Saturday, February 21, 2009

I can remember the days when this would be considered a huge breach! Now it hardly merits a comment, but of course I'll make one. The tape does belong to the IT Department. Who owns the data? Is it Police related, Human Resources, or the Governor's Office? And why keep it for 12 years?

Tape with criminal background checks on 807,000 people missing

February 20, 2009 by admin

Filed under: Government Sector, Lost or Missing, Subcontractor, U.S.

The Associated Press is reporting that Information Vaulting Services cannot account for a computer storage tape belonging to the Arkansas Department of Information Systems. The tape reportedly contains data from criminal background checks on 807,000 people conducted over a 12-year period.

The Arkansas Times has a copy of the press release issued by DIS.

Another article pointing out the obvious?

February 20, 2009

2nd 20MM Class Action Lawsuit against RBS WorldPay

A firm in Philadelphia has filed a second class action lawsuit against RBS WorldPay in the amount of 20 million. This is after criminals stole 9 million in a highly coordinated ATM fraud scheme. See previous post here for more information.

It is becoming so that data breach is synonymous with class-action lawsuit. Worse still, the lawsuits are typically several times the hard costs of the breach itself (in this case 9 million just in cash losses).

With Technology changing as rapidly as it does, perhaps we need a more dynamic plan?

February 20, 2009

DHS: 2009 National Infrastructure Protection Plan

"The National Infrastructure Protection Plan provides the unifying structure for the integration of a wide range of efforts for the enhanced protection and resiliency of the nation's critical infrastructure and key resources (CIKR) into a single national program.

The overarching goal of the NIPP is to build a safer, more secure, and more resilient America by preventing, deterring, neutralizing, or mitigating the effects of deliberate efforts by terrorists to destroy, incapacitate, or exploit elements of our nation's CIKR and to strengthen national preparedness, timely response, and rapid recovery of CIKR in the event of an attack, natural disaster, or other emergency.

The 2009 NIPP replaces the 2006 version and reflects changes and updates to program elements and concepts. It captures the evolution and maturation of the processes and programs first outlined in 2006 without changing the underlying policies. The revised NIPP integrates the concepts of resiliency and protection, and broadens the focus of NIPP-related programs and activities to an all-hazards environment."

When knowledge is outlawed only outlaws will have knowledge? Will it also be a crime to read the results of Dutch research that proves “secure RFID” isn't secure at all?

Nevada bill would outlaw RFID security research, EFF says

Friday, February 20 2009 @ 05:48 PM EST Contributed by: PrivacyNews

A proposed bill in the Nevada State Legislature would make it a crime to do legitimate research on security weaknesses in radio frequency identification, the Electronic Frontier Foundation said on Friday.

The bill, S.B. 125, would make it a Class 3 felony to possess, read, or capture another person's personal identifying information through RFID, subject to up to five years in prison and a $10,000 fine.

Source - Cnet

This is beginning to sound like a Marx Brothers comedy: “A Day in the Courtroom”

Pirate Bay Day 5 — Prosecution Tries To Sneak In Evidence

Posted by Soulskill on Saturday February 21, @05:11AM from the not-sneaky-enough dept. The Courts The Internet News

Hodejo1 writes

"On the old Perry Mason TV shows, it was a common sight to see someone burst into the crowded courtroom at a dire moment and confess aloud that they, not the defendant, killed so-and-so. In reality, courts do not allow evidence to enter trial without a chance for the opposing counsel to view it and for a judge to rule on its admissibility. Yet, in the fifth day of the Pirate Bay trial, lawyers for the prosecution again tried to sneak in surprise evidence while questioning defendants. The judge put his foot down this time, telling lawyers for the state, 'If you have documents which you eventually plan to use, you need to hand them over now.' The prosecution continues to struggle in court. In one humorous moment, prosecutor Håkan Roswall tried to show how 'hip' he was with technology when he questioned defendant Peter Sunde. 'When did you meet [Gottfrid] for the first time IRL?' asked the Prosecutor. 'We do not use the expression IRL,' said Peter, 'We use AFK.' The defendants are not out of the woods yet. Lawyer and technology writer Richard Koman wonders aloud if the Pirate Bay's 'I-dunno' defense is all that much better."

[IRL: In real life. AFK: Away from keyboard. Bob]

Wouldn't this business model work with any art form and some not-so-artsy forms? And couldn't the photos be used in non-ad contexts? - Monetize Your Photographs

Is using a camera something you truly excel at? Do you want to make the jump from amateur to pro, and are weighing up your available options? If you do, and you think that you have some pictures that would make a superb advertisement, then this site will let you set off on the path of monetization.

That is, this portal will empower you to submit your photographs as “perfect advertisements” for companies and brands, and name your price for them. If the company spots the pictures and likes them, the platform makes for selling the photos on the spot.

On the other hand, if you are an advertiser who needs any photos to publicize your company or brand, the site will enable you to post a want-ad describing what you envision, and see what comes up. When a photo that suits your needs is posted, it can be easily bought through the site.

On the whole, the site adheres to its tagline of “Where photos become advertisements” by providing users with a platform where both sides are catered for, and bonds can be created and nurtured. As such, it is worth bookmarking and keeping in mind by amateur and seasoned photographers alike.

This might be useful... - The Home Of Tracer For Your Site

Tynt.Com is the home to Tracer. But one may ask, to trace what? Well, this company provides a java code which you may easily install on your site to track what people do when they are on your website.

Here’s how it works: you go online and you subscribe for free, they send you a confirmation e-mail and you are pretty much done to get going. Once you are all set up, the piece of code starts tracking what people do on your site and which bits they find more interesting. How do they do this? What they do is measure actions such as, for instance, when they highlight with their mouse a specific term, or when they copy and paste it; it generates a log for your visualization about this action.

The best thing perhaps is how it helps you take advantage of all those copy and pasted bits of your site since it inserts a link automatically taking the person back to the site where the content originates. In this way you will be taking double advantage of whatever bit of your site is deemed interesting by your audience.

