Saturday, July 26, 2008

“There are some things man was not meant to know.” (The comments run from profound to hilarious)

San Francisco DA Discloses City's Passwords

Posted by Soulskill on Friday July 25, @06:59PM from the you-sure-showed-him dept. It's funny. Laugh. Security News

snydeq writes

"The office of San Francisco District Attorney Kamala Harris has made public close to 150 usernames and passwords used by various departments to connect to the city's VPN. The passwords were filed this week as Exhibit A in a court document arguing against a reduction in $5 million bail in the case against Terry Childs. Though they placed the passwords in the public record, city prosecutors do seem to think that they are sensitive. InfoWorld's Paul Venezia, who has been following the case closely, provides further analysis of the technical details in the city's case. 'By themselves, [the passwords] would not be enough to allow anyone to access the network via VPN,' Venezia writes, 'but the fact that the city entered them into evidence is quite shocking. At the very least, they'll have to shut down their VPN access for awhile until they've changed them all and modified the configurations of some large number of VPN clients.'"

Did they have an agreement with their vendor to cover the vendor's vendor?


Grady patients’ medical records stolen

Craig Schneider reports:

The FBI is investigating the theft of medical records of patients at Grady Memorial Hospital, officials said Friday.

Grady spokeswoman Denise Simpson provided few details on the thefts that were discovered late Thursday. She said it remains unknown how many patient records were stolen, which patients were affected or how the records were stolen.

Grady officials do not at this point believe the records contained patients’ Social Security numbers or financial information such as credit card numbers, but Simpson emphasized that investigators are only starting their inquiry.

Simpson did not identify either the vendor or subcontractor.

Full story - AJC

[From the article:

The records pertained to recorded physician comments that Grady sent to a vendor to transcribe into medical notes. The records were stolen from a subcontractor employed by the vendor. [Fourth Party? Bob]

... Grady officials do not at this point believe the records contained patients' Social Security numbers or financial information such as credit card numbers, but Simpson emphasized that investigators are only starting their inquiry. [They had to include some form of identification to match the “notes” to the patients. Bob]

Hackers Breach Connecticut College Library System

Saturday, July 26 2008 @ 06:29 AM EDT Contributed by: PrivacyNews

A Connecticut College library system was breached by hackers apparently looking to set up chat rooms or send spam e-mails, the school reported Friday.

The hackers broke into two servers holding data for a consortium of Connecticut College, Wesleyan University and Trinity College. The servers are located at the consortium's headquarters at Wesleyan.

The database includes the names, addresses and Social Security or driver's license numbers of approximately 2,800 Connecticut College library patrons, 12 Wesleyan University patrons and three from Trinity.

Source -

Follow-up: Copycats or “vast criminal conspiracy?”


Kelsey-Seybold Clinic patients in second breach or one multi-year breach?

Bob Dunn had an eyebrow-raising story on earlier this week. The story concerned recent grand jury indictments of 38 people involved in stealing identities to use for a payday loan scheme.

... This is not the first report implicating Kelsey-Seybold Clinic. In March 2008, a story in the Houston Chronicle (archived copy here) reported that Kelsey-Seybold insurance analyst Kretia Lutriel Griffin had been sent to prison for her role in stealing patient information of 200 patients between October 2005 and March 2007.

Another ID Thief sentenced

NJ: Teen ringleader gets 5 years for skimming data from credit cards

Saturday, July 26 2008 @ 08:04 AM EDT Contributed by: PrivacyNews

Using technology to steal credit-card numbers may seem like a well thought out plan to an older generation, defense attorney John Zarych said Friday. But to teens, "They're playing around. It's like a computer game."

But Zarych's client found out it's no joke. Vimal Patel, 19, was sentenced to five years in prison Friday for obtaining skimmers - handheld devices that can copy all the information from a credit card - and giving them out to friends to use at their jobs. One worked at Resorts Atlantic City and another at Dunkin' Donuts. At least 150 people had their information stolen.

Source -

[From the article:

"A credit-card offense, to us, seems to be very well planned," Zarych said. "But these kids think of something and, in an hour, it's done. [Yes, we call that Insta-Hacking Bob]

"They don't take it seriously."

Sanctions may take the form of a strongly worded letter -- “Gee, we wish you hadn't done that.” But this is a strategic move to increase the FCC's power.

Hammer drops at last: FCC opposes Comcast P2P throttling

By Nate Anderson Published: July 25, 2008 - 09:13PM CT

Once FCC Chair Kevin Martin announced his support for sanctions against Comcast, penalties looked inevitable. The two Democrats on the Commission, long supportive of network neutrality, seemed set to vote along with Martin and punish Comcast for its P2P "delaying" techniques; late this afternoon at FCC headquarters, they did, and a majority has now spoken.

The Wall Street Journal reports tonight that commissioners Copps, Adelstein, and Martin have decided against the cable giant, paving the way for an official vote when the order is publicly voted on next Friday. US ISPs, take note: the FCC has just used its 2005 Internet Policy Statement to draw a line in the sand. Step across it at your peril.

Related? Proactive or over-active? Are Blogs really e-SuggestionBoxes?

Comcast Is Reading Your Blog

Posted by CmdrTaco on Saturday July 26, @09:30AM from the they-want-to-know-about-your-cats dept. The Internet

Paolo writes

"A Washington student got a bit of a shock when he received an email from internet service provider Comcast about comments he had made on his blog. Brandon Dilbeck, a student at the University of Washington, writes a blog and used it to complain about the service he was getting from Comcast. Shortly afterwards he got an email message from Comcast apologizing for the problems and suggesting he might look at a guide it had posted on its web site. Lyza Gardner, a vice president at a Web development company in Portland used Twitter to complain about the company and was surprised to be contacted directly. Comcast is now monitoring blogs as a way of improving its image among customers. The company was ranked at the bottom of the most recent American Customer Satisfaction Index."

No wonder things get lost... Giga-Google?

Google URL Index Hits 1 Trillion

Posted by Soulskill on Saturday July 26, @12:03AM from the orders-of-magnitude dept.

mytrip points out news that Google's index of unique URLs has reached a milestone: one trillion. Google's blog provides some more information, noting,

"The first Google index in 1998 already had 26 million pages, and by 2000 the Google index reached the one billion mark. Over the last eight years, we've seen a lot of big numbers about how much content is really out there. To keep up with this volume of information, our systems have come a long way since the first set of web data Google processed to answer queries. Back then, we did everything in batches: one workstation could compute the PageRank graph on 26 million pages in a couple of hours, and that set of pages would be used as Google's index for a fixed period of time. Today, Google downloads the web continuously, collecting updated page information and re-processing the entire web-link graph several times per day."

How big is too big? If you index 99% of the Internet are you automatically a Monopoly?

July 25, 2008 3:42 PM PDT

Google explains: We're not a monopoly, not by a long shot

Posted by Charles Cooper

... But Google obviously doesn't agree that size and market dominance pose even remote antitrust parallels with IBM in the 1960s or Microsoft in the 1990s. The chief reason: the markets in question are very different. Earlier Friday, Google's general counsel, Kent Walker, and Dana Wagner, the U.S. competition counsel, got on the phone to explain why.

"The nature of the Internet is just a fundamentally different world from the sale of packaged software or the bundling of software with OEMs (original equipment manufacturers)," said Walker, "The standard line we have is that competition is just one click away,"

Walker offered what he called both a "structural" answer as well as the "behavioral" answer.

Listen now: [Note: the interview is sliced into sub-topics. Listen to them all or see the article for specifics... Bob]

For those who should back up but never seem to remember. (Hacker note: If we could suppress the “You've been backed up” message, this could be used to automatically steal data.) - Back Up Before It's Too Late

If you are thinking of backing up your data, but can’t find a secure server to do so in, then you should take a look at Once you become a paying customer [$5 per month for “Unlimited Storage” Bob] of the site, you will be able to back up your computer’s information onto their server. This means that, no matter what happens to your computer (or maybe your whole office, in case of a natural disaster) you will be able to recuperate all of your data. The How It Works section has detailed information on how the back up process takes place. All of your information will be backed up to a secure facility, so you don’t need to worry about it being in harm’s way.

How to abandon your customers. Perhaps they will sell you the DRM codes you need? QUESTION: Is there a parallel to this in the non-digital world or can it only happen there?

Yahoo: Burn Your DRMed Tracks to CD Now

Jeremy Kirk, IDG News Service Friday, July 25, 2008 4:10 AM PDT

Yahoo has become the latest company to abandon customers who bought tracks from its music store encoded with DRM (digital rights management), drawing fire from the Electronic Frontier Foundation (EFF).

(Read PC World blogger Erik Larkin's take on today's news.)

On Sept. 30, Yahoo will shut down the servers that are needed to reauthorize music purchased from its failed Unlimited Music Store if it is transferred to a new PC, Yahoo said in an e-mail to customers. The rule is designed to slow music piracy. Re-authorization is also needed if someone upgrades their PC's operating system.

The only workaround for customers wanting to listen to their music on a new or upgraded computer after this date is to burn the tracks to a CD and then reload them on a PC.

NASA gets big money to look for aliens, but only on the US-Mexico border...

NASA Opens Space Image Library

Posted by Soulskill on Saturday July 26, @05:13AM from the pretty-pictures dept. NASA Space

slatterz writes with an excerpt from a brief PC Authority article:

"Nasa is to make its huge collection of historic photographs, film and video available to the public for the first time. A partnership with the non-profit Internet Archive will see 21 major Nasa imagery collections merged into a single searchable online resource. The Nasa Images website is expected to go live this week. The content of the site covers all the diverse activities of America's space programme, including imagery from the Apollo missions, Hubble Space Telescope views of the universe and experimental aircraft past and present."

The site is working already, and it looks fantastic. Don't hesitate to share any interesting pictures or movies you find.

Humor: Doing things right v. doing the right things

Friday, July 25, 2008

There is no reason why a programmer should have live data.

FL: Loss Of HCC Worker's Laptop Spurs ID Theft Warning

Thursday, July 24 2008 @ 02:53 PM EDT Contributed by: PrivacyNews

Hillsborough Community College warned its roughly 2,000 employees on Wednesday to monitor their bank accounts because an HCC programmer's laptop was stolen from a hotel parking lot in Georgia.

The college also is looking into acquiring technology that will allow workers to remotely locate laptops and to encrypt computers or disks.

Source - Tampa Tribune

[From the article:

There was no intentional negligence on this programmer's part that requires discipline, Carl said. [Agreed, but let's fire the manager who gave her the data Bob]

PR apologists take note!

WI: MPTC warns of data breach

Thursday, July 24 2008 @ 03:03 PM EDT Contributed by: PrivacyNews

Moraine Park Technical College, with campuses in Beaver Dam, Fond du Lac and West Bend, sent a letter to its bookstore customers on Tuesday notifying them of an incident that occurred when the equipment hosting the system provided by the bookstore software provider experienced a security breach. [Interesting phrasing. Probably their equipment, (no indication otherwise) but by adding the reference to the software provider they shift some of the blame. Bob]

According to Moraine Park President Gayle Hytrek, the information affects only those customers who purchased books and supplies between 2002 and July 2006.

Source - WiscNews

The “give as few details as possible” approach. Bloggers will speculate that EVERYONE (all native Alaskans plus employees and their families) was compromised. All of these people will call Sealaska and demand to know if they are included in the breach. Details will eventually come out. Is this a viable strategy?

AK: Sealaska arranges for credit protection after data stolen

Thursday, July 24 2008 @ 03:17 PM EDT Contributed by: PrivacyNews

Sealaska Corp. arranged credit protection service for its shareholders after company data was stolen from one of its employees.

Sealaska declined to provide details about the theft. Sealaska spokesman Todd Antioquia said he couldn't describe where, when or how the theft occurred, but he said it wasn't at Sealaska headquarters in Juneau.

Source -

Related: More details come out in response to victims' outrage?


Scope of Saint Mary’s database questioned (follow-up)

Jason Hildago reports:

The fallout continued Thursday from the announcement by Saint Mary’s Regional Medical Center of a potential database intrusion that might have exposed the personal information of thousands of clients and patients.

Several recipients of the letters expressed concern about the nature of the database, including its size, about 128,000 records, and how their information was collected. Saint Mary’s officials said they were trying to determine if everyone affected was informed and the records were compiled properly.


Saint Mary’s officials said the database is “absolutely separate” from hospital medical records and that Palka was not added to the database as a result of an emergency room visit. Information for people, such as Palka and Pyne, likely was added through community screenings or workplace flu shots, said Gary Aldax, marketing manager for Saint Mary’s.

“They may have never even set foot in any of our facilities,” Aldax said. “Many companies contract with us to do health fairs and flu shots. Say, you were at Scolari’s during flu season to get a shot, you usually fill out a form and that gets added to the database.”

Full story -

Gee Willikers! We deal with crime all day, every day – but it never occurred to us that we might be victims!

UK: Ministry of Justice loses 45,000 records

Friday, July 25 2008 @ 06:04 AM EDT Contributed by: PrivacyNews

The details of 45,000 people, including criminal records and banking and court information have been lost or compromised in the past year by the Ministry of Justice (MoJ).

The MoJ has lost laptops, portable storage devices and papers containing information on recruits, offenders, court appellants and suppliers, the department's annual resource accounts have revealed.

The MoJ didn't notify more than 30,000 of the 45,016 affected by the data breaches, first when MoJ supplier records were compromised in June 2007 and then when the names, addresses, birth dates and alleged offences relating to 3,648 people were lost in November 2007.

Source -


Personal info for 20,000 found (update)

Friday, July 25 2008 @ 05:53 AM EDT Contributed by: PrivacyNews

Officials say a back up computer tape that could contain personal information for more than 20,000 people in the Chicago suburb of Tinley Park has been found.

Village manager Scott Niehaus said Thursday the tape that was lost in June was not tampered with. [Tapes do not record access. There is no way to know if it was read. Bob]

Source - Chicago Tribune

[From the article:

Officials say it's not clear how the backup tape, which could contain driver's license numbers, Social Security numbers and bank account information, was lost.

Niehaus says a Tinley Park resident found the tape in a parkway [Sounds like the tape was set on the roof of a car while the employee unlocked the door and then stayed there as he drove off. Bob] and threw it in the garbage, but then returned it to the village hall after hearing media reports and getting a letter. [This must be one of those trash cans that never get emptied? Bob]

I'm seeing more articles like this one that point out that bad (or no) security isn't sufficient.

Ca: School board broke privacy law in computer theft case: report (follow-up)

Friday, July 25 2008 @ 07:11 AM EDT Contributed by: PrivacyNews

The largest school board in Newfoundland and Labrador breached privacy legislation, according to a ruling made in the wake of computer thefts from the board's offices this winter.

Four laptops were stolen from the St. John's headquarters of the Eastern School District in February.

... In a report released Thursday, the information and privacy commissioner said the school board did not do enough to protect the information of its students.

Source -

[From the article:

The board breached the provincial Access to Information and Protection of Privacy Act, Ed Ring said, "by not having reasonable safeguards in place to protect personal information which then resulted in unauthorized disclosure of personal information."

Among other things, Ring found that security provisions on the laptop computers amounted only to passwords. [so, passwords are NOT reasonable safeguards. Told-ya-so! Bob]

Local, no comment

Fugitive spammer dead in apparent murder-suicide

Friday, July 25 2008 @ 05:51 AM EDT Contributed by: PrivacyNews

Convicted penny-stock spammer Eddie Davidson has died of a self-inflicted gunshot wound, apparently after killing his wife and three-year-old daughter in his hometown of Bennet, Colorado, the Department of Justice said Thursday.

Davidson had been a fugitive from the law since walking away from a federal minimum-security prison camp in Florence, Colorado on Sunday.

Source - Computerworld

Lots of juicy details...

Researchers could face legal risks for network snooping

Thursday, July 24 2008 @ 03:45 PM EDT Contributed by: PrivacyNews

A group of researchers from the University of Colorado and University of Washington could face both civil and criminal penalties for a research project in which they snooped on users of the Tor anonymous proxy network. Should federal prosecutors take interest in the project, the researchers could also face up to 5 years in jail for violating the Wiretap Act.

Source - Surveill@nce St@te

[From the article:

The team of two graduate students and three professors neither sought legal review of the project, nor ran it past the Human Subjects Committee at their university, putting them in a particularly dangerous position.

The academic paper, "Shining Light in Dark Places: Understanding the Tor Network" (pdf) was presented at the Privacy Enhancing Technologies Symposium yesterday, in Leuven, Belgium.

... In order to study Tor, the researchers set up their own 'exit node' server on the University of Colorado's high-speed network. For 4 days in December 2007, they logged and stored the first 150 bytes of each network packet that crossed their network, thus revealing what kind of traffic was crossing the network, and the remote websites that Tor users were visiting. While the authors do not state how many sessions they snooped on, they do state that their server carried over 700GB of data.

In a second part of the study, the researchers ran an 'entry node' to the network for 15 days, which allowed them to determine the source IP address of a large number of Tor users. They used this to learn which countries use Tor more heavily than others. Note that in this second part of the study, the researchers did not have access to the destination site information, nor were they able to observe the kinds of traffic going through their server.

The researchers found that HTTP (web traffic) was responsible for 58% of their servers' bandwidth. They also found that the BitTorrent file-sharing protocol, while accounting for only 3% of the number of connections, was responsible for over 40% of the overall bandwidth. They also observed that German users were responsible for over 30% of the requests through their server. [Huh! I wonder why? Bob]
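The classification step the study relies on, as an added example (not the researchers' code; the packets and the connection identifiers are constructed here): keep only the first 150 bytes of each packet, let the first packet seen on a connection label that connection, then compare each protocol's share of connections with its share of bytes. The lopsided BitTorrent result the article reports is exactly what this kind of tally produces when a few peers move many large packets.

```python
"""Prefix-only protocol classification and connection-vs-byte shares,
in the style of the Tor exit-node measurement described above.
Added illustration, not code from the paper; all traffic is constructed."""
from collections import defaultdict

PREFIX_LEN = 150  # bytes of payload retained per packet in the study

HTTP_STARTS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"HTTP/1.")
BT_HANDSHAKE = b"\x13BitTorrent protocol"  # pstrlen=19 followed by the protocol string


def classify(prefix):
    """Guess the application protocol from a packet's leading bytes.

    Only the retained prefix is examined, so a connection whose first packet
    carries no recognisable banner (or is already encrypted) lands in 'other'.
    """
    head = prefix[:PREFIX_LEN]
    if head.startswith(HTTP_STARTS):
        return "http"
    if head.startswith(BT_HANDSHAKE):
        return "bittorrent"
    if head[:2] == b"\x16\x03":          # TLS handshake record, any 1.x version
        return "tls"
    if head.startswith(b"SSH-"):
        return "ssh"
    return "other"


def summarize(packets):
    """packets: iterable of (conn_id, payload, wire_length) in arrival order.

    The first packet observed on a connection labels the whole connection,
    which is all a prefix-only capture permits. Returns {proto: (conns, bytes)}.
    """
    proto_of = {}
    conns = defaultdict(int)
    nbytes = defaultdict(int)
    for conn_id, payload, length in packets:
        if conn_id not in proto_of:
            proto_of[conn_id] = classify(payload)
            conns[proto_of[conn_id]] += 1
        nbytes[proto_of[conn_id]] += length
    return {p: (conns[p], nbytes[p]) for p in conns}


def shares(summary):
    """Percent of connections and percent of bytes per protocol, one decimal."""
    total_c = sum(c for c, _ in summary.values())
    total_b = sum(b for _, b in summary.values())
    return {p: (round(100.0 * c / total_c, 1), round(100.0 * b / total_b, 1))
            for p, (c, b) in summary.items()}


def sample_packets():
    """Constructed traffic: many short web fetches and a few long torrent peers."""
    pkts = []
    for i in range(97):                       # 97 HTTP connections, 2 packets each
        cid = "web%d" % i
        pkts.append((cid, b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n", 500))
        pkts.append((cid, b"", 500))          # continuation packet, no payload kept
    for i in range(3):                        # 3 BitTorrent peers, 50 packets each
        cid = "bt%d" % i
        # pstrlen + pstr + 8 reserved bytes + 20-byte info_hash + 20-byte peer_id = 68 bytes
        handshake = BT_HANDSHAKE + b"\x00" * 8 + b"\x11" * 20 + b"-TR2710-" + b"\x00" * 12
        pkts.append((cid, handshake, 68))
        for _ in range(49):                   # full-size 'piece' messages
            pkts.append((cid, b"\x00\x00\x40\x09\x07" + b"\x00" * 1455, 1460))
    return pkts


if __name__ == "__main__":
    for proto, (c_pct, b_pct) in sorted(shares(summarize(sample_packets())).items()):
        print("%-10s %5.1f%% of connections  %5.1f%% of bytes" % (proto, c_pct, b_pct))
```

On the constructed sample BitTorrent is 3% of connections and roughly 69% of bytes, the same shape as the study's 3% / 40% figure. The limitation is also visible: a peer whose first packet is encrypted, or a web connection that begins mid-stream, is labelled 'other', which is why prefix-only classification undercounts rather than overcounts.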

... Bauer said that the researchers "spoke informally with one lawyer, who told us that that area of the law is ill defined"; based on this, the researchers felt that it was "unnecessary to follow up with other lawyers."

The lawyer they spoke to was Professor Paul Ohm, who teaches at the University of Colorado Law School. Ohm has previously collaborated with two of the researchers on an earlier publication, which discussed the legal risks faced by academics engaged network monitoring research.

... During his presentation, Bauer revealed that the researchers did not seek the approval of their university's Institutional Review Board -- a body that reviews research projects that involve human subjects. He said that, "we were advised that it wasn't necessary," adding that the IRB review process is "used more in medical and psychology research at our university," and was not generally consulted in computer science projects.

[Paper on Institutional Review:

Well, that didn't take long!

July 25, 2008 5:01 AM PDT

University clears Tor snooping researchers of misconduct

Posted by Chris Soghoian

An internal review by University of Colorado officials has found that a controversial research project conducted by a team of computer scientists did not constitute research misconduct. University lawyers have also stated their belief that the team probably did not violate US wiretapping laws.

What is the sentencing formula? TJX paid a couple of bucks per victim.

OR: Medford woman receives 7½ years for identity theft

Friday, July 25 2008 @ 06:10 AM EDT Contributed by: PrivacyNews

A 36-year-old Medford woman was sentenced to seven and a half years in prison Wednesday for a series of identity thefts that damaged the credit of 33 people, police said.

Christina Lynn Harrison pleaded guilty in Jackson County Circuit Court to seven counts of identity theft, tampering with evidence, first-degree aggravated theft and unlawful use of a computer, [I'll have to look that one up. Bob] court records show.

... Harrison utilized methods such as stealing from cars and mailboxes to obtain her victims' sensitive information such as their Social Security and bank account numbers.

Source - Mail Tribune

[From the article:

Harrison, who is no stranger to prison after having served time in 2005 for identity theft, [i-Theft has a high recidivism rate. Bob] was described by Medford Detective Katie Ivens as a "one-person crime spree."

Harrison's stiff sentence was a pleasant surprise for Ivens, [Perhaps it was his birthday? Bob] who specializes in financial crimes.

... Harrison's conviction just happened to fall on the day before the Southern Oregon Financial Fraud and Security Team celebrated its 10-year anniversary.

This is a follow-up to an earlier post.

Recent Cert. Petition on Aggravated Identity Theft

Thursday, July 24 2008 @ 02:38 PM EDT Contributed by: PrivacyNews

On Tuesday, we filed this cert. petition in Flores-Figueroa v. United States. The petition asks the Court to resolve a 3-3 circuit split over the mens rea requirement of the federal “aggravated identity theft” statute, 18 U.S.C. § 1028A(a)(1). That statute provides a mandatory 2 year sentence upon anyone who, during and in relation to certain enumberated [Help me out readers, is this a simple typo or a legal term that I'm unfamiliar with? Bob] felonies, “knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person.” The question is whether the “knowingly” requirement extends through the entire clause, requiring the Government to show that the defendant knew that the identification he used belonged to another person. [Is the term “another person” defined such that “not the defendant” is specifically excluded? That seems (to this non-lawyer) to be the issue. Bob] The question arises frequently in immigration cases, when defendants acquire or make up false social security numbers having no idea whether the fabricated number belongs to another person or is simply invalid.

Source - SCOTUSBlog

[I find it amusing that they are also starting a Wiki: Bob]


New FISA Analysis

(Posted by mordaxus)

Vox Libertas, a blogger at the Daily Kos has written an analysis of the new US FISA law in his article, "I think I understand the FISA bill. Do I?"

Post hack, ergo propter hack? (I don't often get to make a pun in my pidgin Latin)

Hacked Oyster Card System Crashes Again

Posted by kdawson on Friday July 25, @09:54AM from the no-pearls-in-sight dept.

Barence sends along PcPro coverage of the second crash of London's Oyster card billing system in two weeks. Transport for London was forced to open the gates and allow free travel for all. "There is currently a technical problem with Oyster readers at London Underground stations which is affecting Oyster pay as you go cards only," explains the TfL website. This follows the first crash two weeks ago, which left 65,000 Oyster cards permanently corrupted. Speculation is increasing that the crashes may be related to the hacking of the Oyster card system by Dutch researchers from Radboud University, though TfL denies any link. Plans to publish details of the hack were briefly halted when the makers of the chip used in the system sued the group, although a judge ruled earlier this week that the researchers could go ahead. During the court action, details briefly leaked on website Wikileaks.

Not just for students!

July 24, 2008

New on - Review of Zotero

A Review of Zotero, the free, Firefox extension to assist in collecting, managing and citing research sources - Stacy Bruss focuses on specific and practical examples of using this flexible application to organize and manage current collections of resources as well as citations to documents, web sites, and blogs. — Published July 24, 2008

This is easy to disprove, just look at the source code. Oh, wait! Skype is not open source.

Speculation over back door in Skype

Thursday, July 24 2008 @ 03:48 PM EDT Contributed by: PrivacyNews

According to reports, there may be a back door built into Skype, which allows connections to be bugged. The company has declined to expressly deny the allegations. At a meeting with representatives of ISPs and the Austrian regulator on lawful interception of IP based services held on 25th June, high-ranking officials at the Austrian interior ministry revealed that it is not a problem for them to listen in on Skype conversations.

Source - Heise

The impact of this is in compatibility...

Forrester survey: Enterprises reject Vista like 'new Coke'

Fewer than one in 11 of the PCs being used in large or very large enterprises runs Windows Vista.

By Eric Lai, Computerworld July 24, 2008

Fewer than one in eleven of the PCs being used in large or very large enterprises runs Windows Vista , according to survey results released Wednesday by Forrester Research Inc.

Thursday, July 24, 2008

It's never too late to breach your privacy...

IL: Computer tapes with Social Security numbers lost

Thursday, July 24 2008 @ 06:04 AM EDT Contributed by: PrivacyNews

The AP reports that computer backup tapes containing Social Security numbers of about 19,000 residents and another 1,400 current, former or retired village employees of Tinley Park were lost while being transferred from the village hall to another site within the Chicago suburb on June 23. Some of the information on the tapes goes back 15 years.

Source - Chicago Tribune

Sounds like a perfect mess...


NV: Hospital warns of possible data leak

Saint Mary’s Regional Medical Center sent warning letters this month to about 128,000 patients and clients after a possible intrusion into a proprietary database.

The database, used for Saint Mary’s health education classes and wellness programs, [What reason would a “health class” have to access this data? Bob] contained personal information such as names and addresses, limited health information and some Social Security numbers. The database did not contain medical records or credit card information, said Gary Aldax, marketing manager for Saint Mary’s.

Full story -

[From the article:

The potential breach was discovered on April 28. Saint Mary's officials said they immediately shut down the database and launched an investigation. The delay in notifications occurred because the database had to be reconstructed, Aldax said. [Non sequitur? Shutdown does not destroy a database. Bob]

... Eighty-year-old Wilma Sheldon of Reno thought the letter she received -- dated July 15 -- was a scam when she first read it. [“What we've got here is a failure to communicate.” Bob] Sheldon said she became especially suspicious after she found out her daughter got a letter, too.

The last time her daughter had anything to do with Saint Mary's occurred when she got her tonsils removed about 40 years ago, Sheldon said. [It's never too late to breach your privacy... Bob] The letter has Sheldon seething.

... To prevent another potential breach, safeguards have been added to the database, said Mike Uboldi, Saint Mary's president and chief executive officer in a news release. [Indication that the database was not adequately secured before the incident (like we didn't know that already) Bob]

"Our first concern is for the continued privacy and well-being of our patients and customers." [Sure. Bob]

Has implications for “Homeland Security” as well...

Ca: Visa probes Pearson kiosks after reports of fraud

Thursday, July 24 2008 @ 06:26 AM EDT Contributed by: PrivacyNews

An investigation into a suspected security breach at Toronto airport self-service kiosks has caused at least one airline to suspend the use of credit card information as a check-in option.

A spokesperson for WestJet told that customers now have to use their reservation number if they want to bypass the line-up at the counter for a boarding pass.

Source - CTV

[From the article:

WestJet decided to take the step after a report surfaced in The Globe and Mail Wednesday that the financial community is investigating a number of frauds that occurred while people were using the self-service kiosks at Toronto Pearson International Airport.

"There's been no verified threat [Spin Alert: Fraud is not a “verified threat” Bob] to our guests' information, but we want to make sure we take a prudent course of action to protect their information," said WestJet's vice-president of operations, Ken McKenzie. "That's why we're doing this."

Perhaps Identity Theft is an addiction? (or too simple and profitable to resist?) “Hey, I got lawyer bills!”

Ca: Alleged fraudster rings up 30 new charges (follow-up)

Thursday, July 24 2008 @ 07:22 AM EDT Contributed by: PrivacyNews

A 26-year-old woman already linked by police to a massive credit card and identity fraud scheme in the city is facing 30 additional charges.

In early January, the woman was arrested following a routine traffic stop when she produced two pieces of false identification. A police investigation uncovered a pile of stolen personal information and a computer that contained more than 30,000 credit card files from across the country.

... When police checked in on the woman earlier this month, they found she was no longer living at her last known address. She was located and arrested three days ago, allegedly in possession of counterfeit gift cards and stolen personal information.

Source - Edmonton Journal

[From the article:

Police believe the woman was not acting alone but do not suspect the involvement of organized crime. [Disorganized crime... Bob] Some of the items recovered are believed to be stolen from mail boxes.

What is really going on?

Police Director Sues AOL For Critical Blogger's Name

Posted by samzenpus on Thursday July 24, @03:46AM from the tell-us-everything dept. Privacy

Pippin writes

"Memphis Police Director, Larry Godwin, is suing AOL for the names of the authors of the Enforcer 2.0 blog. The blog is rumored to be authored by a Memphis police officer, and is critical of the department, Godwin, and some procedures. Godwin is actually using taxpayer dollars for this and, interestingly, the complaint is sealed."

[From the article:

It wasn't clear if the lawsuit is aimed at shutting down the site or if it's part of an effort to stop leaks that might affect investigations. [Easy to see which side will argue which way... Bob]

... The bloggers also said city attorneys earlier this year wrote a threatening letter on city letterhead to a company that produced T-shirts for the bloggers. [Now, what was the legal argument behind that? Bob]

The latest “We can, therefore we must” kerfuffle... Sort of a “How Not To” for ISPs

Rogers Looks For New Ways To Annoy Customers, Hijacks Failed DNS Lookups

from the nobody-likes-anti-features dept

Rogers -- a Canadian telco -- has been attracting a lot of negative attention lately between deliberately disabling notifications for cellular roaming charges, setting ridiculous iPhone pricing plans and injecting its own content into Google's home page. As if that wasn't enough, Rogers has started hijacking failed DNS lookups. This means that when a user types in a web address that doesn't exist, instead of getting a "page not found" error, the user is redirected to a search page filled with banner ads and sponsored links. Michael Geist notes that there's an "opt-out" feature, but it doesn't take long to see that it's pretty pathetic. The "opt-out" sends a cookie which just redirects the user to a different Rogers page instead -- a fake "Internet Explorer" error page hosted on the same server. It does essentially the exact same thing, only pretending (poorly, for non-IE users) to revert back to expected behavior. And the option is reset whenever the browser's cookies are cleared. The comments on Geist's post are evidence that many Rogers customers are not pleased (myself included).

This isn't just annoying, it's also a security threat. It breaks how the internet was designed to work; a lot of software is written with the expectation that a DNS lookup for a non-existent domain name will return an error. For example, Kevin Dean notes in the comments on Geist's post how this has caused problems for him accessing his VPN. At first, he thought his computer had been compromised, since Rogers' new "feature" ends up resembling a hostile attempt to redirect traffic to an unknown server.

Some American ISPs already do this, such as Earthlink (which was used to demonstrate the security risk), though it seems to have a slightly better opt-out process, instructing users to configure alternate DNS servers instead of setting a browser cookie. VeriSign had originally tried to do something similar with SiteFinder back in 2003 (though not at the ISP level), but it didn't exactly go over too well. VeriSign reluctantly backed off, though it just recently obtained a patent on the concept. Rogers is the first Canadian ISP to implement the practice and it seems to think it won't meet much resistance. In another comment on Geist's post, Ian relates a telling quote from the FAQs page for Paxfire (the American company handling this for Rogers): "What feedback you do receive typically will come from a small group of highly technical users. Even that feedback tends to fall away after just a few weeks -- as they get used to the new behavior."

Rogers thinks it can just brush off complaints from its users, especially since there really isn't a lot of choice in the Canadian ISP market. However, Rogers should be careful in treading so brazenly into what some consider "net neutrality" territory. Bell Canada (one of Rogers' few competitors) has landed itself in front of a national regulatory body over its throttling practices. Rogers wants to have complete control over its network, but by continually pushing the line they only spur on the debate about net neutrality and government regulation. We haven't heard the last of this.
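The VPN problem Kevin Dean describes is the general symptom: software that expects NXDOMAIN gets an address instead. The check below is an added example (not code from Techdirt, Geist's post or Rogers) of how a practitioner can tell whether a resolver is synthesising answers; the control name, the `.invalid` probe suffix and the two fake resolvers are assumptions constructed for illustration.

```python
"""Check a resolver for NXDOMAIN hijacking of the kind described above."""
import secrets
import socket
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[List[str]]]

# Assumptions for this example: a control name that must resolve on a working
# resolver, and a suffix that must never resolve (RFC 2606 reserves .invalid).
CONTROL_NAME = "www.example.com"
PROBE_SUFFIX = "invalid"


def system_resolve(name: str) -> Optional[List[str]]:
    """Resolve with the OS resolver; None means the name did not resolve."""
    try:
        return sorted(socket.gethostbyname_ex(name)[2])
    except socket.gaierror:
        return None


def random_probe_names(count: int = 5, suffix: str = PROBE_SUFFIX) -> List[str]:
    """Random labels nobody could have registered, so any answer is synthetic."""
    return [f"{secrets.token_hex(8)}.{suffix}" for _ in range(count)]


def classify(results: Dict[str, Optional[List[str]]], control_ok: bool) -> dict:
    """Turn probe answers into a verdict.

    resolver-unavailable : the control name did not resolve, so no conclusion
    clean                : every probe came back NXDOMAIN
    hijacked             : every probe resolved, all to the same address set
    inconsistent         : some probes resolved, or to differing addresses
    """
    if not control_ok:
        return {"verdict": "resolver-unavailable", "synthetic_ips": []}
    answered = {n: ips for n, ips in results.items() if ips}
    if not answered:
        return {"verdict": "clean", "synthetic_ips": []}
    ip_sets = {tuple(ips) for ips in answered.values()}
    if len(answered) == len(results) and len(ip_sets) == 1:
        return {"verdict": "hijacked", "synthetic_ips": list(ip_sets.pop())}
    all_ips = sorted({ip for s in ip_sets for ip in s})
    return {"verdict": "inconsistent", "synthetic_ips": all_ips}


def detect_nxdomain_hijack(resolve: Resolver = system_resolve,
                           probes: Optional[List[str]] = None,
                           control: str = CONTROL_NAME) -> dict:
    """Run the control query, then the probes, through `resolve`."""
    control_ok = bool(resolve(control))
    probes = probes or random_probe_names()
    return classify({name: resolve(name) for name in probes}, control_ok)


# Constructed stand-ins for the two resolver behaviours, so the check can be
# exercised without a network. A real run passes system_resolve (the default).
def honest_resolver(name: str) -> Optional[List[str]]:
    return ["192.0.2.1"] if name == CONTROL_NAME else None


def hijacking_resolver(name: str) -> Optional[List[str]]:
    # Every nonexistent name is answered with the ISP's ad/search server.
    return ["192.0.2.1"] if name == CONTROL_NAME else ["203.0.113.10"]


if __name__ == "__main__":
    print("honest   :", detect_nxdomain_hijack(honest_resolver))
    print("hijacking:", detect_nxdomain_hijack(hijacking_resolver))
    print("this host:", detect_nxdomain_hijack())
```

An "inconsistent" verdict (only some probes answered, or differing addresses) is the case to look at by hand, since a redirector that rotates addresses will land there rather than in "hijacked".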

This is interesting, given “the long tail.” Think it will ever catch on?

How About Five Year Renewable Copyrights With A Use-It-Or-Lose-It Clause?

from the different-ideas dept

Over the years, we've seen numerous ideas and recommendations for ways to fix copyright, and a popular one is getting rid of the automatic creation of copyright on new works, requiring individuals to actually register that work -- often combined with a shorter time limit on copyrights that would have a renewal option. Larry Lessig has long supported such a system. The thinking is that this still lets those big companies who want to hoard their copyrights forever do so, but opens up plenty of other orphaned content that is locked down just because Disney doesn't want to lose the copyright on Mickey Mouse. Benjamin Krueger points us to Andrew Dubber's recent proposal of switching to a five-year renewable copyright plan, that also includes a use-it-or-lose it clause. Basically, copyright holders who want to retain their copyright can do so, but they have to renew the registration once every five years. And, during those five years, the content has to be available commercially one way or another. This way, if content is being neglected, ignored, abandoned or orphaned, it makes its way into the public domain in short order, where perhaps others can make it more useful. This would seem to fit much more closely with the original purpose of copyright law, though (as per usual), I'm sure there will be many complaints from copyright holders about how such a system would destroy their rights. When reading through those, though, note that they never seem very concerned with the rights of the public either.

This sounds very similar to the Wiki my security class is designing.

July 23, 2008

Google Launches Online Topical Knowledge Resource

Official Google Blog: "A few months ago we announced that we were testing a new product called Knol. Knols are authoritative articles about specific topics, written by people who know about those subjects. Today, we're making Knol available to everyone.

The web contains vast amounts of information, but not everything worth knowing is on the web. An enormous amount of information resides in people's heads: millions of people know useful things and billions more could benefit from that knowledge. Knol will encourage these people to contribute their knowledge online and make it accessible to everyone.

The key principle behind Knol is authorship. Every knol will have an author (or group of authors) who put their name behind their content. It's their knol, their voice, their opinion. We expect that there will be multiple knols on the same subject, and we think that is good."

Bill (Squeeze 'em for every penny) Gates must be dumping his shares...

Microsoft Drops Player Fees On Games For Windows Live

The service is cross-compatible with Microsoft's Xbox Live network, which lets Xbox 360 owners play games against each other online.

By Paul McDougall InformationWeek July 23, 2008 02:36 PM

Microsoft said late Tuesday that it will no longer charge a fee for PC game players who wish to connect with each other over the company's Games For Windows Live online service.

Games For Windows Live is "now offering completely free online multiplayer" service, Microsoft said in a statement posted on the service's Web site. The company previously charged a monthly fee of $7.99. However, the emergence of several free online gaming services may have prompted Microsoft to drop the monthly charge. [This can't be the entire reason Bob]

For your security manager...

Researchers Create Highly Predictive Blacklists

Posted by samzenpus on Wednesday July 23, @10:32PM from the evil-detector dept. Security The Internet IT

Grablets writes

"Using a link analysis algorithm similar to Google PageRank, researchers at the SANS Institute and SRI International have created a new Internet network defense service that rethinks the way network blacklists are formulated and distributed. The service, called Highly Predictive Blacklisting, exploits the relationships between networks that have been attacked by similar Internet sources as a means for predicting which attack sources are likely to attack which networks in the future. A free experimental version is currently available."
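As an added example (not the SANS/SRI implementation), the snippet below shows the core idea in the description above in a deliberately simplified form: rank sources a network has not yet seen by how much they hit other networks whose attacker profile overlaps its own. The report feed, network names and Jaccard weighting are assumptions constructed for illustration.

```python
"""Toy collaborative blacklist: rank attack sources for one network from what
similar networks have reported. Simplified scheme in the spirit of the
'Highly Predictive Blacklisting' description; not SANS/SRI's algorithm."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample: (reporting network, attacking source) pairs, as an
# aggregated firewall-log feed might yield.
SAMPLE_REPORTS = [
    ("net-A", "198.51.100.7"), ("net-A", "198.51.100.9"), ("net-A", "203.0.113.4"),
    ("net-B", "198.51.100.7"), ("net-B", "198.51.100.9"), ("net-B", "203.0.113.8"),
    ("net-C", "192.0.2.20"),   ("net-C", "192.0.2.21"),
    ("net-D", "198.51.100.7"), ("net-D", "203.0.113.8"), ("net-D", "192.0.2.20"),
]


def build_index(reports: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """victim network -> set of sources that hit it."""
    seen = defaultdict(set)
    for victim, source in reports:
        seen[victim].add(source)
    return dict(seen)


def similarity(a: Set[str], b: Set[str]) -> float:
    """Jaccard overlap of two victims' attacker sets (0..1)."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


def predict_blacklist(reports: List[Tuple[str, str]], target: str,
                      top_n: int = 10) -> List[Tuple[str, float]]:
    """Score sources the target has NOT yet seen: each other network votes
    for its attackers with weight equal to its overlap with the target."""
    seen = build_index(reports)
    mine = seen.get(target, set())
    scores: Dict[str, float] = defaultdict(float)
    for other, theirs in seen.items():
        if other == target:
            continue
        w = similarity(mine, theirs)
        if w == 0.0:
            continue  # no shared attackers: this network tells us nothing
        for src in theirs - mine:
            scores[src] += w
    # highest score first; ties broken by address so output is stable
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:top_n]


if __name__ == "__main__":
    for net in ("net-A", "net-C"):
        print(net, predict_blacklist(SAMPLE_REPORTS, net))
```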

Ditto (Long winded)

July 23, 2008 5:15 PM PDT

Pairing your cell with Bluetooth? Buyer beware

Posted by Elinor Mills

... Security experts discussed the risks to Bluetooth users at the Last HOPE (Hackers on Planet Earth) conference in New York last weekend, warning people to change the default password, turn off the headsets when not in use, and limit access to the data when communicating with other devices.

... On Wednesday, the U.S. CERT (Computer Emergency Readiness Team) decided the Bluetooth security risk was serious enough to publish a security advisory about it.

Related? For all you cell phone addicts... Lawyers: Consider this an early Potential Class Action Alert! (or as we non-lawyers see it: Chum in the water.)

Jul 24, 7:13 AM EDT

Pittsburgh cancer center warns of cell phone risks

By JENNIFER C. YATES and SETH BORENSTEIN Associated Press Writers

PITTSBURGH (AP) -- The head of a prominent cancer research institute issued an unprecedented warning to his faculty and staff Wednesday: Limit cell phone use because of the possible risk of cancer.

Tools & Techniques: Phone Hacks (and another example of Kevin Mitnick cashing in...)

July 23, 2008 6:25 PM PDT

Hacking Caller ID: unblocking blocked phone numbers

Posted by Michael Horowitz

Lawyers use Macs?

Mac Wares for the Jurisprudence Crowd

By Erika Morphy MacNewsWorld Part of the ECT News Network 07/24/08 4:00 AM PT

"The Jury Loved My iBook" is how Peter Zavaletta begins his testimonial on MacLaw Online. A personal injury and medical malpractice attorney in Brownsville, Texas, Zavaletta attributes his victory in an obstetrical negligence case in part to his array of Mac tools.

Which is cheaper, Traffic tickets or tools to avoid traffic tickets? (Don't even consider obeying the law?)

Website claims to help drivers avoid speed traps

Wed Jul 23, 2008 3:46pm EDT

NEW YORK (Reuters) - Drivers in most of the United States and some of the UK can find out where the police speed traps and so-called red-light cameras are on the Internet -- for free.

But, U.S. drivers can also download that information to their car's GPS system for a fee.

... Atkinson, whose full time job is as a systems engineer, set up the website ( last summer. Most of the information on the speed traps is user generated, [The Internet version of flashing headlights? Bob] and gathered anonymously, he said.

Cloud Security

Is Web 2.0 Security's Achilles Heel?

By Doug Camplejohn TechNewsWorld 07/24/08 4:00 AM PT

Evolving Web 2.0 technologies -- wikis, blogs, social networking sites, etc. -- have resulted in a mashup of content sources that makes it very difficult to definitively determine the trust level of a particular site, writes Mi5 Networks CEO Doug Camplejohn. Standing up to security threats in such an environment requires a multilayer defense strategy.

... Only 15 percent of organizations are performing the deeper inspection and blocking on Web traffic necessary to protect their employees, according to Gartner.

Should we expect Amazon's Kindle to follow?

Jul 24, 1:19 AM EDT

Sony opens up e-book Reader to other booksellers

By PETER SVENSSON AP Technology Writer

NEW YORK (AP) -- With the market for electronic books still relatively sleepy, Sony Corp. is trying a new tack: untethering the latest model of its e-book reading device from its own online bookstore.

On Thursday, Sony will provide a software update to the Reader, a thin slab with a 6-inch screen, so the device can display books encoded in a format being adopted by several large publishers. That means Reader owners will be able to buy electronic books from stores other than Sony's.

Wednesday, July 23, 2008

I was unable to tell from the article if there was a third party (storage provider) involved, but experience suggests that if there were, they would have been blamed for the “error.” They did blame the government for requiring offsite backup. They made no mention of encryption.


UK: Littleborough surgery’s patient records stolen

Thousands of patient records [on a backup tape Bob] have been stolen while they were in storage at an unknown location in the Rochdale area.

The data, belonging to 3,500 patients from Trinity Medical Centre on Winton Street in Littleborough, was taken during a burglary on 12 July.

The stolen records contained personal details and full medical history of patients, which includes names and address and dates of birth of patients.

Full story - Rochdale Online

[From the article:

A spokesman for the Heywood, Middleton and Rochdale Primary Care Trust said that this was an isolated incident and they have written to the patients affected to say that it would be 'extremely difficult' for anyone to access the patient records without a password and login details. [One does not “logon” to a reel of tape. Bob]

... "Following consultation with the IT system suppliers, we believe that it would be extremely difficult for anyone to access or use data. [Translation: You would need a tape drive. Bob]

I think I'll try to have one of my students write a paper on the process used to detect access to a computer. As far as I know, you can't make a statement like this with any certainty.

Stolen Indiana State laptop returned to professor

Tuesday, July 22 2008 @ 04:11 PM EDT Contributed by: PrivacyNews

Indiana State University officials say a computer stolen from a professor has been returned and none of its personal student information was accessed.

School spokesman Dave Taylor said Tuesday the laptop computer was mailed anonymously to the professor, who received it Friday, six days after it was stolen along with other personal items.

Source - WLFI

At last we get some details...

San Francisco's mayor gets back keys to the network

IT administrator Terry Childs is in jail for previously refusing to hand over the admin passwords to the city's multimillion dollar WAN

By Robert McMillan and Paul Venezia, IDG News Service July 23, 2008

... Childs' attorney has asked the judge to reduce Childs' $5 million bail bond, describing her client as a man who felt himself surrounded by incompetents and supervised by a manager who he felt was undermining his work.

"None of the persons who requested the password information from Mr. Childs ... were qualified to have it," she said in a court filing. [Not an actual detail, but amusing and he may have a point (see below) Bob]

... He also found that Childs had configured several of the Cisco devices with a command that would erase critical configuration data in the event that anyone tried to restore administrative access to the devices, [a Cisco feature Bob] something Ramsey saw as dangerous because no backup configuration files could be found. [Unforgivable (and impossible if management was doing its job) Bob]

... But without access to either Childs' passwords or the backup configuration files, administrators would have to essentially re-configure their entire network, an error-prone and time-consuming possibility, Chase said. "It's basically like playing 3D chess," he said. "In that situation, you're stuck interviewing everybody at every site getting anecdotal stories of who's connected to what. And then you're guaranteed to miss something." [This goes beyond missing backups to a complete lack of documentation! Bob]

Government has a duty... At least Europe agrees with me. Perhaps we (the US) will get to this point in twenty or thirty years...

Data blunders can breach human rights, rules ECHR

OUT-LAW News, 22/07/2008

The European Court of Human Rights has ordered the Finnish government to pay out €34,000 because it failed to protect a citizen's personal data. One data protection expert said that the case creates a vital link between data security and human rights.

The Court made its ruling based on Article 8 of the European Convention on Human Rights, which guarantees every citizen the right to a private life. It said that it was uncontested that the confidentiality of medical records is a vital component of a private life.

... The woman in the case did not have to show a wilful publishing or release of data, it said. A failure to keep it secure was enough to breach the Convention. [Or as that eminent Philosopher Forrest Gump said, “Stupid is as stupid does” Bob]

A Finnish woman worked in an eye clinic where she also received treatment, having been diagnosed as having AIDS.

The woman began to suspect that news of her disease had spread to other employees and asked to be shown who had accessed her medical records and when. The health authorities only kept a note of the last five people to have accessed a record.

... The Court recognised that the Finnish courts did not find in I's favour because she could not prove that her record had been misused, but said that "to place such a burden of proof on the applicant is to overlook the acknowledged deficiencies in the hospital’s record keeping at the material time." [YES! Bob]

"It is plain that had the hospital provided a greater control over access to health records … the applicant would have been placed in a less disadvantaged position before the domestic courts," the Court said. "For [this] Court, what is decisive is that the records system in place in the hospital was clearly not in accordance with the legal requirements."

Related? Do banks have a duty? NOTE: This study is based on data from 2006. This is ancient history, but I suspect some of the problems noted will have never been repaired or have been reintroduced.

U of M Study: Most Bank Web Sites Flawed

Tuesday, July 22 2008 @ 11:17 AM EDT Contributed by: PrivacyNews

A new University of Michigan study finds that more than 75 percent of bank websites had at least one design flaw that could make customers vulnerable to cyber crooks.

Atul Prakash, a professor in the Department of Electrical Engineering and Computer Science, along with a pair of doctoral students, examined the Web sites of 214 financial institutions in 2006.

Source - WWJ

Interesting because Fifth Third also handled TJX card processing...

Bank Back On Hook For Data Theft At BJ's Wholesale

Tuesday, July 22 2008 @ 11:12 AM EDT Contributed by: PrivacyNews

An appeals court reversed a lower court ruling absolving Fifth Third Bancorp from paying damages associated with replacing credit cards.

Source - InformationWeek

[From the article:

Fifth Third provided credit card processing services to BJ's. In its initial complaint, PSECU argued that Fifth Third bore some liability for the data breach because it failed to properly train the retailer's staff in proper security procedures.

... At one point, the case involved IBM. BJ's Wholesale sought to recover some of its losses from the computing giant, claiming that when it upgraded card-processing software, it told IBM to deactivate a feature that retains magnetic strip data so that a transaction can be processed offline. [First mention of this. I guess they didn't bother to check before they approved the upgrade... Bob] It's that data that was hacked.

Amusing article, but I can make up excuses too:

...because he's not second-class trash, that's why

...because he approves our budget

...because we aren't supposed to have that video

...because we might look dumb

City still refusing to release McIver arrest video

03:23 PM PDT on Wednesday, July 16, 2008


SEATTLE - Once again, the City of Seattle is refusing to release a video that recorded the arrest of a current city councilmember. In one month, the City of Seattle has given KING5 News no less than four different explanations why it will not release the video. The reasons range from privacy concerns to the video was nowhere to be found.

But, it's for the children!

Spy cameras in students’ homes?

Tuesday, July 22 2008 @ 11:58 AM EDT Contributed by: PrivacyNews

Tucked away in a 1,200-page bill now in Congress is a small paragraph that could lead distance-education institutions to require spy cameras in their students’ homes, [Overstating it a bit, but the article points out a few potential problems Bob] writes Andrea L. Foster in Chronicle of Higher Education.

It sounds Orwellian, she says, “but the paragraph - part of legislation renewing the Higher Education Act - is all but assured of becoming law by the fall” and, “No one in Congress objects to it.”

Source -

[From the article:

The paragraph is actually about clamping down on cheating, says New Systems Keep a Close Eye on Online Students at Home.

It says an institution offering an online program, “must prove that an enrolled student is the same person who does the work” and, “Already, the language is spurring some colleges to try technologies that authenticate online test takers by reading their fingerprints, watching them via Web cameras, or recording their keystrokes. Some colleges claim there are advantages for students: The devices allow them to take tests anytime, anywhere.”

... But some college officials are wary of the technologies, noting that they are run by third-party vendors that may not safeguard students’ privacy. Among the information the vendors collect are students’ fingerprints, and possibly even images from inside their homes.

Related? How long should you argue that a poorly written law is okay?

COPA Suffers Yet Another Court Defeat

Posted by kdawson on Tuesday July 22, @05:41PM from the let-it-die-already dept.

A US federal appeals court today struck down COPA, the Child Online Protection Act, a Clinton-era censorship law that the Justice Department has been struggling to get implemented for a decade. (The ACLU filed suit as soon as COPA was signed in 1998 and won an immediate injunction.) The battle has made it to the Supreme Court twice, and the DoJ has essentially never gotten any satisfaction out of the courts. This was the case for which the DoJ famously went trolling for search histories. In the ruling issued today, the 3rd US Circuit Court of Appeals upheld a lower-court ruling that COPA violates the First Amendment because it is not the most effective way to keep children from visiting adult Web sites. [The court cares about effectiveness? I gotta read this one... Bob] The law would require sites to check visitors' ages, e.g. by taking a credit card, if the site contained any material that is "harmful to minors," whatever that means.

Related Links to the ruling...

July 22, 2008

CDT Applauds Appeals Court Ruling In COPA Case

"The 3rd U.S. Circuit Court of Appeals today upheld a lower court ruling striking down the controversial Child Online Protection Act (COPA) that required Web operators to restrict access to large amounts of constitutionally protected speech. COPA placed severe restrictions on a wide range of legal, socially valuable speech, including content relating to sexual identity, health and art. CDT, which has filed friend-of-the-court briefs opposing COPA and supporting parental empowerment technology, applauds the ruling." July 22, 2008.

Related? Will all this activity result in more poorly crafted “technology” law?

ISP Justifies, But Doesn't Explain Secret Customer Eavesdropping

Wednesday, July 23 2008 @ 05:32 AM EDT Contributed by: PrivacyNews

Just last week, a trio of powerful federal lawmakers asked the large ISP Embarq to answer questions about the company's secret testing of technology that spied on its customers' web habits in order to serve them targeted advertisements.

... Most of the letter consisted of Embarq -- an ISP -- trying to convince the lawmakers that total online awareness of its paying customers complied with the Federal Trade Commission's proposed rules about behavioral advertising and longstanding privacy rules.

Source - Threat Level blog

Related - Ars Technica: Embarq: Don't all users read our 5,000 word privacy policy?

[From the article:

Embarq -- a Fortune 500 telecom provider -- looked to escape the wrath of the trio, explaining that its test of technology from NebuAd was small and that it added a paragraph to its privacy policy to let its customers know about the test. [Because every customer checks the Privacy Policy every day! Bob]

We are starting to see some hints alluding to a possible future proposal relative to suggested directions for eventually “doing something” to improve intelligence sharing, maybe.

July 22, 2008

Intel Community Releases "Vision 2015: A Globally Networked and Integrated Intelligence Enterprise"

Vision 2015: A Globally Networked and Integrated Intelligence Enterprise: "Vision 2015 expands upon the notion of an Intelligence Enterprise, first introduced in the National Intelligence Strategy and later in the 100 and 500 Day Plans. It charts a new path forward for a globally networked and integrated Intelligence Enterprise for the 21st century, based on the principles of integration, collaboration, and innovation.

  • "By 2015, a globally networked Intelligence Enterprise will be essential to meet the demands for greater forethought and improved strategic agility. The existing agency-centric Intelligence Community must evolve into a true Intelligence Enterprise established on a collaborative foundation of shared services, mission-centric operations, and integrated mission management, all enabled by a smooth flow of people, ideas, and activities across the boundaries of the Intelligence Community agency members. Building such an Enterprise will require the sustained focus of hard-nosed leadership. Services must be shared across the entire spectrum, including information technology, human resources, security, facilities, science and technology, and education and training."

Something for the toolkit? - Multilingual Translator

Woxikon is an online translator and multi-language dictionary. Users enter a word into the translation search field, or search a word listed alphabetically in the chosen language dictionary. Once they select to translate the word, the user is provided with the translation in eight languages.

Signs of a trend? Easily explained. Every time Baen adds a free book to its online library, sales of that book go up.

July 23, 2008 5:01 AM PDT

Free ebooks-- some for a limited time only

Posted by Peter Glaskowsky

A friend of mine told me recently about, a new site managed by Tor Books, part of the Macmillan publishing group.

There's something cool going on there for just the next few days, and if you've bought Amazon's Kindle or Sony Reader-- or just like to read ebooks on your laptop, cellphone, or other system-- you'll want to scoot right over to the "Freebies Bonanza" page.

There you'll find 24 free ebooks and a collection of downloadable high-res cover art suitable for use as computer desktop backgrounds.

... This content will only be available through July 27, so don't delay, download today.

... Tor and its authors are following a path blazed most notably by Baen Books. The Baen Free Library has been giving away free ebooks for years, attracting considerable attention in the publishing industry and-- more importantly-- lots of extra business for Baen's participating authors.

Will this become an instant collector's item?

Esquire to Put Digital Moving Pix on Mag Cover

By Walaika Haskins TechNewsWorld 07/22/08 1:18 PM PT

To celebrate the 75th anniversary of Esquire magazine, the publication's editors plan to release 100,000 copies of its October 2008 edition with a cover made of electronic paper.