewer stories about Miller because he's upset that it's competing with his own publication. From that, it would certainly seem like the Brew Blog is a lot more credible (it's biases are out in the open), while this fee-based trade pub admits that story choices are sometimes based on personal vendettas.

If I recall correctly, this is called “undue reliance” The computer is NOT always right, nor are procedures always adequate. (Besides, an “irate” judge often writes amusing opinions...)

Judge Slams Florida Authorities For Bogus Toll Fines

from the it's-all-about-the-money dept

It's not just with red light cameras that local authorities are squeezing extra money out of drivers, Consumerist points us to the news that a judge in Florida has tossed out thousands of bogus toll citations, slamming both the Orlando-Orange County Expressway Authority and Florida Turnpike Authority for failing to deal with the fines properly. It appears that some of the fines resulted from malfunctioning toll transponders. The judge noted that this should have been easy for the traffic authorities to correct, but instead they made it a bureaucratic nightmare for those unfairly and incorrectly accused of running tolls. The judge has even gone so far as to bar the two Authorities from issuing any new citations to drivers who have prepaid or credit-card accounts -- to the point that he's instructed the court clerks in both places to refuse to accept any new citations without affidavits swearing that the offenders have no money in their accounts.

[From the article:

"In this technology age, it is hard to believe it would take more than a few computer keystrokes to rectify the problem of matching alleged violators to account holder's vehicles," Galluzzo wrote.

Perhaps they could wire the attorney's chairs in order to deliver instant (1000 volt) sanctions?

April 25, 2008

Long Range Plan for Information Technology in the Federal Judiciary

"The fiscal year 2008 update to the Long Range Plan for Information Technology in the Federal Judiciary articulates five-year directions and objectives for the judiciary’s information technology program. The plan presents the program in terms of five fundamental areas: external participants, court operations, judges and chambers, probation and pretrial services, and information technology infrastructure. This represents a more aggressive effort to identify needs by various constituents. Future updates to the plan will build on this approach and incorporate additional elements."

What do you need to know and how will you find out?

UK: Office snooping software attacked by privacy groups

Friday, April 25 2008 @ 09:41 AM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

Companies are coming under fire from privacy campaigners for rolling out a computer program which enables them to track the communications and contacts of their staff.

... One of the more sophisticated programs, provided by a software company called Contact Networks, analyses the frequency of an employee's communications with their contacts, to distinguish, for instance, between someone contacted briefly in relation to one deal, say, and someone with whom a more long-standing relationship exists.

Source - Times Online

[From the article:

The software can be put to a range of uses, from a simple trawling of the entire company's Microsoft Outlook database to see if any employee knows someone at 'company X', through to a more intrusive approach, including monitoring the content of e-mails on a regular basis.

Perhaps we shouldn't follow their lead...

Department of Homeland Security website hacked!

By Dan Goodin Published Friday 25th April 2008 18:57 GMT

The sophisticated mass infection that's injecting attack code into hundreds of thousands of reputable web pages is growing and even infiltrated the website of the Department of Homeland Security.

While so-called SQL injections are nothing new, this latest attack, which we we reported earlier, is notable for its ability to infect huge numbers of pages using only a single string of text. At time of writing, Google searches here, here and here showed almost 520,000 pages containing the infection string, though the exact number changes almost constantly. As the screenshot below shows, even the DHS, which is responsible for protecting US infrastructure against cyber attacks, wasn't immune.

... The script is also notable for its ability to slip past web application defenses. The SQL query is mostly made up of HEX code, allowing it to obscure itself, at least to apps that use Microsoft SQL. MySQL and PostgreSQL are less easily fooled, according to researcher Ronald van den Heetkamp.

Sites are getting pwned because they fail to sanitize user supplied data.

Got video? For my web site class - Create the Next Big Thing Online

Just as the name implies, Start Your Tube is a site that encourages users to start their own version of YouTube in hopes that it explodes. Start Your Tube allows users to create their own video sharing site within minutes for free, then invite friends to view the uploaded content. Users may customize their own Tube site with colors, text, and graphics, in addition to posted material. Tube creators can easily spread the word about their created site through the “Share” function. Other Tubes can be searched and viewed for inspiration and entertainment. Furthermore, users have the ability to make money from advertising on their Tubes.

I bet they meant to do that – or perhaps none of them have minds like Bevis & Butthead?

OGC unveils new logo to red faces

By Aislinn Simpson Last Updated: 3:58pm BST 25/04/2008

Friday, April 25, 2008

A small breach, but some interesting questions...

'Significant security hole' found in Wisconsin database

Thursday, April 24 2008 @ 10:24 AM EDT Contributed by: PrivacyNews News Section: Breaches

A computer program housing personal information about Wisconsin seniors and disabled people had a "significant security hole," a state health official overseeing the program said in an e-mail obtained by The Associated Press. [AP hacked the email system? Bob]

In addition, a senior center volunteer in McFarland said he could see hundreds of files of people's private information from across the country in the system run by Virginia-based Harmony Information Systems.

Source - Forbes

[From the article:

Chuck Crawford, the deputy security manager at DHFS, said in an e-mail provided to the AP that Harmony would be asked whether it has a confidentiality agreement with the state [Shouldn't the state have a copy? Bob] and what procedures are in place to inform those in the database about how their information is being used.

Another 'consulting firm' with multiple customers' data on their laptops.

Chipotle Mexican Grill, Inc. employee data on stolen USinternetworking laptop

Thursday, April 24 2008 @ 11:13 AM EDT Contributed by: PrivacyNews News Section: Breaches

Chipotle Mexican Grill, Inc. has become the third company to report [pdf] that their employees' personal information was on a laptop stolen from an employee of USinternetworking. The personal information for the unspecified number of current and former employees included name, address, Social Security number.

