Saturday, December 20, 2008

“We don't need no stinking security!” Version 473B

UNCSA tells its students to monitor credit

Friday, December 19 2008 @ 11:17 PM EST Contributed by: PrivacyNews

Officials at the UNC School of the Arts say they are notifying current and former students that their names and Social Security numbers "may have been accidentally exposed" in a security breach involving a university computer server.

The server in question went online in July 2003. The security breach occurred in May of 2006 and affected about 2,700 students who were enrolled between 2003 and 2006.

Source - Winston-Salem Journal

[From the article:

"We have no reason to believe that the personal information was stolen, used inappropriately or even accessed," Lisa Smith, the chief information officer at UNCSA, said in a statement. [Translation: “We don't log activity on the server, so we have no idea what the hacker did.” Bob]

School officials say they became aware of the breach last week. [Reviewing 2½-year-old files? Bob] They say they are still trying to determine its cause.

Another exercise in PR?

Hacker strikes LCCC system

Saturday, December 20 2008 @ 12:55 AM EST Contributed by: PrivacyNews

A sophisticated [Translation: “He got by our security, he must be smarter than we are.” Bob] computer hacker was able to breach the security system of two Lorain County Community College servers in an attack during the Thanksgiving holiday break.

It is believed that the hacker was not attempting to steal [See below Bob] information or identities, but rather to pirate available server space, said Marcia Ballinger, vice president of strategic and institutional development. The attack did not disrupt the college’s operations.

Still, the breach is being investigated by forensic experts and the FBI.

One of the servers contained the records of approximately 22,000 students, community users, and employees and their Social Security numbers. That server hosted the college’s library card system.

Source - The Chronicle-Telegram

[From the article:

When the breach occurred, LCCC’s system detected the downloading of application files [Translation: “We logged what was being stolen.” Bob] and a virus alert was initiated. [Not sure from the information in the article why a virus alert would be triggered. Bob] The College’s Information Systems and Services staff immediately shut down the servers and blocked access, Ballinger said. [“By immediately, we mean sometime the following week. If it was truly immediately, nothing would have been downloaded.” Bob]

... LCCC has not experienced any hacking or cyber attack incidents in the past. [Translation: “We haven't detected any...” Bob]

Local update – still no facts!

Longmont Credit Fraud Part of Larger Scheme (update)

Saturday, December 20 2008 @ 01:01 AM EST Contributed by: PrivacyNews

Longmont Police believe they are closer to solving a credit card-identity theft scam that had targeted at least 150 people in Longmont, many of them customers of one Asian restaurant.

Longmont Det. Sgt. Jeffrey Satur said Friday that the identity theft was connected to a far more extensive fraud operation with tentacles in several western states.

... The Longmont investigation had focused on the East Moon Asian Bistro, located in the 2100 block of North Main Street. No arrests have been made, and Satur said management has cooperated in the probe. It is believed that whatever employee or employees might have been involved were doing so unbeknownst to restaurant management - but in coordination with suspects out of state.

Source - MyFOX Colorado

[From the article:

"There seems to be a lot of organization between how the cards were collected, how they were cloned and then who is using them at other locations," said Satur. "And we know it's not just one person, so there appears to be an organized effort to pull off this scam." [“That's amazing, Mr. Holmes!” Bob]

Security ain't easy!

American Express bitten by XSS bugs (again)

Saturday, December 20 2008 @ 07:21 AM EST Contributed by: PrivacyNews

The website for American Express has once again been bitten by security bugs that could expose its considerable base of customers to attacks that steal their login credentials.

The notice comes days after The Register reported Amex unnecessarily put its users at risk by failing to fix a glaring vulnerability more than two weeks after a security researcher first alerted company employees to the problem.

Source - The Register

As cell phones (slash PDA slash GPS slash Browsers) become more sophisticated, won't this become more likely for individuals, not just corporations?

Hacked Business Owner Stuck With $52k Phone Bill

Posted by ScuttleMonkey on Friday December 19, @02:19PM from the build-a-better-mousetrap dept. Communications Security

ubercam writes

"A Canadian business man is on the hook for a $52,000 phone bill after someone hacked into his voice mail system and found a way to dial out. The hacker racked up the charges with calls to Bulgaria. The business owner noticed an odd message coming up on his call display (Feature 36), and alerted his provider, Manitoba Telecom Services. They referred him to their fraud department, who discovered the breach. MTS said that they would reverse the charges if the hacked equipment was theirs, but in this case it was customer owned. The ironic part is that the victim's company, HUB Computer Solutions, is in the business of computer and network security. They even offer to sell, configure and secure Cisco VoIP systems. Looks as though even they couldn't manage to secure their own system, which doesn't bode well for their customers."

This certainly isn't the first time someone has exploited the phone system and stuck another with the bill. Maybe it's time for the phone company to get their fraud detection and prevention services at least on par with what the credit card companies have done.
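What the fraud detection Bob asks for would look like at the PBX end, as an added example that is not code from MTS, HUB or the article: a tripwire run over call detail records that flags international out-dials placed through the voicemail port, after hours, or in bursts. The CDR lines are constructed for the demo; the source labels (ext201, vmail-out), the business hours, the allowed prefixes and the velocity threshold are assumptions, and the Bulgarian numbers are fictitious apart from the +359 country code.

```python
"""Toll-fraud tripwire for a small PBX, run over call detail records.

Added example; not anything the carrier or the business in the story ran.
The CDR lines are constructed and the dialed numbers are fictitious."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CDRs: local timestamp, originating port, dialed number, seconds.
# The five "vmail-out" rows are the pattern from the story: the voicemail
# system's out-dial feature used at 2 a.m. to reach Bulgaria (+359).
CDRS = """\
2008-12-13 16:40:02,ext201,+12045550147,312
2008-12-13 17:05:19,ext203,+12045550199,95
2008-12-14 02:11:40,vmail-out,+359525550101,1810
2008-12-14 02:14:03,vmail-out,+359525550102,1795
2008-12-14 02:16:55,vmail-out,+359525550103,1780
2008-12-14 02:19:21,vmail-out,+359525550104,1802
2008-12-14 02:22:10,vmail-out,+359525550105,1790
2008-12-14 09:30:00,ext201,+12045550147,140
"""

# Policy knobs (assumed for the demo; a real PBX would read them from config).
BUSINESS_HOURS = range(8, 19)        # 08:00 to 18:59 local
ALLOWED_PREFIXES = ("+1",)           # destinations this shop normally dials
WINDOW = timedelta(minutes=15)       # velocity window for international calls
MAX_INTL_PER_WINDOW = 2              # more than this from one port trips it


def parse_cdrs(text):
    """Turn the comma-separated CDR lines into dicts with a real datetime."""
    out = []
    for line in text.splitlines():
        ts, src, dialed, secs = line.split(",")
        out.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                    "src": src, "dialed": dialed, "secs": int(secs)})
    return out


def is_international(number):
    return not number.startswith(ALLOWED_PREFIXES)


def check_cdrs(cdrs):
    """Return [(record, [reasons])] for every call that trips a rule.

    Rules: international via the voicemail port, international outside
    business hours, or more than MAX_INTL_PER_WINDOW international calls
    from one port inside WINDOW (a sliding window per port)."""
    alerts = []
    recent = defaultdict(list)   # port -> timestamps of recent intl calls
    for rec in sorted(cdrs, key=lambda r: r["ts"]):
        if not is_international(rec["dialed"]):
            continue             # domestic calls never trip this tripwire
        reasons = []
        if rec["src"].startswith("vmail"):
            reasons.append("international call placed through voicemail out-dial")
        if rec["ts"].hour not in BUSINESS_HOURS:
            reasons.append("international call outside business hours")
        window = recent[rec["src"]]
        window[:] = [t for t in window if rec["ts"] - t <= WINDOW]
        window.append(rec["ts"])
        if len(window) > MAX_INTL_PER_WINDOW:
            reasons.append(f"{len(window)} international calls from "
                           f"{rec['src']} within {WINDOW}")
        if reasons:
            alerts.append((rec, reasons))
    return alerts


def blocked_minutes(alerts):
    """Talk time the tripwire would have cut off had it blocked on each hit."""
    return sum(rec["secs"] for rec, _ in alerts) // 60


if __name__ == "__main__":
    hits = check_cdrs(parse_cdrs(CDRS))
    for rec, reasons in hits:
        print(rec["ts"], rec["src"], rec["dialed"], "; ".join(reasons))
    print(f"talk time that would have been cut: {blocked_minutes(hits)} min")
```

Run stand-alone it lists the five voicemail out-dials; the first two trip on port and time of day, the rest also trip the velocity rule. The rules are deliberately quiet for a shop that only dials North America (a late-night domestic call is ignored), which is the trade-off a carrier's credit-card-style scoring would tune per customer; the knobs at the top are the place to do that.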

Here's an interesting area for a Security research paper. Start with what we tell individuals to do and then scale it up and start analyzing the conflicting goals... Would an online retailer (eBay, Amazon) be as willing to cut their Internet connection as the local bakery?

After six years, Homeland Security still without 'cybercrisis' plan

Posted by Declan McCullagh December 19, 2008 10:39 AM PST

When the U.S. Department of Homeland Security was created, it was supposed to find a way to respond to serious "cybercrises." "The department will gather and focus all our efforts to face the challenge of cyberterrorism," President Bush said when signing the legislation in November 2002.

More than six years later, and after spending more than $400 million on cybersecurity, DHS still has not accomplished that stated goal. "We need to have a plan tailored for a cybercrisis," DHS Secretary Michael Chertoff said on Thursday.

More on the “new RIAA.” (Based on the details they provide, how could an ISP ensure the file was infringing?)

Copy of RIAA's new enforcement notice to ISPs

Friday, December 19 2008 @ 10:56 AM EST Contributed by: PrivacyNews

The recording industry dropped some big news Friday, announcing that it will no longer take a broad approach to litigating against alleged file sharers. The Recording Industry Association of America has enlisted the help of internet service providers to act as a sentry and help discourage customers from pirating music.

Below is a copy of the form letter the RIAA will send to ISPs to inform them one of their customers is accused of file sharing. The notification is similar to those the group has sent to college campuses for years and shows very clearly that the group retains the right to sue people for copyright violations.

Source - Cnet

It would not be good for the State to allow its citizens to know how sneaky their politicians are.

Court Allows Arkansas To Hide Wikipedia Edits

Posted by Soulskill on Saturday December 20, @08:15AM from the change-we-don't-believe-in dept. Government The Courts The Media Politics

rheotaxis writes

"A circuit judge in Arkansas will not order the state to reveal where its computers were used to edit Wikipedia articles about former governor Mike Huckabee while he was running for President. Two Associated Press journalists used WikiScanner to track the edits to IP addresses used by the state. Writer Jon Gambrell and News Editor Kelly P. Kissel filed a suit in October 2007 asking the state to reveal which state offices used the IP addresses, because state rules don't allow using computer resources for political purposes. The director of the Arkansas Department of Information Systems, Claire Bailey, claimed in court that releasing this information would allow hackers to target these state offices." [We already know the IP address, we just want to know who is breaking the law. Bob]

Spin politician, spin!

CSIS Cybersecurity Commission Chairman Jim Langevin Answers Your Questions

Posted by Roblimo on Friday December 19, @11:44AM from the yet-another-chapter-in-the-continuing-U.S.-government-cybersecurity-saga dept.

Last week we solicited questions for US Representative Jim Langevin (D-RI), one of the chairs of the CSIS Cybersecurity Commission. Here are his answers — along with contact information for him if you want to continue the conversation.

Some of us never bought the explanation of the first cuts. Read the comments for some of the “improbable” bits.

Mediterranean Undersea Cables Cut, Again

Posted by ScuttleMonkey on Friday December 19, @03:11PM from the cut-me-twice-shame-on-you dept. Communications The Internet

miller60 writes

"Three undersea cables in the Mediterranean Sea have failed within minutes of each other in an incident that is eerily similar to a series of cable cuts in the region in early 2008. The cable cuts are already causing serious service problems in the Middle East and Asia. See coverage at the Internet Storm Center, Data Center Knowledge and Bloomberg. The February 2008 cable cuts triggered rampant speculation about sabotage, but were later attributed to ships that dropped anchor in the wrong place."

Mark my words! This is a serious mistake. They specify that the loan is secured by “unencumbered assets.” If they had 4 or 13 billion in unencumbered assets, would they need a loan? Perhaps all those lawyers in Congress never took a class in Bankruptcy.

At 14 or 15 pages, it is apparently far easier (paperwork wise) to borrow billions than it is to get a home mortgage.

December 18, 2008

Bush Administration's Plan to Assist Automakers

Follow up to previous postings on auto industry, today's White House press release: "...the only way to avoid a collapse of the U.S. auto industry is for the executive branch to step in. The American people want the auto companies to succeed, and so do I. So today, I'm announcing that the federal government will grant loans to auto companies under conditions similar to those Congress considered last week...These loans will provide help in two ways. First, they will give automakers three months to put in place plans to restructure into viable companies -- which we believe they are capable of doing. Second, if restructuring cannot be accomplished outside of bankruptcy, the loans will provide time for companies to make the legal and financial preparations necessary for an orderly Chapter 11 process that offers a better prospect of long-term success -- and gives consumers confidence that they can continue to buy American cars."

Treasury Releases Term Sheet for Automotive Plan: Washington - The U.S. Treasury Department today released the term sheet and appendices for the Administration's plan for stabilizing the automotive industry.

Global Warming! Global Warming!

Surfers, Rejoice: Some Extreme Waves Getting Bigger

By Alexis Madrigal December 19, 2008 5:34:23 PM

SAN FRANCISCO — The largest waves in the Pacific Northwest are getting higher by seven centimeters a year, posing an increasing threat to property close to the shore. And the strange part is: Scientists aren't sure why. [It's that last bit that makes me certain it is connected to Global Warming. Bob]

Oregon State researchers found that the danger to property from these larger extreme waves will outweigh the impacts of rising sea levels caused by global warming over the next several decades.

For the Computer Forensics class. Want to give someone a heart attack? Send your co-workers a lay-off notice! Foreclose on loans! Tell someone they are being sued! What fun! (There is even a “do it yourself” tutorial!) - Sending Anonymous E-mails

If for any reason you have to send an e-mail communication in an anonymous manner, this application is going to suit you just fine. To make things more interesting, you can not only send anonymous messages through the site, but also send e-mails and make them appear as if they came from another person.

This process is implemented in a very easy way too, and that is a definitive bonus. You don’t need to sign up or login in order to use it, and there are no fees of any kind to be paid.

[From the site FAQ:

Update: Due to some naughty people, I've now added a footer at the bottom of each message specifying that the message was actually a prank. Sorry.
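For the forensics class, the other side of a site like this: given the raw message, how do you show the "From" line is forged? As an added example, not code from the site above, the script compares the fields a sender controls (From) with the ones the mail servers wrote (Return-Path, the Received chain, the Message-ID's origin) and looks for the footer the FAQ says the relay appends. Both messages are constructed, every host and address in them is invented, and the hypothetical victim.example and prankmail.example domains stand in for the real ones.

```python
"""Header checks for a message suspected of carrying a forged From: line.

Added example for the forensics class; it is not code from the site described
above. The two messages are constructed, the hosts and addresses are invented,
and the "prank" footer is the one the site's FAQ says it appends."""
import re
import email
from email import policy
from email.utils import parseaddr

SPOOFED_RAW = """\
Return-Path: <bounce@prankmail.example>
Received: from mx.prankmail.example (mx.prankmail.example [203.0.113.10])
\tby mail.victim.example with ESMTP id abc123
\tfor <worker@victim.example>; Fri, 19 Dec 2008 14:02:11 -0700
Received: from webapp by mx.prankmail.example with local id 42
\tfor <worker@victim.example>; Fri, 19 Dec 2008 14:02:10 -0700
From: "The Boss" <boss@victim.example>
To: worker@victim.example
Subject: Your position has been eliminated
Message-ID: <20081219210210.42@prankmail.example>
Date: Fri, 19 Dec 2008 14:02:10 -0700

Please clear your desk by 5pm.

--
This message was actually a prank.
"""

LEGIT_RAW = """\
Return-Path: <boss@victim.example>
Received: from mail.victim.example (mail.victim.example [192.0.2.5])
\tby mail.victim.example with ESMTP id def456
\tfor <worker@victim.example>; Fri, 19 Dec 2008 15:10:00 -0700
From: "The Boss" <boss@victim.example>
To: worker@victim.example
Subject: Holiday schedule
Message-ID: <20081219221000.7@victim.example>
Date: Fri, 19 Dec 2008 15:10:00 -0700

The office is closed 24 Dec to 2 Jan.
"""


def domain_of(value) -> str:
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(str(value or ""))
    return addr.rpartition("@")[2].lower()


def in_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def analyze(raw: str) -> dict:
    """Compare sender-controlled headers with server-written ones."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    msgid_dom = domain_of(msg["Message-ID"])
    # Each hop prepends its Received: line, so the first one is the record our
    # own server wrote, and its "from" is the host that actually connected.
    received = [str(h) for h in msg.get_all("Received", [])]
    m = re.search(r"from\s+([\w.-]+)", received[0]) if received else None
    connecting_host = m.group(1).lower() if m else ""
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""

    findings = []   # indicators, not proof: lists and bulk mailers trip some
    if rp_dom and rp_dom != from_dom:
        findings.append(f"envelope sender is {rp_dom}, header From is {from_dom}")
    if msgid_dom and msgid_dom != from_dom:
        findings.append(f"Message-ID was minted at {msgid_dom}, not {from_dom}")
    if connecting_host and not in_domain(connecting_host, from_dom):
        findings.append(f"handed to us by {connecting_host}, not a {from_dom} host")
    if "actually a prank" in body.lower():
        findings.append("relay's prank footer is present in the body")
    return {"from_domain": from_dom, "return_path_domain": rp_dom,
            "connecting_host": connecting_host, "findings": findings,
            "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legit", LEGIT_RAW)):
        print(label, analyze(raw))
```

The Received chain is the evidence that survives: the sender can type any From line, but cannot rewrite what the victim's own server recorded about who connected. Where the receiving server does SPF or DKIM checks, the Authentication-Results header it adds is the authoritative version of the same comparison; the footer check is specific to this one site and will not catch a relay that omits it.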

A Computer Forensic tool leaves the Internet!

FixMyMovie forsakes the cloud for PC software

Posted by Stephen Shankland December 19, 2008 1:18 PM PST

FixMyMovie, an online service that let people improve the quality of their videos, is going offline.

"We're shutting down on December 31, 2008. In its place, we're launching a new Windows desktop application, code-named Carmel, which will be released in the first quarter of 2009," said MotionDSP, which runs the site, in an e-mail to site members Friday.

... MotionDSP has been funded by In-Q-Tel, the Central Intelligence Agency's venture investment arm, which is interested in technology that can extract more information from photos and videos.

Because my students have the next two weeks off...

Friday, December 19, 2008

New toys, new hacks.

Your Spying iPhone

Thursday, December 18 2008 @ 10:09 PM EST Contributed by: PrivacyNews

Careful, iPhone users: Your smart phone may be smarter than you think.

On Thursday researchers at Finnish cybersecurity firm F-Secure said they have spotted the first known instance of iPhone "spyware" called Mobile Spy, a piece of commercial software that sells for $99 a year.

Mobile Spy developer Retina-X Studios says the software can invisibly track the call logs, text messages and even the GPS data of any iPhone it's installed on, allowing the eavesdropper to track the user's whereabouts on a Web site that hosts the stolen data.

Source - Forbes

Fortunately, I can order these through my local library's website.

For your reading list

Friday, December 19 2008 @ 06:51 AM EST Contributed by: PrivacyNews

Dan Solove and Paul Schwartz have a new casebook out: Privacy and the Media. You can read more about it on Concurring Opinions.

Dan also lets us know about the publication of William J. Cuddihy's The Fourth Amendment: Origins and Original Meaning 602 - 1791: "The book has just come out in print, hot off the press, and it's an absolutely essential volume for any scholar of constitutional history, criminal procedure, or the Fourth Amendment." You can read more about it here.

They are coming for you!

Personalized Spam Rising Sharply, Study Finds

Posted by CmdrTaco on Thursday December 18, @10:16AM from the no-i-don't-want-a-yearbook dept. Spam

designperfection9 writes

"A new study by Cisco Systems Inc. found an alarming increase in the amount of personalized spam, which online identity thieves create using stolen lists of e-mail addresses or other poached data about their victims, such as where they went to school or which bank they use."

[From the article:

Cisco's annual security study found that spam is growing quickly--nearly 200 billion spam messages are now sent each day, double the volume in 2007--and that targeted attacks are also rising sharply.

More than 0.4 percent of all spam sent in September was targeted attacks, Cisco found. That might sound low, but since 90 percent of all e-mails sent worldwide are spam, this means 800 million messages a day are spear-phishing attempts. A year ago, targeted attacks with personalized messages were less than 0.1 percent of all spam.

...and apparently, they are finding you!

Hundreds of Stolen Data Dumps Found

Thursday, December 18 2008 @ 12:32 PM EST Contributed by: PrivacyNews

A comprehensive new study that peers into huge troves of financial data stolen by cyber thieves confirms what experts have surmised from looking at much smaller, isolated caches of digital loot: That criminals can make hundreds, even thousands, of dollars a day selling data stolen with the help of widely available software toolkits.

Recent reports by security firms Finjan, RSA, SecureWorks and Symantec have shown that stolen identities, bank accounts and credit card numbers are sold in bulk every day in shadowy online forums, often for pennies on the dollar. In its analysis, Symantec found in 2007 that the going rate for the keys to assuming someone else's identity was between $14 and $18 per victim.

Those reports either presented conclusions based on examining a single cache of stolen data, or by observations based on watching transactions between cyber thieves. But a report released today by researchers at the University of Mannheim, Germany, offers a disturbing glimpse at the sheer abundance of this stolen data.

Source - Security Fix

File this under “I'll believe it when I see it.”

RIAA To Stop Prosecuting Individual File Sharers

Posted by kdawson on Friday December 19, @08:16AM from the declare-victory-and-withdraw dept. The Courts

debatem1 writes

"According to the Wall Street Journal, the RIAA has decided to abandon its current tactic of suing individuals for sharing copyrighted music. Ongoing lawsuits will be pursued to completion, but no new ones will be filed. The RIAA is going to try working with the ISPs to limit file-sharing services and cut off repeated users. This very surprising development apparently comes as a result of public distaste for the campaign."

An RIAA spokesman is quoted as saying that the litigation campaign has been "successful in raising the public's awareness that file-sharing is illegal."

Call for a national breach notification law?

December 18, 2008

FTC Issues Report on Social Security Numbers and Identity Theft

News release: "The Federal Trade Commission issued a report today recommending five measures to help prevent Social Security numbers from being used for identity theft. Principal among the report’s recommendations is that Congress consider taking action to strengthen the procedures that private-sector organizations use to authenticate their customers’ identities...The FTC report states that adopting nationwide standards for how businesses and other organizations verify the identity of new and existing customers would make it harder for identity thieves to use SSNs and other stolen information to consummate their fraud...The FTC report also recommends that steps be taken to reduce the unnecessary display and transmission of SSNs, but noted that such restrictions must be approached carefully. A number of important functions in the U.S. economy depend on use of and access to SSNs, and the report concluded that overly restrictive attempts to limit the availability of SSNs could unintentionally curtail those functions. Finally, the report recommends steps to improve data security, increase outreach to consumers and businesses on the protection of SSNs, and enhance coordination and information-sharing among organizations that routinely use SSNs."

[From the report:

Recommendation 3: Establish National Standards for Data Protection and Breach Notification

The business models are changing, will the attitudes?

Universal Music seeing 'tens of millions' from YouTube

Posted by Greg Sandoval December 18, 2008 1:18 PM PST

YouTube's traffic machine may finally be turning into a cash machine.

For the first time, there are signs that YouTube is driving significant revenue for itself and some of the video site's partners. In an interview with CNET News this week, Rio Caraeff, executive vice president of Universal Music Group's eLabs, said the largest of the top recording companies is bringing in "tens of millions of dollars" from YouTube.

"(YouTube) is not like radio, where it's just promotional," said Caraeff, who heads up Universal's digital group. "It's a revenue stream, a commercial business. It's growing tremendously. It's up almost 80 percent for us year-over-year in the U.S. in terms of our revenue from this category."

Lots of sites like this one. Perhaps a more targeted site (computers, law) would be a better business model. - Publishing Platform For Ebook Authors

A visit to this online resource is an appealing prospect for the many authors out there that are looking for ways of extending their outreach, and who can’t seem to attain transcendence however much they try.

In a nutshell, this site is a platform that gives independent authors the chance to publish their works in multiple ebook formats, which are ready for being sold online immediately. The site provides such writers with all the necessary viral marketing tools, too, and the author sets the price personally. Once a sale is made, he will receive 85 % of the net sale itself.

For their part, readers benefit from a system that empowers them to sample a significant part of the book beforehand (up to 50 % and even more), and they are also supporting indie authors that are just starting on the long literary journey.

Thursday, December 18, 2008

How to get the attention of lawyers?

UK: Burglars take barristers' details

Wednesday, December 17 2008 @ 08:36 AM EST Contributed by: PrivacyNews

The contact details and data records of all practising barristers in England and Wales have been stolen.

The data was taken during a burglary at the central London offices of the Bar Council, which is the professional body for barristers.

Details of direct debits and people who have complained about barristers, including witnesses, were also taken.

Source - BBC

Why I don't believe the press releases.

Duke employee charged with selling fake IDs

Wednesday, December 17 2008 @ 09:44 AM EST Contributed by: PrivacyNews

A biomedical research technician at Duke University is accused of supplying hundreds of fake IDs to college students with the aid of a computer stolen from the state Division of Motor Vehicles.

Wake ABC law enforcement officers arrested Robert Wayne Bullock, 23, Tuesday at his home in rural Orange County and charged him with selling false IDs. The officers found him in possession of the computer, which had been taken two years ago from the DMV office in Louisburg, said Lew Nuckles, chief of ABC law enforcement in Wake County.

... The IDs were made with the date of birth and holograms found on real driver's licenses issued by the state, he said.

Source - News&Observer

Comment: the original DMV breach was reported here. At the time, the News&Observer reported: "The motorist information is not easily accessible on the computer, and there is no evidence that it has been used, Howell said." Two years later, we find out that the data was certainly accessible to at least one person and that some of the information has, indeed, been used. -- Dissent.

Local, and a good example of bad (communications with) management? How many managers failed to notice extra people on their payroll?

CO: Payroll chief accused of $3M theft from energy firm

Wednesday, December 17 2008 @ 08:14 PM EST Contributed by: PrivacyNews

A 34-year-old former payroll manager for a Denver energy company is facing charges alleging that she stole more than $3 million from the firm by inventing fake employees and having their pay deposited in accounts she controlled.

... According to an arrest warrant affidavit, Bundy was payroll manager for Ensign United States Drilling Inc. The theft took place between 2001 and this year, the affidavit alleges.

Bundy added nonexistent employees to the payroll, and arranged to have their wages direct-deposited to accounts that she set up, the affidavit alleges.

Source - Denver Business Journal

Note: I would have missed this one and written it off as insider theft, but Rob Douglas of kindly alerted me that a second story on reported that she also used the identities of former employees. -- Dissent

[Cute little video on
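The three checks that answer Bob's question about the payroll, as an added example that is not from the article or from any company's systems: the classic invented employee shows up as a payroll record with no HR record, Dissent's variant (a former employee's identity reused) only shows up when you join payroll against termination dates, and both fall out of the one thing a fraudster finds hardest to vary, the bank account the money lands in. Both tables and all rows are constructed for the demo; every name, account and routing number is fictitious.

```python
"""Three ghost-employee checks run with SQL against a payroll extract.

Added example; not from the article or from the company's systems. Both
tables and all rows are constructed and every name, account and routing
number is fictitious."""
import sqlite3

HR_ROWS = [  # (emp_id, name, hire_date, term_date or None)
    (101, "A. Ng",    "2003-02-10", None),
    (102, "B. Ortiz", "2004-06-01", "2007-03-31"),   # left last year
    (103, "C. Diaz",  "2005-09-12", None),
]
PAYROLL_ROWS = [  # (emp_id, name, pay_date, amount, routing, account)
    (101, "A. Ng",    "2008-11-30", 4200.00, "102000021", "555100"),
    (103, "C. Diaz",  "2008-11-30", 3900.00, "102000021", "555200"),
    (102, "B. Ortiz", "2008-11-30", 4100.00, "107005047", "900077"),  # paid after leaving
    (250, "D. Frost", "2008-11-30", 4300.00, "107005047", "900077"),  # no HR record
    (251, "E. Lund",  "2008-11-30", 4250.00, "107005047", "900077"),  # same account again
]


def load(conn):
    """Build the two tables from the constructed rows."""
    conn.executescript("""
        CREATE TABLE hr (emp_id INTEGER PRIMARY KEY, name TEXT,
                         hire_date TEXT, term_date TEXT);
        CREATE TABLE payroll (emp_id INTEGER, name TEXT, pay_date TEXT,
                              amount REAL, routing TEXT, account TEXT);
    """)
    conn.executemany("INSERT INTO hr VALUES (?,?,?,?)", HR_ROWS)
    conn.executemany("INSERT INTO payroll VALUES (?,?,?,?,?,?)", PAYROLL_ROWS)


def unknown_to_hr(conn):
    """Paid, but HR never hired them: the invented employee."""
    return [r[0] for r in conn.execute("""
        SELECT DISTINCT p.emp_id FROM payroll p
        LEFT JOIN hr h ON h.emp_id = p.emp_id
        WHERE h.emp_id IS NULL ORDER BY p.emp_id""")]


def paid_after_termination(conn):
    """A real ex-employee's identity reused; the HR join alone misses this."""
    return [r[0] for r in conn.execute("""
        SELECT DISTINCT p.emp_id FROM payroll p
        JOIN hr h ON h.emp_id = p.emp_id
        WHERE h.term_date IS NOT NULL AND p.pay_date > h.term_date
        ORDER BY p.emp_id""")]


def shared_deposit_accounts(conn):
    """Several employees paid into one bank account, whoever they claim to be."""
    return [tuple(r) for r in conn.execute("""
        SELECT routing, account, COUNT(DISTINCT emp_id)
        FROM payroll GROUP BY routing, account
        HAVING COUNT(DISTINCT emp_id) > 1""")]


def run_checks():
    conn = sqlite3.connect(":memory:")
    load(conn)
    return {"unknown_to_hr": unknown_to_hr(conn),
            "paid_after_termination": paid_after_termination(conn),
            "shared_accounts": shared_deposit_accounts(conn)}


if __name__ == "__main__":
    for check, hits in run_checks().items():
        print(f"{check}: {hits}")
```

The account check is the one to run against the bank file every pay period, because it needs no HR data at all and catches both ghosts and reused identities at once; the other two need the HR master file, which is exactly the system a payroll manager acting alone does not control. Names are deliberately not compared, since the fraudster chooses them.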

We can't stop Political telemarketing, but at least they don't reverse the charges.

Th: PM's SMS might violate privacy: consumer advocate

Thursday, December 18 2008 @ 05:26 AM EST Contributed by: PrivacyNews

Consumer advocate Saree Ongsomwang on Thursday warned of a possible offence against privacy after Prime Minister Abhisit Vejjajiva chose to stay in touch with his constituents via text messaging.

Saree said that under the telecommunication law, mobile phone operators are banned from releasing the list of subscribers without their consent.

She said Abhisit should opt to keep contacts with the people via television and other public communication outlets in order to avoid infringing on the consumer's right.

The Democrat Party should not place financial burden on mobile phone users, she said.

Democrat MP Korn Chatikavanij, tipped to become the finance minister, asked every mobile phone operator to transmit a text message to subscribers on Thursday.

Source - The Nation

The election nonsense continues...

Ohio official in 'Joe the Plumber' flap resigns

Thursday, December 18 2008 @ 05:28 AM EST Contributed by: PrivacyNews

An Ohio agency director resigned Wednesday in the wake of a finding that she improperly used state computers to access personal information on the man who became known as "Joe the Plumber" during the presidential campaign.

Two other officials who were suspended from their positions for their role in the computer search will not be returning to their jobs, [Is that “spin speak” for “They were fired?” Bob] an agency spokeswoman said.

Department of Job and Family Services Director Helen Jones-Kelley said in a statement accompanying her resignation that she won't allow her reputation to be disparaged [Oops! Too late! Bob] and that she is concerned for her family's safety.

Source - Houston Chronicle

Making vast plans for security is worthless if you only have half-vast implementation. Like many government procedures, there is no connection between the strategic vision and the tactical implementation. (Think of this as installing a smoke alarm with no speaker...)

IRS Doesn't Check Cyberaudit Logs

Posted by samzenpus on Thursday December 18, @07:57AM from the check-your-work-twice dept. Security United States

An anonymous reader writes

"The US Internal Revenue Service's IT staff hasn't routinely checked its cybersecurity audit logs, according to a report released this week by the agency's inspector general's office. The report is not exactly flattering for the IRS. The report, with large chunks redacted, recommends the IRS allow independent review of audit logs and establish procedures to save audit logs. It also recommended that the IRS regularly test its Internet gateways for compliance with standard security configurations."

Simple but effective? Their survey is based on the limited information available from disclosures. The Attorneys General in states that mandate reporting could do the same thing, easily.

UK: Who’s been losing your data?

Thursday, December 18 2008 @ 05:33 AM EST Contributed by: PrivacyNews

You hand over your personal details to councils, hospitals, employers and businesses all the time. But these institutions don’t always keep that data safe. In fact, since HMRC lost its entire database of child benefit claimants last year, high profile data losses have hit the headlines with worrying regularity. But how does this affect you and your family? Click here to find out how likely it is that a government department or corporate entity has been losing your data recently.

Source - Open Rights Group

“Everyone is doing it!” If you can't get Congress to do it, first get someone else to do it so you can point to them and demand we “keep up.”

International data protection agreement reached

Wednesday, December 17 2008 @ 01:39 PM EST Contributed by: PrivacyNews

Efforts to improve data protection and data sharing practices between the United States and the European Union took a significant step forward with the declaration of a new set of common principles late last week.

The French EU Presidency, the European Commission, and the U.S. Homeland Security, Justice and State departments agreed to a Statement on Information Sharing and Privacy and Personal Data Protection at a meeting in Washington. The statement marks new progress on a set of principles intended to advance data privacy and data sharing in law enforcement circles.

Source - FCW

[From the article:

A central component of the PNR agreement was a set of data protection principles that shield private companies and other countries from punishment for cooperating with antiterrorism data-gathering measures.

Do you suppose they only advertised in LA? Is this the next bandwagon for DAs to hop on?

AT&T, T-Mobile settle over voicemail security advertising

Wednesday, December 17 2008 @ 08:40 AM EST Contributed by: PrivacyNews

AT&T and T-Mobile have agreed to pay fines to the Los Angeles District Attorney over claims they made that their voicemail systems were secure from hackers that turned out to be untrue. As part of a permanent injunction issued against the two companies last week, AT&T will pay $59,300 while T-Mobile will pay $25,000, and they have also agreed to stop advertising their systems as secure.

Source - Ars Technica

Be afraid, be very afraid! Can you say: “Blue screen of nuclear death?”

British Royal Navy Submarines Now Run Windows

Posted by samzenpus on Thursday December 18, @03:53AM from the deep-blue-screen dept. Windows The Military Technology

meist3r writes

"On his Government blog, Microsoft's Ian McKenzie announced today that the Royal Navy was ahead of schedule for switching their nuclear submarines to a customized Microsoft Windows solution dubbed 'Submarine Command System Next Generation (SMCS NG)' which apparently consists of Windows 2000 network servers and XP workstations. In the article, it is claimed that this decision will save UK taxpayers £22m over the next ten years. The installation of the new system apparently took just 18 days on the HMS Vigilant. According to the BAE Systems press release from 2005, the overall cost of the rollout was £24.5m for all eleven nuclear submarines of the Vanguard, Trafalgar and Swiftsure classes. Talk about staying with the sinking ship."

The concept is interesting, but PS3s?

How To Build a Homebrew PS3 Cluster Supercomputer

Posted by timothy on Wednesday December 17, @06:18PM from the slot-a-tab-b dept. Supercomputing PlayStation (Games) Hardware

eldavojohn writes

"UMass Dartmouth Physics Professor Gaurav Khanna and UMass Dartmouth Principal Investigator Chris Poulin have created a step-by-step guide designed to show you how to build your own supercomputer for about $4,000. They are also hoping that by publishing this guide they will bring about a new kind of software development targeting this architecture & grid (I know a few failed NLP projects of my own that could use some new hardware). If this catches on for research institutions it may increase Sony's sales, but they might not be seeing the corresponding sale of games spike (where they make the most profit)."

For my Statistics classes (and others)

December 17, 2008

Statistical Abstract of the United States: 2009

News release: "The U.S. Census Bureau released today the new Statistical Abstract of the United States: 2009. First published in 1878, “Uncle Sam’s Almanac” is a summary of statistics on a wide range of important topics, from A (aquaculture) to Z (zinc production). Whether one seeks numbers on biofuel or banking, foreign trade or foreign aid, cars or bars, there is no better one-stop shop for statistics... The 128th edition contains more than 1,400 tables of social, political and economic facts about our nation and the world. Among topics covered in the 49 new tables in this edition are the religious composition of our nation’s population, osteopathic physicians, online news consumption, expenditures for wildlife-related recreation and women in parliaments around the globe. Although the emphasis is on national-level statistics, some tables present state- and even city- and metropolitan-level data as well."

Something for the Computer Forensics class

Plethora of New User Space Filesystems For Mac OS X

Posted by CmdrTaco on Wednesday December 17, @11:46AM from the because-you-can dept. OS X Data Storage

DaringDan writes

"As part of the recent MacFUSE 2.0 release Amit Singh has added support for an insane number of filesystems on the Mac. This video from Google and this blog post pretty much explain everything in detail but to sum up Singh has written a new filesystem called AncientFS which lets you mount a ton of UNIX file formats starting from the very first version of UNIX. Even more interesting is that they have also taken Linux kernel implementations of filesystems like ufs, sysv-fs, minix-fs and made them work in user-space on the Mac, which means it's now possible to read disks from OSes like FreeBSD, Solaris and NeXT on OS X. ext2/ext3 don't seem to be on the list but apparently the source for everything is provided, so hopefully some enterprising soul can apply the same techniques to ext2. One of their demos even has the old UNIX kernel compiled directly on the Mac through the original PDP C compiler by somehow executing the PDP binaries on OS X!"

Wednesday, December 17, 2008

Once upon a time, workers would leave a job with only the tools they owned – but then castles and cathedrals were too large to carry off. Now we can click-n-steal. Ain't technology wonderful?

GMAC Mortgage announces office closings; employees take customer data

Tuesday, December 16 2008 @ 08:40 AM EST Contributed by: PrivacyNews

With the economy in what can only optimistically be described as a nose-dive, we're beginning to see more warnings about the risk of desperate, disgruntled or excessed employees taking data or proprietary corporate information. But some of their warnings may have come a bit too late for GMAC Mortgage.

According to a notification letter to the Maryland Attorney General's Office, on September 3, the company announced the closing of its retail offices across the country and "put into place procedures to capture all assets in branch office locations including customer/consumer data."

But approximately a month later, two customers reported receiving mail from former employees at the Bedford, New Hampshire office.

An investigation by GMAC Mortgage revealed that prior to their end date, some loan officers had forwarded to themselves or associates customer lists containing customers' names, mailing addresses, and mortgage loan account numbers.

The company is currently pursuing legal remedies against seven former loan officers and Schaefer Mortgage in federal district court in New Hampshire, including seeking the return of customer data.

[No link to the notice itself, this is the link to the index:

Only six states have an open database of breach reports?

Data Breach Notices Show Tip of the Iceberg

Posted by kdawson on Tuesday December 16, @07:39PM from the data-diving dept. Privacy Security

d2d writes

"The Data Loss Database has released a new feature: The Primary Sources Archive, a collection of breach notification letters gathered from various state governments as a result of data breach notification legislation. The documents include breaches that were largely unreported in the media, many of which are significant incidents of data loss. This lends credence to the iceberg theory of data-loss reporting, where many incidents never break the surface. Now, thanks to the Open Security Foundation, we can 'dive' for them."

You have to plan the entire process.

When breach notifications breach privacy

Tuesday, December 16 2008 @ 09:44 AM EST Contributed by: PrivacyNews

Back in May, I reported a situation in which a breach notification letter to a state attorney general had revealed patient information, thereby creating yet another breach that was compounded by the publication of the notification letter on the Web. Because a similar web exposure problem recently occurred, I thought I would take a moment to point out what some CPOs, CSOs, and other reporting entities may not know or think about when they write their notification letters: if you file a mandated notification to states attorney general or another state agency or department under a state's mandated notification laws, your notification letters generally become public records that are obtainable under public records or freedom of information laws.

Six states currently maintain such central registries: New York, Massachusetts, North Carolina, Vermont, New Hampshire, and Maryland. Three of those (NH, VT, and NH) publish those notification letters on their web sites. The others make them obtainable under public records laws.

Even if you request that a notification be treated as proprietary information, your report may become publicly available (although one state has not yet ruled on that).

Having to disclose a breach can be embarrassing enough. Revealing someone's personal information in your disclosure is even more embarrassing. When you include copies of your notification letters to affected individuals or other documentation concerning the breach, check to ensure that you have not included any actual individual's information in the letter. You'll thank me later.

The ultimate tabloid resource? Of course there will be consequences, but will they be consequential?

UK: ‘Access all areas’ for media so justice is seen to be done

Wednesday, December 17 2008 @ 07:27 AM EST Contributed by: PrivacyNews

The secrecy of the family courts – in which nearly 95,000 cases are heard in private each year – is to end under reforms announced yesterday that will allow the media access to all levels of the system. The move could mean that social workers and expert witnesses who fail children, and now enjoy the protection of anonymity, will in future be named publicly when criticised by judges.

Jack Straw, the Justice Secretary, said that from April the media would be permitted access to all family cases in all courts – from celebrity divorces to hearings over domestic violence or children being removed from families.

Source - Times Online

Not all policies are logical. Google was a big Obama supporter, should we read something into this? Surely it doesn't violate their “Do no evil” strategy, does it?

Google censors political-donation transparency ads

Posted by Chris Soghoian December 16, 2008 7:55 PM PST

Should members of the public be able to pay for Web advertisements detailing which companies have donated to politicians? While this seems like a great way to promote transparency in politics, Google forbids the practice--we are free to name the politicians who take money but cannot name the companies that give it.

... As this post will explore, Google's rather absurd, and little known, trademark policy seriously harms the ability of citizens to highlight the donations made to politicians by large corporations.

What analysis takes 90 days? (Perhaps they should use a computer?)

Yahoo to purge user data after 90 days

Posted by Larry Dignan December 17, 2008 5:04 AM PST

Yahoo said Wednesday that it will make its user logs anonymous within 90 days as it ups the ante on data retention policies.

In a statement, Yahoo said it would also make user data on page views, page clicks, ad views and ad clicks anonymous as well as its user logs. The only exceptions would be for "fraud, security and legal obligations."

... In September, Google said it would make its user logs anonymous after nine months, a vast improvement over its previous 18-month policy.

Undue reliance: believing that the economic model that works sometimes will work every time...

Computer Models and the Global Economic Crash

Posted by kdawson on Tuesday December 16, @05:03PM from the not-able-rightly-to-comprehend dept.

Anti-Globalism passes along a review in Ars of some recent speculation on the role of interconnected computer models in the global economic crash.

"If Ritholtz, Taleb, Mandelbrot, and the rest of the computer modeling and financial engineering naysayers are correct about the big picture, then we really are arguably in the midst a bona fide computer crash. Not an individual computer crash, of course, but a computer crash in the sense of Sun Microsystems' erstwhile marketing slogan, 'the network is the computer.' That is, we have all of these machines in different sectors of the economy, and we've networked all of them together either directly (via an actual network) or indirectly (by using the collective 'output' of machines in one sector as input for the machines in another sector), and like any other computer system the whole thing hums along nicely... up until the point when it doesn't."

This has happened many times before. Gutenberg probably got death threats from monks who made a living hand copying manuscripts. Radio was once King. TV has had its day, and I suspect YouTube is (eventually) doomed.

Good news for YouTube: Bullish video ad forecast

Posted by Stephen Shankland December 16, 2008 4:22 PM PST

Online advertising may be dragging, but one analyst firm expects the market for video ads to grow 45 percent to $850 million in 2009.

An eMarketer study released Tuesday forecast more growth in years to come: $1.25 billion in 2010, $1.85 billion in 2011, $3.0 billion in 2012, and $4.6 billion in 2013.

... TV ads, meanwhile, will shrink from $69.8 billion in 2008 to $66.9 billion in 2009, then down to $67.2 billion in 2010.

Related. Waiting for someone to chop down a tree and turn it into news-papyrus is just too Egyptian. If you can't be the single/best source of global news, you will have to be the best source of local news. (Two completely different strategies)

The Internet, the last hope of newspapers

Posted by Greg Sandoval December 16, 2008 3:07 PM PST

A "bold transformation" is how The Detroit News and The Detroit Free Press are trying to spin their decision to limit home delivery of their newspapers to three days a week.

While both said Tuesday that they will continue to issue traditional newspapers at newsstands seven days a week, they are the first daily newspapers from a major city to cut back home delivery.

Related. One heir to the telephone? Why talk to customer service when you can twit – and keep a log of the answers!

Twitter promotions can add up to millions

Posted by Caroline McCarthy December 16, 2008 2:17 PM PST

Computer giant Dell told Internet News that its "Twitter sale alerts" have added up to about $1 million in revenue.

As we all know from Mike Myers' "Dr. Evil" character in the Austin Powers movie franchise, a million bucks isn't a whole lot of money for a major multinational corporation. But it does have something to say about how Twitter is transforming from gimmicky messaging tool to marketing powerhouse. Fire-sale start-up Woot showed that it's possible to take advantage of Twitter's rapid-fire nature to advertise fleeting deals; shoe retailer Zappos has gotten praise for using Twitter for customer service.

Low-cost airline JetBlue, as the Internet News article points out, also uses Twitter for both fare deals and customer service.

More compelling is what this can mean for Twitter's own not-yet-existent business model, which looks like it might involve premium accounts for businesses using the service. With companies touting retail success, this could widen the window of opportunity for Twitter to start encouraging them to, well, pay up.

Related – because serious gamers want the best technology they can get. (Gameboy killed game boards?)

More games moving to the cloud

Posted by Dave Rosenberg December 16, 2008 11:45 PM PST

The Shack reports that Electronic Arts might be moving Spore to the Steam cloud-based gaming platform. An EA end-user license agreement showed up on Steam demonstrating that if nothing else, the company is testing out the idea.

Spore was the most pirated game of 2008, and if you are EA, you have to look at other ways to deliver games to the masses. With Steam, EA not only increases its distribution possibilities, but it also gets a better platform with a more user-friendly DRM function.

Similar to the Zotero Firefox add-in. This is becoming an interesting tool category for researchers.

A New Internet Aggregator

Broadly speaking, SyncOne is an Internet aggregator that enables users to save information from any page via a mere mouse click. The information that is thus stored can be accessed from anywhere there is an Internet connection, and this system has the distinct advantage of letting you access contents you have saved even when the page or site in question has gone down.

The basic concept at play is that of webclips. The term refers to portions or snippets of web pages that are saved for ulterior reference. SyncOne makes it possible to save information this way, and use it for study, research and comparison.

Moreover, there is a prominent social aspect at play since users of this web-based application can interact with each other through the site. This gives them a ready chance to discuss the snippets they have saved, and see if they come across new relevant items this way.

When all is said and done, sites such as this one offer a different way of storing and sharing online information. If you feel such an approach will click with you, I advise you to pay the site a visit in order to have a taster for yourself.

Tuesday, December 16, 2008

Familiar questions. Why is this computer attached to the Internet? No anti-virus detection for 8 months?

NC: UNCG Discovers Security Breach; Employees Being Notified

Monday, December 15 2008 @ 09:53 AM EST Contributed by: PrivacyNews

Employees at The University of North Carolina at Greensboro have been notified about a security breach, with potential data loss from a computer which contained personal information used to process the institution’s payroll.

Notification was sent on Monday to UNCG’s faculty, staff and student employees, including former UNCG employees, who have received payment from UNCG since April of this year. All regular UNCG employees have direct deposit for their paychecks.


The situation was detected on Thursday afternoon (Dec. 11), when a payroll employee received a notification of a virus alert while attempting to access data. The computer was located in the Accounting Services office. It was discovered that the computer had been infected with a virus which may have allowed an unauthorized person to gain access to personal information.

Staff from UNCG’s accounting/payroll and information technology services areas are working to determine the level of access that unauthorized persons would have to employees’ personal information. Material on the affected computer included names, Social Security numbers, direct deposit routing and banking account information.

After checking, there is evidence that the virus has been on the workstation since April of this year. IT staff members have not been able to determine whether or not any personal data has actually been accessed.

Source - University of North Carolina at Greensboro Related - UNCG Incident FAQ

[From the related article:

When the security breach was discovered, UNCG technicians made a copy of the data on the affected workstation. They took the workstation offline, so the virus which had been detected could not access the network. [Normal procedure would be to take the computer offline, THEN work on cleaning the virus. Bob]

Even the AG can't keep up?

27 Breaches reported on Maryland Attorney General’s Web site

The following breaches were added (in batch) to the Maryland Attorney General’s web site on or about December 5th, 2008. The breaches were all reported to the Maryland Attorney General, in accordance with the Maryland Personal Information Protection Act (PIPA), between the dates of October 6th, 2008 and December 4th, 2008.

Consequences? Should be interesting to follow...

UAE: Police seize gang tied to US$62m credit fraud (follow-up)

Monday, December 15 2008 @ 04:33 PM EST Contributed by: PrivacyNews

Three members of a gang that allegedly stole US$62 million (Dh227.73m) in a month after obtaining credit information from thousands of UAE bank customers have been arrested, Dubai Police said last night.

An extradition warrant has been sought for a fourth gang member, they said.

The men allegedly obtained sensitive information from 16,975 bank cards by using a false website they created. They then illegally bought millions of dollars worth of goods on the internet.

Source - The National

[From the article:

Col al Mansouri said the gang, whose activities were uncovered on July 1, had been operating for a month before police were alerted. [Pretty quick work. Bob]

Related? Card skimming out of control?

UK: Stores deny blame for bank card scam

Tuesday, December 16 2008 @ 06:39 AM EST Contributed by: PrivacyNews

Supermarkets and petrol stations have responded to people’s claims they are the source of a string of scam transactions being made with shoppers’ bank cards.

The Evening Post has been inundated with stories from Reading’s victims – customers of a range of banks including NatWest, Lloyds and Halifax – and several point the finger at big-name stores and garages.

Source - Get Reading

Self-Regulation – the good, the bad, the impossible?

NAI Overhauls Privacy Principles For Online BT Ads

Tuesday, December 16 2008 @ 06:30 AM EST Contributed by: PrivacyNews

NAI is releasing updated BT principles tomorrow.

In the first major overhaul of its guidelines in eight years, the self-regulatory group Network Advertising Initiative today will issue new privacy principles for online behavioral advertising, or serving ads to people based on their Web history.

... the new guidelines differ in some respects from the older ones. For instance, Network Advertising Initiative members that serve ads based on so-called "sensitive" information--including social security numbers, financial account numbers, real-time geographic location and some types of medical data--must now first obtain users' explicit consent, even when the targeting is anonymous. Previously, there was a restriction on using sensitive information to target people when the data was considered "personally identifiable."

In addition, member companies that use behavioral targeting techniques on children under age 13 must first obtain the verifiable consent of a parent.

Source - MediaPost

[From the article:

The new code requires companies to give "clear and conspicuous" notice of behavioral targeting. The Network Advertising Initiative said via written comments that it believes that privacy policies are "the most effective and scalable approach," and that a clear and conspicuous link to a privacy policy on a Web site's home page will meet the group's standards. [We know how well that works! Bob]


BlueKai raises $10.5M to help sell consumer data

Tuesday, December 16 2008 @ 06:25 AM EST Contributed by: PrivacyNews

BlueKai, which runs a marketplace where advertisers can buy data about online shoppers, has raised $10.5 million in a second round of funding.

The Bellevue, Wash. startup allows shopping sites that have collected data about your interests and activities to sell that information to advertisers.

Source - Venture Beat

Arguing the fine points...

Lori Drew Files New Bid for Dismissal on Grounds that MySpace Authorized Access

By Kim Zetter December 15, 2008 4:40:30 PM

Lori Drew, the woman convicted of three misdemeanors in the MySpace suicide case, can't be guilty of computer fraud, because gaining access to a computer under false pretenses is still "authorized access" as a matter of law, Drew's attorneys argued Monday in a new bid at clearing their client's name.

In a written motion, defense attorneys H. Dean Steward and Orin Kerr cite cases in which courts have concluded that if someone gains permission or access to something through trickery or misrepresentation, it is still considered authorization and does not constitute nonconsent. If, for example, someone tricks another party into willingly handing over the keys to a car, the trickster could not be considered guilty of stealing the car.

Is the certificate a good idea? Might be fun to see if they can be counterfeited...

AU: The Victorian Government wants public feedback on a proposed new law, designed to tackle identity theft.

Monday, December 15 2008 @ 03:59 PM EST Contributed by: PrivacyNews

The law would allow victims of identity theft to obtain a court-issued certificate declaring that crimes have been committed in their name.

The Attorney-General, Rob Hulls says this would allow victims of identity theft to rebuild their lives.

Source - ABC (AU)

[From the article:

He says the law would also make it an offence to prepare to steal somebody's identity.

"Dealing in and possessing identity information, as well as possessing equipment for making identity documents with the intent to commit an indictable offence will now be crimes, very serious crimes," he said.

Assuming another person's identity is currently only a crime if a further offence is then committed.

“Ve vas just following procedure!”

Web who's who botches secure sockets layer

Monday, December 15 2008 @ 03:53 PM EST Contributed by: PrivacyNews

New research has uncovered flaws in the encryption certificates used to protect the websites of hospitals, banks, and even top-secret government spy agencies, raising questions about whether they are complying with regulations requiring them to adequately safeguard their online visitors.

Rodney Thayer, a security researcher with Canola & Jones, spent a day and a half scoping out weak websites using nothing more than a handful of search queries typed into Google. What he found were 31 sites maintained by the US Central Intelligence Agency, NASA, the World Bank, and Fortune 500 companies that used flawed secure sockets layer certificates for authentication.

Among the scofflaws was a page for partner accounts offered by technology website CNET and this application page offered by Gartner, a company that dispenses advice on a host of security issues. Other organizations using defective certificates included the US Computer Emergency Readiness Team, Advanced Micro Devices, and Microsoft.

Source - The Register

[From the article:

SSL was developed in the mid 1990s as a measure to prevent websites that transact commerce or other sensitive business from being spoofed by attackers intent on defrauding visitors. It uses cryptographic certificates that mathematically validate that the site is operated by a particular company or organization. Few webmasters give proper time to implementing and maintaining SSL certificates, however, an oversight that reduces their effectiveness.

SSL "suffers from the fact that it's one of the exotic technologies that we all had to get working for the whole internet .com thing to happen," Thayer says. "Everybody basically for the last five years at least who's done this was just following a check list that got handed, so nobody's really been thinking of this as a security issue."

... The Federal Information Processing Standards (pdf), for example, require federal agencies to use valid SSL certificates for webpages that accept employee logins. The Health Insurance Portability and Accountability Act (pdf) and Payment Card Industry rules place similar requirements on health care providers and online merchants respectively.
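The Register piece does not spell out what made the 31 certificates defective; the maintenance failures webmasters most often let slide are an expired validity period, a name that no longer matches the host being served, and self-signed or commonName-only certificates. The following is an added example (mine, not the article's or Thayer's work) of the audit a site operator would run for exactly those conditions, written against constructed certificate records laid out the way Python's `ssl.SSLSocket.getpeercert()` returns them; the host names, issuer names and dates are all made up.

```python
import ssl
from typing import Dict, List, Tuple

# Fixed clock so the audit is deterministic (the week the article ran).
NOW = ssl.cert_time_to_seconds("Dec 16 00:00:00 2008 GMT")
EXPIRY_WARNING_DAYS = 30


def _cert(subject_cn: str, issuer_cn: str, sans: List[str],
          not_before: str, not_after: str) -> Dict:
    """Build a constructed record in getpeercert() layout (not a real certificate)."""
    return {
        "subject": ((("commonName", subject_cn),),),
        "issuer": ((("commonName", issuer_cn),),),
        "subjectAltName": tuple(("DNS", name) for name in sans),
        "notBefore": not_before,
        "notAfter": not_after,
    }


# Constructed sample certificates covering one clean case and the common defects.
SAMPLE_CERTS: Dict[str, Dict] = {
    "good": _cert("www.example.test", "Example Issuing CA",
                  ["www.example.test", "example.test"],
                  "Jan 10 00:00:00 2008 GMT", "Dec 31 23:59:59 2009 GMT"),
    "expired": _cert("www.example.test", "Example Issuing CA",
                     ["www.example.test"],
                     "Nov 01 00:00:00 2006 GMT", "Nov 30 23:59:59 2008 GMT"),
    "wrong_host": _cert("old-host.example.test", "Example Issuing CA",
                        ["old-host.example.test"],
                        "Jan 10 00:00:00 2008 GMT", "Dec 31 23:59:59 2009 GMT"),
    "self_signed": _cert("intranet.example.test", "intranet.example.test", [],
                         "Jan 10 00:00:00 2008 GMT", "Dec 31 23:59:59 2009 GMT"),
    "wildcard": _cert("*.example.test", "Example Issuing CA", ["*.example.test"],
                      "Jan 10 00:00:00 2008 GMT", "Dec 31 23:59:59 2009 GMT"),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match a DNS SAN entry; a leading '*.' covers exactly one label and never the bare domain."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".example.test"
        if not hostname.endswith(suffix):
            return False
        label = hostname[: -len(suffix)]           # what the '*' would stand for
        return bool(label) and "." not in label
    return pattern == hostname


def audit_certificate(cert: Dict, hostname: str, now: int = NOW) -> List[str]:
    """Return the list of defects found (empty list means the certificate passed)."""
    findings: List[str] = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append("not yet valid")
    if now > not_after:
        findings.append("expired")
    elif not_after - now < EXPIRY_WARNING_DAYS * 86400:
        findings.append("expires within %d days" % EXPIRY_WARNING_DAYS)

    # Browsers check the SAN extension; fall back to commonName only when it is absent.
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        findings.append("no subjectAltName (relying on commonName only)")
        names = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    if not any(_dns_name_matches(n, hostname) for n in names):
        findings.append("hostname mismatch")

    # Identical subject and issuer is the signature of a self-signed certificate.
    if cert["subject"] == cert["issuer"]:
        findings.append("self-signed (subject equals issuer)")
    return findings


def audit_site_list(sites: List[Tuple[str, Dict]]) -> Dict[str, List[str]]:
    """Audit (hostname, certificate) pairs and report only the hosts with defects."""
    return {host: f for host, cert in sites if (f := audit_certificate(cert, host))}


if __name__ == "__main__":
    inventory = [("www.example.test", SAMPLE_CERTS["good"]),
                 ("www.example.test", SAMPLE_CERTS["wrong_host"]),
                 ("intranet.example.test", SAMPLE_CERTS["self_signed"])]
    for host, findings in audit_site_list(inventory).items():
        print(host, "->", "; ".join(findings))
```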

All First Amendment?

Court Narrows National Security Secrecy, Limits Oversight

Monday, December 15 2008 @ 03:58 PM EST Contributed by: PrivacyNews

A unanimous federal appeals court on Monday narrowed the scope of when telecommunications companies must keep secret so-called self-issued search warrants requested of them by the Federal Bureau of Investigation.

But the court limited when it was necessary for judges to review a secrecy order.

Source - Threat Level

[From the article:

"The nondisclosure requirement," Judge Jon O. Newman wrote (.pdf) for the appeals court, "is not a typical prior restraint or a typical content-based restriction warranting the most rigorous First Amendment scrutiny."

... But on Monday, the New York-based appellate court agreed with the government that it should not be required to "initiate litigation" and/or to obtain judicial approval of every secrecy order (these number in the tens of thousands). Instead, the court noted that judges must review the validity of a secrecy order, in private if necessary, only when a telecommunications company challenges the gag order under what the court termed a "reciprocal notice procedure."

Yet the "reciprocal notice procedure" may have little value in the real world: Tens of thousands of customers may never know that personal information, including banking records, was disclosed to the FBI. As the appeals court noted, telecommunication companies have only challenged secrecy orders three times.

Why Computer Forensics is hot!

Kroll’s Report and Analysis of the Most Significant e-Discovery Cases in 2008

Kroll Ontrack has just released a report analyzing 138 judicial opinions pertaining to electronic discovery issued from Jan. 1, 2008 to Oct. 31, 2008. The title of the report pretty much says it all: Year In Review: Courts Unsympathetic to Electronic Discovery Ignorance or Misconduct.

Kroll’s Statistical Analysis of 138 Cases in 2008

Going back to Kroll’s report, it claims that over half of the e-discovery cases this year have addressed court-ordered sanctions, data production, preservation, and spoliation issues. That sounds about right to me. According to Kroll’s analysis, the major issues in these cases can be broken down as follows:

25% of cases addressed sanctions

20% of cases addressed various production considerations

13% of cases addressed preservation and spoliation issues

12% of cases addressed computer forensics protocols and experts

11% of cases addressed discoverability and admissibility issues

7% of cases addressed privilege considerations and waivers

7% of cases addressed various procedural issues

6% of cases addressed cost considerations

Related? Or is this just a case of lawyers being paid a percentage of money extorted?

RIAA May Be Violating a Court Order In California

Posted by kdawson on Monday December 15, @07:48PM from the play-nice-now dept. The Courts

NewYorkCountryLawyer writes

"In one of its 'ex parte' cases seeking the names and addresses of 'John Does,' this one targeting students at the University of Southern California, the RIAA obtained an order granting discovery — but with a wrinkle. The judge's order (PDF) specified that the information obtained could not be used for any purpose other than obtaining injunctions against the students. Apparently the RIAA lawyers have ignored, or failed to understand, that limitation, as an LA lawyer has reported that the RIAA is busy calling up the USC students and their families and demanding monetary settlements."

“Let's pat ourselves on the back for doing in 5 years what any business should be able to do in 2 months!” That truly is an accomplishment in such a bloated government bureaucracy.

December 15, 2008

DHS OIG: Major Management Challenges Facing the Department of Homeland Security

OIG-09-08 - Major Management Challenges Facing the Department of Homeland Security (PDF, 39 pages), November 2008

  • "After just 5 short years, we are beginning to witness the positive effects of the department’s efforts and initiatives: tighter security at the borders; increased immigration enforcement; greater cooperation with our international partners; expanded partnerships with the private sector; better and more efficient passenger screening at our airports; and regenerated disaster response and recovery management. Despite these considerable accomplishments, DHS still has much to do to establish a cohesive, efficient, and effective organization."