Most likely, the best thing about the stats produced by Tracer is that with this information you may finally identify which are the strong points of your site. In this way you may focus your work on this targeted area to improve your site's success.

Friday, February 20, 2009

It's difficult to imagine the scope of the Heartland Breach. I'm glad some folks are making an effort!

Heartland: It’s not just banks

February 19, 2009 by admin Filed under: Breach Reports

Because has been doing such a terrific job of trying to identify financial institutions affected by the Heartland Payment Systems breach, it’s easy to forget that there were other types of entities affected.

The Contra Costa Community College District was also affected by the breach because it uses Heartland to process online fee payments, telephone fee payments, and purchases at the college bookstores.

It’s unknown how many educational institutions use Heartland to process student payments, and no one seems to be keeping track of how many educational institutions may be notifying students that their cards are at risk, but if you have a kid who’s in college, you might want to ask if they’ve received any notifications that they need to follow up on.

Related and not-so-related. (Neat pie chart of breach types) Data Mining the public record.

Group Spots Giant Hacks by Combing Small Newspapers

By Kim Zetter February 19, 2009 | 8:26:42 PM

Days before Heartland Payment Systems admitted to a computer intrusion that likely exposed hundreds of thousands of consumers to fraud, a group of volunteer security professionals sniffed out the truth on their own.

Thanks to Gary Alexander, one of my ace researchers. Note: This is nothing new, as they have been breached repeatedly. Like this: and this:

Feb 19, 2009 10:14 am US/Eastern

Major Computer Breach At University Of Florida

Personal Information Of More Than 97 Thousand People At Risk

Files Were From "Grove" Computer System Between 1996 & 2009

Breach Discovered Jan. 14
Former and current students, faculty and staff of the University of Florida had better watch their bank accounts closely.

… The investigation confirmed unauthorized access to the system, but it could not determine if files containing private information were accessed. [Without logs, were they legally required to notify every potential victim? How much cheaper would it be to actually know what happened? Bob]

Sounds viable. Time will tell. (Potential Seminar Speaker?)

Secretary Napolitano Appoints Mary Ellen Callahan as DHS Chief Privacy Officer

Thursday, February 19 2009 @ 11:42 AM EST Contributed by: PrivacyNews

U.S. Department of Homeland Security Secretary Janet Napolitano announced today her appointment of Mary Ellen Callahan as the department's Chief Privacy Officer.

... For more than ten years, Callahan has specialized in privacy, security, data protection, consumer protection and e-commerce law, currently as a partner at Hogan & Hartson, LLP. She is the Co-Chair of Online Privacy Alliance, a self-regulatory group of corporations and associations established to create an environment of trust and foster the protection of individuals' privacy online. Callahan also serves as Vice-Chair of the American Bar Association's Privacy and Information Security Committee of the Antitrust Division. She holds a Juris Doctor from the University of Chicago Law School and graduated magna cum laude from the University of Pittsburgh.

Source - Dept. of Homeland Security

Making Breach research easier? Well, in some cases.

Congress heard us! (commentary)

February 19, 2009 by admin

I’m first working my way through the provisions in the stimulus bill that relate to breaches and notifications. One of the recommendations that I and other privacy advocates had made was central notification and disclosure on a publicly available web site. They heard us. Here’s part of the new law:

(3) NOTICE TO SECRETARY- Notice shall be provided to the Secretary by covered entities of unsecured protected health information that has been acquired or disclosed in a breach. If the breach was with respect to 500 or more individuals then such notice must be provided immediately. If the breach was with respect to less than 500 individuals, the covered entity may maintain a log of any such breach occurring and annually submit such a log to the Secretary documenting such breaches occurring during the year involved.
(4) POSTING ON HHS PUBLIC WEBSITE- The Secretary shall make available to the public on the Internet website of the Department of Health and Human Services a list that identifies each covered entity involved in a breach described in subsection (a) in which the unsecured protected health information of more than 500 individuals is acquired or disclosed.

One of those interesting ethical dilemmas... (AKA: Oops!)

Wikileaks Forced to Leak Its Own Secret Info -- Update

By Ryan Singel February 18, 2009 9:28:41 PM

What's Wikileaks, the net's foremost document leaking site, supposed to do when a whistle-blower submits a list of email addresses belonging to the site's confidential donors as a leaked document?

That's exactly the conundrum Wikileaks faced this week after someone from the controversial whistle-blowing site sent an emergency fund-raising appeal on Saturday to previous donors. But instead of hiding email addresses from the recipients by using the bcc field, the sender put 58 addresses into the cc field, revealing all the addresses to all the recipients.

Oh goodie, we can start this argument again. Are you automatically a Monopoly when you exceed 50% of the market or must you be in a position to influence/control/dictate to the market? (And keep in mind that Google only has 23.7% of the online ad market.) Remember too that Google's CEO was a big Obama supporter.

Obama Anti-Trust Chief on Google the Monopoly Threat

Posted by CmdrTaco on Thursday February 19, @05:33PM from the it-has-to-be-said dept. Google Politics

CWmike writes

"The blogosphere regularly excoriates Microsoft for being a monopoly, but Google may be in the cross-hairs of the nation's next anti-trust chief for monopolistic behavior, writes Preston Gralla. Last June, Christine A. Varney, President Obama's nominee to be the next antitrust chief, warned that Google already had a monopoly in online advertising. 'For me, Microsoft is so last century. [Sir Bill will be devastated! Bob] They are not the problem,' Varney said at a June 19 panel discussion sponsored by the American Antitrust Institute, according to a Bloomberg report. The US economy will 'continually see a problem — potentially with Google' because it already 'has acquired a monopoly in Internet online advertising.' Varney has yet to be confirmed as antitrust chief, and she said all this before she was nominated. Still, it spells potentially bad news for Google. It may be time for the company to start adding to its legal staff." [Perhaps they could Google “Anti-Anti-Trust guys” Bob]

How would a Defense lawyer deal with strong (but anarchistic) supporters? More general question: Isn't there a huge downside to losing this case?