Source - Notification to employees [pdf]

“Let's randomly select a few potential victims! Won't that be fun!” (Tip of the hat to Gary at the Law Library!)

UNITED STATES: University Computer Breach Risks Data of Students Who Never Went There

Wednesday, April 23, 2008

A computer server at Antioch University containing more than a decade of sensitive information on 60,000 people, some entirely unconnected with the university, was breached three times last year.

The server contained data going back to 1996 on current and former students and employees, as well as on students who had been scouted by the university but never attended or even applied. The data contained ample material for identity theft—Social Security numbers, names, academic records, and payroll records—but university officials said they do not know of any theft connected to the breaches.

University officials noticed something wrong on February 13, 2008, when users who logged into the server received a "mildly profane" message sent by a virus, according to William H. Marshall, the university''s interim chief information officer. The server was taken offline, and an outside company''s forensic investigation of the server found that "an unauthorized intruder" breached the system on June 9, 2007, June 10, 2007, and October 11, 2007. Mr. Marshall declined to say if he knew if the breach came from an internal or external hacker, citing a continuing law-enforcement investigation.

The university, which has six campuses in four states, began sending out letters about two weeks ago notifying people whose information was compromised and giving them a toll-free number to call for more information. The institution has received about five or six calls a day since then. "The most common calls are from people wondering why Antioch would have had their information on the system in first place, probably rightfully so," said Mr. Marshall.

The university has used outside companies to identify prospective students. "I think it is fairly common for universities, particularly in the last few years, to be more proactive in identifying and tracking students they''re interested in," said J. Brice Bible, chief information officer at Ohio University, which endured high-profile security breaches several years ago. Antioch University officials [Non sequitur alert! Bob] "have obviously acquired information to be competitive, which had made it more challenging for them to maintain a secure environment," he said.

Privacy advocates said there was no excuse for colleges to fail that challenge. "We have a very simple recommendation for universities," says Marc Rotenberg, executive director of the Electronic Privacy Information Center. "If they can''t protect it, they shouldn''t collect it." [Where can I buy this bumper sticker? Bob]

Come for the swimsuit models phone number, leave with their social security numbers... hacked; customer credit card info accessed

Thursday, April 24 2008 @ 05:32 PM EDT Contributed by: PrivacyNews News Section: Breaches (SWB), a Texas-based online retailer of men and women's swimwear, reports [pdf] that on March 28, it discovered that their databases had been accessed sometime between March 26- March 28. [suggesting that they do not keep logs, which record access to the second. Bob] An unspecified number of customers had their names, addresses, SWB account passwords, email addresses, and credit card information accessed.

In addition to accessing customer data, the intruders reportedly also corrupted existing data, rendering it unusable or unreadable. [Typically, only the loss of data is reported. Bob]

In his notification letter to the New Hampshire DOJ on behalf of SWB, Ronald I. Raether, Jr. of Faruki Ireland & Cox, P.L.L., wrote, "In addition, to any affected customer requesting assistance from us, SWB will offer a year's subscription to the LoudSiren Identity Protection NetworkTM. We are committed to helping our customers affected by these criminal acts."

SWB's notification letter to customers makes no mention of any SWB-subsidized services, [a clever strategy for reducing costs... Bob] suggesting that only customers who call SWB and specifically request assistance will actually be offered the free service. Calls to SWB to clarify this were referred to SWB's attorney, who did not return our call by the end of the day.

Another SunGard victim – no new information

Stolen laptop contains personal data for 'nearly 2,000' current, prospective Fisher students (Sungard Update)

Thursday, April 24 2008 @ 06:05 PM EDT Contributed by: PrivacyNews News Section: Breaches

Personal information (name, Social Security number, and date of birth) for close to 2,000 current and prospective St. John Fisher students may have fallen into the wrong hands as part of a security breach that involves a number of area colleges.

Source - Cardinal Courier Online Related - St. John Fisher College FAQ

Identity theft immediately! A very bad strategy...

NY: Credit card info stolen in Canton

Friday, April 25 2008 @ 06:54 AM EDT Contributed by: PrivacyNews News Section: Breaches

Police are investigating hundreds of reports of thefts of credit and debit card numbers belonging to customers who shopped at WiseBuys department store in December.

"We have had hundreds of victims and thousands of thefts. We have had amounts as high as $3,000 and as low as $10," said Sgt. Lori A. McDougal of the village police department. "I would say at this point they total upwards of $100,000."

Victims are all believed to have shopped at the Canton WiseBuys store between Dec. 5 and 20, Ms. McDougal said. Since then, stolen credit card numbers have been used to create fake cards in New York City.

... The Canton store was the only one in the WiseBuys and Hacketts chain that was affected by the number thefts. The stores use the credit card processing system used by nearly every True Value hardware store in the nation, Mr. Garrelts said.

WiseBuys changed its computer system in December and investigators are attempting to determine whether that was when the numbers were stolen, Ms. McDougal said. Village police have begun interviewing about 30 WiseBuys employees but so far have not identified any as suspects.

Source - Watertown Daily Times

Follow-up: A non-TJX reaction after all. PCI security isn't sufficient. ISO 27001 will take 18 months.

Hannaford CIO: We Need To Spend Millions, Go Well Beyond PCI

Friday, April 25 2008 @ 07:23 AM EDT Contributed by: PrivacyNews News Section: Breaches

Hannaford CIO Bill Homa, overseeing a data breach probe that exposed some 4.2 million payment cards, said this week that his chain needs to go well beyond PCI to try and be secure, an effort he predicted would cost his department millions of dollars "but not tens of millions."

