Saturday, September 25, 2010

Not exactly Identity Theft, call it Reputation Modification?

Man Gets 12-Year Jail Sentence For Planting Child Porn On Enemy's Computer

Posted by Soulskill on Friday September 24, @01:16PM

An anonymous reader writes with an update to a story we discussed in August about Neil Weiner, a man who sought to ruin the life of a school caretaker by planting child pornography on his computer. Weiner has now been convicted on two counts of possession of child pornography and one count of perverting the course of justice. He was sentenced to 12 years in jail.

"The judge told Weiner that his plot to have Mr. Thompson sacked and prosecuted very nearly succeeded. Police had been careful not to make public their arrest of the caretaker and only informed those at the school who needed to know, he said. 'But you gratuitously and spitefully informed the local press so that he and his wife suffered the distress of the unwelcome publicity which followed.' Mr. Thompson's health and that of his wife suffered. The judge said: 'There are still those who believe, and probably always will, that he is a pedophile. I am wholly satisfied that Mr. Thompson is innocent.' ... Weiner had discovered the caretaker's password by looking over his shoulder one day and been caught doing so. When Mr. Thompson was asked why he did not change it, he said he wished he had, adding: 'Who in their worst nightmares could have thought that anyone could stoop to do what he did?'"

Would you like to opt out of Behavioral Advertising tracking?


This bookmark will opt you out of tracking by over 100 ad companies. Reconfirm your privacy settings at any time with one click.

We can do anything we want. We don't need no “due process.” If they operated in Colorado, could I have your service disconnected by filing complaints?

US ISP Adopts Three-Strikes Policy

Posted by timothy on Friday September 24, @07:09PM

"Suddenlink, a United States ISP that serves nineteen states, has implemented a three-strikes policy. Subscribers who receive three DMCA takedown notices are disconnected without compensation for a period of six months. According to TorrentFreak, the takedown notices do not have to be substantiated in court, which effectively means that subscribers can be disconnected based on mere accusations. In justifying the policy, Suddenlink turns to an obscure provision of their Terms of Service, but also claims that they are required by the DMCA to disconnect repeat offenders."

If “A” medical procedure can be mandated, could “ANY” medical procedure be mandated?

Lawsuit filed over AnMed’s required flu shot policy

September 24, 2010 by Dissent

Mike Ellis reports:

Bertha Hunter has not had a flu shot in her life and she doesn’t intend to get one just because AnMed Health is requiring all its employees to get one.

Hunter, an AnMed Health employee, is suing the Anderson healthcare company on grounds that the hospital’s mandatory shots are a violation of her privacy.

The lawsuit challenges AnMed Health’s policy of requiring employees to get influenza shots, a policy that was announced in a Sept. 15 e-mail sent to employees.


Thank God for Pirates! (Since this was a copy for private viewing, and no one in baseball thought to do it, what kind of legal battles will it generate if someone wants to sell copies?)

Bing Crosby, Television Sports Preservationist

Posted by timothy on Friday September 24, @11:08PM

Hugh Pickens submits news first gleaned from a now-paywalled article at the New York Times (and, happily, widely reported) that

"The hunt for a copy of the seventh and deciding game of the 1960 World Series, considered one of the greatest games ever played and long believed to be lost forever, has come to an end in the home of Bing Crosby, a canny preservationist of his own legacy, who kept a half-century's worth of records, tapes and films in the wine cellar turned vault in his Hillsborough, California home. Crosby loved baseball, but as a part owner of the Pittsburgh Pirates he was too nervous to watch the Series against the Yankees, so he and his wife went to Paris, where they listened by radio. Crosby knew he would want to watch the game later — if his Pirates won — so he hired a company to record Game 7 by kinescope, an early relative of the DVR, filming off a television monitor. The five-reel set, found in December in Crosby's home, is the only known complete copy of the game, in which Pirates second baseman Bill Mazeroski hit a game-ending home run to beat the Yankees, 10-9."

Speaking of Pirates... Shouldn't you expect some to retaliate?

UK Anti-Piracy Firm E-mails Reveal Cavalier Attitude Toward Legal Threats

Posted by timothy on Saturday September 25, @08:17AM

"A recent DDoS attack against a UK-based anti-pirating firm, ACS:Law, has resulted in a large backup archive of the server contents being made available for download, [and this archive] is now being hosted by the Pirate Bay. Within this archive are e-mails from Andrew Crossley basically admitting that he is running a scam job, sending out thousands of frivolous legal threats on the premise that a percentage pay up immediately to avoid legal hassles."

Convenient for you, jackpot for my hackers...

Apple Leaves Another ‘Autocomplete’ Privacy Bug In Safari Unfixed

September 24, 2010 by Dissent

Andy Greenberg writes:

If you use Apple’s Safari browser and care about your privacy, it may be time to turn off the “autocomplete” function that conveniently fills in your personal details on websites. That, or stop typing the letter “U.”

Web security guru Jeremiah Grossman described on his blog Thursday a technique that a website can use to trick a visitor’s Safari browser’s autocomplete function into giving up his or her name, address, email, phone number and other sensitive contact details.

Read more on Forbes.

[From the article:

Here’s how the privacy exploit would work: When a user is filling out a form in Safari, he or she can type the first letter of just one field–say, name or street address–and the full name will be offered up by Safari’s autocomplete, using the name that the user originally registered in the PC’s operating system. A lesser-known shortcut: Press “tab” after that first entry, and every field on the page will be automatically filled from the user’s registration form.

That means, Grossman says, that if a user can be tricked into typing just a single letter and tab, all of his or her details can be stolen by a hidden form on the site.
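The hidden-form trick above is easy to describe and just as easy to look for. The following is an added example, not code from the Forbes article or from Jeremiah Grossman's post: an audit heuristic that a crawler, proxy or browser extension could run over a page's HTML before a user types into it. Browsers do not autofill `type="hidden"` inputs, so the trick needs ordinary text inputs that are made invisible with CSS or the HTML5 `hidden` attribute, which is what the scanner flags. The personal-field token list, the hidden-style patterns and the sample page are all constructed for this example; regex parsing is used so it runs under Node without a DOM, whereas a real audit would walk the live document and use computed styles.

```javascript
// Added example (not from the Forbes article or from Grossman's post): flag
// inputs that are named for personal data, kept out of sight, and still
// eligible for autofill. That combination is the "hidden form" pattern.

// Field-name tokens that browser autofill typically maps to personal data
// (constructed list; extend as needed).
const PERSONAL_TOKENS = new Set([
  'name', 'firstname', 'lastname', 'fname', 'lname', 'email', 'phone', 'tel',
  'address', 'street', 'city', 'state', 'zip', 'postal', 'postcode', 'country',
]);

// Inline-style tricks that keep an input out of sight.
const HIDDEN_STYLE_PATTERN =
  /display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])|(left|top)\s*:\s*-\d{3,}px|(width|height)\s*:\s*0(px)?\s*(;|$)/i;

// Parse key="value", key='value' and key=value attributes from one tag.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Split "street_address" / "firstName" into lowercase tokens.
function fieldTokens(fieldName) {
  return fieldName
    .replace(/([a-z0-9])([A-Z])/g, '$1 $2')
    .toLowerCase()
    .split(/[^a-z0-9]+/)
    .filter(Boolean);
}

function looksPersonal(attrs) {
  const candidates = [attrs.name || '', attrs.id || '', attrs.autocomplete || ''];
  return candidates.some(c => fieldTokens(c).some(t => PERSONAL_TOKENS.has(t)));
}

function isVisuallyHidden(tag, attrs) {
  if (/\shidden(?=[\s=\/>])/i.test(tag)) return true; // bare HTML5 hidden attribute
  return HIDDEN_STYLE_PATTERN.test(attrs.style || '');
}

// Returns one finding per <input> that is personal-looking, invisible, and
// not explicitly excluded from autofill.
function findSuspiciousInputs(html) {
  const findings = [];
  const inputRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = inputRe.exec(html)) !== null) {
    const tag = m[0];
    const attrs = parseAttributes(tag);
    const type = (attrs.type || 'text').toLowerCase();
    if (type === 'hidden' || type === 'submit' || type === 'button') continue; // never autofilled
    if ((attrs.autocomplete || '').toLowerCase() === 'off') continue;
    if (looksPersonal(attrs) && isVisuallyHidden(tag, attrs)) {
      findings.push({ name: attrs.name || attrs.id || '(unnamed)', tag });
    }
  }
  return findings;
}

// Constructed sample page: a newsletter form carrying three harvesting fields.
const SAMPLE_PAGE = `
<form action="/newsletter" method="post">
  <label>Email <input type="text" name="email"></label>
  <input type="text" name="name" style="position:absolute; left:-9999px">
  <input type="text" name="phone" style="display:none">
  <input type="text" name="street_address" hidden>
  <input type="text" name="city" style="display:none" autocomplete="off">
  <input type="hidden" name="csrf_token" value="constructed-token">
  <button>Subscribe</button>
</form>`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findSuspiciousInputs(SAMPLE_PAGE)) {
    console.log(`suspicious autofill target: ${f.name}  <- ${f.tag}`);
  }
}
```

Run against the sample page it reports `name`, `phone` and `street_address`; the visible `email` field, the `city` field marked `autocomplete="off"`, and the `type="hidden"` CSRF token are ignored. Hiding can also be done with external stylesheets or off-screen parent containers, which a string scanner cannot see, so treat this as a first-pass filter rather than proof that a page is clean.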

...on second thought...

Va. court reconsiders police GPS use

September 24, 2010 by Dissent

Tom Jackman reports:

Two weeks after the Virginia Court of Appeals ruled that it was fine for police to use portable global positioning systems to track criminal suspects, the court has now decided to rehear the case, according to an order entered on Thursday.

The court ruled in the case of David L. Foltz Jr., a convicted sex offender whom Fairfax County police suspected might be assaulting women in the Falls Church area. Detectives placed a global positioning system device inside the bumper of his work van, then reviewed his movements and found he had been in the vicinity of a recent assault.

Update: I got so excited that I forgot to post the link to the full coverage:

Now will you believe me? I recommend Khan Academy to my Math students, but can't convince the other professors to join me. (Hey Google! How about a $2,000,000 award to a blog that serves no useful purpose whatsoever?)

Google Announces Project 10^100 Winners

Posted by Soulskill on Friday September 24, @01:59PM

Kilrah_il writes with news that Google has selected winners for Project 10^100, a contest to find the best ideas to change the world. Among the winners is the Khan Academy, which we've discussed previously. Google is "providing $2 million to support the creation of more courses and to enable the Khan Academy to translate their core library into the world’s most widely spoken languages." The other winning projects are: FIRST, an organization fostering math and science education through team competition; Public.Resource.Org, a government transparency effort focused on online access to public documents; Shweeb, a silly-looking method of human-powered urban transit; and the African Institute for Mathematical Sciences, a center aimed at promoting graduate-level math and science education in Africa.

A useful tool?

Organize Your PDF Files and Collaboratively Research With Mendeley

… A while back, I wrote about three useful research tools. Unfortunately, while those solutions cited sources, they don’t deal very well with organizing or sharing files, especially during collaborative research. Jeffry covered some cool techniques to share research files, but that approach is a little difficult to track and manage citations for those files.

Luckily, after quite a bit of digging and trying out a few applications, I’ve discovered a free application and research social network called Mendeley which does it all. With Mendeley, you have a desktop application linked with an online account. Together, they archive and organize your PDF documents, web pages, videos – anything at all that you want to use in your research, complete with full citations. As if that weren’t enough, Mendeley lets you create research groups which you can share your research with. It’s like a researcher’s dream come true.

A site to help my students decipher technical documents? (Claims to adjust to your level of knowledge...)

ReadEasy: Make your reading experience & comprehension better

… ReadEasy is a free to use website that aims to make your online reading experience a lot more convenient than it currently is. Before you get started with its service, it is advisable to create an account as you will need it later on. The next step is to upload a document file. Supported formats include PDF, EPUB, DOC, DOCX, ODT, RTF, HTML, HTM, LIT, PDB, FB2, and RB. If the text is online, simply copy it from your browser and save it in one of those file formats.

After you upload your document, the site analyzes it. A reader friendly interface is shown in which the meanings of infrequently used words are highlighted and described as side-notes. You can zoom in and out of the document, search for a particular word, print it for $0.99, or discard it.

The service attempts to remove all problems faced while reading articles online, and does a good job of it.

Similar tools: PDF-XChange Viewer, Nuance, Skim, FoxIt Reader.

Also read related articles:

4 Really Light Alternatives to Adobe Reader
6 Ways To Convert A PDF To A JPG Image
How To Convert A PDF File Into A Flash Movie.

Friday, September 24, 2010

Are we seeing indications of another Heartland type breach or is this just speculation on the part of the police? Difficult to tell, but where would you go for proof? Perhaps there is already an organized “users group” for stolen cards.

(Update) NE: Police Track Credit Card Thefts

September 23, 2010 by admin

More on the rash of credit card and debit card fraud being reported in the Lincoln, Nebraska area that was reported earlier this week. KETV reports:

Lincoln police said someone who hacked into a national database may be responsible for helping identity thieves go on shopping sprees with credit card numbers.

Investigators said more than 100 accounts have been hacked in Lincoln alone.


Police said some of the victims of the credit card thefts live on the East Coast, Canada and England.

“Possibly, a nationwide database was accessed, allowing these numbers to get out,” said Lincoln police Officer Katie Flood.

Flood said investigators are looking to see if the breach came from a Lincoln business.

Read more on KETV.

[From KETV:

"It's like, somewhere out there, there's a supermarket for thieves," Poley said.

You go to the easiest-to-hack website with the most useful information.

Three plead guilty to using Franklin County Court website as part of ID theft conspiracy

September 23, 2010 by admin

In a case that became a cautionary tale for court websites and the need to redact personally identifiable information that could be used for ID theft, three Columbus residents have pleaded guilty to conspiring to steal credit accounts belonging to people whose identities they stole from a government website in 2006.

Katura Mozelle, 23, pleaded guilty yesterday before U.S. District Judge Gregory L. Frost to one count of bank fraud, one count of conspiracy to commit bank fraud and one count of aggravated identity theft. Kinte Green, 30, pleaded guilty before Judge Frost on September 20, 2010 to one count of conspiracy to commit bank fraud and one count of aggravated identity theft. His sister, Fatima Green, 33, pleaded guilty before Magistrate Judge Norah McCann King on June 25, 2010 to one count of bank fraud and one count of conspiracy to commit bank fraud.

A statement of facts read during the plea hearing said that Ms. Mozelle and Mr. Green executed a scheme to defraud federally insured financial institutions by obtaining and using personal identifiers of individuals to take over existing accounts or to open new credit accounts.

Ms. Mozelle and Mr. Green accessed the Franklin County Municipal Court website between July 2006 and August 2007. They would enter random Social Security numbers until locating an individual who had been through the Franklin County Court system. Once they located an individual on the website, they would obtain a name, address, date of birth and driver’s license number. They used this information to get a credit report of the individual. They then would contact the financial institutions on the credit report and file for a change of address or report a card lost or stolen. New cards were sent to Fatima Green’s residence. [Clearly, these guys were not too bright... Bob] Using the fraudulently obtained cards, Mozelle and Kinte Green would buy merchandise from various stores and online shopping sites. Merchandise was often shipped to Fatima Green’s residence.

“Investigators found that they were able to access the information for as many as 70 individuals and took over up to 14 accounts,” Stewart said. “Law enforcement began investigating after a victim reported unusual activity on one of their accounts to Worthington Police.”

Bank fraud is punishable by up to 30 years imprisonment. Conspiracy to commit bank fraud is punishable by up to five years imprisonment, and aggravated identity theft is punishable by a mandatory two-year prison term consecutive to any other time served. Judge Frost will set a date for sentencing.

Source: U.S. Attorney’s Office, Southern District of Ohio

For my Criminal Justice students: The technology of crime... For my Business students: The evils of micro-management...

Teller accused of texting robber during bank heist

Technology is such an enabler. Even when it comes, allegedly, to robbing a bank.

… Recently, there was a serious robbery at the Texas Credit Union in Arlington. It happened after closing time, when the robber allegedly emerged from the bathroom in order to relieve the bank of $183,000.

According to NBC Dallas Fort Worth, police happened upon the alleged robber Tyce Von Franklin shortly after the heist, when he was allegedly going 54mph in a 40mph zone. Upon stopping him, police found some incriminating items, including a large amount of cash and a surgical mask.

However, they began to suspect this was an inside job when they surveyed footage from the bank and saw one of its tellers, Kyle Lightner, sending texts shortly before the robbery.

Quite coincidentally, the police say, Lightner was texting Franklin. One text allegedly read: "Don't forget yo sunglasses." Which might, to some, seem slightly odd. Especially as the alleged robber was, indeed, reportedly wearing sunglasses.

Interesting argument.

Privacy has a price tag of $5,000

September 23, 2010 by Dissent

Bill Morem has an opinion piece about the detailed U.S. census survey that gives the issue a “human face:”

Tom Bolton is in a pickle, a dilemma that may leave his wages garnished by the government to the tune of $5,000. He’s staring down the barrel of such a fine because the Atascadero resident is refusing to give the U.S. Census Bureau about 28 pages of details of his private life.

Read more in the San Luis Obispo Tribune.

Morem doesn’t argue that the survey is illegal, but he does suggest that the rich may have greater privacy because they can afford to just write a check to the government for failure to fill it out. I hadn’t quite thought of the inequity that way before, but he does have a point: those who can afford to pay the fine can have greater privacy than those who can’t.

This should make my wife's blood boil. She's already taken her Doberman into a DU Law School classroom to “discuss” the finer points of Animal Law (and the Doberman doesn't even have a degree)

UK: Dog-owner prevented from finding microchipped pet under Data Protection Act

September 23, 2010 by Dissent

You can’t make this stuff up.

Laura Roberts reports:

Dave Moorhouse’s Jack Russell terrier, Rocky, was stolen in 2007 and he was informed earlier this year that the microchip provider had discovered details of his dog’s new address.

However, they refused to pass on the animal’s whereabouts claiming it would breach the Data Protection Act.

Last week a court refused Mr Moorhouse’s request for a court order compelling Anibase, the microchipping database, to reveal the name and address of the new owners.

Mr Moorhouse, 56, from Huddersfield, West Yorks, said: “What’s the point of having your pet microchipped if you can’t get him back?”


Read more in the Telegraph.

Wouldn't this be the same as searching your garbage? But do Police look through everyone's garbage searching for some crime to charge them with?

If you sell or discard your own cellphone….

September 23, 2010 by Dissent

Remember that you may have no reasonable expectation of privacy for whatever you leave on the phone, as this news report by Beth Wurtmann out of New York demonstrates.

State Police confirmed that they are actively investigating whether graphic pictures found on used cell phones were uploaded to the Internet improperly.

The cell phones were reportedly sold at a business in the Wilton Mall that pays cash on the spot for used phones and iPods. Police were combing computers and websites to see if pictures left behind by customers were used illegally.

Read more on WNYT

“Yes we want to ensure your Privacy, but we also want to define the Privacy we ensure.”

Testimony in today’s House hearing on ECPA

The written testimony of today’s witnesses on ECPA reform is available online at


ECPA reform: Why digital due process matters

No doubt the French are more efficient... Or maybe they'll just hire more judges?

In France, Hadopi Reporting Begins, With (Only) 10,000 IP Addresses Per Day

Posted by timothy on Friday September 24, @08:12AM

mykos writes with an excerpt from TorrentFreak that says the automated enforcement of France's three-strikes law known as Hadopi is now coming into effect:

"The scope of the operation is mind boggling. The copyright holders will start relatively 'slowly' with 10,000 IP-addresses a day, but within weeks this number is expected to go up to 150,000 IP-addresses per day according to official reports. The Internet providers will be tasked with identifying the alleged infringers' names, addresses, emails and phone numbers. If they fail to do so within 8 days they risk a fine of 1,500 euros per day for every unidentified IP-address. To put this into perspective, a United States judge ruled recently that the ISP Time Warner only has to give up 28 IP-addresses a month (1 per day) to copyright holders because of the immense workload the identifications would cause."

[From the article:

Under France’s new Hadopi law, alleged copyright infringers will be hunted down systematically in an attempt to decrease piracy. Alleged offenders have to be identified by their Internet providers and they will be reported to a judge once they have received three warnings.

A judge will then review the case and hand down any one of a range of penalties, from fines through to disconnecting the Internet connection of the infringer.

It's not the facts, it's how you spin the facts...

E-Books Are Only 6% of Printed Book Sales

Posted by timothy on Thursday September 23, @06:53PM

"MIT's technology blog argues that ebook sales represent 'only six percent of the total market for new books.' It cites a business analysis which calculates that by mid-July, Amazon had sold 15.6 million hardcover books versus 22 million ebooks, but with sales of about 48 million more paperback books. Amazon recently announced they sell 180 ebooks for every 100 hardcover books, but when paperbacks are counted, ebooks represent just 29.3% of all Amazon's book sales. And while Amazon holds about 19% of the book market, they currently represent 90% of all ebook sales — suggesting that ebooks represent a tiny fraction of all print books sold. 'Many tech pundits want books to die,' argues MIT's Christopher Mims, citing the head of Microsoft's ClearType team, who says 'I'd be glad to ditch thousands of paper- and hard-backed books from my bookshelves. I'd rather have them all on an iPad.' But while Nicholas Negroponte predicts the death of the book within five years, Mims argues that 'it's just as likely that as the ranks of the early adopters get saturated, adoption of ebooks will slow.'"

For my website students (who must embed movies in their websites)

iMovieTube: Watch Full Movies Online, Legally & Free

Movies can be the perfect solution to your boredom. But if boredom strikes unexpectedly and you do not have a DVD handy, you could watch a movie on the internet instead for free. Downloading movies from torrent sites is not advisable because it is illegal; [Let's not generalize guys... Bob] instead, there is a great website called “iMovieTube” that you could visit for online movies.

Similar tools: QuickSilverScreen, DivXOnly, VideoHybrid and Inner-Live.


CineCatalog: Tagged Search For Trailers & Movie Torrent Downloads

Are you looking for the one place to get movie torrents easily? If you are, you should check out CineCatalog, a simple search engine for finding movie trailers and verified movie torrents. This gallery lets you search a growing collection of movie downloads, organized and tagged so that users can search or browse the database easily.

Similar Tools: Jinni, Mubi, Watch-Movies, and Movski.

Thursday, September 23, 2010

The economics of Identity Theft. When prices fall you have to make it up in volume.

I’ll Take 2 MasterCards and a Visa, Please

September 22, 2010 by admin

Brian Krebs writes:

When you’re shopping for stolen credit and debit cards online, there are so many choices these days. A glut of stolen data — combined with cutthroat competition and innovation among vendors — is conspiring to keep prices for stolen account numbers exceedingly low. Even so, many readers probably have no idea that their credit card information is worth only about $1.50 on the black market.


Will we see mandatory encryption standards?

FTC Testifies on Data Security Legislation

September 22, 2010 by Dissent

The Federal Trade Commission today told a Senate Subcommittee that it supports proposed legislation that would require many companies to use reasonable data security policies and procedures and require those companies to notify consumers when there is a security breach.

In testimony before the Committee on Science, Commerce, and Transportation Subcommittee on Consumer Protection, Product Safety and Insurance, Maneesha Mithal, Associate Director for Privacy and Identity Protection at the FTC told the Subcommittee that problems with data security and breaches affect a wide array of both businesses and nonprofit organizations. “Requiring reasonable security policies and procedures of this broad array of entities is a goal that the Commission strongly supports.”

“The Commission believes that notification in appropriate circumstances can be beneficial,” the testimony notes. Many states have passed notification laws that have increased public awareness of the harm breaches can cause. “Breach notification at the federal level would extend notification nationwide and accomplish similar goals.”

The testimony states that the agency suggests three additional measures that could be included in the proposed legislation to protect consumers. First, the provision that requires that companies notify consumers in the event of an information security breach should not be limited to entities that possess data in electronic form; second, the proposed requirements should be extended so that they apply to telephone companies; and third, the Commission suggests that the bill grant the agency rulemaking authority to determine circumstances under which providing free credit reports or credit monitoring may not be warranted.

Source: FTC (full press release here)

Related: Text of the Commission Testimony

(Related) Update. Either argument is scary...

T-Mobile Claims Right to Censor Text Messages

T-Mobile told a federal judge Wednesday it may pick and choose which text messages to deliver on its network in a case weighing whether wireless carriers have the same “must carry” obligations as wire-line telephone providers.

The Bellevue, Washington-based wireless service is being sued by a texting service claiming T-Mobile stopped servicing its “short code” clients after it signed up a California medical marijuana dispensary. In a court filing, T-Mobile said it had the right to pre-approve EZ Texting’s clientele, which it said the New York-based texting service failed to submit for approval.

Security failures have long term implications.

Victims of ChoicePoint Data Breach to Receive Redress Checks

September 22, 2010 by admin

An administrator working for the Federal Trade Commission is mailing checks to 14,023 consumers who were victims of ChoicePoint’s alleged failure to implement a comprehensive information security program to protect consumers’ personal information, as required by a previous court order. As a result, in the spring of 2008, an unauthorized person accessed its database and conducted unauthorized searches.

In January 2006, ChoicePoint settled FTC charges that its security and record-handling procedures violated consumers’ privacy rights and federal law, an action relating to a 2005 data breach. As part of that settlement, ChoicePoint agreed to maintain procedures to ensure that sensitive consumer reports were provided only to legitimate businesses for lawful purposes, to maintain a comprehensive data security program, and to obtain independent assessments of its data security program every other year until 2026.

In October 2009, the company settled charges that it violated the 2006 settlement order and agreed to a modified court order that expanded its data security assessment and reporting duties and required the company to compensate affected consumers for the time they may have spent monitoring their credit or taking other steps in response.

Checks for $18.17 are being sent to consumers.

These consumer redress checks can be cashed directly by the recipients of the checks. The FTC never requires the payment of money up-front, or the provision of additional information, before consumers cash redress checks issued to them.

Source: FTC

Would it be closer to the mark to say you don't want entities who have your personal data to do things (including sharing that data) that you didn't agree to in the first place?

Privacy is about control, not anonymity

September 22, 2010 by Dissent

Dave Fleet writes:

Seth Godin says you don’t really care about privacy:

“If you cared about privacy you wouldn’t have a credit card, because, after all, they know everything you spend money on. And you wouldn’t use the phone, because somewhere, there’s a computer scanning what you say.

What most of us care about is being surprised. You don’t want the credit card company to track where you’re staying and whether you’re buying flowers for someone you’re not even married to–and then send you a free coupon for STD testing…”

I think Seth missed the mark with this one.


Solove's Post Regarding the Role of Harm in Privacy Litigation

Posted on September 22, 2010 by Andy Serwin

Dan Solove has written extensively on privacy theory as well as harm in the data breach context and recently posted on harm in the data breach context. Solove’s post discusses the issues plaintiffs face in privacy litigation and offers alternative theories on harm. Solove raises some interesting points, including regarding the efficacy of litigation in protecting consumers’ rights, and one of his points raises interesting issues about the role of insurance. Solove notes the following regarding harm:

This is a problem. Danielle Citron’s thoughtful paper, Reservoirs of Danger, argued that those keeping data should be treated similarly to those engaging in hazardous activities. I agree. If you’re going to profit by using people’s data, you should at least be held responsible for compensating people when you fail to keep it secure.

No s@#t! They like do that c#@p 'cause it like makes them like seem like they are like f*&^%$#@#@ smart!

Today's Children Are Officially Potty Mouths

Posted by samzenpus on Wednesday September 22, @10:32AM

"When the Sociolinguistics Symposium met earlier this month swearing scholar Timothy Jay revealed that an increase in child swearing is directly related to an increase in adult swearing. It seems that vulgarity is increasing as pop culture continues to popularize vulgarities. The blame lies with media, public figures, politicians, but mostly ourselves. From the article: 'Children as young as two are now dropping f-bombs, with researchers reporting that more kids are using profanity — and at earlier ages — than has been recorded in at least three decades.'"

With schools securing their networks beyond reason, a portable device allows me to demonstrate tools and techniques I can't install on the classroom computers. NOTE: This is not simple or quick.

How To Create Groups Of Portable Applications Using Cameyo [Windows]

It would be nice if we could pack everything up in one portable app, so those apps will always be available whenever we need them – in any possible scenario. Mac users don’t have any problem with this particular issue because basically all Mac apps are portable. But things work differently in the Windows world. Luckily, there’s a portable applications creator called Cameyo.

Wednesday, September 22, 2010

Being a lawyer may complicate things a bit. I wonder how many sole practitioners understand how to secure their data?

A home invasion leads to a breach for a New Hampshire lawyer

September 22, 2010 by admin

Two heads are better than one.

Evan Francen noticed a breach report on the New Hampshire Attorney General’s site that I apparently missed back in July. A laptop containing confidential and personal information of clients of attorney George R. LaRocque, Jr. was stolen during a home invasion.

Read more about the incident with Evan’s commentary on The Breach Blog.

Old school, but effective.

Man Facing 27 Charges for Allegedly Spying on ATM to Steal ID's

A Racine County man is accused of spying on ATM customers with binoculars, and then using ID numbers to grab money from their bank accounts.

... Some victims told police they never closed their ATM sessions when they drove away, and Kasprovich allegedly tried to get money.

Video from a convenience store was eventually used to arrest the man. All the thefts occurred in late August.

Not all infrastructure hacks would result in a mushroom cloud. (Okay, more like Chernobyl)

Stuxnet Worm May Have Targeted Iranian Reactor

Posted by CmdrTaco on Tuesday September 21, @01:02PM

"Analysis of the Stuxnet worm suggests its target might have been Iran's nuclear program. "Last week Ralph Langner, a well-respected expert on industrial systems security, published an analysis of the Stuxnet worm, which targets Siemens software systems, and suggested that it may have been used to sabotage Iran's Bushehr nuclear reactor. A Siemens expert, Langner simulated a Siemens industrial network and then analyzed the worm's attack. Experts had first thought that Stuxnet was written to steal industrial secrets, but Langner found something quite different. The worm actually looks for very specific Siemens settings — a kind of fingerprint that tells it that it has been installed on a very specific Programmable Logic Controller (PLC) device — and then it injects its own code into that system."

Quite a buzz in the security blogs about this one. But it is just the latest of many similar “super-cookies.”

Evercookie: the latest way to subvert browser privacy settings?

September 22, 2010 by Dissent

Just what we needed: another way to subvert our privacy preferences and browser settings. Evercookie is generating a lot of (negative) buzz on Twitter among those concerned with privacy. It was released a few days ago by Samy Kamkar, who describes it this way:

evercookie is a javascript API available that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they’ve removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.

evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.

More info on evercookie can be found here.

I don't think they define “closed” the same way my students would...

DHS releases its annual privacy report to Congress

September 21, 2010 by Dissent

The Department of Homeland Security Privacy Office has released its annual privacy report to Congress. You can access it here (pdf). Here’s a snippet from the report:

A total of 279 privacy incidents were reported to the DHS EOC [Enterprise Operations Center] during the reporting period. The majority of the incidents affected a small number of individuals and data, while a select few incidents involved larger amounts of data. Mitigation and remediation of each incident is coordinated among the DHS Privacy Office, EOC, component privacy officers and PPOCs, and Information Systems Security Managers. DHS investigated, mitigated, and closed 250 or 90% of the reported privacy incidents. Of those reported, 10% remain open. By comparison, during the previous reporting year, the Office mitigated and closed 77% of the reported privacy incidents, and 23% remained open. The average number of days during which an incident remained open decreased from 46 in the previous reporting period to 27. The decrease is due to the constant communication and collaboration among the many offices mentioned above.

[From the report:

The components and the DHS Privacy Office report disposition of complaints in one of the following two categories:

• Closed-Responsive Action Taken. The component or the DHS Privacy Office reviewed the complaint and a responsive action was taken. For example, an individual may provide additional information to distinguish himself from another individual. In some cases, acknowledgement of the complaint serves as the responsive action taken. [“We got your letter.” is a long way from “We fixed the problem.” Bob] This category may include responsive action taken on a complaint received from a prior reporting period.

• In-Progress. The component or the DHS Privacy Office is reviewing the complaint to determine the appropriate action or response. This category identifies in-progress complaints from both the current and prior reporting periods.

It means something different when the government “Googles” you.

U.S. Government Requests for Google Data Rise 20%

September 21, 2010 by Dissent

Ryan Singel writes:

The number of U.S. government requests for Google data rose 20% in the last six months, according to new data released by the search giant Monday.

U.S. government agencies sent Google 4,287 requests for data on Google users and services from January 1 to June 30, 2010, an average of 23.5 a day. That’s compared to 3,287 for July 1 to December 31, 2009, the company reported Tuesday in an update to its unique transparency tool.

Read more on Threat Level

[The map is here:

You knew this was coming...

Govt appeals Maynard decision on GPS monitoring in public places

September 21, 2010 by Dissent

David Kravets writes:

The Obama administration has urged a federal appeals court to allow the government, without a court warrant, to affix GPS devices on suspects’ vehicles to track their every move.

The Justice Department is demanding a federal appeals court rehear a case in which it reversed the conviction and life sentence of a cocaine dealer whose vehicle was tracked via GPS for a month, without a court warrant. The authorities then obtained warrants to search and find drugs in the locations where defendant Antoine Jones had travelled.

The administration, in urging the full U.S. Court of Appeals for the District of Columbia to reverse a three-judge panel’s August ruling from the same court, said Monday that Americans should expect no privacy while in public.

Read more on Threat Level.

Related: Petition for Rehearing en Banc (pdf)

Could be interesting.

Supreme Court Eyeing RIAA ‘Innocent Infringer’ Case

The case pending before the justices concerns a federal appeals court’s February decision ordering a university student to pay the Recording Industry Association of America $27,750 — $750 a track — for file-sharing 37 songs when she was a high school cheerleader. The appeals court decision reversed a Texas federal judge who, after concluding the youngster was an innocent infringer, ordered defendant Whitney Harper to pay $7,400 — or $200 per song. That’s an amount well below the standard $750 fine required under the Copyright act.

The RIAA has decried Harper as “vexatious,” because of her relentless legal jockeying.

The justices, without comment, asked the RIAA to respond (.pdf) to Harper’s petition to review the appellate court’s ruling.

A Texas federal judge had granted Harper the innocent-infringer exemption to the Copyright Act’s minimum fine, because the teen claimed she did not know she was violating copyrights. She said she thought file sharing was akin to internet radio streaming.

The appeals court, however, said she was not eligible for such a defense, even though she was between 14 and 16 years old when the infringing activity occurred on LimeWire. The reason, the appeals court concluded, is that the Copyright Act precludes such a defense if the legitimate CDs of the music in question carry copyright notices.

“Harper cannot rely on her purported legal naivety,” the New Orleans–based 5th U.S. Circuit Court of Appeals ruled, 3-0.

Attorneys for Harper told the justices (.pdf) that she should get the benefit of the $200 innocent-infringer fine, because the digital files in question contained no copyright notice.

Could be even more interesting...

Newspaper May Have Given Implicit License To Copy

Posted by timothy on Wednesday September 22, @08:07AM

"Following up on the story of Righthaven, the 'copyright troll' that is working with the Las Vegas Journal Review to sue lots of websites (including one of Nevada's Senate candidates) for reposting articles from the LVRJ, a judge in one of the cases appears to be quite sympathetic to the argument that the LVRJ offered an 'implied license' to copy by not just putting their content online for free, but including tools on every story that say 'share this' with links to various sharing services (including one tool to 'share' via Slashdot!)."

Update. Even with the fix already in hand, the bad guys were faster!

Twitter Closes Web Hole After Attack Hits Up to 500,000

The security hole was patched at about 9:45 AM ET, according to a post by Del Harvey (@delbius), the head of Twitter's Trust and Safety Team. In a blog post Bob Lord on the Twitter Security Team said that the company first learned of the exploit at 5:54 AM Eastern Daylight Time. The hole in question had been patched internally by the company last month, but was inadvertently reintroduced with a Web site update, Lord wrote.

… In the intervening two hours, the attacks spread like wildfire across the social network, with up to 100 users per second falling victim at its height, according to data from

… Victims included high profile Twitter users including White House Press Secretary Robert Gibbs, who was perplexed by the balky javascript tweeted to more than 97,000 followers.

… Kaspersky researchers identified at least two worms that also launched on Tuesday morning, leveraging the same hole. Worm code was circulating on IRC within minutes of the discovery of the cross site scripting hole, Kaspersky Lab researcher Wicherski said in a blog post on the bug.

The FBI issues a guide to increased paranoia?

Doc of the Day: Feds’ Guide To Snitching on Your Terrorist Neighbor

Reliance on technology means “You need a backup plan” ...and don't leave home without your spare batteries!

What happens if your heart pump's battery dies?

Christian Volpe was shopping with his wife when an alarm started beeping to warn that only 15 minutes of battery power was left on the implanted heart pump that was keeping him alive.

… Dr. Donna Mancini, Volpe's cardiologist and director of the heart failure and transplant program at NewYork-Presbyterian/Columbia, said the hospital had not encountered a situation like this before.

"But with these devices getting more use, it may arise," Mancini said.

What technology really helps students?

Australian Schools Go iPad-Crazy

Posted by timothy on Wednesday September 22, @06:23AM

"Looks like it's not just Apple fanboys that are going wild for the iPad: in Australia, virtually every state education department is trialling the tablet in schools — and some schools are even trialling it without the official support of their department. One university in Adelaide has even abolished textbooks for first year science students [One way to increase the number of science majors? Bob] and is allocating free iPads to first year students instead. It will be interesting to see what happens when the inevitable wave of Android tablets hits over the next six months."

For my Website students...

GooEdit: Adds Basic Image Editor To Chrome

... This tool lets you do light image editing from your browser.

Unlike desktop image editors, you can take an image from any website and edit them on the spot with GooEdit.

GooEdit is very easy to use. Once the extension is installed, you have several image options available to you. You can flip, crop, and rotate images, adjust brightness, view and edit the histogram, and add effects. Image effects include sepia, grayscale, solarize, invert, blur, sharpen, and sepia.

First, get your thoughts down on paper in the word processor, then clean it up.

The fast, free way to clean up text in MS Word

There's nothing easy about reformatting text in a Microsoft Word document. You can use the Format Painter to apply the formatting of one paragraph to others with a single click, and Word's Find and Replace features let you remove unwanted characters (or strings of characters), but these tools make their changes one at a time and often require additional cleanup.

I wish I had discovered Greg Maxey's free Clean Up Text add-on for Word years ago. The retired U.S. Navy submarine ordnance officer and former Microsoft Word MVP has created a Word .dot template that removes unwanted leading, trailing spaces and characters, carriage returns, and empty paragraphs. The add-on also applies the default formatting to all or part of the document, applies Normal formatting, and replaces line breaks with paragraph formatting--all with a single click.

Gooder is... well, gooder!

AIType: Fixes Your English As You Type, Helps You Write Gooder

AIType is for folks who generally speak and understand a language but aren’t quite certain on some of the rules and conventions. For example, a foreigner writing a note to someone in English will often mix up word order or futz up word choice. AIType is a predictive system for writing that, in short, lets you sound like you know what you’re doing.

Based on a catalog of phrases, the system searches for the next applicable word and lets you translate that word into your own language, ensuring you mean what you say. It’s not perfect.

… It works like a combination spell check, grammar checker, and Google Scribe. AIType is free and you can download it right now to add its features to almost any Windows application (no OS X support yet).

… The service supports multiple languages and has a number of databases already compiled. It learns based on text entered most of the rules of usage.

Tuesday, September 21, 2010

Word is getting out to Crooks-R-Us that this is both easy and profitable.

Julie’s Place hack: an all-too-familiar story by now

September 20, 2010 by admin

This breach was first reported earlier this month, but I seem to have missed it:

About 100 people found out over the last couple weeks that someone else had accessed their bank account, taking their money and leaving them stunned.


After being flooded with reports of fraud, the Leon County Sheriff’s Office began to investigate and found that the computer system at the restaurant Julie’s Place had been hacked and someone, somewhere had full access.

Read more on WCTV.

In follow-up coverage today in the Tallahassee Democrat, the owner reportedly claims that he was told that the breach involved an Aloha POS-specific malware:

The company that provided the Aloha card terminal also found evidence of where the intruder got past the system’s firewall and was able to remotely access the terminal and steal the customers’ information.

“They found malware that was specifically for this Aloha system,” he said of the technicians’ evaluation. Since then, he has had the entire system changed out and security features upgraded to prevent a recurrence.

Radiant Systems’ Response

contacted Radiant Systems, manufacturers of the Aloha POS systems, about the statement that the malware was “Aloha-specific” in any way. Ernie Floyd, Director of Data Security and Compliance for Radiant stated that there was no unusual or Aloha-specific malware, and that as in other cases, when cybercriminals find systems with remote access software in listening mode, they then probe for the presence of payment applications that would indicate that card data might be available. If they find it, they then upload the malware to scrape the card data. In the case of Julie’s Place, Floyd said that the system had PCAnywhere in listening mode and no commercial-grade firewall. [PCAnywhere “enables one computer to remotely control and access another computer, establishing a one-to-one connection,” according to the manufacturer, Symantec. Bob]

Floyd says that although it was not available at the time of this particular breach, the company has developed a two-factor authentication tool for support services. [“We could have protected this computer, but we didn't bother...” Bob] According to him, the firm and its resellers have really been trying to educate restaurateurs that having PA-DSS validated software is simply not sufficient if there is no commercial grade software or if the rest of the environment is in shambles.

Breaches in the Hospitality Sector Are Up

Floyd also confirmed my impression that breaches in the hospitality sector are up this year. At a Visa symposium in June, attendees were reportedly informed that although Q1 was a slow quarter in terms of breach reports, Q2 was more active than any quarter in 2009. A Trustwave SpiderLabs representative also reported that by August, they had already conducted more post-breach forensic evaluations than they had for the entire year in 2009. Trustwave SpiderLabs typically handles about half of all forensic evaluations in the hospitality sector.

Symptoms of another Heartland type breach? Without broader geographic coverage, it's impossible to tell.

NE: Lincoln police investigating credit card number theft

September 20, 2010 by admin

Cory Matteson reports that customers at three banks have been victims of fraud, but it is not clear whether the fraud is linked to recent arrests of two individuals or is unconnected:

Officer Katie Flood said the purchases — often ordered from far-flung places such as Hong Kong — were made with debit and credit card numbers acquired from account holders at Cornhusker Bank, Pinnacle Bank and West Gate Bank. … How the numbers were obtained is unknown, Flood said Monday. She said it appeared some type of database had been breached.

Whether the unauthorized purchases were connected with two Lincoln residents arrested last week and suspected of stealing credit card numbers to make unauthorized online purchases is unknown, Flood said.


A probable cause affidavit for Kipf’s arrest said police were allowed by Nguyen to search a laptop computer found in Kipf’s hotel room. The affidavit says a folder on the computer’s hard drive holds the names of 26 people, along with their addresses, phone numbers, credit card or debit numbers and three-digit security codes.

Read more in the Lincoln Journal Star. I expect we’ll see more on whether this is one breach incident or more.

“We don't bother to review our attack ads...”

Dems include West social security number in flier, call it ‘oversight’

September 20, 2010 by Dissent

George Bennett reports:

The Florida Democratic Party today said it made an “oversight” when it included Republican congressional challenger Allen West’s Social Security number in an attack mailer.

West, who is challenging U.S. Rep. Ron Klein, D-Boca Raton, in a nationally watched race, called the mailer “an unprecedented new low in American politics.”

Read more in the Palm Beach Post.

[From the article:

The lien notice was pulled from public records in Indiana and is reproduced in the mailer with West's wife's name removed and his address blacked out. But his Social Security number is visible in a column that says "Identifying Number."

If everyone brings a gift... Failure to understand the technology has consequences.

Teen sends Facebook invite to 15; 21,000 reply

The Telegraph has been friendly enough to reveal the Facebook faux-pas performed by the teen. She decided to hold a birthday party at her mom's house and mom kindly said she could invite 15 of her closest companions.

Being almost 15, what other forum could she possibly have considered than Facebook? So she created a nice little event page and waited, no doubt expectantly, for everyone to say "yes." Unfortunately, the everyone she envisaged seemed to comprise, well, everyone. At least 21,000 people reportedly said they were coming, before she realized that she had invited the whole world. Or at least the whole Facebook world, which is more or less the same thing.

… Now, the police in the small town of Harpenden (population 30,000) are reportedly going to have to guard her neighborhood on October 7, the fatefully festive day in question.

Her mom told the Telegraph: "She did not realize that she was creating a public event... She is going to have to change her mobile phone SIM card because of the number of calls she has been getting about it."

(Related) Secret changes to how Facebook works can't help but confuse users...

Facebook Has Quietly Implemented A De-Facto Follow Feature

… Previously, you could either Confirm or Ignore (deny) a request. Now, Ignore has been replaced by “Not Now”. This new option takes some of the pressure off you having to reject people as it instead moves them into a state of limbo, where they’re neither accepted nor rejected. But it actually does a lot more as well.

You see, when someone requests to be your friend on Facebook, this automatically subscribes them to all of your public (“Everyone”) posts in their News Feed. Facebook doesn’t talk about this much, but it’s a very real feature, which we reported on in July of last year. You see these posts until this person rejects you (because obviously if they accept you as a friend, you’ll keep seeing them). So with this new Not Now button, and the removal of the simple rejection mechanism, Facebook has basically created a de-facto follow feature.

Perhaps we could learn from the EU?

Privacy Key Obstacle to Adopting Electronic Health Records, Study Finds

By Dissent, September 20, 2010

The United States could achieve significant health care savings if it achieved widespread adoption of electronic health records (EHRs), but insufficient privacy protections are hindering public acceptance of the EHR concept, according to a new paper from researchers from North Carolina State University. The paper outlines steps that could be taken to boost privacy and promote the use of EHRs.

Read more on Science Daily. The article cites Dr. David Baumer, head of the business management department at NC State and co-author of the paper:

However, a lack of public support related to privacy concerns has hindered its progress. And Baumer says that those concerns are not entirely unwarranted. For example, there is some evidence showing that EHRs can facilitate identity theft. But EHRs have become prevalent in the European Union, which has significantly more stringent privacy protections and whose citizens feel more comfortable with the EHR concept.

“We are moving in the right direction in regard to putting better privacy protections in place, but we have a long way to go,” Baumer says. And that lack of privacy protection is hindering the adoption of EHRs.

Note that what Dr. Baumer is saying is more consistent with what I have maintained than what Eric Demers suggested. The latter treated privacy concerns somewhat dismissively, in my opinion.

The paper is “Privacy and Security in the Implementation of Health Information Technology (Electronic Health Records): U.S. and EU Compared,” and is co-authored by Janine Hiller and Matthew McMullen of Virginia Tech and Wade Chumney of Georgia Tech. The paper will be published in a forthcoming issue of Boston University Journal of Science and Technology Law.


Europe Proposes International Internet Treaty

Posted by Soulskill on Monday September 20, @12:28PM

"Europe has proposed an Internet Treaty to protect the Internet from the political interference which threatens to break it up. The draft international law has been compared to the 1967 Outer Space Treaty, which sought to prevent space exploration being pursued for anything less than the benefit of all human kind. The Internet Treaty would similarly seek to preserve the Internet as a global system of free communication that transcends national borders." [Net Neutrality? Bob]

Do you have Privacy in your professional life? Should you be able to contest/correct your rating like you can a credit score?

Disgruntled Lawyer Drops Libel Claim, Sues Website Over Privacy

September 20, 2010 by Dissent

Daniel Fisher writes:

Florida attorney Larry Joe Davis didn’t like his listing on Avvo, a website that purports to rate lawyers according to a proprietary scale. He rates 3.7 out of 10 and has a “caution” warning because he was disciplined by the Florida Bar in 2007 over a matter involving failure to pay child support.

First Davis sued Avvo for libel in late August. Now he’s filed an amended complaint that drops the libel charges but unleashes a litany of complaints that would be familiar to anybody who resents being put on public display without his permission on the Internet.

Read more on Forbes.

[From the article:

It also accuses Avvo of manipulating his score based on whether he is willing to engage with the site, a common complaint against sites that rate businesses.

When Davis logged on to the site to eliminate the reference to employment law and remove any other details, he says, his rating plunged to 1. Since nothing had happened in his professional life, he says, that’s evidence that Avvo is misleading consumers.

… His main complaint, it seems, is that he can’t simply remove his listing from the site.

“If you build it, they will come!” For my Ethical Hackers

September 20, 2010

Guidelines for Smart Grid Cyber Security: Privacy and the Smart Grid

Guidelines for Smart Grid Cyber Security: Vol. 2, Privacy and the Smart Grid. The Smart Grid Interoperability Panel – Cyber Security Working Group, August 2010

  • "The Smart Grid brings with it many new data collection, communication, and information sharing capabilities related to energy usage, and these technologies in turn introduce concerns about privacy. Privacy relates to individuals. Four dimensions of privacy are considered:

    (1) personal information—any information relating to an individual, who can be identified, directly or indirectly, by that information and in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural, locational or social identity;

    (2) personal privacy—the right to control the integrity of one’s own body;

    (3) behavioral privacy—the right of individuals to make their own choices about what they do and to keep certain personal behaviors from being shared with others; and

    (4) personal communications privacy—the right to communicate without undue surveillance, monitoring, or censorship."

Just hacking into a system won't get you a passing grade in the Ethical Hacker class. After all, anyone can do that...

23% of university students have hacked into an IT system

September 21, 2010 by admin

A good education is so important.

Carrie Ann-Skinner reports:

Nearly a quarter (23 percent) of university students have successfully hacked into IT systems, says Tufin Technologies.

Research by the security firm revealed that of those that successfully hacked into a system, 40 percent were over 18.

While 84 percent of students surveyed said they knew hacking was wrong, nearly a third (32 percent) said it was also ‘cool’ and worryingly, 28 percent said they found it easy to hack into an IT system.

Read more on PC Advisor.

Somehow I can't picture Mr. Chips monitoring Twitter to find new words...

My BFF just told me “TTYL” is in the dictionary. LMAO.

cloud computing n. the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer.

For my Business Continuity class – a new risk category and an illustration of infrastructure fragility.

Hunters Shot Down Google Fiber

Posted by Soulskill on Tuesday September 21, @05:12AM

"Google has revealed that aerial fiber links to its data center in Oregon were 'regularly' shot down by hunters, forcing the company to put its cables underground. Hunters were reportedly trying to hit insulators on electricity distribution poles, which also hosted aerially-deployed fiber connected to Google's $600 million data center in The Dalles. 'I have yet to see them actually hit the insulator, [...and we used to be a nation of sharpshooters. Bob] but they regularly shoot down the fibre,' Google's network engineering manager Vijay Gill told a conference in Australia. 'Every November when hunting season starts invariably we know that the fiber will be shot down, so much so that we are now building an underground path [for it].'"

Dilbert illustrates “Marketing over Technology”