Saturday, January 03, 2009

At least proofread your notification letter!

Seibels Bruce Group hacked?

January 2nd, 2009 by admin From the your-guess-is-as-good-as-mine dept.

On December 22, Seibels Bruce Group notified the New Hampshire Attorney General of breach. I’m pretty sure they were describing a hack, but from their wording, I suppose it’s possible that someone wandered into their offices and just browsed through their file cabinets. See what you think when you read the description.

What’s really noteworthy is that within the space of a few paragraphs, they went from saying that individuals’ data may have been improperly accessed to saying that they had confirmed that the individuals’ data was accessed.

From the letter to those affected:

We are sending you this letter as a cautionary measure because we believe that certain information about you may have been improperly accessed.

What Happened:

The Seibels Bruce Group, Inc. and its subsidiaries (”Seibels Bruce”) provide various identity verification and related services to insurance companies who use our services during the process of granting and servicing insurance policies. In mid-December, we became aware that certain personal records that we use for these business purposes were accessed improperly by an unauthorized third party. We promptly detected the issue, and took a number of measures to secure our systems. We are sending you this letter because we confirmed that, during this brief period of time, your records (which may have contained your name, address, telephone number, Social Security number, and/or date of birth) were accessed by an unauthorized third party.

And that’s all they wrote by way of explanation. They did tell those affected that they could call them on a toll-free information helpline, and it was a nice touch to have the President of Seibels Bruce Group sign the letter, but if I was on the receiving end of this notification letter, I would not be happy with the contradictions in the notification. What do you think?

I wonder if anyone has actually thought through the contract requirements to secure data in third party hands?

Vonage customer data on Google Notebook

January 2nd, 2009 by admin

With all the advice we see these days about hardening security, this might be a good time to remember the importance of both having stringent security standards written into any contractor agreements and actually monitoring compliance with any contracts or policies. A recent breach reported by Vonage serves as a useful example.

On December 23, Vonage notified the New Hampshire Attorney General that it had recently discovered that an employee of an unnamed telesales contractor had violated Vonage’s policy of not recording sensitive customer data outside of its own computer system. The agent was recording contact data — including credit card number, CCV, or bank account number and routing information on Google Notebook. [Expect more of this as Cloud Computing grows Bob]

Vonage got the information removed from Google Notebook, but in response to the incident:

Vonage has required that all of its third party vendors that handle credit card data provide Vonage with a description of their methodology for detecting data leaks. In addition, Vonage has required that third party vendors, with sales or support agents serving Vonage, block access to a number of web sites including Google Notebook.

That’s a good start, and kudos to Vonage for catching the breach and trying to address it in a proactive way, but of course, that is just one piece of a more comprehensive security approach. Hopefully, more entities will take a closer look at what they are requiring from vendors in the way of security and what they are requiring of the vendors and themselves in terms of monitoring.

“all men are created equal” but sometimes that changes... Perhaps someone will invent a scoring system that measures privacy against 'the public's right to know' – perhaps.

IA: Panel proposes expanded privacy in public records

Saturday, January 03 2009 @ 05:58 AM EST Contributed by: PrivacyNews

Iowa governments would have greater authority to black out personal information from public records under proposals recommended by a legislative committee.

Advocates say the proposals would protect citizens from identity theft.

But opponents say the unintended results could be alarming, particularly if the public is unable to differentiate between, for example, a convicted sex offender and another citizen with the same name.

Source - Des Moines Register

Perhaps a bit too British?

India Sleepwalks Into a Surveillance Society

Posted by Soulskill on Saturday January 03, @02:11AM from the your-tech-support-calls-may-be-monitored dept. Privacy Government The Internet

An anonymous reader writes

"ZeroPaid has a fascinating roundup of news stories surrounding the latest surveillance laws passed in India, including a first-hand account of someone writing from inside India. The legislation in question is the Information Technology Act's amendment bill 2006, which was recently passed in the Indian parliament. Things you can't do with the new legislation include surfing for news in Bollywood and looking up porn on the internet. The legislation also allows all transmissions over the internet to be monitored for any form of lawbreaking and permits a sub-inspector to break into your house to make sure you aren't browsing porn on your computer."

If you make an exact copy of your data as it changes, you are protected when (not if) a hard drive fails – but you are not protected if you are writing corrupt data to the disk.

Why Mirroring Is Not a Backup Solution

Posted by kdawson on Friday January 02, @12:25PM from the pointed-lesson dept. Data Storage IT

Craig writes

" has fallen and can't get up. The post on their site describes how their entire database was overwritten through either some inconceivable OS or application bug, or more likely a malicious act. Regardless of how the data was lost, their undoing appears to have been that they treated drive mirroring as a backup and have now paid the ultimate price for not having point-in-time backups of the data that was their business."

The site had been in business since 2002 and had an Alexa page rank of 106,881. Quantcast said they had 14,000 monthly visitors recently. No word on how many thousands of bloggers' entire output has evaporated.

Whatever you do, don't tell the taxpayers! Download the spreadsheet and try to keep it up to date? Naaah, too depressing.

January 02, 2009

Calculating the Actual Cost of the Financial Bailout

Several sources are reporting the current price tag for the bailout of the financial system. According to the Washington Post's Binyamin Appelbaum, "...the Treasury Department has now spent or committed more money than Congress has allocated to its financial rescue program, effectively making more promises than it can afford to keep. The scorecard: Congress gave Treasury $350 billion; Treasury has allocated $354.4 billion." Another perspective, on total expenditures of $8.5 trillion, comes from Barry Ritholtz's blog posting, Calculating the Total Bailout Costs, inclusive of a handy spreadsheet.

Is Microsoft taking a page from the Free Software book? (While maintaining deniability?)

Windows 7 Leaked To Pirates By Microsoft?

Posted by ScuttleMonkey on Friday January 02, @03:55PM from the viral-marketing-usually-comes-back-to-bite-you dept. Microsoft Windows

nandemoari writes

"The beta version of Windows 7 has been widely distributed through torrents and other file sharing systems. But now some commentators claim Microsoft deliberately allowed the package to get into the hands of pirates. ' I'm not being critical here, as some Microsoft Watch commenters will surely claim. It's rather smart marketing. Microsoft fills a big news void with something bloggers and journalists will write about. The suspense of stealth downloads from torrents and races to post the best screenshots first make the Windows 7 leak buzz all the more exciting. For other people, there is delight in seeing Microsoft squirm because Seven leaked early. Not that I see much squirming going on.'"

Something for your Swiss Army Folder? – IM To SMS And Back

The gap between the internet and mobile phones is growing ever smaller. Since the iPhone and other smart phones became mainstream, there’s little difference between an IM message and an SMS text message. is here to make that gap even smaller. Through the site, you’ll be able to send SMS text messages to any phone in the US, and get an answer, all in IM format. Why should you care? Well, it makes getting in touch with anyone with a US cell phone instant, without having to waste money sending a text message from your phone. Standard text message charge rates apply to the user on the cell phone end, but the online user doesn’t have to worry about it. [Know anyone who deserves the entire Library of Congress at 20 Cents a message? Bob]

It could get you out of a jam, say you lost your cell phone and you need to get in touch with someone quickly. It might sound like a novelty now, but it could grow into something truly interesting. Look for a desktop version coming soon, and might we suggest a mobile app?

Who says the FBI doesn't understand technology? Look at this exotic tool for tracking your Internet surfing!

Friday, January 02, 2009

Important for those of us who follow breaches.

ANNOUNCE: Breach news moving to

Thursday, January 01 2009 @ 07:41 AM EST Contributed by: PrivacyNews

Effective today, reports and news stories on specific breach incidents will no longer be posted to , but will have their own web site at, the Office of Inadequate Security. The OIS news feed will now appear on's homepage for those who prefer to continue visiting this site while finding out the latest headlines from OIS and

The change will enable site visitors to comment on breaches and to help researchers more quickly locate specific types of breaches.

Some breach-related news will continue to be posted to, but the bulk of breach news will be on the new site. The change also enables to continue to provide global coverage of privacy issues without important news stories being lost amid the increasing number of breach stories. will continue to cover healthcare-related privacy issues, but healthcare-related breaches are also moving to

Hope to see you over there, and Happy New Year!


Happy New Year and Welcome!

January 1st, 2009 by admin

Whether you’ve migrated over from,, or just stumbled across this site, welcome and Happy New Year!

This site is devoted to reported breaches involving PII or PHI. and will continue to cover discussions of privacy breaches as well as other aspects of privacy news, but if you are looking for reports on breach incidents, you will now find them on this site.

In addition to news coverage, you will also find information on legislation related to breaches as it is proposed in the 111th Congress.

This site permits comments on news stories and items. Simply register and login to post your comments. No longer do you need to just mutter to yourself as you read a news story — now you can mutter out loud. [So that's what I've been doing! Bob]

Individuals are not the only potential targets in a BIG data breach.

Express Scripts extortionist sends Toyota data on 188 employees

January 1st, 2009 by admin

On November 11, Express Scripts announced that some of its clients had received extortion attempts, presumably from the same person or persons who had contacted them with the threat to expose personal information if Express Scripts did not meet their demands.

On November 21, Toyota Motor Sales notified the New Hampshire Attorney General that:


Early the following week, Toyota received a similar threat directly, apparently from the same extortionist. The extortionists identified 188 current and former Toyota associates’ name, social security number and date of birth held by Express Scripts. Additionally, they suggested that they possessed similar information for “most” other current and former Toyota associates and their covered dependents. The FBI is investigating the incident.

In its letter to affected associates and their dependents, Toyota described the communication they received, and added (boldface in original):


We believe that there is some risk, based on the threat contained in extortionists’ letter, that you or your dependents’ personal information could be misused. Therefore, we believe you should consider taking action to protect your identity even though, at this time, we have received no evidence that there has been any attempt to misuse your personal information or that of your covered dependents.

Express Scripts, through its vendor Kroll, Inc. is offering fraud prevention assistance in connection with this incident (please see enclosed information). The Fraud Prevention Steps You Can Take enclosed with this letter will also be available on ToyotaVision at http://tv/toyotavision/. You may also obtain information through the Express Scripts website at We recommend that you take action promptly.

Related Everyone is impacted by Identity Theft. Expect this to devolve to any “unusual” charge.

UK: Tell us your holiday plans, banks insist

Friday, January 02 2009 @ 06:55 AM EST Contributed by: PrivacyNews

Credit and debit cardholders are being told by banks to notify them of their holiday destinations and foreign travel plans or face having their accounts frozen in moves to combat fraud.

Customers increasingly find that trying to make a transaction abroad triggers a shutdown of their account as card companies seek to curb the use of information stolen from British cards.

Source - Times Online

How to abuse your customers...

Twply takes a spam-and-grab approach to violating your privacy

Friday, January 02 2009 @ 06:02 AM EST Contributed by: PrivacyNews

When's the last time you gave out your username and password for something crucial to a random web service? That's what a lot of people have been doing with The site asks you for your username and password, and then promises to send any @replies that you get on Twitter to your email account.

However, it'll also spam its own URL across your Twitter account - "Just started using to get my @replies via email. Neat stuff!". That means they've got a big database of Twitter usernames and passwords, ripe for spamming. I wonder what could happen if they got bought by someone without a conscience... Oh, wait.

Source - TechDigest

They win contracts based on their expertise?

Malware blamed in latest SAIC breach

January 1st, 2009 by admin

Science Applications International Corporation (”SAIC”), recipient of a number of large government contracts, notified the New Hampshire Attorney General on December 9th of a security breach involving malware. The specific malware was not named, but was described as “designed to provide backdoor access.”

The breach was detected on October 28th. In its letter to an unspecified number of affected individuals, SAIC wrote:

This letter is to notify you of a potential compromise of your personal information, including your name and social security number, date of birth, home address, home phone number and clearance level and possibly other personal information necessary to complete government security clearance questionnaires (e.g., SF-8SP or SF-86). We collected this information from you to provide it to the U.S. Government either to enable you to visit a government facility or to assist you in obtaining or updating your government clearance.

Our Security personnel routinely receive information regarding malicious software from industry partners. This process led to the recent discovery on October 28, 2008 of malicious software designed to provide backdoor access on a computer used to process your security clearance or visit request. [Why is anything online beyond a unique identifier and an approved or denied flag? Bob] Unfortunately, due to the nature of this malicious software, it avoided our standard cyber security precautions which include using industry-leading software for virus and spyware detection, intrusion detection systems, and firewalls. To help detect and prevent similar attacks, we keep pace with industry best practices and software, we continue to work with our industry partners and we are implementing Trusted Desktop, which removes elevated privileges from users. [Let's hope they don't mean this version of Trusted Desktop: Bob]

We have communicated with Defense Security Information Exchange and the Federal Bureau of Investigation regarding this malicious software, and we have sought evidence regarding whether the malicious software was used to access your personal information. To date there is no indication that any of your personal data was accessed. As there is a potential that it could have been accessed, we recommend that you take precautionary measures, including the actions further detailed in Exhibit A attached to this letter,

If their description and explanation sounds familiar, it may be because SAIC had another breach almost a year ago where malware (a keylogger) also evaded their detection system. In that breach, it was mostly corporate account data at risk. The nature of the data in this most recent incident is of more concern due to its security implications.

As in the previous incident, SAIC did not offer those affected by the recent breach any free services for credit monitoring or repair.

Related In case you thought I was kidding about the contracts...

Defense contractors eye cybersecurity bonanza

Posted by Jonathan Skillings January 1, 2009 6:46 PM PST

... Bloomberg has a year-end rundown on the efforts of the big defense contractors to tap into a market that could swell to $11 billion by 2013.


UK Government To Outsource Data Snooping and Storage

Posted by timothy on Friday January 02, @06:40AM from the avoid-conflict-of-interest dept. Privacy

bone_idol writes

"The Guardian is reporting that the private sector will be asked to manage and run a communications database that will keep track of everyone's calls, emails, texts and internet use under a key option contained in a consultation paper to be published next month by Jacqui Smith, the home secretary. Also covered on the BBC."

Oh gloom and doom!

Data losses set to soar, predicts KPMG

Friday, January 02 2009 @ 06:25 AM EST Contributed by: PrivacyNews

KPMG’s Data Loss Barometer predicts that the number of people affected by data loss around the world could soar to 190 million in 2009, compared to 92 million in the previous year, as the credit crunch deepens.

In the three months to November 2008 the number of people affected by data loss incidents (47.8 million) was more than for the first eight months of the year combined – and 38 per cent higher than the same period in 2007 (34.5 million).

The Data Loss Barometer research concludes that the total number of reported incidents for 2008 will be 427, compared to 2007 (412) – the highest annual figure recorded by KPMG since the firm began collecting the data in 2005.

Source - SC Magazine

[From the article:

A few simple questions such as ‘Do you know where your data comes from?’, ‘Where it is stored and how it is used?’ and ‘Do you have a clear plan of what to do should you lose your data?’ are good starting points for all businesses – large and small.”

Attention Homeland Security! Isn't this the system you want to install?

S. Korean woman 'tricked' airport fingerprint scan

Thursday, January 01 2009 @ 01:15 PM EST Contributed by: PrivacyNews

A South Korean woman entered Japan on a fake passport in April 2008 by slipping through a state-of-the-art biometric immigration control system using special tape on her fingers to alter her fingerprints, it was learned Wednesday.

Source - Daily Yomiuri

[From the article:

The sources said the fact that the woman was so easily able to beat the sophisticated computer system will force the government into a drastic review of its counterterrorist measures and the current screening immigration system.

The immigration bureau reported to the Justice Ministry that a considerable number of South Koreans might have entered Japan illegally using the same technique, as a South Korean broker is believed to have helped the woman enter Japan.

Wouldn't it be nice to connect a number of people, each interested in a narrow area of law, and produce high-level overviews like this one every week?

Log retention initiatives

Friday, January 02 2009 @ 06:21 AM EST Contributed by: PrivacyNews

David Fraser of Canadian Privacy Law Blog presents a brief snapshot of some legal initiatives that affect internet log retention in a selection of countries.

Source - Slaw

Illustrating once again that there are many ways to skin a cat. But, is the DA just creating a larger petard?

ID cases may go to grand jury

Thursday, January 01 2009 @ 07:20 AM EST Contributed by: PrivacyNews

Weld District Attorney Ken Buck has requested a grand jury be assembled to decide whether there’s enough evidence to arrest more than 1,000 people suspected of identity theft.

Buck asked for the jury Tuesday after he and Weld District Court Judge James Hartmann continued to disagree on whether the tax records of defendants in the identity theft sting Operation Number Games were confidential.

Source - Greeley Tribune

[From the article:

The Weld County Sheriff’s and District Attorney’s offices began the effort in November to apprehend 1,300 people suspected of identity theft or criminal impersonation in northern Colorado by seizing their federal income tax records from Amalia’s Tax Service in Greeley. The tax records were used as evidence of them using false or stolen Social Security numbers. [So you can see why he doesn't want them tossed out. Bob]

... Buck has said he consulted with the Internal Revenue Service before filing the cases and firmly believes the information is not considered confidential. [Amplify! Are my records confidential? If not, why not? Bob]

... Convening a grand jury also would eliminate the need for preliminary hearings, which are held to determine if there’s enough evidence to take the matters to trial.

In a preliminary hearing Monday, Hartmann dismissed two criminal impersonation cases against one defendant involved in Operation Number Games because of a lack of evidence.

For my security classes and your security manager

January 01, 2009

Google Releases Browser Security Handbook

SecurityFocus: "Google posted...a handbook for Web developers that highlights the key security features and quirks of major Web browsers. The document, dubbed the Browser Security Handbook, has three parts that tackle the security features in browsers and browser-specific issues that could lead to security weaknesses."

Documenting the decline and fall of the Microsoft Empire

IE Market Share Drops Below 70%

Posted by timothy on Thursday January 01, @07:06PM from the probably-too-late-to-open-source-ie dept. Internet Explorer Microsoft Software

Mike writes

"Microsoft's market share in the browser dropped below 70% for the first time in eight years, while Mozilla broke the 20% barrier for the first time in its history. It's too early to tell for sure, but if Net Applications' numbers are correct, then Microsoft's Internet Explorer will end 2008 with a historic market share loss in a software segment Microsoft believes is key to its business."

In contrast to the Microsoft article above... (Is this so different from a “feature want list?”)

Google Wants You To Be Its Unpaid Muse

Posted by timothy on Friday January 02, @08:10AM from the voluntary-grindstone-for-nose-skinning dept. Google Businesses

theodp writes

"So where do you turn to for great ideas when tough times force you to abort your engineers' brainchildren? If you're Google, reports Nicholas Carlson, you simply outsource brainstorming to your users. Google's launched a new Google Product Ideas blog as well as a Product Ideas for Google Mobile site where users can submit feature and product ideas and vote on others. So what's in it for you if you come up with Google's next billion-dollar-idea? 'If you post an idea or suggestion and we put it into action, we may give you a shout out on our Product Ideas blog,' explains Google, 'but we won't be compensating users for their ideas.' Lucky thing don't-be-evil Googlers don't have to live up to the IEEE Code of Ethics, or they might have to credit properly the contributions of others."

So what's wrong with a shout out among consenting adults?

Thursday, January 01, 2009

More, shall we say “inventive” language in the press release. (and another suggestion for contracts with third parties: Delete the data when your task is done!)

OH: OSU students told that private information was on Internet

Wednesday, December 31 2008 @ 09:46 AM EST Contributed by: PrivacyNews

Ohio State University has notified 18,000 current and former students that their names and Social Security numbers were mistakenly stored on a computer server exposed to the Internet.

A vendor doing work for Ohio State's student health insurance plan made the mistake. Only students enrolled in the school's insurance program from fall 2005 to summer 2006 are affected.

... The data included student names, Social Security numbers, addresses and coverage dates for those enrolled in the health insurance plan for three quarters in 2005-06.

Source - Columbus Dispatch - OSU web site on breach

[From the article:

Ohio State officials said the students' personal information has been deleted from Internet search engines [I doubt they know of half the search engines out there. What they actually mean is the archives some SEs make. Bob] and they haven't heard of any cases of identity theft related to the incident.

... OSU officials became concerned when a small number of students said they had found their personal data on the Internet in September.

Tip to crooks: Pick your targets carefully!

IL: 8 arrested in ring targeting police credit unions

Wednesday, December 31 2008 @ 10:41 AM EST Contributed by: PrivacyNews

Police have arrested eight people in a two-month-long investigation of at least $150,000 in credit card fraud against members of two police credit unions, officials announced late Tuesday.

The fraud ring, which involved seven employees of Chicago-area retail stores, hit 140 accounts at Illinois State Police Credit Union and the Chicago Patrolmen's Credit Union, according to Illinois State Police.

... The ring involved seven employees of retail stores who either bought merchandise fraudulently or helped other people buy goods fraudulently. Investigators began their probe after people with accounts at the two credit unions found out someone was making fraudulent purchases on their cards, according to police.

Source - Chicago Breaking News

Related - Press Release from Illinois Attorney General, sent by Rob Douglas.

Every new technology (toy) needs software written from scratch. How else can we re-invent all the classic glitches of a bygone era?

Microsoft Zunes Committing Mass Suicide

Posted by CmdrTaco on Wednesday December 31, @10:04AM from the i-bet-a-bricked-zune-is-still-warm dept. Bug Media Microsoft Hardware

jddeluxe writes

"There are multiple reports springing up all over the internet of a mass suicide of Microsoft 30GB Zune players globally. Check Zune forums, Gizmodo, or other such sites; the reports are spreading rapidly, except apparently to the Microsoft official Zune site."

Related Fix or wishful thinking?

Official Fix for the Zune 30 Fail

By Brian Lam, 5:29 PM on Wed Dec 31 2008

Microsoft's responded to the Zune 30GB failure, blaming a leap-year handling bug. And they've provided a fix. Which is to wait til New Years, when the bug will go away by itself. Huh.

Sour Grapes, corporate style. If you send customers to the Internet, will they ever return? (And if you thought that customers would meekly accept this, read the comments!)

Time Warner Recommends Internet For Some Shows

Posted by timothy on Wednesday December 31, @02:09PM from the how-to-keep-hulu-in-page-views dept. The Media Businesses Television

EdIII writes

"The dispute between Time Warner and Viacom over fees seems to be without any resolution this year. Time Warner faces the possibility of being without content for almost 20 channels. Alexander Dudley, a spokesperson for Time Warner, is fighting back: 'We will be telling our customers exactly where they can go to see these programs online,' Mr. Dudley said. 'We'll also be telling them how they can hook up their PCs to a television set.' Why pay for digital cable when many content providers are now providing it on demand via the Internet? Not to mention the widespread availability of TV shows in both standard and high definition on public and private torrent tracker sites. It is entirely possible to watch television with no commercials or advertising with only an Internet connection. So getting your content via the Internet is not exactly free, but it certainly isn't contributing to Time Warner or any other cable providers' revenue stream. The real question is why Time Warner would fight back by so clearly showing how increasingly obsolete they are becoming and that cable providers are losing their monopolistic grip on media delivery."

If no agreement is reached, those channels are supposed to be dropped just after midnight tonight.

[One interesting comment:

If you go to or (or any other Viacom property) and you're coming from a Time Warner-served IP, you'll get a nice pop up message that indicates your channels will be dropped on your (assumed) cable service.

It is also my understanding that after new years, should there be no deal, that Viacom will be pulling video access for a variety of their sites, if you're coming from the aforementioned ISP. Obviously it's not that hard to do, if they already have that pop up working.

Related Did Viacom chicken out?

Viacom and Time Warner reach deal to avoid blackout

Reuters Thursday, January 1, 2009; 7:38 AM

Related but opposite? Turmoil in the music space? Still searching for a business model!

Capitol Records Flooded Internet With MP3s, Says MP3Tunes CEO

Posted by timothy on Wednesday December 31, @05:29PM from the how-much-carrot-how-much-stick dept. The Courts

NewYorkCountryLawyer writes

"In court papers filed in New York in Capitol Records v. MP3Tunes, the CEO of MP3Tunes, Michael Robertson, has accused the plaintiffs EMI, Capitol Records, and other EMI record labels of flooding the internet with free MP3s of their songs for promotional purposes, 'free to everyone (except, apparently, MP3tunes).' His 10-page declaration (PDF) provides exact details of specific song files, including the URLs from which they are being distributed free of charge, both by paid content distributors, and by EMI itself from its own web sites."

FEMA: A whole 'nother country? Is it me, or are they speaking gibberish?

December 31, 2008

FEMA Launches

" is an easy to use website that consolidates disaster information in one place. Currently, 17 U.S. Government agencies, which sponsor more than 40 forms of disaster assistance, contribute to the website. You can apply for many forms of assistance with a single, online application. Your application information is shared only with those agencies that you identify and is protected by the highest levels of security. Ultimately, will speed the application process and allow you to check the progress of your application online."

[Gibberish from the website:

Take Full Pre-Screening Questionnaire

Take an anonymous questionnaire to obtain and apply for the most accurate list of disaster forms of assistance for which you may be eligible.

[I clicked on the link but didn't answer ANY of the questions... Seems I'm still eligible for three forms of assistance! Bob]

Wednesday, December 31, 2008

Keeping your story straight? Blogger/reporters could sit in the court for a while then step out to blog – how much is too much?

DA, defense want to prevent blogging at trial

The Associated Press Posted: 12/30/2008 03:17:11 PM MST Updated: 12/30/2008 04:05:29 PM MST

DENVER—Prosecutors and defense attorneys want to prevent blogging out of fear witnesses could learn what's happening inside the courtroom before they testify in the Jan. 12 trial of a man accused of causing the death of his 11-week-old son.

... The joint motion filed Monday seeks to ban cell phones and computers.

A common argument and cogent rebuttal...

Are state and federal breach notification mandates unreasonable?

Wednesday, December 31 2008 @ 05:59 AM EST Contributed by: PrivacyNews

Chris Wolf, an attorney and head of the Proskauer Rose (Washington, D.C.) law firm’s privacy and security group, stated in a recent interview that breach notifications should be delayed until all the facts are in about what was lost and who was affected. While this might be a good legal position, I’m not sure this view is shared by victims of a breach, privacy advocates, or me if the delay reaches across weeks or months.


Organizations unable or unwilling to provide the controls necessary to react immediately to protect customer, employee, or patient information should reconsider keeping it in the first place.

Source - Tech Republic

[From the article:

Wolf also asserts that organizations need time to understand the breach–who was affected and what was taken–before they release a notification. I don’t disagree with this. However, making these decisions quickly, within regulatory constraints focused on risk mitigation, is the role of a well-designed and practiced incident response process.

... Each organization must know where PII and ePHI is stored, use reasonable and appropriate controls to prevent unauthorized access, use intrusion or extrusion monitoring to detect a breach, and document a quick breach response. I define “quick” as hours, not weeks or months.

George Orwell was an optimist.

UK's database plan condemned by Europe

Tuesday, December 30 2008 @ 06:14 PM EST Contributed by: PrivacyNews

Britain must rethink plans for a database holding details of every email, mobile phone and internet visit, Europe's human rights commissioner has said in an outspoken attack on the growth of surveillance societies. Thomas Hammarberg said that UK proposals for sweeping powers to collect and store data will increase the risk of the "violation of an individual's privacy".

Source - The Independent

[From the article:

These proposals have already been described by the Government's own terrorism-law watchdog as "awful" and attacked by civil liberty groups for laying the basis of a Big Brother state.

Related. The US is moving toward the UK's position, but not in one swell foop.

Ga. sex offenders must hand over online passwords

Wednesday, December 31 2008 @ 05:17 AM EST Contributed by: PrivacyNews

Privacy advocates are questioning an aggressive Georgia law set to take effect Thursday that would require sex offenders to hand over Internet passwords, screen names and e-mail addresses.

Georgia joins a small band of states complying with guidelines in a 2006 federal law requiring authorities to track Internet addresses of sex offenders, but it is among the first to take the extra step of forcing its 16,000 offenders to turn in their passwords as well.

Source -

Better is still a long way from adequate.

Adobe’s Flash and Apple’s Safari Fail a Privacy Test

Wednesday, December 31 2008 @ 05:19 AM EST Contributed by: PrivacyNews

In the new browser war, privacy is a crucial battleground.

Mozilla’s Firefox, Google’s Chrome, Microsoft’s Internet Explorer and Apple’s Safari all compete to give users the most control over their online identities and the best protection from Web sites that use “cookies,” those unique identifiers that can track users online.

So how effective are the newest batch of browser privacy tools? Kate McKinley, a researcher at iSec Partners, a San Francisco security firm, sought to find out.

Source - New York Times

[From the article:

In a paper published Tuesday, Ms. McKinley found particular problems with Safari and concluded that none of the four major browsers extends its privacy protections to Adobe’s immensely popular Flash plug-in, which is used to display Web animations and video.

When the government starts being rational, it probably means they will cancel the whole plan.

FCC chairman revises wireless broadband plan

Posted by Marguerite Reardon December 30, 2008 10:23 AM PST

Federal Communications Commission Chairman Kevin Martin has backed off his plan that would require free wireless broadband license holders to filter for smut.

“All that is not mandatory is forbidden, all that is not forbidden is mandatory.” E. B. White

Business groups sue over Homeland Security E-Verify program

Posted by Stephanie Condon December 30, 2008 12:11 PM PST

The U.S. Chamber of Commerce and other business organizations filed suit against U.S. Homeland Security Secretary Michael Chertoff last week, complaining that the Homeland Security Department cannot legally require federal contractors to use its online worker verification database.

... Use of the system is voluntary, but President George Bush signed an executive order earlier this year requiring federal contractors to electronically verify their workers' employment eligibility.

The lawsuit, filed on December 23 in the U.S. District Court for Maryland's southern division, asks the court to declare the executive order and subsequent rule changes to be illegal and void, since the president's order is in direct contradiction to the law, which says that no person or entity shall be compelled to participate in the E-Verify program. The only exemptions are federal agencies, the legislative branch, and certain immigration law violators.

Cyber war: The electronic equivalent of a Fireside Chat?

YouTube, Twitter: Weapons in Israel's Info War

By Nathan Hodge December 30, 2008 1:47:01 PM

Days after sending aircraft to strike Hamas militants in Gaza, the Israeli government is launching a campaign to dominate the blogosphere.

Among other things, the Israeli military has started its own YouTube channel to distribute footage of precision airstrikes. And as I type, the Israeli consulate in New York is hosting a press conference on microblogging site Twitter.

Tuesday, December 30, 2008

A little social engineering goes a long way...

NY: Security Breach Found In Child Abuse Records

Monday, December 29 2008 @ 06:57 PM EST Contributed by: PrivacyNews

New York State Inspector General Joseph Fisch says he’s uncovered serious deficiencies at the Statewide Central Register of Child Abuse and Maltreatment (Register) and is recommending legislative and departmental changes to improve confidentiality.

The Register is overseen by the New York State Office of Children and Family Services (OCFS).

In a 33-page report issued Monday, Fisch revealed several findings related to a breach of the Register’s confidentiality. Also known as the “Hotline,” the Register receives calls reporting alleged child abuse. Such reports are confidential under state law.

The Inspector General’s investigation revolves around a Suffolk County father whose underage daughter was wrongly listed on the Register as allegedly involved in child abuse. When the father attempted to clear his daughter’s name, he encountered bureaucratic hurdles and unexplained delays. The father’s name was withheld from the Inspector General’s report to protect his confidentiality.

The Inspector General found that the father likely violated state law by improperly obtaining a confidential list of Hotline callers directly from Verizon by claiming to be a state employee. He then threatened to release the confidential records and demanded cash payment in exchange for the return of the records from OCFS and the Governor’s Office, possibly violating additional state laws against coercion or larceny.

Source - North Country Gazette

If we are able to reduce the gas we use, tax revenues would drop. Can't have that, so we need a new way to tax (and if it lets us track our second-class citizens, so much the better.)

OR: Kulongoski to pursue mileage tax

Monday, December 29 2008 @ 09:13 AM EST Contributed by: PrivacyNews

A year ago, the Oregon Department of Transportation announced it had demonstrated that a new way to pay for roads — via a mileage tax and satellite technology — could work.

Now Gov. Ted Kulongoski says he’d like the legislature to take the next step.

Source - Democrat Herald

“Your security isn't as good as you think it is.”

CCC Hackers Break DECT Telephones' Security

Posted by timothy on Tuesday December 30, @08:13AM from the distributing-dialtone dept. Security Communications Hardware Hacking

Sub Zero 992 writes

"Heise Security (article in German) is reporting that at this year's Chaos Communications Congress (25C3) researchers in Europe's group have published an article (pdf) showing, using a PC-Card costing only EUR 23, how to eavesdrop on DECT transmissions. There are hundreds of millions of terminals, ranging from telephones, to electronic payment terminals, to door openers, using the DECT standard."

So far, the Heise article is German only, but I suspect it will show up soon in English translation.

[Need a translation? Try Bob]

Speaking of code breaking... Getting ready for that first encrypted wiretap?

FBI Issues Code Cracking Challenge

Posted by ScuttleMonkey on Monday December 29, @06:23PM from the test-your-skillz dept.

coondoggie writes to tell us that the FBI has issued another cracking challenge for a new cipher on their site. Tens of thousands responded to a similar challenge last year. In addition to the challenge, the FBI is also offering a few primers on the subject. There are a number of sites offering cipher challenges, but it's funny to see the FBI encouraging such behavior.

[The code is on the FBI home page (no direct link). If you need a tool, try this one: Bob]

Are cellphone systems an “easy target?” What providers stayed up?

Storm Causes AT&T Outage Across Midwest

Posted by CmdrTaco on Monday December 29, @09:55AM from the guess-who-this-includes dept. Networking

dstates writes

"AT&T left users across several Midwestern states without cellular phone service yesterday. The outage apparently resulted from a power failure at a Michigan switching center and spread to affect level3 Internet communications. The powerful windstorm also left 400,000 users without electricity. Interestingly, except for a few reports in Chicago and Indianapolis papers, AT&T has managed to keep this out of the mainstream media. Widespread communication failures also followed Hurricane Ike in Texas earlier this year. With the increasing trend for users to drop landlines and rely only on cell phones, this is becoming an emergency preparedness issue."

Yes this included me. Still does. At least my office still has power — maybe we'll just camp here tonight. :)

Monday, December 29, 2008

It's not “if” it's “when”

UK: Government departments losing a computer every day

Monday, December 29 2008 @ 06:09 AM EST Contributed by: PrivacyNews

More than 2,800 computers belonging to Whitehall departments have been mislaid or stolen since 2002, the equivalent of more than seven per week, new figures disclosed. The total included 1,774 laptops and 1,035 desktop systems.

The figures also showed that 676 mobile phones have been lost or stolen over the past seven years. Meanwhile, 202 hard drives and 195 memory sticks also went missing.

Source - The Telegraph


Data "Dysprotection:" breaches reported last week

Monday, December 29 2008 @ 06:03 AM EST Contributed by: PrivacyNews

A recap of incidents or privacy breaches reported last week for those who enjoy shaking their head and muttering to themselves with their morning coffee.

Source - Chronicles of Dissent

It's easy to justify policy because “everyone else is doing it.” It's harder to find a logical reason.

Wash. legislator to introduce DNA testing bill

THE ASSOCIATED PRESS Last updated December 28, 2008 11:49 a.m. PT

TACOMA, Wash. -- Rep. Mark Miloscia, D-Federal Way, says he plans to introduce a bill in the 2009 Legislature that will put the state on the same page [By that logic, we could be on the same page as the Chinese, or George Orwell, or Attila the Hun. Bob] with the federal government on the subject of DNA testing.

... "We take their fingerprints, their pictures and their address when they are arrested," Miloscia said. "What's wrong with taking their DNA? We would throw their DNA away if they aren't convicted. It's not something you can abuse in any way." [So much illogic in such a short space. Bob]

Related? (We could take a page from India's book!) What will the subpoena look like? Technology will lead us to the Utopian state of “We don't need no lawyers”

December 28, 2008

New on Neurolaw and Criminal Justice

Neurolaw and Criminal Justice: Ken Strutin's article highlights selected recent publications, news sources and other online materials concerning the applications of cognitive research to criminal law as well as basic information on the science and technology involved.

Speaking of logic... (The comments point out some of the illogic...)

The Slippery Legal Slope of Cartoon Porn

Posted by timothy on Monday December 29, @07:55AM from the in-a-perfect-world-the-topic-would-not-arise dept. Censorship The Courts News

BenFenner writes

"Two out of the three Virginia judges involved with Dwight Whorley's case say cartoon images depicting sex acts with children are considered child pornography in the United States. Judge Paul V. Niemeyer noted the PROTECT Act of 2003, clearly states that 'it is not a required element of any offense under this section that the minor depicted actually exists.'"

Heaven forbid I would suggest that this is the tip of an electronic invasion...

Walmart Photo Keychain Comes Preloaded With Malware

Posted by timothy on Sunday December 28, @11:46PM from the caveat-maxima-emptor dept. Security Bug Toys Worms

Blowit writes

"With the Christmas holidays just past, opening up your electronic presents may get you all excited, but not for a select lot of people who got the Mercury 1.5" Digital Photo Frame from Walmart (or other stores). My father-in-law attached the device to his computer and his Trend Micro Anti-virus screamed that a virus was on the device. I scanned the one I have and AVAST did not find any virus ... So I went to to see which vendors found what, and the results are here and here."

Update: 12/29 05:44 GMT by T : The joy is even more widespread; MojoKid points out that some larger digital photo frames have been delivered similarly infected this year, specifically Samsung's SPF-85H 8-inch digital photo frame, sold through Amazon among other vendors, which arrived with "W32.Sality.AE worm on the installation disc for Samsung Frame Manager XP Version 1.08, which is needed for using the SPF-85H as a USB monitor." Though Amazon was honest enough to issue an alert, that alert offers no reason to think that only Amazon's stock was affected.

A very risky trial. What if he proves what he says?

S.F. computer engineer to stand trial

Sunday, December 28 2008 @ 05:11 PM EST Contributed by: PrivacyNews

A judge has ordered a computer engineer to stand trial on tampering charges for allegedly taking over the cyberspace network he designed for the city of San Francisco and refusing to reveal the passwords to access the system.

After an eight-day preliminary hearing, Superior Court Judge Paul Alvarado ruled Wednesday that prosecutors had produced enough evidence of Terry Childs' probable guilt to hold him for trial on four felony charges of tampering with a computer network, denying other authorized users access to the network and causing more than $200,000 in losses.

Source - San Francisco Chronicle

[From the article:

Prosecutors said city officials have estimated that San Francisco spent at least $1.45 million in attempts to regain control of the network and assess its vulnerability to intrusions.

Childs' lawyers have denied any destructive intent and said he was trying to protect the network from incompetent officials whose meddling endangered the system he had built.

For my Computer Forensics class (and for the humor)

Entire Transcript of RIAA's Only Trial Now Online

Posted by timothy on Sunday December 28, @06:12PM from the give-us-this-day-our-daily-fix dept. The Courts

NewYorkCountryLawyer writes

"The entire transcript of the RIAA's 'perfect storm', its first and only trial, which resulted in a $222,000 verdict in a case involving 24 MP3's having a retail value of $23.76, is now available online. After over a year of trying, we have finally obtained the transcript of the Duluth, Minnesota, jury trial which took place October 2, 2007, to October 4, 2007, in Capitol Records v. Thomas. Its 643 pages represent a treasure trove for (a) lawyers representing defendants in other RIAA cases, (b) technologists anxious to see how a MediaSentry investigator and the RIAA's expert witness combined to convince the jurors that the RIAA had proved its case, and (c) anybody interested in finding out about such things as the early-morning October 4th argument in which the RIAA lawyer convinced the judge to make the mistake which forced him to eventually vacate the jury's verdict, and the testimony of SONY BMG's Jennifer Pariser in which she 'misspoke' according to the RIAA's Cary Sherman when she testified under oath that making a copy from one's CD to one's computer is 'stealing'. The transcript was a gift from the 'Joel Fights Back Against RIAA' team defending SONY BMG Music Entertainment v. Tenenbaum, in Boston, Massachusetts. I have the transcript in 3 segments: October 2nd (278 pages)(PDF), October 3rd (263 pages)(PDF), and October 4th (100 pages)(PDF)."

It sure looks like they (the Democrats) will be throwing money around. Can we find a token Democrat and come up with a not-entirely-silly proposal to attract a few million?

How Can the Stimulus Plan Help the Internet?

Posted by Soulskill on Sunday December 28, @12:35PM from the daddy-needs-a-new-pair-of-e-shoes dept.

Wired is running an article raising the question of how a US economic stimulus plan could best help broadband adoption and the internet in general. We discussed President-elect Obama's statements about his plan, which would include investments in such areas, but Wired asks how we can avoid the equivalent of the New Deal's "ditches to nowhere" without more data about where the money would actually make a difference. Quoting:

"... the problem is that no one knows the best way to make the internet more resilient, accessible and secure, since there's no just no public data. The ISP and backbone internet providers don't tell anyone anything. For instance, the government doesn't know how many people actually have broadband or what they pay for it. ... In September, the FCC found that its data collection on internet broadband was incomplete and thus ruled that AT&T, Qwest and Verizon could stop filing some reports — because the requirements did not extend to cable companies, too."

Provides a lot of background if you read carefully (and include the comments)

Matt Blaze Examines Communications Privacy

Posted by Soulskill on Sunday December 28, @09:48AM from the still-a-lot-left-to-lose dept. Privacy Communications Government United States

altjira writes

"Matt Blaze analyzes the implications of a recent Newsweek story on the Bush administration's use of the NSA for domestic spying on communications, and questions whether the lower legal threshold for the collection of communications metadata is giving away too much to the government: 'As electronic communication pervades more of our daily lives, transaction records — metadata — can reveal quite a bit about us, indeed often much more than a few out-of-context conversations might. Aggregated into databases with other people's records (or perhaps everyone's records) and analyzed by powerful software, metadata by itself can paint a remarkably detailed picture of connections, relationships, and other patterns that could never be recovered simply from listening to the conversations themselves.'"
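To make the quoted point concrete, here is an added example that is not from the Slashdot post, from Matt Blaze, or from the Newsweek story. It takes a handful of constructed call-detail records (pseudonymous identifiers, no real people, no content at all) and shows how much structure falls out of "who contacted whom, and when": the hub of the network, the tight-knit group, and the pair that only ever talks in the middle of the night. The record format and the 22:00-06:00 "night" window are assumptions chosen for the illustration.

```python
"""Added example: what communications metadata alone reveals.

Input is a list of constructed call-detail records (caller, callee, hour_of_day).
No call content is present; every inference below comes from the records' shape.
"""
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample records with pseudonymous identifiers (not real data).
CDR = [
    ("A", "B", 9), ("A", "B", 18), ("B", "A", 20), ("B", "A", 23),
    ("A", "C", 10), ("C", "A", 11),
    ("B", "C", 12),
    ("A", "D", 23), ("D", "A", 1), ("A", "D", 2),
    ("D", "E", 8),
    ("E", "F", 14), ("F", "E", 15),
]


def contact_graph(records):
    """Undirected weighted graph: unordered pair -> number of contacts (tie strength)."""
    graph = Counter()
    for src, dst, _hour in records:
        graph[frozenset((src, dst))] += 1
    return graph


def neighbors(records):
    """Map each party to the set of parties it has ever exchanged a call with."""
    adj = defaultdict(set)
    for src, dst, _hour in records:
        adj[src].add(dst)
        adj[dst].add(src)
    return adj


def hubs(records, top=1):
    """Parties with the most distinct contacts; ties broken alphabetically."""
    adj = neighbors(records)
    return sorted(adj, key=lambda party: (-len(adj[party]), party))[:top]


def is_night(hour, start=22, end=6):
    """Assumed 'night' window: from 22:00 up to (but excluding) 06:00."""
    return hour >= start or hour < end


def night_only_pairs(records):
    """Pairs whose every contact falls in the night window, a pattern visible with zero content."""
    hours = defaultdict(list)
    for src, dst, hour in records:
        hours[frozenset((src, dst))].append(hour)
    return sorted(
        tuple(sorted(pair)) for pair, hs in hours.items() if all(is_night(h) for h in hs)
    )


def closed_triads(records):
    """Triangles (three parties who all talk to each other): a signature of a tight-knit group."""
    adj = neighbors(records)
    found = set()
    for a in adj:
        for b, c in combinations(sorted(adj[a]), 2):
            if c in adj[b]:
                found.add(tuple(sorted((a, b, c))))
    return sorted(found)


def profile(records, party):
    """Summarise one party purely from metadata: reach, strongest tie, night-call share."""
    graph = contact_graph(records)
    own = {pair: n for pair, n in graph.items() if party in pair}
    strongest = max(own, key=lambda pair: (own[pair], sorted(pair)))
    mine = [h for s, d, h in records if party in (s, d)]
    return {
        "distinct_contacts": len(own),
        "strongest_tie": next(iter(strongest - {party})),
        "night_share": round(sum(is_night(h) for h in mine) / len(mine), 2),
    }


if __name__ == "__main__":
    print("hub:", hubs(CDR))
    print("night-only pairs:", night_only_pairs(CDR))
    print("closed triads:", closed_triads(CDR))
    print("profile of A:", profile(CDR, "A"))
```

Every number here is derived without reading a single message, which is exactly why the legal threshold for collecting metadata deserves scrutiny: the inferences scale with the size of the database, not with access to content.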

Research made easy? I think it just points out (almost) all the places you should have looked but didn't.

December 28, 2008

New on Deep Web Research 2009

Deep Web Research 2009: Marcus P. Zillman's guide includes links to: articles, papers, forums, audios and videos, cross database articles, search services and search tools, peer to peer, file sharing, grid/matrix search engines, presentations, resources on deep web research, semantic web research, and bot research resources and sites.

Inevitable. But what should it look like?

High hopes at Yahoo, Intel for Internet-enabled TV

Posted by Stephen Shankland December 29, 2008 4:00 AM PST

Now here's a tool I can use. Lots of podcasts are too soft for easy listening. Plus: Another way teenagers can ruin their hearing! (Perhaps some forensic uses too?) - Making Everything Sound Better

Vloud is a new online tool that has a very specific appeal, yet it will no doubt be a welcome addition to the bookmark collection of many of us.

Broadly speaking, what this web-hosted tool does is let you upload an MP3 file and have it automatically processed in order to bring up its volume. The uploaded files can amount to as much as 10 MB, and WAV files are supported alongside MP3s.

Sunday, December 28, 2008

This happens if Security isn't a fundamental part of your system.

Zambia’s leading ISP hacked

Saturday, December 27 2008 @ 08:28 AM EST Contributed by: PrivacyNews

Zambia’s leading Internet Service Provider, has been hacked. The site was hacked Saturday afternoon and at the time of writing the site had not been fixed. The hackers, who are calling themselves 3RqU (Turkish), have changed ZAMNET's landing page. 3RqU Turkish are a known notorious group of hackers.

The hackers have gained unauthorised access to ZAMNET servers. According to the new landing page that has been put on ZAMNET, the hackers claim to have root access..... Most of the websites hosted by ZAMNET have been affected by this security breach and these include sites like Times of Zambia, Daily mail, ZNBC.

Source - Lusaka Times

[From the article:

According to some experts, the old Apache server ZAMNET uses might not necessarily be the cause of the breach, but it points to the laxity in ZAMNET's policy on applying security updates to the software on their servers.

Oh the horror of riding your own petard!

RIAA Case May Be Televised On Internet

Posted by Soulskill on Saturday December 27, @01:30PM from the court-documents-likening-the-riaa-to-vampires dept. The Courts Media Music

NewYorkCountryLawyer writes

"In SONY BMG Music Entertainment v. Tenenbaum, the Boston case in which the defendant is represented by Prof. Charles Nesson and his CyberLaw class at Harvard Law School, the defendant has requested that audio-visual coverage of the court proceedings be made available to the public via the internet. Taking the RIAA at its word — that the reason for its litigation program is to 'educate the public' — the defendant's motion (PDF) queries why the RIAA would oppose public access: 'Net access to this litigation will allow an interested and growingly sophisticated public to understand the RIAA's education campaign. Surely education is the purpose of the Digital Deterrence Act of 1999, the constitutionality of which we are challenging. How can RIAA object? Yet they do, fear of sunlight shone upon them.'"

Probably a useful guide for kids. I noticed that they often choose TV movies based on the ratings. Anything not rated “R” was probably boring.

UK Culture Secretary Wants Website Ratings, Censorship

Posted by Soulskill on Saturday December 27, @09:37AM from the since-the-aussies-seem-so-excited-about-it dept. Censorship Government

kaufmanmoore writes

"UK culture secretary Andy Burnham calls for a website rating system similar to the one used for movies in an interview with the Daily Telegraph. He also calls for censorship of the internet, saying, 'There is content that should just not be available to be viewed.' Other proposals he mentions in his wide-ranging calls for internet regulation are 'family-friendly' services from ISPs, and requiring takedown notices to be enforced within a specific time for sites that host content. Mr. Burnham wants to extend his proposals across the pond and seeks meetings with the Obama administration."

Seems there are several “economics of the Internet” articles today. Can you charge “by the drink” when others provide the same things for free?

Microsoft Invents $1.15/Hour Homework Fee For Kids

Posted by timothy on Saturday December 27, @04:04PM from the defining-the-edge-of-invention dept. Patents Microsoft The Almighty Buck Windows

theodp writes

"Microsoft's vision of your computing future is on display in its just-published patent application for the Metered Pay-As-You-Go Computing Experience. The plan, as Microsoft explains it, involves charging students $1.15 an hour to do their homework, making an Office bundle available for $1/hour, and billing gamers $1.25 for each hour of fun. In addition to your PC, Microsoft also discloses plans to bring the chargeback scheme to your cellphone and automobile — GPS, satellite radio, backseat video entertainment system. 'Both users and suppliers benefit from this new business model,' concludes Microsoft, while conceding that 'the supplier can develop a revenue stream business that may actually have higher value than the one-time purchase model currently practiced.' But don't worry kids, that's only if you do more than 52 hours of homework a year!"

Keep in mind that much of this is protected by monopoly/regulation. When the natural gas and pipeline industries were deregulated, they found they had no control over their costs – fortunately they were monopolies...

What Carriers Don't Want You To Know About Texting

Posted by timothy on Sunday December 28, @08:21AM from the what-the-market-will-bear dept. Cellphones Communications

An anonymous reader writes

"Randall Stross has just published a sobering article in The New York Times about how the four major US wireless carriers don't want anyone to know the actual cost structure of text message services to avoid public outrage over the doubling of a-la-carte per-message fees over the last three years. The truth is that text messages are 'stowaways' inside the control channel — bandwidth that is there whether it is used for texting or not — and 160 bytes per message is a tiny amount of data to store-and-forward over tower-to-tower landlines. In essence it costs carriers practically nothing to transmit even trillions of text messages. When text usage goes up, the carriers don't even have to install new infrastructure as long as it is proportional to voice usage. This makes me dream of the day when there is real competition in the wireless industry, not this gang-of-four oligopoly."

[From the article:

The carriers will have other opportunities to tell us more about their pricing decisions: 20 class-action lawsuits have been filed around the country against AT&T and the other carriers, alleging price-fixing for text messaging services.

... T-Mobile called Mr. Kohl’s attention to the fact that its “average revenue per text message, which takes into account the revenue for all text messages, has declined by more than 50 percent since 2005.”

This statement seems like good news for customers. But consider what is left out: In the past three years, the volume of text messaging in the United States has grown tenfold, according to CTIA — the Wireless Association, a trade group based in Washington.

Are some businesses recession proof? Or are some just doomed?

The Internet ate my business

Posted by Matt Asay December 27, 2008 7:07 AM PST

has produced yet another record holiday season. But it's Paul Kedrosky who discerns the significance:

The right way to think about these figures is in Schumpeterian terms: With retail sales down across the board, whose businesses are being destroyed here, and what is the future of physical retail? Amazon is merely goosing this process along, of course, and may not even end up being a survivor.

Every now and then, I see a business model that I think has no basis in reality. This is one of those. But I've been spectacularly wrong before... - The Alternative Postal Service

This new solution is described by the team behind it as “The alternative postal service.” This is a quite accurate way of putting the concept across once you learn about the basic premise: what used to be sent as paper mail can be sent without the paper. That is, the company has come up with a paperless postal service that takes into account every street address in the United States.

This is achieved by having a private and secure web page for each and every postal service address. In order to access it, all you have to do is type the street address on the home page, and your mails will be displayed as envelopes for you to click about.

On the other hand, mailing somebody through Zumbox is also a simple task. All you have to do is upload a Word document or a PDF and specify the street address of the recipient. The mail will then be sent electronically. [Why would anyone sign onto this service? Bob]

From the previous paragraph, you can see where the main difference with e-mail lies. To send someone an e-mail, you must know his e-mail address. When it comes to Zumbox, a street address will suffice. If we bear in mind that businesses always have the street addresses of their customers, but not necessarily their e-mail addresses, the uses of this new solution become evident.