Thursday, October 29, 2009

Here is one of those arguments used to justify leaving holes in the security system. The unencrypted credit card transaction is sent over unsecured lines (or broadcast on a wireless connection) and no one is responsible for securing it. Surely this is the electronic equivalent of the Pub shouting the information across the street to their bank? Won't anyone point out that the Emperor has no clothes?

http://www.databreaches.net/?p=8029

Joco pub and customers were targets of credit card hacker

October 28, 2009 by admin Filed under Business Sector, Hack

Dawn Bormann reports:

Llywelyn’s Pub and its customers are the victims of a cyber credit card attack, Overland Park police said Wednesday.

Overland Park police encourage anyone who has used a credit card at Llywelyn’s Pub within the last six months to monitor their statements for fraudulent expenses.

Police Spokesman Jim Weaver said that more than 100 victims have been identified so far, and they believe others could have been victimized as well.

[...]

Investigators believe the crimes were the result of a hacker, who managed to gain access to the information between the time of sale and the point at which the information reached the credit card processing company.

Investigators do not believe the credit card processing company was to blame. They have also ruled out any wrongdoing by Llywelyn’s employees.

[They must have evidence that confirms this; there is no other way to definitively rule out employees. Bob]

Read more in the Kansas City Star.

[From the article:

Even Owner Eric Pritchett was a victim in the scheme. He received a $700 charge from a Florida grocery store [Interesting. The owner used his credit card in his own Pub? Why? Bob]

… Pritchett said the bar and grill, which has been open since July 2007, installed a new computer server this week. [Has no impact on security whatsoever. Bob]



Probably the same thing? This one suggests they don't know how or where to look, but they still took action!

http://www.databreaches.net/?p=8037

Easybakeware.com customers notified of security concern

October 29, 2009 by admin Filed under Breach Incidents, Business Sector

When easybakeware.com customers started contacting the company to report unauthorized charges on their credit cards or debit cards from other merchants during the month of September, the Connecticut-based company instructed its Microsoft Gold Level e-commerce service provider/data center to investigate. They also hired an independent security consultant, but neither the consultant nor service provider reportedly found any evidence of a security breach.

With no confirmation of a breach but in light of the fact that 35 customers had reported problems, the company decided to alert its customers to a possible problem, including 71 New Hampshire residents. The company also reported the situation to the FBI and instructed its e-commerce service provider to remove the customer database from any network or internet connection.

Source: Notification to New Hampshire Attorney General’s Office.



These are (almost) always fun...

http://www.pogowasright.org/?p=4833

Some Thoughts on the New Surveillance

October 29, 2009 by Dissent Filed under Surveillance, U.S.

Last night I spoke at “The Little Idea,” a mini-lecture series launched in New York by Ari Melber of The Nation and now starting up here in D.C., on the incredibly civilized premise that, instead of some interminable panel that culminates in a series of audience monologues-disguised-as-questions, it’s much more appealing to have a speaker give a ten-minute spiel, sort of as a prompt for discussion, and then chat with the crowd over drinks.

I’d sketched out a rather longer version of my remarks in advance just to make sure I had my main ideas clear, and so I’ll post them here, as a sort of preview of a rather longer and more formal paper on 21st century surveillance and privacy that I’m working on. Since ten-minute talks don’t accommodate footnotes very well, I should note that I’m drawing for a lot of these ideas on the excellent work of legal scholars Lawrence Lessig and Daniel Solove (relevant papers at the links). Anyway, the expanded version of my talk after the jump…

Read more on Think Tank West. Hat-tip, FourthAmendment.com.



Helping(?) to define Privacy and “open source intelligence,” now all I need is a definition of “open” that suits my needs.

http://www.pogowasright.org/?p=4835

California Court Rejects Class Action Based on Data Collection for PII Aggregation Purposes

October 29, 2009 by Dissent Filed under Businesses, Court

Tanya Forsheit has an analysis and commentary on an appellate decision that may be of interest to consumers who resent merchants requesting their zip codes:

On Friday, the California Court of Appeal, Fourth Appellate District, certified for publication its October 8 opinion in Pineda v. Williams-Sonoma, the most recent in a string of decisions regarding California’s Song-Beverly Credit Card Act of 1971, California Civil Code § 1747.08. On first glance, Pineda appears uneventful. The Court merely reiterated its December 2008 holding in Party City v. Superior Court, 169 Cal.App.4th 497 (2008), that zip codes are not personal identification information for purposes of the Act, right? Not so fast. In fact, the Pineda court added a couple of new wrinkles that are worth a second look. First, the court reaffirmed its Party City holding even though Pineda specifically alleged that Williams-Sonoma collected the zip code for the purpose of using it and the customer’s name to obtain even MORE personal identification information, the customer’s address, through the use of a “reverse search” database. Second, the court held that a retailer’s use of a legally obtained zip code to acquire, view, print, distribute or use an address that is otherwise publicly available does not amount to an offensive intrusion of a consumer’s privacy under California law.

[...]

Second, the court examined and rejected plaintiff’s claim that Williams-Sonoma’s conduct constituted an illegal intrusion into her privacy, finding no allegations (a) that her home address was not otherwise publicly available or (b) of any efforts she made to keep her address private:

Without such facts, using a legally obtained zip code to acquire, view, print, distribute or use an address that is otherwise publicly available does not amount to an offensive intrusion of her privacy.

. . . Even assuming Pineda had [alleged Williams-Sonoma had sold her home address to third parties for profit], we fail to see how selling an address that is otherwise publicly available amounts to “an egregious breach of the social norms underlying the privacy right.” . . .[Dossier business, here I come! Bob]

Additionally, . . . the complaint contains absolutely no facts showing the extent and gravity of the alleged invasion of privacy. Under the facts alleged, the disclosure of Pineda’s address amounted to a trivial invasion of her assumed privacy interest.

Read more on Information LawGroup.



Designed in a vacuum

http://www.pogowasright.org/?p=4827

Fordham Law Study: Privacy of Nation’s School Children at Risk

October 28, 2009 by Dissent Filed under Featured Headlines, Legislation, U.S., Youth

Fordham Law’s Center on Law and Information Privacy released a study that found state educational databases across the country ignore key privacy protections for the nation’s K – 12 children. The findings come as Congress is considering legislation that would expand and integrate the 43 existing state databases without taking into account the critical privacy failures in the states’ electronic warehouses of children’s information. CLIP found that sensitive, personalized information related to matters such as teen pregnancies, mental health, and juvenile crime is stored in a manner that violates federal privacy mandates. CLIP reports that at least 32 percent of states warehouse children’s social security numbers; at least 22 percent of states record student pregnancies; and at least 46 percent of the states track mental health, illness, and jail sentences as part of the children’s educational records. Also, almost all states with known programs collect family wealth indicators.

Some states outsource the data processing without any restrictions on use or confidentiality for K- 12 children’s information. Access to this information and the disclosure of personal data may occur for decades and follow children well into their adult lives.

“If these issues are not addressed, the results could be catastrophic from a privacy perspective,” said Professor Joel Reidenberg, founding director of CLIP. “We don’t question the legitimacy of collecting data for school accountability, but we urge Congress and state officials to take rapid steps to ensure the data is collected and stored properly and used in compliance with established privacy laws and principles.”

CLIP launched the study in 2008 because state departments of education throughout the country had recently established statewide longitudinal databases to track all K-12 students’ progress over time. The trend has been accompanied by a movement to create uniform data collection systems so that each state’s student data systems can be interoperable.

Often the flow of information from the local educational agency to the state department of education was not in compliance with the privacy requirements of the Family Educational Rights and Privacy Act. One state, New Jersey, diverts special education Medicaid funding to pay for an out-of-state contractor to warehouse data, including medical test results. Many states do not have clear access and use rules regarding their longitudinal databases and over 80 percent of states apparently fail to have data-retention policies and, thus, are likely to hold student information indefinitely. Several states, like Montana, outsource the data warehouse without stipulating privacy protections in the vendor contract. Other states, such as Louisiana and Florida, track a long list of disciplinary matters that could remain on students’ records indefinitely.

Even so, House Bill 3221, or the Student Aid and Fiscal Responsibility Act, contains a section that calls for the expansion and further integration of these databases without addressing these privacy concerns. A Senate version of the bill is expected to be released from committee shortly.

“The CLIP study meticulously documents the states’ disregard for safeguarding children’s most personal data,” said Barmak Nassirian, Associate Executive Director, American Association of Collegiate Registrars and Admissions Officers. “And yet Congress is poised to fund an ill-thought-through expansion of these systems to include data ranging from pre-birth medical information to education, employment, military, and criminal records.”

The study makes several recommendations for increasing the privacy, transparency and accountability of the databases:

  • Data at the state level should be made anonymous through the use of dual-database architectures.

  • Third party processors of educational records should have comprehensive agreements that explicitly address privacy obligations.

  • The collection of information by the state should be minimized and specifically tied to an articulated audit or evaluation purpose.

  • Clear data-retention policies should be instituted and made mandatory.

  • States should have a Chief Privacy Officer in the department of education who assures that privacy protections are implemented for any educational record database and who publicly reports privacy impact assessments for database programs, proposals, and vendor contracts.

The full report is available here.

Source: Fordham University
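The first recommendation above, a dual-database architecture, is a concrete design rather than a policy, so here is an added illustration of it. This is example code written for this page, not the CLIP report's design or any state's actual system: the two stores, the HMAC tokenisation, the field names, the retention window and the three sample students are all constructed for the example.

```python
"""Dual-database pseudonymisation (added example, not the report's own code):
the local agency keeps identities and the tokenisation key; the state
warehouse receives only keyed tokens plus outcome data, refuses identifying
fields at its boundary, and expires rows under a stated retention policy."""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Fields the state side must never hold (constructed list for the example).
IDENTIFYING_FIELDS = ("name", "ssn", "address", "date_of_birth", "local_id")


class IdentityVault:
    """Kept by the local district: the only store holding names and the only
    holder of the tokenisation key. The state never receives either."""

    def __init__(self, key: bytes):
        self._key = key
        self._people: Dict[str, Dict[str, str]] = {}

    def tokenize(self, local_id: str, name: str) -> str:
        # HMAC rather than a bare hash: a local-id or SSN space is small enough
        # to enumerate, so an unkeyed digest could be reversed by brute force.
        token = hmac.new(self._key, local_id.encode(), hashlib.sha256).hexdigest()[:16]
        self._people[token] = {"local_id": local_id, "name": name}
        return token

    def reidentify(self, token: str) -> Optional[Dict[str, str]]:
        """Only the key holder can map a token back to a child."""
        return self._people.get(token)


class StateWarehouse:
    """The statewide longitudinal store: tokens plus outcomes, nothing that
    names a child, and rows that expire under a retention window."""

    def __init__(self, retention_years: int):
        self.retention_years = retention_years
        self._rows: List[Tuple[str, int, Dict[str, object]]] = []

    def ingest(self, token: str, school_year: int, record: Dict[str, object]) -> None:
        leaked = [f for f in IDENTIFYING_FIELDS if f in record]
        if leaked:
            raise ValueError("identifying fields refused at the state boundary: %s" % leaked)
        self._rows.append((token, school_year, dict(record)))

    def graduation_rate(self, cohort: int) -> float:
        """An accountability statistic computed without any identity data."""
        rows = [r for _, _, r in self._rows if r.get("cohort") == cohort]
        if not rows:
            return 0.0
        return sum(1 for r in rows if r.get("graduated")) / len(rows)

    def purge_expired(self, current_year: int) -> int:
        """Drop rows older than the retention window; returns how many went."""
        keep = [row for row in self._rows if current_year - row[1] < self.retention_years]
        removed = len(self._rows) - len(keep)
        self._rows = keep
        return removed

    def row_count(self) -> int:
        return len(self._rows)


def build_demo() -> Tuple[IdentityVault, StateWarehouse]:
    """Constructed sample: one district reports three students to the state."""
    vault = IdentityVault(key=b"district-held-secret-key")   # assumed key
    state = StateWarehouse(retention_years=7)                 # assumed policy
    students = [("D-1001", "Ann Example", 2009, True),
                ("D-1002", "Ben Example", 2009, True),
                ("D-1003", "Cy Example", 2009, False)]
    for local_id, name, year, graduated in students:
        token = vault.tokenize(local_id, name)
        state.ingest(token, year, {"cohort": 2005, "graduated": graduated})
    return vault, state


if __name__ == "__main__":
    vault, state = build_demo()
    print("graduation rate, cohort 2005:", state.graduation_rate(2005))
    print("rows purged in 2016:", state.purge_expired(2016))
```

The separation only holds if the key and the vault really do stay with the local agency; a vendor contract that lets the warehouse operator also run the vault, or that is silent on it, collapses the two databases back into one.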



This happens with every new technology. What they mean is they don't bother to build in the archiving when they implement the latest fad.

http://www.reuters.com/article/technologyNews/idUSTRE59Q5F720091027

Facebook challenges financial regulators: FINRA

Tue Oct 27, 2009 7:31pm EDT

NEW YORK (Reuters) - Social networking sites like Facebook and LinkedIn raise "serious new challenges" for financial regulators, the head of the largest U.S. independent securities regulator said on Tuesday.

Wall Street bankers and analysts increasingly want to use social networking to connect and interact with customers...

… But as these sites are currently designed they may not allow firms to keep the kind of archives of their employees' business communications required by regulators...


(Related) Of course, you could ask a hacker to help you do it.

http://www.makeuseof.com/tag/how-to-backup-archive-all-your-facebook-data/

How To Backup & Archive All Your Facebook Data

Oct. 11th, 2009 By Mahendra Palsule



I wonder what changed their mind? Is there legislation pending?

http://yro.slashdot.org/story/09/10/28/1953223/Sequoia-To-Publish-Source-Code-For-Voting-Machines?from=rss

Sequoia To Publish Source Code For Voting

Posted by timothy on Wednesday October 28, @04:07PM from the this-time-on-purpose dept.

cecille writes

"Voting machine maker Sequoia announced on Tuesday that they plan to release the source code for their new optical-scan voting machine. The source code will be released in November for public review. The company claims the announcement is unrelated to the recent release of the source code for a prototype voting machine by the Open Source Digital Voting Foundation. According to a VP quoted in the press release, 'Security through obfuscation and secrecy is not security.'"



Would this have impacted West Side Story (a clear rip-off of Romeo & Juliet) and will it impact reverse engineering procedures?

http://yro.slashdot.org/story/09/10/28/2236235/Amazon-Patents-Changing-Authors-Words?from=rss

Amazon Patents Changing Authors' Words

Posted by samzenpus on Wednesday October 28, @09:49PM from the it-was-a-good-time-it-was-a-bad-time dept.

theodp writes

"To exist or not to exist: that is the query. That's what the famous Hamlet soliloquy might look like if subjected to Amazon's newly-patented System and Method for Marking Content, which calls for 'programmatically substituting synonyms into distributed text content,' including 'books, short stories, product reviews, book or movie reviews, news articles, editorial articles, technical papers, scholastic papers, and so on' in an effort to uniquely identify customers who redistribute material. In its description of the 'invention,' Amazon also touts the use of 'alternative misspellings for selected words' as a way to provide 'evidence of copyright infringement in a legal action.' After all, anti-piracy measures should trump kids' ability to spell correctly, shouldn't they?"
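The mechanism the submission describes, a different synonym choice per distributed copy so a leaked copy can be traced to the customer, is a text fingerprint, and it is worth seeing how little it takes and where it breaks. The following is an added example written for this page, not Amazon's code and not the patent's exact method: the sample passage, the synonym table, the nine-slot layout and the keyed mask are all constructed here.

```python
"""Synonym-slot fingerprinting (added example, not Amazon's implementation).
Each distributed copy encodes a customer number as one bit per slot, where
each slot offers two interchangeable wordings; trace() reads the bits back
out of a redistributed copy."""
import hashlib
import hmac
from typing import List, Optional, Union

# The text is a sequence of fixed fragments and slots. A slot lists two
# interchangeable variants: variant 0 encodes a 0 bit, variant 1 a 1 bit.
# Constructed sample passage (a mangled Hamlet, as in the post above).
TEMPLATE: List[Union[str, List[str]]] = [
    "To ", ["be", "exist"], " or not to ", ["be", "exist"], ": that is the ",
    ["question", "query"], ". Whether 'tis ", ["nobler", "worthier"],
    " in the mind to ", ["suffer", "endure"], " the ", ["slings", "missiles"],
    " and arrows of ", ["outrageous", "egregious"], " fortune, or to ",
    ["take", "raise"], " arms against a ", ["sea", "tide"], " of troubles.",
]
SLOT_COUNT = sum(1 for part in TEMPLATE if isinstance(part, list))  # 9 bits
CAPACITY = 2 ** SLOT_COUNT                                           # 512 distinct copies


def _slot_mask(secret: bytes) -> List[int]:
    """Per-slot XOR mask derived from a secret (assumed held by the publisher),
    so the variant pattern in a leaked copy does not spell out the customer
    number in the clear to anyone who knows the template."""
    digest = hmac.new(secret, b"synonym-slot-mask", hashlib.sha256).digest()
    return [(digest[i // 8] >> (i % 8)) & 1 for i in range(SLOT_COUNT)]


def mark(customer_id: int, secret: bytes) -> str:
    """Render the passage for one customer, choosing one variant per slot."""
    if not 0 <= customer_id < CAPACITY:
        raise ValueError("customer_id exceeds the %d-bit capacity" % SLOT_COUNT)
    mask = _slot_mask(secret)
    out, slot = [], 0
    for part in TEMPLATE:
        if isinstance(part, list):
            bit = ((customer_id >> slot) & 1) ^ mask[slot]
            out.append(part[bit])
            slot += 1
        else:
            out.append(part)
    return "".join(out)


def trace(text: str, secret: bytes) -> Optional[int]:
    """Recover the customer id from a redistributed copy. Returns None when the
    copy no longer matches the template, i.e. a slot or a fixed fragment was
    edited, which is the cheapest way for a redistributor to defeat the mark."""
    mask = _slot_mask(secret)
    pos, slot, customer_id = 0, 0, 0
    for part in TEMPLATE:
        if isinstance(part, list):
            # Longest variant first, so a variant that is a prefix of another
            # cannot be matched by mistake.
            for bit, variant in sorted(enumerate(part), key=lambda v: -len(v[1])):
                if text.startswith(variant, pos):
                    customer_id |= (bit ^ mask[slot]) << slot
                    pos += len(variant)
                    break
            else:
                return None
            slot += 1
        else:
            if not text.startswith(part, pos):
                return None
            pos += len(part)
    return customer_id if pos == len(text) else None


if __name__ == "__main__":
    secret = b"publisher-secret"          # assumed value for the demo
    copy_for_301 = mark(301, secret)
    print(copy_for_301)
    print("traced to customer:", trace(copy_for_301, secret))
```

Two limits are visible straight away: capacity is one bit per slot, so nine slots distinguish at most 512 customers, and any two customers who diff their copies see exactly where the slots are and can splice a copy that traces to nobody, or to a third party. Collusion-resistant codes exist for this, but the patent text quoted above does not claim one.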



Don't bother them with vague academic theories. Your government knows that no one in this country is competent, even as they limit the number of 'foreign devils' they allow in the country. (Only governments know what is best for you.)

http://tech.slashdot.org/story/09/10/28/2313206/Obama-Looks-Down-Under-For-Broadband-Plan?from=rss

Obama Looks Down Under For Broadband Plan

Posted by samzenpus on Thursday October 29, @12:06AM from the put-another-bit-on-the-barbie dept.

oranghutan writes

"The Obama administration is looking to the southern hemisphere for tips on how to improve the broadband situation in the US. The key telco adviser to the president, Sarah Crawford, has met with Australian telco analysts recently to find out how the Aussies are rolling out their $40 billion+ national broadband network. It is also rumored that the Obama administration is looking to the Dutch and New Zealand situations for inspiration too. The article quotes an Aussie analyst as saying: 'There needs to be a multiplier effect in the investment you make in telecoms — it should not just be limited to high-speed Internet. That is pretty new and in the US it is nearly communism, that sort of thinking. They are not used to that level of sharing and going away from free-market politics to a situation whereby you are looking at the national interest. In all my 30 years in the industry, this is the first time America is interested in listening to people like myself from outside.'"


(Related) Because we gotta do something! And in five years, we plan to ignore whatever the academics tell us, using the excuse that it's too late for their Monday morning quarterbacking.

http://www.wired.com/threatlevel/2009/10/smartgrid

Feds’ Smart Grid Race Leaves Cybersecurity in the Dust

By Kim Zetter October 28, 2009 3:00 pm

Amid the government-funded rush to upgrade America’s aging electric system to a smart grid comes a strange confluence of press releases this week by the White House and the University of Illinois.

Tuesday morning, President Obama, speaking at Florida Power and Light (FPL) facilities, announced $3.4 billion in grants to utility companies, municipal districts and manufacturers to spur a nationwide transition to smart-grid technologies and fund other energy-saving initiatives as part of the economic stimulus package.

… Strange, then, that another press release distributed Monday by the Information Trust Institute at the University of Illinois announces a grant of $18.8 million to four academic institutions to fund a five-year research project into securing the power grid.



The perils of Blogging? It is extremely dangerous to be right when those in power are so obviously wrong. (Fortunately, I never fall into that trap.)

http://www.wired.com/magazine/2009/10/mf_minerva/all/1

The Troubles of Korea’s Influential Economic Pundit

By Mattathias Schwartz October 19, 2009 3:00 pm

Until the day he was outed, the most influential commentator on South Korea’s economy lived the life of a nobody.

… Then, in March 2008, Park opened an account on South Korea’s popular Daum Agora forum. Here, he decided, he would call himself Minerva, after the Roman goddess of wisdom, and write exclusively on economics, drawing on both public reports and his years in the stacks poring over Adam Smith and Joseph Stiglitz.

… The post that would bring Minerva worldwide fame appeared on August 25, 2008, under the florid title “Overture to the 2008 Financial Wars: Apocalypse Now in Korea.” It attacked a plan, floated three days before by the Korea Development Bank, to purchase a large chunk of Lehman Brothers. Minerva held forth at length on the stupidity of this idea, given that Lehman was groaning under $50 billion in debt. If KDB invested in Lehman, Minerva wrote, the people of Korea stood to lose as much as $80 billion. Once again, his pessimism proved to be deadly accurate. KDB and Lehman were unable to agree on a sale price. A few weeks later, Lehman filed for bankruptcy.

… Park was packing up his cell phone and laptop, getting ready to meet some friends, when the doorbell rang. Looking through the peephole he saw nothing. Whoever it was had covered the lens. Tentatively, he cracked the door open. Four plainclothes investigators pushed past him, displaying a warrant.

“Would you come with us?” one asked. “We need to ask you some questions.”

For 103 days, the South Korean government held Park in a 50-square-foot cell at a Seoul detention center. Interrogators asked about his family, whether he had a girlfriend, whether he was a spy.

… Park was acquitted of all charges.



Did you know that some students have never listened to Dave Brubeck?

http://www.makeuseof.com/tag/the-internet-music-guidebook-pdf/

DOWNLOAD: The Internet Music Guidebook

Oct. 28th, 2009 By Simon Slangen

… MakeUseOf is proud to present The Internet Music Guidebook, a manual for the internet audiophile. An introduction to the World Wide Web of Sound!

… Don’t wait, download the Internet Music Guidebook now in PDF, to view it offline and on your computer, or read it online on Scribd.com.



http://www.makeuseof.com/tag/lalarm-laptop-security-makes-your-laptop-scream-when-stolen/

LAlarm Laptop Security Makes Your Laptop Scream When Stolen

Oct. 28th, 2009 By Mahendra Palsule

Laptop theft is growing at alarming proportions. One laptop is stolen every 53 seconds, according to Gartner. A study by Dell revealed that over 12,000 laptops are lost in US airports every week.

LAlarm is a free laptop security alarming software. It has several different alarms to help protect your laptop, the most important of them being the Theft Alarm.
