Saturday, December 05, 2009

Looks like BCBS is finally getting where they should have been weeks ago. Unfortunately, it looks like they got there by being dragged, kicking and screaming. (Repeating that this is “required” allows them to imply that it really isn't necessary.)

http://www.databreaches.net/?p=8740

BCBS of TN issues breach notification for stolen hard drive

December 4, 2009 by admin Filed under Breach Incidents, Healthcare Sector, Of Note, Theft, U.S.

Remember the BlueCross breach in Chattanooga from October. First it was 57 hard drives, then 68, then 3, then 1, depending on which report you read. Now it’s 57 again, it seems. Today, Blue Cross issued a breach notification on its web site, as required by the new HITECH Act:

Required Substitute HITECH Act Notice Regarding BlueCross Hard Drive Theft

Editor’s Note: BlueCross BlueShield of Tennessee has issued this press release as required by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5) and its implementing regulations.

CHATTANOOGA, Tenn. — On Monday, Oct. 5, 2009 at 10 a.m., BlueCross BlueShield of Tennessee, Inc. employees discovered a theft of computer equipment at a network closet located in its former Eastgate Town Center office location in Chattanooga, Tenn. The theft occurred Friday, Oct. 2, 2009 at approximately 6:13 p.m. BlueCross has established that the items taken include 57 hard drives containing data that was encoded but not encrypted.

The hard drives were part of a system that recorded and stored audio and video recordings of coordination of care and eligibility telephone calls from providers and members to BlueCross’ former Eastgate call center located in Chattanooga.

… The back-up data of the stolen hard drives were restored and an exhaustive inventory of all data included on the drives is being conducted [We've been working for two months and still don't know what was on those drives. Bob] by BlueCross and Kroll Inc., a global leader in data security.

[Bob's questions and comments:

I'm not sure what the video recordings are (perhaps them mean screen shots?)

I understand these are recordings from their customer service call center. They are apparently listening to the calls to find out if sensitive data has been disclosed. Bad idea,

It would be much faster to check the computer logs of the call. Each time a client calls, the operator should call up their information on their computer and (at minimum) log the call. Recording which screens had been accessed (change of address, billing data, etc.) would tell them what information was being discussed – and would take only minutes to find!



Open a can of worm, expect an attack by crazed zombie pigeons?

http://www.databreaches.net/?p=8719

NH: AG reviewing WDH patient records breach

December 4, 2009 by admin Filed under Breach Incidents, Healthcare Sector, U.S.

As a follow-up to the coverage of a patient privacy breach involving Wentworth-Douglass Hospital (WDH), Adam D. Krauss of Foster’s Daily Democrat reports that a number of agencies are now piling on.

Concern over Wentworth-Douglass Hospital’s handling of a broad privacy breach into patients’ records has widened with the Attorney General’s Office confirming it is reviewing what happened.

“It is something we’re looking into,” said James Boffetti, who leads the AG’s Consumer Protection & Antitrust Bureau.

Boffetti said he could not divulge specifics, but confirmed the bureau took over the case after a complaint was made to the agency’s Medicaid Fraud Unit.

He also said a relevant state law is RSA 359-C: 20, which requires notification of a security breach, something WDH representatives have acknowledged they did not do after learning of the breach, which lasted from May 2006 to June 2007. An audit wasn’t completed until May.

Read more on Fosters.com.

[From the article:

When WDH was first asked late last month why it did not inform patients or authorities of the breach, Biehl said the hospital didn't have to because patients' personal health information wasn't affected — something disputed by two pathologists at the center of what's been alleged to be a hospital "cover up."

… We were concerned maybe diagnoses had been changed."

Moore said without contacting doctors for every patient it's impossible to be certain that no one was harmed.

The breach took place at the hands of a former hospital, not lab, employee after she had been transferred out of the pathology lab. The audit says she improperly accessed reports 1,847 times, resulting in changes to about half of them. Moore said the breach involved 1,157 patients.



For $20 Billion, I can secure medical records so well, not even the patients can read them.

http://www.informationweek.com/shared/printableArticle.jhtml;jsessionid=X001QDNRX3UINQE1GHPCKHWATMY32JVN?articleID=221601440

Can Electronic Medical Records Be Secured?

While EMRs promise massive opportunities for patient health benefits and reductions in administrative costs, the privacy and security risks are daunting.

By Mitch Wagner, InformationWeek Dec. 5, 2009

… The Obama administration has set an ambitious goal--to get electronic medical records on file for every American by 2014. The administration is offering powerful incentives: $20 billion in stimulus funds as per the American Recovery and Reinvestment Act (ARRA) of 2009, and stiff Medicare penalties for healthcare providers that fail to implement EMRs after 2014.

… Healthcare providers and other health businesses aren't stepping up to protect privacy, according to a recent study. Some 80% of healthcare organizations have experienced at least one incident of lost or stolen health information in the past year, according to a study released this month from security management company LogLogic and the Ponemon Institute, which conducts privacy and information management research.

Furthermore, some 70% of IT managers surveyed said senior management doesn't view privacy and data security as a priority, and 53% say their organizations don't take appropriate steps t protect patient privacy. Less than half judge their existing security measures as "effective or very effective."

Unauthorized use of medical records has created a new kind of crime: medical identity theft, where a criminal poses as another person to obtain medical treatments using another person's insurance. This is a crime with multiple victims: The actual person with insurance coverage, whose medical records are updated with incorrect information, and the insurance company, which is paying for the criminal's medical procedure. Medical identity theft cuts twice, causing both potential medical risk and financial harm to its victims.



Is there any way for them to get this information legally? (Surely we can trust the politicians to keep the data private.)

http://www.pogowasright.org/?p=6004

VA: Nonprofit sues state to avoid revealing source

December 5, 2009 by Dissent Filed under Breaches, Court

Bill Sizemore and Julian Walker report:

The kNOw Campaign, the source of an aborted mass mailing that would have disclosed many Virginians’ personal voting history days before the Nov. 3 election, is defying the State Board of Elections’ demand that it reveal where the data came from. In an escalating battle, the nonprofit group sued the state board Friday on constitutional grounds.

The group had planned a personalized mailing to 350,000 Virginia households in the week before the election detailing the recipients’ voting history in recent elections and that of their neighbors. The mailing would have disclosed only who voted in a given election, not how they voted.

The mailing was halted at the last minute amid indications that the voter information may have been acquired illegally.

Read more in The Virginian-Pilot.

[From the article:

Under state law, such information is restricted to candidates, elected officials and political party chairmen. Those who acquire such lists must sign a statement agreeing not to share the information with anyone else. Violation of the law is a felony.



Even the good ones can get better. Note that they did detect the breach as part of their “routine” security. However, they apparently didn't log activity, so they don' t know what was accessed. The applications from 2000 likely should have been archived when they were no longer “active” and deleted if no longer “required” but that is the Record Retention group's problem, not Security.

http://www.databreaches.net/?p=8733

EIU warns of student data security breach

December 4, 2009 by admin Filed under Breach Incidents, Education Sector, Malware, U.S.

From the Associated Press:

Eastern Illinois University says someone outside the school may have broken into files containing personal information from about 9,000 current and former students and applicants.

The university on Friday said it found a number of viruses on a server used by the university’s admissions office that could have provided outside access. Technology workers believe someone had such access between Nov. 11 and Nov. 16. But they aren’t sure if any of the files were accessed.

Read more on WAND-TV.

The Notice to Students on the university’s web site says:

On Nov. 16, 2009, routine security monitoring uncovered odd activity from a computer on campus. An investigation revealed that this computer had been compromised on Nov. 11, 2009, by malware that could have allowed an external individual to access and control the computer.

It’s good that they picked it up relatively quickly and followed up. What’s not so good is this part:

This incident affected some individuals who applied to Eastern Illinois University electronically between 2000 and 2009. Not everyone who applied electronically during this time was affected.