Homa called a news conference to detail some of those planned security improvements, including Triple DES PIN encryption ("customer card information is now encrypted from the PINpad at the store register and remains encrypted while it's in our own internal network"), host and network intrusion prevention systems ("to proactively prevent malware from being installed in our systems") and better payment segmentation.

Source - StorefrontBacktalk

Tools & Techniques for ubiquitous surveillance

The Open GPS Tracker is a small device which plugs into a $20 prepaid mobile phone to make a GPS tracker. The Tracker responds to text message commands, detects motion, and sends you its exact position, ready for Google Maps or your mapping software. The Tracker firmware is open source and user-customizable.

It's safe, therefore we can use it more...

More privacy-boosting technology begets more video surveillance

By: Rosie Lombardi, (Apr 25, 2008 06:00:00)

... Developed by Karl Martin and Kostas Plataniotis, researchers at the faculty of engineering, their secure visual object coding application uses cryptography techniques to encrypt "objects of interest" within video frames -B faces or other features that may be used to identify a person - and store them separately. In order to view the original complete image, a decryption key is needed to restore the object of interest.

What was the real reason to go to electronic voting?

Diebold Admits ATMs Are More Robust Than Voting Machines

Posted by Soulskill on Friday April 25, @08:23AM from the votes-on-the-cheap dept.

An anonymous reader points out a story in the Huffington Post about the status of funding for election voting systems. It contains an interesting section in which Chris Riggall, a spokesman for Premier (formerly Diebold) acknowledged that less money is spent making an electronic voting machine than on a typical ATM. The ironically named Riggall also notes that security could indeed be improved, but at a higher price than most election administrators would care to pay. Also quoted in the article is Ed Felten, who has recently found some inconsistencies in New Jersey voting machines. From the Post:

"'An ATM is significantly a more expensive device than a voting terminal...' said Riggall. 'Were you to develop something that was as robust as an ATM, both in terms of the physical engineering of it and all aspects, clearly that would be something that the average jurisdiction cannot afford.' Perhaps cost has something to do with the fact that a couple of years ago, every single Diebold AccuVote TS could be opened with a standard key also used for some cabinets and mini-bars and available for purchase over the Internet."

Will he win if the data has been gathered legally? (e.g. From a state database that failed to remove the SSAN?)

Missouri AG Attempts to Stop Web Site from Selling Personal Information

Apr 24, 2008, News Report

Attorney General Jay Nixon is seeking to shut down a Web site that permits anyone with a credit card to purchase detailed personal information about Missouri consumers -- including Social Security numbers -- and have its operator fined a significant sum for each violation of state consumer protection laws.

... Anyone who provides this information to third parties is obligated under federal law to ensure that the third party's use of the information is for a legitimate purpose allowed under the law. Nixon says A1 Peoplesearch unethically failed to properly verify the use to which its subscribers put the data the defendant sold to them. [So add a screen that requires you to state the purpose (selected from a pull down menu of 'legitimate purposes') Bob]


Companies To Be Liable For Deals With Online Criminals

Posted by kdawson on Friday April 25, @09:46AM from the sees-you-when-you're-sleeping dept.

Dionysius, God of Wine and Leaf, sends us to DarkReading for a backgrounder on new rules from the FTC, taking effect in November, that will require any business that handles private consumer data to check its customers and suppliers against databases of known online criminals. Companies that fail to do so may be liable for large fines or jail time. In practice, most companies will contract with specialist services to perform these checks. Yet another list you don't want to get on.

"The [FTC's] Red Flag program... requires enterprises to check their customers and suppliers against databases of known online criminals — much like what OFAC [the Treasury Department's Office of Foreign Asset Control] does with terrorists — and also carries potential fines and penalties for businesses that don't do their due diligence before making a major transaction."

I am noticing an increase in the number of articles where reporters are taking organizations to task for failure to secure the data, even doing some basic research to learn what the “normal” practices are.

Ie: Potential for data leakage rife in Irish organisations

Friday, April 25 2008 @ 06:21 AM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

The failure by Bank of Ireland and other financial institutions as well as some of the largest corporations and government bodies to sign up to an international security standard accredited by the Irish Government means that more embarrassing data leak scandals such as laptop theft will occur again. has learned that an important data security management standard ISO 27001, which governs the prevention and handling of security breaches and is used worldwide by financial institutions and government bodies, is not in place in any Irish financial institution – save a Credit Union in Waterford.

The ISO 27001 standard sets out best practices for IT security techniques and management systems.

Source - Silicon Republic

[From the article:

In the UK, for example, all financial institutions have had to qualify for the standard, otherwise the payments association APACS won’t do business with them. [Compare to PCI standard “enforcement”... Bob]

... Asked if organisations are perhaps unaware of the ISO 27001 standard, Brophy said: “Three or four years ago that might have been the case. Anyone who works in IT would know that this standard is a basic minimum requirement and can be tailored to suit any organisation of any size. Waterford Credit Union achieved the standard in recent months. Why larger financial organisations haven’t seen the need to go for it is beyond me.”

On the subject of whether Irish government bodies are subscribing to the standard, Brophy said that despite healthy attendance by government bodies at ISO 27001 training courses, no government body has moved to get certified.

I expect a few amusing articles as this process 'works out the kinks”

Face scans for air passengers to begin in UK this summer

Friday, April 25 2008 @ 06:16 AM EDT Contributed by: PrivacyNews News Section: Surveillance

Airline passengers are to be screened with facial recognition technology rather than checks by passport officers, in an attempt to improve security and ease congestion, the Guardian can reveal.

