Saturday, June 28, 2008

It should be interesting to hear how they justified their failure to notify.

http://www.pogowasright.org/article.php?story=20080627134348636

Wards didn't tell consumers about credit card hack

Friday, June 27 2008 @ 01:43 PM EDT Contributed by: PrivacyNews

Associated Press reports that Montgomery Ward, which had been bought out by Direct Marketing Services, was hacked and at least 51,000 customers' credit card numbers were accessed -- but DMS didn't notify the customers, despite the fact that they were aware of the problem since December and had notified their payment processor, MasterCard, Visa, and the Secret Service. AP


Related There is more from the Breach Blog

http://breachblog.com/2008/06/27/wards.aspx

Montgomery Ward breached, no notification obligation?

Posted by Evan Francen at 6/27/2008 11:31 PM and is filed under SearsRoomForKids.com,Hack,HomeVisions.com,Intrusion,Direct Marketing Services,Montgomery Ward,SearsHomeCenter.com,SearsShowPlace.com


Date Reported: 6/27/08

Organization: Direct Marketing Services Inc.

Contractor/Consultant/Branch:
Montgomery Ward
HomeVisions.com
SearsHomeCenter.com
SearsShowPlace.com
SearsRoomForKids.com
Victims: Customers

Number Affected: "at least 51,000 records"

Types of Data: Names, addresses, phone numbers, card numbers, "security codes", and expiration dates

Breach Description: "NEW YORK (AP) -- The parent company of Montgomery Ward is admitting that it was hit with a credit card hack, but it didn't inform the customers affected."

Reference URL: The Associated Press via WZTV Channel 17 News

Report Credit: The Associated Press

... Direct Marketing Services' CEO, David Milgrom, said the financial company Citigroup detected the computer invasion in December.

By going through HomeVisions.com, another Direct Marketing Services site, hackers had plundered the database that holds account information for all the company's retail properties.

[Evan] The AP story names five of the six Direct Marketing Services retail properties (See Above). I don't know what the sixth is.

... Milgrom said Direct Marketing Services immediately informed its payment processor and Visa and MasterCard.

Direct Marketing Services closely followed a set of guidelines, issued by Visa, on how to respond to a security breach.

[Evan] This is sad. The Visa documentation regarding breach response is way too narrowly focused to be used as an organizational incident response. Every organization that creates, collects, uses, stores, and/or transfers confidential information should have an incident response policy and accompanying procedures. Take a look at the Visa "What To Do if Compromised" procedures, and judge for yourself.

... This hack might have stayed quiet except for online chatter detected in June by Affinion Group Inc.'s CardCops, a group of investigators who track payment-card theft for financial institutions.

... Along with the card numbers, their three-digit "security codes" and expiration dates, the thieves had the cardholders' names, addresses and phone numbers.

... Avivah Litan, an analyst at Gartner Inc., believes unreported data breaches might still outnumber the ones that do get publicized.

On the Net: Links to the 44 state notification laws



Is this related to the Citibank ATM hack?

http://www.pogowasright.org/article.php?story=20080628075605220

EXCLUSIVE: Visa notifying many New York banks of debit card compromise

Saturday, June 28 2008 @ 07:56 AM EDT Contributed by: PrivacyNews

The Dime Savings Bank of Williamsburgh has notified some of its customers that it is reissuing debit cards to some of its customers whose accounts may have been compromised.

According to their letter dated June 25, "Many area banks have recently received information from Visa's Security and Risk Management department advising us of the possible compromise of a minimal amount of Debit Card account numbers."

The Dime Savings Bank of Williamsburgh is a Brooklyn-based bank. At this time, it is not known what other area banks in New York have been notified by Visa and whether this breach has any connection with the ring involved in the Citibank ATM breach. If anyone has additional information, please email it to privacynews@pogowasright.org



No indication in the article as to which breach this was. Also note that the local banks were not warned by the Secret Service – does that suggest a Credit Union only breach?

http://www.pogowasright.org/article.php?story=20080627110242146

Credit card theft hits Envision members, Tallahassee residents

Friday, June 27 2008 @ 11:02 AM EDT Contributed by: PrivacyNews

Theft of information from more than a million credit and debit cards by computer hackers who gained access to the database of a national restaurant chain has turned 612 Envision Credit Union members — and perhaps others in the area — into victims.

A spokesman for the credit union said only two fraudulent attempts to use cards have been noted, including one using the card of Ray Cromer, Envision's president.

Source - Tallahassee.com

Note: this may be related to the Dave & Buster's breach -- Dissent.



It would be nice to have someone match the reports of breach with the transcripts of prosecutions. Perhaps it would shed more light on the techniques used and point out the non-disclosers at the same time.

http://www.pogowasright.org/article.php?story=20080627170553250

Maple Grove hacker corrals thousands of credit card accounts

Friday, June 27 2008 @ 05:05 PM EDT Contributed by: PrivacyNews

A 21-year-old Maple Grove man admitted in federal court today to hacking his way to the credit card account information of thousands of people and using some of the information to add value to gift cards that he purchased and then sell the cards on Craigslist. Mann obtained credit card account information from thousands of victims by hacking into an Internet-based order-processing server.

Zachary W. Mann pleaded guilty to wire fraud and aggravated identity theft before U.S. District Court Chief Judge James Rosenbaum in Minneapolis.

Source - Star Tribune

[From the article:

From January to March, [Justice is swift in Minneapolis. Bob] Mann obtained credit card account information from thousands of victims by hacking into an Internet-based order-processing server.



Undue reliance? Socialized medicine? Osama bin Laden?

http://www.phiprivacy.net/?p=506

Jun-27-2008

UK: Computer failure puts cancer sufferers at risk

Suspected cancer patients at top London hospitals have missed critical appointments after their records were lost by a new multi-billion-pound computer system.

Patients missed appointments with a specialist within the necessary two weeks because of problems with the new Care Records Service installed under the NHS £12.7 billion Programme for IT (NPfIT). Problems arose in April when Bart's and The London Trust switched to the new system, which failed to keep track of patient data. As well as missing urgent appointments, patients were booked into closed clinics and appointments were repeatedly cancelled, a report in Computer Weekly revealed today.

Full story - Evening Standard

[From the article:

The Care Records Service - the world's largest non-military IT programme - was launched in 2002 to keep an electronic record for 50 million patients across Britain.

Directors at Bart's were told of the problems at a board meeting this week.



Business opportunities: There should still be space for sites like “How to fill out legal forms” and “TaxWiki” and “Grammar School Tutor” and “Algebra for Fun and Profit” and “Hacking into TJX”

http://www.technewsworld.com/rsstory/63583.html

The Web Knows How

By Eric Benderoff Chicago Tribune 06/28/08 4:00 AM PT

... The Web has become the place where people go to learn new tricks. Traffic to sites like eHow.com and WikiHow.com has doubled over the past year, according to figures from ComScore Networks, while start-ups such as Howcast.com and Findhow.com, a search engine to find "how-to" content, are entering the field.

... This month, Ted Ives launched his new site, Findhow.com. It's a search engine for how-to content that categorizes a wide range of content from various sites across the Web.

... If you want to learn how to change a dimmer switch, Findhow offers eight results, including video and text-based content from HomeDepot.com.


Related Like www.LULU.com, but limited to magazines. There might be a market – people who want documents they can hold... (Not much on this site, yet.)

http://www.killerstartups.com/eCommerce/magcloud-com-publish-and-print-your-own-magazine/

MagCloud.com - Publish and Print your Own Magazine

MagCloud allows you to publish your own magazine and sell it online so that you make all the profit. MagCloud takes care of all the work after you create it yourself – printing, mailing, subscriptions, etc. It doesn't cost you anything to design your magazine and all you need is a PayPal account so that you can sell the product above production cost to generate your earnings. MagCloud requires that you upload a PDF but that's pretty much about it – the rest is up to you. You can also browse others' magazines on MagCloud and purchase those you wish by creating an account. While MagCloud is in its Beta stage, magazine creators have to request an invitation in order to publish.

http://magcloud.com/home

Friday, June 27, 2008

Another third party breach. I wonder how many companies (99%?) give sensitive data to outsiders without specifying how it is to be protected?

http://www.pogowasright.org/article.php?story=20080626182755900

TX: Workers' data stolen from DPS-contracted company

Thursday, June 26 2008 @ 06:27 PM EDT Contributed by: PrivacyNews

... A lockbox containing the information of 826 Texas state employees was taken from the home office of an employee of L-1 Identity Solutions, a private company contracted by the Department of Public Safety to do fingerprinting.

Notices are in the mail to inform the hundreds of victims that their names, home addresses, dates of birth, driver's license and Social Security numbers are in the hands of criminals. About 100 of those people work for the State Board of Education, and this is happening less than a year after the Texas Legislature mandated that all education employees submit their fingerprints for criminal background checks.

Source - KXAN



Follow-up This is the one Citibank has been reluctant to comment on.

http://news.slashdot.org/article.pl?sid=08/06/26/1932233&from=rss

Crooks Nab Citibank ATM Codes, Steal Millions

Posted by timothy on Thursday June 26, @04:07PM from the ha-ha-you-can't-steal-it-if-I-lose-it-first dept. Security The Almighty Buck IT

An anonymous reader writes

"Citibank is reissuing ATM cards following a December server breach in which hackers stole customer PIN codes, Wired reports. In recent months the FBI has arrested 10 people in the New York area who were allegedly involved in using the codes to steal over $2 million from Citibank checking and savings accounts, including two Ukrainian immigrants who were each caught with $800,000 in cash stashed in boxes and shopping bags in their homes. Some of the suspects are cooperating, telling the feds that they've been working for a Russian hacker. They use magstripe writers to encode the stolen account numbers onto blank cards, then hit ATMs in New York, and transfer 70% of the loot back to Russia."

[From the article:

Six months after the 2007 breach, Wired.com is receiving scattered reports of Citibank customers still suffering mysterious withdrawals from their bank accounts.

The FBI believes the brains behind the operation is a Russian man, who's receiving the lion's share of the profits through international wire transfers and online-payment systems. While Citibank and federal officials are being closed-mouthed about the PIN theft and the ensuing fraud, the Citibank heist provides a rare look at how a single high-value breach reverberates through the international "carding" community of bank-card fraudsters. What's more, neither Citibank nor the third-party transaction processor involved in the breach has warned consumers to watch for fraudulent withdrawals, raising questions about the disclosure policies in the financial industry. Citibank spokesman Robert Julavits says the bank "has complied with all applicable notification requirements."

... Meanwhile, there's evidence that the fraud is not confined to the Big Apple. Rahul Kumar, a transportation consultant in San Diego, says someone took $3,000 from three of his Citibank accounts on June 15, while his ATM card was safely in his wallet.



Interesting in a “If we don't start planning/doing this, we'll have to scramble (spend more with less useful results) when it becomes mandatory” perspective...

http://www.securityfocus.com/brief/764?ref=rss

EU advisors: Secure ISPs, form "cyber-NATO"

Published: 2008-06-26

HANOVER, NH -- Academic researchers tasked with making information-security recommendations to the European Union called for rules to force Internet service providers to clean up their networks, for the passage of a comprehensive breach-disclosure law, and for the formation of a group to manage and aid international investigations.

The fifteen recommendations, part of a report (pdf) prepared by University of Cambridge researchers and funded by the European Network and Information Security Agency (ENISA), could form the basis of future rules governing EU members, said Tyler Moore, a researcher and PhD student at University of Cambridge, who presented the work on Thursday at the Workshop on the Economics of Information Security (WEIS) 2008.


Related At least there is some evidence we know what to do, NOW DO IT!

http://www.infoworld.com/article/08/06/26/Antispam_group_outlines_defenses_to_block_botnet_spam-IDGNS_1.html

Antispam group outlines ways to block spam from botnets

MAAWG recommends new best practices for ISPs to stop increasing volumes of spam

By Jeremy Kirk, IDG News Service June 26, 2008

A major antispam organization is pushing a set of new best practices for ISPs to stop increasing volumes of spam from botnets.

The guidelines, from the Messaging Anti-Abuse Working Group (MAAWG), were drawn up at a meeting in Germany last week and deal with forwarded e-mail and e-mail that is sent from dynamic IP addresses.



IT is moving into the cloud – deal with it.

http://www.killerstartups.com/Web-App-Tools/humyo-com-lots-of-free-storage/

Humyo.com - Lots of Free Storage

Online storage sites are a dime a dozen these days. The majority of them give you a gig or two of storage free and then offer variously priced package plans for more storage, more gigs. But it's not always cheap, which is why Humyo is a treasure chest as far as online storage sites go. Humyo is a German-based online storage mecca that acts as a replacement for your hard drive. You actually get 30GB of storage free right off the bat when you open an account. You can store and play media files direct from the site. You can keep all your PCs synced and backed up without ever having to transfer files. Humyo is accessible worldwide with internet access. There's plenty of other handy features as well. You can publish any content such as photos or videos easily; you can share and send files at whim; and you can even access your info from your smartphone, which means unlimited storage always on hand. Humyo is secure too. Sign up to join.

http://www.humyo.com/



This changes the “IT ecosystem”

http://www.infoworld.com/article/08/06/26/8_in_10_businesses_now_using_Macs_1.html?source=rss&url=http://www.infoworld.com/article/08/06/26/8_in_10_businesses_now_using_Macs_1.html

Survey: 8 in 10 businesses now using Macs

Apple has made significant inroads with corporate users as the percentage of businesses using Macs has doubled in the past two years

By Gregg Keizer, Computerworld June 26, 2008



This is interesting. If politicians don't do this themselves, some very non-flattering alternatives are likely to appear.

http://techdirt.com/articles/20080626/1824551529.shtml

Politicians Embracing Technology To Actually Communicate With Constituents

from the warms-my-heart dept



Network neutrality in a country that respects politeness...

http://techdirt.com/articles/20080625/1933101519.shtml

Japanese Broadband Caps Compared To US Broadband Caps

from the take-a-look-around dept

With various US broadband firms implementing usage caps sometimes as low as 5GBs/month, we are quite concerned about how these moves will hinder innovation by effectively placing much greater mental transaction costs on using any kind of application online. In defense of these caps, some have pointed out that even Japanese ISPs (sometimes used as an example of a much better broadband system than in the US) are also implementing caps.

Broadband Reports now has the details on some of those caps, and they're much higher than in the US (just like Japan's broadband speeds). The cap is 30 gigs per day of upload. There are no download caps. So, yes, the Japanese caps (that some want to use as an example of why caps are necessary) are many times greater per day than what some US firms want to offer per month -- and it's only for upload, rather than download. Suddenly, I get the feeling we'll be hearing the example of Japanese broadband caps a lot less frequently.



The FBI continues to “not get it.” If they have no plan, how will they know they have succeeded?

http://www.pogowasright.org/article.php?story=20080626195737635

FBI Data-Mining Slashed After G-Men Dis Congress

Thursday, June 26 2008 @ 07:57 PM EDT Contributed by: PrivacyNews

There was a time, early in the war on terror, when agencies like the FBI could have told Congressional investigators to go to hell, without paying much of a price. Not any more. Earlier today, House appropriators voted to pull $11 million to expand a controversial FBI data-mining project, after the Bureau repeatedly stiff-armed Congressmen and their gumshoes in the Government Accountability Office.

Source - Danger Room blog

[From the article:

“In fact, we’re only doing what they told us to do,” said Congressman Brad Miller in a statement. “The Department of Justice... said that if Congress didn’t like what they were doing, we could pull their funding. Well, that’s what we’ve done...

... The G-Men claimed they had "no written plans" that "would provide any meaningful details," because the center was not yet "operational."

... But the mission of NSAC has expanded far beyond that limited purpose and scope and the Justice Department claims that with this new data mining center’s access to billions of personnel records the “universe of subjects will expand exponentially.” The potential for abuse and the possibility that innocent American citizens will become wrongfully ensnared within the FBI’s growing web of potential suspects is a grave concern.



Counter-surveillance: Obvious why you might want to confuse a cruise missile, but your boss? Grounds for instant dismissal?

http://tech.slashdot.org/article.pl?sid=08/06/27/0426216&from=rss

Intentional GPS Jamming On the Increase

Posted by timothy on Friday June 27, @05:27AM from the can-you-find-me-now-can-you-find-me-now dept. Security IT Technology

benst writes

"Here's yet another way to measure the success of GPS: by the efforts to negate it. While unintentional jamming continues to rise, intentional jamming by both foreign military forces and at-home miscreants of various stripes also has shown increased vigor in the past six months. Related here are recent instances of intentional jamming on each side of the border, and (briefly outlined) one initiative mounted by the National Geospatial Intelligence Agency (NGA) to counteract it. Also here ways to detect and prevent jamming."

[From the article:

Meanwhile, several Internet sites offer small, localized GPS jammers for sale in the U.S. domestic market. These include a "GPS Blocker" with an advertised 10-meter to 20-meter range for roughly $200. "Just plug into a standard cigarette lighter with 12 V for power," says the web page, "and it will automatically protect you from any GPS tracking on and within your vehicle. This is a popular item with sales personnel and delivery drivers, who wish to take lunch or make a personal stop outside of their territory or route."



We need this kind of analysis, even if it is brief and anecdotal, to help us plan to deal with the paradigm coming soon to all organizations. (Even the comments are worth reading)

http://tech.slashdot.org/article.pl?sid=08/06/26/1339227&from=rss

A Marine's-Eye View of the Networked Battlefield

Posted by CmdrTaco on Thursday June 26, @10:58AM from the so-it's-not-like-starcraft-at-all-then dept. The Military

Ian Lamont writes

"Tyler Boudreau, a Marine veteran of the war in Iraq and a blogger, has written an interesting analysis of the impact of email, IM, and other digital devices upon 'ground-pounders' and their commanders in the field. These innovations were introduced in hopes of increasing situational awareness, rapidly gathering data, analyzing it, organizing it, and then pushing it back out to operators as actionable intelligence. They also provide commanders with the freshest possible information and aid them in their moment-to-moment decision-making. However, Boudreau found that the technologies can lead to micromanagement and deep frustration, trends that he illustrates by describing a shooting incident in al Anbar and its aftermath. He also warns that soldiers can become too dependent upon headquarters for critical decisions, which can lead to dangerous situations when communications get cut off."



Is it normal to arrest someone for speeding? Is this in fact 22 separate offenses? How come no live cops noticed her? Does it take more than 45 days to send her a ticket? (If she had received several tickets, I could see why they might want to arrest her.)

http://news.yahoo.com/s/ap/20080626/ap_on_fe_st/odd_speeder_arrested;_ylt=Am6Qozgsb9y6_z9U.cfaBhys0NUE

Driver arrested after speeding 22 times in 45 days

AP Wed Jun 25, 10:49 PM ET

PHOENIX - A Nevada woman has been arrested after photo enforcement cameras on a Phoenix freeway captured her behind the wheel of a car speeding 22 times in a 45-day span, authorities said.

The woman, 24, was arrested by Arizona Department of Public Safety officers on suspicion of criminal speeding, reckless driving and endangerment.

During a 45-day period starting in May, DPS officials said the woman was captured by photo enforcement cameras on Loop 101 in Scottsdale 22 times, with her top speed at 92 mph.

The woman was living in Arizona temporarily when officers arrested her at her parent's north Scottsdale home last Friday, officials said.


Related?

http://www.pogowasright.org/article.php?story=20080627060633568

Schneier: CCTV doesn't keep us safe, yet the cameras are everywhere

Friday, June 27 2008 @ 06:06 AM EDT Contributed by: PrivacyNews

Pervasive security cameras don't substantially reduce crime. There are exceptions, of course, and that's what gets the press. Most famously, CCTV cameras helped catch James Bulger's murderers in 1993. And earlier this year, they helped convict Steve Wright of murdering five women in the Ipswich area. But these are the well-publicised exceptions. Overall, CCTV cameras aren't very effective.

Source - Bruce Schneier, writing in Guardian

[From the article:

Cameras afford a false sense of security, encouraging laziness when we need police to be vigilant.

... Additionally, while a police officer on the street can respond to a crime in progress, the same officer in front of a CCTV screen can only dispatch another officer to arrive much later. By their very nature, cameras result in underused and misallocated police resources.

... And from some perspectives, simply moving crime around is good enough. If a local Tesco installs cameras in its store, and a robber targets the store next door as a result, that's money well spent by Tesco. [In most cases, your security only needs to be obviously better than the alternative victim. Bob] But it doesn't reduce the overall crime rate, so is a waste of money to the township.


Related – another insecure security technique... Note that not all organizations react the same way.

http://news.cnet.com/8301-10789_3-9978486-57.html?part=rss&subj=news&tag=2547-1_3-0-5

London transit cards cracked and cloned

Posted by Robert Vamosi June 26, 2008 1:43 PM PDT

Last week a Dutch researcher rode free on the London transit system, having hacked the public transit system's card system; he used a clone of a paying passenger's transit card. His point? The transit smartcards, which are used by millions worldwide, are vulnerable to attack.

... Once he obtained the key used by the London transit system, Dr. Jacobs then brushed up against passengers carrying Oyster cards. Wirelessly, Jacobs collected the person's card information on his laptop and later he was able to use that data to clone a fresh transit card and gain free access to the London transit system.

You can watch a video of a similar attack conducted on work access cards.

... The Dutch government is already taking that advice. A ministry official told the Times that the government is replacing the cards of all 120,000 civil servants at central government level. A spokesperson for the London transit system downplayed the importance of Dr. Jacobs' experiment and told the Times, "This was not a hack of the Oyster system. It was a single instance of a card being manipulated."

The Mifare Classic is produced by NXP Semiconductors, a company based in the Netherlands. The encryption used in the cards has been shown to be broken.



Has video replaced “light summer reading?” If so, you might want to view this one...

http://digg.com/educational/Google_Behind_the_Screen_5

Google: Behind the Screen watch!

youtube.com — This 50-minute documentary gives an in-depth look into the world of Google and search. What if all the world's information were available and easy to find? What if all the news, all books, all texts, photographs and videos were collected in one place, and made available, always and everywhere? This is the goal of Google, and the com...

http://www.youtube.com/watch?v=TBNDYggyesc



Having grown up watching commercial TV I automatically 'tune out' commercials – this “skill” translated easily to the Internet. I guess there are lots of people who never learned to do this?

http://techdirt.com/articles/20080626/0055131522.shtml

Don't Blame Rick752 For Blocking Ads; Blame Those Who Made Ads Annoying

from the get-over-it dept

The Washington Post is profiling the semi-anonymous Rick752, a mid-50s guy in upstate NY who puts together and maintains EasyList, an extremely popular list that powers the popular AdBlock Firefox extension. Basically, (for the 12 of you who don't know) it lets people surf without seeing advertisements. And, of course, this pisses people off, unreasonably. The article is full of examples of sites either trying to block AdBlock or begging people not to use it, along with quotes from people whining about how if ads are blocked there will be less content online.



You should know by now that I love lists – especially those that point me to “new stuff”

http://www.technewsworld.com/rsstory/63527.html?welcome=1214575671

10 Great Software Programs You Can Get Gratis

By Peter Grad The Record 06/27/08 4:00 AM PT

[If you do nothing else, check these:

Paint.net 3.08

Coming out of left field in an already crowded category of Photoshop competitors, this beauty of a program is simply amazing. Features such as a gradient tool that blends images and colors in real time to generate stunning effects, a cloning tool that makes blemishes, obstructions and other unwanted elements disappear, red-eye removal, layer manipulation and a battery of slick filters make this one of the best graphics editors you're likely to find.

ooVoo 1.6.1

There are several free Internet-based telephony programs available, but ooVoo is easily the slickest-looking one, and it performs beautifully. Have your friends download a copy, and make unlimited-length calls to them for free, anywhere, anytime. Try out the free video phone call feature as well.

Thursday, June 26, 2008

Passwords are not adequate security...

http://www.pogowasright.org/article.php?story=2008062508080261

Some Quixtar independent business owners notified that their online accounts compromised

Thursday, June 26 2008 @ 06:20 AM EDT Contributed by: PrivacyNews

On May 27, Quixtar discovered that account passwords and user ids of some of their independent business owners (IBOs) had been compromised and that there was evidence that unauthorized persons were logging into the accounts to change deposit bank information.

Quixtar Director and Associate General Counsel Jon A. Sherk notified the New Hampshire Attorney General's office that the breach did not appear to be due to any insecurity with Quixtar's web site. [other than reliance on passwords alone to secure access... Bob] A spokesperson for Quixtar informed PogoWasRight.org that the problem appeared to originate with an external web site that linked to Quixtar's site.

In their disclosure letter and in their notification to IBOs, the company reported that a "small number" of accounts were accessed with the apparent intent being to divert bonus payments from the IBO's own banks to other banks. No other personal data such as Social Security numbers were viewable. According to the company's spokesperson, some IBOs had their accounts accessed but there was no diversion of bank deposit information, while a small number had their bank info altered.

Quixtar notified affected independent business owners by both email and a notice on their web site on May 30, scrambled passwords for affected users on June 4, and then sent notification by regular mail on June 11. As a precaution, they indicated that they were switching to paper checks for bonus payments for those who had been affected for that month. No IBOs have reportedly suffered any financial losses due to the incident. There has not been an arrest in the case yet.

Quixtar, which is the exclusive representative of Amway on the internet, describes itself as "the number-one online retailer in the Health & Beauty category based on sales, and 22nd among all e-commerce sites, according to Internet Retailer magazine’s “Top 500 Guide.” They have over 300 million independent business owners.
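The security-relevant point in this item is that the attackers did not need to break the site: they logged in with valid credentials stolen elsewhere and then changed the payout bank details. Once passwords are the only factor, the remaining control is to treat a bank-detail change as a sensitive action and look at the context in which it happens. As an added example (not Quixtar's code, not from the PogoWasRight notice), the check below runs over a constructed audit log and flags a bank-detail change made from an IP address that either has no prior login for that account or whose first login was only minutes earlier. Field names, the log format and the sample events are assumptions made for this illustration.

```python
from datetime import datetime, timedelta

# Constructed sample audit log (not real Quixtar data). Each line is a timestamp
# followed by key=value fields; "kind" is either "login" or "bank_change".
SAMPLE_LOG = [
    "2008-05-01T08:30:00 ibo=1002 kind=login ip=192.0.2.10",
    "2008-05-20T09:00:00 ibo=1001 kind=login ip=203.0.113.5",
    "2008-05-21T09:05:00 ibo=1001 kind=login ip=203.0.113.5",
    "2008-05-27T02:14:00 ibo=1001 kind=login ip=198.51.100.77",
    "2008-05-27T02:16:30 ibo=1001 kind=bank_change ip=198.51.100.77 acct=xxxx4567",
    "2008-05-27T03:00:00 ibo=1003 kind=bank_change ip=198.51.100.77 acct=xxxx9876",
    "2008-05-27T10:00:00 ibo=1002 kind=login ip=192.0.2.10",
    "2008-05-27T10:40:00 ibo=1002 kind=bank_change ip=192.0.2.10 acct=xxxx1111",
]


def parse_event(line: str) -> dict:
    """Split one constructed log line into a dict; 'ts' becomes a datetime."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def find_suspicious_bank_changes(lines, new_ip_grace=timedelta(hours=24)):
    """Return (ibo, timestamp, reason) for each bank_change that happened
    from an IP with no earlier login for that account, or from an IP whose
    first login for that account was less than new_ip_grace ago.

    Events are processed in time order so that 'first login from this IP'
    only counts logins that precede the change.
    """
    first_login = {}  # (ibo, ip) -> datetime of the first login from that ip
    alerts = []
    for ev in sorted((parse_event(l) for l in lines), key=lambda e: e["ts"]):
        key = (ev["ibo"], ev["ip"])
        if ev["kind"] == "login":
            first_login.setdefault(key, ev["ts"])
        elif ev["kind"] == "bank_change":
            seen = first_login.get(key)
            if seen is None:
                alerts.append((ev["ibo"], ev["ts"],
                               "bank change from IP with no prior login for this account"))
            elif ev["ts"] - seen < new_ip_grace:
                alerts.append((ev["ibo"], ev["ts"],
                               f"bank change {ev['ts'] - seen} after first login from {ev['ip']}"))
    return alerts


if __name__ == "__main__":
    for ibo, ts, reason in find_suspicious_bank_changes(SAMPLE_LOG):
        print(f"{ts.isoformat()} ibo={ibo}: {reason}")
```

On the sample data, account 1001 is flagged (the change comes two and a half minutes after the first login from a new address) and 1003 is flagged (no login from that address at all), while 1002, whose address has been in use for weeks, is not. A flagged change is the natural trigger for step-up verification (confirmation through a channel the attacker does not control) or for holding new bank details until the next payout cycle, which is roughly the effect of the paper-cheque fallback described above.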



Which is worse, stealing an identity or deleting data required for an accurate diagnosis...

http://www.phiprivacy.net/?p=503

Jun-26-2008

Fired Houston organ bank worker accused of hacking into system

Cindy George of the Houston Chronicle reports on a hacking case that thankfully did not result in an interruption of patient care:

The fired technology director of a Houston organ donation company has been accused of hacking into its computer system and deleting records.

A federal indictment alleges that over two days in November 2005, Danielle Duann illegally accessed and damaged LifeGift Organ Donation Center’s database.

[...]

Duann is charged under a statute that makes it a federal crime to use technology to impair, or potentially impair, medical examination, diagnosis, treatment and care.

Full story - Houston Chronicle

[From the article:

The agency recovered the information from a backup system.

"All of the files were back within several months [Either they weren't very important or recovery was not as simple as suggested Bob] of the hacking and clinical operations were not affected in any way," Graham said.



Hardly a new term of art. A little light for a Wharton article...

http://knowledge.wharton.upenn.edu/article.cfm?articleid=1999

Privacy on the Web: Is It a Losing Battle?

Published: June 25, 2008 in Knowledge@Wharton

... But, what if you visited an investment site, only to find advertising messages suggesting therapies for your recently diagnosed heart condition? Chances are that you would experience what Fran Maier calls the "creepiness" factor, a sense that someone has been snooping into a part of your life that should remain private.


Related? I'll save you the read: NO! Are they doing what they were intended to do? YES!

http://www.securityfocus.com/news/11524?ref=rss

Breach-notification laws not working?

Robert Lemos, SecurityFocus 2008-06-25

The breach-notification laws passed by many states have failed, so far, to produce a measurable impact on identity theft, according to a group of academic researchers that will present their findings on Thursday at the Workshop on the Economics of Information Security (WEIS).

[The paper: http://weis2008.econinfosec.org/papers/Romanosky.pdf



For your security manager and my security class

http://www.bhconsulting.ie/securitywatch/

ENISA Publishes Paper on Securing USB Drives

June 25th, 2008

ENISA (the European Network and Information Security Agency) has recently released an interesting whitepaper on securing USB devices. The paper is a good read highlighting the threats that USB drives pose and listing a number of recommendations to minimise these threats.



Getting the word out...

http://www.f-secure.com/weblog/archives/00001462.html

Wednesday, June 25, 2008

Data Security Summary - January to June 2008

We've published our Security Threat Summary for the First Half of 2008.

You find the report and video from www.f-secure.com/2008/.

You can watch the video via our video-channel:

Or you can watch the video via our lab's YouTube Channel:

If you're behind some restrictive firewalls, such as .mil domains, e-mail and we'll provide you a link for a download. Cheers!



Something makes me think they don't quite get it...

http://www.bespacific.com/mt/archives/018664.html

June 25, 2008

U.S. Copyright Office Releases New Technology to Process Applications Online

News release: "Handling about 550,000 copyright claims annually, the U.S. Copyright Office in the Library of Congress is making it much easier for the public to register and protect its collective creativity. On July 1, the Copyright Office will enter the next phase in the implementation of its multi-year business process re-engineering effort to modernize operations from a paper-based to a Web-based processing environment... In July the Copyright Office also plans to release the new Form CO, which effectively replaces six traditional paper application forms. [Good! Bob] Users will complete a Form CO online, [Good! Bob] print it out [Absurd! Bob] and send it to the Copyright Office with payment and a copy(ies) of the work being registered. Each Form CO is imprinted with 2-D barcodes [Why? Bob] that are scanned to automatically transfer the information contained in the form into an eCO service request record. The fee for registering a basic claim using Form CO is $45."



This makes sense. It's where I store my money.

http://www.pogowasright.org/article.php?story=20080625091547859

Majority of Identity Theft Victims Contact Their Financial Services Company Upon Learning of Crime, ITAC Survey Shows

Wednesday, June 25 2008 @ 09:15 AM EDT Contributed by: PrivacyNews

ITAC surveyed 1615 confirmed victims of identity theft helped by ITAC. The majority (65%) said the first thing they did was to contact their financial services company. Ten percent (10%) said they contacted the credit reporting bureaus. Seven percent (7%) contacted the police, and 2% checked their accounts online. Fourteen percent (14%) took different actions, including taking a call from their financial services company about suspicious activity concerning their account and contacting family members.

Source - ITAC Press Release



Some of the best plans (implementation is another topic) come from extreme embarrassment

http://www.pogowasright.org/article.php?story=20080625143016245

UK: Government lays plans to avoid future data security blunders

Wednesday, June 25 2008 @ 02:30 PM EDT Contributed by: PrivacyNews

The loss last year of 25 million records by HM Revenue and Customs (HMRC) was the result of "woefully inadequate" processes for data handling, not individual employees, according to an investigation. The Government has responded with new data security plans.

Three reports were published today relating to last November's news that two discs containing details of 25 million child benefit recipients had gone missing after being sent from HMRC to the National Audit Office (NAO). A fourth report, also published today, dealt with the theft in January of a Royal Navy recruiter’s laptop which contained unencrypted records on more than 600,000 people.

Source - Out-Law.com Links to the three reports can be found in the story.



So was this a politician with an enlightened view of the future, or a consumer who said to himself, “I'm gonna need cyber-cops someday...”

http://www.pogowasright.org/article.php?story=20080625171227601

Kentucky Attorney General’s identity stolen

Wednesday, June 25 2008 @ 05:12 PM EDT Contributed by: PrivacyNews

The Attorney General of Kentucky, Jack Conway, has had his identity stolen less than a month after setting up a cyber crime unit.

Source - vnunet.com



What are the legal consequences of not opening an email? (Assume a recipient who cares about the law)

http://news.slashdot.org/article.pl?sid=08/06/25/1854231&from=rss

White House Refused To Open Unwelcome EPA E-Mail

Posted by timothy on Wednesday June 25, @03:39PM from the that's-one-way-not-to-have-seen-the-rules dept. Government Communications The Courts United States Politics

epfreed writes

"The White House lost a case in the Supreme Court about the need for the EPA to regulate greenhouse gases. So the EPA made a new rule. And now the NYTimes reports that the White House did not want to get these new rules from the EPA about greenhouse gases. So they did not open the email."



I don't think I agree. You need a conceptual model as a road map. If the model is mathematical, it is still just a model. (Lots of interesting new terms though...) An article for my math and statistics classes.

http://science.slashdot.org/article.pl?sid=08/06/25/146250&from=rss

Google Begat the End of the Scientific Method?

Posted by CmdrTaco on Wednesday June 25, @11:42AM from the well-i-begat-a-roast-beef-sandwich dept. Google Science

TheSauce writes

"In a fairly concise one-pager from Chris Anderson, at Wired, the editor posits that all of our current (or now previous) models for collecting data are dead. The content is compelling. It notes that we've entered the Age of the Petabyte — where one can collect immense amounts of data that are paradigm agnostic. [What a concept! Bob] It goes on to add a comment from the head of Google's R&D, that we need an update to George Box's maxim: 'All models are wrong, and increasingly you can succeed without them.' Have we reached a time where all of our tool-sets are now made moot by vast clouds of information and strictly applied maths?"

[From the article:

an era of massively abundant data

the most measured age in history

children of the Petabyte Age

Data without a model is just noise.


On the other hand...

http://science.slashdot.org/article.pl?sid=08/06/26/1217221&from=rss

Why the Cloud Cannot Obscure the Scientific Method

Posted by CmdrTaco on Thursday June 26, @08:43AM from the because-of-science-dude dept.

aproposofwhat noted Ars Technica's rebuttal to yesterday's story about 'The End of Theory: The Data Deluge Makes the Scientific Method Obsolete'. The response is Why the Cloud Cannot Obscure the Scientific Method and is a good follow-up to the discussion.


Related

http://www.tgdaily.com/html_tmp/content-view-38115-113.html

Software predicts fate of death row inmates

Trendwatch By Wolfgang Gruener Wednesday, June 25, 2008 12:35

It turns out that certain profile data can give a clear indication whether a death row inmate will be executed or not. Gender was the most significant factor, as women are rarely executed. A clear indication was also the education level of the inmate, suggesting that the ability of an inmate to direct his appeal process can decide over life and death. The two scientists said that race was not found to be a decisive factor in execution decisions.

While the researchers do not expect their work to have much effect on policy, they believe that the predictions made have "serious implications" on the fairness of the justice system.


Related? Edumacation in Amurica...

http://techdirt.com/articles/20080625/0306061515.shtml

Some Teachers Embracing Wikipedia, While Others Blame It

from the time-to-join-this-century dept

We've seen this before, of course. There are teachers and professors out there who blame Wikipedia for mistakes students make, and even those who demand that the entire Wikipedia be blocked in schools. However, there are those who are a lot more reasonable about it, recognizing that Wikipedia is just one source among many, and there's value in embracing Wikipedia: teaching kids what it is and how to use it reliably. That seems likely to be a lot more effective and useful for training kids how to critically judge the reliability of information out in the real world. Blocking, banning or blaming Wikipedia seems only designed to put one's head in the sand and pretend it doesn't exist. That's not preparing anyone for the real world.

Techdirt reader cram writes in to point out two contrasting articles that show this dichotomy of thought in action. First is a report out of Scotland last week blaming Wikipedia for kids getting failing grades. This, of course, seems ridiculous. What it really means is that teachers have failed to actually teach kids how to use Wikipedia properly. It's not the fault of Wikipedia -- which is merely an information source. It's a failure of teachers to teach kids how to properly use it. That's why it's nice to see the corresponding article, where students in Australia are now going to have a course available on how to use Wikipedia. That seems a lot smarter than just blaming Wikipedia.



Convergence. “Henry Ford, meet the Internet. Internet, Henry” (and we thought drivers on cell phones were bad)

http://tech.slashdot.org/article.pl?sid=08/06/25/2225230&from=rss

Chrysler To Offer Wireless Internet In 2009 Models

Posted by samzenpus on Wednesday June 25, @07:11PM Transportation The Internet

sunny in Seattle writes

"'Have you ever thought rush hour on the 405 Freeway might be more bearable if you could check your e-mail, shop for a book on Amazon, place some bids on EBay and maybe even, if nobody is looking, download a little porn? Then perhaps you should be driving a Chrysler.' LA Times reports that the nation's third-largest automaker is set to announce Thursday that it's making wireless Internet an option on all its 2009 models. The mobile hotspot, called UConnect Web, would be the first such technology from any automaker."



Tupperware is not a sufficient deterrent.

http://www.cbsnews.com/stories/2008/06/25/earlyshow/main4207156.shtml?source=RSSattr=SciTech_4207156

Taser "Parties" Pitching Them To Women

Not Just For Police Anymore, The Controversial Weapons Are Being Marketed To Civilians

SCOTTSDALE, Ariz., June 25, 2008



For my website class (Perhaps the lecture will be on youtube some day...)

http://www.bespacific.com/mt/archives/018661.html

June 25, 2008

Anthropology of YouTube

Pew Internet news release: "The Library of Congress invited Michael Wesch to deliver the third of four Digital Natives lectures. Wesch, creator of the world-famous YouTube video, The Machine is Us/ing Us, presented the "Anthropology of YouTube" to a packed, fascinated and amused audience on Monday... Wesch said that there are now well over 200,000 three-minute videos posted on YouTube. About half of those videos are posted by 18-24-year-olds."

Wednesday, June 25, 2008

“When,” not “if” -- plan appropriately!

http://www.pogowasright.org/article.php?story=20080624114400847

CA: Security breach compromises 5,000 social security numbers at Consumer Affairs

Tuesday, June 24 2008 @ 11:44 AM EDT Contributed by: PrivacyNews

The state Department of Consumer Affairs (DCA) has sent letters to 5,000 employees, contractors and board members warning them of a security breach that has compromised their names and social security numbers.

The breach occurred on June 5 or 6 when a Microsoft Word document was improperly transmitted electronically outside of the department, said DCA spokesman Russ Heimerich. The document also contained the salaries and titles of everyone on the list, but Heimerich noted that this was public information.

Source - Capitol Weekly

[From the article:

The DCA is the main state agency charged with protecting consumers in California.

... Heimerich said the incident is still being investigated, and that he could not disclose who had received the document. He said that so far there is no evidence that any information has been used. It was not even clear the recipient had opened the document.

"We know that it left the building and that it wound up somewhere it shouldn't have wound up," Heimerich said. "We're looking into how that happened."



Third party again. Apparently, no one is thinking about how they should be controlled.

http://www.pogowasright.org/article.php?story=20080625080313870

Protected health information at risk; Ebara Technologies notifies participants of computer theft

Wednesday, June 25 2008 @ 08:03 AM EDT Contributed by: PrivacyNews

Ebara Technologies, Inc. Employee Medical Benefit Plan has recently notified the New Hampshire Attorney General’s Office that a break-in at one of their vendors resulted in the theft of computers that may have contained protected health information of former and current plan participants.

From the description of the incident, it appears that the unnamed vendor was Colt Express Outsourcing Services, Inc., who made notification to CNet.

Source - PHIprivacy.net

[From the PHI post:

Somewhat puzzling, the notification letter says:

At this time, we do not know whether the protected health information of any Plan participants or dependents was actually taken.

Which raises the question, why don’t they know whether the data were on the stolen computers or not? And if the data were on the stolen computers, were they encrypted at the time of theft or not? And were they supposed to be encrypted at rest?

Is Ebara saying that they have not been told by Colt whether their files were on the stolen hardware? Given the details in Colt’s notification to CNet, this is somewhat surprising and bears further scrutiny.



Another resource? Doesn't look like “sucha mucha” to me, but I'll keep an eye on it for a time.

http://www.pogowasright.org/article.php?story=20080624113008817

ANNOUNCE: Resource on breaches

Tuesday, June 24 2008 @ 11:30 AM EDT Contributed by: PrivacyNews

If you haven't yet discovered his blog, Evan Francen's The Breach Blog provides detailed commentary on breaches.

As a convenience to PogoWasRight.org's readers, we've now added a feed from Evan's blog to our Breaches news section so that you can just click on links to his blog to read his commentary on particular breaches of interest to you. If you get PogoWasRight.org news by our feed, then you just may want to add Evan's feed to your newsreader.



"We can, therefore we must!" As the article suggests, this is probably done because they cannot rely on their employees to properly assess the ID offered. There should be a fancy term for this, perhaps "Invading your privacy for our convenience?" Or maybe just "Overkill."

http://www.pogowasright.org/article.php?story=20080625064541458

Target’s (The Retailer) Swipe At Privacy

Wednesday, June 25 2008 @ 06:45 AM EDT Contributed by: PrivacyNews

George Hulme describes an experience he had at Target's when a cashier asked to see his driver's license and then swiped it through the machine. Target's explanation did not reassure him, as you'll read.

Source - InformationWeek



Denver is using the same technology... The interesting thing is, we (the US) have no Privacy Commissioner to mis-represent.

http://www.pogowasright.org/article.php?story=20080625062806797

Ca: Privacy watchdog didn't endorse 'virtual strip search'

Wednesday, June 25 2008 @ 06:28 AM EDT Contributed by: PrivacyNews

Canada's privacy watchdog says it did not approve or endorse a controversial test project underway this week in a B.C. airport - despite a government news release that states the pilot project "meets all the conditions" of the Privacy Commissioner's Office.

Source - dose.ca



Be careful fellow bloggers, let's not get cocky...

http://news.slashdot.org/article.pl?sid=08/06/24/1232258&from=rss

Lawyer Who Subpoenaed Blogger Seidel Sanctioned

Posted by timothy on Tuesday June 24, @09:20AM from the nyuck-nyuck-nyuck-schmuck dept. The Courts

Zathras26 writes

"Slashdot has previously reported on a lawyer subpoenaing Kathleen Seidel for blogging about him in an unflattering light. Seidel successfully moved to quash the subpoena. In granting the motion to quash, the judge ordered the lawyer, Clifford Shoemaker, to show cause as to why he should not be sanctioned for his behavior. Whatever his response was, if any, it apparently wasn't good enough, because Shoemaker has been formally sanctioned for his actions."



How To: You don't need to spend billions... Lots of follow-on links...

http://tech.slashdot.org/article.pl?sid=08/06/24/1552225&from=rss

Huge Traffic On Wikipedia's Non-Profit Budget

Posted by timothy on Tuesday June 24, @01:11PM from the optimizing-smartitude dept. Networking Data Storage The Internet IT

miller60 writes

"'As a non-profit running one of the world's busiest web destinations, Wikipedia provides an unusual case study of a high-performance site. In an era when Google and Microsoft can spend $500 million on one of their global data center projects, Wikipedia's infrastructure runs on fewer than 300 servers housed in a single data center in Tampa, Fla.' Domas Mituzas of MySQL/Sun gave a presentation Monday at the Velocity conference that provided an inside look at the technology behind Wikipedia, which he calls an 'operations underdog.'"



Not everyone benefits. (Would CSI notice that floral arrangement with the RFID tag intact at your rich uncle's bedside?)

http://science.slashdot.org/article.pl?sid=08/06/24/2152212&from=rss

RFID Tags Can Interfere With Medical Devices

Posted by kdawson on Tuesday June 24, @06:17PM from the mind-how-you-radiate dept. Medicine Technology

An anonymous reader writes

"A new study suggests RFID systems can cause 'potentially hazardous incidents in medical devices.' (Here is the JAMA study's abstract.) Among other things, electrical interference changed breathing machines' ventilation rates and caused syringe pumps to stop. Some hospitals have already begun using RFID tags to track a wide variety of medical devices, but the new finding suggests the systems may have unintended consequences." [or intended consequences. Bob]



Interesting resource for the “pace and tone” not available on the printed page. (Allows you to hear how carefully the phrase “half-vast” is enunciated.)

http://www.bespacific.com/mt/archives/018652.html

June 24, 2008

US Courts: Digital Audio Recordings Online - Update

The Third Branch: "In a pilot project that began last August, five federal courts are docketing some digital audio recordings to Case Management/Electronic Case Files (CM/ECF) systems to make the audio files available in the same way written files have long been available on the Internet. The three other courts are the Eastern District of Pennsylvania, the U.S. Bankruptcy Court in Maine, and the U.S. Bankruptcy Court for the Northern District of Alabama.

In each court, the extent of accessibility is determined by individual judges, and not every judge in the five pilot courts is participating. “This is a judge-driven experiment,” said Mary Stickney of the Administrative Office’s Electronic Public Access Program Office. “Because providing digital audio recordings online is done as a convenience for lawyers and the public, each judge has total discretion to decide which proceedings get posted.”

The audio files are accessible through the Public Access to Court Electronic Records (PACER) system. Some 840,000 subscribers use PACER to access docket and case information from federal appellate, district, and bankruptcy courts."



Interesting, but not likely in the near future...

http://news.cnet.com/8301-10784_3-9976510-7.html?part=rss&subj=news&tag=2547-1_3-0-5

June 24, 2008 3:18 PM PDT

Could iPhone smoke the Kindle?

Posted by Greg Sandoval

I wanted a Kindle. I was ready to buy a Kindle. The iPhone spoiled everything.



Interesting business model

http://news.cnet.com/8301-11128_3-9975926-54.html

June 24, 2008 7:14 AM PDT

Solar financier SunRun pulls in money

Posted by Martin LaMonica

SunRun, a company that offers solar-electricity financing, announced Tuesday that it has raised $12 million from Foundation Capital.

... Rather than buy the panels, SunRun customers buy the electricity the panels generate. This model, called a power purchase agreement (PPA), is commonly used in large corporate renewable energy installations.



Interesting business service. Might translate to other services as well.

http://www.eweek.com/c/a/Retail/Simple-Shipping-for-Small-Retailers/

Simple Shipping for Small Retailers

By Dan Berthiaume 2008-06-24

On-demand shipping technology provider RedRoller is rolling out its One-Stop Shipping tool, a SAAS (software-as-a-service) solution designed to ease the shipping process for small businesses.

... "You can compare services and rates for various carriers on one screen," he said. "It's not an auction integrator or accounting system. It's designed to make the process of shipping easy."

... “We deliver services to a small business via Web interface, which cuts down on update headaches,” Ordway said. “You can print labels, view order history, and perform other activities via browser. It’s like what Quickbooks does online. As an on-demand application, you don’t have to download any software and it won’t affect your operating system or application software. You can also be a mobile business.”

Tuesday, June 24, 2008

Let's hope it isn't another major retailer.

http://www.pogowasright.org/article.php?story=20080623174411435

Data breach at Bay Area bank

Monday, June 23 2008 @ 05:44 PM EDT Contributed by: PrivacyNews News Section: Breaches

Customers of one Bay Area bank should check their bank statements and apply for a new debit card after a data breach last week.

Bank Atlantic confirms they had a data loss, involving their MasterCard debit cards.

Source - My FOX Tampa Bay

[From the article:

A spokesperson says it happened through a local merchant, but at this time, isn't saying which one.



Not enough detail to know what actually happened.

http://www.pogowasright.org/article.php?story=20080623122652260

Former Southeast Employee Found with Computer Data Files

Monday, June 23 2008 @ 12:26 PM EDT Contributed by: PrivacyNews News Section: Breaches

A former Southeast Missouri State University employee has been found with computer data files of personal information of several hundred Southeast students.

According to Southeast, files with the names and Social Security numbers of about 800 Southeast students were found on the former employee's computer files.

The data was discovered by the Office of Information Technology while activity logs were being reviewed. [Apparently a new procedure. Not mentioned in the article. Bob]

Source - KFVS

[From the article:

http://www.kfvs12.com/Global/story.asp?S=8541051

According to the school, a grand jury in Georgia indicted a former worker on three felony counts.

Dr. Dennis Holt with Southeast, tells Heartland News the man worked for Residence Life, and he left Southeast in June of last year. The leak was discovered back in April.

... Holt says the security breach happened before the university upgraded its computer security system last year, and that the same type of theft won't happen again.

Students were notified of the breach via a letter on June 19.



Why is this even a story? Perhaps because it follows a number of real data losses and the politicians smell blood?

http://www.pogowasright.org/article.php?story=20080623150830276

UK: Ambulance service loses details of nearly a million people

Monday, June 23 2008 @ 03:08 PM EDT Contributed by: PrivacyNews News Section: Breaches

A computer disk containing details of nearly a million people who dialled 999 has been lost, an ambulance service has admitted.

The information was supposed to be couriered by TNT from Scotland to Manchester two weeks ago, but never arrived at its destination and a search has failed to find it since.

The disk contained records of 894,629 calls to the Paisley Emergency Medical Dispatch Centre (EMDC), near Glasgow, spanning from February 2006.

It included the names of some patients, addresses of incidents, contact phone numbers and some medical details.

Source - Telegraph

[From the article:

But the Scottish Ambulance Service (SAS) said the disk was encrypted and password protected and its information would be extremely difficult to access.

... The information contained on the disk was to be used in the development of the service's command and control systems. [If they mean the data was to be used to test the system, that is wrong! Live data makes terrible test data – it has already passed all system edits and filters, leaving nothing for the new system to find and react to. Bob]



Technology to the defense! (Clearly a more honest measure than what people say in public)

http://yro.slashdot.org/article.pl?sid=08/06/24/1310241&from=rss

Google Trends vs. Community Standards On Obscenity

Posted by timothy on Tuesday June 24, @09:47AM from the gotta-worry-about-the-apple-pie-searchers dept. The Courts Censorship United States

circletimessquare writes

"Google Trends is being used in a novel way in a pornography trial in Florida. Under a 1973 Supreme Court ruling, 'contemporary community standards' may be used as a yardstick for judging material as unprotected obscenity. This is a very subjective judgment, and so Lawrence Walters, a defense lawyer for Clinton Raymond McCowen, is using Google Trends to show that, in the privacy of their own homes, more people in Pensacola (the only city in the court's jurisdiction that is large enough to be singled out in the service's data) are interested in 'orgy' than 'apple pie'."



Where's the line between merely irritating and criminal? When is notice required? Any opportunity to “opt out?” Perhaps we need a “Do not spoof” law?

http://www.pogowasright.org/article.php?story=2008062317382219

Researcher: NebuAd forges Google data packets

Monday, June 23 2008 @ 05:38 PM EDT Contributed by: PrivacyNews News Section: Internet & Computers

The man who caught Comcast blocking BitTorrents has now turned his attention to NebuAd, the Phorm-like behavioral ad targeting service that's tracking net surfers from inside multiple American ISPs.

In a new report (PDF) released under the aegis of consumer watchdogs Free Press and Public Knowledge, Robb Topolski accuses NebuAd of more than just nabbing user data on the sly. The freelance networking guru says the ad service is also guilty of forging network packets from third-party sites, including Google and Yahoo!.

Source - The Register

[From the article:

late last month, a WOW! subscriber gave Topolski remote access to a machine on the ISP's network. The PC ran a freshly-installed OS and a freshly-installed browser, and when Topolski pointed the browser at Google, eight non-Google cookies turned up on the system, including one for the domain nebuad.adjuggler.com.

This we knew. But with help from a packet sniffer, Topolski noticed another wrinkle. Some of the network packets coming from Google, he says, weren't actually coming from Google.



Three guesses why politicians jumped on this one...

http://blog.wired.com/27bstroke6/2008/06/credit-card-fir.html

Credit Card Firm Cut Limits After Massage Parlor Visits, Feds Allege

By Ryan Singel, June 20, 2008 | 3:58:23 PM

Government regulators are suing a sub-prime credit card issuing firm, alleging that the company secretly profiled its customers' transactions and reduced the credit limits of those who used the cards at bars, marriage counselors and tire retread stores.

The Federal Trade Commission filed the complaint against CompuScore in a federal court in Atlanta on June 10, alleging the Visa-card marketing service routinely abused debt collection law, failed to disclose hidden fees, and withheld the credit limits it promised to subprime borrowers.

Most intriguingly, however, the complaint (.pdf) alleges that CompuScore kept track of the kinds of purchases its card holders made, without adequately explaining they were doing so or what kinds of purchases would lead to lower limits.

... The FTC is not suing because it believes the practice is illegal. Instead, the regulators contend that the company wasn't forthright about what it was doing.



Did we really want to irritate the rest of the world, or were we simply not thinking? (The RIAA will have heart failure!)

http://techdirt.com/articles/20080621/1318431471.shtml

Brazil May Follow Antigua In Asking WTO For Permission To Ignore US Copyright And Patents

from the IP-as-international-retaliation dept

It appears that Brazil is considering following the lead of Antigua in asking the WTO for permission to ignore US copyright and patent laws (found via Howard Knopf). This isn't the first time that this has occurred. Three years ago, Brazil had suggested the same solution in response to the same issue: US subsidies to cotton farmers that Brazil feels go against international laws and treaties.

What's really interesting here, though, is the ongoing recognition that this is an effective way to retaliate against US efforts to break treaties or laws. With a country like Antigua, which has little else it can do, it might not be that surprising. But seeing a much larger country like Brazil take this approach seriously may lead to it showing up in many more places as well.


Related? See, I'm not the only one who doesn't understand the intricacies of copyright law.

http://techdirt.com/articles/20080623/0226311478.shtml

We Can't Quote The AP... But Can Embed Its Videos?

from the left-hand,-meet-the-right-hand dept

The Associated Press is still insisting that bloggers shouldn't be excerpting its articles online without a license -- but apparently no one told the folks pushing AP videos. Jon Ashley wonders about this difference, noting that the AP has its own YouTube Channel, where it appears that the videos all have embedding enabled. This, of course, takes us right back to the question we asked last week concerning whether or not embedding videos can be seen as infringement. In the meantime, since the AP insists it really wants to be a part of the "conversation," can it explain why embedding videos is great, while quoting is not?



Tools & Techniques The photos are public, right?

http://www.pcpro.co.uk/news/207078/computer-scientists-scour-your-holiday-photos.html

Computer scientists scour your holiday photos

11:49AM, Wednesday 18th June 2008

Hundreds of thousands of images on Flickr are being used to teach a program to determine the geographic location of an image, simply by looking at it.

"Estimating geographic information from an image is an excellent, difficult high-level computer vision problem whose time has come," explains a paper written by James Hays and Alexei Efros of Carnegie Mellon University.



Amusing hack, this time. Imagine what they could have done...

http://news.cnet.com/8301-10784_3-9975758-7.html?part=rss&subj=news&tag=2547-1_3-0-5

June 23, 2008 5:23 PM PDT

Hacker changes news releases on sheriff's Web site

Posted by Elinor Mills

Someone hacked into the Web site for the San Bernardino County sheriff's office in California and changed the wording on several news releases, forcing the agency to shut down the site last week, according to the Daily Bulletin.



Security (and exceptions) in the modern “papers, comrade citizen” era.

http://www.pogowasright.org/article.php?story=20080623151553231

Privacy: What It's Like To Fly With No ID Under The TSA's New Regulations

Monday, June 23 2008 @ 03:15 PM EDT Contributed by: PrivacyNews News Section: Fed. Govt.

David becomes our first reader to fly under the TSA's new ID policy. Formerly, if you refused or were unable to show ID you could still fly — but were required to undergo secondary screening by the TSA. Now they've altered their position slightly — fliers who willingly refuse to show ID are now barred from flying. The new rule went into effect over the weekend, and David says that in order to board the plane after forgetting his driver's license he had to answer questions about his political party affiliation and previous addresses.

Source - The Consumerist blog



Does your organization have control over the “Access Control” process?

http://www.pogowasright.org/article.php?story=20080623124519691

Alarming Number of Superusers Lurking Near Sensitive Data

Monday, June 23 2008 @ 12:45 PM EDT Contributed by: PrivacyNews News Section: Other Privacy News

When it comes to having superuser privileges in an IT environment that's host to sensitive information, absolute power can absolutely corrupt, a study shows.

The annual "Trust, Security and Passwords" survey conducted by Newton, Mass.-based IT security consultancy Cyber-Ark Software found that as many as a third of IT administrators said they still had access to the enterprise environment after leaving the job. Moreover, many also came clean about routinely abusing their admin privileges by accessing company systems and snooping through confidential files, databases and documents.

Source - RedmondMag.com



Since I like to collect business models, this strikes me as very interesting. I should have done it myself! (It's not too late to invest...)

http://techdirt.com/articles/20080623/0154541476.shtml

The New Music Business: Enabling Musicians To Take Advantage Of New Business Models

from the nice-to-see dept

It seems that whenever we write about various bands embracing new business models, one of the criticisms raised is this idea that we're somehow expecting musicians to also become businessmen to embrace these new models. Nothing could be further from the truth. In fact, we've pointed out that this is exactly the space on which record labels should be focused: helping musicians embrace these new business models, helping to handle the business and the technology, while the musicians focus on the music. Unfortunately, most major record labels still haven't figured this out, due to legacy issues and contracts, an unwillingness to let go of old business models, or simple cluelessness.

Of course, the longer the major labels take to realize that this is where the market is headed, the bigger the opportunities there are for others to come in and fill that "enablement" gap. There are going to be more and more interesting startups entering the space. One that's starting to get some buzz is TopSpin, which just revealed its business late last week. TopSpin got some press a few months back by getting Yahoo Music boss Ian Rogers to join as CEO. We've written about some of Rogers' cogent writings on the music business before.

TopSpin isn't a record label, but it wants to basically enable all sorts of internet-based business models to work for musicians so that they can focus on making music. From the sound of it, that involves plenty of backend infrastructure, as well as front-end components, so that musicians can easily pick and choose custom, scalable business models for their website with little effort. The company already has a nice head start (and even some high profile customers). What may be most interesting, however, is to see how the business model opportunities evolve over time, as TopSpin may grow to have the best understanding of what business models really work, depending on what the circumstances are for the band. That could be incredibly powerful data by itself.



Geek stuff...

http://linux.slashdot.org/article.pl?sid=08/06/23/1728259&from=rss

Tru64 Unix Advanced File System (AdvFS) Now GPL

Posted by ScuttleMonkey on Monday June 23, @03:51PM from the yet-another-convert dept. Data Storage Linux

melios writes

"In a move that could help boost the scalability of Linux for grids and other advanced 64-bit multiprocessor applications, HP has released its Tru64 Unix Advanced File System (AdvFS) source code to the open source community. Source code, design documentation, and test suites for AdvFS are available on SourceForge."



More geek stuff. What would you like your phone to do for you? (Besides “everything”)

http://mobile.slashdot.org/article.pl?sid=08/06/24/1224209&from=rss

Nokia to Acquire and Open Source Symbian

Posted by timothy on Tuesday June 24, @08:59AM from the to-fight-an-android-you-must-become-one dept. Businesses Cellphones Communications Operating Systems

zyzko writes

"Nokia has placed an offer on Symbian stock — it currently owns a 48% share and intends to buy the other shareholders out; 91% of the stockholders have already agreed. The press has already labeled this as a countermeasure to fight Android. Nokia has also created the Symbian Foundation — it might mean a more open Symbian."

Symbian is "currently the world's dominant smartphone operating system (206 million phones shipped, 18.5 million in Q1 2008)," writes reader thaig, who points out coverage in the Economic Times. If this deal goes through as expected, the Foundation says that selected components of the Symbian operating system would be made available as open source at launch under the Eclipse Public License (EPL) 1.0, with the rest of the platform following over the next two years.



Old dogs learn new tricks!

http://www.bespacific.com/mt/archives/018638.html

June 23, 2008

New Study Shows Internet Users 50+ Are Rapidly Closing the Digital Divide with Booming Online Activity

News release: "Americans 50+ are increasingly becoming immersed in the Internet and in many ways can be compared to users who are decades younger, according to findings from the Center for the Digital Future released today in conjunction with AARP. The study takes a look at online behaviors of those age 50+ compared to the under 50 demographic... The Internet as news source – Users 50+ go online more frequently to check for news compared to those under 20. Forty-two percent of users 50 and older check the Internet for news daily or several times a day, compared to 18 percent of users under 20."


Related? Probably not, but amusing...

http://www.telegraph.co.uk/news/newstopics/howaboutthat/2180451/Italian-soldiers-floored-by-77-year-old-Japanese-woman.html

Italian soldiers floored by 77-year-old Japanese woman

By Nick Allen Last Updated: 7:42PM BST 23/06/2008

Italian soldiers are facing the embarrassment of being beaten up daily by a 77-year-old Japanese grandmother.

Martial arts expert Keiko Wakabayshi, nicknamed the "Samurai Granny", has been hired by the country's military to train recruits in hand-to-hand combat.



I gave this one the Yogi Berra test, and it passed, even though he said, “I didn't really say everything I said.”

http://www.killerstartups.com/Search/quotesdaddy-com-over-1-000-000-famous-quotes/

Quotesdaddy.com - Over 1,000,000 Famous Quotes

The next time you feel the need for a bit of inspiration or advice, check out Quotesdaddy.com, which has more than 1,000,000 famous searchable quotes in its database. The Quotesdaddy database is very extensive and you can search by entering a term into the search bar or by using the tags function. Along with providing users with this wealth of sometimes funny and sometimes smart quotes, Quotesdaddy also provides a few tools to make the experience even better: you can get your very own Quotesdaddy widget for your site, which includes the ability to choose what type of quotes you'd like to display, and you can also easily add a Quotesdaddy quote to the signature line of your Gmail account.

http://www.quotesdaddy.com/



For my web site class. Create your own history book – you standing next to Lincoln, Teddy Roosevelt, Hitler, Indiana Jones...

http://www.killerstartups.com/Video-Music-Photo/facedub-com-put-your-face-on-a-new-body/

Facedub.com - Put Your Face on a New Body

Face Dub is a free site that allows you to take a photo of your face and superimpose it on to a new body. The site has lots of templates to choose from, which include famous celebrity photos, musclemen, and superheroes. There are a number of editing features available, like face targeting, that allow you to better size and place your head so that the final photo looks more genuine. Finally, once you've made your photo, you can share it with others on Facedub, where it might even be included in the "top watched" section. User voting and behavior affects how your photo will be shown, in what order, and under what category. While there are a few other sites that provide a similar service, Facedub is arguably the most robust and user friendly.

http://www.facedub.com/