Saturday, July 11, 2009

Today's theme is “unbelievable statistics” – believe it!

This can't be right, can it? According to Wolfram Alpha, more than 600,000 people died in the UK last year. So something like 96,000 had their identity stolen? Are we seeing this in the US where 2,500,000 people died last year?

Post-mortem ID theft

July 10, 2009 by Dissent Filed under Breaches, Non-U.S.

According to Cifas data analyzed by Halo, if you’re in the UK and die, you apparently have a 16% risk of having your identity stolen after your death.

That makes a somewhat compelling argument for not dying in the UK, doesn’t it?


Après HITECH, le déluge (of reports)

July 10, 2009 by Dissent Filed under Breaches, Featured Headlines, Legislation, U.S.

Yesterday on, I posted a link to an article in the Journal of AHIMA that discusses how California officials were surprised at how many breach reports they have received since California’s new medical privacy breach reporting law went into effect on Jan. 1.

Under the broadened reporting requirements whereby healthcare organizations in California are now required to report any unauthorized access to a patient’s unsecured personally identifiable health information (PHI) —intentional or otherwise — 823 incidents were reported between Jan. 1 and May 31. According to a spokesperson for the California Department of Public Health, Center for Health Care Quality (CDPH), most of the breaches have been due to errors as opposed to intentional breaches.

In a statement to, Pam Dixon, Executive Director of the World Privacy Forum noted how the high numbers suggest that there is much to be done to ensure privacy and confidentiality:

“What struck me the most about the report is the total number of breaches since January — over 800. This is a substantially higher number than previous breach reports have hinted at. We have always known that the number of actual breaches exceeded the number of breaches that get reported, but these new statistics suggest that the number of actual breaches is staggeringly high. This new data show why there is heightened need for stronger protections for electronic health records, and especially for electronic health records that are exchanged among a variety of providers and health information exchanges. Ensuring patient privacy and confidentiality has not been adequately addressed yet, or we would not be seeing these high breach numbers.”

If that is the case, as it appears to be, then what should we expect to see nationwide when the HITECH Act is implemented? Under the new law, there is a broader definition of what constitutes a breach and what triggers notification. Although notification is only required in the case of unsecured PHI, given how many incidents we read about on a daily basis involving unsecured records, and in light of preliminary data from California, it seems likely that we are about to have a mind-boggling experience when we see how often unintended disclosure of PHI really occurs.

As Dixon points out, and as the reports from Alberta Health Services in Canada and the NHS in the UK clearly remind us, as we move towards more records online, we run greater risks of not only hacks but viruses infecting databases and either endangering the accuracy of patient records or stealing sensitive health and personal information. The California data serve as a useful wake-up call and call to action even before HITECH Act provisions go into effect.

I hope they are notifying users and pointing them to a “cure” but I don't see that in the article. Just means the user will re-connect with a new account and the same old malware – and assume Twitter is poorly managed.

Twitter Suspends Accounts of Users With Infected Computers

Jeremy Kirk, IDG News Service Friday, July 10, 2009 5:00 AM PDT

Twitter is suspending the accounts of some users whose computers have fallen victim to a well-known piece of malicious software that has targeted other sites such as Facebook and MySpace.

The malware, Koobface, is designed to spread itself by checking to see if a person is logged into a social network. It will then post fraudulent messages on the person's Twitter account trying to entice friends to click the link, which then leads to a malicious Web site that tries to infect the PC.

… Koobface gets instructions from a command-and-control server, which tells the malware which messages to send out. Koobface is dangerous on other levels, however, as it can also steal data from a PC or download other malware.

Politics means never having to say you're sorry (or wrong or lying or...)

Mininova Denied Rectification From Dutch Government

Written by Ernesto on July 09, 2009

Recently a committee of the Dutch Parliament published a report on copyright legislation in which it made several false accusations against the Dutch-based BitTorrent site Mininova. The Mininova team were insulted by the report and demanded a public rectification, which the parliament has now refused. Mininova is now considering legal action.

… Legal threats or not, the committee announced today that it does not intend to rectify their earlier statements, even though they admit to having made a mistake.

(Related) Perhaps we've reached a point where whatever politicians say is assumed to be wrong?

EU Commissioner: Digital Natives See Piracy As ‘Sexy’

Written by enigmax on July 10, 2009

EU Commissioner for Telecoms and Media Viviane Reding has joined the debate over Internet piracy. Yesterday she stated that both sides of the conflict are right but their inability to see things from the other’s perspective is holding back progress. In the meantime, she says, piracy is seen by many as increasingly “sexy”.

“enquiring minds want to know”

Terrorist Surveillance Program, unplugged

July 10, 2009 by Dissent Filed under Featured Headlines, Govt, Surveillance

A long-awaited report on the Terrorist Surveillance Program was released today. An unclassified version of the report prepared by the Office of Inspectors General for the Departments of Defense, Justice, the CIA, NSA, and DNI is entitled Unclassified Report on the President’s Surveillance Program (pdf).

The report’s discussion of the President’s Surveillance Program (PSP) makes it clear that the Terrorist Surveillance Program (TSP) that the public became aware of in 2005 following publication by the New York Times was only one part of a much broader program expanded by Bush after 9/11 to include a variety of activities. The other activities, referred to in the report as “Other Intelligence Activities,” remain “highly classified” and are not described in the report, but are also subsumed under “PSP.” The PSP program resulted in “unprecedented” collection of data.

According to the report, although John Yoo reportedly prepared several preliminary opinions relating to hypothetical events in September and October of 2001, the first formal Office of Legal Counsel (OLC) opinion on the legality of PSP was not drafted until after President Bush formally authorized the program in October 2001. According to the report:

The first OLC opinion directly supporting the legality of PSP was dated November 2, 2001, and was drafted by Yoo. As discussed in Section IV of this report, deficiencies in Yoo’s memorandum identified by his successors in the Office of Legal Counsel and the Office of the Deputy Attorney General later became critical to DOJ’s decision to reassess the legality of the program in 2003.


As the only OLC official read into the PSP through early 2003, Yoo consulted directly with White House officials about the PSP during this period. Because the DOJ OIG was unable to interview Yoo, it could not determine the exact nature and extent of these consultations. The DOJ OIG was also unable to determine whether Attorney General Ashcroft was fully aware of the advice Yoo was providing directly to the White House about the PSP.

Of course, much that the public would want to know is omitted from the unclassified version of the report, but there is a significant amount of criticism that is left for the public to mull over. One such aspect concerns the DOJ’s handling of PSP-collected information as it related to DOJ’s discovery obligations in international terrorist prosecutions. The DOJ OIG recommended that DOJ review its obligations, but also that the DOJ

carefully consider whether it must re-examine past cases to see whether potentially discoverable but undisclosed Rule 16 or Brady material was collected under the PSP, and take appropriate steps to ensure that it has complied with its discovery obligations in such cases.

That Yoo was pretty much the sole source of legal justification memos for PSP seems pretty evident from reviewing the report. It also seems clear that as more people in OLC were read into the program, the OLC began seriously questioning Yoo’s memoranda and the legality of the program, while Gonzales and others in the White House kept trying to persuade Yoo’s successors that the program was legal.

Perhaps some of the greatest drama in the report is provided in the detailed description of the conflict between the White House and DOJ counsel in March 2004, which included the scene in Ashcroft’s hospital room where, having disregarded his wife’s request that her husband was too ill, White House Chief of Staff Andy Card and White House counsel Alberto Gonzales still tried to pressure Ashcroft into signing a reauthorization of the program.

Later in the report, the DOJ OIG concluded that

the White House’s strict controls over DOJ access to the PSP undermined DOJ’s ability to perform its critical legal function over the PSP’s early phase of operation.

The report also indicated that because Ashcroft would not be interviewed, it was unclear whether he had aggressively pursued getting more staff read into the program when the White House did not approve of Ashcroft’s chief of staff, David Ayres, and Deputy Attorney General Larry Thompson being read in.

The report also criticized Alberto Gonzales for providing testimony to Congress that was

confusing, inaccurate, and had the effect of misleading those who were not knowledgeable about the program.

Overall, the impression given is that by restricting details of the program to one and only one person in the OLC who would be likely to be sympathetic to the President’s views, the White House was able to produce “paper” justifying the program until March 2004 by which time others who had been read into the program raised serious doubts about the legality of the program.

Unfortunately, the public still has no court ruling on important issues such as whether the President’s Article II powers trump FISA. If the courts would stop tossing out lawsuits based on the “state secrets” defense, maybe we’d get an answer. If we don’t, then eventually we may find ourselves in a similar situation.

Update/Related: See NY Times coverage, as well as Washington Post. I’m sure everyone will have something to say on the report.

This could get interesting, or Facebook could back away immediately. gets in Facebook’s face

July 10, 2009 by Dissent Filed under Businesses, Court, Featured Headlines, Internet is fighting back against Facebook’s lawsuit (pdf). Today, filed a response and countersuit (pdf).

In the filing, claims that some of the actions attributed to by Facebook, such as sending out emails to contacts, actually were the doing of Facebook itself and that it was Facebook itself which inserts the Facebook email address and “team” sig line. The filing also claims that Facebook is essentially complaining about doing exactly what Facebook does. Facebook allows users to import contacts from other email accounts but is seemingly trying to block from also serving an aggregator function.

Dismissing Facebook’s copyright and trademark infringement claims in relatively short order by pointing out that Facebook does not provide even one element to support its claims, focuses on user ownership of and control of data, and asserts that everything it is doing is done with the content owner’s consent — unlike Facebook, it says, which is allegedly trying to stop its users from exerting such control if they wish to use’s service.

Jason Kincaid of TechCrunch provides a recap of the lawsuits to date and his perspective on the lawsuits.

Facebook did not respond to a request for a comment on’s filing or lawsuit by the time of publication.

(Related) I don't see much new...

July 10, 2009

Research Institute Releases Primer on Internet Privacy

News release: "The Pacific Research Institute (PRI) announced the release of a new report on Internet privacy and security. Click Confidential: A Privacy Primer for the Social Web, authored by Daniel Ballon, Ph.D., PRI senior fellow in technology studies, outlines the detrimental effects of government regulated privacy policy on emerging online businesses. He also provides effective strategies for empowering consumers while promoting choice and competition."

Another “nothing new”

July 10, 2009

National Security Inspectors General Release Critique of Warrantless Surveillance Program

News release: Today’s release of a report by several agency inspectors general reinforces the National Security Archive’s argument in our Freedom of Information Act lawsuit that the Justice Department should declassify and release the legal justifications for the surveillance program authorized by President Bush after the terrorist attacks of September 11, 2001. The new report from the inspectors general of the Department of Defense, Department of Justice, Central Intelligence Agency, National Security Agency, and Office of the Director of National Intelligence, criticizes the OLC memoranda that were used to justify warrantless surveillance of US citizens, several of which remain secret and are subject to the Archive’s lawsuit. The IGs state that there were “deficiencies” in the OLC memos, drafted by Deputy Assistant Attorney General John Yoo, and that the memos “raise[d] serious concerns” at DOJ because they omitted analysis of key cases and legal provisions and were not subject to the ordinary “rigorous peer review process.”

Sometimes I just like to remind you that I do have a great grasp of the obvious. I've been saying for years that there is no need to own media if the cost (buying, storing, upgrading) is greater than the cost of viewing movies (songs, archives) 'on demand'.

July 10, 2009

Has the Swan Song of the DVD Begun?

The Economist: "TEN years ago DVDs rejuvenated the film business, encouraging people to own films rather than simply watch them. But sales, which began declining gradually in 2006, are now falling more steeply. Around a third of the drop in the first quarter was counteracted by rising sales of high-definition Blu-ray discs, which are more profitable. Meanwhile, rentals are booming. Redbox, which rents films cheaply from self-service kiosks, has been adding machines at the rate of more than 500 per month. For the studios it is much more profitable to stream a film digitally or sell it through a cable operator as a video-on-demand (VOD)."

(Related?) A business model the RIAA will absolutely hate.

Trent Reznor: 'So you want to make money on the Web'

by Matt Asay July 10, 2009 8:04 AM PDT

For those who have yet to grok the Open Core business model, Trent Reznor of Nine Inch Nails fame will sing it to you. In a series of forum entries, Reznor explains exactly how to build a music business on the Web and, in the process, classically defines Open Core, the primary business model for open-source software, too.

Reznor writes:

Forget thinking you are going to make any real money from record sales. Make your record cheaply (but great) and GIVE IT AWAY. As an artist you want as many people as possible to hear your work. Word of mouth is the only true marketing that matters.

… Then, offer a variety of premium packages for sale and make them limited editions/scarce goods. Base the price and amount available on what you think you can sell. Make the packages special--make them by hand, sign them, make them unique, make them something YOU would want to have as a fan.

For my website students (Get a “.INFO” domain name for $0.99)


Domparison is a domain name price comparison search engine. We search domain registrars to find the cheapest domain prices so that you don't have to. Simply select which domain extension you want and the type of price you want (e.g. register, renew or transfer) and the lowest domain name prices for registration, renewal or transfers will be displayed.

Have I listed this one before?

JDSupra: Database of Legal Documents Shared By Lawyers

JDSupra is a database of legal documents shared by lawyers. For legal professionals it's a platform to reach a wider audience by uploading their work and get credited for their expertise and experience. For consumers it’s a way to find a lawyer to represent them in court who has worked on similar cases with a proven record of success.

Friday, July 10, 2009

Is this good news or bad news?

New Law Floods California With Medical Data Breach Reports

By Kim Zetter July 9, 2009 3:24 pm

California officials have received more than 800 reports of health data breaches in the first five months after a new state law went into effect January 1.

The law requires health care organizations in California to report suspected incidents of intentional and unintentional unauthorized breaches of a patient’s personally identifiable health information to the California Department of Public Health.

The agency, however, says it was surprised by the large number of reports it received in such a short period, according to the Journal of the American Health Information Management Association, and expects that number to increase dramatically as organizations become more familiar with the reporting procedures.


Johnson, et al. v Microsoft: Court Docs on Motion Ruling IP Address Does Not Equal PII

Posted on July 9th, 2009 by David Navetta Filed under: IP address, PII, personally identifiable information, privacy

For those interested in digging deeper into the recent ruling in the UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF WASHINGTON, SEATTLE DIVISION that IP addresses do not constitute “personally identifiable information,” I have compiled all of the relevant pleadings, motions, and response/reply/surreply briefs for your viewing pleasure….

Everyone does it, but unless they publish how would we know?

UK police won’t reopen phonetap case

July 9, 2009 by Dissent Filed under Businesses, Non-U.S.

British police said on Thursday they would not reopen investigations into the interception of celebrities’ mobile phone voicemails by journalists, despite new allegations against a Rupert Murdoch newspaper.


Assistant Commissioner John Yates of the Metropolitan Police said the original probe had concluded that phone tapping had occurred in only a minority of cases. All those victims had been informed, he said.

‘Their potential targets may have run into hundreds of people, but our inquiries showed that they only used the tactic against a far smaller number of individuals,’ Yates said.

‘No additional evidence has come to light since this case has concluded. I therefore consider that no further investigation is required.’


Times Online has the full text of John Yates’ statement.

(Related) We call it “pretexting”

ICO statement about media blagging

July 10, 2009 by Dissent Filed under Non-U.S.

This is the full text of the statement by Mick Gorrill, Assistant Information Commissioner, yesterday:

“People care about their personal privacy and have a right to expect that their personal details remain confidential. Who they are, where they live, who their friends and family are, how they run their lives: these are all private matters. Individuals may choose to divulge such information to others, but information about them held confidentially should not be available to anyone prepared to pay the right price.

“The Information Commissioner’s Office (ICO) exposed the widespread media involvement in illegally obtaining personal information in its reports What Price Privacy? and What Price Privacy Now? The ICO named some of the UK’s newspapers and magazines which bought people’s personal information in search of a story.

“Following a court order in 2008 we made available a copy of some information, from our investigation into the buying and selling of personal information, to lawyers acting on behalf of Gordon Taylor. This included material that showed that 31 journalists working for The News of the World and The Sun had acquired people’s personal information through blagging.”

The links below take you to two reports, What Price Privacy? and What Price Privacy Now? which set out more information.

All politicians lie.

Jewel v. NSA back in court next week

July 9, 2009 by Dissent Filed under Court, Govt, Surveillance, U.S.

Leave a Comment

… EFF brought the suit on behalf of Carolyn Jewel, a California database administrator who is an AT&T customer, and other AT&T customers.

… To the disappointment of most privacy advocates and civil libertarians, despite President Obama’s statements during his campaign about his views of the warrantless surveillance program, his administration adopted the Bush administration’s position that the courts cannot judge the legality of the National Security Agency’s (NSA’s) warrantless wiretapping program. In April, the administration filed a motion to dismiss (pdf) Jewel v. NSA [background and documents], arguing that the litigation would require it to disclose “state secrets.”

Fortunately, politicians know nothing about technology (and can't understand/won't listen to those who do.) Be Warned: It will happen here!

Hackers Undermine Piracy Evidence With Hadopi Router

Written by enigmax on July 09, 2009

Yesterday we reported that a provision in the revamped French “3 strikes” bill will allow for the punishment of ISP account holders for the copyright infringing actions of others. Now a group of hackers has set out to compromise WiFi routers en masse, in order to create an environment of plausible deniability.

… Aside from punishing actual file-sharers, the bill allows the courts to take measures against people who have done no sharing, but are accused simply because they are the one paying the ISP bill. If the court decides that an account holder is guilty of “negligence” - by somehow allowing others to file-share on their connection - it is within a judge’s power to issue a fine up to 1,500 euros along with a 4 week disconnection.

… A hacker known only as ‘N’ says he has developed some software known as ‘Hadopi Router’.

… “It locates Wi-Fi networks in the neighborhood, then begins to crack all their passwords,” says ‘N’. “Once we have the keys, we can create a virtual access point,” which in basic terms means using the Internet connection without the account holder’s knowledge.

… An IP address does not necessarily identify an individual, in fact one could argue that in many instances these days it doesn’t even identify a computer but merely a gateway to a sub network, behind which could be any number of individuals not linked in any way to a bill payer.

For the first time, 50% of Americans use the Internet every day.

Daily Internet Activities, 2000-2009

When the government screws up provides health care, numbers like these will become part of premium calculation, which will cause mass migration from fatter states to Colorado, which will cause our premiums to rise. We need to control our borders!

July 09, 2009

CDC: U.S. Obesity Trends 1985–2008

U.S. Obesity Trends 1985–2008: "Obesity is defined as a body mass index (BMI) of 30 or greater. BMI is calculated from a person’s weight and height and provides a reasonable indicator of body fatness and weight categories that may lead to health problems. Obesity is a major risk factor for cardiovascular disease, certain types of cancer, and type 2 diabetes. During the past 20 years there has been a dramatic increase in obesity in the United States. In 2008, only one state (Colorado) had a prevalence of obesity less than 20%. Thirty-two states had a prevalence equal to or greater than 25%; six of these states (Alabama, Mississippi, Oklahoma, South Carolina, Tennessee, and West Virginia) had a prevalence of obesity equal to or greater than 30%."

Perhaps they will use this database to “prove” how much they have reduced crime?

LAPD's public database omits nearly 40% of this year's crimes

The map, touted as a way for residents to monitor the safety of their neighborhoods, doesn't include about 19,000 serious crimes reported in other LAPD data. Officials say they're looking into it.

By Ben Welsh and Doug Smith July 9, 2009

The Los Angeles Police Department's online crime map intended for public use has failed to include nearly 40% of serious crimes reported in the city, a Times analysis has found.

The omissions, which date back at least six months, include thousands of crimes known to LAPD officials and are included in their official crime statistics.

We're the government. We have no idea how to give money away...

US Seeks Volunteers To Review Broadband Grant Applications

Posted by timothy on Thursday July 09, @04:07PM from the low-expertise-worries-me-less-than-poor-incentives dept.

BobB-nw writes with this excerpt from Network World:

"The US National Telecommunications and Information Administration, scheduled to distribute $4.7 billion in broadband deployment grants over the next 15 months, will count on volunteers to review grant applications. The NTIA, in a document released this week, asks for people to apply to become volunteer reviewers of the broadband grants. The NTIA's broadband grant program is part of $7.2 billion that the US Congress approved for broadband in a huge economic stimulus package approved earlier this year. ... It's 'a little scary' that volunteers will have the power to accept and reject broadband applications, said Craig Settles, an analyst and president of consulting firm Volunteers may have limited expertise, or they may have biases that aren't evident to the NTIA, he said."

Do you have something to add or are you content to let me help define Global Computing Policy for the next few years?

Cloud computing perspectives and questions at the World Economic Forum

by Andy Oram| @praxagora

The World Economic Forum started a research project at Davos 2009 concerning cloud computing, which they broadly define to include all kinds of remote services, from Software as a Service to virtual machines.

I was asked to provide some ideas on the implications of cloud computing for business as well as its future operating environment. To allow my colleagues and the O'Reilly community to help define the issues and provide references, I've put up a discussion forum as a wiki. Anyone with relevant and valid ideas can suggest points. I don't even mind people listing their businesses and information sources, so long as the information is relevant and is directed toward the larger educational goal of the wiki.

Tools & Techniques If most of your search results are in PDFs, this might be useful.

PDFind: PDF Document Search Engine

… This site is in many ways similar to previously profiled PDF search tools (PDFgeni, PDF and Ebook Search Engine, and Data-Sheet)

You can also check out our related article “3 Excellent Sites to Get Free Document Templates” profiling more resources for finding documents.

Tools & Techniques For those of you who hate reading online?

PDFNewspaper: Web Page To PDF Converter

… The application can extract text content from provided URLs and RSS feeds and present it in an easy to read printable format.

To use PDFNewspaper you can either go to the site and create a PDF by entering the URL, or use the provided bookmarklet that allows you to convert any webpage you are on with a single click.

Similar websites: HTML 2 PDF and HTML to PDF Converter.

Geeks use chainsaws to open those heavy-plastic-encased packages of parts & accessories.

Meet the USB Powered Chainsaw: Cut Wood While Updating Your Facebook

Thursday, Jul. 9 2009 @ 1:00PM By Alexia Tsotsis in Tech, Weird

Boss got you thirsty for blood? Need a way to cut trees while still remaining active on Digg? Really into bringing weapons to the office? Attention Dwight Shrute -- we know what you're getting for Christmas...

Meet the iSaw, the world's first USB powered chainsaw. Yes, you read that right. Lamenting that "current materials used on bodies of chainsaws are too heavy for office use" the vanguards of innovation over at figured out how to get a USB 2.0 port to power sharp chains for all your office-based wood cutting needs.

Thursday, July 09, 2009

Something to consider as all our health records go online.

Alberta Health records hit by virus

July 8, 2009 by admin Filed under Breach Incidents, Healthcare Sector, Malware, Non-U.S., Of Note

The Office of the Information and Privacy Commissioner has been notified by Alberta Health Services that a virus was present on the Alberta Health Services network in Edmonton. The virus impacted the network and Netcare, Alberta’s electronic health record, before it was discovered and removed.

The virus is a new variant of a Trojan horse program called coreflood and is designed to steal data from an infected computer and send it to a server controlled by a hacker. Coreflood captures passwords and data the user of the computer accesses. The virus was active from May 15 to 29 before it was detected and removed.

AHS identified two groups who are potentially at risk. Patients whose health information was accessed in Netcare through an infected computer and employees who accessed personal banking and email accounts from work using an infected computer. AHS is sending letters to the 11,582 patients whose information may have been exposed and has notified all affected employees.

Commissioner Frank Work says this does not necessarily mean Netcare itself has been infected by the virus; rather the virus may have captured patient data accessed through Netcare from an infected computer and sent it to an external party. [Important distinction. The application can be very secure, but if the entire processing environment isn't as secure, someone can tap in at the weakest point. Bob] “While it appears the risk to patients is low, viruses don’t discriminate and this is an important message to everyone about the need to run up to date anti virus software”, says the Commissioner.

The Commissioner’s office is investigating. In the meantime Work is expecting a full forensic report from Alberta Health Services on how this happened and what steps will be taken to prevent future breaches. Work says “AHS responded quickly when the virus was detected and that steps have been taken to notify users and patients with advice on what they should do to protect personal and health information”.

Source: Office of the Information and Privacy Commissioner of Alberta

No statement appears on the Alberta Health Services site as of the time of this posting.

The legal side is outlined. Is that all there is?

PCI DSS Incident Response: The Legal Perspective

Posted on July 8th, 2009 by David Navetta Filed under: TJX, breach notice, credit cards

The SANS Institute InfoSec Reading Room recently published an article by Christian J. Moldes entitled PCI DSS and Incident Handling: What is required before, during and after an incident. Moldes’ whitepaper is a good starting point for developing an incident response plan to address payment card security breaches. The paper hits upon the key aspects of payment card security breach handling from an information security professional’s point of view. The paper, however, speaks little of the legal implications of a payment card security breach, and the incident response considerations that arise out of those implications.

Does Microsoft have a “duty to disclose” bugs in its software? (Ask a Class Action lawyer?)

Microsoft may have known about critical IE bug for months

Researchers uncovered latest bug in 2007; Microsoft mum on timing

By Gregg Keizer July 7, 2009 02:31 PM ET

Computerworld - The vulnerability that sent Microsoft scrambling yesterday and is being used by hackers now to attack Internet Explorer (IE) users may have been reported 18 months ago or more.

… The CVE (Common Vulnerabilities and Exposures) number for the vulnerability -- CVE-2008-0015 -- points to a possible early 2008 reporting date. According to the database, the CVE number was reserved on Dec. 13, 2007.

Remember, North Korea has a division of hackers in its army. And since they still consider pigeons high-tech communications, how can we retaliate – short of Nuking them?

Cyberattacks hit U.S. and South Korean Web sites

By Choe Sang-Hun The New York Times July 8, 2009 5:50 AM PDT

SEOUL, South Korea--Cyberattacks that have crippled the Web sites of several major American and South Korean government agencies since the July 4th holiday weekend appear to have been launched by a hostile group or government, South Korea's main government spy agency said on Wednesday.

Although the National Intelligence Service did not identify whom they believed responsible, the South Korean news agency Yonhap reported that the spy agency had implicated North Korea or pro-North Korea groups. [There are pro-North Korea groups? Bob]

… In the attack, an army of thousands of "zombie computers" infected by the hackers' program were ordered to request access to these Web sites simultaneously, causing an overload that caused the sites' servers to crash, South Korean officials said.

Although most of the North Korean military's hardware is decrepit, the South Korean authorities have recently voiced their concern over possible cyberattacks from the North. In May, South Korean media reported that North Korea was running a cyberwarfare unit that operates through the Chinese Internet network and tries to hack into American and South Korean military networks.
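The attack described above is a request flood from thousands of distinct infected hosts. One server-side way to spot that pattern in ordinary access logs, added here as an example that is not part of the Times story or any agency's tooling, is to learn a per-second request baseline from a quiet period and then flag seconds where both the request rate and the number of distinct source addresses jump. The log lines below are constructed for the example (documentation-range addresses), and the thresholds are assumptions to be tuned per site.

```python
"""Per-second flood detector over Common Log Format lines (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Standard Common Log Format: ip ident user [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def fmt(ip, ts, path):
    """Render one constructed log line in Common Log Format."""
    return f'{ip} - - [{ts.strftime(TIME_FMT)}] "GET {path} HTTP/1.1" 200 512'


def build_sample_log():
    """Constructed sample: one quiet minute, then a ten-second flood."""
    lines = []
    t0 = datetime(2009, 7, 7, 12, 0, 0, tzinfo=timezone.utc)
    # Quiet minute: two requests per second from five regular clients.
    for sec in range(60):
        for k in range(2):
            ip = f"192.0.2.{(sec * 2 + k) % 5 + 1}"
            lines.append(fmt(ip, t0 + timedelta(seconds=sec), "/index.html"))
    # Flood: ten seconds, fifty previously unseen hosts per second,
    # all requesting the same front page at once (500 distinct hosts).
    for sec in range(60, 70):
        for k in range(50):
            ip = f"10.{sec - 60}.{k}.7"
            lines.append(fmt(ip, t0 + timedelta(seconds=sec), "/"))
    return lines


def parse_line(line):
    """Return (source_ip, timestamp) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _req, _status, _size = m.groups()
    return ip, datetime.strptime(ts, TIME_FMT)


def detect_flood(lines, learn_seconds=30, factor=10, min_distinct=20):
    """Learn a baseline from the first `learn_seconds` active seconds, then
    flag later seconds whose request count exceeds factor * baseline and
    which involve at least `min_distinct` distinct source addresses."""
    per_sec_req = Counter()
    per_sec_ips = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the run
        ip, ts = parsed
        sec = ts.replace(microsecond=0)
        per_sec_req[sec] += 1
        per_sec_ips[sec].add(ip)

    seconds = sorted(per_sec_req)
    if not seconds:
        return {"baseline": 0.0, "flood_seconds": [], "attacking_hosts": 0}
    learn = seconds[:learn_seconds]
    # Floor the baseline at one request/second so an idle learning window
    # does not turn every later request into an alert.
    baseline = max(1.0, sum(per_sec_req[s] for s in learn) / len(learn))
    flood = [s for s in seconds[learn_seconds:]
             if per_sec_req[s] > factor * baseline
             and len(per_sec_ips[s]) >= min_distinct]
    hosts = set().union(*(per_sec_ips[s] for s in flood)) if flood else set()
    return {"baseline": baseline, "flood_seconds": flood,
            "attacking_hosts": len(hosts)}


if __name__ == "__main__":
    report = detect_flood(build_sample_log())
    print(f"baseline {report['baseline']:.1f} req/s, "
          f"{len(report['flood_seconds'])} flood seconds, "
          f"{report['attacking_hosts']} distinct attacking hosts")
```

Requiring both conditions matters: a single noisy client tripping the rate test is a different problem (and is handled by per-client limits), while the many-distinct-sources signature is what distinguishes a botnet flood from a legitimate traffic spike from a few sources.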

Surprise! Surprise! Surprise!

State Dept lost track of its laptops

July 8, 2009 by admin Filed under Commentaries and Analyses, Of Note

The State Department does not have an accurate accounting of its laptop computers, including ones meant for classified use, and has failed to encrypt machines [Deadline was July 1 last year! Bob] as it is supposed to do to protect sensitive information, according to a new report by the department’s inspector general.

Inspectors found that 27 laptops, worth $55,000 were missing out of a sample of 334 from four State Department bureaus.

“Because the content and the encryption status of the missing laptop computers are unknown, there is a risk that PII (Personally Identifiable Information) and other sensitive Department information may be susceptible to unauthorized access and use,” it says.

Read more on McClatchy.

[From the article:

More than half the machines tested were not encrypted, including some used for classified information.

An argument to watch? Is the competition worth more than vague future concerns?

Google’s new OS raises privacy concerns

July 8, 2009 by Dissent Filed under Featured Headlines, Internet

Google’s announcement Tuesday that it is developing an open-source operating system raised questions among privacy advocates about the amount of personal data Google will be able to collect.

Google already collects private data through products like its search engine and its Gmail e-mail service, as well as its AdSense advertising service. The Chrome operating system, to be rolled out on netbook computers next year, gives the company another avenue to collect and monetize personal information, privacy advocates said Wednesday.

Read more on PC World.

Interesting video if you have time... Not at all sure I agree.

July 08, 2009

Commentary: The Newsweekly’s Last Stand

Why The Economist is thriving while Time and Newsweek fade, by Michael Hirschorn, The Atlantic, July/August 2009

  • "Newsweek’s recent decision to get out of the news-digesting business and reposition itself as a high-end magazine selling in-depth commentary and reportage follows Time magazine’s emergency retrenchment along similar lines. It accelerates a process by which the 76-year-old weekly will purposely reduce its circulation from 2.7 million to a bit more than half of that. (Its circulation was nearly 3.5 million in 1988.) Likewise, Time’s circulation, which 20 years ago was close to 5 million, is now at 3.4 million. Both newsweeklies are seeking to avoid the fate of U.S. News & World Report, which after years (decades?) of semi-relevance gave up on the idea of weekly publication entirely."

[From the Article:

Given that even these daily digests are faltering, how is it that a notionally similar weekly news digest—The Economist—is not only surviving, but thriving? Virtually alone among magazines, The Economist saw its advertising revenues increase last year by double digits—a remarkable 25 percent, according to the Publisher’s Information Bureau. Newsweek’s and Time’s dropped 27 percent and 14 percent, respectively.

Fortunately, I don't use that newfangled stuff.

Embedding a YouTube Video May Cost You a Bundle in ASCAP Bills

By Ryan Tate, 3:46 PM on Wed Jul 8 2009,

Fresh off a court victory against Google's YouTube, ASCAP tells us it is setting its sights on users of the video-sharing site.

A huge tiny business. A whole lot of small can make a big.

July 08, 2009

New survey identifies top risks facing microfinance industry

CSFI - Centre for the Study of Financial Innovation: "The resilience of the global microfinance industry will be put to the test by the economic crisis, according to a new survey of the risks to the business, Microfinance Banana Skins 2009, by David Lascelles and Sam Mendelson. Far from being insulated from the economic mainstream as traditionally thought, microfinance could face a fall in growth [from 25% a year? Sounds inevitable! Bob] and funding because of the global recession and declining investor confidence. This will present the industry with its first major stress test since it emerged in recent decades as a fast-growing provider of small-scale financial services to the world's poor... The survey, published by the CSFI and sponsored by Citi Foundation and the Consultative Group to Assist the Poor (CGAP) and supported by the Council of Microfinance Equity Funds (CMEF), was designed to identify and rank the main risks, or "Banana Skins" facing the industry at a time of economic crisis and change. It reflects the views of more than 400 practitioners, investors, regulators and analysts in 82 countries."

[From the report:

Originally a small-scale, philanthropic movement to provide credit to the neediest, microfinance (MF) has grown enormously in recent years and is now firmly established as a major supplier of a wide range of financial services to millions of people around the world. The 1,200 microfinance institutions (MFIs) that report to the Microfinance Information eXchange (MIX) have 64m borrowers and 33.5m savers, and numbers are growing by 25 per cent a year, more in some countries. Total assets of these MFIs amount to $32bn.

We need to develop a “Porta-potty/renewable energy” business model. Quick

Can Urine Rescue Hydrogen-Powered Cars?

Posted by timothy on Wednesday July 08, @02:43PM from the use-every-part-of-the-animal dept.

thecarchik writes with this interesting excerpt:

"It takes a lot of energy to split hydrogen out from the other atoms to which it binds, either in natural gas or water. Which means energy analysts are skeptical about the overall energy balance of cars fueled by hydrogen. Ohio University researcher Geraldine Botte has come up with a nickel-based electrode to oxidize (NH2)2CO, otherwise known as urea, the major component of animal urine. Because urea's four hydrogen atoms are less tightly bound to nitrogen than the hydrogen bound to oxygen in water molecules, it takes less energy to break them apart."

Tools & Techniques Might be useful in several contexts...

Archive your e-mail from almost any account

by Jessica Dolcourt July 8, 2009 5:15 PM PDT

I have thousands of e-mail messages in my corporate Outlook in-box, and thousands more in Gmail and in my ancient Hotmail account. MailStore Home is a free program that can archive them all locally, and display those archives in an interface that reads like your Outlook in-box.

Why use it? You can clear away old messages and attachments, but easily search to find them again when that inevitable moment arrives. Until universal offline in-boxes like Yahoo's Zimbra Desktop start addressing consumers on a wider scale, MailStore Home is also a good way to read mail offline in areas of spotty Wi-Fi, or to use as a de facto message backup.

Tools & Techniques (In case one didn't come with your e-Discovery suite...)

FineReaderOnline: Web Based Image Text Extractor

FineReaderOnline is a new web-based image text extractor with which you can extract text from a scanned image in a variety of formats (BMP, PCX, DCX, JPEG/JPEG2005, PNG and TIFF/TIF) and convert it into commonly used editable document formats such as Microsoft Word, Excel, RTF, TXT, or PDF.

Similar apps: Free-OCR and OCRTerminal.

Cheat Sheets I can tell my students about...

5 Essential Google Cheat Sheets Which Surely Will Come in Handy

Posted on July 7, 2009 under Cheatsheet, Web Development

A cheat sheet is a reference tool that provides simple, brief instructions for accomplishing a specific task.

Wednesday, July 08, 2009

Today's theme seems to be the increasing sophistication of hacker gangs.

Hackers Decrypt Encrypted Data?

July 8, 2009 by admin Filed under Business Sector, Hack, ID Theft, Non-U.S.

Meanwhile, in Manila, the Manila Bulletin Publishing Corp. reports:

The National Bureau of Investigation (NBI) started expanding its probe into the credit card fraud after uncovering that the arrested Nigerians had managed to hack the merchant website to get vital information on the credit card holders.


Last Friday, agents of the National Bureau of Investigation (NBI) arrested four Nigerians engaged in purchasing plane tickets through fraudulently acquired credit cards in an operation in Cavite.


Mallari said the arrested Nigerians and other syndicates engaged in the credit card fraud were able to hack the merchant website.

“Information in the merchant website is encrypted and the internet hackers managed to decrypt the info. Of course not all info in the merchant web can easily be accessed by syndicates, like the big companies, because they have measures to protect their clients, but in some instances the syndicates succeed in decrypting the info,” said Palmer.

The remainder of the story is a bit difficult for me to understand. If anyone would like to read the whole thing and then summarize, that would be nice.

Small, but interesting. Sounds like an amusing project for my Math students... Identify the range of numbers your bank (any card issuer) uses and then generate a few dozen valid numbers. My usual 10% guarantees an “A”. Best Practice would be a truly random number, but with hundreds of issuers, that could cause duplicates...

ID Theft Case in Japan

July 7, 2009 by admin Filed under ID Theft, Malware, Non-U.S., Other

It’s unusual for me to see an ID theft report coming out of Japan. There was the report last year involving Yahoo! Japan, but other than that, I’m hard-pressed to think of any cases offhand. Today’s Yomiuri Shimbun, however, reports one such case:

The Metropolitan Police Department arrested Chizuru Asahi, 21….. She allegedly used other people’s credit card numbers she illicitly obtained through card-generation malware called CreditMaster. [Another useful crook-tool! Bob]


During a search of her house, the police seized eight credit cards issued under other people’s names.

Asahi was quoted by the police as saying, “We identified credit card numbers [originally issued] for more than 60 people based on these [eight] credit cards.”


This is the first time in Japan that a person has been charged in connection with a CreditMaster scheme, the Japan Credit Card Association said.

According to the association, credit card numbers are basically set sequentially based on a specific protocol created by individual credit companies.

The CreditMaster fraud scheme allows existing credit card numbers to be illicitly identified with computer software based on an existing number by making calculations based on the number of the base card, excluding a specific set of numerals with which the credit card company can be identified.

(Related?) What do you bet that they also generate account numbers based on a simple algorithm...

eMoney Transfer Customer Data Accessed

July 7, 2009 by admin Filed under Breach Incidents, Financial Sector, Of Note, U.S., Unauthorized Access

MoneyGram International has notified the Vermont Attorney General’s Office of a breach affecting some customers using MoneyGram Payment System’s eMoney Transfer system.

According to the letter dated June 29, during routine security checks, the company discovered that some customers’ accounts had been accessed by unauthorized individuals. The company insists, however, that there was no security breach on their end. The letter from Debra Guertin, MoneyGram’s Privacy Officer, said:

The access was not a result of breakdown in MoneyGram’s security controls. Although we have investigated thoroughly and contacted law enforcement, we do not know how the criminals obtained the customers’ login information.

The unauthorized access may have exposed the customers’ names, addresses, phone numbers, transaction history, and last four digits of a masked credit card number. As a preventive measure, the company blocked access to those accounts and wrote to affected customers to ask them to call in and change their password to unblock their accounts. Customers were also offered a discounted rate on a subscription to services through Equifax.

Three Vermont residents were notified of the breach. The total number affected was not reported.

Very slick. By routing through the victim's link, the bank would see the correct IP address of their customer.

PC Invader Costs a Kentucky County $415,000

Posted by kdawson on Tuesday July 07, @07:26PM from the don't-be-stupid-out-there dept.

plover recommends a detailed account by Brian Krebs in the Washington Post's Security Fix column of a complex hack and con job resulting in the theft of $415,000 from Bullitt County, Kentucky.

"The crooks were aided by more than two dozen co-conspirators in the United States, as well as a strain of malicious software capable of defeating online security measures put in place by many banks. ...the trouble began on June 22, when someone started making unauthorized wire transfers of $10,000 or less from the county's payroll to accounts belonging to at least 25 individuals around the country... [T]he criminals stole the money using a custom variant of a keystroke logging Trojan known as 'Zeus' (a.k.a. 'Zbot') that included two new features. The first is that stolen credentials are sent immediately via instant message to the attackers. But the second, more interesting feature of this malware... is that it creates a direct connection between the infected Microsoft Windows system and the attackers, allowing the bad guys to log in to the victim's bank account using the victim's own Internet connection."
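Because the Zeus variant above relays the fraudulent session through the victim's own machine, the bank cannot rely on a mismatched source IP to catch it; the transaction pattern the story describes is a better signal: a burst of wire transfers each kept under $10,000 and each sent to a payee the account has never paid before. The detector below, an added example and not code from Security Fix, Bullitt County, or any bank, flags that pattern over a constructed ledger; the threshold, the "just under" band, the window and the burst size are assumptions a bank would tune to its own data.

```python
"""Flag bursts of near-threshold transfers to first-time payees (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger: (timestamp, account, payee, amount_usd).
# Two routine vendor payments, then a burst of six sub-$10,000 transfers to
# payees the payroll account has never used, then another routine payment.
SAMPLE_TRANSFERS = [
    ("2009-06-15 09:00", "payroll", "ACH-VENDOR-A", 4200.00),
    ("2009-06-15 09:05", "payroll", "ACH-VENDOR-B", 18500.00),
    ("2009-06-22 10:01", "payroll", "NEW-0001", 9900.00),
    ("2009-06-22 10:02", "payroll", "NEW-0002", 9850.00),
    ("2009-06-22 10:03", "payroll", "NEW-0003", 9700.00),
    ("2009-06-22 10:04", "payroll", "NEW-0004", 9950.00),
    ("2009-06-22 10:06", "payroll", "NEW-0005", 9600.00),
    ("2009-06-22 10:07", "payroll", "NEW-0006", 9990.00),
    ("2009-06-23 08:30", "payroll", "ACH-VENDOR-A", 4300.00),
]

THRESHOLD = 10_000.00   # the amount the transfers stayed at or below
NEAR_BAND = 0.10        # "just under" = within 10% of the threshold (assumed)
WINDOW = timedelta(hours=1)
MIN_BURST = 5           # alert when at least this many land in one window


def parse(records):
    """Convert the string timestamps into datetimes."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), acct, payee, amt)
            for ts, acct, payee, amt in records]


def flag_structured_bursts(records, threshold=THRESHOLD, band=NEAR_BAND,
                           window=WINDOW, min_burst=MIN_BURST):
    """Return alerts as (account, burst_start, count, total_usd).

    A transfer is a candidate when its amount sits in [threshold*(1-band),
    threshold] and its payee has never been paid from that account before.
    Candidates are then grouped per account into windows of `window` length,
    and any window holding at least `min_burst` candidates becomes an alert.
    """
    transfers = sorted(parse(records))
    lower = threshold * (1 - band)
    seen = defaultdict(set)           # payees already paid, in time order
    candidates = defaultdict(list)    # account -> [(ts, amount)]
    for ts, acct, payee, amt in transfers:
        first_time = payee not in seen[acct]
        seen[acct].add(payee)
        if first_time and lower <= amt <= threshold:
            candidates[acct].append((ts, amt))

    alerts = []
    for acct, hits in candidates.items():
        i = 0
        while i < len(hits):
            start = hits[i][0]
            j = i
            while j < len(hits) and hits[j][0] - start <= window:
                j += 1
            if j - i >= min_burst:
                total = sum(a for _, a in hits[i:j])
                alerts.append((acct, start, j - i, round(total, 2)))
                i = j          # one alert per burst, not one per transfer
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for acct, start, n, total in flag_structured_bursts(SAMPLE_TRANSFERS):
        print(f"{acct}: {n} near-threshold transfers to new payees "
              f"starting {start:%Y-%m-%d %H:%M}, total ${total:,.2f}")
```

The first-time-payee test is what keeps routine payroll runs quiet: a legitimate batch also clusters in time, but it goes to payees the account has paid before. Holding such bursts for out-of-band confirmation (a phone call to a known number, not a message to the possibly compromised workstation) is the mitigation the story implies.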

Why would the cellphone companies need to know where you are? They could count the number of calls at each cell (without identifying users) if they needed to determine the load on their system. What business purpose is served by knowing who is where?

Cellphones Increasingly Used As Evidence In Court

Posted by kdawson on Wednesday July 08, @09:02AM from the we-know-where-you-were-last-summer dept.

Hugh Pickens writes

"The NY Times reports that the case of Mikhail Mallayev, who was convicted in March of murder after data from his cellphone disproved his alibi, highlights the surge in law enforcement's use of increasingly sophisticated cellular tracking techniques to keep tabs on suspects before they are arrested and build criminal cases against them by mapping their past movements. But cellphone tracking is raising concerns about civil liberties in a debate that pits public safety against privacy rights. Investigators seeking warrants must provide a judge with probable cause that a crime has been committed, but investigators often obtain cell-tracking records under lower standards of judicial review — through subpoenas, which are granted routinely, or through an intermediate type of court order based on an argument that the information requested would be relevant to an investigation. 'Cell phone providers store an increasing amount of sensitive data about where you are and when, based on which cell towers your phone uses when making a call. Until now, the government has routinely seized these records without search warrants,' said EFF Senior Staff Attorney Kevin Bankston. Last year the Federal District Court in Pittsburgh ruled that a search warrant is required even for historical phone location records, but the Justice Department has appealed the ruling. 'The cost of carrying a cellphone should not include the loss of one's personal privacy,' said Catherine Crump, a lawyer for the ACLU."

Reinforces a lot of my views. Politicians can't understand everything so they rely on the bureaucrats to tell them what their policy should be. (Presidents may change but bureaucracies live forever.)

Obama’s cyber plan raises privacy hackles

July 8, 2009 by Dissent Filed under Govt, Internet, Surveillance, U.S.

Andy Greenberg of Forbes discusses the initial concerns and reactions of privacy advocates to Obama’s cybersecurity plan. Concerns kicked into higher gear last week with news about NSA involvement in monitoring government traffic on private sectors and the Einstein 3 program. Greenberg reports:

While the concerns over privacy and the NSA are valid, they could hamper the progress of the Obama administration’s cyber plan, says James Lewis, director of the Center for Strategic and International Studies, which authored an influential paper aimed at shaping the president’s thinking on cyber issues. “We have technologies that would greatly improve cybersecurity, but their use wouldn’t be consistent with our laws on surveillance and privacy,” Lewis says, pointing to statutes such as the Electronic Communications Privacy Act of 1986, which disallows wiretaps without a warrant.

Lewis says these laws may need to be amended to allow effective government monitoring systems, but he notes that the scandal surrounding the Bush administration’s warrantless wiretapping practices may have precluded that kind of legislation.

Read more in Forbes.

[From the article:

… "It feels like the Bush administration all over again," says Pam Dixon, executive director of the World Privacy Forum. "Not enough people know the details about these programs to have a good public discussion. We all want good security of government systems, but you have to balance the cloak and dagger elements with civil liberties."

… But the plans involve two controversial players: The revamped monitoring technology would largely come from the NSA and initial tests would take place on AT&T's network, two ideas that bring to mind uncomfortable memories of the warrantless wiretapping programs that rattled civil libertarians under the Bush administration.

"The same folks are being potentially entrusted with cybersecurity who have already shown that they have no regard for the law," says Lee Tien, an attorney with the Electronic Frontier Foundation, a nonprofit group that sued AT&T for its involvement in those wiretapping programs. "It's troubling that the Obama administration would consider this sort of thing."

… But Stewart Baker, a former NSA general counsel in the Clinton administration, argues that given the frequency of hacker intrusions on government networks, there's little time to waste on vague privacy worries.

Tools for parents tracking their children? - LastFM & LyricWiki Mashup

Mashups come in all sizes and colors. This one caught my fancy recently, if only because it combines three different services that have blended pretty well together. They are LastFM, LyricWiki and GoogleMaps.

By glancing at that list you can more or less guess what it does, and chances are you will guess right. You just supply a LastFM username to be provided with a list of the 10 last songs that were played by that person. Upon clicking on each one of the provided song titles the lyrics will be displayed for you to enjoy, and short band information is likewise provided. Note that Flickr is also part of the mashup, as you can see recent pictures with ease in the right-hand corner of the screen. For its part, GoogleMaps is employed to list forthcoming events.

This mashup offers you a sort of window into any person’s musical tastes. It is a good way to while away some idle hours, and all the information that is provided guarantees you will learn everything about any artist that crops up and whose name you didn’t even know to begin with.

(Related) A rose by any other name would be a petunia. (bin Ladin / Ben Ladin / Ben London )

Does the PASS ID Act Protect Privacy?

July 7, 2009 by Dissent Filed under Govt, Legislation, Surveillance, U.S.

Jim Harper of the Cato Institute takes aim at PASS ID and CDT’s praise for it. Here are a few snippets:

One of the more interesting privacy “protections” in the PASS ID Act is a requirement that individuals may access, amend, and correct their own personally identifiable information. This is a new and different security/identity fraud challenge not found in REAL ID, and the states have no idea what they’re getting themselves into if they try to implement such a thing. A May 2000 report from a panel of experts convened by the Federal Trade Commission was bowled over by the complexity of trying to secure information while giving people access to it. Nowhere is that tension more acute than in giving the public access to basic identity information.

The privacy language in the PASS ID Act is a welcome change to REAL ID’s gross error on that score. At least there’s privacy language! But creating a national identity system that is privacy protective is like trying to make water that isn’t wet.

Does PASS ID address “most of the major privacy and security concerns with REAL ID”? Not even close. PASS ID is a national ID, with all the privacy consequences that go with that.

Changing the name of REAL ID to something else is not an alternative to scrapping it. Scrapping REAL ID is something Senator Akaka (D-HI) proposed in the last Congress. Fixing REAL ID is an impossibility, and PASS ID does not do that.

You can read his entire commentary here.

(Related) Is it so difficult to identify the practices that threaten privacy? Perhaps what we need is a statement of “True Privacy” and then companies could document why they need to violate specific bits. For example: They do need your credit card number if that is how you choose to pay and they need an address to ship to. It would be harder to justify asking for your mother's maiden name...

Four Missed Opportunities for Privacy

Posted by kdawson on Tuesday July 07, @02:44PM from the squirming-to-head-off-regulation dept.

The NY Times has a blog posting on the occasion of the Internet advertising industry's release (PDF) of what it describes as tough new standards governing the collection and use of data about users' behavior. The Times' Saul Hansell describes these "new" standards as more of the same old status quo, and outlines four privacy-enhancing ideas, being discussed by Google, Yahoo, the FTC, and Congress, that the IAB has completely ignored. These principles are:

every ad should explain itself;

users should be able to see data collected about them;

browsers should help enforce user choices about tracking; and

some information (medical and financial) is simply too sensitive to track.

I can see a university library using a filter to keep students “on task” – another way of saying they want to spend resources on academic content only. But a public library should serve the needs of the taxpayers, right? Who do they think they are, politicians?

Can Libraries Refuse to Disable Filters?

July 7, 2009 by Dissent Filed under Court, Internet, U.S.

In the first legal challenge to Internet filtering practices enacted by relatively few libraries, the Washington Supreme Court is weighing whether the North Central Regional Library (NCRL), Wenatchee, can refuse to turn off filters at the request of adult patrons seeking constitutionally protected material.

At issue in Bradburn v. North Central Regional Library, which was the subject of an oral argument June 23 (see video linked below), are some knotty questions still facing libraries.

Read more on The article provides a number of links and resources on the case, as well as a lot of background. In addition, you may wish to read the amicus brief (pdf) filed by EFF and CDT.

Does this have application here? Should we move to Spain?

Judge Rules P2P Legal, Sites To Be Presumed Innocent

Written by enigmax on July 07, 2009

After Spain virtually ruled out imposing a “3-strikes” regime for illicit file-sharers, the entertainment industries said they would target 200 BitTorrent sites instead. Now a judge has decided that sharing between users for no profit via P2P doesn’t breach copyright laws and sites should be presumed innocent until proved otherwise.

Death to Microsoft!?? Yesterday I included an article where Microsoft claimed their Browser-supporting operating system was still years away. Oops!

Google Announces PC Operating System to Compete with Windows

By Ryan Singel, July 8, 2009, 3:02 am

Google is releasing a lightweight, open-source PC-operating system later this year, the company announced Tuesday night, a move that threatens the very heart of Microsoft, long seen as Google’s biggest rival.

Chrome OS is intended to be a very lightweight, quick-starting operating system whose central focus is supporting Google’s Chrome browser. Applications will run mostly inside the browser, making the web — not the desktop — into the computer’s default operating system.

Tools & Techniques Useful for illustrating a “how to”

ScreenJelly: Capture Your Screen On Video & Share

ScreenJelly is a neat web utility that provides you with quick and hassle free way to capture your screen activity on video, and then share it via Twitter or email.

There is no installation or sign up, just go to the site and click “Record” button to start recording. Once finished, choose how you want to share it (Twitter, Email or Web), and spread it online. That’s it!

Similar web tools: ScreenToaster, FreeScreenCast, uTIPu and Screencast-O-Matic.

Tools & Techniques How to make those old fashioned newspaper thingies work on the web?

TodaysFrontPages: See Front Pages Of Newspapers Around The World

TodaysFrontPages is another cool resource for news junkies. The application displays 793 front pages of newspapers published in 77 different countries. All pages are presented in their original, unedited form.

You can view pages in three different modes: Gallery, List and Map. In all cases front pages can be sorted by region (USA, North America, Asia, Caribbean, Europe, Middle East, Oceania, South America, Africa), zoomed in, printed out and saved as readable PDF.

Global Warming! Global Warming! Sunspots are “cool” areas on the sun. More sunspots should equal less energy and therefore help decrease global warming. Except Al Gore claimed they were (partly) responsible for global warming – as was everything but voting for a Democrat.

Sunspots Return

Posted by kdawson on Tuesday July 07, @03:31PM from the try-this-proven-acne-cure dept.

We're emerging from the longest, deepest sunspot drought since 1913 (we discussed its depths here) with the appearance of a robust group of sunspots over the weekend. Recently we discussed a possible explanation for the prolonged minimum. The Fox News article quotes observer Michael Buxton of Ocean Beach, Calif.: "This is the best sunspot I've seen in two years." jamie found a NASA site where you can generate a movie of the recent sunspot's movement — try selecting the first image type and bumping the resolution to 1024. The magnetic field lines are clearly visible.