From summer, unmanned clearance gates will be phased in to scan passengers' faces and match the image to the record on the computer chip in their biometric passports.

Border security officials believe the machines can do a better job than humans of screening passports and preventing identity fraud. The pilot project will be open to UK and EU citizens holding new biometric passports.

Source - Guardian

[From the article:

Border security officials believe the machines can do a better job than humans [Translation: you can trust the machines Bob] of screening passports and preventing identity fraud. The pilot project will be open to UK and EU citizens holding new biometric passports.

But there is concern that passengers will react badly to being rejected by an automated gate. To ensure no one on a police watch list is incorrectly let through, the technology will err on the side of caution and is likely to generate a small number [see below Bob] of "false negatives" [Translation: you can't trust the machines. Bob] - innocent passengers rejected because the machines cannot match their appearance to the records. [Translation: We will deliberately tackle, handcuff and hood, strip and cavity search a few so called “innocents” just to demonstrate that we are serious about protecting innocents” Bob]

... Phil Booth of the No2Id Campaign said: "Someone is extremely optimistic. The technology is just not there. The last time I spoke to anyone in the facial recognition field they said the best systems were only operating at about a 40% success rate in a real time situation. I am flabbergasted they consider doing this at a time when there are so many measures making it difficult for passengers."

The latest French version of our regional TIA systems – they've been doing this since at laeast 1974...

France 'suspends' Creation of Big-Brother Database

Thursday, April 24 2008 @ 11:46 AM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

The French government will "suspend" the use of new software for recording the personal habits and affiliations of its citizens in a police database, following an outcry by civil rights groups.

Interior Minister Michèle Alliot-Marie took the decision Tuesday to suspend trials of the Ardoise software while officials consider how to reconcile privacy rights and operational needs, her spokesman confirmed Thursday.

Source - CIO

[From the article:

Campaigners say that Ardoise infringes civil liberties by allowing law enforcers to tag a person's file with annotations including "runaway child," "handicapped," "homeless," "trade unionist," "alcoholic," "narcotics user," "transvestite," "transgendered," "homosexual," "prostitute," "person who frequents prostitutes," "psychologically disturbed" or "member of a sect," simply by picking them from a list.

... The database also holds information about religion, sexual orientation and race, according to the Interior Ministry.

[What information do the police need? Bob]

Related. This is what happens when databases are matched...

IN: Judge refuses to stop license revocations

Thursday, April 24 2008 @ 01:18 PM EDT Contributed by: PrivacyNews News Section: In the Courts

The Indiana Bureau of Motor Vehicles reports that it has revoked the driver’s licenses and ID cards of about 32,455 people this year because their personal information didn’t match Social Security records.

On Wednesday a Marion Superior Court judge denied an injunction that would have temporarily stopped the BMV from revoking the credentials, a new process that began last year.

The injunction was sought by the American Civil Liberties Union of Indiana. It was paired with a class-action lawsuit where the key plaintiff was South Bend attorney Lyn Leone.

Source - WSBT

[From the article:

The ACLU’s lawsuit claimed that it’s against state law and the U.S. Constitution to take away licenses because of mismatches between BMV and Social Security records.

A hearing was held April 11 before Judge Kenneth Johnson in Indianapolis.

In his 44-page ruling, Johnson wrote that the suit failed to show any harm or hardship [I'll have to read the ruling, but no license and the need to re-apply should be harm, right? Bob] to Leone by the BMV’s new screening process, which began last year.

... The BMV says it will reinstate a license — at no charge — if the customer can successfully show their personal information matches that of Social Security records. To date, the BMV says 835 credentials have been reinstated. [Doesn't this suggest that the matching process is flawed? Bob]

Talk on implementation of HIPAA rules.


Pointer: Case Study: Five ways to energize your information security program

Jim Reiner’s presentation at the 15th National HIPAA Summit is now available online.

My friendly neighborhood Linux geek sent me this article. Looks very interesting...

Ubuntu 8.04’s Wubi makes for universal desktop

by David M Williams Wednesday, 23 April 2008

... Today, I’d like to talk about something else which is new in this release: Wubi, the Windows based Ubuntu Installer.

Wubi offers a remarkable new way of trying out Ubuntu, making it even more of a risk-free proposition than ever before.

... Wubi’s goals are to assist a Windows user unacquainted with Linux in trying Ubuntu out without risking any loss of information, because although the hard disk will be written to there is no disk partitioning or formatting involved. The existing hard drive configurations, and Windows installation, are not affected in any way.

Wubi runs straight from within Windows and will install Ubuntu onto a disk image – that is, a single disk file which emulates a stand-alone hard drive. Using Wubi, Windows users can try Ubuntu out without any complex installation.

... At worst, if you don’t like it, uninstallation is a snap and your computer is left as it was.

... On rebooting I’m greeted with a boot loader menu asking which operating system I wish to use; choosing Ubuntu fires up the new operating system without hitch and with just a few more questions on the way.

Thursday, April 24, 2008

Extra care is indicated when you deviate from 'normal practice' – it is 'normal' for a reason.

(follow-up) UK: The 'local bank' loses 370,000 customers' details

Wednesday, April 23 2008 @ 11:08 AM EDT Contributed by: PrivacyNews News Section: Breaches note: Apparently, HSBC has yet to send out notification letters.

The largest bank in the UK, HSBC, has admitted that it may never find the disk that contained thousands of its customers details on it.

The "world's local bank" sent 370,000 customers details in the post from HSBC's life offices in Southampton to Swiss Re in Folkestone in February.

The bank added that it is putting together customer communications and letters are going to be sent out shortly.

