Saturday, December 06, 2008

Can they be this dumb? Apparently there was no actual security – not even a worthless password. Pure “Security by Obscurity.” Do they know that Google (and others) already have this data?

Email error exposes NACDS applicant database

Saturday, December 06 2008 @ 06:59 AM EST Contributed by: PrivacyNews

The National Association of Chain Drug Stores (NACDS) reports that its scholarship applicant database was made available to applicants due to the inclusion of the wrong link in an email [Instead of “www.your.file” they sent “www.entire.file” Bob] sent to applicants on October 7th. As a result of the error, the 160 applicants were able to access each other's application data, which includes name, Social Security number, and home and school addresses.

Phillip L. Schneider, President, notes that NACDS was notified of the problem on October 7th and disabled the link on October 8th.
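The breach above came down to one shared link that opened the whole applicant file. The usual fix, shown here as an added example (not NACDS code, and not from the article), is to mint a separate link per applicant that carries an HMAC over the applicant id and an expiry, and to have the server serve exactly one record per valid link, so there is no "entire file" URL to send by mistake. The key, the sample applicants and the base URL are all constructed for the example.

```python
import hmac
import hashlib
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed for this example: a server-side secret that is never sent to
# applicants. In production this would be a random 32-byte key kept in a vault.
SERVER_KEY = b"constructed-example-key-use-a-random-32-byte-secret"

# Constructed sample records standing in for the applicant database.
APPLICANTS = {
    "A1001": {"name": "Applicant One", "school": "Example University"},
    "A1002": {"name": "Applicant Two", "school": "Sample College"},
}


def _tag(applicant_id, expires, key):
    """HMAC-SHA256 over the id and expiry, so neither can be altered in the URL."""
    msg = f"{applicant_id}|{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_link(base_url, applicant_id, ttl_seconds, now=None, key=SERVER_KEY):
    """Build the link that goes into one applicant's email.

    Each link is bound to one applicant id and expires; a different applicant's
    link (or a hand-edited id) will not verify.
    """
    if applicant_id not in APPLICANTS:
        raise KeyError(applicant_id)
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({
        "id": applicant_id,
        "exp": expires,
        "sig": _tag(applicant_id, expires, key),
    })
    return f"{base_url}?{query}"


def fetch_record(url, now=None, key=SERVER_KEY):
    """Server-side handler: return the single record the link is bound to, or None.

    There is deliberately no code path that returns more than one record.
    """
    q = parse_qs(urlparse(url).query)
    try:
        applicant_id = q["id"][0]
        expires = int(q["exp"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError, IndexError):
        return None
    now = int(time.time()) if now is None else now
    if now >= expires:
        return None  # link has expired
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(sig, _tag(applicant_id, expires, key)):
        return None  # id or expiry was tampered with, or wrong key
    return APPLICANTS.get(applicant_id)


if __name__ == "__main__":
    link = make_link("https://example.invalid/application", "A1001", ttl_seconds=3600)
    print(link)
    print(fetch_record(link))
    # Swapping the id for another applicant's invalidates the signature.
    print(fetch_record(link.replace("id=A1001", "id=A1002")))
```

A signed link is still a bearer token: anyone who obtains the email can open that one record until it expires, which is why the expiry is short and why sites that hold Social Security numbers normally also require the applicant to log in before the record is shown.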

RIAA-like bluff tactics in the UK – did they break the law? The author of this article thinks so.

UK: Accused of Illegal File-Sharing? Complain to the Government

Friday, December 05 2008 @ 09:41 AM EST Contributed by: PrivacyNews

Lawyers in the UK are obtaining the personal details of over 25,000 alleged file-sharers for the purposes of sending them a £500+ bill accompanied by threats of being sued. Read why the government’s Information Commissioner has let down every single one of them and why each disclosure could be a serious breach of the Data Protection Act.

Source - TorrentFreak

[From the article:

However it was only when responses started to flood in - many in their hundreds to Lawdit Solicitors - did it become clear that while IP addresses could reveal a name and real-life address, it did not reveal the culprit. It proved very little. It certainly did not prove that any copyright infringement had taken place, far from it. Only by inspecting the hard drive of the customer’s computer could you do this. If there were any other evidence to sit alongside the IP address, for example a user name or password of the file sharing software you could sympathize with the rights holder.

... The silence is even more deafening in that on 29 January 2008, the ECJ held that Community law does not require member states to oblige ISPs to disclose details of suspected file-sharers to enable a copyright owner to bring civil proceedings.

Lots of small breaches (due to P2P) for just 30 days... Share this with your Security manager!

P2P breaches you don’t read about in the news...

A friend of mine recently updated me about what he’s been working on and what he’s found in the past 30 days on P2P networks. Rian Wroblewski is the Director of Open Source Cyberintelligence at RedTeam Protection and he’s a skilled information security researcher, especially when it comes to finding sensitive information on P2P networks.

Update. The BNP is apparently filled with nuts, so disclosing the list of members was similar to releasing mental health records – and the perpetrator was so nuts, she was kicked out of the party! (At least, that's how I read it.)

Two arrested in Notts over BNP membership leak

Friday, December 05 2008 @ 09:40 AM EST Contributed by: PrivacyNews

Police have arrested two people in Notts over the unauthorised release of the British National Party membership list.

The Post understands officers raided a house in the county last night.

Today a spokeswoman for Dyfed Powys Police said: "We can confirm that last night Nottinghamshire Police arrested two people as part of a joint investigation with Dyfed Powys Police and the Information Commissioner's Office in conjunction with alleged criminal offences under the Data Protection Act.

Source -

I've been sensing this from the articles I read, but it's good to have statistical confirmation.

Survey: The best privacy advisers in 2008

Friday, December 05 2008 @ 07:13 PM EST Contributed by: PrivacyNews

Which are the best firms at helping organizations navigate the complexities of managing customer and employee information? That's the question I posed last month to over 2,000 people responsible for data protection. This was the third year asking this question (see "The best privacy advisers in 2007" and "The best privacy consultancies"), so we're now able to see some trend lines. I was surprised at the results.

Source - Computerworld

[From the article:

The most remarkable finding was that 31% of companies said they're planning to increase their 2009 budgets for outside privacy advice,

... How can data protection officers survive the budget scalpels everyone else is facing? One possible answer makes sense: Boardroom executives perhaps no longer view data privacy and security as remote risks that can be put off for a better day. If these dollars are getting sheltered or even augmented, executives must now see privacy as a bottom-line objective with immediate impact on earnings.

Interesting article with implications for e-Discovery and Data Mining

Guide to finding the right search solution

Surveys show most companies have yet to find the right search tool for their business

By Paul Doscher, Network World December 05, 2008

... The amount of data that companies generate is staggering and shows no sign of slowing. IDC estimated that digital content and replicated data exceeded 281 exabytes in 2007 and expects it to grow 10 times before 2011.

Related. A tool for searching outside the organization... They profile four, but Clusty seems the most interesting.

Can you ditch Google for a metasearch engine?

Posted by Don Reisinger December 5, 2008 11:57 AM PST

... The biggest issue facing any metasearch engine is determining how it can compete with Google, Yahoo, and Microsoft without copying them. Clusty does it by "clustering" search results based on keywords contained in the query.

If you search for something simple like "CNET," you'll find a list of results like any other search engine. But to the left of those results, Clusty also displays keywords like "reviews," "networks," and "downloads" that you can click on to narrow results down to a specific topic and find exactly what you're looking for sooner.

At the intersection of Law and Technology, you have an opportunity to connect with (draw in) others interested in the issues being contested. Perhaps Harvard will be joined by hundreds of lawyers and techies, but they only need to connect with the one who provides the winning strategy!

RIAA Vs. Web 2.0? Social Media and Litigation

Posted by Soulskill on Friday December 05, @10:14PM from the onward-and-upward dept. The Courts The Internet

NewYorkCountryLawyer writes

"After learning that Professor Nesson's CyberLaw class at Harvard Law School has set up a Facebook page to assist in its defense of Joel Tenenbaum in an RIAA case, SONY BMG Music v. Tenenbaum, Wendy Davis of the Online Daily Examiner opines that 'Web 2.0,' and more particularly, the 'social media,' are playing an increasingly important role in RIAA litigation. We at Slashdot have already learned that principle, and have made good use of it, as have our friends at Groklaw."

Ja, dem Dutch boys is smart! And artistic too!

Amazon Fights Piracy Tool, Creators Call It a Parody

Posted by Soulskill on Saturday December 06, @12:13AM from the it-was-uh-uh-art-yeah-that's-the-ticket dept.

jamie points out an interesting story which started a few days ago, when a pair of students from the Netherlands released a Firefox add-on which integrated links to the Pirate Bay on Amazon product pages. Customers who had the add-on would see a large "Download 4 Free" button next to items which were also available on the Pirate Bay. The add-on quickly drew notice, and the creators were hit with a take-down notice and threats of litigation from Amazon. Now, the students have removed the add-on, and they are claiming an unusual defense: "'Pirates of the Amazon' was an artistic parody, part of our media research and education at the Media Design M.A. course at the Piet Zwart Institute of the Willem de Kooning Academy Hogeschool Rotterdam, the Netherlands. It was a practical experiment on interface design, information access and currently debated issues in media culture. We were surprised by the attentions and the strong reactions this project received. Ultimately, the value of the project lies in these reactions. It is a ready-made and social sculpture of contemporary internet user culture." [Obviously! Bob]

Sounds like this was not the best way to notify users. How would you do it?

Facebook security warning leaves users confused

Friday, December 05 2008 @ 04:02 PM EST Contributed by: PrivacyNews

Facebook today sent out a security warning to some of its users alerting them that their passwords have been changed due to alleged suspicious activities happening on their accounts.

The email appears to be a reaction from the social network due to the newest appearance of Koobface, a worm that preys on the paranoia of users and leverages seemingly trusted redirects to infect its victims.

In the email, Facebook tells its users that they need to reset their passwords but only after running their current antivirus protection to make sure they aren’t already infected. In the same breath, however, the Facebook Security Team tells its users never to click on suspicious links — even though its own email is suspect.

Source - ZDNet

[About Koobface:

The Koobface messages carry subject lines like "You look so funny on our new video" or something similar, and contain a link to a video site that appears to contain a movie clip. If the user tries to watch it, a message appears saying that he or she needs the latest version of Flash Player in order to play the clip. This tricks users into downloading a file carrying the malware.

Once I've made my website students suffer through my class, building their website from the code up, I give them tools like this.

- Build Your Own Website With Ease

A service that has just moved out of private beta, Viviti will enable anybody to come up with his or her dream website in a hassle-free manner. Generally speaking, the site offers more than 100 templates to choose from, and in the event none of these matches your vision one can be created from scratch.

The whole system is an intuitive and flexible one, as no programming knowledge is required – all you have to do is click, drag and drop things into place. No coding experience is necessary at all.

Registration to the site is also an effortless task, and once you have submitted your e-mail address and chosen a web address for your brand new site you are ready to go.

Friday, December 05, 2008

Update: They had accused an employee of taking the tape – no indication if they were right.

C-W Agencies breach update: stolen tape recovered

Thursday, December 04 2008 @ 02:07 PM EST Contributed by: PrivacyNews

Gloria Evans, CEO, C-W Agencies Inc. has written to us in response to our posting a recent story that appeared in the Vancouver Sun. Ms Evans writes:

We noted your interest in recent events at our company and wanted to provide the correct facts:

  • The tape stolen from our premises on Nov. 4 has been recovered.

  • The recovered tape is being examined by forensic experts who will determine whether the information has been accessed. [I'd love to know how they can do that! Bob]

  • Because of encryption, the requirements for specialized equipment, knowledge and facilities, it is our hope that the data has not been compromised.

  • We informed our customers of the theft immediately.

  • The criminal and civil matters that have arisen from this situation are before the courts and we cannot comment further.

We are determined to protect our data and are very confident we are taking all reasonable measures to ensure the security of our customers. Our ability to protect our customer data is at the core of our ability to sustain our company.

We appreciate the opportunity to 'set the record straight.'

Makes for an interesting target, in the Willie Sutton (“That's where the money is.”) kind of way...

Hackers Hijacked Large E-Bill Payment Site

Thursday, December 04 2008 @ 10:08 AM EST Contributed by: PrivacyNews

Hackers on Tuesday hijacked the Web site, one of the largest online bill payment companies, redirecting an unknown number of visitors to a Web address that tried to install malicious software on visitors' computers, the company said today.


It appears hackers were able to hijack the company's Web sites by stealing the user name and password needed to make account changes at the Web site of Network Solutions, CheckFree's domain registrar. Susan Wade, a spokeswoman for the Herndon, Va.-based registrar, said that at around 12:30 a.m. Dec. 2, someone logged in using the company's credentials and changed the address of CheckFree's authoritative domain name system (DNS) servers to point CheckFree site visitors to the Internet address in the Ukraine.


Among the 330 kinds of bills you can pay through CheckFree are military credit accounts, utility bills, insurance payments, mortgage and loan payments. Browsing through the first few letters of the company's alphabetized customer list reveals some big names, including Allegheny Power, Allstate Insurance, AT&T, Bank of America, and Chrysler Financial. See the full list of companies here.

[...] CheckFree declined to say how many of its customers and companies it handles payments for may have been affected by the attack. But this thread over at an Ubuntu Linux mailing list suggests that U.S. Bank may also have been affected by this attack. U.S. Bank did not return calls seeking comment.

Source - Security Fix
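Nothing on CheckFree's own servers changed in this attack; the delegation at the registrar did, so host-based monitoring would have seen nothing. A check that an operations team can run from outside, as an added example (not CheckFree's or Network Solutions' code, and not from the article), compares each observed set of authoritative name servers against the expected delegation and the organisation's known address prefixes, and raises a finding on any drift. The name-server names, prefixes and snapshots below are constructed; in a real deployment the observed dict would be filled from a periodic query of the parent zone, which this example does not perform.

```python
import ipaddress

# Baseline the organisation expects at its registrar (constructed names/prefixes).
EXPECTED_NS = {"ns1.example.invalid", "ns2.example.invalid"}
EXPECTED_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed snapshots from a periodic external check: (timestamp, {ns_name: ip}).
# The last one models a delegation change like the one reported above.
SNAPSHOTS = [
    ("2008-12-02T00:00:00", {"ns1.example.invalid": "192.0.2.10",
                             "ns2.example.invalid": "198.51.100.10"}),
    ("2008-12-02T00:30:00", {"ns1.example.invalid": "192.0.2.10",
                             "ns2.example.invalid": "198.51.100.10"}),
    ("2008-12-02T01:00:00", {"ns.attacker.invalid": "203.0.113.7"}),
]


def check_delegation(observed, expected_ns=EXPECTED_NS, expected_nets=EXPECTED_NETS):
    """Compare one observed NS set with the baseline; return a list of findings.

    Three things are checked: name servers that were added, expected name
    servers that disappeared, and any name server whose address lies outside
    the organisation's known prefixes (a hijack usually trips all three).
    """
    findings = []
    names = set(observed)
    added = names - expected_ns
    missing = expected_ns - names
    if added:
        findings.append(f"unexpected NS added: {sorted(added)}")
    if missing:
        findings.append(f"expected NS missing: {sorted(missing)}")
    for name, ip in observed.items():
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in expected_nets):
            findings.append(f"{name} resolves to {ip}, outside known prefixes")
    return findings


def scan(snapshots):
    """Run the check over a series of snapshots; return (timestamp, findings) for each alert."""
    alerts = []
    for ts, observed in snapshots:
        findings = check_delegation(observed)
        if findings:
            alerts.append((ts, findings))
    return alerts


if __name__ == "__main__":
    for ts, findings in scan(SNAPSHOTS):
        print(ts)
        for f in findings:
            print("  -", f)
```

The check only shortens the window between the change and someone noticing it; the controls that prevent the change are on the registrar account itself, such as a registrar lock on the domain, multi-factor authentication on the account, and alerting on every login and every record change at the registrar.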

Just more yada yada?

Better privacy for better security

Friday, December 05 2008 @ 05:44 AM EST Contributed by: PrivacyNews

The failure of the government in general and the Homeland Security Department (DHS) in particular to adequately ensure the privacy of personal data undermines the nation’s cybersecurity, a panel of privacy experts and advocates said Wednesday at a congressional forum.

Speakers cited problems in multiple programs for gathering and sharing data by DHS. “All of the initiatives at DHS have privacy issues,” said Carol DiBattiste, senior vice president for security at LexisNexis Group.

Source - GCN

[From the article:

The speakers did not blame DHS completely for the missteps they were concerned about. They said the problem was the reactionary nature of large security programs that are rushed into production with time for the department to get its arms around the issues being created. Security efforts need to be proactive rather than reactive, Cate said.

“The impetus to do something should not be stronger than the impetus to do something right,” he said. “A little thought might go a long way here.”

... “Most of our systems have been back-doored by nation states or organized crime,” he said.

1) There are probably more of us than traditional journalists 2) We don't have any supervision 3) We're everywhere

Online Reporters Now the Journalists Most Often Jailed

Posted by timothy on Friday December 05, @05:29AM from the three-hots-and-cot-and-a-beating dept. The Media Censorship

bckspc writes

"The Committee to Protect Journalists today released the results of its annual survey of journalists in prison. For the first time, they found more Internet journalists jailed worldwide than journalists working in any other medium. CPJ found that 45 percent of all media workers jailed worldwide are bloggers, Web-based reporters, or online editors. Their chart of journalists jailed by year is also interesting."

Perhaps this should be a standard class in every law school – or maybe it's too easy.

New Hampshire Law Students Take On RIAA

Posted by timothy on Thursday December 04, @01:54PM from the or-die-die-die dept. The Courts

NewYorkCountryLawyer writes

"We have recently learned that another law school legal aid clinic has joined the fight against the RIAA. Student attorneys from the Consumer and Commercial Law Clinic of the Franklin Pierce Law Center in Concord, New Hampshire, working under law school faculty supervision, are representing a lady targeted by the RIAA in UMG Recording v. Roy in New Hampshire. The case is scheduled for trial next Fall. That makes at least 4 law schools providing anti-RIAA defense services: University of Maine, University of San Francisco, Franklin Pierce, and, most recently, Harvard. Hopefully many more will follow. One commentator theorizes that this news 'will ... [encourage] professors and students at other law schools to take on hitherto defenseless people being pilloried by the corporate music industry.'"

Interesting debate. Is it too tough if it is an adoption of “Best Practices?”

Mass. 201 CMR 17: The Darkness and the Light

Thursday, December 04 2008 @ 11:08 AM EST Contributed by: PrivacyNews

Debate is under way in Massachusetts regarding a tough new data protection law designed to prevent security breaches and identity theft. Specifically, discussion is centered around whether the new law is too tough, just right or too little, too late.

.... CSOonline recently reached out to IT security practitioners in and out of the state to measure the mood. What follows is feedback from three such professionals:

Source - NetworkWorld

I hope they publish the raw data as well as their interpretation of the results. If not, expect the hacker community to do it for them!

Clarifying the Next Step in Australia's Net-Censorship Scheme

Posted by timothy on Friday December 05, @02:43AM from the ah-but-this-is-just-the-proof-of-concept dept. Censorship The Internet

teh moges writes

"I recently received a response from the Minister for Broadband, Communications and the Digital Economy, Senator Stephen Conroy, regarding issues I had with the ISP filtering proposed for Australia. My comment can be summed up by 'Any efficient filter won't be effective and any effective filter won't be efficient.' His response clarifies the issue of using the blacklist for censorship."

Read on for the gist of Conroy's mistakes-were-made response, which seems to sidestep teh moges' critique, but offers Australian Internet users some idea of what they're in for.

From Conroy's email in response: "...concerns have been raised that filtering a blacklist beyond 10,000 URLs may raise network performance issues... The pilot will therefore seek to also test network performance against a test list of 10,000 URLs ... As this test is only being performed to test the impact on network performance against a list of this size, and actual customers are not involved, the make-up of the list is not an issue."

teh moges continues: "My initial query about the lack of effectiveness of the filter still stands, however it is important that the censorship issue is clarified. It seems, at least for now, that the trial that will begin on December 24th for the '10,000' list is for testing purposes, rather than using a list that will be used later. Still, no information on a guarantee of regulation is provided, so there is still a long way to go before this ISP filtering gains support, especially given Senator Stephen Conroy's lack of ability to answer questions in media conferences."

“We're proud to announce the dis-improvement of our product?” Note: there are lots of free password crackers out there.

Adobe admits new PDF password protection is weaker

Changes to the algorithm used to password-protect PDF documents in Acrobat 9 make it much easier to recover a password and raise concern over the safety of documents

By Jeremy Kirk, IDG News Service December 05, 2008

Adobe made a critical change to the algorithm used to password-protect PDF documents in Acrobat 9, making it much easier to recover a password and raising concern over the safety of documents, according to Russian security firm Elcomsoft. [Is it possible Adobe didn't notice? Bob]

Elcomsoft specializes in making software that can recover the passwords for Adobe documents. The software is used by companies to open documents after employees have forgotten their passwords, and by law enforcement services in their investigations.

For those of us looking for a good RSS tool?

Google Reader Gets a Major Makeover; It Rocks

December 4, 2008 - 2:46 pm PDT - by Adam Ostrow

Google Reader has just launched a major redesign to its interface, addressing many of the top concerns of users of the popular RSS reader.

... Google Reader team has a full explanation of the changes available on their blog.

- Getting In Tune With The World

Do you enjoy radio on the web? If the answer to that question is an affirmative one, a visit to the site is the order of the day. Through the site, you will be able to create an account where you can keep all your favorite radios and access them from anywhere there is a web-enabled computer, as well as making personalized playlists reflecting your tastes.

... Registration to the site is the only requisite that has to be complied with in order to join in the action, and this is a free and uncomplicated process – you simply furnish some account particulars and provide some contact information.

For my website class – start selling online! (I WANT A CUT.)

- E-commerce Solutions

Are you in the process of launching your very own online store yet feel not everything is falling into place? If that happens to be the case, help can always be procured online. NetroCart is one of many companies that offer solutions aiming to equip prospective online store owners with the tools for coping with the demands of modern businesses.

... The site includes some very illustrative video tutorials that can be watched in order to have a better appreciation of the services on offer, and these are augmented by a “Demos” category that will enable you to see an e-commerce site in full swing.

All in all, the site bears an interesting number of features that are bound to appeal not just to those who are starting out but also to those who aim to have a better outreach and consolidate the web presence of their businesses.

This could be useful for classes like statistics or data mining

Amazon Launches Public Data Sets To Spur Research

Posted by kdawson on Friday December 05, @09:44AM from the put-it-there dept. Databases Science

turnkeylinux writes

"Amazon just launched its Public Data Sets service (home). The project encourages developers, researchers, universities, and businesses to upload large (non-confidential) data sets to Amazon — things like census data, genomes, etc. — and then let others integrate that data into their own AWS applications. AWS is hosting the public data sets at no charge for the community, and like all of AWS services, users pay only for the compute and storage they consume with their own applications. Data sets already available include various US Census databases, 3-D chemical structures provided by Indiana University, and an annotated form of the Human Genome from Ensembl."

Thursday, December 04, 2008

It was a series of poor management decisions, not an accident.

FL: State agency put Social Security numbers of 250,000 job seekers online

Wednesday, December 03 2008 @ 03:43 PM EST Contributed by: PrivacyNews

The state Agency for Workforce Innovation blamed a "security breach" Wednesday for why it accidentally placed the names and Social Security numbers of 250,000 job-seekers on a "test server" that could have been accessed online.

The names and information were online for 19 days and removed in late October after the state Department of Revenue came across it during "routine work," officials said. The only common denominator among the names placed online was that they all got services over the last six years from one of the 81 Florida "career centers" that provide job-training and resources around the state.

Source - Orlando Sentinel Related - Agency for Workforce Innovation FAQ

[From the article:

“We are thoroughly investigating this matter and are making every effort to enhance the security of our computer systems.”

... "Certainly there is no Web site that is 100 percent secure. But we take very seriously protecting the public's privacy," he said. [Yet they have a “test server” that is Internet accessible? Bob]

"We don't have any reason to believe the information was accessed for unlawful purposes." [and no evidence that it was not accessed for unlawful purposes. Bob]

Another clueless management?

MI: Stolen GISD laptop included fingerprints on 6,000 Genesee County teachers, school workers

Wednesday, December 03 2008 @ 07:02 PM EST Contributed by: PrivacyNews

A Dell laptop stolen from the intermediate school district had been used for background checks on about 6,000 school workers and included their fingerprints and some personal information.

But officials say the info is buried deep in the computer's hard drive [That's a new PR non sequitur to me. Bob] and doesn't contain anything that could be used to steal anyone's identity.

The laptop is one of three Genesee Intermediate School District laptops that were used to transmit fingerprints to the Michigan State Police for state-required background checks of teachers, bus drivers and other school workers.

It also holds separate files that include their names, addresses, birthdates and race.

The laptop did not have Social Security numbers and the data was stored in files that require a password to be opened, said Thomas Svitkovich, GISD superintendent.

... The GISD reported the laptop stolen Nov. 3 but believes it may have been stolen as early as Sept. 4 from the Erwin L. Davis Education Center on Maple Avenue in Mundy Township.

Source -

[From the article:

Why the three week delay? The district had to work with state police to match names with addresses for the stolen files, Svitkovich said. [Gibberish! Bob]

Are criminal cases moving into Federal courts while other litigation moves to state courts? What is driving this? (Easy wins for the Feds?)

OH: Feds take ID theft case; local counts tossed

Thursday, December 04 2008 @ 06:19 AM EST Contributed by: PrivacyNews

With federal prosecutors in Ohio filing more than a dozen charges against an Indianapolis woman, prosecutors in Allen County moved to dismiss their 66 charges against her.

In January, Kimberly K. Foulks [aka Kimberly Snyder], 39, was stopped by Fort Wayne police on Interstate 69 for a lane violation and arrested on outstanding warrants. Inside her car, they found Ohio identification cards with different names, gift cards and checkbooks under different names.

Further investigation led to storage units in Fort Wayne and Indianapolis with altered birth certificates, more identifications, and merchandise such as DVDs, electronics and jewelry, according to court documents.

Source - Journal Gazette

Related. This “small scale” Identity Theft must be more widespread than I thought.

GA: Suwanee auction uncovers ID theft

Thursday, December 04 2008 @ 06:16 AM EST Contributed by: PrivacyNews

A Barrow County couple may have unwittingly found evidence of a massive identity theft operation at a Suwanee auction Tuesday, police said.

The couple, who police did not identify, placed a winning bid of $10 for four boxes advertised as "household items" at a Suwanee storage business. Instead, the boxes revealed hundreds of stolen driver's licenses, fake credit cards and IDs, checkbooks, tax returns and other personal information, Suwanee police Sgt. Shane Edmisten said.

... The fake IDs are replicas of California licenses, while the real documents are mostly from Georgia, though it doesn't appear any belong to Gwinnett residents, Edmisten said.

Police worked Wednesday to track down the renter of Unit No. 1006 at a U-Store-It facility on Lawrenceville-Suwanee Road. No suspects have been named.

Source - Gwinnett Daily Post

“Ja, ve know many sings about you!”

The phone that feels the flu before you do

Wednesday, December 03, 2008 5:10:44 PM

... A maker of over-the-counter cold and flu remedies released a program this week for the T-Mobile G1, also known as the "Google phone," that warns the user how many people in an area are sneezing and shaking with winter viruses.

The "Zicam Cold & Flu Companion" will say, for instance, that 8 percent to 14 percent of the people in your ZIP code have respiratory illnesses, representing a "Moderate" risk level. To give germophobes and hypochondriacs even more of a thrill, it also says what symptoms are common, like coughing and sore throat.

Matrixx Initiatives Inc., the Arizona company that makes products under the Zicam brand, gets the information on disease levels from Surveillance Data Inc. -- which gets its data from polling health care providers and pharmacies.

Users can also ask the application about risk levels in other ZIP codes, so they can steer clear of, for instance, Atlanta, one of the five most infected cities in the nation right now, according to Zicam.

The "Companion" is available for free from the Android Marketplace, the repository of downloadable programs for the G1. Later this month, the program will be available for the iPhone, according to Matrixx.

Wait and see. We know what they said they didn't like, but that was from the perspective of the “loyal opposition.”

Experts spell out privacy platform for next Congress

Wednesday, December 03 2008 @ 06:32 PM EST Contributed by: PrivacyNews

The Homeland Security Department's first chief privacy officer recommended today that the new Congress consider strengthening the nation's 34-year-old Privacy Act and a 2002 statute on electronic government services to uphold privacy and civil liberties safeguards for national security.

Source - nextgov

Related. On the other hand...

UK: The Big Brother state – by stealth

Wednesday, December 03 2008 @ 06:34 PM EST Contributed by: PrivacyNews

Personal information detailing intimate aspects of the lives of every British citizen is to be handed over to government agencies under sweeping new powers. The measure, which will give ministers the right to allow all public bodies to exchange sensitive data with each other, is expected to be rushed through Parliament in a Bill to be published tomorrow.

The new legislation would deny MPs a full vote on such data-sharing. Instead, ministers could authorise the swapping of information between councils, the police, NHS trusts, the Inland Revenue, education authorities, the Driver and Vehicle Licensing Authority, the Department for Work and Pensions and other ministries.

Source - The Independent

[From the article:

Opponents of the move accused the Government of bringing in by stealth a data-sharing programme that exposed everyone to the dangers of a Big Brother state and one of the most intrusive personal databases in the world. The new law would remove the right to protection against misuse of information by thousands of unaccountable civil servants, they added.

... "The power will be exercised only in circumstances where the sharing of the information is in the public interest and proportionate to the impact on any person adversely affected by it." [Is it me, or is that an example of English as a foreign language? Are they saying, “We'll come down on you as hard as we need to?” Bob]

Related. If the Bobbies can't keep DNA data, perhaps they could store it in another database... After all: waste not, want not.

UK: DNA database innocents win landmark European court ruling

Thursday, December 04 2008 @ 05:58 AM EST Contributed by: PrivacyNews

The police in England, Wales and Northern Ireland face having to wipe the profiles of nearly one million innocent people from the DNA database after a landmark European ruling.

Source - Telegraph Related - BBC

Related. Of course, we'd never do anything like that in this country.

Local schools enlist MCLU in opposing student reporting to state

Thursday, December 04 2008 @ 06:06 AM EST Contributed by: PrivacyNews

Last June, the boards overseeing Camden-Rockport K-8 schools and Camden Hills Regional High School questioned why their administrators should release to the Maine Department of Education the names of students who have committed “incidents of prohibited behavior.”

The Five Town Community School District board also voted on June 20 to convince the DOE to abandon demanding such student names from all Maine school districts. Those names, board members agreed, should remain inside school walls, and less at risk from potential data breaches or policy changes.

This fall, the Maine School Administrative District 28 and Five Town CSD boards readdressed the issue, and after hearing again from the DOE that the reporting of the names remains mandatory, they contacted the Maine Civil Liberties Union for help.

Source - Village Soup

[From the article:

Until the last few years, the state did not ask for names, but with refinements in the DOE's data management system to further mesh with the U.S. Department of Education's National Center for Education Statistics, the submission of names became mandatory. The DOE justified the mandate, saying the name collection was purely for creating better aggregate level reporting. [Absurd on the face? We need more detail so we can summarize? Bob]

... After raising the issue, the boards ultimately agreed to comply with the reporting so as not to jeopardize state funding; but the two boards vowed to readdress the issue in the fall.

Related? You will love our operating system, or else?

Red Flag Linux Forced On Chinese Internet Cafes

Posted by timothy on Wednesday December 03, @04:12PM from the billions-and-billions-served dept. Government Linux

iamhigh writes

"Reports are popping up that Chinese Internet Cafes are being required to switch to Red Flag Linux. Red Flag is China's biggest Linux distro and recently received headlines for their Olympic Edition release. The regulations, effective Nov. 5th, are aimed at combating piracy and require only that cafes install either a legal version of Windows or Red Flag. However, Radio Free Asia says that cafes are being forced to install Red Flag even if they have legal versions of Windows. Obviously questions about spying and surveillance have arisen, with no comment from the Chinese Government."

In the spirit of “No good deed goes unpunished.” Thanks for the laugh, Gary!

Lawyers' Personal Info Swiped in Burglary of Nonprofit

Mike McKee The Recorder December 3, 2008

Identity theft was on the mind of many of California's appellate lawyers Monday as word spread about the mid-November theft of a disk containing attorneys' names, Social Security numbers and other personal information from a Sacramento-based nonprofit law firm.

In a letter that arrived in most law offices just before the Thanksgiving holiday, the Central California Appellate Program -- which supplies lawyers for indigent appeals in Sacramento's 3rd District Court of Appeal and Fresno's 5th -- advised current and former panel members that the disk was in a safe [Not just the disk or a data on a laptop – these guys took the whole safe! Bob] stolen from an off-site storage facility on Nov. 15 or 16.

It is an easy package to offer. Is the price low enough to make corporations switch?

IBM offers a 'Microsoft-free' desktop

Posted by Steven Musil

IBM wants corporate customers to cut the cord with Microsoft.

The tech pioneer is launching a Linux-based collection of virtual desktop applications that run on a server without the need for desktop hardware--or Microsoft software, according to a report Wednesday evening on The Wall Street Journal's Web site. The Linux-based software package, which is available now, runs on a back-office server and is accessible to customers on thin clients, the paper reported.

The Virtual Linux Desktop ranges in price from $59 to $289 per user, depending on level of software and service desired, according to the report. IBM estimates the software package could save corporate customers up to $800 per user when compared with the cost of maintaining Microsoft's Vista operating system, Office suite, and collaboration tools, the newspaper said.

Wednesday, December 03, 2008

Another small scale Identity Theft, with some indication of timing (time to sell the information?)

Ca: Breach affects bank cards

Tuesday, December 02 2008 @ 10:17 AM EST Contributed by: PrivacyNews

A debit-card security breach, including a compromised PIN pad at Bayfield Mall, has affected an untold number of customers in the Barrie area.

Jim Pottage was told his TD Canada Trust debit card had been cancelled for security reasons, but he was lucky that criminals weren't able to tap into his account and clean him out.

.... Although it's unknown where and when crooks got a hold of Pottage's bank information, Barrie police Sgt. Robert Allan said a PIN pad has been compromised at Bayfield Mall.

"At this point, it's one business we know of in the mall, but this could happen to anyone, anywhere," Allan said. "It's not necessarily one bank, but a PIN pad that was being used to collect information from any number of banks."

Investigators know which PIN pad was compromised, but the business's name isn't being released. [Do they have a duty to notify their customers or is it the PIN pad manufacturer's job? Bob] More information is expected to be released today.

Authorities say the local frauds date back several months, but the transactions are only being made now.

Source - sunnybananas Thanks to Rob Douglas of for sending us this link

Probably not devastating, but definitely a concern to Mom & Pop operations in hard times... (Golden Chick is a chain...)

TX: Bank links over 400 identity theft cases to Gainesville restaurant

Tuesday, December 02 2008 @ 06:00 PM EST Contributed by: PrivacyNews

Record breaking identity theft numbers have hit Texoma, and the city of Gainesville has seen a drastic increase, where bank officials say one restaurant, Golden Chick, has over 400 people left without debit cards.

... First State Bank in Gainesville received a number of phone calls from their customers about transactions they never made. It turned out they were victims of fraud.

Source -

[From the article:

It’s the rumor going around town.

"I heard that some guy used his debit card at Golden Chick and supposedly about $400 was taken out of his account," Maegan Puetz told us.

So instead of going to Golden Chick, Maegan and her friend, Ellanie, went somewhere else to eat...

Small, local, but may be “connected”

CO: Similar ID thefts in other cities (Longmont update)

Wednesday, December 03 2008 @ 06:31 AM EST Contributed by: PrivacyNews

Detectives are working with restaurant owners and managers whose customers might have been victimized as part of an identity theft ring that has led to 133 reports to police through Tuesday.

Longmont Police Cmdr. Tim Lewis said detectives have analyzed 90 of the 133 reports and that 85 percent of the victims used their credit cards at East Moon Bistro before unauthorized charges started to hit accounts.

Source -

[From the article:

Residents about two weeks ago began reporting that their credit card numbers were being stolen and used out of state.

... Theft reports started in November, but police believe the credit card numbers were taken between early August and late October.

The Greeley and Grand Junction police departments have received similar reports.

More questions than facts... (First time I've seen a newspaper present their article with additional tabs for related information. Expect to see more of this!)

PA: Payroll records stolen, firm says

Wednesday, December 03 2008 @ 05:36 AM EST Contributed by: PrivacyNews

Computer hard drives and backup tapes containing the payroll records of more than 20,000 people and businesses were stolen from a Manheim Township accounting firm, police said.

A Walz, Deihm, Geisenberger, Bucklen & Tennis official said Tuesday that the equipment — taken from an employee's vehicle in West Lampeter Township last month — contains the names, tax information, Social Security numbers and other information of its clients' employees and workers at the firm.

Michael W. Lambert, a spokesman for Walz, Deihm, Geisenberger, Bucklen & Tennis, said the data-storage units were stolen while they were being "taken off-site as part of the firm's disaster recovery plan." [The backup site is the employee's home? Bob]

The stolen information includes bank account numbers of people with direct deposit, but the company doesn't believe the thief or thieves were searching for the hard drives and tapes.

... The theft occurred Nov. 5, police said. West Lampeter Township police Chief James Walsh said the firm didn't report it until Nov. 10.

Source -

[From the article:

Lambert said the "bulk" of the missing data is password-protected and used in "fairly unusual" applications that are specific to the accounting industry.

"They're not the sort of thing that would be accessible through most home computer software," Lambert said. [Bull! Bob]

He said the company has been closely monitoring its employees' accounts and "nothing has come up; it does not look like the information was accessed." [See the timing in the first article. Bob]

The theft occurred Nov. 5, police said. West Lampeter Township police Chief James Walsh said the firm didn't report it until Nov. 10.

New laws on Privacy – how much is too much?

OH: GOP would restrict, punish data snooping

Wednesday, December 03 2008 @ 05:21 AM EST Contributed by: PrivacyNews

Citizens could sue and nonunion employees would be fired ['cause unions are not 'second class citizens?' Bob] if government computer databases are mined without just cause for confidential information under a pair of identical bills unveiled yesterday.

... The bills would require governments to establish policies for when confidential personal information under their care may be accessed and would require those conducting such a search to state the reason for the search.

Government agencies would be required to track who conducts such searches and would require notification to any private citizen whose data is improperly accessed.

Any person who can prove he was harmed by an intentional intrusion could sue both the state and the individual offender to recover damages and attorney fees, an unusual example of the state voluntarily opening itself up to lawsuits.

Source - Toledo Blade

You will never even know that you are being surveilled. Isn't that wonderful!

Replacing Metal Detectors With Brain Scans

Posted by kdawson on Tuesday December 02, @02:51PM from the what-is-it-you-intend dept. Privacy Technology

Zordak writes

"CNN has up a story about several Israeli firms that want to replace metal detectors at airports with biometric readings. For example, with funding from TSA and DHS, 'WeCU ([creepily] pronounced "We See You") Technologies, employs a combination of infra-red technology, remote sensors and imagers, and flashing of subliminal images, such as a photo of Osama bin Laden. Developers say the combination of these technologies can detect a person's reaction to certain stimuli by reading body temperature, heart rate and respiration — signals a terrorist unwittingly emits before he plans to commit an attack.' Sensors may be embedded in the carpet, seats, and check-in screens. The stated goal is to read a passenger's 'intention' in a manner that is 'more fair, more effective and less expensive' than traditional profiling. But not to worry! WeCU's CEO says, 'We don't want you to feel [or know Bob] that you are being interrogated.' And you may get through security in 20 to 30 seconds."

Just because it makes the job easier?

EPIC Calls For Disclosure of Federal Domestic Surveillance Guidelines

Tuesday, December 02 2008 @ 07:10 AM EST Contributed by: PrivacyNews

Today, EPIC filed a Freedom of Information Act request to force disclosure of new guidelines governing domestic surveillance. The Attorney General's Guidelines for Domestic FBI Operations became effective today, despite warnings from Congressional leaders that "these guidelines would permit FBI surveillance of innocent Americans with no suspicion and on the basis of their race, religion or national origin." Administration officials failed to make public the final, complete policies, which govern the conduct of field operatives while performing domestic investigations. "The guidelines grant the FBI broad authority to conduct domestic surveillance of many individuals suspected of no crime. Therefore it is necessary that the legal authority is made available to the public," EPIC said. For more information, see EPIC Attorney General's Guidelines.

Source -


Obama's attorney general pick: Good on privacy?

Tuesday, December 02 2008 @ 07:14 AM EST Contributed by: PrivacyNews

Eric Holder, President-elect Barack Obama's pick for attorney general, drew applause from liberal Democrats earlier this year when he denounced the Bush administration's warrantless wiretapping program.

A review of Holder's public statements, speeches, and testimony when he was a top Justice Department official in the Clinton administration, however, reveals a more nuanced record on privacy. His remarks indicate support for laws mandating Internet traceability, limits on domestic use of encryption, and more restrictions on free speech online. He also called for new powers for federal prosecutors, some of which became law under President Bush as part of the USA Patriot Act.

Source - Cnet

The flip side of Privacy? (Interesting case.)

Identifying Individuals in Internet Iniquity: ECHR rules on naming wrongdoers

Tuesday, December 02 2008 @ 10:12 AM EST Contributed by: PrivacyNews

The European Court of Human Rights gave an important decision today in KU v. Finland, dealing with the issue of whether states are obliged to have laws which allow for the identification of internet wrongdoers. In short, according to the court the answer is yes - national laws must "provide the framework for reconciling the various claims which compete for protection in this context" and a national law which gives an absolute guarantee of anonymity and confidentiality of communication may breach the rights of persons who are affected by online wrongdoing.

Source - IT Law in Ireland

Cloud Security

20 Rules for Amazon Cloud Security — Is the Amazon Cloud secure? Anyone not asking that question is not doing their due diligence. But how do you separate the real issues you need to worry about from the fear that pundits are using to grab eyeballs for their articles and blogs? The short answer is: Yes! The Amazon Cloud is secure and you can securely deploy web applications....

Often interesting and useful.

New reports from the Privacy Commissioner of Canada

Tuesday, December 02 2008 @ 07:07 AM EST Contributed by: PrivacyNews

The Privacy Commissioner tabled her 2007-2008 Access to Information and Privacy Annual Reports to Parliament:

2007-2008 Annual Report to Parliament on the Access to Information Act (PDF version)
2007-2008 Annual Report to Parliament on the Privacy Act (PDF version)

“Youse gotta problem getin dat “A” from youse teacher? Call Guido – I'll make him an offer he can't refuse.”

Teacher Sells Ads On Tests

Posted by samzenpus on Tuesday December 02, @01:37PM from the pay-the-bills dept.

Tom Farber, a calculus teacher at Rancho Bernardo high school in San Diego, has come up with a unique way of covering district cuts to his supplies budget. He sells ads on his tests. "Tough times call for tough actions," Tom says. The price of an ad on a Mr. Farber Calc test is as follows: $10 for a quiz, $20 for a chapter test, and $30 for a semester final. Most of the ads are messages from parents but about a third of them come from local businesses. Principal Paul Robinson says reaction has been "mixed," but adds, "It's not like, 'This test is brought to you by McDonald's or Nike.'" I see his point. Being a local business whore is much better than being a multinational conglomerate whore.

Tuesday, December 02, 2008

Is this even a breach?

Army waited to tell of possible security breach

Monday, December 01 2008 @ 06:16 PM EST Contributed by: PrivacyNews

U.S. Army medical officials in southeast Germany waited nearly two months before notifying more than 6,000 beneficiaries of a possible security breach regarding their personal information stored on a lost laptop computer.

Authorities know the names, Social Security numbers and health information of at least 26 individuals were stored on the laptop, according to a news release sent Monday from the U.S. Army Medical Department Activity, Bavaria.

However, officials said similar information on approximately 6,000 other patients also may have been on the missing computer, though they don’t know for sure.

According to the release, the laptop went missing on Oct. 4.

Source - Stars and Stripes

[From the article:

Officials believe whoever took possession of the laptop "could not access" the data on it "because of the encryption software program," Spring said.

The user must have connection to a U.S. government network, a secure Common Access Card, and a password to access the computer, the release said.

Is small volume Identity Theft on the rise?

FL: Computer Stolen From State Revenue Office

Monday, December 01 2008 @ 07:42 AM EST Contributed by: PrivacyNews

A computer possibly containing sensitive personal information was the only item stolen in a break-in at a state Department of Revenue office in Maitland, police said.

Source -

[From the article:

Police said the incident is part of a growing trend in the area.

"Between our area and south Seminole County, we've had some other break-ins to businesses that have been smash-and-grabs -- they throw something through the window and grab whatever they can and leave as quickly as possible," Maitland police Lt. Jeff Harris said.

An interesting way to screw up evidence?

FL: Cindy Anthony Says Someone Hacked Her Email Account

Monday, December 01 2008 @ 03:39 PM EST Contributed by: PrivacyNews

Cindy Anthony says someone hacked into her email and sent out messages and documents containing sensitive information about the case. WFTV reporter Kathi Belich received four of the emails herself, but when she realized something didn't seem right about them she forwarded the emails to the FBI.

Now, the FBI is investigating.

The Anthonys have used their home computer to email their spokesman, their private investigators and others about the case, but they say someone accessed their account when they weren't even home during the holiday weekend.

Source -

For your Security Manager? Where does liability begin?

CBS Web site bitten by iFrame hack

Russian malware distributors launch an iFrame attack on a subdomain of so it served remote malware to visitors

By John E. Dunn, Techworld December 01, 2008

... It appears that Russian malware distributors were able to launch another iFrame attack on a subdomain of the site so that it was serving remote malware to any visitors.
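The pattern described above (an injected, concealed frame on a legitimate site that loads content from a third-party host) is something a site owner can check for in their own served pages. The script below is an added example written for this post; it is not code from the Techworld article or from CBS. It flags iframes that are both visually hidden and point outside the page's own site. The sample HTML and host names are constructed, and the "same site" test uses the last two DNS labels as a simplification (no public-suffix handling).

```python
"""Scan an HTML page for hidden, third-party <iframe> elements.

Added example (not from the article). Flags frames that are concealed
(zero-size or hidden via CSS) AND load from a host outside the page's own
site: the combination typical of an injected malware loader. Sample HTML
and host names below are constructed for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS fragments that mean "this frame is not meant to be seen"
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)


def _tiny(value):
    """True for width/height attributes of 0 or 1 (e.g. "0", "1px")."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def _site(host):
    """Simplified registrable domain: last two labels (assumption, no PSL)."""
    return ".".join(host.lower().split(".")[-2:])


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # html.parser already lowercases tag names
            self.frames.append(dict(attrs))


def find_suspicious_iframes(html, page_url):
    """Return [(src, reasons)] for frames that are both concealed and external."""
    page_site = _site(urlparse(page_url).hostname or "")
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.frames:
        src = attrs.get("src") or ""
        reasons = []
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden-by-css")
        concealed = bool(reasons)
        host = urlparse(src).hostname
        external = bool(host) and _site(host) != page_site
        if external:
            reasons.append("third-party:" + host)
        if concealed and external:
            findings.append((src, reasons))
    return findings


# Constructed sample: a legitimate embedded player, an injected hidden loader,
# and an ordinary visible third-party ad frame (which should NOT be flagged).
SAMPLE_HTML = """
<html><body>
<h1>News</h1>
<iframe src="https://video.example.com/player?id=42" width="640" height="360"></iframe>
<iframe src="http://malware-host.example.net/load.php" width="0" height="0"
        style="display:none"></iframe>
<iframe src="http://other.example.org/ad" width="300" height="250"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, why in find_suspicious_iframes(SAMPLE_HTML, "https://www.example.com/story"):
        print(src, why)
```

Run it against the HTML your servers actually return (not the source in your repository), since the injection in this kind of incident lives in what is served; a diff against a known-good copy of each page catches the cases the heuristics miss.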

It's just a thought, but a law like this could have saved tons of paper (political ads) going to the landfill.

Ca: Privacy breach alleged over Tories' mailing

Monday, December 01 2008 @ 05:03 PM EST Contributed by: PrivacyNews

Letters sent from Conservative MPs to Prairie farmers urging them to vote for specific candidates in the Canadian Wheat Board's director elections may be a privacy breach, the National Farmers Union claimed Monday.

... "It seems certain that Canadian members of Parliament have unlawfully used confidential information about Canadian citizens to conduct an inappropriate mail-out campaign," NFU president Stewart Wells wrote in the letter to Stoddart.

Source - Manitoba Co-operator

Executive decree is the second best tool in the bag...

French "Three Strikes" Law Gets New Life

Posted by kdawson on Monday December 01, @07:54PM from the batter-batter-batter dept. The Internet Government

Kjella writes

"A little over a week ago we discussed the EU's forbidding of disconnecting users from the Internet. But even after having passed with an 88% approval in the European Parliament, and passing through the European Commission, it was all undone last week. The European Council, led by French President Nicolas Sarkozy, removed the amendment before passing the Telecom package. This means that there's now nothing stopping France's controversial 'three strikes' law from going into effect. What hope is there for a 'parliament' where near-unanimous agreement can be completely undone so easily?"

Presidential Pardons are better...

Bush Demands Amnesty for Spying Telecoms

Posted by kdawson on Monday December 01, @09:14PM from the courtroom-battles-not-ended dept.

The Bush administration and the Electronic Frontier Foundation are poised to square off in front of a San Francisco federal judge Tuesday to litigate the constitutionality of legislation immunizing the nation's telecoms from lawsuits accusing them of helping the government spy on Americans without warrants.

"'The legislation is an attempt to give the president the authority to terminate claims that the president has violated the people's Fourth Amendment rights,' the EFF's [Cindy] Cohn says. 'You can't do that.'"

Movie of the week: The little company that would not die!

Groklaw's PJ Says SCO's Demise Greatly Exaggerated

Posted by ScuttleMonkey on Monday December 01, @02:48PM from the still-looking-for-a-fat-lady dept. The Courts Businesses

blackbearnh writes

"Last week, the net was all abuzz with speculation that SCO was finally gone and done for. With the final judgment in SCO v. Novell in, and SCO millions of dollars in the hole to Novell, it seemed like the fat lady had finally sung. But like most things in the legal system, it isn't nearly that simple. O'Reilly Media sought out Groklaw's Pamela Jones, and got a rundown of what's still alive, and why a final end to the madness may be many years away. 'Summing up, it looks bleak for SCO at the moment, but let's enter the alternate realm of SCO's best-case scenario in its dreams: in that realm, SCO wins on appeal, which one of SCO's lawyers indicated might take a year and a half or five years, and the case is sent back to Utah for trial by jury, which is what SCO wanted (as opposed to trial by judge, which is what it got), then everything listed above (except for the IPO class action) comes alive again, presumably, depending on what the appellate court decides. Then SCO is in position once again to go after Linux end users, as well as IBM, et al.'"

For the SQL students?

MySQL in a Nutshell

Posted by samzenpus on Monday December 01, @02:01PM from the read-all-about-it dept. thumbnail

stoolpigeon writes

"MySQL is frequently touted as the world's most widely used relational database management system. Many of the best known web applications and web sites use MySQL as their data repository. The popularity of MySQL has continued to grow while at the same time many were concerned by the lack of many features considered essential to a 'real' rdbms. Such naysayers have done little to impede the growth or development of MySQL. The first edition of MySQL in a Nutshell, published in 2005, gave users a handy reference to using MySQL. The second edition, published in 2008, covers many new features that MySQL fans proudly proclaim as an answer to all those critics clamoring for a better-rounded rdbms."

For my wino oenophile friends.

Video: A toast to online wine

With old-fashioned liquor laws and complicated shipping procedures, selling or buying wine online has never been easy. But as CNET's Kara Tsuboi explains, it no longer has to be so hard.