Saturday, June 21, 2008

Don't you love a good argument?

Why The 'Third Party Doctrine' Undermines Online Privacy Protections

from the fourth-amendment dept

There's been an interesting discussion going on between my colleague Jim Harper and legal scholar Orrin Kerr about the third party doctrine, the legal principle that, in effect, you lose your Fourth Amendment rights when you relinquish information to a third party. The doctrine has become increasingly important with the rise of modern technology because we now entrust a host of private data -- including our email, cell phone calling data, credit card transactions, and more -- to private companies, and the third party doctrine would seem to suggest that Fourth Amendment protections would not extend to such information. A couple of weeks ago, Kerr posted a draft paper defending the doctrine, arguing that it brings clarity and simplicity to privacy law and avoids the need for "a complex framework of sui generis rules." Jim strongly disagrees with Kerr, arguing that the third party doctrine was always misguided and that recent technological changes have simply made these flaws more evident.

Jim points out that when the Fourth Amendment was drafted, the vast majority of peoples' private activities occurred inside the home, and so it made sense to make the home focus of Fourth Amendment protections. But as people began conducting more and more of their lives outside of the home, with telephones, email, credit cards, and so forth, using the four walls of the home as the boundary for Fourth Amendment protection made less and less sense. And indeed, that's precisely what the Supreme Court recognized in the famous 1967 case of Katz v. United States, which held that the Fourth Amendment applied to wiretapping of public pay phones because the Fourth Amendment protects "people, not places." The same principle ought to apply to our emails, credit card transactions, and other data of a private nature: what matters is not where the data is located or who has custody over it, but whether the subject of surveillance had a reasonable expectation of privacy in his use of that data.

Kerr responded that "the real judges and Justices that make the rules" have recently shown greater sympathy for Kerr's view of the Fourth Amendment as a narrow doctrine of criminal procedure rather than a broad charter for protecting peoples' privacy. I agree with Jim that this isn't really responsive to his argument. Whether judges currently do see things Kerr's way tells us little about whether they ought to view them that way. Judges have gotten the Fourth Amendment wrong in the past. After all, Katz overruled Olmstead v. United States, a decision that had allowed warrantless wiretapping almost four decades earlier. So the fact that the courts have not yet extended Fourth Amendment protections to email or other digital records doesn't prove that a future court won't recognize that such information is as crucial to personal privacy as paper records and phone calls. Sticking with the third party doctrine would make the Fourth Amendment less and less relevant as technology changes, because more and more private information will be held by third parties. If we want the Fourth Amendment to continue to be an effective protection for peoples' privacy, and I think we do, it needs to be continuously updated to reflect changing technological realities.

Another “Some courts get it wrong” brief

Law Profs File Friend-of-Court Brief Against RIAA

Posted by Soulskill on Saturday June 21, @08:19AM from the dissenting-opinions dept. Media The Courts

NewYorkCountryLawyer writes

"A group of 10 copyright law professors has filed an amicus curiae ('friend of the court') brief on the side of the defendant in Capitol v. Thomas, agreeing with the judge's recent decision that the $222,000 verdict won by the RIAA appears to be tainted by a 'manifest error of law.' The clear and well-written 14-page brief (PDF) argues that the 'making available' jury instruction, which the RIAA had requested and the judge ultimately accepted, was in fact a 'manifest error of law,' making the point, among others, that an interpretation of a statute should begin with the words of the statute. My only criticism of the brief is that it overstates the authorities relied on by the RIAA, citing cases which never decided the 'making available' issue as cases which had decided it in the RIAA's favor."

As it turns out, the MPAA, close ally to the RIAA, has come forth with a more controversial view. They suggest that proof of actual distribution shouldn't be required. From their brief (PDF): "Mandating that proof could thus have the pernicious effect of depriving copyright owners of a practical remedy against massive copyright infringement in many instances." [Huh? Bob]

Interesting question more businesses should be asking, with some useful answers. For my Business Continuation class

Best Way To Store Digital Video For 20 Years

Posted by kdawson on Friday June 20, @03:57PM from the thanks-for-the-memories dept. Data Storage

An anonymous reader writes

"My kid is now 1 year old and I already have 100G of digital video (stored on DVDs, DVD quality) and photos. How should I store it so that it's still readable 10 to 20 years from now? Will DVDs still be around, and readable, 10 years from now? Should I plan for technology changes every 5 to 10 years (DVD->Blue-ray->whatever)? Is optical storage better, or should I try to use hard drives (making technology changes automatic)? And, if the answer is optical, how do you store optical disks so that they last?"

Interesting idea: let an independent group evaluate your product. How long before pay is based on this type of review?

Forbes has launched a Digg channel and Digg widgets, integrating with Digg to showcase the most dugg and most recently dugg stories, slide shows and videos.

Perhaps using the Kindle to replace textbooks isn't the ultimate in new education technology?

N.M. school tries to reach students via podcast

By FELICIA FONSECA Associated Press Writer Jun 21, 7:12 AM EDT

... This past semester, nearly every one of the roughly 100 students at Fort Sumner High School was outfitted with the Microsoft media player, similar to Apple's iPod, enabling them to watch videos and listen to recorded lectures created or recommended by teachers and fellow students.

... Teachers got a $400 bonus for coming up with lessons to identify 20 downloadable digital lectures that supported their lessons and to develop five of their own.

Economics in action

U.S. motorists brave Mexico border violence for fuel — By Lizbeth Diaz TIJUANA, Mexico (Reuters) - U.S. motorists are risking rampant drug violence in Mexico to drive over the border and fill their tanks with cheap Mexican fuel, some even coming to blows over gas shortages and long queues.

Business opportunity: A small investment in an e-commerce site could yield big bucks!

Less Well Known Musicians Embracing 'Pay What You Want'

from the small-musicians,-big-musicians-alike dept

It still amuses me how often, when we talk about specific music business models, defenders of the old system rush in to explain why any particular example is an exception. For years, when we showed examples of less well known musicians embracing these kinds of new business models, critics would complain that they might work for unknown musicians who have "nothing to lose" and need attention more than anything else, but it would never ever work for a big star who has too much to lose. Then, of course, we talked about big time musicians like Radiohead and Nine Inch Nails embracing these kinds of models, and the critics said "well, sure, it works for them with their well recognized name, but it would never work for unknown artists." Hell, someone said that just yesterday in response to a post here, leading another commenter to jokingly (I hope) coin the phrase "Masnick's Law", which is loosely defined as

"in any conversation about musicians doing something different to achieve fame and/or fortune someone will inevitably attempt to make the argument that 'it only worked for them because they are big/small and it will never work for someone who is the opposite,' no matter how much evidence to the contrary might be readily available."

I might expand on that definition a bit to have it go beyond just big/small. People will keep looking for excuses why each example is an exception, (big/small just being an easy such reason) to the point that they'll eventually miss the fact that all of those exceptions are the rule.

Anyway, based on all of this, it will be interesting to see how Girl Talk's new album does. Girl Talk is a one-man DJ once mentioned (positively) in Congress as an example of why traditional copyright laws might not make sense anymore. With the release of his latest album, he's decided to use a Radiohead-style model, with a few improvements. That is, rather than just a pure "give it away and pray," he's giving people an additional reason to buy -- though I think he could still put together a better model. His is set up so you can pay what you want (including nothing at all) and get 320 kbps MP3 files, but if you pay over $5, he offers FLAC files as well, and at $10 you'll also get a copy of the physical CD when it comes out. If you pay $0, he does ask that you fill out a little survey explaining why. There still are some problems with this model (it's still a little too much like a give it away and pray model), but overall, it's quite similar to Radiohead's experiment.

Now, of course, all the folks who insisted that Radiohead's model would never work for a relatively obscure musician are supposed to now insist that this model won't work at all for Girl Talk, right? But what happens if Girl Talk is actually happy with the results, whether in direct payment amounts or in the fact that it gets him more publicity? Will they finally admit that the model isn't just an exception?

I like lists. I like RSS Feeds. How could I not like this?

What RSS Feeds Do You Use?

Posted by Soulskill on Saturday June 21, @05:14AM from the attention-deficit dept. The Internet

oncehour writes

"I'm looking to broaden my horizons in terms of news, industry information, and generally good-to-know stuff. I've found a lot of great blogs and websites over the years, but I'm wondering what Slashdotters read regularly? What's in your RSS feeds?"

We discussed this back in 2004, but the list of quality feeds has grown quite a bit in the past four years. Try to include at least a minimal description, so we know if we'll be looking at NASA news or up-to-the-minute cowboy boot fashion trends.

I'll save this for my web site class, but no doubt something like it will resurface whenever an organization and its employees are in conflict.

June 20, 2008 6:08 PM PDT

Let the fun begin: Yahoo auto resignation tool

Posted by Stefanie Olsen 4 comments

In true Internet-foolery fashion, someone is having a little fun at Yahoo's expense following its latest executive exodus.

By visiting the newly created site, current Yahoo employees can expedite their resignation to Yahoo Chief Jerry Yang with a host of Mad Libs-style pull-down menus.

Another for the web site class - Draw On Top of Google Maps

Google Maps are pretty fab and all, but haven’t you ever wished there were more color, more flash and more leeway to add doodles? The maps are primed for it and now, with QuickMaps, you can draw to your heart’s content on top of the G-map of your choice (the Earth, stars, moon and Mars). You can add markers (and captions) and once you’ve completed your work, the map with all your added extras can be saved in your account. You’ll also be able to add your map to any website or blog and share it with pals. Each map may be accompanied by your own description and title; you can also import elements from another Quikmap, or from a KML or GPX file from the web or your computer.

Friday, June 20, 2008

“How to ensure third party security” might make an interesting article.

Stolen State Street tower contained 3,659 Exeter Trust customers' data (State Street update)

Thursday, June 19 2008 @ 11:33 AM EDT Contributed by: PrivacyNews News Section: Breaches

Exeter Trust recently notified the Maryland Attorney General's Office that 3,659 of their clients were impacted by the theft of a computer tower from a third-party vendor hired by Investors Bank & Trust (IBT) to assist in compiling data required for federal regulators as part of the merger between State Street and IBT.

The stolen tower contained over 4 million emails which included individual names, social security numbers and/or checking account numbers. The server containing the email and client data was not recovered.

According to Megan Henry, the Executive Vice President of Exeter, the theft occurred on December 18, 2007. State Street notified Exeter on May 25, informing them that they had learned of the breach on January 25th and that it had taken them 4 months to review the 4 million emails to determine how many contained personally identifiable information.

In its notification letter to its clients, Exeter did something that other companies may wish to emulate: they not only set up a client assistance team with a phone number, but indicated the names and positions of the assistance team, which include the Executive Vice President of the company, the supervisor of account administration of individual services group, and three named senior account administrators.

Driver's licenses used to “prove” age?

Facebook software glitch exposes drivers' license images

Thursday, June 19 2008 @ 10:29 AM EDT Contributed by: PrivacyNews News Section: Breaches

Given all of the significant concerns raised about social networking sites and privacy, it seems almost ironic that Facebook, Inc. has notified the Maryland Attorney General's Office that on May 2, a glitch during a software update exposed some members' driver's license images to anyone viewing those pages for a period of about two hours.

Simon Axten of Facebook does not indicate how many members were affected by the breach in total, but notes that there was no evidence [Translation: “We don't keep no stinking records” Bob] that the 2 Maryland residents had their pages viewed during the critical time period.

Sometimes it pays not to be so popular, perhaps.

Eventually these thefts will result in changes in procedure... Eventually.

Stolen SunGard Availability Services laptop contained employee data

Thursday, June 19 2008 @ 11:06 AM EDT Contributed by: PrivacyNews News Section: Breaches

A laptop stolen from a SunGard HE employee earlier this year was not the only laptop containing personal information that was stolen.

In a report to the Maryland Attorney's General Office, SunGard Availability Services (SAS) reports that a company laptop was stolen on March 5th from an employee's car while it was parked outside a mall in King of Prussia, Pennsylvania.

Personal information including names, Social Security numbers, and in some cases, date of birth, address, phone number, compensation, and other human resources-related information on about 160 current and former SAS employees was on the laptop

The laptop was reportedly "protected with a complex alphanumeric password."

I wonder who holds the record? Is 'five' even in the top 100?

LPL Financial reports 5th breach in less than a year

Thursday, June 19 2008 @ 11:21 AM EDT Contributed by: PrivacyNews News Section: Breaches

LPL Financial reports that hackers compromised the logon password of one of their financial advisors for what LPL believes was an attempt to gain access to customer accounts in a "pump and dump" penny stock scheme.

This is not the first report of this kind from LPL. As reported on previously, LPL Financial also discovered a similar scheme in July 2007 that covered 9 states and 14 financial advisors and that had gone on over a period of months. This latest incident reportedly occurred on May 5th and was detected the same day.

According to the letter signed by Keith H. Fine, the customer data potentially accessed included unencrypted names, addresses, and Social Security numbers of LPL customers and non-customer beneficiaries, but "LPL cannot determine whether the protected information was actually accessed." The Maryland AG's site reports that the total number of potentially affected individuals for the incident was 185, two of which are Maryland residents.

Some information is clearly required for business processes to function. (If you don't tell Sears where you live, they can't deliver your new refrigerator.) But who decides which “business processes” are appropriate?

Ca: NB Power wants too much information from ratepayers - Tories

Thursday, June 19 2008 @ 04:36 PM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

Opposition leader Jeannot Volpe is questioning NB Power's policy of collecting personal information on all persons residing at an address before connecting power.

But NB Power said the practice is designed to protect customers from identity theft, collect old debts and make sure ratepayers aren't taken advantage of.

Source - The Daily Gleaner

Isn't there a law requiring auto manufacturers to ensure spare parts are available for at least 10 years after manufacture stops? Should there be one for digital products that extends as long as the bits & bytes?

Microsoft Keeps DRM Servers Alive For Now; Won't Screw Over Own Customers For A Few More Years

from the well,-that's-something dept

For years, we've given examples of how DRM ends up screwing over customers one way or another. One of the most obvious ways is when that DRM requires files to "check in" over the internet to work, and the company that manages the "check in" server takes it down. That's what Microsoft announced it was doing with its incredibly-misnamed "PlaysForSure" DRM servers back in April. This was, effectively, going back on the terms of the deal they offered to music buyers. Following the outcry in response, however, it appears that Microsoft has reconsidered, saying that it will keep the servers running at least until 2011. So for the 35 people or so who bought into the PlaysForSure system, you have another 3 years to find new DRM-free sources of music.

Sneaky security tricks. Pass this to your security manager

Software makes virtual servers a moving target

Businesses can cut the damage hackers inflict by managing virtual servers and reducing the time that any one version of a server is exposed to the Internet, researcher says

By Tim Greene, Network World June 20, 2008

Carefully managed virtual servers can make the job of attackers more difficult by reducing the time that any one version of a server is exposed to the Internet, according to a George Mason University professor who has developed software that phases virtual servers in and out of use.

... "If you take a server offline every minute, the intruder has just one minute to play games," he says.

Timing capabilities within SCIT manage the life cycles of virtual servers, making sure some server is always available so that service is uninterrupted, Sood says. To client machines, SCIT-ized virtual servers appear as if they are a single server.

... Once a server has been in use for the prescribed period, it is taken offline where it can be killed. The SCIT Controller generates replacement virtual servers from a server image of known state. Used virtual servers can be analyzed before they are killed to look for whether any attacks were carried out against them. They can also be saved but kept offline for future reference, Sood says.
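The rotation the article describes (a fixed exposure window per server, a fresh clone from a known-good image on every retirement, retired copies kept offline for review) can be modelled in a few dozen lines. The Python below is an added example written for this page, not SCIT's own code; the image label, the tick-based clock and the `review_retired` marker scan are constructed assumptions used to show the mechanism.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

GOLDEN_IMAGE = "golden-v1"  # constructed label for the known-good server image


@dataclass
class VirtualServer:
    sid: int
    image: str
    online_since: int = 0
    retired_at: Optional[int] = None
    requests_seen: List[str] = field(default_factory=list)  # toy audit trail


class ScitController:
    """Toy model of the rotation the article describes: every server is exposed
    for at most `exposure` ticks, then pulled offline and replaced with a fresh
    clone of the golden image. Retired copies are kept for offline analysis."""

    def __init__(self, pool_size: int, exposure: int) -> None:
        if pool_size < 2 or exposure < pool_size:
            raise ValueError("need >= 2 servers and an exposure window >= pool size")
        self.exposure = exposure
        self._next_id = 0
        self.online: List[VirtualServer] = []
        self.retired: List[VirtualServer] = []
        # Stagger start times so servers retire one at a time, never all at once.
        for i in range(pool_size):
            self.online.append(self._spawn(online_since=-(i * exposure // pool_size)))

    def _spawn(self, online_since: int) -> VirtualServer:
        s = VirtualServer(self._next_id, GOLDEN_IMAGE, online_since)
        self._next_id += 1
        return s

    def tick(self, now: int) -> List[int]:
        """Retire every server whose window has elapsed and return their ids.
        The replacement is spawned in the same step, so the pool never shrinks."""
        retired_ids = []
        for s in list(self.online):
            if now - s.online_since >= self.exposure:
                self.online.remove(s)
                s.retired_at = now
                self.retired.append(s)  # kept offline for forensic review
                self.online.append(self._spawn(online_since=now))
                retired_ids.append(s.sid)
        return retired_ids

    def serve(self, now: int, request: str) -> int:
        """Route one request to the server that has been online longest (the
        freshest clone stays in reserve) and return that server's id."""
        self.tick(now)
        target = min(self.online, key=lambda s: s.online_since)
        target.requests_seen.append(request)
        return target.sid

    def review_retired(self, marker: str) -> List[Tuple[int, str]]:
        """Offline analysis step: scan retired servers' request trails for a marker."""
        return [(s.sid, r) for s in self.retired for r in s.requests_seen if marker in r]


if __name__ == "__main__":
    ctl = ScitController(pool_size=3, exposure=6)
    for t in range(30):
        ctl.serve(t, "GET /../../etc/passwd" if t == 3 else f"GET /page{t}")
    print(len(ctl.retired), "servers retired;", ctl.review_retired("../"))
```

Two properties worth checking in a real deployment are visible in the model: no server is ever online longer than the configured window, and the pool size is constant across every retirement, which is what keeps the service uninterrupted from the client's point of view.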

Is it a legal question or merely a technical one?

June 19, 2008 - 12:41 P.M.

Why It's OK to 'Steal' Wi-Fi

TIME Magazine printed this week a piece called, "Confessions of a Wi-Fi Thief," in which author Lev Grossman admits to using his neighbors' open Wi-Fi connections from inside his apartment.

Grossman writes that "stealing" Wi-Fi might be illegal (statutes vary according to where you live) but "definitely unethical." He also mentions a recent survey that found a slim majority -- 53% -- have "stolen" Wi-Fi.

I disagree with Grossman. I don't think it's unethical to "steal" Wi-Fi -- or even possible without deliberate hacking. And it shouldn't be illegal to simply use an open, unprotected wireless network.

1. By using a Wi-Fi network you're asking for, and receiving, permission from the owner.

When you open up your trusty laptop, check for available networks, choose one and click "Connect," you're instructing your computer hardware and software to communicate with the hardware and software that's providing the Wi-Fi network and ask permission to use the network.

When you do this, a router either grants permission, and assigns an IP address for you to use, or denies permission. If the connection simply works, it means by definition that the network is set up to automatically grant you permission to use it, and to actively provide the means for you to do so.

Repeated break-ins, spyware, password theft, this kid did it all.

Teen Hacker Could Get 38-Year Sentence for Fixing Grades

By Katherine Noyes E-Commerce Times Part of the ECT News Network 06/19/08 2:02 PM PT

If your security logs aren't kept or aren't reviewed you will never stop this.

1 In 3 Sysadmins Snoop On Colleagues

Posted by timothy on Thursday June 19, @01:13PM from the and-they-steal-chips-and-soda dept. Security

klubar writes

"According to a recent survey, one in three IT staff snoops on colleagues. U.S. information security company Cyber-Ark surveyed 300 senior IT professionals, and found that one-third admitted to secretly snooping, while 47 percent said they had accessed information that was not relevant to their role. Makes you wonder about the other 2 out of 3. Did they lie on the survey or really don't snoop?"
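The point made above the headline, that snooping only gets caught when access logs are kept and actually reviewed, is easy to turn into a routine check. The Python below is an added example, not part of the Slashdot post or the Cyber-Ark survey; the event layout, the role names and the ticket system are constructed assumptions. It flags every privileged read of another person's data that no open ticket justifies, which is the kind of review the quoted survey implies most shops never run.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    actor: str             # account that performed the access
    role: str              # role of that account at the time (from the directory)
    resource: str          # e.g. "mailbox:jdoe"
    owner: str             # whose data the resource holds
    ticket: Optional[str]  # change/incident ticket the access was done under, if any


# Constructed sample audit log: admin reads of other people's data, one covered by a ticket.
SAMPLE_EVENTS = [
    AccessEvent("2008-06-19T09:01", "admin1", "sysadmin", "mailbox:admin1", "admin1", None),
    AccessEvent("2008-06-19T09:14", "admin1", "sysadmin", "mailbox:jdoe", "jdoe", "INC-4411"),
    AccessEvent("2008-06-19T11:30", "admin2", "sysadmin", "mailbox:ceo", "ceo", None),
    AccessEvent("2008-06-19T11:32", "admin2", "sysadmin", "hrshare:salaries", "hr", "INC-0000"),
    AccessEvent("2008-06-19T12:05", "jdoe", "analyst", "mailbox:jdoe", "jdoe", None),
]
OPEN_TICKETS = {"INC-4411"}               # constructed: tickets open on the review day
PRIVILEGED_ROLES = {"sysadmin", "dba"}


def unjustified_access(events: Iterable[AccessEvent], privileged_roles: Set[str],
                       open_tickets: Set[str]) -> List[AccessEvent]:
    """Privileged reads of someone else's data that no open ticket covers."""
    flagged = []
    for e in events:
        if e.role not in privileged_roles:
            continue                      # ordinary users are governed by normal ACLs
        if e.owner == e.actor:
            continue                      # reading your own mailbox is not snooping
        if e.ticket in open_tickets:
            continue                      # documented, authorised work
        flagged.append(e)
    return flagged


def summarize(flagged: Iterable[AccessEvent]) -> Dict[str, int]:
    """Count flagged events per actor so the reviewer sees repeat offenders first."""
    counts: Dict[str, int] = {}
    for e in flagged:
        counts[e.actor] = counts.get(e.actor, 0) + 1
    return counts


if __name__ == "__main__":
    for e in unjustified_access(SAMPLE_EVENTS, PRIVILEGED_ROLES, OPEN_TICKETS):
        print(e.ts, e.actor, "->", e.resource, "ticket:", e.ticket)
```

The check is only as good as the inputs: the log has to record the acting account (not a shared root login), the role lookup has to reflect who held privileges on that day, and the ticket set has to come from the ticketing system rather than from the admin's own notes.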

For educational purposes only! (Includes some defensive tips)

Guide to DIY Wiretapping

Posted by CmdrTaco on Thursday June 19, @11:16AM from the do-you-hear-what-i-hear dept. Communications Security

Geeks are Sexy writes

" has a nice piece this week on how wiretapping works and how you can protect yourself from people who want to snoop into your life. From the article 'Even if you aren't involved in a criminal case or illegal operation, it's incredibly easy to set up a wiretap or surveillance system on any type of phone. Don't be surprised to learn that virtually anyone could be spying on you for any reason.'"

Maybe I'm on the wrong track here, but I guess I assumed that wiretapping now happened in secret rooms at the telco, and not by affixing something physically to a wire in your home, but I'll definitely be aware the next time I hear a stranger breathing while I'm stuck on hold.

Future: Eventually, all movies (and music and everything else digital) will come via the Internet. We will only watch movies on our computers if we are traveling. Home viewing will be on our 72” wall mounted tv/monitor

June 19, 2008 6:53 AM PDT

Watch feature films free of charge at

Posted by Rick Broida

Many people already recognize video-streaming service as a great destination for watching TV shows (it has every single episode of Arrested Development, people!), but did you know it also offers movies?

... You'll have to sit through the occasional commercial--and stay tethered to your PC, of course--but that's a small price to pay for watching free movies on demand.

Global Warming! Neanderthal SUVs? Dinosaur flatulence?

Greenland ice core analysis shows drastic climate change near end of last ice age

Temperatures spiked 22 degrees F in just 50 years, researchers say

Public release date: 19-Jun-2008

Contact: Jim White 303-492-2219 University of Colorado at Boulder

Dilbert on Security Cameras

Thursday, June 19, 2008

Unreported breach, or just cleverly disguised?

Citibank Hack Blamed for Alleged ATM Crime Spree

Thursday, June 19 2008 @ 06:05 AM EDT Contributed by: PrivacyNews News Section: Breaches

A computer intrusion into a Citibank server that processes ATM withdrawals led to two Brooklyn men making hundreds of fraudulent withdrawals from New York City cash machines in February, pocketing at least $750,000 in cash, according to federal prosecutors.

The ATM crime spree is apparently the first to be publicly linked to the breach of a major U.S. bank's systems, experts say.

... Notwithstanding the court documents, Citibank said in an e-mailed statement that it was not the source of the breach. "There is no evidence that Citi servers were compromised in connection with this fraud," the company wrote.

Source - Threat Level

[From the article:

Citibank denied to's Threat Level that its systems were hacked. But the bank's representatives warned the FBI on February 1 that "a Citibank server that processes ATM withdrawals at 7-Eleven convenience stores had been breached," according to a sworn affidavit by FBI cyber-crime agent Albert Murray. [Why the denials? Bob]

... When they raided Ryabinin's home, agents found his computer logged into a carding forum. They also found a magstripe writer, and $800,000 in cash, including $690,000 in garbage bags, shopping bags and boxes stashed in the bedroom closet. Another $99,000 in cash turned up in one of the safe deposit boxes rented by Ryabinin and his wife, Olena. Biltse was also found with $800,000 in cash. [These are not small crimes. Bob]

... The timing of the caper -- which prosecutors say began in October -- overlaps Citibank's previously-unexplained lowering of ATM withdrawal limits in New York last December.

... That language suggests that the attackers may not have had access to stored account numbers and PINs, but instead were tapping into transactions in real time to vacuum up PIN codes as they flew past.

No one learns...

KS: Used state computers found with confidential files

Wednesday, June 18 2008 @ 01:17 PM EDT Contributed by: PrivacyNews News Section: Breaches

Used state computers that had been sent to the Surplus Property agency to sell still contained confidential information, according to a state audit released Wednesday.

... Foster and his team checked 15 computers at the state Surplus Property agency. Data was still on 10 of the computers, and 7 of those contained confidential documents, including thousands of Social Security numbers, he said.

Source - LJWorld

From the report [pdf]: We picked 15 computers from Surplus Property and used inexpensive file recovery software to see if any of them contained agency files. We were able to recover files from ten of the computers. Seven computers contained confidential information (social security numbers, Medicaid information, and password files), four contained sensitive files that agencies probably wouldn’t want made public, and one contained copyrighted music files. In general, it didn’t appear that much had been done to most of the computers to remove the data. We found that the data weren’t properly removed from the computers because agencies lacked policies, thought that Surplus Property was removing the data, or did a poor job of keeping track of their computers. Because of the severity of our early findings, the Department of Administration temporarily stopped selling computers in early May until they could make sure data were properly removed from all they had in stock.
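The auditors' method was simply to run recovery software over surplus machines and look for agency files; the same idea, run by the disposing agency before a machine leaves, is a cheap wipe-verification step. The Python below is an added example written for this page, not the Kansas audit's tool: it scans a raw disk image in chunks, reports byte offsets of SSN-shaped strings and a constructed keyword list, and declares the image wiped only when every byte is zero. The overlap handling exists so that a hit straddling a chunk boundary is neither missed nor reported twice; the sample image is built in memory and labelled as constructed.

```python
import io
import re
from typing import BinaryIO, Dict, List

CHUNK = 64 * 1024   # read the image in pieces so multi-GB images fit in memory
OVERLAP = 64        # longer than any pattern below, so boundary-spanning hits are seen

# Patterns worth flagging on a machine about to leave the building. The keyword
# list is a constructed sample; a real run would use an agency-specific list.
PATTERNS = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "keyword": re.compile(rb"password|medicaid", re.IGNORECASE),
}


def scan_image(fh: BinaryIO) -> Dict[str, object]:
    """Scan a raw disk image for residual data. Returns byte offsets of every
    pattern hit plus a `wiped` flag that is true only if every byte is zero."""
    hits: Dict[str, List[int]] = {name: [] for name in PATTERNS}
    nonzero = total = 0
    prev_tail = b""
    chunk = fh.read(CHUNK)
    while chunk:
        nxt = fh.read(CHUNK)             # look ahead so we know whether data follows
        at_eof = not nxt
        window = prev_tail + chunk
        win_base = total - len(prev_tail)  # image offset of window[0]
        for name, rx in PATTERNS.items():
            for m in rx.finditer(window):
                # Ended strictly inside prev_tail: already reported last round.
                if m.end() < len(prev_tail):
                    continue
                # Touches the window's end and more data follows: the byte after it is
                # unknown (a digit would break \b), so defer to the next round.
                if m.end() == len(window) and not at_eof:
                    continue
                hits[name].append(win_base + m.start())
        nonzero += len(chunk) - chunk.count(0)
        total += len(chunk)
        prev_tail = window[-OVERLAP:]
        chunk = nxt
    return {"hits": hits, "bytes": total, "nonzero_bytes": nonzero, "wiped": nonzero == 0}


def residue_report(fh: BinaryIO) -> str:
    """One-line verdict for a disposal checklist."""
    r = scan_image(fh)
    if r["wiped"]:
        return f"{r['bytes']} bytes, all zero: wipe verified"
    found = ", ".join(f"{k}={len(v)}" for k, v in r["hits"].items() if v)
    return f"{r['bytes']} bytes, {r['nonzero_bytes']} non-zero; findings: {found or 'none'}"


def build_sample_image() -> bytes:
    """Constructed 3-chunk 'image': zeros with fragments planted around chunk edges."""
    img = bytearray(3 * CHUNK)
    img[CHUNK - 40:CHUNK - 29] = b"987-65-4321"           # inside the overlap tail
    img[CHUNK - 11:CHUNK] = b"111-22-3333"                # ends exactly on a boundary
    img[2 * CHUNK - 5:2 * CHUNK + 6] = b"123-45-6789"     # straddles a boundary
    img[CHUNK + 100:CHUNK + 108] = b"password"
    return bytes(img)


if __name__ == "__main__":
    print(residue_report(io.BytesIO(build_sample_image())))
    print(residue_report(io.BytesIO(bytes(2 * CHUNK))))
```

Run it against a device with `scan_image(open("/dev/sdX", "rb"))` after the overwrite step; a non-zero byte count on a disk that was supposed to be zero-filled means the wipe did not cover the whole device, whatever the pattern hits say.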

[From the article:

For the Legislative Post Audit Committee, Foster demonstrated how he was able to access confidential files by using readily available $60 software. [Typical government employee – he could have used free software, just like the crooks do. Bob]

A few more details and some interesting questions. The very definition of “undue reliance”

Man Fired When Laptop Malware Downloaded Porn

Posted by samzenpus on Wednesday June 18, @06:59PM from the your-computer-wants-porn dept. Security

Geoffrey.landis writes

"The Massachusetts Department of Industrial Accidents fired worker Michael Fiola and initiated procedures to prosecute him for child pornography when they determined that internet temporary files on his laptop computer contained child porn. According to Fiola, "My boss called me into his office at 9 a.m. The director of the Department of Industrial Accidents, my immediate supervisor, and the personnel director were there. They handed me a letter and said, "You are being fired for a violation of the computer usage policy. You have pornography on your computer. You're fired. Clean out your desk. Let's go." Fiola said, "They wouldn't talk to me. They said, "We've been advised by our attorney not to talk to you." [Shouldn't someone ask a few questions? Bob] However, prosecutors dropped the case when a state investigation of his computer determined there was insufficient evidence to prove he had downloaded the files. Computer forensic analyst Tami Loehrs, who spent a month dissecting the computer for the defense, explained in a 30-page report that the laptop was running corrupted virus-protection software, and Fiola was hit by spammers and crackers bombarding its memory with images of incest and pre-teen porn not visible to the naked eye. [Not sure what that means... Bob] The virus protection and software update functions on the laptop had been disabled, and apparently the laptop was "crippled" by malware. According to Loehrs, "When they gave him this laptop, it had belonged to another user, and they changed the user name for him, but forgot to change the SMS user name, so SMS was trying to connect to a user that no longer existed... It was set up to do all of its security updates via the server, and none of that was happening because he was out in the field." A malware script on the machine surfed foreign sites at a rate of up to 40 per minute whenever the machine was within range of a wireless site."

[From the first article:

Loehrs, who spent a month dissecting the computer for the defense, explained in a 30-page report that the laptop was running corrupted virus-protection software, and Fiola was hit by spammers and crackers bombarding its memory with images of incest and pre-teen porn not visible to the naked eye.

Two forensic examinations conducted by the state Attorney General’s Office for the prosecution concurred with that conclusion, Wark said.

... DIA spokeswoman Linnea Walsh confirmed Fiola “was terminated,” but declined to say if any internal discipline has been meted out as a result of his name being cleared in court.

“We stand by our decision,” she said.

... “Anybody who has a work laptop, this could happen to,” he said. “Mike Fiola is a hunt-and-peck kind of computer guy. He can barely get on the Internet.”

Fiola’s troubles began in November 2006 when, seven years into a job probing workers’ compensation fraud, DIA gave him a replacement laptop for one that was stolen.

Months later, DIA information technology officials noted that the data usage on Fiola’s Verizon wireless bill was 4 times greater than his colleagues’. After discovering the child porn, Commissioner Paul Buckley fired him on March 14, 2007. [It took them 4 months to notice something was odd? Bob]

DIA turned the matter over to state police who, after confirming “an overwhelming amount of images of prepubescent children engaged in pornographic poses” were stored on the laptop, persuaded Boston Municipal Court to issue a criminal complaint against Fiola in August 2007. [For five months, all they looked for was the porn? Bob]

... Consistently, Loehrs’ findings noted, there was “no apparent origin or user interaction [Wouldn't “who done it?” be part of the prosecution's case? Bob] preceding the pornographic activity,” some of which was downloaded “fast and furious.”

[From article two:

IDGNS: So what do you think happened?

Fiola: It was either a rogue hack ... or after my computer was stolen, [the new computer] might have been loaded with the stuff, ready to go. I'm not accusing anybody, but if it was someone in the IT department who was doing this, [maybe they] never had a chance to take it off of there. [Interesting idea. Do you suppose there is still evidence to prove or disprove it? Bob]

[From article three:

"In the SMS software, they forgot to change the user name, so SMS was trying to connect to a user that no longer existed. So the day he walked out with the laptop, the SMS logs were red. If the IT department would have taken a single look at it, they would have seen that it was red and wasn't connecting to the server.

... "What I found is, he would log in to the state's Web site, he'd be on for five or 10 minutes and during the exact same time that he's filling out a form, an image shows up, out of nowhere. No typed [Uniform Resource Locator], no search, no Web site activity, just bam, a cached image shows up on his computer," Loehrs said. The offending images were located in the laptop's browser cache directory.

"He'd have 40 Web sites hitting his computer in a minute -- who's the IT guy who looked at this and said, "Wow, this guy is pretty active on the Internet?'" Loehrs said. "It's physically impossible!"

Loehrs found a script file that was set to go out and run its own searches on foreign Web sites, she said. "And once you get into some of these foreign sites, you'll get all kinds of stuff you don't want to see.

"Actually, the child pornography was just a very small portion of it. The majority was just bizarre porn. He was being hit with everything," she added.

Still, it took prosecutors months to drop the charges -- largely due to Loehrs uncovering the true nature of the images.

... Fiola's case raises serious questions about government security. If a state-run IT department can't configure a laptop properly, what can a person do to protect themselves from rogue malware?

... "Trojans are written by tech-savvy people. What's the first thing they are going to do? They're going to disable the protection," she added, noting that Fiola's Symantec-based logs were missing from the compromised laptop. [That would have been the easy way to determine what Fiola did. If they were missing, prosecutors must have assumed he was “covering up” and done no further investigation. Bob]

... The Fiola case brings up some troubling questions. What if a person actually did realize that his PC was compromised with child porn? How could someone safely remove it? If an innocent user took it to the company's IT department, he or she might get fired. A computer repair shop would probably alert the authorities, and there's a good chance the police would seize the computer, arrest the user and start the prosecution process.
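The two findings Loehrs describes above, cached images appearing with no user activity and dozens of hosts hit in a single minute, are the kind of thing a forensic examiner can check mechanically once browser activity is laid out on a timeline. The following is an added illustration in Python, not code from Loehrs' report or from any of the articles quoted here; the log format (timestamp, event kind, URL) and the thresholds are assumptions, and the timeline is constructed for the example:

```python
"""Triage a browser-activity timeline for cache writes that no user action explains.

Added example (not from the Fiola case materials). The log format is assumed:
one event per line, "ISO-timestamp kind URL", where kind is
  typed - a URL the user typed or clicked,
  form  - a form the user submitted,
  cache - a resource written to the browser cache.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

USER_KINDS = {"typed", "form"}  # events that require a human at the keyboard

# Constructed sample timeline: a legitimate session on a state web site, then a burst
# of cached images from 25 unrelated hosts with no user action anywhere near them.
_legit = [
    "2007-02-05T09:00:01 typed https://state.example.gov/claims/new",
    "2007-02-05T09:00:02 cache https://state.example.gov/static/logo.png",
    "2007-02-05T09:00:40 form https://state.example.gov/claims/new",
]
_burst = [
    f"2007-02-05T09:01:{s:02d} cache http://junk-host-{s:02d}.example/img/{s}.jpg"
    for s in range(10, 35)  # 25 distinct hosts in 25 seconds (constructed)
]
SAMPLE_LOG = "\n".join(_legit + _burst)


def parse_log(text):
    """Parse the assumed log format into (timestamp, kind, url) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, kind, url = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), kind, url))
    events.sort(key=lambda e: e[0])
    return events


def host_of(url):
    return urlsplit(url).hostname or ""


def orphan_cache_entries(events, window=timedelta(seconds=30)):
    """Cache writes with no typed URL or form submission to the same host in the preceding window."""
    orphans = []
    for ts, kind, url in events:
        if kind != "cache":
            continue
        host = host_of(url)
        explained = any(
            k in USER_KINDS and host_of(u) == host and ts - window <= t <= ts
            for t, k, u in events
        )
        if not explained:
            orphans.append((ts, url))
    return orphans


def burst_minutes(events, max_hosts=15):
    """Minutes in which cache writes touched more distinct hosts than a person plausibly visits."""
    hosts_per_minute = defaultdict(set)
    for ts, kind, url in events:
        if kind == "cache":
            hosts_per_minute[ts.replace(second=0, microsecond=0)].add(host_of(url))
    return sorted((m, len(h)) for m, h in hosts_per_minute.items() if len(h) > max_hosts)


def triage(text):
    """Run both checks over a log and return the flagged entries."""
    events = parse_log(text)
    return {"orphans": orphan_cache_entries(events), "bursts": burst_minutes(events)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{len(report['orphans'])} cache writes with no preceding user action")
    for minute, count in report["bursts"]:
        print(f"{minute:%H:%M}: {count} distinct hosts cached in one minute")
```

Both checks are deliberately conservative: an orphan entry is only a lead (a legitimate page embeds resources from other hosts, so the window and host matching would need tuning against the real browser history), but a burst of dozens of hosts per minute with no user events at all is exactly the pattern Loehrs called "physically impossible" for a hunt-and-peck user.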

[In case you need Tami Loehrs:

It would be nice if they contacted the victims; however, the criminals encrypted their data (being more interested in security than the companies they stole it from).

Finjan Finds Health And Business Data Being Auctioned Online

Wednesday, June 18 2008 @ 07:30 AM EDT Contributed by: PrivacyNews News Section: Breaches

More than 500 megabytes of premium health- and business-related data, along with stolen social security numbers, have been found being offered to the highest bidder on crimeware servers in Argentina and Malaysia.

Security firm Finjan discovered the illicit data market and issued a report about its findings today.

Source - InformationWeek

Related - Finjan Discovers more than 500 Mb of Stolen Medical, Business and Airline Data on Crimeware Servers in Argentina and Malaysia
Finjan Report - Malicious Page of the Month [pdf] (requires free sub.)

“You may install software on my computer at any time for $327.50 per bit per day. Installation is evidence of acceptance of this contract.” (O boy, I'm gonna be rich!)

Watchdogs Claim NebuAd Hijacking Sites

By Roy Mark 2008-06-18

Two watchdog groups accused Silicon Valley startup NebuAd June 18 of hijacking Web sites and intercepting users' browsers. NebuAd is an online advertising company that provides targeted advertising for ISPs.

According to a new technical report (PDF) by Free Press and Public Knowledge, NebuAd uses special equipment that "monitors, intercepts and modifies the contents of Internet packets" as consumers go online. The report found that NebuAd inserts extra hidden code into users' Web browsers that was not sent by the Web site being visited.

In turn, the code directs the browser to another site not requested or even seen by the consumer, where more hidden code is downloaded and executed to add more tracking cookies. Using the secretly collected information, NebuAd serves up ads based on the user's browsing habits.

Related: A more subtle hack

Web Browsers' 'Visited' Feature Creates Privacy Concerns

from the just-visiting dept

Ben Adida points to an interesting hack that takes advantage of a bug/feature (depending on your perspective) of modern browsers. When a webpage is rendered, the browser will typically display links that have been previously visited in a different color. Under the hood, this is implemented by setting the link's style to "visited." A website can use JavaScript to detect this information and report it back to the server -- and could even do something sneaky like adding "hidden" links not actually visible to users just to find out if you had visited certain sites. This behavior was noticed by the Mozilla community way back in 2002, but because of the way the spec was written, there wasn't any easy solution. Now somebody has figured out at least one useful purpose for this particular data leak: reducing the number of links some websites provide to social networking sites. As Digg, Reddit, and dozens of social news competitors have proliferated, blogs and news sites have increasingly faced the challenge of supporting ways to submit stories to those sites without unnecessarily cluttering up their pages. But this guy has developed some JavaScript code that will use the "visited" data leak to determine which social networking sites the user has visited and display badges only for those sites. It's a clever hack, albeit one that will make privacy sticklers' skin crawl. Browser vendors ought to fix the underlying privacy issue, which will break this little hack in the process, but in the meantime it doesn't hurt to put it to a useful purpose.

“Stupid is as stupid does.” F. Gump

Blog Receives Takedown Notice For Embedding A Video With Authorized Embed Code

from the keep-the-lawyers-busy dept

A year and a half ago, I wondered outloud if embedding an infringing video would be considered infringement as well. Technically, it's no different than just linking to infringing content. However, imagine an even more ridiculous scenario: what if a website puts up its own videos with an embed code, but then sends out takedown notices to anyone who embeds it? Russ writes in to let us know that's exactly what happened with an Iowa sports blog that was trying to raise awareness of the floods in Iowa (a good thing) and embedded a video from the website of the Des Moines Register using the very embed code offered by the Des Moines Register. So what happens? The Des Moines Register sends a takedown notice claiming copyright infringement. After complaining about this on the blog, and getting some attention over it, someone from the Register apologized and said that it was an overeager staffer who was unfamiliar with the fact that videos on the site included embed codes.

While it's great that the Des Moines Register quickly recognized its mistake, apologized and promised to make sure it wouldn't happen again, it still does raise some questions that are almost certain to show up in the future. It's still not clear if a site is responsible for embedding infringing videos. But what if the video's copyright holder doesn't like how a video is being used? What if, for example (and this is not what happened in this case) a site had used that same video of the Iowa floods to mock the victims? I would imagine that it would be tempting in that case to send out the takedown notice, even though the embed code had been offered up. We're almost certainly going to see this happen in the near future. Someone who puts up a video with an embed code is going to be unhappy with how that content is being used, and will claim infringement, even though the content was freely offered up.

The copyright implications of embedding are not at all clear -- and that means you can be sure that lawsuits are on their way.

Is it overly optimistic to think someone will actually read these?

GAO releases three privacy-related reports

Wednesday, June 18 2008 @ 02:01 PM EDT Contributed by: PrivacyNews News Section: Fed. Govt.

The following GAO reports are now available:

Privacy: Agencies Should Ensure That Designated Senior Officials Have Oversight of Key Functions, GAO-08-603, May 30, 2008: Summary Full Report [pdf]

Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information, GAO-08-536, April 19, 2008: Summary Full Report [pdf]

Privacy: Congress Should Consider Alternatives for Strengthening Protection of Personally Identifiable Information, GAO-08-795T, June 18, 2008: Summary Full Report [pdf]

This is interesting. The text message is private despite being transmitted by radio (unencrypted?) to a local receiver (think cell tower and anyone else with a radio tuned to that frequency) and then to the provider's computers via wire (secure) or satellite (now even aliens can intercept it), then it is archived (where the copy the cops obtained came from). Then the whole process is reversed to deliver the message to the addressee.

Ninth Circuit Upholds Privacy of Text Messages

Wednesday, June 18 2008 @ 02:27 PM EDT Contributed by: PrivacyNews News Section: In the Courts

Today the Ninth Circuit issued its opinion in Quon v. Arch Wireless, holding that "users of text messaging services such as those provided by Arch Wireless have a reasonable expectation of privacy in their text messages."

Source - EFF

What happens when golf fans can't get to their televisions to watch Tiger Woods? Certain to join the Streisand Effect in the lexicon.

The Tiger Effect and Internet DDoS

Posted by timothy on Wednesday June 18, @03:32PM from the aka-the-kenn-starr-steamroller dept.

An anonymous reader writes

"Many US and Canadian ISPs thought they were under a massive denial of service attack yesterday — traffic spiked by hundreds of gigabits across North America. Turns out that the traffic was due to live streaming of the U.S. Open and Tiger Woods nail-biting victory."

Perhaps I'll use this to explain arbitrage... Naaaaah. More likely to explain out-of-control marketing departments.

Would You Buy $630 For $715? Thanks To Microsoft, You Can Make Money Doing So

from the loopholes dept

Just last month, Microsoft announced its desperation plan of bribing users to use Microsoft's search. Basically, if you bought certain products via a Microsoft search, Microsoft would pay you cash back. And, of course, as soon as the cash got involved, it didn't take long for people to find loopholes. Various message boards are highlighting how this works, but the end result is that people are buying $630 in cash for $715 (via Whitney McNamara), knowing that Microsoft will pay them "cash back" that more than makes up the difference -- in some cases up to $250. So, in that case, the seller of the "cash" ends up making $85, and the "buyer" makes $165. Microsoft, of course, is out the $250. Talk about arbitrage.

Trend or aberration?

Teens use technology to party in strangers' pools

By James Sherwood 18th June 2008 15:36 GMT

Tech savvy teens are using Google Earth’s splendidly clear aerial shots of the UK to launch a summertime craze – pool crashing.

Teens begin by surfing Google Earth’s satellite images to find houses with swimming pools — or at least paddling pools. Once a target has been identified, sweaty swimmers then use Facebook to arrange an organised, but uninvited, pool-crash.

Another way to interest children in the legal system.

Court overturns father's grounding of 12-year-old

20 hours ago

OTTAWA (AFP) — A Canadian court has lifted a 12-year-old girl's grounding, overturning her father's punishment for disobeying his orders to stay off the Internet, his lawyer said Wednesday.

The girl had taken her father to Quebec Superior Court after he refused to allow her to go on a school trip for chatting on websites he tried to block, and then posting "inappropriate" pictures of herself online using a friend's computer.

... Beaudoin noted the girl used a court-appointed lawyer in her parents' 10-year custody dispute to launch her landmark case against dear old dad.

What does a data center cost? (Just a few pictures, early in the construction.)

Inside Microsoft's $550 Million Mega Data Centers — A tour of Microsoft's gargantuan, under-construction San Antonio data center reveals a state-of-the-art IT infrastructure on an immense scale.

Future: Anything digital on demand

YouTube Shifts Strategy, Tries Long-Form Video

Michael Learmonth | June 18, 2008 11:47 AM

... YouTube's 10-minute limit has served a couple of purposes to date: It keeps bandwidth costs down, and it makes it harder for copyright owners to complain about unauthorized streams...

Future, convergence. The device is still huge (the size of an iPod) but potentially could be squeezed into the next generation iPhone.

World’s Smallest Projector, TI Optoma Pico, Coming to U.S. Next Year

June 18, 2008

Wednesday, June 18, 2008

Did the loss of these cards go unreported? No word from 1st Source Bank yet.

UPDATE: List of affected customers growing after reports of fraudulent withdrawals

Wednesday, June 18 2008 @ 06:08 AM EDT Contributed by: PrivacyNews News Section: Breaches

Local police and FBI agents are investigating after hundreds across the area reported money missing from their bank accounts over the weekend.

Police agencies across the area are reporting account breaches from at least 10 different banks, credit unions and other financial institutions. Thousands of dollars have been reported stolen.

Source - WSBT

Comment: what's interesting about this breach, if one theory is correct, is that a May breach involving 1st Source Bank may have affected non-1st Source Bank customers who used 1st Source's ATM machines.

Isn't this the opposite of Identity Theft? Identity Erasure?


Local Man Sentenced For Deleting Medical Records

A disgruntled worker is paying the price for deleting medical records, 10News reported.

Jon Paul Oson, of Chula Vista, was sentenced to more than 5 years in prison for hacking into the database of a local health clinic.

It was the very person trusted to protect the Council of Community Health Clinics who went on a hacking rampage.

[...] Dembin said Oson’s actions affected thousands of patients’ records. That is because the organization provides various services to 17 regional health clinics in Southern California, including the North County Health Services Clinic in San Marcos.

Full story -

React first, think later?

June 17, 2008 10:55 AM PDT

State worker cleared on child porn charges that were due to malware

Posted by Elinor Mills

A fired Massachusetts state worker has been exonerated of a charge of possessing child pornography after computer forensics showed that his work laptop was infected with malicious software that was surreptitiously visiting illegal Web sites. [I'm starting a business to sell this software to federal judges... Bob]

Michael Fiola, 53, was fired as a worker's comp fraud investigator with the Massachusetts Department of Industrial Accidents in March 2007 [Took 'em long enough. Bob] after IT administrators found cached images of child porn in the temporary Internet files in his browser, according to the Dark Reading security news site.

Fiola, described as being "computer illiterate," hired a forensics expert who found the evidence that was used to convince the court to drop the case last week. He remains unemployed and plans to sue the agency over his firing. [Shocking... Bob]

"Our lives have been hell," Fiola, a former state park ranger now living in Rhode Island told the Boston Herald. "I hope to recover my reputation, but our friends all ran."

His laptop initially attracted attention because its wireless usage was four times higher than that of his co-workers. [Someone noticed? How unusual! Bob] But because the IT department hadn't properly configured the agency laptop and antivirus software wasn't working on the machine, it was riddled with Trojans and viruses, in addition to the malicious software that was bringing up the porn sites. [Remember, IT Security can save you money! Bob]

Oh the horror!

All Your Coffee Are Belong To Us

Posted by kdawson on Wednesday June 18, @02:19AM from the pouring-over-it dept.

Wolf nipple chips writes

"Craig Wright discovered that the Jura F90 Coffee maker, with its honest-to-God Jura Internet Connection Kit, can be taken over by a remote attacker, who can cause the coffee to be weaker or stronger; change the amount of water per cup; or cause the machine to require service (call this one a DDoC). 'Best yet, the software allows a remote attacker to gain access to the Windows XP system it is running on at the level of the user.' An Internet-enabled, remote-controlled coffee-machine and XP backdoor — what more could a hacker ask for?"

Cheaper to buy the ads? Not likely...

June 16, 2008 2:52 PM PDT

Accused spammer must pay MySpace $6 million

Posted by Greg Sandoval

MySpace continues to wage a legal war on alleged spammers.

An arbitrator has ordered Media Breakaway and Chief Executive Scott Richter to pay the social-networking giant $4.8 million in damages and $1.2 million in legal fees, according to legal filings. The company's employees were also ordered to stay off MySpace.

This kind of surprises me. Insiders have the best picture of the operation and its weaknesses. Perhaps the average security set-up is weaker than I thought?

Insiders No Longer The Biggest Threat To Computer Networks

from the but-why? dept

For years, we've been told that the biggest threat to various companies' computer networks doesn't come from outside hackers, but from internal (often disgruntled) employees. However, a new study disputes that, saying that less than one in five security breaches were due to insiders. Business partners are nearly twice as likely to be the cause of an attack, [What does the contract allow? Bob] and then outside hack attacks are the largest threat. Of course, what isn't explained is whether or not the earlier data was just wrong -- or if something has changed over the last few years (more outside hacking, better controls on employees, etc.). That would probably be a lot more interesting and useful than just knowing the percentages.

For your Security geeks

Kaspersky workaround for encryption virus comes with a catch

Kaspersky Lab has published advice on recovering files encrypted by the Gpcode.ak virus

By John E. Dunn, Techworld June 17, 2008

Kaspersky Lab has published advice on recovering files encrypted by the frightening Gpcode.ak virus, but there is a big catch -- users must not have turned off their PC first.

We need to do this in the US.

UK: FSA fines stockbroker over weak data security

Tuesday, June 17 2008 @ 10:57 AM EDT Contributed by: PrivacyNews News Section: Breaches

A stockbroker has been fined £77,000 by the Financial Services Authority (FSA) for failing to protect its customers from identity fraud – despite the firm not having had a data breach.

Source - IT Pro

We need to NOT do this in the US. (As Shakespeare said, “To be, or not...”)

Associated Press: Fair Use Limits You To Four Words; Five Words Costs $12.50

from the make-it-stop dept

As we wait with bated breath for the Associated Press to come down from the mountain with its own rules for "fair use for bloggers," Patrick Nielsen Hayden gives us a sense of what the AP considers fair use (found via Boing Boing). Apparently, for quite some time, the AP has had up a page that lists out prices for quoting AP text. I will quote the list prices, and hope I don't get a DMCA takedown:

  • 5-25 words: $ 12.50

  • 26-50 words: $ 17.50

  • 51-100 words: $ 25.00

  • 101-250 words: $ 50.00

  • 251 words and up: $ 100.00

Oh, and it gets better. The AP claims that it can revoke the license at any time if it feels you're saying something negative about the Associated Press: "Publisher reserves the right to terminate this Agreement at any time if Publisher or its agents finds Your use of the licensed Content to be offensive and/or damaging to Publisher’s reputation."

Now, these are the terms that the AP has had on its site for some time -- but they explain why the AP went after the Drudge Retort for quoting less than 100 words. To the AP, that was a violation requiring a $25 license. So, while some believe that those criticizing the AP are overreacting, I'd argue that's not the case at all. This is not, as suggested, a one-time thing. This is an ongoing pattern of misuse of copyright law by the AP. And it's been pointed out to the AP in the past that these actions are wrong -- and it did nothing to change the AP's behavior. Instead, it seems to have only emboldened the AP.

Besides, it now appears that the AP's way of having this "conversation" with bloggers on what is AP-acceptable "fair use" is to meet with some guy who represents some blogging "group" I've never heard of. That group does not represent bloggers and it certainly doesn't speak for all of us in reaching some sort of "agreement." If the AP really wants to engage with the critics, why doesn't it come out and talk to those of us criticizing its actions? So far, the only engagement has been to cut and paste the same comment on a bunch of blog sites... Other than that, it has only spoken to reporters about this issue.

Are there 300 types of files that need to be PDFs? - PDF Converter

If you want to convert your documents to PDF files without investing in expensive software you should visit PrimoOnline. In 3 easy steps you can convert over 300 types of files to PDF documents. To begin you must enter your email address, then you can select your file which can be any type of document from a PowerPoint presentation to an Excel sheet or even graphics. Once you have selected your file you can create a PDF and send it to your email address so you can easily access the file from any computer. You can create a PDF file online from any platform, Windows, Mac or Linux. There is a PrimoPDF user’s manual for anyone who may experience difficulties using the converter. PrimoOnline is simple to use and you can create PDF files without the hassle of purchasing and installing software. PrimoOnline offers a no fuss and no hassle way to create and convert your documents to PDF files.

Convergence? Another time-waster? (Another reason handhelds will replace laptops?)

ShoreTel Ships New Unified VOIP System

By Chris Preimesberger 2008-06-16

... ShoreTel claims to be the first vendor to deliver a system that takes advantage of a recent enhancement to the H.264 standard for video compression: SVC (Scalable Video Coding). This new feature permits high-quality video on every desktop, including those of remote workers, a company spokesperson told eWEEK.

Schneier is always worth reading...

LifeLock and Identity Theft

Tuesday, June 17 2008 @ 08:06 AM EDT Contributed by: PrivacyNews News Section: Other Privacy News

LifeLock, one of the companies that offers identity-theft protection in the United States, has been taking quite a beating recently. They're being sued by credit bureaus, competitors and lawyers in several states that are launching class action lawsuits. And the stories in the media ... it's like a piranha feeding frenzy.

There are also a lot of errors and misconceptions. With its aggressive advertising campaign and a CEO who publishes his Social Security number and dares people to steal his identity -- Todd Davis, 457-55-5462 -- LifeLock is a company that's easy to hate. But the company's story has some interesting security lessons, and it's worth understanding in some detail.

Source - Schneier on Security

Data Centers are not “a space for some computers” any longer.

Data Center Designers In High Demand

Posted by timothy on Tuesday June 17, @09:53AM from the blinky-blue-is-the-new-dull-amber dept.

Hugh Pickens writes

"For years, data center designers have toiled in obscurity in the engine rooms of the digital economy, amid the racks of servers and storage devices that power everything from online videos to corporate e-mail systems but now people with the skills to design, build and run a data center that does not endanger the power grid are suddenly in demand. 'The data center energy problem is growing fast, and it has an economic importance that far outweighs the electricity use,' said Jonathan G. Koomey of Stanford University. 'So that explains why these data center people, who haven't gotten a lot of glory in their careers, are in the spotlight now.' The pace of the data center build-up is the result of the surging use of servers, which in the United States rose to 11.8 million in 2007, from 2.6 million a decade earlier. 'For years and years, the attitude was just buy it, install it and don't worry about it,' says Vernon Turner, an analyst for IDC. 'That led to all sorts of inefficiencies. Now, we're paying for that behavior.'"

On a related note, an anonymous reader contributes this link to an interesting look at how a data center gets built.


Fascinating Video Tour of an Equinix Data Center — Equinix is responsible for holding massive amounts of data, including storage for popular sites like Take a tour of the facilities, and see how much energy it takes to keep the Web alive. CNET's Neha Tiwari reports.

For my Software Process Engineering class

Anatomy of a Runaway Project

Posted by kdawson on Tuesday June 17, @01:47PM from the off-the-tracks-and-ploughing-up-dirt dept.

JCWDenton recommends a piece by Bruce Webster revealing some insights into a failed multi-million-dollar IT project.

"The following document is the actual text — carefully redacted — of a memo I wrote some time back after performing an IT project review; names and identifying concepts have been changed to preserve confidentiality (and protect the guilty). The project in question was a major IT re-engineering effort for a mission-critical system; at the time I did this review, the project had been going on for several years and had cost millions of dollars; it would eventually be canceled and the work products abandoned. The memo itself provides an interesting glimpse into just how a major IT project can go so far off the tracks that nothing useful is ever delivered."

Even I need a break now and then. - Free Flash Games

With over 11,000 flash games available to play for free, Bigfuncity is one of the larger sites for flash gamers. Games are well-categorized into: Action, Puzzle, Sport, Brain Training, Adventure, Racing, Kids and Casino or simply search by keyword for the game of your choice. If you register, you can also join the gaming community and communicate with other gamers on the site. Without registering, you can still access and play their entire database of games which are relatively quick to load, of a generally good quality, and easy to find. While there are many free gaming portals available these days, Bigfuncity is definitely worth a look the next time you need your fix.


Cosmopolitan Teaches Girls How to Break DRM & Pirate Music — I have new respect for this magazine.

[Picture of the page:

This proves my thesis that some people will spend any amount to save a few cents on gas...

Segway sales hit all time high, thanks OPEC!

by Darren Murph, posted Jun 16th 2008 at 8:54AM