HSBC said that the disk, which was password protected but not encrypted, would "normally" be sent electronically, but was sent through the mail when it could not be sent using this method. [The Internet was closed that day? Bob]

HSBC apologised for the breach. Candice Durrett, HSBC's media relations executive, said: "The data disk lost by HSBC contains no address or bank account details for any customer and would therefore be of very limited, if any, use to criminals.

"The data, which was password-protected, includes names, life insurance cover levels, dates of birth and whether or not a customer smokes. There is nothing else that could in any way compromise a customer and there is no reason to suppose that the disk has fallen into the wrong hands. "

Source - FTAdviser

[From the article:

Norwich Union Life was handed the eighth largest fine in the history of the FSA following poor security checks at call centres. The breach allowed fraudsters to impersonate customers and cash in their policies, leaving customers with a £3.3m loss through identity fraud. The regulator fined Norwich Union £1.26m. [I didn't notice the “cash in their policies” bit. Must have come as a shock to find out they were dead. Bob]

Good news: Organizations are starting to review their systems. Bad news: They should have been doing this for years...

CT: SCSU security breach

Wednesday, April 23 2008 @ 02:35 PM EDT Contributed by: PrivacyNews News Section: Breaches

About 11,000 current and former students at Southern Connecticut State University may be at risk for identity theft.

SCSU was reviewing their Web server when they realized that the names, addresses and Social Security numbers of students since 2002 were vulnerable to access by unauthorized individuals.

SCSU has been notifying the affected students and is offering free identity protection services for up to two years.

A help desk has been established to respond to questions at (203) 392-7216 or you can visit

Source - WTNH

[From the article:

The move comes after a website with student and alumni information was found to be easily accessible to hackers.

... SCSU says records of about 11,000 students and alumni may have been compromised by hackers.

[These two statements seem to conflict. Was the data unprotected, or was the University hacked? Bob]

Too common.

Ca: Chrysler unit's missing tape contains sensitive personal information

Thursday, April 24 2008 @ 06:40 AM EDT Contributed by: PrivacyNews News Section: Breaches

Chrysler's lending arm has admitted a courier service may have lost a data tape with sensitive personal information of thousands of Canadian auto customers.

Chrysler Financial also acknowledged yesterday it didn't inform customers for five weeks or longer about the "destroyed or lost" tape because of an internal search and investigation. [Unlikely they were searching internally for a tape they sent out. Most likely they were trying to determine what was on the tape. Bob]

Chrysler has still not recovered the tape, but a company official emphasized that it would be extremely difficult to access the contents, which include names, addresses and social insurance numbers.

... Jelich said the data on the mainframe computer tape contains details from "thousands" of customers in several provinces, but Chrysler would not disclose the specific number. During the last week, customers received letters from Brian Chillman, general counsel for Chrysler Financial, that informed them of the incident.

Source - Toronto Star

[From the article:

Chrysler did not contact police, but Jelich said the company voluntarily informed federal and provincial privacy commissioners about the possible breach.

The company said it was in the process of changing the way it was sending the sensitive data when the breach occurred.

"We are now using a secure electronic transmission," Jelich noted.

... As Chrysler prepared to notify customers three weeks later about the missing tape, UPS indicated it had found one. Chrysler verified that it wasn't the tape in question [Perhaps another instance of lost data they hadn't noticed? Bob] and Chrysler proceeded again with the process of informing customers by letter, Jelich said.

Easy to do” does not equal “Smart”

Crooks Rig ATM with Eee PC to Steal Credit Card Info

In yet another demonstration of the never-ending hacking possibilities of the ASUS Eee PC laptop, three criminals in Brazil rigged an ATM with the little low cost computer to grab credit card information and personal information numbers to clone cards. Smart, except that one of them was a total moron.

The three men were specialized in cloning credit cards at ATMs, always with the same method. As you can see in the video, the first opens one of the machines, then another one comes to help him with the installation of a black Eee PC. Then they always proceeded to disable the rest of the machines, so clients were forced to use the rigged ATM. All this while they were being recorded by bank security cameras, of course.

The bank manager noticed that the door was forced and all the ATMs were disabled except for one, so he checked the security video and discovered what happened the night before. He immediately alerted the police, who started to search among the usual suspects. It didn't last long: Idiotic Crook Number One went to a police station to denounce a car accident and the three of them—who had a previous criminal history for bank assault in other parts of the country—were aprehended shortly thereafter.

Comments suggest this is the start down a slippery slope.

Google Turns Over Data on Suspected Pedophiles In Brazil

Posted by timothy on Thursday April 24, @09:39AM from the when-others-are-evil dept. Google Privacy

Dionysius, God of Wine and Leaf, points to a Yahoo! story which begins

"Google on Wednesday handed over data stored by suspected pedophiles on its Orkut social networking site to Brazilian authorities, ceding to pressure to lift its confidentiality duty to its users, officials said."

Of course we will be able to set our own criteria: “Caution Bob, you are approaching an area heavily infected by Democrats!”

GPS Will Now Tell You You're In A 'Bad' Neighborhood

from the now-that's-a-point-of-interest dept

While various GPS systems are competing to provide better, more interesting or more detailed "points of interest," it appears that Honda is going even further. Its new GPS system will also warn drivers when they're in a "bad neighborhood" where there's a high crime rate, and where their cars may be more likely to be vandalized or stolen. Right now, the product is only targeted at the Japanese market, but it's likely to eventually make it to the US. What will be worth watching is how communities respond if they're listed in GPS systems as being bad neighborhoods. These days, such designations are usually made by random people -- but having it in a GPS system (especially given how slavishly some listen to what their GPS tells them) may make it seem more "official." While I can imagine some communities getting angry about the designation, some might try to improve their reputations, which could have a very positive end result. Of course, when talking about American communities, that's probably not the case. They'll probably just sue, claiming defamation.