Why were applications from 2000 still on the computer instead of having been removed from the network after that length of time?



Interesting question. What does a breach victim need to know to protect themselves?

http://www.databreaches.net/?p=8596

Was Lockheed Martin breach notification intentionally vague?

December 4, 2009 by admin Filed under Breach Incidents, Business Sector

If Steve Regan of The Tech Herald thought Alpha Software’s breach notification was bland, I wonder what he thinks of Lockheed Martin’s recent breach notification.

On November 6, Lockheed Martin sent out a breach notification that began:

Dear

As part of Lockheed Martin’s continued vigilance of personal information privacy matters, I am writing to inform you about an incident that resulted in the potential compromise of your personal information.

After containing the incident, which occurred in April 2009, the Corporation took prudent measures to conduct a thorough analysis of the incident and implement solutions to deter future occurrences.

Really. There was no explanation of what the incident involved. Nor did the notification to the New Hampshire Attorney General’s Office contain even a clue as to the nature of the incident or why it took from April 2009 until November 6 to notify them or the individual(s).

Is Lockheed Martin being intentionally vague because of an ongoing investigation, did they accidentally omit a paragraph explaining the incident, or is something else going on? Can a recipient really assess the risk they face without some sense of what happened?



Like shrink wrap licenses?

http://www.pogowasright.org/?p=5988

Terms of (Ab)use: Are Terms of Service Enforceable?

December 5, 2009 by Dissent Filed under Internet

Ed Bayley of EFF writes:

In the first of a series of white papers on Terms of Service (TOS) issues, EFF today released The Clicks That Bind: Ways Users “Agree” to Online Terms of Service. The paper aims to answer a fundamental question: when do these ubiquitous TOS agreements actually become binding contracts? We discuss how courts have reacted to efforts by service providers to enforce TOS, and suggest best practices for service providers to follow in presenting terms to a user and for seeking his or her agreement to them.

The white paper examines both clickwrap agreements—whereby service providers require the user to click an “I Agree” button next to the terms—and browsewrap agreements—whereby service providers try to characterize one’s continued use of the website as constituting “agreement” to a posted set of terms. While neither method automatically creates enforceable contracts, some presentations may still be upheld even if the user never actually reads and understands the terms. The key is whether the service provider allows the user reasonable notice and opportunity to review the terms before using the website or service.

Of course, just because a TOS creates an enforceable agreement, does not mean that every provision of the TOS will be enforced by a court. In our next white paper, we’ll examine which particular provisions are most unfair to consumers, including provisions that have aroused the skepticism of courts and regulators.



I love it when someone shouts “The Emperor has no clothes!” (Or more properly, “Show me the data!”)

http://arstechnica.com/tech-policy/news/2009/12/bandwidth-hogs-dont-even-exist-says-analyst.ars

"Bandwidth hogs" join unicorns in realm of mythical creatures

One analyst has had it with Internet data caps. Bandwidth hogs are a myth, he says, and caps simply penalize heavy users who cause no problems for others. Now, he's throwing down the gauntlet and challenging ISPs to turn over some data for analysis.

By Nate Anderson Last updated December 3, 2009 7:25 PM

… Felten's basic critique concerns bandwidth caps—not because they exist, but because he sees them as disingenuous. Carriers can use them as a way to control bandwidth and wean people away from what the marketing department implicitly promises: all-you-can-surf Internet access for one monthly fee. The caps are sold as cutting off "bandwidth hogs" who use "more than their fair share," but Felten's take is that ISPs really have no idea if these people are causing any sort of actual congestion at all.

… Unfortunately, to the best of our knowledge, the way that telcos identify the Bandwidth Hogs is not by monitoring if they cause unfair traffic congestion for other users. No, they just measure the total data downloaded per user, list the top 5 percent and call them hogs."



A more rational explanation. Perhaps they are telling other countries that “the American people are behind us on this?”

http://www.wired.com/threatlevel/2009/12/feds-fear-acta-scrutiny/

Report: U.S. Fears Public Scrutiny Would Scuttle IP Treaty Talks — Update

By David Kravets December 4, 2009 4:16 pm

… But we now know that the real reason for secrecy, the one suspected all along, was that the United States does not think it could reach an accord with Europe and the nearly dozen other nations if the proposal came under public scrutiny.



Geeky stuff?

http://www.techcrunch.com/2009/12/04/meet-pivot-microsofts-newest-data-visualization-tool/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

An In-Depth Look At Pivot, Microsoft’s Newest Data Visualization Tool

by Leena Rao on December 4, 2009

At Microsoft’s PDC event a few weeks ago, Microsoft Live Labs introduced a new technology, called Pivot, to make sense of interconnectedness between objects on the web. The underlying premise of Pivot is to view relationships between “collections” of individual information on the the web.

… Windows XP is not supported at this time.



When bureaucracies attack! Automation gone bad?

http://www.techcrunch.com/2009/12/04/fda-imac/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

Dear FDA, Gimme My iMac

by MG Siegler on December 4, 2009

… As of yesterday, my new Apple iMac was to be delivered at some point this afternoon. But alas, it was not to be. But the reason why is a truly great WTF moment. Apparently, the U.S. Food and Drug Administration has to approve its delivery to me.

… I don’t want to believe that either UPS or the U.S. Government are so stupid as to think that my Apple computer is actually an apple, but I can’t come up with any other explanation



The first 100 each month are free

http://www.killerstartups.com/Web-App-Tools/convert-io-a-new-tool-for-the-conversion-of-documents?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+killerstartups%2FBkQV+%28KillerStartups.com%29

Convert.io - A New Tool For The Conversion Of Documents

http://www.convert.io/

It could be said that Convert.io is a simple document conversion service that was designed with the intention to optimize all the processes involving a large amount of files. This is a simple service that will help users to save time and energy by simplifying these processes with a secure open interface.

Friday, December 04, 2009

They probably scanned the documents to make storage easier. It is also easy to find and read a single record, but reviewing all of them is like looking at paper documents.

http://www.databreaches.net/?p=8715

Health Net notifies New Hampshire that 504 residents affected

December 3, 2009 by admin Filed under Breach Incidents, Healthcare Sector, Lost or Missing, U.S.

Health Net’s notification to the New Hampshire Attorney General’s Office is now available online (pdf). Dated November 23, the letter states that although the files on the lost portable hard drive were not encrypted as they should have been, because they were image-only format files of scanned documents, they would be difficult to view. [If memory serves, these were scanned documents. Like those prepared for electronic discovery, they were most likely TIFF files. I just did a Google search on “TIFF viewer” and got 2.9 million hits, the first of which was a plugin for browsers. Bob] The files contained names, addresses, phone numbers, Social Security numbers, and possibly protected health information and financial information of 504 New Hampshire residents.

Health Net noted that because of the image format, it had taken them a long time to identify whose records were involved and that as of November 23, the process was still not complete.



Less quantity, more quality?

http://www.databreaches.net/?p=8691

Many More Government Records Compromised in 2009 than Year Ago, Report Claims

December 3, 2009 by admin Filed under Commentaries and Analyses, Government Sector

Hilton Collins reports:

If you’re bummed about the data in your department that just got breached, you have some cold comfort. Although the combined number of reported data breaches in the government and the military has dropped in 2009 compared to last year, many more records were compromised in those breaches, according to recent figures compiled by a California nonprofit.

As of Tuesday, Dec. 1., the Identity Theft Resource Center (ITRC) reported 82 breaches in U.S. government and military organizations. Although the year isn’t over, that’s fewer than the 110 that occurred in 2008.

But here’s the catch: The breaches so far in 2009 have compromised more than 79 million records, whereas fewer than 3 million were hacked in 2008. A sobering upswing, to say the least.

Read more on Government Technology.


