Saturday, October 09, 2010

A little advance notice: Next week, our friends at the Privacy Foundation ( will be announcing a seminar on the “Legal Implications of Internet Advertising” to be held Friday, November 5th. You can contact Diane Bales at the Sturm College of Law at the University of Denver, 303.871.6580 or for more information.

New Class of Malware Will Steal Behavior Patterns

Posted by Soulskill on Friday October 08, @09:32AM

"The information within huge, supposedly anonymized data sets can be used to build a detailed picture of an individual's lifestyle and relationships. This data is hugely valuable, which is why many companies already mine the pattern of links in their data to help them build things like recommender systems. Now a group of computer scientists say it is inevitable that a new class of malware will emerge for stealing this behavioral pattern data from social networks. They've analyzed the types of strategies this malware will use to collect information from a real mobile phone database of 800,000 links between 200,000 phones. They point out that the theft of behavioral data can be much more serious than the theft of other personal information. If somebody steals your credit card or computer password, for example, you can just get another card or change your password, thereby limiting the damage. That can't be done with behavioral data, they say. Who would be willing or able to change their real world pattern of person-to-person relationships, friendships and family ties?"

More on targeting Muslim communities for extra surveillance “to prevent crime.”

UK: The Independent View: surveillance lessons from Birmingham

October 8, 2010 by Dissent

James Elsdon-Baker, an activist with the NO2ID campaign, has a good commentary on the recent review of a poorly conceived, poorly communicated, and even more poorly implemented surveillance plan in Birmingham.

What U.S. readers will find particularly interesting are some of the statistics that he includes. Somewhat mind-boggling, to say the least.

Here’s a snippet from his article:

ANPR [Automated Number Plate Recognition Bob] differs from CCTV in that the information captured by the cameras is processed and stored on a massive centralized database. Although these cameras in a Muslim area are currently not in use (as I write it’s unclear if they will be taken down), there will remain a national network of over 10,000 cameras. Together they have captured over 7,600,000,000 occasions on which the location of people’s vehicles have been automatically logged. This data is held for five years at the National ANPR Data Centre (NADC) that is operated by the National Police Improvement Agency and routinely shared with other countries.

Read more on Liberal Democrat Voice.

Part of a CIO's job is to monitor system capacities and avoid problems like this. What else will they fail to do? NOTE: The previous article mentions 7 Billion records in the UK database.

US Monitoring Database Reaches Limit, Quits Tracking Felons and Parolees

Posted by timothy on Saturday October 09, @04:24AM

"Thousands of US sex offenders, prisoners on parole and other convicts were left unmonitored after an electronic tagging system shut down because of data overload. BI Incorporated, which runs the system, reached its data threshold — more than two billion records — on Tuesday. This left authorities across 49 states unaware of offenders' movement for about 12 hours."

As the astonished submitter asks, "2 billion records?"

[From the article:

Prisons and other corrections agencies were blocked from getting notifications on about 16,000 people...

… In Wisconsin, local police and probation agents held about 140 sex offenders at local jails until the GPS tracking system was restored. [Prevented their release or rounded them up? Neither seems likely. Bob]

The offenders - about 300 in the state, most of them sex offenders - were never aware they were not being tracked, state Department of Corrections spokeswoman Linda Eggert said.

… “In retrospect, we should have been able to catch this,” Jock Waldo, BI Incorporated spokesman. [“Well, DUH!” Bob]


Privacy Defense Mounted

October 8, 2010 by Dissent

Julia Angwin and Scott Thurm report:

Eleven of the nation’s largest website operators defended their privacy practices to lawmakers, saying it is impossible for them to monitor all the tracking technologies their sites install on visitors’ computers. [What they actually said was: "It is technically impossible for Yahoo! to be aware of all software or files that may be installed on a user's computer when they visit our site" Bob]

The operators, including Microsoft Corp., Yahoo Inc. and AOL Inc., say they are improving disclosures about online tracking and offering users more ways to protect their privacy. But they say that eliminating tracking is technically difficult and economically impractical, [“Do you know how expensive it is to flip a switch!” Bob] because the targeted advertisements supported by tracking allow the operators to offer free content.

Read more on WSJ (behind paywall, though)

If I were writing the headline for this, I wouldn’t have called it “Privacy Defense Mounted.” Maybe “Website Operators Claim They Really Have No Idea What They’re Doing.”

Coming soon to a National Health Records system near you!

AU: iPads for Doctors

By Dissent, October 8, 2010

The Australian Privacy Foundation has written to the Victorian Department of Health over reports that 500 iPads are to be provided to graduate doctors and nurses. Noting the potential benefits of such technology, APF homed in on a few key privacy and security issues.

In a letter signed by Roger Clarke, the group asks Andrew Howard, Chief CIO for the Department of Health, whether the pilot study reportedly being conducted was ever approved by a research ethics review board. It also asks whether there’s been a privacy impact assessment, and:

APF understands that many of the staff involved are academic-clinicians and are staff of both Alfred Health and Monash University. APF further understands that Monash uses Google as its email-provider.

What consideration has been given to the proprietary nature of both the Apple and Google services and data formats, and the data security aspects of the services, in the context of inter-operable information sharing?

(Related) A video demoing some of the technology Kaiser Permanente is considering.

Inside the hospital of the future

Think of this as notification that you are already too late.

New Tool Suite Helps Track Privacy Policies

Posted by Soulskill on Friday October 08, @03:10PM

"Forbes reports that The Internet Society announced this week the availability of the Identity Management Policy Audit System, a suite of tools designed to give Internet users a clearer understanding of the online usage policies of the websites they visit. Born out of a collaboration between The Internet Society, the University of Colorado, the Electronic Frontier Foundation, and the Center for Democracy and Technology, the system consists of a free, open-source Firefox plug-in that checks a library of scraped terms of service and privacy policies from several popular websites. If a site changes the fine print of one of its policies, the plug-in notifies the user when they visit the website next. According to Forbes, 'that functionality would help users spot controversial switcheroos in sites' legalese, such as Facebook's change last year that suddenly gave the site the right to use your photos and other content.'"

More on the Aldi skimmers.

Skim Scam: Did Aldi Invite 11-State Coordinated Attacks?

October 8, 2010 by admin

Frank Hayes writes:

When a gang of thieves physically tampers with point-of-sale systems, the tampering is usually a local operation. But that may be changing. Discount grocer Aldi said Friday (Oct. 1) that it has found tampered payment-card readers in stores in 11 states, spread from the east coast to Illinois. The retailer said the tampering was only in a limited number of its 1,100 U.S. stores, and all those stores were clustered near 10 cities—but the stolen data is being cashed out thousands of miles away.

Read more on StorefrontBacktalk. Via @_Florindo_

Reading the full commentary, I started thinking that this sounds very much like what we heard in the Hancock Fabrics breach. In that multi-state breach, the chain also seemingly used older PIN pads.

Are older PIN pads a thief’s best friend?

[From the article:

The retailer won’t say exactly how many stores got the tampered devices, but a spokesperson said that they were found in only a “limited number” of stores, and they were probably placed there during June, July and August. [and no one noticed! Bob]

… And because Aldi only accepts debit cards, not credit cards, at most stores, the card information collected by a skimmer (complete with PIN) would give direct access to a customer’s bank account.

These kinds of physical attacks should be much less common than they are, and they would be that much less common if retailers were more meticulous about reviewing their network activity logs, [AMEN! Bob] said QSA and StorefrontBacktalk PCI columnist Walter Conway. “There should be huge red flags in the logs if anyone disconnects a terminal.”
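The log review Conway describes is easy to automate. As an added example (not code from the article, Aldi, or StorefrontBacktalk), the Python below scans constructed switch log lines for link-down events on point-of-sale terminal ports, pairs each with the following link-up to compute how long the device was off the network, and marks disconnects that fall outside trading hours, which is where a skimmer installation would most plausibly show up. The log line format, the `POS-` device naming convention and the store hours are all assumptions for the sake of the example; a real deployment would adapt the regular expression to the switch or POS controller in use.

```python
"""Flag point-of-sale terminal disconnects in store network logs.

Added example, not from the article. The syslog-style line format,
the "POS-" device prefix and the trading hours below are assumptions.
"""
import re
from datetime import datetime, time

# Constructed sample log lines (assumed format):
#   <timestamp> <switch> <LINK_UP|LINK_DOWN> port=<n> device=<id>
SAMPLE_LOG = """\
2010-07-14 09:02:11 store-sw01 LINK_UP port=7 device=POS-LANE-3
2010-07-14 13:45:02 store-sw01 LINK_DOWN port=7 device=POS-LANE-3
2010-07-14 13:46:40 store-sw01 LINK_UP port=7 device=POS-LANE-3
2010-07-15 02:17:55 store-sw01 LINK_DOWN port=4 device=POS-LANE-1
2010-07-15 02:31:08 store-sw01 LINK_UP port=4 device=POS-LANE-1
2010-07-15 08:00:03 store-sw01 LINK_UP port=9 device=PRINTER-2
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<event>LINK_UP|LINK_DOWN) port=(?P<port>\d+) device=(?P<device>\S+)$"
)

# Assumed trading hours; anything outside them is a stronger signal.
STORE_OPEN = time(8, 0)
STORE_CLOSE = time(22, 0)


def parse_log(text):
    """Return a list of event dicts for well-formed lines; others are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        d["port"] = int(d["port"])
        events.append(d)
    return events


def is_pos_terminal(device):
    """Assumed naming convention: payment terminals are named POS-*."""
    return device.startswith("POS-")


def find_terminal_disconnects(text):
    """One alert per LINK_DOWN on a POS terminal.

    Each alert records the device and port, when it went down, how long it
    stayed off the network (None if no LINK_UP follows in the log) and
    whether the disconnect happened outside trading hours.
    """
    events = parse_log(text)
    alerts = []
    for i, ev in enumerate(events):
        if ev["event"] != "LINK_DOWN" or not is_pos_terminal(ev["device"]):
            continue
        offline = None
        # Look ahead for the next LINK_UP of the same device on the same port.
        for later in events[i + 1:]:
            if (later["device"] == ev["device"] and later["port"] == ev["port"]
                    and later["event"] == "LINK_UP"):
                offline = (later["ts"] - ev["ts"]).total_seconds()
                break
        t = ev["ts"].time()
        alerts.append({
            "device": ev["device"],
            "port": ev["port"],
            "down_at": ev["ts"],
            "offline_seconds": offline,
            "after_hours": not (STORE_OPEN <= t < STORE_CLOSE),
        })
    return alerts


def format_alert(alert):
    """Render an alert as a single line suitable for a daily review report."""
    level = "HIGH" if alert["after_hours"] else "MEDIUM"
    dur = ("still down" if alert["offline_seconds"] is None
           else f"offline {int(alert['offline_seconds'])}s")
    return (f"[{level}] {alert['device']} (port {alert['port']}) "
            f"disconnected at {alert['down_at']:%Y-%m-%d %H:%M:%S}, {dur}")


if __name__ == "__main__":
    for a in find_terminal_disconnects(SAMPLE_LOG):
        print(format_alert(a))
```

Run as a script, it prints one line per terminal disconnect from the constructed log: the lunchtime cable pull on lane 3 as MEDIUM and the 2 a.m. thirteen-minute outage on lane 1 as HIGH. The printer port never appears because only POS-prefixed devices are considered; tuning that filter to the store's real inventory is the part that matters in practice.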

Does anyone leave their laptop in their checked baggage?

FAA Reports Heat In Cargo Holds Can Ignite Laptop Batteries

Posted by timothy on Saturday October 09, @01:23AM

"US aviation officials are warning air carriers that new research shows lithium batteries are sensitive to heat and can ignite in-flight if transported in cargo compartments that get too hot. The Federal Aviation Administration also acknowledged publicly for the first time Friday that a United Parcel Service 747-400 plane that crashed in Dubai last month killing both pilots was carrying a large quantity of lithium batteries. Since the early 1990s, there have been dozens of incidents of batteries igniting in flight. But it has not been known what triggered many of the fires. FAA now says recent research has identified heat as the trigger and is offering air carriers advice on how to reduce the risk of fire."

Are we missing something? The EU seems to think this is an early peek at “Weapons of Cyberwar.”

EU calls Stuxnet 'paradigm shift' as U.S. responds more mildly

While official U.S. response has been comparatively mild, the European Union's cybersecurity agency says Stuxnet represents a "paradigm shift" in critical infrastructure threats and that current defense philosophies need to be reconsidered.

Again I suspect I'm missing something. The judge seems to be suggesting that everyone will be insured at the same rate and that rate won't cover the payouts. If that is true, then the “Insurance Industry” is already gone, isn't it?

Health insurance mandate upheld

A federal judge in Detroit, in a broad ruling upholding Congress’s power to require all Americans to buy health insurance or pay a penalty, decided Thursday that the mandate is necessary to prevent the “extinction” of the nation’s entire health care insurance market. U.S. District Judge George Caram Steeh said the requirement was well within Congress’s power to regulate commerce among the states. The decision is the first by a federal court to rule directly on the constitutionality of the buy-or-be-penalized provision of the sweeping new health care reform law.

The Obama Administration lost on two arguments it had made to Judge Steeh — that the challengers in the Michigan case had no legal right to sue to stop the insurance mandate, and that their lawsuit in any event was premature. But, after finding that the challengers were properly in court and that a decision was appropriate now, the judge went on to rule that the requirement satisfies the Constitution and dismissed the claims targeting that specific provision of the new law. Thus, the result was a major victory for the Administration.

This is too strange. But if it is a fake, it's a good one.

Woman Uploads Child Porn, Police Raid Her Neighbor’s House…then it Really Gets Strange

Tools & Techniques - A Tool For Drawing On Webpages

Markup is a new collaboration tool that will let you draw on any webpage that you come across, and communicate your ideas to others in a more visual way. Certainly, being able to draw a pattern highlighting where different parts of a design should be is a much quicker way to let the rest of your team know what you mean than writing a long email that can be misinterpreted to no end.

Markup is a browser-hosted application. You (and your coworkers) won’t need to download anything in order to use it. All you will have to do is drag and drop the relevant bookmarklet into position. From that point onwards, Markup can be launched by merely clicking on the relevant button.

… And I didn’t mention it above, but you also have a tool for writing text on the page.

Tools & Techniques

10 Awesome Free Tools To Make Infographics