Pirate Bay Founder Begs For Hacker Ceasefire

Posted by CmdrTaco on Thursday February 19, @03:17PM from the please-hammer-don't-hurt-'em dept. The Courts

Barence writes

"Pirate Bay's co-founder has pleaded for hackers to stop attacking the sites of those organizations lined up against him. Peter Sunde is on trial with Pirate Bay's three other founders for allegedly distributing copyrighted material. The trial is about to enter its fourth day, and in a gesture of support for the four men hackers have begun assaulting plaintiff websites, beginning with that of the International Federation of the Phonographic Industry. The campaign has caused concern in the Pirate Bay camp, prompting Sunde to write a post entitled 'We're winning, stop hacking, please' on his blog."

Related. But of course, the Prosecutors have some problems too...

Prosecution Baffled by Pirate Bay's Anarchic Structure

By Wired Staff February 19, 2009 4:52:40 PM

Special correspondent Oscar Swartz reports.

STOCKHOLM — Defendant Fredrik Neij took the stand as the landmark trial of Pirate Bay continued Thursday, and left the prosecutor scratching his head over who is in charge of the BitTorrent site.

… The prosecutor became visibly frustrated when he tried to get Neij to identify the kingpin who is ultimately responsible for Pirate Bay and the text and graphics on the site. Neij explained that an extended group of people have privileges on the server, and contribute haphazardly as they see fit. The prosecutor seemed not to grasp the concept.

Related? Ah! That's the question, isn't it?

New U2 album makes early debut on P2P networks

by Steven Musil February 19, 2009 9:10 PM PST

Despite extreme measures to prevent U2's new album from appearing prematurely on the Internet, copies of the band's "No Line on the Horizon" have begun circulating on file-swapping networks--a full week before its official release.

CD-quality copies of the band's 12th album, which is slated for release in Ireland on February 27 and worldwide on March 3, started appearing Wednesday on BitTorrent and now reportedly number in the hundreds of thousands.

Might be worth forwarding... - Assistance For Those With Dyslexia

This solution advertises itself as “Your Personal Super Spell Checker”, and it aims to let anybody overcome any writing process’s shortcomings he might have. Specifically, it is geared towards the ones with dyslexia, and it aims to let these individuals convert the texts they produce into mainstream English.

The approach is quite spot on, as average spell checkers tend to address the needs of the general population, whose spelling mistakes actually have a resemblance to the word they intended to convey in the first place. When it comes to those with dyslexia it is a completely different matter, as the words they write quite often stray far away from the correct spelling.

What Social Good does this serve? (Is humor a social good?)

Judge Rules to Release Spitzer Wiretaps

A U.S. district judge said tapes of former New York Governor Eliot Spitzer making calls to a prostitution ring can be made public.

Thursday, February 19, 2009

I don't often post graphics, but I had a question: Visa told Heartland in October that they had traced the credit/debit card problem to them – did that cause insiders to bail out of the stock?

How big is huge? Click on the map! (376 so far)

February 17, 2009

Clickable Map of Banks Affected by Heartland Payment Systems Data Breach

Disheartening, but fascinating: Check out BankInfoSecurity's clickable map of banks affected by the Heartland Payment Systems data breach.

Related. Forgive me if this duplicates an earlier report, I find it difficult to keep them straight.

Two New Suits Filed in Heartland Data Breach

Class Action Lawsuits Say Processor Failed to Safeguard Cardholder Data

February 16, 2009 - Linda McGlasson, Managing Editor

… The law firm of Berger & Montague filed a class action suit in the U.S. District Court for the District of New Jersey, alleging Heartland's failure to safeguard cardholder data when the company's computer systems were hacked and cardholder data was stolen.

… Previously, Chimicles & Tilellis LLP of Haverford, PA filed suit in the U.S. District Court for the District of New Jersey on behalf of Woodbury, MN resident Alicia Cooper, asserting that Heartland "made unreasonably belated and inaccurate statements concerning the breach."

… The third class action lawsuit filed in February against Heartland comes from Sheller P.C. of Philadelphia, PA. Sheller's suit against Heartland has similar charges against the payment processor.

Related. Peer reactions. Some amusing quotes!

Industry Reaction to Heartland Data Breach

February 16, 2009 - Linda McGlasson, Managing Editor

… The perception that credit card data is 'safe' within the walls of a corporation is an illusion that we need to shatter.

… The first important point to note about the Heartland breach is that they were, by all accounts, PCI compliant.

… The breach at Heartland Payments is a reality check and another example of why we must all stop acting like it is the 1970s - when you kept your credit card in your wallet and the only way someone could get your number was to dumpster dive for your carbons. Today we must assume our credit card and other account information is out there for the taking.

… The real crime is that firms can very well protect all customer data and eliminate these breaches altogether quickly and easily, actually.
CO: City worker accused of stealing fellow employees’ identities

Posted February 18th, 2009 by admin

A Denver city worker will be formally charged this week with 18 counts of identity theft and nine counts of criminal impersonation.

Ray Taylor, 36, is also facing one count of theft.

The Denver District Attorney’s office says Taylor used the names, birth dates and other personal information of others, including current and former Denver city employees, to open credit card and bank accounts without their permission.

Taylor worked as a payroll clerk for Denver’s Career Service Authority, and prosecutors say he had access to personal information through his position.

I don't think they like it...

Obama’s Electronic Health Records initiative could usher in a new wave of ID theft

By jheary on Mon, 02/16/09 – 4:39pm

… But the plan or direction on how to get us there is completely missing from the stimulus bill. When the government throws lots of money at a problem before they have a viable plan or even the framework of a plan in place disaster usually strikes.