(Related) Letting the computer do the work...

http://www.databreaches.net/?p=8717

Malware rebounds as cause of data loss

December 4, 2009 by admin Filed under Commentaries and Analyses, Malware

The 2009 CSI Computer Crime and Security survey identified a number of shifts in significant cybersecurity threats this year. Malware infections jumped to 64% from 50%, reversing a dip in the number of companies experiencing malware infections that started in 2005. That year, the figure was 74%.

Other significant changes were an almost doubling in the percentage of companies that experienced password sniffing attacks, from 9% last year to 17% this year. And the percentage of respondents reporting financial fraud increased from 12% last year to one in five companies in 2009.

Read more on InfoSecurity.com


(Related)

http://www.databreaches.net/?p=8698

Top Experts Examine Causes Of Breaches In Spy Museum Forensics Panel

December 3, 2009 by admin Filed under Commentaries and Analyses

Tim Wilson writes:

Here at the U.S. Spy Museum, breaches are taken seriously. And in a panel held here last night, four top security experts had some serious advice for enterprises and security professionals.

[...]

If companies are going to defend themselves against the onslaught of attacks, panelists said, they need to change the way they approach the security problem. Carr observed that the Heartland breach — which turned out to be one of some 300 compromises orchestrated by a single group of attackers — might have been detected and stopped much earlier if companies and law enforcement agencies had shared the information they had about the SQL injection malware that was responsible for the leaks.

“After it happened, I contacted the other payment systems companies and offered to share the malware with them so that they would know what to look out for,” Carr said. “That was the beginning of something. We’re now sharing data between us, even though many of us are bitter competitors in the market. Some of them ran scans for the malware and found it on their systems. We’ve had the FBI come to us and share malware with us, as well. These are things that might never have happened a year ago.”

[...]

Companies also should be prepared for the possibility that even their best defenses will be compromised, the experts said. “At Heartland, we built a transaction network that was completely separate from our corporate network,” Carr said. “But we were breached from the corporate network. It took the hackers about six months to find a way to get into our payment network from our corporate network, but they found it.” [Interesting. Isn't this a change of tune? I thought they had been had through the aggregators (where the card swipe machines were routed to their headquarters.) Bob]

Read the full story on Dark Reading.



Probably too boring to watch, but we could record the webcast and cut to the good parts (if any)

http://www.pogowasright.org/?p=5953

FTC To Host Privacy Roundtable

December 4, 2009 by Dissent Filed under Govt, Other

WHAT: The Federal Trade Commission will host the first of three public Roundtables to explore the privacy challenges posed by technology and business practices that collect and use consumer data. This first roundtable will focus on the benefits and risks of information-sharing practices, consumer expectations regarding such practices, behavioral advertising, information brokers, and the adequacy of existing legal and self-regulatory frameworks. The updated agenda and other information about the Roundtable is at http://www.ftc.gov/bcp/workshops/privacyroundtables/index.shtml

WHEN: Monday, December 7, 2009 8:30 AM – 6:00 PM

WHERE: FTC Conference Center 601 New Jersey Avenue N.W. Washington, DC 20580

The Roundtable is free and open to the public. Pre-registration is not required. Members of the public and press who wish to participate but cannot attend can view a live Webcast.



Automating the complaint process should ensure that more Privacy complaints are filed but will that have an impact?

http://www.pogowasright.org/?p=5935

CDT makes it easier to file privacy complaints

December 3, 2009 by Dissent Filed under Businesses, Featured Headlines, Internet

As part of its new “Take Back Your Privacy” privacy initiative, CDT has launched a Privacy Complaint Tool to facilitate consumers filing complaints with the Federal Trade Commission about web sites or products or services that they believe are violating privacy.

[From the CDT website:

When you join the privacy campaign, we’ll keep you informed about the major developments in Internet user privacy – whether they occur in Capitol Hill meeting rooms or Silicon Valley boardrooms. We’ll also tip you off to opportunities to make your voice heard, both by lawmakers and by the companies that collect our personal information.



For some reason, we've been seeing lots of detail about the type and amount of information telecoms and Internet providers keep and are sharing with law enforcement.

http://www.pogowasright.org/?p=5926

Yahoo!’s guide for LEAs revealed

December 3, 2009 by Dissent Filed under Featured Headlines, Internet, Surveillance

Cryptome has posted a number of compliance guides for law enforcement agents seeking customer or subscriber information from Cox, Cricket, GTE, and Yahoo!, and other providers. While some of the files may be outdated by now, the Yahoo! guide is from December 2008, and Yahoo is trying to get it removed from Cryptome’s site.

Yesterday, Yahoo!’s lawyers sent a DMCA take down notice to Cryptome setting noon today as the time by which the file must be removed. As of the time of this posting, which is after their “high noon” deadline, the file is still available on the site.

Although I don’t spot any “smoking guns” in Yahoo!’s guide, it does reveal exactly what kinds of information Yahoo! retains and can make available to law enforcement and what they charge for particular services. As noted yesterday, Chris Soghoian had attempted to obtain some of the pricing information under freedom of information requests and Yahoo! had strongly objected, citing not only trade secrets arguments but the notion that Chris would use the information to “shame” them or attempt to shame them.

In any event, it seems that this particular kitty’s out of the bag now, as Cryptome is not the only site hosting the compliance guide and it’s probably been downloaded by numerous people by now as links to the sites have been posted around the web and on mail lists.

While it may be small consolation to Yahoo!, compared to other guides from other providers, theirs is pretty clearly written and designed to be actually helpful to law enforcement in terms of describing exactly what kinds of data they have available and for how long, etc. As to their prices, well, if you need information from a provider because that provider has information on an individual, does a competitor’s pricing really even come into play?



Not a typical article for this blog, but I asked myself if technology (in this case the Internet) changes the impact of certain crimes or violations of law or regulation? Is this young man's harm greater because this disclosure is “global?”

http://www.pogowasright.org/?p=5949

Teen sues over ID in online arrest log

December 4, 2009 by Dissent Filed under Court, Internet, Youth

Amanda Pinto reports:

In what may be the first lawsuit of its kind in the state, a Rhode Island man is suing the town because he was listed in an online arrest log when he was 17 years old, which is not permitted by law.

The plantiff, now 18, is identified in the suit as John Doe to protect his privacy. State law mandates that arrest records for people under the age of 18 “shall be confidential and shall not be open to public inspection,” his attorney, Diane Polan of New Haven, wrote in the suit.

Polan and other law scholars said the case is unique.

“In my experience, (police) are scrupulous about this, following the state law,” Polan said. “I’ve never heard of this happening.”

Once it did happen, in this “age of Internet privacy invasion” police could not put the genie back in the bottle, Polan said.

According to the lawsuit filed in Superior Court in New Haven, the information remained on the Web site for nearly one year, and is now available on other Web sites.

Read more in the New Haven Register.



Unlikely, but a possibility. Won't that drive the telecoms crazy!

http://www.livescience.com/technology/091202-google-phone-free-service-voip.html

Google Phone Could Mean Free Mobile Phone Service

By Leslie Meredith, TopTenREVIEWS posted: 02 December 2009 05:06 pm ET



We had the same thing when I was growing up, but we called it mooning.

http://www.wired.com/threatlevel/2009/12/sexting-survey?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Survey: One-Third of Youths Engage in Sexting

By Kim Zetter December 3, 2009 7:00 am



For the Swiss Army folder, my statistics students and perhaps a few climate change politicians?

http://www.wired.com/wiredscience/2009/12/download-robot-scientist/

Download Your Own Robot Scientist

By Brandon Keim December 3, 2009 1:35 pm

… Eureqa, a program that distills scientific laws from raw data, is freely available to researchers.

… Lipson made Eureqa available for download early in November, after being overwhelmed by requests from scientists who wanted him to analyze their data.



For the Hacking folder.

http://it.slashdot.org/story/09/12/04/0413235/Malware-Could-Grab-Data-From-Stock-iPhones?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Malware Could Grab Data From Stock iPhones

Posted by timothy on Friday December 04, @01:20AM from the swamp-of-bog-standard dept.

