Saturday, December 26, 2009

Laws, as they are bought and paid for...

December 25, 2009 - Money and Politics: Illuminating the Connections

", a groundbreaking public database, illuminates the connection between campaign donations and legislative votes in unprecedented ways. Elected officials collect large sums of money to run their campaigns, and they often pay back campaign contributors with special access and favorable laws."

Where to backup that PhD dissertation and all the research supporting it. (Perhaps the Climate Change guys could have used this?) - Taking Care Of Multiple Uploads Easily

If you were to back up vital information, uploading it to more than one file hosting service would be a sound thing to do. The one deterrent you will have for sure is that doing it manually would take far too long, not to mention that you would have to be very careful as regards the maximum size of the file or files you are uploading.

Both shortcomings are dealt with by this application. Named Load 2 All, it is a tool for uploading a file (any file) to as many service providers as you might feel like. For example, you can upload to sites such as Rapidshare, Megaupload and DepositFiles at the same time. You can actually upload files to 8 simultaneous mirrors, and you are clearly informed about the maximum capacity of each and every service. In the event that any of your files exceed these limits, the file will be automatically split into smaller .RAR files.

Files can be uploaded both locally and remotely, too, so that you will be able to take care of any backup process both from your home and from anywhere an Internet connection is available. [Great for the wholesale stealing of identities! Bob]

Because I love lists...

50 Best Websites 2009

25 Best Blogs 2009

Friday, December 25, 2009

I'd like to see the actual language. It sounds generous ($50,000 times 17,000,000 = $850,000,000,000) but I bet they never pay out a dime.

Judge Gives Preliminary OK To Countrywide breach settlement

December 24, 2009 by admin Filed under Financial Sector, Insider, Of Note, U.S.

Brett Barrouquere of the Associated Press reports:

A federal judge has given preliminary approval to a settlement between Countrywide Financial Corp., and millions of customers whose detailed financial information was exposed in a security breach.

Under the terms of the settlement, Countrywide, now owned by Bank of America, would give up to 17 million people whose information was exposed during the security breach free credit monitoring. That group includes anyone who obtained a mortgage and anyone who used Countrywide to service a mortgage prior to July 1, 2008.

The settlement entitles a person to up to $50,000 in reimbursements from Countrywide per instance of identity theft, provided they actually lost something of value, were not reimbursed and it is more likely than not the theft stemmed from Countrywide.

In January, BOA agreed to pay Connecticut $350,000 and reimburse customers who had to freeze their credit after a massive data breach. About 30,000 Connecticut residents were affected.

Note that this settlement is separate from another Countrywide settlement in the news this week concerning a $4.4 million settlement finalized last year with Countrywide over alleged unfair and deceptive mortgage practices.

No previous report on this breach has indicated that up to 17 million people were affected, at least not to my knowledge. Most sites were reporting 2,000,000 as the number affected. I’ll have to look into whether that puts the Countrywide incident on the Top 10 list of biggest breaches when I update that list for the year next week.

More to the point, however, I don’t see where this “settlement” really gives anything significant to those affected that they shouldn’t have been given immediately and in any event. It’s a shame that it requires litigation to get breached entities to offer credit monitoring and restoration services.

If you could write the settlement, what terms would you include?

CRS: Privacy: An Overview of Federal Statutes Governing Wiretapping and Electronic Eavesdropping

December 24, 2009 by Dissent Filed under Featured Headlines, Legislation, Surveillance, U.S.

CRS report 98-326

Privacy: An Overview of Federal Statutes Governing Wiretapping and Electronic Eavesdropping

December 03, 2009


This report provides an overview of federal law governing wiretapping and electronic eavesdropping. It also appends citations to state law in the area and contains a bibliography of legal commentary as well as the text of the Electronic Communications Privacy Act (ECPA) and the Foreign Intelligence Surveillance Act (FISA).

Download the report from OpenCRS (pdf).

When the AG uses Occam's Razor, don't respond with “It coulda been the Tooth Fairy...”

Health Net disputes CT AG’s statement

By Dissent, December 24, 2009 3:31 pm

Emily Berry reports that Health Net has responded to statements by the Attorney General of Connecticut by claiming that there is no proof that a breach earlier this year was due to theft:

Citing a report by Kroll, a security firm Health Net hired to investigate, Blumenthal said in a Dec. 7 announcement that Health Net’s story contradicted what its own consultants found.


Blumenthal noted that two laptops were stolen from the same building around the same time, supporting the possibility that the disk was stolen, not lost.

He also said that although Health Net claimed that the data on the disk could be read only with proprietary software, Kroll noted that “common, commercially available” software could decode it.


In response to Blumenthal’s comments, Health Net released its own statement: “The [Kroll] report states that there could have been numerous scenarios that explained the disappearance of the missing drive, and that there was insufficient evidence to determine which, if any, of the scenarios was the most likely.”

Read more on American Medical News.

I've been telling you that this lady is smart! Is there anything about these requirements that makes you believe it would take nearly two years to implement the changes?

Ca: Commissioner Cavoukian expects health sector to encrypt all health information on mobile devices: Nothing short of this is acceptable

By Dissent, December 24, 2009 3:35 pm

Ontario Information and Privacy Commissioner, Dr. Ann Cavoukian, today directed the province’s health sector not to remove from their premises any personal health information on mobile devices – unless this very sensitive information is encrypted, as required in a health order issued in 2007.

This follows the loss last week of a USB key containing the health information of almost 84,000 patients who attended H1N1 flu vaccination clinics in the Durham Region.

This incident is “very distressing,” said the Commissioner, “especially in light of the fact that I directed all Ontario health information custodians not to transport personal health information on laptops or other mobile computing devices unless the information was encrypted.” This direction was included in a 2007 order under the Personal Health Information Protection Act (PHIPA).

In addition to immediately launching an investigation into the incident, the Commissioner contacted Ontario’s Ministry of Health and Long-Term Care as well as Ontario’s Chief Medical Officer of Health, Dr. Arlene King, and is working with them to reinforce the importance of safeguarding health information. Dr. King is issuing a message to all Medical Officers of Health today urging them to cease storing or transferring health information that is not protected with strong encryption.

“Our health orders set a minimum standard for what we expect from all health information custodians, all of whom are required to protect personal health information under PHIPA,” said the Commissioner.

“I want to make this very clear,” the Commissioner said today. “No personal health information should be transported on mobile devices, unless the information is encrypted. This requirement is perfectly clear and encryption technology is readily available.”

In order not to disrupt any immunization clinics taking place over the holiday period, Commissioner Cavoukian advised that any unencrypted personal health information that needs to be transported must be in the physical possession of the person responsible, at all times, until it reaches its secure location. This is only an interim measure until full encryption processes can be put into place.

“The analogy I would use is that of detectives transporting sensitive information in briefcases handcuffed to their wrist. The health information of Ontario citizens is equally sensitive, and requires this same level of protection,” said Commissioner Cavoukian.

The Commissioner’s investigation report on the incident in Durham Region will be issued next month, in January 2010.

In March 2007, the Commissioner issued guidance to the Ontario health sector as part of a health order (HO-004) to Toronto’s Hospital for Sick Children after a laptop computer containing the personal health information of 2,900 patients was stolen from a parked vehicle.

For more information on how to encrypt and secure health information on mobile devices, see the IPC fact sheet Encrypting Personal Health Information on Mobile Devices at

Source: Information and Privacy Commissioner/Ontario

An indication that a technology has “arrived” or that the County has found a way to use that Stimulus Money to pay for the DA's kids cell phones?

Texas County Will Use Twitter To Publish Drunk Drivers' Names

Posted by timothy on Friday December 25, @03:07AM from the only-animal-that-blushes dept.

alphadogg contributes this snippet from Network World:

"If you get busted for drunk driving in Montgomery County, Texas, this holiday season, your neighbors may hear about it on Twitter. That's because the local district attorney's office has decided to publish the names of those charged with driving while intoxicated between Christmas and New Year's Eve. County Vehicular Crimes Prosecutor Warren Diepraam came up with the idea as a way of discouraging residents from getting behind the wheel while drunk. 'It's not a magic bullet that's going to end DWIs, but it's something to make people think twice before they get behind the wheel of a car and drive while they're intoxicated,' he said."

Sounds like a job for everyone's favorite super-hero: Class Action Lawyer-Man! Able to terrorize corporations with a single filing! Capable of excruciating leaps of logic!

Basically Every ISP Is Trying to Scare You Into Paying for Internet You Don't Need

(Related) I still predict that every device (phone, PDA, tablet, netbook, notebook or desktop) will allow free voice communications via the Internet. Telecomms, evolve or die...

Google Voice Is Coming Back To The iPhone Via The Browser, Thanks To VoiceCentral

by Erick Schonfeld on December 24, 2009

In case you found a computer under the tree...

13 Things You Must Do First with Your New PC

Posted 12/25/09 at 12:00:00 PM by The Maximum PC Staff

Thursday, December 24, 2009

You might want to read the Wikipedia page. MBNA is listed as the world's largest independent issuer of credit cards. All the usual questions apply: Why was the data on a laptop? Why wasn't the data encrypted?

UK: Credit card provider suffers breach, personal data lost

December 23, 2009 by admin Filed under Financial Sector, Non-U.S., Of Note, Subcontractor, Theft

MBNA, the UK's largest credit card provider, has confirmed that a laptop containing the personal details of its customers [All of them? Bob] was stolen from one of its third-party contractors, NCO Europe Ltd, earlier this month. The information is said to include personal details; however, no PIN numbers were reported to be contained in the stolen data.

Although the exact details have yet to be confirmed, it is expected that thousands of customers will be affected by this incident. Whilst the situation is monitored, MBNA has provided affected customers with free access to CreditExpert from Experian over the next 12 months.

Read more on HelpNet Security.

Thanks to Sharon Polsky, President of Amina Consulting Corp. for sending this link.

(Related) Which of these stories hurts the bank's reputation more?

MBNA to refund €18m as interest error comes to light

CIARA O'BRIEN The Irish Times - Tuesday, December 15, 2009

MBNA is to refund about €18 million to customers after it discovered an error had been made in how interest was calculated.

Merry Christmas from your Alma Mater, oh, by the way...

Update on Penn State’s malware breaches

December 23, 2009 by admin Filed under Education Sector, Malware, U.S.

From their newsroom:

Although most offices are winding down for the holidays, Penn State’s privacy office remains active. The University currently is working to notify nearly 30,000 individuals about privacy breaches that may have exposed their personally identifying information.

Malware infections to University computers caused all of the breaches, which occurred in the Eberly College of Science (7,758 records), the College of Health and Human Development (6,827 records) and one of Penn State’s campuses outside of University Park (roughly 15,000 records). Malware is short for malicious software and refers to any software designed to cause damage to a single computer, server, or computer network, whether it’s a virus, spyware, worm or other destructive program.

Letters are going out today (Dec. 23) to those affected by the breaches in the two colleges. Work still is being done to identify those whose information is involved in the campus breach. Once that work is completed, letters will be sent to those affected in that incident as well. This response is in line with the Pennsylvania Breach of Personal Information Notification Act, which went into effect in 2006 and mandates that the University notify anyone whose personally identifiable information is potentially disclosed when a computer is lost or compromised.

Read more on Media Newswire.

[From the article:

The mailing also includes a brochure detailing how to prevent identity theft. [“We didn't bother to implement minimal levels of security, so you're going to need this!” Bob]

You get pro-business decisions like this only in the most liberal states...

Massachusetts’s Highest Court Delivers BJ Wholesalers (and other Retailers) a Data Breach Liability Gift

December 23, 2009 by admin Filed under Commentaries and Analyses

David Navetta of InformationLawGroup has an analysis of the recent court decision in Cumis Insurance Society, Inc. v. B.J. Wholesale Club, reported here earlier this month.

This blog post dives into and analyzes the Supreme Court Decision, and looks at it in context against similar decisions. Overall, in terms of issuing banks recovering for payment card breaches, the game does not appear to be litigation in the courts, but rather in the backroom contracts and recovery processes contained in the card brand operating regulations that most retailers agree to comply with.

Read more on InformationLawGroup.

Strange as it may seem, in this case I side with Condé Nast.

Condé Nast Makes Strong Case To Unmask Blogger Who Posted Leaked Content

December 23, 2009 by Dissent Filed under Breaches, Court, Featured Headlines, Internet

Wendy Davis reports:

Condé Nast has filed a copyright infringement lawsuit against unknown users who allegedly hacked into the company’s computer system, downloaded unpublished photos and articles, and then published them online.

In papers filed in federal district court in New York, Condé Nast alleges that a host of material — including a big chunk of GQ’s December issue — surfaced last month on the blog FashionZag. The lawsuit alleges that the material appeared on FashionZag around two months after an unknown user obtained access to Condé Nast’s computer system and copied more than 1,100 files. [Sounds like a security flaw to me. Bob]

Initially, FashionZag posted five alternate covers of the December GQ, according to the lawsuit. Condé Nast says it successfully sent a takedown notice to, which hosted the photos, but that FashionZag then uploaded material to — an image hosting site created by the founders of The Pirate Bay.

By Nov. 14, FashionZag allegedly posted almost all editorial content and photos from the December issue.


On Monday, U.S. District Court Judge John G. Koeltl allowed Condé Nast to immediately subpoena Google and AT&T to discover the identities of the bloggers and alleged hackers. Google hosts the FashionZag blog, and the IP address of the alleged hacker resolves to AT&T, according to the legal papers.

Read more on MediaPost.

A copy of the lawsuit can be found on scribd.

Reading the lawsuit is a bit of an eye-opener. It claims that the IP associated with the unauthorized access is, which does appear to be an AT&T IP. But what’s somewhat mindboggling is that the lawsuit alleges that the intruder obtained the login details from a third party and downloaded 1100 files from the company in September, and — as of the date the lawsuit was filed in December — the company hasn’t stopped the leak!? The lawsuit alleges:

Upon information and belief, Defendants continue to obtain unauthorized access to Condé Nast’s computers and to reproduce, distribute, and display the Condé Nast Content to this day. (emphasis added by Dissent)

Huh? They haven’t figured out how to stop the unauthorized access after all these months? While it appears that they have a legitimate and strong case in terms of unmasking those behind FashionZag, I cannot help but wonder what is up with their security.

Yesterday I blogged about a website that let you put your child's name in stories to encourage them to read. Think of the results putting your law school student's name into this story as lead counsel.

How to sue Microsoft - and win

By Cindy Waxer, contributing writerDecember 23, 2009: 3:51 PM ET

… i4i's legal victory is being touted as a modern-day tale of David and Goliath. So how does a tiny software outfit in Canada defeat one of the world's best-known corporate behemoths?

Underdogs, take note. Here's a road map for waging war against a giant -- and winning.

Obviously he has thought more deeply that I have.

Understanding the Limitations - and Maximizing the Value - of eBooks

By Conrad J. Jacoby, Published on December 23, 2009

… Publishers and distributors of electronic books, however, are using an entirely different model for the distribution of their eBooks. Consumers purchasing eBooks receive only a license, not a full bundle of ownership rights in a tangible object. As a consequence, this considerably limits what consumers can do with their new digital files. For example, few bookstores permit the return of eBooks, since there's no reliable way to tell whether the book has actually been read or not (download records do not indicate whether the file was subsequently opened). Perhaps equally important, under the terms of most current eBook licenses, consumers are generally not permitted to resell eBooks that they have purchased; like computer operating system licenses, the license is personal to them—and often limited to the specific piece of hardware on which the digital file has been installed.

Wednesday, December 23, 2009

Nothing is so weird it can't get weirder... In Australia, they hand you the card scanner, giving you the opportunity to hand them back your bogus skimmer.

AU: Two charged over $4m Perth McDonald’s EFTPOS scam

December 22, 2009 by admin Filed under Business Sector, Non-U.S., Of Note, Skimmers

Glenn Cordingley reports:

Two people have been arrested over an EFTPOS skimming scam in which $4 million was stolen from the accounts of McDonald’s customers in WA [Western Australia].

More than $4 million was withdrawn from 4,000 accounts and people were forced to change their pin numbers at the height of the scam in September.


[From the article:

WA Police believe card details were stolen after thieves tampered with hand-held EFTPOS devices handed into cars at several McDonald’s stores.

… Western Australia's top fraud officer Detective Senior Sergeant Don Heise said the McDonald's scam occurred when legitimate EFTPOS PIN pads were replaced by bogus ones that transmitted PINs to criminals.

[Note: EFTPOS is an acronym for "electronic funds transfer point of sale." Bob]

Update: Think I should stop giving my students sniffing programs?

Former Morgan Stanley Coder Gets 2 Years in Prison for TJX Hack

By Kim Zetter December 22, 2009 6:44 pm

… Stephen Watt, a 25-year-old former Morgan Stanley software engineer, pleaded guilty last December to creating a custom sniffing program dubbed “blabla” that Gonzalez and other hackers used to siphon millions of credit and debit card numbers from TJX’s network.

… A spokeswoman for the U.S. attorney’s office in Massachusetts said the judge also ordered Watt to pay restitution to TJX in the amount of $171.5 million.

… Prosecutors never alleged that Watt received money for the software he wrote, or directly profited from the hacks. But they brandished more than 300 pages of chats [Someone was keeping the chat messages they claim to be deleting. Bob] the two friends exchanged that belied Watt’s stated ignorance.

These things are confusing, but I still want to believe the WSJ got it right. Who has the duty to disclose, and can other victims stop or initiate the disclosure?

WSJ reports Citi’s denial (updated)

December 22, 2009 by admin Filed under Breach Incidents, Financial Sector, Hack

David Enrich of the WSJ reports:

Citigroup Inc. denied a report in The Wall Street Journal that federal authorities are investigating the theft of tens of millions of dollars from customer accounts by hackers, and sought to reassure clients that their funds are safe.

The New York financial company sent employees in U.S. bank branches a memo to help respond to questions. The moves came after The Wall Street Journal reported that the Federal Bureau of Investigation is probing a computer-security breach aimed at accounts of the company’s Citibank unit.

It couldn’t be learned how funds were stolen, whether through Citibank’s systems or by other means. The breach could have involved a contractor that processes transactions for the U.S. financial institution. Investigators suspect that the theft was conducted by a well-known Russian cyber gang.

Read more on The Wall Street Journal (subscription required).

Citi’s press release does not specifically deny that they might have suffered losses due to a contractor or processor breach. It only denies that there was a breach of its system with associated losses. Nor did Citi deny that it had shared information with federal agencies over the summer to counter an attack. If their customers did not suffer large losses on the order of tens of millions of dollars due to any contractor or processor breach, it would be helpful if they said so. As it stands now, the only part of the WSJ story they seem to have directly denied is that there was a security breach of their own system.

Or at least that’s how I read it. How do you read it?

UPDATE: 12-23-09: Now others are confirming Citi’s denial and saying that WSJ got it wrong. See the story here.

(Related) Could make an interesting Ethics question for my students. Do we tell card holders they are at risk or not?

Suspected computer hack compromises Anchorage credit, debit card holders

December 23, 2009 by admin Filed under Breach Incidents, Business Sector, Hack

Christine Kim reports:

Just a simple swipe can lead to a ripple of consequences.

Up to 1,000 Anchorage residents may be affected by a credit card crime.

Police say it may have been a computer hack that stole the information about credit and debit card holders.

Detectives are still trying to figure out who was behind the hacking, but they say they’re using what they have to put the puzzle pieces together.

“It’s a lot easier than most people think,” Jan Jones from the Consumer Credit Counseling Service of Alaska said.

After a process of elimination, police believe it was a computer hack that compromised credit and debit card information of customers at an Anchorage business.

Police are not releasing the name and type of business.

Read more on KTUU.

[From the article:

"I don't want the bad guy to know everything we know, we got to keep some things close but also there are some privacy issues as well," said APD Detective Glen Klinkhart.

… One pattern detectives are noting is that many of the charges made are from various locations in the East Coast. [So probably not one guy and probably a jurisdictional nightmare. Bob]

Stephen Rynerson was kind enough to send me this article, knowing it would ring my eDiscovery, logic, forensic and technology bells, simultaneously!

The Redactor’s Dilemma

December 8th, 2009

… Like a lot of the stacks of papers that pile up on your desk when you study national security surveillance for a living, these are heavily redacted, and over time, you start developing little heuristics for trying to put the puzzle pieces together, to at least limit the domain of what might be in those black boxes.

… But it does point toward the larger problem—or strategy for reading, if you spend your time outside the federal government poking through this stuff—that I want to call the Redactor’s Dilemma.

Imagine you’re given the task of censoring documents like these for public release. There are some bits that you just obviously cut out—whole paragraphs describing operational details that, for good reasons or bad, you want to keep secret. But that won’t be quite enough. Because you’re probably going to have folks reading the documents who know a little something about the law, a little something about the relevant technology, and a little something about surveillance tactics generally. [And when Stephen is asked to name someone who knows little, he naturally thinks of me! I couldn't be prouder. Bob]

Defining 'freedom of the blog'?

Canada’s top court transforms press freedom with new libel defense

December 23, 2009 by Dissent Filed under Court, Featured Headlines, Internet, Non-U.S.

Kirk Makin reports:

The Supreme Court of Canada transformed the country’s libel laws Tuesday with a pair of decisions that proponents say will expand the boundaries of free speech. [Free speech is an 'infinite good'; this is merely removing limits. Bob]

The court ruled that libel lawsuits will rarely succeed against journalists who act responsibly in reporting their stories when those stories are in the public interest.

It also updated the laws for the Internet age, extending the same defence to bloggers and other new-media practitioners.


The media were exultant about the rulings. “This is a historic turn for Canadian media, who have long suffered an undue burden of proof,” said Globe and Mail editor-in-chief John Stackhouse. “We should not take our responsibility any more lightly, but we should celebrate the fact that the heavier blinds of Canadian libel law have been pulled back. The acceptance of this new defence by the Supreme Court of Canada will greatly advance the cause of freedom of expression, transparency and responsible journalism in Canada.”

Read more in The Globe and Mail. Related: Peter Grant v. Torstar (pdf) Hat-tip, Slashdot.

What do they teach at Harvard these days?

Florida Congressman Wants Blogging Critic Fined, Jailed

Posted by timothy on Tuesday December 22, @01:27PM from the gov't-we-deserve-is-a-canard dept.

vvaduva writes

"Florida Rep. Alan Grayson wants to see one of his critics go directly to jail, all over her use of the word 'my' on her blog. In a four-page letter sent to [US Attorney General Eric] Holder, Grayson accuses blogger Angie Langley of lying to federal elections officials and requests that she be fined and imprisoned for five years. Her lie, according to Grayson, is that she claims to be one of his constituents. Langley, Grayson says, is misrepresenting herself by using the term 'my' in the Web site's name."

[From the article:

In an effort to raise money against the outspoken freshman Democrat, a Republican activist named Angie Langley has launched "" -- a Web site that parodies Grayson's re-election site, ""

The details would have been better, but we can still assume this proves that they do block user access, doesn't it?

Comcast Pays Out $16M In P2P Throttling Suit

Posted by kdawson on Wednesday December 23, @08:13AM from the bad-money-after-good dept.


eldavojohn writes

"Comcast has settled out of court to the tune of $16 million in one of several ongoing P2P throttling class action lawsuits. You may be eligible for up to $16 restitution if 'you live in the United States or its Territories, have a current or former Comcast High-Speed Internet account, and either used or attempted to use Comcast service to use the Ares, BitTorrent, eDonkey, FastTrack or Gnutella P2P protocols at any time from April 1, 2006 to December 31, 2008; and/or Lotus Notes to send emails any time from March 26, 2007 to October 3, 2007.' $16 million seems low. And it's too bad this was an out-of-court settlement instead of a solid precedent-setting decision for your right to use P2P applications. The settlement will probably not affect the slews of other Comcast P2P throttling suits, and it's unclear whether it will placate the FCC."

Next to gossip, we love leaks best! It's just like gossip, but (usually) without the celebrities. This business model would create thousands of “drop boxes” for spying on corporations.

Wikileaks Targets the Local News Frontier

Posted by kdawson on Tuesday December 22, @06:45PM from the think-locally-disrupt-globally dept.

eldavojohn writes

"Wikileaks has been pretty successful on a global scale — from ACTA documents to East Anglian e-mails, it is the definitive place to find suppressed documents. But some are saying that now Wikileaks should begin focusing on a local level. From the article: 'The organization has applied for a $532,000 two-year grant from the Knight Foundation to expand the use of its secure, anonymous submission system by local newspapers. The foundation's News Challenge will give as much as $5 million this year to projects that use digital technology to transform community news. WikiLeaks proposes using the grant to encourage local newspapers to include a link to WikiLeaks' secure, anonymous servers so that readers can submit documents on local issues or scandals. The newspapers would have first crack at the material, and after a period of time — perhaps two weeks, [German Wikileaks spokesman Daniel] Schmitt said — the documents would be made public on the main WikiLeaks page.' Anyone reading this who works for a community news source and would like to host sensitive documents with no risk: here is your solution."

Toward ubiquitous surveillance.

Background Checks For All With BeenVerified’s iPhone App

by MG Siegler on December 22, 2009

… The aptly named Background Check App does exactly what it says: Using data from the site BeenVerified, it allows you to do background checks on people via name queries or their email addresses. And it even allows you to check your contacts on your iPhone with just one click. Just imagine the fun that will bring.

But it’s not all free fun. Unfortunately, you only get three free queries a week. [Probably not enough for Tiger Woods, but then he can afford to pay. Bob] After that, you’re prompted to sign up for a BeenVerified account and pay to get unlimited access. Currently, that will cost you $8 a month.

Why did it take so long?

Amazon Kindle Proprietary Format Broken

Posted by kdawson on Wednesday December 23, @05:24AM from the let-a-thousand-e-books-bloom dept.

An anonymous reader writes

"The Register reports that the proprietary document format used by the Amazon online store and Amazon's Kindle has been successfully reverse engineered, allowing these DRM-protected documents to be converted into the open MOBI format. Users of alternative e-book readers rejoice."

Here are the hacker's notes on the program he is calling "Unswindle," and here is the (translated) forum where the Kindle challenge was posed and answered.


Enable Web Browsing and Full Catalog Access on International Kindle

By Charlie Sorrel December 22, 2009 6:58 am

Interesting convergence of law and technology?

UK divorce lawyers: A fifth of cases Facebook-related

by Chris Matyszczyk December 22, 2009 4:43 PM PST

I've been saying that myself! Perhaps we should start a “Cool Nerd” website (or has Al Gore already copyrighted that name?)

The US Economy Needs More "Cool" Nerds

Posted by kdawson on Tuesday December 22, @02:13PM from the we-be-cool dept.

Hugh Pickens writes

"Steve Lohr writes in the NY Times that the country needs more 'cool' nerds — professionals with hybrid careers that combine computing with other fields like medicine, art, or journalism. Not enough young people are embracing computing, often because they are leery of being branded nerds. Educators and technologists say that two things need to change: the image of computing work, and computer science education in high schools. Today, introductory courses in computer science are too often focused merely on teaching students to use software like word processing and spreadsheet programs, says Janice C. Cuny, a program director at the National Science Foundation, adding that the Advanced Placement curriculum concentrates too narrowly on programming. 'We're not showing and teaching kids the magic of computing,' Cuny says. The NSF is working to change this by developing a new introductory high school course in computer science and seeking to overhaul Advanced Placement courses as well. The NSF hopes to train 10,000 high school teachers in the modernized courses by 2015. Knowledge of computer science and computer programming is becoming a necessary skill for many professions, not only science and technology but also increasingly for marketing, advertising, journalism and the creative arts. 'We need to gain an understanding in the population that education in computer science is both extraordinarily important and extraordinarily interesting,' says Alfred Spector, vice president for research and special initiatives at Google. 'The fear is that if you pursue computer science, you will be stuck in a basement, writing code. That is absolutely not the reality.'"

(Related) Does this qualify the creator as a cool nerd? Okay, probably not. They seem to be ignoring the over 10 age range. I suspect this would be useful in ESL classes and would probably amuse politicians. (“How [Your Name Here!] became President!”)

Story Something Quietly Opens Up, Turns Your Kids Into Heroes

by Robin Wauters on December 23, 2009

… TC50 finalist Story Something is cautiously opening up to the masses during the holidays – intentionally.

… As our initial review of Story Something lays out in detail, the service generates personalized stories for children that make them the heroes by putting them at the center of the narrative. The hero takes on the child’s name, and a story is generated which can be viewed on the Web or e-mailed to the parent.

The startup is launching in open beta with 55 stories, some of which get featured on the homepage. Stories come in two flavors: ones that are not interactive and fairly short, and ones that are a bit longer and allow the parent or child to have some control over the storyline by giving options that affect the narrative.

Tuesday, December 22, 2009

This sounds quite cheap on a 'per card compromised' basis. I wonder who their lawyers are?

Heartland to pay up to $2.4 million to settle cardholder class action suit

December 21, 2009 by admin Filed under Breach Incidents, Financial Sector, Of Note

Under the terms of the settlement, Heartland says it will pay a minimum of $1 million and up to a maximum of $2.4 million to class members who submit valid claims for losses as a result of the intrusion.

The payment processor says it will also shell out $1.5 million for the cost of notice to the settling class, and $0.76 million to cover legal fees.

Heartland has additionally agreed to submit the report of an independent expert on its plans to improve the security of its computer system since the announcement of the intrusion on January 20, 2009.

Read more on Finextra.

(Related) Completing(?) the picture of a mad hacker. Too technical for a movie of the week, I wonder if anyone will write a book about these hacks?

Albert Gonzalez Enters Plea Agreement in Heartland, Hannaford Cases

December 21, 2009 by admin Filed under Business Sector, Financial Sector, Hack, ID Theft, Of Note, U.S.

Kim Zetter reports:

Albert Gonzalez, who has admitted hacking into TJX and other companies, has filed a plea agreement in charges that he breached Heartland Payment Systems, Hannaford, 7-Eleven and two other companies.

Under the terms of the agreement, Gonzalez, a former Secret Service informant, [They keep saying that. Perhaps they just like to embarrass the Secret Service? Bob] will plead guilty to two counts of conspiracy to gain unauthorized access to computers, and to commit wire fraud. Prosecutors have agreed to seek a sentence of no more than 25 years, to run concurrent with his sentence in two other pending cases. Gonzalez had agreed to ask the court for no less than 17 years in prison.

Read more on Threat Level.

(Related) How do you get students to pay attention to Security lectures? “Bags of cash...”

7-Eleven Hack From Russia Led to ATM Looting in New York

December 21, 2009 by admin Filed under Breach Incidents, Hack, Of Note

Kevin Poulsen provides newly released details on the 7-Eleven hack included in Albert Gonzalez’s plea agreement:

….In his most recent plea agreement, filed in court on Monday, confessed hacker Albert Gonzalez admitted conspiring in the 7-Eleven breach, and fingered two Russian associates as the direct culprits. The Russians are identified as “Hacker 1” and “Hacker 2” in Gonzalez’s plea agreement, and as “Grigg” and “Annex” in an earlier document inadvertently made public by his attorney.

The Russians, evidently using an SQL injection vulnerability, “gained unauthorized access to 7-Eleven, Inc.’s servers through 7-Elevens’ public-facing internet site, and then leveraged that access into servers supporting ATM terminals located in 7-Eleven stores,” the plea agreement reads. “This access caused 7-Eleven, Inc., on or about November 9, 2007, to disable its public-facing internet site to disable the unauthorized access.”

At the time, there were 5,500 Citibank-branded ATMs at 7-Eleven stores around the country. According to SEC documents, 7-Eleven ran its own transaction processing server [Perhaps unwise from a liability perspective? Bob] to handle 2,000 of them: advanced models called Vcom machines, manufactured by NCR. The 7-Eleven Vcoms support special functions like bill-payment, check cashing and money order purchases. For two weeks in September 2007, anyone who typed their PINs in one of these was exposed.

Read more on Threat Level.

[Article contains more details and other crimes. Bob]

Ryabinin’s wife told investigators that she witnessed her husband “leave the couple’s house with bundles of credit cards in rubber bands and return with large sums of cash,” a Secret Service affidavit (.pdf) reads.
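The plea agreement quoted above says only that the 7-Eleven site was entered "evidently using an SQL injection vulnerability" and that the foothold was then leveraged against the ATM-supporting servers; it gives no detail of the site or the query. As an added illustration of that bug class, not code from the article, the court filing or 7-Eleven, here is the shape of it in Python against an in-memory SQLite database: a store lookup that splices user input into the SQL string, the same lookup with a bound parameter, and the tautology and UNION payloads that turn a harmless search into a dump of a table the page was never meant to expose. The table names, rows and hash value are constructed for the example.

```python
import sqlite3


def build_demo_db():
    """Constructed data for the example: a public store-locator table plus an
    internal account table that the locator page should never expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE stores (id INTEGER PRIMARY KEY, name TEXT, city TEXT);
        CREATE TABLE ops_accounts (username TEXT, password_hash TEXT);
        INSERT INTO stores (name, city) VALUES ('Store 101', 'Dallas');
        INSERT INTO stores (name, city) VALUES ('Store 202', 'Austin');
        INSERT INTO ops_accounts VALUES ('atm_ops', 'fake-hash-for-demo');
    """)
    return conn


def lookup_vulnerable(conn, name):
    # String concatenation: the user's input becomes part of the SQL grammar,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    query = "SELECT name, city FROM stores WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    # Bound parameter: the input is delivered to the engine as a value and is
    # never parsed as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT name, city FROM stores WHERE name = ?", (name,)
    ).fetchall()


# Payload shapes (hypothetical, constructed for the example):
#  - tautology: close the literal, OR in a condition that is always true.
#  - union: close the literal, UNION in two columns from another table, and
#    comment out the trailing quote the template would otherwise append.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"
UNION_PAYLOAD = "x' UNION SELECT username, password_hash FROM ops_accounts --"


if __name__ == "__main__":
    conn = build_demo_db()
    print("normal:               ", lookup_vulnerable(conn, "Store 101"))
    print("vulnerable, tautology:", lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD))
    print("vulnerable, union:    ", lookup_vulnerable(conn, UNION_PAYLOAD))
    print("safe, union:          ", lookup_safe(conn, UNION_PAYLOAD))
```

The UNION row is the part that matters for the pivot the agreement describes: a web-tier bug hands the attacker data (here an internal account) that is useful against systems behind the web server. Parameterization closes this particular hole; whether a public web server should hold anything that reaches ATM back-end servers at all is a segmentation question the fix does not answer.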

(Related) Computer Crime is Big Business.

Malware and Botnet Operators Going ISP

Posted by ScuttleMonkey on Monday December 21, @04:53PM from the spam-is-big-business dept.

Trailrunner7 writes to mention that malware and botnet operators appear to be escalating to the next level by setting up their own virtual data centers. This elevates the criminals to the ISP level, making it much harder to stop them.

"The criminals will buy servers and place them in a large data center and then submit an application for a large block of IP space. In some cases, the applicants are asked for nothing more than a letter explaining why they need the IP space, security researchers say. No further investigation is done, and once the criminals have the IP space, they've taken a layer of potential problems out of the equation. 'It's gotten completely out of hand. The bad guys are going to some local registries in Europe and getting massive amounts of IP space and then they just go to a hosting provider and set up their own data centers,' said Alex Lanstein, senior security researcher at FireEye, an anti-malware and anti-botnet vendor. 'It takes one more level out of it: You own your own IP space and you're your own ISP at that point.'"

Two interesting “facts”: 1) the WSJ rarely gets it wrong; 2) NSA was involved?

WSJ report on Citigroup hack disputed by Citigroup

December 22, 2009 by admin Filed under Financial Sector, Hack, Of Note

Siobhan Gorman and Evan Perez of the Wall Street Journal report:

The Federal Bureau of Investigation is probing a computer-security breach targeting Citigroup Inc. that resulted in a theft of tens of millions of dollars by computer hackers who appear linked to a Russian cyber gang, according to government officials… The Citibank attack was detected over the summer, but investigators are looking into the possibility the attack may have occurred months or even a year earlier. The FBI and the National Security Agency, along with the Department of Homeland Security and Citigroup, swapped information to counter the attack, according to a person familiar with the case.

But not so fast. Citigroup is denying any breach:

Joe Petro, managing director of Citigroup’s Security and Investigative services, said, “We had no breach of the system and there were no losses, no customer losses, no bank losses.” He added later: “Any allegation that the FBI is working a case at Citigroup involving tens of millions of losses is just not true.”

Their denial did not seem to convince WSJ, and the rest of the article provides background and some details on the alleged Citibank hack and the use of Black Energy software to steal banking data.

So… was there a breach or wasn’t there? And should those organizations that compile databases include a breach if the entity firmly denies being breached and we don’t have named sources? Right now, I’m glad that I don’t compile breaches as I’m not sure what I’d do with this one. Maybe an entry with an asterisk? Even then, associating the name with a possible breach can do reputational harm. I’ll be interested to see what OSF, ITRC, and the PRC do with this one.

[Black Energy is a botnet toolkit used for DDoS attacks:

So much for the “We did nothing wrong.” statement from the French earlier in the week. (What do you bet they keep a copy?)

UPDATE: France agrees to hand back ’stolen’ Swiss bank data

December 21, 2009 by admin Filed under Breach Incidents, Financial Sector, Insider, Non-U.S., Of Note

From the Agence France-Presse:

France said Monday it would agree to a Swiss request to hand back data taken from a HSBC bank branch in Geneva that is at the centre of a row between the two countries.

HSBC Private Bank says the information was stolen by a former employee who later gave it to French authorities probing suspected tax evasion by several thousand French taxpayers.

The Swiss authorities had called on France to hand it back after it was seized in January by police in southern France under a Swiss warrant for the former employee, a French citizen identified as Herve Falciani.

Read more on MSN.

Never happen. Gossip, especially the juicy stuff, trumps privacy every time.

Privacy and ethics: discussing celebrities’ private lives

December 21, 2009 by Dissent Filed under Other

Over on Chronicles of Dissent, I’ve been blogging about privacy issues and the ethics of psychologists discussing celebrities’ personal lives. Part 1 of the discussion uses the Tiger Woods scandal and Brittany Murphy death to illustrate some ethical concerns and it includes statements from the ethics codes of the Society of Professional Journalists, the American Psychological Association, and the American Psychiatric Association. Part 2 of the discussion quotes U.K. social psychologist Dr. Gary Wood, who shares my view that it is unethical for psychologists to discuss or speculate about the mental health of celebrities.

A “good deal” for a company is not always a good deal for customers. (Business 101) Will this result in more phone calls to Class Action lawyers?

Verizon Removes Search Choices For BlackBerrys

Posted by kdawson on Monday December 21, @08:22PM from the you've-been-bung dept.

shrugger writes

"I picked up my BlackBerry this morning to do a search and noticed Bing as my default search engine. I thought this was very strange, since I didn't pick this setting. I went to change it back to Google and, to my chagrin, Bing was my only option! Apparently Verizon has pushed an update that removes all search providers except Bing. Thanks a lot Verizon!"

The Reg notes: "The move is part of the five-year search and advertising deal Verizon signed with Microsoft in January for a rumored $500m."

[A thread in the Comments:

A: Ah, the wonderful sound of thousands of canceled contracts! Nothing quite like it.

B: ah but they doubled their termination fee. now it is cheaper to get a divorce than to pay Verizon to get out of the contract.

C: Divorce her and leave her the phone. That'll teach her.

Looks like this judge just made the no-fly list!

TSA Must Release Some ‘No-Fly List’ Evidence – Court

December 22, 2009 by Dissent Filed under Court, Featured Headlines, Surveillance, U.S.

Anne Youderian reports:

A federal judge in San Francisco ordered the Transportation Security Administration to release some evidence relating to a Muslim woman’s inclusion on the government’s “no-fly list,” breaking what the judge called a “potential jurisdictional impasse.”

Rahinah Ibrahim, a Malaysian Muslim, said she was illegally detained at the San Francisco International Airport because her name appeared on the “no-fly list,” which had been implemented after the Sept. 11, 2001, terrorist attacks.

Ibrahim said airport police handcuffed her in front of her 14-year-old daughter and detained her for two hours. She was getting her doctorate at Stanford University at the time, and had no criminal record or link to terrorists.

Agents later released her and told her that her name had been removed from the no-fly list. But when she tried to return to the United States to finish her degree, she learned that her student visa had been revoked.

She sued, claiming she’d been wrongfully included on the no-fly list.

U.S. District Judge William Alsup dismissed for lack of jurisdiction, but the 9th Circuit reversed on a 2-1 vote.


But the case faced a second jurisdictional hurdle on remand.

“[I]t turns out that important evidence at the heart of the case is still under lock and key by TSA,” Judge Alsup wrote. “The federal government asserts that this Court again lacks subject-matter jurisdiction, this time lacking jurisdiction to compel TSA to release the evidence. Fortunately, a portion of the jurisdictional impasse can be broken – a recent statutory amendment allows district courts to compel the production of at least some of the sensitive information” (original emphasis).

The judge ordered the TSA to produce FBI phone logs related to Ibrahim; TSA employee logs; documents discussing the incident, instructing police to detain or arrest Ibrahim, and discussing those instructions; and airport video recordings.

Read more on Courthouse News.

For Law School students? They get access to Lexis as part of their tuition. Is that enough to addict them to the service?

December 21, 2009

Google Scholar: A New Way to Search for Cases and Related Legal Publications

Follow up to Google Scholar Now Includes Free Case Law Database and Bridging the DiGital Divide: A New Vendor in Town? Google Scholar Now Includes Case Law, this related article - Google Scholar: A New Way to Search for Cases and Related Legal Publications.

Merry Christmas! Whose “Naughty or Nice” list do you get on?

An E-Book Buyer’s Guide to Privacy

December 22, 2009 by Dissent Filed under Breaches, Internet

Ed Bayley of EFF writes:

As we count down to end of 2009, the emerging star of this year’s holiday shopping season is shaping up to be the electronic book reader (or e-reader). From Amazon’s Kindle to Barnes and Noble’s forthcoming Nook, e-readers are starting to transform how we buy and read books in the same way mp3s changed how we buy and listen to music.

Unfortunately, e-reader technology also presents significant new threats to reader privacy. E-readers possess the ability to report back substantial information about their users’ reading habits and locations to the corporations that sell them. And yet none of the major e-reader manufacturers have explained to consumers in clear unequivocal language what data is being collected about them and why.

As a first step towards addressing these problems, EFF has created a first draft of our Buyer’s Guide to E-Book Privacy. We’ve examined the privacy policies for the major e-readers on the market to determine what information they reserve the right to collect and share.

Read more on the Electronic Frontier Foundation. You might be surprised when you look at their comparison chart about which device(s) seem to provide better privacy protection.

Why not eDoctors to go with those eHealth Records? (This would be more profitable if we could off-shore it to Sri Lanka.)

Virtual Visits To Doctors Spreading

Posted by ScuttleMonkey on Monday December 21, @03:09PM from the what-could-possibly-go-wrong dept.

tresho writes to tell us that virtual doctor visits seem to be on the rise. A new service, most recently deployed in Texas, from "NowClinic" is allowing doctors to make virtual house calls and prescribe anything short of controlled substances.

"For $45, anyone in Texas can use NowClinic, whether or not they are insured, by visiting Doctors hold 10-minute appointments and can file prescriptions, except for controlled substances. Eventually they will be able to view patients’ medical histories if they are available. The introduction of NowClinic will be the first time that online care has been available nationwide, regardless of insurance coverage."

Is there a market for Do-it-yourself security cameras? Those little “This house protected by video surveillance” signs work only when the crooks can read.

Caught on tape: Burglars target wrong techie

Grateful police say they've "never seen anything like this before"

By Paul McNamara on Sat, 12/19/09 - 12:03pm.

… A Framingham, Mass., resident received an urgent text message at work on Friday. It was from his home computer reporting the presence of movement inside of his apartment, which he had equipped with a motion detector and surveillance camera after a recent burglary.

The guy logs on, calls up the video feed, and bingo: Two burglars are having their way with his stuff. He calls the cops, who I'm going to presume have rarely had an easier collar.

From a MetroWest Daily News report:

Kevin John Fegan, 27, and Joshel Garcia, 18, both of Framingham, were inside the 205 Beaver St. apartment when police arrived and arrested them at 9:30 a.m., never knowing they were being watched via computer, Deputy Police Chief Craig Davis said.

The break-in and theft were also recorded for future use in court proceedings, the deputy chief said.

It is easy to justify huge amounts of compensation when a CEO makes you lots of money. Much harder is compensating one for avoiding a 100% loss.

Apple's Steve Jobs named world's best-performing CEO

By Neil Hughes Published: 12:50 PM EST

… "The #1 CEO on the list, Steve Jobs, delivered a whopping 3,188% industry-adjusted return (34% compounded annually) [Better than Bernie Madoff! Bob] after he rejoined Apple as CEO in 1997, when the company was in dire shape," the report said. "From that time until the end of September 2009, Apple’s market value increased by $150 billion."

Monday, December 21, 2009

We trust our cops so little that we need to monitor everything they do. (If they didn't have a union before, they will now.) It would be interesting and enlightening to see a compilation of the crap these officers put up with on a daily basis – can we get the videos via a FOIA request?

San Jose Cops Will Wear Body Cameras

December 21, 2009 by Dissent Filed under Surveillance, Workplace

Laura Glendinning reports:

San Jose knows the way. . . to get it all on camera. 18 helmet cameras are being put into use in San Jose in a test program aimed at reducing escalating violence in arrests and general public interactions. The department has been under fire for a number of alleged abuses of force. Patrol officers in the experiment will be turning on the cameras every time they talk with anyone. [What happens if they fail to turn a camera on? Bob] The cameras look a lot like bluetooth earpieces, and are attached via headband. A mini computer rides on the officer’s belt. Every shift will end with a data download. [Unlikely there will be a review unless a complaint is lodged. Bob]


The American Civil Liberties Union has come out strongly against police cameras, seeing them as a violation of the Fourth Amendment right to privacy, but courts have held that citizens have little expectation of privacy in public spaces. Disclosure that a citizen is being recorded is required of all body camera-wearing officers.

Read more on Yes, But, However.

Fourth Amendment lawyer John Wesley Hall, Jr. comments on the story:

It says that the ACLU claims that recording an interaction is an invasion of privacy. How? What is the privacy interest in what a cop sees?

You don’t know how many times I’ve wished that the police-citizen interaction was recorded. Either my client or the cop was lying. Just show me which one.

Hall’s comment makes sense, but since the device, AXON, records both video and audio, what happens when the officer forgets to shut off the recording and is caught making personal comments or other comments that perhaps, were best left unsaid or unrecorded? Will these recordings be restricted in their use to criminal complaints and complaints of citizen abuse? And how long will they be retained for?

Everything is legal if you're a government.

(follow-up) France stands by use of stolen bank data

December 21, 2009 by admin Filed under Financial Sector

France’s use of HSBC client data stolen by a former HSBC employee continues to create international tension. France maintains that it obtained the information legally and can use it, while HSBC and the Swiss government do not see the data as having been legally obtained. Peggy Hollinger reports:

France said yesterday that it had committed no crime in using a stolen list of Swiss bank accounts to track French tax evaders as a row between Bern and Paris over banking secrecy intensified.

“France is committing no fraud, the tax evaders are,” said Eric Woerth, budget minister, in an interview on Canal Plus. “What counts is that we obtained [the information] legally.”

Switzerland has threatened to suspend ratification of a new bilateral tax treaty agreed with France in September over the decision by French fiscal authorities to use a list stolen from HSBC in Geneva by a former employee.

Read more on Financial Times.

Reuters reports that in an interview with the Swiss newspaper SonntagsZeitung, Alexandre Zeller, CEO of HSBC Private Bank (Suisse) said:

“The person, who we employed for eight years, took the data from various systems and tried to put them together like a puzzle. It is difficult to evaluate this data both from a technical and legal point of view.”

HSBC confirmed earlier this month that an ex-employee stole client data from its Swiss private bank in 2006 and 2007. [Former HSBC IT specialist Herve] Falciani later identified himself as that ex-employee.

(Related) When governments start censoring their critics, you have to ask yourself what is next.

AU Authority Moves To Censor Net Filtering Protest Site

Posted by kdawson on Monday December 21, @01:17AM from the shortcutting-the-udrp dept.

An anonymous reader writes

"On Friday the Sydney Morning Herald reported that an Internet censorship protest site had been set up under the banner 'Stephen Conroy: Minister for Fascism' and was ironically registered under the very name of the Australian Communications Minister responsible for trying to mandate the compulsory filtering scheme in federal law. Within hours of the story being published, auDA, the Australian Domain Name Authority, had shut down the site, giving the owners only 3 hours to respond to a request to justify their eligibility for the domain. Normally auDA would allow several days to weeks for this process. An appeal to request an extension was denied, with no reason given. The site was quickly moved to a US domain, in order to stay active while the dispute with auDA is resolved."

Amusing eDiscovery request. Is the time you are connected to Facebook an indication that you are able to perform your job functions? How about if you were connected, but not entering data? (Not sure how detailed Facebook's logs are.)

Canadian court orders litigant to request her Facebook records from ISP

December 20, 2009 by Dissent Filed under Court, Internet, Non-U.S.

Toronto attorney Dan Michaluk blogs:

On December 2nd, the New Brunswick Court of Queen’s Bench ordered a plaintiff in a disability insurance claim to obtain “a history of her computer account use” from her ISP and “request” her ISP to generate a record accounting for her Facebook use.

The case is Carter v. Connors, 2009 NBQB 317 (pdf), and from the court filing, the background is:

The Applicant-Defendant has brought a motion for an order that the Plaintiff, who is currently undergoing discovery examination by the Applicant’s counsel, provide an undertaking to have her Internet Service Provider, Bell-Aliant, disclose the history of her Internet use at her home from the date of a motor vehicle accident in 2004 until today. Included in that request is a specific ancillary request that, in the event the motion succeeds, the technician that assembles the Internet use record segregate as a discrete record, if possible, the time spent on the Internet social network site Facebook that may be disclosed in the Plaintiff’s Internet use account record. The Plaintiff has conceded in her examination that she also has an account on the social networking site Facebook. The motion is brought pursuant to Rule 33.12 of The Rules of Court but, practically speaking, under the auspices of Rule 32.06 and 33.08(3) of The Rules of Court.

At issue:

Does the law of civil discovery in New Brunswick allow a party to compel production of Internet and Facebook usage records from the service provider of a Plaintiff who held an administrative clerk position prior to a motor vehicle accident when the basis of the claim filed by her is a soft tissue injury that is claimed to have resulted from the accident that prevents her from resuming full time work?

The decision lays out the legal precedent and reasoning as to whether such a request in the context of private litigation violates any Charter rights or expectation of privacy and then concludes:

In this instance I believe that the probative value of the information requested is of such a level that its disclosure will not infringe upon a reasonable expectation of privacy. That is so because the information sought is not, at least at this stage of proceedings, information that could qualify as revealing very personal information over which most right thinking Canadians would expect a reasonable expectation of privacy. Put another way, it does not reveal: “intimate details of the lifestyle and personal choices of the individual.”

Having said that, it appears clear that this may be only the first of more questioning by The Defendant’s counsel, Mr. Morrison, of the Plaintiff with respect to her general Internet and specific Facebook usage at the examination for discovery. If the questioning attempts to delve deeper into the Plaintiff’s lifestyle as it pertains to these subjects, relevancy and privacy, it will require a re-examination of the reasonable limits of such questioning. For example, included in that assessment will be the extent to which an individual may claim a reasonable expectation of privacy in the use of social networking site electronic data.

Read more on All About Information. Hat-tip, Canadian Privacy Law Blog.

Now this could be fun (and depressing) I can see case studies in law, ethics, corporate governance, and lots of other areas. Perhaps we should just send it to WikiLeaks right now?

Call To "Open Source" AIG Investigation

Posted by Soulskill on Sunday December 20, @09:33AM from the still-looking-for-somebody-to-crucify dept.

VValdo writes

"As you may recall, the citizens of the US shelled out about $85 billion to bail out AIG and its creditors (Goldman Sachs in particular) last year. But as 80% owners of AIG, we still don't know what happened, exactly. That may change. In a new op-ed piece, former prosecutors (including former NY governor Eliot Spitzer) are calling for the US Treasury to force AIG to release its treasure-trove of emails to the public before allowing AIG to 'break free' of our control. As the prosecutors put it, 'By putting the evidence online, the government could establish a new form of "open source" investigation. Once the documents are available for everyone to inspect, a thousand journalistic flowers can bloom, as reporters, victims and angry citizens have a chance to piece together the story.' Good idea?"

For your Security Manager if you process Credit Cards.

Attack Of The RAM Scrapers

Beware of malware aimed at grabbing valuable data from volatile memory in point-of-sale systems

Dec 18, 2009 | 02:33 PM By Keith Ferrell DarkReading

The inclusion of RAM scrapers in a recent Verizon Business list of the top data breach attack vectors has prompted a bit of buzz about what exactly RAM scraping is and how much of a threat it poses.

A RAM scraper as identified in the Verizon Business Data Breach Investigation report is a piece of customized malware created to grab credit card, PIN, and other confidential information out of a system's volatile memory. The RAM-scraping breaches in Verizon's report occurred in point-of-sale (POS) servers.

… Why go after the data in RAM? Because in many ways it's easier to grab there. Current PCI compliance standards require the end-to-end encryption of sensitive payment card data when being transmitted, received, or stored. Data then is exposed at the endpoints, during processing, when the unencrypted credit card data is resident in the POS device's RAM. That's where the RAM scraper can cherry-pick the data being processed, capturing only those strings related to card identifiers rather than performing bulk data grabs. This minimizes the scraper's presence and, far from incidentally, reduces the prospects of its being detected as a result of dramatically increased server traffic or other illicit activity flags.

… RAM scrapers have to get to the RAM in order to access valuable data. POS RAM scrapers enter systems that are either insufficiently protected, such as those that use default credentials or get compromised by trusted partners, according to the Verizon report.

… The best way to detect a RAM scraper is via regular traffic and critical file monitoring and log analysis, experts say. Following are eight tips for protecting against RAM scraping, gleaned from the Verizon report:
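The article explains the scraper's selectivity (it captures "only those strings related to card identifiers rather than performing bulk data grabs") without showing what that selection looks like. Here is an added example, not from the DarkReading article or from Verizon's report, of the same selection logic written as a defender's check in Python: scan a byte buffer for 13 to 19 digit runs that are not part of a longer digit run, keep only those that pass the Luhn check, and report them masked. The memory buffer, the terminal name and the field names are constructed for the example; the two card numbers are the published Visa and MasterCard test numbers. Run over a memory dump of a real POS process, the same function answers the question the article raises, namely whether cleartext PANs or track data are resident in RAM at all.

```python
import re

# Candidate PAN: 13-19 digits with no digit on either side. Track-2 data
# (";PAN=YYMM...?") puts the PAN right after a non-digit, so it matches too,
# while the discretionary data after '=' (20 digits here) does not.
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; discards digit runs (timestamps, order ids) that
    are the right length but are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(buf: bytes):
    """Return (offset, pan) for every Luhn-valid digit run in buf."""
    hits = []
    for m in PAN_RE.finditer(buf):
        pan = m.group().decode("ascii")
        if luhn_ok(pan):
            hits.append((m.start(), pan))
    return hits


def mask_pan(pan: str) -> str:
    """First six and last four, which is all a report should carry."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed stand-in for a POS process's memory: a 14-digit timestamp
# (fails Luhn), a track-2 record, a 16-digit order id (fails Luhn) and a
# bare PAN. Offsets and surrounding bytes are arbitrary.
SAMPLE_MEMORY = (
    b"\x00\x00POS-TERMINAL-7\x00ts=20071109031500\x00"
    b";4111111111111111=25121010000012345678?\x00"
    b"order_id=1234567890123456\x00"
    b"cardholder=J SMITH\x00pan=5555555555554444\x00\xff\xfe"
)


if __name__ == "__main__":
    for off, pan in find_pans(SAMPLE_MEMORY):
        print(f"offset {off:#06x}: {mask_pan(pan)} ({len(pan)} digits)")
```

On the sample buffer only the two real card numbers survive the Luhn filter; the timestamp and order id, both plausible lengths, are dropped. That filter is also why the article can say a scraper adds little traffic: it exfiltrates a few validated strings, not the process image. A production scraper would additionally key on the track-1 and track-2 framing characters to pick up expiry and service-code data alongside the PAN.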

Now this is interesting.

Yelp Walks Away From Google Deal, And Half A Billion Dollars

by Michael Arrington on December 20, 2009

Jeremy Stoppleman, the CEO of Yelp, has walked away from an all-but-signed deal to be acquired by Google for more than half a billion dollars.

The deal was, as we wrote late last week, in the later stages of negotiation. The two companies had agreed on a price – around $550 million plus earnouts – and were working through the final details of the acquisition.

Then something happened that made Yelp reconsider the deal. Over the weekend they notified Google that they were not going to sell, say multiple sources.

For my Statistics class. Be careful what you measure. Is this truly the “7 and under” group or is Dad sneaking onto the kids computer to surf for porn check that the blocking software still works? (Is no one concerned that Symantec knows what your children are doing online?)

“Porn” Among Top Search Terms for Kids

December 19th, 2009 by Pete Cashmore

In a somewhat worrying piece of news, security firm Symantec has released the top search terms by kids in 2009. Topping the lists: “YouTube”, “Google”, “Facebook”, “sex” and “porn”.

While that result set might not be surprising in the teen search rankings, it’s interesting to note that “porn” ranks 4th in the “7 and under” category, receiving more searches than “Club Penguin” and “Webkinz“.

… The data was compiled from 14.6 million searches made using Symantec’s OnlineFamily.Norton, which lets parents track their kids’ online activity.

Free is good!

eBooksRead: Read Over 200,000 Free eBooks

By TehseenBaweja on Dec. 15th, 2009

… eBooksRead is an online library where you can read and download over 240,000 ebooks for free. These eBooks can be searched by book title or author name. You can also browse through the alphabetical listing of authors to find the book you need. All the books are available in txt format while some are also available in PDF.