Saturday, May 01, 2010

Lots of Data Breach articles today. Because it's the end of the month?

The kid was doomed. This wasn't some 'second class' citizen, this was a politician!

Hacker of Sarah Palin’s e-mail found guilty

April 30, 2010 by Dissent

A college student who hacked into former Republican vice presidential candidate Sarah Palin’s e-mail account and posted some of its contents on the Internet was found guilty Friday.

After four days of deliberations, a federal jury found David Kernell, the 22-year-old son of a Democratic Tennessee state legislator, guilty of obstruction of justice, a felony, and unauthorized access of a computer, a misdemeanor.

Kernell was cleared of a wire fraud charge, and the jury could not agree on a verdict on a charge of identity theft.

Read more on Reuters.

The increasing cost of Identity Theft

Insurer rejects claims related to stolen U. medical records

May 1, 2010 by admin

Brian Maffly reports:

A Colorado insurance company contends it is not obligated to cover astronomical costs incurred by the University of Utah in 2008 after car burglars stole medical billings records filed with sensitive personal information on 1.7 million patients.

U. officials want Perpetual Storage to reimburse the university more than $3.3 million. That’s how much the school spent notifying patients of the theft and providing credit monitoring to any who asked, according to a suit filed by the firm’s insurer, Colorado Casualty Insurance Co., in U.S. District Court.

The insurer insists the claim is not covered by Perpetual’s policy and is seeking a judicial ruling to support its position.

Read more in the Salt Lake Tribune.

[From the article:

The money was pulled from clinical revenues over two fiscal years, and the loss did not affect taxpayers and the university's academic mission. [Oh, really? Bob]

… According to the insurer's suit, the U. claims it generated 6,232 in personnel hours responding to "the Incident" and spent $646,149 on printing and mailing costs and another $81,389 on a phone bank to field more than 11,000 calls over two weeks. But the big hit was nearly $2.5 million for credit-monitoring services for those whose Social Security numbers could have been poached.

Would you believe their Health Records are better secured than their financial systems? Would you believe the online bills contained no information that could be used to determine what treatment, by what doctor was being billed?

MN: Bemidji med center’s online bill-pay service apparently hacked

By Dissent, April 30, 2010 5:27 pm

Bethany Wesley reports:

North Country Health Services’ online bill-paying function was apparently hacked into on April 18, compromising the security of 349 customers’ credit card and debit card accounts.

NCHS is sending letters to all those who could be affected by the breach, said Joy Johnson, NCHS vice president for marketing and business development.

The incident is only related to the health system’s online bill pay, she noted. Those who paid by credit card in person or use an ATM at the hospital are not affected.

Read more in the Grand Forks Herald.

At the time of this posting, there is no notice on NCHS’s web site, and the online payment page says that the page is down for maintenance.

This is the site where you can tell everyone how you spend your money... It also appears that they have no professional PR help. Their statements are naive at best.

Announce A Data Breach And Say It’s No Big Deal?

April 30, 2010 by admin

Evan Schuman comments on the recent Blippy breach and lessons that should be learned:

Data Breach Etiquette Rule #8: The moment you announce you screwed up and exposed customers’ payment data to cyberthieves is a really bad time to lecture customers that “it’s a lot less bad than it looks” and that “it’s important to remember you’re never responsible if someone uses your credit card without your permission.” That rule is especially valid, as in the tale we’re about to tell, when both of those sentences are quite likely wrong.


We couldn’t put it any better than did Patricio Robles at EConsultancy: “Most cardholder agreements protect the cardholder against unauthorized charges provided that the cardholder has taken reasonable measures to protect his or her card against loss or theft. Can individuals willingly sharing purchasing information with a service like Blippy really claim to be exercising reasonable care to safeguard their credit card details?”

Read more on CBS.

[From the article:

On Friday (April 23), Kaplan announced on the company’s blog that four customers had their credit card numbers exposed on the site because Google cached some of its early testing. For some reason, Blippy publicly tested with live payment card numbers. [Very poor technique (even if you can secure it) because live data likely contains no errors, so you can't test the error handling routines. Bob]
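The check a developer could have run over those test pages before they were ever indexable, as an added example (not Blippy's code): a scan for Luhn-valid, card-length digit runs, which is the same filter a DLP tool applies to outbound pages and logs. The sample page is constructed; 4111111111111111 is a Luhn-valid number commonly used as a test value, and the second number fails the checksum and so is correctly ignored.

```python
import re
from typing import List

# Candidate: 13-19 digits, optionally written in groups separated by spaces or dashes,
# and not part of a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """ISO/IEC 7812 Luhn checksum: double every second digit from the right,
    subtract 9 from any result above 9, and the sum must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> List[str]:
    """Return the digits-only form of every Luhn-valid, card-length number in text.
    Luhn filtering is what keeps order numbers and phone numbers out of the result."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found

def mask_pan(digits: str) -> str:
    """Last four digits only, which is all a test fixture or a log line should ever show."""
    return "*" * (len(digits) - 4) + digits[-4:]

# Constructed stand-in for a public page such as the cached test page in the story.
# 4111111111111111 is Luhn-valid (a common test value); 1234567890123456 is not.
SAMPLE_PAGE = """
<li>Purchase at Example Store, card 4111 1111 1111 1111, $12.00</li>
<li>Order #1234567890123456 shipped</li>
<li>Call 555-0100 with questions</li>
"""

if __name__ == "__main__":
    for pan in find_pans(SAMPLE_PAGE):
        print("Luhn-valid card number exposed:", mask_pan(pan))
```

Bob's point about live data stands on its own: synthetic numbers that pass Luhn but belong to nobody exercise the same code paths, and a scan like this one turns up nothing on a page built from them.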

First time I've seen mention of a contract to protect Privacy. I wonder if we will see more details? Note also that including “firstname.lastname.” as part of the URL is not the most sophisticated of security measures.

The College of New Jersey outreach campaign leaks alumni info

April 30, 2010 by admin

When Bari Dzomba, an alumnus of The College of New Jersey (TCNJ), received a postcard this week about a new outreach campaign to alumni, she went and checked out the new site. To her dismay, she discovered that the new site was leaking alumni personal information. She contacted the college, but when, after two days, the site was still not adequately secured, Dzomba, a Senior IT Project Consultant, contacted

Exploration of the site, which went ‘live’ a few days ago, confirmed Dzomba’s concerns. By entering an alumnus’ name in the url, anyone could see the personal information of those who had responded to the campaign. A Google search for TCNJ alumni revealed lists of names, some of which this site tested. In some cases, I could see the individual’s name, address, telephone number, zip code, date of birth, marital status, maiden name, name of spouse, name of employer, job title, work e-mail address, and business telephone, if they had entered it. No login or password was required. The configuration also allowed anyone who accessed an alumnus’ page to edit or alter the information, with no password required. No Social Security numbers or financial information was included in the form. made several calls and left several messages for TCNJ personnel concerning the leak, and delayed publishing this until the site was secured. By late this afternoon, the url was no longer working and attempts to connect to the outreach campaign site led only to a subscription form for a mail list.

According to Matthew Golden, Executive Director of Public Relations & Communications, the college had contractual language with the vendor, Pursuant, about ensuring the privacy and security of the data, and they had called the vendor after getting the report of the leak from their alumnus. In a statement to, Golden said, “We absolutely take the security of our alumni very seriously. As soon as we learned about the problem, we acted as quickly as possible to rectify the situation.”
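The flaw as described is an access-control one: the URL is the only key, and possession of a guessable name is treated as authorisation to read and to edit. As an added example, not the vendor's or the college's code, here are the two patterns side by side in a minimal request handler over an in-memory store. The hardened version assumes something the article does not describe: that each postcard carries a random token the recipient must present, so the name in the URL stops being a credential.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

Record = Dict[str, str]
Response = Tuple[int, Optional[Record]]

def make_store() -> Dict[str, Record]:
    """Constructed in-memory stand-in for the vendor's database, keyed by the
    firstname.lastname slug the article says appeared in the URL."""
    return {
        "jane.doe": {"name": "Jane Doe", "phone": "555-0101", "dob": "1980-01-02"},
        "john.roe": {"name": "John Roe", "phone": "555-0102", "dob": "1979-05-06"},
    }

def vulnerable_handler(store: Dict[str, Record], method: str, path: str,
                       form: Optional[Record] = None) -> Response:
    """The pattern the article describes: the slug in the URL is the only key and
    nothing else is checked, so anyone who can guess a name reads or edits the record."""
    slug = path.rsplit("/", 1)[-1]            # /alumni/<firstname.lastname>
    record = store.get(slug)
    if record is None:
        return 404, None
    if method == "POST" and form:
        record.update(form)                    # unauthenticated write of any field
    return 200, dict(record)

def issue_token(tokens: Dict[str, str], slug: str) -> str:
    """Mint the per-recipient secret printed on the postcard (an assumption of this
    example). A real deployment would store only a hash of it."""
    tok = secrets.token_urlsafe(24)
    tokens[slug] = tok
    return tok

def hardened_handler(store: Dict[str, Record], tokens: Dict[str, str], method: str,
                     path: str, bearer: Optional[str], form: Optional[Record] = None) -> Response:
    """Same route, but the token is the credential; the slug in the URL is not."""
    slug = path.rsplit("/", 1)[-1]
    expected = tokens.get(slug)
    record = store.get(slug)
    # Constant-time compare, and the same 404 for "unknown slug" and "wrong token",
    # so the endpoint cannot be used to confirm which alumni exist.
    if record is None or expected is None or bearer is None or \
            not hmac.compare_digest(expected.encode(), bearer.encode()):
        return 404, None
    if method == "POST" and form:
        editable = {"phone"}                    # allow-list of fields a user may change
        record.update({k: v for k, v in form.items() if k in editable})
    return 200, dict(record)

if __name__ == "__main__":
    s = make_store()
    print(vulnerable_handler(s, "GET", "/alumni/jane.doe"))           # leaks the record
    t: Dict[str, str] = {}
    print(hardened_handler(s, t, "GET", "/alumni/jane.doe", None))    # (404, None)
    tok = issue_token(t, "jane.doe")
    print(hardened_handler(s, t, "GET", "/alumni/jane.doe", tok))     # (200, {...})
```

The second handler also fixes the edit problem separately from the read problem: even a valid token only unlocks an allow-list of fields, so a leaked postcard cannot be used to rewrite a date of birth or maiden name.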

“Hey, we just noticed that we've been running a school for Identity Thieves.”

(Follow-up) Governor denounces security flaw

April 30, 2010 by admin

Tim Carpenter reports:

Gov. Mark Parkinson said Friday several state agencies were complying with an edict to reform a program that for decades allowed inmates in the custody of the Kansas Department of Corrections to access personal information of citizens.

He said new safeguards were being put in place at the Kansas Highway Patrol, Kansas Department of Transportation and the state corrections department to address security failures in a program that has been in place for 25 years. The program allows inmates to perform data entry for the state, cities, counties and nonprofits.

Read more in the Topeka Capital-Journal.

Another state with a website listing data breaches. I was curious as to where this list was, so I tried to get to the NY Attorney General's website, but they were down – I wonder if they were hacked or are merely saving money?

Breaches recently reported to NYS

By Dissent, April 30, 2010 11:28 am

Last year, New York State began posting logs of breach reports they receive. Entities experiencing a breach are required to inform the state how many NYS residents were involved, but are not required to indicate the total number of individuals affected.

Unfortunately, their logs do not indicate precisely whether the NYS residents affected are employees, clients, or patients of the breached entity, and do not indicate what kinds of personal information were involved — SSN, financial, medical, etc. With that frustration in mind, here are some of the breaches that have shown up in the logs for April. An asterisk means that the breach has not been reported in the mainstream media, to date. In asterisked cases, I did try to search for a notification on the entity’s web site, if they have one:

[The report can be found here:

Here's a bad use of a good service. (In fact, I mention it for my website students, below)

Posterous Starts Automatically Inserting Affiliate Links Into Sites, Forgets To Tell Users

by Jason Kincaid on Apr 30, 2010

We’ve been tracking super-simple publishing service Posterous for quite a while now, and for the most part they’ve turned us into big fans. Unfortunately, they’ve just committed a fairly serious blunder. In a post earlier today, one Posterous user stumbled across the fact that his site was automatically converting all of his links to affiliate links using VigLink. There isn’t anything sinister about VigLink — the service helps publishers generate revenue without having to manually insert affiliate links themselves, and has received funding from Google Ventures, First Round Capital, and some prominent angel investors. But Posterous neglected to inform its users that it was starting to monetize all of their links, which is a breach of user trust.

The annual Wiretap Report.

Police Wiretapping Jumps 26 Percent

May 1, 2010 by Dissent

Ryan Singel writes:

The number of wiretaps authorized by state and federal judges in criminal investigations jumped 26 percent from 2008 to 2009, according to a report released Friday by the Administrative Office of the U.S. Courts.

Courts authorized 2,376 criminal wiretap orders in 2009, with 96 percent targeting mobile phones in drug cases, according to the report. Federal officials requested 663 of the wiretaps, while 24 states accounted for 1,713 orders.

Not one request for a wiretap was turned down.

Read more on Threat Level.

[From the article – another recurring theme:

Law enforcement officials have long warned that encryption technology allows criminals to hide their activities, but investigators encountered encrypted communications only one time during 2009’s wiretaps. The state investigators told the court that the encryption did not prevent them from getting the plain text of the messages.

… The tally does not include subpoenas or warrants issued for e-mails or documents stored in the cloud using Gmail, Hotmail or ISP’s internet services, nor does it include search warrants issued to seize e-mails stored on a target’s home computer.

Quotable quotes? Would that users gave two minutes of thought to these issues before they plunged in...

The Right to Privacy is Not a Right to Facebook

May 1, 2010 by Dissent

Daniel Castro comments:

… Yet even if you accept the premise that consumers had an expectation of privacy, the last few years of debate over online privacy should make it clear to even the most casual user that this is no longer true. Many Internet companies clearly intend to continue to find innovative ways to use personal data to deliver products and services to their customers. While Facebook CEO Mark Zuckerberg may or may not “believe in privacy”, it is clear that Facebook thinks that companies should respond to changing social norms on privacy and that the overall trend is towards more sharing and openness of personal data. So going forward, no Facebook user (or privacy fundamentalist) can continue to use the service without admitting that the benefits of using the website outweigh any reservation the user has about sharing his or her personal data. As the saying goes, “Fool me once, shame on you. Fool me twice, shame on me.”

Certainly some users may still object to this tradeoff. But if you don’t like it, don’t use it.

Read his entire commentary on Information Policy.

(Related) An age limit for social networking?

Get your kids off Facebook, principal tells parents

Another version of Privacy Law...

Guernsey: Data protection law amended to include prison time

April 30, 2010 by Dissent

Michael Adkins of Collas Day summarizes amendments to the Data Protection (Bailiwick of Guernsey) Law. According to Wikipedia, Guernsey is a possession of the UK and not part of the UK nor part of the EU. Of particular interest to me in their amendments:

Section 55(2) has been amended to offer further exemptions to people who obtain, disclose or procure the disclosure of personal data without the consent of a data controller. A new paragraph has been introduced to exempt anyone who is in breach of these provisions if the breach was committed for a ’special purpose’ (defined as journalism, art or literary purposes) or in the reasonable belief that it was in the public interest to do so. However, more severe repercussions have been established for those found to be in contravention of law.


Persons found guilty under Section 55 of the law of unlawfully obtaining (or disclosing) personal data without the consent of the data controller may now face a prison sentence. Previously, the most severe penalty available was a fine not exceeding Level 5 on the uniform scale (ie, £10,000). Under the amended provisions, the courts have the alternative sentencing options of 12 months’ imprisonment on summary conviction and two years on indictment.

Prison? This may be one of the toughest laws yet, if they actually enforce it.

To read the full article, subscription is required.

Is Microsoft concerned with Privacy or remaining regulation-free?

Researcher: Social networks shouldn’t reuse private info

April 30, 2010 by Dissent

Joab Jackson reports:

While social networking services may legally own customer-generated data generated on their sites, they still should not reuse that material outside the context in which it was created, contended a Microsoft researcher who studies social networks.

Willfully failing to respect the context of how that data was created may only lead to increased regulatory oversight in the future, warned Danah Boyd, in a series of talks given at the WWW 2010 conference, being held this week in Raleigh, North Carolina, as well as in a follow-up interview with IDG News Service.

“When the law comes down, it is usually not pretty,” she said.

Read more on Computerworld.

They should get this information – on a case by case basis and after presenting reasonable evidence to support their request.

Record Labels Can Seek Download Info From ISP’s

April 30, 2010 by Dissent

Anne Youderian reports:

Major record labels have the right to know who’s illegally downloading their music, the 2nd Circuit ruled Thursday. The court said a computer user’s right to remain anonymous does not trump the labels’ right to enforce their copyrights.

The alleged infringer, identified only as “Doe 3,” asked a federal magistrate judge to quash a subpoena served on his Internet service provider, the State University of New York at Albany. The record labels wanted to learn the names of 16 people who allegedly downloaded or distributed [Big difference. Shouldn't they specify which in order to get the subpoena? Bob] copyrighted songs through an online file-sharing network.

Doe 3 objected to having his identity revealed, claiming he has a First Amendment right to remain anonymous.

The magistrate judge refused to quash the subpoena, and U.S. District Judge Glenn Suddaby rejected Doe 3’s claims on appeal.

Read more on Courthouse News.

In the decision, the court rejected all of the defendant’s arguments, holding that

to the extent that anonymity is used to mask copyright infringement or to facilitate such infringement by other parties, it is unprotected by the First Amendment.

The case is Arista v. Doe 3.

(Related) Not all Internet users are as easy to identify as the casual downloader. Perhaps there is a market for “How to remain anonymous on the Internet”?

(update) Hacker remains at large year after cyberattack on Va. data

April 30, 2010 by admin

A year after a computer hacker breached Virginia’s statewide prescription drug database, investigators still don’t know who did it.

Computer functions at the state Department of Health Professions, which runs the program, were disabled for weeks as a result of the April 30, 2009, cyberattack. The hacker claimed to have stolen more than 35 million prescription records and demanded a $10 million ransom.

A criminal investigation by the FBI and State Police remains open, but the perpetrator has not been identified, Diane Powers, a department spokeswoman, said Thursday. There is no evidence of identity theft or other misuse of patient records, she added.

Read more in the Virginian-Pilot.

For my Ethical Hacking class. You have to secure the results of your hacks.

US Air Force phishing test transforms into a problem

Rumors that "Transformers 3" will be filmed in Guam start after a phishing exercise goes viral

By Robert McMillan, IDG News Service April 29, 2010 08:41 PM ET

… This type of in-house phishing exercise is a routine occurrence in the military and in major corporations, and is generally seen as a good way of promoting security awareness. But in Andersen's case, the information in the phishing e-mail started leaking to the civilian world.

"Unfortunately, many of Andersen's personnel responded to this inject and submitted their personal information to the Web site, and forwarded the information outside of Andersen," the Air Force base said in a statement.

… This isn't the first time that some type of unforeseen consequence has come of a security training exercise. In August, a test of a bank's computer systems prompted the federal agency chartered with overseeing the nation's credit unions to issue a fraud alert. The "fraud" was actually a sanctioned penetration testing exercise conducted by security firm MicroSolved.

For my website students.


The easiest way to monetize links on your site.

How It Works

If one of your users clicks through to a product or service and buys something you automatically earn a commission. In return for the service we typically take 25% of those commissions. There is no risk, you only pay us a share of what you earn. Often you earn more with VigLink due to collective bargaining on commission rates, even after our 25% cut.

[Watch the video:

When you need to demonstrate how simple explaining complex science can be...

Friday, April 30, 2010

Some comments on the difficulties of presenting technical information (forensics) to juries.

Podcast: Inside the TJX/Heartland Investigations

April 29, 2010 by admin

Tom Field of BankInfoSecurity interviews Kim Peretti, former Senior Counsel in the Computer Crime and Intellectual Property Section of the Criminal Division of the United States Department of Justice, about the investigation of Albert Gonzalez and his co-conspirators, including

How the investigations unfolded from beginning to end;

The significance of the conspirators’ sentences;

Lessons learned from these cases.

[See also:


Ethics again. Shouldn't the employer's lawyers at least skim the emails to ensure there is no evidence of crimes being committed?

Use of Employer Systems for Personal Communications to Legal Counsel – How Should Employer Counsel Deal With “Hot” E-Mails?

April 29, 2010 by Dissent

Dan Michaluk writes:

I made a half-baked comment in response to Omar’s April 4th post on the procedural issues in dealing with the communications that employees have with their legal counsel through employer e-mail systems. This is a post based on some “more baked” thoughts that I plan to incorporate into a book chapter under development.

The thoughts I’ve included are strictly on the procedure for dealing with these “hot” e-mails. I’ll leave the substantive issue about the legitimacy of an employee privilege claim to another day, but will set up the thoughts below by noting that the issue is highly uncertain in Canadian law. The early case law seems to demonstrate a privilege-protective approach. In my view, however, it is still open to an employer to attack an employee privilege claim based on proof of the domain it exercises over its computer system, and that the strongest basis for attack is one which challenges the confidentiality on which the privilege claim is founded rather than one which relies on the doctrine of waiver. Employers may very well choose to attack, but can’t do so without thinking through the important duties described below.

This is pretty law-heavy for here, but I figure that this issue is Slaw-worthy and might draw debate. I welcome your critique!

Read his article on Slaw.

Privacy in Canada...

Patriot Act reality check and Canadian authorities’ similar powers

April 29, 2010 by Dissent

Canadian privacy lawyer David T.S. Fraser blogs:

I had the honour of being invited to speak to the Canadian Bar Association’s Alberta branch earlier this week about cross-border privacy issues.

We have had to deal with them rather acutely in Nova Scotia since the passage of the Personal Information International Disclosure Protection Act (PIIDPA), which prompted me to take a closer look at the different regimes for access to personal information by law enforcement and national security types on both sides of the border.

Most people are surprised to learn that some of the most “problematic” provisions of the USA Patriot Act are replicated in Canadian law in the Anti-Terrorism Act. We just don’t hear about it as much. People are also surprised to learn of huge amount of information sharing that takes place between agencies in Canada and their counterparts in the US.

You can read more and see the PowerPoint presentation on his blog.

(Related) Probably, they will only see the Table of Contents...

Contents of Canada’s secret no-fly list exposed

April 30, 2010 by Dissent

Colin Freeze reports:

For the first time Canadians are getting a peek into the top-secret binders containing various versions of the country’s no-fly list, thanks to an intelligence analyst who allegedly went AWOL and took the manual with her.

The details – including references to “data sheets” kept on potential terrorists and “emergency directions” to be followed if a suspected person boards a plane – surfaced in a legal case this week. More information may soon follow.

Read more in the Globe and Mail.

Observations on the Dept. of Commerce’s Privacy Inquiry

April 30, 2010 by Dissent

David Navetta comments:

Earlier in the week, I referenced the U.S. Department of Commerce’s Notice of Inquiry concerning “Information Privacy and Innovation in the Internet Economy” (the “Inquiry”). I have now had a chance to review the document in more detail and believe that this Inquiry and the report that it generates has the potential to usher a paradigm shift and radically reshape the privacy environment as it relates to commerce. It also has the potential to be a frustrating exercise involving entrenched special interests banging their heads against a wall in a political forum. Nonetheless, whether the Inquiry ends up yielding any legislation, industry standard, best practices or a strategic frame work, the document itself reflects some of key challenges faced at the intersection of privacy and commerce. This post outlines some of my observations after reading the Inquiry.

Read more on InformationLawGroup.

“I can speak for animals because I am one.” If true, could you ask my cat to lick himself somewhere else? It's embarrassing the dogs.

Animals need ‘right to privacy’ from wildlife films

April 30, 2010 by Dissent

Sean Coughlan reports:

Animals’ right to privacy needs to be taken more seriously by wildlife documentary makers, suggests research.

The ethics of the media and privacy should be extended beyond humans to the animal world, suggests Brett Mills at the University of East Anglia.

He says it might be acceptable to film “public events” such as animals hunting – but questions more intrusive recording.

Dr Mills says animals should not be seen as “fair game” for filmmakers.

Read more on the BBC. FOXNews also covers the story.

I suppose it's faster than reverse engineering the code, but I am kind of surprised that they don't build the hardware themselves...

India, China Try Import Regulations As Security Tools

Posted by timothy on Thursday April 29, @03:22PM

An anonymous reader writes

"The Register reports that the Chinese government is forcing vendors to cough up the source code to their encryption algorithms before they can sell their equipment to the Chinese government. The EU doesn't seem to like it, but if I were in their position I'd want the same thing."

China's biggest neighbor goes further; another anonymous reader writes

"Telco equipment from China could have spyware that gives access to telcom networks in India. The Indian government has officially told mobile operators not to import any equipment manufactured by Chinese vendors, including Huawei and ZTE. The ban order follows concerns raised by the Home Ministry that telecom equipment from some countries could have spyware or malware that gives intelligence agencies across the border access to telecom networks in India. The biggest gainers from the move could be Ericsson, Nokia, and Siemens, which have been losing market share to aggressive Chinese equipment-makers in India."

Some interesting titles...

European Journal of Law and Technology

by Simon Fodden April 28, 2010

The venerable Journal of Information, Law & Technology (JILT) is reborn as the European Journal of Law and Technology. Volume 1, Number 1, available free online, is a special issue, “A History of Legal Informatics”:

  • Let there Be Lite: A Brief History of Legal Information Retrieval (Jon Bing)

  • The Global Development of Free Access To Legal Information (Graham Greenleaf)

  • How Structural Features of the U.S. Judicial System Have Affected the Take-Up of Digital Technology by Courts (Peter W Martin)

  • Legal Informatics – A Personal Appraisal of Context and Progress (Richard Susskind)

  • Jurimetrics Please! (Richard De Mulder)

  • The Rise and Fall of the Legal Expert System (Philip Leith)

  • From Legal Thesaurus to E-Signatures (Fernando Galindo)

  • Socrates and Confucius: A Long History of Information Technology In Legal Education (Abdul Paliwala)

As you might imagine, Canada’s LexUM, CanLII, and Quicklaw are mentioned but are not, in my view, given enough emphasis in the historical essays.

The essay by Susskind (he was a general editor of the predecessor JILT) is in effect the first chapter of his book The End of Lawyers?, and is well worth reading even if “legal informatics” is not of special interest to you.

A better tool for visual searchers?

LocPDF: Search & Preview PDF Files

There are a lot of specialized search engines that let you find and download PDF files online. These search engines are especially useful for finding academic papers, training manuals, journals, paper forms and ebooks. However, they can be hard to use if all you see are lists to linked PDFs without any visual recognition to check if you are downloading the correct file that you need.

One app that solves this is LocPDF. This website is a visual search engine for PDF files. It lets you view thumbnails of PDFs, read a preview, and then download them easily.

Similar Tools: PDF Search Engine, Data-Sheet, and LivePDF.

Thursday, April 29, 2010

Cost of Cyber Crime

Texas Man Pleads Guilty To Building Botnet-For-Hire

Posted by samzenpus on Thursday April 29, @12:49AM

Julie188 writes

"A Mesquite, Texas, man is set to plead guilty to training his 22,000-PC botnet on a local ISP — just to show off its firepower to a potential customer. David Anthony Edwards will plead guilty to charges that he and another man, Thomas James Frederick Smith, built a custom botnet, called Nettick, which they then tried to sell to cybercriminals at the rate of US$0.15 per infected computer, according to court documents."

...and you thought Facebook's change to Opt Out was bad. Being sent to the “organ banks” has been a SciFi horror theme for years.

Proposal: All New Yorkers Become Organ Donors

By Dissent, April 29, 2010 7:35 am

Organ donation has become a vital way to save lives around the world, but a vast shortage of donors continues to mean people are losing their lives while on waiting lists.

But there is a unique proposal that could change all that.

New York State Assemblyman Richard Brodsky nearly lost his daughter, Willie, at 4 years old when she needed a kidney transplant, and again 10 years later when her second kidney failed.

“We have 10,000 New Yorkers on the list today waiting for organs. We import half the organs we transplant. It is an unacceptable failed system,” Brodsky said.

To fix that, Brodsky introduced a new bill in Albany that would enroll all New Yorkers as an organ donor, unless they actually opt out of organ donation. It would be the first law of its kind in the United States.

Read more on CBS.

The article states that 24 countries have this type of automatic enrollment. What do you think? Should organ donation require opt-in vs. opt-out? My initial reaction is that it should require opt-in, but I’m willing to think about it.

“Yes the data is public (available on our website) but we expected users would look at only one or at most a few records each. Actually looking at everything we offer is obviously a crime.” This has implications for data you store in the Cloud!

Database builder faces web-scraping lawsuit

April 29, 2010 by Dissent

A US company faces a copyright, trespass and trade secrets lawsuit because it ’scraped’ the website of a rival on behalf of a client. The case underlines the legal uncertainty surrounding the practice.

Website ’scraping’ is the practice of automatically taking information from a website and can be used to retrieve the contents of entire back-end databases from other websites.

The legality of scraping is unclear in the UK and the US. Uncertainty still surrounds the degree to which it is copyright infringement, hacking, a violation of database rights or a breach of other laws.

Snap-on Business Solutions hopes that an Ohio court agrees with it that scraping is a violation of several laws. It has lodged a claim against O’Neil Associates over activity surrounding Mitsubishi’s moving of outsourced work from Snap-on to O’Neil.


[From the article:

Snap-on built a parts database for Mitsubishi so that dealers could access spare parts. It later moved the work to O'Neil and asked Snap-on for the database, which it saw as its property.

Snap-on, though, said that Mitsubishi would have to pay an extra fee to be given a copy of the database it had built.

O'Neil told Mitsubishi that it could 'scrape' the website to retrieve all the elements of the database. Mitsubishi gave it login details so that this could happen. Snap-on claims that this constituted an unlawful access to its database and unlawful copying of it.
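The distinction the claim rests on, a dealer looking up a part versus a single login pulling every record, is also the basis for detecting a scrape while it is happening. As an added example that is not from the case, here is the check a site operator would run over access logs: flag any account that reads more than N distinct records inside a short sliding window. The log format and every line are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed access-log format for the example: "<iso time> <account> GET /parts/<id>".
LINE = re.compile(r"^(\S+) (\S+) GET /parts/(\d+)$")

def parse_log(text: str) -> List[Tuple[datetime, str, int]]:
    """Parse log lines into (time, account, record id), oldest first; skip other lines."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))))
    events.sort(key=lambda e: e[0])
    return events

def detect_bulk_readers(text: str, window: timedelta = timedelta(minutes=10),
                        max_distinct: int = 50) -> Dict[str, datetime]:
    """Return {account: time first flagged} for every account that reads more than
    max_distinct distinct records inside any sliding window of length `window`.
    Counting distinct ids rather than requests ignores a dealer reloading one page."""
    recent: Dict[str, Deque[Tuple[datetime, int]]] = defaultdict(deque)
    flagged: Dict[str, datetime] = {}
    for ts, account, rec in parse_log(text):
        q = recent[account]
        q.append((ts, rec))
        while q and ts - q[0][0] > window:      # drop events that fell out of the window
            q.popleft()
        if account not in flagged and len({r for _, r in q}) > max_distinct:
            flagged[account] = ts
    return flagged

def build_sample_log() -> str:
    """Constructed sample, not from the case: one dealer looking up a few parts over a
    morning, and one account walking ids 1..300 at one request per second."""
    lines = [
        "2010-04-20T09:00:01 dealer17 GET /parts/1001",
        "2010-04-20T09:03:40 dealer17 GET /parts/1001",
        "2010-04-20T09:10:22 dealer17 GET /parts/2044",
        "2010-04-20T11:45:05 dealer17 GET /parts/2051",
        "2010-04-20T11:45:06 dealer17 GET /static/logo.png",   # ignored by the parser
    ]
    start = datetime(2010, 4, 20, 9, 0, 0)
    for i in range(300):
        lines.append(f"{(start + timedelta(seconds=i)).isoformat()} mmc-portal GET /parts/{i + 1}")
    return "\n".join(lines)

if __name__ == "__main__":
    for account, when in detect_bulk_readers(build_sample_log()).items():
        print(f"{account}: bulk read detected at {when.isoformat()}")
```

The threshold is the operator's business decision, and that is the point: whatever "a few records each" means, it can be written down and enforced at the time, which is a stronger position than arguing about it afterwards.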

I wonder if this was sponsored by the RIAA?

Bluebear: Exploring Privacy Threats in BitTorrent

April 28, 2010 by Dissent

BitTorrent is arguably the most efficient peer-to-peer protocol for content replication. However, BitTorrent has not been designed with privacy in mind and its popularity could threaten the privacy of millions of users. Surprisingly, privacy threats due to BitTorrent have been overlooked because BitTorrent popularity gives its users the illusion that finding them is like looking for a needle in a haystack. The goal of this project is to explore the severity of the privacy threats faced by BitTorrent users.

We argue that it is possible to continuously monitor from a single machine most BitTorrent users and to identify the content providers (also called initial seeds) [LLL_LEET10, LLL_TR10]. This is a major privacy threat as it is possible for anybody on the Internet to reconstruct all the download and upload history of most BitTorrent users.

To circumvent this kind of monitoring, BitTorrent users are increasingly using anonymizing networks such as Tor to hide their IP address from the tracker and, possibly, from other peers. However, we showed that it is possible to retrieve the IP address for more than 70% of BitTorrent users on top of Tor [LMC_POST10]. Moreover, once the IP address of a peer is retrieved, it is possible to link to the IP address other applications used by this peer on top of Tor.

Read more on Project Bluebear. Hat-tip, Slashdot.

Privacy in the automated data gathering and sharing age?

Every move I make, every step I take, they’ll be watching me

April 29, 2010 by Dissent

If you are not already familiar with Erasing David, a documentary about privacy, surveillance, and the database state, you may want to read this article by David Bond in the London Evening Standard about his experience trying to hide while others tried to find him. It’s a chilling demonstration of how much information about us is out there.

You can find out more about the project and film on

Cyber War: Isn't this another face of asynchronous warfare?

Online anonymity fueled ‘Web War’ on Estonia

April 28, 2010 by Dissent

Dan Goodin reports:

The attacks that paralyzed Estonian internet traffic for three days in 2007 were fueled by online anonymity and a phenomenon known as contagion, according to a report by three academics.

The paper, titled Storming the Servers: A Social Psychological Analysis of the First Internet War, is among the first to study the social and psychological forces that contributed to the massive DDoS, or distributed denial of service, attacks on Estonia. They are likely to play out in future online conflicts, the authors warn.

Read more in The Register.

BlackBerrys are Lawyer Toys.

Spy software watches BlackBerry, privacy advocates too

April 28, 2010 by Dissent

AFP with Lia Timson report:

US software firm Retina-X Studios has released a more vigilant version of its Mobile Spy program that captures every email and picture from BlackBerry smartphones, prompting Australian privacy advocates to call for order.


Roger Clarke, chairman, Australian Privacy Foundation, said such software was entirely inappropriate.

“We’re still in the wild west. Every time a new technology comes along it’s pretty much open slather for everyone to do anything they like, then courts and parliaments have to make rules.

Read more in The Age.

This is the Y2K scenario. Computers embedded in devices with inadequate testing.

Computer glitches in Toyota cars begin to pile up

by Brooke Crothers April 28, 2010 3:50 PM PDT

Wednesday's recall of the 2003 Sequoia marks the third computer-related recall for Toyota Motor this year.

The Japanese car company announced a recall of 50,000 Sequoia 2003 model year SUVs to address problems with the Vehicle Stability Control (VSC) System. If not fixed, some vehicles may not accelerate as quickly as the driver expects, Toyota said.

… In the glitch disclosed on Wednesday, Toyota said it made a production change during the 2003 model year and published a technical service bulletin to address the issue when it was first identified in the fall 2003. "Since that time, Toyota has been responding to individual owner concerns by replacing the skid control engine control unit in Sequoias impacted by this condition," Toyota said in a statement. The engine control unit, or ECU, is an onboard computer.

The Internet is more about Trade than Communications?

FTC Could Gain Enforcement Power Over Internet

Posted by timothy on Wednesday April 28, @04:01PM

Hugh Pickens writes

"The Washington Post reports that under a little-known provision in financial overhaul legislation before Congress the Federal Trade Commission could become a more powerful watchdog for Internet users with the power to issue rules on a fast track and impose civil penalties on companies that hurt consumers. 'If we had a deterrent, a bigger stick to fine malefactors, that would be helpful,' says FTC Chairman Jon Leibowitz, who has argued in favor of bolstering his agency's enforcement ability. This power would stand in stark contrast to a besieged FCC, whose ability to oversee broadband providers has been cast into doubt after a federal court ruled last month that the agency lacked the ability to punish Comcast for violating open-Internet guidelines. The provision to strengthen the FTC is in the regulatory overhaul legislation passed by the House, and although it is absent from the legislation before the Senate, some observers expect the measure to be included when the House and Senate versions are combined."

Even war isn't what it used to be...

Drone Pilots Could Be Tried for ‘War Crimes,’ Law Prof Says

By Nathan Hodge April 28, 2010 4:15 pm

The pilots waging America’s undeclared drone war in Pakistan could be liable to criminal prosecution for “war crimes,” a prominent law professor told a Congressional panel Wednesday.

Harold Koh, the State Department’s top legal adviser, outlined the administration’s legal case for the robotic attacks last month. Now, some legal experts are taking turns to punch holes in Koh’s argument.

It’s part of an ongoing legal debate about the CIA and U.S. military’s lethal drone operations, which have escalated in recent months — and which have received some technological upgrades. Critics of the program, including the American Civil Liberties Union, have argued that the campaign amounts to a program of targeted killing that may violate the laws of war.

Very interesting presentation.

James Hamilton on cloud economies of scale

by James Urquhart April 28, 2010 4:26 PM PDT

While it is often cited that cloud computing will change the economics of IT operations, it is rare to find definitive sources of information about the subject. However, the influence of economies of scale on the cost and quality of computing infrastructure is a critical reason why cloud computing promises to be so disruptive.

James Hamilton, a vice president and distinguished engineer at Amazon and one of the true gurus of large scale data center practices, recently gave a presentation at Mix 10 that may be one of the most informative--and influential--overviews of data center economies of scale to date.

Here are the key points that I took away from the presentation:

Everything is (probably) cheaper for a large scale service provider than for the average enterprise.

The two quickest hits in terms of data center operations are server costs and the cost of delivering power to servers.

Turning off a server is not as economically efficient as using the server fully at all times.

Large computing providers have a different relationship with their vendors than you do.

Buy a market.

With Palm, HP reboots mobile strategy

by Erica Ogg April 28, 2010 5:46 PM PDT

With its purchase of Palm, Hewlett-Packard acquired more than just a smartphone maker. It also picked up a whole new strategy for its mobile devices.

HP said Wednesday it plans to acquire Palm for $1.2 billion, or $5.70 per share, which amounts to a 23 percent premium over Palm's actual stock price at the end of the day. But for a leading technology company like HP with almost zero mobile phone presence and $13.5 billion in cash, picking up a company with a fully developed mobile operating system, a decent lineup of devices, and trove of mobile patents is a bargain. It will also make HP a viable competitor in the growing mobile market.

When new technologies (e.g. the iPad) come on the market, reporters look for industries or organizations that quickly adopt it – so they can figure out how it will be used. They always seem startled by how rapidly the Porn industry can move.

In the tech world, porn quietly leads the way

By Doug Gross, CNN April 23, 2010 -- Updated 2153 GMT (0553 HKT)

The Education Cloud?

Wednesday, April 28, 2010

Congratulations to Teachers in Oregon!

Today, Google announced that the Oregon Department of Education is officially migrating to Google Apps for Education. All public schools in the state will have access to Google Apps for Education for students and staff. Google and the Oregon DOE estimate that this could save Oregon $1.5 million/year.

Wednesday, April 28, 2010

I should probably whip up a spreadsheet to show how much you should budget for security based on the cost of a potential breach. Oh wait, I already have my students do that in the Risk Management class.

First-Ever Global Cost of a Data Breach Study Shows Organisations Paid USD3.43 million per Breach in 2009

April 28, 2010 by admin

Privacy and information management research firm Ponemon Institute, together with PGP Corporation, a global leader in trusted data protection, today announced the results of the first-ever global study into the costs incurred by organisations after experiencing a data breach. The 2009 Annual Study: Global Cost of a Data Breach report, compiled by The Ponemon Institute and sponsored by PGP Corporation, assesses the actual cost of activities resulting from more than one hundred real life breach incidents, affecting organisations from 18 different industry sectors.

The research shows that the average cost of a data breach globally stood at USD3.43 million last year, the equivalent of USD142 per compromised customer record. However, costs varied dramatically between regions, from USD204 per lost record in the U.S., down to USD98 per record in the UK. A total of 133 organisations, located in five countries – Australia, France, Germany, UK and U.S. – participated in the research, which was undertaken during 2009. The average costs of a data breach in all five countries were as follows….

See the full press release on PGP.

Andy Greenberg has some commentary on the study over on Forbes.
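The "spreadsheet" the commentary above talks about is essentially an annualized loss expectancy calculation: per-record breach cost, times records held, times the annual likelihood of a breach, compared against what a control costs and how much risk it removes. The block below is an added example, not code from the Ponemon/PGP study or from this blog. The only figures taken from the press release are the per-record costs (USD142 global, USD204 US, USD98 UK); the record counts, breach probabilities and control effectiveness are constructed assumptions that a real assessment would have to justify.

```python
"""Breach-cost budgeting sketch built on the 2009 Ponemon/PGP per-record figures.

Added example for illustration; the per-record costs are the ones quoted in the
press release, everything else (record counts, probabilities, control effect) is
a constructed assumption and must be replaced with your own estimates.
"""
from dataclasses import dataclass

# Average cost per compromised record, USD, from the 2009 Annual Study:
# Global Cost of a Data Breach (figures quoted in the press release).
COST_PER_RECORD = {
    "global": 142.0,
    "US": 204.0,
    "UK": 98.0,
}


@dataclass(frozen=True)
class Scenario:
    region: str                 # key into COST_PER_RECORD
    records_at_risk: int        # constructed assumption: records a breach would expose
    annual_breach_probability: float  # constructed assumption (annual rate of occurrence)


def single_loss_expectancy(region, records):
    """Cost of one breach exposing `records` records in `region` (SLE)."""
    return COST_PER_RECORD[region] * records


def annualized_loss_expectancy(scenario):
    """Expected yearly loss: SLE scaled by how likely a breach is per year (ALE)."""
    sle = single_loss_expectancy(scenario.region, scenario.records_at_risk)
    return sle * scenario.annual_breach_probability


def max_justified_spend(scenario, risk_reduction):
    """Largest yearly control budget that still breaks even.

    `risk_reduction` is the fraction of the ALE the control is believed to remove
    (0.0 to 1.0); anything spent above the returned figure costs more than it saves.
    """
    if not 0.0 <= risk_reduction <= 1.0:
        raise ValueError("risk_reduction must be between 0 and 1")
    return annualized_loss_expectancy(scenario) * risk_reduction


def rosi(scenario, control_cost, risk_reduction):
    """Return on security investment: (loss avoided - control cost) / control cost.

    Positive means the control pays for itself; negative means it does not.
    """
    if control_cost <= 0:
        raise ValueError("control_cost must be positive")
    avoided = max_justified_spend(scenario, risk_reduction)
    return (avoided - control_cost) / control_cost


def compare_regions(records, annual_probability, risk_reduction):
    """Break-even budget for the same data set if it were held in each region.

    Shows how much the regional per-record figures move the answer.
    """
    return {
        region: max_justified_spend(
            Scenario(region, records, annual_probability), risk_reduction
        )
        for region in COST_PER_RECORD
    }


if __name__ == "__main__":
    # Constructed scenario: 100,000 US customer records, one breach expected every ten years.
    us = Scenario("US", records_at_risk=100_000, annual_breach_probability=0.10)
    print(f"SLE: ${single_loss_expectancy(us.region, us.records_at_risk):,.0f}")
    print(f"ALE: ${annualized_loss_expectancy(us):,.0f}")
    # A control assumed to halve the risk, costing $500,000 a year.
    print(f"Break-even budget for a 50% risk reduction: ${max_justified_spend(us, 0.5):,.0f}")
    print(f"ROSI at $500,000/year: {rosi(us, 500_000, 0.5):.2f}")
    for region, budget in compare_regions(100_000, 0.10, 0.5).items():
        print(f"  {region:6s} break-even budget: ${budget:,.0f}")
```

The useful output is not the ROSI number itself but the sensitivity: the same 100,000 records justify roughly twice the spend in the US as in the UK on these figures, and the result moves linearly with the breach probability, which is the input least supported by data and the one worth arguing about first.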

The overly protective(?) network admin who held San Francisco hostage.

Terry Childs Found Guilty

Posted by kdawson on Tuesday April 27, @06:56PM

A jury in San Francisco found Terry Childs guilty of one felony count of computer tampering. The trial lasted four months. Childs now faces a maximum sentence of five years in prison.

Free at What Cost?: Cloud Computing Privacy Under the Stored Communications Act

April 27, 2010 by Dissent

William Jeremy Robison has a Note in the April issue of the Georgetown Law Journal, “Free at What Cost?: Cloud Computing Privacy Under the Stored Communications Act.” From the Introduction:

Scott McNealy, the Chairman and former CEO of Sun Microsystems, caused an uproar in 1999 when he dismissed online privacy concerns and proclaimed, “You have zero privacy anyway. Get over it.” Was he right? Within the realm of cloud computing, he may have been uncomfortably close to the truth.

The Stored Communications Act (SCA), a component of the broader Electronic Communications Privacy Act (ECPA), is the primary federal source of online privacy protections, but it is more than twenty years old. Despite the rapid evolution of computer and networking technology since the SCA’s adoption, its language has remained surprisingly static. The resulting task of adapting the Act’s language to modern technology has fallen largely upon the courts. In coming years, however, the courts will face their most difficult task yet in determining how cloud computing fits within the SCA’s complex framework.

This Note ultimately concludes that the advertising supported business model embraced by many cloud computing providers will not qualify for the SCA’s privacy protections. In exchange for “free” cloud computing services, customers are authorizing service providers to access their data to tailor contextual and targeted advertising. This quid pro quo violates the SCA’s requirements and many customers will find that their expectations of privacy were illusory.

For my Ethical Hacking students. This happens when you skip thinking about security...

On iPhone, beware of that AT&T Wi-Fi hot spot

by Elinor Mills April 27, 2010 1:33 PM PDT

A security researcher has discovered that any wireless network can pretend to be an AT&T Wi-Fi hot spot and thus lure unsuspecting iPhone users to an untrusted network connection.

Samy Kamkar, [ … ] said in an interview this week that he can hijack any iPhone within Wi-Fi range in what is often dubbed a "man-in-the-middle" attack because of the way the devices are configured to recognize AT&T Wi-Fi connections merely by the name "attwifi."

Legal hacking? Will other ISPs follow?

UK ISP Spots a File-Sharing Loophole, Implements It

Posted by kdawson on Wednesday April 28, @05:03AM

An anonymous reader writes

"As well as taking an active part in OFCOM's code of obligations in regards to the ill-conceived Digital Economy Act (the UK three-strikes law for filesharers), niche ISP Andrews & Arnold have identified various loopholes in the law, the main one being that a customer can be classified as a communications provider. They have now implemented measures so in your control panel you may register your legal status and be classed as such."

Another of the loopholes this inventive ISP sussed out: "Operating more than one retail arm selling to customers and allowing customers to migrate freely with no change to service between those retail arms, thus bypassing copyright notice counting and any blocking orders."

(Related) Bad strategy. Now the RIAA will quote that as “dollars lost.”

Fair Use Generates $4.7 Trillion For US Economy

Posted by kdawson on Wednesday April 28, @08:06AM

Hugh Pickens writes

"The Hill spotlights a study released by the Computer & Communications Industry Association, which concludes that companies relying on fair use generate $4.7 trillion in revenue to the US economy every year. The report claims that fair use — an exception to the copyright law that allows limited use of copyrighted materials — is crucial to innovation. It adds that employment in fair use industries grew from 16.9 million in 2002 to 17.5 million in 2007 and one out of eight US workers is employed by a company benefiting from protections provided by fair use (PDF). Rep. Zoe Lofgren (D-CA) says the reasonable fair use of content needs to be preserved; otherwise, content owners will control access to movies, music and art that will no longer be available for schools, research, or web browsing. Lofgren tied the copyright issue with the question of net neutrality. Without net neutrality 'content owners will completely control and lock down content. We're going to be sorry characters when we actually don't see fair use rights on the Web,' says Lofgren. 'If we allow our freedom to be taken for commercial purposes, we will have some explaining to do to our founding fathers and those who died for our freedom.'"

Interesting statistics. Much higher numbers than I would have expected.

April 27, 2010

Pew Report: Government Online

Government Online - The internet gives citizens new paths to government services and information. Aaron Smith, Research Specialist, April 27, 2010

  • "Government agencies have begun to open up their data to the public, and a surprisingly large number of citizens are showing interest. Some 40% of adult internet users have gone online for raw data about government spending and activities. This includes anyone who has done at least one of the following: look online to see how federal stimulus money is being spent (23% of internet users have done this); read or download the text of legislation (22%); visit a site such as that provides access to government data (16%); or look online to see who is contributing to the campaigns of their elected officials (14%). The report also finds that 31% of online adults have used social tools such as blogs, social networking sites, and online video as well as email and text alerts to keep informed about government activities. Moreover, these new tools show particular appeal to groups that have historically lagged in their use of other online government offerings—in particular, minority Americans. Latinos and African Americans are just as likely as whites to use these tools to keep up with government, and are much more likely to agree that government outreach using these channels makes government more accessible and helps people be more informed about what government agencies are doing."

(Related) Automating this process might be amusing...

April 27, 2010

Site provides citizens with a single destination to explore all the information from

"Our long-term vision for ThisWeKnow is to model the entire catalog and make it available to the public using Semantic Web standards as a large-scale online database. ThisWeKnow will provide citizens with a single destination where they can search and browse all the information the government collects. It will also provide other application developers with a powerful standards-based API for accessing the data. Loading governmental databases into a single, flexible data store breaks down silos of information and facilitates inferences across multiple data stores. For example, inferences can be made by combining census demographic data from the Agency of Commerce, factory information from the Environmental Protection Agency, information about employment from the Department of Labor, and so on. We can't even begin to imagine the discoveries that will become possible after all these data are loaded into an integrated repository."

A website to visualize Chemistry? Not complete yet, but interesting...

Tuesday, April 27, 2010

Canvas Mol - 3D Models of Molecules

Canvas Mol is a website that provides 3D, interactive, rotating models of simple and complex molecules. There are 46 models of relatively common molecules like glucose, fructose, and morphine. Each model can be altered to show or not show bonds, to show or not show individual atoms, and to rotate on the X, Y, or Z axis. Canvas Mol works best in Chrome or Opera, but can also be used in Firefox and Safari.

You might find these useful for insurance purposes... Includes movie and music databases and room furniture arrangers.

10 Most Downloaded Home Inventory Apps

Another free screen capture video tool.

TipCam 2.2

You'll be able to start, pause, delete, and preview your screencasts from the small recording controls window, even draw on annotations while you record.