It's no surprise that Google's CEO wears a “'Bama's Buddy” T-shirt. Perhaps we need a “shadow site” to analyze and point out the opacity? shuns transparency, blocks Google

by Chris Soghoian February 19, 2009 5:41 AM PST

The Obama administration has apparently opted to forbid Google and other search engines from indexing any content on the newly launched

Is this further evidence that the administration's much-publicized commitment to transparency is simply hype?

The “get tough” trend continues.

VA: ID Theft Law Headed to Governor's Desk

Wednesday, February 18 2009 @ 03:25 PM EST Contributed by: PrivacyNews

A bill that makes it easier for prosecutors to go after identity thieves is on its way to the Governor's desk. The state senate unanimously passed Albemarle County Delegate Rob Bell's bill. It expands the existing identity theft law to include anything of value, including your credit rating.

Source - NBC29

[From the article:

"The reason identity theft is different is after the crime is over with, there's a whole lot of clean-up that has to be done," said Del. Rob Bell (R-58th District). "So this bill would empower the Attorney General to help the victim get his credit report back together and allow the court to assess costs to the criminal for the cost of getting your credit back together."

Website tool. - Speech Enabling Your Site

Presented by the ReadSpeaker folks (the forerunners as regards converting texts on sites to voice, back in the year 1999), WebReader is a new service that lets your visitors listen to your page or blog. The system is implemented by adding a button to your site that when clicked upon will read either the whole page or any specific portion that you determined beforehand.

This button can be easily added, as all you have to do is paste a snippet of HTML or use one of the provided plug-ins. You must also specify the language and choose between a male or female voice to read out your site.

We don't tell our students about sites like this until the end of the website class. - Publishing & Monetizing Your Site

Building and monetizing a site is made a suppler task thanks to online resources such as this one. Generally speaking, it covers the process from start to finish: it lets you build the site from scratch (and without any technical knowledge on your part), put it on the WWW and monetize it by placing products which are specifically geared towards your public. What’s more, once this has been taken care of you will be able to analyze traffic figures and see reports detailing revenue, in the hope of extending your outreach.

An account can be created at no cost, and the sites you can create are meant to work on all major browsers in the market today.

Let's bring back the days when we could cane students – avoiding the need to call police.

Student Arrested For Classroom Texting

Posted by samzenpus on Wednesday February 18, @04:52PM from the the-strong-arm-of-the-education-system dept.

A 14-year-old Wisconsin girl was arrested and charged with disorderly conduct after she refused to stop texting during a high school math class. The girl denied having a phone when confronted by a school safety officer, but a female cop found it after frisking her. The Samsung Cricket was recovered "from the buttocks area" of the teenager, according to the police report. The girl was banned from school property for a week, and is scheduled for an April 20 court appearance for a misdemeanor disorderly conduct charge. I applaud the adults involved for their discretion and temperance in this heinous case of texting without permission.

Global Warming! Global Warming! NOTE: This is not unusual in Scientific Reports. (It's called the “I didn't look out the window” syndrome.) Neither is it unusual for “fanatics?” to grasp anything that seems to support their position and never retract/correct their “proof.”

Arctic Ice Extent Understated Because of "Sensor Drift"

Posted by samzenpus on Thursday February 19, @07:57AM from the give-it-a-few-taps dept. Earth Science

dtjohnson writes

"The National Snow and Ice Data Center (NSIDC) has been at the forefront of predicting doom in the arctic as ice melts due to global warming. In May, 2008 they went so far as to predict that the North Pole would be ice-free during the 2008 'melt season,' leading to a lively Slashdot discussion. Today, however, they say that they have been the victims of 'sensor drift' that led to an underestimation of Arctic ice extent by as much as 500,000 square kilometers. The problem was discovered after they received emails from puzzled readers, asking why obviously sea-ice-covered regions were showing up as ice free open ocean. It turns out that the NSIDC relies on an older, less-reliable method of tracking sea ice extent called SSM/I that does not agree with a newer method called AMSR-E. So why doesn't NSIDC use the newer AMSR-E data? 'We do not use AMSR-E data in our analysis because it is not consistent with our historical data.' Turns out that the AMSR-E data only goes back to 2002, which is probably not long enough for the NSIDC to make sweeping conclusions about melting. The AMSR-E data is updated daily and is available to the public. Thus far, sea ice extent in 2009 is tracking ahead of 2005, 2006, 2007, and 2008, so the predictions of an ice-free north pole might be premature."

Wednesday, February 18, 2009

Perhaps HPS learned from TJX. After all, TJX kept a low profile too.

National Media Ignoring Heartland Data Breach

February 17th, 2009 Rob Douglas

President Barack Obama and the massive Heartland Payment Systems data breach have one thing in common. They both became official on Tuesday, January 20, 2009.

The 20th of January was the day the president was inaugurated and the day Heartland – in a pathetically obvious [yet effective Bob] attempt to hide behind the news of the inauguration – announced the largest data breach in history.

But, that is where the similarities end.

While President Obama continues to revel in the adulation of a fawning press, Heartland’s inability to thwart the hackers who planted malware in order to steal valuable credit card information from millions of Americans has been - for the most part - ignored by the national media.

While there have been dozens of articles written by small town and regional publications across the country about the hundreds of banks and credit unions that are replacing customer credit and debit cards because of the data breach, the national print and television media have paid almost no attention to the scope of the crisis.

Even more troubling is the lack of inquiry by the media into the genesis of the breach and the degree to which other payment processors may also be at risk.

The inescapable conclusion is that with the majority of the media so focused on our newly minted president and the global economic recession, there has never been a better time for cybercriminals to ply their trade. I suspect the Heartland security breach will not be the last significant cybercrime we learn of that benefited from the media’s self-induced distraction.

Bottom line: If you’re an identity thief, hacker or any other form of cybercriminal, this is the perfect time to strike the United States as no one is minding the store.

Related, in that you'll never hear this on the evening news.