Ardisson writes

"Swiss iPhone developer Nicolas Seriot presented last night a talk on iPhone Privacy in Geneva. He showed how a malicious application could harvest personal data on a non-jailbroken iPhone (PDF) and without using private APIs. It turns out that the email accounts, the keyboard cache content and the WiFi connection logs are fully accessible. The talk puts up several recommendations. There is also a demo project on github."



Also for the Hacking folder.

http://www.thetechherald.com/article.php/200949/4879/New-software-will-break-BitLocker-encryption

New software will break BitLocker encryption

by Steve Ragan - Dec 3 2009, 17:00

The protection offered by Microsoft’s BitLocker technology might be for naught, if a password recovery and decryption vendor has their say. Passware, who counts Microsoft, Apple, Intel, and the IRS among their clients, has released a new version of Passware Kit Forensic, and one of the new features is the ability to take down BitLocker in minutes.

… “Full-disk encryption was a major problem for investigators,” said Dmitry Sumin, Passware President. “We have been able to provide police, law enforcement, and private investigators [And hackers! Don't forget us hackers! Bob] with a tool that allows bypassing BitLocker encryption for seized computers.”

… Moreover, the software is available for anyone who wants it, if they spend almost $800.00 USD for it.

Thursday, December 03, 2009

Perhaps we were never serious about protecting Health records? Perhaps management isn't that interested.

http://www.phiprivacy.net/?p=1574

Healthcare Data Breaches Slow To Surface

By Dissent, December 3, 2009 8:31 am

Doug Pollack, Chief Marketing Officer for ID Experts, wrote the following article, questioning why we’re not yet seeing any reports of breaches affecting 500 or more posted to HHS’s website under the provisions of HITECH that went into effect September 23. Keeping in mind that not all breaches involving healthcare organizations involve unsecured protected health information, that it takes time to figure out a breach and report it, that HHS gave entities an “out” by inserting a “harm threshold” that Congress did not want or legislate, and that HHS may not have anyone dedicated to updating their web site, I’m not particularly surprised that we’re not seeing anything on HHS’s web site yet. But like Doug, I keep watching their site, too.

… I noticed that the Identity Theft Resource Center (ITRC) 2009 ITRC Breach Report, a terrific compendium of public information from numerous sources on data breach incidents, had captured numerous healthcare data breaches since the September 23rd effective date.

And of course there have been several very high profile healthcare data breaches recently including the Blue Cross Blue Shield Assocation breach that affected over 850,000 of their medical providers, as well as the recent Health Net data breach affecting over 1.5MM individuals.

So with great anticipation I visited the HHS website where there is a section on the Breach Notification Rule and clicked on the following link:

“View Breaches Affecting 500 or More Individuals. OCR must post a list of breaches that affect 500 or more individuals. View a list of these breaches.”

And surprisingly, there was nothing there.



Rant on, brother! See? It's not just me. (What kind of organization would deliberately reduce their security?)

http://news.cnet.com/8301-31114_3-10407961-258.html?part=rss&subj=news&tag=2547-1_3-0-20

Character limitations in passwords considered harmful

by Jonathan Eunice December 2, 2009 4:09 PM PST

For about the 4,000th time in the last five years, I tried to sign up for a new Web service, but it wouldn't accept my proposed password. Apparently, the site operators decided that passwords should contain only letters and numbers. Aarrrrgh! This isn't the first time I've seen this idiocy, and it won't be the last. But it should be.

Guidelines on how to construct a strong password almost uniformly recommend using a mixture of upper and lower case letters, numbers, and symbols. Tools for generating passwords (for example, strongpasswordgenerator.com) encourage the use of symbols. There's even a mathematical formula that precisely calibrates how much more unguessable symbols make a password. So why don't sites support symbols in passwords? It makes no sense.

… One good solution is using a password generator, such as PasswordMaker. Give it a Web site's URL, as well as a master password; it hands back a strong password such as Ga9i)t|Z that's unique to that site. A hundred different Web sites? No problem! A hundred different passwords, each of them very strong, yet the user has to remember just one (or for the very paranoid, a few) master passwords. For those using Firefox, there's even a plug-in; give it your master password once (per browsing session), and a single keypress automatically fills in the correct strong password whenever it's needed. It's not quite smart card or SecurID strong, but it's plenty strong for most uses, yet easy.



It's always wise to have a sound historical perspective. I think I'll have my students concentrate on how Jay Gould read every telegram relating to markets he invested in.

http://arstechnica.com/tech-policy/news/2009/12/how-the-robber-barons-hijacked-the-victorian-internet.ars

How Robber Barons hijacked the "Victorian Internet"

Ars revisits those wild and crazy days when Jay Gould ruled the telegraph and Associated Press reporters helped fix presidential elections. Is government supervision really the worst thing that can happen to a communications network?

By Matthew Lasar Last updated December 2, 2009 8:11 AM



Another “history”

http://www.bespacific.com/mt/archives/022922.html

December 02, 2009

CRS: The Market Structure of the Health Insurance Industry

The Market Structure of the Health Insurance Industry, D. Andrew Austin - Analyst in Economic Policy, Thomas L. Hungerford - Specialist in Public Finance. November 17, 2009

  • "Congress is now considering several proposals to reform the U.S. health care system and address the twin challenges of constraining rapid growth of health care costs and expanding access to high-quality health care. This report discusses how the current health insurance market structure affects the two policy goals of expanding health insurance coverage and containing health care costs. Concerns about concentration in health insurance markets are linked to wider concerns about the cost, quality, and availability of health care. The market structure of the health insurance and hospital industries may have played a role in rising health care costs and in limiting access to affordable health insurance and health care."


(Related) These are the services that want to hold our health records for us. Worth reading the article to see what they considered important for patient privacy. Can we improve on the criteria?

http://www.phiprivacy.net/?p=1560

Patient Privacy Rights grades PHRs

By Dissent, December 2, 2009 2:01 pm

Patient Privacy Rights has issued a privacy-oriented report card on some of the available PHRs (personal health records). For those who prefer to cut to the bottom line, the grades issued were as follows:

CapMed- icePHR: C

Google Health D/F [Platform Grade: D, Partners Grade: F]

Microsoft HealthVault B/F [Platform Grade: B, Partners Grade: F]

NoMoreClipboard: A [Who are these guys? Bob]

WebMD: C

PHRs Offered by Employers and Insurers: F

Detailed report cards for each PHR are available on their site.



It's not standing in front of the tanks in Tienanmen Square, but it does take courage. Conflicts in law (some based on logic, some based on lobbying) need to be resolved.

http://yro.slashdot.org/story/09/12/02/1913213/Danish-DRM-Breaker-Turns-Himself-In-To-Test-Backup-Law?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Danish DRM Breaker Turns Himself In To Test Backup Law

Posted by timothy on Wednesday December 02, @02:53PM from the impure-impurity-and-impureness dept.

coaxial writes

"In Denmark, it's legal to make copies of commercial videos for backup or other private purposes. It's also illegal to break the DRM that restricts copying of DVDs. Deciding to find out which law mattered, Henrik Anderson reported himself for 100 violations of the DRM-breaking law (he ripped his DVD collection to his computer) and demanded that the Danish anti-piracy Antipiratgruppen do something about it. They promised him a response, then didn't respond. So now he's reporting himself to the police. He wants a trial, so that the legality of the DRM-breaking law can be tested in court."



Are the phone companies doomed? (Should I short their stock?)

http://yro.slashdot.org/story/09/12/03/1318218/FCC-Preparing-Transition-To-VoIP-Telephone-Network?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

FCC Preparing Transition To VoIP Telephone Network

Posted by CmdrTaco on Thursday December 03, @08:46AM from the only-a-matter-of-time dept.

communications

mantis2009 writes

"The US Federal Communications Commission (FCC) published a request for public comment (pdf) on an upcoming transition from the decades-old circuit-based Public Switched Telephone Network to a new system run entirely with Voice over Internet Protocol (VoIP) technology. This is perhaps the most serious indication to date that the legacy telephone system will, in the near future, reach the end of its life. This public commenting phase represents a very early stage in what will undoubtedly be a very complex transition that makes this year's bumpy switch from analog to digital television look relatively easy."