Quotable stats?

Web criminals fuel big rise in "trojans"

Wed Apr 23, 2008 2:49pm EDT

... In a report released in London, Microsoft said the number of trojans removed from computers around the world in the second half of 2007 rose by 300 percent from the first half.

[Find the report at:

Can application developers learn from a bad example?

FBI grilled again over computer upgrade woes

Posted by Anne Broache April 23, 2008 12:35 PM PDT

... Sensenbrenner accused Mueller of "continuously frustrating" his committee's attempts to find out how much money had been spent before the failed program was abandoned about three years ago. The FBI has since begun a new effort called Sentinel, whose first phase--a Web portal of sorts for investigators--went live in June last year.

... Mueller said the agency now has help from technology and business process experts that it didn't have when the Virtual Case File project began. He said the agency has also set "firm requirements" so that contractors have clearer guidance on what to build.

... Rep. Zoe Lofgren (D-Calif.) also urged Mueller to devote more attention to digitizing years of paper FBI records, arguing that if a company like Google can digitize university library volumes in a matter of months, the federal agency has no excuse for inaction. "I don't know if you've done a cost-benefit analysis," she said, "but it seems to me (it's) clear that if you move into the modern age, your agents are going to be optimized in terms of their performance." keep those UFO pilots from leaving?

US-VISIT Program: Collection of Alien Biometric Data upon Exit from the United States at Air and Sea Ports of Departure

Wednesday, April 23 2008 @ 08:56 AM EDT Contributed by: PrivacyNews News Section: Older News Stories

The Department of Homeland Security has uploaded, "United States Visitor and Immigrant Status Indicator Technology (US-VISIT) Program In conjunction with the Notice of Proposed Rulemaking on the Collection of Alien Biometric Data upon Exit from the United States at Air and Sea Ports of Departure", April 22, 2008, (PDF, 26 Pages - 851 KB).

The United States Visitor and Immigrant Status Technology (US-VISIT) Program is implementing the first phase of the Exit component of its integrated, automated biometric entry-exit system that records the arrival and departure of covered aliens; conducts certain terrorist, criminal, and immigration violation checks of covered aliens; and compares biometric identifiers to those collected on previous encounters to verify identity. The US-VISIT Program has been implemented in phases with each phase adding additional capabilities, locations of implementation, or subject populations. US-VISIT is publishing this Privacy Impact Assessment (PIA) in conjunction with the Notice of Proposed Rulemaking (NPRM) on Collection of Alien Biometric Data upon Exit from the United States at Air and Sea Ports of Departure. A revised PIA will be issued in conjunction with the Final Rule on Collection of Alien Biometric Data upon Exit from the United States at Air and Sea Ports of Departure. US-VISIT does not collect any information on United States citizens.

It is beginning to look like Comcast will get slammed. (The comments are interesting...)

FCC Reports Comcast P2P Blocking Was More Widespread

Posted by Soulskill on Wednesday April 23, @06:12PM from the saw-that-coming dept.

bob charlton from 66 tips us to a ComputerWorld story about FCC Chairman Kevin Martin, who has testified that Comcast's P2P traffic management occurred even when network congestion wasn't an issue, contrary to the ISP's claims. After defending its actions and being investigated by the FCC over the past few months, Comcast has tried to repair its image by making nice with BitTorrent and working towards a P2P Bill of Rights. Quoting:

"'It does not appear that this technique was used only to occasionally delay traffic at particular nodes suffering from network congestion at that time,' Martin told the Senate Commerce, Science and Transportation Committee. 'Based on testimony we've received thus far, this equipment was typically deployed over a wider geographic area or system, and is not even capable of knowing when an individual ... segment of the network is congested.'

...and this seems to be an indication that the phone companies are going the way of the music industry. “We don't understand it, so we aren't making money with it, so we should sue the people who are.”

Telecom carriers: 'Phantom' voice traffic costing billions

Some rural carriers are seeing up to 30 percent of their minutes eaten by voice calls lacking ID needed for carriers to charge access fees for use of their networks

By Grant Gross, IDG News Service April 23, 2008

I know there are people out there who hate PowerPoint – but honestly people... (Think of it as training for CyberWar)

SlideShare Slammed with DDOS Attacks from China

Mark Hendrickson April 23 2008

SlideShare, a Mountain View-based startup that lets you upload and embed PowerPoint presentations on the web, appears to have stirred the red dragon last week.

About ten days ago the company began receiving anonymous requests to delete slideshows that were deemed “illegal” by the requesters. The SlideShare staff checked out these slideshows and discovered them to be quite innocent. While some described ways to fight corruption in China, none of them violated the company’s terms of service, and so SlideShow did nothing to fulfill the requests.

SlideShare soon began receiving a different type of request from the same people, who could now be identified by their email addresses. This time they were pretending to be users who had lost their passwords. Once again doing nothing, the company got a very demanding, and almost threatening, call to its Indian office on Wednesday, one that insisted that the company grant access to an account.

After these three failed attempts, SlideShare experienced a massive distributed denial of service attack starting at 10pm on Thursday, one day before the CNN website was attacked by Chinese instigators in apparent backlash to its coverage of the Tibetan protests. We’ve been told that the attack reached a peak of 2.5GB/sec and consisted entirely of packets sent from China.

Not long after the first attack subsided, SlideShare was hit a second time on Friday and the site went down again until Saturday morning. Since then there have been no more attacks, but the company continues to receive fake password recovery and illegitimate takedown requests at a rate of about 5-10 per day (it has accumulated about 50-60 total).