EXCLUSIVE: GovTrip site shut down; DOT computers infected

Posted February 17th, 2009 by admin

Over on USA Today, Peter Eisler’s lead is about how more infiltrators are trying to plant malicious software they could use to control or steal sensitive data. Here’s another incident this week that mainstream media doesn’t seem to know about.

Over on the FAA Follies blog, it’s been reported that the Cyber Security Management Center detected that certain users of the GovTrip site were being redirected to a site that was delivering malicious software to users, resulting in the compromise of certain computers within the Department of Transportation (DOT). The site was reportedly shut down on the 13th although it was back online by the time I checked it on the 15th. The notices, as posted on the blog read:

… When contacted about the breach, an employee of the DOT informed me that he had received the broadcast emails, but that’s all he knew, and no one at Cyber Security Management Center has returned calls asking for more information about the breach. Nor did anyone seem to know who would even collect information from all agencies that use GovTrip to determine how many agencies and how many computers might have been infected.
And yet even more p2p breaches

Posted February 17th, 2009 by admin

Thanks to Rian of RedTeam Protection, here are some more breaches they uncovered:

  • An executive producer at a Manhattan based television Production Company published 2,755 documents onto the gnutella file-sharing network. Contractors of this firm were required to provide their name, date of birth, and social security number for tax purposes. The invoices with personal identifiers were leaked, and several scripts were found for episodes currently in preproduction.

  • A therapist at a Tennessee based health care provider, and contractor to the Department of Children’s Services published 581 files onto the gnutella p2p network. These files included psychological evaluations of both parents and their children. The documents included personal identifiers, family medical histories, parenting evaluations, and admissions of rape and sexual abuse. [Can prosecutors use this? Bob]

  • A Florida accounting firm published 1,714 files onto the gnutella file sharing network. These files contained social security numbers and income information, in addition to confidential accounting records belonging to their corporate clients.

  • A benefits advisor at a Canadian college published 2,781 files onto the gnutella file sharing network. The files included health insurance information for employees and their families.

  • A Texas based paralegal and transcription service published 5,340 files onto the gnutella network. These files included both medical records as well as attorney client privileged information.

  • A bookkeeper at a national food service company published 2,604 files onto the gnutella file sharing network. These files included social security numbers, payroll information, scanned drivers licenses, insurance cards, and social security cards, in addition to internal union negotiations and grievance claims.

More p2p breaches coverage.

The response must have been massive – not suggested in the accounts I read. (Or perhaps Facebook hadn't thought through the changes until the backlash forced them to?)

Facebook Withdraws Changes in Data Use

Wednesday, February 18 2009 @ 05:03 AM EST Contributed by: PrivacyNews

After a wave of protests from its users, the Facebook social networking site said on Wednesday that it would withdraw changes to its so-called terms of service concerning the data supplied by the tens of millions of people who use it.

Source - NY Times

Inevitable? Strategically, this bayoneting of the wounded would make any Privacy “protest” more likely to reach management's ears.

Facebook Privacy Change Sparks Federal Complaint

Tuesday, February 17 2009 @ 06:35 PM EST Contributed by: PrivacyNews

The backlash against Facebook's updated privacy policies is about to expand. The Electronic Privacy Information Center (EPIC) is preparing to file a formal complaint with the Federal Trade Commission over the social network's updated licenses, PC World has learned.

Source - PC World

What can we learn? The first thing that springs to mind is: When you have a high-visibility, strategically important, “proof of concept” trial – you damn well better make certain to win on every count. Anything not 99% certain should be eliminated. (Besides, keeping all those counts until now divided the defense's efforts.)

Prosecution Drops Some Charges Against The Pirate Bay

By Wired Staff February 17, 2009 12:27:29 PM

Special correspondent Oscar Swartz reports.

STOCKHOLM — Prosecutors dropped half of the charges in the landmark trial of The Pirate Bay file sharing site Tuesday, leaving observers stunned and prompting questions about the government's preparedness in the long-awaited criminal proceeding.

… The Pirate Bay's supporters quickly claimed victory in the blogosphere, and many expressed astonishment at the course-correction. This was, after all, supposed to be the seminal piracy prosecution, with Hollywood throwing the kitchen sink at a few defiant Swedish computer nerds.

… The move is remarkable because of the extensive groundwork the content industries and the prosecutor have laid for the case. The Motion Pictures Association and other plaintiffs had collected evidence for many months by participating in file-sharing torrent swarms, dumping screenshots of downloads in progress and collecting information before the raid on May 31, 2006, in which 195 computers were trucked away by the police. The prosecutor led an investigation for two-and-a-half years after that.

Now Brad Pitt's computer can be accessed by his brother Arm...

Researchers Hack Biometric Faces

Posted by kdawson on Tuesday February 17, @08:35PM from the face-off dept. Security Portables

yahoi sends in news from a week or so back:

"Vietnamese researchers have cracked the facial recognition technology used for authentication in Lenovo, Asus, and Toshiba laptops in lieu of the standard logon/password. The researchers were able to easily bypass the biometric authentication system built into the laptops by using photos of an authorized user, as well as by presenting multiple phony facial images in brute-force attacks. One of the researchers will demonstrate the hack at Black Hat DC this week. He says the laptop makers should remove the facial biometrics feature from their products because the vulnerability of this technology can't be fixed."

[From the article:

They successfully bypassed Lenovo's Veriface III, Asus' SmartLogon V1.0.0005, and Toshiba's Face Recognition -- each set to its highest security level -- demonstrating vulnerabilities in the systems that let an attacker cheat them with phony photos of the legitimate user and gain access to the laptops.

These Windows XP and Vista laptops come with built-in webcams that work with the facial-recognition technology. This form of authentication is considered more convenient than fingerprint scans and more secure than traditional passwords.

For your security newsletter. Points to reports and advice for securing your phone.

Phone Security Not Only a Presidential Issue

February 17th, 2009 Rob Douglas

… “There’s software out there that will let people image what’s on a phone, or download that information in a matter of minutes, put it back on a desk and nobody will know their information is lost,” said Michael Kessler, president of Kessler International. The computer and cell phone forensics company works with government agencies, as well as corporate clients and law firms.

