Saturday, January 02, 2010

Surely this comes as no surprise... Supreme court decisions are even published.

Using Fourth-Party Data Brokers To Bypass the Fourth Amendment

Posted by Soulskill on Friday January 01, @11:07PM from the one-party-per-amendment dept.

An anonymous reader writes

"Coming out of Columbia Law School is an article about commercial data brokers and their ability to provide information about individuals to the US government despite Fourth Amendment or statutory protections (abstract, full PDF at Download link). Quoting: 'The Supreme Court has held that the Fourth Amendment does not protect information that has been voluntarily disclosed to a third-party or obtained by means of a private search. Congress reacted to these holdings by creating a patchwork of statutes designed to prevent the government's direct and unfettered access to documents stored with third-parties; thus, the government's access is fettered by various statutory requirements, including, in many cases, notice of the disclosure. Despite these protections, however, third-parties are not restricted from passing the same data to other private companies (fourth-parties), and after the events of September 11, 2001, the government, believing that it needed a greater scope of surveillance, turned to the fourth-parties to access the personal information it could not acquire on its own. As a consequence, the fourth-parties, unrestricted by Fourth Amendment or statutory concerns, delivered — and continue to deliver — personal data en masse to the government.'"

eConspiracy! And, it is self-documenting!

Drunk Drivers Evade the Cops With Twitter

December 31st, 2009 | by Brenna Ehrlich

Twitter has become the ultimate turncoat lately, functioning as a soldier for the police and drunken drivers alike.

We reported last week that inebriated drivers in Texas are to be outed on Twitter, and now cops report that the culprits themselves are using the microblogging site to inform others of the location of sobriety checkpoints.

(Related) Over-cooperation?

Man Tracked Down and Arrested Via WoW

Posted by Soulskill on Saturday January 02, @02:09AM from the time-to-bubble-hearth dept.

kabome writes with this excerpt from a story about an alleged drug dealer who was located by law enforcement thanks to World of Warcraft:

"Roberson’s subpoena was nothing more than a politely worded request, considering the limits of his law enforcement jurisdiction and the ambiguity of the online world. 'They don’t have to respond to us, and I was under the assumption that they wouldn’t,' said Roberson. ... Blizzard did more than cooperate. It gave Roberson everything he needed to track down Hightower, including his IP address, his account information and history, his billing address, and even his online screen name and preferred server. From there it was a simple matter to zero in on the suspect's location."

Big Brother by proxy.

U.S. security rules would break privacy laws, Canadian airlines contend

January 1, 2010 by Dissent Filed under Featured Headlines, Non-U.S., Surveillance

Jim Bronskill of the Canadian Press reports:

Canada’s major airlines say they will be forced either to break privacy laws or to ignore new American air security rules unless the federal government comes up with a response to U.S. demands for passenger information.

The National Airlines Council of Canada, which represents the four largest Canadian carriers, is pleading with the government to find “a permanent solution” to the dilemma posed by the U.S. Secure Flight program.

The program would collect the name, gender and birth date of the approximately five million Canadians who fly through American airspace en route to destinations such as the Caribbean, Mexico and South America, even if their planes don’t touch the ground in the States.

Read more in The Globe and Mail.

“We hate porn so much, we'll pay you to look for it.”

China Arrests Thousands In Internet Porn Crackdown

Posted by Soulskill on Saturday January 02, @05:14AM from the that-fourth-party-crap-doesn't-sound-so-bad-anymore dept.

Clandestine_Blaze writes

"Chinese police have arrested 5,394 people — with another 4,186 criminal cases in the works — in one of the largest crackdowns on Internet porn in the country. Even more arrests are expected in 2010, according to the Ministry of Public Security's website (In Chinese or Google translated into English). According to the Reuters article on the crackdown, one of the justifications was that the pornography was 'threatening the emotional health of children.' From the English translation of the Ministry of Public Security's website linked above, it appears that certain provinces are also offering 1,000 yuan and 2,000 yuan rewards, per person, for reporting illegal websites to the government."

Joke-du-jour? This is the wrong kind of law to try enforcing in a country that drinks. Also, a smart lawyer (oxymoron?) would have someone locate an appropriate California cult to take offense at anything. (Attn Gov. Schwarzenegger: Taxing these transactions could relieve the budget shortfall!)

Ireland's Blasphemy Law Goes Into Effect

Posted by Soulskill on Friday January 01, @07:13PM from the joe-pesci-is-angry dept.

stereoroid writes

"As of January 1, it is a crime in Ireland to commit Blasphemy. The law was changed in July 2009 to fill a gap in the Irish Constitution, which states that it is a crime but does not define what it is, an omission highlighted in a Supreme Court decision in 1999. To mark the occasion, Atheist Ireland published a list of 25 blasphemous quotations on the website, from such controversial figures as Bjork, Frank Zappa, Richard Dawkins, Randy Newman, and Pope Benedict XVI. (The last-mentioned was quoting a 14th Century Byzantine Emperor, but that's no excuse.)"

[From the article:

It defines blasphemy as "publishing or uttering matter that is grossly abusive or insulting in relation to matters sacred by any religion, thereby intentionally causing outrage among a substantial number of adherents of that religion, with some defences permitted".

Because I like lists, and don't know everything (yet)

Ten Technologies That Will Rock 2010

by Erick Schonfeld on January 1, 2010

Friday, January 01, 2010

I suspect lawyers are finding ways around the disclosure laws, but I'm a bit of a cynic.

Breach reports decline in 2009, but what does it mean?

December 31, 2009 by admin Filed under Commentaries and Analyses, Of Note

As of today’s date, breach compilations by both the Identity Theft Resource Center and Open Security Foundation indicate that there were fewer breach reports in 2009 relative to 2008. While some of the apparent decrease may be due to two sources used last year not being available online for the second half of this year, the entire decrease cannot be attributed to these two sources.

So why are breach reports down relative to last year? Are more entities now using encryption and safer methods of transporting data leading to a reduced number of breaches or reduced number of breaches that would trigger a breach disclosure? Has the arrest of a number of master cybercriminals put a significant dent in cybercrime? Either would be cause for some celebration. But there are other possible explanations for why breach reports might be down that would not be cause for celebration, such as:

  • Entities deciding not to report or disclose breaches despite any mandatory disclosure laws because of the cost of notification during these rough economic times;

  • Entities referring incidents to law enforcement in the partial hope that law enforcement will ask them not to disclose or reveal the breach so as not to interfere with any investigation;

  • Breaches becoming more sophisticated and entities not even realizing that they have been breached;

  • The media getting bored with breach reporting and not giving it as much coverage;

  • 2008 may have represented an anomaly, as inspection of OSF’s nifty graphic at the top of their homepage suggests, with breach reports returning to pre-2008 levels in the spring, or;

  • None of the above.

So… why do you think that breach reports declined in 2009?

“We don't encrypt sensitive data. We don't log access to sensitive data. We don't check for files (even videos) being uploaded to our system. So we sure as heck aren't going to make any effort to protect you! Love, Your Alma Mater”

WA: 130,000 at risk after computer breach at EWU

December 31, 2009 by admin Filed under Breach Incidents, Education Sector, Hack, U.S.

Levi Pulkkinen reports:

Following a computer breach earlier in December, Eastern Washington University will be notifying 130,000 current and former students that their identifying information may have been compromised.

While it remains unclear whether any students or alumni have had their identities stolen due to the breach, officials with the Cheney-based university are preparing to mail letters to those put at risk, a spokesman said.

Discovered during an assessment in early December, the breach was found in a system carrying student records dating back to 1987. Current and former students’ Social Security numbers, names and birth dates are stored on the system, which has since been secured.

While investigators found no evidence any information was taken — those behind the breach appeared to be storing video files on the system — those concerned their identities may have been stolen are encouraged to check their credit statements.


“Our blustery bluff failed, so we're not gonna play any longer.” (Terrorists/criminals, take note)

“We don't really understand the law, we were just angry” (Child psychologists, take note)

“This was a loser from the git go.” (Voters, take note)

“Can you say, 'Security Theater?'” (Airline passengers, take note)

“Never mind:” DHS drops attempts to subpoena bloggers who posted TSA directive

December 31, 2009 by Dissent Filed under Featured Headlines, U.S.

Chris Elliott has this happy update on the Department of Homeland Security’s attempt to subpoena his records:

The Department of Homeland Security has withdrawn a subpoena that would have required me to furnish it with all documents related to the Dec. 25 TSA Security Directive which was published on my Web site.

The move came after my attorneys were granted an extension on the government request. I also signaled my intent to challenge the subpoena in federal court next week.

Steven Frischling, the blogger at Flying With Fish who also received a subpoena, also received an all-clear, as he reported on Twitter:

HAPPY NEW YEAR TO ME! TSA’s Dep Chief Counsel for Enforcement just called me to let me know I am in the clear & good to go! Woo Woo #TSAFail

(Related) Or maybe they're just incompetent. But they are always a good source of bad examples.

Another TSA redaction error involving sensitive information

January 1, 2010 by Dissent Filed under Govt, Internet


The USA Merit Systems Protection Board published an online Opinion and Order which involved a TSA employee. A footnote states:

*The original unexpurgated version of this Opinion and Order contains Sensitive Security Information (SSI) protected by 49 C.F.R. Parts 15 and 1520. Per agreement between the Merit Systems Protection Board and the Transportation Security Administration (TSA), the TSA has redacted all SSI protected by 49 C.F.R. Parts 15 and 1520 from this version so that it can be made available to the public.

The SSI redactions were made in an insecure manner and could be easily removed.

As it has done in similar situations, Cryptome provides the unredacted version.

[NOTE: If you go to the website and copy the redacted document to your word processor, the redactions are removed. This is covered in both my Word Processing and Intro to Security classes. Bob]

Ah man, why didn't I think of this business model? (Instead of the NSA)

Underground Services Let Virus Writers Check Their Work

By Brian Krebs December 31, 2009 2:50 pm

I have often recommended file-scanning services like VirusTotal and Jotti, which allow visitors to upload a suspicious file and scan it against dozens of commercial anti-virus tools. If a scan generates any virus alerts or red flags, the report produced by the scan is shared with all of the participating anti-virus makers so that those vendors can incorporate detection for the newly discovered malware into their products.

… Enter upstart file-scanning services like and, which bank on the guarantee that they won’t share your malware with the anti-virus community.

For $1 per file scanned (or a $40 monthly membership) will see if your file is detected by any of 22 anti-virus products, including AVAST, AVG, Avira, BitDefender, NOD32, F-Secure, Kaspersky, McAfee, Panda, Sophos, Symantec and Trend Micro.

What happens when a company that insists on staying 'old school' pushes a 'newer school' company too far?

Time Warner Cable shows subscribers how to cut cord

by Peter Kafka, AllThingsD December 31, 2009 5:30 PM PST

The nightmare scenario for cable companies is that customers drop their TV subscriptions and grab their video directly from the Web, turning the cable guys into mere providers of "dumb pipes."

But here's a comprehensive set of instructions from a big cable company showing its customers how to do just that. It suggests that they head to the likes of Hulu, Fancast, or "any search engine"--weird for it not to call out Google, no?--to find their favorite shows.

Time Warner Cable's instructions on "How to Connect Your PC to Your TV" can be accessed by clicking on the image at the bottom of this post. And here's a helpful video (sorry for the clumsy screen grab; the video kicks in at about the five-second mark, and there's some unpleasant coughing around 2:30. Yikes!):

The instructions (Time Warner Cable promised to provide them last week) are part of the company's game of chicken with News Corp.'s Fox, which is supposed to come to a head Thursday night. If you believe the posturing so far, Fox and its associated cable channels (Fox News, FX, etc.) will disappear after midnight because the two sides can't agree on a new rate.

For the Criminal Justice students

December 31, 2009

New on - Google Scholar: A New Way to Search for Cases and Related Legal Publications

Google Scholar: A New Way to Search for Cases and Related Legal Publications - Courtney Minick and David Tsai provide an overview of the new features Google Scholar provides for the legal research market.

[From the article:

Searches are conducted the same exact way you would conduct a search on That is, there is no need for Boolean connectors anymore if you don't want to use them, and you still might get the exact case you're looking for. This article gives an overview on the new features Google Scholar provides for the legal research market.

For my data mining and analysis students. Blogs, Linkedin and nings.

December 31, 2009

Harnessing Free-Flowing Competitive Intelligence Through Social Media Sites

Harnessing Free-Flowing Competitive Intelligence Through Social Media Sites: "For competitive intelligence research purposes, traditional Web sites (read Web 1.0) have offered a range of valuable information for those seeking to get a leg up on the competition. But that information has had its limits—enter a new breed of Web resources that break out of the traditional information boundaries." Greg Lambert is Library & Records Manager at King & Spalding in Houston, TX.

For potential students. We offer degrees in 5 of the 6.

6 hottest skills for 2010

A slowly reviving economy will have organizations hiring in a few key areas, looking for IT pros with a mix of skills

By Mary Brandel December 29, 2009 06:00 AM ET

1. Programming/Application Development

2. Help Desk/Technical Support

3. Networking

4. Project Management

5. Security

6. Business Intelligence

For my website class. They don't have everything yet – at least I can't find “We don't need no stinking badges” – but they have a lot!

MovieClips: Share & Watch Free Movie Clips

By TehseenBaweja on Dec. 24th, 2009

Thursday, December 31, 2009

Small, but increasing in frequency. We even know why. At some point, it will become so expensive they will need to fix their security. (Perhaps a discount for good security and a penalty for bad?)

Ca: Debit-card fraud hits Guelph bank customers

December 30, 2009 by admin Filed under Breach Incidents, ID Theft, Non-U.S., Skimmers

Vik Kirsch reports:

TD Canada Trust customers stood in long lineups in at least one Guelph branch Tuesday to replace debit cards after cash was stolen from their accounts or as a precaution against this high-tech theft.

“The lineup was just incredible,” customer Irene Hayes said after replacing her debit card to guard against further theft. She said she had $400 missing from her account, but was assured by bank staff it would be replaced within a few days.

“At least we’re getting it back, but I’m sure there are people who are going to be in dire straits about this,” Hayes said, noting she talked to one person in line, a student who said he had several thousand dollars missing from a school tuition account.

Bank branch staff run off their feet Tuesday were too busy to comment. And while TD Canada Trust corporate spokesperson Tashlin Hirani couldn’t readily provide details, she noted in an email response that “debit fraud is a growing problem that impacts all banks and their customers.”

It’s often due to “a compromised merchant terminal or PIN (personal information number) pad” at a retailer such as a gas station, restaurant or grocery store, Hirani said.


At first, they didn't want to name the restaurant. Now they won't name the (assumption follows) credit card processor. Clearly this is bigger than some local teenage hacker.

Update AK: Source of stolen credit information was a restaurant

December 30, 2009 by admin Filed under Business Sector, Hack, ID Theft, U.S.

James Halpin reports:

The source of the debit and credit card data stolen from hundreds of Anchorage residents in a sophisticated hacking attack [If history is any indication, probably not. Either a default password was still being used or the data was transmitted unencrypted. Bob] was Little Italy, a family-owned restaurant in South Anchorage, its owner said Tuesday.

Police say anywhere from 150 to 1,000 card numbers were stolen and used in the attack, which started generating reports of fraudulent purchases about a month ago. The scammers, in what appears to be a nationwide, [Suggests more than one? Bob] organized effort, have spent thousands of dollars on the East Coast with the stolen data, according to police.


According to the owners, the hack was actually perpetrated against a third-party network run by a nationwide corporation they wouldn’t name.

Read more in the Anchorage Daily News.

[From the article:

Mike Messick, chief technology officer for Digital Securus, a local firm that has been helping examine the network at Little Italy, said his group found hacker programs on the point-of-sale terminals at the restaurant.

"So what the bad guys did was, instead of trying to intercept that encrypted transmission, which they knew was futile, they came in and they installed a hacker program on the point-of-sale machines that actually intercepted that card number as it was being swiped," Messick said.

Not the greatest article of all time, but an increasingly common perspective. I would even postulate that TSA believes they can keep things private by fiat.

We All Live In Public Now. Get Used To It.

by Erick Schonfeld on December 30, 2009

… It used to be that we lived in private and chose to make parts of our lives public. Now that is being turned on its head. We live in public, like the movie says (except via micro-signals not 24-7 video self-surveillance), and choose what parts of our lives to keep private. Public is the new default.

Stowe Boyd, along with others before him, calls this new state of exposure “publicy” (as opposed to privacy or secrecy).

A chain is only as strong as its weakest link. (See the TSA article, below) At least, that's how the TJX hacker operated.

Quantum Encryption Implementation Broken

Posted by timothy on Wednesday December 30, @04:37PM from the but-this-was-a-quantum-drawing-board dept.

I Don't Believe in Imaginary Property writes

"Professor Johannes Skaar's Quantum Hacking group at NTNU have found a new way to break quantum encryption. Even though quantum encryption is theoretically perfect, real hardware isn't, and they exploit these flaws. Their technique relies on a particular way of blinding the single photon detectors so that they're able to perform an intercept-resend attack and get a copy of the secret key without giving away the fact that someone is listening. This attack is not merely theoretical, either. They have built an eavesdropping device and successfully attacked their own quantum encryption hardware. More details can be found in their conference presentation."

This is increasingly typical. How can you distribute non-classified data and expect it to remain confidential? Are the procedures used by the DHS “agents” also typical? I fear they are.

TSA Threatens Blogger Who Posted New Screening Directive

By Kim Zetter December 30, 2009 3:53 pm

Two bloggers received home visits from Transportation Security Administration agents Tuesday after they published a new TSA directive that revises screening procedures and puts new restrictions on passengers in the wake of a recent bombing attempt by the so-called underwear bomber.

… The document, which the two bloggers published within minutes of each other Dec. 27, was sent by TSA to airlines and airports around the world and described temporary new requirements for screening passengers through Dec. 30, including conducting “pat-downs” of legs and torsos. The document, which was not classified, was posted by numerous bloggers. Information from it was also published on some airline websites.

(Related) “We don't need no stinking journalists!” (or Bloggers!) Would this software have found and re-published the TSA security procedures? If so, who would you subpoena?

The Rise of Machine-Written Journalism

Posted by CmdrTaco on Wednesday December 30, @02:08PM from the hey-that's-my-job dept.

Hugh Pickens writes

"Peter Kirwan has an interesting article in Wired UK on the emergence of software that automates the collection, evaluation, and even reporting of news events. Thomson Reuters, the world's largest news agency, has started moving down this path, courtesy of an intriguing product with the nondescript name NewsScope, a machine-readable news service designed for financial institutions that make their money from automated, event-driven trading. The latest iteration of NewsScope 'scans and automatically extracts critical pieces of information' from US corporate press releases, eliminating the 'manual processes' that have traditionally kept so many financial journalists in gainful employment. At Northwestern University, a group of computer science and journalism students have developed a program called Stats Monkey that uses statistical data to generate news reports on baseball games. Stats Monkey identifies the players who change the course of games, alongside specific turning points in the action. The rest of the process involves on-the-fly assembly of templated 'narrative arcs' to describe the action in a format recognizable as a news story. 'No doubt Kurt Cagle, editor of, was engaging in a bit of provocation when he recently suggested that an intelligent agent might win a Pulitzer Prize by 2030,' writes Kirwan. 'Of course, it won't be the software that takes home the prize: it'll be the programmers who wrote the code in the first place, something that Joseph Pulitzer could never have anticipated.'"

[From the article:

Journalists remain artisans in an era of industrialisation. Inside newsrooms, the old craft methods remain dominant. Outside, across the vast expanse of the web, algorithms are automating the information industry.

Lots of money waiting behind these rules, and only a few hundred pages to digest!

‘Meaningful use’ criteria released

By Dissent, December 31, 2009 7:58 am

David Burda writes on

HHS issued two sets of much-anticipated federal regulations that significantly further the government’s healthcare information technology adoption agenda. The first set of regulations lists the “meaningful use” criteria that healthcare providers must meet to qualify for federal IT subsidies based on how they use their electronic health records. The second set of regulations lays out the standards and certification criteria that those EHRs must meet for their users to collect the money.

Read more here.

Because it's a list and it's free!

Top 20 Free Blackberry Apps

For all my students who expect instant understanding.

The Neuroscience of Screwing Up

Posted by samzenpus on Wednesday December 30, @07:45PM from the nobody-is-right-all-the-time dept.

resistant writes

"As the evocative title from Wired magazine implies, Kevin Dunbar of the University of Toronto has taken an in-depth and fascinating look at scientific error, the scientists who cope with it, and sometimes transcend it to find new lines of inquiry. From the article: 'Dunbar came away from his in vivo studies with an unsettling insight: Science is a deeply frustrating pursuit. Although the researchers were mostly using established techniques, more than 50 percent of their data was unexpected. (In some labs, the figure exceeded 75 percent.) "The scientists had these elaborate theories about what was supposed to happen," Dunbar says. "But the results kept contradicting their theories. It wasn't uncommon for someone to spend a month on a project and then just discard all their data because the data didn't make sense."'"

Wednesday, December 30, 2009

Apparently, there are ways around the notification laws. (Amazing what a smart lawyer and a dumb manager can do) More news leaks out. How many retailers were hacked? Will we ever know?

Target Co was victim of hacker Albert Gonzalez

December 29, 2009 by admin Filed under Breach Incidents, Business Sector, Hack, Malware, Of Note, U.S.

Target Co said it was among the victims of computer hacker Albert Gonzalez, mastermind [...if someone who noticed that there is no WiFi security can be called a mastermind. Bob] of the biggest identity theft in U.S. history.


Target spokeswoman Amy Reilly said her company was among the victims, having had an “extremely limited” number of payment card numbers stolen by Gonzalez about two years ago.

She declined to say how many card numbers had been stolen, and described the term of the exposure as brief.

“A previously planned security enhancement was already under way at the time the criminal activity against Target occurred,” Reilly said. “We believe that, at most, only a tiny fraction [...of the millions and millions... Bob] of guest credit and debit card data used at our stores may have been involved.”

She said that Target had notified the card issuers, leaving them to tell their customers. [Is that legal? Bob]

Read more on Reuters.

(Related) There may be two other “double secret victims”

Albert Gonzalez Pleads Guilty in Heartland, 7-11 Breaches — Updated

By Kim Zetter December 29, 2009 3:39 pm

… Gonzalez, known by the online nicks “segvec” and “Cumbajohnny,” was charged in August in New Jersey, along with two unnamed Russian conspirators, with hacking into Heartland Payment Systems, a New Jersey-based card processing company, as well as Hannaford Brothers, 7-Eleven and two unnamed “major” national retailers identified only as Company A and Company B.

… On Monday, Company A filed a sealed motion in Boston and a request for oral argument in the case.

The court docket doesn’t indicate the nature of the filings, but in November, Company A filed a letter with the court indicating that it might intervene in the case to obtain a protective order to ensure the company’s “dignity, privacy and anonymity.”

Prosecutors told Threat Level in August that they were not identifying the two anonymous retailers because the companies have never acknowledged publicly that they were breached.

“You got mud on yo' face

You big disgrace

Kickin' your can all over the place


We will, we will, SUE YOU!”

RockYou Sued for Failing to Protect the Personal Data of its 32 Million Customers

December 29, 2009 by admin Filed under Breach Incidents, Business Sector

From the press release:

An Indiana man filed a class action lawsuit Monday against RockYou, the developer of popular online applications and services for use with social networking sites such as Facebook and MySpace, after RockYou failed to safeguard the highly sensitive personal information of him and 32 million others.

The lawsuit alleges that RockYou maintained its customers’ email account and password information, as well as the login credentials for social networking sites, in an unencrypted and unsecured database. As a result, according to the lawsuit, hackers were able to harvest all of this information by utilizing a well-known and easy-to-prevent exploit.

The lawsuit is brought by Alan Claridge, Jr., of the Evansville, Ind., area. According to the suit, only after the media began reporting about the data breach did RockYou notify Mr. Claridge and others of the data breach.

“This alleged data breach was by no means unforeseeable. The means of attack has been well-documented for some time, as has been the means to prevent it,” explained Michael Aschenbrener, the lead attorney for the class action. “RockYou allegedly did nothing to prevent the attack or safeguard its customers’ sensitive personal information. How any company in possession of this much data could do nothing to secure it not only violates the law, but also basic common sense.”

The class action seeks injunctive relief and monetary damages for failing to protect RockYou user data.

On its site, RockYou had posted the following about the breach:

As we previously explained, one or more individuals illegally breached one of our databases that contained the usernames and passwords for about 32 million users in an unencrypted format. It also included these users’ email addresses. This database had been kept on a legacy platform dedicated exclusively to widgets. After learning of the breach, we immediately shut the platform down to prevent further breaches.

… However, because the platform breached contained user email addresses and passwords, we recommend that our users change their passwords for their email and other online accounts if they use the same email accounts and passwords for multiple online services.

… We are separately communicating with our users so that they take this step and are informed of the facts.

It’s hard to imagine the lawsuit prevailing. If anything, some regulatory agency might want to look at whether RockYou misled customers over its security and privacy protections, but I really don’t see how RockYou users are likely to get anywhere with this lawsuit in light of the bulk of court opinions about the need to demonstrate actual harm. Does any reader think this lawsuit has a snowball’s chance?

This could be another breach, or an organized crime group. It is becoming so common, I expect to see a late night info-mercial: “Make big bucks skimming credit card information in your spare time!”

Skimmers hitting debit card customers across N.C.

December 29, 2009 by admin Filed under Breach Incidents, Financial Sector

Dan Bowens reports:

Cases in which debit card information has been stolen are cropping up across North Carolina, and officials said Tuesday that thousands of customers could be affected.

The State Employees Credit Union informed about 300 customers in recent days that their account information had been obtained by skimmers and used to make withdrawals and purchases.


Account information has been stolen from customers in Raleigh to Winston-Salem to Charlotte, according to SECU security officer Cory Mathes. He said the widespread nature of the thefts leads him to believe either a large skimming network is involved or someone has hacked into the computer system of a company that processes debit card transactions.

Read more on WRAL.

Satire is fine, parody too, but embarrass a politician and you guarantee an over-reaction in response. (And lots of media coverage – just what the activists wanted.)

Canadian Censorship Takes Down 4500 Sites

Posted by timothy on Tuesday December 29, @03:00PM from the now-that's-what-I-call-political-science dept.

uncadonna writes

"According to activist group The Yes Men, the government of Canada has shut down two parody websites criticizing Canada's poor environmental policy. The article goes on to claim that 'In response to Environment Canada's request, Serverloft immediately turned off a whole block of IP addresses, knocking out more than 4500 websites that had nothing to do with the parody sites or the activists who created them. Serverloft was shown no warrant, and never called the web hosting company about the shutdown.'"

(Related) Censorship is not always based on what politicians want. Or even common sense. Could this be the basis for a stockholder's suit?

Following In Bing's Footsteps, Yahoo! and Flickr Censor Porn In India

Posted by Soulskill on Tuesday December 29, @11:06PM from the searching-for-morality dept.

bhagwad writes

"Following recent news on how Bing decided sex was too sensitive for India, Yahoo! and its associated site Flickr have decided to do the same. While it's true that this is because of India passing laws that prohibit the publication of porn, no complaint was ever launched (and never will be), and glorious Google still continues to return accurate and unbiased results. So why is Yahoo! doing this? Is it because of its tie-up with Bing? I assume this is the case. Indian ISPs have already told the government and the courts that it's not their job to restrict porn and it's technologically infeasible too. In the absence of a complaint, I can only assume that Yahoo! has decided to do this of their own volition. Given that the 'sex' search term is searched more in India than in any other country, isn't it the duty of Yahoo! to provide accurate results to its customers? It can always plausibly deny control of its results and claim that filtering porn is infeasible. Since Yahoo! already has a low search market share in India, this will drive it even lower."

(Related) On the other hand, if you can mislead a politician or a court, censorship can be made to serve your purposes.

Italy May Censor Torrent Sites

Posted by Soulskill on Wednesday December 30, @05:11AM from the giving-them-the-boot dept.

An anonymous reader writes

"Following a Pirate Bay block more than a year ago, Italy continues its attempts to censor torrent sites. The Italian Supreme Court has ruled that copyright holders can now force ISPs to block BitTorrent sites, even if they are hosted outside Italy. The torrent sites which 'hold' copyrighted materials are accused of taking part in criminal activity. It seems someone should enlighten Italian jurists about technology." [That's my point. “Someone” already has... Bob]

Bruce thinks rationally. Would that any politician had the guts to listen.

Is aviation security mostly for show?

By Bruce Schneier, Special to CNN December 29, 2009 7:38 a.m. EST

... Our current response to terrorism is a form of "magical thinking." It relies on the idea that we can somehow make ourselves safer by protecting against what the terrorists happened to do last time.

Why was this allowed to fester in the first place? A simple code review should have disclosed that the code was (or looked like it had been) copied, and a patch could have been generated pre-release. But then, Microsoft is not known for avoiding legal battles.

MS Issues Word Patch To Comply With Court Order

Posted by Soulskill on Tuesday December 29, @08:02PM from the wrist-slap-complete dept.

bennyboy64 writes

"iTnews reports that Microsoft has begun offering what appears to be a patch for its popular Word software, allowing it to comply with a recent court ruling which has banned the software giant from selling copyright-infringing versions of the word processing product. The workaround should put an end to a long-running dispute between Canadian i4i and Redmond, although it has hinted that the legal battle might yet take another turn."

Towards the “universal translator” of Science Fiction fame. Note that this requires storage of three complete dictionaries and the related programming. Something we couldn't do 5 years ago.

Toshiba Intros Trilingual Translation App For Cellphones

Posted by Soulskill on Tuesday December 29, @07:04PM from the like-a-liberal-arts-major-only-better dept.

MojoKid writes

"Shortly after hearing of a simple, two-way Spanish-to-English translator for the iPhone, Toshiba has announced that it has developed a new language translation system that requires no server-side interaction. The app is designed to be operated independently on a smartphone, which will eliminate costly data roaming fees that are generally incurred using systems that require an internet connection to retrieve translations. The system is trilingual in nature and enables users to translate freely between Japanese, Chinese and English."

Too late for another stocking stuffer? In my next Security Engineering class, I'll have my students design a detector to detect Decaff which detects Cofee. Think I'll call it Re-caff.

DECAF no stunt developer says – DECAF 2 launched

by Steve Ragan - Dec 29 2009, 20:30

DECAF has returned, and COFEE is not the only forensic set that it will monitor. After the first version of DECAF was pulled on December 18, with a notice that it was all a “stunt”, anyone who downloaded the software discovered it wasn’t working. Now it’s back, with new features, and an explanation as to why it was really pulled. Legal fears.

First, DECAF was not fake, the tool worked.

(Related) Another stocking stuffer. Available during the Consumer Electronics Show January 7-10

Singularity Proponent Ray Kurzweil Reinvents the Book, Again

By Priya Ganapati and Charlie Sorrel December 29, 2009 7:03 am

… Blio is not a device. Rather, it is a “platform” that could run on any device, but would be most obviously at home on a tablet. The software is free and available currently for PCs, iPod Touch and iPhone.

[Support site:

Tuesday, December 29, 2009

If it's just a bunch of local crooks, this will end here. But, if it's a roving national gang, this could become more than an irritation.

La. restaurants suffering credit card ‘nightmare’

December 28, 2009 by admin Filed under Business Sector, ID Theft, U.S.

Jason Brown of The Advocate has a story today about restaurateurs’ lawsuits against Radiant Systems and Computer World, a lawsuit covered previously on the blog. Of note, Brown cites a Secret Service agent involved in the case:

Luiz Velez, resident agent in charge of the Secret Service’s Baton Rouge office, said each hack involved restaurants using Internet-based computer systems. [Any restaurant attached to the Internet could be vulnerable. Bob]

Velez said more than 100,000 cards were exposed and conservatively placed the fraud loss for area banks at about $1.2 million.

Although 100,000 cards and $1.2 million might not sound huge when contrasted to mega-breaches like Heartland Payment Systems’ breach, this particular breach reportedly caused at least one restaurant to close its doors and another to give up taking credit cards. And of course, we only know about less than a dozen or so restaurants. Could there be other restaurants using this POS software that also had breaches that we haven’t learned about yet? It seems likely.

Charles Y. Hoff, general counsel for the Georgia Restaurant Association and one of the attorneys assisting in the Lafayette lawsuit, said he has received a multitude of calls from restaurant owners all over the country regarding similar claims.

“It is not isolated and it is something that is a real concern on a national level,” Hoff said.

“Intent” is not the same as “capability.” I may intend to carve the turkey, but when my crazy cousin Eddie pushes me over the edge, I suddenly find what my new electric carving knife is capable of.

Einstein and Citizens’ Privacy

December 28, 2009 by Dissent Filed under Govt, Surveillance

Einstein is an intrusion detection – and soon an intrusion prevention – system the government is deploying to safeguard government IT systems. Some cybersecurity experts contend Einstein has the potential to intrude on the privacy of individual Americans, a concern Philip Reitinger dismisses.

Reitinger, deputy undersecretary of the Department of Homeland Security’s National Protection and Programs Directorate and director of the National Cybersecurity Center, says the only purpose of Einstein is to protect government networks.

“To that end, it is not our intention to go out and seek things like personally identifiable information,” Reitinger said in the second of a two-part interview with “Our intent is instead, say, what constitutes an attack? What is malicious traffic? And when we see something that is malicious traffic, that is an attempt to compromise a government system, and quite conceivably impair the privacy of Americans whose data is held or the people who are working on those government systems, that we can detect that and stop it, and do a better job of actually protecting privacy.”

Source: GovInfoSecurity. You can listen to Part 1 of Eric Chabrow’s interview with Reitinger here.

I haven't pointed to Bruce recently. But he still writes a good logical blog.

Schneier on Security

A blog covering security and security technology.

December 26, 2009

Separating Explosives from the Detonator

… For years I've been saying this:

Only two things have made flying safer [since 9/11]: the reinforcement of cockpit doors, and the fact that passengers know now to resist hijackers.

This week, the second one worked over Detroit. Security succeeded.

I wish that, just once, some terrorist would try something that you can only foil by upgrading the passengers to first class and giving them free drinks. [Amen Bob]

(Related) Follow-up on the over-reaction to an inept terrorist. (I'll also use this in my Statistics class.)

The Odds of Airborne Terror

by Nate Silver @ 1:58 PM 12.27.2009

… Over the past decade, according to BTS, there have been 99,320,309 commercial airline departures that either originated or landed within the United States. Dividing by six, we get one terrorist incident per 16,553,385 departures.

There were a total of 674 passengers, not counting crew or the terrorists themselves, on the flights on which these incidents occurred. By contrast, there have been 7,015,630,000 passenger enplanements over the past decade. Therefore, the odds of being on a given departure which is the subject of a terrorist incident have been 1 in 10,408,947 over the past decade. By contrast, the odds of being struck by lightning in a given year are about 1 in 500,000. This means that you could board 20 flights per year and still be less likely to be the subject of an attempted terrorist attack than to be struck by lightning.

(Related) More fun facts! Make you want to buy more life insurance?

Odds of Dying in a Terrorist Attack

John Baker, March 28th, 2009.

You are 12,571 times more likely to die from cancer than from a terrorist attack

You are 11,000 times more likely to die in an airplane accident than from a terrorist plot involving an airplane

You are 17,600 times more likely to die from heart disease than from a terrorist attack

You are 1048 times more likely to die from a car accident than from a terrorist attack

You are eight times more likely to be killed by a police officer than by a terrorist

Could this happen here?

UK Consumers To Pay For Online Piracy

Posted by samzenpus on Tuesday December 29, @01:51AM from the music-rolls-down-hill dept.

Wowsers writes

"An article in The Times states that UK consumers will be hit with an estimated £500m ($800m US) bill to tackle online piracy. The record and film industries have managed to convince the government to get consumers to pay for their perceived losses. Meanwhile they have refused to move with the times, and change their business models. Other businesses have adapted and been successful, but the film and record industries refuse to do so. Surely they should not add another stealth tax to all consumers."

[From the article:

The Digital Economy Bill would force internet service providers (ISPs) to send warning letters to anyone caught swapping copyright material illegally, and to suspend or slow the connections of those who refused to stop. ISPs say that such interference with their customers’ connections would add £25 a year to a broadband subscription.

Ministers have not estimated the cost of the measures but say that the cost of the initial letter-writing campaign, estimated at an extra £1.40 per subscription, will lead to 40,000 households giving up their internet connections. Impact assessments published alongside the Bill predict that the measures will generate £1.7 billion in extra sales for the film and music industries over the next ten years, as well as £350 million for the Government in extra VAT.

[I'm not sure any of those numbers have a basis in reality. Bob]

This kind of article makes for great projects in my Computer Security class.

Code That Protects Most Cellphone Calls Is Divulged

December 28, 2009 by Dissent Filed under Featured Headlines, Other

Kevin J. O’Brien reports:

A German computer engineer said Monday that he had deciphered and published the secret code used to encrypt most of the world’s digital mobile phone calls, in what he called an attempt to expose weaknesses in the security of the world’s wireless systems.

The action by the encryption expert Karsten Nohl aimed to question the effectiveness of the 21-year-old GSM algorithm, a code developed in 1988 and still used to protect the privacy of 80 percent of the world’s mobile calls.

“This shows that existing GSM security is inadequate,” Mr. Nohl, 28, told about 600 people attending the Chaos Communication Congress, a four-day computer hacker’s conference that runs through Wednesday here. “We are trying to push operators to adopt better security measures for mobile phone calls.”

Read more in The New York Times.

Not the first to recognize this. Will the Anti-trust lawyers beat the Class Action lawyers to the punch? Or is the Copyright lobby too powerful for both of them?

Doctorow, How to Destroy the Book

Commentary by Fred von Lohmann December 28th, 2009

… When I buy an audiobook on CD, it’s mine. The license agreement, such as it is, is “don’t violate copyright law,” and I can rip that CD to mp3, I can load it to my iPod or any number of devices—it’s mine; I can give it away, I can sell it; it’s mine. But when you buy an audiobook through Audible, which now controls 90 per cent of the [downloadable] audiobook market, you get a license agreement, not a property interest. The things that you can do with it are limited by DRM; the players you can play it on are limited by the license agreements with Audible. Audible doesn’t do this because the publishers ask them to. Audible and iTunes, because Audible is the sole supplier to iTunes, do this because it’s in their own interest....

I haven't played with this one yet, but I plan to.

How To Fix Common Windows Problems In A Snap With FixWin

By Varun Kashyap on Dec. 28th, 2009

Monday, December 28, 2009

“All your blood are belong to us!” It's not unethical if you never ask yourself if it's unethical.

Ie: Hospital keeps secret DNA file

December 27, 2009 by Dissent Filed under Breaches, Featured Headlines, Other

Mark Tighe reports:

A Dublin hospital has built a database containing the DNA of almost every person born in the country since 1984 without their knowledge in an apparent breach of data protection laws.

The in Temple Street is under investigation by the Data Protection Commissioner (DPC) since The Sunday Times discovered it has a policy of indefinitely keeping blood samples taken to screen newborn babies for diseases.

Unknown to the DPC, the hospital has amassed 1,548,300 blood samples from “heel prick tests” on newborns which are sent to it for screening, creating, in effect, a secret national DNA database. The majority of hospitals act on implied or verbal consent and do not inform parents what happens to their child’s sample.

Read more in The Times Online.

T.J. McIntyre comments on the story on IT Law in Ireland:

…. In light of these controversies elsewhere, the lack of informed consent and the fact that there is no legal basis for the heel prick tests (a point confirmed in North Western Health Board v. HW and CW) it’s hard to see how Temple Street could have believed that it was entitled to hold onto these samples indefinitely – and it is remarkable that this point appears to have been missed by the ethics committee on four separate occasions.

Worth reading! Makes you wonder if any social network user can read.

Privacy Theater: Why Social Networks Only Pretend To Protect You

by Guest Author on December 27, 2009

… With apologies to Bruce Schneier’s brilliant coinage, “security theater” (e.g. the magical thinking behind forcing passengers to sit down and shut up for the last hour of international flights), social networks have been dogged by one disaster after another in 2009 because they pursue policies that provide the “feeling of improved privacy while doing little or nothing to actually improve privacy.”

… It’s not like lawsuits are being filed, as Marissa Mayer announced by going after work-from-home scam artists in an interview with Mike Arrington at LeWeb. It’s not like this is Scamville 2.0, since this isn’t stealing users’ cash, only their dignity. It’s not like there’s a legal spotlight on the issue, since there’s only $9M set aside for a hazy new privacy foundation in the latest Facebook class-action settlement. It’s not like it’s a political issue in the headlines, since a Facebook Chief Privacy Officer is running for Attorney General, the top law-enforcement office in California. It’s not like it’s as complicated as “don’t be evil,” since I can give you one simple tip to eliminate privacy theater: enforce your ToS and obey others’ ToS — or else stop setting unrealistic expectations and just let users have their data back!

(Related) The (double-secret) TSA regulation requires everyone to be searched and all carry-ons to be inspected. Looks like another major victory for Al Qaeda, and I doubt this guy had any contact with Al Qaeda except in his dreams.

TSA Security Directive SD-1544-09-06

December 28, 2009 by Dissent Filed under Surveillance

Over on The Volokh Conspiracy, Randy Barnett has posted a TSA security directive that was implemented on December 25, following the failed terrorist attack over Detroit. The directive seems to be circulating on the web, but I have not yet been able to confirm that this is, indeed, an official TSA directive because it is not on any government site that I have found as yet.

Of note, the directive does include the types of precautions described on Air Canada’s original travel advisory. From the directive:


1. During flight, the aircraft operator must ensure that the following procedures are followed:

1. Passengers must remain in seats beginning 1 hour prior to [scheduled or actual? Bob] arrival at destination.

2. Passenger access to carry-on baggage is prohibited beginning 1 hour prior to arrival at destination.

3. Disable aircraft-integrated passenger communications systems and services (phone, internet access services, live television programming, global positioning systems) prior to boarding and during all phases of flight. [Cell phone blockers? Bob]

4. While over U.S. airspace, flight crew may not make any announcement to passengers concerning flight path or position over cities or landmarks.

5. Passengers may not have any blankets, pillows, or personal belongings on the lap beginning 1 hour prior to arrival at destination. [Air crew must remove them? Bob]

The directive expires on December 30. You can read the whole thing here.

[From “the whole thing”:

1. Perform thorough pat-down of all passengers at boarding gate prior to boarding, concentrating on upper legs and torso.

2. Physically inspect 100 percent of all passenger accessible property at the boarding gate

(Related) Better than nothing, but not by much.

370 Passwords You Shouldn’t (And Can’t) Use On Twitter

by Robin Wauters on December 27, 2009

… It just so happens that Twitter has hard-coded all banned passwords on the sign-up page. All you need to do to retrieve the full list of unwelcome passwords is take a look at the source code of that page.

Do a simple search for ‘twttr.BANNED_PASSWORDS’ and voilà, there they are, all 370 of them.

This isn’t a security issue, of course, and in fact it’s helpful to distribute the list so you can check if your favorite password that you use for other services might not be as fail-proof as you’d like to think. For the full list, simply download this TXT file, but here are a couple:

password testing naked stupid twitter 123456 secret

please beavis butthead internet hooters
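As an added example (not code from the TechCrunch post or from Twitter), here is what an exact-match banned-password list like the one described actually catches, a normalised check that closes the obvious case and suffix gaps, and an audit that lists what slips between the two. The page-source snippet and the candidate passwords are constructed; only the handful of banned words quoted above are used, and the `twttr.BANNED_PASSWORDS` array shape is an assumption based on the post's description.

```python
"""Added example: a hard-coded banned-password list versus a normalised check.

The page source below is CONSTRUCTED to mimic the pattern the post describes
(a JavaScript array named twttr.BANNED_PASSWORDS); the real list had 370 entries.
"""
import re

# Constructed stand-in for the sign-up page source, not the real page.
PAGE_SOURCE = """
<script type="text/javascript">
  twttr.BANNED_PASSWORDS = ["password", "testing", "naked", "stupid",
                            "twitter", "123456", "secret", "please",
                            "beavis", "butthead", "internet", "hooters"];
</script>
"""

# Common character substitutions folded back to letters (p@ssw0rd -> password).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})


def extract_banned_passwords(source: str) -> list:
    """Pull the array literal out of the page source, as the post describes."""
    m = re.search(r"twttr\.BANNED_PASSWORDS\s*=\s*\[(.*?)\]", source, re.S)
    if not m:
        return []
    return re.findall(r'"([^"]*)"', m.group(1))


def naive_is_banned(password: str, banned: set) -> bool:
    """Exact-match check: all a hard-coded list like this enforces on its own."""
    return password in banned


def normalize(password: str) -> str:
    """Lower-case, drop trailing digits/punctuation, undo leetspeak."""
    p = password.strip().lower()
    p = re.sub(r"[\d!@#$%^&*._\-+=?]+$", "", p)  # password123! -> password
    return p.translate(LEET)                      # tw1tter -> twitter


def stronger_is_banned(password: str, banned: set) -> bool:
    """Defensive variant: the list is matched against a normalised form too."""
    if password.lower() in banned:
        return True
    normalised = normalize(password)
    if not normalised:  # nothing but digits/symbols left, e.g. "654321"
        return True
    return normalised in banned


def audit(candidates: list, banned: set) -> list:
    """Candidates the exact-match list lets through but the normalised check rejects."""
    return [c for c in candidates
            if not naive_is_banned(c, banned) and stronger_is_banned(c, banned)]


if __name__ == "__main__":
    banned = set(extract_banned_passwords(PAGE_SOURCE))
    # Constructed candidates, not real user passwords.
    candidates = ["password", "Password", "password1", "P@ssw0rd",
                  "tw1tter2009", "correcthorse"]
    for c in candidates:
        print(f"{c:14} exact-match banned={naive_is_banned(c, banned)!s:5} "
              f"normalised banned={stronger_is_banned(c, banned)}")
    print("slip through exact match only:", audit(candidates, banned))
```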

My students discovered this over a year ago.

Security In the Ether

Posted by Soulskill on Sunday December 27, @12:15PM from the less-likely-than-ether-in-the-security dept.

theodp writes

"Technology Review's David Talbot says IT's next grand challenge will be to secure the cloud — and prove we can trust it. 'The focus of IT innovation has shifted from hardware to software applications,' says Harvard economist Dale Jorgenson. 'Many of these applications are going on at a blistering pace, and cloud computing is going to be a great facilitative technology for a lot of these people.' But there's one little catch. 'None of this can happen unless cloud services are kept secure,' notes Talbot. 'And they are not.' Fully ensuring the security of cloud computing, says Talbot, will inevitably fall to emerging encryption technologies."

Well, there's Reality and eReality, see. And sometimes technology that works in Reality doesn't work in eReality, see.

Relax, You Can Still Buy An iPhone In New York City. Just Not Online.

by Erick Schonfeld on December 27, 2009

If you live in the New York City metropolitan area, as I do, and try to buy an iPhone from AT&T’s website, you will probably get the same message I did after I entered my zipcode: “Sorry this package is not available in your area.” Apparently, this is a big story. (Hey, it’s the tail end of a long holiday weekend, and there is nothing else going on). For instance, the Consumerist called some hapless AT&T customer service rep who confirmed that “the phone is not offered to you because New York is not ready for the iPhone.”

A very useful resource for my Business Continuity class

Ground Zero II: Analyze nuclear explosions on a nuclear strike map

By Israel Nicolas on Dec. 20th, 2009

Similar tool: NukeoMeter and Impact Calculator.