There’s a lot of speculation around just what has happened here since no one knows for sure who is behind the requests and attacks. However, it seems likely that they were from the same hacker groups - possibly linked to the Chinese government - that attacked the CNN site (and later called their attack off after getting too much publicity). Some of the slideshows with takedown requests have been viewed many times recently, so their popularity seems to have landed them on the Chinese government’s radar.

SlideShare insists that it will do everything it can to protect its users’ freedom of speech. As such, it has no plans to remove any of the content in question.

The Sports Network was also recently taken over by Chinese hackers who mistook it for CNN sports.

Update: Just as I finished writing this post, I received word from the company that a third attack had begun.

...and on the flip side...

China worries hackers will strike during Beijing Olympics

Amid recent turmoil over Tibet, hackers view the Olympics as a challenge and a target; Chinese security officials say the network security situation is grim

By Sumner Lemon, IDG News Service April 24, 2008

... "Based on historical experience, many hackers seeking to make a name for themselves view the Olympic Games as a challenge and a target, and the Beijing Olympics may face attacks from individual hackers, groups, organizations, as well as other countries and those with all kinds of political motivations, therefore the network security situation is very grim," China's National Computer Network Emergency Response Technical Team (CNCERT) said in a report released earlier this month.

I think I've mentioned this before. Clear, simple, introductory guides...

In Pictures Is Now Apparently All Free

Posted: Apr. 23 7:12 p.m.

... all the tutorials are freely available on the Web. Among the tutorials are several Office applications, open office, and some Web programming basics.

For my web site students - Customize Websites on the Fly

Intel Mash Maker lets you mash together bits and pieces of them web, as if it were your own personal canvas. The tool which comes from the chip making monolith, is currently offered as a free browser extension for Firefox and IE (with more features for the former). Once downloaded, users can modify web pages, combining info from a range of sources. All of this occurs on the client, so you’re not making a brand new web app per se. You are adding visualizations etc via widgets. So basically, the masher allows you to customize a page by creating or modifying widgets to different web pages. Customization is thus on offer to everyone, not simply tech nerds. There is a gallery where you can find popular widgets to customize for your own use.

Wednesday, April 23, 2008

Remember, you hire your worst security threat.

LendingTree discloses insider data breach

Tuesday, April 22 2008 @ 11:25 AM EDT Contributed by: PrivacyNews News Section: Breaches

Web-based lending exchange LendingTree, which generates leads in the mortgage business by accepting online customer information, yesterday disclosed that it believes several former employees illicitly helped a handful of mortgage lenders gain access to customer data.

"Recently, LendingTree learned that several former employees may have helped a handful of mortgage lenders gain access to LendingTree's customer information by sharing confidential passwords with the lenders," LendingTree stated in a letter sent April 21 to its customers. "When we learned of this situation, we quickly contacted the authorities, and LendingTree is helping with the investigation. We promptly made several system-security changes. We also brought lawsuits against those involved." [Bravo Bob]

Source - Network World

Related - LendingTree tells clients of breach

[From the Network World article:

LendingTree believes the lenders gained illicit entry to its data systems to access LendingTree’s loan-request forms between October 2006 and early 2008. [Boo Bob]

Do you notify people or customers?

Bank customers urged to take precautions because of security breach

Tuesday, April 22 2008 @ 03:33 PM EDT Contributed by: PrivacyNews News Section: Breaches

A Laguna Woods Village resident was informed by letter from his bank this week that his "non-public private account" [as opposed to his public private account Bob] information might be at risk.

The Villager is not the only customer getting such letters, nor was his bank the only financial institute impacted by a security breach that occurred in a banking systems provider last month.

In the letter sent to the Villager from First Federal Bank of California it states that "a large number of financial institutions [This could be huge Bob] including First Federal Bank of California, was accessed."

First Federal Bank of California Counsel Greg Josephson and Chief Operating Officer Jim Giraldin explained that the breach in security occurred Easter Saturday, March 22, in a "subsystem of a financial data processor," Fiserv, Inc. of Wisconsin.

Fiserv, a Fortune 500 company, is one of the largest providers of electronic information technology to financial institutions and insurance industries worldwide.

Source - Thanks to Wilma Burt of the Identity Theft Resource Center for this link..

[From the article:

Fiserv Company Corporate Communications Vice President Melanie Tolley said... ...that it was "company policy" not to reveal any details about the breach including the number of banks involved, how many customers were impacted, the depth of information breached, how extensive the breach was geographically even which federal agencies were involved in the investigation.

She said releasing such information would hamper the investigation...

... She said ultimately the banks, not Fiserv, are responsible to their clients.

Looks like at least one news organization is beginning to see the obvious...

(follow-up) BoI kept quiet about stolen client details since February

Wednesday, April 23 2008 @ 12:38 AM EDT Contributed by: PrivacyNews News Section: Breaches

Bank of Ireland managers knew in early February that thieves had stolen personal data on 10,000 customers, but decided not to tell the authorities.

And even after the security breach was uncovered internally, the bank took no steps -- until yesterday -- to begin encrypting its laptop computers.

Despite making a profit of €1.7bn last year, Bank of Ireland's failure to spend an estimated €200,000 on encryption technology to protect its customers' data has caused shock.

Source -

[From the article:

The technology is used by all of its major banking rivals but Bank of Ireland's lack of investment in such a key area of basic security is a source of deep concern, experts said.

... The bank said there was no evidence of fraud so far, but yesterday a clearly embarrassed governor Richard Burrows said he could not guarantee the data would not be used by the thieves.

The Irish Independent learned the thefts -- between June and October 2007 -- were reported to gardai within hours but senior managers at the bank were not told.

