Saturday, January 31, 2009

Tools for stealing data wholesale

P2P networks rife with sensitive health care data, researcher warns

Posted January 30th, 2009 by admin

Jaikumar Vijayan reports on the issue of p2p exposures compromising the security and privacy of health data:

Eric Johnson didn’t have to break into a computer to gain access to a 1,718-page document containing Social Security numbers, dates of birth, insurance information, treatment codes and other health care data belonging to about 9,000 patients at a medical testing laboratory.

Nor did he need to ransack a health care facility to lay his hands on more than 350MB of sensitive patient data for a group of anesthesiologists or to get a spreadsheet with 82 fields of information on more than 20,000 patients belonging to a health system.

In all instances, Johnson was able to find and freely download the sensitive data from a peer-to-peer file-sharing network using some basic search terms.

Johnson, a professor of operations management at the Dartmouth College Tuck School of Business, did the searches last year as part of a study looking at the inadvertent hemorrhaging of sensitive health care data on Internet file-sharing networks.

The results of that study, which are scheduled to be published in the next few days, show that data leaks over P2P networks involving the health care sector pose a significant threat to patients, providers and payers, Johnson said.

Read more on Computerworld

[From the article:

Normally, popular P2P clients -- such as Kazaa, LimeWire, BearShare, Morpheus and FastTrack -- let users download files and share items from a particular folder. But if proper care isn't taken to control the access that these clients have on a system, it is easy to expose far more data than intended. [Note the Windows article below that suggests (confirms?) organizations increasingly rely on employee-owned computers. Bob]

Tools for stealing data retail

OR: State loses 45 Social Security numbers in scam

Posted January 30th, 2009 by admin

Alexander Rich reports:

An online scammer made off with 45 Social Security numbers after sending a virus to a computer at the Department of Human Services office in Coos Bay last week.

The virus arrived in the form of a bogus e-mail with a link on it Jan. 23. When an employee clicked on the link, it downloaded an application that recorded keystrokes and sent them to an external address.


Gene Evans, a DHS spokesman, said the information was taken from Coos County residents applying for assistance through the Self-sufficiency Program. All of those affected were notified of their lost information Monday and provided information about how to limit their risk of identity theft.

Read more in The World

[From the article:

Department officials discovered the virus later in the day and shut down the computer immediately. E-mails were sent to other computers but no one else opened the application. [See? With proper monitoring it can be done! Bob]

… Evans said the department is constantly updating its virus scans, firewalls and staff training to identify scam e-mails that could contain viruses. [Imagine how well security works in organizations that don't aggressively update and train? Bob]

Using your spending data to control their risk. Sounds like a reasonable business tool to me.

American Express Kept a (Very) Watchful Eye on Charges

Saturday, January 31 2009 @ 07:30 AM EST Contributed by: PrivacyNews

You probably know that credit card companies have been scrutinizing every charge on your account in recent years, searching for purchases that thieves may have made. Turns out, though, that some of the companies have been suspicious of your own spending, too.


In some instances, if it didn’t like what it was seeing, the company has cut customer credit lines. It laid out this logic in letters that infuriated many of the cardholders who received them. “Other customers who have used their card at establishments where you recently shopped,” one of those letters said, “have a poor repayment history with American Express.”

Source - NY Times

What say we gather a few consumers and form the Industry Privacy Legislative Forum and make our own recommendations?

Industry Giants to Weigh in on US Privacy Laws

Robert McMillan, IDG News Service Friday, January 30, 2009 5:30 PM PST

A group of U.S. companies, led by technology giants Microsoft, Hewlett-Packard and eBay, is set to outline recommendations for new federal data-privacy legislation that could make life easier for consumers and lead to a standard federal breach-notification law.

The recommendations, which were developed by a group of industry players called the Consumer Privacy Legislative Forum, are set to be released at an upcoming privacy conference six weeks from now, according to Peter Cullen, Microsoft's chief privacy officer.

Do the sharks smell blood in the water or are we looking at the takedown of a schoolyard bully?

If Windows 7 Fails, Citrix (Not Linux) Wins

Posted by kdawson on Friday January 30, @11:08AM from the expedient dept. Windows

Julie188 writes

"Microsoft blogger Mitchell Ashley, who has been using Windows 7 full-time, predicts that Windows 7 will fail to lure XP users away from their beloved, aging operating system — after all, Windows 7 is little more than what Vista should have been, when it shipped two years ago. But eventually old PCs must be replaced and then we'll see corporations, desperate to get out of the expense of managing Windows machines, get wise. Instead of buying new Windows 7 PCs, they could deliver virtualized XP desktops to a worker's own PC and/or mobile device. [Told ya! Companies may offer incentives but employees will choose and buy their computer. Bob] Ashley believes that Citrix's Project Independence has the right idea."

Software as a device...

Judge Rules WoW Bot Violates DMCA

Posted by ScuttleMonkey on Friday January 30, @04:50PM from the bot-having-trouble-climbing-the-slippery-slope dept.

An anonymous reader writes to tell us that Blizzard has added another victory in their campaign against World of Warcraft bots. A federal judge has ruled that not only did the Glider bot break the EULA, it can be classified as a circumvention device under the DMCA.

"As we've noted before, Blizzard's legal arguments, which Judge David G. Campbell largely accepted, could have far-reaching and troubling implications for the software industry. Donnelly is not the most sympathetic defendant, and some users may cheer the demise of a software vendor that helps users break the rules of Blizzard's wildly popular role playing game. But the sweeping language of Judge Campbell's decision, combined with his equally troubling decision last summer, creates a lot of new uncertainty for software vendors seeking to enter software markets dominated by entrenched incumbents and achieve interoperability with legacy platforms."

[From the article:

The judge... ...also found that MDY's founder, Michael Donnelly, was personally liable for the actions of his firm.

… World of Warcraft includes software called a "warden" that scans a user's computer looking for bots such as Glider. [What happens if it mis-identifies my pacemaker and shuts it off? Bob]

… Ars talked to two legal experts at Public Knowledge, a public interest organization that filed an amicus brief in the MDY case last year. Staff attorney Sherwin Siy compared Wednesday's decisions to past decisions that tried to use the DMCA to limit competition in the garage door opener and printer industries. He noted that the purpose of warden seemed less to control access to a copyrighted work than to a network service—quite a different thing. Siy's colleague Jef Pearlman agreed, warning that if the courts weren't careful, we could end up in a situation where "because anything can contain copyrighted works, any access to anything becomes a DMCA violation."

Siy and Pearlman also expressed skepticism at the notion that these "dynamic, non-literal elements" constitute a distinct copyrighted work.

Data Visualization is a hot topic since it helps explain patterns to the statistically-illiterate.

January 30, 2009

Flowing Data: 5 Best Data Visualization Projects of the Year

5 Best Data Visualization Projects of the Year: "Data visualization continues to grow online and in the real world. It exists as masterful art pieces and amazingly useful analysis tools. In both cases though it brings data -- which is oftentimes cryptic -- to the masses and shows that data is more than a bucket of numbers. Data is interesting. As we collect more and more data about ourselves and our surroundings, the data and the visualization will only get more interesting. On that note, I give you FlowingData's picks for the top 5 data visualization projects of 2008. Visualizations were judged based on the use of data, aesthetics, overall effect on the visualization arena, and how well they told a story."

Related? This could become an interesting and useful site, or an electronic supermarket tabloid.

January 30, 2009

Media Tracking of the 44th President Leverages Web 2.0 Spin

Politico 44, dubbed "a living diary of the Obama Presidency," provides readers with an aggregated melange of government documents, issue oriented media coverage in print and video, and well, gossip.

For my Business Continuity class. The solution is to back up your data rather than rely on someone to do it for you.

Ma.gnolia Suffers Major Data Loss, Site Taken Offline

By Michael Calore January 30, 2009 3:56:11 PM

There was a meltdown at bookmark sharing website Ma.gnolia Friday morning. The service lost both its primary store of user data, as well as its backup. The site has been taken offline while the team tries to reconstruct its databases, though some users may never see their stored bookmarks again.

The failure appears to be catastrophic. The company can't say to what extent it will be able to restore any of its users' data. It also says the data failure was so extensive, repairing the loss will take "days, not hours."

In light of today's outage, many are questioning the reliability of web apps and web-based storage in general. Twitter in particular is full of users venting their suspicions.

Potential research tool?

SimilarWeb shows you sites like the one you're on

Posted by Josh Lowensohn January 30, 2009 12:28 PM PST

I stumbled upon a useful site earlier today that's worth sharing. Called SimilarWeb, this small Firefox (and soon Internet Explorer) add-on sits on the side of your browser and pulls up sites that are similar to the one you're currently on.

It works remarkably well--at least with major sites. For example, visiting YouTube brings up a long list of other video hosts. The same went for social news sites like Digg, Reddit, and Delicious. You can scroll through these and open them up in new tabs, or pick from one of the tags SimilarWeb believes to be related to that page. This will pull up an entirely new list of places it thinks you should visit.

What makes the service shine is that users can re-arrange the lists and submit new sites that are not yet in SimilarWeb's index. There are thumbs up and down buttons which can raise or lower a site's standing on the list. Down-voting any site will actually remove it from the list. As a result, if users continue to vote the list gets more accurate.

Friday, January 30, 2009

Interesting twist... New statistic.

Canadian Tire cancels 16,000 Mastercards after Heartland breach results in hundreds of cards being misused

Posted January 29th, 2009 by admin

Canadian Tire (TSX:CTC) says it has cancelled and is re-issuing 16,000 Mastercard credit cards issued by its financial services arm over security concerns.

Spokeswoman Lisa Gibson says the cards were deemed to be at risk after a widespread security breach disclosed last week by Heartland Payment Systems (NYSE:HPY), a U.S. credit card transaction processor.

Gibson says for the most part, the cancelled Options Mastercards were deemed to be at risk because they had been used in the U.S.


Canadian Tire Financial Services manages the country’s second-largest MasterCard franchise, with more than five million accounts.

Read more on Stockhouse

Note: Ms. Gibson informs me that 2% of the cards involved had been misused. [I wonder how that compares to HPS's market share? Bob]

A rather poorly written article. However, it does offer some new information (if it is more credible than the writing style indicates).

Heartland Sniffer Hid In Unallocated Portion Of Disk

Posted January 29th, 2009 by admin

Evan Schuman of StorefrontBacktalk reports:

The sniffer malware that surreptitiously siphoned tons of payment card data from card processor Heartland Payment Systems hid in an unallocated portion of a server’s disk. The malware, which was ultimately detected courtesy of a trail of temp files, was hidden so well that it eluded two different teams of forensic investigators brought in to find it after fraud alerts went off at both Visa and MasterCard, according to Heartland CFO Robert Baldwin.

“A significant portion of the sophistication of the attack was in the cloaking,” Baldwin said.

Payment security experts pretty much agreed that hiding files in unallocated disk space is a fairly well-known tactic. But it requires such a high level of access—as well as the skill to manipulate the operating system—that it also indicates a very sophisticated attack. One of those security experts—who works for a very large U.S. retail chain and asked to have her name withheld—speculated that the complex nature of the hiding place, coupled with the relatively careless leaving of temp files, could suggest a less-skilled cyberthief who simply obtained some very powerful tools.

Read more on StorefrontBacktalk

[From the article:

Baldwin also added more details to the sketchy timeframes that have been revealed thus far about the attacks, specifying that Heartland was contacted by Visa and MasterCard “in very late October,” possibly October 28.

… Some of the problem might not involve common points of purchases or common points of processors as much as common points of high-tech hoodlums. Baldwin said Justice Department and U.S. Secret Service officials have told him “the bad guys they think got us have successfully breached other financial institutions.” [Something to look forward to? Bob]

… After the card brands alerted Heartland in late October, it took about two weeks of internal investigation to conclude that, yes, the company had been breached. [In their Inaugural Day announcement, they stated that they found “evidence of the intrusion last week” Bob]

… The company hired a forensic investigation team to come in and focus solely on that one area, an effort that ultimately proved fruitless. “We found issues in a large segment of our processing environment. The one that looked like the most promising turned out to be clean,” he said. [Translation: “Your security looks like Swiss Cheese and you don't log anything, so we can't tell what happened.” Bob]

… Heartland on Tuesday (Jan. 27) announced that it will be creating a new department that will be “dedicated exclusively to the development of end-to-end encryption.” [“But don't expect us to succeed, since we've already pointed out that getting every cash register/card swipe machine to encrypt using a common technique is likely to be impossible.” Bob]

Not everything is related to HPS... (maybe)

Ca: Debit scam victims now in the ‘hundreds’

Posted January 29th, 2009 by admin

This incident keeps growing and growing…

Joe Belanger reports:

Police now confirm there are “hundreds” of victims in a debit card scam in Stratford.

Although police said every financial institution was hit, they’ve confirmed there were more than 350 victims at just two banks.

“We’re just starting to extrapolate the data, but it’s obviously in the hundreds,” said Det. Inspector Sam Theocharis.

Asked how much money the culprits have scammed, Theocharis said: “Who knows? We can’t say for sure just yet, but it’s well over $100,000. Right now, I can say there’s no bank that hasn’t been affected.”

Police are working with Interac Canada, the Canadian Bankers Association, and security branches of the various banks to try and gauge the breadth of the scam, which was discovered last weekend as Stratford residents began seeing money disappear from accounts and debit cards were disabled.

Read more in the London Free Press

[From the article:

The CBA says debit card fraud is a problem, but not as widespread as some may think. Less than one per cent of the 21 million debit cards in circulation in 2007 were hit by fraud, with the total amount lost estimated at $107 million. [One percent of 21,000,000 is 210,000. $107,000,000 divided by 210,000 works out to about $51 per card. If you can go through 1000 cards a week, that's not a bad income. Bob]

Told ya!

Pointer: SQL Server Database Hack Tricks Forensics

Posted January 29th, 2009 by admin

OK, because I’m not a security professional but a privacy advocate, I generally do not post just “straight security” news items, but this one really touches on an issue that keeps coming up.

How many times have we been told that some unnamed or named forensics service examined a recovered laptop or a hacked database and was able to determine that nothing happened, etc.?

For years, I have been told by security professionals I know that such statements are inaccurate and that it is certainly possible to access data without leaving any evidence that forensic examiners would find. And for years, I have argued that press releases should honestly say, “As far as we can tell…” instead of making blanket assurances that are probably false. Now this, from Kelly Jackson Higgins of Dark Reading:

A database security researcher will demonstrate at Black Hat DC next month how an attacker can cover his tracks using anti-forensics techniques after breaking into a SQL Server database.

Cesar Cerrudo, the lead researcher for Application Security Inc.’s Team SHATTER and founder and CEO of Argeniss, says he will show a proof-of-concept that circumvents forensics investigations by abusing some inherent features in the database. “If the attacker has done a good job of removing his tracks, then it becomes pretty difficult to determine what was done, how it was done, why, and by whom,” Cerrudo says.

Read more here.

[From the article:

An attacker who infiltrates a database can even frame another person for the attack using antiforensics techniques. "One of the scary things about these antiforensics techniques is that the attacker can point investigators in the wrong way by making it look like another person performed the attack," Cerrudo says.

… "Without logs or [with] confusing logs, investigation becomes harder, the evidence is not enough, and in order to find the real culprit you must find real evidence that points to him," Cerrudo says.

How can an organization protect itself from such an attack? "Nowadays, using a third-party monitoring mechanism should be a must since built-in security mechanisms can't protect [the database] once the attacker has enough permissions," he says.
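One way to put Cerrudo's advice into practice, as an added example that is not from the Dark Reading article or from his Black Hat material: forward each database audit event to a monitoring host the attacker cannot reach, and chain the forwarded records with an HMAC so that deleting, editing or reordering any of them (including the "frame someone else" edit described above) is detectable. The key, the event format, the sample events and the function names are all assumptions constructed for this example.

```python
"""Tamper-evident mirror of database audit events (constructed example)."""
import copy
import hashlib
import hmac
import json

# Assumption: this key is held only by the monitoring host, never by the
# database server, so a database-level compromise cannot forge the chain.
MONITOR_KEY = b"constructed-example-key-replace-in-practice"
GENESIS = "genesis"


def _digest(prev_digest, event):
    """HMAC over the previous record's digest plus the canonical JSON of this event."""
    canon = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(MONITOR_KEY, prev_digest.encode() + b"\n" + canon,
                    hashlib.sha256).hexdigest()


def append_event(chain, event):
    """Forward one audit event to the mirror, linking it to the record before it."""
    prev_digest = chain[-1]["digest"] if chain else GENESIS
    record = {"seq": len(chain), "event": event,
              "digest": _digest(prev_digest, event)}
    chain.append(record)
    return record


def verify_chain(chain, head_digest):
    """Check a mirror against the head digest the monitor stored separately.

    Returns (True, None) when intact, otherwise (False, seq) where seq is the
    first position that was deleted, edited or reordered. Comparing against the
    stored head digest is what catches an attacker who only trims the tail.
    """
    prev_digest = GENESIS
    for expected_seq, record in enumerate(chain):
        if record["seq"] != expected_seq:
            return False, expected_seq          # gap or reorder
        if record["digest"] != _digest(prev_digest, record["event"]):
            return False, expected_seq          # edited in place
        prev_digest = record["digest"]
    if prev_digest != head_digest:
        return False, len(chain)                # records trimmed from the end
    return True, None


# Constructed sample events in the shape a database audit feed might produce.
SAMPLE_EVENTS = [
    {"ts": "2009-01-29T02:14:07Z", "login": "svc_reports", "host": "10.0.0.23",
     "stmt": "LOGIN"},
    {"ts": "2009-01-29T02:15:41Z", "login": "svc_reports", "host": "10.0.0.23",
     "stmt": "SELECT * FROM Patients"},
    {"ts": "2009-01-29T02:16:02Z", "login": "svc_reports", "host": "10.0.0.23",
     "stmt": "DELETE FROM AuditTrail WHERE login = 'svc_reports'"},
]


def build_mirror(events=SAMPLE_EVENTS):
    """Forward all events; return the chain and the head digest the monitor keeps."""
    chain = []
    for ev in events:
        append_event(chain, ev)
    return chain, chain[-1]["digest"]


def detect_deletion():
    """The incriminating DELETE record is removed from the mirror copy."""
    chain, head = build_mirror()
    tampered = copy.deepcopy(chain)
    del tampered[2]
    return verify_chain(tampered, head)


def detect_edit():
    """The source host on the SELECT record is rewritten to point at someone else."""
    chain, head = build_mirror()
    tampered = copy.deepcopy(chain)
    tampered[1]["event"]["host"] = "10.0.0.99"
    return verify_chain(tampered, head)


if __name__ == "__main__":
    chain, head = build_mirror()
    print("intact:", verify_chain(chain, head))
    print("deleted record:", detect_deletion())
    print("edited record:", detect_edit())
```

The mirror only proves that its own copy is intact; it still needs the database to emit the events in the first place, which is why the forwarding path must not be controllable from within the database.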

Technology you can (lie and) rely on?

Lie Detector Company Threatens Critical Scientists With Suit

Posted by timothy on Thursday January 29, @04:18PM from the slapp-ing-them-around dept. Censorship The Courts Science

An anonymous reader writes

"The Swedish newspaper DN reports that the Israeli company Nemesysco has sent letters to researchers at the University of Stockholm, threatening legal action if they do not stop publishing findings (Google translation). An article called 'Charlatanry in forensic speech science: A problem to be taken seriously' was pulled by the publisher after threats of a libel lawsuit."

Online translations can be a little wonky; if your Swedish is as bad as mine, this English-language article describes the situation well.

[From the second article:

The article's conclusion is that there is no scientific evidence to show that lie detectors actually work.


BBC Snakeoil: 'Perfectly Accurate' Voice Recognition Phone 'Too Secret' to See

By Charlie Sorrel January 30, 2009 6:53:51 AM

Just to point out what can be done. Contrast with what your cable company is doing?

Charter Launches 60 Mbps Service

Posted by timothy on Thursday January 29, @06:01PM from the deepening-the-digital-divide dept. The Internet Networking

ndogg writes

"While other companies are throttling their services, and capping bandwidth, Charter Communications, the cable company, is launching a 60/5 Internet service, starting in St. Louis, MO. It's certainly not cheap, starting at 129.99 per month (add another 10 if it's not being bundled with television or phone.) Currently, it's the fastest downstream speed available, and being a cable company, they potentially have greater reach than FiOS."

However, there may be a risk to putting too much money down on this service; Charter Communications as a company faces some serious financial problems right now. Reader Afforess writes, "rumors abound that Paul Allen may just cut his losses and run," by selling the company. (Allen is the majority stockholder.)

“We work hard to develop the best games possible, then our marketing guys wrap it in DRM software that makes it inaccessible to our customers.” (Does this sound SONY-like?)

DRM Shuts Down PC Version of Gears of War

Posted by Soulskill on Friday January 30, @01:58AM from the you-know-what-really-grinds-my-gears dept. Games

carlmenezes writes

"It seems that the DRM on the PC version of Gears of War came with a built-in shut-off date; the digital certificate for the game was only good until January 28, 2009. Now, the game fails to work unless you adjust your system's clock. What is Epic's response? 'We're working on it.'"

Is this an “Our geeks are better than your geeks” issue, or is it because the fix is simple on Google's side? Will Apple sue?

Google fakes out Hotmail for Chrome support

Posted by Stephen Shankland January 29, 2009 9:19 PM PST

… "While the Hotmail team works on a proper fix, we're deploying a workaround that changes the user agent string that Google Chrome sends when requesting URLs that end with," Chrome Product Manager Mark Larson said in a blog announcement. It also fixes a problem sending mail from Yahoo Mail, he said.

Something for those Ethics guys to argue about?

Do Humanlike Machines Deserve Human Rights?

By Daniel Roth 01.19.09

Something for students who haven't taken the “Ethics and the Computer” class

'Obama worm' probably a student prank, experts say

Posted by Elinor Mills January 29, 2009 4:10 PM PST

… "Someone played around with one of the many number of DIY malware kits and just added this small social engineering bait of Obama's picture," he wrote in an e-mail.

So which is it? $10 or $100

India Will Show Its $10 Laptop Prototype

Posted by timothy on Friday January 30, @08:09AM from the better-than-a-chicken-in-every-pot dept. Portables Hardware

Tech Ticker writes

"The Indian Government last year announced the development of a cheap $10 laptop, but it was later rectified as a $100 laptop. Now the government has announced that HRD minister Arjun Singh will unveil the prototype of a Rs. 500 ($10) computer. The computer is developed by the Indian Institute of Science (IISc), Bangalore, and Indian Institute of Technology (IIT), Chennai. No specifications were revealed but DNA, a daily newspaper, has mentioned that it will be small and portable, will feature Wi-Fi, LAN, and expandable memory, and will operate on 2 watts of power."

We're watching you! - Transparent Lawmaking

Lawmaking has always been on the shady side of things. Luckily for us non-politician folks, the internet has been striving to make things more transparent, and now there’s

The site aims to make things easier for us to understand, keeping a close eye on all of our elected officials. You can search for officials by state, name, or position, making it easy to find the person you want to keep an eye on. The site’s design is simple enough to make the content stand out, so you won’t get lost with too much over the top designs. Each member profile is filled with very interesting information, and profiles are updated every time there are new things to report. [Not really. They still show Ken Salazar as a Senator. Bob]

It’s amazing to see how good this can be to everyone, as both lawmakers and regular folk will be able to benefit from government transparency. If you feel transparency is good for American politics, then you must check out

This immediately brought an old joke to mind. A friend asked if I would pour a bottle of Jack Daniel's over his grave. I promised I would even filter it through my kidneys first. (Ta dum bum)

Power In Scotland From Tides and Whiskey

Posted by timothy on Friday January 30, @06:17AM from the plus-the-spinning-corpse-of-william-wallace dept. Earth Power Technology

… And reader Mike writes

"Here's something to raise a glass to: recently the Rothes consortium of whiskey and scotch distillers announced that they have partnered with Helius Energy to install a power plant fueled entirely by whiskey by-products. The completed plant will use biomass cogeneration to convert draff and pot ale from the distillery into 7.2 MW of electricity — enough to power 9,000 homes."

Thursday, January 29, 2009

These “little” problems will be coming up for months as more credit unions and banks “realize” their frauds are tied to the HPS breach. I'll try to ignore them in future, unless there is something interesting or unusual in the article.

NC: SECU probes fraud cases after security breach

Posted January 28th, 2009 by admin

Renee Chou reports:

Officials with the State Employees Credit Union are investigating 40 cases of fraud in the wake of a security breach at a company that processes credit card payments nationwide.


SECU receives card transactions through Visa, which receives the transactions from Heartland. The credit union has issued new credit cards and personal identification numbers to its 62,000 cardholders as a precaution.

“We want to take what will be the most costly approach [I doubt that's what he said... Bob] but the most proactive approach and close those cards as quickly as we can,” said Leanne Phelps, SECU senior vice president.


Financial institutions aren’t required to notify customers about the Heartland breach, she said, but the SECU chose to do so to alert their customers about the potential for fraud.

Read more on WRAL

Is this happening in the US? It might get congressional attention (well, I did say might.)

UK: Banks refuse to pay card fraud refunds as surge in victims leads to harder stance on claims

Posted January 28th, 2009 by admin

Sean Poulter reports:

Banks are increasingly refusing to compensate card fraud amid a surge in the number of victims.

One in four Britons - more than 12 million people - has been a victim of some form of card fraud in the past year, research has revealed.

The average loss was more than £650, with one in 20 losing more than £2,000, the poll of 1,679 credit and debit card holders found.

The firm behind the study, Card insurer CPP, [Is this just a ploy to sell cardholders more insurance? Bob] says there is evidence that banks are reacting by refusing to refund those who cannot prove they have been victims of a fraud. [What constitutes proof? Bob]


The introduction of the chip and PIN security regime in 2006 was supposed to defeat the problem but critics claim its most significant effect has been to transfer the responsibility for criminal card losses from banks to customers and retailers.

Read more in the Daily Mail

[From the article:

'The banks have been lying about the security of their systems and the industry regulators have been completely gullible.'

Every now and then, the level of managerial stupidity astonishes me.

HMRC criticised over security concerns of online tax returns

Thursday, January 29 2009 @ 06:45 AM EST Contributed by: PrivacyNews

HM Revenue & Customs is facing fresh criticism after users complained that its tax self-assessment website reveals their password in the URL address bar.

Users claimed that while filling in their online tax forms, their personal details would be at risk because the username field has an auto-complete function. One user claimed that when he clicked on a link to open the ‘about you' page, his password was displayed in the browser address bar, and when a page was printed off the password was printed as part of the URL.

… HMRC claimed that the URL does not contain the customer's password, but shows a unique taxpayer record (UTR) number. In a statement it said: “To log in to our secure services a user ID and password is required; the UTR is not based on either of these.”

Source - SC Magazine Thanks to Brian Honan for this link.
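Whether the value in the address bar is a password or a UTR, anything carried in a GET query string ends up in browser history, printed pages, Referer headers and web-server logs, which is the exposure the users above were complaining about. The following is an added example, not code from the SC Magazine article or from HMRC: a scan of constructed access-log lines that flags query parameters whose name suggests a credential and, separately, values shaped like a taxpayer reference. The parameter names, the assumed 10-digit UTR shape, the paths and the log lines are all assumptions for the example.

```python
"""Flag credentials and personal identifiers leaking via URL query strings.

Constructed example: the parameter names, the UTR shape and the log lines
are assumptions, not HMRC's real format.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that should never travel in a query string (assumed list).
PASSWORD_PARAMS = {"password", "passwd", "pwd", "pass", "pin", "secret"}
# Assumed shape of a unique taxpayer reference: ten digits.
UTR_RE = re.compile(r"^\d{10}$")
# Request line inside a Common Log Format entry.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed access-log lines: one UTR in the URL, one password in the URL,
# one correct POST login, and one harmless "password" help topic.
SAMPLE_LOG = """\
10.1.2.3 - - [29/Jan/2009:09:12:01 +0000] "GET /sa/aboutyou?utr=1234567890&page=2 HTTP/1.1" 200 5120
10.1.2.4 - - [29/Jan/2009:09:12:07 +0000] "GET /sa/login?user=jsmith&password=Winter09 HTTP/1.1" 302 0
10.1.2.5 - - [29/Jan/2009:09:13:44 +0000] "POST /sa/login HTTP/1.1" 302 0
10.1.2.6 - - [29/Jan/2009:09:14:10 +0000] "GET /sa/help?topic=password HTTP/1.1" 200 880
"""


def classify_url(target):
    """Return a list of (kind, param_name) findings for one request target.

    Parameter values are deliberately not included in the findings, so the
    report itself does not become another place the secret is written down.
    """
    findings = []
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() in PASSWORD_PARAMS:
            findings.append(("credential", name))
        elif UTR_RE.match(value):
            findings.append(("identifier", name))   # PII even if not a secret
    return findings


def scan_log(text):
    """Return (line_no, method, path, findings) for each line with a leaky query."""
    results = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = REQ_RE.search(line)
        if not m:
            continue                                  # not a request line
        findings = classify_url(m.group("target"))
        if findings:
            path = urlsplit(m.group("target")).path
            results.append((line_no, m.group("method"), path, findings))
    return results


if __name__ == "__main__":
    for line_no, method, path, findings in scan_log(SAMPLE_LOG):
        kinds = ", ".join(f"{kind} in '{name}'" for kind, name in findings)
        print(f"line {line_no}: {method} {path}: {kinds}")
```

Moving the value into a POST body or a session cookie keeps it out of the URL, which is what the third sample line shows the scanner accepting.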

New terms!

Cleland: Privacy battle looming

Wednesday, January 28 2009 @ 01:51 PM EST Contributed by: PrivacyNews

Industry trends such as cloud computing, the push to go paperless and Web 2.0 services that use information on individuals’ Internet usage all pose new threats to consumer privacy at a time when consumers are more concerned with protecting that privacy, a consultant to the broadband industry cautioned.

Scott Cleland, founder and president of Precursor, used the occasion of World Data Privacy Day to post on the firm’s blog — viewable at — cautioning of growing tension along what he terms “the privacy/publicacy fault-line.” Cleland coined the term “publicacy” in testimony to Congress last summer regarding concerns over service provider use of deep packet inspection, saying it means the opposite of privacy.

Source - Telephony Online

[From the article:

“There is a huge privacy arbitrage going on, on the Net where some players have very strict privacy laws and regulations — legacy players like ISPs, health care providers or banks — but if you are a Web 2.0 company, you think you have a pass on respecting privacy,” Cleland said. [My take is that each new technology must re-invent the same solutions to the same problems that earlier technologies faced. I call it the “Don't nobody never learn nothing?” syndrome. Bob]

[From the Blog:

Many in the Web 2.0 community believe in the "publicacy ethos" where if technology innovation can make information public, it should be public and that there should be no permission or payment required to access, use or remix this new 'public' information. [Not sure I agree with that. Bob]

I think they got one right. (I tossed this in because many of you will find it amusing that I could agree with the Ninth...) This could have been more clear-cut if review of transcripts was a regular management responsibility. But it is the department's system, they set the rules. Why would it be unexpected that they would monitor how it is used?

Ninth Circuit Denies En Banc Review in Text Message Privacy Case

Wednesday, January 28 2009 @ 10:36 AM EST Contributed by: PrivacyNews

The Ninth U.S. Circuit Court of Appeals, over the dissent of seven of its judges, yesterday declined to review en banc a ruling that the Ontario Police Department violated an employee’s right to privacy when supervisors examined the contents of text messages sent on department pagers.

A panel of the court ruled in June that the department violated the Fourth Amendment rights of Sgt. Jeff Quon and three others to whom he sent text messages when the department obtained transcripts from the service provider and examined the messages’ contents to determine whether a monthly overage charge resulted from personal use.

Source - Metropolitan News-Enterprise

Unexpected. I wonder what the real reason is? “Impossible” has never been a factor – maybe he has a history of soap stealing?

UK Government Abandons Piracy Legislation

Posted by CmdrTaco on Wednesday January 28, @10:49AM from the abandon-all-hope-ye-who-enter-here dept. The Internet

arcticstoat writes

"Following last year's reports of a scheme to 'ban' pirates from the Internet via ISPs in the UK, it looks as though the UK government has now decided to back down on the plan, saying that it hopes it won't have to apply 'the heavy hand of legislation'. The UK's Intellectual Property Minister, David Lammy, said that 'I'm not sure it's actually going to be possible,' as a result of the complexities of enforcing such legislation. Lammy also revealed that he had a different opinion on file sharers than many people in the music industry. He pointed out that there's a big difference between organized counterfeiting gangs and 'younger people not quite buying into the system'. He added that 'we can't have a system where we're talking about arresting teenagers in their bedrooms. People can rent a room in an hotel and leave with a bar of soap — there's a big difference between leaving with a bar of soap and leaving with the television.'"

Is your ISP slowing your Internet speed? Gather evidence, then sue?

January 28, 2009

Google Announces open platform to deploy Internet measurement tools

Google Public Policy Blog: "When an Internet application doesn't work as expected or your connection seems flaky, how can you tell whether there is a problem caused by your broadband ISP, the application, your PC, or something else? It can be difficult for experts, let alone average Internet users, to address this sort of question today... Today Google, the New America Foundation's Open Technology Institute, the PlanetLab Consortium, and academic researchers are taking the wraps off of Measurement Lab (M-Lab), an open platform that researchers can use to deploy Internet measurement tools." [See About Measurement Lab for more details including a FAQ]

Related: In case you thought that monitoring ISPs wasn't necessary. ALSO: Look at what they can identify by peeking at packets!

Cox to try coaxing the Internet into submission

Posted by Dong Ngo January 28, 2009 1:00 PM PST

Cox Communications, the third-largest cable Internet provider in the U.S., announced Tuesday that starting February, it will begin testing a new method of managing traffic on its high-speed Internet network in Kansas and Arkansas.

...and Blogs are for nearly-old people?

January 28, 2009

Pew Survey: Generations Online in 2009

News release: "Over half of the adult internet population is between 18 and 44 years old. But larger percentages of older generations are online now than in the past, and they are doing more activities online, according to surveys taken from 2006-2008. Contrary to the image of Generation Y as the "Net Generation," internet users in their 20s do not dominate every aspect of online life. Generation X is the most likely group to bank, shop, and look for health information online. Boomers are just as likely as Generation Y to make travel reservations online. And even Silent Generation internet users are competitive when it comes to email (although teens might point out that this is proof that email is for old people)."

Related? Wikis are for old lawyers? I have found that a “class wiki” is still too much for my students. Perhaps a longer term/wider scope wiki would succeed.

January 28, 2009

New on Collaboration Through Wikis at Hicks Morley

Collaboration Through Wikis at Hicks Morley - Heather Colman explains how wikis were an ideal KM solution for her law firm. Quick and easy to set up, requiring little IT support, wikis support central data repositories and provide features including search capabilities, email, RSS, and also allow users to create a taxonomy of subject tags to classify information.

Consider. If you want to adopt popular (political) causes, you should check the facts you have already published. It won't change your mind, but perhaps you won't look as foolish.

Study challenges AGs on predator danger

Posted by Larry Magid January 28, 2009 4:04 PM PST

There's a war of words brewing, with several Internet safety organizations, researchers, and social-networking companies on one side and some state attorneys general on the other.

Earlier this month, the Internet Safety Technical Task Force, run out of Harvard's Berkman Center for Internet & Society, issued a report stating that Internet predator danger to kids is not as high as some have claimed. The report was immediately criticized by a number of attorneys general including Tom Corbett of Pennsylvania. And on Monday, an Internet safety organization in Oregon published a study that claims that data from press releases on Corbett's own Web site fail to back up his claims about Internet dangers.

The new study (PDF), from the Center for Safe and Responsible Internet Use (CSRIU), challenges recent assertions by several state attorneys general that young people are at significant risk from online predators on social-networking sites. It specifically analyzes press releases from the Pennsylvania attorney general about cases in the Keystone State.

Sounds like a 'call for papers.' At least a good article would be helpful...

Teachers Need an Open Source Education

Posted by timothy on Thursday January 29, @06:20AM from the yer-darn-tootin' dept. Education GNU is Not Unix Operating Systems Linux writes

"Teachers are sorely in need of an education in what open source software is, what it isn't, and how it can benefit their students. A recent news story at the Reg discussed the case of a Texas teacher who accused those distributing Linux to students of committing criminal acts. A HeliOS blog entry exposes a "higher education" culture of apathy, lies, and fear of open source software. Things have got to improve, and that improvement needs to start with misguided teachers getting their facts straight."

Replies to the call for a taxonomy!

A better way to understand cloud computing

Posted by James Urquhart January 28, 2009 3:59 PM PST

Earlier Wednesday, I wrote about the consensus on the need for a cloud taxonomy that was reached by the participants of the Cloud Interoperability meeting prior to Cloud Connect last week. But a couple of cloud ontologies have come to light that provide a great starting point for taxonomy discussions.

This can't be right...

Microsoft Releases Source Code For Web Sandbox

Posted by timothy on Wednesday January 28, @01:15PM from the could-easily-be-the-biggest-open-source-company dept. Microsoft Software Security News

nandemoari writes

"After flirting with open source development for some time, Microsoft has made another step towards real commitment with the release of source code for Web Sandbox, a program used to test and secure web site content. The Sandbox source code will be released under the Apache 2.0 license, an open source license agreement allowing the content creator to maintain copyright while permitting others to develop the product for their own use. Microsoft has gradually been increasing their involvement with the Apache Software Foundation (ASF) since 2008 when they agreed to fund development of certain ASF initiatives."

This is for my statistics class... Honest!

Our guide to sports statistics sites

Posted by Don Reisinger January 28, 2009 5:10 PM PST

Hey kids! Now you can play the Wheaties Game! Learn to crush those evil Cheerios!

Video Game Conditioning Spills Over Into Real Life

Posted by CmdrTaco on Wednesday January 28, @12:18PM from the here-we-go-again dept. Games

doug141 writes

"Lessons learned in video games may transcend computers, PlayStations and Wiis. New research suggests that virtual worlds sway real-life choices. Twenty-two volunteers who played a cycling game learned to associate one team's jersey with a good flavored drink and another team's jersey with a bad flavored drink. Days later, 3/4 of the subjects avoided the same jersey in a real-world test. Marketers and lawyers will take note."

For my website students - RSS Feeds For Dummies

Feel like adding an RSS feed to your site but have absolutely no idea how to do it? If that is indeed the case, you have come to the right site. In essence, Quickest RSS is a new service that will let you come up with an RSS feed of your own without having to go through any technical procedure, and without having any coding skills.

All you have to do is specify a URL to be used as the starting point, set down a name for the feed page title, and then twiddle with some parameters like the colors of the feed page. Upon doing so, an RSS feed will be created there and then for you to put to good use.

Just in case, the site lists the RSS feeds that have been created recently on its main page. This way, you will be able to see what the resulting feed will look like, and whether or not it will suit your needs before you get down to actually creating one. In any case, the service is wholly free, so that if you decide to give it a try you will have nothing to lose.

This was much more interesting than I expected. I found two interesting ideas in two minutes! I wonder if this would work in other areas (e.g., Education) - Innovative Business Ideas

This site offers internauts a daily fix of “fresh and feisty business ideas” along with cool twists and classic tips and formulas that prove to do well time and again. They say that thinking big always pays out, and that seems to be the spirit that motivates the site.

The ideas themselves are arranged into categories such as “Business idea collections”, “Retail business ideas” and “Marketing & Advertising”. The website also makes room for a “Social Causes and Non-profits” category, and that is always a nice addition.

As it was to be expected, a “Submit an idea” link is provided in the event you wish to make a contribution of your own and share your vision with the world at large. If the guys and gals behind the project like it, they might promote it on the site and link back to your site or blog.

The Iddictive project has just emerged, and some features that the team hopes to implement soon include badges for added visibility, and an enhanced submission form. In the meantime, drop by the site if you have a creative vein that you would like to exploit, or if you are looking for fresh inspiration.

[What I found:

Start an Online Video Tutorial Business

I know some people who should be doing this... - A Marketplace Of Knowledge

The Coggno Marketplace is a resource that has one specific aim, namely connecting organizations in pursuit of e-learning and assessment contents with the ones that can provide exactly that. Those who sign up become what are termed “Coggno Authors”, and from that point onwards they can sell the contents they create and their knowledge to the organizations that wish to acquire it.

As the author, you have the right to set down the price beforehand. The cost of licenses tends to oscillate between 10 and 450 US$. For its part, payments are handled via checks, and these are sent out twice per month.

Moreover, you specify the licensing rules that will apply to the content that you have authored. The site also includes a whole section that details syndication policies, so that every doubt is dispelled.

When all is said and done, this site offers those that have an expertise in any particular industry a chance to share these skills and generate an income for doing so. If you think you have special skills or knowledge that could translate into a corporate asset, then Coggno will suit you fine.

For a buck, you can make people believe you can solve Rubik's cube – if they don't watch you do it... (Might make a fun challenge for my programming class.)

iPhone App Solves Rubik's Cube in 20 Moves or Better

By Michael Calore January 28, 2009 4:08:46 PM

Wednesday, January 28, 2009

I'm wearing a T-shirt that reads: It's International Privacy Day – Piss Off!

How To Celebrate Privacy Day (And How Not To)

Tuesday, January 27 2009 @ 06:50 PM EST Contributed by: PrivacyNews

Wednesday, Jan. 28, has been designated International Privacy Day, and I'm still not sure how to celebrate. Should I invite all of my friends and family over, then go in the bathroom, lock the door, and make an entry in my personal diary? Or maybe we should all put on funny hats and go outside with noisemakers, screaming, "It's none of your friggin' business!!" Ah, those holiday traditions.

Seriously, though, I'm a little confused. Who is this international day of observance for? It can't be for private citizens -- we already know the value of our privacy and how much we treasure it. If anybody's going to celebrate my privacy, I wish it could be the other parties out there who seem to disregard it on every other day of the year.

Source - Dark Reading

Now that we have your attention...

Washington state CUs introduce data breach bill

Posted January 27th, 2009 by admin

In the wake of the Heartland Payment Systems data breach announced last week, Washington state’s credit unions once again have introduced legislation to encourage financial institutions to take “extraordinary proactive steps” to protect consumers from identity theft and financial fraud after a breach.

Receiving its first hearing Thursday before the full House Financial Institutions and Insurance Committee, HB 1149 is sponsored by State Reps. Brendan Williams (D-22), Dan Roach (R-31), Geoff Simpson (D-47), Steve Kirby (D-29), Hans Dunshee (D-44), Sharon Nelson (D-34) and Timm Ormsby (D-33).

Like a similar proposal last year, the bill would allow credit unions and other financial institutions to sue negligent data breachers for the cost of aggressively protecting Washingtonians’ personal and private information.

Read more on CUNA. More info on HB 1149.

First out of the blocks. (These are neither fast nor satisfying. See the next article.)

Send in the lawyers (Heartland Payment Systems update)

Posted January 27th, 2009 by admin

Over on Computerworld, Jaikumar Vijayan reports that a class action lawsuit has been filed in the Heartland Payment Systems breach:

A Pennsylvania law firm today filed the first class action lawsuit related to the breach. The lawsuit was filed by Chimicles & Tikellis LLP of Haverford, PA on behalf of Alicia Cooper, a resident of Woodbury, MN, and others who might have been affected by the breach.

The complaint, filed in the U.S. District Court for the District of New Jersey in Trenton, alleges that Cooper, whose card was compromised in the breach, and others, were victims of Heartland’s negligence in protecting card-holder data. The lawsuit, which calls for a jury trial, charged Heartland with breach of contract, breach of implied contract and breach of fiduciary contract for the breach.

Comment: OK, here’s the thing: if the banks reverse the charges so that the individuals have not incurred any actual financial harm, are we back to the situation where courts will throw out the lawsuits because plaintiffs cannot demonstrate “harm?”

My share should be about $0.08; fortunately I suffered no great harm (cussing the VA's security failures apparently doesn't count).

VA agrees to settle data theft lawsuit

Posted January 27th, 2009 by admin

The Associated Press is reporting:

The Veterans Affairs Department has agreed to pay up to $20 million to veterans for exposing them to possible identity theft in 2006 after losing their sensitive personal information.

In court filings Tuesday, lawyers for the VA and the veterans said they had reached agreement to settle the veterans’ lawsuit alleging invasion of privacy. The money will be used to pay for veterans who suffered actual harm, such as emotional distress or expenses incurred for credit monitoring.

Comment: the AP describes the incident as a lost laptop that was later recovered. The May 2006 incident involved the theft of a laptop from a VA analyst.

Update: a fuller version of the AP story does note that the laptop had been stolen in a home burglary. The proposed settlement would give veterans who show harm from the data theft payments ranging from $75 to $1,500, with any balance of the settlement being donated to veterans’ charities agreed to by the parties, such as the Fisher House Foundation Inc. and The Intrepid Fallen Heroes Fund. The proposal still has to be approved by the judge.

It would be interesting to list some hacker (or if you prefer, intelligence gathering) techniques and compare them to current rules of evidence.

Ca: Technology straining paper-era privacy laws

Wednesday, January 28 2009 @ 06:07 AM EST Contributed by: PrivacyNews

Something about the image of Big Brother sifting through cellphone records of 7,000 law-abiding citizens touched a nerve in Mr. Justice Michael Quigley of the Ontario Superior Court.

In a ruling several weeks ago, Judge Quigley denied police the fruits of their "high-tech fishing expedition" - uncovering a series of cellphone calls that potentially linked several suspected jewellery store robbers.

It was a classic clash between privacy and new technology, and Judge Quigley was intent on applying aging provisions to a scenario never anticipated by those who drafted them.

Source - Globe and Mail

[From the article:

He argues that the definition of what constitutes a "reasonable" search has got to change: "The real issue is not making electronic information off limits, but making sure that access is regulated using the same values as we apply to regulate real-world searches."

“You can't be serious! That would make us just like those second class citizens we're supposed to keep in line!”

LAPD, union tangle over collection of officers' DNA

Tuesday, January 27 2009 @ 05:33 PM EST Contributed by: PrivacyNews

Since its arrival as a crime-fighting tool, Los Angeles police officers have aggressively used the power of DNA technology to solve countless cases.

When it comes to handing over their own genetic code, however, they've been told to be a lot more reticent.

Source - Los Angeles Times

Makes me want to say: “Well DUH!”

Microsoft Study Finds Consumers Want Control Over Data

Wednesday, January 28 2009 @ 06:08 AM EST Contributed by: PrivacyNews

The software vendor's commissioned research will be revealed during a panel discussion with leaders from the California Office of Privacy Protection, Intel, and MySpace.

Source - InformationWeek

[From the article:

"We wanted to understand how different segments of consumers, from teens to professionals to boomers, thought about privacy," he said. "There were some rather interesting results that came out of this."

"Our hypothesis is that across these three segments, there would be different ways of thinking about these things," said Cullen. "We were really surprised to learn there's a large degree of similarity in the way people think about privacy."

… The top areas of concern for consumers in the Microsoft focus groups were identity theft (for all segments), child protection (for parents), and the sharing or selling of personal information without consent (for all segments).

See the sidebar for a summary of what he found and what he didn't (yet)

What Web Surfers Can Find Out About You

Posted by kdawson on Tuesday January 27, @02:39PM from the private-first-class dept.

cweditor writes in with an updated version of a story the likes of which you might have read before, What the Web Knows About You. But reporter Rob Mitchell found out vastly more about himself (his research subject) online than he could have even a year or two ago. The big difference is that state and local governments are putting online digitized records, often with Social Security numbers and other personal details intact. Mitchell ends by questioning how much good it does for banks or credit card companies to require 4, 5, or more independent identity "factors" before providing access to account details, when most or all of the factors they request can be found online about nearly anyone.

Hunting cyber-thieves

Wednesday, January 28 2009 @ 06:23 AM EST Contributed by: PrivacyNews

In his day job, David Shettler labors to keep hackers from breaching the computer system at the College of the Holy Cross.

At night and on weekends, he takes his search for cyber-thieves national, scouring the Internet and identifying thefts of personal data, called data breaches. He’s chief technical officer and vice president of the Open Security Foundation, a nonprofit group based in Virginia that compiles data breaches online at its Web site. The group, which has four core volunteers and hundreds of other helpers, also makes regular Freedom of Information Act requests with state governments to gather more information on data breaches.

Source - Telegram & Gazette

[From the article:

Open Security Foundation is one of a handful of organizations nationally that are dedicated to publicizing data breaches. There’s also the Identity Theft Resource Center in San Diego, and dozens of bloggers who act as “cyber-sleuths,” tracking down the source of data breaches and identity thefts.

First, know the law.

How the US Lost Its China Complaint On IP

Posted by kdawson on Tuesday January 27, @11:51PM from the evidence-from-the-newspaper dept. The Internet Software

An anonymous reader writes

"The World Trade Organization yesterday released its much-anticipated decision involving a US complaint against China over its protection and enforcement of intellectual property rights. The US quickly proclaimed victory, with newspaper headlines trumpeting the WTO panel's requirement that China reform elements of its intellectual property laws. Yet the reality is somewhat different. As Michael Geist notes, the US lost badly on key issues such as border measures and criminal IP enforcement, with the international trade body upholding the validity of China's laws."

Is this why Google's CEO supported Obama? Perhaps it's just a risk he's willing to take now that Guantanamo is closing?

Stark relief: White House, VP's residence now visible in Google Maps

Posted by Rafe Needleman January 27, 2009 5:44 PM PST

Something tells me this is cover for their “traffic shaping” efforts.

Sources: AT&T, Comcast likely to help RIAA foil piracy

Posted by Greg Sandoval January 28, 2009 4:00 AM PST

CNET staff writer Maggie Reardon coauthored this report.

AT&T and Comcast, two of the nation's largest Internet service providers, are expected to be among a group of ISPs that will cooperate with the music industry in battling illegal file sharing, three sources close to the companies told CNET News.

Interesting summary. Any lessons to be learned?

January 27, 2009

Assessing the Impacts of Changes in the Information Technology Research and Development Ecosystem

"This report examines changes in the IT R&D ecosystem over the past decade and makes recommendations to strengthen the effectiveness and impact of federally funded information technology research; for the U.S. to remain the strongest generator of and magnet for technical talent; to reduce friction that harms the effectiveness of the U.S. IT R&D ecosystem; and to ensure that the U.S. has a communications, computing, and applications infrastructure which enables U.S. IT users and innovators to lead the world."

Interesting variation on a Dutch Auction. - Live Online Auctions

“Live deals, one at a time, price drops till none left…” is the premise of this new service (just out in public beta). Whenever you visit the site, you will come across a wide-ranging collection of watches and accessories whose price drops second by second. The starting price is clearly denoted, and the amount that you could save is also set down. You are likewise informed about shipping and handling costs. If all is right by you, you can click on the “Buy 1 Now” button that is displayed, and carry the transaction to completion.

The featured watches come from big names such as Casio and Seiko, and in every case a “Compare Deal” button is included for you to figure how much of a bargain the transaction you are interested in can be.

As regards the length of the auction, that is stipulated right above the concerned item. In any case, you must understand that the auction ends when all the items that were in stock are sold out. That is obvious, really. Everybody would wait until the very end in order to start bidding otherwise. And that is what makes the whole process entertaining to begin with. Give it a try and see if you feel the same way.

A useful time-saving tool or the e-quivalent of Readers' Digest? - Synopses At Your Disposal

We all come across articles that seem interesting while surfing the Net, yet their length quite often prevents us from delving into them. You should make a point of keeping this site in mind if that ever happens again. Essentially, Synopit will let you carry out a search for summaries that have been created for that very same article, and if any are found you will be able to see the most important takeaways from the article.

On the other hand, if no summary is found you can choose to be notified through e-mail when one surfaces by signing up. Moreover, you are given the option to create a summary yourself if you think you are skilled enough to do that, and wish to make a contribution to the cause.

Something for those Computer Science PhD candidates to consider?

The need for a standard cloud taxonomy

Posted by James Urquhart January 27, 2009 11:15 PM PST

Just interesting

Which HD video Web service is the best?

Posted by Josh Lowensohn January 28, 2009 5:00 AM PST

A purely economic question? Anticipating future costs of your dream ride?

Why some cars get stopped by cops and others don't

Posted by Chris Matyszczyk January 27, 2009 10:40 PM PST

… It seems that the police love to ticket Hummers most of all.