Toward ubiquitous surveillance. “Why hire someone to do what we can do with a video camera and computer? (and a bunch of third worlders working for pennies per day.””

http://www.techcrunch.com/2009/12/02/retel-technologies-raises-1-million-for-surveillance-video-analytics/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

ReTel Technologies Raises $1 Million For Surveillance Video Analytics

by Leena Rao on December 2, 2009

… ReTel’s flagship product, ConstantAudit, provides video surveillance analysis for stores and restaurants. The startup uses security camera feeds to deliver interesting metrics and data such as table cleanliness, service times, and employee activities. ReTel delivers human tested analytics using paid micro-tasks on services like Mechanical Turk to break down data from the videos. This enables the company to deliver sophisticated reports that include data points such as male vs. female ratios, instances of theft by employees, and other actions that only humans can get right.


(Related) Surveillance tools. All that is not forbidden is mandatory.

http://tech.slashdot.org/story/09/12/03/0247228/FCC-Lets-Radar-Company-See-Through-Walls?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

FCC Lets Radar Company See Through Walls

Posted by samzenpus on Thursday December 03, @07:55AM from the x-ray-specs dept.

DesertNomad writes

"Attorney Mitchell Lazarus over at CommLawBlog gives a good overview of a new radar technology and the challenges of getting regulatory approval, which seemingly can be just as difficult as developing the technology itself."



For my iPod-using friends.

http://www.makeuseof.com/tag/the-itunesgodfather-from-organized-crime-to-organized-music-windows/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Makeuseof+%28MakeUseOf.com%29

The iTunes Godfather: From Organized Crime to Organized Music [Windows]

Dec. 3rd, 2009 By April Dee

… Apple seems to think it’s hilarious to rename all of your iTunes music files on the iPod’s hard drive to a lovely mess of nonsensical, completely unorganized file names that renders your music unrecognizable. Thanks to The Godfather, though, I dread this task no more.



I like lists. Let someone else do the aggregation, I get to skim through and find the gems. “Lists is like a box of chocolates. You never know what you're gonna git.” F. Gump

http://www.techcrunch.com/2009/12/03/twitter-amiando-playfish-technology-pioneers/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

Twitter, Amiando, Obopay, And Playfish Are Named Technology Pioneers By The World Economic Forum

by Erick Schonfeld on December 3, 2009



Hacker tools or Swiss Army folder. Because “protected” PDFs don't allow me to plagiarize their words.

http://freemypdf.com/

FreeMyPDF

Use this site to remove passwords and restrictions (such as printing, copying text, etc.) from PDFs.

Note: This only works for PDFs that you can open and read without any 3rd party plugins. PDFs that require a password to be viewed cannot be unlocked by this service.

Wednesday, December 02, 2009

An interesting management question...

http://www.databreaches.net/?p=8635

KS: Wichita Student Private Information Online

December 1, 2009 by admin Filed under Breach Incidents, Education Sector, Exposure, U.S.

Deb Farris reports:

Many Wichita parents are angry after learning their children’s names, ages, addresses and phone numbers are listed on an internet web site.

[...]

We tracked it down to the Wichita school district. The website is used to make maps and give directions. A spokesperson for the district says in the fall the Instructional Support Center made the list and the maps so teachers and staff could go door to door welcoming the students back. But the CEO of Community Walk says the district forgot to set the program to private, thus making all the information public.

Community Walk is working closely with the Wichita School District to get the names removed from the site. USD 259 says it didn’t put the names on the site publicly intentionally, and it is doing everything it can to correct the problem.

If your child’s name is on the site, the school district wants you to inform your child’s principal to get it removed.

Read more on KAKE.com

Why should parents have to inform the principal? Since the district is already aware of the problem, they should have secured the file and contacted Google to initiate any emergency cache removal procedures, if necessary.



Privacy, re-thunk?

http://www.pogowasright.org/?p=5901

Facebook changes privacy settings

December 2, 2009 by Dissent Filed under Featured Headlines, Internet

The following is part of an open letter posted by Facebook founder Mark Zuckerberg yesterday:

Facebook’s current privacy model revolves around “networks” — communities for your school, your company or your region. This worked well when Facebook was mostly used by students, since it made sense that a student might want to share content with their fellow students.

Over time people also asked us to add networks for companies and regions as well. Today we even have networks for some entire countries, like India and China.

However, as Facebook has grown, some of these regional networks now have millions of members and we’ve concluded that this is no longer the best way for you to control your privacy. Almost 50 percent of all Facebook users are members of regional networks, so this is an important issue for us. If we can build a better system, then more than 100 million people will have even more control of their information.

The plan we’ve come up with is to remove regional networks completely and create a simpler model for privacy control where you can set content to be available to only your friends, friends of your friends, or everyone.

We’re adding something that many of you have asked for — the ability to control who sees each individual piece of content you create or upload. In addition, we’ll also be fulfilling a request made by many of you to make the privacy settings page simpler by combining some settings. If you want to read more about this, we began discussing this plan back in July.

Since this update will remove regional networks and create some new settings, in the next couple of weeks we’ll ask you to review and update your privacy settings. [Users will need a much more detailed guide and some incentive, since they haven't paid much attention to Privacy so far. Bob] You’ll see a message that will explain the changes and take you to a page where you can update your settings. When you’re finished, we’ll show you a confirmation page so you can make sure you chose the right settings for you. As always, once you’re done you’ll still be able to change your settings whenever you want.

We’ve worked hard to build controls that we think will be better for you, but we also understand that everyone’s needs are different. We’ll suggest settings for you based on your current level of privacy, but the best way for you to find the right settings is to read through all your options and customize them for yourself. I encourage you to do this and consider who you’re sharing with online.


(Related) Why Mom and Dad might want to review those Privacy Settings?

http://www.wired.com/epicenter/2009/12/thousands-of-sex-offenders-booted-from-facebook-myspace/?utm_source=feedburner

Thousands of NY Sex Offenders Booted From Facebook, MySpace

By Eliot Van Buskirk December 1, 2009 11:27 am

Facebook and MySpace have terminated the accounts of 3,533 convicted sex offenders in the state of New York after they submitted their account information to the state under 2008’s Electronic Security and Targeting of Online Predators Act (e-STOP) law, the New York Daily News reports.

The law requires the state’s 30,000 convicted sex offenders to file their home, e-mail and social networking addresses with the state. Out of that pool, only about 27 percent revealed e-mail addresses or social-networking usernames to authorities, and only 10 percent divulged a Facebook or MySpace username.

… The e-STOP system only works if criminals volunteer their social networking identities, as they are required to do within 10 days of creating a new account under penalty of new felony charges. Proponents of the law have declared it a success.



A guide for future Computer Security dissertations?

http://www.pogowasright.org/?p=5870

8 Million Reasons for Real Surveillance Oversight

December 1, 2009 by Dissent Filed under Featured Headlines, Internet, Surveillance, U.S.

Chris Soghoian blogs:

Disclaimer: The information presented here has been gathered and analyzed in my capacity as a graduate student at Indiana University. This data was gathered and analyzed on my own time, without using federal government resources. This data, and the analysis I draw from it will be a major component of my PhD dissertation, and as such, I am releasing it in order to receive constructive criticism on my theories from other experts in the field. The opinions I express in my analysis are my own, and do not necessarily reflect the views of the Federal Trade Commission, any individual Commissioner, or any other individual or organization with which I am affiliated.

