Saturday, August 23, 2008

Good advice?


Friday, August 22 2008 @ 05:35 PM EDT Contributed by: PrivacyNews

I like to call them "Dear John" data letters. And just like those sad, cold notes from a lover announcing a breakup, those "We've lost your data" letters are almost always frustratingly vague.

A new study from identity theft research firm ID Analytics suggests that's both unfair and risky. The study shows that consumers victimized by insider data theft -- theft by an employee -- are 12 times more likely to be ultimately hit by fraud than victims of an accidental data loss, like a lost laptop computer.

Yet many Dear John data letters announcing security breaches offer precious few details about the circumstances of the loss. That leaves consumers completely in the dark about what to do.

Source - The Red Tape Chronicles

[From the article:

About half of U.S. adults have received at least one such letter, according to the Ponemon Institute.

... Here's why the details matter. ID Analytics analyzed 5 million pieces of identity data stolen in 12 separate insider thefts. More than one-third of consumers exposed by those incidents -- 36 percent -- were ultimately hit by identity fraud. Contrast that with ID Analytics data on lost laptops and hard drives, where victims were hit with fraud only about 3 percent of the time.

... Other circumstances surrounding the breach also help predict the likelihood of fraud, Cook said. This might sound counterintuitive, but the findings suggest that the larger the data leak, the less likely a victim will be hit by fraud.

... Consumers who are victims of data breaches should always get the answers to three critical questions, Cook said: the size of the breach, the precise data involved and the reason it was stolen or lost.

“It is better to look legal than to be legal”

But What If A Takedown Notice Isn't Actually A DMCA Takedown?

from the legal-gymnastics dept

We already covered the judge's ruling about how copyright holders need to consider fair use before sending a DMCA takedown notice, but there's another part of Universal's position in this case that has been widely ignored (even by the judge in the case), but which Ethan Ackerman wisely calls attention to: Universal claims that the takedown letter doesn't violate the DMCA because it wasn't actually a DMCA takedown. Instead, they said it was just a friendly "request."

This may seem like a silly assertion or, at best, a minor side point, but it could become quite important. The DMCA has some very specific conditions that those sending takedowns need to meet -- but there's nothing really stopping anyone from sending a request that isn't specifically a DMCA takedown notice. For copyright holders, this would remove some of the power of the takedown notice, as it wouldn't require the service provider to react, like a DMCA notice does. However, if rulings like this one stand, adding some amount of liability to copyright holders sending DMCA takedown notices, some may actually find it safer to send non-DMCA takedowns on the assumption (probably correct) that most service providers will treat them exactly the same as a DMCA takedown. In other words, would copyright holders "opt-out" of the DMCA terms in order to avoid that liability? It will be worth watching.

Of course, in this case, the court just assumed that even if it didn't hit all the criteria, it was for all intents and purposes a DMCA takedown letter. But that won't always be the situation in future cases -- especially if copyright holders become even more explicit that the letters aren't DMCA takedowns, but some other type of takedown request. And, of course, this could expand as well -- where a total non-copyright holder could send such "requests" for takedowns, and they conceivably might not be violating the DMCA's provision against false takedowns, because they won't even fall under the DMCA. One way or the other, you can bet lawyers are going to be busy.

Rather than keep shoveling money at vaguely defined projects, wouldn't it be simpler to use tools that already work for large volumes of data?

Fatal flaws found in terrorism database

Posted by Stephanie Condon August 22, 2008 2:11 PM PDT

One of the country's most important terrorism databases is on the verge of failure after suffering from gross mismanagement and technical design flaws that went ignored for months, a congressional investigation found.

A congressional committee on Thursday called for an investigation into a program called "Railhead," which was supposed to upgrade the National Counterterrorism Center's integrated terrorist intelligence database, called Terrorist Identities Datamart Environment (TIDE). The database serves the United States' 16 separate intelligence agencies, and as of January, contained more than 500,000 names (PDF), according to the NCTC. The program has cost an estimated $500 million.

Interesting, but a precedent others can use?

NJ: Court says data-mining firms must pay to keep Social Security numbers secure

Friday, August 22 2008 @ 02:01 PM EDT Contributed by: PrivacyNews

A state appeals court today ruled that data-mining companies must pay to have personal information like social security numbers masked from public view.

A three-judge panel of the New Jersey Appellate Division said privacy interests outweigh the interests of companies that gather massive amounts of public real estate records for profit.

... In 2006, Data Trace Information Systems filed an open public records request with the Bergen County Clerk's office requesting microfilm copies of the 13 kinds of realty documents covering decades of information. County officials said the request covered 2,559 rolls of microfilm that contain 8 million pages of documents and would cost $1.8 million.

A trial court judge ruled the records could be released if the company paid to remove social security numbers.

Source -

[From the article:

But allowing social security numbers to be collected and sold provides a "key to access a myriad of information about an individual" including their home, race, contact information, and criminal history, the judges said in the 40-page ruling.

"We are convinced that the right of privacy under the New Jersey constitution ... establishes protection for New Jersey citizens from wholesale disclosure of SSNs," wrote Judge Lorraine Parker, who was joined by Judges Dorothea Wefing and Rudy Coleman.

... "What it means to regular folks is where the legislature has failed to protect the citizens of New Jersey and their personal data, the courts have stepped forward and created a new right of privacy in the constitution," he said.

We can, therefore we must: Pretty mild in the state that made “aggravated littering” a capital crime.

TX: Court to monitor truant students with GPS ankle bracelets

Friday, August 22 2008 @ 05:33 PM EDT Contributed by: PrivacyNews

Court authorities will be able to track students with a history of skipping school under a new program requiring them to wear ankle bracelets with Global Positioning System monitoring.

But at least one group is worried the ankle bracelets will infringe on students' privacy.

Source - Houston Chronicle

[From the article:

"We are at a critical point in our time where we can either educate or incarcerate," Penn said, linking truancy with juvenile delinquency and later criminal activity.

... Asked why the students have to wear the ankle bracelet all the time instead of just the school day, Penn cited problems with runaways.

Related? When you have proof that the students are smarter than the Principal, shouldn't he be fired?

Principal Loses Lawsuit Against Students Over Fake MySpace Profile

from the taking-the-pal-out-of-principal dept

You may remember a story we had last year about a principal at a school so overreacting to some students creating a fake MySpace profile for him that he took them to court. It's one thing to ask MySpace to take down such a profile or to discipline the students in school (both of which would likely backfire as well), but to take them to court seems extreme. And, apparently, the courts think so too. An appeals court has upheld a lower court ruling that there was no defamation or intentional infliction of emotional distress in the case. Of course, the judge does also scold the kids for their "unacceptable" conduct. Luckily for the kids, "unacceptable" wasn't against the law in this case.

Wouldn't cooperation have been better, strategically?

Interview With MIT Subway Hacker Zack Anderson

Posted by timothy on Friday August 22, @03:01PM from the clearly-a-terrorist dept.

longacre writes

"In his most extensive interview since the DefCon controversy emerged, MIT subway hacker Zack Anderson talks with Popular Mechanics about what's wrong with the Charlie Card, what happened at DefCon, and what it's like to tango with the FBI and the MBTA. The interview comes on the heels of Tuesday's court ruling denying motions by the MBTA to issue a preliminary injunction aimed at keeping the students quiet for a further five months."

[From the article:

Popular Mechanics: All this started as a class project at MIT—is that right?

Zack Anderson: For Computer Network Security class, and it was basically the final project.

... Some significant physical security problems were present—not technology related, just things that are very easily overlooked. People could hit a button in an open box and all the turnstiles would open. I mean, why resort to some high-tech hack when you could just hit a button?

We also looked at the Charlie Ticket, which is a magnetic card. Actually, the MIT Tech [the university's daily newspaper] has a good article that basically went over everything that was made public—some of which came out through MBTA filings, not through anything we released.

I got a map of the campus.

Welcome, Freshmen. Have an iPod.

By JONATHAN D. GLATER Published: August 20, 2008

Taking a step that professors may view as a bit counterproductive, some universities are doling out Apple iPhones and Internet-capable iPods to students.

Related? Making markets rather than trying to capture existing ones...

Bringing Cell Phones To the Third World

Posted by Soulskill on Saturday August 23, @08:20AM from the strength-through-communication dept.

An anonymous reader tips a story about Denis O'Brien, a mobile phone entrepreneur whose goal is to spread cell phones throughout third-world countries. Quoting:

"...O'Brien keeps pouring money into the world's poorest, most violent countries. His bet: Give phones to the masses and they'll fight your enemies for you. ...In Trinidad & Tobago, where the state mobile phone firm was dragging its feet on connecting Digicel calls to its own customers, O'Brien harangued government officials to speed things up, even phoning one Christmas night to complain. After the launch the state firm started dropping Digicel calls anyway, making its new competitor look bad. O'Brien took his case to the people, taking out ads in T&T's papers listing life 'Before Digicel' and 'After Digicel' and held a press conference. The state firm eventually relented. In its first four months Digicel bagged 600,000 customers and is narrowing the gap now with the state in market share."

Well, it's cheaper than armed guards... (It's not just for your pets any more...)

Wealthy Mexicans Getting Chipped in Case of Abduction

Posted by samzenpus on Friday August 22, @04:44PM from the human-Lojack dept.

Because the number of abductions in Mexico has jumped almost 40% in the past 3 years, the wealthy are getting subcutaneous transmitters so they can be tracked when kidnapped.

Never fear! We'll have it fixed by early December at the latest!

Ohio's voting machine glitch exposed

Touch-screens can't be fixed before election, Brunner says

Thursday, August 21, 2008 8:34 PM By Mark Niquette THE COLUMBUS DISPATCH

The maker of touch-screen voting machines used in half of Ohio's counties has admitted that its own programming error is to blame for votes being dropped in some counties.

The problem can't be fixed before the Nov. 4 election, so Premier Election Solutions and Secretary of State Jennifer Brunner are issuing guidelines to counties for how to avoid the problem. [Deny everything! Bob]

... But in a letter Tuesday to Brunner, Premier President David Byrd admitted that further testing showed a source-code error that can cause votes not to be recorded when memory cards are uploaded to computer servers under certain circumstances. [Like when the (insert party here) has the most votes. Bob]

... But Premier spokesman Chris Riggall said the programming problem had gone undetected after years of use and both federal and state testing. [Translation: we got away with it... Bob]

... She noted that Brunner has been issuing directives recently dealing with security measures surrounding the election and is expected to address computer server security soon.

"This is something that we will watch very closely," Leininger said. [This does not sound like a security issue – the machines are working as (mis?)-programmed. Bob]

Very impressive! Its ability to find “similar” images could be useful. - Reverse Image Search

Google’s image search is a great place for you to find images. But what if you want to see where an image you have can be found on the internet? If you want to find that out, check out This site allows you to upload a picture and find where on the internet you can find it. This will allow you to find more pictures like it, or know if your friends have been uploading pictures of you to their profiles. It’s surprising to see how accurate the image matching capabilities of the site are. It takes seconds for the site to tell you where the image you uploaded comes from. People worried about copyright infringement should love this site. Just upload a copyright protected picture and the site will tell you if someone has used it illegally. It’ll be interesting to see if the results get better as the site improves its search algorithms.

I love lists, someone has already done the hard work, all I need do is see if anything on the list is interesting – and a few of these are.

The Top 100 Undiscovered Web Sites — These sites let you crunch the numbers, analyze the data, or just look up who that one guy is in that one movie.

You'll forgive me if I think this proves the French are crazy. Apparently driving while blind is perfectly legal in France!

Blind Frenchman fined for drunk driving

Fri Aug 22, 7:54 AM ET

NANCY, France (AFP) - A blind journalist was given a month's suspended jail sentence and fined 500 euros (750 dollars) by a French court Friday for driving while drunk and without a license.

Friday, August 22, 2008

Interesting procedure for keeping data safe...

UK: Data on 130,000 criminals lost

Friday, August 22 2008 @ 05:54 AM EDT Contributed by: PrivacyNews

Confidential information on almost 130,000 prisoners and dangerous criminals has been lost by the Home Office, sparking yet another Government data crisis.

.... A Home Office spokesman said that the memory stick had been lost by PA Consulting, a private company they employed to track and analyse serious and prolific offenders in the "JTrack" programme. The Home Office sent the personal details on the criminals to the company on a secure encrypted email, which was then transferred in an unencrypted form on to the memory stick, which was then lost.

Source - Telegraph

[From the article:

The loss of the details, which were stored on an unencrypted computer memory stick, has raised fears that the taxpayer may now face a multi-million pound compensation bill from criminals whose safety may have been compromised and police informants who could be at risk of reprisals.

Related: Big Brother loves you!

UK Gov't Lost Personal Data On 4M People In One Year

Posted by timothy on Friday August 22, @04:36AM from the of-which-they-are-aware dept.

An anonymous reader writes

"The U.K. government has lost the personal information of up to four million citizens in one year alone. The astonishing figures, calculated by the BBC, added up as Whitehall departments slowly released their annual reports for the year to April. And the trend has not stopped — in the latest revelation, HM Revenue Customs, which infamously lost the details of 25 million child benefits claimants last November on two unencrypted discs, experienced 1,993 data breaches between 1 October last year and 24 June."


They must be following some pre-breach script. Perhaps they should THINK before mouthing platitudes?

Cost Plus reports breach in security

Friday, August 22 2008 @ 06:01 AM EDT Contributed by: PrivacyNews

Cost Plus World Market got the first hint of trouble in mid-June when two employees reported unauthorized transactions on their debit card accounts.

By early July, bank card companies and other financial institutions were reporting a spate of fraudulent debit card transactions linked to several of the Oakland-based company's Southern California stores, including three in San Diego.

Cost Plus, a retailer of food, wine and furniture, began alerting customers July 22 that the debit card PIN pads at select stores had been tampered with between February and April. As a result, an unknown number of account numbers and PINs were hijacked, according to the company.

“We have now identified 11 stores,” Cost Plus spokesman Ronald Low said yesterday. “We believe this is an isolated incident involving a very small number of stores over a specific period of time.”

Source - SignOnSanDiego

[From the article:

There have been no reports of any credit card fraud associated with the incident, he said. [Except the fraud they reported in paragraphs one and two. Why didn't the reporters notice this? Bob]

... “Cost Plus is working with its bank and with the payment card companies to ensure that affected customers are identified in a timely manner,” Low said.

... Low said the company is working with law enforcement officials to identify those involved in the crime. [Translation: We have no record of customer payments... Bob]

... Cost Plus has now changed its point-of-sale procedures and has begun replacing the PIN pad devices throughout all of its 300 stores nationwide, Low said. That process will be completed by the end of this month. [A “rush” security upgrade is cheaper than allowing the fraud to continue? Interesting. Bob]

The flip side of Identity Theft – one group of 'end users' (If “guest workers” come to the US, could we “rent” them our SSANs for the increased retirement benefits?)

Agriprocessors identity theft puts data of 230-plus at risk

Friday, August 22 2008 @ 06:55 AM EDT Contributed by: PrivacyNews

The Social Security numbers used to employ illegal immigrants at Postville's meatpacking plant were stolen from people in at least 25 states, including two people from Iowa, and from 38 people who are dead, an analysis by The Des Moines Register shows.

The identity theft exposed during the federal raid at Agriprocessors Inc. may have imperiled the private information of more than 230 citizens and lawful immigrants whose Social Security or resident alien numbers were used by the illegal workers.

One federal official declined to say whether victims of the identity theft had been notified. Another said immigration officials generally do not notify victims. [Well, that clears that up! Bob]

Source - Des Moines Register


MI5 report challenges views on terrorism in Britain

Exclusive: Sophisticated analysis says there is no single pathway to violent extremism

Alan Travis, home affairs editor The Guardian, Thursday August 21 2008

If we don't get the answers we like we might 'counsel' the parents (or we could ignore the whole thing and just party on our grant money.)

School officials ponder privacy issues involving section of Healthy Youth Survey

Friday, August 22 2008 @ 06:05 AM EDT Contributed by: PrivacyNews

Substance abuse prevention groups in Cowlitz County are asking for more in-depth screening on students' attitudes on drugs, alcohol and smoking.

Since 2004, students in all Cowlitz County school districts have taken the Healthy Youth Survey every other year to provide substance prevention groups with information. Districts have had the option to tear off a sheet with more detailed and personal questions, but prevention groups say federal programs are requiring them to get answers to those questions to qualify for grants.

Source - TDN

[From the article:

Questions for elementary school students

• Do your parents give you lots of chances to do fun things?

• Do you enjoy spending time with your mother? Father?

• If you had a personal problem, could you ask mom or dad for help?

• How often do your parents tell you they are proud of something you have done?

For middle and high school students only

• Does your family have clear rules about alcohol and drug use?

• Would your parents know if you did not come home on time?

• If you carried a handgun without your parents’ permission, would you be caught by them?

• How wrong do your parents feel it would be for you to drink beer? Wine? Hard liquor? Smoke cigarettes? Smoke marijuana?

• If you skipped school, would you be caught by your parents?

“We'd like to instill a 'copyright phobia' in the youth of America.”

Nonprofit Distributes File Sharing Propaganda to 50,000 U.S. Students

By David Kravets August 21, 2008 | 6:06:37 PM

We're referring to an educational comic strip (fat .pdf) on unlawful file sharing of music developed by judges and professors to teach students about the law and the courtroom experience.

It was produced by the National Center for State Courts, a nonprofit describing itself as an "organization dedicated to improving the administration of justice by providing leadership and service to court systems in the United States."

But the story line here is a miscarriage of justice at best -- even erroneously describing file sharing as a city crime punishable by up to two years in prison.

Related? Non-profits are not the only ones re-inventing the law.

Comments of the World Privacy Forum regarding the Border Crossing Information System

Friday, August 22 2008 @ 06:19 AM EDT Contributed by: PrivacyNews

The World Privacy Forum submitted public comments today to the Department of Homeland Security regarding its proposed Border Crossing Information System. The BCI system would set up a database of all border crossings via car, rail, air and other means, including collecting identifiable data on the activities of American citizens. Information collected includes biographical and other information such as name, date of birth, gender, a photograph, itinerary information, and the time and location of the border crossing. The WPF comments focus entirely on the proposed Routine Uses of the system. As currently written, the DHS proposal contains some Routine Uses that directly contravene the Privacy Act of 1974 and are illegal. Other Routine Uses are overbroad and vague, and still others contravene guidance from the Office of Management and Budget (OMB). One example of an overbroad Routine Use is Routine Use J, which will allow DHS to release data collected for the Border Crossing Information System for hiring decisions or contract awards. This information may be requested by Federal, state, local, tribal, foreign, or international agencies. Another Routine Use, G, impermissibly duplicates and weakens the Privacy Act's condition of requirement for notice when information is disclosed in certain circumstances.

Source - WPF Comments [pdf]

An industry out of control? “We can change our Privacy Policy at any time (or ignore it completely) and if we sell you ‘unlimited high-speed Internet access’ we can substitute ‘limited low-speed’ whenever we want.”

A regulatory body that won't? No fine, no audits, just make your customer abuse “fair.”

Comcast to slow down heaviest 'Net users to DSL speeds

By Nate Anderson Published: August 21, 2008 - 11:43AM CT

The FCC yesterday issued its Order officially directing Comcast to stop using its current P2P-focused delaying technology to relieve network congestion. The company has until the end of the year to switch to a new throttling system that doesn't discriminate based on protocol, and Comcast is now offering more details about how it will do this. Heavy Comcast Internet users: prepare to be deprioritized.

“Hey! Comcast got away with it! That means we can too!”

Verizon: we need freedom to delay P2P traffic when necessary

By Nate Anderson | Published: August 21, 2008 - 05:10AM CT

... Lynch laid out Verizon's view on the matter: time-sensitive packets like VoIP should be prioritized over less-sensitive packets like P2P, but the company remains committed to "deliver any and all data requested by our customers." [...eventually. Bob]

I like guides. Sometimes I can even understand them!

Legal group releases guide to GPL compliance

Software Freedom Law Center says most GPL compliance violations stem from a few common mistakes that can be easily avoided

By Chris Kanaracus, IDG News Service August 21, 2008

Something to tease my website students... (Never underestimate the power of cute! )

A Small Empire Built on Cuddly and Fuzzy Branches Out From the Web

By DAN MITCHELL Published: August 19, 2008

... Stranger still, the birth of Cute Overload was almost purely accidental. Meg Frost, a 36-year-old design manager at Apple, started three years ago to test Web software. Within months, it became an online institution, drawing about 88,000 unique visitors a day — about the same as the political gossip blog Wonkette.

... Viewers send her about 100 submissions a day, and in doing so, grant her full republishing rights, she said. Ms. Frost is free to reuse the photos as she pleases. The calendar’s success may be just the beginning. She hints at other projects, possibly including a video channel. [Quick! Lock up! Can we patent cuteness? Bob]

... According to Blogads, a “premium” ad on Cute Overload costs about $2,000 a week, with an estimated 808,000 page views.

The site also offers “standard” ads for $500 a week. Those are taken up mostly by small companies serving what might be called the “cute market.” Sublime Stitching, for example, sells “cute embroidery patterns,” like “Forest Friends,” while Shanalogic offers clothing and accessories emblazoned with cute imagery.

According to Blogads, there are nine “standard” ads currently running on Cute Overload. [Nine times $500... Not too shabby. Bob]

... It is all about niches and demographics, said Henry Copeland, founder of Blogads. The audience is overwhelmingly female and between 18 and 34. “For these women,” he said, “recently graduated from college and sitting in grim corporate America, Cute puts them in touch with their nonwork selves. It’s escapism.”

Hacking for fun and profit! (Sure to complicate those patent applications?) - Hackers Come Together is a website on which hackers can come up with hacking projects and present them to their friends and peers. This will allow hackers from around the world to hack their way to a new friendship. If you have an idea, you’ll be able to submit it. If people find it interesting, your idea will be ranked higher. The higher an idea is ranked, the higher are the chances that it’ll get done by someone. Creative hackers will also be able to post ideas for new start ups, in order for investor to find them and start doing business. The ideas on the site range from simple startups to really complicated ideas that if put to work, could really change the way the internet is used. All in all, this site could be a place for investors to find the next Bill Gates.

Interesting, but with many shortcomings. Be sure to watch the video! (And the site was overloaded!)

From Snapshots, a 3-D View

By DAVID POGUE Published: August 21, 2008

... Wednesday, Microsoft introduced yet another way to represent a place: Photosynth. This sophisticated technology does a simple thing. It turns a bunch of overlapping photos into a 3-D panorama.

Global Warming! Global Warming!

2008 Is the Coldest Year of the 21st Century

Posted by timothy on Thursday August 21, @08:20PM from the problem-with-complexity-is-all-the-complexity dept.

dtjohnson writes

"Data from the United Kingdom Meteorological Office suggests that 2008 will be an unusually cold year due to the La Nina effect in the western Pacific ocean. Not to worry, though, as the La Nina effect has faded recently so its effect on next years temperatures will be reduced. However, another natural cycle, the Atlantic Multidecadal Oscillation, is predicted to hold global temperatures steady for the next decade before global warming takes our planet into new warmth. If these predictions are correct, there must be a lot of planetary heat being stored away somewhere ... unless the heat output from the sun is decreasing rather than increasing or the heat being absorbed by the earth is decreasing due to changes in the earth's albedo."

Dilbert hates PowerPoint! (or perhaps bad PowerPointers)

Thursday, August 21, 2008

Couldn't happen to a better victim (from a Security Manager's perspective) Willing or not, this CEO will learn a lot about security and privacy in the next few months.

UK bank chief stung in ID theft scam

Wednesday, August 20 2008 @ 07:09 PM EDT Contributed by: PrivacyNews

Accounts belonging to Andy Hornby, 41, who earns an estimated £1m a year, were frozen after unauthorised withdrawals of at least £7,000 from his accounts. UK tabloid The Sun reports that crooks used an old bank statement from Hornby to pose as the bank chief.

Hornby, who took over as chief exec of HBOS in 2006, was reportedly told of the breach while he was on holiday. The exact mechanism of the audacious scam is unclear, but it seems that a fraudster succeeded in persuading HBOS to issue replacement cards or other account credentials.

Source - The Register Thanks to Brian Honan for the link.

[From the article:

HBOS declined to discuss the alleged fraud, which raises questions about its internal systems as well as the care its chief exec takes with his own banking details.

The breach is hugely embarrassing, but not unprecedented. In January a thief defrauded Barclays of £10,000, having tricked staff into handing out a credit card while posing as its chairman Marcus Agius.

“Greetings new customer! Welcome to the Wells Fargo family! We want you to enjoy all the benefits available to our existing customers, so let me explain our friendly Victims of Identity Theft process...”

Another Wells Fargo incident: Tape with bank records ‘lost'

Wednesday, August 20 2008 @ 08:10 PM EDT Contributed by: PrivacyNews

A computer data tape with customer information from five new Wells Fargo banks is missing.

Banks involved are Shoshone First Bank in Cody and Powell, Jackson State Bank & Trust, Sheridan State Bank, First State Bank of Pinedale and United Bank of Idaho in Driggs.

“The tapes were being transported from one bank site to another,” SFB executive vice president Glenn Ross said. “When they (staff) arrived at the site they discovered the tape was missing.”

The information on the computer tape included names, addresses, Social Security numbers and account numbers.

“The tapes may have contained account balances and phone numbers, but we can't say they specifically had that information for all customers,” Ross added.

Source - Cody Enterprise

[From the article:

“But we can definitely say this wasn't a theft. [I can say the moon is made of green cheese... Bob]

“The tape was lost in transit,” he added. “People can feel safe the information wasn't stolen.” [“Rejoice! It wasn't hackers! We have met the enemy and they is us!” Bob]

This could be interesting. Let's hope they use a rating scale with levels like: “Totally Clueless,” “It Takes Real Work to be This Bad” and “Forrest Gump could Hack these Bozos.”

Hilb Rogal & Hobbs To Launch Privacy Breach Index With Ponemon Institute

Thursday, August 21 2008 @ 07:16 AM EDT Contributed by: PrivacyNews

Hilb Rogal & Hobbs Co. said it teamed with the Ponemon Institute, a privacy and information management research firm, to launch the Privacy Breach Index. Hilb Rogal & Hobbs indicated the Privacy Breach Index as the first publicly available benchmarking tool to objectively measure a company's response to data loss or theft, especially when it concerns information about people and their families.

Source - RTTNews

A copy of the Privacy Breach Index(TM) Executive Summary and a questionnaire that can be used to create a company's PBI score will be made available for download via the following link:

Related? Maybe we should blame the victim.

30% Of Internet Users Admit To Buying From Spam

from the hence-your-email-inbox dept

Over the years, we've seen plenty of studies or reports about the people who actually buy from spam. The percentages vary widely, with one report saying 4% of spam recipients buy from spam, another saying 11% and another saying 20%. Those were all a few years ago. A more recent study is now claiming that 30% of people will readily admit to buying from spam. Of course, the methodologies could be different, as some may count things such as marketing emails that you signed up for as spam, while others probably would not. Either way, it's clear that plenty of people [a tiny percentage of a global population Bob] are still buying, because otherwise spam would have died out a long time ago.

There is one other interesting point made in the study. It notes that the industry consensus is that less than one in a million emails leads to a sale (actually, the report says ten in ten million, but I don't see why that shouldn't be reduced), but that number is somewhat misleading, because so much spam is caught in filters. So, the percentage of spams that get through and lead to a sale is much, much higher.

Definitely needs work, but has potential!

Update: Online encyclopedia lists internal network security threats

Promisec includes popular Web-based applications among possible data-loss threats

By Amir Ben-Artzi, IDG News Service August 20, 2008

A free online encyclopedia of internal network security issues was released Tuesday by network security provider Promisec, which includes popular Web-based applications among possible data-loss threats.

Law in the Cloud. Understand the technology you use or it will bite you. (Technology is like lion taming...) “Ignorance of the (lack of a) law is no excuse!”

Cloud computing lets Feds read your email

Wednesday, August 20 2008 @ 07:05 PM EDT Contributed by: PrivacyNews

... On July 11, 2008, Steven Warshak, the president of a nutrition supplement company, learned the hard way (pdf) about the dangers of using web-based email. On May 6, 2005, the government got such an order for the contents of his emails.

Generally, the internet service provider (ISP) is required to give the subscriber notice of the subpoena, but the statute allows a delay of up to 90 days if the government just asks for the data and the court finds that "there is reason to believe that notification of the existence of the court order may have an adverse result", like endangering the life or physical safety of an individual, flight from prosecution, destruction of or tampering with evidence, intimidation of potential witnesses, or otherwise seriously jeopardizing an investigation or unduly delaying a trial. Using this provision the government got an order allowing it to delay telling Warshak of its access for 90 days, until early July 2006. July came and went, as did August, September, October, November, December, January, February, March, April and May of 2007 before the government finally got around to telling Warshak that it had been reading his mail.

Source - The Register

Thanks to Brian Honan for the link.

[From the article:

Warshak, like many others, used web-based or third-party provided email services like Yahoo! mail and NuVox communications. Thus, his inbox and outbox were literally out of his hands. If Warshak had used an internal email service that he controlled and the government wanted to get access to the contents of his email, they would have had to do it the old-fashioned way: Obtain a search warrant supported by probable cause, issued by a neutral and detached magistrate, specifying the place to be searched and the items to be seized. [Choosing new technologies removes your rights under old laws (and constitutions) Bob]

... The Warshak court said that it had no idea if emails potentially seized by the government without a warrant would be subject to any expectation of privacy by Warshak. The Court noted that ISPs have all kinds of policies and practices regarding the privacy of their customers electronic communications, with some like AOL saying that the ISP "will not read or disclose subscribers' emails to anyone except authorized users," some like Juno saying they "will not intentionally monitor or disclose any private email message" but that it "reserves the right to do so in some cases" and some like Yahoo stating that they shall have the right to pre-screen content, or that content may be provided to the government on request.

... The government urged the court to go even further, arguing that there is no constitutional protection of privacy in email where, for example, the ISP used malware scanners to look for malicious code in email or deep packet inspection of email.

... The real problem with the Warshak Court's ruling - and here is where it gets dangerous - is that it essentially held that your expectation of privacy with respect to the government's seizure of your email is dictated by the terms of the contract with the ISP.


AU: No such thing as privacy: top judge

Thursday, August 21 2008 @ 06:05 AM EDT Contributed by: PrivacyNews

People's willingness to talk loudly on mobile phones and reveal personal information about themselves online indicates that the privacy laws may require a rethink, says the country's top judge, Murray Gleeson.

In his final public address as Chief Justice of the High Court, Justice Gleeson said yesterday that he had begun to change his view that "certain things … were self-evidently private".

Source - The Sydney Morning Herald

[From the article:

Graham Greenleaf, an expert on privacy and information technology law at the University of NSW, said that legal definitions of privacy were "not static" and new technologies had enabled people to be increasingly willing to disclose information [Probably lost something in the translation from the Australian, but aren't we assuming “Perfect Knowledge” of the technology and the consequences of its use? Bob] that would once have been considered private.

... "People are only now beginning to understand the privacy implications of social-networking sites and user-generated content … It may be that the pendulum will swing away somewhat from the great enthusiasm for disclosure that we are seeing now." [Let's encourage that... Bob]

Related Brief but interesting...

Short Cuts

Daniel Soar

[You have no privacy – deal with it. Bob]

Related Then there are the “Please don't throw me into the briar patch” laws.

Analysis: FCC Comcast Order is Open Invitation to Internet Filtering

By David Kravets August 20, 2008 | 3:53:43 PM

... In essence, the commission said carriers cannot discriminate against file sharing protocols, but they may act as traffic cops and block illegal material and "transmissions that violate copyright law."

[The order:

Related? We need to search the world for better interpretations of the US Constitution?

Boston Court's Meddling With 'Full Disclosure' Is Unwelcome

Bruce Schneier

In eerily similar cases in the Netherlands and the United States, courts have recently grappled with the computer-security norm of "full disclosure," asking whether researchers should be permitted to disclose details of a fare-card vulnerability that allows people to ride the subway for free.

The "Oyster card" used on the London Tube was at issue in the Dutch case, and a similar fare card used on the Boston "T" was the center of the U.S. case. The Dutch court got it right, and the American court, in Boston, got it wrong from the start -- despite facing an open-and-shut case of First Amendment prior restraint.

Our “First Line of Defense” -- god help us. (Probably been done hundreds of times before, but domestic calls don't impact the budget.)

FEMA Phones Hacked, Calls Mideast and Asia

Posted by CmdrTaco on Thursday August 21, @09:30AM from the oh-that's-just-not-good dept.

purplehayes writes

"A hacker broke into a Homeland Security Department telephone system over the weekend and racked up about $12,000 in calls to the Middle East and Asia. The hacker made more than 400 calls on a Federal Emergency Management Agency voicemail system in Emmitsburg, Md., on Saturday and Sunday, according to FEMA spokesman Tom Olshanski."

[From the article:

The voicemail system is new and recently was installed.

... This type of hacking is very low-tech and "old school," said John Jackson, a St. Louis-based security consultant. It was popular 10 to 15 years ago.

... Sprint caught the fraud over the weekend and halted all outgoing long-distance calls from FEMA's National Emergency Training Center in Emmitsburg. [I hope they checked with someone first! Bob]
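The carrier's catch in the story above is exactly the kind of anomaly a PBX or voicemail administrator can look for in their own call-detail records (CDRs) rather than waiting for the phone bill. The following is an added example, not from the article or from FEMA or Sprint: a small Python detector run over a constructed CDR export (the extension names, dialled numbers and thresholds are all invented), flagging any originating port that places a burst of international calls outside business hours.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample CDR export (not real FEMA data): timestamp, originating
# extension or voicemail port, dialled digits, duration in minutes.
SAMPLE_CDRS = """timestamp,source,dialled,minutes
2008-08-15 14:02:10,2201,3015550123,4
2008-08-15 16:40:55,2310,2125550199,12
2008-08-16 01:12:03,VM-PORT-7,011962555010123,9
2008-08-16 01:31:44,VM-PORT-7,011963555010245,15
2008-08-16 02:05:19,VM-PORT-7,011855555010398,11
2008-08-16 02:52:31,VM-PORT-7,011632555010477,22
2008-08-16 03:20:08,VM-PORT-7,011962555010511,8
2008-08-16 09:15:00,2201,4105550177,3
2008-08-17 00:44:12,VM-PORT-7,011855555010630,17
2008-08-18 10:30:00,2310,0114420555018,6
"""

INTL_PREFIX = "011"            # North American international dialling prefix
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 local time counts as working hours


def parse_cdrs(text: str) -> list:
    """Parse the CSV export into typed records."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S"),
            "source": r["source"],
            "dialled": r["dialled"],
            "minutes": int(r["minutes"]),
        })
    return rows


def is_off_hours(ts: datetime) -> bool:
    """Weekends (Mon=0 ... Sun=6) or any time outside BUSINESS_HOURS."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def find_toll_fraud(rows: list, max_calls: int = 3, max_minutes: int = 30) -> list:
    """Aggregate off-hours international calls per originating port and raise an
    alert when either the call count or total minutes exceeds its threshold.
    Thresholds are assumed values; tune them to the site's normal traffic."""
    per_source = defaultdict(lambda: {"calls": 0, "minutes": 0, "codes": set()})
    for r in rows:
        if r["dialled"].startswith(INTL_PREFIX) and is_off_hours(r["ts"]):
            s = per_source[r["source"]]
            s["calls"] += 1
            s["minutes"] += r["minutes"]
            # Crude destination grouping: three digits after the prefix.
            # Real country codes are 1-3 digits; good enough for an alert summary.
            s["codes"].add(r["dialled"][3:6])
    alerts = []
    for source, s in sorted(per_source.items()):
        if s["calls"] >= max_calls or s["minutes"] >= max_minutes:
            alerts.append({
                "source": source,
                "calls": s["calls"],
                "minutes": s["minutes"],
                "destinations": sorted(s["codes"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_toll_fraud(parse_cdrs(SAMPLE_CDRS)):
        print(alert)
```

Only the voicemail port that dialled abroad through the Saturday night is reported; the Monday-morning international call from a normal extension is ignored because it falls inside working hours. A system that was "new and recently installed" is a good reason to run something like this daily until its baseline traffic is understood.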

Is this truly the first? No court has said “you must read the entire law before claiming a violation?”

Judge: Copyright Owners Must Consider 'Fair Use' Before Sending Takedown Notice

By David Kravets August 20, 2008 | 6:21:03 PM

In the nation's first such ruling, a federal judge on Wednesday said copyright owners must consider "fair use" of their works before sending takedown notices to online video-sharing sites.

The 10-page decision (.pdf) came a month after Universal Music told a San Jose, California federal judge that copyright owners need not consider the "fair use" doctrine before issuing takedown notices requiring online video-sharing sites to remove content.

... Fogel added that an "allegation that a copyright owner acted in bad faith by issuing a takedown notice without proper consideration of the fair use doctrine thus is sufficient to state a misrepresentation claim."

... The case considered a lawsuit brought by a Pennsylvania woman whose 29-second garbled video of her toddler dancing to Prince's "Let's Go Crazy" was removed last year after Universal sent YouTube a takedown notice under the DMCA. [and a boring little video at that... Bob]

... Universal argued that copyright owners may lose the ability to respond rapidly to potential infringements if they are required to evaluate fair use prior to issuing takedown notices. [“You want us to actually look at it? What are you, nuts!” Bob]

I hope these guys don't fly very often...

Ninth Circuit rules people on 'no-fly' list can challenge status in federal courts

Devin Montgomery at 2:39 PM ET Tuesday, August 19, 2008

The US Court of Appeals for the Ninth Circuit [official website] ruled [decision, PDF] Monday that those placed on the government's "no-fly list" can challenge their inclusion on the list in federal district courts. The issue came before the court in a case brought by a woman on the list, in which a district court had ruled that it lacked jurisdiction because of a law [statute text] exempting Transportation Security Administration (TSA) [official website] orders from federal trial court review. Reversing the decision, the Ninth Circuit held that the Terrorist Screening Center [official website] which actually maintains the list is a subsection of the Federal Bureau of Investigation (FBI) and is therefore subject to review by the district courts:

Shouldn't management be logging and reviewing this already?

Ie: New guidelines to tighten up data protection in insurance sector

Wednesday, August 20 2008 @ 07:03 PM EDT Contributed by: PrivacyNews

Plans have been announced to make the data protection in the insurance sector more secure..... It follows revelations that the Department of Social and Family Affairs was routinely leaking social welfare and employment records to the insurance firms, to help them investigate claims.

Under the new code, companies must keep a record of exactly how their customers' personal data is being used.

Source - Thanks to Brian Honan for the link.

On the other hand...

Changes to PCI standard not expected to up ante on protecting payment card data

Wednesday, August 20 2008 @ 08:13 PM EDT Contributed by: PrivacyNews

The group that administers the Payment Card Industry Data Security Standard — or PCI, for short — this week released a summary of the changes that are being made to the requirements in a revision scheduled to be published in October.

As expected, the modifications that the PCI Security Standards Council is implementing in the upcoming Version 1.2 of the standard are largely incremental in nature and appear unlikely to cause any major new compliance challenges for companies, analysts said. In fact, the update will ease some of the mandates set by the standard, such as how quickly software patches need to be applied to systems.

Source - Computerworld

Now there's a sad statistic

42% of Web Users Sneak Onto Other Online Accounts

Posted by samzenpus on Wednesday August 20, @09:51PM from the what-are-you-doing-there dept.

An anonymous reader writes

"In an online survey, 42 percent of Internet users admitted to logging into other people's email and social networking accounts without their knowledge. The poll doesn't ask if passwords were found, granted, or stolen — which would make for further interesting results. The write-up summarizing the results defines the respondents as part of an "educated tech-readership" and questions the ethics of logging onto someone else's account, and whether those differ depending on the person and relationship."

Tools & Techniques: Don't bother detecting secret messages, just scramble them. Let's hope this does not become common. Imagine the impact if x-rays are modified, for example.

Are you hiding secret messages in LOLCAT photos? — Earlier this year, someone at the US Department of Justice smuggled sensitive financial data out of the agency by embedding the data in several image files. Defeating this exfiltration method, called steganography, has proved particularly tricky, but one engineering student has come up with a way to make espionage work against itself.

[From the article:

Bertolino’s method turns this technology on itself. The key to jamming steganography, he says, is using steganography—what he calls “double-stegging.” Double-stegging adds some noise, scrambling some of the image’s least-significant bits. “As long as you’re damaging at least some part of the file,” Bertolino explains, the hidden file becomes garbled and cannot be deciphered.
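To make the "double-stegging" idea concrete, here is an added example (not code from the article or from Bertolino) in Python. A flat byte array stands in for an image's pixel data, textbook least-significant-bit embedding plays the role of the exfiltration channel, and the jammer overwrites the LSB of a random quarter of the pixels. The payload, the cover and the jam fraction are all constructed values.

```python
import random

# Constructed "image": a flat array of 8-bit greyscale pixel values, a stand-in
# for the pixel data of a real photo (no image library needed).
def make_cover(n_pixels: int, seed: int = 1) -> bytearray:
    rng = random.Random(seed)
    return bytearray(rng.randrange(256) for _ in range(n_pixels))

SECRET = b"constructed sample payload: not a real document"


def _bits(data: bytes):
    """Yield the bits of data, most-significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def lsb_embed(cover: bytes, payload: bytes) -> bytearray:
    """Textbook LSB steganography: a 16-bit length header followed by the
    payload, one bit per pixel in that pixel's least-significant bit.
    This is the kind of scheme the jammer below is meant to break."""
    bits = list(_bits(len(payload).to_bytes(2, "big") + payload))
    if len(bits) > len(cover):
        raise ValueError("cover image too small for payload")
    out = bytearray(cover)
    for i, b in enumerate(bits):
        out[i] = (out[i] & 0xFE) | b
    return out


def lsb_extract(stego: bytes) -> bytes:
    """Reverse of lsb_embed. The declared length is clamped to what the image
    can hold, so a corrupted header yields garbage rather than an IndexError."""
    def read(n_bytes: int, offset: int) -> bytes:
        out = bytearray()
        for k in range(n_bytes):
            byte = 0
            for j in range(8):
                byte = (byte << 1) | (stego[offset + k * 8 + j] & 1)
            out.append(byte)
        return bytes(out)
    length = int.from_bytes(read(2, 0), "big")
    length = min(length, (len(stego) - 16) // 8)
    return read(length, 16)


def double_steg_jam(image: bytes, fraction: float = 0.25, seed: int = 42) -> bytearray:
    """'Double-stegging': overwrite the least-significant bit of a random
    fraction of pixels with random bits. Each pixel moves by at most 1, so the
    picture is visually unchanged, but any LSB-hidden file is corrupted."""
    rng = random.Random(seed)
    out = bytearray(image)
    for i in range(len(out)):
        if rng.random() < fraction:
            out[i] = (out[i] & 0xFE) | rng.randrange(2)
    return out


def max_pixel_delta(a: bytes, b: bytes) -> int:
    """Largest per-pixel change between two images (1 means invisible)."""
    return max(abs(x - y) for x, y in zip(a, b))


def demo() -> dict:
    cover = make_cover(4096)
    stego = lsb_embed(cover, SECRET)
    jammed = double_steg_jam(stego)
    return {
        "recovered_before_jam": lsb_extract(stego),
        "recovered_after_jam": lsb_extract(jammed),
        "max_delta": max_pixel_delta(stego, jammed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Before jamming the payload comes back intact; afterwards the length header and most of the body are wrong and nothing usable is recovered, while no pixel has moved by more than one grey level. The caveat a practitioner would add: this defeats plain LSB schemes, but a sender who spreads the payload with error-correcting codes or redundancy can tolerate a low jam fraction, so a gateway that relies on this should also strip metadata and re-encode images rather than trust bit-flipping alone.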

“Youse want solar energy wid dat?” Pizza Hut: Buy enough pizza and you can disconnect from Xcel...

Solar Cells - Made In a Pizza Oven

Posted by CmdrTaco on Thursday August 21, @08:46AM from the because-you-can dept.

stylemessiah writes

"The winner of several Eureka Science Awards in Australia is a crafty chick who devised a way to create solar cells cheaply using a pizza oven, nail polish and an inkjet printer. This was developed to address the high cost of cells and in particular for the world's poorest regions. She wanted to give the @2 billion people around the world who don't have electricity the gift of light and cheap energy. This could have profound (and a good profound) implications for education and health for those in the poorest regions in the world. And it all started with her parents giving her a solar energy kit when she was 10..."

Let's gang up on them bastids! - Get Rid Of Telemarketers offers users a huge database (over 50,000) of known telemarketers. Users visit the site and can register their own complaints about telemarketers. Many, many users do so each day. If a user just wants to get some information about who called from a given phone number, that's possible too. also offers several tools for users to block telemarketers from calling them at home. The site has Windows-based software and an API, each of which can allow users to sidestep phone solicitors.

Tools & Techniques: Plus it's a (rather geeky) list! (How could I not include it.)

August 20, 2008

New on Technology Tools for Information Management

Technology Tools for Information Management - Roger V. Skalbeck and Barbara Fullerton share a fast-paced presentation of 19 practical, low-cost and innovative tech tools they respectively use on a regular basis. So if you are looking for ideas to improve your use of Outlook, RSS, Adobe, and enhance your presentations and collaborative goals, this article is a must read.

[This one is interesting:


This is a web-based tool that lets you create an RSS feed from a page that doesn't otherwise have one. You simply browse to the page, click on a few links where new material appears, and it generates the feed for you.


If You're Looking To Learn Basic Economics, Here's A Free Textbook

from the cool dept

Against Monopoly points us to an LA Times story about an economics professor from Caltech, R. Preston McAfee, who has written what he calls an "open source" economics textbook. You can download the textbook for free, and can even modify it (he offers up both a pdf version and a "source code" Word doc). It's not quite "open source" in that you're not allowed to do anything commercial with it, but it's certainly a lot cheaper than a standard econ textbook. We get plenty of questions here about where one should start learning about economics -- and while a textbook without a teacher isn't always the best place, if you did want to dig into a text, this is obviously a good place to start.

I haven't gone through the whole thing, but a quick spot check on various topics suggests that (at least in that random sample) the text is clear, well-written and does a good job explaining those concepts. And while it doesn't get into anything beyond your basic intro econ, the guy does seem to recognize the basic economics of information. As he notes in the LA Times article:

"What makes us rich as a society is what we know and what we can do. Anything that stands in the way of the dissemination of knowledge is a real problem."

And the opening itself certainly suggests he understands the whole scarce/infinite goods dichotomy:

Economics studies the allocation of scarce resources among people – examining what goods and services wind up in the hands of which people. Why scarce resources? Absent scarcity, there is no significant allocation issue.

Indeed. And, it's nice to see scarcity becoming absent from a good econ text as well, so "allocate" away.

But Honey! I'm doing it for my health!

Research Suggests Polygamous Men Live Longer

Posted by timothy on Wednesday August 20, @02:23PM from the depends-which-part-of-utah dept.

Calopteryx writes

"Want to live a little longer? Get a second wife. A study reported in New Scientist suggests that men from polygamous cultures outlive those from monogamous ones. After accounting for socioeconomic differences, men aged over 60 from 140 countries that practice polygamy to varying degrees lived on average 12% longer than men from 49 mostly monogamous nations."

English, as she is spoke (The sad part is, I can't even guess what some of these people intended to say...)

Engrish Funny

Engrish Pictures and other Funny Engrish Mistakes in English from around the world.

Wednesday, August 20, 2008

When you put all your eggs in one basket, SECURE THAT BASKET!

Dominion Enterprises Discloses Data Breach in Business Division

Tuesday, August 19 2008 @ 08:06 PM EDT Contributed by: PrivacyNews

Dominion Enterprises today announced that a computer server within InterActive Financial Marketing Group (IFMG), a division of Dominion Enterprises located in Richmond, Virginia, was hacked into and illegally accessed by an unknown and unauthorized third party between November 2007 and February 2008.

The data intrusion resulted in the potential exposure of personal information, including the names, addresses, birth dates, and social security numbers of 92,095 applicants who submitted credit applications to IFMG’s family of special finance Web sites. [This computer serviced several websites... Bob]

Source - Dominion Enterprises

It will never happen to us.

WA: Kingston Tax Service computers stolen; clients warned of identity theft

Tuesday, August 19 2008 @ 11:44 AM EDT Contributed by: PrivacyNews

Immediate action is necessary on behalf of all Kingston Tax Service clients to protect themselves from identity theft.

Office computers were stolen from the business in a reported burglary sometime before 8:30 a.m. on Aug. 12.

[...] Although the information was password protected, Winsor states they aren't foolproof.

[...] According to Kitsap County Sheriff reports, Winsor believes he saw his computer for sale on on Aug 14, two days after the burglary.

The computer he suspects was his was listed without its hard drive. He couldn't positively identify the computer because photos of the computer's serial number were blurred, the report states.

Source - North Kitsap Herald

[From the article:

Because of the burglary, the message also states that some filing deadlines were missed. [“Not only did we fail to secure your data, we didn't even back it up!” Bob]

This raises a few interesting questions...

Pilot Sues To Get Off Terror Watch List

Wednesday, August 20 2008 @ 05:54 AM EDT Contributed by: PrivacyNews

A commercial airline pilot and convert to Islam who says his name is on the U.S. government's secret terrorist watch list has fought back, filing a federal lawsuit against the Homeland Security Department and various other federal agencies.

Erich Scherfen said unless his name is removed from the list, he faces losing not only his job but the ability to make a living in his chosen profession.

Source -

[From the article:

Scherfen said he learned that he was a "positive match" on a list maintained by the Transportation Security Administration in April, when his employer, Colgan Air Inc., suspended him for that reason. [So TSA “ratted him out?” How else would they find out his name was on the list, since TSA claims they won't tell anyone? Bob]

First, read the law! (Second, fix the system? Nahhh too obvious.)

MIT Students' Gag Order Lifted

Posted by kdawson on Tuesday August 19, @03:22PM from the common-sense-descends dept.

mytrip and several other readers let us know that a judge in Boston has lifted the gag order — actually let it expire — against three MIT students who discovered flaws in the security of the local transit system, the MBTA. We've discussed the case over the last 10 days.

"Judge O'Toole said he disagreed with the basic premise of the MBTA's argument: That the students' presentation was a likely violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses. Many had expected Tuesday's hearing to hinge on First Amendment issues and what amounts to responsible disclosure on the part of computer security researchers. Instead, O'Toole based his ruling on the narrow grounds of what constitutes a violation of the CFAA. On that basis, he said MBTA lawyers failed to convince him on two points: The students' presentation was meant to be delivered to people, and was not a computer-to-computer 'transmission.' Second, the MBTA couldn't prove the students had caused at least $5,000 damage to the transit system."

Tools & Techniques: Shouldn't everyone know how to commit computer crimes?

How I Stole Someone's Identity Using the Internet — A little digging on social networks, blogs and Internet search engines lets you put together information about people like pieces of a puzzle —And it's not a pretty picture for security or privacy. I decided to conduct an experiment to see how vulnerable people's accounts are to mining the Web for information.

Attention Florida! You can get these cheap, and avoid “hanging chad!” (No need to test, after all, none of these states did...)

States Throw Out Electronic Voting Machines

Posted by kdawson on Wednesday August 20, @08:16AM from the returning-to-paper dept.

Davide Marney passes along an AP story about the thousands of voting machines gathering dust in warehouses across the country after states such as California, Ohio, and Florida have banned their use. Many of these machines cost $3.5K to $5K each. Local election boards are struggling to find ways to recover any of the cost of the machines, or even to recycle them. The picture in Ohio is the most confusing, as multiple court cases limit the state's options and result in a situation in which the discredited machines will nevertheless be used in the presidential election coming up in November. The state's new (Democratic) attorney general has just issued a rule banning the practice of election workers taking the machines home with them the night before elections.

(This happened last year.) Like the folks at Slashdot, I wonder if this opinion has been overturned or actually used in defense?

Judge Rules Man Cannot Be Forced To Decrypt HD

Posted by kdawson on Tuesday August 19, @06:21PM from the cold-dead-fingers dept.

I Don't Believe in Imaginary Property writes

"In Vermont, US Magistrate Judge Jerome Niedermeier has ruled that forcing someone to divulge the password to decrypt their hard drive violates the 5th Amendment. Border guards testify that they saw child pornography on the defendant's laptop when the PC was on, but they made the mistake of turning it off and were unable to access it again because the drive was protected by PGP. Although prosecutors offered many ways to get around the 5th Amendment protections, the Judge would have none of that and quashed the grand jury subpoena requesting the defendant's PGP passphrase. A conviction is still likely because prosecutors have the testimony of the two border guards who saw the drive while it was open."

The article stresses the potential importance of this ruling (which was issued last November but went unnoticed until now): "Especially if this ruling is appealed, US v. Boucher could become a landmark case. The question of whether a criminal defendant can be legally compelled to cough up his encryption passphrase remains an unsettled one, with law review articles for the last decade arguing the merits of either approach."

Update: 08/19 23:49 GMT by KD : Several readers have pointed out that this story in fact did not go unnoticed.

From the e-Discovery blog, a brief overview of hash values and their use in forensics... Looks like lawyers need to study math.

New Case where Police Use Hash to Catch a Perp and My Favored Truncated Hash Labeling System to ID the Evidence


P2P investigation leads to child-porn busts

Published: 2008-08-19

... The investigation, ... used unspecified "sophisticated computer programs" to identify child pornography stored in folders shared through peer-to-peer applications. Law enforcement officers have previously used pattern-matching programs, similar to antivirus scanners, to quickly scan Usenet groups for images that match a list of known images of child abuse.
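The two items above (the hash-labelling post and the "list of known images" matching) rest on the same mechanism, so here is one added example covering both. It is not code from the e-Discovery blog or the SecurityFocus article: constructed byte strings stand in for files, the "known" hash set is derived in-code from two of those samples rather than from any real database, and the truncated-label length is an assumed choice.

```python
import hashlib


def file_hashes(data: bytes) -> dict:
    """Full digests of a file's contents. MD5 and SHA-1 are what older hash
    sets were built on; a list built today should be keyed on SHA-256."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def truncated_label(digest_hex: str, n: int = 12) -> str:
    """Short evidence label: the first n hex characters of a full digest.
    Readable in a report; the full digest stays in the exhibit record."""
    return digest_hex[:n].upper()


def labels_are_unique(digests, n: int = 12) -> bool:
    """Check that truncation has not made two exhibits share a label."""
    labels = [truncated_label(d, n) for d in digests]
    return len(labels) == len(set(labels))


def build_known_set(samples) -> set:
    """Hash set of known files; a real one comes from a vetted reference list."""
    return {hashlib.sha256(s).hexdigest() for s in samples}


def scan_shared_folder(files: dict, known_sha256: set) -> list:
    """Hash every file and report the ones that match the known set exactly."""
    hits = []
    for name, data in sorted(files.items()):
        digest = hashlib.sha256(data).hexdigest()
        if digest in known_sha256:
            hits.append((name, truncated_label(digest)))
    return hits


# Constructed contents standing in for files; none of this is real evidence.
KNOWN_SAMPLES = [b"constructed known file A" * 100, b"constructed known file B" * 100]
SHARED_FOLDER = {
    "a.jpg": KNOWN_SAMPLES[0],
    "b.jpg": KNOWN_SAMPLES[0][:-1] + b"?",  # same file with one byte altered
    "c.jpg": KNOWN_SAMPLES[1],
    "d.jpg": b"constructed unrelated file" * 100,
}


def demo() -> list:
    known = build_known_set(KNOWN_SAMPLES)
    return scan_shared_folder(SHARED_FOLDER, known)


if __name__ == "__main__":
    for name, label in demo():
        print(f"{name}: matches known file, exhibit label {label}")
```

Two of the four files match and get a short label each; the copy with a single byte changed does not, because a cryptographic hash of an altered file shares nothing with the original. That is the point the lawyers need to get: an exact-hash match is strong evidence that a file is byte-for-byte identical to a known one, and a miss says nothing, since a re-encoded or cropped copy has a completely different digest. Matching those takes perceptual hashing, which is a different tool with different error characteristics.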

An interesting concept. You don't need to buy hardware for your backup site; you just describe it and, when needed, implement a virtual system.

IBM invests $300 mln in disaster recovery centers

Tue Aug 19, 2008 11:20pm EDT

BOSTON (Reuters) - IBM plans to spend $300 million this year to build 13 "cloud computing" data centers where businesses can store information for quick retrieval in case their computer systems are destroyed in a disaster.