Saturday, July 12, 2008

Looks like fast police work or a poor cover-up by the hacker...

Police arrest Texas man in Cal identity theft case

Friday, July 11 2008 @ 04:40 PM EDT Contributed by: PrivacyNews

A man has been charged in Texas in an identity theft case that affected more than 1,100 students at the University of California, Irvine, authorities said Friday.

...Authorities allege Thomas breached computer security at the Dallas office of UnitedHealthcare's department of student resources while he worked there in December 2007.

Source - Houston Chronicle

[From the article:

... The thefts came to light in March, after students began telling police that someone was filing fraudulent tax returns and collecting the refunds using their private information.

University computer experts were unable to find a breach in their system and federal and local officials ultimately determined all the students were enrolled in the university's insurance program for graduate students, which was administered by UnitedHealthcare.

The public is easily manipulated by the “Don't you agree torturing kittens is bad” type of article.

Technology Moral Panics: But Think Of The Children!

from the everyone-panic dept

Recently I wrote about a dreadful article in USA Today hyping up the "oh-no-think-of-the-children problem" of predators using console games to seek out kids. This followed similarly bogus news articles hyping up the threats of predators on social networks. Yet, all the "panic" raised by those articles has politicians practically shoving each other aside to introduce legislation against those social networks, or just various Attorneys General threatening those social networks without any evidence that there's a significant problem, other than a few totally hyped up news articles.

It turns out that a PhD Candidate at NYU, Alice Marwick, has recently published a paper discussing exactly this type of "moral panic," focusing on the situation in 1996 in which Time Magazine famously published a scaremongering article about porn online, now known as the Rimm Report. Sean Garret, who pointed me to Marwick's paper, has a good analysis of the Rimm Report's ripple effects as well (as does Adam Thierer). Basically, the report, which claimed that 83.5% of images online were porn, was based on ridiculously faulty premises and research. It was almost entirely wrong.


Look what I found on the SlashDot site. I'm not sure it's true, but it is amusing. (Is that defamation or breach of privacy?)

Mother Sues After Bebo Story Hits Press

Posted by kdawson on Friday July 11, @11:51AM from the what-was-once-private dept.

slick_shoes notes a story out of England: a woman named Amanda Hudson is suing six national newspapers for defamation and breach of privacy after they ran stories based on her 15-year-old daughter's exaggerated claims about her party, published on her Bebo site. The party was held at the family's £4m villa in Spain, and the daughter's account claimed that jewellery had been stolen and furniture and a television set thrown into the swimming pool; in addition there were claims of sex and drug use. The mother says that this was all falsehood and exaggeration. A number of newspapers picked up claims and photos from Bebo and ran them nationally. From the article:

"The case is expected to have far-reaching consequences for third parties who use or publish information from social networking sites. Lawyers say it could place a duty on all second-hand users to establish the truth of everything they want to republish from such sites." [Not gonna happen. Bob]

Interesting discussion starter for governments.

July 11, 2008

Web 2.0: The Future of Collaborative Government

"Today’s tech-savvy world demands tech-savvy government. Increasingly connected citizens and stakeholders are asking governments to deliver services more rapidly and efficiently. Yet the public service bureaucracies that form the governmental backbone often take a conservative approach to adopting the latest Internet-based technologies to accelerate service delivery. On June 3, 2008, Deloitte and the National Academy of Public Administration convened a group of government leaders, subject matter experts and forward thinkers to develop a road map to help the next administration navigate the work force and organization changes that need to occur to move to a more collaborative model of government." [Note: links to related documents are here]

Niche business: (mostly) free data gathered wholesale, marketed retail.

Amazing New Trade Data

By Justin Wolfers June 27, 2008, 10:48 am

The latest:, the brainchild of brothers Ryan and David Petersen, with Michael Kanko. They exploit customs reporting obligations and Freedom of Information requests to organize and publish — in real-time — the contents of every shipping container entering the United States.

Insightful (because it agrees with me) review.

iPhone 3G review

by Ryan Block, posted Jul 11th 2008 at 2:45PM

... The wireless industry is a notoriously tough nut to crack, and it's become pretty clear that the first iPhone wasn't about total domination so much as priming the market and making a good first impression with some very dissatisfied cellphone users. With the iPhone 3G, though, Apple's playing for keeps. Not only is this iPhone's Exchange enterprise support aiming straight for the heart of the business market, but the long-awaited 3rd party application support and App Store means it's no longer just a device, but a viable computing platform. And its 3G network compatibility finally makes the iPhone welcome the world over, especially after Cupertino decided to ditch its non-traditional carrier partnerships in favor of dropping the handset price dramatically.

Friday, July 11, 2008

Perhaps someday all reported security breaches will be because of exceptions – people violating standing orders. But by then, our job will be to detect those who are not in compliance – and kill them.

Army records on stolen laptop

Friday, July 11 2008 @ 05:57 AM EDT Contributed by: PrivacyNews

A laptop computer that was reported stolen from an Army employee’s truck last week contained personal information on about 800 to 900 Fort Lewis soldiers, said military and Lacey police officials.

... Officials said the employee, a civilian military personnel specialist, appears to have violated Army standards and policies for protecting personal information and government property.


In this case, an Army employee told Lacey police he left the laptop and a 500-gigabyte removable hard drive on the seat of his Dodge truck, parked unlocked in front of his house overnight July 3. He reported them stolen about 10 a.m. on July 4.

He told police there was no classified, secret or top-secret information on the laptop and the hard drive.

Source - The News Tribune

[From the article:

Army laptops and removable storage devices containing personal information are generally restricted to on-post workplaces but can be signed out with a supervisor’s permission. They’re also supposed to be password-protected and personal information is supposed to be encrypted, Caruso said.

I wonder if they got the idea from the one the CIA started in Iran? I wonder if the Iranians started this one? (How would we know?)

Internet Based Political "Meta-Party" For Massachusetts

Posted by timothy on Friday July 11, @12:34AM from the thought-you-said-mega-party dept.

sophiachou writes

"The Free Government Party, a non-profit, open source political 'meta-party' focused on providing citizens with more direct control of Congress through online polling and user-drafted bills, seems to be looking for a candidate to endorse for US Representative of Massachusetts' 8th Congressional District. If you're from the Boston area, you might have seen this already on Craigslist. The chosen candidate will be bound by contract to vote in Congress only as do his or her constituents online. However, they don't seem to be going for direct democracy. To make voting convenient, you can select advisers to cast your votes for you, unless you do so yourself. Supposedly, interviews for the candidate position are already underway. Anyone from MA's 8th Congressional District on Slashdot already apply?"

A story to watch! Can Comcast regulate the FCC?

FCC Chief Finds Comcast Guilty of Network Neutrality Violations

By Roy Mark 2008-07-11

Comcast is guilty of blocking consumers' access to the Internet and faces federal sanctions, FCC Chairman Kevin Martin said July 10.

... Marvin Ammori, general counsel of Free Press, said, "This is an historic test for whether the law will protect the open Internet. If the commission decisively rules against Comcast, it will be a remarkable victory for organized people over organized money."

Politics 101: Announce that you are responsible for making the earth round, saving countless lives of the people who would otherwise fall off the edge... (Or claim to have invented the Internet?)

July 10, 2008 3:41 PM PDT

N.Y. A.G. says AOL will curb access to Usenet. It already did

Posted by Declan McCullagh

... In his press release, which was reproduced uncritically, Cuomo claimed that AOL has "agreed to eliminate access to child porn newsgroups, a major supplier of these illegal images" and said that the company will "purge" its "servers of child porn websites."

... There's just one problem with the press release. AOL isn't doing anything different today than it did yesterday. "We have not changed any policies or procedures as part of today's announcement," AOL spokeswoman Allie Burns told me via e-mail.

Security from non-traditional sources. Think of it as allowing you to seal your mail in an envelope rather than requiring postcards...

The Pirate Bay's Plans To Encrypt the 'Net

Posted by timothy on Friday July 11, @06:50AM from the pretty-ned8bdrnki(bdr## dept.

Keeper Of Keys writes

"According to, The Pirate Bay, those fun- and freedom-loving Swedes, have embarked on a project to encrypt all internet traffic, probably by means of an OS-level wrapper around all network connections, which would fall back to an unencrypted connection when the other end is not similarly equipped. The move has been prompted by a recent change in Swedish law, allowing the authorities to snoop on network traffic. This will be a boon to filesharers and anyone else concerned about authorities and trade groups' recent moves towards 'policing' network traffic at the ISP level."

Think of it as “hacking the press.” Since military technology would accurately count the missiles launched, games like this are clearly aimed at other targets...

July 10, 2008, 9:16 am

In an Iranian Image, a Missile Too Many

By Mike Nizza and Patrick Witty

... For its part, Agence France-Presse retracted its four-missile version this morning, saying that the image was “apparently digitally altered” by Iranian state media. The fourth missile “has apparently been added in digital retouch to cover a grounded missile that may have failed during the test,” the agency said. Later, it published an article quoting several experts backing that argument.

For your Security Manager (and my Hacker Club)

July 10, 2008

National Institute of Standards Draft Guide to Bluetooth Security

Draft Guide to Bluetooth Security, July 9, 2008, SP 800-121.

  • "Bluetooth is an open standard for short-range radio frequency (RF) communication. Bluetooth technology is used primarily to establish wireless personal area networks (WPAN), commonly referred to as ad hoc or peer-to-peer (P2P) networks. Bluetooth technology has been integrated into many types of business and consumer devices, including cellular phones, personal digital assistants (PDA), laptops, automobiles, printers, and headsets. This allows users to form ad hoc networks between a wide variety of devices to transfer voice and data. This document provides an overview of Bluetooth technology and discusses related security concerns."


July 10, 2008

NIST Draft Guidelines on Cell Phone and PDA Security

Draft SP 800-124, Guidelines on Cell Phone and PDA Security, July 2008.

"Cell phones and personal digital assistants (PDAs) have become indispensable tools for today's highly mobile workforce. Small and relatively inexpensive, these devices can be used for many functions, including sending and receiving email, storing documents, delivering presentations, and remotely accessing data. While these devices provide productivity benefits, they also pose new risks to an organization’s security.

This document provides an overview of cell phone and PDA devices in use today and offers insights into making informed information technology security decisions on their treatment. The document gives details about the threats and technology risks associated with these devices and the available safeguards to mitigate them. Organizations can use this information to enhance security and reduce incidents involving handheld devices."

Ditto (For the Hack collection)

iPhone OS 2.0 Unlocked

The new iPhone OS 2.0 software has been unlocked and jailbroken. It was released just hours ago and it has already been cracked by the iPhone Dev Team. The first one took a couple of months, but this one was actually unlocked before Apple released it to the public.

Also for my Hackers... Why was all of this on an Internet connected computer?


IL: New Trier hacker saw teacher salaries, medical records

Dan Rozek reports:

Jonah Greenthal said he hacked into the computer system at New Trier High School to check his class rank, but the 18-year-old senior found much more than that.

Greenthal managed to tap into confidential school data that included teacher salaries, medical records and grade histories for students who had graduated as long as three years ago, authorities said Wednesday.


As part of his plea deal with Cook County prosecutors, Greenthal was sentenced to one year of court supervision and ordered to perform 50 hours of community service and pay $320 in court costs. Before imposing the sentence, Judge Earl B. Hoffenberg called the security breach “a pretty serious matter.”

Full story - Chicago Sun-Times

[From the article:

Prosecutors said Greenthal cooperated with police and school officials investigating the hacking, allowing them access to his laptop, which included more than a dozen "hacking" tools. [I suspect computers are shipped from the factory with at least a dozen “hacking tools” -- if you know how to use them. Lawyers: is that “probable cause?” Bob]

Perhaps we should start a website that points to all the free tools for securing employee computers... Oh wait, there are thousands of websites like that.

July 11, 2008 5:00 AM PDT

Back up everything you own with free set-and-forget utilities

Posted by Rick Broida

Data disaster can strike anywhere, anytime. If you're not making regular backups, you're asking for trouble. Trust me. In that spirit of doom and gloom, I've rounded up five free backup utilities for preserving different types of data. All of them are "set-and-forget" programs, meaning once you've installed and configured them, they'll do their thing in the background. Doesn't get much easier than that.

Not terribly informative, but a useful overview?

July 10, 2008

NASCIO Report: State CIOs and Electronic Records

"The National Association of State Chief Information Officers (NASCIO) is pleased to announce the release of its research brief, Ready for the Challenge? State CIOs and Electronic Records. The brief is a product of NASCIO's Electronic Records and Digital Preservation Working Group and may be found online. States continue to struggle with new challenges presented by a growing portfolio of electronic records and digital content that must be preserved. Within this context, the issue of electronic records (e-records) management has emerged as a high-priority policy and technology issue for state CIOs. This issue is now driven by emerging trends such as new Web 2.0 collaboration tools that create e-records in forms that are transitory, yet still document the business of government. The importance of the subject is driven by vulnerability of essential e-records during disasters and a growing emphasis on transparency and accountability in state government, including online public access to records on spending, performance, procurements, and contracts."

Thursday, July 10, 2008

Is there a crime here?

California state worker probed in ID security breach (follow-up)

Thursday, July 10 2008 @ 06:17 AM EDT Contributed by: PrivacyNews

A state worker recently married to a member of the Mexican Mafia who is in Corcoran State Prison for a gang murder is herself under investigation for downloading more than 5,000 names, addresses and Social Security numbers belonging to Department of Consumer Affairs staff, The Bee has learned.

Source - SacBee

Prior coverage: CA: Security breach compromises 5,000 social security numbers at Consumer Affairs

[From the article:

Dumbrique did not respond to several e-mail or telephone messages seeking her comment, but she suggested in an e-mail to her former bosses on June 11 that she sent the data file to her personal e-mail account by mistake. [If she normally emailed files like this, that could be a hard argument to disprove. Esp. if she was emailing a number of personal files because she was leaving this job for another. Bob]

... The affidavit by Consumer Affairs investigator Loomis claims that Dumbrique downloaded the data [...] on Friday, June 6.

She then reportedly forwarded the roster, as an attachment, to her own personal Yahoo e-mail account, the affidavit adds.

Special security software alerted Consumer Affairs data security officials to the breach that same day, but the department's criminal probe only began Monday, June 9. There was no explanation for the two-day delay, other than it was a weekend.

Consumer Affairs data security experts and Dumbrique's former bosses in the human resources unit told Loomis that Dumbrique had access to the confidential data on a daily basis as a regular part of her job, the affidavit states.

But the personnel specialist did not have a valid reason to download the data nor did she have permission to transmit it to an outside e-mail account, the affidavit adds.

The Hacker misplayed this one. Politicians plea for money all the time. What he should have done is requested that they send the money directly to his bank account... but then, he probably didn't know what a potential gold mine he had.

Guam: Senator Stung By Identity Theft

Wednesday, July 09 2008 @ 07:13 PM EDT Contributed by: PrivacyNews

With the warning from federal authorities of increased cases of identity theft, one case would hit close to home.

Senator Adolpho Palacios has revealed that someone hacked into his email account over the weekend and sent a letter to everyone in his address book asking for money.

Palacios says the hacker, in the letter said that he needed money because he was stranded in London. Palacios says that wasn’t true and reported the incident to the FBI.

Source - Pacific News Center

Question for the “Command Structure” Could spam cause a war? (Social engineering on a national scale?)

July 9, 2008 12:50 PM PDT

Storm worm e-mail says U.S. attacked Iran

Posted by Robert Vamosi

Recent e-mails stating that the U.S. has already attacked Iran and, in some cases, also offering links to a video purportedly from a soldier, are not to be believed, according to Websense. The security vendor said in an advisory Wednesday that it has linked the provocative e-mails to the Storm worm.

Very different cultures produce very different laws?

Data Security, Privacy in Asia

Thursday, July 10 2008 @ 06:21 AM EDT Contributed by: PrivacyNews

This note undertakes a discussion of historical evolution, culture and current Asian data security and privacy laws by examining these aspects in three Asian countries - Japan, China and South Korea. Next, this note compares data security and privacy laws in Asia to that of relevant laws in the United States. Finally, this note works toward making a proposal to harmonize a legal solution for the international contexts because the Internet is inherently international. This note suggests a reciprocal enforcing system among countries as one of the possible solutions. [Perhaps we could send all the Crackers to Guantanamo? Bob]

Source - The Seoul Times

Is this the Internet (global) equivalent of hanging lost hubcaps on your fence?

Lose a camera?

Thursday, July 10 2008 @ 06:31 AM EDT Contributed by: PrivacyNews

Imagine you lost the camera that had those one-of-a-kind vacation photos, or images of a keepsake moment. Now imagine a stranger finding it: Would you feel happy, or somehow that your privacy was invaded, if that stranger put some of your images on the web to track you down?

A new website,, aims to do exactly that: Using the power and reach of the Internet, it asks people who find cameras, memory sticks or photos to upload and send a few of the images, which are posted for all to see. The intent is for people who visit the site to scroll through the pictures for their lost memories or for faces they know.

Source - North Bay Nugget

Not everyone who cracks new technology is nice enough to tell us about it.

FasTrak Toll Hacked, Exposing Privacy Dangers

Wednesday, July 09 2008 @ 07:09 PM EDT Contributed by: PrivacyNews

Zipping through that electronic toll fast-lane on the highway may save you time, but it also may cost you your privacy.

A Black Hat researcher recently reverse-engineered the popular RFID-based FasTrak toll tag that some drivers in the San Francisco Bay Area affix to their windshields for pre-paying highway tolls and discovered some gaping security holes that leave these transponders vulnerable to sniffing, cloning, and surreptitious tracking of a driver’s comings and goings. Nate Lawson, principal with Root Labs, will demonstrate at Black Hat USA next month in Las Vegas what he found inside those toll tags (hint: no encryption), and he will release an open-source tool for users to protect their toll tags from abuse.

Source - Dark Reading
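To make concrete why a transponder that talks in the clear can be sniffed and cloned, here is an added simulation written for this page; it is not Lawson's code and does not model the real FasTrak protocol or his findings. The static tag answers every reader query with its fixed ID, so one recorded reply is a working clone. The second design is an assumed challenge-response variant with a per-tag HMAC key, included only for contrast; the tag ID, key, challenge length and plaza scenario are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// StaticTag models a transponder that answers every reader query with its
// fixed identifier in the clear: anyone with a reader can record the reply
// and play it back from a cloned tag.
type StaticTag struct{ ID []byte }

func (t *StaticTag) Respond(_ []byte) []byte { return t.ID }

// AuthTag models a challenge-response design (assumed for this example, not
// any deployed toll protocol): the reader sends a fresh random challenge and
// the tag answers ID || HMAC-SHA256(key, challenge || ID) with a per-tag key
// it shares with the toll operator.
type AuthTag struct {
	ID  []byte
	Key []byte
}

func (t *AuthTag) Respond(challenge []byte) []byte {
	mac := hmac.New(sha256.New, t.Key)
	mac.Write(challenge)
	mac.Write(t.ID)
	return append(append([]byte{}, t.ID...), mac.Sum(nil)...)
}

// Reader is the roadside unit; keys maps hex(tag ID) to that tag's key.
type Reader struct{ keys map[string][]byte }

func (r *Reader) Challenge() []byte {
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// AcceptStatic bills whatever ID the tag announced; nothing ties the reply
// to this reader or this moment, so a replayed capture is indistinguishable.
func AcceptStatic(resp []byte) (id []byte, ok bool) {
	return resp, len(resp) > 0
}

// AcceptAuth recomputes the MAC for the challenge it just issued; a reply
// recorded under an earlier challenge, or forged without the key, fails.
func (r *Reader) AcceptAuth(challenge, resp []byte) (id []byte, ok bool) {
	if len(resp) <= sha256.Size {
		return nil, false
	}
	id, tag := resp[:len(resp)-sha256.Size], resp[len(resp)-sha256.Size:]
	key, known := r.keys[hex.EncodeToString(id)]
	if !known {
		return nil, false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(challenge)
	mac.Write(id)
	return id, hmac.Equal(tag, mac.Sum(nil))
}

// DemoTollTag plays an eavesdropper against both designs: capture one
// exchange at plaza A, replay the captured reply at plaza B. It returns
// whether the static replay is billed, whether a genuine AuthTag reply is
// accepted, and whether the replayed AuthTag reply is accepted.
func DemoTollTag() (staticReplayAccepted, genuineAccepted, authReplayAccepted bool) {
	victimID := []byte{0x00, 0x12, 0x34, 0x56} // constructed sample tag ID

	st := &StaticTag{ID: victimID}
	captured := st.Respond(nil)                      // sniffed at plaza A
	_, staticReplayAccepted = AcceptStatic(captured) // clone replays it at plaza B

	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	at := &AuthTag{ID: victimID, Key: key}
	rd := &Reader{keys: map[string][]byte{hex.EncodeToString(victimID): key}}
	capturedAuth := at.Respond(rd.Challenge()) // sniffed at plaza A
	cB := rd.Challenge()                       // plaza B issues a fresh challenge
	_, genuineAccepted = rd.AcceptAuth(cB, at.Respond(cB))
	_, authReplayAccepted = rd.AcceptAuth(cB, capturedAuth)
	return
}

func main() {
	s, g, a := DemoTollTag()
	fmt.Println("static replay billed:", s, "genuine auth accepted:", g, "auth replay accepted:", a)
}
```

Note what the hardened variant does not fix: the tag still announces its ID in the clear so the reader can look up its key, which means a roadside sniffer can still log which tag passed and when. Stopping the tracking the article describes requires hiding the identifier itself (encrypting it under a reader key, or rotating it per read), a separate design decision from preventing cloning.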

I'm glad someone is trying to explain this to me. (Would shipping the PC back to an out-of-state manufacturer violate the law?)

Follow-up On Texas PI Law For PC Techs

Posted by samzenpus on Wednesday July 09, @07:14PM from the are-you-licensed-to-look dept. Government writes

"Network Performance Daily has put out an in-depth series on the Texas law that requires private investigator licenses for computer repair techs, network analysts, and other IT professionals. It includes an interview with the author of the law, Texas Rep. Joe Driver, the captain of the Texas Private Security Bureau, RenEarl Bowie, and Matt Miller at the Institute for Justice, which is suing the state over the law. Finally, there's a series summary and editorial."

If true, does “always on” Internet access mean I should be paid for working 24 hours per day? Would a policy that says: “Outside of normal business hours, turn your toy off” solve this problem? Ah, but then why give them to employees in the first place?

Workplace BlackBerry Use May Spur Lawsuits

Posted by samzenpus on Wednesday July 09, @10:23PM from the I've-worked-80-hours-this-week dept.

An anonymous reader writes

"From an article on 'As employers hand out electronic devices to their employees at a greater pace, there are growing concerns that workers eligible for overtime pay, known as non-exempt employees, could begin suing their employers for overtime hours earned while tapping on their devices during after-work hours. As a result, lawyers are advising their corporate clients to update their policies and handbooks related to BlackBerry use and reconsider who gets a device.'"

This one from IBM, OpenOffice (StarOffice) from Sun, KOffice and several others are free alternatives to Microsoft's Office suite. Since none are “significantly better,” there still is no compelling reason to switch other than cost.

Lotus Symphony: Big Blue Got It Right This Time

By Lou Dolinar Newsday 07/10/08 4:00 AM PT

... It includes a word processing module, a spreadsheet, and a presentation graphics package. Its underlying coding draws on OpenOffice, with a radically different user interface by IBM. For the first version, IBM left out the database and drawing tools that come with OpenOffice, although they may show up at a later date.

IBM/LS demonstrates both the strengths and weaknesses of open source. Of course, it's free, but unless you're a corporate client of IBM's, you'll have to pay for support.

Wednesday, July 09, 2008

Close to home... and some fairly basic security failures

DMV puts Coloradans at risk of ID theft

By Jessica Fender The Denver Post Article Last Updated: 07/09/2008 06:10:43 AM MDT

The Division of Motor Vehicles put 3.4 million Coloradans at risk of identity theft due to flaws in the way driver's-license information is handled, lawmakers learned Tuesday at an interim transportation committee hearing.

The DMV regularly sends large batches of personal information over the Internet without encryption and has failed to properly limit access to its database, according to a recent audit. At one point, 33 former DMV employees could access names, addresses, dates of birth and Social Security numbers — some workers more than a year after their departure, auditors found.

... Colorado ranks eighth in the nation in identity-theft complaints per person and first in the nation when it comes to general fraud reports.

... Auditors said the DMV's method for handling sensitive information was "fragmented, disorganized and poorly planned," partly because the division is made up of a number of decentralized offices scattered across the state. No one person is responsible for security.

This is as small an ID Theft as you can get (one person) but I wonder how often this trick is tried/successful? It is Social Engineering at its worst – yet it still worked! Do you think this could happen thousands of times every day?

Apple just gave out my Apple ID password because someone asked

By Marko Karppinen on July 8, 2008

... Based on the emails that have appeared in my .Mac mailbox, this was accomplished by sending this classy one-liner to Apple:

am forget my password of mac,did you give me password on new email marko.[redacted]

Should make an interesting CASE for my security class. What would you do, if...?


KS: Medical Group Investigates Allegations of Stolen Records

Denise Hnytka reports:

The Wichita Radiological Group received an anonymous call saying their patient records may have been stolen. On Monday, the executive director reported the information to Wichita police.

According to the police report, the caller claims a former employee stole patient records before being fired from the Wichita Radiological Group. The caller said the former employee is now using patients’ personal and financial information to pay bills.

The radiological group is not sure how much, if any, information was stolen. So far, they have not found any evidence of the theft. But tens of thousands of patient records that were in the database could have been compromised.


[From the article:

An attorney for the Wichita Radiological Group tells Eyewitness News they have launched an internal investigation. The group changed internal passwords to make sure no more records are accessed.

Wichita police say they need identity theft victims from the case to come forward before they can proceed in their investigation.

Not sure from the article how this was discovered, but it wasn't by the investment firm.

Justice Breyer Is Among Victims in Data Breach Caused by File Sharing

Wednesday, July 09 2008 @ 06:07 AM EDT Contributed by: PrivacyNews

Sometime late last year, an employee of a McLean investment firm decided to trade some music, or maybe a movie, with like-minded users of the online file-sharing network LimeWire while using a company computer. In doing so, he inadvertently opened the private files of his firm, Wagner Resource Group, to the public.

That exposed the names, dates of birth and Social Security numbers of about 2,000 of the firm's clients, including a number of high-powered lawyers and Supreme Court Justice Stephen G. Breyer.

The breach was not discovered for nearly six months. A reader of's Security Fix blog found the information while searching LimeWire in June.

Source - Washington Post

[From the article:

What users may not be aware of is that the software that facilitates file sharing may be configured to allow access to a portion, if not all, of a user's documents.

... they're not paying attention to the default settings that come with the application," Cabri said.

Interesting that the videos are only now being released. Perhaps it takes this long to sort through all the videos and identity people in the right place and time? (Do these guys look like “Master Hackers” to you?)

2 sought in debit card skimming thefts

Tuesday, July 08 2008 @ 05:07 PM EDT Contributed by: PrivacyNews

Authorities have released video surveillance photos of the suspects believed to have stolen motorists' debit card information at convenience store gas pumps in Pennsylvania and Delaware.... Trooper Christopher Shoap, of the Pennsylvania State Police, said these skimmers have turned up inside gas pumps in Concord Township, Downingtown, Bristol Township and Uwchlan Township in Pennsylvania, and in New Castle, Del.

Shoap said the skimmers have primarily been used at Wawa Food Market locations in New Castle County, Delaware, and in Delaware, Chester, Montgomery and Bucks counties in Pennsylvania.

Source - DelawareOnline

[From the article:

The investigation into this debit card fraud dates back to April, when it was discovered that thieves were rigging gas pumps with skimming devices to capture the customers’ debit card information and empty their bank accounts.

The skimming devices are being used on local gas station fuel pumps' credit card readers and are not easily detected.

... The suspects were believed to have placed a device inside the pump, where it would not be visible to customers, and later retrieved it, Shoap said.

With the stolen debit card information, these thieves have then made fraudulent withdrawals from ATM machines at Wawa and 7-Eleven convenience store locations throughout the area and even at casinos in Atlantic City.

So small as to be trivial, but the article includes an interesting proposal for compensating Class Action Lawyers... The coupon idea is similar to the “penalty” TJX paid.

Stein Mart Settles Personal Data Breach By Offering... Coupons

Tuesday, July 08 2008 @ 05:08 PM EDT Contributed by: PrivacyNews

Stein Mart was caught "printing expiration dates and/or more than the last five digits of credit cards on receipts," and was subsequently hit with a class action lawsuit for exposing sensitive customer data. Now they've settled by agreeing to run coupons in local newspapers.

Source - The Consumerist

[From the article:

We need a new federal law that says class action lawyers have to be compensated in the same manner as their clients. Give those hard working guys and gals some $30-off coupons, please!

Anything that reduces phishing is good.

July 8, 2008 11:03 AM PDT

Gmail now blocking fake eBay, PayPal e-mails

Posted by Elinor Mills

... The technology, DomainKeys, uses cryptography to verify the domain of the sender of an e-mail. It allows e-mail providers to validate the domain from which an e-mail originates, and it enables easier detection of phishing attempts by helping identify abusive domains.
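The check described above, as an added example that is not Google's, Yahoo's or the article's code: the sending domain signs a canonical form of selected headers with its private key and publishes the matching public key where a receiver can fetch it, and the receiver recomputes the hash and checks the signature against the key published for the From domain. Everything here is constructed: the map dnsTXT stands in for the DNS TXT lookup, the sample headers are made up, and paypal.com appears only as the From domain in the sample. Real DomainKeys/DKIM also hashes the body, defines precise canonicalization rules, and carries the selector, signed-field list and signature in a header; those details are left out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Message is headers plus signature; real DKIM also covers the body.
type Message struct {
	Headers map[string]string
	Sig     []byte
}

// dnsTXT stands in for DNS: <selector>._domainkey.<domain> -> public key.
var dnsTXT = map[string]*rsa.PublicKey{}

// signedFields is the fixed list of header fields the signature covers.
var signedFields = []string{"from", "to", "subject", "date"}

// canonical renders signed headers as "name:value\n" with trimmed values (a
// simplified canonicalization) so harmless whitespace changes do not break it.
func canonical(h map[string]string) []byte {
	var b strings.Builder
	for _, name := range signedFields {
		b.WriteString(name + ":" + strings.TrimSpace(h[name]) + "\n")
	}
	return []byte(b.String())
}

// senderDomain returns the lower-cased domain part of the From header.
func senderDomain(h map[string]string) string {
	from := strings.TrimSpace(h["from"])
	if i := strings.LastIndex(from, "@"); i >= 0 {
		return strings.ToLower(strings.TrimRight(from[i+1:], ">"))
	}
	return ""
}

// Sign is the sending MTA's step: RSA-sign SHA-256 of the canonical headers.
func Sign(m *Message, priv *rsa.PrivateKey) (err error) {
	digest := sha256.Sum256(canonical(m.Headers))
	m.Sig, err = rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return err
}

// Verify is the receiver's step: look up the key published for the From
// domain and check the signature. No key, no signature, or wrong key fails.
func Verify(m *Message, selector string) bool {
	pub, ok := dnsTXT[selector+"._domainkey."+senderDomain(m.Headers)]
	if !ok {
		return false
	}
	digest := sha256.Sum256(canonical(m.Headers))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], m.Sig) == nil
}

// newMessage builds a constructed sample message claiming to be from paypal.com.
func newMessage(subject string) *Message {
	return &Message{Headers: map[string]string{
		"from": "service@paypal.com", "to": "alice@example.org",
		"subject": subject, "date": "Tue, 8 Jul 2008 11:03:00 -0700",
	}}
}

// DemoDomainKeys signs a genuine message, alters a copy in transit, and has
// an attacker sign a forged message with a key of their own.
func DemoDomainKeys() (genuine, tampered, spoofed bool) {
	paypalKey, err := rsa.GenerateKey(rand.Reader, 2048)
	attackerKey, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil || err2 != nil {
		panic("key generation failed")
	}
	dnsTXT["s1._domainkey.paypal.com"] = &paypalKey.PublicKey
	msg := newMessage("Your receipt")
	if err := Sign(msg, paypalKey); err != nil {
		panic(err)
	}
	genuine = Verify(msg, "s1")
	msg.Headers["subject"] = "Confirm your account now" // altered after signing
	tampered = Verify(msg, "s1")
	phish := newMessage("Confirm your account now") // forged From, attacker's key
	if err := Sign(phish, attackerKey); err != nil {
		panic(err)
	}
	spoofed = Verify(phish, "s1")
	return
}

func main() {
	g, t, s := DemoDomainKeys()
	fmt.Println("genuine:", g, "tampered:", t, "spoofed:", s)
}
```

Run it with go run to see genuine true and the other two false. The third case is the one the blocking relies on: a phisher can forge the From header and can even sign, but cannot produce a signature that the key published for paypal.com verifies, so a receiver that knows the domain always signs can drop or flag mail claiming that domain without a valid signature.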

Note that there is no requirement to prevent Identity Theft – these rules deal with records of transactions the thief made with your credit card...

July 08, 2008

‘Red Flag’ Regulations Require Financial Institutions and Creditors to Have Identity Theft Prevention Programs

Federal Trade Commission: "Financial institutions and creditors are now required to develop and implement written identity theft prevention programs under the new Red Flags Rules.

The Red Flags Rules are part of the Fair and Accurate Credit Transactions (FACT) Act of 2003. Under these Rules, financial institutions and creditors with covered accounts must have identity theft prevention programs in place by November 1, 2008, to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.

The Commission staff is launching an outreach effort to explain the Rules in greater detail. It has now published a general alert on what the Rules require, and, in particular, an explanation of which businesses - financial institutions and creditors - are covered by the Rules."

Tools & Techniques Stephen Rynerson submitted this one. It's so scary that I'm planning to move to Australia (by boat).

Want some torture with your peanuts?

Aviation Security


By Jeffrey Denning

Just when you thought you’ve heard it all...

A senior government official with the U.S. Department of Homeland Security (DHS) has expressed great interest in a so-called safety bracelet that would serve as a stun device, similar to that of a police Taser®. According to this promotional video found at the Lamperd Less Lethal website, the bracelet would be worn by all airline passengers.

This bracelet would:

• take the place of an airline boarding pass

• contain personal information about the traveler

• be able to monitor the whereabouts of each passenger and his/her luggage [Does the luggage get its own bracelet, or is it attached to the passenger? Bob]

• shock the wearer on command, completely immobilizing him/her for several minutes [What a fun hack! Think of it: “Welcome aboard, Congressman!” ZAP “Welcome aboard, Senator!” ZAP Bob]

[I still like my idea – make everyone fly nude. Bob]

Detailing the government's efforts to “help you?”

Tax-related identity theft rose 644%, IRS official says

Tuesday, July 08 2008 @ 01:04 PM EDT Contributed by: PrivacyNews

Tax-related identity theft grew more than seven times over a four-year period ending Sept. 30, according to a new report that said efforts by the Internal Revenue Service to deal with the problem are further hurting victims.

Source - New York Daily News

[The report: Fiscal Year 2009 Objectives Report

Fiscal Year 2009 Objectives Report Supplement

No surprise. This is hard to do!

July 08, 2008

New GAO Report Reveals Agencies are Not Complying with Requirements to Preserve E-mails

Committee on Oversight: "Rep. Henry A. Waxman, Rep. Wm. Lacy Clay, and Rep. Paul W. Hodes released a new GAO report that finds that senior federal officials are failing to comply with requirements to preserve e-mail records. On Wednesday, the House is expected to consider legislation (H.R. 5811) to modernize the Federal Records Act and the Presidential Records Act to ensure the preservation of these important federal records.

The new GAO report, Federal Records: National Archives and Selected Agencies Need to Strengthen E-Mail Management, finds:

  • All four of the agencies examined — the Department of Homeland Security, the Department of Housing and Urban Development, the Environmental Protection Agency, and the Federal Trade Commission — are relying on outdated and unreliable “print and file” systems for preserving e-mail records.

  • Senior agency officials did not fully comply with key requirements for preserving e-mail records. GAO reviewed the practices of 15 senior agency officials in the four agencies and found that a majority of these officials failed to manage their e-mail records in accordance with regulatory requirements. E-mails were not retained in adequate recordkeeping systems, making the e-mail records easier to lose, harder to find, and vulnerable to deletion or other tampering. Inadequate oversight and training within agencies contributed to the inconsistent compliance with preservation requirements..."

Tuesday, July 08, 2008

Very light on details...

Florida Organ and Tissue Registry security flaw exposes 55,000 donors' details

Tuesday, July 08 2008 @ 06:44 AM EDT Contributed by: PrivacyNews

Q: What happened?
A: We learned of a potential security flaw in the state’s Organ and Tissue Registry. We stopped all access to the database, identified the flaws and corrected them.

Q: What information was potentially accessed?
A: The database includes names, addresses, social security numbers, dates of birth, and driver’s license numbers.

Q: How do I know whether my records were affected?
A: The system has identified approximately 55,000 individuals whose information may have been viewed by unauthorized persons. We are in the process of contacting each person affected by mail.

Source - Florida Agency Healthcare Administration FAQ on Organ and Tissue Database breach

Note: According to a report by ABC, the breach occurred on June 20th and was fixed the next day. [This makes it sound like a hacker attack Bob]

BreachBlog makes some amusing (and very familiar) comments on the breaches it reports...

Laptop containing personal information is stolen from U.S. Foodservice

Posted by Evan Francen at 7/7/2008 11:28 PM

... Reference URL: New Hampshire State Attorney General breach notification

Old news I thought. Everyone knows the job sites are skimmed... Don't they?

Trojan trawls recruitment sites in ID harvesting scam

Monday, July 07 2008 @ 10:19 AM EDT Contributed by: PrivacyNews

Hackers have turned the harvesting of personal information from and other large US jobsites into a lucrative black market business

A Russian gang called Phreak has created an online tool that extracts personal details from CVs posted onto sites including, AOL Jobs,,,,,,, and As a result the personal information (names, email addresses, home addresses and current employers) on hundreds of thousands of jobseekers has been placed at risk, according to net security firm PrevX.

Source - The Register

Thanks to Brian Honan for this link.

...because... (I can't be everywhere and do everything!)

Data “Dysprotection:” breaches reported last week

Monday, July 07 2008 @ 07:56 AM EDT Contributed by: PrivacyNews

A recap of incidents or privacy breaches reported last week for those who enjoy shaking their head and muttering to themselves with their morning coffee.

Source - Chronicles of Dissent

5 Ways to Build an Indestructible Customer Data Fortress

By Kristin Lovejoy E-Commerce Times Part of the ECT News Network 07/08/08 4:00 AM PT

On June 30, data security standards set by the Payment Card Industry (PCI) became mandatory for organizations that handle online credit card payments. This is a significant milestone in the ongoing push to strengthen online security as these important standards have moved from recommendations to hard and fast mandates.

Key Issues [These are far from new Bob]

As it pertains to efforts around PCI DSS compliance and protection of customer data, there are five key issues that organizations must not overlook to improve their overall security stature:

1. First, retailers need to be vigilant in managing the chain of custody and closely monitoring how business partners are handling data.

2. Privileged user access also is important. This means monitoring the activities of those individuals who have root access to sensitive data and implementing necessary controls to ensure information is protected.

3. Another major security hazard lies in "unstructured" data -- information outside of databases, typically stored in documents.

4. Additionally, shared accounts and passwords are often culprits of security breaches. Shared passwords are used 73 percent of the time to manage network devices, according to the Password Research Institute. This makes it impossible to track and monitor user activity, prove segregation of duties, restrict access to cardholder data based upon principle of least privilege, etc.

5. Lastly, default passwords and settings left unchanged -- particularly at the organization's perimeter -- are an open invitation to hackers. Organizations should do a thorough check for default settings. Although most organizations have a "no default" mandate in their written policies, enforcement is not always vigilant.
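The monitoring items 2, 4 and 5 call for, as an added example (not code from the article or from any PCI assessment tool): a Go audit that reads constructed privileged-access log lines, flags shared accounts used from more than one source (the attribution gap item 4 describes, which also defeats the least-privilege and segregation-of-duties evidence item 2 needs), and checks a constructed perimeter-device configuration for settings still at factory defaults (item 5). The host names, addresses, account list and default-value list are assumptions made for this example; a real check would use each vendor's documented defaults.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Event is one parsed line of a privileged-access audit log.
type Event struct{ Time, Host, User, Src, Action string }

// sampleLog is constructed for this example; hosts and addresses are invented.
const sampleLog = `2008-07-07T09:12:01 host=pos-db01 user=root src=10.1.4.20 action=login
2008-07-07T09:15:44 host=pos-db01 user=root src=10.1.4.31 action=login
2008-07-07T09:16:02 host=pos-db01 user=root src=10.1.4.31 action=select_cardholder
2008-07-07T10:02:10 host=edge-fw1 user=admin src=10.1.9.7 action=login
2008-07-07T10:40:55 host=edge-fw1 user=admin src=10.1.9.12 action=login
2008-07-07T11:05:19 host=pos-db01 user=jsmith src=10.1.4.20 action=select_cardholder`

// sharedAccounts are names not tied to one person (constructed list).
var sharedAccounts = map[string]bool{"root": true, "admin": true, "administrator": true, "sa": true}

// Finding reports a shared account whose activity cannot be attributed to a person.
type Finding struct {
	Host, User string
	Sources    []string // distinct origins that used the account
	Actions    int      // events performed under it
}

// parse reads key=value fields; a malformed line is skipped rather than guessed at.
func parse(log string) []Event {
	var evs []Event
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) < 5 {
			continue
		}
		kv := map[string]string{}
		for _, field := range f[1:] {
			k, v, _ := strings.Cut(field, "=")
			kv[k] = v
		}
		evs = append(evs, Event{f[0], kv["host"], kv["user"], kv["src"], kv["action"]})
	}
	return evs
}

// AuditSharedAccess flags every shared account seen per host. When one account is
// used from several sources, nobody can show who was at the keyboard.
func AuditSharedAccess(events []Event) []Finding {
	type key struct{ host, user string }
	byAcct := map[key][]string{} // every source that used each shared account
	for _, e := range events {
		if sharedAccounts[e.User] {
			k := key{e.Host, e.User}
			byAcct[k] = append(byAcct[k], e.Src)
		}
	}
	var out []Finding
	for k, s := range byAcct {
		sort.Strings(s)
		f := Finding{Host: k.host, User: k.user, Actions: len(s)}
		for i, src := range s {
			if i == 0 || src != s[i-1] { // keep distinct sources only
				f.Sources = append(f.Sources, src)
			}
		}
		out = append(out, f)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Host+out[i].User < out[j].Host+out[j].User })
	return out
}

// sampleConfig is a constructed perimeter-device configuration.
var sampleConfig = map[string]string{
	"snmp_community": "public", "admin_password": "admin", "ssh_port": "22", "telnet_enabled": "true"}

// factoryDefaults lists values that must not survive deployment (constructed list).
var factoryDefaults = map[string][]string{
	"snmp_community": {"public", "private"},
	"admin_password": {"admin", "password", ""},
	"telnet_enabled": {"true"},
}

// AuditDefaults returns the configuration keys still at a factory default, sorted.
func AuditDefaults(cfg map[string]string) []string {
	var bad []string
	for k, v := range cfg {
		for _, d := range factoryDefaults[k] {
			if v == d {
				bad = append(bad, k)
				break
			}
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	for _, f := range AuditSharedAccess(parse(sampleLog)) {
		fmt.Printf("%s: shared account %q used from %v (%d events)\n", f.Host, f.User, f.Sources, f.Actions)
	}
	fmt.Println("settings left at factory default:", AuditDefaults(sampleConfig))
}
```

On the constructed log the named account jsmith produces no finding because every event under it maps to one person; root and admin each appear from two sources, which is exactly the case the article says makes activity impossible to track.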

They capture and index everything, why should this be different?

Stolen data live on in Google searches

Monday, July 07 2008 @ 06:06 PM EDT Contributed by: PrivacyNews

A Colorado woman logged on to her computer in April, voted on a CNN poll, shopped for airline tickets and calculated payments for a $25,000 car loan from Wells Fargo.

She didn't suspect that a malicious software program was recording every keystroke - frequent-flier numbers and passwords, her home address and phone number, an online conversation she was having with some friends.

But it was, and months after authorities were alerted to the breach and disabled the server in Malaysia where her data were being stored, the information was still available online - in a Google search.

Source - SFGate

[From the article:

Finjan reported the stolen data to a variety of authorities, but one of them, the FBI, said it wasn't concerned with the cache - only the evidence on the server.

"We tell people we can't be responsible for protecting data or ensuring that whatever is happening is all cleaned up," said Joe Schadler, a spokesman for the FBI's San Francisco office. "We're not security experts."

[I wonder if there is a business model here. Sell a “locate and destroy” service to breach companies so they can protect the victims – like credit monitoring but more immediate... Bob]

It has started. No doubt this will become much more interesting during the Democratic Convention...

Librarian with ‘McCain=Bush’ sign charged with trespassing at public campaign event

Sen. John McCain (R-AZ) was in Denver, CO, today for a town hall meeting. The event, at the Denver Center for the Performing Arts, was billed as “open to the public.” Yet Carol Kreck, a 61-year-old librarian carrying a “McCain=Bush” sign, was taken away by police for trespassing. A police officer told Kreck:

You have two choices. You can keep your sign here and receive a ticket for trespassing, or you can remove the sign and stay in line and attend this town hall meeting.

[Wouldn't all those who voted for Bush think the sign pointed out a good thing? Bob]

Interesting, but I suspect you don't need a close approximation of a signature to commit fraud.

NZ: Watchdog warns against posting signatures online

Monday, July 07 2008 @ 08:01 AM EDT Contributed by: PrivacyNews

The Privacy Commissioner says the posting of signatures in online registers is a matter of concern, after an Auckland-based IT contractor found his signature published and available to anyone at the Charities Commission website.

Privacy Commissioner Marie Shroff says signatures posted online present some concerns. She encourages agencies to obscure, suppress or pixelate them wherever possible.

Source - Computerworld

Asking the question from a reverse perspective: how important (risk level) must it be before it is appropriate to take fingerprints (or other biometrics)?

Ca: Hands off LSAT students' fingers

Monday, July 07 2008 @ 07:46 AM EDT Contributed by: PrivacyNews

A recent decision by the Privacy Commissioner of Canada found that taking finger/thumb prints from those writing the Law School Admission Test (LSAT) is a privacy breach and must be stopped.

Source - David Canton, in CANOE

[From the article:

The Commissioner considered this four-point test:

- Is the measure demonstrably necessary to meet a specific need?

- Is it likely to be effective in meeting that need?

- Is the loss of privacy proportional to the benefit gained?

- Is there a less privacy-invasive way of achieving the same end?

I guess remaining anonymous is no longer an option? Perhaps anonymous equals sex offender? Perhaps terms of service has the force of law? (Does that work both ways?)

User Charged With Felony For Using Fake Name On MySpace

Posted by ScuttleMonkey on Monday July 07, @03:53PM

from the understand-before-you-prosecute dept.

Recently a user, Lori Drew, was charged with a felony for the heinous crime of pretending to be someone else on the Internet. Using the Computer Fraud and Abuse Act, Lori was charged for signing up for MySpace using a fake name.

"The access to MySpace was unauthorized because using a fake name violated the terms of service. [Which is a felony? Bob] The information from a "protected computer" was the profiles of other MySpace users. If this is found to be a valid interpretation of the law, it's really quite frightening. If you violate the Terms of Service of a website, you can be charged with hacking. That's an astounding concept. Does this mean that everyone who uses Bugmenot could be prosecuted? Also, this isn't a minor crime, it's a felony punishable by up to 5 years imprisonment per count. In Drew's case she was charged with three counts for accessing MySpace on three different occasions."

[A (up till now) useful site: Bob]

Looks interesting for the e-Discovery crowd...


Second International Workshop on Supporting Search and Sensemaking for Electronically Stored Information in Discovery Proceedings

Wednesday June 25, 2008 - University College London, U.K.

The full proceedings as a zipped pdf

This could be useful... - Business Intelligence Dashboard

Sisense, a company which specializes in business intelligence or decision support, has just launched Prism an information analysis tool which supports out of the box connectivity to different data sources. Prism allows data to be picked apart, processed, and scrutinized from a WYSIWYG interface with emphasis on visuals and instant results. Users can easily create dashboards, reports, widgets and charts; Sisense connects to Excel, SQL, and Oracle. They’ve also got a beta Amazon S3 Dashboard which basically makes it easy to make sense of Amazon’s S3 data with visualizations of your service’s stats. Developers can receive data as charts, in tabular format, and they can schedule key performance indicator reports. Prism is a free 10meg download which comes with video tutorials and a learning center for beginners.

You never know what you are buying... Why would any company voluntarily cripple their product? Do they see the $99 option as a money maker (like the airlines charging to check a bag?)

Bend Over Dude, You’re Getting A Dell — Some Dell laptops come with disabled audio ports, after pressure from the RIAA. Dell will enable them for you for only $99. Bargain.

From the comments, this could become a hot discussion topic, but since the lobbying is all on one side, all we can do is complain.

Telecoms Suing Municipalities That Plan Broadband Access

Posted by kdawson on Monday July 07, @08:04PM from the buggy-whips-mean-jobs dept. has up a review of ongoing and historical cases of telecoms suing municipalities that plan broadband networks. In many cases those same telecoms have spent years ignoring as potential customers the cities and towns now undertaking Net infrastructure projects, only to turn around and sue them. One lawyer who has defended many municipalities in this position says, "This is similar to electrification a century ago when small towns and rural areas were left behind, so they formed their own authorities." Bob Frankston has been writing for years about the financial model of artificial scarcity that underlies the telecoms business plans. This post gives some of the background to the telecoms' fear of abundance.

I don't often get to say nice things about Comcast! This should be a natural reaction to new technologies – figure out how to monitor them and how to use them to enhance the organization.

Hurry up, the customer has a complaint

As blogs expand the reach of a single voice, firms monitor the Internet looking for the dissatisfied

By Carolyn Y. Johnson Globe Staff / July 7, 2008

When C.C. Chapman noticed a blemish in his high-definition television's reception during the NBA playoffs recently, he blasted a quick gripe about Comcast into the online ether, using the social network Twitter.

Minutes later, a Twitter user named ComcastCares responded, and within 24 hours, a technician was at Chapman's house in Milford to fix the problem.

"I was so floored," said Chapman, who runs a digital marketing agency and advises companies to do what he experienced with Comcast - listen to what customers are saying about them online and respond. "When it actually happened to me, it blew me away," he said. "Now I have a case study."

... Other companies are moving in the same direction.

At Southwest Airlines, the social media team includes a chief Twitter officer who tracks Twitter comments and monitors a Facebook group, an online representative who fact checks and interacts with bloggers, and another who takes charge of the company's presence on sites such as YouTube, Flickr, and LinkedIn. So if someone posts a complaint in cyberspace, the company can respond in a personal way.

Tools & Techniques Adding the “I'm being coerced” option.

TrueCrypt 6.0 Released

Posted by kdawson on Tuesday July 08, @05:36AM from the plausible-deniability dept. Encryption Security

ruphus13 writes

"While most of the US was celebrating Independence Day, the true fellow geeks over at TrueCrypt released version 6.0 of TrueCrypt over the long weekend. The new version touts two major upgrades. 'First, TrueCrypt now performs parallel encryption and decryption operations on multi-core systems, giving you a phenomenal speedup if you have more than one processor available. Second, it now has the ability to hide an entire operating system, so even if you're forced to reveal your pre-boot password to an adversary, you can give them one that boots into a plausible decoy operating system, with your hidden operating system remaining completely undetectable.' The software has been released under the 'TrueCrypt License,' which is not OSI approved."

July 7, 2008 5:02 PM PDT

Geeks get a word in with Merriam-Webster

Posted by Michelle Meyers 4 comments

Geek culture is once again showing its influence over the mainstream lexicon in the latest version of the Merriam-Webster Collegiate Dictionary, which includes word additions such as webinar, malware, netroots, pretexting (thank you Hewlett-Packard), and fanboy (thank you Apple).

Another large list of free stuff. How can I resist?

Open Source Windows

Is this an indication that the government wants to tax your ancestors?

July 07, 2008’s Family History and Genealogy page

Family History and Genealogy page includes the following topical links:

Something for my Process Engineering Class... (Perhaps you should check the design your apprentice architect came up with?)

Is There Something Wrong? — Can you find what is wrong with this building?


Technology reshapes America's classrooms

By Jason Szep Mon Jul 7, 10:42 AM ET

... Education experts say her school, the Lilla G. Frederick Pilot Middle School in Boston, offers a glimpse into the future.

It has no textbooks. Students receive laptops at the start of each day, returning them at the end. Teachers and students maintain blogs. Staff and parents chat on instant messaging software. Assignments are submitted through electronic "drop boxes" on the school's Web site.

... Classwork is done in Google Inc's free applications like Google Docs, or Apple's iMovie and specialized educational software like FASTT Math.

... "Our projections show that 50 percent of high school courses will be taught online by 2019. It's about one percent right now," said Horn, executive director of education at Innosight Institute, a nonprofit think tank in Massachusetts.

Ditto. Perhaps some ideas (at least a list of risks)

Handling Flash Crowds From Your Garage

Posted by kdawson on Tuesday July 08, @02:50AM from the to-scale-or-not-to-scale dept. The Internet Networking IT

slashdotmsiriv writes

"This paper from Microsoft Research describes the issues and tradeoffs a typical garage innovator encounters when building low-cost, scalable Internet services. The paper is a more formal analysis of the problems encountered and solutions employed a few months back when Animoto, with its new Facebook app, had to scale by a factor of 10 in 3 days. In addition, the article offers an overview of the current state of utility computing (S3, EC2, etc.) and of the most common strategies for building scalable Internet services."