All of the mp3 audio recordings & pdf FOIA scans included on this page can be found in this .zip file (100Mb). Please mirror! [OK, Chris, now mirrored here-- Dissent]. […]

Executive Summary

Sprint Nextel provided law enforcement agencies with its customers’ (GPS) location information over 8 million times between September 2008 and October 2009. This massive disclosure of sensitive customer information was made possible due to the roll-out by Sprint of a new, special web portal for law enforcement officers.

The evidence documenting this surveillance program comes in the form of an audio recording of Sprint’s Manager of Electronic Surveillance, who described it during a panel discussion at a wiretapping and interception industry conference, held in Washington DC in October of 2009.

It is unclear if Federal law enforcement agencies’ extensive collection of geolocation data should have been disclosed to Congress pursuant to a 1999 law that requires the publication of certain surveillance statistics — since the Department of Justice simply ignores the law, and has not provided the legally mandated reports to Congress since 2004. [...]

Read Chris’s fascinating and troubling findings and analyses on his blog. The “Follow the Money” section is particularly intriguing, but the bottom line seems to be that we don’t know what we don’t know because they’re not telling us everything they should tell us and they’re not required to tell us everything we’d want to know to have an informed policy discussion on surveillance.


(Related)

http://www.wired.com/threatlevel/2009/12/wiretap-prices/

Yahoo, Verizon: Our Spy Capabilities Would ‘Shock’, ‘Confuse’ Consumers

By Kim Zetter December 1, 2009 3:30 pm


(Related) Update

http://www.pogowasright.org/?p=5894

Blog post on 8 million law enforcement requests causes online furor

December 2, 2009 by Dissent



We need articles like this from the B-schools, not lawyers. (It takes a smart lawyer to recognize this.)

http://www.pogowasright.org/?p=5899

11 Reasons Why Privacy Helps the Bottom Line

December 2, 2009 by Dissent Filed under Businesses

Lawyer David Bender writes:

In dire economic times such as these, companies are scouring their internal functionalities seeking ways to run “leaner and meaner.” Operations and personnel that do not ostensibly contribute to profit are at risk. And nowhere are employees more vulnerable than in New York City, the nation’s center for financial services, an industry particularly devastated.

Because the influence of privacy on profit is not immediately apparent, managers searching for excisable fat will doubtless be attracted to the privacy function, concluding that it makes no contribution to the bottom line. But although many view privacy solely as a legal concept, it often provides important commercial benefits. Where privacy does indeed contribute to profit, chopping away at privacy will be counterproductive, slicing off meat and bone, rather than fat. If management is not educated to this fact, the privacy function will be at unnecessary risk.

There are 11 reasons why privacy may benefit the bottom line, which should be raised with management.

Read more on Law.com.



Newspapers seem to win little here.

http://yro.slashdot.org/story/09/12/02/0224250/Google-May-Limit-Free-News-Access?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Google May Limit Free News Access

Posted by kdawson on Wednesday December 02, @05:21AM from the bend-like-a-willow dept.

You know how, if you want to read a paywalled newspaper article, you can just paste its title into Google News and get a free pass? Those days may be coming to an end. Reader Captian Spazzz writes: "It looks like Google may be bowing to pressure from folks like News Corp.'s Rupert Murdoch. What I don't understand is what prevents the websites themselves from enforcing some limit. Why make Google do it?" (Danny Sullivan explains how they could do that.)

"Newspaper publishers will now be able to set a limit on the number of free news articles people can read through Google, the company has announced. The concession follows claims from some media companies that the search engine is profiting from online news pages. Publishers will join a First Click Free programme that will prevent web surfers from having unrestricted access. Users who click on more than five articles in a day may be routed to payment or registration pages."



Does this sound familiar?

http://it.slashdot.org/story/09/12/01/1957200/SarBox-Lawsuit-Could-Rewrite-IT-Compliance-Rules?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

SarBox Lawsuit Could Rewrite IT Compliance Rules

Posted by kdawson on Tuesday December 01, @03:45PM from the sluice-gate-to-security-spending dept.

dasButcher notes that the Supreme Court will hear arguments next week brought by a Nevada accounting firm that asserts the oversight board for the Sarbanes-Oxley Act is unconstitutional. If the plaintiffs are successful, it could force Congress to rewrite or abandon the law used by many companies to validate tech investments for security and compliance.

"Many auditing firms have used [Sarbanes-Oxley Section] 404 as a lever for imposing stringent security technology requirements on publicly traded companies regulated by SOX and their business partners. SOX security compliance has proven effective for vendors and solution providers, as it forces regulated enterprises to spend billions of dollars on technology that, many times, doesn’t prevent security incidents but does make them compliant with the law."



Some Pirates are Capitalists. This does not mean that all Capitalists are Pirates! What a business model!

http://news.slashdot.org/story/09/12/02/0130216/Somali-Pirates-Open-Up-a-Stock-Exchange?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Somali Pirates Open Up a "Stock Exchange"

Posted by kdawson on Tuesday December 01, @11:29PM from the send-in-the-sba dept.

reginaldo writes to clue us that pirates in Somalia have opened up a cooperative in Haradheere, where investors can pay money or guns to help their favorite pirate crew for a share of the piracy profits.

"'Four months ago, during the monsoon rains, we decided to set up this stock exchange. We started with 15 "maritime companies" and now we are hosting 72. Ten of them have so far been successful at hijacking,' Mohammed [a wealthy former pirate who took a Reuters reporter to the facility] said. ... Piracy investor Sahra Ibrahim, a 22-year-old divorcee, was lined up with others waiting for her cut of a ransom pay-out after one of the gangs freed a Spanish tuna fishing vessel. 'I am waiting for my share after I contributed a rocket-propelled grenade for the operation,' she said, adding that she got the weapon from her ex-husband in alimony. 'I am really happy and lucky. I have made $75,000 in only 38 days since I joined the "company."'"



Oh shock! What the users have been telling us is true! Hard to believe that AT&T used to BE the phone industry.

http://gizmodo.com/5416389/att-comes-in-last-in-consumer-reports-study-that-surprises-no-one

AT&T Comes in Last in Consumer Reports Study That Surprises No One

Here's some news anyone with an iPhone could have told you: AT&T delivers crappy service that its customers hate. But this news comes from a reputable source, Consumer Reports, instead of the usual whiny friends.

Yes, in 19 of the 26 cities surveyed, AT&T was ranked dead last in every category. Verizon was ranked the best, followed by T-Mobile, then Sprint and then, of course, bringing up the rear is our friend AT&T. You can compare their results to the results of our own nationwide 3G test here.



Now we know what happened to all that medical marijuana!

http://www.nytimes.com/2009/12/02/us/02denver.html

Attention All ETs, Denver May Be the Place for You

By KIRK JOHNSON Published: December 1, 2009

DENVER — Oh, the tangled protocols of interplanetary contact. What should human beings do when aliens from other worlds happen by the neighborhood?

It is a subject about which Denver might gain a decided advantage over less-far-thinking rival cities if enough people vote yes next year on a ballot proposal to create an Extraterrestrial Commission.

The city’s clerk and recorder said in a letter released Tuesday that backers of an ET Commission had gathered enough signatures to guarantee a spot for their idea on the ballot in a statewide primary on Aug. 10.



For the Swiss Army folder

http://www.makeuseof.com/dir/manuals-search-engine-software-manuals/

Manuals-Search-Engine: Download Free Tech & Software Manuals Online

Download free tech & software manuals online. Currently indexes over 900.000 free manuals. Search and browse manuals on a tag cloud. Download and save manuals as PDFs.

Check out Manuals-Search-Engine @ www.manuals-search-engine.com



For my Disaster Recovery class.. Honest!

http://www.makeuseof.com/tag/destroy-all-zombies-3-the-encore-an-awesome-flash-game/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Makeuseof+%28MakeUseOf.com%29

Destroy All Zombies 3 – The Encore. An Awesome Flash Game

Dec. 2nd, 2009 By Karl L. Gechlik

… You can go to this URL to play the zombie game online. Once the loading finishes you can click the Skip this ad button in the lower right hand corner and you are on your way to becoming a zombie slayer. But you should go through the tutorial.

