Saturday, August 02, 2008

If it takes 16 laptop thefts just to get their attention, how many does it take to get them to take action?

I.e.: Alarm over staff details after 16th laptop is stolen from key officials

Saturday, August 02 2008 @ 06:34 AM EDT Contributed by: PrivacyNews

The personal details of hundreds of Government staff were on a laptop stolen from an official at the Office of the Comptroller and Auditor General (OCAG).

The missing laptop -- taken at a bus stop last month -- is the 16th to be stolen from an OCAG official since 1999.

.... The names of hundreds of employees at the Department of Enterprise, Trade and Employment, their weekly pay, and their Personal Public Service (PPS) numbers were among the personal information contained on the laptop.

Source -

[From the article:

The loss of the laptop is the latest in a series of high-profile data security blunders involving State bodies and banks.

Last night OCAG said it "very much regrets" [Translation: “wish we could blame someone else...” Bob] the loss of the 16 laptops, only one of which has since been recovered.

Yet another COLT victim, and another example of poorly thought-out disclosure.

Kana employees first being notified of Colt Express burglary

Saturday, August 02 2008 @ 06:41 AM EDT Contributed by: PrivacyNews

Two months after the burglary at Colt Express Outsourcing, Inc., and a month and a half after they were first notified of the theft, some of Colt's clients were first notifying their current and former employees of the breach. Among them is Kana, Inc., who had terminated using Colt Express as their vendor in March 2006.

Unlike many of the other affected clients, Kana did not offer its current and former employees any free credit monitoring services, but reading their notification letter, it is not clear whether they were told that their data may have been on the stolen computers or definitely was on the stolen servers, as their letter says that the stolen servers "may have contained files related to Kana...."

"May have"? Doesn't Kana know for sure, and if not, why not? If I were an employee, I'd sure want to know more definitively.

Will this ruling invalidate the agreement with NY AG Cuomo to block child porn?

Comcast Ordered to Allow Free Flow of File Sharing Traffic

By David Kravets August 01, 2008 12:03:57 PM

In a landmark ruling, the Federal Communications Commission has ordered Comcast to stop its controversial practice of throttling file sharing traffic.

By a 3-2 vote, the commission on Friday concluded that Comcast monitored the content of its customers' internet connections and selectively blocked peer-to-peer connections.

The selective blocking of file sharing traffic interfered with users' rights to access the internet and to use applications of their choice, the commission said.

... The commission, without ordering monetary sanctions, ordered a halt to the practice and gave Comcast 30 days to fully disclose its throttling methods.

According to the commission, Comcast uses deep-packet inspection to monitor customers' internet traffic, and routes packets according to their content, not their destination.

"In essence, Comcast opens its customers' mail because it wants to deliver mail not based on the address on the envelope but on the type of letter contained therein," the commission said.
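The distinction the commission draws (delivering on the address on the envelope versus on the type of letter inside) is, in code, the difference between classifying a flow by its destination port and by the first bytes of its payload. The following is an added example, not code from the article, the FCC or Comcast, run over constructed packets; the BitTorrent handshake prefix is that protocol's documented wire format, and the port numbers are the conventional ones, not anything the article states about Comcast's method.

```python
"""Header-based vs. payload-based (deep packet inspection) classification of constructed flows."""

# First bytes of a BitTorrent peer handshake: length byte 0x13 followed by the protocol
# string. This is the protocol's well-known wire format, not taken from the article.
BT_HANDSHAKE = b"\x13BitTorrent protocol"

# Constructed sample flows: (destination port, first payload bytes). Not captured traffic.
SAMPLE_FLOWS = [
    (6881, BT_HANDSHAKE + bytes(8) + bytes(20) + bytes(20)),   # BitTorrent on its usual port
    (443,  BT_HANDSHAKE + bytes(8) + bytes(20) + bytes(20)),   # BitTorrent using the HTTPS port
    (80,   b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    (443,  b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),   # TLS handshake record header
]


def classify_by_destination(port: int) -> str:
    """'Address on the envelope': decide from the destination port alone."""
    return {80: "http", 443: "https", 6881: "bittorrent"}.get(port, "other")


def classify_by_payload(payload: bytes) -> str:
    """'Open the mail': decide from the first bytes of the application payload."""
    if payload.startswith(BT_HANDSHAKE):
        return "bittorrent"
    if payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        return "http"
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03":  # TLS record type 22, major version 3
        return "https"
    return "other"


def flows_selected_for_throttling(flows, use_payload: bool) -> set:
    """Indexes of flows a 'throttle BitTorrent' policy acts on under each classifier."""
    selected = set()
    for i, (port, payload) in enumerate(flows):
        label = classify_by_payload(payload) if use_payload else classify_by_destination(port)
        if label == "bittorrent":
            selected.add(i)
    return selected


if __name__ == "__main__":
    print("by destination port:", sorted(flows_selected_for_throttling(SAMPLE_FLOWS, False)))
    print("by payload (DPI):   ", sorted(flows_selected_for_throttling(SAMPLE_FLOWS, True)))
```

The destination-only policy acts on one flow; the payload policy acts on two, including the one that moved to port 443. The flip side for an operator is that payload signatures only work while the payload is readable: once the peer protocol itself is encrypted, the "letter" is sealed and this classifier returns "other".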

... Martin, a Republican, proposed Friday's order. Jonathan Adelstein and Michael Copps, both Democrats, signed on with Martin. Republican commissioners Robert McDowell and Deborah Taylor Tate voted against the measure. [Is this purely political? Bob]

... McDowell said the decision politicizes the internet.

"The majority has thrust politicians and bureaucrats into engineering decisions," he said in a sharp dissent. "It will be interesting to see how the FCC will handle its newly created power because, as an institution, we are incapable of deciding any issue in the nanoseconds of internet time. Furthermore, asking our government to make these decisions will mean that every two to four years the ground rules could change depending on election results."

Related? Do “community standards” make a nation-wide Class Action impossible?

Judge Trips Up Settlement In Hot Coffee Class-Action

Posted by ScuttleMonkey on Friday August 01, @06:11PM from the isn't-it-cold-coffee-by-now dept.

GamePolitics is reporting that a Judge has put another substantial hurdle in the Hot Coffee class-action case. Claiming that individuals involved in the suit could be affected differently by laws in their respective states, Judge Shirley Wohl Kram declared that this case could not be resolved by a single proceeding.

"'Accordingly, the court decertifies the settlement class on the grounds that common issues do not predominate over individualized issues,' the judge wrote. The judge's latest decision undermines a settlement agreement reached between lawyers for purchasers of the game who contended they were offended by the hidden scenes, on the one hand, and lawyers for the game's makers, Take-Two Interactive Software and Rockstar Games."

Related? Does the FCC ruling negate sections of this bill?

Senate Passes Bill Targeting College Piracy

Posted by Soulskill on Saturday August 02, @08:08AM from the since-colleges-don't-have-anything-better-to-do dept.

An anonymous reader brings news that the College Opportunity and Affordability Act has passed in the US Senate and now awaits only the President's signature before becoming law. Hidden away in the lengthy bill are sections which tie college funding to "offering alternatives to illegal downloading or peer-to-peer distribution of intellectual property as well as a plan to explore technology-based deterrents to prevent such illegal activity." The EFF issued a statement expressing concern over the bill earlier this year, shortly before the House of Representatives approved it. We discussed the introduction of the bill last November. The Senate vote was 83-8, with 9 not voting. The full text of the bill is available. The relevant section is 494, at the end of the general provisions.

[From the bill:


(a) In General- Each eligible institution participating in any program under this title shall to the extent practicable--

(2) develop a plan for offering alternatives to illegal downloading or peer-to-peer distribution of intellectual property as well as a plan to explore technology-based deterrents to prevent such illegal activity. [or does that mean you need a plan but don't need to implement it? Bob]

This is one of a class of business models intended to showcase the skills of job seekers. I think this one is poorly designed, but then my students just may be smarter than these guys. What would you like to know about someone you are considering hiring? - Find The Perfect Chef

So you are opening a restaurant and are having a hard time finding the right chef. Don’t worry, that is what is for. On this site, chefs will be able to create a profile and upload pictures and recipes of their work. This will allow them to gain exposure in that very competitive world. Creating a profile is free, so everyone from world class chefs to beginners can post their profiles on the site. If you are looking for a chef, take a look at the Find Chefs section. There, you’ll be able to find out more about the chefs that are listed with the site. Keep in mind the site is fairly new, [Perhaps they'll improve. Bob] and the list of chefs is sure to grow as time progresses. Chef portfolios can be printed out directly from the website in a printer-friendly format. The gallery management is simple. Just upload the pictures of your work and name them, the site will take care of the rest.

Friday, August 01, 2008

A bit of a rant (sorry)

There is clearly a trend to be vague about the number of victims – I guess organizations think that makes the breach seem trivial. In my opinion, this is a “Worst Practice” since it suggests that ALL of their customers were victims. Anyone who does not get a letter will be calling to find out why. Companies like COLT are poorly served by having their victims report their breaches individually over months (several today). And the cult of “I don't know” continues to convince me that “They don't care” about security.

As computers become commodities, we think of them as unimportant as a loaf of bread. It's the UNSEEN data that's important – but “out of sight, out of mind.” We need to connect the concept “important data” to the consequence “Fired!”

Phase3 employee leaves laptop with Newedge client data in taxi

Thursday, July 31 2008 @ 02:22 PM EDT Contributed by: PrivacyNews

Through their attorneys, SunGard Data Systems reported that an employee of one of their business units, Phase3, left a company laptop in a taxi at a Florida airport on May 11.

Phase 3 processes trade data for retail/institutional brokerage firms and the lost laptop contained data belonging to Newedge USA, LLC.

The total number of individuals with data on the laptop was not revealed, but 350 Maryland residents were affected. The personal information may have included name, address, date of birth, Social Security number, telephone number, net worth, annual income, and Newedge account number. The laptop was password-protected, but the data were not encrypted. To their credit, SunGard's letter to those affected makes that distinction very clear.

Phase3 is offering those affected two years of free credit monitoring and credit restoration services (unless, of course, you're a NYS resident, in which case you can't get the identity theft insurance and are just screwed if your data are misused).

This one seems to extend the “we don't know” response into new territory. Using someone else's report as a model is logical; copying it exactly seems like a new “Worst Practice.”

Sava Senior Care revises its breach report

Thursday, July 31 2008 @ 03:26 PM EDT Contributed by: PrivacyNews

As reported here previously, Sava Senior Care Administrative Service's breach report from April of this year was identical to that reported by another firm -- down to the exact number of individuals.

This site wrote to the Maryland Attorney General's office to point out the amazing similarity between the reports, and it seems that the firm has now revised or corrected some aspects of its report.

In correspondence to the AG dated June 25, Miriam Murray, Director, Compliance and Privacy Officer, explains that Sava had sent three years' worth of data for auditing/analysis (Windham Brannon was the firm involved). According to Murray, during shipment via UPS, the box containing the disc was lost and never located. The disc was password protected and the data were in SQL format.

There were 4,850 Maryland residents affected. It is not evident from the letter whether there were non-Maryland residents also affected.

Although the email provided some clarification and correction, the attached notification letter raises more questions. The letter talks about a stolen laptop, and says that skilled nursing home residents had their names, Medicare and Medicaid numbers, and resident medical assessment information on the stolen laptop.

A call to Ms. Murray to ask her to clarify their clarification has not yet been returned.

Fischbach backup disk lost; contained highly personal information

Thursday, July 31 2008 @ 01:20 PM EDT Contributed by: PrivacyNews

Fischbach LLC has notified the Maryland Attorney General's office that a backup media disk containing litigation records with personal information was lost in March of this year.

Glen Bronstein, Vice-President and General Counsel for the firm reports that the litigation records pertained to work done by Fischbach's subsidiaries and contained personal information such as Social Security numbers, dates of birth, work histories, medical records and mother's maiden name for individuals involved in either a lawsuit or workman's compensation claim against either Fischbach or a Fischbach subsidiary. The total number of individuals with personal data on the missing disk was not reported.

Fischbach first learned on March 21st that the disk had been lost during shipment due to damage to the shipping container, but did not notify those affected until the beginning of July. In their letter to those affected, they describe the process of reviewing thousands of legal documents to identify who to notify. They also conducted some analysis and informed those affected that an individual would have to have "intermediate database skills" to be able to extract the documents.

As a result of this incident, Fischbach says that it will encrypt data in the future and also use more secure packaging. [Because it's far cheaper to protect the data in the first place! Bob]

The company arranged for free one-year credit monitoring.
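SunGard's letter draws the right distinction, and Fischbach's "intermediate database skills" remark illustrates the wrong one. A password on a laptop, a disc or a viewer application is a gate in front of the data; whoever holds the disk simply reads around it, with no more than `strings` on the file. Encryption, with the key derived from a secret the thief does not have, makes the bytes themselves useless. The following is an added example, not from any of these companies' letters, on constructed records; the file layouts, the names and the identifiers are all invented for the demonstration.

```python
"""'Password-protected' storage vs. encrypted storage, on constructed records."""
import hashlib
import hmac
import os

# Constructed sample records: (name, SSN-like identifier). Not real people or numbers.
RECORDS = [
    ("Jane Sample", "000-00-0001"),
    ("John Sample", "000-00-0002"),
]


def store_password_protected(password: str, records) -> bytes:
    """Application-level 'protection': the viewer demands a password, but the
    records are written in the clear behind nothing more than a password hash."""
    gate = hashlib.sha256(password.encode()).hexdigest()
    body = "\n".join(f"{name},{ssn}" for name, ssn in records)
    return f"PWDHASH:{gate}\n{body}\n".encode()


def open_password_protected(password: str, blob: bytes):
    """The well-behaved viewer checks the gate before showing anything."""
    header, _, body = blob.decode().partition("\n")
    if header != f"PWDHASH:{hashlib.sha256(password.encode()).hexdigest()}":
        raise PermissionError("wrong password")
    return [tuple(line.split(",", 1)) for line in body.splitlines()]


def raw_bytes_contain(blob: bytes, needle: str) -> bool:
    """What someone holding the disk sees: the bytes, with no viewer in the way."""
    return needle.encode() in blob


# Encryption: the key is derived from the password, so the file is useless without it.
# The cipher below is an HMAC-SHA256 counter-mode keystream plus a MAC, written here only
# so the example runs on the standard library. Real deployments use a vetted AEAD such as
# AES-GCM, or full-disk encryption, rather than a hand-rolled construction.

def _derive_keys(password: str, salt: bytes):
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]  # (encryption key, MAC key)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def store_encrypted(password: str, records, salt: bytes = None, nonce: bytes = None) -> bytes:
    """Layout: salt(16) | nonce(16) | tag(32) | ciphertext."""
    salt = salt or os.urandom(16)
    nonce = nonce or os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    plaintext = "\n".join(f"{name},{ssn}" for name, ssn in records).encode()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + tag + ct


def open_encrypted(password: str, blob: bytes):
    """Verify the MAC first (wrong password or tampering both fail here), then decrypt."""
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("authentication failed")
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return [tuple(line.split(",", 1)) for line in pt.decode().splitlines()]


if __name__ == "__main__":
    gated = store_password_protected("hunter2", RECORDS)
    sealed = store_encrypted("hunter2", RECORDS)
    print("SSN visible in 'password-protected' file:", raw_bytes_contain(gated, "000-00-0001"))
    print("SSN visible in encrypted file:           ", raw_bytes_contain(sealed, "000-00-0001"))
```

The "intermediate database skills" point falls out of the first half: a format that merely takes skill to read is still plaintext, and the skill is cheap. Notification letters that say "password-protected" without saying "encrypted" are describing the first file, not the second.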

The article in the newspaper was written by “HOLLY HACKER,” too perfect. It also points out that UT had a breach in 2006 – a fact not mentioned on their website. I guess UT is not a “learning organization”

Computer breach at UT Dallas may have exposed students' personal info

Thursday, July 31 2008 @ 03:11 PM EDT Contributed by: PrivacyNews

A computer network attack at the University of Texas at Dallas may have exposed Social Security numbers and other personal information for 9,100 individuals, school officials said today.

A security breach in UTD’s computer network may have exposed Social Security numbers along with names, addresses, email addresses or telephone numbers, officials said.

Source -

Related - UT Dallas web page about breach

ANOTHER Colt client. (There were five other clients reporting to the Maryland AG in Pogo today.)

ABHOW notifies employees of computer theft (Colt Update)

Thursday, July 31 2008 @ 12:43 PM EDT Contributed by: PrivacyNews

American Baptist Homes of the West, Inc. ("ABHOW") recently notified its employees that their unencrypted names, addresses, date of birth, and Social Security numbers were on computers stolen from Colt Express Outsourcing, Inc.

Like many other clients affected by the theft, ABHOW had terminated its contract with Colt prior to the burglary. In its letter to its employees, David B. Ferguson, President and Chief Executive Officer of ABHOW, writes, "While ABHOW had terminated its relationship with this vendor two years ago, they were required by law to maintain the data for six years."

Comment: I do not know California's data retention law, but I doubt that there is anything in the law that requires a firm to maintain data on-site on hardware that might be stolen for its hardware value, or to maintain it unencrypted. -- Dissent.

It's rare for Pogo to make a mistake, but you have to admit that it can be confusing.

[CORRECTION] What a difference a report makes: AON Consulting breach affected over 57,000 (update)

Thursday, July 31 2008 @ 01:56 PM EDT Contributed by: PrivacyNews

Back in May, the Columbus Business First reported that 2000 current and former employees of Park National Corp. had personal information on a laptop computer lost by AON Consulting, Inc. The story did not seem to get picked up, but AON Consulting's notification to the Maryland Attorney General's office provides a very different impression of the incident.

According to the letter signed by Bobbie McGee Gregg, Vice President and Global Chief Privacy Officer for AON Consulting, the laptop was stolen from a restaurant in NYC on May 30, 2008. The company does not provide that detail in their notification letter to those affected, however, merely stating that a laptop was stolen from one of its employees.

The password-protected laptop contained personal information from pre-employment applications and screenings conducted by AON between July 2005 and February 2008 on behalf of Verizon. There is no mention as to whether the data were encrypted.

All told, the laptop contained names and SSN on 57,160 individuals.

CORRECTION, 7/31/08: it looks like there were TWO incidents involving AON. The first incident occurred in March (the lost laptop originally reported). The second incident occurred in May (the stolen laptop). Thanks to ITRC for alerting us to our error.

Just in case you thought I had too many breach reports today, I wanted you to know it could have been much worse.

Most Security Breaches Go Unreported

Friday, August 01 2008 @ 08:00 AM EDT Contributed by: PrivacyNews

More than 89% of security incidents went unreported in 2007, according to survey of about 300 attendees at this year's RSA Conference.

... 29% of those answering the survey said their organizations experienced customer or employee data leakage. Twenty-eight percent reported insider threats or theft and 16% reported intellectual property theft.

Source - InformationWeek

In keeping with the “we don't know” theme...

Inspector says TVA's computer tracking policy inadequate

Friday, August 01 2008 @ 06:06 AM EDT Contributed by: PrivacyNews

The TVA Inspector General office reports that the agency’s policies for tracking its computers are inadequate, and in “at least” one case, a stolen computer contained employee social security numbers.

According to the IG, since TVA rolled out an inventory system for its computers in August 2004, called the HP Service Desk, TVA has been unable to track over 5,550 computers. “The inability to adequately track, as well as the lack of encryption, on these computers increases the risk for the disclosure of sensitive or restricted information,” the report stated.

Source -

You don't suppose this was paid for by the Class Action lawyers, do you?

EFF Releases "Switzerland" ISP Testing Tool

Friday, August 01 2008 @ 05:39 AM EDT Contributed by: PrivacyNews

Hours before the Federal Communications Commission (FCC) is expected to take action against Comcast for violating the FCC's net neutrality principles, the Electronic Frontier Foundation (EFF) is releasing "Switzerland," a software tool for customers to test the integrity of their Internet communications.

Source - EFF

For more information and to download the Switzerland software:

For more about EFF's "Test Your ISP" Project:

Still no attention to laptop confiscation on domestic flights... (Do they really think Osama is hiding in there?)

DHS Allowed To Take Laptops Indefinitely

Posted by kdawson on Friday August 01, @08:08AM from the reasonable-expectation dept.

andy1307 writes with a Washington Post story giving details of Department of Homeland Security policies for border searches of laptops and other electronic devices (as well as papers). (We have been discussing border searches for a while now.) DHS says such procedures have long been in place but were "disclosed last month because of public interest in the matter," according to the article. Here is a link to the policy (PDF, 5 pages).

"Federal agents may take a traveler's laptop or other electronic device to an off-site location for an unspecified period of time without any suspicion of wrongdoing, as part of border search policies the Department of Homeland Security recently disclosed. Also, officials may share copies of the laptop's contents with other agencies and private entities for language translation, data decryption, or other reasons, according to the policies, dated July 16 and issued by two DHS agencies, US Customs and Border Protection and US Immigration and Customs Enforcement... DHS officials said that the newly disclosed policies — which apply to anyone entering the country, including US citizens — are reasonable and necessary to prevent terrorism... The policies cover 'any device capable of storing information in digital or analog form,' including hard drives, flash drives, cell phones, iPods, pagers, beepers, and video and audio tapes. They also cover 'all papers and other written documentation,' including books, pamphlets and 'written materials commonly referred to as "pocket trash..."'"

Attention legal guys (and crooks?)

July 31, 2008

Why You Should Never Talk to the Police

This is an engaging and fascinating video presentation by Professor James Duane of the Regent University School of Law, explaining why -- in a criminal matter -- you should never, ever, ever talk to the police or any other government agent. It doesn't matter if you're guilty or innocent, if you have an alibi or not -- it isn't possible for anything you say to help you, and it's very possible that innocuous things you say will hurt you.

Definitely worth half an hour of your time.

And this is a video of Virginia Beach Police Department Officer George Bruch, who basically says that Duane is right.


A photo that can steal your online credentials

By placing a new type of hybrid file on Web sites that let users upload their own images, researchers can circumvent security systems and take over Web surfers' accounts

By Robert McMillan, IDG News Service August 01, 2008

At the Black Hat computer security conference in Las Vegas next week, researchers will demonstrate software they've developed that could steal online credentials from users of popular Web sites such as Facebook, eBay, and Google.

The attack relies on a new type of hybrid file that looks like different things to different programs. By placing these files on Web sites that allow users to upload their own images, the researchers can circumvent security systems and take over the accounts of Web surfers who use these sites.

"We've been able to come up with a Java applet that for all intents and purposes is an image," said John Heasman, vice president of research at NGS Software.
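The general form of the hybrid the article describes is an image with a JAR archive appended to it: a JAR is a ZIP file, ZIP readers locate the archive from the end-of-central-directory record at the tail of the file, and image readers start from the header at the front, so both parsers are satisfied. The following is an added example, not the researchers' code, that builds such a file from a real 43-byte GIF and a ZIP, shows that a magic-byte upload check accepts it and that Python's `zipfile` opens it, and shows the check a site should make instead: parse the image to its trailer and reject any trailing bytes. The class name and its contents are placeholders, not a working applet.

```python
"""Image/ZIP polyglot: one file, two parsers. Builds it, then shows a weak and a strict check."""
import io
import zipfile

# A complete, valid 1x1-pixel GIF89a, assembled here for the demo (43 bytes).
MINIMAL_GIF = bytes.fromhex(
    "474946383961"          # "GIF89a"
    "01000100"              # logical screen 1x1
    "800000"                # packed (global color table, 2 entries), bg index, aspect ratio
    "000000ffffff"          # global color table: black, white
    "21f9040100000000"      # graphic control extension + block terminator
    "2c000000000100010000"  # image descriptor: 1x1 at (0,0), no local color table
    "0202440100"            # LZW minimum code size 2, one 2-byte data sub-block, terminator
    "3b"                    # trailer
)


def build_polyglot(image: bytes = MINIMAL_GIF) -> bytes:
    """Append a ZIP (the container format of a JAR) to an image. The member name and
    bytes are placeholders; a real applet would carry compiled class files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Applet.class", b"\xca\xfe\xba\xbe" + bytes(28))
    return image + buf.getvalue()


def passes_magic_check(data: bytes) -> bool:
    """The weak upload check: 'does it start like a GIF?'"""
    return data[:6] in (b"GIF87a", b"GIF89a")


def opens_as_archive(data: bytes) -> bool:
    """What a ZIP/JAR reader thinks of the same bytes."""
    return zipfile.is_zipfile(io.BytesIO(data))


def archive_members(data: bytes):
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def _skip_subblocks(data: bytes, pos: int) -> int:
    """Skip GIF data sub-blocks (length-prefixed, ended by a zero-length block)."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-blocks")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def gif_end_offset(data: bytes) -> int:
    """Walk the GIF block structure; return the offset just past the 0x3B trailer."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    packed = data[10]
    pos = 13
    if packed & 0x80:                          # global color table: 3 * 2^(N+1) bytes
        pos += 3 * (2 << (packed & 0x07))
    while True:
        if pos >= len(data):
            raise ValueError("truncated GIF")
        tag = data[pos]
        pos += 1
        if tag == 0x3B:                        # trailer
            return pos
        if tag == 0x21:                        # extension: label byte, then sub-blocks
            pos = _skip_subblocks(data, pos + 1)
        elif tag == 0x2C:                      # image descriptor
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            local_packed = data[pos + 8]
            pos += 9
            if local_packed & 0x80:            # local color table
                pos += 3 * (2 << (local_packed & 0x07))
            pos = _skip_subblocks(data, pos + 1)  # +1 skips LZW minimum code size
        else:
            raise ValueError(f"unknown block tag 0x{tag:02x}")


def passes_strict_check(data: bytes) -> bool:
    """The stronger check: the file must parse as a GIF and end exactly at its trailer."""
    try:
        return gif_end_offset(data) == len(data)
    except ValueError:
        return False


if __name__ == "__main__":
    poly = build_polyglot()
    print("magic check:", passes_magic_check(poly), "| archive:", archive_members(poly),
          "| strict check:", passes_strict_check(poly),
          "| trailing bytes:", len(poly) - gif_end_offset(poly))
```

Rejecting trailing bytes is the narrow fix; the broader ones are to re-encode every uploaded image server-side (which discards anything the image decoder did not understand) and to serve user-uploaded content from an origin that holds no session for the main site, so that even a file which is both an image and an applet runs with no credentials worth stealing.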

Would this be a false criminal report (assuming they made a report?)

Band Leaks Track to BitTorrent, Blames Pirates — When we reported about the leak of a BuckCherry track last week, and specifically the band's response to it, we hinted that this could be a covert form of self-promotion. Indeed, after a few days of research we found out that the track wasn't leaked by pirates, but by Josh Klemme, the manager of the band.

I've omitted a few, but these caught my eye...

July 31, 2008

New GAO Reports

  • Federal Information System Controls Audit Manual (FISCAM): Exposure Draft, GAO-08-1029G, July 31, 2008

  • United States Postal Service: Information on the Irradiation of Federal Mail in the Washington, D.C., Area, GAO-08-938R, July 31, 2008

At some point the pace of conversion to “Not Microsoft” will accelerate greatly. I think that 'tipping point' is getting close.

Firefox market share exceeds 20%! — A milestone for Firefox. IE down below 70%!

Techno-nomics: I have proposed a neutral network organization rather than granting monopolies. I suspect this grass-roots approach will have a few problems. (If not, I'm gonna do one!)

What If You Owned Your Own Fiber Connection?

from the not-a-ridiculous-suggestion dept

Almost five years ago, we wrote about a project in Burlington, Vermont to bring fiber optics to residents there. The idea was that, rather than a traditional "municipally-owned" network, this would actually be owned by the residents themselves. The article focused on the work of economist Alan McAdams, who (it needs to be admitted) was the guy who not only sent me down the path of better understanding the economics of information over a dozen years ago, but also convinced me to start Techdirt in the first place. McAdams has been pushing for the idea that if the end users actually owned the network itself, you would end up with much greater broadband, in part because you might still end up with a single fiber network, but there would be significant competition of service providers on that network. And, indeed, it appears that's where the Burlington fiber project has gone. A more recent case study on the project suggests that, with a slow and deliberate pace, thousands of residents in Burlington now have access to the fiber network, and can choose their own ISP, if they want.

Tim Lee has now written about another example as well, where there's an effort underway in Ottawa (which is only about 170 miles from Burlington), to string up 400 homes with fiber, but where the individual home owners will pay for and own the "last mile" connection to their homes. This is definitely a test on a small scale, but it's a similar situation to what McAdams has been pushing for all along. Let the customer own the connection itself, and then get to choose the service provider. In the Ottawa case, once again, service providers would no longer have to worry about wiring up your home (the most expensive part), but just need to offer service at various peering points, and each individual could choose who to get service from. [Could these also be “user owned?” Bob]

In this manner, you still get real competition, which is sorely lacking in the telco arena, and you get the benefits of higher speed networks. It's not as crazy as it might sound, either. As Lee points out, the telephone company used to own not just the wiring in your house, but the actual telephone as well. Over the years, that's been pushed back. Now you own your own phone -- and the wiring inside your house. So is it so crazy to think that you should own the wires outside of your house out to the main network as well? There are still plenty of practical issues that need to be resolved -- and the initial economics may be a bit daunting for many (the idea of paying, say, $3,000, to own your own fiber drop may freak some people out). But, it's experiments like these that are a real step in the right direction towards adding real competition, rather than the faux duopoly we all deal with today.

Tools & Techniques: I don't think I'll share this with the wife... I don't need life size pictures of her horses... - Create Life Size Posters

On the site, you will be able to create life-size printouts from your favorite images, quickly. Just select an image (either from your PC or from the internet), and upload it. The program will then make it life size and give you back easy to print PDF files. If you are having a hard time using the online version, or have limited internet access, you can download the program to your computer. If you want to know what you can do with this great app, you can check out the site’s gallery.

[From the website: ...up to 20 meters in size.

Thursday, July 31, 2008

The ultimate Case Study? Loss of unencrypted tapes, third-party involvement, outside the US, unknown number of companies involved – covers almost everything that could possibly be done wrong!

Lost backup tape contains TANA employee data

Wednesday, July 30 2008 @ 08:31 AM EDT Contributed by: PrivacyNews

Tele Atlas North America ("TANA") reports that Willis North America, [a UK company? Bob] TANA's third party benefits administrator, "inadvertently misplaced backup tapes while in transit to a storage facility in India" on June 9, 2008. TANA was first notified by Willis of the loss on June 30th. The backup tapes contained computerized data including the names and social security numbers of TANA employees and their dependents who have insurance provided through TANA.

A letter signed by James O'Gorman, Vice President, Operations & Organizational Development for TANA, indicates that Willis will be providing TANA's employees with identity theft protection and monitoring services through IDFreeze from TrustedID.

It is not known at this time how many other companies may also have employees' personal information on the missing backup tape.

If you wanted to steal “high value identities,” not just a random sample of individuals using a credit card, wouldn't it make sense to target bank customers? And where best to find bank customers?

Thieves steal Vancouver client information from TD bank

Wednesday, July 30 2008 @ 08:53 AM EDT Contributed by: PrivacyNews

TD Canada Trust officials waited three weeks this summer before telling customers their personal information might have been stolen from a Vancouver branch.

Bank representative Kelly Hechler confirmed Tuesday a piece of computer equipment [thumb drive? Bob] stolen during a June 22 break-in at the 4597 West 10th Ave. branch contained confidential customer information.

... Hechler would not reveal how many customers were affected by the security breach, calling it a "relatively small number."

The letter to customers said the stolen equipment may have contained names, addresses, birthdates, social insurance numbers, account numbers, bill payment details, transactions and balances.

Source - Vancouver Sun

Stolen LPL laptop contained customer info

Thursday, July 31 2008 @ 06:54 AM EDT Contributed by: PrivacyNews

LPL Financial, which has reported five breaches involving personal information, has revealed a 6th incident involving customer data.

By letter to the New Hampshire Attorney General's office dated July 24, LPL reports that on April 4, 2008 one or more unknown persons broke into and entered the Lansing, Michigan office of William and Nathanael Flynn and stole a laptop computer.

The laptop contained unencrypted names, Social Security numbers, account numbers, and date of birth of an unspecified number of customers and non customer beneficiaries.

No explanation was provided as to why customers were not notified until some time in July.


A laptop is stolen from an LPL Financial office in Michigan

The long (never ending) series of negative headlines continues. Has no one ever read “The Prince?” (You know, at some point all of these ex-clients are going to start thinking the “data loss” was deliberate.)

24 Hour Fitness employee data on stolen Colt Express Outsourcing Services, Inc. computers

Wednesday, July 30 2008 @ 08:19 AM EDT Contributed by: PrivacyNews

And then there were 12....

Through its lawyers, 24 Hour Fitness has notified the NH Attorney General's office that Colt Express Outsourcing Services, Inc. had provided employee benefit plan administrative services for approximately ten years until 2006, when the relationship was terminated. Yet the employee data were still on computers in Colt's offices, unencrypted, when the computers were stolen on May 26th. As with other entities affected by the burglary, current and former employees' first names, last names and Social Security numbers were on the stolen computers, as were the employees' dependents' names and Social Security numbers.

In response to the theft, 24 Hour Fitness arranged for Triple Alert services for employees for one year at no cost to employees. The company also "demanded the return of any other sensitive information that may still be in Colt's possession to ensure that Colt can cause no additional harm to its current and former employees and their dependents." [Interesting, but probably impossible. Demand all you want, the data Colt holds is probably needed for a variety of legal reasons (not least of which will be defending against an ever-increasing number of lawsuits.) Bob]


State Breach Disclosure Laws - Update

Wednesday, July 30 2008 @ 06:24 PM EDT Contributed by: PrivacyNews

Five states (and D.C.) have put data breach disclosure laws on the books in recent months. Article includes links to full text of each law.

Source - CSO

[From the article:

South Carolina:

Law does not apply to criminal intelligence maintained by law-enforcement agencies of the state and the organized Criminal Gang File of the Virginia Criminal Information Network (VCIN) ['cause criminals gots not rights? Anyone on those files who has NOT been convicted? Bob]

Washington D.C.

West Virginia

Once you steal an Identity, what can you do with it?

ID Analytics Study Reveals Employees' Criminal Misuse of Stolen Identities

Thursday, July 31 2008 @ 06:36 AM EDT Contributed by: PrivacyNews

... Key findings from the study include:

  • Fraudulent activity reflected a significant increase in attempts to acquire wireless phones. [First, I'll buy something they can easily trace! Bob] Of the 1,300 cases of attempted fraud, 69 percent targeted the wireless industry.

Today at 1:00 p.m. ET / 10:00 a.m. PT, ID Analytics product analyst Cooper Bachman will present the study findings in a free, one-hour webinar titled "What Happens After Employees Steal Data?" To register for the webinar, please visit .

Source - Press Release Related - ID Analytics

To request a white paper providing more detail on the research, please visit

Related. Another way to use all those identities... (Don't passports have unique numbers that can be flagged on the database?)

July 31, 2008

3,000 Blank British Passports Stolen

Looks like an inside job.

Are they saying that certain rights no longer exist or have been negated by technology?

Google says complete privacy 'does not exist'

Thursday, July 31 2008 @ 06:12 AM EDT Contributed by: PrivacyNews

Google has argued in a court submission that there can be no expectation of privacy in the modern world.

The search giant is being sued by a Pennsylvania couple after their home appeared on Google Street View. The couple's house is on a road clearly marked as private property.

Source -

Thanks to Brian Honan for this link.

Related: Maybe they are right.

UK: Google Street View gets go ahead

Thursday, July 31 2008 @ 07:21 AM EDT Contributed by: PrivacyNews

Google's controversial Street View photo-mapping tool has been given the all clear by the UK's privacy watchdog.

Source - BBC Related - Guardian: Watchdog clears Google's street cameras

Related. Why not allow these future winners of a Darwin Award to remove themselves from the gene pool?

ER Doctors Warn About Walking While Texting; When Will We Start Seeing Laws?

from the they're-coming dept

Anyone want to take a guess on when we'll see the first laws proposed to ban the practice of walking-while-texting? We've already seen a few proposals that would ban walking and talking in a crosswalk. And, to add some fuel to the fire, some ER doctors are warning people who walk and text at the same time that it's risky behavior. The doctors say they're seeing a rise in reports of people walking and texting at the same time, leading to some sort of injury, including two people who were hit by a car after paying more attention to their phone than oncoming traffic. Since technopanics always seem to start with a news article, just wait for someone to propose a law against this -- rather than insisting that perhaps it's time to institute a little common sense.

Related? At least this is a response to all that video surveillance (assuming you can hack their database.)

Face-Swapping Tech Keeps Your Privacy Online By Making You Look Horrifying

... Well, this new "Face Swapper" software found on Boing Boing automatically switches out features on people's faces with features from photos in its database, creating horrifying cross-gender hybrids.

[Imagine merging everyone's face with Janet Reno – Oh the horror! Bob]

Are CISOs starting to feel vulnerable?

Data Breach Fallout: Do CISOs Need Legal Protection?

Wednesday, July 30 2008 @ 09:24 PM EDT Contributed by: PrivacyNews

Since the security executive is on the hot seat after a data breach, some industry experts suggest CISOs get themselves some form of liability protection. The downside is that such protection could shield those who deserve the blame for an incident.

Source - CSO

[From the article:

In the wake of a data breach, the company's top brass may go looking for someone to blame. If you are the security chief, chances are it's going to be you.

... He has watched as some of his CSO acquaintances were blamed for a security failure or dismissed for trying to blow the whistle over the company's security holes.

... In the final analysis, experts say, the best insurance policy for CSOs is a security program that keeps incidents from happening in the first place.

Dan Lohrmann, CISO for the State of Michigan, notes that his staff is adequately protected as long as the team is following industry and government security best practices. Besides, he says, state workers are self-insured.

“It's not a bug, it's a feature!” W. Gates (Not a problem if you don't hack the system.)

Dual Boot Not Trusted, Rejected By Vista SP1

Posted by timothy on Wednesday July 30, @04:28PM from the that's-south-of-luckless dept.

Alsee writes

"Welcome to our first real taste of Trusted Computing: With Vista Enterprise and Vista Ultimate, Service Pack 1 refuses to install on dual boot systems. Trusted Computing is one of the many things that got cut from Vista, but traces of it remain in BitLocker, and that is the problem. The Service Pack patch to your system will invalidate your Trust chain if you are not running the Microsoft-approved Microsoft-trusted boot loader, or if you make other similar unapproved modifications to your system. The Trust chip (the TPM) will then refuse to give you your key to unlock your own hard drive. If you are not running BitLocker then a workaround is available: Switch back to Microsoft's Vista-only boot mode, install the Service Pack, then reapply your dual boot loader. If you are running BitLocker, or if Microsoft resumes implementing Trusted Computing, then you are S.O.L."
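To make the mechanism behind the post concrete, here is an added example of my own (not code from Slashdot, from the submitter, or from Microsoft) that simulates how a TPM-sealed BitLocker volume key depends on the measured boot chain. It assumes TPM 1.2-style SHA-1 PCRs, collapses the several PCRs BitLocker actually uses into a single register, stands in constructed strings for the hashes of the real boot components, and models the TPM's storage root key as a 32-byte secret that never leaves the chip; the XOR-plus-MAC sealing is a stand-in for the TPM's real wrapping, chosen so the example runs without extra libraries. What it shows is that the key is released only when the boot measurement at unseal time equals the one at seal time: a foreign boot sector (GRUB chainloading bootmgr) changes the measurement, and so does a Service Pack replacing bootmgr, which is why the volume key must be re-sealed under the new measurement (or recovered with the recovery password) before that boot chain works again.

```python
import hashlib
import hmac

# Added example, not from the Slashdot post or from Microsoft: a toy model of
# how BitLocker's TPM-sealed key depends on the measured boot chain.
# Assumptions: TPM 1.2-style SHA-1 PCRs; every boot component is collapsed
# into one PCR instead of the several BitLocker really uses; the storage
# root key (SRK) is modelled as a 32-byte secret that never leaves the TPM.

PCR_RESET = bytes(20)  # PCRs are all-zero after power-on


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA1(PCR_old || SHA1(component)).
    Extends are one-way and order-dependent, so the final value commits
    to exactly which components ran and in what order."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_chain(components) -> bytes:
    """Measure a boot chain from the reset value, as firmware, the boot
    sector and the boot manager each measure the next stage before
    handing control to it."""
    pcr = PCR_RESET
    for c in components:
        pcr = pcr_extend(pcr, c)
    return pcr


def seal(secret: bytes, srk: bytes, pcr: bytes) -> bytes:
    """Seal `secret` to a PCR value. The wrapping key is derived from the
    TPM-internal SRK and the PCR value at sealing time; a MAC lets unseal
    detect a mismatch. (A real TPM wraps under an RSA key; the binding to
    the PCR state is the part being modelled here.)"""
    if len(secret) > 32:
        raise ValueError("toy model seals at most 32 bytes")
    wrap = hashlib.sha256(b"seal" + srk + pcr).digest()
    ct = bytes(a ^ b for a, b in zip(secret, wrap))
    tag = hmac.new(wrap, ct, hashlib.sha256).digest()
    return ct + tag


def unseal(blob: bytes, srk: bytes, pcr: bytes):
    """Return the secret only if the *current* PCR value equals the one it
    was sealed under; otherwise None, i.e. the TPM refuses to release the
    volume key."""
    ct, tag = blob[:-32], blob[-32:]
    wrap = hashlib.sha256(b"seal" + srk + pcr).digest()
    if not hmac.compare_digest(hmac.new(wrap, ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, wrap))


# Constructed boot chains: stand-ins for the hashes of the real binaries.
MS_CHAIN = [b"BIOS 1.02", b"MBR: Windows", b"bootmgr RTM", b"winload.exe"]
GRUB_CHAIN = [b"BIOS 1.02", b"MBR: GRUB stage1", b"bootmgr RTM", b"winload.exe"]
SP1_CHAIN = [b"BIOS 1.02", b"MBR: Windows", b"bootmgr SP1", b"winload.exe"]

SRK = b"\x11" * 32                          # never leaves the (simulated) TPM
VMK = b"volume-master-key-0123456789ab"     # the key BitLocker seals (30 bytes)


def bitlocker_boot(chain, sealed_vmk: bytes):
    """Simulate one boot: measure the chain, then ask the TPM to unseal."""
    return unseal(sealed_vmk, SRK, measure_chain(chain))


if __name__ == "__main__":
    sealed = seal(VMK, SRK, measure_chain(MS_CHAIN))
    print("Microsoft boot loader  :", bitlocker_boot(MS_CHAIN, sealed) == VMK)
    print("GRUB chainloading      :", bitlocker_boot(GRUB_CHAIN, sealed))
    print("bootmgr replaced by SP1:", bitlocker_boot(SP1_CHAIN, sealed))
    # Re-sealing under the new measurement is what restores access.
    resealed = seal(VMK, SRK, measure_chain(SP1_CHAIN))
    print("after re-seal          :", bitlocker_boot(SP1_CHAIN, resealed) == VMK)
```

Run it and the first boot unseals, the GRUB and SP1 chains get None, and the re-sealed key unseals under the SP1 chain. That last step is the whole point of the post's workaround: put the Microsoft loader back so the measurement matches, let the update re-seal, then change the loader again. The protection is working exactly as designed; what it cannot distinguish is a rootkit in the boot sector from a boot loader you installed yourself.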

For my Security students

NIST Publications

July 29th, 2008 by Brian Honan

The US National Institute of Standards and Technology, NIST, have released a number of publications that are well worth reading;

The above publications are well worth taking the time to download and review.

Geek stuff

An Illustrated Guide to Every Stupid Cable You Need — We put up with too many cables. There are at least four different kinds of USB plugs, two kinds of FireWire and like a million different ways to connect something to TV or monitor.

Every geek should be learning this technology (Quick! Before the lawyers realize what it really does!)

Review of Sun's Free Open Source Virtual Machine

Posted by timothy on Wednesday July 30, @05:33PM from the expanding-options dept.

goombah99 writes

"After snapping up virtualization company InnoTek at the beginning of the year, Sun has recently released VirtualBox as a fully functional and highly polished free GPL open source x86 Virtual Machine. It can host 32- or 64-bit Linux, Windows XP, Vista and 98, OpenSolaris and DOS. It runs on Mac OS X, Windows, and Unix platforms. The download is just 27MB. A review of it on MacWorld, showing HD movies playing inside Windows XP on a Mac, demonstrates performance visually indistinguishable from VMware. Like its competition, it can run other OSes in rootless, rooted, or seamless display modes (where all the applications have their windows mixed at the same time). Each VM instance can only run single core (though I/O is multi-core), and it does not yet support advanced Windows graphics libraries, so some gamers may be disappointed. Slashdot discussed the InnoTek acquisition earlier."

Sometimes when things sound too good to be true, it's because they are.

India's "$10 Laptop" To Cost $100 After All

Posted by timothy on Wednesday July 30, @06:22PM from the ain't-it-the-way-of-things dept.

narramissic writes

"In case you missed it, India's Minister of State for Higher Education yesterday announced the development of a $10 laptop that will target higher education applications. There were no specifications given for the laptop and the rock-bottom price raised questions about government subsidies. Today, the figure was corrected: It's not a $10 laptop; it's a $100 laptop. Still no specs though."

With access to TV via the Internet, wasn't this inevitable? Perhaps the government will offer coupons for this, like those HD converter boxes... - 800 Channels Of Free International TV

With the WhereverTV Receiver (a portable device - 5"x 5"x 1" & 6 oz. now available for $199) you can now watch all of these live TV channels on any TV in the world.

Ah, I said to myself when I read the headline, Hackers! I guess this is how they do it if they don't have portable computers...

Angry, late, tired passengers make computers crash

Tue Jul 29, 7:20 AM ET

BEIJING (Reuters) - Scores of Chinese air passengers smashed computers and desks and clashed with police Tuesday after a night stranded at an airport without accommodation, state media said.

Wednesday, July 30, 2008

The saga of (and headlines about) the Colt security breach continue. Dragging out the revelations does not seem to be a great strategy.

California law firm also victims of Colt Express Outsourcing Services burglary

Wednesday, July 30 2008 @ 08:08 AM EDT Contributed by: PrivacyNews

By letter to the New Hampshire Attorney General's office, the law firm Pillsbury Winthrop Shaw Pittman LLP, reports that some of their employee data from 1998 - 2002 were on computers stolen from Colt Express Outsourcing Services, Inc. over the Memorial Day weekend. Details on the employees and their dependents included name, address, birth date and Social Security Number. The total number of employees affected was not indicated in the letter.

Pillsbury Winthrop Shaw Pittman LLP is the 10th firm to be identified by this site as having been affected by the burglary. Many of the businesses were no longer doing business with Colt and have reported that old data were still on computers in the office, unencrypted.

Given the nature and scope of this incident, it would be interesting to see if future contracts with vendors include more provisions about the protection and security of data -- not only at rest, but also upon termination of any contract.

The best information we have. Long list of dubious claims by the city, clear evidence of bad security management...

Sorting out fact from fiction in the Terry Childs case

San Francisco's network-abuse claims raise more questions than answers

By Paul Venezia July 30, 2008

... Here's what seems to be true, what is clearly open for question, and what lessons business IT should draw from this saga.

First, despite the many news reports claiming that Childs had shut down all or part of the city and county of San Francisco's network, what actually happened was that Childs refused to provide his superiors the passwords to the city's core FiberWAN network, effectively preventing them from administering the network. The network continued to function, and no city applications, data, or resources were lost or inaccessible.

... Following the completion of the FiberWAN, Childs looked upon his creation as art -- so much so that he applied and was granted a copyright for the network design as technical artistry. Skeptical of his colleagues' abilities, Childs became the sole administrator of the FiberWAN, and the only person with the passwords to the routers and switches that comprised the network. This state of affairs was widely known throughout DTIS, and Childs was the only point of contact for changes, troubleshooting, and overall management of this network.

Read the actual court documents.
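The lesson business IT should draw from this is the one the article circles around: one person was the only holder of the credentials for the core network. An added example of my own (not code from the article, from InfoWorld or from San Francisco's DTIS) of the standard remedy, split-knowledge custody of the emergency credential with Shamir secret sharing, so that no single administrator holds the enable password alone, yet any three of five custodians can reconstruct it if the sole day-to-day administrator is unavailable or uncooperative. The credential, the custodian count and the threshold are assumptions for illustration; the arithmetic is over the prime field GF(2^521 - 1), which limits the credential to 64 bytes.

```python
import secrets

# Added example, not from the InfoWorld article or from San Francisco DTIS:
# split-knowledge custody of a break-glass credential via Shamir secret
# sharing. Any k of n shares rebuild the secret; k-1 shares reveal nothing.
# Assumptions: the credential is at most 64 bytes; shares are delivered to
# distinct custodians out of band (sealed envelopes, separate key safes).

P = 2**521 - 1  # Mersenne prime; all arithmetic is in GF(P)


def _eval_poly(coeffs, x: int) -> int:
    """Horner evaluation of sum(coeffs[i] * x**i) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: bytes, n: int, k: int):
    """Return n shares (x, y) of a random degree k-1 polynomial whose
    constant term is the secret."""
    if not 0 < k <= n or len(secret) > 64:
        raise ValueError("need 0 < k <= n and a secret of at most 64 bytes")
    s = int.from_bytes(secret, "big")
    coeffs = [s] + [secrets.randbelow(P) for _ in range(k - 1)]  # f(0) = secret
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares, nbytes: int) -> bytes:
    """Lagrange-interpolate f(0) from k or more distinct shares. With fewer
    than k shares the result is a random field element, not the secret."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    # Pad to the original length; a wrong reconstruction may be longer.
    width = max(nbytes, (total.bit_length() + 7) // 8)
    return total.to_bytes(width, "big")


if __name__ == "__main__":
    enable_secret = b"FiberWAN-enable-s3cret!"        # constructed credential
    shares = split_secret(enable_secret, n=5, k=3)    # 5 custodians, any 3 needed
    for x, y in shares:
        print(f"custodian {x}: {y:0130x}"[:40] + "...")
    print(recover_secret(shares[:3], len(enable_secret)) == enable_secret)   # True
    print(recover_secret(shares[1:3], len(enable_secret)) == enable_secret)  # False
```

The point is the operational one rather than the math: the credential still exists, it is still usable in an emergency, but no single employee can hold the organisation hostage with it and no single custodian can quietly use it either. Rotating the credential after any reconstruction, and logging who handed in shares, completes the procedure.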

There is a big difference between, “Let's do it!” and “Let's do it right!” You can't activate a tool without considering the implications.

Study: Customer, Corporate Data at Risk in Telecommuting Environment

Wednesday, July 30 2008 @ 07:18 AM EDT Contributed by: PrivacyNews

From CDT: Telecommuting and the virtual office put sensitive corporate data, including the personal information of customers, at risk of compromise, according to a report released today by the Center for Democracy & Technology and Ernst & Young. The report is based on a survey of 73 organizations and recommends that companies with a telecommuting workforce need to pay more attention to the unique privacy and security risks posed by remote access. The report offers practical advice to companies on securing data accessed by employees working from home or other remote locations.

Study Press Release

Report - Risk at Home: Privacy and Security Risks in Telecommuting [pdf]

Wee! Another 'guest' at Guantanamo? (X-File Alert. This is obviously a UFO cover-up!) Arrested in 2002 following the 9/11 hysteria? I want to learn what hacking was actually done.

British NASA hacker to face U.S. trial

Wed Jul 30, 2008 9:06am EDT

LONDON (Reuters) - A British computer expert lost his appeal on Wednesday against extradition to the United States where he is accused of "the biggest military hack of all time" and could face up to 70 years in prison.

... Using a limited 56K dial-up modem and the hacking name "Solo" he found many U.S. security systems used an insecure Microsoft Windows program with no password protection. [Is simple access a hack? Bob]

He then bought off-the-shelf software and scanned military networks, saying he found expert testimonies from senior figures reporting that technology obtained from extra-terrestrials did exist.

At the time of his indictment, Paul McNulty, U.S. Attorney for the Eastern District of Virginia, said: "Mr. McKinnon is charged with the biggest military computer hack of all time."

An all too familiar problem

Most Sensitive Data on Government Laptops Unencrypted

Tuesday, July 29 2008 @ 01:57 PM EDT Contributed by: PrivacyNews

Only 30 percent of sensitive information stored on U.S. government laptops and mobile devices, including the personal information of U.S. residents, was encrypted a year ago, despite a series of data breaches at government agencies in recent years, according to an auditor's report.

The report, by the U.S. Government Accountability Office, found that 70 percent of sensitive information held on laptops and mobile devices at 24 major U.S. agencies was unencrypted as of last September.

Source - PC World

Related - Information Security: Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains, GAO-08-525, June 27, 2008

Preying on victims, an American tradition!

Privacy group says identity-theft monitoring services may be a waste of money

Many are overpriced and offer protections that can be had for free, PRC claims

By Jaikumar Vijayan

July 29, 2008 (Computerworld) Consumers who sign up for identity-theft monitoring services may be getting a lot less protection against some common types of fraud than they assume they are, according to an online guide released yesterday by the Privacy Rights Clearinghouse (PRC).

What's more, many of the services offered by identity-theft monitoring vendors can often be obtained for free, the San Diego-based privacy advocacy group claimed. [Sounds like a business opportunity to me! Bob]

Microsoft (at last) recognizes their flagship product has reached the end of its useful life?

Microsoft prepares for end of Windows with Midori

Midori is a componentized, non-Windows OS that will take advantage of technologies developed since the advent of Windows and likely will be Internet-based

By Elizabeth Montalbano, IDG News Service July 29, 2008

With the Internet increasingly taking on the role of the PC operating system and the growing prevalence of virtualization technologies, there will be a day when the Microsoft Windows client OS as it's been developed for the past 20-odd years becomes obsolete.

Moot if there is a clear succession plan.

Do investors have a right to know about a CEO’s illness?

Tuesday, July 29 2008 @ 06:52 PM EDT Contributed by: PrivacyNews

Steve Jobs’ health came under scrutiny recently after the Apple chief executive’s gaunt appearance at the company’s developer conference revived memories among observers of his battle with pancreatic cancer in 2004. An analyst subsequently inquired after the CEO’s well-being on a conference call. The company has said that its founder is merely suffering from a common bug. To what extent should any chief executive feel obliged to divulge health details to investors? Is it simply a private matter? And what is the best response when such questions are raised?

Source -

Just a thought, but is this the software you would need to start your own “Internet based” TV network? - Free Shows, Movies

Everyone loves to watch TV, movies, and cable shows. And now, thanks to the internet, we can watch almost anything for free. Almost. We all know how angry the big media companies can get when their precious TV shows are posted on the interwebs without their permission. Lawsuit, anyone? But that hasn't stopped the posting. Take the new site, FreetoWatchTV, which is what its name indicates: TV and movie links provided by users to watch for free. There's no telling how long the site will last, but the concept is good. You can upload whatever TV show or movie you want for others to watch. Or, check out what's on offer now. To view, simply sign up. There are also TV channels to be watched, but you have to get an invite to have access.

Just because they are so easy to pick on...

ABA Judges Get an Earful About RIAA Litigations

Posted by kdawson on Tuesday July 29, @07:20PM from the preaching-to-someone-other-than-the-choir dept.

NewYorkCountryLawyer writes

"I was afforded the opportunity to write for a slightly different audience — the judges who belong to the Judicial Division of the American Bar Association. I was invited by the The Judges Journal, their quarterly publication, to do a piece on the RIAA litigations for the ABA's Summer 2008 'Equal Access to Justice' issue. What I came up with was 'Large Recording Companies vs. The Defenseless: Some Common Sense Solutions to the Challenges of the RIAA Litigations,' in which I describe the unfairness of these cases and make 15 suggestions as to how the courts could level the playing field. I'm hoping the judges mod my article '+5 Insightful,' but I'd settle for '+3 Informative.' Here is the actual article (PDF). (If anyone out there can send me a decent HTML version of it, I'll run that one up the flagpole as well.)"

Wired is helping to spread the word on Ray's article.

I believe people read Jules Verne and thought, “How silly. Man will never make a Submarine.”

Are We Searching Google, Or Is Google Searching Us?

Posted by kdawson on Wednesday July 30, @05:43AM from the eye-to-eye dept.

An anonymous reader writes

"The folks at the Edge have published a short story by George Dyson, Engineer's Dreams. It's a piece that fiction magazines wouldn't publish because it's too technical and technical publications wouldn't print because it's too fictional. It's the story of Google's attempt to map the web turning into something else, something that should interest us. The story contains some interesting observations such as, 'This was the paradox of artificial intelligence: any system simple enough to be understandable will not be complicated enough to behave intelligently; and any system complicated enough to behave intelligently will not be simple enough to understand.' After you read it, you'll be asking the same question the author does — 'Are we searching Google, or is Google searching us?'"

Legal research

July 29, 2008

New on - Legal Research Training for Summer Associates

Reference from Coast to Coast: Summer Musings - Jan Bissett and Margi Heinen provide a timely and valuable refresher on a range of well-sourced, reliable, topical websites, guides, print and program materials useful for summer associate legal research training.

Tech-onomics 101: When a technology reaches the “commodity” stage, prices fall like a stone.

India developing US$10 laptop

India is developing a laptop to be sold at US$10, that will target higher education applications, a minister of the federal government said Tuesday in Delhi.

By John Ribeiro, IDGNS July 29, 2008

... As part of this new "National Mission in Education through ICT", the government is also working on developing a very low-cost and low-power-consuming access device, according to Purandeswari. The government also plans to make available free bandwidth for education purposes to every Indian. [Attention US Presidential candidates! Bob] It plans to use this bandwidth to build a "knowledge network" between and within institutions of higher learning in the country.

We are considering this text for a Security Class – might make a good reference.

Security Engineering: A Guide to Building Dependable Distributed Systems, 2nd Edition

Ross J. Anderson

ISBN: 978-0-470-06852-6

Hardcover 1080 pages April 2008

[As is happening with increasing frequency, the previous edition is available free online. (a mere 600 pages) Bob]

Convergence: Extend your home network to your appliances?

OpenRemote grows in popularity

By Dave Moyer Published: July 29, 2008 - 11:55AM CT

Not too long ago, Marc Fleury went public with his newest venture, an open source home automation "project" (not yet officially a company) called OpenRemote.

... Fleury continues to stress that what makes OpenRemote different from other home automation systems you may have seen is that it focuses solely on the software aspect of things. To help users who want to use the OpenRemote system in their own home, he and the community at OpenRemote have published a Bill of Materials and many other references to assist in the design, construction and implementation process.

You can sign up and join the conversations in the forums to get involved, or just learn a bit more about the system at the official website.

Related. Extend your iPhone to your car... (Any of you Venture Capitalists looking for a start-up?)

Teenager hacks together hardware for controlling your car via phone

by Chris Ziegler, posted Jul 28th 2008 at 11:43PM

Using little more than book knowledge, experience from previous projects, and a healthy shot of elbow grease, a Kenyan kid has constructed a nifty (and perhaps just a little scary) box that attaches to your car to provide a number of unique remote-control features that you're not going to find on your average OnStar setup. The flagship function seems to be the real-time lockout, which can call you as the car is being started; only if you confirm that it's not some baddie trying to jack your ride will the ignition request be granted. That's not all, though -- it'll also let you dial into the car and listen in on any conversations going on within. The young man says he's seeking additional funding to take his project to the next level, but in the meantime, don't even think about making off with a white Mitsubishi the next time you're in Mombasa. Follow the break for a video of the system in action.

Another iPhone hack – sort of a reverse Ringtone for voice mail – and recorded conversations? (Also instructions for the non-iPhone user)

How to Transfer iPhone Voicemail to Your Computer

For my website students

CSS Layouts: 40+ Tutorials, Tips, Demos and Best Practices

Ditto (An attention getter...) - Create Scrolling Text Signs

Signbot is a tool that allows users to create their own animated scrolling text LED sign. To use this tool, users enter in the text which will scroll across the page. Some typed characters will allow for picture text.

... Users then choose the width of the sign, either small, medium, or large. Next they simply select “generate sign” and wait a second for the sign to be produced.

Want to start your own University? - Manage School and Student Data

OpenSIS is a centralized management software system that manages students, classes, facilities, and much more. This downloadable tool offers numerous features to centralize and organize information on students and the school system. The Student Demographics function keeps track of the characteristics of enrolled students. The Contact Information function keeps a complete database of student, parent, and emergency contact info. The Scheduling feature maintains a massive list of all students’ schedules and courses. Grading is kept in line with the Gradebook and Report Cards functions. Other key data, such as health records, attendance, and discipline records, can all be managed with OpenSIS as well. Furthermore, this student information system is free of charge. Users may try out and switch over to OpenSIS at no cost at all.