Wednesday, September 30, 2009

Update: The effect was zero risk. As to the cause, I wonder if they expended any effort at all to prevent a reoccurrence?

Misfired e-mail was never viewed by Gmail user

by Elinor Mills September 29, 2009 3:01 PM PDT

A sensitive e-mail mistakenly sent by a bank to a Gmail address that prompted a court to order Google to deactivate the account was not viewed by the recipient and has been deleted, the bank said on Tuesday.

… The bank sent another e-mail asking that the data be destroyed and went to court to get Google to intervene on its behalf. Last week, a judge in U.S. District Court in San Jose, Calif., ordered Google to deactivate the Gmail account and Google complied. Google and the bank quickly resolved the matter and the court granted their motion to dismiss the case and allowed Google to reactivate the Gmail account.

"Rocky Mountain Bank, working with Google (through court order), confirmed on Thursday of last week that the e-mail containing client information was never opened and has now been permanently destroyed by Google's system," Tina Martinez, general counsel for Rocky Mountain Capital, wrote in an e-mail response to questions.

"As a result, no customer data of any sort has been viewed or used by any inappropriate user during this data lapse," Martinez wrote. [That statement is a bit broader than the facts suggest. Bob]

… The case poses some interesting questions. For instance, should the person who registered the e-mail address lose access to the account or have items deleted without his or her permission, particularly through no fault of their own?

And what recourse would the bank have if the data had been sent via regular mail to the wrong address? The U.S. Postal Office certainly doesn't have the ability to see the envelope sitting on the recipient's desk and vaporize it.

There has to be a “provable damage” requirement before the fund pays anything. I'll have to research this a bit.

CT: Governor Rell announces ID theft law

September 30, 2009 by Dissent Filed under Breaches, Legislation, U.S.

Governor M. Jodi Rell announced that a new law [An Act Concerning Consumer Privacy and Identity Theft], which increases criminal penalties for identity theft and establishes a fund from forfeited assets to help individuals whose identity has been stolen, will become effective on October 1st.

The legislation makes numerous changes in existing laws relating to identity theft, misuse of Social Security Numbers or other personal identifying information. The law also includes tougher penalties for those convicted of victimizing senior citizens. [Was AARP lobbying for this? Bob] A suspect now faces first-degree identity theft charges – a class B felony – for victimizing anyone older than 60 and stealing assets and valuables over $5,000. The law lowers the theft threshold for a first-degree offense from $10,000.

The legislation broadens the definition of identity theft, increases penalties for criminal impersonation and creates the crime of unlawful possession of personal access devices, such as card readers or scanners, account numbers, personal identification numbers or PIN number and telecommunications service.

Read more on News8

The amounts are small, the technology difficult to explain to a jury – no wonder these cases are not high on the prosecutor's list. Perhaps we could interest them in a nice old-fashioned lawsuit?

B.C. identity theft victims say they can’t get justice

September 29, 2009 by Dissent Filed under Breaches, Non-U.S.

Kathy Tomlinson reports:

Two B.C. people who are victims of identity theft are speaking out in frustration with the justice system.

Mark Gorst and Shannon Werry have ample evidence indicating who the thief is, but even so, RCMP have told them charges won’t be laid.

“It’s frustrating … and there is a lot of anger,” said Werry. “Because you know who it is — and you have the proof that you need — and nothing happens.”

“I didn’t know most of the money was stolen — until two years afterward,” said Gorst. “We’ve been told — because it’s been such a time delay — the statute of limitations on certain crimes means I am on the hook for everything.”

Read the full story on

[From the article:

"[Identity theft and fraud] is a level of crime that you don't know about until you know about it [Sounds very “Yogi Berra-like” Bob] — which is sometimes too late for legal boundaries," explained Cpl. Lea-Anne Dunlop of the Chilliwack RCMP.

If more than a year has passed since the initial crime, she said, the bar to get charges approved by the Crown is higher.

How Big Brother does it...

Prompted by EFF Lawsuit, FBI (Partially) Releases Domestic Surveillance Guidelines

News Update by David L. Sobel September 29th, 2009

The Federal Bureau of Investigation has released a heavily censored version of its controversial Domestic Investigations and Operations Guidelines (DIOG), which became effective on December 1, 2008.

… The 258-page document implements the Attorney General’s Guidelines for Domestic FBI Operations, the most recent version of which was issued late last year by former Attorney General Michael B. Mukasey.

… The Mukasey guidelines, among other things, gave the FBI the authority to open investigative “assessments” of any American without any factual predicate or suspicion. Such “assessments” allow the use of intrusive techniques to surreptitiously collect information on people suspected of no wrongdoing and no connection with any foreign entity. These inquiries may include the collection of information from online sources and commercial databases, and the use of grand jury subpoenas to obtain telephone and email subscriber information.

A trend or just 'those weirdos in Massachusetts?'

Cops Can’t Convert Car Into Tracking Device Without Court’s OK

September 30, 2009 by Dissent Filed under Court, Surveillance, U.S.

Jennifer Granick of EFF has a commentary on a recent decision out of Massachusetts discussed here previously.

The Supreme Court of Massachusetts recently held that officers may not place GPS tracking devices on cars without first getting a warrant. The case, Commonwealth v. Connolly, was decided under the state corollary to the Fourth Amendment, and its reasoning may influence pending GPS tracking cases, including United States v. Jones, where EFF is an amicus.

Read more on EFF.

[From the EFF article:

EFF has urged a U.S. appeals court to reject government claims that federal agents have an unfettered right to install Global Positioning System (GPS) location-tracking devices on anyone's car without a warrant.

What would be better than a mandatory security law that banks would find plenty of loopholes in? This has got to be terrifying!

Banks oppose computer crime law proposal

September 29, 2009 by admin Filed under Breach Laws, Legislation, Non-U.S.

Computer criminals could wind up costing Danish banks billions if a law requiring them to compensate small businesses on an equal footing with private account holders is passed.

The Commerce Ministry has asked the Financial Supervisory Authority to look into whether companies with less than 10 employees and annual turnover of less than 15 million kroner should be issued a guarantee that they will be compensated if their accounts are hacked into.

Currently, banks are required to compensate private account holders everything but a 1200 kroner deduction if their accounts are hacked. The new law would issue the same guarantee to small businesses and would encompass 90 percent of the country’s companies.

Read the full story in the Copenhagen Post.

One would expect crime to grow and mature slightly behind the growth curve of the industry itself. It was unlikely that thieves would steal the first (first thousand) automobiles, but eventually the volume made it easier and safer – eventually joining prostitution and gambling as a “business unit” of organized crime.

IT Security Breaches Soar In 2009

Posted by kdawson on Tuesday September 29, @07:24PM from the inside-jobs dept.

slak11 quotes from a Globe and Mail article on the jump in corporate and government security breaches year-over-year. (The reporting is from Canada but the picture is probably much the same in the US.)

"This does not seem to be all that newsworthy these days, since stories like this are appearing on a regular basis. The one detail I did like — that seems to break from the traditional 'hackers cause all the bad stuff' reporting — is the mention that everyday employees are a major cause of breaches. The recent Rocky Mountain Bank/Google story is a perfect example. As stated in the article: 'But lower security budgets aren't the only reason breaches tend to soar during tough economic times — employees themselves can often be the cause of such problems.' I figure this will be an ongoing problem until company management and employees accept their role in keeping company information safe. And IT people need to understand that regular employees are not propeller-heads like Slashdot readers, and to begin to implement technology and processes that average people can understand and use."

(Related) Coming soon to a bank near you! We should expect malware to be more sophisticated than early versions of VisiCalc, after all that was written more than 25 years ago. This looks like an automated stock trading program (also decades old) that initiates transactions based on readily available data.

Banking Trojan steals money from under your nose

by Elinor Mills September 29, 2009 5:51 PM PDT

Researchers at security firm Finjan have discovered details of a new type of banking Trojan horse that doesn't just steal your bank login credentials but actually steals money from your account while you are logged in and displays a fake balance.

The bank Trojan, dubbed URLZone, has features designed to thwart fraud detection systems which are triggered by unusual transactions, Yuval Ben-Itzhak, chief technology officer at Finjan, said in an interview on Tuesday. For instance, the software is programmed to calculate on-the-fly how much money to steal from an account based on how much money is available.

It exploits a hole in Firefox, Internet Explorer 6, IE7, IE8 and Opera, and it is different from previously reported banking Trojans, said Ben-Itzhak. The Trojan runs an executable only on Windows systems, he said. The executable can come via a number of avenues, including a malicious JavaScript or Adobe PDF, he added.

The specific Trojan Finjan researchers analyzed targets customers of unnamed German banks, according to the latest Finjan report. It was linked back to a command-and-control server in Ukraine that was used to send instructions to the Trojan software sitting on infected PCs.
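The article's point that URLZone sizes each theft from the available balance is exactly why a flat "large transfer" threshold is a weak fraud control. The following is an added illustration, not Finjan's analysis or any bank's code: it models a transfer sized to stay under a flat threshold (an assumption about the evasion, not a detail from the report) and compares a flat rule with a rule keyed to the account's own transfer history, evaluated on the server-side balance that the client-side fake balance cannot alter. All account histories, balances, thresholds and multipliers are constructed values.

```python
from dataclasses import dataclass
from statistics import median
from typing import Dict, List

# Constructed flat rule: any single transfer at or above this is "unusual".
FIXED_THRESHOLD = 1000.0


@dataclass
class Transfer:
    amount: float          # requested outgoing amount
    balance_before: float  # server-side balance, not what the browser shows


def size_like_urlzone(balance: float, fraction: float = 0.3,
                      cap: float = FIXED_THRESHOLD) -> float:
    """Assumed model of balance-aware sizing: take a share of what is
    available but never reach the flat threshold. This is a hypothetical
    illustration of the behaviour the article describes, not URLZone's code."""
    return round(min(balance * fraction, cap - 0.01), 2)


def flat_rule(t: Transfer) -> bool:
    """Legacy detector: flags only absolute size."""
    return t.amount >= FIXED_THRESHOLD


def profile_rule(t: Transfer, history: List[float],
                 multiplier: float = 4.0, balance_share: float = 0.25) -> bool:
    """Account-relative detector: flags a transfer that is far above this
    account's median outgoing transfer, or that drains a large share of the
    real balance. The median is used as a robust baseline so a few earlier
    large payments do not mask a new outlier."""
    if not history:
        return flat_rule(t)
    baseline = median(history)
    too_big_for_account = t.amount > multiplier * baseline
    drains_balance = t.amount > balance_share * t.balance_before
    return too_big_for_account or drains_balance


def evaluate(history: List[float], balance: float) -> Dict[str, object]:
    """Size a hypothetical fraudulent transfer against `balance` and report
    which rule would have flagged it."""
    amount = size_like_urlzone(balance)
    t = Transfer(amount, balance)
    return {
        "amount": amount,
        "flat": flat_rule(t),
        "profile": profile_rule(t, history),
    }


if __name__ == "__main__":
    # Constructed account: small routine payments, a few thousand on deposit.
    routine = [42.0, 15.5, 60.0, 38.2, 22.0, 55.0]
    for bal in (2500.0, 10000.0):
        print(bal, evaluate(routine, bal))
```

Run as a script it shows that both sized transfers (750.00 and 999.99) pass the flat rule and are caught by the profile rule. The design choice worth noting is that the second rule consumes only server-side facts (history and true balance), so a Trojan that rewrites the balance shown in the browser gains nothing against it.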

(Related) The growth bit...

Malware worldwide grows 15 percent in September

by Lance Whitney September 29, 2009 11:51 AM PDT

A rise in malware has caused the number of infected PCs worldwide to increase 15 percent just from August to September, says a report released Tuesday from antivirus vendor Panda Security.

Across the globe, the average number of PCs hit by malware now stands around 59 percent, an all-time high for the year. Among 29 countries tracked, the U.S. ranked ninth with slightly more than 58 percent of its PCs infected. Taiwan hit first place with an infection ratio of 69 percent, while Norway came in lowest with only 39 percent of its PCs attacked by malware.

Free software from Microsoft?

Microsoft Security Essentials Released; Rivals Mock It

Posted by kdawson on Tuesday September 29, @11:11PM from the free-but-is-it-worth-it dept.

Bimal writes

"After a short three-month beta program, Microsoft is officially releasing Microsoft Security Essentials, its free, real-time consumer anti-malware solution for fighting viruses, spyware, rootkits, and Trojans. MSE is available for Windows XP 32-bit, Windows Vista/7 32-bit, and Windows Vista/7 64-bit. 'Ars puts MSE through its paces and finds an unobtrusive app with a clean interface that protected us in the dark corners of the Internet.' The software received positive notes when in beta, including a nod from the independent testing group AV-Test."

But reader CWmike notes that Symantec is trash-talking Microsoft's free offering. Jens Meggers, Symantec's vice president of engineering, dismissed MSE as a "poor product" that will "never be up to snuff." Meggers added, "Microsoft has a really bad track record in security." The GM of Trend Micro's consumer division sniffed, "It's better to use something than to use nothing, but you get what you pay for."

“We'll only use DNA for identification, like fingerprints” “We're not prejudiced, but we ain't allowing no WOGs into the country!”

Scientists Decry "Horrifying" UK Border Test Plan

Posted by kdawson on Wednesday September 30, @03:27AM from the genetic-papers-please dept.

cremeglace writes

"Scientists are dismayed and outraged at a new project by the UK border agency to test DNA, hair, and nails to determine the nationality of asylum seekers and help decide if they can enter the UK. 'Horrifying,' 'naive,' and 'flawed' are among the words geneticists and isotope specialists have used to describe the 'Human Provenance pilot project.' The methods being used to determine ancestry include fingerprinting of mitochondrial DNA and isotope analysis of hair and nails. ScienceInsider blog notes that it is 'not clear who is conducting the DNA and isotope analyses [That would be the Klass Kategorizing KO-OP –ticker symbol KKK Bob] for the Border Agency,' and that the agency has not 'cited any scientific papers that validate its DNA and isotope methods.' There is also a followup post with more information on the tests that are being used, and some reactions from experts in genetic forensic analysis. This story was first reported in The Observer on Sunday."

Hackers! We need a free iPhone app that everyone will want/need to install. Viagra Marketers: Have we got a deal for you!

Retrievable iPhone Numbers Raise Privacy Issue

Posted by kdawson on Tuesday September 29, @04:58PM from the how-about-never-is-never-good-for-you dept.

TechnologyResource writes

"When a couple of voicemails didn't show up recently, I thought nothing of it until a friend asked me if I'd gotten his message — people just don't call me that often. But the iPhone is indeed a phone, as some users are reportedly being reminded when they get phone calls from the publishers of a free app they've downloaded from the App Store. The application in question, mogoRoad, is a real-time traffic monitoring application. As invasive and despicable as that sounds, it raises another question: how did the company get hold of the contact information for those users? Mogo claims the details were provided by Apple, but Apple doesn't disclose that information to App Store vendors. French site Mac 4 Ever did some digging (scroll down for the English version) and determined it was possible — even easy — for an app to retrieve the phone number of a unit on which it was installed."

Interpreting Fair Use (because no one can interpret Ulysses.)

Professor Wins $240K In Fair Use Dispute

Posted by kdawson on Tuesday September 29, @03:22PM from the happy-bloomsday dept.

pickens writes

"In a victory for Fair Use, Stanford Law School's Fair Use Project has announced that the estate of 20th century literary giant James Joyce, author of the landmark novel Ulysses, has agreed to pay $240,000 in attorneys' fees to Stanford University Consulting Professor Carol Shloss and her counsel in connection with Shloss's lawsuit to establish her right to use copyrighted material in her scholarship on the literary work of James Joyce. When Shloss used copyrighted materials in her biography of Joyce's daughter Lucia, titled Lucia Joyce: To Dance in the Wake, she had to excise a substantial amount of source material from the book in response to threats from the Joyce Estate. However, following publication of the book, Shloss sued the Estate to establish her right to publish the excised material. The parties reached a settlement regarding the issue in 2007, permitting the publication of the copyrighted material in the US. Following the settlement, Shloss asked the Court to order the Estate to pay attorneys' fees of more than $400,000. She has now agreed to accept an immediate payment of $240,000 in return for the dismissal of the Estate's appeal. 'This case shows there are solutions to the problem Carol Shloss faced other than simple capitulation,' says Fair Use Project Executive Director Anthony Falzone, who led the litigation team."

Only lawyers understand copyright law, and they can't explain it to juries.

$338M Patent Ruling Against Microsoft Overturned

Posted by Soulskill on Wednesday September 30, @08:50AM from the courts-just-like-making-work-for-themselves dept.

some_guy_88 writes

"The $338 million verdict against Microsoft for violating a patent held by Uniloc has now been overturned. 'Ric Richardson ... is the founder of Uniloc, which sued Microsoft in 2003 for violating its patent relating to technology designed to deter software piracy. The company alleged Microsoft earned billions of dollars by using the technology in its Windows XP and Office programs. In April, a Rhode Island jury found Microsoft had violated the patent and told Microsoft to pay the company $388 million, one of the largest patent jury awards in US history. But on Tuesday ... US District Judge William Smith "vacated" the jury's verdict and ruled in favor of Microsoft.' In his ruling, Smith said the jury 'lacked a grasp of the issues before it [perhaps there can't be a jury of peers in Copyright litigation? Bob] and reached a finding without a legally sufficient basis (PDF).'"

How to capture a market? (Or at least not get left behind...)

Microsoft and CVS expand pharmacy partnership

by Lance Whitney September 29, 2009 3:26 PM PDT

Microsoft HealthVault is a free service that lets consumers store and maintain their health information in one single electronic spot.

… Microsoft isn't CVS' only health care partner. In April, CVS expanded its joint venture with Google to let customers store their health records online through Google Health.

With the push toward health care reform, other tech companies have also gotten into the act.

In May, Intuit, Microsoft, Dell, Intel, and other firms formed the EHR Stimulus Alliance, designed to push doctors and hospitals toward digital record keeping.

Interesting because of the debate in the comments. Consensus: there is no good electronic means to store data for the long term. Solutions range from paper to constant copying.

Archiving Digital Artwork For Museum Purchase?

Posted by timothy on Tuesday September 29, @01:09PM from the just-put-something-on-youtube dept.

An anonymous reader writes

"I am an artist working with 3d software to create animations and digital prints. For now my work just gets put on screening DVDs and BluRays and the original .mov and 3d files get backed up. But museums and big art collectors do want to purchase these animations. However, as we all know, archival DVDs are not really archival. So I want to ask the Slashdot readers, what can I give to the museum when they acquire my digital work for their collection so that it can last and be seen long after I am dead? No other artist or institution I know of has come up with any real solution to this issue yet, so I thought Slashdot readers may have an idea. These editions can be sold for a large amount of money, so it doesn't have to be a cheap solution."

'cause I'm gonna make my website students publish...

Top 7 Easy and Free Web Hosting Services

Sep. 29th, 2009 By Jeffry Thurana