Tuesday, December 01, 2009

Interesting to me that they even consider re-interpreting the law. If the answer makes Hannaford liable, security will improve immediately.

http://www.databreaches.net/?p=8612

Update: Court to decide what time, trouble are worth in Hannaford breach

December 1, 2009 by admin Filed under Breach Incidents, Business Sector, Hack, Of Note, U.S.

Judy Harrison reports:

Whether Hannaford Bros. customers may recover damages for the time and trouble it took them to straighten out their bank or credit card accounts after the Scarborough-based firm’s computer system was breached in late 2007 and early 2008 now is up to the Maine Supreme Judicial Court.

The justices have never considered what constitutes damages for lost time and effort in cases of data theft.

U.S. District Judge D. Brock Hornby last week sent two specific questions to the state’s high court. In essence, the federal judge wants to know if Maine consumers who have been reimbursed by their banks and credit card companies for losses due to stolen data have the right to seek damages for the time they spent and the effort it took them to straighten out their accounts.

Read more in the Bangor Daily News.

[From the article:

Questions to the court

“1. In the absence of physical harm or economic loss or identity theft, do time and effort alone, spent in a reasonable effort to avoid or remediate reasonably foreseeable harm, constitute a cognizable injury for which damages may be recovered under Maine law of negligence and/or implied contract?”

“2. If the answer to question #1 is yes under a negligence claim and no under an implied contract claim, can a plaintiff suing for negligence recover damages under Maine law for purely economic harm absent personal injury, physical harm to property, or misrepresentation?”



Wisdom?

http://www.pogowasright.org/?p=5862

Privacy Trends and Laws: J. Trevor Hughes of the IAPP

December 1, 2009 by Dissent Filed under Other, U.S.

Tom Field writes:

What have been the biggest privacy issues of 2009, and what emerging trends should you watch heading into 2010?

We posed these questions to J. Trevor Hughes, Executive Director of the International Association of Privacy Professionals (IAPP). In an exclusive interview, Hughes discusses:

  • The role of the IAPP;

  • Key legislation in the U.S. and internationally;

  • Where organizations need to improve privacy protection.

Hughes is an attorney specializing in e-commerce, privacy and technology law. In his role as Executive Director of the IAPP, Hughes leads the world’s largest association of privacy professionals.

Read the interview on GovInfoSecurity.com.

[From the article:

… one of the dynamics that has emerged over the past 10 years has been a collision of sorts between globalization and the rise of the information economy. Those two things have put enormous strains on our prior jurisdictional approaches to law.


(Related) The joys of doing business globally. I wonder if there is a good (not in legalese) guide to laws in all countries.

http://www.pogowasright.org/?p=5844

Norwegian consumer group will mount legal challenge to Facebook terms

November 30, 2009 by Dissent Filed under Featured Headlines, Internet, Non-U.S.

A Norwegian consumer protection agency is preparing a legal challenge to Facebook and other social networking companies, accusing them of operating “in a legal vacuum and irrespective of norms and standards”.

Forbrukerr├ądet, the Norwegian Consumer Council, has studied the privacy policies and terms and conditions of social networking sites and says that many do not properly protect Norwegian users and do not comply with Norwegian law.

“There are general principles of fair contracts and privacy that must apply also in an online environment,” said the Consumer Council’s assistant director Hans Marius Graasvold. “Nothing has changed in that respect, except the online entrepreneurs at one point just stopped caring about the law.”

Read more on Out-Law.com



A trivial (573,000 lines and 6.4 million word) hack.

http://www.motherboard.tv/2009/11/27/how-the-9-11-pagers-got-hacked--2

How the 9/11 Pagers Got Hacked

Posted by Alex_Pasternack on Friday, Nov 27, 2009

… As CBS News’ Declan McCullagh writes, it could have been done with a single pager, a laptop and some software, using “over-the-air interception”:

Each digital pager is assigned a unique Channel Access Protocol code, or capcode, that tells it to pay attention to what immediately follows. In what amounts to a gentlemen’s agreement, no encryption is used, and properly-designed pagers politely ignore what’s not addressed to them.

But an electronic snoop lacking that same sense of etiquette might hook up a sufficiently sophisticated scanner to a Windows computer with lots of disk space — and record, without much effort, gobs and gobs of over-the-air conversations.

Existing products do precisely this.



Every time I read about someone caught crossing the border with child pornography on their computer, I wonder why their lawyers never told them how to avoid detection. Turns out some Canadian lawyers did.

http://www.pogowasright.org/?p=5831

Protect sensitive data from border searches this holiday season

November 30, 2009 by Dissent Filed under Featured Headlines

There are a lot of organizations offering tips on how to protect yourself from becoming the victim of identity theft or a scam during the holiday season. David Canton offers some tips for those traveling across borders who are taking their laptops or electronic devices. The tips are based on advice published by the Canadian Bar Association, where you can find additional tips as well:

  • Travel with a “bare” computer that contains only the most essential information. Ensure that all work with data is done via a secure virtual private network (VPN). Consider using SaaS (software as a service) programs based on the Internet, rather than your computer’s hard drive.

  • Turn off your computer early: At least five minutes before you get to U.S. Customs, make sure your computer is turned off so unencrypted information in your computer’s RAM has adequate time to void itself.

  • Back up your data: Self-explanatory.

  • Store data on small devices: Smaller devices can be carried more inconspicuously.

  • Protect your phone and PDA: Phones now carry a considerable amount of information and needed to be kept as “clean” as possible in case they’re confiscated.

  • ‘Clean’ your laptop once it’s returned: This will ensure that no programs or spyware have been installed on your computer.

The better approach is to leave all information on a Canadian server and access it remotely once in the U.S.

[...]

In summary, the prudent approach for taking a computer into the U.S. is to ensure it contains no confidential, sensitive or privileged information.

Read more on Canoe.



Once again it becomes obvious that “plain English” doesn't translate easily to “plain American” But it is a step in the right direction.

http://www.databreaches.net/?p=8600

ICO publishes guide to Data Protection Act

November 30, 2009 by admin Filed under Breach Laws, Commentaries and Analyses, Non-U.S., Of Note

The Information Commissioner’s Office (ICO) has produced a new plain English Guide to Data Protection to provide businesses and organizations with practical advice about the Data Protection Act and dispel myths. The guide will help organizations safeguard personal data and comply with the law. The guide takes a straight-forward look at the principles of the Data Protection Act and uses practical, business-based examples.

Download the guide here (pdf). The full press release can be found here.



Google has to get out of this business immediately. Reviewing what users choose to share within their (not public) groups should not be subject to review. Otherwise, don't they assume liability for “allowing” anything they miss? (I have heard this excuse already.)

http://it.slashdot.org/story/09/12/01/1419238/The-Cloud-Ate-My-Homework?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

The Cloud Ate My Homework

Posted by timothy on Tuesday December 01, @09:46AM from the low-hanging-clouds-are-fog dept.

theodp writes

"Over at CNET, James Urquhart sings the praises of cloud computing, encouraging folks to 'really listen to what is being said, understand how the cloud is being used, and seriously evaluate how this disruptive model will change your projects, your organization, and even your career.' Fair enough. Over at the Google Docs Help Forum, some perplexed cloud computing users spent the month of November unsuccessfully trying to figure out why they've been zinged for inappropriate content. Among the items deemed inappropriate and unshareable include notes on Henry David Thoreau ("the published version of this item cannot be shared until a Google review finds that the content is appropriate"), homework assignments, high school yearbook plans, wishlists, documents containing botanical names for plants, a list of websites for an ecommerce class, and a list of companies that rent motorcycles in Canada. When it comes to support in the cloud, it kind of looks like you might get what you pay for."