... The Data Protection Commissioner wants to know why medical data was being stored at all.

Confusion or cover-up?

Hackers Breach System At UMass

Tuesday, April 22 2008 @ 10:20 PM EDT Contributed by: PrivacyNews News Section: Breaches

Hackers breached the computer system used by UMass Amherst's Health Services, potentially gaining access to thousands of medical records.

More than half of the student population at UMass Amherst are patients on record at the University Health Services.

Source - CBS

[From the article:

Officials believe outside hackers wanted to use the server as a host for illegal music and video downloads, one that would make the culprits untraceable.

... A fact that's even more unsettling for patients who were unaware of the breach more than a week after it occurred. The University did post a notice on the Health Services website, and say they are notifying patients when they enter the clinic.

... "If it's that easy for someone who just wanted to get music who knows what would happen for someone who was trying to get confidential information."

Campus officials say it will be weeks before they are completely sure what information, if any, was taken off the computers.

Save for college (because your credit history will be so screwed up you'll never get a loan!

CollegeInvest loses hard drive, customers' personal data

Tuesday, April 22 2008 @ 03:55 PM EDT Contributed by: PrivacyNews News Section: Breaches

CollegeInvest this week is sending letters to roughly 200,000 customers who had personal information stored on a computer hard drive that disappeared during a recent move.

CollegeInvest believes there is little risk of customers’ personal information being compromised because the data is in a format that would be difficult to access and also was password protected.

Personal data from some but not all CollegeInvest customers was on the hard drive.

... CollegeInvest moved to a new office space recently using an international relocation firm that offered specialists in moving computer equipment. CollegeInvest discovered while unpacking at the new location that a hard drive was missing.

.... CollegeInvest is a not-for-profit division of the Colorado Department of Higher Education. CollegeInvest helps families break down the financial barriers to college by providing expert information, simple planning tools, scholarships, college savings plans, and low-cost student and parent loans.

Source - North Denver News

Infosec: Reputation driving information security

Wednesday, April 23 2008 @ 07:13 AM EDT Contributed by: PrivacyNews News Section: Businesses & Privacy

Concerns over reputation and brand protection are key drivers of information security for nearly three-quarters of companies worldwide.

The findings come from the latest Global Information Security Workforce Study from ISC2 published at Infosec Europe 2008.

'Corporate image' topped the list of top priorities for motivating information security governance, but the privacy of customer data, identity theft and breach of laws and regulations are also key factors.

The fourth edition of the study was conducted by Frost & Sullivan and surveyed 7,548 information security professionals from companies and public sector organisations in more than 100 countries.

Source - IT Week

Global Information Security Workforce Study (PDF)

A step in the right direction? More likely: “The Scapegoat Minister has acknowledged his responsibility, and will immediately retire to his villa in the south of France.”

UK: Top officials to be held to account for data losses

Tuesday, April 22 2008 @ 11:17 AM EDT Contributed by: PrivacyNews News Section: Breaches

Senior Whitehall figures are to be held personally responsible if their department loses or mishandles personal information, under a range of measures designed to increase data security.

Officials across the public sector, including permanent secretaries and chief executives of NHS trusts, are to be forced to take data protection "much more seriously" under proposals due to be laid out by Gus O'Donnell, the Cabinet Secretary.

In the coming weeks Mr O'Donnell is expected to present the findings of a report on data security.

Source - TimesOnline

[From the article:

...the heads of departments would be personally responsible in the event of serious data breaches.

"It has to be the likes of chief executives (of NHS trusts) and permanent secretaries who are held accountable when things go wrong," Mr Thomas told a security conference in London. "They can't simply make assumptions that everything is in the hands of the 'techies'".

... "There are going to be new requirements for Whitehall departments and new guidance for the public sector at large," Mr Thomas said. "It's not just about data security. We need to ask a whole range of questions, such as why so much information is being collected. Why is it being retained for so long? Why are laptops which hold the information not being encrypted? And why are such laptops being left in the backs of cars?" [Noble words. Let's check back in six months. Bob]

Mentioned in the article above...

BERR Information Security Breaches Survey 2008

April 2008

Another “We're gonna fix everything” promise.

Hannaford details upgrades prompted by security breach

Tuesday, April 22 2008 @ 11:20 AM EDT Contributed by: PrivacyNews News Section: Breaches

Hannaford Bros. Co. says it's taking steps to enhance the security of its data network following a massive breach that compromised up to 4.2 million credit and debit card numbers.

Company officials announced Tuesday that the new measures include encryption of all card numbers during the entire time they are within the supermarket chain's data network. The company says it's also introducing a "24/7 monitoring system" to detect intrusions.

Source - WPRI

[From the article:

Hannaford President and CEO Ron Hodge apologized again Tuesday and said there has been no drop in sales since the breach was announced five weeks ago. [Maybe TJX was right, customers don't care. Bob]

...because cameras aren't enough? Will every prisoner get a Bluetooth device surgically implanted? (If not, won't they simply swap them randomly?)

Bluetooth Surveillance Tested In the UK

Posted by kdawson on Tuesday April 22, @02:37PM from the turn-the-darn-thing-off dept. Privacy Wireless Networking

KentuckyFC writes

"If you live in the city of Bath in the UK and carry a Bluetooth-enabled device, your movements may have been secretly monitored in an experiment designed to test surveillance techniques in prisons. Researchers from Bath University recorded the movements of 10,000 Bluetooth-enabled devices during their 6-month trial. They say the experiment was a test of a technique for monitoring the interactions between prisoners in jail that could be used to work out which inmates have become closely associated. The work was prompted by revelations that the Madrid train bombers who devastated the city in 2004 first met in a Spanish prison (abstract)."