Saturday, July 19, 2008

The cost of a HIPAA Privacy Breach

HIPAA privacy and security violations cost Seattle company $100,000

Friday, July 18 2008 @ 04:06 PM EDT Contributed by: PrivacyNews

The Department of Health and Human Services has settled complaints over breaches of health information privacy and security rules by a Seattle home health care company.

Health records of more than 386,000 patients were compromised, according to an HHS news release. Under the first-of-its-kind agreement, Providence Health & Services of Seattle has paid $100,000 and promised to take steps to ensure further breaches do not happen.

Source - Government Health IT

Related - HHS Press Release

[From the article:

The agreement labels the $100,000 payment a “resolution amount.” “Providence’s cooperation with [HHS offices] allowed HHS to resolve this case without the need to impose a civil monetary penalty,” the news release states. [They get to say, “We were never fined?” Bob]

... The agreement states that laptops, disks and tapes containing individuals’ health records protected under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) were taken from cars parked by Providence employees on five occasions in 2005 and 2006. [So HHS is about 18 months behind in its investigations? Bob]

Forgive me for applying logic, but wouldn't the fact that a defendant named “A” is using the identification of a victim named “B” suggest that he knew the ID wasn't his?

Some rulings on aggravated identity theft

Saturday, July 19 2008 @ 05:46 AM EDT Contributed by: PrivacyNews

Another federal appellate court holds that the crime of aggravated identity theft requires proof that the defendant knew that the means of identification belonged to another person: The U.S. Court of Appeals for the First Circuit, in a ruling that you can access here, becomes the second federal appellate court to so hold in two days. Yesterday, in a ruling that you can access here, the majority on a divided three-judge Ninth Circuit panel reached the same result. Interestingly, today's First Circuit ruling was written by a senior Ninth Circuit judge sitting by designation.

Source - How Appealing blog

Strangely, you must download the book one chapter at a time. I wonder why they did it that way?

The Freewheeling Web's Privacy Noose

By Katherine Noyes TechNewsWorld 07/19/08 4:00 AM PT

It's no secret that individual privacy has already suffered since the Internet era began, but privacy law expert Daniel Solove believes things are likely to get even worse -- much worse -- and he illustrates his vision in living color with a wealth of examples from the here and now.

In The Future of Reputation: Gossip, Rumor, and Privacy on the Internet (Yale University Press, 2007) -- now available as a free download -- Solove begins his dark tale with the classic story of "dog poop girl," a young woman now famous for refusing to clean up after her dog on a South Korea subway train.

Tools & Techniques Also has application in the Forensics world, but is not a perfect solution.

July 18, 2008 2:47 PM PDT

Security Bites 108: Understanding white listing

Posted by Robert Vamosi

To put it simply, the concept of "white listing" is to define a set of software, a set of vendors, and allow only those trusted applications or files from those vendors to run on your machine. If a file or application is not approved, it will not run.

... Massachusetts-based Bit9 has created one of the largest catalogs of "known good" and "known bad" applications.
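An added example, not code from the Security Bites episode or from Bit9, that illustrates the allow-listing idea in the paragraph above and the "not a perfect solution" caveat in Bob's note: files are identified by content hash, anything in the known-bad catalog is refused, anything not in the known-good catalog is refused by default, and a legitimate vendor update is refused too until the catalog learns its new hash. The vendor name, file paths and file contents are all constructed for the example.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow: trusted catalog entry"
    DENY_KNOWN_BAD = "deny: known-bad catalog entry"
    DENY_UNKNOWN = "deny: not in the allowlist (default deny)"


# Constructed stand-ins for executable contents. A real agent would read the
# file from disk; here the bytes are embedded so the example runs offline.
SAMPLE_FILES = {
    "C:/Program Files/Acme/editor.exe": b"MZ\x90\x00 acme-editor build 4.1",
    "C:/Program Files/Acme/editor.exe (after update)": b"MZ\x90\x00 acme-editor build 4.2",
    "C:/Users/bob/Downloads/editor.exe": b"MZ\x90\x00 unknown binary renamed to look trusted",
    "C:/Users/bob/Downloads/invoice.exe": b"MZ\x90\x00 constructed malware sample",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The "catalog": hash -> vendor for known good, hash -> label for known bad.
# Built here from the constructed samples; a real catalog comes from the vendor.
KNOWN_GOOD = {
    sha256_hex(SAMPLE_FILES["C:/Program Files/Acme/editor.exe"]): "Acme Software (constructed vendor)",
}
KNOWN_BAD = {
    sha256_hex(SAMPLE_FILES["C:/Users/bob/Downloads/invoice.exe"]): "constructed malware sample",
}


def decide(contents: bytes) -> Verdict:
    """Decide whether a file may execute. Identity is the content hash,
    never the path or file name, so renaming a file changes nothing."""
    digest = sha256_hex(contents)
    if digest in KNOWN_BAD:
        return Verdict.DENY_KNOWN_BAD
    if digest in KNOWN_GOOD:
        return Verdict.ALLOW
    return Verdict.DENY_UNKNOWN


def evaluate_all(files=None) -> dict:
    """Run the policy over every sample and return path -> verdict."""
    files = SAMPLE_FILES if files is None else files
    return {path: decide(data) for path, data in files.items()}


if __name__ == "__main__":
    for path, verdict in evaluate_all().items():
        print(f"{verdict.value:45} {path}")
```

Two things worth noticing when you run it: the file in Downloads that was renamed to `editor.exe` is still denied, because only the hash counts; and the vendor's own 4.2 build is denied just as firmly, which is the operational cost of a pure allow-list and the reason the approach needs a catalog that is kept current.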

I wonder how much play this will get in the media?

GOP cyber-security expert suggests Diebold tampered with 2002 election

Larisa Alexandrovna and Muriel Kane Published: Friday July 18, 2008

A leading cyber-security expert and former adviser to Sen. John McCain (R-AZ) says he has fresh evidence regarding election fraud on Diebold electronic voting machines during the 2002 Georgia gubernatorial and senatorial elections.

Bad hackers, good hack? What kinds of legal knots does this tie?

Ubisoft Uses Internet Crack To Get Around Its Own DRM

from the ah,-the-irony dept

Ubisoft, one of the larger video gaming companies out there, has a somewhat troubled history of overburdening its games with awful DRM. And, as with most DRM systems, the people it tends to hurt most are the legitimate purchasers who somehow run afoul of whatever DRM rules are in place. In this case, the Ubisoft game Rainbow Six: Vegas2 (R6V2) had some DRM that would check to see if the physical media (CD-ROM) was in the drive before it would let you play. Unfortunately, Ubisoft also offered the game as a download via IGN's Direct2Drive store. They had set it up so this would work even without the actual CD, but a recent patch didn't take that into account, and broke the game for anyone who had purchased it via D2D.

So, what does Ubisoft do? It releases a patch that isn't actually a "patch" but a well known crack that it downloaded off the internet. As TorrentFreak points out at the link, according to the way companies like Ubisoft look at things, it "stole" someone else's code and passed it off as its own. And, of course, there's the somewhat delicious irony that it didn't just "steal" any code for its own use, but the very code that companies like Ubisoft insist is evil, immoral and illegal. Except, of course, when Ubisoft is in desperate need of it, apparently.

Bad use of the Internet. Ask the photographer to capture your good side...

Web networking photos come back to bite defendants

By ERIC TUCKER Associated Press Writer Jul 18, 2:35 PM EDT

PROVIDENCE, R.I. (AP) -- Two weeks after Joshua Lipton was charged in a drunken driving crash that seriously injured a woman, the 20-year-old college junior attended a Halloween party dressed as a prisoner. Pictures from the party showed him in a black-and-white striped shirt and an orange jumpsuit labeled "Jail Bird."

In the age of the Internet, it might not be hard to guess what happened to those pictures: Someone posted them on the social networking site Facebook. And that offered remarkable evidence for Jay Sullivan, the prosecutor handling Lipton's drunken-driving case.

Sullivan used the pictures to paint Lipton as an unrepentant partier who lived it up while his victim recovered in the hospital. A judge agreed, calling the pictures depraved when sentencing Lipton to two years in prison.

Online hangouts like Facebook and MySpace have offered crime-solving help to detectives and become a resource for employers vetting job applicants. Now the sites are proving fruitful for prosecutors, who have used damaging Internet photos of defendants to cast doubt on their character during sentencing hearings and argue for harsher punishment.


Millionaire posts divorce payout online

Businessman silences critics

Written by Guy Dixon, 18 Jul 2008

Gary Dean, a Lancashire-based millionaire businessman, has published full details of his divorce settlement online in a bid to quash rumours which branded him as "tight".

The true hacker. (Not the “most wanted” hacks, but amusing)

July 18, 2008 10:28 AM PDT

Team debuts electronic-hacking how-to videos at HOPE conference

Posted by Elinor Mills

... A team of do-it-yourself technology gurus are creating a video series that will show you how to hack everyday gadgets to get more--and novel--uses out of them.

Economics: One measure of value is the resale price of a good.

July 18, 2008, 7:47 pm

There’s Lots of Money in Those Old iPhones

By David F. Gallagher

I was walking by the lengthy iPhone line outside the Apple Store in Soho on Sunday when I heard someone call out: “Turn in your old iPhone and get the new one free!”

... But Joe Weingarten of FreeiPhoneSwap, who has been soliciting used phones in Miami, gave a different account to The Miami Herald:

“There’s a very big demand, especially because there is a big shortage overseas,” Weingarten said. He added that he has 15 people working with him and he will be doing the same thing at stores in New York.

... EBay’s marketplace is setting prices for those used phones that make FreeiPhoneSwap’s payout levels look like a ripoff. The 8-gigabyte model is getting bid up to well over $300 on eBay, versus the $200 you would get from FreeiPhoneSwap. It’s not hard to find similar offers on Craigslist.

Might be interesting... - WhiteBoard for Collaborative Drawing

DabbleBoard is a very user-friendly application that allows you to have fun while drawing, sharing, and collaborating in real-time. If you’d like to share and collaborate with others you’ll have to sign up for a free account but if you just want to draw and explore on your own, you can do so without even needing to sign up. You can choose whether to make a free-hand drawing from scratch, or you can upload a photo from your desktop or by entering a URL. The image upload feature makes it easy to make notes on any image and share them with others making DabbleBoard a great project collaboration tool. There is an array of features which include the ability to effortlessly type in text, scale objects and relocate them.

Friday, July 18, 2008

This is a new justification as far as I know....

Disgruntled Tech In Liechtenstein Steals Banking Info On Tax Cheats; Turns It In For Rewards

from the good-or-bad? dept

Forget the disgruntled tech holding the city of San Francisco hostage. An even more interesting story of a disgruntled tech is coming out of the tiny European country of Liechtenstein. Apparently (who knew?) Liechtenstein is a favorite destination for money of rich folks looking to avoid taxes. Its banking system is apparently quite secretive... except, of course, in the hands of a disgruntled computer tech. It appears that just such a tech, named Heinrich Kieber, walked off with tons of data from Liechtenstein LGT Group, a bank owned by Liechtenstein's ruling family. He then sold that data to a variety of countries to help those countries find and arrest tax cheats. This turned out to be quite lucrative for Kieber. For example, the US offers such "whistle blowers" 30% of whatever tax money they recover. Germany apparently paid him somewhere between $6 million and $7.3 million for the info. The guy's lawyer insists he's a whistleblower -- while those exposed have a different word (or words) they think of when discussing Kieber.

Ignorance of the law is... useful? ...cheaper than compliance? ...worth the risk? ...a way to attract corporate clients?

Houston law firm threw confidential client information in the trash

Posted by Evan Francen at 7/17/2008 2:53 PM and is filed under Weber Law Firm,Insecure Discard

... "HOUSTON -- Harris County Sheriff's deputies uncovered hundreds of people's personal financial files that had been discarded in a dumpster in northwest Houston on Monday."

... When the sheriff's office first arrived, the responding deputies had no idea what to do with the records.

So, they called the law office from where the records had come from. 11 News called the law offices of William Weber as well.

[Evan] Mr. Weber's bio is pretty extensive.

Weber, who eventually arrived to pick up the discarded records, told both 11 News and the sheriff's office that it was "no big deal"

[Evan] Obviously, this answer probably doesn't go over very well. In hindsight, I am guessing that Mr. Weber wishes he could take these words back.

Still, at the insistence of the sheriff's office, Weber did arrive to pick the boxes up.

Weber had a different answer for 11 News when he showed up to retrieve the 32 boxes.

"It's a mistake," he said. "We regret it. We regret it. They weren't intended to be put here. I didn't put them here. It was a misunderstanding between me and my wife."

[Evan] Ugh. Blaming the wife would not be a good idea in my house, even if it were her fault.


TX: AG looking into Houston file-dumping case (follow-up)

Friday, July 18 2008 @ 06:39 AM EDT Contributed by: PrivacyNews

Bankruptcy case files dumped in a Houston trash bin have gotten the attention of the Texas Attorney General. After 11 News broke the story about the 32 boxes of personal – and sensitive -- information discarded in a dumpster, the AG says there is a potential that “hundreds or thousands of violations” occurred.

Source - KHOU

[From the article:

“If there were boxes of documents that potentially contained hundreds or thousands of names, that could potentially be hundreds or thousands of violations,” Abbott said.

Violations of the Texas ID Theft Act. It is a civil law that requires businesses to destroy or make unreadable anything containing clients' personal information. It carries up to a 50,000 fine per violation for those found to have violated the law.

“It is a very expensive proposition not to comply,” said Abbott. “It is in every business' best interest for their bottom line to comply with the law.”

... Weber confirmed that he has been contacted by the AG's office and said he will cooperate with any investigation. He also said he destroyed all of the documents that were found in the trash. [Notification is going to be difficult. Bob]

“We don't bother to look so we get defensive when someone points to a problem.”

UT students' personal info found online (follow-up)

Thursday, July 17 2008 @ 01:09 PM EDT Contributed by: PrivacyNews

A Washington D.C. Web site that documents illegal online disclosures of personal information has accused UT of posting the private data of 2,500 UT students.

... "We ended up notifying a very small subset of those that Mr. Titus claims were exposed," Roberts said. "What he claims is personal information is not what the law requires to trigger a notification."

In a Jan. 30 e-mail correspondence with Titus, Cam Beasley, chief information security officer said, "You were likely the only individual to view the files containing particularly sensitive data in some time, and we have no evidence to indicate any malicious use has occurred." [That is not a requirement for disclosure... Bob]

... "As I recall, he was incorrect about the number," said Jeffery Graves, associate vice president for Legal Affairs. "He lumped together those who had just normal information like directory information and a very few who had sensitive information and he lumped them together in one number. Very few had information disclosed that was confidential or sensitive information."

Source - Daily Texan Online

Not a wholesale release. Would you count this as 23,000 individual breaches?

UMD Released Students' Social Security Numbers

Friday, July 18 2008 @ 06:05 AM EDT Contributed by: PrivacyNews

University of Maryland said Thursday they accidentally released the addresses and social security numbers of thousands of students.

The University of Maryland's Department of Transportation Services sent all students, a total of more than 23,000, registered for classes a brochure with on-campus parking information. It was sent by U.S. Mail. The University discovered the labels on the mailing had the students' social security numbers on it as well. [Question: Why put either the SSAN or the University ID on the label? It serves no purpose. Bob]

Source - WJLA

When it came time to plan for Backups, my students didn't even consider physical media. Interesting how organizations can fail to review old, established procedures until they bite them.

Bristol-Myers: Tape With Workers' Personal Data Was Stolen

Thursday, July 17 2008 @ 03:55 PM EDT Contributed by: PrivacyNews

Bristol-Myers Squibb Co. (BMY) said a backup computer-data tape containing employees' personal information, including Social Security numbers, was stolen recently.

The New York drug maker learned of the theft on June 4, and began notifying current and former employees by letter in the past few days, spokeswoman Tracy Furey told Dow Jones Newswires Thursday afternoon.

... The information on the tapes included names, addresses, dates of birth, Social Security numbers and marital status, and in some cases bank-account information, the company said. Data for some employees' family members also were on the tape.

Source - CNN Money

[From the article:

The Bristol-Myers backup data tape was stolen while being transported from a storage facility, Furey said.

“We only use proven security technology – like this cupboard where we store the Earl Grey tea.”


UK: Patient data of 45,000 ‘is stolen from cupboard’

Southwark Primary Care Trust lost sensitive and confidential information on 45,000 of the country’s most vulnerable patients, after a portable hard drive was reportedly stolen from a specialist disability rehabilitation centre.

The hard drive - containing the name, address, telephone number and a description of the level of disability of 45,000 patients at Crystal Palace’s Bowley Close, went missing from a locked cupboard.

The cupboard was described as ‘not normally accessible to the public’, and the disk went missing sometime between January 25-28.

Full story - Southwark News

[From the article:

Having begun the process of sending out recorded delivery letters to the estimated 45,000 victims across the country - 14,300 from Southwark - the PCT claim that the information may not have got into the wrong hands. [Oxymoron alert! (Or are they saying it could be in the right hands, but the owner of those hands is too stupid to realize it?) Bob]

Hey, it's an Identity Theft story. I can't help it if it's also amusing...

Duped by Dupre: N.J. woman charges Spitzer call girl with identity theft

Friday, July 18 2008 @ 06:36 AM EDT Contributed by: PrivacyNews

A shy dental assistant claims her good name is ruined because Eliot Spitzer's high-priced hooker stole her identity to appear in a "Girls Gone Wild" video.

Amber Arpaio filed a federal complaint charging Ashley Dupre used Arpaio's lost New Jersey driver's license in the notorious 2003 video to hide the fact that she was a minor.

Source - NY Daily News

Real risk or good marketing?

HR directors targeted as computer hackers seek staff data

Friday, July 18 2008 @ 07:13 AM EDT Contributed by: PrivacyNews

A security analyst has warned HR directors they are "under threat" from computer hackers hunting for employee data, after unearthing a huge operation.

Anti-virus software giant McAfee discovered a scam targeting users of global recruitment website, less than a year after 1.3 million users' data was stolen from the site.

Source -

[From the article:

In the most recent attack, e-mails asking Monster users to click through and update their profile were in fact sending information to a computer in Turkey.

... "We're seeing scammers particularly targeting HR directors because they have the highest security clearance and access to vast amounts of information," Day told Personnel Today. [Not in any organization I know of... Bob]

I laughed at this the other day and my students laughed when I showed them the article. Either something is being withheld from the article or this is seriously mis-reported.

Experts Say Lax Security Allowed San Francisco Network Hijacking, Admin Offers Passwords

Friday, July 18 2008 @ 06:50 AM EDT Contributed by: PrivacyNews

San Francisco's "rogue" computer admin accused of commandeering the city's exclusive network passwords has offered to hand them over, his attorney said Thursday.

The jailed defendant, Terry Childs, 43, pleaded not guilty Thursday to four felony counts of denying access to the city's network and of producing an unauthorized access device to control the government's network remotely.

Childs is being held on $5 million bail, as the authorities fear he could unleash a wave of attacks on the FiberWAN system Childs built. It controls the city's e-mails, payroll, law enforcement records and other data.

Source - Threat Level blog

[From the article:

"We're regaining control of the access that Mr. Childs has denied us access to," he said in a telephone interview. "We're not sure what we were locked out of."

... "If they had adequate backup, they could effectively restore it with new passwords in days or so," Hom said in a telephone interview. "Unless the backups don't exist. The executive management should be held accountable for that."

Think of it as academic research for the times we will need to replace Real-ID cards as terrorists (translation: non-government employed teenagers) crack the codes...

After Security Breach, Harvard Unveils New IDs

Thursday, July 17 2008 @ 09:53 AM EDT Contributed by: PrivacyNews

The Faculty of Arts and Sciences (FAS) announced last week that students, faculty, and staff will receive new identification cards that use contactless Smartcard technology when they return to campus this fall.

The upgrade comes less than a year [this will have to improve, hackers will crack the codes while people are still lined up to get the new cards! Bob] after Theodore R. Pak '09 was caught creating duplicates of the Harvard University ID (HUID) cards belonging to University President Drew G. Faust, Assistant Dean of the College Paul J. McLoughlin II, and Dunster House Superintendent H. Joseph O'Connor.

Pak's hack revealed a significant security flaw in the more than 15-year-old swipe card system, as he was able to gain access to buildings and gates across campus with only knowledge of HUID numbers and a $200 card reader bought from eBay.

Source - The Harvard Crimson

[From the article:

Lichten said that the encryption makes the system more difficult to hack, but he said he is "not sure" if it is more secure than the swipe-access cards that Harvard has used in the past. [Interesting that Harvard would implement an unproven system Bob]

... The security scare caused by Pak's forgery highlighted a significant vulnerability to student and faculty members' Crimson Cash accounts, which are directly linked to HUID numbers and are considered financial account numbers by the Commonwealth of Massachusetts.

In 2007, the Massachusetts state legislature passed a law that required all financial account numbers to be protected and mandated that notice should be issued whenever an incident compromises the security of that data.

“Hey, we spent a lot of time & treasure to make this possible. It would cost lots more to make it un-possible, so we'll just promise not to do it...”

Logged In or Out, Facebook Is Watching You

Posted by timothy on Thursday July 17, @02:50PM from the damn-addictive-scrabulous-and-cute-iris-chang dept. Social Networks Privacy

kaos07 links to this ZDNet story, according to which

"Researchers at software vendor CA have discovered that social networking site Facebook is able to track the buying habits of its users on affiliated third-party sites even when they are logged out of their account or have opted out of its controversial 'Beacon' tracking service. Responding to privacy concerns, Facebook has since moved to reassure users that it only tracks and publishes data about their purchases if they are both logged in to Facebook and have opted-in to having this information listed on their profile. But in 'extremely disconcerting' findings that directly contradict these assurances, researchers at CA's Security Advisory service have found that data about these transactions are sent to Facebook regardless of a user's actions."

“Und next, ve vill identify za homozexuals und the mental defectivz und der liberal politicians und...”

AU: Public servants may have to divulge religion and ethnicity

Thursday, July 17 2008 @ 10:28 AM EDT Contributed by: PrivacyNews

VICTORIAN public servants may have to divulge personal information about their religion and ethnicity under a move to crack down on workplace discrimination.

Source - Herald Sun

[From the article:

"In Victoria, the research found that those with Vietnamese and Greek-sounding names [“Sorry, Mr. Socrates, we only hire smart people.” Bob] had significantly less success in gaining job interviews than those with Anglo-Saxon names, despite the details in the applications being identical," it says.

Ooh! Instant research!

SS8 Publishes Follow-up Guide on Lawful Intercept Legislation

Thursday, July 17 2008 @ 10:30 AM EDT Contributed by: PrivacyNews

.... The Ready Guide to Intercept Legislation 2 (available for download at details 84 pages of intercept legislation from 31 different countries, with specific attention paid to personal privacy issues, responsibilities of carriers, accountability to national law making bodies and cost recovery mechanisms. The result of extensive research into LI legislation around the world, this pocket-sized booklet details the historical context for current worldwide LI statutes, and is designed to serve as a valuable reference for anybody connected with the surveillance industry.

Source - TMCnet.com (press release) Free registration required to obtain copy of guide.

Companies agree to obey the law! (Why is this news?)

AGs welcome massive agreement with ISPs

Friday, July 18 2008 @ 06:17 AM EDT Contributed by: PrivacyNews

What started with New York Attorney General Andrew Cuomo has spread across the rest of the country.

The National Association of Attorneys General announced an agreement with the National Cable & Telecommunications Association that is designed to limit the distribution of child pornography on the Internet.

Source - LegalNewsline

So everyone will want one? Naaaah! You have to be obeying the speed limits for it to be useful. I want the “create evidence as required” version.

GPS Tracking Device Beats Radar Gun in Court

Posted by timothy on Friday July 18, @12:51AM from the double-edged-sword-at-least dept. The Courts Transportation Technology

MojoKid writes

"According to a release issued by Rocky Mountain Tracking, an 18-year old man, Shaun Malone, was able to successfully contest a speeding ticket in court using the data from a GPS device installed in his car. This wasn't just any old make-a-left-turn-100-feet-ahead-onto-Maple-Street GPS; this was a vehicle-tracking GPS device — the kind used by trucking fleets — or in this case, overprotective parents. The device was installed in Malone's car by his parents, and the press release makes no mention if the teenager knew that the device was installed in his vehicle at the time."

[From the article:

GPS expert, Dr. Stephen Heppe wrote a report that essentially said that the GPS data was not accurate enough to contest the accuracy of the radar gun. Malone appealed the decision and had his day in court. At trial, things played out differently:

"However, when he took the stand to begin his testimony, Dr. Heppe corrected that written report, saying that the Rocky Mountain Tracking device was "very" accurate, to within a couple of meters on location and to within 1 mph on speed. Dr. Heppe also pointed out that the GPS device released instantaneous data, and not data averaged over a distance."

[Makes you wonder about his “expertise” Bob]

Tools & Techniques How dare they not have WiFi everywhere!

A DIYer's Quick Guide To Cheap Wireless Extension

Posted by timothy on Thursday July 17, @01:17PM from the use-genuine-zip-loc-bags dept. Communications Hardware Hacking Wireless Networking

An anonymous reader writes

"This piece is described in one of the comments on it as 'a little piece of genius'... and I have to agree! Although Peter Cochrane seems a bit of a crack pot, the ways that he comes up with to get connected when he's out of range in the sticks are pure genius and he makes them appear really simple! Think old satellite dishes, USB dongles and plastic bags and you'd be on the right tracks to upping wi-fi signal by 4 bars."

A perfect excuse to link to one of my favorite sites, if you want more details and photos on similar jury-rigged long-distance connections. However, your meterage may vary — I've found USB Wi-Fi devices to be pretty fickle under Linux, with some distros working way better than others.

My students are tasked with installing and securing an application “in the cloud” -- they would certainly agree that there is no good definition...

Multiple Experts Try Defining "Cloud Computing"

Posted by timothy on Thursday July 17, @06:23PM from the chance-of-haze-leading-to-fuzziness dept. The Internet

jg21 writes

"Even though IBM's Irving Wladawsky Berger reports a leading analyst as having said recently that 'There is a clear consensus that there is no real consensus on what cloud computing is,' here are no fewer than twenty attempts at a definition of the infrastructural paradigm shift that is sweeping across the Enterprise IT world — some of them really quite good. From the article: 'Cloud computing is...the user-friendly version of grid computing.' (Trevor Doerksen) and 'Cloud computing really is accessing resources and services needed to perform functions with dynamically changing needs. An application or service developer requests access from the cloud rather than a specific endpoint or named resource.' (Kevin Hartig)"


GDocs vs. ThinkFree vs. Zoho vs. MS Office

Posted by timothy on Thursday July 17, @08:39PM from the probably-the-one-steel-cage-is-enough dept. Software Google Microsoft

CWmike writes

"Web-based productivity suites, once almost a contradiction in terms, have become real challengers to desktop applications. Google Docs, ThinkFree, and Zoho have all made major improvements in recent months. They're becoming both broader, with more applications, and deeper, with more features and functionality in existing apps. The question is: Are these three applications really ready to take on a desktop-based heavy hitter like Microsoft Office?"

[From the article:

Microsoft Office (primarily its Word, Excel and PowerPoint applications) has long been famous for including every possible feature, no matter how obscure -- and for imposing a hefty load of code on your hard drive to provide all those features, not to mention the heavyweight user interface it takes to support them. [and most users probably use no more than 10% of the available features 99% of the time. Bob]

For my website class - Watch and Share Free Documentaries

SnagFilms makes it possible to find, watch, and share the best film documentaries out there. Users can log on and browse various categories of documentaries, such as environment, health, and politics. Listed films range from large titles, like National Geographic programs, to small lesser-known independent features. Because the goal is to spread the word about these films, all documentaries can be watched on SnagFilms for free. Moreover, users can embed a widget that allows the films to be watched for free from their own sites. Before viewing the film, users may read a quick synopsis, as well as any corresponding comments that other users have made. When available, users may order a DVD of the film right from the SnagFilms site.

Thursday, July 17, 2008

Cost of “improper disposal” (If you don't have an “agreement” with the state, can you keep ignoring the law?)

Attorney General Abbott Reaches Agreements That Will Help Protect Texans From Identity Theft

Thursday, July 17 2008 @ 06:00 AM EDT Contributed by: PrivacyNews

Texas Attorney General Greg Abbott reached settlement agreements with Select Medical Corp. and RadioShack that will help protect Texans from identity theft.

... The state’s agreement with Select Physical Therapy Texas L.P. requires the health care provider to amend its existing information security procedures to ensure future compliance with identity theft prevention laws. Select Medical must implement a new training program that educates their Texas employees about newly established privacy procedures and reviews state laws governing the disposal of customer records.

Under the agreement, all Select Medical Texas employees must take the training annually for the next five years. The mandatory course will explain identity theft, its costs to individual customers and the importance of complying with the company’s newly implemented document disposal protocol. To further ensure that employees comply with the new protocol, each of Select Medical’s Texas locations must post signs detailing records storage and disposal requirements. They also must maintain certification records that show each employee’s compliance with the training requirements.

Select Medical agreed to pay the state of Texas $990,000, which includes $100,000 in attorneys’ fees. Under the Identity Theft Enforcement and Protection Act, the remaining sum will be appropriated for the investigation and prosecution of future identity theft cases.

The state opened its investigation into Select Medical after the Levelland Police Department reported that more than 4,000 documents containing customers’ sensitive information were found in garbage containers behind a Select Physical Therapy Texas Limited Partnership location in that city. The records discovered by authorities contained patients’ bank account numbers, sensitive medical evaluations, drug and alcohol testing verification results, plan of care forms, insurance verification sheets, and social and vocational therapy questionnaires.

Source - Press Release from the Attorney General of Texas

Related (The frequency of this type of violation makes it like shooting fish in a barrel. Any AG who wants to make news could find plenty of opportunity.)

Texas AG finishes probe of Radio Shack's identity protection measures

Wednesday, July 16 2008 @ 06:49 PM EDT Contributed by: PrivacyNews

Electronics retailer RadioShack Corp. has agreed to pay Texas Attorney General Greg Abbott's office $630,000 to settle an investigation into the company's identity-theft protection practices.

.... RadioShack was investigated after the attorney general learned a retail location had dumped thousands of sensitive records into a trash can. The records contained confidential client data, Social Security numbers, debit and credit information and personal contact information.

Source - Dallas Business Journal

“Sleep well, citizens. Your data is protected by the wisdom and experience of the entire government!” Apparently this was another case of poor systems design – the “file number” is appended to the URL to retrieve and display the record. Change the file number, get someone else's record.

UK: Online passport check suffers security breach

Wednesday, July 16 2008 @ 12:33 PM EDT Contributed by: PrivacyNews

The Identity and Passport Service (IPS) has admitted a data breach in its online passport application progress checking service.

The incident was formally reported to the Information Commissioner’s Office (ICO) but has not been made public until now.

“A parent was able to discover the existence of a child’s passport application by using the online application progress checking service, possibly without entitlement,” according to an annual report from the IPS.

Source - Computing

[From the article:

The report makes clear that the service is not required to disclose security incidents if disclosure created an “unacceptable risk of harm”.

The Home Office said such exemptions would apply if there was a danger to national security, if an investigation would be compromised, or if revealing a breach would conflict with data protection legislation by also revealing personal details.
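The design flaw Bob describes above, a record identifier taken straight from the URL with no check that the caller is entitled to that record, is the classic insecure direct object reference. The following is an added illustration, not code from the IPS service or from the Computing article; the record layout, the user names and the tiny in-memory store are constructed for the example. It shows the weak lookup beside a hardened one that ties the record to the session's user, returns the same answer for "missing" and "not yours" so nothing can be learned about which file numbers exist, and counts denied lookups so that a walk up the number space is visible to the operator.

```python
"""Insecure direct object reference (IDOR) in a status-lookup endpoint.

Added illustration, not code from the IPS service or from the article.
The record layout, user names and in-memory store are constructed here.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Application:
    file_number: int
    applicant_id: str  # the account that submitted the application
    status: str


# Constructed sample data standing in for the service's database.
APPLICATIONS = {
    1001: Application(1001, "alice", "Printing"),
    1002: Application(1002, "bob", "Awaiting supporting documents"),
}

# Denied lookups per user: the raw material for spotting enumeration.
DENIALS: Counter = Counter()


def status_lookup_vulnerable(file_number: int) -> Optional[str]:
    """The weak design: the file number taken from the URL is the only
    input, so whoever changes the number reads someone else's record."""
    app = APPLICATIONS.get(file_number)
    return app.status if app else None


def status_lookup_fixed(current_user: str, file_number: int) -> Optional[str]:
    """Hardened version: the record must belong to the session's user.

    Missing and not-yours both return None, so the response does not tell
    a caller which file numbers exist; each denial is counted."""
    app = APPLICATIONS.get(file_number)
    if app is None or app.applicant_id != current_user:
        DENIALS[current_user] += 1
        return None
    return app.status


def suspicious_users(threshold: int) -> list:
    """Users whose denied lookups reached the threshold: a walk up the
    file-number space shows up here long before it succeeds."""
    return sorted(u for u, n in DENIALS.items() if n >= threshold)


if __name__ == "__main__":
    # bob's status leaks to anyone through the vulnerable lookup ...
    print(status_lookup_vulnerable(1002))
    # ... but not through the fixed one, which also records the attempt.
    print(status_lookup_fixed("alice", 1002))
    print(status_lookup_fixed("alice", 1003))
    print(suspicious_users(2))
```

In a real service the ownership check belongs in the data-access layer rather than in each handler, so that a new endpoint cannot forget it, and the denial counter would feed the application's audit log rather than an in-process dictionary.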

Is some data obviously more sensitive than other data?


TX: Covenant says three laptops stolen since May

Kristen Hackney-Redman of the Avalanche-Journal reports:

A total of three laptop computers have been reported stolen from two or more different areas of Covenant hospitals since May, said Gwen Stafford, a Covenant vice president.

At least one of the laptops contained personal information, including patient names, dates of births and reasons for being seen, but no financial information, such as bank account numbers, insurance information or Social Security numbers, Stafford said. She could not confirm the contents of the second or third laptops.

The Avalanche-Journal has learned one of the computers may have contained information collected from rape victims. Stafford said she could not confirm that due to HIPAA privacy concerns. [Is that legalese for “Yes?” Bob]

Stafford said the first laptop was stolen from the neurodiagnostic center in May and contained information on about 700 patients. That information is encrypted [Good for them! Bob] and password-protected, she said.

She could not comment on any information contained on the second laptop but said any information on that computer also was highly secure. [but not encrypted, so probably a (useless) password. Bob]

Full story - Lubbock Online

[From the article:

Lubbock police Capt. Greg Stevens said there is no indication the computers were taken for the information they contain. He said it is more likely the computers were stolen so they could be sold for parts or used personally. [This is certainly true, but what exactly would be an “indication” that the thief was after the data, a ransom note? Bob]

"There is no indication of information being compromised at all," he said. [Same comment. Bob]

“Because we can, we must!” What business purpose is served? Perhaps a scan is faster than asking an innumerate clerk to calculate age based on date of birth? Could you say, “I don't want the wine under these conditions. Please give me back my data?”

Target Must Record My Organ Donor Status to Sell Me Wine?

Thursday, July 17 2008 @ 06:43 AM EDT Contributed by: PrivacyNews

My wife and I were in a Target store this weekend, picking up some random items on our shopping list. We saw some good wine at a good price and decided to buy that as well. When we went to the check-out lane, the cashier said, “May I see your ID?”  

All that seemed perfectly normal to us. But then the craziness ensued…

Source - Thruhike98 blog

Comment: note all of the other blogs listed that have also complained about Target's practice on this. -- Dissent.

Props, The Consumerist

Sorry. I thought this was obvious.

Data can leak from partially encrypted disks

Apps like Microsoft Word and Google Desktop, which store data on unencrypted sections of the hard drive, [Those “temporary” working files where documents are stored until you actually SAVE them. Bob] can spill out information, even with encrypted files

By Robert McMillan, IDG News Service July 16, 2008

... The researchers say that people who are using full-disk encryption, where every piece of data on their hard drive is encrypted, do not have to worry.

The case that wouldn't die...

SCO Owes Novell $2.5 Million

Posted by samzenpus on Thursday July 17, @07:57AM from the please-die-already dept.

CrkHead writes

"Groklaw has posted Judge Kimball's ruling on SCO v Novell. For those that have been following this saga, we finally get to watch the house of cards start to fall. For those new to this story, it started with SCO suing Novell and having all its motions decided in summary judgement and went to trial only on Novell's counter claims. Cheers to PJ for keeping us informed!"

Example of a “smoking email?”

When Colluding With A Competitor, Perhaps Don't Send A Direct Email Suggesting You Keep Prices High

from the might-come-back-to-bite-you dept

It's rather rare these days to see collusion lawsuits where there's overt evidence of collusion. Instead, it's usually implicit collusion where a case needs to be made that this is a problem. However, every once in a while you still get those good old fashioned situations where there's evidence of direct price fixing. For example, the Inquirer points us to a case involving questions of collusion in the graphics card market between ATI and NVIDIA, where it appears NVIDIA's VP of marketing sent an email to ATI's president and chief operating officer suggesting that, while the two companies were competitors, they should work more closely to make sure their stock prices each remained high. Apparently, the lawyers in the case tried to hide that document as a "trade secret." If you consider it to be a "trade secret" that the two companies may have been collaborating, then perhaps they have a point. But the judge didn't buy it: "This court is not a wholly-owned subsidiary of your companies. I am against you hiding information from the public."

Sign of a true politician: the ability to be “shocked” by the “discovery” of things you do every day...

PA: Angry prosecutors target privacy loophole

Thursday, July 17 2008 @ 06:13 AM EDT Contributed by: PrivacyNews

Pennsylvania's prosecutors, saying the public's privacy rights are threatened, will ask state lawmakers to close a legal loophole that allows open access to cell-phone and e-mail records.

District attorneys were "shocked" to discover that state law allows lawyers to obtain cell-phone records on behalf of clients through a simple subpoena without court review, said Carbon County District Attorney Gary Dobias, president of the state District Attorneys Association.

Source -

[From the article:

The issue became public this week when The Inquirer reported that defense attorneys, searching for the source of grand-jury leaks, legally obtained the cell-phone records of two Dauphin County prosecutors and two state police detectives. [The best defense is a good offense OR pretend to be shocked before the voters find out what you are doing... Bob]

... Scranton lawyer Sal Cognetti Jr., representing Sica, had given the company a subpoena for the records - without informing Marsico or the state police.

Prosecutors were livid, then surprised when they learned that Cognetti was under no legal obligation to tell anyone.

"It never came up before," Ferman said. "It was a loophole that no one was aware of."

The state's wiretapping and surveillance law says any communications provider may disclose records of any customers to any person except members of law enforcement, who must secure a warrant for such information. [Okay, that's strange, but how could they be unaware? Bob]


Bronx DA Backs Down After Sending Secret Subpoena To Unearth Anonymous Bloggers & Commenters

from the the-right-to-anonymity dept

Paul Alan Levy, the lawyer from Public Citizen who defended the bloggers in this case, was kind enough to write in alerting us to another job well done by Public Citizen. In this case, a NYC political blog site called Room 8 had some posts by an anonymous blogger criticizing some actions in the Bronx DA's office and the Bronx Republican Party. Not long after the posts, Room 8 received a subpoena from the DA's office not just demanding the IP address of the anonymous blogger and various anonymous commenters, but also warning them that even disclosing the subpoena could get the folks behind Room 8 in serious trouble. Luckily, Room 8 chose to fight this request, signing up the help of Levy, who convinced the DA's office to drop the subpoena, and after Room 8 had to threaten the DA's office with a lawsuit of its own, it dropped the demand that the subpoena be kept secret. Room 8 has a full account as well. Public Citizen also has posted links to a bunch of documents from the case.

What's still not clear is what was the purpose of the original subpoena. From the facts presented, it's easier to jump to the conclusion that it was purely political. Someone in the DA's office didn't like being criticized, and used the power of the office to try to squelch that voice (and, in fact, well before this came out, the anonymous blogger in question erased all his posts and disappeared). The folks who run Room 8 tried to determine what the actual issue was, and never received any answers. The whole thing is a bit scary, as it does show how a DA could abuse power to get info on anonymous critics simply by claiming it was a criminal investigation, without disclosing any details, and without letting the bloggers subpoenaed speak about it. Hopefully if other sites are getting bullied in this manner, they'll learn to fight back as well.

The way the world is going.

Control your PC or Mac Remotely from your iPhone [full demo] — A demo of Mocha VNC for the iPhone. Mocha VNC is a free application from the App Store that provides access to a VNC server. Using your iPhone, you can connect to a Windows PC or Mac OS X and see the files, programs, and resources exactly as you would if you were sitting at your desk, just on a smaller screen. [An even better hack is when I can see YOUR computer... Bob]


Gartner: Security through the cloud will triple by 2013

Security applications delivered as cloud-based services will more than triple by 2013, according to Gartner.

By Computerworld UK staff July 16, 2008

... Popular on-demand enterprise applications, such as those provided by, are allowing mobile workers to bypass the corporate network to access business data. [Not likely unless corporate data is not on the corporate network, i.e. it is stored “in the cloud.” Bob] Gartner said this will force security teams to put controls between mobile workers and cloud based services.

... "One answer will be cloud-enabled security 'proxies' whereby all access to approved cloud-based IT services will be required to flow through cloud-based security services that enforce authentication, data loss prevention, intrusion prevention, network access control, vulnerability management and so on," he said.


All Signs Point to Virtualization

By Jeffrey Hill and Tom Karol TechNewsWorld 07/17/08 5:00 AM PT

... A recently published Aberdeen benchmark, Virtual Strategies: Managing Servers, Desktops and Storage for Infrastructure Efficiency (May 2008), found that 92 percent of companies have implemented some type of server virtualization.

... Virtualization can address many ills. Optimally, successful virtualization results in a more productive and more flexible data center, which can easily scale to meet new demands. It also results in reduced costs, both in power and data center footprint and increasing data availability -- an aggressive set of goals.


Windows will be killed by virtual appliances: VMware exec

by Stan Beer Wednesday, 16 July 2008

... "When you go to Cisco and say you want a router and a firewall, they provide you with an appliance," says Harapin.

"Inside that appliance is probably a bootstrapped Linux operating system that they manage themselves, there's memory and all sorts of devices. If something goes wrong with that appliance, you don't open up the router and try to determine whether it's an OS problem or a memory problem, you simply call Cisco and tell them that there's a problem with your appliance."

... "If there's a problem, there's no operating system that you need to worry about because you simply call the software (application) vendor up, tell them there's a problem with their VM, and they'll snapshot the VM, patch it and send it back to you. So it's an appliance but it just has no hardware around it."

Might be a way to register for seminars... - Add Live Voice Chat to Your Site is a tool that allows users to create phone button widgets and add them to their own blogs, websites, social networks, and various other online pages. Once the widget is added, users use their internet connection, not a telephone line, to place calls right from the site. The PhoneFromHere crew believes that live voice chat is a feature that will increase and retain traffic to a website. Having a PhoneFromHere button enables this instantaneous form of communication and information exchange to take place. PhoneFromHere widgets are run through an open-source solution, enabling them to dodge firewalls more easily. [Not a properly configured firewall... Bob] Furthermore, users do not need to download any software to utilize this tool.

To call this a straight line is to call Mt. Everest a bump in the road. (I can't get the images out of my head!)

Sex 'cuts public speaking stress'

Wednesday, July 16, 2008

Most common(?) means of Identity Theft and we still see the same PR spin attempting to calm the victims.

Stolen laptop contains ISU student information

Tuesday, July 15 2008 @ 05:56 PM EDT Contributed by: PrivacyNews

A password-protected laptop computer [Translation: Unprotected Bob] containing personal information for an estimated 2,500 or more current and former Indiana State University students was stolen during the weekend, the university reported today.

Source -

[From the article:

While there is no evidence to suggest that password security was breached, [Translation: We don't have a clue what the thief is doing, but we really really hope this is true. Bob] the university is taking the precaution [Translation: required by law Bob] of notifying all affected students for whom it has current contact information.

... Beginning in 2003, use of Social Security numbers as student ID numbers was discontinued [but we didn't make any effort to change existing files... Bob] in favor of university-specific identification numbers.

... Faculty and staff are being reminded that university policy prohibits the storage of private, sensitive data on portable computers. [it is only policy, since we have implemented no controls to prevent this Bob]

There is a tendency to anthropomorphise computers. It gives the true culprit (management) someone (something) to blame.

NV: Potential jurors’ IDs put at risk in breach (updated)

Wednesday, July 16 2008 @ 06:00 AM EDT Contributed by: PrivacyNews

District Court in Clark County inadvertently put tens of thousands of people at risk for identity theft during the past three years.

The court’s computer software allowed [Translation: The program was designed to... Bob] prospective jurors’ confidential personal information to be released to a private contractor, court administrators said.

Court officials stumbled onto the security breach [Now there's a tried and true security procedure... Bob] a month and a half ago after learning that a woman who worked for the company that prints jury summons letters had sent names, dates of birth and Social Security numbers of 380 prospective jurors to her personal e-mail account.

Chuck Short, the court’s retiring chief executive, said that once officials learned of the breach at A&B Printing, they moved quickly to purge the computer software of all confidential data. [This makes no sense for many reasons, including “How will you mail me a jury summons if you don't have my name and address?” Bob]

Source - Las Vegas Sun

Earlier coverage - from July 4.

Strange enough to see an organization that still uses physical media for backup, but floppy disks? How 1980's...


HK: Yan Chai Hospital reports data loss

Yan Chai Hospital has lost a batch of backup floppy discs containing 3,000 medical record applicants’ names and identity card numbers.

The discs serve as backup copies storing the processing log sheet on medical report applications dated January 16, 2005, to January 15, 2006. They went missing during the encryption process [Must be one hell of a backlog... Bob] and the hospital management was informed of the incident on June 30. The files do not carry medical information.

Full story -

Another trend. Disclose a breach, but no information on how it happened, changing the question from “You still have no (encryption/locks on the doors/etc.)?” to “So you have no idea what happened?”

Breach puts Mo. soldiers' personal data at risk

Tuesday, July 15 2008 @ 11:45 AM EDT Contributed by: PrivacyNews

The Missouri National Guard has called for a criminal investigation after it learned that the personal information of as many as 2,000 soldiers had been breached.

... The Guard would not release how the personal information had been taken -- whether by computer hackers or other means -- because it has asked for a "full law enforcement investigation into the matter," the statement said.

Source -

[Not even BreachBlog has details: Bob]

For the record...

Making data-breach research easier

Submitted by Paul McNamara on Tue, 07/15/2008 – 6:36am.

... Logging these incidents and assembling reliable research data about the problem has been a bailiwick of security Web site since July 2005 -- and has at times proven daunting, as the database now contains more than 1,000 incident reports covering some 330 million records. Into the breach, so to speak, steps the Open Security Foundation, which is announcing with that as of this morning OSF will formally maintain the DataLossDB -- also known as the Data Loss Database - Open Source.


Breach notice primary sources

(Posted by cwalsh)

Today on the Dataloss mailing list, a contributor asked whether states in addition to New Hampshire and Maryland make breach notification letters available on-line.

... I know only of NH and MD.

... A later response pointed out that Wisconsin publishes some data as well. Actually, so does New York, but it's pretty measly.

A minimal “What we should do” suggestion list? Does your cell phone/PDA comply?

MMA Issues Mobile Privacy Guidelines

Wednesday, July 16 2008 @ 06:16 AM EDT Contributed by: PrivacyNews

Continuing its push for worldwide standards, the Mobile Marketing Association Tuesday released a set of global privacy guidelines for mobile marketers. The new Global Code of Conduct broadens the scope of privacy rules the MMA issued last year for the U.S., with input from its Latin America, Asia-Pacific and Europe, Middle East and Africa chapters.

Source - MediaPostPublications

[From the article:

The code encompasses voluntary guidelines in five categories:

• Notice -- Informing users of the marketers' identity or products and services offered and the key terms and conditions that govern an interaction between the marketer and the user's mobile device.

• Choice and Consent -- Respecting the right of the user to control which mobile messages they receive by obtaining opt-in consent and implementing a simple termination, or opt-out, process.

• Customization and Constraint -- Ensuring that collected user information is used to tailor communication to the interests of the recipient and is handled responsibly, sensitively and in compliance with applicable law. Mobile messages should be limited to those requested by the user and provide value such as product and service enhancements, contests, requested information, entertainment or discounts.

• Security -- The implementation of reasonable technical, administrative and physical procedures to protect user information from unauthorized use, alteration, disclosure, distribution, or access.

• Enforcement and Accountability -- The MMA expects its members to comply with the MMA Privacy Code of Conduct and has incorporated the code into relevant MMA guidelines, including the U.S. Consumer Best Practice guidelines.

Until the code can be enforced effectively by a third party enforcement organization, mobile marketers are expected to use evaluations of their practices to certify compliance with the code. [“After thinking about the marketing potential for several seconds, I hereby declare us “Compliance Certified!” Bob]

Is it: “Crooks make good cybercrime consultants?” or “Crooks want inside information on how cybercops find them?”

NZ teenage hacker charges dropped

Wednesday, July 16 2008 @ 05:36 AM EDT Contributed by: PrivacyNews

A New Zealand teenager who admitted to taking part in an international cyber-crime network has been discharged without a conviction. The charges against him related to a hack of a U.S. university in 2006. Police said the group hijacked more than one million computers and used them to take at least $20.4m (£10.3m) from private bank accounts. Owen Thor Walker, 18, was ordered to pay $10,000 (£5,000) in damages and hand over his computer-related assets. Police said they were interested in using his skills to fight cyber-crime.

Source - BBC

[From the article:

He did not take money from people's accounts, but he was paid nearly $31,000 (£15,500) for software he designed that gave the cyber-ring access to usernames, passwords and credit card details.

Judge Judith Potter dismissed the charges, relating to a 2006 attack on a computer system at a US university, saying a conviction could jeopardise a potentially bright career. [Why didn't they try this with Charles Manson? Ted Bundy? Bob]

... Mr Walker pleaded guilty to charges of accessing a computer for dishonest purposes, interfering with computer systems, possession of software for committing crime and accessing computer systems without authorisation, the New Zealand Press Association said. [Apparently these are so minor he can still qualify to be a “computer cop” Bob]

I think this explains(?) the case I was confused about yesterday.

July 15th, 2008

You Bought It, But You Don't Own It

Posted by Corynne McSherry

In a devastating blow to user rights, an Arizona federal court has ruled that consumers can be guilty of copyright infringement if they violate the end user license agreement ("EULA") that comes with the software--even where the so-called "violation" is specifically excluded from copyright liability. Why? Because those protections only apply if you own the software you buy--not if you license it. Stunningly, this means that "cheating" while playing a computer game can expose you to potentially huge statutory damages for copyright infringement.

As we noted back in May, Blizzard Entertainment, the company that makes the hugely popular massively multi-player online role-playing game World of Warcraft, sued Michael Donnelly, the developer of Glider, a program that helps WoW users raise their character level to 70 by "playing" for the user. Blizzard said that because the license agreement forbids using Glider with WoW, Glider users are committing copyright infringement when they load copies of WoW into RAM in order to play the game, and Donnelly is illegally contributing to that infringement.

As Public Knowledge explained in its brief, Blizzard's theory confuses a copyright holder's intellectual property rights in the software it develops with a buyer's rights in the actual copy of the software. An owner of software has a right to copy it if that copy is essential to the customer's use of the software. (See Section 117 of the Copyright Act.) This rule helps balance the rights of the copyright holder to manage and benefit from its expressive work, and the rights of the public to use and build on that work.

It's not hacking, it's forensics!

Finding the name behind the gmail address

July 15th, 2008 by Aviram, Filed under: Web, Privacy, Full Disclosure, Google

Ever wondered what name is behind some obscure gmail address?

... Here’s a cute vulnerability in the gmail system that comes from the strong tie-ins between gmail, the google calendar and all the other services.

Everything you ever wanted to know about e-Discovery but were afraid to ask?

More “Must Read” 2008 Cases - Part One in a Three Part Series

This is the first of a three-part blog, and a follow-up to an earlier essay, Online Reference and Thirty One More e-Discovery Cases. In this and the next two blogs, I will add thirty new case summaries and analysis in alphabetical order.

For my website class - Free Flash Files and Tutorials

The site offers free flash files and tutorials as well. On the homepage you’ll find a collection of the latest free flash additions to the site; today’s selection includes a peeling sticker button, a calendar, a New Year’s greeting, and an XML music player among other things. Each item can be rated by the community at large, and each comes with a preview, review and short description. Beyond the homepage, there are three main sections (separated by navigational tabs) through which you can browse. Under resources you should be able to find links to flash resources, however the section hasn’t been completed yet. The tutorials section houses tutorials, of course, but like the other section, it has yet to be finished. You can browse the Gallery to find a range of flash files; filter your search by category, flash version, or sort by comments, date, ratings, etc. As the site is run by users, anyone can submit flash elements of their own making.