Saturday, February 14, 2009

Another exhausting meeting of the Privacy Foundation yesterday. We made a bunch of hard decisions (I had the Chicken Cordon Bleu and a nice Pinot Noir), discussed the current financial crisis (How big should the tip be to provide adequate economic stimulus?) and considered future seminar topics, which of course will include the Heartland Payment Systems breach.

These are the easy ones. Crooks so dumb they stand in front of the surveillance video camera while using the counterfeit cards.

First arrests made in Heartland data breach case

Posted February 13th, 2009 by admin

Chuck Miller reports:

Three men have been arrested in Tallahassee, Fla., in connection with the Heartland Payment Systems data breach, authorities said.

The men, Tony Acreus, Jeremy Frazier and Timothy Johns, each were charged with multiple counts of credit card fraud, police said. The arrests were part of a larger investigation into the breach,


“There is no evidence that they were the masterminds of this breach,” Drzewiecki said. “All that we were able to connect is that the credit card numbers were stolen in the hijacking of the records from the Heartland processing center.”

Read more in SC Magazine

[From the article:

The suspects were running a sophisticated criminal enterprise, according to police. [Sounds better than: “They're too stupid to pour water out of a boot if the directions are written on the heel.” Bob] Law enforcement organizations, which included the U.S. Secret Service, are looking into how the men were able to obtain the data. [My money is on e-mail. Bob]

From a similar article: Suggests this wasn't a direct link from HPS (which was only identified last month) but rather some credit card crooks who happened to have HPS data in addition to whatever was traced to them.

First arrests made in Heartland breach case

The arrests followed a three-month investigation of a major stolen credit card ring by the sheriff's office, the Tallahassee Police Department and the U.S. Secret Service.

Related. This one should be very interesting...

Corporate news 13.02.2009 18:07

Heartland Payment Systems Announces Conference Call to Discuss Fourth Quarter and Fiscal Year End 2008 Results

… Chairman & Chief Executive Officer Robert Carr and President & Chief Financial Officer Robert Baldwin will host a conference call beginning at 8:30 AM Eastern Time, Tuesday, February 24, 2009, to discuss fourth quarter and fiscal year end 2008 results and conduct a question and answer session.

Heartland Payment Systems invites all interested parties to listen to its conference call broadcast through a webcast on the Company’s website. To access the call, please visit the Investor Relations portion of the Company’s website at: The webcast will be archived on the Company’s website within two hours of the live call and will remain available through Friday, May 22, 2009.

For those keeping score

Heartland Data Breach: List of Victims Grows; First Arrests Made

… The list of financial institutions impacted by the Heartland Payment Systems (HPY) breach now tops 220

I'm pretty sure this is just bad reporting of the HPS breach, but then again it could be a new one...

Debit card breach a nation-wide occurrence

By JEN MATSICK POSTED: February 14, 2009

CHESTER - A security compromise at VISA has affected the use of debit cards for customers of banks nationwide, including Hancock County Savings Bank.

… Human Resource and Marketing director Barbara Matey stated that the breach is a nationwide occurrence and does not solely affect Hancock County Savings Bank customers.

It's not the size, it's the frequency. (and the fact that they aren't reported.) Do your employees install P2P software at your organization?

More p2p fiascos

Posted February 13th, 2009 by admin

Rian from RedTeam Protection, a division of Tony Josephs and Sons Investigations Inc., just sent me another batch of p2p cockups that exposed personal — and in some cases — sensitive medical — information. In each case, RedTeam advised the entity and/or helped ensure removal of the filesharing application. Some of these breaches are more security-related than privacy-related, but they’re all reminders of the risks. What a shame that most of these never seem to get reported to states so that they can be included in our chronologies and databases. RedTeam doesn’t reveal the names of the entities, however, and treats all of their findings as confidential.

An employee of a Virginia based family counseling corporation leaked 1,698 files onto the gnutella file sharing network. These documents included Individualized Service Plans, which included psychological evaluations, Medicaid numbers, social security numbers, and dates of birth.

The administrator of a California based treatment home leaked 1,632 business documents onto the gnutella P2P network, including Individualized Service Plans containing dates of birth, complete medical histories, and health insurance numbers.

The owner of a California based music studio published 2,436 business related files onto the gnutella file sharing network. The files included personal contact information and signatures of well known musicians.

An executive at a United Arab Emirates based insurance provider made publicly accessible 2,435 business related documents, including insurance numbers, scanned certificates, and workers compensation claims.

A Turkish accountant published 6,882 files onto the gnutella file sharing network, which included client balance sheets, account numbers, nondisclosure agreements, confidential merger information, and five years of faxes stored on the accountant’s hard drive.

A family counselor at a Washington, DC based treatment center made 4,886 files accessible over the gnutella file sharing network. These files included the personal identifiers of juveniles seeking treatment for various behavioral issues, in addition to psychological profiles and emergency contact information.

A facilities manager at a national engineering consultancy published 13,038 files onto the gnutella file sharing network. These files contained confidential security and safety information for a manufacturing plant, numerous vendor non-disclosure agreements and internal correspondence.

A security manager at a Louisiana based chemical plant leaked 107 confidential files onto the gnutella P2P network. These files included bomb threat procedures, internal contact numbers, login names and passwords for the plant security system, contingency management documents and radio frequency assignments.

An employee of a presidential protection unit in Africa published 2,298 files onto the gnutella file sharing network, including intelligence reports regarding child soldiers and pending investigations.

An executive at an Indonesian airline corporation published 9,263 files onto the gnutella P2P network, including security documents, human resource information and thousands of files relating to internal communications and vendor relations.

The superintendent/former superintendent of a Texas based school district published 11,884 internal files onto the gnutella file sharing network. These files included confidential correspondence with parents, confidential grade sheets with dates of birth and student ID numbers, and confidential statistics listing grades sorted by demographics such as age and race.

Previous coverage of p2p breaches here.

More on how NOT to design your security (There's no example like a bad example)

DVD Planet Uses 'Ebay' For Password, Sends It To You Via Email If You Ask

Friday, February 13 2009 @ 03:23 PM EST Contributed by: PrivacyNews

Update to a story posted earlier today...

Dear DVD Planet, you might want to sit down with the person who designed your customer account system and have a long talk. You know, about things like data security. After we posted this story yesterday about an Amazon shopper who was surprised to find you'd automatically created a barely secure account in his name with his data, another reader—this time a former eBay customer from nearly two years ago—decided to check whether you'd done the same thing to her. Yep! And the password was "Ebay."

Source - The Consumerist

If the Obama team is taking the same position as the Bush team, isn't it possible that there is some kind of National Security implication here?

In Spy Case, Obama's Justice Department Holds Fast to State Secrets Privilege

Friday, February 13 2009 @ 02:22 PM EST Contributed by: PrivacyNews

The Obama administration on Thursday invoked the state secrets privilege for the second time in a week, this time in a closely watched spy case weighing whether a U.S. president may bypass Congress and establish a program of eavesdropping on Americans without warrants.

The move came days after U.S. Attorney General Eric Holder announced the department was reviewing all the litigation it inherited from the Bush administration in which the privilege was invoked.

Source - Threat Level

This could be big for Linux.

Microsoft Sued Over Vista-To-XP Downgrade Fees

Posted by Soulskill on Friday February 13, @07:22PM from the can't-win-for-losing dept. Microsoft The Courts News

Krojack writes with this excerpt from Computerworld

"Los Angeles resident Emma Alvarado charged Microsoft with multiple violations of Washington state's unfair business practices and consumer protection laws over its policy of barring computer makers from continuing to offer XP on new PCs after Vista's early-2007 launch. Alvarado is seeking compensatory damages and wants the case declared a class-action suit. ... Irked at having to pay a fee for downgrading a new Lenovo notebook to XP, Alvarado said that Microsoft had used its position as the dominant operating system maker to 'require consumers to purchase computers pre-installed with the Vista operating system and to pay additional sums to "downgrade" to the Windows XP operating system.'"

Cure these, rule the world!

UC Berkeley Lab Examines Cloud Computing Obstacles

Posted by ScuttleMonkey on Friday February 13, @02:30PM from the just-throw-money-at-it dept. Networking Technology

alphadogg writes

"UC Berkeley researchers have outlined their view of cloud computing, which they say has great opportunity to exploit unprecedented IT resources if vendors can overcome a litany of obstacles. 'We argue that the construction and operation of extremely large-scale, commodity-computer data centers at low-cost locations was the key necessary enabler of Cloud Computing,' The paper outlines 10 obstacles to cloud computing [PDF]."

How to find how tos – my kind of list!

How to find how-tos on the Web

by Don Reisinger February 13, 2009 3:25 PM PST

5min eHow Expert Village Howcast Instructables

Friday, February 13, 2009

This continues to look like a real Titanic level event, and yet I don't see much in the mainstream news. Perhaps because we haven't reached 800 Billion, yet.

Heartland Data Breach: Maine Credit Union Says Reported Fraud has Tripled

Posted February 12th, 2009 by admin

Some interesting insights into the impact of the Heartland breach on a small credit union are provided in a BankInfoSecurity story:

Last week [HealthFirst Credit Union of Waterville] in Maine thought it had seen the last of the Heartland Payment Systems data breach that had affected 261 of its members’ credit cards. Officials now report they weren’t as lucky as they thought. The number of compromised cards now has tripled, and the fraud reported may top $70,000.


Quirion expresses frustration at what the credit union’s members and employees are being subjected to because of this breach. “The cost of replacing the cards is around $2,500, and we are a tiny credit union, and our employees ‘wear many hats.’ We’ve all been involved in blocking compromised cards, ordering new cards, and calling members regarding the breach since January 12,” she says.

Quirion estimated that the employees at the credit union have spent about 300 hours to date working on containing the breach’s fallout among its members.


Heartland Data Breach Update: Now More Than 160 Institutions Impacted

Bermuda, Canada and Guam Now Report Effects from Breach

February 12, 2009 - Linda McGlasson, Managing Editor

When you try to make things effective/efficient without thinking about the impact on your customers?

DVD Planet's Automatic Account Creation Raises Security, Privacy Issues

Friday, February 13 2009 @ 06:11 AM EST Contributed by: PrivacyNews

Joel says when he ordered a disc from DVD Planet via Amazon, the company automatically created an account for him on their website. The problem is that the default password they used was so easy to guess that he figured it out on the second try, and he suspects it's the same password they use on every account. Once you guess it, you can see the customer's past orders and credit card billing address. When Joel contacted them to have the account removed, he was told that wasn't possible. [“We'll get to the Delete key as soon as we find the 'Any Key.'” Bob]

Source - The Consumerist blog

I haven't seen any hospital sanctions before this one. But it does reinforce my opinion that “the states are waking up!”

Maine cites hospital for data breach

Posted February 12th, 2009 by admin

It’s not often that we learn of any really serious consequences to hospitals that have suffered a data breach, but a previously reported breach has contributed to problems for Down East Community Hospital in Maine. Eric Russell of the Bangor Daily News reports:

In the latest of a series of incidents, Down East Community Hospital has been disciplined by state and federal agencies for a number of serious violations within the last year.

The Maine Department of Health and Human Services recently ordered the hospital to operate on a conditional state license, an action deemed “necessary to protect the interests of the general public,” said Catherine Cobb in DHHS’s Licensing and Regulatory Services division.

Additionally, the Center for Medicare and Medicaid Services, a federal agency that oversees health care coverage at U.S. hospitals and ensures compliance with certain federal regulations, has threatened to sever ties between Down East Community Hospital and Medicare. The hospital can avoid that action if it corrects certain deficiencies within a set period of time.

One of the issues in the state’s report was data protection:

Clinical records — In November 2008, the hospital discovered that numerous confidential patient files had washed up in a nearby waterway. The documents had been stolen from the hospital, which the state determined was a breach in confidentiality. All hospital documents now must be kept in a more secure location. Dodwell said an investigation is still continuing to determine who stole the files and why.

I seriously doubt that the data breach alone would have resulted in such severe measures, but it’s nice to see states stepping up and saying that such breaches are unacceptable and that hospitals need better security or they may not maintain their license.

Another result of the HPS breach – overreaction by card issuers.

On Your Side: American Express Squeeze

posted 02/10/09 5:57 pm

... Pamela Herndon came to 7 On Your Side frustrated. She wanted to show us this: her American Express card has been denied.

Card Machine: "We are unable to complete this transaction."

"I was furious," Herndon said.

Not just because her card had been canceled but because of what they were asking of her to keep it open.

"They asked for a copy of my drivers license, a copy of my Social Security card, a copy of a utility bill -- not a phone bill -- and a notarized signature from any bank," Herndon said.

What? A cold call asking for that kind of information sounds like a scam. But it wasn't.

"Credit card companies are freaking out and they're doing things that years ago they were warning people not to do," said Evan Hendricks of Privacy Times.

Interesting. They still need a search warrant.

Ca: New law to give police access to online exchanges

Thursday, February 12 2009 @ 03:14 PM EST Contributed by: PrivacyNews

The Conservative government is preparing sweeping new eavesdropping legislation that will force Internet service providers to let police tap exchanges on their systems - but will likely reignite fear that Big Brother will be monitoring the private conversations of Canadians.

The goal of the move, which would require police to obtain court approval, is to close what has been described as digital "safe havens" for criminals, pedophiles and terrorists because current eavesdropping laws were written in a time before text messages, Facebook and voice-over-Internet phone lines.

Source - Globe and Mail Thanks to Brian Honan for sending this link.

“Now that the law is in effect, let us tell you what we think it means...” They require encryption where “technically feasible.” I assume that means “no matter what it costs” unless bankruptcy is a technicality?

MA: Tough Massachusetts data-privacy regulation facing revision

Thursday, February 12 2009 @ 03:29 PM EST Contributed by: PrivacyNews

The Massachusetts data-privacy regulation that went into effect Jan. 1st is now undergoing revisions that are expected to go into effect May 1st, according to the state agency in charge of issuing the rules.

Source - Network World

Either you believe that NSA et al. can capture and read everything or you don't. I lean towards the “Don't” camp simply because of the volume issue. That's not to say they can't capture and read everything from a specified address.

NSA offering 'billions' for Skype eavesdrop solution

Friday, February 13 2009 @ 05:57 AM EST Contributed by: PrivacyNews

News of a possible viable business model for P2P VoIP network Skype emerged today, at the Counter Terror Expo in London. An industry source disclosed that America's supersecret National Security Agency (NSA) is offering "billions" to any firm which can offer reliable eavesdropping on Skype IM and voice traffic.

The spybiz exec, who preferred to remain anonymous, confirmed that Skype continues to be a major problem for government listening agencies, spooks and police. This was already thought to be the case, following requests from German authorities for special intercept/bugging powers to help them deal with Skype-loving malefactors. Britain's GCHQ has also stated that it has severe problems intercepting VoIP and internet communication in general.

Source - The Register

If you “own” the security software, you can “own” their clients.

Physician, heal thyself? Hackers continue exposing vulnerabilities in security firms’ databases

Posted February 12th, 2009 by admin

First it was Kaspersky. Then it was BitDefender Portugal. Today it’s F-Secure, but no personal data was accessible.

F-Secure posted a response on their site:


During the last few days a Romanian group has been doing SQL injection attacks on several security vendors’ websites and early this morning they hit us. One of our servers used in gathering malware statistics had a page that didn’t properly sanitize input and was therefore vulnerable to attack. Fortunately we utilize defense-in-depth strategies so the attack was only partly successful.

Although the attackers were able to read information from the database they couldn’t write or manipulate it. And they couldn’t access any other data on that server because the SQL user only had access to its own database, which only contains public information that is shown on our statistics pages. So while the attack is something we must learn from and points at things we need to improve, it’s not the end of the world.

The malware statistics are something we publish anyway at and because of our IT security strategy, the impact was minimal.
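The two layers F-Secure's response describes, shown as an added example that is not their code: a statistics lookup that splices user input into the query beside its parameterized form, and a read-only handle standing in for a SQL user that can only read its own database. The table, its rows and the `malware_stats` name are constructed for the demo; SQLite has no GRANT, so `PRAGMA query_only` is used as the stand-in for a restricted database account.

```python
import sqlite3

# Constructed sample data standing in for a public malware-statistics table.
STATS_ROWS = [("Conficker", 1200), ("Storm", 300), ("Virut", 85)]


def setup_db():
    """Build an in-memory database holding only the public statistics table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE malware_stats (family TEXT, detections INTEGER)")
    conn.executemany("INSERT INTO malware_stats VALUES (?, ?)", STATS_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, family):
    """The flaw described above: the request value is spliced straight into the SQL text,
    so a quote character in the input changes the meaning of the WHERE clause."""
    sql = "SELECT family, detections FROM malware_stats WHERE family = '" + family + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, family):
    """The fix: bind the value as a parameter; the driver never parses it as SQL."""
    sql = "SELECT family, detections FROM malware_stats WHERE family = ?"
    return conn.execute(sql, (family,)).fetchall()


def read_only_connection(conn):
    """Second layer (defense in depth): the web page talks to the database through a handle
    that may only read, mirroring a SQL user without write rights on the stats database."""
    conn.execute("PRAGMA query_only = ON")  # SQLite stand-in for a read-only DB account
    return conn


def try_write(conn):
    """Attempt to modify data through the connection: True if it succeeded, False if refused."""
    try:
        conn.execute("DELETE FROM malware_stats")
        conn.commit()
        return True
    except sqlite3.OperationalError:  # "attempt to write a readonly database"
        return False


def demo():
    """Run both lookups on the same tampered input, then test the read-only layer.
    Returns (rows from vulnerable query, rows from safe query, whether a write succeeded)."""
    conn = setup_db()
    tampered = "' OR 1=1 --"                     # textbook input that rewrites the WHERE clause
    vuln = lookup_vulnerable(conn, tampered)     # every row comes back: the filter was defeated
    safe = lookup_parameterized(conn, tampered)  # no row: no family is literally named that
    ro = read_only_connection(conn)
    wrote = try_write(ro)                        # False: reading is possible, writing is not
    return len(vuln), len(safe), wrote


if __name__ == "__main__":
    print(demo())  # (3, 0, False)
```

The first layer stops the data exposure; the second is what limited the damage in the incident described, since even a successful injection could only read what the page already publishes.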

Nothing signals the death of the Gutenberg Age more than liquidating its assets.

Google Buys A Paper Mill?

Robin Wauters Thursday, February 12, 2009; 12:22 AM

Consider it a sign of the times when internet company Google acquires the buildings and premises of a mill site from a paper, packaging and forest products company that caters to the print industry.

Well, there goes the neighborhood!

Thursday, 12 February 2009

Buckingham Palace Website Is Relaunched

Her Majesty The Queen updated Her website today. You can see what Her Majesty has done, with the assistance of one Sir Tim Berners-Lee, by clicking on here. Her Majesty has even created a special section dedicated entirely to Her British Commonwealth.

Another consideration for my Computer Security class

Open data is the antidote to closed clouds

by Matt Asay February 12, 2009 7:20 PM PST

Open source is particularly well-suited to create cloud computing systems, but such open-source ingredients won't necessarily result in open clouds. Indeed, cloud computing has the potential to lock users in as much or more than desktop computing.

… But it's not really the hardware or software at issue here. It's the data. Free software doesn't necessarily translate into free data, which is arguably the technology industry's next big battleground. "Data is the new Intel-inside," proclaims Tim O'Reilly, the source of lock-in and hence profit for technology companies like Google, Yahoo, Digg, and more.

For truly obsessive multi-taskers?

Double Vision lets you watch Hulu in Excel

by Josh Lowensohn February 12, 2009 3:32 PM PST

Double Vision (download) is the latest tool for people who don't like doing work while at work. This small piece of software lets you casually surf the Web inside of other programs, then hide the window with a simple keyboard shortcut.

Thursday, February 12, 2009

I haven't seen them yet, but I bet they're amusing.

Ca: We have our winners!

Wednesday, February 11 2009 @ 08:20 PM EST Contributed by: PrivacyNews

We have the winning videos from the 2008 My Privacy & Me National Video Competition for young people! Participants from Encounters with Canada, a national youth forum that brings together teens from across Canada for week-long adventures in learning and discovery, selected the winners from among seven finalists.

Source - Office of the Privacy Commissioner of Canada

[From the website:

The videos have been posted to, the youth Web site of the Office of the Privacy Commissioner of Canada. They can also be viewed on the Office’s YouTube channel (

If true, this is the clearest admission yet that Microsoft screwed up! (Those Vista CDs might have some value after all...)

MS To Offer Free Windows 7 Upgrade To Vista Users

Posted by samzenpus on Wednesday February 11, @06:45PM from the you-get-what-you-pay-for dept. Microsoft Upgrades IT

crazyeyes writes

"With Windows 7 set for release in Dec. 09, Microsoft is getting ready with their free upgrade program, which allows Vista users to switch to Windows 7 when it arrives. The folks at TechARP have consistently scored accurate scoops on Microsoft software releases. They have now revealed Microsoft's upgrade plans, schedules and even screenshots of the upgrade process."

Does this signal that YouTube is dead or merely past its prime?

Federal Officials and YouTube Nearing a Deal

Posted by samzenpus on Wednesday February 11, @09:25PM from the watching-the-watchers dept. Social Networks Politics

GovTechGuy writes

"The federal government is on the verge of reaching an agreement with YouTube that would allow agencies to make official use of the popular video-sharing service. A coalition of federal agencies led by the General Service Administration's Office of Citizen Services has been negotiating with Google, YouTube's parent company, since summer 2008 on new terms that would allow agencies to establish their own channels on the site. Agencies have not been [allowed] to post videos to YouTube (although many already have) because under the current terms of service, people who post content are subject to their state's libel laws. Federal agencies must adhere to federal law. On Tuesday, government officials said the negotiations were "very close" to being completed."

Related: Is Hulu a replacement for YouTube?

New evidence links Hulu with mushed brains

by Chris Matyszczyk February 11, 2009 3:26 PM PST

The Wall Street Journal suggested Wednesday that when Hulu went public last March, its largest demographic was not snotty-nosed punks actively looking to mush their brains, but those whose gray matter was in a fairly ripened state of mushiness. Yes, those 55 and over.

… Of course, YouTube's traffic is around 10 times that of Hulu's. But apparently 15 out of 20 searches on YouTube are for the kind of TV content for which Hulu has a license and YouTube often does not.

So who do you think will win in the end? The brand with all the videos of weird psychopathic doctors, overeaters, cuddly animals, office workers making a documentary about themselves, and stand-up comics of very varying abilities?

Or, um, YouTube?

...and I thought those social networks were hard to monetize...

Facebook friends don't ask friends for money

by Elinor Mills February 11, 2009 3:39 PM PST

… A relatively new Facebook scam has been surfacing in which a user's account is hacked and then used to send messages of alarm to get the user's friends to send money.

More interesting for how they filter the sounds they sell...

iStock launches iStockaudio for royalty-free clips

by Stephen Shankland February 11, 2009 6:34 PM PST

As expected, iStockphoto launched its audio clip licensing service, called iStockaudio, on Wednesday.

… That means there are constraints on audio contributors, though, who may not be members of various professional organizations.

"iStockphoto has used reasonable efforts to ensure that the suppliers of audio content are not members of any performing rights, mechanical rights or any other similar societies (such as SOCAN, ASCAP, BMI, SESAC, PRS, MCPS, SACEM, SDRM, JASLAC, GEMA, etc.) and that no performing rights or other royalties are required to be paid to any such organizations," according to the iStockaudio license agreement.

In order to compete directly with the Kindle, I need to find a good hardware hacker. Meanwhile...

High school was wrong. It's good to be a Bookworm

by Eric Franklin February 12, 2009 4:00 AM PST

… Bookworm is an open-source ePub reader that allows you to upload, organize, and read your e-books from the Web on your computer, as well as from Web-capable mobile devices including the iPhone.

For selfish reasons...

February 11, 2009

New on Six Questions and a Strategy for Campus-wide Information Competence

Six Questions and a Strategy for Campus-wide Information Competence. At Cornell University Library (CUL) a committee was established in 2005 to address the issue of information literacy at the university. The committee did extensive research on this topic and developed an approach for seeking solutions. Stuart Basefsky presents three exhibits to accomplish this objective.

Wednesday, February 11, 2009

Continuing the theme of “Wow, this keeps growing!”

ESI Year in Review 2008

Tuesday, February 10 2009 @ 04:18 PM EST Contributed by: PrivacyNews

The ESI Year in Review - 2008 examines all of the information security incidents occurring at colleges and universities around the world as reported in the news during 2008.

The security incidents reported in 2008 continued many of the trends seen in 2007. More colleges and universities reported suffering more security incidents. In fact, the total number of institutions suffering security incidents outnumbers the total number of incidents in 2008 due to several incidents affecting more than one institution. Another common trend continued from 2007 was that employee mistakes continue to be the leading cause of reported information security incidents.

Here is a sample of the information contained in the Educational Security Incidents (ESI) Year in Review - 2008:

* Total Number of Incidents: 173, a 24.5% increase over 2007
* Total Number of Institutions Affected: 178, a 59% increase over 2007
* Total Number of Incidents by Type:
  o Employee Fraud: 10
  o Impersonation: 4
  o Loss: 9
  o Penetration: 35
  o Theft: 40
  o Unauthorized Disclosure: 75

Source - ESI

The cost of Security Breaches. (For when you prepare next year's Security budget)

Pointer: impact of breaches on stock market prices

Tuesday, February 10 2009 @ 04:06 PM EST Contributed by: PrivacyNews

I received an email about a new web site on data breaches. When I checked it out, I saw a post on the impact of a data breach on stock market prices for 10 publicly traded firms that experienced breaches that may be of interest to readers.


[NOTE: They also have a list of Third Party providers who are responsible for breaches, at:

Aliens got privacy, but not the right to judicial review...

DHS memo: data retention protections for non-U.S. persons now online

Tuesday, February 10 2009 @ 04:23 PM EST Contributed by: PrivacyNews

This memorandum sets forth the policy of the DHS Privacy Office regarding privacy protections afforded to non-U.S. persons for information collected, used, retained, and/or disseminated by the Department of Homeland Security in so-called "mixed systems."

Source - Dept. of Homeland Security: Privacy Policy Guidance Memorandum 2007-01, Regarding Collection, Use, Retention, and Dissemination of Information on Non-U.S. Persons, January 7, 2009 (As amended from January 19, 2007)

My Computer Forensics class should compile a checklist of “not very lawyerly ideas” to test for...

You Are Not a Lawyer

Posted by kdawson on Tuesday February 10, @01:42PM from the help-in-thinking-like-one dept.

Paul Ohm is starting a new "very occasional" feature on the Freedom To Tinker blog called You Are Not a Lawyer — "In this series, I will try to disabuse computer scientists and other technically minded people of some commonly held misconceptions about the law (and the legal system)." In the first installment, Ohm walks through the reasons why many techies' faith in the presence of "reasonable doubt" is so misplaced.

"When techies think about criminal law, and in particular crimes committed online, they tend to fixate on [the 'beyond a reasonable doubt'] legal standard, dreaming up ways people can use technology to inject doubt into the evidence to avoid being convicted. I can't count how many conversations I have had with techies about things like the 'open wireless access point defense,' the 'trojaned computer defense,' the 'NAT-ted firewall defense,' and the 'dynamic IP address defense.' ... People who place stock in these theories and tools are neglecting an important drawback. There are another set of legal standards — the legal standards governing search and seizure — you should worry about long before you ever get to 'beyond a reasonable doubt.'"

I'm sure there will be lots of little gems in this bill...

'Stimulus' bill pushes e-health records for all Americans

by Declan McCullagh February 10, 2009 8:45 PM PST

… Yet nowhere in this 140-page portion of the legislation does the government anticipate that some Americans may not want their medical histories electronically stored, shared, and searchable. Although a single paragraph promises that data-sharing will "be voluntary," there's no obvious way to opt out.


WSJ Says Gov't Money Injection Won't Help Broadband

Posted by timothy on Tuesday February 10, @12:06PM from the at-least-they-can-pay-with-free-money dept. United States Networking The Almighty Buck The Internet Politics

olddotter writes

"According to the WSJ, The US government is about to spend $10 Billion to make little difference in US broadband services: 'More fundamentally, nothing in the legislation would address the key reason that the US lags so far behind other countries. This is that there is an effective broadband duopoly in the US, with most communities able to choose only between one cable company and one telecom carrier. It's this lack of competition, blessed by national, state and local politicians, that keeps prices up and services down.' Get ready for USDA certified Grade A broadband."

[From the article:

A recent report by the Pew Research Center entitled "Stimulating Broadband: If Obama Builds It, Will They Log On?" concluded that for many people, the answer is no, often due to high monthly prices. By one estimate, the lowest monthly price per standard unit of millions of bits per second is nearly $3 in the U.S., versus about 13 cents in Japan and 33 cents in France.

A tool for podcasts, online video and TV

Miro 2.0 Launches Today

Posted by kdawson on Tuesday February 10, @07:18PM from the on-the-wall dept. Television The Internet

soDean writes

"Miro just launched their 2.0 release today. The free and open source HD video player and Internet TV features an all-new interface and an entirely rewritten UI engine, plus tons of new features and improvements — it's less of a collection of new stuff and more of a rethinking of the whole experience. You can download Miro 2.0 here for Linux, Mac, and Windows. Miro is developed by the Participatory Culture Foundation, a 501(c)(3) non-profit, hell-bent on making Internet video more open and decentralized, along with a dedicated community of users, volunteers, translators, testers, and coders."

Explaining Apple? My friend Dennis had described this concept years ago, but didn't charge $750 for a detailed report.

How to predict gadget success

by Erica Ogg February 10, 2009 4:52 PM PST

Sometimes even a well-designed and innovative product can still be a total dud. See the Apple Newton.

The industry analysts at Forrester Research now say they know why this happens.

In a new report released Friday, Forrester analyst James McQuivey zeroes in on what makes seemingly good products fall flat once they reach store shelves: lack of convenience.

… Forrester says convenience is key. It defines the concept in this way: A "comprehensive measure that considers the total product experience." That includes researching the product, obtaining the device, using it, and eventually getting rid of it. The study also says that in successful products, convenience is not a benefit, but "a measure of how easy your product makes it for people to get the benefits your product promises."

Tuesday, February 10, 2009

My wife has been notified by both her Credit Union and her prepaid medical card that they were part of the HPS breach and would be replacing her cards.

More on Heartland...

The letter from Heartland to the Maryland AG's Office is available at

Related (This mostly duplicates earlier information.)

Pointer: Numbers keep rolling in on Heartland breach

Posted February 9th, 2009 by admin Linda McGlasson of BankInfoSecurity reports:

By the latest count, the number of institutions that have informed their card customers and members that they were hit as a result of the Heartland Payment Systems (HPY) data breach has swelled to 124.

The second page of the article provides an alphabetical listing of banks that reported having been affected, with number of cards compromised indicated for many of them.

[From the article:

Heartland, the sixth-largest payments processor in the U.S.... [See? It could have been much worse! Bob]

Prof. Soma at the Sturm College of Law mentioned that there are now two HPS lawsuits:

Cooper v. Heartland Payment Sys. Inc., D.N.J., No. 3:09-cv-00392-FLW-JJH, complaint filed 1/27/09; and Merino v. Heartland Payment Sys. Inc., D.N.J., No. 3:09-cv-00439-FLW-TJB, complaint filed 1/29/09

I must be missing something... Is it common to take four years to stop this kind of thing?

FTC Kills Dirty Online Check Processing Outfit

Posted by kdawson on Monday February 09, @09:34PM from the dirty-pretty-checks dept. The Courts Government The Almighty Buck United States

coondoggie writes

"The Federal Trade Commission today got a US District Court to stop permanently what it called the illegal operations of an Internet-based check creation and delivery service, and to require the group to give up over half a million dollars in ill-gotten gains. According to the FTC, created and sent checks drawn on any bank account that a Qchex user identified, but did not verify whether the user had authority to draw checks on that account. As a result, fraudsters worldwide used the Qchex service to draw thousands of checks on bank accounts that belonged to unwitting third parties. 'The evidence shows that the launch of was a "dinner bell" for fraudsters and resulted in a high number of accounts frozen for fraud...' said District Court Judge Janis Sammartino."

[How I know it took four years:

Prof Soma also pointed me to this article. And minutes later, so did Gary Alexander!

Survey: Identity theft up, but costs fall sharply


NEW YORK (AP) — The number of Americans ensnared by identity theft is on the rise, but victims are striking back more quickly and limiting how much is stolen.

In 2008, the number of identity theft cases jumped 22 percent to 9.9 million, according to a study released Monday by Javelin Strategy & Research. The good news is that the cost per incident — including unrecovered losses and legal fees — fell 31 percent to $496.

Last year marked the first time the number of cases rose.

Online access accounted for only 11 percent of cases, according to the survey.

Despite the growing number of victims, the total fraud amount edged up just 7 percent to $48 billion over the previous year. That's because victims are uncovering cases faster to limit losses. Another reason is that financial institutions are taking more steps to thwart thieves, according to the Javelin study.

This is from the e-Discovery Blog. First time I've seen him comment on Privacy. (Of course, there is a connection.)

IT Workers Read Your Personal Email and U.S. Law is Generally OK with That

America is the land of the free, the brave, and the busybody; at least that is the way Europeans see us. Indeed, much of the world is surprised by the lack of privacy in the U.S., especially in the workplace where few corporations grant any privacy rights to their employees. At least one U.S. billionaire, Henry Nicholas, the co-founder and ex-CEO of Broadcom, now agrees with the Europeans. His defense of a criminal case recently suffered a major setback as a result of IT workers reading a personal email to his wife and then blabbing to the world about it. U.S. v. Nicholas, __F.Supp.2d__, 2008 WL 5546721 (C.D.Cal., Dec. 29, 2008).

Because your life isn't hectic enough?

Twitter Fast Growing Beyond its Messaging Roots

By Michael Calore February 10, 2009 7:32:17 AM

Thanks to its open-ended design and a thriving user community, Twitter is fast outgrowing its roots as a simple, easy-to-use messaging service. Enterprising hackers are creating apps for sharing music and videos, to help you quit smoking and lose weight -- spontaneously extending the text-based service into one of the web's most fertile (and least likely) application platforms.

Hardware hackers have set up household appliances to send status alerts over Twitter, like a washing machine that tweets when the spin cycle is through, or a home security system that tweets whenever it senses movement inside the house. Others have incorporated Twitter into their DIY home automation systems. Forgot to turn off the lights? Send a tweet to flip the switch by remote control.

… Businesses are starting to be built around it. Botanicalls, for example, sells a Twitter-enabled hardware kit that lets your neglected house plants alert you when they're thirsty.

… File sharers were the first to rush in. The photo-sharing service TwitPic, one of the oldest Twitter mashups, lets users send pictures to their followers by storing a photo on its servers, then passing the link around on Twitter. Now there are newer apps like Tweetcube and Twittershare, which let users share larger media like MP3s and videos.

Twitter's limited format of short, text-based announcements is a natural match for sites like TrackThis, which you can use to get status updates on FedEx and UPS packages, and Tweetajob, which job seekers can use to get real-time updates about new job openings.

Anyone who needs help quitting smoking can use Qwitter to monitor their progress. Those looking to lose weight can turn to TweetWhatYouEat or TweetYourEats.

A step towards a “Best Practice?” At least a procedure to help avoid getting sued.

Bruce Perens On Combining GPL and Proprietary Software

Posted by ScuttleMonkey on Monday February 09, @04:19PM from the how-not-to-get-sued dept. Software Linux Business

jammag writes

"Combining GPL and proprietary software is ever more common, especially in the world of embedded devices like cell phones. But the question is: how to combine them legally. As sticky as the issue is, there is an answer, as self-titled "open source strategic consultant" Bruce Perens explains. The proper procedure entails fully understanding what type of open source software you're using, and knowing why you need to combine these disparate licenses. The problem, he notes, is that many companies don't know or care about doing this legally. 'They're used to just "clicking yes" with no regard to what they're committing themselves and their company to.' Hopefully Perens' guide can be read by more company execs — resulting in fewer lawsuits going forward (but we're not holding our breath)."

update 21:31 GMT by SM: Bruce wrote in to make sure we knew he was not a lawyer, even though he is weighing in on a legal issue; updated to reflect.

I've been looking for a project for the White Hat Hacker club. This looks interesting.

Metasploit Hacking Tool To Get Services-Based Model

Posted by kdawson on Monday February 09, @07:57PM from the at-your-services dept. Security IT

ancientribe writes

"Metasploit hacking tool creator HD Moore told Dark Reading that the open-source hacking tool soon will come with back-end services-based features aimed at offloading resource-intensive penetration testing tasks. This is a departure for the software-oriented Metasploit, and Moore and company just may be on to something: it turns out commercial penetration testing tool vendors are looking at adding services-based versions of their software. Immunity Inc. will do so this year, and Core Security Technologies is considering doing so as well."

One of the problems my Math students have is being able to solve some problems (X – 4 = 6) without understanding the process they used to get the answer.

Study Suggests Why Gut Instincts Work

LiveScience Staff Mon Feb 9, 11:01 am ET

Sometimes when you think you're guessing, your brain may actually know better.

After conducting some unique memory and recognition tests, while also recording subjects' brain waves, scientists conclude that some gut feelings are not just guesswork after all. Rather, we access memories we aren't even aware we have.

… The findings were published online Sunday in the journal Nature Neuroscience.

… "Intuition may have an important role in finding answers to all sorts of problems in everyday life," Paller said

A tool for your Swiss Army Folder... - A Free Online Diagramming Tool

Generally speaking, LovelyCharts is an online diagramming application that enables any individual to come up with diagrams of different denomination – all for free. These include sitemaps, flowcharts and wireframes to name just a few.

Although diagrams are easy to understand, it is also true that the drawing process itself is a bit tricky. This solution aims to get around this problem by empowering users to drag and drop elements until they are satisfied with the finished design. Moreover, the drawing process itself is an interactive one, whereby the system makes assumptions based on the way you are headed.

Lists, I just love 'em.

Free alternatives to Windows' built-in utilities

by Dennis O'Reilly February 10, 2009 12:01 AM PST

I wouldn't give you a nickel for all the system tools that come with Windows. That's because I can replace them with programs that do the job better without having to spend even that much.

Monday, February 09, 2009

Local story update. When things sound too good to be true...

CO: Police: Credit Card Thieves Worked As Waiters

Posted February 9th, 2009 by admin

Follow-up on the story that we’ve been covering since November:

The credit card numbers stolen from 200 customers at an Asian restaurant last year were taken by three people who offered to work for tips only, according to Longmont police.

Cmdr. Tim Lewis told 7NEWS two men and one woman offered to work at Longmont’s East Moon Asian Bistro without pay. They offered to work for tips only and management accepted. Because of that agreement, the owners never received any personal information about the workers.

Read more in The Denver Channel

Q: How could such smart people, who sell Security and Anti-Virus software for a living, have such poor security on their website? A: Their business is Anti-Virus. I'll wager that they employ mostly entry level techies on their website. In other words, they view it as not critical, so they don't spend much to secure it. (Same as their customers.)

Kaspersky Customer Database Exposed

Posted by timothy on Sunday February 08, @06:36PM from the which-is-not-a-new-mtv-show dept. Security Privacy

secmartin writes

"A hacker has managed to gain access to several databases via a SQL injection vulnerability on Kaspersky's US website. He has posted several screenshots and a list of available tables; judging from the table names, the information available includes data on bugs and user- and reseller accounts. The hacker has indicated that no confidential information will be posted on the Internet, but since a large part of the URLs used was visible in screenshots, it will only be a matter of time before somebody else manages to duplicate this."


BitDefender breach exposes customer data

Posted February 9th, 2009 by admin

HackersBlog is reporting that Kaspersky isn’t the only one exposing customer data this week. BitDefender Portugal also seems to have a problem….

“Ja, und why not?” Everyone from North Korea to teenagers to China is doing it.

German Bundeswehr Recruiting Hackers

Posted by timothy on Monday February 09, @12:46AM from the blinkenlights-brauch'-das-fingerpoken dept. The Military Government Security

bad_alloc writes

" tells us about the German Bundeswehr's idea of recruiting hackers in order to 'penetrate, manipulate and damage hostile networks.' (Note: The following passage has been translated from German into English: 'The Regiment is stationed in Rheinbach, near Bonn, and consists of several dozen graduates from Bundeswehr universities. They're training at the moment, but the 'hackers in uniforms' are supposed to be operational by next year. This regiment officially belongs to the "Kommando Strategische Aufklärung" (strategic reconnaissance) and is commanded by Brigadier General Friedrich Wilhelm Kriesel. The Bundeswehr has not said anything to this regiment yet.') You can find the full article in German."

An interesting if still imperfect business model. Credit Cards have been vulnerable for years – as PayPal demonstrated.

A new way to pay: Noca's credit card alternative

Posted by Rafe Needleman February 8, 2009 10:35 PM PST

When you buy a product online and use either a credit card or PayPal, a significant percentage of your transaction cost--from 2.5 percent to 4 percent when all the fees are considered--goes straight to either the credit card processing company or to PayPal. With so many retailers operating at such slim margins already, this is a material expense. While payment processing will probably never be free, a new company, Noca, is launching today that undercuts payment processing by an order of magnitude: It charges just 0.25 percent for transactions.

Researchers! Get 'em while they're hot! (and still online!) NOTE: The site had been overwhelmed when I tried to link.

February 08, 2009

Wikileaks Posts Database of 6,780 Congressional Research Service (CRS) Reports

"Wikileaks has released nearly a billion dollars worth of quasi-secret reports commissioned by the United States Congress. The 6,780 reports, current as of this month, comprise over 127,000 pages of material on some of the most contentious issues in the nation... Nearly 2,300 of the reports were updated in the last 12 months, while the oldest report goes back to 1990. The release represents the total output of the Congressional Research Service (CRS) electronically available to Congressional offices." [As noted by Michael Ravnitzky, "there are additional reports and briefings prepared for specific offices that are not included in that electronic output."]

Related A law journal under the Creative Commons license.

February 08, 2009

Journal of Legal Analysis: New Open-Access Law Journal Launched

"...the Journal of Legal Analysis (JLA) is a new open-access law journal co-published by Harvard University Press (HUP) and the John M. Olin Center for Law, Economics, and Business at Harvard Law School. For the record, this is the first new journal we've published in thirty years...articles will be posted, for free, as soon as they are ready for publication. In addition, we're hoping the journal fills a gap in the legal publishing landscape by providing a peer-reviewed, faculty-edited journal that covers the entire academy."

Fire up your Phasers! CBS must believe they can monetize their old shows.

CBS Hosts Ad-Funded TV Series, Incl. Original Star Trek

Posted by timothy on Sunday February 08, @09:44PM from the whole-new-generation-can-obsess-or-ridicule dept. Television Sci-Fi News

eldavojohn writes

"On Friday, CBS launched a TV Classics section to their ad-based online service. Which means that Trekkies can now watch all three seasons of Star Trek: The Original Series online at the expense of a few commercials. Alongside this CBS is offering all of MacGyver, Twin Peaks and even three seasons of the original Twilight Zone. A side note, they seem to work perfectly fine in Linux."

Serious stuff! But the solution was right in front of them months before the problem surfaced.

2009-02-08 Europe

French fighter planes grounded by computer virus

French fighter planes were unable to take off after military computers were infected by a computer virus, an intelligence magazine claims. The aircraft were unable to download their flight plans after databases were infected by a Microsoft virus they had already been warned about several months beforehand. At one point French naval staff were also instructed not to even open their computers.

Microsoft had warned that the "Conficker" virus, transmitted through Windows, was attacking computer systems in October last year, but according to reports the French military ignored the warning and failed to install the necessary security measures.

A more negative headline for the same story...

French airforce surrenders to German virus

Sunday, February 08, 2009

Would a request for a change of venue be granted automatically? (and where would it go, now that Guantanamo is closing?)

Houston Courts Shut Down By Malware

Posted by timothy on Saturday February 07, @04:30PM from the full-employment-for-compsec-types dept. Security Technology

Conficker is still at it: dstates writes

"The municipal courts of Houston were shut down yesterday after a computer virus spread through the courts' computer systems. The shutdown canceled hearings and suspended arrests for minor offenses and is expected to extend through Monday. The disruption affected many city departments, the Houston Emergency Center was briefly disconnected and police temporarily stopped making some arrests for minor offenses. The infection appears to be contained to 475 of the city's more than 16,000 computers, but officials are still investigating. Gray Hat Research, a technology security company, has been brought in on an emergency contract to eradicate the infection. In 2006, the City spent $10M to install a new computer system and bring the Courts online, but the system has been beset by multiple problems. After threatening litigation, the city reached a $5 million settlement with the original vendor, Maximus, and may seek another vendor."

[From the article:

Court offices will remain open to allow people to pay tickets and fines... [The government always accepts payment. Bob]

… Janis Benton, the city’s deputy director of information technology, said officials suspected the infection was a form of Conficker...

… Conficker, also known as Downadup, infects computers via a flaw in the Microsoft Windows operating system. Microsoft issued an emergency patch back in October, and PCs that have the patch are protected from the worm. [In other words, if they had followed best practices this never would have happened. Bob]

… However, police this weekend will be using only citations for class C misdemeanors instead of arrests, since they cannot be processed. [“'cause when the computer is down, we don't know what to charge for a Big Mac...” Bob]

… Mayoral spokesman Patrick Trahan said people in jail would be able to make bail, but several bondsmen contacted by the Houston Chronicle were under the impression that no one could be released until Tuesday.


OpenDNS To Block and Monitor Conficker Worm

Posted by Soulskill on Sunday February 08, @08:22AM from the no-phone-home dept. Networking Security Worms News

Linker3000 writes

"According to The Register, OpenDNS plans to introduce a new service that will prevent PCs infected with the Conficker (aka Downadup) malware from contacting its control servers, and will also make it easy for admins to know if even a single machine under their control has been infected by Conficker: 'Starting Monday, any networks with PCs that try to connect to the Conficker addresses will be flagged on an admin's private statistics page. The service is available for free to both businesses and home users.' With the amount of trouble this worm has caused, perhaps this is a good time to take a look at OpenDNS if you haven't done so already."

One to follow? (It could go beyond nasty comments – see the next article.)

Lawsuit targets anonymous online comments

Saturday, February 07 2009 @ 02:30 PM EST Contributed by: PrivacyNews

Hundreds of people who posted their opinions of a sexual assault trial in an online forum are now the targets of a lawsuit.

The authors of those comments on the Web site thought they were anonymous, but this week, a judge ruled their names should be revealed.

Source - KHOU


Prop 8 Donor Web Site Shows Disclosure Law Is 2-Edged Sword

Sunday, February 08 2009 @ 05:57 AM EST Contributed by: PrivacyNews

FOR the backers of Proposition 8, the state ballot measure to stop single-sex couples from marrying in California, victory has been soured by the ugly specter of intimidation.

Some donors to groups supporting the measure have received death threats and envelopes containing a powdery white substance, and their businesses have been boycotted.

The targets of this harassment blame a controversial and provocative Web site,

The site takes the names and ZIP codes of people who donated to the ballot measure — information that California collects and makes public under state campaign finance disclosure laws — and overlays the data on a Google map.

Source - NY Times

[From the article: is the latest, most striking example of how information collected through disclosure laws intended to increase the transparency of the political process, magnified by the powerful lens of the Web, may be undermining the same democratic values that the regulations were to promote.

With tools like eightmaps — and there are bound to be more of them — strident political partisans can challenge their opponents directly, one voter at a time. The results, some activists fear, could discourage people from participating in the political process altogether.

Stephen Rynerson sent me this article. I had been receiving e-mails about this but had dismissed them as “urban myth.” Looks like I should learn from Stephen and do a better job of research!

Parking ticket leads to a virus

Hackers have discovered a new way of duping users onto fraudulent websites: fake parking tickets.

Cars in the US had traffic violation tickets placed on the windscreen, which then directed users to a website.

The website claimed to have photos of the alleged parking violation, but then tricks users into downloading a virus.

Tools & Techniques for hackers. Remember, passwords alone are never enough.

Passwords From PHPBB Attack Analyzed

Posted by Soulskill on Saturday February 07, @12:19PM from the convenience-trumps-security dept. Security News

Robert David Graham writes

"The hacker who broke into posted the passwords online. I was sent the password list, so I ran it through my analysis tools and posted the results. Nothing terribly surprising here; 123456 and password are the most popular passwords as you would expect. I tried to be a bit more creative in my analysis, though, to get into the psychology of why people choose the passwords they do. '14% of passwords were patterns on the keyboard, like "1234" or "qwerty" or "asdf." There are a lot of different patterns people choose, like "1qaz2wsx" or "1q2w3e." I spent a while googling "159357" trying to figure out how to categorize it, then realized it was a pattern on the numeric keypad. I suppose whereas "1234" is popular among right-hand people, "159357" will be popular among lefties.'"

[From the article:

many passwords are dictionary words.

16% of passwords matched a person's first name.

14% of passwords were patterns on the keyboard

4% are variations of the word "password"

5% of passwords are pop-culture references

4% of passwords appear to reference things nearby

3% of passwords are "emo" words

3% are 'don't care' words

1.3% are passwords people saw in movies/TV

1% are sports related,
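To show the kind of analysis Graham describes, here is an added example (my own code, not Graham's tools or the article's): it classifies a constructed password list into the categories quoted above, detecting keyboard walks geometrically on a QWERTY grid and a numeric keypad rather than from a fixed list, so "qwerty", "1qaz2wsx", "1q2w3e" and "159357" are all caught. The first-name and dictionary lists are tiny stand-ins for the real lists an audit would use.

```python
"""Categorise passwords from a leaked list by weak-pattern type.

Added example, not from the linked article. The name and word lists below are
constructed stand-ins; a real audit would load full lists.
"""
from collections import Counter
from functools import lru_cache
import re

# Two layouts as (row, column) grids. The QWERTY rows are aligned so that the
# column "1qaz" is vertical, which is what keyboard-walk passwords rely on.
QWERTY = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEYPAD = ["789", "456", "123"]


def _coords(layout):
    return {ch: (r, c) for r, row in enumerate(layout) for c, ch in enumerate(row)}


LAYOUTS = [_coords(QWERTY), _coords(KEYPAD)]


def _is_line(s, coords):
    """True if s moves by one constant one-key step (row, column or diagonal)."""
    if len(s) < 3 or any(ch not in coords for ch in s):
        return False
    pts = [coords[ch] for ch in s]
    step = (pts[1][0] - pts[0][0], pts[1][1] - pts[0][1])
    if max(abs(step[0]), abs(step[1])) != 1:
        return False
    return all((b[0] - a[0], b[1] - a[1]) == step for a, b in zip(pts, pts[1:]))


def _is_adjacent_walk(s, coords):
    """True if every consecutive pair of keys is adjacent, e.g. "1q2w3e"."""
    if len(s) < 4 or any(ch not in coords for ch in s):
        return False
    pts = [coords[ch] for ch in s]
    return all(max(abs(b[0] - a[0]), abs(b[1] - a[1])) == 1
               for a, b in zip(pts, pts[1:]))


def _splits_into_lines(s, coords):
    """True if s is a concatenation of straight runs of 3+ keys ("1qaz"+"2wsx")."""
    @lru_cache(maxsize=None)
    def ok(i):
        if i == len(s):
            return True
        return any(_is_line(s[i:j], coords) and ok(j)
                   for j in range(i + 3, len(s) + 1))
    return ok(0)


def is_keyboard_pattern(pw):
    s = pw.lower()
    return any(_is_adjacent_walk(s, c) or _splits_into_lines(s, c) for c in LAYOUTS)


# Undo common leetspeak so "p4ssw0rd" is still recognised as "password".
LEET = str.maketrans("4@0351$!", "aaoesisi")


def is_password_variant(pw):
    s = pw.lower().translate(LEET)
    return "password" in s or "passwd" in s


FIRST_NAMES = {"michael", "jessica", "david", "ashley", "daniel", "jennifer"}
DICT_WORDS = {"monkey", "dragon", "letmein", "football", "shadow", "master"}


def _stem(pw):
    """Strip trailing digits/punctuation so "michael1" matches "michael"."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def classify(pw):
    if is_keyboard_pattern(pw):
        return "keyboard pattern"
    if is_password_variant(pw):
        return "password variant"
    stem = _stem(pw)
    if stem in FIRST_NAMES:
        return "first name"
    if stem in DICT_WORDS:
        return "dictionary word"
    return "other"


def tally(passwords):
    """Percentage of the list in each category, like the article's breakdown."""
    counts = Counter(classify(pw) for pw in passwords)
    total = len(passwords)
    return {cat: round(100.0 * n / total, 1) for cat, n in counts.items()}


# Constructed sample list, not the leaked data.
SAMPLE = ["123456", "password", "qwerty", "1qaz2wsx", "1q2w3e", "159357",
          "michael1", "monkey", "Jessica!", "p4ssw0rd", "Tr0ub4dor&3", "letmein"]

if __name__ == "__main__":
    for pw in SAMPLE:
        print(f"{pw:14} {classify(pw)}")
    print(tally(SAMPLE))
```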

All machines used before had good salesmen but no certification. They still won't release their source code, so if “fair and open” isn't part of their sales pitch, what is?

The First Federally Certified Voting System

Posted by Soulskill on Saturday February 07, @09:17AM from the at-least-it's-not-diebold dept. Government

InternetVoting writes

"The Election Assistance Commission has announced the first ever federally certified voting system. While the Election Management System (EMS) 4.0 by MicroVote General Corporation has successfully completed 17 months of testing, many questions still remain about the United States' voting system Testing and Certification program. Many systems are still being tested to obsolete standards, the current standards are set to become obsolete soon and cost estimates for future certifications are skyrocketing. The future of improved innovating voting systems does not look bright."

Related (for contrast)

OLPC to laptop makers: Use our design

Posted by Jonathan Skillings February 7, 2009 4:01 PM PST

Speaking at the TED 2009 conference, OLPC founder Nicholas Negroponte said that the future of the initiative--which set out to put simple, durable, low-cost laptops in the hands of schoolchildren in developing nations--is to become, in essence, more commonplace, to "build something that everyone copies," according to Ethan Zuckerman, blogging from TED.


Tool Shows the Arguments Behind Wikipedia Entries

Posted by timothy on Sunday February 08, @01:01AM from the citation-will-one-day-be-needed dept. The Media The Internet

Al writes

"A team of researchers at the Palo Alto Research Center have created a tool that shows how much argument has gone into crafting an entry. Ed Chi, a senior research scientist for augmented social cognition at PARC, obtained access to Wikipedia edit data and used it to build a tool that shows whether users have fought over the accuracy of a page by rapidly re-editing each other's changes. Experiments suggest that the method provides a better measure of 'controversy' than simply having Wikipedia editors add a warning to a suspect page. Their software, called Wikidashboard, serves up a Wikipedia entry, but adds an info-graphic revealing who has been editing it and how often it has been reedited. Of course, this doesn't reveal whether a Wikipedia entry is truly accurate, but it might at least highlight an underlying bias or vested interest."

[From the article:

Daniel Tunkelang, chief scientist at Endeca, an information analysis firm based in Cambridge, MA, says that the tool is a step toward exploring the social context of Wikipedia entries, but he adds, "There's some room for compressing this into something more consumable."

Video of Bill Gates on malaria and teaching at the TED Conference. (And the release of mosquitoes at his talk)

Talks Bill Gates: How I'm trying to change the world now