Saturday, August 30, 2008

There must be more here than is reported in the article.

Malicious link leaves St. Joseph’s site exposed

Saturday, August 30 2008 @ 06:52 AM EDT Contributed by: PrivacyNews

Thousands of personal records were briefly at risk this summer when an intruder placed a malicious link on the Web site of St. Joseph’s Academy in Baton Rouge.

Earlier this week, the all-girl Catholic high school sent out about 7,000 letters to anyone who might have been affected, including students, parents, teachers, staff as well as alumnae going back to the class of 1985.

... The malicious link appeared on the news page of the school’s Web site on July 21.

Greg Hanner, systems administrator for the private school, said the link directed clickers to a site in China, which would then place malicious software on that person’s computer.

Source -

[From the article:

He said the school removed the link within minutes of it appearing and corrected the Web coding that allowed it to appear. Hanner said he is “99.9 percent” sure that the breach went no further, but said theoretically hackers could have used their access to that Web server to break into protected [How? Passwords? Bob] databases also on that same server. [Poor planning to have sensitive data on the same server... Bob] The protected databases included names, social security and bank routing numbers.

... Since the breach, the school has made changes.

“Now, the databases are completely on a separate physical server,” Hanner said. “The Web server now has no access to the business database at all.”

Also the school is planning in the future to hire a second computer security firm to add to the school’s overall level of cyber-protection.

“It’s unreasonable to expect that any one company can cover everything,” Hanner said. [Interesting statement. Bob]

The TJX strategy has evolved. Now that they are not making headlines where their customers are likely to see them (in the general news) they can be more aggressive in their defense.

TJX reacts to bank lawsuit (follow-up)

Saturday, August 30 2008 @ 06:28 AM EDT Contributed by: PrivacyNews

The parent company of the T.J. Maxx and Marshall's chains has filed a forceful response to a lawsuit brought by TrustCo Bank Corp NY, saying the Glenville bank-holding company "unnecessarily and unreasonably" canceled customer debit cards after the retailer's highly publicized 2006 data breach.

... in the response filed Wednesday, TJX says TrustCo "caused or contributed to, and failed reasonably to mitigate, any injury they allegedly have suffered."

The retailer claims TrustCo "failed to implement policies or procedures" that would have allowed the bank to avoid canceling and replacing customer debit cards, including installing certain fraud-detection software, monitoring international transactions and implementing transaction limits. [A specious argument? Bob]

TJX spokeswoman Sherry Land did not return a phone call seeking comment Friday.

Source - Times Union

E-Vigilantism? “We don't like you, therefore it's okay to hack you.” Sound familiar?

De: Report: Left-Wing Hackers Break into Neo-Nazi Server

Saturday, August 30 2008 @ 06:49 AM EDT Contributed by: PrivacyNews

Left-wing computer hackers have reportedly broken into the secure server of one of the world's largest neo-Nazi groups, copying more than 30,000 pieces of data.

Members of the anti-fascist left-wing group Daten-Antifa on Friday, Aug. 29, managed to break the access codes and enter the databank of Blood and Honour (B&H), a neo-Nazi organization that has been banned in Germany since 2000.

"Now some people in the far-right extremist scene are going to get very nervous, including activists from the NPD (Germany's far-right National Democratic Party)," Guenther Hoffmann from the Center for Democratic Culture told the Frankfurter Rundschau on Saturday.

Source -

[From the article:

Katharina Koenig from the Action Alliance against the Right in Jena told the Frankfurter Rundschau that evidence had been found that B&H concerts had taken place in Germany and that German extremists had organized far-right concerts abroad.

Koenig said that the new information would be helpful to police, although the data was gathered illegally.

Tools & Techniques: Simplifying a forensic process that was already available.

CSI Stick grabs data from cell phones

Saturday, August 30 2008 @ 06:54 AM EDT Contributed by: PrivacyNews

If someone asks to borrow your cell phone, or you leave it unattended, beware!

Unless you actually watch them use it, they may be secretly grabbing every piece of your information on the device, even deleted messages. If you leave your phone sitting on your desk, or in the center console of your car while the valet parks it, then you and everyone in your contacts list may be at risk, to say nothing of confidential e-mails, spreadsheets, or other information. And of course, if you do not want your spouse to see who you are chatting with on your phone, you might want to use extra caution.

There is a new electronic capture device that has been developed primarily for law enforcement, surveillance, and intelligence operations that is also available to the public. It is the Cellular Seizure Investigation Stick, or CSI Stick as a clever acronym. It is manufactured by a company called Paraben, and is a self-contained module about the size of a BIC lighter. It plugs directly into most Motorola and Samsung cell phones to capture all data that they contain. More phones will be added to the list, including many from Nokia, RIM, LG and others, in the next generation, to be released shortly.

Source - Cnet

[From the article:

The good news: the device should find wide acceptance by parents who want to monitor what their kids are doing with their phones, who they are talking to and text messaging, and where they are surfing.

Is this aggressive lawyering or just bad lawyering? (Or is it that I love articles with “epistemological” in the title?)

Lenz Ruling Raises Epistemological Questions

August 22nd, 2008 by David Robinson

Stephanie Lenz’s case will be familiar to many of you: After publishing a 29-second video on YouTube that shows her toddler dancing to the Prince song “Let’s Go Crazy,” Ms. Lenz received email from YouTube, informing her that the video was being taken down at Universal Music’s request. She filed a DMCA counter-notification claiming the video was fair use, and the video was put back up on the site. Now Ms. Lenz, represented by the EFF, is suing Universal, claiming that the company violated section 512(f) of the Digital Millennium Copyright Act. Section 512(f) creates liability for a copyright owner who “knowingly materially misrepresents… that material or activity is infringing.”

Did you ever get the feeling that some surveys are a bit self-serving?

Survey: IT staff would steal secrets if laid off

by Computerworld UK staff August 29, 2008, 11:58 AM — Computerworld UK

Most IT staff would steal sensitive company information, including CEO's passwords and customer details, if they were laid off, according to a new survey from Cyber-Ark.

A staggering 88 percent of IT administrators admitted they would take corporate secrets, if they were suddenly made redundant. The target information included CEO passwords, customer database, research and development plans, financial reports, M&A plans and the company's list of privileged passwords.

The research also revealed that, of that 88 percent, a third would take the privilege password list to gain access to valuable documents such as financial reports, accounts, salaries and other privileged information.

Identity management firm Cyber-Ark conducted the survey of 300 IT professionals in its annual review 'Trust, Security & Passwords'.

... One third of companies believe that industrial espionage and data leakage is rife, with data being leaked out of their companies and going to their competitors or criminals, usually via high gigabyte mobile devices such as USB sticks, iPods, BlackBerrys and laptops or even sent over email.

“Of course I listen to the PACs. What? The Facts? Oh, never mind.”

Professor Slams European Commission For Ignoring The Evidence On Copyright Extension

from the it's-not-about-evidence,-it's-about-campaign-contributions dept

We were pretty surprised a few weeks back when the European Commission endorsed a plan for copyright extension, despite ample evidence that retroactive copyright extension is a bad idea. Soon after that announcement, a group of European academics sent a letter warning that such extension would harm innovation. The academics keep piling on, as Professor Bernt Hugenholtz, the director of the University of Amsterdam's Institute for Information Law (IViR) has sent an open letter to the Commission blasting them for ignoring all of the research showing that copyright extension is bad. Specifically, Hugenholtz is amazed that the Commission relied only on reports prepared by industry, and willfully ignored research prepared by independent academics, such as his own group, claiming that by ignoring such studies, the Commission has a clear intention to mislead the rest of the EU by hiding the research that shows why copyright extension is a bad idea.

You know by now that I love lists. Some of these are just silly (in a good way) and some I might even consider.

21 Cool and Unusual USB Powered Devices

So you might be like most people, spending all day working in your room or cubicle with the same old stuff plugged into your USB ports. Well today we have put together a list of USB powered devices to help you step outside the box.

Friday, August 29, 2008

For TJX, the impact of their data breach never ends.

TrustCo sues TJX over breach (follow-up)

Friday, August 29 2008 @ 07:20 AM EDT Contributed by: PrivacyNews

TrustCo Bank Corp is resorting to litigation to recoup costs it incurred after reissuing thousands of credit cards to customers affected by the security breach at the parent company of the T.J. Maxx and Marshalls chains.

The Glenville bank holding company last month filed a lawsuit in Schenectady County Supreme Court against TJX Companies, shedding light on the financial burdens hackers are indirectly imposing on local banks and credit unions. The TrustCo Bank parent is suing the Framingham, Mass.-based TJX to recover the costs stemming from the cancellation and reissuance of MasterCard debit cards to affected customers. The breach, which TJX discovered in mid-December 2006, ended up costing the bank up to $20 per affected account.

Source -

The list of victims is interesting...

Tw: Biggest ever ID theft in Taiwan

Thursday, August 28 2008 @ 12:30 PM EDT Contributed by: PrivacyNews

Six people are currently being held in custody for what is believed to be the biggest personal data hacking enterprise undertaken in Taiwan's internet history.

Among the identities of those compromised are the current and several former national presidents, ZD Net reports.

An official speaking on behalf of the Taiwanese Criminal Investigation Bureau (CIB) said: "The suspects are believed to have stolen more than 50 million records of personal data including information about President Ma Ying-jeou, his predecessor Chen Shui-bian and police chief Wang Cho-chiun."

The information that the perpetrators - believed to have been operating out of Taiwan and China - appropriated was then offered for sale at around £5 per entry and they also made millions of Taiwanese dollars by raiding online bank accounts.

Source - Periscope IT

Related - ZDNet: Taiwan busts hacking ring, 50 million personal records compromised

A small breach, another unencrypted laptop, another vague reason for having the data in the first place.

OH: Laptop With Students' Personal Information Stolen

Thursday, August 28 2008 @ 02:38 PM EDT Contributed by: PrivacyNews

A laptop containing the personal information of at least 4,000 students was stolen earlier this week, according to a Reynoldsburg City School district spokeswoman.

The spokeswoman told 10TV News that the laptop was stolen from a district employee on Monday.

The employee informed administrators that files on the laptop contained students' personal information, including Social Security numbers, 10TV News reported.

Source - 10TV News

[From the article:

The employee, who has been placed on paid administrative leave, [Is this “self defense” or did he do something wrong? Bob] said the laptop was stolen from his car while he attended a wedding. District officials said the employee was using the laptop to collect data for the district's lunch program, [and SSAN is required to plan a menu? Bob] 10TV's Brittany Westbrook reported.

“We don't know.” One of many recurring themes.

Network accessed, but Nye Lubricants unsure if employee data accessed

Thursday, August 28 2008 @ 11:59 AM EDT Contributed by: PrivacyNews

Jackson Lewis, lawyers for Nye Lubricants, has notified the New Hampshire Attorney General that an employee "may have accessed electronic personal information stored in certain of the Company's databases without proper authority and/or for improper purposes" on or about August 15.

According to the notification, 173 employees are being notified that their personal information, including their Social Security numbers, may have been accessed or misused, but the firm was reportedly unable to determine whether any of the current or former employees' data were accessed or misused. Frederic C. Mock, Executive Vice-President of Nye Lubricants, wrote to those affected that an employee had accessed the network without authorization, but "Despite our best efforts, we could not determine if any personal information contained in the databases on the Company's network was actually compromised -- only that the opportunity for unauthorized access or use of personal information existed." Nye Lubricants reports that it is reviewing its security and systems going forward and has offered employees free credit monitoring for one year.

Related: One of the downsides of “not knowing” is that you make headlines every time you learn (and must disclose) new figures.

State learns customers affected by bank data loss could balloon to 10 million (BNY Mellon update)

Thursday, August 28 2008 @ 12:51 PM EDT Contributed by: PrivacyNews

Governor M. Jodi Rell today announced that the state’s investigation into the loss of confidential data of more than 500,000 Connecticut residents by the Bank of New York Mellon Corp. has revealed that the security breach is much broader than first reported.

... “It is simply outrageous that this mountain of information was not better protected and it is equally outrageous that we are hearing about a possible six million additional individuals and businesses six months after the fact,” Governor Rell said. “We fear a substantial number of Connecticut residents are among this latest group.”

Source -

[From the article:

The most recent figures came in response to the subpoenas that Governor Rell had ordered be issued in May by the state Department of Consumer Protection. [Looks like they don't entirely trust the 'disclosure' laws to extract full information. Expect to see much more of this! Bob]

BNY Mellon informed the state that it will begin the process of notifying these additional customers today. Under Connecticut state law, banks are required to immediately notify customers when such information is lost.

Related: See? Another headline. Anyone like to bid 15 million?

Bank of NY Mellon data breach now affects 12.5 mln

Thursday, August 28 2008 @ 02:40 PM EDT Contributed by: PrivacyNews

Bank of New York Mellon Corp said on Thursday that a security breach involving the loss of personal information, including Social Security numbers, now affects about 12.5 million customers, up from an earlier 4.5 million.

Connecticut Gov. Jodi Rell, who announced a probe of the security breach in May, said in a statement she is still pursuing remedies against the New York-based bank, including a possible "substantial" fine, restitution and other remedies.

Source - Reuters


August 28, 2008

Justice Department Revises Charging Guidelines for Prosecuting Corporate Fraud

News release: "Department of Justice is revising its corporate charging guidelines for federal prosecutors throughout the country. The new guidance revises the Department’s Principles of Federal Prosecution of Business Organizations, which govern how all federal prosecutors investigate, charge, and prosecute corporate crimes. The new guidelines address issues that have been of great interest to prosecutors and corporations alike, particularly in the area of cooperation credit.

First, the revised guidelines state that credit for cooperation will not depend on the corporation’s waiver of attorney-client privilege or work product protection, but rather on the disclosure of relevant facts. Corporations that disclose relevant facts may receive due credit for cooperation, regardless of whether they waive attorney-client privilege or work product protection in the process. Corporations that do not disclose relevant facts typically may not receive such credit, like any other defendant."

Corporate Charging Guidelines

Related: Apparently, Best Western does know how many victims they had – they just can't convince the newspapers.

Best Western CIO Scott Gibson On The Data Breach That Wasn't

Thursday, August 28 2008 @ 05:19 PM EDT Contributed by: PrivacyNews

Best Western CIO Scott Gibson hasn't been getting much sleep. "I've decided that sleep is highly overrated," he says ruefully.

Gibson has been dealing with a small data breach that somehow became "one of the most audacious cyber-crimes ever," as Glasgow's Sunday Herald put it.

Source - InformationWeek


Best Western forced to play defense on data breach disclosure

Thursday, August 28 2008 @ 02:35 PM EDT Contributed by: PrivacyNews

... Best Western's experience highlights the public relations problems that can result from breach disclosures, as well as the need for companies to have comprehensive incident-response plans in place for dealing with such disclosures.

In this case, Best Western could have beaten the Sunday Herald to the punch by breaking the news about the breach itself. The intrusion took place on Aug. 21; according to the newspaper, it brought the breach to the company's attention the following day, two days before the story was published.

In comments sent via e-mail this week, a Best Western spokeswoman indicated that the company was blindsided by the Sunday Herald's claims about the scope of the breach. The reporter who wrote the story didn't mention the possibility that 8 million records had been stolen when he talked to Best Western officials, the spokeswoman said. She said that he simply asked for the number of Best Western hotels and rooms in Europe, and that he appears to have used those numbers to extrapolate the 8 million figure.

And the only evidence of a breach that the reporter presented was a screenshot of a single log-in suggesting a possible compromise, the spokeswoman added. "Basically, the Herald elicited a statement from us on one issue and used the statement to report on another," she said.

The reporter, Iain S. Bruce, has yet to respond to questions about the matter that were sent to him via e-mail at his request on Tuesday. Included was a question about whether he had discussed the claim of 8 million victims with Best Western before his story was published.

Source - Computerworld

[From the article:

... It's reasonable for a company whose systems have been breached to make sure it fully understands the extent of what has happened before going public, said Chris Hoofnagle, senior staff attorney at the Berkeley Center for Law and Technology at the University of California, Berkeley. "The general rule is that one should not disclose the breach until its scope has been determined," [See Mellon Bank, above Bob] Hoofnagle said.

... The episode shows why companies should simulate various worst-case scenarios [Could make an interesting article... Bob] when they test their incident-response plans, Pescatore added. Best Western, he said, may have discovered what "many businesses learn the first time they actually have to implement their disaster recovery plan — 'Oops, we should have had a dry run.'" [Amen! Bob]

Future fraud: Will this US export help the economy?

UK: Hackers prepare supermarket sweep

Thursday, August 28 2008 @ 09:11 AM EDT Contributed by: PrivacyNews

Self-service systems in UK supermarkets are being sought by hi-tech criminals with stolen credit card details.

A BBC investigation has unearthed a plan hatching online to loot US bank accounts via the checkout systems. Fake credit cards loaded with details from the accounts will be used to get cash or buy high value goods.

The supermarkets targeted said there was little chance the fraudsters would make significant amounts of cash with their plan.

With the help of computer security experts the BBC found a discussion on a card fraud website on which hi-tech thieves debated the best way to strip money from the US accounts.

The thieves claim to have comprehensive details of US credit and debit cards passed to them from an American gang who tapped phone lines between cash machines and banks.

Source - BBC

[From the article:

He said it was an example of a long observed trend in fraud.

"We've seen a shift from card-present fraud to card-not-present to fraud abroad," he said.

... He said many criminal gangs even offer their fraudulent services via the web.

"They will do it for you in India and China," he said.

Hack du jour

Download MP3s from Streaming Music Sites

From Wired How-To Wiki

Have you ever been annoyed that services like Muxtape (which is currently unavailable, thanks to the RIAA), Favtape or other playlist-based music sites don't let you download songs? The better sites offer a link to purchase the songs through the iTunes Store or, but the rest just stream the music. And once the player moves on to the next song, that song is gone.

Or is it? Most services like the ones above rely on Flash or JavaScript to obfuscate URLs [Security through obscurity Bob] and make it difficult, though not impossible, to download the actual files.

In this guide, we'll show you how you can grab just about any file you want by exploring your browser's cache.

NOTE: Depending on the copyright applied to the song you're downloading, using this technique may violate the copyright of the content owner. This wiki article is not intended as legal advice and is for educational purposes only. [Oh, like ditto, dude. Bob]

How to get the word out?

August 28, 2008

Pew Internet Survey: Podcast Downloading 2008

Pew Internet and American Life Project - Podcast Downloading 2008, 8/28/2008, Mary Madden, Sydney Jones

  • "As gadgets with digital audio capability proliferate, podcast downloading continues to increase. Currently, 19% of all internet users say they have downloaded a podcast so they could listen to it or view it later. This most recent percentage is up from 12% of internet users who reported downloading podcasts in our August 2006 survey and 7% in our February-April 2006 survey. Still, podcasting has yet to become a fixture in the everyday lives of internet users, as very few internet users download podcasts on a typical day."

Still manipulating the system.

Kevin Mitnick Tells All in Upcoming Book -- Promises No Whining

By Kim Zetter August 28, 2008 | 8:19:07 PM

Why an NDA? Unless Microsoft has another questionable contract with Lenovo...

Lenovo Requires NDA For Windows License Refund

Posted by timothy on Thursday August 28, @02:36PM from the deserves-a-raise dept. Windows Microsoft The Almighty Buck

tykev writes

"A customer wanted to return the license for preinstalled Windows Vista Business that came with his Lenovo laptop. After some lengthy negotiations with representatives of Lenovo's technical support and management, he was offered financial compensation for returning the license in the amount of CZK 1950 (USD 130, EUR 78), pending his acceptance of a non-disclosure agreement that would cover the entire negotiations with the company and its results. He declined and published his experiences on a Czech Linux website. [and now “everyone” knows... Bob] The website editors decided to reward the customer for publishing the article by paying him an author's royalty in the same amount as was the offered compensation for returning the license."

The politician's need to be seen “doing something” should never outweigh the need to think that something through...

UK: ContactPoint child database launch delayed following security fears

Friday, August 29 2008 @ 05:17 AM EDT Contributed by: PrivacyNews

The launch of the Government's flagship database of every child living in England has been delayed just days after The Daily Telegraph exposed serious concerns about its purpose.

ContactPoint will include the names, ages and addresses of all 11 million under-18s in the country, as well as detailed information on their parents, GPs and schools.

It was announced in the wake of the murder of Victoria Climbié as a way to protect children by connecting the different services dealing with them, but this newspaper disclosed that it will actually be used by police to hunt for evidence of crime.

Source - Telegraph

[From the article:

The £224million computer system was meant to come into operation in April 2008 but was delayed following the loss of data discs containing 25 million child benefit records by HM Revenue & Customs last year, which triggered fears that ContactPoint records could easily find their way into the hands of paedophiles.

A review of its security - which the Government refused to publish in full - found the risk of a data breach could never be eliminated and the launch of ContactPoint was pushed back to October.

Goodbye “unlimited use.” Comcast opens the door (wider) for competition. I suppose it is better than “double secret” caps.

Comcast To Cap Data Transfers At 250 GB In October

Posted by timothy on Thursday August 28, @08:10PM from the crimp-in-your-style dept. The Internet Networking

JagsLive writes with this story from PC Magazine:

"Comcast has confirmed that all residential customers will be subject to a 250 gigabyte per month data limit starting October 1. 'This is the same system we have in place today,' Comcast wrote in an amendment to its acceptable use policy. 'The only difference is that we will now provide a limit by which a customer may be contacted.' The cable provider insisted that 250 GB is 'an extremely large amount of data, much more than a typical residential customer uses on a monthly basis. ... As part of our pre-existing policy, we will continue to contact the top users of our high-speed Internet service and ask them to curb their usage,' Comcast said Thursday. 'If a customer uses more than 250 GB and is one of the top users of our service, he or she may be contacted by Comcast to notify them of excessive use,' according to the AUP."

Creating the perfect Privacy Policy? Contracting with third parties...

The privacy policy problem, Part 2: Controlling business partners

Thursday, August 28 2008 @ 12:34 PM EDT Contributed by: PrivacyNews

In this series of four articles, I'm exploring privacy policies. Today I'll continue with an analysis of potential problems due to independent partner organizations working on behalf of their clients without adequate supervision and coordination.

... The lesson I draw from this cursory investigation is that no one can afford to do business with people who do not use the same strict policies of privacy protection as their own organization. Readers should perform a systematic audit of all their organizations’ links to third parties to verify that deviations from their privacy policies do not lead to embarrassment and legal liability.

Source - NetworkWorld

“It is better to look secure than to be secure.” Hernando (and the folks in Microsoft's Marketing Dept.)

IE8's 'privacy' mode leaks your private data

Friday, August 29 2008 @ 05:47 AM EDT Contributed by: PrivacyNews

Information concealed by the InPrivateBrowsing feature of Microsoft's Internet Explorer 8.0 can easily be recovered by forensic experts, a Dutch website has found.

The InPrivate Browsing feature in Microsoft's latest browser is designed to delete a user's browsing history and other personal data that is gathered and stored during regular browsing sessions. The feature is commonly referred to as 'porn mode' for its ability to hide which websites have been visited from nosy spouses or employers.

Forensic experts however found it trivial to retrieve the history, according to a test by, an affiliate of PC Advisor in the Netherlands, and Fox IT, a Dutch firm specialising in IT security and forensic research.

"The privacy option in this beta is mainly cosmetic. For a forensic investigator, retrieving the browsing history should be regarded as peanuts," said Christian Prickaerts, forensic IT expert with Fox IT.

Source - PC Advisor

Maybe this is why my anti-virus programs are blocking SP3...

Microsoft warns of IE8 lock-in with XP SP3

XP SP3 users won't be able to uninstall either the service pack or Internet Explorer 8 under some circumstances

By Gregg Keizer, Computerworld August 28, 2008

Microsoft yesterday warned users of Windows XP Service Pack 3 (SP3) that they won't be able to uninstall either the service pack or Internet Explorer 8 (IE8) under some circumstances.

Sure to be of interest to my Security Process Engineering class. Their project is to secure a wiki for use by the White Hat Hacker club... - Create Your Own Wiki Or Blog

If you still haven’t created your own blog, or you want to create your personal wiki, you should try out With this free service, you’ll be able to create and host your own blog and/or wiki. The customizable dashboard will allow you to easily keep track of all your accounts, making updating and things of that nature flow smoothly. You can control who accesses what page. This could allow you to create different content for different people, letting you better organize your wiki and blog. You can upload photos to the site too. All these features make it possible for you to have a highly customized interface that allows you to control all the content you’ve chosen to share with others. Another great thing about the site is how quickly you can get the hang of it, allowing you to thoroughly enjoy the experience without having to spend too much time figuring things out.

Unlimited spaces for wiki or blog. [Unlike Comcast, above Bob]

Politicians know this. They just can't see themselves being defeated.

In YouTube age, political criticisms can (and will) be used against you

Posted by Declan McCullagh August 28, 2008 4:36 PM PDT

DENVER--If you're a candidate for president during the 2012 primaries, you may want to watch how sharply you criticize your rivals. Your critiques may come back to haunt you on the Web.

That's what the Republicans, at least, are hoping to demonstrate with their site, which features clips of Hillary Clinton, Bill Clinton, and John Edwards slamming Barack Obama last year and earlier this year for being inexperienced or over his voting record in Illinois.

Thursday, August 28, 2008

There are many ways to increase your retirement fund... Note that they did detect this email. Better would have been securing the database from wholesale copying in the first place.

OH: Database security breached

Wednesday, August 27 2008 @ 03:17 PM EDT Contributed by: PrivacyNews

A database that contains the names, addresses and Social Security numbers of 13,000 retired Ohio police officers was improperly transmitted by a retired Ohio Police & Fire Pension Fund employee, officials said Wednesday.

... The pension fund employee retired Aug. 15. Within 30 hours, the state discovered he had emailed the database to himself at home. Warning letters were mailed Monday.

State officials do not believe the unidentified employee would have used it for "malicious intent," so they do not plan to prosecute him at this point, according to pension fund spokesman David Graham.

Source -

Think locally act globally? (or at least Federally)

AU: Civil libertarians concerned by Qld's phone tapping move

Thursday, August 28 2008 @ 05:54 AM EDT Contributed by: PrivacyNews

Civil libertarians are up in arms over moves to give Queensland Police and the Crime and Misconduct Commission (CMC) police phone-tapping powers.

The Qld Government has been reluctant to allow telephone interception laws because of privacy concerns, but the Commonwealth has agreed to change federal legislation to set up a Public Interest Monitor.

Source - ABC

[From the article:

"Criminal cases will be compromised, police and prosecutors will get access to the private conversations of lawyers and their clients when they are preparing cases," he added.

Plan Behind! Governments tend not to look at risk, but the appearance of risk. The public doesn't see these systems, so there is no (political) risk.

After flight delays, FAA may add backup system

Posted by Stefanie Olsen August 27, 2008 5:55 PM PDT

Using technology to secure technology. But guessing a password still allows you complete access. Perhaps they should have used one of the USB fingerprint readers too.

Nortel uses USB drive to secure remote work

Nortel's 'office on a stick' USB drive can link almost any PC with a corporate VPN and keep all the information from a session encrypted

By Stephen Lawson, IDG News Service August 28, 2008

... To use the USB stick, workers can simply plug it into a USB port and enter a username and password, said Rod Wallace, director of security services and solutions at Nortel. Software on the stick first checks the PC for viruses and required security mechanisms, and then sets up an encrypted remote session. It typically will provide access to remote applications via the Web browser or another method. It can completely take over the system using a remote desktop and block off printing, document-saving and remote drives, preventing employees from improperly copying sensitive data.

... As a result, IT administrators can know that sensitive information isn't out in the world on PCs they can't control. [PCs are easy, it's the people they can't control... Bob] Policies can be configured so that users who plug the drive into less-secure PCs get either limited or no access to applications, he said.

Tools & Techniques: Something to keep handy when you are out of town? - Make Free Calls

The folks from Jaduka labs have come up with a useful tool that will allow you to make calls from your computer to any phone number in North America. All you have to do is register (which is free), and you can start making calls to all your friends and family. Just go on the site, log in, and dial the number you want to call. You’ll be connected and be able to talk just like you were using a phone. This reminds me of when Skype first came out and it revolutionized the way people thought about making calls.

Publishing a leak is one thing, selling “first access” is another. The cost is to their ethics...

Wikileaks To Sell Hugo Chavez' Email

Posted by samzenpus on Thursday August 28, @05:31AM from the how-much-to-look-through-his-garbage dept. Privacy

I Don't Believe in Imaginary Property writes

"Wikileaks seems to be a bit hard-up for cash, so they're trying a little experiment. They plan to auction off an archive with three years worth of Hugo Chavez' email. The winner will get a period of embargoed access to break any stories they can find in the files, while Wikileaks will later publish the archive in full. Wikileaks plans to use the profits for their legal defense fund, but they may run into trouble because most reputable news outlets have policies against paying sources."

Demonstration of bad security: It has long been a “Best Practice” to hash (loosely, “encrypt”) the user's password and store the hashed version rather than the plaintext. If a hacker copies the password file, he can't use it to gain access. This article shows that Lloyds has not done that and that employees are free to browse the password file.

Changing Customers Password Without Consent

Posted by samzenpus on Thursday August 28, @12:09AM from the leave-my-words-alone dept. Businesses IT

risinganger writes

"BBC News is reporting that a customer had his password changed without his knowledge. After some less than satisfactory service the customer in question changed his password to 'Llyods is pants'. [More for my “english as a foreign language” notebook Bob] At some point after that a member of staff changed the password to 'no it's not'. Requests to change it back to 'Llyods is pants', 'Barclays is better' or censorship were met with refusal. Personally I found the original change funny, like the customer did. After all, god forbid a sense of humour rears its ugly head in business. What isn't acceptable is the refusal to change it per the customer's requests after that."
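Here is what that best practice looks like in code, added here as an example (it is not from the BBC story or the Slashdot post): a per-user random salt, a deliberately slow iterated hash stored in place of the plaintext, and a constant-time check at login. The customer name, the sample password and the record format are my own constructed choices.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000      # slow on purpose; raise it over time as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'algorithm$iterations$salt_hex$digest_hex'.

    A fresh random salt per user means two customers with the same password get
    different records, and a copied table cannot be attacked with one precomputed list.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    _, iterations, salt_hex, digest_hex = parts
    try:
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:          # malformed hex or iteration count in the record
        return False
    return hmac.compare_digest(candidate, expected)


# Constructed sample customer table, stored both ways for comparison.
CUSTOMER_PASSWORD = "Lloyds is pants"          # constructed sample, echoing the story
PLAINTEXT_TABLE: Dict[str, str] = {"customer42": CUSTOMER_PASSWORD}
HASHED_TABLE: Dict[str, str] = {"customer42": hash_password(CUSTOMER_PASSWORD)}


def stored_value_equals(table: Dict[str, str], user: str, value: str) -> bool:
    """What a browsing employee (or a copied file) gives away: only in the plaintext
    design can the stored value be read back as the password itself."""
    return table[user] == value


if __name__ == "__main__":
    print("plaintext table exposes password:", stored_value_equals(PLAINTEXT_TABLE, "customer42", CUSTOMER_PASSWORD))
    print("hashed table exposes password:   ", stored_value_equals(HASHED_TABLE, "customer42", CUSTOMER_PASSWORD))
    print("hashed record still verifies:    ", verify_password(CUSTOMER_PASSWORD, HASHED_TABLE["customer42"]))
```

The record carries its own algorithm name, iteration count and salt, so the count can be raised later without invalidating old accounts: they are simply rehashed on the next successful login.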

An interesting question... Which is more important, a license or expertise?

Do RIAA Snoops Need P.I. Licenses?

By David Kravets August 26, 2008

... But demanding a private investigator's license doesn't make such sense for computer forensic work, according to the American Bar Association. In a recent report, the country's largest legal lobbying group urges the states to jettison the idea of a licensing requirement for computer forensic specialists, especially since most state licensing boards don't demand education in such work.

... Among other things, the ABA report and recommendation (.pdf) says "investigation and expert testimony in computer forensics and network testing should be based upon the current state of science and technology, best practices in the industry and knowledge, skills and education of the expert."

... "Computer forensic assignments often require handling data in multiple jurisdictions. For example, data may need to (be) imaged from hard drives in New York, Texas and Michigan," the report notes. "Does the person performing that work need to have licenses in all three states?"

If nothing else, this might be useful to the small (sole practitioner) tech user. There are still a number of issues to address (SLA, security, etc.) but this will only get simpler and cheaper.

The opportunity for backup and disaster recovery in the Cloud

Posted by Dave Rosenberg August 27, 2008 3:48 AM PDT

Very interesting! Could this translate into stockholder suits seeking to cut costs in US businesses? (The commenters seem to like the idea.)

Quebec Gov Sued For Ignoring Free Software

Posted by samzenpus on Thursday August 28, @02:58AM from the what-about-the-cheap-stuff dept. Government Linux

Mathieu Lutfy writes

"The CBC is reporting that 'Quebec's open-source software association is suing the provincial government, saying it is giving preferential treatment to Microsoft Corp. by buying the company's products rather than using free alternatives. ...Government buyers are using an exception in provincial law that allows them to buy directly from a proprietary vendor when there are no options available, but Facil said that loophole is being abused and goes against other legal requirements to buy locally.' The group also has a press release in English."

Related: Quebec insists they are French, so why don't they do things the French way?

Open source: What you should learn from the French

With open source embraced at all levels, the real benefits of a passionate community arrive

By Tom Kaneshige August 28, 2008

... This summer, an economic commission set up by French President Nicolas Sarkozy recommended tax benefits to stimulate even more open source development.

... French authorities, for instance, handed out 175,000 open-source-software-equipped memory sticks to high school students last year. Technical universities have made open source their top priority, and some offer advanced degrees.

You should know that I like lists. Even if you think you've been everywhere on the web, I bet you missed a few of these...,2817,2328649,00.asp

The Top 100 Classic Web Sites


PC Magazine's definitive list of the best and most trustworthy Web sites of 2008.

For my website students, because the world is in the wrong format...

YouConvertIt bills itself as the world's first and most complete conversion, file storage and unit conversion website, allowing Internet users to convert audio, video, images and documents into an array of formats and to send or deliver the resulting file(s). It supports unit conversion of thousands of types, making it a one-stop shop for users without the need to jump from one location to another.

Dilbert explains the role of the corporate lawyer (and how to estimate billable hours)

Wednesday, August 27, 2008

Could have been one of those unethical defense lawyers...

UK: Secret files found in bin

Wednesday, August 27 2008 @ 06:15 AM EDT Contributed by: PrivacyNews

SENSITIVE Merseyside police documents containing details of secret tactics used to smash a global drugs ring have been found dumped in a bin.

Nine men were jailed for a total of more than 100 years after the police sting in which lorry-loads of drugs were stopped making their way from the Continent into the hands of Liverpool gangsters.

The drugs were all intended to flood the streets of Merseyside giving the gangsters control of the markets, meaning they could set prices and drive competitors out of business.

But now every single shred of evidence – including secret tactics and names of witnesses and undercover police officers – has been discarded.

It is believed a builder found the files, running into hundreds of pages, discarded in a recycling bin.

Today an investigation was launched into the security breach.

Source - Liverpool Echo Related - Drugs bust files found at Leyland tip

Clearly computer thieves are not interested in computing

Britain investigates sale of computer with banking data on eBay

Tuesday, August 26 2008 @ 01:30 PM EDT Contributed by: PrivacyNews

A computer containing banking security details of more than one million people has been sold on eBay for $64, bank officials said Tuesday - the latest in a series of losses of personal data in Britain.

The computer contained account numbers, passwords, cellphone numbers and signatures. It belonged to MailSource UK - an arm of Graphic Data, an archiving company that holds financial information for Royal Bank of Scotland, NatWest and American Express.

Source - Canadian Press

Related - Cnet: Amex, Royal Bank of Scotland, NatWest customer details sold on eBay

[From the article:

The security breach became known when the computer's buyer found the information and contacted authorities. [There are a few honest and aware people left in the world. Bob]

Keeping you secure, the Big Brother way!

UK: Officials 'back ban on data sale'

Wednesday, August 27 2008 @ 04:59 AM EDT Contributed by: PrivacyNews

There is massive support among election officials in England for a ban on the sale of voters' personal data to direct mail companies, a survey has found.

The Local Government Association poll of more than 200 administrators found 98% supported an end to the practice.

Source - BBC

[From the article:

The Direct Marketing Association said the majority of its members used the edited roll only to confirm the accuracy of the personal details they held. [In other words, “We already know everything about you.” Bob]

And it said that banning sales could lead to more, not less unwanted mail. [Seems to conflict with the first sentence... If they used the voter data to drop people from their mailing list, why don't they say that? Bob]

No surprise...

August 26, 2008

Steady Increase in IDThefts Recorded So Far For 2008

News release: "Today, the total number of breaches on the Identity Theft Resource Center’s (ITRC) 2008 breach list surpassed the final total of 446 reported in 2007, more than 4 months before the end of 2008. As of 9:30 a.m. August 22nd, the number of confirmed data breaches in 2008 stood at 449. The actual number of breaches is most likely higher, due to under-reporting and the fact that some of the breaches reported, which affect multiple businesses, are listed as single events. In the last few months, two subcontractors became examples of these “multiple” events. In one case, the customers and/or employees of at least 20 entities were affected by a breach that the ITRC reported as a single breach event....Breaches: 449 Exposed: 22,091,338."

[From the Breach List:

It should be noted that the ITRC does not place an inordinate weight on the count of records exposed. While the ITRC breach list reflects compromised records of more than 22 million, in more than 40% of breach events, the number of records exposed is not reported or fully disclosed. This means the number of affected records is grossly incomplete and unusable for any statistic or research purpose. The use of potentially affected records generally causes more concern and is ‘news-sexy’.

For your Security Manager

Four quick tips for choosing an IM security product

71 percent of businesses will invest in real-time messaging this year. [I bet less than 10% have even considered IM security Bob] If you're one of them, be sure to protect your enterprise

By Chenxi Wang, August 26, 2008

Should we look at this as an effort to make phishing more genteel?

Call out a phisher, get attacked by malware

In new twist, phishing scam snares victims through a log-in screen where they can give the cybercrooks a piece of their mind

By Gregg Keizer, Computerworld August 26, 2008

... In a new twist, phishers using the Asprox botnet have struck victims who use the scam's log-in screen to give the crooks a piece of their mind. The scammers fire off a multi-exploit attack kit against anyone who uses profanity in place of the username or password, said Joe Stewart, director of malware research at SecureWorks Inc.

Resource for a “Policy Guideline?”

The privacy policy problem, Part 1: A model policy

Tuesday, August 26 2008 @ 06:43 AM EDT Contributed by: PrivacyNews

Many organizations strive to protect the confidentiality of prospects and clients. In this column and the next three, I want to explore issues relating to privacy policies and the sometimes problematic relations between legitimate, well-meaning institutions and the commercial organizations with which they do business - and the criminal organizations which abuse their good names and reputations.

Norwich University’s Privacy Policy stands as an excellent example of a clear, well-written and comprehensive document - an example that could usefully be considered by readers of this column who may need a sample policy for their own organization’s use.

Source - NetworkWorld

Hack du jour... (Filed under: Passwords are not adequate security)

Locked iPhones can be unlocked without a password

Private information stored in Apple's iPhone and protected by a lock code can be accessed by anyone just by pushing a few buttons

By Peter Sayer, IDG News Service August 27, 2008

Related: There are many ways to 'hack the system'

iPhone developers beat Apple's NDA with $1 bills — iPhone developers still bound by an Apple gag order are paying each other $1 to share coding tips. That way, if challenged by Apple's legal department, they can argue that they are subcontractors and therefore free to discuss the software.,0,2200545.story

“We don't need no stinking legal basis for harassing people we don't like!” (Clearly adds fuel to the recall fire – don't these people think before they act?)

Woman Sues Mayor For Order Demanding She Remove City Links From Her Website

from the abuse-of-power dept

GigaLaw points us to the news of a lawsuit filed by a woman in Sheboygan, Wisconsin, against that city's mayor and other officials for demanding that she remove links to the city's police department from her website. The woman believes that the demand was in response to her own support of an effort to recall the mayor.

Apparently, sometime after this effort, the mayor's secretary asked the city attorney if it was legal for the woman to link to the city's police department website from her web design company's website (totally separate from the website about the mayor's recall). The city attorney told the mayor that a link is perfectly legal -- but offered to send a cease-and-desist anyway, which the mayor approved. The woman says she felt threatened in getting a cease-and-desist from the mayor's office and took the link down.

From the facts presented in the article, this certainly sounds like an abuse of power. There's nothing inherently illegal in just linking to someone else's website, and it appears the city attorney even knew this. So it looks like the mayor and the city attorney decided to send the cease-and-desist anyway to intimidate the woman -- which worked (at least temporarily). While it's not clear if this woman will be able to win any damages, it's good to see her fighting back against what appears to be an abuse of power.

If this was in the US (and it was and will be again) there would be more Class Action Lawyers than wheat in Alberta! (“Hey dude, we know that we promised 'unlimited' phone service but we never expected anyone would actually require us to deliver it!”)

TELUS Forcing Customers Off Unlimited Plans

Posted by kdawson on Tuesday August 26, @05:42PM from the can't-eat-all-that dept. Cellphones The Almighty Buck

An anonymous reader writes

"Canadian telco TELUS sold a bunch of (expensive) Unlimited EV-DO aircard accounts last winter and are now summarily canceling them or forcing people to switch to much less valuable plans. TELUS is citing 'Violations,' but their Terms Of Service (see #5) are utterly vague and self-contradictory. The TELUS plans were marketed as being unlimited, without the soft/hard caps that the other providers had at the time. They were purchased by a lot of rural Canadians who had no other choice except dialup. Now TELUS is forcing everyone to switch from a $75 Unlimited plan to a $65 1GB plan, and canceling those who won't switch. Have a look at the thread at Howardforums, a discussion of the TELUS ToS (in red at the bottom), an EV-DO blogger who's been a victim, a post at Electronista, and of course Verizon getting fined for doing the same thing! Michael Geist has taken an interest as well."

Tools & Techniques: Intercepting the data is simple, storing the data is expensive, extracting exactly what you need/want is incredibly difficult (unless you want “everything.”)

The Internet's Biggest Security Hole Revealed

Posted by kdawson on Tuesday August 26, @11:16PM from the kaminsky-was-a-warmup dept.

At DEFCON, Tony Kapela and Alex Pilosov demonstrated a drastic weakness in the Internet's infrastructure that had long been rumored, but wasn't believed practical. They showed how to hijack BGP (the border gateway protocol) in order to eavesdrop on Net traffic in a way that wouldn't be simple to detect. Quoting:

"'It's at least as big an issue as the DNS issue, if not bigger,' said Peiter 'Mudge' Zatko, noted computer security expert and former member of the L0pht hacking group, who testified to Congress in 1998 that he could bring down the internet in 30 minutes using a similar BGP attack, and disclosed privately to government agents how BGP could also be exploited to eavesdrop. 'I went around screaming my head about this about ten or twelve years ago... We described this to intelligence agencies and to the National Security Council, in detail.' The man-in-the-middle attack exploits BGP to fool routers into re-directing data to an eavesdropper's network."

[Try it yourself... Bob] Here's the PDF of Kapela and Pilosov's presentation.
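A defender's first check against the origin side of this attack, added here as an example and not part of the Slashdot post or the DEFCON talk: compare each announcement a route collector hands you against a table of the prefixes you expect to see originated, with the origin AS and the longest prefix length you consider legitimate (the same three fields an RPKI ROA carries). The table and the announcements below are constructed samples built from documentation prefixes and private AS numbers; the function names are mine.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed expected-origin table: prefix -> (expected origin AS, max prefix length).
# RFC 5737 documentation prefixes and RFC 6996 private AS numbers; not real routes.
EXPECTED: Dict[str, Tuple[int, int]] = {
    "203.0.113.0/24": (64500, 24),
    "198.51.100.0/22": (64501, 24),
}

# Constructed sample announcements as a collector would see them: (prefix, AS_PATH).
# The last AS in the path is the origin.
ANNOUNCEMENTS: List[Tuple[str, List[int]]] = [
    ("203.0.113.0/24", [64496, 64500]),          # expected origin, expected length
    ("203.0.113.0/25", [64496, 64502, 64503]),   # more-specific from a foreign origin: wins by longest match
    ("203.0.113.128/25", [64496, 64500]),        # right origin, but more specific than allowed
    ("198.51.100.0/23", [64496, 64501]),         # right origin, still within the max length
    ("198.51.100.0/22", [64496, 64504]),         # exact prefix re-originated by someone else
    ("192.0.2.0/24", [64496, 64505]),            # nothing registered for it; no opinion
]


def check_announcement(prefix: str, as_path: List[int], table: Dict[str, Tuple[int, int]]) -> str:
    """Classify one announcement against the table.

    Returns "valid", "invalid-length", "invalid-origin" or "not-covered",
    mirroring the states of RPKI route origin validation: valid if any covering
    entry accepts it, invalid if entries cover it but none accept, else not covered.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    origin = as_path[-1]
    covering = []
    for registered, (expected_origin, max_len) in table.items():
        reg = ipaddress.ip_network(registered, strict=True)
        if net.version == reg.version and net.subnet_of(reg):
            covering.append((expected_origin, max_len))
    if not covering:
        return "not-covered"
    if any(origin == eo and net.prefixlen <= ml for eo, ml in covering):
        return "valid"
    if any(origin == eo for eo, _ in covering):
        return "invalid-length"      # our own origin, but a more-specific we never sanctioned
    return "invalid-origin"          # someone else claims to originate our space


def scan(announcements: List[Tuple[str, List[int]]], table: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Run every announcement through the check."""
    return [(prefix, check_announcement(prefix, path, table)) for prefix, path in announcements]


def alerts(announcements: List[Tuple[str, List[int]]], table: Dict[str, Tuple[int, int]]) -> List[str]:
    """Prefixes worth paging someone about: anything covered by the table but not accepted by it."""
    return [prefix for prefix, verdict in scan(announcements, table) if verdict.startswith("invalid")]


if __name__ == "__main__":
    for prefix, verdict in scan(ANNOUNCEMENTS, EXPECTED):
        print(f"{prefix:18} {verdict}")
```

This is a first filter, not proof of authenticity: an announcement that forges the expected origin AS at the end of its path passes an origin check, so path monitoring from several vantage points is still needed on top of it.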

Another “security hole” but somewhat less vast... (Not quite half-vast...)

Out of Sight, But Not Gone

Tuesday, August 26 2008 @ 06:16 AM EDT Contributed by: PrivacyNews

To protect the privacy of litigants, the Federal Rules of Practice and Procedure require that certain personal data identifiers be modified or partially redacted from federal court case files. These identifiers are Social Security numbers, dates of birth, financial account numbers, and names of minor children, and in criminal cases, also home addresses.

In all cases, it is the responsibility of the attorney and the parties in the case to redact personal identifiers.

But redaction, once a matter of drawing a heavy black line through the words on paper, has changed with the electronic filing of documents. A black bar drawn over the text is no longer enough to block it from view. In an electronic file, the obscured text still lurks beneath the highlighter box and can be readily recalled. The text is hidden, not excised.

... Many courts, such as the District of Arizona and the Northern District of California, have posted information to their websites on effective redaction techniques. For a look at their tips, visit their websites at: or$file/redaction.pdf. [The second links points to even more links Bob]

Source - The Third Branch
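To make the "hidden, not excised" point concrete, here is an added example (not from The Third Branch article or the court websites) that builds a tiny one-page PDF by hand, paints a black rectangle over a constructed sample identifier, and then shows that the text is still recoverable from the file by scanning its text-drawing operators. The second variant removes the identifier from the page content before drawing, which is what redaction has to mean in an electronic file. The PDF builder, the sample text and the helper names are all my own.

```python
import re
from typing import List

SECRET = "123-45-6789"   # constructed sample Social Security number, not a real one


def make_pdf(content_stream: bytes) -> bytes:
    """Assemble a minimal one-page PDF around a single content stream.

    The stream is left uncompressed so the file can be inspected with a plain
    byte search; filers' PDFs usually compress streams, which hides text from
    grep but not from any text-extraction tool.
    """
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Resources << /Font << /F1 5 0 R >> >> /Contents 4 0 R >>",
        b"<< /Length %d >>\nstream\n" % len(content_stream) + content_stream + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return bytes(out)


def show_text(line: str) -> bytes:
    """Content-stream fragment that draws one line of text with the Tj operator.
    (The sample text avoids parentheses and backslashes, which PDF strings would need escaped.)"""
    return ("BT /F1 12 Tf 72 700 Td (" + line + ") Tj ET").encode("latin-1")


BLACK_BAR = b"\n0 g 72 696 300 16 re f"   # filled black rectangle painted over the text line


def black_bar_redaction(line: str) -> bytes:
    """The heavy-black-line habit carried over to electronic filing: draw the text, then cover it."""
    return show_text(line) + BLACK_BAR


def true_redaction(line: str, secret: str) -> bytes:
    """Remove the identifier from the content before drawing; the bar now covers only a placeholder."""
    return show_text(line.replace(secret, "[REDACTED]")) + BLACK_BAR


TJ_STRING = re.compile(rb"\(([^()]*)\)\s*Tj")


def extract_strings(pdf: bytes) -> List[str]:
    """Every literal string handed to Tj, i.e. what copy-and-paste or a text extractor recovers."""
    return [m.group(1).decode("latin-1") for m in TJ_STRING.finditer(pdf)]


def leaks(pdf: bytes, secret: str) -> bool:
    """True if the supposedly redacted identifier is still present in the file's text operators."""
    return any(secret in s for s in extract_strings(pdf))


if __name__ == "__main__":
    line = "Plaintiff, SSN " + SECRET + ", seeks damages"
    covered = make_pdf(black_bar_redaction(line))
    excised = make_pdf(true_redaction(line, SECRET))
    print("black bar only, secret still in file:", leaks(covered, SECRET))
    print("text removed, secret still in file:  ", leaks(excised, SECRET))
```

The same scan, applied to a filing before it goes out the door, is the check worth automating: if the identifier appears in any text operator, the document was covered, not redacted.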

The changing (globalizing?) legal world. I hope they write better contracts for themselves than the contracts they write for their clients.

ABA Gives Thumbs Up to Legal Outsourcing

Wednesday, August 27 2008 @ 05:00 AM EDT Contributed by: PrivacyNews

The American Bar Association has waded into the debate over legal outsourcing with an ethics opinion blessing the outsourcing trend as "a salutary one for our globalized economy."

A growing number of legal process outsourcing (LPO) companies have sprouted up in recent years to offer the services of lawyers abroad to handle the most labor-intensive aspects of U.S. legal matters, especially document review in large-scale litigation. India has been the most popular destination for legal outsourcing because it has a common-law system and English is widely spoken.

Source -

Because you can never have enough video... - Video Learning Network is an extensive educational video library that will allow you to learn about any topic you can think of. Teachers and students will both benefit from the many videos that can be viewed through the site. The many documentaries that can be seen online will allow you to learn more about topics as diverse as sports and science (there’s even a category named “weird”). This makes the site a great resource that can be consulted when you want to learn more about any particular subject. There are many long documentaries hosted by the site, not just snippets.

How would you describe this niche? (I suspect there are many demonstrators with “Official Rodney King” model video cameras too.)

Democratic Convention: Live Audio of Denver Police

By Kevin Poulsen August 26, 2008 | 1:19:14 PM

If you're less interested in the speeches inside the Pepsi Center than the rubber bullets flying outside, the donation-supported scanner site is streaming the dispatch frequency for the Denver police.

I want one, but it might be difficult to get by TSA at airport security...

Space Cube – the World's Smallest Linux PC

Posted by timothy on Wednesday August 27, @09:47AM from the not-time-cube-note dept. Portables Power Space Linux

Barence writes

"Meet the Space Cube — the world's smallest fully functional PC. Primarily designed for use in space, it somehow manages to cram a working PC with USB ports, card readers, audio outputs and proprietary interfaces into a tiny cube chassis measuring just two inches square. It runs a basic Linux front-end, which the blogger takes a look at, and there are some great photos of the device being loomed over by everyday objects like coffee mugs and cellphones. It has connections for controlling various electronics used by ESA, NASA and JAXA, but it will also apparently be for sale to the public soon, for use by amateur engineers and robotics clubs."

Have you noticed that some technology is near the Gillette model (give away the razor, sell the blades)?

Print without wires for $41 shipped

Posted by Rick Broida August 27, 2008 5:08 AM PDT

... Circuit City has the Lexmark Z1480 color inkjet on sale for $40.96 shipped

... A set of replacement cartridges will run you $39.99 if purchased at Circuit City