Saturday, November 21, 2009

Update. Perhaps all four states should pile on, just to drive home the point?

AZ Attorney General to investigate Health Net

November 21, 2009 by admin Filed under Breach Incidents, Healthcare Sector, U.S.

A second state’s attorney general is opening an investigation into the Health Net breach that was only recently revealed six months after the data were either lost or stolen. From the press release from Arizona Attorney General Terry Goddard:

Attorney General Terry Goddard today called on Health Net, a Connecticut-based insurance company, to immediately notify its Arizona policyholders whose personal, medical and financial information was either lost or stolen in a data breach that occurred six months ago.

He said further that his Office will open an investigation to determine whether a state law requiring prompt notification was violated.

Health Net notified the Arizona Department of Insurance on Wednesday that a hard drive containing personal data on some 316,000 present and former Arizona policyholders has been missing since May from the company’s headquarters in Shelton, Conn. The company has yet to contact the affected policyholders about the breach, however, saying it plans to send letters to them soon.

“Health Net’s failure to notify its customers after all this time appears inexcusable,” Goddard said. “The breach apparently includes sensitive personal health information as well as financial information that could put people at risk of identity theft. There can be no further delay; the company needs to provide notification as quickly as possible.”

Arizona law requires notification of individuals affected by an unauthorized acquisition and access of computerized personal information “in the most expedient manner possible and without unreasonable delay.”

Goddard said a letter citing that law was sent to the company Thursday. It also requests additional information about the data breach. A copy of the letter is attached.

Health Net said it will provide free credit monitoring for two years for all affected customers who request it. The company said it has not received any reports so far of misused data.

A company spokeswoman said the missing hard drive contains Social Security numbers, medical records and health information going back to 2002 for 1.5 million past and present customers in four states: Arizona, Connecticut, New York and New Jersey. Health Net is one of the country’s largest publicly traded managed care companies with some 6.6 million customers across the country.

Al Gore must be furious! But seriously, what would you do if someone hacked your organization's system and released a mix of real and phoney data suggesting that you were falsifying data or covering up a crime or bribing politicians?

Climatic Research Unit Hacked, Files Leaked

Posted by kdawson on Friday November 20, @02:51PM from the playing-dirty dept.

huckamania was one of many readers to write with the news that the University of East Anglia's Hadley Climatic Research Unit was hacked, and internal documents released. Some discussion and analysis of the leaked items can be found at Watts Up With That. The CRU has confirmed that a breach occurred, but not that all 61 MB of released material is genuine. Some of the emails would seem to raise concerns about the science as practiced — or at least beg an explanation. From the Watts Up link:

"[The CRU] is widely recognized as one of the world's leading institutions concerned with the study of natural and anthropogenic climate change. Consisting of a staff of around thirty research scientists and students, the Unit has developed a number of the data sets widely used in climate research, including the global temperature record used to monitor the state of the climate system, as well as statistical software packages and climate models. An unknown person put postings on some climate skeptic websites [Suggesting an agenda? Bob] that advertised an FTP file on a Russian FTP server. Here is the message that was placed on the Air Vent today: 'We feel that climate science is, in the current situation, too important to be kept under wraps. We hereby release a random selection of correspondence, code, and documents.' The file was large, about 61 megabytes, containing hundreds of files. It contained data, code, and emails apparently from the CRU. If proved legitimate, these bombshells could spell trouble for the AGW crowd."

Reader brandaman supplied the link to the archive of pilfered data. Reader aretae characterized the emails as revealing "...lots of intrigue, data manipulation, attempting to shut out opposing points of view out of scientific journals. Almost makes you think it's a religion. Anyone surprised?" And reader bugnuts adds, for context: "These emails are certainly taken out of context, whether they are legitimate or fraudulent, which adds to the confusion."

I'm surprised that you are surprised. Haven't you been paying attention? Or...

Rick: How can you close me up? On what grounds?
Captain Renault: I'm shocked, shocked to find that gambling is going on in here!
[a croupier hands Renault a pile of money]
Croupier: Your winnings, sir.
Captain Renault: [sotto voce] Oh, thank you very much.
Captain Renault: Everybody out at once!

Ca: Lost laptops shock watchdog

November 20, 2009 by admin Filed under Commentaries and Analyses, Non-U.S.

Gordon Kent reports:

Alberta’s privacy watchdog says he’s “stunned” by a report the city has lost an average of one laptop a month that could contain personal data.

Only half the 48 laptop disappearances over the last four years were investigated, and just once did officials look into whether a lost or stolen computer contained personal information, according to a report by city auditor David Wiun.

In that case, the computer stored resumes.

“I’m just stunned … I just don’t have words for this,” information and privacy commissioner Frank Work said Thursday.

Read more in the Edmonton Journal.

The audit report, Audit of Privacy Controls for Laptops & Tablets, November 3, 2009 can be found at

It's not cyber war. It is: let's see how much information we can gather. Think of it as a digital reconnaissance. (If there are similar looks at corporate America, they are going unreported.)

Cyber Attacks On US Military Jump Sharply In 2009

Posted by Soulskill on Saturday November 21, @02:02AM from the proportional-with-gold-farming dept.

angry tapir writes

"Cyber attacks on the US Department of Defense — many of them coming from China — have jumped sharply in 2009, a US congressional committee has reported. Citing data provided by the US Strategic Command, the US-China Economic and Security Review Commission said that there were 43,785 malicious cyber incidents targeting Defense systems in the first half of the year. That's a big jump. In all of 2008, there were 54,640 such incidents. If cyber attacks maintain this pace, the yearly increase will be around 60 percent. The full report (PDF) is available online."

Happy Holidays! Send me your credit card number, bank account, and all your passwords. (signed) Santa

Phishing: Verified by Visa scam targets holiday shoppers

by Steve Ragan - Nov 20 2009, 16:30

An interesting example of internet-enabled democracy? An indication of future vigilantism? Certainly an example of the popularity of soccer.

Can Facebook group change World Cup game result?

by Chris Matyszczyk November 20, 2009 2:43 PM PST

… In case you were only recently released after being abducted by recalcitrant performance artists, France was playing Ireland for the privilege of going to the World Cup finals in South Africa. Ireland was winning.

… A ball was hopefully pumped into the Irish penalty area. The French captain, Thierry Henry, reached out his left hand to control the ball, enjoyed the feeling so much he actually handled it twice, then crossed the ball for an embarrassed teammate, William Gallas, to score and eliminate the plucky Irish. (It is compulsory to use the term "plucky" when referring to the Irish soccer team.)

Henry, perhaps sensing his precious image evaporating, admitted Friday that the game should be replayed.

Even though the sport's governing body, FIFA, has declared no replay will happen, it now has to deal with perhaps the fastest-growing Facebook group on earth.

Petition to have IRELAND VS FRANCE REPLAYED!!!!! already has secured more than 250,000 members since its inception, as well as an increasing amount of media coverage.

Everyone wants to play... Perhaps we should be looking at/comparing the features offered?

Health gets personal in the cloud

Google Health Beta and Microsoft's My Health Info

by Brian Ahier

Healthcare is one of the biggest industries in the world. The United States spends over 17% of its GDP on healthcare and the issue of the industry's future is being hotly debated in Congress.

… For example, Google announced at the Health 2.0 conference that they have entered into a partnership to provide telehealth services through their Google Health platform using MDLiveCare.

… Also, Microsoft has introduced My Health Info as part of HealthVault.

… Another company that is doing some interesting work in this area is Practice Fusion. Practice Fusion is a free, Web-based electronic health record service for physicians.

… Through Patient Fusion, doctors grant patients instant access to their medical records, medications and immunization history. Updates to the patient's records are available in real-time in the cloud. Patients will also be able to schedule appointments, request prescription refills, email their physicians, and, most importantly, share their data with other providers at any time.


PHR – Personal Health Record Reviews

Here is a list of top providers.

  1. Google Health by Google

  2. Microsoft’s HealthVault and My Health Info

  3. Web MD PHR

  4. Patient Fusion by Practice Fusion

  5. GE’s Life Sensor

  6. HealthTrio


  8. Passport MD

  9. LifeOnKey

  10. FollowMe

  11. MiVia

  12. Patient Gateway

Source code as evidence of anti-trust?

iPhone Owners Demand To See Apple Source Code

Posted by kdawson on Friday November 20, @04:50PM from the you're-a-brick dept.

CWmike writes

"iPhone owners charging Apple and AT&T with breaking antitrust laws asked a federal judge this week to force Apple to hand over the iPhone source code, court documents show. The lawsuit, which was filed in October 2007, accuses Apple and AT&T of violating antitrust laws, including the Sherman Act, by agreeing to a multi-year deal that locks US iPhone owners into using the mobile carrier. On Wednesday, the plaintiffs asked US District Court Judge James Ware to compel Apple to produce the source code for the iPhone 1.1.1 software, an update that Apple issued in September 2007. The update crippled iPhones that had been unlocked, or 'jailbroken,' so that they could be used with mobile providers other than AT&T. The iPhone 1.1.1 'bricked' those first-generation iPhones that had been hacked, rendering them useless and wiping all personal data from the device. The plaintiffs say that the source code is necessary to determine whether all iPhones were given the same 1.1.1 update, and whether it was designed to brick all or just some hacked iPhones."

Some interesting thoughts on the Chrome OS. Convergence and challenge?

Chrome OS: Internet failing at PC > PC failing at Internet

In 2009, it's better to be an Internet company that's taking slow, awkward first steps toward the PC, than a PC company that's still trying and failing to truly integrate with the Internet. Ars looks at what Chrome OS means for Google, Apple, Microsoft, the netbook, ARM, Intel, and the cloud. "Revolutionary" is a clichéd term, but Chrome OS is a good candidate for it.

By Jon Stokes | Last updated November 20, 2009 8:30 AM

… The custom firmware integrates some of the functions of a boot loader, so it's a bit more robust than a traditional BIOS. During the seven-second boot time, the firmware loads a series of kernel modules, all of which are signed; if the signature check fails at any point in boot-up, the machine will prompt the user for a reboot, after which a clean version of the OS is downloaded and the entire device is essentially re-imaged. [Secure against root-kits and always up-to-date? Bob]

… Every "application" is just a webpage, which means that users don't install binaries, ever, for any reason.

The OS itself lives on a read-only partition that's not accessible to user-space processes. The fact that the OS is stateless is a major security advantage, since it's that much harder for malicious code to hijack any part of it. Also important is the fact that the user processes themselves are all sandboxed, and any user data that's locally cached is encrypted by default.
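To make the signed-module boot described above concrete, here is an added Go example. It is my illustration, not Google's Chrome OS code: the module names, the SHA-256-over-image signing, the Ed25519 key and the "stop at the first bad signature and flag recovery" decision are my assumptions about the mechanism the article sketches. The device side holds only the public key; the private key stays on the vendor's build system.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Module is one stage of the boot chain: the image the firmware loads
// plus the vendor's signature over a digest of (name, image).
type Module struct {
	Name      string
	Image     []byte
	Signature []byte
}

// BootOutcome is what the firmware decides after walking the chain.
type BootOutcome struct {
	Verified     []string // modules whose signature checked out, in load order
	FailedAt     string   // first module whose signature failed ("" if none)
	NeedRecovery bool     // true: prompt for reboot and re-image from a clean copy
}

// digest binds the module name to its bytes so a valid image cannot be
// replayed under another module's name.
func digest(m Module) []byte {
	h := sha256.New()
	h.Write([]byte(m.Name))
	h.Write([]byte{0}) // separator between name and image
	h.Write(m.Image)
	return h.Sum(nil)
}

// SignModule runs on the vendor's build system, never on the device.
func SignModule(priv ed25519.PrivateKey, name string, image []byte) Module {
	m := Module{Name: name, Image: image}
	m.Signature = ed25519.Sign(priv, digest(m))
	return m
}

// VerifiedBoot is the firmware side. It checks every module before it is
// loaded and stops at the first failure, which is what makes a persistent
// modification of any stage detectable on the next boot.
func VerifiedBoot(pub ed25519.PublicKey, chain []Module) BootOutcome {
	var out BootOutcome
	for _, m := range chain {
		if !ed25519.Verify(pub, digest(m), m.Signature) {
			out.FailedAt = m.Name
			out.NeedRecovery = true
			return out
		}
		out.Verified = append(out.Verified, m.Name)
	}
	return out
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in images; a real chain carries kernel and module binaries.
	chain := []Module{
		SignModule(priv, "kernel", []byte("constructed kernel image")),
		SignModule(priv, "rootfs", []byte("constructed read-only root filesystem")),
		SignModule(priv, "browser", []byte("constructed browser module")),
	}
	fmt.Printf("clean boot:    %+v\n", VerifiedBoot(pub, chain))

	// Flip one byte of the root filesystem after signing: the kind of
	// persistent change a rootkit would need to make.
	tampered := append([]byte{}, chain[1].Image...)
	tampered[0] ^= 0xff
	chain[1].Image = tampered
	fmt.Printf("tampered boot: %+v\n", VerifiedBoot(pub, chain))
}
```

The tampered run stops at "rootfs" with NeedRecovery set, so the browser stage is never loaded; that is the point at which the article's firmware prompts for a reboot and re-images the device.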

… with ChromeOS, all user data lives in the cloud. A ChromeOS device presumes that the canonical version of your data is the cloud version, so it caches this data locally for faster access, and when a user modifies it, the changes are invisibly written back out to the network.

… If you plug a USB drive into the portable, ChromeOS opens a file browser tab that lets you look through the file tree. In the demo, Pichai clicked on an Excel file that then opened in the Windows Live version of Excel. "Microsoft has written a killer app for ChromeOS," he snarked of Redmond's Live offerings, which will enable ChromeOS to natively open Office docs without translating them to Google Docs.

Worth a read... Not so much new, as all in one article. Are we too heading to broadband as a basic human right?

FCC outlines seven biggest barriers to broadband adoption

The Federal Commission has listed seven big bumps in the road towards universal use of broadband in the United States, including the TV set-top box innovation gap and the spectrum gap. The document may be a sneak preview of the agency's National Broadband Plan, to be released in February.

By Matthew Lasar Last updated November 20, 2009 11:34 AM

Humor? This is likely to change fast when someone reminds hizzonor that college students often vote... They even lead recall elections.

Pittsburgh To Tax Students

Posted by Soulskill on Saturday November 21, @09:14AM from the this-will-go-over-well dept.

societyofrobots writes

"Pittsburgh Mayor Luke Ravenstahl has proposed taxing college and professional students for the privilege of receiving an education in the city. The proposed tax will charge students in the city at a rate of 1% of their yearly tuition — which, at Carnegie Mellon, would mean roughly a $400 tax (PDF) on most students. As the tax proposal hit local media outlets this week, the mayor repeatedly emphasized the burden that college students have placed on city services, and the need for students to pay their 'fair share.'"

Humor? Are they just making things up as they go along (practicing law without a license) or have they been invaded by the anti-smoking Nazis?

Apple Voiding Smokers' Warranties?

Posted by Soulskill on Saturday November 21, @10:17AM from the a-what-a-day-keeps-the-doctor-away dept.

Mr2001 writes

"Consumerist reports that Apple is refusing to work on computers that have been used in smoking households. 'The Apple store called and informed me that due to the computer having been used in a house where there was smoking, [the warranty has been voided] and they refuse to work on the machine "due to health risks of second hand smoke,"' wrote one customer. Another said, 'When I asked for an explanation, she said [the owner of the iMac is] a smoker and it's contaminated with cigarette smoke, which they consider a bio-hazard! I checked my Applecare warranty and it says nothing about not honoring warranties if the owner is a smoker.' Apple claims that honoring the warranty would be an OSHA violation. (Remember when they claimed enabling 802.11n for free would be a Sarbanes-Oxley violation?)"

For the Swiss Army folder


Create, Share, and Track multimedia presentations with ease.

Also for the Swiss Army folder

VideoLobby Wants To Help You Create Your Own Custom-Branded Live Webcasts

by Jason Kincaid on November 20, 2009

Today at the RealTime CrunchUp we saw the launch of VideoLobby, a new service founded by Peter Urban that’s looking to make it easier to create professional-looking webcasts, complete with custom branding.

… The service doesn’t just make your page look nicer, though — it can automatically pull in comments from Twitter and Facebook, and also allows users to submit questions directly from the show’s page.

Friday, November 20, 2009

Rumors of leaks can be as damaging to reputation as actual leaks. Think how much fun they will have now that they know the rumors were true!

NV: UMC has patient privacy leak

November 20, 2009 by admin Filed under Breach Incidents, Healthcare Sector, Insider, Paper, Theft, U.S.

Marshall Allen reports:

Private information about accident victims treated at University Medical Center has apparently been leaking for months, the Sun has learned, allegedly so ambulance-chasing attorneys could mine for clients.

Sources say someone at UMC is selling a compilation of the hospital’s daily registration forms for accident patients. This is confidential information — including names, birth dates, Social Security numbers and injuries — that could also be used for identity theft.


Silver said she was not even sure there was a leak until the Sun reporter informed her Thursday that 21 patient records, dated Oct. 31 and Nov. 1, had been provided to the newspaper by a source as evidence of the leak.

It is not known how many patient records have been printed from hospital computers and distributed to outsiders. But the source told the Sun it’s believed to have been going on for months.

Other information contained in the documents includes each patient’s address, employer, insurance information and details of the accident and injuries.

“Wow,” Silver said upon learning about the actual leak of information.

Read more in the Las Vegas Sun.

[From the article:

Hospital officials knew of rumors of the leaks since the summer, but doubted them until provided evidence Thursday by the Sun.

Not yet a disaster, but has potential should it come to cyber war... Somehow, I doubt this “crash” will get anywhere near the study an aircraft accident would receive.

F.A.A. Computer Problem Snarls Flights

By MATTHEW L. WALD Published: November 19, 2009

WASHINGTON — Flights over much of the eastern United States were delayed Thursday by a pre-dawn failure in a fairly new communications system, which led to the shutdown of a computer that accepts flight plans from the airlines and feeds them to air traffic controllers. [Flight plans, like “I will not be flying past the World Trade Center” have some Homeland Security/Military value. Bob]

It was the fourth major systemwide disruption attributed to the communications system, which the Federal Aviation Administration began putting into service earlier in this decade as a way to cut costs and assure reliability. [Do you have any computer equipment older than 2001? The FAA does. Bob]

… The crucial computer that was knocked out, the National Airspace Data Interchange Network, situated in Atlanta and with a backup in Salt Lake City, had also failed in August 2008, with a similar result, but for a different reason. [Apparently, the FAA saw no need to develop a contingency plan in case it ever happened again... Bob]

(Related) I shouldn't pick on the FAA, they're not the only security under-achievers.

Feds Charge 3 With Hijacking

By Kevin Poulsen November 19, 2009 5:45 pm

… a prank that took down the cable giant’s homepage and webmail service for more than five hours, and allegedly cost the company over $128,000.

… As described in the indictment (.pdf), the hackers got control of the domain with two phone calls, and an e-mail sent to the company’s domain registrar, Network Solutions, from a hacked Comcast e-mail account.

There is “confidence in our ability” and there is “bragging.” The latter tends to make the bad guys say “Oh yeah? We'll see about that.”

An introduction to the FBI's anti-cyber crime network

By Matthew Lasar Last updated November 19, 2009 10:42 AM

The Federal Bureau of Investigation told Congress this week that when it comes to cyber crime, terrorist groups like Al Qaeda aren't the sharpest pencils in the cup, but they're not out of the game either.

… Then there's Infragard. Coordinated by the FBI, it's a fellowship of federal, state, local, industry, and academic cybercrook catchers and watchers. Infragard has about 33,000 participants in almost 90 cities around the country, and you can apply to become a member yourself. [Something for our Computer Security graduates? Bob]

Smile for Big Brother!

Town to photograph every car that enters and leaves

by Chris Matyszczyk November 19, 2009 7:13 PM PST

… the Tiburon Town Council voted on Wednesday by 4 to 0 to install cameras to photograph every single car that enters or leaves this little Disneyland?

… The Tiburon police chief, Michael Cronin, told the Chronicle: "I think it makes the community safer." [How? Bob]

… The town is fortunate, however, in that it is on a peninsula, from which there are only two roads. So the total cost of putting up six cameras is estimated to be no more than $200,000, which works out at something near $20 per resident.

Even Bigger Brother (It is amazing how many ways the UK can find to attack its citizens.)

BREAKING: Leaked UK government plan to create "Pirate Finder General" with power to appoint militias, create laws

Secretary of State Peter Mandelson is planning to introduce changes to the Digital Economy Bill now under debate in Parliament. These changes will give the Secretary of State (Mandelson -- or his successor in the next government) the power to make "secondary legislation" (legislation that is passed without debate) to amend the provisions of Copyright, Designs and Patents Act (1988).

What that means is that an unelected official would have the power to do anything without Parliamentary oversight or debate, provided it was done in the name of protecting copyright.

Now that's an interesting approach in the “your strategy should match the tools you have to work with” vein.

Lawsuit: Use of rival’s name as keyword invades privacy

November 19, 2009 by Dissent Filed under Court, Featured Headlines, Internet

Dinesh Ramde of Associated Press reports on a lawsuit in Wisconsin that makes an intriguing legal argument.

The law firm of Habush, Habush, & Rottier is suing rival law firm Cannon & Dunphy for buying the words “Habush” and “Rottier” from Google for keywords. Habush argues that by purchasing the keywords, a sponsored link for Cannon & Dunphy was showing up above their own listing when anyone used Google to search for “Habush Rottier.”

Unlike other lawsuits that Ramde describes that allege trademark infringement, however, this lawsuit is based on a privacy claim. Ramde writes:

Habush based its lawsuit on a Wisconsin right-to-privacy statute that prohibits the use of any living person’s name for advertising purposes without the person’s consent.

The statute defines three types of “invasion of privacy,” the second of which says:

The use, for advertising purposes or for purposes of trade, of the name, portrait or picture of any living person, without having first obtained the written consent of the person or, if the person is a minor, of his or her parent or guardian. [Section 995.50]

Ryan Calo, a fellow at the Center for Internet and Society at Stanford Law School and oft-time contributor to this site, told the AP that

the statute seemingly was meant to protect people from having their names and images misused to suggest they endorse or represent something. That’s not the case here, he said.

Ryan’s a lot more knowledgeable about the law than I am, but I am wondering how the courts will apply the “for purposes of trade.” If someone uses your name not to trade under your name but to still boost their trade, is that an invasion of privacy under the Wisconsin statute? According to Calo,

“Although (Cannon’s) conduct may run afoul of the literal words of the statute, I don’t think the conduct at issue goes to the core of this particular aspect of privacy,” he said.

You can read more of Ramde’s report in the Chicago Tribune.

Bruce Vielmetti of the Journal Sentinel provides some additional detail on the lawsuit and indicates that the plaintiffs are seeking an injunction and attorney fees, but no damages. Vielmetti also reports that

Dunphy said that he thought a marketing firm had made arrangements with search engines, and that he never requested Habush and Rottier as keywords to bring up his firm.

Habush and Rottier are represented by Jim Clark of the Foley & Lardner law firm.

Not too geeky. Anyone should be able to follow these instructions and see what future portables (at least) will be like.

Want To Try Out Google Chrome OS For Yourself? Here’s How.

by Jason Kincaid on November 19, 2009

… So we’ve put together a step-by-step guide to doing this, for free, in around 15 minutes (depending on how long it takes to download the OS itself). No, this won’t get your computer booting Chrome OS natively (and frankly, you probably wouldn’t want to yet anyway). But it will get it up and running in a virtual machine using the free software VirtualBox, which is available for Macs, PCs, and Linux.


Video: Chrome OS For Dummies

by Erick Schonfeld on November 19, 2009


What ChromeOS Means For Netbooks And Why Microsoft Needs To Be Scared

by John Biggs on November 19, 2009

We are doomed! Al Gore just invented the Smart Grid! I wasn't aware of this last night when my Disaster Recovery class was discussing the potential for Smart Grid Disasters – unfortunately, much the same as any other part of the infrastructure.

Al Gore: Our next power grid will be like the Net

by Josh Lowensohn November 19, 2009 7:11 PM PST

SAN MATEO, Calif.--Former U.S. Vice President Al Gore hopes that America's next-generation power grid will be a lot like the Internet. Or at least that's the plan.

… There are a few obstacles on the way there, though, the main one being a mix of outdated legislation and hardware that makes up America's current electricity grid. For example, the average estimated age of transformers currently in use is 42 years, longer than their projected run of service.

… "There are many business leaders in that sector, and I want to compliment some of those electric utilities, some of them here, who have become a part of the movement for change."

One of those is Pacific Gas and Electric (PG&E), which recently began rolling out smart digital electricity meters of its own. However, that move has already been put into question by customers whose bills have skyrocketed since the changeover. [Perhaps Al gets a royalty? Bob] Some of those in Bakersfield, Calif., where PG&E began its pilot deployment, have filed a class action lawsuit against the utility.

[The link to the PG&E lawsuit article leads to the WSJ, where you are asked to subscribe to read the article. You could search the web for the article, which you can read free at: Bob]

Thursday, November 19, 2009

One of the recurring themes on this blog is the lack of information available to management when a data breach occurs. (Never attribute this to some elaborate conspiracy scheme when simple ignorance is sufficient to explain it.) NOTE that this is another opportunity (Blue Cross last week) for the Connecticut AG to wax poetic about how he will protect citizens.

Health Net Loses Information for 450,000 Clients: AG

November 18, 2009 by admin Filed under Breach Incidents, Healthcare Sector, Lost or Missing

Health Net, whose motto is “A Better Decision,” may have made a very very bad decision in not informing consumers of a breach involving their protected health information and sensitive personal information.

Leanne Gendreau reports:

The personal information for almost half a million Connecticut residents could be at risk after a hard drive disappeared from Health Net six months ago.

The hard drive disappeared from Health Net’s Shelton office in May, Attorney General Richard Blumenthal said.

Health Net is a regional health plan and the drive included health information, social security number and bank account numbers for all 446,000 Connecticut patients, he said. The information had been compressed, but not encrypted, although a specialized computer program is required to read it.

Blumenthal said he’s “outraged” that the company never told customers or police and only told the AG on Wednesday.

Read more on NBC.

[From the NBC article:

Health Net officials said they were not able to determine which information was on the disk, so they investigated and learned the information was saved in an image format [Suggests scanned documents, possibly in TIFF format. Bob] that cannot be read without special software, but it contained personal information for many past and present Health Net members.

… If customers find suspicious activity between May 2009 and the date the identity protection service starts Health Net will provide assistance. [I'll be very interested in seeing what “assistance” they provide. Bob] They have not received any reports of data misuse. [How would anyone know to “report” a problem to Health Net? More interesting, if someone did report a problem would Health Net have taken any action? (i.e. Did they have a procedure in place from “last May” until they announced the breach?) Bob]
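The AG's statement that the drive was "compressed, but not encrypted, although a specialized computer program is required to read it" is worth pinning down, because the two are different controls. Here is an added Go example (mine, not Health Net's or anyone's production code) with a constructed record: gzip compression leaves the record recoverable by anyone with the free decompressor, while AES-256-GCM encryption does not, and the wrong key is rejected rather than yielding garbage. The record contents, the marker string and the key handling are all constructed for illustration.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sampleRecord is a constructed stand-in for one exported member record.
const sampleRecord = "member=J. Doe;ssn=000-00-0000;acct=00000000;dx=example\n"

// Compress is the "specialized program" case: a standard gzip stream.
func Compress(plain []byte) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(plain)
	zw.Close()
	return buf.Bytes()
}

// Decompress is what anyone who finds the drive can run; no secret needed.
func Decompress(blob []byte) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(blob))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

// Encrypt seals the blob with AES-GCM under a 32-byte key; the random
// nonce is prepended so Decrypt can recover it.
func Encrypt(key, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plain, nil)...), nil
}

// Decrypt fails closed: a wrong key or a modified blob returns an error.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob shorter than nonce")
	}
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

// Exposed reports whether marker is recoverable from a stored blob by
// someone holding no key: first as-is, then after a gzip decode.
func Exposed(blob []byte, marker string) bool {
	if bytes.Contains(blob, []byte(marker)) {
		return true
	}
	if plain, err := Decompress(blob); err == nil && bytes.Contains(plain, []byte(marker)) {
		return true
	}
	return false
}

func main() {
	rec := []byte(sampleRecord)
	key := make([]byte, 32) // constructed key; a real one comes from a key manager
	rand.Read(key)

	fmt.Println("gzip only, SSN recoverable:", Exposed(Compress(rec), "000-00-0000"))

	sealed, _ := Encrypt(key, Compress(rec)) // compress, then encrypt
	fmt.Println("gzip+AES-GCM, SSN recoverable:", Exposed(sealed, "000-00-0000"))

	plain, _ := Decrypt(key, sealed)
	rec2, _ := Decompress(plain)
	fmt.Println("authorized round trip intact:", bytes.Equal(rec, rec2))
}
```

Compress-then-encrypt is the usual order: compressing ciphertext gains nothing, and the encrypted file carries no gzip header for a finder to recognize.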

(Related) How quickly the numbers change.

UPDATE: 1.5 Million Medical Files At Risk In Health Net Data Breach

November 19, 2009 by admin Filed under Breach Incidents, Healthcare Sector, Lost or Missing, Of Note, U.S.

Matthew Sturdevant reports:

A hard drive with seven years of personal and medical information on about 1.5 million Health Net customers, including 446,000 in Connecticut, was lost six months ago and was first reported Wednesday, state and company officials said.

The insurance company informed the state attorney general’s office and the Department of Insurance Wednesday of the security breach that puts personal medical records at risk in a historic lapse, the first of its kind to be publicly reported.

A portable, external hard drive with Social Security numbers and medical records “disappeared” and is still missing from the insurer’s Northeast headquarters in Shelton, a Health Net spokeswoman said Wednesday.

The hard drive contains Social Security numbers, medical records and health information dating to 2002 for 1.5 million customers — past and present — in Arizona, Connecticut, New Jersey and New York, the spokeswoman said.

Read more in the Hartford Courant.

[From the Courant article:

The missing hard drive at Health Net is the first publicly reported, widespread release of patients' medical records, at least in recent state history. [Sounds like lawyer wording to me. Were there privately reported breaches before? How recent is recent? Bob]

More thought from Canada

Privacy issues and the Smart Grid

November 19, 2009 by Dissent Filed under Other

The Smart Grid brings many benefits – but privacy protection must be built into the design of this new technology before an explosion of personal data erupts, Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, cautioned today in a new white paper.

“The overarching privacy concern associated with Smart Grid technology is its ability to greatly increase the amount of information that is currently available relating to the activities of individuals within their homes – their habits and behaviors,” said the Commissioner.

Intimate details of hydro customers’ habits, from when they cook or take showers, to when they go to bed, plus such security issues as whether they have an alarm system engaged, could all be discerned by the data automatically fed by appliances and other devices to the companies providing electric power.

The Commissioner and co-authors, Jules Polonetsky and Christopher Wolf, co-chairs of the Washington-based Future of Privacy Forum, issued a white paper, Smart Privacy for the Smart Grid: Embedding Privacy in the Design of Electricity Conservation, which emphasizes the importance of building privacy directly into Smart Grid technology, as the default option.

“The smart grid will provide benefits for the economy and the environment and could mean savings for individual consumers,” said Jules Polonetsky. “But the success of the grid will be completely dependent on consumers trusting that their data is being handled responsibly. If companies do not get privacy right from the start, billions will have been spent in vain.”

“The information collected on a Smart Grid will form a library of personal information, the mishandling of which could be highly invasive of consumer privacy,” said Christopher Wolf. “There will be major concerns if consumer-focused principles of transparency and control are not treated as essential design principles, from beginning to end.”

Brian Krebs of Security Fix writes:

In an interview with Security Fix, Polonestsky said some utilities have adopted the stance that existing regulations already prevent them from sharing customer data without prior authorization. But he noted that as power companies transition to the smart grid, those utilities are going to be collecting — and potentially retaining — orders of magnitude more data on their customers than ever before.

“Relatively speaking, [utilities] aren’t big marketing companies with big back end databases ready to handle the tidal wave of data that’s coming,” he said. “But we’re a little worried that without some serious planning now, there’s going to be quite a challenge in a couple of years when people start realizing that maybe should think about developing some solid data retention policies that address what’s going to be done with all of this data.”
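The Commissioner's point that fine-grained meter data reveals when people cook, shower and go to bed, and the white paper's "privacy by design" answer, can both be seen in a few lines of code. This is an added example, not code from the white paper or from any utility: it builds a constructed one-day load profile at 15-minute resolution (hypothetical appliance use, not real meter data), runs a deliberately naive threshold inference over it, and then shows how reporting hourly or daily averages instead of every reading removes most of what can be inferred.

```python
from statistics import mean, median

INTERVAL_MINUTES = 15  # smart meters commonly report at 15-minute (or finer) resolution


def build_sample_day():
    """Constructed one-day load profile in watts: 96 readings at 15-minute intervals.
    Baseline ~150 W (fridge, standby devices); the spikes are hypothetical
    appliance use and are NOT real meter data."""
    w = [150] * 96
    for i in range(26, 28):   # 06:30-07:00 electric water heater (shower)
        w[i] = 3200
    for i in range(30, 32):   # 07:30-08:00 breakfast cooking
        w[i] = 1800
    for i in range(72, 75):   # 18:00-18:45 dinner cooking
        w[i] = 2000
    for i in range(76, 92):   # 19:00-23:00 lights and television
        w[i] = 450
    return w


def hhmm(index, interval_minutes):
    """Reading index -> clock time label."""
    minutes = index * interval_minutes
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def infer_events(readings, interval_minutes=INTERVAL_MINUTES, factor=2.0):
    """Naive appliance/occupancy inference: every run of readings above
    `factor` times the median load becomes one event (start, end, peak_watts).
    Real load disaggregation is far more capable; this only shows how much a
    timestamp plus a wattage already reveals."""
    threshold = median(readings) * factor
    events, start, peak = [], None, 0
    for i, w in enumerate(list(readings) + [0]):  # sentinel closes a trailing event
        if w > threshold:
            if start is None:
                start, peak = i, w
            peak = max(peak, w)
        elif start is not None:
            events.append((hhmm(start, interval_minutes), hhmm(i, interval_minutes), peak))
            start = None
    return events


def aggregate(readings, window):
    """Privacy-by-design mitigation: report the average over `window` readings
    (4 -> hourly, 96 -> daily) instead of every 15-minute value."""
    return [mean(readings[i:i + window]) for i in range(0, len(readings), window)]


def events_at_resolution(readings, window):
    """What the naive inference still sees after the data has been coarsened."""
    return infer_events(aggregate(readings, window), INTERVAL_MINUTES * window)


if __name__ == "__main__":
    day = build_sample_day()
    for label, window in (("15-minute", 1), ("hourly", 4), ("daily", 96)):
        print(f"{label:>9}: {events_at_resolution(day, window)}")
```

At 15-minute resolution the four constructed activities come out as four separate events with their start times; hourly averages merge the shower and breakfast into one block and the evening into another, so the individual habits are gone; the daily total reveals nothing beyond consumption. The choice of reporting granularity is exactly the kind of default the white paper asks to be designed in up front.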

“I've got some good news and some bad news.”

NZ: PIs should not be restricted more than public – Sir Geoffrey

November 19, 2009 by Dissent Filed under Legislation, Non-U.S.

Private investigators should not be restricted from taking photos or recording people any more than the general public is, Law Commission president Geoffrey Palmer says.

However, restrictions on the general public were too lax, he said.

There was “no justification” for private investigators to be singled out for restrictions when ordinary members of the public did not face the same ones, Sir Geoffrey told NZPA.

He presented the commission’s briefing on the issue to Parliament’s justice select committee this morning. The committee is considering the Private Security Personnel and Private Investigators Bill.

Read more on the National Business Review.

[From the article:

"The police are different. The police are law enforcement officers. That's a totally different set of policy considerations.

"This is not about that. This is about what surveillance powers do ordinary citizens have and to what degree should they be restricted." [“Police good, citizens scum.” Bob]

Will the cable or telecom providers with monopolies fight this trend to the death?

First Finland, Now Spain Makes Broadband Access a Legal Right.

By Zee on November 19, 2009

Building a Bigger Brother?

Chicago's Camera Network Is Everywhere

Posted by timothy on Wednesday November 18, @06:04PM from the oh-it's-just-you-big-brother dept.

DesScorp writes

"Over the past few years, the City of Chicago has installed video cameras all over the city. Now the Wall Street Journal reports that the city has not only installed its own cameras for law enforcement purposes, but with the aid of IBM, has built a network that possibly links thousands of video surveillance cameras all over Chicago. Possibly, because the city refuses to confirm just how many cameras are in the network. [Consider that they may never have counted them Bob] Critics say that Chicago is becoming the city of Big Brother. 'The city links the 1,500 cameras that police have placed in trouble spots with thousands more—police won't say how many—that have been installed by other government agencies and the private sector in city buses, businesses, public schools, subway stations, housing projects and elsewhere. Even home owners can contribute camera feeds. Rajiv Shah, an adjunct professor at the University of Illinois at Chicago who has studied the issue, estimates that 15,000 cameras have been connected in what the city calls Operation Virtual Shield, its fiber-optic video-network loop.' There are so many camera feeds coming in that police and officials can't monitor them all, but when alerted to a situation, can zoom in on the area affected. The ACLU has requested a total number of video feeds and cameras, but as of yet, this information has not been supplied."

Something fishy about this. (Read the comments) Good (as in, we follow best practices) encryption would still be impossible to crack in my lifetime. Are pedophiles so stupid that they actually carry images through customs on their laptops rather than encrypt them and email them to themselves?

US Government Using PS3s To Break Encryption

Posted by timothy on Wednesday November 18, @05:16PM from the purchase-order-shenanigans dept.

Entropy98 writes

"It seems that the US Immigration and Customs Enforcement Cyber Crimes Center, known as C3, has replaced its '$8,000 Tableau/Dell server combination' with more efficient and much cheaper $300 PS3s. Each PS3 is capable of 4 million passwords per second, and C3 currently has 20 PS3s with plans to buy 40 more. Naturally this is only being used to break encryption on computers seized with a warrant and suspected of harboring child pornography."

[From the article:

After securing a warrant, agents can seize and search a suspect's computer, but the Fourth Amendment prevents authorities from forcing suspects to surrender their passwords, Davenport said. [They don't need a warrant to seize the computer, do they? Bob]

The networked Playstation 3s can process 4 million passwords per second, cutting down on the time necessary to find the correct combination. [Not each Playstation Bob]
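Why a 4-million-guesses-per-second cluster is no threat to a well-chosen passphrase protected by a slow key-derivation function, worked through in code. This is an added example, not code from the article or from C3: the 4,000,000 guesses/second figure is taken from the article as the whole cluster's rate (an assumption, given the correction above), the alphabet sizes and lengths are constructed cases, and the key stretching is illustrated with PBKDF2-HMAC-SHA256 from the Python standard library.

```python
import hashlib
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size, length, guesses_per_second, kdf_iterations=1):
    """Worst-case years to try every candidate at a fixed guess rate.
    `kdf_iterations` models key stretching: when each guess must run an
    iterated KDF, the effective guess rate drops by that factor."""
    seconds = keyspace_size(alphabet_size, length) * kdf_iterations / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Password -> 256-bit key with PBKDF2-HMAC-SHA256 (stdlib).
    The iteration count is what makes every attacker guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def measure_guess_seconds(iterations, salt=b"constructed-salt-16b"):
    """Wall-clock cost of one stretched guess on this machine (constructed salt)."""
    t0 = time.perf_counter()
    derive_key("correct horse battery staple", salt, iterations)
    return time.perf_counter() - t0


if __name__ == "__main__":
    RATE = 4_000_000  # article's figure, taken as the whole cluster's rate (assumption)
    cases = [
        ("8 lowercase letters", 26, 8),
        ("8 printable ASCII", 95, 8),
        ("12 printable ASCII", 95, 12),
        ("20-letter passphrase", 26, 20),
    ]
    for label, alphabet, length in cases:
        plain = years_to_exhaust(alphabet, length, RATE)
        stretched = years_to_exhaust(alphabet, length, RATE, kdf_iterations=100_000)
        print(f"{label:>22}: {plain:.3g} years unstretched, "
              f"{stretched:.3g} years with 100k-iteration PBKDF2")
    print(f"one PBKDF2 guess at 100k iterations here: {measure_guess_seconds(100_000):.4f} s")
```

Eight lowercase letters fall in hours; the same eight letters behind a 100,000-iteration KDF take over a century at the article's rate, and twelve printable characters take billions of years with no stretching at all. The lesson for the defender is the one Bob draws: the hardware only matters when the password is short and the key derivation is fast.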

For my Intro to Computer Security class. How simple is encryption?

Quickly & Easily Protect & Encrypt Files With Conceal

Nov. 18th, 2009 By Guy McDowell

This should be banned. My students are scary enough in 2-D

How to Build Your Own 3D Camera Rig for Under $20

Posted 11/18/09 at 11:00:00 PM by Eric Kurland

Wednesday, November 18, 2009

I thought this (like almost all breaches) would continue to grow as more data was released (or leaked). Unfortunately, I was right.

Card payment processor breach in Spain affecting Europeans

November 18, 2009 by admin Filed under Breach Incidents, Financial Sector, Non-U.S., Of Note

Back in October, this site reported that “tens of thousands” of Swedish banking customers and “tens of thousands” of Finnish banking customers had been affected by a breach in Spain that might involve a card payment processor. Today, the BBC reports that:

Anyone who used a Visa or Mastercard credit card when in Spain may have had their card data compromised.

In Germany, as many as 100,000 cards are reportedly being recalled.

In a statement, Visa Europe confirmed that “it is aware of a possible card data security issue in Spain. No details are yet confirmed, but we do not believe that the issue is specific to Visa.”

Visa and Mastercard reportedly started alerting banks about four weeks ago. The Local (Germany) reports:

According to Wednesday’s edition of the Financial Times Deutschland, the Volksbank and Raiffeisenbank have decided to take more than 60,000 Visa and Mastercards out of circulation.

That brings the total number of credit cards recalled in Germany in recent weeks to more than 100,000. In October, retailer KarstadtQuelle replaced more than 15,000 customer credit cards while the German subsidiary of Barclay’s also recalled thousands. Commerzbank and Deutsche Bank also froze hundreds of credit cards as a precautionary matter.

At the weekend, German airliner Lufthansa announced it was replacing thousands of its “Miles & More” cards issued by the Deutsche Kreditbank after it was found many of the cards were used in Spain. However, so far there have been no cases of fraud discovered with the cards that can be used to collect frequent flyer miles with the airline.

I don't understand the logic here.

D.C. Circuit Examines Warrantless GPS Surveillance

November 17, 2009 by Dissent Filed under Court, Surveillance, U.S.

Mike Scarcella writes:

When federal authorities got a warrant to install an electronic tracking device to track a drug suspect, agents acted in an “abundance of caution,” a federal prosecutor said today in the U.S. Court of Appeals for the D.C. Circuit, where the government is defending its ability to secretly follow suspects without judicial supervision.

Peter Smith, an assistant U.S. attorney in the District of Columbia, argued that the authorities did not need a warrant to attach the global positioning system onto the vehicle of the suspect, Antoine Jones, the target of a cocaine trafficking ring in Washington. Jones was convicted last year and sentenced to life in prison. He is challenging the conviction.

Read more on The Blog of Legal Times. Hat-tip,

[From the Blog article:

Smith said GPS does not generate any information that the authorities cannot otherwise obtain using traditional physical surveillance—following a vehicle secretly for hours on end. Traditional surveillance, he said, provides more detail than GPS—including the number of passengers and information about who is behind the wheel.

Canada, or at least the Privacy Commissioner, seems to understand the issues. “Doing something” is always a problem.

Ca: Watchdog raises alarm over security measures

November 17, 2009 by Dissent Filed under Non-U.S.

OTTAWA – Were you the person who recently cashed a government-issued cheque for under $300 at your local trust company?

You probably never expected to be flagged as suspicious, but you were, says Canada’s privacy commissioner in a new audit of Canada’s financial watchdog agency.

Privacy Commissioner Jennifer Stoddart’s annual report, tabled in Parliament Tuesday, warns that Ottawa, in the drive to combat terrorism and money-laundering with the aid of modern technology, has developed a “seemingly insatiable appetite for personal information about individuals.”

Read more in the Toronto Star.

[From the Privacy Commissioner's website:

To view the reports:

Either UK laws are even stranger than Rumpole made them out to be, or the whole country is smoking wacky-weed.

Ex-MI5 agent in memoirs battle sues newspaper for naming him

November 17, 2009 by Dissent Filed under Breaches, Court, Non-U.S.

David Leigh and Richard Norton-Taylor report:

A former MI5 secret agent is suing the London Evening Standard for revealing his name, his lawyers say, in an attempt to extend Britain’s privacy laws to cover the identity of intelligence officers.

The agent is also threatening the Guardian with a high court injunction if the paper re-publishes his identity. The Guardian is therefore withholding details, for the time being, that might give clues to his identity.

The man’s name continues to be available online, where legal complaints have failed to silence foreign bloggers and websites which specialise in intelligence leaks. His lawyers say: “We do not agree that the information is in the public domain.”

The altercation highlights once again the difficulty of suppressing information in the online age. What makes the case doubly unusual is that the agent is simultaneously fighting his former employers in the name of free speech. He wants to be allowed to publish his memoirs under a pseudonym.

Read more in the Guardian.

Not quite a “get out of jail” card, but better than nothing?

Federal Regulators Issue Final Model Privacy Notice Form

November 17, 2009 by Dissent Filed under Featured Headlines, Govt, Legislation, U.S.

Eight federal regulatory agencies today released a final model privacy notice form that will make it easier for consumers to understand how financial institutions collect and share information about consumers. Under the Gramm-Leach-Bliley Act (GLB Act), institutions must notify consumers of their information-sharing practices and inform consumers of their right to opt out of certain sharing practices. The model form issued today can be used by financial institutions to comply with these requirements.

The final rule provides that a financial institution that chooses to use the model form obtains a “safe harbor” and will satisfy the disclosure requirements for notices.

Final Model Privacy Form under the Gramm-Leach-Bliley Act (pdf, 1.36 MB). Appendix A contains the sample notices.

For your Security Manager?

Budget problems and IT collaboration issues present challenge to security

by Steve Ragan - Nov 17 2009, 17:10

According to a new study by the Ponemon Institute and Lumension, the adoption of mobile devices, cloud computing, and collaborative technologies is happening faster than companies are able to adapt security policies. Part of this is due to poor budget allocation and broken IT collaboration.

… The report is available here.

Do you suppose the Google book scanning project will allow this level of integration in all areas? Could be a “game changing event.” NOTE: Automatically generates citations in many formats!

November 17, 2009

New on - Bridging the DiGital Divide: A New Vendor in Town? Google Scholar Now Includes Case Law

Bridging the DiGital Divide: A New Vendor in Town? Google Scholar Now Includes Case Law - The November 17, 2009 Google launch of free caselaw searching via Google Scholar is the focus of John J. DiGilio's timely content and resource review.

[From the article:

Searching for case law on Google is simple and versatile. You can search by case name, topic, or even phrase (“separate but equal” is the example they use). All you need to do is go to Google Scholar ( and click the new radio button for “Legal opinions and journals.” It is just that easy. But what of the results? How do they compare to what we in the legal community are accustomed to? A simple test of the new search might just surprise you. Take a case like Bowers v. Hardwick, for example - seminal, controversial, and heavily cited. Run its name through the Google Scholar search. What you get is almost overwhelming. Yes, your search results will return the text of the decision. But that is not all. Decisions, in this case Bowers, can come with official citations and pagination. Key factors for anyone writing and citing to the case. The cases cited in the body of the decision, if Google has them, actually show up as clickable links. That should give the major vendors pause! But this is STILL not all Google Scholar has to offer. If there are legal journals that cite the case you have searched and Google has them, you will see them in your search. By clicking the “How Cited” link next to the case name on the results page, you can see how the document has been cited, where it has been cited, and other related cases. Searching for Bowers brings up a list of cases that have been seminal in the area of privacy rights, for example. Even the footnotes are clickable links! Suffice it to say that Google is on to something really good here.

Interesting article suggesting that at least a few lawyers are making use of many social networks.

November 17, 2009

New on Free Tools and Applications For More Efficient Online Interaction

Free Tools and Applications For More Efficient Online Interaction: Many lawyers understand the importance of networking, but running a law practice takes time and no one ever seems to have enough of it. This factor is one of the main reasons lawyers offer as an excuse to avoid online networking, but Nicole Black proposes how choosing even a few efficient applications from the range of free tools available can streamline and accelerate this marketing process.

(Related) Generate your own...

Creaza – An Online Toolbox For Creative & Educational Fun

Nov. 17th, 2009 By Saikat Basu

… a mindmapper, a cartoon creator, a movie editor and an audio application

I'll try it out, but if it doesn't have Dilbert I won't stick for long.

Mendeley could be world’s largest online research paper database by early 2010

by Steve O'Hear on November 18, 2009

[UK] London-based Mendeley, which calls itself “the of research”, has announced that it’s reached something of a milestone today – claiming 100,000 users and 8 million research papers uploaded to the site in less than a year since its launch. Furthermore, the online database is doubling in size every 10 weeks, says the company.

… Mendeley offers a secure online database for scientists, academics and researchers to store their research papers in the ‘cloud’, making it easier to share those documents with their peers but there’s an important ’social’ element too (if that’s the right word). The system helps researchers find and connect to like-minded academics in similar fields to foster collaboration.

Another TED talk that will make geeks drool...

The thrilling potential of SixthSense technology

At TEDIndia, Pranav Mistry demos several tools that help the physical world interact with the world of data -- including a deep look at his SixthSense device and a new, paradigm-shifting paper "laptop." In an onstage Q&A, Mistry says he'll open-source the software behind SixthSense, to open its possibilities to all.

If I have students build a wiki documenting all they learn in my classes, would I need to pay them royalties if I sold it?

Wikis in the workplace: a practical introduction

The wiki crops up in many companies' internal discussions about process improvements and efficient collaboration, but it is often shot down because so few people have exposure to good models of what a really successful business wiki can do. Ars is here to help with a practical introduction based on real-world examples.

By Alan J. Porter | Last updated November 16, 2009 11:30 PM CT