See the full report at MSNBC.

So, under what circumstances would Google NOT be allowed to drive up a private road and photograph your house?

Google wins Street View privacy suit

Wednesday, February 18 2009 @ 05:23 AM EST Contributed by: PrivacyNews

A couple in Pittsburgh that sued Google claiming that the Street View on Google Maps is a reckless invasion of their privacy has lost their case.

Aaron and Christine Boring sued the Internet search giant last April, alleging that Google "significantly disregarded (their) privacy interests" when Street View cameras captured images of their house beyond signs marked "private road." The couple claimed in their five-count lawsuit that finding their home clearly visible on Google's Street View caused them "mental suffering" and diluted their home value. They sought more than $25,000 in damages and asked that the images of their home be taken off the site and destroyed.

Source - Cnet

[From the article:

However, the U.S. District Court for Western Pennsylvania wasn't impressed by the suit and dismissed it Tuesday, saying the Borings "failed to state a claim under any count."

Ironically, the Borings subjected themselves to even more public exposure by filing the lawsuit, which included their home address. In addition, the Allegheny County Office of Property Assessments included a photo of the home on its Web site.

The Borings are not alone in their ire toward the Google Maps feature. As reported earlier, residents in California's Humboldt County complained that the drivers who are hired to collect the images are disregarding private property signs and driving up private roads. In January, a private Minnesota community near St. Paul, unhappy that images of its streets and homes appeared on the site, demanded Google remove the images, which the company did.

However, Google claims to be legally allowed to photograph on private roads, arguing that privacy no longer exists in this age of satellite and aerial imagery.

Handy dandy planning tool for my website students. Might work for document layout as well. - Create Screen Mockups

Presented by Mr. Petru Severin (a Romanian programmer), WireframeSketcher is a nifty little tool that is available to users the world over. It serves the purpose of creating wireframes, screen mockups and UI prototypes and getting your ideas across to others.

The aim of any mockup is to let others have a good idea of what it is you want to construct in the long run, and see whether your vision and the vision of others are compatible and can complement each other. In that sense, WireframeSketcher does a very competent job and will enable you to find the feedback and the insight you might be needing in order to move on up.

This tool is provided at a given cost, but (as is the norm nowadays) you can try it out for free beforehand. This way, you will be able to determine what its high points are and how closely it will suit your needs before incurring any expenses. You can also check out the provided “Support” section and the featured blog, and if any doubt still remains you can dispel it by contacting Mr. Severin at the address provided online.

As Cloud Computing grows, users will have the ability to move applications off their computers (leaving more room for porn music) and ensuring that everyone in a work-group has the same tool. - Edit Documents Online For Free

If word processing is the task at hand, chances are a visit to this site will sort you out. Presented by a Canadian team, Shutterborg can be described as a free word processor that is entirely web-hosted.

When you first visit the site, you are asked where the document in question is located. You can pick documents located both in your computer and in the WWW, whereas a new document can be created from scratch if that is what you want.

The one aspect that gives this tool added presence is the ability to modify the text of any webpage without having to edit or touch the .HTML itself. This will obviously fuel the creativity of those who have either 1) A well-developed sense of humor, or 2) A lot of time on their hands. And if both suppositions turn out to be true at the same time, then we will be in for some highly amusing times.

...and just in case you thought all innovation was productivity enhancing... - A Transparent Browser

In a nutshell, Double Vision is a software application that will let you browse the web employing a transparent window. That is, the browser itself becomes a sort of see through entity that can even be clicked through in order to open applications and do other things in the background.

The transparency level itself can be customized, and there is also a “Quick hide” feature that comes complete with an automatic muting functionality. This is useful if you employ Double Vision in your workspace, and wish to go as unnoticed as possible.

Of course, this application also lends itself to uses such as watching tutorials while performing the different steps, or keeping articles in sight while working on projects.

Finally, it must be mentioned that this solution is absolutely free.

Tuesday, February 17, 2009

Strange? Now your data is kept by an organization you don't have a contract with, under a privacy policy you never read.

... to tap BT as data harvester

Small ISP customers to be monitored upstream

By Chris Williams Posted in Government, 16th February 2009 09:52 GMT

The arrangement is the Home Office's solution to its dilemma of having to comply with EU law, while not wishing to fund every ISP's data retention system. At an industry meeting last year officials were unable to provide clear guidance on what small operations would be required to do once the EUDRD became UK law.

… *Full details of the internet communications data to be retained under the UK implementation of the EUDRD are here. Scroll to Part 3.

A tool for stalkers? Will the phone companies refund your 'unlisted number' fee?

Anonymous Caller? New Service Says, Not Any More

Tuesday, February 17 2009 @ 05:57 AM EST Contributed by: PrivacyNews

A new service set for launch Tuesday allows cellphone users to unmask the Caller ID on blocked incoming calls, obtaining the phone number, and in some cases the name and address, of the no-longer-anonymous caller.

The service, called TrapCall, is offered by New Jersey's TelTech systems, the company behind the controversial SpoofCard Caller ID spoofing service. The new service is likely to be even more controversial — and popular.

"What’s really interesting is that they’ve totally taken the privacy out of Caller ID," says former hacker Kevin Mitnick, who alpha-tested the service.

Source - Threat Level

How better to justify knowing what you do on your PC than to tax it? No doubt anything encrypted will be taxed at the highest rate. Calculating a percentage for free downloads is too much like “Math-for-politicians” so no doubt that will simply be taxed on a “per item” basis.

New York Wants To Tax Internet Downloads

Posted by CmdrTaco on Monday February 16, @11:35AM from the bits-for-bucks dept. Politics

An anonymous reader writes

"NY is considering taxing 'video and music' downloads to offset a burgeoning budget deficit."

