Saturday, September 13, 2008


But we had a policy!

TSU says student Social Security numbers have gone missing

Friday, September 12 2008 @ 03:16 PM EDT Contributed by: PrivacyNews

Tennessee State University this afternoon announced that a flash drive containing the financial information and Social Security numbers of more than 9,000 students was reported missing earlier this week.

A financial aid counselor reported the flash drive missing Tuesday morning after discovering that it was no longer in her possession, administrators said. The flash, which contained financial records of TSU students dating back to 2002, was last seen Monday evening. There have been no attempts to use the data. [“We didn't know our data had been copied but we have checked the entire world and are sure nothing has happened...” Riiiight... Bob]

... University officials don't believe the missing flash drive was encrypted or password-protected, although TSU policy requires Social Security numbers be stored in protected data files. The school also no longer uses Social Security numbers as students' primary identification numbers.

The incident is under investigation by TSU's Department of Internal Audit. The employee has been placed on administrative leave with pay pending the outcome of the investigation. [Encouraging, but unlikely to go further. Bob]

Source - Nashville Post

Mellon Bank continues to make headlines – although it looks like they are simply paraphrasing other news stories.

Lenders say private customer records have been breached

Saturday, September 13 2008 @ 07:05 AM EDT Contributed by: PrivacyNews

Hundreds of thousands of Florida customers of Countrywide Finance Corp. and The Bank of New York Mellon Shareowner Services are at risk after two instances of data being compromised.

... Since January, the Florida attorney general has received 1,646 complaints from residents concerned their identities had been stolen, nearly 200 from security breaches. Only 30 such complaints were reported in 2007.

Source - Miami Herald

New technology follows the same learning curve previous technologies followed – same with law and regulation. (Think Video Recorders and Napster)

Cloud Computing May Draw Government Action

Posted by Soulskill on Friday September 12, @07:31PM from the internet-is-a-series-of-jet-streams dept. Government The Internet

snydeq brings us this excerpt from InfoWorld:

"Cloud computing will soon become an area of hot debate in Washington, as the increasing popularity of cloud-based services is putting pressure on policy makers to answer tough questions on the privacy and security of data in the cloud. For example: Who owns the data that consumers store on the network? Should law enforcement agencies have easier access to personal information in the cloud than data on a personal computer? Do government procurement regulations need to change to allow agencies to embrace cloud computing? So far, US courts have generally ruled that private data stored in the cloud doesn't enjoy the same level of protection from law enforcement searches that data stored on a personal computer does, said Ari Schwartz, COO of the Center for Democracy and Technology. 'I do think government has an almost infinite ability to screw up things when they can't see the future,' former Bill Clinton tech policy adviser Mike Nelson added. 'We have to have leadership that believes in empowering users and empowering citizens.'"


Va. court strikes down anti-spam law

Friday, September 12 2008 @ 10:28 AM EDT Contributed by: PrivacyNews

The Virginia Supreme Court declared the state's anti-spam law unconstitutional Friday and reversed the conviction of a man once considered one of the world's most prolific spammers.

The court unanimously agreed with Jeremy Jaynes' argument that the law violates the free-speech protections of the First Amendment because it does not just restrict commercial e-mails.

Source - AP

Why spend big bucks getting into a vanishing market? They won't. They will customize a Linux variation.

Report: HP trying for 'end-run' around Windows

Posted by Erica Ogg September 12, 2008 3:02 PM PDT

This used to be provided by the news services, but now they copy stories from Google & Yahoo with no fact checking (a la the United Airlines bankruptcy story)

Homeland Security lacking 'open source' intelligence

Posted by Stephanie Condon September 12, 2008 4:01 PM PDT

Hack du jour Not even “really smart guys” are able to make security perfect.

Greek Hackers Target CERN's LHC

Posted by ScuttleMonkey on Friday September 12, @04:18PM from the try-try-again dept. Security Science

Doomsayers Delight writes

"The Telegraph reports that Greek hackers were able to gain momentary access to a CERN computer system of the Large Hadron Collider (LHC) while the first particles were zipping around the particle accelerator on September 10th. 'Scientists working at CERN, the organization that runs the vast smasher, were worried about what the hackers could do because they were "one step away" from the computer control system of one of the huge detectors of the machine, a vast magnet that weighs 12,500 tons, measuring around 21 meters in length and 15 meters wide/high. If they had hacked into a second computer network, they could have turned off parts of the vast detector and, said the insider, "it is hard enough to make these things work if no one is messing with it."'"

[From the article:

The scientists behind the £4.4bn atom smasher had already received threatening emails and been besieged by telephone calls from worried members of the public concerned by speculation that the machine could trigger a black hole to swallow the earth, or earthquakes and tsunamis, despite endless reassurances to the contrary from the likes of Prof Stephen Hawking. [Do you suppose the hackers came from the “flat earthers?” Bob]

... "We think that someone from Fermilab's Tevatron (the competing atom smasher in America) had their access details compromised," said one of the scientists working on the machine. "What happened wasn't a big deal, just goes to show people are out there always on the prowl."

Hack du November? Who do you want to be President and how much money do you have? Of course this won't be as bad as the “Hanging Chad” story since most voters don't understand technology well enough to see the risks.

Sequoia E-Voting Equipment Allowed Thousands Of Fake Write-In Votes

from the don't-you-feel-great-about-our-upcoming-election? dept

Just this week, we pointed to a rather graphic demonstration of how easy it is to hack an election using Sequoia's e-voting machines. Sequoia's machines have been implicated in numerous problematic elections, such as vote totals in New Jersey that don't add up properly, or the discovery that with a little effort you can vote multiple times on some Sequoia machines. And, of course, Sequoia's usual response to these sorts of things is to deny any and all responsibility and maybe even threaten to sue those who discover the problems.

Well, here they go again. In a Washington DC primary election that used Sequoia's machines, election officials are trying to deal with the fact that the machines seem to have added thousands of votes for a non-existent write-in candidate. [I am not “non-existent!” (Anyone want to be my VP? No experience needed.) Bob] The election board is blaming a "faulty cartridge" (though no one seems to know what that means, exactly). Sequoia, however, denies a faulty cartridge or a faulty database and says that it must be human error or maybe "static discharge." You would think that a company like Sequoia would be quite concerned that its machines could change the course of democracy based on static discharge or basic human error, but it seems more concerned with avoiding any blame:

"There's absolutely nothing wrong with the database," said Michelle Shafer, spokeswoman for California-based Sequoia Voting Systems. "There's absolutely no problem with the machines in the polling places. No. No."

There. Now, doesn't that make you feel oh-so-confident in the ability of these machines to conduct a free and fair democratic election for President this November?

Guiding my hackers. Since we are starting a White Hat Club, this subject interests me.

University Brings Charges Against White Hat Hacker

Posted by Soulskill on Saturday September 13, @01:40AM from the easier-than-fixing-security-holes dept. Education Security

aqui writes

"A university student at Carleton is learning that no good deed goes unpunished. After hacking into what was probably a not-so-secure university network, this guy took the time to write a 16-page paper on his methods and sent it to the system admins. Sounds like White Hat behavior to me. Yes, he should have asked permission before trying, but throwing the book at the guy and wrecking his life with criminal charges (which stick for a long time) seems a little excessive. The university should spend money on hiring some admins with better computer skills and teaching skills rather than paying lawyers. In the Engineering department at my old university, the unofficial policy was that when you broke in, didn't damage anything, and reported the problem and how you broke in, they didn't charge you (if you maliciously caused damage, you usually faced academic sanctions). In some cases, the students were hired or they 'volunteered' for the summer to help secure the servers or fix the hole they found. The result was that Engineering ended up with one of the most secure systems in the university."

Read on for the rest of aqui's comments.

[From the article:

The writer, who used a pseudonym, claimed he easily broke into the accounts using a program that captures computer keystrokes. [Does that mean I can't give this software to my students any more? Bob]

... The breach allowed access to the Campus Cards that students use as debit cards for campus purchases, including photocopiers, food kiosks and the bookstore.

With the information, the hacker could also have accessed e-mails, course registrations, library records and personal financial information about loans and scholarships.

... Det. Villeneuve said it is unclear whether the suspect could have accessed the student accounts with the programs that he had and the information he had gathered.

I will follow this – it started in July. My recommendation has always been for governments (municipal or state) to create a holding company to lay fiber to the home and then offer it to all comers. No need for monopolies that way.

Telco Sues Municipality For Laying Their Own Fiber

Posted by Soulskill on Friday September 12, @09:28PM from the we're-here-to-help-and-we-brought-lawyers dept. Networking Businesses Communications

unreceivedpacket writes

"Ars Technica reports that a company called TDS Telecom is attempting to sue the town of Monticello, Minnesota for deploying their own fiber network. Shortly after the town voted to lay the fiber, TDS Telecom filed suit and notified the town that they would be deploying their own fiber network. The telco has recently responded to Ars Technica, saying they only sued to save Monticello from itself, apparently feeling that the municipality is unprepared for the onerous costs of maintaining such a network, and would lack the expertise to do so."

[From the article:

Its claim: taking out bonds to build a fiber network is illegal.

Bridgewater Telephone argues that the city cannot use tax-exempt bonds to "enter into direct competition with incumbent commercial providers of telephone, Internet, and cable television services." The odd thing about the complaint, a copy of which was seen by Ars Technica, is that it makes almost no argument; instead, the company simply quotes a short bit of Minnesota law and essentially says, "See, it's illegal!" without offering an explanation.

Potential business model or online game? - Bid On Startups

Do you think you have what it takes to spot a winner amongst the millions of websites that are started every year? If you do, then take a look at Through the site, you’ll be able to buy virtual shares of sites you think will be successful, and if the site does become popular, you’ll be able to cash out and make some extra cash. This is a creative take on the Startup finding page. People will be able to play stock market with startups, making it possible for others to find out about new startups and what they do. It’s a very creative site that could give you many cash rewards. Prizes are awarded to the best people who spot good sites, so you should try to do your best in picking sites that you think will make it big. Anyone with a knack for startup spotting should consider using this site.

Friday, September 12, 2008


How vague can a disclosure be? Wouldn't it be useful to know who was breached? When the breach occurred and what dates the records lost cover?

American Express notifying some customers of breach at unnamed merchant

Thursday, September 11 2008 @ 01:19 PM EDT Contributed by: PrivacyNews

Evan Francen of The Breach Blog has uploaded a notification letter dated August 26th received by one of his site's readers. No other information about the breach seems to be available at this time, but it is interesting that AmEx notified the customer about a cancelled account and indicates that it will monitor the (cancelled) account for activity.

Francen wonders whether this breach might be related to the recent revelation that a computer containing customer data was sold on ebay. It's a good question. Would that companies provide us with more details in their notification letters.

How do I interpret this? Is it more FBI braggadocio? (“This arrest solves 92% of all crime worldwide.”) Is it true, but they don't want to embarrass anyone? Is it true, and the economy would collapse if the scope was revealed? Would FOIA answer any of these questions?

Hacker pleads guilty in breach (TJX update)

Friday, September 12 2008 @ 06:17 AM EDT Contributed by: PrivacyNews

Federal prosecutors won a guilty plea yesterday from one of 11 men who made up a ring that was charged last month with the largest data theft case in history, involving tens of millions of customers of retailers, including TJX Cos. of Framingham and BJ's Wholesale Club of Natick.

Separately the government also said it has evidence the group breached the security of many more businesses than previously disclosed.

... And in a separate court filing yesterday, Heymann wrote the government has evidence that Toey and his coconspirators hacked into "numerous other businesses." The filing did not disclose the businesses, and Heymann did not release any more details in court.

Source -

Comment: and were the customers of those "numerous other businesses" ever notified of the breaches? Did the businesses even know that they had been breached or did the federal government not communicate with them? -- Dissent

If it was common practice to encrypt any files transmitted with the public key of the recipient, this would have been a non-issue.

Personal Information Of 23,000 Ivy Tech Students Sent Out Over E-Mail (update)

Thursday, September 11 2008 @ 04:49 PM EDT Contributed by: PrivacyNews

The personal information of about 23,000 Ivy Tech students was accidentally sent out in an e-mail to 1,400 people, according to a letter from the school.

In the letter Ivy Tech Indianapolis Vice President of Administration William Morris writes that the e-mail was sent during the last week of July.

He said an employee intended to e-mail the list -- which included the names, addresses and Social Security numbers of students who were enrolled in distance-education courses -- to a colleague. Instead, the file drop was sent to an e-mail group that included about 1,400 current and former Ivy Tech Indianapolis employees, including some current and former student employees.

Source - The Indy Channel

It looks like the courts are becoming better educated on security “Best Practices” (Or maybe this one was just glaringly obvious...)

Brokerage to pay fine for alleged security breach (LPL Financial update 2)

Thursday, September 11 2008 @ 03:33 PM EDT Contributed by: PrivacyNews

A brokerage firm has agreed to pay a $275,000 fine following a series of alleged online hacking incidents into customer accounts.

The Securities and Exchange Commission said Thursday that LPL Financial Services failed to protect its customers' personal information, leaving at least 10,000 clients vulnerable to identity theft.

Source - Associated Press

Note: this appears to be related to two breaches reported on here and here. LPL Financial has reported six breaches that we know of in the past year.

Updated 9-12-08: See also SEC Charges LPL Financial for Failing to Protect Customer Privacy in Financial News and the SEC Order [pdf], which pretty much says that LPL knew back in 2006 that they were at risk on security and didn't do enough to protect customer data.

[From the SEC Order:

    Regarding password complexity, LPL’s internal auditors identified the following weaknesses concerning the BranchNet application: (1) RR passwords did not meet industry standards for so-called “strong” passwords, because, among other things, the passwords had no requirements on length or alphanumeric/special character combinations; (2) passwords were not set to expire after a certain period of time; (3) users could not change their own passwords; and (4) there was no automatic lockout feature related to unsuccessful login attempts. Additionally, over 300 LPL information technology employees had access to a list of BranchNet passwords, and a number of former employees likely had access to such a list before leaving the firm.

The cost of Identity Theft just went up...

Identity-Theft Victims Owed Duty of Care in Bank Fraud Investigations, N.J. Court Says

Mary Pat Gallagher New Jersey Law Journal September 11, 2008

A bank that pursues criminal charges against an innocent third party whose identity is stolen and used to defraud the bank can be sued for negligence and malicious prosecution, an appeals court held Tuesday in a case of first impression in New Jersey.

The court, in Brunson v. Affinity Federal Credit Union, A-4439-06, ruled that financial institutions and fraud investigators have a duty to "pursue with reasonable care their responsibility for protecting not only their own customers, but non-customers who may be victims of identity theft."

This Aussie author misses the whole point. A cost/benefit analysis is logical for businesses, but a “Look! I'm doing something to protect you, let's not talk about cost & benefits” approach wins votes and therefore is the default among politicians.

The terrifying cost of feeling safer

Ross Gittins August 26, 2008

... It's now clear that when people think about defence and national security, the main thing they have in mind is the risk of terrorism, not the risk of invasion by another country.

... It's a well-known finding of psychology that humans tend to overestimate the probability of rare events, while underestimating the probability of more common events. That's partly because rare events may be more dramatic and tend to stick in our minds, whereas more frequent events tend to fade into the background.

Are we Balkanizing Law Enforcement?

Senate Judiciary Committee Approves Copyright Cops

Posted by kdawson on Friday September 12, @08:54AM from the keystone-of-the-law dept. Government

I Don't Believe in Imaginary Property writes

"The Senate Judiciary Committee has approved the EIPA (the Enforcement of Intellectual Property Rights Act of 2008), which would create copyright cops. And these cops would take over the RIAA's War on Sharing by filing civil lawsuits and using civil forfeiture laws to take any and all computers engaged in infringement. Worse, they would even seize computers (such as servers or database farms) that house the data of innocent people, and these people would not have any right to get their data back. At best the 'virtual bystanders' who happened to have data on a computer used for infringement could get a protective order saying that no one should go rummaging through their stuff. Perhaps the only good thing in the bill is that they've excluded DMCA circumvention from the list of grounds for seizure. So while the Senators believe this is needed to combat foreign copyright infringement cartels, it's entirely likely that innocent people will be harmed by this law."

...but if the location data is stored at the phone company all bets are off?

New Court Decision Affirms that 4th Amendment Protects Location Information

Thursday, September 11 2008 @ 09:59 AM EDT Contributed by: PrivacyNews

In an unprecedented victory for cell phone privacy, a federal court has affirmed that cell phone location information stored by a mobile phone provider is protected by the Fourth Amendment and that the government must obtain a warrant based on probable cause before seizing such records.

The Department of Justice (DOJ) had asked the federal court in the Western District of Pennsylvania to overturn a magistrate judge's decision requiring the government to obtain a warrant for stored location data, arguing that the government could obtain such information without probable cause. The Electronic Frontier Foundation (EFF), at the invitation of the court, filed a friend-of-the-court brief opposing the government's appeal and arguing that the magistrate was correct to require a warrant. Wednesday, the court agreed with EFF and issued an order affirming the magistrate's decision.

Source - EFF


IPhone Takes Screenshots of Everything You Do

Thursday, September 11 2008 @ 04:55 PM EDT Contributed by: PrivacyNews

Your iPhone is watching you.

If you've got an iPhone, pretty much everything you have done on your handset has been temporarily stored as a screenshot that hackers or forensics experts could eventually recover, according to a renowned iPhone hacker who exposed the security flaw in a webcast Thursday.

Source - Gadgets Lab

Related? Governments will be able to claim, “We're just following International Standards...”

U.N. agency proposes curbs on Internet anonymity

Friday, September 12 2008 @ 05:37 AM EDT Contributed by: PrivacyNews

A United Nations agency is quietly drafting technical standards, proposed by the Chinese government, to define methods of tracing the original source of Internet communications and potentially curbing the ability of users to remain anonymous.

The U.S. National Security Agency is also participating in the "IP Traceback" drafting group, named Q6/17, which is meeting next week in Geneva to work on the traceback proposal. Members of Q6/17 have declined to release key documents, and meetings are closed to the public.

Source - Cnet

Facts suggest little real privacy...

Debunking Google's log anonymization propaganda

Thursday, September 11 2008 @ 01:16 PM EDT Contributed by: PrivacyNews

Google announced on Monday that the company will be reducing the amount of time that it will keep sensitive, identifying log data on its search engine customers. To the naive reader, the announcement seems like a clear win for privacy. However, with a bit of careful analysis, it's possible to see that this is little more than snake oil, designed to look good for the newspapers, without delivering real benefits to end users.

Source - Surveill@nce St@te, on Cnet

[From the article:

As an example, an IP address of a home user could be After 18 months, Google chops this down to 173.192.103.XXX.

Since each octet (the numbers between each period of an IP) can contain values from 1-255, Google's anonymization technique allows a user, at most, to hide among 254 other computers. In comparison, Microsoft deletes the cookies, the full IP address and any other identifiable user information from its search logs after 18 months.

Google has now revealed that it will change "some" of the bits of the IP address after 9 months, but less than the eight bits that it masks after the full 18 months. Thus, instead of Google's customers being able to hide among 254 other Internet users, perhaps they'll be able to hide among 64, or 127 other possible IP addresses.
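As an added illustration of the octet-masking arithmetic the article walks through (example code written for this post, not from the Cnet piece or from Google), the block below masks the low bits of an IPv4 address, reports how many addresses collapse into the same masked value, and shows why masking alone buys little when another identifier is retained. The sample log records, the two retention policies and the `173.192.103.0/24` range are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample search-log records (not real data): two queries from one
# household behind 173.192.103.17 with the same persistent cookie, plus one
# unrelated query from another address in the same /24.
SAMPLE_LOG = [
    {"ip": "173.192.103.17", "cookie": "PREF=abc123", "q": "knee pain"},
    {"ip": "173.192.103.17", "cookie": "PREF=abc123", "q": "oncologist near me"},
    {"ip": "173.192.103.200", "cookie": "PREF=zzz999", "q": "weather"},
]


def mask_ipv4(addr: str, masked_bits: int) -> str:
    """Zero the low `masked_bits` bits of an IPv4 address.

    masked_bits=8 zeroes the whole last octet (the article's 18-month case);
    a smaller value, e.g. 6 or 7, is the 'some of the bits' 9-month case.
    """
    if not 0 <= masked_bits <= 32:
        raise ValueError("masked_bits must be in 0..32")
    ip = int(ipaddress.IPv4Address(addr))
    keep_mask = (0xFFFFFFFF << masked_bits) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(ip & keep_mask))


def anonymity_set_size(masked_bits: int) -> int:
    """How many distinct addresses map onto one masked value: 2**masked_bits.

    8 bits -> 256 addresses, 7 -> 128, 6 -> 64, matching the article's
    'hide among roughly 254 / 127 / 64 others' figures.
    """
    return 1 << masked_bits


def render_like_article(addr: str) -> str:
    """Show a last-octet-masked address the way the article prints it: a.b.c.XXX."""
    a, b, c, _last = addr.split(".")
    return f"{a}.{b}.{c}.XXX"


def retain(records, policy: str):
    """Apply a (constructed) retention policy to log records.

    'mask_ip_keep_cookie': mask the low 8 bits of the IP, keep the cookie.
    'drop_ip_and_cookie': delete both identifiers, keep only the query text.
    """
    out = []
    for r in records:
        if policy == "mask_ip_keep_cookie":
            out.append({"ip": mask_ipv4(r["ip"], 8), "cookie": r["cookie"], "q": r["q"]})
        elif policy == "drop_ip_and_cookie":
            out.append({"ip": None, "cookie": None, "q": r["q"]})
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return out


def largest_linkable_group(records) -> int:
    """Size of the biggest set of queries still attributable to one user.

    Groups records by whatever identifiers survive retention; records with no
    identifiers left cannot be linked to each other and are skipped.
    """
    groups = defaultdict(int)
    for r in records:
        key = (r["ip"], r["cookie"])
        if key == (None, None):
            continue
        groups[key] += 1
    return max(groups.values(), default=0)


if __name__ == "__main__":
    masked = mask_ipv4("173.192.103.17", 8)
    print(render_like_article(masked), "hides among", anonymity_set_size(8), "addresses")
    print("9-month style (7 bits):", anonymity_set_size(7), "addresses")
    for policy in ("mask_ip_keep_cookie", "drop_ip_and_cookie"):
        kept = retain(SAMPLE_LOG, policy)
        print(policy, "-> largest linkable query group:", largest_linkable_group(kept))
```

Run stand-alone, the last two lines show that with the cookie retained the two medical queries remain linkable to one user despite the masked address, while dropping both identifiers leaves no linkable group.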

Related? The Commish' talks about working with Facebook on Privacy (very positively) and mentions another video on how to set privacy rules in Facebook – but I can't seem to find that one.

Your privacy, your responsibility says Ontario Privacy Commissioner

Friday, September 12 2008 @ 05:49 AM EDT Contributed by: PrivacyNews

Ann Cavoukian talks about working with Facebook on boosting user privacy, and has some cautionary words for job seekers using social networking. (Story and video)

Source -

How is this different than looking at the pictures displayed in an employee's cubicle?

One In Five Employers Scan Applicants' Web Lives

Posted by timothy on Thursday September 11, @04:38PM from the other-four-are-lying dept. Social Networks Privacy

Ned Nederlander writes

"CareerBuilder's new survey finds: 'Of those hiring managers who have screened job candidates via social networking profiles, one-third (34 percent) reported they found content that caused them to dismiss the candidate from consideration.' Some red flags: content about applicant using drugs or drinking, inappropriate photos and bad-mouthing former bosses."

“Look. We only want docile customers who are cheap to service. (Sheep who are too ignorant to complain about the lousy service) We won't kick real users off our system, just heavily restrict the bandwidth we promised them without letting them out of their contracts.”

AT&T Changes TOS, Start Slowing Rebel Downloaders Next Month — AT&T's just updated its terms of service for broadband customers, and starting next month, if you're a heavy downloader, get ready to have your connection squeezed to a trickle. While they haven't implemented usage caps a la Comcast (yet) they are using a similar traffic management technique starting on Oct. 18 that will slow down your whole...

SETI at home, adopted for storage. Should be fun for the e-Discovery lawyers...

Online Storage With a Twist

Posted by timothy on Thursday September 11, @01:57PM from the wiseacres-will-volunteer-to-store-porn dept. Data Storage Encryption Privacy The Internet

mssmss writes

"For a long time, I have been looking for a way to securely store my files online without being tied to a single vendor — whose survival my storage depends on. It looks like Wuala has a way to do this, according to this story in the Economist. They use donated disk space of users to scatter your encrypted files over multiple computers."

Hey! I gots kulcha... – Buy Classical Music

Are you tired of iTunes’ focus on popular music? If you’re looking for a place to find all your classical music cravings, check out On this rapidly growing online store, you’ll find the world’s largest library of DRM-free classical tracks from both major and independent labels. The tracks you purchase from the site can be transferred to any device and burned into CDs, making it a lot easier for you to share your music and take it with you on the go. If online retailers focused more on DRM-free tracks, they would probably sell a lot more, and these guys seem to know that. Like with any other store, the music is divided into many categories to make finding it easier. You can search for music by label, genre, periods, artists, and even composers. Classical music lovers are going to love this site and its comprehensive library.

Thursday, September 11, 2008


Is they was or is they wasn't breached?

Countrywide, Franklin Savings Security Breach

Wednesday, September 10 2008 @ 07:56 PM EDT Contributed by: PrivacyNews

John Matarese mentions a breach for which I've found no confirmation so far, and I have contacted the bank to ask for confirmation and additional details. This report will be updated as information becomes available.

.... Letters are going out to customers of Franklin Savings and Loan, one of Cincinnati's oldest banks. A similar letter is going out to Countrywide mortgage customers.

The Blue Ash-based Franklin Savings has eight branches, in Anderson and Delhi Township, Blue Ash, Obryonville, Roselawn, Forest Park, Sharonville, and Western Hills.

Franklin tells me a hacker accessed files of 25,000 customers...but says there is no evidence of any ID theft.

Source - WCPO

[The Franklin article:

Franklin tells me a hacker accessed files of 25,000 customers...but says there is no evidence of any ID theft. [The law doesn't require USE of the information stolen before it qualifies as Identity Theft, does it? Bob]

[The Countrywide article:

This time, there's no doubt: The personal information of more than 28,000 Connecticut residents was stolen from Countrywide Home Loan computers and sold.

The theft of data about more than 2 million people who applied to Countrywide for mortgages between July 2006 and July 2008 is unlike other recent data losses, Connecticut Attorney General Richard Blumenthal said Wednesday, because there is no doubt the information isn't just missing.

"It was sold, we know that. We don't know precisely who bought it," Blumenthal said, calling the loss "extraordinarily frightening," because it definitely came about through criminal activity.

... According to the affidavit, Rebollo said he downloaded information about approximately 20,000 customers each week for nearly two years onto a portable flash drive.

Most of Countrywide's computers had security features that blocked the use of the drives, but Rebollo, who worked at Countrywide for 9 1/2 years, said he had access to a computer without those features. He sold each group of 20,000 or so names for $500.

This would be fun here in the US. New Privacy laws would pop up everywhere! (Shouldn't we be able to call Paris Hilton and wish her a Happy Birthday?)

Se: Site unmasks hidden info on Swedish celebs

Thursday, September 11 2008 @ 05:49 AM EDT Contributed by: PrivacyNews

High profile Swedish politicians and prosecutors, famous artists and other celebrities with unlisted telephone numbers and addresses can all be found using a website designed to help people remember friends' birthdays – and there’s nothing the notables can do about it.

Those who ask to be removed from have so far had their requests denied.

“It’s not our database. We cannot and may not change it. So either we get rid of everything or we don’t get rid of any,” said Patric Örner, the CEO of Berlock Information, which operates the site, to the TT news agency.

Source - The Local

Comment: if that's their answer, then they should get rid of everything. -- Dissent.

[From the article:

That publishes the addresses of people with unlisted numbers has been known since the site was launched in the spring of 2006.

But the storm of criticism quickly died down when the company said it would change the site’s search function.

However, it’s still possible to look up celebrity’s addresses. The only difference is that now users must register themselves as a member of the site, which takes a matter of seconds.


AZ: Death notices removed from county Web site

Thursday, September 11 2008 @ 05:56 AM EDT Contributed by: PrivacyNews

Privacy concerns and identity-theft fears prompted Maricopa County Recorder Helen Purcell to halt public viewing of death certificates on the agency's Web site.

"There is so much personal information on them: a mother's maiden name, what they died from," Purcell said, adding that her office has been fielding complaints for years about the office's practice of posting death-certificate images. The office quietly took them down last month.

Source -


Irate Ark. man posts county e-mail records in privacy fight

Thursday, September 11 2008 @ 06:43 AM EDT Contributed by: PrivacyNews

An Arkansas resident is posting the internal e-mail records of various officials in the Pulaski County clerk's office on his Web site in retaliation for what he calls the county's refusal to remove certain public documents containing Social Security numbers from its Web site.

The e-mails are considered public records and were obtained by Bill Philips, a native of North Little Rock, under Arkansas' Freedom of Information Act (FOIA).

Source - Computerworld

Further IT incompetence?

The SF rogue admin Terry Childs installed a 'terminal server,' which appears to be a router, on the city's network, but investigators haven't been able to find or log into it

By Robert McMillan, IDG News Service September 10, 2008

... After a dramatic jailhouse meeting with San Francisco's mayor one week after his arrest, Childs handed over the data, but DTIS Chief Administrative Officer Ron Vinson said Wednesday that the city now expects to spend more than $1 million to clean up the mess. To date, DTIS has paid out $182,000 to Cisco contractors and $15,000 in overtime costs, he said.

The city has also set aside a further $800,000 to address the problem. Vinson did not specify what the additional money was expected to cover, but if the city has to hire network consultants to remap, reconfigure and lock down its network, this would not be an unreasonable estimate. The city has also retained a security consulting firm called Secure DNA to conduct a vulnerability assessment of its network.

What is the fix (technological or otherwise) for this type of crime? (Use cash?)

GA: Liquor Store Clerk Busted for Huge ID Theft Operation

Thursday, September 11 2008 @ 06:05 AM EDT Contributed by: PrivacyNews

The Secret Service has arrested a man who is suspected of stealing credit card information from customers and using that information to live high on the hog.

Agent Forrest Pruitt tells WSB’s Jennifer Griffies that 29-year-old Vycas Yada, who was a clerk at Perry's Liquor Store in Athens, was arrested in Mississippi. “Items recovered include embossing machines, a laptop, as well as credit card coding machines. Other items taken of evidentiary value include items that were purchased illegally.”

According to authorities, Yadav had installed a secret camera at the cash register that would record a person's credit card information.

Source -

The true power of Google?

Automated News Crawling Evaporates $1.14B

Posted by kdawson on Wednesday September 10, @04:10PM from the who-shall-watch-the-watchers dept. Google News

cmd writes

"The Wall Street Journal reports that Google News crawled an obscure reprint of an article from 2002 when United Airlines was on the brink of bankruptcy. United Airlines has since recovered but due to a missing dateline, Google News ran the story as today's news. The story was then picked up by other news aggregators and eventually headlined as a news flash on Bloomberg. [Fact checking is no longer an option. Bob] This triggered automated trading programs to dump UAL, cratering the stock from $12 to $3 and evaporating 1.14 billion dollars (nearly United's total market cap today) in shareholder wealth. The stock recovered within the day to $10 and is now trading at $9.62, a market cap of $300M less than before Google ran the story."

The article makes clear that Google's news bot only noticed the old story because it had been voted up in popularity on the site of the South Florida Sun-Sentinel newspaper. The original thought was that stock manipulation may have been behind the incident, but this suspicion seems to be fading. [Tracks covered, check! Bob]

Pogo seems to be on a “find some studies” kick. Interesting stuff! (Sometimes scary...)

Most Companies Believe Their Sensitive Data Is at Risk

Thursday, September 11 2008 @ 05:58 AM EDT Contributed by: PrivacyNews

Nearly 70 percent of executives believe that their companies' sensitive information is at risk of data theft. [Should be 100%. The trick is how they respond to that risk. Bob] But not all of them are taking the right steps to prevent it, according to a study published earlier today.

In a survey of more than 1,300 corporate executives -- 54 percent of whom have some direct responsibility for security -- security vendor Finjan found that 68 percent believe that their companies' intellectual property and other sensitive information is at risk of data theft. Seventy-three percent are more concerned about data theft than they are about lost productivity due to worms or virus infections.

Source - Dark Reading

Related - Finjan's press release and Finjan's Web Security Survey Report – H1/08 [pdf] (free reg. req.)


Financial firms could have sensitive data stolen in 30 minutes or less

Thursday, September 11 2008 @ 06:14 AM EDT Contributed by: PrivacyNews

TraceSecurity, in its five-year statistics on Social Engineering and Penetration Testing, said that, on average, 95 percent of U.S. financial institutions’ sensitive data, including bank account records and social security numbers, could have been stolen in 30 minutes or less.

Between 2003 and 2008, TraceSecurity’s engineering team, headed by Jim Stickley, compromised the security of more than 1,000 financial institution branches. Had the attempts been genuine, TraceSecurity said that tens of millions of records could have been compromised as a result.

Source - The Tech Herald


Study: Most U.S. banks not yet compliant with identity theft rules

Thursday, September 11 2008 @ 06:41 AM EDT Contributed by: PrivacyNews

Less than one-third of U.S. banks will be fully compliant with the U.S. government’s identity theft prevention rules by the Nov. 1 deadline, according to a new study.

With the deadline looming, research by Needham, Mass.-based TowerGroup found that many U.S. financial services institutions have mistakenly considered compliance with the “Red Flags Rules,” as they are known, as merely an administrative exercise.

Source - Business Journal

Is this related to reports of the Dear Leader's health problems?

Korea Logs Highest Number of Network Security Breaches in August

Wednesday, September 10 2008 @ 09:30 PM EDT Contributed by: PrivacyNews

Nearly half of all computer network security breaches in the world last month occurred in South Korea, an industry report showed Thursday, tarnishing the nation's image as an information technology (IT) stronghold.

A network monitoring survey conducted recently by AhnLab, the nation's largest security solutions company, showed that 48 percent of all network security threats last month occurred in South Korea. The report did not elaborate on the number of breaches.

South Korea was trailed by the United States and Japan, with 17 percent and 13 percent, respectively. Hong Kong and India followed, with 7 percent and 5 percent, the report said.

Source - Telecoms Korea

“Good morning, Dave. Would you like to play a game of Chess?”

The Amazing 150″ Panasonic Life Wall TV Learns Your Preferences

This is the Life Wall by Panasonic. An extremely thin 150″ TV that does amazing things. It has face recognition so that it recognizes the face(s) that watch it and adjusts the display or program to that person’s preferences automatically.

Even my students agree with me that this is coming fast.

The meek shall inherit the web

Sep 4th 2008 From The Economist print edition

Computing: In future, most new internet users will be in developing countries and will use mobile phones. Expect a wave of innovation

... A case in point is M-PESA, a mobile-payment service introduced by Safaricom Kenya, a mobile operator, in 2007. It allows subscribers to deposit and withdraw money via Safaricom’s airtime-sales agents, and send funds to each other by text message. The service is now used by around a quarter of Safaricom’s 10m customers. Casual workers can be paid quickly by phone; taxi drivers can accept payment without having to carry cash around; money can be sent to friends and family in emergencies. [No need for checks, credit/debit cards, banks – any of that old 'brick & mortar' stuff. Bob]

... Xuehui Zhao, a recent graduate of the Anyang Institute of Technology in Henan province, explains that a typical monthly package for five yuan ($0.73) includes 10 megabytes of data transfer—more than enough to allow her to spend a couple of hours each day surfing the web and instant-messaging with friends. It is also much cheaper than paying 200 yuan per month for a fixed-broadband connection. [Looks like China could own the market here, if they chose to compete. Bob]

Related: Training (addicting?) them young.

Mobile carriers see opportunity in 'tween' market

Posted by Marguerite Reardon September 10, 2008 5:43 PM PDT

SAN FRANCISCO--Nearly half of kids age 8 to 12 years old own cell phones in the U.S., in what could be the next big cell phone demographic for the mobile industry, according to a Nielsen report released here Wednesday at the CTIA Fall 2008 trade show.

Does this mean Friday's orgy has been cancelled?

September 10, 2008

Interior OIG Investigations of Minerals Management Service Employees

"This memorandum conveys the final results of three separate Office of Inspector General (OIG) investigations into allegations against more than a dozen current and former Minerals Management Service (MMS) employees. In the case of one former employee, Jimmy Mayberry, he has already pled guilty to a criminal charge. The cases against former employees, Greg Smith and Lucy Querques Dennet, were referred to the Public Integrity Section of the Department of Justice (DOJ). However, that office declined to prosecute. The remaining current employees await your discretion in imposing corrective administrative action. Others have escaped potential administrative action by departing from federal service, with the usual celebratory send-offs that allegedly highlighted the impeccable service these individuals had given to the Federal Government. Our reports belie this notion." Investigative Reports as follows:

Collectively, our recent work in MMS has taken well over two years, involved countless OIG human resources and an expenditure of nearly $5.3 million of OIG funds. Two hundred thirty-three witnesses and subjects were interviewed, many of them multiple times, and roughly 470,000 pages of documents and e-mails were obtained and reviewed as part of these investigations."

Related? Management is often clueless...

Verizon Tech Accused Of Making $220K In Sex Calls On User Lines

Posted by samzenpus on Thursday September 11, @02:31AM from the lots-of-lotion dept.

Joseph Vaccarelli, a former Verizon Technician, has been charged with racking up $220,000 in phone-sex calls by tapping into the land lines of nearly 950 customers. Authorities say that he made approximately 5,000 calls, resulting in 45,000 minutes of call time. Verizon estimated that out of a 40-week period, Vaccarelli spent 15 weeks talking on sex lines. How in the world do you have this much phone sex, period, but especially at work, and not have anyone notice?

The most significant use for the Internet since e-mail? to uncork wine sales

Posted by Steven Musil September 10, 2008 5:00 PM PDT customers will be able to buy wine through the e-tailer's Web site as early as this month, a spokesman for the Napa Valley Vintners Association said Wednesday.

Is this the future of textbooks? (Comments include a Texting version of the Origin of the Universe -- cute)

Virginia Begins Open-Source Physics Textbook

Posted by CmdrTaco on Wednesday September 10, @12:46PM from the wiki-physics-are-much-easier-than-textbook-physics dept. Education

eldavojohn writes

"The Commonwealth of Virginia has issued a request for contributions to an open source physics textbook (or 'flexbook' they termed it). They are partnering with CK-12 to make this educational textbook under the Creative Commons by Attribution Share-Alike license."

Wednesday, September 10, 2008


New record? (Apparently Maryland only had 21 victims)

Macro Intl reports unauthorized access to a database with info on "most people in the United States"

Wednesday, September 10 2008 @ 07:59 AM EDT Contributed by: PrivacyNews

Macro International Inc. provides research, technical support, and management consulting services for private and public sector clients. They recently notified the Maryland Attorney General's office that an individual or individuals used credentials (e.g., user/pass) assigned to Macro International employees to access a database that "contains information on most people in the United States. The database is compiled and maintained by one of our business partners, and is used by many companies nationwide."

Guy Garnett, Macro's Vice-President, reported that the company had detected an unusual pattern of search activity and that its investigation revealed that the unauthorized access occurred between December 2007 and March 2008.

According to his letter, there was no indication that any files had been downloaded, retained, or misused. And as of the time of his report, there was no indication that any suspects had been identified or arrests made.

It's not just HSBC.

HSBC warns of major security breach

Tuesday, September 09 2008 @ 10:20 AM EDT Contributed by: PrivacyNews

HSBC is warning its customers to change their personal identification numbers (PINs), used to withdraw cash at teller machines, after it experienced a significant security breach.

The company has sent text messages to all card holders in the UAE, advising them to make the change by the close of business tomorrow. “Together with other UAE-based banks, we have been experiencing an attack on our local accounts from counterfeit ATM card usage abroad,” said Jonathan Campbell-James, the head of security and fraud risk, at HSBC Middle East. “We have been pro-actively communicating to our customers via SMS [Dude, OMG! chg yr pwrd? Bob] to change their PIN numbers at any HSBC ATM as a precaution, and have implemented various containment strategies to minimize the threat posed.”

Source - The National

[The article:

... On Aug 26, the US Embassy warned citizens in the UAE about credit and debit card fraud that had affected an unusually large number of its employees.

Keeping your name firmly in the mud. Perhaps they've never read The Prince, which recommends getting all the bad news out at once. Perhaps by relying on their customers to notify individuals they have doomed themselves to months of articles like this one.

Credit Breach Threatens 742K Floridians' Identities (BNY Mellon update)

Tuesday, September 09 2008 @ 01:13 PM EDT Contributed by: PrivacyNews

Attorney General Bill McCollum issued a consumer alert Tuesday after The Bank of New York Mellon Shareholder Services reported loss of personal data on 12.5 million customers, 742,000 of which are Floridians.

Consumers who are or were clients of BNY Mellon were asked to closely review their accounts for unauthorized charges and monitor their bank and credit card statements.

Source - Local10

[From the article:

The data breach occurred on Feb. 27 when a vendor for BNY Mellon lost six backup tapes during transport to a storage facility.

Policy without some means of enforcement is unlikely to have any effect on behavior.

Police: Pitt laptop stolen with Social Security numbers

Tuesday, September 09 2008 @ 03:49 PM EDT Contributed by: PrivacyNews

University of Pittsburgh and city police are investigating the theft of a laptop computer with the Social Security numbers of alumni from the College of Business Administration.

... Hill said the employee stored the information for a survey of undergraduate business school alumni but did so in violation of university policy. Only offices such as the registrar that have a need for such information are allowed to store it, he said. [But their system security software didn't “know” that. Bob]

Source - Pittsburgh Tribune-Review
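The "policy without enforcement" point above is one a practitioner can actually check: a policy that only the registrar may store Social Security numbers is only as good as the ability to find SSN-like values in files that live elsewhere. The following is an added example, not code from the article or from the University of Pittsburgh; it scans text for nine-digit values formatted like SSNs, discards values the Social Security Administration never issues (area 000, 666 or 900 and above, group 00, serial 0000), and reports a finding only when the file sits outside an allowed location. The sample data and the `/data/registrar/` path prefix are constructed assumptions.

```python
"""Find SSN-like values in text and flag them when stored outside an allowed location.

Added example for enforcing a 'only the registrar may store SSNs' policy.
Not taken from the article or from any university system.
"""
import re
from typing import List, Tuple

# ddd-dd-dddd, ddd dd dddd, or nine contiguous digits, not embedded in a longer
# run of digits or hyphens (so an 11-digit order number is not matched).
SSN_RE = re.compile(r"(?<![\d-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\d-])")

# Assumed policy: only files under these prefixes may hold SSNs (constructed).
ALLOWED_PREFIXES = ("/data/registrar/",)


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject nine-digit values the SSA never assigns."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, masked_value) for each plausible SSN in text.

    Only the last four digits are kept so a scan report does not itself
    become a new store of full SSNs.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            area, group, serial = m.groups()
            if is_plausible_ssn(area, group, serial):
                hits.append((lineno, f"***-**-{serial}"))
    return hits


def violates_policy(path: str, text: str) -> List[Tuple[int, str]]:
    """Return the SSN hits in a file only if the file is outside an allowed prefix."""
    if path.startswith(ALLOWED_PREFIXES):
        return []
    return find_ssns(text)


# Constructed sample: a survey export that should never have contained SSNs.
SAMPLE = """\
name,ssn,phone
Alice Example,123-45-6789,555-0100
Bob Sample,000-12-3456,555-0101
Carol Test,987-65-4320,555-0102
Dan Demo,666-01-0001,555-0103
Order 12345678901 shipped
Eve Fake,234567891,555-0104
"""

if __name__ == "__main__":
    # Expected: lines 2 and 7 flagged; 000/987/666 area numbers and the order id are not.
    for lineno, masked in violates_policy("/home/surveys/alumni.csv", SAMPLE):
        print(f"line {lineno}: {masked}")
```

Nine contiguous digits will also match things like order or account numbers, so in practice a scanner like this is tuned with the context around the match (a nearby "SSN" column header, for instance) before it is allowed to generate tickets.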

Did their access terminate when the employees did?

Disgruntled COIL employee reportedly steals payroll data

Wednesday, September 10 2008 @ 06:46 AM EDT Contributed by: PrivacyNews

Communities Organized to Improve Life (COIL) discovered in July that some employee payroll information wound up on the internet after it had terminated an employee who had access to the payroll information in May.

According to its notification letter to the Maryland Attorney General's office, after terminating three employees in May, COIL discovered that some payroll files an employee had access to were missing from the administrative area and that remaining files were in disarray. A financial consultant was retained to review the situation, but it wasn't until mid-July that COIL discovered that payroll records were missing from their computer system and that payroll files containing the last four digits of employees' social security numbers were also missing. "Subsequently, some of the files missing were put on the Internet," according to COIL's legal counsel, Monte Fried, of Wright, Constable, & Skeen, LLP. Only their names appeared on the internet, however, and not the last four digits of their SSN.

The 47 employees whose data were missing and published on the Internet were notified promptly. That notification letter and any offer of services to them is not available on the web site, however.

Consequences: This was rather quick but I'm not sure if it was “scapegoating” or an excuse to terminate a contract they didn't like.

UK: Consulting firm sacked over data loss (PA Consulting follow-up)

Wednesday, September 10 2008 @ 08:21 AM EDT Contributed by: PrivacyNews

The government has sacked a consulting firm which lost the details of every prisoner in England and Wales in the latest Whitehall data security breach.

Home Secretary Jacqui Smith said it had ended the contract with London-based PA Consulting after an employee lost the data on an unencrypted computer memory stick.

"This was a clear breach of the robust terms of the contract covering security and data handling," Smith said in a statement to parliament. "We are reviewing our other contracts with PA, specifically from a data-handling and security perspective."

The missing memory stick contains the names and date of birth of every prison inmate. It also has the names, addresses and birthdate of 33,000 people with six or more convictions.

Source - Reuters

Great minds think alike? (Grate mines stink alike? Grape mimes...)

Why All the Data Breaches? Businesses Just Don’t Care

Tuesday, September 09 2008 @ 01:22 PM EDT Contributed by: PrivacyNews

U.S. businesses reached an ignominious milestone in August, when the number of data breaches disclosed publicly for the first eight months of 2008 already surpassed the total number of disclosed breaches for all of last year.

... All of these make tech security difficult—but not impossible. The real reason that data breaches are on the rise is that businesses don’t have a real incentive to invest more than the minimum required in security, [Make that “perceived minimum” and I'll agree entirely. Bob] says Bruce Schneier, chief security technology officer at BT Group.

“For the most part a company doesn’t lose its data, they lose your data,” Schneier tells the Business Technology Blog. Consequently, the entity responsible for the breach isn’t the party that is harmed by it. Victims are upset, but they are more likely to learn about the fraud that is committed in their name—not the breach where a criminal obtained the data. They are often powerless to punish the business that exposed the record because they can’t link the fraud to a cause, says Schneier.

Source - WSJ Business Technology Blog

[From the article:

At least 44 states have laws that require businesses to disclose data breaches. But a recent study by researchers at Carnegie Mellon University found no evidence that these laws actually reduce the incidents.

... Still, other studies suggest most security incidents never get reported at all. One reason is that the penalty for failing to disclose a breach under state laws is often minimal—just a maximum of $10,000 in the case of Arizona, for example. That is less than a business might spend figuring out which records were stolen in the breach.

Related: Will they care when we turn off their machines?

Threat to computers for industrial systems now serious

Security researcher publishes code that gives hackers a back door into utility companies, water plants, and oil refineries in order to raise awareness of the vulnerabilities

By Robert McMillan, IDG News Service September 10, 2008

Laws are written at the end of a pendulum's swing. Without an attempt to derive a “Golden Mean” the pendulum swings for years.

WI: AG: State Privacy Law Should Be Loosened

Tuesday, September 09 2008 @ 03:54 PM EDT Contributed by: PrivacyNews

Privacy laws need to be loosened to better protect school children and teachers, Attorney General J.B. Van Hollen told a group studying the issue Tuesday.

He outlined a number of changes to state law that he said would allow police and schools to share more information and increase public safety.

Source - MyFOX N.E. Wisconsin

Oh great! Now everyone can have the morals of Osama bin Laden...

Gandhi Pills? Psychiatrist Argues for Moral Performance Enhancers

By Alexis Madrigal, September 09, 2008 | 10:59:24 AM

A British psychiatrist raises and argues for that possibility in a new paper in a prominent psychiatry journal. In fact, he says that in many clinical settings, moral steroids are already being used.

For your Security Manager

HTTPS Cookie Hijacking Not Just For Gmail

Posted by timothy on Tuesday September 09, @12:24PM from the cookie-monster-demands-satisfaction dept.

mikepery writes with a followup to last month's mention of a security vulnerability affecting Gmail accounts, which it seems understated the problem. "I figure the Slashdot readership is the best place to reach a large number of slacking admins and developers, so I want to announce that it's been 30 days since my DEFCON presentation on HTTPS cookie hijacking, and as such, it's now time to release the tool to a much wider group. Despite what was initially reported, neither the attack nor the tool are gmail-specific, and many other websites are vulnerable. So, if you maintain any sort of reasonable looking website secured by any SSL certificate (Sorry Rupert, you lose on both counts), even if it is just self-signed, you can contact me and I will provide you with a copy of the tool. Be sure to put 'CookieMonster' in the subject, without a space."

(More below.)
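The practical question for a web admin reading the post above is whether their own site is exposed: a session cookie issued over HTTPS but without the Secure attribute is also sent by the browser on any plain-HTTP request to the same host, where anyone on the network path can read it. The following is an added example, not part of the Slashdot post and not the CookieMonster tool; it parses Set-Cookie headers and reports session-looking cookies that lack Secure (and, as a related hygiene check, HttpOnly). The sample headers and the name heuristics in `SESSION_HINTS` are constructed assumptions.

```python
"""Audit Set-Cookie headers for the attributes that keep session cookies off plain HTTP.

Added example; not from the Slashdot post or the CookieMonster tool.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, str] = field(default_factory=dict)  # attribute names lowercased

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value: name=value followed by ';'-separated attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


# Constructed heuristic: cookie names that usually carry a login session.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def looks_like_session(cookie: Cookie) -> bool:
    return any(hint in cookie.name.lower() for hint in SESSION_HINTS)


def audit(headers: List[str]) -> List[str]:
    """Return one finding per session cookie that a browser would leak over plain HTTP
    or expose to page script."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not looks_like_session(cookie):
            continue
        if not cookie.secure:
            findings.append(f"{cookie.name}: missing Secure (sent over plain HTTP)")
        if not cookie.httponly:
            findings.append(f"{cookie.name}: missing HttpOnly (readable by script)")
    return findings


def hardened_set_cookie(name: str, value: str) -> str:
    """The form a session cookie should take when the site is served over HTTPS."""
    return f"{name}={value}; Path=/; Secure; HttpOnly"


# Constructed sample headers, modelled on what an HTTPS site might emit.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly",        # hijackable: no Secure attribute
    "auth_token=xyz; Path=/; Secure; HttpOnly",  # hardened
    "prefs=dark; Path=/",                        # not a session cookie, ignored
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print(finding)
    print(hardened_set_cookie("SESSIONID", "abc123"))
```

Run it against the Set-Cookie lines from a real response (for example, captured with `curl -I`) to get the same report; the fix on the server side is simply to emit the hardened form for every cookie that identifies a logged-in user.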

Research: I tried this with a search for “TJX breach” -- very slick! - Sort The Archives

They’ve done it again. While some were disappointed with Google’s Browser, the folks who revolutionized the way we search the internet have made it easier for us to search through news. Over at, you’ll be able to search through news articles on any topic, from any point in time. For instance, you’ll be able to track your favorite musician’s career from humble beginnings to superstardom. As if this wasn’t enough, you’ll be able to automatically generate timelines that will allow you to easily visualize your search results. Remember when you used to go to the library to sort through old microfilm? This site takes that concept and blows it out of proportion. By harnessing the power of Google’s search algorithms, this site will let you find news on anything, from anywhere, and from anytime. Whether you’re doing research, or you just want to reminisce about old times, this new service from Google is what you’ve been looking for.


September 09, 2008

Max Planck Encyclopedia of Public International Law

"The new online edition of the Max Planck Encyclopedia of Public International Law went live in August 2008. The initial upload included over 450 articles including over 120 that relate to judicial decisions and dispute settlement, and a set of articles covering the history of international law since the Peace of Westphalia in 1648. Of particularly topical interest are the articles on the fragmentation of international law, the position of heads of state and heads of government, Genocide, and the Taliban. The next upload will take place in October 2008."

What are 3 billion “ad viewers” worth?

Google Invests In Broadband For Poorer Countries

Posted by Soulskill on Wednesday September 10, @08:12AM from the first-one's-free dept. Google Communications Networking The Internet News

Chris Wilson writes

"According to the Financial Times, Google has announced their support for a new initiative called O3B to 'bring internet access to 3bn people in Africa and other emerging markets by launching at least 16 satellites to bring its services to the unconnected' by 2010. Coverage is available from Yahoo and the Wall Street Journal as well. ' The $750m project to connect mobile masts in a swath of countries within 45 degrees of the equator to fast broadband networks ... could bring the cost of bandwidth in such markets down by 95 per cent. ' This will probably be the largest single investment in network infrastructure for developing countries in history. Google clearly wishes to use this project to enable broadband Internet access in developing regions, but many other things must be in place before that can happen, including fixed power infrastructure, PCs or OLPCs, technical support and skills, and useful content and services for areas with lower literacy."

Great! Now perhaps we can do the same thing for organizations?

Article: The Influence of Personality Traits and Information Privacy Concerns on Behavioral Intentions

Tuesday, September 09 2008 @ 10:21 AM EDT Contributed by: PrivacyNews

By Korzaan, Melinda L Boswell, Katherine T


This study incorporates the Big Five personality traits into a theoretical model that explains and predicts individuals concerns for information privacy, computer anxiety, and individual behavioral intentions. Data was gathered via a survey, which was completed by 230 undergraduate college students, and analysis was conducted utilizing structural equation modeling. Agreeableness was found to have a significant influence on individual concerns for information privacy while neuroticism was found to have a significant influence on computer anxiety. In addition, intellect exerted a significant influence on both computer anxiety and behavioral intentions. Key insights for theory and practice are presented.

Source - RedOrbit

All we need is a good legal mind with some serious business savvy, Professor Sprague.

Why Starting a Legal Online Music Vendor Is Tough

Posted by Soulskill on Wednesday September 10, @05:08AM

from the all-about-the-benjamins dept.

Music Editorial The Almighty Buck News

Hodejo1 writes

"Former CEO Michael Robertson offers commentary at The Register saying any attempts to build a sanctioned digital music site today is doomed from the outset. 'The internet companies I talk to don't mind giving some direct benefit to music companies. What torpedoes that possibility is the big financial requests from labels for "past infringement," plus a hefty fee for future usage. Any company agreeing to these demands is signing their own financial death sentence. The root cause is not the labels — chances are if you were running a label you would make the same demands, since the law permits it."

This could be useful. I plan to give it a try - Tomorrow's Presentations Today

Power Point is boring. If you’re looking for a way to spice up your presentations, has what you’ve been looking for. With the site, you’ll be able to incorporate the advantages of web design, photos, PowerPoint and your voice notes to create really amazing presentations that will leave everyone in awe. Maybe real estate agents can use this to show homes they’re looking to sell, or you can use it to teach your students about a particularly complex subject. There are no downloads required, and you won’t have to install anything to create these presentations. This makes the site very accessible to anyone with an internet connection and the need to create a presentation. If you are looking for inspiration, you’ll be able to find it through the many “Flowgrams” that are available for you to view. Overall, this should be a great tool for anyone who needs to quickly whip up a presentation for any purpose.

Good intentions rarely override logic (or the Streisand Effect)

YouTube Reposts Anti-Scientology Videos

Posted by timothy on Tuesday September 09, @11:38AM from the fun-and-easy-to-destroy-stuff dept. Censorship

Ian Lamont writes

"YouTube has reposted anti-Scientology videos and reinstated suspended YouTube accounts after receiving thousands of apparently bogus DMCA take-down notices. Four thousand notices were sent to YouTube last Thursday and Friday by American Rights Counsel, LLC. After YouTube users responded with counter-notices, many of the videos were reposted. It turns out that the American Rights Counsel had no copyright claim on the videos, and the group may not even exist, although the text of the DMCA notices have been linked to a Wikipedia editor. While filing a false DMCA notice is a criminal offense, prosecution in these cases rarely comes about."

Watch closely. Reports vary from “He's dead” to this one. He has no successor (strangely, they all died) so what happens when he finds that he isn't immortal?

NKorea's Kim suffered stroke, will recover: South Korea

23 hours ago

SEOUL (AFP) — North Korean leader Kim Jong-Il has suffered a stroke but will recover, South Korea's intelligence agency told parliament Wednesday, according to a lawmaker.

Legislator Won Hye-Young quoted an intelligence official as telling a closed session that Kim had suffered a cerebral haemorrhage which caused the stroke but is in "recoverable condition."