Saturday, July 25, 2009

Another example of delayed use of stolen data. As long as the cards remain valid, the crooks can plan and execute their scheme for converting that information into cash.

First National Bank closes debit accounts

July 24, 2009 by admin Filed under Breach Incidents, Financial Sector, Hack, ID Theft, Malware, U.S.

Another delayed effect of the Heartland breach….

More than two thousand debit card customers of First National Bank of Howell have had their accounts closed down after learning of a security breach. [Almost certain that they learned about this months ago. They chose to delay replacing cards in hopes that they could avoid the expense – leaving their customers at risk too. Will they repair any damage done to credit scores? Bob] Bank officials tell WHMI that after learning of an information breach at Heartland Payment Systems, a national credit and debit card processing company, they began to closely monitor their customers’ accounts and quickly found a pattern of suspicious activity. Randy Greene is the First National’s Vice President in charge of retail banking. He says that on Thursday they deactivated 2,300 of their customers’ debit cards as a precaution. He adds that any fraudulent activity will be completely covered and they are notifying all of their customers and arranging for new cards to be sent. A mass letter is also being sent out explaining the situation. Greene stresses that none of their customers’ personal identification data such as Social Security numbers or PIN codes are believed to have been compromised.

Source: WHMI

Thanks to the good folks at ITRC for sending me this link.

Technical sophistication isn't enough and you can't spend all of your security budget on prevention. Some resources must be allocated to detecting a breach.

Network Solutions hacked

July 24, 2009 by admin Filed under Breach Incidents, Business Sector, Hack, Of Note, U.S.

Hackers have broken into Web servers owned by domain registrar and hosting provider Network Solutions, planting rogue code that resulted in the compromise of more than 573,000 debit and credit card accounts over the past three months, Security Fix has learned.

Herndon, Va.-based Network Solutions discovered in early June that attackers had hacked into Web servers the company uses to provide e-commerce services — a package that includes everything from Web hosting to payment processing — to at least 4,343 customers, mostly mom-and-pop online stores. The malicious code left behind by the attackers allowed them to intercept personal and financial information for customers who purchased from those stores, Network Solutions spokeswoman Susan Wade said.

Wade said the company is working with federal law enforcement and a commercial data breach forensics team to determine the cause and source of the break-in. The payment data stolen was captured from transactions made between March 12, 2009 and June 8, 2009.

Read more on Security Fix.

(Related) Military power isn't enough. If the MoD can't protect data, is there any hope for the rest of us?

MoD admits to fourfold rise in data breaches

July 24, 2009 by Dissent Filed under Breaches, Govt, Non-U.S.

The government’s information security reputation suffered another blow this week, after the Ministry of Defence (MoD) revealed that serious data breaches have risen fourfold over the past year.

The MoD’s latest resource accounts (PDF) reveal that the department suffered eight serious breaches in the 2008 to 2009 period, up from just two in the preceding year.

The worst incident involved the loss of a portable hard disk from a contractor’s premises, which contained the names, passport information and bank account details of an estimated 1.7 million people.


Almost news? If the laptop was truly encrypted, there is little risk of data theft. The City's comments make me doubt that...

Brighton laptop stolen while IT engineer golfed

July 25, 2009 by admin Filed under Breach Incidents, Government Sector, Theft, U.S.

Anger is seething among several employees of the city of Brighton (Colorado) whose bank account numbers, social security numbers and addresses may have been compromised by the city’s lead IT engineer.

Jeromy King was playing in a charity golf tournament Monday at the Ranch County Club in Westminster when someone apparently took a laptop computer from his pickup.

The laptop contained the sensitive payroll information of city employees.


Johnson did say the information on the computer was encrypted.


The companion news video indicates that almost 350 employees had data on the laptop. [One employee had data on 350 people... Bob]

[From the article:

City officials declined to talk about the security breach, saying they didn’t want the thief to know what was on the computer. [If the data was encrypted (looks like gibberish) what's the big deal? Besides, the crook probably knows someone who can read this article. Bob]

… While there is no indication that the employee information was accessed... [The thief didn't call us... Bob]

… Charles Luce, a Denver attorney who specializes in computer technology and internet law, told 7NEWS that he was not aware of any restrictions governing the downloading of HR data from a municipality's main computer to a city-owned laptop.

He added that municipalities should take all steps necessary to make sure the sensitive information remains secure.

Luce, of the law firm Moye | White said, “We shouldn’t have to legislate common sense.”

(Related) Not all encryption is created equal...

iPhone 3Gs Encryption Cracked In Two Minutes

Posted by Soulskill on Friday July 24, @07:07PM from the see-it-really-is-fast dept. security cellphones encryption apple

An anonymous reader writes

"In a Wired news article, iPhone Forensics expert Jonathan Zdziarski explains how the much-touted hardware encryption of the iPhone 3Gs is but a farce, and demonstrates how both the passcode and backup encryption can be bypassed in about two minutes. Zdziarski also goes on to say that all data on the iPhone — including deleted data — is automatically decrypted by the iPhone when it's copied, allowing hackers and law enforcement agencies alike to access the device's raw disk as if no encryption were present. A second demonstration features the recovery of the iPhone's entire disk while the device is still passcode-locked. According to a similar article in Ars Technica, Zdziarski describes the iPhone's hardware encryption by saying it's 'like putting privacy glass on half your shower door.' With the iPhone being sold into 20% of Fortune-100s and into the military, just how worried should we be with such shoddy security?"

Wal-Mart likely has the best picture of the retail world. It will be interesting to see how that translates to a Privacy Policy...

Wal-Mart to revamp its privacy policy

July 25, 2009 by Dissent Filed under Businesses, U.S.

One month from now, Wal-Mart will unveil a radically changed privacy policy, one that envisions a merged channel world, where consumers are as likely to use their phone and laptop to interact with Wal-Mart as much as they would walk into a store or speak with a call center. The policy talks about data not merely from a PCI and a purchase history perspective, but also from a security camera’s and cellphone’s perspective.

Read more on StorefrontBacktalk.

[From the article:

“Our goal is to have it be completely comprehensive, for both online and offline,” said Zoe Strickland, the Wal-Mart VP who serves as the chain’s Chief Privacy Officer. “We need to govern all the different ways that we collect and use information. Privacy is not just about using the Web site. It’s everything that happens when you’re interacting with the company.”

Are they arguing the wrong point? The concern isn't what they know about our browsing, it's how they use that information.

Can privacy and consumer protection coexist online?

July 24, 2009 by Dissent Filed under Internet

Legislation that would create privacy regulations for online advertising could cause consumers to get fewer free services and isn’t necessary because privacy advocates have shown no harm from data collection, the co-author of a study on online advertising said.

Online services have been tracking consumer behavior for a decade without creating problems for consumers, said Paul Rubin, a fellow at the Technology Policy Institute (TPI), a free-market think tank, and an economics and law professor at Emory University.

Read more on NetworkWorld.

Report: In Defense of Data: Information and the Costs of Privacy [pdf]. Technology Policy Institute, May 2009. The report states, in part:

Privacy advocates suggest privacy is a “free lunch.” Privacy advocates argue that online practices violate individuals’ rights and therefore should be curtailed. Innovations, such as the development of search engines or, more recently, the possibility that Internet Service Providers might use deep packet inspection as an online-advertising tool, have led to increased apprehension. However, more privacy implies less information available for producing benefits for consumers. Privacy advocates have provided little detail on the benefits of more privacy and have typically ignored the costs or tradeoffs associated with increasing privacy (i.e., reducing information). Their analysis suggests they believe that privacy is a “free lunch” consumers can obtain more of without giving up anything else.

Who to trust

Study: Internet content filtering harmful

July 24, 2009 by Dissent Filed under Businesses, Featured Headlines, Internet

Public Knowledge has released a study, ‘Forcing the Net Through a Sieve: Why Copyright Filtering is Not a Viable Solution for U.S. ISPs’ [pdf]. The Executive Summary:

Copyright filtering, the latest proposed “magic bullet” solution from the major music and movie studios and industry trade groups, poses a number of dangers to Internet users, legitimate businesses and U.S. federal government initiatives to increase the speed, affordability and utilization of broadband Internet services. The following whitepaper presents a number of reasons why the use of copyright filters should not be allowed, encouraged or mandated on U.S. Internet Service Provider (ISP) networks. Among them:

1. Copyright filters are both underinclusive and overinclusive. A copyright filter will fail to identify all unlawful or unwanted content while harming lawful uses of content.
2. Copyright filter processing will add latency. Copyright filters will slow ISP networks, discouraging use, innovation and investment and harming users, businesses and technology policy initiatives.
3. The implementation of copyright filters will result in a technological arms race. Users will act to circumvent the filters and the architects of the filters will find themselves caught in a costly, unwinnable arms race.
4. Copyright filters do not make economic sense. The monetary costs associated with copyright filtering far outweigh any perceived benefits.
5. Copyright filters will discourage investment in the Internet economy. Copyright filters will disrupt the Internet ecosystem, severely undermining our most promising engine for economic growth.
6. Copyright filters will harm free speech. Due to technological limitations, copyright filters will harm lawful, protected forms of speech such as parody and satire.
7. Copyright filters could undermine the safe harbor provisions that shield ISPs from liability. Under the Digital Millennium Copyright Act (DMCA), ISPs are shielded from liability for their users’ actions. Copyright filters could undermine these safe harbors, which have allowed the Internet to become the most important communications medium of the modern era.
8. Copyright filtering could violate the Electronic Communications and Privacy Act. Copyright filtering could constitute unlawful interception under the Electronic Communications and Privacy Act (ECPA).

- Full Report (PDF; 398 KB)

- Public Knowledge’s reply comments to the Federal Communications Commission (PDF; 271 KB)

Skype is relatively low bandwidth. (You could transfer 'War & Peace' in the time it takes me to read the first page aloud.) Twitter is just as useful for short messages (Attack Now!) so why are they concerned with Skype? Because it threatens a government monopoly.

Skype singled out as threat to Russia’s security

July 24, 2009 by Dissent Filed under Govt, Internet, Non-U.S., Surveillance

Russia’s most powerful business lobby moved to clamp down on Skype and its peers this week, telling lawmakers that the Internet phone services are a threat to Russian businesses and to national security.

In partnership with Prime Minister Vladimir Putin’s political party, the lobby created a working group to draft legal safeguards against what they said were the risks of Skype and other Voice over Internet Protocol (VoIP) telephone services.

Read more from Reuters on

Thanks to the crew at the Jeff Farias Show for sending this link.

And who knows? Maybe as part of rebooting the relationship with Russia, our government will show them how to swoop up all communications.

A conundrum indeed. Use advanced technology to give yourself control (and a competitive advantage?) then learn to deal with the consequences. (I wonder what their contracts say?) Question: If you neither BUY nor LEASE your e-book, what exactly have you paid for?

Amazon Kindle doomed to repeat Big Brother moment

July 25, 2009 by Dissent Filed under Businesses

Yes, Amazon chief Jeff Bezos has apologized for the Orwellian removal of Orwell from digital book readers tucked inside the pockets of American citizens. And yes, the new-age retailer has promised not to repeat its Big Brother moment. But that’s not a promise it can promise to keep.


Amazon doesn’t distribute books to the Kindle over the public internet. Etexts are downloaded via a private wireless network dubbed “Whispernet,” and the company has shown it has the technical power to vanish those titles at any time. If a copyright holder sued for the removal of a title, a judge may very well force Amazon to remove it.

“Amazon has the capacity to control the bits after they’ve left the store,” says Santa Clara University law professor and tech law blogger Eric Goldman. “I’m reasonably confident that what prompted Amazon to wipe the bits off of people’s devices was them asking themselves ‘How are we going to explain to a judge that we have the capacity to wipe bits from the device but we sat back and chose not to use it?’”

Read more on The Register.

[From the article:

"We're entering these new domains where what acquisition means and what ownership means has not been well demarcated," Brantley says.

(Related) Perhaps some nice hacker will do this for the Kindle? (Hint, hint. Wink, wink.)

How to Rip a DVD or Blu-ray Movie by Michael Brown

Are you ready to turn outlaw?

Hollywood wants you to buy its movies on DVD and Blu-ray disc, but then it wants to control what you do with them once you get home. We’re going to show you how to do something that Hollywood most definitely does not want you to do: Copy those movies to your hard drive or media server so that you can enjoy them without ever having to get off your couch to drop a disc in your DVD player.

Once you have the movie on your hard drive, you can do all kinds of other neat stuff with it, such as transcode it to another format so you can watch it on a handheld digital media player—or delete those annoying messages from the FBI and Interpol warning you of the penalties for doing what we’re about to show you how to do.

While we fully acknowledge that the movie industry has the right to protect its intellectual property, we also believe that consumers have the right to enjoy the property they purchase. The concept is called fair use: If you bought a movie on DVD, you should have the right to make a back-up copy of it or transfer the content to another medium, such as your computer’s hard drive. You don’t have the right to distribute copies of that disc to anyone else, of course, and you don’t have the right to copy discs you don’t own, e.g., movies you borrow from a friend or rent from Netflix. But you knew that already.

For my Computer Security students. If they will produce a summary video each month, this could be fun.

Hacker group L0pht makes a comeback, of sorts

Its new Web site and the Hacker News Network are online, but the L0pht is not getting back together

Robert McMillan (IDG News Service) 24/07/2009 11:09:00

The news report begins with shots of a tense space shuttle launch. Engineers hunch over computer banks and techno music pounds in the background. There is a countdown, a lift-off, and then you see a young man in a black T-shirt and sunglasses, apparently reporting from space.

This is the Hacker News Network, and after a decade offline it is lifting off again, this time with a quirky brand of video reports about security.

Tools & Techniques (Probably not cheaper than retail, but custom!)

Video: How to Build a PC - Every Step Explained

Posted 07/24/09 at 11:22:23 AM by Will Smith

I'm Will Smith, the editor of Maximum PC and the guy in the video below. We shot this video demonstration to show people how to build a killer PC, one step at a time. It's a great reference for beginners and experts alike. This video was created for viewing by attendees of Comic-Con 2009.

Something for all my students? (I may have reported on this before, sorry)

Download Free PDF Tutorials

Here is another Google powered custom search engine that lets you search and download free PDF tutorials from among 38.000.000 tutorials online.

Is it me or is this too retro for words? Perhaps they could run an article on “Creating your own scroll!”

How to Make Index Cards in Microsoft Word 2007

Jul. 24th, 2009 By Saikat Basu

Friday, July 24, 2009

If you don't know what happened, how do you know you've identified all the victims?

Big credit card breach in Japan

July 24, 2009 by admin Filed under Business Sector, ID Theft, Non-U.S., Of Note

Alico Japan said Thursday that credit card data on possibly tens of thousands of its insurance policyholders had apparently leaked, resulting in massive fraudulent transactions.

It said that up to 110,000 policyholders could be affected.

Names of policyholders, their credit card numbers and the expiry dates of the cards were used to make fraudulent purchases via the Internet.

By Thursday, the life insurer said it had received inquiries from more than 1,000 policyholders who complained they had been billed by credit card companies for purchases they hadn’t made.

The parent company of Alico Japan is the U.S.-based American Life Insurance Co. Alico Japan also falls under the umbrella of the giant American International Group Inc. (AIG).

The apparent scope of the fraud makes it one of the largest of its kind in Japan in recent years.

Alico Japan said it was first alerted to the problem on July 14 by a credit card company with which it has business dealings. The credit card company said the leak had apparently occurred at Alico Japan.

Read more on The company does not yet know how the breach occurred.

[From the article:

… Their policy contract numbers end with the numerals 2 or 3. [So only 2 out of 10 policies are impacted – or the crooks haven't needed to open the other files yet. Bob]


2009 Verizon Business Risk Team Findings

Key Findings of the 2009 Verizon Business Risk Team Cybercrime Report

This year’s key findings both support last year’s conclusions and provide new insights. These include:

* Most data breaches investigated were caused by external sources. Seventy-four percent of breaches resulted from external sources, while 32 percent were linked to business partners. Only 20 percent were caused by insiders, a finding that may be contrary to certain widely held beliefs.

* Most breaches resulted from a combination of events rather than a single action. Sixty-four percent of breaches were attributed to hackers who used a combination of methods. In most successful breaches, the attacker exploited some mistake committed by the victim, hacked into the network, and installed malware on a system to collect data.

* In 69 percent of cases, the breach was discovered by third parties. The ability to detect a data breach when it occurs remains a huge stumbling block for most organizations. Whether the deficiency lies in technology or process, the result is the same. During the last five years, relatively few victims have discovered their own breaches.

* Nearly all records compromised in 2008 were from online assets. Despite widespread concern over desktops, mobile devices, portable media and the like, 99 percent of all breached records were compromised from servers and applications. [A bit misleading, since the greatest volume of data is on servers and in applications. One server breach could yield 1000 times the data on a stolen laptop. Bob]

* Roughly 20 percent of 2008 cases involved more than one breach. Multiple distinct entities or locations were individually compromised as part of a single case, and remarkably, half of the breaches consisted of interrelated incidents often caused by the same individuals.

* Being PCI-compliant is critically important. A staggering 81 percent of affected organizations subject to the Payment Card Industry Data Security Standard (PCI-DSS) had been found non-compliant prior to being breached.

If nothing else, the graphic showing relative length of the privacy policies examined is amusing.

15 Top Privacy Policies, Analyzed

July 23, 2009 by Dissent Filed under Internet

We all know no one reads privacy policies. What do the top websites really include in them? In its mission to get anonymous public data, The Common Data Project, a New York City-based non-profit, is on a mission to eliminate the barriers that privacy policies pose.

In a new report, they analyzed ten of the most popular Web properties on the Internet, and several more emerging ones. Here’s how what they put in their policies affects your privacy, and how other enterprises can imitate their best practices.

Read more on ReadWrite Enterprise.

… find all the sections together here.

No doubt they will want to add video cameras to each recycling bin. Facial recognition would let them identify the anti-social/non-recyclers for deportation.

Council admits snooping through rubbish

July 24, 2009 by Dissent Filed under Breaches, Govt, Non-U.S., Surveillance

“Disgraceful” council staff have been snooping through residents’ rubbish to monitor their recycling habits, it has been revealed.

Residents across Rother, including Battle, have had their refuse rifled through by East Sussex County Council, without their knowledge or consent.

And council staff have also been accused of using their findings to rate households across the county into five different social categories, from Level One, ‘Wealthy Achievers’, to Level Five, ‘Hard Pressed’.

Read more on the Rye & Battle Observer.

The start of a trend or do these Mainers have lobster fever again...

Maine law limits collection of data on minors

July 23, 2009 by Dissent Filed under Legislation, U.S., Youth

David Navetta of InfoSecCompliance provides an overview of a new law in Maine that limits the collection of personal information of minors. The law, which goes into effect on September 12, 2009, has a provision for an individual cause of action in state court, unlike many privacy laws that do not provide for an individual cause of action:

3. Civil violation; penalty. Notwithstanding the penalty provisions of Title 5, section 209, each violation of this chapter constitutes a civil violation for which a fine may be assessed of:

A. No less than $10,000 and no more than $20,000 for a first violation; and

B. No less than $20,000 for a 2nd or subsequent violation


No doubt this is important to a few IP lawyer types...

Are Tweets Copyright-Protected?

July 2009 By Consuelo Reinberg

Copyright and tweeting – the debate was bound to happen. Can repeating a message on Twitter - a free social networking and micro-blogging service that enables users to send and read other users' updates (known as tweets) – actually be construed as copyright infringement? This article, by Consuelo Reinberg, content editor, BP Council, was first published in the BP Council Note, June 18, 2009.

Tools & Techniques

How to Make Your Hotmail Sign In More Secure

Jul. 23rd, 2009 By Tim Watson

… If you’re not a Hotmail user, many of these tips can still apply to you, as other web-mail services may have the same features.

Thursday, July 23, 2009

Perhaps not the best target for identity theft?

Jackson death certificate improperly accessed

July 23, 2009 by Dissent Filed under Breaches, U.S.

Los Angeles County coroner’s officials said Wednesday that they have discovered security breaches involving the investigation into Michael Jackson’s death, including hundreds of improper views of the pop star’s death certificate and the discovery of weaknesses in two other computer systems in which more sensitive records are stored.

At least half a dozen staff members inappropriately accessed Jackson’s death certificate, officials said. Within two weeks of his death June 25, the certificate had been viewed more than 300 times. The document was not released publicly until July 7.

Read more on the Los Angeles Times.

[From the article:

In some cases, coroner's staff appear to have printed copies before it became public. [Perhaps we could blow it up to poster size and sell framed copies on e-Bay? Bob] This month, coroner's officials warned employees to cease in an e-mail reviewed by The Times.

… Death records in the can be accessed by anyone with a state-issued password, including employees at coroner's offices, funeral homes, hospitals and the county and the state registrar's office.

… Coroner's officials in L.A. said they also grappled with security concerns about two other password-protected computer systems that hold the active investigation files on Jackson's death.

Typically, such reports can be called up by investigators and other employees with system passwords. In Jackson's case, however, access was supposed to have been restricted from the start to a small number of high-ranking administrators. [Different rules for “important” people. Bob] Harvey said the hard copy of the investigation file was stored under lock and key.

Perhaps “Burden” isn't the right concern...

ABA plans for litigation over Red Flags rule

July 23, 2009 by Dissent Filed under Breaches, Businesses, Legislation, U.S.

The president of the American Bar Association said Wednesday the group may file a suit by the end of next week if it cannot persuade the Federal Trade Commission to exempt lawyers from new regulations set to take effect Aug. 1. The ABA has been lobbying for months to have lawyers kept out of the regulations, which require businesses and organizations that act as “creditors” to establish a program for preventing identity theft. The FTC and the ABA differ on how much of a burden the regulations would put on businesses.


...perhaps the word is “Waste” as in “If it doesn't work, why bother?”

Witnesses: E-Verify system can’t detect ID theft

July 23, 2009 by Dissent Filed under Govt, Surveillance, U.S.

The Homeland Security Department’s E-Verify employment verification system cannot detect identity theft and fraudulent applications, according to testimony before a Senate Judiciary Committee subcommittee.

The Internet-based E-Verify system allows employers to check Social Security numbers for their employees and prospective employees to determine whether the numbers are valid and the employees are therefore eligible to work. However, it is not designed to detect borrowed or stolen Social Security numbers.


E-Verify is a voluntary system used by about 134,000 employers, though it is mandatory to some degree in 12 states. Under an executive order from the Bush administration, federal contractors were supposed to begin mandatory use of E-Verify in January. However, that deadline has been pushed back to Sept. 8 due to a lawsuit. Homeland Security Secretary Janet Napolitano recently said the Sept. 8 deadline would be firm. [Even if it doesn't work, we want everyone to use it... Bob]

The E-Verify system has been controversial due to alleged high error rates in the databases used. USCIS acknowledges a 3.1 percent rate of initial non-matches in the system.

Read more on FederalComputerWeek.


Hustinx issues warning over transport monitoring

July 23, 2009 by Dissent Filed under Govt, Non-U.S., Surveillance, Workplace

The European Commission plans to create a framework within which it will be easier for governments and transport operators to set up EU-wide tracking and monitoring systems for transport.

European Data Protection Supervisor Peter Hustinx, who is responsible for regulating EU bodies’ privacy practices, said that he had concerns about the proposals.

Though the systems are aimed at making transport more environmentally friendly and less time consuming, Hustinx said that they could be used to monitor individuals’ movements across the continent.

“The deployment of ITS will support the development of applications for ‘tracking and tracing’ of goods and will allow for the deployment of location-based commercial and public services,” said a formal opinion produced by Hustinx. “The use of location technologies is particularly intrusive from a privacy viewpoint as it allows for the tracking of drivers and for the collection of a wide variety of data relating to their driving habits.”


Interesting that one of the most popular software applications in the US doesn't pass even the basic Privacy tests in other countries. Perhaps there will eventually be a Universal Standard with which applications can determine which countries will ban/warn against them?

Facebook: Australia piles on

July 22, 2009 by Dissent Filed under Businesses, Internet, Non-U.S.

Australian authorities are looking into whether Facebook is in breach of local privacy laws in the way it handles user data.

A report released by Canadian Privacy Commissioner Jennifer Stoddart last week found “serious” flaws in some of the social networking site’s practises.


Australian Privacy Commissioner Karen Curtis this week said her office was investigating the findings of the report and whether they breached local law.

“My office is examining the report of the Canadian Privacy Commissioner’s year-long investigation into a complaint it had received against Facebook,” said Ms Curtis.

“A number of the privacy issues raised… could arise under the Australian Privacy Act.


What “old book” (or document?) would you like an exact copy of?

Amazon Signs A Deal To Reprint Rarities

July 23, 2009 by Christopher Nickson

Amazon has inked a deal with the University of Michigan to reprint and sell 400,000 rare books.

The rare books in the University of Michigan’s library are in 200 different languages, and include such collectibles as an 1898 volume on nursing by Florence Nightingale. They’re all out of print and out of copyright, but soon they’ll be available to buy again, since the university signed a deal with Amazon.

The books will be available from Amazon’s Book Surge in soft cover, with prices ranging from $10 to $45, according to the BBC.

Statistics

It still comes as a shock when I find students with almost zero computer skills.

Americans are going wireless Internet big time, report says

by Dong Ngo July 22, 2009 3:30 PM PDT

A few days ago, the Pew Research Center released a report that Americans are looking online to fight the recession. On Tuesday it added that most of us are doing that via wireless Internet.

The results of the center's Internet & American Life Project survey show that 56 percent of adult Americans have accessed the Internet via wireless means, such as a Wi-Fi laptop, a mobile device, a game console, or an MP3 player. The most popular way people get online wirelessly is with a laptop computer, numbering 39 percent of some 2,200 survey participants.

The report also revealed the rising levels of Americans using the Internet on a mobile handset. Almost one-third (32 percent) have used a cell phone or a smartphone to access the Internet for e-mailing, instant messaging, or reading news.

For comparison, only 24 percent of Americans had done this by December 2007. Now, in a typical day, nearly one-fifth (19 percent) of Americans use the Internet on a mobile device, up substantially from the 11 percent level recorded in December 2007.

Attention Blog readers! It could be much worse – you could be listening to me ramble on... But this might also work for Seminars, or even my classes.

How To Start Your Own Internet Radio Station With Shoutcast

Jul. 22nd, 2009 By Jason K

Internet radio is, quite possibly, one of the more interesting methods of listening to music. As of this writing, there are approximately 30,000 broadcasting SHOUTcast radio stations – all broadcasting a unique playlist of songs or other content.

We’re going to show you how to start your own Internet radio station with SHOUTcast – and help you set up a player on your website.

Wednesday, July 22, 2009

How much should a security breach cost an organization?

HSBC fined for personal data loss

July 22, 2009 by admin Filed under Breach Incidents, Lost or Missing, Non-U.S., Of Note

Three HSBC firms have been fined more than £3m for failing to adequately protect customers’ confidential details from being lost or stolen.

The Financial Services Authority (FSA) said customer data had been lost in the post on two occasions.

The firms concerned are HSBC Life UK, HSBC Actuaries and Consultants, and HSBC Insurance Brokers.

The FSA identified two instances where unencrypted data had been lost in the post.

In April 2007, HSBC Actuaries lost a floppy disk containing the personal information of 1,917 pension scheme members, including addresses, dates of birth and national insurance numbers.

And in February 2008, HSBC Life lost a CD containing the details of 180,000 policyholders.

“All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals,” said Margaret Cole, director of enforcement at the FSA.

Read more on BBC. Related - FSA Press Release

See how common “not knowing” is? Here's an idea. If you can't prove your laptop was “PII Free” then you must assume it contained data on every customer. (It'll never fly, but it would open some eyes.)

Stolen laptop “may have” held customer data

July 21, 2009 by admin Filed under Breach Incidents, Business Sector, Theft

On July 8, a laptop that may have contained some customer information such as names and credit card numbers was stolen from an employee of Henry Schein, Inc. Although the laptop was password protected, the data were not encrypted.

By letter dated July 16 to the New Hampshire Attorney General’s Office, Kristen J. Mathews of Proskauer Rose indicated that HSI, which distributes medical, dental, and veterinary supplies, was not even sure any customer data were on the laptop, writing “At this time HSI has no reason to believe that any personal information (if any was actually contained on the laptop) has been or will be accessed or misused.”

So how do you notify customers when you’re not even sure any customer data were on a stolen device? Is this a “if there were data, then it would have to be _________’s data” thing?

Whenever I read such reports, I always wonder why there was no backup that could tell them definitively whether there were PII on a stolen device and if so, whose. I also wonder why any customer data would be on the device since it seems logical (to me, anyway) that the employee wasn’t working with the data or at the very least, hadn’t worked with it for a long enough time that s/he could no longer remember or be sure what was on the laptop. So far, I haven’t come up with any good answers, but maybe there is a scenario that I haven’t considered. [Rampant stupidity? Bob]

(Related) If you don't have expertise in a niche area, ask the Internet. The first Comment provides a (free) answer. See how easy “knowing” can be?

Best Tools For Network Inventory Management?

Posted by kdawson on Tuesday July 21, @05:51PM from the IPs-and-users-and-boxes-oh-my dept. networking

jra writes

"Once every month or so, people ask here about backups, network management, and so on, but one topic I don't see come up too often is network inventory management — machines, serial numbers, license keys, user assignments, IP addresses, and the like. This level of tracking is starting to get out of hand in my facility as we approach 100 workstations and 40 servers, and I'm looking for something to automate it.

Hope for the “Privacy/Security Challenged?” (It is possible some of my students are already sending me their research papers using this tool...)

'Vanish' Makes Sensitive Data Self-Destruct

Posted by Soulskill on Tuesday July 21, @12:14PM from the also-doesn't-appear-to-be-a-fire-hazard dept. security encryption

Hugh Pickens writes

"The NY Times reports on new software called 'Vanish,' developed by computer scientists at the University of Washington, which makes sensitive electronic messages 'self destruct' after a certain period of time. The researchers say they have struck upon a unique approach that relies on 'shattering' an encryption key that is held by neither party in an e-mail exchange, but is widely scattered across a peer-to-peer file sharing system. 'Our goal was really to come up with a system where, through a property of nature, the message, or the data, disappears,' says Amit Levy, who helped create Vanish. It has been released as a free, open-source tool that works with Firefox. To use Vanish, both the sender and the recipient must have installed the tool. The sender then highlights any sensitive text entered into the browser and presses the 'Vanish' button. The tool encrypts the information with a key unknown even to the sender. That text can be read, for a limited time only, when the recipient highlights the text and presses the 'Vanish' button to unscramble it. After eight hours, the message will be impossible to unscramble and will remain gibberish forever. Tadayoshi Kohno says Vanish makes it possible to control the 'lifetime' of any type of data stored in the cloud, including information on Facebook, Google documents or blogs."
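The mechanism the story describes, modelled in a constructed example that is not the Vanish project's code: the message is encrypted under a random key, the key is split into threshold shares, and the shares are parked in a peer-to-peer DHT that forgets entries after a time-to-live. The DHT here is an in-memory stand-in with a clock passed in explicitly, the threshold parameters (10 shares, 7 needed) and the SHA-256 XOR keystream are assumptions for illustration, and the eight-hour TTL is the figure from the article.

```python
"""Simplified model of the Vanish idea (constructed example, not the Vanish
project's code): encrypt under a random key, split the key into threshold
shares, park the shares in a DHT that forgets entries after a TTL. Once too
many shares have expired, nobody, sender included, can decrypt."""
import hashlib
import secrets

PRIME = 2**127 - 1  # Mersenne prime; share arithmetic is in GF(PRIME)

def _eval_poly(coeffs, x):
    """Horner evaluation over GF(PRIME); coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split_secret(secret, n, k):
    """Shamir threshold sharing: n shares, any k of which reconstruct `secret`."""
    assert 0 <= secret < PRIME and 1 <= k <= n
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]

def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(PRIME)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total

class FakeDHT:
    """Stand-in for the peer-to-peer DHT (assumed): entries vanish after `ttl` seconds."""
    def __init__(self, ttl):
        self.ttl, self.store = ttl, {}  # index -> (value, inserted_at)
    def put(self, idx, value, now):
        self.store[idx] = (value, now)
    def get(self, idx, now):
        if idx in self.store:
            value, t = self.store[idx]
            if now - t < self.ttl:
                return value
            del self.store[idx]  # expired: the DHT has forgotten it
        return None

def _keystream(key_int, length):
    """SHA-256 counter-mode keystream from the 128-bit key; XOR makes encrypt == decrypt."""
    key, out, ctr = key_int.to_bytes(16, "big"), b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def vanish_encrypt(plaintext, dht, now, n=10, k=7):
    """Encrypt, scatter n key shares into the DHT, return (ciphertext, locator)."""
    key = secrets.randbelow(2**126)  # comfortably below PRIME
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    tag = secrets.token_hex(8)  # names this share set; the locator is public
    for x, y in split_secret(key, n, k):
        dht.put(f"{tag}:{x}", y, now)
    return ct, (tag, n, k)

def vanish_decrypt(ciphertext, locator, dht, now):
    """Gather surviving shares; decrypt only if at least k are still present."""
    tag, n, k = locator
    shares = [(x, dht.get(f"{tag}:{x}", now)) for x in range(1, n + 1)]
    shares = [(x, y) for x, y in shares if y is not None]
    if len(shares) < k:
        raise ValueError(f"{len(shares)} of {k} needed shares left; data has vanished")
    key = recover_secret(shares[:k])
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, len(ciphertext))))

if __name__ == "__main__":
    dht = FakeDHT(ttl=8 * 3600)  # eight hours, as the article describes
    ct, loc = vanish_encrypt(b"meet at the usual place", dht, now=0)
    print(vanish_decrypt(ct, loc, dht, now=3600))  # still readable
    try:
        vanish_decrypt(ct, loc, dht, now=9 * 3600)
    except ValueError as err:
        print("after expiry:", err)
```

The threshold is what lets the scheme tolerate a few shares dropping out of the DHT early while still guaranteeing that, once the TTL passes, the ciphertext is unrecoverable even by the sender, who never held the key.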

Interesting approach. If the same information is available for the other state laws, we have the basis for a quick (and useful?) article.

FAQ on Nevada’s Security of Personal Information Law (NRS 603A)

July 21, 2009 by admin Filed under Breach Laws, Legislation, State/Local

InfoSecCompliance (“ISC”) was recently asked by a prospective client to provide a summary of Nevada’s Security of Personal Information law (NRS 603A) and a recent amendment to the Security Law that incorporated the Payment Card Industry Data Security Standard (“PCI”). ISC decided to try something new and create a Frequently Asked Questions document around the PCI requirements contained in the Security Law. For better or worse (after sinking in 15 - 20 hours) ISC ended up doing FAQs for the entire Nevada Security Law. This turned out to be a much bigger work than originally anticipated, so ISC is going to do a five-part blog post series breaking down the Nevada Security Law into (hopefully) digestible parts.

This FAQ is broken down into six sections that will be posted over five posts over the next week or so. The postings will be broken down as follows:

Post One: The Basics of Nevada’s Security Law and Destruction of Records

Post Two: Security Breach Notice

Post Three: Required Security Measures

Post Four: Encryption and PCI Compliance

Post Five: Remedies, Penalties and Enforcement

Check the site for updates when the posts become available. Post One is available now.

Nevada’s Security of Personal Information Law Post Two: The Breach Notice Requirements

July 22, 2009 by admin Filed under Breach Laws, State/Local

From the FAQ provided by InfoSecCompliance:

What triggers the security breach notice obligations under the Security Law?

In order for the breach notice requirements to be triggered under the Security Law two general events must occur (with some sub-requirements discussed further below). First, there must have been a “breach of the security of the system data” discovered by a data collector or notified to a data collector. Second, “personal information” must have actually been acquired by an unauthorized person, or was “reasonably believed to have been acquired” by an unauthorized person.

Read more.

(Related) Perhaps not as detailed as the previous articles, but with some new ideas. Perhaps we need a website that analyzes new and modified laws to see how they are evolving. Provide a similar analysis of the breaches (what are the crooks doing) and it might allow legislatures to understand the issues. (Not that most politicians can actually read.)

Missouri data breach notification law goes into effect soon

July 21, 2009 by admin Filed under Breach Laws, Legislation, State/Local

Perkins Coie has provided a short synopsis of key requirements of Missouri’s new data breach notification law, which goes into effect on August 28, 2009.

….. In addition to the more common elements of first name or initial and last name in combination with unencrypted Social Security Number, driver’s license number, financial account number, or credit or debit card number, the statute also includes in the definition of personal information first name or initial and last name in combination with an unencrypted:

  • Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;

  • Medical information, which includes any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; and

  • Health insurance information, which includes an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual.

Other provisions of interest:

  • If an entity must notify more than 1000 residents, it must notify the Missouri Attorney General’s office and the nationwide consumer reporting agencies of the breach.

  • Civil penalties for violating the statute may reach up to $150,000 per breach of the security of the system.

The full text of the bill can be found at:

Perkins Coie’s chart summarizing all of the states’ data breach notification laws can be found at:

Source: Perkins Coie blog, Digestible Law.

Interesting that Iran only needs 3 months of data, but the US and the EU want several years.

Iran implements Internet data retention law

July 21, 2009 by Dissent Filed under Govt, Internet, Legislation, Non-U.S., Surveillance

Iranian President Mahmoud Ahmadinejad has implemented a law requiring the country’s Internet service providers to retain records of users’ incoming and outgoing data for at least three months, according to a Monday report by the state-run PressTV news agency. The government said the law is designed to help catch those who illegally steal others’ personal information from the Internet, and that the data would only be monitored under court order or in the interest of national security. [Riiight... Bob] Critics argue that the law will enable the government to monitor and censor the internet use [Al Jazeera report] of reporters and political dissidents, whose blogging and use of social networking websites have thus far been able to evade press restrictions.

Read more on JURIST.

Strategy: First start with someone who does not evoke sympathy. Then you have precedent to extend your program to everyone. “We've been doing this for years!”

Porn actress says state intruded on privacy

July 21, 2009 by Dissent Filed under Breaches, Court, Featured Headlines, Govt, U.S.

A porn film actress whose positive HIV test made news in June claims [pdf] state health officials violated her rights by demanding her medical records. Filing her complaint under the name “Patient Zero,” the woman sued California OSHA and the Adult Industry Medical Healthcare Foundation.

Zero claims that after she tested positive for HIV, the California Division of Occupational Safety and Health subpoenaed her health care provider for her records and personal information, in violation of her right to privacy.

She says that in June the Adult Industry Medical Healthcare Foundation (AIM), which provides health care to sex workers, told her she had preliminarily tested positive for HIV. She says the Foundation quarantined her and everyone known to have had sexual contact with her, and reported her case to the Los Angeles County Department of Public Health.

Cal/OSHA then conducted a surprise inspection of AIM and demanded the medical records of HIV patients, including Patient Zero, but AIM staff refused, she says.

After the inspection, she says, her attorney learned that Cal/OSHA was meeting with the medical facility’s staff to try to get the records of patients with HIV.

Read more on Courthouse News.

Does this mean I'll have to defend my Patent on “A device to measure thermodynamic changes in body temperature as a diagnostic tool”? And won't be able to sue anyone who uses a thermometer?

Doctors Fight Patent On Medical Knowledge

Posted by kdawson on Tuesday July 21, @02:20PM from the no-not-patent-medicine dept. patents medicine

I Don't Believe in Imaginary Property writes

"Doctor's groups, including the AMA and too many others to list, are supporting the Mayo Clinic in the case Prometheus v. Mayo. The Mayo Clinic alleges that the patents in question merely recite a natural phenomenon: the simple fact that the level of metabolites of a drug in a person's body can tell you how a patient is responding to that drug. The particular metabolites in this case are those of thiopurine drugs and the tests are covered by Prometheus Lab's 6,355,623 and 6,680,302 patents. But these aren't the only 'observational' patents in medicine — they're part of a trend where patents are sought to cover any test using the fact that gene XYZ is an indicator for some disease, or that certain chemicals in a blood sample indicate something about a patient's condition. There are even allegations that certain labs have gone so far as to send blood samples to a university lab, order testing for patented indicators, then sue that university for infringement. Naturally, Prometheus Labs sees this whole story differently, arguing that the Mayo Clinic will profit from treating patients with knowledge patented by them.

They have their own supporters, too, such as the American Intellectual Property Law Association." Prometheus doesn't seem to be a classic patent troll; they actually perform the tests for which they have obtained patents.

Could they do this for other professions? Law, Medicine, Hacking?

Wikipedia Teaches NIH Scientists Wiki Culture

By Alexis Madrigal, July 21, 2009 | 1:03 pm

Adopt/Expand/Extend the business model

Applying a Music Business Model To a Blog

Posted by kdawson on Tuesday July 21, @05:07PM from the try-anything dept. internet business

An anonymous reader writes

"Many of you may be familiar with Mike Masnick, from the site Techdirt. Beyond just chronicling tech stories for years, he's also been following various music and media industry business models as well. While he's usually among the first (like Slashdot) to express dismay at silly activities from the recording industry, lately he's been cataloging numerous success stories, like business models from Trent Reznor, Amanda Palmer, and Josh Freese. Mike and Techdirt are now taking things a step further, and wondering what would happen if they took the lessons from those success stories and applied it to a media publication: their own Techdirt. The result is 'Connect with Fans + Reason to Buy.' Check out the very special offer for the RIAA."

God Bless Open Source! Business model: Put together all the hardware in a kit, sell grain & hops, sponsor contests and annual conventions, drink lots of free beer!

Open-Source Arduino Robot Beer Brewery

By Bruce Sterling, July 21, 2009 4:37 am

You may have noticed that I’m something of a skeptic about small-scale urban agriculture interventions. But this one? This is different. ‘Cause it’s beer! Small-scale stills and illicit breweries have a history that is literally as long as the invention of alcohol, tobacco and firearms laws! A revenuer-unfriendly gizmo like this has got proven legs!

So the basic scheme of this device is: you read the instructions, get the hardware, wire it together, plug it in, dump in some grain, walk away and there’s beer later. Who can’t like that? It’s like having your own cool radio-controlled surveillance blimp, except you’re drunk!

Students: If you are going to steal (we call it plagiarism) be sure you can get past these five. (and the ones we don't tell you about)

Plagiarism Checkers: 5 Free Websites To Catch The Copycats

Jul. 21st, 2009 By Saikat Basu

1) Find a teacher you don't like. 2) Send all of his/her students a link to this site with the suggestion they form an orchestra. 3) Stand outside the computer lab and enjoy the fun!

VirtualKeyboard: Play Virtual Instruments Online

VirtualKeyboard is another fun web application for the times when you are bored. It provides you with a virtual keyboard to play 9 different instruments online.

Simply choose your instrument from Piano, Organ, Saxophone, Flute, Pan Pipes, Strings, Guitar, Steel Drums or Double Bass, and start playing. All the keys are labeled so it is easier for beginners to learn. If you are not a big fan of clicking each key with the mouse, you can use the keyboard instead.

Tuesday, July 21, 2009

“Interesting,” Anonymous

Judge OKs anon comments, some bloggers don’t

July 20, 2009 by Dissent Filed under Court, Internet, U.S.

There are a couple of interesting new posts around the blogosphere concerning anonymous online commenters. The first, over at Volokh, discusses a recent case out of Tennessee, State v. Cobbins, where a judge denied defendants’ motion to require a media outlet to disable a portion of its Web site enabling Web users to post comments (mostly anonymous) about the pending case. Defendants argued that the site comments could prejudice jurors. The judge denied the motion for a variety of reasons, noting the importance of the First Amendment rights at stake:

The right to speak anonymously extends to speech via the Internet. Internet anonymity facilitates the rich, diverse, and far ranging exchange of ideas. The “ability to speak one’s mind” on the Internet “without the burden of the other party knowing all the facts about one’s identity can foster open communication and robust debate.” People who have committed no wrongdoing should be free to participate in online forums without fear that their identity will be exposed under the authority of the court.

Read more on Legal Blog Watch. The blog entry goes on to discuss the recent trend on some legal blogs to require commenters to provide their real name and email address. [Perhaps we need an “Anonymous Lawyer” blog? Bob]

Too good to be true? Probably.

Google promises 'the end of viruses'

Engineering director claims Chrome OS will finally defeat malware

By Adam Hartley Monday at 11:30 BST

Google's Engineering Director has promised that its forthcoming Chrome OS will see 'the end of malware'.

Google is promising what the latest issue of New Scientist magazine refers to as "a carefree antivirus nirvana" with its forthcoming Google Chrome OS.

… Via New Scientist

Of course, this was before the iPhone (June 2007)

July 20, 2009

NYT Posts Unreleased Government Report on Dangers of Using Cell Phones While Driving

"The following body of research, conducted by the Department of Transportation and completed in 2003, has not been made public until now. The documents pertain to the safety of using wireless communication devices while driving. The New York Times obtained the research from the Center for Auto Safety and Public Citizen, two consumer advocacy groups that earlier this year acquired more than 250 pages of undisclosed material through a Freedom of Information Act lawsuit." See also Related Article.

[From the report:

The experimental data indicates that, with the exception of the consequences of manipulating a wireless communications device, there are negligible differences in safety relevant behavior and performance between using hand-held and hands-free communications devices while driving from the standpoint of cognitive distraction.]

This all started with the evil conspiracy to eliminate the buggy whip industry. No doubt Congress will take action to “Keep America in the Forefront of 19th Century Technology!”

July 20, 2009

Will There Be a Fight To Save American Manufacturing?

New York Times: "The United States ranks behind every industrial nation except France in the percentage of overall economic activity devoted to manufacturing — 13.9 percent, the World Bank reports, down a percentage point or so in a decade. The 19-month-old recession has contributed to this decline. Industrial production has fallen 17.3 percent, the sharpest drop during a recession since the 1930s... Manufacturing has long been viewed as an essential pillar of a powerful economy. It generates millions of well-paid jobs for those with only a high school education, a huge segment of the population. No other sector contributes more to the nation’s overall productivity, economists say. [Didn't they say that about farming? Bob] And as manufacturing weakens, the country becomes ever more dependent on imports of merchandise, computers, machinery and the like — running up a trade deficit that in time could undermine the dollar and the nation’s capacity to sustain so many imports."

Once again I will be able to argue with the Antitrust lawyers that it is simpler to wait a full “Internet century” (about 10 years) for the “next big thing” to supersede Google, or for Google to follow Microsoft's example and shoot itself in the foot once too often.

Why Is Obama's Top Antitrust Cop Gunning for Google?

By Fred Vogelstein

"I think you are going to see a repeat of Microsoft."

Christine Varney's blunt assessment sent a buzz through the audience at the National Press Club in Washington, DC. Varney, a partner at Hogan & Hartson and one of the country's foremost experts in online law, was speaking at the ninth annual conference of the American Antitrust Institute, a gathering of top monopoly attorneys and economists.

… The technology industry, she said, was coming under the sway of a dominant behemoth, one that had the potential to stifle innovation and squash its competitors. The last time the government saw a threat like this—Microsoft in the 1990s—it launched an aggressive antitrust case. But by the time of this conference, mid-June 2008, a new offender had emerged. "For me, Microsoft is so last century," Varney said. "They are not the problem. I think we are going to continually see a problem, potentially, with Google."

… She acknowledged that her remarks might ruffle some feathers at Google headquarters in Mountain View, California. "If any of my colleagues or friends from Google are here," she said, "I invite you to jump up and scream and yell at me."

Nobody took her up on that offer. But it is safe to assume that plenty of Googlers were jumping and screaming six months later when President Obama appointed Varney head of the Justice Department's antitrust division, making her the government's most powerful antimonopoly prosecutor.

… "Part of what you have to do when you're going to try to bring a [Sherman Antitrust] Section Two case is you have to create the political climate," she said. [Because neither the B-school nor Google's customers believe you have a case. Bob]

… In and of itself, Google's size is not a legal problem.

… Because its search and advertising algorithms are secret, there is no way for competitors or partners to know whether Google tweaks results to direct traffic to its own properties over theirs.

… And even if Google is behaving honorably now, it is creating a system full of temptations should the company ever come under financial pressure.

… Some antitrust experts argue that the natural business cycle will take care of this problem without government intervention, but Varney's three top economists have all said that they favor a hands-on approach. [What did they say when the Republicans were in charge? Bob]

This is an interesting business model. Would it work for other professions? - Science Articles & Resources

Hundreds of articles are published in various fields of medical research ranging from obesity, stem cell, various human syndromes and so forth on a daily basis. The information is usually stored in various publicly available databases. takes that information and automatically makes webpages that users can access to read the articles or research papers of their choice.

This means that now instead of conducting a search that goes “stem cell papers” or “obesity” users can resort to this site and find the latest articles that are published by the scientific community. The site is updated by the hour, which means if you are interested in various fields of biomedical research, you can just check out the website and see what is new at a glance. Websites such as this one (solely devoted to biomedical research) are not that commonplace, and as such it can gather a considerable following.

This is brilliant. Now I can point my students to tools they can try before downloading and installing (i.e. immediate feedback.) - Try Open Source Software At No Cost

Quite a well-focused community site, Click2Try will allow you to put open source software to the task without having to incur downloads of any kind, and without having to worry about setting anything up. Basically, through the site you can gain access to software applications that are pre-configured and already functional, and that are installed on a virtual machine that is also private, and accessible from your desktop.

The advantages of such an approach are obvious: you eliminate long downloads and time-demanding installation procedures, whereas you also dispense with upgrades and integration issues of every kind. In short, a system like this one ensures that you will do without each and every software headache one knows has to be faced when putting a new application into motion.

There are both standard and premium subscription plans, and there are also different evaluation packages so that if you want to see whether such an approach is what you need in order to have a less-stressful time with your computer this might be where it’s at.

Expect many pointers to presentations and videos...

OSCON 2009

[I'm interested in:

Introduction to Forensics

Cloud Computing - Why IT Matters

Enabling Academic Research – Open Tools and Services on Microsoft Platforms