How long before we all have meters on our routers? This version is just a 4% tax on movies and songs downloaded from services like iTunes, but I'm sure if they could figure out a bit tax, they would.

Microsoft finds another way to disappoint. Best comment suggests this may force users to run Windows in their virtual machine so it can't control your hardware!

Draconian DRM Revealed In Windows 7

Posted by kdawson on Monday February 16, @09:18PM from the just-who-did-you-think-owns-your-machine dept. Windows

TechForensics writes

"A few days' testing of Windows 7 has already disclosed some draconian DRM, some of it unrelated to media files. A legitimate copy of Photoshop CS4 stopped functioning after we clobbered a nagging registration screen by replacing a DLL with a hacked version. With regard to media files, the days of capturing an audio program on your PC seem to be over (if the program originated on that PC). The inputs of your sound card are severely degraded in software if the card is also playing an audio program (tested here with Grooveshark). This may be the tip of the iceberg. Being in bed with the RIAA is bad enough, but locking your own files away from you is a tactic so outrageous it may kill the OS for many persons. Many users will not want to experiment with a second sound card or computer just to record from online sources, or boot up under a Linux that supports ntfs-3g just to control their files."

Read on for more details of this user's findings.

For your Security newsletter. (You do have one, right?)

9 Dirty Tricks: Social Engineers' Favorite Pick-Up Lines

By Joan Goodchild, CSO, 02/16/2009


Identity-theft scammers pretend to be IRS

By Peter Mucha Inquirer Staff Writer Posted on Tue, Feb. 17, 2009

Online con artists are always coming up with something new.

Now they're phishing for private information via fax - while pretending to be the IRS.

The phony e-mail arrives, pretending to be from "Internal Revenue Service," with a subject line such as "please see the attachment."

Tools for geeks - Blog On Web 2.0 & Internet Tips

A blog that deals with Web 2.0 and Internet tips, PakBlogger is an interesting online destination for those who want to maximize their time on the World Wide Web.

The blog itself is subdivided into categories such as “Gadgets”, “Tips and Tricks” and “How To”, whereas a section that is named “Google” is likewise provided. The latter includes postings that go by names such as “10 Useful Google Chrome Tips And Tricks” and “Top YouTube Videos – Most Viewed YouTube Videos Using Google Map”.

Of course, you can see the most recent postings on the menu that is provided on the right-hand side of the main page, and you can see what new developments are attracting the most attention this way.

Usual features such as updates via RSS are likewise featured, so that you can always keep posted on the world of the Internet and Web 2.0 one way or the other. If you happen to be interested in the Internet as a whole, this weblog is definitely worth visiting at least once, and being browsed through for a while.

Even as a slide show, this is an interesting list.

Slideshow: Voice chat for free on your PC

by Jessica Dolcourt February 17, 2009 12:01 AM PST

You don't need a fistful of dollars to make an international call, just a computer with a microphone, speakers, and one of the six applications we gathered together for you in this collection of free voice-chat apps (some offer upgrades to premium services). As a bonus, all of these fine downloads offer video calls to let you put a face to a voice.

Monday, February 16, 2009

It doesn't have the tabloid appeal the FBI loves...

Opinion: Where is the government on cybersecurity?

By Ira Winkler

February 16, 2009 (Computerworld) A couple of recent events have shown how purposefully useless the U.S. government is with regard to cybersecurity. Every so often, the FBI parades some success stories through the media. Unfortunately, what's behind them are prosecutions for show rather than true demonstrations of tackling cybercrime.

For example, U.S. law enforcement had nothing to do with the takedown of McColo, the ISP that was home to major botnet controllers. It's telling that foreign criminal gangs felt comfortable enough to use a U.S.-based service to host their critical servers.

Things that go bump in the night. (You don't suppose this is because they both now use Windows?)

British and French Nuclear Subs Crash in Atlantic

Monday, February 16, 2009

… The collision is believed to have taken place on February 3 or 4, in mid-Atlantic. Both subs were submerged and on separate missions.

As inquiries began, naval sources said it was a millions-to-one unlucky chance both subs were in the same patch of sea.

Be careful what you agree to...

February 15, 2009

New on - E-Discovery Update: Revisiting ESI Agreements and Court Orders

E-Discovery Update: Revisiting ESI Agreements and Court Orders - Conrad J. Jacoby focuses on the new requirement that litigants must meet early in a dispute to discuss the scope of discovery work to reach agreement on how best to proceed with the discovery of potentially relevant electronically stored information (“ESI”). What happens, though, when fundamental assumptions used to reach agreement at that early stage in the case turn out to be incorrect?

There are probably a lot of theories on this. Let me add one that I quote often in my Statistics class: “Half the world is below average.” (So they have some growing to do...)

Facebook hits 175 million user mark

by Steven Musil February 15, 2009 10:30 AM PST

A little more than a month after announcing it had 150 million active users, Facebook has reached 175 million active users--the statistic the social-networking site prefers to use, rather than registered accounts overall.

Dave Morin, who runs Facebook's application platform team, announced the milestone Friday evening on his Twitter/FriendFeed. Facebook reached 150 million just more than two months after reaching 120 million and about four months after reaching 100 million.


Facebook's New Terms of Service

Posted by CmdrTaco on Monday February 16, @09:05AM from the are-we-really-worried-about-this dept. Privacy Social Networks

An anonymous reader writes

"Chris Walters writes about Facebook's new terms of service. 'Facebook's terms of service (TOS) used to say that when you closed an account on their network, any rights they claimed to the original content you uploaded would expire. Not anymore. Now, anything you upload to Facebook can be used by Facebook in any way they deem fit, forever, no matter what you do later. Want to close your account? Good for you, but Facebook still has the right to do whatever it wants with your old content. They can even sublicense it if they want.'"