The IMEI identifies the phone not the user. If the terrorist buys several phones for cash and isn't videotaped while doing it, how does this help? Meanwhile, it shuts off the phones of all those slumdogs...

http://mobile.slashdot.org/story/09/11/30/2042245/India-Hanging-Up-On-25-Million-Cell-Phones?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

India Hanging Up On 25 Million Cell Phones

Posted by ScuttleMonkey on Monday November 30, @06:12PM from the can-you-hear-me-now dept.

jvillain writes

"India is about to pull the plug on 25 million cell phones in the name of fighting terrorism and fraud. 'The ban by India's Department of Telecommunications has been unfolding gradually since Oct. 6, 2008, six weeks before the attacks in Mumbai killed 173 people and wounded 308. A memo then directed service providers to cut off cellphone users whose devices didn't have a real IMEI — or unique identity number — in the interests of 'national security.' Since then, the move has picked up steam as a way to circumvent terrorists using black market, unregistered cellphones. The Mumbai attackers kept in touch with each other via cellphones and used GPS to pinpoint their attacks, which started Nov. 26, 2008, and went on for three days. The telecommunications department has issued warnings and deadlines through 2009 but has announced this one is for real, telling operators to block cellphones without valid IMEI numbers. Previously, it warned companies to stop importing them and customers to stop buying them.'"



We've been saying this for months, nice of you to notice! Note that it used to be “common knowledge” that only Republicans supported the “business agenda.”

http://www.wired.com/threatlevel/2009/11/america-catering-to-hollywood/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Europe Worries U.S. Bowing to ‘Industry’ in ACTA Talks

By David Kravets November 30, 2009 4:01 pm

… The document, entitled European Union’s Comments to the US Proposal, suggests that the administration, in its closed-door negotiations over the Anti-Counterfeiting and Trade Agreement, might have forgotten that copyright interests extend beyond industry concerns.

The “most important provision” of the U.S.-proposed copyright section, according to the EU document, includes language noting that the United States’ “overarching objective” is to “facilitate the continued development of industry.” (.pdf)



Is this the business model that will kill newspapers? Personnaly, I think the newspapers are doing that themselves.

http://www.techcrunch.com/2009/11/30/smsone-micro-local-india-news/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

SMSONE: Micro-local news from India to make Silicon Valley jealous

by Sarah Lacy on November 30, 2009

… But every once in a while I find a company that hits the trifecta: It’s addressing a big problem locally, it’s something I don’t think is offered in the US, and…. I want it.

… I’m talking about SMSONE Media, a company I met in Pune about a week ago. Like most of the impressive companies I saw in India, it’s aimed squarely at the base of the pyramid and is using basic SMS to deliver services to people some of India’s most unconnected areas.

… SMSONE is basically a very-local newsletter. Ghate goes to a village and scouts out an unemployed youth—preferably one who’s had jobs as a street vendor or has experience going door-to-door shilling for local politicians. The kid pays Ghate 1000 rupees (or about $20) for the “franchise” rights to be the local reporter for that village. He goes door-to-door singing up 1,000 names, phone numbers and other basic information, then mails the slips to Ghate. Ghate enters it all his databases and all those “subscribers” get a text introducing the kid as their village’s reporter. In India all incoming texts are free so, the subscribers don’t pay anything.

And what readers get is pretty powerful. Right now there is no way to get a timely message to people in a village. There’s no Internet access, no TV, no local paper, and frequently no electricity. All they have is a basic mobile phone. SMSONE’s service can give farmers instant updates about crop pricing or news of a seed or fertilizer delivery a town away. That means the farmer only makes the trip when he knows the shipment is there, rather than wasting days of travel hoping the shipment is there.



Harvard makes a fundamental error? Also consider that existing “hospital” computer systems haven't been designed to assist doctors.

http://news.slashdot.org/story/09/12/01/0115246/Harvard-Says-Computers-Dont-Save-Hospitals-Money?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Harvard Says Computers Don't Save Hospitals Money

Posted by kdawson on Tuesday December 01, @02:28AM from the always-jam-tomorrow dept.

Lucas123 writes

"Researchers at Harvard Medical School pored over survey data from more than 4,000 'wired' hospitals and determined that computerization of those facilities not only didn't save them a dime, but the technology didn't improve administrative efficiency either. The study also showed most of the IT systems were aimed at improving efficiency for hospital management — not doctors, nurses, and medical technicians. 'For 45 years or so, people have been claiming computers are going to save vast amounts of money and that the payoff was just around the corner. [Not people, salesmen. Salesmen aren't people. Bob] So the first thing we need to do is stop claiming things there's no evidence for. It's based on vaporware and [hasn't been] shown to exist or shown to be true,' said Dr. David Himmelstein, the study's lead author."



Ethics. Iffin youse gotta ax, youse ain't got none.

http://ask.slashdot.org/story/09/12/01/0025213/Ethics-of-Releasing-Non-Malicious-Linux-Malware?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Ethics of Releasing Non-Malicious Linux Malware?

Posted by kdawson on Monday November 30, @09:39PM from the what-would-schneier-do dept.

buchner.johannes writes

"I was fed up with the general consensus that Linux is oh-so-secure and has no malware. After a week of work, I finished a package of malware for Unix/Linux. Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account to help scientific projects. The malware does not exploit any security holes, [Not exactly true. Bob] only loose security configurations and mindless execution of unverified downloads.

The aim of the exercise was to provide a payload so security people can 'pwn' systems to show security holes, without doing harm (such as deleting files or disrupting normal operation). But now I am unsure of whether it is ethically OK to release this toolkit, which, by ripping out the BOINC payload and putting in something really evil, could be turned into proper Linux malware. On the one hand, the way it persists itself in autostart is really nasty, and that is not really a security hole that can be fixed. On the other hand, such a script can be written by anyone else too, and it would be useful to show people why you need SELinux on a server, and why verifying the source of downloads (checksums through trusted channels) is necessary. Technically, it is a nice piece, but should I release it? I don't want to turn the Linux desktop into Windows, hence I'm slightly leaning towards not releasing it. What does your ethics say about releasing such grayware?"



Small savings multiplied by huge numbers = competitive advantage.

http://hardware.slashdot.org/story/09/11/30/2039239/Google-Patent-Reveals-New-Data-Center-Innovations?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Google Patent Reveals New Data Center Innovations

Posted by ScuttleMonkey on Monday November 30, @05:29PM from the easy-to-innovate-with-unlimited-resources dept.

miller60 writes

"'Google is seeking to patent a system that provides precision cooling inside racks of servers, automatically adjusting to temperature changes while reducing the energy required to run chillers.' The cooling design uses an adjustable piping system featuring 'air wands' that provide small amounts of cold air to components within a server tray. The cooling design, which could help Google reduce the power bill for its servers, reinforces Google's focus on data center innovation as a competitive advantage. Check out the patent application and a diagram of the system."



Still thinking about collecting my blog into an e-book. Need to come up with a catchy title. “Everything important in the last 3 years?” “The world according to Bob?” “The dark side of the Internet?”

http://www.makeuseof.com/tag/how-to-actually-make-money-selling-ebooks/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Makeuseof+%28MakeUseOf.com%29

How to Actually Make Money Selling eBooks

Nov. 30th, 2009 By Ryan Dube



I plan to use this in my next word processing class. I wonder how many other “forced template” tools are available?

http://www.killerstartups.com/Web-App-Tools/niceletter-com-writing-letters-just-got-easier?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+killerstartups%2FBkQV+%28KillerStartups.com%29

Niceletter.com - Writing Letters Just Got Easier

http://www.niceletter.com/en/

The digital age caused many people to lose the structural knack that defined letter-writing in the past. These individuals will most likely benefit from a service such as Niceletter. And the same goes for those who did never get to grips with formatting their letters to begin with, and wrote everything in the wrong places of the sheet.

Basically, Niceletter is a free letter wizard that will enable anybody to have a letter which complies with writing rules simply by filling in a couple of fields. That is, the layout of the letter will be taken care of more or less automatically, and the only thing you will need to worry about is the actual content.