Saturday, August 29, 2009

TJX update. It seems the assets he is surrendering come to about one percent of the amount TJX spent to “resolve” the issue. I wonder how much it cost TJX customers?

Gonzalez pleads guilty, sentenced to 15-25 years

August 28, 2009 by admin Filed under Breach Incidents, Business Sector, Hack, Of Note

The Associated Press has reported that Albert Gonzalez has agreed to plead guilty to conspiracy, wire fraud and aggravated identity theft charges.

Under a plea agreement with federal prosecutors filed in Boston on Friday, Albert Gonzalez would serve a sentence of 15 to 25 years after pleading guilty to a 19-count indictment. He would also forfeit some $2.8 million in cash, a Miami condo, a car and expensive jewelry.

Gonzalez, 28, is charged with swiping credit and debit card numbers of more than 170 million accounts.

Kim Zetter of Threat Level reports:

The agreement resolves the case against Gonzalez in Massachusetts — which charged him with hacking into TJX, Barnes & Noble and OfficeMax — as well as a case in the eastern district of New York that charged him with hacking into the Dave & Busters restaurant chain.

Still outstanding are charges filed last week in New Jersey alleging that Gonzalez also hacked into Heartland Payment Systems, Hannaford Brothers, ATMs stationed in 7-11 stores, and two unnamed national retailers.

Yesterday, StorefrontBacktalk indicated that the two unnamed retailers are J.C. Penney and Target.

Update 1: The Associated Press has published more detail.

You might wonder why they bothered to notify the AG if the database was encrypted. It looks to me that it was not really encrypted, but might squeak by based on some vague legal definition of encryption. Much more likely the data was in some database format and not “encrypted” at all. But we'll never know since there is no requirement to report the impact of a breach.

Normandeau Associates reports theft and recovery of stolen laptop

August 28, 2009 by admin Filed under Breach Incidents, Breach Types, Business Sector, Theft, U.S.

Normandeau Associates, an environmental consulting firm based in New Hampshire, notified the New Hampshire Attorney General of the theft of a laptop with an encrypted employee database. The theft occurred in 2008, and the laptop was recovered in February 2009, but Normandeau did not learn of the problem until June 2009, [How could that be? The manager responsible was in a coma? Bob] at which point they notified 277 employees in New Hampshire. As they explain (pdf):

In June, 2009, Normandeau learned that one of its laptop computers had been stolen from the home of a Normandeau employee in November, 2008, and later returned in February, 2009. The password protected laptop contained an encrypted employee database with personal information, including names, social security numbers, and bank account numbers of past and present Normandeau employees. The perpetrator required specific computer software to access the encrypted database in its existing format on the laptop, and it is unknown if access was actually made. [Are we to assume the employee did not have the software on his computer to access the database he downloaded? How stupid is this guy? Bob]

The local police were notified [Apparently not by the employee! Bob] about the theft and Normandeau conducted an internal investigation. Normandeau also consulted with a computer forensic analyst, but was unable to determine if unauthorized access to the database actually occurred. There is no evidence of misuse of the personal information. [This is a very safe statement to make. Worthless, but safe. Since employees didn't know about the theft, they were unlikely to notify the firm of any Identity Theft issues. Bob]


Normandeau has policies that prohibit personal information from being downloaded onto its laptop computers. In this instance, the database was temporarily stored on the laptop during restorative maintenance to the company’s network, and contrary to company policy, not thereafter removed. The company took action against the responsible person for unintentionally failing to remove the database containing the personal information as required by company policy. No further precautionary actions were required to prevent similar breaches. [Near gibberish. Translation: “We're not going to change anything.” Bob]

(Related) Lessons: Most organizations still don't encrypt. Laptops are still targets of thieves. Apparently, unlimited downloading of patient data (personal data) is still okay...

Laptops containing medical details of Birmingham patients stolen

August 29, 2009 by admin Filed under Breach Incidents, Healthcare Sector, Non-U.S., Theft

In the U.K.:

Laptops containing the private and medical details of more than 7,000 Birmingham NHS patients, including sick children, have been stolen prompting a massive security alert.

Surgical firm Trulife used by four hospitals – Birmingham Children’s Hospital, City Hospital, in Winson Green, Sandwell Hospital, in West Bromwich, and Rowley Regis Hospital – has revealed that three computers have been taken.

One of them was taken after being left in a car by an employee, while another was snatched during a mugging.

None of the information on the missing laptops had been encrypted.

Between 3,000 and 3,500 Children’s Hospital patients are affected plus a further 3,633 patients from City, Sandwell and Rowley Regis.


The first laptop went missing at the premises of a Birmingham hospital in March 2006, a second was stolen in a mugging in March 2007 and the third was stolen after being left in a Trulife employee’s car in February last year.

Update your statistics.

Biggest Breaches of 2009

August 28, 2009 by admin Filed under Breach Incidents, Commentaries and Analyses, Of Note

Linda McGlasson of provides an analysis and commentary, based on ITRC’s statistics for this year.

There have been 356 data breaches so far in 2009, according to the Identity Theft Resource Center (ITRC). And 46 of those breaches have involved financial institutions - up from 34 at this same time last year.

In reviewing these 46 incidents (see interactive timeline w/details of each breach), one finds good news and bad, according to ITRC executive director Linda Foley.

The good news, Foley says, is that, based on percentages, financial institutions consistently have lower percentages of data breaches than other organizations. “This means they’re doing a better job of controlling and protecting their data,” she says.

The bad news is when financial institutions - or their third-party service providers — are breached … it’s big.


Good news, bad news? “If you're innocent, you have nothing to worry about.”

Swedish police to publicly identify suspects

August 29, 2009 by Dissent Filed under Non-U.S., Surveillance

Police in Skåne in southern Sweden will shortly begin publishing pictures of criminal suspects on the police website, a practice that may soon be adopted all over the country.

The pictures will be taken from surveillance cameras and the police hope that the general public will help investigate and identify criminals.


Anne Ramberg, general secretary of the Swedish Bar Association (Advokatsamfundet), argues that innocent people may suffer anxiety as a result of this method. She writes publicly that the pictures are a further sign that more societal surveillance leads to “an insidious shifting of the boundaries”.

Read more on The Local (Sweden)

Worth a review

Privacy missing from Google Books settlement

August 29, 2009 by Dissent Filed under Internet, U.S.

If Google digitizes the world’s books, how will it keep track of what you read?

That’s one of the unanswered questions that librarians and privacy experts are grappling with as Google attempts to settle a long-running lawsuit by publishers and copyright holders and move ahead with its effort to digitize millions of books, known as the Google Books Library Project.


“Which way are we going to go?” said Michael Zimmer, a professor from the University of Wisconsin at Milwaukee. “Is this service going to be an extension of the library, or an extension of Web searching?”

Zimmer spoke at a panel discussion at the University of California, Berkeley, on Friday. He was one of several panelists who called on Google to make a stronger privacy commitment as it develops the Google Books service.

Read more on PC World.

Michael Zimmer has posted a draft of the talk he gave as well as his slides on his blog, here.

Yes. Youse gotta problem wit dat?

Is "Good Enough" the Future of Technology?

Posted by Soulskill on Saturday August 29, @02:08AM from the seems-to-work-for-the-movie-industry dept.

himitsu writes

"In an article titled 'The Good Enough Revolution: When Cheap and Simple Is Just Fine,' Wired claims that the future of technology, warfare and medicine will be filled with 'good enough' solutions; situations where feature-rich and expensive products are replaced with bare-bones infrastructures and solutions. 'We now favor flexibility over high fidelity, convenience over features, quick and dirty over slow and polished. Having it here and now is more important than having it perfect. These changes run so deep and wide, they're actually altering what we mean when we describe a product as "high-quality."'"

(Related) but rather simplistic...

What technology tells us about society

by Matt Asay August 28, 2009 8:10 AM PDT

Twitter has become an excellent way to quickly scan headlines. It's terrible at just about everything else. It's hard to have a coherent discussion in 140-character soundbites, and even harder when the architecture of Twitter is set to "broadcast" rather than "discourse." But maybe, just maybe, Twitter's not to blame. We are.

After all, Twitter is simply a creation of our society, and reflects our priorities.

Not all of society, of course. After all, as The New York Times reported, teenagers, usually technology's early adopters, hardly use Twitter at all, with only 11 percent of people aged 11 to 17 using the service. They are, however, heavily into Facebook, preferring to share with friends rather than talk at strangers.

A generational thing?

Perhaps. But I think the technology we build and use says a lot about society.

Oooo! I like it!

Crime Expert Backs Call For "License To Compute"

Posted by ScuttleMonkey on Friday August 28, @06:08PM from the natural-selection-working-just-fine dept.

The Cable Guy writes to mention that Russel Smith, one of Australia's principal criminologists, is pushing for first-time computer users to be required to earn a license to browse the web.

"The Australian Computer Society launched computer driver's licenses in 1999. It aimed to give users a basic level of competency before they started using PCs. But the growth in cybercrime has led to IT security experts such as Eugene Kaspersky to call for more formalized recognition of a user's identity so they can travel the net safely. Last week Dr. Smith sat in front of a Federal Government Inquiry into cybercrime and advised Australia's senior politicians on initiatives in train to fight cybercrime. He said that education was secondary to better technology solutions." [This is incredibly illogical... “Let's build a device but not teach people how to use it!” Bob]

Monopolies are good? Perhaps the rule should be “Subscribers get to choose their provider?”

Court of Appeals Rejects FCC's Cable Subscriber Cap

Posted by Soulskill on Friday August 28, @06:59PM from the pack-'em-in dept.

olsmeister writes

"The US Court of Appeals Friday threw out the FCC's cap on the number of cable subscribers one operator can serve, saying the FCC was 'derelict' in not giving DBS its due as a legitimate competitor. 'We agree with Comcast that the 30% subscriber limit is arbitrary and capricious. We therefore grant the petition and vacate the Rule,' said the court, which concluded that there was ample evidence of an increasingly competitive communications marketplace and that cable did not have undue control on the programming pipeline. The FCC commissioner's statement (PDF) is available online."

Breaking News! I am not on this list!

August 28, 2009

Federal Reserve Board Must Release Bank Bailout Info to News Organizations

Reporters Committee for Freedom of the Press: "The string of FOIA lawsuits for release of records of the government's emergency lending programs finally saw its first victory Monday. The Federal Reserve Board must release to Bloomberg News records identifying the financial firms it loaned bailout funds to as well as the assets or amounts put up as collateral, the news agency reported. Chief Judge Loretta Preska in Manhattan federal court issued the first ruling requiring disclosure in a handful of suits in New York federal court brought separately by Bloomberg, Fox News and the New York Times. Bloomberg reported that she rejected the argument that the records were exempt from release under FOIA because they might harm the competitive advantage of the borrowers."

This is filed under Humor, but we know better!

Hilarious New iPhone Commercial

By: Dahlia Rideout

With one University going entirely to eBooks and another to “programmed learning”, sites like this one should prove useful.

All About Online Learning

Online learning has gone from being a curiosity and even something regarded as unreliable to a form of education revered and respected both by teachers and students the world over. As such, it is only appropriate that there are resources which intend to guide people and show them which online providers of education are the best available, or the ones that will suit their specific needs more minutely and accurately.

The opening screen of the blog, then, showcases the most recent sites and products to have been reviewed, whereas the obligatory list of categories is available for you to focus your stay at the site even more.

Friday, August 28, 2009

Curious. HP suspects fraud. So would I if five laptops were paid for on a personal credit card (or were they shipped COD?)

FBI investigating laptops sent to US governors

August 27, 2009 by Dissent Filed under Breaches, Other

Robert McMillan of IDG News Service reports:

There may be a new type of Trojan Horse attack to worry about.

The U.S. Federal Bureau of Investigation is trying to figure out who sent five Hewlett-Packard laptop computers to West Virginia Governor Joe Manchin a few weeks ago, with state officials worried that they may contain malicious software.

According to sources familiar with the investigation, other states have been targeted too, with HP laptops mysteriously ordered for officials in 10 states. Four of the orders were delivered, while the remaining six were intercepted, according to a source who spoke on condition of anonymity because of the ongoing investigation.

Read more on Network World.


Security test prompts federal fraud alert

August 28, 2009 by admin Filed under Financial Sector, U.S.

Robert McMillan of IDG News Service reports:

A sanctioned security test of a bank’s computer systems had some unexpected consequences this week, leading the federal agency that oversees U.S. credit unions to issue a fraud alert.

On Tuesday, the National Credit Union Administration (NCUA) warned all federally insured credit unions of a bogus letter that an unnamed credit union had received along with two CDs. The bogus letter claimed that the CDs contained NCUA anti-fraud training materials, but in its fraud alert, NCUA warned that running the CDs “could result in a possible security breach to your computer system, or have other adverse consequences.”

Only it turned out that the CDs were not sent by fraudsters. They were sent by employees of MicroSolved, a Columbus, Ohio, security testing company. “It was a part of some social engineering we were doing in a fully sanctioned penetration test,” said MicroSolved CEO Brent Huston in an e-mail message.

Read more on Computerworld

It’s interesting (to me, anyway), that this type of information was immediately and correctly shared throughout the system to prevent fraud, whereas details of actual compromises that might help other institutions prevent compromises of their own do not seem to be shared quickly or fully. [And apparently before checking the contents of the CDs Bob] To the contrary, they are often kept under tight wraps. Following the Heartland Payment Systems breach, Heartland indicated that it would share specifics with others and called for greater information sharing. Is that actually happening?

Hackers aren't the only problem you face with IT systems. Sometimes incompetence is even more deadly.

Bug Means High School Students' Schedule Errors May Last Days

Posted by timothy on Thursday August 27, @05:53PM from the ok-computer-meeting-people-is-easy dept.

Hugh Pickens writes

"The Washington Post reports that thousands of high school students in Prince George's County missed a third day of classes Wednesday, and school officials said it could take more than a week to sort out the chaos caused by a computerized class-scheduling system as students were placed in gyms, auditoriums, cafeterias, libraries and classes they didn't want or need at high schools across the county and their parents' fury over the logistical nightmare rose. 'The school year comes up the same time every year,' said Carolyn Oliver, the mother of a 16-year-old senior who spent Wednesday in the senior lounge at Bowie High School. 'When I heard they didn't have schedules, I was like, "What have they been doing all summer?"' When school opened Monday, about 8,000 high school students had no class schedules and were sent to wait in holding spaces while administrators tried to sort things out." (More below.)

"By Tuesday evening, that number was down to 4,000. As of noon Wednesday, 3,400 of the school district's 41,000 high school students had no class schedules, officials said. Superintendent William R. Hite Jr. said that some schools didn't realize there was a problem with schedules until school started and that the trouble was exacerbated by difficulties with SchoolMax, a $4.1 million computer system introduced last school year. SchoolMax went online in Prince George's a year ago to help the county track students' grades, attendance and discipline data. Last year, the program crashed at least four times and was plagued by errors that led to botched schedules, an overcount of students and mistakes on report cards. Jessica Pinkney, a junior, said she was moved to the cafeteria Wednesday morning after two days in the gymnasium because the cafeteria had air conditioning. 'We just sit and do nothing,' says Pinkney. 'But I'm meeting new people, so it's getting more interesting.'"

(Related) And sometimes acting before thinking produces some nasty (if inevitable) results too.

White House sued over free speech violations in healthcare battle

August 27, 2009 by Dissent Filed under Court, Featured Headlines, Govt, U.S.

The Office of the President and other White House officials are defendants in a free speech lawsuit filed by a prominent physician group, and a non-profit advocate for inner-city poor, according to a new press release.

The White House has “unlawfully collected information on political speech,” [What makes it “unlawful?” Bob] thereby illegally using the power of the White House to chill opposition to its plans for health care reform, according to the complaint filed in District Court for the District of Columbia, by the Association of American Physicians and Surgeons (AAPS) and the Coalition for Urban Renewal and Education (CURE)

The lawsuit was prompted by the White House solicitation for the public to report any “fishy” comments to ‘’ Although the White House slightly revised its data collection procedure last week, the email address still exists, the illegal activity continues, and is part of an “unlawful pattern and practice to collect and maintain information” on the exercise of free speech, which “continues in violation of the Privacy Act and First Amendment even if the Defendants terminate a particular information-collection component due to negative publicity.”

The lawsuit outlines how the White House has employed a form of “bait-and-switch” tactic of accusing the Plaintiffs and other opponents of spreading misinformation about the Administration’s goals for health care reform, and thereby refusing to ‘come clean’ about its real agenda.

The lawsuit outlines that the White House knew that the data collection would chill free speech, and in fact, intended to do just that:

“43. As part of their effort to advance the White House healthcare reform agenda, Defendants have accused opponents (including Plaintiffs) of spreading misinformation on issues such as whether (a) health reform would provide public funding for abortions, (b) put “death panels” in place to deny care to the elderly or infirm, (c) amount to a government takeover of healthcare, and (d) increase healthcare costs… the Defendants and the administration have spread misinformation, semantics, and disinformation on these topics…

“45. By denying and continuing to deny that healthcare reform legislation includes “death panels” that make individual life-or-death decisions on the elderly or infirm, the Defendants and the current administration have ignored and implicitly denied and continue to ignore and implicitly to deny both that their healthcare reform agenda involves rationing healthcare…”

“My hate mail started shortly after the White House issued the ‘fishy’ request,” said Kathryn Serkes, Director of Policy and Public Affairs for AAPS. “We were quite visible and vocal before then, so it doesn’t seem like a coincidence. Who did they share their data with? With whom might they share it?”

AAPS and CURE demand that the White House remove all information already collected, and further, be prohibited from collecting any personal data in the future.

NOTE: AAPS is a non-partisan professional association of physicians dedicated since 1943 to protection of the patient-physician relationship. CURE, founded by Star Parker, serves poor and inner-city communities through church, individual, and market-based solutions to poverty.

The case number is Civil Action No. 09-1621-EGS. The full text of the complaint is available on request.

SOURCE Association of American Physicians and Surgeons (AAPS)

(Related) If you can't get away with a “chilling effect” try something else.

Bill would give president emergency control of Internet

by Declan McCullagh August 28, 2009 12:34 AM PDT

Internet companies and civil liberties groups were alarmed this spring when a U.S. Senate bill proposed handing the White House the power to disconnect private-sector computers from the Internet.

They're not much happier about a revised version that aides to Sen. Jay Rockefeller, a West Virginia Democrat, have spent months drafting behind closed doors. CNET News has obtained a copy of the 55-page draft (excerpt), which still appears to permit the president to seize temporary control of private-sector networks during a so-called cybersecurity emergency.

What is secure today, is hacker fodder tomorrow.

WPA Encryption Cracked In 60 Seconds

Posted by timothy on Thursday August 27, @02:38PM from the nicholas-cage-has-an-alibi dept.

carusoj writes

"Computer scientists in Japan say they've developed a way to break the WPA encryption system used in wireless routers in about one minute. Last November, security researchers first showed how WPA could be broken, but the Japanese researchers have taken the attack to a new level. The earlier attack worked on a smaller range of WPA devices and took between 12 and 15 minutes to work. Both attacks work only on WPA systems that use the Temporal Key Integrity Protocol (TKIP) algorithm. They do not work on newer WPA 2 devices or on WPA systems that use the stronger Advanced Encryption Standard (AES) algorithm."
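As an added illustration, not part of the Slashdot post or of the researchers' work, the Python script below audits a hostapd-style access-point configuration for exactly the conditions the article distinguishes: WPA (version 1) enabled or TKIP offered as a pairwise cipher, which the attacks target, versus WPA2 with CCMP (AES) only, which they do not. The keys `wpa`, `wpa_pairwise` and `rsn_pairwise` are real hostapd.conf parameters with the defaults hostapd documents; the two sample configurations, the SSID and the passphrase are constructed for this example.

```python
"""Audit hostapd-style access-point configs for WPA(1) and the TKIP cipher.

Added example for this page: parses hostapd.conf key=value text and reports
whether the AP still negotiates WPA (version 1) or offers TKIP, versus WPA2
with CCMP (AES) only. The two sample configurations are constructed here.
"""

# hostapd.conf parameters used below (real hostapd keys; defaults as
# documented in the stock hostapd.conf):
#   wpa           bitmask: 1 = WPA, 2 = WPA2 (RSN), 3 = both
#   wpa_pairwise  pairwise ciphers offered for WPA   (default: TKIP)
#   rsn_pairwise  pairwise ciphers offered for WPA2  (default: wpa_pairwise)
# hostapd also documents that the group (broadcast) cipher is CCMP only when
# CCMP is the sole pairwise cipher; otherwise the group cipher is TKIP.

WEAK_CONF = """\
# constructed sample: mixed-mode AP, typical of 2009-era consumer routers
interface=wlan0
ssid=corp-guest
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=placeholder-not-a-real-passphrase
wpa_pairwise=TKIP CCMP
"""

HARDENED_CONF = """\
# constructed sample: WPA2 only, CCMP (AES) only
interface=wlan0
ssid=corp-guest
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=placeholder-not-a-real-passphrase
rsn_pairwise=CCMP
"""


def parse_hostapd(text):
    """Return {key: value} from hostapd.conf text, skipping comments and blanks."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def tkip_findings(conf):
    """List the reasons a config is exposed to the WPA/TKIP attacks.

    An empty list means WPA2 is the only protocol and CCMP the only cipher.
    """
    findings = []
    wpa = int(conf.get("wpa", "0"))
    if wpa == 0:
        return ["no WPA/WPA2 configured (open or WEP network)"]
    wpa_pairwise = set(conf.get("wpa_pairwise", "TKIP").split())
    rsn_pairwise = set(conf.get("rsn_pairwise", "").split()) or wpa_pairwise

    offered = set()  # ciphers actually negotiable given the enabled protocols
    if wpa & 1:
        findings.append("WPA (version 1) is enabled")
        offered |= wpa_pairwise
        if "TKIP" in wpa_pairwise:
            findings.append("TKIP offered for WPA pairwise keys")
    if wpa & 2:
        offered |= rsn_pairwise
        if "TKIP" in rsn_pairwise:
            findings.append("TKIP offered for WPA2/RSN pairwise keys")
    if {"TKIP", "CCMP"} <= offered:
        findings.append("mixed cipher list: group (broadcast) cipher will be TKIP")
    return findings


def harden(conf):
    """Return a copy of conf restricted to WPA2 with CCMP as the only cipher."""
    fixed = dict(conf)
    fixed["wpa"] = "2"
    fixed.pop("wpa_pairwise", None)
    fixed["rsn_pairwise"] = "CCMP"
    return fixed


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, tkip_findings(parse_hostapd(text)) or ["ok: WPA2/CCMP only"])
    print("weak after harden():", tkip_findings(harden(parse_hostapd(WEAK_CONF))))
```

Running the script flags the mixed-mode sample four times and passes the WPA2/CCMP sample; `harden()` shows the whole fix is two settings, `wpa=2` and `rsn_pairwise=CCMP`. The mixed-list finding is the one practitioners most often miss: leaving TKIP in the list "for old clients" keeps the broadcast key on TKIP for every client, so mixed mode is not a safe middle ground.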


China: All Your Rare-Earth Metals Belong to Us

By Nathan Hodge Email Author August 26, 2009 11:57 am

Rare-earth metals are the key to 21st Century technology: Without them, we wouldn’t have smartphones, hybrid cars or precision weapons. And China, which mines most of the world’s rare-earth metals, may be starting to catch on to their strategic value.

According to this alarming story in Britain’s Telegraph, China’s Ministry of Industry and Information Technology is weighing a total ban on exports of terbium, dysprosium, yttrium, thulium, and lutetium — and may restrict foreign sales of other rare-earth metals. But don’t panic yet: U.S.-based Molycorp Minerals is preparing to resume mining of rare earth ore deposits at a California facility, pictured here.

I'm shocked! Shocked I tell you!

Hollywood, Big Software and Coal Miners Pros at Timely Political Donations

By Ryan Singel August 26, 2009 7:38 pm

Money in politics is an old story. But armed with a new tool that shows just how closely timed votes and contributions are, Threat Level uncovered some interesting connections between high tech industries, lawmakers and legislation that became the law of the land. MAPLight’s new Money Near Votes site works by noting which groups support a bill and which oppose it, and watching their campaign contributions over time. MAPLight launched the tool Wednesday with a dramatic chart showing that bank lobbyists paid nearly $300,000 to politicians before and after a vote on a credit card reform measure.

This is too soon after the 9th Circuit's decision to be a result of that decision, isn't it?

New directives on border searches of electronic media

August 27, 2009 by Dissent Filed under Govt, Surveillance, U.S.

Department of Homeland Security (DHS) Secretary Janet Napolitano today announced new directives to enhance and clarify oversight for searches of computers and other electronic media at U.S. ports of entry.

“Keeping Americans safe in an increasingly digital world depends on our ability to lawfully screen materials entering the United States,” said Secretary Napolitano. “The new directives announced today strike the balance between respecting the civil liberties and privacy of all travelers while ensuring DHS can take the lawful actions necessary to secure our borders.”

The new directives address the circumstances under which U.S. Customs and Border Protection (CBP) and U.S. Immigration and Customs Enforcement (ICE) can conduct border searches of electronic media—consistent with the Department’s Constitutional authority to search other sensitive non-electronic materials, such as briefcases, backpacks and notebooks, at U.S. borders.

The directives, available at, will enhance transparency, accountability and oversight of electronic media searches at U.S. ports of entry and include new administrative procedures designed to reflect broad considerations of civil liberties and privacy protections—measures designed to ensure that officers and agents understand their responsibilities to protect individual private information and that individuals understand their rights.

The DHS Privacy Office also released today a Privacy Impact Assessment, available at, in connection with the new directives to enhance public understanding of the authorities, policies, procedures and controls employed by DHS during border searches of electronic data to protect individuals’ privacy. The DHS Office for Civil Rights and Civil Liberties (CRCL) will also conduct a Civil Liberties Impact Assessment within 120 days.

In conjunction with the Privacy Office and CRCL, CBP will ensure training materials and procedures promote fair and consistent enforcement of the law relating to electronic media searches. CBP will also provide travelers subject to electronic device searches with clear and concise material informing them of the reasons for the search, how their data may be used and detailed information about their constitutional and statutory rights.

DHS conducts border searches of computers and other electronic media on a small percentage of international travelers seeking to enter the United States—searches often as basic as asking a traveler to turn on a device to ensure it is what it appears to be.

Between Oct. 1, 2008, and Aug. 11, 2009, CBP encountered more than 221 million travelers at U.S. ports of entry. Approximately 1,000 laptop searches were performed in these instances—of those, just 46 were in-depth. [Does that sound like an under estimation to you? Bob]

The new directives will also allow DHS to develop automated, comprehensive data collection and analytic tools to facilitate accurate, thorough reporting on electronic media searched at the border, the outcomes of those searches and the nature of the data searched—further enhancing transparency and accountability.

Source: Department of Homeland Security

Just a reminder that outsourcing isn't the ONLY way... Worth reading!

US Call-Center Jobs — That Pay $100K a Year

Posted by timothy on Thursday August 27, @01:50PM from the payment-for-the-gift-of-gab dept.

bheer writes

"BusinessWeek profiles a call center company called iQor which has grown revenues 40% year-on-year by (shock) treating employees as critical assets. It's done this not by nickel-and-diming, but by expanding its US operations (13 centers across the US now), giving employees universal health insurance, and paying salaries and bonuses that are nearly 50% above industry norms. The article notes that outsourcing will continue and globalization will continue to change the world's economic landscape. 'But the US is hardly helpless. With smart processes and the proper incentives, US companies can keep jobs here in America, and do so in a way that is actually better for the company and its employees.' Now if only other companies get a clue as well."

An interesting graphic for my Intro to Computing class (and as a perspective on e-Discovery)

Physical Storage vs. Digital Storage

August 26th, 2009 by nate

Last time we did one of these, we wanted to show you how much data we create with our digital lives. Now we want to show you how data storage has changed over the years. It’s pretty mind-blowing. Enjoy!

Thursday, August 27, 2009

Most interesting reading. I expect the government to appeal immediately. They can't live with the limitations this court specifies. (Apparently the California financial crisis hasn't reduced the supply of “medical” marijuana available in the Ninth Circuit.)

Court’s Steroid Ruling Pumps Up Computer Privacy

By David Kravets Email Author August 26, 2009 7:32 pm

A divided 11-judge federal appeals court panel has dramatically narrowed the government’s search-and-seizure powers in the digital age, ruling Wednesday that federal prosecutors went too far when seizing 104 professional baseball players’ drug results when they had a warrant for just 10. [As we all know, lawyers can't count. Bob]

The 9th U.S. Circuit Court of Appeals’ 9-2 decision offered Miranda-style guidelines to prosecutors and judges on how to protect Fourth Amendment privacy rights while conducting computer searches.

… Chief Judge Alex Kozinski, writing for the 9-2 majority, (.pdf) said the government “must maintain the privacy of materials that are intermingled with seizable materials, and … avoid turning a limited search for particular information into a general search of office file systems and computer databases.”

George Washington University law professor and former federal cybercrime prosecutor Orin Kerr called the decision “truly astonishing.”

“The majority opinion … announces a laundry list of brand-new rules, introduced with no citations to any authority, [I wonder if they read my blog? Bob] that henceforth the government must follow when executing warrants for digital information,” Kerr wrote in a post to the Volokh Conspiracy blog. “I can’t recall having read anything quite like it, although it does bring to mind Miranda v. Arizona.”

In dissent, Judges Consuelo Callahan and Sandra Ikuta wrote that the majority was sidestepping its own precedent in which the circuit court had denied the suppression of child pornography evidence found on a computer during a search for the production of false identification cards pursuant to a valid warrant.

“There is no rule … that evidence turned up while officers are rightfully searching a location under properly issued warrant must be excluded simply because the evidence found may support charges for a related crime,” the dissenting judges wrote.

[The decision:

Repeated finding: The scope of any data breach expands dramatically after statements like, “Only a few records were compromised.” (The alternative would force us to the conclusion that politicians were lying to us!)

Update: Home Office admits full extent of USB data loss

August 26, 2009 by admin Filed under Breach Incidents, Government Sector, Lost or Missing, Non-U.S., Subcontractor

The Home Office has had to dramatically revise its estimates of the amount of data contained on a memory stick lost by third-party contractor PA Consulting last year.

The department’s newly released Resource Accounts for 2008-09 (PDF) say that the USB device containing Police National Computer and prisoner data actually held 377,000 records, 250,000 more than originally reported.

Read more on V3

Earlier coverage of this breach can be found in the archive of

A detailed (long) article illustrating another axiom of data breaches: If management doesn't understand what happened, they deny that anything happened.

School district hiding behind a criminal investigation - parent

August 26, 2009 by admin

On the principle of “no good deed goes unpunished,” some of those who have discovered and reported breaches have been terminated or prosecuted for their actions...

Now a parent of a disabled student alleges that he is being investigated by the FBI because he discovered and reported a security breach that his child’s school district has not owned responsibility for.

… He claims that it wasn’t until four months later, however, when he went back to a publicly available document on Leander’s web site called “Welcome to the World of eSped” that he noticed that screen shots of the eSped system in that public document displayed logins and passwords to the system. [Probably created by “screen capture” of the logon process by someone with full access to the system. Bob] Short informs this site that he impulsively tested one of the logins on eSped’s site and found that it gave him access to Leander’s special education records.

Your tax data will never be used for any other purpose. Your health data will never be used for any other purpose.

Democratic health care bill divulges IRS tax data

August 27, 2009 by Dissent Filed under Featured Headlines, Govt, Legislation, U.S.

Over on Taking Liberties, Declan McCullagh has some commentary on provisions in the proposed health care bill, H.R. 3200, that relate to privacy. Some of the provisions in the massive bill include:

Section 431(a) of the bill says that the IRS must divulge taxpayer identity information, including the filing status, the modified adjusted gross income, [because if you're rich you get better coverage and you get to be on the Democrat's fund raising list. Bob] the number of dependents, and “other information as is prescribed by” regulation. That information will be provided to the new Health Choices Commissioner and state health programs and used to determine who qualifies for “affordability credits.”

Section 245(b)(2)(A) says the IRS must divulge tax return details — there’s no specified limit on what’s available or unavailable — to the Health Choices Commissioner. The purpose, again, is to verify “affordability credits.”

Section 1801(a) says that the Social Security Administration can obtain tax return data on anyone who may be eligible for a “low-income prescription drug subsidy” but has not applied for it.

Read more on CBS News.

Let me see if I get this right. They're bragging about catching this guy after failing to do so 9 times in a row. Yeah. Great software.

Man with 25 IDs nabbed by face-recognition tech

by Chris Matyszczyk August 26, 2009 12:14 PM PDT

… However, according to authorities in Indiana, his real name was George Helms and he assumed at least 10 different names in that state alone.

According to CBS2 Chicago, Helms walked into the Hobart, Ind., license branch to obtain an 11th ID. No one seems really sure why he would want an 11th license.

What Helms appears not to have known is that Indiana has invested in new facial recognition software.

Helms allegedly had all the correct paperwork and then posed for his photograph. However, in the evening after his application was approved, the photograph passed through the new facial recognition system, which spotted an allegedly remarkable similarity with 10 other licenses, according to the report.

Remember, “We locked the barn door!” should only happen after, “We put the horse in the barn.”

August 26, 2009

DHS and Information Technology Sector Coordinating Council Release Information Technology Sector Baseline Risk Assessment

News release: "The Department of Homeland Security (DHS) and the Information Technology Sector Coordinating Council (IT SCC) today released the IT Sector Baseline Risk Assessment (ITSRA) to identify and prioritize national-level risks to critical sector-wide IT functions while outlining strategies to mitigate those risks and enhance national and economic security... The ITSRA validates the resiliency of key elements of IT sector infrastructure while providing a process by which public and private sector owners and operators can continually update their risk management programs. The assessment links security measures to concrete data to provide a basis for meaningful infrastructure protection metrics." [This control.....Didn't work. Bob]

(Related) In the US, wouldn't we (taxpayers) already own the code? Could we send the NSA a FOIA request? (The Swiss like their cheese and your network with holes.)

Coder of Swiss Wiretapping Trojan Speaks Out

Posted by Soulskill on Wednesday August 26, @10:41AM from the is-swiss-software-full-of-security-holes dept.

Lars Sobiraj writes

"Ruben Unteregger has worked for a long time as a software-engineer for the Swiss company ERA IT Solutions. His job there was to code malware that would invade PCs of private users, and allow the wiretapping of VoIP calls — in particular, calls made through Skype. In the German-speaking areas of the country, the Trojans were called 'Bundestrojaner' because the Swiss government was involved with their development and use. Unfortunately, Unteregger has to remain silent about the customers of the company. Last night, he published the source code of his Skype-Trojan under the GPL."

This is always one of the options on the negotiation table, so they can't complain.

TiVo sues AT&T and Verizon

DVR firm claims patent infringement

By Paul Bond Aug 26, 2009, 08:36 PM ET

Unable to strike a deal with either of the major phone companies that offer TV services, TiVo on Wednesday sued them both.

TiVo filed its DVR patent infringement lawsuits against AT&T and Verizon in the U.S. District Court in the Eastern District of Texas, where it has been battling -- mostly successfully -- Dish Network for five years.

TiVo has already taken Dish for more than $200 million and a judge has slapped a permanent injunction, now being appealed, against Dish. If all goes TiVo's way, Dish will have to shut off millions of its customers' DVRs or strike a licensing deal with TiVo.

Now, the company that introduced DVRs to the world is hoping for a similar outcome against the two phone companies.

Do they mean, “If it ain't work related, don't do it on government owned equipment or during work hours?”

US Fed Gov. Says All Music Downloads Are Theft

Posted by timothy on Wednesday August 26, @04:29PM from the bit-of-a-broad-brush-there dept.

BenEnglishAtHome writes

"Nearly all US government employees and contractors are subject to mandatory annual information security briefings. [This is a good thing. Bob] This year the official briefing flatly states that all downloaded music is stolen. The occasionally breathless tone of the briefing and the various minor errors contained therein are funny but the real eye-opener is a 'secure the building' exercise where employees stumble across security problems and resolve them. According to the material, the correct response to an employee who is downloading music is to shout 'That's stealing!' No mention is made of more-free licenses, public domain works, or any other legitimate download. If this were a single agency or department that had made a mistake in their training material it might not be so shocking. But this is a government-wide training package that's being absorbed by hundreds of thousands of federal employees, both civilian and military. If you see a co-worker downloading music, they're stealing. Period. Who woulda thunk it? Somebody should mirror this. Who wants to bet that copies will become hard to find if clued-in technogeeks take notice and start making noise?"

Warning: this site gives a whole new meaning to "Flash heavy."

Dear Government Guys, Thank you for putting all of your utility communications eggs in one easily accessed basket. Sincerely, The League of Extraordinary Hackers

Utilities may get dedicated chunk of spectrum for smart grid

As part of its broadband hearings, the FCC looked at whether it should follow Canada's lead and allocate a chunk of spectrum to give utilities wireless broadband for smart grid devices.

By John Timmer Last updated August 26, 2009 2:41 PM CT

Remember the IBM commercials that suggested you would be able to listen to “Every song ever recorded?” This is how that will happen. No need for local storage, since you can access anything from anywhere.

5 Apps Tap the Internet's Infinite Playlist

By Eliot Van Buskirk Email 08.24.09

It used to be you needed a ginormous hard drive to build and store your digital music collection. But now that most songs exist somewhere in the cloud—on YouTube, one-stop streaming sites like imeem, or blog aggregators like Hype Machine—services have emerged that help you squeeze the Internet for any track you need. Wherever music lives, you can now play, collect, and share it without downloading any audio files. None of these sites is pitch-perfect, and their fidelity isn't as high as your meticulously encoded lossless library. But in these lean times, free jams are sounding better by the minute.

For my Disaster/Recovery students. Creating an “excuse free” contingency plan.

7 Backup Strategies for Your Data, Multimedia, and System Files

Nobody likes backing up, but one day, it’ll save your bacon. Here are the most efficient methods of protecting your stuff, no matter what your situation.

Lincoln Spector, PC World Aug 25, 2009 7:00 pm

Tools & Techniques This could be very handy. I could create a new web page for each of my lectures, with all the links and images. Also useful in the website class...

Create a Free Disposable Web Page with DinkyPage

Aug. 27th, 2009 By Karl L. Gechlik

Have you ever had the need to create a free web page quickly to share information with a group of people or even a team member? You have to fire up your editor, make the page and then upload the page to the site, find the URL and pass it around.

Now we have discovered a service that does ALL the hard work for you! It’s called DinkyPage and can be found here.

Wednesday, August 26, 2009

Now do you understand, Mr. Chairman?

Bernanke Victimized by Identity Fraud Ring

August 25, 2009 by Dissent Filed under Breaches, U.S.

If ever there were living proof that identity theft can strike the mighty and powerful as well as hapless consumers, look no further than the nation’s chief banker: Ben Bernanke. The Federal Reserve Board chairman was one of hundreds of victims of an elaborate identity-fraud ring, headed by a convicted scam artist known as “Big Head,” that stole more than $2.1 million from unsuspecting consumers and at least 10 financial institutions around the country, according to recently filed court records reviewed by NEWSWEEK.

Read more in Newsweek

Small businesses have little leverage with the banks. Perhaps a Class Action to require the banks to extend the same level of security they give to individuals?

Banks Urge Businesses To Lock Down Online Banking

Posted by kdawson on Tuesday August 25, @08:14PM from the no-social-no-engineering dept.

tsu doh nimh writes

"Organized cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies in the US, setting off a multimillion-dollar online crime wave that has begun to worry the nation's largest financial institutions, The Washington Post's Security Fix blog reports: '"In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses," reads a confidential alert issued by the Financial Services Information Sharing and Analysis Center, an industry group created to share data about critical threats to the financial sector.' The banking group is urging that commercial bank customers 'carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.' The story includes interviews with several victim businesses, and explains that in each case, the fraudsters — thought to reside in Eastern Europe — are using "'money mules,' unwitting or willing accomplices in the US hired via Internet job boards. The blog has more stories and details about these crimes."

[From the first article:

According to the latest estimates by anti-virus maker Trend Micro, at least 253 million systems were infected with malware last year, the majority of which were the result of software lying in wait on hacked or malicious Web sites.

[From the second article:

"All of the people who have called us are very angry with their respective banks," Slack said. "Most have retained attorneys and I think they are afraid of publicity."

[From a related story at:

In many cases, the advisory warned, the scammers infiltrate companies in a similar fashion: They send a targeted e-mail to the company's controller or treasurer, a message that contains either a virus-laden attachment or a link that -- when opened -- surreptitiously installs malicious software designed to steal passwords. Armed with those credentials, the crooks then initiate a series of wire transfers, usually in increments of less than $10,000 to avoid banks' anti-money-laundering reporting requirements.

… Businesses do not enjoy the same legal protections as consumers when banking online. Consumers typically have up to 60 days from the receipt of a monthly statement to dispute any unauthorized charges.

In contrast, companies that bank online are regulated under the Uniform Commercial Code, which holds that commercial banking customers have roughly two business days to spot and dispute unauthorized activity if they want to hold out any hope of recovering unauthorized transfers from their accounts.

Avivah Litan, a fraud analyst with Gartner Inc., said few commercial banks have invested in back-end technologies that can detect fraudulent or unusual transaction patterns for businesses.

"The banks spend a lot of money on protecting consumer customers because they owe money if the consumer loses money," Litan said. "But the banks don't spend the same resources on the corporate accounts because they don't have to refund the corporate losses."
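The advisory excerpted above describes the pattern (stolen credentials, then a series of wires each kept under $10,000), and Litan notes that few banks run back-end detection of unusual transaction patterns on business accounts. As an added example, not code from the article or from any bank, here is a small Python detector that flags an account making several just-under-threshold wires to never-before-seen beneficiaries within a short window. The transfer records, the payee history, the 85% band, the 24-hour window and the three-wire minimum are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of outbound wires from a bank's commercial customers.
# Every value here is made up for the example; nothing comes from a real ledger.
# Fields: timestamp, originating account, beneficiary, amount (USD).
SAMPLE_WIRES = [
    ("2009-08-20 09:12", "ACME-OPS",   "BEN-0001",    9800.00),
    ("2009-08-20 09:40", "ACME-OPS",   "BEN-0002",    9650.00),
    ("2009-08-20 10:05", "ACME-OPS",   "BEN-0003",    9900.00),
    ("2009-08-20 10:31", "ACME-OPS",   "BEN-0004",    9700.00),
    ("2009-08-20 11:15", "ACME-OPS",   "BEN-0005",    9500.00),
    ("2009-08-20 12:00", "ACME-OPS",   "PAYROLL-SVC", 48000.00),  # routine: large, to a known payee
    ("2009-08-20 09:00", "BAKERY-LLC", "FLOUR-CO",    2300.00),
    ("2009-08-21 09:00", "BAKERY-LLC", "FLOUR-CO",    2100.00),
    ("2009-08-21 10:00", "BAKERY-LLC", "FLOUR-CO",    9600.00),   # near threshold, but a known payee
]

# Beneficiaries each account has paid before (constructed history).
KNOWN_PAYEES = {"ACME-OPS": {"PAYROLL-SVC"}, "BAKERY-LLC": {"FLOUR-CO"}}

REPORTING_THRESHOLD = 10_000.00  # the $10,000 figure cited in the article
NEAR_BAND = 0.85                 # assumption: 85% of threshold up to (not including) it counts as "just under"
WINDOW = timedelta(hours=24)     # assumption: look for clusters inside one day
MIN_COUNT = 3                    # assumption: three or more such wires triggers an alert


def is_just_under_threshold(amount):
    """True for amounts that sit in the band just below the reporting threshold."""
    return NEAR_BAND * REPORTING_THRESHOLD <= amount < REPORTING_THRESHOLD


def parse(wires):
    """Turn the raw tuples into (datetime, account, beneficiary, amount) rows."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), acct, bene, float(amt))
            for ts, acct, bene, amt in wires]


def find_structuring(wires, known_payees, window=WINDOW, min_count=MIN_COUNT):
    """Return {account: [rows]} for each account that sent at least `min_count`
    just-under-threshold wires to previously unseen beneficiaries within `window`.
    The rows returned are the largest such cluster found for that account."""
    by_account = defaultdict(list)
    for row in parse(wires):
        _, acct, bene, amt = row
        if is_just_under_threshold(amt) and bene not in known_payees.get(acct, set()):
            by_account[acct].append(row)

    alerts = {}
    for acct, rows in by_account.items():
        rows.sort(key=lambda r: r[0])
        best, start = [], 0
        for end in range(len(rows)):
            # Slide the left edge forward until the span fits inside the window.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            run = rows[start:end + 1]
            if len(run) >= min_count and len(run) > len(best):
                best = run
        if best:
            alerts[acct] = best
    return alerts


def summarize(alerts):
    """Condense each alert into count, total moved and the list of new payees."""
    return {
        acct: {
            "count": len(rows),
            "total": round(sum(r[3] for r in rows), 2),
            "new_payees": sorted({r[2] for r in rows}),
        }
        for acct, rows in alerts.items()
    }


if __name__ == "__main__":
    for acct, info in summarize(find_structuring(SAMPLE_WIRES, KNOWN_PAYEES)).items():
        print(f"{acct}: {info['count']} sub-threshold wires totalling "
              f"${info['total']:,.2f} to new payees {info['new_payees']}")
```

On the constructed data only ACME-OPS is flagged: five wires to new beneficiaries, each between $9,500 and $9,900, all inside two hours. The bakery's $9,600 wire is ignored because it goes to a payee the account has paid before, which is the point of pairing the amount band with a payee-history check rather than alerting on amount alone.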

Something is wrong when violations of citizen privacy are punished by taking citizen tax moneys and ignoring the bad actors.

Tentative settlement between govt and FL on sale of DMV records

August 25, 2009 by Dissent Filed under Breaches, Govt, U.S.

The Associated Press is reporting that Florida Governor Charlie Crist and the Florida Cabinet have agreed to pay the federal government $1.5 million to settle charges that the state violated motorists’ privacy by selling their personal information in motor vehicle records to businesses during the period June 1, 2000 to September 30, 2004. The legislature still has to approve the deal.

Tools & Techniques Privacy enabling tool?

Use Twitter Anonymously. This Will Not End Well.

by MG Siegler on August 25, 2009

… a new service (which is really two new services) wants to make anonymous tweeting easy: Tweet From Above and Tweet From Below.

As their names imply, one of these services is meant to be used for good, while the other is meant for evil. Both allow you to use a third-party Twitter account to send out messages. While you might think that’s pointless, if you use it to @reply someone, they will obviously see the tweet, without knowing exactly who it is from.

This could be huge! (If they define neutrality the way geeks do)

FCC Declares Intention To Enforce Net Neutrality

Posted by kdawson on Tuesday August 25, @05:38PM from the play-nice-now dept.

Unequivocal writes

"The FCC chairman, Julius Genachowski, told Congress today that the 'Federal Communications Commission plans to keep the Internet free of increased user fees based on heavy Web traffic and slow downloads. ...Genachowski... told The Hill that his agency will support "net neutrality" and go after anyone who violates its tenets. "One thing I would say so that there is no confusion out there is that this FCC will support net neutrality and will enforce any violation of net neutrality principles," Genachowski said when asked what he could do in his position to keep the Internet fair, free and open to all Americans. The statement by Genachowski comes as the commission remains locked in litigation with Comcast. The cable provider is appealing a court decision by challenging the FCC's authority to penalize the company for limiting Web traffic to its consumers.' It looks like the good guys are winning, unless the appeals court rules against the FCC."

(Related) ...and while we're on the subject... You can zoom the map to County and Zip Code level. Also contains a “Test your speed” widget.

2009 Report on Internet Speeds in All 50 States

[Or just Colorado:

Business opportunity

The Craigslist Credo: Bad Advice for Newspapers

By Gary Wolf Email Author August 25, 2009 3:30 pm

Here is a question I took away from my reporting on craigslist: Why, given the site’s notorious shortcomings, has nobody ever succeeded in taking business away from it?

The business we should have started in the DotCom era?

Betfair Growing 30%, Easing over the Pond, and Hiring 50 Valley Engineers

by Sarah Lacy on August 25, 2009

Most Web sites started in the late 1990s have either gone public, been acquired or are defunct. Wired has a rather harsh cover story on one of the most famous ones that isn’t, Craigslist. But there’s another one that could rile up even more attorneys general and socially conservative figureheads: Betfair.

The London-based online gambling company is seldom written about or mentioned in the U.S. despite its gargantuan size. It employs 1,800 people around the world, generates more than $500 million in annual revenues and is profitable. Oh, and those revenues have grown nearly 30% in the last year. What world-wide recession?

… The company is well aware that legislation is making the rounds that could legalize online poker, and while it doesn’t want to be one of those lobbying for changes, be sure the company will be ready to throw a ton of money at the U.S. should the laws change.

Something for the Forensic toolkit

August 25, 2009

NIST Guidelines recommends best practices for next generation of portable biometric acquisition devices

"A new publication that recommends best practices for the next generation of portable biometric acquisition devices—Mobile ID—has been published by Commerce’s National Institute of Standards and Technology (NIST). Devices that gather, process and transmit an individual’s biometric data—fingerprints, facial and iris images—for identification are proliferating. Previous work on standards for these biometric devices has focused primarily on getting different stationary and desktop systems with hard-wired processing pathways to work together in an interoperable manner. But a new generation of small, portable and versatile biometric devices are raising new issues for interoperability."

Tools & Techniques For when you don't want to re-type a document.

Top 5 Free OCR Software Tools To Convert Images Into Text

Aug. 25th, 2009 By Saikat Basu

… Ah, modern technology is wonderful; take a scanned image (or take a snap using a mobile camera/Digicam) and presto – OCR software extracts all the information from the image into easily editable text format.

Tools & Techniques For the multi-tasker

Use OfficeTab To Give Microsoft Office Firefox-Like Tabs

Aug. 26th, 2009 By Karl L. Gechlik

I got a hot tip today on a piece of Chinese software that will make my life MUCH easier by adding Microsoft Office tabs to your installed MS applications. Have you heard of OfficeTab?

… Feel free to download OfficeTab from this link. BUT WAIT – the catch is that the site is NOT in English.

So the direct download link lives here which, if you scroll down to the bottom of the product page, is the only link there. So no need for Google Translations today. The actual application IS multilingual so there are no issues there.

Global Warming! Global Warming! Will this make Al Gore a monkey?

Global Warming To Be Put On Trial?

Posted by ScuttleMonkey on Wednesday August 26, @08:23AM from the break-out-the-popcorn dept.

Mr_Blank writes to mention that the United States' largest business lobby is pushing for a public trial to examine the evidence of global warming and have a judge make a ruling on whether human beings are warming the planet to dangerous effect.

"The goal of the chamber, which represents 3 million large and small businesses, is to fend off potential emissions regulations by undercutting the scientific consensus over climate change. If the EPA denies the request, as expected, the chamber plans to take the fight to federal court. The EPA is having none of it, calling a hearing a 'waste of time' and saying that a threatened lawsuit by the chamber would be 'frivolous.' [...] Environmentalists say the chamber's strategy is an attempt to sow political discord by challenging settled science — and note that in the famed 1925 Scopes trial, which pitted lawyers Clarence Darrow and William Jennings Bryan in a courtroom battle over a Tennessee science teacher accused of teaching evolution illegally, the scientists won in the end."

A couple for my fellow teachers...

Teaching and Learning in the Digital Age

Mindmaps for Learning