Oh no! Now they'll be able to license your super flair goblin poke 25 tag history! [I have no idea what that is... Bob]

Sunday, February 15, 2009

A much older scam than the story suggests. Spoof the Accounts Payable Dept into changing the address for payments. One solution has been to send a confirming letter to the old address. If they haven't moved, you get a quick phone call; if they have, the Post Office forwards the mail. NOTE this is not an IT problem as the article suggests.

Web Scam Bilks State of Utah Out of $2.5M

Posted by kdawson on Saturday February 14, @06:12PM from the lessons-from-the-nigerian dept.

KitB sends in a story in the Salt Lake Tribune that tells of a Web-based scam, resembling some used by Nigerian gangs, that snared the state of Utah. $2.5M was sent to a bank account in Texas before the bank raised a question and then froze $1.8M in the account.

"Thieves apparently used a Nigerian-based scam to steal $2.5 million from the Utah treasury, covering their tracks by using intermediaries and a church address. A Salt Lake Tribune review of the names listed in a search warrant as receiving or transferring money [found] names of African origin or connections to that continent. Michael Kessler, ... a forensic accounting [investigator] in New York City, said the thieves appear to have used a simple scam that originated in Nigeria about five years ago. The Utah theft is the first time he's seen a government victimized. 'Their IT people should have known better,' Kessler said after reviewing a copy of the search warrant Thursday. 'It sounds like any kid could have done this.'"

Social Engineering 101: Keep it simple!

‘Don’t Click’ Attack Strikes Twitter

February 14th, 2009 Rob Douglas

Using the simplest of social engineering hacks — an enticing message with a link, labeled “don’t click” — a “clickjacking” exploit of the Twitter microblogging service flooded its network today, hijacking users’ status to spread itself before the link could be shut down.

The exploit’s link — — relied on a URL hidden through use of the TinyURL link-shortening service. The hack was shut down early this afternoon by TinyURL’s founder, Kevin Gilbertson, after Twitter users notified him of the attack.

“On my end, I just got some e-mails mentioning it. So once I found that out, I terminated the URL like I do with other abuse instances,” Gilbertson told He added that he replaced the forward of the URL with a notice that the URL had been terminated due to a breach of TinyURL’s terms of service.

See the full report at

[From the article:

Before the link was blocked, however, it managed to place a major strain on Twitter's infrastructure. At several points, visitors to the service's Web site were greeted by a page saying that the site was over its message capacity.

The future of jury trials (at least those with an ax to grind) Add in a few egotistical lawyers and some trials will look like they were conducted in supermarket-tabloid-land.

The Pirate Bay Is Making a "Spectrial" of It

Posted by kdawson on Sunday February 15, @02:44AM from the step-right-up dept. The Courts

IDOXLR8 writes

"The Harvard Law students defending accused file-swapper Joel Tenenbaum are doing their best to turn his upcoming trial into a media event. But when it comes to pure spectacle, they have nothing on The Pirate Bay. TPB is referring to the event as a 'spectrial,' a cross between a spectacle and a trial. They have set up a site where you can track their current location, complete with journal entries. The trial begins next Monday and features a live audio feed and Twitter translations."

We were discussing this the other day. To avoid the tool altogether, you just find several cars identical to yours, photograph their license plates, and follow the instructions supplied here: AND you can drive as fast as you want!

Automation May Make Toll Roads More Common

Posted by Soulskill on Saturday February 14, @11:58AM from the first-cameras,-then-evil-toll-robots dept. Transportation Privacy The Almighty Buck

bfwebster writes

"Here in Denver, we have E-470, a toll section of the 470 beltway, that uses the usual transponder attached to your windshield. Fair enough, and I make use of it, particularly in driving to the airport. But they've just implemented new technology on E-470 that allows anyone to drive through the automated toll gates. If you don't have a transponder, it takes a photo of your license plate and sends a monthly bill to your house. As a result, the company that runs E-470 plans to close all human-staffed toll booths by mid-summer. And as an article in this morning's Rocky Mountain News notes, 'Such a system could be deployed on other roads, including some that motorists now use free. The result: a new source of money for highways and bridges badly in need of repair.' You can bet that legislators, mayors, and city councilpersons everywhere will see this as an even-better source of income than red-light cameras. You've been warned."

The Internet killed newspapers, Google (and the Kindle) killed books, now radio and tomorrow television. No ancient technology is safe! Join the “Save Fire” foundation and send us all your money before that becomes obsolete too!

Internet Killed the Satellite Radio Star

Posted by kdawson on Sunday February 15, @08:15AM from the finding-an-economically-sensible-use-for-space dept. Space The Internet Entertainment

theodp writes

"As Sirius XM faces bankruptcy, Slate's Farhad Manjoo reports that the company has bigger problems than just the end of cheap credit. While it has what seems like a pretty great service — the world's best radio programming for just a small monthly fee — Sirius XM has been eclipsed by something far cheaper and more convenient: the Internet. Load up Pandora or the Public Radio Tuner on your iPhone, and you've got access to a wider stream of music than you'll ever get through satellite. So forget the satellites, the special radios, and the huge customer acquisition costs, advises Manjoo, and instead focus on getting Howard Stern, Oprah, the NFL, and MLB on every Internet-connected device on the market at very low prices."

Definitely targeted to me! This just might be useful. Most of the subjects I looked at were worthless, but one or two had real potential – especially as a reminder of the obscure. - Learning For Lazy People

Most people don’t like learning. That’s why so many people’s memories about high school don’t add up to much but parties. If you’re lazy about learning, then might be what you’ve been looking for all your life.

This useful desktop app will allow you to learn while you do other things. For example, if you’re looking to learn Spanish, just download the software and every once in a while, a popup question will test your knowledge. Do this long enough, and you’ll learn while you’re doing something else. It’s great. This should be developed with a lot more subjects, as alternative educational methods are all the rage right now. If you get into the learning method, you can click on the pop up and see the full flash card, allowing you to answer while concentrating more on the question.

There already are over 150 topics, so if you’re just getting started, try out one you already know and see how effective it is. We’re already hooked, so try it out at