Saturday, March 06, 2010

Protecting Health Records is going to take some thought.

Major deficiencies in VCHA’s Primary Access Regional Information System – report

By Dissent, March 5, 2010 10:00 pm

The Office of the Information & Privacy Commissioner of British Columbia has released its review of the electronic health information system set up by the Vancouver Coastal Health Authority known as the Primary Access Regional Information System (PARIS).

From the Executive Summary:

Major deficiencies in implementation of the PARIS software from a privacy perspective are the following:

  • an access model that is team-based rather than role-based resulting in too many users having access to too much personal information,

  • several data flows of personal information outside of the health authority that are not authorized under FIPPA,

  • the security protection for the system when we investigated it was not reasonable given the sensitivity of the personal information and did not meet the FIPPA standard, and

  • records are stored indefinitely – neither archived nor destroyed when they are no longer needed to provide care.

Read the full report here.

Interesting question

Is chasing cybercrooks worth it?

By John D. Sutter, CNN March 5, 2010 8:49 a.m. EST

… It would be smarter, Karygiannis said, to develop new anti-virus technologies and to teach people how to protect themselves from Internet crime.

… A number of cybersecurity experts, however, characterized the recent arrests as relative anomalies. They criticized efforts to prosecute cybercriminals as a waste of time and said the people who are arrested are rarely the right people: They're often the middlemen instead of the kingpins, experts said.

Starting a botnet like Mariposa "takes no more skill than it takes to run Microsoft Office," said Vincent Weafer, vice president for security response at Symantec, a company that makes anti-virus software.

All a person has to do is download the program from the Internet. Such programs are still available for easy purchase, he said.

The people who actually write these programs -- the keys to cybercrime -- are almost impossible to catch and prosecute, said Marty Lindner, principal engineer with Carnegie Mellon University's Computer Emergency Response Team.

The reason it's difficult to find these masterminds has to do both with technology and the law.

Lindner said it's unclear if the authors of malicious code are doing anything illegal.

Does this suggest that Reverse Engineering is futile? What went wrong? Is “major redesign” defined here?

TiVo Time Warp Judgment Affirmed

Posted by timothy on Saturday March 06, @07:07AM

zapakh writes

"A federal appeals court this week upheld a lower court decision that accused DISH Network and EchoStar of continuing to infringe on TiVo patents.' This is a follow-on to a Slashdot story from October. Despite a 'Herculean effort' by EchoStar in redesigning its DVR software, the ruling agrees with the district court that that was not a major redesign of the software. The patent in question is titled 'Multimedia time warping system.' TiVo is pleased with the ruling."

Oh, so that's what a legal can of worms looks like. I'm amazed anyone bothers. (I suspect this would be an interesting exercise for students in a litigation class.)

March 05, 2010

Jonathan Band's Chart of Possible Google Book Search Settlement Results

Follow up to previous postings on Google Book Search: "Now that the fairness hearing on the Google Books Settlement has occurred, it is up to Judge Chin to decide whether the proposed settlement is "fair, reasonable, and adequate." The attached chart attempts to diagram some of the possible paths forward. Notwithstanding the complexity of the chart, it does not reflect all the possible permutations. For example, it does not mention stays pending appeals nor whether litigation would proceed as a class action. Moreover, the chart does not address the substantive reasons why a certain outcome may occur, e.g., the basis for Judge Chin accepting or rejecting the settlement. And it doesn't begin to address the issue of Congressional intervention through legislation. In short, the precise way forward is more difficult to predict than the NCAA tournament. And although the next step in the GBS saga may occur this March, many more NCAA tournaments will come and go before the buzzer sounds on this dispute."

(Related) I'm sure all drunk, junket-taking, bribe accepting, cheating-on-the-wife politicians hope this is true, but I have no doubt that someone will archive this data.

Law Prevents British Websites From Being Archived

Posted by timothy on Friday March 05, @07:03PM

Lanxon writes

"The law that allows the US Internet Archive to collect and preserve websites does not apply to British archivists. In fact, experts from the Archive and many other archivist institutions argue that the only way the millions of Britain's websites could be legally archived is if British law itself was amended, reports Wired in an investigation published today. Currently, archivists have to seek permission from webmasters of every single site before they are able to take snapshots and retain data."

Microsoft enters the e-Reader market? Or perhaps this is a larger version of the iPhone? Or just a dual screen computer?

Microsoft "Courier" Pictures

Posted by ScuttleMonkey on Friday March 05, @05:31PM

tekgoblin writes to let us know that Gizmodo has some early shots of the new prototype "Courier" booklet (foldable tablet) on the way from Microsoft.

"Courier is a real device, and we've heard that it's in the 'late prototype' stage of development. It's not a tablet, it's a booklet. The dual 7-inch (or so) screens are multitouch, and designed for writing, flicking and drawing with a stylus, in addition to fingers. They're connected by a hinge that holds a single iPhone-esque home button. Statuses, like wireless signal and battery life, are displayed along the rim of one of the screens. On the back cover is a camera, and it might charge through an inductive pad, like the Palm Touchstone charging dock for Pre."

Attention Apple geeks!

Apple drops price of Mac Developer Program to $99

For my website class.

CSSColorEditor: Easily Change CSS Colors Online

Re-designing a website can be a hassle if you have a large and messy CSS file. CSSColorEditor makes it easy for you by allowing you to change CSS colors without writing any lines of code. Simply upload a CSS file from your computer and load it into the tool.

The editor will than list all the colors present in your file and let you replace them easily by either choosing a new color from the color wizard or by entering the hex code for the new color. If you don’t want to replace any of the colors, just leave it blank.

Once you have finalized your colors, click on generate new CSS to produce a revised CSS file with new colors. Upload it to your website and you are all set.

Friday, March 05, 2010

The plot thickens! Good summary of the case so far. Indications of a typical “we never thought of that” attitude.

Two Lower Merion School District IT workers placed on leave

March 4, 2010 by Dissent

Joseph Tanfani reports:

Two information-technology employees at Lower Merion School District have been placed on leave while an investigation continues into the use of remote surveillance software on student laptops. [“Paid leave” is one thing, “unpaid leave” suggests they are going to be the scapegoats. Bob]

The two people authorized to activate the software – Michael Perbix, a network technician, and Carol Cafiero, information systems coordinator – were put on paid leave last week while lawyers and technicians examine how the remote system was used, The Inquirer learned today.

Lawyers for Cafiero and Perbix said their clients did nothing wrong. Perbix and Cafiero only turned on the remote software when a laptop was reported missing, they said – and administrators knew what they were doing.

“A phone call had to come from the high school to turn it on,” [“Phone call” suggests no written records? And should I read “from the high school” to suggest these guys were in another location? Bob] said Charles Mandracchia, attorney for Cafiero. “And if it was turned on it was turned on with the understanding that the computer was either lost or stolen.”


[From the article:

Their lawyers said the use of the software was no secret. [Except from parents and students of course. Bob] On at least two occasions, the district turned over pictures and other information to Lower Merion police so they could help track stolen laptops.

The school district even set up a secure Web site so the police could have access to pictures and other information, according to attorneys in the case. [New, but not surprising. Who, beside the police, had access? Bob]

… In each case, the tracking has to be turned on for an individual computer. Once that happens, the program will begin snapping photos and recording the computer's Internet location at regular intervals, as long as the laptop is on, open and connected to the Internet.

At Lower Merion, that interval was usually set at the default, 15 minutes.

… Once, he said, he turned it on and found out that a computer that was thought missing was really in a classroom; by the time he checked, the camera had snapped 20 pictures of a teacher and students, he said. [20 pictures, 15 minutes apart... That's 4 hours & 45 minutes to determine that the computer is in a classroom? Bob]

… "There were enough policies in place that no one was running amok with these systems," Neff said. But no one in the district's administration office made those policies official.

"Unfortunately, I don't think they were written policies that were adopted by administrators," Neff said.

(Related) Some background on the school district. Would you believe the high school cost $100 million?

L. Merion schools a picture in polarity

… The results are evident in the twin Taj Mahals of academia rising up in the district - the $100 million new Harriton High, which opened last fall with its three gyms and greenhouse and passive solar lighting, and the nearly identical new Lower Merion High under construction. There are the little touches, too, like Sushi Thursdays.

Maybe it's just a negotiating tactic, maybe they know how Identity Theft works. I suspect the latter.

Alaska state employees’ union wants more protection after breach

March 4, 2010 by admin

The Alaska State Employees Association (ASEA) is seemingly unhappy with the two-year benefits plan being offered to over 77,000 state employees whose data were lost by PricewaterhouseCoopers. The personal information included their names, social security numbers, and dates of birth. ASEA represents almost 8,000 of the state employees.

In a press release issued today, ASEA indicates that it has a number of concerns regarding the loss of the information and the state’s response:

ASEA does not believe that the state’s offer of two years of free identity theft protection relieves the state of responsibility for the incident. It is ASEA’s position that the state should be responsible for any damage that may result, including damage that occurs outside this arbitrary two-year window. [I like it! Bob]

The state’s decision to make employees protect themselves, by explicitly enrolling in the identity theft protection program, is backwards. [Agreed! Bob] Affected individuals should be enrolled automatically. ASEA also believes that the state remains responsible for any harm, regardless of whether an individual has explicitly requested the protection service.

Jim Duncan, ASEA/AFSCME Local 52 Business Manager said, “It could be extremely damaging to those individuals whose data has been lost, and the state’s response appears to be insufficient.”

Duncan has sent a letter to Annette Kreitzer, Commissioner of the Department of Administration, expressing the union’s concerns and asking for additional information about the nature of the loss of this information:

The information was lost when Price/Waterhouse moved office locations. In what form was the information when it was lost? Was it on a Compact Disc (Electronic) or was it on paper (Files)? Did the information include the names and confidential information for beneficiaries of the active and retired employees? Are people still looking for the files? Have the police been asked to investigate this loss? What efforts have been taken to find the missing information?

All good questions. Why weren’t they answered in the notification sent to those affected?

(Related) Either “somebody gets it” or “Somebody is really scared”

HOW many years of free credit alerts?

March 4, 2010 by admin

I don’t know if this is some kind of record, but the Iowa Racing and Gaming Commission is notifying people who were affected by the security breach reported in January that they can get an additional 7 years of fraud victim alerts on their credit reports at no charge. The story’s here.

Does anyone remember seeing breach that offered more than that?

[From the article:

Commission Administrator Jack Ketterer said the commission is unaware of any incident of identity theft related to the breach. [So what are they worried about? Bob]

Interesting point!

RSA: Identity Theft Challenges for Healthcare

By Dissent, March 5, 2010 8:08 am

Tony Kontzer reports:

The phenomenon of medical identity theft is on the rise, and healthcare companies face more challenges in addressing the issue than their counterparts in the financial services industry, a panel of experts agreed Thursday at the RSA 2010 conference in San Francisco.

The Federal Trade Commission estimates the number of American patients victimized by medical ID theft each year at 250,000, and research firm Javelin Group recently reported that while the number of incidents is relatively low in comparison with financial identity theft, the financial impact of medical IT thefts is much higher because of the astronomical costs of medical care.

Ryan Brewer, chief information security officer for the Centers for Medicare & Medicaid Services (CMS), said the financial industry has done a good job of dealing with this, in part by sending the all-too-familiar letters alerting customers of suspected data breaches and re-issuing affected credit cards. Such simple actions won’t work for healthcare firms, Brewer said. “How often have you gotten a letter from a healthcare provider saying, ‘We had some data stolen, and we’re issuing you a new blood type’?” he asked.

Read more on CIO Insight.

No fact too obscure! After all, they might find a new way to tax us. Especially if the Greens can influence the lawmakers. Garbage = sin tax!

Some Brits fear garbage-spying microchips

March 5, 2010 by Dissent

Raphael G. Satter of the Associated Press reports:

Monitored by millions of cameras and spied on by a secretive domestic intelligence network, Britons could be forgiven for feeling up in arms over the latest threat to their privacy: Intelligent garbage bins that can monitor how much they throw out.

Although the technology is already nearly a decade old, a U.K. privacy rights group says the number of local authorities fitting their trash bins with sensors of some kind has risen dramatically in the past year — affecting at least 2.6 million British households.

Big Brother Watch says the practice could lead to Britons being charged for how much they throw out — and effectively allow the government to go through their garbage.

Read more in the Chicago Tribune.

This is run by lawyers? How techie of them! Think of all the other areas of the law where we could “automate the lawyering”

PrivacyPolicyGenerator: Generate A Privacy Policy For Your Website

… One option is to hire a legal adviser to write the policy; however, a more reasonable alternative is a new web tool called PrivacyPolicyGenerator. It provides you an easy way to generate a privacy policy for your website.

Implemented by a team of legal advisers, the tool generates a privacy policy for your website after you answer a couple of quick questions. Once generated, you can make changes to it or simply copy the HTML to implement on your website. The policy is not meant to be 100% accurate for your website, but serves as a good starting point.

Trust us. You don't need to worry about those silly laws you've been pointing to. We absolutely will allow you to see (some of) your file. You only need to hire a lawyer and wait a few years!

US tries to soothe EU privacy worries

March 4, 2010 by Dissent

Aoife White reports:

A U.S. official said Thursday that Europeans are wrong to believe that they have few rights to see what information the U.S. government holds on them — a misperception that is holding up a key counterterrorism program.


Parliamentarians have also demanded more safeguards from the U.S. They also complain that U.S. privacy laws do not grant any rights to people outside the United States to access or challenge information held by U.S. agencies.

The Department of Justice’s chief privacy officer Nancy Libin said non-U.S. citizens could use other legal means to see information.

An example would be a person denied entry to the U.S. who wanted to ask the Department of Homeland Security if it held any information that might affect a visa application.

Libin said non-U.S. citizens have the right to make freedom of information requests to see what data U.S. government agencies hold on them and can take U.S. legal action to get access to the information.

Read more on BusinessWeek.

Hey! You're the one who put your information in the public domain! We just gathered it up!

Website Archives Personal Information

March 4, 2010 by Dissent

Your personal information has a new home on the internet. Making it easy to research, in near real-time world news and personal information, The Social Archive is rousing debate amongst data privacy and information professionals.

“We only archive publicly available information for the purpose of organizing it into a more consumable, usable form, freely available to the public.” says founder and operations manager Mendel Kurland. “We believe TSA is a valuable free resource on the internet and our growth in the past 6 months has really proven that people are interested in the information we provide.”

Debuting in early 2009, The Social Archive has grown considerably from 1,500 visitors per month to over 40,000. For the past 3 months, the site has paced close to 15% daily growth in traffic from all over the world with the majority of visitors coming from The United States, Brazil, Indonesia, Japan, China, Italy, and The United Kingdom.

TSA searches, spiders, and archives over 150 social media sites with an additional 200 of the most popular social networking sites, directories, and public records sites slated for archiving in Q2 of this year.

The Social Archive is privately held by World Life Networks, LLC an internet research and development company with offices in Iowa City, IA.

Source: PRWeb

The future of e-Discovery? Many hands make light work?

Pharma Watchdog Needs Your Help With Incriminating Documents

By Brandon Keim March 4, 2010 12:54 pm

Overwhelmed by thousands of documents describing the inner workings of pharmaceutical companies, the Drug Industry Document Archive wants to enlist the help of crowds.

Documents uncovered during lawsuits against drug companies could be made searchable to the public, just like documents from tobacco company lawsuits.

… Klausner envisions an internet army of students, journalists and concerned citizens helping, in much the same way as the Guardian newspaper invited the public to catalogue records of government-expense violations and the National Library of Australia enlisted crowds to correct errors made by automated scanners.

(Related) Interesting data for the e-Discovery team to analyze? Imagine gathering this data from hundreds of thousands of cars – with no way to automate the function! (Where is the NSA when we need them?) Would this discover many more instances of spontaneous acceleration?

Toyota Black Box Data Is More Closed Than Others'

Posted by timothy on Friday March 05, @01:12AM

wjr writes

"Many cars these days contain black boxes that record information (speed, accelerator position, etc) and can preserve information in the case of an accident. Ford and Chrysler say that they use 'open systems' so anyone can read out the data; General Motors has licensed Bosch to produce a device capable of reading its cars' black boxes. On the other hand, Toyota has only a single laptop in the US capable of reading its cars' black boxes, and generally won't allow the data to be read without a court order. Honda seems to have a similar policy. This is emerging as an issue in the investigation into unintended acceleration."

For my Computer Security class. The difficulty in just keeping up!

Typical Windows User Patches Every 5 Days

Posted by timothy on Thursday March 04, @03:47PM

CWmike writes

"The typical home user running Windows faces the 'unreasonable' task of patching software an average of every five days, security research company Secunia said on Thursday. 'It's completely unreasonable to expect users to master so many different patch mechanisms and spend so much time patching,' said Thomas Kristensen, the company's CSO. The result: Few consumers devote the time and attention necessary to stay atop the patching job, which leaves them open to attack. Secunia says that of the users who ran the company's Personal Software Inspector in the last week of January, half had 66 or more programs from 22 or more different vendors on their machines. … Secunia has published a white paper (PDF) that details its findings."

[You can get the Personal Software Inspector free at:

Remember, no certification, no incentive payments.

ONC Issues Rule Proposing the Establishment of Certification Programs for Health IT

By Dissent, March 5, 2010 7:34 am

Sheel Pandya reports:

On Tuesday, the Office of the National Coordinator (ONC) for Health Information Technology (Health IT) within the U.S. Department of Health and Human Services (HHS) issued a proposed rule that establishes two voluntary certification programs to test and certify health IT. [Makes it sound like no one had ever considered controlling IT before. Bob] The National Coordinator for health IT is required by the American Recovery and Reinvestment Act of 2009 (link to: (ARRA) to work with the Director of the National Institute of Standards and Technology to develop a program (or programs) for voluntary certification.

This proposed rule represents the third in an important set of coordinated rulemakings by HHS affecting health IT. Back in December 2009, HHS released two proposed regulations. The first, a proposed rule, describes how eligible professionals and eligible hospitals can qualify for incentive payments [Let us pay you to do what you were required by law to do anyway. Bob] under the Medicare and Medicaid programs through the meaningful use of certified electronic health record (EHR) technology. The second, an interim final rule, describes the standards, implementation specifications and certification criteria that EHR technology needs to meet for providers to receive incentive payments. HHS has invited the public to submit comments on both of these rules on or before March 15, 2010.

Read more on CDT.


Google: Desktops Will Be Irrelevant in Three Years’ Time

Trivial research?

Popular Science Puts Entire Scanned Archive Online, Free

By Charlie Sorrel March 4, 2010 8:08 am

… Oh, and did I mention it works great on an iPhone? Good luck getting any work done today.

Search the PopSci archives.

[I found a 1967 article on computers (GE time sharing) in the home! Bob]

For my Disaster Recovery class. Perhaps not all Cloud Computing is as well protected.

Google Apps Now Disaster Proof

by Leena Rao on Mar 4, 2010

… Google has made an announcement today for any enterprise users of Google Apps; assuring IT admins that the suite is now fully prepared for disaster recovery.

Google’s secret sauce is live and synchronous replication. So every action you take in Gmail is immediately replicated in two data centers at once, so that if one data center fails, Google will transfer data over to the other one. Traditionally, Google says, synchronous replication can be very expensive for companies. For example, the cost to back up 25GB of data with synchronous replication can range from $150 to $500+ in storage and maintenance costs per employee. Google says that exact price depends on a number of factors such as the number of times the data is replicated and the choice of service provider. Of course, Google replicates all the data multiple times, and the 25GB per employee for Gmail is backed up for free. And data from Google Docs, Google Sites, Google Calendar, Google Talk and Google Video, which encompass most of the applications in Google Apps, is also synchronously replicated for free.
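What “live and synchronous” buys you is easiest to see next to the alternative. The following is an added example, not Google’s code: a toy key-value store with two replicas where a synchronous write is acknowledged only after every replica has stored it, beside an asynchronous variant that acknowledges after the first replica and catches the others up later. The data centre names and the failure sequence are constructed.

```python
"""Synchronous versus asynchronous replication under a data-centre failure
(added example, constructed replicas and data)."""


class ReplicaDown(Exception):
    """Raised when a replica cannot be reached."""


class Replica:
    def __init__(self, name: str):
        self.name = name
        self.store = {}
        self.up = True

    def put(self, key, value):
        if not self.up:
            raise ReplicaDown(self.name)
        self.store[key] = value

    def get(self, key):
        if not self.up:
            raise ReplicaDown(self.name)
        return self.store[key]  # KeyError if this replica never saw the write


class SyncReplicatedStore:
    def __init__(self, replicas):
        self.replicas = list(replicas)

    def write(self, key, value) -> int:
        """Commit to every replica before acknowledging; returns copies written.

        A real implementation rolls back or retries when a later replica fails
        after an earlier one succeeded; this toy simply surfaces the error."""
        for r in self.replicas:
            r.put(key, value)
        return len(self.replicas)

    def read(self, key):
        """Serve from the first replica that answers (failover on ReplicaDown)."""
        last = None
        for r in self.replicas:
            try:
                return r.get(key)
            except ReplicaDown as e:
                last = e
        raise last


class AsyncReplicatedStore(SyncReplicatedStore):
    """Acknowledges after the first replica; the rest are updated by drain()."""

    def __init__(self, replicas):
        super().__init__(replicas)
        self.pending = []

    def write(self, key, value) -> int:
        self.replicas[0].put(key, value)
        self.pending.append((key, value))
        return 1

    def drain(self):
        for key, value in self.pending:
            for r in self.replicas[1:]:
                r.put(key, value)
        self.pending = []


def failover_after_sync_write():
    a, b = Replica("dc-a"), Replica("dc-b")
    store = SyncReplicatedStore([a, b])
    store.write("mail/1", "hello")
    a.up = False                  # primary data centre fails after the ack
    return store.read("mail/1")   # served from dc-b


def failover_after_async_write():
    a, b = Replica("dc-a"), Replica("dc-b")
    store = AsyncReplicatedStore([a, b])
    store.write("mail/1", "hello")
    a.up = False                  # fails before drain() ever runs
    try:
        return store.read("mail/1")
    except KeyError:
        return None               # acknowledged to the user, but lost


def sync_write_with_replica_down():
    a, b = Replica("dc-a"), Replica("dc-b")
    b.up = False
    store = SyncReplicatedStore([a, b])
    try:
        store.write("mail/2", "x")
        return "acked"
    except ReplicaDown:
        return "refused"          # the cost side of synchronous replication


if __name__ == "__main__":
    print(failover_after_sync_write(), failover_after_async_write(),
          sync_write_with_replica_down())
```

The third function is the caveat a disaster-recovery class should dwell on: synchronous replication guarantees that an acknowledged write survives the loss of a site, but while a replica is unreachable the system must either refuse writes or quietly fall back to asynchronous behaviour, and a provider's "disaster proof" claim is only as good as which of those it does.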

For me. And any students wishing for an “A”

Advertt: Search Multiple Dictionaries At Once

… It is a simple web app that searches multiple dictionaries including Wikipedia, YourDictionary, OneLook, TheFreeDictionary all at once. [It also points to related videos! Bob]

[I also use:

Something for us teachers?

Owely - Communicate What You See On Your Screen

Owely can be defined as a screenshot sharing tool that aims to let people simplify their online communication by showing others what they see on their screens, instead of having to write half a dissertation just to explain that something is where it should not be.

This is achieved by enabling users to draw with a marker tool, and also by letting them write text comments where they need them right on the screenshot. The whole process is reduced to three simple steps, then: capturing the screen, drawing with the marker (or adding comments) and dropping the link for your friend to check it out.

Thursday, March 04, 2010

For the 53rd time, we don't see any need to encrypt our laptops!

Council hit again by lap top thefts

March 3, 2010 by admin

Mike Keegan reports that Oldham council has suffered yet another data breach: a laptop and laptop bag containing documents with employee information such as names, job titles, and salaries was stolen over the weekend.

The theft is thought to have taken place in the authority’s Human Resources Department at the Civic Centre.


Councillor Lynne Thompson, Cabinet Member for Finance and Resources, said: “Oldham Council can confirm that over last weekend a laptop and a laptop bag containing some documents were stolen from one of the council’s buildings in the borough. No information about any member of the public was involved, but the documents did include some employee information.

Read more in the Manchester Evening News.

[From the article:

Last year a review was ordered after 17 laptops were stashed in a recycling bin and taken off the premises.

The cash-strapped authority, which is looking at cutting 500 jobs to slash costs, spent £**amount to come** on a host of new security measures which included a sophisticated computerised swipe card system.

Many staff were issued with new identity badges, and new card readers were being introduced at all entrances, car park barriers and along the corridors.

Council chief executive Charlie Parker hailed the measures as 'an important step forward'.

[But they didn't even try the free encryption programs? Ignorance of Security Best Practices is no excuse! Bob]

… It is thought that despite the new systems, bosses do not know exactly when the theft took place. [Trust us, we have everything under control. Bob]

Earlier this year the council proposed slashing £250,000 from its security budget.

(Related) For my “How to commit computer crime” lecture.

Wi-Fi 'Finders' Helping Thieves Locate and Steal Laptops

by Caleb Johnson — Mar 3rd 2010 at 1:30PM

We don't recommend leaving your laptop in the car for any reason, but, if you must, make sure you turn off the Wi-Fi signal first. According to Network World, thieves are using devices meant to locate Wi-Fi networks to detect laptops and steal them. Apparently, just closing the screen won't prevent your laptop from being detected, either. Wi-Fi disconnection must be done manually, as it can take as long as a half-hour for a laptop to go into sleep mode.

(Ditto) Who said thieves can't use technology?

Cyberthieves Using Bluetooth To Steal Gas Station Credit Card Data

March 4, 2010 by admin

Evan Schuman writes:

When cyberthieves plant skimming devices inside POS PIN pads, they typically have one of two headaches. First, they have to return to the scene of the crime to retrieve the device and its stolen data, which is dangerous. If the thieves use the device to wirelessly phone the data to one of their own, it’s safer initially. But if that data is detected and examined, it could lead law enforcement right to the culprits—a.k.a., problem number two.

But one group of cyberthieves in Utah—as yet uncaught—has hit about 200 gas stations in that state with a toothy tweak: Bluetooth-y, to be precise. By arming their skimmers with a Bluetooth transmitter, the stolen card data was beamed out indiscriminately to anyone nearby—make that very nearby—who happened to choose to listen for it. When such a device is found by law enforcement, it reveals nothing to point to the thieves’ location—past or present—and nothing to even indicate how long it’s been there. The devices in the Utah case had no local storage whatsoever, police said; they simply grabbed the data and instantly beamed it away.

Read more on StorefrontBacktalk.

Okay people, let's put our heads together and try to come up with the worst possible date for a security breach.

St. George Bank printing gaffe fuels fraud fears (updated)

March 3, 2010 by admin

Jessica Johnston reports:

A serious bank blunder has threatened the financial security of 42,000 people after their statements were mailed to strangers.

A former bank manager and a business owner are among the Gold Coast victims of a major fraud scare after private details were distributed during a St George Bank printing mistake.

The error resulted in names and addresses being transposed on to the wrong statements, which included personal information including Centrelink numbers, wage and employee details.

Ironically the mix-up occurred in national fraud week, and experts yesterday warned few details were needed to steal someone’s identity.


Update: The bank’s vendor, Salmat, accepted responsibility for the breach.
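The article does not say how the names and addresses ended up on the wrong statements, but the classic way a print run goes wrong like this is a positional merge of two extracts that were assumed to line up. The following is an added example, not St George's or Salmat's code, showing that failure mode on constructed data: one row missing from the address extract shifts every later statement to the wrong customer. Beside it is a key-based join and the pre-print check that would have stopped the batch.

```python
"""Positional versus key-based statement merge, with a pre-print check
(added example, constructed accounts and names)."""

STATEMENTS = [  # statement bodies from the core batch, keyed by account
    {"account": "A100", "body": "Balance 1,200.00; benefit ref 55-1"},
    {"account": "A101", "body": "Balance 310.50"},
    {"account": "A102", "body": "Balance 9,870.00"},
]
ADDRESSES = [  # separate address extract; A101 is missing (constructed defect)
    {"account": "A100", "name": "J. Smith", "address": "1 Example St"},
    {"account": "A102", "name": "K. Nguyen", "address": "22 Sample Rd"},
]


def envelope(stmt, addr):
    return {"account": stmt["account"], "to": addr["name"],
            "address": addr["address"], "body": stmt["body"]}


def merge_by_position(statements, addresses):
    """The failure mode: zip trusts that the two files are in the same order."""
    return [envelope(s, a) for s, a in zip(statements, addresses)]


def merge_by_key(statements, addresses):
    """Join on the account number; report statements with no address
    instead of silently shifting the rest. Returns (envelopes, missing)."""
    by_account = {a["account"]: a for a in addresses}
    out, missing = [], []
    for s in statements:
        a = by_account.get(s["account"])
        if a is None:
            missing.append(s["account"])
            continue
        out.append(envelope(s, a))
    return out, missing


def verify_batch(envelopes, addresses):
    """Pre-print check: the name on the envelope must be the holder of the
    account whose statement is inside. Returns the offending account ids."""
    owner = {a["account"]: a["name"] for a in addresses}
    return [e["account"] for e in envelopes if owner.get(e["account"]) != e["to"]]


if __name__ == "__main__":
    bad = merge_by_position(STATEMENTS, ADDRESSES)
    print("positional merge mismatches:", verify_batch(bad, ADDRESSES))
    good, missing = merge_by_key(STATEMENTS, ADDRESSES)
    print("key-based merge mismatches:", verify_batch(good, ADDRESSES),
          "held back:", missing)
```

With the positional merge, A101's statement (a different customer's balance and benefit reference) is addressed to K. Nguyen and A102's statement is never printed at all, and nothing in the merge itself complains. The check is cheap because both inputs already carry the account number; the point is to run it against the final print file, after every transformation the vendor applies, not against the extracts the bank handed over.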

Identity Theft is now a wholesale crime – and apparently lucrative enough to attract (gasp) thieves!

Former fugitives sentenced for possessing more than 3k stolen credit cards

March 3, 2010 by admin

Octavio Delemos, 26, and Ruddy Perez-Espinal, 25, formerly of Miami-Dade County, were sentenced today for conspiring to commit credit card fraud, credit card fraud, and aggravated identity theft. U.S. District Court Judge Marcia G. Cooke sentenced Delemos to 48 months’ imprisonment and Perez-Espinal to 64 months’ imprisonment. Both defendants were ordered to serve a three year term of supervised release following their incarceration, and to pay $171,562 in restitution.

According to court documents, in December 2007, a confidential informant told law enforcement that Delemos, Perez-Espinal, and their co-defendant Alfredo Dalmau were manufacturing counterfeit credit cards at a Medley, FL, home where all three defendants resided. On December 11, 2007, law enforcement began the process of securing a warrant to search the Medley residence.

While law enforcement agents were obtaining the search warrant, agents observed a group of armed home invaders, pretending to be police officers, raid the defendants’ residence, beat the defendants and their guests, tie up the defendants, and attempt to steal the defendants’ proceeds from credit card fraud. Law enforcement arrested the home invaders, secured a search warrant, and arrested Delemos, Perez-Espinal and Dalmau for credit card fraud.

Inside the Medley residence, law enforcement found evidence of a counterfeit credit card manufacturing operation, including hundreds of blank plastic cards used to make counterfeit credit cards, rolls of tipping foil to create the magnetic strips, partially manufactured counterfeit credit cards, and laptop computers. Subsequent analysis of the laptops revealed that the defendants possessed more than 3,000 stolen credit card numbers. Each defendant possessed a fraudulent identification with the defendant’s picture but a fraudulent name. In addition, each defendant possessed at least one counterfeit credit card with the defendant’s fictitious name but a real victim’s credit card number.

After indictment, the defendants filed a Motion to Suppress the evidence found inside the residence. After the district court denied the Motion in May 2008, the defendants fled to the Dominican Republic to avoid trial. In May 2009, Delemos and Perez-Espinal were arrested in the Dominican Republic and extradited to the United States. Alfredo Dalmau remains a fugitive, suspected of living in the Dominican Republic.

In December 2009, defendants Delemos and Perez-Espinal pled guilty to conspiring to commit credit card fraud, producing counterfeit access devices, possessing 15 or more counterfeit and unauthorized access devices, and aggravated identity theft. Because the defendants fled, Judge Cooke imposed a sentencing enhancement for obstruction of justice and rejected the defendants’ claim that they deserved a reduction for acceptance of responsibility. The Florida State Attorney’s Office is prosecuting the home invaders.

Source: U.S. Attorney’s Office

Should be (but rarely is) obvious. Lots of helpful forms and links!

ICO outlines business case for privacy

March 4, 2010 by admin

In The Privacy Dividend, a report published on 4 March 2010, it said public and private sector organisations can use business cases to justify spending on privacy protection.

It says the benefits of protecting privacy derive from four areas in which information has value. Firstly, protecting personal information as an asset can help to make an organisation’s operations efficient, agile and attractive to the public. Secondly, respecting people’s privacy helps to win their trust, and can enhance an organisation’s reputation.

Read more on Kable.

[From the article:

Thirdly, protecting information from other parties can save people from the harm associated with privacy violations. Finally, winning people's trust will support working with other organisations.

[Correct link for the report:

What makes them think it was unintended?

Unintended Consequences: Twelve Years under the DMCA

This document collects reported cases where the anti-circumvention provisions of the DMCA have been invoked not against pirates, but against consumers, scientists, and legitimate competitors. It will be updated from time to time as additional cases come to light. Previous versions remain available.

PDF available

Convergence. Think of displaying a two-dimensional barcode on your phone's screen...

Mobile phone boarding passes increase by 1,200%

Handsets just the ticket

By Marc Chacksfield

The number of consumers using mobile phone boarding passes has dramatically risen, with one company quoting a 1,200 per cent increase.

… Instead of security scanning your boarding pass, they can do it straight from your phone.

What does it take to convince you to drink the Kool-Aid?

A quarter of Germans want to be implanted with chips

March 4, 2010 by Dissent

Clay Dillow reports:

Privacy-loving Americans have roundly rejected the idea of implanting microchips within their bodies, but one in four Germans is enthusiastic about the idea of having a chip implanted as long as there are tangible benefits involved. Those benefits don’t even have to be of the life-and-death nature; some said they would implant a chip simply to make a shopping experience more enjoyable.

A poll released Monday in anticipation of Europe’s CeBIT trade show indicated that 23 percent of Germans are open to the idea of implantable microchips. The largest contingent (16 percent) said they would do it to help emergency services respond to them more quickly and effectively in case of an accident.

Read more in PopSci.

I'm fairly sure this is not to ensure that NK does not infringe Microsoft's patents. Someone is thinking of ways to secure their infrastructure. It will be interesting to see if it works better than any new operating system.

North Korea's Own OS, Red Star

Posted by timothy on Wednesday March 03, @05:00PM

klaasb writes

"North Korea's self-developed computer operating system, named 'Red Star,' was brought to light for the first time by a Russian satellite broadcaster yesterday. North Korea's top IT experts began developing the Red Star in 2006, but its composition and operation mechanisms were unknown until the internet version of the Russia Today TV program featured the system, citing the blog of a Russian student who goes to the Kim Il-sung University in Pyongyang."

[From the article:

The Red Star is based on Linux, a free and open software operating system, but looks a lot like the Microsoft Windows on display. It also has a similar user interface. [Or maybe they'll claim Linux and Microsoft stole their code? Bob]

Note what they consider “moderately large” datasets. It's all a matter of scale, but you can see from the comments that storing data in the Cloud is becoming more acceptable.

Long-Term Storage of Moderately Large Datasets?

Posted by timothy on Wednesday March 03, @05:18PM

hawkeyeMI writes

"I have a small scientific services company, and we end up generating fairly large datasets (2-3 TB) for each customer. We don't have to ship all of that, but we do need to keep some compressed archives. The best I can come up with right now is to buy some large hard drives, use software RAID in linux to make a RAID5 set out of them, and store them in a safe deposit box. I feel like there must be a better way for a small business, but despite some research into Blu-ray, I've not been able to find a good, cost-effective alternative. A tape library would be impractical at the present time. What do you recommend?"

Forensics and e-Discovery?

Narus Develops Social Media Sleuth

Posted by samzenpus on Wednesday March 03, @07:16PM

maximus1 writes

"Narus is developing a new technology code-named Hone that can be used to identify anonymous users of social networks and Internet services. Hone can do some pretty 'scary' things, says Antonio Nucci, chief technology officer with Narus. Hone uses artificial intelligence to analyze e-mails and can link mails to different accounts, doing what Nucci calls topical analysis. 'It's going to go through a set of documents and automatically it's going to organize them in topics — I'm not talking about keywords as is done today, I'm talking about topics,' he said. That can't be done with today's technology, he said. 'If you search for fertilizers on Google ... it's going to come back with 6.5 million pages. Enjoy,' he said. 'If you want to search for non-farmers who are discussing fertilizer ... it's not even searchable.' Nucci will discuss Hone at the RSA Conference in San Francisco Friday."

I'll have to share this with my fellow teachers – sorry students! (Interesting that my first thought and the first comment were “A Clockwork Orange”)

Using Classical Music As a Form of Social Control

Posted by samzenpus on Thursday March 04, @01:34AM

cyberfringe writes

"Classical music is being used increasingly in Great Britain as a tool for social control and a deterrent to bad behavior. One school district subjects badly behaving children to hours of Mozart in special detention. Unsurprisingly, some of these youth now find classical music unbearable. Recorded classical music is blared through speakers at bus stops, outside stores, train stations and elsewhere to drive away loitering youth. Apparently it works. Detentions are down, graffiti is reduced, and naughty youth flee because they find classical music repugnant."

Might be useful for iPad owners.

Two Free Multiplatform Tools To Create iBooks

By Jeffry Thurana on Mar. 3rd, 2010

… Even though iPad is said to be capable of opening several standard ebook formats from simple text to Adobe’s PDF, Apple adopted the free and open source ePub as the format of their iBooks.

… Here are two free multiplatform tools to create iBooks – a.k.a: ePub books.

  1. eCub: A lightweight ePub publisher to create iBooks available for Windows, Mac, Linux, FreeBSD and Solaris platform.

  2. Sigil: Describes itself as a WYSIWYG ebook editor. Available for Windows, Mac and Linux. Some of the features are:

… If you like eBooks, you might want to check out our other ebook articles: The Best 6 Sites to Get Free Ebooks, How To Convert Scanned Pages Into eReader eBook Format, Calibre – Mighty eBook Management Software (Multi-OS) and How To Download Books From Google Books,

Color printer ink costs a Bazillion dollars an ounce. Here's how to use it by the gallon!

PosteRazor – Another Simple Tool To Make Your Own Posters

By Saikat Basu on Mar. 3rd, 2010

PosteRazor is a free software that easily helps you make your own posters at home. All that you need is an idea, the PosteRazor freeware and a standard color printer. PosteRazor is open source and a really small download at 484KB.

Poster lovers can check out a very early MakeUseOf HowTo: Free & Huge Custom Poster For Your Wall article that shows how to print out sections of a large image on standard size paper, and assemble it all as a huge poster.

(Also see)

4 Apps To Make Motivational Posters

Wednesday, March 03, 2010

Today's theme seems to be: Updating old stories.

Unfortunately, the most common “learning method” seems to be the lawsuit.

Lawsuit filed against Elgin clinic over P2P breach

March 3, 2010 by admin

Steven Ross Johnson reports on a lawsuit involving P2P filesharing and patient data:

Officials from a local medical clinic remained silent Monday about claims they allowed sensitive information on AIDS patients to be leaked.

Calls to the Open Door Clinic of Greater Elgin, 164 Division St., were not returned Monday. The allegations, made in a lawsuit filed last week in 16th Judicial Circuit Court in Geneva by five AIDS patients, claimed the clinic failed to secure personal information, including their HIV/AIDS status, that was made available to the public.


According to the complaint, a staff computer with a client list of more than 200 patients was accessed and became public domain because the computer had a file-sharing, peer-to-peer program installed — the same type used for popular music downloading sites such as Napster.

Once the information was made public, it was “…searched, accessed, downloaded and re-shared by various P2P file sharing users throughout the world from May 26, 2008, through the present,” according to the complaint.

In at least two cases, information later was stolen and used to commit identity fraud, the complaint says.

One of those who allegedly downloaded the list, according to the complaint, was a known identity thief from Apache Junction, Ariz., who continued to re-share the information on other file-sharing networks.

Read more in The Courier-News.

Update: Dare we hope that some useful guidelines will be developed?

TD Ameritrade data theft settlement talks resume

March 2, 2010 by admin

A lawsuit over the theft of contact information for more than 6 million TD Ameritrade customers has been ordered into mediation, so the search for a satisfactory settlement will continue.

Last fall, U.S. District Judge Vaughn Walker in San Francisco rejected a proposed settlement that offered anti-spam software and a promise of tighter security at TD Ameritrade. Walker ruled that the deal offered little significant benefit to the Ameritrade customers affected.

Walker recently ordered more settlement talks under the supervision of a magistrate judge.

Read more on BusinessWeek.

Another way to reduce Health Care costs? Might be an interesting problem for my Data Analysis class.

Medical identity theft strikes 5.8% of American adults

March 3, 2010 by admin

Ellen Messmer reports:

Identity thieves are not only interested in tapping financial resources, but are also after your medical identification data and services.

Medical identity theft typically involves stolen insurance card information, or costs related to medical care and equipment given to others using the victim’s name. Roughly 5.8% of American adults have been victimized, according to a new survey from The Ponemon Institute. The cost per victim, on average, is $20,160.


According to the survey, 29% of victims of medical ID theft discovered the problem a year after the incident, and 21% said it took two or more years to learn about it.

Read more on IDG News.

(Related) Let us demonstrate how to steal your medical information right off your home computer! I will have my Computer Security class duplicate this one!

File-Sharing Software Potential Threat to Health Privacy

By Dissent, March 3, 2010 9:45 am

The personal health and financial information stored in thousands of North American home computers may be vulnerable to theft through file-sharing software, according to a research study published online in the Journal of the American Medical Informatics Association.


El Emam’s CHEO team used popular file sharing software to gain access to documents they downloaded from a representative sample of IP addresses. They were able to access the personal and identifying health and financial information of individuals in Canada and the United States. The research for the study was approved by the CHEO ethics board.


A sample of the private health information the CHEO team was able to find by entering simple search terms in file-sharing software:

  • an authorization for medical care document that listed an individual’s Ontario Health Insurance card number, birth date, phone number and details of other insurance plans;

  • a teenage girl’s medical authorization that included family name, phone numbers, date of birth, social security number and medical history, including current medications;

  • several documents created by individuals listing all their bank details, including account and PIN numbers, passwords and credit card numbers.

Read more on Science Daily.

The research article is: Khaled El Emam, Emilio Neri, Elizabeth Jonker, Marina Sokolova, Liam Peyton, Angelica Neisa, Teresa Scassa. The inadvertent disclosure of personal health information through peer-to-peer file sharing programs. Journal of the American Medical Informatics Association, 2010; 17: 148-158.

The full article is available online.
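A pre-share audit of the kind this finding argues for, as an added example that is not the CHEO team's tooling or part of the original post: it walks a folder a file-sharing client would expose and flags files containing SSN-style numbers, Luhn-valid payment card numbers or PIN/password lines, run here over a constructed sample folder (all file names and values are made up).

```python
"""
Pre-share audit for a folder that a P2P client would expose.

Walks a directory, reads text-like files and flags the ones that contain
identifiers of the kind found in the JAMIA study: SSN-style numbers,
Luhn-valid payment card numbers, and lines that label a PIN or password.
"""
import os
import re
import tempfile
from typing import Dict, List, Tuple

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SECRET_HINT_RE = re.compile(r"\b(?:pin|password|passwd)\b\s*[:=]", re.IGNORECASE)

Finding = Tuple[str, str]  # (kind, redacted value or line excerpt)


def luhn_valid(number: str) -> bool:
    """Luhn check over the digits of `number`; separators are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep only the last four digits so the report itself is safe to share."""
    digits = "".join(c for c in value if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in text.splitlines():
        for m in SSN_RE.finditer(line):
            findings.append(("ssn", redact(m.group())))
        for m in CARD_RE.finditer(line):
            if luhn_valid(m.group()):  # drops account-number-like digit runs
                findings.append(("card", redact(m.group())))
        if SECRET_HINT_RE.search(line):
            findings.append(("secret", line.strip()[:40]))
    return findings


def scan_directory(root: str, max_bytes: int = 1_000_000) -> Dict[str, List[Finding]]:
    """Map each offending file (relative path) to its findings."""
    report: Dict[str, List[Finding]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > max_bytes:
                continue  # skip media and archives; this is a text audit
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                findings = scan_text(fh.read())
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


def build_sample_share() -> str:
    """Constructed sample share folder (no real data) for a dry run."""
    root = tempfile.mkdtemp(prefix="p2p_share_")
    samples = {
        "medical_authorization.txt": (
            "Patient: Jane Example\nDOB: 1993-04-12\n"
            "SSN: 123-45-6789\nMedications: none\n"
        ),
        "bank_details.txt": (
            "Visa: 4111 1111 1111 1111\nPIN: 1234\n"
            "Old card (typo, fails Luhn): 4111111111111112\n"
            "Account: 12345678901234\n"
        ),
        "holiday_notes.txt": "Call the hotel at 555-123-4567 before noon.\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for rel_path, found in scan_directory(share).items():
        print(rel_path)
        for kind, value in found:
            print(f"  {kind}: {value}")
```

Only the two files holding identifiers are reported; the phone number and the non-Luhn account number in the samples are left alone, which is the point of the Luhn filter.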

Update: Remember the “overprotective” system administrator in San Francisco? What do I advise my Network Security students to do?

Terry Childs's Slow Road To Justice

Posted by kdawson on Tuesday March 02, @11:21PM

snydeq writes

"Deep End's Paul Venezia provides an update on the City of San Francisco's trial against IT admin Terry Childs, which — at eight weeks and counting — hasn't even seen the defense begin to present its case. The main spotlight thus far has been on the testimony of San Francisco Mayor Gavin Newsom. 'Many articles about this case have pounced on the fact that after Childs gave the passwords to the mayor, they couldn't immediately be used. Most of these pieces chalk this up to some kind of secondary infraction on Childs's part,' Venezia writes. 'Just because you give someone a password doesn't mean that person knows how to use it. Childs's security measures would have included access lists that blocked attempted logins from non-specified IP addresses or subnets. In short, it was nothing out of the ordinary if you know anything about network security.' But while the lack of technical expertise in the case is troubling, encouraging is the fact that the San Francisco Chronicle's 'breathless piece reporting on the mayor's testimony' drew comments 10-to-1 in Childs's favor, which may indicate that 'public opinion of this case has tilted in favor of the defense,' Venezia writes. Of course, 'if [the trial] drags into summer, Childs will have the dubious honor of being held in jail for two full years.' This for a man who 'ultimately protected the [City's] network until the bitter end.'"

I'm always learning new ways to hide evidence... (Very punny headline)

Man swallows flash drive, charged with obstruction

Is this really a story about misunderstanding technology?

Faculty on Facebook: Privacy concerns raised by suspension

March 2, 2010 by Dissent

Jack Stripling reports:

Whether it’s avoiding bars frequented by students or politely declining the occasional social invitation, professors often make an extra effort to establish boundaries with their students. But social networking sites, which are often more public than they may appear, are lifting the veil on the private lives of professors in ways they may not have expected.

Gloria Gadsden said she thought she was talking only to close friends and family as she vented on Facebook about her students, but the East Stroudsburg University sociology professor has since learned the hard way that her frustrated musings were viewable by some of the very students she had consciously declined to “friend” in the past. A small change to the settings for Gadsden’s online profile allowed the “friends” of Gadsden’s own “friends” to read her updates, and in so doing created a controversy that the professor now feels could damage her career and her chances at tenure.

Gadsden was placed on administrative leave last week after a student reported two Facebook postings that some have interpreted as threats. On Jan. 21, Gadsden wrote “Does anyone know where to find a very discreet hitman? Yes, it’s been that kind of day …” Another post in the same vein came a month later, as Gadsden opined: “had a good day today, DIDN’T want to kill even one student :-) . Now Friday was a different story.”

Read more on USA Today.

Hey! This is not a bad idea! However, I think a Law School might make a better guide, since so much depends on a bazillion different laws... At least this will be shared and discussed in my Risk Management class.

Verizon releases framework for reporting security incidents

March 2, 2010 by admin

William Jackson reports:

Verizon Business on Monday released for public use a framework for collecting and reporting information about security incidents in the hope of creating a standardized way for government and industry to share information about breaches.

“If we don’t have a common language to collect and communicate data, we are going to be handicapped,” said Wade Baker, director of risk intelligence for Verizon.

The company announced the availability of the Verizon Information-Sharing framework at the RSA Security Conference. The site also contains a forum for VerIS users. Baker said the framework is expected to evolve with input from the security community.

Read more on GCN.

(Related) At least as far as the need for legal review is concerned...

U.S. Declassifies Part of Secret Cybersecurity Plan

By Kim Zetter March 2, 2010 4:19 pm

… The declassified portion of the plan published Tuesday includes information on only part of the initiative and does not discuss cyberwarfare. The plan instead discusses the deployment of Einstein 2 and Einstein 3, intrusion detection systems on federal networks designed to inspect internet traffic entering government networks to detect potential threats.

… The Einstein programs have raised concerns among privacy and civil liberties groups, such as the Center for Democracy and Technology, because they involve scanning the content of communications to intercept malicious code before it reaches government networks.

I guess I hadn't really thought about this before. Automating a takedown suggests you are able to make the legal distinctions...

A Second Lessig Fair-Use Video Is Suppressed By WMG

Posted by kdawson on Tuesday March 02, @05:48PM

Bios_Hakr points out an ironic use of the DMCA: for the second time, a video tutorial on fair use that Larry Lessig uploaded to YouTube has been muzzled. This time the sound has been pulled from the video; last time the video was taken off of YouTube. (Video and sound for the new "webside chat" can be experienced together on BlipTV.) Both times, Warner Music Group was the party holding copyright on a song that Lessig used in an unarguably fair-use manner. TechDirt is careful not to assume that an actual DMCA takedown notice was issued, on the likelihood that Google's automatic copyright-violation detectors did the deed.

"The unintended consequences of asking tool providers [e.g., Google] to judge what is and what is not copyright infringement lead to tremendous problems with companies shooting first and asking questions later. They are silencing speech, on the threat that it might infringe on copyright. This is backwards. We live in a country that is supposed to cherish free speech, not stifle it in case it harms the business model of a company. We live in a country that is supposed to encourage the free expression of ideas — not lock it up and take it down because one company doesn't know how to adapt its business model. We should never be silencing videos because they might infringe on copyright."

Is this another Copyright Consortium initiative? Sure looks that way.

BBC To Make Deep Cuts In Internet Services

Posted by kdawson on Wednesday March 03, @06:31AM

Hugh Pickens writes

"The NY Times reports that the BBC has yielded to critics of its aggressive expansion, and is planning to make sweeping cuts in spending on its Web site and other digital operations. Members of the Conservative Party, which is expected to make electoral gains at the expense of the governing Labor Party, have called for the BBC to be reined in and last year James Murdoch criticized the BBC for providing 'free news' on the internet, making it 'incredibly hard for private news organizations to ask people to pay for their news.' [Screw the taxpayer! Prop up the newspapers! Bob] Mark Thompson, director-general of the BBC, said 'After years of expansion of our services in the UK, we are proposing some reductions.' The BBC is proposing a 25 percent reduction in its spending on the Web, as well as the closure of several digital radio stations and a reduction in outlays on US television shows. The Broadcasting Entertainment Cinematograph and Theatre Union, which represents thousands of workers at the BBC, says that instead of appeasing critics, the proposed cuts could backfire. 'The BBC will not secure the politicians' favor with these proposals and nor will the corporation appease the commercial sector, which will see what the BBC is prepared to sacrifice and will pile on the pressure for more cuts,' says Gerry Morrissey, general secretary of the union."

Pass this to your IT staff. Remind them they can be easily replaced with people who take security seriously.

New "Spear Phishing" Attacks Target IT Admins

Posted by kdawson on Tuesday March 02, @04:18PM

snydeq writes

"A new breed of 'spear phishing' aimed at IT admins is making the rounds. The emails, containing no obvious malicious links, are fooling even the savviest of users into opening up holes in their company's network defenses. The authentic-looking emails, which often include the admin's complete name or refer to a real project they are working on, are the product of tactical research or database hacks and appear as if having been sent by the company's hosting provider. 'In each case, the victim remembered getting a similar sort of email message when they first signed on with a service and, thus, thought the bogus message was legitimate — especially because their cloud/hosting providers keep bragging about all the new data centers they're continuing to bring online.' The phishing messages often include instructions for opening up mail servers to enable spam relaying, to disable their host-based firewalls, and to open up unprotected network shares. Certainly fodder for some bone-headed mistakes on the part of admins, the new attack 'makes the old days of hoax messages that caused users to delete legitimate operating system files seem relatively harmless.'"

(Related) Another warning that needs to be communicated.

Microsoft Says, Don't Press the F1 Key In XP

Posted by kdawson on Tuesday March 02, @07:22PM

Ian Lamont writes

"Microsoft has issued a security advisory warning users not to press the F1 key in Windows XP, owing to an unpatched bug in VBScript discovered by Polish researcher Maurycy Prodeus. The security advisory says that the vulnerability relates to the way VBScript interacts with Windows Help files when using Internet Explorer, and could be triggered by a user pressing the F1 key after visiting a malicious Web site using a specially crafted dialog box."

Perhaps we have moved beyond “commodity” to “strategic national resource?” More likely, this would be seen as a new way to tax – now how should we spend this windfall... Oh yeah, we should consider setting up a committee to think about developing a plan to study how we can address whatever we said this tax would address.

Microsoft VP Suggests 'Net Tax To Clean Computers

Posted by kdawson on Tuesday March 02, @05:05PM

Ian Lamont writes

"Microsoft's Vice President for Trustworthy Computing, Scott Charney, speaking at the RSA conference in San Francisco, has floated an interesting proposal to deal with infected computers: Approach the problem of dealing with malware infections like the healthcare industry, [Let's pick the most screwed up model we can... Bob] and consider using 'general taxation' to pay for inspection and quarantine. Using taxes to deal with online criminal activity is not a new idea, as demonstrated by last year's Louisiana House vote to levy a monthly surcharge on Internet access to deal with online baddies."

(Related) Unfortunately, the tools needed to clean your computer are most likely to be found on the Internet. Perhaps Microsoft thinks we'll just buy a new computer?

Microsoft exec: Infected PCs should be quarantined (Q&A)

by Elinor Mills March 2, 2010 3:42 PM PST

SAN FRANCISCO--In his keynote at the RSA security conference on Tuesday, Scott Charney, Microsoft's corporate vice president of Trustworthy Computing, suggested that the security industry should follow the health care model of quarantining infected PCs to prevent them from being used to send spam and conduct denial-of-service attacks.

One of the oldest old stories. Maybe you can't kill this zombie...

SCO Zombie McBride's New Plan For World Litigation

Posted by kdawson on Tuesday March 02, @03:32PM

eldavojohn writes

"Years after you thought it was all over, Groklaw is reporting that Darl McBride (ex-CEO of SCO) has formed a new company that is buying SCO's mobile business for peanuts — but he's also going to get 'certain Intellectual Property' with the deal. You may recall that McBride was the brains behind the Linux lawsuits that SCO launched and it appears he may be orchestrating an exit route where he escapes with some IP intact, in order to wreak havoc once again. Hopefully this is the part at the end of the movie where the zombie comes back to life one last time only to have the hero deliver the final final blow. When this news broke upon the investment world, SCO's stock skyrocketed a blistering 11%, bringing it up seven cents to a full seventy cents — a level which it has not achieved since 2007."

I wonder if Toyota would give us a few cars to hack test?

$1M Prize For Finding Cause of Unintended Acceleration

Posted by kdawson on Wednesday March 03, @02:22AM

phantomfive writes

"Edmunds Auto has announced that it will be offering a $1 million prize to anyone who can find the cause of unintended acceleration. As Wikipedia notes, this is a problem that has plagued not only Toyota, but also Audi and other manufacturers. Consumer Reports has some suggestions all automakers can implement to solve this problem, including requiring brakes to be strong enough to stop the car even when the accelerator is floored."

Because you shouldn't be reading while you drive...

Booksshouldbefree: Get free downloadable audio books in mp3 & iTunes format

Similar sites: AudioOwl, ThoughtAudio, NewFiction, WellToldTales, PodioBooks and LibriVox.

Might be useful when I create teaching videos.

EasyPrompter: Web Based & Free Teleprompter Software

Similar tool: CuePrompter.