Saturday, August 28, 2010

Perhaps this is how they do it outside of Philadelphia?

GA: Schools attorney drafting revised policy after parent says searching backpacks is unconstitutional

August 28, 2010 by Dissent

Ryan Calhoun reports:

Random school searches are meant to keep your children safe, but one parent tells the Richmond County school board it’s unconstitutional and now they’re taking a new look at the policy.

OK, let’s stop right there in amazement. A parent raises a constitutional concern and the school board decides to think about their policy more? It doesn’t take a lawsuit to get them to at least consider their policy? What a refreshing change. [Amen! Bob]


In the U.S. Supreme Court case Safford Unified School District #1 v. Redding, it states, “For school searches, ‘the public interest is best served by a Fourth Amendment standard of reasonableness that stops short of probable cause.’”

Later it reads, “…a school search ‘will be permissible…when the measures adopted are reasonably related to the objectives of the search and not excessively intrusive in the light of the age and sex of the student and the nature of the infraction.’”

Richmond County School officials tell News 12 their attorney is now drafting a policy to make sure their searches are legal.

Read more on WRDW.

(Related) Rational is so much cheaper...

IT staffer set to return to LMSD

At least one of the two Lower Merion School District employees who have been on paid administrative leave since shortly after a webcam lawsuit was started against the district will be going back to work, her attorney confirmed this week.

In February school officials placed the employees, who were authorized to activate the district’s webcam monitoring system, on leave. Neither has been able [was allowed? Bob] to go back to work since the suit was filed. This week Main Line Media News learned that Carol Cafiero was expected to be taken off administrative leave and return to her job.

… Mandracchia said he also expects to work with the district to have them cover the legal fees she has accumulated.

“Hopefully we can come to some type of mutual agreement,” he said.

Although he declined to say what her bills amounted to, Mandracchia said they hadn’t reached six figures.

Should we conclude there is an economic impact?

The Economist Debate on Online privacy

August 27, 2010 by Dissent

Resolved: “This house believes that governments must do far more to protect online privacy.”

Proposer: Marc Rotenberg, EPIC

….. we need the government agencies charged with consumer protection, privacy protection and antitrust review to play a more active role on behalf of internet users. Companies that collect personal information for one purpose and then turn around and use it for a completely unrelated purpose should not get a free pass from regulators. And the consolidation of large internet firms, particularly in the online advertising world, should set off alarm bells for competition authorities. Not only does the massive profiling of users by incumbents place users in a digital fishbowl, it also makes it more difficult for new entrants to compete. Competition, innovation and privacy protection could easily become allies as the internet economy evolves.

We also need independent privacy agencies to speak up when the private sector or the government cross into Big Brother territory. Requiring RFID tags in products and identity documents, gathering up DNA samples for law enforcement use and consumer products, and tracking the location of internet users without their knowledge or consent all pose new challenges that cannot be ignored.

The Opposition: Jim Harper, CATO

…. Government help will not do for protecting privacy in its stronger “control” sense either. Privacy is a value that varies from person to person and from context to context. Perfectly nice, normal people can be highly protective of information about themselves or indifferent to what happens with data about their web surfing. Any government regulation would cut through this diversity.

Government “experts” should not dictate social rules. Rather, interactions among members of the internet community should determine the internet’s social and business norms.

Read more of the debate on The Economist.

Debate is better than nothing, but shouldn't we be narrowing down toward an agreement by now?

More on the “harm” threshold (and its possible demise)

By Dissent, August 27, 2010

Over on HIPAA Blog, attorney Jeff Drummond writes:

More on the “harm” threshold (and its possible demise): During this past week, the AHLA “HIT list” listserv has buzzed with commentary on the “harm” threshold (in large part started by the NYT article mentioned here), whether it should even be in there (or is an unconstitutional expansion of the statute beyond the capacity of HHS to enact), and whether it’s a good idea even if it can be instituted via regulation. Dom Nicastro has a nice article comparing the California breach notification statute, which is a net that catches all, to the HIPAA breach notification provisions, which allow the “no harm” breaches to be excluded from the reporting requirement. Virtually all of the California healthcare breaches reported to the state were not reported to HHS under the “harm” standard (although it’s possible some were not reported because they fit into one of the other HIPAA exceptions to reporting). Which means either we need the “harm” threshold to prevent useless and unnecessary reporting, OR we must get rid of the “harm” threshold because it is abused in its use.

I discussed Nicastro’s article on this blog yesterday, here. What I want to respond to here is Jeff’s conclusion that

either we need the “harm” threshold to prevent useless and unnecessary reporting, OR we must get rid of the “harm” threshold because it is abused in its use.

There are more than two options or rationales here. We could — and should — get rid of the “harm” threshold because it exceeds the statute passed by Congress and indeed, flouts Congress’s specific language and intent as they had specifically rejected a harm threshold after considering it. We could — and should — get rid of the “harm” threshold because it is premised on the notion that the main reason to notify patients of a breach is concern for societally recognized “harm” and does not consider the issue of patient trust and confidentiality as the primary reason to disclose a breach.

What Jeff Drummond considers “useless and unnecessary reporting” reflects what he or others might consider a pragmatic approach, but what I consider to be an approach that ignores the trust and confidentiality issues between provider and patient. Patients believe we are bound by an oath to keep what we learn about them confidential. Unless we’re going to start warning them, “Yes, I’ll keep this all confidential, but if I suffer a security breach, I may not tell you,” then we have an obligation to disclose breaches.

(Related) Exceptions...

MN: Court Sides With State in Baby Blood Storage Case

By Dissent, August 27, 2010

Jeff D. Gorman reports:

Minnesota did not violate families’ privacy rights by collecting and storing children’s blood samples, the state Court of Appeals ruled.

Alan and Keri Bearder and the parents of 23 other children sued the state and its Department of Health for allegedly collecting blood samples from their infants to test for genetic disorders, and then storing the blood in freezers for use in research.

The parents claimed the state’s actions violated state privacy laws.

Read more on Courthouse News, where you can also read the court’s opinion (pdf). A key part of the opinion was that the broad powers of the Commissioner “trump” the state’s genetic privacy act, which requires written informed consent before use of the information “unless otherwise expressly provided by law.”

Applying these principles, we conclude that Minn. Stat. § 144.125-.128 and other governing legislation granting the commissioner broad authority to manage the newborn screening program amount to an “express” provision of law that authorizes collection, retention, use and dissemination of blood specimens for the newborn screening program, making the genetic privacy act inapplicable.

I am watching this debate, not surveilling it.

Debating America’s surveillance state

August 27, 2010 by Dissent

Glenn Greenwald writes:

Earlier this month, The Cato Institute’s Unbound published my essay on America’s Surveillance State, and then invited several commentators to reply and participate in a debate of these issues. Two of those replies were particularly critical: this one from John Eastman, former Dean of the Chapman University School of Law (recent home to John Yoo), recently defeated GOP candidate for California Attorney General, and former clerk to right-wing judges Clarence Thomas and Michael Luttig; and this one from Paul Rosenzweig, a Fellow at the Heritage Foundation and a former Homeland Security official in the Bush administration.

Read more on Salon.

(Related) For my Ethical Hackers – a four factor test.

Orin Kerr discussed GPS Tracking on C-SPAN

August 27, 2010 by Dissent

Orin Kerr was on C-SPAN’s Washington Journal program this morning discussing GPS surveillance and the Fourth Amendment. You can watch the interview on C-SPAN’s site, here. If you’re interested in this topic, it’s a great interview to watch as Orin touches on a number of cases and how different courts have reached different conclusions about the need for a warrant.

Another for my Ethical Hackers. Perhaps this suggests a business model: Send us your failing malware and we'll analyze it for you! If nothing else, selling the results of the analysis to the anti-virus vendors should turn a profit.

Many Hackers Accidentally Send Their Code To Microsoft

Posted by Soulskill on Friday August 27, @09:30AM

"When hackers crash Windows in the course of developing malware, they'll often accidentally agree to send the virus code straight to Microsoft, according to senior security architect Rocky Heckman. 'It's amazing how much stuff we get.' Heckman also said Microsoft was a common target for people testing their attacks. 'The first thing [script kiddies] do is fire off all these attacks at On average we get attacked between 7000 and 9000 times per second.'"

Who writes these contracts? Do they specifically outlaw Best Practices and Common Sense?

State of Virginia Technology Centers Down

Posted by Soulskill on Friday August 27, @12:00PM

"Some rather important departments (DMV, Social Services, Taxation) in the state of Virginia are currently without access to documents and information as a technology meltdown has caused much of their infrastructure to be offline for over 24 hours now. State CIO Sam Nixon said, 'A failure occurred in one memory card in what is known as a "storage area network," or SAN, at Virginia's Information Technologies Agency (VITA) suburban Richmond computing center, one of several data storage systems across Virginia.' How does the IT for some of the largest departments in a state come to a screeching halt over a single memory card? Oh, and also, the state is paying Northrop Grumman $2.4 billion over 10 years to manage the state's IT infrastructure."

Reader miller60 adds, "Virginia's IT systems drew scrutiny last fall when state agencies reported rolling outages due to the lack of network redundancy."

Friday, August 27, 2010

They just think differently in Pennsylvania...

Lower Merion webcam plaintiff's attorney again demands payment

By Derrick Nunnally Inquirer Staff Writer

Despite a hostile initial response from the Lower Merion School District, the lawyer handling the webcam lawsuit against it repeated his demand Monday to be paid more than $400,000 while the case is pending.

In an Aug. 12 federal court filing, the district attacked attorney Mark S. Haltzman for a bill that it said "far exceeds the bounds of reasonableness" and for suing in the first place instead of going directly to school officials. Concerns over the webcam surveillance of Harriton High School student Blake Robbins, the district said, could have been handled without the expense of litigation.

Haltzman responded on both fronts Monday, defending his accounting and the decision to take the matter to court - backing the latter up with the first public glimpse at the sworn statements given by school district officials in the case.

In a sliver of a transcript from a June deposition - eight of the document's 296 pages - included with the filing, district information services coordinator Carol Cafiero said that the principals of Lower Merion and Harriton High Schools blocked an attempt to end the webcam monitoring.

She described a Nov. 10 meeting with the principals and Cafiero's boss, information services director George Frazier, over the surveillance program.

"The principals were on the side of keeping it going," Cafiero said. "Mr. Frazier wanted to stop and get a policy."

Although the meeting happened two weeks after school officials tapped Robbins' computer and saw pictures from within his house, Cafiero said the discussion was about the general policy, rather than any student.

Cafiero's attorney, Charles Mandracchia, said Monday that the excerpt fairly characterized her extended deposition. Cafiero remains on paid administrative leave from her district job, he said.

Cafiero's claim of a rift over whether to continue the schools' use of remote webcam monitoring to track computers thought to be misplaced has been debated for months. In April, she told The Inquirer that administrators at that November meeting had wanted to keep using the feature.

But a May report made by the Ballard Spahr law firm for the district said "all of the known attendees of that meeting" had no recollection like that.

Haltzman, however, made the deposition a linchpin Monday in his quest to get paid while litigating the case.

Proving that the lawsuit he filed for Robbins ended the webcam surveillance and other privacy violations in the case would help enable Haltzman to begin to collect attorney's fees and other court costs as a winning party, though the decision rests with U.S. District Judge Jan E. DuBois.

Lawyer Henry E. Hockeimer Jr., who represents the school district in the case, declined to comment Monday. In the Aug. 12 filing, he attacked Haltzman for a bill that "far exceeds the bounds of reasonableness" and for suing in the first place instead of going directly to school officials.

In Monday's filing, Cafiero's deposition was cited to defend the escalation to court.

"Surely if the school's own IT director was unable to stop the practice," Haltzman wrote, "what chance did a mom have to get the surveillance stopped?"

He also defended the costs at which the district's attorneys had balked, including the cost of hiring technical experts to analyze computer records. In an interview, Haltzman called one item "ironic" for a lawsuit over surveillance: the school district's objection to paying a $4,836 charge for videotaping the depositions.

"At least I was doing it with the full knowledge of everybody in the room," Haltzman said. "The school district did it without anybody knowing about it."

(Related) The next kerfuffle?

LMSD to install GPS tracking units in its bus fleet

Will this become a trend? (If not, why not?)

Connecticut Insurance Commissioner Announces Data Breach Notification Mandate

August 27, 2010 by admin

Joseph Lazzarotti of Jackson Lewis writes:

On August 18, 2010, the Connecticut Insurance Commissioner issued Bulletin IC-25 which mandates that entities within its jurisdiction notify the Department of Insurance of any “information security incident.” This post provides a brief summary of this new requirement.


What is an “information security incident”?

Under this Bulletin, an information security incident is:

any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information, whether or not encrypted, of a Connecticut insured, member, subscriber, policyholder or provider, in whatever form the information is collected, used or stored, which is obtained or maintained by a licensee or registrant of the Insurance Department, the loss of which could compromise or put at risk [Isn't that the reason encrypted data is normally excluded? Bob] the personal, financial, or physical well being of the affected insureds, members, subscribers, policyholders or providers.

Thus, unlike the general Connecticut data breach notification statute which requires notification only with respect to computerized personal information, this mandate applies to paper documents which includes personal health, financial or personal information. Also, encrypted data is not exempt from this notification requirement.

Read more about the new bulletin on Workplace Privacy Data Management & Security Report. The state is now requiring covered entities to provide it with a lot of detailed information within five (5) calendar days after a breach is identified.

Obviously, I’m delighted to see the inclusion of paper records and the absence of a “significant harm” threshold. Without knowing the history of this bulletin, I might guess that it is, at least in part, a reaction to a number of breaches by health insurers where neither the state nor residents were promptly notified of a breach and where the state’s attorney general investigated the breaches and insisted that the insurers offer credit monitoring services, etc.

That said, this situation also highlights the patchwork quality of regulations and statutes even within one state, much less between states. Can you hear me now, Congress?

More on your Privacy Policy as a contract...

Never Make a Promise You Can’t Keep- Especially in Your Privacy Policy

August 26, 2010 by Dissent

Kevin Khurana of Proskauer writes:

Expect the unexpected from your Web site privacy policy. In a handful of cases, including two which were recently decided, companies have been thwarted in various, unexpected ways by the commitments made in their online privacy policies.

Are your intellectual property litigators reading your privacy policy?

In FenF, LLC v. Healio Health, Inc., No. 5:08-CV-404 (N.D. OH July 8, 2010), the court held that a provision from a settlement agreement entered into by FenF, LLC (“FenF”), the plaintiff, and Healio Health, Inc. (“Healio”), the defendant, which required Healio to transfer certain customer information to FenF was unenforceable because doing so would result in a violation of Healio’s privacy policy.

Read more about this and the other cases where privacy policy came into play on Proskauer Law Blog.

“Just because everyone agrees we should do something doesn't mean anyone actually will do something.” As an Auditor (or an Ethical Hacker) I'd probably want to re-test periodically just to ensure someone didn't turn off a security feature to speed performance.

NIST Publishes Approved Testing Procedures for Electronic Health Records

… Starting next year, the federal government will provide extra Medicare and Medicaid payments to health care providers that implement EHR systems certified to meet ONC requirements that conform to technical standards and are put to “meaningful use,” performing specifically defined functions.

These ONC-approved test procedures help ensure that electronic health records function properly and work interchangeably across systems developed by different vendors. The set of 45 approved test procedures evaluates components of electronic health records such as their encryption, how they plot and display growth charts, and how they control access so that only authorized users can access their information.

(Related) This is the modern equivalent of “We can't afford insurance.”

Panda: 46 percent of U.S. SMBs victimized in 2010

“Many SMBs simply don’t have the resources in terms of budget, time and human capital to devote to protecting their computers and sensitive data,” said Sean-Paul Correll, threat researcher at PandaLabs.

… The entire report can be viewed by clicking here.

For my Ethical Hackers. Passwords should be longer AND contain numbers and symbols. But then, add more layers for real protection.

Longer passwords not solution to better security

August 26, 2010 by admin

Vivian Yeo reports on industry responses to a recent research report from the Georgia Tech Research Institute suggesting users should create longer, 12-character, passwords:

… Ronnie Ng, Symantec’s systems engineering manager for Singapore, told ZDNet Asia that the username-and-password application is the “first and only layer of defense” for many information systems in organizations today. Hence, while brute force attacks are the least sophisticated of attacks, they remain very effective, he explained in an e-mail.

Ng added: “Probability dictates that the longer a password is, the more difficult it will be to crack.” Symantec recommends a minimum password length of eight characters for typical users, and at least 15 for administrators.

However, more than just length, users need to consider the “depth and width” of the password. He said a secret code with depth refers to one that is not conventional or easily guessable, while width refers to the use of numbers and symbols alongside letters.

Concurring, Victor Keong, executive director of IT advisory services at KPMG in Singapore, pointed out that long passwords do not necessarily equate to strong passwords.

Read more on ZDNet (Asia)

(Related) A list of actual passwords is a good starting point for “dictionary attacks”

Researcher Creates Clearinghouse Of 14 Million Hacked Passwords

August 26, 2010 by admin

Andy Greenberg reports:

Canadian researcher Ron Bowes has created a sort of Wall of Sheep for the entire Internet. By simply collecting all the publicly-spilled repositories of users’ passwords from recent hacking incidents, he’s created a clearinghouse for stolen passwords on his Web site–14,488,929 distinct passwords to be exact, collected from 32,943,045 users.

Bowes didn’t steal these passwords, and they’re not associated with usernames, an extra piece of data that would make listing them far more dangerous. All but 250,000 or so became public after the breach of, a social networking applications site penetrated by cybercriminals using an SQL-injection. Another 180,000 were spilled when the bulletin board software site phpbb was hacked using a vulnerability in one of the site’s plugins. 37,000 more were stolen from MySpace using phishing techniques.

Read more on Forbes.
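To put numbers on the two points made in the ZDNet and Forbes items above (that keyspace grows with both length and the “width” of the character set, and that a password appearing in a leaked list is weak no matter how long it is), here is an added example of a password policy check. It is not code from ZDNet, Symantec, KPMG, Forbes or Ron Bowes; the breach list it uses is a constructed sample of a handful of common passwords, and the 8-character minimum and 60-bit cut-off are assumptions loosely modelled on the Symantec lengths quoted above.

```python
"""Password policy evaluator: keyspace (length x width) plus breach-list check.
Added example; the breach list below is constructed, not a real corpus."""
import hashlib
import math
import string
from typing import Dict

# Constructed sample standing in for a public breach corpus. Only hashes are
# kept at runtime so the policy code never carries the plaintexts; a real
# deployment would load the hash set from the corpus file instead.
_CONSTRUCTED_BREACH_LIST = [
    "123456", "password", "iloveyou", "princess", "rockyou",
    "abc123", "Password1!", "qwerty123456",
]
BREACHED_HASHES = {
    hashlib.sha1(p.encode("utf-8")).hexdigest() for p in _CONSTRUCTED_BREACH_LIST
}

# Character classes that make up the "width" of a password.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}

MIN_LENGTH = 8    # assumed: the minimum quoted for typical users
OK_BITS = 60.0    # assumed: keyspace below this is reported as "weak"


def charset_size(pw: str) -> int:
    """Width: size of the smallest alphabet covering every character used."""
    size = 0
    for alphabet in CLASSES.values():
        if any(c in alphabet for c in pw):
            size += len(alphabet)
    # Anything outside the four classes (space, non-ASCII) counts per distinct char.
    others = {c for c in pw if not any(c in a for a in CLASSES.values())}
    return size + len(others)


def bits_for(length: int, charset: int) -> float:
    """log2 of the candidates an exhaustive search over this length and
    alphabet must try: the 'probability dictates' argument, in bits."""
    return length * math.log2(charset) if length and charset else 0.0


def keyspace_bits(pw: str) -> float:
    return bits_for(len(pw), charset_size(pw))


def is_breached(pw: str) -> bool:
    """Dictionary check: a password in a leaked list is weak at any length."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest() in BREACHED_HASHES


def evaluate(pw: str) -> Dict[str, object]:
    """Apply the policy in order: breach list first, then length, then keyspace."""
    result: Dict[str, object] = {
        "length": len(pw),
        "charset": charset_size(pw),
        "bits": round(keyspace_bits(pw), 1),
        "breached": is_breached(pw),
    }
    if result["breached"] or len(pw) < MIN_LENGTH:
        result["verdict"] = "reject"
    elif keyspace_bits(pw) < OK_BITS:
        result["verdict"] = "weak"
    else:
        result["verdict"] = "ok"
    return result


if __name__ == "__main__":
    # Length versus width: the 8- and 15-character policies quoted above, in bits.
    for length, charset in ((8, 26), (8, 94), (12, 26), (15, 94)):
        print(f"{length:2d} chars over {charset:2d} symbols: {bits_for(length, charset):5.1f} bits")
    # Constructed sample inputs.
    for pw in ("Password1!", "correcthorse", "correcthorsebattery", "short1"):
        print(pw, evaluate(pw))
```

Running it shows why the two quoted experts agree: eight characters drawn from the full 94-symbol set give about 52 bits, twelve lowercase letters about 56 bits, and fifteen full-width characters about 98 bits, so length buys more per character than width does; but “Password1!” is rejected outright because it is on the breach list, regardless of its 65-bit keyspace. The breach check runs before any arithmetic for exactly that reason.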

Clips for classes?

YouTube Debuts New Movies Section With 400 Free, Full-Length Films (Updated)

YouTube has launched a fresh Movies category on its website, gathering about 400 full-length films for your on-demand viewing pleasure, all free of charge.

… What can you find there? Loads of Bollywood flicks, a bunch of Bruce Lee and Jackie Chan films, obscure horror movies and cartoons, among many other sections.

Thursday, August 26, 2010

The cost of a security breach...

Ca: Corrections to pay victims of breach of privacy

August 26, 2010 by admin

Robb Tripp reports:

More than 360 people who worked at a federal prison in Kingston will get at least $1,000 each after a precedent-setting, six-year legal fight over a breach of their privacy.

“This has been a long odyssey,” Christopher Edwards, the Kingston lawyer who represented staff in a lawsuit said Wednesday.

Correctional Service Canada has agreed to the payments to 366 people whose names appeared on a staff list at Joyceville Institution. The list, which included home addresses, home phone numbers, and the names of spouses, fell into the hands of convicts at the prison in 2003.

This week, a Superior Court judge in Kingston endorsed the deal that puts an end to the class-action lawsuit launched in 2004 by staff. It originally sought $15 million in damages in a novel area where there have been only a handful of cases in Canada.

Read more in the Whig-Standard.

Okay, this was a settlement. Had it gone to court here in the U.S., would they have gotten anything or would the courts have held that risk of future harm is not something that one can put a monetary value on and if there were no unreimbursed expenses due to the breach, well, tough luck?

Not sure I'm surprised here...

Blagojevich auction boxes contain client files

August 26, 2010 by admin

Serena Dai of the Associated Press reports:

Amidst photos and handwritten letters in auction boxes connected to former Gov. Rod Blagojevich are confidential client-attorney papers from his lawyer days and opposition research on his 2006 gubernatorial race rival Judy Baar Topinka, a Northwestern University librarian said Wednesday.

Librarian Jeffrey Garrett bought 18 boxes of files, photos, and videotapes at the Boyer-Rosene Moving and Storage auction last Thursday on behalf of Northwestern’s special libraries, which documents the careers of significant alum, he said.

Read more in the Chicago Tribune.

Well, we’ve seen cases where lawyers improperly disposed of confidential client records so this wouldn’t exactly be a first. What’s a bit different about this case is how the confidential files wound up where they did. While people can point fingers at who packed up documents, who stored them, who was responsible for paying storage fees etc., I would think that ultimately, it’s the attorney’s responsibility to ensure that the confidentiality of client records is protected. Yes, even in the middle of a public scandal and trial.

Now will anyone actually get notified that their client records have been exposed or are now in the possession of others? I mean, it’s just paper records, right?

How would you monitor compliance with a contract and what record of your responses would be required?

Privacy Policy Lessons from Handbook Cases

August 25, 2010 by Dissent

Lawrence Cunningham writes:

Just as the hottest practical topic in contract law during the 1990s was whether corporate employee handbooks could be enforced as contracts, among today’s hot practical contract law topics is whether corporate policy statements, especially on the internet, can be enforced as contracts. We’re in the beginning of a struggle on that point, whose dynamic echoes that of the handbook cases of two decades ago—and we might learn something from them.

Read more on Concurring Opinions.

In humor there is truth. “The Internet is one big resume...” A video for our times.

Colbert Tackles Internet Privacy: ‘Become A Disfigured Nameless Loner’

What differs from assigning a police officer to follow a suspect? Technology makes it cheap enough to allow even small police forces to follow large numbers of people. What else changes?

GPS Tracking Without a Warrant Declared Legal

Posted by samzenpus on Wednesday August 25, @04:51PM

"The Ninth Circuit court has declared that attaching a GPS tracker to your car, as it sits in your driveway, or by extension on a public street, and then using it to monitor every one of your movements, is totally legal, and can be performed by the police without needing a warrant. So, if you live in the Western United States, big brother has arrived."

[From the article:

This doesn't violate your Fourth Amendment rights, because you do not have any reasonable expectation of privacy in your own driveway - and no reasonable expectation that the government isn't tracking your movements.

… Chief Judge Alex Kozinski, who dissented from this month's decision refusing to reconsider the case, pointed out whose homes are not open to strangers: rich people's. The court's ruling, he said, means that people who protect their homes with electric gates, fences and security booths have a large protected zone of privacy around their homes. People who cannot afford such barriers have to put up with the government sneaking around at night.

For my Ethical Hackers. Is it wrong to try thinking like an attacker?

Teacher Asks Students To Plan a Terrorist Attack

Posted by samzenpus on Thursday August 26, @12:22AM

Tired of looking at an endless parade of dioramas, an Australian teacher had her class plan a terrorist attack that would "kill as many innocent Australians as possible." "The teacher, with every best intention, was attempting to have the students think through someone else's eyes about conflict. I think there are better ways to do that. ... This is not what we expect of professional educators," said Sharyn O'Neill, director-general of the state's Department of Education.

I wonder if this is how the Attorneys General that are “investigating” Craigslist find all those “Adult Services” ads they object to?

notiFINDER: Get Craigslist Ad Alerts For Specific Items

Craigslist is a massive classifieds website that many people find useful. If you are looking for something in particular on Craigslist, then you have to check the site for new listings every day. But thanks to notiFINDER, that task has been greatly simplified. notiFINDER is a free and simple-to-use Craigslist ad alert tool that can notify you of new classifieds on Craigslist.

You fill out all the information on the site’s homepage. First you enter in your location. Next you type in what you are looking for; you can specify which category your item belongs to: for sale, jobs, housing, services, gigs, community, personals, or resumes. With the item’s name and type entered, a small red text appears which states the frequency of new listings regarding your item. You can enter your price range and the frequency with which you want to be alerted on the email address you provide.

Finally you click on the “Add” button and if any Craigslist post matches your options you are sent an email notification.

Similar tools: Search All Craig’s, Crazedlist, Craiglook, PadMapper, CLHack, Craigsly and HeyCraig.


Sometimes you need to know what's going on in the world.

Watch Streaming Live TV News Online with Livestation

Head over to Livestation’s web site and you can start watching streaming news immediately.

… There’s a very nice desktop client available. It works for Windows, Mac and Linux computers … For example, the service now offers picture-in-picture:

Another cool feature is the “carousel,” a slick interface that makes for quick browsing of your channels:

The desktop also gives you access to the many user-generated stations Livestation offers. These streams are similar to services such as UStream (check out this article for more information on starting your own broadcast with UStream.)

Intended for teachers, but useful for others as well... LOTS of examples!

Blogs, Wikis, Docs: Which is right for your lesson?

A Comparison Table

For my website students. You can also copy and paste directly into Word. (Lots of Math symbols: ±, ÷, √, ≈, ≠, etc. )

NiceEntity: Get HTML And Unicode For Symbols & Characters

NiceEntity is a web resource that indexes hundreds of special characters along with their HTML and Unicode details.

You can browse through categories like Punctuations, Accents, Shapes & Symbols, Math and even filter them further using sub-categories. If browsing is not your thing simply search for the character you are looking for, or click on “all” to display the complete list.

Similar tools: JoyLy, CopyPasteCharacter and EntityCode.

Wednesday, August 25, 2010

Another great teaching tool. Listing what they did wrong will provide a complete list of “Best Practices”

AU: Hacker hits Ballarat City Council files

August 24, 2010 by admin
Filed under Breach Incidents, Government Sector, Hack, Non-U.S., Subcontractor


Benjamin Preiss reports:

Ballarat City Council’s online network was in meltdown yesterday after it was discovered somebody had broken into the system.

One source, who had specific details about the security scare, said a teenager from regional Victoria had gained access to the system.

”Essentially the level of access that’s available is complete and unrestricted access to all their files,” [The very definition of poor computer security. Bob] the source said.

Council staff detected the security breach on Monday after a resident came forward with claims the system had been hacked. [They apparently had no “Detection” controls. Bob]

Ballarat City Council chief executive officer Anthony Schinck said the network would be shut down until the end of the week after unauthorised access to payroll data and emails.


Mr Schinck said the council network was accessed via a ”third party provider”, which provides network support to Ballarat and other local councils… “It appears that log ins and passwords have been potentially stolen (which) has allowed access to the system.”

Read more in The Courier.

[From the article:

Yesterday the council called in computer security experts to examine the system and determine exactly how much information had been viewed. Mr Schinck said he did not believe documents had been tampered with or removed. [Apparently, they have no logs or don't know how to read them... Bob]

If not immediately, then eventually. Which strategy meets Mercer's strategic goal to appear defensive, unresponsive and insensitive?

UPDATE: Idaho Power says Mercer breach affected over 375,000

August 25, 2010 by admin

The Mercer Health & Benefits breach involving a backup tape lost in transit after being shipped by FedEx is one of those multi-client breaches that comes out in dribs and drabs. But if Mercer hoped to keep the total number affected under wraps, one of their clients may have spilled the beans.

On August 12, Idaho Power Health Plan posted an FAQ on their site that I just came across. It says, in part:

2. What happened and what data information was lost?
A data breach was reported by Mercer to Idaho Power on June 16, 2010. According to Mercer, on March 26, 2010 a package containing a server back-up tape was sent via FedEx from Mercer’s Boise office to their Seattle office and is presently unaccounted for.

The tape contained personal demographic information (not medical or health-related data). The lost information included names, addresses, dates of birth, and Social Security numbers for approximately 5,000 Idaho Power employees and dependents and approximately 375,000 other individuals whom Mercer services through their client base.

The FAQ challenges Mercer’s reassuring statement that the unencrypted data would be difficult to be read: [Good for them! Bob]

3. Has the tape been recovered? Any indication the tape or any information on the tape has been inappropriately misused?
The tape cannot be accounted for, and we cannot confirm the tape or any information on it has or has not been inappropriately misused.

While the tape was not encrypted, Mercer indicates it is not the type of media that is readily accessible. Idaho Power disagrees and we are moving forward with our own independent investigation. You will be informed as the investigation progresses.

The FAQ is four pages and is either the most detailed, or one of the most detailed, breach FAQs I can recall seeing. The only thing I don’t spot in the FAQ is a phone number at Idaho Power that people can call.

This didn't work too well when they tried identifying marijuana growers by using thermal imaging to detect their “grow lights” (Kyllo v. United States).

August 24, 2010

U.S. and Foreign Govts buy backscatter x-ray scanners mounted in vans

Follow up to previous postings on government implementation of whole body scanning technology at airports, via Forbes news that "American Science & Engineering, a company based in Billerica, Massachusetts, has sold U.S. and foreign government agencies more than 500 backscatter x-ray scanners mounted in vans that can be driven past neighboring vehicles to see their contents... While the biggest buyer of AS&E’s machines over the last seven years has been the Department of Defense operations in Afghanistan and enforcement agencies have also deployed the vans to search for vehicle-based bombs in the U.S."

“Papers, student.” How can school districts ignore reactions to “spying” like the Lower Merion incident?

CT: Proposal would track students

August 25, 2010 by Dissent

Erin Cox reports that a district in Connecticut is thinking of making students carry chipped ID cards so that they can track them. Yes, really.

The New Canaan school district is thinking about electronically tracking their students.

Many students are not pleased with the idea that they could end up testing new tracking technology.


New Canaan already has GPS and video cameras on all their buses, but is only exploring being part of an experiment testing such tracking. Under the program, students would be carrying an ID card with radio frequency strips. It pinpoints a student’s location, be it in the classroom or off grounds in nearby downtown.

Read more on WTNH.

This is a really, really, really bad idea. The district has a solid reputation in terms of student performance, so why do they need to surveill or track students this way? Naturally, a vendor thinks it’s a good idea and could be used in emergencies. And the last time New Canaan had that kind of emergency was… when?

New Canaan, meet Lower Merion. And the ACLU. And

“Thank you for opting out of cookie tracking. Here's another cookie.” What genius developed this strategy? Perhaps we could call it “Mis-Behavioral Advertising?”

Ad Firm Sued for Allegedly Re-Creating Deleted Cookies

Specificmedia, one of the net’s largest ad-serving and tracking companies, has been hit with a federal lawsuit accusing the company of violating computer intrusion laws by secretly re-creating cookies deleted by users.

The lawsuit (.pdf), filed in California’s Central District federal court last Wednesday, is the third such suit filed this month by privacy attorney Joseph Malley. The first “zombie” cookie suit targeted sites ranging from MTV to Scribd that used technology from a company called Quantcast, while the second suit went after Disney and Demand Media for their use of similar tech from Clearspring Technologies.

Scam-du-jour. Unfortunately, lots of geeks would be interested in this IPO

Sketchy Startup Promises Facebook Stock To Investors

Oh, this is a huge mess in the making. A company called Freevi that has already had its hand slapped for securities laws violations by the State of California is trying to raise funds from investors by promising to “secure” the investment with Facebook stock. How did I find out about this? Via a spam email that hit my inbox, which is a general solicitation if I’ve ever seen one (that’s very relevant to the Securities Act of 1933).

The founder of the company, Neil Chandran, spends a great deal of time talking up Facebook’s value, saying that an IPO is “imminent” and noting that Google shot from $85 to $500 after their IPO. He also says that Facebook should hit $120, no problem.

This is a general solicitation of securities by an underwriter under the Securities Act. But it’s being done without disclosure of information required by the Act – namely, a prospectus. This is exactly the kind of thing that the SEC salivates over as they sharpen their legal claws.

Facebook redefines free speech. When you're trendy, nobody worries about nit-picky things like the constitution.

Facebook Bans Pot-Leaf Image in Political Ad

(Related) “We own everything – including your face!”

Facebook Lawsuit Throws the -book at Social Networking Site for Teachers

“Misappropriating the distinctive book portion of Facebook’s trademark, defendant has created its own competing online networking community in a blatant attempt to become a Facebook for teachers,” (.pdf) according to a filing in San Francisco federal court.


Ca: Privacy czar continues her scrutiny of Facebook

August 25, 2010 by Dissent

Sarah Schmidt reports:

The clock has run out on Facebook to revamp its privacy rules to avoid a public showdown with Canada’s privacy czar over how it protects the personal information of its 500 million users worldwide.

After announcing in July 2009 that the social media giant was operating outside of Canada’s private-sector privacy law, privacy commissioner Jennifer Stoddart struck a deal with Facebook. It gave the California company one year to change or face the risk of being hauled before a federal judge to compel Facebook to implement the commissioner’s directives to provide users more detailed control over their personal information and to curtail the access of outside software and website developers to their data.

Now Stoddart is set to issue her assessment on whether Facebook has lived up to its list of undertakings to bring the company on side with Canada’s Personal Information Protection and Electronic Documents Act.


It's not identity theft, but perhaps my Computer Security students will now understand why I use the Zombie metaphor...

Who Owns Your Dead Son’s Brain?

By Dissent, August 24, 2010

Over on The Volokh Conspiracy, Jonathan H. Adler writes:

Do parents have a constitutionally protected property interest in the dead body of their child, including all organs? Not necessarily is the answer given by the U.S. Court of Appeals for the Sixth Circuit in Albrecht v. Treon, at least under Ohio law as interpreted by the Ohio Supreme Court.

The Albrechts brought a Section 1983 suit against the county coroner, among others, alleging that they were deprived of a protected property interest without due process of law when the coroner removed and retained their dead son’s brain without notice. According to the state, the brain was needed for additional study to aid in a criminal investigation. The question was certified to the Ohio Supreme Court, which held that under Ohio law the parents have no constitutionally protected interest in their child’s human remains that are retained for criminal investigation purposes, prompting a judgment for the state in district court. Today, the Sixth Circuit affirmed, distinguishing Circuit precedent that recognized constitutionally protected property interests in a family member’s body parts retained for donation purposes.

There is something disturbing to me about treating body parts as property, and I wonder if that is really the only viable legal analysis or approach. Our society seems to understand the emotional need of families to bury even fragments of their dead and to have that solace or comfort, and yet decisions about whether states have to notify family members of parts removed or offer them the opportunity to make their own arrangements for burial or disposal after any forensic examinations are completed is seemingly left to the states as a matter of property law.


A legal analysis of the case written back in 2007 provides some background and discussion of the issues.

Purchase of a lottery ticket automatically waives your right to privacy. Perhaps an additional fee could be added to buy it back?

Lottery Winner Sues Texas for Privacy

August 24, 2010 by Dissent

Elizabeth Banicki reports:

A Texas lottery winner sued the state to keep his identity private, for the privacy and safety of his family. After the Lottery Commission claimed that it had received a freedom of information request about the winner, Attorney General Greg Abbott ruled that information about John Doe should be released without redactions.

State lotteries customarily use information about winners, including photos, to advertise the gambling games. [Another “automatic” consent form? Bob]

In his complaint in Travis County Court, Doe says the Lottery Commission asked him for “a written statement describing his purchase of the winning ticket and the events that transpired prior to its presentation to the Lottery Commission for verification.”

Read more on Courthouse News. You can find the complaint here (pdf).

Perhaps asking my students to create their own “snippets” would teach them about privacy.

Six social implications of Facebook Places

Some snippets of conversations in the near-future:

Erstwhile friend: "Why didn't you ask me to go club-hopping with you last night? I'm not in your posse anymore?"

Prosecutor: "The subpoena of your Facebook records clearly shows that you're a known associate of Vinnie 'Big Guy' Vecchione."

Boss: "I guess you weren't too 'sick' to check into the ballpark for yesterday's afternoon game."

Husband to wife: "Yes, dear, I did check into Victoria's Secret downtown -- to buy something for you. It was going to be a surprise...."

Personal trainer: "You went to that greasy fast-food joint? I quit!"

"I wasn't really at the bar -- my friends checked me in there as a joke! I swear!"

For my Ethical Hacking students

Searching For Backdoors From Rogue IT Staff

Posted by CmdrTaco on Tuesday August 24, @05:43PM

"When IT staff are terminated under duress, there is often justification for a complete infrastructure audit to reduce future risk to a company. Here is an exploration of the steps necessary to maintain security."

Of course the first piece of advice is to basically assume you've been rooted. Ouch.
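One way to start the audit the Slashdot post refers to, as an added example that is not taken from the linked article: snapshot the persistence points a departed admin could have left behind (authorized_keys files, crontabs, /etc/passwd) and diff them against an approved baseline instead of eyeballing them. Keys are compared by SHA256 fingerprint, the same form `ssh-keygen -lf` prints, so the baseline can be kept as a short inventory. The host snapshot, baseline, users and key blobs below are all constructed for illustration; on a real host you would feed it the actual files and extend the same pattern to sudoers, systemd units, rc scripts and the third-party accounts the admin held.

```python
import base64
import hashlib
import re

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ssh-dss")
# key type, base64 blob, optional comment; anything before the key type is the options field
_KEY_LINE = re.compile(r"(?:^|\s)(%s)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$" % "|".join(map(re.escape, KEY_TYPES)))


def fingerprint(key_b64):
    """SHA256 fingerprint of a public key blob, in the form `ssh-keygen -lf` prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """One dict per key line; a leading options field (command=, from=, ...) is kept separately."""
    keys = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEY_LINE.search(line)
        if m is None:  # a line sshd would reject, or one hiding a key in an unsupported form
            keys.append({"line": lineno, "error": "unparseable", "raw": line})
            continue
        keys.append({"line": lineno, "options": line[:m.start()].strip(), "type": m.group(1),
                     "fingerprint": fingerprint(m.group(2)), "comment": (m.group(3) or "").strip()})
    return keys


def audit(snapshot, baseline):
    """Diff a host snapshot against the approved baseline; every difference is a finding to explain."""
    findings = []
    for user, text in sorted(snapshot["authorized_keys"].items()):
        for k in parse_authorized_keys(text):
            if "error" in k:
                findings.append("%s: authorized_keys line %d unparseable: %s" % (user, k["line"], k["raw"]))
            elif k["fingerprint"] not in baseline["approved_fingerprints"]:
                findings.append("%s: unapproved key %s on line %d (%s)"
                                % (user, k["fingerprint"], k["line"], k["comment"] or "no comment"))
    for line in snapshot["crontab"].splitlines():
        line = line.strip()
        if line and not line.startswith("#") and line not in baseline["approved_cron"]:
            findings.append("cron: unapproved entry: %s" % line)
    for line in snapshot["passwd"].splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            findings.append("passwd: second UID 0 account: %s" % fields[0])
    return findings


# ---- constructed sample data: no real host, user or key -----------------------------------------
def _fake_ed25519_blob(fill):
    """Syntactically valid ssh-ed25519 wire blob with a filler 32-byte key; not a usable key."""
    return b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([fill]) * 32


APPROVED_KEY = base64.b64encode(_fake_ed25519_blob(0x01)).decode()
ROGUE_KEY = base64.b64encode(_fake_ed25519_blob(0x02)).decode()

SAMPLE_SNAPSHOT = {
    "authorized_keys": {
        "root": "ssh-ed25519 %s backup@bastion\n" % APPROVED_KEY
                + 'command="/usr/bin/true" ssh-ed25519 %s\n' % ROGUE_KEY,  # no comment, odd options
        "deploy": "# CI deploy key\nssh-ed25519 %s deploy@ci\n" % APPROVED_KEY,
    },
    "crontab": "0 2 * * * /usr/local/bin/backup.sh\n@reboot /tmp/.x/run.sh\n",
    "passwd": ("root:x:0:0:root:/root:/bin/bash\n"
               "toor:x:0:0::/root:/bin/bash\n"
               "deploy:x:1001:1001::/home/deploy:/bin/bash\n"),
}
SAMPLE_BASELINE = {
    "approved_fingerprints": {fingerprint(APPROVED_KEY)},
    "approved_cron": {"0 2 * * * /usr/local/bin/backup.sh"},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_SNAPSHOT, SAMPLE_BASELINE):
        print(finding)
```

On the constructed snapshot this reports three findings: the unapproved key in root's authorized_keys, the `@reboot` job under /tmp, and the second UID 0 account. The point of fingerprinting rather than string-matching is that a key pasted with different options or comment still matches the inventory, while a key that is not in the inventory is flagged no matter how it is dressed up.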

This could be fun for my website students.

Want a weather report? Watch this music video

If you watch the music video for singer Lissie Maurus' new song "Cuckoo" today, you might see the musicians against a nice sunny backdrop. Or a gray, windy one. It depends where you're watching it from.

The video changes according to live weather conditions. Viewers zoom in on a city or area on an interactive Google world map, and the video backdrop changes according to current local conditions. Pick a different location and the song continues while a humorously mustachioed, bow-tie-wearing TV weatherman kind of guy delivers a new forecast before the video shifts to reflect the new locale.

Gotta keep up with the evolution of language.

Interweb, defriend make it into the dictionary

A slew of geeky slang terms have made it into the new third edition of the Oxford Dictionary of English.

Among the new entries are Interweb, defriend, hater, and tweetup, the definitions of which you can check out for yourself by clicking on those links.

Read more of "Interweb, defriend and tweetup make it into the dictionary" at Crave UK.

How to get millions of consumers to replay your ads! Very amusing.

OldSpiceVoicemail: Generate Custom Voicemail Recording In The Voice of OldSpice Man

As part of a new marketing strategy, OldSpice has suddenly taken social media by storm using viral videos. A very prominent feature of the person featured as the OldSpice guy is his voice. If you are amongst the millions of people who love that voice, use OldSpiceVoicemail to generate custom voicemail recordings in his tone.

Tuesday, August 24, 2010

“We own your children.”

WA: Oak Harbor schools may be searching kids’ phones

August 23, 2010 by Dissent

Andy Rathbun reports on the latest assault on student privacy and the Fourth Amendment:

School principals may get to look through students’ cellphones if the Oak Harbor School Board signs off on a new policy meant to crack down on cyber-bullying.

The board could allow administrators to confiscate and search electronic devices in certain cases.

School officials say the proposed policy will combat cyber-bullying, a form of harassment performed via e-mail, text message or other electronic means. The policy would extend to messages and images sent outside school hours if that content was shared later during school. [How will this be determined? Bob]

Read more on HeraldNet.

“We own your money.”

Banks Siding Against the Customer in Fraud Cases

August 23, 2010 by admin

Naomi Wolf recounts the ugly story of her interactions with WaMu when she reported suspected fraud on her account.

… I noticed eventually that checkbooks were missing from my home, and finally my accountant got enough of the records to see an unmistakable pattern of fraud, and called my attention to it. I filed a police report and alerted WaMu to the fraud. For months thereafter, as you can see in the lawsuit that attorney David Fish and I have filed against J P Morgan Chase, now owner of WaMu, that is up on, I complied with what the WaMu bank officials directed me to do — which was to leave the accounts open so they could investigate, they said, the fraud. If the fraud is reported within six months of confirmation of fraud, it is liable for the loss.

You can probably guess what happened next. But to WaMu’s dismay, they reportedly handed Wolf the evidence of their alleged stonewalling:

Inadvertently, subsequent to that, a WaMu bank official handed me the wrong file — wrong from his point of view; illuminating from mine, and from any consumer’s. It contained emails, some of which you can see at, from WaMu bank officials to one another — and including emails from and to their counsel, PR department and the fraud department — that take as given that stonewalling a client with a fraud claim on the bank is standard practice; and yet one freaked-out bank official in the emails warns his colleagues that if their mechanisms in this regard became known, their practices would be all over the newspapers. [And the Blogs! Bob]

Read more on Huffington Post.

“We don't own the problem”

Fraudsters Drain PayPal Accounts Through iTunes

Reports are appearing this morning about a major security hole in iTunes accounts linked to PayPal. At least one group of scammers has found a way to charge thousands of dollars to iTunes accounts through PayPal. One targeted customer told us, “My account was charged over $4700. I called security at PayPal and was told a large number of iTunes store accounts were compromised.” His email was filled with nearly 50 receipts from PayPal for $99.99 each.

… At least PayPal is aware of the issue, but it seems like the problem is on the iTunes side.


The real iTunes fraud vulnerability: Gullible users

So these reports of a major security hole in iTunes, one through which people have had their PayPal accounts drained?

Not much to them, I'm told. Or, rather, not much to their assertion that Apple is at fault here. There's no security hole in iTunes, [That's one of those “I bet my job” statements if it came from a Security Manager. If it came from Marketing it's an “I'm doing my job” statement. Bob] and if you've been unfortunate enough to have hundreds of dollars in unauthorized purchases charged to your iTunes account, it's likely because you've fallen victim to a phishing scam--a variation on the one that's been around for years now. Sources close to Apple tell me iTunes has not been compromised and the company isn't aware of any sudden increase in fraudulent transactions.

A mere 93 pages...

August 23, 2010

Identity Theft Resource Center 2010 Breach List

Identity Theft Resource Center 2010 Breach List - Breaches: 435 Exposed: 13,329,706 - Report Date, 8/17/2010

For my Ethical Hackers...

I Can Stalk U: New Site Posts Exact Locations of Twitter Users Posting Geotagged Photos

August 23, 2010 by Dissent

Sarah Perez writes:

Remember The website, which warned of the dangers in sharing your physical location online, now has a successor called I Can Stalk U.

While PleaseRobMe (now shuttered) focused on how publicly broadcasting your location could alert criminals to an empty house nearby, ideal for burglarizing, the new site aims to raise awareness about the dangers of geo-tagged photos, specifically the ones shared from your smartphone to social networks like Twitter.

“Many people may be unaware that lots of smartphones geo-tag photos,” explains security researcher Graham Cluley, who revealed the site via blog post today. The site itself, however, quietly launched a few months ago to little fanfare.

Read more on ReadWriteWeb.
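As an added illustration (not code from the ReadWriteWeb article, from I Can Stalk U, or from Sophos): the geotag such a site harvests is nothing more than a few rational numbers in the Exif GPS IFD of the JPEG, readable by anyone who downloads the file. The Python below walks the JPEG marker segments, finds the APP1/Exif block, parses the TIFF IFDs and converts the GPS tags to decimal degrees; strip_exif shows the fix a sharing client should apply before upload. The sample image is a constructed skeleton (SOI, one Exif segment, EOI, no pixel data) with coordinates I chose; real photos carry many more tags, but the GPS tags are read the same way.

```python
import struct

# TIFF field type -> bytes per element (BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED, SLONG, SRATIONAL)
_TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}
GPS_IFD_POINTER, LAT_REF, LAT, LON_REF, LON = 0x8825, 0x0001, 0x0002, 0x0003, 0x0004


def _segments(jpeg):
    """Yield (marker, start, end) for each marker segment after SOI; the last item is the remainder."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI / SOS: metadata segments all come before these
            break
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # length counts its own 2 bytes
        yield marker, pos, pos + 2 + seg_len
        pos += 2 + seg_len
    yield None, pos, len(jpeg)  # entropy-coded image data and/or EOI, passed through untouched


def _is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00"


def find_exif(jpeg):
    """Return the TIFF block inside the APP1/Exif segment, or None if there is none."""
    return next((jpeg[s + 10:e] for m, s, e in _segments(jpeg) if _is_exif(jpeg, m, s)), None)


def strip_exif(jpeg):
    """Copy of the JPEG without its APP1/Exif segment: what a sharing client should do before upload."""
    return jpeg[:2] + b"".join(jpeg[s:e] for m, s, e in _segments(jpeg) if not _is_exif(jpeg, m, s))


def _read_ifd(tiff, fmt, offset):
    """Parse one IFD into {tag: (type, count, raw 4-byte value-or-offset field)}."""
    entries = {}
    for i in range(struct.unpack(fmt + "H", tiff[offset:offset + 2])[0]):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(fmt + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, tiff[e + 8:e + 12])
    return entries


def _field_bytes(tiff, fmt, typ, n, raw):
    """Values of 4 bytes or less sit inline in the entry; larger ones live at the offset it holds."""
    size = _TYPE_SIZE[typ] * n
    return raw[:size] if size <= 4 else tiff[struct.unpack(fmt + "I", raw)[0]:][:size]


def extract_gps(jpeg):
    """Return (latitude, longitude) in decimal degrees, or None if the image carries no GPS tags."""
    tiff = find_exif(jpeg)
    if tiff is None:
        return None
    fmt = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # byte order is declared per file
    if fmt is None or struct.unpack(fmt + "H", tiff[2:4])[0] != 42:
        raise ValueError("bad TIFF header in Exif block")
    ifd0 = _read_ifd(tiff, fmt, struct.unpack(fmt + "I", tiff[4:8])[0])
    if GPS_IFD_POINTER not in ifd0:
        return None
    gps = _read_ifd(tiff, fmt, struct.unpack(fmt + "I", ifd0[GPS_IFD_POINTER][2])[0])
    if not all(t in gps for t in (LAT_REF, LAT, LON_REF, LON)):
        return None

    def ref(tag):  # ASCII "N", "S", "E" or "W"
        return _field_bytes(tiff, fmt, *gps[tag]).rstrip(b"\x00").decode("ascii")

    def dms(tag):  # three RATIONALs (count is 3 per the Exif spec): degrees, minutes, seconds
        vals = struct.unpack(fmt + "II" * gps[tag][1], _field_bytes(tiff, fmt, *gps[tag]))
        deg, minutes, seconds = (vals[i] / vals[i + 1] for i in range(0, 6, 2))
        return deg + minutes / 60.0 + seconds / 3600.0

    lat = dms(LAT) * (-1 if ref(LAT_REF) == "S" else 1)
    lon = dms(LON) * (-1 if ref(LON_REF) == "W" else 1)
    return lat, lon


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed sample: JPEG skeleton (SOI, APP1/Exif holding only a GPS IFD, EOI); no pixels."""
    def ifd(entries):  # entries: (tag, type, count, 4-byte value-or-offset); no next-IFD link
        body = b"".join(struct.pack(">HHI", t, ty, n) + v.ljust(4, b"\x00") for t, ty, n, v in entries)
        return struct.pack(">H", len(entries)) + body + b"\x00\x00\x00\x00"
    rat = lambda dms: b"".join(struct.pack(">II", *r) for r in dms)
    gps_off, lat_off = 26, 80  # IFD0 at offset 8 is 18 bytes; the 4-entry GPS IFD is 54 bytes
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)
    tiff += ifd([(GPS_IFD_POINTER, 4, 1, struct.pack(">I", gps_off))])
    tiff += ifd([(LAT_REF, 2, 2, lat_ref.encode() + b"\x00"), (LAT, 5, 3, struct.pack(">I", lat_off)),
                 (LON_REF, 2, 2, lon_ref.encode() + b"\x00"), (LON, 5, 3, struct.pack(">I", lat_off + 24))])
    app1 = b"Exif\x00\x00" + tiff + rat(lat_dms) + rat(lon_dms)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


# Constructed coordinates: 40°45'28.80" N, 73°59'07.80" W (roughly Times Square)
SAMPLE_JPEG = build_sample_jpeg(((40, 1), (45, 1), (2880, 100)), "N",
                                ((73, 1), (59, 1), (780, 100)), "W")
```

extract_gps(SAMPLE_JPEG) comes back as about (40.758, -73.9855), which is the location a stalker site would plot; extract_gps(strip_exif(SAMPLE_JPEG)) is None. Note that stripping the Exif segment also discards orientation and colour-profile tags, which is why real tools rewrite the block rather than drop it, and that a parser fed files from strangers should treat every offset as untrusted (the slices above tolerate short data but a production parser should bounds-check explicitly).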

An indication of how serious the attack on Google was taken?

Why Intel bought McAfee

There's been quite a bit of head-scratching over Intel's decision to purchase McAfee, but, despite all the breathless talk about mobile security and ARM and virus-fighting processors, the chipmaker's motivations for the purchase are actually fairly straightforward. First, Intel's management has decided, in the wake of Operation Aurora, to move security up to the top of Intel's priority list. Second, secure systems require a lot more than just hardware support—security is about the whole stack, plus the network, plus policies and practices. Third, Intel has waited for ages for its ecosystem partners to come up with ways to give consumers access to vPro's security benefits, and little has really panned out so now they're just going to take vPro (and any newer security technologies) directly to consumers via McAfee.

Let's take a look at each of these reasons in turn.

After all, words speak louder than actions... Is that true for Courts and Legislatures and Schools and Police Departments?

Court: Death Threats Addressed to Corporations Aren’t Illegal

An Arizona man who plotted a massacre outside the 2008 Super Bowl had his conviction overturned Monday by a federal appeals court because his snailmailed death threats went to no specific targets.

The case concerned Kurt William Havelock, who drove to the Super Bowl in Glendale, Arizona, with a newly purchased assault rifle and dozens of rounds of ammunition with the intent to kill. “It will be swift and bloody,” he wrote media outlets in packages mailed a half hour before he got cold feet and abandoned his plan. “I will sacrifice your children upon the altar of your excess.”

“We can't figure out how to make money, so it must be the law that's at fault.”

RIAA: U.S. copyright law 'isn't working'

For my fellow Math teachers and the students.

Solve and Graph Equations in Word and OneNote

Here’s a free add-in from Microsoft that will make Word and OneNote into top-notch mathematics programs.

Microsoft’s new Mathematics Add-in for Word 2007 and 2010 is a great tool to work with math in Office. It lets you create beautiful graphs and solve equations without purchasing an expensive math program.

The Math add-in generates beautiful 3D graphs powered by DirectX, so you’ll be prompted to install the latest version of DirectX at the end of the installation.

Next time you open Word 2010 or 2007, you’ll notice a new Mathematics tab in the ribbon. Here you can insert equations, graphs and more right into your Word documents.

OneNote includes one very interesting feature: you can insert equations with digital ink. While editing a new equation, click Ink Equation to start writing the equation in on your touch screen.

Alternately, you can insert a variety of pre-built equations by clicking the down-arrow under the Equation button in either application. More equations are available from if you’d like to add to your gallery.

Download the Mathematics Add-in for Word and OneNote

It's that time of year again, so expect several articles like this one.

Monday, August 23, 2010

100+ Free Textbooks from Open Culture


10 Best Websites For Free Audio Books


Back to School Guide to Some Awesome Apps and Resources

… Visual Studio 2010, Windows Server 2008 R2, SQL Server 2008 R2, Expression Studio 4, and more are all available free for students from Microsoft’s Dreamspark program. Additionally, many colleges offer MSDNAA to computer science students; check Microsoft’s MSDNAA site to see if your college offers it.

[Colorado Tech does: ]

… AutoCAD 2011, Maya 2011, 3ds Max, Autodesk Revit, and more are available free for students from Autodesk’s Education Community.

How lazy can you get? Actually, this might be handy...

Keep Your Computer 'Awake' with Mouse Jiggler

As you probably know, all it takes is an occasional jiggle of the mouse to keep the system humming. And that's the idea behind Mouse Jiggler, a free utility that "fakes" mouse input--and saves you from having to mess with Windows' power settings.

Humor? I copied this into a slideshow to remind myself of the definition of a “specialist,” – one who knows more and more about less and less.

What Exactly Is a Doctorate?